nrfconnect · carlescufi · May 22, 2026 · May 8, 2026 · May 10, 2026 · May 11, 2026
diff --git a/cmake/install.cmake b/cmake/install.cmake
@@ -83,7 +83,6 @@ endif()
 
 if (TFM_PARTITION_CRYPTO)
         if(PSA_CRYPTO_EXTERNAL_CORE)
-                include(${TFM_BOARDS_NRF_DIR}/external_core_install.cmake)
                 install(FILES       ${INTERFACE_INC_DIR}/tfm_crypto_defs.h
                         DESTINATION ${INSTALL_INTERFACE_INC_DIR})
         else()

diff --git a/interface/src/tfm_crypto_api.c b/interface/src/tfm_crypto_api.c
@@ -85,36 +85,6 @@ TFM_CRYPTO_API(int, psa_can_do_cipher)(psa_key_type_t key_type, psa_algorithm_t
     return (int)true;
 }
 
-TFM_CRYPTO_API(psa_status_t, psa_open_key)(psa_key_id_t id,
-                                           psa_key_id_t *key)
-{
-    const struct tfm_crypto_pack_iovec iov = {
-        .function_id = TFM_CRYPTO_OPEN_KEY_SID,
-        .key_id = id,
-    };
-    psa_invec in_vec[] = {
-        {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
-    };
-    psa_outvec out_vec[] = {
-        {.base = key, .len = sizeof(psa_key_id_t)},
-    };
-
-    return API_DISPATCH(in_vec, out_vec);
-}
-
-TFM_CRYPTO_API(psa_status_t, psa_close_key)(psa_key_id_t key)
-{
-    const struct tfm_crypto_pack_iovec iov = {
-        .function_id = TFM_CRYPTO_CLOSE_KEY_SID,
-        .key_id = key,
-    };
-    psa_invec in_vec[] = {
-        {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
-    };
-
-    return API_DISPATCH_NO_OUTVEC(in_vec);
-}
-
 TFM_CRYPTO_API(psa_status_t, psa_import_key)(const psa_key_attributes_t *attributes,
                                              const uint8_t *data,
                                              size_t data_length,

diff --git a/platform/ext/common/template/tfm_hal_its_encryption.c b/platform/ext/common/template/tfm_hal_its_encryption.c
@@ -57,14 +57,14 @@ static uint8_t g_enc_nonce_seed[TFM_ITS_ENC_NONCE_LENGTH -
 #endif
 
 /* Copy PS solution */
-static psa_status_t its_crypto_setkey(psa_key_handle_t *its_key,
+static psa_status_t its_crypto_setkey(psa_key_id_t *its_key,
                                       const uint8_t *key_label,
                                       size_t key_label_len)
 {
     psa_status_t status;
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
     psa_key_derivation_operation_t op = PSA_KEY_DERIVATION_OPERATION_INIT;
-    psa_key_handle_t seed_key = mbedtls_svc_key_id_make(TFM_SP_ITS, TFM_BUILTIN_KEY_ID_HUK);
+    psa_key_id_t seed_key = mbedtls_svc_key_id_make(TFM_SP_ITS, TFM_BUILTIN_KEY_ID_HUK);
 
     if (key_label_len == 0 || key_label == NULL) {
         return PSA_ERROR_INVALID_ARGUMENT;
@@ -182,7 +182,7 @@ enum tfm_hal_status_t tfm_hal_its_aead_encrypt(
 {
 
     psa_status_t status;
-    psa_key_handle_t its_key = PSA_KEY_HANDLE_INIT;
+    psa_key_id_t its_key = PSA_KEY_HANDLE_INIT;
     size_t ciphertext_length;
 
     if (!ctx_is_valid(ctx) || tag == NULL) {
@@ -232,7 +232,7 @@ enum tfm_hal_status_t tfm_hal_its_aead_decrypt(
                                         const size_t plaintext_size)
 {
     psa_status_t status;
-    psa_key_handle_t its_key = PSA_KEY_HANDLE_INIT;
+    psa_key_id_t its_key = PSA_KEY_HANDLE_INIT;
     size_t ciphertext_and_tag_size, out_len;
 
     if (!ctx_is_valid(ctx) || tag == NULL) {
@@ -271,4 +271,3 @@ enum tfm_hal_status_t tfm_hal_its_aead_decrypt(
 
     return TFM_HAL_SUCCESS;
 }
-
diff --git a/platform/ext/target/arm/mps4/common/crypto_keys.c b/platform/ext/target/arm/mps4/common/crypto_keys.c
@@ -60,8 +60,8 @@ static enum tfm_plat_err_t tfm_plat_get_iak(const void *ctx,
     enum kmu_error_t kmu_err;
     psa_key_attributes_t seed_attributes = PSA_KEY_ATTRIBUTES_INIT;
     psa_key_attributes_t transient_attr = PSA_KEY_ATTRIBUTES_INIT;
-    psa_key_handle_t seed_key = PSA_KEY_HANDLE_INIT;
-    psa_key_handle_t transient_key = PSA_KEY_HANDLE_INIT;
+    psa_key_id_t seed_key = PSA_KEY_HANDLE_INIT;
+    psa_key_id_t transient_key = PSA_KEY_HANDLE_INIT;
     psa_key_derivation_operation_t op = PSA_KEY_DERIVATION_OPERATION_INIT;
 
     (void)ctx;

diff --git a/platform/ext/target/arm/rse/common/crypto_keys.c b/platform/ext/target/arm/rse/common/crypto_keys.c
@@ -60,8 +60,8 @@ static enum tfm_plat_err_t tfm_plat_get_iak(const void *ctx,
     enum kmu_error_t kmu_err;
     psa_key_attributes_t seed_attributes = PSA_KEY_ATTRIBUTES_INIT;
     psa_key_attributes_t transient_attr = PSA_KEY_ATTRIBUTES_INIT;
-    psa_key_handle_t seed_key = PSA_KEY_HANDLE_INIT;
-    psa_key_handle_t transient_key = PSA_KEY_HANDLE_INIT;
+    psa_key_id_t seed_key = PSA_KEY_HANDLE_INIT;
+    psa_key_id_t transient_key = PSA_KEY_HANDLE_INIT;
     psa_key_derivation_operation_t op = PSA_KEY_DERIVATION_OPERATION_INIT;
 
     if (buf_len < PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(ATTEST_KEY_BITS)) {

diff --git a/platform/ext/target/stm/common/secure_element/stsafea/se_psa/se_psa.c b/platform/ext/target/stm/common/secure_element/stsafea/se_psa/se_psa.c
@@ -116,11 +116,11 @@ psa_status_t se_st_to_psa_error(int32_t  ret)
 static psa_status_t register_key_in_all_domain(mbedtls_svc_key_id_t key,
                                                psa_key_attributes_t *attr) {
   psa_status_t psa_status = PSA_ERROR_GENERIC_ERROR;
-  
-  
-  psa_key_handle_t key_handle;
-    
-    
+
+
+  psa_key_id_t key_handle;
+
+
  /* check if keys are present */
   SE_ST_PSA_PRINT("checking key existance %x\n", key.MBEDTLS_PRIVATE(key_id));
   psa_status = psa_open_key(key, &key_handle);
@@ -142,7 +142,7 @@ static psa_status_t register_key_in_all_domain(mbedtls_svc_key_id_t key,
   }
 
 exit:
-  
+
   return psa_status;
 }
 
@@ -204,7 +204,7 @@ static psa_status_t register_se_keys(void)
     /* check if keys are present */
 #ifdef TOP_CHECK_KEY
     mbedtls_svc_key_id_t key_id = {0,tfm_nspm_get_current_client_id()};
-    psa_key_handle_t key_handle;
+    psa_key_id_t key_handle;
 
     key_id.MBEDTLS_PRIVATE(key_id) = SE_ST_ID_TO_PSA_ID(SE_ST_SERIAL_NUMBER);
     psa_status = psa_open_key(key_id, &key_handle);
@@ -237,7 +237,7 @@ static psa_status_t psa_se_st_init(psa_drv_se_context_t *drv_context,
   /* Not used by SE_API */
   if (drv_context == NULL)
   {
-    
+
     return PSA_ERROR_INVALID_ARGUMENT;
   }
   memset(&se_st_t_ctx, 0, sizeof(se_st_t_ctx));
@@ -249,7 +249,7 @@ static psa_status_t psa_se_st_init(psa_drv_se_context_t *drv_context,
   if (location != PSA_SE_ST_LOCATION)
   {
     SE_ST_PSA_PRINT("Invalid driver\n");
-    
+
     return PSA_ERROR_GENERIC_ERROR;
   }
 
