From 1d425cee8ee91f47fa38a3c19cbf6cca48673a6b Mon Sep 17 00:00:00 2001 From: Laukik Hase Date: Tue, 10 Feb 2026 13:52:00 +0530 Subject: [PATCH] feat(esp_tee): Remove unused components from the PSA Crypto library --- .../mbedtls/esp_tee/esp_tee_mbedtls.cmake | 33 ++++---- .../mbedtls/esp_tee/esp_tee_mbedtls_config.h | 78 ++++++++++--------- .../mbedtls/port/include/mbedtls/esp_config.h | 4 +- .../psa_crypto_driver_esp_hmac_transparent.c | 44 +++++------ 4 files changed, 82 insertions(+), 77 deletions(-) diff --git a/components/mbedtls/esp_tee/esp_tee_mbedtls.cmake b/components/mbedtls/esp_tee/esp_tee_mbedtls.cmake index efb85ccc62..75247db9aa 100644 --- a/components/mbedtls/esp_tee/esp_tee_mbedtls.cmake +++ b/components/mbedtls/esp_tee/esp_tee_mbedtls.cmake @@ -79,31 +79,29 @@ if(CONFIG_SOC_AES_SUPPORTED) "${COMPONENT_DIR}/port/aes/esp_aes_common.c" "${COMPONENT_DIR}/port/aes/esp_aes_xts.c") target_include_directories(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/include/aes") - if(CONFIG_MBEDTLS_HARDWARE_AES) - target_sources(tfpsacrypto PRIVATE - "${COMPONENT_DIR}/port/psa_driver/esp_aes/psa_crypto_driver_esp_aes.c" - "${COMPONENT_DIR}/port/psa_driver/esp_aes/psa_crypto_driver_esp_aes_gcm.c" - ) - endif() - + target_sources(tfpsacrypto PRIVATE + "${COMPONENT_DIR}/port/psa_driver/esp_aes/psa_crypto_driver_esp_aes.c" + "${COMPONENT_DIR}/port/psa_driver/esp_aes/psa_crypto_driver_esp_aes_gcm.c" + ) endif() # SHA implementation if(CONFIG_SOC_SHA_SUPPORTED) target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/psa_driver/esp_sha/psa_crypto_driver_esp_sha.c" - "${COMPONENT_DIR}/port/psa_driver/esp_sha/core/psa_crypto_driver_esp_sha1.c" "${COMPONENT_DIR}/port/psa_driver/esp_sha/core/psa_crypto_driver_esp_sha256.c" - "${COMPONENT_DIR}/port/psa_driver/esp_sha/core/psa_crypto_driver_esp_sha512.c" "${COMPONENT_DIR}/port/sha/core/sha.c" "${COMPONENT_DIR}/port/sha/esp_sha.c" - "${COMPONENT_DIR}/port/psa_driver/esp_mac/psa_crypto_driver_esp_hmac_transparent.c" - ) -endif() - -if(CONFIG_MBEDTLS_ROM_MD5) - target_sources(tfpsacrypto PRIVATE - "${COMPONENT_DIR}/port/psa_driver/esp_md/psa_crypto_driver_esp_md5.c" ) + if(CONFIG_MBEDTLS_SHA1_C) + target_sources(tfpsacrypto PRIVATE + "${COMPONENT_DIR}/port/psa_driver/esp_sha/core/psa_crypto_driver_esp_sha1.c" + ) + endif() + if(CONFIG_SOC_SHA_SUPPORT_SHA512 AND CONFIG_MBEDTLS_SHA512_C) + target_sources(tfpsacrypto PRIVATE + "${COMPONENT_DIR}/port/psa_driver/esp_sha/core/psa_crypto_driver_esp_sha512.c" + ) + endif() endif() if(CONFIG_SOC_ECC_SUPPORTED) @@ -116,6 +114,9 @@ if(CONFIG_SOC_HMAC_SUPPORTED) target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/psa_driver/esp_mac/psa_crypto_driver_esp_hmac_opaque.c") target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/esp_hmac_pbkdf2.c") target_link_libraries(tfpsacrypto PRIVATE idf::efuse) +else() + target_sources(tfpsacrypto PRIVATE + "${COMPONENT_DIR}/port/psa_driver/esp_mac/psa_crypto_driver_esp_hmac_transparent.c") endif() # PSA Attestation diff --git a/components/mbedtls/esp_tee/esp_tee_mbedtls_config.h b/components/mbedtls/esp_tee/esp_tee_mbedtls_config.h index cde4e8ec6c..8a333c814d 100644 --- a/components/mbedtls/esp_tee/esp_tee_mbedtls_config.h +++ b/components/mbedtls/esp_tee/esp_tee_mbedtls_config.h @@ -40,7 +40,7 @@ #undef MBEDTLS_TIMING_C #define MBEDTLS_PLATFORM_C -#if CONFIG_MBEDTLS_HARDWARE_AES +#if SOC_AES_SUPPORTED #define ESP_AES_DRIVER_ENABLED #define MBEDTLS_PSA_ACCEL_KEY_TYPE_AES #endif @@ -65,29 +65,41 @@ #define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1 #else #undef PSA_WANT_ALG_DETERMINISTIC_ECDSA +#undef MBEDTLS_HMAC_DRBG_C #endif -#if CONFIG_MBEDTLS_SHA1_C -#define MBEDTLS_SHA1_C -#endif -#define MBEDTLS_SHA224_C -#define MBEDTLS_SHA256_C - #if SOC_SHA_SUPPORTED #define ESP_SHA_DRIVER_ENABLED -#define ESP_HMAC_TRANSPARENT_DRIVER_ENABLED -#undef MBEDTLS_PSA_BUILTIN_ALG_HMAC #if CONFIG_MBEDTLS_SHA1_C - #define MBEDTLS_PSA_ACCEL_ALG_SHA_1 - #undef MBEDTLS_PSA_BUILTIN_ALG_SHA_1 - #undef MBEDTLS_SHA1_C +#define MBEDTLS_PSA_ACCEL_ALG_SHA_1 +#undef MBEDTLS_PSA_BUILTIN_ALG_SHA_1 +#undef MBEDTLS_SHA1_C +#else +#undef PSA_WANT_ALG_SHA_1 #endif +#define MBEDTLS_PSA_ACCEL_ALG_SHA_224 #undef MBEDTLS_PSA_BUILTIN_ALG_SHA_224 #undef MBEDTLS_SHA224_C -#define MBEDTLS_PSA_ACCEL_ALG_SHA_224 #undef MBEDTLS_PSA_BUILTIN_ALG_SHA_256 #define MBEDTLS_PSA_ACCEL_ALG_SHA_256 #undef MBEDTLS_SHA256_C +#if SOC_SHA_SUPPORT_SHA512 && CONFIG_MBEDTLS_SHA512_C +#define MBEDTLS_PSA_ACCEL_ALG_SHA_384 +#undef MBEDTLS_PSA_BUILTIN_ALG_SHA_384 +#define MBEDTLS_PSA_ACCEL_ALG_SHA_512 +#undef MBEDTLS_PSA_BUILTIN_ALG_SHA_512 +#undef MBEDTLS_SHA384_C +#undef MBEDTLS_SHA512_C +#else +#undef PSA_WANT_ALG_SHA_384 +#undef PSA_WANT_ALG_SHA_512 +#undef MBEDTLS_SHA512_ALT +#endif +#if !SOC_HMAC_SUPPORTED +#define ESP_HMAC_TRANSPARENT_DRIVER_ENABLED +#define MBEDTLS_PSA_ACCEL_ALG_HMAC +#undef MBEDTLS_PSA_BUILTIN_ALG_HMAC +#endif #endif #if SOC_ECC_SUPPORTED @@ -97,17 +109,6 @@ #if SOC_HMAC_SUPPORTED #define ESP_HMAC_OPAQUE_DRIVER_ENABLED -#else -#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_HMAC -#endif - -#if CONFIG_MBEDTLS_ROM_MD5 -#define ESP_MD5_DRIVER_ENABLED -#define MBEDTLS_PSA_ACCEL_ALG_MD5 -#undef MBEDTLS_PSA_BUILTIN_ALG_MD5 -#else -#undef PSA_WANT_ALG_MD5 -#undef MBEDTLS_MD5_C #endif #undef PSA_WANT_ECC_SECP_R1_192 @@ -139,6 +140,19 @@ #undef MBEDTLS_RIPEMD160_C #undef PSA_WANT_ALG_CHACHA20 #undef MBEDTLS_CHACHA20_C +#undef PSA_WANT_ALG_CHACHA20_POLY1305 +#undef MBEDTLS_CHACHAPOLY_C +#undef PSA_WANT_ALG_CCM +#undef PSA_WANT_ALG_CMAC + +#undef MBEDTLS_AES_C +#define MBEDTLS_AES_ROM_TABLES +#if SOC_AES_SUPPORTED +#define MBEDTLS_AES_FEWER_TABLES +#endif + +#undef PSA_WANT_ALG_MD5 +#undef MBEDTLS_MD5_C #undef PSA_WANT_ALG_SHA3_224 #undef MBEDTLS_SHA3_224_C #undef PSA_WANT_ALG_SHA3_256 @@ -167,22 +181,12 @@ #undef PSA_WANT_ALG_FFDH #undef MBEDTLS_ECDH_C -#undef MBEDTLS_CCM_C -#undef MBEDTLS_CHACHA20_C -#undef MBEDTLS_CHACHAPOLY_C #undef MBEDTLS_DEBUG_C - +#undef MBEDTLS_PSA_ITS_FILE_C +#undef MBEDTLS_PSA_CRYPTO_STORAGE_C #undef MBEDTLS_SSL_CLI_C #undef MBEDTLS_SSL_SRV_C -#undef PSA_WANT_ALG_PBKDF2_HMAC #undef PSA_WANT_ALG_TLS12_PRF +#undef PSA_WANT_ALG_PBKDF2_HMAC #undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 -#undef PSA_WANT_ALG_CCM -#undef PSA_WANT_ALG_CMAC - -#undef MBEDTLS_AES_C -#define MBEDTLS_AES_ROM_TABLES -#if SOC_AES_SUPPORTED -#define MBEDTLS_AES_FEWER_TABLES -#endif diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h index ef905ccfd6..990a124316 100644 --- a/components/mbedtls/port/include/mbedtls/esp_config.h +++ b/components/mbedtls/port/include/mbedtls/esp_config.h @@ -203,9 +203,9 @@ #define MBEDTLS_PSA_BUILTIN_ALG_HMAC #if SOC_SHA_SUPPORT_SHA512 #define MBEDTLS_PSA_ACCEL_ALG_SHA_384 -#undef MBEDTLS_PSA_ACCEL_ALG_SHA_384 +#undef MBEDTLS_PSA_BUILTIN_ALG_SHA_384 #define MBEDTLS_PSA_ACCEL_ALG_SHA_512 -#undef MBEDTLS_PSA_ACCEL_ALG_SHA_512 +#undef MBEDTLS_PSA_BUILTIN_ALG_SHA_512 #undef MBEDTLS_SHA512_C #undef MBEDTLS_SHA384_C #undef MBEDTLS_PSA_BUILTIN_ALG_HMAC diff --git a/components/mbedtls/port/psa_driver/esp_mac/psa_crypto_driver_esp_hmac_transparent.c b/components/mbedtls/port/psa_driver/esp_mac/psa_crypto_driver_esp_hmac_transparent.c index d08533c9fe..4d3cbf04b7 100644 --- a/components/mbedtls/port/psa_driver/esp_mac/psa_crypto_driver_esp_hmac_transparent.c +++ b/components/mbedtls/port/psa_driver/esp_mac/psa_crypto_driver_esp_hmac_transparent.c @@ -16,12 +16,12 @@ psa_status_t esp_hmac_abort_transparent(esp_hmac_transparent_operation_t *esp_hm { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; -#if CONFIG_MBEDTLS_ROM_MD5 +#if defined(ESP_MD5_DRIVER_ENABLED) psa_algorithm_t hash_alg = PSA_ALG_GET_HASH(esp_hmac_ctx->alg); if (hash_alg == PSA_ALG_MD5) { status = esp_md5_hash_abort(&esp_hmac_ctx->md5_ctx); } else -#endif // CONFIG_MBEDTLS_ROM_MD5 +#endif // defined(ESP_MD5_DRIVER_ENABLED) { status = esp_sha_hash_abort(&esp_hmac_ctx->esp_sha_ctx); } @@ -68,9 +68,9 @@ psa_status_t esp_hmac_setup_transparent(esp_hmac_transparent_operation_t *esp_hm memset(esp_hmac_ctx->opad, 0, PSA_HMAC_MAX_HASH_BLOCK_SIZE); if ( -#if CONFIG_MBEDTLS_ROM_MD5 +#if defined(ESP_MD5_DRIVER_ENABLED) hash_alg != PSA_ALG_MD5 && -#endif // CONFIG_MBEDTLS_ROM_MD5 +#endif // defined(ESP_MD5_DRIVER_ENABLED) (hash_alg < PSA_ALG_SHA_1 #if SOC_SHA_SUPPORT_SHA512 || hash_alg > PSA_ALG_SHA_512 @@ -95,12 +95,12 @@ psa_status_t esp_hmac_setup_transparent(esp_hmac_transparent_operation_t *esp_hm } if (key_buffer_size > block_size) { -#if CONFIG_MBEDTLS_ROM_MD5 +#if defined(ESP_MD5_DRIVER_ENABLED) if (hash_alg == PSA_ALG_MD5) { status = esp_md5_hash_compute(hash_alg, key_buffer, key_buffer_size, ipad, sizeof(ipad), &key_buffer_size); } else -#endif // CONFIG_MBEDTLS_ROM_MD5 +#endif // defined(ESP_MD5_DRIVER_ENABLED) { status = esp_sha_hash_compute(hash_alg, key_buffer, key_buffer_size, ipad, sizeof(ipad), &key_buffer_size); @@ -163,11 +163,11 @@ psa_status_t esp_hmac_setup_transparent(esp_hmac_transparent_operation_t *esp_hm memset(esp_hmac_ctx->opad + key_buffer_size, 0x5C, fill_size); } -#if CONFIG_MBEDTLS_ROM_MD5 +#if defined(ESP_MD5_DRIVER_ENABLED) if (hash_alg == PSA_ALG_MD5) { status = esp_md5_hash_setup(&esp_hmac_ctx->md5_ctx, hash_alg); } else -#endif // CONFIG_MBEDTLS_ROM_MD5 +#endif // defined(ESP_MD5_DRIVER_ENABLED) { status = esp_sha_hash_setup(&esp_hmac_ctx->esp_sha_ctx, hash_alg); } @@ -175,11 +175,11 @@ psa_status_t esp_hmac_setup_transparent(esp_hmac_transparent_operation_t *esp_hm goto error; } -#if CONFIG_MBEDTLS_ROM_MD5 +#if defined(ESP_MD5_DRIVER_ENABLED) if (hash_alg == PSA_ALG_MD5) { status = esp_md5_hash_update(&esp_hmac_ctx->md5_ctx, ipad, block_size); } else -#endif // CONFIG_MBEDTLS_ROM_MD5 +#endif // defined(ESP_MD5_DRIVER_ENABLED) { status = esp_sha_hash_update(&esp_hmac_ctx->esp_sha_ctx, ipad, block_size); } @@ -201,12 +201,12 @@ psa_status_t esp_hmac_update_transparent(esp_hmac_transparent_operation_t *esp_h return PSA_ERROR_INVALID_ARGUMENT; } -#if CONFIG_MBEDTLS_ROM_MD5 +#if defined(ESP_MD5_DRIVER_ENABLED) psa_algorithm_t