mbedtls: auto-enable PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_BASIC

PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_BASIC build symbols are automatically enabled in Mbed TLS header files whenever any key pair feature between IMPORT,EXPORT, GENERATE,DERIVE is set. So we mimic the same behavior with Kconfig symbols: - do not add BASIC to the automatic generated Kconfig file; - let BASIC be auto-enabled as soon as any other feature (IMPORT,EXPORT, GENERATE,DERIVE) is enabled for the same key type. The 2nd point is achieved by adding a new Kconfig file which is meant to hold the logic between PSA_WANT symbols. This is necessary because Kconfig.psa is automatically generated. Signed-off-by: Valerio Setti <[email protected]>
zephyrproject-rtos · Dec 12, 2024 · 91999fb · 91999fb
1 parent 90ff9c0
commit 91999fb
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 12 deletions.
diff --git a/modules/mbedtls/Kconfig b/modules/mbedtls/Kconfig
@@ -14,6 +14,7 @@ config MBEDTLS_PROMPTLESS
 	  dependent sub-configurations and thus prevent stuck symbol behavior.
 
 rsource "Kconfig.psa"
+rsource "Kconfig.psa.logic"
 
 menuconfig MBEDTLS
 	bool "mbed TLS Support" if !MBEDTLS_PROMPTLESS

diff --git a/modules/mbedtls/Kconfig.psa b/modules/mbedtls/Kconfig.psa
@@ -300,10 +300,6 @@ config PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
 	bool "PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
 
-config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC
-	bool "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
 config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
 	bool "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
@@ -320,10 +316,6 @@ config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
 	bool "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
 
-config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
-	bool "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
 config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
 	bool "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
@@ -336,10 +328,6 @@ config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
 	bool "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
 
-config PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC
-	bool "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
 config PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
 	bool "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL

diff --git a/modules/mbedtls/Kconfig.psa.logic b/modules/mbedtls/Kconfig.psa.logic
@@ -0,0 +1,27 @@
+# Copyright (c) 2024 BayLibre SAS
+# SPDX-License-Identifier: Apache-2.0
+
+# This file extends Kconfig.psa (which is automatically generated) by adding
+# some logic between PSA_WANT symbols.
+
+config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC
+	bool
+	default y
+	depends on PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT || \
+		   PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT || \
+		   PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE || \
+		   PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
+
+config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
+	bool
+	default y
+	depends on PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT || \
+		   PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT || \
+		   PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
+
+config PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC
+	bool
+	default y
+	depends on PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT || \
+		   PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT || \
+		   PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE
diff --git a/modules/mbedtls/create_psa_files.py b/modules/mbedtls/create_psa_files.py
@@ -57,6 +57,20 @@
 
 H_FOOTER="\n#endif /* CONFIG_PSA_H */\n"
 
+# In Mbed TLS the PSA_WANT_KEY_TYPE_[ECC|RSA|DH]_KEY_PAIR_BASIC build symbols
+# are automatically enabled whenever any other _IMPORT, _EXPORT, _GENERATE or
+# _DERIVE feature is set for the same key type
+# (see "modules/crypto/mbedtls/include/psa/crypto_adjust_config_key_pair_types.h").
+# Therefore we mimic the same pattern with Kconfigs as follows:
+# - do not add _BASIC Kconfigs to the automatic generated file (KCONFIG_PATH);
+# - add _BASIC Kconfigs to Kconfig.psa.logic and let them "default y" as soon as
+#   any other _IMPORT, _EXPORT, _GENERATE or _DERIVE Kconfigs are enabled.
+SKIP_SYMBOLS = [
+    "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC",
+    "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC",
+    "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC"
+]
+
 def parse_psa_symbols(input_file: str):
     symbols = []
     with open(input_file) as file:
@@ -70,6 +84,8 @@ def parse_psa_symbols(input_file: str):
 def generate_kconfig_content(symbols: List[str]) -> str:
     output = []
     for sym in symbols:
+        if sym in SKIP_SYMBOLS:
+            continue
         output.append("""
 config {0}
 \tbool "{0}" if !MBEDTLS_PROMPTLESS