TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls.git / be352633ae83bbb6f99393c7cc6679f482a608cc / . / docs / proposed / config-split.md
blob: a76fa8e426e1485756242ae6ca41fb22cbb4deeb [file] [log] [blame] [view]
Ronald Cron5e292602024-09-03 16:01:48 +0200[diff] [blame]1Configuration file split
2========================
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]3
Ronald Cron4162c3a2024-09-19 11:05:56 +0200[diff] [blame]4## Why split the configuration file?
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]5
6The objective of the repository split is to reach the point where in Mbed TLS
Ronald Cron4162c3a2024-09-19 11:05:56 +0200[diff] [blame]7all the cryptography code and its tests are located in a `tf-psa-crypto`
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]8directory that just contains the TF-PSA-Crypto repository as a submodule.
9The cryptography APIs exposed by Mbed TLS are just the TF-PSA-Crypto ones.
10Mbed TLS relies solely on the TF-PSA-Crypto build system to build its
11cryptography library and its tests.
12
Ronald Cron075c7422024-09-09 15:43:38 +0200[diff] [blame]13The TF-PSA-Crypto configuration file `tf_psa_crypto_config.h` configures
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]14entirely the cryptography interface exposed by Mbed TLS through TF-PSA-Crypto.
Ronald Cron4162c3a2024-09-19 11:05:56 +0200[diff] [blame]15Mbed TLS configuration is split in two files: `mbedtls_config.h` for TLS and
Ronald Cron075c7422024-09-09 15:43:38 +0200[diff] [blame]16x509, `tf_psa_crypto_config.h` for the cryptography.
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]17
Ronald Cron5e292602024-09-03 16:01:48 +0200[diff] [blame]18## How do we split the configuration file?
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]19
Ronald Cron4162c3a2024-09-19 11:05:56 +0200[diff] [blame]20We extend the so-called PSA cryptographic configuration scheme based on
Ronald Cron075c7422024-09-09 15:43:38 +0200[diff] [blame]21`mbedtls_config.h` and `crypto_config.h`. The configuration file `crypto_config.h`
22is extended to become the TF-PSA-Crypto configuration file, `mbedtls_config.h`
Ronald Cron5e292602024-09-03 16:01:48 +0200[diff] [blame]23becomes the configuration file for the TLS and x509 libraries. All the options
24to select the cryptographic mechanisms and to configure their implementation
Ronald Cron075c7422024-09-09 15:43:38 +0200[diff] [blame]25are moved from `mbedtls_config.h` to `(tf_psa_)crypto_config.h`.
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]26
Ronald Cron5e292602024-09-03 16:01:48 +0200[diff] [blame]27The configuration options that are relevant to both Mbed TLS and TF-PSA-Crypto
Ronald Cron075c7422024-09-09 15:43:38 +0200[diff] [blame]28like platform or system ones are moved to `(tf_psa_)crypto_config.h`. That way
Ronald Cron5e292602024-09-03 16:01:48 +0200[diff] [blame]29they are available in both repositories (as Mbed TLS includes
Ronald Cron075c7422024-09-09 15:43:38 +0200[diff] [blame]30`tf_psa_crypto_config.h`) without duplication. Later, we may duplicate or
31create aliases for some of them to align with the naming conventions of the
Ronald Cron5e292602024-09-03 16:01:48 +0200[diff] [blame]32repositories.
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]33
Ronald Cron075c7422024-09-09 15:43:38 +0200[diff] [blame]34The layout of options into sections in `mbedtls_config.h` does not suit
35TF-PSA-Crypto well thus the configuration options `tf_psa_crypto_config.h` are
Ronald Cron5e292602024-09-03 16:01:48 +0200[diff] [blame]36organized into different sections (see below).
37
Ronald Cron075c7422024-09-09 15:43:38 +0200[diff] [blame]38## Configuration files and `config.py`
Ronald Cron5e292602024-09-03 16:01:48 +0200[diff] [blame]39
Ronald Cron075c7422024-09-09 15:43:38 +0200[diff] [blame]40Each repository contains a `config.py` script to create and modify
41configurations.
