| Manuel Pégourié-Gonnard | 6d5f494 | 2023-07-07 12:00:49 +0200 | [diff] [blame] | 1 | This document explains how to create builds of Mbed TLS where some | 
|  | 2 | cryptographic mechanisms are provided only by PSA drivers (that is, no | 
|  | 3 | built-in implementation of those algorithms), from a user's perspective. | 
|  | 4 |  | 
|  | 5 | This is useful to save code size for people who are using either a hardware | 
| Manuel Pégourié-Gonnard | 030f11b | 2023-09-23 09:02:42 +0200 | [diff] [blame] | 6 | accelerator, or an alternative software implementation that is more | 
| Manuel Pégourié-Gonnard | 6d5f494 | 2023-07-07 12:00:49 +0200 | [diff] [blame] | 7 | aggressively optimized for code size than the default one in Mbed TLS. | 
|  | 8 |  | 
|  | 9 | General considerations | 
|  | 10 | ---------------------- | 
|  | 11 |  | 
|  | 12 | This document assumes that you already have a working driver. | 
|  | 13 | Otherwise, please see the [PSA driver example and | 
|  | 14 | guide](psa-driver-example-and-guide.md) for information on writing a | 
|  | 15 | driver. | 
|  | 16 |  | 
|  | 17 | In order to have some mechanism provided only by a driver, you'll want | 
|  | 18 | the following compile-time configuration options enabled: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 19 |  | 
| Manuel Pégourié-Gonnard | 6d5f494 | 2023-07-07 12:00:49 +0200 | [diff] [blame] | 20 | - `MBEDTLS_PSA_CRYPTO_C` (enabled by default) - this enables PSA Crypto. | 
|  | 21 | - `MBEDTLS_USE_PSA_CRYPTO` (disabled by default) - this makes PK, X.509 and | 
|  | 22 | TLS use PSA Crypto. You need to enable this if you're using PK, X.509 or TLS | 
|  | 23 | and want them to have access to the algorithms provided by your driver. (See | 
|  | 24 | [the dedicated document](use-psa-crypto.md) for details.) | 
|  | 25 | - `MBEDTLS_PSA_CRYPTO_CONFIG` (disabled by default) - this enables | 
|  | 26 | configuration of cryptographic algorithms using `PSA_WANT` macros in | 
|  | 27 | `include/psa/crypto_config.h`. See [Conditional inclusion of cryptographic | 
|  | 28 | mechanism through the PSA API in Mbed | 
|  | 29 | TLS](proposed/psa-conditional-inclusion-c.md) for details. | 
|  | 30 |  | 
|  | 31 | In addition, for each mechanism you want provided only by your driver: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 32 |  | 
| Manuel Pégourié-Gonnard | 6d5f494 | 2023-07-07 12:00:49 +0200 | [diff] [blame] | 33 | - Define the corresponding `PSA_WANT` macro in `psa/crypto_config.h` - this | 
|  | 34 | means the algorithm will be available in the PSA Crypto API. | 
| Manuel Pégourié-Gonnard | fb22c27 | 2023-07-18 10:40:56 +0200 | [diff] [blame] | 35 | - Define the corresponding `MBEDTLS_PSA_ACCEL` in your build. This could be | 
|  | 36 | defined in `psa/crypto_config.h` or your compiler's command line. This | 
|  | 37 | informs the PSA code that an accelerator is available for this mechanism. | 
| Manuel Pégourié-Gonnard | 6d5f494 | 2023-07-07 12:00:49 +0200 | [diff] [blame] | 38 | - Undefine / comment out the corresponding `MBEDTLS_xxx_C` macro in | 
|  | 39 | `mbedtls/mbedtls_config.h`. This ensures the built-in implementation is not | 
|  | 40 | included in the build. | 
|  | 41 |  | 
|  | 42 | For example, if you want SHA-256 to be provided only by a driver, you'll want | 
|  | 43 | `PSA_WANT_ALG_SHA_256` and `MBEDTLS_PSA_ACCEL_SHA_256` defined, and | 
|  | 44 | `MBEDTLS_SHA256_C` undefined. | 
|  | 45 |  | 
|  | 46 | In addition to these compile-time considerations, at runtime you'll need to | 
|  | 47 | make sure you call `psa_crypto_init()` before any function that uses the | 
| Manuel Pégourié-Gonnard | fb22c27 | 2023-07-18 10:40:56 +0200 | [diff] [blame] | 48 | driver-only mechanisms. Note that this is already a requirement for any use of | 
|  | 49 | the PSA Crypto API, as well as for use of the PK, X.509 and TLS modules when | 
|  | 50 | `MBEDTLS_USE_PSA_CRYPTO` is enabled, so in most cases your application will | 
|  | 51 | already be doing this. | 
| Manuel Pégourié-Gonnard | 6d5f494 | 2023-07-07 12:00:49 +0200 | [diff] [blame] | 52 |  | 
|  | 53 | Mechanisms covered | 
|  | 54 | ------------------ | 
|  | 55 |  | 
| Manuel Pégourié-Gonnard | c977751 | 2023-07-11 11:11:20 +0200 | [diff] [blame] | 56 | For now, only the following (families of) mechanisms are supported: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 57 |  | 
| Manuel Pégourié-Gonnard | 6d5f494 | 2023-07-07 12:00:49 +0200 | [diff] [blame] | 58 | - hashes: SHA-3, SHA-2, SHA-1, MD5, etc. | 
|  | 59 | - elliptic-curve cryptography (ECC): ECDH, ECDSA, EC J-PAKE, ECC key types. | 
| Manuel Pégourié-Gonnard | c977751 | 2023-07-11 11:11:20 +0200 | [diff] [blame] | 60 | - finite-field Diffie-Hellman: FFDH algorithm, DH key types. | 
| Manuel Pégourié-Gonnard | c1cea63 | 2024-01-08 11:02:26 +0100 | [diff] [blame] | 61 | - RSA: PKCS#1 v1.5 and v2.1 signature and encryption algorithms, RSA key types | 
