Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mbedtls: some enhancement for PSA crypto core #80136

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

mbedtls: some enhancement for PSA crypto core #80136

wants to merge 3 commits into from
+28 −13

Conversation

valeriosetti
Copy link
Collaborator

@valeriosetti valeriosetti commented Oct 21, 2024
edited
Loading

  • Add a new Kconfig symbol which allows to specify the number of key slots available in the PSA core.
  • Enable legacy CONFIG_MBEDTLS_CIPHER_AES_ENABLED when CONFIG_PSA_WANT_KEY_TYPE_AES is set and Mbed TLS is the PSA crypto API provider (i.e. CONFIG_MBEDTLS_PSA_CRYPTO_C). This mimic what happens in Mbed TLS at build time.
  • Enable CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG instead of CONFIG_MBEDTLS_PSA_CRYPTO_LEGACY_RNG if the platform has any CSPRNG enabled. This helps reducing RAM/ROM footprint.

@valeriosetti valeriosetti mentioned this pull request Oct 21, 2024
Draft
@valeriosetti valeriosetti removed the request for review from tomi-font October 21, 2024 11:31
@valeriosetti
mbedtls: auto-select MBEDTLS_CIPHER_AES_ENABLED when built-in in PSA
3287067 
Auto-select MBEDTLS_CIPHER_AES_ENABLED when AES support is requested
through PSA (i.e. CONFIG_PSA_WANT_KEY_TYPE_AES) and the PSA support is
provided through Mbed TLS itself (i.e. CONFIG_MBEDTLS_PSA_CRYPTO_C).

This mimic what happens in Mbed TLS at build time: if AES support
is required through PSA, but there's no one else providing it
(i.e. no TF-M in Zephyr) then provide this support through legacy
AES module.

This is useful in samples/tests so that the user can simply use the
PSA_WANT symbol to ask for AES support in PSA crypto and then tune
the AES features (ex: CONFIG_MBEDTLS_AES_ROM_TABLES) without the need
to also define CONFIG_MBEDTLS_CIPHER_AES_ENABLED.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
@valeriosetti valeriosetti force-pushed the psa-fix-for-bt branch 3 times, most recently from 4a7de08 to 7cc1204 Compare October 22, 2024 08:32
@valeriosetti
mbedtls: add Kconfig to select the number of key slot in PSA core
e334bc2 
Adding new CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT to select the number
of key slots in PSA core. The default value is 32 which is the
same value used in Mbed TLS by default. Be aware that key slots
consume RAM memory even if unused, so the proper value should be
a compromise between the number of slots required by the application
and the available RAM in the system.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
@valeriosetti
mbedtls: use CSPRNG whenever possible as PSA random source
6466c0e 
The main problem of MBEDTLS_PSA_CRYPTO_LEGACY_RNG is that it
brings in some legacy modules (entropy + ctr_drbg/hmac_drbg)
which means extra ROM/RAM footprint.
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG instead simply calls to the
CSPRNG which makes it definitely smaller.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@valeriosetti