mbedtls: make PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_BASIC promptless

modules/mbedtls/Kconfig

@@ -13,7 +13,8 @@ config MBEDTLS_PROMPTLESS
 	  mbed TLS menu prompt and instead handle the selection of MBEDTLS from
 	  dependent sub-configurations and thus prevent stuck symbol behavior.
 
-rsource "Kconfig.psa"
+rsource "Kconfig.psa.auto"
+rsource "Kconfig.psa.logic"
 
 menuconfig MBEDTLS
 	bool "mbed TLS Support" if !MBEDTLS_PROMPTLESS

modules/mbedtls/Kconfig.psa → modules/mbedtls/Kconfig.psa.auto

@@ -300,10 +300,6 @@ config PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
 	bool "PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
 
-config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC
-	bool "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
 config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
 	bool "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
@@ -320,10 +316,6 @@ config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
 	bool "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
 
-config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
-	bool "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
 config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
 	bool "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
@@ -336,10 +328,6 @@ config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
 	bool "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
 
-config PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC
-	bool "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
 config PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
 	bool "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL

modules/mbedtls/Kconfig.psa.logic

@@ -0,0 +1,27 @@
+# Copyright (c) 2024 BayLibre SAS
+# SPDX-License-Identifier: Apache-2.0
+
+# This file extends Kconfig.psa (which is automatically generated) by adding
+# some logic between PSA_WANT symbols.
+
+config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC
+	bool
+	default y
+	depends on PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT || \
+		   PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT || \
+		   PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE || \
+		   PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
+
+config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
+	bool
+	default y
+	depends on PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT || \
+		   PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT || \
+		   PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
+
+config PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC
+	bool
+	default y
+	depends on PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT || \
+		   PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT || \
+		   PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE

modules/mbedtls/create_psa_files.py

@@ -14,7 +14,7 @@
                               "include", "psa", "crypto_config.h")
 INPUT_FILE = os.path.normpath(os.path.join(SCRIPT_PATH, INPUT_REL_PATH))
 
-KCONFIG_PATH=os.path.join(SCRIPT_PATH, "Kconfig.psa")
+KCONFIG_PATH=os.path.join(SCRIPT_PATH, "Kconfig.psa.auto")
 HEADER_PATH=os.path.join(SCRIPT_PATH, "configs", "config-psa.h")
 
 KCONFIG_HEADER="""\
@@ -57,6 +57,20 @@
 
 H_FOOTER="\n#endif /* CONFIG_PSA_H */\n"
 
+# In Mbed TLS the PSA_WANT_KEY_TYPE_[ECC|RSA|DH]_KEY_PAIR_BASIC build symbols
+# are automatically enabled whenever any other _IMPORT, _EXPORT, _GENERATE or
+# _DERIVE feature is set for the same key type
+# (see "modules/crypto/mbedtls/include/psa/crypto_adjust_config_key_pair_types.h").
+# Therefore we mimic the same pattern with Kconfigs as follows:
+# - do not add _BASIC Kconfigs to the automatic generated file (KCONFIG_PATH);
+# - add _BASIC Kconfigs to Kconfig.psa.logic and let them "default y" as soon as
+#   any other _IMPORT, _EXPORT, _GENERATE or _DERIVE Kconfigs are enabled.
+SKIP_SYMBOLS = [
+    "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC",
+    "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC",
+    "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC"
+]
+
 def parse_psa_symbols(input_file: str):
     symbols = []
     with open(input_file) as file:
@@ -70,6 +84,8 @@ def parse_psa_symbols(input_file: str):
 def generate_kconfig_content(symbols: List[str]) -> str:
     output = []
     for sym in symbols:
+        if sym in SKIP_SYMBOLS:
+            continue
         output.append("""
 config {0}
 \tbool "{0}" if !MBEDTLS_PROMPTLESS

tests/net/socket/tls_configurations/overlay-ec.conf

@@ -1,5 +1,7 @@
 CONFIG_PSA_WANT_ALG_ECDH=y
 CONFIG_PSA_WANT_ALG_ECDSA=y
-CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC=y
 CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE=y
 CONFIG_PSA_WANT_ECC_SECP_R1_256=y