diff mbox series

[v2,1/6] mbedtls: Enable TLS 1.2 support

Message ID 20241024112449.1362319-2-ilias.apalodimas@linaro.org
State New
Headers show
Series Enable https for wget | expand

Commit Message

Ilias Apalodimas Oct. 24, 2024, 11:24 a.m. UTC 
Since lwIP and mbedTLS have been merged we can tweak the config options
and enable TLS1.2 support. Add RSA and ECDSA by default and enable
enough block cipher modes of operation to be comatible with modern
TLS requirements and webservers

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---
 lib/mbedtls/Kconfig              | 12 ++++++++
 lib/mbedtls/Makefile             | 31 +++++++++++++++++++
 lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++
 3 files changed, 95 insertions(+)

Comments

Raymond Mao Oct. 24, 2024, 2:13 p.m. UTC | #1 
Hi Ilias,

On Thu, 24 Oct 2024 at 07:25, Ilias Apalodimas <ilias.apalodimas@linaro.org>
wrote:

> Since lwIP and mbedTLS have been merged we can tweak the config options
> and enable TLS1.2 support. Add RSA and ECDSA by default and enable
> enough block cipher modes of operation to be comatible with modern
> TLS requirements and webservers
>
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> ---
>  lib/mbedtls/Kconfig              | 12 ++++++++
>  lib/mbedtls/Makefile             | 31 +++++++++++++++++++
>  lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++
>  3 files changed, 95 insertions(+)
>
> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> index d71adc3648ad..f3e172633999 100644
> --- a/lib/mbedtls/Kconfig
> +++ b/lib/mbedtls/Kconfig
> @@ -430,4 +430,16 @@ endif # SPL
>
>  endif # MBEDTLS_LIB_X509
>
> +config MBEDTLS_LIB_TLS
> +       bool "MbedTLS TLS library"
> +       depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS
> +       depends on X509_CERTIFICATE_PARSER_MBEDTLS
> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> +       depends on ASN1_DECODER_MBEDTLS
> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> +       depends on MBEDTLS_LIB_CRYPTO
> +       help
> +         Enable MbedTLS TLS library. If enabled HTTPs support will be
> enabled
> +         in wget
> +
>  endif # MBEDTLS_LIB
> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
> index 83cb3c2fa705..ce0a61e40541 100644
> --- a/lib/mbedtls/Makefile
> +++ b/lib/mbedtls/Makefile
> @@ -26,6 +26,7 @@ mbedtls_lib_crypto-y := \
>         $(MBEDTLS_LIB_DIR)/platform_util.o \
>         $(MBEDTLS_LIB_DIR)/constant_time.o \
>         $(MBEDTLS_LIB_DIR)/md.o
> +
>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) +=
> $(MBEDTLS_LIB_DIR)/md5.o
>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) +=
> $(MBEDTLS_LIB_DIR)/sha1.o
>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \
> @@ -54,3 +55,33 @@
> mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
>         $(MBEDTLS_LIB_DIR)/x509_crt.o
>  mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
>         $(MBEDTLS_LIB_DIR)/pkcs7.o
> +
> +#mbedTLS TLS support
> +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
> +mbedtls_lib_tls-y := \
> +       $(MBEDTLS_LIB_DIR)/mps_reader.o \
> +       $(MBEDTLS_LIB_DIR)/mps_trace.o \
> +       $(MBEDTLS_LIB_DIR)/net_sockets.o \
> +       $(MBEDTLS_LIB_DIR)/pk_ecc.o \
> +       $(MBEDTLS_LIB_DIR)/ssl_cache.o \
> +       $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \
> +       $(MBEDTLS_LIB_DIR)/ssl_client.o \
> +       $(MBEDTLS_LIB_DIR)/ssl_cookie.o \
> +       $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \
> +       $(MBEDTLS_LIB_DIR)/ssl_msg.o \
> +       $(MBEDTLS_LIB_DIR)/ssl_ticket.o \
> +       $(MBEDTLS_LIB_DIR)/ssl_tls.o \
> +       $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \
> +       $(MBEDTLS_LIB_DIR)/hmac_drbg.o \
> +       $(MBEDTLS_LIB_DIR)/ctr_drbg.o \
> +       $(MBEDTLS_LIB_DIR)/entropy.o \
> +       $(MBEDTLS_LIB_DIR)/entropy_poll.o \
> +       $(MBEDTLS_LIB_DIR)/aes.o \
> +       $(MBEDTLS_LIB_DIR)/cipher.o \
> +       $(MBEDTLS_LIB_DIR)/cipher_wrap.o \
> +       $(MBEDTLS_LIB_DIR)/ecdh.o \
> +       $(MBEDTLS_LIB_DIR)/ecdsa.o \
> +       $(MBEDTLS_LIB_DIR)/ecp.o \
> +       $(MBEDTLS_LIB_DIR)/ecp_curves.o \
> +       $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \
> +       $(MBEDTLS_LIB_DIR)/gcm.o \
> diff --git a/lib/mbedtls/mbedtls_def_config.h
> b/lib/mbedtls/mbedtls_def_config.h
> index 1af911c2003f..ac8f0bbf2c0e 100644
> --- a/lib/mbedtls/mbedtls_def_config.h
> +++ b/lib/mbedtls/mbedtls_def_config.h
> @@ -87,4 +87,56 @@
>
>  #endif /* #if defined CONFIG_MBEDTLS_LIB_X509 */
>
> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS)
>

It would be better to use "#if defined CONFIG_MBEDTLS_LIB_TLS" here,
as in SPL build it implicitly expects a "CONFIG_SPL_MBEDTLS_LIB_TLS"
which we don't have.

[snip]

With above change,
Reviewed-by: Raymond Mao <raymond.mao@linaro.org>

Regards,
Raymond
Ilias Apalodimas Oct. 24, 2024, 2:43 p.m. UTC | #2 
Hi Raymond

On Thu, 24 Oct 2024 at 17:13, Raymond Mao <raymond.mao@linaro.org> wrote:
>
> Hi Ilias,
>
> On Thu, 24 Oct 2024 at 07:25, Ilias Apalodimas <ilias.apalodimas@linaro.org> wrote:
>>
>> Since lwIP and mbedTLS have been merged we can tweak the config options
>> and enable TLS1.2 support. Add RSA and ECDSA by default and enable
>> enough block cipher modes of operation to be comatible with modern
>> TLS requirements and webservers
>>
>> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
>> ---
>>  lib/mbedtls/Kconfig              | 12 ++++++++
>>  lib/mbedtls/Makefile             | 31 +++++++++++++++++++
>>  lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++
>>  3 files changed, 95 insertions(+)
>>
>> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
>> index d71adc3648ad..f3e172633999 100644
>> --- a/lib/mbedtls/Kconfig
>> +++ b/lib/mbedtls/Kconfig
>> @@ -430,4 +430,16 @@ endif # SPL
>>
>>  endif # MBEDTLS_LIB_X509
>>
>> +config MBEDTLS_LIB_TLS
>> +       bool "MbedTLS TLS library"
>> +       depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS
>> +       depends on X509_CERTIFICATE_PARSER_MBEDTLS
>> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
>> +       depends on ASN1_DECODER_MBEDTLS
>> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
>> +       depends on MBEDTLS_LIB_CRYPTO
>> +       help
>> +         Enable MbedTLS TLS library. If enabled HTTPs support will be enabled
>> +         in wget
>> +
>>  endif # MBEDTLS_LIB
>> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
>> index 83cb3c2fa705..ce0a61e40541 100644
>> --- a/lib/mbedtls/Makefile
>> +++ b/lib/mbedtls/Makefile
>> @@ -26,6 +26,7 @@ mbedtls_lib_crypto-y := \
>>         $(MBEDTLS_LIB_DIR)/platform_util.o \
>>         $(MBEDTLS_LIB_DIR)/constant_time.o \
>>         $(MBEDTLS_LIB_DIR)/md.o
>> +
>>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) += $(MBEDTLS_LIB_DIR)/md5.o
>>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += $(MBEDTLS_LIB_DIR)/sha1.o
>>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \
>> @@ -54,3 +55,33 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
>>         $(MBEDTLS_LIB_DIR)/x509_crt.o
>>  mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
>>         $(MBEDTLS_LIB_DIR)/pkcs7.o
>> +
>> +#mbedTLS TLS support
>> +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
>> +mbedtls_lib_tls-y := \
>> +       $(MBEDTLS_LIB_DIR)/mps_reader.o \
>> +       $(MBEDTLS_LIB_DIR)/mps_trace.o \
>> +       $(MBEDTLS_LIB_DIR)/net_sockets.o \
>> +       $(MBEDTLS_LIB_DIR)/pk_ecc.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_cache.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_client.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_cookie.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_msg.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_ticket.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_tls.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \
>> +       $(MBEDTLS_LIB_DIR)/hmac_drbg.o \
>> +       $(MBEDTLS_LIB_DIR)/ctr_drbg.o \
>> +       $(MBEDTLS_LIB_DIR)/entropy.o \
>> +       $(MBEDTLS_LIB_DIR)/entropy_poll.o \
>> +       $(MBEDTLS_LIB_DIR)/aes.o \
>> +       $(MBEDTLS_LIB_DIR)/cipher.o \
>> +       $(MBEDTLS_LIB_DIR)/cipher_wrap.o \
>> +       $(MBEDTLS_LIB_DIR)/ecdh.o \
>> +       $(MBEDTLS_LIB_DIR)/ecdsa.o \
>> +       $(MBEDTLS_LIB_DIR)/ecp.o \
>> +       $(MBEDTLS_LIB_DIR)/ecp_curves.o \
>> +       $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \
>> +       $(MBEDTLS_LIB_DIR)/gcm.o \
>> diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h
>> index 1af911c2003f..ac8f0bbf2c0e 100644
>> --- a/lib/mbedtls/mbedtls_def_config.h
>> +++ b/lib/mbedtls/mbedtls_def_config.h
>> @@ -87,4 +87,56 @@
>>
>>  #endif /* #if defined CONFIG_MBEDTLS_LIB_X509 */
>>
>> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS)
>
>
> It would be better to use "#if defined CONFIG_MBEDTLS_LIB_TLS" here,
> as in SPL build it implicitly expects a "CONFIG_SPL_MBEDTLS_LIB_TLS"
> which we don't have.
>

