Improve "abstraction layers" section
- fix inaccuracy about PSA hash implementation
- add note about context-less operations
- provide summary
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/docs/architecture/psa-migration/strategy.md b/docs/architecture/psa-migration/strategy.md
index a166b27..d63ad70 100644
--- a/docs/architecture/psa-migration/strategy.md
+++ b/docs/architecture/psa-migration/strategy.md
@@ -156,8 +156,8 @@
This strategy is currently used for ECDSA signature verification in the PK
layer, and could be extended to all operations in the PK layer.
-This strategy is not very well suited to the Cipher and MD layers, as the PSA
-implementation is currently done on top of those layers.
+This strategy is not very well suited to the Cipher layer, as the PSA
+implementation is currently done on top of that layer.
Replace calls for each operation
--------------------------------
@@ -184,6 +184,9 @@
- Downside: when the context is typically set up by the application, requires
changes in application code.
+This strategy is not useful when no context is used, for example with the
+one-shot function `mbedtls_md()`.
+
There are two variants of this strategy: one where using the new setup
function also allows for key isolation (the key is only held by PSA,
supporting both G1 and G2 in that area), and one without isolation (the key is
@@ -207,6 +210,16 @@
application code, while the other requires no application change to get
support for drivers, but fails to provide isolation support.
+Summary
+-------
+
+Stategies currently used with each abstraction layer:
+
+- PK (for G1): silently call PSA
+- PK (for G2): opt-in use of PSA (new key type)
+- Cipher (G1): opt-in use of PSA (new setup function)
+- MD (G1): replace calls at each call site
+
Migrating away from the legacy API
==================================