Simplicity SDK Platform - Security Features Version 5.2.2 (September 24, 2025) - Release Notes#

Simplicity SDK Platform Version 5.2.2

Simplicity SDK Version 2025.6.2

Release Summary#

Key Features | API Changes | Bug Fixes | Chip Enablement

Key Features#

Added in 5.2.2#

SiXG301 device family support.

Added in 5.2.1#

Underlying platform changes only.

Added in 5.2.0#

  • xG29 device family support.

  • Code region support for External flash on Series-3.

  • Data region support for External flash on Series-3.

  • LTO support for SE Manager components.

  • Migrated PSA Crypto Apps initialization to sl_main.

API Changes#

None.

Bug Fixes#

Fixed in 5.2.2#

  • Fixed a bug in the ITS subsystem where changing maximum ITS files between two application versions could cause corruption when upgrading the application.

  • Fixed a classification bug on Series-3 devices by moving CCM* No-Tag support from the AEAD driver to the Cipher driver.

  • Fixed a bug in the PSA SE MAC driver on Series-3 for the AES-HMAC-MMO algorithm, which caused psa_hmac_compute to fail.

Fixed in 5.2.1#

None.

Fixed in 5.2.0#

None.

Chip Enablement#

Added in 5.2.2#

Added support for the SiXG301 device family.

Added in 5.2.1#

None.

Added in 5.2.0#

Added support for the xG29 device family.

Key Features#

New Features | Enhancements | Removed Features | Deprecated Features

New Features#

Added in 5.2.2#

Added support for SE and cryptographic accelerator hardware in the SiXG301 device family.

Added in 5.2.1#

None.

Added in 5.2.0#

  • Added SE Manager APIs for code regions in external flash support on Series-3, see New APIs

  • Added SE Manager APIs for data region in external flash support on Series-3, see New APIs

  • Added SE Manager APIs for lifecycle event flags on Series-3, see New APIs

  • Added SE Manager APIs for rollback counter on Series-3, see New APIs

  • Added SE Manager APIs for upgrade file version on Series-3, see New APIs

  • Added TrustZone veneer function for the sl_se_ecdh_compute_shared_secret API function in the SE Manager secure service.

Enhancements#

Added in 5.2.2#

  • The default value of the config option SL_MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS has been changed to 0 (disabled) for all TrustZone-aware applications. In TrustZone, when this option is disabled, PSA Crypto API functions internally copy (stage) buffer arguments into Secure RAM. This ensures that untrusted code in the NonSecure application cannot access or modify the buffers while a PSA Crypto API operation is in progress, providing stronger isolation and security across trust boundaries. The trade-off is additional memory use and allocation overhead, and a potential performance impact from the extra buffer copies.

    To accommodate the memory overhead of the secure buffer path, the Secure-zone flash allocation has been increased by 8 KB and, as a result, the non-secure flash start addresses have been shifted forward by 8 KB in the following OpenThread TrustZone example applications:

    • OpenThread BLE DMP - SoC FreeRTOS (TrustZone)

    • OpenThread - SoC CLI (FTD) (TrustZone)

    • OpenThread - SoC CLI (MTD) (TrustZone)

    • Sample project for TrustZone Secure Key Library

  • Added an internal config option called SLI_EXCLUDE_PSA_SE_SYMCRYPTO_DRIVERS to exclude the PSA SE hash and symmetric crypto drivers for Series-3 devices, since the PSA HOSTCRYPTO drivers implement a redundant set of hash and symmetric crypto functions. The config option is intended to reduce code size for a few use cases internal to Silicon Labs. However, other users may also apply the option to reduce code size, since the PSA HOSTCRYPTO drivers for symmetric crypto and hash are selected by default and the PSA SE drivers are typically not used explicitly.

    NOTE: SLI_EXCLUDE_PSA_SE_SYMCRYPTO_DRIVERS is prefixed "SLI_" because it is an "internal" option and is not part of the public API of the SDK. Silicon Labs plans to implement a different solution to select PSA drivers by using user interface components.

  • Added separate components for the legacy Mbed TLS SHA224 and SHA384 algorithms in order to save code space when only a subset of SHA224, SHA256, SHA384 and SHA512 is needed by the application. In previous releases, SHA224 and SHA256 were combined in the same component, called mbedtls_sha256.slcc, which represented the legacy sha256.h interface implementing both SHA224 and SHA256. Likewise, SHA384 and SHA512 were combined in the same component, called mbedtls_sha512.slcc, which represented the legacy sha512.h interface implementing both SHA384 and SHA512.

Added in 5.2.1#

None.

Added in 5.2.0#

  • Added support for GCC LTO (Link Time Optimisation) in the SE Manager components. The plan is to support GCC LTO in all security components in the near future.

  • In sisdk-2025.6.1, SL_MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set to 1 by default. The option was introduced in sisdk-2024.12.1 (and sisdk-2024.12.2), where it was set to 0 by default, that is, "secure-by-default" (ref ID # 1284341 in the release notes of sisdk-2024.12.1). The option addressed a security issue in Mbed TLS prior to version 3.6.0 (not inclusive) by implementing a counter-measure that protects input and output data in use by the threads executing inside PSA Crypto API functions from external, potentially untrusted, execution threads and ISRs. The counter-measure allocates internal buffers (potentially in secure RAM, e.g. in Secure TrustZone) and copies the input and output data to and from those internal buffers. Hence there is a penalty of added latency, increased code size, and increased heap (RAM) consumption, which may be unacceptable on resource-constrained devices with relatively small RAM and/or flash memory. In sisdk-2025.6.1, the counter-measure is disabled by default (option set to 1), which improves performance by avoiding the extra buffer copies and reduces memory usage and allocation overhead, so that resource-constrained devices are "small-by-default" out of the box. However, this is NOT the most secure option: it should only be enabled (set to 1) if all buffers passed to PSA functions are exclusively accessible to PSA and never shared with untrusted code. If buffers may cross trust boundaries (e.g. between NonSecure and Secure TrustZone), set this to 0 for best security.
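The buffer-staging counter-measure described in the 5.2.2 and 5.2.0 notes on SL_MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS can be seen in a small simulation. This is an added example, not code from Silicon Labs or Mbed TLS: toy_two_pass, toy_tag, flip_first_byte and the hook type are hypothetical names, and the checksum is a stand-in for a real two-pass crypto operation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STAGE_MAX 64u  /* constructed limit for the toy staging buffer */

/* Hypothetical hook: stands in for a NonSecure thread/ISR that runs while
 * the secure-side operation is still in progress. */
typedef void (*interference_fn)(uint8_t *shared, size_t len);

void flip_first_byte(uint8_t *shared, size_t len)
{
  if (len > 0) shared[0] ^= 0xFF;
}

/* Toy position-dependent checksum (NOT a MAC, illustration only). */
static uint8_t toy_tag(const uint8_t *p, size_t n)
{
  uint8_t s = 0;
  for (size_t i = 0; i < n; i++) s = (uint8_t)(s * 31u + p[i]);
  return s;
}

/* Toy two-pass operation: pass 1 tags the input, pass 2 transforms it.
 * assume_exclusive == true mirrors option value 1 (no copy);
 * false mirrors 0 (stage the input into memory the caller cannot reach).
 * Returns true when the tag and the output describe the same input. */
bool toy_two_pass(uint8_t *in, size_t len, uint8_t *out, uint8_t *tag,
                  bool assume_exclusive, interference_fn hook)
{
  uint8_t staged[STAGE_MAX];
  uint8_t seen[STAGE_MAX];
  const uint8_t *src = in;

  if (len > STAGE_MAX) return false;
  if (!assume_exclusive) {           /* counter-measure: snapshot first */
    memcpy(staged, in, len);
    src = staged;
  }
  *tag = toy_tag(src, len);          /* pass 1 reads the input */
  if (hook != NULL) hook(in, len);   /* caller-side write lands here */
  for (size_t i = 0; i < len; i++) { /* pass 2 reads the input again */
    out[i] = (uint8_t)(src[i] ^ 0x5Au);
    seen[i] = src[i];
  }
  return toy_tag(seen, len) == *tag; /* did both passes see one input? */
}
```

With the snapshot in place the concurrent write still lands in the caller's buffer, but the operation never reads it; the cost is the staging buffer and the copy, which is the RAM and latency overhead the notes describe.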

Removed Features#

None.

Deprecated Features#

None.

API Changes#

New APIs | Modified APIs | Removed APIs | Deprecated APIs

New APIs#

Added in 5.2.2#

None.

Added in 5.2.1#

None.

Added in 5.2.0#

New API Signature | Deprecated API replaced by this (if any)

sl_status_t sl_se_code_region_get_config(sl_se_command_context_t *cmd_ctx, sl_se_code_region_config_t *regions_array, unsigned int start_region_idx, unsigned int region_array_size); | n/a

sl_status_t sl_se_code_region_apply_config(sl_se_command_context_t *cmd_ctx, sl_se_code_region_config_t *regions_array, unsigned int start_region_idx, unsigned int region_array_size); | n/a

sl_status_t sl_se_code_region_erase(sl_se_command_context_t *cmd_ctx, unsigned int region_idx); | n/a

sl_status_t sl_se_code_region_partial_erase(sl_se_command_context_t *cmd_ctx, unsigned int region_idx, uint32_t block_offset, uint32_t num_blocks); | n/a

sl_status_t sl_se_code_region_write(sl_se_command_context_t *cmd_ctx, unsigned int region_idx, uint32_t offset, const void *data, uint32_t num_bytes, sl_se_crypto_operation_t *decryption_info, sl_se_crypto_operation_t *integrity_check); | n/a

sl_status_t sl_se_code_region_close(sl_se_command_context_t *cmd_ctx, unsigned int region_idx, uint32_t version); | n/a

sl_status_t sl_se_code_region_get_version(sl_se_command_context_t *cmd_ctx, unsigned int region_idx, uint32_t *version); | n/a

sl_status_t sl_se_data_region_get_location(sl_se_command_context_t *cmd_ctx, void **address, size_t *size); | n/a

sl_status_t sl_se_data_region_write(sl_se_command_context_t *cmd_ctx, void *address, const void *data, size_t num_bytes); | n/a

sl_status_t sl_se_data_region_erase(sl_se_command_context_t *cmd_ctx, void *start_address, size_t num_sectors); | n/a

sl_status_t sl_se_get_lifecycle_event_flags(sl_se_command_context_t *cmd_ctx, uint64_t *event_flags); | n/a

__STATIC_INLINE bool sl_se_lifecycle_event_flag_is_set(uint64_t *flags, sl_se_lifecycle_event_flag_t flag_index) | n/a

sl_status_t sl_se_get_rollback_counter(sl_se_command_context_t *cmd_ctx, uint32_t *rollback_counter); | n/a

sl_status_t sl_se_increment_rollback_counter(sl_se_command_context_t *cmd_ctx, uint32_t *rollback_counter); | n/a

sl_status_t sl_se_get_upgrade_file_version(sl_se_command_context_t *cmd_ctx, uint32_t *version); | n/a

sl_status_t sl_se_set_upgrade_file_version(sl_se_command_context_t *cmd_ctx, uint32_t version); | n/a

sl_status_t sl_se_get_user_data(sl_se_command_context_t *cmd_ctx, void *output_data, size_t num_bytes); | n/a

Modified APIs#

Modified in 5.2.2#

None.

Modified in 5.2.1#

None.

Modified in 5.2.0#

Series-2 API: sl_status_t sl_se_write_user_data (sl_se_command_context_t *cmd_ctx, uint32_t offset, void *data, uint32_t num_bytes);

Series-3 API: sl_status_t sl_se_write_user_data (sl_se_command_context_t *cmd_ctx, const void *data, size_t num_bytes);

Removed APIs#

Removed in 5.2.2#

None.

Removed in 5.2.1#

None.

Removed in 5.2.0#

The API called sl_se_erase_user_data exists on Series-2 but does not exist on Series-3, where it is replaced by sl_se_data_region_erase; see New APIs.

Deprecated APIs#

Deprecated in 5.2.2#

None.

Deprecated in 5.2.1#

None.

Deprecated in 5.2.0#

Deprecated API Name | Planned Removal Date

sl_se_code_region_set_active_banked | December 2025 - sisdk-2025.12.0

Bug Fixes#

Fixed in 5.2.2#

ID | Issue Description | GitHub / Salesforce Reference (if any) | Affected Software Variants, Hardware, Modes, Host Interfaces

1457629 and 1458488 | Fixed a bug in the ITS subsystem where changing maximum ITS files between two application versions could cause corruption when upgrading the application. | None | Affected devices: All Series-2 (xG2x) and Series-3 (xG3x). Affected SDKs: Simplicity SDK 2025.6.1 and earlier.

1480929 | Fixed a classification bug on Series-3 devices by moving CCM* No-Tag support from the AEAD driver to the Cipher driver. Per the PSA Crypto specification, PSA_ALG_CCM_STAR_NO_TAG is an unauthenticated cipher (used via psa_cipher_xxx()), whereas CCM with a non-zero tag (PSA_ALG_CCM) is an AEAD (used via psa_aead_xxx()). | None | Affected devices: All Series-3 (xG3x). Affected SDKs: Simplicity SDK 2025.6.1 and earlier.

1481058 | Fixed bug in PSA SE MAC driver on Series-3 for algorithm AES-HMAC-MMO when calling psa_hmac_compute, which failed returning PSA_ERROR_NOT_SUPPORTED because the PSA_ALG_AES_MMO_ZIGBEE entry was missing in the PSA_HASH_LENGTH macro. | None | Affected devices: All Series-3 (xG3x). Affected SDKs: Simplicity SDK 2025.6.1.

Fixed in 5.2.1#

None.

Fixed in 5.2.0#

None.

Chip Enablement#

Added in 5.2.2#

Added support for SE and cryptographic accelerator hardware in the SiXG301 device family.

Added in 5.2.1#

None.

Added in 5.2.0#

Added support for SE and cryptographic accelerator hardware in the xG29 device family.

Application Example Changes#

New Examples | Modified Examples | Removed Examples | Deprecated Examples

New Examples#

None.

Modified Examples#

Added in 5.2.2#

None.

Added in 5.2.1#

None.

Added in 5.2.0#

Example Name | Changes | Supported Software Variants if applicable | Supported Modes | Supported OPNs / Boards / OPN Combinations | Supported Host Interfaces

Platform Security - SoC SE Manager Asymmetric Key Handling. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 & 3 Devices | VCOM

Platform Security - SoC SE Manager Attestation. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 & 3 Devices | VCOM

Platform Security - SoC SE Manager Block Cipher. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 & 3 Devices | VCOM

Platform Security - SoC SE Manager Key Agreement (ECDH). See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 & 3 Devices | VCOM

Platform Security - SoC SE Manager Key Agreement (ECJPAKE). See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 & 3 Devices | VCOM

Platform Security - SoC SE Manager Hash. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 & 3 Devices | VCOM

Platform Security - SoC SE Manager Key Derivation (HKDF and PBKDF2). See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 & 3 Devices | VCOM

Platform Security - SoC SE Manager Key Provisioning. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 & 3 Devices | VCOM

Platform Security - SoC SE Manager Secure Debug. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 & 3 Devices | VCOM

Platform Security - SoC SE Manager Secure Identity. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 & 3 Devices | VCOM

Platform Security - SoC SE Manager Digital Signature (ECDSA and EdDSA). See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 & 3 Devices | VCOM

Platform Security - SoC SE Manager Stream Cipher. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 & 3 Devices | VCOM

Platform Security - SoC SE Manager Symmetric Key Handling. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 & 3 Devices | VCOM

Platform Security - SoC SE Manager Tamper. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 & 3 Devices | VCOM

Platform Security - SoC SE Manager User Data. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 & 3 Devices | VCOM

Removed Examples#

None.

Deprecated Examples#

None.

Known Issues and Limitations#

None.