1 /* 2 * Copyright The TrustedFirmware-M Contributors 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 * 6 */ 7 /** 8 * \file config.h 9 * 10 * \brief Configuration options (set of defines) 11 * 12 * This set of compile-time options may be used to enable 13 * or disable features selectively, and reduce the global 14 * memory footprint. 15 */ 16 17 #ifndef PROFILE_L_MBEDTLS_CONFIG_H 18 #define PROFILE_L_MBEDTLS_CONFIG_H 19 20 #include "config_tfm.h" 21 22 #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) 23 #define _CRT_SECURE_NO_DEPRECATE 1 24 #endif 25 26 /** 27 * \name SECTION: System support 28 * 29 * This section sets system specific settings. 30 * \{ 31 */ 32 33 /** 34 * \def MBEDTLS_HAVE_ASM 35 * 36 * The compiler has support for asm(). 37 * 38 * Requires support for asm() in compiler. 39 * 40 * Used in: 41 * library/aria.c 42 * library/timing.c 43 * include/mbedtls/bn_mul.h 44 * 45 * Required by: 46 * MBEDTLS_AESNI_C 47 * MBEDTLS_PADLOCK_C 48 * 49 * Comment to disable the use of assembly code. 50 */ 51 #define MBEDTLS_HAVE_ASM 52 53 /** 54 * \def MBEDTLS_PLATFORM_MEMORY 55 * 56 * Enable the memory allocation layer. 57 * 58 * By default mbed TLS uses the system-provided calloc() and free(). 59 * This allows different allocators (self-implemented or provided) to be 60 * provided to the platform abstraction layer. 61 * 62 * Enabling MBEDTLS_PLATFORM_MEMORY without the 63 * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide 64 * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and 65 * free() function pointer at runtime. 66 * 67 * Enabling MBEDTLS_PLATFORM_MEMORY and specifying 68 * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the 69 * alternate function at compile time. 70 * 71 * Requires: MBEDTLS_PLATFORM_C 72 * 73 * Enable this layer to allow use of alternative memory allocators. 74 */ 75 #define MBEDTLS_PLATFORM_MEMORY 76 77 /* \} name SECTION: System support */ 78 79 /** 80 * \name SECTION: mbed TLS feature support 81 * 82 * This section sets support for features that are or are not needed 83 * within the modules that are enabled. 84 * \{ 85 */ 86 87 /** 88 * \def MBEDTLS_AES_ROM_TABLES 89 * 90 * Use precomputed AES tables stored in ROM. 91 * 92 * Uncomment this macro to use precomputed AES tables stored in ROM. 93 * Comment this macro to generate AES tables in RAM at runtime. 94 * 95 * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb 96 * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the 97 * initialization time before the first AES operation can be performed. 98 * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c 99 * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded 100 * performance if ROM access is slower than RAM access. 101 * 102 * This option is independent of \c MBEDTLS_AES_FEWER_TABLES. 103 * 104 */ 105 #define MBEDTLS_AES_ROM_TABLES 106 107 /** 108 * \def MBEDTLS_AES_FEWER_TABLES 109 * 110 * Use less ROM/RAM for AES tables. 111 * 112 * Uncommenting this macro omits 75% of the AES tables from 113 * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES) 114 * by computing their values on the fly during operations 115 * (the tables are entry-wise rotations of one another). 116 * 117 * Tradeoff: Uncommenting this reduces the RAM / ROM footprint 118 * by ~6kb but at the cost of more arithmetic operations during 119 * runtime. Specifically, one has to compare 4 accesses within 120 * different tables to 4 accesses with additional arithmetic 121 * operations within the same table. The performance gain/loss 122 * depends on the system and memory details. 123 * 124 * This option is independent of \c MBEDTLS_AES_ROM_TABLES. 125 * 126 */ 127 #define MBEDTLS_AES_FEWER_TABLES 128 129 /** 130 * \def MBEDTLS_ECP_NIST_OPTIM 131 * 132 * Enable specific 'modulo p' routines for each NIST prime. 133 * Depending on the prime and architecture, makes operations 4 to 8 times 134 * faster on the corresponding curve. 135 * 136 * Comment this macro to disable NIST curves optimisation. 137 */ 138 #define MBEDTLS_ECP_NIST_OPTIM 139 140 /** 141 * \def MBEDTLS_PK_PARSE_EC_EXTENDED 142 * 143 * Enhance support for reading EC keys using variants of SEC1 not allowed by 144 * RFC 5915 and RFC 5480. 145 * 146 * Currently this means parsing the SpecifiedECDomain choice of EC 147 * parameters (only known groups are supported, not arbitrary domains, to 148 * avoid validation issues). 149 * 150 * Disable if you only need to support RFC 5915 + 5480 key formats. 151 */ 152 #define MBEDTLS_PK_PARSE_EC_EXTENDED 153 154 /** 155 * \def MBEDTLS_NO_PLATFORM_ENTROPY 156 * 157 * Do not use built-in platform entropy functions. 158 * This is useful if your platform does not support 159 * standards like the /dev/urandom or Windows CryptoAPI. 160 * 161 * Uncomment this macro to disable the built-in platform entropy functions. 162 */ 163 #define MBEDTLS_NO_PLATFORM_ENTROPY 164 165 /** 166 * \def MBEDTLS_ENTROPY_NV_SEED 167 * 168 * Enable the non-volatile (NV) seed file-based entropy source. 169 * (Also enables the NV seed read/write functions in the platform layer) 170 * 171 * This is crucial (if not required) on systems that do not have a 172 * cryptographic entropy source (in hardware or kernel) available. 173 * 174 * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C 175 * 176 * \note The read/write functions that are used by the entropy source are 177 * determined in the platform layer, and can be modified at runtime and/or 178 * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used. 179 * 180 * \note If you use the default implementation functions that read a seedfile 181 * with regular fopen(), please make sure you make a seedfile with the 182 * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at 183 * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from 184 * and written to or you will get an entropy source error! The default 185 * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE 186 * bytes from the file. 187 * 188 * \note The entropy collector will write to the seed file before entropy is 189 * given to an external source, to update it. 190 */ 191 #define MBEDTLS_ENTROPY_NV_SEED 192 193 /** 194 * \def MBEDTLS_PK_RSA_ALT_SUPPORT 195 * 196 * Support external private RSA keys (eg from a HSM) in the PK layer. 197 * 198 * Comment this macro to disable support for external private RSA keys. 199 */ 200 #define MBEDTLS_PK_RSA_ALT_SUPPORT 201 202 /** 203 * \def MBEDTLS_PSA_CRYPTO_CONFIG 204 * 205 * This setting allows support for cryptographic mechanisms through the PSA 206 * API to be configured separately from support through the mbedtls API. 207 * 208 * When this option is disabled, the PSA API exposes the cryptographic 209 * mechanisms that can be implemented on top of the `mbedtls_xxx` API 210 * configured with `MBEDTLS_XXX` symbols. 211 * 212 * When this option is enabled, the PSA API exposes the cryptographic 213 * mechanisms requested by the `PSA_WANT_XXX` symbols defined in 214 * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are 215 * automatically enabled if required (i.e. if no PSA driver provides the 216 * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols 217 * in mbedtls_config.h. 218 * 219 * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies 220 * an alternative header to include instead of include/psa/crypto_config.h. 221 * 222 * This feature is still experimental and is not ready for production since 223 * it is not completed. 224 */ 225 #define MBEDTLS_PSA_CRYPTO_CONFIG 226 227 /* \} name SECTION: mbed TLS feature support */ 228 229 /** 230 * \name SECTION: mbed TLS modules 231 * 232 * This section enables or disables entire modules in mbed TLS 233 * \{ 234 */ 235 236 /** 237 * \def MBEDTLS_AES_C 238 * 239 * Enable the AES block cipher. 240 * 241 * Module: library/aes.c 242 * Caller: library/cipher.c 243 * library/pem.c 244 * library/ctr_drbg.c 245 * 246 * This module is required to support the TLS ciphersuites that use the AES 247 * cipher. 248 * 249 * PEM_PARSE uses AES for decrypting encrypted keys. 250 */ 251 #define MBEDTLS_AES_C 252 253 /** 254 * \def MBEDTLS_CIPHER_C 255 * 256 * Enable the generic cipher layer. 257 * 258 * Module: library/cipher.c 259 * 260 * Uncomment to enable generic cipher wrappers. 261 */ 262 #define MBEDTLS_CIPHER_C 263 264 /** 265 * \def MBEDTLS_CTR_DRBG_C 266 * 267 * Enable the CTR_DRBG AES-based random generator. 268 * The CTR_DRBG generator uses AES-256 by default. 269 * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below. 270 * 271 * Module: library/ctr_drbg.c 272 * Caller: 273 * 274 * Requires: MBEDTLS_AES_C 275 * 276 * This module provides the CTR_DRBG AES random number generator. 277 */ 278 //#define MBEDTLS_CTR_DRBG_C 279 280 /** 281 * \def MBEDTLS_ENTROPY_C 282 * 283 * Enable the platform-specific entropy code. 284 * 285 * Module: library/entropy.c 286 * Caller: 287 * 288 * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C 289 * 290 * This module provides a generic entropy pool 291 */ 292 #define MBEDTLS_ENTROPY_C 293 294 /** 295 * \def MBEDTLS_HKDF_C 296 * 297 * Enable the HKDF algorithm (RFC 5869). 