diff --git a/doc/releases/migration-guide-4.3.rst b/doc/releases/migration-guide-4.3.rst index 757041e1b2a13..2f4b2e7a5d03c 100644 --- a/doc/releases/migration-guide-4.3.rst +++ b/doc/releases/migration-guide-4.3.rst @@ -180,6 +180,13 @@ Bluetooth HCI * The deprecated ``ipm`` value was removed from ``bt-hci-bus`` devicetree property. ``ipc`` should be used instead. +Bluetooth Mesh +============== + +* Kconfigs ``CONFIG_BT_MESH_USES_MBEDTLS_PSA`` and ``CONFIG_BT_MESH_USES_TFM_PSA`` have + been removed. The selection of the PSA Crypto provider is now automatically controlled + by Kconfig :kconfig:option:`CONFIG_PSA_CRYPTO`. + Ethernet ======== diff --git a/doc/releases/release-notes-4.3.rst b/doc/releases/release-notes-4.3.rst index c4d94c0f75bae..a7c0daf6fc96c 100644 --- a/doc/releases/release-notes-4.3.rst +++ b/doc/releases/release-notes-4.3.rst @@ -345,6 +345,15 @@ Libraries / Subsystems via :kconfig:option:`CONFIG_LOG_RATELIMIT_FALLBACK` to either log all messages or drop them completely. For more details, see :ref:`logging_ratelimited`. +* Mbed TLS + + * Kconfig :kconfig:option:`CONFIG_PSA_CRYPTO` is added to simplify the enablement of a PSA + Crypto API provider. This is TF-M if :kconfig:option:`CONFIG_BUILD_WITH_TFM` is enabled, + or Mbed TLS otherwise. :kconfig:option:`CONFIG_PSA_CRYPTO_PROVIDER_TFM` is set in the former + case while :kconfig:option:`CONFIG_PSA_CRYPTO_PROVIDER_MBEDTLS` is set in the latter. + :kconfig:option:`CONFIG_PSA_CRYPTO_PROVIDER_CUSTOM` is also added to allow end users to + provide a custom solution. + * Secure storage * The experimental status has been removed. (:github:`96483`) diff --git a/drivers/bluetooth/hci/Kconfig b/drivers/bluetooth/hci/Kconfig index d62c3bb0b18e1..cb921c4553cf1 100644 --- a/drivers/bluetooth/hci/Kconfig +++ b/drivers/bluetooth/hci/Kconfig @@ -158,9 +158,7 @@ config BT_SILABS_EFR32 depends on ZEPHYR_HAL_SILABS_MODULE_BLOBS || BUILD_ONLY_NO_BLOBS depends on !PM || SOC_GECKO_PM_BACKEND_PMGR select SOC_GECKO_USE_RAIL - select MBEDTLS - select MBEDTLS_PSA_CRYPTO_C - select MBEDTLS_ENTROPY_C + select PSA_CRYPTO select HAS_BT_CTLR select BT_CTLR_PHY_UPDATE_SUPPORT select BT_CTLR_PER_INIT_FEAT_XCHG_SUPPORT diff --git a/drivers/bluetooth/hci/Kconfig.esp32 b/drivers/bluetooth/hci/Kconfig.esp32 index 63031d45ddaea..025c7b5ed519c 100644 --- a/drivers/bluetooth/hci/Kconfig.esp32 +++ b/drivers/bluetooth/hci/Kconfig.esp32 @@ -493,7 +493,6 @@ config ESP32_BT_LE_CRYPTO_STACK_MBEDTLS select MBEDTLS_ECP_DP_SECP256R1_ENABLED select MBEDTLS_ECDH_C select MBEDTLS_ENTROPY_C - select MBEDTLS_PSA_CRYPTO_C help Use mbedTLS library for BLE cryptographic operations. diff --git a/modules/hostap/Kconfig b/modules/hostap/Kconfig index b29f76079e27c..df4cba7ba031e 100644 --- a/modules/hostap/Kconfig +++ b/modules/hostap/Kconfig @@ -207,7 +207,7 @@ endchoice config WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA bool "Crypto Platform Secure Architecture support for WiFi" - imply MBEDTLS_PSA_CRYPTO_C + select PSA_CRYPTO select MBEDTLS_USE_PSA_CRYPTO select PSA_WANT_ALG_ECDH select PSA_WANT_ALG_HMAC diff --git a/modules/mbedtls/Kconfig.psa.logic b/modules/mbedtls/Kconfig.psa.logic index dcea9e3540527..972054e105b0f 100644 --- a/modules/mbedtls/Kconfig.psa.logic +++ b/modules/mbedtls/Kconfig.psa.logic @@ -1,8 +1,37 @@ # Copyright (c) 2024 BayLibre SAS # SPDX-License-Identifier: Apache-2.0 -# This file extends Kconfig.psa (which is automatically generated) by adding -# some logic between PSA_WANT symbols. +config PSA_CRYPTO + bool "PSA Crypto API" + help + Enable a PSA Crypto API provider in the build. If TF-M is enabled then + it will be used for this scope, otherwise Mbed TLS will be used. + PSA_CRYPTO_PROVIDER_CUSTOM can be selected to use an out-of-tree + implementation. + +choice PSA_CRYPTO_PROVIDER + prompt "PSA Crypto API provider" + depends on PSA_CRYPTO + +config PSA_CRYPTO_PROVIDER_TFM + bool "Use TF-M" + depends on BUILD_WITH_TFM + select TFM_PARTITION_CRYPTO + +config PSA_CRYPTO_PROVIDER_MBEDTLS + bool "Use Mbed TLS" + depends on !BUILD_WITH_TFM + select MBEDTLS + select MBEDTLS_PSA_CRYPTO_C + +config PSA_CRYPTO_PROVIDER_CUSTOM + bool "Use an out-of-tree library" + depends on !BUILD_WITH_TFM + +endchoice # PSA_CRYPTO_PROVIDER + +# The following section extends Kconfig.psa.auto (which is automatically +# generated) by adding some logic between PSA_WANT symbols. config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC bool diff --git a/modules/openthread/Kconfig b/modules/openthread/Kconfig index 02a997028db40..2496e6ab5cdaa 100644 --- a/modules/openthread/Kconfig +++ b/modules/openthread/Kconfig @@ -320,7 +320,7 @@ config OPENTHREAD_MAC_SOFTWARE_CSMA_BACKOFF_ENABLE config OPENTHREAD_CRYPTO_PSA bool "ARM PSA crypto API" - depends on MBEDTLS_PSA_CRYPTO_CLIENT + depends on PSA_CRYPTO_CLIENT select OPENTHREAD_PLATFORM_KEY_REF if !OPENTHREAD_COPROCESSOR_RCP imply OPENTHREAD_PLATFORM_KEYS_EXPORTABLE_ENABLE help diff --git a/modules/uoscore-uedhoc/Kconfig b/modules/uoscore-uedhoc/Kconfig index 06eaecd7b2102..7662495531887 100644 --- a/modules/uoscore-uedhoc/Kconfig +++ b/modules/uoscore-uedhoc/Kconfig @@ -5,7 +5,6 @@ menuconfig UOSCORE bool "UOSCORE library" depends on ZCBOR depends on ZCBOR_CANONICAL - depends on MBEDTLS select UOSCORE_UEDHOC_CRYPTO_COMMON help @@ -22,7 +21,6 @@ menuconfig UEDHOC bool "UEDHOC library" depends on ZCBOR depends on ZCBOR_CANONICAL - depends on MBEDTLS select UOSCORE_UEDHOC_CRYPTO_COMMON help This option enables the UEDHOC library. @@ -38,7 +36,7 @@ if UOSCORE || UEDHOC config UOSCORE_UEDHOC_CRYPTO_COMMON bool - imply MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO select PSA_WANT_ALG_ECDH select PSA_WANT_ALG_ECDSA select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT diff --git a/samples/net/sockets/http_server/Kconfig b/samples/net/sockets/http_server/Kconfig index 2f607259dfaa7..07d5b26e52d5e 100644 --- a/samples/net/sockets/http_server/Kconfig +++ b/samples/net/sockets/http_server/Kconfig @@ -17,7 +17,7 @@ config NET_SAMPLE_HTTP_SERVER_SERVICE_PORT config NET_SAMPLE_HTTPS_SERVICE bool "Enable https service" depends on NET_SOCKETS_SOCKOPT_TLS || TLS_CREDENTIALS - imply MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO if NET_SAMPLE_HTTPS_SERVICE diff --git