From 106700481d14de07f478f8a51e176f28af99ebd4 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 26 Sep 2025 13:15:58 +0200 Subject: [PATCH] Improve explanations of configuration translation Signed-off-by: Gilles Peskine --- docs/psa-transition.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/psa-transition.md b/docs/psa-transition.md index f83d146476..7c9482ce58 100644 --- a/docs/psa-transition.md +++ b/docs/psa-transition.md @@ -230,7 +230,7 @@ If you have a working configuration file with legacy configuration options, run programs/test/query_compile_time_config -l ``` -The lines with `PSA_WANT_...=1` should constitute a PSA configuration that is similar to your legacy configuration. You can translate this into `#define` line with the following bash/Linux/macOS shell snippet: +The lines with `PSA_WANT_...=1` should constitute a PSA configuration that is similar to your legacy configuration. That is, for every line `PSA_WANT_XXX=1` in the output of `query_compile_time_config -l`, make sure the line `#define PSA_WANT_XXX 1` is enabled in `include/psa/crypto_config.h` (or alternate `TF_PSA_CRYPTO_CONFIG_FILE`). You use the following bash/Linux/macOS shell snippet to automate this translation: ``` programs/test/query_compile_time_config -l | sed -n 's/^\(PSA_WANT_.*\)=1/#define \1/p' 
@@ -238,6 +238,8 @@ programs/test/query_compile_time_config -l | sed -n 's/^\(PSA_WANT_.*\)=1/#defin Please review the result as the configuration may not be fully equivalent in all cases. It will generally provide at least the same features, but sometimes this translation results in more than desired. +Note that this only generates the new selection of cryptographic mechanisms. You will also need to remove config lines that set legacy crypto options. Note also that TF-PSA-Crypto 1.0 has changed a few other options; see the [1.0 migration guide](1.0-migration-guide.md#configuration-of-tf-psa-crypto) for more information. + #### Implicit activation of crypto features If a mechanism is not enabled by `PSA_WANT_xxx`, Mbed TLS will normally not include it. This allows builds that use few features to have a small code size. However, this is not guaranteed: a mechanism that is not explicitly requested can be enabled because it is a dependency of another configuration option, because it is used internally, or because the granularity is not fine enough to distinguish between it and another mechanism that is requested.
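Review bot: In the first hunk (`@@ -230,7 +230,7 @@`), the rewritten sentence tells the reader to make sure the line `#define PSA_WANT_XXX 1` is enabled, but the sed command that follows, `sed -n 's/^\(PSA_WANT_.*\)=1/#define \1/p'`, emits `#define PSA_WANT_XXX` with no value, so the prose and the generated output disagree; either append the value in the replacement (`#define \1 1`) or word the prose as `#define PSA_WANT_XXX` so the two match. Also, "You use the following bash/Linux/macOS shell snippet to automate this translation" reads as a dropped word; "You can use the following ..." matches the tone of the surrounding text.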
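Review bot: In the second hunk (`@@ -238,6 +238,8 @@`), the added paragraph says the reader "will also need to remove config lines that set legacy crypto options" without saying that this step is manual (the previous paragraph's translation is automated, so a reader may expect the same here) or where to find which options count as legacy; a sentence stating that the removal is done by hand and, if the linked migration guide has such a list, pointing at it would close that gap. The back-to-back "Note that ... Note also that ..." sentences would also read more clearly as two short bullets, one per action (remove legacy crypto options; review the other options TF-PSA-Crypto 1.0 changed).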