Ronald Cron5e292602024-09-03 16:01:48 +0200[diff] [blame]42
Ronald Cron075c7422024-09-09 15:43:38 +0200[diff] [blame]43In Mbed TLS, `config.py` handles both `mbedtls_config.h` and
44`tf_psa_crypto_config.h`. It can set or unset TLS, x509 and cryptographic
Ronald Cron5e292602024-09-03 16:01:48 +0200[diff] [blame]45configuration options without having to specify the configuration file the
46options belong to. Commands like full and baremetal affect both configuration
47files.
48
Ronald Cron075c7422024-09-09 15:43:38 +0200[diff] [blame]49In TF-PSA-Crypto, `config.py` addresses only `tf_psa_crypto_config.h`.
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]50
Ronald Cron075c7422024-09-09 15:43:38 +0200[diff] [blame]51## Sections in `tf_psa_crypto_config.h`
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]52
Ronald Cron075c7422024-09-09 15:43:38 +0200[diff] [blame]53The `tf_psa_crypto_config.h` configuration file is organized into eight
54sections.
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]55
Ronald Cron075c7422024-09-09 15:43:38 +0200[diff] [blame]56The pre-split `mbedtls_config.h` configuration file contains configuration
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]57options that apply to the whole code base (TLS, x509, crypto and tests) mostly
Ronald Cron075c7422024-09-09 15:43:38 +0200[diff] [blame]58related to the platform abstraction layer and testing. In
59`tf_psa_crypto_config.h` these configurations options are organized into two
60sections, one for the platform abstraction layer options and one for the others,
Ronald Cron2c152fd2024-09-27 10:30:59 +0200[diff] [blame]61respectively named ["Platform abstraction layer"](#section-platform-abstraction-layer)
62and ["General and test configuration options"](#section-general-and-test-configuration-options).
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]63
Ronald Cron2c152fd2024-09-27 10:30:59 +0200[diff] [blame]64Then, the ["Cryptographic mechanism selection (PSA API)"](#section-cryptographic-mechanism-selection-PSA-API)
65section is the equivalent of the pre-split `crypto_config.h` configuration file
66containing the PSA_WANT_ prefixed macros.
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]67
Ronald Cron2c152fd2024-09-27 10:30:59 +0200[diff] [blame]68The following section named
69["Cryptographic mechanism selection (extended API)"](#section-cryptographic-mechanism-selection-extended-API)
Ronald Cron8e1b4632024-09-02 16:21:44 +0200[diff] [blame]70contains the configuration options for the cryptography mechanisms that are not
71yet part of the PSA cryptography API (like LMS or PK).
72
Ronald Cron2c152fd2024-09-27 10:30:59 +0200[diff] [blame]73It is followed by the ["Data format support"](#section-data-format-support)
74section that contains configuration options of utilities related to various data
75formats (like Base64 or ASN.1 APIs). These utilities aim to facilitate the
76usage of the PSA cryptography API in other cryptography projects.
Ronald Cron8e1b4632024-09-02 16:21:44 +0200[diff] [blame]77
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]78Compared to Mbed TLS, the cryptography code in TF-PSA-Crypto is not located
79in a single directory but split between the PSA core (core directory) and the
80PSA builtin drivers (drivers/builtin/src directory). This is reflected in
Ronald Cron2c152fd2024-09-27 10:30:59 +0200[diff] [blame]81`tf_psa_crypto_config.h` with two sections respectively named ["PSA core"](#section-psa-core)
82and ["Builtin drivers"](#section-builtin-drivers).
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]83
Ronald Cron2c152fd2024-09-27 10:30:59 +0200[diff] [blame]84Finally, the last section named ["Legacy cryptography"](#section-legacy-cryptography)
85contains the configuration options that will eventually be removed as duplicates
86of PSA_WANT_\* and MBEDTLS_PSA_ACCEL_\* configuration options.
Ronald Cronad62dce2024-09-02 14:22:24 +0200[diff] [blame]87
Ronald Cronbe352632024-09-27 10:55:25 +0200[diff] [blame^]88## Sections in `mbedtls_config.h`
89
90The sections in `mbedtls_config.h` are reorganized to be better aligned with
91the ones in `tf_psa_crypto_config.h`. The main change is the reorganization
92of the "Mbed TLS modules" and "Module configuration options" sections into
93the ["TLS feature selection"](#section-tls-feature-selection) and
94["X.509 feature selection"](#section-x.509-feature-selection) sections. That
95way both configuration files do not have a section dedicated to non boolean
96configuration options. The non boolean configuration options are located in the
97same section as the boolean option they are associated to.
