From 75fb9f89c558b3233638f2e48f7edb5899a8e57c Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 11 Dec 2024 15:33:06 +0100 Subject: [PATCH] mbedtls: make PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_BASIC Kconfig promptless The corresponding build symbols are automatically enabled in Mbed TLS header files whenever any key pair feature between IMPORT,EXPORT, GENERATE,DERIVE is set. So we do the same with Kconfig symbols: - make BASIC promptless - let key pair features (IMPORT,EXPORT,GENERATE,DERIVE) select BASIC. The 2nd point is achieved by adding a new Kconfig file which is meant to hold the logic between PSA_WANT symbols. This is necessary because Kconfig.psa is automatically generated. This commit also removes manual enablement of CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC from one test case. Signed-off-by: Valerio Setti --- modules/mbedtls/Kconfig | 1 + modules/mbedtls/Kconfig.psa | 6 ++--- modules/mbedtls/Kconfig.psa.logic | 24 +++++++++++++++++++ modules/mbedtls/create_psa_files.py | 22 ++++++++++++++--- .../socket/tls_configurations/overlay-ec.conf | 1 - 5 files changed, 47 insertions(+), 7 deletions(-) create mode 100644 modules/mbedtls/Kconfig.psa.logic diff --git a/modules/mbedtls/Kconfig b/modules/mbedtls/Kconfig index d15c420f5075cf1..a0d27069238165a 100644 --- a/modules/mbedtls/Kconfig +++ b/modules/mbedtls/Kconfig @@ -14,6 +14,7 @@ config MBEDTLS_PROMPTLESS dependent sub-configurations and thus prevent stuck symbol behavior. rsource "Kconfig.psa" +rsource "Kconfig.psa.logic" menuconfig MBEDTLS bool "mbed TLS Support" if !MBEDTLS_PROMPTLESS diff --git a/modules/mbedtls/Kconfig.psa b/modules/mbedtls/Kconfig.psa index 7562032bf3d4edb..b59b758734425b1 100644 --- a/modules/mbedtls/Kconfig.psa +++ b/modules/mbedtls/Kconfig.psa 
@@ -301,7 +301,7 @@ config PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY default y if PSA_CRYPTO_ENABLE_ALL config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC - bool "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC" if !MBEDTLS_PROMPTLESS + bool default y if PSA_CRYPTO_ENABLE_ALL config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT @@ -321,7 +321,7 @@ config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE default y if PSA_CRYPTO_ENABLE_ALL config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC - bool "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" if !MBEDTLS_PROMPTLESS + bool default y if PSA_CRYPTO_ENABLE_ALL config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT @@ -337,7 +337,7 @@ config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE default y if PSA_CRYPTO_ENABLE_ALL config PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC - bool "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC" if !MBEDTLS_PROMPTLESS + bool default y if PSA_CRYPTO_ENABLE_ALL config PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT diff --git a/modules/mbedtls/Kconfig.psa.logic b/modules/mbedtls/Kconfig.psa.logic new file mode 100644 index 000000000000000..d8d816ebdc41041 --- /dev/null +++ b/modules/mbedtls/Kconfig.psa.logic @@ -0,0 +1,24 @@ +# Copyright (c) 2024 BayLibre SAS +# SPDX-License-Identifier: Apache-2.0 + +# This file extends Kconfig.psa (which is automatically generated) by adding +# some logic between PSA_WANT symbols. + +config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC + default y + depends on PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT || \ + PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT || \ + PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE || \ + PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE + +config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC + default y + depends on PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT || \ + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT || \ + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE + +config PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC + default y + depends on PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT || \ + PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT || \ + PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE 
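Review bot: The new Kconfig.psa.logic does not say what happens to a configuration that sets only a `_KEY_PAIR_BASIC` symbol, which this commit makes promptless. Without a prompt, an assignment such as `CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC=y` in a .conf file is normally ignored by Kconfig with a warning. A build that needs key pair support without IMPORT, EXPORT, GENERATE or DERIVE (no such user is visible in this patch, so this is an assumption) would therefore lose the symbol unless PSA_CRYPTO_ENABLE_ALL is set. I would state this in the file header, e.g. `# The _BASIC symbols are derived and cannot be set from a .conf file; enable one of the key pair features instead.` The commit message also says the features "select" BASIC, while the file uses `default y` with `depends on`, so the header should name the mechanism actually used.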
diff --git a/modules/mbedtls/create_psa_files.py b/modules/mbedtls/create_psa_files.py index fe6d0b79b465554..a43f61a0b0642d1 100755 --- a/modules/mbedtls/create_psa_files.py +++ b/modules/mbedtls/create_psa_files.py @@ -57,6 +57,18 @@ H_FOOTER="\n#endif /* CONFIG_PSA_H */\n" +# In Mbed TLS the following build symbols are automatically enabled whenever +# any other _IMPORT, _EXPORT, _GENERATE, _DERIVE feature is set for the same key +# type (see "modules/crypto/mbedtls/include/psa/crypto_adjust_config_key_pair_types.h"). +# Therefore we make the corresponding Kconfigs promptless so that they can +# be selected by other IMPORT,EXPORT,GENERATE,DERIVE Kconfigs, replicating +# the same pattern of Mbed TLS. +PROMPTLESS_SYMBOLS = [ + "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC", + "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC", + "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC" +] + def parse_psa_symbols(input_file: str): symbols = [] with open(input_file) as file: @@ -70,11 +82,15 @@ def parse_psa_symbols(input_file: str): def generate_kconfig_content(symbols: List[str]) -> str: output = [] for sym in symbols: + if sym in PROMPTLESS_SYMBOLS: + prompt = "" + else: + prompt = " \"{}\" if !MBEDTLS_PROMPTLESS".format(sym) output.append(""" -config {0} -\tbool "{0}" if !MBEDTLS_PROMPTLESS +config {} +\tbool{} \tdefault y if PSA_CRYPTO_ENABLE_ALL -""".format(sym)) +""".format(sym, prompt)) return KCONFIG_HEADER + "".join(output) + KCONFIG_FOOTER diff --git a/tests/net/socket/tls_configurations/overlay-ec.conf b/tests/net/socket/tls_configurations/overlay-ec.conf index b53dc4bcb555b9b..5a0772f37c586b9 100644 --- a/tests/net/socket/tls_configurations/overlay-ec.conf +++ b/tests/net/socket/tls_configurations/overlay-ec.conf @@ -1,5 +1,4 @@ CONFIG_PSA_WANT_ALG_ECDH=y CONFIG_PSA_WANT_ALG_ECDSA=y -CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC=y CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y CONFIG_PSA_WANT_ECC_SECP_R1_256=y
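Review bot: `PROMPTLESS_SYMBOLS` repeats by hand the three names that Kconfig.psa.logic also lists, and nothing in the script checks that the two stay in step. A stale entry in the list is simply never matched in `generate_kconfig_content`, and a new `_KEY_PAIR_BASIC` symbol appearing upstream would be generated with a prompt and no derivation logic. A guard before the loop, such as `missing = set(PROMPTLESS_SYMBOLS) - set(symbols)` followed by raising when it is non-empty, would catch the first case at generation time. The comment above the list says the Kconfigs can be "selected", but the logic file uses `default y` / `depends on`; wording like `# ... so that their value is derived from the IMPORT, EXPORT, GENERATE, DERIVE Kconfigs` would match. The body of `generate_kconfig_content` starts outside the second hunk.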