nrfconnect · carlescufi · Oct 17, 2025
@@ -261,15 +261,15 @@ The Bluetooth Mesh security toolbox based on the `PSA Certified Crypto API`_ doe
 After Bluetooth Mesh receives an open key value, it immediately imports the key into the crypto library and receives the unique key identifier.
 The key identifiers are used in the security toolbox and stored in the persistent memory.
 The crypto library is responsible for storing of the key values in the Internal Trusted Storage (`PSA Certified Secure Storage API 1.0`_).
-Bluetooth Mesh data structures based on Tinycrypt and the PSA API, as well as images of these structures stored in the persistent memory, are not compatible due to different key representations.
-When a provisioned device updates its firmware binary from the Tinycrypt-based toolbox to firmware binary that uses the PSA API based toolbox, a provisioned device must be unprovisioned first and reprovisioned after the update.
+Bluetooth Mesh data structures based on TinyCrypt (now removed from the SDK) and the PSA API, as well as images of these structures stored in the persistent memory, are not compatible due to different key representations.
+When a provisioned device updates its firmware binary from the TinyCrypt-based toolbox to firmware binary that uses the PSA API based toolbox, a provisioned device must be unprovisioned first and reprovisioned after the update.
 The provisioned device cannot restore data from the persistent memory after firmware update.
 If the image is changed over Mesh DFU, it is recommended to use :c:enumerator:`BT_MESH_DFU_EFFECT_UNPROV`.
 
-A provisioned device can update its firmware image from the Tinycrypt-based toolbox to firmware image that uses the PSA API based toolbox without unprovisioning if the key importer functionality is used.
+A provisioned device can update its firmware image from the TinyCrypt-based toolbox to firmware image that uses the PSA API based toolbox without unprovisioning if the key importer functionality is used.
 The :kconfig:option:`CONFIG_BT_MESH_KEY_IMPORTER` Kconfig option enables the key importer functionality.
 The key importer is an application initialization functionality that is called with kernel initialization priority before starting main.
-This functionality reads out the persistently stored Bluetooth Mesh data and if it finds keys stored by the Tinycrypt-based security toolbox, it imports them over the PSA API into the crypto library and stores the key identifiers in a format based on the PSA API toolbox.
+This functionality reads out the persistently stored Bluetooth Mesh data and if it finds keys stored by the TinyCrypt-based security toolbox, it imports them over the PSA API into the crypto library and stores the key identifiers in a format based on the PSA API toolbox.
 Once the new firmware image starts Bluetooth Mesh initialization, the persistent area already has the stored data in the correct format.
 
 The device can be vulnerable to attacks while the device uses the key importer functionality.

@@ -4491,7 +4491,7 @@ NCSDK-29460: Encryption: Build error for default configuration on the ``nrf52840
 
   **Affected platforms:** nRF52840
 
-  **Workaround:** Switch the signature algorithm to RSA or change the crypto library to tinycrypt.
+  **Workaround:** Switch the signature algorithm to RSA or change the crypto library to TinyCrypt.
 
 .. rst-class:: v2-9-0-nRF54H20-1 v2-9-2 v2-9-1 v2-9-0 v2-8-0
 

@@ -739,7 +739,7 @@ Bluetooth Mesh
 
 .. toggle::
 
-   * Support for Tinycrypt-based security toolbox (:kconfig:option:`CONFIG_BT_MESH_USES_TINYCRYPT`) has started the deprecation procedure and is not recommended for future designs.
+   * Support for TinyCrypt-based security toolbox (:kconfig:option:`CONFIG_BT_MESH_USES_TINYCRYPT`) has started the deprecation procedure and is not recommended for future designs.
    * For platforms that do not support the TF-M: The default security toolbox is based on the Mbed TLS PSA API (:kconfig:option:`CONFIG_BT_MESH_USES_MBEDTLS_PSA`).
    * For platforms that support the TF-M: The default security toolbox is based on the TF-M PSA API (:kconfig:option:`CONFIG_BT_MESH_USES_TFM_PSA`).
 

