nrfconnect · carlescufi · May 22, 2026 · Apr 28, 2026 · May 15, 2026 · May 15, 2026
@@ -68,15 +68,14 @@ if (CONFIG_NRF_SECURITY)
         zephyr_include_directories($<TARGET_PROPERTY:psa_crypto_config,INTERFACE_INCLUDE_DIRECTORIES>)
     else()
         zephyr_include_directories($<TARGET_PROPERTY:psa_crypto_library_config,INTERFACE_INCLUDE_DIRECTORIES>)
-        matter_add_flags(-DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE=<nrf-psa-crypto-user-config.h>)
+        matter_add_flags(-DTF_PSA_CRYPTO_USER_CONFIG_FILE=<nrf-psa-crypto-user-config.h>)
     endif()
 
     zephyr_include_directories($<TARGET_PROPERTY:psa_interface,INTERFACE_INCLUDE_DIRECTORIES>)
     if(TARGET platform_cc3xx)
         zephyr_include_directories($<TARGET_PROPERTY:platform_cc3xx,INTERFACE_INCLUDE_DIRECTORIES>)
     endif()
-    matter_add_flags(-DMBEDTLS_CONFIG_FILE=<nrf-config.h>)
-    matter_add_flags(-DMBEDTLS_PSA_CRYPTO_CONFIG_FILE=<nrf-psa-crypto-config.h>)
+    matter_add_flags(-DTF_PSA_CRYPTO_CONFIG_FILE=<nrf-psa-crypto-config.h>)
 elseif(CONFIG_MBEDTLS)
     zephyr_include_directories($<TARGET_PROPERTY:mbedTLS,INTERFACE_INCLUDE_DIRECTORIES>)
     zephyr_compile_definitions($<TARGET_PROPERTY:mbedTLS,INTERFACE_COMPILE_DEFINITIONS>)

@@ -247,8 +247,8 @@ config CHIP_FACTORY_DATA_GENERATE_ONBOARDING_CODES
 	default y
 	help
 	  Enables generation of onboarding codes (manual pairing code and QR code)
-	  during the generation of a factory data set. You can provide the 
-	  onboarding codes a Matter controller to commission a device to a Matter 
+	  during the generation of a factory data set. You can provide the
+	  onboarding codes a Matter controller to commission a device to a Matter
 	  network.
 
 # Select source of the certificates
@@ -512,25 +512,24 @@ choice CHIP_WIFI_CRYPTO_BACKEND
 
 config CHIP_WIFI_CRYPTO_BACKEND_PSA
 	bool "Matter WiFi PSA crypto backend"
-    select PSA_WANT_ALG_ECDSA
-    select PSA_WANT_ALG_ECDH
-    select PSA_WANT_ECC_SECP_R1_256
-    select PSA_WANT_ALG_HKDF
-    select PSA_INTERNAL_TRUSTED_STORAGE
-    select MBEDTLS_PSA_CRYPTO_STORAGE_C if !BUILD_WITH_TFM
-    select TRUSTED_STORAGE if !BUILD_WITH_TFM
-    select HW_UNIQUE_KEY_WRITE_ON_CRYPTO_INIT if (SOC_NRF5340_CPUAPP || SOC_SERIES_NRF54L)
-    select MBEDTLS_PSA_CRYPTO_C
-    select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
+	select PSA_WANT_ALG_ECDSA
+	select PSA_WANT_ALG_ECDH
+	select PSA_WANT_ECC_SECP_R1_256
+	select PSA_WANT_ALG_HKDF
+	select PSA_INTERNAL_TRUSTED_STORAGE
+	select MBEDTLS_PSA_CRYPTO_STORAGE_C if !BUILD_WITH_TFM
+	select TRUSTED_STORAGE if !BUILD_WITH_TFM
+	select HW_UNIQUE_KEY_WRITE_ON_CRYPTO_INIT if (SOC_NRF5340_CPUAPP || SOC_SERIES_NRF54L)
+	select MBEDTLS_PSA_CRYPTO_C
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
 
