Misc updates to strategy.md
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/docs/architecture/psa-migration/strategy.md b/docs/architecture/psa-migration/strategy.md
index fe15bc1..e508975 100644
--- a/docs/architecture/psa-migration/strategy.md
+++ b/docs/architecture/psa-migration/strategy.md
@@ -39,7 +39,10 @@
The reasons why `MBEDTLS_USE_PSA_CRYPTO` is optional and disabled by default
are:
-- it's incompatible with `MBEDTLS_ECP_RESTARTABLE`, and `MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER`;
+- it's incompatible with `MBEDTLS_ECP_RESTARTABLE`;
+- historical: used to be incompatible
+ `MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER` (fixed early 2022, see
+ <https://github.com/ARMmbed/mbedtls/issues/5259>);
- it does not work well with `MBEDTLS_PSA_CRYPTO_CONFIG` (could compile with
both of them, but then `MBEDTLS_PSA_CRYPTO_CONFIG` won't have the desired
effect)
@@ -47,10 +50,13 @@
`MBEDTLS_PSA_CRYPTO_C`, for backards compatibility reasons:
- when `MBEDTLS_PSA_CRYPTO_C` is enabled and used, applications need to call
`psa_crypto_init()` before TLS/X.509 uses PSA functions
- - `MBEDTLS_PSA_CRYPTO_C` has a hard depend on `MBEDTLS_ENTROPY_C` but it's
- currently possible to compilte TLS and X.509 without `MBEDTLS_ENTROPY_C`.
+ - `MBEDTLS_PSA_CRYPTO_C` has a hard depend on `MBEDTLS_ENTROPY_C ||
+ MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` but it's
+ currently possible to compilte TLS and X.509 without any of the options.
Also, we can't just auto-enable `MBEDTLS_ENTROPY_C` as it doesn't build
- out of the box on all platforms.
+ out of the box on all platforms, and even less
+ `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` as it requires a user-provided RNG
+ function.
The downside of this approach is that until we feel ready to make
`MBDEDTLS_USE_PSA_CRYPTO` non-optional (always enabled), we have to maintain
@@ -82,6 +88,8 @@
### `MBEDTLS_PSA_CRYPTO_CONFIG`
+(This section taken from a comment by Gilles.)
+
X509 and TLS code use `MBEDTLS_xxx` macros to decide whether an algorithm is
supported. This doesn't make `MBEDTLS_USE_PSA_CRYPTO` incompatible with
`MBEDTLS_PSA_CRYPTO_CONFIG` per se, but it makes it incompatible with most
@@ -106,22 +114,6 @@
whereas extending to more procotol features will require the same amount of
work either way.
-### `MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER`
-
-When `MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER` is enabled, the library is
-built for use with an RPC server that dispatches PSA crypto function calls
-from multiple clients. In such a build, all the `psa_xxx` functions that take
-would normally take a `psa_key_id_t` as argument instead take a structure
-containing both the key id and the client id. And so if e.g. a TLS function
-calls `psa_import_key`, it would have to pass this structure, not just the
-`psa_key_id_t` key id.
-
-A solution is to use `mbedtls_svc_key_id_t` throughout instead of
-`psa_key_id_t`, and use similar abstractions to define values.
-
-That's what we're implemementing in early 2022, see
-https://github.com/ARMmbed/mbedtls/issues/5259
-
### Backwars compatibility issues with making it always on
1. Existing applications may not be calling `psa_crypto_init()` before using
