Merge pull request #8264 from mpg/follow-up-8075

Follow up to 8075

include/mbedtls/check_config.h

@@ -125,6 +125,46 @@
 
 #endif /* MBEDTLS_PSA_CRYPTO_CONFIG || MBEDTLS_PSA_CRYPTO_C */
 
+/* Limitations on ECC key types acceleration: if we have any of `PUBLIC_KEY`,
+ * `KEY_PAIR_BASIC`, `KEY_PAIR_IMPORT`, `KEY_PAIR_EXPORT` then we must have
+ * all 4 of them.
+ */
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) || \
+    defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
+    defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
+    defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) || \
+    !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
+    !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
+    !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT)
+#error "Unsupported partial support for ECC key type acceleration, see docs/driver-only-builds.md"
+#endif /* not all of public, basic, import, export */
+#endif /* one of public, basic, import, export */
+
+/* Limitations on ECC curves acceleration: partial curve acceleration is only
+ * supported with crypto excluding PK, X.509 or TLS.
+ * Note: no need to check X.509 as it depends on PK. */
+#if defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521)
+#if defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
+#if defined(MBEDTLS_PK_C) || \
+    defined(MBEDTLS_SSL_TLS_C)
+#error "Unsupported partial support for ECC curves acceleration, see docs/driver-only-builds.md"
+#endif /* modules beyond what's supported */
+#endif /* not all curves accelerated */
+#endif /* some curve accelerated */
+
 #if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C)
 #error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites"
 #endif

include/mbedtls/config_adjust_legacy_from_psa.h

@@ -159,35 +159,40 @@
 /* ECC: key types: is acceleration complete? */
 #if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) && \
     !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES_BASIC
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC
 #endif
 
 #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) && \
     !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES_BASIC
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC
 #endif
 
 #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT) && \
     !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
 #endif
 
 #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT) && \
     !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
 #endif
 
 #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) && \
     !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
 #endif
 
 /* Special case: we don't support cooked key derivation in drivers yet */
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
+#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE
+#endif
+
+/* Note: the condition is always true as DERIVE can't be accelerated yet */
 #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) && \
-    (1 || !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE))
-#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES
+    !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
 #endif
 
 /* ECC: curves: enable built-ins as needed.
@@ -199,7 +204,7 @@
  */
 #if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
 #if !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256) || \
-    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
     defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
 #define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_256 1
 #define MBEDTLS_ECP_DP_BP256R1_ENABLED
@@ -208,7 +213,7 @@
 
 #if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
 #if !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384) || \
-    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
     defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
 #define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_384 1
 #define MBEDTLS_ECP_DP_BP384R1_ENABLED
@@ -217,7 +222,7 @@
 
 #if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
 #if !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512) || \
-    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
     defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
 #define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_512 1
 #define MBEDTLS_ECP_DP_BP512R1_ENABLED
@@ -226,7 +231,7 @@
 
 #if defined(PSA_WANT_ECC_MONTGOMERY_255)
 #if !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255) || \
-    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
     defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
 #define MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_255 1
 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED
@@ -235,7 +240,7 @@
 
 #if defined(PSA_WANT_ECC_MONTGOMERY_448)
 #if !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448) || \
-    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
     defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
 #define MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_448 1
 #define MBEDTLS_ECP_DP_CURVE448_ENABLED
@@ -244,7 +249,7 @@
 
 #if defined(PSA_WANT_ECC_SECP_R1_192)
 #if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192) || \
-    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
     defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
 #define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_192 1
 #define MBEDTLS_ECP_DP_SECP192R1_ENABLED
@@ -253,7 +258,7 @@
 
 #if defined(PSA_WANT_ECC_SECP_R1_224)
 #if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224) || \
-    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
     defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
 #define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_224 1
 #define MBEDTLS_ECP_DP_SECP224R1_ENABLED
@@ -262,7 +267,7 @@
 
 #if defined(PSA_WANT_ECC_SECP_R1_256)
 #if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256) || \
-    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
     defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
 #define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256 1
 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
@@ -271,7 +276,7 @@
 
 #if defined(PSA_WANT_ECC_SECP_R1_384)
 #if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384) || \
-    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
     defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
 #define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_384 1
 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED
@@ -280,7 +285,7 @@
 
 #if defined(PSA_WANT_ECC_SECP_R1_521)
 #if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521) || \
-    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
     defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
 #define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_521 1
 #define MBEDTLS_ECP_DP_SECP521R1_ENABLED
@@ -289,7 +294,7 @@
 
