Support per-deployment configuration of MbedTLS
Up until now, only libmbedcrypto has been used for builds of the
MbedTLS external component. In preparation for using other libraries
produced by MbedTLS (e.g. libmbedx509), this change moves the build
configuration to be defined by a deployment that depends on MbedTLS
in some way. This allows a deployment specific configuration to be
applied that impacts the complete set of mbedTLS library dependencies.
To allow for reuse of common configurations, a new config directory
has been added under external/MbedTLS to provide a home for reusable
config header files.
Signed-off-by: Julian Hall <julian.hall@arm.com>
Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Change-Id: Icfdeb796d9bda185c30f68e525f7644f1edd4770
diff --git a/components/service/crypto/backend/mbedcrypto/component.cmake b/components/service/crypto/backend/mbedcrypto/component.cmake
index 4b531b7..bd7f4ae 100644
--- a/components/service/crypto/backend/mbedcrypto/component.cmake
+++ b/components/service/crypto/backend/mbedcrypto/component.cmake
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+# Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -12,15 +12,9 @@
"${CMAKE_CURRENT_LIST_DIR}/mbedcrypto_backend.c"
)
-# Force use of the mbed crypto configuration required by the crypto service
-# provider. This configuration includes enabling the use of the PSA ITS API
-# for persistent key storage which is realised by the its client adapter
-# for the secure storage service.
-set(MBEDTLS_USER_CONFIG_FILE
- "${CMAKE_CURRENT_LIST_DIR}/config_mbedtls_user.h"
- CACHE STRING "Configuration file for Mbed TLS" FORCE)
-
+# Use secure storage client to realize PSA ITS C API used by libmbedcrypto for
+# persistent key storage.
set(MBEDTLS_EXTRA_INCLUDES
"${TS_ROOT}/components/service/common/include"
"${TS_ROOT}/components/service/secure_storage/include"
- CACHE STRING "PSA ITS for Mbed TLS" FORCE)
+ CACHE STRING "PSA ITS for MbedTLS" FORCE)
diff --git a/components/service/crypto/backend/mbedcrypto/config_mbedtls_user.h b/components/service/crypto/backend/mbedcrypto/config_mbedtls_user.h
deleted file mode 100644
index b92bded..0000000
--- a/components/service/crypto/backend/mbedcrypto/config_mbedtls_user.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
-
-#ifndef CONFIG_MBEDTLS_USER_H
-#define CONFIG_MBEDTLS_USER_H
-
-/**
- * Mbed TLS configuration for building libmbedcrypto to act as a backend
- * for the crypto service provider running in an isolated secure processing
- * environment. Note that supported crypto operations are configured
- * separately using the PSA crypto build interface (PSA_WANT_xxx). This
- * decouples Mbed TLS specific configuration from the more general crypto
- * capabilities configuration.
- */
-#define MBEDTLS_PSA_CRYPTO_CONFIG
-#define MBEDTLS_NO_UDBL_DIVISION
-#undef MBEDTLS_HAVE_TIME
-#undef MBEDTLS_HAVE_TIME_DATE
-#undef MBEDTLS_FS_IO
-#define MBEDTLS_ENTROPY_HARDWARE_ALT
-#define MBEDTLS_NO_PLATFORM_ENTROPY
-#undef MBEDTLS_SELF_TEST
-#undef MBEDTLS_PLATFORM_C
-#undef MBEDTLS_PSA_ITS_FILE_C
-#undef MBEDTLS_TIMING_C
-#undef MBEDTLS_AESNI_C
-#undef MBEDTLS_AESCE_C
-#undef MBEDTLS_PADLOCK_C
-
-
-#endif /* CONFIG_MBEDTLS_USER_H */