SiSDK Platform - Security Features Version 5.2.0 (June 16, 2025) - Release Notes#
Simplicity SDK Platform Version 5.2.0
Simplicity SDK Version 2025.6.0
Release Summary#
Key Features | API Changes | Bug Fixes | Chip Enablement
Key Features#
xG29 device family support.
Code region support for External flash on Series-3.
Data region support for External flash on Series-3.
LTO support for SE Manager components.
Migrated PSA Crypto Apps initialization to sl_main.
API Changes#
None.
Bug Fixes#
None.
Chip Enablement#
Added support for xG29.
Key Features#
New Features | Enhancements | Removed Features | Deprecated Features
New Features#
Added SE Manager APIs for code regions in external flash support on Series-3, see New APIs
Added SE Manager APIs for data region in external flash support on Series-3, see New APIs
Added SE Manager APIs for lifecycle event flags on Series-3, see New APIs
Added SE Manager APIs for rollback counter on Series-3, see New APIs
Added SE Manager APIs for upgrade file version on Series-3, see New APIs
Added TrustZone veneer function for the sl_se_ecdh_compute_shared_secret API function in the SE Manager secure service.
Enhancements#
Added support for GCC LTO (Link Time Optimisation) in the SE Manager components. The plan is to support GCC LTO in all security components in the near future.
In sisdk-2025.6.0, SL_MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set to 1 by default. In sisdk-2024.12.1 ( and sisdk-2024.12.2 ) SL_MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS was introduced and set to 0 by default. That is "secure-by-default", ref ID # 1284341 in release note of sisdk-2024.12.1. This option addressed a security issue in Mbed TLS prior to version 3.6.0 (not inclusive) by implementing a counter-measure that protects input and output data ( in-use by the threads executing inside PSA Crypto API functions ) from external execution threads/ISRs (potentially untrusted). The counter-measure involves allocating internal buffers (potentially in secure RAM e.g. in Secure TrustZone) and copying the input and output data to/from the internal buffers. Hence there is a penalty of added latency, increased code size, and increased heap (ram) consumption which may be unacceptable when running on resource constrained devices ( with relatively small RAM and/or FLASH memory). In sisdk-2025.6.0, the disabled counter-measure improves performance by avoiding extra buffer copies, reducing memory usage and allocation overhead to accommodate resource constrained devices wrt "small-by-default out-of-the-box". However, it is NOT the most secure option and should only be enabled if all buffers passed to PSA functions are exclusively accessible to PSA and never shared with untrusted code. If buffers may cross trust boundaries (e.g. between NonSecure and Secure TrustZone), set this to 0 for best security.
Removed Features#
None.
Deprecated Features#
None.
API Changes#
New APIs | Modified APIs | Removed APIs | Deprecated APIs
New APIs#
New API Signature | Deprecated API replaced by this (if any) |
|---|---|
sl_status_t sl_se_code_region_get_config(sl_se_command_context_t *cmd_ctx, sl_se_code_region_config_t *regions_array, unsigned int start_region_idx, unsigned int region_array_size); | n/a |
sl_status_t sl_se_code_region_apply_config(sl_se_command_context_t *cmd_ctx, sl_se_code_region_config_t *regions_array, unsigned int start_region_idx, unsigned int region_array_size); | n/a |
sl_status_t sl_se_code_region_erase(sl_se_command_context_t *cmd_ctx, unsigned int region_idx); | n/a |
sl_status_t sl_se_code_region_partial_erase(sl_se_command_context_t *cmd_ctx, unsigned int region_idx, uint32_t block_offset, uint32_t num_blocks); | n/a |
sl_status_t sl_se_code_region_write(sl_se_command_context_t *cmd_ctx, unsigned int region_idx, uint32_t offset, const void *data, uint32_t num_bytes, sl_se_crypto_operation_t *decryption_info, sl_se_crypto_operation_t *integrity_check); | n/a |