 #if defined(PSA_WANT_ECC_SECP_K1_192)
 #if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192) || \
-    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
     defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
 #define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_192 1
 #define MBEDTLS_ECP_DP_SECP192K1_ENABLED
@@ -298,7 +303,7 @@
 
 #if defined(PSA_WANT_ECC_SECP_K1_224)
 #if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224) || \
-    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
     defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
 #define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_224 1
 #define MBEDTLS_ECP_DP_SECP224K1_ENABLED
@@ -309,7 +314,7 @@
 
 #if defined(PSA_WANT_ECC_SECP_K1_256)
 #if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) || \
-    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
     defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
 #define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_256 1
 #define MBEDTLS_ECP_DP_SECP256K1_ENABLED
@@ -331,7 +336,7 @@
 #if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)
 #if !defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) || \
     defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES) || \
-    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES_BASIC)
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC)
 #define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA 1
 #define MBEDTLS_ECDSA_DETERMINISTIC
 #define MBEDTLS_HMAC_DRBG_C
@@ -347,7 +352,7 @@
 #if defined(PSA_WANT_ALG_ECDH)
 #if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDH) || \
     defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) || \
-    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES_BASIC)
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC)
 #define MBEDTLS_PSA_BUILTIN_ALG_ECDH 1
 #define MBEDTLS_ECDH_C
 #define MBEDTLS_ECP_C
@@ -358,7 +363,7 @@
 #if defined(PSA_WANT_ALG_ECDSA)
 #if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) || \
     defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES) || \
-    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES_BASIC)
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC)
 #define MBEDTLS_PSA_BUILTIN_ALG_ECDSA 1
 #define MBEDTLS_ECDSA_C
 #define MBEDTLS_ECP_C
@@ -371,7 +376,7 @@
 #if defined(PSA_WANT_ALG_JPAKE)
 #if !defined(MBEDTLS_PSA_ACCEL_ALG_JPAKE) || \
     !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256) || \
-    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEYTYPES_BASIC)
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC)
 #define MBEDTLS_PSA_BUILTIN_PAKE 1
 #define MBEDTLS_PSA_BUILTIN_ALG_JPAKE 1
 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
@@ -435,9 +440,9 @@
 #endif /* missing accel */
 #endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE */
 
-/* Special case: we don't support cooked key derivation in drivers yet */
+/* Note: the condition is always true as DERIVE can't be accelerated yet */
 #if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
-#if 1 || !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || \
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || \
     defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
 #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
 #define MBEDTLS_ECP_LIGHT

tests/configs/user-config-for-test.h

@@ -52,7 +52,11 @@
  * the test driver implemented. */
 #define MBEDTLS_PSA_ACCEL_KEY_TYPE_AES
 #define MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA
-#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE
 #define MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR
 #define MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING
 #define MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7

tests/scripts/all.sh

@@ -428,9 +428,9 @@ err_msg()
 
 check_tools()
 {
-    for TOOL in "$@"; do
-        if ! `type "$TOOL" >/dev/null 2>&1`; then
-            err_msg "$TOOL not found!"
+    for tool in "$@"; do
+        if ! `type "$tool" >/dev/null 2>&1`; then
+            err_msg "$tool not found!"
             exit 1
         fi
     done
@@ -884,10 +884,10 @@ pre_generate_files() {
 # Adjust the configuration - for both libtestdriver1 and main library,
 # as they should have the same PSA_WANT macros.
 helper_libtestdriver1_adjust_config() {
-    BASE_CONFIG=$1
+    base_config=$1
     # Select the base configuration
-    if [ "$BASE_CONFIG" != "default" ]; then
-        scripts/config.py "$BASE_CONFIG"
+    if [ "$base_config" != "default" ]; then
+        scripts/config.py "$base_config"
     fi
 
     # Enable PSA-based config (necessary to use drivers)
@@ -910,8 +910,8 @@ helper_disable_builtin_curves() {
     allowed_list="${1:-}"
     scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED"
 
-    for CURVE in $allowed_list; do
-        scripts/config.py set $CURVE
+    for curve in $allowed_list; do
+        scripts/config.py set $curve
     done
 }
 
