From 2f6ea8ed7708d62fc8e7f2cc53c382e252ad151f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 24 Oct 2024 14:35:53 +0200 Subject: [PATCH] mbedtls: add Kconfig symbol CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOTS Adding the Kconfig symbol CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOTS to allow Mbed TLS's PSA Crypto core to use static key buffers to store key's material. This helps reducing heap memory usage and, potentially, it also discard code implementing heap memory management if there's no other module in the build that makes use of it. Signed-off-by: Valerio Setti --- doc/releases/release-notes-4.1.rst | 6 ++++++ modules/mbedtls/Kconfig.tls-generic | 19 ++++++++++++++++++- modules/mbedtls/configs/config-tls-generic.h | 4 ++++ tests/crypto/secp256r1/mbedtls.conf | 1 + 4 files changed, 29 insertions(+), 1 deletion(-) diff --git a/doc/releases/release-notes-4.1.rst b/doc/releases/release-notes-4.1.rst index 876df997c4f..5d56706c392 100644 --- a/doc/releases/release-notes-4.1.rst +++ b/doc/releases/release-notes-4.1.rst @@ -267,6 +267,12 @@ Libraries / Subsystems * Crypto + * The Kconfig symbol :kconfig:option:`CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOTS` was + added to allow Mbed TLS to use statically allocated buffers to store key material + in its PSA Crypto core instead of heap-allocated ones. This can help reduce + (or remove, if no other component makes use of it) heap memory requirements + from the final application. + * CMSIS-NN * FPGA diff --git a/modules/mbedtls/Kconfig.tls-generic b/modules/mbedtls/Kconfig.tls-generic index 779d3b356f8..f65c86a2d96 100644 --- a/modules/mbedtls/Kconfig.tls-generic +++ b/modules/mbedtls/Kconfig.tls-generic @@ -554,9 +554,10 @@ config MBEDTLS_LMS depends on MBEDTLS_SHA256 select PSA_WANT_ALG_SHA_256 +if MBEDTLS_PSA_CRYPTO_C + config MBEDTLS_PSA_P256M_DRIVER_ENABLED bool "P256-M driver" - depends on MBEDTLS_PSA_CRYPTO_C imply PSA_WANT_ALG_SHA_256 help Enable support for the optimized sofware implementation of the secp256r1 @@ -570,6 +571,22 @@ config MBEDTLS_PSA_P256M_DRIVER_RAW Warning: Usage of this Kconfig option is prohibited in Zephyr's codebase. Users can enable it in case of very memory-constrained devices, but be aware that the p256-m interface is absolutely not guaranted to remain stable over time. +config MBEDTLS_PSA_STATIC_KEY_SLOTS + bool "Use statically allocated key buffers to store key material" + default y if !MBEDTLS_ENABLE_HEAP + help + By default Mbed TLS's PSA Crypto core uses heap memory to store the + key material for each key slot. This might impose an undesired + requirement to support heap memory and its management code, affecting + RAM and ROM footprints at the same time. + Enabling this symbol causes Mbed TLS to pre-allocate all the key slot + buffers that are used to store the key material at build time, thus + removing the need for heap memory. Each buffer will be sized to + contain the largest asymmetric/symmetric key type enabled in the build + through PSA_WANT symbols. + +endif # MBEDTLS_PSA_CRYPTO_C + config MBEDTLS_SSL_DTLS_CONNECTION_ID bool "DTLS Connection ID extension" depends on MBEDTLS_DTLS diff --git a/modules/mbedtls/configs/config-tls-generic.h b/modules/mbedtls/configs/config-tls-generic.h index aff59f9e17e..3f2bc5354bb 100644 --- a/modules/mbedtls/configs/config-tls-generic.h +++ b/modules/mbedtls/configs/config-tls-generic.h @@ -494,6 +494,10 @@ #endif /* CONFIG_MBEDTLS_PSA_CRYPTO_C */ +#if defined(CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOTS) +#define MBEDTLS_PSA_STATIC_KEY_SLOTS +#endif + #if defined(CONFIG_MBEDTLS_USE_PSA_CRYPTO) #define MBEDTLS_USE_PSA_CRYPTO #endif diff --git a/tests/crypto/secp256r1/mbedtls.conf b/tests/crypto/secp256r1/mbedtls.conf index e87e14abd71..7c3a56ce20b 100644 --- a/tests/crypto/secp256r1/mbedtls.conf +++ b/tests/crypto/secp256r1/mbedtls.conf @@ -1,6 +1,7 @@ CONFIG_MBEDTLS=y CONFIG_MBEDTLS_PSA_CRYPTO_C=y CONFIG_MBEDTLS_PSA_P256M_DRIVER_ENABLED=y +CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOTS=y CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y