1# Cryptography primitive options for mbed TLS
2
3# Copyright (c) 2016 Intel Corporation
4# SPDX-License-Identifier: Apache-2.0
5
6config ZEPHYR_MBEDTLS_MODULE
7	bool
8config MBEDTLS_PROMPTLESS
9	bool
10	help
11	  Symbol to disable the prompt for MBEDTLS selection.
12	  This symbol may be used internally in a Kconfig tree to hide the
13	  mbed TLS menu prompt and instead handle the selection of MBEDTLS from
14	  dependent sub-configurations and thus prevent stuck symbol behavior.
15
16rsource "Kconfig.psa.auto"
17rsource "Kconfig.psa.logic"
18
19menuconfig MBEDTLS
20	bool "mbed TLS Support" if !MBEDTLS_PROMPTLESS
21	help
22	  This option enables the mbedTLS cryptography library.
23
24if MBEDTLS
25
26choice MBEDTLS_IMPLEMENTATION
27	prompt "Select implementation"
28	default MBEDTLS_BUILTIN
29
30config MBEDTLS_BUILTIN
31	bool "Use Zephyr in-tree mbedTLS version"
32	help
33	  Link with mbedTLS sources included with Zephyr distribution.
34	  Included mbedTLS version is well integrated with and supported
35	  by Zephyr, and the recommended choice for most users.
36
37config MBEDTLS_LIBRARY
38	bool "Use external mbedTLS library"
39	help
40	  Use external, out-of-tree prebuilt mbedTLS library. For advanced
41	  users only.
42
43endchoice
44
45config CUSTOM_MBEDTLS_CFG_FILE
46	bool "Custom mbed TLS configuration file"
47	help
48	  Allow user defined input for the MBEDTLS_CFG_FILE setting.
49	  You can specify the actual configuration file using the
50	  MBEDTLS_CFG_FILE setting.
51
52config MBEDTLS_CFG_FILE
53	string "mbed TLS configuration file" if CUSTOM_MBEDTLS_CFG_FILE
54	depends on MBEDTLS_BUILTIN
55	default "config-tls-generic.h"
56	help
57	  Use a specific mbedTLS configuration file. The default config file
58	  can be tweaked with Kconfig. The default configuration is suitable
59	  for communicating with the majority of HTTPS servers on the Internet,
60	  but has relatively many features enabled. To optimize resources for
61	  a specific TLS use case, use the available Kconfig options or select
62	  an alternative config.
63
64rsource "Kconfig.tls-generic"
65
66config MBEDTLS_SSL_MAX_CONTENT_LEN
67	int "Max payload size for TLS protocol message"
68	default 1500
69	depends on MBEDTLS_BUILTIN
70	help
71	  The TLS standards mandate a maximum payload size of 16384 bytes, so
72	  for maximum interoperability and for general-purpose usage that value
73	  must be used. For specific use cases the value can be reduced
74	  considerably: for DTLS the payload size is limited by the UDP datagram
75	  size, and even for an HTTPS REST API the payload can be limited to the
76	  largest of (REST request, REST response, server certificate(s)).
77	  mbedTLS uses this value separately for the input and output buffers, so
78	  twice this value will be allocated (on the mbedTLS own heap, so the
79	  value of MBEDTLS_HEAP_SIZE should accommodate that).
80
81module = MBEDTLS
82module-str = Log level mbedTLS library debug hook
83source "subsys/logging/Kconfig.template.log_config"
84
85config MBEDTLS_DEBUG
86	bool "mbed TLS debug activation"
87	help
88	  Enable debug output for mbed TLS. If you use the mbedTLS/Zephyr
89	  integration (e.g. native TLS sockets), this activates debug logging
90	  automatically.
91
92	  If you use mbedTLS directly instead, you need to perform additional
93	  configuration yourself: call
94	  mbedtls_ssl_conf_dbg(&mbedtls.conf, zephyr_mbedtls_debug, NULL);
95	  in your application. Alternatively, implement your own debug hook
96	  function if zephyr_mbedtls_debug() does not suit your needs.
97
98if MBEDTLS_DEBUG
99
100config MBEDTLS_DEBUG_LEVEL
101	int
102	default 4 if MBEDTLS_LOG_LEVEL_DBG
103	default 3 if MBEDTLS_LOG_LEVEL_INF
104	default 2 if MBEDTLS_LOG_LEVEL_WRN
105	default 1 if MBEDTLS_LOG_LEVEL_ERR
106	default 0
107	range 0 4
108	help
109	  Default mbed TLS debug logging level for Zephyr integration code
110	  (from ext/lib/crypto/mbedtls/include/mbedtls/debug.h):
111	  0 No debug
112	  1 Error
113	  2 State change
114	  3 Information
115	  4 Verbose
116
117	  This makes Zephyr call mbedtls_debug_set_threshold() function during
118	  mbedTLS initialization, with the configured debug log level.
