mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2024-12-25 15:20:25 +00:00
Adapt TF-M configurations to config split
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
parent
5096b4cb4b
commit
2654081885
@ -9,37 +9,149 @@
|
||||
* \brief PSA crypto configuration options (set of defines)
|
||||
*
|
||||
*/
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
|
||||
/**
|
||||
* When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled in mbedtls_config.h,
|
||||
* this file determines which cryptographic mechanisms are enabled
|
||||
* through the PSA Cryptography API (\c psa_xxx() functions).
|
||||
*
|
||||
* To enable a cryptographic mechanism, uncomment the definition of
|
||||
* the corresponding \c PSA_WANT_xxx preprocessor symbol.
|
||||
* To disable a cryptographic mechanism, comment out the definition of
|
||||
* the corresponding \c PSA_WANT_xxx preprocessor symbol.
|
||||
* The names of cryptographic mechanisms correspond to values
|
||||
* defined in psa/crypto_values.h, with the prefix \c PSA_WANT_ instead
|
||||
* of \c PSA_.
|
||||
*
|
||||
* Note that many cryptographic mechanisms involve two symbols: one for
|
||||
* the key type (\c PSA_WANT_KEY_TYPE_xxx) and one for the algorithm
|
||||
* (\c PSA_WANT_ALG_xxx). Mechanisms with additional parameters may involve
|
||||
* additional symbols.
|
||||
*/
|
||||
#else
|
||||
/**
|
||||
* When \c MBEDTLS_PSA_CRYPTO_CONFIG is disabled in mbedtls_config.h,
|
||||
* this file is not used, and cryptographic mechanisms are supported
|
||||
* through the PSA API if and only if they are supported through the
|
||||
* mbedtls_xxx API.
|
||||
*/
|
||||
#endif
|
||||
|
||||
#ifndef PROFILE_M_PSA_CRYPTO_CONFIG_H
|
||||
#define PROFILE_M_PSA_CRYPTO_CONFIG_H
|
||||
|
||||
/**
|
||||
* \name SECTION: Platform abstraction layer
|
||||
*
|
||||
* This section sets platform specific settings.
|
||||
* \{
|
||||
*/
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
|
||||
*
|
||||
* Enable the buffer allocator implementation that makes use of a (stack)
|
||||
* based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
|
||||
* calls)
|
||||
*
|
||||
* Module: library/memory_buffer_alloc.c
|
||||
*
|
||||
* Requires: MBEDTLS_PLATFORM_C
|
||||
* MBEDTLS_PLATFORM_MEMORY (to use it within Mbed TLS)
|
||||
*
|
||||
* Enable this module to enable the buffer memory allocator.
|
||||
*/
|
||||
#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PLATFORM_C
|
||||
*
|
||||
* Enable the platform abstraction layer that allows you to re-assign
|
||||
* functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
|
||||
*
|
||||
* Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
|
||||
* or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
|
||||
* above to be specified at runtime or compile time respectively.
|
||||
*
|
||||
* \note This abstraction layer must be enabled on Windows (including MSYS2)
|
||||
* as other modules rely on it for a fixed snprintf implementation.
|
||||
*
|
||||
* Module: library/platform.c
|
||||
* Caller: Most other .c files
|
||||
*
|
||||
* This module enables abstraction of common (libc) functions.
|
||||
*/
|
||||
#define MBEDTLS_PLATFORM_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PLATFORM_MEMORY
|
||||
*
|
||||
* Enable the memory allocation layer.
|
||||
*
|
||||
* By default Mbed TLS uses the system-provided calloc() and free().
|
||||
* This allows different allocators (self-implemented or provided) to be
|
||||
* provided to the platform abstraction layer.
|
||||
*
|
||||
* Enabling #MBEDTLS_PLATFORM_MEMORY without the
|
||||
* MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
|
||||
* "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
|
||||
* free() function pointer at runtime.
|
||||
*
|
||||
* Enabling #MBEDTLS_PLATFORM_MEMORY and specifying
|
||||
* MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
|
||||
* alternate function at compile time.
|
||||
*
|
||||
* An overview of how the value of mbedtls_calloc is determined:
|
||||
*
|
||||
* - if !MBEDTLS_PLATFORM_MEMORY
|
||||
* - mbedtls_calloc = calloc
|
||||
* - if MBEDTLS_PLATFORM_MEMORY
|
||||
* - if (MBEDTLS_PLATFORM_CALLOC_MACRO && MBEDTLS_PLATFORM_FREE_MACRO):
|
||||
* - mbedtls_calloc = MBEDTLS_PLATFORM_CALLOC_MACRO
|
||||
* - if !(MBEDTLS_PLATFORM_CALLOC_MACRO && MBEDTLS_PLATFORM_FREE_MACRO):
|
||||
* - Dynamic setup via mbedtls_platform_set_calloc_free is now possible with a default value MBEDTLS_PLATFORM_STD_CALLOC.
|
||||
* - How is MBEDTLS_PLATFORM_STD_CALLOC handled?
