> It is recommended that applications only use ECB if they need to construct an operating mode that the implementation does not provide
Hi,
ECB mode means that the block cipher is applied block by block to the message directly. This is indeed insecure. However, all modes (CBC, CMAC, CTR, etc.) apply the block cipher to blocks that might be related to individual message blocks but are constructed in a way that the result is safe.
When Mbed TLS uses ECB mode internally, it means that the block cipher is applied to a block of data (not to the message directly) in order to implement a secure operation mode. This is why ECB is in the API as well and how users should use it (to implement a secure standard operation mode that is not supplied by Mbed TLS):
https://arm-software.github.io/psa-api/crypto/1.2/api/ops/ciphers.html#c.PSA_ALG_ECB_NO_PADDING
When we say PSA_ALG_ECB_NO_PADDING, we mean a single application of the block cipher to a single block of data and not the actual ECB mode (which means slicing up the message to blocks and applying the block cipher to each block directly).
This is why the code you linked is as expected, why using “ECB” to implement CMAC is correct and why we can’t remove “ECB” mode.
Cheers,
Janos
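
The distinction drawn in the reply above, as an added example that is not part of the original message and is not Mbed TLS code: the same single-block primitive is used once as actual ECB mode over the message and once as the building block of CTR. Assumptions: XTEA stands in for the single-block `PSA_ALG_ECB_NO_PADDING` call so the block runs without a crypto library, and the key, message, nonce and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
#define BLK 8 /* XTEA block size in bytes (AES would be 16) */
#define MSG_LEN (3 * BLK)
/* Constructed sample data: two identical plaintext blocks, then a different one. */
static const uint32_t KEY[4] = {0x01234567u, 0x89abcdefu, 0xfedcba98u, 0x76543210u};
static const uint8_t MSG[] = "AAAAAAAAAAAAAAAABBBBBBBB";

/* Assumption: XTEA stands in for one single-block PSA_ALG_ECB_NO_PADDING call. */
static void block_encrypt(const uint8_t in[BLK], uint8_t out[BLK])
{
    uint32_t v[2], sum = 0;
    memcpy(v, in, BLK);
    for (int i = 0; i < 32; i++) {
        v[0] += (((v[1] << 4) ^ (v[1] >> 5)) + v[1]) ^ (sum + KEY[sum & 3]);
        sum += 0x9E3779B9u;
        v[1] += (((v[0] << 4) ^ (v[0] >> 5)) + v[0]) ^ (sum + KEY[(sum >> 11) & 3]);
    }
    memcpy(out, v, BLK);
}

/* Actual ECB mode: the primitive is applied to each message block directly. */
void ecb_mode(const uint8_t *msg, size_t len, uint8_t *ct)
{
    for (size_t off = 0; off + BLK <= len; off += BLK)
        block_encrypt(msg + off, ct + off);
}

/* CTR on the same primitive: it encrypts nonce||counter, never the message.
 * The same call decrypts. The nonce must not repeat under one key. */
void ctr_mode(uint32_t nonce, const uint8_t *in, size_t len, uint8_t *out)
{
    for (size_t off = 0; off < len; off += BLK) {
        uint32_t ctr[2] = {nonce, (uint32_t)(off / BLK)};
        uint8_t ks[BLK];
        block_encrypt((const uint8_t *)ctr, ks);
        for (size_t j = 0; j < BLK && off + j < len; j++)
            out[off + j] = in[off + j] ^ ks[j];
    }
}

/* Each returns 1 if ciphertext blocks 0 and 1 are identical (equal plaintext leaks). */
int ecb_leaks(void) { uint8_t c[MSG_LEN]; ecb_mode(MSG, MSG_LEN, c); return !memcmp(c, c + BLK, BLK); }
int ctr_leaks(void) { uint8_t c[MSG_LEN]; ctr_mode(7, MSG, MSG_LEN, c); return !memcmp(c, c + BLK, BLK); }
int ctr_roundtrip(void)
{
    uint8_t c[MSG_LEN], p[MSG_LEN];
    ctr_mode(7, MSG, MSG_LEN, c);
    ctr_mode(7, c, MSG_LEN, p);
    return !memcmp(p, MSG, MSG_LEN);
}
```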