Adjust CRYPTO_HW_ACCELERATOR build scripts to also support
nrf_security.

Signed-off-by: Sebastian Bøe <[email protected]>
Signed-off-by: Joakim Andersson <[email protected]>
(cherry picked from commit c136210)
(cherry picked from commit 3834117)
Signed-off-by: Joakim Andersson <[email protected]>
(cherry picked from commit 2bdad64)
Signed-off-by: Markus Swarowsky <[email protected]>
Change-Id: Ied8e378ef55fe398ea4e45f65b3c270e9e9cd030
Signed-off-by: Markus Swarowsky <[email protected]>
(cherry picked from commit 5903966)
Signed-off-by: Markus Swarowsky <[email protected]>

Replaces usage of mbedtls_hkdf with PSA Crypto API.

Noup: This is essentially the same functionality as in change
I41ea9cb2af6627aa7ed3a8454898d16d4b5d6306 from upstream, that
can't be cleanly cherry-picked since the code has been refactored.

Signed-off-by: Vidar Lillebø <[email protected]>
(cherry picked from commit 2ff3fdd)
Signed-off-by: Markus Swarowsky <[email protected]>
Change-Id: Ib4bcea3f9b7ea2676b612a20b226a8ae6118bb9b
Signed-off-by: Markus Swarowsky <[email protected]>
(cherry picked from commit ac52dba)
Signed-off-by: Markus Swarowsky <[email protected]>

The MDK for nRF9120 used in the nRF9161 target doesn't define the Secure FPU
as it doesn't exist, but for other platforms like the 9160 it has a dummy
define, with an UNUSED field in the type.
The long plan is to get this fixed in the MDK but until then, to make
the nrfxlib 3.1.0 update possible this tempfix is applied.

 Ref: NCSDK-23046

Signed-off-by: Markus Swarowsky <[email protected]>
Change-Id: I44042ee9aada99c59a5930440306bb6c40ae4880
(cherry picked from commit 6ad9c58)
Signed-off-by: Markus Swarowsky <[email protected]>
(cherry picked from commit a489e9f)
Signed-off-by: Markus Swarowsky <[email protected]>

…nstance.

Add an option to send the log output from the secure firmware on a
UART instance that would be shared with the non-secure application.

This option is added where the number of UART instances is limited
and the application only cares about the receiving the TF-M log
on fatal errors.

To allow this option to be enabled the log is disabled in the boot
process before the non-secure application is started.
It is enabled again when an unrecoverable exception has occurred in
the secure firmware.

NCSDK-18595

upstream PR: https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/25905

Signed-off-by: Joakim Andersson <[email protected]>
(cherry picked from commit 19403a8)
Signed-off-by: Joakim Andersson <[email protected]>
(cherry picked from commit 54af7a2)
Signed-off-by: Markus Swarowsky <[email protected]>
Change-Id: I65e33f48bd7c6334d04b528c28e8b2d4a3331d0d
Signed-off-by: Markus Swarowsky <[email protected]>
(cherry picked from commit 8f000f6)
Signed-off-by: Markus Swarowsky <[email protected]>

…RT0 instance

Add support for selecting which UART instance to use as the secure UART
instance. The supported options are UART0 and UART1.

Add support for the secure UART instance being shared with the non-secure
application.
The UART instance is configured as non-secure after it has been
uninitialized, and configured as secure when it is initialized again
on a fatal error.

NCSDK-18595

Signed-off-by: Joakim Andersson <[email protected]>
(cherry picked from commit b2346e8)
Signed-off-by: Joakim Andersson <[email protected]>
(cherry picked from commit 97224b0)
Signed-off-by: Markus Swarowsky <[email protected]>
Change-Id: I2da826ec4817143ece52baeceaab14999f0d2d96
Signed-off-by: Markus Swarowsky <[email protected]>
(cherry picked from commit d2a1b89)
Signed-off-by: Markus Swarowsky <[email protected]>

…um profile

Disable the cipher crypto module in small, medium and medium-arotless
profile. There is no algorithm for this module enabled in the mbedcrypto
configuration header for these profiles.

Change-Id: Ief1d38a984824c0e746ecbf9b1fe1a8483dba91b
Signed-off-by: Joakim Andersson <[email protected]>
(cherry picked from commit e5e8150)
Signed-off-by: Markus Swarowsky <[email protected]>

… and keys checks

Add missing PSA defined algorithms and keys checks.
The checks only covered supported algorithms in mbedtls.
However mbedtls supports accelerated PSA crypto support through the
psa crypto driver wrappers, which can support additional algorithms
and key types.

This fixes build error when enabling ECDH key agreement algorithm
without enabling any other key derivation algorithms.

Change-Id: Ic609d7ac58b7341316d0a071e5229ea9980fafab
Signed-off-by: Joakim Andersson <[email protected]>
(cherry picked from commit a527aef)
Signed-off-by: Markus Swarowsky <[email protected]>

…o context

Add an API, `tfm_exception_info_get_context()`, which can be used to
retrieve exception info from the exception_info module.

This option is added allow for platform specific handling logic -- for
example, saving the exception info to a non-volatile storage medium
for postmortem analysis.

Change Highlights:

  * Moved `struct exception_info_t` from `exception_info.c` to
    `exception_info.h`
  * Defined `tfm_exception_info_get_context()` which exposes access to
    the static scope `exception_info` struct from exception_info.h

Signed-off-by: Chris Coleman <[email protected]>
Change-Id: I635ef2cc79bf5221300064a3a2813d504f62d46a
Signed-off-by: Joakim Andersson <[email protected]>
(cherry picked from commit 9dd58c9)
Signed-off-by: Markus Swarowsky <[email protected]>

…ters

Change exception handler to use system registers instead of handler
provided information to provide active exception information to the
exception information handler.

This frees up one register argument to the store and dump function.

Change-Id: I70a29438fd5ac0bad6945588c5ae7431cd66d060
Signed-off-by: Joakim Andersson <[email protected]>
(cherry picked from commit 90e0c06)
Signed-off-by: Markus Swarowsky <[email protected]>

…ormation

Store the callee saved registers in the exception information logging.
We store the current exception frame, which has the registers of the
caller saved registers when the exception occurs, but the callee saved
register information is lost during the exception handling.
This provides us with an incomplete picture of the state at the time
the exception occurred.

Change-Id: I3d15f9eccf1aa8c2c1b99e75e38229ab82420f36
Signed-off-by: Joakim Andersson <[email protected]>
(cherry picked from commit dbdcfa0)
Signed-off-by: Markus Swarowsky <[email protected]>

Move the SPU fault handling to only dump fault information on UART
when TFM_EXCEPTION_INFO_DUMP is enabled.
Store the exception info for later retrieval as the SPU handler clears
the events.

Change-Id: I3da12c30dc845e81e8725c687aefb498c82c90d7
Signed-off-by: Joakim Andersson <[email protected]>
(cherry picked from commit 7eace88)
Signed-off-by: Markus Swarowsky <[email protected]>

Unify the target configuration header, the target configuration source
has already been unified.

Change-Id: I23e3b47ac8e80fb5e54a24660fbb4e8313f54c78
Signed-off-by: Joakim Andersson <[email protected]>
(cherry picked from commit 7316fe1)
Signed-off-by: Markus Swarowsky <[email protected]>

…ation

Refactor peripheral SPU configuration to use peripheral ID instead
of address.
Remove helper function that is only used once.
Refactor peripheral SPU init configuration to be a loop over an
array of peripheral IDs.
This is done to save flash-usage of this function.

