User-provided Mbed TLS configuration header

The nRF Security subsystem provides a Kconfig- and CMake-based build system to configure the Mbed TLS, nrf_cc3xx_mbedcrypto library, and nrf_oberon crypto library libraries. The recommended method for generating the Mbed TLS header is through this build system, as it also enforces dependencies between the libraries. However, for use cases that cannot be configured through the build system, you must provide custom Mbed TLS configuration headers.

Complete the following steps:

  1. Generate the Mbed TLS configuration header.

  2. Create a copy of the nrf-config.h Mbed TLS header file in the build directory and give it a custom name.

  3. Move this custom Mbed TLS header file to your source directory.

  4. In the project configuration, make the following changes:


    • CONFIG_MBEDTLS_CFG_FILE=”custom-name-nrf-config.h”.

  5. Edit custom-name-nrf-config.h with your custom configuration.

  6. If the header files are not already in the include path, add them by editing the application build scripts.


When providing custom Mbed TLS configuration headers with CryptoCell in use, it is important that the following criteria are still met:

  • Entropy length of 144, that is, #define MBEDTLS_ENTROPY_MAX_GATHER 144.

  • SHA-256 is used for entropy, that is, #define MBEDTLS_ENTROPY_FORCE_SHA256 is set.

  • Entropy max sources is set to 1, that is #define MBEDTLS_ENTROPY_MAX_SOURCES 1.


Providing custom Mbed TLS configuration headers is not supported when TF-M is enabled.