nrfconnect · nordicjm · Oct 22, 2024 · Oct 17, 2024 · Oct 17, 2024 · Oct 20, 2024
@@ -1,6 +1,5 @@
 #-------------------------------------------------------------------------------
-# Copyright (c) 2024, Arm Limited. All rights reserved.
-# Copyright (c) 2024, Nordic Semiconductor ASA.
+# Copyright (c) 2024, Nordic Semiconductor
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
 #
@@ -93,7 +92,6 @@ if(TARGET psa_crypto_library_config)
     target_compile_definitions(psa_crypto_library_config
         INTERFACE
             MBEDTLS_PSA_CRYPTO_DRIVERS
-            MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
             $<$<BOOL:${CRYPTO_TFM_BUILTIN_KEYS_DRIVER}>:PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER>
     )
 endif()

@@ -117,14 +117,6 @@ target_compile_definitions(psa_crypto_library_config
 # The name and intent of this comes from TF-M distribution
 add_library(psa_interface INTERFACE)
 
-if(CONFIG_MBEDTLS_ENABLE_BUILTIN_KEYS)
-# Add config files required for PSA crypto interface
-target_compile_definitions(psa_interface
-  INTERFACE
-  MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
-)
-endif()
-
 # Add the includes from nrf_security, Oberon PSA core, and Arm Mbed TLS
 # to the psa_interface library
 target_include_directories(psa_interface

@@ -53,12 +53,12 @@ config PSA_PROMPTLESS
 
 if NRF_SECURITY
 
-config MBEDTLS_ENABLE_BUILTIN_KEYS
+config MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
 	bool
-	default y if SOC_SERIES_NRF54LX && (HW_UNIQUE_KEY || IDENTITY_KEY)
+	default y if SOC_SERIES_NRF54LX && PSA_CRYPTO_DRIVER_CRACEN
 	default y if SOC_SERIES_NRF54HX && (SOC_NRF54H20_CPUSEC || SOC_NRF54H20_ENGB_CPUSEC)
 	help
-	  Promptless option used to control if MBEDTLS should have support for builtin keys or not.
+	  Promptless option used to control if the PSA Crypto core should have support for builtin keys or not.
 
 config MBEDTLS_CFG_FILE
 	string "mbed TLS configuration file"

@@ -14,6 +14,7 @@ kconfig_check_and_set_base(MBEDTLS_PSA_CRYPTO_CLIENT)
 kconfig_check_and_set_base(MBEDTLS_PSA_CRYPTO_C)
 kconfig_check_and_set_base(MBEDTLS_USE_PSA_CRYPTO)
 kconfig_check_and_set_base(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+kconfig_check_and_set_base(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
 
 # Platform
 kconfig_check_and_set_base(MBEDTLS_PLATFORM_C)

@@ -1114,22 +1114,6 @@
  */
 #cmakedefine MBEDTLS_PKCS1_V21
 
-/** \def MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
- *
- * Enable support for platform built-in keys. If you enable this feature,
- * you must implement the function mbedtls_psa_platform_get_builtin_key().
- * See the documentation of that function for more information.
- *
- * Built-in keys are typically derived from a hardware unique key or
- * stored in a secure element.
- *
- * Requires: MBEDTLS_PSA_CRYPTO_C.
- *
- * \warning This interface is experimental and may change or be removed
- * without notice.
- */
-//#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
-
 /** \def MBEDTLS_PSA_CRYPTO_CLIENT
  *
  * Enable support for PSA crypto client.

@@ -23,6 +23,7 @@
 #cmakedefine MBEDTLS_PSA_CRYPTO_CLIENT
 #cmakedefine MBEDTLS_PSA_CRYPTO_C
 #cmakedefine MBEDTLS_USE_PSA_CRYPTO
+#cmakedefine MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
 /* Avoid redefinition as TF-M defines this on the command line */
 #ifndef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
 #cmakedefine MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER

@@ -59,7 +59,7 @@ if(CONFIG_PSA_NEED_CRACEN_MAC_DRIVER)
   )
 endif()
 
-if(CONFIG_PSA_NEED_CRACEN_KEY_MANAGEMENT_DRIVER OR CONFIG_PSA_NEED_CRACEN_KMU_DRIVER)
+if(CONFIG_PSA_NEED_CRACEN_KEY_MANAGEMENT_DRIVER OR CONFIG_PSA_NEED_CRACEN_KMU_DRIVER OR CONFIG_MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
   list(APPEND cracen_driver_sources
     ${CMAKE_CURRENT_LIST_DIR}/src/key_management.c
   )