mbedtls: add Kconfig option for PSA_WANT_ALG_SHA_256

Create a new Kconfig named CONFIG_PSA_WANT_ALG_SHA_256 which allows to
enable PSA_WANT_ALG_SHA_256. This allows to use PSA functions to
compute SHA256 hashes. When PSA is provided by TFM this allows also
to remove legacy mbedtls_sha256() support and therefore reduce
footprint for the NS side.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>

modules/mbedtls/Kconfig

@@ -13,6 +13,7 @@ config MBEDTLS_PROMPTLESS
 	  mbed TLS menu prompt and instead handle the selection of MBEDTLS from
 	  dependent sub-configurations and thus prevent stuck symbol behavior.
 
+rsource "Kconfig.psa"
 
 menuconfig MBEDTLS
 	bool "mbed TLS Support" if !MBEDTLS_PROMPTLESS

modules/mbedtls/Kconfig.psa

@@ -0,0 +1,14 @@
+# Copyright (c) 2024 Nordic Semiconductor ASA
+# SPDX-License-Identifier: Apache-2.0
+
+config MBEDTLS_PSA_CRYPTO_CLIENT
+	bool
+	default y
+	depends on BUILD_WITH_TFM || MBEDTLS_PSA_CRYPTO_C
+
+if MBEDTLS_PSA_CRYPTO_CLIENT
+
+config PSA_WANT_ALG_SHA_256
+	bool "SHA-256 hash algorithm through PSA"
+
+endif # MBEDTLS_PSA_CRYPTO_CLIENT

modules/mbedtls/configs/config-tls-generic.h

@@ -496,8 +496,15 @@
 #endif
 
 #if defined(CONFIG_BUILD_WITH_TFM)
-#define MBEDTLS_PSA_CRYPTO_CLIENT
 #undef MBEDTLS_PSA_CRYPTO_C
 #endif /* CONFIG_BUILD_WITH_TFM */
 
+#if defined(CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT)
+#define MBEDTLS_PSA_CRYPTO_CLIENT
+#endif
+
+#if defined(CONFIG_PSA_WANT_ALG_SHA_256)
+#define PSA_WANT_ALG_SHA_256 1
+#endif
+
 #endif /* MBEDTLS_CONFIG_H */