nrfconnect · Vge0rge · Sep 5, 2024 · Oct 2, 2025 · Oct 2, 2025 · Sep 23, 2025
diff --git a/boards/nordic/nrf54h20dk/nrf54h20dk_nrf54h20_cpuapp.dts b/boards/nordic/nrf54h20dk/nrf54h20dk_nrf54h20_cpuapp.dts
@@ -27,7 +27,7 @@
 		zephyr,bt-hci = &bt_hci_ipc0;
 		nordic,802154-spinel-ipc = &ipc0;
 		zephyr,canbus = &can120;
-		zephyr,entropy = &prng;
+		zephyr,entropy = &psa_rng;
 	};
 
 	aliases {
@@ -111,6 +111,11 @@
 
 	prng: prng {
 		compatible = "nordic,entropy-prng";
+		status = "disabled";
+	};
+
+	psa_rng: psa-rng {
+		compatible = "zephyr,psa-crypto-rng";
 		status = "okay";
 	};
 };

diff --git a/boards/nordic/nrf54h20dk/nrf54h20dk_nrf54h20_cpurad.dts b/boards/nordic/nrf54h20dk/nrf54h20dk_nrf54h20_cpurad.dts
@@ -28,17 +28,23 @@
 		zephyr,ieee802154 = &cpurad_ieee802154;
 		zephyr,bt-hci-ipc = &ipc0;
 		nordic,802154-spinel-ipc = &ipc0;
-		zephyr,entropy = &prng;
-	};
-	prng: prng {
-		compatible = "nordic,entropy-prng";
-		status = "okay";
+		zephyr,entropy = &psa_rng;
 	};
 
 	aliases {
 		ipc-to-cpusys = &cpurad_cpusys_ipc;
 		resetinfo = &cpurad_resetinfo;
 	};
+
+	prng: prng {
+		compatible = "nordic,entropy-prng";
+		status = "disabled";
+	};
+
+	psa_rng: psa-rng {
+		compatible = "zephyr,psa-crypto-rng";
+		status = "okay";
+	};
 };
 
 &cpurad_bellboard {

diff --git a/doc/releases/release-notes-4.3.rst b/doc/releases/release-notes-4.3.rst
@@ -70,6 +70,11 @@ Deprecated APIs and options
 New APIs and options
 ====================
 
+* :kconfig:option:`CONFIG_PSA_CRYPTO` allows to automatically select a PSA Crypto API
+  provider based on the configuration. TF-M and Mbed TLS are the only options available
+  for now, but the user can select :kconfig:option:`CONFIG_PSA_CRYPTO_CUSTOM` to use
+  a custom solution.
+
 ..
   Link to new APIs here, in a group if you think it's necessary, no need to get
   fancy just list the link, that should contain the documentation. If you feel

diff --git a/drivers/bluetooth/hci/Kconfig b/drivers/bluetooth/hci/Kconfig
@@ -158,9 +158,7 @@ config BT_SILABS_EFR32
 	depends on ZEPHYR_HAL_SILABS_MODULE_BLOBS || BUILD_ONLY_NO_BLOBS
 	depends on !PM || SOC_GECKO_PM_BACKEND_PMGR
 	select SOC_GECKO_USE_RAIL
-	select MBEDTLS
-	select MBEDTLS_PSA_CRYPTO_C
-	select MBEDTLS_ENTROPY_C
+	select PSA_CRYPTO
 	select HAS_BT_CTLR
 	select BT_CTLR_PHY_UPDATE_SUPPORT
 	select BT_CTLR_PER_INIT_FEAT_XCHG_SUPPORT

diff --git a/drivers/bluetooth/hci/Kconfig.esp32 b/drivers/bluetooth/hci/Kconfig.esp32
@@ -492,7 +492,6 @@ config ESP32_BT_LE_CRYPTO_STACK_MBEDTLS
 	select MBEDTLS_ECP_DP_SECP256R1_ENABLED
 	select MBEDTLS_ECDH_C
 	select MBEDTLS_ENTROPY_C
-	select MBEDTLS_PSA_CRYPTO_C
 	help
 	  Use mbedTLS library for BLE cryptographic operations.
 

