On a project at my company, we're using mbedtls to encrypt and sign our data. We began the project with mbedtls 2.2.6, and have continuously upgraded until now, 3.6.0.
I've noticed my application has grown greatly since then, even though we are only using the following APIs:
Encryption (only decryption on the embedded side):
- mbedtls_aes_init
- mbedtls_aes_setkey_dec
- mbedtls_aes_crypt_cbc
Signing (only verification on the embedded side):
- mbedtls_ecp_point_read_binary
- mbedtls_sha256_init/free
- mbedtls_sha256_starts_ret
- mbedtls_sha256_update_ret
- mbedtls_sha256_finish_ret
- mbedtls_ecdsa_init/free
- mbedtls_ecp_group_load
- mbedtls_ecdsa_read_signature
The size of libmbedcrypto.a has grown from under 400K to almost 800K. I've tried reducing it with mbedtls_config.h, but it is not entirely clear to me which #defines do what. I tried one of the sample configs which by its name looked promising (crypto-config-ccm-aes-sha256.h), and it reduced the size of the library by 90%, but left me with link errors for all of the above functions. Going one #define at a time manually to see if it saves or grows is slow, and so I hoped I could find some assistance here.
Thanks in advance
Hi Steven,
The Mbed TLS config options are primarily feature-based, so the best approach is to start with a blank config, add the options needed for the features required and use include/mbedtls/check_config.h to find and enable the dependencies of those options. Using this approach, I've been able to construct the following config file:
```c
/* AES-CBC decryption */
#define MBEDTLS_AES_C
#define MBEDTLS_CIPHER_MODE_CBC

/* SHA-256 digest */
#define MBEDTLS_SHA256_C

/* Elliptic-curve arithmetic */
#define MBEDTLS_ECP_C
#define MBEDTLS_BIGNUM_C

/* ECDSA verification (signature is ASN.1 DER encoded) */
#define MBEDTLS_ECDSA_C
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED /* Note: replace with your preferred curve option */

/* No OS entropy source on the target */
#define MBEDTLS_NO_PLATFORM_ENTROPY
```
This enables all of the functions that you have listed, while keeping size to a minimum. When compiled for Cortex-M33, libmbedcrypto.a is around 28KB by my measurement.
Note that in Mbed TLS 4.0 all crypto options will be configured through the PSA crypto API, which will automatically enable dependencies of features that are configured. This should make it much easier to build minimal configurations without having to worry about dependencies.
I hope that helps.
Many thanks,
David Horstmann
Mbed TLS Developer
From: Steven Burck via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Sent: 01 July 2024 09:52
To: mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>
Subject: [mbed-tls] 3.6.0 library size
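The reply's approach (start blank, add the options for the functions you call, then resolve what check_config.h demands) can be automated. The script below is an added example for this thread, not Mbed TLS code; its dependency table is a hand-transcribed subset of include/mbedtls/check_config.h that is assumed correct for 3.6 but is not exhaustive, so the generated config must still be compiled against check_config.h.

```python
"""Derive a minimal Mbed TLS 3.6 config from the API functions a firmware image calls.
Added example for this thread, not part of Mbed TLS. HARD_DEPS is a hand-transcribed
subset of include/mbedtls/check_config.h (assumed correct for 3.6, not exhaustive)."""

# Option -> options that check_config.h requires alongside it (subset).
HARD_DEPS = {
    "MBEDTLS_ECDSA_C": {"MBEDTLS_ECP_C", "MBEDTLS_ASN1_PARSE_C", "MBEDTLS_ASN1_WRITE_C"},
    "MBEDTLS_ECP_C": {"MBEDTLS_BIGNUM_C"},  # plus at least one MBEDTLS_ECP_DP_*_ENABLED
}
# API-name prefix -> option that provides that module (covers the init/free pairs too).
MODULE_BY_PREFIX = {
    "mbedtls_aes_": "MBEDTLS_AES_C",
    "mbedtls_sha256_": "MBEDTLS_SHA256_C",
    "mbedtls_ecp_": "MBEDTLS_ECP_C",
    "mbedtls_ecdsa_": "MBEDTLS_ECDSA_C",
}
# Functions that also need a mode flag inside their module.
EXTRA_BY_FUNCTION = {"mbedtls_aes_crypt_cbc": "MBEDTLS_CIPHER_MODE_CBC"}

def resolve(options, curve):
    """Transitive closure over HARD_DEPS; MBEDTLS_ECP_C also pulls in the chosen curve."""
    wanted = set(options)
    todo = list(wanted)
    while todo:
        for dep in HARD_DEPS.get(todo.pop(), ()):
            if dep not in wanted:
                wanted.add(dep)
                todo.append(dep)
    if "MBEDTLS_ECP_C" in wanted:
        wanted.add(curve)
    return sorted(wanted)

def config_for_apis(apis, curve="MBEDTLS_ECP_DP_SECP256R1_ENABLED", bare_metal=True):
    """Map each called function to its module option, then resolve dependencies."""
    options = set()
    for name in apis:
        module = next((m for p, m in MODULE_BY_PREFIX.items() if name.startswith(p)), None)
        if module is None:  # unknown function: fail loudly rather than emit a broken config
            raise ValueError(f"no module mapping for {name}; consult check_config.h")
        options.add(module)
        if name in EXTRA_BY_FUNCTION:
            options.add(EXTRA_BY_FUNCTION[name])
    if bare_metal:  # no OS entropy source on the target, as in the reply's config
        options.add("MBEDTLS_NO_PLATFORM_ENTROPY")
    return resolve(options, curve)

def render(options):
    """Body of a minimal mbedtls_config.h; point MBEDTLS_CONFIG_FILE at the result."""
    return "".join(f"#define {opt}\n" for opt in options)
```

Feeding the thread's function list to config_for_apis reproduces the ten options in the reply above; dropping the ECDSA calls drops ECP, BIGNUM and both ASN1 options with them.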
Very helpful! I'll start trying to implement it right now.
On Mon, Jul 1, 2024 at 5:22 PM David Horstmann David.Horstmann@arm.com wrote: