nrfconnect · Vge0rge · Aug 21, 2024 · Sep 5, 2024 · Sep 27, 2024 · Oct 1, 2024
@@ -0,0 +1,36 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+# Disable serial and UART interface.
+CONFIG_SERIAL=n
+CONFIG_UART_CONSOLE=n
+CONFIG_LOG=n
+
+# RAM usage configuration
+CONFIG_HEAP_MEM_POOL_SIZE=8192
+CONFIG_MAIN_STACK_SIZE=2048
+CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=2048
+
+# BT configuration
+CONFIG_BT=y
+CONFIG_BT_HCI_RAW=y
+CONFIG_BT_MAX_CONN=1
+CONFIG_BT_CTLR_ASSERT_HANDLER=y
+CONFIG_BT_PERIPHERAL=y
+CONFIG_BT_CENTRAL=n
+CONFIG_BT_BUF_ACL_RX_SIZE=502
+CONFIG_BT_BUF_ACL_TX_SIZE=251
+CONFIG_BT_CTLR_DATA_LENGTH_MAX=251
+CONFIG_BT_CTLR_PHY_2M=n
+
+# ipc_radio
+CONFIG_IPC_RADIO_BT=y
+CONFIG_IPC_RADIO_BT_HCI_IPC=y
+
+# NRF_802154_ENCRYPTION is not enabled by default in the `overlay-802154.conf` file
+# that is pulled in by NETCORE_IPC_RADIO_IEEE802154 in application's Kconfig.sysbuild.
+# For Wi-Fi builds, this option will not get applied anyway.
+CONFIG_NRF_802154_ENCRYPTION=y
@@ -10,9 +10,9 @@
 
 &cpuapp_ram0x_region{
 	status = "okay";
-	reg = <0x2f010000 DT_SIZE_K(512)>;
-	ranges = <0x0 0x2f010000 0x6e000>;
+	reg = <0x2f011000 DT_SIZE_K(516)>;
+	ranges = <0x0 0x2f011000 0x6e000>;
 	cpuapp_data: memory@1000 {
-		reg = <0x1000 DT_SIZE_K(508)>;
+		reg = <0x1000 DT_SIZE_K(512)>;
 	};
 };
@@ -42,7 +42,3 @@
 &cpuapp_cpurad_ipc {
 	status = "disabled";
 };
-
-&prng {
-	status = "disabled";
-};
@@ -6,24 +6,24 @@
 
 &cpuapp_rx_partitions {
 	/delete-node/ partition@a6000;
-	cpuapp_slot0_partition: partition@a5000 {
-		reg = <0xa5000 DT_SIZE_K(256)>;
+	cpuapp_slot0_partition: partition@a7000 {
+		reg = <0xa7000 DT_SIZE_K(256)>;
 	};
 
-	cpuapp_recovery_partition: partition@e5000 {
-		reg = <0xe5000 DT_SIZE_K(72)>;
+	cpuapp_recovery_partition: partition@e7000 {
+		reg = <0xe7000 DT_SIZE_K(72)>;
 	};
 
 	/* Delete PPR code partition */
 	/delete-node/ partition@e4000;
-	cpuppr_code_partition: partition@a5010 {
-		reg = < 0xa5010 0x10 >;
+	cpuppr_code_partition: partition@a7010 {
+		reg = < 0xa7010 0x10 >;
 	};
 
 	/* Delete FLPR code partition */
 	/delete-node/ partition@f4000;
-	cpuflpr_code_partition: partition@a5020 {
-		reg = < 0xa5020 0x10 >;
+	cpuflpr_code_partition: partition@a7020 {
+		reg = < 0xa7020 0x10 >;
 	};
 };
 
@@ -37,6 +37,6 @@
 	};
 
 	cpurad_recovery_partition: partition@8e000 {
-		reg = < 0x8e000 DT_SIZE_K(92) >;
+		reg = < 0x8e000 DT_SIZE_K(100) >;
 	};
 };
@@ -21,7 +21,10 @@ if(NOT SYSBUILD)
   endif()
 endif()
 