diff --git a/modules/hostap/Kconfig b/modules/hostap/Kconfig
@@ -204,7 +204,7 @@ endchoice
 
 config WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
 	bool "Crypto Platform Secure Architecture support for WiFi"
-	imply MBEDTLS_PSA_CRYPTO_C
+	select PSA_CRYPTO
 	select MBEDTLS_USE_PSA_CRYPTO
 	select PSA_WANT_ALG_ECDH
 	select PSA_WANT_ALG_HMAC

diff --git a/modules/mbedtls/Kconfig.psa.logic b/modules/mbedtls/Kconfig.psa.logic
@@ -1,8 +1,35 @@
 # Copyright (c) 2024 BayLibre SAS
 # SPDX-License-Identifier: Apache-2.0
 
-# This file extends Kconfig.psa (which is automatically generated) by adding
-# some logic between PSA_WANT symbols.
+config PSA_CRYPTO
+	bool "PSA Crypto API"
+	help
+	  Enable a PSA Crypto API provider in the build. If TF-M is enabled then
+	  it will be used for this scope, otherwise Mbed TLS will be used.
+
+choice PSA_CRYPTO_PROVIDER
+	prompt "PSA Crypto API provider"
+	depends on PSA_CRYPTO
+
+config PSA_CRYPTO_PROVIDER_TFM
+	bool "Use TF-M"
+	depends on BUILD_WITH_TFM
+	select TFM_PARTITION_CRYPTO
+
+config PSA_CRYPTO_PROVIDER_MBEDTLS
+	bool "Use Mbed TLS"
+	depends on !BUILD_WITH_TFM
+	select MBEDTLS
+	select MBEDTLS_PSA_CRYPTO_C
+
+config PSA_CRYPTO_PROVIDER_CUSTOM
+	bool "Use an out-of-tree library"
+	depends on !BUILD_WITH_TFM
+
+endchoice # PSA_CRYPTO_PROVIDER
+
+# The following section extends Kconfig.psa.auto (which is automatically
+# generated) by adding some logic between PSA_WANT symbols.
 
 config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC
 	bool

diff --git a/modules/openthread/Kconfig b/modules/openthread/Kconfig
@@ -320,7 +320,7 @@ config OPENTHREAD_MAC_SOFTWARE_CSMA_BACKOFF_ENABLE
 
 config OPENTHREAD_CRYPTO_PSA
 	bool "ARM PSA crypto API"
-	depends on MBEDTLS_PSA_CRYPTO_CLIENT
+	depends on PSA_CRYPTO_CLIENT
 	select OPENTHREAD_PLATFORM_KEY_REF if !OPENTHREAD_COPROCESSOR_RCP
 	imply OPENTHREAD_PLATFORM_KEYS_EXPORTABLE_ENABLE
 	help

diff --git a/modules/uoscore-uedhoc/Kconfig b/modules/uoscore-uedhoc/Kconfig
@@ -5,7 +5,6 @@ menuconfig UOSCORE
 	bool "UOSCORE library"
 	depends on ZCBOR
 	depends on ZCBOR_CANONICAL
-	depends on MBEDTLS
 	select UOSCORE_UEDHOC_CRYPTO_COMMON
 
 	help
@@ -22,7 +21,6 @@ menuconfig UEDHOC
 	bool "UEDHOC library"
 	depends on ZCBOR
 	depends on ZCBOR_CANONICAL
-	depends on MBEDTLS
 	select UOSCORE_UEDHOC_CRYPTO_COMMON
 	help
 	  This option enables the UEDHOC library.
@@ -38,7 +36,7 @@ if UOSCORE || UEDHOC
 
 config UOSCORE_UEDHOC_CRYPTO_COMMON
 	bool
-	imply MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_ALG_ECDH
 	select PSA_WANT_ALG_ECDSA
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT

diff --git a/samples/net/sockets/http_server/Kconfig b/samples/net/sockets/http_server/Kconfig
@@ -17,7 +17,7 @@ config NET_SAMPLE_HTTP_SERVER_SERVICE_PORT
 config NET_SAMPLE_HTTPS_SERVICE
 	bool "Enable https service"
 	depends on NET_SOCKETS_SOCKOPT_TLS || TLS_CREDENTIALS
-	imply MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 
 if NET_SAMPLE_HTTPS_SERVICE
 

diff --git a/samples/subsys/mgmt/updatehub/overlay-psa.conf b/samples/subsys/mgmt/updatehub/overlay-psa.conf
@@ -1,3 +1,2 @@
 CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA=y
-CONFIG_MBEDTLS=y
-CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_PSA_CRYPTO=y
diff --git a/subsys/bluetooth/crypto/Kconfig b/subsys/bluetooth/crypto/Kconfig
@@ -3,8 +3,7 @@
 
