1 /** 2 * \file config.h 3 * 4 * \brief Configuration options (set of defines) 5 * 6 * This set of compile-time options may be used to enable 7 * or disable features selectively, and reduce the global 8 * memory footprint. 9 */ 10 /* 11 * Copyright (C) 2006-2023, ARM Limited, All Rights Reserved 12 * SPDX-License-Identifier: Apache-2.0 13 * 14 * Licensed under the Apache License, Version 2.0 (the "License"); you may 15 * not use this file except in compliance with the License. 16 * You may obtain a copy of the License at 17 * 18 * http://www.apache.org/licenses/LICENSE-2.0 19 * 20 * Unless required by applicable law or agreed to in writing, software 21 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 22 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 23 * See the License for the specific language governing permissions and 24 * limitations under the License. 25 * 26 * This file is part of mbed TLS (https://tls.mbed.org) 27 */ 28 29 #ifndef PROFILE_M_MBEDTLS_CONFIG_H 30 #define PROFILE_M_MBEDTLS_CONFIG_H 31 32 #include "config_tfm.h" 33 34 #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) 35 #define _CRT_SECURE_NO_DEPRECATE 1 36 #endif 37 38 /** 39 * \name SECTION: System support 40 * 41 * This section sets system specific settings. 42 * \{ 43 */ 44 45 /** 46 * \def MBEDTLS_HAVE_ASM 47 * 48 * The compiler has support for asm(). 49 * 50 * Requires support for asm() in compiler. 51 * 52 * Used in: 53 * library/aria.c 54 * library/timing.c 55 * include/mbedtls/bn_mul.h 56 * 57 * Required by: 58 * MBEDTLS_AESNI_C 59 * MBEDTLS_PADLOCK_C 60 * 61 * Comment to disable the use of assembly code. 62 */ 63 #define MBEDTLS_HAVE_ASM 64 65 /** 66 * \def MBEDTLS_PLATFORM_MEMORY 67 * 68 * Enable the memory allocation layer. 69 * 70 * By default mbed TLS uses the system-provided calloc() and free(). 71 * This allows different allocators (self-implemented or provided) to be 72 * provided to the platform abstraction layer. 73 * 74 * Enabling MBEDTLS_PLATFORM_MEMORY without the 75 * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide 76 * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and 77 * free() function pointer at runtime. 78 * 79 * Enabling MBEDTLS_PLATFORM_MEMORY and specifying 80 * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the 81 * alternate function at compile time. 82 * 83 * Requires: MBEDTLS_PLATFORM_C 84 * 85 * Enable this layer to allow use of alternative memory allocators. 86 */ 87 #define MBEDTLS_PLATFORM_MEMORY 88 89 /* \} name SECTION: System support */ 90 91 /** 92 * \name SECTION: mbed TLS feature support 93 * 94 * This section sets support for features that are or are not needed 95 * within the modules that are enabled. 96 * \{ 97 */ 98 99 /** 100 * \def MBEDTLS_AES_ROM_TABLES 101 * 102 * Use precomputed AES tables stored in ROM. 103 * 104 * Uncomment this macro to use precomputed AES tables stored in ROM. 105 * Comment this macro to generate AES tables in RAM at runtime. 106 * 107 * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb 108 * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the 109 * initialization time before the first AES operation can be performed. 110 * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c 111 * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded 112 * performance if ROM access is slower than RAM access. 113 * 114 * This option is independent of \c MBEDTLS_AES_FEWER_TABLES. 115 * 116 */ 117 #define MBEDTLS_AES_ROM_TABLES 118 119 /** 120 * \def MBEDTLS_AES_FEWER_TABLES 121 * 122 * Use less ROM/RAM for AES tables. 123 * 124 * Uncommenting this macro omits 75% of the AES tables from 125 * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES) 126 * by computing their values on the fly during operations 127 * (the tables are entry-wise rotations of one another). 128 * 129 * Tradeoff: Uncommenting this reduces the RAM / ROM footprint 130 * by ~6kb but at the cost of more arithmetic operations during 131 * runtime. Specifically, one has to compare 4 accesses within 132 * different tables to 4 accesses with additional arithmetic 133 * operations within the same table. The performance gain/loss 134 * depends on the system and memory details. 135 * 136 * This option is independent of \c MBEDTLS_AES_ROM_TABLES. 137 * 138 */ 139 #define MBEDTLS_AES_FEWER_TABLES 140 141 /** 142 * \def MBEDTLS_ECP_NIST_OPTIM 143 * 144 * Enable specific 'modulo p' routines for each NIST prime. 145 * Depending on the prime and architecture, makes operations 4 to 8 times 146 * faster on the corresponding curve. 147 * 148 * Comment this macro to disable NIST curves optimisation. 149 */ 150 #define MBEDTLS_ECP_NIST_OPTIM 151 152 /** 153 * \def MBEDTLS_NO_PLATFORM_ENTROPY 154 * 155 * Do not use built-in platform entropy functions. 156 * This is useful if your platform does not support 157 * standards like the /dev/urandom or Windows CryptoAPI. 158 * 159 * Uncomment this macro to disable the built-in platform entropy functions. 160 */ 161 #define MBEDTLS_NO_PLATFORM_ENTROPY 162 163 /** 164 * \def MBEDTLS_ENTROPY_NV_SEED 165 * 166 * Enable the non-volatile (NV) seed file-based entropy source. 167 * (Also enables the NV seed read/write functions in the platform layer) 168 * 169 * This is crucial (if not required) on systems that do not have a 170 * cryptographic entropy source (in hardware or kernel) available. 171 * 172 * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C 173 * 174 * \note The read/write functions that are used by the entropy source are 175 * determined in the platform layer, and can be modified at runtime and/or 176 * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used. 177 * 178 * \note If you use the default implementation functions that read a seedfile 179 * with regular fopen(), please make sure you make a seedfile with the 180 * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at 181 * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from 182 * and written to or you will get an entropy source error! The default 183 * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE 184 * bytes from the file. 185 * 186 * \note The entropy collector will write to the seed file before entropy is 187 * given to an external source, to update it. 188 */ 189 #define MBEDTLS_ENTROPY_NV_SEED 190 191 /** 192 * \def MBEDTLS_PSA_CRYPTO_SPM 193 * 194 * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure 195 * Partition Manager) integration which separates the code into two parts: a 196 * NSPE (Non-Secure Process Environment) and an SPE (Secure Process 197 * Environment). 198 * 199 * Module: library/psa_crypto.c 200 * Requires: MBEDTLS_PSA_CRYPTO_C 201 * 202 */ 203 #define MBEDTLS_PSA_CRYPTO_SPM 204 205 /** 206 * \def MBEDTLS_SHA256_SMALLER 207 * 208 * Enable an implementation of SHA-256 that has lower ROM footprint but also 209 * lower performance. 210 * 211 * The default implementation is meant to be a reasonnable compromise between 212 * performance and size. This version optimizes more aggressively for size at 213 * the expense of performance. Eg on Cortex-M4 it reduces the size of 214 * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about 215 * 30%. 216 * 217 * Uncomment to enable the smaller implementation of SHA256. 218 */ 219 #define MBEDTLS_SHA256_SMALLER 220 221 /** 222 * \def MBEDTLS_PSA_CRYPTO_CONFIG 223 * 224 * This setting allows support for cryptographic mechanisms through the PSA 225 * API to be configured separately from support through the mbedtls API. 226 * 227 * When this option is disabled, the PSA API exposes the cryptographic 228 * mechanisms that can be implemented on top of the `mbedtls_xxx` API 229 * configured with `MBEDTLS_XXX` symbols. 230 * 231 * When this option is enabled, the PSA API exposes the cryptographic 232 * mechanisms requested by the `PSA_WANT_XXX` symbols defined in 233 * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are 234 * automatically enabled if required (i.e. if no PSA driver provides the 235 * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols 236 * in mbedtls_config.h. 237 * 238 * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies 239 * an alternative header to include instead of include/psa/crypto_config.h. 240 * 241 * This feature is still experimental and is not ready for production since 242 * it is not completed. 243 */ 244 #define MBEDTLS_PSA_CRYPTO_CONFIG 245 246 /* \} name SECTION: mbed TLS feature support */ 247 248 /** 249 * \name SECTION: mbed TLS modules 250 * 251 * This section enables or disables entire modules in mbed TLS 252 * \{ 253 */ 254 255 /** 256 * \def MBEDTLS_AES_C 257 * 258 * Enable the AES block cipher. 259 * 260 * Module: library/aes.c 261 * Caller: library/cipher.c 262 * library/pem.c 263 * library/ctr_drbg.c 264 * 265 * This module is required to support the TLS ciphersuites that use the AES 266 * cipher. 267 * 268 * PEM_PARSE uses AES for decrypting encrypted keys. 269 */ 270 #define MBEDTLS_AES_C 271 272 /** 273 * \def MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH 274 * 275 * Use only 128-bit keys in AES operations to save ROM. 276 * 277 * Uncomment this macro to remove support for AES operations that use 192- 278 * or 256-bit keys. 279 * 280 * Uncommenting this macro reduces the size of AES code by ~300 bytes 281 * on v8-M/Thumb2. 282 * 283 * Module: library/aes.c 284 * 285 * Requires: MBEDTLS_AES_C 286 */ 287 #define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH 288 289 /** 290 * \def MBEDTLS_CIPHER_C 291 * 292 * Enable the generic cipher layer. 293 * 294 * Module: library/cipher.c 295 * 296 * Uncomment to enable generic cipher wrappers. 297 */ 298 #define MBEDTLS_CIPHER_C 299 300 /** 301 * \def MBEDTLS_CTR_DRBG_C 302 * 303 * Enable the CTR_DRBG AES-based random generator. 304 * The CTR_DRBG generator uses AES-256 by default. 305 * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below. 