From ddd97abf1272dc61cd0c89901f4ab1751ca78ff5 Mon Sep 17 00:00:00 2001
From: Anton Zyma <anton.zyma@nordicsemi.no>
Date: Fri, 3 Oct 2025 13:14:05 +0300
Subject: [PATCH] nrf_security: CRACEN: Make KDF operations struct depend on
 project config

cracen_key_derivation_operation_t struct is modified so as to include
KDF algorithms required by the project configuration.

Ref: NCSDK-35675

Signed-off-by: Anton Zyma <anton.zyma@nordicsemi.no>
---
 .../cracenpsa/include/cracen_psa_primitives.h | 14 +++--
 .../cracen/cracenpsa/src/key_derivation.c     | 59 ++++++++++++++++++-
 .../src/drivers/cracen/psa_driver.Kconfig     |  4 +-
 3 files changed, 70 insertions(+), 7 deletions(-)

diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa_primitives.h b/subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa_primitives.h
index f2881e50566e..9ef17bd75dbc 100644
--- a/subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa_primitives.h
+++ b/subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa_primitives.h
@@ -240,6 +240,7 @@ struct cracen_key_derivation_operation {
 		cracen_hash_operation_t hash_op;
 	};
 	union {
+#if defined(CONFIG_PSA_NEED_CRACEN_HKDF)
 		struct {
 			uint8_t blk_counter;
 			uint8_t prk[SX_HASH_MAX_ENABLED_BLOCK_SIZE];
@@ -248,7 +249,8 @@ struct cracen_key_derivation_operation {
 			size_t info_length;
 			bool info_set;
 		} hkdf;
-
+#endif /* CONFIG_PSA_NEED_CRACEN_HKDF */
+#if defined(CONFIG_PSA_NEED_CRACEN_PBKDF2_HMAC)
 		struct {
 			uint64_t input_cost;
 			char password[SX_HASH_MAX_ENABLED_BLOCK_SIZE];
@@ -259,7 +261,8 @@ struct cracen_key_derivation_operation {
 			uint8_t uj[PSA_MAC_MAX_SIZE];
 			uint8_t tj[PSA_MAC_MAX_SIZE];
 		} pbkdf2;
-
+#endif /* CONFIG_PSA_NEED_CRACEN_PBKDF2_HMAC */
+#if defined(CONFIG_PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC)
 		struct {
 			uint8_t key_buffer[CRACEN_MAX_AES_KEY_SIZE];
 			struct sxkeyref keyref;
@@ -275,11 +278,13 @@ struct cracen_key_derivation_operation {
 			uint32_t L;
 			uint8_t K_0[SX_BLKCIPHER_AES_BLK_SZ];
 		} cmac_ctr;
-
+#endif /* CONFIG_PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC */
+#if defined(CONFIG_PSA_NEED_CRACEN_TLS12_ECJPAKE_TO_PMS)
 		struct {
 			uint8_t key[32];
 		} ecjpake_to_pms;
-
+#endif /* PSA_NEED_CRACEN_TLS12_ECJPAKE_TO_PMS */
+#if defined(CONFIG_PSA_NEED_CRACEN_TLS12_PRF) || defined(CONFIG_PSA_NEED_CRACEN_TLS12_PSK_TO_MS)
 		struct {
 			/* May contain secret, length of secret as uint16be, other secret
 			 * and other secret length as uint16be.
@@ -293,6 +298,7 @@ struct cracen_key_derivation_operation {
 			size_t counter;
 			uint8_t a[SX_HASH_MAX_ENABLED_BLOCK_SIZE];
 		} tls12;
+#endif /* CONFIG_PSA_NEED_CRACEN_TLS12_PRF || CONFIG_PSA_NEED_CRACEN_TLS12_PSK_TO_MS */
 	};
 };
 typedef struct cracen_key_derivation_operation cracen_key_derivation_operation_t;
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_derivation.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_derivation.c
index 8380d2f9749e..9b96c4411cb2 100644
--- a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_derivation.c
+++ b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_derivation.c
@@ -151,7 +151,7 @@ static psa_status_t cracen_ecdh_montgmr_calc_secret(const struct sx_pk_ecurve *c
 
