From 984e8dce022ea6ccd43d5be654b17e7fc051068b Mon Sep 17 00:00:00 2001
From: Ronald Cron <ronald.cron@arm.com>
Date: Wed, 22 May 2024 08:37:53 +0200
Subject: [PATCH 01/11] config-symmetric-only.h: Remove obsolete comment

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
---
 configs/config-symmetric-only.h | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/configs/config-symmetric-only.h b/configs/config-symmetric-only.h
index 512dd7616c..d7070b87c0 100644
--- a/configs/config-symmetric-only.h
+++ b/configs/config-symmetric-only.h
@@ -65,9 +65,6 @@
 #define MBEDTLS_PSA_ITS_FILE_C
 #define MBEDTLS_RIPEMD160_C
 #define MBEDTLS_SHA1_C
-/* The library does not currently support enabling SHA-224 without SHA-256.
- * A future version of the library will have this option disabled
- * by default. */
 #define MBEDTLS_SHA224_C
 #define MBEDTLS_SHA256_C
 #define MBEDTLS_SHA384_C

From 30b5d671f90c1f28c45f344ac63a6eec1839d4da Mon Sep 17 00:00:00 2001
From: Ronald Cron <ronald.cron@arm.com>
Date: Wed, 22 May 2024 08:45:19 +0200
Subject: [PATCH 02/11] config-symmetric-only.h: Add SHA3

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
---
 configs/config-symmetric-only.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configs/config-symmetric-only.h b/configs/config-symmetric-only.h
index d7070b87c0..f73db3a7d7 100644
--- a/configs/config-symmetric-only.h
+++ b/configs/config-symmetric-only.h
@@ -69,6 +69,7 @@
 #define MBEDTLS_SHA256_C
 #define MBEDTLS_SHA384_C
 #define MBEDTLS_SHA512_C
+#define MBEDTLS_SHA3_C
 //#define MBEDTLS_THREADING_C
 #define MBEDTLS_TIMING_C
 #define MBEDTLS_VERSION_C

From f47f5459b1bd3b4ccd13b44dc01fef48409296ee Mon Sep 17 00:00:00 2001
From: Ronald Cron <ronald.cron@arm.com>
Date: Tue, 14 May 2024 10:51:27 +0200
Subject: [PATCH 03/11] Fix compat.sh filters

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
---
 tests/scripts/test-ref-configs.pl | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl
index 055023a5f2..a6bc0ec742 100755
--- a/tests/scripts/test-ref-configs.pl
+++ b/tests/scripts/test-ref-configs.pl
@@ -17,11 +17,11 @@ use strict;
 
 my %configs = (
     'config-ccm-psk-tls1_2.h' => {
-        'compat' => '-m tls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'',
+        'compat' => '-m tls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'',
         'test_again_with_use_psa' => 1
     },
     'config-ccm-psk-dtls1_2.h' => {
-        'compat' => '-m dtls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'',
+        'compat' => '-m dtls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'',
         'opt' => ' ',
         'opt_needs_debug' => 1,
         'test_again_with_use_psa' => 1
@@ -29,7 +29,7 @@ my %configs = (
     'config-no-entropy.h' => {
     },
     'config-suite-b.h' => {
-        'compat' => "-m tls12 -f 'ECDHE-ECDSA.*AES.*GCM' -p mbedTLS",
+        'compat' => "-m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS",
         'test_again_with_use_psa' => 1,
         'opt' => ' ',
         'opt_needs_debug' => 1,

From e3283ed019e1e90b1b83b07ceceff60177539a08 Mon Sep 17 00:00:00 2001
From: Ronald Cron <ronald.cron@arm.com>
Date: Wed, 15 May 2024 11:22:04 +0200
Subject: [PATCH 04/11] test-ref-configs.pl: Detect automatically test with
 USE_PSA enabled

Change the way we decide if for a given
configuration we need to run tests with
and without MBEDTLS_USE_PSA_CRYPTO enabled.
That makes the script suitable for 3.6 and
development branch.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
---
 tests/scripts/test-ref-configs.pl | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl
index a6bc0ec742..edd778a11d 100755
--- a/tests/scripts/test-ref-configs.pl
+++ b/tests/scripts/test-ref-configs.pl
@@ -18,31 +18,25 @@ use strict;
 my %configs = (
     'config-ccm-psk-tls1_2.h' => {
         'compat' => '-m tls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'',
-        'test_again_with_use_psa' => 1
     },
     'config-ccm-psk-dtls1_2.h' => {
         'compat' => '-m dtls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'',
         'opt' => ' ',
         'opt_needs_debug' => 1,
-        'test_again_with_use_psa' => 1
     },
     'config-no-entropy.h' => {
     },
     'config-suite-b.h' => {
         'compat' => "-m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS",
-        'test_again_with_use_psa' => 1,
         'opt' => ' ',
         'opt_needs_debug' => 1,
     },
     'config-symmetric-only.h' => {
-        'test_again_with_use_psa' => 0, # Uses PSA by default, no need to test it twice
     },
     'config-tfm.h' => {
-        'test_again_with_use_psa' => 0, # Uses PSA by default, no need to test it twice
     },
     'config-thread.h' => {
         'opt' => '-f ECJPAKE.*nolog',
-        'test_again_with_use_psa' => 1,
     },
 );
 
@@ -148,7 +142,17 @@ sub perform_test {
 }
 
 foreach my $conf ( @configs_to_test ) {
-    my $test_with_psa = $configs{$conf}{'test_again_with_use_psa'};
+    my $test_with_psa = 0;
+
+    open(CONFIG_FILE, "<", "configs/$conf") or die "Opening config file '$conf': $!";
+    while (my $line = <CONFIG_FILE>) {
+        if ($line =~ /^\/\/#define MBEDTLS_USE_PSA_CRYPTO/) {
+            $test_with_psa = 1;
+            last;
+        }
+    }
+    close(CONFIG_FILE);
+
     if ( $test_with_psa )
     {
         perform_test( $conf, $configs{$conf}, $test_with_psa );

From a6ff719bc0f123042d57ec0947e672629dbb74e6 Mon Sep 17 00:00:00 2001
From: Ronald Cron <ronald.cron@arm.com>
Date: Wed, 15 May 2024 09:27:27 +0200
Subject: [PATCH 05/11] Resolve some HMAC dependencies automatically

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
---
 configs/crypto-config-ccm-aes-sha256.h        |  4 +--
 include/mbedtls/config_psa.h                  |  2 ++
 .../psa/crypto_adjust_config_dependencies.h   | 27 +++++++++++++++++++
 3 files changed, 30 insertions(+), 3 deletions(-)
 create mode 100644 include/psa/crypto_adjust_config_dependencies.h

diff --git a/configs/crypto-config-ccm-aes-sha256.h b/configs/crypto-config-ccm-aes-sha256.h
index 7f8d58768c..68a9c0a539 100644
--- a/configs/crypto-config-ccm-aes-sha256.h
+++ b/configs/crypto-config-ccm-aes-sha256.h
@@ -2,7 +2,7 @@
  * \file configs/crypto-config-ccm-aes-sha256.h
  *
  * \brief PSA crypto configuration with only symmetric cryptography: CCM-AES,
- *        SHA-256, HMAC and key derivation
+ *        SHA-256 and key derivation (uses HMAC).
  */
 /*
  *  Copyright The Mbed TLS Contributors
@@ -13,12 +13,10 @@
 #define PSA_CRYPTO_CONFIG_H
 
 #define PSA_WANT_ALG_CCM 1
-#define PSA_WANT_ALG_HMAC 1
 #define PSA_WANT_ALG_SHA_256 1
 #define PSA_WANT_ALG_TLS12_PRF 1
 #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
 #define PSA_WANT_KEY_TYPE_DERIVE 1
-#define PSA_WANT_KEY_TYPE_HMAC 1
 #define PSA_WANT_KEY_TYPE_AES 1
 #define PSA_WANT_KEY_TYPE_RAW_DATA 1
 
diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h
index 17da61b3e8..de961ec0f8 100644
--- a/include/mbedtls/config_psa.h
+++ b/include/mbedtls/config_psa.h
@@ -22,6 +22,8 @@
 
 #include "psa/crypto_adjust_config_synonyms.h"
 