|  | 62 | (for now, only crypto, no X.509 or TLS support). | 
| Valerio Setti | 7e11dd6 | 2023-12-18 15:52:44 +0100 | [diff] [blame] | 63 | - AEADs: | 
|  | 64 | - GCM and CCM with AES, ARIA and Camellia key types | 
|  | 65 | - ChachaPoly with ChaCha20 Key type | 
| Valerio Setti | 92e5c69 | 2023-12-28 13:28:03 +0100 | [diff] [blame] | 66 | - Unauthenticated ciphers: | 
| Valerio Setti | 7e11dd6 | 2023-12-18 15:52:44 +0100 | [diff] [blame] | 67 | - key types: AES, ARIA, Camellia, DES | 
|  | 68 | - modes: ECB, CBC, CTR, CFB, OFB, XTS | 
| Manuel Pégourié-Gonnard | 6d5f494 | 2023-07-07 12:00:49 +0200 | [diff] [blame] | 69 |  | 
| Valerio Setti | 92e5c69 | 2023-12-28 13:28:03 +0100 | [diff] [blame] | 70 | For each family listed above, all the mentioned alorithms/key types are also | 
|  | 71 | all the mechanisms that exist in PSA API. | 
|  | 72 |  | 
| Manuel Pégourié-Gonnard | 6d5f494 | 2023-07-07 12:00:49 +0200 | [diff] [blame] | 73 | Supported means that when those are provided only by drivers, everything | 
|  | 74 | (including PK, X.509 and TLS if `MBEDTLS_USE_PSA_CRYPTO` is enabled) should | 
|  | 75 | work in the same way as if the mechanisms where built-in, except as documented | 
|  | 76 | in the "Limitations" sub-sections of the sections dedicated to each family | 
|  | 77 | below. | 
|  | 78 |  | 
| Manuel Pégourié-Gonnard | 6d5f494 | 2023-07-07 12:00:49 +0200 | [diff] [blame] | 79 | Hashes | 
|  | 80 | ------ | 
|  | 81 |  | 
| Manuel Pégourié-Gonnard | 030f11b | 2023-09-23 09:02:42 +0200 | [diff] [blame] | 82 | It is possible to have all hash operations provided only by a driver. | 
| Manuel Pégourié-Gonnard | 1f61b7b | 2023-09-22 10:15:22 +0200 | [diff] [blame] | 83 |  | 
|  | 84 | More precisely: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 85 |  | 
| Manuel Pégourié-Gonnard | 1f61b7b | 2023-09-22 10:15:22 +0200 | [diff] [blame] | 86 | - you can enable `PSA_WANT_ALG_SHA_256` without `MBEDTLS_SHA256_C`, provided | 
|  | 87 | you have `MBEDTLS_PSA_ACCEL_ALG_SHA_256` enabled; | 
|  | 88 | - and similarly for all supported hash algorithms: `MD5`, `RIPEMD160`, | 
|  | 89 | `SHA_1`, `SHA_224`, `SHA_256`, `SHA_384`, `SHA_512`, `SHA3_224`, `SHA3_256`, | 
|  | 90 | `SHA3_384`, `SHA3_512`. | 
|  | 91 |  | 
|  | 92 | In such a build, all crypto operations (via the PSA Crypto API, or non-PSA | 
|  | 93 | APIs), as well as X.509 and TLS, will work as usual, except that direct calls | 
|  | 94 | to low-level hash APIs (`mbedtls_sha256()` etc.) are not possible for the | 
|  | 95 | modules that are disabled. | 
|  | 96 |  | 
| Manuel Pégourié-Gonnard | 030f11b | 2023-09-23 09:02:42 +0200 | [diff] [blame] | 97 | You need to call `psa_crypto_init()` before any crypto operation that uses | 
|  | 98 | a hash algorithm that is provided only by a driver, as mentioned in [General | 
| Manuel Pégourié-Gonnard | 1f61b7b | 2023-09-22 10:15:22 +0200 | [diff] [blame] | 99 | considerations](#general-considerations) above. | 
|  | 100 |  | 
|  | 101 | If you want to check at compile-time whether a certain hash algorithm is | 
|  | 102 | available in the present build of Mbed TLS, regardless of whether it's | 
|  | 103 | provided by a driver or built-in, you should use the following macros: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 104 |  | 
| Manuel Pégourié-Gonnard | 1f61b7b | 2023-09-22 10:15:22 +0200 | [diff] [blame] | 105 | - for code that uses only the PSA Crypto API: `PSA_WANT_ALG_xxx` from | 
|  | 106 | `psa/crypto.h`; | 
| Manuel Pégourié-Gonnard | 030f11b | 2023-09-23 09:02:42 +0200 | [diff] [blame] | 107 | - for code that uses non-PSA crypto APIs: `MBEDTLS_MD_CAN_xxx` from | 
| Valerio Setti | 9f52105 | 2024-01-24 15:44:24 +0100 | [diff] [blame] | 108 | `mbedtls/config_adjust_legacy_crypto.h`. | 
|  | 109 |  | 
|  | 110 | ### HMAC | 
|  | 111 |  | 
|  | 112 | In addition to accelerated hash operations, it is also possible to accelerate | 
|  | 113 | HMAC by enabling and accelerating: | 
|  | 114 | - HMAC algorithm and key type, i.e. `[PSA_WANT|MBEDTLS_PSA_ACCEL]_ALG_HMAC` and | 
|  | 115 | `[PSA_WANT|MBEDTLS_PSA_ACCEL]KEY_TYPE_HMAC`. | 
|  | 116 | - Required hash algorithm(s) as explained in [Hashes](#hashes) section. | 
|  | 117 |  | 
|  | 118 | In such a build it is possible to disable legacy HMAC support by disabling | 
|  | 119 | `MBEDTLS_MD_C` and still getting crypto operations, X.509 and TLS to work as | 
|  | 120 | usual. Exceptions are: | 
| Valerio Setti | 18be2fb | 2024-01-26 15:07:02 +0100 | [diff] [blame] | 121 | - As mentioned in [Hashes](#hashes) direct calls to legacy lo-level hash APIs | 
|  | 122 | (`mbedtls_sha256()` etc.) will not be possible for the legacy modules that | 
|  | 123 | are disabled. | 
| Valerio Setti | 9f52105 | 2024-01-24 15:44:24 +0100 | [diff] [blame] | 124 | - Legacy HMAC support (`mbedtls_md_hmac_xxx()`) won't be possible. | 
