modules/mbedtls: Stop copying private headers into build tree

krish2718 · krish2718 · commit 694e751f2f9b · 2026-05-13T22:50:36.000+05:30
CONFIG_MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS no longer mirrors TF-PSA-Crypto
builtin private headers into CMAKE_BINARY_DIR without the private/
segment. Consumers must include mbedtls/private/... explicitly; the
mbedtls library INTERFACE already exposes drivers/builtin/include.

When building the MCUboot image, add drivers/builtin/src to the mbedTLS
INTERFACE include path so bootutil can include rsa_alt_helpers.h by
basename.

Signed-off-by: Chaitanya Tata &lt;Chaitanya.Tata@nordicsemi.no&gt;
Assisted-by: Cursor: Auto
diff --git a/modules/mbedtls/Kconfig.tf-psa-crypto b/modules/mbedtls/Kconfig.tf-psa-crypto
@@ -374,12 +374,13 @@ config MBEDTLS_NIST_KW_C
 config MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
 	bool "Legacy crypto support (private)"
 	help
-	  Legacy crypto is now private inside TF-PSA-Crypto and they should
-	  no more be directly accessed. However there might be code that still
-	  needs to be transitioned and in this case enabling this Kconfig
-	  allows internal headers related to legacy crypto to be made public.
-	  The long term goal is to get rid of this support so all the code
-	  should be transitioned to the PSA Crypto API as soon as possible.
+	  Legacy crypto is now private inside TF-PSA-Crypto and should not be
+	  used from new code. Enable this only while transitioning callers that
+	  still need legacy declarations: with MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
+	  defined, those APIs are reachable via mbedtls/private/*.h (under the
+	  TF-PSA-Crypto builtin include path exported by the mbedtls target).
+	  The long term goal is to remove this option once all users are on the
+	  PSA Crypto API.
 
 config TF_PSA_CRYPTO_PQCP_MLDSA_ENABLED
 	bool "mldsa-native from the PQCP (post-quantum code package) driver [EXPERIMENTAL]"
diff --git a/modules/mbedtls/legacy_support.cmake b/modules/mbedtls/legacy_support.cmake
@@ -2,43 +2,24 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-# Copy header files related to legacy crypto to the build folder in a path
-# that does not contain "private" in the name. This allows legacy includes
-# like "#include <mbedtls/ecp.h>" to still work. This is a temporary
-# fix in order not to break external modules (ex: hostap) which are
-# still referencing legacy includes. However these files are private now
-# and all the users of legacy Mbed TLS should transition to PSA API as soon
-# as possible!
+# When CONFIG_MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS is enabled, legacy crypto
+# declarations live under mbedtls/private/*.h in TF-PSA-Crypto builtin
+# includes. The mbedtls CMake target already exports
+# tf-psa-crypto/drivers/builtin/include on its INTERFACE, so consumers must
+# include the private paths explicitly (no flattened header copy).
 if(CONFIG_MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS)
   message(WARNING "
     Enabling CONFIG_MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS is discouraged as it
     gives access to Mbed TLS crypto functions which are internal and may be removed
     or modified at any time. Please transition to the PSA Crypto API."
   )
-  set(MBEDTLS_PRIVATE_INCLUDE_PATH "${ZEPHYR_TF_PSA_CRYPTO_MODULE_DIR}/drivers/builtin/include/mbedtls/private")
-  set(legacy_headers
-    ${MBEDTLS_PRIVATE_INCLUDE_PATH}/aes.h
-    ${MBEDTLS_PRIVATE_INCLUDE_PATH}/bignum.h
-    ${MBEDTLS_PRIVATE_INCLUDE_PATH}/cipher.h
-    ${MBEDTLS_PRIVATE_INCLUDE_PATH}/cmac.h
-    ${MBEDTLS_PRIVATE_INCLUDE_PATH}/ecdsa.h
-    ${MBEDTLS_PRIVATE_INCLUDE_PATH}/ecp.h
-    ${MBEDTLS_PRIVATE_INCLUDE_PATH}/pkcs5.h
-    ${MBEDTLS_PRIVATE_INCLUDE_PATH}/error_common.h
-    ${MBEDTLS_PRIVATE_INCLUDE_PATH}/sha256.h
-    ${MBEDTLS_PRIVATE_INCLUDE_PATH}/rsa.h
-  )
-  file(COPY ${legacy_headers} DESTINATION ${CMAKE_BINARY_DIR}/legacy-mbedtls-headers/mbedtls/)
+  # MCUBoot bootutil includes rsa_alt_helpers.h by basename; the header lives
+  # next to builtin RSA sources under drivers/builtin/src.
   if(CONFIG_MCUBOOT)
-    set(MBEDTLS_BUILTIN_SRC_PATH "${ZEPHYR_TF_PSA_CRYPTO_MODULE_DIR}/drivers/builtin/src")
-    set(legacy_headers
-      ${MBEDTLS_BUILTIN_SRC_PATH}/rsa_alt_helpers.h
+    target_include_directories(mbedTLS INTERFACE
+      ${ZEPHYR_TF_PSA_CRYPTO_MODULE_DIR}/drivers/builtin/src
     )
-    file(COPY ${legacy_headers} DESTINATION ${CMAKE_BINARY_DIR}/legacy-mbedtls-headers/)
   endif()
-  target_include_directories(mbedTLS INTERFACE
-    ${CMAKE_BINARY_DIR}/legacy-mbedtls-headers/
-  )
 endif()
 
 set(MBEDTLS_EXPORT_REMOVED_HEADERS  OFF)
