modules: mbedtls: add helper Kconfig PSA_CRYPTO

doc/releases/migration-guide-4.3.rst

@@ -180,6 +180,13 @@ Bluetooth HCI
 * The deprecated ``ipm`` value was removed from ``bt-hci-bus`` devicetree property.
   ``ipc`` should be used instead.
 
+Bluetooth Mesh
+==============
+
+* Kconfigs ``CONFIG_BT_MESH_USES_MBEDTLS_PSA`` and ``CONFIG_BT_MESH_USES_TFM_PSA`` have
+  been removed. The selection of the PSA Crypto provider is now automatically controlled
+  by Kconfig :kconfig:option:`CONFIG_PSA_CRYPTO`.
+
 Ethernet
 ========
 

doc/releases/release-notes-4.3.rst

@@ -345,6 +345,15 @@ Libraries / Subsystems
     via :kconfig:option:`CONFIG_LOG_RATELIMIT_FALLBACK` to either log all messages or drop them completely.
     For more details, see :ref:`logging_ratelimited`.
 
+* Mbed TLS
+
+  * Kconfig :kconfig:option:`CONFIG_PSA_CRYPTO` is added to simplify the enablement of a PSA
+    Crypto API provider. This is TF-M if :kconfig:option:`CONFIG_BUILD_WITH_TFM` is enabled,
+    or Mbed TLS otherwise. :kconfig:option:`CONFIG_PSA_CRYPTO_PROVIDER_TFM` is set in the former
+    case while :kconfig:option:`CONFIG_PSA_CRYPTO_PROVIDER_MBEDTLS` is set in the latter.
+    :kconfig:option:`CONFIG_PSA_CRYPTO_PROVIDER_CUSTOM` is also added to allow end users to
+    provide a custom solution.
+
 * Secure storage
 
   * The experimental status has been removed. (:github:`96483`)

drivers/bluetooth/hci/Kconfig

@@ -158,9 +158,7 @@ config BT_SILABS_EFR32
 	depends on ZEPHYR_HAL_SILABS_MODULE_BLOBS || BUILD_ONLY_NO_BLOBS
 	depends on !PM || SOC_GECKO_PM_BACKEND_PMGR
 	select SOC_GECKO_USE_RAIL
-	select MBEDTLS
-	select MBEDTLS_PSA_CRYPTO_C
-	select MBEDTLS_ENTROPY_C
+	select PSA_CRYPTO
 	select HAS_BT_CTLR
 	select BT_CTLR_PHY_UPDATE_SUPPORT
 	select BT_CTLR_PER_INIT_FEAT_XCHG_SUPPORT

drivers/bluetooth/hci/Kconfig.esp32

@@ -493,7 +493,6 @@ config ESP32_BT_LE_CRYPTO_STACK_MBEDTLS
 	select MBEDTLS_ECP_DP_SECP256R1_ENABLED
 	select MBEDTLS_ECDH_C
 	select MBEDTLS_ENTROPY_C
-	select MBEDTLS_PSA_CRYPTO_C
 	help
 	  Use mbedTLS library for BLE cryptographic operations.
 

modules/hostap/Kconfig

@@ -207,7 +207,7 @@ endchoice
 
 config WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
 	bool "Crypto Platform Secure Architecture support for WiFi"
-	imply MBEDTLS_PSA_CRYPTO_C
+	select PSA_CRYPTO
 	select MBEDTLS_USE_PSA_CRYPTO
 	select PSA_WANT_ALG_ECDH
 	select PSA_WANT_ALG_HMAC

modules/mbedtls/Kconfig.psa.logic

@@ -1,8 +1,37 @@
 # Copyright (c) 2024 BayLibre SAS
 # SPDX-License-Identifier: Apache-2.0
 
-# This file extends Kconfig.psa (which is automatically generated) by adding
-# some logic between PSA_WANT symbols.
+config PSA_CRYPTO
+	bool "PSA Crypto API"
+	help
+	  Enable a PSA Crypto API provider in the build. If TF-M is enabled then
+	  it will be used for this scope, otherwise Mbed TLS will be used.
+	  PSA_CRYPTO_PROVIDER_CUSTOM can be selected to use an out-of-tree
+	  implementation.
+
+choice PSA_CRYPTO_PROVIDER
+	prompt "PSA Crypto API provider"
+	depends on PSA_CRYPTO
+
+config PSA_CRYPTO_PROVIDER_TFM
+	bool "Use TF-M"
+	depends on BUILD_WITH_TFM
+	select TFM_PARTITION_CRYPTO
+
+config PSA_CRYPTO_PROVIDER_MBEDTLS
+	bool "Use Mbed TLS"
+	depends on !BUILD_WITH_TFM
+	select MBEDTLS
+	select MBEDTLS_PSA_CRYPTO_C
+
+config PSA_CRYPTO_PROVIDER_CUSTOM
+	bool "Use an out-of-tree library"
+	depends on !BUILD_WITH_TFM
+
+endchoice # PSA_CRYPTO_PROVIDER
+
+# The following section extends Kconfig.psa.auto (which is automatically
+# generated) by adding some logic between PSA_WANT symbols.
 
 config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC
 	bool

modules/openthread/Kconfig

@@ -320,7 +320,7 @@ config OPENTHREAD_MAC_SOFTWARE_CSMA_BACKOFF_ENABLE
 
 config OPENTHREAD_CRYPTO_PSA
 	bool "ARM PSA crypto API"
-	depends on MBEDTLS_PSA_CRYPTO_CLIENT
+	depends on PSA_CRYPTO_CLIENT
 	select OPENTHREAD_PLATFORM_KEY_REF if !OPENTHREAD_COPROCESSOR_RCP
 	imply OPENTHREAD_PLATFORM_KEYS_EXPORTABLE_ENABLE
 	help

modules/uoscore-uedhoc/Kconfig

@@ -5,7 +5,6 @@ menuconfig UOSCORE
 	bool "UOSCORE library"
 	depends on ZCBOR
 	depends on ZCBOR_CANONICAL
-	depends on MBEDTLS
 	select UOSCORE_UEDHOC_CRYPTO_COMMON
 
 	help
@@ -22,7 +21,6 @@ menuconfig UEDHOC
 	bool "UEDHOC library"
 	depends on ZCBOR
 	depends on ZCBOR_CANONICAL
-	depends on MBEDTLS
 	select UOSCORE_UEDHOC_CRYPTO_COMMON
 	help
 	  This option enables the UEDHOC library.
@@ -38,7 +36,7 @@ if UOSCORE || UEDHOC
 
 config UOSCORE_UEDHOC_CRYPTO_COMMON
 	bool
-	imply MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_ALG_ECDH
 	select PSA_WANT_ALG_ECDSA
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT

samples/net/sockets/http_server/Kconfig

@@ -17,7 +17,7 @@ config NET_SAMPLE_HTTP_SERVER_SERVICE_PORT
 config NET_SAMPLE_HTTPS_SERVICE
 	bool "Enable https service"
 	depends on NET_SOCKETS_SOCKOPT_TLS || TLS_CREDENTIALS
-	imply MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 
 if NET_SAMPLE_HTTPS_SERVICE
 

samples/subsys/mgmt/updatehub/overlay-psa.conf

@@ -1,3 +1,2 @@
 CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA=y
-CONFIG_MBEDTLS=y
-CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_PSA_CRYPTO=y

subsys/bluetooth/crypto/Kconfig

@@ -3,8 +3,7 @@
 
 config BT_CRYPTO
 	bool
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_KEY_TYPE_AES
 	select PSA_WANT_ALG_CMAC
 	select PSA_WANT_ALG_ECB_NO_PADDING

subsys/bluetooth/host/Kconfig

@@ -200,8 +200,7 @@ config BT_BUF_EVT_DISCARDABLE_COUNT
 config BT_HOST_CRYPTO
 	bool "Use crypto functionality implemented in the Bluetooth host"
 	default y if !BT_CTLR_CRYPTO
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_KEY_TYPE_AES
 	select PSA_WANT_ALG_ECB_NO_PADDING
 	help
@@ -1023,8 +1022,7 @@ endif # BT_DF
 
 config BT_ECC
 	bool
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_ALG_ECDH
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT

subsys/bluetooth/mesh/Kconfig

@@ -1492,17 +1492,10 @@ config BT_MESH_SECURE_STORAGE
 	bool
 	depends on SECURE_STORAGE
 
