nrf_security: Refactor builtin key handling

This updates the way we handle the configuration
MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS so that it follows the
same logic as all the other PSA Crypto core configurations.
Also does minor cleanups for this option.

It also renames the configuration option
MBEDTLS_ENABLE_BUILTIN_KEYS->MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS.

This is a promptless option so no need to update any
sample/application because of this.

Ref: NCSDK-29543

Signed-off-by: Georgios Vasilakis <[email protected]>

Update subsys/nrf_security/Kconfig

Co-authored-by: Tomi Fontanilles <[email protected]>

Author: 2 people

modules/trusted-firmware-m/tfm_boards/external_core.cmake

@@ -93,7 +93,6 @@ if(TARGET psa_crypto_library_config)
     target_compile_definitions(psa_crypto_library_config
         INTERFACE
             MBEDTLS_PSA_CRYPTO_DRIVERS
-            MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
             $<$<BOOL:${CRYPTO_TFM_BUILTIN_KEYS_DRIVER}>:PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER>
     )
 endif()

subsys/nrf_security/CMakeLists.txt

@@ -117,14 +117,6 @@ target_compile_definitions(psa_crypto_library_config
 # The name and intent of this comes from TF-M distribution
 add_library(psa_interface INTERFACE)
 
-if(CONFIG_MBEDTLS_ENABLE_BUILTIN_KEYS)
-# Add config files required for PSA crypto interface
-target_compile_definitions(psa_interface
-  INTERFACE
-  MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
-)
-endif()
-
 # Add the includes from nrf_security, Oberon PSA core, and Arm Mbed TLS
 # to the psa_interface library
 target_include_directories(psa_interface

subsys/nrf_security/Kconfig

@@ -53,12 +53,12 @@ config PSA_PROMPTLESS
 
 if NRF_SECURITY
 
-config MBEDTLS_ENABLE_BUILTIN_KEYS
+config MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
 	bool
 	default y if SOC_SERIES_NRF54LX && (HW_UNIQUE_KEY || IDENTITY_KEY)
 	default y if SOC_SERIES_NRF54HX && (SOC_NRF54H20_CPUSEC || SOC_NRF54H20_ENGB_CPUSEC)
 	help
-	  Promptless option used to control if MBEDTLS should have support for builtin keys or not.
+	  Promptless option used to control if the PSA Crypto core should have support for builtin keys or not.
 
 config MBEDTLS_CFG_FILE
 	string "mbed TLS configuration file"

subsys/nrf_security/cmake/nrf_config.cmake

@@ -14,6 +14,7 @@ kconfig_check_and_set_base(MBEDTLS_PSA_CRYPTO_CLIENT)
 kconfig_check_and_set_base(MBEDTLS_PSA_CRYPTO_C)
 kconfig_check_and_set_base(MBEDTLS_USE_PSA_CRYPTO)
 kconfig_check_and_set_base(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+kconfig_check_and_set_base(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
 
 # Platform
 kconfig_check_and_set_base(MBEDTLS_PLATFORM_C)

subsys/nrf_security/configs/legacy_crypto_config.h.template

@@ -1114,22 +1114,6 @@
  */
 #cmakedefine MBEDTLS_PKCS1_V21
 
-/** \def MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
- *
- * Enable support for platform built-in keys. If you enable this feature,
- * you must implement the function mbedtls_psa_platform_get_builtin_key().
- * See the documentation of that function for more information.
- *
- * Built-in keys are typically derived from a hardware unique key or
- * stored in a secure element.
- *
- * Requires: MBEDTLS_PSA_CRYPTO_C.
- *
- * \warning This interface is experimental and may change or be removed
- * without notice.
- */
-//#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
-
 /** \def MBEDTLS_PSA_CRYPTO_CLIENT
  *
  * Enable support for PSA crypto client.

subsys/nrf_security/configs/nrf-config.h.template

@@ -23,6 +23,7 @@
 #cmakedefine MBEDTLS_PSA_CRYPTO_CLIENT
 #cmakedefine MBEDTLS_PSA_CRYPTO_C
 #cmakedefine MBEDTLS_USE_PSA_CRYPTO
+#cmakedefine MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
 /* Avoid redefinition as TF-M defines this on the command line */
 #ifndef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
 #cmakedefine MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER