From da26a5172c005f5b06b6469b534c9ab4f99c875e Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Wed, 6 Sep 2023 17:15:49 +0200
Subject: [PATCH] Disable PK_PARSE and PK_WRITE

This is what TF-M intended and they have done so since we copied the file. It's either disable these options, or enable MBEDTLS_OID_C.

Signed-off-by: Gilles Peskine
---
 configs/config-tfm.h | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/configs/config-tfm.h b/configs/config-tfm.h
index 500cb243f..64dce4874 100644
--- a/configs/config-tfm.h
+++ b/configs/config-tfm.h
@@ -35,8 +35,17 @@
 /* TF-M provides its own (dummy) implemenations which Mbed TLS doesn't need. */
 #undef MBEDTLS_AES_SETKEY_DEC_ALT
 #undef MBEDTLS_AES_DECRYPT_ALT
-/* pkparse.c fails to link without this. */
-#define MBEDTLS_OID_C
+/* The configuration we have enables MBEDTLS_PK_PARSE_C and MBEDTLS_PK_WRITE_C
+ * but not MBEDTLS_OID_C. This is inconsistent, and leads to a link error
+ * when using one of the mbedtls_pk_parse_xxx or mbedtls_pk_write_xxx
+ * functions that depend on an mbedtls_oid_xxx function.
+ * Mbed TLS needs PK parse/write for RSA with PSA, but the medium
+ * profile doesn't have RSA. Later versions of TF-M no longer enable
+ * PK parse/write: it wasn't a wanted feature. So disable it here
+ * (otherwise we'd have to enable MBEDTLS_OID_C).
+ */
+#undef MBEDTLS_PK_PARSE_C
+#undef MBEDTLS_PK_WRITE_C
 /* Use built-in platform entropy functions. */
 #undef MBEDTLS_NO_PLATFORM_ENTROPY