From 594bebf6193cc453566bc0edd189e48b8667faf1 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 23 Sep 2025 11:35:34 +0200 Subject: [PATCH 1/6] modules: openthread: fix dependency for OPENTHREAD_CRYPTO_PSA The dependency should be PSA_CRYPTO_CLIENT and not MBEDTLS_PSA_CRYPTO_CLIENT because the former is more generic. TF-M can indeed provide PSA Crypto API, not only Mbed TLS. Signed-off-by: Valerio Setti --- modules/openthread/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/openthread/Kconfig b/modules/openthread/Kconfig index 02a997028db40..2496e6ab5cdaa 100644 --- a/modules/openthread/Kconfig +++ b/modules/openthread/Kconfig @@ -320,7 +320,7 @@ config OPENTHREAD_MAC_SOFTWARE_CSMA_BACKOFF_ENABLE config OPENTHREAD_CRYPTO_PSA bool "ARM PSA crypto API" - depends on MBEDTLS_PSA_CRYPTO_CLIENT + depends on PSA_CRYPTO_CLIENT select OPENTHREAD_PLATFORM_KEY_REF if !OPENTHREAD_COPROCESSOR_RCP imply OPENTHREAD_PLATFORM_KEYS_EXPORTABLE_ENABLE help From ffe8771319a1505e1b0aefe52e2cfe925be7f25d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 1 Oct 2025 00:51:44 +0200 Subject: [PATCH 2/6] drivers: bluetooth: esp32: remove selection of MBEDTLS_PSA_CRYPTO_C The driver code only relies on legacy Mbed TLS crypto, not on PSA API, so enabling MBEDTLS_PSA_CRYPTO_C is not needed here. Signed-off-by: Valerio Setti --- drivers/bluetooth/hci/Kconfig.esp32 | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/bluetooth/hci/Kconfig.esp32 b/drivers/bluetooth/hci/Kconfig.esp32 index 63031d45ddaea..025c7b5ed519c 100644 --- a/drivers/bluetooth/hci/Kconfig.esp32 +++ b/drivers/bluetooth/hci/Kconfig.esp32 @@ -493,7 +493,6 @@ config ESP32_BT_LE_CRYPTO_STACK_MBEDTLS select MBEDTLS_ECP_DP_SECP256R1_ENABLED select MBEDTLS_ECDH_C select MBEDTLS_ENTROPY_C - select MBEDTLS_PSA_CRYPTO_C help Use mbedTLS library for BLE cryptographic operations. From 57e8ab7afb1f8dfab6b7b339f8b49e12300c06c1 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 1 Oct 2025 00:58:16 +0200 Subject: [PATCH 3/6] drivers: bluetooth: hci: do not select MBEDTLS_ENTROPY_C in BT_SILABS_EFR32 The driver only uses psa_generate_random() so ENTROPY_C is not required. Signed-off-by: Valerio Setti --- drivers/bluetooth/hci/Kconfig | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/bluetooth/hci/Kconfig b/drivers/bluetooth/hci/Kconfig index d62c3bb0b18e1..65f3efc8b96f0 100644 --- a/drivers/bluetooth/hci/Kconfig +++ b/drivers/bluetooth/hci/Kconfig @@ -160,7 +160,6 @@ config BT_SILABS_EFR32 select SOC_GECKO_USE_RAIL select MBEDTLS select MBEDTLS_PSA_CRYPTO_C - select MBEDTLS_ENTROPY_C select HAS_BT_CTLR select BT_CTLR_PHY_UPDATE_SUPPORT select BT_CTLR_PER_INIT_FEAT_XCHG_SUPPORT From 6dd5e90e3484ec1d0a2dab0770e5604aa5963def Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 23 Sep 2025 11:31:29 +0200 Subject: [PATCH 4/6] modules: mbedtls: add new helper Kconfig symbol PSA_CRYPTO The goal of new Kconfig PSA_CRYPTO_PROVIDER is to automatically enable any of the PSA Crypto API provider available for the platform without having the user to manually pick the proper one. This provider can be either TF-M, if that's enabled in the build, or Mbed TLS otherwise. PSA_CRYPTO_PROVIDER simplifies also modules/subsystem Kconfigs removing blocks as: select MBEDTLS if !BUILD_WITH_TFM select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM Kconfig PSA_CRYPTO_PROVIDER_CUSTOM is also added to allow