diff --git a/docs/driver-only-builds.md b/docs/driver-only-builds.md index 200f439413..2dcfe67975 100644 --- a/docs/driver-only-builds.md +++ b/docs/driver-only-builds.md @@ -245,6 +245,9 @@ Support for deterministic derivation of a DH keypair AEADs ----- +[This section might contain incomplete data and it is going to be updated in +#8358, i.e. the wrap-up task for accelerated ciphers and AEADs.] + It is possible to have all AEADs operations provided only by a driver. More precisely you can: 
@@ -252,15 +255,20 @@ More precisely you can: - `PSA_WANT_ALG_[CCM|GCM]` with `PSA_WANT_KEY_TYPE_[AES|ARIA|CAMELLIA]` - `PSA_WANT_ALG_CHACHA20_POLY1305` with `PSA_WANT_KEY_TYPE_CHACHA20`; - enable `MBEDTLS_PSA_ACCEL_xxx` symbol(s) which correspond to the - `PSA_WANT_xxx` of the previous step; -- disable builtin support of `MBEDTLS_[CCM|GCM|CHACHAPOLY]_C` algorithms and - key types `MBEDTLS_[AES|ARIA|CAMELLIA|CHACHA20]_C` for AEADs which are - accelerated. + `PSA_WANT_xxx` of the previous step (both for algorithms and key types); +- disable builtin support of `MBEDTLS_[CCM|GCM|CHACHAPOLY|POLY1305]_C` + algorithms and key types `MBEDTLS_[AES|ARIA|CAMELLIA|CHACHA20]_C` for AEADs + which are accelerated. -In such a build all AEADs operations requested through the PSA Crypto API -(including those in TLS and X.509) will be performed by the provided driver. -Of course direct calls to the disabled builtin modules -(ex: `mbedtls_ccm_init()`, etc) won't be possible. +In a build in which all AEADs algorithms and related key types are accelerated +all AEADs operations requested through the PSA Crypto API (including those in +TLS and X.509) will be performed by the driver. +Moreover if no unauthenticated cipher is required, it is also possible to +disable all built-in block cipher's key types +(i.e. `MBEDTLS_[AES|ARIA|CAMELLIA|CHACHA20]_C`) and `MBEDTLS_CIPHER_C`. This +helps in further reducing code's footprint, but unfortunately it makes the +following modules unavailable: +- `MBEDTLS_PKCS[5|12]_C` +- `MBEDTLS_CTR_DRBG_C` +- `MBEDTLS_NIST_KW_C` -If no other non-authenticated cipher is required, it is also possible to -disable `MBEDTLS_CIPHER_C` in order to further reduce code's footprint.
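Review bot: The bracketed note added at the top of the AEADs section (first hunk) says the section "might contain incomplete data" without saying which statements are provisional, so a reader cannot tell which of the steps that follow can be relied on. Consider naming the part that is still open and writing the reference as a full link, since a bare `#8358` does not resolve when the file is read outside the issue tracker. The wrap-up task it cites should also remove this note once the section is complete.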
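Review bot: In the second hunk, the added paragraph describes `MBEDTLS_[AES|ARIA|CAMELLIA|CHACHA20]_C` as "built-in block cipher's key types", but ChaCha20 is a stream cipher; "built-in cipher key types" would be accurate. The removed sentence saying that direct calls to the disabled builtin modules (`mbedtls_ccm_init()`, etc) won't be possible has no counterpart in the new text, although the build still disables those modules, so consider keeping it. The new list of unavailable modules also does not say whether each one is lost by disabling the key types or by disabling `MBEDTLS_CIPHER_C`; since `MBEDTLS_CTR_DRBG_C` is on that list, a sentence on what such a build should use for random generation would help readers who follow this configuration.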