@@ -920,8 +920,8 @@ helper_disable_builtin_curves() {
 # in the following helpers.
 helper_get_psa_curve_list () {
     loc_list=""
-    for ITEM in $(sed -n 's/^#define PSA_WANT_\(ECC_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do
-        loc_list="$loc_list $ITEM"
+    for item in $(sed -n 's/^#define PSA_WANT_\(ECC_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do
+        loc_list="$loc_list $item"
     done
 
     echo "$loc_list"
@@ -931,13 +931,13 @@ helper_get_psa_curve_list () {
 # is useful to easily get a list of key type symbols to accelerate.
 # The function accepts a single argument which is the key type: ECC, DH, RSA.
 helper_get_psa_key_type_list() {
-    KEY_TYPE="$1"
+    key_type="$1"
     loc_list=""
-    for ITEM in $(sed -n "s/^#define PSA_WANT_\(KEY_TYPE_${KEY_TYPE}_[0-9A-Z_a-z]*\).*/\1/p" <"$CRYPTO_CONFIG_H"); do
+    for item in $(sed -n "s/^#define PSA_WANT_\(KEY_TYPE_${key_type}_[0-9A-Z_a-z]*\).*/\1/p" <"$CRYPTO_CONFIG_H"); do
         # Skip DERIVE for elliptic keys since there is no driver dispatch for
         # it so it cannot be accelerated.
-        if [ "$ITEM" != "KEY_TYPE_ECC_KEY_PAIR_DERIVE" ]; then
-            loc_list="$loc_list $ITEM"
+        if [ "$item" != "KEY_TYPE_ECC_KEY_PAIR_DERIVE" ]; then
+            loc_list="$loc_list $item"
         fi
     done
 
@@ -2560,17 +2560,17 @@ component_test_psa_crypto_config_accel_ecc_some_key_types () {
 
 # Run tests with only (non-)Weierstrass accelerated
 # Common code used in:
-# - component_test_psa_crypto_config_accel_ecc_weirstrass_curves
-# - component_test_psa_crypto_config_accel_ecc_non_weirstrass_curves
+# - component_test_psa_crypto_config_accel_ecc_weierstrass_curves
+# - component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves
 common_test_psa_crypto_config_accel_ecc_some_curves () {
-    WEIERSTRASS=$1
-    if [ $WEIERSTRASS -eq 1 ]; then
-        DESC="Weierstrass"
+    weierstrass=$1
+    if [ $weierstrass -eq 1 ]; then
+        desc="Weierstrass"
     else
-        DESC="non-Weierstrass"
+        desc="non-Weierstrass"
     fi
 
-    msg "build: full with accelerated EC algs and $DESC curves"
+    msg "build: crypto_full minus PK with accelerated EC algs and $desc curves"
 
     # Algorithms and key types to accelerate
     loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
@@ -2585,17 +2585,17 @@ common_test_psa_crypto_config_accel_ecc_some_curves () {
     # helper_get_psa_curve_list that only keeps Weierstrass families.
     loc_weierstrass_list=""
     loc_non_weierstrass_list=""
-    for ITEM in $(sed -n 's/^#define PSA_WANT_\(ECC_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do
-        case $ITEM in
+    for item in $(sed -n 's/^#define PSA_WANT_\(ECC_[0-9A-Z_a-z]*\).*/\1/p' <"$CRYPTO_CONFIG_H"); do
+        case $item in
             ECC_BRAINPOOL*|ECC_SECP*)
-                loc_weierstrass_list="$loc_weierstrass_list $ITEM"
+                loc_weierstrass_list="$loc_weierstrass_list $item"
                 ;;
             *)
-                loc_non_weierstrass_list="$loc_non_weierstrass_list $ITEM"
+                loc_non_weierstrass_list="$loc_non_weierstrass_list $item"
                 ;;
         esac
     done
-    if [ $WEIERSTRASS -eq 1 ]; then
+    if [ $weierstrass -eq 1 ]; then
         loc_curve_list=$loc_weierstrass_list
     else
         loc_curve_list=$loc_non_weierstrass_list
@@ -2604,8 +2604,18 @@ common_test_psa_crypto_config_accel_ecc_some_curves () {
     # Configure
     # ---------
 
-    # start with config full for maximum coverage (also enables USE_PSA)
-    helper_libtestdriver1_adjust_config "full"
+    # Start with config crypto_full and remove PK_C:
+    # that's what's supported now, see docs/driver-only-builds.md.
+    helper_libtestdriver1_adjust_config "crypto_full"
+    scripts/config.py unset MBEDTLS_PK_C
+    scripts/config.py unset MBEDTLS_PK_PARSE_C
+    scripts/config.py unset MBEDTLS_PK_WRITE_C
+    # We need to disable RSA too or PK will be re-enabled.
+    scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*"
+    scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*"
+    scripts/config.py unset MBEDTLS_RSA_C
+    scripts/config.py unset MBEDTLS_PKCS1_V15
+    scripts/config.py unset MBEDTLS_PKCS1_V21
 
