1 /** 2 * \file config.h 3 * 4 * \brief Configuration options (set of defines) 5 * 6 * This set of compile-time options may be used to enable 7 * or disable features selectively, and reduce the global 8 * memory footprint. 9 */ 10 /* 11 * Copyright The Mbed TLS Contributors 12 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 13 */ 14 15 #ifndef PROFILE_M_MBEDTLS_CONFIG_H 16 #define PROFILE_M_MBEDTLS_CONFIG_H 17 18 #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) 19 #define _CRT_SECURE_NO_DEPRECATE 1 20 #endif 21 22 /** 23 * \name SECTION: System support 24 * 25 * This section sets system specific settings. 26 * \{ 27 */ 28 29 /** 30 * \def MBEDTLS_HAVE_ASM 31 * 32 * The compiler has support for asm(). 33 * 34 * Requires support for asm() in compiler. 35 * 36 * Used in: 37 * library/aria.c 38 * library/timing.c 39 * include/mbedtls/bn_mul.h 40 * 41 * Required by: 42 * MBEDTLS_AESNI_C 43 * MBEDTLS_PADLOCK_C 44 * 45 * Comment to disable the use of assembly code. 46 */ 47 #define MBEDTLS_HAVE_ASM 48 49 /** 50 * \def MBEDTLS_PLATFORM_MEMORY 51 * 52 * Enable the memory allocation layer. 53 * 54 * By default mbed TLS uses the system-provided calloc() and free(). 55 * This allows different allocators (self-implemented or provided) to be 56 * provided to the platform abstraction layer. 57 * 58 * Enabling MBEDTLS_PLATFORM_MEMORY without the 59 * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide 60 * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and 61 * free() function pointer at runtime. 62 * 63 * Enabling MBEDTLS_PLATFORM_MEMORY and specifying 64 * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the 65 * alternate function at compile time. 66 * 67 * Requires: MBEDTLS_PLATFORM_C 68 * 69 * Enable this layer to allow use of alternative memory allocators. 70 */ 71 #define MBEDTLS_PLATFORM_MEMORY 72 73 /* \} name SECTION: System support */ 74 75 /** 76 * \name SECTION: mbed TLS feature support 77 * 78 * This section sets support for features that are or are not needed 79 * within the modules that are enabled. 80 * \{ 81 */ 82 83 /** 84 * \def MBEDTLS_MD2_PROCESS_ALT 85 * 86 * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you 87 * alternate core implementation of symmetric crypto or hash function. Keep in 88 * mind that function prototypes should remain the same. 89 * 90 * This replaces only one function. The header file from mbed TLS is still 91 * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags. 92 * 93 * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will 94 * no longer provide the mbedtls_sha1_process() function, but it will still provide 95 * the other function (using your mbedtls_sha1_process() function) and the definition 96 * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible 97 * with this definition. 98 * 99 * \note Because of a signature change, the core AES encryption and decryption routines are 100 * currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt, 101 * respectively. When setting up alternative implementations, these functions should 102 * be overridden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt 103 * must stay untouched. 104 * 105 * \note If you use the AES_xxx_ALT macros, then is is recommended to also set 106 * MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES 107 * tables. 108 * 109 * Uncomment a macro to enable alternate implementation of the corresponding 110 * function. 111 * 112 * \warning MD2, MD4, MD5, DES and SHA-1 are considered weak and their use 113 * constitutes a security risk. If possible, we recommend avoiding 114 * dependencies on them, and considering stronger message digests 115 * and ciphers instead. 116 * 117 */ 118 #define MBEDTLS_AES_SETKEY_DEC_ALT 119 #define MBEDTLS_AES_DECRYPT_ALT 120 121 /** 122 * \def MBEDTLS_AES_ROM_TABLES 123 * 124 * Use precomputed AES tables stored in ROM. 125 * 126 * Uncomment this macro to use precomputed AES tables stored in ROM. 127 * Comment this macro to generate AES tables in RAM at runtime. 