the end user to add a custom implementation of PSA Crypto API instead of TF-M or Mbed TLS ones. Signed-off-by: Valerio Setti --- drivers/bluetooth/hci/Kconfig | 3 +- modules/hostap/Kconfig | 2 +- modules/mbedtls/Kconfig.psa.logic | 33 +++++++++++++++++-- modules/uoscore-uedhoc/Kconfig | 4 +-- samples/net/sockets/http_server/Kconfig | 2 +- .../subsys/mgmt/updatehub/overlay-psa.conf | 3 +- subsys/bluetooth/crypto/Kconfig | 3 +- subsys/bluetooth/host/Kconfig | 6 ++-- subsys/jwt/Kconfig | 6 ++-- .../host/gatt/caching/psa_overlay.conf | 3 +- tests/bsim/bluetooth/ll/conn/psa_overlay.conf | 3 +- 11 files changed, 43 insertions(+), 25 deletions(-) diff --git a/drivers/bluetooth/hci/Kconfig b/drivers/bluetooth/hci/Kconfig index 65f3efc8b96f0..cb921c4553cf1 100644 --- a/drivers/bluetooth/hci/Kconfig +++ b/drivers/bluetooth/hci/Kconfig @@ -158,8 +158,7 @@ config BT_SILABS_EFR32 depends on ZEPHYR_HAL_SILABS_MODULE_BLOBS || BUILD_ONLY_NO_BLOBS depends on !PM || SOC_GECKO_PM_BACKEND_PMGR select SOC_GECKO_USE_RAIL - select MBEDTLS - select MBEDTLS_PSA_CRYPTO_C + select PSA_CRYPTO select HAS_BT_CTLR select BT_CTLR_PHY_UPDATE_SUPPORT select BT_CTLR_PER_INIT_FEAT_XCHG_SUPPORT diff --git a/modules/hostap/Kconfig b/modules/hostap/Kconfig index b29f76079e27c..df4cba7ba031e 100644 --- a/modules/hostap/Kconfig +++ b/modules/hostap/Kconfig @@ -207,7 +207,7 @@ endchoice config WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA bool "Crypto Platform Secure Architecture support for WiFi" - imply MBEDTLS_PSA_CRYPTO_C + select PSA_CRYPTO select MBEDTLS_USE_PSA_CRYPTO select PSA_WANT_ALG_ECDH select PSA_WANT_ALG_HMAC diff --git a/modules/mbedtls/Kconfig.psa.logic b/modules/mbedtls/Kconfig.psa.logic index dcea9e3540527..972054e105b0f 100644 --- a/modules/mbedtls/Kconfig.psa.logic +++ b/modules/mbedtls/Kconfig.psa.logic @@ -1,8 +1,37 @@ # Copyright (c) 2024 BayLibre SAS # SPDX-License-Identifier: Apache-2.0 -# This file extends Kconfig.psa (which is automatically generated) by adding -# some logic between PSA_WANT symbols. +config PSA_CRYPTO + bool "PSA Crypto API" + help + Enable a PSA Crypto API provider in the build. If TF-M is enabled then + it will be used for this scope, otherwise Mbed TLS will be used. + PSA_CRYPTO_PROVIDER_CUSTOM can be selected to use an out-of-tree + implementation. + +choice PSA_CRYPTO_PROVIDER + prompt "PSA Crypto API provider" + depends on PSA_CRYPTO + +config PSA_CRYPTO_PROVIDER_TFM + bool "Use TF-M" + depends on BUILD_WITH_TFM + select TFM_PARTITION_CRYPTO + +config PSA_CRYPTO_PROVIDER_MBEDTLS + bool "Use Mbed TLS" + depends on !BUILD_WITH_TFM + select MBEDTLS + select MBEDTLS_PSA_CRYPTO_C + +config PSA_CRYPTO_PROVIDER_CUSTOM + bool "Use an out-of-tree library" + depends on !BUILD_WITH_TFM + +endchoice # PSA_CRYPTO_PROVIDER + +# The following section extends Kconfig.psa.auto (which is automatically +# generated) by adding some logic between PSA_WANT symbols. config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC bool diff --git a/modules/uoscore-uedhoc/Kconfig b/modules/uoscore-uedhoc/Kconfig index 06eaecd7b2102..7662495531887 100644 --- a/modules/uoscore-uedhoc/Kconfig +++ b/modules/uoscore-uedhoc/Kconfig @@ -5,7 +5,6 @@ menuconfig UOSCORE bool "UOSCORE library" depends on ZCBOR depends on ZCBOR_CANONICAL - depends on MBEDTLS select UOSCORE_UEDHOC_CRYPTO_COMMON help @@ -22,7 +21,6 @@ menuconfig UEDHOC bool "UEDHOC