98
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]99
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]100## Repartition of the configuration options
101
Ronald Cron075c7422024-09-09 15:43:38 +0200[diff] [blame]102### In `tf_psa_crypto_config.h`, we have:
Ronald Cron2c152fd2024-09-27 10:30:59 +0200[diff] [blame]103#### SECTION Platform abstraction layer
Ronald Crona5a46d02024-09-10 09:40:59 +0200[diff] [blame]104```
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]105#define MBEDTLS_FS_IO
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]106#define MBEDTLS_HAVE_TIME
107#define MBEDTLS_HAVE_TIME_DATE
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]108//#define MBEDTLS_MEMORY_BACKTRACE
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]109//#define MBEDTLS_MEMORY_DEBUG
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]110#define MBEDTLS_PLATFORM_C
111//#define MBEDTLS_PLATFORM_EXIT_ALT
112//#define MBEDTLS_PLATFORM_FPRINTF_ALT
113//#define MBEDTLS_PLATFORM_GMTIME_R_ALT
114//#define MBEDTLS_PLATFORM_MEMORY
115//#define MBEDTLS_PLATFORM_MS_TIME_ALT
116//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
117//#define MBEDTLS_PLATFORM_NV_SEED_ALT
118//#define MBEDTLS_PLATFORM_PRINTF_ALT
119//#define MBEDTLS_PLATFORM_SETBUF_ALT
120//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
121//#define MBEDTLS_PLATFORM_SNPRINTF_ALT
122//#define MBEDTLS_PLATFORM_TIME_ALT
123//#define MBEDTLS_PLATFORM_VSNPRINTF_ALT
124//#define MBEDTLS_PLATFORM_ZEROIZE_ALT
Ronald Cron4f4a30c2024-09-02 15:00:54 +0200[diff] [blame]125//#define MBEDTLS_THREADING_ALT
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]126//#define MBEDTLS_THREADING_C
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]127//#define MBEDTLS_THREADING_PTHREAD
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]128
129//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]130//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]131//#define MBEDTLS_PLATFORM_EXIT_MACRO exit
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]132//#define MBEDTLS_PLATFORM_FREE_MACRO free
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]133//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]134//#define MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO int64_t
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]135//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read
136//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write
137//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf
138//#define MBEDTLS_PLATFORM_SETBUF_MACRO setbuf
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]139//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]140//#define MBEDTLS_PLATFORM_STD_CALLOC calloc
141//#define MBEDTLS_PLATFORM_STD_EXIT exit
142//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1
143//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0
144//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf
145//#define MBEDTLS_PLATFORM_STD_FREE free
146//#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h>
147//#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile"
148//#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read
149//#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write
150//#define MBEDTLS_PLATFORM_STD_PRINTF printf
151//#define MBEDTLS_PLATFORM_STD_SETBUF setbuf
152//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf
153//#define MBEDTLS_PLATFORM_STD_TIME time
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]154//#define MBEDTLS_PLATFORM_TIME_MACRO time
155//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t
156//#define MBEDTLS_PLATFORM_VSNPRINTF_MACRO vsnprintf
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]157//#define MBEDTLS_PRINTF_MS_TIME PRId64
Ronald Crona5a46d02024-09-10 09:40:59 +0200[diff] [blame]158```
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]159
Ronald Cron2c152fd2024-09-27 10:30:59 +0200[diff] [blame]160#### SECTION General and test configuration options
Ronald Crona5a46d02024-09-10 09:40:59 +0200[diff] [blame]161```
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]162//#define MBEDTLS_CHECK_RETURN_WARNING
163//#define MBEDTLS_DEPRECATED_REMOVED
164//#define MBEDTLS_DEPRECATED_WARNING
Ronald Cron717663b2024-09-02 15:30:10 +0200[diff] [blame]165#define MBEDTLS_SELF_TEST
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]166//#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
167//#define MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
168//#define MBEDTLS_TEST_HOOKS
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]169
Ronald Crone5d0f8c2024-09-02 15:43:10 +0200[diff] [blame]170//#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__))
171//#define MBEDTLS_IGNORE_RETURN( result ) ((void) !(result))
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]172//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"
173//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
Ronald Crona5a46d02024-09-10 09:40:59 +0200[diff] [blame]174```
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]175
Ronald Cron2c152fd2024-09-27 10:30:59 +0200[diff] [blame]176#### SECTION Cryptographic mechanism selection (PSA API)
Ronald Cron075c7422024-09-09 15:43:38 +0200[diff] [blame]177PSA_WANT_\* macros as in current `crypto_config.h`.