     # Disable modules that are accelerated - some will be re-enabled
     scripts/config.py unset MBEDTLS_ECDSA_C
@@ -2641,7 +2651,7 @@ common_test_psa_crypto_config_accel_ecc_some_curves () {
     # - functions with mxz in the name are specific to Montgomery curves
     # - ecp_muladd is specific to Weierstrass curves
     ##nm library/ecp.o | tee ecp.syms
-    if [ $WEIERSTRASS -eq 1 ]; then
+    if [ $weierstrass -eq 1 ]; then
         not grep mbedtls_ecp_muladd library/ecp.o
         grep mxz library/ecp.o
     else
@@ -2650,7 +2660,7 @@ common_test_psa_crypto_config_accel_ecc_some_curves () {
     fi
     # We expect ECDSA and ECJPAKE to be re-enabled only when
     # Weierstrass curves are not accelerated
-    if [ $WEIERSTRASS -eq 1 ]; then
+    if [ $weierstrass -eq 1 ]; then
         not grep mbedtls_ecdsa library/ecdsa.o
         not grep mbedtls_ecjpake  library/ecjpake.o
     else
@@ -2661,16 +2671,15 @@ common_test_psa_crypto_config_accel_ecc_some_curves () {
     # Run the tests
     # -------------
 
-    msg "test suites: full with accelerated EC algs and $DESC curves"
-    # does not work for PK (and above), see #8255
-    make test SKIP_TEST_SUITES=pk,pkparse,pkwrite,x509parse,x509write,ssl,debug
+    msg "test suites: crypto_full minus PK with accelerated EC algs and $desc curves"
+    make test
 }
 
-component_test_psa_crypto_config_accel_ecc_weirstrass_curves () {
+component_test_psa_crypto_config_accel_ecc_weierstrass_curves () {
     common_test_psa_crypto_config_accel_ecc_some_curves 1
 }
 
-component_test_psa_crypto_config_accel_ecc_non_weirstrass_curves () {
+component_test_psa_crypto_config_accel_ecc_non_weierstrass_curves () {
     common_test_psa_crypto_config_accel_ecc_some_curves 0
 }
 
@@ -2686,10 +2695,10 @@ component_test_psa_crypto_config_accel_ecc_non_weirstrass_curves () {
 # - component_test_psa_crypto_config_reference_ecc_ecp_light_only.
 # This supports comparing their test coverage with analyze_outcomes.py.
 config_psa_crypto_config_ecp_light_only () {
-    DRIVER_ONLY="$1"
+    driver_only="$1"
     # start with config full for maximum coverage (also enables USE_PSA)
     helper_libtestdriver1_adjust_config "full"
-    if [ "$DRIVER_ONLY" -eq 1 ]; then
+    if [ "$driver_only" -eq 1 ]; then
         # Disable modules that are accelerated
         scripts/config.py unset MBEDTLS_ECDSA_C
         scripts/config.py unset MBEDTLS_ECDH_C
@@ -2783,11 +2792,11 @@ component_test_psa_crypto_config_reference_ecc_ecp_light_only () {
 # PK_C and RSA_C are always disabled to ensure there is no remaining dependency
 # on the ECP module.
 config_psa_crypto_no_ecp_at_all () {
-    DRIVER_ONLY="$1"
+    driver_only="$1"
     # start with full config for maximum coverage (also enables USE_PSA)
     helper_libtestdriver1_adjust_config "full"
 
-    if [ "$DRIVER_ONLY" -eq 1 ]; then
+    if [ "$driver_only" -eq 1 ]; then
         # Disable modules that are accelerated
         scripts/config.py unset MBEDTLS_ECDSA_C
         scripts/config.py unset MBEDTLS_ECDH_C
@@ -2901,12 +2910,12 @@ component_test_psa_crypto_config_reference_ecc_no_ecp_at_all () {
 # $2: a string value which states which components are tested. Allowed values
 #     are "ECC" or "ECC_DH".
 config_psa_crypto_config_accel_ecc_ffdh_no_bignum() {
-    DRIVER_ONLY="$1"
-    TEST_TARGET="$2"
+    driver_only="$1"
+    test_target="$2"
     # start with full config for maximum coverage (also enables USE_PSA)
     helper_libtestdriver1_adjust_config "full"
 