+#include "psa/crypto_adjust_config_dependencies.h"
+
 #include "mbedtls/config_adjust_psa_superset_legacy.h"
 
 #if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
diff --git a/include/psa/crypto_adjust_config_dependencies.h b/include/psa/crypto_adjust_config_dependencies.h
new file mode 100644
index 0000000000..776f05b422
--- /dev/null
+++ b/include/psa/crypto_adjust_config_dependencies.h
@@ -0,0 +1,27 @@
+/**
+ * \file psa/crypto_adjust_config_dependencies.h
+ * \brief Adjust PSA configuration by resolving some dependencies.
+ *
+ * See docs/proposed/psa-conditional-inclusion-c.md.
+ * If a cryptographic mechanism A depends on a cryptographic mechanism B and
+ * A is enabled then enable B.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H
+#define PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H
+
+#if defined(PSA_WANT_ALG_TLS12_PRF) || \
+    defined(PSA_WANT_ALG_TLS12_PSK_TO_MS) || \
+    defined(PSA_WANT_ALG_HKDF) || \
+    defined(PSA_WANT_ALG_HKDF_EXTRACT) || \
+    defined(PSA_WANT_ALG_HKDF_EXPAND) || \
+    defined(PSA_WANT_ALG_PBKDF2_HMAC)
+#define PSA_WANT_ALG_HMAC 1
+#define PSA_WANT_KEY_TYPE_HMAC 1
+#endif
+
+#endif /* PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H */

From 7d949ae1a333ffe595050185440af92b1018051a Mon Sep 17 00:00:00 2001
From: Ronald Cron <ronald.cron@arm.com>
Date: Wed, 15 May 2024 18:31:17 +0200
Subject: [PATCH 06/11] Resolve PBKDF2_AES_CMAC_PRF_128 dependencies

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
---
 include/psa/crypto_adjust_config_dependencies.h | 5 +++++
 tests/scripts/all.sh                            | 8 ++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/include/psa/crypto_adjust_config_dependencies.h b/include/psa/crypto_adjust_config_dependencies.h
index 776f05b422..ffca8ca373 100644
--- a/include/psa/crypto_adjust_config_dependencies.h
+++ b/include/psa/crypto_adjust_config_dependencies.h
@@ -24,4 +24,9 @@
 #define PSA_WANT_KEY_TYPE_HMAC 1
 #endif
 
+#if defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128)
+#define PSA_WANT_KEY_TYPE_AES 1
+#define PSA_WANT_ALG_CMAC 1
+#endif
+
 #endif /* PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H */
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index b8eb3a259b..5cdc52625a 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1725,6 +1725,7 @@ common_test_full_no_cipher_with_psa_crypto () {
         scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR
         scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING
         scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB
+        scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
         scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER
         scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
     else
@@ -4090,6 +4091,7 @@ common_block_cipher_dispatch() {
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+    scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
 
     # Disable direct dependency on AES_C
     scripts/config.py unset MBEDTLS_NIST_KW_C
@@ -5538,9 +5540,11 @@ component_build_psa_config_file () {
     make clean
 
     msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE + MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s
-    # In the user config, disable one feature, which will reflect on the
-    # mbedtls configuration so we can query it with query_compile_time_config.
+    # In the user config, disable one feature and its dependencies, which will
+    # reflect on the mbedtls configuration so we can query it with
+    # query_compile_time_config.
     echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h
+    echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h
     scripts/config.py unset MBEDTLS_CMAC_C
     make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'"
     not programs/test/query_compile_time_config MBEDTLS_CMAC_C

From f313902890ee43a2e14f0e1bab6c880db333917f Mon Sep 17 00:00:00 2001
From: Ronald Cron <ronald.cron@arm.com>
Date: Wed, 15 May 2024 12:49:02 +0200
Subject: [PATCH 07/11] Fix "maybe-uninitialized" warning with GCC 11.3

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
---
 tests/suites/test_suite_pk.function | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index ad7da32222..1188137b33 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -1818,7 +1818,7 @@ void pk_psa_sign(int psa_type, int bits, int rsa_padding)
     int ret;
 #endif /* MBEDTLS_RSA_C || MBEDTLS_PK_WRITE_C */
 #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
-    mbedtls_ecp_group_id ecp_grp_id;
+    mbedtls_ecp_group_id ecp_grp_id = MBEDTLS_ECP_DP_NONE;
 #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
 