 /**
  * \brief Initialize and set up the MAC operation that will be used to generate pseudo-random
- *        bytes for HDKF and PBKDF2.
+ *        bytes for HKDF and PBKDF2.
  *
  * \param[in, out] operation        Cracen key derivation operation object.
  * \param[in]      key_buffer       Key buffer or HKDF salt.
@@ -180,6 +180,7 @@ static psa_status_t start_mac_operation(cracen_key_derivation_operation_t *opera
 				     mac_alg);
 }
 
+#if defined(CONFIG_PSA_NEED_CRACEN_PBKDF2_HMAC)
 static size_t pbkdf2_prf_output_length(psa_algorithm_t alg)
 {
 	if (alg == PSA_ALG_PBKDF2_AES_CMAC_PRF_128) {
@@ -188,12 +189,14 @@ static size_t pbkdf2_prf_output_length(psa_algorithm_t alg)
 		return PSA_HASH_LENGTH(PSA_ALG_GET_HASH(alg));
 	}
 }
+#endif /* CONFIG_PSA_NEED_CRACEN_PBKDF2_HMAC */
 
 psa_status_t cracen_key_derivation_setup(cracen_key_derivation_operation_t *operation,
 					 psa_algorithm_t alg)
 {
 	operation->alg = alg;
 
+#if defined(CONFIG_PSA_NEED_CRACEN_HKDF)
 	if (IS_ENABLED(PSA_NEED_CRACEN_HKDF) && (PSA_ALG_IS_HKDF(operation->alg) ||
 	PSA_ALG_IS_HKDF_EXPAND(operation->alg))) {
 		size_t hash_size = PSA_HASH_LENGTH(PSA_ALG_HKDF_GET_HASH(alg));
@@ -222,7 +225,9 @@ psa_status_t cracen_key_derivation_setup(cracen_key_derivation_operation_t *oper
 
 		return PSA_SUCCESS;
 	}
+#endif /* CONFIG_PSA_NEED_CRACEN_HKDF */
 
+#if defined(CONFIG_PSA_NEED_CRACEN_PBKDF2_HMAC)
 	if (IS_ENABLED(PSA_NEED_CRACEN_PBKDF2_HMAC) && PSA_ALG_IS_PBKDF2(operation->alg)) {
 		size_t output_length = pbkdf2_prf_output_length(operation->alg);
 
@@ -234,7 +239,9 @@ psa_status_t cracen_key_derivation_setup(cracen_key_derivation_operation_t *oper
 		operation->state = CRACEN_KD_STATE_PBKDF2_INIT;
 		return PSA_SUCCESS;
 	}
+#endif /* CONFIG_PSA_NEED_CRACEN_PBKDF2_HMAC */
 
+#if defined(CONFIG_PSA_NEED_CRACEN_TLS12_ECJPAKE_TO_PMS)
 	if (IS_ENABLED(PSA_NEED_CRACEN_TLS12_ECJPAKE_TO_PMS)) {
 		if (operation->alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
 			operation->capacity = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE;
@@ -242,7 +249,9 @@ psa_status_t cracen_key_derivation_setup(cracen_key_derivation_operation_t *oper
 			return PSA_SUCCESS;
 		}
 	}
+#endif /* CONFIG_PSA_NEED_CRACEN_TLS12_ECJPAKE_TO_PMS */
 
+#if defined(CONFIG_PSA_NEED_CRACEN_TLS12_PRF) || defined(CONFIG_PSA_NEED_CRACEN_TLS12_PSK_TO_MS)
 	if (IS_ENABLED(PSA_NEED_CRACEN_TLS12_PRF) && PSA_ALG_IS_TLS12_PRF(operation->alg)) {
 		operation->state = CRACEN_KD_STATE_TLS12_PRF_INIT;
 		operation->capacity = UINT64_MAX;
@@ -255,6 +264,7 @@ psa_status_t cracen_key_derivation_setup(cracen_key_derivation_operation_t *oper
 		operation->capacity = UINT64_MAX;
 		return PSA_SUCCESS;
 	}
+#endif /* CONFIG_PSA_NEED_CRACEN_TLS12_PRF || CONFIG_PSA_NEED_CRACEN_TLS12_PSK_TO_MS */
 
 	if (IS_ENABLED(PSA_NEED_CRACEN_SRP_PASSWORD_HASH) && PSA_ALG_IS_SRP_PASSWORD_HASH(alg)) {
 		if (PSA_ALG_HKDF_GET_HASH(alg) != CRACEN_SRP_HASH_ALG) {
@@ -264,6 +274,7 @@ psa_status_t cracen_key_derivation_setup(cracen_key_derivation_operation_t *oper
 		return PSA_SUCCESS;
 	}
 
