modules: mbedtls: add Kconfig symbol MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS

Add a new Kconfig symbol MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS to wrap the
Mbed TLS configuration option with the same name. Built-in key
support enables platforms implementing
mbedtls_psa_platform_get_builtin_key() to use keys derived from a
hardware unique key or stored in a secure element.

Signed-off-by: Aksel Skauge Mellbye <aksel.mellbye@silabs.com>

diff --git a/doc/releases/release-notes-4.3.rst b/doc/releases/release-notes-4.3.rst
index 5644568..30a2c02 100644
--- a/doc/releases/release-notes-4.3.rst
+++ b/doc/releases/release-notes-4.3.rst
@@ -146,6 +146,10 @@
* :kconfig:option:`CONFIG_CPU_FREQ`
+* Crypto
+
+ * :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS`
+
* Display
* :c:enumerator:`PIXEL_FORMAT_AL_88`
diff --git a/modules/mbedtls/Kconfig.mbedtls b/modules/mbedtls/Kconfig.mbedtls
index 4a71ec4..69f7b63 100644
--- a/modules/mbedtls/Kconfig.mbedtls
+++ b/modules/mbedtls/Kconfig.mbedtls
@@ -653,6 +653,15 @@
* the heap-allocated memory to store the key material of a given slot,
if it is used and MBEDTLS_PSA_STATIC_KEY_SLOTS is not set.
+config MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
+ bool "Built-in key support in PSA Crypto core"
+ help
+ Enable support for platform built-in keys in PSA Crypto. Built-in keys
+ are typically derived from a hardware unique key or stored in a secure
+ element. Mbed TLS uses key IDs from MBEDTLS_PSA_KEY_ID_BUILTIN_MIN to
+ MBEDTLS_PSA_KEY_ID_BUILTIN_MAX for built-in keys. The platform must
+ implement mbedtls_psa_platform_get_builtin_key().
+
endif # MBEDTLS_PSA_CRYPTO_C
config MBEDTLS_SSL_DTLS_CONNECTION_ID
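Review bot: the help text of MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS states that the platform must implement mbedtls_psa_platform_get_builtin_key(), but the entry has no dependency that expresses this, so Kconfig will let any configuration with MBEDTLS_PSA_CRYPTO_C enable the option whether or not the platform provides the function. Consider gating the prompt on a symbol that platforms supplying the function select (a hypothetical helper symbol, not part of this patch), or at minimum say in the help what happens to the build when the function is missing. Since the help names the MBEDTLS_PSA_KEY_ID_BUILTIN_MIN to MBEDTLS_PSA_KEY_ID_BUILTIN_MAX range as used for built-in keys, it would also be worth stating there that application code should treat that range as reserved.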
diff --git a/modules/mbedtls/configs/config-mbedtls.h b/modules/mbedtls/configs/config-mbedtls.h
index d6d4f73..64b2bbf 100644
--- a/modules/mbedtls/configs/config-mbedtls.h
+++ b/modules/mbedtls/configs/config-mbedtls.h
@@ -510,6 +510,10 @@
#define MBEDTLS_USE_PSA_CRYPTO
#endif
+#if defined(CONFIG_MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
+#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
+#endif
+
#if defined(CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT)
#define MBEDTLS_PSA_CRYPTO_CLIENT
#define MBEDTLS_PSA_CRYPTO_CONFIG