zephyrproject-rtos · valeriosetti · Jan 27, 2026 · Feb 3, 2026 · Feb 3, 2026 · Feb 3, 2026
diff --git a/boards/nxp/lpcxpresso55s69/Kconfig.defconfig b/boards/nxp/lpcxpresso55s69/Kconfig.defconfig
@@ -42,9 +42,6 @@ config FLASH_LOAD_SIZE
 	default 0x40000 if (!TFM_BL2 && BUILD_WITH_TFM)
 	default $(dt_chosen_reg_size_hex,$(DT_CHOSEN_Z_CODE_PARTITION))
 
-config PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
-	default y if MBEDTLS_PSA_CRYPTO_CLIENT && MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-
 endif # TRUSTED_EXECUTION_NONSECURE || BOARD_LPCXPRESSO55S69_LPC55S69_CPU1
 
 choice TFM_PROFILE_TYPE

diff --git a/drivers/bluetooth/hci/Kconfig.esp32 b/drivers/bluetooth/hci/Kconfig.esp32
@@ -488,11 +488,16 @@ config ESP32_BT_LE_CRYPTO_STACK_MBEDTLS
 	bool "mbedTLS crypto stack"
 	depends on ESP32_BT_LE_SECURITY_ENABLE
 	default y
-	select MBEDTLS
-	select MBEDTLS_ECP_C
-	select MBEDTLS_ECP_DP_SECP256R1_ENABLED
-	select MBEDTLS_ECDH_C
-	select MBEDTLS_ENTROPY_C
+	select PSA_CRYPTO
+	select MBEDTLS_CTR_DRBG_C
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
+	select PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
+	select PSA_WANT_ECC_SECP_R1_256
+	select PSA_WANT_ALG_ECDH
+	# Keep access to legacy crypto headers
+	select MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
 	help
 	  Use mbedTLS library for BLE cryptographic operations.
 

diff --git a/drivers/crypto/crypto_mbedtls_shim.c b/drivers/crypto/crypto_mbedtls_shim.c
@@ -15,20 +15,14 @@
 #include <errno.h>
 #include <zephyr/crypto/crypto.h>
 
-#if !defined(CONFIG_MBEDTLS_CFG_FILE)
-#include "mbedtls/config.h"
-#else
-#include CONFIG_MBEDTLS_CFG_FILE
-#endif /* CONFIG_MBEDTLS_CFG_FILE */
-
 #include <psa/crypto.h>
 
 #define MBEDTLS_SUPPORT (CAP_RAW_KEY | CAP_SEPARATE_IO_BUFS | CAP_SYNC_OPS | \
 		      CAP_NO_IV_PREFIX)
 
 #define LOG_LEVEL CONFIG_CRYPTO_LOG_LEVEL
 #include <zephyr/logging/log.h>
-LOG_MODULE_REGISTER(mbedtls);
+LOG_MODULE_REGISTER(mbedtls_shim);
 
 struct mbedtls_shim_session {
 	union {
@@ -46,12 +40,6 @@ struct mbedtls_shim_session mbedtls_sessions[CRYPTO_MAX_SESSION];
 
 static K_MUTEX_DEFINE(mbedtls_sessions_lock);
 
-#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
-#include "mbedtls/memory_buffer_alloc.h"
-#else
-#error "You need to define MBEDTLS_MEMORY_BUFFER_ALLOC_C"
-#endif /* MBEDTLS_MEMORY_BUFFER_ALLOC_C */
-
 static struct mbedtls_shim_session *mbedtls_get_unused_session(void)
 {
 	struct mbedtls_shim_session *session = NULL;

diff --git a/drivers/entropy/Kconfig.mcux b/drivers/entropy/Kconfig.mcux
@@ -52,8 +52,8 @@ choice RNG_GENERATOR_CHOICE
 	default XOSHIRO_RANDOM_GENERATOR if ENTROPY_MCUX_TRNG
 endchoice
 