     /*

From c8953c9083365f1b720a4008380a389a0284715c Mon Sep 17 00:00:00 2001
From: Ronald Cron <ronald.cron@arm.com>
Date: Fri, 17 May 2024 11:19:57 +0200
Subject: [PATCH 08/11] Fix the resolution of dependencies on HMAC

The Mbed TLS implementations of ALG_TLS12_PRF,
ALG_TLS12_PSK_TO_MS, ALG_HKDF, ALG_HKDF_EXTRACT,
ALG_HKDF_EXPAND and ALG_PBKDF2 rely on HMAC
operations through the driver interface. Thus
if one of these algorithms is enabled and not
accelerated, we need ALG_HMAC to be enabled
(PSA_WANT_ALG_HMAC and PSA_WANT_KEY_TYPE_HMAC
defined). As HMAC operations occur through
the driver interface, HMAC operations can be
accelerated even if the caller algorithm
is not.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
---
 .../mbedtls/config_adjust_legacy_from_psa.h    |  6 ------
 .../psa/crypto_adjust_config_dependencies.h    | 18 ++++++++++++------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/include/mbedtls/config_adjust_legacy_from_psa.h b/include/mbedtls/config_adjust_legacy_from_psa.h
index 0091e246b2..0e4759de74 100644
--- a/include/mbedtls/config_adjust_legacy_from_psa.h
+++ b/include/mbedtls/config_adjust_legacy_from_psa.h
@@ -498,7 +498,6 @@
  * The PSA implementation has its own implementation of HKDF, separate from
  * hkdf.c. No need to enable MBEDTLS_HKDF_C here.
  */
-#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
 #define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1
 #endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF */
 #endif /* PSA_WANT_ALG_HKDF */
@@ -509,7 +508,6 @@
  * The PSA implementation has its own implementation of HKDF, separate from
  * hkdf.c. No need to enable MBEDTLS_HKDF_C here.
  */
-#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
 #define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT 1
 #endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT */
 #endif /* PSA_WANT_ALG_HKDF_EXTRACT */
@@ -520,7 +518,6 @@
  * The PSA implementation has its own implementation of HKDF, separate from
  * hkdf.c. No need to enable MBEDTLS_HKDF_C here.
  */
-#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
 #define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND 1
 #endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND */
 #endif /* PSA_WANT_ALG_HKDF_EXPAND */
@@ -630,9 +627,6 @@
 #if !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC)
 #define MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC 1
 #define PSA_HAVE_SOFT_PBKDF2_HMAC 1
-#if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC)
-#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
-#endif /* !MBEDTLS_PSA_ACCEL_ALG_HMAC */
 #endif /* !MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
 #endif /* PSA_WANT_ALG_PBKDF2_HMAC */
 
diff --git a/include/psa/crypto_adjust_config_dependencies.h b/include/psa/crypto_adjust_config_dependencies.h
index ffca8ca373..ac6344d891 100644
--- a/include/psa/crypto_adjust_config_dependencies.h
+++ b/include/psa/crypto_adjust_config_dependencies.h
@@ -14,12 +14,18 @@
 #ifndef PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H
 #define PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H
 
-#if defined(PSA_WANT_ALG_TLS12_PRF) || \
-    defined(PSA_WANT_ALG_TLS12_PSK_TO_MS) || \
-    defined(PSA_WANT_ALG_HKDF) || \
-    defined(PSA_WANT_ALG_HKDF_EXTRACT) || \
-    defined(PSA_WANT_ALG_HKDF_EXPAND) || \
-    defined(PSA_WANT_ALG_PBKDF2_HMAC)
+#if (defined(PSA_WANT_ALG_TLS12_PRF) && \
+    !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF)) || \
+    (defined(PSA_WANT_ALG_TLS12_PSK_TO_MS) && \
+    !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS)) || \
+    (defined(PSA_WANT_ALG_HKDF) && \
+    !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF)) || \
+    (defined(PSA_WANT_ALG_HKDF_EXTRACT) && \
+    !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT)) || \
+    (defined(PSA_WANT_ALG_HKDF_EXPAND) && \
+    !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND)) || \
+    (defined(PSA_WANT_ALG_PBKDF2_HMAC) && \
+    !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC))
 #define PSA_WANT_ALG_HMAC 1
 #define PSA_WANT_KEY_TYPE_HMAC 1
 #endif

From 0fd2d04566a61cb54169e60363db4bfe1dbcc140 Mon Sep 17 00:00:00 2001
From: Ronald Cron <ronald.cron@arm.com>
Date: Fri, 17 May 2024 13:11:24 +0200
Subject: [PATCH 09/11] Fix PBKDF2_AES_CMAC_PRF_128 dependencies

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
---
 include/psa/crypto_adjust_config_dependencies.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/psa/crypto_adjust_config_dependencies.h b/include/psa/crypto_adjust_config_dependencies.h
index ac6344d891..aeedf681b6 100644
--- a/include/psa/crypto_adjust_config_dependencies.h
+++ b/include/psa/crypto_adjust_config_dependencies.h
@@ -30,7 +30,8 @@
 #define PSA_WANT_KEY_TYPE_HMAC 1
 #endif
 
-#if defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128)
+#if (defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128) && \
+    !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_AES_CMAC_PRF_128))
 #define PSA_WANT_KEY_TYPE_AES 1
 #define PSA_WANT_ALG_CMAC 1
 #endif

From 8b1c5ebfc83c11d3e4fd2d0fe6750e95393a0a8a Mon Sep 17 00:00:00 2001
From: Ronald Cron <ronald.cron@arm.com>
Date: Fri, 17 May 2024 13:18:52 +0200
Subject: [PATCH 10/11] Fix crypto_adjust_config_dependencies.h documentation

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
---
 include/psa/crypto_adjust_config_dependencies.h | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/include/psa/crypto_adjust_config_dependencies.h b/include/psa/crypto_adjust_config_dependencies.h
index aeedf681b6..5a22205bf3 100644
--- a/include/psa/crypto_adjust_config_dependencies.h
+++ b/include/psa/crypto_adjust_config_dependencies.h
@@ -2,9 +2,13 @@
  * \file psa/crypto_adjust_config_dependencies.h
  * \brief Adjust PSA configuration by resolving some dependencies.
  *
+ * This is an internal header. Do not include it directly.
+ *
  * See docs/proposed/psa-conditional-inclusion-c.md.
- * If a cryptographic mechanism A depends on a cryptographic mechanism B and
- * A is enabled then enable B.
+ * If the Mbed TLS implementation of a cryptographic mechanism A depends on a
+ * cryptographic mechanism B then if the cryptographic mechanism A is enabled
+ * and not accelerated enable B. Note that if A is enabled and accelerated, it
+ * is not necessary to enable B for A support.
  */
 /*
  *  Copyright The Mbed TLS Contributors

From 8526751ec42064685631bda500cd9719cc4b529e Mon Sep 17 00:00:00 2001
From: Ronald Cron <ronald.cron@arm.com>
Date: Fri, 17 May 2024 14:11:31 +0200
Subject: [PATCH 11/11] Improve test-ref-configs.pl

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
---
 tests/scripts/test-ref-configs.pl | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl
index edd778a11d..5557de3276 100755
--- a/tests/scripts/test-ref-configs.pl
+++ b/tests/scripts/test-ref-configs.pl
@@ -142,16 +142,9 @@ sub perform_test {
 }
 
 foreach my $conf ( @configs_to_test ) {
-    my $test_with_psa = 0;
-
-    open(CONFIG_FILE, "<", "configs/$conf") or die "Opening config file '$conf': $!";
-    while (my $line = <CONFIG_FILE>) {
-        if ($line =~ /^\/\/#define MBEDTLS_USE_PSA_CRYPTO/) {
-            $test_with_psa = 1;
-            last;
-        }
-    }
-    close(CONFIG_FILE);
+    system("grep '//#define MBEDTLS_USE_PSA_CRYPTO' configs/$conf > /dev/null");
+    die "grep ... configs/$conf: $!" if $? != 0 && $? != 0x100;
+    my $test_with_psa = $? == 0;
 
     if ( $test_with_psa )
     {