Security
This section provides an overview of core security features available in Nordic Semiconductor products. The features are made available either as built-ins in modules, drivers, and subsystems, or are shown in samples or applications in nRF Connect SDK.
The nRF Connect SDK v3.3.0 allows you to develop applications with the following versions of security components:
nRF Connect SDK release |
TF-M version |
IronSide Secure Enclave version |
Mbed TLS version |
|---|---|---|---|
v3.3.0 |
v2.2.2 |
v23.7.0+30 |
3.6.6 |
Upcoming release (currently on the |
v2.3.0 |
v23.7.0+30 |
3.6.6 |
Expand the following section to see the table listing versions of different security components implemented since the nRF Connect SDK v2.1.0.
Note
Not all official TF-M releases are implemented by the nRF Connect SDK. This is because the nRF Connect SDK implements TF-M through Zephyr. Zephyr adds specific patches to the TF-M version, which are then upmerged into the nRF Connect SDK with changes specific to the nRF Connect SDK.
Similarly, not all official Mbed TLS releases are implemented by the nRF Connect SDK through the sdk-mbedtls repository.
nRF Connect SDK release |
TF-M version |
IronSide Secure Enclave version |
Mbed TLS version |
|---|---|---|---|
Upcoming release (currently on the |
v2.3.0 |
v23.7.0+30 |
3.6.6 |
v3.3.0 |
v2.2.2 |
v23.7.0+30 |
3.6.6 |
v3.2.0 |
v2.2.0 |
v23.7.0+30 |
3.6.5 |
v3.1.0, v3.1.1 |
v2.1.2 |
n/a |
3.6.4 |
v3.0.0 (up to v3.0.2) |
v2.1.1 |
n/a |
3.6.3 |
v2.9.0 (up to v2.9.2) |
v2.1.1 |
n/a |
3.6.2 |
v2.8.0 |
v2.1.1 |
n/a |
3.6.2 |
v2.7.0 |
v2.0.0 |
n/a |
3.5.2 |
v2.6.0 (up to v2.6.4) |
v2.0.0 |
n/a |
3.5.2 |
v2.5.0 (up to v2.5.3) |
v1.8.0 |
n/a |
3.3.0 |
v2.4.0 (up to v2.4.4) |
v1.7.0 |
n/a |
3.3.0 |
v2.3.0 |
v1.6.0 |
n/a |
3.1.0 |
v2.2.0 |
v1.6.0 |
n/a |
3.1.0 |
v2.1.0 (up to v2.1.4) |
v1.6.0 |
n/a |
3.1.0 |
The following table lists the available general security features. Some of them are documented in detail in other parts of this documentation, while others are documented in the subpages in this section.
Security feature
Description
Configuration
Related components
Access port protection (AP-Protect)
When enabled, this mechanism blocks the debugger from read and write access to all CPU registers and memory-mapped addresses.
—
Bootloader and Device Firmware Upgrade (DFU)
The nRF Connect SDK supports MCUboot and nRF Secure Immutable Bootloader (NSIB) for secure boot, and DFU procedures using MCUboot.
See Bootloaders and DFU.
Cryptographic operations
The nRF Connect SDK follows the PSA Crypto standard and provides two different implementations, Oberon PSA Crypto and TF-M Crypto Service. The nRF Security library acts as an orchestrator for the different cryptographic libraries available in the system. HW accelerated libraries are prioritized over SW libraries when both are enabled.
CONFIG_NRF_SECURITY(more info)Trusted Firmware-M (TF-M)
TF-M is the reference implementation of Platform Security Architecture (PSA). On boards with the /ns variant, TF-M is used to configure and boot an application with security by separation.
Processing environments (CMSE)
The boards supported by the SDK distinguish entries according to which CPU is to be targeted (for multi-core SoCs) and whether Cortex-M Security Extensions (CMSE) are used or not. When CMSE is used, the firmware is split in accordance with the security by separation architecture principle to better protect sensitive assets and code. In the nRF Connect SDK, the CMSE support is implemented using Trusted Firmware-M (TF-M).
All samples and applications that support the
*/nsvariant of the boards.Secure storage
Secure storage enables you to provide features like integrity, confidentiality and authenticity of the stored data, with or without TF-M.
Hardware unique key (HUK)
Nordic Semiconductor devices featuring the CryptoCell cryptographic accelerator allow the usage of a hardware unique key (HUK) for key derivation. A HUK is a unique symmetric cryptographic key which is loaded in special hardware registers allowing the application to use the key by reference, without any access to the key material.