This is a specification of work in progress. The implementation is not yet merged into Mbed TLS.
This document describes how to write drivers of cryptoprocessors such as accelerators and secure elements for the PSA cryptography subsystem of Mbed TLS.
This document focuses on behavior that is specific to Mbed TLS. For a reference of the interface between Mbed TLS and drivers, refer to the PSA Cryptoprocessor Driver Interface specification.
The interface is not fully implemented in Mbed TLS yet and is disabled by default. You can enable the experimental work in progress by setting
MBEDTLS_PSA_CRYPTO_DRIVERS in the compile-time configuration. Please note that the interface may still change: until further notice, we do not guarantee backward compatibility with existing driver code when
MBEDTLS_PSA_CRYPTO_DRIVERS is enabled.
The PSA cryptography driver interface provides a way to build Mbed TLS with additional code that implements certain cryptographic primitives. This is primarily intended to support platform-specific hardware.
There are two types of drivers:
To write a driver, you need to implement some functions with C linkage, and to declare these functions in a driver description file. The driver description file declares which functions the driver implements and what cryptographic mechanisms they support. Depending on the driver type, you may also need to define some C types and macros in a header file.
The concrete syntax for a driver description file is JSON. The structure of this JSON file is specified in the section “Driver description syntax” of the PSA cryptography driver interface specification.
A driver therefore consists of:
Mbed TLS calls driver entry points as specified in the PSA Cryptography Driver Interface specification except as otherwise indicated in this section.