1# Cryptography primitive options for mbed TLS
2
3# Copyright (c) 2016 Intel Corporation
4# SPDX-License-Identifier: Apache-2.0
5
6config ZEPHYR_MBEDTLS_MODULE
7	bool
8config MBEDTLS_PROMPTLESS
9	bool
10	help
11	  Symbol to disable the prompt for MBEDTLS selection.
12	  This symbol may be used internally in a Kconfig tree to hide the
13	  mbed TLS menu prompt and instead handle the selection of MBEDTLS from
14	  dependent sub-configurations and thus prevent stuck symbol behavior.
15
16rsource "Kconfig.psa"
17
18menuconfig MBEDTLS
19	bool "mbed TLS Support" if !MBEDTLS_PROMPTLESS
20	help
21	  This option enables the mbedTLS cryptography library.
22
23if MBEDTLS
24
25choice MBEDTLS_IMPLEMENTATION
26	prompt "Select implementation"
27	default MBEDTLS_BUILTIN
28
29config MBEDTLS_BUILTIN
30	bool "Use Zephyr in-tree mbedTLS version"
31	help
32	  Link with mbedTLS sources included with Zephyr distribution.
33	  The included mbedTLS version is well integrated with and supported
34	  by Zephyr, and is the recommended choice for most users.
35
36config MBEDTLS_LIBRARY
37	bool "Use external mbedTLS library"
38	help
39	  Use an external, out-of-tree, prebuilt mbedTLS library. For advanced
40	  users only.
41
42endchoice
43
44config CUSTOM_MBEDTLS_CFG_FILE
45	bool "Custom mbed TLS configuration file"
46	help
47	  Allow user-defined input for the MBEDTLS_CFG_FILE setting.
48	  You can specify the actual configuration file using the
49	  MBEDTLS_CFG_FILE setting.
50
51config MBEDTLS_CFG_FILE
52	string "mbed TLS configuration file" if CUSTOM_MBEDTLS_CFG_FILE
53	depends on MBEDTLS_BUILTIN
54	default "config-tls-generic.h"
55	help
56	  Use a specific mbedTLS configuration file. The default config file
57	  can be tweaked with Kconfig. The default configuration is suitable
58	  for communicating with the majority of HTTPS servers on the Internet,
59	  but has relatively many features enabled. To optimize resources for
60	  a special TLS usage, use the available Kconfig options, or select an
61	  alternative config.
62
63rsource "Kconfig.tls-generic"
64
65config MBEDTLS_SSL_MAX_CONTENT_LEN
66	int "Max payload size for TLS protocol message"
67	default 1500
68	depends on MBEDTLS_BUILTIN
69	help
70	  The TLS standards mandate a max payload size of 16384 bytes, so for
71	  maximum interoperability and general-purpose usage that value must be
72	  used: a peer may send records up to that size, and a record that does
73	  not fit this buffer cannot be processed. For specific usages the value
74	  can be decreased considerably: for DTLS the payload is limited by the
75	  UDP datagram size, and for an HTTPS REST API it can be limited to the
76	  max size of (REST request, REST response, server certificate(s)).
77	  mbedTLS uses this value separately for input and output buffers, so
78	  twice this value is allocated on the mbedTLS heap; MBEDTLS_HEAP_SIZE must cover it.
79
80module = MBEDTLS
81module-str = Log level mbedTLS library debug hook
82source "subsys/logging/Kconfig.template.log_config"
83
84config MBEDTLS_DEBUG
85	bool "mbed TLS debug activation"
86	help
87	  Enable the debug hook for the mbed TLS configuration. If you use the
88	  mbedTLS/Zephyr integration (e.g. native TLS sockets), this will
89	  activate debug logging.
90
91	  If you use mbedTLS directly instead, you will need to perform
92	  additional configuration yourself: call the
93	  mbedtls_ssl_conf_dbg(&mbedtls.conf, zephyr_mbedtls_debug, NULL);
94	  function in your application. Alternatively, implement your own debug
95	  hook function if zephyr_mbedtls_debug() doesn't suit your needs.
96
97if MBEDTLS_DEBUG
98
99config MBEDTLS_DEBUG_LEVEL
100	int
101	default 4 if MBEDTLS_LOG_LEVEL_DBG
102	default 3 if MBEDTLS_LOG_LEVEL_INF
103	default 2 if MBEDTLS_LOG_LEVEL_WRN
104	default 1 if MBEDTLS_LOG_LEVEL_ERR
105	default 0
106	range 0 4
107	help
108	  Default mbed TLS debug logging level for Zephyr integration code
109	  (from ext/lib/crypto/mbedtls/include/mbedtls/debug.h):
110	  0 No debug
111	  1 Error
112	  2 State change
113	  3 Information
114	  4 Verbose (includes dumps of raw handshake and record buffers)
115
116	  This makes Zephyr call the mbedtls_debug_set_threshold() function
117	  during mbedTLS initialization with the configured debug log level.
