From c98ace0714ec16531ec9b45d26a772c9432a103f Mon Sep 17 00:00:00 2001
From: Dominik Ermel
Date: Wed, 19 Mar 2025 15:01:08 +0000
Subject: [PATCH 1/2] modules: mbedtls: Expose MBEDTLS_RSA_C

Allow enabling MBEDTLS_RSA_C without key exchange enabled.
This allows to use RSA without enabling x509 support too.

Signed-off-by: Dominik Ermel
---
 modules/mbedtls/Kconfig.tls-generic | 9 +++++++++
 modules/mbedtls/configs/config-tls-generic.h | 6 +++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/modules/mbedtls/Kconfig.tls-generic b/modules/mbedtls/Kconfig.tls-generic
index 6505539082ad..226285867c23 100644
--- a/modules/mbedtls/Kconfig.tls-generic
+++ b/modules/mbedtls/Kconfig.tls-generic
@@ -44,6 +44,11 @@ menu "Ciphersuite configuration"
 
 comment "Supported key exchange modes"
 
+config MBEDTLS_RSA_C
+	bool "RSA cryptosystem"
+	help
+	  Base support for RSA, without key x509 exchange enabled.
+
 config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
 	bool "All available ciphersuite modes"
 	select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
@@ -70,6 +75,7 @@ config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
 
 config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
 	bool "RSA-PSK based ciphersuite modes"
+	select MBEDTLS_RSA_C
 
 config MBEDTLS_PSK_MAX_LEN
 	int "Max size of TLS pre-shared keys"
@@ -82,6 +88,7 @@ config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 	bool "RSA-only based ciphersuite modes"
 	default y if UOSCORE || UEDHOC
 	select MBEDTLS_MD
+	select MBEDTLS_RSA_C if !PSA_CRYPTO_CLIENT
 	select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY if PSA_CRYPTO_CLIENT
 	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT if PSA_CRYPTO_CLIENT
 	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT if PSA_CRYPTO_CLIENT
@@ -89,9 +96,11 @@ config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 
 config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
 	bool "DHE-RSA based ciphersuite modes"
+	select MBEDTLS_RSA_C
 
 config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
 	bool "ECDHE-RSA based ciphersuite modes"
+	select MBEDTLS_RSA_C
 	depends on MBEDTLS_ECDH_C
 
 config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
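Review bot: The help text of the new MBEDTLS_RSA_C option, `Base support for RSA, without key x509 exchange enabled.`, runs two statements into one and does not say what the option actually turns on; the companion header change maps it to MBEDTLS_RSA_C plus MBEDTLS_PKCS1_V21 only, which a user picking "RSA cryptosystem" needs to know. I would replace the help line with `Base support for the RSA cryptosystem using PKCS#1 v2.1 (OAEP/PSS) padding only. Does not enable any TLS RSA key exchange or X.509 support; PKCS#1 v1.5 padding is only enabled by the key-exchange options that require it.` Note also that MBEDTLS_KEY_EXCHANGE_RSA_ENABLED a few hunks down carries `select MBEDTLS_MD` while this option does not; if mbedTLS's check_config.h still requires MBEDTLS_MD_C for MBEDTLS_PKCS1_V21 (as I recall it does), a build with only CONFIG_MBEDTLS_RSA_C set fails at configuration time, so `select MBEDTLS_MD` likely belongs on this option as well.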
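Review bot: `select MBEDTLS_RSA_C if !PSA_CRYPTO_CLIENT` on MBEDTLS_KEY_EXCHANGE_RSA_ENABLED is guarded, but the same select added to MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED, MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED and MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED in the neighbouring hunks is unconditional, so under PSA_CRYPTO_CLIENT those three still pull in the legacy mbedTLS RSA implementation while the plain RSA key exchange does not. If the guard is intentional because PSA supplies RSA on that path, the other three options presumably need the same `if !PSA_CRYPTO_CLIENT` guard and PSA_WANT_KEY_TYPE_RSA_* selects like the ones visible on this option; if it is not, the guard here should go. A one-line comment next to the guarded select saying which backend provides RSA when PSA_CRYPTO_CLIENT is set would spare the next reader this question.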
diff --git a/modules/mbedtls/configs/config-tls-generic.h b/modules/mbedtls/configs/config-tls-generic.h
index a605257668d9..f79cdf241eee 100644
--- a/modules/mbedtls/configs/config-tls-generic.h
+++ b/modules/mbedtls/configs/config-tls-generic.h
@@ -368,6 +368,11 @@
 #define MBEDTLS_MD_C
 #endif
 
+#if defined(CONFIG_MBEDTLS_RSA_C)
+#define MBEDTLS_RSA_C
+#define MBEDTLS_PKCS1_V21
+#endif
+
 /* Automatic dependencies */
 
 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
@@ -379,7 +384,6 @@
     defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
     defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
-#define MBEDTLS_RSA_C
 #define MBEDTLS_PKCS1_V15
 #define MBEDTLS_PKCS1_V21
 #endif

From dc24286c0be7fb620460ddb3462b6068ad8fbbbe Mon Sep 17 00:00:00 2001
From: Dominik Ermel
Date: Wed, 19 Mar 2025 15:32:38 +0000
Subject: [PATCH 2/2] manifest: MCUboot does not need that RSA

Eh, cleanup of selected stuff again.

Signed-off-by: Dominik Ermel
---
 west.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/west.yml b/west.yml
index c4af3fb25c3a..31ad8cfce21c 100644
--- a/west.yml
+++ b/west.yml
@@ -23,6 +23,8 @@ manifest:
       url-base: https://github.com/zephyrproject-rtos
     - name: babblesim
       url-base: https://github.com/BabbleSim
+    - name: mcu-tools
+      url-base: https://github.com/mcu-tools
 
   group-filter: [-babblesim, -optional]
 
@@ -303,7 +305,8 @@ manifest:
       groups:
         - crypto
     - name: mcuboot
-      revision: c8470fb145f8aff92696d05396fb77c3b8068b32
+      remote: mcu-tools
+      revision: pull/2239/head
       path: bootloader/mcuboot
       groups:
         - bootloader
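Review bot: The new `#if defined(CONFIG_MBEDTLS_RSA_C)` block enables MBEDTLS_PKCS1_V21 but not MBEDTLS_PKCS1_V15, which is the right default for a standalone RSA option (v1.5 encryption padding is what Bleichenbacher-style padding-oracle attacks target), but nothing says the omission is deliberate, and the automatic-dependencies block just below still turns v1.5 on for every RSA key exchange. I would add `/* Standalone RSA gets PKCS#1 v2.1 (OAEP/PSS) only; v1.5 padding is enabled below solely for the TLS RSA key exchanges that need it. */` above the block so nobody "completes" it later. Whether MBEDTLS_BIGNUM_C and MBEDTLS_MD_C, which the RSA module and v2.1 padding depend on, are guaranteed when only CONFIG_MBEDTLS_RSA_C is set is not visible in this hunk; if they come from other Kconfig-driven blocks, a `#if defined(CONFIG_MBEDTLS_RSA_C) && !defined(MBEDTLS_MD_C)` / `#error "MBEDTLS_RSA_C requires MBEDTLS_MD"` pair here would turn a confusing mbedTLS check_config failure into a clear one.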
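Review bot: `revision: pull/2239/head` replaces a pinned commit hash with a floating ref on a newly added `mcu-tools` remote, so the bootloader sources a build fetches can change, or vanish, whenever that pull request is force-pushed, rebased or closed, and west performs no integrity check beyond resolving the ref name. That is fine for a CI test run but must not be merged as-is: before merge, set `revision:` back to a full 40-character commit SHA (as the removed line did) and drop `remote: mcu-tools` together with the remote added in the first hunk unless the switch of upstream is intended and explained. The commit message (`MCUboot does not need that RSA`, `Eh, cleanup of selected stuff again.`) does not say which MCUboot change is being tracked, so a reader cannot tell which commit the final pin should point at.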