|  | 125 | - `MBEDTLS_PKCS[5|7]_C`, `MBEDTLS_HMAC_DRBG_C` and `MBEDTLS_HKDF_C` since they | 
|  | 126 | depend on the legacy implementation of HMAC. | 
|  | 127 | - disabling HMAC_DRBG_C cause deterministic ECDSA (i.e. | 
|  | 128 | `MBEDTLS_DETERMINISTIC_ECDSA` on the legacy side and | 
|  | 129 | `PSA_WANT_ALG_DETERMINISTIC_ECDSA` on the PSA one) to be not available. | 
| Manuel Pégourié-Gonnard | 6d5f494 | 2023-07-07 12:00:49 +0200 | [diff] [blame] | 130 |  | 
|  | 131 | Elliptic-curve cryptography (ECC) | 
|  | 132 | --------------------------------- | 
|  | 133 |  | 
| Manuel Pégourié-Gonnard | 7a82e27 | 2023-07-07 16:43:56 +0200 | [diff] [blame] | 134 | It is possible to have most ECC operations provided only by a driver: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 135 |  | 
| Manuel Pégourié-Gonnard | 7a82e27 | 2023-07-07 16:43:56 +0200 | [diff] [blame] | 136 | - the ECDH, ECDSA and EC J-PAKE algorithms; | 
|  | 137 | - key import, export, and random generation. | 
|  | 138 |  | 
| Manuel Pégourié-Gonnard | 89ae266 | 2023-09-22 13:05:25 +0200 | [diff] [blame] | 139 | More precisely, if: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 140 |  | 
| Manuel Pégourié-Gonnard | 89ae266 | 2023-09-22 13:05:25 +0200 | [diff] [blame] | 141 | - you have driver support for ECC public and using private keys (that is, | 
|  | 142 | `MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY` and | 
|  | 143 | `MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC` are enabled), and | 
|  | 144 | - you have driver support for all ECC curves that are enabled (that is, for | 
|  | 145 | each `PSA_WANT_ECC_xxx` macro enabled, the corresponding | 
|  | 146 | `MBEDTLS_PSA_ACCEL_ECC_xxx` macros is enabled as well); | 
| Manuel Pégourié-Gonnard | 8c40f3d | 2023-09-28 11:06:09 +0200 | [diff] [blame] | 147 |  | 
| Manuel Pégourié-Gonnard | 89ae266 | 2023-09-22 13:05:25 +0200 | [diff] [blame] | 148 | then you can: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 149 |  | 
| Manuel Pégourié-Gonnard | 89ae266 | 2023-09-22 13:05:25 +0200 | [diff] [blame] | 150 | - enable `PSA_WANT_ALG_ECDH` without `MBEDTLS_ECDH_C`, provided | 
|  | 151 | `MBEDTLS_PSA_ACCEL_ALG_ECDH` is enabled | 
|  | 152 | - enable `PSA_WANT_ALG_ECDSA` without `MBEDTLS_ECDSA_C`, provided | 
| Manuel Pégourié-Gonnard | 7a82e27 | 2023-07-07 16:43:56 +0200 | [diff] [blame] | 153 | `MBEDTLS_PSA_ACCEL_ALG_ECDSA` is enabled; | 
| Manuel Pégourié-Gonnard | 89ae266 | 2023-09-22 13:05:25 +0200 | [diff] [blame] | 154 | - enable `PSA_WANT_ALG_JPAKE` without `MBEDTLS_ECJPAKE_C`, provided | 
| Manuel Pégourié-Gonnard | 7a82e27 | 2023-07-07 16:43:56 +0200 | [diff] [blame] | 155 | `MBEDTLS_PSA_ACCEL_ALG_JPAKE` is enabled. | 
|  | 156 |  | 
| Manuel Pégourié-Gonnard | 89ae266 | 2023-09-22 13:05:25 +0200 | [diff] [blame] | 157 | In addition, if: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 158 |  | 
| Manuel Pégourié-Gonnard | 89ae266 | 2023-09-22 13:05:25 +0200 | [diff] [blame] | 159 | - none of `MBEDTLS_ECDH_C`, `MBEDTLS_ECDSA_C`, `MBEDTLS_ECJPAKE_C` are enabled | 
|  | 160 | (see conditions above), and | 
|  | 161 | - you have driver support for all enabled ECC key pair operations - that is, | 
|  | 162 | for each `PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_xxx` macro enabled, the | 
|  | 163 | corresponding `MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_xxx` macros is also | 
|  | 164 | enabled, | 
| Manuel Pégourié-Gonnard | 8c40f3d | 2023-09-28 11:06:09 +0200 | [diff] [blame] | 165 |  | 
| Manuel Pégourié-Gonnard | 89ae266 | 2023-09-22 13:05:25 +0200 | [diff] [blame] | 166 | then you can also disable `MBEDTLS_ECP_C`. However, a small subset of it might | 
|  | 167 | still be included in the build, see limitations sub-section below. | 
| Manuel Pégourié-Gonnard | 7a82e27 | 2023-07-07 16:43:56 +0200 | [diff] [blame] | 168 |  | 
| Manuel Pégourié-Gonnard | 89ae266 | 2023-09-22 13:05:25 +0200 | [diff] [blame] | 169 | In addition, if: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 170 |  | 
| Manuel Pégourié-Gonnard | c1cea63 | 2024-01-08 11:02:26 +0100 | [diff] [blame] | 171 | - `MBEDTLS_ECP_C` is fully removed (see limitation sub-section below), | 
|  | 172 | - and support for RSA key types and algorithms is either fully disabled or | 
|  | 173 | fully provided by a driver, | 
|  | 174 | - and support for DH key types and the FFDH algorithm is either disabled or | 
| Manuel Pégourié-Gonnard | 89ae266 | 2023-09-22 13:05:25 +0200 | [diff] [blame] | 175 | fully provided by a driver, | 
| Manuel Pégourié-Gonnard | 8c40f3d | 2023-09-28 11:06:09 +0200 | [diff] [blame] | 176 |  | 
| Manuel Pégourié-Gonnard | 89ae266 | 2023-09-22 13:05:25 +0200 | [diff] [blame] | 177 | then you can also disable `MBEDTLS_BIGNUM_C`. | 
