Crypto: Adjust CRYPTO_ENGINE_BUF_SIZE in profiles with RSA encryption

If a profile supports RSA encryption/decryption, increase the default size of the CRYPTO_ENGINE_BUF_SIZE to 0x3000 to avoid PSA_ERROR_INSUFFICIENT_MEMORY when calling into Mbed TLS using RSA-2048 keys. Existing value is calibrated for RSA-1024 which is less relevant nowadays from security perspective. Signed-off-by: Antonio de Angelis <[email protected]> Change-Id: I3dc3e1fd26da9d9e69bce5b0b480228e896aa025 (cherry picked from commit c271e4a)
zephyrproject-rtos · Nov 28, 2024 · fa020a8 · fa020a8
1 parent 83c8b2a
commit fa020a8
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 11 deletions.
diff --git a/config/config_base.h b/config/config_base.h
@@ -36,11 +36,12 @@
 /* Crypto Partition Configs */
 
 /*
- * Heap size for the crypto backend
- * CRYPTO_ENGINE_BUF_SIZE needs to be >8KB for EC signing by attest module.
+ * Heap size for the crypto backend. This is statically allocated
+ * inside the Crypto service and used as heap through the default
+ * Mbed TLS allocator
  */
 #ifndef CRYPTO_ENGINE_BUF_SIZE
-#define CRYPTO_ENGINE_BUF_SIZE                 0x2080
+#define CRYPTO_ENGINE_BUF_SIZE                 0x3000
 #endif
 
 /* The max number of concurrent operations that can be active (allocated) at any time in Crypto */

diff --git a/config/profile/config_profile_large.h b/config/profile/config_profile_large.h
@@ -43,11 +43,12 @@
 #endif
 
 /*
- * Heap size for the crypto backend
- * CRYPTO_ENGINE_BUF_SIZE needs to be >8KB for EC signing by attest module.
+ * Heap size for the crypto backend. This is statically allocated
+ * inside the Crypto service and used as heap through the default
+ * Mbed TLS allocator
  */
 #ifndef CRYPTO_ENGINE_BUF_SIZE
-#define CRYPTO_ENGINE_BUF_SIZE                 0x2380
+#define CRYPTO_ENGINE_BUF_SIZE                 0x3000
 #endif
 
 /* The max number of concurrent operations that can be active (allocated) at any time in Crypto */

diff --git a/config/profile/config_profile_medium.h b/config/profile/config_profile_medium.h
@@ -33,8 +33,9 @@
 /* Crypto Partition Configs */
 
 /*
- * Heap size for the crypto backend
- * CRYPTO_ENGINE_BUF_SIZE needs to be >8KB for EC signing by attest module.
+ * Heap size for the crypto backend. This is statically allocated
+ * inside the Crypto service and used as heap through the default
+ * Mbed TLS allocator
  */
 #ifndef CRYPTO_ENGINE_BUF_SIZE
 #define CRYPTO_ENGINE_BUF_SIZE                 0x2080

diff --git a/config/profile/config_profile_medium_arotless.h b/config/profile/config_profile_medium_arotless.h
@@ -33,8 +33,9 @@
 /* Crypto Partition Configs */
 
 /*
- * Heap size for the crypto backend
- * CRYPTO_ENGINE_BUF_SIZE needs to be >8KB for EC signing by attest module.
+ * Heap size for the crypto backend. This is statically allocated
+ * inside the Crypto service and used as heap through the default
+ * Mbed TLS allocator
  */
 #ifndef CRYPTO_ENGINE_BUF_SIZE
 #define CRYPTO_ENGINE_BUF_SIZE                 0x2080

diff --git a/config/profile/config_profile_small.h b/config/profile/config_profile_small.h
@@ -32,7 +32,11 @@
 
 /* Crypto Partition Configs */
 
-/* Heap size for the crypto backend */
+/*
+ * Heap size for the crypto backend. This is statically allocated
+ * inside the Crypto service and used as heap through the default
+ * Mbed TLS allocator
+ */
 #ifndef CRYPTO_ENGINE_BUF_SIZE
 #define CRYPTO_ENGINE_BUF_SIZE                 0x400
 #endif