/* * Copyright (c) 2018-2023, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause * */ /** * \file psa/crypto_config.h * \brief PSA crypto configuration options (set of defines) * */ #if defined(MBEDTLS_PSA_CRYPTO_CONFIG) /** * When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled in mbedtls_config.h, * this file determines which cryptographic mechanisms are enabled * through the PSA Cryptography API (\c psa_xxx() functions). * * To enable a cryptographic mechanism, uncomment the definition of * the corresponding \c PSA_WANT_xxx preprocessor symbol. * To disable a cryptographic mechanism, comment out the definition of * the corresponding \c PSA_WANT_xxx preprocessor symbol. * The names of cryptographic mechanisms correspond to values * defined in psa/crypto_values.h, with the prefix \c PSA_WANT_ instead * of \c PSA_. * * Note that many cryptographic mechanisms involve two symbols: one for * the key type (\c PSA_WANT_KEY_TYPE_xxx) and one for the algorithm * (\c PSA_WANT_ALG_xxx). Mechanisms with additional parameters may involve * additional symbols. */ #else /** * When \c MBEDTLS_PSA_CRYPTO_CONFIG is disabled in mbedtls_config.h, * this file is not used, and cryptographic mechanisms are supported * through the PSA API if and only if they are supported through the * mbedtls_xxx API. */ #endif #ifndef PROFILE_M_PSA_CRYPTO_CONFIG_H #define PROFILE_M_PSA_CRYPTO_CONFIG_H /* * CBC-MAC is not yet supported via the PSA API in Mbed TLS. */ //#define PSA_WANT_ALG_CBC_MAC 1 //#define PSA_WANT_ALG_CBC_NO_PADDING 1 //#define PSA_WANT_ALG_CBC_PKCS7 1 #define PSA_WANT_ALG_CCM 1 //#define PSA_WANT_ALG_CMAC 1 //#define PSA_WANT_ALG_CFB 1 //#define PSA_WANT_ALG_CHACHA20_POLY1305 1 //#define PSA_WANT_ALG_CTR 1 //#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1 //#define PSA_WANT_ALG_ECB_NO_PADDING 1 #define PSA_WANT_ALG_ECDH 1 #define PSA_WANT_ALG_ECDSA 1 //#define PSA_WANT_ALG_GCM 1 #define PSA_WANT_ALG_HKDF 1 #define PSA_WANT_ALG_HMAC 1 //#define PSA_WANT_ALG_MD5 1 //#define PSA_WANT_ALG_OFB 1 /* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS. * Note: when adding support, also adjust include/mbedtls/config_psa.h */ //#define PSA_WANT_ALG_PBKDF2_HMAC 1 //#define PSA_WANT_ALG_RIPEMD160 1 //#define PSA_WANT_ALG_RSA_OAEP 1 //#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1 //#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1 //#define PSA_WANT_ALG_RSA_PSS 1 //#define PSA_WANT_ALG_SHA_1 1 #define PSA_WANT_ALG_SHA_224 1 #define PSA_WANT_ALG_SHA_256 1 //#define PSA_WANT_ALG_SHA_384 1 //#define PSA_WANT_ALG_SHA_512 1 //#define PSA_WANT_ALG_STREAM_CIPHER 1 #define PSA_WANT_ALG_TLS12_PRF 1 #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 /* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS. * Note: when adding support, also adjust include/mbedtls/config_psa.h */ //#define PSA_WANT_ALG_XTS 1 //#define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1 //#define PSA_WANT_ECC_BRAINPOOL_P_R1_384 1 //#define PSA_WANT_ECC_BRAINPOOL_P_R1_512 1 //#define PSA_WANT_ECC_MONTGOMERY_255 1 //#define PSA_WANT_ECC_MONTGOMERY_448 1 //#define PSA_WANT_ECC_SECP_K1_192 1 /* * SECP224K1 is buggy via the PSA API in Mbed TLS * (https://github.com/Mbed-TLS/mbedtls/issues/3541). Thus, do not enable it by * default. */ //#define PSA_WANT_ECC_SECP_K1_224 1 //#define PSA_WANT_ECC_SECP_K1_256 1 //#define PSA_WANT_ECC_SECP_R1_192 