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]178
179
Ronald Cron2c152fd2024-09-27 10:30:59 +0200[diff] [blame]180#### SECTION Cryptographic mechanism selection (extended API)
Ronald Crona5a46d02024-09-10 09:40:59 +0200[diff] [blame]181```
Ronald Cron8e1b4632024-09-02 16:21:44 +0200[diff] [blame]182#define MBEDTLS_LMS_C
183//#define MBEDTLS_LMS_PRIVATE
184#define MBEDTLS_MD_C
185#define MBEDTLS_NIST_KW_C
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]186#define MBEDTLS_PKCS5_C
187#define MBEDTLS_PKCS12_C
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]188#define MBEDTLS_PK_C
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]189#define MBEDTLS_PK_PARSE_C
Ronald Cron8e1b4632024-09-02 16:21:44 +0200[diff] [blame]190#define MBEDTLS_PK_PARSE_EC_COMPRESSED
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]191#define MBEDTLS_PK_PARSE_EC_EXTENDED
Ronald Cron8e1b4632024-09-02 16:21:44 +0200[diff] [blame]192#define MBEDTLS_PK_RSA_ALT_SUPPORT
Ronald Cron8e1b4632024-09-02 16:21:44 +0200[diff] [blame]193#define MBEDTLS_PK_WRITE_C
Ronald Cron8e1b4632024-09-02 16:21:44 +0200[diff] [blame]194
Ronald Cron8e1b4632024-09-02 16:21:44 +0200[diff] [blame]195//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48
Ronald Cron8e1b4632024-09-02 16:21:44 +0200[diff] [blame]196//#define MBEDTLS_CTR_DRBG_MAX_INPUT 256
197//#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024
198//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]199//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000
Ronald Cron8e1b4632024-09-02 16:21:44 +0200[diff] [blame]200//#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256
201//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024
202//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]203//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000
204//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
Ronald Crona5a46d02024-09-10 09:40:59 +0200[diff] [blame]205```
Ronald Cron8e1b4632024-09-02 16:21:44 +0200[diff] [blame]206
207
Ronald Cron2c152fd2024-09-27 10:30:59 +0200[diff] [blame]208#### SECTION Data format support
Ronald Crona5a46d02024-09-10 09:40:59 +0200[diff] [blame]209```
Ronald Cron8e1b4632024-09-02 16:21:44 +0200[diff] [blame]210#define MBEDTLS_ASN1_PARSE_C
211#define MBEDTLS_ASN1_WRITE_C
212#define MBEDTLS_BASE64_C
213#define MBEDTLS_OID_C
214#define MBEDTLS_PEM_PARSE_C
215#define MBEDTLS_PEM_WRITE_C
Ronald Crona5a46d02024-09-10 09:40:59 +0200[diff] [blame]216```
Ronald Cron8e1b4632024-09-02 16:21:44 +0200[diff] [blame]217
218
Ronald Cron2c152fd2024-09-27 10:30:59 +0200[diff] [blame]219#### SECTION PSA core
Ronald Crona5a46d02024-09-10 09:40:59 +0200[diff] [blame]220```
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]221#define MBEDTLS_ENTROPY_C
222//#define MBEDTLS_ENTROPY_FORCE_SHA256
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]223//#define MBEDTLS_ENTROPY_HARDWARE_ALT
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]224//#define MBEDTLS_ENTROPY_NV_SEED
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]225//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
226//#define MBEDTLS_NO_PLATFORM_ENTROPY
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]227//#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
228//#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]229#define MBEDTLS_PSA_CRYPTO_C
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]230//#define MBEDTLS_PSA_CRYPTO_CLIENT
231//#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]232//#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]233//#define MBEDTLS_PSA_CRYPTO_SPM
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]234#define MBEDTLS_PSA_CRYPTO_STORAGE_C
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]235//#define MBEDTLS_PSA_INJECT_ENTROPY
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]236#define MBEDTLS_PSA_ITS_FILE_C
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]237
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]238//#define MBEDTLS_ENTROPY_MAX_GATHER 128
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]239//#define MBEDTLS_ENTROPY_MAX_SOURCES 20
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]240//#define MBEDTLS_ENTROPY_MIN_HARDWARE 32
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]241//#define MBEDTLS_PSA_CRYPTO_PLATFORM_FILE "psa/crypto_platform_alt.h"