| Manuel Pégourié-Gonnard | 7a82e27 | 2023-07-07 16:43:56 +0200 | [diff] [blame] | 178 |  | 
| Manuel Pégourié-Gonnard | 89ae266 | 2023-09-22 13:05:25 +0200 | [diff] [blame] | 179 | In such builds, all crypto operations via the PSA Crypto API will work as | 
|  | 180 | usual, as well as the PK, X.509 and TLS modules if `MBEDTLS_USE_PSA_CRYPTO` is | 
|  | 181 | enabled, with the following exceptions: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 182 |  | 
| Manuel Pégourié-Gonnard | 89ae266 | 2023-09-22 13:05:25 +0200 | [diff] [blame] | 183 | - direct calls to APIs from the disabled modules are not possible; | 
|  | 184 | - PK, X.509 and TLS will not support restartable ECC operations (see | 
|  | 185 | limitation sub-section below). | 
|  | 186 |  | 
|  | 187 | If you want to check at compile-time whether a certain curve is available in | 
|  | 188 | the present build of Mbed TLS, regardless of whether ECC is provided by a | 
|  | 189 | driver or built-in, you should use the following macros: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 190 |  | 
| Manuel Pégourié-Gonnard | 89ae266 | 2023-09-22 13:05:25 +0200 | [diff] [blame] | 191 | - for code that uses only the PSA Crypto API: `PSA_WANT_ECC_xxx` from | 
|  | 192 | `psa/crypto.h`; | 
|  | 193 | - for code that may also use non-PSA crypto APIs: `MBEDTLS_ECP_HAVE_xxx` from | 
|  | 194 | `mbedtls/build_info.h` where xxx can take the same values as for | 
|  | 195 | `MBEDTLS_ECP_DP_xxx` macros. | 
| Valerio Setti | d31b284 | 2023-08-15 10:59:58 +0200 | [diff] [blame] | 196 |  | 
| Manuel Pégourié-Gonnard | 140c08e | 2023-09-28 11:02:37 +0200 | [diff] [blame] | 197 | Note that for externally-provided drivers, the integrator is responsible for | 
|  | 198 | ensuring the appropriate `MBEDTLS_PSA_ACCEL_xxx` macros are defined. However, | 
|  | 199 | for the p256-m driver that's provided with the library, those macros are | 
|  | 200 | automatically defined when enabling `MBEDTLS_PSA_P256M_DRIVER_ENABLED`. | 
|  | 201 |  | 
| Manuel Pégourié-Gonnard | 7a82e27 | 2023-07-07 16:43:56 +0200 | [diff] [blame] | 202 | ### Limitations regarding fully removing `ecp.c` | 
|  | 203 |  | 
|  | 204 | A limited subset of `ecp.c` will still be automatically re-enabled if any of | 
|  | 205 | the following is enabled: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 206 |  | 
| Manuel Pégourié-Gonnard | 7a82e27 | 2023-07-07 16:43:56 +0200 | [diff] [blame] | 207 | - `MBEDTLS_PK_PARSE_EC_COMPRESSED` - support for parsing ECC keys where the | 
|  | 208 | public part is in compressed format; | 
|  | 209 | - `MBEDTLS_PK_PARSE_EC_EXTENDED` - support for parsing ECC keys where the | 
|  | 210 | curve is identified not by name, but by explicit parameters; | 
|  | 211 | - `PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE` - support for deterministic | 
|  | 212 | derivation of an ECC keypair with `psa_key_derivation_output_key()`. | 
|  | 213 |  | 
| Manuel Pégourié-Gonnard | 1937cf8 | 2023-07-11 11:14:15 +0200 | [diff] [blame] | 214 | Note: when any of the above options is enabled, a subset of `ecp.c` will | 
|  | 215 | automatically be included in the build in order to support it. Therefore | 
|  | 216 | you can still disable `MBEDTLS_ECP_C` in `mbedtls_config.h` and this will | 
|  | 217 | result in some code size savings, but not as much as when none of the | 
|  | 218 | above features are enabled. | 
| Manuel Pégourié-Gonnard | 7a82e27 | 2023-07-07 16:43:56 +0200 | [diff] [blame] | 219 |  | 
|  | 220 | We do have plans to support each of these with `ecp.c` fully removed in the | 
| Manuel Pégourié-Gonnard | fb22c27 | 2023-07-18 10:40:56 +0200 | [diff] [blame] | 221 | future, however there is no established timeline. If you're interested, please | 
|  | 222 | let us know, so we can take it into consideration in our planning. | 
| Manuel Pégourié-Gonnard | 7a82e27 | 2023-07-07 16:43:56 +0200 | [diff] [blame] | 223 |  | 
|  | 224 | ### Limitations regarding restartable / interruptible ECC operations | 
|  | 225 |  | 
| Manuel Pégourié-Gonnard | 89ae266 | 2023-09-22 13:05:25 +0200 | [diff] [blame] | 226 | At the moment, there is no driver support for interruptible operations | 
| Manuel Pégourié-Gonnard | 7a82e27 | 2023-07-07 16:43:56 +0200 | [diff] [blame] | 227 | (see `psa_sign_hash_start()` + `psa_sign_hash_complete()` etc.) so as a | 
|  | 228 | consequence these are not supported in builds without `MBEDTLS_ECDSA_C`. | 
|  | 229 |  | 
|  | 230 | Similarly, there is no PSA support for interruptible ECDH operations so these | 
|  | 231 | are not supported without `ECDH_C`. See also limitations regarding | 
|  | 232 | restartable operations with `MBEDTLS_USE_PSA_CRYPTO` in [its | 
|  | 233 | documentation](use-psa-crypto.md). | 
|  | 234 |  | 
| Manuel Pégourié-Gonnard | fb22c27 | 2023-07-18 10:40:56 +0200 | [diff] [blame] | 235 | Again, we have plans to support this in the future but not with an established | 