 config CHIP_WIFI_CRYPTO_BACKEND_MBEDTLS
 	bool "Matter WiFi mbedTLS crypto backend"
 	select MBEDTLS
-	imply NORDIC_SECURITY_BACKEND
-	imply MBEDTLS_PSA_CRYPTO_C
+	imply PSA_CRYPTO
 	imply MBEDTLS_PROMPTLESS
 
 endchoice

@@ -365,8 +365,6 @@ endif # CHIP_WIFI
 
 choice OPENTHREAD_SECURITY_CONFIG
     default OPENTHREAD_NRF_SECURITY_PSA_CHOICE if CHIP_CRYPTO_PSA
-    default OPENTHREAD_NRF_SECURITY_CHOICE
-
 endchoice
 
 choice RNG_GENERATOR_CHOICE
@@ -420,9 +418,6 @@ endif # CHIP_CRYPTO_PSA
 
 if !CHIP_CRYPTO_PSA
 
-config OBERON_BACKEND
-    default y
-
 config MBEDTLS_AES_C
     default y
 
@@ -435,9 +430,6 @@ config MBEDTLS_CIPHER_MODE_CTR
 config MBEDTLS_MD_C
     default y
 
-config MBEDTLS_SHA1_C
-    default y if CHIP_WIFI
-
 config MBEDTLS_SHA256_C
     default y
 
@@ -459,49 +451,22 @@ config MBEDTLS_X509_CSR_WRITE_C
 config MBEDTLS_ECP_C
     default y
 
-config MBEDTLS_ECP_DP_SECP256R1_ENABLED
-    default y
-
 endif # !CHIP_CRYPTO_PSA
 
+config MBEDTLS_ASN1_WRITE_C
+    default y
+
 config MBEDTLS_SSL_OUT_CONTENT_LEN
     default 900 if CHIP_WIFI
 
 # Disable unneeded crypto operations
 
-config MBEDTLS_SHA384_C
-    default n
-
-config MBEDTLS_SHA512_C
-    default n
-
-config MBEDTLS_CIPHER_MODE_XTS
-    default n
-
-config MBEDTLS_CHACHA20_C
-    default n
-
-config MBEDTLS_POLY1305_C
-    default n
-
-config MBEDTLS_CHACHAPOLY_C
-    default n
-
-config MBEDTLS_GCM_C
-    default n
-
-config MBEDTLS_RSA_C
-    default n
-
 config MBEDTLS_SSL_SRV_C
     default n
 
 config MBEDTLS_SSL_COOKIE_C
     default n
 
-config MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
-    default y
-
 # ==============================================================================
 # Logging configuration
 # ==============================================================================

@@ -35,10 +35,15 @@
 
 #include <psa/crypto.h>
 
+#if (MBEDTLS_VERSION_NUMBER >= 0x04000000)
+#include <mbedtls/private/bignum.h>
+#include <mbedtls/private/ecp.h>
+#else
 #include <mbedtls/bignum.h>
 #include <mbedtls/ecp.h>
+#endif
+
 #include <mbedtls/error.h>
-#include <mbedtls/x509_csr.h>
 
 #include <string.h>
 #include <type_traits>

@@ -19,10 +19,15 @@
 
 #include <lib/support/logging/CHIPLogging.h>
 
-#include <mbedtls/ecp.h>
 #include <mbedtls/error.h>
 #include <mbedtls/version.h>
 
+#if (MBEDTLS_VERSION_NUMBER >= 0x04000000)
+#include <mbedtls/private/ecp.h>
+#else
+#include <mbedtls/ecp.h>
+#endif
+
 namespace chip {
 namespace Crypto {
 

@@ -28,12 +28,18 @@
 #include <lib/support/CodeUtils.h>
 #include <lib/support/SafeInt.h>
 
