1# Cryptography primitive options for mbed TLS
2
3# Copyright (c) 2016 Intel Corporation
4# SPDX-License-Identifier: Apache-2.0
5
6config ZEPHYR_MBEDTLS_MODULE
7	bool
8config MBEDTLS_PROMPTLESS
9	bool
10	help
11	  Symbol to disable the prompt for MBEDTLS selection.
12	  This symbol may be used internally in a Kconfig tree to hide the
13	  mbed TLS menu prompt and instead handle the selection of MBEDTLS from
14	  dependent sub-configurations and thus prevent stuck symbol behavior.
15
16
17menuconfig MBEDTLS
18	bool "mbed TLS Support" if !MBEDTLS_PROMPTLESS
19	help
20	  This option enables the mbedTLS cryptography library.
21
22if MBEDTLS
23
24choice MBEDTLS_IMPLEMENTATION
25	prompt "Select implementation"
26	default MBEDTLS_BUILTIN
27
28config MBEDTLS_BUILTIN
29	bool "Use Zephyr in-tree mbedTLS version"
30	help
31	  Link with the mbedTLS sources included with the Zephyr distribution.
32	  The included mbedTLS version is well integrated with and supported
33	  by Zephyr, and is the recommended choice for most users.
34
35config MBEDTLS_LIBRARY
36	bool "Use external mbedTLS library"
37	help
38	  Use external, out-of-tree prebuilt mbedTLS library. For advanced
39	  users only.
40
41endchoice
42
43config CUSTOM_MBEDTLS_CFG_FILE
44	bool "Custom mbed TLS configuration file"
45	help
46	  Allow user defined input for the MBEDTLS_CFG_FILE setting.
47	  You can specify the actual configuration file using the
48	  MBEDTLS_CFG_FILE setting.
49
50config MBEDTLS_CFG_FILE
51	string "mbed TLS configuration file" if CUSTOM_MBEDTLS_CFG_FILE
52	depends on MBEDTLS_BUILTIN
53	default "config-tls-generic.h"
54	help
55	  Use a specific mbedTLS configuration file. The default config file
56	  can be tweaked with Kconfig. The default configuration is suitable
57	  for communicating with the majority of HTTPS servers on the Internet,
58	  but has relatively many features enabled. To optimize resources for
59	  a specific TLS use case, use the available Kconfig options, or select
60	  an alternative config.
61
62rsource "Kconfig.tls-generic"
63
64config MBEDTLS_SSL_MAX_CONTENT_LEN
65	int "Max payload size for TLS protocol message"
66	default 1500
67	depends on MBEDTLS_BUILTIN
68	help
69	  The TLS standards mandate a max payload size of 16384 bytes, so for
70	  maximum interoperability and for general-purpose usage, that value
71	  must be used. For specific usages, that value can be greatly decreased.
72	  E.g. for DTLS, the payload size is limited by the UDP datagram size,
73	  and even for an HTTPS REST API, the payload can be limited to the max
74	  size of (REST request, REST response, server certificate(s)).
75	  mbedTLS uses this value separately for the input and output buffers,
76	  so twice this value will be allocated (on mbedTLS' own heap, so the
77	  value of MBEDTLS_HEAP_SIZE should accommodate that).
78
79module = MBEDTLS
80module-str = Log level mbedTLS library debug hook
81source "subsys/logging/Kconfig.template.log_config"
82
83config MBEDTLS_DEBUG
84	bool "mbed TLS debug activation"
85	help
86	  Enable debug logging in the mbed TLS configuration. If you use the
87	  mbedTLS/Zephyr integration (e.g. native TLS sockets), this will
88	  activate debug logging.
89
90	  If you use mbedTLS directly instead, you will need to perform
91	  additional configuration yourself: call the
92	  mbedtls_ssl_conf_dbg(&mbedtls.conf, zephyr_mbedtls_debug, NULL);
93	  function in your application. Alternatively, implement your own debug
94	  hook function if zephyr_mbedtls_debug() doesn't suit your needs.
95
96if MBEDTLS_DEBUG
97
98config MBEDTLS_DEBUG_LEVEL
99	int
100	default 4 if MBEDTLS_LOG_LEVEL_DBG
101	default 3 if MBEDTLS_LOG_LEVEL_INF
102	default 2 if MBEDTLS_LOG_LEVEL_WRN
103	default 1 if MBEDTLS_LOG_LEVEL_ERR
104	default 0
105	range 0 4
106	help
107	  Default mbed TLS debug logging level for Zephyr integration code
108	  (from ext/lib/crypto/mbedtls/include/mbedtls/debug.h):
109	  0 No debug
110	  1 Error
111	  2 State change
112	  3 Information
113	  4 Verbose
114
115	  This makes Zephyr call the mbedtls_debug_set_threshold() function
116	  during mbedTLS initialization, with the configured debug log level.
