Hello Nordic team, We are evaluating nRF54L10 for a battery-powered Bluetooth LE medical device . We are considering the nRF Connect SDK Bare Metal option instead of Zephyr/TF-M, because we would like to avoid using an RTOS in the final regulated product. I understand that nRF54L10 hardware can support several security features, such as secure boot, secure firmware update, TrustZone-M, PSA Crypto, KMU/CRACEN, side-channel countermeasures, tamper detection, and debug protection. My question is: Which of these security features are officially supported and considered production-ready in the nRF54L10 Bare Metal SDK path, without using Zephyr/TF-M? In particular, could you clarify whether the following are supported in Bare Metal: Secure boot with signed image verification Signed DFU and anti-rollback PSA Crypto Secure Storage Application-level KMU/CRACEN key protection, for example non-exportable device identity keys or application authentication keys TrustZone Secure/Non-secure separation SoftDevice S115/S145 together with TrustZone Tamper detection and debug protection Attestation or device identity support For TrustZone specifically, we would like to know whether Bare Metal officially supports a Secure image plus a Non-secure Bare Metal application, including NSC/Secure Gateway calls and Secure attribution of peripherals such as GPIO, TIMER, or PWM. For KMU/CRACEN specifically, we would like to know whether support is limited to boot/DFU verification, or whether Bare Metal application code can also use KMU-backed non-exportable keys through an official production-supported API. Because this is for a regulated medical device, we need to avoid relying on undocumented register-level usage unless Nordic considers it production-supported and can provide documentation, samples, and known limitations. If TrustZone, PSA Crypto, Secure Storage, or application-level KMU/CRACEN key protection are not recommended in the Bare Metal path, would Nordic recommend using Zephyr/TF-M instead for those security features? Thank you.

nRF54L10 Bare Metal SDK: Which security features are officially supported without Zephyr/TF-M?

Hello Nordic team,

We are evaluating nRF54L10 for a battery-powered Bluetooth LE medical device.

We are considering the nRF Connect SDK Bare Metal option instead of Zephyr/TF-M, because we would like to avoid using an RTOS in the final regulated product.

I understand that nRF54L10 hardware can support several security features, such as secure boot, secure firmware update, TrustZone-M, PSA Crypto, KMU/CRACEN, side-channel countermeasures, tamper detection, and debug protection.

My question is:

Which of these security features are officially supported and considered production-ready in the nRF54L10 Bare Metal SDK path, without using Zephyr/TF-M?

In particular, could you clarify whether the following are supported in Bare Metal:

Secure boot with signed image verification
Signed DFU and anti-rollback
PSA Crypto
Secure Storage
Application-level KMU/CRACEN key protection, for example non-exportable device identity keys or application authentication keys
TrustZone Secure/Non-secure separation
SoftDevice S115/S145 together with TrustZone
Tamper detection and debug protection
Attestation or device identity support

For TrustZone specifically, we would like to know whether Bare Metal officially supports a Secure image plus a Non-secure Bare Metal application, including NSC/Secure Gateway calls and Secure attribution of peripherals such as GPIO, TIMER, or PWM.

For KMU/CRACEN specifically, we would like to know whether support is limited to boot/DFU verification, or whether Bare Metal application code can also use KMU-backed non-exportable keys through an official production-supported API.

Because this is for a regulated medical device, we need to avoid relying on undocumented register-level usage unless Nordic considers it production-supported and can provide documentation, samples, and known limitations.

If TrustZone, PSA Crypto, Secure Storage, or application-level KMU/CRACEN key protection are not recommended in the Bare Metal path, would Nordic recommend using Zephyr/TF-M instead for those security features?

Thank you.

Parents

0 Amanda Hsieh 3 days ago
Hi,

The nRF54L10 supports a broad set of security features (TrustZone, CRACEN/KMU, secure boot/update, tamper-related hardware, and more). However, the nRF Connect SDK Bare Metal provides a narrower, production-supported security scope: mainly signed boot/DFU via Immutable MCUboot (IRoT) with CRACEN/KMU for bootloader verification keys, plus S115/S145 Bluetooth LE.

In particular, could you clarify whether the following are supported in Bare Metal:

Secure boot with signed image verification

Signed DFU and anti-rollback

Since the nRF Connect SDK Bare Metal option v1.0.0, it has supported Single-bank DFU and CRACEN/KMU and bootloader key verification, but not for anti-rollback(DOWNGRADE_PREVENTION).

PSA Crypto

Secure Storage

Application-level KMU/CRACEN key protection, for example non-exportable device identity keys or application authentication keys

TrustZone Secure/Non-secure separation

SoftDevice S115/S145 together with TrustZone

Attestation or device identity support

The nRF Connect SDK Bare Metal is explicitly targeting simple Bluetooth LE applications that do not require advanced features. For your security requirements, I strongly suggest you consider the nRF Connect SDK for the full security feature set. See NCS/Security, Trusted Firmware-M in the nRF Connect SDK, and the KMU and CRACEN doc.

Tamper detection and debug protection

It can be enabled by writing the register (see Enabling device protection on nRF54L). The nRF Connect SDK Bare Metal doesn't have any configs for that.

Regards,
Amanda H.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Amanda Hsieh 3 days ago
Hi,

The nRF54L10 supports a broad set of security features (TrustZone, CRACEN/KMU, secure boot/update, tamper-related hardware, and more). However, the nRF Connect SDK Bare Metal provides a narrower, production-supported security scope: mainly signed boot/DFU via Immutable MCUboot (IRoT) with CRACEN/KMU for bootloader verification keys, plus S115/S145 Bluetooth LE.

In particular, could you clarify whether the following are supported in Bare Metal:

Secure boot with signed image verification

Signed DFU and anti-rollback

Since the nRF Connect SDK Bare Metal option v1.0.0, it has supported Single-bank DFU and CRACEN/KMU and bootloader key verification, but not for anti-rollback(DOWNGRADE_PREVENTION).

PSA Crypto

Secure Storage

Application-level KMU/CRACEN key protection, for example non-exportable device identity keys or application authentication keys

TrustZone Secure/Non-secure separation

SoftDevice S115/S145 together with TrustZone

Attestation or device identity support

The nRF Connect SDK Bare Metal is explicitly targeting simple Bluetooth LE applications that do not require advanced features. For your security requirements, I strongly suggest you consider the nRF Connect SDK for the full security feature set. See NCS/Security, Trusted Firmware-M in the nRF Connect SDK, and the KMU and CRACEN doc.

Tamper detection and debug protection

It can be enabled by writing the register (see Enabling device protection on nRF54L). The nRF Connect SDK Bare Metal doesn't have any configs for that.

Regards,
Amanda H.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data