diff --git a/doc/releases/migration-guide-4.1.rst b/doc/releases/migration-guide-4.1.rst index 6fc151701a2..90dfad9a0e2 100644 --- a/doc/releases/migration-guide-4.1.rst +++ b/doc/releases/migration-guide-4.1.rst @@ -30,6 +30,12 @@ Modules Mbed TLS ======== +* If a platform has a CSPRNG source available (i.e. :kconfig:option:`CONFIG_CSPRNG_ENABLED` + is set), then the Kconfig option :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` + is the default choice for random number source instead of + :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_LEGACY_RNG`. This helps in reducing + ROM/RAM footprint of the Mbed TLS library. + Trusted Firmware-M ================== diff --git a/modules/mbedtls/Kconfig.tls-generic b/modules/mbedtls/Kconfig.tls-generic index 10825873157..2e6e6b7f8c3 100644 --- a/modules/mbedtls/Kconfig.tls-generic +++ b/modules/mbedtls/Kconfig.tls-generic @@ -481,6 +481,7 @@ config MBEDTLS_SSL_EXTENDED_MASTER_SECRET choice MBEDTLS_PSA_CRYPTO_RNG_SOURCE prompt "Select random source for built-in PSA crypto" depends on MBEDTLS_PSA_CRYPTO_C + default MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if CSPRNG_ENABLED default MBEDTLS_PSA_CRYPTO_LEGACY_RNG config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG diff --git a/samples/psa/its/overlay-entropy_driver.conf b/samples/psa/its/overlay-entropy_driver.conf index b2fea61e044..0feb3ad0949 100644 --- a/samples/psa/its/overlay-entropy_driver.conf +++ b/samples/psa/its/overlay-entropy_driver.conf @@ -1,4 +1,3 @@ # SPDX-License-Identifier: Apache-2.0 CONFIG_ENTROPY_GENERATOR=y -CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y diff --git a/samples/psa/persistent_key/overlay-entropy_driver.conf b/samples/psa/persistent_key/overlay-entropy_driver.conf index b2fea61e044..0feb3ad0949 100644 --- a/samples/psa/persistent_key/overlay-entropy_driver.conf +++ b/samples/psa/persistent_key/overlay-entropy_driver.conf @@ -1,4 +1,3 @@ # SPDX-License-Identifier: Apache-2.0 CONFIG_ENTROPY_GENERATOR=y -CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y diff --git a/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf b/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf index 7086f66d96d..49282c5e502 100644 --- a/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf +++ b/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf @@ -4,4 +4,3 @@ CONFIG_MBEDTLS_PSA_CRYPTO_C=y CONFIG_PSA_CRYPTO_ENABLE_ALL=y CONFIG_ENTROPY_GENERATOR=y -CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y diff --git a/tests/bsim/bluetooth/ll/conn/psa_overlay.conf b/tests/bsim/bluetooth/ll/conn/psa_overlay.conf index 7086f66d96d..49282c5e502 100644 --- a/tests/bsim/bluetooth/ll/conn/psa_overlay.conf +++ b/tests/bsim/bluetooth/ll/conn/psa_overlay.conf @@ -4,4 +4,3 @@ CONFIG_MBEDTLS_PSA_CRYPTO_C=y CONFIG_PSA_CRYPTO_ENABLE_ALL=y CONFIG_ENTROPY_GENERATOR=y -CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y diff --git a/tests/crypto/mbedtls_psa/prj.conf b/tests/crypto/mbedtls_psa/prj.conf index 0f4585d6b49..54dd833011b 100644 --- a/tests/crypto/mbedtls_psa/prj.conf +++ b/tests/crypto/mbedtls_psa/prj.conf @@ -3,4 +3,3 @@ CONFIG_ZTEST=y CONFIG_MBEDTLS=y CONFIG_MBEDTLS_PSA_CRYPTO_C=y -CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y diff --git a/tests/crypto/mbedtls_psa/testcase.yaml b/tests/crypto/mbedtls_psa/testcase.yaml index 6b96e8ff5f6..187e25b1976 100644 --- a/tests/crypto/mbedtls_psa/testcase.yaml +++ b/tests/crypto/mbedtls_psa/testcase.yaml @@ -11,8 +11,6 @@ # - no TF-M enabled devices because we assume that the TF-M implementation # of PSA crypto is working fine on the platforms that support TF-M. # - platform should be testable by the CI. -# - enable CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG in order to reduce as much -# as possible usage of legacy modules in Mbed TLS. # - pick 1 platform which supports entropy driver and 1 which does not. The # latter case will allow to test # CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG. @@ -34,8 +32,11 @@ tests: # Pick a platform which does not have an entropy driver. In this case we # enable the timer random generator because it's always available on all # platforms. + # Explicitly select CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG because this is + # not "automatically selected" when there is no CSPRNG available. integration_platforms: - qemu_x86 extra_configs: + - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y - CONFIG_TEST_RANDOM_GENERATOR=y diff --git a/tests/crypto/secp256r1/mbedtls.conf b/tests/crypto/secp256r1/mbedtls.conf index dd8231a21ca..e87e14abd71 100644 --- a/tests/crypto/secp256r1/mbedtls.conf +++ b/tests/crypto/secp256r1/mbedtls.conf @@ -1,5 +1,4 @@ CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y CONFIG_MBEDTLS_PSA_CRYPTO_C=y CONFIG_MBEDTLS_PSA_P256M_DRIVER_ENABLED=y diff --git a/tests/crypto/secp256r1/p256-m_raw.conf b/tests/crypto/secp256r1/p256-m_raw.conf index 801a31df91a..5ac706ef29b 100644 --- a/tests/crypto/secp256r1/p256-m_raw.conf +++ b/tests/crypto/secp256r1/p256-m_raw.conf @@ -1,5 +1,4 @@ CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y CONFIG_MBEDTLS_PSA_CRYPTO_C=y CONFIG_MBEDTLS_PSA_P256M_DRIVER_ENABLED=y CONFIG_MBEDTLS_PSA_P256M_DRIVER_RAW=y diff --git a/tests/net/socket/tls_configurations/prj.conf b/tests/net/socket/tls_configurations/prj.conf index 93a8c0f8b12..23842f6a641 100644 --- a/tests/net/socket/tls_configurations/prj.conf +++ b/tests/net/socket/tls_configurations/prj.conf @@ -28,7 +28,6 @@ CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2048 CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y # Build the PSA Crypto core so that the TLS stack uses the PSA crypto API. CONFIG_MBEDTLS_PSA_CRYPTO_C=y -CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y CONFIG_ENTROPY_GENERATOR=y # Disable some Kconfigs that are implied by CONFIG_NET_SOCKETS_SOCKOPT_TLS. diff --git a/tests/subsys/jwt/testcase.yaml b/tests/subsys/jwt/testcase.yaml index f439e9aea9e..8744d51bbd0 100644 --- a/tests/subsys/jwt/testcase.yaml +++ b/tests/subsys/jwt/testcase.yaml @@ -12,6 +12,9 @@ tests: libraries.encoding.jwt.ecdsa.psa: extra_configs: - CONFIG_JWT_SIGN_ECDSA_PSA=y + # Explicitly select CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG because this + # is not automatically selected on platforms that do not have a CSPRNG + # source. - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y libraries.encoding.jwt.rsa.legacy: @@ -21,5 +24,8 @@ tests: libraries.encoding.jwt.rsa.psa: extra_configs: - CONFIG_JWT_SIGN_RSA_PSA=y + # Explicitly select CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG because this + # is not automatically selected on platforms that do not have a CSPRNG + # source. - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y