306 * 307 * Module: library/ctr_drbg.c 308 * Caller: 309 * 310 * Requires: MBEDTLS_AES_C 311 * 312 * This module provides the CTR_DRBG AES random number generator. 313 */ 314 #define MBEDTLS_CTR_DRBG_C 315 316 /** 317 * \def MBEDTLS_ENTROPY_C 318 * 319 * Enable the platform-specific entropy code. 320 * 321 * Module: library/entropy.c 322 * Caller: 323 * 324 * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C 325 * 326 * This module provides a generic entropy pool 327 */ 328 #define MBEDTLS_ENTROPY_C 329 330 /** 331 * \def MBEDTLS_HKDF_C 332 * 333 * Enable the HKDF algorithm (RFC 5869). 334 * 335 * Module: library/hkdf.c 336 * Caller: 337 * 338 * Requires: MBEDTLS_MD_C 339 * 340 * This module adds support for the Hashed Message Authentication Code 341 * (HMAC)-based key derivation function (HKDF). 342 */ 343 //#define MBEDTLS_HKDF_C /* Used for HUK deriviation */ 344 345 /** 346 * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C 347 * 348 * Enable the buffer allocator implementation that makes use of a (stack) 349 * based buffer to 'allocate' dynamic memory. (replaces calloc() and free() 350 * calls) 351 * 352 * Module: library/memory_buffer_alloc.c 353 * 354 * Requires: MBEDTLS_PLATFORM_C 355 * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS) 356 * 357 * Enable this module to enable the buffer memory allocator. 358 */ 359 #define MBEDTLS_MEMORY_BUFFER_ALLOC_C 360 361 /** 362 * \def MBEDTLS_PLATFORM_C 363 * 364 * Enable the platform abstraction layer that allows you to re-assign 365 * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). 366 * 367 * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT 368 * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned 369 * above to be specified at runtime or compile time respectively. 370 * 371 * \note This abstraction layer must be enabled on Windows (including MSYS2) 372 * as other module rely on it for a fixed snprintf implementation. 373 * 374 * Module: library/platform.c 375 * Caller: Most other .c files 376 * 377 * This module enables abstraction of common (libc) functions. 378 */ 379 #define MBEDTLS_PLATFORM_C 380 381 #define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS 382 #define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h> 383 384 #include <stdio.h> 385 386 #define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf 387 #define MBEDTLS_PLATFORM_PRINTF_ALT 388 #define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS 389 #define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE 390 391 /** 392 * \def MBEDTLS_PSA_CRYPTO_C 393 * 394 * Enable the Platform Security Architecture cryptography API. 395 * 396 * Module: library/psa_crypto.c 397 * 398 * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C 399 * 400 */ 401 #define MBEDTLS_PSA_CRYPTO_C 402 403 /** 404 * \def MBEDTLS_PSA_CRYPTO_STORAGE_C 405 * 406 * Enable the Platform Security Architecture persistent key storage. 407 * 408 * Module: library/psa_crypto_storage.c 409 * 410 * Requires: MBEDTLS_PSA_CRYPTO_C, 411 * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of 412 * the PSA ITS interface 413 */ 414 #define MBEDTLS_PSA_CRYPTO_STORAGE_C 415 416 /* \} name SECTION: mbed TLS modules */ 417 418 /** 419 * \name SECTION: General configuration options 420 * 421 * This section contains Mbed TLS build settings that are not associated 422 * with a particular module. 423 * 424 * \{ 425 */ 426 427 /** 428 * \def MBEDTLS_CONFIG_FILE 429 * 430 * If defined, this is a header which will be included instead of 431 * `"mbedtls/mbedtls_config.h"`. 432 * This header file specifies the compile-time configuration of Mbed TLS. 433 * Unlike other configuration options, this one must be defined on the 434 * compiler command line: a definition in `mbedtls_config.h` would have 435 * no effect. 436 * 437 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 438 * non-standard feature of the C language, so this feature is only available 439 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 440 * 441 * The value of this symbol is typically a path in double quotes, either 442 * absolute or relative to a directory on the include search path. 443 */ 444 //#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" 445 446 /** 447 * \def MBEDTLS_USER_CONFIG_FILE 448 * 449 * If defined, this is a header which will be included after 450 * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE. 451 * This allows you to modify the default configuration, including the ability 452 * to undefine options that are enabled by default. 453 * 454 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 455 * non-standard feature of the C language, so this feature is only available 456 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 457 * 458 * The value of this symbol is typically a path in double quotes, either 459 * absolute or relative to a directory on the include search path. 460 */ 461 //#define MBEDTLS_USER_CONFIG_FILE "/dev/null" 462 463 /** 464 * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE 465 * 466 * If defined, this is a header which will be included instead of 467 * `"psa/crypto_config.h"`. 