/**
 * \file config.h
 *
 * \brief Configuration options (set of defines)
 *
 * This set of compile-time options may be used to enable
 * or disable features selectively, and reduce the global
 * memory footprint.
 */
/*
 * Copyright (C) 2006-2022, ARM Limited, All Rights Reserved
 * SPDX-License-Identifier: Apache-2.0
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may
 * not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * This file is part of mbed TLS (https://tls.mbed.org)
 */

#ifndef PROFILE_S_MBEDTLS_CONFIG_H
#define PROFILE_S_MBEDTLS_CONFIG_H

/* Base crypto settings; the profile options below are layered on top of them. */
#include "config_crypto.h"

/* MSVC: silence the deprecation warnings for standard C functions such as snprintf(). */
#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
#define _CRT_SECURE_NO_DEPRECATE 1
#endif

/**
 * \name SECTION: System support
 *
 * This section sets system specific settings.
 * \{
 */

/**
 * \def MBEDTLS_HAVE_ASM
 *
 * The compiler has support for asm().
 *
 * Requires support for asm() in compiler.
 *
 * Used in:
 *      library/aria.c
 *      library/timing.c
 *      include/mbedtls/bn_mul.h
 *
 * Required by:
 *      MBEDTLS_AESNI_C
 *      MBEDTLS_PADLOCK_C
 *
 * Comment to disable the use of assembly code.
 */
#define MBEDTLS_HAVE_ASM

/**
 * \def MBEDTLS_PLATFORM_MEMORY
 *
 * Enable the memory allocation layer.
 *
 * By default mbed TLS uses the system-provided calloc() and free().
 * This allows different allocators (self-implemented or provided) to be
 * plugged into the platform abstraction layer.
 *
 * Enabling MBEDTLS_PLATFORM_MEMORY without the
 * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
 * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
 * free() function pointer at runtime.
 *
 * Enabling MBEDTLS_PLATFORM_MEMORY and specifying
 * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
 * alternate function at compile time.
 *
 * Requires: MBEDTLS_PLATFORM_C
 *
 * Enable this layer to allow use of alternative memory allocators.
 * In this profile the allocator is supplied by MBEDTLS_MEMORY_BUFFER_ALLOC_C
 * (see the modules section below).
 */
#define MBEDTLS_PLATFORM_MEMORY

/* \} name SECTION: System support */

/**
 * \name SECTION: mbed TLS feature support
 *
 * This section sets support for features that are or are not needed
 * within the modules that are enabled.
 * \{
 */

/**
 * \def MBEDTLS_AES_SETKEY_DEC_ALT
 * \def MBEDTLS_AES_DECRYPT_ALT
 *
 * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use your
 * alternate core implementation of symmetric crypto or hash function. Keep in
 * mind that function prototypes should remain the same.
 *
 * This replaces only one function. The header file from mbed TLS is still
 * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags.
 *
 * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will
 * no longer provide the mbedtls_sha256_process() function, but it will still provide
 * the other functions (using your mbedtls_sha256_process() function) and the definition
 * of mbedtls_sha256_context, so your implementation of mbedtls_sha256_process must be
 * compatible with this definition.
 *
 * \note Because of a signature change, the core AES encryption and decryption routines are
 *       currently named mbedtls_internal_aes_encrypt and mbedtls_internal_aes_decrypt
 *       (see aes.h), respectively. When setting up alternative implementations, these
 *       functions should be overridden, but the wrapper functions mbedtls_aes_decrypt
 *       and mbedtls_aes_encrypt must stay untouched.
 *
 * \note If you use the AES_xxx_ALT macros, then it is recommended to also set
 *       MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES
 *       tables.
 *
 * \note This profile defines only the two decryption-side macros, so the build
 *       presumably has to supply mbedtls_aes_setkey_dec() and
 *       mbedtls_internal_aes_decrypt() from elsewhere (verify against the
 *       platform's AES sources); the encryption side keeps the library code.
 *
 * Uncomment a macro to enable alternate implementation of the corresponding
 * function.
 *
 * \warning   MD2, MD4, MD5, DES and SHA-1 are considered weak and their use
 *            constitutes a security risk. If possible, we recommend avoiding
 *            dependencies on them, and considering stronger message digests
 *            and ciphers instead.
 *
 */
#define MBEDTLS_AES_SETKEY_DEC_ALT
#define MBEDTLS_AES_DECRYPT_ALT

