subsys/nrf_security/Kconfig

#
# Copyright (c) 2019-2022 Nordic Semiconductor
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#

menu "nRF Security"

config NORDIC_SECURITY_PROMPTLESS
	bool
	help
	  Internal setting to disable the Nordic security backend.
	  This setting is Kconfig internal that must be used by subsystems that
	  provide nRF Security selection groups.


config NORDIC_SECURITY_BACKEND
	bool
	prompt "Use nRF Security with Mbed TLS legacy crypto APIs support" \
		if !NORDIC_SECURITY_PROMPTLESS
	depends on SOC_FAMILY_NORDIC_NRF
	select NRF_SECURITY
	select MBEDTLS_LEGACY_CRYPTO_C
	select OBERON_BACKEND if BUILD_WITH_TFM
	select DISABLE_MBEDTLS_BUILTIN if MBEDTLS
	help
	  Using this configuration enables legacy support for mbed TLS APIs
	  This configuration is not to be used for PSA API support.
	  Note that this will enable nrf_oberon by default. Multiple backends is
	  not supported.

config NRF_SECURITY
	bool
	prompt "Enable nRF Security" if !PSA_PROMPTLESS
	depends on SOC_FAMILY_NORDIC_NRF
	default y if BUILD_WITH_TFM
	# entropy is provided by PSA and NRF_SECURITY on NRF54LX
	default y if DT_HAS_ZEPHYR_PSA_CRYPTO_RNG_ENABLED && SOC_SERIES_NRF54LX && !IS_BOOTLOADER_IMG
	select DISABLE_MBEDTLS_BUILTIN if MBEDTLS
	# NCS does not use TF-M's BL2 bootloader, but uses it's own fork
	# of MCUBoot instead (CONFIG_BOOTLOADER_MCUBOOT).
	#
	# Select TFM_BL2_NOT_SUPPORTED to prevent users from enabling
	# CONFIG_TFM_BL2.
	select TFM_BL2_NOT_SUPPORTED if BUILD_WITH_TFM
	select PSA_CRYPTO_CLIENT
	help
	  Set this configuration to enable nRF Security. This provides
	  Arm PSA cryptography APIs with RNG support (optionally).

# Include Nordic-only PSA configurations
rsource "Kconfig.psa.nordic"

config PSA_PROMPTLESS
	bool

if NRF_SECURITY

config MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
	bool
	default y if SOC_SERIES_NRF54LX && PSA_CRYPTO_DRIVER_CRACEN
	default y if PSA_WANT_PLATFORM_KEYS
	help
	  Promptless option used to control if the PSA Crypto core should have support for builtin keys or not.

config MBEDTLS_CFG_FILE
	default "nrf-config.h"

config MBEDTLS_PSA_CRYPTO_CONFIG
	bool
	default y

config MBEDTLS_PSA_CRYPTO_CONFIG_FILE
	string "PSA want configuration file"
	default "nrf-psa-crypto-config.h"
	help
	  Name of the config file for PSA crypto (Containins PSA_WANT_XXXX configurations).
	  This file is generated and will contain PSA configurations if PSA crypto APIs
	  are enabled in the system.

config MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
	string "Additional PSA configuration file"
	default "nrf-psa-crypto-user-config.h"
	help
	  Name of the file containing extra PSA configuration.
	  This file may be generated andd will contain exte PSA configurations like the
	  PSA_NEED defines for different crypto accelerators.

config MBEDTLS_ENABLE_HEAP
	bool "Enable global heap for mbed TLS"
	help
	  This option enables the mbedtls to use the heap. This setting must
	  be global so that various applications and libraries in Zephyr do not
	  try to do this themselves as there can be only one heap defined
	  in mbedtls. If this is enabled, then the Zephyr will, during the device
	  startup, initialize the heap automatically.

config MBEDTLS_HEAP_SIZE
	int "Heap size for mbed TLS"
	default 15360 if OPENTHREAD_NRF_SECURITY
	default 512
	depends on MBEDTLS_ENABLE_HEAP
	help
	  Heap size for mbed TLS in bytes.
	  For streaming communication with arbitrary (HTTPS) servers on the
	  Internet, 32KB + overheads (up to another 20KB) may be needed.
	  Ensure to adjust the heap size according to the need of the
	  application.

config MBEDTLS_ENTROPY_POLL
	bool
	default y
	depends on !NRF_CC3XX_PLATFORM
	depends on !BUILD_WITH_TFM
	depends on ENTROPY_GENERATOR
	help
	  Add entropy_poll only if NRF_CC3XX_PLATFORM is not added.
	  This is because the nrf_cc3xx_platform library contains an
	  implementation of mbedtls_hardware_poll function.
	  This file is not useful for TF-M build where entropy should come
	  from SPE image, using psa_generate_random


