mbedtls: use CSPRNG whenever possible as PSA random source
The main problem of MBEDTLS_PSA_CRYPTO_LEGACY_RNG is that it brings in some legacy modules (entropy + ctr_drbg/hmac_drbg) which means extra ROM/RAM footprint. MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG instead simply calls to the CSPRNG which makes it definitely smaller. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
This commit is contained in:
Valerio Setti
Anas Nashif
parent
ac6d834272
commit
08bd9c72bd
12 changed files with 16 additions and 10 deletions
|
|
@ -4,4 +4,3 @@ CONFIG_MBEDTLS_PSA_CRYPTO_C=y
|
|||
CONFIG_PSA_CRYPTO_ENABLE_ALL=y
|
||||
|
||||
CONFIG_ENTROPY_GENERATOR=y
|
||||
CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
|
||||
|
|
|
|||
|
|
@ -4,4 +4,3 @@ CONFIG_MBEDTLS_PSA_CRYPTO_C=y
|
|||
CONFIG_PSA_CRYPTO_ENABLE_ALL=y
|
||||
|
||||
CONFIG_ENTROPY_GENERATOR=y
|
||||
CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
|
||||
|
|
|
|||
|
|
@ -3,4 +3,3 @@ CONFIG_ZTEST=y
|
|||
|
||||
CONFIG_MBEDTLS=y
|
||||
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
|
||||
CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
|
||||
|
|
|
|||
|
|
@ -11,8 +11,6 @@
|
|||
# - no TF-M enabled devices because we assume that the TF-M implementation
|
||||
# of PSA crypto is working fine on the platforms that support TF-M.
|
||||
# - platform should be testable by the CI.
|
||||
# - enable CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG in order to reduce as much
|
||||
# as possible usage of legacy modules in Mbed TLS.
|
||||
# - pick 1 platform which supports entropy driver and 1 which does not. The
|
||||
# latter case will allow to test
|
||||
# CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG.
|
||||
|
|
@ -34,8 +32,11 @@ tests:
|
|||
# Pick a platform which does not have an entropy driver. In this case we
|
||||
# enable the timer random generator because it's always available on all
|
||||
# platforms.
|
||||
# Explicitly select CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG because this is
|
||||
# not "automatically selected" when there is no CSPRNG available.
|
||||
integration_platforms:
|
||||
- qemu_x86
|
||||
extra_configs:
|
||||
- CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
|
||||
- CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y
|
||||
- CONFIG_TEST_RANDOM_GENERATOR=y
|
||||
|
|
|
|||
|
|
@ -1,5 +1,4 @@
|
|||
CONFIG_MBEDTLS=y
|
||||
CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
|
||||
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
|
||||
CONFIG_MBEDTLS_PSA_P256M_DRIVER_ENABLED=y
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,4 @@
|
|||
CONFIG_MBEDTLS=y
|
||||
CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
|
||||
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
|
||||
CONFIG_MBEDTLS_PSA_P256M_DRIVER_ENABLED=y
|
||||
CONFIG_MBEDTLS_PSA_P256M_DRIVER_RAW=y
|
||||
|
|
|
|||
|
|
@ -28,7 +28,6 @@ CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2048
|
|||
CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
|
||||
# Build the PSA Crypto core so that the TLS stack uses the PSA crypto API.
|
||||
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
|
||||
CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
|
||||
CONFIG_ENTROPY_GENERATOR=y
|
||||
|
||||
# Disable some Kconfigs that are implied by CONFIG_NET_SOCKETS_SOCKOPT_TLS.
|
||||
|
|
|
|||
|
|
@ -12,6 +12,9 @@ tests:
|
|||
libraries.encoding.jwt.ecdsa.psa:
|
||||
extra_configs:
|
||||
- CONFIG_JWT_SIGN_ECDSA_PSA=y
|
||||
# Explicitly select CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG because this
|
||||
# is not automatically selected on platforms that do not have a CSPRNG
|
||||
# source.
|
||||
- CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
|
||||
- CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y
|
||||
libraries.encoding.jwt.rsa.legacy:
|
||||
|
|
@ -21,5 +24,8 @@ tests:
|
|||
libraries.encoding.jwt.rsa.psa:
|
||||
extra_configs:
|
||||
- CONFIG_JWT_SIGN_RSA_PSA=y
|
||||
# Explicitly select CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG because this
|
||||
# is not automatically selected on platforms that do not have a CSPRNG
|
||||
# source.
|
||||
- CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
|
||||
- CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue