145 lines
4.9 KiB
Plaintext
145 lines
4.9 KiB
Plaintext
# Cryptography primitive options for mbed TLS
|
|
|
|
# Copyright (c) 2016 Intel Corporation
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
menuconfig MBEDTLS
|
|
bool "mbedTLS Support"
|
|
help
|
|
This option enables the mbedTLS cryptography library.
|
|
|
|
if MBEDTLS
|
|
|
|
choice
|
|
prompt "Select implementation"
|
|
default MBEDTLS_BUILTIN
|
|
|
|
config MBEDTLS_BUILTIN
|
|
bool "Use Zephyr in-tree mbedTLS version"
|
|
help
|
|
Link with mbedTLS sources included with Zephyr distribution.
|
|
Included mbedTLS version is well integrated with and supported
|
|
by Zephyr, and the recommended choice for most users.
|
|
|
|
config MBEDTLS_LIBRARY
|
|
bool "Use external mbedTLS library"
|
|
help
|
|
Use external, out-of-tree prebuilt mbedTLS library. For advanced
|
|
users only.
|
|
|
|
endchoice
|
|
|
|
config MBEDTLS_CFG_FILE
|
|
string "mbed TLS configuration file"
|
|
depends on MBEDTLS_BUILTIN
|
|
default "config-tls-generic.h"
|
|
help
|
|
Use a specific mbedTLS configuration file. The default config file
|
|
file can be tweaked with Kconfig. The default configuration is
|
|
suitable to communicate with majority of HTTPS servers on the Internet,
|
|
but has relatively many features enabled. To optimize resources for
|
|
special TLS usage, use available Kconfig options, or select an
|
|
alternative config.
|
|
|
|
rsource "Kconfig.tls-generic"
|
|
|
|
config MBEDTLS_SSL_MAX_CONTENT_LEN
|
|
int "Max payload size for TLS protocol message"
|
|
default 1500
|
|
depends on MBEDTLS_BUILTIN
|
|
help
|
|
The TLS standards mandate max payload size of 16384 bytes. So, for
|
|
maximum operability and for general-purpose usage, that value must
|
|
be used. For specific usages, that value can be largely decreased.
|
|
E.g. for DTLS, payload size is limited by UDP datagram size, and
|
|
even for HTTPS REST API, the payload can be limited to max size of
|
|
(REST request, REST response, server certificate(s)).
|
|
mbedTLS uses this value separate for input and output buffers, so
|
|
twice this value will be allocated (on mbedTLS own heap, so the
|
|
value of MBEDTLS_HEAP_SIZE should accommodate that).
|
|
|
|
config MBEDTLS_DEBUG
|
|
bool "mbed TLS debug activation"
|
|
depends on MBEDTLS_BUILTIN
|
|
help
|
|
Enable debugging activation for mbed TLS configuration. If you use
|
|
mbedTLS/Zephyr integration (e.g. net_app), this will activate debug
|
|
logging (of the level configured by MBEDTLS_DEBUG_LEVEL).
|
|
If you use mbedTLS directly instead, you will need to perform
|
|
additional configuration yourself: call
|
|
mbedtls_ssl_conf_dbg(&mbedtls.conf, my_debug, NULL);
|
|
mbedtls_debug_set_threshold(level);
|
|
functions in your application, and create the my_debug() function to
|
|
actually print something useful.
|
|
|
|
config MBEDTLS_DEBUG_LEVEL
|
|
int "mbed TLS default debug level"
|
|
depends on MBEDTLS_DEBUG
|
|
default 0
|
|
range 0 4
|
|
help
|
|
Default mbed TLS debug logging level for Zephyr integration code
|
|
(from ext/lib/crypto/mbedtls/include/mbedtls/debug.h):
|
|
0 No debug
|
|
1 Error
|
|
2 State change
|
|
3 Information
|
|
4 Verbose
|
|
|
|
config MBEDTLS_MEMORY_DEBUG
|
|
bool "mbed TLS memory debug activation"
|
|
depends on MBEDTLS_BUILTIN
|
|
help
|
|
Enable debugging of buffer allocator memory issues. Automatically
|
|
prints (to stderr) all (fatal) messages on memory allocation
|
|
issues. Enables function for 'debug output' of allocated memory.
|
|
|
|
config MBEDTLS_TEST
|
|
bool "Compile internal self test functions"
|
|
depends on MBEDTLS_BUILTIN
|
|
help
|
|
Enable self test function for the crypto algorithms
|
|
|
|
config MBEDTLS_INSTALL_PATH
|
|
string "mbedTLS install path"
|
|
depends on MBEDTLS_LIBRARY
|
|
help
|
|
This option holds the path where the mbedTLS libraries and headers are
|
|
installed. Make sure this option is properly set when MBEDTLS_LIBRARY
|
|
is enabled otherwise the build will fail.
|
|
|
|
config MBEDTLS_ENABLE_HEAP
|
|
bool "Enable global heap for mbed TLS"
|
|
help
|
|
This option enables the mbedtls to use the heap. This setting must
|
|
be global so that various applications and libraries in Zephyr do not
|
|
try to do this themselves as there can be only one heap defined
|
|
in mbedtls. If this is enabled, then the Zephyr will, during the device
|
|
startup, initialize the heap automatically.
|
|
|
|
config MBEDTLS_HEAP_SIZE
|
|
int "Heap size for mbed TLS"
|
|
default 10240 if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
|
|
default 512
|
|
depends on MBEDTLS_ENABLE_HEAP
|
|
help
|
|
The mbedtls routines will use this heap if enabled.
|
|
See ext/lib/crypto/mbedtls/include/mbedtls/config.h and
|
|
MBEDTLS_MEMORY_BUFFER_ALLOC_C option for details. That option is not
|
|
enabled by default.
|
|
Default value for the heap size is not set as it depends on the
|
|
application. For streaming communication with arbitrary (HTTPS)
|
|
servers on the Internet, 32KB + overheads (up to another 20KB) may
|
|
be needed. For some dedicated and specific usage of mbedtls API, the
|
|
1000 bytes might be ok.
|
|
|
|
config APP_LINK_WITH_MBEDTLS
|
|
bool "Link 'app' with MBEDTLS"
|
|
default y
|
|
help
|
|
Add MBEDTLS header files to the 'app' include path. It may be
|
|
disabled if the include paths for MBEDTLS are causing aliasing
|
|
issues for 'app'.
|
|
|
|
endif # MBEDTLS
|