|
||||
* - if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS:
|
||||
* - MBEDTLS_PLATFORM_STD_CALLOC is not set to anything;
|
||||
* - MBEDTLS_PLATFORM_STD_MEM_HDR can be included if present;
|
||||
* - if !MBEDTLS_PLATFORM_NO_STD_FUNCTIONS:
|
||||
* - if MBEDTLS_PLATFORM_STD_CALLOC is present:
|
||||
* - User-defined MBEDTLS_PLATFORM_STD_CALLOC is respected;
|
||||
* - if !MBEDTLS_PLATFORM_STD_CALLOC:
|
||||
* - MBEDTLS_PLATFORM_STD_CALLOC = calloc
|
||||
*
|
||||
* - At this point the presence of MBEDTLS_PLATFORM_STD_CALLOC is checked.
|
||||
* - if !MBEDTLS_PLATFORM_STD_CALLOC
|
||||
* - MBEDTLS_PLATFORM_STD_CALLOC = uninitialized_calloc
|
||||
*
|
||||
* - mbedtls_calloc = MBEDTLS_PLATFORM_STD_CALLOC.
|
||||
*
|
||||
* Defining MBEDTLS_PLATFORM_CALLOC_MACRO and #MBEDTLS_PLATFORM_STD_CALLOC at the same time is not possible.
|
||||
* MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO must both be defined or undefined at the same time.
|
||||
* #MBEDTLS_PLATFORM_STD_CALLOC and #MBEDTLS_PLATFORM_STD_FREE do not have to be defined at the same time, as, if they are used,
|
||||
* dynamic setup of these functions is possible. See the tree above to see how are they handled in all cases.
|
||||
* An uninitialized #MBEDTLS_PLATFORM_STD_CALLOC always fails, returning a null pointer.
|
||||
* An uninitialized #MBEDTLS_PLATFORM_STD_FREE does not do anything.
|
||||
*
|
||||
* Requires: MBEDTLS_PLATFORM_C
|
||||
*
|
||||
* Enable this layer to allow use of alternative memory allocators.
|
||||
*/
|
||||
#define MBEDTLS_PLATFORM_MEMORY
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
|
||||
*
|
||||
* Do not assign standard functions in the platform layer (e.g. calloc() to
|
||||
* MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF)
|
||||
*
|
||||
* This makes sure there are no linking errors on platforms that do not support
|
||||
* these functions. You will HAVE to provide alternatives, either at runtime
|
||||
* via the platform_set_xxx() functions or at compile time by setting
|
||||
* the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a
|
||||
* MBEDTLS_PLATFORM_XXX_MACRO.
|
||||
*
|
||||
* Requires: MBEDTLS_PLATFORM_C
|
||||
*
|
||||
* Uncomment to prevent default assignment of standard functions in the
|
||||
* platform layer.
|
||||
*/
|
||||
#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
|
||||
|
||||
#define MBEDTLS_PLATFORM_PRINTF_ALT
|
||||
|
||||
/* To use the following function macros, MBEDTLS_PLATFORM_C must be enabled. */
|
||||
/* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf
|
||||
#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE
|
||||
#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS
|
||||
|
||||
#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h>
|
||||
|
||||
/** \} name SECTION: Platform abstraction layer */
|
||||
|
||||
/**
|
||||
* \name SECTION: SECTION Cryptographic mechanism selection (PSA API)
|
||||
*
|
||||
* This section sets PSA API settings.
|
||||
* \{
|
||||
*/
|
||||
/*
|
||||
* CBC-MAC is not yet supported via the PSA API in Mbed TLS.
|
||||
*/
|
||||
@ -125,6 +237,406 @@
|
||||
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
|
||||
//#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
|
||||
|
||||
/** \} name SECTION Cryptographic mechanism selection (PSA API) */
|
||||
|
||||
/**
|
||||
* \name SECTION: PSA core
|
||||
*
|
||||
* This section sets PSA specific settings.
|
||||
* \{
|
||||
*/
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ENTROPY_C
|
||||
*
|
||||
* Enable the platform-specific entropy code.
|
||||
*
|
||||
* Module: library/entropy.c
|
||||
* Caller:
|
||||
*
|
||||
* Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
|
||||
*
|
||||
* This module provides a generic entropy pool
|
||||
*/
|
||||
#define MBEDTLS_ENTROPY_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ENTROPY_NV_SEED
|
||||
*
|
||||
* Enable the non-volatile (NV) seed file-based entropy source.
|
||||
* (Also enables the NV seed read/write functions in the platform layer)
|
||||
*
|
||||
* This is crucial (if not required) on systems that do not have a
|
||||
* cryptographic entropy source (in hardware or kernel) available.
|
||||
*
|
||||
* Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
|
||||
*
|
||||
* \note The read/write functions that are used by the entropy source are
|
||||
* determined in the platform layer, and can be modified at runtime and/or
|
||||
* compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
|
||||
*
|
||||
* \note If you use the default implementation functions that read a seedfile
|
||||
* with regular fopen(), please make sure you make a seedfile with the
|
||||
* proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
|
||||
* least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
|
||||
* and written to or you will get an entropy source error! The default
|
||||
* implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
|
||||
* bytes from the file.
|
||||
*
|
||||
* \note The entropy collector will write to the seed file before entropy is
|
||||
* given to an external source, to update it.
|
||||
*/
|
||||
#define MBEDTLS_ENTROPY_NV_SEED
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_NO_PLATFORM_ENTROPY
|
||||
*
|
||||
* Do not use built-in platform entropy functions.
|
||||
* This is useful if your platform does not support
|
||||
* standards like the /dev/urandom or Windows CryptoAPI.
