mbedtls: select ENTROPY_GENERATOR when a driver is available

This is based on the introduction of a helper Kconfig symbol in
"subsys/random/Kconfig" which is named CSPRNG_AVAILABLE. When this is
enabled it means that there is a "zephyr,entropy" property defined in the
device-tree, therefore Mbed TLS can select ENTROPY_GENERATOR to allow
the platform specific driver to be included into the build.

This commit also changes the other locations where CSPRNG_ENABLED was used,
moving them to CSPRNG_AVAILABLE, in order to solve dependency-loop
build failures.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Valerio Setti 2024-12-11 14:48:38 +01:00 committed by Benjamin Cabé
commit 39068cc70e
7 changed files with 29 additions and 9 deletions


@ -482,11 +482,17 @@ config MBEDTLS_SSL_EXTENDED_MASTER_SECRET
choice MBEDTLS_PSA_CRYPTO_RNG_SOURCE choice MBEDTLS_PSA_CRYPTO_RNG_SOURCE
prompt "Select random source for built-in PSA crypto" prompt "Select random source for built-in PSA crypto"
depends on MBEDTLS_PSA_CRYPTO_C depends on MBEDTLS_PSA_CRYPTO_C
default MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if CSPRNG_ENABLED # The only way to check if there is any entropy driver available on the
# platform is to check if the "zephyr,entropy" chosen property exists.
# CONFIG_CSPRNG_ENABLED cannot be used for this because it gets enabled by
# entropy drivers but these are gated by CONFIG_ENTROPY_GENERATOR which
# is disabled by default.
default MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if CSPRNG_AVAILABLE
default MBEDTLS_PSA_CRYPTO_LEGACY_RNG default MBEDTLS_PSA_CRYPTO_LEGACY_RNG
config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
bool "Use a cryptographically secure driver as random source" bool "Use a cryptographically secure driver as random source"
select ENTROPY_GENERATOR
help help
Use a cryptographically secure random generator to provide random data Use a cryptographically secure random generator to provide random data
instead of legacy Mbed TLS modules. This has a smaller footprint instead of legacy Mbed TLS modules. This has a smaller footprint
@ -501,6 +507,10 @@ config MBEDTLS_PSA_CRYPTO_LEGACY_RNG
bool "Use legacy modules to generate random data" bool "Use legacy modules to generate random data"
select MBEDTLS_ENTROPY_C select MBEDTLS_ENTROPY_C
select MBEDTLS_HMAC_DRBG_ENABLED if !MBEDTLS_CTR_DRBG_ENABLED select MBEDTLS_HMAC_DRBG_ENABLED if !MBEDTLS_CTR_DRBG_ENABLED
# If there is any entropy driver in the system, then the choice would be
# CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. If we fall here, then the only
# way to get some random data is to enable CONFIG_TEST_RANDOM_GENERATOR.
select TEST_RANDOM_GENERATOR
help help
Use legacy Mbed TLS modules to generate random data. In this Use legacy Mbed TLS modules to generate random data. In this
configuration the entropy module is used to gather some data and then configuration the entropy module is used to gather some data and then
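Review bot: The `select TEST_RANDOM_GENERATOR` added under MBEDTLS_PSA_CRYPTO_LEGACY_RNG is unconditional, so a build that picks the legacy RNG on a platform that does have an entropy driver (the choice default can be overridden) is still forced onto the non-random test generator, and `select` would force it even if TEST_RANDOM_GENERATOR carries a dependency excluding that case. Gating it as `select TEST_RANDOM_GENERATOR if !CSPRNG_AVAILABLE` keeps the comment above it truthful and avoids silently pulling a non-secure source into a build that has a real one. The help text of this option, which continues past the hunk, should also say that without an entropy driver this choice falls back to TEST_RANDOM_GENERATOR, which is not cryptographically secure, since the Kconfig comment is not visible in menuconfig. The `select ENTROPY_GENERATOR` added to MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG in the first hunk has the same shape: it forces the generator on whether or not a driver exists, where `select ENTROPY_GENERATOR if CSPRNG_AVAILABLE` or a `depends on CSPRNG_AVAILABLE` on the choice entry would make it unselectable when there is nothing to back it.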


@ -82,8 +82,7 @@ choice SEGGER_SYSVIEW_SECTION
endchoice endchoice
config MBEDTLS config MBEDTLS
default y if CSPRNG_ENABLED default y if CSPRNG_AVAILABLE
depends on ENTROPY_GENERATOR
if MBEDTLS if MBEDTLS
# #
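Review bot: Dropping `depends on ENTROPY_GENERATOR` leaves `default y if CSPRNG_AVAILABLE` as the only condition, so MBEDTLS now defaults on whenever the devicetree has a `zephyr,entropy` chosen node, even in a build where no entropy driver is compiled in; nothing in this file turns ENTROPY_GENERATOR on, and the only place the commit does so is the `select ENTROPY_GENERATOR` added to MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG, which presumably only applies when PSA crypto is in use. The commit message gives the reason (a dependency loop), but the file does not; a one-line comment above the default, `# Do not depend on ENTROPY_GENERATOR here: it creates a dependency loop. The driver is selected via MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.`, would stop the next reader from re-adding the dependency. The two following sections (the files with ZTEST_NO_YIELD) make the identical change and want the same comment.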


@ -21,8 +21,7 @@ config ZTEST_NO_YIELD
default y if (PM && ZTEST) default y if (PM && ZTEST)
config MBEDTLS config MBEDTLS
default y if CSPRNG_ENABLED default y if CSPRNG_AVAILABLE
depends on ENTROPY_GENERATOR
if MBEDTLS if MBEDTLS
# #


@ -39,8 +39,7 @@ config ZTEST_NO_YIELD
default y if (ZTEST && PM) default y if (ZTEST && PM)
config MBEDTLS config MBEDTLS
default y if CSPRNG_ENABLED default y if CSPRNG_AVAILABLE
depends on ENTROPY_GENERATOR
if MBEDTLS if MBEDTLS
# #


@ -18,7 +18,7 @@ choice
config JWT_SIGN_RSA_LEGACY config JWT_SIGN_RSA_LEGACY
bool "Use RSA signature (RS-256). Use Mbed TLS as crypto library." bool "Use RSA signature (RS-256). Use Mbed TLS as crypto library."
depends on CSPRNG_ENABLED depends on CSPRNG_AVAILABLE
select MBEDTLS select MBEDTLS
select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
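Review bot: `depends on CSPRNG_AVAILABLE` is a weaker guard than the `CSPRNG_ENABLED` it replaces: it only says a `zephyr,entropy` chosen node exists in the devicetree, not that the driver behind it is built, and per the comment this commit adds to the Mbed TLS Kconfig, ENTROPY_GENERATOR is off by default. Unless the selected MBEDTLS pulls the driver in through some other path, JWT_SIGN_RSA_LEGACY can now be enabled in a build whose RSA signing has no entropy driver behind it, which for a signing option is worse than the build failure it used to get. If that is not guaranteed elsewhere, add `select ENTROPY_GENERATOR` next to the existing `select MBEDTLS` so the requirement is explicit in the option itself. The OSDP_SC_ENABLED hunk in the next section makes the same substitution and raises the same question.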


@ -71,7 +71,7 @@ config OSDP_SKIP_MARK_BYTE
config OSDP_SC_ENABLED config OSDP_SC_ENABLED
bool "OSDP Secure Channel" bool "OSDP Secure Channel"
depends on CSPRNG_ENABLED depends on CSPRNG_AVAILABLE
default y default y
select CRYPTO select CRYPTO
select CRYPTO_MBEDTLS_SHIM select CRYPTO_MBEDTLS_SHIM


@ -75,6 +75,19 @@ config XOSHIRO_RANDOM_GENERATOR
endchoice # RNG_GENERATOR_CHOICE endchoice # RNG_GENERATOR_CHOICE
DT_CHOSEN_Z_ENTROPY := zephyr,entropy
config CSPRNG_AVAILABLE
bool
default y if $(dt_chosen_enabled,$(DT_CHOSEN_Z_ENTROPY))
help
Helper that can be used to check if the platform is capable of generating
CS random values. For this to be enabled, there must be the "zephyr,entropy"
chosen property defined in the devicetree. This means that there is an
HW entropy generator that can be used for this purpose.
Once CONFIG_CSPRNG_AVAILABLE is set, then CONFIG_ENTROPY_GENERATOR can
be enabled to enable the platform specific entropy driver.
# #
# Implied dependency on a cryptographically secure entropy source when # Implied dependency on a cryptographically secure entropy source when
# enabling CS generators. ENTROPY_HAS_DRIVER is the flag indicating the # enabling CS generators. ENTROPY_HAS_DRIVER is the flag indicating the