Skip to content

modules: mbedtls: bump to 4.0#104031

Draft
valeriosetti wants to merge 32 commits intozephyrproject-rtos:mainfrom
valeriosetti:mbedtls4-integration
Draft

modules: mbedtls: bump to 4.0#104031
valeriosetti wants to merge 32 commits intozephyrproject-rtos:mainfrom
valeriosetti:mbedtls4-integration

Conversation

@valeriosetti
Copy link
Contributor

@valeriosetti valeriosetti commented Feb 12, 2026

Draft because I need to run the CI on it to understand what still needs to be fixed. Moreover also some of the referenced repos are on my github account and that of course needs to be addressed as well.

@github-actions
Copy link

github-actions bot commented Feb 12, 2026

The following west manifest projects have changed revision in this Pull Request:

Name Old Revision New Revision Diff
hostap zephyrproject-rtos/hostap@8fa6fe8 zephyrproject-rtos/hostap#125 zephyrproject-rtos/hostap#125/files
mbedtls valeriosetti/mbedtls@c5b06d8 valeriosetti/mbedtls@zephyr-mbedtls-4.0 valeriosetti/mbedtls@c5b06d89..zephyr-mbedtls-4.0
mbedtls-3.6.5 🆕 N/A (Added) valeriosetti/zephyr-mbedtls@remove-mbedtls-v3.6.5 N/A
mbedtls-framework 🆕 N/A (Added) valeriosetti/mbedtls-framework@421f7a2 N/A
mcuboot zephyrproject-rtos/mcuboot@d9c2ba1 (main) zephyrproject-rtos/mcuboot#140 zephyrproject-rtos/mcuboot#140/files
openthread zephyrproject-rtos/openthread@9a40380 (main) zephyrproject-rtos/openthread#225 zephyrproject-rtos/openthread#225/files
tf-psa-crypto 🆕 N/A (Added) valeriosetti/TF-PSA-Crypto@zephyr-tfpsacrypto-1.0 N/A
tf-psa-crypto-framework 🆕 N/A (Added) valeriosetti/mbedtls-framework@8ebca51 N/A

Additional metadata changed:

Name URL Submodules West cmds module.yml Blobs
mbedtls

DNM label due to: 4 added projects, 3 projects with PR revision and 1 project with metadata changes

Note: This message is automatically posted and updated by the Manifest GitHub Action.

@tomi-font tomi-font self-requested a review February 13, 2026 07:12
@valeriosetti valeriosetti force-pushed the mbedtls4-integration branch 3 times, most recently from ecc176b to 4ca507c Compare February 13, 2026 13:52
@valeriosetti valeriosetti force-pushed the mbedtls4-integration branch 2 times, most recently from d0ffe43 to 42b0f80 Compare February 13, 2026 23:16
@valeriosetti valeriosetti force-pushed the mbedtls4-integration branch 3 times, most recently from 5aebdcb to c5e7c8c Compare February 17, 2026 12:01
@valeriosetti valeriosetti force-pushed the mbedtls4-integration branch 5 times, most recently from 42bdbeb to 7bbc1db Compare February 18, 2026 23:03
MBEDTLS_KEY_EXCHANGE_RSA_ENABLED was removed from Mbed TLS 4.0 because
it's no more supported. As a consequence Kconfig and build symbol are
also removed.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Adding:
- MBEDTLS_CIPHERSUITE_TLS1_3_AES_256_GCM_SHA384
- MBEDTLS_CIHPERSUITE_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
- RSA based key exchanges were removed so the corresponding test case is
  also removed. It has been replaced with a PSK one, still using TLS 1.2.
- Configuration overlay files were removed because thank to ciphersuite
  Kconfig it's now pretty trivial and compact to select what's required
  for a connection.

pytest script was updated accordingly.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Ciphersuites using RSA encryption were removed from Mbed TLS 4.0. As a
consequence this commit removes
MBEDTLS_CIPHERSUITE_TLS_RSA_WITH_AES_256_CBC_SHA256 and replaces it with
MBEDTLS_CIPHERSUITE_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 in tests/samples
code.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Minor changes that are required in order to move from Mbed TLS 3.6.5
to TF-PSA-Crypto 1.x:

- "psa_crypto_driver_wrappers.h" has been relocated
- some extra include folders are required because they are directly
  included from "psa_crypto_driver_wrappers.h" but not exported from
  "mbedTLS" library since they are meant to remain private.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Starting from TF-PSA-Crypto 1.0 CTR-DRBG is an internal module and cannot
be referenced directly by external code. Therefore
CTR_DRBG_CSPRNG_GENERATOR cannot be used. However CTR-DRBG is still
used internally by TF-PSA-Crypto when MBEDTLS_PSA_CRYPTO_LEGACY_RNG
is set, so we take advantage of this for the replacement.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
This allows NS app to have these headers available at build time without
any need to extend its CMake file to explicitly link to "tfm_api"
zephyr library.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
@valeriosetti valeriosetti force-pushed the mbedtls4-integration branch 6 times, most recently from ad7cd55 to 69f086d Compare February 28, 2026 06:30
These tests directly reference Mbed TLS/TF-PSA-Crypto include path in
their CMakeLists file. This commits adjust the path with new values.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED has been removed so there is
no need to disable it.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
RSA based key exchange has been removed from Mbed TLS 4. This commit
replaces it with an ECDHE-ECDSA alternative.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Add PSA_WANT_ALG_SHA_1 to the TLS configuration. This is required to
parse the certificate.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
DES and elliptic curves secp192r1, secp192k1 and secp224r1 were removed
from tf-psa-crypto.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Remove inclusions that date back to the original addition of this driver
and that are no more required when PSA API is used.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Add a Kconfig which still allows to get access to legacy (now internal)
Mbed TLS crypto.
Legacy header files are copied out of the private folder into the
build directory and the folder is the added to the Zephyr build.
Morevoer MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS is also set in the Mbed TLS
build in order to access functions and macros that wouldn't be
accessible otherwise.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Select only PSA_WANT and remove usage of legacy crypto.

Extend also Mbed TLS's CMake to build a library which includes legacy
Mbed TLS crypto modules that were removed from TF-PSA-Crypto.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Remove a legacy Mbed TLS error code that was removed in TF-PSA-Crypto
used by the OpenThread module.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Include a fix for replacing usage of legacy crypto with PSA Crypto API
and to prepare for tf-psa-crypto transition.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Add Kconfig choice to select between legacy Mbed TLS crypto and PSA Crypto
API. The latter is the default choice.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Add Kconfigs for major.minor.patch numbers. These information can be
helpful to condition some setting of Mbed TLS.
New Kconfigs are intentionally added outside of the MBEDTLS guard in order
to avoid cyclic dependencies problem.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
- replace legacy Kconfigs with corresponding PSA_WANT ones.
- extend Mbed TLS' CMake file in order to include these legacy ecdh module
  that was removed from TF-PSA-Crypto when ESP32 BT and WiFi drivers are
  built.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
OT now uses "mbedtls_asn1_get_tag" which makes MBEDTLS_ASN1_PARSE_C
required.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
TF-PSA-Crypto's bignum module includes some assembly optimization for
x86, x86_64 and ARM64 platforms. When building for "native_sim/native"
on a 64 bit platform the compiler tries to set 32 bit compatibility mode,
but of course assembly functions between 32 and 64 bits architectures
don't match and therefore the build fails.
Disabling optimizations prevents TF-PSA-Crypto from trying to use
assembly and the test passes.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment