Improve the documentation of MBEDTLS_PSA_KEY_SLOT_COUNT

The description was misleading: setting the option doesn't “restrict” the number of slots, that restriction exists anyway. Setting the option merely determines the value of the limit. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-01-30 06:33:06 +00:00 · 2024-07-16 21:29:13 +02:00 · 2024-07-16 21:29:13 +02:00 · 2cb03a5532
commit 2cb03a5532
parent ab89fcf7f8
1 changed files with 11 additions and 6 deletions
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@ -3883,13 +3883,18 @@
 //#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256

 /** \def MBEDTLS_PSA_KEY_SLOT_COUNT
- * Restrict the PSA library to supporting a maximum amount of simultaneously
- * loaded keys. A loaded key is a key stored by the PSA Crypto core as a
- * volatile key, or a persistent key which is loaded temporarily by the
- * library as part of a crypto operation in flight.
 *
- * If this option is unset, the library will fall back to a default value of
- * 32 keys.
+ * The maximum amount of PSA keys simultaneously in memory. This counts all
+ * volatile keys, plus loaded persistent keys.
+ *
+ * Currently, persistent keys do not need to be loaded all the time while
+ * a multipart operation is in progress, only while the operation is being
+ * set up. This may change in future versions of the library.
+ *
+ * Currently, the library traverses of the whole table on each access to a
+ * persistent key. Therefore large values may cause poor performance.
+ *
+ * This option has no effect when #MBEDTLS_PSA_CRYPTO_C is disabled.
 */
 //#define MBEDTLS_PSA_KEY_SLOT_COUNT 32