128 * 129 * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb 130 * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the 131 * initialization time before the first AES operation can be performed. 132 * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c 133 * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded 134 * performance if ROM access is slower than RAM access. 135 * 136 * This option is independent of \c MBEDTLS_AES_FEWER_TABLES. 137 * 138 */ 139 #define MBEDTLS_AES_ROM_TABLES 140 141 /** 142 * \def MBEDTLS_AES_FEWER_TABLES 143 * 144 * Use less ROM/RAM for AES tables. 145 * 146 * Uncommenting this macro omits 75% of the AES tables from 147 * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES) 148 * by computing their values on the fly during operations 149 * (the tables are entry-wise rotations of one another). 150 * 151 * Tradeoff: Uncommenting this reduces the RAM / ROM footprint 152 * by ~6kb but at the cost of more arithmetic operations during 153 * runtime. Specifically, one has to compare 4 accesses within 154 * different tables to 4 accesses with additional arithmetic 155 * operations within the same table. The performance gain/loss 156 * depends on the system and memory details. 157 * 158 * This option is independent of \c MBEDTLS_AES_ROM_TABLES. 159 * 160 */ 161 #define MBEDTLS_AES_FEWER_TABLES 162 163 /** 164 * \def MBEDTLS_ECP_NIST_OPTIM 165 * 166 * Enable specific 'modulo p' routines for each NIST prime. 167 * Depending on the prime and architecture, makes operations 4 to 8 times 168 * faster on the corresponding curve. 169 * 170 * Comment this macro to disable NIST curves optimisation. 171 */ 172 #define MBEDTLS_ECP_NIST_OPTIM 173 174 /** 175 * \def MBEDTLS_ERROR_STRERROR_DUMMY 176 * 177 * Enable a dummy error function to make use of mbedtls_strerror() in 178 * third party libraries easier when MBEDTLS_ERROR_C is disabled 179 * (no effect when MBEDTLS_ERROR_C is enabled). 180 * 181 * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're 182 * not using mbedtls_strerror() or error_strerror() in your application. 183 * 184 * Disable if you run into name conflicts and want to really remove the 185 * mbedtls_strerror() 186 */ 187 #define MBEDTLS_ERROR_STRERROR_DUMMY 188 189 /** 190 * \def MBEDTLS_NO_PLATFORM_ENTROPY 191 * 192 * Do not use built-in platform entropy functions. 193 * This is useful if your platform does not support 194 * standards like the /dev/urandom or Windows CryptoAPI. 195 * 196 * Uncomment this macro to disable the built-in platform entropy functions. 197 */ 198 #define MBEDTLS_NO_PLATFORM_ENTROPY 199 200 /** 201 * \def MBEDTLS_ENTROPY_NV_SEED 202 * 203 * Enable the non-volatile (NV) seed file-based entropy source. 204 * (Also enables the NV seed read/write functions in the platform layer) 205 * 206 * This is crucial (if not required) on systems that do not have a 207 * cryptographic entropy source (in hardware or kernel) available. 208 * 209 * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C 210 * 211 * \note The read/write functions that are used by the entropy source are 212 * determined in the platform layer, and can be modified at runtime and/or 213 * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used. 214 * 215 * \note If you use the default implementation functions that read a seedfile 216 * with regular fopen(), please make sure you make a seedfile with the 217 * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at 218 * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from 219 * and written to or you will get an entropy source error! The default 220 * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE 221 * bytes from the file. 222 * 223 * \note The entropy collector will write to the seed file before entropy is 224 * given to an external source, to update it. 225 */ 226 // This macro is enabled in TFM Medium but is disabled here because it is 227 // incompatible with baremetal builds in Mbed TLS. 228 //#define MBEDTLS_ENTROPY_NV_SEED 229 230 /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER 231 * 232 * Enable key identifiers that encode a key owner identifier. 