michaelh/zephyr
1
0
Fork 0
Code Releases Activity

mbedtls: add TEST_CSPRNG_GENERATOR to the list of non-CS sources

Browse source 
Strong entropy/random sources are a must to get secure crypto algorithms,
but sometimes its useful to allow non-CS sources as well for sake of
test purposes. MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG was
designed exactly for this scope, but recently also TEST_CSPRNG_GENERATOR
was added and it acts similarly:

- MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG operates in
  "zephyr/modules/mbedtls/zephyr_entropy.c" allowing
  mbedtls_psa_external_get_random() to try both sys_csrand_get() first
  and then sys_rand_get() as fallback.

- TEST_CSPRNG_GENERATOR instead operates in
  "zephyr/subsys/random/random_test_csprng.c" and it basically wraps
  the call to sys_csrand_get() with a call to sys_rand_get().

Albeit they operate at different level, the result is identical, so
Mbed TLS should support both of them when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
is set and there is no CSPRNG_ENABLED.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
This commit is contained in:
Valerio Setti 2024-12-13 14:14:36 +01:00 committed by Benjamin Cabé
commit 46b8536a27
1 changed files with 2 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
modules/mbedtls/CMakeLists.txt
View file

@ -12,7 +12,8 @@ zephyr_interface_library_named(mbedTLS)
endif()
if(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
if(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG)
if(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG OR
CONFIG_TEST_CSPRNG_GENERATOR)
message(WARNING "
Non cryptographycally secure sources are enabled for psa_generate_random().
This is meant to be used only for tests, not in production!")