nrfconnect · Vge0rge · Jun 2, 2026 · May 28, 2026 · May 28, 2026 · Apr 28, 2026
diff --git a/.github/workflows/manifest-PR.yml b/.github/workflows/manifest-PR.yml
@@ -0,0 +1,39 @@
+name: handle manifest PR
+on:
+  pull_request_target:
+    types: [opened, synchronize, closed, reopened]
+    branches:
+      - main
+      - ncs-v*-branch
+
+permissions:
+  contents: read
+
+jobs:
+  call-manifest-pr-action:
+    runs-on: ubuntu-latest
+    outputs:
+      base-branch: ${{ steps.set-base-branch.outputs.base_branch }}
+    steps:
+      #      Determine the base branch:
+      #        * sdk-zephyr/main -> sdk-nrf/main
+      #        * sdk-zephyr/ncs-vX.Y-branch -> sdk-nrf/vX.Y-branch
+      - name: Set base branch
+        id: set-base-branch
+        run: |
+          if [[ "${{ github.event.pull_request.base.ref }}" == "main" ]]; then
+            echo "base_branch=main" >> "$GITHUB_OUTPUT"
+          elif [[ "${{ github.event.pull_request.base.ref }}" =~ ^ncs-(v[0-9]+\.[0-9]+-branch)$ ]]; then
+            branch_name="${{ github.event.pull_request.base.ref }}"
+            branch_name="${branch_name#ncs-}"
+            echo "base_branch=${branch_name}" >> "$GITHUB_OUTPUT"
+          else
+            echo "Error: Unsupported base branch: ${{ github.event.pull_request.base.ref }}" >&2
+            exit 1
+          fi
+      - name: handle manifest PR
+        uses: nrfconnect/action-manifest-pr@main
+        with:
+          token: ${{ secrets.NCS_GITHUB_TOKEN }}
+          manifest-pr-title-details: ${{ github.event.pull_request.title }}
+          base-branch: ${{ steps.set-base-branch.outputs.base_branch }}
diff --git a/cmake/install.cmake b/cmake/install.cmake
@@ -105,9 +105,6 @@ if (TFM_PARTITION_CRYPTO)
                             ${INTERFACE_INC_DIR}/psa/crypto.h
                             ${INTERFACE_INC_DIR}/psa/crypto_compat.h
                             ${INTERFACE_INC_DIR}/psa/crypto_driver_common.h
-                            ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_composites.h
-                            ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_key_derivation.h
-                            ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_primitives.h
                             ${INTERFACE_INC_DIR}/psa/crypto_driver_random.h
                             ${INTERFACE_INC_DIR}/psa/crypto_extra.h
                             ${INTERFACE_INC_DIR}/psa/crypto_platform.h
@@ -335,9 +332,14 @@ install(FILES       ${MBEDTLS_PSA_CRYPTO_PLATFORM_FILE}
 
 target_compile_definitions(psa_crypto_config
         INTERFACE
-        $<INSTALL_INTERFACE:TFM_PSA_CRYPTO_CLIENT_ONLY>
-        $<INSTALL_INTERFACE:TF_PSA_CRYPTO_CONFIG_FILE="$<INSTALL_PREFIX>/${INSTALL_INTERFACE_INC_DIR}/mbedtls/tf_psa_crypto_config.h">
-        $<INSTALL_INTERFACE:$<$<BOOL:${MBEDTLS_PSA_CRYPTO_PLATFORM_FILE}>:MBEDTLS_PSA_CRYPTO_PLATFORM_FILE="$<INSTALL_PREFIX>/${INSTALL_INTERFACE_INC_DIR}/mbedtls/tfm_mbedtls_psa_crypto_platform.h">>)
+        $<INSTALL_INTERFACE:TFM_PSA_CRYPTO_CLIENT_ONLY>)
+
+if(NOT PSA_CRYPTO_EXTERNAL_CORE)
+    target_compile_definitions(psa_crypto_config
+            INTERFACE
+            $<INSTALL_INTERFACE:TF_PSA_CRYPTO_CONFIG_FILE="$<INSTALL_PREFIX>/${INSTALL_INTERFACE_INC_DIR}/mbedtls/tf_psa_crypto_config.h">
+            $<INSTALL_INTERFACE:$<$<BOOL:${MBEDTLS_PSA_CRYPTO_PLATFORM_FILE}>:MBEDTLS_PSA_CRYPTO_PLATFORM_FILE="$<INSTALL_PREFIX>/${INSTALL_INTERFACE_INC_DIR}/mbedtls/tfm_mbedtls_psa_crypto_platform.h">>)
+endif()
 
