Security

This section provides an overview of core security features available in Nordic Semiconductor products. The features are made available either as built-ins in modules, drivers, and subsystems, or are shown in samples or applications in nRF Connect SDK.

The following table lists the available general security features. Some of them are documented in detail in other parts of this documentation, while others are documented in the subpages in this section.

Security feature	Description	Configuration	Related components
Access port protection (AP-Protect)	When enabled, this mechanism blocks the debugger from read and write access to all CPU registers and memory-mapped addresses.	See Enabling access port protection mechanism.	—
Bootloader and Device Firmware Upgrade (DFU)	The nRF Connect SDK supports MCUboot and nRF Secure Immutable Bootloader (NSIB) for secure boot, and DFU procedures using MCUboot and Software Updates for Internet of Things (SUIT).	See Bootloaders and DFU.	- nRF Secure Immutable Bootloader (NSIB) - DFU libraries - Software Updates for Internet of Things (SUIT) - MCUboot
Processing environments (CMSE)	The boards supported by the SDK distinguish entries according to which CPU is to be targeted (for multi-core SoCs) and whether Cortex-M Security Extensions (CMSE) are used or not. When CMSE is used, the firmware is split in accordance with the security by separation architecture principle to better protect sensitive assets and code. In the nRF Connect SDK, the CMSE support is implemented using Trusted Firmware-M (TF-M).	See Processing environments.	All samples and applications that support the */ns variant of the boards.
Trusted Firmware-M (TF-M)	TF-M is the reference implementation of Platform Security Architecture (PSA). On nRF5340, nRF54L and nRF91 Series devices, TF-M is used to configure and boot an application with CMSE enabled.	See Running applications with Trusted Firmware-M.	- Trusted Firmware-M (TF-M) samples - Cryptography samples - TF-M integration samples in Zephyr
Cryptographic operations (nRF Security)	The nRF Security library acts as an orchestrator for the different cryptographic libraries available in the system. HW accelerated libraries are prioritized over SW libraries when both are enabled. | Find more information on nRF54L Series-specific cryptography operations and the related configuration in nRF54L Series cryptography.	CONFIG_NRF_SECURITY (more info)	- nRF Security library with nRF Security drivers - Crypto Libraries - Cryptography samples
Trusted storage	The trusted storage library enables you to provide features like integrity, confidentiality and authenticity of the stored data, without using the TF-M Platform Root of Trust (PRoT).	See Trusted storage in the nRF Connect SDK and trusted storage library configuration.	Trusted storage library
Hardware unique key (HUK)	Nordic Semiconductor devices featuring the CryptoCell cryptographic accelerator allow the usage of a hardware unique key (HUK) for key derivation. A HUK is a unique symmetric cryptographic key which is loaded in special hardware registers allowing the application to use the key by reference, without any access to the key material.	CONFIG_HW_UNIQUE_KEY	- HUK library - HUK sample

Subpages:

• Enabling access port protection mechanism
  • Implementation overview
  • Configuration overview in the nRF Connect SDK
• Running applications with Trusted Firmware-M
  • Overview
  • Building
  • Logging
  • Provisioning
  • Limitations
  • TF-M partition alignment requirements
  • Migrating from Secure Partition Manager to Trusted Firmware-M
• Trusted storage in the nRF Connect SDK