From be8d1153c5b5d354f9ae535cba6ced3c0be22148 Mon Sep 17 00:00:00 2001 From: Tomi Fontanilles Date: Mon, 17 Mar 2025 11:55:07 +0200 Subject: [PATCH 1/8] Revert "[nrf noup]: Allow for using legacy when MBEDTLS_FORCE_LEGACY_MD/CIPHER" This reverts commit 98603a8c91660beac00e0ee1d76198fb7c4ed29b. Temporary revert to rework some conflicting commits. Signed-off-by: Tomi Fontanilles --- include/mbedtls/config_adjust_legacy_crypto.h | 4 ++-- include/mbedtls/md.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h index fa6f8e17f0..04abb96ada 100644 --- a/include/mbedtls/config_adjust_legacy_crypto.h +++ b/include/mbedtls/config_adjust_legacy_crypto.h @@ -101,7 +101,7 @@ */ /* PSA accelerated implementations */ -#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(CONFIG_MBEDTLS_FORCE_LEGACY_MD) +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) #if defined(PSA_WANT_ALG_MD5) #define MBEDTLS_MD_CAN_MD5 #define MBEDTLS_MD_MD5_VIA_PSA @@ -208,7 +208,7 @@ * - MBEDTLS_BLOCK_CIPHER_xxx_VIA_LEGACY: xxx key type is supported through * a legacy module (i.e. MBEDTLS_xxx_C) */ -#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(CONFIG_MBEDTLS_FORCE_LEGACY_CIPHER) +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) #if defined(PSA_WANT_KEY_TYPE_AES) #define MBEDTLS_BLOCK_CIPHER_AES_VIA_PSA #define MBEDTLS_BLOCK_CIPHER_SOME_PSA diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h index 52a04ccd5f..6ccca3bdd3 100644 --- a/include/mbedtls/md.h +++ b/include/mbedtls/md.h @@ -37,7 +37,7 @@ */ /* PSA accelerated implementations */ -#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(CONFIG_MBEDTLS_FORCE_LEGACY_MD) +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) #if defined(PSA_WANT_ALG_MD5) #define MBEDTLS_MD_CAN_MD5 #define MBEDTLS_MD_MD5_VIA_PSA From d0f5f7daa43ef986cb173ea549f2853c05120d1c Mon Sep 17 00:00:00 2001 From: Tomi Fontanilles Date: Mon, 17 Mar 2025 11:55:08 +0200 Subject: [PATCH 2/8] Revert "[nrf noup] crypto: mbedtls: Make MD PSA Crypto client aware" This reverts commit 2cc273be7aa8ac022c466594288f18f4747b62b1. Reverting this noup to split it into its different logical parts. Part of the changes in this noup is re-applied from upstream commits now that PR 9562 is merged upstream. Signed-off-by: Tomi Fontanilles --- include/mbedtls/config_adjust_legacy_crypto.h | 46 +++++++++++-------- include/mbedtls/md.h | 2 +- include/mbedtls/psa_util.h | 1 - 3 files changed, 27 insertions(+), 22 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h index 04abb96ada..3ba987ebb2 100644 --- a/include/mbedtls/config_adjust_legacy_crypto.h +++ b/include/mbedtls/config_adjust_legacy_crypto.h @@ -101,63 +101,64 @@ */ /* PSA accelerated implementations */ -#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) -#if defined(PSA_WANT_ALG_MD5) +#if defined(MBEDTLS_PSA_CRYPTO_C) + +#if defined(MBEDTLS_PSA_ACCEL_ALG_MD5) #define MBEDTLS_MD_CAN_MD5 #define MBEDTLS_MD_MD5_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#if defined(PSA_WANT_ALG_SHA_1) +#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_1) #define MBEDTLS_MD_CAN_SHA1 #define MBEDTLS_MD_SHA1_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#if defined(PSA_WANT_ALG_SHA_224) +#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_224) #define MBEDTLS_MD_CAN_SHA224 #define MBEDTLS_MD_SHA224_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#if defined(PSA_WANT_ALG_SHA_256) +#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_256) #define