nrfconnect · carlescufi · May 22, 2026 · Feb 17, 2026 · Mar 10, 2026 · May 21, 2026
@@ -41,4 +41,4 @@ jobs:
         uses: nrfconnect/action-oss-history@main
         with:
           workspace: 'ncs'
-          args: -p zephyr -p wfa-qt-control-app
+          args: -p zephyr -p hostap -p wfa-qt-control-app
@@ -894,7 +894,6 @@
 /tests/bluetooth/bsim/nrf_auraconfig/     @nrfconnect/ncs-audio
 /tests/bluetooth/bsim/custom_ltk/         @nrfconnect/ncs-paladin
 /tests/bluetooth/tester/                  @carlescufi @nrfconnect/ncs-paladin
-/tests/crypto/                            @magnev
 /tests/drivers/audio/                     @nrfconnect/ncs-low-level-test
 /tests/drivers/can/                       @nrfconnect/ncs-low-level-test
 /tests/drivers/dect/dect_mdm/integration/ @nrfconnect/ncs-dect-nr-plus

@@ -381,7 +381,7 @@ The following example shows how the PSA key attribute values are converted when
       psa_set_key_usage_flags(&attr, PSA_KEY_USAGE_VERIFY_HASH);
       psa_set_key_lifetime(&attr, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
           CRACEN_KEY_PERSISTENCE_REVOKABLE, PSA_KEY_LOCATION_CRACEN_KMU));
-      psa_set_key_id(&attr, PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(
+      psa_set_key_id(&attr, PSA_KEY_ID_FROM_CRACEN_KMU_SLOT(
           CRACEN_KMU_KEY_USAGE_SCHEME_RAW, 226));
 
 #. The CRACEN driver :c:func:`convert_from_psa_attributes` function converts these PSA attributes to the following :c:struct:`kmu_metadata` field values:

@@ -56,7 +56,7 @@ To identify that the KMU is used as a persistent storage backend for a specific
        |
        | Keys that are read-only due to policy restrictions, rather than physical limitations, should not have this persistence level.
    * - ``key_id`` (``psa_set_key_id``)
-     - | ``PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(kmu_usage_scheme, kmu_slot_nr)``
+     - | ``PSA_KEY_ID_FROM_CRACEN_KMU_SLOT(kmu_usage_scheme, kmu_slot_nr)``
        |
        | For ``kmu_usage_scheme`` values, see :ref:`ug_kmu_guides_key_usage_schemes`.
        |

@@ -7,7 +7,6 @@
 # nrf documentation build configuration file
 
 import os
-import re
 import sys
 from pathlib import Path
 
@@ -21,6 +20,7 @@
 
 ZEPHYR_BASE = utils.get_projdir("zephyr")
 MCUBOOT_BASE = utils.get_projdir("mcuboot")
+MBEDTLS_BASE = NRF_BASE / ".." / "modules" / "crypto" / "mbedtls"
 
 # General configuration --------------------------------------------------------
 
@@ -143,17 +143,11 @@
 # create mbedtls config header (needed for Doxygen)
 _doxyrunner_outdir.mkdir(exist_ok=True, parents=True)
 
-fin_path = NRF_BASE / "subsys" / "nrf_security" / "configs" / "legacy_crypto_config.h.template"
+fin_path = MBEDTLS_BASE / "include" / "mbedtls" / "mbedtls_config.h"
 fout_path = _doxyrunner_outdir / "mbedtls_doxygen_config.h"
 
 with open(fin_path) as fin, open(fout_path, "w") as fout:
-    fout.write(
-        re.sub(
-            r"#cmakedefine ([A-Z0-9_-]+)",
-            r"#define \1",
-            fin.read()
-        )
-    )
+    fout.write(fin.read())
 
 # -- Options for doxybridge plugin ---------------------------------------------
 

@@ -31,8 +31,6 @@ Deprecation of legacy crypto support
 
 The following changes have been made to the legacy crypto support with the deprecation announcement:
 
-* Enabling the Kconfig option :kconfig:option:`CONFIG_NRF_SECURITY` replaces using the Kconfig option :kconfig:option:`CONFIG_NORDIC_SECURITY_BACKEND` to enable the legacy crypto support.
-  Setting :kconfig:option:`CONFIG_NORDIC_SECURITY_BACKEND` also enables :kconfig:option:`CONFIG_MBEDTLS_LEGACY_CRYPTO_C`, which shows a deprecation warning in the build output.
 * The legacy Mbed TLS APIs no longer support the glued functionality.
 * Legacy configurations no longer have an effect on the configurations for the secure image of a TF-M build.
 
@@ -49,19 +47,6 @@ These legacy crypto backends are provided as *alternative implementations* of th
 
 The legacy crypto configuration only allows one backend to be enabled at the same time.
 
