| # Kconfig - Cryptography primitive options for mbed TLS |
| |
| # Copyright (c) 2016 Intel Corporation |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| |
| menuconfig MBEDTLS |
| bool "mbedTLS Support" |
| help |
| This option enables the mbedTLS cryptography library. |
| |
| if MBEDTLS |
| |
| choice |
| prompt "Select implementation" |
| default MBEDTLS_BUILTIN |
| |
| config MBEDTLS_BUILTIN |
| bool "Enable mbedTLS integrated sources" |
| help |
| Link with local mbedTLS sources instead of external library. |
| |
| config MBEDTLS_LIBRARY |
| bool "Enable mbedTLS external library" |
| help |
| This option enables mbedTLS library. |
| |
| endchoice |
| |
| config MBEDTLS_CFG_FILE |
| string "mbed TLS configuration file" |
| depends on MBEDTLS_BUILTIN |
| default "config-tls-generic.h" |
| help |
| Use a specific mbed TLS configuration file. The default config file |
| file can be tweaked with Kconfig. The default configuration is |
| suitable to communicate with majority of HTTPS servers on the Internet, |
| but has relatively many features enabled. To optimize resources for |
| special TLS usage, use available Kconfig options, or select an |
| alternative config. |
| |
| if MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" |
| rsource "Kconfig.tls-generic" |
| endif |
| |
| config MBEDTLS_SSL_MAX_CONTENT_LEN |
| int "Max payload size for TLS protocol message" |
| default 1500 |
| depends on MBEDTLS_BUILTIN |
| help |
| The TLS standards mandate max payload size of 16384 bytes. So, for |
| maximum operability and for general-purpose usage, that value must |
| be used. For specific usages, that value can be largely decreased. |
| E.g. for DTLS, payload size is limited by UDP datagram size, and |
| even for HTTPS REST API, the payload can be limited to max size of |
| (REST request, REST response, server certificate(s)). |
| mbedTLS uses this value separate for input and output buffers, so |
| twice this value will be allocated (on mbedTLS own heap, so the |
| value of MBEDTLS_HEAP_SIZE should accommodate that). |
| |
| config MBEDTLS_DEBUG |
| bool "mbed TLS debug activation" |
| depends on MBEDTLS_BUILTIN |
| help |
| Enable debugging activation for mbed TLS configuration. If you use |
| mbedTLS/Zephyr integration (e.g. net_app), this will activate debug |
| logging (of the level configured by MBEDTLS_DEBUG_LEVEL). |
| If you use mbedTLS directly instead, you will need to perform |
| additional configuration yourself: call |
| mbedtls_ssl_conf_dbg(&mbedtls.conf, my_debug, NULL); |
| mbedtls_debug_set_threshold(level); |
| functions in your application, and create the my_debug() function to |
| actually print something useful. |
| |
| config MBEDTLS_DEBUG_LEVEL |
| int "mbed TLS default debug level" |
| depends on MBEDTLS_DEBUG |
| default 0 |
| range 0 4 |
| help |
| Default mbed TLS debug logging level for Zephyr integration code |
| (from ext/lib/crypto/mbedtls/include/mbedtls/debug.h): |
| 0 No debug |
| 1 Error |
| 2 State change |
| 3 Information |
| 4 Verbose |
| |
| config MBEDTLS_TEST |
| bool "Compile internal self test functions" |
| depends on MBEDTLS_BUILTIN |
| help |
| Enable self test function for the crypto algorithms |
| |
| config MBEDTLS_INSTALL_PATH |
| string "mbedTLS install path" |
| depends on MBEDTLS_LIBRARY |
| help |
| This option holds the path where the mbedTLS libraries and headers are |
| installed. Make sure this option is properly set when MBEDTLS_LIBRARY |
| is enabled otherwise the build will fail. |
| |
| config MBEDTLS_ENABLE_HEAP |
| bool "Enable global heap for mbed TLS" |
| help |
| This option enables the mbedtls to use the heap. This setting must |
| be global so that various applications and libraries in Zephyr do not |
| try to do this themselves as there can be only one heap defined |
| in mbedtls. If this is enabled, then the Zephyr will, during the device |
| startup, initialize the heap automatically. |
| |
| config MBEDTLS_HEAP_SIZE |
| int "Heap size for mbed TLS" |
| default 512 |
| depends on MBEDTLS_ENABLE_HEAP |
| help |
| The mbedtls routines will use this heap if enabled. |
| See ext/lib/crypto/mbedtls/include/mbedtls/config.h and |
| MBEDTLS_MEMORY_BUFFER_ALLOC_C option for details. That option is not |
| enabled by default. |
| Default value for the heap size is not set as it depends on the |
| application. For streaming communication with arbitrary (HTTPS) |
| servers on the Internet, 32KB + overheads (up to another 20KB) may |
| be needed. For some dedicated and specific usage of mbedtls API, the |
| 1000 bytes might be ok. |
| |
| config APP_LINK_WITH_MBEDTLS |
| bool "Link 'app' with MBEDTLS" |
| default y |
| help |
| Add MBEDTLS header files to the 'app' include path. It may be |
| disabled if the include paths for MBEDTLS are causing aliasing |
| issues for 'app'. |
| |
| endif # MBEDTLS |