-choice BT_MESH_CRYPTO_LIB
-	prompt "Crypto library:"
-	default BT_MESH_USES_TFM_PSA if BUILD_WITH_TFM
-	default BT_MESH_USES_MBEDTLS_PSA
-	help
-	  Crypto library selection for mesh security.
-
-config BT_MESH_USES_MBEDTLS_PSA
-	bool "mbed TLS PSA"
-	select MBEDTLS
-	select MBEDTLS_PSA_CRYPTO_C
+config BT_MESH_CRYPTO_LIB
+	bool
+	default y
+	select PSA_CRYPTO
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
@@ -1517,18 +1510,9 @@ config BT_MESH_USES_MBEDTLS_PSA
 	select PSA_WANT_ALG_ECDH
 	select PSA_WANT_ECC_SECP_R1_256
 	select BT_MESH_SECURE_STORAGE if BT_SETTINGS
-	imply MBEDTLS_AES_ROM_TABLES
+	imply MBEDTLS_AES_ROM_TABLES if PSA_CRYPTO_PROVIDER_MBEDTLS
 	help
-	  Use Mbed TLS as PSA Crypto API provider.
-
-config BT_MESH_USES_TFM_PSA
-	bool "TF-M PSA"
-	depends on BUILD_WITH_TFM
-	help
-	  Use TF-M as PSA Crypto API provider. This is only possible on platforms
-	  that support TF-M.
-
-endchoice
+	  Crypto library support for mesh security.
 
 menu "Beacons"
 

subsys/jwt/Kconfig

@@ -28,17 +28,15 @@ config JWT_SIGN_RSA_LEGACY
 
 config JWT_SIGN_RSA_PSA
 	bool "Use RSA signature (RS-256). Use PSA Crypto API."
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
 	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
 	select PSA_WANT_ALG_RSA_PKCS1V15_SIGN
 	select PSA_WANT_ALG_SHA_256
 
 config JWT_SIGN_ECDSA_PSA
 	bool "Use ECDSA signature (ES-256). Use PSA Crypto API."
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
+	select PSA_CRYPTO
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
 	select PSA_WANT_ALG_ECDSA
 	select PSA_WANT_ECC_SECP_R1_256

tests/bluetooth/mesh/brg/CMakeLists.txt

@@ -20,4 +20,4 @@ target_compile_options(app
 	-DCONFIG_BT_SETTINGS
 	-DCONFIG_BT_MESH_BRG_CFG_SRV
 	-DCONFIG_BT_MESH_BRG_TABLE_ITEMS_MAX=16
-	-DCONFIG_BT_MESH_USES_MBEDTLS_PSA)
+	-DCONFIG_PSA_CRYPTO_PROVIDER_MBEDTLS)

tests/bluetooth/mesh/delayable_msg/CMakeLists.txt

@@ -21,4 +21,4 @@ target_compile_options(app
 	-DCONFIG_BT_MESH_ACCESS_DELAYABLE_MSG_COUNT=4
 	-DCONFIG_BT_MESH_ACCESS_DELAYABLE_MSG_CHUNK_SIZE=20
 	-DCONFIG_BT_MESH_ACCESS_DELAYABLE_MSG_CHUNK_COUNT=20
-	-DCONFIG_BT_MESH_USES_MBEDTLS_PSA)
+	-DCONFIG_PSA_CRYPTO_PROVIDER_MBEDTLS)

tests/bluetooth/mesh/rpl/CMakeLists.txt

@@ -20,4 +20,4 @@ target_compile_options(app
 	-DCONFIG_BT_MESH_CRPL=10
 	-DCONFIG_BT_MESH_RPL_STORE_TIMEOUT=1
 	-DCONFIG_BT_SETTINGS
-	-DCONFIG_BT_MESH_USES_MBEDTLS_PSA)
+	-DCONFIG_PSA_CRYPTO_PROVIDER_MBEDTLS)

tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf

@@ -1,3 +1,2 @@
-CONFIG_MBEDTLS=y
-CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_PSA_CRYPTO=y
 CONFIG_PSA_CRYPTO_ENABLE_ALL=y

tests/bsim/bluetooth/ll/conn/psa_overlay.conf

@@ -1,3 +1,2 @@
-CONFIG_MBEDTLS=y
-CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_PSA_CRYPTO=y
 CONFIG_PSA_CRYPTO_ENABLE_ALL=y

tests/bsim/bluetooth/mesh/src/mesh_test.c

@@ -292,7 +292,7 @@ void bt_mesh_device_setup(const struct bt_mesh_prov *prov, const struct bt_mesh_
 
 	if (IS_ENABLED(CONFIG_BT_SETTINGS)) {
 		LOG_INF("Loading stored settings");
-		if (IS_ENABLED(CONFIG_BT_MESH_USES_MBEDTLS_PSA)) {
+		if (IS_ENABLED(CONFIG_PSA_CRYPTO_PROVIDER_MBEDTLS)) {
 			settings_load_subtree("itsemul");
 		}
 		settings_load_subtree("bt");