# Kconfig - Cryptography primitive options for mbed TLS

#
# Copyright (c) 2016 Intel Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

menuconfig MBEDTLS
	bool
	prompt "mbedTLS Support"
	default n
	help
	  This option enables the mbedTLS cryptography library.

if MBEDTLS

choice
	prompt "Select implementation"
	default MBEDTLS_BUILTIN

config MBEDTLS_BUILTIN
	bool "Enable mbedTLS integrated sources"
	help
	  Link with the local mbedTLS sources instead of an external library.

config MBEDTLS_LIBRARY
	bool "Enable mbedTLS external library"
	help
	  Link with an mbedTLS library built outside the Zephyr tree. The
	  library and its headers are located via MBEDTLS_INSTALL_PATH.

endchoice

# Commit message for the change of the default below:
#   mbedtls: Switch default MBEDTLS_CFG_FILE to config-mini-tls1_2.h
#   The previous default, "config-threadnet.h", is a more or less arbitrary
#   choice made in commit 312def2c7857 1.5 years ago. In particular,
#   it's not related to Thread support in Zephyr per se (there was no
#   such support at that time).
#   It doesn't make sense to have a default intended for a particular,
#   not widely used (yet) protocol. Instead, the default should work
#   out of the box with a contemporary, widely deployed array of TLS
#   servers, which are HTTPS servers. config-mini-tls1_2.h works with
#   https://google.com, and by extension, with many other servers on
#   the Internet.
#   So, have that as the default, and let applications with special
#   needs override that to what they need.
#   Addresses: #6132
#   Signed-off-by: Paul Sokolovsky <paul.sokolovsky@linaro.org>
#   2018-02-15 21:34:11 +08:00
config MBEDTLS_CFG_FILE
	string "mbed TLS configuration file"
	depends on MBEDTLS_BUILTIN
	default "config-mini-tls1_2.h"
	help
	  Use a specific mbed TLS configuration file. The default is suitable to
	  communicate with the majority of HTTPS servers on the Internet, but has
	  relatively many features enabled. To optimize resources for special
	  TLS usage, an alternative config may be selected.

config MBEDTLS_DEBUG
	bool "mbed TLS debug activation"
	depends on MBEDTLS_BUILTIN
	default n
	help
	  Enable debug logging in the mbed TLS configuration. If you use the
	  mbedTLS/Zephyr integration (e.g. net_app), this activates debug
	  logging at the level configured by MBEDTLS_DEBUG_LEVEL.

	  If you use mbedTLS directly instead, you need to perform the
	  additional setup yourself: call

	    mbedtls_ssl_conf_dbg(&mbedtls.conf, my_debug, NULL);
	    mbedtls_debug_set_threshold(level);

	  in your application, and write the my_debug() callback so that it
	  actually prints something useful.

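# Added example (not Zephyr or mbed TLS code): a my_debug() callback of the
# shape mbedtls_ssl_conf_dbg() expects, for applications that drive mbed TLS
# directly rather than through the Zephyr integration. It assumes the p_dbg
# argument is a FILE * and that CONFIG_MBEDTLS_DEBUG_LEVEL is the value passed
# to mbedtls_debug_set_threshold(); format_debug_line() and the level names
# are local to this example. Level filtering happens inside mbed TLS, so the
# callback only formats and writes. Output at levels 3 and 4 can include dumps
# of handshake buffers and secrets, so treat it as sensitive and keep it out
# of production builds.

```c
#include <stdio.h>
#include <string.h>

/* Names for the level numbering in mbedtls/debug.h: 0 no debug, 1 error,
 * 2 state change, 3 information, 4 verbose. */
const char *mbedtls_level_name(int level)
{
	switch (level) {
	case 1: return "ERR";
	case 2: return "STATE";
	case 3: return "INFO";
	case 4: return "VERB";
	default: return "?";
	}
}

/* Format one debug message into buf with snprintf semantics (returns the
 * length the full line would have). mbed TLS hands the callback a message
 * that already ends in '\n' and the full source path of the call site;
 * strip both down so each log line is one clean record. */
int format_debug_line(char *buf, size_t cap, int level, const char *file,
		      int line, const char *str)
{
	const char *base = strrchr(file, '/');
	size_t len = strlen(str);

	base = base ? base + 1 : file;
	if (len > 0 && str[len - 1] == '\n') {
		len--;
	}
	return snprintf(buf, cap, "mbedtls[%s] %s:%04d: %.*s",
			mbedtls_level_name(level), base, line, (int)len, str);
}

/* Callback with the signature mbedtls_ssl_conf_dbg() expects. Registration
 * in the application (assumed names, mbed TLS headers required there):
 *   mbedtls_ssl_conf_dbg(&conf, my_debug, stderr);
 *   mbedtls_debug_set_threshold(CONFIG_MBEDTLS_DEBUG_LEVEL);
 * ctx is whatever was passed as p_dbg; here a FILE * (NULL means stderr).
 * Messages above the threshold never reach this function, so it does no
 * filtering of its own. */
void my_debug(void *ctx, int level, const char *file, int line,
	      const char *str)
{
	FILE *out = ctx ? (FILE *)ctx : stderr;
	char buf[256];

	format_debug_line(buf, sizeof(buf), level, file, line, str);
	fputs(buf, out);
	fputc('\n', out);
}

/* Stand-alone demo with constructed messages in the form mbed TLS emits. */
int main(void)
{
	my_debug(NULL, 2, "/zephyr/ext/lib/crypto/mbedtls/library/ssl_tls.c",
		 8812, "client state: 1\n");
	my_debug(NULL, 1, "ssl_cli.c", 1204,
		 "mbedtls_ssl_handshake returned -0x7780\n");
	return 0;
}
```
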
config MBEDTLS_DEBUG_LEVEL
	int "mbed TLS default debug level"
	depends on MBEDTLS_DEBUG
	default 0
	range 0 4
	help
	  Default mbed TLS debug logging level for Zephyr integration code
	  (from ext/lib/crypto/mbedtls/include/mbedtls/debug.h):
	  0 No debug
	  1 Error
	  2 State change
	  3 Information
	  4 Verbose

config MBEDTLS_TEST
	bool "Compile internal self test functions"
	depends on MBEDTLS_BUILTIN
	default n
	help
	  Enable the self-test functions for the crypto algorithms.

config MBEDTLS_INSTALL_PATH
	string "mbedTLS install path"
	depends on MBEDTLS_LIBRARY
	help
	  This option holds the path where the mbedTLS libraries and headers are
	  installed. Make sure this option is properly set when MBEDTLS_LIBRARY
	  is enabled, otherwise the build will fail.

config MBEDTLS_ENABLE_HEAP
	bool "Enable global heap for mbed TLS"
	default n
	help
	  This option lets mbedtls use a heap. The setting must be global so
	  that the various applications and libraries in Zephyr do not each
	  try to set one up themselves, as mbedtls can have only one heap
	  defined. If this is enabled, Zephyr initializes the heap
	  automatically during device startup.

config MBEDTLS_HEAP_SIZE
	int "Heap size for mbed TLS"
	default 512
	depends on MBEDTLS_ENABLE_HEAP
	help
	  The mbedtls routines will use this heap if enabled.
	  See ext/lib/crypto/mbedtls/include/mbedtls/config.h and the
	  MBEDTLS_MEMORY_BUFFER_ALLOC_C option for details. That option is not
	  enabled by default.
	  The default value is deliberately small, as the heap size needed
	  depends on the application. For a server application 15000 bytes
	  should be enough. For some dedicated and specific usage of the
	  mbedtls API, 1000 bytes might be OK.

config APP_LINK_WITH_MBEDTLS
	bool "Link 'app' with MBEDTLS"
	default y
	depends on MBEDTLS
	help
	  Add MBEDTLS header files to the 'app' include path. It may be
	  disabled if the include paths for MBEDTLS are causing aliasing
	  issues for 'app'.

endif