c9d9b1fdb1
Actually not much to change there, from a high level perspective things are quite simple: you used to be able to disable ECP_C, now you can disable BIGNUM_C too. There will be more to update in driver-only-build.md which is the right place for a more detailed explanation of the limitations. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
23 lines
1.5 KiB
Text
23 lines
1.5 KiB
Text
Features
|
|
* When a PSA driver for ECDH is present, it is now possible to disable
|
|
MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
|
|
key exchanges based on ECDH(E) to work, this requires
|
|
MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
|
|
TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
|
|
as PSA does not have an API for restartable ECDH yet.
|
|
* When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
|
|
a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
|
|
if not required by another module) and still get support for ECC keys and
|
|
algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
|
|
for details.
|
|
API changes
|
|
* Mbed TLS 3.4 introduced support for omitting the built-in implementation
|
|
of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
|
|
their was a flaw in the logic checking if the built-in implementation, in
|
|
that if failed to check if all the relevant curves were supported by the
|
|
accelerator. As a result, it was possible to declare no curves as
|
|
accelerated and still have the built-in implementation compiled out.
|
|
Starting with this release, it is necessary to declare which curves are
|
|
accelerated (using MBEDTLS_PSA_ACCEL_ECC_xxx macros), or they will be
|
|
considered not accelerated, and the built-in implementation of the curves
|
|
and any algorithm possible using them will be included in the build.
|