[nrf noup] boot: bootutil: encrypted*.c: fix Mbed TLS header inclusion

michalek-no · carlescufi · commit e3f0d991b708 · 2026-05-22T10:32:05.000+02:00
It's needed for MBEDTLS_OID_EC_ALG_UNRESTRICTED, which is gone from the
Mbed TLS repo itself and is now in a different header in TF-PSA-Crypto.

Enable MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS in PSA ECDSA and ED25519
builds otherwise we get errors because of missing types in the inclusion
of this new header file.

Signed-off-by: Tomi Fontanilles &lt;tomi.fontanilles@nordicsemi.no&gt;
diff --git a/boot/bootutil/src/encrypted.c b/boot/bootutil/src/encrypted.c
@@ -38,7 +38,7 @@
 #if defined(MCUBOOT_ENCRYPT_EC256) || defined(MCUBOOT_ENCRYPT_X25519)
 #include "bootutil/crypto/sha.h"
 #include "bootutil/crypto/hmac_sha256.h"
-#include "mbedtls/oid.h"
+#include "crypto_oid.h"
 #include "mbedtls/asn1.h"
 #endif
 #endif
diff --git a/boot/bootutil/src/encrypted_psa.c b/boot/bootutil/src/encrypted_psa.c
@@ -14,7 +14,7 @@
 #define MBEDTLS_ASN1_PARSE_C
 
 #include "bootutil/crypto/sha.h"
-#include "mbedtls/oid.h"
+#include "crypto_oid.h"
 #include "mbedtls/asn1.h"
 
 #include "bootutil/image.h"
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
@@ -98,6 +98,7 @@ config BOOT_ED25519_PSA_DEPENDENCIES
 	select PSA_WANT_ECC_TWISTED_EDWARDS_255
 	select PSA_WANT_ECC_MONTGOMERY_255
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT if !PSA_CORE_LITE
+	select MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS if BOOT_ENCRYPT_X25519
 	help
 	  Dependencies for ed25519 signature
 
@@ -127,6 +128,7 @@ config BOOT_ECDSA_PSA_DEPENDENCIES
 	select PSA_WANT_ALG_ECDSA
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT if !PSA_CORE_LITE
 	select PSA_WANT_ECC_SECP_R1_256
+	select MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS if BOOT_ENCRYPT_EC256
 	help
 	  Dependencies for ECDSA signature
 
@@ -289,6 +291,10 @@ config BOOT_SIGNATURE_TYPE_ECDSA_P256
 	bool "Elliptic curve digital signatures with curve P-256"
 	select BOOT_ENCRYPTION_SUPPORT
 	select BOOT_IMG_HASH_ALG_SHA256_ALLOW
+	# Enable nrf_security for include paths to oberon-psa-crypto which has mbedtls headers
+	# (e.g. crypto_oid.h), needed also in cases other than BOOT_ECDSA_PSA.
+	select NRF_SECURITY
+	imply MBEDTLS_ASN1_PARSE_C
 
 if BOOT_SIGNATURE_TYPE_ECDSA_P256
 choice BOOT_ECDSA_IMPLEMENTATION
@@ -329,6 +335,9 @@ config BOOT_SIGNATURE_TYPE_ED25519
 	select BOOT_IMG_HASH_ALG_SHA256_ALLOW if !BOOT_SIGNATURE_TYPE_PURE
 	# The SHA is used only for key hashing, not for images.
 	select BOOT_SIGNATURE_TYPE_PURE_ALLOW
+	# Enable nrf_security for include paths to oberon-psa-crypto which has mbedtls headers
+	# (e.g. crypto_oid.h), needed also in cases other than BOOT_ED25519_PSA.
+	select NRF_SECURITY
 	help
 	  This is ed25519 signature calculated over SHA512 of SHA256 of application
 	  image.
@@ -358,6 +367,14 @@ config BOOT_ED25519_TINYCRYPT
 	select BOOT_IMG_HASH_ALG_SHA256_ALLOW
 	select BOOT_IMG_HASH_ALG_SHA512_ALLOW
 
+if BOOT_ED25519_TINYCRYPT
+	# config-ed25519.h defines MBEDTLS_MPI_MAX_SIZE as 64, so
+	# set the correct Kconfig value too to avoid differing definitions
+	config MBEDTLS_MPI_MAX_SIZE
+	range 64 2048
+	default 64
+endif
+
 config BOOT_ED25519_MBEDTLS
 	bool "Use mbedTLS"
 	select BOOT_USE_MBEDTLS