-The following table lists the available legacy crypto backends with their respective Kconfig options and the corresponding hardware platforms.
-
-+-----------------------------------------------+-----------------------------------------+----------------------------------------------------------+
-|                Driver library                 |          Legacy crypto backend          |               Supported hardware platforms               |
-+===============================================+=========================================+==========================================================+
-| :ref:`nrf_cc3xx_mbedcrypto_readme`            | :kconfig:option:`CONFIG_CC3XX_BACKEND`  | nRF52840, nRF5340, nRF91 Series devices                  |
-+-----------------------------------------------+-----------------------------------------+----------------------------------------------------------+
-| :ref:`nrf_oberon <nrfxlib:nrf_oberon_readme>` | :kconfig:option:`CONFIG_OBERON_BACKEND` | nRF devices with Arm Cortex®-M0, -M4, or -M33 processors |
-+-----------------------------------------------+-----------------------------------------+----------------------------------------------------------+
-
-.. note::
-   Enabling the CryptoCell by using :kconfig:option:`CONFIG_CC3XX_BACKEND` in a non-secure image of a TF-M build will have no effect.
-
 AES configuration
 *****************
 
@@ -115,8 +100,6 @@ To configure AES cipher modes, set the following Kconfig options:
 +--------------+----------------------------------------------------+----------------------------------------+
 | CBC          | :kconfig:option:`CONFIG_MBEDTLS_CIPHER_MODE_CBC`   |                                        |
 +--------------+----------------------------------------------------+----------------------------------------+
-| XTS          | :kconfig:option:`CONFIG_MBEDTLS_CIPHER_MODE_XTS`   | nrf_oberon only                        |
-+--------------+----------------------------------------------------+----------------------------------------+
 
 .. note::
    AES cipher modes are dependent on enabling AES core support according to `AES configuration`_.
@@ -169,8 +152,6 @@ Feature support
 CMAC configuration
 ******************
 
-To configure Cipher-based Message Authentication Code (CMAC) support, set the :kconfig:option:`CONFIG_MBEDTLS_CMAC_C` Kconfig option.
-
 Feature support
 ===============
 
@@ -205,12 +186,6 @@ To configure Authenticated Encryption with Associated Data (AEAD), set the follo
 +--------------+------------------------------------------------+-----------------------------------------+
 | AES GCM      | :kconfig:option:`CONFIG_MBEDTLS_GCM_C`         | nrf_oberon or nrf_cc312                 |
 +--------------+------------------------------------------------+-----------------------------------------+
-| ChaCha20     | :kconfig:option:`CONFIG_MBEDTLS_CHACHA20_C`    |                                         |
-+--------------+------------------------------------------------+-----------------------------------------+
-| Poly1305     | :kconfig:option:`CONFIG_MBEDTLS_POLY1305_C`    |                                         |
-+--------------+------------------------------------------------+-----------------------------------------+
-| ChaCha-Poly  | :kconfig:option:`CONFIG_MBEDTLS_CHACHAPOLY_C`  | Requires `Poly1305` and `ChaCha20`      |
-+--------------+------------------------------------------------+-----------------------------------------+
 
 .. note::
    * AEAD AES cipher modes are dependent on enabling AES core support according to `AES configuration`_.
@@ -267,8 +242,6 @@ Feature support
 DHM configurations
 ******************
 
-To configure Diffie-Hellman-Merkle (DHM) support, set the :kconfig:option:`CONFIG_MBEDTLS_DHM_C` Kconfig option.
-
 Feature support
 ===============
 
@@ -326,14 +299,6 @@ Feature support
 ECDH configurations
 *******************
 
-To configure Elliptic Curve Diffie-Hellman (ECDH) support, set the :kconfig:option:`CONFIG_MBEDTLS_ECDH_C` Kconfig option.
-
-+--------------+---------------------------------------------+
-| Algorithm    | Configurations                              |
-+==============+=============================================+
-| ECDH         | :kconfig:option:`CONFIG_MBEDTLS_ECDH_C`     |
-+--------------+---------------------------------------------+
-
 .. note::
    * ECDH support depends on `ECC Configurations`_ being enabled.
    * The :ref:`nrf_cc3xx_mbedcrypto_readme` does not integrate on ECP layer.
@@ -420,14 +385,6 @@ Feature support
 ECJPAKE configurations
 **********************
 
-To configure Elliptic Curve, Password Authenticated Key Exchange by Juggling (ECJPAKE) support, set the :kconfig:option:`CONFIG_MBEDTLS_ECJPAKE_C` Kconfig option.
-
-+--------------+----------------------------------------------+
-| Algorithm    | Configurations                               |
-+==============+==============================================+
-| ECJPAKE      | :kconfig:option:`CONFIG_MBEDTLS_ECJPAKE_C`   |
-+--------------+----------------------------------------------+
-
 .. note::
    ECJPAKE support depends upon `ECC Configurations`_ being enabled.
 
