Create experiment branch

Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com
Change-Id: I665fb15b5e2f6e7f060756a38a748ebb5d7f4b43
diff --git a/config/config_base.cmake b/config/config_base.cmake
index f4970ca..371a420 100644
--- a/config/config_base.cmake
+++ b/config/config_base.cmake
@@ -115,6 +115,7 @@
 set(PLATFORM_DEFAULT_PROVISIONING       ON          CACHE BOOL      "Use default provisioning implementation")
 set(PLATFORM_DEFAULT_SYSTEM_RESET_HALT  ON          CACHE BOOL      "Use default system reset/halt implementation")
 set(PLATFORM_DEFAULT_IMAGE_SIGNING      ON          CACHE BOOL      "Use default image signing implementation")
+set(PLATFORM_DEFAULT_PROV_LINKER_SCRIPT ON          CACHE BOOL      "Use default provisioning linker script")
 
 set(TFM_DUMMY_PROVISIONING              ON          CACHE BOOL      "Provision with dummy values. NOT to be used in production")
 
diff --git a/config/config_base.h b/config/config_base.h
index ac96b74..b3c5060 100644
--- a/config/config_base.h
+++ b/config/config_base.h
@@ -197,6 +197,11 @@
 #define TFM_ITS_AUTH_TAG_LENGTH                16
 #endif
 
+/* The size of the key used when authentication/encryption of ITS files is enabled */
+#ifndef TFM_ITS_KEY_LENGTH
+#define TFM_ITS_KEY_LENGTH                16
+#endif
+
 /* The size of the nonce used when ITS file encryption is enabled */
 #ifndef TFM_ITS_ENC_NONCE_LENGTH
 #define TFM_ITS_ENC_NONCE_LENGTH               12
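Review bot: The comment on `TFM_ITS_KEY_LENGTH` gives neither the unit nor the accepted values, although the template added in this commit feeds it to `psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(TFM_ITS_KEY_LENGTH))` with `PSA_KEY_TYPE_AES`. I would spell that out, e.g. `/* The size in bytes of the key used when authentication/encryption of ITS files is enabled; the AES-based template expects 16, 24 or 32 */`. The value column is also one tab stop short of the neighbouring defines.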
diff --git a/config/profile/config_profile_large.h b/config/profile/config_profile_large.h
index 948b040..7eeb516 100644
--- a/config/profile/config_profile_large.h
+++ b/config/profile/config_profile_large.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -100,6 +100,11 @@
 #define CRYPTO_NV_SEED                         1
 #endif
 
+/* Use external RNG to provide entropy */
+#ifndef CRYPTO_EXT_RNG
+#define CRYPTO_EXT_RNG                         0
+#endif
+
 /*
  * Only enable multi-part operations in Hash, MAC, AEAD and symmetric ciphers,
  * to optimize memory footprint in resource-constrained devices.
@@ -185,7 +190,11 @@
 
 /* The stack size of the Internal Trusted Storage Secure Partition */
 #ifndef ITS_STACK_SIZE
+#ifndef ITS_ENCRYPTION
 #define ITS_STACK_SIZE                         0x720
+#else
+#define ITS_STACK_SIZE                         0xC00
+#endif
 #endif
 
 /* PS Partition Configs */
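Review bot: The new `#ifndef ITS_ENCRYPTION` tests only whether the macro is defined, while the other switches in this header (`CRYPTO_NV_SEED`, `CRYPTO_EXT_RNG`) are 0/1-valued, so a build that defines `ITS_ENCRYPTION` as 0 would still take the `0xC00` branch. If the macro can ever carry a value, `#if defined(ITS_ENCRYPTION) && ITS_ENCRYPTION` is safer; if it is only ever defined or undefined, a short comment saying so would prevent the confusion. A one-line rationale for `0xC00` would also help, presumably the extra stack needed by the key derivation and AEAD calls. The same hunk appears in config_profile_medium.h, config_profile_medium_arotless.h and config_profile_small.h.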
diff --git a/config/profile/config_profile_medium.h b/config/profile/config_profile_medium.h
index 4787c62..408152c 100644
--- a/config/profile/config_profile_medium.h
+++ b/config/profile/config_profile_medium.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -100,6 +100,11 @@
 #define CRYPTO_NV_SEED                         1
 #endif
 
+/* Use external RNG to provide entropy */
+#ifndef CRYPTO_EXT_RNG
+#define CRYPTO_EXT_RNG                         0
+#endif
+
 /*
  * Only enable multi-part operations in Hash, MAC, AEAD and symmetric ciphers,
  * to optimize memory footprint in resource-constrained devices.
@@ -183,7 +188,11 @@
 
 /* The stack size of the Internal Trusted Storage Secure Partition */
 #ifndef ITS_STACK_SIZE
+#ifndef ITS_ENCRYPTION
 #define ITS_STACK_SIZE                         0x720
+#else
+#define ITS_STACK_SIZE                         0xC00
+#endif
 #endif
 
 /* PS Partition Configs */
diff --git a/config/profile/config_profile_medium_arotless.h b/config/profile/config_profile_medium_arotless.h
index 77be11f..61133f9 100644
--- a/config/profile/config_profile_medium_arotless.h
+++ b/config/profile/config_profile_medium_arotless.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022-2023, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -100,6 +100,11 @@
 #define CRYPTO_NV_SEED                         1
 #endif
 
+/* Use external RNG to provide entropy */
+#ifndef CRYPTO_EXT_RNG
+#define CRYPTO_EXT_RNG                         0
+#endif
+
 /*
  * Only enable multi-part operations in Hash, MAC, AEAD and symmetric ciphers,
  * to optimize memory footprint in resource-constrained devices.
@@ -183,7 +188,11 @@
 
 /* The stack size of the Internal Trusted Storage Secure Partition */
 #ifndef ITS_STACK_SIZE
+#ifndef ITS_ENCRYPTION
 #define ITS_STACK_SIZE                         0x720
+#else
+#define ITS_STACK_SIZE                         0xC00
+#endif
 #endif
 
 /* PS Partition Configs */
diff --git a/config/profile/config_profile_small.h b/config/profile/config_profile_small.h
index 7ebc130..655c715 100644
--- a/config/profile/config_profile_small.h
+++ b/config/profile/config_profile_small.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -97,6 +97,11 @@
 #define CRYPTO_NV_SEED                         1
 #endif
 
+/* Use external RNG to provide entropy */
+#ifndef CRYPTO_EXT_RNG
+#define CRYPTO_EXT_RNG                         0
+#endif
+
 /*
  * Only enable multi-part operations in Hash, MAC, AEAD and symmetric ciphers,
  * to optimize memory footprint in resource-constrained devices.
@@ -180,7 +185,11 @@
 
 /* The stack size of the Internal Trusted Storage Secure Partition */
 #ifndef ITS_STACK_SIZE
+#ifndef ITS_ENCRYPTION
 #define ITS_STACK_SIZE                         0x720
+#else
+#define ITS_STACK_SIZE                         0xC00
+#endif
 #endif
 
 /* PS Partition Configs */
diff --git a/docs/design_docs/services/tfm_its_service.rst b/docs/design_docs/services/tfm_its_service.rst
index 765cdba..efa9a21 100644
--- a/docs/design_docs/services/tfm_its_service.rst
+++ b/docs/design_docs/services/tfm_its_service.rst
@@ -337,6 +337,15 @@
 key-derivation key and the file id, which is used as a derivation label.
 The long-term key-derivation key must be managed by the target platform.
 
+There is a generic implementation of the abovementioned functions under
+``platform/ext/common/template/tfm_hal_its_encryption.c`` using PSA crypto calls
+similar to Protected Storage solution. When used, the default NV seed template
+under ``platform/ext/common/template/crypto_nv_seed.c`` must be disabled, as it
+relies on ITS. If there is a need for NV seed usage, an ITS independent
+implementation is required. If NV seed is not necessary, it can be turned off by
+setting ``CRYPTO_NV_SEED=0``.
+
+
 --------------
 
-*Copyright (c) 2019-2022, Arm Limited. All rights reserved.*
+*Copyright (c) 2019-2024, Arm Limited. All rights reserved.*
diff --git a/docs/platform/arm/mps3/corstone300/README.rst b/docs/platform/arm/mps3/corstone300/README.rst
index 731c3d4..9f783d8 100644
--- a/docs/platform/arm/mps3/corstone300/README.rst
+++ b/docs/platform/arm/mps3/corstone300/README.rst
@@ -154,7 +154,7 @@
 .. note::
 
    If ``-DPLATFORM_DEFAULT_PROVISIONING=OFF`` is set then the provisioning bundle has to
-   be placed on the ``0x10022400`` address by copying ``encrypted_provisioning_bundle.bin`` and
+   be placed on the ``0x10022400`` address by copying ``provisioning_bundle.bin`` and
    renaming it to ``prv.bin``, then extending the images.txt with::
 
     IMAGE2UPDATE: AUTO
@@ -220,7 +220,7 @@
 .. note::
 
    If ``-DPLATFORM_DEFAULT_PROVISIONING=OFF`` is set then the provisioning bundle has to
-   be placed on the ``0x10022400`` address by copying ``encrypted_provisioning_bundle.bin`` and
+   be placed on the ``0x10022400`` address by copying ``provisioning_bundle.bin`` and
    renaming it to ``prv.bin``, then extending the images.txt with::
 
     IMAGE2UPDATE: AUTO
@@ -268,9 +268,9 @@
    If ``-DPLATFORM_DEFAULT_PROVISIONING=OFF`` is set then the provisioning bundle has to
    be placed on the ``0x10022000`` address with::
 
-   $ ./FVP_Corstone_SSE-300_Ethos-U55 -a cpu0*="<path-to-build-directory>/bl2.axf" --data "<path-to-build-directory>/tfm_s_ns_signed.bin"@0x38000000 --data "<path-to-build-directory>/encrypted_provisioning_bundle.bin"@0x10022000
+   $ ./FVP_Corstone_SSE-300_Ethos-U55 -a cpu0*="<path-to-build-directory>/bl2.axf" --data "<path-to-build-directory>/tfm_s_ns_signed.bin"@0x38000000 --data "<path-to-build-directory>/provisioning_bundle.bin"@0x10022000
 
 
 -------------
 
-*Copyright (c) 2020-2023, Arm Limited. All rights reserved.*
+*Copyright (c) 2020-2024, Arm Limited. All rights reserved.*
diff --git a/docs/platform/arm/mps3/corstone310/README.rst b/docs/platform/arm/mps3/corstone310/README.rst
index 8e631ee..e45b543 100644
--- a/docs/platform/arm/mps3/corstone310/README.rst
+++ b/docs/platform/arm/mps3/corstone310/README.rst
@@ -155,7 +155,7 @@
 .. note::
 
    If ``-DPLATFORM_DEFAULT_PROVISIONING=OFF`` is set then the provisioning bundle has to
-   be placed on the ``0x11022400`` address by copying ``encrypted_provisioning_bundle.bin`` and
+   be placed on the ``0x11022400`` address by copying ``provisioning_bundle.bin`` and
    renaming it to ``prv.bin``, then extending the images.txt with::
 
     IMAGE2UPDATE: RAM
@@ -203,9 +203,9 @@
    If ``-DPLATFORM_DEFAULT_PROVISIONING=OFF`` is set then the provisioning bundle has to
    be placed on the ``0x11022000`` address with::
 
-   $ ./FVP_Corstone_SSE-310 -a cpu0*="<path-to-build-directory>/bl2.axf" --data "<path-to-build-directory>/tfm_s_ns_signed.bin"@0x38000000 --data "<path-to-build-directory>/encrypted_provisioning_bundle.bin"@0x11022000
+   $ ./FVP_Corstone_SSE-310 -a cpu0*="<path-to-build-directory>/bl2.axf" --data "<path-to-build-directory>/tfm_s_ns_signed.bin"@0x38000000 --data "<path-to-build-directory>/provisioning_bundle.bin"@0x11022000
 
 
 -------------
 
-*Copyright (c) 2021-2023, Arm Limited. All rights reserved.*
+*Copyright (c) 2021-2024, Arm Limited. All rights reserved.*
diff --git a/platform/CMakeLists.txt b/platform/CMakeLists.txt
index 4555caf..271ac4d 100644
--- a/platform/CMakeLists.txt
+++ b/platform/CMakeLists.txt
@@ -63,6 +63,7 @@
 target_include_directories(platform_s
     PUBLIC
         $<$<BOOL:${CRYPTO_HW_ACCELERATOR}>:${CMAKE_CURRENT_SOURCE_DIR}/ext/accelerator/interface>
+        ../secure_fw/spm/include/private
 )
 
 target_sources(platform_s
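Review bot: `../secure_fw/spm/include/private` is added under `PUBLIC`, so every target that links `platform_s` inherits SPM's private headers on its include path, which defeats the point of keeping them in a `private` directory. If only the platform sources need them, a separate `PRIVATE` entry is the narrower choice, and an absolute path is less fragile than the relative one: `PRIVATE ${CMAKE_SOURCE_DIR}/secure_fw/spm/include/private`. A comment naming the source file that needs the header would make the dependency easier to remove later.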
diff --git a/platform/ext/target/arm/mps3/common/provisioning/CMakeLists.txt b/platform/ext/common/provisioning_bundle/CMakeLists.txt
similarity index 83%
rename from platform/ext/target/arm/mps3/common/provisioning/CMakeLists.txt
rename to platform/ext/common/provisioning_bundle/CMakeLists.txt
index 5ce424b..26f6bd9 100644
--- a/platform/ext/target/arm/mps3/common/provisioning/CMakeLists.txt
+++ b/platform/ext/common/provisioning_bundle/CMakeLists.txt
@@ -11,14 +11,14 @@
 add_executable(provisioning_bundle)
 
 if(${TFM_DUMMY_PROVISIONING})
-    include(${CMAKE_SOURCE_DIR}/platform/ext/target/arm/mps3/common/provisioning/provisioning_config.cmake)
+    include(${CMAKE_SOURCE_DIR}/platform/ext/common/provisioning_bundle/provisioning_config.cmake)
 else()
     include("${PROVISIONING_KEYS_CONFIG}" OPTIONAL RESULT_VARIABLE PROVISIONING_KEYS_CONFIG_PATH)
     if(NOT PROVISIONING_KEYS_CONFIG_PATH)
         message(WARNING "The PROVISIONING_KEYS_CONFIG is not set. If the keys are not passed via the command line then \
                         random numbers will be used for HUK/IAK etc. \
                         To create and use a PROVISIONING_KEYS_CONFIG file, \
-                        see the example in: tf-m/platform/ext/target/arm/mps3/common/provisioning/provisioning_config.cmake")
+                        see the example in: tf-m/platform/ext/common/provisioning_bundle/provisioning_config.cmake")
     endif()
 endif()
 
@@ -28,11 +28,13 @@
         RUNTIME_OUTPUT_DIRECTORY "${CMAKE_BINARY_DIR}/bin"
 )
 
-target_add_scatter_file(provisioning_bundle
-    $<$<C_COMPILER_ID:ARMClang>:${CMAKE_CURRENT_SOURCE_DIR}/provisioning_bundle.sct>
-    $<$<C_COMPILER_ID:GNU>:${CMAKE_CURRENT_SOURCE_DIR}/provisioning_bundle.ld>
-    $<$<C_COMPILER_ID:IAR>:${CMAKE_CURRENT_SOURCE_DIR}/provisioning_bundle.icf>
-)
+if(${PLATFORM_DEFAULT_PROV_LINKER_SCRIPT})
+    target_add_scatter_file(provisioning_bundle
+        $<$<C_COMPILER_ID:ARMClang>:${CMAKE_CURRENT_SOURCE_DIR}/provisioning_bundle.sct>
+        $<$<C_COMPILER_ID:GNU>:${CMAKE_CURRENT_SOURCE_DIR}/provisioning_bundle.ld>
+        $<$<C_COMPILER_ID:IAR>:${CMAKE_CURRENT_SOURCE_DIR}/provisioning_bundle.icf>
+    )
+endif()
 
 target_link_options(provisioning_bundle
     PRIVATE
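Review bot: When `PLATFORM_DEFAULT_PROV_LINKER_SCRIPT` is OFF, `provisioning_bundle` gets no scatter file from this file, and nothing here tells the platform that it must now supply one. The bundle is later copied section by section to fixed addresses, so a silently defaulted layout is worth guarding against. I would add a comment above the guard such as `# When OFF, the platform must call target_add_scatter_file(provisioning_bundle ...) itself`. For style, `if(PLATFORM_DEFAULT_PROV_LINKER_SCRIPT)` matches the `if(NOT PLATFORM_DEFAULT_PROVISIONING)` form used in the platform CMake files touched by this patch.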
@@ -75,23 +77,23 @@
         MBEDTLS_PSA_CRYPTO_CONFIG_FILE="${CMAKE_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/crypto_config_default.h"
 )
 
-add_custom_target(encrypted_provisioning_bundle
+add_custom_target(provisioning_bundle_bin
     ALL
-    SOURCES encrypted_provisioning_bundle.bin
+    SOURCES provisioning_bundle.bin
 )
 
-add_custom_command(OUTPUT encrypted_provisioning_bundle.bin
+add_custom_command(OUTPUT provisioning_bundle.bin
     DEPENDS $<TARGET_FILE_DIR:provisioning_bundle>/provisioning_bundle.axf
     DEPENDS provisioning_bundle
     DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/create_provisioning_bundle.py
     COMMAND ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/create_provisioning_bundle.py
                     --provisioning_bundle_axf ${CMAKE_BINARY_DIR}/bin/provisioning_bundle.axf
-                    --bundle_output_file encrypted_provisioning_bundle.bin
+                    --bundle_output_file provisioning_bundle.bin
                     --code_pad_size ${PROVISIONING_CODE_PADDED_SIZE}
                     --data_pad_size ${PROVISIONING_DATA_PADDED_SIZE}
                     --values_pad_size ${PROVISIONING_VALUES_PADDED_SIZE}
                     --magic "0xC0DEFEED"
-    COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/encrypted_provisioning_bundle.bin ${CMAKE_BINARY_DIR}/bin/encrypted_provisioning_bundle.bin
+    COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/provisioning_bundle.bin ${CMAKE_BINARY_DIR}/bin/provisioning_bundle.bin
 )
 
 target_sources(platform_s
@@ -124,6 +126,7 @@
         ${CMAKE_CURRENT_BINARY_DIR}/provisioning_data.c
         --bl2_rot_priv_key_0=${MCUBOOT_KEY_S}
         --bl2_rot_priv_key_1=${MCUBOOT_KEY_NS}
+        --bl2_mcuboot_hw_key=${MCUBOOT_HW_KEY}
         --template_path=${CMAKE_CURRENT_SOURCE_DIR}
         --secure_debug_pk=${SECURE_DEBUG_PK}
         --huk=${HUK}
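Review bot: `${MCUBOOT_HW_KEY}` is forwarded verbatim, while create_provisioning_data.py in this same commit tests it with `mcuboot_hw_key == "ON"`. Any other truthy CMake spelling (`TRUE`, `1`, `YES`) therefore falls into the raw-key branch and provisions a full public key where a hash was intended, with no diagnostic. Normalising at the call site avoids that: `--bl2_mcuboot_hw_key=$<IF:$<BOOL:${MCUBOOT_HW_KEY}>,ON,OFF>`. The enclosing command starts and ends outside this hunk.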
diff --git a/platform/ext/target/arm/mps3/common/provisioning/bl2_provisioning.c b/platform/ext/common/provisioning_bundle/bl2_provisioning.c
similarity index 88%
rename from platform/ext/target/arm/mps3/common/provisioning/bl2_provisioning.c
rename to platform/ext/common/provisioning_bundle/bl2_provisioning.c
index f956385..761a6a4 100644
--- a/platform/ext/target/arm/mps3/common/provisioning/bl2_provisioning.c
+++ b/platform/ext/common/provisioning_bundle/bl2_provisioning.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021-2023, Arm Limited. All rights reserved.
+ * Copyright (c) 2021-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -13,7 +13,7 @@
 #include "string.h"
 #include "provisioning_bundle.h"
 
-static const volatile struct provisioning_bundle *encrypted_bundle =
+static const volatile struct provisioning_bundle *bundle =
 (const struct provisioning_bundle *)PROVISIONING_BUNDLE_START;
 
 static enum tfm_plat_err_t provision_assembly_and_test(void);
@@ -72,8 +72,8 @@
     if (lcs == PLAT_OTP_LCS_ASSEMBLY_AND_TEST) {
 
         BOOT_LOG_INF("Waiting for provisioning bundle");
-        while (encrypted_bundle->magic != BUNDLE_MAGIC ||
-               encrypted_bundle->magic2 != BUNDLE_MAGIC) {
+        while (bundle->magic != BUNDLE_MAGIC ||
+               bundle->magic2 != BUNDLE_MAGIC) {
         }
 
         err = provision_assembly_and_test();
@@ -91,13 +91,13 @@
 
     /* TODO replace this with decrypt and auth */
     memcpy((void*)PROVISIONING_BUNDLE_CODE_START,
-           (void *)encrypted_bundle->code,
+           (void *)bundle->code,
            PROVISIONING_BUNDLE_CODE_SIZE);
     memcpy((void*)PROVISIONING_BUNDLE_DATA_START,
-           (void *)&encrypted_bundle->data,
+           (void *)&bundle->data,
            PROVISIONING_BUNDLE_DATA_SIZE);
     memcpy((void*)PROVISIONING_BUNDLE_VALUES_START,
-           (void *)&encrypted_bundle->values,
+           (void *)&bundle->values,
            PROVISIONING_BUNDLE_VALUES_SIZE);
 
     BOOT_LOG_INF("Running provisioning bundle");
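Review bot: The `/* TODO replace this with decrypt and auth */` comment above the three `memcpy` calls is now stale. With the `encrypted_` prefix gone, the bundle is plainly copied from `PROVISIONING_BUNDLE_START` and run, and the only gate visible in this patch is the magic-value comparison in the earlier hunk. I would reword it to state the remaining gap, e.g. `/* TODO: authenticate the bundle before copying and running it */`. The `/* This section is authenticated */` comment that this commit keeps in provisioning_bundle.h should be revisited for the same reason. The enclosing function starts and ends outside this hunk.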
diff --git a/platform/ext/target/arm/mps3/common/provisioning/create_provisioning_bundle.py b/platform/ext/common/provisioning_bundle/create_provisioning_bundle.py
similarity index 100%
rename from platform/ext/target/arm/mps3/common/provisioning/create_provisioning_bundle.py
rename to platform/ext/common/provisioning_bundle/create_provisioning_bundle.py
diff --git a/platform/ext/target/arm/mps3/common/provisioning/create_provisioning_data.py b/platform/ext/common/provisioning_bundle/create_provisioning_data.py
similarity index 80%
rename from platform/ext/target/arm/mps3/common/provisioning/create_provisioning_data.py
rename to platform/ext/common/provisioning_bundle/create_provisioning_data.py
index 8ec7f44..a4f629f 100644
--- a/platform/ext/target/arm/mps3/common/provisioning/create_provisioning_data.py
+++ b/platform/ext/common/provisioning_bundle/create_provisioning_data.py
@@ -31,11 +31,20 @@
 os.environ['LANG'] = 'C.UTF-8'
 
 
-def get_key_hash_c_array(key_file):
+def get_key_hash_c_array(key_file, mcuboot_hw_key):
     key = imgtool.main.load_key(key_file)
-    digest = Hash(SHA256())
-    digest.update(key.get_public_bytes())
-    return hex_to_c_array(digest.finalize())
+    key_bytes = []
+    if mcuboot_hw_key == "ON":
+        digest = Hash(SHA256())
+        digest.update(key.get_public_bytes())
+        key_bytes = digest.finalize()
+    else:
+        # If the full key is used then use only the raw key
+        # bit string (subjectPublicKey). The offset of the
+        # bit string is 26, so drop the first 26 bytes.
+        key_bytes = key.get_public_bytes()[26:]
+
+    return hex_to_c_array(key_bytes)
 
 
 @click.argument('outfile')
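Review bot: The fixed `[26:]` slice in `get_key_hash_c_array` assumes a 26-byte SubjectPublicKeyInfo header, which matches a P-256 key. This commit also adds `MCUBOOT_SIGN_EC384` sizes in provisioning_bundle.h, and a key type with a different header length would be cut at the wrong offset and provisioned without any error. A sanity check on the result catches the mismatch, e.g. `if key_bytes[0] != 0x04: raise click.UsageError("unexpected public key encoding")`, assuming the raw value is an uncompressed EC point. The function name and the `*_hash` variables at the call sites no longer describe the non-hash branch, so a docstring stating that it returns either the SHA-256 hash or the raw key would help, and the `key_bytes = []` initialiser is unused.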
@@ -43,6 +52,7 @@
 @click.option('--bl2_rot_priv_key_1', metavar='filename', required=False)
 @click.option('--bl2_rot_priv_key_2', metavar='filename', required=False)
 @click.option('--bl2_rot_priv_key_3', metavar='filename', required=False)
+@click.option('--bl2_mcuboot_hw_key', metavar='string', required=True)
 @click.option('--template_path', metavar='filename', required=True)
 @click.option('--secure_debug_pk', metavar='key', required=False)
 @click.option('--huk', metavar='key', required=False)
@@ -58,7 +68,7 @@
                provisioning_data_template.jinja2 template which is located in
                "template_path" and outputs it to "outfile"''')
 def generate_provisioning_data_c(outfile, bl2_rot_priv_key_0,
-                                 bl2_rot_priv_key_1,
+                                 bl2_rot_priv_key_1, bl2_mcuboot_hw_key,
                                  template_path, bl2_rot_priv_key_2,
                                  bl2_rot_priv_key_3,
                                  secure_debug_pk, huk, iak, boot_seed,
@@ -72,19 +82,23 @@
 
     bl2_rot_pub_key_0_hash = ""
     if bool(bl2_rot_priv_key_0) is True:
-        bl2_rot_pub_key_0_hash = get_key_hash_c_array(bl2_rot_priv_key_0)
+        bl2_rot_pub_key_0_hash = get_key_hash_c_array(
+            bl2_rot_priv_key_0, bl2_mcuboot_hw_key)
 
     bl2_rot_pub_key_1_hash = ""
     if bool(bl2_rot_priv_key_1) is True:
-        bl2_rot_pub_key_1_hash = get_key_hash_c_array(bl2_rot_priv_key_1)
+        bl2_rot_pub_key_1_hash = get_key_hash_c_array(
+            bl2_rot_priv_key_1, bl2_mcuboot_hw_key)
 
     bl2_rot_pub_key_2_hash = ""
     if bool(bl2_rot_priv_key_2) is True:
-        bl2_rot_pub_key_2_hash = get_key_hash_c_array(bl2_rot_priv_key_2)
+        bl2_rot_pub_key_2_hash = get_key_hash_c_array(
+            bl2_rot_priv_key_2, bl2_mcuboot_hw_key)
 
     bl2_rot_pub_key_3_hash = ""
     if bool(bl2_rot_priv_key_3) is True:
-        bl2_rot_pub_key_3_hash = get_key_hash_c_array(bl2_rot_priv_key_3)
+        bl2_rot_pub_key_3_hash = get_key_hash_c_array(
+            bl2_rot_priv_key_3, bl2_mcuboot_hw_key)
 
     if bool(huk) is False:
         huk = hex_to_c_array(os.urandom(32))
diff --git a/platform/ext/target/arm/mps3/common/provisioning/provisioning_bundle.h b/platform/ext/common/provisioning_bundle/provisioning_bundle.h
similarity index 72%
rename from platform/ext/target/arm/mps3/common/provisioning/provisioning_bundle.h
rename to platform/ext/common/provisioning_bundle/provisioning_bundle.h
index 4a7edb1..c6e55c1 100644
--- a/platform/ext/target/arm/mps3/common/provisioning/provisioning_bundle.h
+++ b/platform/ext/common/provisioning_bundle/provisioning_bundle.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023, Arm Limited. All rights reserved.
+ * Copyright (c) 2023-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -18,6 +18,20 @@
 
 #define BUNDLE_MAGIC 0xC0DEFEED
 
+#ifdef MCUBOOT_SIGN_EC384
+#define PUB_KEY_HASH_SIZE (48)
+#define PUB_KEY_SIZE      (100) /* Size must be aligned to 4 Bytes */
+#else
+#define PUB_KEY_HASH_SIZE (32)
+#define PUB_KEY_SIZE      (68)  /* Size must be aligned to 4 Bytes */
+#endif /* MCUBOOT_SIGN_EC384 */
+
+#ifdef MCUBOOT_BUILTIN_KEY
+#define PROV_ROTPK_DATA_SIZE    PUB_KEY_SIZE
+#else
+#define PROV_ROTPK_DATA_SIZE    PUB_KEY_HASH_SIZE
+#endif /* MCUBOOT_BUILTIN_KEY */
+
 __PACKED_STRUCT tfm_assembly_and_test_provisioning_data_t {
     uint8_t huk[32];
 };
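Review bot: `PROV_ROTPK_DATA_SIZE` is selected by `MCUBOOT_BUILTIN_KEY`, but the generator script changed in this commit chooses between hash and raw key from `--bl2_mcuboot_hw_key`. Nothing visible ties the two switches together, so a configuration where they disagree would put a raw key initialiser into a hash-sized array or the reverse. A comment here should state which build options must agree. The origin of 68 and 100 should also be documented, presumably the 65- and 97-byte uncompressed points rounded up to 4 bytes. A `_Static_assert((PROV_ROTPK_DATA_SIZE % 4) == 0, "ROTPK field must be 4-byte aligned");` would enforce the alignment that the existing comment only asks for.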
@@ -40,13 +54,13 @@
 };
 
 __PACKED_STRUCT bl2_assembly_and_test_provisioning_data_t {
-    uint8_t bl2_rotpk_0[32];
-    uint8_t bl2_rotpk_1[32];
+    uint8_t bl2_rotpk_0[PROV_ROTPK_DATA_SIZE];
+    uint8_t bl2_rotpk_1[PROV_ROTPK_DATA_SIZE];
 #if (MCUBOOT_IMAGE_NUMBER > 2)
-    uint8_t bl2_rotpk_2[32];
+    uint8_t bl2_rotpk_2[PROV_ROTPK_DATA_SIZE];
 #endif
 #if (MCUBOOT_IMAGE_NUMBER > 3)
-    uint8_t bl2_rotpk_3[32];
+    uint8_t bl2_rotpk_3[PROV_ROTPK_DATA_SIZE];
 #endif
 
 #ifdef PLATFORM_PSA_ADAC_SECURE_DEBUG
@@ -63,7 +77,7 @@
 struct __attribute__((__packed__)) provisioning_bundle {
     /* This section is authenticated */
     uint32_t magic;
-    /* This section is encrypted */
+
     uint8_t code[PROVISIONING_BUNDLE_CODE_SIZE];
     union __attribute__((__packed__)) {
         const struct provisioning_data_t values;
diff --git a/platform/ext/target/arm/mps3/common/provisioning/provisioning_bundle.icf b/platform/ext/common/provisioning_bundle/provisioning_bundle.icf
similarity index 100%
rename from platform/ext/target/arm/mps3/common/provisioning/provisioning_bundle.icf
rename to platform/ext/common/provisioning_bundle/provisioning_bundle.icf
diff --git a/platform/ext/target/arm/mps3/common/provisioning/provisioning_bundle.ld b/platform/ext/common/provisioning_bundle/provisioning_bundle.ld
similarity index 100%
rename from platform/ext/target/arm/mps3/common/provisioning/provisioning_bundle.ld
rename to platform/ext/common/provisioning_bundle/provisioning_bundle.ld
diff --git a/platform/ext/target/arm/mps3/common/provisioning/provisioning_bundle.sct b/platform/ext/common/provisioning_bundle/provisioning_bundle.sct
similarity index 100%
rename from platform/ext/target/arm/mps3/common/provisioning/provisioning_bundle.sct
rename to platform/ext/common/provisioning_bundle/provisioning_bundle.sct
diff --git a/platform/ext/target/arm/mps3/common/provisioning/provisioning_code.c b/platform/ext/common/provisioning_bundle/provisioning_code.c
similarity index 100%
rename from platform/ext/target/arm/mps3/common/provisioning/provisioning_code.c
rename to platform/ext/common/provisioning_bundle/provisioning_code.c
diff --git a/platform/ext/target/arm/mps3/common/provisioning/provisioning_config.cmake b/platform/ext/common/provisioning_bundle/provisioning_config.cmake
similarity index 100%
rename from platform/ext/target/arm/mps3/common/provisioning/provisioning_config.cmake
rename to platform/ext/common/provisioning_bundle/provisioning_config.cmake
diff --git a/platform/ext/target/arm/mps3/common/provisioning/provisioning_data_template.jinja2 b/platform/ext/common/provisioning_bundle/provisioning_data_template.jinja2
similarity index 100%
rename from platform/ext/target/arm/mps3/common/provisioning/provisioning_data_template.jinja2
rename to platform/ext/common/provisioning_bundle/provisioning_data_template.jinja2
diff --git a/platform/ext/target/arm/mps3/common/provisioning/runtime_stub_provisioning.c b/platform/ext/common/provisioning_bundle/runtime_stub_provisioning.c
similarity index 100%
rename from platform/ext/target/arm/mps3/common/provisioning/runtime_stub_provisioning.c
rename to platform/ext/common/provisioning_bundle/runtime_stub_provisioning.c
diff --git a/platform/ext/common/template/tfm_hal_its_encryption.c b/platform/ext/common/template/tfm_hal_its_encryption.c
new file mode 100644
index 0000000..a7a8f68
--- /dev/null
+++ b/platform/ext/common/template/tfm_hal_its_encryption.c
@@ -0,0 +1,274 @@
+/*
+ * Copyright (c) 2023 Nordic Semiconductor ASA.
+ * Copyright (c) 2024, Arm Limited. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * Derived from platform/ext/target/nordic_nrf/common/core/tfm_hal_its_encryption.c
+ */
+
+#include <stdint.h>
+#include <string.h>
+
+
+#include "config_tfm.h"
+#include "platform/include/tfm_hal_its_encryption.h"
+#include "platform/include/tfm_hal_its.h"
+#include "platform/include/tfm_platform_system.h"
+
+#include "tfm_plat_crypto_keys.h"
+#include "crypto_keys/tfm_builtin_key_ids.h"
+#include "tfm_plat_otp.h"
+#include "psa_manifest/pid.h"
+#include "tfm_builtin_key_loader.h"
+
+
+#ifndef ITS_CRYPTO_AEAD_ALG
+#define ITS_CRYPTO_AEAD_ALG PSA_ALG_GCM
+#endif
+
+/* The PSA key type used by this implementation */
+#define ITS_KEY_TYPE PSA_KEY_TYPE_AES
+/* The PSA key usage required by this implementation */
+#define ITS_KEY_USAGE (PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT)
+
+/* The PSA algorithm used by this implementation */
+#define ITS_CRYPTO_ALG \
+    PSA_ALG_AEAD_WITH_SHORTENED_TAG(ITS_CRYPTO_AEAD_ALG, TFM_ITS_AUTH_TAG_LENGTH)
+
+static uint32_t g_enc_counter;
+static uint8_t g_enc_nonce_seed[TFM_ITS_ENC_NONCE_LENGTH -
+                                sizeof(g_enc_counter)];
+
+#if TFM_ITS_ENC_NONCE_LENGTH != 12
+#error "This implementation only supports a ITS nonce of size 12"
+#endif
+
+/* Copy PS solution */
+static psa_status_t its_crypto_setkey(psa_key_handle_t *its_key,
+                                      const uint8_t *key_label,
+                                      size_t key_label_len)
+{
+    psa_status_t status;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_key_derivation_operation_t op = PSA_KEY_DERIVATION_OPERATION_INIT;
+    psa_key_handle_t seed_key = mbedtls_svc_key_id_make(TFM_SP_ITS, TFM_BUILTIN_KEY_ID_HUK);
+
+    if (key_label_len == 0 || key_label == NULL) {
+        return PSA_ERROR_INVALID_ARGUMENT;
+    }
+
+    /* Set the key attributes for the storage key */
+    psa_set_key_usage_flags(&attributes, ITS_KEY_USAGE);
+    psa_set_key_algorithm(&attributes, ITS_CRYPTO_ALG);
+    psa_set_key_type(&attributes, ITS_KEY_TYPE);
+    psa_set_key_bits(&attributes, PSA_BYTES_TO_BITS(TFM_ITS_KEY_LENGTH));
+
+    status = psa_key_derivation_setup(&op, PSA_ALG_HKDF(PSA_ALG_SHA_256));
+    if (status != PSA_SUCCESS) {
+        return status;
+    }
+
+    /* Set up a key derivation operation with HUK  */
+    status = psa_key_derivation_input_key(&op, PSA_KEY_DERIVATION_INPUT_SECRET,
+                                          seed_key);
+    if (status != PSA_SUCCESS) {
+        goto err_release_op;
+    }
+
+    /* Supply the ITS key label as an input to the key derivation */
+    status = psa_key_derivation_input_bytes(&op, PSA_KEY_DERIVATION_INPUT_INFO,
+                                            key_label,
+                                            key_label_len);
+    if (status != PSA_SUCCESS) {
+        goto err_release_op;
+    }
+
+    /* Create the storage key from the key derivation operation */
+    status = psa_key_derivation_output_key(&attributes, &op, its_key);
+    if (status != PSA_SUCCESS) {
+        goto err_release_op;
+    }
+
+    /* Free resources associated with the key derivation operation */
+    status = psa_key_derivation_abort(&op);
+    if (status != PSA_SUCCESS) {
+        goto err_release_key;
+    }
+
+    return PSA_SUCCESS;
+
+err_release_key:
+    (void)psa_destroy_key(*its_key);
+
+err_release_op:
+    (void)psa_key_derivation_abort(&op);
+
+    return PSA_ERROR_GENERIC_ERROR;
+}
+
+enum tfm_hal_status_t tfm_hal_its_aead_generate_nonce(uint8_t *nonce,
+                                                      const size_t nonce_size)
+{
+    psa_status_t status = PSA_ERROR_GENERIC_ERROR;
+    size_t output_length;
+
+    if (nonce == NULL){
+        return TFM_HAL_ERROR_INVALID_INPUT;
+    }
+
+    if (g_enc_counter ==  UINT32_MAX) {
+        return TFM_HAL_ERROR_GENERIC;
+    }
+
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+    if (g_enc_counter == 0) {
+        status = mbedtls_psa_external_get_random(NULL, &g_enc_nonce_seed[0],
+                                                 sizeof(g_enc_nonce_seed),
+                                                 &output_length);
+        if ((status != PSA_SUCCESS) || (sizeof(g_enc_nonce_seed) != output_length)) {
+            return TFM_HAL_ERROR_GENERIC;
+        }
+    }
+#else
+    return TFM_HAL_ERROR_NOT_SUPPORTED;
+#endif
+
+    memcpy(nonce, g_enc_nonce_seed, sizeof(g_enc_nonce_seed));
+    memcpy(nonce + sizeof(g_enc_nonce_seed),
+               &g_enc_counter,
+               sizeof(g_enc_counter));
+
+    g_enc_counter++;
+
+    return TFM_HAL_SUCCESS;
+}
+
+static bool ctx_is_valid(struct tfm_hal_its_auth_crypt_ctx *ctx)
+{
+    bool ret;
+
+    if (ctx == NULL) {
+        return false;
+    }
+
+    ret = (ctx->deriv_label == NULL && ctx->deriv_label_size != 0) ||
+          (ctx->aad == NULL && ctx->aad_size != 0) ||
+          (ctx->nonce == NULL && ctx->nonce_size != 0);
+
+    return !ret;
+}
+
+enum tfm_hal_status_t tfm_hal_its_aead_encrypt(
+                                        struct tfm_hal_its_auth_crypt_ctx *ctx,
+                                        const uint8_t *plaintext,
+                                        const size_t plaintext_size,
+                                        uint8_t *ciphertext,
+                                        const size_t ciphertext_size,
+                                        uint8_t *tag,
+                                        const size_t tag_size)
+{
+
+    psa_status_t status;
+    psa_key_handle_t its_key = PSA_KEY_HANDLE_INIT;
+    size_t ciphertext_length;
+
+    if (!ctx_is_valid(ctx) || tag == NULL) {
+        return TFM_HAL_ERROR_INVALID_INPUT;
+    }
+
+    if (plaintext_size > ciphertext_size) {
+        return TFM_HAL_ERROR_INVALID_INPUT;
+    }
+
+    status = its_crypto_setkey(&its_key, ctx->deriv_label, ctx->deriv_label_size);
+    if (status != PSA_SUCCESS) {
+        return TFM_HAL_ERROR_GENERIC;
+    }
+
+    status = psa_aead_encrypt(its_key, ITS_CRYPTO_ALG,
+                              ctx->nonce, ctx->nonce_size,
+                              ctx->aad, ctx->aad_size,
+                              plaintext, plaintext_size,
+                              ciphertext, ciphertext_size,
+                              &ciphertext_length);
+    if (status != PSA_SUCCESS) {
+        (void)psa_destroy_key(its_key);
+        return TFM_HAL_ERROR_GENERIC;
+    }
+
+    /* Copy the tag out of the output buffer */
+    ciphertext_length -= TFM_ITS_AUTH_TAG_LENGTH;
+    (void)memcpy(tag, (ciphertext + ciphertext_length), tag_size);
+
+    /* Destroy the transient key */
+    status = psa_destroy_key(its_key);
+    if (status != PSA_SUCCESS) {
+        return PSA_ERROR_GENERIC_ERROR;
+    }
+
+    return TFM_HAL_SUCCESS;
+}
+
+enum tfm_hal_status_t tfm_hal_its_aead_decrypt(
+                                        struct tfm_hal_its_auth_crypt_ctx *ctx,
+                                        const uint8_t *ciphertext,
+                                        const size_t ciphertext_size,
+                                        uint8_t *tag,
+                                        const size_t tag_size,
+                                        uint8_t *plaintext,
+                                        const size_t plaintext_size)
+{
+    psa_status_t status;
+    psa_key_handle_t its_key = PSA_KEY_HANDLE_INIT;
+    size_t ciphertext_and_tag_size, out_len;
+
+    if (!ctx_is_valid(ctx) || tag == NULL) {
+        return TFM_HAL_ERROR_INVALID_INPUT;
+    }
+
+    if (plaintext_size < ciphertext_size) {
+        return TFM_HAL_ERROR_INVALID_INPUT;
+    }
+
+    /* Copy the tag into the input buffer */
+    (void)memcpy((ciphertext + ciphertext_size), tag, TFM_ITS_AUTH_TAG_LENGTH);
+    ciphertext_and_tag_size = ciphertext_size + TFM_ITS_AUTH_TAG_LENGTH;
+
+    status = its_crypto_setkey(&its_key, ctx->deriv_label, ctx->deriv_label_size);
+    if (status != PSA_SUCCESS) {
+        return TFM_HAL_ERROR_GENERIC;
+    }
+
+    status = psa_aead_decrypt(its_key, ITS_CRYPTO_ALG,
+                              ctx->nonce, ctx->nonce_size,
+                              ctx->aad, ctx->aad_size,
+                              ciphertext, ciphertext_and_tag_size,
+                              plaintext, plaintext_size,
+                              &out_len);
+    if (status != PSA_SUCCESS) {
+        (void)psa_destroy_key(its_key);
+        return TFM_HAL_ERROR_GENERIC;
+    }
+
+    /* Destroy the transient key */
+    status = psa_destroy_key(its_key);
+    if (status != PSA_SUCCESS) {
+        return PSA_ERROR_GENERIC_ERROR;
+    }
+
+    return TFM_HAL_SUCCESS;
+}
+
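Review bot: `tag_size` is never compared with `TFM_ITS_AUTH_TAG_LENGTH` in either AEAD function: `tfm_hal_its_aead_encrypt` copies `tag_size` bytes out of `ciphertext + ciphertext_length`, while `tfm_hal_its_aead_decrypt` copies `TFM_ITS_AUTH_TAG_LENGTH` bytes out of `tag` whatever `tag_size` says, so a mismatched caller causes an out-of-bounds read. The decrypt path also writes the tag to `ciphertext + ciphertext_size` through a `const uint8_t *`, which assumes spare room behind the caller's buffer; the HAL header is not part of this diff, so that contract should be stated in a comment or the tag staged in a local buffer. Both functions end with `return PSA_ERROR_GENERIC_ERROR;` although they return `enum tfm_hal_status_t`. The guard and the corrected return are sketched below and apply to both functions.

```c
    if (!ctx_is_valid(ctx) || tag == NULL) {
        return TFM_HAL_ERROR_INVALID_INPUT;
    }

    /* Exactly one AEAD tag is moved in or out, so reject any other size */
    if (tag_size != TFM_ITS_AUTH_TAG_LENGTH) {
        return TFM_HAL_ERROR_INVALID_INPUT;
    }

    /* … unchanged: buffer size check, key derivation, AEAD call, tag copy … */

    /* Destroy the transient key */
    status = psa_destroy_key(its_key);
    if (status != PSA_SUCCESS) {
        /* Stay within enum tfm_hal_status_t; a psa_status_t is not a HAL status */
        return TFM_HAL_ERROR_GENERIC;
    }
```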
diff --git a/platform/ext/target/arm/corstone1000/config_tfm_target.h b/platform/ext/target/arm/corstone1000/config_tfm_target.h
index 2c7341a..bcd6de6 100644
--- a/platform/ext/target/arm/corstone1000/config_tfm_target.h
+++ b/platform/ext/target/arm/corstone1000/config_tfm_target.h
@@ -11,6 +11,9 @@
 /* Use stored NV seed to provide entropy */
 #define CRYPTO_NV_SEED                         0
 
+/* Use external RNG to provide entropy */
+#define CRYPTO_EXT_RNG                         1
+
 /* Size of output buffer in platform service. */
 #define PLATFORM_SERVICE_OUTPUT_BUFFER_SIZE    256
 
diff --git a/platform/ext/target/arm/mps3/an524/CMakeLists.txt b/platform/ext/target/arm/mps3/an524/CMakeLists.txt
index 9e0f1ba..dc47bd7 100644
--- a/platform/ext/target/arm/mps3/an524/CMakeLists.txt
+++ b/platform/ext/target/arm/mps3/an524/CMakeLists.txt
@@ -138,10 +138,11 @@
         PROVISIONING_CODE_PADDED_SIZE=${PROVISIONING_CODE_PADDED_SIZE}
         PROVISIONING_VALUES_PADDED_SIZE=${PROVISIONING_VALUES_PADDED_SIZE}
         PROVISIONING_DATA_PADDED_SIZE=${PROVISIONING_DATA_PADDED_SIZE}
+        $<$<BOOL:${MCUBOOT_BUILTIN_KEY}>:MCUBOOT_BUILTIN_KEY>
 )
 
 if(NOT PLATFORM_DEFAULT_PROVISIONING)
-    add_subdirectory(${PLATFORM_DIR}/ext/target/arm/mps3/common/provisioning provisioning)
+    add_subdirectory(${PLATFORM_DIR}/ext/common/provisioning_bundle provisioning)
 endif()
 
 #========================= Files for building NS side platform ================#
diff --git a/platform/ext/target/arm/mps3/corstone300/common/common.cmake b/platform/ext/target/arm/mps3/corstone300/common/common.cmake
index 0ea802d..27162a1 100644
--- a/platform/ext/target/arm/mps3/corstone300/common/common.cmake
+++ b/platform/ext/target/arm/mps3/corstone300/common/common.cmake
@@ -236,10 +236,11 @@
         PROVISIONING_CODE_PADDED_SIZE=${PROVISIONING_CODE_PADDED_SIZE}
         PROVISIONING_VALUES_PADDED_SIZE=${PROVISIONING_VALUES_PADDED_SIZE}
         PROVISIONING_DATA_PADDED_SIZE=${PROVISIONING_DATA_PADDED_SIZE}
+        $<$<BOOL:${MCUBOOT_BUILTIN_KEY}>:MCUBOOT_BUILTIN_KEY>
 )
 
 if(NOT PLATFORM_DEFAULT_PROVISIONING)
-add_subdirectory(${PLATFORM_DIR}/ext/target/arm/mps3/common/provisioning provisioning)
+    add_subdirectory(${PLATFORM_DIR}/ext/common/provisioning_bundle provisioning)
 endif()
 
 #========================= Files for building NS side platform ================#
diff --git a/platform/ext/target/arm/mps3/corstone310/common/common.cmake b/platform/ext/target/arm/mps3/corstone310/common/common.cmake
index 6dc9dfb..05a8931 100644
--- a/platform/ext/target/arm/mps3/corstone310/common/common.cmake
+++ b/platform/ext/target/arm/mps3/corstone310/common/common.cmake
@@ -236,10 +236,11 @@
         PROVISIONING_CODE_PADDED_SIZE=${PROVISIONING_CODE_PADDED_SIZE}
         PROVISIONING_VALUES_PADDED_SIZE=${PROVISIONING_VALUES_PADDED_SIZE}
         PROVISIONING_DATA_PADDED_SIZE=${PROVISIONING_DATA_PADDED_SIZE}
+        $<$<BOOL:${MCUBOOT_BUILTIN_KEY}>:MCUBOOT_BUILTIN_KEY>
 )
 
 if(NOT PLATFORM_DEFAULT_PROVISIONING)
-add_subdirectory(${PLATFORM_DIR}/ext/target/arm/mps3/common/provisioning provisioning)
+    add_subdirectory(${PLATFORM_DIR}/ext/common/provisioning_bundle provisioning)
 endif()
 
 #========================= Files for building NS side platform ================#
diff --git a/platform/ext/target/arm/musca_b1/config_tfm_target.h b/platform/ext/target/arm/musca_b1/config_tfm_target.h
index 599db96..f34850c 100644
--- a/platform/ext/target/arm/musca_b1/config_tfm_target.h
+++ b/platform/ext/target/arm/musca_b1/config_tfm_target.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -11,4 +11,7 @@
 /* Use stored NV seed to provide entropy */
 #define CRYPTO_NV_SEED                         0
 
+/* Use external RNG to provide entropy */
+#define CRYPTO_EXT_RNG                         1
+
 #endif /* __CONFIG_TFM_TARGET_H__ */
diff --git a/platform/ext/target/arm/musca_s1/config_tfm_target.h b/platform/ext/target/arm/musca_s1/config_tfm_target.h
index 0d91448..d96a051 100644
--- a/platform/ext/target/arm/musca_s1/config_tfm_target.h
+++ b/platform/ext/target/arm/musca_s1/config_tfm_target.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022-2023, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -11,6 +11,9 @@
 /* Use stored NV seed to provide entropy */
 #define CRYPTO_NV_SEED                         0
 
+/* Use external RNG to provide entropy */
+#define CRYPTO_EXT_RNG                         1
+
 #ifdef PSA_API_TEST_CRYPTO
 #define CRYPTO_STACK_SIZE                      0x2500
 #endif
diff --git a/platform/ext/target/arm/rse/common/libraries/sds.c b/platform/ext/target/arm/rse/common/libraries/sds.c
index 9e73304..f6acf86 100644
--- a/platform/ext/target/arm/rse/common/libraries/sds.c
+++ b/platform/ext/target/arm/rse/common/libraries/sds.c
@@ -14,6 +14,7 @@
 #include "sds.h"
 #include "tfm_plat_defs.h"
 #include "utilities.h"
+#include "private/assert.h" /* temporarily included - to be removed */
 
 /*!
  * \brief Aligns a value to the next multiple.
diff --git a/platform/ext/target/arm/rse/kronos/config_tfm_target.h b/platform/ext/target/arm/rse/kronos/config_tfm_target.h
index 197cad2..5ce14fa 100644
--- a/platform/ext/target/arm/rse/kronos/config_tfm_target.h
+++ b/platform/ext/target/arm/rse/kronos/config_tfm_target.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022-2023, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -12,6 +12,9 @@
 #undef CRYPTO_NV_SEED
 #define CRYPTO_NV_SEED                         0
 
+/* Use external RNG to provide entropy */
+#define CRYPTO_EXT_RNG                         1
+
 #define NS_AGENT_MAILBOX_STACK_SIZE            0xC00
 
 /* Run the scheduler after handling a secure interrupt if the NSPE was pre-empted */
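Review bot: `CRYPTO_EXT_RNG` is defined here without the `#undef` that the neighbouring `CRYPTO_NV_SEED` gets just above it. If that `#undef` exists because an earlier header may already have defined the macro (the include order is not visible in this hunk), the same can happen to `CRYPTO_EXT_RNG`, and a differing earlier value would produce a redefinition diagnostic. Adding `#undef CRYPTO_EXT_RNG` before the define keeps the two entropy switches consistent. The stm32h573i_dk hunk has the same pattern.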
diff --git a/platform/ext/target/arm/rse/rdfremont/config_tfm_target.h b/platform/ext/target/arm/rse/rdfremont/config_tfm_target.h
index 60a4580..f998c28 100644
--- a/platform/ext/target/arm/rse/rdfremont/config_tfm_target.h
+++ b/platform/ext/target/arm/rse/rdfremont/config_tfm_target.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023, Arm Limited. All rights reserved.
+ * Copyright (c) 2023-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -11,6 +11,9 @@
 /* Use stored NV seed to provide entropy */
 #define CRYPTO_NV_SEED                         0
 
+/* Use external RNG to provide entropy */
+#define CRYPTO_EXT_RNG                         1
+
 /* Set the initial attestation token profile */
 #undef ATTEST_TOKEN_PROFILE_PSA_IOT_1
 #undef ATTEST_TOKEN_PROFILE_PSA_2_0_0
diff --git a/platform/ext/target/arm/rse/tc/config_tfm_target.h b/platform/ext/target/arm/rse/tc/config_tfm_target.h
index c436529..62457fb 100644
--- a/platform/ext/target/arm/rse/tc/config_tfm_target.h
+++ b/platform/ext/target/arm/rse/tc/config_tfm_target.h
@@ -11,6 +11,9 @@
 /* Use stored NV seed to provide entropy */
 #define CRYPTO_NV_SEED                         0
 
+/* Use external RNG to provide entropy */
+#define CRYPTO_EXT_RNG                         1
+
 /* Set the initial attestation token profile */
 #undef ATTEST_TOKEN_PROFILE_PSA_IOT_1
 #undef ATTEST_TOKEN_PROFILE_PSA_2_0_0
diff --git a/platform/ext/target/nordic_nrf/common/core/common/nrfx_glue.h b/platform/ext/target/nordic_nrf/common/core/common/nrfx_glue.h
index 7cbe5a5..fbf11f9 100644
--- a/platform/ext/target/nordic_nrf/common/core/common/nrfx_glue.h
+++ b/platform/ext/target/nordic_nrf/common/core/common/nrfx_glue.h
@@ -32,7 +32,13 @@
 #ifndef NRFX_GLUE_H__
 #define NRFX_GLUE_H__
 
+/* Include the spm utilities for the SPM_ASSERT symbol */
+#if defined(DOMAIN_NS) && (DOMAIN_NS == 1)
+#include <assert.h>
+#else
 #include <utilities.h>
+#include "private/assert.h" /* temporarily included - to be removed */
+#endif
 
 #include <soc/nrfx_coredep.h>
 
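Review bot: The new comment `/* Include the spm utilities for the SPM_ASSERT symbol */` sits above the `DOMAIN_NS` branch, which includes `<assert.h>` rather than the SPM headers, so it describes only the `#else` branch. Moving it inside the `#else` and adding `/* NS build: use the C library assert */` in the first branch would match what each branch does. The "temporarily included - to be removed" remark on `private/assert.h` would also be more useful if it named the condition for removal.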
@@ -59,8 +65,12 @@
 #if defined(NDEBUG)
 #define NRFX_ASSERT(expression)  if (0 && (expression)) {}
 #else
+#if defined(DOMAIN_NS) && (DOMAIN_NS == 1)
+#define NRFX_ASSERT(expression)  assert(expression)
+#else
 #define NRFX_ASSERT(expression)  SPM_ASSERT(expression)
 #endif
+#endif
 
 /**
  * @brief Macro for placing a compile time assertion.
diff --git a/platform/ext/target/nordic_nrf/common/core/tfm_hal_its_encryption.c b/platform/ext/target/nordic_nrf/common/core/tfm_hal_its_encryption.c
index 6e2b097..5ac449c 100644
--- a/platform/ext/target/nordic_nrf/common/core/tfm_hal_its_encryption.c
+++ b/platform/ext/target/nordic_nrf/common/core/tfm_hal_its_encryption.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2023 Nordic Semiconductor ASA.
+ * Copyright (c) 2024, Arm Limited. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -112,7 +113,7 @@
     }
 
     ret = (ctx->deriv_label == NULL && ctx->deriv_label_size != 0) ||
-          (ctx->aad == NULL && ctx->add_size != 0) ||
+          (ctx->aad == NULL && ctx->aad_size != 0) ||
           (ctx->nonce == NULL && ctx->nonce_size != 0);
 
     return !ret;
@@ -153,7 +154,7 @@
                                                        ctx->nonce,
                                                        ctx->nonce_size,
                                                        ctx->aad,
-                                                       ctx->add_size,
+                                                       ctx->aad_size,
                                                        tag,
                                                        tag_size);
     if (err != NRF_CC3XX_PLATFORM_SUCCESS) {
diff --git a/platform/ext/target/nxp/lpcxpresso55s69/config_tfm_target.h b/platform/ext/target/nxp/lpcxpresso55s69/config_tfm_target.h
index c2c2630..6381736 100644
--- a/platform/ext/target/nxp/lpcxpresso55s69/config_tfm_target.h
+++ b/platform/ext/target/nxp/lpcxpresso55s69/config_tfm_target.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
  * Copyright 2022 NXP. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
@@ -12,6 +12,7 @@
 /* Using of stored NV seed to provide entropy is disabled, when CRYPTO_HW_ACCELERATOR is defined.  */
 #ifdef CRYPTO_HW_ACCELERATOR
 #define CRYPTO_NV_SEED       0
+#define CRYPTO_EXT_RNG       1
 #endif
 
 /* The maximum asset size to be stored in the Protected Storage area. */
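Review bot: The comment above the `#ifdef CRYPTO_HW_ACCELERATOR` block still describes only the NV seed, while the block now also enables `CRYPTO_EXT_RNG`. Without `CRYPTO_HW_ACCELERATOR` this file sets neither macro, so the entropy source presumably comes from defaults defined elsewhere. A comment such as `/* With CRYPTO_HW_ACCELERATOR the NV seed is disabled and the external RNG provides entropy. */` would make the pairing explicit.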
diff --git a/platform/ext/target/nxp/lpcxpresso55s69/target_cfg.c b/platform/ext/target/nxp/lpcxpresso55s69/target_cfg.c
index 9bb2f31..8aefc34 100644
--- a/platform/ext/target/nxp/lpcxpresso55s69/target_cfg.c
+++ b/platform/ext/target/nxp/lpcxpresso55s69/target_cfg.c
@@ -22,6 +22,7 @@
 #include "region_defs.h"
 #include "tfm_plat_defs.h"
 #include "utilities.h"
+#include "private/assert.h" /* temporarily included - to be removed */
 #include "tfm_spm_log.h"
 
 extern const struct memory_region_limits memory_regions;
diff --git a/platform/ext/target/stm/b_u585i_iot02a/config_tfm_target.h b/platform/ext/target/stm/b_u585i_iot02a/config_tfm_target.h
index 6656537..6a5535c 100644
--- a/platform/ext/target/stm/b_u585i_iot02a/config_tfm_target.h
+++ b/platform/ext/target/stm/b_u585i_iot02a/config_tfm_target.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -11,6 +11,9 @@
 /* Use stored NV seed to provide entropy */
 #define CRYPTO_NV_SEED                         0
 
+/* Use external RNG to provide entropy */
+#define CRYPTO_EXT_RNG                         1
+
 #define ITS_NUM_ASSETS                         32
 
 #endif /* __CONFIG_TFM_TARGET_H__ */
diff --git a/platform/ext/target/stm/nucleo_l552ze_q/config_tfm_target.h b/platform/ext/target/stm/nucleo_l552ze_q/config_tfm_target.h
index 599db96..f34850c 100644
--- a/platform/ext/target/stm/nucleo_l552ze_q/config_tfm_target.h
+++ b/platform/ext/target/stm/nucleo_l552ze_q/config_tfm_target.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -11,4 +11,7 @@
 /* Use stored NV seed to provide entropy */
 #define CRYPTO_NV_SEED                         0
 
+/* Use external RNG to provide entropy */
+#define CRYPTO_EXT_RNG                         1
+
 #endif /* __CONFIG_TFM_TARGET_H__ */
diff --git a/platform/ext/target/stm/stm32h573i_dk/config_tfm_target.h b/platform/ext/target/stm/stm32h573i_dk/config_tfm_target.h
index f90984a..3ce4d7d 100644
--- a/platform/ext/target/stm/stm32h573i_dk/config_tfm_target.h
+++ b/platform/ext/target/stm/stm32h573i_dk/config_tfm_target.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -12,4 +12,7 @@
 #undef CRYPTO_NV_SEED
 #define CRYPTO_NV_SEED                         0
 
+/* Use external RNG to provide entropy */
+#define CRYPTO_EXT_RNG                         1
+
 #endif /* __CONFIG_TFM_TARGET_H__ */
diff --git a/platform/ext/target/stm/stm32l562e_dk/config_tfm_target.h b/platform/ext/target/stm/stm32l562e_dk/config_tfm_target.h
index 599db96..f34850c 100644
--- a/platform/ext/target/stm/stm32l562e_dk/config_tfm_target.h
+++ b/platform/ext/target/stm/stm32l562e_dk/config_tfm_target.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -11,4 +11,7 @@
 /* Use stored NV seed to provide entropy */
 #define CRYPTO_NV_SEED                         0
 
+/* Use external RNG to provide entropy */
+#define CRYPTO_EXT_RNG                         1
+
 #endif /* __CONFIG_TFM_TARGET_H__ */
diff --git a/platform/include/tfm_hal_its_encryption.h b/platform/include/tfm_hal_its_encryption.h
index 0229382..4522e63 100644
--- a/platform/include/tfm_hal_its_encryption.h
+++ b/platform/include/tfm_hal_its_encryption.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (c) 2020, Cypress Semiconductor Corporation. All rights reserved.
- * Copyright (c) 2020-2021, Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -25,7 +25,7 @@
     uint8_t *deriv_label;    /* The derivation label for AEAD */
     size_t deriv_label_size; /* Size of the deriv_label in bytes */
     uint8_t *aad;            /* The additional authenticated data for AEAD */
-    size_t add_size;         /* Size of the add in bytes */
+    size_t aad_size;         /* Size of the aad in bytes */
     uint8_t *nonce;          /* The nonce for AEAD */
     size_t nonce_size;       /* Size of the nonce in bytes */
 };
diff --git a/secure_fw/partitions/crypto/config_crypto_check.h b/secure_fw/partitions/crypto/config_crypto_check.h
index 9dbcd34..61faadf 100644
--- a/secure_fw/partitions/crypto/config_crypto_check.h
+++ b/secure_fw/partitions/crypto/config_crypto_check.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -11,12 +11,12 @@
 #include "config_tfm.h"
 
 /* Check invalid configs. */
-#if CRYPTO_NV_SEED && defined(CRYPTO_HW_ACCELERATOR)
-#error "Invalid config: CRYPTO_NV_SEED AND CRYPTO_HW_ACCELERATOR!"
+#if CRYPTO_NV_SEED && CRYPTO_EXT_RNG
+#error "Invalid config: CRYPTO_NV_SEED AND CRYPTO_EXT_RNG!"
 #endif
 
-#if (!CRYPTO_NV_SEED) && (!defined(CRYPTO_HW_ACCELERATOR))
-#error "Invalid config: NOT CRYPTO_NV_SEED AND NOT CRYPTO_HW_ACCELERATOR!"
+#if (!CRYPTO_NV_SEED) && (!CRYPTO_EXT_RNG)
+#error "Invalid config: NOT CRYPTO_NV_SEED AND NOT CRYPTO_EXT_RNG!"
 #endif
 
 #endif /* __CONFIG_PARTITION_CRYPTO_H__ */
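Review bot: Both checks now test the value of `CRYPTO_EXT_RNG`, and in `#if` an undefined identifier evaluates to 0, so a configuration that never defines the macro is silently read as "no external RNG" instead of being reported as incomplete. A preceding `#if !defined(CRYPTO_EXT_RNG)` with its own `#error` would separate a missing setting from a conflicting one. The intent would also be clearer if `/* Check invalid configs. */` read `/* Exactly one entropy source must be enabled: CRYPTO_NV_SEED or CRYPTO_EXT_RNG. */`.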
diff --git a/secure_fw/partitions/internal_trusted_storage/flash_fs/its_flash_fs.h b/secure_fw/partitions/internal_trusted_storage/flash_fs/its_flash_fs.h
index 281d48e..4132d2b 100644
--- a/secure_fw/partitions/internal_trusted_storage/flash_fs/its_flash_fs.h
+++ b/secure_fw/partitions/internal_trusted_storage/flash_fs/its_flash_fs.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018-2023, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2024, Arm Limited. All rights reserved.
  * Copyright (c) 2020, Cypress Semiconductor Corporation. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
@@ -181,9 +181,9 @@
     uint32_t flags;       /*!< Flags set when the file was created */
 #ifdef ITS_ENCRYPTION
     /*!< Additional authenticated data */
-    uint8_t add[ITS_FILE_ID_SIZE + ITS_DATA_SIZE_FIELD_SIZE + ITS_FLAG_SIZE];
-    uint8_t nonce[12];/*!< Nonce/IV for encrypted files */
-    uint8_t tag[16];   /*!< Authentication tag */
+    uint8_t aad[ITS_FILE_ID_SIZE + ITS_DATA_SIZE_FIELD_SIZE + ITS_FLAG_SIZE];
+    uint8_t nonce[TFM_ITS_ENC_NONCE_LENGTH]; /*!< Nonce/IV for encrypted files */
+    uint8_t tag[TFM_ITS_AUTH_TAG_LENGTH];    /*!< Authentication tag */
 #endif
 };
 
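Review bot: The `/*!< Additional authenticated data */` line above the renamed `aad` member uses the trailing-member Doxygen marker, so generated documentation attaches it to `flags` and leaves `aad` undocumented. Writing `/*! Additional authenticated data */` or moving the comment onto the `aad` line fixes that. The `nonce` and `tag` sizes now follow `TFM_ITS_ENC_NONCE_LENGTH` and `TFM_ITS_AUTH_TAG_LENGTH`, which a build can override. If this struct is written to flash (not visible here), changing either value changes the stored layout, which is worth a comment on the members. The struct starts outside the hunk.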
diff --git a/secure_fw/partitions/internal_trusted_storage/its_crypto_interface.c b/secure_fw/partitions/internal_trusted_storage/its_crypto_interface.c
index f2f721d..8ca642d 100644
--- a/secure_fw/partitions/internal_trusted_storage/its_crypto_interface.c
+++ b/secure_fw/partitions/internal_trusted_storage/its_crypto_interface.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019-2021, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -107,8 +107,8 @@
         file_size = finfo->size_current;
     }
 
-    err =  tfm_its_fill_enc_add(finfo->add,
-                                sizeof(finfo->add),
+    err =  tfm_its_fill_enc_add(finfo->aad,
+                                sizeof(finfo->aad),
                                 fid,
                                 fid_size,
                                 finfo->flags,
@@ -131,8 +131,8 @@
     aead_ctx.nonce_size = sizeof(finfo->nonce);
     aead_ctx.deriv_label = fid;
     aead_ctx.deriv_label_size = fid_size;
-    aead_ctx.aad = finfo->add;
-    aead_ctx.add_size = sizeof(finfo->add);
+    aead_ctx.aad = finfo->aad;
+    aead_ctx.aad_size = sizeof(finfo->aad);
 
 
     if (is_encrypt) {
diff --git a/secure_fw/partitions/internal_trusted_storage/tfm_internal_trusted_storage.c b/secure_fw/partitions/internal_trusted_storage/tfm_internal_trusted_storage.c
index 691db53..515743b 100644
--- a/secure_fw/partitions/internal_trusted_storage/tfm_internal_trusted_storage.c
+++ b/secure_fw/partitions/internal_trusted_storage/tfm_internal_trusted_storage.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019-2023, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2024, Arm Limited. All rights reserved.
  * Copyright (c) 2022 Cypress Semiconductor Corporation (an Infineon company)
  * or an affiliate of Cypress Semiconductor Corporation. All rights reserved.
  *
@@ -45,8 +45,13 @@
  * Note: size must be aligned to the max flash program unit to meet the
  * alignment requirement of the filesystem.
  */
+#ifndef ITS_ENCRYPTION
 static uint8_t __ALIGNED(4) asset_data[ITS_UTILS_ALIGN(ITS_BUF_SIZE,
                                           ITS_FLASH_MAX_ALIGNMENT)];
+#else
+static uint8_t __ALIGNED(4) asset_data[ITS_UTILS_ALIGN(ITS_MAX_ASSET_SIZE,
+                                              ITS_FLASH_MAX_ALIGNMENT)];
+#endif
 #endif
 
 #ifdef TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
@@ -85,11 +90,12 @@
 }
 
 #ifdef ITS_ENCRYPTION
-/* Buffer to store the encrypted asset data before it is stored in the
- * filesystem.
+/* Buffer to store the encrypted asset data and the authentication tag before it
+ * is stored in the filesystem.
  */
-static uint8_t enc_asset_data[ITS_UTILS_ALIGN(ITS_BUF_SIZE,
-                                              ITS_FLASH_MAX_ALIGNMENT)];
+static uint8_t __ALIGNED(4) enc_asset_data[ITS_UTILS_ALIGN(ITS_MAX_ASSET_SIZE +
+                                           TFM_ITS_AUTH_TAG_LENGTH,
+                                           ITS_FLASH_MAX_ALIGNMENT)];
 
 static psa_status_t buffer_size_check(int32_t client_id, size_t buffer_size)
 {
@@ -102,8 +108,8 @@
         /* When encryption is enabled the whole file needs to fit in the
          * global buffer.
          */
-        if (buffer_size > sizeof(enc_asset_data)) {
-            return PSA_ERROR_BUFFER_TOO_SMALL;
+        if (buffer_size > ITS_MAX_ASSET_SIZE) {
+            return PSA_ERROR_INVALID_ARGUMENT;
         }
     }
     return PSA_SUCCESS;
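Review bot: The oversize case in `buffer_size_check` now returns `PSA_ERROR_INVALID_ARGUMENT` where it used to return `PSA_ERROR_BUFFER_TOO_SMALL`, a client-visible change that neither the comment nor the commit message mentions. The comment above the test still speaks of the global buffer, although the limit is now `ITS_MAX_ASSET_SIZE` and `enc_asset_data` is larger by the tag. Something like `/* Plaintext is limited to ITS_MAX_ASSET_SIZE; enc_asset_data keeps TFM_ITS_AUTH_TAG_LENGTH extra bytes for the tag. */` would record why the two sizes differ. The function starts outside the hunk.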
@@ -111,7 +117,8 @@
 
 static psa_status_t tfm_its_crypt_data(int32_t client_id,
                                 uint8_t **input,
-                                size_t input_size)
+                                size_t input_size,
+                                size_t offset)
 {
     psa_status_t status;
 #ifdef TFM_PARTITION_PROTECTED_STORAGE
@@ -119,6 +126,11 @@
 #else
     {
 #endif /* TFM_PARTITION_PROTECTED_STORAGE */
+        if (offset != 0) {
+            /* If the data will be encrypted the whole file needs to be written */
+            return PSA_ERROR_INVALID_ARGUMENT;
+        }
+
         status = tfm_its_crypt_file(&g_file_info,
                                     g_fid,
                                     sizeof(g_fid),
@@ -392,11 +404,7 @@
     psa_status_t status;
     uint8_t *buffer_ptr = data;
 #ifdef ITS_ENCRYPTION /* ITS_ENCRYPTION */
-    /* If the data will be encrypted the whole file needs to be written */
-    if (offset != 0) {
-        return PSA_ERROR_INVALID_ARGUMENT;
-    }
-    status = tfm_its_crypt_data(client_id, &buffer_ptr, data_size);
+    status = tfm_its_crypt_data(client_id, &buffer_ptr, data_size, offset);
     if (status != PSA_SUCCESS) {
         return status;
     }
diff --git a/secure_fw/partitions/ns_agent_mailbox/tfm_spe_mailbox.c b/secure_fw/partitions/ns_agent_mailbox/tfm_spe_mailbox.c
index c288ca3..c15286e 100644
--- a/secure_fw/partitions/ns_agent_mailbox/tfm_spe_mailbox.c
+++ b/secure_fw/partitions/ns_agent_mailbox/tfm_spe_mailbox.c
@@ -17,6 +17,7 @@
 #include "internal_status_code.h"
 #include "psa/error.h"
 #include "utilities.h"
+#include "private/assert.h"
 #include "tfm_arch.h"
 #include "thread.h"
 #include "tfm_psa_call_pack.h"
diff --git a/secure_fw/spm/core/arch/tfm_arch_v6m_v7m.h b/secure_fw/spm/core/arch/tfm_arch_v6m_v7m.h
index 67c658f..f5fc7ee 100644
--- a/secure_fw/spm/core/arch/tfm_arch_v6m_v7m.h
+++ b/secure_fw/spm/core/arch/tfm_arch_v6m_v7m.h
@@ -11,6 +11,7 @@
 #include <stdbool.h>
 #include "cmsis_compiler.h"
 #include "utilities.h"
+#include "private/assert.h"
 
 #if !TFM_MULTI_CORE_TOPOLOGY
 #error "Armv6-M/Armv7-M can only support multi-core TF-M now."
diff --git a/secure_fw/spm/core/backend_ipc.c b/secure_fw/spm/core/backend_ipc.c
index e29aa3d..28c494b 100644
--- a/secure_fw/spm/core/backend_ipc.c
+++ b/secure_fw/spm/core/backend_ipc.c
@@ -24,6 +24,7 @@
 #include "tfm_nspm.h"
 #include "ffm/backend.h"
 #include "utilities.h"
+#include "private/assert.h"
 #include "memory_symbols.h"
 #include "load/partition_defs.h"
 #include "load/service_defs.h"
diff --git a/secure_fw/spm/core/backend_sfn.c b/secure_fw/spm/core/backend_sfn.c
index 1b7919d..a37215d 100644
--- a/secure_fw/spm/core/backend_sfn.c
+++ b/secure_fw/spm/core/backend_sfn.c
@@ -23,6 +23,7 @@
 #include "psa/service.h"
 #include "spm.h"
 #include "memory_symbols.h"
+#include "private/assert.h"
 
 /* SFN Partition state */
 #define SFN_PARTITION_STATE_NOT_INITED        0
diff --git a/secure_fw/spm/core/spm_connection_pool.c b/secure_fw/spm/core/spm_connection_pool.c
index 5ba540e..8eb453c 100644
--- a/secure_fw/spm/core/spm_connection_pool.c
+++ b/secure_fw/spm/core/spm_connection_pool.c
@@ -10,6 +10,7 @@
 #include "spm.h"
 #include "tfm_pools.h"
 #include "load/service_defs.h"
+#include "private/assert.h"
 
 #if !(defined CONFIG_TFM_CONN_HANDLE_MAX_NUM) || (CONFIG_TFM_CONN_HANDLE_MAX_NUM == 0)
 #error "CONFIG_TFM_CONN_HANDLE_MAX_NUM must be defined and not zero."
diff --git a/secure_fw/spm/core/spm_ipc.c b/secure_fw/spm/core/spm_ipc.c
index 810cebd..7b8771c 100644
--- a/secure_fw/spm/core/spm_ipc.c
+++ b/secure_fw/spm/core/spm_ipc.c
@@ -39,6 +39,7 @@
 #include "load/asset_defs.h"
 #include "load/spm_load_api.h"
 #include "tfm_nspm.h"
+#include "private/assert.h"
 
 /* Partition and service runtime data list head/runtime data table */
 static struct service_head_t services_listhead;
diff --git a/secure_fw/spm/core/tfm_pools.c b/secure_fw/spm/core/tfm_pools.c
index 7d8a305..3880ab7 100644
--- a/secure_fw/spm/core/tfm_pools.c
+++ b/secure_fw/spm/core/tfm_pools.c
@@ -14,6 +14,7 @@
 #include "internal_status_code.h"
 #include "cmsis_compiler.h"
 #include "utilities.h"
+#include "private/assert.h"
 #include "lists.h"
 #include "tfm_pools.h"
 
diff --git a/secure_fw/spm/core/tfm_rpc.c b/secure_fw/spm/core/tfm_rpc.c
index cdea721..0ebb5ad 100644
--- a/secure_fw/spm/core/tfm_rpc.c
+++ b/secure_fw/spm/core/tfm_rpc.c
@@ -14,6 +14,7 @@
 #include "ffm/psa_api.h"
 #include "tfm_rpc.h"
 #include "utilities.h"
+#include "private/assert.h"
 #include "load/partition_defs.h"
 #include "tfm_psa_call_pack.h"
 
diff --git a/secure_fw/spm/core/thread.c b/secure_fw/spm/core/thread.c
index e83f0ae..e4bba68 100644
--- a/secure_fw/spm/core/thread.c
+++ b/secure_fw/spm/core/thread.c
@@ -12,6 +12,7 @@
 #include "thread.h"
 #include "tfm_arch.h"
 #include "utilities.h"
+#include "private/assert.h"
 #include "critical_section.h"
 
 /* Declaration of current thread pointer. */
diff --git a/secure_fw/spm/include/private/assert.h b/secure_fw/spm/include/private/assert.h
new file mode 100644
index 0000000..5f5174c
--- /dev/null
+++ b/secure_fw/spm/include/private/assert.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2024, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+#ifndef __TFM_PRIV_ASSERT_H__
+#define __TFM_PRIV_ASSERT_H__
+
+#include <string.h>
+#include "tfm_spm_log.h"
+
+#ifndef NDEBUG
+#define SPM_ASSERT(cond)                                \
+            do {                                        \
+                if (!(cond)) {                          \
+                    SPMLOG_INFMSG("Assert:");           \
+                    SPMLOG_INFMSG(__func__);            \
+                    SPMLOG_INFMSGVAL(",", __LINE__);    \
+                    while (1) {                         \
+                        ;                               \
+                    }                                   \
+                }                                       \
+            } while (0)
+#else
+#define SPM_ASSERT(cond)
+#endif
+
+#define assert(cond) SPM_ASSERT(cond)
+
+#endif /* __TFM_PRIV_ASSERT_H__ */
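Review bot: `#define assert(cond) SPM_ASSERT(cond)` at the end of the new header redefines the standard `assert` macro without an `#undef`, so a translation unit that also pulls in `<assert.h>` gets either a redefinition diagnostic or whichever definition came last, depending on include order. Putting `#undef assert` on the line before it would make the override deliberate. With `NDEBUG` set, `SPM_ASSERT(cond)` expands to nothing, so the condition is never evaluated and any check written only as an assert disappears from release builds. `#define SPM_ASSERT(cond) ((void)0)` keeps the statement well-formed, and checks that guard a security boundary should be real `if` tests ending in `tfm_core_panic()` rather than asserts. `<string.h>` does not appear to be used by anything in this header.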
diff --git a/secure_fw/spm/include/tfm_arch_v8m.h b/secure_fw/spm/include/tfm_arch_v8m.h
index d302bc3..43b47f0 100644
--- a/secure_fw/spm/include/tfm_arch_v8m.h
+++ b/secure_fw/spm/include/tfm_arch_v8m.h
@@ -13,6 +13,7 @@
 #include "cmsis_compiler.h"
 #include "tfm_core_trustzone.h"
 #include "utilities.h"
+#include "private/assert.h"
 
 #define EXC_RETURN_RES1                         (0x1FFFFUL << 7)
 
diff --git a/secure_fw/spm/include/utilities.h b/secure_fw/spm/include/utilities.h
index bef9cdd..6c96ced 100644
--- a/secure_fw/spm/include/utilities.h
+++ b/secure_fw/spm/include/utilities.h
@@ -16,22 +16,6 @@
  */
 void tfm_core_panic(void);
 
-/* SPM assert */
-#ifndef NDEBUG
-#define SPM_ASSERT(cond)                                                    \
-            do {                                                            \
-                if (!(cond)) {                                              \
-                    SPMLOG_INFMSG("Assert:");                               \
-                    SPMLOG_INFMSG(__func__);                                \
-                    SPMLOG_INFMSGVAL(",", __LINE__);                        \
-                    while (1)                                               \
-                        ;                                                   \
-                }                                                           \
-            } while (0)
-#else
-#define SPM_ASSERT(cond)
-#endif
-
 /* Get container structure start address from member */
 #define TO_CONTAINER(ptr, type, member) \
     (type *)((unsigned long)(ptr) - offsetof(type, member))