| Manuel Pégourié-Gonnard | 6d5f494 | 2023-07-07 12:00:49 +0200 | [diff] [blame] | 1 | This document explains how to create builds of Mbed TLS where some | 
|  | 2 | cryptographic mechanisms are provided only by PSA drivers (that is, no | 
|  | 3 | built-in implementation of those algorithms), from a user's perspective. | 
|  | 4 |  | 
|  | 5 | This is useful to save code size for people who are using either a hardware | 
|  | 6 | accelerator, or an alternative software implementation that's more | 
|  | 7 | aggressively optimized for code size than the default one in Mbed TLS. | 
|  | 8 |  | 
|  | 9 | General considerations | 
|  | 10 | ---------------------- | 
|  | 11 |  | 
|  | 12 | This document assumes that you already have a working driver. | 
|  | 13 | Otherwise, please see the [PSA driver example and | 
|  | 14 | guide](psa-driver-example-and-guide.md) for information on writing a | 
|  | 15 | driver. | 
|  | 16 |  | 
|  | 17 | In order to have some mechanism provided only by a driver, you'll want | 
|  | 18 | the following compile-time configuration options enabled: | 
|  | 19 | - `MBEDTLS_PSA_CRYPTO_C` (enabled by default) - this enables PSA Crypto. | 
|  | 20 | - `MBEDTLS_USE_PSA_CRYPTO` (disabled by default) - this makes PK, X.509 and | 
|  | 21 | TLS use PSA Crypto. You need to enable this if you're using PK, X.509 or TLS | 
|  | 22 | and want them to have access to the algorithms provided by your driver. (See | 
|  | 23 | [the dedicated document](use-psa-crypto.md) for details.) | 
|  | 24 | - `MBEDTLS_PSA_CRYPTO_CONFIG` (disabled by default) - this enables | 
|  | 25 | configuration of cryptographic algorithms using `PSA_WANT` macros in | 
|  | 26 | `include/psa/crypto_config.h`. See [Conditional inclusion of cryptographic | 
|  | 27 | mechanism through the PSA API in Mbed | 
|  | 28 | TLS](proposed/psa-conditional-inclusion-c.md) for details. | 
|  | 29 |  | 
|  | 30 | In addition, for each mechanism you want provided only by your driver: | 
|  | 31 | - Define the corresponding `PSA_WANT` macro in `psa/crypto_config.h` - this | 
|  | 32 | means the algorithm will be available in the PSA Crypto API. | 
| Manuel Pégourié-Gonnard | fb22c27 | 2023-07-18 10:40:56 +0200 | [diff] [blame] | 33 | - Define the corresponding `MBEDTLS_PSA_ACCEL` in your build. This could be | 
|  | 34 | defined in `psa/crypto_config.h` or your compiler's command line. This | 
|  | 35 | informs the PSA code that an accelerator is available for this mechanism. | 
| Manuel Pégourié-Gonnard | 6d5f494 | 2023-07-07 12:00:49 +0200 | [diff] [blame] | 36 | - Undefine / comment out the corresponding `MBEDTLS_xxx_C` macro in | 
|  | 37 | `mbedtls/mbedtls_config.h`. This ensures the built-in implementation is not | 
|  | 38 | included in the build. | 
|  | 39 |  | 
|  | 40 | For example, if you want SHA-256 to be provided only by a driver, you'll want | 
|  | 41 | `PSA_WANT_ALG_SHA_256` and `MBEDTLS_PSA_ACCEL_SHA_256` defined, and | 
|  | 42 | `MBEDTLS_SHA256_C` undefined. | 
|  | 43 |  | 
|  | 44 | In addition to these compile-time considerations, at runtime you'll need to | 
|  | 45 | make sure you call `psa_crypto_init()` before any function that uses the | 
| Manuel Pégourié-Gonnard | fb22c27 | 2023-07-18 10:40:56 +0200 | [diff] [blame] | 46 | driver-only mechanisms. Note that this is already a requirement for any use of | 
|  | 47 | the PSA Crypto API, as well as for use of the PK, X.509 and TLS modules when | 
|  | 48 | `MBEDTLS_USE_PSA_CRYPTO` is enabled, so in most cases your application will | 
|  | 49 | already be doing this. | 
| Manuel Pégourié-Gonnard | 6d5f494 | 2023-07-07 12:00:49 +0200 | [diff] [blame] | 50 |  | 
|  | 51 | Mechanisms covered | 
|  | 52 | ------------------ | 
|  | 53 |  | 
| Manuel Pégourié-Gonnard | c977751 | 2023-07-11 11:11:20 +0200 | [diff] [blame] | 54 | For now, only the following (families of) mechanisms are supported: | 
| Manuel Pégourié-Gonnard | 6d5f494 | 2023-07-07 12:00:49 +0200 | [diff] [blame] | 55 | - hashes: SHA-3, SHA-2, SHA-1, MD5, etc. | 
|  | 56 | - elliptic-curve cryptography (ECC): ECDH, ECDSA, EC J-PAKE, ECC key types. | 
| Manuel Pégourié-Gonnard | c977751 | 2023-07-11 11:11:20 +0200 | [diff] [blame] | 57 | - finite-field Diffie-Hellman: FFDH algorithm, DH key types. | 
| Manuel Pégourié-Gonnard | 6d5f494 | 2023-07-07 12:00:49 +0200 | [diff] [blame] | 58 |  | 
|  | 59 | Supported means that when those are provided only by drivers, everything | 
|  | 60 | (including PK, X.509 and TLS if `MBEDTLS_USE_PSA_CRYPTO` is enabled) should | 
|  | 61 | work in the same way as if the mechanisms where built-in, except as documented | 
|  | 62 | in the "Limitations" sub-sections of the sections dedicated to each family | 
|  | 63 | below. | 
|  | 64 |  | 
|  | 65 | In the near future (end of 2023), we are planning to also add support for | 
|  | 66 | ciphers (AES) and AEADs (GCM, CCM, ChachaPoly). | 
|  | 67 |  | 
| Manuel Pégourié-Gonnard | c977751 | 2023-07-11 11:11:20 +0200 | [diff] [blame] | 68 | Currently (mid-2023) we don't have plans to extend this to RSA. If | 
|  | 69 | you're interested in driver-only support for RSA, please let us know. | 
| Manuel Pégourié-Gonnard | 6d5f494 | 2023-07-07 12:00:49 +0200 | [diff] [blame] | 70 |  | 
|  | 71 | Hashes | 
|  | 72 | ------ | 
|  | 73 |  | 
|  | 74 | TODO | 
|  | 75 |  | 
|  | 76 | Elliptic-curve cryptography (ECC) | 
|  | 77 | --------------------------------- | 
|  | 78 |  | 
| Manuel Pégourié-Gonnard | 7a82e27 | 2023-07-07 16:43:56 +0200 | [diff] [blame] | 79 | Note: things are still evolving. This section describes the situation right | 
|  | 80 | after #7452 has been merged. It will be updated again in #7757 when bignum is | 
|  | 81 | done. | 
|  | 82 |  | 
|  | 83 | It is possible to have most ECC operations provided only by a driver: | 
|  | 84 | - the ECDH, ECDSA and EC J-PAKE algorithms; | 
|  | 85 | - key import, export, and random generation. | 
|  | 86 |  | 
|  | 87 | More precisely: | 
|  | 88 | - you can enable `PSA_WANT_ALG_ECDH` without `MBEDTLS_ECDH_C` provided | 
|  | 89 | `MBEDTLS_PSA_ACCEL_ALG_ECDH` is enabled; | 
|  | 90 | - you can enable `PSA_WANT_ALG_ECDSA` without `MBEDTLS_ECDSA_C` provided | 
|  | 91 | `MBEDTLS_PSA_ACCEL_ALG_ECDSA` is enabled; | 
|  | 92 | - you can enable `PSA_WANT_ALG_JPAKE` without `MBEDTLS_ECJPAKE_C` provided | 
|  | 93 | `MBEDTLS_PSA_ACCEL_ALG_JPAKE` is enabled. | 
|  | 94 |  | 
|  | 95 | In addition, if none of `MBEDTLS_ECDH_C`, `MBEDTLS_ECDSA_C`, | 
| Manuel Pégourié-Gonnard | fb22c27 | 2023-07-18 10:40:56 +0200 | [diff] [blame] | 96 | `MBEDTLS_ECJPAKE_C` are enabled, you can enable: | 
| Manuel Pégourié-Gonnard | 7a82e27 | 2023-07-07 16:43:56 +0200 | [diff] [blame] | 97 | - `PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY`; | 
|  | 98 | - `PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC`; | 
|  | 99 | - `PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT`; | 
|  | 100 | - `PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT`; | 
|  | 101 | - `PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE`; | 
|  | 102 | without `MBEDTLS_ECP_C` provided the corresponding | 
|  | 103 | `MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx` are enabled. | 
|  | 104 |  | 
