#
# Copyright (c) 2019-2022 Nordic Semiconductor
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#

menu "nRF Security"

config NORDIC_SECURITY_PROMPTLESS
	bool
	help
	  Internal setting that hides the prompt for the Nordic security backend
	  (and thereby disables its selection by the user). This symbol is
	  Kconfig-internal and must only be used by subsystems that provide
	  their own nRF Security selection groups.


config NORDIC_SECURITY_BACKEND
	bool
	prompt "Use nRF Security with Mbed TLS legacy crypto APIs support" \
		if !NORDIC_SECURITY_PROMPTLESS
	default y if BUILD_WITH_TFM
	depends on SOC_FAMILY_NORDIC_NRF
	select NRF_SECURITY
	select MBEDTLS_LEGACY_CRYPTO_C
	select OBERON_BACKEND if BUILD_WITH_TFM
	select DISABLE_MBEDTLS_BUILTIN if MBEDTLS
	help
	  Using this configuration enables legacy support for mbed TLS APIs.
	  This configuration is not to be used for PSA API support.
	  Note that this will enable nrf_oberon by default. Multiple backends are
	  not supported.

config NRF_SECURITY
	bool
	prompt "Enable nRF Security" if !PSA_PROMPTLESS
	depends on SOC_FAMILY_NORDIC_NRF
	default y if BUILD_WITH_TFM
	# Entropy is provided by PSA and NRF_SECURITY on NRF54LX
	default y if ENTROPY_PSA_CRYPTO_RNG && SOC_SERIES_NRF54LX
	select DISABLE_MBEDTLS_BUILTIN if MBEDTLS
	# Generating random data requires the CRACEN PSA Crypto driver on nrf54L
	select PSA_CRYPTO_DRIVER_CRACEN if PSA_WANT_GENERATE_RANDOM && SOC_SERIES_NRF54LX
	# NCS does not use TF-M's BL2 bootloader, but uses its own fork
	# of MCUBoot instead (CONFIG_BOOTLOADER_MCUBOOT).
	#
	# Select TFM_BL2_NOT_SUPPORTED to prevent users from enabling
	# CONFIG_TFM_BL2.
	select TFM_BL2_NOT_SUPPORTED if BUILD_WITH_TFM
	help
	  Set this configuration to enable nRF Security. This provides the
	  Arm PSA cryptography APIs, with optional RNG support.

config NRF_SECURITY_LEGACY_AND_PSA
	bool
	default y
	select EXPERIMENTAL
	depends on MBEDTLS_LEGACY_CRYPTO_C && MBEDTLS_PSA_CRYPTO_C
	# This configuration doesn't affect TF-M builds since the PSA
	# APIs are provided by TF-M.
	# When this configuration is enabled we manually enable
	# some symbols in the build_config.h file in the Oberon PSA core.
	# This requires only the Oberon PSA crypto driver to be enabled;
	# it also requires the CC3XX platform library to get random data and
	# the trusted storage for ITS support. The dependencies here
	# match what we enable in the build_config.h file, so if we need to
	# modify the dependencies here we also need to modify build_config.h.
	depends on PSA_CRYPTO_DRIVER_OBERON && !PSA_CRYPTO_DRIVER_CC3XX
	depends on NRF_CC3XX_PLATFORM
	depends on TRUSTED_STORAGE
	depends on !BUILD_WITH_TFM
	help
	   This is an option to support the legacy mbedTLS and PSA crypto APIs
	   at the same time. This is not recommended as it is not fully
	   supported in our system. This feature might get changed/removed at
	   any time in the future. You are advised to use the PSA APIs
	   for any new developments.

