TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 20e93a2a9d958329cf46a4bff33f3f45406f6773^! / .
commit20e93a2a9d958329cf46a4bff33f3f45406f6773[log] [tgz]
authorValerio Setti <valerio.setti@nordicsemi.no>Mon Dec 04 11:29:36 2023 +0100
committerValerio Setti <valerio.setti@nordicsemi.no>Mon Dec 04 15:24:25 2023 +0100
treeeab5db836ed93b7bc5641996a5785ad605333f54
parent10149c9516812e700922afd5d8b8832415b2e18d [diff]
driver-only-builds: update documentation for AEADs

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>

diff --git a/docs/driver-only-builds.md b/docs/driver-only-builds.md
index 4bad2e8..200f439 100644
--- a/docs/driver-only-builds.md
+++ b/docs/driver-only-builds.md

@@ -55,6 +55,7 @@
 - hashes: SHA-3, SHA-2, SHA-1, MD5, etc.
 - elliptic-curve cryptography (ECC): ECDH, ECDSA, EC J-PAKE, ECC key types.
 - finite-field Diffie-Hellman: FFDH algorithm, DH key types.
+- AEADs: GCM, CCM and ChachaPoly
 
 Supported means that when those are provided only by drivers, everything
 (including PK, X.509 and TLS if `MBEDTLS_USE_PSA_CRYPTO` is enabled) should
@@ -63,7 +64,7 @@
 below.
 
 In the near future (end of 2023), we are planning to also add support for
-ciphers (AES) and AEADs (GCM, CCM, ChachaPoly).
+ciphers (AES, ARIA, Camellia).
 
 Currently (mid-2023) we don't have plans to extend this to RSA. If
 you're interested in driver-only support for RSA, please let us know.
@@ -240,3 +241,26 @@
 ### Limitations
 Support for deterministic derivation of a DH keypair
 (i.e. `PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE`) is not supported.
+
+AEADs
+-----
+
+It is possible to have all AEADs operations provided only by a driver.
+
+More precisely you can:
+- enable desired PSA algorithm(s) and key type(s):
+  - `PSA_WANT_ALG_[CCM|GCM]` with `PSA_WANT_KEY_TYPE_[AES|ARIA|CAMELLIA]`
+  - `PSA_WANT_ALG_CHACHA20_POLY1305` with `PSA_WANT_KEY_TYPE_CHACHA20`;
+- enable `MBEDTLS_PSA_ACCEL_xxx` symbol(s) which correspond to the
+  `PSA_WANT_xxx` of the previous step;
+- disable builtin support of `MBEDTLS_[CCM|GCM|CHACHAPOLY]_C` algorithms and
+  key types `MBEDTLS_[AES|ARIA|CAMELLIA|CHACHA20]_C` for AEADs which are
+  accelerated.
+
+In such a build all AEADs operations requested through the PSA Crypto API
+(including those in TLS and X.509) will be performed by the provided driver.
+Of course direct calls to the disabled builtin modules
+(ex: `mbedtls_ccm_init()`, etc) won't be possible.
+
+If no other non-authenticated cipher is required, it is also possible to
+disable `MBEDTLS_CIPHER_C` in order to further reduce code's footprint.