| Manuel Pégourié-Gonnard | 7a82e27 | 2023-07-07 16:43:56 +0200 | [diff] [blame] | 236 | timeline, please let us know if you're interested. | 
|  | 237 |  | 
| Manuel Pégourié-Gonnard | f7dc6cf | 2023-09-27 10:34:52 +0200 | [diff] [blame] | 238 | ### Limitations regarding "mixed" builds (driver and built-in) | 
|  | 239 |  | 
|  | 240 | In order for a build to be driver-only (no built-in implementation), all the | 
|  | 241 | requested algorithms, key types (key operations) and curves must be | 
|  | 242 | accelerated (plus a few other restrictions, see "Limitations regarding fully | 
|  | 243 | removing `ecp.c`" above). However, what if you have an accelerator that only | 
|  | 244 | supports some algorithms, some key types (key operations), or some curves, but | 
|  | 245 | want to have more enabled in you build? | 
|  | 246 |  | 
|  | 247 | It is possible to have acceleration for only a subset of the requested | 
|  | 248 | algorithms. In this case, the built-in implementation of the accelerated | 
|  | 249 | algorithms will be disabled, provided all the requested curves and key types | 
|  | 250 | that can be used with this algorithm are also declared as accelerated. | 
|  | 251 |  | 
|  | 252 | There is very limited support for having acceleration for only a subset of the | 
|  | 253 | requested key type operations. The only configuration that's tested is that of | 
|  | 254 | a driver accelerating `PUBLIC_KEY`, `KEY_PAIR_BASIC`, `KEY_PAIR_IMPORT`, | 
|  | 255 | `KEY_PAIR_EXPORT` but not `KEY_PAIR_GENERATE`. (Note: currently the driver | 
|  | 256 | interface does not support `KEY_PAIR_DERIVE`.) | 
|  | 257 |  | 
|  | 258 | There is limited support for having acceleration for only a subset of the | 
|  | 259 | requested curves. In such builds, only the PSA API is currently tested and | 
|  | 260 | working; there are known issues in PK, and X.509 and TLS are untested. | 
|  | 261 |  | 
| Manuel Pégourié-Gonnard | c977751 | 2023-07-11 11:11:20 +0200 | [diff] [blame] | 262 | Finite-field Diffie-Hellman | 
|  | 263 | --------------------------- | 
|  | 264 |  | 
| Valerio Setti | d31b284 | 2023-08-15 10:59:58 +0200 | [diff] [blame] | 265 | Support is pretty similar to the "Elliptic-curve cryptography (ECC)" section | 
|  | 266 | above. | 
|  | 267 | Key management and usage can be enabled by means of the usual `PSA_WANT` + | 
|  | 268 | `MBEDTLS_PSA_ACCEL` pairs: | 
|  | 269 |  | 
|  | 270 | - `[PSA_WANT|MBEDTLS_PSA_ACCEL]_KEY_TYPE_DH_PUBLIC_KEY`; | 
|  | 271 | - `[PSA_WANT|MBEDTLS_PSA_ACCEL]_KEY_TYPE_DH_KEY_PAIR_BASIC`; | 
|  | 272 | - `[PSA_WANT|MBEDTLS_PSA_ACCEL]_KEY_TYPE_DH_KEY_PAIR_IMPORT`; | 
|  | 273 | - `[PSA_WANT|MBEDTLS_PSA_ACCEL]_KEY_TYPE_DH_KEY_PAIR_EXPORT`; | 
|  | 274 | - `[PSA_WANT|MBEDTLS_PSA_ACCEL]_KEY_TYPE_DH_KEY_PAIR_GENERATE`; | 
|  | 275 |  | 
|  | 276 | The same holds for the associated algorithm: | 
| Valerio Setti | 7373a66 | 2023-09-04 13:59:03 +0200 | [diff] [blame] | 277 | `[PSA_WANT|MBEDTLS_PSA_ACCEL]_ALG_FFDH` allow builds accelerating FFDH and | 
| Valerio Setti | d31b284 | 2023-08-15 10:59:58 +0200 | [diff] [blame] | 278 | removing builtin support (i.e. `MBEDTLS_DHM_C`). | 
|  | 279 |  | 
| Gilles Peskine | 89ef2fa | 2024-04-30 14:25:30 +0200 | [diff] [blame] | 280 | Note that the PSA API only supports FFDH with RFC 7919 groups, whereas the | 
| Gilles Peskine | d78d695 | 2024-12-04 18:04:55 +0100 | [diff] [blame] | 281 | Mbed TLS legacy API supports custom groups. As a consequence, the TLS 1.2 | 
|  | 282 | layer of Mbed TLS only supports DHE cipher suites if built-in FFDH | 
| Gilles Peskine | 89ef2fa | 2024-04-30 14:25:30 +0200 | [diff] [blame] | 283 | (`MBEDTLS_DHM_C`) is present, even when `MBEDTLS_USE_PSA_CRYPTO` is enabled. | 
| Gilles Peskine | d78d695 | 2024-12-04 18:04:55 +0100 | [diff] [blame] | 284 | (The TLS 1.3 layer uses PSA, and this is not a limitation because the | 
|  | 285 | protocol does not allow custom FFDH groups.) | 
| Gilles Peskine | 89ef2fa | 2024-04-30 14:25:30 +0200 | [diff] [blame] | 286 |  | 
| Manuel Pégourié-Gonnard | c1cea63 | 2024-01-08 11:02:26 +0100 | [diff] [blame] | 287 | RSA | 
|  | 288 | --- | 
|  | 289 |  | 
|  | 290 | It is possible for all RSA operations to be provided only by a driver. | 
|  | 291 |  | 
|  | 292 | More precisely, if: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 293 |  | 
| Manuel Pégourié-Gonnard | c1cea63 | 2024-01-08 11:02:26 +0100 | [diff] [blame] | 294 | - all the RSA algorithms that are enabled (`PSA_WANT_ALG_RSA_*`) are also | 
|  | 295 | accelerated (`MBEDTLS_PSA_ACCEL_ALG_RSA_*`), | 
|  | 296 | - and all the RSA key types that are enabled (`PSA_WANT_KEY_TYPE_RSA_*`) are | 
|  | 297 | also accelerated (`MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_*`), | 
|  | 298 |  | 
|  | 299 | then you can disable `MBEDTLS_RSA_C`, `MBEDTLS_PKCS1_V15` and | 
|  | 300 | `MBEDTLS_PKCS1_V21`, and RSA will still work in PSA Crypto. | 
|  | 301 |  | 
|  | 302 | ### Limitations on RSA acceleration | 
|  | 303 |  | 
|  | 304 | Unlike other mechanisms, for now in configurations with driver-only RSA, only | 
|  | 305 | PSA Crypto works. In particular, PK, X.509 and TLS will _not_ work with | 
|  | 306 | driver-only RSA even if `MBEDTLS_USE_PSA_CRYPTO` is enabled. | 
|  | 307 |  | 
|  | 308 | Currently (early 2024) we don't have plans to extend this support. If you're | 
|  | 309 | interested in wider driver-only support for RSA, please let us know. | 
|  | 310 |  | 
| Valerio Setti | 045d680 | 2023-12-29 15:42:22 +0100 | [diff] [blame] | 311 | Ciphers (unauthenticated and AEAD) | 
|  | 312 | ---------------------------------- | 
| Valerio Setti | 20e93a2 | 2023-12-04 11:29:36 +0100 | [diff] [blame] | 313 |  | 
| Valerio Setti | 8c1e6bb | 2023-12-21 15:02:48 +0100 | [diff] [blame] | 314 | It is possible to have all ciphers and AEAD operations provided only by a | 
| Valerio Setti | 7e11dd6 | 2023-12-18 15:52:44 +0100 | [diff] [blame] | 315 | driver. More precisely, for each desired combination of key type and | 
|  | 316 | algorithm/mode you can: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 317 |  | 
| Valerio Setti | 92e5c69 | 2023-12-28 13:28:03 +0100 | [diff] [blame] | 318 | - Enable desired PSA key type(s): | 
| Valerio Setti | 7e11dd6 | 2023-12-18 15:52:44 +0100 | [diff] [blame] | 319 | - `PSA_WANT_KEY_TYPE_AES`, | 
|  | 320 | - `PSA_WANT_KEY_TYPE_ARIA`, | 
|  | 321 | - `PSA_WANT_KEY_TYPE_CAMELLIA`, | 
|  | 322 | - `PSA_WANT_KEY_TYPE_CHACHA20`, | 
| Valerio Setti | 8c1e6bb | 2023-12-21 15:02:48 +0100 | [diff] [blame] | 323 | - `PSA_WANT_KEY_TYPE_DES`. | 
| Valerio Setti | 92e5c69 | 2023-12-28 13:28:03 +0100 | [diff] [blame] | 324 | - Enable desired PSA algorithm(s): | 
|  | 325 | - Unauthenticated ciphers modes: | 
| Valerio Setti | 7e11dd6 | 2023-12-18 15:52:44 +0100 | [diff] [blame] | 326 | - `PSA_WANT_ALG_CBC_NO_PADDING`, | 
|  | 327 | - `PSA_WANT_ALG_CBC_PKCS7`, | 
|  | 328 | - `PSA_WANT_ALG_CCM_STAR_NO_TAG`, | 
|  | 329 | - `PSA_WANT_ALG_CFB`, | 
|  | 330 | - `PSA_WANT_ALG_CTR`, | 
|  | 331 | - `PSA_WANT_ALG_ECB_NO_PADDING`, | 
|  | 332 | - `PSA_WANT_ALG_OFB`, | 
| Valerio Setti | 8c1e6bb | 2023-12-21 15:02:48 +0100 | [diff] [blame] | 333 | - `PSA_WANT_ALG_STREAM_CIPHER`. | 
| Valerio Setti | 7e11dd6 | 2023-12-18 15:52:44 +0100 | [diff] [blame] | 334 | - AEADs: | 
|  | 335 | - `PSA_WANT_ALG_CCM`, | 
|  | 336 | - `PSA_WANT_ALG_GCM`, | 
| Valerio Setti | 8c1e6bb | 2023-12-21 15:02:48 +0100 | [diff] [blame] | 337 | - `PSA_WANT_ALG_CHACHA20_POLY1305`. | 
| Valerio Setti | 92e5c69 | 2023-12-28 13:28:03 +0100 | [diff] [blame] | 338 | - Enable `MBEDTLS_PSA_ACCEL_[KEY_TYPE_xxx|ALG_yyy]` symbol(s) which correspond | 
| Valerio Setti | f333b3f | 2023-12-29 14:49:03 +0100 | [diff] [blame] | 339 | to the `PSA_WANT_KEY_TYPE_xxx` and `PSA_WANT_ALG_yyy` of the previous steps. | 
| Valerio Setti | 92e5c69 | 2023-12-28 13:28:03 +0100 | [diff] [blame] | 340 | - Disable builtin support of key types: | 
| Valerio Setti | 7e11dd6 | 2023-12-18 15:52:44 +0100 | [diff] [blame] | 341 | - `MBEDTLS_AES_C`, | 
|  | 342 | - `MBEDTLS_ARIA_C`, | 
|  | 343 | - `MBEDTLS_CAMELLIA_C`, | 
|  | 344 | - `MBEDTLS_DES_C`, | 
| Valerio Setti | f333b3f | 2023-12-29 14:49:03 +0100 | [diff] [blame] | 345 | - `MBEDTLS_CHACHA20_C`. | 
| Valerio Setti | 7e11dd6 | 2023-12-18 15:52:44 +0100 | [diff] [blame] | 346 | and algorithms/modes: | 
| Valerio Setti | f333b3f | 2023-12-29 14:49:03 +0100 | [diff] [blame] | 347 | - `MBEDTLS_CBC_C`, | 
|  | 348 | - `MBEDTLS_CFB_C`, | 
|  | 349 | - `MBEDTLS_CTR_C`, | 
|  | 350 | - `MBEDTLS_OFB_C`, | 
|  | 351 | - `MBEDTLS_XTS_C`, | 
|  | 352 | - `MBEDTLS_CCM_C`, | 
|  | 353 | - `MBEDTLS_GCM_C`, | 
|  | 354 | - `MBEDTLS_CHACHAPOLY_C`, | 
|  | 355 | - `MBEDTLS_NULL_CIPHER`. | 
| Valerio Setti | acd7baf | 2023-12-06 15:17:12 +0100 | [diff] [blame] | 356 |  | 
| Valerio Setti | 49067d7 | 2023-12-21 17:07:10 +0100 | [diff] [blame] | 357 | Once a key type and related algorithm are accelerated, all the PSA Crypto APIs | 
| Valerio Setti | f333b3f | 2023-12-29 14:49:03 +0100 | [diff] [blame] | 358 | will work, as well as X.509 and TLS (with `MBEDTLS_USE_PSA_CRYPTO` enabled) but | 
| Valerio Setti | 49067d7 | 2023-12-21 17:07:10 +0100 | [diff] [blame] | 359 | some non-PSA APIs will be absent or have reduced functionality, see | 
| Valerio Setti | 045d680 | 2023-12-29 15:42:22 +0100 | [diff] [blame] | 360 | [Restrictions](#restrictions) for details. | 
| Valerio Setti | 20e93a2 | 2023-12-04 11:29:36 +0100 | [diff] [blame] | 361 |  | 
| Valerio Setti | 6613466 | 2023-12-20 17:06:13 +0100 | [diff] [blame] | 362 | ### Restrictions | 
|  | 363 |  | 
| Valerio Setti | f333b3f | 2023-12-29 14:49:03 +0100 | [diff] [blame] | 364 | - If an algorithm other than CCM and GCM (see | 