-add_subdirectory_ifdef(CONFIG_NRF_SECURITY nrf_security)
+if(CONFIG_NRF_SECURITY OR CONFIG_PSA_SSF_CRYPTO_CLIENT)
+  add_subdirectory(nrf_security)
+endif()
+
 add_subdirectory_ifdef(CONFIG_TRUSTED_STORAGE trusted_storage)
 
 add_subdirectory(net)

@@ -39,7 +39,24 @@ if(CONFIG_BUILD_WITH_TFM)
   include(${NRF_SECURITY_ROOT}/cmake/config_to_tf-m.cmake)
 endif()
 
-if(CONFIG_BUILD_WITH_TFM OR CONFIG_PSA_SSF_CRYPTO_CLIENT)
+if(CONFIG_PSA_SSF_CRYPTO_CLIENT AND NOT CONFIG_NRF_SECURITY)
+  zephyr_compile_definitions(MBEDTLS_PSA_CRYPTO_CONFIG)
+  zephyr_compile_definitions(MBEDTLS_PSA_CRYPTO_CLIENT)
+  zephyr_compile_definitions(MBEDTLS_PSA_CRYPTO_CONFIG_FILE="ssf_crypto_config_empty.h")
+  zephyr_compile_definitions(MBEDTLS_CONFIG_FILE="ssf_crypto_config_empty.h")
+
+  zephyr_include_directories(
+    ${NRF_SECURITY_ROOT}/include
+    # Oberon PSA headers
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/include
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/library
+    # Mbed TLS (mbedcrypto) PSA headers
+    ${ARM_MBEDTLS_PATH}/include
+    ${ARM_MBEDTLS_PATH}/library
+  )
+
+  zephyr_sources(${CMAKE_CURRENT_LIST_DIR}/src/ssf_secdom/ssf_crypto.c)
+elseif(CONFIG_BUILD_WITH_TFM OR CONFIG_PSA_SSF_CRYPTO_CLIENT)
   # We enable either TF-M or the SSF client PSA crypto interface but we are
   # not in the secure image build
 
@@ -88,50 +105,54 @@ else()
   nrf_security_debug("Building for pure Zephyr")
 endif()
 
-set(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG  True)
-
-# Add library for crypto configs (NS/S-only build)
-# The name and intent of this comes from TF-M distribution
-add_library(psa_crypto_config INTERFACE)
+# This check is needed for the cases that CONFIG_PSA_SSF_CRYPTO_CLIENT
+# is enabled but the CONFIG_NRF_SECURITY is not enabled
+if(CONFIG_NRF_SECURITY)
+  set(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG  True)
 
-# Add config files required for PSA crypto interface
-target_compile_definitions(psa_crypto_config
-  INTERFACE
-    -DMBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CFG_FILE}"
-    -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE="${CONFIG_MBEDTLS_PSA_CRYPTO_CONFIG_FILE}"
-)
+  # Add library for crypto configs (NS/S-only build)
+  # The name and intent of this comes from TF-M distribution
+  add_library(psa_crypto_config INTERFACE)
 
-# Add library for crypto configs (S-only or Secure image build)
-# The name and intent of this comes from TF-M distribution
-add_library(psa_crypto_library_config INTERFACE)
+  # Add config files required for PSA crypto interface
+  target_compile_definitions(psa_crypto_config
+    INTERFACE
+      -DMBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CFG_FILE}"
+      -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE="${CONFIG_MBEDTLS_PSA_CRYPTO_CONFIG_FILE}"
+  )
 
-# Add config files required for PSA core
-target_compile_definitions(psa_crypto_library_config
-  INTERFACE
-    -DMBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CFG_FILE}"
-    -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE="${CONFIG_MBEDTLS_PSA_CRYPTO_CONFIG_FILE}"
-    -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE="${CONFIG_MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE}"
-)
+  # Add library for crypto configs (S-only or Secure image build)
+  # The name and intent of this comes from TF-M distribution
+  add_library(psa_crypto_library_config INTERFACE)
 
-# Add a library for crypto includes for the PSA interface (NS, S-only and TF-M)
-# The name and intent of this comes from TF-M distribution
-add_library(psa_interface INTERFACE)
+  # Add config files required for PSA core
+  target_compile_definitions(psa_crypto_library_config
+    INTERFACE
+      -DMBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CFG_FILE}"
+      -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE="${CONFIG_MBEDTLS_PSA_CRYPTO_CONFIG_FILE}"
+      -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE="${CONFIG_MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE}"
+  )
 
