driver-only-build: update AEADs section

Note: this section shouldn't actually be updated in #8357, but
rather in #8358 which is the wrapup related to cipher and AEADs
accelaration. As a consequence we start the AEAD section with
a disclaimer explaining that the information written there will
be updated soon by a follow up PR.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This commit is contained in:
Valerio Setti 2023-12-06 15:17:12 +01:00
parent 1e3fcc5692
commit acd7bafcbb

View file

@ -245,6 +245,9 @@ Support for deterministic derivation of a DH keypair
AEADs
-----
[This section might contain incomplete data and it is going to be updated in
#8358, i.e. the wrap-up task for accelerated ciphers and AEADs.]
It is possible to have all AEADs operations provided only by a driver.
More precisely you can:
@ -252,15 +255,20 @@ More precisely you can:
- `PSA_WANT_ALG_[CCM|GCM]` with `PSA_WANT_KEY_TYPE_[AES|ARIA|CAMELLIA]`
- `PSA_WANT_ALG_CHACHA20_POLY1305` with `PSA_WANT_KEY_TYPE_CHACHA20`;
- enable `MBEDTLS_PSA_ACCEL_xxx` symbol(s) which correspond to the
`PSA_WANT_xxx` of the previous step;
- disable builtin support of `MBEDTLS_[CCM|GCM|CHACHAPOLY]_C` algorithms and
key types `MBEDTLS_[AES|ARIA|CAMELLIA|CHACHA20]_C` for AEADs which are
accelerated.
`PSA_WANT_xxx` of the previous step (both for algorithms and key types);
- disable builtin support of `MBEDTLS_[CCM|GCM|CHACHAPOLY|POLY1305]_C`
algorithms and key types `MBEDTLS_[AES|ARIA|CAMELLIA|CHACHA20]_C` for AEADs
which are accelerated.
In such a build all AEADs operations requested through the PSA Crypto API
(including those in TLS and X.509) will be performed by the provided driver.
Of course direct calls to the disabled builtin modules
(ex: `mbedtls_ccm_init()`, etc) won't be possible.
In a build in which all AEADs algorithms and related key types are accelerated
all AEADs operations requested through the PSA Crypto API (including those in
TLS and X.509) will be performed by the driver.
Moreover if no unauthenticated cipher is required, it is also possible to
disable all built-in block cipher's key types
(i.e. `MBEDTLS_[AES|ARIA|CAMELLIA|CHACHA20]_C`) and `MBEDTLS_CIPHER_C`. This
helps in further reducing code's footprint, but unfortunately it makes the
following modules unavailable:
- `MBEDTLS_PKCS[5|12]_C`
- `MBEDTLS_CTR_DRBG_C`
- `MBEDTLS_NIST_KW_C`
If no other non-authenticated cipher is required, it is also possible to
disable `MBEDTLS_CIPHER_C` in order to further reduce code's footprint.