@@ -6,11 +6,6 @@
 ################################################################################
 # Application overlay - nrf5340dk non secure image
 
-# The option adds TinyCrypt based bt_rand.
-CONFIG_BT_HOST_CRYPTO=n
-# The option adds GATT caching feature that is based on TinyCrypt.
-CONFIG_BT_GATT_CACHING=n
-
 CONFIG_SOC_FLASH_NRF_PARTIAL_ERASE=n
 
 # Use the TF-M Profile Small to save ROM and be able to fit when using bootloader

@@ -6,9 +6,4 @@
 ################################################################################
 # Application overlay - nrf5340dk non secure image
 
-# The option adds TinyCrypt based bt_rand.
-CONFIG_BT_HOST_CRYPTO=n
-# The option adds GATT caching feature that is based on TinyCrypt.
-CONFIG_BT_GATT_CACHING=n
-
 CONFIG_SOC_FLASH_NRF_PARTIAL_ERASE=n
@@ -6,9 +6,4 @@
 ################################################################################
 # Application overlay - nrf5340dk non secure image
 
-# The option adds TinyCrypt based bt_rand.
-CONFIG_BT_HOST_CRYPTO=n
-# The option adds GATT caching feature that is based on TinyCrypt.
-CONFIG_BT_GATT_CACHING=n
-
 CONFIG_SOC_FLASH_NRF_PARTIAL_ERASE=n
@@ -6,9 +6,4 @@
 ################################################################################
 # Application overlay - nrf5340dk non secure image
 
-# The option adds TinyCrypt based bt_rand.
-CONFIG_BT_HOST_CRYPTO=n
-# The option adds GATT caching feature that is based on TinyCrypt.
-CONFIG_BT_GATT_CACHING=n
-
 CONFIG_SOC_FLASH_NRF_PARTIAL_ERASE=n
@@ -48,7 +48,6 @@ bluetooth:
   files:
     - modules/crypto/mbedtls/
     - modules/crypto/oberon-psa-crypto/
-    - modules/crypto/tinycrypt/
     - modules/lib/memfault-firmware-sdk/
     - nrf/applications/ipc_radio/
     - nrf/cmake/
@@ -351,7 +350,6 @@ find_my:
     - find-my/
     - modules/crypto/mbedtls/
     - modules/crypto/oberon-psa-crypto/
-    - modules/crypto/tinycrypt/
     - modules/lib/open-amp/
     - nrf/applications/ipc_radio/
     - nrf/cmake/
@@ -397,7 +395,6 @@ ci_samples_cellular:
     - bootloader/mcuboot/
     - modules/crypto/mbedtls/
     - modules/crypto/oberon-psa-crypto/
-    - modules/crypto/tinycrypt/
     - modules/hal/nordic/nrfx/
     - modules/lib/cjson/
     - modules/lib/hostap/

@@ -394,8 +394,6 @@
     - drivers.eeprom.shell
     - drivers.can.shell
     - shell.shell_custom_header
-    - crypto.tinycrypt
-    - crypto.tinycrypt.hmac_prng
     - net.mqtt_sn.packet
     - net.http.server.common
     - net.coap.server.common
@@ -441,8 +439,6 @@
 - scenarios:
     - cpp.libcxx.glibcxx.picolibc
     - crypto.mbedtls
-    - crypto.tinycrypt
-    - crypto.tinycrypt.hmac_prng
     - drivers.can.shell
     - kernel.common
     - kernel.common.lto

@@ -89,9 +89,7 @@
     - crypto.rand32.random_hw_xoshiro
     - crypto.rand32.random_sw_systimer
     - drivers.rand32.random_psa_crypto
-    - crypto.tinycrypt
     - crypto.mbedtls
-    - crypto.tinycrypt.hmac_prng
   platforms:
     - mps2_an521
     - native_sim/native

@@ -497,15 +497,11 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
       set_config_bool(mcuboot CONFIG_FW_INFO y)
 
       if(SB_CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256)
-        if(SB_CONFIG_SOC_SERIES_NRF54LX)
-          set_config_bool(mcuboot CONFIG_BOOT_ECDSA_TINYCRYPT y)
-        else()
-          if(SB_CONFIG_BOOT_SHARED_CRYPTO_ECDSA_P256)
-            add_overlay_config(
-              mcuboot
-              ${ZEPHYR_MCUBOOT_MODULE_DIR}/boot/zephyr/external_crypto.conf
-              )
-            endif()
+        if(SB_CONFIG_BOOT_SHARED_CRYPTO_ECDSA_P256)
+          add_overlay_config(
+            mcuboot
+            ${ZEPHYR_MCUBOOT_MODULE_DIR}/boot/zephyr/external_crypto.conf
+            )
         endif()
       endif()
 

@@ -108,7 +108,6 @@ manifest:
           - picolibc
           - segger
           - tf-m-tests
-          - tinycrypt
           - uoscore-uedhoc
           - zcbor
           - zscilib