From 95aaa97dc305a2d3980fd4bfcc1cbe2d93a24924 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 21 Oct 2024 12:12:29 +0200 Subject: [PATCH] mbedtls: add Kconfig to select the number of key slot in PSA Crypto core Adding new CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT to select the number of key slots in PSA Crypto core. The default value is 16. Be aware that key slots consume RAM memory even if unused, so the proper value should be a compromise between the number of slots required by the application and the available RAM in the system. This commit also: - updates tests/crypto/secp256r1/mbedtls.conf to showcase how to use this new symbol to reduce RAM footprint. - tests/bsim/bluetooth/mesh/overlay_psa.conf to support all the keys used in the test. Signed-off-by: Valerio Setti --- doc/releases/migration-guide-4.1.rst | 8 ++++++++ doc/releases/release-notes-4.1.rst | 6 ++++++ modules/mbedtls/Kconfig.tls-generic | 13 +++++++++++++ modules/mbedtls/configs/config-tls-generic.h | 5 ++++- tests/bsim/bluetooth/mesh/overlay_psa.conf | 3 +++ tests/crypto/secp256r1/mbedtls.conf | 1 + 6 files changed, 35 insertions(+), 1 deletion(-) diff --git a/doc/releases/migration-guide-4.1.rst b/doc/releases/migration-guide-4.1.rst index e7420af4941..75ebd3a761a 100644 --- a/doc/releases/migration-guide-4.1.rst +++ b/doc/releases/migration-guide-4.1.rst @@ -36,6 +36,14 @@ Mbed TLS :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_LEGACY_RNG`. This helps in reducing ROM/RAM footprint of the Mbed TLS library. +* The newly-added Kconfig option :kconfig:option:`CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT` + allows to specify the number of key slots available in the PSA Crypto core. + Previously this value was not explicitly set, so Mbed TLS's default value of + 32 was used. The new Kconfig option defaults to 16 instead in order to find + a reasonable compromise between RAM consumption and most common use cases. + It can be further trimmed down to reduce RAM consumption if the final + application doesn't need that many key slots simultaneously. + Trusted Firmware-M ================== diff --git a/doc/releases/release-notes-4.1.rst b/doc/releases/release-notes-4.1.rst index 5d56706c392..00d3f74f506 100644 --- a/doc/releases/release-notes-4.1.rst +++ b/doc/releases/release-notes-4.1.rst @@ -273,6 +273,12 @@ Libraries / Subsystems (or remove, if no other component makes use of it) heap memory requirements from the final application. + * The Kconfig symbol :kconfig:option:`CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT` was + added to allow selecting the number of key slots available in the Mbed TLS + implementation of the PSA Crypto core. It defaults to 16. Since each + slot consumes RAM memory even if unused, this value can be tweaked in order + to minimize RAM usage. + * CMSIS-NN * FPGA diff --git a/modules/mbedtls/Kconfig.tls-generic b/modules/mbedtls/Kconfig.tls-generic index f65c86a2d96..5c8ac8b569b 100644 --- a/modules/mbedtls/Kconfig.tls-generic +++ b/modules/mbedtls/Kconfig.tls-generic @@ -585,6 +585,19 @@ config MBEDTLS_PSA_STATIC_KEY_SLOTS contain the largest asymmetric/symmetric key type enabled in the build through PSA_WANT symbols. +config MBEDTLS_PSA_KEY_SLOT_COUNT + int "Number of key slots in PSA Crypto core" + default 16 + help + Set the number of key slots that are available in the PSA Crypto core. + Be aware that each slot, even if unused, increases RAM consumption + by ~40 bytes plus: + * the length of the largest asymmetric/symmetric key type enabled in + the build through PSA_WANT symbols, if MBEDTLS_PSA_STATIC_KEY_SLOTS + is set. (This is all defined statically at build time). + * the heap-allocated memory to store the key material of a given slot, + if it is used and MBEDTLS_PSA_STATIC_KEY_SLOTS is not set. + endif # MBEDTLS_PSA_CRYPTO_C config MBEDTLS_SSL_DTLS_CONNECTION_ID diff --git a/modules/mbedtls/configs/config-tls-generic.h b/modules/mbedtls/configs/config-tls-generic.h index 3f2bc5354bb..989d0ad70f2 100644 --- a/modules/mbedtls/configs/config-tls-generic.h +++ b/modules/mbedtls/configs/config-tls-generic.h @@ -483,7 +483,6 @@ #endif #if defined(CONFIG_ARCH_POSIX) && !defined(CONFIG_PICOLIBC) -#define MBEDTLS_PSA_KEY_SLOT_COUNT 64 /* for BLE Mesh tests */ #define MBEDTLS_PSA_ITS_FILE_C #define MBEDTLS_FS_IO #endif @@ -498,6 +497,10 @@ #define MBEDTLS_PSA_STATIC_KEY_SLOTS #endif +#if defined(CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT) +#define MBEDTLS_PSA_KEY_SLOT_COUNT CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT +#endif + #if defined(CONFIG_MBEDTLS_USE_PSA_CRYPTO) #define MBEDTLS_USE_PSA_CRYPTO #endif diff --git a/tests/bsim/bluetooth/mesh/overlay_psa.conf b/tests/bsim/bluetooth/mesh/overlay_psa.conf index 764d8cb6ea4..f5a776bc6da 100644 --- a/tests/bsim/bluetooth/mesh/overlay_psa.conf +++ b/tests/bsim/bluetooth/mesh/overlay_psa.conf @@ -1,5 +1,8 @@ # Enable PSA as a crypto backend in host CONFIG_BT_USE_PSA_API=y +# Increase the number of key slots in PSA Crypto core +CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT=64 + # Enable mbedTLS PSA as a crypto backend CONFIG_BT_MESH_USES_MBEDTLS_PSA=y diff --git a/tests/crypto/secp256r1/mbedtls.conf b/tests/crypto/secp256r1/mbedtls.conf index 7c3a56ce20b..bbc2eb0e656 100644 --- a/tests/crypto/secp256r1/mbedtls.conf +++ b/tests/crypto/secp256r1/mbedtls.conf @@ -2,6 +2,7 @@ CONFIG_MBEDTLS=y CONFIG_MBEDTLS_PSA_CRYPTO_C=y CONFIG_MBEDTLS_PSA_P256M_DRIVER_ENABLED=y CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOTS=y +CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT=2 CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y