TI mbed TLS User's Guide
Overview
The TI mbed TLS Component is a fork of the mbed TLS repo maintained here:
TI’s general policy is to select the most recent LTS branch, add TI device/build support, and provide pre-built libraries appropriate for a given SDK.
By design, TI makes an effort to limit all changes to the ti/ subdirectory. This minimizes the steps necessary for users to update to newer mbed TLS versions (described below).
Rebuilding mbed TLS libraries
The pre-built libraries are “generously” configured and enable a wide range of features, suitable for most development. However, users may need to change the configuration to optimize their system (e.g. to remove features they don’t need in order to save memory). This is done by 1) modifying the mbed TLS config file, and 2) rebuilding the mbed TLS libraries.
The config files are provided in the ti/configs/ directory. Users can modify those config files (the mbed TLS project documents these config options directly in those config headers), then run the appropriate makefile. Note in particular that mbed TLS’s default configuration file, ‘mbedtls_config.h’, should not be used as a baseline for configuration, because certain options must remain disabled. Examples include MBEDTLS_NET_C and MBEDTLS_HAVE_TIME, which introduce unsupported POSIX dependencies.
For example, to rebuild the ARM M33F library, built with the TI toolchain, users can edit the ti/configs/config-<device>.h file to their liking, then change into the ti/lib/[TOOL]/m33f directory and run make.
The build system locates dependencies using the variables in ti/defs.mak. In some cases (e.g. SimpleLink SDKs), the mbed TLS dependencies are found using variables already set in the SDK (e.g. the imports.mak file at the root of the SDK). In other cases, users may have to define these variables explicitly. See the comments in ti/defs.mak for details.
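The constraint on options that must remain disabled can be checked on an edited config header before running make. The script below is an added example, not part of TI's or the mbed TLS project's tooling; the function names and the FORBIDDEN list (which holds only the two options this guide names as examples) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint a TI mbed TLS config header before running make.
# FORBIDDEN holds only the two options the guide names as examples;
# extend it with any other option your device port cannot support.
FORBIDDEN="MBEDTLS_NET_C MBEDTLS_HAVE_TIME"

# Print each forbidden option left actively #defined in header $1.
# Handles // and /* */ comments and a later #undef; it does not
# evaluate #if/#ifdef conditionals.
active_forbidden() {
    awk -v list="$FORBIDDEN" '
    BEGIN { n = split(list, name, " ") }
    {
        line = $0; code = ""
        while (line != "") {
            if (in_block) {                      # inside a /* ... */ comment
                p = index(line, "*/")
                if (p == 0) break
                line = substr(line, p + 2); in_block = 0
                continue
            }
            p = index(line, "/*"); q = index(line, "//")
            if (q > 0 && (p == 0 || q < p)) { code = code substr(line, 1, q - 1); break }
            if (p == 0) { code = code line; break }
            code = code substr(line, 1, p - 1) " "
            line = substr(line, p + 2); in_block = 1
        }
        if (match(code, /^[ \t]*#[ \t]*(define|undef)[ \t]+/)) {
            is_def = (code ~ /^[ \t]*#[ \t]*define/)
            sym = substr(code, RLENGTH + 1)
            sub(/[^A-Za-z0-9_].*$/, "", sym)     # keep the macro name only
            on[sym] = is_def                     # a later #undef clears it
        }
    }
    END { for (i = 1; i <= n; i++) if (on[name[i]]) print name[i] }
    ' "$1"
}

# Return 0 when the header is clean, 1 (with a report on stderr) otherwise.
check_config() {
    found=$(active_forbidden "$1") || return 2
    [ -z "$found" ] && return 0
    echo "$1: must stay disabled: $(echo $found)" >&2
    return 1
}

# Usage: sh check_config.sh ti/configs/config-<device>.h
[ "$#" -eq 0 ] || check_config "$1"
```

Because the check is line-based, an option enabled only inside a preprocessor conditional is reported as enabled regardless of whether that branch is taken.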
Updating mbed TLS
There may be times when users need to change the version of mbed TLS, for example to make use of security fixes in the mbed TLS LTS branches. Users can obtain the newer mbed TLS release (e.g. git clone from the upstream project’s git repo), copy the ti/ directory into that copy, and rebuild the TI libraries as described above.
The mbed TLS project intentionally aims to maintain source compatibility on LTS branches, which is a key reason TI bases its work on those LTS branches. Because of this, it should be fairly easy for users to update to a newer release on a given LTS branch using the steps described above.
Using mbed TLS in a project
TI mbed TLS is available as a pre-built standalone library for multiple compilers. For information on rebuilding the mbed TLS library for a user’s custom configuration, see the “Rebuilding mbed TLS libraries” section above.
To use the mbed TLS library, start from an existing project from the desired device SDK. For example, if using a SimpleLink SDK, begin by importing the Empty project in the examples/rtos/<device>/drivers folder.
To add TI mbed TLS to a project, go to Properties and add mbedtls.a to the linker file search path. If using a SimpleLink SDK, this pre-built library can be found in source/third_party/mbedtls/ti/lib/<compiler>/<device type>/mbedtls.a. Add the include paths for mbedtls/include, mbedtls/ti, and mbedtls/ti/port.
The CC13x4/CC26x4 porting files utilize dynamic instances of all cryptographic drivers. Therefore, no driver instances need to be defined in SysConfig to use TI mbed TLS.
The CC27xx/CC35xx devices require the “PSA Crypto and KeyStore” SysConfig module to be activated for use of mbed TLS (versions 3.6.2 and onward). This is because mbed TLS depends on the PSA Cryptographic API, which is defined by a TI-provided library (at least for HW-accelerated cryptographic operations).