
Study: PSA_CRYPTO_CONFIG always on

Open daverodgman opened this issue 2 years ago • 4 comments

Remove all options from mbedtls_config.h which have equivalent functionality via the crypto config (PSA_WANT_xxx) mechanism.

Look at corresponding clean-up in the library to see if references to the legacy option can be replaced with a suitable PSA macro, or if it needs to be kept as a non-user-visible macro (i.e., set via config_psa.h to control what gets built).

The list of options is probably simply everything that gets set automatically via config_adjust_legacy_from_psa.h and config_adjust_psa_superset_legacy.h, i.e. grep '#define MBEDTLS_' config_adjust_legacy_from_psa.h|sort|uniq|perl -pe 's/#define ([^ ]*).*/\1/'

Also remove config_adjust_psa_from_legacy.h and config_adjust_psa_superset_legacy.h (and verify that this does not result in any changes in configuration as a result).

config_adjust_ssl.h should stay but a few references to legacy options probably need to be replaced with the PSA equivalent (e.g. replace MBEDTLS_ECDH_C with PSA_WANT_ALG_ECDH).

Remove obsolete parts of psa/crypto_adjust_config_key_pair_types.h

In summary:

  • Remove legacy options which have PSA_WANT equivalents from mbedtls_config.h NOT IN SCOPE OF THE REPO SPLIT WORK. IT WILL BE DONE AS PART OF THE 4.0 WORK AND LIKELY AFTER THE REPO SPLIT.
  • [ ] Remove / update the config_adjust headers
  • [ ] Remove MBEDTLS_PSA_CRYPTO_CONFIG from mbedtls_config.
  • [ ] Remove references to MBEDTLS_PSA_CRYPTO_CONFIG from the library and tests
  • [ ] Study: breakdown work to update test dependencies and eliminate tests which use legacy config to do the same thing as a test using crypto config.

Subset of https://github.com/Mbed-TLS/mbedtls/issues/8147

daverodgman, Sep 01 '23 17:09

Note: there is also significant work to update lots of test dependencies

daverodgman, Nov 28 '23 11:11

Remove tests which test the same thing with/without PSA_CRYPTO_CONFIG

daverodgman, Nov 28 '23 11:11

Note: TF-PSA-Crypto has tasks to do some of this already

daverodgman, Nov 28 '23 11:11

We should also take care that the testing done in all.sh components where PSA_CRYPTO_CONFIG is disabled stays eventually the same with PSA_CRYPTO_CONFIG always enabled. In a component where PSA_CRYPTO_CONFIG is disabled and a crypto mechanism is disabled but gets enabled through the PSA_CRYPTO_CONFIG mechanism, the testing is not the same anymore when PSA_CRYPTO_CONFIG is enabled: a crypto mechanism that was intended to be disabled in the test component is enabled eventually. I have been through all.sh components and I have found that the following components are impacted:

  • [x] test_psa_crypto_rsa_no_genprime (see also issue #63 in TF-PSA-Crypto) #9040
  • [x] test_ref_configs (see test_ccm_aes_sha256 as example) #9057
  • [x] test_tls1_2_default_stream_cipher_only_use_psa, test_tls1_2_default_cbc_legacy_cipher_only_use_psa, test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa #9062
  • [x] test_everest_curve25519_only (@tom-daubney-arm)
  • [x] test_crypto_full_md_light_only, test_full_no_cipher_with_psa_crypto, test_full_no_bignum, test_when_no_ciphersuites_have_mac #9185
  • [ ] components running depends.py (see https://github.com/orgs/Mbed-TLS/projects/1#column-19877217)

ronald-cron-arm, Apr 12 '24 10:04
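
The check described in the last comment, finding all.sh components that unset a legacy option which the PSA adjustment header would define again, sketched as an added example that is not part of the issue or of Mbed TLS. It reuses the issue's grep pipeline (with sed in place of perl); the header excerpt, the component names and the assumption that components disable options with `scripts/config.py unset` lines are constructed sample input.

```shell
# Constructed stand-in for config_adjust_legacy_from_psa.h (not its real contents).
sample_adjust_header() {
cat <<'EOF'
#if defined(PSA_WANT_ALG_ECDH)
#define MBEDTLS_ECDH_C
#endif
#if defined(PSA_WANT_ALG_CCM)
#define MBEDTLS_CCM_C
#endif
EOF
}

# Constructed stand-in for all.sh; the component names are hypothetical.
sample_all_sh() {
cat <<'EOF'
component_example_no_ecdh () {
    scripts/config.py unset MBEDTLS_ECDH_C
    scripts/config.py unset MBEDTLS_SSL_TLS_C
}
component_example_no_ccm () {
    scripts/config.py unset MBEDTLS_CCM_C
}
component_example_unaffected () {
    scripts/config.py unset MBEDTLS_SSL_TLS_C
}
EOF
}

# The issue's pipeline, reading the header on stdin (sed in place of perl).
legacy_macros_set_from_psa() {
    grep '#define MBEDTLS_' | sed 's/.*#define \([^ ]*\).*/\1/' | sort -u
}

# Print "component option" for every option a component unsets that is in the
# macro list $1 (one name per line). The all.sh-style script is read on stdin.
impacted_components() {
    awk -v macros="$(printf '%s' "$1" | tr '\n' ' ')" '
        BEGIN { n = split(macros, m, " "); for (i = 1; i <= n; i++) set[m[i]] = 1 }
        /^component_[A-Za-z0-9_]+ *\(\)/ { comp = $1; sub(/\(.*/, "", comp) }
        /config\.py unset / {
            for (i = 1; i < NF; i++)
                if ($i == "unset" && ($(i + 1) in set)) print comp, $(i + 1)
        }'
}

demo() {  # run the check on the constructed samples
    sample_all_sh | impacted_components "$(sample_adjust_header | legacy_macros_set_from_psa)"
}
demo
```

The output is a list of candidates to review by hand: each `#define` in the header is conditional on its PSA_WANT symbol, so a flagged option is only re-enabled in configurations where that symbol is set.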