Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mbedtls: some enhancement for PSA crypto core #80136

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

mbedtls: some enhancement for PSA crypto core #80136

wants to merge 3 commits into from
+19 −20

Commits on Nov 6, 2024

  1. mbedtls: auto-select MBEDTLS_CIPHER_AES_ENABLED when built-in in PSA 

    Auto-select MBEDTLS_CIPHER_AES_ENABLED when AES support is requested
through PSA (i.e. CONFIG_PSA_WANT_KEY_TYPE_AES) and the PSA support is
provided through Mbed TLS itself (i.e. CONFIG_MBEDTLS_PSA_CRYPTO_C).

This mimic what happens in Mbed TLS at build time: if AES support
is required through PSA, but there's no one else providing it
(i.e. no TF-M in Zephyr) then provide this support through legacy
AES module.

This is useful in samples/tests so that the user can simply use the
PSA_WANT symbol to ask for AES support in PSA crypto and then tune
the AES features (ex: CONFIG_MBEDTLS_AES_ROM_TABLES) without the need
to also define CONFIG_MBEDTLS_CIPHER_AES_ENABLED.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
    @valeriosetti
    valeriosetti committed Nov 6, 2024
    Configuration menu
    Copy the full SHA
    83dd9c9 View commit details
    Browse the repository at this point in the history

  2. mbedtls: use CSPRNG whenever possible as PSA random source 

    The main problem of MBEDTLS_PSA_CRYPTO_LEGACY_RNG is that it
brings in some legacy modules (entropy + ctr_drbg/hmac_drbg)
which means extra ROM/RAM footprint.
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG instead simply calls to the
CSPRNG which makes it definitely smaller.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
    @valeriosetti
    valeriosetti committed Nov 6, 2024
    Configuration menu
    Copy the full SHA
    dddc796 View commit details
    Browse the repository at this point in the history

  3. mbedtls: MBEDTLS_ENTROPY_POLL_ZEPHYR default on if MBEDTLS_ENTROPY_C 

    As long as MBEDTLS_ENTROPY_C is enabled, Mbed TLS needs to
poll some entropy source to gather data that will then be
processed by CTR/HMAC-DRBG modules. This means that in most
of the cases, once MBEDTLS_ENTROPY_C is enabled then also
MBEDTLS_ENTROPY_POLL_ZEPHYR needs to be enabled. This was
done manually until now, as the long list of samples/tests
demonstrate.

This commit solves this dependency by defaulting
MBEDTLS_ENTROPY_POLL_ZEPHYR to on as soon as
MBEDTLS_ENTROPY_C is set. As a consequence, all manual
enablement of MBEDTLS_ENTROPY_POLL_ZEPHYR in samples/tests
are removed.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
    @valeriosetti
    valeriosetti committed Nov 6, 2024
    Configuration menu
    Copy the full SHA
    10c6a74 View commit details
    Browse the repository at this point in the history