Crypto: Align PSA headers entirely to Mbed TLS 3.6.0
This also simplifies the client attributes translation between
client view and service view and reorganized how the Mbed TLS
config files are handled between NS/S (client/service) sides.
At the same time, perform a CMake targets refactoring to allow
exporting a client side view of the config files.
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
Change-Id: I9a715f9ef40fc223992575ecbac5cf23d162a326
diff --git a/lib/ext/mbedcrypto/0001-Add-TF-M-Builtin-Key-Loader-driver-entry-points.patch b/lib/ext/mbedcrypto/0001-Add-TF-M-Builtin-Key-Loader-driver-entry-points.patch
index c6de430..269e55d 100644
--- a/lib/ext/mbedcrypto/0001-Add-TF-M-Builtin-Key-Loader-driver-entry-points.patch
+++ b/lib/ext/mbedcrypto/0001-Add-TF-M-Builtin-Key-Loader-driver-entry-points.patch
@@ -1,12 +1,13 @@
-From 6a2f9ac84d44e2644056322efbc108f2973152eb Mon Sep 17 00:00:00 2001
+From f4355fd5675936015f1b822cc30b39c369ea9bfb Mon Sep 17 00:00:00 2001
From: Antonio de Angelis <Antonio.deAngelis@arm.com>
-Date: Fri, 6 Oct 2023 10:20:44 +0100
+Date: Thu, 21 Mar 2024 11:44:56 +0000
Subject: [PATCH 1/6] Add TF-M Builtin Key Loader driver entry points
-TF-M requires a mechanism to leverage the drivers and builtin keys
-at the same time to allow for "transparent builtin keys". More details
-are in the TF-M design doc. Provide directly the wrappers instead of
-modifying the autogen scripts, for the time being.
+TF-M requires a mechanism to leverage the drivers
+and builtin keys at the same time to allow for
+"transparent builtin keys". More details are in the
+TF-M design doc. Provide directly the wrappers instead
+of modifying the autogen scripts, for the time being.
Signed-off-by: Raef Coles <raef.coles@arm.com>
Co-authored-by: Antonio de Angelis <antonio.deangelis@arm.com>
@@ -17,12 +18,12 @@
3 files changed, 143 insertions(+), 9 deletions(-)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
-index 1faf1dd6..52f34497 100644
+index 969c695ac..867b4019b 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
-@@ -85,6 +85,10 @@
- #include "mbedtls/sha512.h"
- #include "md_psa.h"
+@@ -73,6 +73,10 @@
+ #include "mbedtls/psa_util.h"
+ #include "mbedtls/threading.h"
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+#include "tfm_builtin_key_loader.h"
@@ -31,7 +32,7 @@
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND)
-@@ -1144,7 +1148,11 @@ static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy(
+@@ -1166,7 +1170,11 @@ static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy(
return status;
}
@@ -41,14 +42,14 @@
+ && PSA_KEY_LIFETIME_GET_LOCATION((*p_slot)->attr.lifetime) != TFM_BUILTIN_KEY_LOADER_KEY_LOCATION
+#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
+ ) {
- psa_unlock_key_slot(*p_slot);
+ psa_unregister_read_under_mutex(*p_slot);
*p_slot = NULL;
return PSA_ERROR_NOT_SUPPORTED;
diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h
-index 6ab95976..8b468b46 100644
+index ea6aee32e..2ea6358f9 100644
--- a/library/psa_crypto_driver_wrappers.h
+++ b/library/psa_crypto_driver_wrappers.h
-@@ -54,16 +54,32 @@
+@@ -42,16 +42,32 @@
#endif
@@ -85,7 +86,7 @@
/* END-driver id */
-@@ -85,6 +101,12 @@ static inline psa_status_t psa_driver_wrapper_init( void )
+@@ -73,6 +89,12 @@ static inline psa_status_t psa_driver_wrapper_init( void )
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
@@ -98,251 +99,251 @@
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
status = psa_init_all_se_drivers( );
if( status != PSA_SUCCESS )
-@@ -138,6 +160,9 @@ static inline psa_status_t psa_driver_wrapper_sign_message(
+@@ -126,6 +148,9 @@ static inline psa_status_t psa_driver_wrapper_sign_message(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -212,6 +237,9 @@ static inline psa_status_t psa_driver_wrapper_verify_message(
+@@ -200,6 +225,9 @@ static inline psa_status_t psa_driver_wrapper_verify_message(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -299,6 +327,9 @@ static inline psa_status_t psa_driver_wrapper_sign_hash(
+@@ -287,6 +315,9 @@ static inline psa_status_t psa_driver_wrapper_sign_hash(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -403,6 +434,9 @@ static inline psa_status_t psa_driver_wrapper_verify_hash(
+@@ -391,6 +422,9 @@ static inline psa_status_t psa_driver_wrapper_verify_hash(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -532,6 +566,9 @@ static inline psa_status_t psa_driver_wrapper_sign_hash_start(
+@@ -521,6 +555,9 @@ static inline psa_status_t psa_driver_wrapper_sign_hash_start(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
-@@ -620,6 +657,9 @@ static inline psa_status_t psa_driver_wrapper_verify_hash_start(
+@@ -613,6 +650,9 @@ static inline psa_status_t psa_driver_wrapper_verify_hash_start(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
-@@ -765,6 +805,9 @@ static inline psa_status_t psa_driver_wrapper_generate_key(
+@@ -775,6 +815,9 @@ static inline psa_status_t psa_driver_wrapper_generate_key(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
- /* Transparent drivers are limited to generating asymmetric keys */
- if( PSA_KEY_TYPE_IS_ASYMMETRIC( attributes->core.type ) )
-@@ -865,6 +908,9 @@ static inline psa_status_t psa_driver_wrapper_import_key(
+ /* Transparent drivers are limited to generating asymmetric keys. */
+ /* We don't support passing custom production parameters
+@@ -879,6 +922,9 @@ static inline psa_status_t psa_driver_wrapper_import_key(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -966,6 +1012,9 @@ static inline psa_status_t psa_driver_wrapper_export_key(
+@@ -980,6 +1026,9 @@ static inline psa_status_t psa_driver_wrapper_export_key(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
return( psa_export_key_internal( attributes,
key_buffer,
key_buffer_size,
-@@ -1072,6 +1121,9 @@ static inline psa_status_t psa_driver_wrapper_cipher_encrypt(
+@@ -1086,6 +1135,9 @@ static inline psa_status_t psa_driver_wrapper_cipher_encrypt(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -1162,6 +1214,9 @@ static inline psa_status_t psa_driver_wrapper_cipher_decrypt(
+@@ -1176,6 +1228,9 @@ static inline psa_status_t psa_driver_wrapper_cipher_decrypt(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -1239,6 +1294,9 @@ static inline psa_status_t psa_driver_wrapper_cipher_encrypt_setup(
+@@ -1253,6 +1308,9 @@ static inline psa_status_t psa_driver_wrapper_cipher_encrypt_setup(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -1312,6 +1370,9 @@ static inline psa_status_t psa_driver_wrapper_cipher_decrypt_setup(
+@@ -1326,6 +1384,9 @@ static inline psa_status_t psa_driver_wrapper_cipher_decrypt_setup(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -1712,6 +1773,9 @@ static inline psa_status_t psa_driver_wrapper_aead_encrypt(
+@@ -1726,6 +1787,9 @@ static inline psa_status_t psa_driver_wrapper_aead_encrypt(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
-@@ -1764,6 +1828,9 @@ static inline psa_status_t psa_driver_wrapper_aead_decrypt(
+@@ -1778,6 +1842,9 @@ static inline psa_status_t psa_driver_wrapper_aead_decrypt(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
-@@ -1813,6 +1880,9 @@ static inline psa_status_t psa_driver_wrapper_aead_encrypt_setup(
+@@ -1827,6 +1894,9 @@ static inline psa_status_t psa_driver_wrapper_aead_encrypt_setup(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
-@@ -1861,6 +1931,9 @@ static inline psa_status_t psa_driver_wrapper_aead_decrypt_setup(
+@@ -1875,6 +1945,9 @@ static inline psa_status_t psa_driver_wrapper_aead_decrypt_setup(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
-@@ -2197,6 +2270,9 @@ static inline psa_status_t psa_driver_wrapper_mac_compute(
+@@ -2211,6 +2284,9 @@ static inline psa_status_t psa_driver_wrapper_mac_compute(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -2261,6 +2337,9 @@ static inline psa_status_t psa_driver_wrapper_mac_sign_setup(
+@@ -2275,6 +2351,9 @@ static inline psa_status_t psa_driver_wrapper_mac_sign_setup(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -2333,6 +2412,9 @@ static inline psa_status_t psa_driver_wrapper_mac_verify_setup(
+@@ -2347,6 +2426,9 @@ static inline psa_status_t psa_driver_wrapper_mac_verify_setup(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -2533,6 +2615,9 @@ static inline psa_status_t psa_driver_wrapper_asymmetric_encrypt(
+@@ -2547,6 +2629,9 @@ static inline psa_status_t psa_driver_wrapper_asymmetric_encrypt(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -2591,6 +2676,9 @@ static inline psa_status_t psa_driver_wrapper_asymmetric_decrypt(
+@@ -2605,6 +2690,9 @@ static inline psa_status_t psa_driver_wrapper_asymmetric_decrypt(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -2655,6 +2743,9 @@ static inline psa_status_t psa_driver_wrapper_key_agreement(
+@@ -2669,6 +2757,9 @@ static inline psa_status_t psa_driver_wrapper_key_agreement(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -2735,6 +2826,9 @@ static inline psa_status_t psa_driver_wrapper_pake_setup(
+@@ -2749,6 +2840,9 @@ static inline psa_status_t psa_driver_wrapper_pake_setup(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
status = PSA_ERROR_NOT_SUPPORTED;
diff --git a/library/psa_crypto_driver_wrappers_no_static.c b/library/psa_crypto_driver_wrappers_no_static.c
-index de1511ba..af677746 100644
+index de8a5269b..436a650fc 100644
--- a/library/psa_crypto_driver_wrappers_no_static.c
+++ b/library/psa_crypto_driver_wrappers_no_static.c
-@@ -53,16 +53,32 @@
+@@ -41,16 +41,32 @@
#endif
@@ -379,7 +380,7 @@
/* END-driver id */
-@@ -124,6 +140,12 @@ psa_status_t psa_driver_wrapper_get_key_buffer_size(
+@@ -112,6 +128,12 @@ psa_status_t psa_driver_wrapper_get_key_buffer_size(
PSA_SUCCESS : PSA_ERROR_NOT_SUPPORTED );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -392,7 +393,7 @@
default:
(void)key_type;
(void)key_bits;
-@@ -165,6 +187,9 @@ psa_status_t psa_driver_wrapper_export_public_key(
+@@ -153,6 +175,9 @@ psa_status_t psa_driver_wrapper_export_public_key(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
@@ -402,10 +403,10 @@
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -255,6 +280,13 @@ psa_status_t psa_driver_wrapper_get_builtin_key(
+@@ -241,6 +266,13 @@ psa_status_t psa_driver_wrapper_get_builtin_key(
+ ));
+ #endif
-
- #endif /* PSA_CRYPTO_DRIVER_TEST */
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+ return( tfm_builtin_key_loader_get_builtin_key(
@@ -413,9 +414,9 @@
+ attributes,
+ key_buffer, key_buffer_size, key_buffer_length ) );
+#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
+
+ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
default:
- (void) slot_number;
- (void) key_buffer;
--
-2.25.1
+2.34.1
diff --git a/lib/ext/mbedcrypto/0002-Enable-crypto-code-sharing-between-independent-binar.patch b/lib/ext/mbedcrypto/0002-Enable-crypto-code-sharing-between-independent-binar.patch
index ed0309c..1b151b3 100644
--- a/lib/ext/mbedcrypto/0002-Enable-crypto-code-sharing-between-independent-binar.patch
+++ b/lib/ext/mbedcrypto/0002-Enable-crypto-code-sharing-between-independent-binar.patch
@@ -1,4 +1,4 @@
-From 3ff9c6c84191499859116b322f00da18e2472079 Mon Sep 17 00:00:00 2001
+From 897915891d0af5947b9391f13b75bf338fabbe94 Mon Sep 17 00:00:00 2001
From: Tamas Ban <tamas.ban@arm.com>
Date: Tue, 27 Oct 2020 08:55:37 +0000
Subject: [PATCH 2/6] Enable crypto code sharing between independent binaries
@@ -13,7 +13,7 @@
diff --git a/code_share.c b/code_share.c
new file mode 100644
-index 00000000..2bf67fb4
+index 000000000..2bf67fb42
--- /dev/null
+++ b/code_share.c
@@ -0,0 +1,3 @@
@@ -21,10 +21,10 @@
+ * extensive crypto code sharing was already applied on the mbedtls library.
+ */
diff --git a/library/platform.c b/library/platform.c
-index b15b7b29..dfd67410 100644
+index 890c4cbab..f8109c73f 100644
--- a/library/platform.c
+++ b/library/platform.c
-@@ -53,8 +53,8 @@ static void platform_free_uninit(void *ptr)
+@@ -41,8 +41,8 @@ static void platform_free_uninit(void *ptr)
#define MBEDTLS_PLATFORM_STD_FREE platform_free_uninit
#endif /* !MBEDTLS_PLATFORM_STD_FREE */
@@ -36,10 +36,10 @@
void *mbedtls_calloc(size_t nmemb, size_t size)
{
diff --git a/library/platform_util.c b/library/platform_util.c
-index 09216edf..3c0a50b0 100644
+index 0741bf575..b867c6da1 100644
--- a/library/platform_util.c
+++ b/library/platform_util.c
-@@ -100,7 +100,7 @@
+@@ -88,7 +88,7 @@
#if !defined(MBEDTLS_PLATFORM_HAS_EXPLICIT_BZERO) && !(defined(__STDC_LIB_EXT1__) && \
!defined(__IAR_SYSTEMS_ICC__)) \
&& !defined(_WIN32)
@@ -49,5 +49,5 @@
void mbedtls_platform_zeroize(void *buf, size_t len)
--
-2.25.1
+2.34.1
diff --git a/lib/ext/mbedcrypto/0003-Allow-SE-key-to-use-key-vendor-id-within-PSA-crypto.patch b/lib/ext/mbedcrypto/0003-Allow-SE-key-to-use-key-vendor-id-within-PSA-crypto.patch
index a08fc5c..d5d75a6 100644
--- a/lib/ext/mbedcrypto/0003-Allow-SE-key-to-use-key-vendor-id-within-PSA-crypto.patch
+++ b/lib/ext/mbedcrypto/0003-Allow-SE-key-to-use-key-vendor-id-within-PSA-crypto.patch
@@ -1,4 +1,4 @@
-From d5421c159bd09f557eb1a98dd10c56b961fa235b Mon Sep 17 00:00:00 2001
+From f3d7c2b7000b98a5191007cbdf0b8910642fb685 Mon Sep 17 00:00:00 2001
From: Benjamin Baratte <benjamin.baratte@st.com>
Date: Thu, 9 Feb 2023 10:35:01 +0100
Subject: [PATCH 3/6] Allow SE key to use key vendor id within PSA crypto
@@ -9,10 +9,10 @@
1 file changed, 4 insertions(+)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
-index 52f34497..755091aa 100644
+index 867b4019b..fd1d28fc6 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
-@@ -1718,7 +1718,11 @@ static psa_status_t psa_validate_key_attributes(
+@@ -1703,7 +1703,11 @@ static psa_status_t psa_validate_key_attributes(
return PSA_ERROR_INVALID_ARGUMENT;
}
} else {
@@ -25,5 +25,5 @@
}
}
--
-2.25.1
+2.34.1
diff --git a/lib/ext/mbedcrypto/0004-Initialise-driver-wrappers-as-first-step-in-psa_cryp.patch b/lib/ext/mbedcrypto/0004-Initialise-driver-wrappers-as-first-step-in-psa_cryp.patch
index c94e50c..2b2b795 100644
--- a/lib/ext/mbedcrypto/0004-Initialise-driver-wrappers-as-first-step-in-psa_cryp.patch
+++ b/lib/ext/mbedcrypto/0004-Initialise-driver-wrappers-as-first-step-in-psa_cryp.patch
@@ -1,47 +1,39 @@
-From 05d237704ded16405382cbef7cc867e2d7382e13 Mon Sep 17 00:00:00 2001
+From ba6536c5140df75a669fc92cdef2729a6913f6af Mon Sep 17 00:00:00 2001
From: Antonio de Angelis <Antonio.deAngelis@arm.com>
-Date: Tue, 23 Aug 2022 13:06:07 +0100
+Date: Thu, 21 Mar 2024 11:58:19 +0000
Subject: [PATCH 4/6] Initialise driver wrappers as first step in
psa_crypto_init()
-This patch amends the order of initialisations performed in psa_crypto_init()
-to make sure that the driver wrappers based on the PSA driver API are initialised
-just after the key slots in memory, both of them at the beginning of the
-initialisation sequence.
+This patch amends the order of initialisations performed in
+psa_crypto_init() to make sure that the driver wrappers based
+on the PSA driver API are initialised just after the key slots
+in memory, both of them at the beginning of the initialisation
+sequence.
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
---
- library/psa_crypto.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
+ library/psa_crypto.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
-index 755091aa..0b934079 100644
+index fd1d28fc6..1d91739da 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
-@@ -7730,6 +7730,11 @@ psa_status_t psa_crypto_init(void)
+@@ -8274,12 +8274,12 @@ psa_status_t psa_crypto_init(void)
return PSA_SUCCESS;
}
-+ status = psa_initialize_key_slots();
-+ if (status != PSA_SUCCESS) {
-+ goto exit;
-+ }
-+
- /* Init drivers */
- status = psa_driver_wrapper_init();
+- status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS);
++ status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS);
if (status != PSA_SUCCESS) {
-@@ -7746,11 +7751,6 @@ psa_status_t psa_crypto_init(void)
+ goto exit;
}
- global_data.rng_state = RNG_SEEDED;
-- status = psa_initialize_key_slots();
-- if (status != PSA_SUCCESS) {
-- goto exit;
-- }
--
- #if defined(PSA_CRYPTO_STORAGE_HAS_TRANSACTIONS)
- status = psa_crypto_load_transaction();
- if (status == PSA_SUCCESS) {
+- status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS);
++ status = mbedtls_psa_crypto_init_subsystem(PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS);
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
--
-2.25.1
+2.34.1
diff --git a/lib/ext/mbedcrypto/0005-Hardcode-CC3XX-entry-points.patch b/lib/ext/mbedcrypto/0005-Hardcode-CC3XX-entry-points.patch
index 4f5cd90..b8cb4ff 100644
--- a/lib/ext/mbedcrypto/0005-Hardcode-CC3XX-entry-points.patch
+++ b/lib/ext/mbedcrypto/0005-Hardcode-CC3XX-entry-points.patch
@@ -1,6 +1,6 @@
-From f80c7d78790db53422cf7d2347187033e7fbfd42 Mon Sep 17 00:00:00 2001
+From bb55d3718baa1c2d787cf996da8f01d85c99b00b Mon Sep 17 00:00:00 2001
From: Antonio de Angelis <Antonio.deAngelis@arm.com>
-Date: Sat, 30 Sep 2023 22:51:48 +0100
+Date: Thu, 21 Mar 2024 12:58:37 +0000
Subject: [PATCH 5/6] Hardcode CC3XX entry points
Manually hardcode PSA driver entry points for the CC3XX driver
@@ -14,13 +14,13 @@
.../psa/crypto_driver_contexts_primitives.h | 10 +
library/psa_crypto_driver_wrappers.h | 421 ++++++++++++++++--
.../psa_crypto_driver_wrappers_no_static.c | 24 +
- 4 files changed, 435 insertions(+), 30 deletions(-)
+ 4 files changed, 436 insertions(+), 29 deletions(-)
diff --git a/include/psa/crypto_driver_contexts_composites.h b/include/psa/crypto_driver_contexts_composites.h
-index d0188647..9da29765 100644
+index d717c5190..f6a54aefd 100644
--- a/include/psa/crypto_driver_contexts_composites.h
+++ b/include/psa/crypto_driver_contexts_composites.h
-@@ -42,6 +42,10 @@
+@@ -30,6 +30,10 @@
/* Include the context structure definitions for those drivers that were
* declared during the autogeneration process. */
@@ -31,7 +31,7 @@
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
#include <libtestdriver1/include/psa/crypto.h>
#endif
-@@ -130,6 +134,9 @@ typedef union {
+@@ -118,6 +122,9 @@ typedef union {
mbedtls_transparent_test_driver_mac_operation_t transparent_test_driver_ctx;
mbedtls_opaque_test_driver_mac_operation_t opaque_test_driver_ctx;
#endif
@@ -41,7 +41,7 @@
} psa_driver_mac_context_t;
typedef union {
-@@ -138,6 +145,9 @@ typedef union {
+@@ -126,6 +133,9 @@ typedef union {
#if defined(PSA_CRYPTO_DRIVER_TEST)
mbedtls_transparent_test_driver_aead_operation_t transparent_test_driver_ctx;
#endif
@@ -52,10 +52,10 @@
typedef union {
diff --git a/include/psa/crypto_driver_contexts_primitives.h b/include/psa/crypto_driver_contexts_primitives.h
-index b27a768e..dd657029 100644
+index c90a5fbe7..3f00006f8 100644
--- a/include/psa/crypto_driver_contexts_primitives.h
+++ b/include/psa/crypto_driver_contexts_primitives.h
-@@ -41,6 +41,10 @@
+@@ -29,6 +29,10 @@
/* Include the context structure definitions for those drivers that were
* declared during the autogeneration process. */
@@ -66,7 +66,7 @@
#if defined(MBEDTLS_TEST_LIBTESTDRIVER1)
#include <libtestdriver1/include/psa/crypto.h>
#endif
-@@ -102,6 +106,9 @@ typedef union {
+@@ -90,6 +94,9 @@ typedef union {
#if defined(PSA_CRYPTO_DRIVER_TEST)
mbedtls_transparent_test_driver_hash_operation_t test_driver_ctx;
#endif
@@ -76,7 +76,7 @@
} psa_driver_hash_context_t;
typedef union {
-@@ -111,6 +118,9 @@ typedef union {
+@@ -99,6 +106,9 @@ typedef union {
mbedtls_transparent_test_driver_cipher_operation_t transparent_test_driver_ctx;
mbedtls_opaque_test_driver_cipher_operation_t opaque_test_driver_ctx;
#endif
@@ -87,10 +87,10 @@
#endif /* PSA_CRYPTO_DRIVER_CONTEXTS_PRIMITIVES_H */
diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h
-index 8b468b46..bdaa25ca 100644
+index 2ea6358f9..3fa4583b7 100644
--- a/library/psa_crypto_driver_wrappers.h
+++ b/library/psa_crypto_driver_wrappers.h
-@@ -65,6 +65,16 @@
+@@ -53,6 +53,16 @@
#include "tfm_builtin_key_loader.h"
#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
@@ -107,7 +107,7 @@
/* END-driver headers */
/* Auto-generated values depending on which drivers are registered.