| Valerio Setti | 6613466 | 2023-12-20 17:06:13 +0100 | [diff] [blame] | 365 | ["Partial acceleration for CCM/GCM"](#partial-acceleration-for-ccmgcm) below) | 
| Valerio Setti | f333b3f | 2023-12-29 14:49:03 +0100 | [diff] [blame] | 366 | is enabled but not accelerated, then all key types that can be used with it | 
| Valerio Setti | 92e5c69 | 2023-12-28 13:28:03 +0100 | [diff] [blame] | 367 | will need to be built-in. | 
| Valerio Setti | 7406b74 | 2024-01-03 14:47:36 +0100 | [diff] [blame] | 368 | - If a key type is enabled but not accelerated, then all algorithms that can be | 
| Valerio Setti | 6613466 | 2023-12-20 17:06:13 +0100 | [diff] [blame] | 369 | used with it will need to be built-in. | 
|  | 370 |  | 
| Valerio Setti | 045d680 | 2023-12-29 15:42:22 +0100 | [diff] [blame] | 371 | Some legacy modules can't take advantage of PSA drivers yet, and will either | 
|  | 372 | need to be disabled, or have reduced features when the built-in implementations | 
|  | 373 | of some ciphers are removed: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 374 |  | 
| Valerio Setti | 045d680 | 2023-12-29 15:42:22 +0100 | [diff] [blame] | 375 | - `MBEDTLS_NIST_KW_C` needs built-in AES: it must be disabled when | 
|  | 376 | `MBEDTLS_AES_C` is disabled. | 
|  | 377 | - `MBEDTLS_CMAC_C` needs built-in AES/DES: it must be disabled when | 
|  | 378 | `MBEDTLS_AES_C` and `MBEDTLS_DES_C` are both disabled. When only one of them | 
|  | 379 | is enabled, then only the corresponding cipher will be available at runtime | 
|  | 380 | for use with `mbedtls_cipher_cmac_xxx`. (Note: if there is driver support for | 
|  | 381 | CMAC and all compatible key types, then `PSA_WANT_ALG_CMAC` can be enabled | 
|  | 382 | without `MBEDTLS_CMAC_C` and CMAC will be usable with `psa_max_xxx` APIs.) | 
|  | 383 | - `MBEDTLS_CIPHER_C`: the `mbedtls_cipher_xxx()` APIs will only work with | 
|  | 384 | ciphers that are built-in - that is, both the underlying cipher | 
|  | 385 | (eg `MBEDTLS_AES_C`) and the mode (eg `MBEDTLS_CIPHER_MODE_CBC` or | 
|  | 386 | `MBEDTLS_GCM_C`). | 
|  | 387 | - `MBEDTLS_PKCS5_C`: encryption/decryption (PBES2, PBE) will only work with | 
|  | 388 | ciphers that are built-in. | 
|  | 389 | - PEM decryption will only work with ciphers that are built-in. | 
|  | 390 | - PK parse will only be able to parse encrypted keys using built-in ciphers. | 
|  | 391 |  | 
|  | 392 | Note that if you also disable `MBEDTLS_CIPHER_C`, there will be additional | 
|  | 393 | restrictions, see [Disabling `MBEDTLS_CIPHER_C`](#disabling-mbedtls_cipher_c). | 
|  | 394 |  | 
| Valerio Setti | 7e11dd6 | 2023-12-18 15:52:44 +0100 | [diff] [blame] | 395 | ### Legacy <-> PSA matching | 
| Valerio Setti | 20e93a2 | 2023-12-04 11:29:36 +0100 | [diff] [blame] | 396 |  | 
| Valerio Setti | f333b3f | 2023-12-29 14:49:03 +0100 | [diff] [blame] | 397 | Note that the relationship between legacy (i.e. `MBEDTLS_xxx_C`) and PSA | 
| Valerio Setti | 92e5c69 | 2023-12-28 13:28:03 +0100 | [diff] [blame] | 398 | (i.e. `PSA_WANT_xxx`) symbols is not always 1:1. For example: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 399 |  | 
| Valerio Setti | f333b3f | 2023-12-29 14:49:03 +0100 | [diff] [blame] | 400 | - ECB mode is always enabled in the legacy configuration for each key type that | 
| Valerio Setti | 7e11dd6 | 2023-12-18 15:52:44 +0100 | [diff] [blame] | 401 | allows it (AES, ARIA, Camellia, DES), whereas it must be explicitly enabled | 
| Valerio Setti | 92e5c69 | 2023-12-28 13:28:03 +0100 | [diff] [blame] | 402 | in PSA with `PSA_WANT_ALG_ECB_NO_PADDING`. | 
| Valerio Setti | f333b3f | 2023-12-29 14:49:03 +0100 | [diff] [blame] | 403 | - In the legacy API, `MBEDTLS_CHACHA20_C` enables the ChaCha20 stream cipher, and | 
|  | 404 | enabling `MBEDTLS_CHACHAPOLY_C` also enables the ChaCha20-Poly1305 AEAD. In the | 
|  | 405 | PSA API, you need to enable `PSA_KEY_TYPE_CHACHA20` for both, plus | 
|  | 406 | `PSA_ALG_STREAM_CIPHER` or `PSA_ALG_CHACHA20_POLY1305` as desired. | 
| Valerio Setti | 92e5c69 | 2023-12-28 13:28:03 +0100 | [diff] [blame] | 407 | - The legacy symbol `MBEDTLS_CCM_C` adds support for both cipher and AEAD, | 
|  | 408 | whereas in PSA there are 2 different symbols: `PSA_WANT_ALG_CCM_STAR_NO_TAG` | 
|  | 409 | and `PSA_WANT_ALG_CCM`, respectively. | 
| Valerio Setti | 7e11dd6 | 2023-12-18 15:52:44 +0100 | [diff] [blame] | 410 |  | 
|  | 411 | ### Partial acceleration for CCM/GCM | 
|  | 412 |  | 
| Valerio Setti | f333b3f | 2023-12-29 14:49:03 +0100 | [diff] [blame] | 413 | In case legacy CCM/GCM algorithms are enabled, it is still possible to benefit | 
| Valerio Setti | 92e5c69 | 2023-12-28 13:28:03 +0100 | [diff] [blame] | 414 | from PSA acceleration of the underlying block cipher by enabling support for | 
