modules: tf-m: adapt to TF-PSA-Crypto

tomi-font · tomi-font · commit bb1dcb59da0a · 2026-05-11T15:05:14.000+03:00
Changes include:

- Updating TF-M revision with changes needed in the repo.

- Removing the unnecessary installation of many PSA Crypto
  header files.

- Adjusting include directories of psa_interface and moving
  them to a dedicated common CMake file instead of
  duplicating them.

- Moving the MBEDTLS_PLATFORM_*_ALT configs from the Mbed TLS
  to the crypto library config file
  (MBEDTLS_PLATFORM_PRINTF_ALT was needed for TF-M,
   MBEDTLS_ENTROPY_HARDWARE_ALT is gone with Mbed TLS 4,
   MBEDTLS_PLATFORM_ZEROIZE_ALT wasn't properly integrated).

- Some cleanup here and there.

Signed-off-by: Tomi Fontanilles &lt;tomi.fontanilles@nordicsemi.no&gt;
diff --git a/modules/trusted-firmware-m/tfm_boards/external_core.cmake b/modules/trusted-firmware-m/tfm_boards/external_core.cmake
@@ -27,26 +27,9 @@ if(TARGET tfm_api_ns)
     )
 endif()
 
-# Duplicates that can be removed
-#set(TFM_MBEDCRYPTO_CONFIG_PATH ${CONFIG_MBEDTLS_CONFIG_FILE})
-#set(TFM_MBEDCRYPTO_PSA_CRYPTO_CONFIG_PATH ${CONFIG_TF_PSA_CRYPTO_CONFIG_FILE})
-#set(TFM_MBEDCRYPTO_PSA_CRYPTO_USER_CONFIG_PATH ${CONFIG_TF_PSA_CRYPTO_USER_CONFIG_FILE})
-
-# Note: This is a duplicate from nrf_security/CMakeLists.txt
-#       with additions of the install-target for Oberon-psa-core includes
 if(TARGET psa_interface)
     set(EXTERNAL_CRYPTO_CORE_HANDLED_PSA_INTERFACE True)
-    target_include_directories(psa_interface
-        INTERFACE
-            ${NRF_SECURITY_DIR}/include
-            $<BUILD_INTERFACE:${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/include>
-            # Oberon library
-            ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/library
-            # Mbed TLS (mbedcrypto) PSA headers
-            ${ZEPHYR_MBEDTLS_MODULE_DIR}/library
-            ${ZEPHYR_MBEDTLS_MODULE_DIR}/include
-            ${ZEPHYR_MBEDTLS_MODULE_DIR}/include/library
-    )
+    include(${NRF_SECURITY_DIR}/cmake/psa_interface_include_directories.cmake)
 endif()
 
 # Constructing config libraries in partition/crypto/CMakeLists.txt
diff --git a/modules/trusted-firmware-m/tfm_boards/external_core_install.cmake b/modules/trusted-firmware-m/tfm_boards/external_core_install.cmake
diff --git a/subsys/nrf_security/CMakeLists.txt b/subsys/nrf_security/CMakeLists.txt
@@ -44,7 +44,7 @@ if(CONFIG_BUILD_WITH_TFM OR CONFIG_PSA_SSF_CRYPTO_CLIENT)
 
   # Add replacement platform.c for NS build
   list(APPEND src_zephyr
-    ${ZEPHYR_MBEDTLS_MODULE_DIR}/library/platform.c
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/platform/platform.c
   )
 
   # The current version of the mbed TLS deliverables requires mbedcrypto built
@@ -54,10 +54,7 @@ if(CONFIG_BUILD_WITH_TFM OR CONFIG_PSA_SSF_CRYPTO_CLIENT)
 
   get_cmake_property(all_vars VARIABLES)
 
-  # 1. Non-secure should not build the PSA core or drivers
-  set(CONFIG_MBEDTLS_PSA_CRYPTO_C               False)
-
-  # 2. Enable OBERON_BACKEND, disable CC3XX_BACKEND
+  # Enable OBERON_BACKEND, disable CC3XX_BACKEND
   set(CONFIG_NRF_OBERON                         True)
   set(CONFIG_OBERON_BACKEND                     True)
   set(CONFIG_CC3XX_BACKEND                      False)
@@ -66,7 +63,7 @@ if(CONFIG_BUILD_WITH_TFM OR CONFIG_PSA_SSF_CRYPTO_CLIENT)
   set(CONFIG_NRF_CC3XX_PLATFORM                 False)
   set(CONFIG_PSA_CRYPTO_DRIVER_CC3XX            False)
 