+#if defined(CONFIG_PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC)
 	if (operation->alg == PSA_ALG_SP800_108_COUNTER_CMAC) {
 		operation->capacity = PSA_ALG_SP800_108_COUNTER_CMAC_INIT_CAPACITY;
 		operation->state = CRACEN_KD_STATE_CMAC_CTR_INIT;
@@ -272,6 +283,7 @@ psa_status_t cracen_key_derivation_setup(cracen_key_derivation_operation_t *oper
 
 		return PSA_SUCCESS;
 	}
+#endif /* CONFIG_PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC */
 
 	return PSA_ERROR_NOT_SUPPORTED;
 }
@@ -291,6 +303,7 @@ psa_status_t cracen_key_derivation_set_capacity(cracen_key_derivation_operation_
 	return PSA_SUCCESS;
 }
 
+#if defined(CONFIG_PSA_NEED_CRACEN_HKDF)
 static psa_status_t
 cracen_key_derivation_input_bytes_hkdf(cracen_key_derivation_operation_t *operation,
 				       psa_key_derivation_step_t step, const uint8_t *data,
@@ -374,7 +387,9 @@ cracen_key_derivation_input_bytes_hkdf(cracen_key_derivation_operation_t *operat
 
 	return PSA_SUCCESS;
 }
+#endif /* CONFIG_PSA_NEED_CRACEN_HKDF */
 
+#if defined(CONFIG_PSA_NEED_CRACEN_PBKDF2_HMAC)
 static psa_status_t
 cracen_key_derivation_input_bytes_pbkdf2(cracen_key_derivation_operation_t *operation,
 					 psa_key_derivation_step_t step, const uint8_t *data,
@@ -445,7 +460,9 @@ cracen_key_derivation_input_bytes_pbkdf2(cracen_key_derivation_operation_t *oper
 
 	return PSA_SUCCESS;
 }
+#endif /* CONFIG_PSA_NEED_CRACEN_PBKDF2_HMAC */
 
+#if defined(CONFIG_PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC)
 static psa_status_t
 cracen_key_derivation_input_bytes_cmac_ctr(cracen_key_derivation_operation_t *operation,
 					   psa_key_derivation_step_t step, const uint8_t *data,
@@ -502,7 +519,9 @@ cracen_key_derivation_input_bytes_cmac_ctr(cracen_key_derivation_operation_t *op
 
 	return PSA_SUCCESS;
 }
+#endif /* CONFIG_PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC */
 
+#if defined(CONFIG_PSA_NEED_CRACEN_TLS12_PRF) || defined(CONFIG_PSA_NEED_CRACEN_TLS12_PSK_TO_MS)
 static psa_status_t
 cracen_key_derivation_input_bytes_tls12(cracen_key_derivation_operation_t *operation,
 					psa_key_derivation_step_t step, const uint8_t *data,
@@ -576,6 +595,7 @@ cracen_key_derivation_input_bytes_tls12(cracen_key_derivation_operation_t *opera
 	}
 	return PSA_SUCCESS;
 }
+#endif /* CONFIG_PSA_NEED_CRACEN_TLS12_PRF || CONFIG_PSA_NEED_CRACEN_TLS12_PSK_TO_MS */
 
 static psa_status_t
 cracen_key_derivation_input_bytes_srp(cracen_key_derivation_operation_t *operation,
@@ -641,6 +661,7 @@ psa_status_t cracen_key_derivation_input_bytes(cracen_key_derivation_operation_t
 					       psa_key_derivation_step_t step, const uint8_t *data,
 					       size_t data_length)
 {
+#if defined(CONFIG_PSA_NEED_CRACEN_HKDF)
 	if (IS_ENABLED(PSA_NEED_CRACEN_HKDF) && (PSA_ALG_IS_HKDF(operation->alg) ||
 	PSA_ALG_IS_HKDF_EXTRACT(operation->alg))) {
 		return cracen_key_derivation_input_bytes_hkdf(operation, step, data, data_length);
@@ -657,17 +678,23 @@ psa_status_t cracen_key_derivation_input_bytes(cracen_key_derivation_operation_t
 		}
 		return cracen_key_derivation_input_bytes_hkdf(operation, step, data, data_length);
 	}
+#endif /* CONFIG_PSA_NEED_CRACEN_HKDF */
 
