From 939be5c62f6f97b8397806afec51f4cff47a62df Mon Sep 17 00:00:00 2001
From: Ashish Sharma
Date: Tue, 10 Feb 2026 18:28:02 +0800
Subject: [PATCH] fix(mbedtls): enable pthread threading by default
---
 components/mbedtls/Kconfig | 6 +++---
 components/mbedtls/config/mbedtls_preset_default.conf | 2 +-
 docs/en/migration-guides/release-6.x/6.0/security.rst | 5 ++++-
 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig
index be66b17454..e970072ea6 100644
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -32,7 +32,7 @@ menu "mbedTLS"
 config MBEDTLS_THREADING_C
 bool "Enable the threading abstraction layer"
- default n
+ default y
 help
 If you do intend to use contexts between threads, you will need to
 enable this layer to prevent race conditions.
@@ -40,14 +40,14 @@ menu "mbedTLS"
 config MBEDTLS_THREADING_ALT
 bool "Enable threading alternate implementation"
 depends on MBEDTLS_THREADING_C
- default y
+ default n
 help
 Enable threading alt to allow your own alternate threading implementation.
 config MBEDTLS_THREADING_PTHREAD
 bool "Enable threading pthread implementation"
 depends on MBEDTLS_THREADING_C
- default n
+ default y
 help
 Enable the pthread wrapper layer for the threading layer.
diff --git a/components/mbedtls/config/mbedtls_preset_default.conf b/components/mbedtls/config/mbedtls_preset_default.conf
index e4d7bd74e9..6427b071e4 100644
--- a/components/mbedtls/config/mbedtls_preset_default.conf
+++ b/components/mbedtls/config/mbedtls_preset_default.conf
@@ -4,7 +4,7 @@
 # Core Configuration
 CONFIG_MBEDTLS_FS_IO=y
-CONFIG_MBEDTLS_THREADING_C=n
+CONFIG_MBEDTLS_THREADING_C=y
 CONFIG_MBEDTLS_ERROR_STRINGS=y
 CONFIG_MBEDTLS_VERSION_C=n
 CONFIG_MBEDTLS_HAVE_TIME=y
diff --git a/docs/en/migration-guides/release-6.x/6.0/security.rst b/docs/en/migration-guides/release-6.x/6.0/security.rst
index 7d98a63265..8f4edbc1e7 100644
--- a/docs/en/migration-guides/release-6.x/6.0/security.rst
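Review bot: The help text under `config MBEDTLS_THREADING_C` now reads as opt-in advice ("If you do intend to use contexts between threads, you will need to enable this layer") while the option is on by default, so a user who sees it in menuconfig gets no indication of what they give up by switching it off. Reword it to describe the cost of disabling, e.g. `Provides the mutexes Mbed TLS and PSA Crypto use around shared internal state (such as the PSA key store). Enabled by default; disable only if every Mbed TLS/PSA call in the application is made from a single task, otherwise concurrent use is a data race.` It would also be worth a sentence, here or in the migration guide, that this locking covers Mbed TLS-internal state and, to my knowledge, does not make a single TLS context safe to drive from two tasks at once — that still needs application-level serialization; please confirm against the Mbed TLS threading documentation before wording it as a guarantee. Note that the new Kconfig default only reaches builds that do not already pin `CONFIG_MBEDTLS_THREADING_C` explicitly; any other preset or sdkconfig.defaults that sets it to `n` is unaffected by this hunk (inferred from the diffstat, which touches only the default preset).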
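Review bot: After this hunk `MBEDTLS_THREADING_ALT` and `MBEDTLS_THREADING_PTHREAD` are still two independent bools gated only by `depends on MBEDTLS_THREADING_C`, so menuconfig will accept both enabled (two locking backends compiled in) or both disabled (threading layer with no implementation); as far as I recall Mbed TLS's config check rejects both combinations at compile time, and the failure surfaces as a cryptic preprocessor error rather than a Kconfig constraint. Since the threading layer is now on by default, more users will hit this by simply toggling one of the two. Expressing the two as a Kconfig `choice` with pthread as the default keeps the existing symbol names (so an sdkconfig.defaults with `CONFIG_MBEDTLS_THREADING_ALT=y` still selects it) while guaranteeing exactly one backend. The sketch below replaces the two `config` blocks in this hunk; help texts are carried over unchanged.
```kconfig
    choice MBEDTLS_THREADING_IMPL
        prompt "Threading implementation"
        depends on MBEDTLS_THREADING_C
        default MBEDTLS_THREADING_PTHREAD
        help
            Exactly one locking backend must be selected when the
            threading abstraction layer is enabled.

        config MBEDTLS_THREADING_PTHREAD
            bool "Enable threading pthread implementation"
            help
                Enable the pthread wrapper layer for the threading layer.

        config MBEDTLS_THREADING_ALT
            bool "Enable threading alternate implementation"
            help
                Enable threading alt to allow your own alternate threading implementation.
    endchoice
```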
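Review bot: The preset now sets `CONFIG_MBEDTLS_THREADING_C=y` but does not say which locking backend it intends, leaving `MBEDTLS_THREADING_PTHREAD`/`MBEDTLS_THREADING_ALT` to whatever the Kconfig defaults happen to be — and this very commit shows those defaults can flip between releases. If the preset is meant to pin the shipped security configuration (the migration guide in this patch points users at it for customization), add the two lines right after the changed one: `CONFIG_MBEDTLS_THREADING_PTHREAD=y` and `CONFIG_MBEDTLS_THREADING_ALT=n`. If presets are intentionally minimal and rely on Kconfig defaults for everything not listed, a one-line comment above `# Core Configuration` saying so would stop the next reader from asking the same question.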
+++ b/docs/en/migration-guides/release-6.x/6.0/security.rst
@@ -32,7 +32,7 @@ ESP-IDF v6.0 updates to Mbed TLS v4.0, where **PSA Crypto is the primary cryptog
 - **Breaking change**: certificates/peers using elliptic curves of less than 250 bits (for example secp192r1/secp224r1) are no longer supported in certificates and in TLS.
 - **Note**:
- - void relying on Mbed TLS private declarations (for example headers under ``mbedtls/private/`` or declarations enabled via ``MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS`` / ``MBEDTLS_ALLOW_PRIVATE_ACCESS``). Such private interfaces may change without notice.
+ - Avoid relying on Mbed TLS private declarations (for example headers under ``mbedtls/private/`` or declarations enabled via ``MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS`` / ``MBEDTLS_ALLOW_PRIVATE_ACCESS``). Such private interfaces may change without notice.
 - The PSA Crypto migration (TF-PSA-Crypto) can increase flash footprint, depending on the features enabled. As reference points:
 .. list-table::
@@ -69,6 +69,9 @@ Default configuration changes
 - ``MBEDTLS_ARIA_C`` is disabled by default. Applications that rely on ARIA must explicitly enable it in ``menuconfig`` (Component config -> mbedTLS) or by customizing ``components/mbedtls/config/mbedtls_preset_default.conf``.
 - Support for ``secp192r1`` is disabled by default, consistent with the removal of support for elliptic curves smaller than 250 bits in certificates and TLS. If an application still requires legacy curve support outside TLS/certificates, it must be enabled explicitly (for example by defining ``PSA_WANT_ECC_SECP_R1_192=1``) and validated for compatibility. Note: this legacy support may be disabled in the next minor ESP-IDF release.
+- ``MBEDTLS_THREADING_C`` is enabled by default. This provides thread-safety for the PSA Crypto key management API and ``psa_crypto_init()``. It is recommended to keep this configuration enabled when using PSA Crypto from multiple threads (for example, concurrent TLS connections, certificate operations, or any scenario where cryptographic operations may be invoked from different threads). Applications that only call PSA functions from a single thread are not affected by this change and can optionally disable threading support if desired.
+- ``MBEDTLS_THREADING_PTHREAD`` is enabled by default. This enables Mbed TLS threading support using pthread primitives.
+- ``MBEDTLS_THREADING_ALT`` is disabled by default. This disables Mbed TLS threading support using alternate threading primitives.
 References
 ^^^^^^^^^^