-# Add the includes from nrf_security, Oberon PSA core, and Arm Mbed TLS
-# to the psa_interface library
-target_include_directories(psa_interface
-  INTERFACE
-    # Oberon PSA headers
-    ${OBERON_PSA_CORE_PATH}/include
-    ${OBERON_PSA_CORE_PATH}/library
-    # Mbed TLS (mbedcrypto) PSA headers
-    ${ARM_MBEDTLS_PATH}/library
-    ${ARM_MBEDTLS_PATH}/include
-    ${ARM_MBEDTLS_PATH}/include/library
-)
+  # Add a library for crypto includes for the PSA interface (NS, S-only and TF-M)
+  # The name and intent of this comes from TF-M distribution
+  add_library(psa_interface INTERFACE)
+
+  # Add the includes from nrf_security, Oberon PSA core, and Arm Mbed TLS
+  # to the psa_interface library
+  target_include_directories(psa_interface
+    INTERFACE
+      # Oberon PSA headers
+      ${OBERON_PSA_CORE_PATH}/include
+      ${OBERON_PSA_CORE_PATH}/library
+      # Mbed TLS (mbedcrypto) PSA headers
+      ${ARM_MBEDTLS_PATH}/library
+      ${ARM_MBEDTLS_PATH}/include
+      ${ARM_MBEDTLS_PATH}/include/library
+  )
 
-# Finally adding the crypto lib
-add_subdirectory(${NRFXLIB_DIR}/crypto crypto_copy)
+  # Finally adding the crypto lib
+  add_subdirectory(${NRFXLIB_DIR}/crypto crypto_copy)
 
-# Add mbed TLS Libraries
-add_subdirectory(src)
+  # Add mbed TLS Libraries
+  add_subdirectory(src)
+endif()
@@ -29,6 +29,12 @@ config NORDIC_SECURITY_BACKEND
 	  Note that this will enable nrf_oberon by default. Multiple backends is
 	  not supported.
 
+config PSA_SSF_CRYPTO_CLIENT
+	bool
+	prompt "PSA crypto provided through SDFW Service Framework (SSF)"
+	default y
+	depends on SSF_CLIENT && SSF_PSA_CRYPTO_SERVICE_ENABLED
+
 config NRF_SECURITY
 	bool
 	prompt "Enable nRF Security" if !PSA_PROMPTLESS

@@ -21,8 +21,6 @@ osource "modules/mbedtls/Kconfig.psa"
 
 rsource "src/core/Kconfig"
 
-rsource "src/ssf_secdom/Kconfig"
-
 comment "PSA Driver Support"
 
 config MBEDTLS_PSA_CRYPTO_DRIVERS

@@ -0,0 +1,7 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+/* This is intentionally empty since the SSF doesn't support any configuration yet. */
@@ -11,13 +11,15 @@ config PSA_CRYPTO_DRIVER_OBERON
 	prompt "Oberon PSA driver" if !(TFM_PARTITION_PROTECTED_STORAGE || TFM_CRYPTO_BUILTIN_KEYS)
 	bool
 	default y if ! CRACEN_HW_PRESENT
+	depends on PSA_CORE_OBERON
 	help
 	  This configuration enables the usage of the Oberon PSA driver.
 
 config PSA_CRYPTO_DRIVER_CC3XX
 	prompt "CryptoCell PSA driver"
 	bool
 	depends on HAS_HW_NRF_CC3XX
+	depends on PSA_CORE_OBERON
 	help
 	  This configuration enables the usage of CryptoCell for the supported operations.
 	  Disabling this option will result in all crypto operations being handled by
@@ -30,6 +32,7 @@ config PSA_CRYPTO_DRIVER_CRACEN
 	bool "Enable the Cracen PSA driver"
 	depends on MBEDTLS_PSA_CRYPTO_C
 	depends on CRACEN_HW_PRESENT
+	depends on PSA_CORE_OBERON
 	# CRACEN uses the k_event_ API
 	select EVENTS if MULTITHREADING
 	default y