MBEDTLS_MD_CAN_SHA256 #define MBEDTLS_MD_SHA256_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#if defined(PSA_WANT_ALG_SHA_384) +#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_384) #define MBEDTLS_MD_CAN_SHA384 #define MBEDTLS_MD_SHA384_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#if defined(PSA_WANT_ALG_SHA_512) +#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_512) #define MBEDTLS_MD_CAN_SHA512 #define MBEDTLS_MD_SHA512_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#if defined(PSA_WANT_ALG_RIPEMD160) +#if defined(MBEDTLS_PSA_ACCEL_ALG_RIPEMD160) #define MBEDTLS_MD_CAN_RIPEMD160 #define MBEDTLS_MD_RIPEMD160_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#if defined(PSA_WANT_ALG_SHA3_224) +#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_224) #define MBEDTLS_MD_CAN_SHA3_224 #define MBEDTLS_MD_SHA3_224_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#if defined(PSA_WANT_ALG_SHA3_256) +#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_256) #define MBEDTLS_MD_CAN_SHA3_256 #define MBEDTLS_MD_SHA3_256_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#if defined(PSA_WANT_ALG_SHA3_384) +#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_384) #define MBEDTLS_MD_CAN_SHA3_384 #define MBEDTLS_MD_SHA3_384_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#if defined(PSA_WANT_ALG_SHA3_512) +#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_512) #define MBEDTLS_MD_CAN_SHA3_512 #define MBEDTLS_MD_SHA3_512_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */ +#endif /* MBEDTLS_PSA_CRYPTO_C */ /* Built-in implementations */ #if defined(MBEDTLS_MD5_C) @@ -198,7 +199,12 @@ #endif /* MBEDTLS_MD_LIGHT */ -/* BLOCK_CIPHER module can dispatch to PSA +/* BLOCK_CIPHER module can dispatch to PSA when: + * - PSA is enabled and drivers have been initialized + * - desired key type is supported on the PSA side + * If the above conditions are not met, but the legacy support is enabled, then + * BLOCK_CIPHER will dynamically fallback to it. + * * In case BLOCK_CIPHER is defined (see below) the following symbols/helpers * can be used to define its capabilities: * - MBEDTLS_BLOCK_CIPHER_SOME_PSA: there is at least 1 key type between AES, @@ -208,20 +214,20 @@ * - MBEDTLS_BLOCK_CIPHER_xxx_VIA_LEGACY: xxx key type is supported through * a legacy module (i.e. MBEDTLS_xxx_C) */ -#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) -#if defined(PSA_WANT_KEY_TYPE_AES) +#if defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES) #define MBEDTLS_BLOCK_CIPHER_AES_VIA_PSA #define MBEDTLS_BLOCK_CIPHER_SOME_PSA #endif -#if defined(PSA_WANT_KEY_TYPE_ARIA) +#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA) #define MBEDTLS_BLOCK_CIPHER_ARIA_VIA_PSA #define MBEDTLS_BLOCK_CIPHER_SOME_PSA #endif -#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) +#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA) #define MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_PSA #define MBEDTLS_BLOCK_CIPHER_SOME_PSA #endif -#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */ +#endif /* MBEDTLS_PSA_CRYPTO_C */ #if defined(MBEDTLS_AES_C) #define MBEDTLS_BLOCK_CIPHER_AES_VIA_LEGACY @@ -422,7 +428,7 @@ /* psa_util file features some ECDSA conversion functions, to convert between * legacy's ASN.1 DER format and PSA's raw one. */ -#if defined(MBEDTLS_ECDSA_C) || (defined(MBEDTLS_PSA_CRYPTO_CLIENT) && \ +#if (defined(MBEDTLS_PSA_CRYPTO_CLIENT) && \ (defined(PSA_WANT_ALG_ECDSA) || defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA))) #define MBEDTLS_PSA_UTIL_HAVE_ECDSA #endif diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h index 6ccca3bdd3..fc0604688d 100644 --- a/include/mbedtls/md.h +++ b/include/mbedtls/md.h @@ -37,7 +37,7 @@ */ /* PSA accelerated implementations */ -#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) +#if defined(MBEDTLS_PSA_CRYPTO_C) #if defined(PSA_WANT_ALG_MD5) #define MBEDTLS_MD_CAN_MD5 #define MBEDTLS_MD_MD5_VIA_PSA diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 6056e775db..7350eafcb7 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -13,7 +13,6 @@ #include "mbedtls/private_access.h" #include "mbedtls/build_info.h" -#include "mbedtls/md.h" #include "psa/crypto.h" From 9701e92c0a6089617da30f3d52a165c00f256478 Mon Sep 17 00:00:00 2001 From: Tomi Fontanilles Date: Mon, 17 Mar 2025 11:55:08 +0200 Subject: [PATCH 3/8] Revert "[nrf noup] Replace MBEDTLS_ACCEL->PSA_WANT in md.h" This reverts commit d75b3f6aa97654d3e5bfe33162a05b2be73bafbc. This duplicated what was done in config_adjust_legacy_crypto.h by 2cc273be7aa8ac022c466594288f18f4747b62b1. Signed-off-by: Tomi Fontanilles --- include/mbedtls/md.h | 114 ------------------------------------------- 1 file changed, 114 deletions(-) diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h index fc0604688d..478e9f7667 100644 --- a/include/mbedtls/md.h +++ b/include/mbedtls/md.h @@ -20,120 +20,6 @@ #include "mbedtls/build_info.h" #include "mbedtls/platform_util.h" -#if defined(MBEDTLS_MD_LIGHT) - -/* - * - MBEDTLS_MD_CAN_xxx is defined if the md module can perform xxx. - * - MBEDTLS_MD_xxx_VIA_PSA is defined if the md module may perform xxx via PSA - * (see below). - * - MBEDTLS_MD_SOME_PSA is defined if at least one algorithm may be performed - * via PSA (see below). - * - MBEDTLS_MD_SOME_LEGACY is defined if at least one algorithm may be performed - * via a direct legacy call (see below). - * - * The md module performs an algorithm via PSA if there is a PSA hash - * accelerator and the PSA driver subsytem is initialized at the time the - * operation is started, and makes a direct legacy call otherwise. - */ - -/* PSA accelerated implementations */ -#if defined(MBEDTLS_PSA_CRYPTO_C) -#if defined(PSA_WANT_ALG_MD5) -#define MBEDTLS_MD_CAN_MD5 -#define MBEDTLS_MD_MD5_VIA_PSA -#define MBEDTLS_MD_SOME_PSA -#endif -#if defined(PSA_WANT_ALG_SHA_1) -#define MBEDTLS_MD_CAN_SHA1 -#define MBEDTLS_MD_SHA1_VIA_PSA -#define MBEDTLS_MD_SOME_PSA -#endif -#if defined(PSA_WANT_ALG_SHA_224) -#define MBEDTLS_MD_CAN_SHA224 -#define MBEDTLS_MD_SHA224_VIA_PSA -#define MBEDTLS_MD_SOME_PSA -#endif -#if defined(PSA_WANT_ALG_SHA_256) -#define MBEDTLS_MD_CAN_SHA256 -#define MBEDTLS_MD_SHA256_VIA_PSA -#define MBEDTLS_MD_SOME_PSA -#endif -#if defined(PSA_WANT_ALG_SHA_384) -#define MBEDTLS_MD_CAN_SHA384 -#define MBEDTLS_MD_SHA384_VIA_PSA -#define MBEDTLS_MD_SOME_PSA -#endif -#if defined(PSA_WANT_ALG_SHA_512) -#define MBEDTLS_MD_CAN_SHA512 -#define MBEDTLS_MD_SHA512_VIA_PSA -#define MBEDTLS_MD_SOME_PSA -#endif -#if defined(PSA_WANT_ALG_RIPEMD160) -#define MBEDTLS_MD_CAN_RIPEMD160 -#define MBEDTLS_MD_RIPEMD160_VIA_PSA -#define MBEDTLS_MD_SOME_PSA -#endif -#if defined(PSA_WANT_ALG_SHA3_224) -#define MBEDTLS_MD_CAN_SHA3_224 -#define MBEDTLS_MD_SHA3_224_VIA_PSA -#define MBEDTLS_MD_SOME_PSA -#endif -#if defined(PSA_WANT_ALG_SHA3_256) -#define MBEDTLS_MD_CAN_SHA3_256 -#define MBEDTLS_MD_SHA3_256_VIA_PSA -#define MBEDTLS_MD_SOME_PSA -#endif -#if defined(PSA_WANT_ALG_SHA3_384) -#define MBEDTLS_MD_CAN_SHA3_384 -#define MBEDTLS_MD_SHA3_384_VIA_PSA -#define MBEDTLS_MD_SOME_PSA -#endif -#if defined(PSA_WANT_ALG_SHA3_512) -#define MBEDTLS_MD_CAN_SHA3_512 -#define MBEDTLS_MD_SHA3_512_VIA_PSA -#define MBEDTLS_MD_SOME_PSA -#endif -#endif /* MBEDTLS_PSA_CRYPTO_C */ - -/* Built-in implementations */ -#if defined(MBEDTLS_MD5_C) -#define MBEDTLS_MD_CAN_MD5 -#define MBEDTLS_MD_SOME_LEGACY -#endif -#if defined(MBEDTLS_SHA1_C) -#define MBEDTLS_MD_CAN_SHA1 -#define MBEDTLS_MD_SOME_LEGACY -#endif -#if defined(MBEDTLS_SHA224_C) -#define MBEDTLS_MD_CAN_SHA224 -#define MBEDTLS_MD_SOME_LEGACY -#endif -#if defined(MBEDTLS_SHA256_C) -#define MBEDTLS_MD_CAN_SHA256 -#define MBEDTLS_MD_SOME_LEGACY -#endif -#if defined(MBEDTLS_SHA384_C) -#define MBEDTLS_MD_CAN_SHA384 -#define MBEDTLS_MD_SOME_LEGACY -#endif -#if defined(MBEDTLS_SHA512_C) -#define MBEDTLS_MD_CAN_SHA512 -#define MBEDTLS_MD_SOME_LEGACY -#endif -#if defined(MBEDTLS_SHA3_C) -#define MBEDTLS_MD_CAN_SHA3_224 -#define MBEDTLS_MD_CAN_SHA3_256 -#define MBEDTLS_MD_CAN_SHA3_384 -#define MBEDTLS_MD_CAN_SHA3_512 -#define MBEDTLS_MD_SOME_LEGACY -#endif -#if defined(MBEDTLS_RIPEMD160_C) -#define MBEDTLS_MD_CAN_RIPEMD160 -#define MBEDTLS_MD_SOME_LEGACY -#endif - -#endif /* MBEDTLS_MD_LIGHT */ - /** The selected feature is not available. */ #define MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE -0x5080 /** Bad input parameters to function. */ From ca832c076e2fa3d440ec52c4fb156724b4ea22f8 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 13 Sep 2024 10:55:22 +0200 Subject: [PATCH 4/8] [nrf fromtree] md: allow dispatch to PSA whenever CRYPTO_CLIENT is enabled Instead of allowing PSA dispatching only when CRYPTO_C is set and some MBEDTLS_PSA_ACCEL_ALG_xxx is set, we enable dispatching when CRYPTO_CLIENT and PSA_WANT_ALG_xxx are set. This makes the feature more useful in cases where the PSA support is provided externally, like for example TF-M in Zephyr. This commit also add proper guards for tests trying to use MD+PSA dispatch. Signed-off-by: Valerio Setti (cherry picked from commit c516307ad90d24de7f6f83e6b2fd825329ce5824) Signed-off-by: Tomi Fontanilles --- include/mbedtls/config_adjust_legacy_crypto.h | 26 +++++++++---------- tests/suites/test_suite_md.function | 2 +- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h index 3ba987ebb2..54dd8de915 100644 --- a/include/mbedtls/config_adjust_legacy_crypto.h +++ b/include/mbedtls/config_adjust_legacy_crypto.h @@ -101,64 +101,64 @@ */ /* PSA accelerated implementations */ -#if defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) -#if defined(MBEDTLS_PSA_ACCEL_ALG_MD5) +#if defined(PSA_WANT_ALG_MD5) #define MBEDTLS_MD_CAN_MD5 #define MBEDTLS_MD_MD5_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_1) +#if defined(PSA_WANT_ALG_SHA_1) #define MBEDTLS_MD_CAN_SHA1 #define MBEDTLS_MD_SHA1_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_224) +#if defined(PSA_WANT_ALG_SHA_224) #define MBEDTLS_MD_CAN_SHA224 #define MBEDTLS_MD_SHA224_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_256) +#if defined(PSA_WANT_ALG_SHA_256) #define MBEDTLS_MD_CAN_SHA256 #define MBEDTLS_MD_SHA256_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_384) +#if defined(PSA_WANT_ALG_SHA_384) #define MBEDTLS_MD_CAN_SHA384 #define MBEDTLS_MD_SHA384_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_512) +#if defined(PSA_WANT_ALG_SHA_512) #define MBEDTLS_MD_CAN_SHA512 #define MBEDTLS_MD_SHA512_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#if defined(MBEDTLS_PSA_ACCEL_ALG_RIPEMD160) +#if defined(PSA_WANT_ALG_RIPEMD160) #define MBEDTLS_MD_CAN_RIPEMD160 #define MBEDTLS_MD_RIPEMD160_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_224) +#if defined(PSA_WANT_ALG_SHA3_224) #define MBEDTLS_MD_CAN_SHA3_224 #define MBEDTLS_MD_SHA3_224_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_256) +#if defined(PSA_WANT_ALG_SHA3_256) #define MBEDTLS_MD_CAN_SHA3_256 #define MBEDTLS_MD_SHA3_256_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_384) +#if defined(PSA_WANT_ALG_SHA3_384) #define MBEDTLS_MD_CAN_SHA3_384 #define MBEDTLS_MD_SHA3_384_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_512) +#if defined(PSA_WANT_ALG_SHA3_512) #define MBEDTLS_MD_CAN_SHA3_512 #define MBEDTLS_MD_SHA3_512_VIA_PSA #define MBEDTLS_MD_SOME_PSA #endif -#endif /* MBEDTLS_PSA_CRYPTO_C */ +#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */ /* Built-in implementations */ #if defined(MBEDTLS_MD5_C) diff --git a/tests/suites/test_suite_md.function b/tests/suites/test_suite_md.function index 2a885e2371..eea47418f1 100644 --- a/tests/suites/test_suite_md.function +++ b/tests/suites/test_suite_md.function @@ -423,7 +423,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C */ void md_psa_dynamic_dispatch(int md_type, int pre_psa_ret, int post_psa_engine) { const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_type); From 0ed197f225185e9c33696b2fa4d6b7572be3d95b Mon Sep 17 00:00:00 2001 From: Tomi Fontanilles Date: Mon, 17 Mar 2025 15:23:17 +0200 Subject: [PATCH 5/8] [nrf noup] enable PSA_UTIL_HAVE_ECDSA also when ECDSA_C This change is re-applied from commit 2cc273be7aa8ac022c466594288f18f4747b62b1 that was reverted to split it into separate noups. Signed-off-by: Tomi Fontanilles --- include/mbedtls/config_adjust_legacy_crypto.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h index 54dd8de915..0a0f769598 100644 --- a/include/mbedtls/config_adjust_legacy_crypto.h +++ b/include/mbedtls/config_adjust_legacy_crypto.h @@ -428,7 +428,7 @@ /* psa_util file features some ECDSA conversion functions, to convert between * legacy's ASN.1 DER format and PSA's raw one. */ -#if (defined(MBEDTLS_PSA_CRYPTO_CLIENT) && \ +#if defined(MBEDTLS_ECDSA_C) || (defined(MBEDTLS_PSA_CRYPTO_CLIENT) && \ (defined(PSA_WANT_ALG_ECDSA) || defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA))) #define MBEDTLS_PSA_UTIL_HAVE_ECDSA #endif From ff66b1885cae4e97eedc8ade34d84f292b909de1 Mon Sep 17 00:00:00 2001 From: Tomi Fontanilles Date: Tue, 18 Mar 2025 09:03:27 +0200 Subject: [PATCH 6/8] [nrf noup] include md.h in psa_util.h Make definitions from md.h available in psa_util.h. This change is re-applied from commit 2cc273be7aa8ac022c466594288f18f4747b62b1 that was reverted to split it into separate noups. This is needed otherwise we get errors regarding missing definitions, e.g. of mbedtls_md_type_t in mbedtls_md_type_from_psa_alg(). Signed-off-by: Tomi Fontanilles --- include/mbedtls/psa_util.