library" depends on ZCBOR depends on ZCBOR_CANONICAL - depends on MBEDTLS select UOSCORE_UEDHOC_CRYPTO_COMMON help This option enables the UEDHOC library. @@ -38,7 +36,7 @@ if UOSCORE || UEDHOC config UOSCORE_UEDHOC_CRYPTO_COMMON bool - imply MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO select PSA_WANT_ALG_ECDH select PSA_WANT_ALG_ECDSA select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT diff --git a/samples/net/sockets/http_server/Kconfig b/samples/net/sockets/http_server/Kconfig index 2f607259dfaa7..07d5b26e52d5e 100644 --- a/samples/net/sockets/http_server/Kconfig +++ b/samples/net/sockets/http_server/Kconfig @@ -17,7 +17,7 @@ config NET_SAMPLE_HTTP_SERVER_SERVICE_PORT config NET_SAMPLE_HTTPS_SERVICE bool "Enable https service" depends on NET_SOCKETS_SOCKOPT_TLS || TLS_CREDENTIALS - imply MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO if NET_SAMPLE_HTTPS_SERVICE diff --git a/samples/subsys/mgmt/updatehub/overlay-psa.conf b/samples/subsys/mgmt/updatehub/overlay-psa.conf index 4b5dcfd9af67d..8a70becc92d37 100644 --- a/samples/subsys/mgmt/updatehub/overlay-psa.conf +++ b/samples/subsys/mgmt/updatehub/overlay-psa.conf @@ -1,3 +1,2 @@ CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA=y -CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_PSA_CRYPTO=y diff --git a/subsys/bluetooth/crypto/Kconfig b/subsys/bluetooth/crypto/Kconfig index 0856daf9d9a5b..e9234e4157b34 100644 --- a/subsys/bluetooth/crypto/Kconfig +++ b/subsys/bluetooth/crypto/Kconfig @@ -3,8 +3,7 @@ config BT_CRYPTO bool - select MBEDTLS if !BUILD_WITH_TFM - select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO select PSA_WANT_KEY_TYPE_AES select PSA_WANT_ALG_CMAC select PSA_WANT_ALG_ECB_NO_PADDING diff --git a/subsys/bluetooth/host/Kconfig b/subsys/bluetooth/host/Kconfig index 72deb4343dc45..e89ca2bce9194 100644 --- a/subsys/bluetooth/host/Kconfig +++ b/subsys/bluetooth/host/Kconfig @@ -200,8 +200,7 @@ config BT_BUF_EVT_DISCARDABLE_COUNT config BT_HOST_CRYPTO bool "Use crypto functionality implemented in the Bluetooth host" default y if !BT_CTLR_CRYPTO - select MBEDTLS if !BUILD_WITH_TFM - select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO select PSA_WANT_KEY_TYPE_AES select PSA_WANT_ALG_ECB_NO_PADDING help @@ -1023,8 +1022,7 @@ endif # BT_DF config BT_ECC bool - select MBEDTLS if !BUILD_WITH_TFM - select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO select PSA_WANT_ALG_ECDH select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT diff --git a/subsys/jwt/Kconfig b/subsys/jwt/Kconfig index 052908a777545..c1cafcc829cf5 100644 --- a/subsys/jwt/Kconfig +++ b/subsys/jwt/Kconfig @@ -28,8 +28,7 @@ config JWT_SIGN_RSA_LEGACY config JWT_SIGN_RSA_PSA bool "Use RSA signature (RS-256). Use PSA Crypto API." - select MBEDTLS if !BUILD_WITH_TFM - select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT select PSA_WANT_ALG_RSA_PKCS1V15_SIGN @@ -37,8 +36,7 @@ config JWT_SIGN_RSA_PSA config JWT_SIGN_ECDSA_PSA bool "Use ECDSA signature (ES-256). Use PSA Crypto API." - select MBEDTLS if !BUILD_WITH_TFM - select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_CRYPTO select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT select PSA_WANT_ALG_ECDSA select PSA_WANT_ECC_SECP_R1_256 diff --git a/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf b/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf index b836ab2c23b2b..bc7c220f62f61 100644 --- a/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf +++ b/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf @@ -1,3 +1,2 @@ -CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_PSA_CRYPTO=y CONFIG_PSA_CRYPTO_ENABLE_ALL=y diff --git a/tests/bsim/bluetooth/ll/conn/psa_overlay.conf b/tests/bsim/bluetooth/ll/conn/psa_overlay.conf index b836ab2c23b2b..bc7c220f62f61 100644 --- a/tests/bsim/bluetooth/ll/conn/psa_overlay.conf +++ b/tests/bsim/bluetooth/ll/conn/psa_overlay.conf @@ -1,3 +1,2 @@ -CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_PSA_CRYPTO=y CONFIG_PSA_CRYPTO_ENABLE_ALL=y From 92025221119526efa1fa8444b1186b3cd2264742 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 10 Oct 2025 12:02:03 +0200 Subject: [PATCH 5/6] bluetooth: mesh: use new Kconfig CONFIG_PSA_CRYPTO Remove previous Kconfig choices CONFIG_BT_MESH_USES_MBEDTLS_PSA and CONFIG_BT_MESH_USES_TFM_PSA and use CONFIG_PSA_CRYPTO instead. This commit also updates test code accordingly. Signed-off-by: Valerio Setti --- doc/releases/migration-guide-4.3.rst | 7 +++++ subsys/bluetooth/mesh/Kconfig | 28 ++++--------------- tests/bluetooth/mesh/brg/CMakeLists.txt | 2 +- .../mesh/delayable_msg/CMakeLists.txt | 2 +- tests/bluetooth/mesh/rpl/CMakeLists.txt | 2 +- tests/bsim/bluetooth/mesh/src/mesh_test.c | 2 +- 6 files changed, 17 insertions(+), 26 deletions(-) diff --git a/doc/releases/migration-guide-4.3.rst b/doc/releases/migration-guide-4.3.rst index 757041e1b2a13..2f4b2e7a5d03c 100644 --- a/doc/releases/migration-guide-4.3.rst +++ b/doc/releases/migration-guide-4.3.rst @@ -180,6 +180,13 @@ Bluetooth HCI * The deprecated ``ipm`` value was removed from ``bt-hci-bus`` devicetree property. ``ipc`` should be used instead. +Bluetooth Mesh +============== + +* Kconfigs ``CONFIG_BT_MESH_USES_MBEDTLS_PSA`` and ``CONFIG_BT_MESH_USES_TFM_PSA`` have + been removed. The selection of the PSA Crypto provider is now automatically controlled + by Kconfig :kconfig:option:`CONFIG_PSA_CRYPTO`. + Ethernet ======== diff --git a/subsys/bluetooth/mesh/Kconfig b/subsys/bluetooth/mesh/Kconfig index 02845ab743c51..d8214b4165d6b 100644 --- a/subsys/bluetooth/mesh/Kconfig +++ b/subsys/bluetooth/mesh/Kconfig @@ -1492,17 +1492,10 @@ config BT_MESH_SECURE_STORAGE bool depends on SECURE_STORAGE -choice BT_MESH_CRYPTO_LIB - prompt "Crypto library:" - default BT_MESH_USES_TFM_PSA if BUILD_WITH_TFM - default BT_MESH_USES_MBEDTLS_PSA - help - Crypto library selection for mesh security. - -config BT_MESH_USES_MBEDTLS_PSA - bool "mbed TLS PSA" - select MBEDTLS - select MBEDTLS_PSA_CRYPTO_C +config BT_MESH_CRYPTO_LIB + bool + default y + select PSA_CRYPTO select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE @@ -1517,18 +1510,9 @@ config BT_MESH_USES_MBEDTLS_PSA select PSA_WANT_ALG_ECDH select PSA_WANT_ECC_SECP_R1_256 select BT_MESH_SECURE_STORAGE if BT_SETTINGS - imply MBEDTLS_AES_ROM_TABLES + imply MBEDTLS_AES_ROM_TABLES if PSA_CRYPTO_PROVIDER_MBEDTLS help - Use Mbed TLS as PSA Crypto API provider. - -config BT_MESH_USES_TFM_PSA - bool "TF-M PSA" - depends on BUILD_WITH_TFM - help - Use TF-M as PSA Crypto API provider. This is only possible on platforms - that support TF-M. - -endchoice + Crypto library support for mesh security. menu "Beacons" diff --git a/tests/bluetooth/mesh/brg/CMakeLists.txt b/tests/bluetooth/mesh/brg/CMakeLists.txt index 