 # Install config files and remap tfm_config definitions to point to them
 if(PROJECT_CONFIG_HEADER_FILE)

diff --git a/cmake/remote_library.cmake b/cmake/remote_library.cmake
@@ -134,6 +134,11 @@ function(fetch_remote_library)
     else()
         string(TOUPPER ${ARG_LIB_NAME} ARG_LIB_NAME_UPCASE)
         set(FETCHCONTENT_SOURCE_DIR_${ARG_LIB_NAME_UPCASE} ${${ARG_LIB_SOURCE_PATH_VAR}})
+
+        # User-supplied source path: do not let MakeAvailable add_subdirectory it,
+        # because it may rely on a parent project's CMake extensions (e.g. Zephyr's).
+        list(APPEND ARG_FETCH_CONTENT_ARGS
+         SOURCE_SUBDIR _fetch_remote_library_no_add_subdirectory)
     endif()
 
     # list all available patches in absolute names

diff --git a/cmake/version.cmake b/cmake/version.cmake
@@ -16,7 +16,7 @@ execute_process(COMMAND git describe --always --candidates=1
     OUTPUT_STRIP_TRAILING_WHITESPACE
     RESULTS_VARIABLE GIT_RESULT)
 
-if(GIT_RESULT EQUAL 128)
+if(TRUE)
     # Git execution fails.
     # Applying a manual version assuming the code tree is a local copy.
     set(TFM_VERSION_FULL "v${TFM_VERSION_MANUAL}")

diff --git a/config/check_config.cmake b/config/check_config.cmake
@@ -21,6 +21,8 @@ tfm_invalid_config(TFM_HYBRID_PLATFORM_API_BROKER AND NOT TFM_MULTI_CORE_TOPOLOG
 tfm_invalid_config(TFM_ISOLATION_LEVEL EQUAL 3 AND CONFIG_TFM_STACK_WATERMARKS)
 tfm_invalid_config(CONFIG_TFM_INCLUDE_STDLIBC AND CMAKE_C_COMPILER_ID STREQUAL Clang)
 
+tfm_invalid_config(CONFIG_TFM_LOG_SHARE_UART AND NOT SECURE_UART1)
+
 ########################## BL1 #################################################
 
 tfm_invalid_config(TFM_BL1_2_IN_OTP AND TFM_BL1_2_IN_FLASH)

diff --git a/config/config_base.cmake b/config/config_base.cmake
@@ -117,6 +117,8 @@ set(CONFIG_TFM_STACK_WATERMARKS         OFF         CACHE BOOL      "Whether to
 
 set(CONFIG_TFM_BRANCH_PROTECTION_FEAT   BRANCH_PROTECTION_DISABLED   CACHE STRING    "Set default branch protection usage to disabled")
 
+set(CONFIG_TFM_LOG_SHARE_UART           OFF         CACHE BOOL      "Allow TF-M and the non-secure application to share the UART instance. TF-M will use it while it is booting, after which the non-secure application will use it until an eventual fatal error is handled and logged by TF-M. Logging from TF-M will therefore otherwise be suppressed")
+
 ############################ Platform ##########################################
 
 set(NUM_MAILBOX_QUEUE_SLOT              1           CACHE BOOL      "Number of mailbox queue slots")
@@ -166,6 +168,7 @@ set(PS_ENCRYPTION                       ON          CACHE BOOL      "Enable encr
 set(PS_ROLLBACK_PROTECTION              ON          CACHE BOOL      "Enable rollback protection for Protected Storage partition")
 set(PS_SUPPORT_FORMAT_TRANSITION        OFF         CACHE BOOL      "Enable reading the older format of Protected Storage data")
 set(PS_CRYPTO_AEAD_ALG                  PSA_ALG_GCM CACHE STRING    "The AEAD algorithm to use for authenticated encryption in Protected Storage")
+set(PS_CRYPTO_KDF_ALG                   PSA_ALG_HKDF\(PSA_ALG_SHA_256\) CACHE STRING "KDF Algorithm to use for Protect Storage")
 set(PS_AES_KEY_USAGE_LIMIT              0           CACHE STRING    "Number of blocks to use a key for before changing it. 0 for no limit")
 
 set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE OFF      CACHE BOOL      "Enable Internal Trusted Storage partition")