@@ -450,26 +407,6 @@ ECC curves configurations
 
 It is possible to configure the curves that should be supported in the system depending on the backend selected.
 
-The following curves can be enabled:
-
-+-----------------------------+------------------------------------------------------------+--------------------------+
-| Curve                       | Configurations                                             | Note                     |
-+=============================+============================================================+==========================+
-| NIST secp224r1              | :kconfig:option:`CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED`  |                          |
-+-----------------------------+------------------------------------------------------------+--------------------------+
-| NIST secp256r1              | :kconfig:option:`CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED`  |                          |
-+-----------------------------+------------------------------------------------------------+--------------------------+
-| NIST secp384r1              | :kconfig:option:`CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED`  |                          |
-+-----------------------------+------------------------------------------------------------+--------------------------+
-| NIST secp521r1              | :kconfig:option:`CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED`  |                          |
-+-----------------------------+------------------------------------------------------------+--------------------------+
-| Koblitz secp224k1           | :kconfig:option:`CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED`  |                          |
-+-----------------------------+------------------------------------------------------------+--------------------------+
-| Koblitz secp256k1           | :kconfig:option:`CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED`  |                          |
-+-----------------------------+------------------------------------------------------------+--------------------------+
-| Curve25519                  | :kconfig:option:`CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED` |                          |
-+-----------------------------+------------------------------------------------------------+--------------------------+
-
 .. note::
    * The :ref:`nrf_oberon_readme` only supports ECC curve secp224r1 and secp256r1.
    * Choosing the nrf_oberon backend does not allow enabling the rest of the ECC curve types.
@@ -520,14 +457,8 @@ To configure the Secure Hash algorithms, set the following Kconfig options:
 +--------------+--------------------+---------------------------------------------+
 | Algorithm    | Support            | Backend selection                           |
 +==============+====================+=============================================+
-| SHA-1        |                    | :kconfig:option:`CONFIG_MBEDTLS_SHA1_C`     |
-+--------------+--------------------+---------------------------------------------+
-| SHA-224      |                    | :kconfig:option:`CONFIG_MBEDTLS_SHA224_C`   |
-+--------------+--------------------+---------------------------------------------+
 | SHA-256      |                    | :kconfig:option:`CONFIG_MBEDTLS_SHA256_C`   |
 +--------------+--------------------+---------------------------------------------+
-| SHA-384      |                    | :kconfig:option:`CONFIG_MBEDTLS_SHA384_C`   |
-+--------------+--------------------+---------------------------------------------+
 | SHA-512      |                    | :kconfig:option:`CONFIG_MBEDTLS_SHA512_C`   |
 +--------------+--------------------+---------------------------------------------+
 

@@ -5023,8 +5023,8 @@ NCSDK-25144: Enabling Kconfig option :kconfig:option:`CONFIG_SECURE_BOOT_CRYPTO`
 
 .. rst-class:: v2-4-3 v2-4-2 v2-4-1 v2-4-0
 
-NCSDK-22091: Selecting both :kconfig:option:`CONFIG_NORDIC_SECURITY_BACKEND` and :kconfig:option:`CONFIG_PSA_CORE` causes a build failure
-  Selecting both :kconfig:option:`CONFIG_NORDIC_SECURITY_BACKEND` and :kconfig:option:`CONFIG_PSA_CORE` results in a build failure due to undefined references to different structs.
+NCSDK-22091: Selecting both ``CONFIG_NORDIC_SECURITY_BACKEND`` and :kconfig:option:`CONFIG_PSA_CORE` causes a build failure
+  Selecting both ``CONFIG_NORDIC_SECURITY_BACKEND`` and :kconfig:option:`CONFIG_PSA_CORE` results in a build failure due to undefined references to different structs.
 
   **Workaround:** Manually define ``PSA_CORE_BUILTIN`` in the file :file:`nrf_security/configs/legacy_crypto_config.h.template`.
 