We usually prefer CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS) regardless of an
SPL flag or not.

Thanks
/Ilias
> [snip]
>
> With above change,
> Reviewed-by: Raymond Mao <raymond.mao@linaro.org>
>
> Regards,
> Raymond
Raymond Mao Oct. 24, 2024, 4:54 p.m. UTC | #3 
Hi Ilias,

On Thu, 24 Oct 2024 at 10:44, Ilias Apalodimas <ilias.apalodimas@linaro.org>
wrote:

> Hi Raymond
>
> On Thu, 24 Oct 2024 at 17:13, Raymond Mao <raymond.mao@linaro.org> wrote:
> >
> > Hi Ilias,
> >
> > On Thu, 24 Oct 2024 at 07:25, Ilias Apalodimas <
> ilias.apalodimas@linaro.org> wrote:
> >>
> >> Since lwIP and mbedTLS have been merged we can tweak the config options
> >> and enable TLS1.2 support. Add RSA and ECDSA by default and enable
> >> enough block cipher modes of operation to be comatible with modern
> >> TLS requirements and webservers
> >>
> >> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> >> ---
> >>  lib/mbedtls/Kconfig              | 12 ++++++++
> >>  lib/mbedtls/Makefile             | 31 +++++++++++++++++++
> >>  lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++
> >>  3 files changed, 95 insertions(+)
> >>
> >> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> >> index d71adc3648ad..f3e172633999 100644
> >> --- a/lib/mbedtls/Kconfig
> >> +++ b/lib/mbedtls/Kconfig
> >> @@ -430,4 +430,16 @@ endif # SPL
> >>
> >>  endif # MBEDTLS_LIB_X509
> >>
> >> +config MBEDTLS_LIB_TLS
> >> +       bool "MbedTLS TLS library"
> >> +       depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS
> >> +       depends on X509_CERTIFICATE_PARSER_MBEDTLS
> >> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> >> +       depends on ASN1_DECODER_MBEDTLS
> >> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> >> +       depends on MBEDTLS_LIB_CRYPTO
> >> +       help
> >> +         Enable MbedTLS TLS library. If enabled HTTPs support will be
> enabled
> >> +         in wget
> >> +
> >>  endif # MBEDTLS_LIB
> >> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
> >> index 83cb3c2fa705..ce0a61e40541 100644
> >> --- a/lib/mbedtls/Makefile
> >> +++ b/lib/mbedtls/Makefile
> >> @@ -26,6 +26,7 @@ mbedtls_lib_crypto-y := \
> >>         $(MBEDTLS_LIB_DIR)/platform_util.o \
> >>         $(MBEDTLS_LIB_DIR)/constant_time.o \
> >>         $(MBEDTLS_LIB_DIR)/md.o
> >> +
> >>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) +=
> $(MBEDTLS_LIB_DIR)/md5.o
> >>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) +=
> $(MBEDTLS_LIB_DIR)/sha1.o
> >>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \
> >> @@ -54,3 +55,33 @@
> mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
