mbedtls: some enhancement for PSA crypto core #80136
Conversation
valeriosetti
force-pushed
the
psa-fix-for-bt
branch
6 times, most recently
from
6466c0e
to
ddf7a84
Compare
valeriosetti
force-pushed
the
psa-fix-for-bt
branch
from
ddf7a84
to
a8737af
Compare
zephyrbot
requested review from
alwa-nordic,
ceolin,
d3zd3z,
dkalowsk,
hermabe,
ithinuel,
jhedberg,
kartben,
mmahadevan108,
nashif,
rugeGerritsen,
sjanc,
Thalley,
theob-pro and
tomi-font
|
As this has a migration guide for 4.0 change, I'm guessing this is desired to be in 4.0. Given that we're at RC2 now, it's going to need a GitHub Issue to make that happen. I'm 90% sure this can just be linked to the deprecation of TinyCrypt but I'll leave that up to you :-) If you think this should be part of 4.0 please add the Milestone. |
This is only required for #79931 which is still drafted, so no this won't be part of 4.0. I'll move the documentation |
valeriosetti
force-pushed
the
psa-fix-for-bt
branch
4 times, most recently
from
fd5c53f
to
9dc4b33
Compare
|
As discussed in the Release meeting today, we want to consider the deprecation of Tinycrypt a release blocker item for 4.0. That would mean Part1, Part2, and the mbedTLS changes would all need to be merged in. This is one of the changes identified for inclusion. @ceolin any objection to this course of action? The point was raised that Tinycrypt has been "just about to be deprecated" for 5 years now, but never seems to make it. We'd like to make it happen now. |
Auto-select MBEDTLS_CIPHER_AES_ENABLED when AES support is requested through PSA (i.e. CONFIG_PSA_WANT_KEY_TYPE_AES) and the PSA support is provided through Mbed TLS itself (i.e. CONFIG_MBEDTLS_PSA_CRYPTO_C). This mimic what happens in Mbed TLS at build time: if AES support is required through PSA, but there's no one else providing it (i.e. no TF-M in Zephyr) then provide this support through legacy AES module. This is useful in samples/tests so that the user can simply use the PSA_WANT symbol to ask for AES support in PSA crypto and then tune the AES features (ex: CONFIG_MBEDTLS_AES_ROM_TABLES) without the need to also define CONFIG_MBEDTLS_CIPHER_AES_ENABLED. Signed-off-by: Valerio Setti <[email protected]>
valeriosetti
force-pushed
the
psa-fix-for-bt
branch
from
9dc4b33
to
b89fce8
Compare
The main problem of MBEDTLS_PSA_CRYPTO_LEGACY_RNG is that it brings in some legacy modules (entropy + ctr_drbg/hmac_drbg) which means extra ROM/RAM footprint. MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG instead simply calls to the CSPRNG which makes it definitely smaller. Signed-off-by: Valerio Setti <[email protected]>
As long as MBEDTLS_ENTROPY_C is enabled, Mbed TLS needs to poll some entropy source to gather data that will then be processed by CTR/HMAC-DRBG modules. This means that in most of the cases, once MBEDTLS_ENTROPY_C is enabled then also MBEDTLS_ENTROPY_POLL_ZEPHYR needs to be enabled. This was done manually until now, as the long list of samples/tests demonstrate. This commit solves this dependency by defaulting MBEDTLS_ENTROPY_POLL_ZEPHYR to on as soon as MBEDTLS_ENTROPY_C is set. As a consequence, all manual enablement of MBEDTLS_ENTROPY_POLL_ZEPHYR in samples/tests are removed. Signed-off-by: Valerio Setti <[email protected]>
valeriosetti
force-pushed
the
psa-fix-for-bt
branch
from
b89fce8
to
10c6a74
Compare
| is set), then the Kconfig option :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` | ||
| is the default choice for random number source instead of |
There was a problem hiding this comment.
| is set), then the Kconfig option :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` | |
| is the default choice for random number source instead of | |
| is set), the Kconfig option :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` | |
| is now the default choice for the random number source instead of |
|
please review @ceolin |
CONFIG_MBEDTLS_CIPHER_AES_ENABLEDwhenCONFIG_PSA_WANT_KEY_TYPE_AESis set and Mbed TLS is the PSA crypto API provider (i.e.CONFIG_MBEDTLS_PSA_CRYPTO_C). This mimic what happens in Mbed TLS at build time.CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNGinstead ofCONFIG_MBEDTLS_PSA_CRYPTO_LEGACY_RNGif the platform has any CSPRNG enabled. This helps reducing RAM/ROM footprint.