|  | 105 | [Coming soon] If `MBEDTLS_ECP_C` is disabled and `ecp.c` is fully removed (see | 
|  | 106 | "Limitations regarding fully removing `ecp.c`" below), and you're not using | 
|  | 107 | RSA or FFDH, then you can also disable `MBEDTLS_BIGNUM_C` for further code | 
|  | 108 | size saving. | 
|  | 109 |  | 
|  | 110 | ### Limitations regarding fully removing `ecp.c` | 
|  | 111 |  | 
|  | 112 | A limited subset of `ecp.c` will still be automatically re-enabled if any of | 
|  | 113 | the following is enabled: | 
|  | 114 | - `MBEDTLS_PK_PARSE_EC_COMPRESSED` - support for parsing ECC keys where the | 
|  | 115 | public part is in compressed format; | 
|  | 116 | - `MBEDTLS_PK_PARSE_EC_EXTENDED` - support for parsing ECC keys where the | 
|  | 117 | curve is identified not by name, but by explicit parameters; | 
|  | 118 | - `PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE` - support for deterministic | 
|  | 119 | derivation of an ECC keypair with `psa_key_derivation_output_key()`. | 
|  | 120 |  | 
| Manuel Pégourié-Gonnard | 1937cf8 | 2023-07-11 11:14:15 +0200 | [diff] [blame] | 121 | Note: when any of the above options is enabled, a subset of `ecp.c` will | 
|  | 122 | automatically be included in the build in order to support it. Therefore | 
|  | 123 | you can still disable `MBEDTLS_ECP_C` in `mbedtls_config.h` and this will | 
|  | 124 | result in some code size savings, but not as much as when none of the | 
|  | 125 | above features are enabled. | 
| Manuel Pégourié-Gonnard | 7a82e27 | 2023-07-07 16:43:56 +0200 | [diff] [blame] | 126 |  | 
|  | 127 | We do have plans to support each of these with `ecp.c` fully removed in the | 
| Manuel Pégourié-Gonnard | fb22c27 | 2023-07-18 10:40:56 +0200 | [diff] [blame] | 128 | future, however there is no established timeline. If you're interested, please | 
|  | 129 | let us know, so we can take it into consideration in our planning. | 
| Manuel Pégourié-Gonnard | 7a82e27 | 2023-07-07 16:43:56 +0200 | [diff] [blame] | 130 |  | 
|  | 131 | ### Limitations regarding restartable / interruptible ECC operations | 
|  | 132 |  | 
| Manuel Pégourié-Gonnard | 1937cf8 | 2023-07-11 11:14:15 +0200 | [diff] [blame] | 133 | At the moment, there is not driver support for interruptible operations | 
| Manuel Pégourié-Gonnard | 7a82e27 | 2023-07-07 16:43:56 +0200 | [diff] [blame] | 134 | (see `psa_sign_hash_start()` + `psa_sign_hash_complete()` etc.) so as a | 
|  | 135 | consequence these are not supported in builds without `MBEDTLS_ECDSA_C`. | 
|  | 136 |  | 
|  | 137 | Similarly, there is no PSA support for interruptible ECDH operations so these | 
|  | 138 | are not supported without `ECDH_C`. See also limitations regarding | 
|  | 139 | restartable operations with `MBEDTLS_USE_PSA_CRYPTO` in [its | 
|  | 140 | documentation](use-psa-crypto.md). | 
|  | 141 |  | 
| Manuel Pégourié-Gonnard | fb22c27 | 2023-07-18 10:40:56 +0200 | [diff] [blame] | 142 | Again, we have plans to support this in the future but not with an established | 
| Manuel Pégourié-Gonnard | 7a82e27 | 2023-07-07 16:43:56 +0200 | [diff] [blame] | 143 | timeline, please let us know if you're interested. | 
|  | 144 |  | 
|  | 145 | ### Limitations regarding the selection of curves | 
|  | 146 |  | 
|  | 147 | TODO: apparently we don't really support having some curves built-in and | 
|  | 148 | others driver-only... investigate and describe the situation. See also #7899. | 
| Manuel Pégourié-Gonnard | c977751 | 2023-07-11 11:11:20 +0200 | [diff] [blame] | 149 |  | 
|  | 150 | Finite-field Diffie-Hellman | 
|  | 151 | --------------------------- | 
|  | 152 |  | 
|  | 153 | TODO |