Change-Id: If22956dcc791dcee4cddc3715edc65af8bafad58
Signed-off-by: Joakim Andersson <[email protected]>
(cherry picked from commit 8f8929b)
Signed-off-by: Markus Swarowsky <[email protected]>

If MBEDTLS_P256M_ENABLED is not set then do not add the compile definitions and includes to the target

upstream PR:https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/26339

Signed-off-by: Markus Swarowsky <[email protected]>
Change-Id: I1bd8fda71e6c3fa90acc79c31bf967e60ac42e3a
Signed-off-by: Markus Swarowsky <[email protected]>

Move CMake code for adding a startup file into common code.

This improves portability.
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/25902

Signed-off-by: Sebastian Bøe <[email protected]>
Signed-off-by: Markus Swarowsky <[email protected]>
Change-Id: Ic59d3d01744eae3bb2ef2e0175a5294f7269c610
(cherry picked from commit 0f3bed474c9eabfe4423de27ee85ee26ca6a7d41)
Signed-off-by: Markus Swarowsky <[email protected]>

The MBEDTLS_PSA_CRYPTO_CONFIG_FILE gets already defined in the
mbedtls_common target and is included in the nrf-config.h file.
TF-M adds the compile definition again, causing a redefined warning when
building

Signed-off-by: Markus Swarowsky <[email protected]>
Change-Id: Idd813911f6886da279c16bcd8b81d07039a4db50

[nrf fromlist] because this was cherry-picked from
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/25904/1

Document FlashInfo fields.

NB: I found this commit was missing from the TF-M upmerge branch. I
don't know how it went missing.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: I9f92711edd754f7972a36baba2cd5c8e2675b03a
Signed-off-by: Markus Swarowsky <[email protected]>

[nrf fromlist] because this was cherry-picked from
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/25899/2

Remove unused driver functions.

We are currently implementing several functions that TF-M is not
using.

This is bad practice as they are untested and may therefore be
unreliable if TF-M were to start to use them.

They also bloat the size of the binary and have a code maintenance
cost.

It would be better to implement the functions when they become used.

NB: I found this commit was missing from the TF-M upmerge branch. I
don't know how it went missing.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: Icd7df7caa38ea890742b4b70118d642b196c4d71
Signed-off-by: Markus Swarowsky <[email protected]>

[nrf fromlist] because this was cherry-picked from
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/25903/1

Remove the function ARM_Flash_Uninitialize is it is only used in BL1
and BL2 integration and nordic is not compatible with BL1 or BL2.

It is bad practice to have an unused function available as it is
untested and may therefore be unreliable if TF-M were to start to
using it.

It also bloats the size of the binary and has a code maintenance cost.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: I319b13b916e78f7692fab23a4f542877b8484bcb
Signed-off-by: Markus Swarowsky <[email protected]>

We added the option for sharing a UART instance for the
secure and non-secure application. To do that we have
to call stdio_uninit from the secure side in order to
configure the UART as non-secure.

This was done before but got dropped with the latest
update.

Change-Id: Ic65ab61ba22b59b893f96e1c63f7e2f8da61c45b

The spu_peripheral_config_(non_)secure calls takes the
ID of the peripheral as the argument and not the register
address.

Signed-off-by: Georgios Vasilakis <[email protected]>
Change-Id: I2546cd8e4ed4c09c742911bd0807f732de335f7c

TF-M checks if P256M is available during build time using
MBEDCRYPTO_PATH which is set to the TF-M repo to use custom
mbed TLS cmake configurations, but this means the script can not be
found. But as mbed TLS software crypto is not used anyway we can
hardcode P256M to be disabled.

Signed-off-by: Markus Swarowsky <[email protected]>
Change-Id: I94fde1f41e3493e840823cae284256176a364863
Signed-off-by: Markus Swarowsky <[email protected]>

Add support for 54l

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: I3574d73222dd23d202e5259a863f2e1b4b001739

…nifest

This commit is [nrf noup] because I would like to user-test this for a
few months in case of unintended side-effects before upstreaming.

In the TF-M build scripts we run the manifest tool twice, first from
CMake and then from ninja.

It is bad practice to configure CMake projects like this. Instead, if
configuration from CMake is necessary, one should configure from CMake
only, and then re-run CMake when necessary, not just the command.

This organization has been causing problems for our users as they have
been required to rebuild TF-M twice.

This is due to this scenario playing out:

CMake generates config_impl.cmake by invoking the manifest tool at
Configure time.

CMake generates build.ninja.

Ninja generates config_impl.cmake by invoking the manifest tool at
build time.

When the user then invokes ninja a second time config_impl.cmake will
be newer than build.ninja. But CMake is supposed to be includ'ing
config_impl.cmake, so build.ninja is now considered out-of-date
wrt. config_impl.cmake.

ninja therefore invokes CMake again, and then ninja afterwards.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: Icef588479d27fa3a172b40b09eacad417922fba5

This is noup commit as upstream TF-M relies on the mbed TLS PSA Core
hat does not support the PAKE API's according to 1.2 at the moment.
Once this exists then this can be up streamed, or removed if TF-M adds
it themself.

Added PAKE API support accoding the PSA crypto spec 1.2

Ref: NCSDK-22416

Change-Id: Ie3254db411e21b0d9408ca1c81f74917be2e632f
Signed-off-by: Markus Swarowsky <[email protected]>

Add missing SPU functions for nRF54L15.
SPU support in nrfx seems limited at the moment for
nRF54L15 and this is a workaround.
That's a noup because we expect to revert it when
support is more mature.

Ref: NCSDK-26277

Signed-off-by: Georgios Vasilakis <[email protected]>

This reverts commit a22fef3.

Signed-off-by: Andrzej Głąbek <[email protected]>

Following APIs are in psa/crypto.h hence they need to be linkable
by partitions/applications:

* psa_key_derivation_input_integer
* psa_key_derivation_verify_bytes
* psa_key_derivation_verify_key

Only psa_key_derivation_input_integer is currently implemented by
Mbed TLS 3.5.0 as the PSA Crypto backend hence it's the only one
requiring full plumbing from interface through service up to the
Crypto backend library call.

Signed-off-by: Summer Qin <[email protected]>
Change-Id: I69f262e5a95e04935c8bec05b0b6b509f4b65ad4
(cherry picked from commit cec79b0)
Signed-off-by: Vidar Lillebø <[email protected]>

Please check the advisory document for details.

Signed-off-by: Anton Komlev <[email protected]>
Change-Id: I3fc948c948379e5a36cc577bdbac7c5f7a2c3d1e

Ref: NCSDK-26942
(cherry picked from commit e6f5d8c)
Signed-off-by: Markus Swarowsky <[email protected]>

fromlist:
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/27311

It is supported to disable PS_ENCRYPTION, but when one tries to do so
you get a compilation error because ps_object_defs.h is using
encryption symbols unconditionally.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: Iebfc88ada9ccc45152224108cd8530de331ef1c5

fromlist:
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/27313

Add MDK defines required by tfm_ns.

Not all platforms need these defines. But to ease porting we
unconditionally add them to all platforms.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: I434a817f13a198e6368710e1d6fffd96c1bea64f

fromlist:
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/27314

Add support for more UARTs.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: Iffdce1df87fd603cf76f435028896c12f1d2c276

fromlist:
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/27315

Support the RRAMC driver from nrfx.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: I5c797d15f4acb4f59aeb9f737b41294ff624dfb1

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

Move files from nrf to TF-M to make the platform support more aligned
and therefore easier to understand.

