1# Cryptography primitive options for mbed TLS
2
3# Copyright (c) 2016 Intel Corporation
4# SPDX-License-Identifier: Apache-2.0
5
6config ZEPHYR_MBEDTLS_MODULE
7	bool
8config MBEDTLS_PROMPTLESS
9	bool
10	help
11	  Symbol to disable the prompt for MBEDTLS selection.
12	  This symbol may be used internally in a Kconfig tree to hide the
13	  mbed TLS menu prompt and instead handle the selection of MBEDTLS from
14	  dependent sub-configurations and thus prevent stuck symbol behavior.
15
16rsource "Kconfig.psa.auto"
17rsource "Kconfig.psa.logic"
18
19menuconfig MBEDTLS
20	bool "mbed TLS Support" if !MBEDTLS_PROMPTLESS
21	help
22	  This option enables the mbedTLS cryptography library.
23
24if MBEDTLS
25
26choice MBEDTLS_IMPLEMENTATION
27	prompt "Select implementation"
28	default MBEDTLS_BUILTIN
29
30config MBEDTLS_BUILTIN
31	bool "Use Zephyr in-tree mbedTLS version"
32	help
33	  Link with mbedTLS sources included with Zephyr distribution.
34	  Included mbedTLS version is well integrated with and supported
35	  by Zephyr, and the recommended choice for most users.
36
37config MBEDTLS_LIBRARY
38	bool "Use external mbedTLS library"
39	help
40	  Use external, out-of-tree prebuilt mbedTLS library. For advanced
41	  users only.
42
43endchoice
44
45config CUSTOM_MBEDTLS_CFG_FILE
46	bool "Custom mbed TLS configuration file"
47	help
48	  Allow a user-defined value for the MBEDTLS_CFG_FILE setting.
49	  You can specify the actual configuration file using the
50	  MBEDTLS_CFG_FILE setting.
51
52config MBEDTLS_CFG_FILE
53	string "mbed TLS configuration file" if CUSTOM_MBEDTLS_CFG_FILE
54	depends on MBEDTLS_BUILTIN
55	default "config-mbedtls.h"
56	help
57	  Use a specific mbedTLS configuration file. The default config file
58	  can be tweaked with Kconfig. The default configuration is suitable
59	  for communicating with the majority of HTTPS servers on the Internet,
60	  but has relatively many features enabled. To optimize resources for
61	  a specific TLS usage, use the available Kconfig options, or select an
62	  alternative config.
63
64rsource "Kconfig.mbedtls"
65rsource "Kconfig.deprecated"
66
67config MBEDTLS_SSL_MAX_CONTENT_LEN
68	int "Max payload size for TLS protocol message"
69	default 1500
70	depends on MBEDTLS_BUILTIN
71	help
72	  The TLS standards mandate a maximum payload size of 16384 bytes, so for
73	  maximum interoperability and general-purpose usage that value must be used:
74	  a peer is unaware of a smaller limit configured here and may send records
75	  that cannot be processed. For specific usages the value can be decreased
76	  significantly, e.g. for DTLS the payload size is limited by the UDP datagram
77	  size, and for an HTTPS REST API it can be limited to the maximum size of
78	  (REST request, REST response, server certificate(s)). mbedTLS uses this
79	  value separately for input and output buffers, so twice this value is
80	  allocated (on the mbedTLS own heap, so MBEDTLS_HEAP_SIZE should accommodate that).
81
82module = MBEDTLS
83module-str = Log level mbedTLS library debug hook
84source "subsys/logging/Kconfig.template.log_config"
85
86config MBEDTLS_DEBUG
87	bool "mbed TLS debug activation"
88	help
89	  Enable debug output from mbed TLS. If you use the mbedTLS/Zephyr
90	  integration (e.g. native TLS sockets), this activates debug logging. It is
91	  meant for development builds: at verbose levels the output includes
92	  handshake and record contents that should not reach production logs.
93	
94	  If you use mbedTLS directly instead, you need to perform additional
95	  configuration yourself: call mbedtls_ssl_conf_dbg(&mbedtls.conf,
96	  zephyr_mbedtls_debug, NULL); in your application, or implement your own
97	  debug hook function if zephyr_mbedtls_debug() doesn't suit your needs.
98
99if MBEDTLS_DEBUG
100
101config MBEDTLS_DEBUG_LEVEL
102	int
103	default 4 if MBEDTLS_LOG_LEVEL_DBG
104	default 3 if MBEDTLS_LOG_LEVEL_INF
105	default 2 if MBEDTLS_LOG_LEVEL_WRN
106	default 1 if MBEDTLS_LOG_LEVEL_ERR
107	default 0
108	range 0 4
109	help
110	  Default mbed TLS debug logging level for Zephyr integration code
111	  (from ext/lib/crypto/mbedtls/include/mbedtls/debug.h):
112	  0 No debug
113	  1 Error
114	  2 State change
115	  3 Information
116	  4 Verbose
117
118	  This makes Zephyr call mbedtls_debug_set_threshold() function during
119	  mbedTLS initialization, with the configured debug log level.
