mbedtls: Remove "unsafe" warning, enable AES by default & make SHA/MPI optional
This commit is contained in:
Angus Gratton
Angus Gratton
parent
afb6119504
commit
0ea4cd67dd
3 changed files with 45 additions and 32 deletions
|
|
@ -31,26 +31,18 @@ config MBEDTLS_DEBUG
|
|||
at runtime in order to enable mbedTLS debug output via the ESP
|
||||
log mechanism.
|
||||
|
||||
config MBEDTLS_UNSAFE_ACCELERATION
|
||||
bool "Allow buggy hardware acceleration features"
|
||||
depends on !FREERTOS_UNICORE
|
||||
default n
|
||||
help
|
||||
A bug currently prevents dual cores & crypto hardware acceleration from being used together.
|
||||
|
||||
Enable this option to allow hardware acceleration anyhow (note that invalid results or crashes may occur.)
|
||||
|
||||
config MBEDTLS_HARDWARE_AES
|
||||
bool "Enable hardware AES acceleration"
|
||||
depends on MBEDTLS_UNSAFE_ACCELERATION || FREERTOS_UNICORE
|
||||
default y
|
||||
help
|
||||
Enable hardware accelerated AES encryption & decryption.
|
||||
|
||||
Note that if the ESP32 CPU is running at 240MHz, hardware AES does not
|
||||
offer any speed boost over software AES.
|
||||
|
||||
config MBEDTLS_HARDWARE_MPI
|
||||
bool "Enable hardware MPI (bignum) acceleration"
|
||||
depends on MBEDTLS_UNSAFE_ACCELERATION || FREERTOS_UNICORE
|
||||
default y
|
||||
default n
|
||||
help
|
||||
Enable hardware accelerated multiple precision integer operations.
|
||||
|
||||
|
|
@ -62,7 +54,7 @@ config MBEDTLS_HARDWARE_MPI
|
|||
config MBEDTLS_MPI_USE_INTERRUPT
|
||||
bool "Use interrupt for MPI operations"
|
||||
depends on MBEDTLS_HARDWARE_MPI
|
||||
default y
|
||||
default n
|
||||
help
|
||||
Use an interrupt to coordinate MPI operations.
|
||||
|
||||
|
|
@ -71,16 +63,18 @@ config MBEDTLS_MPI_USE_INTERRUPT
|
|||
|
||||
config MBEDTLS_HARDWARE_SHA
|
||||
bool "Enable hardware SHA acceleration"
|
||||
depends on MBEDTLS_UNSAFE_ACCELERATION || FREERTOS_UNICORE
|
||||
default y
|
||||
default n
|
||||
help
|
||||
Enable hardware accelerated SHA1, SHA256, SHA384 & SHA512 in mbedTLS.
|
||||
|
||||
Due to a hardware limitation, hardware acceleration is only
|
||||
guaranteed if SHA digests are calculated one at a time. If more
|
||||
than one SHA digest is calculated at the same time, only will
|
||||
than one SHA digest is calculated at the same time, one will
|
||||
be calculated fully in hardware and the rest will be calculated
|
||||
(at least partially calculated) in software.
|
||||
(at least partially calculated) in software. This happens automatically.
|
||||
|
||||
SHA hardware acceleration is faster than software in some situations but
|
||||
slower in others. You should benchmark to find the best setting for you.
