1 /* 2 * Copyright The TrustedFirmware-M Contributors 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 * 6 */ 7 /** 8 * \file config.h 9 * 10 * \brief Configuration options (set of defines) 11 * 12 * This set of compile-time options may be used to enable 13 * or disable features selectively, and reduce the global 14 * memory footprint. 15 */ 16 17 #ifndef PROFILE_S_MBEDTLS_CONFIG_H 18 #define PROFILE_S_MBEDTLS_CONFIG_H 19 20 #include "config_tfm.h" 21 22 #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) 23 #define _CRT_SECURE_NO_DEPRECATE 1 24 #endif 25 26 /** 27 * \name SECTION: System support 28 * 29 * This section sets system specific settings. 30 * \{ 31 */ 32 33 /** 34 * \def MBEDTLS_HAVE_ASM 35 * 36 * The compiler has support for asm(). 37 * 38 * Requires support for asm() in compiler. 39 * 40 * Used in: 41 * library/aria.c 42 * library/timing.c 43 * include/mbedtls/bn_mul.h 44 * 45 * Required by: 46 * MBEDTLS_AESNI_C 47 * MBEDTLS_PADLOCK_C 48 * 49 * Comment to disable the use of assembly code. 50 */ 51 #define MBEDTLS_HAVE_ASM 52 53 /** 54 * \def MBEDTLS_PLATFORM_MEMORY 55 * 56 * Enable the memory allocation layer. 57 * 58 * By default mbed TLS uses the system-provided calloc() and free(). 59 * This allows different allocators (self-implemented or provided) to be 60 * provided to the platform abstraction layer. 61 * 62 * Enabling MBEDTLS_PLATFORM_MEMORY without the 63 * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide 64 * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and 65 * free() function pointer at runtime. 66 * 67 * Enabling MBEDTLS_PLATFORM_MEMORY and specifying 68 * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the 69 * alternate function at compile time. 70 * 71 * Requires: MBEDTLS_PLATFORM_C 72 * 73 * Enable this layer to allow use of alternative memory allocators. 74 */ 75 #define MBEDTLS_PLATFORM_MEMORY 76 77 /* \} name SECTION: System support */ 78 79 /** 80 * \name SECTION: mbed TLS feature support 81 * 82 * This section sets support for features that are or are not needed 83 * within the modules that are enabled. 84 * \{ 85 */ 86 87 /** 88 * \def MBEDTLS_AES_ROM_TABLES 89 * 90 * Use precomputed AES tables stored in ROM. 91 * 92 * Uncomment this macro to use precomputed AES tables stored in ROM. 93 * Comment this macro to generate AES tables in RAM at runtime. 94 * 95 * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb 96 * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the 97 * initialization time before the first AES operation can be performed. 98 * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c 99 * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded 100 * performance if ROM access is slower than RAM access. 101 * 102 * This option is independent of \c MBEDTLS_AES_FEWER_TABLES. 103 * 104 */ 105 #define MBEDTLS_AES_ROM_TABLES 106 107 /** 108 * \def MBEDTLS_AES_FEWER_TABLES 109 * 110 * Use less ROM/RAM for AES tables. 111 * 112 * Uncommenting this macro omits 75% of the AES tables from 113 * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES) 114 * by computing their values on the fly during operations 115 * (the tables are entry-wise rotations of one another). 116 * 117 * Tradeoff: Uncommenting this reduces the RAM / ROM footprint 118 * by ~6kb but at the cost of more arithmetic operations during 119 * runtime. Specifically, one has to compare 4 accesses within 120 * different tables to 4 accesses with additional arithmetic 121 * operations within the same table. The performance gain/loss 122 * depends on the system and memory details. 123 * 124 * This option is independent of \c MBEDTLS_AES_ROM_TABLES. 125 * 126 */ 127 #define MBEDTLS_AES_FEWER_TABLES 128 129 /** 130 * \def MBEDTLS_NO_PLATFORM_ENTROPY 131 * 132 * Do not use built-in platform entropy functions. 133 * This is useful if your platform does not support 134 * standards like the /dev/urandom or Windows CryptoAPI. 135 * 136 * Uncomment this macro to disable the built-in platform entropy functions. 137 */ 138 #define MBEDTLS_NO_PLATFORM_ENTROPY 139 140 /** 141 * \def MBEDTLS_ENTROPY_NV_SEED 142 * 143 * Enable the non-volatile (NV) seed file-based entropy source. 144 * (Also enables the NV seed read/write functions in the platform layer) 145 * 146 * This is crucial (if not required) on systems that do not have a 147 * cryptographic entropy source (in hardware or kernel) available. 