mbedtls: add specific Kconfig option for MBEDTLS_USE_PSA_CRYPTO

MBEDTLS_PSA_CRYPTO_C and MBEDTLS_USE_PSA_CRYPTO are 2 different things and the former should not automatically enable the latter. The reson is that the user might want the MbedTLS PSA crypto toolbox to be built, but at the same time he/she does not want TLS/DTLS (and other intermediate modules such as PK, MD and Cipher) to use PSA APIs. For this reason this commit introduces a new Kconfig option named CONFIG_MBEDTLS_USE_PSA_CRYPTO to enable the corresponding build symbol. By default USE_PSA_CRYPTO is disabled. It is only explicilty enabled in tests/samples that were previously setting CRYPTO_C (since in those cases USE_PSA was set). Signed-off-by: Valerio Setti <vsetti@baylibre.com>
zephyrproject-rtos · May 8, 2024 · db03ff2 · db03ff2
1 parent 98b5874
commit db03ff2
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 0 deletions.
diff --git a/modules/mbedtls/Kconfig.tls-generic b/modules/mbedtls/Kconfig.tls-generic
@@ -486,6 +486,12 @@ config MBEDTLS_PSA_CRYPTO_C
 	depends on MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG || MBEDTLS_PSA_CRYPTO_LEGACY_RNG
 	default y if UOSCORE || UEDHOC
 
+config MBEDTLS_USE_PSA_CRYPTO
+	bool "Use PSA APIs instead of legacy MbedTLS when possible"
+	help
+	  Use PSA APIs instead of legacy MbedTLS functions in TLS/DTLS and other
+	  "intermediate" modules such as PK, MD and Cipher.
+
 config MBEDTLS_LMS
 	bool "Support LMS signature schemes"
 	depends on MBEDTLS_PSA_CRYPTO_C

diff --git a/modules/mbedtls/configs/config-tls-generic.h b/modules/mbedtls/configs/config-tls-generic.h
@@ -474,7 +474,10 @@
 
 #if defined(CONFIG_MBEDTLS_PSA_CRYPTO_C)
 #define MBEDTLS_PSA_CRYPTO_C
+
+#if defined(CONFIG_MBEDTLS_USE_PSA_CRYPTO)
 #define MBEDTLS_USE_PSA_CRYPTO
+#endif
 
 #if defined(CONFIG_ARCH_POSIX) && !defined(CONFIG_PICOLIBC)
 #define MBEDTLS_PSA_KEY_SLOT_COUNT     64

diff --git a/samples/tfm_integration/psa_crypto/prj.conf b/samples/tfm_integration/psa_crypto/prj.conf
@@ -29,6 +29,7 @@ CONFIG_MBEDTLS_USER_CONFIG_ENABLE=y
 CONFIG_MBEDTLS_USER_CONFIG_FILE="user-tls-conf.h"
 
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_MBEDTLS_USE_PSA_CRYPTO=y
 CONFIG_MBEDTLS_ENTROPY_ENABLED=y
 CONFIG_MBEDTLS_ECP_C=y
 CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y

diff --git a/subsys/bluetooth/mesh/Kconfig b/subsys/bluetooth/mesh/Kconfig
@@ -1349,6 +1349,7 @@ config BT_MESH_USES_MBEDTLS_PSA
 	select MBEDTLS
 	select MBEDTLS_ZEPHYR_ENTROPY
 	select MBEDTLS_PSA_CRYPTO_C
+	select MBEDTLS_USE_PSA_CRYPTO
 	select MBEDTLS_MAC_CMAC_ENABLED
 	select MBEDTLS_CIPHER_AES_ENABLED
 	select MBEDTLS_AES_ROM_TABLES