	   This option doesn't use nrf_security for the internal
	   PSA configuration. It always uses the Oberon PSA driver
	   for all the crypto operations except for the PRNG, which
	   uses the nrf_cc3xx_platform library.

config PSA_PROMPTLESS
	bool

if NRF_SECURITY

config MBEDTLS_CFG_FILE
	string "mbed TLS configuration file"
	default "nrf-config.h"
	help
	  Name of the config file for mbed TLS. This configuration file is used
	  in configurations with or without PSA APIs supported.

config MBEDTLS_USER_CONFIG_FILE
	string "mbed TLS user configuration file"
	default "nrf-config-user-empty.h"
	help
	  Name of the file that will contain additional configurations for mbed TLS.
	  This file is empty by default.

config MBEDTLS_PSA_CRYPTO_CONFIG_FILE
	string "PSA want configuration file"
	default "nrf-psa-crypto-want-config.h"
	help
	  Name of the config file containing the PSA configuration.
	  This file may be generated and will contain PSA configurations if PSA APIs
	  are generated in the system.

config MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
	string "Additional PSA configuration file"
	default "nrf-psa-crypto-config.h"
	help
	  Name of the file containing extra PSA configuration.
	  This file may be generated and will contain extra PSA configurations, like the
	  PSA_NEED defines for different crypto accelerators.

config GENERATE_MBEDTLS_CFG_FILE
	bool
	prompt "Generate mbed TLS config files"
	default y
	help
	  nrf_security will generate the mbed TLS configuration file(s)
	  based on the selection of configuration options in Kconfig.
	  However, if the generated configuration file needs custom
	  adjustments, this setting can be used to disable generating the
	  mbed TLS configuration file. Note that once generation is disabled,
	  the crypto selections made in Kconfig are no longer reflected in
	  the configuration file automatically, so the hand-maintained file
	  must be kept in sync with them. Only disable this setting if you know
	  what you are doing.

config MBEDTLS_ENABLE_HEAP
	bool "Enable global heap for mbed TLS"
	default y if BUILD_WITH_TFM
	help
	  This option enables mbed TLS to use the heap. This setting must
	  be global so that various applications and libraries in Zephyr do not
	  try to do this themselves, as there can be only one heap defined
	  in mbed TLS. If this is enabled, then Zephyr will, during device
	  startup, initialize the heap automatically.

config MBEDTLS_HEAP_SIZE
	int "Heap size for mbed TLS"
	default 15360 if OPENTHREAD_NRF_SECURITY
	default 512
	depends on MBEDTLS_ENABLE_HEAP
	help
	  Heap size for mbed TLS in bytes.
	  For streaming communication with arbitrary (HTTPS) servers on the
	  Internet, 32KB + overheads (up to another 20KB) may be needed.
	  Make sure to adjust the heap size according to the needs of the
	  application.

config MBEDTLS_ENTROPY_POLL
	bool
	default y
	depends on !NRF_CC3XX_PLATFORM
	depends on !BUILD_WITH_TFM
	depends on ENTROPY_GENERATOR
	help
	  Add entropy_poll only if NRF_CC3XX_PLATFORM is not added.
	  This is because the nrf_cc3xx_platform library already contains an
	  implementation of the mbedtls_hardware_poll function.
	  This file is not useful for TF-M builds, where entropy should come
	  from the SPE image, using psa_generate_random.


# Include TLS/DTLS and x509 configurations
rsource "Kconfig.tls"

# Include PSA Crypto configurations
rsource "Kconfig.psa"

# Include Legacy mbed TLS configurations
rsource "Kconfig.legacy"

endif # NRF_SECURITY

menu "Zephyr legacy configurations"
	depends on MBEDTLS_LIBRARY_NRF_SECURITY

config MBEDTLS_TLS_VERSION_1_2
	bool "Enable support for TLS 1.2 (DTLS 1.2)"
	select PSA_WANT_ALG_SHA_1
	select PSA_WANT_ALG_SHA_224
	select PSA_WANT_ALG_SHA_256
	select PSA_WANT_ALG_SHA_384
	select PSA_WANT_ALG_SHA_512
	select MBEDTLS_CIPHER

config MBEDTLS_DTLS
	bool "Enable support for DTLS"
	depends on MBEDTLS_TLS_VERSION_1_2 || MBEDTLS_SSL_PROTO_TLS1_2
	select MBEDTLS_SSL_PROTO_DTLS

config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
	bool "Enable all available ciphersuites"
	help
	  The default behaviour with nrf_security is to always enable every ciphersuite
	  that is available. This configuration has no effect, but ensures that samples
	  and subsystem usage doesn't break.

config MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
	bool "Enable some PSK ciphersuites"
	help
	  The default behaviour of nrf_security is to always enable some ciphersuites.
	  This configuration has no effect but ensures that samples and subsystem usage
	  doesn't break.

config MBEDTLS_ECP_ALL_ENABLED
	bool "Enable all available elliptic curves"
	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
	select PSA_WANT_ECC_SECP_R1_192
	select PSA_WANT_ECC_SECP_R1_224
	select PSA_WANT_ECC_SECP_R1_256
	select PSA_WANT_ECC_SECP_R1_384
	select PSA_WANT_ECC_SECP_R1_521
	select PSA_WANT_ECC_SECP_K1_192
	select PSA_WANT_ECC_SECP_K1_224
	select PSA_WANT_ECC_SECP_K1_256
	select PSA_WANT_ECC_BRAINPOOL_P_R1_256
	select PSA_WANT_ECC_BRAINPOOL_P_R1_384
	select PSA_WANT_ECC_BRAINPOOL_P_R1_512
	select PSA_WANT_ECC_MONTGOMERY_255
	select PSA_WANT_ECC_MONTGOMERY_448

config MBEDTLS_CIPHER_ALL_ENABLED
	bool "Enable all available ciphers"
	select PSA_WANT_KEY_TYPE_AES
	select PSA_WANT_ALG_ECB_NO_PADDING
	select PSA_WANT_ALG_CBC_NO_PADDING
	select PSA_WANT_ALG_CBC_PKCS7
	select PSA_WANT_ALG_CFB
	select PSA_WANT_ALG_CTR
	select PSA_WANT_ALG_OFB
	select PSA_WANT_ALG_CCM
	select PSA_WANT_ALG_GCM
	select PSA_WANT_KEY_TYPE_CHACHA20
	select PSA_WANT_ALG_CHACHA20_POLY1305
	select PSA_WANT_ALG_STREAM_CIPHER

config MBEDTLS_MAC_ALL_ENABLED
	bool "Enable all available MAC methods"
	select PSA_WANT_KEY_TYPE_AES
	select PSA_WANT_ALG_CMAC
	select PSA_WANT_ALG_HMAC
	select PSA_WANT_ALG_SHA_1
	select PSA_WANT_ALG_SHA_224
	select PSA_WANT_ALG_SHA_256
	select PSA_WANT_ALG_SHA_384
	select PSA_WANT_ALG_SHA_512

config MBEDTLS_MAC_SHA256_ENABLED
	bool "Enable the SHA-224 and SHA-256 hash algorithms"
	default y
	select PSA_WANT_ALG_SHA_224
	select PSA_WANT_ALG_SHA_256
	select PSA_WANT_ALG_HMAC

# MD5 is not collision resistant and should only be enabled where required
# for interoperability with legacy peers or formats, never for new designs.
config MBEDTLS_MAC_MD5_ENABLED
	bool "MD5 hash algorithm (legacy, not collision resistant)"

config MBEDTLS_CTR_DRBG_ENABLED
	bool "Enable the CTR_DRBG AES-256-based random generator"
	select PSA_WANT_ALG_CTR_DRBG

config MBEDTLS_HMAC_DRBG_ENABLED
	bool "Enable the HMAC_DRBG random generator"
	select PSA_WANT_ALG_HMAC_DRBG

config MBEDTLS_CIPHER
	bool "Enable the generic cipher layer"

config MBEDTLS_MD
	bool "Enable the generic message digest layer"

config MBEDTLS_ENTROPY_ENABLED
	bool "Enable mbedTLS generic entropy pool"

config MBEDTLS_GENPRIME_ENABLED
	bool "Enable the prime-number generation code"

endmenu # Zephyr legacy configurations

#
# Provide a new choice to override the mbedtls_external library completely,
# so that a "dummy" path for the implementation does not have to be provided
#
choice MBEDTLS_IMPLEMENTATION
	default MBEDTLS_LIBRARY_NRF_SECURITY

config MBEDTLS_LIBRARY_NRF_SECURITY
	bool "Use nRF Security mbedTLS version"
	depends on NORDIC_SECURITY_BACKEND || NRF_SECURITY
	help
	  Use the Mbed TLS library from the Nordic-provided security backend.

endchoice

endmenu
