mbedtls: add Kconfig to select the number of key slot in PSA Crypto core

Adding new CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT to select the number
of key slots in PSA Crypto core. The default value is 16. Be aware
that key slots consume RAM memory even if unused, so the proper value
should be a compromise between the number of slots required by
the application and the available RAM in the system.

This commit also:
- updates tests/crypto/secp256r1/mbedtls.conf to showcase how to
  use this new symbol to reduce RAM footprint.
- tests/bsim/bluetooth/mesh/overlay_psa.conf to support all the
  keys used in the test.

Signed-off-by: Valerio Setti <[email protected]>

Author: valeriosetti

doc/releases/migration-guide-4.1.rst

@@ -36,6 +36,14 @@ Mbed TLS
   :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_LEGACY_RNG`. This helps in reducing
   ROM/RAM footprint of the Mbed TLS library.
 
+* The newly-added Kconfig option :kconfig:option:`CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT`
+  allows to specify the number of key slots available in the PSA Crypto core.
+  Previously this value was not explicitly set, so Mbed TLS's default value of
+  32 was used. The new Kconfig option defaults to 16 instead in order to find
+  a reasonable compromise between RAM consumption and most common use cases.
+  It can be further trimmed down to reduce RAM consumption if the final
+  application doesn't need that many key slots simultaneously.
+
 Trusted Firmware-M
 ==================
 

doc/releases/release-notes-4.1.rst

@@ -273,6 +273,12 @@ Libraries / Subsystems
     (or remove, if no other component makes use of it) heap memory requirements
     from the final application.
 
+  * The Kconfig symbol :kconfig:option:`CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT` was
+    added to allow selecting the number of key slots available in the Mbed TLS
+    implementation of the PSA Crypto core. It defaults to 16. Since each
+    slot consumes RAM memory even if unused, this value can be tweaked in order
+    to minimize RAM usage.
+
 * CMSIS-NN
 
 * FPGA

modules/mbedtls/Kconfig.tls-generic

@@ -585,6 +585,19 @@ config MBEDTLS_PSA_STATIC_KEY_SLOTS
 	  contain the largest asymmetric/symmetric key type enabled in the build
 	  through PSA_WANT symbols.
 
+config MBEDTLS_PSA_KEY_SLOT_COUNT
+	int "Number of key slots in PSA Crypto core"
+	default 16
+	help
+	  Set the number of key slots that are available in the PSA Crypto core.
+	  Be aware that each slot, even if unused, increases RAM consumption
+	  by ~40 bytes plus:
+	  * the length of the largest asymmetric/symmetric key type enabled in
+	    the build through PSA_WANT symbols, if MBEDTLS_PSA_STATIC_KEY_SLOTS
+	    is set. (This is all defined statically at build time).
+	  * the heap-allocated memory to store the key material of a given slot,
+	    if it is used and MBEDTLS_PSA_STATIC_KEY_SLOTS is not set.
+
 endif # MBEDTLS_PSA_CRYPTO_C
 
 config MBEDTLS_SSL_DTLS_CONNECTION_ID

modules/mbedtls/configs/config-tls-generic.h

@@ -483,7 +483,6 @@
 #endif
 
 #if defined(CONFIG_ARCH_POSIX) && !defined(CONFIG_PICOLIBC)
-#define MBEDTLS_PSA_KEY_SLOT_COUNT 64 /* for BLE Mesh tests */
 #define MBEDTLS_PSA_ITS_FILE_C
 #define MBEDTLS_FS_IO
 #endif
@@ -498,6 +497,10 @@
 #define MBEDTLS_PSA_STATIC_KEY_SLOTS
 #endif
 
+#if defined(CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT)
+#define MBEDTLS_PSA_KEY_SLOT_COUNT CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT
+#endif
+
 #if defined(CONFIG_MBEDTLS_USE_PSA_CRYPTO)
 #define MBEDTLS_USE_PSA_CRYPTO
 #endif

tests/bsim/bluetooth/mesh/overlay_psa.conf

@@ -1,5 +1,8 @@
 # Enable PSA as a crypto backend in host
 CONFIG_BT_USE_PSA_API=y
 
+# Increase the number of key slots in PSA Crypto core
+CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT=64
+
 # Enable mbedTLS PSA as a crypto backend
 CONFIG_BT_MESH_USES_MBEDTLS_PSA=y

tests/crypto/secp256r1/mbedtls.conf

@@ -2,6 +2,7 @@ CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y
 CONFIG_MBEDTLS_PSA_P256M_DRIVER_ENABLED=y
 CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOTS=y
+CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT=2
 
 CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
 CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y