Also, add misc. files required to get psa-arch-tests to work.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: I2e20b71414b4e28a6243e35e940d9217aa51405d

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

The HW guys said it should be set to 0.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: I335401d70b8aa8088c6af2c9c824e3d0af087698

Include autoconf.h from target_cfg.c so we can configure the TF-M
image based on the non-secure image's Kconfig.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: I2212f2ec3428f16618334c5583b0e641aa30ea08

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

use uart30 instead of uart22 as the secure UART

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: I3d54602043a9d984908bfa4d9732bc2158fdca2b

…RT0 instance

fixup! [nrf noup] area: previous short log goes here

support 54L as well.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: I06171d72b7d55d45f9719c531fc551fa4be47641

Allows custom key-loader to be used for the PSA core and allows
configuring CMAC KDF usage for PS.

noup-reason: PSA_ALG_SP800_108_COUNTER_CMAC is not available in upstream.
After testing and verifying the solution (determining if we need further
changes) we should try to upstream this.

Signed-off-by: Vidar Lillebø <[email protected]>

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

Configure the XL1 and XL2 to be controlled by GPIO or peripheral.
This is need to ust the ow-frequency crystal oscillator (LFXO). This can
only been done from secure therefore do it in TF-M

Ref: NCSDK-26595
Signed-off-by: Markus Swarowsky <[email protected]>

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

The Product spec says:
 To enable port protection access for both secure and non-secure modes,
 use the registers UICR.SECUREAPPROTECT and UICR.APPROTECT.

 Which is the same behavior than on the 91 platforms so TF-M doesn't
 need to do anything.

 Ref: NCSDK-25047

Signed-off-by: Markus Swarowsky <[email protected]>

The NRF_RRAMC peripheral is hardware-fixed to S so the non-secure
image cannot configure the peripheral without costly TF-M system
calls.

To fix this we do static configuration of the NRF_RRAMC_S peripheral
for the NRF_RRAMC_S->CONFIG value during TF-M boot.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: I3a3224e01b6fed022c79489ddaa8a50acf0dc6a6

This commit is a noup because we want an NCS specific error message.

Detect wrong headers being included. See comment for details.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: I23089b08cee5961a5800707ffb222e306004cfee

For Secure only builds on 53 there exists the Kconfig
CONFIG_SOC_ENABLE_LFXO to define if the XL1 and XL2 pin should be
configured to used for the LFXO oscillator. TF-M should have the same
behavior, to enable the possibility to use these pins for something else

noup as we don't have the NCS Kconfigs available in upstream TF-M,
the change to pull them in was done in the noup commit:
1a17888

Ref: NCSDK-20678
Signed-off-by: Markus Swarowsky <[email protected]>

diff --git a/platform/ext/target/nordic_nrf/common/core/target_cfg.c b/platform/ext/target/nordic_nrf/common/core/target_cfg.c
index 81150740e..f1f0f1e4c 100644
--- a/platform/ext/target/nordic_nrf/common/core/target_cfg.c
+++ b/platform/ext/target/nordic_nrf/common/core/target_cfg.c
@@ -1230,8 +1230,11 @@ static const uint8_t target_peripherals[] = {
      * register fields are not accessible. That's why it is placed here.
      */
 #ifdef NRF53_SERIES
+#if defined(CONFIG_SOC_ENABLE_LFXO) && CONFIG_SOC_ENABLE_LFXO == 1
+/* CONFIG_SOC_ENABLE_LFXO doesn't exist for 54L15 target, might be changed in future */
     nrf_gpio_pin_control_select(PIN_XL1, NRF_GPIO_PIN_SEL_PERIPHERAL);
     nrf_gpio_pin_control_select(PIN_XL2, NRF_GPIO_PIN_SEL_PERIPHERAL);
+#endif /* CONFIG_SOC_ENABLE_LFXO */
 #endif
 #ifdef NRF54L15_ENGA_XXAA
     /* NRF54L has a different define */

!fixup [nrf noup] Support CMAC KDF and custom builtin solution

Pass the PS_CRYPTO_KDF_ALG to the its partition where it will be used

Signed-off-by: Markus Swarowsky <[email protected]>

!fixup [nrf noup] platform: nordic_nrf: Add support for 54l

Ref: NCSDK-26630
Signed-off-by: Markus Swarowsky <[email protected]>

!fixup [nrf noup] platform: nordic_nrf: Add support for 54l

Add an PSA/Cracen implementation for ITS encryption.

Ref: NCSDK-26678

Signed-off-by: Markus Swarowsky <[email protected]>

diff --git a/platform/ext/target/nordic_nrf/common/core/CMakeLists.txt b/platform/ext/target/nordic_nrf/common/core/CMakeLists.txt
index 43c7b7662..19e2aee64 100644

Signed-off-by: Markus Swarowsky <[email protected]>
--- a/platform/ext/target/nordic_nrf/common/core/CMakeLists.txt
+++ b/platform/ext/target/nordic_nrf/common/core/CMakeLists.txt
@@ -26,8 +26,10 @@ if((NRF_SOC_VARIANT STREQUAL nrf54l15) OR (target STREQUAL nrf54l15))
   # Maybe we only need to check one of these options but these
   # variables keep changing so we check both to be future proof
   set(HAS_RRAMC 1)
+  set(HAS_CRACEN 1)
 else()
   set(HAS_NVMC 1)
+  set(HAS_CRACEN 0)
 endif()

 #========================= Platform dependencies ===============================#
@@ -99,7 +101,8 @@ target_sources(platform_s
         $<$<BOOL:${TFM_EXCEPTION_INFO_DUMP}>:${CMAKE_CURRENT_SOURCE_DIR}/nrf_exception_info.c>
         $<$<OR:$<BOOL:${TFM_S_REG_TEST}>,$<BOOL:${TFM_NS_REG_TEST}>>:${CMAKE_CURRENT_SOURCE_DIR}/plat_test.c>
         $<$<BOOL:${TEST_PSA_API}>:${CMAKE_CURRENT_SOURCE_DIR}/pal_plat_test.c>
-        $<$<BOOL:${ITS_ENCRYPTION}>:${CMAKE_CURRENT_SOURCE_DIR}/tfm_hal_its_encryption.c>
+        $<$<AND:$<BOOL:${ITS_ENCRYPTION}>,$<NOT:${HAS_CRACEN}>>:${CMAKE_CURRENT_SOURCE_DIR}/tfm_hal_its_encryption.c>
+        $<$<AND:$<BOOL:${ITS_ENCRYPTION}>,$<BOOL:${HAS_CRACEN}>>:${CMAKE_CURRENT_SOURCE_DIR}/tfm_hal_its_encryption_cracen.c>
 )

