From 08f02b0faaefae15fffa2c44a04833da2e8a28b2 Mon Sep 17 00:00:00 2001 From: Ashish Sharma Date: Thu, 22 Jan 2026 15:39:03 +0800 Subject: [PATCH] change(mbedtls): update mbedTLS default configs 1. Disables MBEDTLS_ARIA_C by default 2. SECP192R1 support is disabled by default --- components/mbedtls/Kconfig | 5 ++++- components/mbedtls/config/mbedtls_preset_default.conf | 2 +- components/mbedtls/port/include/mbedtls/esp_config.h | 2 -- docs/en/migration-guides/release-6.x/6.0/security.rst | 10 ++++++++++ 4 files changed, 15 insertions(+), 4 deletions(-) diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig index d06280fdf1..d4be891dbb 100644 --- a/components/mbedtls/Kconfig +++ b/components/mbedtls/Kconfig @@ -868,7 +868,7 @@ menu "mbedTLS" config MBEDTLS_ARIA_C bool "ARIA block cipher" - default y + default n config MBEDTLS_CAMELLIA_SMALL_MEMORY bool "Use small memory implementation of Camellia" @@ -1272,6 +1272,7 @@ menu "mbedTLS" help Enable hardware accelerated ECDSA peripheral to verify signature on curve SECP192R1 and SECP256R1 in mbedTLS. + Note that SECP192R1 support is disabled by default. menu "Enable Software Countermeasure for ECDSA signing using on-chip ECDSA peripheral" depends on MBEDTLS_HARDWARE_ECDSA_SIGN @@ -1312,6 +1313,7 @@ menu "mbedTLS" help Enable hardware accelerated ECDSA peripheral to sign data on curve SECP192R1 and SECP256R1 in mbedTLS. + Note that SECP192R1 support is disabled by default. Note that for signing, the private key has to be burnt in an efuse key block with key purpose set to ECDSA_KEY. @@ -1332,6 +1334,7 @@ menu "mbedTLS" help Enable hardware accelerated ECC point multiplication and point verification for points on curve SECP192R1 and SECP256R1 in mbedTLS + Note that SECP192R1 support is disabled by default. config MBEDTLS_ECC_OTHER_CURVES_SOFT_FALLBACK bool "Fallback to software implementation for curves not supported in hardware" diff --git a/components/mbedtls/config/mbedtls_preset_default.conf b/components/mbedtls/config/mbedtls_preset_default.conf index 8e7a211649..e4d7bd74e9 100644 --- a/components/mbedtls/config/mbedtls_preset_default.conf +++ b/components/mbedtls/config/mbedtls_preset_default.conf @@ -92,7 +92,7 @@ CONFIG_MBEDTLS_SSL_PROTO_DTLS=n # Symmetric Ciphers CONFIG_MBEDTLS_AES_C=y CONFIG_MBEDTLS_CAMELLIA_C=n -CONFIG_MBEDTLS_ARIA_C=y +CONFIG_MBEDTLS_ARIA_C=n CONFIG_MBEDTLS_DES_C=n CONFIG_MBEDTLS_CCM_C=y CONFIG_MBEDTLS_CIPHER_MODE_CBC=y diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h index 64dd7635d7..8fd8408ec0 100644 --- a/components/mbedtls/port/include/mbedtls/esp_config.h +++ b/components/mbedtls/port/include/mbedtls/esp_config.h @@ -60,8 +60,6 @@ */ #define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS -#define PSA_WANT_ECC_SECP_R1_192 1 - /** * \name SECTION: System support * diff --git a/docs/en/migration-guides/release-6.x/6.0/security.rst b/docs/en/migration-guides/release-6.x/6.0/security.rst index 707e7354e0..7d98a63265 100644 --- a/docs/en/migration-guides/release-6.x/6.0/security.rst +++ b/docs/en/migration-guides/release-6.x/6.0/security.rst @@ -60,6 +60,16 @@ ESP-IDF v6.0 updates to Mbed TLS v4.0, where **PSA Crypto is the primary cryptog - 41084 - 4.97 + + +Default configuration changes +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +- Note: The default Mbed TLS configuration in ESP-IDF v6.0 has been tightened for security and footprint: + + - ``MBEDTLS_ARIA_C`` is disabled by default. Applications that rely on ARIA must explicitly enable it in ``menuconfig`` (Component config -> mbedTLS) or by customizing ``components/mbedtls/config/mbedtls_preset_default.conf``. + - Support for ``secp192r1`` is disabled by default, consistent with the removal of support for elliptic curves smaller than 250 bits in certificates and TLS. If an application still requires legacy curve support outside TLS/certificates, it must be enabled explicitly (for example by defining ``PSA_WANT_ECC_SECP_R1_192=1``) and validated for compatibility. Note: this legacy support may be disabled in the next minor ESP-IDF release. + References ^^^^^^^^^^