| Ronald Cron | 9228e4a | 2025-10-05 16:25:43 +0200 | [diff] [blame] | 1 | ## CMake as the only build system |
| Ronald Cron | a5e1b6d | 2025-10-08 09:10:54 +0200 | [diff] [blame] | 2 | Mbed TLS now uses CMake exclusively to configure and drive its build process. |
| 3 | Support for the GNU Make and Microsoft Visual Studio project-based build systems has been removed. |
| Ronald Cron | 9228e4a | 2025-10-05 16:25:43 +0200 | [diff] [blame] | 4 | |
| Ronald Cron | a5e1b6d | 2025-10-08 09:10:54 +0200 | [diff] [blame] | 5 | The previous `.sln` and `.vcxproj` files are no longer distributed or generated. |
| Ronald Cron | 9228e4a | 2025-10-05 16:25:43 +0200 | [diff] [blame] | 6 | |
| Ronald Cron | a5e1b6d | 2025-10-08 09:10:54 +0200 | [diff] [blame] | 7 | See the `Compiling` section in README.md for instructions on building the Mbed TLS libraries and tests with CMake. |
| Ronald Cron | 9228e4a | 2025-10-05 16:25:43 +0200 | [diff] [blame] | 8 | If you develop in Microsoft Visual Studio, you could either generate a Visual Studio solution using a CMake generator, or open the CMake project directly in Visual Studio. |
| 9 | |
| 10 | ## Repository split |
| 11 | In Mbed TLS 4.0, the project was split into two repositories: |
| 12 | - [Mbed TLS](https://github.com/Mbed-TLS/mbedtls): provides TLS and X.509 functionality. |
| 13 | - [TF-PSA-Crypto](https://github.com/Mbed-TLS/TF-PSA-Crypto): provides the standalone cryptography library, implementing the PSA Cryptography API. |
| 14 | Mbed TLS consumes TF-PSA-Crypto as a submodule. |
| Ronald Cron | c764624 | 2025-10-08 09:59:01 +0200 | [diff] [blame^] | 15 | You should stay with Mbed TLS if you use TLS or X.509 functionality. You still have direct access to the cryptography library. |
| Ronald Cron | 9228e4a | 2025-10-05 16:25:43 +0200 | [diff] [blame] | 16 | |
| 17 | ### File and directory relocations |
| 18 | |
| 19 | The following table summarizes the file and directory relocations resulting from the repository split between Mbed TLS and TF-PSA-Crypto. |
| 20 | These changes reflect the move of cryptographic, cryptographic-adjacent, and platform components from Mbed TLS into the new TF-PSA-Crypto repository. |
| 21 | |
| 22 | | Original location | New location(s) | Notes | |
| 23 | |--------------------------------------|--------------------------------------------------------------------------------------|-------| |
| 24 | | `library/` | `tf-psa-crypto/core/`<br>`tf-psa-crypto/drivers/builtin/src/` | Contains cryptographic, cryptographic-adjacent (e.g., ASN.1, Base64), and platform C modules and headers. | |
| 25 | | `include/mbedtls/` | `tf-psa-crypto/include/mbedtls/`<br>`tf-psa-crypto/drivers/builtin/include/private/` | Public headers moved to `include/mbedtls`; now internal headers moved to `include/private`. | |
| 26 | | `include/psa/` | `tf-psa-crypto/include/` | All PSA headers consolidated here. | |
| 27 | | `3rdparty/everest/`<br>`3rdparty/p256-m/` | `tf-psa-crypto/drivers/` | Third-party crypto driver implementations. | |
| 28 | |
| 29 | If you use your own build system to build Mbed TLS libraries, you will need to adapt to the new tree. |
| 30 | |
| 31 | ### Configuration file split |
| 32 | Cryptography and platform configuration options have been moved from `mbedtls_config.h` to `crypto_config.h`, which is now mandatory. See [Compile-time configuration](#compile-time-confiuration). |
| 33 | |
| 34 | ### Impact on some usages of the library |
| 35 | |
| 36 | #### Checking out a branch or a tag |
| 37 | After checking out a branch or tag of the Mbed TLS repository, you must now recursively update the submodules, as TF-PSA-Crypto contains itself a nested submodule: |
| 38 | ``` |
| 39 | git submodule update --init --recursive |
| 40 | ``` |
| 41 | |
| 42 | #### Linking directly to a built library |
| 43 | The Mbed TLS CMake build system still provides the cryptography libraries under their legacy name, `libmbedcrypto.<ext>`, so you can continue linking against them. |
