From bb6071673cf9cf0a372fa8a7b7d5281fb2cd1c05 Mon Sep 17 00:00:00 2001 From: Georgios Vasilakis Date: Thu, 5 Sep 2024 10:41:36 +0200 Subject: [PATCH 1/7] [nrf noup] boards: nordic: Enable PSA RNG for nrf54h20 Noup since Ironside not available upstream and it is required for PSA RNG. This enables the PSA RNG as the default Zephyr entropy provider for the nrf54h20dk cpuapp and cpurad targets. Signed-off-by: Georgios Vasilakis --- .../nrf54h20dk/nrf54h20dk_nrf54h20_cpuapp.dts | 7 ++++++- .../nrf54h20dk/nrf54h20dk_nrf54h20_cpurad.dts | 16 +++++++++++----- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/boards/nordic/nrf54h20dk/nrf54h20dk_nrf54h20_cpuapp.dts b/boards/nordic/nrf54h20dk/nrf54h20dk_nrf54h20_cpuapp.dts index ae330e209aa..184291ba145 100644 --- a/boards/nordic/nrf54h20dk/nrf54h20dk_nrf54h20_cpuapp.dts +++ b/boards/nordic/nrf54h20dk/nrf54h20dk_nrf54h20_cpuapp.dts @@ -27,7 +27,7 @@ zephyr,bt-hci = &bt_hci_ipc0; nordic,802154-spinel-ipc = &ipc0; zephyr,canbus = &can120; - zephyr,entropy = &prng; + zephyr,entropy = &psa_rng; }; aliases { @@ -111,6 +111,11 @@ prng: prng { compatible = "nordic,entropy-prng"; + status = "disabled"; + }; + + psa_rng: psa-rng { + compatible = "zephyr,psa-crypto-rng"; status = "okay"; }; }; diff --git a/boards/nordic/nrf54h20dk/nrf54h20dk_nrf54h20_cpurad.dts b/boards/nordic/nrf54h20dk/nrf54h20dk_nrf54h20_cpurad.dts index 7e1a1c8e9e0..18013a744c7 100644 --- a/boards/nordic/nrf54h20dk/nrf54h20dk_nrf54h20_cpurad.dts +++ b/boards/nordic/nrf54h20dk/nrf54h20dk_nrf54h20_cpurad.dts 
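Review bot: Neither cpuapp hunk records that `psa_rng` only works when a PSA Crypto provider is present in the build, which the commit message says is IronSide on this SoC, so the board file changes the chosen entropy source with no stated precondition. I would add a comment above the new node, e.g. `/* Entropy is served through the PSA Crypto RNG; requires the IronSide-backed PSA crypto client in the build. */`, and one on the disabled `prng` node saying why it is kept, e.g. `/* Kept for reference; not the entropy source once psa_rng is chosen. */`. Please also confirm that a build without the PSA client fails at configuration time rather than ending up with no working device behind `zephyr,entropy`; the driver's Kconfig is not visible here, so this is a question rather than a finding. The same applies to the cpurad hunk that follows.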
@@ -28,17 +28,23 @@ zephyr,ieee802154 = &cpurad_ieee802154; zephyr,bt-hci-ipc = &ipc0; nordic,802154-spinel-ipc = &ipc0; - zephyr,entropy = &prng; - }; - prng: prng { - compatible = "nordic,entropy-prng"; - status = "okay"; + zephyr,entropy = &psa_rng; }; aliases { ipc-to-cpusys = &cpurad_cpusys_ipc; resetinfo = &cpurad_resetinfo; }; + + prng: prng { + compatible = "nordic,entropy-prng"; + status = "disabled"; + }; + + psa_rng: psa-rng { + compatible = "zephyr,psa-crypto-rng"; + status = "okay"; + }; }; &cpurad_bellboard { From 7ed2949b43d6275925af0ada7b51e821144f597c Mon Sep 17 00:00:00 2001 From: Georgios Vasilakis Date: Thu, 2 Oct 2025 12:40:10 +0200 Subject: [PATCH 2/7] [nrf noup] tests: arm_irq_vector_table: Remove unused SSF client option nrf-squash! [nrf noup] tests: arm_irq_vector_table: Disable starting of SSF client This option does not exist anymore so remove it. Signed-off-by: Georgios Vasilakis --- .../arm_irq_vector_table/boards/nrf54h20dk_nrf54h20_cpuapp.conf | 1 - .../arm_irq_vector_table/boards/nrf54h20dk_nrf54h20_cpurad.conf | 1 - 2 files changed, 2 deletions(-) diff --git a/tests/arch/arm/arm_irq_vector_table/boards/nrf54h20dk_nrf54h20_cpuapp.conf b/tests/arch/arm/arm_irq_vector_table/boards/nrf54h20dk_nrf54h20_cpuapp.conf index 6457f0efce7..e12e413d9e5 100644 --- a/tests/arch/arm/arm_irq_vector_table/boards/nrf54h20dk_nrf54h20_cpuapp.conf +++ b/tests/arch/arm/arm_irq_vector_table/boards/nrf54h20dk_nrf54h20_cpuapp.conf @@ -2,4 +2,3 @@ # SPDX-License-Identifier: Apache-2.0 CONFIG_POWER_DOMAIN=n -CONFIG_SSF_CLIENT_SYS_INIT=n diff --git a/tests/arch/arm/arm_irq_vector_table/boards/nrf54h20dk_nrf54h20_cpurad.conf b/tests/arch/arm/arm_irq_vector_table/boards/nrf54h20dk_nrf54h20_cpurad.conf index 6457f0efce7..e12e413d9e5 100644 --- a/tests/arch/arm/arm_irq_vector_table/boards/nrf54h20dk_nrf54h20_cpurad.conf +++ b/tests/arch/arm/arm_irq_vector_table/boards/nrf54h20dk_nrf54h20_cpurad.conf 
@@ -2,4 +2,3 @@ # SPDX-License-Identifier: Apache-2.0 CONFIG_POWER_DOMAIN=n -CONFIG_SSF_CLIENT_SYS_INIT=n From 3282d05938dd5ef7ebbc472bba57098e692379d0 Mon Sep 17 00:00:00 2001 From: Georgios Vasilakis Date: Thu, 2 Oct 2025 14:10:25 +0200 Subject: [PATCH 3/7] [nrf fromlist] secure_storage: Forbid usage with NRF_IRONSIDE The NRF_IRONSIDE is a provider of PSA services (including storage) so it cannot be used along with the secure storage subsystem which provides PSA storage APIs. Upstream PR: 96915 Signed-off-by: Georgios Vasilakis --- subsys/secure_storage/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/subsys/secure_storage/Kconfig b/subsys/secure_storage/Kconfig index b0ac8c08a14..d7faa81ea81 100644 --- a/subsys/secure_storage/Kconfig +++ b/subsys/secure_storage/Kconfig @@ -4,6 +4,7 @@ menuconfig SECURE_STORAGE bool "Secure storage subsystem" depends on !BUILD_WITH_TFM + depends on !NRF_IRONSIDE select MBEDTLS_PSA_CRYPTO_STORAGE_C if MBEDTLS_PSA_CRYPTO_C select EXPERIMENTAL help From 9c0f1db7bb2794811ed1891f6510e70e3d79db14 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 23 Sep 2025 11:35:34 +0200 Subject: [PATCH 4/7] [nrf fromlist] modules: openthread: fix dependency for OPENTHREAD_CRYPTO_PSA The dependency should be PSA_CRYPTO_CLIENT and not MBEDTLS_PSA_CRYPTO_CLIENT because the former is more generic. TF-M can indeed provide PSA Crypto API, not only Mbed TLS. Upstream PR: 96415 Signed-off-by: Valerio Setti --- modules/openthread/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/openthread/Kconfig b/modules/openthread/Kconfig index 99a90633f13..afbc479b4fd 100644 --- a/modules/openthread/Kconfig +++ b/modules/openthread/Kconfig 
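Review bot: The new `depends on !NRF_IRONSIDE` line in `SECURE_STORAGE` has no inline rationale. An existing `CONFIG_SECURE_STORAGE=y` will now be dropped on IronSide builds with at most a Kconfig warning, so the PSA storage calls end up served by a different backend without the application author necessarily noticing. A short comment above the line, such as `# IronSide already provides the PSA storage APIs`, would make the exclusion discoverable, as would a sentence in the help text, which lies outside this hunk. If `NRF_IRONSIDE` is not defined in every tree that parses this file, the reference evaluates to `n` and the dependency is silently always satisfied; worth checking against the Kconfig compliance run.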
@@ -320,7 +320,7 @@ config OPENTHREAD_MAC_SOFTWARE_CSMA_BACKOFF_ENABLE config OPENTHREAD_CRYPTO_PSA bool "ARM PSA crypto API" - depends on MBEDTLS_PSA_CRYPTO_CLIENT + depends on PSA_CRYPTO_CLIENT select OPENTHREAD_PLATFORM_KEY_REF if !OPENTHREAD_COPROCESSOR_RCP imply OPENTHREAD_PLATFORM_KEYS_EXPORTABLE_ENABLE help From 92c44737d73c19af4a33b185ad61e1f317a17193 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 1 Oct 2025 00:51:44 +0200 Subject: [PATCH 5/7] [nrf fromlist] drivers: bluetooth: esp32: remove selection of MBEDTLS_PSA_CRYPTO_C The driver code only relies on legacy Mbed TLS crypto, not on PSA API, so enabling MBEDTLS_PSA_CRYPTO_C is not needed here. Upstream PR: 96415 Signed-off-by: Valerio Setti --- drivers/bluetooth/hci/Kconfig.esp32 | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/bluetooth/hci/Kconfig.esp32 b/drivers/bluetooth/hci/Kconfig.esp32 index 9f363ebc700..501c5238db7 100644 --- a/drivers/bluetooth/hci/Kconfig.esp32 +++ b/drivers/bluetooth/hci/Kconfig.esp32 @@ -492,7 +492,6 @@ config ESP32_BT_LE_CRYPTO_STACK_MBEDTLS select MBEDTLS_ECP_DP_SECP256R1_ENABLED select MBEDTLS_ECDH_C select MBEDTLS_ENTROPY_C - select MBEDTLS_PSA_CRYPTO_C help Use mbedTLS library for BLE cryptographic operations. From 8ff2b915eedf57aa1bc416566cfc5bc8eece6f30 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 1 Oct 2025 00:58:16 +0200 Subject: [PATCH 6/7] [nrf fromlist] drivers: bluetooth: hci: do not select MBEDTLS_ENTROPY_C in BT_SILABS_EFR32 The driver only uses psa_generate_random() so ENTROPY_C is not required. Upstream PR: 96415 Signed-off-by: Valerio Setti --- drivers/bluetooth/hci/Kconfig | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/bluetooth/hci/Kconfig b/drivers/bluetooth/hci/Kconfig index f1d1939259d..ba218d73160 100644 --- a/drivers/bluetooth/hci/Kconfig +++ b/drivers/bluetooth/hci/Kconfig 
@@ -160,7 +160,6 @@ config BT_SILABS_EFR32 select SOC_GECKO_USE_RAIL select MBEDTLS select MBEDTLS_PSA_CRYPTO_C - select MBEDTLS_ENTROPY_C select HAS_BT_CTLR select BT_CTLR_PHY_UPDATE_SUPPORT select BT_CTLR_PER_INIT_FEAT_XCHG_SUPPORT From 78cc58432b43214654b9b53edb41bf278aa69d2c Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 23 Sep 2025 11:31:29 +0200 Subject: [PATCH 7/7] [nrf fromlist] modules: mbedtls: add new helper Kconfig symbol PSA_CRYPTO The goal of new Kconfig PSA_CRYPTO_PROVIDER is to automatically enable any of the PSA Crypto API provider available for the platform without having the user to manually pick the proper one. This provider can be either TF-M, if that's enabled in the build, or Mbed TLS otherwise. PSA_CRYPTO_PROVIDER simplifies also modules/subsystem Kconfigs removing blocks as: select MBEDTLS if !BUILD_WITH_TFM select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM Kconfig PSA_CRYPTO_PROVIDER_CUSTOM is also added to allow the end user to add a custom implementation of PSA Crypto API instead of TF-M or Mbed TLS ones. Upstream PR: 96415 Signed-off-by: Valerio Setti --- doc/releases/release-notes-4.3.rst | 5 +++ drivers/bluetooth/hci/Kconfig | 3 +- modules/hostap/Kconfig | 2 +- modules/mbedtls/Kconfig.psa.logic | 31 +++++++++++++++++-- modules/uoscore-uedhoc/Kconfig | 4 +-- samples/net/sockets/http_server/Kconfig | 2 +- .../subsys/mgmt/updatehub/overlay-psa.conf | 3 +- subsys/bluetooth/crypto/Kconfig | 3 +- subsys/bluetooth/host/Kconfig | 6 ++-- subsys/bluetooth/mesh/Kconfig | 3 +- subsys/jwt/Kconfig | 6 ++-- .../host/gatt/caching/psa_overlay.conf | 3 +- tests/bsim/bluetooth/ll/conn/psa_overlay.conf | 3 +- 13 files changed, 47 insertions(+), 27 deletions(-) diff --git a/doc/releases/release-notes-4.3.rst b/doc/releases/release-notes-4.3.rst index 6dfc304b3ef..7f7fd2abe25 100644 --- a/doc/releases/release-notes-4.3.rst +++ b/doc/releases/release-notes-4.3.rst 
@@ -70,6 +70,11 @@ Deprecated APIs and options New APIs and options ==================== +* :kconfig:option:`CONFIG_PSA_CRYPTO` allows to automatically select a PSA Crypto API + provider based on the configuration. TF-M and Mbed TLS are the only options available + for now, but the user can select :kconfig:option:`CONFIG_PSA_CRYPTO_CUSTOM` to use + a custom solution. + .. Link to new APIs here, in a group if you think it's necessary, no need to get fancy just list the link, that should contain the documentation. If you feel diff --git a/drivers/bluetooth/hci/Kconfig b/drivers/bluetooth/hci/Kconfig index ba218d73160..92f4d4fa3d7 100644 --- a/drivers/bluetooth/hci/Kconfig +++ b/drivers/bluetooth/hci/Kconfig @@ -158,8 +158,7 @@ config BT_SILABS_EFR32 depends on ZEPHYR_HAL_SILABS_MODULE_BLOBS || BUILD_ONLY_NO_BLOBS depends on !PM || SOC_GECKO_PM_BACKEND_PMGR select SOC_GECKO_USE_RAIL - select MBEDTLS - select MBEDTLS_PSA_CRYPTO_C + select PSA_CRYPTO select HAS_BT_CTLR select BT_CTLR_PHY_UPDATE_SUPPORT select BT_CTLR_PER_INIT_FEAT_XCHG_SUPPORT diff --git a/modules/hostap/Kconfig b/modules/hostap/Kconfig index aa6d5d8689f..1aa21670bb7 100644 --- a/modules/hostap/Kconfig +++ b/modules/hostap/Kconfig @@ -204,7 +204,7 @@ endchoice config WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA bool "Crypto Platform Secure Architecture support for WiFi" - imply MBEDTLS_PSA_CRYPTO_C + select PSA_CRYPTO select MBEDTLS_USE_PSA_CRYPTO select PSA_WANT_ALG_ECDH select PSA_WANT_ALG_HMAC diff --git a/modules/mbedtls/Kconfig.psa.logic b/modules/mbedtls/Kconfig.psa.logic index 2de81163dc1..3235efc8745 100644 --- a/modules/mbedtls/Kconfig.psa.logic +++ b/modules/mbedtls/Kconfig.psa.logic 
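Review bot: In `BT_SILABS_EFR32` the two unconditional selects of `MBEDTLS` and `MBEDTLS_PSA_CRYPTO_C` become `select PSA_CRYPTO`, so the provider is now whatever the `PSA_CRYPTO_PROVIDER` choice resolves to (TF-M or the out-of-tree option included) rather than always Mbed TLS. If the Silabs controller integration needs the Mbed TLS PSA core specifically, which is not visible in this hunk, that guarantee is gone; it should either be restored or the commit message should state that it is no longer required. The same substitution is made in `BT_MESH_USES_MBEDTLS_PSA` in subsys/bluetooth/mesh/Kconfig, where the symbol name and the "mbed TLS PSA" prompt still promise Mbed TLS. The config body continues outside the hunk.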
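Review bot: `WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA` moves from `imply MBEDTLS_PSA_CRYPTO_C` to `select PSA_CRYPTO`, which turns a default the user could override into a hard requirement, while the commit message describes only the simplification. The same imply-to-select change appears in `UOSCORE_UEDHOC_CRYPTO_COMMON` (modules/uoscore-uedhoc/Kconfig) and `NET_SAMPLE_HTTPS_SERVICE` (samples/net/sockets/http_server/Kconfig). If the tightening is intended, record it in the commit message or with a comment next to the select, e.g. `# PSA Crypto is mandatory here; the provider is picked by PSA_CRYPTO_PROVIDER`.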
@@ -1,8 +1,35 @@ # Copyright (c) 2024 BayLibre SAS # SPDX-License-Identifier: Apache-2.0 -# This file extends Kconfig.psa (which is automatically generated) by adding -# some logic between PSA_WANT symbols. +config PSA_CRYPTO + bool "PSA Crypto API" + help + Enable a PSA Crypto API provider in the build. If TF-M is enabled then + it will be used for this scope, otherwise Mbed TLS will be used. + +choice PSA_CRYPTO_PROVIDER + prompt "PSA Crypto API provider" + depends on PSA_CRYPTO + +config PSA_CRYPTO_PROVIDER_TFM + bool "Use TF-M" + depends on BUILD_WITH_TFM + select TFM_PARTITION_CRYPTO + +config PSA_CRYPTO_PROVIDER_MBEDTLS + bool "Use Mbed TLS" + depends on !BUILD_WITH_TFM + select MBEDTLS + select MBEDTLS_PSA_CRYPTO_C + +config PSA_CRYPTO_PROVIDER_CUSTOM + bool "Use an out-of-tree library" + depends on !BUILD_WITH_TFM + +endchoice # PSA_CRYPTO_PROVIDER + +# The following section extends Kconfig.psa.auto (which is automatically +# generated) by adding some logic between PSA_WANT symbols. config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC bool diff --git a/modules/uoscore-uedhoc/Kconfig b/modules/uoscore-uedhoc/Kconfig index 06eaecd7b21..76624955318 100644 --- a/modules/uoscore-uedhoc/Kconfig +++ b/modules/uoscore-uedhoc/Kconfig @@ -5,7 +5,6 @@ menuconfig UOSCORE bool "UOSCORE library" depends on ZCBOR depends on ZCBOR_CANONICAL - depends on MBEDTLS select UOSCORE_UEDHOC_CRYPTO_COMMON help @@ -22,7 +21,6 @@ menuconfig UEDHOC bool "UEDHOC library" depends on ZCBOR depends on ZCBOR_CANONICAL - depends on MBEDTLS select UOSCORE_UEDHOC_CRYPTO_COMMON help This option enables the UEDHOC library. @@ -38,7 +36,7 @@ if UOSCORE || UEDHOC config UOSCORE_UEDHOC_CRYPTO_COMMON bool - imply MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO select PSA_WANT_ALG_ECDH select PSA_WANT_ALG_ECDSA select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT diff --git a/samples/net/sockets/http_server/Kconfig b/samples/net/sockets/http_server/Kconfig index 2f607259dfa..07d5b26e52d 100644 
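Review bot: `PSA_CRYPTO_PROVIDER_CUSTOM` has no help text and selects nothing, so choosing it satisfies every `select PSA_CRYPTO` in the tree while nothing in Kconfig checks that an implementation is actually supplied; a mis-set choice would presumably surface only at link time. Each provider option should get help text saying what it pulls in, and for the custom one what the integrator must provide, e.g. `The PSA Crypto API implementation is supplied outside the Zephyr tree; nothing is enabled on its behalf.` The `PSA_CRYPTO` help text should mention the custom option as well, since it currently says only TF-M or Mbed TLS will be used. Separately, the release note added in this commit names `CONFIG_PSA_CRYPTO_CUSTOM`, which does not match the symbol defined here (`PSA_CRYPTO_PROVIDER_CUSTOM`), so that `:kconfig:option:` reference will likely not resolve. The choice also has no explicit `default` lines and relies on option order plus the `BUILD_WITH_TFM` dependencies, which deserves a one-line comment.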
--- a/samples/net/sockets/http_server/Kconfig +++ b/samples/net/sockets/http_server/Kconfig @@ -17,7 +17,7 @@ config NET_SAMPLE_HTTP_SERVER_SERVICE_PORT config NET_SAMPLE_HTTPS_SERVICE bool "Enable https service" depends on NET_SOCKETS_SOCKOPT_TLS || TLS_CREDENTIALS - imply MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO if NET_SAMPLE_HTTPS_SERVICE diff --git a/samples/subsys/mgmt/updatehub/overlay-psa.conf b/samples/subsys/mgmt/updatehub/overlay-psa.conf index 4b5dcfd9af6..8a70becc92d 100644 --- a/samples/subsys/mgmt/updatehub/overlay-psa.conf +++ b/samples/subsys/mgmt/updatehub/overlay-psa.conf @@ -1,3 +1,2 @@ CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA=y -CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_PSA_CRYPTO=y diff --git a/subsys/bluetooth/crypto/Kconfig b/subsys/bluetooth/crypto/Kconfig index 0f46a0f59a0..0e382060278 100644 --- a/subsys/bluetooth/crypto/Kconfig +++ b/subsys/bluetooth/crypto/Kconfig @@ -3,8 +3,7 @@ config BT_CRYPTO bool - select MBEDTLS if !BUILD_WITH_TFM - select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO select PSA_WANT_KEY_TYPE_AES select PSA_WANT_ALG_CMAC select PSA_WANT_ALG_ECB_NO_PADDING diff --git a/subsys/bluetooth/host/Kconfig b/subsys/bluetooth/host/Kconfig index 126649f1502..2fb1b4198e3 100644 --- a/subsys/bluetooth/host/Kconfig +++ b/subsys/bluetooth/host/Kconfig @@ -200,8 +200,7 @@ config BT_BUF_EVT_DISCARDABLE_COUNT config BT_HOST_CRYPTO bool "Use crypto functionality implemented in the Bluetooth host" default y if !BT_CTLR_CRYPTO - select MBEDTLS if !BUILD_WITH_TFM - select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO select PSA_WANT_KEY_TYPE_AES select PSA_WANT_ALG_ECB_NO_PADDING help @@ -1041,8 +1040,7 @@ endif # BT_DF config BT_ECC bool - select MBEDTLS if !BUILD_WITH_TFM - select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO select PSA_WANT_ALG_ECDH select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 
diff --git a/subsys/bluetooth/mesh/Kconfig b/subsys/bluetooth/mesh/Kconfig index 80846310c63..8ba16ff521e 100644 --- a/subsys/bluetooth/mesh/Kconfig +++ b/subsys/bluetooth/mesh/Kconfig @@ -1511,8 +1511,7 @@ choice BT_MESH_CRYPTO_LIB config BT_MESH_USES_MBEDTLS_PSA bool "mbed TLS PSA" - select MBEDTLS - select MBEDTLS_PSA_CRYPTO_C + select PSA_CRYPTO select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE diff --git a/subsys/jwt/Kconfig b/subsys/jwt/Kconfig index 052908a7775..c1cafcc829c 100644 --- a/subsys/jwt/Kconfig +++ b/subsys/jwt/Kconfig @@ -28,8 +28,7 @@ config JWT_SIGN_RSA_LEGACY config JWT_SIGN_RSA_PSA bool "Use RSA signature (RS-256). Use PSA Crypto API." - select MBEDTLS if !BUILD_WITH_TFM - select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT select PSA_WANT_ALG_RSA_PKCS1V15_SIGN @@ -37,8 +36,7 @@ config JWT_SIGN_RSA_PSA config JWT_SIGN_ECDSA_PSA bool "Use ECDSA signature (ES-256). Use PSA Crypto API." - select MBEDTLS if !BUILD_WITH_TFM - select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT select PSA_WANT_ALG_ECDSA select PSA_WANT_ECC_SECP_R1_256 diff --git a/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf b/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf index b836ab2c23b..bc7c220f62f 100644 --- a/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf +++ b/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf @@ -1,3 +1,2 @@ -CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_PSA_CRYPTO=y CONFIG_PSA_CRYPTO_ENABLE_ALL=y diff --git a/tests/bsim/bluetooth/ll/conn/psa_overlay.conf b/tests/bsim/bluetooth/ll/conn/psa_overlay.conf index b836ab2c23b..bc7c220f62f 100644 --- a/tests/bsim/bluetooth/ll/conn/psa_overlay.conf +++ b/tests/bsim/bluetooth/ll/conn/psa_overlay.conf 
@@ -1,3 +1,2 @@ -CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_PSA_CRYPTO=y CONFIG_PSA_CRYPTO_ENABLE_ALL=y