 if (NRF_HW_INIT_RESET_ON_BOOT)
diff --git a/platform/ext/target/nordic_nrf/common/core/tfm_hal_its_encryption_cracen.c b/platform/ext/target/nordic_nrf/common/core/tfm_hal_its_encryption_cracen.c
new file mode 100644
index 000000000..bbcbb97a0
--- /dev/null
+++ b/platform/ext/target/nordic_nrf/common/core/tfm_hal_its_encryption_cracen.c
@@ -0,0 +1,273 @@
+/*
+ * Copyright (c) 2023 Nordic Semiconductor ASA.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdint.h>
+#include <string.h>
+
+#include "config_tfm.h"
+#include "platform/include/tfm_hal_its_encryption.h"
+#include "platform/include/tfm_hal_its.h"
+#include "psa/crypto.h"
+#include "tfm_crypto_defs.h"
+
+#define CHACHA20_KEY_SIZE 32
+#define TFM_ITS_AEAD_ALG PSA_ALG_CHACHA20_POLY1305
+
+#define ITS_ENCRYPTION_SUCCESS 0
+
+#define HUK_KMU_SLOT 2
+#define HUK_KMU_SIZE_BITS 128
+
+/* Global encryption counter which resets per boot. The counter ensures that
+ * the nonce will not be identical for consecutive file writes during the same
+ * boot.
+ */
+static uint32_t g_enc_counter;
+
+/* The global nonce seed which is fetched once in every boot. The seed is used
+ * as part of the nonce and allows the platforms to diversify their nonces
+ * across resets. Note that the way that this seed is generated is platform
+ * specific, so the diversification is optional.
+ */
+static uint8_t g_enc_nonce_seed[TFM_ITS_ENC_NONCE_LENGTH -
+                                sizeof(g_enc_counter)];
+
+/* TFM_ITS_ENC_NONCE_LENGTH is configurable but this implementation expects
+ * the seed to be 8 bytes and the nonce length to be 12.
+ */
+#if TFM_ITS_ENC_NONCE_LENGTH != 12
+#error "This implementation only supports a ITS nonce of size 12"
+#endif
+
+/*
+ * This implementation doesn't use monotonic counters, but therfore a 64 bit
+ * seed combined with a counter, that gets reset on each reboot.
+ * This still has the risk of getting a collision on the seed resulting in
+ * nonce's beeing the same after a reboot.
+ * It would still need 3.3x10^9 resets to get a collision with a probability of
+ * 0.25.
+ */
+enum tfm_hal_status_t tfm_hal_its_aead_generate_nonce(uint8_t *nonce,
+                                                      const size_t nonce_size)
+{
+    if(nonce == NULL){
+        return TFM_HAL_ERROR_INVALID_INPUT;
+    }
+
+    if(nonce_size < sizeof(g_enc_nonce_seed) + sizeof(g_enc_counter)){
+        return TFM_HAL_ERROR_INVALID_INPUT;
+    }
+
+    /* To avoid wrap-around of the g_enc_counter and subsequent re-use of the
+     * nonce we check the counter value for its max value
+     */
+    if(g_enc_counter ==  UINT32_MAX) {
+        return TFM_HAL_ERROR_GENERIC;
+    }
+
+    /* psa_generate_random is not using any key/its functions wo we can use it here*/
+    if (g_enc_counter == 0) {
+        psa_status_t status = psa_generate_random(g_enc_nonce_seed, sizeof(g_enc_nonce_seed));
+        if (status != PSA_SUCCESS) {
+            return TFM_HAL_ERROR_GENERIC;
+        }
+    }
+
+    memcpy(nonce, g_enc_nonce_seed, sizeof(g_enc_nonce_seed));
+    memcpy(nonce + sizeof(g_enc_nonce_seed),
+               &g_enc_counter,
+               sizeof(g_enc_counter));
+
+    g_enc_counter++;
+
+    return TFM_HAL_SUCCESS;
+}
+
+static bool ctx_is_valid(struct tfm_hal_its_auth_crypt_ctx *ctx)
+{
+    bool ret;
+
+    if (ctx == NULL) {
+        return false;
+    }
+
+    ret = (ctx->deriv_label == NULL && ctx->deriv_label_size != 0) ||
+          (ctx->aad == NULL && ctx->add_size != 0) ||
+          (ctx->nonce == NULL && ctx->nonce_size != 0);
+
+    return !ret;
+}
+
+/*
+ * The cracen driver code doesn't use any persistent keys so no calls to its
+ * therefore the PSA API's can be used directly.
+ */
+psa_status_t tfm_hal_its_get_aead(struct tfm_hal_its_auth_crypt_ctx *ctx,
+                                  uint8_t *plaintext,
+                                  const size_t plaintext_size,
+                                  uint8_t *ciphertext,
+                                  const size_t ciphertext_size,
+                                  uint8_t *tag,
+                                  const size_t tag_size,
+                                  bool encrypt)
+{
+    psa_status_t status;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_key_derivation_operation_t op = PSA_KEY_DERIVATION_OPERATION_INIT;
+    psa_key_id_t key;
+    size_t ciphertext_length;
+    size_t tag_length = PSA_AEAD_TAG_LENGTH(PSA_KEY_TYPE_CHACHA20,
+                                            PSA_BYTES_TO_BITS(CHACHA20_KEY_SIZE),
+                                            TFM_ITS_AEAD_ALG);
+
+    if (!ctx_is_valid(ctx) || tag == NULL) {
+        return TFM_HAL_ERROR_INVALID_INPUT;
+    }
+
+    if(tag_size < tag_length){
+        return TFM_HAL_ERROR_INVALID_INPUT;
+    }
+
+    if (ciphertext_size < PSA_AEAD_ENCRYPT_OUTPUT_SIZE(PSA_KEY_TYPE_CHACHA20,
+                                                       TFM_ITS_AEAD_ALG,
+                                                       plaintext_size)){
+        return TFM_HAL_ERROR_INVALID_INPUT;
+    }
+
+    /* Set the key attributes for the key */
+    psa_set_key_usage_flags(&attributes, (PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT));
+    psa_set_key_algorithm(&attributes, TFM_ITS_AEAD_ALG);
+    psa_set_key_type(&attributes, PSA_KEY_TYPE_CHACHA20);
+    psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(CHACHA20_KEY_SIZE));
+
+    status = psa_key_derivation_setup(&op, PSA_ALG_SP800_108_COUNTER_CMAC);
+    if (status != PSA_SUCCESS) {
+        return status;
+    }
+
+    /* Set up a key derivation operation with HUK  */
+    status = psa_key_derivation_input_key(&op, PSA_KEY_DERIVATION_INPUT_SECRET,
+                                          TFM_BUILTIN_KEY_ID_HUK);
+    if (status != PSA_SUCCESS) {
+        goto err_release_op;
+    }
+
+    /* Supply the PS key label as an input to the key derivation */
+    status = psa_key_derivation_input_bytes(&op, PSA_KEY_DERIVATION_INPUT_LABEL,
+                                            ctx->deriv_label,
+                                            ctx->deriv_label_size);
+    if (status != PSA_SUCCESS) {
+        goto err_release_op;
+    }
+
+    /* Create the storage key from the key derivation operation */
+    status = psa_key_derivation_output_key(&attributes, &op, &key);
+    if (status != PSA_SUCCESS) {
+        goto err_release_op;
+    }
+
+    /* Free resources associated with the key derivation operation */
+    status = psa_key_derivation_abort(&op);
+    if (status != PSA_SUCCESS) {
+        goto err_release_key;
+    }
+
+    if (encrypt) {
+        status = psa_aead_encrypt(key,
+                                  TFM_ITS_AEAD_ALG,
+                                  ctx->nonce,
+                                  ctx->nonce_size,
+                                  ctx->aad,
+                                  ctx->add_size,
+                                  plaintext,
+                                  plaintext_size,
+                                  ciphertext,
+                                  ciphertext_size,
+                                  &ciphertext_length);
+    } else {
+        status = psa_aead_decrypt(key,
+                                  TFM_ITS_AEAD_ALG,
+                                  ctx->nonce,
+                                  ctx->nonce_size,
+                                  ctx->aad,
+                                  ctx->add_size,
+                                  ciphertext,
+                                  ciphertext_size,
+                                  plaintext,
+                                  plaintext_size,
+                                  &ciphertext_length);
+    }
+    if(status != PSA_SUCCESS){
+        goto err_release_key;
+    }
+
+    /* copy tag from ciphertext buffer to tag buffer */
+    memcpy(tag, ciphertext + ciphertext_length - tag_length, tag_length);
+
+err_release_key:
+    (void)psa_destroy_key(key);
+
+    return status;
+
+err_release_op:
+    (void)psa_key_derivation_abort(&op);
+
+    return PSA_ERROR_GENERIC_ERROR;
+}
+
+enum tfm_hal_status_t tfm_hal_its_aead_encrypt(struct tfm_hal_its_auth_crypt_ctx *ctx,
+                                               const uint8_t *plaintext,
+                                               const size_t plaintext_size,
+                                               uint8_t *ciphertext,
+                                               const size_t ciphertext_size,
+                                               uint8_t *tag,
+                                               const size_t tag_size)
+{
+    psa_status_t status = tfm_hal_its_get_aead(ctx,
+                                               plaintext,
+                                               plaintext_size,
+                                               ciphertext,
+                                               ciphertext_size,
+                                               tag,
+                                               tag_size,
+                                               true);
+    if (status != PSA_SUCCESS) {
+        return TFM_HAL_ERROR_GENERIC;
+    }
+
+    return TFM_HAL_SUCCESS;
+}
+
+enum tfm_hal_status_t tfm_hal_its_aead_decrypt(struct tfm_hal_its_auth_crypt_ctx *ctx,
+                                               const uint8_t *ciphertext,
+                                               const size_t ciphertext_size,
+                                               uint8_t *tag,
+                                               const size_t tag_size,
+                                               uint8_t *plaintext,
+                                               const size_t plaintext_size)
+{
+    psa_status_t status = tfm_hal_its_get_aead(ctx,
+                                               ciphertext,
+                                               ciphertext_size,
+                                               plaintext,
+                                               plaintext_size,
+                                               tag,
+                                               tag_size,
+                                               false);
+
+    return TFM_HAL_SUCCESS;
+}
+

