From f539b661d6011f44297137a11a6fd2e1573bf8d2 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 2 May 2024 15:54:56 +0200 Subject: [PATCH] mbedtls: add specific Kconfig option for MBEDTLS_USE_PSA_CRYPTO MBEDTLS_PSA_CRYPTO_C and MBEDTLS_USE_PSA_CRYPTO are 2 different things and the former should not automatically enable the latter. The reson is that the user might want the MbedTLS PSA crypto toolbox to be built, but at the same time he/she does not want TLS/DTLS (and other intermediate modules such as PK, MD and Cipher) to use PSA APIs. For this reason this commit introduces a new Kconfig option named CONFIG_MBEDTLS_USE_PSA_CRYPTO to enable the corresponding build symbol. By default USE_PSA_CRYPTO is disabled. It is only explicilty enabled in tests/samples that were previously setting CRYPTO_C (since in those cases USE_PSA was set). Signed-off-by: Valerio Setti --- modules/mbedtls/Kconfig.tls-generic | 6 ++++++ modules/mbedtls/configs/config-tls-generic.h | 3 +++ samples/tfm_integration/psa_crypto/prj.conf | 1 + subsys/bluetooth/mesh/Kconfig | 1 + 4 files changed, 11 insertions(+) diff --git a/modules/mbedtls/Kconfig.tls-generic b/modules/mbedtls/Kconfig.tls-generic index b55111a5599..5087213bb27 100644 --- a/modules/mbedtls/Kconfig.tls-generic +++ b/modules/mbedtls/Kconfig.tls-generic @@ -486,6 +486,12 @@ config MBEDTLS_PSA_CRYPTO_C depends on MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG || MBEDTLS_PSA_CRYPTO_LEGACY_RNG default y if UOSCORE || UEDHOC +config MBEDTLS_USE_PSA_CRYPTO + bool "Use PSA APIs instead of legacy MbedTLS when possible" + help + Use PSA APIs instead of legacy MbedTLS functions in TLS/DTLS and other + "intermediate" modules such as PK, MD and Cipher. + config MBEDTLS_LMS bool "Support LMS signature schemes" depends on MBEDTLS_PSA_CRYPTO_C diff --git a/modules/mbedtls/configs/config-tls-generic.h b/modules/mbedtls/configs/config-tls-generic.h index 383ab44f18b..92ab1f66edb 100644 --- a/modules/mbedtls/configs/config-tls-generic.h +++ b/modules/mbedtls/configs/config-tls-generic.h @@ -474,7 +474,10 @@ #if defined(CONFIG_MBEDTLS_PSA_CRYPTO_C) #define MBEDTLS_PSA_CRYPTO_C + +#if defined(CONFIG_MBEDTLS_USE_PSA_CRYPTO) #define MBEDTLS_USE_PSA_CRYPTO +#endif #if defined(CONFIG_ARCH_POSIX) && !defined(CONFIG_PICOLIBC) #define MBEDTLS_PSA_KEY_SLOT_COUNT 64 diff --git a/samples/tfm_integration/psa_crypto/prj.conf b/samples/tfm_integration/psa_crypto/prj.conf index a7ac8db8f2e..f308a5aefaf 100644 --- a/samples/tfm_integration/psa_crypto/prj.conf +++ b/samples/tfm_integration/psa_crypto/prj.conf @@ -29,6 +29,7 @@ CONFIG_MBEDTLS_USER_CONFIG_ENABLE=y CONFIG_MBEDTLS_USER_CONFIG_FILE="user-tls-conf.h" CONFIG_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_MBEDTLS_USE_PSA_CRYPTO=y CONFIG_MBEDTLS_ENTROPY_ENABLED=y CONFIG_MBEDTLS_ECP_C=y CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y diff --git a/subsys/bluetooth/mesh/Kconfig b/subsys/bluetooth/mesh/Kconfig index 88fccf0961c..74e377569b3 100644 --- a/subsys/bluetooth/mesh/Kconfig +++ b/subsys/bluetooth/mesh/Kconfig @@ -1349,6 +1349,7 @@ config BT_MESH_USES_MBEDTLS_PSA select MBEDTLS select MBEDTLS_ZEPHYR_ENTROPY select MBEDTLS_PSA_CRYPTO_C + select MBEDTLS_USE_PSA_CRYPTO select MBEDTLS_MAC_CMAC_ENABLED select MBEDTLS_CIPHER_AES_ENABLED select MBEDTLS_AES_ROM_TABLES