/**
 * \def MBEDTLS_AES_ROM_TABLES
 *
 * Use precomputed AES tables stored in ROM.
 *
 * Uncomment this macro to use precomputed AES tables stored in ROM.
 * Comment this macro to generate AES tables in RAM at runtime.
 *
 * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
 * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
 * initialization time before the first AES operation can be performed.
 * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
 * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
 * performance if ROM access is slower than RAM access.
 *
 * This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
 * Both are enabled in this profile, i.e. the ~2kb ROM variant applies.
 *
 */
#define MBEDTLS_AES_ROM_TABLES

/**
 * \def MBEDTLS_AES_FEWER_TABLES
 *
 * Use less ROM/RAM for AES tables.
 *
 * Uncommenting this macro omits 75% of the AES tables from
 * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
 * by computing their values on the fly during operations
 * (the tables are entry-wise rotations of one another).
 *
 * Tradeoff: Uncommenting this reduces the RAM / ROM footprint
 * by ~6kb but at the cost of more arithmetic operations during
 * runtime. Specifically, one has to compare 4 accesses within
 * different tables to 4 accesses with additional arithmetic
 * operations within the same table. The performance gain/loss
 * depends on the system and memory details.
 *
 * This option is independent of \c MBEDTLS_AES_ROM_TABLES.
 *
 */
#define MBEDTLS_AES_FEWER_TABLES

/**
 * \def MBEDTLS_ERROR_STRERROR_DUMMY
 *
 * Enable a dummy error function to make use of mbedtls_strerror() in
 * third party libraries easier when MBEDTLS_ERROR_C is disabled
 * (no effect when MBEDTLS_ERROR_C is enabled).
 *
 * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're
 * not using mbedtls_strerror() or error_strerror() in your application.
 *
 * Disable if you run into name conflicts and want to really remove the
 * mbedtls_strerror()
 *
 * \note MBEDTLS_ERROR_C is enabled below, so this setting has no effect in
 *       this profile as written.
 */
#define MBEDTLS_ERROR_STRERROR_DUMMY

/**
 * \def MBEDTLS_NO_PLATFORM_ENTROPY
 *
 * Do not use built-in platform entropy functions.
 * This is useful if your platform does not support
 * standards like the /dev/urandom or Windows CryptoAPI.
 *
 * Uncomment this macro to disable the built-in platform entropy functions.
 *
 * \note With this defined, the entropy pool gets no OS-provided source;
 *       see the note on MBEDTLS_ENTROPY_NV_SEED below for what feeds it
 *       in this profile.
 */
#define MBEDTLS_NO_PLATFORM_ENTROPY

/**
 * \def MBEDTLS_ENTROPY_NV_SEED
 *
 * Enable the non-volatile (NV) seed file-based entropy source.
 * (Also enables the NV seed read/write functions in the platform layer)
 *
 * This is crucial (if not required) on systems that do not have a
 * cryptographic entropy source (in hardware or kernel) available.
 *
 * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
 *
 * \note The read/write functions that are used by the entropy source are
 *       determined in the platform layer, and can be modified at runtime and/or
 *       compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
 *
 * \note If you use the default implementation functions that read a seedfile
 *       with regular fopen(), please make sure you make a seedfile with the
 *       proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
 *       least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
 *       and written to or you will get an entropy source error! The default
 *       implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
 *       bytes from the file.
 *
 * \note The entropy collector will write to the seed file before entropy is
 *       given to an external source, to update it.
 *
 * \note In this profile MBEDTLS_NO_PLATFORM_ENTROPY is also defined, so unless
 *       a CRYPTO_HW_ACCELERATOR build adds a hardware source (see
 *       mbedtls_accelerator_config.h, included at the end of this file), the
 *       NV seed file is the only source feeding the entropy pool. The
 *       read/write functions only read back and refresh what is already
 *       stored, so the seed must be provisioned with a unique, unpredictable
 *       value per device before first use. NOTE(review): confirm where that
 *       initial provisioning happens (mbedtls_entropy_nv_seed_config.h or the
 *       CRYPTO_NV_SEED extra header below).
 */
#define MBEDTLS_ENTROPY_NV_SEED