-  # 3. Special case: _ALT in CC3XX, not in OBERON (set  to False)
+  # Special case: _ALT in CC3XX, not in OBERON (set  to False)
   set(CONFIG_MBEDTLS_AES_ALT                    False)
   set(CONFIG_MBEDTLS_CCM_ALT                    False)
   set(CONFIG_MBEDTLS_CHACHAPOLY_ALT             False)
@@ -76,11 +73,11 @@ if(CONFIG_BUILD_WITH_TFM OR CONFIG_PSA_SSF_CRYPTO_CLIENT)
   set(CONFIG_MBEDTLS_DHM_ALT                    False)
   set(CONFIG_MBEDTLS_RSA_ALT                    False)
 
-  # 4. Special case: _ALT in ECJPAKE (only in OBERON, set to True)
-  #    Only has effect if ECJPAKE is enabled
+  # Special case: _ALT in ECJPAKE (only in OBERON, set to True)
+  # Only has effect if ECJPAKE is enabled
   set(CONFIG_MBEDTLS_ECJPAKE_ALT                True)
 
-  # 5. Special case: Handle platform specific configurations
+  # Special case: Handle platform specific configurations
   set(CONFIG_MBEDTLS_PLATFORM_EXIT_ALT                 False)
   set(CONFIG_MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT       False)
 else()
@@ -112,14 +109,7 @@ target_compile_definitions(psa_crypto_library_config
 # The name and intent of this comes from TF-M distribution
 add_library(psa_interface INTERFACE)
 
-target_include_directories(psa_interface
-  INTERFACE
-    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/include
-    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/library
-    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/core/
-    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/dispatch/
-    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/platform/
-)
+include(cmake/psa_interface_include_directories.cmake)
 
 # Finally adding the crypto lib
 add_subdirectory(${ZEPHYR_NRFXLIB_MODULE_DIR}/crypto crypto_copy)
diff --git a/subsys/nrf_security/Kconfig.legacy b/subsys/nrf_security/Kconfig.legacy
@@ -64,10 +64,6 @@ config MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
 	default y if CC3XX_BACKEND || PSA_CRYPTO_DRIVER_CC3XX
 	depends on !BUILD_WITH_TFM
 
-config MBEDTLS_ENTROPY_HARDWARE_ALT
-	bool
-	default y
-
 config MBEDTLS_THREADING_ALT
 	bool
 	default y if CC3XX_BACKEND || MBEDTLS_PSA_CRYPTO_C
diff --git a/subsys/nrf_security/cmake/nrf_config.cmake b/subsys/nrf_security/cmake/nrf_config.cmake
@@ -14,16 +14,6 @@ kconfig_check_and_set_base(MBEDTLS_DEBUG_C)
 kconfig_check_and_set_base(MBEDTLS_THREADING_C)
 kconfig_check_and_set_base(MBEDTLS_THREADING_ALT)
 
-# Platform configurations for _ALT defines
-kconfig_check_and_set_base(MBEDTLS_PLATFORM_EXIT_ALT)
-kconfig_check_and_set_base(MBEDTLS_PLATFORM_FPRINTF_ALT)
-kconfig_check_and_set_base(MBEDTLS_PLATFORM_PRINTF_ALT)
-kconfig_check_and_set_base(MBEDTLS_PLATFORM_SNPRINTF_ALT)
-kconfig_check_and_set_base(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
-kconfig_check_and_set_base(MBEDTLS_ENTROPY_HARDWARE_ALT)
-kconfig_check_and_set_base(MBEDTLS_THREADING_ALT)
-kconfig_check_and_set_base(MBEDTLS_PLATFORM_ZEROIZE_ALT)
-
 # Legacy configurations for _ALT defines
 kconfig_check_and_set_base(MBEDTLS_AES_SETKEY_ENC_ALT)
 kconfig_check_and_set_base(MBEDTLS_AES_SETKEY_DEC_ALT)
diff --git a/subsys/nrf_security/cmake/psa_crypto_config.cmake b/subsys/nrf_security/cmake/psa_crypto_config.cmake
@@ -20,6 +20,13 @@ kconfig_check_and_set_base(MBEDTLS_PLATFORM_MEMORY)
 kconfig_check_and_set_base(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
 kconfig_check_and_set_base(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
 
+# Platform _ALT
+kconfig_check_and_set_base_to_one(MBEDTLS_PLATFORM_EXIT_ALT)
+kconfig_check_and_set_base_to_one(MBEDTLS_PLATFORM_FPRINTF_ALT)
+kconfig_check_and_set_base_to_one(MBEDTLS_PLATFORM_PRINTF_ALT)
+kconfig_check_and_set_base_to_one(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
+kconfig_check_and_set_base_to_one(MBEDTLS_PLATFORM_SNPRINTF_ALT)
+
 # TF-M
 kconfig_check_and_set_base_to_one(MBEDTLS_PSA_CRYPTO_SPM)
 
diff --git a/subsys/nrf_security/cmake/psa_interface_include_directories.cmake b/subsys/nrf_security/cmake/psa_interface_include_directories.cmake
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2026 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+target_include_directories(psa_interface
+  INTERFACE
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/include
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/library
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/core
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/dispatch
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/platform
+    ${NRF_SECURITY_DIR}/include
+)
diff --git a/subsys/nrf_security/configs/nrf-config.h.template b/subsys/nrf_security/configs/nrf-config.h.template
@@ -20,14 +20,6 @@
 #cmakedefine MBEDTLS_NO_PLATFORM_ENTROPY
 #cmakedefine MBEDTLS_DEBUG_C
 
