Merged
22 commits
1fed3bc
manifest: add Mbed TLS 4.x and related modules
valeriosetti Jan 27, 2026
4ae805a
MAINTAINERS: add entries for newly added Mbed TLS and TF-PSA-Crypto
valeriosetti Mar 11, 2026
4b75a0b
manifest: hostap: include changes for Mbed TLS 4.x
valeriosetti Feb 24, 2026
7285056
modules: mbedtls: modify CMake to build Mbed TLS 4.x and TF-PSA-Crypt…
valeriosetti Feb 3, 2026
1fa354f
modules: mbedtls: split Mbed TLS and TF-PSA-Crypto configuration files
valeriosetti Feb 3, 2026
e2e667a
modules: mbedtls: fix entropy polling
valeriosetti Feb 3, 2026
f2c01a9
modules: mbedtls: remove deprecated build symbols
valeriosetti Feb 3, 2026
c2d2075
modules: mbedtls: include config-psa.h from config-tf-psa-crypto.h
valeriosetti Feb 5, 2026
354535d
modules: mbedtls: let config-tf-psa-crypto.h include config-mbedtls.h
valeriosetti Feb 7, 2026
524fc71
modules: mbedtls: remove deprecated PSA_WANT symbols
valeriosetti Feb 18, 2026
e3ec209
modules: mbedtls: add Kconfigs for major version
valeriosetti Feb 25, 2026
0d4ead9
modules: mbedtls: add Kconfig to give access to legacy crypto
valeriosetti Feb 24, 2026
f944246
modules: mbedtls: rephrasing and fixing typos in Kconfigs and their p…
valeriosetti Mar 19, 2026
622d0ab
modules: tf-m: keep building with Mbed TLS 3.6
valeriosetti Feb 10, 2026
c03930b
modules: tf-m: add interface headers to zephyr_interface library
valeriosetti Feb 17, 2026
44db7ed
modules: hostap: remove legacy crypto Kconfig
valeriosetti Feb 24, 2026
0c16cf0
net: lib: sockets: tls: do not specify random function to be used
valeriosetti Feb 7, 2026
e781b90
secure_storage: adapt build system for TF-PSA-Crypto
valeriosetti Feb 13, 2026
323d158
drivers: esp32: bt|wifi: adjust Kconfigs for TF-PSA-Crypto 1.x
valeriosetti Feb 27, 2026
ba046e7
modules: openthread: remove OPENTHREAD_CRYPTO_LEGACY_MBEDTLS_CONFIG
valeriosetti Mar 11, 2026
1e878dc
tests: adjust Mbed TLS header file path
valeriosetti Feb 17, 2026
19700cd
test: bluetooth: tester: disable optimizations for native_sim
valeriosetti Mar 1, 2026
12 changes: 11 additions & 1 deletion MAINTAINERS.yml
Expand Up @@ -6447,7 +6447,7 @@ West:
- crypto.mbedtls
- psa.secure_storage

"West project: mbedtls-framework":
"West project: mbedtls-3.6":
status: maintained
maintainers:
- ceolin
Expand Down Expand Up @@ -6479,6 +6479,16 @@ West:
labels:
- "area: Tracing"

"West project: mldsa-native":
status: maintained
maintainers:
- ceolin
- valeriosetti
- tomi-font
files: []
labels:
- "area: TF-PSA-Crypto"

"West project: nanopb":
status: maintained
maintainers:
15 changes: 10 additions & 5 deletions drivers/bluetooth/hci/Kconfig.esp32
Expand Up @@ -488,11 +488,16 @@ config ESP32_BT_LE_CRYPTO_STACK_MBEDTLS
bool "mbedTLS crypto stack"
depends on ESP32_BT_LE_SECURITY_ENABLE
default y
select MBEDTLS
select MBEDTLS_ECP_C
select MBEDTLS_ECP_DP_SECP256R1_ENABLED
select MBEDTLS_ECDH_C
select MBEDTLS_ENTROPY_C
select PSA_CRYPTO
select MBEDTLS_CTR_DRBG_C
select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
select PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
select PSA_WANT_ECC_SECP_R1_256
select PSA_WANT_ALG_ECDH
# Keep access to legacy crypto headers
select MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
help
Use mbedTLS library for BLE cryptographic operations.

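Review bot: `select MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS` is forced on for every build that enables ESP32_BT_LE_CRYPTO_STACK_MBEDTLS, and the comment above it (`# Keep access to legacy crypto headers`) does not say which caller still needs the non-PSA headers. Since the rest of this option moves to `PSA_WANT_*` symbols, I would name the consumer and the exit condition, e.g. `# <component> still includes legacy Mbed TLS headers; drop this select once it uses the PSA API only`, so the private-header exposure does not become permanent by default. The same select appears with no comment at all under WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA in modules/hostap/Kconfig. This rendering does not show whether the `MBEDTLS_ENTROPY_C` and `MBEDTLS_CTR_DRBG_C` selects survive on the new side; if they do, a line on why a legacy DRBG is still required next to `PSA_CRYPTO` would help reviewers.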
18 changes: 12 additions & 6 deletions drivers/wifi/esp32/Kconfig.esp32
Expand Up @@ -12,6 +12,9 @@ menuconfig WIFI_ESP32
select NET_L2_ETHERNET_MGMT
select WIFI_USE_NATIVE_NETWORKING
select MBEDTLS
# This is needed because some guards in TLS now require PSA crypto stuff
# to be enabled
Comment on lines +15 to +16
Contributor

@frkv frkv Mar 20, 2026


It is not clear from the comment what gets set by this select that TLS depends on. Maybe just remove the comment?

select PSA_CRYPTO
select THREAD_STACK_INFO
select DYNAMIC_THREAD
select DYNAMIC_THREAD_ALLOC
Expand Down Expand Up @@ -367,15 +370,18 @@ config ESP32_WIFI_SOFTAP_SUPPORT

config ESP32_WIFI_MBEDTLS_CRYPTO
bool "Use MbedTLS crypto APIs"
select MBEDTLS_ECP_C
select MBEDTLS_ECDH_C
select MBEDTLS_ECDSA_C
select PSA_CRYPTO
select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
select PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
select PSA_WANT_ECC_SECP_R1_256
select PSA_WANT_ALG_ECDH
select PSA_WANT_ALG_ECDSA
select PSA_WANT_ALG_CMAC
select MBEDTLS_PKCS5_C
select MBEDTLS_MD_C
select MBEDTLS_PK_WRITE_C
select MBEDTLS_CIPHER_MODE_CTR_ENABLED
select MBEDTLS_CMAC
select MBEDTLS_ENTROPY_C
help
Select this option to use MbedTLS crypto APIs which utilize hardware acceleration.

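Review bot: In ESP32_WIFI_MBEDTLS_CRYPTO the new side selects `PSA_WANT_ALG_CMAC` and `PSA_WANT_ALG_ECDSA`, but no block-cipher key type or hash algorithm is selected next to them in this hunk. Unless another option already enables them, CMAC has no cipher to run over and message signing has no hash, and the PSA calls would fail at run time with a not-supported status instead of failing the build. If this option is meant to be self-contained, consider adding `select PSA_WANT_KEY_TYPE_AES` and `select PSA_WANT_ALG_SHA_256` (assuming those are the primitives the ESP32 Wi-Fi code uses); otherwise a one-line comment naming the option that provides them would be enough.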
29 changes: 7 additions & 22 deletions modules/hostap/Kconfig
Expand Up @@ -173,31 +173,16 @@ choice WIFI_NM_WPA_SUPPLICANT_CRYPTO_BACKEND
config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
bool "Crypto Mbedtls alt support for WiFi"
select MBEDTLS
select MBEDTLS_CIPHER_MODE_CTR_ENABLED
select MBEDTLS_CIPHER_MODE_CBC_ENABLED
select MBEDTLS_CIPHER_AES_ENABLED
select MBEDTLS_CIPHER_DES_ENABLED
select MBEDTLS_SHA1
select MBEDTLS_SHA384
select MBEDTLS_ENTROPY_C
select MBEDTLS_CIPHER
select MBEDTLS_ECP_C
select MBEDTLS_ECP_ALL_ENABLED
select MBEDTLS_CMAC
select MBEDTLS_PKCS5_C
select MBEDTLS_MD_C
select MBEDTLS_PK_WRITE_C
select MBEDTLS_ECDH_C
select MBEDTLS_ECDSA_C
select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
select MBEDTLS_RSA_C
select MBEDTLS_PKCS1_V15
select MBEDTLS_PKCS1_V21
select MBEDTLS_X509_CRT_PARSE_C
select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
select MBEDTLS_CIPHERSUITE_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
select MBEDTLS_CIPHERSUITE_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
select MBEDTLS_NIST_KW_C
select MBEDTLS_DHM_C
select MBEDTLS_HKDF_C
select PSA_WANT_ALG_HKDF
select PSA_WANT_ALG_HKDF_EXTRACT
select PSA_WANT_ALG_HKDF_EXPAND
Comment thread
tomi-font marked this conversation as resolved.

config WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
bool "No Crypto support for WiFi"
Expand All @@ -217,7 +202,7 @@ config WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
default y
depends on WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
select PSA_CRYPTO
select MBEDTLS_USE_PSA_CRYPTO
select MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
select PSA_WANT_ALG_ECDH
select PSA_WANT_ALG_HMAC
select PSA_WANT_ALG_CCM
Expand Down Expand Up @@ -720,7 +705,7 @@ config SAE_PWE_EARLY_EXIT
Note that this is highly insecure and shouldn't be used in production

config WIFI_NM_WPA_SUPPLICANT_CRYPTO_TEST
bool
bool "Test crypto in HostAP"
depends on WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA

config WIFI_NM_WPA_CTRL_RESP_TIMEOUT_S
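Review bot: WIFI_NM_WPA_SUPPLICANT_CRYPTO_TEST appears to gain a prompt in the last hunk (`bool "Test crypto in HostAP"`), which makes a test-only option settable from menuconfig and prj.conf, yet it carries no help text. It sits directly after SAE_PWE_EARLY_EXIT, whose help warns against production use, and a similar statement would fit here: a `help` entry along the lines of `Builds the hostap crypto tests. For testing only; do not enable in production images.`, with the wording confirmed by someone who knows what the option compiles in. The config entry may continue outside the lines shown on this page.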