|
||||
*
|
||||
* Uncomment this macro to disable the built-in platform entropy functions.
|
||||
*/
|
||||
#define MBEDTLS_NO_PLATFORM_ENTROPY
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PSA_CRYPTO_C
|
||||
*
|
||||
* Enable the Platform Security Architecture cryptography API.
|
||||
*
|
||||
* Module: library/psa_crypto.c
|
||||
*
|
||||
* Requires: either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C,
|
||||
* or MBEDTLS_HMAC_DRBG_C and MBEDTLS_ENTROPY_C,
|
||||
* or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
|
||||
* Auto-enables: MBEDTLS_CIPHER_C if any unauthenticated (ie, non-AEAD) cipher
|
||||
* is enabled in PSA (unless it's fully accelerated, see
|
||||
* docs/driver-only-builds.md about that).
|
||||
*/
|
||||
#define MBEDTLS_PSA_CRYPTO_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PSA_CRYPTO_SPM
|
||||
*
|
||||
* When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
|
||||
* Partition Manager) integration which separates the code into two parts: a
|
||||
* NSPE (Non-Secure Process Environment) and an SPE (Secure Process
|
||||
* Environment).
|
||||
*
|
||||
* If you enable this option, your build environment must include a header
|
||||
* file `"crypto_spe.h"` (either in the `psa` subdirectory of the Mbed TLS
|
||||
* header files, or in another directory on the compiler's include search
|
||||
* path). Alternatively, your platform may customize the header
|
||||
* `psa/crypto_platform.h`, in which case it can skip or replace the
|
||||
* inclusion of `"crypto_spe.h"`.
|
||||
*
|
||||
* Module: library/psa_crypto.c
|
||||
* Requires: MBEDTLS_PSA_CRYPTO_C
|
||||
*
|
||||
*/
|
||||
#define MBEDTLS_PSA_CRYPTO_SPM
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PSA_CRYPTO_STORAGE_C
|
||||
*
|
||||
* Enable the Platform Security Architecture persistent key storage.
|
||||
*
|
||||
* Module: library/psa_crypto_storage.c
|
||||
*
|
||||
* Requires: MBEDTLS_PSA_CRYPTO_C,
|
||||
* either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
|
||||
* the PSA ITS interface
|
||||
*/
|
||||
#define MBEDTLS_PSA_CRYPTO_STORAGE_C
|
||||
|
||||
/** \} name SECTION: PSA core */
|
||||
|
||||
/**
|
||||
* \name SECTION: Builtin drivers
|
||||
*
|
||||
* This section sets driver specific settings.
|
||||
* \{
|
||||
*/
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_AES_ROM_TABLES
|
||||
*
|
||||
* Use precomputed AES tables stored in ROM.
|
||||
*
|
||||
* Uncomment this macro to use precomputed AES tables stored in ROM.
|
||||
* Comment this macro to generate AES tables in RAM at runtime.
|
||||
*
|
||||
* Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
|
||||
* (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
|
||||
* initialization time before the first AES operation can be performed.
|
||||
* It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
|
||||
* MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
|
||||
* performance if ROM access is slower than RAM access.
|
||||
*
|
||||
* This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
|
||||
*/
|
||||
#define MBEDTLS_AES_ROM_TABLES
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_AES_FEWER_TABLES
|
||||
*
|
||||
* Use less ROM/RAM for AES tables.
|
||||
*
|
||||
* Uncommenting this macro omits 75% of the AES tables from
|
||||
* ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
|
||||
* by computing their values on the fly during operations
|
||||
* (the tables are entry-wise rotations of one another).
|
||||
*
|
||||
* Tradeoff: Uncommenting this reduces the RAM / ROM footprint
|
||||
* by ~6kb but at the cost of more arithmetic operations during
|
||||
* runtime. Specifically, one has to compare 4 accesses within
|
||||
* different tables to 4 accesses with additional arithmetic
|
||||
* operations within the same table. The performance gain/loss
|
||||
* depends on the system and memory details.
|
||||
*
|
||||
* This option is independent of \c MBEDTLS_AES_ROM_TABLES.
|
||||
*/
|
||||
#define MBEDTLS_AES_FEWER_TABLES
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
|
||||
*
|
||||
* Use only 128-bit keys in AES operations to save ROM.
|
||||
*
|
||||
* Uncomment this macro to remove support for AES operations that use 192-
|
||||
* or 256-bit keys.
|
||||
*
|
||||
* Uncommenting this macro reduces the size of AES code by ~300 bytes
|
||||
* on v8-M/Thumb2.
|
||||
*
|
||||
* Module: library/aes.c
|
||||
*
|
||||
* Requires: MBEDTLS_AES_C
|
||||
*/
|
||||
#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ECP_NIST_OPTIM
|
||||
*
|
||||
* Enable specific 'modulo p' routines for each NIST prime.
|
||||
* Depending on the prime and architecture, makes operations 4 to 8 times
|
||||
* faster on the corresponding curve.
|
||||
*
|
||||
* Comment this macro to disable NIST curves optimisation.
|
||||
*/
|
||||
#define MBEDTLS_ECP_NIST_OPTIM
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_HAVE_ASM
|
||||
*
|
||||
* The compiler has support for asm().
|
||||
*
|
||||
* Requires support for asm() in compiler.
