# Kconfig - Cryptography primitive options for mbed TLS
#
# Copyright (c) 2016 Intel Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
menuconfig MBEDTLS
	bool "mbedTLS Support"
	help
	  Build and link the mbedTLS cryptography / TLS library. Every
	  other MBEDTLS_* option in this file is only visible while this
	  one is enabled.

if MBEDTLS
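choice
	prompt "Select implementation"
	default MBEDTLS_BUILTIN
	help
	  Choose whether mbedTLS is built from the sources bundled in the
	  tree or taken from a pre-built external library.

config MBEDTLS_BUILTIN
	bool "Enable mbedTLS integrated sources"
	help
	  Build and link the mbedTLS sources bundled in the tree
	  (ext/lib/crypto/mbedtls) instead of an externally installed
	  library. The build is then driven by MBEDTLS_CFG_FILE and by the
	  other MBEDTLS_* options that depend on MBEDTLS_BUILTIN.

config MBEDTLS_LIBRARY
	bool "Enable mbedTLS external library"
	help
	  Link against an externally built mbedTLS library instead of the
	  bundled sources. The library and its headers are taken from
	  MBEDTLS_INSTALL_PATH, which must be set for the build to succeed.
	  None of the build options that depend on MBEDTLS_BUILTIN apply in
	  this mode, so the external library's own configuration header,
	  not this Kconfig, decides which features and ciphersuites are
	  compiled in.

endchoice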
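config MBEDTLS_CFG_FILE
	string "mbed TLS configuration file"
	depends on MBEDTLS_BUILTIN
	default "config-tls-generic.h"
	help
	  Name of the mbed TLS configuration header used to build the
	  integrated sources. The default, config-tls-generic.h, can be
	  tweaked through the options in Kconfig.tls-generic; it is
	  suitable for communicating with the majority of HTTPS servers on
	  the Internet, but has relatively many features enabled. To
	  optimize resources for a special TLS usage, trim it with those
	  Kconfig options, or select an alternative config header.

	  Kconfig.tls-generic is only sourced while this value is exactly
	  "config-tls-generic.h". An alternative header therefore replaces
	  the generic configuration wholesale and alone decides which
	  algorithms, ciphersuites and protocol versions are built in;
	  review such a header with the same care as the generic one.
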
# Only the generic configuration header can be tuned from Kconfig; any
# other MBEDTLS_CFG_FILE value leaves the tls-generic options unused.
if MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS_BUILTIN
source "ext/lib/crypto/mbedtls/Kconfig.tls-generic"
endif

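config MBEDTLS_SSL_MAX_CONTENT_LEN
	int "Max payload size for TLS protocol message"
	default 1500
	depends on MBEDTLS_BUILTIN
	help
	  Maximum payload size of a single TLS record that mbed TLS will
	  buffer. The TLS standards mandate a maximum of 16384 bytes, so
	  for maximum interoperability and general-purpose usage that value
	  must be used. For specific usages it can be lowered considerably:
	  for DTLS the payload is bounded by the UDP datagram size, and even
	  for an HTTPS REST API it can be limited to the largest of (REST
	  request, REST response, server certificate chain).

	  This is a purely local limit. Nothing in this option advertises
	  it to the peer, so a peer that sends a larger record (a long
	  certificate chain is the usual case) can be expected to fail
	  rather than adapt; size it for the largest record you expect to
	  receive, not just to send.

	  mbed TLS uses this value separately for the input and output
	  buffers, so twice this value is allocated from mbed TLS's own
	  heap. With MBEDTLS_ENABLE_HEAP=y, MBEDTLS_HEAP_SIZE must
	  accommodate that: the default of 1500 here already needs about
	  3000 bytes for the two buffers alone, far more than the 512-byte
	  default of MBEDTLS_HEAP_SIZE.
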
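config MBEDTLS_DEBUG
	bool "mbed TLS debug activation"
	depends on MBEDTLS_BUILTIN
	help
	  Compile mbed TLS with its debug facility enabled. With the
	  mbedTLS/Zephyr integration (e.g. net_app) this also turns on
	  debug logging at the level selected by MBEDTLS_DEBUG_LEVEL.

	  When using mbed TLS directly instead, you must perform the
	  additional configuration yourself: call
	    mbedtls_ssl_conf_dbg(&mbedtls.conf, my_debug, NULL);
	    mbedtls_debug_set_threshold(level);
	  in your application, and provide the my_debug() callback that
	  actually prints something useful.

	  Debug output is for development only. The higher levels trace
	  the handshake and record layer in detail and can put material
	  into the log that must not leave the device (peer identity,
	  negotiated parameters and possibly key material). Keep this
	  option disabled in production images.
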
config MBEDTLS_DEBUG_LEVEL
	int "mbed TLS default debug level"
	depends on MBEDTLS_DEBUG
	range 0 4
	default 0
	help
	  Logging threshold used by the Zephyr integration code when
	  MBEDTLS_DEBUG is set. The levels follow
	  ext/lib/crypto/mbedtls/include/mbedtls/debug.h:
	    0 - no debug output
	    1 - errors
	    2 - state changes
	    3 - informational
	    4 - verbose

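config MBEDTLS_TEST
	bool "Compile internal self test functions"
	depends on MBEDTLS_BUILTIN
	help
	  Compile the crypto algorithms' self-test functions
	  (mbedtls_*_self_test()) into the integrated mbed TLS build.
	  This only makes them available; nothing in this option runs them,
	  so an application that wants a power-on or known-answer check of
	  the primitives has to call them itself.
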
config MBEDTLS_INSTALL_PATH
	string "mbedTLS install path"
	depends on MBEDTLS_LIBRARY
	help
	  Directory under which the externally built mbedTLS libraries and
	  headers are installed. There is no default: whenever
	  MBEDTLS_LIBRARY is selected this must point at a valid
	  installation, otherwise the build fails.

config MBEDTLS_ENABLE_HEAP
	bool "Enable global heap for mbed TLS"
	help
	  Let mbed TLS allocate from its own heap. The setting is global on
	  purpose: mbed TLS can have only one heap, so individual Zephyr
	  applications and libraries must not try to set one up themselves.
	  When enabled, Zephyr initializes the heap automatically during
	  device startup; its size is given by MBEDTLS_HEAP_SIZE.

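config MBEDTLS_HEAP_SIZE
	int "Heap size for mbed TLS"
	default 512
	depends on MBEDTLS_ENABLE_HEAP
	help
	  Size in bytes of the heap the mbedtls routines allocate from when
	  MBEDTLS_ENABLE_HEAP is set. See
	  ext/lib/crypto/mbedtls/include/mbedtls/config.h and the
	  MBEDTLS_MEMORY_BUFFER_ALLOC_C option for details; that option is
	  not enabled by default.

	  The default of 512 bytes is only a placeholder and is not enough
	  for a TLS session: the right size depends on the application and
	  must be set explicitly. As a lower bound the heap has to hold the
	  two record buffers, i.e. 2 * MBEDTLS_SSL_MAX_CONTENT_LEN (3000
	  bytes with that option's default). For streaming communication
	  with arbitrary (HTTPS) servers on the Internet, 32KB plus
	  overheads (up to another 20KB) may be needed; for some dedicated
	  and specific usage of the mbedtls API, about 1000 bytes may be
	  enough.
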
config APP_LINK_WITH_MBEDTLS
	bool "Link 'app' with MBEDTLS"
	default y
	# Already implied by the enclosing "if MBEDTLS"; kept for clarity.
	depends on MBEDTLS
	help
	  Put the MBEDTLS header directories on the 'app' include path.
	  Turn this off if those include paths cause header aliasing issues
	  for 'app'.

endif