Simplicity SDK Platform - Security Features Version 6.1.0 - Release Notes (Jun 23, 2026)#

Simplicity SDK Platform Version 6.1.0

Release Summary#


Key Features#

  • Added support for NIST SP 800-108r1 key derivation, enabling PUF-based key derivation on xG27 devices.

API Changes#

  • Added new fine-grained SLC components for Mbed TLS X509, PK, SSL, and DTLS client/server APIs to reduce code size for specific use cases.

Bug Fixes#

  • Fixed application properties being optimized out by GCC Link Time Optimization (LTO) in the TrustZone Secure Key Library Attestation Service.

  • Fixed the return code being overwritten in the TrustZone Secure Key Library Attestation Service.

Chip Enablement#

None.

Key Features#


New Features#

Added support for NIST SP 800-108r1 key derivation, enabling derivation of keys from the internal PUF key. The derived keys are unique to each hardware unit, and the PUF key remains inaccessible to software.

This feature is available through the sl_psa_key_derivation_single_shot(PSA_ALG_SP800_108R1_CMAC, key_id, ...) function when key_id is obtained by opening the built-in PUF key with psa_open_key(SL_CRYPTOACC_BUILTIN_KEY_PUF_ID, &key_id).

This feature replaces the legacy PUF-based key derivation function, PSA_ALG_PBKDF2_AES_CMAC_PRF_128, when the input key is selected using SL_CRYPTOACC_BUILTIN_KEY_PUF_ID. The legacy function was removed in Simplicity SDK 2025.12.3 without a replacement. For more information, see the Simplicity SDK Platform Security Release Notes and CVE-2026-2815.

Enhancements#

  • Hardened secret-clearing operations (for example, key erasure) to ensure they are preserved during compiler optimization.

  • Added new SLC components to support more flexible SSL/TLS/DTLS client or server use cases provided by Mbed TLS. These components provide a more granular configuration model than the legacy components, allowing users to select a finer-grained set of Mbed TLS features. In some cases, this can reduce code size.
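
The secret-clearing enhancement above addresses dead-store elimination: a compiler may remove a `memset` on a buffer that is never read again. The following is an added illustration of that failure mode and one common hardening pattern; it is not Simplicity SDK or Mbed TLS code, and `session_t`, `tag_naive`, `tag_hardened`, `secure_clear`, `session_close` and `is_cleared` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* All names are hypothetical; none are Simplicity SDK or Mbed TLS APIs. */
typedef struct {
    uint8_t  key[16];
    uint32_t counter;
} session_t;

/* Before: tmp is never read after the memset, so dead-store elimination may
 * drop the call at -O2 or under LTO and leave key bytes on the stack. */
uint8_t tag_naive(const session_t *s, uint8_t msg)
{
    uint8_t tmp[16], tag = msg;
    memcpy(tmp, s->key, sizeof tmp);
    for (size_t i = 0; i < sizeof tmp; i++) tag ^= tmp[i]; /* stand-in for real crypto */
    memset(tmp, 0, sizeof tmp);
    return tag;
}

/* After: GCC and Clang do not elide stores made through a volatile-qualified
 * lvalue; the empty asm is a compiler barrier that keeps them in place. */
void secure_clear(void *buf, size_t len)
{
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) *p++ = 0;
#if defined(__GNUC__)
    __asm__ __volatile__("" : : "r"(buf) : "memory");
#endif
}

uint8_t tag_hardened(const session_t *s, uint8_t msg)
{
    uint8_t tmp[16], tag = msg;
    memcpy(tmp, s->key, sizeof tmp);
    for (size_t i = 0; i < sizeof tmp; i++) tag ^= tmp[i];
    secure_clear(tmp, sizeof tmp);
    return tag;
}

/* Erase a whole session object when it is torn down. */
void session_close(session_t *s) { secure_clear(s, sizeof *s); }

/* Returns 1 if every byte in buf is zero. */
int is_cleared(const void *buf, size_t len)
{
    const uint8_t *p = (const uint8_t *)buf;
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) acc |= p[i];
    return acc == 0;
}
```

To confirm the difference on a given toolchain, compare the disassembly of `tag_naive` and `tag_hardened` at the optimization level used for release builds.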

Removed Features#

None.

Deprecated Features#

None.

API Changes#


New APIs#

New SLC Components#

Added new SLC components to support more flexible use cases for SSL/TLS/DTLS client or server functionality provided by Mbed TLS. The new components are more granular than the existing components, allowing users to make a more fine-grained selection of Mbed TLS features and, in some cases, reduce code size.

The following table lists all new components:

New SLC components | Deprecated SLC components replaced by this
DTLS Protocol (mbedtls_ssl_proto_dtls.slcc) | DTLS (mbedtls_dtls.slcc)
DTLS Anti Replay (mbedtls_ssl_dtls_anti_replay.slcc) | DTLS (mbedtls_dtls.slcc)
DTLS Hello Verify (mbedtls_ssl_dtls_hello_verify.slcc) | DTLS (mbedtls_dtls.slcc)
DTLS Cookie (mbedtls_ssl_cookie.slcc) | DTLS (mbedtls_dtls.slcc)
SSL TLS generic (mbedtls_ssl_tls.slcc) | TLS Client (mbedtls_tls.slcc)
SSL Client (mbedtls_ssl_client) | TLS Client (mbedtls_tls.slcc)
SSL Keep Peer Certificate (mbedtls_ssl_keep_peer_certificate.slcc) | TLS Client (mbedtls_tls.slcc)
SSL Server Name Indication (mbedtls_ssl_server_name_indication.slcc) | TLS Client (mbedtls_tls.slcc)
SSL Server (mbedtls_ssl_server.slcc) | TLS Server (mbedtls_tls_server.slcc)
X.509 Use Certificates (mbedtls_x509_use.slcc) | X.509 (mbedtls_x509.slcc)
X.509 Create Certificates Core (mbedtls_x509_create.slcc) | X.509 (mbedtls_x509.slcc)
X.509 Parse Certificates (mbedtls_x509_crt_parse.slcc) | X.509 (mbedtls_x509.slcc)
X.509 Create Certificates (mbedtls_x509_crt_write.slcc) | X.509 (mbedtls_x509.slcc)
X.509 CRL Parsing (mbedtls_x509_crl_parse.slcc) | X.509 (mbedtls_x509.slcc)
X.509 CSR Parsing (mbedtls_x509_csr_parse.slcc) | X.509 (mbedtls_x509.slcc)
X.509 CSR Creating (mbedtls_x509_csr_write.slcc) | X.509 (mbedtls_x509.slcc)
PEM Parsing (mbedtls_pem_parse.slcc) | PEM Parsing and Writing (mbedtls_pem.slcc)
PEM Writing (mbedtls_pem_write.slcc) | PEM Parsing and Writing (mbedtls_pem.slcc)
Public-Key Core Abstraction Layer (mbedtls_pk.slcc) | Public-Key Abstraction Layer (mbedtls_pki.slcc)
Public-Key Parse API (mbedtls_pk_parse.slcc) | Public-Key Abstraction Layer (mbedtls_pki.slcc)
Public-Key Write API (mbedtls_pk_write.slcc) | Public-Key Abstraction Layer (mbedtls_pki.slcc)
ASN.1 Parsing only (mbedtls_asn1_parse.slcc) | ASN.1 Parsing (mbedtls_asn1.slcc)
ASN.1 Writer (mbedtls_asn1_write.slcc) | ASN.1 Parsing (mbedtls_asn1.slcc)

Modified APIs#

None.

Removed APIs#

None.

Deprecated APIs#

Deprecated SLC Components#

Deprecated SLC components | Replacements (new SLC components)
DTLS (mbedtls_dtls.slcc) | partially DTLS Protocol (mbedtls_ssl_proto_dtls.slcc)
DTLS (mbedtls_dtls.slcc) | partially DTLS Anti Replay (mbedtls_ssl_dtls_anti_replay.slcc)
DTLS (mbedtls_dtls.slcc) | partially DTLS Hello Verify (mbedtls_ssl_dtls_hello_verify.slcc)
DTLS (mbedtls_dtls.slcc) | partially DTLS Cookie (mbedtls_ssl_cookie.slcc)
TLS Client (mbedtls_tls.slcc) | partially SSL TLS generic (mbedtls_ssl_tls.slcc)
TLS Client (mbedtls_tls.slcc) | partially SSL Client (mbedtls_ssl_client)
TLS Client (mbedtls_tls.slcc) | partially SSL Keep Peer Certificate (mbedtls_ssl_keep_peer_certificate.slcc)
TLS Client (mbedtls_tls.slcc) | partially SSL Server Name Indication (mbedtls_ssl_server_name_indication.slcc)
TLS Server (mbedtls_tls_server.slcc) | SSL Server (mbedtls_ssl_server.slcc)
X.509 (mbedtls_x509.slcc) | partially X.509 Use Certificates (mbedtls_x509_use.slcc)
X.509 (mbedtls_x509.slcc) | partially X.509 Create Certificates Core (mbedtls_x509_create.slcc)
X.509 (mbedtls_x509.slcc) | partially X.509 Parse Certificates (mbedtls_x509_crt_parse.slcc)
X.509 (mbedtls_x509.slcc) | partially X.509 Create Certificates (mbedtls_x509_crt_write.slcc)
X.509 (mbedtls_x509.slcc) | partially X.509 CRL Parsing (mbedtls_x509_crl_parse.slcc)
X.509 (mbedtls_x509.slcc) | partially X.509 CSR Parsing (mbedtls_x509_csr_parse.slcc)
X.509 (mbedtls_x509.slcc) | partially X.509 CSR Creating (mbedtls_x509_csr_write.slcc)
PEM Parsing and Writing (mbedtls_pem.slcc) | partially PEM Parsing (mbedtls_pem_parse.slcc)
PEM Parsing and Writing (mbedtls_pem.slcc) | partially PEM Writing (mbedtls_pem_write.slcc)
Public-Key Abstraction Layer (mbedtls_pki.slcc) | partially Public-Key Core Abstraction Layer (mbedtls_pk.slcc)
Public-Key Abstraction Layer (mbedtls_pki.slcc) | partially Public-Key Parse API (mbedtls_pk_parse.slcc)
Public-Key Abstraction Layer (mbedtls_pki.slcc) | partially Public-Key Write API (mbedtls_pk_write.slcc)
ASN.1 Parsing (mbedtls_asn1.slcc) | partially ASN.1 Parsing only (mbedtls_asn1_parse.slcc)
ASN.1 Parsing (mbedtls_asn1.slcc) | partially ASN.1 Writer (mbedtls_asn1_write.slcc)

Deprecated Software#

  • Mbed TLS Legacy API(s) in Mbed TLS 3.6 LTS release branch.

  • Corresponding Mbed TLS ALT implementations from Silicon Labs.

Reason for Deprecation#

Long-term changes in the underlying Mbed TLS library have resulted in the discontinuation of legacy APIs (prefixed with the mbedtls_ namespace) in Mbed TLS 4.0.0, released on October 15, 2025. For more information, see the Mbed TLS 4.0.0 release notes.

A major change in Mbed TLS 4.0.0 is the separation of the PSA Crypto library into a new repository, TF-PSA-Crypto, which was also released on October 15, 2025. For more information, see the TF-PSA-Crypto 1.0.0 release notes.

For information about the affected Mbed TLS APIs, see:

Maintenance Period#

Simplicity SDK 2025.12.0 is based on Mbed TLS 3.6.4, which is a long-term support (LTS) release. The upstream Mbed TLS repository on GitHub will continue to receive bug fixes and security fixes for the duration of the Mbed TLS 3.6 LTS maintenance period:

A future Simplicity SDK release is planned to upgrade to Mbed TLS 4.x and TF-PSA-Crypto 1.x.

Planned End of Service#

June 2027 (planned)

Migration Guidance#

Before the planned transition to Mbed TLS 4.x, evaluate the use of PSA Crypto APIs instead of legacy Mbed TLS APIs to help ensure a smooth upgrade to future Simplicity SDK releases.

The PSA Crypto API covers most legacy cryptographic APIs. For new development, use PSA Crypto APIs whenever applicable. Existing applications that use legacy APIs and plan to upgrade to Simplicity SDK 2025.12.0 should evaluate migration to PSA Crypto APIs.

For migration information, see the Migration guide.

The following list summarizes the legacy API replacements:

  • mbedtls_ecjpake_* - use psa_pake

  • mbedtls_mpi_* - migrate to psa bignum implementation

  • mbedtls_ecp_* - migrate to psa_generate_key, psa_generate_key_custom, psa_import_key and psa_export_key

  • mbedtls_ecdh_* - use psa_raw_key_agreement(PSA_ALG_ECDH,...

  • mbedtls_sha256_* - use psa_hash_*

  • mbedtls_aes_* - use psa_cipher_*

  • mbedtls_ccm_* - use psa_aead_*

  • mbedtls_md_* - use psa_mac_*

  • mbedtls_pk_* - use psa_import_key, psa_export_key, psa_sign_*, psa_verify_*

  • mbedtls_ecdsa_genkey - use psa_generate_key

  • Mbed TLS ALT interface - re-implement all alternate functions with the new psa_crypto interface

  • Mbed TLS error codes - where relevant, rewrite using the new PSA error codes

Bug Fixes#

ID | Issue Description | GitHub / Salesforce Reference (if any) | Affected Software Variants, Hardware, Modes, Host Interfaces
1543373 | Fixed application properties being optimized out when using Link Time Optimization (LTO) with the GCC toolchain in the TrustZone Secure Key Library Attestation Service. | None | Affected devices: All HSE Series-2 (xG2x). Affected SDKs: All SDK versions since Simplicity SDK 2025.12.0.
1543373 | Fixed the return code being overwritten in the TrustZone Secure Key Library Attestation Service. | None | Affected devices: All Series-2 (xG2x). Affected SDKs: All SDK versions since GSDK 4.2.2, March 2023.

Chip Enablement#

None.

Application Example Changes#


New Examples#

None.

Modified Examples#

None.

Removed Examples#

None.

Deprecated Examples#

None.

Known Issues and Limitations#

ID | Issue or Limitation Description | GitHub / Salesforce Reference (if any) | Workaround (if any) | Affected Software Variants, Hardware, Modes, Host Interfaces
1556256 | The existing TrustZone Secure Key Library (TZ SKL) feature in the Simplicity SDK does not build with the IAR compiler toolchain. A fix is planned for a future Simplicity SDK release. The TZ SKL feature is supported with the GCC compiler toolchain in this release (6.1.0). | None. | None. | Affected devices: All HSE Series-2 (xG2x). Affected SDKs: All SDK versions since Simplicity SDK 2025.12.0.