| Ronald Cron | 9228e4a | 2025-10-05 16:25:43 +0200 | [diff] [blame^] | 1 | ## CMake as the only build system |
| 2 | CMake is now the only supported build system for Mbed TLS. |
| 3 | Support for the legacy GNU Make and Microsoft Visual Studio project-based build systems has been removed. |
| 4 | |
| 5 | The GNU Make build system is still used internally for testing, but it will be removed once all test components have been migrated to CMake. |
| 6 | The previous .sln/.vcxproj files are no longer distributed or generated. |
| 7 | |
| 8 | Builds must now be configured and executed through CMake. See `Compiling` section in README.md for initial build instructions. |
| 9 | If you develop in Microsoft Visual Studio, you could either generate a Visual Studio solution using a CMake generator, or open the CMake project directly in Visual Studio. |
| 10 | |
| 11 | ## Repository split |
| 12 | In Mbed TLS 4.0, the project was split into two repositories: |
| 13 | - [Mbed TLS](https://github.com/Mbed-TLS/mbedtls): provides TLS and X.509 functionality. |
| 14 | - [TF-PSA-Crypto](https://github.com/Mbed-TLS/TF-PSA-Crypto): provides the standalone cryptography library, implementing the PSA Cryptography API. |
| 15 | Mbed TLS consumes TF-PSA-Crypto as a submodule. |
| 16 | You should stay with Mbed TLS if you use TLS or X.509 functionality. You still have direct access to the PSA Cryptography API through the `tf-psa-crypto` submodule. |
| 17 | |
| 18 | ### File and directory relocations |
| 19 | |
| 20 | The following table summarizes the file and directory relocations resulting from the repository split between Mbed TLS and TF-PSA-Crypto. |
| 21 | These changes reflect the move of cryptographic, cryptographic-adjacent, and platform components from Mbed TLS into the new TF-PSA-Crypto repository. |
| 22 | |
| 23 | | Original location | New location(s) | Notes | |
| 24 | |--------------------------------------|--------------------------------------------------------------------------------------|-------| |
| 25 | | `library/` | `tf-psa-crypto/core/`<br>`tf-psa-crypto/drivers/builtin/src/` | Contains cryptographic, cryptographic-adjacent (e.g., ASN.1, Base64), and platform C modules and headers. | |
| 26 | | `include/mbedtls/` | `tf-psa-crypto/include/mbedtls/`<br>`tf-psa-crypto/drivers/builtin/include/private/` | Public headers moved to `include/mbedtls`; now internal headers moved to `include/private`. | |
| 27 | | `include/psa/` | `tf-psa-crypto/include/` | All PSA headers consolidated here. | |
| 28 | | `3rdparty/everest/`<br>`3rdparty/p256-m/` | `tf-psa-crypto/drivers/` | Third-party crypto driver implementations. | |
| 29 | |
| 30 | If you use your own build system to build Mbed TLS libraries, you will need to adapt to the new tree. |
| 31 | |
| 32 | ### Configuration file split |
| 33 | Cryptography and platform configuration options have been moved from `mbedtls_config.h` to `crypto_config.h`, which is now mandatory. See [Compile-time configuration](#compile-time-confiuration). |
| 34 | |
| 35 | ### Impact on some usages of the library |
| 36 | |
| 37 | #### Checking out a branch or a tag |
| 38 | After checking out a branch or tag of the Mbed TLS repository, you must now recursively update the submodules, as TF-PSA-Crypto contains itself a nested submodule: |
| 39 | ``` |
| 40 | git submodule update --init --recursive |
| 41 | ``` |
| 42 | |
| 43 | #### Linking directly to a built library |
| 44 | The Mbed TLS CMake build system still provides the cryptography libraries under their legacy name, `libmbedcrypto.<ext>`, so you can continue linking against them. |