# Include TLS/DTLS and x509 configurations
rsource "Kconfig.tls"

# Include PSA Crypto configurations
rsource "Kconfig.psa"

# Include Legacy mbed TLS configurations
rsource "Kconfig.legacy"

endif # NRF_SECURITY

menu "Zephyr legacy configurations"
	depends on MBEDTLS_LIBRARY_NRF_SECURITY

config MBEDTLS_TLS_VERSION_1_2
	bool "Enable support for TLS 1.2 (DTLS 1.2)"
	select PSA_WANT_ALG_SHA_1
	select PSA_WANT_ALG_SHA_224
	select PSA_WANT_ALG_SHA_256
	select PSA_WANT_ALG_SHA_384
	select PSA_WANT_ALG_SHA_512
	select MBEDTLS_CIPHER

config MBEDTLS_DTLS
	bool "Enable support for DTLS"
	depends on MBEDTLS_TLS_VERSION_1_2 || MBEDTLS_SSL_PROTO_TLS1_2
	select MBEDTLS_SSL_PROTO_DTLS

config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
	bool "Enable all available ciphersuites"
	help
	  The default behaviour with nrf_security is to always enable every ciphersuite
	  that is available. This configuration has no effect, but ensures that samples
	  and subsystem usage doesn't break.

config MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
	bool "Enable some PSK ciphersuites"
	help
	  The default behaviour of nrf_security is to always enable some ciphersuites.
	  This configuration has no effect but ensures that samples and subsystem usage
	  doesn't break.

config MBEDTLS_ECP_ALL_ENABLED
	bool "Enable all available elliptic curves"
	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
	select PSA_WANT_ECC_SECP_R1_192
	select PSA_WANT_ECC_SECP_R1_224
	select PSA_WANT_ECC_SECP_R1_256
	select PSA_WANT_ECC_SECP_R1_384
	select PSA_WANT_ECC_SECP_R1_521
	select PSA_WANT_ECC_SECP_K1_192
	select PSA_WANT_ECC_SECP_K1_224
	select PSA_WANT_ECC_SECP_K1_256
	select PSA_WANT_ECC_BRAINPOOL_P_R1_256
	select PSA_WANT_ECC_BRAINPOOL_P_R1_384
	select PSA_WANT_ECC_BRAINPOOL_P_R1_512
	select PSA_WANT_ECC_MONTGOMERY_255
	select PSA_WANT_ECC_MONTGOMERY_448

config MBEDTLS_CIPHER_ALL_ENABLED
	bool "Enable all available ciphers"
	select PSA_WANT_KEY_TYPE_AES
	select PSA_WANT_ALG_ECB_NO_PADDING
	select PSA_WANT_ALG_CBC_NO_PADDING
	select PSA_WANT_ALG_CBC_PKCS7
	select PSA_WANT_ALG_CTR
	select PSA_WANT_ALG_CCM
	select PSA_WANT_ALG_GCM
	select PSA_WANT_KEY_TYPE_CHACHA20
	select PSA_WANT_ALG_CHACHA20_POLY1305
	select PSA_WANT_ALG_STREAM_CIPHER

config MBEDTLS_MAC_ALL_ENABLED
	bool "Enable all available MAC methods"
	select PSA_WANT_KEY_TYPE_AES
	select PSA_WANT_ALG_CMAC
	select PSA_WANT_ALG_HMAC
	select PSA_WANT_ALG_SHA_1
	select PSA_WANT_ALG_SHA_224
	select PSA_WANT_ALG_SHA_256
	select PSA_WANT_ALG_SHA_384
	select PSA_WANT_ALG_SHA_512

config MBEDTLS_MAC_SHA256_ENABLED
	bool "Enable the SHA-224 and SHA-256 hash algorithms"
	default y
	select PSA_WANT_ALG_SHA_224
	select PSA_WANT_ALG_SHA_256
	select PSA_WANT_ALG_HMAC

config MBEDTLS_MAC_MD5_ENABLED
	bool "MD5 hash algorithm"

config MBEDTLS_CTR_DRBG_ENABLED
	bool "Enable the CTR_DRBG AES-256-based random generator"
	select PSA_WANT_ALG_CTR_DRBG

config MBEDTLS_HMAC_DRBG_ENABLED
	bool "Enable the HMAC_DRBG random generator"
	select PSA_WANT_ALG_HMAC_DRBG

config MBEDTLS_CIPHER
	bool "Enable the generic cipher layer"

config MBEDTLS_MD
	bool "Enable the generic message digest layer"

config MBEDTLS_ENTROPY_ENABLED
	bool "Enable mbedTLS generic entropy pool"

config MBEDTLS_GENPRIME_ENABLED
	bool "Enable the prime-number generation code"

endmenu # Zephyr legacy configurations

#
# Provide a new choice to override the mbedtls_external library completely
# and not have to provide a "dummy" path for the implementation
#
choice MBEDTLS_IMPLEMENTATION
	default MBEDTLS_LIBRARY_NRF_SECURITY

config MBEDTLS_LIBRARY_NRF_SECURITY
	bool "Use nRF Security mbedTLS version"
	depends on NORDIC_SECURITY_BACKEND || NRF_SECURITY
	help
	  Use Mbed TLS library from Nordic provided security backend

endchoice

endmenu