mbedtls
PSA client-server build: disable client-side crypto
In the PSA client-server build (see https://github.com/Mbed-TLS/mbedtls/issues/8963), disable all client-side crypto.
This may turn up problems because the X.509/TLS layers are trying to call low-level crypto functions even when MBEDTLS_USE_PSA_CRYPTO is enabled. The “driver-only” work should have handled most of these, apart from RSA which we initially disabled.
Depending on the problems that turn up, this issue may be resolved gradually, temporarily keeping some local crypto enabled.
Hard prerequisite: https://github.com/Mbed-TLS/mbedtls/issues/8963
May be done before, after or in parallel with https://github.com/Mbed-TLS/mbedtls/issues/8966 — TBD
Follow-ups to complete the work, covering topics which can't easily be done until the PSAification of the library has made some progress:
- RSA
- Restartable operations? Maybe not worth the effort, given that restartable operations are intended for extremely limited devices and client-server operations need a device that's not so limited.