modules: mbedtls: move CMakeLists.txt. into the main tree

We move the Zephyr-specific CMakeLists.txt file into
the main Zephyr tree. We also move the zephyr_init.c
source file.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>

modules/mbedtls/CMakeLists.txt

@@ -0,0 +1,56 @@
+if(CONFIG_MBEDTLS)
+zephyr_interface_library_named(mbedTLS)
+
+if(CONFIG_MBEDTLS_BUILTIN)
+  target_compile_definitions(mbedTLS INTERFACE
+	  MBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CFG_FILE}"
+	)
+
+  target_include_directories(mbedTLS INTERFACE
+    ${ZEPHYR_CURRENT_MODULE_DIR}/include
+    ${ZEPHYR_CURRENT_MODULE_DIR}/configs
+	)
+
+  zephyr_library()
+
+  file(GLOB
+    mbedtls_sources # This is an output parameter
+      ${ZEPHYR_CURRENT_MODULE_DIR}/library/*.c
+    )
+
+  zephyr_library_sources(
+    zephyr_init.c
+    ${mbedtls_sources}
+  )
+
+  zephyr_library_app_memory(k_mbedtls_partition)
+if(CONFIG_ARCH_POSIX AND CONFIG_ASAN AND NOT CONFIG_64BIT)
+  # i386 assembly code used in MBEDTLS does not compile with size optimization
+  # if address sanitizer is enabled, as such switch default optimization level
+  # to speed
+  set_property(SOURCE ${ZEPHYR_CURRENT_MODULE_DIR}/library/bignum.c APPEND PROPERTY COMPILE_OPTIONS
+      "${OPTIMIZE_FOR_SPEED_FLAG}")
+endif ()
+
+  zephyr_library_link_libraries(mbedTLS)
+else()
+  assert(CONFIG_MBEDTLS_LIBRARY "MBEDTLS was enabled, but neither BUILTIN or LIBRARY was selected.")
+
+  # NB: CONFIG_MBEDTLS_LIBRARY is not regression tested and is
+  # therefore susceptible to bit rot
+
+  target_include_directories(mbedTLS INTERFACE
+	${CONFIG_MBEDTLS_INSTALL_PATH}
+	)
+
+  zephyr_link_libraries(
+    mbedtls_external
+    -L${CONFIG_MBEDTLS_INSTALL_PATH}
+    gcc
+    )
+  # Lib mbedtls_external depends on libgcc (I assume?) so to allow
+  # mbedtls_external to link with gcc we need to ensure it is placed
+  # after mbedtls_external on the linkers command line.
+endif()
+
+endif()

modules/mbedtls/Kconfig

@@ -0,0 +1,147 @@
+# Cryptography primitive options for mbed TLS
+
+# Copyright (c) 2016 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+config ZEPHYR_MBEDTLS_MODULE
+	bool
+
+menuconfig MBEDTLS
+	bool "mbedTLS Support"
+	help
+	  This option enables the mbedTLS cryptography library.
+
+if MBEDTLS
+
+choice
+	prompt "Select implementation"
+	default MBEDTLS_BUILTIN
+
+config MBEDTLS_BUILTIN
+	bool "Use Zephyr in-tree mbedTLS version"
+	help
+	  Link with mbedTLS sources included with Zephyr distribution.
+	  Included mbedTLS version is well integrated with and supported
+	  by Zephyr, and the recommended choice for most users.
+
+config MBEDTLS_LIBRARY
+	bool "Use external mbedTLS library"
+	help
+	  Use external, out-of-tree prebuilt mbedTLS library. For advanced
+	  users only.
+
+endchoice
+
+config MBEDTLS_CFG_FILE
+	string "mbed TLS configuration file"
+	depends on MBEDTLS_BUILTIN
+	default "config-tls-generic.h"
+	help
+	  Use a specific mbedTLS configuration file. The default config file
+	  file can be tweaked with Kconfig. The default configuration is
+	  suitable to communicate with majority of HTTPS servers on the Internet,
+	  but has relatively many features enabled. To optimize resources for
+	  special TLS usage, use available Kconfig options, or select an
+	  alternative config.