117
118choice MBEDTLS_DEBUG_EXTRACT_BASENAME
119	prompt "Extract basename from filenames"
120	default MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_BUILDTIME if "$(ZEPHYR_TOOLCHAIN_VARIANT)" = "zephyr"
121	default MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME
122
123config MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_BUILDTIME
124	bool "Buildtime"
125	help
126	  Adds compile options that convert the full source paths in the
127	  __FILE__ macro to the files' basenames. This will reduce the code
128	  footprint when debug messages are enabled.
129
130	  This is compiler dependent, so if it does not work then please
131	  fall back to MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME instead.
132
133config MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME
134	bool "Runtime"
135	help
136	  The filename passed as an argument to the debug hook will be stripped
137	  of its directory, so that only the basename part is left and logged.
138
139config MBEDTLS_DEBUG_EXTRACT_BASENAME_DISABLED
140	bool "Disabled"
141	help
142	  Disable basename extraction from filenames in log messages. This will
143	  result in full paths, or paths relative to the west root directory,
144	  appearing in log messages generated by the mbedTLS library.
145
146endchoice
147
148config MBEDTLS_DEBUG_STRIP_NEWLINE
149	bool "Strip newlines"
150	default y
151	help
152	  Attempt to strip the last character from a logged string when it is
153	  a newline.
154
155endif # MBEDTLS_DEBUG
156
157config MBEDTLS_MEMORY_DEBUG
158	bool "mbed TLS memory debug activation"
159	depends on MBEDTLS_BUILTIN
160	help
161	  Enable debugging of buffer allocator memory issues. This automatically
162	  prints (to stderr) all (fatal) messages about memory allocation
163	  issues, and enables a function for 'debug output' of allocated memory.
164
165config MBEDTLS_TEST
166	bool "Compile internal self test functions"
167	depends on MBEDTLS_BUILTIN
168	help
169	  Enable the self-test functions for the crypto algorithms.
170
171config MBEDTLS_INSTALL_PATH
172	string "mbedTLS install path"
173	depends on MBEDTLS_LIBRARY
174	help
175	  This option holds the path where the mbedTLS libraries and headers are
176	  installed. Make sure this option is properly set when MBEDTLS_LIBRARY
177	  is enabled; otherwise the build will fail.
178
179config MBEDTLS_ENABLE_HEAP
180	bool "Global heap for mbed TLS"
181	help
182	  This option enables mbedtls to use the heap. This setting must be
183	  global so that the various applications and libraries in Zephyr do
184	  not try to do this themselves, as there can be only one heap defined
185	  in mbedtls. If this is enabled, and MBEDTLS_INIT is enabled, then
186	  Zephyr will initialize the heap automatically during device startup.
187
188config MBEDTLS_HEAP_SIZE
189	int "Heap size for mbed TLS"
190	default 10240 if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
191	default 512
192	depends on MBEDTLS_ENABLE_HEAP
193	help
194	  The mbedtls routines will use this heap if it is enabled.
195	  See ext/lib/crypto/mbedtls/include/mbedtls/config.h and the
196	  MBEDTLS_MEMORY_BUFFER_ALLOC_C option for details. That option is not
197	  enabled by default.
198	  There is no universally suitable heap size, as it depends on the
199	  application. For streaming communication with arbitrary (HTTPS)
200	  servers on the Internet, 32KB + overheads (up to another 20KB) may
201	  be needed. For some dedicated and specific usage of the mbedtls API,
202	  1000 bytes might be enough.
203
204config MBEDTLS_INIT
205	bool "Initialize mbed TLS at boot"
206	default y
207	help
208	  By default mbed TLS is initialized at Zephyr init. Disabling this option
209	  defers the initialization until it is explicitly called.
210
211config MBEDTLS_SHELL
212	bool "mbed TLS shell"
213	depends on MBEDTLS
214	depends on SHELL
215	help
216	  Enable the mbed TLS shell module, which allows showing debug
217	  information about the mbed TLS library, such as heap usage.
218
219config MBEDTLS_ZEPHYR_ENTROPY
220	bool "mbed TLS entropy source based on Zephyr entropy driver"
221	depends on MBEDTLS
222	help
223	  This option enables the entropy source based on Zephyr entropy driver
224	  for mbed TLS. The entropy source is registered automatically during
225	  system initialization.
226
227config MBEDTLS_ZEROIZE_ALT
228	bool "mbed TLS alternate mbedtls_platform_zeroize implementation"
229	help
230	  mbed TLS configuration supplies an alternate implementation of
231	  mbedtls_platform_zeroize.
232
233config APP_LINK_WITH_MBEDTLS
234	bool "Link 'app' with MBEDTLS"
235	default y
236	help
237	  Add the MBEDTLS header files to the 'app' include path. This may be
238	  disabled if the MBEDTLS include paths are causing aliasing issues
239	  for 'app'.
240
241endif # MBEDTLS
242