nrfconnect · Vge0rge · Sep 5, 2024 · Oct 2, 2025 · Oct 2, 2025 · Sep 23, 2025
diff --git a/doc/releases/release-notes-4.3.rst b/doc/releases/release-notes-4.3.rst
@@ -70,6 +70,11 @@ Deprecated APIs and options
 New APIs and options
 ====================
 
+* :kconfig:option:`CONFIG_PSA_CRYPTO` allows to automatically select a PSA Crypto API
+  provider based on the configuration. TF-M and Mbed TLS are the only options available
+  for now, but the user can select :kconfig:option:`CONFIG_PSA_CRYPTO_CUSTOM` to use
+  a custom solution.
+
 ..
   Link to new APIs here, in a group if you think it's necessary, no need to get
   fancy just list the link, that should contain the documentation. If you feel

diff --git a/drivers/bluetooth/hci/Kconfig b/drivers/bluetooth/hci/Kconfig
@@ -158,9 +158,7 @@ config BT_SILABS_EFR32
 	depends on ZEPHYR_HAL_SILABS_MODULE_BLOBS || BUILD_ONLY_NO_BLOBS
 	depends on !PM || SOC_GECKO_PM_BACKEND_PMGR
 	select SOC_GECKO_USE_RAIL
-	select MBEDTLS
-	select MBEDTLS_PSA_CRYPTO_C
-	select MBEDTLS_ENTROPY_C
+	select PSA_CRYPTO
 	select HAS_BT_CTLR
 	select BT_CTLR_PHY_UPDATE_SUPPORT
 	select BT_CTLR_PER_INIT_FEAT_XCHG_SUPPORT

diff --git a/drivers/bluetooth/hci/Kconfig.esp32 b/drivers/bluetooth/hci/Kconfig.esp32
@@ -492,7 +492,6 @@ config ESP32_BT_LE_CRYPTO_STACK_MBEDTLS
 	select MBEDTLS_ECP_DP_SECP256R1_ENABLED
 	select MBEDTLS_ECDH_C
 	select MBEDTLS_ENTROPY_C
-	select MBEDTLS_PSA_CRYPTO_C
 	help
 	  Use mbedTLS library for BLE cryptographic operations.
 

diff --git a/modules/hostap/Kconfig b/modules/hostap/Kconfig
@@ -204,7 +204,7 @@ endchoice
 
 config WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
 	bool "Crypto Platform Secure Architecture support for WiFi"
-	imply MBEDTLS_PSA_CRYPTO_C
+	select PSA_CRYPTO
 	select MBEDTLS_USE_PSA_CRYPTO
 	select PSA_WANT_ALG_ECDH
 	select PSA_WANT_ALG_HMAC

diff --git a/modules/mbedtls/Kconfig.psa.logic b/modules/mbedtls/Kconfig.psa.logic
@@ -1,8 +1,35 @@
 # Copyright (c) 2024 BayLibre SAS
 # SPDX-License-Identifier: Apache-2.0
 
-# This file extends Kconfig.psa (which is automatically generated) by adding
-# some logic between PSA_WANT symbols.
+config PSA_CRYPTO
+	bool "PSA Crypto API"
+	help
+	  Enable a PSA Crypto API provider in the build. If TF-M is enabled then
+	  it will be used for this scope, otherwise Mbed TLS will be used.
+
+choice PSA_CRYPTO_PROVIDER
+	prompt "PSA Crypto API provider"
+	depends on PSA_CRYPTO
+
+config PSA_CRYPTO_PROVIDER_TFM
+	bool "Use TF-M"
+	depends on BUILD_WITH_TFM
+	select TFM_PARTITION_CRYPTO
+
+config PSA_CRYPTO_PROVIDER_MBEDTLS
+	bool "Use Mbed TLS"
+	depends on !BUILD_WITH_TFM
+	select MBEDTLS
+	select MBEDTLS_PSA_CRYPTO_C
+
+config PSA_CRYPTO_PROVIDER_CUSTOM
+	bool "Use an out-of-tree library"
+	depends on !BUILD_WITH_TFM
+
+endchoice # PSA_CRYPTO_PROVIDER
+
+# The following section extends Kconfig.psa.auto (which is automatically
+# generated) by adding some logic between PSA_WANT symbols.
 
