PSA crypto features not enabled when CONFIG_MBEDTLS_LEGACY_CRYPTO_C is enabled

When utilizing PSA crypto, enabling CONFIG_MBEDTLS_LEGACY_CRYPTO_C (such as by turning on OpenThread), the PSA crypto features such as native ITS storage are not functional.

Example prj.conf with working PSA:

CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y

# Enable persistent storage APIs
CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y
CONFIG_PSA_NATIVE_ITS=y

CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=8192
CONFIG_PSA_CRYPTO_DRIVER_OBERON=y
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=n
CONFIG_OBERON_BACKEND=y
CONFIG_CC3XX_BACKEND=n

CONFIG_PSA_WANT_ALG_CCM=n
CONFIG_PSA_WANT_ALG_GCM=y
CONFIG_PSA_WANT_ALG_CHACHA20_POLY1305=n
CONFIG_PSA_WANT_ALG_CMAC=n
CONFIG_PSA_WANT_ALG_RIPEMD160=n
CONFIG_PSA_WANT_ALG_MD5=n
CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=n
CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=y
CONFIG_PSA_WANT_ALG_CBC_PKCS7=y
CONFIG_PSA_WANT_ALG_CFB=n
CONFIG_PSA_WANT_ALG_CTR=n
CONFIG_PSA_WANT_ALG_OFB=n
CONFIG_PSA_WANT_ECC_SECP_K1_192=n
CONFIG_PSA_WANT_ECC_SECP_K1_256=y
CONFIG_PSA_WANT_ECC_SECP_R1_192=n
CONFIG_PSA_WANT_ECC_SECP_R1_224=n
CONFIG_PSA_WANT_ECC_SECP_R1_256=n
CONFIG_PSA_WANT_ECC_SECP_R1_384=n
CONFIG_PSA_WANT_ECC_SECP_R1_521=n
CONFIG_PSA_WANT_ALG_STREAM_CIPHER=n

# Force CBC to Oberon
CONFIG_PSA_CRYPTO_DRIVER_ALG_CBC_NO_PADDING_CC3XX=n
CONFIG_MBEDTLS_PSA_BUILTIN_ALG_ECDH=y

CONFIG_MBEDTLS_LEGACY_CRYPTO_C=n

This config generates build/modules/nrfxlib/nrfxlib/nrf_security/src/include/generated/nrf-config.h and build/modules/nrfxlib/nrfxlib/nrf_security/src/include/generated/nrf-config-user.h which have the PSA crypto features enabled.

Changing CONFIG_MBEDTLS_LEGACY_CRYPTO_C to y generates a build/modules/nrfxlib/nrfxlib/nrf_security/src/include/generated/nrf-config-user.h that is empty: 

/*
* Copyright (c) 2021 Nordic Semiconductor
*
* SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
*
*/

/* This file is intentionally empty.*/

This prevents the PSA crypto features from functioning. 

Parents Reply Children
Related