|
||||
|
||||
config MBEDTLS_HAVE_TIME
|
||||
bool "Enable mbedtls time"
|
||||
|
|
|
|||
|
|
@ -119,13 +119,15 @@ static void tskRunSHA256Test(void *pvParameters)
|
|||
vTaskDelete(NULL);
|
||||
}
|
||||
|
||||
TEST_CASE("mbedtls SHA multithreading", "[mbedtls][ignore]")
|
||||
#define SHA_TASK_STACK_SIZE (10*1024)
|
||||
|
||||
TEST_CASE("mbedtls SHA multithreading", "[mbedtls]")
|
||||
{
|
||||
done_sem = xSemaphoreCreateCounting(4, 0);
|
||||
xTaskCreate(tskRunSHA1Test, "SHA1Task1", 8192, NULL, 3, NULL);
|
||||
xTaskCreate(tskRunSHA1Test, "SHA1Task2", 8192, NULL, 3, NULL);
|
||||
xTaskCreate(tskRunSHA256Test, "SHA256Task1", 8192, NULL, 3, NULL);
|
||||
xTaskCreate(tskRunSHA256Test, "SHA256Task2", 8192, NULL, 3, NULL);
|
||||
xTaskCreate(tskRunSHA1Test, "SHA1Task1", SHA_TASK_STACK_SIZE, NULL, 3, NULL);
|
||||
xTaskCreate(tskRunSHA1Test, "SHA1Task2", SHA_TASK_STACK_SIZE, NULL, 3, NULL);
|
||||
xTaskCreate(tskRunSHA256Test, "SHA256Task1", SHA_TASK_STACK_SIZE, NULL, 3, NULL);
|
||||
xTaskCreate(tskRunSHA256Test, "SHA256Task2", SHA_TASK_STACK_SIZE, NULL, 3, NULL);
|
||||
|
||||
for(int i = 0; i < 4; i++) {
|
||||
if(!xSemaphoreTake(done_sem, 10000/portTICK_PERIOD_MS)) {
|
||||
|
|
@ -165,14 +167,10 @@ void tskRunSHASelftests(void *param)
|
|||
TEST_CASE("mbedtls SHA self-tests multithreaded", "[mbedtls]")
|
||||
{
|
||||
done_sem = xSemaphoreCreateCounting(2, 0);
|
||||
xTaskCreate(tskRunSHASelftests, "SHASelftests1", 8192, NULL, 3, NULL);
|
||||
xTaskCreate(tskRunSHASelftests, "SHASelftests2", 8192, NULL, 3, NULL);
|
||||
xTaskCreate(tskRunSHASelftests, "SHASelftests1", SHA_TASK_STACK_SIZE, NULL, 3, NULL);
|
||||
xTaskCreate(tskRunSHASelftests, "SHASelftests2", SHA_TASK_STACK_SIZE, NULL, 3, NULL);
|
||||
|
||||
#ifdef CONFIG_MBEDTLS_HARDWARE_SHA
|
||||
const int TIMEOUT_MS = 12000;
|
||||
#else
|
||||
const int TIMEOUT_MS = 20000; // Soft-only SHA may need a little longer
|
||||
#endif
|
||||
const int TIMEOUT_MS = 20000;
|
||||
|
||||
for(int i = 0; i < 2; i++) {
|
||||
if(!xSemaphoreTake(done_sem, TIMEOUT_MS/portTICK_PERIOD_MS)) {
|
||||
|
|
|
|||
|
|
@ -19,7 +19,6 @@ CONFIG_LOG_BOOTLOADER_LEVEL_WARN=y
|
|||
# CONFIG_LOG_BOOTLOADER_LEVEL_DEBUG is not set
|
||||
# CONFIG_LOG_BOOTLOADER_LEVEL_VERBOSE is not set
|
||||
CONFIG_LOG_BOOTLOADER_LEVEL=2
