| # Cryptography primitive options for mbed TLS |
| |
| # Copyright (c) 2016 Intel Corporation |
| # SPDX-License-Identifier: Apache-2.0 |
| |
| config ZEPHYR_MBEDTLS_MODULE |
| bool |
| config MBEDTLS_PROMPTLESS |
| bool |
| help |
| Symbol to disable the prompt for MBEDTLS selection. |
| This symbol may be used internally in a Kconfig tree to hide the |
| mbed TLS menu prompt and instead handle the selection of MBEDTLS from |
| dependent sub-configurations and thus prevent stuck symbol behavior. |
| |
| rsource "Kconfig.psa" |
| |
| menuconfig MBEDTLS |
| bool "mbed TLS Support" if !MBEDTLS_PROMPTLESS |
| help |
| This option enables the mbedTLS cryptography library. |
| |
| if MBEDTLS |
| |
| choice MBEDTLS_IMPLEMENTATION |
| prompt "Select implementation" |
| default MBEDTLS_BUILTIN |
| |
| config MBEDTLS_BUILTIN |
| bool "Use Zephyr in-tree mbedTLS version" |
| help |
| Link with the mbedTLS sources included with the Zephyr distribution. |
| The included mbedTLS version is well integrated with and supported |
| by Zephyr, and is the recommended choice for most users. |
| |
| config MBEDTLS_LIBRARY |
| bool "Use external mbedTLS library" |
| help |
| Use external, out-of-tree prebuilt mbedTLS library. For advanced |
| users only. |
| |
| endchoice |
| |
| config CUSTOM_MBEDTLS_CFG_FILE |
| bool "Custom mbed TLS configuration file" |
| help |
| Allow user defined input for the MBEDTLS_CFG_FILE setting. |
| You can specify the actual configuration file using the |
| MBEDTLS_CFG_FILE setting. |
| |
| config MBEDTLS_CFG_FILE |
| string "mbed TLS configuration file" if CUSTOM_MBEDTLS_CFG_FILE |
| depends on MBEDTLS_BUILTIN |
| default "config-tls-generic.h" |
| help |
| Use a specific mbedTLS configuration file. The default config file |
| can be tweaked with Kconfig. The default configuration is |
| suitable for communicating with the majority of HTTPS servers on the |
| Internet, but has relatively many features enabled. To optimize |
| resources for a specific TLS usage, use the available Kconfig options, |
| or select an alternative config. |
| |
| rsource "Kconfig.tls-generic" |
| |
| config MBEDTLS_SSL_MAX_CONTENT_LEN |
| int "Max payload size for TLS protocol message" |
| default 1500 |
| depends on MBEDTLS_BUILTIN |
| help |
| The TLS standards mandate a maximum payload size of 16384 bytes, so |
| for maximum interoperability and for general-purpose usage that value |
| must be used. For specific usages, that value can be decreased |
| significantly. E.g. for DTLS, the payload size is limited by the UDP |
| datagram size, and even for an HTTPS REST API the payload can be |
| limited to the largest of (REST request, REST response, server |
| certificate(s)). Note that a peer which does not negotiate a smaller |
| fragment size may still send records of up to 16384 bytes, and such a |
| record will not fit into a smaller input buffer and will be rejected |
| as an invalid record. |
| mbedTLS uses this value separately for input and output buffers, so |
| twice this value will be allocated (on mbedTLS' own heap, so the |
| value of MBEDTLS_HEAP_SIZE should accommodate that). |
| |
| module = MBEDTLS |
| module-str = Log level mbedTLS library debug hook |
| source "subsys/logging/Kconfig.template.log_config" |
| |
| config MBEDTLS_DEBUG |
| bool "mbed TLS debug activation" |
| help |
| Enable debug output from the mbed TLS library. If you use the |
| mbedTLS/Zephyr integration (e.g. native TLS sockets), this will |
| activate debug logging. Verbose levels dump handshake and record |
| contents, so do not enable this in production builds. |
| |
| If you use mbedTLS directly instead, you will need to perform |
| additional configuration yourself: call |
| mbedtls_ssl_conf_dbg(&mbedtls.conf, zephyr_mbedtls_debug, NULL); |
| function in your application. Alternatively implement your own debug |
| hook function if zephyr_mbedtls_debug() doesn't suit your needs. |
| |
| if MBEDTLS_DEBUG |
| |
| config MBEDTLS_DEBUG_LEVEL |
| int |
| default 4 if MBEDTLS_LOG_LEVEL_DBG |
| default 3 if MBEDTLS_LOG_LEVEL_INF |
| default 2 if MBEDTLS_LOG_LEVEL_WRN |
| default 1 if MBEDTLS_LOG_LEVEL_ERR |
| default 0 |
| range 0 4 |
| help |
| Default mbed TLS debug logging level for Zephyr integration code |
| (from ext/lib/crypto/mbedtls/include/mbedtls/debug.h): |
| 0 No debug |
| 1 Error |
| 2 State change |
| 3 Information |
| 4 Verbose |
| |
| This makes Zephyr call mbedtls_debug_set_threshold() function during |
| mbedTLS initialization, with the configured debug log level. |
| |
| choice MBEDTLS_DEBUG_EXTRACT_BASENAME |
| prompt "Extract basename from filenames" |
| default MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_BUILDTIME if "$(ZEPHYR_TOOLCHAIN_VARIANT)" = "zephyr" |
| default MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME |
| |
| config MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_BUILDTIME |
| bool "Buildtime" |
| help |
| Adds compile options that convert the full source path in the |
| __FILE__ macro to the file's basename. This reduces code footprint |
| when debug messages are enabled. |
| |
| This is compiler dependent, so if it does not work then please |
| fallback to MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME instead. |
| |
| config MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME |
| bool "Runtime" |
| help |
| The filename passed as argument to the debug hook will have its |
| directory part stripped, so that only the basename is logged. |
| |
| config MBEDTLS_DEBUG_EXTRACT_BASENAME_DISABLED |
| bool "Disabled" |
| help |
| Disable basename extraction from filenames in log messages. This will |
| result in full paths, or paths relative to the west root directory, |
| appearing in log messages generated by the mbedTLS library. |
| |
| endchoice |
| |
| config MBEDTLS_DEBUG_STRIP_NEWLINE |
| bool "Strip newlines" |
| default y |
| help |
| Attempt to strip last character from logged string when it is a |
| newline. |
| |
| endif # MBEDTLS_DEBUG |
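As an added example (not Zephyr's or mbed TLS's own code), the following C program shows what a debug hook of the kind MBEDTLS_DEBUG describes does when the runtime basename extraction and newline stripping options above are in effect: it filters by the configured threshold, reduces the file argument to its basename and drops one trailing newline before printing. The `dbg_hook_t` typedef is assumed to mirror the callback shape `mbedtls_ssl_conf_dbg()` takes (`void (*)(void *, int, const char *, int, const char *)`), and `debug_threshold` stands in for the value `mbedtls_debug_set_threshold()` would set; the helper names `dbg_basename`, `dbg_strip_newline`, `dbg_format_line` and `zephyr_style_debug_hook` are my own, and no mbed TLS header is included so the file builds stand-alone.

```c
/*
 * Added example, not code from Zephyr or mbed TLS.
 * Debug hook in the shape mbedtls_ssl_conf_dbg() expects, implementing
 * runtime basename extraction and trailing-newline stripping.
 */
#include <stdio.h>
#include <string.h>

/* Assumed: same shape as the f_dbg callback mbedtls_ssl_conf_dbg() takes. */
typedef void (*dbg_hook_t)(void *ctx, int level, const char *file,
                           int line, const char *str);

/* Stand-in for the value mbedtls_debug_set_threshold() would install:
 * 0 none, 1 error, 2 state change, 3 information, 4 verbose. */
static int debug_threshold = 4;

/* Return a pointer to the basename part of a path ('/' or '\\' separators). */
const char *dbg_basename(const char *path)
{
    const char *base = path;
    for (const char *p = path; *p != '\0'; p++) {
        if (*p == '/' || *p == '\\') {
            base = p + 1;
        }
    }
    return base;
}

/* Copy str into out (capacity out_sz), dropping one trailing newline.
 * Returns the number of characters written, excluding the terminator. */
size_t dbg_strip_newline(const char *str, char *out, size_t out_sz)
{
    size_t len = strlen(str);
    if (len > 0 && str[len - 1] == '\n') {
        len--;
    }
    if (len >= out_sz) {
        len = out_sz - 1;
    }
    memcpy(out, str, len);
    out[len] = '\0';
    return len;
}

/* Format one log line as "<level> <basename>:<line>: <message>".
 * Returns the formatted length, or -1 if the level is above the threshold. */
int dbg_format_line(int level, const char *file, int line, const char *str,
                    char *out, size_t out_sz)
{
    char msg[256];
    if (level > debug_threshold) {
        return -1;
    }
    dbg_strip_newline(str, msg, sizeof(msg));
    return snprintf(out, out_sz, "%d %s:%04d: %s", level,
                    dbg_basename(file), line, msg);
}

/* The hook itself; ctx is an optional prefix string (may be NULL). */
void zephyr_style_debug_hook(void *ctx, int level, const char *file,
                             int line, const char *str)
{
    char out[320];
    if (dbg_format_line(level, file, line, str, out, sizeof(out)) < 0) {
        return;
    }
    printf("%s%s\n", ctx != NULL ? (const char *)ctx : "", out);
}

int main(void)
{
    dbg_hook_t hook = zephyr_style_debug_hook;
    /* Constructed sample messages in the shape mbed TLS emits. */
    hook("mbedtls: ", 2, "/home/me/zephyrproject/modules/crypto/mbedtls/library/ssl_tls.c",
         1234, "=> handshake\n");
    hook("mbedtls: ", 4, "library\\ssl_msg.c", 42, "dumping 'input record' (5 bytes)\n");
    debug_threshold = 1;               /* as if MBEDTLS_LOG_LEVEL_ERR were selected */
    hook("mbedtls: ", 3, "library/ssl_tls.c", 1, "filtered out\n");
    return 0;
}
```

With a real mbed TLS build the hook would be installed with `mbedtls_ssl_conf_dbg(&conf, zephyr_style_debug_hook, "mbedtls: ")`; the threshold filtering here mirrors mbed TLS's rule that messages whose level is above the threshold are ignored.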
| |
| config MBEDTLS_MEMORY_DEBUG |
| bool "mbed TLS memory debug activation" |
| depends on MBEDTLS_BUILTIN |
| help |
| Enable debugging of buffer allocator memory issues. Automatically |
| prints (to stderr) all (fatal) messages on memory allocation |
| issues. Enables function for 'debug output' of allocated memory. |
| |
| config MBEDTLS_TEST |
| bool "Compile internal self test functions" |
| depends on MBEDTLS_BUILTIN |
| help |
| Enable the self test functions for the crypto algorithms. |
| |
| config MBEDTLS_INSTALL_PATH |
| string "mbedTLS install path" |
| depends on MBEDTLS_LIBRARY |
| help |
| This option holds the path where the mbedTLS libraries and headers are |
| installed. Make sure this option is properly set when MBEDTLS_LIBRARY |
| is enabled otherwise the build will fail. |
| |
| config MBEDTLS_ENABLE_HEAP |
| bool "Global heap for mbed TLS" |
| help |
| This option enables mbed TLS to use a heap. This setting must |
| be global so that the various applications and libraries in Zephyr do |
| not try to do this themselves, as there can be only one heap defined |
| in mbed TLS. If this is enabled, and MBEDTLS_INIT is enabled, then |
| Zephyr will initialize the heap automatically during device startup. |
| |
| if MBEDTLS_ENABLE_HEAP |
| |
| config MBEDTLS_HEAP_SIZE |
| int "Heap size for mbed TLS" |
| default 10240 if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER |
| default 512 |
| help |
| The mbedtls routines will use this heap if enabled. |
| See ext/lib/crypto/mbedtls/include/mbedtls/config.h and the |
| MBEDTLS_MEMORY_BUFFER_ALLOC_C option for details. That option is not |
| enabled by default. |
| The default value is deliberately small, as the required heap size |
| depends on the application. For streaming communication with |
| arbitrary (HTTPS) servers on the Internet, 32KB + overheads (up to |
| another 20KB) may be needed. For some dedicated and specific usage of |
| the mbedtls API, about 1000 bytes may be enough. |
| |
| config MBEDTLS_HEAP_CUSTOM_SECTION |
| bool "Use a custom section for the Mbed TLS heap" |
| help |
| Place Mbed TLS heap in custom section, with tag ".mbedtls_heap". |
| This can be used by custom linker scripts to relocate the Mbed TLS |
| heap to a custom location, such as another SRAM region or external memory. |
| |
| endif # MBEDTLS_ENABLE_HEAP |
| |
| config MBEDTLS_INIT |
| bool "Initialize mbed TLS at boot" |
| default y |
| help |
| By default mbed TLS will be initialized at Zephyr init. Disabling this option |
| will defer the initialization until explicitly called. |
| |
| config MBEDTLS_SHELL |
| bool "mbed TLS shell" |
| depends on MBEDTLS |
| depends on SHELL |
| help |
| Enable the mbed TLS shell module, which can show debug information |
| about the mbed TLS library, such as heap usage. |
| |
| config MBEDTLS_ZEROIZE_ALT |
| bool "mbed TLS alternate mbedtls_platform_zeroize implementation" |
| help |
| The mbed TLS configuration supplies an alternate implementation of |
| mbedtls_platform_zeroize instead of the library's default one. |
| |
| config APP_LINK_WITH_MBEDTLS |
| bool "Link 'app' with MBEDTLS" |
| default y |
| help |
| Add MBEDTLS header files to the 'app' include path. It may be |
| disabled if the include paths for MBEDTLS are causing aliasing |
| issues for 'app'. |
| |
| endif # MBEDTLS |