@@ -38,6 +38,11 @@ config SSF_CLIENT_SYS_INIT
 	bool "Start SDFW Service Framework client on boot"
 	default y
 
+config SSF_CLIENT_SYS_INIT_PRIORITY
+	int
+	default 47
+	depends on SSF_CLIENT_SYS_INIT
+
 config SSF_CLIENT_REGISTERED_LISTENERS_MAX
 	int "Maximum number of simultaneous registered listeners"
 	default 1

@@ -45,10 +45,25 @@ void ssf_client_sem_give(struct ssf_client_sem *sem)
 }
 
 #if CONFIG_SSF_CLIENT_SYS_INIT
+
+#ifdef CONFIG_IPC_SERVICE_REG_BACKEND_PRIORITY
+BUILD_ASSERT(CONFIG_SSF_CLIENT_SYS_INIT_PRIORITY > CONFIG_IPC_SERVICE_REG_BACKEND_PRIORITY,
+	     "SSF_CLIENT_SYS_INIT_PRIORITY must be higher than IPC_SERVICE_REG_BACKEND_PRIORITY");
+#endif
+
+#ifdef CONFIG_NRF_802154_SER_RADIO_INIT_PRIO
+BUILD_ASSERT(CONFIG_SSF_CLIENT_SYS_INIT_PRIORITY < CONFIG_NRF_802154_SER_RADIO_INIT_PRIO,
+	     "SSF_CLIENT_SYS_INIT_PRIORITY must be lower than NRF_802154_SER_RADIO_INIT_PRIO");
+#endif
+
+BUILD_ASSERT(
+	CONFIG_SSF_CLIENT_SYS_INIT_PRIORITY > CONFIG_KERNEL_INIT_PRIORITY_DEFAULT,
+	"SSF_CLIENT_SYS_INIT_PRIORITY must be higher than the IPC ICMSG initialization priority");
+
 static int client_init(void)
 {
 	return ssf_client_init();
 }
 
-SYS_INIT(client_init, POST_KERNEL, CONFIG_APPLICATION_INIT_PRIORITY);
+SYS_INIT(client_init, POST_KERNEL, CONFIG_SSF_CLIENT_SYS_INIT_PRIORITY);
 #endif
@@ -18,18 +18,7 @@ SSF_CLIENT_SERVICE_DEFINE(psa_crypto_srvc, PSA_CRYPTO, cbor_encode_psa_crypto_re
 
 psa_status_t ssf_psa_crypto_init(void)
 {
-	int err;
-	struct psa_crypto_req req = { 0 };
-	struct psa_crypto_rsp rsp = { 0 };
-
-	req.psa_crypto_req_msg_choice = psa_crypto_req_msg_psa_crypto_init_req_m_c;
-
-	err = ssf_client_send_request(&psa_crypto_srvc, &req, &rsp, NULL);
-	if (err != 0) {
-		return err;
-	}
-
-	return rsp.psa_crypto_rsp_status;
+	return PSA_SUCCESS;
 }
 
 psa_status_t ssf_psa_get_key_attributes(

@@ -44,12 +44,6 @@ static void ssf_notification_handler(const struct nrf_rpc_group *group, const ui
 NRF_RPC_EVT_DECODER(ssf_group, ssf_notif_decoder, CONFIG_SSF_NRF_RPC_NOTIF_ID,
 		    ssf_notification_handler, NULL);
 
-static void err_handler(const struct nrf_rpc_err_report *report)
-{
-	SSF_CLIENT_LOG_ERR("nRF RPC error %d ocurred. See nRF RPC logs for more details.",
-			   report->code);
-}
-
 int ssf_client_transport_init(ssf_client_transport_notif_handler handler)
 {
 	int err;
@@ -61,8 +55,12 @@ int ssf_client_transport_init(ssf_client_transport_notif_handler handler)
 
 	transport_initialized = false;
 
-	err = nrf_rpc_init(err_handler);
-	if (err != 0) {
+	/* We ignore the nrf_rpc_init on purpose here, the nrf_rpc_init
+	 * will try to initialize all the transports/groups, but we only
+	 * want to check that the ssf_group is initialized.
+	 */
+	err = nrf_rpc_init_group(&ssf_group);
+	if (err < 0) {
 		return -SSF_EINVAL;
 	}