mbedtls/docs/proposed/psa-driver-integration-guide.md

Building Mbed TLS with PSA cryptoprocessor drivers
==================================================

**This is a specification of work in progress. The implementation is not yet merged into Mbed TLS.**
For a description of the current state of drivers Mbed TLS, see our [PSA Cryptoprocessor driver development examples](../psa-driver-example-and-guide.html).

This document describes how to build Mbed TLS with additional cryptoprocessor drivers that follow the PSA cryptoprocessor driver interface.

The interface is not fully implemented in Mbed TLS yet. Please note that the interface may still change: until further notice, we do not guarantee backward compatibility with existing driver code.

## Introduction

The PSA cryptography driver interface provides a way to build Mbed TLS with additional code that implements certain cryptographic primitives. This is primarily intended to support platform-specific hardware.

Note that such drivers are only available through the PSA cryptography API (crypto functions beginning with `psa_`, and X.509 and TLS interfaces that reference PSA types).

Concretely speaking, a driver consists of one or more **driver description files** in JSON format and some code to include in the build. The driver code can either be provided in binary form as additional object file to link, or in source form.

## How to build Mbed TLS with drivers

To build Mbed TLS with drivers:

1. Pass the driver description files through the Make variable `PSA_DRIVERS` when building the library.

    ```
    cd /path/to/mbedtls
    make PSA_DRIVERS="/path/to/acme/driver.json /path/to/nadir/driver.json" lib
    ```

2. Link your application with the implementation of the driver functions.

    ```
    cd /path/to/application
    ld myapp.o -L/path/to/acme -lacmedriver -L/path/to/nadir -lnadirdriver -L/path/to/mbedtls -lmbedcrypto
    ```

<!-- TODO: what if the driver is provided as C source code? -->

<!-- TODO: what about additional include files? -->
Start Mbed TLS guides to PSA drivers Driver developer's guide: introduction on how to write a driver. Driver integration guide: how to build Mbed TLS with drivers. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2020-07-13 11:28:20 +02:00			`Building Mbed TLS with PSA cryptoprocessor drivers`
			`==================================================`

			`This is a specification of work in progress. The implementation is not yet merged into Mbed TLS.`
Add link to examples in relevant places Some documents about driver describe a state of things that is ahead of the reality. They already contain a warning about it, but no way to know that the current reality is; add a pointer to a document that describes it. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> 2023-08-07 11:36:14 +02:00			`For a description of the current state of drivers Mbed TLS, see our [PSA Cryptoprocessor driver development examples](../psa-driver-example-and-guide.html).`
Start Mbed TLS guides to PSA drivers Driver developer's guide: introduction on how to write a driver. Driver integration guide: how to build Mbed TLS with drivers. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2020-07-13 11:28:20 +02:00
			`This document describes how to build Mbed TLS with additional cryptoprocessor drivers that follow the PSA cryptoprocessor driver interface.`

psa: Remove MBEDTLS_PSA_CRYPTO_DRIVERS configuration option The support for the PSA crypto driver interface is not optional anymore as the implementation of the PSA cryptography interface has been restructured around the PSA crypto driver interface (see psa-crypto-implementation-structure.md). There is thus no purpose for the configuration options MBEDTLS_PSA_CRYPTO_DRIVERS anymore. Signed-off-by: Ronald Cron <ronald.cron@arm.com> 2023-01-16 16:56:51 +01:00			`The interface is not fully implemented in Mbed TLS yet. Please note that the interface may still change: until further notice, we do not guarantee backward compatibility with existing driver code.`
Start Mbed TLS guides to PSA drivers Driver developer's guide: introduction on how to write a driver. Driver integration guide: how to build Mbed TLS with drivers. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2020-07-13 11:28:20 +02:00
			`## Introduction`

			`The PSA cryptography driver interface provides a way to build Mbed TLS with additional code that implements certain cryptographic primitives. This is primarily intended to support platform-specific hardware.`

			Note that such drivers are only available through the PSA cryptography API (crypto functions beginning with `psa_`, and X.509 and TLS interfaces that reference PSA types).

			`Concretely speaking, a driver consists of one or more driver description files in JSON format and some code to include in the build. The driver code can either be provided in binary form as additional object file to link, or in source form.`

			`## How to build Mbed TLS with drivers`

			`To build Mbed TLS with drivers:`

psa: Remove MBEDTLS_PSA_CRYPTO_DRIVERS configuration option The support for the PSA crypto driver interface is not optional anymore as the implementation of the PSA cryptography interface has been restructured around the PSA crypto driver interface (see psa-crypto-implementation-structure.md). There is thus no purpose for the configuration options MBEDTLS_PSA_CRYPTO_DRIVERS anymore. Signed-off-by: Ronald Cron <ronald.cron@arm.com> 2023-01-16 16:56:51 +01:00			1. Pass the driver description files through the Make variable `PSA_DRIVERS` when building the library.
Start Mbed TLS guides to PSA drivers Driver developer's guide: introduction on how to write a driver. Driver integration guide: how to build Mbed TLS with drivers. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2020-07-13 11:28:20 +02:00
			```
			`cd /path/to/mbedtls`
			`make PSA_DRIVERS="/path/to/acme/driver.json /path/to/nadir/driver.json" lib`
			```

psa: Remove MBEDTLS_PSA_CRYPTO_DRIVERS configuration option The support for the PSA crypto driver interface is not optional anymore as the implementation of the PSA cryptography interface has been restructured around the PSA crypto driver interface (see psa-crypto-implementation-structure.md). There is thus no purpose for the configuration options MBEDTLS_PSA_CRYPTO_DRIVERS anymore. Signed-off-by: Ronald Cron <ronald.cron@arm.com> 2023-01-16 16:56:51 +01:00			`2. Link your application with the implementation of the driver functions.`
Start Mbed TLS guides to PSA drivers Driver developer's guide: introduction on how to write a driver. Driver integration guide: how to build Mbed TLS with drivers. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2020-07-13 11:28:20 +02:00
			```
			`cd /path/to/application`
			`ld myapp.o -L/path/to/acme -lacmedriver -L/path/to/nadir -lnadirdriver -L/path/to/mbedtls -lmbedcrypto`
			```

			`<!-- TODO: what if the driver is provided as C source code? -->`

			`<!-- TODO: what about additional include files? -->`