[nrf fromlist] modules: mbedtls: add new helper Kconfig symbol PSA_CRYPTO

The goal of new Kconfig PSA_CRYPTO_PROVIDER is to automatically enable
any of the PSA Crypto API provider available for the platform without
having the user to manually pick the proper one. This provider can be
either TF-M, if that's enabled in the build, or Mbed TLS otherwise.

PSA_CRYPTO_PROVIDER simplifies also modules/subsystem Kconfigs removing
blocks as:
	select MBEDTLS if !BUILD_WITH_TFM
	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM

Kconfig PSA_CRYPTO_PROVIDER_CUSTOM is also added to allow the end user
to add a custom implementation of PSA Crypto API instead of TF-M or
Mbed TLS ones.

Upstream PR: 96415

Signed-off-by: Valerio Setti <[email protected]>

Author: valeriosetti

doc/releases/release-notes-4.3.rst

@@ -70,6 +70,11 @@ Deprecated APIs and options
 New APIs and options
 ====================
 
+* :kconfig:option:`CONFIG_PSA_CRYPTO` allows to automatically select a PSA Crypto API
+  provider based on the configuration. TF-M and Mbed TLS are the only options available
+  for now, but the user can select :kconfig:option:`CONFIG_PSA_CRYPTO_CUSTOM` to use
+  a custom solution.
+
 ..
   Link to new APIs here, in a group if you think it's necessary, no need to get
   fancy just list the link, that should contain the documentation. If you feel

drivers/bluetooth/hci/Kconfig

@@ -158,8 +158,7 @@ config BT_SILABS_EFR32
 	depends on ZEPHYR_HAL_SILABS_MODULE_BLOBS || BUILD_ONLY_NO_BLOBS
 	depends on !PM || SOC_GECKO_PM_BACKEND_PMGR
 	select SOC_GECKO_USE_RAIL
-	select MBEDTLS
-	select MBEDTLS_PSA_CRYPTO_C
+	select PSA_CRYPTO
 	select HAS_BT_CTLR
 	select BT_CTLR_PHY_UPDATE_SUPPORT
 	select BT_CTLR_PER_INIT_FEAT_XCHG_SUPPORT

modules/hostap/Kconfig

@@ -204,7 +204,7 @@ endchoice
 
 config WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
 	bool "Crypto Platform Secure Architecture support for WiFi"
-	imply MBEDTLS_PSA_CRYPTO_C
+	select PSA_CRYPTO
 	select MBEDTLS_USE_PSA_CRYPTO
 	select PSA_WANT_ALG_ECDH
 	select PSA_WANT_ALG_HMAC

modules/mbedtls/Kconfig.psa.logic

@@ -1,8 +1,35 @@
 # Copyright (c) 2024 BayLibre SAS
 # SPDX-License-Identifier: Apache-2.0
 
-# This file extends Kconfig.psa (which is automatically generated) by adding
-# some logic between PSA_WANT symbols.
+config PSA_CRYPTO
+	bool "PSA Crypto API"
+	help
+	  Enable a PSA Crypto API provider in the build. If TF-M is enabled then
+	  it will be used for this scope, otherwise Mbed TLS will be used.
+
+choice PSA_CRYPTO_PROVIDER
+	prompt "PSA Crypto API provider"
+	depends on PSA_CRYPTO
+
+config PSA_CRYPTO_PROVIDER_TFM
+	bool "Use TF-M"
+	depends on BUILD_WITH_TFM
+	select TFM_PARTITION_CRYPTO
+
+config PSA_CRYPTO_PROVIDER_MBEDTLS
+	bool "Use Mbed TLS"
+	depends on !BUILD_WITH_TFM
+	select MBEDTLS
+	select MBEDTLS_PSA_CRYPTO_C
+
+config PSA_CRYPTO_PROVIDER_CUSTOM
+	bool "Use an out-of-tree library"
+	depends on !BUILD_WITH_TFM
+
+endchoice # PSA_CRYPTO_PROVIDER
+
+# The following section extends Kconfig.psa.auto (which is automatically
+# generated) by adding some logic between PSA_WANT symbols.
 
 config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC
 	bool

modules/uoscore-uedhoc/Kconfig

@@ -5,7 +5,6 @@ menuconfig UOSCORE
 	bool "UOSCORE library"
 	depends on ZCBOR
 	depends on ZCBOR_CANONICAL
-	depends on MBEDTLS
 	select UOSCORE_UEDHOC_CRYPTO_COMMON
 
 	help
@@ -22,7 +21,6 @@ menuconfig UEDHOC
 	bool "UEDHOC library"
 	depends on ZCBOR
 	depends on ZCBOR_CANONICAL
-	depends on MBEDTLS
 	select UOSCORE_UEDHOC_CRYPTO_COMMON
 	help
 	  This option enables the UEDHOC library.
@@ -38,7 +36,7 @@ if UOSCORE || UEDHOC
 
 config UOSCORE_UEDHOC_CRYPTO_COMMON
 	bool
-	imply MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_ALG_ECDH
 	select PSA_WANT_ALG_ECDSA
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT

samples/net/sockets/http_server/Kconfig

@@ -17,7 +17,7 @@ config NET_SAMPLE_HTTP_SERVER_SERVICE_PORT
 config NET_SAMPLE_HTTPS_SERVICE
 	bool "Enable https service"
 	depends on NET_SOCKETS_SOCKOPT_TLS || TLS_CREDENTIALS
-	imply MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 
 if NET_SAMPLE_HTTPS_SERVICE
 

samples/subsys/mgmt/updatehub/overlay-psa.conf

@@ -1,3 +1,2 @@
 CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA=y
-CONFIG_MBEDTLS=y
-CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_PSA_CRYPTO=y

subsys/bluetooth/crypto/Kconfig

@@ -3,8 +3,7 @@
 
 config BT_CRYPTO
 	bool
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_KEY_TYPE_AES
 	select PSA_WANT_ALG_CMAC
 	select PSA_WANT_ALG_ECB_NO_PADDING

subsys/bluetooth/host/Kconfig

@@ -200,8 +200,7 @@ config BT_BUF_EVT_DISCARDABLE_COUNT
 config BT_HOST_CRYPTO
 	bool "Use crypto functionality implemented in the Bluetooth host"
 	default y if !BT_CTLR_CRYPTO
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_KEY_TYPE_AES
 	select PSA_WANT_ALG_ECB_NO_PADDING
 	help
@@ -1041,8 +1040,7 @@ endif # BT_DF
 
 config BT_ECC
 	bool
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_ALG_ECDH
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT

subsys/bluetooth/mesh/Kconfig

@@ -1516,8 +1516,7 @@ choice BT_MESH_CRYPTO_LIB
 
 config BT_MESH_USES_MBEDTLS_PSA
 	bool "mbed TLS PSA"
-	select MBEDTLS
-	select MBEDTLS_PSA_CRYPTO_C
+	select PSA_CRYPTO
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE