1 /* 2 * Copyright The TrustedFirmware-M Contributors 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 * 6 */ 7 /** 8 * \file config.h 9 * 10 * \brief Configuration options (set of defines) 11 * 12 * This set of compile-time options may be used to enable 13 * or disable features selectively, and reduce the global 14 * memory footprint. 15 */ 16 17 #ifndef MBEDTLS_CONFIG_H 18 #define MBEDTLS_CONFIG_H 19 20 #include "config_tfm.h" 21 22 #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) 23 #define _CRT_SECURE_NO_DEPRECATE 1 24 #endif 25 26 /** 27 * \name SECTION: System support 28 * 29 * This section sets system specific settings. 30 * \{ 31 */ 32 33 /** 34 * \def MBEDTLS_HAVE_ASM 35 * 36 * The compiler has support for asm(). 37 * 38 * Requires support for asm() in compiler. 39 * 40 * Used in: 41 * library/aria.c 42 * library/timing.c 43 * include/mbedtls/bn_mul.h 44 * 45 * Required by: 46 * MBEDTLS_AESNI_C 47 * MBEDTLS_PADLOCK_C 48 * 49 * Comment to disable the use of assembly code. 50 */ 51 52 /* Due to an outstanding bug with mbedtls and arm compiler 6, this feature is 53 * disabled temporarily on cortex-m0 and m0-plus. 54 * https://github.com/ARMmbed/mbedtls/issues/1077 55 */ 56 #define MBEDTLS_HAVE_ASM 57 58 /** 59 * \def MBEDTLS_HAVE_TIME 60 * 61 * System has time.h and time(). 62 * The time does not need to be correct, only time differences are used, 63 * by contrast with MBEDTLS_HAVE_TIME_DATE 64 * 65 * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT, 66 * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and 67 * MBEDTLS_PLATFORM_STD_TIME. 68 * 69 * Comment if your system does not support time functions 70 */ 71 //#define MBEDTLS_HAVE_TIME 72 73 /** 74 * \def MBEDTLS_HAVE_TIME_DATE 75 * 76 * System has time.h, time(), and an implementation for 77 * mbedtls_platform_gmtime_r() (see below). 78 * The time needs to be correct (not necessarily very accurate, but at least 79 * the date should be correct). This is used to verify the validity period of 80 * X.509 certificates. 81 * 82 * Comment if your system does not have a correct clock. 83 * 84 * \note mbedtls_platform_gmtime_r() is an abstraction in platform_util.h that 85 * behaves similarly to the gmtime_r() function from the C standard. Refer to 86 * the documentation for mbedtls_platform_gmtime_r() for more information. 87 * 88 * \note It is possible to configure an implementation for 89 * mbedtls_platform_gmtime_r() at compile-time by using the macro 90 * MBEDTLS_PLATFORM_GMTIME_R_ALT. 91 */ 92 //#define MBEDTLS_HAVE_TIME_DATE 93 94 /** 95 * \def MBEDTLS_PLATFORM_MEMORY 96 * 97 * Enable the memory allocation layer. 98 * 99 * By default mbed TLS uses the system-provided calloc() and free(). 100 * This allows different allocators (self-implemented or provided) to be 101 * provided to the platform abstraction layer. 102 * 103 * Enabling MBEDTLS_PLATFORM_MEMORY without the 104 * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide 105 * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and 106 * free() function pointer at runtime. 107 * 108 * Enabling MBEDTLS_PLATFORM_MEMORY and specifying 109 * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the 110 * alternate function at compile time. 111 * 112 * Requires: MBEDTLS_PLATFORM_C 113 * 114 * Enable this layer to allow use of alternative memory allocators. 115 */ 116 #define MBEDTLS_PLATFORM_MEMORY 117 118 /* \} name SECTION: System support */ 119 120 /** 121 * \name SECTION: mbed TLS feature support 122 * 123 * This section sets support for features that are or are not needed 124 * within the modules that are enabled. 125 * \{ 126 */ 127 128 /** 129 * \def MBEDTLS_ECP_NIST_OPTIM 130 * 131 * Enable specific 'modulo p' routines for each NIST prime. 132 * Depending on the prime and architecture, makes operations 4 to 8 times 133 * faster on the corresponding curve. 134 * 135 * Comment this macro to disable NIST curves optimisation. 136 */ 137 #define MBEDTLS_ECP_NIST_OPTIM 138 139 /** 140 * \def MBEDTLS_NO_PLATFORM_ENTROPY 141 * 142 * Do not use built-in platform entropy functions. 143 * This is useful if your platform does not support 144 * standards like the /dev/urandom or Windows CryptoAPI. 145 * 146 * Uncomment this macro to disable the built-in platform entropy functions. 147 */ 148 #define MBEDTLS_NO_PLATFORM_ENTROPY 149 150 /** 151 * \def MBEDTLS_ENTROPY_NV_SEED 152 * 153 * Enable the non-volatile (NV) seed file-based entropy source. 154 * (Also enables the NV seed read/write functions in the platform layer) 155 * 156 * This is crucial (if not required) on systems that do not have a 157 * cryptographic entropy source (in hardware or kernel) available. 158 * 159 * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C 160 * 161 * \note The read/write functions that are used by the entropy source are 162 * determined in the platform layer, and can be modified at runtime and/or 163 * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used. 164 * 165 * \note If you use the default implementation functions that read a seedfile 166 * with regular fopen(), please make sure you make a seedfile with the 167 * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at 168 * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from 169 * and written to or you will get an entropy source error! The default 170 * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE 171 * bytes from the file. 172 * 173 * \note The entropy collector will write to the seed file before entropy is 174 * given to an external source, to update it. 175 */ 176 //#define MBEDTLS_ENTROPY_NV_SEED 177 178 /** 179 * \def MBEDTLS_PK_RSA_ALT_SUPPORT 180 * 181 * Support external private RSA keys (eg from a HSM) in the PK layer. 182 * 183 * Comment this macro to disable support for external private RSA keys. 184 */ 185 #define MBEDTLS_PK_RSA_ALT_SUPPORT 186 187 /** \def MBEDTLS_PSA_CRYPTO_CLIENT 188 * 189 * Enable support for PSA crypto client. 190 * 191 * \note This option allows to include the code necessary for a PSA 192 * crypto client when the PSA crypto implementation is not included in 193 * the library (MBEDTLS_PSA_CRYPTO_C disabled). The code included is the 194 * code to set and get PSA key attributes. 195 * The development of PSA drivers partially relying on the library to 196 * fulfill the hardware gaps is another possible usage of this option. 197 * 198 * \warning This interface is experimental and may change or be removed 199 * without notice. 200 */ 201 #define MBEDTLS_PSA_CRYPTO_CLIENT 202 203 /** 204 * \def MBEDTLS_PSA_CRYPTO_CONFIG 205 * 206 * This setting allows support for cryptographic mechanisms through the PSA 207 * API to be configured separately from support through the mbedtls API. 208 * 209 * When this option is disabled, the PSA API exposes the cryptographic 210 * mechanisms that can be implemented on top of the `mbedtls_xxx` API 211 * configured with `MBEDTLS_XXX` symbols. 212 * 213 * When this option is enabled, the PSA API exposes the cryptographic 214 * mechanisms requested by the `PSA_WANT_XXX` symbols defined in 215 * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are 216 * automatically enabled if required (i.e. if no PSA driver provides the 217 * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols 218 * in mbedtls_config.h. 219 * 220 * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies 221 * an alternative header to include instead of include/psa/crypto_config.h. 222 * 223 * This feature is still experimental and is not ready for production since 224 * it is not completed. 225 */ 226 #define MBEDTLS_PSA_CRYPTO_CONFIG 227 228 /* \} name SECTION: mbed TLS feature support */ 229 230 /** 231 * \name SECTION: mbed TLS modules 232 * 233 * This section enables or disables entire modules in mbed TLS 234 * \{ 235 */ 236 237 /** 238 * \def MBEDTLS_AES_C 239 * 240 * Enable the AES block cipher. 241 * 242 * Module: library/aes.c 243 * Caller: library/cipher.c 244 * library/pem.c 245 * library/ctr_drbg.c 246 * 247 * This module is required to support the TLS ciphersuites that use the AES 248 * cipher. 249 * 250 * PEM_PARSE uses AES for decrypting encrypted keys. 251 */ 252 #define MBEDTLS_AES_C 253 254 /** 255 * \def MBEDTLS_CIPHER_C 256 * 257 * Enable the generic cipher layer. 258 * 259 * Module: library/cipher.c 260 * 261 * Uncomment to enable generic cipher wrappers. 262 */ 263 #define MBEDTLS_CIPHER_C 264 265 /** 266 * \def MBEDTLS_CTR_DRBG_C 267 * 268 * Enable the CTR_DRBG AES-based random generator. 269 * The CTR_DRBG generator uses AES-256 by default. 270 * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below. 271 * 272 * Module: library/ctr_drbg.c 273 * Caller: 274 * 275 * Requires: MBEDTLS_AES_C 276 * 277 * This module provides the CTR_DRBG AES random number generator. 278 */ 279 //#define MBEDTLS_CTR_DRBG_C 280 281 /** 282 * \def MBEDTLS_ENTROPY_C 283 * 284 * Enable the platform-specific entropy code. 285 * 286 * Module: library/entropy.c 287 * Caller: 288 * 289 * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C 290 * 291 * This module provides a generic entropy pool 292 */ 293 //#define MBEDTLS_ENTROPY_C 294 295 /** 296 * \def MBEDTLS_HKDF_C 297 * 298 * Enable the HKDF algorithm (RFC 5869). 299 * 300 * Module: library/hkdf.c 301 * Caller: 302 * 303 * Requires: MBEDTLS_MD_C 304 * 305 * This module adds support for the Hashed Message Authentication Code 306 * (HMAC)-based key derivation function (HKDF). 307 */ 308 //#define MBEDTLS_HKDF_C /* Used for HUK deriviation */ 309 310 /** 311 * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C 312 * 313 * Enable the buffer allocator implementation that makes use of a (stack) 314 * based buffer to 'allocate' dynamic memory. (replaces calloc() and free() 315 * calls) 316 * 317 * Module: library/memory_buffer_alloc.c 318 * 319 * Requires: MBEDTLS_PLATFORM_C 320 * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS) 321 * 322 * Enable this module to enable the buffer memory allocator. 323 */ 324 #define MBEDTLS_MEMORY_BUFFER_ALLOC_C 325 326 /** 327 * \def MBEDTLS_PLATFORM_C 328 * 329 * Enable the platform abstraction layer that allows you to re-assign 330 * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). 331 * 332 * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT 333 * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned 334 * above to be specified at runtime or compile time respectively. 335 * 336 * \note This abstraction layer must be enabled on Windows (including MSYS2) 337 * as other module rely on it for a fixed snprintf implementation. 338 * 339 * Module: library/platform.c 340 * Caller: Most other .c files 341 * 342 * This module enables abstraction of common (libc) functions. 343 */ 344 #define MBEDTLS_PLATFORM_C 345 346 #define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS 347 #define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h> 348 349 #include <stdio.h> 350 351 #define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf 352 #define MBEDTLS_PLATFORM_PRINTF_ALT 353 #define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS 354 #define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE 355 356 /** 357 * \def MBEDTLS_PSA_CRYPTO_C 358 * 359 * Enable the Platform Security Architecture cryptography API. 360 * 361 * Module: library/psa_crypto.c 362 * 363 * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C 364 * 365 */ 366 //#define MBEDTLS_PSA_CRYPTO_C 367 368 /** 369 * \def MBEDTLS_PSA_CRYPTO_STORAGE_C 370 * 371 * Enable the Platform Security Architecture persistent key storage. 372 * 373 * Module: library/psa_crypto_storage.c 374 * 375 * Requires: MBEDTLS_PSA_CRYPTO_C, 376 * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of 377 * the PSA ITS interface 378 */ 379 //#define MBEDTLS_PSA_CRYPTO_STORAGE_C 380 381 /* \} name SECTION: mbed TLS modules */ 382 383 /** 384 * \name SECTION: General configuration options 385 * 386 * This section contains Mbed TLS build settings that are not associated 387 * with a particular module. 388 * 389 * \{ 390 */ 391 392 /** 393 * \def MBEDTLS_CONFIG_FILE 394 * 395 * If defined, this is a header which will be included instead of 396 * `"mbedtls/mbedtls_config.h"`. 397 * This header file specifies the compile-time configuration of Mbed TLS. 398 * Unlike other configuration options, this one must be defined on the 399 * compiler command line: a definition in `mbedtls_config.h` would have 400 * no effect. 401 * 402 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 403 * non-standard feature of the C language, so this feature is only available 404 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 405 * 406 * The value of this symbol is typically a path in double quotes, either 407 * absolute or relative to a directory on the include search path. 408 */ 409 //#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" 410 411 /** 412 * \def MBEDTLS_USER_CONFIG_FILE 413 * 414 * If defined, this is a header which will be included after 415 * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE. 416 * This allows you to modify the default configuration, including the ability 417 * to undefine options that are enabled by default. 418 * 419 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 420 * non-standard feature of the C language, so this feature is only available 421 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 422 * 423 * The value of this symbol is typically a path in double quotes, either 424 * absolute or relative to a directory on the include search path. 425 */ 426 //#define MBEDTLS_USER_CONFIG_FILE "/dev/null" 427 428 /** 429 * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE 430 * 431 * If defined, this is a header which will be included instead of 432 * `"psa/crypto_config.h"`. 433 * This header file specifies which cryptographic mechanisms are available 434 * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and 435 * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled. 436 * 437 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 438 * non-standard feature of the C language, so this feature is only available 439 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 440 * 441 * The value of this symbol is typically a path in double quotes, either 442 * absolute or relative to a directory on the include search path. 443 */ 444 //#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h" 445 446 /** 447 * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE 448 * 449 * If defined, this is a header which will be included after 450 * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE. 451 * This allows you to modify the default configuration, including the ability 452 * to undefine options that are enabled by default. 453 * 454 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 455 * non-standard feature of the C language, so this feature is only available 456 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 457 * 458 * The value of this symbol is typically a path in double quotes, either 459 * absolute or relative to a directory on the include search path. 460 */ 461 //#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" 462 463 /** \} name SECTION: General configuration options */ 464 465 /** 466 * \name SECTION: Module configuration options 467 * 468 * This section allows for the setting of module specific sizes and 469 * configuration options. The default values are already present in the 470 * relevant header files and should suffice for the regular use cases. 471 * 472 * Our advice is to enable options and change their values here 473 * only if you have a good reason and know the consequences. 474 * 475 * Please check the respective header file for documentation on these 476 * parameters (to prevent duplicate documentation). 477 * \{ 478 */ 479 480 /* ECP options */ 481 #define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */ 482 483 /* \} name SECTION: Customisation configuration options */ 484 485 #endif /* MBEDTLS_CONFIG_H */ 486
