1 /* 2 * Copyright The TrustedFirmware-M Contributors 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 * 6 */ 7 /** 8 * \file config.h 9 * 10 * \brief Configuration options (set of defines) 11 * 12 * This set of compile-time options may be used to enable 13 * or disable features selectively, and reduce the global 14 * memory footprint. 15 */ 16 17 #ifndef MBEDTLS_CONFIG_H 18 #define MBEDTLS_CONFIG_H 19 20 #include "config_tfm.h" 21 22 #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) 23 #define _CRT_SECURE_NO_DEPRECATE 1 24 #endif 25 26 /** 27 * \name SECTION: System support 28 * 29 * This section sets system specific settings. 30 * \{ 31 */ 32 33 /** 34 * \def MBEDTLS_HAVE_ASM 35 * 36 * The compiler has support for asm(). 37 * 38 * Requires support for asm() in compiler. 39 * 40 * Used in: 41 * library/aria.c 42 * library/timing.c 43 * include/mbedtls/bn_mul.h 44 * 45 * Required by: 46 * MBEDTLS_AESNI_C 47 * MBEDTLS_PADLOCK_C 48 * 49 * Comment to disable the use of assembly code. 50 */ 51 52 /* Due to an outstanding bug with mbedtls and arm compiler 6, this feature is 53 * disabled temporarily on cortex-m0 and m0-plus. 54 * https://github.com/ARMmbed/mbedtls/issues/1077 55 */ 56 #define MBEDTLS_HAVE_ASM 57 58 /** 59 * \def MBEDTLS_HAVE_TIME 60 * 61 * System has time.h and time(). 62 * The time does not need to be correct, only time differences are used, 63 * by contrast with MBEDTLS_HAVE_TIME_DATE 64 * 65 * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT, 66 * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and 67 * MBEDTLS_PLATFORM_STD_TIME. 68 * 69 * Comment if your system does not support time functions 70 */ 71 //#define MBEDTLS_HAVE_TIME 72 73 /** 74 * \def MBEDTLS_HAVE_TIME_DATE 75 * 76 * System has time.h, time(), and an implementation for 77 * mbedtls_platform_gmtime_r() (see below). 78 * The time needs to be correct (not necessarily very accurate, but at least 79 * the date should be correct). This is used to verify the validity period of 80 * X.509 certificates. 81 * 82 * Comment if your system does not have a correct clock. 83 * 84 * \note mbedtls_platform_gmtime_r() is an abstraction in platform_util.h that 85 * behaves similarly to the gmtime_r() function from the C standard. Refer to 86 * the documentation for mbedtls_platform_gmtime_r() for more information. 87 * 88 * \note It is possible to configure an implementation for 89 * mbedtls_platform_gmtime_r() at compile-time by using the macro 90 * MBEDTLS_PLATFORM_GMTIME_R_ALT. 91 */ 92 //#define MBEDTLS_HAVE_TIME_DATE 93 94 /** 95 * \def MBEDTLS_PLATFORM_MEMORY 96 * 97 * Enable the memory allocation layer. 98 * 99 * By default mbed TLS uses the system-provided calloc() and free(). 100 * This allows different allocators (self-implemented or provided) to be 101 * provided to the platform abstraction layer. 102 * 103 * Enabling MBEDTLS_PLATFORM_MEMORY without the 104 * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide 105 * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and 106 * free() function pointer at runtime. 107 * 108 * Enabling MBEDTLS_PLATFORM_MEMORY and specifying 109 * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the 110 * alternate function at compile time. 111 * 112 * Requires: MBEDTLS_PLATFORM_C 113 * 114 * Enable this layer to allow use of alternative memory allocators. 115 */ 116 #define MBEDTLS_PLATFORM_MEMORY 117 118 /* \} name SECTION: System support */ 119 120 /** 121 * \name SECTION: mbed TLS feature support 122 * 123 * This section sets support for features that are or are not needed 124 * within the modules that are enabled. 125 * \{ 126 */ 127 128 /** 129 * \def MBEDTLS_ECP_NIST_OPTIM 130 * 131 * Enable specific 'modulo p' routines for each NIST prime. 132 * Depending on the prime and architecture, makes operations 4 to 8 times 133 * faster on the corresponding curve. 134 * 135 * Comment this macro to disable NIST curves optimisation. 136 */ 137 #define MBEDTLS_ECP_NIST_OPTIM 138 139 /** 140 * \def MBEDTLS_PK_PARSE_EC_EXTENDED 141 * 142 * Enhance support for reading EC keys using variants of SEC1 not allowed by 143 * RFC 5915 and RFC 5480. 