233 * 234 * This is only meaningful when building the library as part of a 235 * multi-client service. When you activate this option, you must provide an 236 * implementation of the type mbedtls_key_owner_id_t and a translation from 237 * mbedtls_svc_key_id_t to file name in all the storage backends that you 238 * you wish to support. 239 * 240 * Note that while this define has been removed from TF-M's copy of this config 241 * file, TF-M still passes this option to Mbed TLS during the build via CMake. 242 * Therefore we keep it in our copy. See discussion on PR #7426 for more info. 243 * 244 */ 245 #define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER 246 247 /** 248 * \def MBEDTLS_PSA_CRYPTO_SPM 249 * 250 * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure 251 * Partition Manager) integration which separates the code into two parts: a 252 * NSPE (Non-Secure Process Environment) and an SPE (Secure Process 253 * Environment). 254 * 255 * Module: library/psa_crypto.c 256 * Requires: MBEDTLS_PSA_CRYPTO_C 257 * 258 */ 259 #define MBEDTLS_PSA_CRYPTO_SPM 260 261 /** 262 * \def MBEDTLS_SHA256_SMALLER 263 * 264 * Enable an implementation of SHA-256 that has lower ROM footprint but also 265 * lower performance. 266 * 267 * The default implementation is meant to be a reasonnable compromise between 268 * performance and size. This version optimizes more aggressively for size at 269 * the expense of performance. Eg on Cortex-M4 it reduces the size of 270 * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about 271 * 30%. 272 * 273 * Uncomment to enable the smaller implementation of SHA256. 274 */ 275 #define MBEDTLS_SHA256_SMALLER 276 277 /** 278 * \def MBEDTLS_PSA_CRYPTO_CONFIG 279 * 280 * This setting allows support for cryptographic mechanisms through the PSA 281 * API to be configured separately from support through the mbedtls API. 282 * 283 * When this option is disabled, the PSA API exposes the cryptographic 284 * mechanisms that can be implemented on top of the `mbedtls_xxx` API 285 * configured with `MBEDTLS_XXX` symbols. 286 * 287 * When this option is enabled, the PSA API exposes the cryptographic 288 * mechanisms requested by the `PSA_WANT_XXX` symbols defined in 289 * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are 290 * automatically enabled if required (i.e. if no PSA driver provides the 291 * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols 292 * in mbedtls_config.h. 293 * 294 * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies 295 * an alternative header to include instead of include/psa/crypto_config.h. 296 * 297 * This feature is still experimental and is not ready for production since 298 * it is not completed. 299 */ 300 #define MBEDTLS_PSA_CRYPTO_CONFIG 301 302 /* \} name SECTION: mbed TLS feature support */ 303 304 /** 305 * \name SECTION: mbed TLS modules 306 * 307 * This section enables or disables entire modules in mbed TLS 308 * \{ 309 */ 310 311 /** 312 * \def MBEDTLS_AES_C 313 * 314 * Enable the AES block cipher. 315 * 316 * Module: library/aes.c 317 * Caller: library/cipher.c 318 * library/pem.c 319 * library/ctr_drbg.c 320 * 321 * This module is required to support the TLS ciphersuites that use the AES 322 * cipher. 323 * 324 * PEM_PARSE uses AES for decrypting encrypted keys. 325 */ 326 #define MBEDTLS_AES_C 327 328 /** 329 * \def MBEDTLS_CIPHER_C 330 * 331 * Enable the generic cipher layer. 332 * 333 * Module: library/cipher.c 334 * 335 * Uncomment to enable generic cipher wrappers. 336 */ 337 #define MBEDTLS_CIPHER_C 338 339 /** 340 * \def MBEDTLS_CTR_DRBG_C 341 * 342 * Enable the CTR_DRBG AES-based random generator. 343 * The CTR_DRBG generator uses AES-256 by default. 344 * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below. 345 * 346 * Module: library/ctr_drbg.c 347 * Caller: 348 * 349 * Requires: MBEDTLS_AES_C 350 * 351 * This module provides the CTR_DRBG AES random number generator. 