-#include <mbedtls/ecp.h>
+#if CHIP_CRYPTO_USE_X509
 #include <mbedtls/oid.h>
+
+#if (MBEDTLS_VERSION_NUMBER >= 0x04000000)
+#include <mbedtls/private/ecp.h>
+#else
+#include <mbedtls/ecp.h>
+#endif
+
 #include <mbedtls/x509.h>
 #include <mbedtls/x509_csr.h>
 
-#if CHIP_CRYPTO_USE_X509
 #include <mbedtls/x509_crt.h>
 #endif // CHIP_CRYPTO_USE_X509
 

@@ -126,7 +126,7 @@ CHIP_ERROR FactoryDataProvider<FlashFactoryData>::MoveDACPrivateKeyToSecureStora
 
 // If key should be migrated to KMU save the KMU key slot to keyId.
 #ifdef CONFIG_CHIP_CRYPTO_PSA_DAC_PRIV_KEY_KMU
-    mDACPrivKeyId = static_cast<psa_key_id_t>(PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(
+    mDACPrivKeyId = static_cast<psa_key_id_t>(PSA_KEY_ID_FROM_CRACEN_KMU_SLOT(
 #ifdef CONFIG_CHIP_CRYPTO_PSA_DAC_PRIV_KEY_KMU_ENCRYPTED
         CRACEN_KMU_KEY_USAGE_SCHEME_ENCRYPTED,
 #else

@@ -39,11 +39,11 @@
 #endif
 
 // Define the start of the KMU slots for Matter.
-#define KMU_NOC_SLOT_START PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, CONFIG_CHIP_KMU_SLOT_RANGE_START)
+#define KMU_NOC_SLOT_START PSA_KEY_ID_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, CONFIG_CHIP_KMU_SLOT_RANGE_START)
 #define KMU_ICD_SLOT_START                                                                                                         \
-    PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, (KMU_NOC_SLOT_START + KMU_SLOTS_NOC_MAX_NUMBER))
+    PSA_KEY_ID_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, (KMU_NOC_SLOT_START + KMU_SLOTS_NOC_MAX_NUMBER))
 #define KMU_GROUP_KEYS_SLOT_START                                                                                                  \
-    PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, (KMU_ICD_SLOT_START + KMU_SLOTS_ICD_MAX_NUMBER))
+    PSA_KEY_ID_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, (KMU_ICD_SLOT_START + KMU_SLOTS_ICD_MAX_NUMBER))
 
 // Check whether the DAC KMU slot does not overlap with the KMU slots dedicated for Matter core.
 #if defined(CONFIG_CHIP_CRYPTO_PSA_DAC_PRIV_KEY_KMU) &&                                                                            \
@@ -59,8 +59,7 @@ class KMUKeyAllocator : public chip::Crypto::PSAKeyAllocator
 public:
     psa_key_id_t GetDacKeyId() override
     {
-        return PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW,
-                                                   CONFIG_CHIP_CRYPTO_PSA_DAC_PRIV_KEY_KMU_SLOT_ID);
+        return PSA_KEY_ID_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, CONFIG_CHIP_CRYPTO_PSA_DAC_PRIV_KEY_KMU_SLOT_ID);
     }
     psa_key_id_t GetOpKeyId(FabricIndex fabricIndex) override
     {
@@ -79,9 +78,9 @@ class KMUKeyAllocator : public chip::Crypto::PSAKeyAllocator
     {
         // Set the key lifetime to persistent and the location to CRACEN_KMU if key is in a proper range
         if (psa_get_key_id(&attrs) >=
-                PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, CONFIG_CHIP_KMU_SLOT_RANGE_START) &&
+                PSA_KEY_ID_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, CONFIG_CHIP_KMU_SLOT_RANGE_START) &&
             psa_get_key_id(&attrs) <
-                PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, CONFIG_CHIP_KMU_SLOT_RANGE_END))
+                PSA_KEY_ID_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, CONFIG_CHIP_KMU_SLOT_RANGE_END))
         {
             psa_set_key_lifetime(
                 &attrs, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(PSA_KEY_PERSISTENCE_DEFAULT, PSA_KEY_LOCATION_CRACEN_KMU));