Update p256-m to state that it's ready for production

Add some guidance as to whether and how to enable it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
parent 31beb2d449
commit 016db89107
1 changed files with 25 additions and 9 deletions
|
@ -856,16 +856,32 @@
|
||||||
//#define MBEDTLS_ECP_WITH_MPI_UINT
|
//#define MBEDTLS_ECP_WITH_MPI_UINT
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Uncomment to enable p256-m, which implements ECC key generation, ECDH,
|
* Uncomment to enable p256-m. This is an alternative implementation of
|
||||||
* and ECDSA for SECP256R1 curves. This driver is used as an example to
|
* key generation, ECDH and (randomized) ECDSA on the curve SECP256R1.
|
||||||
* document how a third-party driver or software accelerator can be integrated
|
* Compared to the default implementation:
|
||||||
* to work alongside Mbed TLS.
|
|
||||||
*
|
*
|
||||||
* \warning p256-m has only been included to serve as a sample implementation
|
* - p256-m has a much smaller code size and RAM footprint.
|
||||||
* of how a driver/accelerator can be integrated alongside Mbed TLS. It is not
|
* - p256-m is only available via the PSA API. This includes the pk module
|
||||||
* intended for use in production. p256-m files in Mbed TLS are not updated
|
* when #MBEDTLS_USE_PSA_CRYPTO is enabled.
|
||||||
* regularly, so they may not contain upstream fixes/improvements.
|
* - p256-m does not support deterministic ECDSA, EC-JPAKE, custom protocols
|
||||||
* DO NOT ENABLE/USE THIS MACRO IN PRODUCTION BUILDS!
|
* over the core arithmetic, or deterministic derivation of keys.
|
||||||
|
*
|
||||||
|
* We recommend enabling this option if your application uses the PSA API
|
||||||
|
* and the only elliptic curve support it needs is ECDH and ECDSA over
|
||||||
|
* SECP256R1.
|
||||||
|
*
|
||||||
|
* If you enable this option, you do not need to enable any ECC-related
|
||||||
|
* MBEDTLS_xxx option. You do need to separately request support for the
|
||||||
|
* cryptographic mechanisms through the PSA API:
|
||||||
|
* - #MBEDTLS_PSA_CRYPTO_C and #MBEDTLS_PSA_CRYPTO_CONFIG for PSA-based
|
||||||
|
* configuration;
|
||||||
|
* - #MBEDTLS_USE_PSA_CRYPTO if you want to use p256-m from PK, X.509 or TLS;
|
||||||
|
* - #PSA_WANT_ECC_SECP_R1_256;
|
||||||
|
* - #PSA_WANT_ALG_ECDH and/or #PSA_WANT_ALG_ECDSA as needed;
|
||||||
|
* - #PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY, #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC,
|
||||||
|
* #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT,
|
||||||
|
* #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT and/or
|
||||||
|
* #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE as needed.
|
||||||
*/
|
*/
|
||||||
//#define MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED
|
//#define MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED
|
||||||
|
|
||||||
|
|
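Review bot: the macro on the last line of this hunk is still named MBEDTLS_P256M_EXAMPLE_DRIVER_ENABLED, which contradicts the new comment recommending it for applications that only need ECDH and ECDSA over SECP256R1. Either rename it or add a sentence saying the EXAMPLE in the name is historical, so that nobody reads the name as the old "DO NOT ENABLE/USE THIS MACRO IN PRODUCTION BUILDS!" warning. The removed text also gave a concrete reason for that warning ("p256-m files in Mbed TLS are not updated regularly, so they may not contain upstream fixes/improvements"), and the new comment drops it without saying how upstream fixes are now tracked; one line on that would justify the change of status. Finally, the list of unsupported mechanisms (deterministic ECDSA, EC-JPAKE, custom protocols over the core arithmetic, deterministic derivation of keys) does not say what happens when a configuration requests one of them together with this option. Please document whether the build fails or the default implementation is pulled in as well, since the latter would cancel the code size and RAM benefit listed in the first bullet.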