+#if defined(CONFIG_PSA_NEED_CRACEN_PBKDF2_HMAC)
 	if (IS_ENABLED(PSA_NEED_CRACEN_PBKDF2_HMAC) && PSA_ALG_IS_PBKDF2(operation->alg)) {
 		return cracen_key_derivation_input_bytes_pbkdf2(operation, step, data, data_length);
 	}
+#endif /* CONFIG_PSA_NEED_CRACEN_PBKDF2_HMAC */
 
+#if defined(CONFIG_PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC)
 	if (IS_ENABLED(PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC) &&
 	    (operation->alg == PSA_ALG_SP800_108_COUNTER_CMAC)) {
 		return cracen_key_derivation_input_bytes_cmac_ctr(operation, step, data,
 								  data_length);
 	}
+#endif /* CONFIG_PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC */
 
+#if defined(CONFIG_PSA_NEED_CRACEN_TLS12_ECJPAKE_TO_PMS)
 	if (IS_ENABLED(PSA_NEED_CRACEN_TLS12_ECJPAKE_TO_PMS) &&
 	    operation->alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
 		if (operation->state != CRACEN_KD_STATE_TLS12_ECJPAKE_TO_PMS_INIT) {
@@ -682,7 +709,9 @@ psa_status_t cracen_key_derivation_input_bytes(cracen_key_derivation_operation_t
 		       sizeof(operation->ecjpake_to_pms.key));
 		return PSA_SUCCESS;
 	}
+#endif /* CONFIG_PSA_NEED_CRACEN_TLS12_ECJPAKE_TO_PMS */
 
+#if defined(CONFIG_PSA_NEED_CRACEN_TLS12_PRF) || defined(CONFIG_PSA_NEED_CRACEN_TLS12_PSK_TO_MS)
 	if (IS_ENABLED(PSA_NEED_CRACEN_TLS12_PRF) && PSA_ALG_IS_TLS12_PRF(operation->alg)) {
 		return cracen_key_derivation_input_bytes_tls12(operation, step, data, data_length);
 	}
@@ -691,6 +720,7 @@ psa_status_t cracen_key_derivation_input_bytes(cracen_key_derivation_operation_t
 	    PSA_ALG_IS_TLS12_PSK_TO_MS(operation->alg)) {
 		return cracen_key_derivation_input_bytes_tls12(operation, step, data, data_length);
 	}
+#endif /* CONFIG_PSA_NEED_CRACEN_TLS12_PRF || CONFIG_PSA_NEED_CRACEN_TLS12_PSK_TO_MS */
 
 	if (IS_ENABLED(PSA_NEED_CRACEN_SRP_PASSWORD_HASH) &&
 	    PSA_ALG_IS_SRP_PASSWORD_HASH(operation->alg)) {
@@ -705,13 +735,16 @@ psa_status_t cracen_key_derivation_input_key(cracen_key_derivation_operation_t *
 					     const psa_key_attributes_t *attributes,
 					     const uint8_t *key_buffer, size_t key_buffer_size)
 {
+#if defined(CONFIG_PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC)
 	psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+#endif /* CONFIG_PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC */
 
 	if (operation->alg != PSA_ALG_SP800_108_COUNTER_CMAC) {
 		return cracen_key_derivation_input_bytes(operation, step, key_buffer,
 							 key_buffer_size);
 	}
 
