MBEDTLS_ECDSA_DETERMINISTIC in a PSA world

[gilles-peskine-arm]

This issue is about the fate of MBEDTLS_ECDSA_DETERMINISTIC in TF-PSA-Crypto 1.0 and Mbed TLS 4.0.

In Mbed TLS ≤3.x, this option controls which variant of ECDSA signature is performed. This affects the PK, X.509 and TLS code. In a PSA-only world, the crypto API is not affected, since the caller explicitly chooses between PSA_WANT_ALG_ECDSA and PSA_WANT_ALG_DETERMINISTIC_ECDSA. But in code that just knows that it wants to perform an ECDSA signature (mbedtls_pk_sign, x509 write, TLS ECDSA cipher suites), should we have a user option to select the ECDSA variant?

[gilles-peskine-arm]

MUST: at a very minimum, change the documentation of MBEDTLS_ECDSA_DETERMINISTIC to reflect what it does in a pure-PSA world.

SHOULD: remove this compilation option?

[gilles-peskine-arm]

In Mbed TLS ≤3.x using the legacy crypto API, if deterministic ECDSA is enabled (which you do by defining MBEDTLS_ECDSA_DETERMINISTIC), then pk/x509/tls will prefer deterministic ECDSA.

In TF-PSA-Crypto 1.0, if deterministic ECDSA is enabled (which you do by defining PSA_WANT_ALG_DETERMINISTIC_ECDSA), then pk/x509/tls will prefer deterministic ECDSA. The macro MBEDTLS_ECDSA_DETERMINISTIC is no longer a compilation option that users can set.

The situation is the same, with different macros involved (which correspond to the legacy→PSA transition for crypto configuration). So this is done in 1.0.