From 3dd9add2945662006ac1ec58237dd5ac4322d4ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 22 Mar 2023 16:17:54 +0100 Subject: [PATCH] Use PSA Crypto: try clarifying what it means MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- docs/use-psa-crypto.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/use-psa-crypto.md b/docs/use-psa-crypto.md index c63e65a9a9..e0e9d1500b 100644 --- a/docs/use-psa-crypto.md +++ b/docs/use-psa-crypto.md @@ -21,6 +21,19 @@ use PSA Crypto or not depending on the value of this option are: You need to enable `MBEDTLS_USE_PSA_CRYPTO` if you want TLS 1.3 to use PSA everywhere. +**Important note:** Even with this option disabled, some modules may still use +PSA Crypto. However, it is then their responsibility to make sure it's safe to +do so; in particular those modules do not require `psa_crypto_init()` to be +called. So, enabling `MBEDTLS_USE_PSA_CRYPTO` basically means: +- as a user, you promise to call `psa_crypto_init()` before using any function + from PK, X.509 or TLS; +- in return, those modules will use PSA Crypto as much as possible (see + exceptions belos). +Conversely, not enabling this option means you have no obligation to call +`psa_crypto_init()` (unless as documented by other options such as TLS 1.3), +but modules can still decide to use PSA if they can determine it is available +and initialized. + New APIs / API extensions -------------------------