+
+rsource "Kconfig.tls-generic"
+
+config MBEDTLS_SSL_MAX_CONTENT_LEN
+	int "Max payload size for TLS protocol message"
+	default 1500
+	depends on MBEDTLS_BUILTIN
+	help
+	  The TLS standards mandate max payload size of 16384 bytes. So, for
+	  maximum operability and for general-purpose usage, that value must
+	  be used. For specific usages, that value can be largely decreased.
+	  E.g. for DTLS, payload size is limited by UDP datagram size, and
+	  even for HTTPS REST API, the payload can be limited to max size of
+	  (REST request, REST response, server certificate(s)).
+	  mbedTLS uses this value separate for input and output buffers, so
+	  twice this value will be allocated (on mbedTLS own heap, so the
+	  value of MBEDTLS_HEAP_SIZE should accommodate that).
+
+config MBEDTLS_DEBUG
+	bool "mbed TLS debug activation"
+	depends on MBEDTLS_BUILTIN
+	help
+	  Enable debugging activation for mbed TLS configuration. If you use
+	  mbedTLS/Zephyr integration (e.g. net_app), this will activate debug
+	  logging (of the level configured by MBEDTLS_DEBUG_LEVEL).
+	  If you use mbedTLS directly instead, you will need to perform
+	  additional configuration yourself: call
+	  mbedtls_ssl_conf_dbg(&mbedtls.conf, my_debug, NULL);
+	  mbedtls_debug_set_threshold(level);
+	  functions in your application, and create the my_debug() function to
+	  actually print something useful.
+
+config MBEDTLS_DEBUG_LEVEL
+	int "mbed TLS default debug level"
+	depends on MBEDTLS_DEBUG
+	default 0
+	range 0 4
+	help
+	  Default mbed TLS debug logging level for Zephyr integration code
+	  (from ext/lib/crypto/mbedtls/include/mbedtls/debug.h):
+	  0 No debug
+	  1 Error
+	  2 State change
+	  3 Information
+	  4 Verbose
+
+config MBEDTLS_MEMORY_DEBUG
+	bool "mbed TLS memory debug activation"
+	depends on MBEDTLS_BUILTIN
+	help
+	  Enable debugging of buffer allocator memory issues. Automatically
+	  prints (to stderr) all (fatal) messages on memory allocation
+	  issues. Enables function for 'debug output' of allocated memory.
+
+config MBEDTLS_TEST
+	bool "Compile internal self test functions"
+	depends on MBEDTLS_BUILTIN
+	help
+	  Enable self test function for the crypto algorithms
+
+config MBEDTLS_INSTALL_PATH
+	string "mbedTLS install path"
+	depends on MBEDTLS_LIBRARY
+	help
+	  This option holds the path where the mbedTLS libraries and headers are
+	  installed. Make sure this option is properly set when MBEDTLS_LIBRARY
+	  is enabled otherwise the build will fail.
+
+config MBEDTLS_ENABLE_HEAP
+	bool "Enable global heap for mbed TLS"
+	help
+	  This option enables the mbedtls to use the heap. This setting must
+	  be global so that various applications and libraries in Zephyr do not
+	  try to do this themselves as there can be only one heap defined
+	  in mbedtls. If this is enabled, then the Zephyr will, during the device
+	  startup, initialize the heap automatically.
+
+config MBEDTLS_HEAP_SIZE
+	int "Heap size for mbed TLS"
+	default 10240 if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
+	default 512
+	depends on MBEDTLS_ENABLE_HEAP
+	help
+	  The mbedtls routines will use this heap if enabled.
+	  See ext/lib/crypto/mbedtls/include/mbedtls/config.h and
+	  MBEDTLS_MEMORY_BUFFER_ALLOC_C option for details. That option is not
+	  enabled by default.
+	  Default value for the heap size is not set as it depends on the
+	  application. For streaming communication with arbitrary (HTTPS)
+	  servers on the Internet, 32KB + overheads (up to another 20KB) may
+	  be needed. For some dedicated and specific usage of mbedtls API, the
+	  1000 bytes might be ok.
+
+config APP_LINK_WITH_MBEDTLS
+	bool "Link 'app' with MBEDTLS"
+	default y
+	help
+	  Add MBEDTLS header files to the 'app' include path. It may be
+	  disabled if the include paths for MBEDTLS are causing aliasing
+	  issues for 'app'.
+
+endif # MBEDTLS

modules/mbedtls/Kconfig.tls-generic

@@ -0,0 +1,358 @@
+# TLS/DTLS related options
+
+# Copyright (c) 2018 Intel Corporation
+# Copyright (c) 2018 Nordic Semiconductor ASA
+# SPDX-License-Identifier: Apache-2.0
+
+menu "TLS configuration"
+	depends on MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h"
+
+menu "Supported TLS version"
+
+config MBEDTLS_TLS_VERSION_1_0
+	bool "Enable support for TLS 1.0"
+	select MBEDTLS_CIPHER
+	select MBEDTLS_MAC_MD5_ENABLED
+	select MBEDTLS_MAC_SHA1_ENABLED
+	select MBEDTLS_MD
+
+config MBEDTLS_TLS_VERSION_1_1
+	bool "Enable support for TLS 1.1 (DTLS 1.0)"
+	select MBEDTLS_CIPHER
+	select MBEDTLS_MAC_MD5_ENABLED
+	select MBEDTLS_MAC_SHA1_ENABLED
+	select MBEDTLS_MD
+
+config MBEDTLS_TLS_VERSION_1_2
+	bool "Enable support for TLS 1.2 (DTLS 1.2)"
+	default y if !NET_L2_OPENTHREAD
+	select MBEDTLS_CIPHER
+	select MBEDTLS_MD
+
+config MBEDTLS_DTLS
+	bool "Enable support for DTLS"
+	depends on MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
+
+config MBEDTLS_SSL_EXPORT_KEYS
+	bool "Enable support for exporting SSL key block and master secret"
+	depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
+
+config MBEDTLS_SSL_ALPN
+	bool "Enable support for setting the supported Application Layer Protocols"
+	depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
+
+endmenu
+
+menu "Ciphersuite configuration"
+
+comment "Supported key exchange modes"
+
+config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
+	bool "Enable all available ciphersuite modes"
+	select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+	select MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+	select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+	select MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+	select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+	select MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+	select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+	select MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+	select MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+	select MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+	select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
+
+config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+	bool "Enable the PSK based ciphersuite modes"
+
+config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+	bool "Enable the DHE-PSK based ciphersuite modes"
+
+config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+	bool "Enable the ECDHE-PSK based ciphersuite modes"
+
+config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+	bool "Enable the RSA-PSK based ciphersuite modes"
+
+config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+	bool "Enable the RSA-only based ciphersuite modes"
+	default y if !NET_L2_OPENTHREAD
+
+config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+	bool "Enable the DHE-RSA based ciphersuite modes"
+
+config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+	bool "Enable the ECDHE-RSA based ciphersuite modes"
+
+config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+	bool "Enable the ECDHE-ECDSA based ciphersuite modes"
+
