Simplicity SDK Platform - Security Features Version 6.0.1 - Release Notes (Mar 25, 2026)#
Simplicity SDK Platform Version 6.0.1
Release Summary#
Key Features#
Added in 6.0.1#
None.
Added in 6.0.0#
Added support for the Key Storage Unit (KSU) in the PSA Crypto API.
API Changes#
Changed in 6.0.1#
Added TrustZone feature to protect configurable ranges of persistent PSA key IDs from being accessed via the Non-Secure PSA Crypto API. Protected ranges are defined declaratively through SLCC component template contributions. Non-Secure callers that attempt to access a key within a protected range receive PSA_ERROR_NOT_PERMITTED. This feature is added to support use cases for secure partition code that are internal to Silicon Labs components and stacks.
Added new attribute flag PSA_STORAGE_FLAG_SECURE_ACCESSIBLE for the PSA ITS driver to enable TrustZone secure partition code to create ITS objects that are protected from any Non-Secure access. Non-Secure callers are prevented from reading, modifying, or removing objects created with this flag. Unlike the existing PSA_STORAGE_FLAG_WRITE_ONCE_SECURE_ACCESSIBLE, objects with this flag remain mutable by the Secure partition. This feature is added to support use cases for secure partition code that are internal to Silicon Labs components and stacks.
Updated PSA key ID range allocation. Added ranges for Platform, MATTER, Find Network, BLE, BLE Mesh, Z-Wave and Wi-SUN. See sli_psa_crypto.h.
Changed in 6.0.0#
New API: sl_se_disable_ksu.
Removed API: sl_se_code_region_set_active_banked.
Bug Fixes#
Fixed in 6.0.1#
For SiXG301, improved stability for flash erase and write operations during high interrupt load. SE manager commands that lead to a flash erase or write operation will disable the L1ICACHE during execution of the command.
Fixed in 6.0.0#
Fixed security issue related to buffer handling for JPAKE functions.
Chip Enablement#
None.
Key Features#
New Features#
Added in 6.0.1#
None.
Added in 6.0.0#
Added support for the Key Storage Unit (KSU) in the PSA Crypto API. KSU is a hardware feature on xG301 devices.
psa_import_key can import plaintext keys to KSU.
psa_generate_key can request the SE to generate random keys and store them in the KSU (never visible to the user).
sl_psa_key_derivation_single_shot can request the SE to derive keys using HKDF and PBKDF2 and store the output directly in the KSU (never visible to the user).
psa_copy_key can copy wrapped keys (stored persistently in PSA ITS) to the KSU.
psa_destroy_key can destroy keys stored in the KSU.
The PSA Crypto APIs for Cipher, AEAD encryption and decryption can use the PSA key ids associated with the AES keys stored in the KSU.
The PSA Crypto APIs for HMAC compute and verify can use the PSA key ids associated with the HMAC keys stored in the KSU.
Enhancements#
Added in 6.0.1#
Updated the PSA SE driver to allow ECDSA verification when the algorithm is set to deterministic ECDSA. The verification algorithm is the same for randomized and deterministic ECDSA, hence the existing PSA SE driver can allow the user to set either of the two ECDSA algorithms for verification.
Added in 6.0.0#
Upgraded to Mbed TLS version 3.6.4.
Mbed TLS 3.6 is a long-term support (LTS) branch. It will be supported with bug fixes and security fixes until at least March 2027.
Release Notes can be found at: https://github.com/Mbed-TLS/mbedtls/releases.
Because the PSA HOST SYMCRYPTO drivers implement a redundant set of hash and symmetric crypto functions, an internal config option called SLI_EXCLUDE_PSA_SE_SYMCRYPTO_DRIVERS to exclude the PSA SE hash and symmetric crypto drivers for Series 3 devices has been added. The config option is intended to reduce code size for a few use cases internal to Silicon Labs. However, the option may be applied by other users to reduce code size, since the PSA HOST SYMCRYPTO drivers for symmetric crypto and hash are selected by default, and the PSA SE drivers are typically not used explicitly.
The HOST SYMCRYPTO AES engine should be considered less secure than the SE AES engine: the SE AES engine supports both DFA and DPA countermeasures, while the HOST SYMCRYPTO AES engine supports DPA countermeasures only.
The SLI_EXCLUDE_PSA_SE_SYMCRYPTO_DRIVERS option is prefixed "SLI_" because it is an "internal" option and is not part of the public API of the SDK. Silicon Labs plans to implement a different solution to select PSA drivers by using user interface components.
Added support for GCC compiler option Link Time Optimization (LTO) in Platform Security components.
Removed Features#
None.
Deprecated Features#
None.
API Changes#
New APIs#
Added in 6.0.1#
None.
Added in 6.0.0#
| New API Signature | Deprecated API replaced by this (if any) |
|---|---|
| sl_status_t sl_se_disable_ksu(sl_se_command_context_t *cmd_ctx); | N/A |
Modified APIs#
None.
Removed APIs#
Removed in 6.0.1#
None.
Removed in 6.0.0#
| Removed API Name |
|---|
| sl_se_code_region_set_active_banked |
Deprecated APIs#
Deprecated in 6.0.1#
None.