-@@ -79,6 +89,9 @@ enum {
+@@ -67,6 +77,9 @@ enum {
#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
PSA_CRYPTO_TFM_BUILTIN_KEY_LOADER_DRIVER_ID,
#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
@@ -117,7 +117,7 @@
};
/* END-driver id */
-@@ -123,6 +136,11 @@ static inline psa_status_t psa_driver_wrapper_init( void )
+@@ -111,6 +124,12 @@ static inline psa_status_t psa_driver_wrapper_init( void )
return( status );
#endif
@@ -126,10 +126,11 @@
+ if (status != PSA_SUCCESS)
+ return ( status );
+#endif
++
(void) status;
return( PSA_SUCCESS );
}
-@@ -139,6 +157,10 @@ static inline void psa_driver_wrapper_free( void )
+@@ -127,6 +146,10 @@ static inline void psa_driver_wrapper_free( void )
mbedtls_test_transparent_free( );
mbedtls_test_opaque_free( );
#endif
@@ -140,12 +141,11 @@
}
/* Start delegation functions */
-@@ -181,8 +203,29 @@ static inline psa_status_t psa_driver_wrapper_sign_message(
+@@ -169,7 +192,29 @@ static inline psa_status_t psa_driver_wrapper_sign_message(
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
-#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
-- break;
+#if defined(PSA_CRYPTO_DRIVER_CC3XX)
+ status = cc3xx_sign_message(
+ attributes,
@@ -169,10 +169,10 @@
+ signature,
+ signature_size,
+ signature_length ) );
+ break;
/* Add cases for opaque driver here */
- #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -206,18 +249,8 @@ static inline psa_status_t psa_driver_wrapper_sign_message(
+@@ -194,18 +239,8 @@ static inline psa_status_t psa_driver_wrapper_sign_message(
default:
/* Key is declared with a lifetime not known to us */
(void)status;
@@ -192,7 +192,7 @@
}
static inline psa_status_t psa_driver_wrapper_verify_message(
-@@ -257,8 +290,27 @@ static inline psa_status_t psa_driver_wrapper_verify_message(
+@@ -245,8 +280,27 @@ static inline psa_status_t psa_driver_wrapper_verify_message(
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -221,7 +221,7 @@
/* Add cases for opaque driver here */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -281,17 +333,8 @@ static inline psa_status_t psa_driver_wrapper_verify_message(
+@@ -269,17 +323,8 @@ static inline psa_status_t psa_driver_wrapper_verify_message(
default:
/* Key is declared with a lifetime not known to us */
(void)status;
@@ -240,7 +240,7 @@
}
static inline psa_status_t psa_driver_wrapper_sign_hash(
-@@ -347,6 +390,18 @@ static inline psa_status_t psa_driver_wrapper_sign_hash(
+@@ -335,6 +380,18 @@ static inline psa_status_t psa_driver_wrapper_sign_hash(
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -257,9 +257,9 @@
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_CC3XX */
#if defined (MBEDTLS_PSA_P256M_DRIVER_ENABLED)
- if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) &&
+ if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) &&
PSA_ALG_IS_ECDSA(alg) &&
-@@ -454,6 +509,17 @@ static inline psa_status_t psa_driver_wrapper_verify_hash(
+@@ -442,6 +499,17 @@ static inline psa_status_t psa_driver_wrapper_verify_hash(
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -275,9 +275,9 @@
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_CC3XX */
#if defined (MBEDTLS_PSA_P256M_DRIVER_ENABLED)
- if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) &&
+ if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) &&
PSA_ALG_IS_ECDSA(alg) &&
-@@ -821,6 +887,12 @@ static inline psa_status_t psa_driver_wrapper_generate_key(
+@@ -834,6 +902,12 @@ static inline psa_status_t psa_driver_wrapper_generate_key(
if( status != PSA_ERROR_NOT_SUPPORTED )
break;
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -288,9 +288,9 @@
+ break;
+#endif /* PSA_CRYPTO_DRIVER_CC3XX */
#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
- if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) &&
- attributes->core.type == PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) &&
-@@ -1143,6 +1215,20 @@ static inline psa_status_t psa_driver_wrapper_cipher_encrypt(
+ if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) &&
+ psa_get_key_type(attributes) == PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) &&
+@@ -1157,6 +1231,20 @@ static inline psa_status_t psa_driver_wrapper_cipher_encrypt(
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -311,7 +311,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
#if defined(MBEDTLS_PSA_BUILTIN_CIPHER)
-@@ -1234,6 +1320,18 @@ static inline psa_status_t psa_driver_wrapper_cipher_decrypt(
+@@ -1248,6 +1336,18 @@ static inline psa_status_t psa_driver_wrapper_cipher_decrypt(
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -330,7 +330,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
#if defined(MBEDTLS_PSA_BUILTIN_CIPHER)
-@@ -1314,6 +1412,16 @@ static inline psa_status_t psa_driver_wrapper_cipher_encrypt_setup(
+@@ -1328,6 +1428,16 @@ static inline psa_status_t psa_driver_wrapper_cipher_encrypt_setup(
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -347,7 +347,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
#if defined(MBEDTLS_PSA_BUILTIN_CIPHER)
/* Fell through, meaning no accelerator supports this operation */
-@@ -1390,6 +1498,16 @@ static inline psa_status_t psa_driver_wrapper_cipher_decrypt_setup(
+@@ -1404,6 +1514,16 @@ static inline psa_status_t psa_driver_wrapper_cipher_decrypt_setup(
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -364,7 +364,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
#if defined(MBEDTLS_PSA_BUILTIN_CIPHER)
/* Fell through, meaning no accelerator supports this operation */
-@@ -1459,6 +1577,12 @@ static inline psa_status_t psa_driver_wrapper_cipher_set_iv(
+@@ -1473,6 +1593,12 @@ static inline psa_status_t psa_driver_wrapper_cipher_set_iv(
&operation->ctx.opaque_test_driver_ctx,
iv, iv_length ) );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -377,7 +377,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
}
-@@ -1502,6 +1626,13 @@ static inline psa_status_t psa_driver_wrapper_cipher_update(
+@@ -1516,6 +1642,13 @@ static inline psa_status_t psa_driver_wrapper_cipher_update(
input, input_length,
output, output_size, output_length ) );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -391,7 +391,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
}
-@@ -1542,6 +1673,12 @@ static inline psa_status_t psa_driver_wrapper_cipher_finish(
+@@ -1556,6 +1689,12 @@ static inline psa_status_t psa_driver_wrapper_cipher_finish(
&operation->ctx.opaque_test_driver_ctx,
output, output_size, output_length ) );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -404,7 +404,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
}
-@@ -1582,6 +1719,15 @@ static inline psa_status_t psa_driver_wrapper_cipher_abort(
+@@ -1596,6 +1735,15 @@ static inline psa_status_t psa_driver_wrapper_cipher_abort(
sizeof( operation->ctx.opaque_test_driver_ctx ) );
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -420,7 +420,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
}
-@@ -1603,12 +1749,19 @@ static inline psa_status_t psa_driver_wrapper_hash_compute(
+@@ -1617,12 +1765,19 @@ static inline psa_status_t psa_driver_wrapper_hash_compute(
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
/* Try accelerators first */
@@ -441,7 +441,7 @@
/* If software fallback is compiled in, try fallback */
#if defined(MBEDTLS_PSA_BUILTIN_HASH)
-@@ -1635,6 +1788,7 @@ static inline psa_status_t psa_driver_wrapper_hash_setup(
+@@ -1649,6 +1804,7 @@ static inline psa_status_t psa_driver_wrapper_hash_setup(
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
/* Try setup on accelerators first */
@@ -449,7 +449,7 @@
#if defined(PSA_CRYPTO_DRIVER_TEST)
status = mbedtls_test_transparent_hash_setup(
&operation->ctx.test_driver_ctx, alg );
-@@ -1643,7 +1797,13 @@ static inline psa_status_t psa_driver_wrapper_hash_setup(
+@@ -1657,7 +1813,13 @@ static inline psa_status_t psa_driver_wrapper_hash_setup(
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
@@ -464,7 +464,7 @@
/* If software fallback is compiled in, try fallback */
#if defined(MBEDTLS_PSA_BUILTIN_HASH)
-@@ -1673,13 +1833,23 @@ static inline psa_status_t psa_driver_wrapper_hash_clone(
+@@ -1687,13 +1849,23 @@ static inline psa_status_t psa_driver_wrapper_hash_clone(
return( mbedtls_psa_hash_clone( &source_operation->ctx.mbedtls_ctx,
&target_operation->ctx.mbedtls_ctx ) );
#endif
@@ -489,7 +489,7 @@
default:
(void) target_operation;
return( PSA_ERROR_BAD_STATE );
-@@ -1698,12 +1868,20 @@ static inline psa_status_t psa_driver_wrapper_hash_update(
+@@ -1712,12 +1884,20 @@ static inline psa_status_t psa_driver_wrapper_hash_update(
return( mbedtls_psa_hash_update( &operation->ctx.mbedtls_ctx,
input, input_length ) );
#endif
@@ -511,7 +511,7 @@
default:
(void) input;
(void) input_length;
-@@ -1724,12 +1902,20 @@ static inline psa_status_t psa_driver_wrapper_hash_finish(
+@@ -1738,12 +1918,20 @@ static inline psa_status_t psa_driver_wrapper_hash_finish(
return( mbedtls_psa_hash_finish( &operation->ctx.mbedtls_ctx,
hash, hash_size, hash_length ) );
#endif
@@ -533,7 +533,7 @@
default:
(void) hash;
(void) hash_size;
-@@ -1747,11 +1933,18 @@ static inline psa_status_t psa_driver_wrapper_hash_abort(
+@@ -1761,11 +1949,18 @@ static inline psa_status_t psa_driver_wrapper_hash_abort(
case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
return( mbedtls_psa_hash_abort( &operation->ctx.mbedtls_ctx ) );
#endif
@@ -553,7 +553,7 @@
default:
return( PSA_ERROR_BAD_STATE );
}
-@@ -1792,6 +1985,17 @@ static inline psa_status_t psa_driver_wrapper_aead_encrypt(
+@@ -1806,6 +2001,17 @@ static inline psa_status_t psa_driver_wrapper_aead_encrypt(
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -571,7 +571,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
/* Fell through, meaning no accelerator supports this operation */
-@@ -1847,6 +2051,17 @@ static inline psa_status_t psa_driver_wrapper_aead_decrypt(
+@@ -1861,6 +2067,17 @@ static inline psa_status_t psa_driver_wrapper_aead_decrypt(
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -589,7 +589,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
/* Fell through, meaning no accelerator supports this operation */
-@@ -1898,6 +2113,15 @@ static inline psa_status_t psa_driver_wrapper_aead_encrypt_setup(
+@@ -1912,6 +2129,15 @@ static inline psa_status_t psa_driver_wrapper_aead_encrypt_setup(
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -605,7 +605,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
/* Fell through, meaning no accelerator supports this operation */
-@@ -1950,6 +2174,16 @@ static inline psa_status_t psa_driver_wrapper_aead_decrypt_setup(
+@@ -1964,6 +2190,16 @@ static inline psa_status_t psa_driver_wrapper_aead_decrypt_setup(
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -622,7 +622,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
/* Fell through, meaning no accelerator supports this operation */
-@@ -1996,6 +2230,12 @@ static inline psa_status_t psa_driver_wrapper_aead_set_nonce(
+@@ -2010,6 +2246,12 @@ static inline psa_status_t psa_driver_wrapper_aead_set_nonce(
/* Add cases for opaque driver here */
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -635,7 +635,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
}
-@@ -2030,6 +2270,12 @@ static inline psa_status_t psa_driver_wrapper_aead_set_lengths(
+@@ -2044,6 +2286,12 @@ static inline psa_status_t psa_driver_wrapper_aead_set_lengths(
/* Add cases for opaque driver here */
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -648,7 +648,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
}
-@@ -2064,6 +2310,12 @@ static inline psa_status_t psa_driver_wrapper_aead_update_ad(
+@@ -2078,6 +2326,12 @@ static inline psa_status_t psa_driver_wrapper_aead_update_ad(
/* Add cases for opaque driver here */
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -661,7 +661,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
}
-@@ -2103,6 +2355,13 @@ static inline psa_status_t psa_driver_wrapper_aead_update(
+@@ -2117,6 +2371,13 @@ static inline psa_status_t psa_driver_wrapper_aead_update(
/* Add cases for opaque driver here */
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -675,7 +675,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
}
-@@ -2147,6 +2406,13 @@ static inline psa_status_t psa_driver_wrapper_aead_finish(
+@@ -2161,6 +2422,13 @@ static inline psa_status_t psa_driver_wrapper_aead_finish(
/* Add cases for opaque driver here */
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -689,7 +689,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
}
-@@ -2211,6 +2477,13 @@ static inline psa_status_t psa_driver_wrapper_aead_verify(
+@@ -2225,6 +2493,13 @@ static inline psa_status_t psa_driver_wrapper_aead_verify(
/* Add cases for opaque driver here */
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -703,7 +703,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
}
-@@ -2243,6 +2516,11 @@ static inline psa_status_t psa_driver_wrapper_aead_abort(
+@@ -2257,6 +2532,11 @@ static inline psa_status_t psa_driver_wrapper_aead_abort(
/* Add cases for opaque driver here */
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -715,7 +715,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
}
-@@ -2285,6 +2563,12 @@ static inline psa_status_t psa_driver_wrapper_mac_compute(
+@@ -2299,6 +2579,12 @@ static inline psa_status_t psa_driver_wrapper_mac_compute(
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -728,7 +728,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
#if defined(MBEDTLS_PSA_BUILTIN_MAC)
/* Fell through, meaning no accelerator supports this operation */
-@@ -2356,6 +2640,15 @@ static inline psa_status_t psa_driver_wrapper_mac_sign_setup(
+@@ -2370,6 +2656,15 @@ static inline psa_status_t psa_driver_wrapper_mac_sign_setup(
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -744,7 +744,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
#if defined(MBEDTLS_PSA_BUILTIN_MAC)
/* Fell through, meaning no accelerator supports this operation */
-@@ -2431,6 +2724,15 @@ static inline psa_status_t psa_driver_wrapper_mac_verify_setup(
+@@ -2445,6 +2740,15 @@ static inline psa_status_t psa_driver_wrapper_mac_verify_setup(
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -760,7 +760,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
#if defined(MBEDTLS_PSA_BUILTIN_MAC)
/* Fell through, meaning no accelerator supports this operation */
-@@ -2498,6 +2800,10 @@ static inline psa_status_t psa_driver_wrapper_mac_update(
+@@ -2512,6 +2816,10 @@ static inline psa_status_t psa_driver_wrapper_mac_update(
&operation->ctx.opaque_test_driver_ctx,
input, input_length ) );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -771,7 +771,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
default:
(void) input;
-@@ -2532,6 +2838,11 @@ static inline psa_status_t psa_driver_wrapper_mac_sign_finish(
+@@ -2546,6 +2854,11 @@ static inline psa_status_t psa_driver_wrapper_mac_sign_finish(
&operation->ctx.opaque_test_driver_ctx,
mac, mac_size, mac_length ) );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -783,7 +783,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
default:
(void) mac;
-@@ -2566,6 +2877,12 @@ static inline psa_status_t psa_driver_wrapper_mac_verify_finish(
+@@ -2580,6 +2893,12 @@ static inline psa_status_t psa_driver_wrapper_mac_verify_finish(
&operation->ctx.opaque_test_driver_ctx,
mac, mac_length ) );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -796,7 +796,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
default:
(void) mac;
-@@ -2593,6 +2910,10 @@ static inline psa_status_t psa_driver_wrapper_mac_abort(
+@@ -2607,6 +2926,10 @@ static inline psa_status_t psa_driver_wrapper_mac_abort(
return( mbedtls_test_opaque_mac_abort(
&operation->ctx.opaque_test_driver_ctx ) );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -807,7 +807,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
default:
return( PSA_ERROR_INVALID_ARGUMENT );
-@@ -2630,6 +2951,20 @@ static inline psa_status_t psa_driver_wrapper_asymmetric_encrypt(
+@@ -2644,6 +2967,20 @@ static inline psa_status_t psa_driver_wrapper_asymmetric_encrypt(
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -828,7 +828,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
return( mbedtls_psa_asymmetric_encrypt( attributes,
key_buffer, key_buffer_size, alg, input, input_length,
-@@ -2691,6 +3026,20 @@ static inline psa_status_t psa_driver_wrapper_asymmetric_decrypt(
+@@ -2705,6 +3042,20 @@ static inline psa_status_t psa_driver_wrapper_asymmetric_decrypt(
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -849,7 +849,7 @@
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
return( mbedtls_psa_asymmetric_decrypt( attributes,
key_buffer, key_buffer_size, alg,input, input_length,
-@@ -2758,6 +3107,18 @@ static inline psa_status_t psa_driver_wrapper_key_agreement(
+@@ -2772,6 +3123,18 @@ static inline psa_status_t psa_driver_wrapper_key_agreement(
if( status != PSA_ERROR_NOT_SUPPORTED )
return( status );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -866,13 +866,13 @@
+ return( status );
+#endif /* PSA_CRYPTO_DRIVER_CC3XX */
#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
- if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) &&
+ if( PSA_KEY_TYPE_IS_ECC( psa_get_key_type(attributes) ) &&
PSA_ALG_IS_ECDH(alg) &&
diff --git a/library/psa_crypto_driver_wrappers_no_static.c b/library/psa_crypto_driver_wrappers_no_static.c
-index af677746..a9df9a0a 100644
+index 436a650fc..bc65e2c7f 100644
--- a/library/psa_crypto_driver_wrappers_no_static.c
+++ b/library/psa_crypto_driver_wrappers_no_static.c
-@@ -64,6 +64,16 @@
+@@ -52,6 +52,16 @@
#include "tfm_builtin_key_loader.h"
#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
@@ -889,7 +889,7 @@
/* END-driver headers */
/* Auto-generated values depending on which drivers are registered.