-/* Platform configurations for _ALT defines */
-#cmakedefine MBEDTLS_PLATFORM_EXIT_ALT
-#cmakedefine MBEDTLS_PLATFORM_FPRINTF_ALT
-#cmakedefine MBEDTLS_PLATFORM_PRINTF_ALT
-#cmakedefine MBEDTLS_PLATFORM_SNPRINTF_ALT
-#cmakedefine MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
-#cmakedefine MBEDTLS_ENTROPY_HARDWARE_ALT
-
 /* Threading configurations */
 #cmakedefine MBEDTLS_THREADING_C
 #cmakedefine MBEDTLS_THREADING_ALT
diff --git a/subsys/nrf_security/configs/psa_crypto_config.h.template b/subsys/nrf_security/configs/psa_crypto_config.h.template
@@ -23,6 +23,13 @@
 #cmakedefine MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
 #cmakedefine MBEDTLS_MEMORY_BUFFER_ALLOC_C
 
+/* Platform _ALT */
+#cmakedefine MBEDTLS_PLATFORM_EXIT_ALT
+#cmakedefine MBEDTLS_PLATFORM_FPRINTF_ALT
+#cmakedefine MBEDTLS_PLATFORM_PRINTF_ALT
+#cmakedefine MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
+#cmakedefine MBEDTLS_PLATFORM_SNPRINTF_ALT
+
 /* TF-M */
 #cmakedefine MBEDTLS_PSA_CRYPTO_SPM
 
diff --git a/subsys/nrf_security/src/CMakeLists.txt b/subsys/nrf_security/src/CMakeLists.txt
@@ -171,8 +171,7 @@ endif()
 # Add drivers (for legacy and PSA crypto build)
 add_subdirectory(drivers)
 
-# Add legacy Mbed TLS APIs
-if(CONFIG_MBEDTLS_LEGACY_CRYPTO_C OR (CONFIG_NRF_OBERON AND CONFIG_BUILD_WITH_TFM))
+if(CONFIG_MBEDTLS_LEGACY_CRYPTO_C)
   add_subdirectory(legacy)
 endif()
 
diff --git a/subsys/nrf_security/src/core/nrf_oberon/CMakeLists.txt b/subsys/nrf_security/src/core/nrf_oberon/CMakeLists.txt
@@ -20,27 +20,18 @@ append_with_prefix(src_crypto_core_oberon ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}
   psa_crypto_storage.c
 )
 
-add_library(psa_core STATIC
-    ${src_crypto_core_oberon}
-)
-
-# Add the nordic version of psa_crypto_driver_wrappers with the core (out of tree)
-target_sources(psa_core
-  PRIVATE
-    ${NRF_SECURITY_DIR}/src/psa_crypto_driver_wrappers.c
+append_with_prefix(src_crypto_core_oberon ${NRF_SECURITY_DIR}/src/
+  psa_crypto_driver_wrappers.c
 )
 
 if(CONFIG_MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
-  target_sources(psa_core
-    PRIVATE
-      ${NRF_SECURITY_DIR}/src/mbedtls_psa_platform.c
+  append_with_prefix(src_crypto_core_oberon ${NRF_SECURITY_DIR}/src/
+    mbedtls_psa_platform.c
   )
 endif()
 
-target_link_libraries(psa_core
-  PRIVATE
-    psa_crypto_library_config
-    psa_interface
+add_library(psa_core STATIC
+    ${src_crypto_core_oberon}
 )
 
 target_compile_definitions(psa_core
diff --git a/subsys/nrf_security/tfm/CMakeLists.txt b/subsys/nrf_security/tfm/CMakeLists.txt
@@ -61,9 +61,6 @@ endif()
 set(CONFIG_MBEDTLS_THREADING_ALT                    False)
 set(CONFIG_MBEDTLS_THREADING_C                      False)
 
-# mbedtls_printf is used to print messages including error information.
-set(MBEDTLS_PLATFORM_PRINTF_ALT                     True)
-
 # Set the a define stating that KEY_ID encodes owner
 set(CONFIG_MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER  True)
 
diff --git a/west.yml b/west.yml
@@ -150,7 +150,7 @@ manifest:
     - name: trusted-firmware-m
       repo-path: sdk-trusted-firmware-m
       path: modules/tee/tf-m/trusted-firmware-m
-      revision: 7c7180bd5ac51bea384adfb6bd98979f948b692c
+      revision: pull/253/head
     - name: psa-arch-tests
       repo-path: sdk-psa-arch-tests
       path: modules/tee/tf-m/psa-arch-tests
