From c5292ba505523782c0404eac741a079dd298ce5b Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Tue, 23 Sep 2025 11:35:34 +0200
Subject: [PATCH 1/4] modules: openthread: fix dependency for OPENTHREAD_CRYPTO_PSA
The dependency should be PSA_CRYPTO_CLIENT and not MBEDTLS_PSA_CRYPTO_CLIENT because the former is more generic. TF-M can indeed provide PSA Crypto API, not only Mbed TLS.
Signed-off-by: Valerio Setti
---
 modules/openthread/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/openthread/Kconfig b/modules/openthread/Kconfig
index 99a90633f13..afbc479b4fd 100644
--- a/modules/openthread/Kconfig
+++ b/modules/openthread/Kconfig
@@ -320,7 +320,7 @@ config OPENTHREAD_MAC_SOFTWARE_CSMA_BACKOFF_ENABLE
 config OPENTHREAD_CRYPTO_PSA
 bool "ARM PSA crypto API"
- depends on MBEDTLS_PSA_CRYPTO_CLIENT
+ depends on PSA_CRYPTO_CLIENT
 select OPENTHREAD_PLATFORM_KEY_REF if !OPENTHREAD_COPROCESSOR_RCP
 imply OPENTHREAD_PLATFORM_KEYS_EXPORTABLE_ENABLE
 help
From bae1e7bd922996bfdf7a993f794e82d9a97be5f5 Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Wed, 1 Oct 2025 00:51:44 +0200
Subject: [PATCH 2/4] drivers: bluetooth: esp32: remove selection of MBEDTLS_PSA_CRYPTO_C
The driver code only relies on legacy Mbed TLS crypto, not on PSA API, so enabling MBEDTLS_PSA_CRYPTO_C is not needed here.
Signed-off-by: Valerio Setti
---
 drivers/bluetooth/hci/Kconfig.esp32 | 1 -
 1 file changed, 1 deletion(-)
diff --git a/drivers/bluetooth/hci/Kconfig.esp32 b/drivers/bluetooth/hci/Kconfig.esp32
index 9f363ebc700..501c5238db7 100644
--- a/drivers/bluetooth/hci/Kconfig.esp32
+++ b/drivers/bluetooth/hci/Kconfig.esp32
@@ -492,7 +492,6 @@ config ESP32_BT_LE_CRYPTO_STACK_MBEDTLS
 select MBEDTLS_ECP_DP_SECP256R1_ENABLED
 select MBEDTLS_ECDH_C
 select MBEDTLS_ENTROPY_C
- select MBEDTLS_PSA_CRYPTO_C
 help
 Use mbedTLS library for BLE cryptographic operations.
From 56adef3713d97eb01af7b48318d286db28f81116 Mon Sep 17 00:00:00 2001 
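Review bot: OPENTHREAD_CRYPTO_PSA keeps a `depends on` (now PSA_CRYPTO_CLIENT) in this hunk, so the user still has to enable a provider by hand, whereas patch 4/4 of the same series moves every other PSA consumer to `select PSA_CRYPTO` and lets the PSA_CRYPTO_PROVIDER choice pick TF-M or Mbed TLS. If PSA_CRYPTO_CLIENT is what both providers end up setting, replacing this line with `select PSA_CRYPTO` once that symbol exists would keep OpenThread consistent with the rest of the series and cover the TF-M case the commit message describes without a manual step. The help text of OPENTHREAD_CRYPTO_PSA lies outside the hunk; if it still refers only to Mbed TLS it should be updated together with the dependency.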
From: Valerio Setti
Date: Wed, 1 Oct 2025 00:58:16 +0200
Subject: [PATCH 3/4] drivers: bluetooth: hci: do not select MBEDTLS_ENTROPY_C in BT_SILABS_EFR32
The driver only uses psa_generate_random() so ENTROPY_C is not required.
Signed-off-by: Valerio Setti
---
 drivers/bluetooth/hci/Kconfig | 1 -
 1 file changed, 1 deletion(-)
diff --git a/drivers/bluetooth/hci/Kconfig b/drivers/bluetooth/hci/Kconfig
index f1d1939259d..ba218d73160 100644
--- a/drivers/bluetooth/hci/Kconfig
+++ b/drivers/bluetooth/hci/Kconfig
@@ -160,7 +160,6 @@ config BT_SILABS_EFR32
 select SOC_GECKO_USE_RAIL
 select MBEDTLS
 select MBEDTLS_PSA_CRYPTO_C
- select MBEDTLS_ENTROPY_C
 select HAS_BT_CTLR
 select BT_CTLR_PHY_UPDATE_SUPPORT
 select BT_CTLR_PER_INIT_FEAT_XCHG_SUPPORT
From 2a37b40f730e9cfd97936d14a25c3ac1d2733c7d Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Tue, 23 Sep 2025 11:31:29 +0200
Subject: [PATCH 4/4] modules: mbedtls: add new helper symbol PSA_CRYPTO_PROVIDER
The goal of new Kconfig PSA_CRYPTO_PROVIDER is to automatically enable any of the PSA Crypto API provider available for the platform without having the user to manually pick the proper one. This provider can be either TF-M, if that's enabled in the build, or Mbed TLS otherwise. PSA_CRYPTO_PROVIDER simplifies also modules/subsystem Kconfigs removing blocks as: select MBEDTLS if !BUILD_WITH_TFM select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM Kconfig PSA_CRYPTO_PROVIDER_CUSTOM is also added to allow the end user to add a custom implementation of PSA Crypto API instead of TF-M or Mbed TLS ones. 
Signed-off-by: Valerio Setti
---
 doc/releases/release-notes-4.3.rst | 5 +++
 drivers/bluetooth/hci/Kconfig | 3 +-
 modules/hostap/Kconfig | 2 +-
 modules/mbedtls/Kconfig.psa.logic | 33 +++++++++++++++++--
 modules/uoscore-uedhoc/Kconfig | 4 +--
 samples/net/sockets/http_server/Kconfig | 2 +-
 .../subsys/mgmt/updatehub/overlay-psa.conf | 3 +-
 subsys/bluetooth/crypto/Kconfig | 3 +-
 subsys/bluetooth/host/Kconfig | 6 ++--
 subsys/bluetooth/mesh/Kconfig | 3 +-
 subsys/jwt/Kconfig | 6 ++--
 .../host/gatt/caching/psa_overlay.conf | 3 +-
 tests/bsim/bluetooth/ll/conn/psa_overlay.conf | 3 +-
 13 files changed, 49 insertions(+), 27 deletions(-)
diff --git a/doc/releases/release-notes-4.3.rst b/doc/releases/release-notes-4.3.rst
index 6dfc304b3ef..7f7fd2abe25 100644
--- a/doc/releases/release-notes-4.3.rst
+++ b/doc/releases/release-notes-4.3.rst
@@ -70,6 +70,11 @@ Deprecated APIs and options
 New APIs and options
 ====================
+* :kconfig:option:`CONFIG_PSA_CRYPTO` allows to automatically select a PSA Crypto API
+ provider based on the configuration. TF-M and Mbed TLS are the only options available
+ for now, but the user can select :kconfig:option:`CONFIG_PSA_CRYPTO_CUSTOM` to use
+ a custom solution.
+
 .. Link to new APIs here, in a group if you think it's necessary, no need to get fancy just list the link, that should contain the documentation. If you feel
diff --git a/drivers/bluetooth/hci/Kconfig b/drivers/bluetooth/hci/Kconfig
index ba218d73160..92f4d4fa3d7 100644
--- a/drivers/bluetooth/hci/Kconfig
+++ b/drivers/bluetooth/hci/Kconfig
@@ -158,8 +158,7 @@ config BT_SILABS_EFR32
 depends on ZEPHYR_HAL_SILABS_MODULE_BLOBS || BUILD_ONLY_NO_BLOBS
 depends on !PM || SOC_GECKO_PM_BACKEND_PMGR
 select SOC_GECKO_USE_RAIL
- select MBEDTLS
- select MBEDTLS_PSA_CRYPTO_C
+ select PSA_CRYPTO
 select HAS_BT_CTLR
 select BT_CTLR_PHY_UPDATE_SUPPORT
 select BT_CTLR_PER_INIT_FEAT_XCHG_SUPPORT
diff --git a/modules/hostap/Kconfig b/modules/hostap/Kconfig
index aa6d5d8689f..1aa21670bb7 100644 
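Review bot: BT_SILABS_EFR32 is the only consumer in this patch that selects PSA_CRYPTO without any PSA_WANT_* symbol, and patch 3/4 of the series states the driver relies on psa_generate_random(); the old unconditional `select MBEDTLS` always produced an in-image Mbed TLS, while PSA_CRYPTO_PROVIDER now routes a BUILD_WITH_TFM build to the TF-M crypto partition, so nothing in Kconfig expresses that the provider must offer random generation. If the tree exposes a PSA_WANT_* symbol for random generation, select it here; otherwise a comment above the new line, `# the driver only uses psa_generate_random(); no PSA_WANT_* feature is needed`, records why no algorithm is requested. The config block continues outside the hunk.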
--- a/modules/hostap/Kconfig
+++ b/modules/hostap/Kconfig
@@ -204,7 +204,7 @@ endchoice
 config WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
 bool "Crypto Platform Secure Architecture support for WiFi"
- imply MBEDTLS_PSA_CRYPTO_C
+ select PSA_CRYPTO
 select MBEDTLS_USE_PSA_CRYPTO
 select PSA_WANT_ALG_ECDH
 select PSA_WANT_ALG_HMAC
diff --git a/modules/mbedtls/Kconfig.psa.logic b/modules/mbedtls/Kconfig.psa.logic
index 2de81163dc1..c2c02c33b13 100644
--- a/modules/mbedtls/Kconfig.psa.logic
+++ b/modules/mbedtls/Kconfig.psa.logic
@@ -1,8 +1,37 @@
 # Copyright (c) 2024 BayLibre SAS
 # SPDX-License-Identifier: Apache-2.0
-# This file extends Kconfig.psa (which is automatically generated) by adding
-# some logic between PSA_WANT symbols.
+config PSA_CRYPTO
+ bool "PSA Crypto API"
+ help
+ Enable a PSA Crypto API provider in the build. If TF-M is enabled then
+ it will be used for this scope, otherwise Mbed TLS will be used.
+
+choice PSA_CRYPTO_PROVIDER
+ prompt "PSA Crypto API provider"
+ depends on PSA_CRYPTO
+ default PSA_CRYPTO_PROVIDER_TFM if BUILD_WITH_TFM
+ default PSA_CRYPTO_PROVIDER_MBEDTLS
+
+config PSA_CRYPTO_PROVIDER_TFM
+ bool "Use TF-M"
+ depends on BUILD_WITH_TFM
+ select TFM_PARTITION_CRYPTO
+
+config PSA_CRYPTO_PROVIDER_MBEDTLS
+ bool "Use Mbed TLS"
+ depends on !BUILD_WITH_TFM
+ select MBEDTLS
+ select MBEDTLS_PSA_CRYPTO_C
+
+config PSA_CRYPTO_PROVIDER_CUSTOM
+ bool "Use an out-of-tree library"
+ depends on !BUILD_WITH_TFM
+
+endchoice # PSA_CRYPTO_PROVIDER
+
+# The following section extends Kconfig.psa.auto (which is automatically
+# generated) by adding some logic between PSA_WANT symbols.
 config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC
 bool
diff --git a/modules/uoscore-uedhoc/Kconfig b/modules/uoscore-uedhoc/Kconfig
index 06eaecd7b21..76624955318 100644
--- a/modules/uoscore-uedhoc/Kconfig
+++ b/modules/uoscore-uedhoc/Kconfig 
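Review bot: WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA now pairs `select PSA_CRYPTO` with the unchanged `select MBEDTLS_USE_PSA_CRYPTO`; under BUILD_WITH_TFM the PSA_CRYPTO_PROVIDER choice resolves to PSA_CRYPTO_PROVIDER_TFM, which selects no MBEDTLS, so an Mbed TLS-specific symbol is forced on without the library that implements it (Kconfig warns if MBEDTLS_USE_PSA_CRYPTO carries an MBEDTLS dependency). Guarding it, `select MBEDTLS_USE_PSA_CRYPTO if PSA_CRYPTO_PROVIDER_MBEDTLS`, keeps the TF-M configuration free of dangling selects; alternatively state in the help text, which is outside the hunk, that this option requires the Mbed TLS provider. The previous `imply` also becomes a hard `select`, which is consistent with the other consumers in the patch.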
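Review bot: The symbol names in this hunk and the rest of the patch disagree: consumers `select PSA_CRYPTO`, the choice is PSA_CRYPTO_PROVIDER with PSA_CRYPTO_PROVIDER_CUSTOM, but the release note added by the same patch points readers to `CONFIG_PSA_CRYPTO_CUSTOM`, and the commit subject calls the helper symbol PSA_CRYPTO_PROVIDER; the release note should reference `CONFIG_PSA_CRYPTO_PROVIDER_CUSTOM` so the documented option actually exists. The PSA_CRYPTO help text covers only TF-M and Mbed TLS although the choice below also offers an out-of-tree provider; e.g. `Enable a PSA Crypto API provider in the build: TF-M when it is part of the build, Mbed TLS otherwise. See the PSA_CRYPTO_PROVIDER choice to plug in an out-of-tree implementation.` PSA_CRYPTO_PROVIDER_CUSTOM has no help and selects nothing, so every PSA_WANT_* selected by the consumers in this patch (ECDH, ECDSA, AES, CMAC, RSA) becomes a requirement the custom library must satisfy unaided; its help should state that the out-of-tree library must implement the PSA Crypto API for all enabled PSA_WANT_* features and provide its own random source, since neither MBEDTLS nor TFM_PARTITION_CRYPTO is selected on that path.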
@@ -5,7 +5,6 @@ menuconfig UOSCORE
 bool "UOSCORE library"
 depends on ZCBOR
 depends on ZCBOR_CANONICAL
- depends on MBEDTLS
 select UOSCORE_UEDHOC_CRYPTO_COMMON
 help
@@ -22,7 +21,6 @@ menuconfig UEDHOC
 bool "UEDHOC library"
 depends on ZCBOR
 depends on ZCBOR_CANONICAL
- depends on MBEDTLS
 select UOSCORE_UEDHOC_CRYPTO_COMMON
 help
 This option enables the UEDHOC library.
@@ -38,7 +36,7 @@ if UOSCORE || UEDHOC
 config UOSCORE_UEDHOC_CRYPTO_COMMON
 bool
- imply MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+ select PSA_CRYPTO
 select PSA_WANT_ALG_ECDH
 select PSA_WANT_ALG_ECDSA
 select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
diff --git a/samples/net/sockets/http_server/Kconfig b/samples/net/sockets/http_server/Kconfig
index 2f607259dfa..07d5b26e52d 100644
--- a/samples/net/sockets/http_server/Kconfig
+++ b/samples/net/sockets/http_server/Kconfig
@@ -17,7 +17,7 @@ config NET_SAMPLE_HTTP_SERVER_SERVICE_PORT
 config NET_SAMPLE_HTTPS_SERVICE
 bool "Enable https service"
 depends on NET_SOCKETS_SOCKOPT_TLS || TLS_CREDENTIALS
- imply MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+ select PSA_CRYPTO
 if NET_SAMPLE_HTTPS_SERVICE
diff --git a/samples/subsys/mgmt/updatehub/overlay-psa.conf b/samples/subsys/mgmt/updatehub/overlay-psa.conf
index 4b5dcfd9af6..8a70becc92d 100644
--- a/samples/subsys/mgmt/updatehub/overlay-psa.conf
+++ b/samples/subsys/mgmt/updatehub/overlay-psa.conf
@@ -1,3 +1,2 @@
 CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA=y
-CONFIG_MBEDTLS=y
-CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_PSA_CRYPTO=y
diff --git a/subsys/bluetooth/crypto/Kconfig b/subsys/bluetooth/crypto/Kconfig
index 0f46a0f59a0..0e382060278 100644
--- a/subsys/bluetooth/crypto/Kconfig
+++ b/subsys/bluetooth/crypto/Kconfig
@@ -3,8 +3,7 @@
 config BT_CRYPTO
 bool
- select MBEDTLS if !BUILD_WITH_TFM
- select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+ select PSA_CRYPTO
 select PSA_WANT_KEY_TYPE_AES
 select PSA_WANT_ALG_CMAC
 select PSA_WANT_ALG_ECB_NO_PADDING 
diff --git a/subsys/bluetooth/host/Kconfig b/subsys/bluetooth/host/Kconfig
index 126649f1502..2fb1b4198e3 100644
--- a/subsys/bluetooth/host/Kconfig
+++ b/subsys/bluetooth/host/Kconfig
@@ -200,8 +200,7 @@ config BT_BUF_EVT_DISCARDABLE_COUNT
 config BT_HOST_CRYPTO
 bool "Use crypto functionality implemented in the Bluetooth host"
 default y if !BT_CTLR_CRYPTO
- select MBEDTLS if !BUILD_WITH_TFM
- select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+ select PSA_CRYPTO
 select PSA_WANT_KEY_TYPE_AES
 select PSA_WANT_ALG_ECB_NO_PADDING
 help
@@ -1041,8 +1040,7 @@ endif # BT_DF
 config BT_ECC
 bool
- select MBEDTLS if !BUILD_WITH_TFM
- select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+ select PSA_CRYPTO
 select PSA_WANT_ALG_ECDH
 select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
 select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
diff --git a/subsys/bluetooth/mesh/Kconfig b/subsys/bluetooth/mesh/Kconfig
index 80846310c63..8ba16ff521e 100644
--- a/subsys/bluetooth/mesh/Kconfig
+++ b/subsys/bluetooth/mesh/Kconfig
@@ -1511,8 +1511,7 @@ choice BT_MESH_CRYPTO_LIB
 config BT_MESH_USES_MBEDTLS_PSA
 bool "mbed TLS PSA"
- select MBEDTLS
- select MBEDTLS_PSA_CRYPTO_C
+ select PSA_CRYPTO
 select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
 select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
 select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
diff --git a/subsys/jwt/Kconfig b/subsys/jwt/Kconfig
index 052908a7775..c1cafcc829c 100644
--- a/subsys/jwt/Kconfig
+++ b/subsys/jwt/Kconfig
@@ -28,8 +28,7 @@ config JWT_SIGN_RSA_LEGACY
 config JWT_SIGN_RSA_PSA
 bool "Use RSA signature (RS-256). Use PSA Crypto API."
- select MBEDTLS if !BUILD_WITH_TFM
- select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+ select PSA_CRYPTO
 select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
 select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
 select PSA_WANT_ALG_RSA_PKCS1V15_SIGN 
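Review bot: BT_MESH_USES_MBEDTLS_PSA now selects the provider-neutral PSA_CRYPTO, under which TF-M or an out-of-tree library may be the implementation, yet its prompt in this hunk still reads `bool "mbed TLS PSA"` and the symbol name still says MBEDTLS, so the menu misdescribes every non-Mbed TLS build. The symbol name is referenced elsewhere, but the prompt can be corrected here, e.g. `bool "PSA Crypto API"`, and the help text outside the hunk should say that the concrete provider is chosen by PSA_CRYPTO_PROVIDER. The BT_HOST_CRYPTO and BT_ECC hunks above make the same substitution with names that are already neutral, so no change is needed there. The enclosing `choice BT_MESH_CRYPTO_LIB` starts outside the hunk.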
@@ -37,8 +36,7 @@ config JWT_SIGN_RSA_PSA
 config JWT_SIGN_ECDSA_PSA
 bool "Use ECDSA signature (ES-256). Use PSA Crypto API."
- select MBEDTLS if !BUILD_WITH_TFM
- select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+ select PSA_CRYPTO
 select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
 select PSA_WANT_ALG_ECDSA
 select PSA_WANT_ECC_SECP_R1_256
diff --git a/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf b/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf
index b836ab2c23b..bc7c220f62f 100644
--- a/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf
+++ b/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf
@@ -1,3 +1,2 @@
-CONFIG_MBEDTLS=y
-CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_PSA_CRYPTO=y
 CONFIG_PSA_CRYPTO_ENABLE_ALL=y
diff --git a/tests/bsim/bluetooth/ll/conn/psa_overlay.conf b/tests/bsim/bluetooth/ll/conn/psa_overlay.conf
index b836ab2c23b..bc7c220f62f 100644
--- a/tests/bsim/bluetooth/ll/conn/psa_overlay.conf
+++ b/tests/bsim/bluetooth/ll/conn/psa_overlay.conf
@@ -1,3 +1,2 @@
-CONFIG_MBEDTLS=y
-CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_PSA_CRYPTO=y
 CONFIG_PSA_CRYPTO_ENABLE_ALL=y