@@ -278,12 +278,12 @@ static psa_status_t psa_se_st_validate_slot_number_fct(
   psa_key_slot_number_t key_slot)
 {
   psa_key_type_t type = psa_get_key_type(attributes);
-  
+
   /* support registration and import only for memory region */
   if (method != PSA_KEY_CREATION_REGISTER)
   {
     SE_ST_PSA_PRINT("Key slot validation cannot operate with method : %x\n", method);
-    
+
     return PSA_ERROR_NOT_SUPPORTED;
   }
   /* if type = PSA_KEY_TYPE_RAW_DATA check if SE_ST_SERIAL_NUMBER */
@@ -300,16 +300,16 @@ static psa_status_t psa_se_st_validate_slot_number_fct(
   }
 
   /* if already exists do not return error */
-  
+
   return PSA_SUCCESS;
 }
 
 /**
   * @brief   psa_se_st_export_public_fct
-  *          
+  *
   * @note    Not implemented
   *
-  * @param   drv_context 
+  * @param   drv_context
   * @param   key
   * @param   p_data
   * @param   data_size
@@ -328,15 +328,15 @@ static psa_status_t psa_se_st_export_public_fct(psa_drv_se_context_t *drv_contex
 
 /**
   * @brief   psa_se_st_gen_key_fct
-  *          
+  *
   * @note    Not implemented
   *
-  * @param   drv_context 
-  * @param   key_slot 
-  * @param   attributes 
-  * @param   pubkey 
-  * @param   pubkey_size 
-  * @param   pubkey_length 
+  * @param   drv_context
+  * @param   key_slot
+  * @param   attributes
+  * @param   pubkey
+  * @param   pubkey_size
+  * @param   pubkey_length
   * @retval  PSA_ERROR_NOT_SUPPORTED
   */
 static psa_status_t psa_se_st_gen_key_fct(
@@ -350,7 +350,7 @@ static psa_status_t psa_se_st_gen_key_fct(
 
 /**
   * @brief   psa_se_st_import_fct
-  *         
+  *
   * @note    PSA_ERROR_NOT_SUPPORTED
   *
   * @param   drv_context
@@ -389,14 +389,14 @@ static void byte2char(uint8_t b, uint8_t *c)
 
 static psa_status_t psa_se_st_get_serial(uint8_t *data, size_t data_size, size_t *p_data_length)
 {
-  uint8_t sn_data[] = { 0x14, 0x11, 0xFC, 0xBE };  
+  uint8_t sn_data[] = { 0x14, 0x11, 0xFC, 0xBE };
   uint8_t r_data[100];
   uint8_t *sn = &r_data[10];
   int32_t ret = 0;
   if (data_size < 9)
   {
     SE_ST_PSA_PRINT("Serial Number cannot be set in a buffer of size : %d\n", data_size);
-    
+
     return PSA_ERROR_BUFFER_TOO_SMALL;
   }
 
@@ -410,7 +410,7 @@ static psa_status_t psa_se_st_get_serial(uint8_t *data, size_t data_size, size_t
   {
     return PSA_ERROR_HARDWARE_FAILURE;
   }
-  
+
   if (data_size >= 19)
   {
     for (int i = 0; i < 9; i++)
@@ -435,17 +435,17 @@ static psa_status_t psa_se_st_get_serial(uint8_t *data, size_t data_size, size_t
   if (ret != 0)
   {
     SE_ST_PSA_PRINT("Serial Number cannot be recovered\n");
-    
+
     return PSA_ERROR_HARDWARE_FAILURE;
   }
-  
+
   return PSA_SUCCESS;
 }
 
 /**
   * @brief   psa_se_st_export_fct
   *          export serial number from SE
-  * @note    
+  * @note
   *
   * @param   drv_context : psa_drv_se_context_t structure to keep persistent data and transient data
   * @param   key_slot : internal key index
@@ -462,12 +462,12 @@ static psa_status_t psa_se_st_export(psa_drv_se_context_t *drv_context,
                               size_t *p_data_length)
 {
   const uint16_t slot = key;
-  
+
   switch (slot)
   {
     case SE_ST_SERIAL_NUMBER :
     {
-      return psa_se_st_get_serial(data, data_size, p_data_length);      
+      return psa_se_st_get_serial(data, data_size, p_data_length);
     }
     default:
       return PSA_ERROR_NOT_SUPPORTED;
@@ -477,7 +477,7 @@ static psa_status_t psa_se_st_export(psa_drv_se_context_t *drv_context,
 