/**
 * \def MBEDTLS_PSA_CRYPTO_SPM
 *
 * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
 * Partition Manager) integration which separates the code into two parts: a
 * NSPE (Non-Secure Processing Environment) and an SPE (Secure Processing
 * Environment).
 *
 * Module:  library/psa_crypto.c
 * Requires: MBEDTLS_PSA_CRYPTO_C
 *
 */
#define MBEDTLS_PSA_CRYPTO_SPM

/**
 * \def MBEDTLS_SHA256_SMALLER
 *
 * Enable an implementation of SHA-256 that has lower ROM footprint but also
 * lower performance.
 *
 * The default implementation is meant to be a reasonable compromise between
 * performance and size. This version optimizes more aggressively for size at
 * the expense of performance. E.g. on Cortex-M4 it reduces the size of
 * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
 * 30%.
 *
 * Uncomment to enable the smaller implementation of SHA256.
 */
#define MBEDTLS_SHA256_SMALLER

/**
 * \def MBEDTLS_PSA_CRYPTO_CONFIG
 *
 * This setting allows support for cryptographic mechanisms through the PSA
 * API to be configured separately from support through the mbedtls API.
 *
 * When this option is disabled, the PSA API exposes the cryptographic
 * mechanisms that can be implemented on top of the `mbedtls_xxx` API
 * configured with `MBEDTLS_XXX` symbols.
 *
 * When this option is enabled, the PSA API exposes the cryptographic
 * mechanisms requested by the `PSA_WANT_XXX` symbols defined in
 * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are
 * automatically enabled if required (i.e. if no PSA driver provides the
 * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols
 * in mbedtls_config.h.
 *
 * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies
 * an alternative header to include instead of include/psa/crypto_config.h.
 *
 * This feature is still experimental and is not ready for production since
 * it is not completed.
 */
#define MBEDTLS_PSA_CRYPTO_CONFIG

/* \} name SECTION: mbed TLS feature support */

/**
 * \name SECTION: mbed TLS modules
 *
 * This section enables or disables entire modules in mbed TLS
 * \{
 */

/**
 * \def MBEDTLS_AES_C
 *
 * Enable the AES block cipher.
 *
 * Module:  library/aes.c
 * Caller:  library/cipher.c
 *          library/pem.c
 *          library/ctr_drbg.c
 *
 * This module is required to support the TLS ciphersuites that use the AES
 * cipher.
 *
 * PEM_PARSE uses AES for decrypting encrypted keys.
 */
#define MBEDTLS_AES_C

/**
 * \def MBEDTLS_CIPHER_C
 *
 * Enable the generic cipher layer.
 *
 * Module:  library/cipher.c
 *
 * Uncomment to enable generic cipher wrappers.
 */
#define MBEDTLS_CIPHER_C

/**
 * \def MBEDTLS_CTR_DRBG_C
 *
 * Enable the CTR_DRBG AES-based random generator.
 * The CTR_DRBG generator uses AES-256 by default.
 * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
 * (not set in this file, so AES-256 applies).
 *
 * Module:  library/ctr_drbg.c
 * Caller:
 *
 * Requires: MBEDTLS_AES_C
 *
 * This module provides the CTR_DRBG AES random number generator.
 */
#define MBEDTLS_CTR_DRBG_C