 config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC
 	bool

diff --git a/modules/openthread/Kconfig b/modules/openthread/Kconfig
@@ -320,7 +320,7 @@ config OPENTHREAD_MAC_SOFTWARE_CSMA_BACKOFF_ENABLE
 
 config OPENTHREAD_CRYPTO_PSA
 	bool "ARM PSA crypto API"
-	depends on MBEDTLS_PSA_CRYPTO_CLIENT
+	depends on PSA_CRYPTO_CLIENT
 	select OPENTHREAD_PLATFORM_KEY_REF if !OPENTHREAD_COPROCESSOR_RCP
 	imply OPENTHREAD_PLATFORM_KEYS_EXPORTABLE_ENABLE
 	help

diff --git a/modules/uoscore-uedhoc/Kconfig b/modules/uoscore-uedhoc/Kconfig
@@ -5,7 +5,6 @@ menuconfig UOSCORE
 	bool "UOSCORE library"
 	depends on ZCBOR
 	depends on ZCBOR_CANONICAL
-	depends on MBEDTLS
 	select UOSCORE_UEDHOC_CRYPTO_COMMON
 
 	help
@@ -22,7 +21,6 @@ menuconfig UEDHOC
 	bool "UEDHOC library"
 	depends on ZCBOR
 	depends on ZCBOR_CANONICAL
-	depends on MBEDTLS
 	select UOSCORE_UEDHOC_CRYPTO_COMMON
 	help
 	  This option enables the UEDHOC library.
@@ -38,7 +36,7 @@ if UOSCORE || UEDHOC
 
 config UOSCORE_UEDHOC_CRYPTO_COMMON
 	bool
-	imply MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_ALG_ECDH
 	select PSA_WANT_ALG_ECDSA
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT

diff --git a/samples/net/sockets/http_server/Kconfig b/samples/net/sockets/http_server/Kconfig
@@ -17,7 +17,7 @@ config NET_SAMPLE_HTTP_SERVER_SERVICE_PORT
 config NET_SAMPLE_HTTPS_SERVICE
 	bool "Enable https service"
 	depends on NET_SOCKETS_SOCKOPT_TLS || TLS_CREDENTIALS
-	imply MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 
 if NET_SAMPLE_HTTPS_SERVICE
 

diff --git a/samples/subsys/mgmt/updatehub/overlay-psa.conf b/samples/subsys/mgmt/updatehub/overlay-psa.conf
@@ -1,3 +1,2 @@
 CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA=y
-CONFIG_MBEDTLS=y
-CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_PSA_CRYPTO=y
diff --git a/subsys/bluetooth/crypto/Kconfig b/subsys/bluetooth/crypto/Kconfig
@@ -3,8 +3,7 @@
 
 config BT_CRYPTO
 	bool
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_KEY_TYPE_AES
 	select PSA_WANT_ALG_CMAC
 	select PSA_WANT_ALG_ECB_NO_PADDING

diff --git a/subsys/bluetooth/host/Kconfig b/subsys/bluetooth/host/Kconfig
@@ -200,8 +200,7 @@ config BT_BUF_EVT_DISCARDABLE_COUNT
 config BT_HOST_CRYPTO
 	bool "Use crypto functionality implemented in the Bluetooth host"
 	default y if !BT_CTLR_CRYPTO
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_KEY_TYPE_AES
 	select PSA_WANT_ALG_ECB_NO_PADDING
 	help
@@ -1041,8 +1040,7 @@ endif # BT_DF
 
 config BT_ECC
 	bool
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_ALG_ECDH
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT

diff --git a/subsys/bluetooth/mesh/Kconfig b/subsys/bluetooth/mesh/Kconfig
@@ -1511,8 +1511,7 @@ choice BT_MESH_CRYPTO_LIB
 
 config BT_MESH_USES_MBEDTLS_PSA
 	bool "mbed TLS PSA"
-	select MBEDTLS
-	select MBEDTLS_PSA_CRYPTO_C
+	select PSA_CRYPTO
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE

diff --git a/subsys/jwt/Kconfig b/subsys/jwt/Kconfig
@@ -28,17 +28,15 @@ config JWT_SIGN_RSA_LEGACY
 
 config JWT_SIGN_RSA_PSA
 	bool "Use RSA signature (RS-256). Use PSA Crypto API."
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
 	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
 	select PSA_WANT_ALG_RSA_PKCS1V15_SIGN
 	select PSA_WANT_ALG_SHA_256
 
 config JWT_SIGN_ECDSA_PSA
 	bool "Use ECDSA signature (ES-256). Use PSA Crypto API."
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
 	select PSA_WANT_ALG_ECDSA
 	select PSA_WANT_ECC_SECP_R1_256

diff --git a/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf b/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf
@@ -1,3 +1,2 @@
-CONFIG_MBEDTLS=y
-CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_PSA_CRYPTO=y
 CONFIG_PSA_CRYPTO_ENABLE_ALL=y
diff --git a/tests/bsim/bluetooth/ll/conn/psa_overlay.conf b/tests/bsim/bluetooth/ll/conn/psa_overlay.conf
@@ -1,3 +1,2 @@
-CONFIG_MBEDTLS=y
-CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_PSA_CRYPTO=y
 CONFIG_PSA_CRYPTO_ENABLE_ALL=y