 config BT_CRYPTO
 	bool
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_KEY_TYPE_AES
 	select PSA_WANT_ALG_CMAC
 	select PSA_WANT_ALG_ECB_NO_PADDING

diff --git a/subsys/bluetooth/host/Kconfig b/subsys/bluetooth/host/Kconfig
@@ -200,8 +200,7 @@ config BT_BUF_EVT_DISCARDABLE_COUNT
 config BT_HOST_CRYPTO
 	bool "Use crypto functionality implemented in the Bluetooth host"
 	default y if !BT_CTLR_CRYPTO
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_KEY_TYPE_AES
 	select PSA_WANT_ALG_ECB_NO_PADDING
 	help
@@ -1041,8 +1040,7 @@ endif # BT_DF
 
 config BT_ECC
 	bool
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_ALG_ECDH
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT

diff --git a/subsys/bluetooth/mesh/Kconfig b/subsys/bluetooth/mesh/Kconfig
@@ -1511,8 +1511,7 @@ choice BT_MESH_CRYPTO_LIB
 
 config BT_MESH_USES_MBEDTLS_PSA
 	bool "mbed TLS PSA"
-	select MBEDTLS
-	select MBEDTLS_PSA_CRYPTO_C
+	select PSA_CRYPTO
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE

diff --git a/subsys/jwt/Kconfig b/subsys/jwt/Kconfig
@@ -28,17 +28,15 @@ config JWT_SIGN_RSA_LEGACY
 
 config JWT_SIGN_RSA_PSA
 	bool "Use RSA signature (RS-256). Use PSA Crypto API."
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
 	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
 	select PSA_WANT_ALG_RSA_PKCS1V15_SIGN
 	select PSA_WANT_ALG_SHA_256
 
 config JWT_SIGN_ECDSA_PSA
 	bool "Use ECDSA signature (ES-256). Use PSA Crypto API."
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
 	select PSA_WANT_ALG_ECDSA
 	select PSA_WANT_ECC_SECP_R1_256

diff --git a/subsys/secure_storage/Kconfig b/subsys/secure_storage/Kconfig
@@ -4,6 +4,7 @@
 menuconfig SECURE_STORAGE
 	bool "Secure storage subsystem"
 	depends on !BUILD_WITH_TFM
+	depends on !NRF_IRONSIDE
 	select MBEDTLS_PSA_CRYPTO_STORAGE_C if MBEDTLS_PSA_CRYPTO_C
 	select EXPERIMENTAL
 	help

diff --git a/tests/arch/arm/arm_irq_vector_table/boards/nrf54h20dk_nrf54h20_cpuapp.conf b/tests/arch/arm/arm_irq_vector_table/boards/nrf54h20dk_nrf54h20_cpuapp.conf
@@ -2,4 +2,3 @@
 # SPDX-License-Identifier: Apache-2.0
 
 CONFIG_POWER_DOMAIN=n
-CONFIG_SSF_CLIENT_SYS_INIT=n
diff --git a/tests/arch/arm/arm_irq_vector_table/boards/nrf54h20dk_nrf54h20_cpurad.conf b/tests/arch/arm/arm_irq_vector_table/boards/nrf54h20dk_nrf54h20_cpurad.conf
@@ -2,4 +2,3 @@
 # SPDX-License-Identifier: Apache-2.0
 
 CONFIG_POWER_DOMAIN=n
-CONFIG_SSF_CLIENT_SYS_INIT=n
diff --git a/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf b/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf
@@ -1,3 +1,2 @@
-CONFIG_MBEDTLS=y
-CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_PSA_CRYPTO=y
 CONFIG_PSA_CRYPTO_ENABLE_ALL=y
diff --git a/tests/bsim/bluetooth/ll/conn/psa_overlay.conf b/tests/bsim/bluetooth/ll/conn/psa_overlay.conf
@@ -1,3 +1,2 @@
-CONFIG_MBEDTLS=y
-CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_PSA_CRYPTO=y
 CONFIG_PSA_CRYPTO_ENABLE_ALL=y
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2,4 +2,3 @@
		# SPDX-License-Identifier: Apache-2.0

		CONFIG_POWER_DOMAIN=n
		CONFIG_SSF_CLIENT_SYS_INIT=n