| Valerio Setti | 045d680 | 2023-12-29 15:42:22 +0100 | [diff] [blame] | 415 | ECB mode (`PSA_WANT_ALG_ECB_NO_PADDING` + `MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING`) | 
|  | 416 | together with desired key type(s) (`PSA_WANT_KEY_TYPE_[AES|ARIA|CAMELLIA]` + | 
|  | 417 | `MBEDTLS_PSA_ACCEL_KEY_TYPE_[AES|ARIA|CAMELLIA]`). | 
| Manuel Pégourié-Gonnard | dc4103e | 2024-01-08 10:54:47 +0100 | [diff] [blame] | 418 |  | 
| Valerio Setti | 045d680 | 2023-12-29 15:42:22 +0100 | [diff] [blame] | 419 | In such configurations it is possible to: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 420 |  | 
| Valerio Setti | 045d680 | 2023-12-29 15:42:22 +0100 | [diff] [blame] | 421 | - Use CCM and GCM via the PSA Crypto APIs. | 
| Manuel Pégourié-Gonnard | dc4103e | 2024-01-08 10:54:47 +0100 | [diff] [blame] | 422 | - Use CCM and GCM via legacy functions `mbedtls_[ccm|gcm]_xxx()` (but not the | 
|  | 423 | legacy functions `mbedtls_cipher_xxx()`). | 
| Valerio Setti | 92e5c69 | 2023-12-28 13:28:03 +0100 | [diff] [blame] | 424 | - Disable legacy key types (`MBEDTLS_[AES|ARIA|CAMELLIA]_C`) if there is no | 
| Valerio Setti | f333b3f | 2023-12-29 14:49:03 +0100 | [diff] [blame] | 425 | other dependency requiring them. | 
| Valerio Setti | 7e11dd6 | 2023-12-18 15:52:44 +0100 | [diff] [blame] | 426 |  | 
| Valerio Setti | f333b3f | 2023-12-29 14:49:03 +0100 | [diff] [blame] | 427 | ChaChaPoly has no such feature, so it requires full acceleration (key type + | 
| Valerio Setti | 7e11dd6 | 2023-12-18 15:52:44 +0100 | [diff] [blame] | 428 | algorithm) in order to work with a driver. | 
|  | 429 |  | 
|  | 430 | ### CTR-DRBG | 
|  | 431 |  | 
| Valerio Setti | 92e5c69 | 2023-12-28 13:28:03 +0100 | [diff] [blame] | 432 | The legacy CTR-DRBG module (enabled by `MBEDTLS_CTR_DRBG_C`) can also benefit | 
|  | 433 | from PSA acceleration if both of the following conditions are met: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 434 |  | 
| Valerio Setti | 92e5c69 | 2023-12-28 13:28:03 +0100 | [diff] [blame] | 435 | - The legacy AES module (`MBEDTLS_AES_C`) is not enabled and | 
| Valerio Setti | 8c1e6bb | 2023-12-21 15:02:48 +0100 | [diff] [blame] | 436 | - AES is supported on the PSA side together with ECB mode, i.e. | 
| Valerio Setti | 7e11dd6 | 2023-12-18 15:52:44 +0100 | [diff] [blame] | 437 | `PSA_WANT_KEY_TYPE_AES` + `PSA_WANT_ALG_ECB_NO_PADDING`. | 
|  | 438 |  | 
| Valerio Setti | 045d680 | 2023-12-29 15:42:22 +0100 | [diff] [blame] | 439 | ### Disabling `MBEDTLS_CIPHER_C` | 
| Valerio Setti | 7e11dd6 | 2023-12-18 15:52:44 +0100 | [diff] [blame] | 440 |  | 
| Valerio Setti | 92e5c69 | 2023-12-28 13:28:03 +0100 | [diff] [blame] | 441 | It is possible to save code size by disabling MBEDTLS_CIPHER_C when all of the | 
|  | 442 | following conditions are met: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 443 |  | 
| Valerio Setti | 92e5c69 | 2023-12-28 13:28:03 +0100 | [diff] [blame] | 444 | - The application is not using the `mbedtls_cipher_` API. | 
|  | 445 | - In PSA, all unauthenticated (that is, non-AEAD) ciphers are either disabled or | 
|  | 446 | fully accelerated (that is, all compatible key types are accelerated too). | 
|  | 447 | - Either TLS is disabled, or `MBEDTLS_USE_PSA_CRYPTO` is enabled. | 
|  | 448 | - `MBEDTLS_NIST_KW` is disabled. | 
| Valerio Setti | 045d680 | 2023-12-29 15:42:22 +0100 | [diff] [blame] | 449 | - `MBEDTLS_CMAC_C` is disabled. (Note: support for CMAC in PSA can be provided by | 
|  | 450 | a driver.) | 
| Valerio Setti | 7e11dd6 | 2023-12-18 15:52:44 +0100 | [diff] [blame] | 451 |  | 
| Valerio Setti | 92e5c69 | 2023-12-28 13:28:03 +0100 | [diff] [blame] | 452 | In such a build, everything will work as usual except for the following: | 
| Manuel Pégourié-Gonnard | e334486 | 2024-01-10 10:24:31 +0100 | [diff] [blame] | 453 |  | 
| Valerio Setti | 92e5c69 | 2023-12-28 13:28:03 +0100 | [diff] [blame] | 454 | - Encryption/decryption functions from the PKCS5 and PKCS12 module will not be | 
|  | 455 | available (only key derivation functions). | 
|  | 456 | - Parsing of PKCS5- or PKCS12-encrypted keys in PK parse will fail. | 
| Valerio Setti | 7e11dd6 | 2023-12-18 15:52:44 +0100 | [diff] [blame] | 457 |  | 
| Valerio Setti | 92e5c69 | 2023-12-28 13:28:03 +0100 | [diff] [blame] | 458 | Note: AEAD ciphers (CCM, GCM, ChachaPoly) do not have a dependency on | 
|  | 459 | MBEDTLS_CIPHER_C even when using the built-in implementations. | 
|  | 460 |  | 
| Valerio Setti | 045d680 | 2023-12-29 15:42:22 +0100 | [diff] [blame] | 461 | If you also have some ciphers fully accelerated and the built-ins removed, see | 
|  | 462 | [Restrictions](#restrictions) for restrictions related to removing the built-ins. | 
|  | 463 |  | 
| Valerio Setti | 7e11dd6 | 2023-12-18 15:52:44 +0100 | [diff] [blame] | 464 |  | 
| Valerio Setti | 20e93a2 | 2023-12-04 11:29:36 +0100 | [diff] [blame] | 465 |  |