-@@ -78,6 +88,9 @@ enum {
+@@ -66,6 +76,9 @@ enum {
#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
PSA_CRYPTO_TFM_BUILTIN_KEY_LOADER_DRIVER_ID,
#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
@@ -899,7 +899,7 @@
};
/* END-driver id */
-@@ -208,6 +221,17 @@ psa_status_t psa_driver_wrapper_export_public_key(
+@@ -196,6 +209,17 @@ psa_status_t psa_driver_wrapper_export_public_key(
return( status );
#endif
@@ -918,5 +918,5 @@
status = p256_transparent_export_public_key
(attributes,
--
-2.25.1
+2.34.1
diff --git a/lib/ext/mbedcrypto/0006-Enable-psa_can_do_hash.patch b/lib/ext/mbedcrypto/0006-Enable-psa_can_do_hash.patch
index c5f036b..5690909 100644
--- a/lib/ext/mbedcrypto/0006-Enable-psa_can_do_hash.patch
+++ b/lib/ext/mbedcrypto/0006-Enable-psa_can_do_hash.patch
@@ -1,6 +1,6 @@
-From 5667b4408046e1c6384586cf84ee76b80513c68e Mon Sep 17 00:00:00 2001
-From: Summer Qin <summer.qin@arm.com>
-Date: Fri, 13 Oct 2023 15:22:59 +0800
+From a1dae597483b1f64327902adbaa1d6b20e661081 Mon Sep 17 00:00:00 2001
+From: Antonio de Angelis <Antonio.deAngelis@arm.com>
+Date: Thu, 21 Mar 2024 13:02:44 +0000
Subject: [PATCH 6/6] Enable psa_can_do_hash
CC312 driver want to use hash in md for entropy operations.
@@ -10,22 +10,23 @@
Signed-off-by: Summer Qin <summer.qin@arm.com>
---
- library/psa_crypto.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ library/psa_crypto.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
-index 0b934079..71ea2066 100644
+index 1d91739da..6219f8169 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
-@@ -130,7 +130,7 @@ mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state =
+@@ -288,7 +288,8 @@ static uint8_t psa_get_drivers_initialized(void)
int psa_can_do_hash(psa_algorithm_t hash_alg)
{
(void) hash_alg;
-- return global_data.drivers_initialized;
-+ return 1;
+- return psa_get_drivers_initialized();
++ /* Workaround for the legacy CryptoCell driver requiring hash during init */
++ return 1; //psa_get_drivers_initialized();
}
- #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
- defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) || \
+
+ int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg)
--
-2.25.1
+2.34.1
diff --git a/lib/ext/mbedcrypto/CMakeLists.txt b/lib/ext/mbedcrypto/CMakeLists.txt
index 34d93d4..0020cd4 100644
--- a/lib/ext/mbedcrypto/CMakeLists.txt
+++ b/lib/ext/mbedcrypto/CMakeLists.txt
@@ -17,5 +17,5 @@
GIT_TAG ${MBEDCRYPTO_VERSION}
GIT_SHALLOW TRUE
GIT_PROGRESS TRUE
- GIT_SUBMODULES ""
+ GIT_SUBMODULES "framework"
)
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h
index d99c4c1..9da80f1 100644
--- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h
@@ -211,20 +211,6 @@
#define MBEDTLS_PK_RSA_ALT_SUPPORT
/**
- * \def MBEDTLS_PSA_CRYPTO_SPM
- *
- * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
- * Partition Manager) integration which separates the code into two parts: a
- * NSPE (Non-Secure Process Environment) and an SPE (Secure Process
- * Environment).
- *
- * Module: library/psa_crypto.c
- * Requires: MBEDTLS_PSA_CRYPTO_C
- *
- */
-#define MBEDTLS_PSA_CRYPTO_SPM
-
-/**
* \def MBEDTLS_PSA_CRYPTO_CONFIG
*
* This setting allows support for cryptographic mechanisms through the PSA
@@ -402,6 +388,55 @@
*/
#define MBEDTLS_PSA_CRYPTO_STORAGE_C
+/**
+ * \def MBEDTLS_PSA_CRYPTO_SPM
+ *
+ * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
+ * Partition Manager) integration which separates the code into two parts: a
+ * NSPE (Non-Secure Process Environment) and an SPE (Secure Process
+ * Environment).
+ *
+ * If you enable this option, your build environment must include a header
+ * file `"crypto_spe.h"` (either in the `psa` subdirectory of the Mbed TLS
+ * header files, or in another directory on the compiler's include search
+ * path). Alternatively, your platform may customize the header
+ * `psa/crypto_platform.h`, in which case it can skip or replace the
+ * inclusion of `"crypto_spe.h"`.
+ *
+ * Module: library/psa_crypto.c
+ * Requires: MBEDTLS_PSA_CRYPTO_C
+ *
+ */
+#define MBEDTLS_PSA_CRYPTO_SPM
+
+/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+ *
+ * Enable key identifiers that encode a key owner identifier.
+ *
+ * The owner of a key is identified by a value of type ::mbedtls_key_owner_id_t
+ * which is currently hard-coded to be int32_t.
+ *
+ * Note that this option is meant for internal use only and may be removed
+ * without notice.
+ */
+#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+
+/** \def MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
+ *
+ * Enable support for platform built-in keys. If you enable this feature,
+ * you must implement the function mbedtls_psa_platform_get_builtin_key().
+ * See the documentation of that function for more information.
+ *
+ * Built-in keys are typically derived from a hardware unique key or
+ * stored in a secure element.
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C.
+ *
+ * \warning This interface is experimental and may change or be removed
+ * without notice.
+ */
+#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
+
/* \} name SECTION: mbed TLS modules */
/**
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default_client.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default_client.h
new file mode 100644
index 0000000..57d7aae
--- /dev/null
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default_client.h
@@ -0,0 +1,519 @@
+/**
+ * \file config.h
+ *
+ * \brief Configuration options (set of defines)
+ *
+ * This set of compile-time options may be used to enable
+ * or disable features selectively, and reduce the global
+ * memory footprint.
+ */
+/*
+ * Copyright (C) 2006-2022, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_CONFIG_H
+#define MBEDTLS_CONFIG_H
+
+#include "config_tfm.h"
+
+#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+/**
+ * \name SECTION: System support
+ *
+ * This section sets system specific settings.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_HAVE_ASM
+ *
+ * The compiler has support for asm().
+ *
+ * Requires support for asm() in compiler.
+ *
+ * Used in:
+ * library/aria.c
+ * library/timing.c
+ * include/mbedtls/bn_mul.h
+ *
+ * Required by:
+ * MBEDTLS_AESNI_C
+ * MBEDTLS_PADLOCK_C
+ *
+ * Comment to disable the use of assembly code.
+ */
+
+/* Due to an outstanding bug with mbedtls and arm compiler 6, this feature is
+ * disabled temporarily on cortex-m0 and m0-plus.
+ * https://github.com/ARMmbed/mbedtls/issues/1077
+ */
+#define MBEDTLS_HAVE_ASM
+
+/**
+ * \def MBEDTLS_HAVE_TIME
+ *
+ * System has time.h and time().
+ * The time does not need to be correct, only time differences are used,
+ * by contrast with MBEDTLS_HAVE_TIME_DATE
+ *
+ * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT,
+ * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and
+ * MBEDTLS_PLATFORM_STD_TIME.
+ *
+ * Comment if your system does not support time functions
+ */
+//#define MBEDTLS_HAVE_TIME
+
+/**
+ * \def MBEDTLS_HAVE_TIME_DATE
+ *
+ * System has time.h, time(), and an implementation for
+ * mbedtls_platform_gmtime_r() (see below).
+ * The time needs to be correct (not necessarily very accurate, but at least
+ * the date should be correct). This is used to verify the validity period of
+ * X.509 certificates.
+ *
+ * Comment if your system does not have a correct clock.
+ *
+ * \note mbedtls_platform_gmtime_r() is an abstraction in platform_util.h that
+ * behaves similarly to the gmtime_r() function from the C standard. Refer to
+ * the documentation for mbedtls_platform_gmtime_r() for more information.
+ *
+ * \note It is possible to configure an implementation for
+ * mbedtls_platform_gmtime_r() at compile-time by using the macro
+ * MBEDTLS_PLATFORM_GMTIME_R_ALT.
+ */
+//#define MBEDTLS_HAVE_TIME_DATE
+
+/**
+ * \def MBEDTLS_PLATFORM_MEMORY
+ *
+ * Enable the memory allocation layer.
+ *
+ * By default mbed TLS uses the system-provided calloc() and free().
+ * This allows different allocators (self-implemented or provided) to be
+ * provided to the platform abstraction layer.
+ *
+ * Enabling MBEDTLS_PLATFORM_MEMORY without the
+ * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
+ * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
+ * free() function pointer at runtime.
+ *
+ * Enabling MBEDTLS_PLATFORM_MEMORY and specifying
+ * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
+ * alternate function at compile time.
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ *
+ * Enable this layer to allow use of alternative memory allocators.
+ */
+#define MBEDTLS_PLATFORM_MEMORY
+
+/* \} name SECTION: System support */
+
+/**
+ * \name SECTION: mbed TLS feature support
+ *
+ * This section sets support for features that are or are not needed
+ * within the modules that are enabled.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_ECP_NIST_OPTIM
+ *
+ * Enable specific 'modulo p' routines for each NIST prime.
+ * Depending on the prime and architecture, makes operations 4 to 8 times
+ * faster on the corresponding curve.
+ *
+ * Comment this macro to disable NIST curves optimisation.
+ */
+#define MBEDTLS_ECP_NIST_OPTIM
+
+/**
+ * \def MBEDTLS_PK_PARSE_EC_EXTENDED
+ *
+ * Enhance support for reading EC keys using variants of SEC1 not allowed by
+ * RFC 5915 and RFC 5480.
+ *
+ * Currently this means parsing the SpecifiedECDomain choice of EC
+ * parameters (only known groups are supported, not arbitrary domains, to
+ * avoid validation issues).
+ *
+ * Disable if you only need to support RFC 5915 + 5480 key formats.
+ */
+#define MBEDTLS_PK_PARSE_EC_EXTENDED
+
+/**
+ * \def MBEDTLS_NO_PLATFORM_ENTROPY
+ *
+ * Do not use built-in platform entropy functions.
+ * This is useful if your platform does not support
+ * standards like the /dev/urandom or Windows CryptoAPI.
+ *
+ * Uncomment this macro to disable the built-in platform entropy functions.
+ */
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+
+/**
+ * \def MBEDTLS_ENTROPY_NV_SEED
+ *
+ * Enable the non-volatile (NV) seed file-based entropy source.
+ * (Also enables the NV seed read/write functions in the platform layer)
+ *
+ * This is crucial (if not required) on systems that do not have a
+ * cryptographic entropy source (in hardware or kernel) available.
+ *
+ * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
+ *
+ * \note The read/write functions that are used by the entropy source are
+ * determined in the platform layer, and can be modified at runtime and/or
+ * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
+ *
+ * \note If you use the default implementation functions that read a seedfile
+ * with regular fopen(), please make sure you make a seedfile with the
+ * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
+ * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
+ * and written to or you will get an entropy source error! The default
+ * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
+ * bytes from the file.
+ *
+ * \note The entropy collector will write to the seed file before entropy is
+ * given to an external source, to update it.
+ */
+#define MBEDTLS_ENTROPY_NV_SEED
+
+/**
+ * \def MBEDTLS_PK_RSA_ALT_SUPPORT
+ *
+ * Support external private RSA keys (eg from a HSM) in the PK layer.
+ *
+ * Comment this macro to disable support for external private RSA keys.
+ */
+#define MBEDTLS_PK_RSA_ALT_SUPPORT
+
+/** \def MBEDTLS_PSA_CRYPTO_CLIENT
+ *
+ * Enable support for PSA crypto client.
+ *
+ * \note This option allows to include the code necessary for a PSA
+ * crypto client when the PSA crypto implementation is not included in
+ * the library (MBEDTLS_PSA_CRYPTO_C disabled). The code included is the
+ * code to set and get PSA key attributes.
+ * The development of PSA drivers partially relying on the library to
+ * fulfill the hardware gaps is another possible usage of this option.
+ *
+ * \warning This interface is experimental and may change or be removed
+ * without notice.
+ */
+#define MBEDTLS_PSA_CRYPTO_CLIENT
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_CONFIG
+ *
+ * This setting allows support for cryptographic mechanisms through the PSA
+ * API to be configured separately from support through the mbedtls API.