| 44 | The cryptography libraries are also now provided as `libtfpsacrypto.<ext>` like in the TF-PSA-Crypto repository. |
| 45 | |
| 46 | #### Linking through a CMake target of the cryptography library |
| 47 | The base name of the CMake cryptography library target has been changed from `mbedcrypto` to `tfpsacrypto`. |
| 48 | If no target prefix is specified through the MBEDTLS_TARGET_PREFIX option, the associated CMake target is thus now `tfpsacrypto`. |
| 49 | |
| 50 | The same renaming applies to the cryptography library targets declared as part of the Mbed TLS CMake package. |
| 51 | When no global target prefix is defined, use `MbedTLS::tfpsacrypto` instead of `MbedTLS::mbedcrypto`. |
| 52 | |
| 53 | As an example, the following CMake code: |
| 54 | ``` |
| 55 | find_package(MbedTLS REQUIRED) |
| 56 | target_link_libraries(myapp PRIVATE MbedTLS::mbedtls MbedTLS::mbedx509 MbedTLS::mbedcrypto) |
| 57 | |
| 58 | ``` |
| 59 | would be updated to something like |
| 60 | ``` |
| 61 | find_package(MbedTLS REQUIRED) |
| 62 | target_link_libraries(myapp PRIVATE MbedTLS::mbedtls MbedTLS::mbedx509 MbedTLS::tfpsacrypto) |
| 63 | ``` |
| 64 | |
| 65 | For more information, see the CMake section of `README.md`. |
| 66 | You can also refer to the following example programs demonstrating how to consume Mbed TLS via CMake: |
| 67 | * `programs/test/cmake_subproject` |
| 68 | * `programs/test/cmake_package` |
| 69 | * `programs/test/cmake_package_install`. |
| 70 | |
| 71 | #### Using Mbed TLS Crypto pkg-config file |
| 72 | The Mbed TLS CMake build system still provides the pkg-config file mbedcrypto.pc, so you can continue using it. Internally, it now references the `tfpsacrypto` library. |
| Ronald Cron | c764624 | 2025-10-08 09:59:01 +0200 | [diff] [blame^] | 73 | A new pkg-config file, `tfpsacrypto.pc`, is also provided. |
| Ronald Cron | 9228e4a | 2025-10-05 16:25:43 +0200 | [diff] [blame] | 74 | Both `mbedcrypto.pc` and `tfpsacrypto.pc` are functionally equivalent, providing the same compiler and linker flags. |
| 75 | |
| 76 | ### Audience-Specific Notes |
| 77 | |
| 78 | #### Application Developers using a distribution package |
| Ronald Cron | 9228e4a | 2025-10-05 16:25:43 +0200 | [diff] [blame] | 79 | - See [Impact on usages of the library](#impact-on-some-usages-of-the-library) for the possible impacts on: |
| 80 | - Linking against the cryptography library or CMake targets. |
| 81 | - Use the updated `pkg-config` files (`mbedcrypto.pc` / `tfpsacrypto.pc`). |
| 82 | |
| 83 | ### Developer or package maintainers |
| 84 | If you build or distribute Mbed TLS: |
| 85 | - The build system is now CMake only, Makefiles and Visual Studio projects are removed. |
| 86 | - You may need to adapt packaging scripts to handle the TF-PSA-Crypto submodule. |
| 87 | - You should update submodules recursively after checkout. |
| 88 | - Review [File and directory relocations](#file-and-directory-relocations) for updated paths. |
| 89 | - See [Impact on usages of the library](#impact-on-some-usages-of-the-library) for the possible impacts on: |
| 90 | - Linking against the cryptography library or CMake targets. |
| 91 | - Use the updated `pkg-config` files (`mbedcrypto.pc` / `tfpsacrypto.pc`). |
| 92 | - Configuration note: cryptography and platform options are now in `crypto_config.h` (see [Configuration file split](#configuration-file-split)). |
| 93 | |
| 94 | ### Platform Integrators |
| 95 | If you integrate Mbed TLS with a platform or hardware drivers: |
| 96 | - TF-PSA-Crypto is now a submodule, update integration scripts to initialize submodules recursively. |
| 97 | - The PSA driver wrapper is now generated in TF-PSA-Crypto. |
| 98 | - Platform-specific configuration are now handled in `crypto_config.h`. |
| 99 | - See [Repository split](#repository-split) for how platform components moved to TF-PSA-Crypto. |