|
||||
# CONFIG_BOOTLOADER_LTO is not set
|
||||
|
||||
#
|
||||
# Security features
|
||||
|
|
@ -174,6 +173,11 @@ CONFIG_ESP32_DEEP_SLEEP_WAKEUP_DELAY=0
|
|||
# CONFIG_ESP32_XTAL_FREQ_26 is not set
|
||||
CONFIG_ESP32_XTAL_FREQ_AUTO=y
|
||||
CONFIG_ESP32_XTAL_FREQ=0
|
||||
# CONFIG_NO_BLOBS is not set
|
||||
|
||||
#
|
||||
# Wi-Fi
|
||||
#
|
||||
CONFIG_ESP32_WIFI_STATIC_RX_BUFFER_NUM=10
|
||||
CONFIG_ESP32_WIFI_DYNAMIC_RX_BUFFER_NUM=0
|
||||
# CONFIG_ESP32_WIFI_STATIC_TX_BUFFER is not set
|
||||
|
|
@ -181,8 +185,9 @@ CONFIG_ESP32_WIFI_DYNAMIC_TX_BUFFER=y
|
|||
CONFIG_ESP32_WIFI_TX_BUFFER_TYPE=1
|
||||
CONFIG_ESP32_WIFI_DYNAMIC_TX_BUFFER_NUM=32
|
||||
CONFIG_ESP32_WIFI_AMPDU_ENABLED=y
|
||||
CONFIG_ESP32_WIFI_TX_BA_WIN=6
|
||||
CONFIG_ESP32_WIFI_RX_BA_WIN=6
|
||||
CONFIG_ESP32_WIFI_NVS_ENABLED=y
|
||||
CONFIG_PHY_ENABLED=y
|
||||
|
||||
#
|
||||
# PHY
|
||||
|
|
@ -280,10 +285,16 @@ CONFIG_TCP_SYNMAXRTX=6
|
|||
CONFIG_TCP_MSS=1436
|
||||
CONFIG_TCP_SND_BUF_DEFAULT=5744
|
||||
CONFIG_TCP_WND_DEFAULT=5744
|
||||
CONFIG_TCP_RECVMBOX_SIZE=6
|
||||
CONFIG_TCP_QUEUE_OOSEQ=y
|
||||
CONFIG_TCP_OVERSIZE_MSS=y
|
||||
# CONFIG_TCP_OVERSIZE_QUARTER_MSS is not set
|
||||
# CONFIG_TCP_OVERSIZE_DISABLE is not set
|
||||
|
||||
#
|
||||
# UDP
|
||||
#
|
||||
CONFIG_UDP_RECVMBOX_SIZE=6
|
||||
# CONFIG_LWIP_DHCP_DOES_ARP_CHECK is not set
|
||||
CONFIG_TCPIP_TASK_STACK_SIZE=2048
|
||||
# CONFIG_PPP_SUPPORT is not set
|
||||
|
|
@ -299,7 +310,10 @@ CONFIG_TCPIP_TASK_STACK_SIZE=2048
|
|||
#
|
||||
CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384
|
||||
# CONFIG_MBEDTLS_DEBUG is not set
|
||||
# CONFIG_MBEDTLS_UNSAFE_ACCELERATION is not set
|
||||
CONFIG_MBEDTLS_HARDWARE_AES=y
|
||||
CONFIG_MBEDTLS_HARDWARE_MPI=y
|
||||
CONFIG_MBEDTLS_MPI_USE_INTERRUPT=y
|
||||
CONFIG_MBEDTLS_HARDWARE_SHA=y
|
||||
CONFIG_MBEDTLS_HAVE_TIME=y
|
||||
# CONFIG_MBEDTLS_HAVE_TIME_DATE is not set
|
||||
|
||||
|
|
@ -315,3 +329,10 @@ CONFIG_OPENSSL_ASSERT_DO_NOTHING=y
|
|||
#
|
||||
# CONFIG_SPI_FLASH_ENABLE_COUNTERS is not set
|
||||
CONFIG_SPI_FLASH_ROM_DRIVER_PATCH=y
|
||||
|
||||
#
|
||||
# Wear Levelling
|
||||
#
|
||||
# CONFIG_WL_SECTOR_SIZE_512 is not set
|
||||
CONFIG_WL_SECTOR_SIZE_4096=y
|
||||
CONFIG_WL_SECTOR_SIZE=4096
|
||||
|
|
|
|||
Loading…
Reference in a new issue