+ *
+ * When this option is disabled, the PSA API exposes the cryptographic
+ * mechanisms that can be implemented on top of the `mbedtls_xxx` API
+ * configured with `MBEDTLS_XXX` symbols.
+ *
+ * When this option is enabled, the PSA API exposes the cryptographic
+ * mechanisms requested by the `PSA_WANT_XXX` symbols defined in
+ * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are
+ * automatically enabled if required (i.e. if no PSA driver provides the
+ * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols
+ * in mbedtls_config.h.
+ *
+ * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies
+ * an alternative header to include instead of include/psa/crypto_config.h.
+ *
+ * This feature is still experimental and is not ready for production since
+ * it is not completed.
+ */
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+
+/* \} name SECTION: mbed TLS feature support */
+
+/**
+ * \name SECTION: mbed TLS modules
+ *
+ * This section enables or disables entire modules in mbed TLS
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_AES_C
+ *
+ * Enable the AES block cipher.
+ *
+ * Module: library/aes.c
+ * Caller: library/cipher.c
+ * library/pem.c
+ * library/ctr_drbg.c
+ *
+ * This module is required to support the TLS ciphersuites that use the AES
+ * cipher.
+ *
+ * PEM_PARSE uses AES for decrypting encrypted keys.
+ */
+#define MBEDTLS_AES_C
+
+/**
+ * \def MBEDTLS_CIPHER_C
+ *
+ * Enable the generic cipher layer.
+ *
+ * Module: library/cipher.c
+ *
+ * Uncomment to enable generic cipher wrappers.
+ */
+#define MBEDTLS_CIPHER_C
+
+/**
+ * \def MBEDTLS_CTR_DRBG_C
+ *
+ * Enable the CTR_DRBG AES-based random generator.
+ * The CTR_DRBG generator uses AES-256 by default.
+ * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below.
+ *
+ * Module: library/ctr_drbg.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_AES_C
+ *
+ * This module provides the CTR_DRBG AES random number generator.
+ */
+//#define MBEDTLS_CTR_DRBG_C
+
+/**
+ * \def MBEDTLS_ENTROPY_C
+ *
+ * Enable the platform-specific entropy code.
+ *
+ * Module: library/entropy.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
+ *
+ * This module provides a generic entropy pool
+ */
+#define MBEDTLS_ENTROPY_C
+
+/**
+ * \def MBEDTLS_HKDF_C
+ *
+ * Enable the HKDF algorithm (RFC 5869).
+ *
+ * Module: library/hkdf.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_MD_C
+ *
+ * This module adds support for the Hashed Message Authentication Code
+ * (HMAC)-based key derivation function (HKDF).
+ */
+//#define MBEDTLS_HKDF_C /* Used for HUK deriviation */
+
+/**
+ * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ *
+ * Enable the buffer allocator implementation that makes use of a (stack)
+ * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
+ * calls)
+ *
+ * Module: library/memory_buffer_alloc.c
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)
+ *
+ * Enable this module to enable the buffer memory allocator.
+ */
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+
+/**
+ * \def MBEDTLS_PLATFORM_C
+ *
+ * Enable the platform abstraction layer that allows you to re-assign
+ * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
+ *
+ * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
+ * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
+ * above to be specified at runtime or compile time respectively.
+ *
+ * \note This abstraction layer must be enabled on Windows (including MSYS2)
+ * as other module rely on it for a fixed snprintf implementation.
+ *
+ * Module: library/platform.c
+ * Caller: Most other .c files
+ *
+ * This module enables abstraction of common (libc) functions.
+ */
+#define MBEDTLS_PLATFORM_C
+
+#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h>
+
+#include <stdio.h>
+
+#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf
+#define MBEDTLS_PLATFORM_PRINTF_ALT
+#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_C
+ *
+ * Enable the Platform Security Architecture cryptography API.
+ *
+ * Module: library/psa_crypto.c
+ *
+ * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C
+ *
+ */
+//#define MBEDTLS_PSA_CRYPTO_C
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_STORAGE_C
+ *
+ * Enable the Platform Security Architecture persistent key storage.
+ *
+ * Module: library/psa_crypto_storage.c
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C,
+ * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
+ * the PSA ITS interface
+ */
+//#define MBEDTLS_PSA_CRYPTO_STORAGE_C
+
+/* \} name SECTION: mbed TLS modules */
+
+/**
+ * \name SECTION: General configuration options
+ *
+ * This section contains Mbed TLS build settings that are not associated
+ * with a particular module.
+ *
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included instead of
+ * `"mbedtls/mbedtls_config.h"`.
+ * This header file specifies the compile-time configuration of Mbed TLS.
+ * Unlike other configuration options, this one must be defined on the
+ * compiler command line: a definition in `mbedtls_config.h` would have
+ * no effect.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h"
+
+/**
+ * \def MBEDTLS_USER_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included after
+ * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE.
+ * This allows you to modify the default configuration, including the ability
+ * to undefine options that are enabled by default.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included instead of
+ * `"psa/crypto_config.h"`.
+ * This header file specifies which cryptographic mechanisms are available
+ * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and
+ * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included after
+ * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE.
+ * This allows you to modify the default configuration, including the ability
+ * to undefine options that are enabled by default.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
+
+/** \} name SECTION: General configuration options */
+
+/**
+ * \name SECTION: Module configuration options
+ *
+ * This section allows for the setting of module specific sizes and
+ * configuration options. The default values are already present in the
+ * relevant header files and should suffice for the regular use cases.
+ *
+ * Our advice is to enable options and change their values here
+ * only if you have a good reason and know the consequences.
+ *
+ * Please check the respective header file for documentation on these
+ * parameters (to prevent duplicate documentation).
+ * \{
+ */
+
+/* ECP options */
+#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */
+
+/* \} name SECTION: Customisation configuration options */
+
+#if CRYPTO_NV_SEED
+#include "tfm_mbedcrypto_config_extra_nv_seed.h"
+#endif /* CRYPTO_NV_SEED */
+
+#if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED)
+#include "mbedtls_entropy_nv_seed_config.h"
+#endif
+
+#endif /* MBEDTLS_CONFIG_H */
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h
index 37f76b1..7540dbb 100644
--- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h
@@ -212,20 +212,6 @@
#define MBEDTLS_PK_RSA_ALT_SUPPORT
/**
- * \def MBEDTLS_PSA_CRYPTO_SPM
- *
- * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
- * Partition Manager) integration which separates the code into two parts: a
- * NSPE (Non-Secure Process Environment) and an SPE (Secure Process
- * Environment).
- *
- * Module: library/psa_crypto.c
- * Requires: MBEDTLS_PSA_CRYPTO_C
- *
- */
-#define MBEDTLS_PSA_CRYPTO_SPM
-
-/**
* \def MBEDTLS_PSA_CRYPTO_CONFIG
*
* This setting allows support for cryptographic mechanisms through the PSA
@@ -403,6 +389,55 @@
*/
#define MBEDTLS_PSA_CRYPTO_STORAGE_C
+/**
+ * \def MBEDTLS_PSA_CRYPTO_SPM
+ *
+ * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
+ * Partition Manager) integration which separates the code into two parts: a
+ * NSPE (Non-Secure Process Environment) and an SPE (Secure Process
+ * Environment).
+ *
+ * If you enable this option, your build environment must include a header
+ * file `"crypto_spe.h"` (either in the `psa` subdirectory of the Mbed TLS
+ * header files, or in another directory on the compiler's include search
+ * path). Alternatively, your platform may customize the header
+ * `psa/crypto_platform.h`, in which case it can skip or replace the
+ * inclusion of `"crypto_spe.h"`.
+ *
+ * Module: library/psa_crypto.c
+ * Requires: MBEDTLS_PSA_CRYPTO_C
+ *
+ */
+#define MBEDTLS_PSA_CRYPTO_SPM
+
+/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+ *
+ * Enable key identifiers that encode a key owner identifier.
+ *
+ * The owner of a key is identified by a value of type ::mbedtls_key_owner_id_t
+ * which is currently hard-coded to be int32_t.
+ *
+ * Note that this option is meant for internal use only and may be removed
+ * without notice.
+ */
+#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+
+/** \def MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
+ *
+ * Enable support for platform built-in keys. If you enable this feature,
+ * you must implement the function mbedtls_psa_platform_get_builtin_key().
+ * See the documentation of that function for more information.
+ *
+ * Built-in keys are typically derived from a hardware unique key or
+ * stored in a secure element.
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C.
+ *
+ * \warning This interface is experimental and may change or be removed
+ * without notice.
+ */
+#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
+
/* \} name SECTION: mbed TLS modules */
/**
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large_client.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large_client.h
new file mode 100644
index 0000000..97bf55b
--- /dev/null
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large_client.h
@@ -0,0 +1,520 @@
+/**
+ * \file config.h
+ *
+ * \brief Configuration options (set of defines)
+ *
+ * This set of compile-time options may be used to enable
+ * or disable features selectively, and reduce the global
+ * memory footprint.
+ */
+/*
+ * Copyright (C) 2006-2022, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef PROFILE_L_MBEDTLS_CONFIG_H
+#define PROFILE_L_MBEDTLS_CONFIG_H
+
+#include "config_tfm.h"
+
+#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+/**
+ * \name SECTION: System support
+ *
+ * This section sets system specific settings.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_HAVE_ASM
+ *
+ * The compiler has support for asm().
+ *
+ * Requires support for asm() in compiler.
+ *
+ * Used in:
+ * library/aria.c
+ * library/timing.c
+ * include/mbedtls/bn_mul.h
+ *
+ * Required by:
+ * MBEDTLS_AESNI_C
+ * MBEDTLS_PADLOCK_C
+ *
+ * Comment to disable the use of assembly code.
+ */
+#define MBEDTLS_HAVE_ASM
+
+/**
+ * \def MBEDTLS_PLATFORM_MEMORY
+ *
+ * Enable the memory allocation layer.
+ *
+ * By default mbed TLS uses the system-provided calloc() and free().
+ * This allows different allocators (self-implemented or provided) to be
+ * provided to the platform abstraction layer.
+ *
+ * Enabling MBEDTLS_PLATFORM_MEMORY without the
+ * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
+ * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
+ * free() function pointer at runtime.
+ *
+ * Enabling MBEDTLS_PLATFORM_MEMORY and specifying
+ * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
+ * alternate function at compile time.
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ *
+ * Enable this layer to allow use of alternative memory allocators.
+ */
+#define MBEDTLS_PLATFORM_MEMORY
+
+/* \} name SECTION: System support */
+
+/**
+ * \name SECTION: mbed TLS feature support
+ *
+ * This section sets support for features that are or are not needed
+ * within the modules that are enabled.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_AES_ROM_TABLES
+ *
+ * Use precomputed AES tables stored in ROM.
+ *
+ * Uncomment this macro to use precomputed AES tables stored in ROM.
+ * Comment this macro to generate AES tables in RAM at runtime.
+ *
+ * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
+ * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
+ * initialization time before the first AES operation can be performed.
+ * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
+ * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
+ * performance if ROM access is slower than RAM access.
+ *
+ * This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
+ *
+ */
+#define MBEDTLS_AES_ROM_TABLES
+
+/**
+ * \def MBEDTLS_AES_FEWER_TABLES
+ *
+ * Use less ROM/RAM for AES tables.
+ *
+ * Uncommenting this macro omits 75% of the AES tables from
+ * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
+ * by computing their values on the fly during operations
+ * (the tables are entry-wise rotations of one another).
+ *
+ * Tradeoff: Uncommenting this reduces the RAM / ROM footprint
+ * by ~6kb but at the cost of more arithmetic operations during
+ * runtime. Specifically, one has to compare 4 accesses within
+ * different tables to 4 accesses with additional arithmetic
+ * operations within the same table. The performance gain/loss
+ * depends on the system and memory details.
+ *
+ * This option is independent of \c MBEDTLS_AES_ROM_TABLES.
+ *
+ */
+#define MBEDTLS_AES_FEWER_TABLES
+
+/**
+ * \def MBEDTLS_ECP_NIST_OPTIM
+ *
+ * Enable specific 'modulo p' routines for each NIST prime.
+ * Depending on the prime and architecture, makes operations 4 to 8 times
+ * faster on the corresponding curve.
+ *
+ * Comment this macro to disable NIST curves optimisation.
+ */
+#define MBEDTLS_ECP_NIST_OPTIM
+
+/**
+ * \def MBEDTLS_PK_PARSE_EC_EXTENDED
+ *
+ * Enhance support for reading EC keys using variants of SEC1 not allowed by
+ * RFC 5915 and RFC 5480.
+ *
+ * Currently this means parsing the SpecifiedECDomain choice of EC
+ * parameters (only known groups are supported, not arbitrary domains, to
+ * avoid validation issues).
+ *
+ * Disable if you only need to support RFC 5915 + 5480 key formats.
+ */
+#define MBEDTLS_PK_PARSE_EC_EXTENDED
+
+/**
+ * \def MBEDTLS_NO_PLATFORM_ENTROPY
+ *
+ * Do not use built-in platform entropy functions.
+ * This is useful if your platform does not support
+ * standards like the /dev/urandom or Windows CryptoAPI.
+ *
+ * Uncomment this macro to disable the built-in platform entropy functions.
+ */
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+
+/**
+ * \def MBEDTLS_ENTROPY_NV_SEED
+ *
+ * Enable the non-volatile (NV) seed file-based entropy source.