|
||||
*
|
||||
* Used in:
|
||||
* library/aesni.h
|
||||
* library/aria.c
|
||||
* library/bn_mul.h
|
||||
* library/constant_time.c
|
||||
*
|
||||
* Required by:
|
||||
* MBEDTLS_AESCE_C
|
||||
* MBEDTLS_AESNI_C (on some platforms)
|
||||
*
|
||||
* Comment to disable the use of assembly code.
|
||||
*/
|
||||
#define MBEDTLS_HAVE_ASM
|
||||
|
||||
/**
|
||||
* Uncomment to enable p256-m. This is an alternative implementation of
|
||||
* key generation, ECDH and (randomized) ECDSA on the curve SECP256R1.
|
||||
* Compared to the default implementation:
|
||||
*
|
||||
* - p256-m has a much smaller code size and RAM footprint.
|
||||
* - p256-m is only available via the PSA API. This includes the pk module.
|
||||
* - p256-m does not support deterministic ECDSA, EC-JPAKE, custom protocols
|
||||
* over the core arithmetic, or deterministic derivation of keys.
|
||||
*
|
||||
* We recommend enabling this option if your application uses the PSA API
|
||||
* and the only elliptic curve support it needs is ECDH and ECDSA over
|
||||
* SECP256R1.
|
||||
*
|
||||
* If you enable this option, you do not need to enable any ECC-related
|
||||
* MBEDTLS_xxx option. You do need to separately request support for the
|
||||
* cryptographic mechanisms through the PSA API:
|
||||
* - #MBEDTLS_PSA_CRYPTO_C for PSA-based configuration;
|
||||
* - #PSA_WANT_ECC_SECP_R1_256;
|
||||
* - #PSA_WANT_ALG_ECDH and/or #PSA_WANT_ALG_ECDSA as needed;
|
||||
* - #PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY, #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC,
|
||||
* #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT,
|
||||
* #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT and/or
|
||||
* #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE as needed.
|
||||
*
|
||||
* \note To benefit from the smaller code size of p256-m, make sure that you
|
||||
* do not enable any ECC-related option not supported by p256-m: this
|
||||
* would cause the built-in ECC implementation to be built as well, in
|
||||
* order to provide the required option.
|
||||
* Make sure #PSA_WANT_ALG_DETERMINISTIC_ECDSA, #PSA_WANT_ALG_JPAKE and
|
||||
* #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE, and curves other than
|
||||
* SECP256R1 are disabled as they are not supported by this driver.
|
||||
* Also, avoid defining #MBEDTLS_PK_PARSE_EC_COMPRESSED or
|
||||
* #MBEDTLS_PK_PARSE_EC_EXTENDED as those currently require a subset of
|
||||
* the built-in ECC implementation, see docs/driver-only-builds.md.
|
||||
*/
|
||||
#define MBEDTLS_PSA_P256M_DRIVER_ENABLED
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SHA256_SMALLER
|
||||
*
|
||||
* Enable an implementation of SHA-256 that has lower ROM footprint but also
|
||||
* lower performance.
|
||||
*
|
||||
* The default implementation is meant to be a reasonable compromise between
|
||||
* performance and size. This version optimizes more aggressively for size at
|
||||
* the expense of performance. Eg on Cortex-M4 it reduces the size of
|
||||
* mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
|
||||
* 30%.
|
||||
*
|
||||
* Uncomment to enable the smaller implementation of SHA256.
|
||||
*/
|
||||
#define MBEDTLS_SHA256_SMALLER
|
||||
|
||||
/* ECP options */
|
||||
#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */
|
||||
|
||||
/** \} name SECTION: Builtin drivers */
|
||||
|
||||
/**
|
||||
* \name SECTION: Legacy cryptography
|
||||
*
|
||||
* This section sets legacy settings.
|
||||
* \{
|
||||
*/
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_AES_C
|
||||
*
|
||||
* Enable the AES block cipher.
|
||||
*
|
||||
* Module: library/aes.c
|
||||
* Caller: library/cipher.c
|
||||
* library/pem.c
|
||||
* library/ctr_drbg.c
|
||||
*
|
||||
* This module enables the following ciphersuites (if other requisites are
|
||||
* enabled as well):
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
|
||||
* MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
|
||||
* MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
|
||||
* MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
|
||||
* MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
|
||||
* MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
|
||||
*
|
||||
* PEM_PARSE uses AES for decrypting encrypted keys.
|
||||
*/
|
||||
#define MBEDTLS_AES_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_CIPHER_C
|
||||
*
|
||||
* Enable the generic cipher layer.
|
||||
*
|
||||
* Module: library/cipher.c
|
||||
* Caller: library/ccm.c
|
||||
* library/cmac.c
|
||||
* library/gcm.c
|
||||
* library/nist_kw.c
|
||||
* library/pkcs12.c
|
||||
* library/pkcs5.c
|
||||
* library/psa_crypto_aead.c
|
||||
* library/psa_crypto_mac.c
|
||||
* library/ssl_ciphersuites.c
|
||||
* library/ssl_msg.c
|
||||
* Auto-enabled by: MBEDTLS_PSA_CRYPTO_C depending on which ciphers are enabled
|
||||
* (see the documentation of that option for details).
|
||||
*
|
||||
* Uncomment to enable generic cipher wrappers.