-choice CSPRNG_GENERATOR_CHOICE
-	default CTR_DRBG_CSPRNG_GENERATOR if ENTROPY_MCUX_TRNG
+choice MBEDTLS_PSA_CRYPTO_RNG_SOURCE
+	default MBEDTLS_PSA_CRYPTO_LEGACY_RNG if ENTROPY_MCUX_TRNG
 endchoice
 
 if ENTROPY_MCUX_CAAM

diff --git a/drivers/wifi/esp32/Kconfig.esp32 b/drivers/wifi/esp32/Kconfig.esp32
@@ -12,6 +12,9 @@ menuconfig WIFI_ESP32
 	select NET_L2_ETHERNET_MGMT
 	select WIFI_USE_NATIVE_NETWORKING
 	select MBEDTLS
+	# This is needed because some guards in TLS now require PSA crypto stuff
+	# to be enabled
+	select PSA_CRYPTO
 	select THREAD_STACK_INFO
 	select DYNAMIC_THREAD
 	select DYNAMIC_THREAD_ALLOC
@@ -367,15 +370,19 @@ config ESP32_WIFI_SOFTAP_SUPPORT
 
 config ESP32_WIFI_MBEDTLS_CRYPTO
 	bool "Use MbedTLS crypto APIs"
-	select MBEDTLS_ECP_C
-	select MBEDTLS_ECDH_C
-	select MBEDTLS_ECDSA_C
+	select PSA_CRYPTO
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
+	select PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
+	select PSA_WANT_ECC_SECP_R1_256
+	select PSA_WANT_ALG_ECDH
+	select PSA_WANT_ALG_ECDSA
+	select PSA_WANT_ALG_CMAC
 	select MBEDTLS_PKCS5_C
 	select MBEDTLS_MD_C
 	select MBEDTLS_PK_WRITE_C
 	select MBEDTLS_CIPHER_MODE_CTR_ENABLED
-	select MBEDTLS_CMAC
-	select MBEDTLS_ENTROPY_C
 	help
 	  Select this option to use MbedTLS crypto APIs which utilize hardware acceleration.
 

diff --git a/modules/hostap/Kconfig b/modules/hostap/Kconfig
@@ -177,26 +177,16 @@ config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
 	select MBEDTLS_CIPHER_MODE_CBC_ENABLED
 	select MBEDTLS_CIPHER_AES_ENABLED
 	select MBEDTLS_CIPHER_DES_ENABLED
-	select MBEDTLS_SHA1
-	select MBEDTLS_SHA384
-	select MBEDTLS_ENTROPY_C
 	select MBEDTLS_CIPHER
-	select MBEDTLS_ECP_C
-	select MBEDTLS_ECP_ALL_ENABLED
-	select MBEDTLS_CMAC
 	select MBEDTLS_PKCS5_C
 	select MBEDTLS_MD_C
 	select MBEDTLS_PK_WRITE_C
-	select MBEDTLS_ECDH_C
-	select MBEDTLS_ECDSA_C
-	select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-	select MBEDTLS_RSA_C
-	select MBEDTLS_PKCS1_V15
-	select MBEDTLS_PKCS1_V21
-	select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+	select MBEDTLS_CIHPERSUITE_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
+	select MBEDTLS_CIPHERSUITE_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 	select MBEDTLS_NIST_KW_C
-	select MBEDTLS_DHM_C
-	select MBEDTLS_HKDF_C
+	select PSA_WANT_ALG_HKDF
+	select PSA_WANT_ALG_HKDF_EXTRACT
+	select PSA_WANT_ALG_HKDF_EXPAND
 
 config WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
 	bool "No Crypto support for WiFi"
@@ -217,6 +207,7 @@ config WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
 	depends on WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
 	select PSA_CRYPTO
 	select MBEDTLS_USE_PSA_CRYPTO
+	select MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
 	select PSA_WANT_ALG_ECDH
 	select PSA_WANT_ALG_HMAC
 	select PSA_WANT_ALG_CCM
@@ -717,7 +708,7 @@ config SAE_PWE_EARLY_EXIT
 	  Note that this is highly insecure and shouldn't be used in production
 
 config WIFI_NM_WPA_SUPPLICANT_CRYPTO_TEST
-	bool
+	bool "Test crypto in HostAP"
 	depends on WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
 
 config WIFI_NM_WPA_CTRL_RESP_TIMEOUT_S