1# Cryptography primitive options for mbed TLS 2 3# Copyright (c) 2016 Intel Corporation 4# SPDX-License-Identifier: Apache-2.0 5 6config ZEPHYR_MBEDTLS_MODULE 7 bool 8config MBEDTLS_PROMPTLESS 9 bool 10 help 11 Symbol to disable the prompt for MBEDTLS selection. 12 This symbol may be used internally in a Kconfig tree to hide the 13 mbed TLS menu prompt and instead handle the selection of MBEDTLS from 14 dependent sub-configurations and thus prevent stuck symbol behavior. 15 16 17menuconfig MBEDTLS 18 bool "mbed TLS Support" if !MBEDTLS_PROMPTLESS 19 help 20 This option enables the mbedTLS cryptography library. 21 22if MBEDTLS 23 24choice MBEDTLS_IMPLEMENTATION 25 prompt "Select implementation" 26 default MBEDTLS_BUILTIN 27 28config MBEDTLS_BUILTIN 29 bool "Use Zephyr in-tree mbedTLS version" 30 help 31 Link with mbedTLS sources included with Zephyr distribution. 32 Included mbedTLS version is well integrated with and supported 33 by Zephyr, and the recommended choice for most users. 34 35config MBEDTLS_LIBRARY 36 bool "Use external mbedTLS library" 37 help 38 Use external, out-of-tree prebuilt mbedTLS library. For advanced 39 users only. 40 41endchoice 42 43config CUSTOM_MBEDTLS_CFG_FILE 44 bool "Custom mbed TLS configuration file" 45 help 46 Allow user defined input for the MBEDTLS_CFG_FILE setting. 47 You can specify the actual configuration file using the 48 MBEDTLS_CFG_FILE setting. 49 50config MBEDTLS_CFG_FILE 51 string "mbed TLS configuration file" if CUSTOM_MBEDTLS_CFG_FILE 52 depends on MBEDTLS_BUILTIN 53 default "config-tls-generic.h" 54 help 55 Use a specific mbedTLS configuration file. The default config file 56 file can be tweaked with Kconfig. The default configuration is 57 suitable to communicate with majority of HTTPS servers on the Internet, 58 but has relatively many features enabled. To optimize resources for 59 special TLS usage, use available Kconfig options, or select an 60 alternative config. 61 62rsource "Kconfig.tls-generic" 63 64config MBEDTLS_SSL_MAX_CONTENT_LEN 65 int "Max payload size for TLS protocol message" 66 default 1500 67 depends on MBEDTLS_BUILTIN 68 help 69 The TLS standards mandate max payload size of 16384 bytes. So, for 70 maximum operability and for general-purpose usage, that value must 71 be used. For specific usages, that value can be largely decreased. 72 E.g. for DTLS, payload size is limited by UDP datagram size, and 73 even for HTTPS REST API, the payload can be limited to max size of 74 (REST request, REST response, server certificate(s)). 75 mbedTLS uses this value separate for input and output buffers, so 76 twice this value will be allocated (on mbedTLS own heap, so the 77 value of MBEDTLS_HEAP_SIZE should accommodate that). 78 79module = MBEDTLS 80module-str = Log level mbedTLS library debug hook 81source "subsys/logging/Kconfig.template.log_config" 82 83config MBEDTLS_DEBUG 84 bool "mbed TLS debug activation" 85 help 86 Enable debugging activation for mbed TLS configuration. If you use 87 mbedTLS/Zephyr integration (e.g. native TLS sockets), this will 88 activate debug logging. 89 90 If you use mbedTLS directly instead, you will need to perform 91 additional configuration yourself: call 92 mbedtls_ssl_conf_dbg(&mbedtls.conf, zephyr_mbedtls_debug, NULL); 93 function in your application. Alternatively implement your own debug 94 hook function if zephyr_mbedtls_debug() doesn't suit your needs. 95 96if MBEDTLS_DEBUG 97 98config MBEDTLS_DEBUG_LEVEL 99 int 100 default 4 if MBEDTLS_LOG_LEVEL_DBG 101 default 3 if MBEDTLS_LOG_LEVEL_INF 102 default 2 if MBEDTLS_LOG_LEVEL_WRN 103 default 1 if MBEDTLS_LOG_LEVEL_ERR 104 default 0 105 range 0 4 106 help 107 Default mbed TLS debug logging level for Zephyr integration code 108 (from ext/lib/crypto/mbedtls/include/mbedtls/debug.h): 109 0 No debug 110 1 Error 111 2 State change 112 3 Information 113 4 Verbose 114 115 This makes Zephyr call mbedtls_debug_set_threshold() function during 116 mbedTLS initialization, with the configured debug log level. 117 118choice MBEDTLS_DEBUG_EXTRACT_BASENAME 119 prompt "Extract basename from filenames" 120 default MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_BUILDTIME if "$(ZEPHYR_TOOLCHAIN_VARIANT)" = "zephyr" 121 default MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME 122 123config MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_BUILDTIME 124 bool "Buildtime" 125 help 126 Adds compile options, which should convert full source paths in 127 __FILE__ macro to files' basenames. This will reduce code footprint 128 when debug messages are enabled. 129 130 This is compiler dependent, so if it does not work then please 131 fallback to MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME instead. 132 133config MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME 134 bool "Runtime" 135 help 136 Filename passed as argument to debug hook will be stripped from 137 directory, so that only basename part is left and logged. 138 139config MBEDTLS_DEBUG_EXTRACT_BASENAME_DISABLED 140 bool "Disabled" 141 help 142 Disable basename extraction from filenames in log mesasges. This will 143 result in full paths or paths relative to west root directory 144 appearing in log messages generated by mbedTLS library. 145 146endchoice 147 148config MBEDTLS_DEBUG_STRIP_NEWLINE 149 bool "Strip newlines" 150 default y 151 help 152 Attempt to strip last character from logged string when it is a 153 newline. 154 155endif # MBEDTLS_DEBUG 156 157config MBEDTLS_MEMORY_DEBUG 158 bool "mbed TLS memory debug activation" 159 depends on MBEDTLS_BUILTIN 160 help 161 Enable debugging of buffer allocator memory issues. Automatically 162 prints (to stderr) all (fatal) messages on memory allocation 163 issues. Enables function for 'debug output' of allocated memory. 164 165config MBEDTLS_TEST 166 bool "Compile internal self test functions" 167 depends on MBEDTLS_BUILTIN 168 help 169 Enable self test function for the crypto algorithms 170 171config MBEDTLS_INSTALL_PATH 172 string "mbedTLS install path" 173 depends on MBEDTLS_LIBRARY 174 help 175 This option holds the path where the mbedTLS libraries and headers are 176 installed. Make sure this option is properly set when MBEDTLS_LIBRARY 177 is enabled otherwise the build will fail. 178 179config MBEDTLS_ENABLE_HEAP 180 bool "Global heap for mbed TLS" 181 help 182 This option enables the mbedtls to use the heap. This setting must 183 be global so that various applications and libraries in Zephyr do not 184 try to do this themselves as there can be only one heap defined 185 in mbedtls. If this is enabled, and MBEDTLS_INIT is enabled then the 186 Zephyr will, during the device startup, initialize the heap automatically. 187 188config MBEDTLS_HEAP_SIZE 189 int "Heap size for mbed TLS" 190 default 10240 if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER 191 default 512 192 depends on MBEDTLS_ENABLE_HEAP 193 help 194 The mbedtls routines will use this heap if enabled. 195 See ext/lib/crypto/mbedtls/include/mbedtls/config.h and 196 MBEDTLS_MEMORY_BUFFER_ALLOC_C option for details. That option is not 197 enabled by default. 198 Default value for the heap size is not set as it depends on the 199 application. For streaming communication with arbitrary (HTTPS) 200 servers on the Internet, 32KB + overheads (up to another 20KB) may 201 be needed. For some dedicated and specific usage of mbedtls API, the 202 1000 bytes might be ok. 203 204config MBEDTLS_INIT 205 bool "Initialize mbed TLS at boot" 206 default y 207 help 208 By default mbed TLS will be initialized at Zephyr init. Disabling this option 209 will defer the initialization until explicitly called. 210 211config MBEDTLS_SHELL 212 bool "mbed TLS shell" 213 depends on MBEDTLS 214 depends on SHELL 215 help 216 Enable mbed TLS shell module, which allows to show debug information 217 about mbed TLS library, such as heap usage. 218 219config MBEDTLS_ZEPHYR_ENTROPY 220 bool "mbed TLS entropy source based on Zephyr entropy driver" 221 depends on MBEDTLS 222 help 223 This option enables the entropy source based on Zephyr entropy driver 224 for mbed TLS. The entropy source is registered automatically during 225 system initialization. 226 227config MBEDTLS_ZEROIZE_ALT 228 bool "mbed TLS alternate mbedtls_platform_zeroize implementation" 229 help 230 mbed TLS configuration supplies an alternate implementation of 231 mbedtls_platform_zeroize. 232 233config APP_LINK_WITH_MBEDTLS 234 bool "Link 'app' with MBEDTLS" 235 default y 236 help 237 Add MBEDTLS header files to the 'app' include path. It may be 238 disabled if the include paths for MBEDTLS are causing aliasing 239 issues for 'app'. 240 241endif # MBEDTLS 242