242//#define MBEDTLS_PSA_CRYPTO_STRUCT_FILE "psa/crypto_struct_alt.h"
243//#define MBEDTLS_PSA_KEY_SLOT_COUNT 32
Ronald Crona5a46d02024-09-10 09:40:59 +0200[diff] [blame]244```
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]245
Ronald Cron2c152fd2024-09-27 10:30:59 +0200[diff] [blame]246#### SECTION Builtin drivers
Ronald Crona5a46d02024-09-10 09:40:59 +0200[diff] [blame]247```
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]248#define MBEDTLS_AESCE_C
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]249#define MBEDTLS_AESNI_C
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]250//#define MBEDTLS_AES_FEWER_TABLES
251//#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]252//#define MBEDTLS_AES_ROM_TABLES
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]253//#define MBEDTLS_AES_USE_HARDWARE_ONLY
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]254//#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]255//#define MBEDTLS_CAMELLIA_SMALL_MEMORY
256//#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
257#define MBEDTLS_ECP_NIST_OPTIM
Ronald Cron4f4a30c2024-09-02 15:00:54 +0200[diff] [blame]258//#define MBEDTLS_ECP_RESTARTABLE
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]259//#define MBEDTLS_ECP_WITH_MPI_UINT
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]260//#define MBEDTLS_GCM_LARGE_TABLE
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]261#define MBEDTLS_HAVE_ASM
262//#define MBEDTLS_HAVE_SSE2
263//#define MBEDTLS_NO_UDBL_DIVISION
264//#define MBEDTLS_NO_64BIT_MULTIPLICATION
265//#define MBEDTLS_PSA_P256M_DRIVER_ENABLED
266//#define MBEDTLS_RSA_NO_CRT
267//#define MBEDTLS_SHA256_SMALLER
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]268//#define MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]269//#define MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]270//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
271//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]272//#define MBEDTLS_SHA512_SMALLER
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]273//#define MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
274//#define MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]275
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]276//#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]277//#define MBEDTLS_ECP_WINDOW_SIZE 4
278//#define MBEDTLS_MPI_MAX_SIZE 1024
279//#define MBEDTLS_MPI_WINDOW_SIZE 2
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]280//#define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024
Ronald Crona5a46d02024-09-10 09:40:59 +0200[diff] [blame]281```
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]282
283
Ronald Cron2c152fd2024-09-27 10:30:59 +0200[diff] [blame]284#### SECTION Legacy cryptography
Ronald Crona5a46d02024-09-10 09:40:59 +0200[diff] [blame]285```
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]286#define MBEDTLS_AES_C
287#define MBEDTLS_ARIA_C
288#define MBEDTLS_BIGNUM_C
289#define MBEDTLS_CAMELLIA_C
290#define MBEDTLS_CCM_C
291#define MBEDTLS_CHACHA20_C
292#define MBEDTLS_CHACHAPOLY_C
Ronald Cron2589ee32024-09-09 16:22:56 +0200[diff] [blame]293#define MBEDTLS_CIPHER_C
Ronald Cronad62dce2024-09-02 14:22:24 +0200[diff] [blame]294#define MBEDTLS_CIPHER_MODE_CBC
295#define MBEDTLS_CIPHER_MODE_CFB
296#define MBEDTLS_CIPHER_MODE_CTR
297#define MBEDTLS_CIPHER_MODE_OFB
298#define MBEDTLS_CIPHER_MODE_XTS
Ronald Cronad62dce2024-09-02 14:22:24 +0200[diff] [blame]299#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]300#define MBEDTLS_CIPHER_PADDING_PKCS7
Ronald Cronad62dce2024-09-02 14:22:24 +0200[diff] [blame]301#define MBEDTLS_CIPHER_PADDING_ZEROS
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]302#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]303#define MBEDTLS_CMAC_C
Ronald Cron2589ee32024-09-09 16:22:56 +0200[diff] [blame]304#define MBEDTLS_CTR_DRBG_C
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]305//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
306#define MBEDTLS_DES_C
307#define MBEDTLS_DHM_C
308#define MBEDTLS_ECDH_C
309#define MBEDTLS_ECP_C
Ronald Cronad62dce2024-09-02 14:22:24 +0200[diff] [blame]310#define MBEDTLS_ECP_DP_BP256R1_ENABLED
311#define MBEDTLS_ECP_DP_BP384R1_ENABLED
312#define MBEDTLS_ECP_DP_BP512R1_ENABLED