> >>         $(MBEDTLS_LIB_DIR)/x509_crt.o
> >>  mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
> >>         $(MBEDTLS_LIB_DIR)/pkcs7.o
> >> +
> >> +#mbedTLS TLS support
> >> +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
> >> +mbedtls_lib_tls-y := \
> >> +       $(MBEDTLS_LIB_DIR)/mps_reader.o \
> >> +       $(MBEDTLS_LIB_DIR)/mps_trace.o \
> >> +       $(MBEDTLS_LIB_DIR)/net_sockets.o \
> >> +       $(MBEDTLS_LIB_DIR)/pk_ecc.o \
> >> +       $(MBEDTLS_LIB_DIR)/ssl_cache.o \
> >> +       $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \
> >> +       $(MBEDTLS_LIB_DIR)/ssl_client.o \
> >> +       $(MBEDTLS_LIB_DIR)/ssl_cookie.o \
> >> +       $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \
> >> +       $(MBEDTLS_LIB_DIR)/ssl_msg.o \
> >> +       $(MBEDTLS_LIB_DIR)/ssl_ticket.o \
> >> +       $(MBEDTLS_LIB_DIR)/ssl_tls.o \
> >> +       $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \
> >> +       $(MBEDTLS_LIB_DIR)/hmac_drbg.o \
> >> +       $(MBEDTLS_LIB_DIR)/ctr_drbg.o \
> >> +       $(MBEDTLS_LIB_DIR)/entropy.o \
> >> +       $(MBEDTLS_LIB_DIR)/entropy_poll.o \
> >> +       $(MBEDTLS_LIB_DIR)/aes.o \
> >> +       $(MBEDTLS_LIB_DIR)/cipher.o \
> >> +       $(MBEDTLS_LIB_DIR)/cipher_wrap.o \
> >> +       $(MBEDTLS_LIB_DIR)/ecdh.o \
> >> +       $(MBEDTLS_LIB_DIR)/ecdsa.o \
> >> +       $(MBEDTLS_LIB_DIR)/ecp.o \
> >> +       $(MBEDTLS_LIB_DIR)/ecp_curves.o \
> >> +       $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \
> >> +       $(MBEDTLS_LIB_DIR)/gcm.o \
> >> diff --git a/lib/mbedtls/mbedtls_def_config.h
> b/lib/mbedtls/mbedtls_def_config.h
> >> index 1af911c2003f..ac8f0bbf2c0e 100644
> >> --- a/lib/mbedtls/mbedtls_def_config.h
> >> +++ b/lib/mbedtls/mbedtls_def_config.h
> >> @@ -87,4 +87,56 @@
> >>
> >>  #endif /* #if defined CONFIG_MBEDTLS_LIB_X509 */
> >>
> >> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS)
> >
> >
> > It would be better to use "#if defined CONFIG_MBEDTLS_LIB_TLS" here,
> > as in SPL build it implicitly expects a "CONFIG_SPL_MBEDTLS_LIB_TLS"
> > which we don't have.
> >
>
> We usually prefer CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS) regardless of an
> SPL flag or not.
>
> If the flag is never expected to be enabled in SPL build, that is OK.
Because in SPL, CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS) will be always false
without a CONFIG_SPL_MBEDTLS_LIB_TLS.

Regards,
Raymond
diff mbox series

Patch

diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index d71adc3648ad..f3e172633999 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -430,4 +430,16 @@  endif # SPL
 
