https://developer.trustedfirmware.org/T234 uncovered an error state in TF-M asserted in tfm_psa_veneer_sanity_check
We noticed that the error handling is broken in such a case.

enum tfm_status_e error code is returned from psa_call. The error is in positive range which reserved for SP logic.
The error code must be either converted to one of the PSA FF error codes or panic should be trigged.
In addition existing regression test did not detect this error - since it checks for >=0 error codes. I think test should be modified to test against more PSA FF error codes.