|
||||
*/
|
||||
#define MBEDTLS_CIPHER_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_CTR_DRBG_C
|
||||
*
|
||||
* Enable the CTR_DRBG AES-based random generator.
|
||||
* The CTR_DRBG generator uses AES-256 by default.
|
||||
* To use AES-128 instead, enable \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY above.
|
||||
*
|
||||
* AES support can either be achieved through builtin (MBEDTLS_AES_C) or PSA.
|
||||
* Builtin is the default option when MBEDTLS_AES_C is defined otherwise PSA
|
||||
* is used.
|
||||
*
|
||||
* \warning When using PSA, the user should call `psa_crypto_init()` before
|
||||
* using any CTR_DRBG operation (except `mbedtls_ctr_drbg_init()`).
|
||||
*
|
||||
* \note AES-128 will be used if \c MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH is set.
|
||||
*
|
||||
* \note To achieve a 256-bit security strength with CTR_DRBG,
|
||||
* you must use AES-256 *and* use sufficient entropy.
|
||||
* See ctr_drbg.h for more details.
|
||||
*
|
||||
* Module: library/ctr_drbg.c
|
||||
* Caller:
|
||||
*
|
||||
* Requires: MBEDTLS_AES_C or
|
||||
* (PSA_WANT_KEY_TYPE_AES and PSA_WANT_ALG_ECB_NO_PADDING and
|
||||
* MBEDTLS_PSA_CRYPTO_C)
|
||||
*
|
||||
* This module provides the CTR_DRBG AES random number generator.
|
||||
*/
|
||||
#define MBEDTLS_CTR_DRBG_C
|
||||
/** \} name SECTION: Legacy cryptography */
|
||||
|
||||
/***********************************************************/
|
||||
/* Tweak the configuration to remove dependencies on TF-M. */
|
||||
/***********************************************************/
|
||||
@ -178,6 +690,14 @@
|
||||
* to reduce code size further. */
|
||||
#undef MBEDTLS_CIPHER_C
|
||||
|
||||
#if CRYPTO_NV_SEED
|
||||
#include "tfm_mbedcrypto_config_extra_nv_seed.h"
|
||||
#endif /* CRYPTO_NV_SEED */
|
||||
|
||||
#if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED)
|
||||
#include "mbedtls_entropy_nv_seed_config.h"
|
||||
#endif
|
||||
|
||||
#ifdef CRYPTO_HW_ACCELERATOR
|
||||
#include "crypto_accelerator_config.h"
|
||||
#endif
|
||||
|
@ -35,385 +35,6 @@
|
||||
#define _CRT_SECURE_NO_DEPRECATE 1
|
||||
#endif
|
||||
|
||||
/**
|
||||
* \name SECTION: System support
|
||||
*
|
||||
* This section sets system specific settings.
|
||||
* \{
|
||||
*/
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_HAVE_ASM
|
||||
*
|
||||
* The compiler has support for asm().
|
||||
*
|
||||
* Requires support for asm() in compiler.
|
||||
*
|
||||
* Used in:
|
||||
* library/aria.c
|
||||
* library/timing.c
|
||||
* include/mbedtls/bn_mul.h
|
||||
*
|
||||
* Required by:
|
||||
* MBEDTLS_AESNI_C
|
||||
*
|
||||
* Comment to disable the use of assembly code.
|
||||
*/
|
||||
#define MBEDTLS_HAVE_ASM
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PLATFORM_MEMORY
|
||||
*
|
||||
* Enable the memory allocation layer.
|
||||
*
|
||||
* By default mbed TLS uses the system-provided calloc() and free().
|
||||
* This allows different allocators (self-implemented or provided) to be
|
||||
* provided to the platform abstraction layer.
|
||||
*
|
||||
* Enabling MBEDTLS_PLATFORM_MEMORY without the
|
||||
* MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
|
||||
* "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
|
||||
* free() function pointer at runtime.
|
||||
*
|
||||
* Enabling MBEDTLS_PLATFORM_MEMORY and specifying
|
||||
* MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
|
||||
* alternate function at compile time.
|
||||
*
|
||||
* Requires: MBEDTLS_PLATFORM_C
|
||||
*
|
||||
* Enable this layer to allow use of alternative memory allocators.
|
||||
*/
|
||||
#define MBEDTLS_PLATFORM_MEMORY
|
||||
|
||||
/* \} name SECTION: System support */
|
||||
|
||||
/**
|
||||
* \name SECTION: mbed TLS feature support
|
||||
*
|
||||
* This section sets support for features that are or are not needed
|
||||
* within the modules that are enabled.
|
||||
* \{
|
||||
*/
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_AES_ROM_TABLES
|
||||
*
|
||||
* Use precomputed AES tables stored in ROM.
|
||||
*
|
||||
* Uncomment this macro to use precomputed AES tables stored in ROM.
|
||||
* Comment this macro to generate AES tables in RAM at runtime.
|
||||
*
|
||||
* Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
|
||||
* (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
|
||||
* initialization time before the first AES operation can be performed.
|
||||
* It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
|
||||
* MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
|
||||
* performance if ROM access is slower than RAM access.
|
||||
*
|
||||
* This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
|
||||
*
|
||||
*/
|
||||
#define MBEDTLS_AES_ROM_TABLES
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_AES_FEWER_TABLES
|
||||
*
|
||||
* Use less ROM/RAM for AES tables.
|
||||
*
|
||||
* Uncommenting this macro omits 75% of the AES tables from
|
||||
* ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
|
||||
* by computing their values on the fly during operations
|
||||
* (the tables are entry-wise rotations of one another).
|
||||
*
|
||||
* Tradeoff: Uncommenting this reduces the RAM / ROM footprint
|
||||
* by ~6kb but at the cost of more arithmetic operations during
|
||||
* runtime. Specifically, one has to compare 4 accesses within
|
||||
* different tables to 4 accesses with additional arithmetic
|
||||
* operations within the same table. The performance gain/loss
|
||||
* depends on the system and memory details.
|
||||
*
|
||||
* This option is independent of \c MBEDTLS_AES_ROM_TABLES.
|
||||
*
|
||||
*/
|
||||
#define MBEDTLS_AES_FEWER_TABLES
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ECP_NIST_OPTIM
|
||||
*
|
||||
* Enable specific 'modulo p' routines for each NIST prime.
|
||||
* Depending on the prime and architecture, makes operations 4 to 8 times
|
||||
* faster on the corresponding curve.
|
||||
*
|
||||
* Comment this macro to disable NIST curves optimisation.
|
||||
*/
|
||||
#define MBEDTLS_ECP_NIST_OPTIM
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_NO_PLATFORM_ENTROPY
|
||||
*
|
||||
* Do not use built-in platform entropy functions.
|
||||
* This is useful if your platform does not support
|
||||
* standards like the /dev/urandom or Windows CryptoAPI.
|
||||
*
|
||||
* Uncomment this macro to disable the built-in platform entropy functions.
|
||||
*/
|
||||
#define MBEDTLS_NO_PLATFORM_ENTROPY
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ENTROPY_NV_SEED
|
||||
*
|
||||
* Enable the non-volatile (NV) seed file-based entropy source.
|
||||
* (Also enables the NV seed read/write functions in the platform layer)
|
||||
*
|
||||
* This is crucial (if not required) on systems that do not have a
|
||||
* cryptographic entropy source (in hardware or kernel) available.
|
||||
*
|
||||
* Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
|
||||
*
|
||||
* \note The read/write functions that are used by the entropy source are
|
||||
* determined in the platform layer, and can be modified at runtime and/or
|
||||
* compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
|
||||
*
|
||||
* \note If you use the default implementation functions that read a seedfile
|
||||
* with regular fopen(), please make sure you make a seedfile with the
|
||||
* proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
|
||||
* least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
|
||||
* and written to or you will get an entropy source error! The default
|
||||
* implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
|
||||
* bytes from the file.
|
||||
*
|
||||
* \note The entropy collector will write to the seed file before entropy is
|
||||
* given to an external source, to update it.
|
||||
*/
|
||||
#define MBEDTLS_ENTROPY_NV_SEED
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PSA_CRYPTO_SPM
|
||||
*
|
||||
* When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
|
||||
* Partition Manager) integration which separates the code into two parts: a
|
||||
* NSPE (Non-Secure Process Environment) and an SPE (Secure Process
|
||||
* Environment).
|
||||
*
|
||||
* Module: library/psa_crypto.c
|
||||
* Requires: MBEDTLS_PSA_CRYPTO_C
|
||||
*
|
||||
*/
|
||||
#define MBEDTLS_PSA_CRYPTO_SPM
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SHA256_SMALLER
|
||||
*
|
||||
* Enable an implementation of SHA-256 that has lower ROM footprint but also
|
||||
* lower performance.
|
||||
*
|
||||
* The default implementation is meant to be a reasonnable compromise between
|
||||
* performance and size. This version optimizes more aggressively for size at
|
||||
* the expense of performance. Eg on Cortex-M4 it reduces the size of
|
||||
* mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
|
||||
* 30%.
|
||||
*
|
||||
* Uncomment to enable the smaller implementation of SHA256.
|
||||
*/
|
||||
#define MBEDTLS_SHA256_SMALLER
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
*
|
||||
* This setting allows support for cryptographic mechanisms through the PSA
|
||||
* API to be configured separately from support through the mbedtls API.
|
||||
*
|
||||
* When this option is disabled, the PSA API exposes the cryptographic
|
||||
* mechanisms that can be implemented on top of the `mbedtls_xxx` API
|
||||
* configured with `MBEDTLS_XXX` symbols.
|
||||
*
|
||||
* When this option is enabled, the PSA API exposes the cryptographic
|
||||
* mechanisms requested by the `PSA_WANT_XXX` symbols defined in
|
||||
* include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are
|
||||
* automatically enabled if required (i.e. if no PSA driver provides the
|
||||
* mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols
|
||||
* in mbedtls_config.h.
|
||||
*
|
||||
* If the symbol #TF_PSA_CRYPTO_CONFIG_FILE is defined, it specifies
|
||||
* an alternative header to include instead of include/psa/crypto_config.h.
|
||||
*
|
||||
* This feature is still experimental and is not ready for production since
|
||||
* it is not completed.
|
||||
*/
|
||||
#define MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
|
||||
/* \} name SECTION: mbed TLS feature support */
|
||||
|
||||
/**
|
||||
* \name SECTION: mbed TLS modules
|
||||
*
|
||||
* This section enables or disables entire modules in mbed TLS
|
||||
* \{
|
||||
*/
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_AES_C
|
||||
*
|
||||
* Enable the AES block cipher.
