mbedtls: some enhancement for PSA crypto core #80136
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
valeriosetti
force-pushed
the
psa-fix-for-bt
branch
6 times, most recently
from
6466c0e
to
ddf7a84
Compare
valeriosetti
force-pushed
the
psa-fix-for-bt
branch
from
ddf7a84
to
a8737af
Compare
zephyrbot
requested review from
alwa-nordic,
ceolin,
d3zd3z,
dkalowsk,
hermabe,
ithinuel,
jhedberg,
kartben,
mmahadevan108,
nashif,
rugeGerritsen,
sjanc,
Thalley,
theob-pro and
tomi-font
ceolin
previously approved these changes
Nov 3, 2024
jhedberg
previously approved these changes
Nov 3, 2024
jhedberg
previously approved these changes
Nov 6, 2024
nashif
previously approved these changes
Nov 6, 2024
tomi-font
previously approved these changes
Nov 6, 2024
doc/releases/migration-guide-4.0.rst
Outdated
Comment on lines
79
to
81
| is set), then the Kconfig option :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` | ||
| is the default choice for random number source instead of |
There was a problem hiding this comment.
Suggested change
| is set), then the Kconfig option :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` | |
| is the default choice for random number source instead of | |
| is set), the Kconfig option :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` | |
| is now the default choice for the random number source instead of |
|
please review @ceolin |
str4t0m
previously approved these changes
Nov 7, 2024
frkv
approved these changes
Nov 8, 2024
d3zd3z
previously approved these changes
Nov 13, 2024
Auto-select MBEDTLS_CIPHER_AES_ENABLED when AES support is requested through PSA (i.e. CONFIG_PSA_WANT_KEY_TYPE_AES) and the PSA support is provided through Mbed TLS itself (i.e. CONFIG_MBEDTLS_PSA_CRYPTO_C). This mimic what happens in Mbed TLS at build time: if AES support is required through PSA, but there's no one else providing it (i.e. no TF-M in Zephyr) then provide this support through legacy AES module. This is useful in samples/tests so that the user can simply use the PSA_WANT symbol to ask for AES support in PSA crypto and then tune the AES features (ex: CONFIG_MBEDTLS_AES_ROM_TABLES) without the need to also define CONFIG_MBEDTLS_CIPHER_AES_ENABLED. Signed-off-by: Valerio Setti <[email protected]>
valeriosetti
force-pushed
the
psa-fix-for-bt
branch
from
10c6a74
to
2283c41
Compare
The main problem of MBEDTLS_PSA_CRYPTO_LEGACY_RNG is that it brings in some legacy modules (entropy + ctr_drbg/hmac_drbg) which means extra ROM/RAM footprint. MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG instead simply calls to the CSPRNG which makes it definitely smaller. Signed-off-by: Valerio Setti <[email protected]>
As long as MBEDTLS_ENTROPY_C is enabled, Mbed TLS needs to poll some entropy source to gather data that will then be processed by CTR/HMAC-DRBG modules. This means that in most of the cases, once MBEDTLS_ENTROPY_C is enabled then also MBEDTLS_ENTROPY_POLL_ZEPHYR needs to be enabled. This was done manually until now, as the long list of samples/tests demonstrate. This commit solves this dependency by defaulting MBEDTLS_ENTROPY_POLL_ZEPHYR to on as soon as MBEDTLS_ENTROPY_C is set. As a consequence, all manual enablement of MBEDTLS_ENTROPY_POLL_ZEPHYR in samples/tests are removed. Signed-off-by: Valerio Setti <[email protected]>
valeriosetti
dismissed stale reviews from str4t0m, tomi-font, d3zd3z, nashif, and jhedberg
via
d5ba546
valeriosetti
force-pushed
the
psa-fix-for-bt
branch
from
2283c41
to
d5ba546
Compare
jhedberg
approved these changes
Nov 18, 2024
|
Sorry for the double rebase, but since 4.0 release was published last week, I need to move documentation updates in this PR from
This way it should be easier to check the changes that I did. |
tomi-font
approved these changes
Nov 18, 2024
| @@ -30,6 +30,12 @@ Modules | |||
| Mbed TLS | |||
| ======== | |||
|
|
|||
| * If a platform has a CSPRNG source available (i.e. :kconfig:option:`CONFIG_CSPRNG_ENABLED` | |||
| is set), then the Kconfig option :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` | |||
| is the default choice for random number source instead of | |||
There was a problem hiding this comment.
Suggested change
| is the default choice for random number source instead of | |
| is now the default choice for random number source instead of |
tomi-font
reviewed
Nov 18, 2024
| is set), then the Kconfig option :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` | ||
| is the default choice for random number source instead of | ||
| :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_LEGACY_RNG`. This helps in reducing | ||
| ROM/RAM footprint of the Mbed TLS library. |
There was a problem hiding this comment.
Suggested change
| ROM/RAM footprint of the Mbed TLS library. | |
| the ROM/RAM footprint of the Mbed TLS library. |
ceolin
approved these changes
Nov 20, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
CONFIG_MBEDTLS_CIPHER_AES_ENABLEDwhenCONFIG_PSA_WANT_KEY_TYPE_AESis set and Mbed TLS is the PSA crypto API provider (i.e.CONFIG_MBEDTLS_PSA_CRYPTO_C). This mimic what happens in Mbed TLS at build time.CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNGinstead ofCONFIG_MBEDTLS_PSA_CRYPTO_LEGACY_RNGif the platform has any CSPRNG enabled. This helps reducing RAM/ROM footprint.