mbedtls: select ENTROPY_GENERATOR when a driver is available

This is based on the introduction of a helper Kconfig symbol in "subsys/random/Kconfig" which is named CSPRNG_AVAILABLE. When this is enabled it means that there is a "zephyr,entropy" property defined in the device-tree, therefore Mbed TLS can select ENTROPY_GENERATOR to allow the platform specific driver to be included into the build. This commit also changes other locations where CSPRNG_ENABLED was used moving it to CSPRNG_AVAILABLE in order to solve dependency loop build failures. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2024-12-11 14:48:38 +01:00 · 2024-12-11 14:48:38 +01:00 · 39068cc70e
commit 39068cc70e
parent 2cea407afb
7 changed files with 29 additions and 9 deletions
--- a/modules/mbedtls/Kconfig.tls-generic
+++ b/modules/mbedtls/Kconfig.tls-generic
@ -482,11 +482,17 @@ config MBEDTLS_SSL_EXTENDED_MASTER_SECRET
 choice MBEDTLS_PSA_CRYPTO_RNG_SOURCE
 	prompt "Select random source for built-in PSA crypto"
 	depends on MBEDTLS_PSA_CRYPTO_C
-	default MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if CSPRNG_ENABLED
+	# The only way to check if there is any entropy driver available on the
+	# platform is to check if the "zephyr,entropy" chosen property exists.
+	# CONFIG_CSPRNG_ENABLED cannot be used for this because it gets enabled by
+	# entropy drivers but these are gated by CONFIG_ENTROPY_GENERATOR which
+	# is disabled by default.
+	default MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if CSPRNG_AVAILABLE
 	default MBEDTLS_PSA_CRYPTO_LEGACY_RNG

 config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
 	bool "Use a cryptographically secure driver as random source"
+	select ENTROPY_GENERATOR
 	help
 	  Use a cryptographically secure random generator to provide random data
 	  instead of legacy Mbed TLS modules. This has a smaller footprint
@ -501,6 +507,10 @@ config MBEDTLS_PSA_CRYPTO_LEGACY_RNG
 	bool "Use legacy modules to generate random data"
 	select MBEDTLS_ENTROPY_C
 	select MBEDTLS_HMAC_DRBG_ENABLED if !MBEDTLS_CTR_DRBG_ENABLED
+	# If there is any entropy driver in the system, then the choice would be
+	# CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. If we fall here, then the only
+	# way to get some random data is to enable CONFIG_TEST_RANDOM_GENERATOR.
+	select TEST_RANDOM_GENERATOR
 	help
 	  Use legacy Mbed TLS modules to generate random data. In this
 	  configuration the entropy module is used to gather some data and then
--- a/soc/nxp/imxrt/Kconfig.defconfig
+++ b/soc/nxp/imxrt/Kconfig.defconfig
@ -82,8 +82,7 @@ choice SEGGER_SYSVIEW_SECTION
 endchoice

 config MBEDTLS
-	default y if CSPRNG_ENABLED
-	depends on ENTROPY_GENERATOR
+	default y if CSPRNG_AVAILABLE

 if MBEDTLS
 #
--- a/soc/nxp/imxrt/imxrt5xx/Kconfig.defconfig
+++ b/soc/nxp/imxrt/imxrt5xx/Kconfig.defconfig
@ -21,8 +21,7 @@ config ZTEST_NO_YIELD
 	default y if (PM && ZTEST)

 config MBEDTLS
-	default y if CSPRNG_ENABLED
-	depends on ENTROPY_GENERATOR
+	default y if CSPRNG_AVAILABLE

 if MBEDTLS
 #
--- a/soc/nxp/imxrt/imxrt6xx/Kconfig.defconfig
+++ b/soc/nxp/imxrt/imxrt6xx/Kconfig.defconfig
@ -39,8 +39,7 @@ config ZTEST_NO_YIELD
 	default y if (ZTEST && PM)

 config MBEDTLS
-	default y if CSPRNG_ENABLED
-	depends on ENTROPY_GENERATOR
+	default y if CSPRNG_AVAILABLE

 if MBEDTLS
 #
--- a/subsys/jwt/Kconfig
+++ b/subsys/jwt/Kconfig
@ -18,7 +18,7 @@ choice

 config JWT_SIGN_RSA_LEGACY
 	bool "Use RSA signature (RS-256). Use Mbed TLS as crypto library."
-	depends on CSPRNG_ENABLED
+	depends on CSPRNG_AVAILABLE
 	select MBEDTLS
 	select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED

--- a/subsys/mgmt/osdp/Kconfig
+++ b/subsys/mgmt/osdp/Kconfig
@ -71,7 +71,7 @@ config OSDP_SKIP_MARK_BYTE

 config OSDP_SC_ENABLED
 	bool "OSDP Secure Channel"
-	depends on CSPRNG_ENABLED
+	depends on CSPRNG_AVAILABLE
 	default y
 	select CRYPTO
 	select CRYPTO_MBEDTLS_SHIM
--- a/subsys/random/Kconfig
+++ b/subsys/random/Kconfig
@ -75,6 +75,19 @@ config XOSHIRO_RANDOM_GENERATOR

 endchoice # RNG_GENERATOR_CHOICE

+
+DT_CHOSEN_Z_ENTROPY := zephyr,entropy
+config CSPRNG_AVAILABLE
+	bool
+	default y if $(dt_chosen_enabled,$(DT_CHOSEN_Z_ENTROPY))
+	help
+	  Helper that can be used to check if the platform is capable of generating
+	  CS random values. For this to be enabled, there must be the "zephyr,entropy"
+	  chosen property defined in the devicetree. This means that there is an
+	  HW entropy generator that can be used for this purpose.
+	  Once CONFIG_CSPRNG_AVAILABLE is set, then CONFIG_ENTROPY_GENERATOR can
+	  be enabled to enable the platform specific entropy driver.
+
 #
 # Implied dependency on a cryptographically secure entropy source when
 # enabling CS generators. ENTROPY_HAS_DRIVER is the flag indicating the