+#if defined(CONFIG_PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC)
 	if (psa_get_key_type(attributes) != PSA_KEY_TYPE_AES) {
 		return PSA_ERROR_NOT_SUPPORTED;
 	}
@@ -739,12 +772,15 @@ psa_status_t cracen_key_derivation_input_key(cracen_key_derivation_operation_t *
 
 	operation->state = CRACEN_KD_STATE_CMAC_CTR_KEY_LOADED;
 	return status;
+#else
+	return PSA_ERROR_INVALID_ARGUMENT;
+#endif /* CONFIG_PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC */
 }
 
 psa_status_t cracen_key_derivation_input_integer(cracen_key_derivation_operation_t *operation,
 						 psa_key_derivation_step_t step, uint64_t value)
 {
-
+#if defined(CONFIG_PSA_NEED_CRACEN_PBKDF2_HMAC)
 	if (IS_ENABLED(PSA_NEED_CRACEN_PBKDF2_HMAC)) {
 		if ((PSA_ALG_IS_PBKDF2(operation->alg)) && step == PSA_KEY_DERIVATION_INPUT_COST) {
 			if (operation->pbkdf2.input_cost) {
@@ -755,10 +791,12 @@ psa_status_t cracen_key_derivation_input_integer(cracen_key_derivation_operation
 			return PSA_SUCCESS;
 		}
 	}
+#endif /* CONFIG_PSA_NEED_CRACEN_PBKDF2_HMAC */
 
 	return PSA_ERROR_NOT_SUPPORTED;
 }
 
+#if defined(CONFIG_PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC)
 static int
 cracen_key_derivation_cmac_ctr_add_core_fixed_input(cracen_key_derivation_operation_t *operation,
 						    struct sxmac *cmac_ctx)
@@ -870,7 +908,9 @@ cracen_key_derivation_cmac_ctr_generate_block(cracen_key_derivation_operation_t
 	operation->cmac_ctr.counter++;
 	return PSA_SUCCESS;
 }
+#endif /* CONFIG_PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC */
 
+#if defined(CONFIG_PSA_NEED_CRACEN_HKDF)
 /**
  * \brief Generates the next block for HKDF.
  *
@@ -922,7 +962,9 @@ cracen_key_derivation_hkdf_generate_block(cracen_key_derivation_operation_t *ope
 
 	return PSA_SUCCESS;
 }
+#endif /* CONFIG_PSA_NEED_CRACEN_HKDF */
 
+#if defined(CONFIG_PSA_NEED_CRACEN_PBKDF2_HMAC)
 /**
  * \brief Generates the next block for PBKDF2.
  *
@@ -992,7 +1034,9 @@ cracen_key_derivation_pbkdf2_generate_block(cracen_key_derivation_operation_t *o
 
 	return PSA_SUCCESS;
 }
+#endif /* CONFIG_PSA_NEED_CRACEN_PBKDF2_HMAC */
 
+#if defined(CONFIG_PSA_NEED_CRACEN_TLS12_PRF) || defined(CONFIG_PSA_NEED_CRACEN_TLS12_PSK_TO_MS)
 static psa_status_t
 cracen_key_derivation_tls12_prf_generate_block(cracen_key_derivation_operation_t *operation)
 {
@@ -1072,6 +1116,7 @@ cracen_key_derivation_tls12_prf_generate_block(cracen_key_derivation_operation_t
 
 	return status;
 }
+#endif /* CONFIG_PSA_NEED_CRACEN_TLS12_PRF || CONFIG_PSA_NEED_CRACEN_TLS12_PSK_TO_MS */
 
 psa_status_t cracen_key_agreement(const psa_key_attributes_t *attributes, const uint8_t *priv_key,
 				  size_t priv_key_size, const uint8_t *publ_key,
@@ -1127,6 +1172,7 @@ psa_status_t cracen_key_derivation_output_bytes(cracen_key_derivation_operation_
 {
 	psa_status_t (*generator)(cracen_key_derivation_operation_t *) = NULL;
 
+#if defined(CONFIG_PSA_NEED_CRACEN_HKDF)
 	if (IS_ENABLED(PSA_NEED_CRACEN_HKDF) && (PSA_ALG_IS_HKDF(operation->alg) ||
 	PSA_ALG_IS_HKDF_EXPAND(operation->alg))) {
 		if (operation->state < CRACEN_KD_STATE_HKDF_KEYED || !operation->hkdf.info_set) {
@@ -1153,7 +1199,9 @@ psa_status_t cracen_key_derivation_output_bytes(cracen_key_derivation_operation_
 		memcpy(output, operation->hkdf.prk, prk_length);
 		return PSA_SUCCESS;
 	}
+#endif /* CONFIG_PSA_NEED_CRACEN_HKDF */
 