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

This allows select which UART instance is used for TF-M

Ref: NCSDK-25009
Signed-off-by: Markus Swarowsky <[email protected]>

diff --git a/platform/ext/target/nordic_nrf/common/core/cmsis_drivers/Driver_USART.c b/platform/ext/target/nordic_nrf/common/core/cmsis_drivers/Driver_USART.c
index d69a84fa6..f2ffaf1a6 100644

Signed-off-by: Markus Swarowsky <[email protected]>
--- a/platform/ext/target/nordic_nrf/common/core/cmsis_drivers/Driver_USART.c
+++ b/platform/ext/target/nordic_nrf/common/core/cmsis_drivers/Driver_USART.c
@@ -40,7 +40,8 @@

 #define ARM_USART_DRV_VERSION  ARM_DRIVER_VERSION_MAJOR_MINOR(2, 2)

-#if RTE_USART0 || RTE_USART1 || RTE_USART2 || RTE_USART3 || RTE_USART20 || RTE_USART30
+#if RTE_USART0 || RTE_USART1 || RTE_USART2 || RTE_USART3 || \
+    RTE_UART00 || RTE_USART20 || RTE_UART21 || RTE_UART22 || RTE_USART30

 #define PSEL_DISCONNECTED 0xFFFFFFFFUL

@@ -439,11 +440,22 @@ DRIVER_USART(2);
 DRIVER_USART(3);
 #endif

-// TODO: NCSDK-25009: Support choosing an instance for TF-M
+#if RTE_USART00
+DRIVER_USART(00);
+#endif
+
 #if RTE_USART20
 DRIVER_USART(20);
 #endif

+#if RTE_USART21
+DRIVER_USART(21);
+#endif
+
+#if RTE_USART22
+DRIVER_USART(22);
+#endif
+
 #if RTE_USART30
 DRIVER_USART(30);
 #endif
diff --git a/platform/ext/target/nordic_nrf/common/core/nrfx_config.h b/platform/ext/target/nordic_nrf/common/core/nrfx_config.h
index 1bbe75f6e..f76e49cdd 100644
--- a/platform/ext/target/nordic_nrf/common/core/nrfx_config.h
+++ b/platform/ext/target/nordic_nrf/common/core/nrfx_config.h
@@ -48,7 +48,8 @@

 #endif /* RTE_FLASH0 */

-#if RTE_USART0 || RTE_USART1 || RTE_USART2 || RTE_USART3 || RTE_USART20 || RTE_USART30
+#if RTE_USART0 || RTE_USART1 || RTE_USART2 || RTE_USART3 || \
+    RTE_USART00 || RTE_USART20 || RTE_USART21 || RTE_USART22 || RTE_USART30
 #define NRFX_UARTE_ENABLED 1
 #endif
 #if RTE_USART0
@@ -64,10 +65,19 @@
 #define NRFX_UARTE3_ENABLED 1
 #endif

-// TODO: NCSDK-25009: Moonlight: Make it possible to use different UARTS with TF-M
+/* 54L15 has different UART instances */
+#if RTE_USART00
+#define NRFX_UARTE00_ENABLED 1
+#endif
 #if RTE_USART20
 #define NRFX_UARTE20_ENABLED 1
 #endif
+#if RTE_USART21
+#define NRFX_UARTE21_ENABLED 1
+#endif
+#if RTE_USART22
+#define NRFX_UARTE22_ENABLED 1
+#endif
 #if RTE_USART30
 #define NRFX_UARTE30_ENABLED 1
 #endif
diff --git a/platform/ext/target/nordic_nrf/common/core/target_cfg.c b/platform/ext/target/nordic_nrf/common/core/target_cfg.c
index f4b8c534e..fa1a8eda6 100644
--- a/platform/ext/target/nordic_nrf/common/core/target_cfg.c
+++ b/platform/ext/target/nordic_nrf/common/core/target_cfg.c
@@ -44,6 +44,11 @@

 #endif

+#define SPU_ADDRESS_REGION    (0x50000000)
+#define GET_SPU_SLAVE_INDEX(periph) ((periph.periph_start & 0x0003F000) >> 12)
+#define GET_SPU_INSTANCE(periph) ((NRF_SPU_Type*)(SPU_ADDRESS_REGION | (periph.periph_start & 0x00FC0000)))
+
+
 #ifdef CACHE_PRESENT
 #include <hal/nrf_cache.h>
 #endif
@@ -263,6 +268,34 @@ struct platform_data_t tfm_peripheral_uarte3 = {
 };
 #endif

+#if TFM_PERIPHERAL_UARTE00_SECURE
+struct platform_data_t tfm_peripheral_uarte00 = {
+    NRF_UARTE00_S_BASE,
+    NRF_UARTE00_S_BASE + (sizeof(NRF_UARTE_Type) - 1),
+};
+#endif
+
+#if TFM_PERIPHERAL_UARTE20_SECURE
+struct platform_data_t tfm_peripheral_uarte20 = {
+    NRF_UARTE20_S_BASE,
+    NRF_UARTE20_S_BASE + (sizeof(NRF_UARTE_Type) - 1),
+};
+#endif
+
+#if TFM_PERIPHERAL_UARTE21_SECURE
+struct platform_data_t tfm_peripheral_uarte21 = {
+    NRF_UARTE21_S_BASE,
+    NRF_UARTE21_S_BASE + (sizeof(NRF_UARTE_Type) - 1),
+};
+#endif
+
+#if TFM_PERIPHERAL_UARTE22_SECURE
+struct platform_data_t tfm_peripheral_uarte22 = {
+    NRF_UARTE22_S_BASE,
+    NRF_UARTE22_S_BASE + (sizeof(NRF_UARTE_Type) - 1),
+};
+#endif
+
 #if TFM_PERIPHERAL_UARTE30_SECURE
 struct platform_data_t tfm_peripheral_uarte30 = {
     NRF_UARTE30_S_BASE,
@@ -1051,8 +1084,7 @@ enum tfm_plat_err_t spu_periph_init_cfg(void)
 			}
 		}

-		/* TODO: NCSDK-22597: Configure UART30 pins as secure */
-
+		/* TODO: NCSDK-22597: Make peripherals configurable */
 		for(uint8_t index = 0; index < ARRAY_SIZE(spu_instance->PERIPH); index++) {
 			if(!nrf_spu_periph_perm_present_get(spu_instance, index)) {
 				/* Peripheral is not present, nothing to configure */
@@ -1072,16 +1104,34 @@ enum tfm_plat_err_t spu_periph_init_cfg(void)
 			}

 			/* Note that we don't configure dmasec because it has no effect when secattr is non-secure */
-
-			/* nrf_spu_periph_perm_lock_enable TODO: NCSDK-25009: Lock it down without breaking TF-M UART */
 		}
 	}

-	/* Configure TF-M's UART30 peripheral to be secure with secure DMA */
+	/* Configure TF-M's UART peripheral to be secure with secure DMA */
+#if NRF_SECURE_UART_INSTANCE == 00
+    uint32_t UART_SPU_SLAVE_INDEX = GET_SPU_SLAVE_INDEX(tfm_peripheral_uarte00);
+    NRF_SPU_Type * p_spu_instance = GET_SPU_INSTANCE(tfm_peripheral_uarte00);
+#endif
+#if NRF_SECURE_UART_INSTANCE == 20
+    uint32_t UART_SPU_SLAVE_INDEX = GET_SPU_SLAVE_INDEX(tfm_peripheral_uarte20);
+    NRF_SPU_Type * p_spu_instance = GET_SPU_INSTANCE(tfm_peripheral_uarte20);
+#endif
+#if NRF_SECURE_UART_INSTANCE == 21
+    uint32_t UART_SPU_SLAVE_INDEX = GET_SPU_SLAVE_INDEX(tfm_peripheral_uarte21);
+    NRF_SPU_Type * p_spu_instance = GET_SPU_INSTANCE(tfm_peripheral_uarte21);
+#endif
+#if NRF_SECURE_UART_INSTANCE == 22
+    uint32_t UART_SPU_SLAVE_INDEX = GET_SPU_SLAVE_INDEX(tfm_peripheral_uarte22);
+    NRF_SPU_Type * p_spu_instance = GET_SPU_INSTANCE(tfm_peripheral_uarte22);
+#endif
+#if NRF_SECURE_UART_INSTANCE == 30
+    uint32_t UART_SPU_SLAVE_INDEX = GET_SPU_SLAVE_INDEX(tfm_peripheral_uarte30);
+    NRF_SPU_Type * p_spu_instance = GET_SPU_INSTANCE(tfm_peripheral_uarte30);
+#endif
 	bool enable = true; /* true means secure */
-	uint32_t UART30_SLAVE_INDEX = (NRF_UARTE30_S_BASE & 0x0003F000) >> 12;
-	nrf_spu_periph_perm_secattr_set(NRF_SPU30, UART30_SLAVE_INDEX, enable);
-	nrf_spu_periph_perm_dmasec_set(NRF_SPU30, UART30_SLAVE_INDEX, enable);
+	nrf_spu_periph_perm_secattr_set(p_spu_instance, UART_SPU_SLAVE_INDEX, enable);
+	nrf_spu_periph_perm_dmasec_set(p_spu_instance, UART_SPU_SLAVE_INDEX, enable);
+    nrf_spu_periph_perm_lock_enable(p_spu_instance,UART_SPU_SLAVE_INDEX);

 #else
 static const uint8_t target_peripherals[] = {
@@ -1114,9 +1164,13 @@ static const uint8_t target_peripherals[] = {
     /* When UART0 is a secure peripheral we need to leave Serial-Box 0 as Secure.
      * The UART Driver will configure it as non-secure when it uninitializes.
      */
+#if defined(NRF54L15_ENGA_XXAA)
+    NRFX_PERIPHERAL_ID_GET(NRF_SPIM00),
+#else
 #if !(defined(SECURE_UART1) && NRF_SECURE_UART_INSTANCE == 0)
     NRFX_PERIPHERAL_ID_GET(NRF_SPIM0),
-#endif
+#endif /* !(defined(SECURE_UART1) && NRF_SECURE_UART_INSTANCE == 0) */
+#endif /* NRF54L15_ENGA_XXAA */

     /* When UART1 is a secure peripheral we need to leave Serial-Box 1 as Secure */
 #if !(defined(SECURE_UART1) && NRF_SECURE_UART_INSTANCE == 1)
@@ -1124,9 +1178,19 @@ static const uint8_t target_peripherals[] = {
 #endif
     NRFX_PERIPHERAL_ID_GET(NRF_SPIM2),
     NRFX_PERIPHERAL_ID_GET(NRF_SPIM3),
-    /* When UART30 is a secure peripheral we need to leave Serial-Box 30 as Secure */
-#if !(defined(SECURE_UART1) && NRF_SECURE_UART_INSTANCE == 30)
-    // TODO: NCSDK-25009: spu_peripheral_config_non_secure((uint32_t)NRF_SPIM30, false);
+
+/* For Moonlight if a UART instance is selected to be the secure instance leave it as secure */
+#if NRF_SECURE_UART_INSTANCE == 20
+    NRFX_PERIPHERAL_ID_GET(NRF_SPIM20),
+#endif
+#if NRF_SECURE_UART_INSTANCE == 21
+    NRFX_PERIPHERAL_ID_GET(NRF_SPIM21),
+#endif
+#if NRF_SECURE_UART_INSTANCE == 22
+    NRFX_PERIPHERAL_ID_GET(NRF_SPIM22),
+#endif
+#if NRF_SECURE_UART_INSTANCE == 30
+    NRFX_PERIPHERAL_ID_GET(NRF_SPIM30),
 #endif

 #ifdef NRF_SPIM4
diff --git a/platform/ext/target/nordic_nrf/common/core/target_cfg.h b/platform/ext/target/nordic_nrf/common/core/target_cfg.h
index e430737c4..afa0f672a 100644
--- a/platform/ext/target/nordic_nrf/common/core/target_cfg.h
+++ b/platform/ext/target/nordic_nrf/common/core/target_cfg.h
@@ -35,22 +35,22 @@
 #include "tfm_plat_defs.h"
 #include "region_defs.h"

-// TODO: NCSDK-25009: Support configuring which UART is used by TF-M on nrf54L
-
 #if NRF_SECURE_UART_INSTANCE == 0
 #define TFM_DRIVER_STDIO    Driver_USART0
 #elif NRF_SECURE_UART_INSTANCE == 1
 #define TFM_DRIVER_STDIO    Driver_USART1
+#elif NRF_SECURE_UART_INSTANCE == 00
+#define TFM_DRIVER_STDIO    Driver_USART00
+#elif NRF_SECURE_UART_INSTANCE == 20
+#define TFM_DRIVER_STDIO    Driver_USART20
+#elif NRF_SECURE_UART_INSTANCE == 21
+#define TFM_DRIVER_STDIO    Driver_USART21
+#elif NRF_SECURE_UART_INSTANCE == 22
+#define TFM_DRIVER_STDIO    Driver_USART22
 #elif NRF_SECURE_UART_INSTANCE == 30
 #define TFM_DRIVER_STDIO    Driver_USART30
 #endif

-#ifdef NRF54L15_ENGA_XXAA
-#define NS_DRIVER_STDIO     Driver_USART20
-#else
-#define NS_DRIVER_STDIO     Driver_USART0
-#endif
-
 /**
  * \brief Store the addresses of memory regions
  */