|
||||
*
|
||||
* Module: library/aes.c
|
||||
* Caller: library/cipher.c
|
||||
* library/pem.c
|
||||
* library/ctr_drbg.c
|
||||
*
|
||||
* This module is required to support the TLS ciphersuites that use the AES
|
||||
* cipher.
|
||||
*
|
||||
* PEM_PARSE uses AES for decrypting encrypted keys.
|
||||
*/
|
||||
#define MBEDTLS_AES_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
|
||||
*
|
||||
* Use only 128-bit keys in AES operations to save ROM.
|
||||
*
|
||||
* Uncomment this macro to remove support for AES operations that use 192-
|
||||
* or 256-bit keys.
|
||||
*
|
||||
* Uncommenting this macro reduces the size of AES code by ~300 bytes
|
||||
* on v8-M/Thumb2.
|
||||
*
|
||||
* Module: library/aes.c
|
||||
*
|
||||
* Requires: MBEDTLS_AES_C
|
||||
*/
|
||||
#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_CIPHER_C
|
||||
*
|
||||
* Enable the generic cipher layer.
|
||||
*
|
||||
* Module: library/cipher.c
|
||||
*
|
||||
* Uncomment to enable generic cipher wrappers.
|
||||
*/
|
||||
#define MBEDTLS_CIPHER_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_CTR_DRBG_C
|
||||
*
|
||||
* Enable the CTR_DRBG AES-based random generator.
|
||||
* The CTR_DRBG generator uses AES-256 by default.
|
||||
* To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below.
|
||||
*
|
||||
* Module: library/ctr_drbg.c
|
||||
* Caller:
|
||||
*
|
||||
* Requires: MBEDTLS_AES_C
|
||||
*
|
||||
* This module provides the CTR_DRBG AES random number generator.
|
||||
*/
|
||||
#define MBEDTLS_CTR_DRBG_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ENTROPY_C
|
||||
*
|
||||
* Enable the platform-specific entropy code.
|
||||
*
|
||||
* Module: library/entropy.c
|
||||
* Caller:
|
||||
*
|
||||
* Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
|
||||
*
|
||||
* This module provides a generic entropy pool
|
||||
*/
|
||||
#define MBEDTLS_ENTROPY_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_HKDF_C
|
||||
*
|
||||
* Enable the HKDF algorithm (RFC 5869).
|
||||
*
|
||||
* Module: library/hkdf.c
|
||||
* Caller:
|
||||
*
|
||||
* Requires: MBEDTLS_MD_C
|
||||
*
|
||||
* This module adds support for the Hashed Message Authentication Code
|
||||
* (HMAC)-based key derivation function (HKDF).
|
||||
*/
|
||||
//#define MBEDTLS_HKDF_C /* Used for HUK deriviation */
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
|
||||
*
|
||||
* Enable the buffer allocator implementation that makes use of a (stack)
|
||||
* based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
|
||||
* calls)
|
||||
*
|
||||
* Module: library/memory_buffer_alloc.c
|
||||
*
|
||||
* Requires: MBEDTLS_PLATFORM_C
|
||||
* MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)
|
||||
*
|
||||
* Enable this module to enable the buffer memory allocator.
|
||||
*/
|
||||
#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PLATFORM_C
|
||||
*
|
||||
* Enable the platform abstraction layer that allows you to re-assign
|
||||
* functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
|
||||
*
|
||||
* Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
|
||||
* or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
|
||||
* above to be specified at runtime or compile time respectively.
|
||||
*
|
||||
* \note This abstraction layer must be enabled on Windows (including MSYS2)
|
||||
* as other module rely on it for a fixed snprintf implementation.
|
||||
*
|
||||
* Module: library/platform.c
|
||||
* Caller: Most other .c files
|
||||
*
|
||||
* This module enables abstraction of common (libc) functions.
|
||||
*/
|
||||
#define MBEDTLS_PLATFORM_C
|
||||
|
||||
#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
|
||||
#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h>
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf
|
||||
#define MBEDTLS_PLATFORM_PRINTF_ALT
|
||||
#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS
|
||||
#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PSA_CRYPTO_C
|
||||
*
|
||||
* Enable the Platform Security Architecture cryptography API.
|
||||
*
|
||||
* Module: library/psa_crypto.c
|
||||
*
|
||||
* Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C
|
||||
*
|
||||
*/
|
||||
#define MBEDTLS_PSA_CRYPTO_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PSA_CRYPTO_STORAGE_C
|
||||
*
|
||||
* Enable the Platform Security Architecture persistent key storage.
|
||||
*
|
||||
* Module: library/psa_crypto_storage.c
|
||||
*
|
||||
* Requires: MBEDTLS_PSA_CRYPTO_C,
|
||||
* either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
|
||||
* the PSA ITS interface
|
||||
*/
|
||||
#define MBEDTLS_PSA_CRYPTO_STORAGE_C
|
||||
|
||||
/* \} name SECTION: mbed TLS modules */
|
||||
|
||||
/**
|
||||
* \name SECTION: General configuration options
|
||||
*
|
||||
@ -459,112 +80,6 @@
|
||||
*/
|
||||
//#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
|
||||
|
||||
/**
|
||||
* \def TF_PSA_CRYPTO_CONFIG_FILE
|
||||
*
|
||||
* If defined, this is a header which will be included instead of
|
||||
* `"psa/crypto_config.h"`.
