[nrf noup] boot: bootutil: encrypted*.c: fix Mbed TLS header inclusion

michalek-no · tomi-font · commit 3c08c6c9c949 · 2026-05-20T15:33:01.000+03:00
It's needed for MBEDTLS_OID_EC_ALG_UNRESTRICTED, which is gone from the
Mbed TLS repo itself and is now in a different header in TF-PSA-Crypto.

Enable MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS in PSA ECDSA and ED25519
builds otherwise we get errors because of missing types in the inclusion
of this new header file.

Signed-off-by: Tomi Fontanilles &lt;tomi.fontanilles@nordicsemi.no&gt;
diff --git a/boot/bootutil/src/encrypted.c b/boot/bootutil/src/encrypted.c
@@ -38,7 +38,7 @@
 #if defined(MCUBOOT_ENCRYPT_EC256) || defined(MCUBOOT_ENCRYPT_X25519)
 #include "bootutil/crypto/sha.h"
 #include "bootutil/crypto/hmac_sha256.h"
-#include "mbedtls/oid.h"
+#include "crypto_oid.h"
 #include "mbedtls/asn1.h"
 #endif
 #endif
diff --git a/boot/bootutil/src/encrypted_psa.c b/boot/bootutil/src/encrypted_psa.c
@@ -14,7 +14,7 @@
 #define MBEDTLS_ASN1_PARSE_C
 
 #include "bootutil/crypto/sha.h"
-#include "mbedtls/oid.h"
+#include "crypto_oid.h"
 #include "mbedtls/asn1.h"
 
 #include "bootutil/image.h"
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
@@ -98,6 +98,7 @@ config BOOT_ED25519_PSA_DEPENDENCIES
 	select PSA_WANT_ECC_TWISTED_EDWARDS_255
 	select PSA_WANT_ECC_MONTGOMERY_255
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT if !PSA_CORE_LITE
+	select MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS if BOOT_ENCRYPT_X25519
 	help
 	  Dependencies for ed25519 signature
 
@@ -127,6 +128,7 @@ config BOOT_ECDSA_PSA_DEPENDENCIES
 	select PSA_WANT_ALG_ECDSA
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT if !PSA_CORE_LITE
 	select PSA_WANT_ECC_SECP_R1_256
+	select MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS if BOOT_ENCRYPT_EC256
 	help
 	  Dependencies for ECDSA signature
 
@@ -289,6 +291,10 @@ config BOOT_SIGNATURE_TYPE_ECDSA_P256
 	bool "Elliptic curve digital signatures with curve P-256"
 	select BOOT_ENCRYPTION_SUPPORT
 	select BOOT_IMG_HASH_ALG_SHA256_ALLOW
+	# Enable nrf_security for include paths to oberon-psa-crypto which has mbedtls headers
+	# (e.g. crypto_oid.h), needed also in cases other than BOOT_ECDSA_PSA.
+	select NRF_SECURITY
+	imply MBEDTLS_ASN1_PARSE_C
 
 if BOOT_SIGNATURE_TYPE_ECDSA_P256
 choice BOOT_ECDSA_IMPLEMENTATION