+config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+	bool "Enable the ECDH-ECDSA based ciphersuite modes"
+
+config MBEDTLS_ECDSA_DETERMINISTIC
+	bool "Enable deterministic ECDSA (RFC 6979)"
+
+config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+	bool "Enable the ECDH-RSA based ciphersuite modes"
+
+config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
+	bool "Enable the ECJPAKE based ciphersuite modes"
+
+if MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
+	MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \
+	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || \
+	MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED || \
+	MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || \
+	MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
+
+comment "Supported elliptic curves"
+
+config MBEDTLS_ECP_ALL_ENABLED
+	bool "Enable all available elliptic curves"
+	select MBEDTLS_ECP_DP_SECP192R1_ENABLED
+	select MBEDTLS_ECP_DP_SECP192R1_ENABLED
+	select MBEDTLS_ECP_DP_SECP224R1_ENABLED
+	select MBEDTLS_ECP_DP_SECP256R1_ENABLED
+	select MBEDTLS_ECP_DP_SECP384R1_ENABLED
+	select MBEDTLS_ECP_DP_SECP521R1_ENABLED
+	select MBEDTLS_ECP_DP_SECP192K1_ENABLED
+	select MBEDTLS_ECP_DP_SECP224K1_ENABLED
+	select MBEDTLS_ECP_DP_SECP256K1_ENABLED
+	select MBEDTLS_ECP_DP_BP256R1_ENABLED
+	select MBEDTLS_ECP_DP_BP384R1_ENABLED
+	select MBEDTLS_ECP_DP_BP512R1_ENABLED
+	select MBEDTLS_ECP_DP_CURVE25519_ENABLED
+	select MBEDTLS_ECP_DP_CURVE448_ENABLED
+	select MBEDTLS_ECP_NIST_OPTIM
+
+config MBEDTLS_ECP_DP_SECP192R1_ENABLED
+	bool "Enable SECP192R1 elliptic curve"
+
+config MBEDTLS_ECP_DP_SECP224R1_ENABLED
+	bool "Enable SECP224R1 elliptic curve"
+
+config MBEDTLS_ECP_DP_SECP256R1_ENABLED
+	bool "Enable SECP256R1 elliptic curve"
+
+config MBEDTLS_ECP_DP_SECP384R1_ENABLED
+	bool "Enable SECP384R1 elliptic curve"
+
+config MBEDTLS_ECP_DP_SECP521R1_ENABLED
+	bool "Enable SECP521R1 elliptic curve"
+
+config MBEDTLS_ECP_DP_SECP192K1_ENABLED
+	bool "Enable SECP192K1 elliptic curve"
+
+config MBEDTLS_ECP_DP_SECP224K1_ENABLED
+	bool "Enable SECP224K1 elliptic curve"
+
+config MBEDTLS_ECP_DP_SECP256K1_ENABLED
+	bool "Enable SECP256K1 elliptic curve"
+
+config MBEDTLS_ECP_DP_BP256R1_ENABLED
+	bool "Enable BP256R1 elliptic curve"
+
+config MBEDTLS_ECP_DP_BP384R1_ENABLED
+	bool "Enable BP384R1 elliptic curve"
+
+config MBEDTLS_ECP_DP_BP512R1_ENABLED
+	bool "Enable BP512R1 elliptic curve"
+
+config MBEDTLS_ECP_DP_CURVE25519_ENABLED
+	bool "Enable CURVE25519 elliptic curve"
+
+config MBEDTLS_ECP_DP_CURVE448_ENABLED
+	bool "Enable CURVE448 elliptic curve"
+
+config MBEDTLS_ECP_NIST_OPTIM
+	bool "Enable NSIT curves optimization"
+
+endif
+
+comment "Supported cipher modes"
+
+config MBEDTLS_CIPHER_ALL_ENABLED
+	bool "Enable all available ciphers"
+	select MBEDTLS_CIPHER_AES_ENABLED
+	select MBEDTLS_CIPHER_CAMELLIA_ENABLED
+	select MBEDTLS_CIPHER_DES_ENABLED
+	select MBEDTLS_CIPHER_ARC4_ENABLED
+	select MBEDTLS_CIPHER_CHACHA20_ENABLED
+	select MBEDTLS_CIPHER_BLOWFISH_ENABLED
+	select MBEDTLS_CIPHER_CCM_ENABLED
+	select MBEDTLS_CIPHER_GCM_ENABLED
+	select MBEDTLS_CIPHER_MODE_XTS_ENABLED
+	select MBEDTLS_CIPHER_MODE_CBC_ENABLED
+	select MBEDTLS_CIPHER_MODE_CTR_ENABLED
+	select MBEDTLS_CHACHAPOLY_AEAD_ENABLED
+
+config MBEDTLS_CIPHER_AES_ENABLED
+	bool "Enable the AES block cipher"
+	default y
+
+config MBEDTLS_AES_ROM_TABLES
+	depends on MBEDTLS_CIPHER_AES_ENABLED
+	bool "Use precomputed AES tables stored in ROM."