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

Improve MPC configuration documentation.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: I191ca14ba8a6880217cc740a77ea2806af1e0d61
Signed-off-by: Markus Swarowsky <[email protected]>

diff --git a/platform/ext/target/nordic_nrf/common/core/target_cfg.c b/platform/ext/target/nordic_nrf/common/core/target_cfg.c
index fa1a8eda6..66929256a 100644
--- a/platform/ext/target/nordic_nrf/common/core/target_cfg.c
+++ b/platform/ext/target/nordic_nrf/common/core/target_cfg.c
@@ -963,10 +963,30 @@ enum tfm_plat_err_t nrf_mpc_init_cfg(void)
 	/* On 54l the NRF_MPC00->REGION[]'s are fixed in HW and the
 	 * OVERRIDE indexes (that are useful to us) start at 0 and end
 	 * (inclusive) at 4.
+	 *
+	 * Note that the MPC regions configure all volatile and non-volatile memory as secure, so we only
+	 * need to explicitly OVERRIDE the non-secure addresses to permit non-secure access.
+	 *
+	 * Explicitly configuring memory as secure is not necessary.
+	 *
+	 * The last OVERRIDE in 54L is fixed in HW and exists to prevent
+	 * other bus masters than the KMU from accessing CRACEN protected RAM.
+	 *
+	 * Note that we must take care not to configure an OVERRIDE that
+	 * affects an active bus transaction.
+	 *
+	 * Note that we don't configure the NSC region to be NS because
+	 * from the MPC's perspective it is secure. NSC is only configurable from the SAU.
+	 *
+	 * Note that OVERRIDE[n].MASTERPORT has a reasonable reset value
+	 * so it is left unconfigured.
+	 *
+	 * Note that there are two owners in 54L. KMU with owner ID 1, and everything else with owner ID 0.
 	 */
-	uint32_t index = 0;

-	/* Configure the non-secure partition of the non-volatile
+	uint32_t index = 0;
+	/*
+	 * Configure the non-secure partition of the non-volatile
 	 * memory. This MPC region is intended to cover both the
 	 * non-secure partition in the NVM and also the FICR. The FICR
 	 * starts after the NVM and ends just before the UICR.
@@ -1001,13 +1021,8 @@ enum tfm_plat_err_t nrf_mpc_init_cfg(void)
 		tfm_core_panic();
 	}

-	/* TODO: NCSDK-25050: Review configuration. Any other addresses we need to override? */

-	/* Note that we don't configure the NSC region to be NS because it is secure */

-	/* Note that OVERRIDE[n].MASTERPORT has a reasonable reset value
-	 * so it is left unconfigured.
-	 */

 	return TFM_PLAT_ERR_SUCCESS;
 }

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

Lock and disable any unused MPC overrides to prevent malicious
configuration.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: I1956f113012d6b67100d814a52d7ce1490663953

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

Adds handling of MPC and SPC errors.

Signed-off-by: Vidar Lillebø <[email protected]>

…e base addr

Refactor spu_peripheral_config to use base addresses instead of IDs as
future platforms will need the base address to identify which spu
instance to use.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: Ife60d1e76adffeb62f5ad32e0a85da8cfa467203

…resses

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

Refactor spu_peripheral_config to use base addresses instead of IDs as
future platforms will need the base address to identify which spu
instance to use.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: Ife60d1e76adffeb62f5ad32e0a85da8cfa467203

…tances

Add driver function.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: Ib1e442a54d599c4e42e74903d49920f24e9d8ec9

Port spu_peripheral_config to also support the new API.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: I1763874ce74ad39cbf0ef256ef8edc669038d226

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

Configure pins as secure on 54L.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: Id50ef81807c5109c01ed6405376f3cfa882c66e0

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

Delete dead code in target_cfg.c.

It is redundant with the memset.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: I96ffb4002d70a08c827d47fe87ae938b57731f0c

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

Refactor UART security configuration to use
spu_peripheral_config_secure.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: I00d21c4401fa7c67d51eaf14804c992262c73710

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

Configure misc. peripherals as Secure.

See the code for which peripherals and why.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: I3cf4f42d5d3bc0aa4dc266e0c1d8035ad69372a1

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

Due to dependencies problems between the ITS and crypto partitions
refactoring the ITS encryption interface to use the HUK library and the
cracen driver directly.

Signed-off-by: Markus Swarowsky <[email protected]>

…ecure

Dont configure the volatile memory controller as a non-secure peripheral

(cherry picked from commit c670a6af1f0a3d7d6389e8879e8de17c1bd442fe)

Change-Id: I2489defaf6deb89beba7447ba079ea3e5afebca5
Signed-off-by: Markus Rekdal <[email protected]>

Fix linking errors with psa_crypto_config observed in TFM test
applications.

To be reverted during the next TFM upmerge, as this isolated change is
already part of a larger commit upstream.

Signed-off-by: Robert Lubos <[email protected]>

!fixup [nrf noup] platform: nordic_nrf: Add support for 54l

Change the implementation for cracen ITS encryption to match
cryptocell.

Signed-off-by: Markus Swarowsky <[email protected]>

diff --git a/platform/ext/target/nordic_nrf/common/core/tfm_hal_its_encryption_cracen.c b/platform/ext/target/nordic_nrf/common/core/tfm_hal_its_encryption_cracen.c
index f75901622..8871bc2e9 100644

Signed-off-by: Markus Swarowsky <[email protected]>
--- a/platform/ext/target/nordic_nrf/common/core/tfm_hal_its_encryption_cracen.c
+++ b/platform/ext/target/nordic_nrf/common/core/tfm_hal_its_encryption_cracen.c
@@ -110,10 +110,10 @@ static bool ctx_is_valid(struct tfm_hal_its_auth_crypt_ctx *ctx)
 }

 psa_status_t tfm_hal_its_get_aead(struct tfm_hal_its_auth_crypt_ctx *ctx,
-                                  const uint8_t *plaintext,
-                                  const size_t plaintext_size,
-                                  uint8_t *ciphertext,
-                                  const size_t ciphertext_size,
+                                  const uint8_t *input,
+                                  const size_t input_size,
+                                  uint8_t *output,
+                                  const size_t output_size,
                                   uint8_t *tag,
                                   const size_t tag_size,
                                   bool encrypt)
@@ -121,7 +121,8 @@ psa_status_t tfm_hal_its_get_aead(struct tfm_hal_its_auth_crypt_ctx *ctx,
     psa_status_t status;
     uint8_t key_out[CHACHA20_KEY_SIZE];
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-    size_t ciphertext_length;
+    cracen_aead_operation_t operation = {0};
+    size_t out_length;
     size_t tag_length = PSA_AEAD_TAG_LENGTH(PSA_KEY_TYPE_CHACHA20,
                                             PSA_BYTES_TO_BITS(CHACHA20_KEY_SIZE),
                                             TFM_ITS_AEAD_ALG);
@@ -134,13 +135,12 @@ psa_status_t tfm_hal_its_get_aead(struct tfm_hal_its_auth_crypt_ctx *ctx,
         return TFM_HAL_ERROR_INVALID_INPUT;
     }

-    if (encrypt && (ciphertext_size < PSA_AEAD_ENCRYPT_OUTPUT_SIZE(PSA_KEY_TYPE_CHACHA20,
+    if (encrypt && (output_size < PSA_AEAD_ENCRYPT_OUTPUT_SIZE(PSA_KEY_TYPE_CHACHA20,
                                                                    TFM_ITS_AEAD_ALG,
-                                                                   plaintext_size))){
+                                                                   input_size))){
         return TFM_HAL_ERROR_INVALID_INPUT;
     }