298 * 299 * Module: library/hkdf.c 300 * Caller: 301 * 302 * Requires: MBEDTLS_MD_C 303 * 304 * This module adds support for the Hashed Message Authentication Code 305 * (HMAC)-based key derivation function (HKDF). 306 */ 307 //#define MBEDTLS_HKDF_C /* Used for HUK deriviation */ 308 309 /** 310 * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C 311 * 312 * Enable the buffer allocator implementation that makes use of a (stack) 313 * based buffer to 'allocate' dynamic memory. (replaces calloc() and free() 314 * calls) 315 * 316 * Module: library/memory_buffer_alloc.c 317 * 318 * Requires: MBEDTLS_PLATFORM_C 319 * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS) 320 * 321 * Enable this module to enable the buffer memory allocator. 322 */ 323 #define MBEDTLS_MEMORY_BUFFER_ALLOC_C 324 325 /** 326 * \def MBEDTLS_PLATFORM_C 327 * 328 * Enable the platform abstraction layer that allows you to re-assign 329 * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). 330 * 331 * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT 332 * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned 333 * above to be specified at runtime or compile time respectively. 334 * 335 * \note This abstraction layer must be enabled on Windows (including MSYS2) 336 * as other module rely on it for a fixed snprintf implementation. 337 * 338 * Module: library/platform.c 339 * Caller: Most other .c files 340 * 341 * This module enables abstraction of common (libc) functions. 342 */ 343 #define MBEDTLS_PLATFORM_C 344 345 #define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS 346 #define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h> 347 348 #include <stdio.h> 349 350 #define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf 351 #define MBEDTLS_PLATFORM_PRINTF_ALT 352 #define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS 353 #define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE 354 355 /** 356 * \def MBEDTLS_PSA_CRYPTO_C 357 * 358 * Enable the Platform Security Architecture cryptography API. 359 * 360 * Module: library/psa_crypto.c 361 * 362 * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C 363 * 364 */ 365 #define MBEDTLS_PSA_CRYPTO_C 366 367 /** 368 * \def MBEDTLS_PSA_CRYPTO_STORAGE_C 369 * 370 * Enable the Platform Security Architecture persistent key storage. 371 * 372 * Module: library/psa_crypto_storage.c 373 * 374 * Requires: MBEDTLS_PSA_CRYPTO_C, 375 * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of 376 * the PSA ITS interface 377 */ 378 #define MBEDTLS_PSA_CRYPTO_STORAGE_C 379 380 /** 381 * \def MBEDTLS_PSA_CRYPTO_SPM 382 * 383 * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure 384 * Partition Manager) integration which separates the code into two parts: a 385 * NSPE (Non-Secure Process Environment) and an SPE (Secure Process 386 * Environment). 387 * 388 * If you enable this option, your build environment must include a header 389 * file `"crypto_spe.h"` (either in the `psa` subdirectory of the Mbed TLS 390 * header files, or in another directory on the compiler's include search 391 * path). Alternatively, your platform may customize the header 392 * `psa/crypto_platform.h`, in which case it can skip or replace the 393 * inclusion of `"crypto_spe.h"`. 394 * 395 * Module: library/psa_crypto.c 396 * Requires: MBEDTLS_PSA_CRYPTO_C 397 * 398 */ 399 #define MBEDTLS_PSA_CRYPTO_SPM 400 401 /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER 402 * 403 * Enable key identifiers that encode a key owner identifier. 404 * 405 * The owner of a key is identified by a value of type ::mbedtls_key_owner_id_t 406 * which is currently hard-coded to be int32_t. 407 * 408 * Note that this option is meant for internal use only and may be removed 409 * without notice. 410 */ 411 #define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER 412 413 /** \def MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS 414 * 415 * Enable support for platform built-in keys. If you enable this feature, 416 * you must implement the function mbedtls_psa_platform_get_builtin_key(). 417 * See the documentation of that function for more information. 418 * 419 * Built-in keys are typically derived from a hardware unique key or 420 * stored in a secure element. 421 * 422 * Requires: MBEDTLS_PSA_CRYPTO_C. 423 * 424 * \warning This interface is experimental and may change or be removed 425 * without notice. 