sl_status_t sl_se_code_region_close(sl_se_command_context_t *cmd_ctx, unsigned int region_idx, uint32_t version); | n/a |
sl_status_t sl_se_code_region_get_version(sl_se_command_context_t *cmd_ctx, unsigned int region_idx, uint32_t *version); | n/a |
sl_status_t sl_se_data_region_get_location(sl_se_command_context_t *cmd_ctx, void **address, size_t *size); | n/a |
sl_status_t sl_se_data_region_write(sl_se_command_context_t *cmd_ctx, void *address, const void *data, size_t num_bytes); | n/a |
sl_status_t sl_se_data_region_erase(sl_se_command_context_t *cmd_ctx, void *start_address, size_t num_sectors); | n/a |
sl_status_t sl_se_get_lifecycle_event_flags(sl_se_command_context_t *cmd_ctx, uint64_t *event_flags); | n/a |
__STATIC_INLINE bool sl_se_lifecycle_event_flag_is_set(uint64_t *flags, sl_se_lifecycle_event_flag_t flag_index) | n/a |
sl_status_t sl_se_get_rollback_counter(sl_se_command_context_t *cmd_ctx, uint32_t *rollback_counter); | n/a |
sl_status_t sl_se_increment_rollback_counter(sl_se_command_context_t *cmd_ctx, uint32_t *rollback_counter); | n/a |
sl_status_t sl_se_get_upgrade_file_version(sl_se_command_context_t *cmd_ctx, uint32_t *version); | n/a |
sl_status_t sl_se_set_upgrade_file_version(sl_se_command_context_t *cmd_ctx, uint32_t version); | n/a |
sl_status_t sl_se_get_user_data(sl_se_command_context_t *cmd_ctx, void *output_data, size_t num_bytes); | n/a |
Modified APIs#
Series-2 API | Series-3 API |
|---|---|
sl_status_t sl_se_write_user_data (sl_se_command_context_t *cmd_ctx, uint32_t offset, void *data, uint32_t num_bytes); | sl_status_t sl_se_write_user_data (sl_se_command_context_t *cmd_ctx, const void *data, size_t num_bytes); |
Removed APIs#
The API called sl_se_erase_user_data exists on Series-2 but does not exist on Series-3 where it is replaced by sl_se_data_region_erase, see New APIs
Deprecated APIs#
Deprecated API Name | Planned Removal Date |
|---|---|
sl_se_code_region_set_active_banked | December 2025 - sisdk-2025.12.0 |
Bug Fixes#
None.
Chip Enablement#
xG29 family support for SE and cryptographic accelerator hardware.
Application Example Changes#
New Examples | Modified Examples | Removed Examples | Deprecated Examples
New Examples#
None.
Modified Examples#
| Example Name | Changes | Supported Software Variants if applicable | Supported Modes | Supported OPNs / Boards / OPN Combinations | Supported Host Interfaces |
|---|---|---|---|---|---|
|
Platform Security - SoC SE Manager Asymmetric Key Handling See README. |
|
NA |
|
|
VCOM |
|
Platform Security - SoC SE Manager Attestation See README. |
|
NA |
|
|
VCOM |
|
Platform Security - SoC SE Manager Block Cipher See README. |
|
NA |
|
|
VCOM |
|
Platform Security - SoC SE Manager Key Agreement (ECDH) See README. |
|
NA |
|
|
VCOM |
|
Platform Security - SoC SE Manager Key Agreement (ECJPAKE) See README. |
|
NA |
|
|
VCOM |
|
Platform Security - SoC SE Manager Hash See README. |
|
NA |
|
|
VCOM |
|
Platform Security - SoC SE Manager Key Derivation (HKDF and PBKDF2) See README. |
|
NA |
|
|
VCOM |
|
Platform Security - SoC SE Manager Key Provisioning See README. |
|
NA |
|
|
VCOM |
|
Platform Security - SoC SE Manager Secure Debug See README. |
|
NA |
|
|
VCOM |
|
Platform Security - SoC SE Manager Secure Identity See README. |
|
NA |
|
|
VCOM |
|
Platform Security - SoC SE Manager Digital Signature (ECDSA and EdDSA) See README. |
|
NA |
|
|
VCOM |
|
Platform Security - SoC SE Manager Stream Cipher See README. |
|
NA |
|
|
VCOM |
|
Platform Security - SoC SE Manager Symmetric Key Handling See README. |
|
NA |
|
|
VCOM |
|
Platform Security - SoC SE Manager Tamper See README. |
|
NA |
|
|
VCOM |
|
Platform Security - SoC SE Manager User Data See README. |
|
NA |
|
|
VCOM |
Removed Examples#
None. |
Deprecated Examples#
None.
Known Issues and Limitations#
None.