148 * 149 * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C 150 * 151 * \note The read/write functions that are used by the entropy source are 152 * determined in the platform layer, and can be modified at runtime and/or 153 * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used. 154 * 155 * \note If you use the default implementation functions that read a seedfile 156 * with regular fopen(), please make sure you make a seedfile with the 157 * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at 158 * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from 159 * and written to or you will get an entropy source error! The default 160 * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE 161 * bytes from the file. 162 * 163 * \note The entropy collector will write to the seed file before entropy is 164 * given to an external source, to update it. 165 */ 166 #define MBEDTLS_ENTROPY_NV_SEED 167 168 /** 169 * \def MBEDTLS_SHA256_SMALLER 170 * 171 * Enable an implementation of SHA-256 that has lower ROM footprint but also 172 * lower performance. 173 * 174 * The default implementation is meant to be a reasonnable compromise between 175 * performance and size. This version optimizes more aggressively for size at 176 * the expense of performance. Eg on Cortex-M4 it reduces the size of 177 * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about 178 * 30%. 179 * 180 * Uncomment to enable the smaller implementation of SHA256. 181 */ 182 #define MBEDTLS_SHA256_SMALLER 183 184 /** 185 * \def MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS 186 * 187 * Assume all buffers passed to PSA functions are owned exclusively by the 188 * PSA function and are not stored in shared memory. 189 * 190 * This option may be enabled if all buffers passed to any PSA function reside 191 * in memory that is accessible only to the PSA function during its execution. 192 * 193 * This option MUST be disabled whenever buffer arguments are in memory shared 194 * with an untrusted party, for example where arguments to PSA calls are passed 195 * across a trust boundary. 196 * 197 * \note Enabling this option reduces memory usage and code size. 198 * 199 * \note Enabling this option causes overlap of input and output buffers 200 * not to be supported by PSA functions. 201 */ 202 #define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS 203 204 /** 205 * \def MBEDTLS_PSA_CRYPTO_CONFIG 206 * 207 * This setting allows support for cryptographic mechanisms through the PSA 208 * API to be configured separately from support through the mbedtls API. 209 * 210 * When this option is disabled, the PSA API exposes the cryptographic 211 * mechanisms that can be implemented on top of the `mbedtls_xxx` API 212 * configured with `MBEDTLS_XXX` symbols. 213 * 214 * When this option is enabled, the PSA API exposes the cryptographic 215 * mechanisms requested by the `PSA_WANT_XXX` symbols defined in 216 * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are 217 * automatically enabled if required (i.e. if no PSA driver provides the 218 * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols 219 * in mbedtls_config.h. 220 * 221 * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies 222 * an alternative header to include instead of include/psa/crypto_config.h. 223 * 224 * This feature is still experimental and is not ready for production since 225 * it is not completed. 226 */ 227 #define MBEDTLS_PSA_CRYPTO_CONFIG 228 229 /* \} name SECTION: mbed TLS feature support */ 230 231 /** 232 * \name SECTION: mbed TLS modules 233 * 234 * This section enables or disables entire modules in mbed TLS 235 * \{ 236 */ 237 238 /** 239 * \def MBEDTLS_AES_C 240 * 241 * Enable the AES block cipher. 242 * 243 * Module: library/aes.c 244 * Caller: library/cipher.c 245 * library/pem.c 246 * library/ctr_drbg.c 247 * 248 * This module is required to support the TLS ciphersuites that use the AES 249 * cipher. 250 * 251 * PEM_PARSE uses AES for decrypting encrypted keys. 252 */ 253 #define MBEDTLS_AES_C 254 255 /** 256 * \def MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH 257 * 258 * Use only 128-bit keys in AES operations to save ROM. 259 * 260 * Uncomment this macro to remove support for AES operations that use 192- 261 * or 256-bit keys. 262 * 263 * Uncommenting this macro reduces the size of AES code by ~300 bytes 264 * on v8-M/Thumb2. 265 * 266 * Module: library/aes.c 267 * 268 * Requires: MBEDTLS_AES_C 269 */ 270 #define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH 271 272 /** 273 * \def MBEDTLS_CIPHER_C 274 * 275 * Enable the generic cipher layer. 276 * 277 * Module: library/cipher.c 278 * 279 * Uncomment to enable generic cipher wrappers. 280 */ 281 #define MBEDTLS_CIPHER_C 282 283 /** 284 * \def MBEDTLS_CTR_DRBG_C 285 * 286 * Enable the CTR_DRBG AES-based random generator. 