Building Mbed TLS with PSA cryptoprocessor drivers
==================================================

Commit 278e5eb by Gilles Peskine, 2020-07-13 11:28:20 +0200

**This is a specification of work in progress. The implementation is not yet merged into Mbed TLS.**

This document describes how to build Mbed TLS with additional cryptoprocessor drivers that follow the PSA cryptoprocessor driver interface.

The interface is not fully implemented in Mbed TLS yet and is disabled by default. You can enable the experimental work in progress by setting `MBEDTLS_PSA_CRYPTO_DRIVERS` in the compile-time configuration. Please note that the interface may still change: until further notice, we do not guarantee backward compatibility with existing driver code when `MBEDTLS_PSA_CRYPTO_DRIVERS` is enabled.

## Introduction

The PSA cryptography driver interface provides a way to build Mbed TLS with additional code that implements certain cryptographic primitives. This is primarily intended to support platform-specific hardware.

Note that such drivers are only available through the PSA cryptography API (crypto functions beginning with `psa_`, and X.509 and TLS interfaces that reference PSA types).

Concretely speaking, a driver consists of one or more **driver description files** in JSON format and some code to include in the build. The driver code can be provided either in binary form, as an additional object file to link, or in source form.

## How to build Mbed TLS with drivers

To build Mbed TLS with drivers:

1. Activate `MBEDTLS_PSA_CRYPTO_DRIVERS` in the library configuration.

```
cd /path/to/mbedtls
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
```

2. Pass the driver description files through the Make variable `PSA_DRIVERS` when building the library.

```
cd /path/to/mbedtls
make PSA_DRIVERS="/path/to/acme/driver.json /path/to/nadir/driver.json" lib
```

3. Link your application with the implementation of the driver functions.

```
cd /path/to/application
ld myapp.o -L/path/to/acme -lacmedriver -L/path/to/nadir -lnadirdriver -L/path/to/mbedtls -lmbedcrypto
```

<!-- TODO: what if the driver is provided as C source code? -->

<!-- TODO: what about additional include files? -->
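
As an added example (not code from the Mbed TLS project), a small POSIX shell helper that wraps steps 1 to 3 and fails early when a driver description file is missing or is not a JSON object. The `drivers.sha256` manifest, `myapp.o` and the `/path/to/...` locations are placeholders and assumptions added here; the SHA-256 pinning is included because the description files decide which operations Mbed TLS hands to external driver code, so they deserve the same review as the driver binaries.

```shell
#!/bin/sh
# Hypothetical helper script, not part of Mbed TLS: wraps the three build
# steps from the guide and refuses to build on a missing or malformed
# driver description. Assumes (not stated on the page) that description
# files are JSON objects and that drivers.sha256 pins their checksums.
set -u

# Return 0 if every argument is a readable file whose first non-blank
# character is "{" (a JSON object); otherwise name the offender and return 1.
check_driver_descriptions() {
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "driver description not readable: $f" >&2
            return 1
        fi
        first=$(tr -d ' \t\r\n' < "$f" | cut -c1)
        if [ "$first" != "{" ]; then
            echo "driver description is not a JSON object: $f" >&2
            return 1
        fi
    done
    return 0
}

# Verify pinned SHA-256 sums (sha256sum -c format) of the description files
# and driver libraries before handing them to the build.
verify_driver_manifest() {
    [ -r "$1" ] || { echo "manifest not readable: $1" >&2; return 1; }
    sha256sum -c "$1" >/dev/null
}

# Steps 1 and 2: enable MBEDTLS_PSA_CRYPTO_DRIVERS, then build the library
# with the description files passed through the PSA_DRIVERS Make variable.
build_mbedtls_with_drivers() {
    mbedtls_dir=$1; shift
    check_driver_descriptions "$@" || return 1
    (cd "$mbedtls_dir" && scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS) || return 1
    (cd "$mbedtls_dir" && make PSA_DRIVERS="$*" lib)
}

# Step 3: link the application against the driver libraries and libmbedcrypto.
# Guarded by RUN_BUILD=1 so the functions above can be sourced without building.
if [ "${RUN_BUILD:-0}" = 1 ]; then
    verify_driver_manifest drivers.sha256 || exit 1
    build_mbedtls_with_drivers /path/to/mbedtls \
        /path/to/acme/driver.json /path/to/nadir/driver.json || exit 1
    cc -o myapp myapp.o -L/path/to/acme -lacmedriver -L/path/to/nadir -lnadirdriver \
        -L/path/to/mbedtls -lmbedcrypto
fi
```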