313#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
314#define MBEDTLS_ECP_DP_CURVE448_ENABLED
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]315#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
316#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
317#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
318#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
319#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
320#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
321#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
322#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
Ronald Cronad62dce2024-09-02 14:22:24 +0200[diff] [blame]323#define MBEDTLS_ECDSA_C
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]324#define MBEDTLS_ECDSA_DETERMINISTIC
Ronald Cronad62dce2024-09-02 14:22:24 +0200[diff] [blame]325#define MBEDTLS_ECJPAKE_C
Ronald Cronad62dce2024-09-02 14:22:24 +0200[diff] [blame]326#define MBEDTLS_GCM_C
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]327#define MBEDTLS_GENPRIME
Ronald Cronad62dce2024-09-02 14:22:24 +0200[diff] [blame]328#define MBEDTLS_HKDF_C
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]329#define MBEDTLS_HMAC_DRBG_C
Ronald Cronad62dce2024-09-02 14:22:24 +0200[diff] [blame]330#define MBEDTLS_MD5_C
331#define MBEDTLS_PADLOCK_C
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]332#define MBEDTLS_PKCS1_V15
333#define MBEDTLS_PKCS1_V21
Ronald Cronad62dce2024-09-02 14:22:24 +0200[diff] [blame]334#define MBEDTLS_POLY1305_C
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]335//#define MBEDTLS_PSA_CRYPTO_CONFIG
Ronald Cronad62dce2024-09-02 14:22:24 +0200[diff] [blame]336//#define MBEDTLS_PSA_CRYPTO_SE_C
337#define MBEDTLS_RIPEMD160_C
338#define MBEDTLS_RSA_C
339#define MBEDTLS_SHA1_C
340#define MBEDTLS_SHA224_C
341#define MBEDTLS_SHA256_C
342#define MBEDTLS_SHA384_C
Ronald Cronad62dce2024-09-02 14:22:24 +0200[diff] [blame]343#define MBEDTLS_SHA3_C
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]344#define MBEDTLS_SHA512_C
Ronald Crona5a46d02024-09-10 09:40:59 +0200[diff] [blame]345```
Ronald Cronad62dce2024-09-02 14:22:24 +0200[diff] [blame]346
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]347
Ronald Cron075c7422024-09-09 15:43:38 +0200[diff] [blame]348### In `mbedtls_config.h`, we have:
Ronald Cron2c152fd2024-09-27 10:30:59 +0200[diff] [blame]349#### SECTION Platform abstraction layer
Ronald Crona5a46d02024-09-10 09:40:59 +0200[diff] [blame]350```
Ronald Cron34a40862024-09-02 15:33:45 +0200[diff] [blame]351#define MBEDTLS_NET_C
Ronald Cron2589ee32024-09-09 16:22:56 +0200[diff] [blame]352//#define MBEDTLS_TIMING_ALT
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]353#define MBEDTLS_TIMING_C
Ronald Crona5a46d02024-09-10 09:40:59 +0200[diff] [blame]354```
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]355
Ronald Cronbe352632024-09-27 10:55:25 +0200[diff] [blame^]356
Ronald Cronb992bc82024-09-27 10:45:13 +0200[diff] [blame]357#### SECTION General configuration options
358```
359//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h"
360//#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
361```
362
Ronald Cronbe352632024-09-27 10:55:25 +0200[diff] [blame^]363
364#### SECTION TLS feature selection
Ronald Cronb992bc82024-09-27 10:45:13 +0200[diff] [blame]365```
366#define MBEDTLS_DEBUG_C
367#define MBEDTLS_ERROR_C
Ronald Cronb992bc82024-09-27 10:45:13 +0200[diff] [blame]368#define MBEDTLS_SSL_CACHE_C
369#define MBEDTLS_SSL_CLI_C
370#define MBEDTLS_SSL_COOKIE_C
371#define MBEDTLS_SSL_SRV_C
372#define MBEDTLS_SSL_TICKET_C
373#define MBEDTLS_SSL_TLS_C
Ronald Cronb992bc82024-09-27 10:45:13 +0200[diff] [blame]374
Ronald Cronb992bc82024-09-27 10:45:13 +0200[diff] [blame]375//#define MBEDTLS_PSK_MAX_LEN 32
376//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50
377//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400
378//#define MBEDTLS_SSL_CID_IN_LEN_MAX 32
379//#define MBEDTLS_SSL_CID_OUT_LEN_MAX 32
380//#define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16
381//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
382//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60
383//#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768
384//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384
