# Cryptography primitive options for mbed TLS

# Copyright (c) 2016 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

config ZEPHYR_MBEDTLS_MODULE
	bool

config MBEDTLS_PROMPTLESS
	bool
	help
	  Symbol to disable the prompt for MBEDTLS selection.
	  This symbol may be used internally in a Kconfig tree to hide the
	  mbed TLS menu prompt and instead handle the selection of MBEDTLS from
	  dependent sub-configurations, thus preventing stuck-symbol behavior.

config MBEDTLS_VERSION_4_x
	bool
	default y
	help
	  Hidden Kconfig symbol used internally to mark support for Mbed TLS 4.x.

rsource "Kconfig.psa.auto"
rsource "Kconfig.psa.logic"

menuconfig MBEDTLS
	bool "mbed TLS Support" if !MBEDTLS_PROMPTLESS
	help
	  This option enables the mbedTLS cryptography library.

if MBEDTLS

choice MBEDTLS_IMPLEMENTATION
	prompt "Select implementation"
	default MBEDTLS_BUILTIN

config MBEDTLS_BUILTIN
	bool "Zephyr in-tree mbedTLS version"
	help
	  Link with the mbedTLS sources included with the Zephyr distribution.
	  The included mbedTLS version is well integrated with and supported
	  by Zephyr, and is the recommended choice for most users.

config MBEDTLS_CUSTOM
	bool "Custom mbedTLS library"
	help
	  The mbedTLS library must be configured and added out of tree.

config MBEDTLS_LIBRARY
	bool "External mbedTLS library [DEPRECATED]"
	select DEPRECATED
	help
	  Use external, out-of-tree prebuilt mbedTLS library. For advanced
	  users only.
	  This option is deprecated. Use MBEDTLS_CUSTOM instead.

if MBEDTLS_LIBRARY

config MBEDTLS_INSTALL_PATH
	string "mbedTLS install path"
	help
	  This option holds the path where the mbedTLS libraries and headers are
	  installed. Make sure this option is set correctly when MBEDTLS_LIBRARY
	  is enabled; otherwise the build will fail.

endif # MBEDTLS_LIBRARY

endchoice # MBEDTLS_IMPLEMENTATION

rsource "Kconfig.mbedtls"
rsource "Kconfig.tf-psa-crypto"
rsource "Kconfig.ciphersuites"
rsource "Kconfig.deprecated"

config MBEDTLS_DEBUG
	bool "mbed TLS debug activation"
	imply MBEDTLS_DEBUG_C
	help
	  Enable debug output for the mbed TLS configuration. If you use the
	  mbedTLS/Zephyr integration (e.g. native TLS sockets), this will
	  activate debug logging.

	  If you use mbedTLS directly instead, you will need to perform
	  additional configuration yourself: call the
	  mbedtls_ssl_conf_dbg(&mbedtls.conf, zephyr_mbedtls_debug, NULL);
	  function in your application. Alternatively, implement your own debug
	  hook function if zephyr_mbedtls_debug() doesn't suit your needs.

if MBEDTLS_DEBUG

module = MBEDTLS
module-str = Log level mbedTLS library debug hook
source "subsys/logging/Kconfig.template.log_config"

config MBEDTLS_DEBUG_LEVEL
	int
	default 4 if MBEDTLS_LOG_LEVEL_DBG
	default 3 if MBEDTLS_LOG_LEVEL_INF
	default 2 if MBEDTLS_LOG_LEVEL_WRN
	default 1 if MBEDTLS_LOG_LEVEL_ERR
	default 0
	range 0 4
	help
	  Default mbed TLS debug logging level for Zephyr integration code
	  (from ext/lib/crypto/mbedtls/include/mbedtls/debug.h):
	  0 No debug
	  1 Error
	  2 State change
	  3 Information
	  4 Verbose

	  This makes Zephyr call the mbedtls_debug_set_threshold() function
	  during mbedTLS initialization, with the configured debug log level.

choice MBEDTLS_DEBUG_EXTRACT_BASENAME
	prompt "Extract basename from filenames"
	default MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_BUILDTIME if "$(ZEPHYR_TOOLCHAIN_VARIANT)" = "zephyr"
	default MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME

config MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_BUILDTIME
	bool "Buildtime"
	help
	  Adds compile options that should convert the full source paths in the
	  __FILE__ macro to the files' basenames. This will reduce code footprint
	  when debug messages are enabled.

	  This is compiler dependent, so if it does not work then please
	  fall back to MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME instead.

config MBEDTLS_DEBUG_EXTRACT_BASENAME_AT_RUNTIME
	bool "Runtime"
	help
	  The filename passed as an argument to the debug hook is stripped of its
	  directory part, so that only the basename is left and logged.

config MBEDTLS_DEBUG_EXTRACT_BASENAME_DISABLED
	bool "Disabled"
	help
	  Disable basename extraction from filenames in log messages. This will
	  result in full paths, or paths relative to the west root directory,
	  appearing in log messages generated by the mbedTLS library.

endchoice # MBEDTLS_DEBUG_EXTRACT_BASENAME

config MBEDTLS_DEBUG_STRIP_NEWLINE
	bool "Strip newlines"
	default y
	help
	  Attempt to strip the last character from the logged string when it is
	  a newline.

endif # MBEDTLS_DEBUG

config MBEDTLS_ENABLE_HEAP
	bool "Global heap for mbed TLS"
	help
	  This option enables mbedtls to use the heap. This setting must
	  be global so that the various applications and libraries in Zephyr do
	  not try to do this themselves, as there can be only one heap defined
	  in mbedtls. If this is enabled, and MBEDTLS_INIT is also enabled, then
	  Zephyr will initialize the heap automatically during device startup.

if MBEDTLS_ENABLE_HEAP

config MBEDTLS_HEAP_SIZE
	int "Heap size for mbed TLS"
	default 15360 if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
	default 1024 if OPENTHREAD_CRYPTO_PSA
	default 512
	help
	  The mbedtls routines will use this heap if enabled.
	  See ext/lib/crypto/mbedtls/include/mbedtls/config.h and the
	  MBEDTLS_MEMORY_BUFFER_ALLOC_C option for details. That option is not
	  enabled by default.
	  A suitable default value for the heap size cannot be given, as it
	  depends on the application. For streaming communication with
	  arbitrary (HTTPS) servers on the Internet, 32KB + overheads (up to
	  another 20KB) may be needed. For some dedicated and specific usage of
	  the mbedtls API, around 1000 bytes might be enough.

config MBEDTLS_HEAP_CUSTOM_SECTION
	bool "Use a custom section for the Mbed TLS heap"
	help
	  Place the Mbed TLS heap in a custom section tagged ".mbedtls_heap".
	  This can be used by custom linker scripts to relocate the Mbed TLS
	  heap to a custom location, such as another SRAM region or external memory.

endif # MBEDTLS_ENABLE_HEAP

config MBEDTLS_INIT
	bool "Initialize mbed TLS at boot"
	default y
	help
	  By default mbed TLS will be initialized at Zephyr init. Disabling this option
	  will defer the initialization until explicitly called.

config MBEDTLS_SHELL
	bool "mbed TLS shell"
	depends on SHELL
	help
	  Enable the mbed TLS shell module, which can show debug information
	  about the mbed TLS library, such as heap usage.

config APP_LINK_WITH_MBEDTLS
	bool "Link 'app' with MBEDTLS"
	default y
	help
	  Add the MBEDTLS header files to the 'app' include path. This may be
	  disabled if the include paths for MBEDTLS are causing aliasing
	  issues for 'app'.

endif # MBEDTLS