| 45 | The cryptography libraries are also now provided as `libtfpsacrypto.<ext>` like in the TF-PSA-Crypto repository. |
| 46 | |
| 47 | #### Linking through a CMake target of the cryptography library |
| 48 | The base name of the CMake cryptography library target has been changed from `mbedcrypto` to `tfpsacrypto`. |
| 49 | If no target prefix is specified through the MBEDTLS_TARGET_PREFIX option, the associated CMake target is thus now `tfpsacrypto`. |
| 50 | |
| 51 | The same renaming applies to the cryptography library targets declared as part of the Mbed TLS CMake package. |
| 52 | When no global target prefix is defined, use `MbedTLS::tfpsacrypto` instead of `MbedTLS::mbedcrypto`. |
| 53 | |
| 54 | As an example, the following CMake code: |
| 55 | ``` |
| 56 | find_package(MbedTLS REQUIRED) |
| 57 | target_link_libraries(myapp PRIVATE MbedTLS::mbedtls MbedTLS::mbedx509 MbedTLS::mbedcrypto) |
| 58 | |
| 59 | ``` |
| 60 | would be updated to something like |
| 61 | ``` |
| 62 | find_package(MbedTLS REQUIRED) |
| 63 | target_link_libraries(myapp PRIVATE MbedTLS::mbedtls MbedTLS::mbedx509 MbedTLS::tfpsacrypto) |
| 64 | ``` |
| 65 | |
| 66 | For more information, see the CMake section of `README.md`. |
| 67 | You can also refer to the following example programs demonstrating how to consume Mbed TLS via CMake: |
| 68 | * `programs/test/cmake_subproject` |
| 69 | * `programs/test/cmake_package` |
| 70 | * `programs/test/cmake_package_install`. |
| 71 | |
| 72 | #### Using Mbed TLS Crypto pkg-config file |
| 73 | The Mbed TLS CMake build system still provides the pkg-config file mbedcrypto.pc, so you can continue using it. Internally, it now references the `tfpsacrypto` library. |
| 74 | A new pkg-config file, `tfpsacrypto.pc`, is also provided. |
| 75 | Both `mbedcrypto.pc` and `tfpsacrypto.pc` are functionally equivalent, providing the same compiler and linker flags. |
| 76 | |
| 77 | ### Audience-Specific Notes |
| 78 | |
| 79 | #### Application Developers using a distribution package |
| 80 | You should stay with Mbed TLS if you use TLS or X.509 functionality. |
| 81 | - See [Impact on usages of the library](#impact-on-some-usages-of-the-library) for the possible impacts on: |
| 82 | - Linking against the cryptography library or CMake targets. |
| 83 | - Use the updated `pkg-config` files (`mbedcrypto.pc` / `tfpsacrypto.pc`). |
| 84 | |
| 85 | ### Developer or package maintainers |
| 86 | If you build or distribute Mbed TLS: |
| 87 | - The build system is now CMake only, Makefiles and Visual Studio projects are removed. |
| 88 | - You may need to adapt packaging scripts to handle the TF-PSA-Crypto submodule. |
| 89 | - You should update submodules recursively after checkout. |
| 90 | - Review [File and directory relocations](#file-and-directory-relocations) for updated paths. |
| 91 | - See [Impact on usages of the library](#impact-on-some-usages-of-the-library) for the possible impacts on: |
| 92 | - Linking against the cryptography library or CMake targets. |
| 93 | - Use the updated `pkg-config` files (`mbedcrypto.pc` / `tfpsacrypto.pc`). |
| 94 | - Configuration note: cryptography and platform options are now in `crypto_config.h` (see [Configuration file split](#configuration-file-split)). |
| 95 | |
| 96 | ### Platform Integrators |
| 97 | If you integrate Mbed TLS with a platform or hardware drivers: |
| 98 | - TF-PSA-Crypto is now a submodule, update integration scripts to initialize submodules recursively. |
| 99 | - The PSA driver wrapper is now generated in TF-PSA-Crypto. |
| 100 | - Platform-specific configuration are now handled in `crypto_config.h`. |
| 101 | - See [Repository split](#repository-split) for how platform components moved to TF-PSA-Crypto. |