In an effort to shave off code size, remove out-of-the-box
enabling of crypto features (except SHA-256).
Configurations are adjusted to enable what they need.
Bonuses:
- When enabled, AES now defaults to using a smaller version
(`CONFIG_MBEDTLS_AES_ROM_TABLES` isn't default enabled anymore,
and if enabled, `CONFIG_MBEDTLS_AES_FEWER_TABLES` defaults to y).
- Conditions around Mbed TLS Kconfig options have been improved
to reflect the reality of the dependencies.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Add "sha3.c" source file that was previously missing from
CMakeLists.txt and that has been added in MbedTLS 3.6 release.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Fix undefined reference to mbedtls_pk_ecc_xxx functions following update
to latest mbedtls version.
Signed-off-by: Joel Guittet <joelguittet@gmail.com>
Include `psa_crypto_ffdh.c` when compiling MbedTLS with PSA support, as
`MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY` references the included
functions.
Signed-off-by: Jordan Yates <jordan@embeint.com>
Use TF-M PSA API headers when compiling with TF-M enabled.
Fixes: #43249
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Signed-off-by: Markus Swarowsky <markus.swarowsky@nordicsemi.no>
Update trusted-firmware-m to 1.8.0, mbedtls to 3.4.0, and tf-m-tests to
1.8.0. Includes minor cmake changes due to file renames and such, as well
as adjusting the return type of a callback function that has changed since
the previous version of trusted-firmware-m.
Signed-off-by: David Brown <david.brown@linaro.org>
TFM redefines functions from mbed TLS's psa_crypto_slot_management.c,
therefore that file should not be included in build when TFM is enabled.
Otherwise, the linker reports an error about redefined functions like
psa_open_key() etc.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Update trusted-firmware-m to 1.8.0, mbedtls to 3.4.0, and tf-m-tests to
1.8.0. Includes minor cmake changes due to file renames and such, as well
as adjusting the return type of a callback function that has changed since
the previous version of trusted-firmware-m.
Signed-off-by: David Brown <david.brown@linaro.org>
A mesh key type has been added to be able to choose the different
key representation for different security libraries.
The type as well as some functionality related to Mesh key
management has been added as a public API.
If tynicrypt is chosen then keys have representation
as 16 bytes array. If mbedTLS with PSA is used then keys are
the PSA key id. Raw value is not kept within BLE Mesh stack
for mbedTLS. Keys are imported into the security library
and key ids are gotten back. This refactoring has been done
for the network(including all derivated keys), application,
device, and session keys.
Signed-off-by: Aleksandr Khromykh <aleksandr.khromykh@nordicsemi.no>
Previously, Zephyr's mbedtls module's cmake build created a single static
library, rather than the collection of libraries (mbedtls, mbedcrypto,
and mbedx509) that upstream mbedTLS cmake provides.
To give better control at link time to choose the required libraries to
link, this commit updates the Zephyr MbedTLS module to also define a
collection of libraries rather than a single static MbedTLS library.
One benefit of the three library approach is that if mbedTLS is used in
Zephyr in the the non-secure application in addition to TFM's PSA Crypto
API on the secure side with TF-M, PSA API calls on the non-secure side
will be redirected to the TFM PSA implementation, and the mbedcrypto
library will only be linked to the secure (TF-M) binary, with the mbedtls
and mbedx509 libraries linked against the non-secure (Zephyr) binary,
enabling TLS calls to PSA crypto to be redirected to mbedcrypto in the
secure partition and avoiding function duplication in the non-secure
binary.
Signed-off-by: Rajkumar Kanagaraj <rajkumar.kanagaraj@linaro.org>
So far there was a runtime basename extraction of filenames passed to
mbedTLS debug hook. This has both runtime penalty as well as code size
penalty.
Introduce a buildtime support of extracting basename of source filenames
logged using logging subsystem, so that there is no need to do it at
runtime.
Provide Kconfig options for both buildtime and runtime basename extraction,
as in some cases the buildtime basename extraction might not work,
depending on toolchain used for building Zephyr. Default to buildtime when
using Zephyr SDK, as that is proven to work. Use runtime basename
extraction in other cases (other toolchains used).
This saves approximately 204 bytes of code footprint for sample
application with native TLS sockets built for nRF52840.
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
So far there was a debug log hook installed in TLS socket implementation.
However, mbedTLS (with debug enabled) might be used outside from TLS socket
and even outside from networking context.
Add new module, which implements debug log hook and makes it available
whenever CONFIG_MBEDTLS_DEBUG is enabled.
Note that debug hook needs to be installed for each mbedTLS context
separately, which means that this requires action from mbedTLS users, such
as TLS sockets implementation.
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
Add module specific compiler flags to suppress reporting unused
variables and unused functions in mbedtls building.
Signed-off-by: Eugene Cohen <quic_egmc@quicinc.com>
Signed-off-by: Dave Aldridge <quic_daldridg@quicinc.com>
psa_crypto_cipher.c includes an internal header with <>, causing
complication errors in Zephyr (header not found).
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Use the Mbed TLS module, expecting the upstream directory layout rather
than the nested directory we've been using before.
Signed-off-by: David Brown <david.brown@linaro.org>
-The current scheme in zephyr has the two choices MBEDTLS_BUILTIN
and MBEDTLS_LIBRARY, but the choice of MBEDTLS_LIBRARY requires
setting CONFIG_MBEDTLS_INSTALL_PATH for includes and library linking.
This may not be neccesary when an alternative implementation of the
library is being used. This adds support for custom choices in
MBEDTLS_IMPLEMENTATION which can be added in an out-of-tree Kconfig
file.
-Made else an elseif(CONFIG_MBEDTLS_LIBRARY.
-Removed reduntant assertion between the two choices.
Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Updates in CMakeLists.txt to reflect the restructuring
in the module directory. This also bumps mbetls version
to 2.26.0.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
We move the Zephyr-specific CMakeLists.txt file into
the main Zephyr tree. We also move the zephyr_init.c
source file.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
