Boot Linux faster!

Check our new training course

Boot Linux faster!

Check our new training course
and Creative Commons CC-BY-SA
lecture and lab materials

Bootlin logo

Elixir Cross Referencer

# Kconfig.tls - TLS/DTLS related options

#
# Copyright (c) 2018 Intel Corporation
# Copyright (c) 2018 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: Apache-2.0
#

menu "TLS configuration"

menu "Supported TLS version"

config MBEDTLS_TLS_VERSION_1_0
	bool "Enable support for TLS 1.0"
	select MBEDTLS_MAC_MD5_ENABLED
	select MBEDTLS_MAC_SHA1_ENABLED

config MBEDTLS_TLS_VERSION_1_1
	bool "Enable support for TLS 1.1 (DTLS 1.0)"
	select MBEDTLS_MAC_MD5_ENABLED
	select MBEDTLS_MAC_SHA1_ENABLED

config MBEDTLS_TLS_VERSION_1_2
	bool "Enable support for TLS 1.2 (DTLS 1.2)"
	default y

config MBEDTLS_DTLS
	bool "Enable support for DTLS"
	depends on MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2

config MBEDTLS_SSL_EXPORT_KEYS
	bool "Enable support for exporting SSL key block and master secret"
	depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2

endmenu

menu "Ciphersuite configuration"

comment "Supported key exchange modes"

config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
	bool "Enable all available ciphersuite modes"
	select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
	select MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
	select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
	select MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
	select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
	select MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
	select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
	select MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
	select MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
	select MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
	select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED

config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
	bool "Enable the PSK based ciphersuite modes"

config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
	bool "Enable the DHE-PSK based ciphersuite modes"

config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
	bool "Enable the ECDHE-PSK based ciphersuite modes"

config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
	bool "Enable the RSA-PSK based ciphersuite modes"

config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
	bool "Enable the RSA-only based ciphersuite modes"
	default y

config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
	bool "Enable the DHE-RSA based ciphersuite modes"

config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
	bool "Enable the ECDHE-RSA based ciphersuite modes"

config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
	bool "Enable the ECDHE-ECDSA based ciphersuite modes"

config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
	bool "Enable the ECDH-ECDSA based ciphersuite modes"

config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
	bool "Enable the ECDH-RSA based ciphersuite modes"

config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
	bool "Enable the ECJPAKE based ciphersuite modes"

if MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
	MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \
	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || \
	MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED || \
	MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || \
	MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED

comment "Supported elliptic curves"

config MBEDTLS_ECP_ALL_ENABLED
	bool "Enable all available elliptic curves"
	select MBEDTLS_ECP_DP_SECP192R1_ENABLED
	select MBEDTLS_ECP_DP_SECP192R1_ENABLED
	select MBEDTLS_ECP_DP_SECP224R1_ENABLED
	select MBEDTLS_ECP_DP_SECP256R1_ENABLED
	select MBEDTLS_ECP_DP_SECP384R1_ENABLED
	select MBEDTLS_ECP_DP_SECP521R1_ENABLED
	select MBEDTLS_ECP_DP_SECP192K1_ENABLED
	select MBEDTLS_ECP_DP_SECP224K1_ENABLED
	select MBEDTLS_ECP_DP_SECP256K1_ENABLED
	select MBEDTLS_ECP_DP_BP256R1_ENABLED
	select MBEDTLS_ECP_DP_BP384R1_ENABLED
	select MBEDTLS_ECP_DP_BP512R1_ENABLED
	select MBEDTLS_ECP_DP_CURVE25519_ENABLED
	select MBEDTLS_ECP_DP_CURVE448_ENABLED
	select MBEDTLS_ECP_NIST_OPTIM

config MBEDTLS_ECP_DP_SECP192R1_ENABLED
	bool "Enable SECP192R1 elliptic curve"

config MBEDTLS_ECP_DP_SECP224R1_ENABLED
	bool "Enable SECP224R1 elliptic curve"

config MBEDTLS_ECP_DP_SECP256R1_ENABLED
	bool "Enable SECP256R1 elliptic curve"

config MBEDTLS_ECP_DP_SECP384R1_ENABLED
	bool "Enable SECP384R1 elliptic curve"

config MBEDTLS_ECP_DP_SECP521R1_ENABLED
	bool "Enable SECP521R1 elliptic curve"

config MBEDTLS_ECP_DP_SECP192K1_ENABLED
	bool "Enable SECP192K1 elliptic curve"

config MBEDTLS_ECP_DP_SECP224K1_ENABLED
	bool "Enable SECP224K1 elliptic curve"

config MBEDTLS_ECP_DP_SECP256K1_ENABLED
	bool "Enable SECP256K1 elliptic curve"

config MBEDTLS_ECP_DP_BP256R1_ENABLED
	bool "Enable BP256R1 elliptic curve"

config MBEDTLS_ECP_DP_BP384R1_ENABLED
	bool "Enable BP384R1 elliptic curve"

config MBEDTLS_ECP_DP_BP512R1_ENABLED
	bool "Enable BP512R1 elliptic curve"

config MBEDTLS_ECP_DP_CURVE25519_ENABLED
	bool "Enable CURVE25519 elliptic curve"

config MBEDTLS_ECP_DP_CURVE448_ENABLED
	bool "Enable CURVE448 elliptic curve"

config MBEDTLS_ECP_NIST_OPTIM
	bool "Enable NSIT curves optimization"

endif

comment "Supported cipher modes"