-    if [ "$DRIVER_ONLY" -eq 1 ]; then
+    if [ "$driver_only" -eq 1 ]; then
         # Disable modules that are accelerated
         scripts/config.py unset MBEDTLS_ECDSA_C
         scripts/config.py unset MBEDTLS_ECDH_C
@@ -2937,7 +2946,7 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum() {
     scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
     scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
 
-    if [ "$TEST_TARGET" = "ECC" ]; then
+    if [ "$test_target" = "ECC" ]; then
         # When testing ECC only, we disable FFDH support, both from builtin and
         # PSA sides, and also disable the key exchanges that depend on DHM.
         scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_FFDH
@@ -2948,7 +2957,7 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum() {
     else
         # When testing ECC and DH instead, we disable DHM and depending key
         # exchanges only in the accelerated build
-        if [ "$DRIVER_ONLY" -eq 1 ]; then
+        if [ "$driver_only" -eq 1 ]; then
             scripts/config.py unset MBEDTLS_DHM_C
             scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
             scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
@@ -2973,18 +2982,18 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum() {
 # common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum() for drivers
 # coverage analysis in the "analyze_outcomes.py" script.
 common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
-    TEST_TARGET="$1"
+    test_target="$1"
 
     # This is an internal helper to simplify text message handling
-    if [ "$TEST_TARGET" = "ECC_DH" ]; then
-        ACCEL_TEXT="ECC/FFDH"
-        REMOVED_TEXT="ECP - DH"
+    if [ "$test_target" = "ECC_DH" ]; then
+        accel_text="ECC/FFDH"
+        removed_text="ECP - DH"
     else
-        ACCEL_TEXT="ECC"
-        REMOVED_TEXT="ECP"
+        accel_text="ECC"
+        removed_text="ECP"
     fi
 
-    msg "build: full + accelerated $ACCEL_TEXT algs + USE_PSA - $REMOVED_TEXT - BIGNUM"
+    msg "build: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM"
 
     # By default we accelerate all EC keys/algs
     loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
@@ -2992,7 +3001,7 @@ common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
                     ALG_JPAKE \
                     $(helper_get_psa_key_type_list "ECC")"
     # Optionally we can also add DH to the list of accelerated items
-    if [ "$TEST_TARGET" = "ECC_DH" ]; then
+    if [ "$test_target" = "ECC_DH" ]; then
         loc_accel_list="$loc_accel_list \
                         ALG_FFDH \
                         $(helper_get_psa_key_type_list "DH")"
@@ -3007,7 +3016,7 @@ common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
     # ---------
 
     # Set common configurations between library's and driver's builds
-    config_psa_crypto_config_accel_ecc_ffdh_no_bignum 1 "$TEST_TARGET"
+    config_psa_crypto_config_accel_ecc_ffdh_no_bignum 1 "$test_target"
     # Disable all the builtin curves. All the required algs are accelerated.
     helper_disable_builtin_curves
 
@@ -3036,11 +3045,11 @@ common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
     # Run the tests
     # -------------
 
-    msg "test suites: full + accelerated $ACCEL_TEXT algs + USE_PSA - $REMOVED_TEXT - DHM - BIGNUM"
+    msg "test suites: full + accelerated $accel_text algs + USE_PSA - $removed_text - DHM - BIGNUM"
 
     make test
 
-    msg "ssl-opt: full + accelerated $ACCEL_TEXT algs + USE_PSA - $REMOVED_TEXT - BIGNUM"
+    msg "ssl-opt: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM"
     tests/ssl-opt.sh
 }
 
@@ -3056,25 +3065,25 @@ common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
 # common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum() for drivers'
 # coverage analysis in "analyze_outcomes.py" script.
 common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () {
-    TEST_TARGET="$1"
+    test_target="$1"
 
     # This is an internal helper to simplify text message handling
-    if [ "$TEST_TARGET" = "ECC_DH" ]; then
-        ACCEL_TEXT="ECC/FFDH"
+    if [ "$test_target" = "ECC_DH" ]; then
+        accel_text="ECC/FFDH"
     else
-        ACCEL_TEXT="ECC"
+        accel_text="ECC"
     fi
 
-    msg "build: full + non accelerated $ACCEL_TEXT algs + USE_PSA"
+    msg "build: full + non accelerated $accel_text algs + USE_PSA"
 
-    config_psa_crypto_config_accel_ecc_ffdh_no_bignum 0 "$TEST_TARGET"
+    config_psa_crypto_config_accel_ecc_ffdh_no_bignum 0 "$test_target"
 
     make
 
     msg "test suites: full + non accelerated EC algs + USE_PSA"
     make test
 
-    msg "ssl-opt: full + non accelerated $ACCEL_TEXT algs + USE_PSA"
+    msg "ssl-opt: full + non accelerated $accel_text algs + USE_PSA"
     tests/ssl-opt.sh
 }
 
@@ -3189,14 +3198,14 @@ component_test_tfm_config() {
 # - build
 # - test only TLS (i.e. test_suite_tls and ssl-opt)
 build_full_minus_something_and_test_tls () {
-    SYMBOLS_TO_DISABLE="$1"
+    symbols_to_disable="$1"
 
     msg "build: full minus something, test TLS"
 
     scripts/config.py full
-    for SYM in $SYMBOLS_TO_DISABLE; do
-        echo "Disabling $SYM"
-        scripts/config.py unset $SYM
+    for sym in $symbols_to_disable; do
+        echo "Disabling $sym"
+        scripts/config.py unset $sym
     done
 
     make
@@ -3225,22 +3234,22 @@ component_full_without_ecdhe_ecdsa_and_tls13 () {
 # - $1 is the key type under test, i.e. ECC/RSA/DH
 # - $2 is the key option to be unset (i.e. generate, derive, etc)
 build_and_test_psa_want_key_pair_partial() {
-    KEY_TYPE=$1
-    UNSET_OPTION=$2
-    DISABLED_PSA_WANT="PSA_WANT_KEY_TYPE_${KEY_TYPE}_KEY_PAIR_${UNSET_OPTION}"
+    key_type=$1
+    unset_option=$2
+    disabled_psa_want="PSA_WANT_KEY_TYPE_${key_type}_KEY_PAIR_${unset_option}"
 
-    msg "build: full - MBEDTLS_USE_PSA_CRYPTO - ${DISABLED_PSA_WANT}"
+    msg "build: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}"
     scripts/config.py full
     scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
     scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
 
     # All the PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy are enabled by default in
     # crypto_config.h so we just disable the one we don't want.
-    scripts/config.py -f "$CRYPTO_CONFIG_H" unset "$DISABLED_PSA_WANT"
+    scripts/config.py -f "$CRYPTO_CONFIG_H" unset "$disabled_psa_want"
 
     make CC=gcc CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
 
-    msg "test: full - MBEDTLS_USE_PSA_CRYPTO - ${DISABLED_PSA_WANT}"
+    msg "test: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}"
     make test
 }
 
@@ -3445,10 +3454,10 @@ component_test_psa_crypto_config_accel_hash_keep_builtins () {
 
 # Auxiliary function to build config for hashes with and without drivers
 config_psa_crypto_hash_use_psa () {
-    DRIVER_ONLY="$1"
+    driver_only="$1"
     # start with config full for maximum coverage (also enables USE_PSA)
     helper_libtestdriver1_adjust_config "full"
-    if [ "$DRIVER_ONLY" -eq 1 ]; then
+    if [ "$driver_only" -eq 1 ]; then
         # disable the built-in implementation of hashes
         scripts/config.py unset MBEDTLS_MD5_C
         scripts/config.py unset MBEDTLS_RIPEMD160_C
@@ -3664,33 +3673,6 @@ component_build_psa_accel_alg_ecdh() {
     make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDH -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
 }
 
-# This should be renamed to test and updated once the accelerator ECC key pair code is in place and ready to test.
-component_build_psa_accel_key_type_ecc_key_pair() {
-    msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_xxx"
-    scripts/config.py full
-    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
-    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
-    scripts/config.py -f "$CRYPTO_CONFIG_H" set-all "PSA_WANT_KEY_TYPE_ECC_[0-9A-Z_a-z]*"
-    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
-    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
-}
-
-# This should be renamed to test and updated once the accelerator ECC public key code is in place and ready to test.
-component_build_psa_accel_key_type_ecc_public_key() {
-    msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY"
-    scripts/config.py full
-    scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
-    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
-    scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
-    scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC
-    scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
-    scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
-    scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
-    scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
-    # Need to define the correct symbol and include the test driver header path in order to build with the test driver
-    make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
-}
-
 # This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test.
 component_build_psa_accel_alg_hmac() {
     msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HMAC"