nrf_security: stop using MBEDTLS_CONFIG_FILE for PSA Crypto

tomi-font · tomi-font · commit 454d5f1fdbc8 · 2026-05-11T08:46:02.000+03:00
It's now only used for Mbed TLS itself, not TF-PSA-Crypto, so stop
generating/feeding the file in those cases and guard the Kconfig option
behind CONFIG_MBEDTLS (configdefault didn't work).

Signed-off-by: Tomi Fontanilles &lt;tomi.fontanilles@nordicsemi.no&gt;
diff --git a/modules/trusted-firmware-m/tfm_boards/external_core.cmake b/modules/trusted-firmware-m/tfm_boards/external_core.cmake
@@ -56,7 +56,6 @@ if(TARGET psa_crypto_config)
     set(EXTERNAL_CRYPTO_CORE_HANDLED_PSA_CRYPTO_CONFIG True)
     target_compile_definitions(psa_crypto_config
         INTERFACE
-            MBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CONFIG_FILE}"
             TF_PSA_CRYPTO_CONFIG_FILE="${CONFIG_TF_PSA_CRYPTO_CONFIG_FILE}"
             # Give a signal that we are inside TF-M build to prevent check_config.h
             # complaining about lacking legacy features for Mbed TLS wrapper APIs, TLS/DTLS and X.509.
@@ -77,7 +76,6 @@ if(TARGET psa_crypto_library_config)
     set(EXTERNAL_CRYPTO_CORE_HANDLED_PSA_CRYPTO_LIBRARY_CONFIG True)
     target_compile_definitions(psa_crypto_library_config
         INTERFACE
-            MBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CONFIG_FILE}"
             TF_PSA_CRYPTO_CONFIG_FILE="${CONFIG_TF_PSA_CRYPTO_CONFIG_FILE}"
             TF_PSA_CRYPTO_USER_CONFIG_FILE="${CONFIG_TF_PSA_CRYPTO_USER_CONFIG_FILE}"
     )
@@ -119,7 +117,6 @@ if(TARGET tfm_sprt)
     set(EXTERNAL_CRYPTO_CORE_HANDLED_TFM_SPRT True)
     target_compile_definitions(tfm_sprt
         PRIVATE
-            MBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CONFIG_FILE}"
             TF_PSA_CRYPTO_CONFIG_FILE="${CONFIG_TF_PSA_CRYPTO_CONFIG_FILE}"
             INSIDE_TFM_BUILD
     )
diff --git a/modules/trusted-firmware-m/tfm_boards/external_core_install.cmake b/modules/trusted-firmware-m/tfm_boards/external_core_install.cmake
@@ -37,7 +37,6 @@ install(
 
 install(
   FILES
-    ${PSA_CRYPTO_CONFIG_INTERFACE_PATH}/${CONFIG_MBEDTLS_CONFIG_FILE}
     ${PSA_CRYPTO_CONFIG_INTERFACE_PATH}/${CONFIG_TF_PSA_CRYPTO_CONFIG_FILE}
   DESTINATION
     ${INSTALL_INTERFACE_INC_DIR}/
diff --git a/subsys/nrf_security/Kconfig b/subsys/nrf_security/Kconfig
@@ -62,6 +62,7 @@ config MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
 	  Promptless option used to control if the PSA Crypto core should have support for builtin keys or not.
 
 config MBEDTLS_CONFIG_FILE
+	depends on MBEDTLS
 	default "nrf-config.h"
 
 if MBEDTLS_ENABLE_HEAP
diff --git a/subsys/nrf_security/cmake/generate_configs.cmake b/subsys/nrf_security/cmake/generate_configs.cmake
@@ -47,7 +47,7 @@ macro(generate_mbedcrypto_interface_configs)
     # Generate MBEDCRYPTO_CONFIG_FILE
     if(CONFIG_MBEDTLS_LEGACY_CRYPTO_C)
       include(${NRF_SECURITY_DIR}/cmake/legacy_crypto_config.cmake)
-    else()
+    elseif(CONFIG_MBEDTLS)
       include(${NRF_SECURITY_DIR}/cmake/nrf_config.cmake)
     endif()
 
@@ -128,7 +128,7 @@ macro(generate_mbedcrypto_library_configs)
     # Generate MBEDCRYPTO_CONFIG_FILE
     if(CONFIG_MBEDTLS_LEGACY_CRYPTO_C)
       include(${NRF_SECURITY_DIR}/cmake/legacy_crypto_config.cmake)
-    else()
+    elseif(CONFIG_MBEDTLS)
       include(${NRF_SECURITY_DIR}/cmake/nrf_config.cmake)
     endif()
 
