bootutil: Use mbedtls/private paths for TF-PSA-Crypto

[krish2718]

MCUboot Mbed TLS crypto wrappers and simulator custom crypto helpers included legacy headers as mbedtls/.h. TF-PSA-Crypto now exposes these declarations only under mbedtls/private/.

Assisted-by: Cursor: Auto

[d3zd3z]

This will probably take a bit to get to be "right". One thing I'm curious about (I might investigate this next week) is if this change is sufficient to get everything to pass against mbed TLS 4.1. Change #2713 ends up bringing in both 4.1 and 3.6 because of this issue.

My other concern is how can we encourage the use of the private headers to "go away" at some point. We definitely want to make sure we aren't introducing new instances.

[krish2718]

This will probably take a bit to get to be "right". One thing I'm curious about (I might investigate this next week) is if this change is sufficient to get everything to pass against mbed TLS 4.1. Change #2713 ends up bringing in both 4.1 and 3.6 because of this issue

Ah I see, so, if we are maintaining both 3.6 and 4.1 version, then can we absorb this change in 4.1 specific code?

My other concern is how can we encourage the use of the private headers to "go away" at some point. We definitely want to make sure we aren't introducing new instances.

That's actually one of the reasons for this PR (and associated ones), the current Zephyr copies these headers and drops "private", so, the users would have no idea that they are using headers that could be removed. And as for the actual deletion, it depends on migrating to PSA only versions and that might take a while esp. if the ecosystem continues to use these deprecated algos.