+ * (Also enables the NV seed read/write functions in the platform layer)
+ *
+ * This is crucial (if not required) on systems that do not have a
+ * cryptographic entropy source (in hardware or kernel) available.
+ *
+ * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
+ *
+ * \note The read/write functions that are used by the entropy source are
+ * determined in the platform layer, and can be modified at runtime and/or
+ * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
+ *
+ * \note If you use the default implementation functions that read a seedfile
+ * with regular fopen(), please make sure you make a seedfile with the
+ * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
+ * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
+ * and written to or you will get an entropy source error! The default
+ * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
+ * bytes from the file.
+ *
+ * \note The entropy collector will write to the seed file before entropy is
+ * given to an external source, to update it.
+ */
+#define MBEDTLS_ENTROPY_NV_SEED
+
+/**
+ * \def MBEDTLS_PK_RSA_ALT_SUPPORT
+ *
+ * Support external private RSA keys (eg from a HSM) in the PK layer.
+ *
+ * Comment this macro to disable support for external private RSA keys.
+ */
+#define MBEDTLS_PK_RSA_ALT_SUPPORT
+
+/** \def MBEDTLS_PSA_CRYPTO_CLIENT
+ *
+ * Enable support for PSA crypto client.
+ *
+ * \note This option allows to include the code necessary for a PSA
+ * crypto client when the PSA crypto implementation is not included in
+ * the library (MBEDTLS_PSA_CRYPTO_C disabled). The code included is the
+ * code to set and get PSA key attributes.
+ * The development of PSA drivers partially relying on the library to
+ * fulfill the hardware gaps is another possible usage of this option.
+ *
+ * \warning This interface is experimental and may change or be removed
+ * without notice.
+ */
+#define MBEDTLS_PSA_CRYPTO_CLIENT
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_CONFIG
+ *
+ * This setting allows support for cryptographic mechanisms through the PSA
+ * API to be configured separately from support through the mbedtls API.
+ *
+ * When this option is disabled, the PSA API exposes the cryptographic
+ * mechanisms that can be implemented on top of the `mbedtls_xxx` API
+ * configured with `MBEDTLS_XXX` symbols.
+ *
+ * When this option is enabled, the PSA API exposes the cryptographic
+ * mechanisms requested by the `PSA_WANT_XXX` symbols defined in
+ * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are
+ * automatically enabled if required (i.e. if no PSA driver provides the
+ * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols
+ * in mbedtls_config.h.
+ *
+ * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies
+ * an alternative header to include instead of include/psa/crypto_config.h.
+ *
+ * This feature is still experimental and is not ready for production since
+ * it is not completed.
+ */
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+
+/* \} name SECTION: mbed TLS feature support */
+
+/**
+ * \name SECTION: mbed TLS modules
+ *
+ * This section enables or disables entire modules in mbed TLS
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_AES_C
+ *
+ * Enable the AES block cipher.
+ *
+ * Module: library/aes.c
+ * Caller: library/cipher.c
+ * library/pem.c
+ * library/ctr_drbg.c
+ *
+ * This module is required to support the TLS ciphersuites that use the AES
+ * cipher.
+ *
+ * PEM_PARSE uses AES for decrypting encrypted keys.
+ */
+#define MBEDTLS_AES_C
+
+/**
+ * \def MBEDTLS_CIPHER_C
+ *
+ * Enable the generic cipher layer.
+ *
+ * Module: library/cipher.c
+ *
+ * Uncomment to enable generic cipher wrappers.
+ */
+#define MBEDTLS_CIPHER_C
+
+/**
+ * \def MBEDTLS_CTR_DRBG_C
+ *
+ * Enable the CTR_DRBG AES-based random generator.
+ * The CTR_DRBG generator uses AES-256 by default.
+ * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below.
+ *
+ * Module: library/ctr_drbg.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_AES_C
+ *
+ * This module provides the CTR_DRBG AES random number generator.
+ */
+//#define MBEDTLS_CTR_DRBG_C
+
+/**
+ * \def MBEDTLS_ENTROPY_C
+ *
+ * Enable the platform-specific entropy code.
+ *
+ * Module: library/entropy.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
+ *
+ * This module provides a generic entropy pool
+ */
+#define MBEDTLS_ENTROPY_C
+
+/**
+ * \def MBEDTLS_HKDF_C
+ *
+ * Enable the HKDF algorithm (RFC 5869).
+ *
+ * Module: library/hkdf.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_MD_C
+ *
+ * This module adds support for the Hashed Message Authentication Code
+ * (HMAC)-based key derivation function (HKDF).
+ */
+//#define MBEDTLS_HKDF_C /* Used for HUK deriviation */
+
+/**
+ * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ *
+ * Enable the buffer allocator implementation that makes use of a (stack)
+ * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
+ * calls)
+ *
+ * Module: library/memory_buffer_alloc.c
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)
+ *
+ * Enable this module to enable the buffer memory allocator.
+ */
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+
+/**
+ * \def MBEDTLS_PLATFORM_C
+ *
+ * Enable the platform abstraction layer that allows you to re-assign
+ * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
+ *
+ * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
+ * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
+ * above to be specified at runtime or compile time respectively.
+ *
+ * \note This abstraction layer must be enabled on Windows (including MSYS2)
+ * as other module rely on it for a fixed snprintf implementation.
+ *
+ * Module: library/platform.c
+ * Caller: Most other .c files
+ *
+ * This module enables abstraction of common (libc) functions.
+ */
+#define MBEDTLS_PLATFORM_C
+
+#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h>
+
+#include <stdio.h>
+
+#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf
+#define MBEDTLS_PLATFORM_PRINTF_ALT
+#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_C
+ *
+ * Enable the Platform Security Architecture cryptography API.
+ *
+ * Module: library/psa_crypto.c
+ *
+ * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C
+ *
+ */
+//#define MBEDTLS_PSA_CRYPTO_C
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_STORAGE_C
+ *
+ * Enable the Platform Security Architecture persistent key storage.
+ *
+ * Module: library/psa_crypto_storage.c
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C,
+ * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
+ * the PSA ITS interface
+ */
+//#define MBEDTLS_PSA_CRYPTO_STORAGE_C
+
+/* \} name SECTION: mbed TLS modules */
+
+/**
+ * \name SECTION: General configuration options
+ *
+ * This section contains Mbed TLS build settings that are not associated
+ * with a particular module.
+ *
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included instead of
+ * `"mbedtls/mbedtls_config.h"`.
+ * This header file specifies the compile-time configuration of Mbed TLS.
+ * Unlike other configuration options, this one must be defined on the
+ * compiler command line: a definition in `mbedtls_config.h` would have
+ * no effect.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h"
+
+/**
+ * \def MBEDTLS_USER_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included after
+ * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE.
+ * This allows you to modify the default configuration, including the ability
+ * to undefine options that are enabled by default.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included instead of
+ * `"psa/crypto_config.h"`.
+ * This header file specifies which cryptographic mechanisms are available
+ * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and
+ * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included after
+ * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE.
+ * This allows you to modify the default configuration, including the ability
+ * to undefine options that are enabled by default.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
+
+/** \} name SECTION: General configuration options */
+
+/**
+ * \name SECTION: Module configuration options
+ *
+ * This section allows for the setting of module specific sizes and
+ * configuration options. The default values are already present in the
+ * relevant header files and should suffice for the regular use cases.
+ *
+ * Our advice is to enable options and change their values here
+ * only if you have a good reason and know the consequences.
+ *
+ * Please check the respective header file for documentation on these
+ * parameters (to prevent duplicate documentation).
+ * \{
+ */
+
+/* ECP options */
+#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */
+
+/* \} name SECTION: Customisation configuration options */
+
+#if CRYPTO_NV_SEED
+#include "tfm_mbedcrypto_config_extra_nv_seed.h"
+#endif /* CRYPTO_NV_SEED */
+
+#if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED)
+#include "mbedtls_entropy_nv_seed_config.h"
+#endif
+
+#endif /* PROFILE_L_MBEDTLS_CONFIG_H */
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h
index ecdecea..fb19120 100644
--- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h
@@ -189,20 +189,6 @@
#define MBEDTLS_ENTROPY_NV_SEED
/**
- * \def MBEDTLS_PSA_CRYPTO_SPM
- *
- * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
- * Partition Manager) integration which separates the code into two parts: a
- * NSPE (Non-Secure Process Environment) and an SPE (Secure Process
- * Environment).
- *
- * Module: library/psa_crypto.c
- * Requires: MBEDTLS_PSA_CRYPTO_C
- *
- */
-#define MBEDTLS_PSA_CRYPTO_SPM
-
-/**
* \def MBEDTLS_SHA256_SMALLER
*
* Enable an implementation of SHA-256 that has lower ROM footprint but also
@@ -413,6 +399,55 @@
*/
#define MBEDTLS_PSA_CRYPTO_STORAGE_C
+/**
+ * \def MBEDTLS_PSA_CRYPTO_SPM
+ *
+ * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
+ * Partition Manager) integration which separates the code into two parts: a
+ * NSPE (Non-Secure Process Environment) and an SPE (Secure Process
+ * Environment).
+ *
+ * If you enable this option, your build environment must include a header
+ * file `"crypto_spe.h"` (either in the `psa` subdirectory of the Mbed TLS
+ * header files, or in another directory on the compiler's include search
+ * path). Alternatively, your platform may customize the header
+ * `psa/crypto_platform.h`, in which case it can skip or replace the
+ * inclusion of `"crypto_spe.h"`.
+ *
+ * Module: library/psa_crypto.c
+ * Requires: MBEDTLS_PSA_CRYPTO_C
+ *
+ */
+#define MBEDTLS_PSA_CRYPTO_SPM
+
+/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+ *
+ * Enable key identifiers that encode a key owner identifier.
+ *
+ * The owner of a key is identified by a value of type ::mbedtls_key_owner_id_t
+ * which is currently hard-coded to be int32_t.
+ *
+ * Note that this option is meant for internal use only and may be removed
+ * without notice.
+ */
+#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+
+/** \def MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
+ *
+ * Enable support for platform built-in keys. If you enable this feature,
+ * you must implement the function mbedtls_psa_platform_get_builtin_key().
+ * See the documentation of that function for more information.
+ *
+ * Built-in keys are typically derived from a hardware unique key or
+ * stored in a secure element.
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C.
+ *
+ * \warning This interface is experimental and may change or be removed
+ * without notice.
+ */
+#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
+
/* \} name SECTION: mbed TLS modules */
/**
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium_client.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium_client.h
new file mode 100644
index 0000000..17e8dcd
--- /dev/null
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium_client.h
@@ -0,0 +1,571 @@
+/**
+ * \file config.h
+ *
+ * \brief Configuration options (set of defines)
+ *
+ * This set of compile-time options may be used to enable
+ * or disable features selectively, and reduce the global
+ * memory footprint.
+ */
+/*
+ * Copyright (C) 2006-2023, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef PROFILE_M_MBEDTLS_CONFIG_H
+#define PROFILE_M_MBEDTLS_CONFIG_H
+
+#include "config_tfm.h"
+
+#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+/**
+ * \name SECTION: System support
+ *
+ * This section sets system specific settings.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_HAVE_ASM
+ *
+ * The compiler has support for asm().
+ *
+ * Requires support for asm() in compiler.
+ *
+ * Used in:
+ * library/aria.c
+ * library/timing.c
+ * include/mbedtls/bn_mul.h
+ *
+ * Required by:
+ * MBEDTLS_AESNI_C
+ * MBEDTLS_PADLOCK_C
+ *
+ * Comment to disable the use of assembly code.
+ */
+#define MBEDTLS_HAVE_ASM
+
+/**
+ * \def MBEDTLS_PLATFORM_MEMORY
+ *
+ * Enable the memory allocation layer.
+ *
+ * By default mbed TLS uses the system-provided calloc() and free().
+ * This allows different allocators (self-implemented or provided) to be
+ * provided to the platform abstraction layer.
+ *
+ * Enabling MBEDTLS_PLATFORM_MEMORY without the
+ * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
+ * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
+ * free() function pointer at runtime.
+ *
+ * Enabling MBEDTLS_PLATFORM_MEMORY and specifying
+ * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
+ * alternate function at compile time.
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ *
+ * Enable this layer to allow use of alternative memory allocators.
+ */
+#define MBEDTLS_PLATFORM_MEMORY
+
+/* \} name SECTION: System support */
+
+/**
+ * \name SECTION: mbed TLS feature support
+ *
+ * This section sets support for features that are or are not needed
+ * within the modules that are enabled.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_AES_ROM_TABLES
+ *
+ * Use precomputed AES tables stored in ROM.
+ *
+ * Uncomment this macro to use precomputed AES tables stored in ROM.
+ * Comment this macro to generate AES tables in RAM at runtime.
+ *
+ * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
+ * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
+ * initialization time before the first AES operation can be performed.
+ * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
+ * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
+ * performance if ROM access is slower than RAM access.
+ *
+ * This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
+ *
+ */
+#define MBEDTLS_AES_ROM_TABLES
+
+/**
+ * \def MBEDTLS_AES_FEWER_TABLES
+ *
+ * Use less ROM/RAM for AES tables.
+ *
+ * Uncommenting this macro omits 75% of the AES tables from
+ * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
+ * by computing their values on the fly during operations
+ * (the tables are entry-wise rotations of one another).