hash_alg = PSA_ALG_GET_HASH(esp_hmac_ctx->alg); if (hash_alg == PSA_ALG_MD5) { return esp_md5_hash_update(&esp_hmac_ctx->md5_ctx, data, data_length); } else -#endif // CONFIG_MBEDTLS_ROM_MD5 +#endif // defined(ESP_MD5_DRIVER_ENABLED) { return esp_sha_hash_update(&esp_hmac_ctx->esp_sha_ctx, data, data_length); } @@ -230,11 +230,11 @@ psa_status_t esp_hmac_finish_transparent( size_t hash_size = 0; size_t block_size = PSA_HASH_BLOCK_LENGTH(hash_alg); -#if CONFIG_MBEDTLS_ROM_MD5 +#if defined(ESP_MD5_DRIVER_ENABLED) if (hash_alg == PSA_ALG_MD5) { status = esp_md5_hash_finish(&esp_hmac_ctx->md5_ctx, tmp, sizeof(tmp), &hash_size); } else -#endif // CONFIG_MBEDTLS_ROM_MD5 +#endif // defined(ESP_MD5_DRIVER_ENABLED) { status = esp_sha_hash_finish(&esp_hmac_ctx->esp_sha_ctx, tmp, sizeof(tmp), &hash_size); } @@ -243,11 +243,11 @@ psa_status_t esp_hmac_finish_transparent( } /* From here on, tmp needs to be wiped. */ -#if CONFIG_MBEDTLS_ROM_MD5 +#if defined(ESP_MD5_DRIVER_ENABLED) if (hash_alg == PSA_ALG_MD5) { status = esp_md5_hash_setup(&esp_hmac_ctx->md5_ctx, hash_alg); } else -#endif // CONFIG_MBEDTLS_ROM_MD5 +#endif // defined(ESP_MD5_DRIVER_ENABLED) { status = esp_sha_hash_setup(&esp_hmac_ctx->esp_sha_ctx, hash_alg); } @@ -255,11 +255,11 @@ psa_status_t esp_hmac_finish_transparent( goto exit; } -#if CONFIG_MBEDTLS_ROM_MD5 +#if defined(ESP_MD5_DRIVER_ENABLED) if (hash_alg == PSA_ALG_MD5) { status = esp_md5_hash_update(&esp_hmac_ctx->md5_ctx, esp_hmac_ctx->opad, block_size); } else -#endif // CONFIG_MBEDTLS_ROM_MD5 +#endif // defined(ESP_MD5_DRIVER_ENABLED) { status = esp_sha_hash_update(&esp_hmac_ctx->esp_sha_ctx, esp_hmac_ctx->opad, block_size); } @@ -267,11 +267,11 @@ psa_status_t esp_hmac_finish_transparent( goto exit; } -#if CONFIG_MBEDTLS_ROM_MD5 +#if defined(ESP_MD5_DRIVER_ENABLED) if (hash_alg == PSA_ALG_MD5) { status = esp_md5_hash_update(&esp_hmac_ctx->md5_ctx, tmp, hash_size); } else -#endif // CONFIG_MBEDTLS_ROM_MD5 +#endif // defined(ESP_MD5_DRIVER_ENABLED) { status = esp_sha_hash_update(&esp_hmac_ctx->esp_sha_ctx, tmp, hash_size); } @@ -279,11 +279,11 @@ psa_status_t esp_hmac_finish_transparent( goto exit; } -#if CONFIG_MBEDTLS_ROM_MD5 +#if defined(ESP_MD5_DRIVER_ENABLED) if (hash_alg == PSA_ALG_MD5) { status = esp_md5_hash_finish(&esp_hmac_ctx->md5_ctx, tmp, sizeof(tmp), &hash_size); } else -#endif // CONFIG_MBEDTLS_ROM_MD5 +#endif // defined(ESP_MD5_DRIVER_ENABLED) { status = esp_sha_hash_finish(&esp_hmac_ctx->esp_sha_ctx, tmp, sizeof(tmp), &hash_size); }