config MBEDTLS_CIPHER_ALL_ENABLED
	bool "Enable all available ciphers"
	select MBEDTLS_CIPHER_AES_ENABLED
	select MBEDTLS_CIPHER_CAMELLIA_ENABLED
	select MBEDTLS_CIPHER_DES_ENABLED
	select MBEDTLS_CIPHER_ARC4_ENABLED
	select MBEDTLS_CIPHER_CHACHA20_ENABLED
	select MBEDTLS_CIPHER_BLOWFISH_ENABLED
	select MBEDTLS_CIPHER_CCM_ENABLED
	select MBEDTLS_CIPHER_MODE_XTS_ENABLED
	select MBEDTLS_CIPHER_MODE_GCM_ENABLED
	select MBEDTLS_CIPHER_CBC_ENABLED
	select MBEDTLS_CHACHAPOLY_AEAD_ENABLED

config MBEDTLS_CIPHER_AES_ENABLED
	bool "Enable the AES block cipher"
	default y

config MBEDTLS_AES_ROM_TABLES
	depends on MBEDTLS_CIPHER_AES_ENABLED
	bool "Use precomputed AES tables stored in ROM."
	default y

config MBEDTLS_CIPHER_CAMELLIA_ENABLED
	bool "Enable the Camellia block cipher"

config MBEDTLS_CIPHER_DES_ENABLED
	bool "Enable the DES block cipher"
	default y

config MBEDTLS_CIPHER_ARC4_ENABLED
	bool "Enable the ARC4 stream cipher"

config MBEDTLS_CIPHER_CHACHA20_ENABLED
	bool "Enable the ChaCha20 stream cipher"

config MBEDTLS_CIPHER_BLOWFISH_ENABLED
	bool "Enable the Blowfish block cipher"

config MBEDTLS_CIPHER_CCM_ENABLED
	bool "Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher"
	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED

config MBEDTLS_CIPHER_MODE_XTS_ENABLED
	bool "Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES"
	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED

config MBEDTLS_CIPHER_MODE_GCM_ENABLED
	bool "Enable the Galois/Counter Mode (GCM) for AES"
	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED

config MBEDTLS_CIPHER_CBC_ENABLED
	bool "Enable Cipher Block Chaining mode (CBC) for symmetric ciphers"
	default y

config MBEDTLS_CHACHAPOLY_AEAD_ENABLED
	bool "Enable the ChaCha20-Poly1305 AEAD algorithm"
	depends on MBEDTLS_CIPHER_CHACHA20_ENABLED || MBEDTLS_MAC_POLY1305_ENABLED

comment "Supported message authentication methods"

config MBEDTLS_MAC_ALL_ENABLED
	bool "Enable all available MAC methods"
	select MBEDTLS_MAC_MD4_ENABLED
	select MBEDTLS_MAC_MD5_ENABLED
	select MBEDTLS_MAC_SHA1_ENABLED
	select MBEDTLS_MAC_SHA256_ENABLED
	select MBEDTLS_MAC_SHA512_ENABLED
	select MBEDTLS_MAC_POLY1305_ENABLED
	select MBEDTLS_MAC_CMAC_ENABLED

config MBEDTLS_MAC_MD4_ENABLED
	bool "Enable the MD4 hash algorithm"

config MBEDTLS_MAC_MD5_ENABLED
	bool "Enable the MD5 hash algorithm"
	default y

config MBEDTLS_MAC_SHA1_ENABLED
	bool "Enable the SHA1 hash algorithm"
	default y

config MBEDTLS_MAC_SHA256_ENABLED
	bool "Enable the SHA-224 and SHA-256 hash algorithms"
	default y

config MBEDTLS_SHA256_SMALLER
	bool "Enable smaller SHA-256 implementation"
	depends on MBEDTLS_MAC_SHA256_ENABLED
	default y
	help
	  Enable an implementation of SHA-256 that has lower ROM footprint but also
	  lower performance

config MBEDTLS_MAC_SHA512_ENABLED
	bool "Enable the SHA-384 and SHA-512 hash algorithms"

config MBEDTLS_MAC_POLY1305_ENABLED
	bool "Enable the Poly1305 MAC algorithm"

config MBEDTLS_MAC_CMAC_ENABLED
	bool "Enable the CMAC (Cipher-based Message Authentication Code) mode for block ciphers."
	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED

endmenu

comment "Random number generators"

config MBEDTLS_CTR_DRBG_ENABLED
	bool "Enable the CTR_DRBG AES-256-based random generator"
	depends on MBEDTLS_CIPHER_AES_ENABLED
	default y

config MBEDTLS_HMAC_DRBG_ENABLED
	bool "Enable the HMAC_DRBG random generator"

comment "Other configurations"

config MBEDTLS_GENPRIME_ENABLED
	bool "Enable the prime-number generation code."

config MBEDTLS_PEM_CERTIFICATE_FORMAT
	bool "Enable support for PEM certificate format"
	help
	  By default only DER (binary) format of certificates is supported. Enable
	  this option to enable support for PEM format.

config MBEDTLS_HAVE_ASM
	bool "Enable use of assembly code"
	default y if !ARM
	help
	  Enable use of assembly code in mbedTLS. This improves the performances
	  of asymetric cryptography, however this might have an impact on the
	  code size.

config MBEDTLS_ENTROPY_ENABLED
	bool "Enable mbedTLS generic entropy pool"
	depends on MBEDTLS_MAC_SHA256_ENABLED || MBEDTLS_MAC_SHA512_ENABLED

config MBEDTLS_USER_CONFIG_ENABLE
	bool "Enable user mbedTLS config file"
	help
	  Enable user mbedTLS config file that will be included at the end of
	  the generic config file.

config MBEDTLS_USER_CONFIG_FILE
	string "User configuration file for mbedTLS"
	depends on MBEDTLS_USER_CONFIG_ENABLE
	help
	  User config file that can contain mbedTLS configs that were not
	  covered by the generic config file.

endmenu