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 7350eafcb7..6056e775db 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -13,6 +13,7 @@ #include "mbedtls/private_access.h" #include "mbedtls/build_info.h" +#include "mbedtls/md.h" #include "psa/crypto.h" From 08ad357dd6bcf4f8946ac12970a5ee5fa7caae00 Mon Sep 17 00:00:00 2001 From: Tomi Fontanilles Date: Thu, 20 Mar 2025 11:25:18 +0200 Subject: [PATCH 7/8] [nrf noup] make legacy CCM/GCM dispatch to PSA Make block_cipher call into PSA. This allows code calling legacy CCM/GCM to end up calling PSA Crypto, especially useful from NS when TF-M is in use. This change is re-applied from commit 2cc273be7aa8ac022c466594288f18f4747b62b1 that was reverted to split it into separate noups. Signed-off-by: Tomi Fontanilles --- include/mbedtls/config_adjust_legacy_crypto.h | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h index 0a0f769598..e742732abb 100644 --- a/include/mbedtls/config_adjust_legacy_crypto.h +++ b/include/mbedtls/config_adjust_legacy_crypto.h @@ -199,11 +199,7 @@ #endif /* MBEDTLS_MD_LIGHT */ -/* BLOCK_CIPHER module can dispatch to PSA when: - * - PSA is enabled and drivers have been initialized - * - desired key type is supported on the PSA side - * If the above conditions are not met, but the legacy support is enabled, then - * BLOCK_CIPHER will dynamically fallback to it. +/* BLOCK_CIPHER module can dispatch to PSA * * In case BLOCK_CIPHER is defined (see below) the following symbols/helpers * can be used to define its capabilities: @@ -214,20 +210,20 @@ * - MBEDTLS_BLOCK_CIPHER_xxx_VIA_LEGACY: xxx key type is supported through * a legacy module (i.e. MBEDTLS_xxx_C) */ -#if defined(MBEDTLS_PSA_CRYPTO_C) -#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES) +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) +#if defined(PSA_WANT_KEY_TYPE_AES) #define MBEDTLS_BLOCK_CIPHER_AES_VIA_PSA #define MBEDTLS_BLOCK_CIPHER_SOME_PSA #endif -#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA) +#if defined(PSA_WANT_KEY_TYPE_ARIA) #define MBEDTLS_BLOCK_CIPHER_ARIA_VIA_PSA #define MBEDTLS_BLOCK_CIPHER_SOME_PSA #endif -#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA) +#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) #define MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_PSA #define MBEDTLS_BLOCK_CIPHER_SOME_PSA #endif -#endif /* MBEDTLS_PSA_CRYPTO_C */ +#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */ #if defined(MBEDTLS_AES_C) #define MBEDTLS_BLOCK_CIPHER_AES_VIA_LEGACY From 918f858af55a7e4b76ca7de3751f813e774272d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frank=20Audun=20Kvamtr=C3=B8?= Date: Mon, 30 Sep 2024 14:54:46 +0200 Subject: [PATCH 8/8] [nrf noup]: Allow for using legacy when MBEDTLS_FORCE_LEGACY_MD/CIPHER MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -This allows TF-M minimal configuration to stil dispatch using legacy while we are waiting for more apps/samples to be ported to use PSA crypto APIs Signed-off-by: Frank Audun Kvamtrø (edited cherry pick of 98603a8c91660beac00e0ee1d76198fb7c4ed29b) Signed-off-by: Tomi Fontanilles --- include/mbedtls/config_adjust_legacy_crypto.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h index e742732abb..dd65f1ca6c 100644 --- a/include/mbedtls/config_adjust_legacy_crypto.h +++ b/include/mbedtls/config_adjust_legacy_crypto.h @@ -101,7 +101,7 @@ */ /* PSA accelerated implementations */ -#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(CONFIG_MBEDTLS_FORCE_LEGACY_MD) #if defined(PSA_WANT_ALG_MD5) #define MBEDTLS_MD_CAN_MD5 @@ -210,7 +210,7 @@ * - MBEDTLS_BLOCK_CIPHER_xxx_VIA_LEGACY: xxx key type is supported through * a legacy module (i.e. MBEDTLS_xxx_C) */ -#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(CONFIG_MBEDTLS_FORCE_LEGACY_CIPHER) #if defined(PSA_WANT_KEY_TYPE_AES) #define MBEDTLS_BLOCK_CIPHER_AES_VIA_PSA #define MBEDTLS_BLOCK_CIPHER_SOME_PSA