118
119choice MBEDTLS_DEBUG_EXTRACT_BASENAME
120	prompt "Extract basename from filenames"
121	default MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_BUILDTIME if "$(ZEPHYR_TOOLCHAIN_VARIANT)" = "zephyr"
122	default MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME
123
124config MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_BUILDTIME
125	bool "Buildtime"
126	help
127	  Adds compiler options that convert the full source paths in the
128	  __FILE__ macro to basenames. This reduces the code footprint when
129	  debug messages are enabled.
130
131	  This is compiler dependent, so if it does not work, fall back to
132	  MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME instead.
133
134config MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME
135	bool "Runtime"
136	help
137	  The filename passed to the debug hook is stripped of its directory
138	  part, so that only the basename is logged.
139
140config MBEDTLS_DEBUG_EXTRACT_BASENAME_DISABLED
141	bool "Disabled"
142	help
143	  Disable basename extraction from filenames in log messages. This will
144	  result in full paths, or paths relative to the west root directory,
145	  appearing in log messages generated by the mbedTLS library.
146
147endchoice
148
149config MBEDTLS_DEBUG_STRIP_NEWLINE
150	bool "Strip newlines"
151	default y
152	help
153	  Attempt to strip the last character from the logged string when it is
154	  a newline.
155
156endif # MBEDTLS_DEBUG
157
158config MBEDTLS_MEMORY_DEBUG
159	bool "mbed TLS memory debug activation"
160	depends on MBEDTLS_BUILTIN
161	help
162	  Enable debugging of buffer allocator memory issues. Automatically
163	  prints (to stderr) all (fatal) messages on memory allocation issues,
164	  and enables a function for 'debug output' of the allocated memory.
165
166config MBEDTLS_TEST
167	bool "Compile internal self test functions"
168	depends on MBEDTLS_BUILTIN
169	help
170	  Enable the self test functions for the crypto algorithms.
171
172config MBEDTLS_INSTALL_PATH
173	string "mbedTLS install path"
174	depends on MBEDTLS_LIBRARY
175	help
176	  This option holds the path where the mbedTLS libraries and headers are
177	  installed. Make sure this option is properly set when MBEDTLS_LIBRARY
178	  is enabled, otherwise the build will fail.
179
180config MBEDTLS_ENABLE_HEAP
181	bool "Global heap for mbed TLS"
182	help
183	  This option enables mbedtls to use the heap. This setting must be
184	  global so that the various applications and libraries in Zephyr do not
185	  try to do this themselves, as there can be only one heap defined in
186	  mbedtls. If this is enabled and MBEDTLS_INIT is also enabled, Zephyr
187	  will initialize the heap automatically during device startup.
188
189config MBEDTLS_HEAP_SIZE
190	int "Heap size for mbed TLS"
191	default 10240 if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
192	default 512
193	depends on MBEDTLS_ENABLE_HEAP
194	help
195	  The mbedtls routines will use this heap if enabled.
196	  See ext/lib/crypto/mbedtls/include/mbedtls/config.h and the
197	  MBEDTLS_MEMORY_BUFFER_ALLOC_C option for details. That option is not
198	  enabled by default.
199	  The default heap size is only a small placeholder, as the required
200	  size depends on the application. For streaming communication with
201	  arbitrary (HTTPS) servers on the Internet, 32KB + overheads (up to
202	  another 20KB) may be needed. For some dedicated and specific usage of
203	  the mbedtls API, around 1000 bytes might be enough.
204
205config MBEDTLS_INIT
206	bool "Initialize mbed TLS at boot"
207	default y
208	help
209	  By default, mbed TLS is initialized at Zephyr init. Disabling this option
210	  defers the initialization until it is explicitly called.
211
212config MBEDTLS_SHELL
213	bool "mbed TLS shell"
214	depends on MBEDTLS
215	depends on SHELL
216	help
217	  Enable the mbed TLS shell module, which can show debug information
218	  about the mbed TLS library, such as heap usage.
219
220config MBEDTLS_ZEPHYR_ENTROPY
221	bool "mbed TLS entropy source based on Zephyr entropy driver"
222	depends on MBEDTLS
223	help
224	  This option enables the entropy source based on the Zephyr entropy
225	  driver for mbed TLS. The entropy source is registered automatically
226	  during system initialization.
227
228config MBEDTLS_ZEROIZE_ALT
229	bool "mbed TLS alternate mbedtls_platform_zeroize implementation"
230	help
231	  The mbed TLS configuration supplies an alternate implementation of
232	  mbedtls_platform_zeroize; that implementation must not be optimized away.
233
234config APP_LINK_WITH_MBEDTLS
235	bool "Link 'app' with MBEDTLS"
236	default y
237	help
238	  Add MBEDTLS header files to the 'app' include path. It may be
239	  disabled if the include paths for MBEDTLS are causing aliasing
240	  issues for 'app'.
241
242endif # MBEDTLS
243