144 * 145 * Currently this means parsing the SpecifiedECDomain choice of EC 146 * parameters (only known groups are supported, not arbitrary domains, to 147 * avoid validation issues). 148 * 149 * Disable if you only need to support RFC 5915 + 5480 key formats. 150 */ 151 #define MBEDTLS_PK_PARSE_EC_EXTENDED 152 153 /** 154 * \def MBEDTLS_NO_PLATFORM_ENTROPY 155 * 156 * Do not use built-in platform entropy functions. 157 * This is useful if your platform does not support 158 * standards like the /dev/urandom or Windows CryptoAPI. 159 * 160 * Uncomment this macro to disable the built-in platform entropy functions. 161 */ 162 #define MBEDTLS_NO_PLATFORM_ENTROPY 163 164 /** 165 * \def MBEDTLS_ENTROPY_NV_SEED 166 * 167 * Enable the non-volatile (NV) seed file-based entropy source. 168 * (Also enables the NV seed read/write functions in the platform layer) 169 * 170 * This is crucial (if not required) on systems that do not have a 171 * cryptographic entropy source (in hardware or kernel) available. 172 * 173 * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C 174 * 175 * \note The read/write functions that are used by the entropy source are 176 * determined in the platform layer, and can be modified at runtime and/or 177 * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used. 178 * 179 * \note If you use the default implementation functions that read a seedfile 180 * with regular fopen(), please make sure you make a seedfile with the 181 * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at 182 * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from 183 * and written to or you will get an entropy source error! The default 184 * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE 185 * bytes from the file. 186 * 187 * \note The entropy collector will write to the seed file before entropy is 188 * given to an external source, to update it. 189 */ 190 //#define MBEDTLS_ENTROPY_NV_SEED 191 192 /** 193 * \def MBEDTLS_PK_RSA_ALT_SUPPORT 194 * 195 * Support external private RSA keys (eg from a HSM) in the PK layer. 196 * 197 * Comment this macro to disable support for external private RSA keys. 198 */ 199 #define MBEDTLS_PK_RSA_ALT_SUPPORT 200 201 /** \def MBEDTLS_PSA_CRYPTO_CLIENT 202 * 203 * Enable support for PSA crypto client. 204 * 205 * \note This option allows to include the code necessary for a PSA 206 * crypto client when the PSA crypto implementation is not included in 207 * the library (MBEDTLS_PSA_CRYPTO_C disabled). The code included is the 208 * code to set and get PSA key attributes. 209 * The development of PSA drivers partially relying on the library to 210 * fulfill the hardware gaps is another possible usage of this option. 211 * 212 * \warning This interface is experimental and may change or be removed 213 * without notice. 214 */ 215 #define MBEDTLS_PSA_CRYPTO_CLIENT 216 217 /** 218 * \def MBEDTLS_PSA_CRYPTO_CONFIG 219 * 220 * This setting allows support for cryptographic mechanisms through the PSA 221 * API to be configured separately from support through the mbedtls API. 222 * 223 * When this option is disabled, the PSA API exposes the cryptographic 224 * mechanisms that can be implemented on top of the `mbedtls_xxx` API 225 * configured with `MBEDTLS_XXX` symbols. 226 * 227 * When this option is enabled, the PSA API exposes the cryptographic 228 * mechanisms requested by the `PSA_WANT_XXX` symbols defined in 229 * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are 230 * automatically enabled if required (i.e. if no PSA driver provides the 231 * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols 232 * in mbedtls_config.h. 233 * 234 * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies 235 * an alternative header to include instead of include/psa/crypto_config.h. 236 * 237 * This feature is still experimental and is not ready for production since 238 * it is not completed. 239 */ 240 #define MBEDTLS_PSA_CRYPTO_CONFIG 241 242 /* \} name SECTION: mbed TLS feature support */ 243 244 /** 245 * \name SECTION: mbed TLS modules 246 * 247 * This section enables or disables entire modules in mbed TLS 248 * \{ 249 */ 250 251 /** 252 * \def MBEDTLS_AES_C 253 * 254 * Enable the AES block cipher. 