55e77eaef755d..e6b6a7d531bee 100644 --- a/tests/bluetooth/mesh/brg/CMakeLists.txt +++ b/tests/bluetooth/mesh/brg/CMakeLists.txt @@ -20,4 +20,4 @@ target_compile_options(app -DCONFIG_BT_SETTINGS -DCONFIG_BT_MESH_BRG_CFG_SRV -DCONFIG_BT_MESH_BRG_TABLE_ITEMS_MAX=16 - -DCONFIG_BT_MESH_USES_MBEDTLS_PSA) + -DCONFIG_PSA_CRYPTO_PROVIDER_MBEDTLS) diff --git a/tests/bluetooth/mesh/delayable_msg/CMakeLists.txt b/tests/bluetooth/mesh/delayable_msg/CMakeLists.txt index 96af1f0175cfc..f2148e05347e6 100644 --- a/tests/bluetooth/mesh/delayable_msg/CMakeLists.txt +++ b/tests/bluetooth/mesh/delayable_msg/CMakeLists.txt @@ -21,4 +21,4 @@ target_compile_options(app -DCONFIG_BT_MESH_ACCESS_DELAYABLE_MSG_COUNT=4 -DCONFIG_BT_MESH_ACCESS_DELAYABLE_MSG_CHUNK_SIZE=20 -DCONFIG_BT_MESH_ACCESS_DELAYABLE_MSG_CHUNK_COUNT=20 - -DCONFIG_BT_MESH_USES_MBEDTLS_PSA) + -DCONFIG_PSA_CRYPTO_PROVIDER_MBEDTLS) diff --git a/tests/bluetooth/mesh/rpl/CMakeLists.txt b/tests/bluetooth/mesh/rpl/CMakeLists.txt index 44bb865291a0f..8a90762d70d2c 100644 --- a/tests/bluetooth/mesh/rpl/CMakeLists.txt +++ b/tests/bluetooth/mesh/rpl/CMakeLists.txt @@ -20,4 +20,4 @@ target_compile_options(app -DCONFIG_BT_MESH_CRPL=10 -DCONFIG_BT_MESH_RPL_STORE_TIMEOUT=1 -DCONFIG_BT_SETTINGS - -DCONFIG_BT_MESH_USES_MBEDTLS_PSA) + -DCONFIG_PSA_CRYPTO_PROVIDER_MBEDTLS) diff --git a/tests/bsim/bluetooth/mesh/src/mesh_test.c b/tests/bsim/bluetooth/mesh/src/mesh_test.c index 255f8d8aa43ac..658aa48133b54 100644 --- a/tests/bsim/bluetooth/mesh/src/mesh_test.c +++ b/tests/bsim/bluetooth/mesh/src/mesh_test.c @@ -292,7 +292,7 @@ void bt_mesh_device_setup(const struct bt_mesh_prov *prov, const struct bt_mesh_ if (IS_ENABLED(CONFIG_BT_SETTINGS)) { LOG_INF("Loading stored settings"); - if (IS_ENABLED(CONFIG_BT_MESH_USES_MBEDTLS_PSA)) { + if (IS_ENABLED(CONFIG_PSA_CRYPTO_PROVIDER_MBEDTLS)) { settings_load_subtree("itsemul"); } settings_load_subtree("bt"); From da2fcc441bda81d82e32d778e2c3e344c8e8142b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 10 Oct 2025 12:03:07 +0200 Subject: [PATCH 6/6] doc: releases: add note about CONFIG_PSA_CRYPTO addition in Mbed TLS Update release-notes about the following additions: - CONFIG_PSA_CRYPTO - CONFIG_PSA_CRYPTO_PROVIDER_TFM - CONFIG_PSA_CRYPTO_PROVIDER_MBEDTLS - CONFIG_PSA_CRYPTO_PROVIDER_CUSTOM Signed-off-by: Valerio Setti --- doc/releases/release-notes-4.3.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/doc/releases/release-notes-4.3.rst b/doc/releases/release-notes-4.3.rst index c4d94c0f75bae..a7c0daf6fc96c 100644 --- a/doc/releases/release-notes-4.3.rst +++ b/doc/releases/release-notes-4.3.rst @@ -345,6 +345,15 @@ Libraries / Subsystems via :kconfig:option:`CONFIG_LOG_RATELIMIT_FALLBACK` to either log all messages or drop them completely. For more details, see :ref:`logging_ratelimited`. +* Mbed TLS + + * Kconfig :kconfig:option:`CONFIG_PSA_CRYPTO` is added to simplify the enablement of a PSA + Crypto API provider. This is TF-M if :kconfig:option:`CONFIG_BUILD_WITH_TFM` is enabled, + or Mbed TLS otherwise. :kconfig:option:`CONFIG_PSA_CRYPTO_PROVIDER_TFM` is set in the former + case while :kconfig:option:`CONFIG_PSA_CRYPTO_PROVIDER_MBEDTLS` is set in the latter. + :kconfig:option:`CONFIG_PSA_CRYPTO_PROVIDER_CUSTOM` is also added to allow end users to + provide a custom solution. + * Secure storage * The experimental status has been removed. (:github:`96483`)