When utilizing PSA crypto, enabling CONFIG_MBEDTLS_LEGACY_CRYPTO_C (such as by turning on OpenThread), the PSA crypto features such as native ITS storage are not functional.
Example prj.conf with working PSA:
CONFIG_NRF_SECURITY=y CONFIG_MBEDTLS_PSA_CRYPTO_C=y # Enable persistent storage APIs CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y CONFIG_PSA_NATIVE_ITS=y CONFIG_MBEDTLS_ENABLE_HEAP=y CONFIG_MBEDTLS_HEAP_SIZE=8192 CONFIG_PSA_CRYPTO_DRIVER_OBERON=y CONFIG_PSA_CRYPTO_DRIVER_CC3XX=n CONFIG_OBERON_BACKEND=y CONFIG_CC3XX_BACKEND=n CONFIG_PSA_WANT_ALG_CCM=n CONFIG_PSA_WANT_ALG_GCM=y CONFIG_PSA_WANT_ALG_CHACHA20_POLY1305=n CONFIG_PSA_WANT_ALG_CMAC=n CONFIG_PSA_WANT_ALG_RIPEMD160=n CONFIG_PSA_WANT_ALG_MD5=n CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=n CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=y CONFIG_PSA_WANT_ALG_CBC_PKCS7=y CONFIG_PSA_WANT_ALG_CFB=n CONFIG_PSA_WANT_ALG_CTR=n CONFIG_PSA_WANT_ALG_OFB=n CONFIG_PSA_WANT_ECC_SECP_K1_192=n CONFIG_PSA_WANT_ECC_SECP_K1_256=y CONFIG_PSA_WANT_ECC_SECP_R1_192=n CONFIG_PSA_WANT_ECC_SECP_R1_224=n CONFIG_PSA_WANT_ECC_SECP_R1_256=n CONFIG_PSA_WANT_ECC_SECP_R1_384=n CONFIG_PSA_WANT_ECC_SECP_R1_521=n CONFIG_PSA_WANT_ALG_STREAM_CIPHER=n # Force CBC to Oberon CONFIG_PSA_CRYPTO_DRIVER_ALG_CBC_NO_PADDING_CC3XX=n CONFIG_MBEDTLS_PSA_BUILTIN_ALG_ECDH=y CONFIG_MBEDTLS_LEGACY_CRYPTO_C=n
This config generates build/modules/nrfxlib/nrfxlib/nrf_security/src/include/generated/nrf-config.h and build/modules/nrfxlib/nrfxlib/nrf_security/src/include/generated/nrf-config-user.h which have the PSA crypto features enabled.
Changing CONFIG_MBEDTLS_LEGACY_CRYPTO_C to y generates a build/modules/nrfxlib/nrfxlib/nrf_security/src/include/generated/nrf-config-user.h that is empty:
/* * Copyright (c) 2021 Nordic Semiconductor * * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause * */ /* This file is intentionally empty.*/
This prevents the PSA crypto features from functioning.