426 */ 427 #define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS 428 429 /* \} name SECTION: mbed TLS modules */ 430 431 /** 432 * \name SECTION: General configuration options 433 * 434 * This section contains Mbed TLS build settings that are not associated 435 * with a particular module. 436 * 437 * \{ 438 */ 439 440 /** 441 * \def MBEDTLS_CONFIG_FILE 442 * 443 * If defined, this is a header which will be included instead of 444 * `"mbedtls/mbedtls_config.h"`. 445 * This header file specifies the compile-time configuration of Mbed TLS. 446 * Unlike other configuration options, this one must be defined on the 447 * compiler command line: a definition in `mbedtls_config.h` would have 448 * no effect. 449 * 450 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 451 * non-standard feature of the C language, so this feature is only available 452 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 453 * 454 * The value of this symbol is typically a path in double quotes, either 455 * absolute or relative to a directory on the include search path. 456 */ 457 //#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" 458 459 /** 460 * \def MBEDTLS_USER_CONFIG_FILE 461 * 462 * If defined, this is a header which will be included after 463 * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE. 464 * This allows you to modify the default configuration, including the ability 465 * to undefine options that are enabled by default. 466 * 467 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 468 * non-standard feature of the C language, so this feature is only available 469 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 470 * 471 * The value of this symbol is typically a path in double quotes, either 472 * absolute or relative to a directory on the include search path. 473 */ 474 //#define MBEDTLS_USER_CONFIG_FILE "/dev/null" 475 476 /** 477 * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE 478 * 479 * If defined, this is a header which will be included instead of 480 * `"psa/crypto_config.h"`. 481 * This header file specifies which cryptographic mechanisms are available 482 * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and 483 * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled. 484 * 485 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 486 * non-standard feature of the C language, so this feature is only available 487 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 488 * 489 * The value of this symbol is typically a path in double quotes, either 490 * absolute or relative to a directory on the include search path. 491 */ 492 //#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h" 493 494 /** 495 * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE 496 * 497 * If defined, this is a header which will be included after 498 * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE. 499 * This allows you to modify the default configuration, including the ability 500 * to undefine options that are enabled by default. 501 * 502 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 503 * non-standard feature of the C language, so this feature is only available 504 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 505 * 506 * The value of this symbol is typically a path in double quotes, either 507 * absolute or relative to a directory on the include search path. 508 */ 509 //#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" 510 511 /** \} name SECTION: General configuration options */ 512 513 /** 514 * \name SECTION: Module configuration options 515 * 516 * This section allows for the setting of module specific sizes and 517 * configuration options. The default values are already present in the 518 * relevant header files and should suffice for the regular use cases. 519 * 520 * Our advice is to enable options and change their values here 521 * only if you have a good reason and know the consequences. 522 * 523 * Please check the respective header file for documentation on these 524 * parameters (to prevent duplicate documentation). 525 * \{ 526 */ 527 528 /* ECP options */ 529 #define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */ 530 531 /* \} name SECTION: Customisation configuration options */ 532 533 #if CRYPTO_NV_SEED 534 #include "tfm_mbedcrypto_config_extra_nv_seed.h" 535 #endif /* CRYPTO_NV_SEED */ 536 537 #if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED) 538 #include "mbedtls_entropy_nv_seed_config.h" 539 #endif 540 541 #ifdef CRYPTO_HW_ACCELERATOR 542 #include "mbedtls_accelerator_config.h" 543 #endif 544 545 #endif /* PROFILE_L_MBEDTLS_CONFIG_H */ 546