385//#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024
386//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384
387//#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1
388//#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000
389//#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32
Ronald Cronbe352632024-09-27 10:55:25 +0200[diff] [blame^]390```
391
392
393#### SECTION X.509 feature selection
394```
395#define MBEDTLS_PKCS7_C
396#define MBEDTLS_X509_CREATE_C
397#define MBEDTLS_X509_CRL_PARSE_C
398#define MBEDTLS_X509_CRT_PARSE_C
399#define MBEDTLS_X509_CRT_WRITE_C
400#define MBEDTLS_X509_CSR_PARSE_C
401#define MBEDTLS_X509_CSR_WRITE_C
402#define MBEDTLS_X509_USE_C
403
Ronald Cronb992bc82024-09-27 10:45:13 +0200[diff] [blame]404//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
405//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8
406```
407
Ronald Cron8793d9c2024-06-06 17:54:45 +0200[diff] [blame]408
Ronald Cron2c152fd2024-09-27 10:30:59 +0200[diff] [blame]409#### SECTION Mbed TLS feature support
Ronald Crona5a46d02024-09-10 09:40:59 +0200[diff] [blame]410```
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]411//#define MBEDTLS_CIPHER_NULL_CIPHER
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]412#define MBEDTLS_ERROR_STRERROR_DUMMY
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]413#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]414#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]415#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]416#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
417#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]418#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
419#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
420//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]421#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
422#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
423#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]424#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]425#define MBEDTLS_SSL_ALPN
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]426//#define MBEDTLS_SSL_ASYNC_PRIVATE
427#define MBEDTLS_SSL_CONTEXT_SERIALIZATION
428//#define MBEDTLS_SSL_DEBUG_ALL
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]429#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
430#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
431#define MBEDTLS_SSL_DTLS_CONNECTION_ID
432#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0
433#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
434//#define MBEDTLS_SSL_DTLS_SRTP
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]435//#define MBEDTLS_SSL_EARLY_DATA
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]436#define MBEDTLS_SSL_ENCRYPT_THEN_MAC
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]437#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
438#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]439#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]440#define MBEDTLS_SSL_PROTO_DTLS
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]441#define MBEDTLS_SSL_PROTO_TLS1_2
442#define MBEDTLS_SSL_PROTO_TLS1_3
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]443//#define MBEDTLS_SSL_RECORD_SIZE_LIMIT
444#define MBEDTLS_SSL_RENEGOTIATION
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]445#define MBEDTLS_SSL_SERVER_NAME_INDICATION
Ronald Cronf50ae422024-09-09 16:04:23 +0200[diff] [blame]446#define MBEDTLS_SSL_SESSION_TICKETS
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]447#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
448#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
449#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
450#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]451//#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
452//#define MBEDTLS_USE_PSA_CRYPTO
Ronald Crona25e9db2024-09-03 09:56:46 +0200[diff] [blame]453#define MBEDTLS_VERSION_C
454#define MBEDTLS_VERSION_FEATURES
Ronald Crona3f3fca2024-09-02 12:09:18 +0200[diff] [blame]455//#define MBEDTLS_X509_REMOVE_INFO
456#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
Ronald Cron294b5e02024-09-27 10:04:31 +0200[diff] [blame]457//#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
Ronald Crona5a46d02024-09-10 09:40:59 +0200[diff] [blame]458```