a/samples/subsys/mgmt/updatehub/overlay-psa.conf b/samples/subsys/mgmt/updatehub/overlay-psa.conf index 4b5dcfd9af67d..8a70becc92d37 100644 --- a/samples/subsys/mgmt/updatehub/overlay-psa.conf +++ b/samples/subsys/mgmt/updatehub/overlay-psa.conf @@ -1,3 +1,2 @@ CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA=y -CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_PSA_CRYPTO=y diff --git a/subsys/bluetooth/crypto/Kconfig b/subsys/bluetooth/crypto/Kconfig index 0856daf9d9a5b..e9234e4157b34 100644 --- a/subsys/bluetooth/crypto/Kconfig +++ b/subsys/bluetooth/crypto/Kconfig @@ -3,8 +3,7 @@ config BT_CRYPTO bool - select MBEDTLS if !BUILD_WITH_TFM - select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO select PSA_WANT_KEY_TYPE_AES select PSA_WANT_ALG_CMAC select PSA_WANT_ALG_ECB_NO_PADDING diff --git a/subsys/bluetooth/host/Kconfig b/subsys/bluetooth/host/Kconfig index 72deb4343dc45..e89ca2bce9194 100644 --- a/subsys/bluetooth/host/Kconfig +++ b/subsys/bluetooth/host/Kconfig @@ -200,8 +200,7 @@ config BT_BUF_EVT_DISCARDABLE_COUNT config BT_HOST_CRYPTO bool "Use crypto functionality implemented in the Bluetooth host" default y if !BT_CTLR_CRYPTO - select MBEDTLS if !BUILD_WITH_TFM - select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO select PSA_WANT_KEY_TYPE_AES select PSA_WANT_ALG_ECB_NO_PADDING help @@ -1023,8 +1022,7 @@ endif # BT_DF config BT_ECC bool - select MBEDTLS if !BUILD_WITH_TFM - select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO select PSA_WANT_ALG_ECDH select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT diff --git a/subsys/bluetooth/mesh/Kconfig b/subsys/bluetooth/mesh/Kconfig index 02845ab743c51..d8214b4165d6b 100644 --- a/subsys/bluetooth/mesh/Kconfig +++ b/subsys/bluetooth/mesh/Kconfig @@ -1492,17 +1492,10 @@ config BT_MESH_SECURE_STORAGE bool depends on SECURE_STORAGE -choice BT_MESH_CRYPTO_LIB - prompt "Crypto library:" - default BT_MESH_USES_TFM_PSA if BUILD_WITH_TFM - default BT_MESH_USES_MBEDTLS_PSA - help - Crypto library selection for mesh security. - -config BT_MESH_USES_MBEDTLS_PSA - bool "mbed TLS PSA" - select MBEDTLS - select MBEDTLS_PSA_CRYPTO_C +config BT_MESH_CRYPTO_LIB + bool + default y + select PSA_CRYPTO select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE @@ -1517,18 +1510,9 @@ config BT_MESH_USES_MBEDTLS_PSA select PSA_WANT_ALG_ECDH select PSA_WANT_ECC_SECP_R1_256 select BT_MESH_SECURE_STORAGE if BT_SETTINGS - imply MBEDTLS_AES_ROM_TABLES + imply MBEDTLS_AES_ROM_TABLES if PSA_CRYPTO_PROVIDER_MBEDTLS help - Use Mbed TLS as PSA Crypto API provider. - -config BT_MESH_USES_TFM_PSA - bool "TF-M PSA" - depends on BUILD_WITH_TFM - help - Use TF-M as PSA Crypto API provider. This is only possible on platforms - that support TF-M. - -endchoice + Crypto library support for mesh security. menu "Beacons" diff --git a/subsys/jwt/Kconfig b/subsys/jwt/Kconfig index 052908a777545..c1cafcc829cf5 100644 --- a/subsys/jwt/Kconfig +++ b/subsys/jwt/Kconfig @@ -28,8 +28,7 @@ config JWT_SIGN_RSA_LEGACY config JWT_SIGN_RSA_PSA bool "Use RSA signature (RS-256). Use PSA Crypto API." - select MBEDTLS if !BUILD_WITH_TFM - select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT select PSA_WANT_ALG_RSA_PKCS1V15_SIGN @@ -37,8 +36,7 @@ config JWT_SIGN_RSA_PSA config JWT_SIGN_ECDSA_PSA bool "Use ECDSA signature (ES-256). Use PSA Crypto API." - select MBEDTLS if !BUILD_WITH_TFM - select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT select PSA_WANT_ALG_ECDSA select PSA_WANT_ECC_SECP_R1_256 diff --git a/tests/bluetooth/mesh/brg/CMakeLists.txt b/tests/bluetooth/mesh/brg/CMakeLists.txt index 55e77eaef755d..e6b6a7d531bee 100644 --- a/tests/bluetooth/mesh/brg/CMakeLists.txt +++ b/tests/bluetooth/mesh/brg/CMakeLists.txt @@ -20,4 +20,4 @@ target_compile_options(app -DCONFIG_BT_SETTINGS -DCONFIG_BT_MESH_BRG_CFG_SRV -DCONFIG_BT_MESH_BRG_TABLE_ITEMS_MAX=16 - -DCONFIG_BT_MESH_USES_MBEDTLS_PSA) + -DCONFIG_PSA_CRYPTO_PROVIDER_MBEDTLS) diff --git a/tests/bluetooth/mesh/delayable_msg/CMakeLists.txt b/tests/bluetooth/mesh/delayable_msg/CMakeLists.txt index 96af1f0175cfc..f2148e05347e6 100644 --- a/tests/bluetooth/mesh/delayable_msg/CMakeLists.txt +++ b/tests/bluetooth/mesh/delayable_msg/CMakeLists.txt @@ -21,4 +21,4 @@ target_compile_options(app -DCONFIG_BT_MESH_ACCESS_DELAYABLE_MSG_COUNT=4 -DCONFIG_BT_MESH_ACCESS_DELAYABLE_MSG_CHUNK_SIZE=20 -DCONFIG_BT_MESH_ACCESS_DELAYABLE_MSG_CHUNK_COUNT=20 - -DCONFIG_BT_MESH_USES_MBEDTLS_PSA) + -DCONFIG_PSA_CRYPTO_PROVIDER_MBEDTLS) diff --git a/tests/bluetooth/mesh/rpl/CMakeLists.txt b/tests/bluetooth/mesh/rpl/CMakeLists.txt index 44bb865291a0f..8a90762d70d2c 100644 --- a/tests/bluetooth/mesh/rpl/CMakeLists.txt +++ b/tests/bluetooth/mesh/rpl/CMakeLists.txt @@ -20,4 +20,4 @@ target_compile_options(app -DCONFIG_BT_MESH_CRPL=10 -DCONFIG_BT_MESH_RPL_STORE_TIMEOUT=1 -DCONFIG_BT_SETTINGS - -DCONFIG_BT_MESH_USES_MBEDTLS_PSA) + -DCONFIG_PSA_CRYPTO_PROVIDER_MBEDTLS) diff --git a/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf b/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf index b836ab2c23b2b..bc7c220f62f61 100644 --- a/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf +++ b/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf @@ -1,3 +1,2 @@ -CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_PSA_CRYPTO=y CONFIG_PSA_CRYPTO_ENABLE_ALL=y diff --git a/tests/bsim/bluetooth/ll/conn/psa_overlay.conf b/tests/bsim/bluetooth/ll/conn/psa_overlay.conf index b836ab2c23b2b..bc7c220f62f61 100644 --- a/tests/bsim/bluetooth/ll/conn/psa_overlay.conf +++ b/tests/bsim/bluetooth/ll/conn/psa_overlay.conf @@ -1,3 +1,2 @@ -CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_PSA_CRYPTO=y CONFIG_PSA_CRYPTO_ENABLE_ALL=y diff --git a/tests/bsim/bluetooth/mesh/src/mesh_test.c b/tests/bsim/bluetooth/mesh/src/mesh_test.c index 255f8d8aa43ac..658aa48133b54 100644 --- a/tests/bsim/bluetooth/mesh/src/mesh_test.c +++ b/tests/bsim/bluetooth/mesh/src/mesh_test.c @@ -292,7 +292,7 @@ void bt_mesh_device_setup(const struct bt_mesh_prov *prov, const struct bt_mesh_ if (IS_ENABLED(CONFIG_BT_SETTINGS)) { LOG_INF("Loading stored settings"); - if (IS_ENABLED(CONFIG_BT_MESH_USES_MBEDTLS_PSA)) { + if (IS_ENABLED(CONFIG_PSA_CRYPTO_PROVIDER_MBEDTLS)) { settings_load_subtree("itsemul"); } settings_load_subtree("bt");