From acd7bafcbbc1d97abc82551958cdba8d580e1f74 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 6 Dec 2023 15:17:12 +0100 Subject: [PATCH] driver-only-build: update AEADs section Note: this section shouldn't actually be updated in #8357, but rather in #8358 which is the wrapup related to cipher and AEADs acceleration. As a consequence we start the AEAD section with a disclaimer explaining that the information written there will be updated soon by a follow up PR. Signed-off-by: Valerio Setti --- docs/driver-only-builds.md | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/docs/driver-only-builds.md b/docs/driver-only-builds.md index 200f439413..2dcfe67975 100644 --- a/docs/driver-only-builds.md +++ b/docs/driver-only-builds.md @@ -245,6 +245,9 @@ Support for deterministic derivation of a DH keypair AEADs ----- +[This section might contain incomplete data and it is going to be updated in +#8358, i.e. the wrap-up task for accelerated ciphers and AEADs.] + It is possible to have all AEADs operations provided only by a driver. More precisely you can: 
@@ -252,15 +255,20 @@ More precisely you can: - `PSA_WANT_ALG_[CCM|GCM]` with `PSA_WANT_KEY_TYPE_[AES|ARIA|CAMELLIA]` - `PSA_WANT_ALG_CHACHA20_POLY1305` with `PSA_WANT_KEY_TYPE_CHACHA20`; - enable `MBEDTLS_PSA_ACCEL_xxx` symbol(s) which correspond to the - `PSA_WANT_xxx` of the previous step; -- disable builtin support of `MBEDTLS_[CCM|GCM|CHACHAPOLY]_C` algorithms and - key types `MBEDTLS_[AES|ARIA|CAMELLIA|CHACHA20]_C` for AEADs which are - accelerated. + `PSA_WANT_xxx` of the previous step (both for algorithms and key types); +- disable builtin support of `MBEDTLS_[CCM|GCM|CHACHAPOLY|POLY1305]_C` + algorithms and key types `MBEDTLS_[AES|ARIA|CAMELLIA|CHACHA20]_C` for AEADs + which are accelerated. -In such a build all AEADs operations requested through the PSA Crypto API -(including those in TLS and X.509) will be performed by the provided driver. -Of course direct calls to the disabled builtin modules -(ex: `mbedtls_ccm_init()`, etc) won't be possible. +In a build in which all AEADs algorithms and related key types are accelerated +all AEADs operations requested through the PSA Crypto API (including those in +TLS and X.509) will be performed by the driver. +Moreover if no unauthenticated cipher is required, it is also possible to +disable all built-in block cipher's key types +(i.e. `MBEDTLS_[AES|ARIA|CAMELLIA|CHACHA20]_C`) and `MBEDTLS_CIPHER_C`. This +helps in further reducing code's footprint, but unfortunately it makes the +following modules unavailable: +- `MBEDTLS_PKCS[5|12]_C` +- `MBEDTLS_CTR_DRBG_C` +- `MBEDTLS_NIST_KW_C` -If no other non-authenticated cipher is required, it is also possible to -disable `MBEDTLS_CIPHER_C` in order to further reduce code's footprint.
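Review bot: The bracketed disclaimer added at the top of the AEADs section (first hunk, at line 245) points to the follow-up only as a bare `#8358`, which a reader of the rendered docs/driver-only-builds.md cannot follow and which is easy to leave behind once the wrap-up lands. Suggest a full link to the issue and a greppable marker (for example a TODO prefix) so the note is removed when #8358 is merged. "Might contain incomplete data" also leaves the reader unable to tell which of the configuration steps below can be relied on; naming the provisional parts would help.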
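Review bot: In the new closing paragraph of the second hunk, "disable all built-in block cipher's key types (i.e. `MBEDTLS_[AES|ARIA|CAMELLIA|CHACHA20]_C`)" lists CHACHA20 under block ciphers, though it is a stream cipher; "built-in cipher key types" would be accurate. The same hunk drops the sentence saying that direct calls to the disabled builtin modules (ex: `mbedtls_ccm_init()`) won't be possible, and that caveat still describes the resulting build, so it is worth keeping. For the list of modules that become unavailable, consider stating whether each is lost because of the key types or because of `MBEDTLS_CIPHER_C`, and telling readers who lose `MBEDTLS_CTR_DRBG_C` what to configure for random generation instead. Finally, `POLY1305` is added to the builtin modules to disable, but none of the steps says which accelerated `PSA_WANT_xxx` covers it; one clause tying it to `PSA_WANT_ALG_CHACHA20_POLY1305` would close that gap.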