From 7237563d4bf720263078b68aecb9372cfa3bc2cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 21 May 2024 11:43:20 +0200 Subject: [PATCH] Update psa-migration/strategy.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Just reflecting recent/on-going work. Signed-off-by: Manuel Pégourié-Gonnard --- docs/architecture/psa-migration/strategy.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/docs/architecture/psa-migration/strategy.md b/docs/architecture/psa-migration/strategy.md index b985a77faa..4301ed353c 100644 --- a/docs/architecture/psa-migration/strategy.md +++ b/docs/architecture/psa-migration/strategy.md @@ -18,11 +18,15 @@ needs to be changed to use new APIs. For a more detailed account of what's implemented, see `docs/use-psa-crypto.md`, where new APIs are about (G2), and internal changes implement (G1). -As of early 2023, work towards G5 is in progress: Mbed TLS 3.3 and 3.4 saw -some improvements in this area, and more will be coming in future releases. +As of Mbed TLS 3.6 (early 2024, work towards G5 is well advanced: it is now +possible to have hashes/HMAC, ciphers/AEAD, and ECC provided only by drivers, +with some limitations. See `docs/driver-only-builds.md` for details. +The main gap is RSA in PK, X.509 and TLS; it should be resolved by 4.0 work. Generally speaking, the numbering above doesn't mean that each goal requires -the preceding ones to be completed. +the preceding ones to be completed. (As an example, much progress towards G5 +was made in 3.x, while G4 will be mostly 4.0 and probably not fully complete +until 5.0.) Compile-time options @@ -219,7 +223,12 @@ Strategies currently (early 2022) used with each abstraction layer: - PK (for G1): silently call PSA - PK (for G2): opt-in use of PSA (new key type) -- Cipher (G1): replace calls at each call site +- PK (for G5): store keys in PSA-friendly format when `ECP_C` is disabled and + `USE_PSA` is enabled +- Cipher (G1, TLS): replace calls at each call site +- Cipher (G5): create a new internal abstraction layer for (non-DES) block + ciphers that silently calls PSA when a driver is available, see + `md-cipher-dispatch.md`. - MD (G1, X.509 and TLS): replace calls at each call site (depending on `USE_PSA_CRYPTO`) - MD (G5): silently call PSA when a driver is available, see