diff --git a/doc/releases/release-notes-4.1.rst b/doc/releases/release-notes-4.1.rst
index 876df997c4f..5d56706c392 100644
--- a/doc/releases/release-notes-4.1.rst
+++ b/doc/releases/release-notes-4.1.rst
@@ -267,6 +267,12 @@ Libraries / Subsystems
 * Crypto
+ * The Kconfig symbol :kconfig:option:`CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOTS` was
+ added to allow Mbed TLS to use statically allocated buffers to store key material
+ in its PSA Crypto core instead of heap-allocated ones. This can help reduce
+ (or remove, if no other component makes use of it) heap memory requirements
+ from the final application.
+
 * CMSIS-NN
 * FPGA
diff --git a/modules/mbedtls/Kconfig.tls-generic b/modules/mbedtls/Kconfig.tls-generic
index 779d3b356f8..f65c86a2d96 100644
--- a/modules/mbedtls/Kconfig.tls-generic
+++ b/modules/mbedtls/Kconfig.tls-generic
@@ -554,9 +554,10 @@ config MBEDTLS_LMS
 depends on MBEDTLS_SHA256
 select PSA_WANT_ALG_SHA_256
+if MBEDTLS_PSA_CRYPTO_C
+
 config MBEDTLS_PSA_P256M_DRIVER_ENABLED
 bool "P256-M driver"
- depends on MBEDTLS_PSA_CRYPTO_C
 imply PSA_WANT_ALG_SHA_256
 help
 Enable support for the optimized sofware implementation of the secp256r1
@@ -570,6 +571,22 @@ config MBEDTLS_PSA_P256M_DRIVER_RAW
 Warning: Usage of this Kconfig option is prohibited in Zephyr's codebase. Users can enable it in case of very memory-constrained devices, but be aware that the p256-m interface is absolutely not guaranted to remain stable over time.
+config MBEDTLS_PSA_STATIC_KEY_SLOTS
+ bool "Use statically allocated key buffers to store key material"
+ default y if !MBEDTLS_ENABLE_HEAP
+ help
+ By default Mbed TLS's PSA Crypto core uses heap memory to store the
+ key material for each key slot. This might impose an undesired
+ requirement to support heap memory and its management code, affecting
+ RAM and ROM footprints at the same time.
+ Enabling this symbol causes Mbed TLS to pre-allocate all the key slot
+ buffers that are used to store the key material at build time, thus
+ removing the need for heap memory. Each buffer will be sized to
+ contain the largest asymmetric/symmetric key type enabled in the build
+ through PSA_WANT symbols.
+
+endif # MBEDTLS_PSA_CRYPTO_C
+
 config MBEDTLS_SSL_DTLS_CONNECTION_ID
 bool "DTLS Connection ID extension"
 depends on MBEDTLS_DTLS
diff --git a/modules/mbedtls/configs/config-tls-generic.h b/modules/mbedtls/configs/config-tls-generic.h
index aff59f9e17e..3f2bc5354bb 100644
--- a/modules/mbedtls/configs/config-tls-generic.h
+++ b/modules/mbedtls/configs/config-tls-generic.h
@@ -494,6 +494,10 @@
 #endif /* CONFIG_MBEDTLS_PSA_CRYPTO_C */
+#if defined(CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOTS)
+#define MBEDTLS_PSA_STATIC_KEY_SLOTS
+#endif
+
 #if defined(CONFIG_MBEDTLS_USE_PSA_CRYPTO)
 #define MBEDTLS_USE_PSA_CRYPTO
 #endif
diff --git a/tests/crypto/secp256r1/mbedtls.conf b/tests/crypto/secp256r1/mbedtls.conf
index e87e14abd71..7c3a56ce20b 100644
--- a/tests/crypto/secp256r1/mbedtls.conf
+++ b/tests/crypto/secp256r1/mbedtls.conf
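Review bot: The help text for MBEDTLS_PSA_STATIC_KEY_SLOTS describes the per-buffer size but not the total static RAM cost, which is that size multiplied by the number of PSA key slots, so a user switching on this symbol to save heap can be surprised by the .bss growth on a memory-constrained target. I would add one line after `through PSA_WANT symbols.`: `Note that the total static footprint is this buffer size multiplied by the number of key slots (MBEDTLS_PSA_KEY_SLOT_COUNT in Mbed TLS, if that is the knob exposed by the module in use).` It is also worth stating in the help text that, with heap disabled and this symbol set to n, key import/generation will fail at runtime rather than at build time, since the `default y if !MBEDTLS_ENABLE_HEAP` only covers the default and a user can still override it.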
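Review bot: The new `#define MBEDTLS_PSA_STATIC_KEY_SLOTS` in config-tls-generic.h is placed after the `#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_C */` block even though the Kconfig symbol only exists under `if MBEDTLS_PSA_CRYPTO_C`; moving it inside that block, next to the other PSA-core defines, would make the dependency visible to a reader of the header alone. More importantly, the define is only honoured by an Mbed TLS version that implements static key slots (a 3.6.x feature, if I recall correctly); with an older module revision the macro is silently ignored and the "no heap" expectation set by the Kconfig help text fails only at runtime, so a comment such as `/* Requires an Mbed TLS version that supports MBEDTLS_PSA_STATIC_KEY_SLOTS; older versions ignore this define. */` above the `#if` would help, or better a build-time check against the Mbed TLS version macro if the module exposes one here.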
@@ -1,6 +1,7 @@
 CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y
 CONFIG_MBEDTLS_PSA_P256M_DRIVER_ENABLED=y
+CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOTS=y
 CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
 CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y