287 * The CTR_DRBG generator uses AES-256 by default. 288 * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below. 289 * 290 * Module: library/ctr_drbg.c 291 * Caller: 292 * 293 * Requires: MBEDTLS_AES_C 294 * 295 * This module provides the CTR_DRBG AES random number generator. 296 */ 297 #define MBEDTLS_CTR_DRBG_C 298 299 /** 300 * \def MBEDTLS_ENTROPY_C 301 * 302 * Enable the platform-specific entropy code. 303 * 304 * Module: library/entropy.c 305 * Caller: 306 * 307 * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C 308 * 309 * This module provides a generic entropy pool 310 */ 311 #define MBEDTLS_ENTROPY_C 312 313 /** 314 * \def MBEDTLS_HKDF_C 315 * 316 * Enable the HKDF algorithm (RFC 5869). 317 * 318 * Module: library/hkdf.c 319 * Caller: 320 * 321 * Requires: MBEDTLS_MD_C 322 * 323 * This module adds support for the Hashed Message Authentication Code 324 * (HMAC)-based key derivation function (HKDF). 325 */ 326 //#define MBEDTLS_HKDF_C /* Used for HUK deriviation */ 327 328 /** 329 * \def MBEDTLS_MD_C 330 * 331 * Enable the generic message digest layer. 332 * 333 * Module: library/md.c 334 * Caller: 335 * 336 * Uncomment to enable generic message digest wrappers. 337 */ 338 //#define MBEDTLS_MD_C 339 340 /** 341 * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C 342 * 343 * Enable the buffer allocator implementation that makes use of a (stack) 344 * based buffer to 'allocate' dynamic memory. (replaces calloc() and free() 345 * calls) 346 * 347 * Module: library/memory_buffer_alloc.c 348 * 349 * Requires: MBEDTLS_PLATFORM_C 350 * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS) 351 * 352 * Enable this module to enable the buffer memory allocator. 353 */ 354 #define MBEDTLS_MEMORY_BUFFER_ALLOC_C 355 356 /** 357 * \def MBEDTLS_PLATFORM_C 358 * 359 * Enable the platform abstraction layer that allows you to re-assign 360 * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). 361 * 362 * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT 363 * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned 364 * above to be specified at runtime or compile time respectively. 365 * 366 * \note This abstraction layer must be enabled on Windows (including MSYS2) 367 * as other module rely on it for a fixed snprintf implementation. 368 * 369 * Module: library/platform.c 370 * Caller: Most other .c files 371 * 372 * This module enables abstraction of common (libc) functions. 373 */ 374 #define MBEDTLS_PLATFORM_C 375 376 #define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS 377 #define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h> 378 379 #include <stdio.h> 380 381 #define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf 382 #define MBEDTLS_PLATFORM_PRINTF_ALT 383 #define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS 384 #define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE 385 386 /** 387 * \def MBEDTLS_PSA_CRYPTO_C 388 * 389 * Enable the Platform Security Architecture cryptography API. 390 * 391 * Module: library/psa_crypto.c 392 * 393 * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C 394 * 395 */ 396 #define MBEDTLS_PSA_CRYPTO_C 397 398 /** 399 * \def MBEDTLS_PSA_CRYPTO_STORAGE_C 400 * 401 * Enable the Platform Security Architecture persistent key storage. 402 * 403 * Module: library/psa_crypto_storage.c 404 * 405 * Requires: MBEDTLS_PSA_CRYPTO_C, 406 * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of 407 * the PSA ITS interface 408 */ 409 #define MBEDTLS_PSA_CRYPTO_STORAGE_C 410 411 /** 412 * \def MBEDTLS_PSA_CRYPTO_SPM 413 * 414 * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure 415 * Partition Manager) integration which separates the code into two parts: a 416 * NSPE (Non-Secure Process Environment) and an SPE (Secure Process 417 * Environment). 418 * 419 * If you enable this option, your build environment must include a header 420 * file `"crypto_spe.h"` (either in the `psa` subdirectory of the Mbed TLS 421 * header files, or in another directory on the compiler's include search 422 * path). Alternatively, your platform may customize the header 423 * `psa/crypto_platform.h`, in which case it can skip or replace the 424 * inclusion of `"crypto_spe.h"`. 425 * 426 * Module: library/psa_crypto.c 427 * Requires: MBEDTLS_PSA_CRYPTO_C 428 * 429 */ 430 #define MBEDTLS_PSA_CRYPTO_SPM 431 432 /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER 433 * 434 * Enable key identifiers that encode a key owner identifier. 435 * 436 * The owner of a key is identified by a value of type ::mbedtls_key_owner_id_t 437 * which is currently hard-coded to be int32_t. 438 * 439 * Note that this option is meant for internal use only and may be removed 440 * without notice. 