+	default y
+
+config MBEDTLS_CIPHER_CAMELLIA_ENABLED
+	bool "Enable the Camellia block cipher"
+
+config MBEDTLS_CIPHER_DES_ENABLED
+	bool "Enable the DES block cipher"
+	default y if !NET_L2_OPENTHREAD
+
+config MBEDTLS_CIPHER_ARC4_ENABLED
+	bool "Enable the ARC4 stream cipher"
+
+config MBEDTLS_CIPHER_CHACHA20_ENABLED
+	bool "Enable the ChaCha20 stream cipher"
+
+config MBEDTLS_CIPHER_BLOWFISH_ENABLED
+	bool "Enable the Blowfish block cipher"
+
+config MBEDTLS_CIPHER_CCM_ENABLED
+	bool "Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher"
+	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
+
+config MBEDTLS_CIPHER_GCM_ENABLED
+	bool "Enable the Galois/Counter Mode (GCM) for AES"
+	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
+
+config MBEDTLS_CIPHER_MODE_XTS_ENABLED
+	bool "Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES"
+	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
+
+config MBEDTLS_CIPHER_MODE_CBC_ENABLED
+	bool "Enable Cipher Block Chaining mode (CBC) for symmetric ciphers"
+	default y if !NET_L2_OPENTHREAD
+
+config MBEDTLS_CIPHER_MODE_CTR_ENABLED
+	bool "Enable Counter Block Cipher mode (CTR) for symmetric ciphers."
+
+config MBEDTLS_CHACHAPOLY_AEAD_ENABLED
+	bool "Enable the ChaCha20-Poly1305 AEAD algorithm"
+	depends on MBEDTLS_CIPHER_CHACHA20_ENABLED || MBEDTLS_MAC_POLY1305_ENABLED
+
+comment "Supported message authentication methods"
+
+config MBEDTLS_MAC_ALL_ENABLED
+	bool "Enable all available MAC methods"
+	select MBEDTLS_MAC_MD4_ENABLED
+	select MBEDTLS_MAC_MD5_ENABLED
+	select MBEDTLS_MAC_SHA1_ENABLED
+	select MBEDTLS_MAC_SHA256_ENABLED
+	select MBEDTLS_MAC_SHA512_ENABLED
+	select MBEDTLS_MAC_POLY1305_ENABLED
+	select MBEDTLS_MAC_CMAC_ENABLED
+
+config MBEDTLS_MAC_MD4_ENABLED
+	bool "Enable the MD4 hash algorithm"
+
+config MBEDTLS_MAC_MD5_ENABLED
+	bool "Enable the MD5 hash algorithm"
+	default y if !NET_L2_OPENTHREAD
+
+config MBEDTLS_MAC_SHA1_ENABLED
+	bool "Enable the SHA1 hash algorithm"
+	default y if !NET_L2_OPENTHREAD
+
+config MBEDTLS_MAC_SHA256_ENABLED
+	bool "Enable the SHA-224 and SHA-256 hash algorithms"
+	default y
+
+config MBEDTLS_SHA256_SMALLER
+	bool "Enable smaller SHA-256 implementation"
+	depends on MBEDTLS_MAC_SHA256_ENABLED
+	default y
+	help
+	  Enable an implementation of SHA-256 that has lower ROM footprint but also
+	  lower performance
+
+config MBEDTLS_MAC_SHA512_ENABLED
+	bool "Enable the SHA-384 and SHA-512 hash algorithms"
+
+config MBEDTLS_MAC_POLY1305_ENABLED
+	bool "Enable the Poly1305 MAC algorithm"
+
+config MBEDTLS_MAC_CMAC_ENABLED
+	bool "Enable the CMAC (Cipher-based Message Authentication Code) mode for block ciphers."
+	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED
+
+endmenu
+
+comment "Random number generators"
+
+config MBEDTLS_CTR_DRBG_ENABLED
+	bool "Enable the CTR_DRBG AES-256-based random generator"
+	depends on MBEDTLS_CIPHER_AES_ENABLED
+	default y
+
+config MBEDTLS_HMAC_DRBG_ENABLED
+	bool "Enable the HMAC_DRBG random generator"
+	select MBEDTLS_MD
+
+comment "Other configurations"
+
+config MBEDTLS_CIPHER
+	bool "Enable the generic cipher layer."
+
+config MBEDTLS_MD
+	bool "Enable the generic message digest layer."
