
I am trying to build a program for an ARM Renesas RA6M1 controller with the PSA Crypto API library. It looks like adding the cryptography library to my project makes the binary too big when it is a debug build. I need only a small part of the whole library's functionality:

  • generate keys RSA 2048 Bit RSA PKCS #1 v2.2

  • sign and check signature functionality RSASSA-PKCS1-v1_5

  • encrypt functionality RSASSA-PKCS1-v1_5

I found the file crypto_config.h, which looks like a configuration file that allows selecting what is needed. Am I right? But my Segger Embedded project does not include this header. Why?

How can I make the binary smaller with the crypto library configuration?

Content of crypto_config.h:

```c
#ifndef PSA_CRYPTO_CONFIG_H
#define PSA_CRYPTO_CONFIG_H

#define PSA_WANT_ALG_DETERMINISTIC_ECDSA        1
#define PSA_WANT_ALG_ECDH                       1
#define PSA_WANT_ALG_ECDSA                      1
#define PSA_WANT_ALG_HKDF                       1
#define PSA_WANT_ALG_HMAC                       1
#define PSA_WANT_ALG_MD2                        1
#define PSA_WANT_ALG_MD4                        1
#define PSA_WANT_ALG_MD5                        1
#define PSA_WANT_ALG_RIPEMD160                  1
#define PSA_WANT_ALG_RSA_OAEP                   1
#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT         1
#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN          1
#define PSA_WANT_ALG_RSA_PSS                    1
#define PSA_WANT_ALG_SHA_1                      1
#define PSA_WANT_ALG_SHA_224                    1
#define PSA_WANT_ALG_SHA_256                    1
#define PSA_WANT_ALG_SHA_384                    1
#define PSA_WANT_ALG_SHA_512                    1
#define PSA_WANT_ALG_TLS12_PRF                  1
#define PSA_WANT_ALG_TLS12_PSK_TO_MS            1
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR          1
#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY        1
#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR          1
#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY        1

#endif /* PSA_CRYPTO_CONFIG_H */
```
vico
  • Have you tried setting all to 0 to confirm the file is indeed not included? – PhilMasteG Jun 10 '22 at 08:57
  • I added the line "blablabla" in order to corrupt the header file and was expecting to get a compile error. After a rebuild, no error was found. – vico Jun 10 '22 at 09:56
  • Did you try to optimize for size when compiling? It should be able to remove unused functions from the final elf. – Fra93 Jun 15 '22 at 09:52

1 Answer

Mbed TLS 2.28/3.x has two ways to configure PSA crypto: legacy or next-generation. The default is the legacy method.

In the legacy configuration method, all mechanisms that are enabled through the legacy API (mbedtls_xxx) are also enabled through the PSA API (psa_xxx). For example, if you enable MBEDTLS_RSA_C, MBEDTLS_GENPRIME and MBEDTLS_PKCS1_V15 then RSA key import/generation, signature/verification with PSA_ALG_RSA_PKCS1V15_SIGN, and encryption/decryption with PSA_ALG_RSA_PKCS1V15_CRYPT are available through psa_xxx functions. Only mbedtls/mbedtls_config.h (mbedtls/config.h in Mbed TLS 2.x) is relevant; psa/crypto_config.h is ignored.

In the next-generation configuration method, PSA crypto is configured through psa/crypto_config.h. If a mechanism is enabled here and no driver is present for it, the corresponding MBEDTLS_XXX symbol will automatically be enabled. To enable the next-generation PSA crypto configuration method, set MBEDTLS_PSA_CRYPTO_CONFIG in mbedtls/mbedtls_config.h.

Gilles 'SO- stop being evil'
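
The next-generation method described in the answer, applied to the RSA subset from the question, as an added example that is not part of the original question or answer. SHA-256 as the signing hash and the presence of MBEDTLS_PSA_CRYPTO_C are assumptions; the three parts are shown in one listing but belong in the files named in their banners.

```c
/* ---- mbedtls/mbedtls_config.h (mbedtls/config.h in Mbed TLS 2.x) ---- */
#define MBEDTLS_PSA_CRYPTO_C       /* PSA crypto core (assumed already enabled) */
#define MBEDTLS_PSA_CRYPTO_CONFIG  /* opt in: psa/crypto_config.h is now honoured */

/* ---- psa/crypto_config.h, trimmed to the RSA subset from the question ---- */
#ifndef PSA_CRYPTO_CONFIG_H
#define PSA_CRYPTO_CONFIG_H

#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT         1  /* encrypt / decrypt */
#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN          1  /* sign / verify */
#define PSA_WANT_ALG_SHA_256                    1  /* assumed hash for signing */
#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR          1  /* key generation, private ops */
#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY        1  /* verify, encrypt */

/* Every other PSA_WANT_* line from the original file is deleted rather than
 * set to 0: the guards below test with defined(), so a symbol that is
 * defined at all counts as requested. */

#endif /* PSA_CRYPTO_CONFIG_H */

/* ---- application source, placed after the library headers are included ---- */

/* Fails the build if the legacy method is still in effect, in which case
 * edits to psa/crypto_config.h have no effect at all. */
#if !defined(MBEDTLS_PSA_CRYPTO_CONFIG)
#error "Legacy configuration in effect: psa/crypto_config.h is ignored"
#endif

/* The mechanisms the firmware actually calls must be present. */
#if !defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) || \
    !defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT) || \
    !defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
#error "Required RSA mechanism missing from psa/crypto_config.h"
#endif

/* Weak hashes listed in the original file must not come back in. */
#if defined(PSA_WANT_ALG_MD2) || defined(PSA_WANT_ALG_MD4) || \
    defined(PSA_WANT_ALG_MD5) || defined(PSA_WANT_ALG_SHA_1)
#error "Weak hash enabled: remove it from psa/crypto_config.h"
#endif

/* Unused families cost flash and widen the exposed crypto surface. */
#if defined(PSA_WANT_ALG_ECDSA) || defined(PSA_WANT_ALG_ECDH) || \
    defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) || \
    defined(PSA_WANT_ALG_TLS12_PRF) || defined(PSA_WANT_ALG_HKDF)
#error "Unused mechanism enabled: trim psa/crypto_config.h"
#endif
```

If the first guard fires, the build is using the legacy method and only the MBEDTLS_XXX options in mbedtls/mbedtls_config.h decide what is compiled in.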