# Cryptography primitive options for mbed TLS

# Copyright (c) 2016 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

config ZEPHYR_MBEDTLS_MODULE
	bool

config MBEDTLS_PROMPTLESS
	bool
	help
	  Symbol to disable the prompt for MBEDTLS selection.
	  This symbol may be used internally in a Kconfig tree to hide the
	  mbed TLS menu prompt and instead handle the selection of MBEDTLS
	  from dependent sub-configurations and thus prevent stuck symbol
	  behavior.

menuconfig MBEDTLS
	bool "mbed TLS Support" if !MBEDTLS_PROMPTLESS
	help
	  This option enables the mbedTLS cryptography library.

if MBEDTLS

choice MBEDTLS_IMPLEMENTATION
	prompt "Select implementation"
	default MBEDTLS_BUILTIN

config MBEDTLS_BUILTIN
	bool "Use Zephyr in-tree mbedTLS version"
	help
	  Link with the mbedTLS sources included with the Zephyr
	  distribution. The included mbedTLS version is well integrated
	  with and supported by Zephyr, and is the recommended choice for
	  most users.

config MBEDTLS_LIBRARY
	bool "Use external mbedTLS library"
	help
	  Use an external, out-of-tree prebuilt mbedTLS library. For
	  advanced users only.

endchoice

config CUSTOM_MBEDTLS_CFG_FILE
	bool "Custom mbed TLS configuration file"
	help
	  Allow user-defined input for the MBEDTLS_CFG_FILE setting.
	  You can specify the actual configuration file using the
	  MBEDTLS_CFG_FILE setting.

config MBEDTLS_CFG_FILE
	string "mbed TLS configuration file" if CUSTOM_MBEDTLS_CFG_FILE
	depends on MBEDTLS_BUILTIN
	default "config-tls-generic.h"
	help
	  Use a specific mbedTLS configuration file. The default config
	  file can be tweaked with Kconfig. The default configuration is
	  suitable for communicating with the majority of HTTPS servers on
	  the Internet, but has relatively many features enabled. To
	  optimize resources for special TLS usage, use the available
	  Kconfig options, or select an alternative config.
rsource "Kconfig.tls-generic"

config MBEDTLS_SSL_MAX_CONTENT_LEN
	int "Max payload size for TLS protocol message"
	default 1500
	depends on MBEDTLS_BUILTIN
	help
	  The TLS standards mandate a max payload size of 16384 bytes. So,
	  for maximum interoperability and for general-purpose usage, that
	  value must be used. For specific usages, that value can be
	  greatly decreased. E.g. for DTLS, the payload size is limited by
	  the UDP datagram size, and even for an HTTPS REST API, the
	  payload can be limited to the max size of (REST request, REST
	  response, server certificate(s)). mbedTLS uses this value
	  separately for input and output buffers, so twice this value
	  will be allocated (on mbedTLS' own heap, so the value of
	  MBEDTLS_HEAP_SIZE should accommodate that).

config MBEDTLS_DEBUG
	bool "mbed TLS debug activation"
	depends on MBEDTLS_BUILTIN
	help
	  Enable debugging activation for the mbed TLS configuration. If
	  you use the mbedTLS/Zephyr integration (e.g. net_app), this will
	  activate debug logging (of the level configured by
	  MBEDTLS_DEBUG_LEVEL). If you use mbedTLS directly instead, you
	  will need to perform additional configuration yourself: call the
	  mbedtls_ssl_conf_dbg(&mbedtls.conf, my_debug, NULL);
	  mbedtls_debug_set_threshold(level);
	  functions in your application, and create the my_debug()
	  function to actually print something useful.

config MBEDTLS_DEBUG_LEVEL
	int "mbed TLS default debug level"
	depends on MBEDTLS_DEBUG
	default 0
	range 0 4
	help
	  Default mbed TLS debug logging level for Zephyr integration code
	  (from ext/lib/crypto/mbedtls/include/mbedtls/debug.h):
	  0 No debug
	  1 Error
	  2 State change
	  3 Information
	  4 Verbose

config MBEDTLS_MEMORY_DEBUG
	bool "mbed TLS memory debug activation"
	depends on MBEDTLS_BUILTIN
	help
	  Enable debugging of buffer allocator memory issues. Automatically
	  prints (to stderr) all (fatal) messages on memory allocation
	  issues. Enables a function for 'debug output' of allocated
	  memory.
config MBEDTLS_TEST
	bool "Compile internal self test functions"
	depends on MBEDTLS_BUILTIN
	help
	  Enable the self test functions for the crypto algorithms.

config MBEDTLS_INSTALL_PATH
	string "mbedTLS install path"
	depends on MBEDTLS_LIBRARY
	help
	  This option holds the path where the mbedTLS libraries and
	  headers are installed. Make sure this option is properly set
	  when MBEDTLS_LIBRARY is enabled, otherwise the build will fail.

config MBEDTLS_ENABLE_HEAP
	bool "Global heap for mbed TLS"
	help
	  This option enables mbedTLS to use the heap. This setting must
	  be global so that the various applications and libraries in
	  Zephyr do not try to do this themselves, as there can be only
	  one heap defined in mbedTLS. If this is enabled, then Zephyr
	  will initialize the heap automatically during device startup.

config MBEDTLS_HEAP_SIZE
	int "Heap size for mbed TLS"
	default 10240 if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
	default 512
	depends on MBEDTLS_ENABLE_HEAP
	help
	  The mbedTLS routines will use this heap if enabled. See
	  ext/lib/crypto/mbedtls/include/mbedtls/config.h and the
	  MBEDTLS_MEMORY_BUFFER_ALLOC_C option for details. That option
	  is not enabled by default. The default value for the heap size
	  is not set, as it depends on the application. For streaming
	  communication with arbitrary (HTTPS) servers on the Internet,
	  32KB + overheads (up to another 20KB) may be needed. For some
	  dedicated and specific usage of the mbedTLS API, 1000 bytes
	  might be enough.

config MBEDTLS_SHELL
	bool "mbed TLS shell"
	depends on MBEDTLS
	depends on SHELL
	help
	  Enable the mbed TLS shell module, which allows showing debug
	  information about the mbed TLS library, such as heap usage.

config APP_LINK_WITH_MBEDTLS
	bool "Link 'app' with MBEDTLS"
	default y
	help
	  Add the MBEDTLS header files to the 'app' include path. It may
	  be disabled if the include paths for MBEDTLS are causing
	  aliasing issues for 'app'.

endif # MBEDTLS
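The my_debug() callback that the MBEDTLS_DEBUG help text tells applications using mbedTLS directly to supply, written here as an added example that is not part of this Kconfig file, of Zephyr or of mbed TLS itself. It assumes the context pointer handed to mbedtls_ssl_conf_dbg() is a FILE *, and it names the levels after the 0-4 scale listed under MBEDTLS_DEBUG_LEVEL.

```c
#include <stdio.h>
#include <string.h>

/* Debug levels as listed under MBEDTLS_DEBUG_LEVEL (mbedtls/debug.h). */
enum { DBG_NONE = 0, DBG_ERROR = 1, DBG_STATE = 2, DBG_INFO = 3, DBG_VERBOSE = 4 };

static const char *level_name(int level)
{
	switch (level) {
	case DBG_ERROR:   return "ERR";
	case DBG_STATE:   return "STATE";
	case DBG_INFO:    return "INFO";
	case DBG_VERBOSE: return "VERB";
	default:          return "?";
	}
}

/* Keep only the file name: full source paths waste room on a small target. */
static const char *short_name(const char *path)
{
	const char *slash = strrchr(path, '/');
	return slash ? slash + 1 : path;
}

/* Format one message into out; returns the length snprintf would write.
 * mbed TLS appends '\n' to every message, so it is dropped here and the
 * caller terminates each line exactly once. */
int mbedtls_format_debug(char *out, size_t out_len, int level,
			 const char *file, int line, const char *str)
{
	size_t n = strlen(str);
	if (n > 0 && str[n - 1] == '\n') {
		n--;
	}
	return snprintf(out, out_len, "mbedtls:%s %s:%d: %.*s",
			level_name(level), short_name(file), line, (int)n, str);
}

/* The my_debug() callback the MBEDTLS_DEBUG help asks for. Level filtering is
 * already done by mbedtls_debug_set_threshold(), so only messages at or below
 * the threshold arrive here. ctx is the third argument of mbedtls_ssl_conf_dbg();
 * this example assumes a FILE *, e.g. mbedtls_ssl_conf_dbg(&conf, my_debug, stderr). */
void my_debug(void *ctx, int level, const char *file, int line, const char *str)
{
	char buf[128];
	mbedtls_format_debug(buf, sizeof(buf), level, file, line, str);
	fputs(buf, (FILE *)ctx);
	fputc('\n', (FILE *)ctx);
}
```

With MBEDTLS_DEBUG_LEVEL set to 1, only the "ERR" lines appear, which is the setting to start from on a constrained target before raising the threshold for a specific handshake problem.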