+
+config MBEDTLS_GENPRIME_ENABLED
+	bool "Enable the prime-number generation code."
+
+config MBEDTLS_PEM_CERTIFICATE_FORMAT
+	bool "Enable support for PEM certificate format"
+	help
+	  By default only DER (binary) format of certificates is supported. Enable
+	  this option to enable support for PEM format.
+
+config MBEDTLS_HAVE_ASM
+	bool "Enable use of assembly code"
+	default y if !ARM
+	help
+	  Enable use of assembly code in mbedTLS. This improves the performances
+	  of asymmetric cryptography, however this might have an impact on the
+	  code size.
+
+config MBEDTLS_ENTROPY_ENABLED
+	bool "Enable mbedTLS generic entropy pool"
+	depends on MBEDTLS_MAC_SHA256_ENABLED || MBEDTLS_MAC_SHA512_ENABLED
+
+config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED
+	bool "Enable mbedTLS optimizations for OpenThread"
+	depends on NET_L2_OPENTHREAD
+	default y if !NET_SOCKETS_SOCKOPT_TLS
+	help
+	  Enable some OpenThread specific mbedTLS optimizations that allows to
+	  save some RAM/ROM when OpenThread is used. Note, that when application
+	  aims to use other mbedTLS services on top of OpenThread (e.g. secure
+	  sockets), it's advised to disable this option.
+
+config MBEDTLS_USER_CONFIG_ENABLE
+	bool "Enable user mbedTLS config file"
+	help
+	  Enable user mbedTLS config file that will be included at the end of
+	  the generic config file.
+
+config MBEDTLS_USER_CONFIG_FILE
+	string "User configuration file for mbedTLS"
+	depends on MBEDTLS_USER_CONFIG_ENABLE
+	help
+	  User config file that can contain mbedTLS configs that were not
+	  covered by the generic config file.
+
+config MBEDTLS_SERVER_NAME_INDICATION
+	bool "Enable support for RFC 6066 server name indication (SNI) in SSL"
+	help
+	  Enable this to support RFC 6066 server name indication (SNI) in SSL.
+	  This requires that MBEDTLS_X509_CRT_PARSE_C is also set.
+
+config MBEDTLS_PK_WRITE_C
+	bool "Enable the generic public (asymetric) key writer"
+	help
+	  Enable generic public key write functions.
+
+endmenu

modules/mbedtls/zephyr_init.c

@@ -0,0 +1,52 @@
+/** @file
+ * @brief mbed TLS initialization
+ *
+ * Initialize the mbed TLS library like setup the heap etc.
+ */
+
+/*
+ * Copyright (c) 2017 Intel Corporation
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#include <init.h>
+#include <app_memory/app_memdomain.h>
+
+#if defined(CONFIG_MBEDTLS)
+#if !defined(CONFIG_MBEDTLS_CFG_FILE)
+#include "mbedtls/config.h"
+#else
+#include CONFIG_MBEDTLS_CFG_FILE
+#endif /* CONFIG_MBEDTLS_CFG_FILE */
+#endif
+
+#if defined(CONFIG_MBEDTLS_ENABLE_HEAP) && \
+					defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+#include <mbedtls/memory_buffer_alloc.h>
+
+#if !defined(CONFIG_MBEDTLS_HEAP_SIZE)
+#error "Please set heap size to be used. Set value to CONFIG_MBEDTLS_HEAP_SIZE \
+option."
+#endif
+
+static unsigned char _mbedtls_heap[CONFIG_MBEDTLS_HEAP_SIZE];
+
+static void init_heap(void)
+{
+	mbedtls_memory_buffer_alloc_init(_mbedtls_heap, sizeof(_mbedtls_heap));
+}
+#else
+#define init_heap(...)
+#endif /* CONFIG_MBEDTLS_ENABLE_HEAP && MBEDTLS_MEMORY_BUFFER_ALLOC_C */
+
+static int _mbedtls_init(const struct device *device)
+{
+	ARG_UNUSED(device);
+
+	init_heap();
+
+	return 0;
+}
+
+SYS_INIT(_mbedtls_init, POST_KERNEL, 0);