+#if defined(CONFIG_PSA_NEED_CRACEN_PBKDF2_HMAC)
 	if (IS_ENABLED(PSA_NEED_CRACEN_PBKDF2_HMAC) && PSA_ALG_IS_PBKDF2(operation->alg)) {
 		/* Salt, password and input cost must have been provided. */
 		if (!operation->pbkdf2.input_cost) {
@@ -1168,7 +1216,9 @@ psa_status_t cracen_key_derivation_output_bytes(cracen_key_derivation_operation_
 		operation->state = CRACEN_KD_STATE_PBKDF2_OUTPUT;
 		generator = cracen_key_derivation_pbkdf2_generate_block;
 	}
+#endif /* CONFIG_PSA_NEED_CRACEN_PBKDF2_HMAC */
 
+#if defined(CONFIG_PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC)
 	if (IS_ENABLED(PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC) &&
 	    (operation->alg == PSA_ALG_SP800_108_COUNTER_CMAC)) {
 		if (operation->state == CRACEN_KD_STATE_CMAC_CTR_KEY_LOADED ||
@@ -1189,7 +1239,9 @@ psa_status_t cracen_key_derivation_output_bytes(cracen_key_derivation_operation_
 			return PSA_ERROR_BAD_STATE;
 		}
 	}
+#endif /* CONFIG_PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC */
 
+#if defined(CONFIG_PSA_NEED_CRACEN_TLS12_ECJPAKE_TO_PMS)
 	if (IS_ENABLED(PSA_NEED_CRACEN_TLS12_ECJPAKE_TO_PMS) &&
 	    operation->alg == PSA_ALG_TLS12_ECJPAKE_TO_PMS) {
 		size_t outlen;
@@ -1204,7 +1256,9 @@ psa_status_t cracen_key_derivation_output_bytes(cracen_key_derivation_operation_
 		}
 		return PSA_SUCCESS;
 	}
+#endif /* CONFIG_PSA_NEED_CRACEN_TLS12_ECJPAKE_TO_PMS */
 
+#if defined(CONFIG_PSA_NEED_CRACEN_TLS12_PRF) || defined(CONFIG_PSA_NEED_CRACEN_TLS12_PSK_TO_MS)
 	if (IS_ENABLED(PSA_NEED_CRACEN_TLS12_PRF) && PSA_ALG_IS_TLS12_PRF(operation->alg)) {
 		operation->state = CRACEN_KD_STATE_TLS12_PRF_OUTPUT;
 		generator = cracen_key_derivation_tls12_prf_generate_block;
@@ -1215,6 +1269,7 @@ psa_status_t cracen_key_derivation_output_bytes(cracen_key_derivation_operation_
 		operation->state = CRACEN_KD_STATE_TLS12_PSK_TO_MS_OUTPUT;
 		generator = cracen_key_derivation_tls12_prf_generate_block;
 	}
+#endif /* CONFIG_PSA_NEED_CRACEN_TLS12_PRF || CONFIG_PSA_NEED_CRACEN_TLS12_PSK_TO_MS */
 
 	if (IS_ENABLED(PSA_NEED_CRACEN_SRP_PASSWORD_HASH) &&
 	    PSA_ALG_IS_SRP_PASSWORD_HASH(operation->alg)) {
diff --git a/subsys/nrf_security/src/drivers/cracen/psa_driver.Kconfig b/subsys/nrf_security/src/drivers/cracen/psa_driver.Kconfig
index 9b99d5b0c95f..62fd50e01b54 100644
--- a/subsys/nrf_security/src/drivers/cracen/psa_driver.Kconfig
+++ b/subsys/nrf_security/src/drivers/cracen/psa_driver.Kconfig
@@ -1858,7 +1858,9 @@ config PSA_NEED_CRACEN_KEY_DERIVATION_DRIVER
 		   PSA_NEED_CRACEN_TLS12_ECJPAKE_TO_PMS || \
 		   PSA_NEED_CRACEN_PBKDF2_HMAC		|| \
 		   PSA_NEED_CRACEN_SRP_PASSWORD_HASH    || \
-		   PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC
+		   PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC	|| \
+		   PSA_NEED_CRACEN_TLS12_PRF	|| \
+		   PSA_NEED_CRACEN_TLS12_PSK_TO_MS
 
 config PSA_NEED_CRACEN_KMU_DRIVER
 	bool