441 */ 442 #define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER 443 444 /** \def MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS 445 * 446 * Enable support for platform built-in keys. If you enable this feature, 447 * you must implement the function mbedtls_psa_platform_get_builtin_key(). 448 * See the documentation of that function for more information. 449 * 450 * Built-in keys are typically derived from a hardware unique key or 451 * stored in a secure element. 452 * 453 * Requires: MBEDTLS_PSA_CRYPTO_C. 454 * 455 * \warning This interface is experimental and may change or be removed 456 * without notice. 457 */ 458 #define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS 459 460 /* \} name SECTION: mbed TLS modules */ 461 462 /** 463 * \name SECTION: General configuration options 464 * 465 * This section contains Mbed TLS build settings that are not associated 466 * with a particular module. 467 * 468 * \{ 469 */ 470 471 /** 472 * \def MBEDTLS_CONFIG_FILE 473 * 474 * If defined, this is a header which will be included instead of 475 * `"mbedtls/mbedtls_config.h"`. 476 * This header file specifies the compile-time configuration of Mbed TLS. 477 * Unlike other configuration options, this one must be defined on the 478 * compiler command line: a definition in `mbedtls_config.h` would have 479 * no effect. 480 * 481 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 482 * non-standard feature of the C language, so this feature is only available 483 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 484 * 485 * The value of this symbol is typically a path in double quotes, either 486 * absolute or relative to a directory on the include search path. 487 */ 488 //#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" 489 490 /** 491 * \def MBEDTLS_USER_CONFIG_FILE 492 * 493 * If defined, this is a header which will be included after 494 * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE. 495 * This allows you to modify the default configuration, including the ability 496 * to undefine options that are enabled by default. 497 * 498 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 499 * non-standard feature of the C language, so this feature is only available 500 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 501 * 502 * The value of this symbol is typically a path in double quotes, either 503 * absolute or relative to a directory on the include search path. 504 */ 505 //#define MBEDTLS_USER_CONFIG_FILE "/dev/null" 506 507 /** 508 * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE 509 * 510 * If defined, this is a header which will be included instead of 511 * `"psa/crypto_config.h"`. 512 * This header file specifies which cryptographic mechanisms are available 513 * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and 514 * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled. 515 * 516 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 517 * non-standard feature of the C language, so this feature is only available 518 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 519 * 520 * The value of this symbol is typically a path in double quotes, either 521 * absolute or relative to a directory on the include search path. 522 */ 523 //#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h" 524 525 /** 526 * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE 527 * 528 * If defined, this is a header which will be included after 529 * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE. 530 * This allows you to modify the default configuration, including the ability 531 * to undefine options that are enabled by default. 532 * 533 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 534 * non-standard feature of the C language, so this feature is only available 535 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 536 * 537 * The value of this symbol is typically a path in double quotes, either 538 * absolute or relative to a directory on the include search path. 539 */ 540 //#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" 541 542 /** \} name SECTION: General configuration options */ 543 544 #if CRYPTO_NV_SEED 545 #include "tfm_mbedcrypto_config_extra_nv_seed.h" 546 #endif /* CRYPTO_NV_SEED */ 547 548 #if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED) 549 #include "mbedtls_entropy_nv_seed_config.h" 550 #endif 551 552 #ifdef CRYPTO_HW_ACCELERATOR 553 #include "mbedtls_accelerator_config.h" 554 #endif 555 556 #endif /* PROFILE_S_MBEDTLS_CONFIG_H */ 557