 /**
   * @brief   psa_se_st_allocate_key
-  *          
+  *
   *
   * @param   drv_context
   * @param   persistent_data
@@ -625,4 +625,3 @@ int se_st_engine_init(void)
     return 0;
 }
 #endif /* PSA_USE_SE_ST */
-
diff --git a/secure_fw/partitions/crypto/crypto_key_management.c b/secure_fw/partitions/crypto/crypto_key_management.c
@@ -66,22 +66,6 @@ psa_status_t tfm_crypto_key_management_interface(psa_invec in_vec[],
         *key_id = CRYPTO_LIBRARY_GET_KEY_ID(library_key);
     }
     break;
-    case TFM_CRYPTO_OPEN_KEY_SID:
-    {
-        psa_key_id_t *key_id = out_vec[0].base;
-        if ((out_vec[0].base == NULL) || (out_vec[0].len < sizeof(psa_key_id_t))) {
-            return PSA_ERROR_PROGRAMMER_ERROR;
-        }
-
-        status = psa_open_key(library_key, &library_key);
-        *key_id = CRYPTO_LIBRARY_GET_KEY_ID(library_key);
-    }
-    break;
-    case TFM_CRYPTO_CLOSE_KEY_SID:
-    {
-        status = psa_close_key(library_key);
-    }
-    break;
     case TFM_CRYPTO_DESTROY_KEY_SID:
     {
         status = psa_destroy_key(library_key);

diff --git a/secure_fw/partitions/crypto/crypto_library.c b/secure_fw/partitions/crypto/crypto_library.c
@@ -40,7 +40,7 @@
  * \brief This Mbed TLS include is needed to retrieve version information for
  *        display
  */
-#include "mbedtls/version.h"
+//#include "mbedtls/version.h"
 
 #ifndef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
 #error "MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER must be selected in Mbed TLS config file"
@@ -82,7 +82,7 @@ tfm_crypto_library_key_id_t tfm_crypto_library_key_id_init(int32_t owner, psa_ke
 
 char *tfm_crypto_library_get_info(void)
 {
-    memcpy(mbedtls_version_full, MBEDTLS_VERSION_STRING_FULL, sizeof(MBEDTLS_VERSION_STRING_FULL));
+    //memcpy(mbedtls_version_full, MBEDTLS_VERSION_STRING_FULL, sizeof(MBEDTLS_VERSION_STRING_FULL));
     return mbedtls_version_full;
 }
 

diff --git a/secure_fw/partitions/crypto/crypto_spe.h b/secure_fw/partitions/crypto/crypto_spe.h
@@ -77,10 +77,6 @@
         PSA_FUNCTION_NAME(psa_aead_verify)
 #define psa_aead_abort \
         PSA_FUNCTION_NAME(psa_aead_abort)
-#define psa_open_key \
-        PSA_FUNCTION_NAME(psa_open_key)
-#define psa_close_key \
-        PSA_FUNCTION_NAME(psa_close_key)
 #define psa_import_key \
         PSA_FUNCTION_NAME(psa_import_key)
 #define psa_destroy_key \

diff --git a/secure_fw/partitions/initial_attestation/attest_core.c b/secure_fw/partitions/initial_attestation/attest_core.c
@@ -522,7 +522,7 @@ static enum psa_attest_err_t attest_get_t_cose_algorithm(
 {
     psa_status_t status;
     psa_key_attributes_t attr;
-    psa_key_handle_t handle = TFM_BUILTIN_KEY_ID_IAK;
+    psa_key_id_t handle = TFM_BUILTIN_KEY_ID_IAK;
     psa_key_type_t key_type;
 
     status = psa_get_key_attributes(handle, &attr);

diff --git a/secure_fw/partitions/initial_attestation/attest_token_encode.c b/secure_fw/partitions/initial_attestation/attest_token_encode.c
@@ -100,7 +100,7 @@ attest_token_encode_start(struct attest_token_encode_ctx *me,
                           int32_t cose_alg_id,
                           const struct q_useful_buf *out_buf)
 {
-    psa_key_handle_t key_handle = TFM_BUILTIN_KEY_ID_IAK;
+    psa_key_id_t key_handle = TFM_BUILTIN_KEY_ID_IAK;
     struct t_cose_key attest_key;
     enum psa_attest_err_t attest_ret;
     enum t_cose_err_t cose_ret;
@@ -233,7 +233,7 @@ attest_token_encode_start(struct attest_token_encode_ctx *me,
     enum psa_attest_err_t attest_ret;
     enum t_cose_err_t cose_ret;
     struct t_cose_key attest_key;
-    psa_key_handle_t private_key = TFM_BUILTIN_KEY_ID_IAK;
+    psa_key_id_t private_key = TFM_BUILTIN_KEY_ID_IAK;
     struct q_useful_buf_c attest_key_id = NULL_Q_USEFUL_BUF_C;
 
     /* Remember some of the configuration values */