mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-03-29 22:20:30 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add links and missing )

Browse Source 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Manuel Pégourié-Gonnard 2024-05-23 09:26:31 +02:00
parent 32bdf19a01
commit 4837f726d1
1 changed files with 8 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
docs/architecture/psa-migration/strategy.md
View File

@ -18,9 +18,10 @@ needs to be changed to use new APIs. For a more detailed account of what's
implemented, see `docs/use-psa-crypto.md`, where new APIs are about (G2), and implemented, see `docs/use-psa-crypto.md`, where new APIs are about (G2), and
internal changes implement (G1). internal changes implement (G1).
As of Mbed TLS 3.6 (early 2024, work towards G5 is well advanced: it is now As of Mbed TLS 3.6 (early 2024), work towards G5 is well advanced: it is now
possible to have hashes/HMAC, ciphers/AEAD, and ECC provided only by drivers, possible to have hashes/HMAC, ciphers/AEAD, and ECC provided only by drivers,
with some limitations. See `docs/driver-only-builds.md` for details. with some limitations. See
[`docs/driver-only-builds.md`](../../driver-only-builds.html) for details.
The main gap is RSA in PK, X.509 and TLS; it should be resolved by 4.0 work. The main gap is RSA in PK, X.509 and TLS; it should be resolved by 4.0 work.
Generally speaking, the numbering above doesn't mean that each goal requires Generally speaking, the numbering above doesn't mean that each goal requires
@ -150,7 +151,7 @@ crypto API.
This strategy is currently (early 2023) used for all operations in the PK This strategy is currently (early 2023) used for all operations in the PK
layer; the MD layer uses a variant where it dispatches to PSA if a driver is layer; the MD layer uses a variant where it dispatches to PSA if a driver is
available and the driver subsystem has been initialized, regardless of whether available and the driver subsystem has been initialized, regardless of whether
`USE_PSA_CRYPTO` is enabled; see `md-cipher-dispatch.md` in the same directory `USE_PSA_CRYPTO` is enabled; see [`md-cipher-dispatch.md`](md-cipher-dispatch.html)
for details. for details.
This strategy is not very well suited to the Cipher layer, as the PSA This strategy is not very well suited to the Cipher layer, as the PSA
@ -176,7 +177,7 @@ Replace calls for each operation
This strategy is currently (early 2023) used for the MD layer and the Cipher This strategy is currently (early 2023) used for the MD layer and the Cipher
layer in X.509 and TLS. Crypto modules however always call to MD which may layer in X.509 and TLS. Crypto modules however always call to MD which may
then dispatch to PSA, see `md-cipher-dispatch.md`. then dispatch to PSA, see [`md-cipher-dispatch.md`](md-cipher-dispatch.html).
Opt-in use of PSA from the abstraction layer Opt-in use of PSA from the abstraction layer
-------------------------------------------- --------------------------------------------
@ -228,11 +229,11 @@ Strategies currently (early 2022) used with each abstraction layer:
- Cipher (G1, TLS): replace calls at each call site - Cipher (G1, TLS): replace calls at each call site
- Cipher (G5): create a new internal abstraction layer for (non-DES) block - Cipher (G5): create a new internal abstraction layer for (non-DES) block
ciphers that silently calls PSA when a driver is available, see ciphers that silently calls PSA when a driver is available, see
`md-cipher-dispatch.md`. [`md-cipher-dispatch.md`](md-cipher-dispatch.html).
- MD (G1, X.509 and TLS): replace calls at each call site (depending on - MD (G1, X.509 and TLS): replace calls at each call site (depending on
`USE_PSA_CRYPTO`) `USE_PSA_CRYPTO`)
- MD (G5): silently call PSA when a driver is available, see - MD (G5): silently call PSA when a driver is available, see
`md-cipher-dispatch.md`. [`md-cipher-dispatch.md`](md-cipher-dispatch.html).
Supporting builds with drivers without the software implementation Supporting builds with drivers without the software implementation
@ -301,7 +302,7 @@ Regarding PK, X.509, and TLS, this is mostly achieved with only a few gaps.
(The strategy was outlined in the previous section.) (The strategy was outlined in the previous section.)
Regarding libmbedcrypto: Regarding libmbedcrypto:
- for hashes and ciphers, see `md-cipher-dispatch.md` in the same directory; - for hashes and ciphers, see [`md-cipher-dispatch.md`](md-cipher-dispatch.html);
- for ECC, we have no internal uses of the top-level algorithms (ECDSA, ECDH, - for ECC, we have no internal uses of the top-level algorithms (ECDSA, ECDH,
ECJPAKE), however they all depend on `ECP_C` which in turn depends on ECJPAKE), however they all depend on `ECP_C` which in turn depends on
`BIGNUM_C`. So, direct calls from TLS, X.509 and PK to ECP and Bignum will `BIGNUM_C`. So, direct calls from TLS, X.509 and PK to ECP and Bignum will