nRF54L10 Bare Metal SDK: Which security features are officially supported without Zephyr/TF-M?

Hello Nordic team,

We are evaluating nRF54L10 for a battery-powered Bluetooth LE medical device.

We are considering the nRF Connect SDK Bare Metal option instead of Zephyr/TF-M, because we would like to avoid using an RTOS in the final regulated product.

I understand that nRF54L10 hardware can support several security features, such as secure boot, secure firmware update, TrustZone-M, PSA Crypto, KMU/CRACEN, side-channel countermeasures, tamper detection, and debug protection.

My question is:

Which of these security features are officially supported and considered production-ready in the nRF54L10 Bare Metal SDK path, without using Zephyr/TF-M?

In particular, could you clarify whether the following are supported in Bare Metal:

  1. Secure boot with signed image verification
  2. Signed DFU and anti-rollback
  3. PSA Crypto
  4. Secure Storage
  5. Application-level KMU/CRACEN key protection, for example non-exportable device identity keys or application authentication keys
  6. TrustZone Secure/Non-secure separation
  7. SoftDevice S115/S145 together with TrustZone
  8. Tamper detection and debug protection
  9. Attestation or device identity support

For TrustZone specifically, we would like to know whether Bare Metal officially supports a Secure image plus a Non-secure Bare Metal application, including NSC/Secure Gateway calls and Secure attribution of peripherals such as GPIO, TIMER, or PWM.

For KMU/CRACEN specifically, we would like to know whether support is limited to boot/DFU verification, or whether Bare Metal application code can also use KMU-backed non-exportable keys through an official production-supported API.

Because this is for a regulated medical device, we need to avoid relying on undocumented register-level usage unless Nordic considers it production-supported and can provide documentation, samples, and known limitations.

If TrustZone, PSA Crypto, Secure Storage, or application-level KMU/CRACEN key protection are not recommended in the Bare Metal path, would Nordic recommend using Zephyr/TF-M instead for those security features?

Thank you.