@@ -435,7 +435,7 @@ In addition to documentation related to the changes listed above, the following
 * :ref:`ug_nfc` - added
 * :ref:`ug_bootloader` - added upgradeable bootloader
 * Cloud client - updated
-* :ref:`crypto_test` - added
+* Cryptography tests - added
 * :ref:`libraries` - improved the structure of the library documentation
 * :ref:`bt_mesh` (and subpages) - added
 * :ref:`nrf_bt_scan_readme` - updated

@@ -374,7 +374,7 @@ Thread
 * Updated:
 
   * The default cryptography backend for Thread is now Arm PSA Crypto API instead of Mbed TLS, which was used in earlier versions.
-    You can still build all examples with deprecated Mbed TLS support by setting the :kconfig:option:`CONFIG_OPENTHREAD_NRF_SECURITY_CHOICE` Kconfig option to ``y``, but you must build the Thread libraries from sources.
+    You can still build all examples with deprecated Mbed TLS support by setting the ``CONFIG_OPENTHREAD_NRF_SECURITY_CHOICE`` Kconfig option to ``y``, but you must build the Thread libraries from sources.
     To :ref:`inherit Thread certification <ug_thread_cert_inheritance_without_modifications>` from Nordic Semiconductor, you must use the PSA Crypto API backend.
 
   * nRF5340 SoC targets that do not include :ref:`Trusted Firmware-M <ug_tfm>` now use Hardware Unique Key (HUK, see the :ref:`lib_hw_unique_key` library) for PSA Internal Trusted Storage (ITS).

@@ -746,7 +746,7 @@ Cryptography samples
     * Support for the nRF54L15 PDK board for all crypto samples.
     * Support for the :zephyr:board:`nrf54h20dk` board in all crypto samples, except :ref:`crypto_persistent_key` and :ref:`crypto_tls`.
     * Support for the :zephyr:board:`nrf9151dk` board for all crypto samples.
-    * Support for the :ref:`nRF9161 DK <ug_nrf9161>` board for the :ref:`crypto_test`.
+    * Support for the :ref:`nRF9161 DK <ug_nrf9161>` board for the Cryptography tests.
 
 Common samples
 --------------

@@ -340,7 +340,7 @@ Security
   * TF-M support for the :zephyr:board:`nrf54l15dk` (board target ``nrf54l15dk/nrf54l15/cpuapp/ns``), replacing the nRF54L15 PDK (board target ``nrf54l15pdk/nrf54l15/cpuapp/ns``).
   * The ``west ncs-provision`` command, which allows to provision signature verification keys to the nRF54L15 SoC over the J-Link interface.
 
-* Deprecated legacy Mbed TLS crypto toolbox APIs that are enabled when the :kconfig:option:`CONFIG_NORDIC_SECURITY_BACKEND` Kconfig option is set.
+* Deprecated legacy Mbed TLS crypto toolbox APIs that are enabled when the ``CONFIG_NORDIC_SECURITY_BACKEND`` Kconfig option is set.
   Use the nRF Security (enabled with the :kconfig:option:`CONFIG_NRF_SECURITY` Kconfig option) and PSA crypto APIs instead.
 
 Protocols

@@ -468,7 +468,7 @@ Cryptography samples
 
 * Added:
 
-  * Support for ``nrf54lv10dk/nrf54lv10a/cpuapp`` and ``nrf54lv10dk/nrf54lv10a/cpuapp/ns`` board targets to all samples (except :ref:`crypto_test`).
+  * Support for ``nrf54lv10dk/nrf54lv10a/cpuapp`` and ``nrf54lv10dk/nrf54lv10a/cpuapp/ns`` board targets to all samples (except Cryptography tests).
   * The :ref:`crypto_kmu_cracen_usage` sample.
 
 * :ref:`crypto_aes_ctr` sample:

@@ -816,7 +816,7 @@ Cryptography samples
 
 * Added:
 
-  * Support for the ``nrf54lv10dk/nrf54lv10a/cpuapp`` and ``nrf54lv10dk/nrf54lv10a/cpuapp/ns`` board targets to all samples (except :ref:`crypto_test`).
+  * Support for the ``nrf54lv10dk/nrf54lv10a/cpuapp`` and ``nrf54lv10dk/nrf54lv10a/cpuapp/ns`` board targets to all samples (except Cryptography tests).
   * Support for the ``nrf54h20dk/nrf54h20/cpuapp`` board target to the :ref:`crypto_persistent_key` sample, demonstrating use of Internal Trusted Storage (ITS) on the nRF54H20 DK.
   * Support for the ``nrf54lm20dk/nrf54lm20a/cpuapp/ns`` board target in all supported cryptography samples.
   * Support for the ``nrf54lm20dk/nrf54lm20a/cpuapp`` board target in the following samples:

@@ -18,4 +18,3 @@ The samples use :ref:`PSA Crypto API <ug_psa_certified_api_overview_crypto>` and
    :glob:
 
    ../../../samples/crypto/*/README
-   ../../tests/crypto/README
Original file line number	Diff line number	Diff line change
Expand Up		@@ -18,4 +18,3 @@ The samples use :ref:`PSA Crypto API <ug_psa_certified_api_overview_crypto>` and
		:glob:

		../../../samples/crypto/*/README
		../../tests/crypto/README