1a8e1175bSopenharmony_ciPSA Cryptoprocessor driver developer's guide
2a8e1175bSopenharmony_ci============================================
3a8e1175bSopenharmony_ci
4a8e1175bSopenharmony_ci**This is a specification of work in progress. The implementation is not yet merged into Mbed TLS.**
5a8e1175bSopenharmony_ciFor a description of the current state of drivers Mbed TLS, see our [PSA Cryptoprocessor driver development examples](../psa-driver-example-and-guide.html).
6a8e1175bSopenharmony_ci
7a8e1175bSopenharmony_ciThis document describes how to write drivers of cryptoprocessors such as accelerators and secure elements for the PSA cryptography subsystem of Mbed TLS.
8a8e1175bSopenharmony_ci
9a8e1175bSopenharmony_ciThis document focuses on behavior that is specific to Mbed TLS. For a reference of the interface between Mbed TLS and drivers, refer to the [PSA Cryptoprocessor Driver Interface specification](psa-driver-interface.html).
10a8e1175bSopenharmony_ci
11a8e1175bSopenharmony_ciThe interface is not fully implemented in Mbed TLS yet. Please note that the interface may still change: until further notice, we do not guarantee backward compatibility with existing driver code.
12a8e1175bSopenharmony_ci
13a8e1175bSopenharmony_ci## Introduction
14a8e1175bSopenharmony_ci
15a8e1175bSopenharmony_ci### Purpose
16a8e1175bSopenharmony_ci
17a8e1175bSopenharmony_ciThe PSA cryptography driver interface provides a way to build Mbed TLS with additional code that implements certain cryptographic primitives. This is primarily intended to support platform-specific hardware.
18a8e1175bSopenharmony_ci
19a8e1175bSopenharmony_ciThere are two types of drivers:
20a8e1175bSopenharmony_ci
21a8e1175bSopenharmony_ci* **Transparent** drivers implement cryptographic operations on keys that are provided in cleartext at the beginning of each operation. They are typically used for hardware **accelerators**. When a transparent driver is available for a particular combination of parameters (cryptographic algorithm, key type and size, etc.), it is used instead of the default software implementation. Transparent drivers can also be pure software implementations that are distributed as plug-ins to a PSA Crypto implementation.
22a8e1175bSopenharmony_ci* **Opaque** drivers implement cryptographic operations on keys that can only be used inside a protected environment such as a **secure element**, a hardware security module, a smartcard, a secure enclave, etc. An opaque driver is invoked for the specific key location that the driver is registered for: the dispatch is based on the key's lifetime.
23a8e1175bSopenharmony_ci
24a8e1175bSopenharmony_ci### Deliverables for a driver
25a8e1175bSopenharmony_ci
26a8e1175bSopenharmony_ciTo write a driver, you need to implement some functions with C linkage, and to declare these functions in a **driver description file**. The driver description file declares which functions the driver implements and what cryptographic mechanisms they support. Depending on the driver type, you may also need to define some C types and macros in a header file.
27a8e1175bSopenharmony_ci
28a8e1175bSopenharmony_ciThe concrete syntax for a driver description file is JSON. The structure of this JSON file is specified in the section [“Driver description syntax”](psa-driver-interface.html#driver-description-syntax) of the PSA cryptography driver interface specification.
29a8e1175bSopenharmony_ci
30a8e1175bSopenharmony_ciA driver therefore consists of:
31a8e1175bSopenharmony_ci
32a8e1175bSopenharmony_ci* A driver description file (in JSON format).
33a8e1175bSopenharmony_ci* C header files defining the types required by the driver description. The names of these header files is declared in the driver description file.
34a8e1175bSopenharmony_ci* An object file compiled for the target platform defining the functions required by the driver description. Implementations may allow drivers to be provided as source files and compiled with the core instead of being pre-compiled.
35a8e1175bSopenharmony_ci
36a8e1175bSopenharmony_ci## Driver C interfaces
37a8e1175bSopenharmony_ci
38a8e1175bSopenharmony_ciMbed TLS calls driver entry points [as specified in the PSA Cryptography Driver Interface specification](psa-driver-interface.html#driver-entry-points) except as otherwise indicated in this section.
39a8e1175bSopenharmony_ci
40a8e1175bSopenharmony_ci## Mbed TLS extensions
41a8e1175bSopenharmony_ci
42a8e1175bSopenharmony_ciThe driver description can include Mbed TLS extensions (marked by the namespace "mbedtls"). Mbed TLS extensions are meant to extend/help integrating the driver into the library's infrastructure.
43a8e1175bSopenharmony_ci* `"mbedtls/h_condition"` (optional, string) can include complex preprocessor definitions to conditionally include header files for a given driver. 
44a8e1175bSopenharmony_ci* `"mbedtls/c_condition"` (optional, string) can include complex preprocessor definitions to conditionally enable dispatch capabilities for a driver.
45a8e1175bSopenharmony_ci
46a8e1175bSopenharmony_ci## Building and testing your driver
47a8e1175bSopenharmony_ci
48a8e1175bSopenharmony_ci<!-- TODO -->
49a8e1175bSopenharmony_ci
50a8e1175bSopenharmony_ci## Dependencies on the Mbed TLS configuration
51a8e1175bSopenharmony_ci
52a8e1175bSopenharmony_ci<!-- TODO -->
53