 endif # MBEDTLS_LIB_X509
 
+config MBEDTLS_LIB_TLS
+	bool "MbedTLS TLS library"
+	depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS
+	depends on X509_CERTIFICATE_PARSER_MBEDTLS
+	depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
+	depends on ASN1_DECODER_MBEDTLS
+	depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
+	depends on MBEDTLS_LIB_CRYPTO
+	help
+	  Enable MbedTLS TLS library. If enabled HTTPs support will be enabled
+	  in wget
+
 endif # MBEDTLS_LIB
diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index 83cb3c2fa705..ce0a61e40541 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -26,6 +26,7 @@  mbedtls_lib_crypto-y := \
 	$(MBEDTLS_LIB_DIR)/platform_util.o \
 	$(MBEDTLS_LIB_DIR)/constant_time.o \
 	$(MBEDTLS_LIB_DIR)/md.o
+
 mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) += $(MBEDTLS_LIB_DIR)/md5.o
 mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += $(MBEDTLS_LIB_DIR)/sha1.o
 mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \
@@ -54,3 +55,33 @@  mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
 	$(MBEDTLS_LIB_DIR)/x509_crt.o
 mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
 	$(MBEDTLS_LIB_DIR)/pkcs7.o
+
+#mbedTLS TLS support
+obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
+mbedtls_lib_tls-y := \
+	$(MBEDTLS_LIB_DIR)/mps_reader.o \
+	$(MBEDTLS_LIB_DIR)/mps_trace.o \
+	$(MBEDTLS_LIB_DIR)/net_sockets.o \
+	$(MBEDTLS_LIB_DIR)/pk_ecc.o \
+	$(MBEDTLS_LIB_DIR)/ssl_cache.o \
+	$(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \
+	$(MBEDTLS_LIB_DIR)/ssl_client.o \
+	$(MBEDTLS_LIB_DIR)/ssl_cookie.o \
+	$(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \
+	$(MBEDTLS_LIB_DIR)/ssl_msg.o \
+	$(MBEDTLS_LIB_DIR)/ssl_ticket.o \
+	$(MBEDTLS_LIB_DIR)/ssl_tls.o \
+	$(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \
+	$(MBEDTLS_LIB_DIR)/hmac_drbg.o \
+	$(MBEDTLS_LIB_DIR)/ctr_drbg.o \
+	$(MBEDTLS_LIB_DIR)/entropy.o \
+	$(MBEDTLS_LIB_DIR)/entropy_poll.o \
+	$(MBEDTLS_LIB_DIR)/aes.o \
+	$(MBEDTLS_LIB_DIR)/cipher.o \
+	$(MBEDTLS_LIB_DIR)/cipher_wrap.o \
+	$(MBEDTLS_LIB_DIR)/ecdh.o \
+	$(MBEDTLS_LIB_DIR)/ecdsa.o \
+	$(MBEDTLS_LIB_DIR)/ecp.o \
+	$(MBEDTLS_LIB_DIR)/ecp_curves.o \
+	$(MBEDTLS_LIB_DIR)/ecp_curves_new.o \
+	$(MBEDTLS_LIB_DIR)/gcm.o \
diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h
index 1af911c2003f..ac8f0bbf2c0e 100644
--- a/lib/mbedtls/mbedtls_def_config.h
+++ b/lib/mbedtls/mbedtls_def_config.h
@@ -87,4 +87,56 @@ 
 
 #endif /* #if defined CONFIG_MBEDTLS_LIB_X509 */
 
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS)
+#include "rtc.h"
+
+/* Generic options */
+#define MBEDTLS_ENTROPY_HARDWARE_ALT
+#define MBEDTLS_HAVE_TIME
+#define MBEDTLS_PLATFORM_MS_TIME_ALT
+#define MBEDTLS_PLATFORM_TIME_MACRO rtc_mktime
+#define MBEDTLS_PLATFORM_C
+#define MBEDTLS_SSL_CLI_C
+#define MBEDTLS_SSL_TLS_C
+#define MBEDTLS_CIPHER_C
+#define MBEDTLS_MD_C
+#define MBEDTLS_CTR_DRBG_C
+#define MBEDTLS_AES_C
+#define MBEDTLS_ENTROPY_C
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+#define MBEDTLS_SSL_PROTO_TLS1_2
+#define MBEDTLS_SSL_SERVER_NAME_INDICATION
+#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+
+/* RSA */
+#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+#define MBEDTLS_GCM_C
+
+/* ECDSA */
+#define MBEDTLS_ECDSA_C
+#define MBEDTLS_ECDH_C
+#define MBEDTLS_ECDSA_DETERMINISTIC
+#define MBEDTLS_HMAC_DRBG_C
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+#define MBEDTLS_CAN_ECDH
+#define MBEDTLS_PK_CAN_ECDSA_SIGN
+#define MBEDTLS_ECP_C
+#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#define MBEDTLS_ECP_DP_BP256R1_ENABLED
+#define MBEDTLS_ECP_DP_BP384R1_ENABLED
+#define MBEDTLS_ECP_DP_BP512R1_ENABLED
+
+#endif /* #if defined CONFIG_MBEDTLS_LIB_TLS */
+
 #endif /* #if defined CONFIG_MBEDTLS_LIB */