/**
 * \def MBEDTLS_ENTROPY_C
 *
 * Enable the platform-specific entropy code.
 *
 * Module:  library/entropy.c
 * Caller:
 *
 * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
 *
 * This module provides a generic entropy pool
 *
 * \note Neither MBEDTLS_SHA512_C nor MBEDTLS_SHA256_C is defined in this
 *       file; presumably one is supplied by config_crypto.h or auto-enabled
 *       through MBEDTLS_PSA_CRYPTO_CONFIG — verify.
 */
#define MBEDTLS_ENTROPY_C

/**
 * \def MBEDTLS_ERROR_C
 *
 * Enable error code to error string conversion.
 *
 * Module:  library/error.c
 * Caller:
 *
 * This module enables mbedtls_strerror().
 */
#define MBEDTLS_ERROR_C

/**
 * \def MBEDTLS_HKDF_C
 *
 * Enable the HKDF algorithm (RFC 5869).
 *
 * Module:  library/hkdf.c
 * Caller:
 *
 * Requires: MBEDTLS_MD_C
 *
 * This module adds support for the Hashed Message Authentication Code
 * (HMAC)-based key derivation function (HKDF).
 */
#define MBEDTLS_HKDF_C /* Used for HUK (Hardware Unique Key) derivation */

/**
 * \def MBEDTLS_MD_C
 *
 * Enable the generic message digest layer.
 *
 * Module:  library/md.c
 * Caller:
 *
 * Uncomment to enable generic message digest wrappers.
 */
#define MBEDTLS_MD_C

/**
 * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
 *
 * Enable the buffer allocator implementation that makes use of a (stack)
 * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
 * calls)
 *
 * Module:  library/memory_buffer_alloc.c
 *
 * Requires: MBEDTLS_PLATFORM_C
 *           MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)
 *
 * Enable this module to enable the buffer memory allocator.
 */
#define MBEDTLS_MEMORY_BUFFER_ALLOC_C

/**
 * \def MBEDTLS_PLATFORM_C
 *
 * Enable the platform abstraction layer that allows you to re-assign
 * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
 *
 * Enabling MBEDTLS_PLATFORM_C enables the use of MBEDTLS_PLATFORM_XXX_ALT
 * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
 * above to be specified at runtime or compile time respectively.
 *
 * \note This abstraction layer must be enabled on Windows (including MSYS2)
 *       as other modules rely on it for a fixed snprintf implementation.
 *
 * Module:  library/platform.c
 * Caller:  Most other .c files
 *
 * This module enables abstraction of common (libc) functions.
 */
#define MBEDTLS_PLATFORM_C

/*
 * Platform-layer mappings for this profile. MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
 * turns off the default libc mappings, so every function the platform layer
 * needs is named explicitly below (as a _MACRO, an _ALT hook or a _STD_ value).
 */
#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
/* Header that provides calloc()/free() to the platform layer. */
#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h>

/* snprintf() is referenced directly by the macro below. */
#include <stdio.h>

#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf
/* printf() is supplied at runtime through the platform layer's set-printf hook. */
#define MBEDTLS_PLATFORM_PRINTF_ALT
/* EXIT_SUCCESS/EXIT_FAILURE presumably come from <stdlib.h> via
 * MBEDTLS_PLATFORM_STD_MEM_HDR above — confirm that platform.h includes it
 * before these are used. */
#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS  EXIT_SUCCESS
#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE  EXIT_FAILURE

/**
 * \def MBEDTLS_PSA_CRYPTO_C
 *
 * Enable the Platform Security Architecture cryptography API.
 *
 * Module:  library/psa_crypto.c
 *
 * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C
 *
 */
#define MBEDTLS_PSA_CRYPTO_C