+ *
+ * Tradeoff: Uncommenting this reduces the RAM / ROM footprint
+ * by ~6kb but at the cost of more arithmetic operations during
+ * runtime. Specifically, one has to compare 4 accesses within
+ * different tables to 4 accesses with additional arithmetic
+ * operations within the same table. The performance gain/loss
+ * depends on the system and memory details.
+ *
+ * This option is independent of \c MBEDTLS_AES_ROM_TABLES.
+ *
+ */
+#define MBEDTLS_AES_FEWER_TABLES
+
+/**
+ * \def MBEDTLS_ECP_NIST_OPTIM
+ *
+ * Enable specific 'modulo p' routines for each NIST prime.
+ * Depending on the prime and architecture, makes operations 4 to 8 times
+ * faster on the corresponding curve.
+ *
+ * Comment this macro to disable NIST curves optimisation.
+ */
+#define MBEDTLS_ECP_NIST_OPTIM
+
+/**
+ * \def MBEDTLS_NO_PLATFORM_ENTROPY
+ *
+ * Do not use built-in platform entropy functions.
+ * This is useful if your platform does not support
+ * standards like the /dev/urandom or Windows CryptoAPI.
+ *
+ * Uncomment this macro to disable the built-in platform entropy functions.
+ */
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+
+/**
+ * \def MBEDTLS_ENTROPY_NV_SEED
+ *
+ * Enable the non-volatile (NV) seed file-based entropy source.
+ * (Also enables the NV seed read/write functions in the platform layer)
+ *
+ * This is crucial (if not required) on systems that do not have a
+ * cryptographic entropy source (in hardware or kernel) available.
+ *
+ * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
+ *
+ * \note The read/write functions that are used by the entropy source are
+ * determined in the platform layer, and can be modified at runtime and/or
+ * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
+ *
+ * \note If you use the default implementation functions that read a seedfile
+ * with regular fopen(), please make sure you make a seedfile with the
+ * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
+ * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
+ * and written to or you will get an entropy source error! The default
+ * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
+ * bytes from the file.
+ *
+ * \note The entropy collector will write to the seed file before entropy is
+ * given to an external source, to update it.
+ */
+#define MBEDTLS_ENTROPY_NV_SEED
+
+/**
+ * \def MBEDTLS_SHA256_SMALLER
+ *
+ * Enable an implementation of SHA-256 that has lower ROM footprint but also
+ * lower performance.
+ *
+ * The default implementation is meant to be a reasonnable compromise between
+ * performance and size. This version optimizes more aggressively for size at
+ * the expense of performance. Eg on Cortex-M4 it reduces the size of
+ * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
+ * 30%.
+ *
+ * Uncomment to enable the smaller implementation of SHA256.
+ */
+#define MBEDTLS_SHA256_SMALLER
+
+/** \def MBEDTLS_PSA_CRYPTO_CLIENT
+ *
+ * Enable support for PSA crypto client.
+ *
+ * \note This option allows to include the code necessary for a PSA
+ * crypto client when the PSA crypto implementation is not included in
+ * the library (MBEDTLS_PSA_CRYPTO_C disabled). The code included is the
+ * code to set and get PSA key attributes.
+ * The development of PSA drivers partially relying on the library to
+ * fulfill the hardware gaps is another possible usage of this option.
+ *
+ * \warning This interface is experimental and may change or be removed
+ * without notice.
+ */
+#define MBEDTLS_PSA_CRYPTO_CLIENT
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_CONFIG
+ *
+ * This setting allows support for cryptographic mechanisms through the PSA
+ * API to be configured separately from support through the mbedtls API.
+ *
+ * When this option is disabled, the PSA API exposes the cryptographic
+ * mechanisms that can be implemented on top of the `mbedtls_xxx` API
+ * configured with `MBEDTLS_XXX` symbols.
+ *
+ * When this option is enabled, the PSA API exposes the cryptographic
+ * mechanisms requested by the `PSA_WANT_XXX` symbols defined in
+ * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are
+ * automatically enabled if required (i.e. if no PSA driver provides the
+ * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols
+ * in mbedtls_config.h.
+ *
+ * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies
+ * an alternative header to include instead of include/psa/crypto_config.h.
+ *
+ * This feature is still experimental and is not ready for production since
+ * it is not completed.
+ */
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+
+/* \} name SECTION: mbed TLS feature support */
+
+/**
+ * \name SECTION: mbed TLS modules
+ *
+ * This section enables or disables entire modules in mbed TLS
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_AES_C
+ *
+ * Enable the AES block cipher.
+ *
+ * Module: library/aes.c
+ * Caller: library/cipher.c
+ * library/pem.c
+ * library/ctr_drbg.c
+ *
+ * This module is required to support the TLS ciphersuites that use the AES
+ * cipher.
+ *
+ * PEM_PARSE uses AES for decrypting encrypted keys.
+ */
+#define MBEDTLS_AES_C
+
+/**
+ * \def MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+ *
+ * Use only 128-bit keys in AES operations to save ROM.
+ *
+ * Uncomment this macro to remove support for AES operations that use 192-
+ * or 256-bit keys.
+ *
+ * Uncommenting this macro reduces the size of AES code by ~300 bytes
+ * on v8-M/Thumb2.
+ *
+ * Module: library/aes.c
+ *
+ * Requires: MBEDTLS_AES_C
+ */
+#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+
+/**
+ * \def MBEDTLS_CIPHER_C
+ *
+ * Enable the generic cipher layer.
+ *
+ * Module: library/cipher.c
+ *
+ * Uncomment to enable generic cipher wrappers.
+ */
+#define MBEDTLS_CIPHER_C
+
+/**
+ * \def MBEDTLS_CTR_DRBG_C
+ *
+ * Enable the CTR_DRBG AES-based random generator.
+ * The CTR_DRBG generator uses AES-256 by default.
+ * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below.
+ *
+ * Module: library/ctr_drbg.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_AES_C
+ *
+ * This module provides the CTR_DRBG AES random number generator.
+ */
+#define MBEDTLS_CTR_DRBG_C
+
+/**
+ * \def MBEDTLS_ENTROPY_C
+ *
+ * Enable the platform-specific entropy code.
+ *
+ * Module: library/entropy.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
+ *
+ * This module provides a generic entropy pool
+ */
+#define MBEDTLS_ENTROPY_C
+
+/**
+ * \def MBEDTLS_HKDF_C
+ *
+ * Enable the HKDF algorithm (RFC 5869).
+ *
+ * Module: library/hkdf.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_MD_C
+ *
+ * This module adds support for the Hashed Message Authentication Code
+ * (HMAC)-based key derivation function (HKDF).
+ */
+//#define MBEDTLS_HKDF_C /* Used for HUK deriviation */
+
+/**
+ * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ *
+ * Enable the buffer allocator implementation that makes use of a (stack)
+ * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
+ * calls)
+ *
+ * Module: library/memory_buffer_alloc.c
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)
+ *
+ * Enable this module to enable the buffer memory allocator.
+ */
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+
+/**
+ * \def MBEDTLS_PLATFORM_C
+ *
+ * Enable the platform abstraction layer that allows you to re-assign
+ * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
+ *
+ * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
+ * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
+ * above to be specified at runtime or compile time respectively.
+ *
+ * \note This abstraction layer must be enabled on Windows (including MSYS2)
+ * as other module rely on it for a fixed snprintf implementation.
+ *
+ * Module: library/platform.c
+ * Caller: Most other .c files
+ *
+ * This module enables abstraction of common (libc) functions.
+ */
+#define MBEDTLS_PLATFORM_C
+
+#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h>
+
+#include <stdio.h>
+
+#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf
+#define MBEDTLS_PLATFORM_PRINTF_ALT
+#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_C
+ *
+ * Enable the Platform Security Architecture cryptography API.
+ *
+ * Module: library/psa_crypto.c
+ *
+ * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C
+ *
+ */
+//#define MBEDTLS_PSA_CRYPTO_C
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_STORAGE_C
+ *
+ * Enable the Platform Security Architecture persistent key storage.
+ *
+ * Module: library/psa_crypto_storage.c
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C,
+ * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
+ * the PSA ITS interface
+ */
+//#define MBEDTLS_PSA_CRYPTO_STORAGE_C
+
+/* \} name SECTION: mbed TLS modules */
+
+/**
+ * \name SECTION: General configuration options
+ *
+ * This section contains Mbed TLS build settings that are not associated
+ * with a particular module.
+ *
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included instead of
+ * `"mbedtls/mbedtls_config.h"`.
+ * This header file specifies the compile-time configuration of Mbed TLS.
+ * Unlike other configuration options, this one must be defined on the
+ * compiler command line: a definition in `mbedtls_config.h` would have
+ * no effect.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h"
+
+/**
+ * \def MBEDTLS_USER_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included after
+ * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE.
+ * This allows you to modify the default configuration, including the ability
+ * to undefine options that are enabled by default.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included instead of
+ * `"psa/crypto_config.h"`.
+ * This header file specifies which cryptographic mechanisms are available
+ * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and
+ * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included after
+ * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE.
+ * This allows you to modify the default configuration, including the ability
+ * to undefine options that are enabled by default.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
+
+/** \} name SECTION: General configuration options */
+
+/**
+ * \name SECTION: Module configuration options
+ *
+ * This section allows for the setting of module specific sizes and
+ * configuration options. The default values are already present in the
+ * relevant header files and should suffice for the regular use cases.
+ *
+ * Our advice is to enable options and change their values here
+ * only if you have a good reason and know the consequences.
+ *
+ * Please check the respective header file for documentation on these
+ * parameters (to prevent duplicate documentation).
+ * \{
+ */
+
+/* ECP options */
+#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */
+
+/**
+ * Uncomment to enable p256-m. This is an alternative implementation of
+ * key generation, ECDH and (randomized) ECDSA on the curve SECP256R1.
+ * Compared to the default implementation:
+ *
+ * - p256-m has a much smaller code size and RAM footprint.
+ * - p256-m is only available via the PSA API. This includes the pk module
+ * when #MBEDTLS_USE_PSA_CRYPTO is enabled.
+ * - p256-m does not support deterministic ECDSA, EC-JPAKE, custom protocols
+ * over the core arithmetic, or deterministic derivation of keys.
+ *
+ * We recommend enabling this option if your application uses the PSA API
+ * and the only elliptic curve support it needs is ECDH and ECDSA over
+ * SECP256R1.
+ *
+ * If you enable this option, you do not need to enable any ECC-related
+ * MBEDTLS_xxx option. You do need to separately request support for the
+ * cryptographic mechanisms through the PSA API:
+ * - #MBEDTLS_PSA_CRYPTO_C and #MBEDTLS_PSA_CRYPTO_CONFIG for PSA-based
+ * configuration;
+ * - #MBEDTLS_USE_PSA_CRYPTO if you want to use p256-m from PK, X.509 or TLS;
+ * - #PSA_WANT_ECC_SECP_R1_256;
+ * - #PSA_WANT_ALG_ECDH and/or #PSA_WANT_ALG_ECDSA as needed;
+ * - #PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY, #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC,
+ * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT,
+ * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT and/or
+ * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE as needed.
+ *
+ * \note To benefit from the smaller code size of p256-m, make sure that you
+ * do not enable any ECC-related option not supported by p256-m: this
+ * would cause the built-in ECC implementation to be built as well, in
+ * order to provide the required option.
+ * Make sure #PSA_WANT_ALG_DETERMINISTIC_ECDSA, #PSA_WANT_ALG_JPAKE and
+ * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE, and curves other than
+ * SECP256R1 are disabled as they are not supported by this driver.
+ * Also, avoid defining #MBEDTLS_PK_PARSE_EC_COMPRESSED or
+ * #MBEDTLS_PK_PARSE_EC_EXTENDED as those currently require a subset of
+ * the built-in ECC implementation, see docs/driver-only-builds.md.
+ */
+//#define MBEDTLS_PSA_P256M_DRIVER_ENABLED
+
+/* \} name SECTION: Customisation configuration options */
+
+#if CRYPTO_NV_SEED
+#include "tfm_mbedcrypto_config_extra_nv_seed.h"
+#endif /* CRYPTO_NV_SEED */
+
+#if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED)
+#include "mbedtls_entropy_nv_seed_config.h"
+#endif
+
+#endif /* PROFILE_M_MBEDTLS_CONFIG_H */
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h
index 6c0c5cb..ac7dc25 100644
--- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h
@@ -178,20 +178,6 @@
#define MBEDTLS_ENTROPY_NV_SEED
/**
- * \def MBEDTLS_PSA_CRYPTO_SPM
- *
- * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
- * Partition Manager) integration which separates the code into two parts: a
- * NSPE (Non-Secure Process Environment) and an SPE (Secure Process
- * Environment).
- *
- * Module: library/psa_crypto.c
- * Requires: MBEDTLS_PSA_CRYPTO_C
- *
- */
-#define MBEDTLS_PSA_CRYPTO_SPM
-
-/**
* \def MBEDTLS_SHA256_SMALLER
*
* Enable an implementation of SHA-256 that has lower ROM footprint but also
@@ -414,6 +400,55 @@
*/
#define MBEDTLS_PSA_CRYPTO_STORAGE_C
+/**
+ * \def MBEDTLS_PSA_CRYPTO_SPM
+ *
+ * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
+ * Partition Manager) integration which separates the code into two parts: a
+ * NSPE (Non-Secure Process Environment) and an SPE (Secure Process
+ * Environment).