255 * 256 * Module: library/aes.c 257 * Caller: library/cipher.c 258 * library/pem.c 259 * library/ctr_drbg.c 260 * 261 * This module is required to support the TLS ciphersuites that use the AES 262 * cipher. 263 * 264 * PEM_PARSE uses AES for decrypting encrypted keys. 265 */ 266 #define MBEDTLS_AES_C 267 268 /** 269 * \def MBEDTLS_CIPHER_C 270 * 271 * Enable the generic cipher layer. 272 * 273 * Module: library/cipher.c 274 * 275 * Uncomment to enable generic cipher wrappers. 276 */ 277 #define MBEDTLS_CIPHER_C 278 279 /** 280 * \def MBEDTLS_CTR_DRBG_C 281 * 282 * Enable the CTR_DRBG AES-based random generator. 283 * The CTR_DRBG generator uses AES-256 by default. 284 * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below. 285 * 286 * Module: library/ctr_drbg.c 287 * Caller: 288 * 289 * Requires: MBEDTLS_AES_C 290 * 291 * This module provides the CTR_DRBG AES random number generator. 292 */ 293 //#define MBEDTLS_CTR_DRBG_C 294 295 /** 296 * \def MBEDTLS_ENTROPY_C 297 * 298 * Enable the platform-specific entropy code. 299 * 300 * Module: library/entropy.c 301 * Caller: 302 * 303 * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C 304 * 305 * This module provides a generic entropy pool 306 */ 307 //#define MBEDTLS_ENTROPY_C 308 309 /** 310 * \def MBEDTLS_HKDF_C 311 * 312 * Enable the HKDF algorithm (RFC 5869). 313 * 314 * Module: library/hkdf.c 315 * Caller: 316 * 317 * Requires: MBEDTLS_MD_C 318 * 319 * This module adds support for the Hashed Message Authentication Code 320 * (HMAC)-based key derivation function (HKDF). 321 */ 322 //#define MBEDTLS_HKDF_C /* Used for HUK deriviation */ 323 324 /** 325 * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C 326 * 327 * Enable the buffer allocator implementation that makes use of a (stack) 328 * based buffer to 'allocate' dynamic memory. (replaces calloc() and free() 329 * calls) 330 * 331 * Module: library/memory_buffer_alloc.c 332 * 333 * Requires: MBEDTLS_PLATFORM_C 334 * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS) 335 * 336 * Enable this module to enable the buffer memory allocator. 337 */ 338 #define MBEDTLS_MEMORY_BUFFER_ALLOC_C 339 340 /** 341 * \def MBEDTLS_PLATFORM_C 342 * 343 * Enable the platform abstraction layer that allows you to re-assign 344 * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). 345 * 346 * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT 347 * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned 348 * above to be specified at runtime or compile time respectively. 349 * 350 * \note This abstraction layer must be enabled on Windows (including MSYS2) 351 * as other module rely on it for a fixed snprintf implementation. 352 * 353 * Module: library/platform.c 354 * Caller: Most other .c files 355 * 356 * This module enables abstraction of common (libc) functions. 357 */ 358 #define MBEDTLS_PLATFORM_C 359 360 #define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS 361 #define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h> 362 363 #include <stdio.h> 364 365 #define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf 366 #define MBEDTLS_PLATFORM_PRINTF_ALT 367 #define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS 368 #define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE 369 370 /** 371 * \def MBEDTLS_PSA_CRYPTO_C 372 * 373 * Enable the Platform Security Architecture cryptography API. 374 * 375 * Module: library/psa_crypto.c 376 * 377 * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C 378 * 379 */ 380 //#define MBEDTLS_PSA_CRYPTO_C 381 382 /** 383 * \def MBEDTLS_PSA_CRYPTO_STORAGE_C 384 * 385 * Enable the Platform Security Architecture persistent key storage. 386 * 387 * Module: library/psa_crypto_storage.c 388 * 389 * Requires: MBEDTLS_PSA_CRYPTO_C, 390 * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of 391 * the PSA ITS interface 392 */ 393 //#define MBEDTLS_PSA_CRYPTO_STORAGE_C 394 395 /* \} name SECTION: mbed TLS modules */ 396 397 /** 398 * \name SECTION: General configuration options 399 * 400 * This section contains Mbed TLS build settings that are not associated 401 * with a particular module. 