352 */ 353 #define MBEDTLS_CTR_DRBG_C 354 355 /** 356 * \def MBEDTLS_ENTROPY_C 357 * 358 * Enable the platform-specific entropy code. 359 * 360 * Module: library/entropy.c 361 * Caller: 362 * 363 * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C 364 * 365 * This module provides a generic entropy pool 366 */ 367 #define MBEDTLS_ENTROPY_C 368 369 /** 370 * \def MBEDTLS_ERROR_C 371 * 372 * Enable error code to error string conversion. 373 * 374 * Module: library/error.c 375 * Caller: 376 * 377 * This module enables mbedtls_strerror(). 378 */ 379 #define MBEDTLS_ERROR_C 380 381 /** 382 * \def MBEDTLS_HKDF_C 383 * 384 * Enable the HKDF algorithm (RFC 5869). 385 * 386 * Module: library/hkdf.c 387 * Caller: 388 * 389 * Requires: MBEDTLS_MD_C 390 * 391 * This module adds support for the Hashed Message Authentication Code 392 * (HMAC)-based key derivation function (HKDF). 393 */ 394 #define MBEDTLS_HKDF_C /* Used for HUK deriviation */ 395 396 /** 397 * \def MBEDTLS_MD_C 398 * 399 * Enable the generic layer for message digest (hashing) and HMAC. 400 * 401 * Requires: one of: MBEDTLS_MD5_C, MBEDTLS_RIPEMD160_C, MBEDTLS_SHA1_C, 402 * MBEDTLS_SHA224_C, MBEDTLS_SHA256_C, MBEDTLS_SHA384_C, 403 * MBEDTLS_SHA512_C, or MBEDTLS_PSA_CRYPTO_C with at least 404 * one hash. 405 * Module: library/md.c 406 * Caller: library/constant_time.c 407 * library/ecdsa.c 408 * library/ecjpake.c 409 * library/hkdf.c 410 * library/hmac_drbg.c 411 * library/pk.c 412 * library/pkcs5.c 413 * library/pkcs12.c 414 * library/psa_crypto_ecp.c 415 * library/psa_crypto_rsa.c 416 * library/rsa.c 417 * library/ssl_cookie.c 418 * library/ssl_msg.c 419 * library/ssl_tls.c 420 * library/x509.c 421 * library/x509_crt.c 422 * library/x509write_crt.c 423 * library/x509write_csr.c 424 * 425 * Uncomment to enable generic message digest wrappers. 426 */ 427 #define MBEDTLS_MD_C 428 429 /** 430 * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C 431 * 432 * Enable the buffer allocator implementation that makes use of a (stack) 433 * based buffer to 'allocate' dynamic memory. (replaces calloc() and free() 434 * calls) 435 * 436 * Module: library/memory_buffer_alloc.c 437 * 438 * Requires: MBEDTLS_PLATFORM_C 439 * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS) 440 * 441 * Enable this module to enable the buffer memory allocator. 442 */ 443 #define MBEDTLS_MEMORY_BUFFER_ALLOC_C 444 445 /** 446 * \def MBEDTLS_PLATFORM_C 447 * 448 * Enable the platform abstraction layer that allows you to re-assign 449 * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). 450 * 451 * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT 452 * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned 453 * above to be specified at runtime or compile time respectively. 454 * 455 * \note This abstraction layer must be enabled on Windows (including MSYS2) 456 * as other module rely on it for a fixed snprintf implementation. 457 * 458 * Module: library/platform.c 459 * Caller: Most other .c files 460 * 461 * This module enables abstraction of common (libc) functions. 462 */ 463 #define MBEDTLS_PLATFORM_C 464 465 466 /** 467 * \def MBEDTLS_PSA_CRYPTO_C 468 * 469 * Enable the Platform Security Architecture cryptography API. 470 * 471 * Module: library/psa_crypto.c 472 * 473 * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C 474 * 475 */ 476 #define MBEDTLS_PSA_CRYPTO_C 477 478 /** 479 * \def MBEDTLS_PSA_CRYPTO_STORAGE_C 480 * 481 * Enable the Platform Security Architecture persistent key storage. 482 * 483 * Module: library/psa_crypto_storage.c 484 * 485 * Requires: MBEDTLS_PSA_CRYPTO_C, 486 * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of 487 * the PSA ITS interface 488 */ 489 // This macro is enabled in TFM Medium but is disabled here because it is 490 // incompatible with baremetal builds in Mbed TLS. 491 //#define MBEDTLS_PSA_CRYPTO_STORAGE_C 492 493 /* \} name SECTION: mbed TLS modules */ 494 495 /** 496 * \name SECTION: General configuration options 497 * 498 * This section contains Mbed TLS build settings that are not associated 499 * with a particular module. 500 * 501 * \{ 502 */ 503 504 /** 505 * \def MBEDTLS_CONFIG_FILE 506 * 507 * If defined, this is a header which will be included instead of 508 * `"mbedtls/mbedtls_config.h"`. 