119
120choice MBEDTLS_DEBUG_EXTRACT_BASENAME
121	prompt "Extract basename from filenames"
122	default MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_BUILDTIME if "$(ZEPHYR_TOOLCHAIN_VARIANT)" = "zephyr"
123	default MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME
124
125config MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_BUILDTIME
126	bool "Buildtime"
127	help
128	  Adds compiler options that should convert the full source paths in
129	  the __FILE__ macro to file basenames. This reduces the code footprint
130	  when debug messages are enabled.
131
132	  This is compiler dependent, so if it does not work, fall back to
133	  MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME instead.
134
135config MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME
136	bool "Runtime"
137	help
138	  The filename passed to the debug hook is stripped of its directory
139	  part, so that only the basename is logged.
140
141config MBEDTLS_DEBUG_EXTRACT_BASENAME_DISABLED
142	bool "Disabled"
143	help
144	  Disable basename extraction from filenames in log messages. This will
145	  result in full paths, or paths relative to the west root directory,
146	  appearing in log messages generated by the mbedTLS library.
147
148endchoice
149
150config MBEDTLS_DEBUG_STRIP_NEWLINE
151	bool "Strip newlines"
152	default y
153	help
154	  Attempt to strip the last character from the logged string when it
155	  is a newline.
156
157endif # MBEDTLS_DEBUG
158
159config MBEDTLS_MEMORY_DEBUG
160	bool "mbed TLS memory debug activation"
161	depends on MBEDTLS_BUILTIN
162	help
163	  Enable debugging of buffer-allocator memory issues. All (fatal)
164	  messages about memory allocation issues are printed to stderr
165	  automatically, and a function for 'debug output' of allocated memory is enabled.
166
167config MBEDTLS_TEST
168	bool "Compile internal self test functions"
169	depends on MBEDTLS_BUILTIN
170	help
171	  Enable the self-test functions for the crypto algorithms.
172
173config MBEDTLS_INSTALL_PATH
174	string "mbedTLS install path"
175	depends on MBEDTLS_LIBRARY
176	help
177	  This option holds the path where the mbedTLS libraries and headers are
178	  installed. Make sure this option is properly set when MBEDTLS_LIBRARY
179	  is enabled otherwise the build will fail.
180
181config MBEDTLS_ENABLE_HEAP
182	bool "Global heap for mbed TLS"
183	help
184	  This option enables mbedtls to use a heap. This setting must be
185	  global so that the various applications and libraries in Zephyr do not
186	  try to do this themselves, as there can be only one heap defined
187	  in mbedtls. If this is enabled, and MBEDTLS_INIT is enabled, then
188	  Zephyr will initialize the heap automatically during device startup.
189
190if MBEDTLS_ENABLE_HEAP
191
192config MBEDTLS_HEAP_SIZE
193	int "Heap size for mbed TLS"
194	default 10240 if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
195	default 512
196	help
197	  The mbedtls routines will use this heap if enabled.
198	  See ext/lib/crypto/mbedtls/include/mbedtls/config.h and the
199	  MBEDTLS_MEMORY_BUFFER_ALLOC_C option for details. That option is not
200	  enabled by default.
201	  There is no one-size-fits-all heap size, as the required size depends
202	  on the application. For streaming communication with arbitrary (HTTPS)
203	  servers on the Internet, 32KB + overheads (up to another 20KB) may
204	  be needed. For some dedicated and specific usage of the mbedtls API,
205	  around 1000 bytes might be enough.
206
207config MBEDTLS_HEAP_CUSTOM_SECTION
208	bool "Use a custom section for the Mbed TLS heap"
209	help
210	  Place Mbed TLS heap in custom section, with tag ".mbedtls_heap".
211	  This can be used by custom linker scripts to relocate the Mbed TLS
212	  heap to a custom location, such as another SRAM region or external memory.
213
214endif # MBEDTLS_ENABLE_HEAP
215
216config MBEDTLS_INIT
217	bool "Initialize mbed TLS at boot"
218	default y
219	help
220	  By default mbed TLS will be initialized at Zephyr init. Disabling this option
221	  will defer the initialization until explicitly called.
222
223config MBEDTLS_SHELL
224	bool "mbed TLS shell"
225	depends on MBEDTLS
226	depends on SHELL
227	help
228	  Enable the mbed TLS shell module, which allows showing debug information
229	  about the mbed TLS library, such as heap usage.
230
231config MBEDTLS_ZEROIZE_ALT
232	bool "mbed TLS alternate mbedtls_platform_zeroize implementation"
233	help
234	  mbed TLS configuration supplies an alternate implementation of
235	  mbedtls_platform_zeroize.
236
237config APP_LINK_WITH_MBEDTLS
238	bool "Link 'app' with MBEDTLS"
239	default y
240	help
241	  Add MBEDTLS header files to the 'app' include path. It may be
242	  disabled if the include paths for MBEDTLS are causing aliasing
243	  issues for 'app'.
244
245endif # MBEDTLS
246