1 //#define PSA_WANT_ECC_SECP_R1_224 1 #define PSA_WANT_ECC_SECP_R1_256 1 //#define PSA_WANT_ECC_SECP_R1_384 1 //#define PSA_WANT_ECC_SECP_R1_521 1 #define PSA_WANT_KEY_TYPE_DERIVE 1 #define PSA_WANT_KEY_TYPE_HMAC 1 #define PSA_WANT_KEY_TYPE_AES 1 //#define PSA_WANT_KEY_TYPE_ARIA 1 //#define PSA_WANT_KEY_TYPE_CAMELLIA 1 //#define PSA_WANT_KEY_TYPE_CHACHA20 1 //#define PSA_WANT_KEY_TYPE_DES 1 //#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1 /* Deprecated */ #define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1 #define PSA_WANT_KEY_TYPE_RAW_DATA 1 //#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1 /* Deprecated */ //#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 /* * The following symbols extend and deprecate the legacy * PSA_WANT_KEY_TYPE_xxx_KEY_PAIR ones. They include the usage of that key in * the name's suffix. "_USE" is the most generic and it can be used to describe * a generic suport, whereas other ones add more features on top of that and * they are more specific. */ #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1 //#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1 /***********************************************************/ /* Tweak the configuration to remove dependencies on TF-M. */ /***********************************************************/ /* MBEDTLS_PSA_CRYPTO_SPM needs third-party files, so disable it. */ #undef MBEDTLS_PSA_CRYPTO_SPM /* Disable buffer-based memory allocator. This isn't strictly required, * but using the native allocator is faster and works better with * memory management analysis frameworks such as ASan. */ #undef MBEDTLS_MEMORY_BUFFER_ALLOC_C // This macro is enabled in TFM Medium but is disabled here because it is // incompatible with baremetal builds in Mbed TLS. #undef MBEDTLS_PSA_CRYPTO_STORAGE_C // This macro is enabled in TFM Medium but is disabled here because it is // incompatible with baremetal builds in Mbed TLS. #undef MBEDTLS_ENTROPY_NV_SEED // These platform-related TF-M settings are not useful here. #undef MBEDTLS_PLATFORM_NO_STD_FUNCTIONS #undef MBEDTLS_PLATFORM_STD_MEM_HDR #undef MBEDTLS_PLATFORM_SNPRINTF_MACRO #undef MBEDTLS_PLATFORM_PRINTF_ALT #undef MBEDTLS_PLATFORM_STD_EXIT_SUCCESS #undef MBEDTLS_PLATFORM_STD_EXIT_FAILURE /* * In order to get an example config that works cleanly out-of-the-box * for both baremetal and non-baremetal builds, we detect baremetal builds * (either IAR, Arm compiler or __ARM_EABI__ defined), and adjust some * variables accordingly. */ #if defined(__IAR_SYSTEMS_ICC__) || defined(__ARMCC_VERSION) || defined(__ARM_EABI__) #define MBEDTLS_NO_PLATFORM_ENTROPY #else /* Use built-in platform entropy functions (TF-M provides its own). */ #undef MBEDTLS_NO_PLATFORM_ENTROPY #endif /*********************************************************************** * Local changes to crypto config below this delimiter **********************************************************************/ // We expect TF-M to pick this up soon #define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT /* CCM is the only cipher/AEAD enabled in TF-M configuration files, but it * does not need CIPHER_C to be enabled, so we can disable it in order * to reduce code size further. */ #undef MBEDTLS_CIPHER_C #ifdef CRYPTO_HW_ACCELERATOR #include "crypto_accelerator_config.h" #endif #endif /* PROFILE_M_PSA_CRYPTO_CONFIG_H */