nrf_security: fix entropy always enabled by `MBEDTLS_PSA_CRYPTO_C` by tomi-font · Pull Request #28484 · nrfconnect/sdk-nrf

tomi-font · 2026-05-04T06:45:36Z

No description provided.

github-actions · 2026-05-04T06:45:49Z

Since quarantine was modified, please make sure you are following the process described in Quarantine Process.

NordicBuilder · 2026-05-04T06:46:19Z

The following west manifest projects have changed revision in this Pull Request:

Name	Old Revision	New Revision	Diff
zephyr	nrfconnect/sdk-zephyr@`05f2699`	nrfconnect/sdk-zephyr@`2b3d253` (`main`)	nrfconnect/sdk-zephyr@05f26996..2b3d2531

✅ All manifest checks OK

Note: This message is automatically posted and updated by the Manifest GitHub Action.

NordicBuilder · 2026-05-04T06:50:45Z

CI Information

^{To view the history of this post, click the 'edited' button above}
Build number: 8

Inputs:

Sources:

sdk-nrf: PR head: 6d6d3dd845e6e8de26a50d8d18438878d1d3c182
zephyr: PR head: 2b3d25313ec3e7740d369f03ea86a4dbe83a6e19

more details

sdk-nrf:

PR head: 6d6d3dd845e6e8de26a50d8d18438878d1d3c182
merge base: c642d1787d8abe07a805305a6e137be2edc8b569
target head (main): d6656a287f610b6047deb53030772e7f253b8b15
Diff

zephyr:

PR head: 2b3d25313ec3e7740d369f03ea86a4dbe83a6e19
merge base: 05f2699619bf6e18029a51ccf3ae012f6b72b4ca
Diff

Github labels

Enabled	Name	Description
	ci-disabled	Disable the ci execution
	ci-all-test	Run all of ci, no test spec filtering will be done
	ci-force-downstream	Force execution of downstream even if twister fails
	ci-run-twister	Force run twister
	ci-run-zephyr-twister	Force run zephyr twister

List of changed files detected by CI (14)

samples
│  ├── dfu
│  │  ├── single_slot
│  │  │  ├── sysbuild
│  │  │  │  ├── mcuboot
│  │  │  │  │  ├── boards
│  │  │  │  │  │  │ nrf54ls05dk_nrf54ls05b_cpuapp.conf
scripts
│  │ quarantine.yaml
subsys
│  ├── nrf_security
│  │  ├── CMakeLists.txt
│  │  ├── Kconfig
│  │  ├── Kconfig.psa.nordic
│  │  ├── Kconfig.tf-psa-crypto
│  │  ├── tfm
│  │  │  │ CMakeLists.txt
│  ├── secure_storage
│  │  ├── compatibility
│  │  │  │ Kconfig
tests
│  ├── subsys
│  │  ├── bootloader
│  │  │  ├── upgrade
│  │  │  │  ├── ref_smp_svr
│  │  │  │  │  ├── sysbuild
│  │  │  │  │  │  ├── mcuboot
│  │  │  │  │  │  │  ├── boards
│  │  │  │  │  │  │  │  │ nrf54ls05dk_nrf54ls05b_cpuapp.conf
west.yml
zephyr
│  ├── lib
│  │  ├── uuid
│  │  │  ├── CMakeLists.txt
│  │  │  │ Kconfig
│  ├── modules
│  │  ├── mbedtls
│  │  │  │ Kconfig.tf-psa-crypto
│  ├── tests
│  │  ├── lib
│  │  │  ├── uuid
│  │  │  │  │ testcase.yaml

Outputs:

Toolchain

Version: eb11c27a58
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:eb11c27a58_5ea73affbf

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

◻️ Toolchain - Skipped: existing toolchain is used
✅ Build twister
✅ Integration tests
- ✅ test_ble_nrf_config
- ✅ test-fw-nrfconnect-chip
- ✅ test-fw-nrfconnect-nrf-iot_thingy91
- ✅ test-fw-nrfconnect-nrf_crypto
- ✅ test-fw-nrfconnect-rs
- ✅ test-fw-nrfconnect-fem
- ✅ test-fw-nrfconnect-tfm
- ✅ test-fw-nrfconnect-thread-main
- ✅ test-sdk-find-my
- ✅ test-sdk-mcuboot
- ✅ test-sdk-dfu
- ⚠️ test-fw-nrfconnect-nrf-iot_cloud

Disabled integration tests

- test-fw-nrfconnect-nrf_lrcs_mosh
- test-fw-nrfconnect-nrf_lrcs_positioning
- desktop52_verification
- test-fw-nrfconnect-apps
- test-fw-nrfconnect-ble_mesh
- test-fw-nrfconnect-ble_samples
- test-fw-nrfconnect-nfc
- test-fw-nrfconnect-nrf-iot_libmodem-nrf
- test-fw-nrfconnect-nrf-iot_lwm2m
- test-fw-nrfconnect-nrf-iot_samples
- test-fw-nrfconnect-nrf-iot_zephyr_lwm2m
- test-fw-nrfconnect-ps-main
- test-fw-nrfconnect-rpc
- test-low-level
- test-sdk-audio
- test-sdk-wifi
- test-secdom-samples-public

Note: This message is automatically posted and updated by the CI

github-actions · 2026-05-04T07:33:41Z

You can find the documentation preview for this PR here.

