This commit introduces the option to place the mbed TLS heap in a custom
memory section. The heap might be quite large depending on concurrent
TLS connections, thus it might be needed to place this manually.
Signed-off-by: Emil Lindqvist <emil@lindq.gr>
- Slightly improve the name of this Kconfig adding the suffix
_POLL in order to highlight that this adds a callback
function used to poll data.
- Description was also updated to point out that this symbol
might not only use the (secure) entropy driver, but also
generic number generators, some of which are not really
secure.
- The symbol was moved from Kconfig to Kconfig.tls-generic because
this is where MBEDTLS_ENTROPY_C is located and since
MBEDTLS_ENTROPY_HARDWARE_ALT depends on the former (it only
makes sense if the entropy module is also enabled), we add
also the "depends on".
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Create a new Kconfig named CONFIG_PSA_WANT_ALG_SHA_256 which allows
enabling PSA_WANT_ALG_SHA_256. This allows using PSA functions to
compute SHA256 hashes. When PSA is provided by TFM this also allows
to remove legacy mbedtls_sha256() support and therefore reduce
footprint for the NS side.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Add a Kconfig option for enabling `MBEDTLS_PLATFORM_ZEROIZE_ALT`, which
is required if the mbed backend already provides an implementation.
For example, the Nordic cryptocell precompiled backends.
Signed-off-by: Jordan Yates <jordan.yates@data61.csiro.au>
Add a config flag to enable conditional mbedtls
initialization at startup, defaulting to enabled.
Also add a function, mbedtls_init(), that should be
called by platforms that wish to initialise mbedtls
at a time of their choosing.
Signed-off-by: Eugene Cohen <quic_egmc@quicinc.com>
Signed-off-by: Dave Aldridge <quic_daldridg@quicinc.com>
Debug log messages generated by mbedTLS library contain newline at the end
of log string. Remove this newline, if it exists, so that log output is
much more user friendly.
Add a dedicated Kconfig option for that, so it can be disabled on request.
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
So far LOG_DBG() was used inside debug hook for mbedTLS library. This meant
that it was hard to distinguish log messages by simply looking at the log
level number, even though Zephyr logging subsystem supports colorful logs
depending on log level.
Choose an appropriate Zephyr LOG_*() macro based on log level coming from
mbedTLS library. Remove log level number from formatted log messages, as it
is now redundant.
One controversial thing about this change is that mbedTLS' "2 State change"
log level is mapped to Zephyr's "warning" log level. Those are not really
warnings in real life, but rather informational messages. However, using
"warning" log level for those allows clearly distinguishing between "2
State change" and "3 Informational" debug messages from mbedTLS.
Additionally, mbedTLS debug message implementation does not seem to be safe
to use in production, so keeping in mind MBEDTLS_DEBUG will be enabled just
during debugging phase, printing "2 State change" logs as warnings should
not be a big deal.
Set default MBEDTLS_DEBUG_LEVEL value depending on selected Zephyr logging
module level, so that only a single option needs to be configured in the
application project.
Remove prompt for MBEDTLS_DEBUG_LEVEL, so that interactively (e.g. via
menuconfig) adjusting MBEDTLS_LOG_LEVEL will always result in automatically
updating MBEDTLS_DEBUG_LEVEL option. This is to prevent the so-called "stuck
symbol syndrome".
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
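The two preceding commit messages describe a debug hook that strips the trailing newline from mbedTLS debug strings and maps the mbedTLS debug level onto a Zephyr log level. The following C block is an added illustration of that behaviour and is not the Zephyr module's own code: it uses the mbedtls_ssl_conf_dbg() callback signature, but instead of calling Zephyr's LOG_*() macros it writes the formatted line and the chosen severity into a caller-provided struct so the result can be inspected offline. The enum values, the struct name hook_out, the helper names and the mapping of levels 1 and 4 (error and verbose) are assumptions made for this example; only the "2 State change" to warning mapping comes from the commit message.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Severity levels assumed for this example (constructed; the real
 * LOG_LEVEL_* values live in Zephyr's logging headers). */
enum log_severity { SEV_ERR = 1, SEV_WRN = 2, SEV_INF = 3, SEV_DBG = 4 };

/* Map an mbedTLS debug level to a Zephyr-style severity. mbedTLS uses
 * 1 = Error, 2 = State change, 3 = Informational, 4 = Verbose. The
 * 2 -> warning mapping is the one discussed in the commit message; the
 * others are this example's assumption. */
enum log_severity map_mbedtls_level(int level)
{
    switch (level) {
    case 1:  return SEV_ERR;
    case 2:  return SEV_WRN;
    case 3:  return SEV_INF;
    default: return SEV_DBG;
    }
}

/* Copy str into out (capacity out_len), dropping a single trailing '\n'
 * if present. Returns the number of characters written, excluding NUL. */
size_t strip_trailing_newline(const char *str, char *out, size_t out_len)
{
    size_t len = strlen(str);

    if (len > 0 && str[len - 1] == '\n') {
        len--;
    }
    if (len >= out_len) {
        len = out_len - 1;   /* truncate rather than overflow */
    }
    memcpy(out, str, len);
    out[len] = '\0';
    return len;
}

/* Runtime basename extraction of the source file path (hypothetical helper). */
const char *basename_of(const char *path)
{
    const char *p = strrchr(path, '/');
    return p ? p + 1 : path;
}

/* Where a real hook would call LOG_ERR()/LOG_WRN()/... this example stores
 * the formatted message and chosen severity for inspection. */
struct hook_out {
    char buf[128];
    enum log_severity sev;
};

/* Callback with the mbedtls_ssl_conf_dbg() signature; ctx points to a
 * struct hook_out in this example. */
void zephyr_mbedtls_debug(void *ctx, int level, const char *file, int line,
                          const char *str)
{
    struct hook_out *o = ctx;
    char msg[96];

    strip_trailing_newline(str, msg, sizeof(msg));
    o->sev = map_mbedtls_level(level);
    snprintf(o->buf, sizeof(o->buf), "%s:%d: %s", basename_of(file), line, msg);
}

int main(void)
{
    struct hook_out o;

    /* Constructed sample of what mbedTLS passes to the hook. */
    zephyr_mbedtls_debug(&o, 2, "/src/library/ssl_tls.c", 42,
                         "client state: 1\n");
    printf("severity=%d line=\"%s\"\n", (int)o.sev, o.buf);
    return 0;
}
```

Note that the hook has to be installed per mbedTLS context (for TLS, via mbedtls_ssl_conf_dbg() on each config), which is the point the later commit message makes about TLS sockets needing to install it themselves.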
So far there was a runtime basename extraction of filenames passed to
mbedTLS debug hook. This has both runtime penalty as well as code size
penalty.
Introduce buildtime support of extracting basename of source filenames
logged using logging subsystem, so that there is no need to do it at
runtime.
Provide Kconfig options for both buildtime and runtime basename extraction,
as in some cases the buildtime basename extraction might not work,
depending on toolchain used for building Zephyr. Default to buildtime when
using Zephyr SDK, as that is proven to work. Use runtime basename
extraction in other cases (other toolchains used).
This saves approximately 204 bytes of code footprint for a sample
application with native TLS sockets built for nRF52840.
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
mbedTLS library threshold initialization was done in native TLS socket
implementation (which tends to use mbedTLS now) and inside mbedTLS
benchmark test. Move that to mbedTLS module initialization, as this is a
global setting.
Update description of CONFIG_MBEDTLS_DEBUG_LEVEL to clarify when
mbedtls_debug_set_threshold() is called.
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
So far there was a debug log hook installed in TLS socket implementation.
However, mbedTLS (with debug enabled) might be used outside of the TLS socket
and even outside of the networking context.
Add new module, which implements debug log hook and makes it available
whenever CONFIG_MBEDTLS_DEBUG is enabled.
Note that debug hook needs to be installed for each mbedTLS context
separately, which means that this requires action from mbedTLS users, such
as TLS sockets implementation.
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
According to Kconfig guidelines, boolean prompts must not start with
"Enable...". The following command has been used to automate the changes
in this patch:
sed -i "s/bool \"[Ee]nables\? \(\w\)/bool \"\U\1/g" **/Kconfig*
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
Introducing MBEDTLS_PROMPTLESS and CUSTOM_MBEDTLS_CFG_FILE settings.
The MBEDTLS_PROMPTLESS can be set to true whenever configuration of
mbedTLS is done from a subsystem or module.
Such an example is OpenThread, which selects mbedTLS for some predefined
crypto settings using OPENTHREAD_MBEDTLS=y.
Unfortunately, extensive use of select can easily cause stuck symbol
syndrome making it harder than necessary for users to later reconfigure
as they easily get stuck in incompatible configurations.
Providing a MBEDTLS_PROMPTLESS allows such configurations to disable the
MBEDTLS prompt itself when selected but avoid a stuck symbol if the user
selects another security configuration.
Similar with CUSTOM_MBEDTLS_CFG_FILE which ensures that user must
explicitly select this symbol before providing a custom mbedTLS config
file.
Today, other parts of the Kconfig tree may set a default value for
MBEDTLS_CFG_FILE but that value is stuck and thus changed Kconfig
selections elsewhere in the tree will not adjust the value.
Introducing CUSTOM_MBEDTLS_CFG_FILE ensures it is known when the user
has provided the value.
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
We move the Zephyr-specific CMakeLists.txt file into
the main Zephyr tree. We also move the zephyr_init.c
source file.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>