zephyr: fix Mbed TLS configuration header file selection

valeriosetti · nordicjm · commit a43167e359d7 · 2025-03-07T07:11:42.000Z
Mbed TLS already provides MBEDTLS_CFG_FILE Kconfig when it's builtin. So
we only need to override that config when not using the builtin Mbed TLS
version.

This commit also fixes some hardcoding of "mcuboot-mbedtls-cfg.h" in
Kconfig and prj.conf.

Signed-off-by: Valerio Setti &lt;vsetti@baylibre.com&gt;
diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt
@@ -220,7 +220,7 @@ if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256)
   # to set MBEDTLS_CONFIG_FILE ourselves. When using Zephyr's copy, this
   # variable is set by its Kconfig in the Zephyr codebase.
   zephyr_library_compile_definitions(
-    MBEDTLS_CONFIG_FILE="${CMAKE_CURRENT_LIST_DIR}/include/mcuboot-mbedtls-cfg.h"
+    MBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CFG_FILE}"
     )
 elseif(CONFIG_BOOT_SIGNATURE_TYPE_NONE)
   zephyr_library_include_directories(
@@ -266,7 +266,7 @@ elseif(CONFIG_BOOT_SIGNATURE_TYPE_ED25519 OR CONFIG_BOOT_ENCRYPT_X25519)
       ${TINYCRYPT_SHA512_DIR}/source/sha512.c
       )
     zephyr_library_compile_definitions(
-      MBEDTLS_CONFIG_FILE="${CMAKE_CURRENT_LIST_DIR}/include/mcuboot-mbedtls-cfg.h"
+      MBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CFG_FILE}"
       )
   else()
     zephyr_include_directories(include)
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
@@ -360,13 +360,12 @@ config MCUBOOT_CLEANUP_RAM
 	help
 	  Sets contents of memory to 0 before jumping to application.
 
-if MBEDTLS
-
 config MBEDTLS_CFG_FILE
-	default "config-tls-generic.h" if MBEDTLS_BUILTIN || BOOT_USE_PSA_CRYPTO
-	default "mcuboot-mbedtls-cfg.h" if BOOT_USE_MBEDTLS
-
-endif
+	# It might be awkward to define an Mbed TLS header file when TinyCrypt
+	# is used, but the fact is that Mbed TLS' ASN1 parse module is used
+	# also when TinyCrypt is used as crypto backend.
+	default "mcuboot-mbedtls-cfg.h" if BOOT_USE_TINYCRYPT
+	default "mcuboot-mbedtls-cfg.h" if BOOT_USE_MBEDTLS && !MBEDTLS_BUILTIN
 
 config BOOT_HW_KEY
 	bool "Use HW key for image verification"
diff --git a/boot/zephyr/prj.conf b/boot/zephyr/prj.conf
@@ -1,7 +1,6 @@
 CONFIG_PM=n
 
 CONFIG_MAIN_STACK_SIZE=10240
-CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h"
 
 CONFIG_BOOT_SWAP_SAVE_ENCTLV=n
 CONFIG_BOOT_ENCRYPT_IMAGE=n

Original file line number	Diff line number	Diff line change
`@@ -220,7 +220,7 @@ if(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256 OR CONFIG_BOOT_ENCRYPT_EC256)`
`220`	`220`	`# to set MBEDTLS_CONFIG_FILE ourselves. When using Zephyr's copy, this`
`221`	`221`	`# variable is set by its Kconfig in the Zephyr codebase.`
`222`	`222`	`zephyr_library_compile_definitions(`
`223`		`- MBEDTLS_CONFIG_FILE="${CMAKE_CURRENT_LIST_DIR}/include/mcuboot-mbedtls-cfg.h"`
	`223`	`+ MBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CFG_FILE}"`
`224`	`224`	`)`
`225`	`225`	`elseif(CONFIG_BOOT_SIGNATURE_TYPE_NONE)`
`226`	`226`	`zephyr_library_include_directories(`
`@@ -266,7 +266,7 @@ elseif(CONFIG_BOOT_SIGNATURE_TYPE_ED25519 OR CONFIG_BOOT_ENCRYPT_X25519)`
`266`	`266`	`${TINYCRYPT_SHA512_DIR}/source/sha512.c`
`267`	`267`	`)`
`268`	`268`	`zephyr_library_compile_definitions(`
`269`		`- MBEDTLS_CONFIG_FILE="${CMAKE_CURRENT_LIST_DIR}/include/mcuboot-mbedtls-cfg.h"`
	`269`	`+ MBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CFG_FILE}"`
`270`	`270`	`)`
`271`	`271`	`else()`
`272`	`272`	`zephyr_include_directories(include)`