diff --git a/doc/releases/migration-guide-4.1.rst b/doc/releases/migration-guide-4.1.rst
index 90dfad9a0e2370..8fa72c627cc7cb 100644
--- a/doc/releases/migration-guide-4.1.rst
+++ b/doc/releases/migration-guide-4.1.rst
@@ -36,6 +36,14 @@ Mbed TLS
 :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_LEGACY_RNG`. This helps in reducing ROM/RAM footprint of the Mbed TLS library.
+* The newly-added Kconfig option :kconfig:option:`CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT`
+ allows to specify the number of key slots available in the PSA Crypto core.
+ Previously this value was not explicitly set, so Mbed TLS's default value of
+ 32 was used. The new Kconfig option defaults to 16 instead in order to find
+ a reasonable compromise between RAM consumption and most common use cases.
+ It can be further trimmed down to reduce RAM consumption if the final
+ application doesn't need that many key slots simultaneously.
+
 Trusted Firmware-M
 ==================
diff --git a/doc/releases/release-notes-4.1.rst b/doc/releases/release-notes-4.1.rst
index 00d28be78a0e08..0549b4b8c30cbc 100644
--- a/doc/releases/release-notes-4.1.rst
+++ b/doc/releases/release-notes-4.1.rst
@@ -256,6 +256,12 @@ Libraries / Subsystems
 (or remove, if no other component makes use of it) heap memory requirements from the final application.
+ * The Kconfig symbol :kconfig:option:`CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT` was
+ added to allow selecting the number of key slots available in the Mbed TLS
+ implementation of the PSA Crypto core. It defaults to 16. Since each
+ slot consumes RAM memory even if unused, this value can be tweaked in order
+ to minimize RAM usage.
+
 * CMSIS-NN
 * FPGA
diff --git a/modules/mbedtls/Kconfig.tls-generic b/modules/mbedtls/Kconfig.tls-generic
index f65c86a2d967d0..5c8ac8b569b15d 100644
--- a/modules/mbedtls/Kconfig.tls-generic
+++ b/modules/mbedtls/Kconfig.tls-generic
@@ -585,6 +585,19 @@ config MBEDTLS_PSA_STATIC_KEY_SLOTS
 contain the largest asymmetric/symmetric key type enabled in the build through PSA_WANT symbols.
+config MBEDTLS_PSA_KEY_SLOT_COUNT
+ int "Number of key slots in PSA Crypto core"
+ default 16
+ help
+ Set the number of key slots that are available in the PSA Crypto core.
+ Be aware that each slot, even if unused, increases RAM consumption
+ by ~40 bytes plus:
+ * the length of the largest asymmetric/symmetric key type enabled in
+ the build through PSA_WANT symbols, if MBEDTLS_PSA_STATIC_KEY_SLOTS
+ is set. (This is all defined statically at build time).
+ * the heap-allocated memory to store the key material of a given slot,
+ if it is used and MBEDTLS_PSA_STATIC_KEY_SLOTS is not set.
+
 endif # MBEDTLS_PSA_CRYPTO_C
 config MBEDTLS_SSL_DTLS_CONNECTION_ID
diff --git a/modules/mbedtls/configs/config-tls-generic.h b/modules/mbedtls/configs/config-tls-generic.h
index 3f2bc5354bbd56..989d0ad70f2cd5 100644
--- a/modules/mbedtls/configs/config-tls-generic.h
+++ b/modules/mbedtls/configs/config-tls-generic.h
@@ -483,7 +483,6 @@
 #endif
 #if defined(CONFIG_ARCH_POSIX) && !defined(CONFIG_PICOLIBC)
-#define MBEDTLS_PSA_KEY_SLOT_COUNT 64 /* for BLE Mesh tests */
 #define MBEDTLS_PSA_ITS_FILE_C
 #define MBEDTLS_FS_IO
 #endif
@@ -498,6 +497,10 @@
 #define MBEDTLS_PSA_STATIC_KEY_SLOTS
 #endif
+#if defined(CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT)
+#define MBEDTLS_PSA_KEY_SLOT_COUNT CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT
+#endif
+
 #if defined(CONFIG_MBEDTLS_USE_PSA_CRYPTO)
 #define MBEDTLS_USE_PSA_CRYPTO
 #endif
diff --git a/tests/bsim/bluetooth/mesh/overlay_psa.conf b/tests/bsim/bluetooth/mesh/overlay_psa.conf
index 764d8cb6ea4949..f5a776bc6da322 100644
--- a/tests/bsim/bluetooth/mesh/overlay_psa.conf
+++ b/tests/bsim/bluetooth/mesh/overlay_psa.conf
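Review bot: `config MBEDTLS_PSA_KEY_SLOT_COUNT` carries `default 16` but no `range`, so Kconfig accepts 0 or a negative value and the new mapping in config-tls-generic.h passes it straight through as `MBEDTLS_PSA_KEY_SLOT_COUNT`; what the PSA core does with a zero-sized slot table is not visible here, but nothing in this hunk prevents it. A lower bound, `range 1 <UPPER_BOUND>` with the upper bound taken from what the PSA slot index type can hold, turns that into a configuration-time error instead of a build or run-time failure. The help text could also say what happens when the slots run out, since the default drops from Mbed TLS's 32 to 16: key creation presumably fails with `PSA_ERROR_INSUFFICIENT_MEMORY` once an application holds more keys than slots, which is easy to mistake for a heap problem, so a line such as `Key creation fails once all slots are in use; size this for the peak number of simultaneously live keys.` would help. The symbol sits inside the `if MBEDTLS_PSA_CRYPTO_C` block whose `endif` is the context line below, so no separate `depends on` is needed.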
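Review bot: Dropping the unconditional `MBEDTLS_PSA_KEY_SLOT_COUNT 64` for `CONFIG_ARCH_POSIX` builds means every native_sim build on the PSA path now gets the Kconfig default of 16 unless it opts back in, and this commit re-pins only the Bluetooth Mesh bsim overlay; any other POSIX-hosted test or sample that implicitly relied on 64 slots will start failing key creation once it holds more than 16 keys at a time. That is the right direction, but it is worth confirming there are no other such users before merging, and the migration guide entry could mention that POSIX builds previously had this higher, hard-coded value. The `#if defined(CONFIG_ARCH_POSIX) && !defined(CONFIG_PICOLIBC)` block is shown in full in the hunk.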
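Review bot: The new `#if defined(CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT)` mapping follows the same shape as the neighbouring `CONFIG_MBEDTLS_USE_PSA_CRYPTO` block, which is good, but after the earlier hunk removes the only numeric value from this header a reader no longer sees what the count is or where it is chosen. A one-line comment above the block, `/* Slot count is chosen in Kconfig.tls-generic (MBEDTLS_PSA_KEY_SLOT_COUNT); see its help text for the RAM cost per slot. */`, would keep that discoverable from the header alone.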
@@ -1,5 +1,8 @@
 # Enable PSA as a crypto backend in host
 CONFIG_BT_USE_PSA_API=y
+# Increase the number of key slots in PSA Crypto core CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT=64
+
 # Enable mbedTLS PSA as a crypto backend
 CONFIG_BT_MESH_USES_MBEDTLS_PSA=y
diff --git a/tests/crypto/secp256r1/mbedtls.conf b/tests/crypto/secp256r1/mbedtls.conf
index 7c3a56ce20b5ec..bbc2eb0e65638c 100644
--- a/tests/crypto/secp256r1/mbedtls.conf
+++ b/tests/crypto/secp256r1/mbedtls.conf
@@ -2,6 +2,7 @@ CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y
 CONFIG_MBEDTLS_PSA_P256M_DRIVER_ENABLED=y
 CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOTS=y
+CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT=2
 CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
 CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
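Review bot: `CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT=2` pins the secp256r1 test to a very small slot table, which is a useful way to catch key-slot leaks, but the file does not say why 2 is enough, and nothing in this hunk shows how many keys the test holds at once. A comment such as `# Two slots are enough for this test; presumably it never holds more than two keys at once (confirm against the test source)` would stop the next person who adds a key to the test from chasing what looks like an unrelated memory error. The overlay_psa.conf hunk above already carries a comment for its 64, so the two test configs would then be consistent.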