-
     status = hw_unique_key_derive_key(HUK_KEYSLOT_MKEK, NULL, 0, ctx->deriv_label, ctx->deriv_label_size, key_out, sizeof(key_out));
     if (status != HW_UNIQUE_KEY_SUCCESS) {
         return TFM_HAL_ERROR_GENERIC;
@@ -152,40 +152,35 @@ psa_status_t tfm_hal_its_get_aead(struct tfm_hal_its_auth_crypt_ctx *ctx,
     psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(CHACHA20_KEY_SIZE));

     if (encrypt) {
-        status = cracen_aead_encrypt(&attributes,
-                                  key_out,
-                                  sizeof(key_out),
-                                  TFM_ITS_AEAD_ALG,
-                                  ctx->nonce,
-                                  ctx->nonce_size,
-                                  ctx->aad,
-                                  ctx->add_size,
-                                  plaintext,
-                                  plaintext_size,
-                                  ciphertext,
-                                  ciphertext_size,
-                                  &ciphertext_length);
+        status = cracen_aead_encrypt_setup(&operation, &attributes, key_out, sizeof(key_out), TFM_ITS_AEAD_ALG);
     } else {
-        status = cracen_aead_decrypt(&attributes,
-                                  key_out,
-                                  sizeof(key_out),
-                                  TFM_ITS_AEAD_ALG,
-                                  ctx->nonce,
-                                  ctx->nonce_size,
-                                  ctx->aad,
-                                  ctx->add_size,
-                                  plaintext,
-                                  plaintext_size,
-                                  ciphertext,
-                                  ciphertext_size,
-                                  &ciphertext_length);
-    }
-    if(status != PSA_SUCCESS){
+        status = cracen_aead_decrypt_setup(&operation, &attributes, key_out, sizeof(key_out), TFM_ITS_AEAD_ALG);
+    }
+
+    if (status != PSA_SUCCESS) {
+        return status;
+    }
+
+    status = cracen_aead_set_nonce(&operation, ctx->nonce, ctx->nonce_size);
+    if (status != PSA_SUCCESS) {
         return status;
     }

-    /* copy tag from ciphertext buffer to tag buffer */
-    memcpy(tag, ciphertext + ciphertext_length - tag_length, tag_length);
+    status = cracen_aead_update_ad(&operation, ctx->aad, ctx->add_size);
+    if (status != PSA_SUCCESS) {
+        return status;
+    }
+
+    status = cracen_aead_update(&operation, input, input_size, output, output_size, &out_length);
+    if (status != PSA_SUCCESS) {
+        return status;
+    }
+
+    if (encrypt) {
+        status = cracen_aead_finish(&operation, output + out_length, output_size - out_length, &out_length, tag, tag_size, &tag_length);
+    } else {
+        status = cracen_aead_verify(&operation, output + out_length, output_size - out_length, &out_length , tag, tag_size);
+    }

     return status;
 }

Version check depends on upstream's tagging scheme which differs
from NCS's

Signed-off-by: Vidar Lillebø <[email protected]>

Configure NRF_REGULATORS and NRF_OSCILLATORS as secure for security
reasons.

Also, invoke nordicsemi_nrf54l_init from TF-M as the non-secure image
can no longer configure power or clocks.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: I9bc7f2b158c0ad9da0c434954c9619da5b70d754

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

Remove TODO that has been addressed.

VPR is configured to be non-secure when NRF_SPU is memset to 0.

Signed-off-by: Sebastian Bøe <[email protected]>
Change-Id: I8f1ee39a51f0d87855d2476b6337994cea5901f5

There are some hardware registers in Nordic platforms
which are mapped as secure only. In order to allow the
non-secure application to control these registers I added
here a secure service which allows 32-bit writes to secure
mapped memory. The writes are only allowed on  addresses and
masks defined in a header list. It is also possible to
provide an allowed_values list in order to further limit
the accepted values.

Renamed:  tfm_read_ranges.h -> tfm_platform_user_memory_ranges.h
since now it can be used for both reads and writes.

The list in the current platforms is empty and might be populated
later.

Signed-off-by: Georgios Vasilakis <[email protected]>
Change-Id: Ifa31ba73ec07b216a7e987653255fcc6e9d3989c
(cherry picked from commit 57b33427d15fbbb966ee3991c1ae4471364259b4)

Add a custom section in the linker script for the CRACEN KMU
driver use by nRF54L15. We need a buffer in a static memory
location which wil be used by the KMU to perform push
operations.

It's a noup since the KMU is not supported fully upstream
yet.

Ref: NCSDK-25121

Signed-off-by: Georgios Vasilakis <[email protected]>

Adds support for handling secure interrupts and secure peripherals
for nRF54L.

Signed-off-by: Vidar Lillebø <[email protected]>

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

Adding missing definitions for UART ports to build the regression tests

Ref: NCSDK-27431
Signed-off-by: Markus Swarowsky <[email protected]>

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

Adding missing definitions for UART ports to build the regression tests

Ref: NCSDK-27431
Signed-off-by: Markus Swarowsky <[email protected]>

The check for whether file should be encrypted, and be fully written
missed some PS usage.

Upstream-PR: https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/30056
Signed-off-by: Vidar Lillebø <[email protected]>
Change-Id: Ifa7fe00e511a6071b2b5c455df84b8e4f0535c84

!fixup [nrf noup] platform: ext: nordic_nrf: Custom nRF54L15 linker file

This was missed in a previous commit without this the linker will place
the initialization of this global variable which is 0 at the address of
S_DATA_START in Flash, now it will be discarded.

Ref. NCSDK-25121

Signed-off-by: Sigvart Hovland <[email protected]>

NRF_APPROTECT and NRF_SECURE_APPROTECT
to take precedence over other mechanisms when configuring
debugging for TF-M.

For nRF53 and nRF91x1 the actual locking of firmware is done
elsewhere. This further locks the UICR.

nRF9160 supports only hardware APPROTECT. This will lock the
APPROTECT / SECUREAPPROTECT in the next boot, when the above
settings are configured.

Change-Id: I5e304be0f8a34c0016488d9ec09929bbcb38481f
Signed-off-by: Markus Lassila <[email protected]>
(cherry picked from commit 734a51d3b18422ad516e08e7ddc107e921d64180)

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

Clear the MPC events before you enable the MPC interrupt.

Signed-off-by: Georgios Vasilakis <[email protected]>

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

MPC triggers a MEMACCERR even when address 0xFFFFFFFE is
accessed. This is an issue since this addres is very commonly
acccesed by GDB because of some return values in TF-M.

This update the MPC handler to return execution if it
is triggered for this address.

Ref: NCSDK-28128

Signed-off-by: Georgios Vasilakis <[email protected]>

fixup! [nrf noup] platform: nordic_nrf: Add support for 54l

Removed an ifdef which was never used because it was included
in the else statement with the same symbol.

In nRF54L by default we configure all peripherals as non-secure and
then we excplicitely configure as secure the ones needed. So this
was in other case not needed.

Signed-off-by: Georgios Vasilakis <[email protected]>

On certain nRF plaforms, like nRF9160, reading UICR registers
might need special handling, which is already implemented in
nrfx_nvmc_uicr_word_read() so use that, instead on memcpy().

For more information, see nRF9160 Errata 7.

Change-Id: Iea9d0bf4184decd5650b4d4b620fbef0c64a55f6
Signed-off-by: Seppo Takalo <[email protected]>
(cherry picked from commit ca03e40149cc7a376c7d8f5511df60431b832929)

The anomaly only appears on nRF91 platforms and some
platforms do not have NVMC so the header cannot be
included.

Change-Id: I02c73c9a752599ca9be9320dc19f390aea0f767a
Signed-off-by: Seppo Takalo <[email protected]>
(cherry picked from commit 539dd8949b2f7a9785f447907dfc1e242eeb0965)

Fix incorrect error code to align with what TFM_S_ITS_TEST_1020 expects.

Change-Id: I1a5ac1440a4784953f0ae28220dd79b2cf1fc596
Signed-off-by: Vidar Lillebø <[email protected]>
(cherry picked from commit 26d594c472b58bf1391b910d86c1457e7e64bb49)