+ *
+ * If you enable this option, your build environment must include a header
+ * file `"crypto_spe.h"` (either in the `psa` subdirectory of the Mbed TLS
+ * header files, or in another directory on the compiler's include search
+ * path). Alternatively, your platform may customize the header
+ * `psa/crypto_platform.h`, in which case it can skip or replace the
+ * inclusion of `"crypto_spe.h"`.
+ *
+ * Module: library/psa_crypto.c
+ * Requires: MBEDTLS_PSA_CRYPTO_C
+ *
+ */
+#define MBEDTLS_PSA_CRYPTO_SPM
+
+/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+ *
+ * Enable key identifiers that encode a key owner identifier.
+ *
+ * The owner of a key is identified by a value of type ::mbedtls_key_owner_id_t
+ * which is currently hard-coded to be int32_t.
+ *
+ * Note that this option is meant for internal use only and may be removed
+ * without notice.
+ */
+#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+
+/** \def MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
+ *
+ * Enable support for platform built-in keys. If you enable this feature,
+ * you must implement the function mbedtls_psa_platform_get_builtin_key().
+ * See the documentation of that function for more information.
+ *
+ * Built-in keys are typically derived from a hardware unique key or
+ * stored in a secure element.
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C.
+ *
+ * \warning This interface is experimental and may change or be removed
+ * without notice.
+ */
+#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
+
/* \} name SECTION: mbed TLS modules */
/**
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small_client.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small_client.h
new file mode 100644
index 0000000..ae1f2cf
--- /dev/null
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small_client.h
@@ -0,0 +1,511 @@
+/**
+ * \file config.h
+ *
+ * \brief Configuration options (set of defines)
+ *
+ * This set of compile-time options may be used to enable
+ * or disable features selectively, and reduce the global
+ * memory footprint.
+ */
+/*
+ * Copyright (C) 2006-2022, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef PROFILE_S_MBEDTLS_CONFIG_H
+#define PROFILE_S_MBEDTLS_CONFIG_H
+
+#include "config_tfm.h"
+
+#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+/**
+ * \name SECTION: System support
+ *
+ * This section sets system specific settings.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_HAVE_ASM
+ *
+ * The compiler has support for asm().
+ *
+ * Requires support for asm() in compiler.
+ *
+ * Used in:
+ * library/aria.c
+ * library/timing.c
+ * include/mbedtls/bn_mul.h
+ *
+ * Required by:
+ * MBEDTLS_AESNI_C
+ * MBEDTLS_PADLOCK_C
+ *
+ * Comment to disable the use of assembly code.
+ */
+#define MBEDTLS_HAVE_ASM
+
+/**
+ * \def MBEDTLS_PLATFORM_MEMORY
+ *
+ * Enable the memory allocation layer.
+ *
+ * By default mbed TLS uses the system-provided calloc() and free().
+ * This allows different allocators (self-implemented or provided) to be
+ * provided to the platform abstraction layer.
+ *
+ * Enabling MBEDTLS_PLATFORM_MEMORY without the
+ * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
+ * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
+ * free() function pointer at runtime.
+ *
+ * Enabling MBEDTLS_PLATFORM_MEMORY and specifying
+ * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
+ * alternate function at compile time.
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ *
+ * Enable this layer to allow use of alternative memory allocators.
+ */
+#define MBEDTLS_PLATFORM_MEMORY
+
+/* \} name SECTION: System support */
+
+/**
+ * \name SECTION: mbed TLS feature support
+ *
+ * This section sets support for features that are or are not needed
+ * within the modules that are enabled.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_AES_ROM_TABLES
+ *
+ * Use precomputed AES tables stored in ROM.
+ *
+ * Uncomment this macro to use precomputed AES tables stored in ROM.
+ * Comment this macro to generate AES tables in RAM at runtime.
+ *
+ * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
+ * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
+ * initialization time before the first AES operation can be performed.
+ * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
+ * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
+ * performance if ROM access is slower than RAM access.
+ *
+ * This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
+ *
+ */
+#define MBEDTLS_AES_ROM_TABLES
+
+/**
+ * \def MBEDTLS_AES_FEWER_TABLES
+ *
+ * Use less ROM/RAM for AES tables.
+ *
+ * Uncommenting this macro omits 75% of the AES tables from
+ * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
+ * by computing their values on the fly during operations
+ * (the tables are entry-wise rotations of one another).
+ *
+ * Tradeoff: Uncommenting this reduces the RAM / ROM footprint
+ * by ~6kb but at the cost of more arithmetic operations during
+ * runtime. Specifically, one has to compare 4 accesses within
+ * different tables to 4 accesses with additional arithmetic
+ * operations within the same table. The performance gain/loss
+ * depends on the system and memory details.
+ *
+ * This option is independent of \c MBEDTLS_AES_ROM_TABLES.
+ *
+ */
+#define MBEDTLS_AES_FEWER_TABLES
+
+/**
+ * \def MBEDTLS_NO_PLATFORM_ENTROPY
+ *
+ * Do not use built-in platform entropy functions.
+ * This is useful if your platform does not support
+ * standards like the /dev/urandom or Windows CryptoAPI.
+ *
+ * Uncomment this macro to disable the built-in platform entropy functions.
+ */
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+
+/**
+ * \def MBEDTLS_ENTROPY_NV_SEED
+ *
+ * Enable the non-volatile (NV) seed file-based entropy source.
+ * (Also enables the NV seed read/write functions in the platform layer)
+ *
+ * This is crucial (if not required) on systems that do not have a
+ * cryptographic entropy source (in hardware or kernel) available.
+ *
+ * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
+ *
+ * \note The read/write functions that are used by the entropy source are
+ * determined in the platform layer, and can be modified at runtime and/or
+ * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
+ *
+ * \note If you use the default implementation functions that read a seedfile
+ * with regular fopen(), please make sure you make a seedfile with the
+ * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
+ * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
+ * and written to or you will get an entropy source error! The default
+ * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
+ * bytes from the file.
+ *
+ * \note The entropy collector will write to the seed file before entropy is
+ * given to an external source, to update it.
+ */
+#define MBEDTLS_ENTROPY_NV_SEED
+
+/**
+ * \def MBEDTLS_SHA256_SMALLER
+ *
+ * Enable an implementation of SHA-256 that has lower ROM footprint but also
+ * lower performance.
+ *
+ * The default implementation is meant to be a reasonnable compromise between
+ * performance and size. This version optimizes more aggressively for size at
+ * the expense of performance. Eg on Cortex-M4 it reduces the size of
+ * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
+ * 30%.
+ *
+ * Uncomment to enable the smaller implementation of SHA256.
+ */
+#define MBEDTLS_SHA256_SMALLER
+
+/** \def MBEDTLS_PSA_CRYPTO_CLIENT
+ *
+ * Enable support for PSA crypto client.
+ *
+ * \note This option allows to include the code necessary for a PSA
+ * crypto client when the PSA crypto implementation is not included in
+ * the library (MBEDTLS_PSA_CRYPTO_C disabled). The code included is the
+ * code to set and get PSA key attributes.
+ * The development of PSA drivers partially relying on the library to
+ * fulfill the hardware gaps is another possible usage of this option.
+ *
+ * \warning This interface is experimental and may change or be removed
+ * without notice.
+ */
+#define MBEDTLS_PSA_CRYPTO_CLIENT
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_CONFIG
+ *
+ * This setting allows support for cryptographic mechanisms through the PSA
+ * API to be configured separately from support through the mbedtls API.
+ *
+ * When this option is disabled, the PSA API exposes the cryptographic
+ * mechanisms that can be implemented on top of the `mbedtls_xxx` API
+ * configured with `MBEDTLS_XXX` symbols.
+ *
+ * When this option is enabled, the PSA API exposes the cryptographic
+ * mechanisms requested by the `PSA_WANT_XXX` symbols defined in
+ * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are
+ * automatically enabled if required (i.e. if no PSA driver provides the
+ * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols
+ * in mbedtls_config.h.
+ *
+ * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies
+ * an alternative header to include instead of include/psa/crypto_config.h.
+ *
+ * This feature is still experimental and is not ready for production since
+ * it is not completed.
+ */
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+
+/* \} name SECTION: mbed TLS feature support */
+
+/**
+ * \name SECTION: mbed TLS modules
+ *
+ * This section enables or disables entire modules in mbed TLS
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_AES_C
+ *
+ * Enable the AES block cipher.
+ *
+ * Module: library/aes.c
+ * Caller: library/cipher.c
+ * library/pem.c
+ * library/ctr_drbg.c
+ *
+ * This module is required to support the TLS ciphersuites that use the AES
+ * cipher.
+ *
+ * PEM_PARSE uses AES for decrypting encrypted keys.
+ */
+#define MBEDTLS_AES_C
+
+/**
+ * \def MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+ *
+ * Use only 128-bit keys in AES operations to save ROM.
+ *
+ * Uncomment this macro to remove support for AES operations that use 192-
+ * or 256-bit keys.
+ *
+ * Uncommenting this macro reduces the size of AES code by ~300 bytes
+ * on v8-M/Thumb2.
+ *
+ * Module: library/aes.c
+ *
+ * Requires: MBEDTLS_AES_C
+ */
+#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+
+/**
+ * \def MBEDTLS_CIPHER_C
+ *
+ * Enable the generic cipher layer.
+ *
+ * Module: library/cipher.c
+ *
+ * Uncomment to enable generic cipher wrappers.
+ */
+#define MBEDTLS_CIPHER_C
+
+/**
+ * \def MBEDTLS_CTR_DRBG_C
+ *
+ * Enable the CTR_DRBG AES-based random generator.
+ * The CTR_DRBG generator uses AES-256 by default.
+ * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below.
+ *
+ * Module: library/ctr_drbg.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_AES_C
+ *
+ * This module provides the CTR_DRBG AES random number generator.
+ */
+#define MBEDTLS_CTR_DRBG_C
+
+/**
+ * \def MBEDTLS_ENTROPY_C
+ *
+ * Enable the platform-specific entropy code.
+ *
+ * Module: library/entropy.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
+ *
+ * This module provides a generic entropy pool
+ */
+#define MBEDTLS_ENTROPY_C
+
+/**
+ * \def MBEDTLS_HKDF_C
+ *
+ * Enable the HKDF algorithm (RFC 5869).
+ *
+ * Module: library/hkdf.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_MD_C
+ *
+ * This module adds support for the Hashed Message Authentication Code
+ * (HMAC)-based key derivation function (HKDF).
+ */
+//#define MBEDTLS_HKDF_C /* Used for HUK deriviation */
+
+/**
+ * \def MBEDTLS_MD_C
+ *
+ * Enable the generic message digest layer.
+ *
+ * Module: library/md.c
+ * Caller:
+ *
+ * Uncomment to enable generic message digest wrappers.
+ */
+#define MBEDTLS_MD_C
+
+/**
+ * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ *
+ * Enable the buffer allocator implementation that makes use of a (stack)
+ * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
+ * calls)
+ *
+ * Module: library/memory_buffer_alloc.c
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)
+ *
+ * Enable this module to enable the buffer memory allocator.
+ */
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+
+/**
+ * \def MBEDTLS_PLATFORM_C
+ *
+ * Enable the platform abstraction layer that allows you to re-assign
+ * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
+ *
+ * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
+ * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
+ * above to be specified at runtime or compile time respectively.
+ *
+ * \note This abstraction layer must be enabled on Windows (including MSYS2)
+ * as other module rely on it for a fixed snprintf implementation.
+ *
+ * Module: library/platform.c
+ * Caller: Most other .c files
+ *
+ * This module enables abstraction of common (libc) functions.
+ */
+#define MBEDTLS_PLATFORM_C
+
+#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h>
+
+#include <stdio.h>
+
+#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf
+#define MBEDTLS_PLATFORM_PRINTF_ALT
+#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_C
+ *
+ * Enable the Platform Security Architecture cryptography API.
+ *
+ * Module: library/psa_crypto.c
+ *
+ * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C
+ *
+ */
+//#define MBEDTLS_PSA_CRYPTO_C
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_STORAGE_C
+ *
+ * Enable the Platform Security Architecture persistent key storage.
+ *
+ * Module: library/psa_crypto_storage.c
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C,
+ * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
+ * the PSA ITS interface
+ */
+//#define MBEDTLS_PSA_CRYPTO_STORAGE_C
+
+/* \} name SECTION: mbed TLS modules */
+
+/**
+ * \name SECTION: General configuration options
+ *
+ * This section contains Mbed TLS build settings that are not associated
+ * with a particular module.
+ *
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included instead of
+ * `"mbedtls/mbedtls_config.h"`.
+ * This header file specifies the compile-time configuration of Mbed TLS.
+ * Unlike other configuration options, this one must be defined on the
+ * compiler command line: a definition in `mbedtls_config.h` would have
+ * no effect.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h"
+
+/**
+ * \def MBEDTLS_USER_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included after
+ * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE.
+ * This allows you to modify the default configuration, including the ability
+ * to undefine options that are enabled by default.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included instead of
+ * `"psa/crypto_config.h"`.
+ * This header file specifies which cryptographic mechanisms are available
+ * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and
+ * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included after
+ * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE.
+ * This allows you to modify the default configuration, including the ability
+ * to undefine options that are enabled by default.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
+
+/** \} name SECTION: General configuration options */
+
+#if CRYPTO_NV_SEED
+#include "tfm_mbedcrypto_config_extra_nv_seed.h"
+#endif /* CRYPTO_NV_SEED */
+
+#if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED)
+#include "mbedtls_entropy_nv_seed_config.h"
+#endif
+
+#endif /* PROFILE_S_MBEDTLS_CONFIG_H */