modules: mbedtls: bump to 4.0#104031
Draft
valeriosetti wants to merge 32 commits intozephyrproject-rtos:mainfrom
Draft
modules: mbedtls: bump to 4.0#104031valeriosetti wants to merge 32 commits intozephyrproject-rtos:mainfrom
valeriosetti wants to merge 32 commits intozephyrproject-rtos:mainfrom
Conversation
|
The following west manifest projects have changed revision in this Pull Request:
Additional metadata changed:
⛔ DNM label due to: 4 added projects, 3 projects with PR revision and 1 project with metadata changes Note: This message is automatically posted and updated by the Manifest GitHub Action. |
github-actions
bot
added
manifest
manifest-mbedtls-3.6.5
manifest-tf-psa-crypto
manifest-mcuboot
manifest-mbedtls
DNM (manifest)
valeriosetti
force-pushed
the
mbedtls4-integration
branch
3 times, most recently
from
ecc176b to
4ca507c
Compare
valeriosetti
force-pushed
the
mbedtls4-integration
branch
2 times, most recently
from
d0ffe43 to
42b0f80
Compare
This was referenced Feb 16, 2026
valeriosetti
force-pushed
the
mbedtls4-integration
branch
3 times, most recently
from
5aebdcb to
c5e7c8c
Compare
valeriosetti
force-pushed
the
mbedtls4-integration
branch
5 times, most recently
from
42bdbeb to
7bbc1db
Compare
valeriosetti
force-pushed
the
mbedtls4-integration
branch
from
6d91d3c to
2ea866b
Compare
MBEDTLS_KEY_EXCHANGE_RSA_ENABLED was removed from Mbed TLS 4.0 because it's no more supported. As a consequence Kconfig and build symbol are also removed. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Adding: - MBEDTLS_CIPHERSUITE_TLS1_3_AES_256_GCM_SHA384 - MBEDTLS_CIHPERSUITE_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 Signed-off-by: Valerio Setti <vsetti@baylibre.com>
- RSA based key exchanges were removed so the corresponding test case is also removed. It has been replaced with a PSK one, still using TLS 1.2. - Configuration overlay files were removed because thank to ciphersuite Kconfig it's now pretty trivial and compact to select what's required for a connection. pytest script was updated accordingly. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Ciphersuites using RSA encryption were removed from Mbed TLS 4.0. As a consequence this commit removes MBEDTLS_CIPHERSUITE_TLS_RSA_WITH_AES_256_CBC_SHA256 and replaces it with MBEDTLS_CIPHERSUITE_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 in tests/samples code. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Minor changes that are required in order to move from Mbed TLS 3.6.5 to TF-PSA-Crypto 1.x: - "psa_crypto_driver_wrappers.h" has been relocated - some extra include folders are required because they are directly included from "psa_crypto_driver_wrappers.h" but not exported from "mbedTLS" library since they are meant to remain private. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Starting from TF-PSA-Crypto 1.0 CTR-DRBG is an internal module and cannot be referenced directly by external code. Therefore CTR_DRBG_CSPRNG_GENERATOR cannot be used. However CTR-DRBG is still used internally by TF-PSA-Crypto when MBEDTLS_PSA_CRYPTO_LEGACY_RNG is set, so we take advantage of this for the replacement. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
This allows NS app to have these headers available at build time without any need to extend its CMake file to explicitly link to "tfm_api" zephyr library. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
valeriosetti
force-pushed
the
mbedtls4-integration
branch
6 times, most recently
from
ad7cd55 to
69f086d
Compare
These tests directly reference Mbed TLS/TF-PSA-Crypto include path in their CMakeLists file. This commits adjust the path with new values. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED has been removed so there is no need to disable it. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
RSA based key exchange has been removed from Mbed TLS 4. This commit replaces it with an ECDHE-ECDSA alternative. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Add PSA_WANT_ALG_SHA_1 to the TLS configuration. This is required to parse the certificate. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
DES and elliptic curves secp192r1, secp192k1 and secp224r1 were removed from tf-psa-crypto. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Remove inclusions that date back to the original addition of this driver and that are no more required when PSA API is used. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Add a Kconfig which still allows to get access to legacy (now internal) Mbed TLS crypto. Legacy header files are copied out of the private folder into the build directory and the folder is the added to the Zephyr build. Morevoer MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS is also set in the Mbed TLS build in order to access functions and macros that wouldn't be accessible otherwise. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Select only PSA_WANT and remove usage of legacy crypto. Extend also Mbed TLS's CMake to build a library which includes legacy Mbed TLS crypto modules that were removed from TF-PSA-Crypto. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Remove a legacy Mbed TLS error code that was removed in TF-PSA-Crypto used by the OpenThread module. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Include a fix for replacing usage of legacy crypto with PSA Crypto API and to prepare for tf-psa-crypto transition. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Add Kconfig choice to select between legacy Mbed TLS crypto and PSA Crypto API. The latter is the default choice. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Add Kconfigs for major.minor.patch numbers. These information can be helpful to condition some setting of Mbed TLS. New Kconfigs are intentionally added outside of the MBEDTLS guard in order to avoid cyclic dependencies problem. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
- replace legacy Kconfigs with corresponding PSA_WANT ones. - extend Mbed TLS' CMake file in order to include these legacy ecdh module that was removed from TF-PSA-Crypto when ESP32 BT and WiFi drivers are built. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
OT now uses "mbedtls_asn1_get_tag" which makes MBEDTLS_ASN1_PARSE_C required. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
valeriosetti
force-pushed
the
mbedtls4-integration
branch
from
69f086d to
cb39821
Compare
TF-PSA-Crypto's bignum module includes some assembly optimization for x86, x86_64 and ARM64 platforms. When building for "native_sim/native" on a 64 bit platform the compiler tries to set 32 bit compatibility mode, but of course assembly functions between 32 and 64 bits architectures don't match and therefore the build fails. Disabling optimizations prevents TF-PSA-Crypto from trying to use assembly and the test passes. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Draft because I need to run the CI on it to understand what still needs to be fixed. Moreover also some of the referenced repos are on my github account and that of course needs to be addressed as well.