468 * This header file specifies which cryptographic mechanisms are available 469 * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and 470 * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled. 471 * 472 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 473 * non-standard feature of the C language, so this feature is only available 474 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 475 * 476 * The value of this symbol is typically a path in double quotes, either 477 * absolute or relative to a directory on the include search path. 478 */ 479 //#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h" 480 481 /** 482 * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE 483 * 484 * If defined, this is a header which will be included after 485 * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE. 486 * This allows you to modify the default configuration, including the ability 487 * to undefine options that are enabled by default. 488 * 489 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 490 * non-standard feature of the C language, so this feature is only available 491 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 492 * 493 * The value of this symbol is typically a path in double quotes, either 494 * absolute or relative to a directory on the include search path. 495 */ 496 //#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" 497 498 /** \} name SECTION: General configuration options */ 499 500 /** 501 * \name SECTION: Module configuration options 502 * 503 * This section allows for the setting of module specific sizes and 504 * configuration options. The default values are already present in the 505 * relevant header files and should suffice for the regular use cases. 506 * 507 * Our advice is to enable options and change their values here 508 * only if you have a good reason and know the consequences. 509 * 510 * Please check the respective header file for documentation on these 511 * parameters (to prevent duplicate documentation). 512 * \{ 513 */ 514 515 /* ECP options */ 516 #define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */ 517 518 /** 519 * Uncomment to enable p256-m. This is an alternative implementation of 520 * key generation, ECDH and (randomized) ECDSA on the curve SECP256R1. 521 * Compared to the default implementation: 522 * 523 * - p256-m has a much smaller code size and RAM footprint. 524 * - p256-m is only available via the PSA API. This includes the pk module 525 * when #MBEDTLS_USE_PSA_CRYPTO is enabled. 526 * - p256-m does not support deterministic ECDSA, EC-JPAKE, custom protocols 527 * over the core arithmetic, or deterministic derivation of keys. 528 * 529 * We recommend enabling this option if your application uses the PSA API 530 * and the only elliptic curve support it needs is ECDH and ECDSA over 531 * SECP256R1. 532 * 533 * If you enable this option, you do not need to enable any ECC-related 534 * MBEDTLS_xxx option. You do need to separately request support for the 535 * cryptographic mechanisms through the PSA API: 536 * - #MBEDTLS_PSA_CRYPTO_C and #MBEDTLS_PSA_CRYPTO_CONFIG for PSA-based 537 * configuration; 538 * - #MBEDTLS_USE_PSA_CRYPTO if you want to use p256-m from PK, X.509 or TLS; 539 * - #PSA_WANT_ECC_SECP_R1_256; 540 * - #PSA_WANT_ALG_ECDH and/or #PSA_WANT_ALG_ECDSA as needed; 541 * - #PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY, #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC, 542 * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT, 543 * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT and/or 544 * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE as needed. 545 * 546 * \note To benefit from the smaller code size of p256-m, make sure that you 547 * do not enable any ECC-related option not supported by p256-m: this 548 * would cause the built-in ECC implementation to be built as well, in 549 * order to provide the required option. 550 * Make sure #PSA_WANT_ALG_DETERMINISTIC_ECDSA, #PSA_WANT_ALG_JPAKE and 551 * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE, and curves other than 552 * SECP256R1 are disabled as they are not supported by this driver. 553 * Also, avoid defining #MBEDTLS_PK_PARSE_EC_COMPRESSED or 554 * #MBEDTLS_PK_PARSE_EC_EXTENDED as those currently require a subset of 555 * the built-in ECC implementation, see docs/driver-only-builds.md. 556 */ 557 #define MBEDTLS_PSA_P256M_DRIVER_ENABLED 558 559 /* \} name SECTION: Customisation configuration options */ 560 561 #if CRYPTO_NV_SEED 562 #include "tfm_mbedcrypto_config_extra_nv_seed.h" 563 #endif /* CRYPTO_NV_SEED */ 564 565 #if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED) 566 #include "mbedtls_entropy_nv_seed_config.h" 567 #endif 568 569 #ifdef CRYPTO_HW_ACCELERATOR 570 #include "mbedtls_accelerator_config.h" 571 #endif 572 573 #endif /* PROFILE_M_MBEDTLS_CONFIG_H */ 574