/**
 * \def MBEDTLS_PSA_CRYPTO_STORAGE_C
 *
 * Enable the Platform Security Architecture persistent key storage.
 *
 * Module:  library/psa_crypto_storage.c
 *
 * Requires: MBEDTLS_PSA_CRYPTO_C,
 *           either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
 *           the PSA ITS interface
 *
 * \note MBEDTLS_PSA_ITS_FILE_C is not defined in this file, so a native ITS
 *       implementation is expected from the platform.
 */
#define MBEDTLS_PSA_CRYPTO_STORAGE_C

/* \} name SECTION: mbed TLS modules */

/**
 * \name SECTION: General configuration options
 *
 * This section contains Mbed TLS build settings that are not associated
 * with a particular module.
 *
 * \{
 */

/**
 * \def MBEDTLS_CONFIG_FILE
 *
 * If defined, this is a header which will be included instead of
 * `"mbedtls/mbedtls_config.h"`.
 * This header file specifies the compile-time configuration of Mbed TLS.
 * Unlike other configuration options, this one must be defined on the
 * compiler command line: a definition in `mbedtls_config.h` would have
 * no effect.
 *
 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
 * non-standard feature of the C language, so this feature is only available
 * with compilers that perform macro expansion on an <tt>\#include</tt> line.
 *
 * The value of this symbol is typically a path in double quotes, either
 * absolute or relative to a directory on the include search path.
 */
//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h"

/**
 * \def MBEDTLS_USER_CONFIG_FILE
 *
 * If defined, this is a header which will be included after
 * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE.
 * This allows you to modify the default configuration, including the ability
 * to undefine options that are enabled by default.
 *
 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
 * non-standard feature of the C language, so this feature is only available
 * with compilers that perform macro expansion on an <tt>\#include</tt> line.
 *
 * The value of this symbol is typically a path in double quotes, either
 * absolute or relative to a directory on the include search path.
 */
//#define MBEDTLS_USER_CONFIG_FILE "/dev/null"

/**
 * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE
 *
 * If defined, this is a header which will be included instead of
 * `"psa/crypto_config.h"`.
 * This header file specifies which cryptographic mechanisms are available
 * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and
 * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
 *
 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
 * non-standard feature of the C language, so this feature is only available
 * with compilers that perform macro expansion on an <tt>\#include</tt> line.
 *
 * The value of this symbol is typically a path in double quotes, either
 * absolute or relative to a directory on the include search path.
 */
//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"

/**
 * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
 *
 * If defined, this is a header which will be included after
 * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE.
 * This allows you to modify the default configuration, including the ability
 * to undefine options that are enabled by default.
 *
 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
 * non-standard feature of the C language, so this feature is only available
 * with compilers that perform macro expansion on an <tt>\#include</tt> line.
 *
 * The value of this symbol is typically a path in double quotes, either
 * absolute or relative to a directory on the include search path.
 */
//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"

/** \} name SECTION: General configuration options */

/*
 * Extra NV-seed settings. This is a plain #if, not #if defined(): an
 * undefined CRYPTO_NV_SEED evaluates to 0, so the header is only pulled in
 * when the build sets the symbol to a non-zero value.
 */
#if CRYPTO_NV_SEED
#include "tfm_mbedcrypto_config_extra_nv_seed.h"
#endif /* CRYPTO_NV_SEED */

/*
 * Software entropy path. MBEDTLS_ENTROPY_NV_SEED is defined unconditionally
 * above, so this condition reduces to !defined(CRYPTO_HW_ACCELERATOR) unless
 * the extra header just included undefines it.
 */
#if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED)
#include "mbedtls_entropy_nv_seed_config.h"
#endif

/*
 * Hardware-accelerator overrides. Included last, presumably so it can adjust
 * the options defined above.
 */
#ifdef CRYPTO_HW_ACCELERATOR
#include "mbedtls_accelerator_config.h"
#endif

#endif /* PROFILE_S_MBEDTLS_CONFIG_H */