nrf_security: Add SSF client without nrf_security

Add configuration to allow enabling the SSF PSA client
when nrf_security is not enabled.
This is particularly useful for the applications that only
want to use the PSA rng and no other crypto. Enabling
nrf_security in these applications will result to an
increased application footprint and configuration complexity
without any reason.

The approach that I took here is to avoid doing the conversion
of Kconfig->Cmake->Header that we do in nrf_security.
First the PSA SSF client is not configurable at all so
adding configuration options doesn't give anything.

Signed-off-by: Georgios Vasilakis <[email protected]>

subsys/CMakeLists.txt

@@ -21,7 +21,10 @@ if(NOT SYSBUILD)
   endif()
 endif()
 
-add_subdirectory_ifdef(CONFIG_NRF_SECURITY nrf_security)
+if(CONFIG_NRF_SECURITY OR CONFIG_PSA_SSF_CRYPTO_CLIENT)
+add_subdirectory(nrf_security)
+endif()
+
 add_subdirectory_ifdef(CONFIG_TRUSTED_STORAGE trusted_storage)
 
 add_subdirectory(net)

subsys/nrf_security/CMakeLists.txt

@@ -102,8 +102,29 @@ endif()
 
 set(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG  True)
 
+if(CONFIG_PSA_SSF_CRYPTO_CLIENT AND NOT CONFIG_NRF_SECURITY)
+  zephyr_compile_definitions(MBEDTLS_PSA_CRYPTO_CONFIG)
+  zephyr_compile_definitions(MBEDTLS_PSA_CRYPTO_CLIENT)
+  zephyr_compile_definitions(MBEDTLS_PSA_CRYPTO_CONFIG_FILE="ssf_crypto_config_empty.h")
+  zephyr_compile_definitions(MBEDTLS_CONFIG_FILE="ssf_crypto_config_empty.h")
+
+  zephyr_include_directories(
+    ${NRF_SECURITY_ROOT}/include
+    # Oberon PSA headers
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/include
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/library
+    # Mbed TLS (mbedcrypto) PSA headers
+    ${ARM_MBEDTLS_PATH}/include
+    ${ARM_MBEDTLS_PATH}/library
+  )
+
+  zephyr_sources(${CMAKE_CURRENT_LIST_DIR}/src/ssf_secdom/ssf_crypto.c)
+
+else()
+
 # Finally adding the crypto lib
 add_subdirectory(${NRFXLIB_DIR}/crypto crypto_copy)
 
 # Add mbed TLS Libraries
 add_subdirectory(src)
+endif()