402 * 403 * \{ 404 */ 405 406 /** 407 * \def MBEDTLS_CONFIG_FILE 408 * 409 * If defined, this is a header which will be included instead of 410 * `"mbedtls/mbedtls_config.h"`. 411 * This header file specifies the compile-time configuration of Mbed TLS. 412 * Unlike other configuration options, this one must be defined on the 413 * compiler command line: a definition in `mbedtls_config.h` would have 414 * no effect. 415 * 416 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 417 * non-standard feature of the C language, so this feature is only available 418 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 419 * 420 * The value of this symbol is typically a path in double quotes, either 421 * absolute or relative to a directory on the include search path. 422 */ 423 //#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" 424 425 /** 426 * \def MBEDTLS_USER_CONFIG_FILE 427 * 428 * If defined, this is a header which will be included after 429 * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE. 430 * This allows you to modify the default configuration, including the ability 431 * to undefine options that are enabled by default. 432 * 433 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 434 * non-standard feature of the C language, so this feature is only available 435 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 436 * 437 * The value of this symbol is typically a path in double quotes, either 438 * absolute or relative to a directory on the include search path. 439 */ 440 //#define MBEDTLS_USER_CONFIG_FILE "/dev/null" 441 442 /** 443 * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE 444 * 445 * If defined, this is a header which will be included instead of 446 * `"psa/crypto_config.h"`. 447 * This header file specifies which cryptographic mechanisms are available 448 * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and 449 * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled. 450 * 451 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 452 * non-standard feature of the C language, so this feature is only available 453 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 454 * 455 * The value of this symbol is typically a path in double quotes, either 456 * absolute or relative to a directory on the include search path. 457 */ 458 //#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h" 459 460 /** 461 * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE 462 * 463 * If defined, this is a header which will be included after 464 * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE. 465 * This allows you to modify the default configuration, including the ability 466 * to undefine options that are enabled by default. 467 * 468 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 469 * non-standard feature of the C language, so this feature is only available 470 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 471 * 472 * The value of this symbol is typically a path in double quotes, either 473 * absolute or relative to a directory on the include search path. 474 */ 475 //#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" 476 477 /** \} name SECTION: General configuration options */ 478 479 /** 480 * \name SECTION: Module configuration options 481 * 482 * This section allows for the setting of module specific sizes and 483 * configuration options. The default values are already present in the 484 * relevant header files and should suffice for the regular use cases. 485 * 486 * Our advice is to enable options and change their values here 487 * only if you have a good reason and know the consequences. 488 * 489 * Please check the respective header file for documentation on these 490 * parameters (to prevent duplicate documentation). 491 * \{ 492 */ 493 494 /* ECP options */ 495 #define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */ 496 497 /* \} name SECTION: Customisation configuration options */ 498 499 #endif /* MBEDTLS_CONFIG_H */ 500