|
||||
* This header file specifies which cryptographic mechanisms are available
|
||||
* through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and
|
||||
* is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
|
||||
*
|
||||
* This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
|
||||
* non-standard feature of the C language, so this feature is only available
|
||||
* with compilers that perform macro expansion on an <tt>\#include</tt> line.
|
||||
*
|
||||
* The value of this symbol is typically a path in double quotes, either
|
||||
* absolute or relative to a directory on the include search path.
|
||||
*/
|
||||
//#define TF_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"
|
||||
|
||||
/**
|
||||
* \def TF_PSA_CRYPTO_USER_CONFIG_FILE
|
||||
*
|
||||
* If defined, this is a header which will be included after
|
||||
* `"psa/crypto_config.h"` or #TF_PSA_CRYPTO_CONFIG_FILE.
|
||||
* This allows you to modify the default configuration, including the ability
|
||||
* to undefine options that are enabled by default.
|
||||
*
|
||||
* This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
|
||||
* non-standard feature of the C language, so this feature is only available
|
||||
* with compilers that perform macro expansion on an <tt>\#include</tt> line.
|
||||
*
|
||||
* The value of this symbol is typically a path in double quotes, either
|
||||
* absolute or relative to a directory on the include search path.
|
||||
*/
|
||||
//#define TF_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
|
||||
|
||||
/** \} name SECTION: General configuration options */
|
||||
|
||||
/**
|
||||
* \name SECTION: Module configuration options
|
||||
*
|
||||
* This section allows for the setting of module specific sizes and
|
||||
* configuration options. The default values are already present in the
|
||||
* relevant header files and should suffice for the regular use cases.
|
||||
*
|
||||
* Our advice is to enable options and change their values here
|
||||
* only if you have a good reason and know the consequences.
|
||||
*
|
||||
* Please check the respective header file for documentation on these
|
||||
* parameters (to prevent duplicate documentation).
|
||||
* \{
|
||||
*/
|
||||
|
||||
/* ECP options */
|
||||
#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */
|
||||
|
||||
/**
|
||||
* Uncomment to enable p256-m. This is an alternative implementation of
|
||||
* key generation, ECDH and (randomized) ECDSA on the curve SECP256R1.
|
||||
* Compared to the default implementation:
|
||||
*
|
||||
* - p256-m has a much smaller code size and RAM footprint.
|
||||
* - p256-m is only available via the PSA API. This includes the pk module.
|
||||
* - p256-m does not support deterministic ECDSA, EC-JPAKE, custom protocols
|
||||
* over the core arithmetic, or deterministic derivation of keys.
|
||||
*
|
||||
* We recommend enabling this option if your application uses the PSA API
|
||||
* and the only elliptic curve support it needs is ECDH and ECDSA over
|
||||
* SECP256R1.
|
||||
*
|
||||
* If you enable this option, you do not need to enable any ECC-related
|
||||
* MBEDTLS_xxx option. You do need to separately request support for the
|
||||
* cryptographic mechanisms through the PSA API:
|
||||
* - #MBEDTLS_PSA_CRYPTO_C and #MBEDTLS_PSA_CRYPTO_CONFIG for PSA-based
|
||||
* configuration;
|
||||
* - #PSA_WANT_ECC_SECP_R1_256;
|
||||
* - #PSA_WANT_ALG_ECDH and/or #PSA_WANT_ALG_ECDSA as needed;
|
||||
* - #PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY, #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC,
|
||||
* #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT,
|
||||
* #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT and/or
|
||||
* #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE as needed.
|
||||
*
|
||||
* \note To benefit from the smaller code size of p256-m, make sure that you
|
||||
* do not enable any ECC-related option not supported by p256-m: this
|
||||
* would cause the built-in ECC implementation to be built as well, in
|
||||
* order to provide the required option.
|
||||
* Make sure #PSA_WANT_ALG_DETERMINISTIC_ECDSA, #PSA_WANT_ALG_JPAKE and
|
||||
* #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE, and curves other than
|
||||
* SECP256R1 are disabled as they are not supported by this driver.
|
||||
* Also, avoid defining #MBEDTLS_PK_PARSE_EC_COMPRESSED or
|
||||
* #MBEDTLS_PK_PARSE_EC_EXTENDED as those currently require a subset of
|
||||
* the built-in ECC implementation, see docs/driver-only-builds.md.
|
||||
*/
|
||||
#define MBEDTLS_PSA_P256M_DRIVER_ENABLED
|
||||
|
||||
/* \} name SECTION: Customisation configuration options */
|
||||
|
||||
#if CRYPTO_NV_SEED
|
||||
#include "tfm_mbedcrypto_config_extra_nv_seed.h"
|
||||
#endif /* CRYPTO_NV_SEED */
|
||||
|
||||
#if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED)
|
||||
#include "mbedtls_entropy_nv_seed_config.h"
|
||||
#endif
|
||||
|
||||
#ifdef CRYPTO_HW_ACCELERATOR
|
||||
#include "mbedtls_accelerator_config.h"
|
||||
#endif
|
||||
|
||||
#endif /* PROFILE_M_MBEDTLS_CONFIG_H */
|
||||
|
Loading…
Reference in New Issue
Block a user