Simplicity SDK Platform - Security Features Version 6.0.0 - Release Notes (Jan 22, 2026)
Simplicity SDK Platform Version 6.0.0
Simplicity SDK Version 2025.12.0
Release Summary
Key Features | API Changes | Bug Fixes | Chip Enablement
Key Features
Added support for the Key Storage Unit (KSU) in the PSA Crypto API.
API Changes
New API: sl_se_disable_ksu
Removed API: sl_se_code_region_set_active_banked
Bug Fixes
Fixed security issue related to buffer handling for JPAKE functions.
Chip Enablement
None.
Key Features
New Features | Enhancements | Removed Features | Deprecated Features
New Features
Added support for the Key Storage Unit (KSU) in the PSA Crypto API. KSU is a hardware feature on xG301 devices.
psa_import_key can import plaintext keys to KSU.
psa_generate_key can request the SE to generate random keys and store them in the KSU (never visible to the user).
sl_psa_key_derivation_single_shot can request the SE to derive keys using HKDF and PBKDF2 and store the output directly in the KSU (never visible to the user).
psa_copy_key can copy wrapped keys (stored persistently in PSA ITS) to the KSU.
psa_destroy_key can destroy keys stored in the KSU.
The PSA Crypto APIs for Cipher, AEAD encryption and decryption can use the PSA key ids associated with the AES keys stored in the KSU.
The PSA Crypto APIs for HMAC compute and verify can use the PSA key ids associated with the HMAC keys stored in the KSU.
Enhancements
Upgrade to Mbed TLS version 3.6.4
Mbed TLS 3.6 is a long-term support (LTS) branch. It will be supported with bug fixes and security fixes until at least March 2027.
Release Notes can be found at: https://github.com/Mbed-TLS/mbedtls/releases.
Because the PSA HOST SYMCRYPTO drivers implement a redundant set of hash and symmetric crypto functions, an internal config option called SLI_EXCLUDE_PSA_SE_SYMCRYPTO_DRIVERS to exclude the PSA SE hash and symmetric crypto drivers for Series 3 devices has been added. The config option is intended to reduce code size for a few use cases internal to Silicon Labs. However, the option may be applied by other users to reduce code size, since the PSA HOST SYMCRYPTO drivers for symmetric crypto and hash are selected by default, and the PSA SE drivers are typically not used explicitly.
The HOST SYMCRYPTO AES engine should be considered less secure than the SE AES engine: the SE AES engine supports both DFA and DPA countermeasures, while the HOST SYMCRYPTO AES engine supports DPA only.
The SLI_EXCLUDE_PSA_SE_SYMCRYPTO_DRIVERS option is prefixed "SLI_" because it is an "internal" option and is not part of the public API of the SDK. Silicon Labs plans to implement a different solution to select PSA drivers by using user interface components.
Added support for GCC compiler option Link Time Optimization (LTO) in Platform Security components.
Removed Features
None.
Deprecated Features
None.
API Changes
New APIs | Modified APIs | Removed APIs | Deprecated APIs
New APIs
| New API Signature | Deprecated API replaced by this (if any) |
|---|---|
| sl_status_t sl_se_disable_ksu(sl_se_command_context_t *cmd_ctx); | N/A |
Modified APIs
None.
Removed APIs
| Removed API Name |
|---|
| sl_se_code_region_set_active_banked |
Deprecated APIs
Deprecated Software: Mbed TLS Legacy API(s) in the Mbed TLS 3.6 LTS release branch and the corresponding Mbed TLS ALT implementations from Silicon Labs.
Reason: Long-term changes in the underlying Mbed TLS library lead to legacy APIs (prefixed with the mbedtls_ namespace) being discontinued in Mbed TLS version 4.0.0, which was released Oct 15, 2025; see the release notes at https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-4.0.0. The main change is that the PSA Crypto library is split out to a new repository called TF-PSA-Crypto, which was released Oct 15, 2025; see the release notes at https://github.com/Mbed-TLS/TF-PSA-Crypto/releases/tag/tf-psa-crypto-1.0.0. For details on which Mbed TLS APIs are affected, see:
the migration guide: https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/v1.0.0/docs/1.0-migration-guide.md
the Mbed TLS long-term support plan: https://mbed-tls.readthedocs.io/en/latest/project/long-term-plans/
Maintenance Period: The Simplicity SDK Version 2025.12.0 is based on Mbed TLS 3.6.4, which is a long-term support (LTS) release branch. The upstream Mbed TLS repo on GitHub will be supported with bug fixes and security fixes until at least March 2027 (https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.4). However, the Simplicity SDK Version 2026.12.0 is planned to upgrade to Mbed TLS 4.x and TF-PSA-Crypto 1.x in December 2026.
End of Service Date for Mbed TLS legacy APIs (planned): December 2026 - Simplicity SDK Version 2026.12.0
Migration: From now until the cutover date, users are recommended to evaluate usage of PSA Crypto APIs instead of Legacy Mbed TLS APIs, in order to pave the road for smooth upgrades (low-to-zero conflicts) to new Simplicity SDK versions in the future. The PSA Crypto API covers most of the legacy crypto APIs, hence new and existing applications should select PSA Crypto APIs whenever applicable. Existing applications using Legacy APIs that plan to upgrade to sisdk-2025.12.0 are recommended to evaluate migration to PSA Crypto APIs. See the migration guide: https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/v1.0.0/docs/1.0-migration-guide.md.
Summary of Legacy API replacements:
mbedtls_ecjpake_* - use psa_pake
mbedtls_mpi_* - migrate to psa bignum implementation
mbedtls_ecp_* - migrate to psa_generate_key, psa_generate_key_custom, psa_import_key and psa_export_key
mbedtls_ecdh_* - use psa_raw_key_agreement(PSA_ALG_ECDH,...
mbedtls_sha256_* - use psa_hash_*
mbedtls_aes_* - use psa_cipher_*
mbedtls_ccm_* - use psa_aead_*
mbedtls_md_* - use psa_mac_*
mbedtls_pk_* - use psa_import_key, psa_export_key, psa_sign_*, psa_verify_*
mbedtls_ecdsa_genkey - use psa_generate_key
Mbed TLS ALT interface - re-implement all alternate functions with the new psa_crypto interface
MBEDTLS error codes - where relevant, rewrite using the new PSA error codes
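One way to inventory legacy usage in an application ahead of the cutover, as an added example that is not part of the release notes or of any Silicon Labs tooling. The prefix table is copied from the summary list above; `audit` is a hypothetical helper name and the C snippet in `SAMPLE` is constructed.

```python
import re

# Legacy prefix -> replacement, copied from the summary list above. The exact
# name mbedtls_ecdsa_genkey comes first so it wins over any shorter prefix.
REPLACEMENTS = [
    ("mbedtls_ecdsa_genkey", "psa_generate_key"),
    ("mbedtls_ecjpake_", "psa_pake"),
    ("mbedtls_mpi_", "PSA bignum implementation"),
    ("mbedtls_ecp_", "psa_generate_key / psa_generate_key_custom / "
                     "psa_import_key / psa_export_key"),
    ("mbedtls_ecdh_", "psa_raw_key_agreement(PSA_ALG_ECDH, ...)"),
    ("mbedtls_sha256_", "psa_hash_*"),
    ("mbedtls_aes_", "psa_cipher_*"),
    ("mbedtls_ccm_", "psa_aead_*"),
    ("mbedtls_md_", "psa_mac_*"),
    ("mbedtls_pk_", "psa_import_key / psa_export_key / psa_sign_* / psa_verify_*"),
    ("MBEDTLS_ERR_", "PSA error codes"),
]
# C comments, string literals and char literals are blanked (newlines kept, so
# line numbers stay correct): commented-out calls and log text are not usage.
SKIP = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'', re.S)
IDENT = re.compile(r"\b(?:mbedtls|MBEDTLS_ERR)_\w+")

def audit(source):
    """Return (line, identifier, replacement) for each legacy identifier."""
    code = SKIP.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)
    findings = []
    for line_no, line in enumerate(code.splitlines(), 1):
        for name in IDENT.findall(line):
            for prefix, replacement in REPLACEMENTS:
                if name.startswith(prefix):
                    findings.append((line_no, name, replacement))
                    break
    return findings

# Constructed sample input (not taken from any SDK source file).
SAMPLE = r'''#include "mbedtls/sha256.h"
/* old: mbedtls_aes_setkey_enc(&aes, key, 128); */
int digest_and_keygen(void) {
    mbedtls_sha256_context ctx;  // mbedtls_md_setup() was tried first
    mbedtls_sha256_init(&ctx);
    if (mbedtls_sha256_starts(&ctx, 0) == MBEDTLS_ERR_SHA256_BAD_INPUT_DATA)
        puts("mbedtls_ccm_ failure");
    return mbedtls_ecdsa_genkey(&ec, MBEDTLS_ECP_DP_SECP256R1, rng, 0);
}
'''

if __name__ == "__main__":
    for line_no, name, replacement in audit(SAMPLE):
        print(f"line {line_no}: {name} -> {replacement}")
```

Identifiers outside the listed prefixes (for example other mbedtls_ecdsa_* functions) are not reported, so an empty result covers only the families named in the summary.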
Bug Fixes
| ID | Issue Description | GitHub / Salesforce Reference (if any) | Affected Software Variants, Hardware, Modes, Host Interfaces |
|---|---|---|---|
| 1542933 | Fixed security issue related to buffer handling for JPAKE functions. | None | |
Chip Enablement
None.
Application Example Changes
New Examples | Modified Examples | Removed Examples | Deprecated Examples
New Examples
None.
Modified Examples
| Example Name | Changes | Supported Software Variants if applicable | Supported Modes | Supported OPNs / Boards / OPN Combinations | Supported Host Interfaces |
|---|---|---|---|---|---|
| Platform Security - SoC SE Manager Asymmetric Key Handling. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Attestation. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Block Cipher. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Key Agreement (ECDH). See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Key Agreement (ECJPAKE). See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Hash. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Key Derivation (HKDF and PBKDF2). See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Key Provisioning. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Secure Debug. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Secure Identity. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Digital Signature (ECDSA and EdDSA). See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Stream Cipher. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Symmetric Key Handling. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager Tamper. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
| Platform Security - SoC SE Manager User Data. See README. | Migrated initialization flow from sl_system_init() to sl_main() | NA | SoC | Series 2 and 3 Devices | VCOM |
Removed Examples
None.
Deprecated Examples
None.
Known Issues and Limitations
| ID | Issue or Limitation Description | GitHub / Salesforce Reference (if any) | Workaround (if any) | Affected Software Variants, Hardware, Modes, Host Interfaces |
|---|---|---|---|---|
| | There is a known limitation in the PSA Crypto APIs for Multipart CMAC operation on xG301 devices. The key material passed by the user when calling psa_mac_sign_setup and psa_mac_verify_setup is not stored internally in the psa_mac_operation_t operation object. Only the pointer to the key buffer is stored. This limitation is planned to be fixed in a future version of the Simplicity SDK. | None. | Make sure the key material in the key buffer does not change during the multipart CMAC session until psa_mac_sign_finish or psa_mac_verify_finish returns to complete the multipart session. | None. |