120
121choice MBEDTLS_DEBUG_EXTRACT_BASENAME
122	prompt "Extract basename from filenames"
123	default MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_BUILDTIME if "$(ZEPHYR_TOOLCHAIN_VARIANT)" = "zephyr"
124	default MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME
125
126config MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_BUILDTIME
127	bool "Buildtime"
128	help
129	  Adds compile options that should convert the full source paths in the
130	  __FILE__ macro to the files' basenames. This reduces code footprint
131	  when debug messages are enabled.
132	
133	  This is compiler dependent, so if it does not work, please fall back to
134	  MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME instead.
135
136config MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME
137	bool "Runtime"
138	help
139	  The directory part of the filename passed to the debug hook is stripped
140	  at runtime, so that only the basename is logged.
141
142config MBEDTLS_DEBUG_EXTRACT_BASENAME_DISABLED
143	bool "Disabled"
144	help
145	  Disable basename extraction from filenames in log messages. This will
146	  result in full paths, or paths relative to the west root directory,
147	  appearing in log messages generated by the mbedTLS library.
148
149endchoice
150
151config MBEDTLS_DEBUG_STRIP_NEWLINE
152	bool "Strip newlines"
153	default y
154	help
155	  Attempt to strip the last character from the logged string when it is
156	  a newline.
157
158endif # MBEDTLS_DEBUG
159
160config MBEDTLS_MEMORY_DEBUG
161	bool "mbed TLS memory debug activation"
162	depends on MBEDTLS_BUILTIN
163	help
164	  Enable debugging of buffer allocator memory issues. This automatically
165	  prints (to stderr) all (fatal) messages on memory allocation issues and
166	  enables a function for 'debug output' of the allocated memory.
167
168config MBEDTLS_TEST
169	bool "Compile internal self test functions"
170	depends on MBEDTLS_BUILTIN
171	help
172	  Enable the self-test functions for the crypto algorithms.
173
174config MBEDTLS_INSTALL_PATH
175	string "mbedTLS install path"
176	depends on MBEDTLS_LIBRARY
177	help
178	  This option holds the path where the mbedTLS libraries and headers are
179	  installed. Make sure this option is set properly when MBEDTLS_LIBRARY
180	  is enabled, otherwise the build will fail.
181
182config MBEDTLS_ENABLE_HEAP
183	bool "Global heap for mbed TLS"
184	help
185	  This option enables mbed TLS to use a heap. This setting must be global
186	  so that the various applications and libraries in Zephyr do not try to
187	  do this themselves, as there can be only one heap defined in mbedtls.
188	  If this option and MBEDTLS_INIT are both enabled, Zephyr will initialize
189	  the heap automatically during device startup.
190
191if MBEDTLS_ENABLE_HEAP
192
193config MBEDTLS_HEAP_SIZE
194	int "Heap size for mbed TLS"
195	default 10240 if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
196	default 512
197	help
198	  The mbedtls routines will use this heap if enabled.
199	  See ext/lib/crypto/mbedtls/include/mbedtls/config.h and the
200	  MBEDTLS_MEMORY_BUFFER_ALLOC_C option for details. That option is not
201	  enabled by default.
202	  No universally suitable heap size exists, as it depends on the
203	  application. For streaming communication with arbitrary (HTTPS)
204	  servers on the Internet, 32KB + overheads (up to another 20KB) may
205	  be needed. For some dedicated and specific usage of the mbedtls API,
206	  around 1000 bytes may be enough.
207
208config MBEDTLS_HEAP_CUSTOM_SECTION
209	bool "Use a custom section for the Mbed TLS heap"
210	help
211	  Place Mbed TLS heap in custom section, with tag ".mbedtls_heap".
212	  This can be used by custom linker scripts to relocate the Mbed TLS
213	  heap to a custom location, such as another SRAM region or external memory.
214
215endif # MBEDTLS_ENABLE_HEAP
216
217config MBEDTLS_INIT
218	bool "Initialize mbed TLS at boot"
219	default y
220	help
221	  By default mbed TLS is initialized during Zephyr init. Disabling this option
222	  defers the initialization until it is explicitly called by the application.
223
224config MBEDTLS_SHELL
225	bool "mbed TLS shell"
226	depends on MBEDTLS
227	depends on SHELL
228	help
229	  Enable the mbed TLS shell module, which can show debug information
230	  about the mbed TLS library, such as heap usage.
231
232config MBEDTLS_ZEROIZE_ALT
233	bool "mbed TLS alternate mbedtls_platform_zeroize implementation"
234	help
235	  The mbed TLS configuration supplies an alternate implementation of
236	  mbedtls_platform_zeroize, which mbed TLS uses to clear sensitive data
237	  (e.g. key material) from memory; the alternate must not be optimized away.
237
238config APP_LINK_WITH_MBEDTLS
239	bool "Link 'app' with MBEDTLS"
240	default y
241	help
242	  Add MBEDTLS header files to the 'app' include path. It may be
243	  disabled if the include paths for MBEDTLS are causing aliasing
244	  issues for 'app'.
245
246endif # MBEDTLS
247