From 12ff947568679765f1b84cca4c2967bc67f4bd07 Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Mon, 13 May 2024 14:35:37 +0200
Subject: [PATCH] mbedtls: add new PSA_CRYPTO_CLIENT config

Using MBEDTLS_PSA_CRYPTO_CLIENT to guard all PSA_WANT symbols is not completely correct because:
1. the prefix MBEDTLS suggests that it's something related to MbedTLS, while actually PSA APIs can be provided also by other implementations (ex: TFM)
2. there might applications which are willing to use PSA APIs without using MbedTLS at all. For example computing an hash can be as simple as writing psa_hash_compute() and, if the PSA function is provided thorugh TFM, then MbedTLS is not required at all

Therefore this commit:
- moves MBEDTLS_PSA_CRYPTO_CLIENT to Kconfig.tls-generic since that symbol belongs to MbedTLS
- adds a new symbol named PSA_CRYPTO_CLIENT as a generic way to state that there is "some" PSA crypto API provider
- let MBEDTLS_PSA_CRYPTO_CLIENT automatically select PSA_CRYPTO_CLIENT, since the former is an implementation of the latter.

Signed-off-by: Valerio Setti
---
 modules/mbedtls/Kconfig.psa | 11 ++++++-----
 modules/mbedtls/Kconfig.tls-generic | 6 ++++++
 modules/mbedtls/create_psa_files.py | 11 ++++++-----
 modules/trusted-firmware-m/Kconfig.tfm | 1 +
 4 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/modules/mbedtls/Kconfig.psa b/modules/mbedtls/Kconfig.psa
index e6121ed9173..7562032bf3d 100644
--- a/modules/mbedtls/Kconfig.psa
+++ b/modules/mbedtls/Kconfig.psa
@@ -5,12 +5,13 @@
 # from: ../../../modules/crypto/mbedtls/include/psa/crypto_config.h.
 # Do not edit it manually.
-config MBEDTLS_PSA_CRYPTO_CLIENT
+config PSA_CRYPTO_CLIENT
     bool
-    default y
-    depends on BUILD_WITH_TFM || MBEDTLS_PSA_CRYPTO_C
+    help
+      Promptless symbol to state that there is a PSA crypto API provider
+      enabled in the system. This allows to select desired PSA_WANT features.
-if MBEDTLS_PSA_CRYPTO_CLIENT
+if PSA_CRYPTO_CLIENT
 config PSA_CRYPTO_ENABLE_ALL
     bool "All PSA crypto features"
@@ -351,4 +352,4 @@ config PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE
     bool "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE" if !MBEDTLS_PROMPTLESS
     default y if PSA_CRYPTO_ENABLE_ALL
-endif # MBEDTLS_PSA_CRYPTO_CLIENT
+endif # PSA_CRYPTO_CLIENT
diff --git a/modules/mbedtls/Kconfig.tls-generic b/modules/mbedtls/Kconfig.tls-generic
index 6117424f8a4..b3e620d94b9 100644
--- a/modules/mbedtls/Kconfig.tls-generic
+++ b/modules/mbedtls/Kconfig.tls-generic
@@ -493,6 +493,12 @@ config MBEDTLS_USE_PSA_CRYPTO
       Use PSA APIs instead of legacy MbedTLS functions in TLS/DTLS and other "intermediate" modules such as PK, MD and Cipher.
+config MBEDTLS_PSA_CRYPTO_CLIENT
+    bool
+    default y
+    depends on BUILD_WITH_TFM || MBEDTLS_PSA_CRYPTO_C
+    select PSA_CRYPTO_CLIENT
+
 config MBEDTLS_LMS
     bool "Support LMS signature schemes"
     depends on MBEDTLS_PSA_CRYPTO_CLIENT
diff --git a/modules/mbedtls/create_psa_files.py b/modules/mbedtls/create_psa_files.py
index fd5d21c9ad9..fe6d0b79b46 100755
--- a/modules/mbedtls/create_psa_files.py
+++ b/modules/mbedtls/create_psa_files.py
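Review bot: The new MBEDTLS_PSA_CRYPTO_CLIENT entry in Kconfig.tls-generic has no help text, so a reader of the Kconfig tree cannot tell how it differs from the generic PSA_CRYPTO_CLIENT it selects, or why it is gated on BUILD_WITH_TFM || MBEDTLS_PSA_CRYPTO_C. Suggest adding, after the `select PSA_CRYPTO_CLIENT` line, a help block such as `Promptless symbol set when MbedTLS acts as a PSA crypto client, either of its own PSA core (MBEDTLS_PSA_CRYPTO_C) or of the TF-M secure image (BUILD_WITH_TFM). It selects the generic PSA_CRYPTO_CLIENT so that the PSA_WANT_* feature symbols become available.` Since this is now the only place in the commit that selects PSA_CRYPTO_CLIENT, the help text is also where a maintainer would look to understand that the generic symbol is never set on its own.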
@@ -25,18 +25,19 @@ KCONFIG_HEADER="""\
 # from: {}.
 # Do not edit it manually.
-config MBEDTLS_PSA_CRYPTO_CLIENT
+config PSA_CRYPTO_CLIENT
     bool
-    default y
-    depends on BUILD_WITH_TFM || MBEDTLS_PSA_CRYPTO_C
+    help
+      Promptless symbol to state that there is a PSA crypto API provider
+      enabled in the system. This allows to select desired PSA_WANT features.
-if MBEDTLS_PSA_CRYPTO_CLIENT
+if PSA_CRYPTO_CLIENT
 config PSA_CRYPTO_ENABLE_ALL
     bool "All PSA crypto features"
 """.format(os.path.basename(__file__), INPUT_REL_PATH)
-KCONFIG_FOOTER="\nendif # MBEDTLS_PSA_CRYPTO_CLIENT\n"
+KCONFIG_FOOTER="\nendif # PSA_CRYPTO_CLIENT\n"
 H_HEADER="""\
 /*
diff --git a/modules/trusted-firmware-m/Kconfig.tfm b/modules/trusted-firmware-m/Kconfig.tfm
index 1c11a997cf7..e8f860fa2f6 100644
--- a/modules/trusted-firmware-m/Kconfig.tfm
+++ b/modules/trusted-firmware-m/Kconfig.tfm
@@ -33,6 +33,7 @@ menuconfig BUILD_WITH_TFM
     imply INIT_ARCH_HW_AT_BOOT
     imply ARM_NONSECURE_PREEMPTIBLE_SECURE_CALLS
     imply MBEDTLS
+    imply PSA_CRYPTO_ENABLE_ALL
     help
       When enabled, this option instructs the Zephyr build process to additionally generate a TF-M image for the Secure Execution
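Review bot: The help text added to KCONFIG_HEADER reads awkwardly ("Promptless symbol to state that ... This allows to select desired PSA_WANT features"), and because this template is the source from which Kconfig.psa is generated, the wording is copied verbatim into the generated file. Suggest replacing the two added help lines with `Promptless symbol stating that a PSA crypto API provider is enabled in the system. It gates the PSA_WANT_* feature symbols below.`, then regenerating Kconfig.psa so the two stay in sync (the Kconfig.psa hunk in this commit carries the same text). The KCONFIG_HEADER string literal starts before this hunk.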
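Review bot: `imply PSA_CRYPTO_ENABLE_ALL` on BUILD_WITH_TFM can only take effect when PSA_CRYPTO_CLIENT is also y, because PSA_CRYPTO_ENABLE_ALL is defined inside the `if PSA_CRYPTO_CLIENT` block of Kconfig.psa, and in this commit PSA_CRYPTO_CLIENT is selected solely by MBEDTLS_PSA_CRYPTO_CLIENT, which BUILD_WITH_TFM reaches only through the soft `imply MBEDTLS` a few lines above. A TF-M build with MBEDTLS disabled — the case the commit message sets out to support — therefore gets neither symbol and the new imply is silently dropped; if that case is intended to work, add `select PSA_CRYPTO_CLIENT` next to the new line. Separately, defaulting to every PSA_WANT_* feature makes the non-secure image request the whole algorithm set from the secure side, which is a deliberate widening of the enabled crypto surface, so a sentence in the help text noting that PSA_CRYPTO_ENABLE_ALL can be turned off for a minimal feature set would help users who want a tighter configuration.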