509 * This header file specifies the compile-time configuration of Mbed TLS. 510 * Unlike other configuration options, this one must be defined on the 511 * compiler command line: a definition in `mbedtls_config.h` would have 512 * no effect. 513 * 514 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 515 * non-standard feature of the C language, so this feature is only available 516 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 517 * 518 * The value of this symbol is typically a path in double quotes, either 519 * absolute or relative to a directory on the include search path. 520 */ 521 //#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" 522 523 /** 524 * \def MBEDTLS_USER_CONFIG_FILE 525 * 526 * If defined, this is a header which will be included after 527 * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE. 528 * This allows you to modify the default configuration, including the ability 529 * to undefine options that are enabled by default. 530 * 531 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 532 * non-standard feature of the C language, so this feature is only available 533 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 534 * 535 * The value of this symbol is typically a path in double quotes, either 536 * absolute or relative to a directory on the include search path. 537 */ 538 //#define MBEDTLS_USER_CONFIG_FILE "/dev/null" 539 540 /** 541 * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE 542 * 543 * If defined, this is a header which will be included instead of 544 * `"psa/crypto_config.h"`. 545 * This header file specifies which cryptographic mechanisms are available 546 * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and 547 * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled. 548 * 549 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 550 * non-standard feature of the C language, so this feature is only available 551 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 552 * 553 * The value of this symbol is typically a path in double quotes, either 554 * absolute or relative to a directory on the include search path. 555 */ 556 //#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h" 557 558 /** 559 * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE 560 * 561 * If defined, this is a header which will be included after 562 * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE. 563 * This allows you to modify the default configuration, including the ability 564 * to undefine options that are enabled by default. 565 * 566 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 567 * non-standard feature of the C language, so this feature is only available 568 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 569 * 570 * The value of this symbol is typically a path in double quotes, either 571 * absolute or relative to a directory on the include search path. 572 */ 573 //#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" 574 575 /** \} name SECTION: General configuration options */ 576 577 /** 578 * \name SECTION: Module configuration options 579 * 580 * This section allows for the setting of module specific sizes and 581 * configuration options. The default values are already present in the 582 * relevant header files and should suffice for the regular use cases. 583 * 584 * Our advice is to enable options and change their values here 585 * only if you have a good reason and know the consequences. 586 * 587 * Please check the respective header file for documentation on these 588 * parameters (to prevent duplicate documentation). 589 * \{ 590 */ 591 592 /* ECP options */ 593 #define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */ 594 595 /* \} name SECTION: Customisation configuration options */ 596 597 #if CRYPTO_NV_SEED 598 #include "tfm_mbedcrypto_config_extra_nv_seed.h" 599 #endif /* CRYPTO_NV_SEED */ 600 601 #if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED) 602 #include "mbedtls_entropy_nv_seed_config.h" 603 #endif 604 605 #ifdef CRYPTO_HW_ACCELERATOR 606 #include "mbedtls_accelerator_config.h" 607 #endif 608 609 #endif /* PROFILE_M_MBEDTLS_CONFIG_H */ 610