Which among others make it so that entropy is not enabled by default. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>

This is what we have been doing for a long time, but since 60ab340 we just force the value to `y` in CMake which should not be done. Now we make sure to make the MBEDTLS_PSA_CRYPTO_RNG_SOURCE choice default to EXTERNAL_RNG by overriding Zephyr's defaults. Changes include: - Adding a dedicated Kconfig file for TF-PSA-Crypto. Other Kconfig options that belong there can be moved later. - Moving inclusion of Kconfig.tf-psa-crypto down for better grouping. - Moving PSA_PROMPTLESS to Kconfig.psa.nordic. - Reverting what bdc795aca127f047b795c4bd7f79919ed941f6c2 did. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>

…r ls05" This reverts commit 791c59f. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>

Now that the underlying issue is fixed. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>

- Make it default y if ENTROPY_PSA_CRYPTO_RNG instead of redefining that Kconfig option to select it. - Select it only when NRF_SECURITY is enabled. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>

NordicBuilder · 2026-05-06T11:27:02Z

Memory footprint analysis revealed the following potential issues

applications.hpf.gpio.mbox[nrf54l15dk/nrf54l15/cpuflpr]: High RAM usage: 7202[B] - link (cc: @nrfconnect/ncs-ll-ursus)
applications.hpf.gpio.mbox[nrf54l15dk/nrf54l15/cpuflpr]: High ROM usage: 3958[B] - link (cc: @nrfconnect/ncs-ll-ursus)

Note: This message is automatically posted and updated by the CI (latest/sdk-nrf/PR-28484/8)

tomi-font requested review from a team as code owners May 4, 2026 06:45

NordicBuilder added the manifest label May 4, 2026

NordicBuilder requested a review from a team May 4, 2026 06:46

NordicBuilder added manifest-zephyr DNM labels May 4, 2026

tomi-font added the no-changelog label May 4, 2026

tomi-font force-pushed the fix_entropy_enabled_by_mbedtls_psa_crypto_c branch from 7a37ca9 to 51bae2d Compare May 4, 2026 06:49

tomi-font requested a review from MarekPieta May 4, 2026 06:51

nordic-piks approved these changes May 4, 2026

View reviewed changes

MarekPieta approved these changes May 4, 2026

View reviewed changes

adsz-nordic approved these changes May 4, 2026

View reviewed changes

tomi-font added the upmerge label May 4, 2026

tomi-font force-pushed the fix_entropy_enabled_by_mbedtls_psa_crypto_c branch 3 times, most recently from 6823fe6 to 387b5e0 Compare May 5, 2026 07:27

nordicjm approved these changes May 5, 2026

View reviewed changes

AntonZma approved these changes May 5, 2026

View reviewed changes

MarekPieta approved these changes May 5, 2026

View reviewed changes

tomi-font added 4 commits May 6, 2026 09:12

manifest: zephyr: pull MBEDTLS_PSA_CRYPTO_C fixes

e3c600f

Which among others make it so that entropy is not enabled by default. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>

Revert "scripts: quarantine: add applications.nrf_desktop.zrelease fo…

63b80be

…r ls05" This reverts commit 791c59f. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>

samples/tests: mcuboot: stop disabling CONFIG_ENTROPY_PSA_CRYPTO_RNG

4f07540

Now that the underlying issue is fixed. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>

nrf_security: improve CONFIG_PSA_WANT_GENERATE_RANDOM

6d6d3dd

- Make it default y if ENTROPY_PSA_CRYPTO_RNG instead of redefining that Kconfig option to select it. - Select it only when NRF_SECURITY is enabled. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>

tomi-font force-pushed the fix_entropy_enabled_by_mbedtls_psa_crypto_c branch from 387b5e0 to 6d6d3dd Compare May 6, 2026 06:12

NordicBuilder removed the DNM label May 6, 2026

rlubos approved these changes May 6, 2026

View reviewed changes

rlubos merged commit 7e1d25a into nrfconnect:main May 6, 2026
25 of 26 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

nrf_security: fix entropy always enabled by `MBEDTLS_PSA_CRYPTO_C`#28484

nrf_security: fix entropy always enabled by `MBEDTLS_PSA_CRYPTO_C`#28484
rlubos merged 5 commits into
nrfconnect:mainfrom
tomi-font:fix_entropy_enabled_by_mbedtls_psa_crypto_c

tomi-font commented May 4, 2026

Uh oh!

github-actions Bot commented May 4, 2026

Uh oh!

NordicBuilder commented May 4, 2026 •

edited

Loading

Uh oh!

NordicBuilder commented May 4, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented May 4, 2026

Uh oh!

NordicBuilder commented May 6, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

Conversation

tomi-font commented May 4, 2026

Uh oh!

github-actions Bot commented May 4, 2026

Uh oh!

NordicBuilder commented May 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

NordicBuilder commented May 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CI Information

Inputs:

Sources:

Github labels

Outputs:

Toolchain

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

Uh oh!

github-actions Bot commented May 4, 2026

Uh oh!

NordicBuilder commented May 6, 2026

Memory footprint analysis revealed the following potential issues

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

NordicBuilder commented May 4, 2026 •

edited

Loading

NordicBuilder commented May 4, 2026 •

edited

Loading