mbedtls: add a new Kconfig file for PSA_WANT logic

modules/mbedtls/Kconfig

@@ -13,7 +13,8 @@ config MBEDTLS_PROMPTLESS
 	  mbed TLS menu prompt and instead handle the selection of MBEDTLS from
 	  dependent sub-configurations and thus prevent stuck symbol behavior.
 
-rsource "Kconfig.psa"
+rsource "Kconfig.psa.auto"
+rsource "Kconfig.psa.logic"
 
 menuconfig MBEDTLS
 	bool "mbed TLS Support" if !MBEDTLS_PROMPTLESS

modules/mbedtls/Kconfig.psa.logic

@@ -0,0 +1,140 @@
+# Copyright (c) 2024 BayLibre SAS
+# SPDX-License-Identifier: Apache-2.0
+
+# This file extends Kconfig.psa (which is automatically generated) by adding
+# some logic between PSA_WANT symbols.
+
+# Start by defining some internal symbols that can be used to check whether there
+# is some kind of support in the PSA Crypto API.
+
+config PSA_CAN_SOME_HASH
+	bool
+	default y if (PSA_WANT_ALG_MD5      || \
+		      PSA_WANT_ALG_SHA_1    || \
+		      PSA_WANT_ALG_SHA_224  || \
+		      PSA_WANT_ALG_SHA_256  || \
+		      PSA_WANT_ALG_SHA_384  || \
+		      PSA_WANT_ALG_SHA_512  || \
+		      PSA_WANT_ALG_SHA3_224 || \
+		      PSA_WANT_ALG_SHA3_256 || \
+		      PSA_WANT_ALG_SHA3_384 || \
+		      PSA_WANT_ALG_SHA3_512)
+	help
+	  Promptless symbol that can be used to check if there's any type of hash
+	  support enabled (no matter which algorithm) in the PSA Crypto API.
+
+config PSA_CAN_SOME_ECC
+	bool
+	default y if (PSA_WANT_ECC_BRAINPOOL_P_R1_256 || \
+		      PSA_WANT_ECC_BRAINPOOL_P_R1_384 || \
+		      PSA_WANT_ECC_BRAINPOOL_P_R1_512 || \
+		      PSA_WANT_ECC_MONTGOMERY_255 || \
+		      PSA_WANT_ECC_MONTGOMERY_448 || \
+		      PSA_WANT_ECC_SECP_K1_192 || \
+		      PSA_WANT_ECC_SECP_K1_256 || \
+		      PSA_WANT_ECC_SECP_R1_192 || \
+		      PSA_WANT_ECC_SECP_R1_224 || \
+		      PSA_WANT_ECC_SECP_R1_256 || \
+		      PSA_WANT_ECC_SECP_R1_384 || \
+		      PSA_WANT_ECC_SECP_R1_521)
+	help
+	  Promptless symbol that can be used to check if there's at least one family
+	  of elliptic curve enabled in the PSA Crypto API.
+
+config PSA_CAN_ECDSA
+	bool
+	default y if (PSA_WANT_ALG_ECDSA || PSA_WANT_ALG_DETERMINISTIC_ECDSA) && \
+		      PSA_CAN_SOME_ECC
+	help
+	  Promptless symbol that can be used to check if the PSA Crypto API support
+	  ECDSA (either deterministic or not) for at least one curve family.
+
+config PSA_CAN_ECDH
+	bool
+	default y if PSA_WANT_ALG_ECDH && PSA_CAN_SOME_ECC
+	help
+	  Promptless symbol that can be used to check if the PSA Crypto API support
+	  ECDH (either deterministic or not) for at least one curve family.
+
+config PSA_CAN_ECJPAKE
+	bool
+	default y if PSA_WANT_ECC_SECP_R1_256 && PSA_WANT_ALG_SHA_256
+	help
+	  Promptless symbol that can be used to check if the PSA Crypto API support
+	  EC-JPAKE.
+
+# Dependencies between KDF (key derivation function) algorithms and low-level
+# crypto ones.
+
+config PSA_WANT_ALG_HKDF
+	depends on PSA_WANT_KEY_TYPE_HMAC
+	depends on PSA_WANT_ALG_HMAC
+	depends on PSA_CAN_SOME_HASH
+
+config PSA_WANT_ALG_HKDF_EXTRACT
+	depends on PSA_WANT_ALG_HKDF
+
+config PSA_WANT_ALG_HKDF_EXPAND
+	depends on PSA_WANT_ALG_HKDF
+
+config PSA_WANT_ALG_PBKDF2_HMAC
+	depends on PSA_WANT_KEY_TYPE_HMAC
+	depends on PSA_WANT_ALG_HMAC
+	depends on PSA_CAN_SOME_HASH
+
+config PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
+	depends on PSA_WANT_KEY_TYPE_AES
+	depends on PSA_WANT_ALG_CMAC
+
+config PSA_WANT_ALG_TLS12_PRF
+	depends on PSA_WANT_KEY_TYPE_HMAC
+	depends on PSA_WANT_ALG_HMAC
+	depends on (PSA_WANT_ALG_SHA_256 || \
+		    PSA_WANT_ALG_SHA_384)
+
+config PSA_WANT_ALG_TLS12_PSK_TO_MS
+	depends on PSA_WANT_KEY_TYPE_HMAC
+	depends on PSA_WANT_ALG_HMAC
+	depends on (PSA_WANT_ALG_SHA_256 || \
+		    PSA_WANT_ALG_SHA_384)
+
+config PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
+	depends on PSA_WANT_ALG_SHA_256
+
+# Mbed TLS makes assumptions on asymmetric key build symbols
+# (see modules/crypto/mbedtls/include/psa/crypto_adjust_config_key_pair_types.h):
+# - that PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_BASIC is automatically set whenever one of
+#   IMPORT|EXPORT|GENERATE|DERIVE is set;
+# - and that PSA_WANT_KEY_TYPE_xxx_PUBLIC_KEY is automatically set whenever any of
+#   IMPORT|EXPORT|GENERATE|DERIVE is set.
+#
+# Note: PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE is not supported in Mbed TLS so
+#       it's not included in the list below.
+
+config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC
+	select PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
+
+config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC
+	select PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
+
+config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC
+	select PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
+
+config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC
+	select PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
+
+config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
+	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
+	select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
+
+config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
+	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
+	select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
+
+config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
+	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
+	select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY

modules/mbedtls/Kconfig.tls-generic

@@ -92,26 +92,28 @@ config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
 
 config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
 	bool "ECDHE-RSA based ciphersuite modes"
-	depends on MBEDTLS_ECDH_C
+	depends on MBEDTLS_ECDH_C || PSA_CAN_ECDH
 
 config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 	bool "ECDHE-ECDSA based ciphersuite modes"
-	depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C || (PSA_WANT_ALG_ECDH && PSA_WANT_ALG_ECDSA)
+	depends on (MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C) || \
+		   (PSA_CAN_ECDH && PSA_CAN_ECDSA)
 
 config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
 	bool "ECDH-ECDSA based ciphersuite modes"
-	depends on (MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C) || (PSA_WANT_ALG_ECDH && PSA_WANT_ALG_ECDSA)
+	depends on (MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C) || \
+		   (PSA_CAN_ECDH && PSA_CAN_ECDSA)
 
 config MBEDTLS_ECDSA_DETERMINISTIC
 	bool "Deterministic ECDSA (RFC 6979)"
 
 config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
 	bool "ECDH-RSA based ciphersuite modes"
-	depends on MBEDTLS_ECDH_C
+	depends on MBEDTLS_ECDH_C || PSA_CAN_ECDH
 
 config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
 	bool "ECJPAKE based ciphersuite modes"
-	depends on MBEDTLS_ECJPAKE_C
+	depends on MBEDTLS_ECJPAKE_C || PSA_CAN_ECJPAKE
 
 if MBEDTLS_TLS_VERSION_1_3
 

modules/mbedtls/configs/config-psa.h

@@ -5,7 +5,7 @@
  */
 
 /* This file was automatically generated by create_psa_files.py
- * from: ../../../modules/crypto/mbedtls/include/psa/crypto_config.h
+ * using: ../../../modules/crypto/mbedtls/include/psa/crypto_config.h
  * Do not edit it manually.
  */
 

modules/mbedtls/create_psa_files.py

@@ -14,7 +14,7 @@
                               "include", "psa", "crypto_config.h")
 INPUT_FILE = os.path.normpath(os.path.join(SCRIPT_PATH, INPUT_REL_PATH))
 
-KCONFIG_PATH=os.path.join(SCRIPT_PATH, "Kconfig.psa")
+KCONFIG_PATH=os.path.join(SCRIPT_PATH, "Kconfig.psa.auto")
 HEADER_PATH=os.path.join(SCRIPT_PATH, "configs", "config-psa.h")
 
 KCONFIG_HEADER="""\
@@ -47,7 +47,7 @@
  */
 
 /* This file was automatically generated by {}
- * from: {}
+ * using: {}
  * Do not edit it manually.
  */