Deprecated in 6.0.0#
Deprecated Software:
Mbed TLS legacy API(s) in the Mbed TLS 3.6 LTS release branch, and the corresponding Mbed TLS ALT implementations from Silicon Labs.
Reason: Long-term changes in the underlying Mbed TLS library lead to legacy APIs (prefixed with the mbedtls_ namespace) being discontinued in Mbed TLS version 4.0.0, which was released Oct 15, 2025; see the release notes at https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-4.0.0. The main change is that the PSA Crypto library is split out into a new repository called TF-PSA-Crypto, which was released Oct 15, 2025; see the release notes at https://github.com/Mbed-TLS/TF-PSA-Crypto/releases/tag/tf-psa-crypto-1.0.0.
For details on which Mbed TLS APIs are affected, see:
The migration guide: https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/v1.0.0/docs/1.0-migration-guide.md
The Mbed TLS long-term support plan: https://mbed-tls.readthedocs.io/en/latest/project/long-term-plans/
Maintenance Period: The Simplicity SDK Version 2025.12.0 is based on Mbed TLS 3.6.(4), which is a long-term support (LTS) release branch. The upstream Mbed TLS repo on GitHub will be supported with bug fixes and security fixes until at least March 2027 (https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.4). However, the Simplicity SDK Version 2026.12.0 is planned to upgrade to Mbed TLS 4.x and TF-PSA-Crypto 1.x in December 2026.
End of Service Date for Mbed TLS legacy APIs (planned): December 2026 - Simplicity SDK Version 2026.12.0
Migration: From now until the cutover date, users are recommended to evaluate usage of PSA Crypto APIs instead of legacy Mbed TLS APIs, in order to pave the road for smooth upgrades (low-to-zero conflicts) to new Simplicity SDK versions in the future. The PSA Crypto API covers most of the legacy crypto APIs, hence new and existing applications should select PSA Crypto APIs whenever applicable. Existing applications using legacy APIs that plan to upgrade to Simplicity SDK 2025.12.0 are recommended to evaluate migration to PSA Crypto APIs. See the migration guide https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/v1.0.0/docs/1.0-migration-guide.md.
Summary of Legacy API replacements:
mbedtls_ecjpake_* - use psa_pake
mbedtls_mpi_* - migrate to psa bignum implementation
mbedtls_ecp_* - migrate to psa_generate_key, psa_generate_key_custom, psa_import_key and psa_export_key
mbedtls_ecdh_* - use psa_raw_key_agreement(PSA_ALG_ECDH,...
mbedtls_sha256_* - use psa_hash_*
mbedtls_aes_* - use psa_cipher_*
mbedtls_ccm_* - use psa_aead_*
mbedtls_md_* - use psa_mac_*
mbedtls_pk_* - use psa_import_key, psa_export_key, psa_sign_*, psa_verify_*
mbedtls_ecdsa_genkey - use psa_generate_key
Mbed TLS ALT interface - re-implement all alternate functions with the new psa_crypto interface
Mbed TLS error codes - where relevant, rewrite using the new PSA error codes
Bug Fixes#
Fixed in 6.0.1#
| ID | Issue Description | GitHub / Salesforce Reference (if any) | Affected Software Variants, Hardware, Modes, Host Interfaces |
|---|---|---|---|
| 1581949 | For XG301, improved stability for flash erase and write operations during high interrupt load. For SE manager commands that lead to a flash erase or write operation, the L1ICACHE is disabled during execution of the command. | None | |
Fixed in 6.0.0#
| ID | Issue Description | GitHub / Salesforce Reference (if any) | Affected Software Variants, Hardware, Modes, Host Interfaces |
|---|---|---|---|
| 1542933 | Fixed security issue related to buffer handling for JPAKE functions. | None | |
Chip Enablement#
None.
Application Example Changes#
New Examples#
None.
Modified Examples#
| Example Name | Changes | Supported Software Variants if applicable | Supported Modes | Supported OPNs / Boards / OPN Combinations | Supported Host Interfaces |
|---|---|---|---|---|---|
| Platform Security - SoC SE Manager Asymmetric Key Handling. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Attestation. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Block Cipher. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Key Agreement (ECDH). See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Key Agreement (ECJPAKE). See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Hash. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Key Derivation (HKDF and PBKDF2). See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Key Provisioning. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Secure Debug. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Secure Identity. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Digital Signature (ECDSA and EdDSA). See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Stream Cipher. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Symmetric Key Handling. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Tamper. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager User Data. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
Removed Examples#
None.
Deprecated Examples#
None.
Known Issues and Limitations#
| ID | Issue or Limitation Description | GitHub / Salesforce Reference (if any) | Workaround (if any) | Affected Software Variants, Hardware, Modes, Host Interfaces |
|---|---|---|---|---|
| | The following was reported in 6.0.0 based on incorrect information. Specifically, this was a false negative report and not an issue. There is a known limitation in the PSA Crypto APIs for Multipart CMAC operation on xG301 devices. The key material passed by the user when calling psa_sign_setup and psa_verify_setup is not stored internally in the psa_mac_operation_t operation object. Only the pointer to the key buffer is stored. This limitation is planned to be fixed in a future version of the Simplicity SDK. | None. | This was reported in 6.0.0 based on incorrect information. Not an issue. | None. |