diff --git a/drivers/bluetooth/hci/Kconfig b/drivers/bluetooth/hci/Kconfig index f1ac3feae60..ecf22860302 100644 --- a/drivers/bluetooth/hci/Kconfig +++ b/drivers/bluetooth/hci/Kconfig @@ -86,7 +86,7 @@ config BT_SILABS_HCI select MBEDTLS select MBEDTLS_PSA_CRYPTO_C select MBEDTLS_ENTROPY_C - select MBEDTLS_ZEPHYR_ENTROPY + select MBEDTLS_ENTROPY_POLL_ZEPHYR help Use Silicon Labs binary Bluetooth library to connect to the controller. diff --git a/drivers/wifi/esp32/Kconfig.esp32 b/drivers/wifi/esp32/Kconfig.esp32 index 2805f5b2ce4..e98bbd18c30 100644 --- a/drivers/wifi/esp32/Kconfig.esp32 +++ b/drivers/wifi/esp32/Kconfig.esp32 @@ -270,7 +270,8 @@ config ESP32_WIFI_MBEDTLS_CRYPTO select MBEDTLS_PK_WRITE_C select MBEDTLS_CIPHER_MODE_CTR_ENABLED select MBEDTLS_CMAC - select MBEDTLS_ZEPHYR_ENTROPY + select MBEDTLS_ENTROPY_C + select MBEDTLS_ENTROPY_POLL_ZEPHYR help Select this option to use MbedTLS crypto APIs which utilize hardware acceleration. diff --git a/modules/mbedtls/CMakeLists.txt b/modules/mbedtls/CMakeLists.txt index 0fbf093d381..346492b87e9 100644 --- a/modules/mbedtls/CMakeLists.txt +++ b/modules/mbedtls/CMakeLists.txt @@ -7,7 +7,7 @@ if(CONFIG_MBEDTLS) zephyr_interface_library_named(mbedTLS) if(CONFIG_MBEDTLS_BUILTIN) - if(CONFIG_MBEDTLS_ZEPHYR_ENTROPY AND NOT CONFIG_ENTROPY_HAS_DRIVER) + if(CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR AND NOT CONFIG_ENTROPY_HAS_DRIVER) message(WARNING "No entropy device on the system, using fake entropy source!") endif() diff --git a/modules/mbedtls/Kconfig b/modules/mbedtls/Kconfig index dab5ef4215d..80435e32994 100644 --- a/modules/mbedtls/Kconfig +++ b/modules/mbedtls/Kconfig 
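Review bot: In the modules/mbedtls/CMakeLists.txt hunk the no-entropy-driver case is still only a `message(WARNING "No entropy device on the system, using fake entropy source!")`, so a board without a `zephyr,entropy` device builds successfully and, per the renamed option's own help text, seeds Mbed TLS's entropy accumulator (and any DRBG on top of it) from a generic RNG that may be timer-based. Since the commit redefines the option and documents that path as potentially insecure, failing the build would be the safer default: `message(FATAL_ERROR "No entropy driver on the system; CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR would fall back to a non-cryptographic RNG")`, with the downgrade to a WARNING gated behind an explicit test-only opt-in symbol rather than being the default. The condition itself is pre-existing; this hunk only renames the symbol it tests. The enclosing `if(CONFIG_MBEDTLS_BUILTIN)` block continues outside the hunk.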
@@ -217,14 +217,6 @@ config MBEDTLS_SHELL Enable mbed TLS shell module, which allows to show debug information about mbed TLS library, such as heap usage. -config MBEDTLS_ZEPHYR_ENTROPY - bool "mbed TLS entropy source based on Zephyr entropy driver" - depends on MBEDTLS - help - This option enables the entropy source based on Zephyr entropy driver - for mbed TLS. The entropy source is registered automatically during - system initialization. - config MBEDTLS_ZEROIZE_ALT bool "mbed TLS alternate mbedtls_platform_zeroize implementation" help diff --git a/modules/mbedtls/Kconfig.tls-generic b/modules/mbedtls/Kconfig.tls-generic index d79c4efd37a..a57f2d83f33 100644 --- a/modules/mbedtls/Kconfig.tls-generic +++ b/modules/mbedtls/Kconfig.tls-generic @@ -374,12 +374,22 @@ config MBEDTLS_HAVE_ASM config MBEDTLS_ENTROPY_C bool "Mbed TLS entropy accumulator" depends on MBEDTLS_SHA256 || MBEDTLS_SHA384 || MBEDTLS_SHA512 - default y if MBEDTLS_ZEPHYR_ENTROPY help This module gathers entropy data from enabled entropy sources. It's mostly used in conjunction with CTR_DRBG or HMAC_DRBG to create a deterministic random number generator. +config MBEDTLS_ENTROPY_POLL_ZEPHYR + bool "Provide entropy data to Mbed TLS through entropy driver or random generator" + depends on MBEDTLS_ENTROPY_C + help + Provide entropy data to the Mbed TLS's entropy module through either + an entropy driver (if available in the system) or a generic random + number generator. + Warning: the latter choice is potentially non secure because it might + end up using weaker/test-only sources (ex: random number generator + built on system timer). + config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED bool "MbedTLS optimizations for OpenThread" depends on NET_L2_OPENTHREAD diff --git a/modules/mbedtls/configs/config-tls-generic.h b/modules/mbedtls/configs/config-tls-generic.h index 9c7cb8dc099..404c5e423f9 100644 --- a/modules/mbedtls/configs/config-tls-generic.h +++ b/modules/mbedtls/configs/config-tls-generic.h 
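Review bot: The help text of the new MBEDTLS_ENTROPY_POLL_ZEPHYR option warns about the weaker fallback but never says what selects between the two paths, so a reader of Kconfig cannot tell which build they are getting; the CMake check in this series keys on CONFIG_ENTROPY_HAS_DRIVER, and naming it here makes the condition greppable. A tighter wording for the last three help lines: `Warning: when no entropy driver is present (CONFIG_ENTROPY_HAS_DRIVER unset) the generic RNG is used instead; that fallback is potentially insecure because it may be backed by a weak or test-only source (e.g. an RNG derived from the system timer) and must not be relied on in production builds` ("non secure" should read "insecure" in any case). Separately, with `default y if MBEDTLS_ZEPHYR_ENTROPY` dropped from MBEDTLS_ENTROPY_C, an out-of-tree Kconfig that selects only MBEDTLS_ENTROPY_POLL_ZEPHYR now gets an unmet-dependency warning and, per the config-tls-generic.h hunk, ends up with MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES; the in-tree selectors in this commit add `select MBEDTLS_ENTROPY_C` for that reason, and a sentence in the help noting that both must be selected together would save users the same debugging.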
@@ -23,7 +23,7 @@ #define MBEDTLS_PLATFORM_ZEROIZE_ALT #endif -#if defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) +#if defined(CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR) #define MBEDTLS_ENTROPY_HARDWARE_ALT #else #define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES diff --git a/modules/mbedtls/zephyr_init.c b/modules/mbedtls/zephyr_init.c index 89720fb9aa0..640a27c4bea 100644 --- a/modules/mbedtls/zephyr_init.c +++ b/modules/mbedtls/zephyr_init.c @@ -47,7 +47,7 @@ static void init_heap(void) #define init_heap(...) #endif /* CONFIG_MBEDTLS_ENABLE_HEAP && MBEDTLS_MEMORY_BUFFER_ALLOC_C */ -#if defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) +#if defined(CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR) static const struct device *const entropy_dev = DEVICE_DT_GET_OR_NULL(DT_CHOSEN(zephyr_entropy)); @@ -83,7 +83,7 @@ int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, return 0; } -#endif /* CONFIG_MBEDTLS_ZEPHYR_ENTROPY */ +#endif /* CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR */ static int _mbedtls_init(void) { diff --git a/subsys/bluetooth/mesh/Kconfig b/subsys/bluetooth/mesh/Kconfig index fb0d8ec3a50..bf002d921a5 100644 --- a/subsys/bluetooth/mesh/Kconfig +++ b/subsys/bluetooth/mesh/Kconfig @@ -1362,7 +1362,8 @@ config BT_MESH_USES_MBEDTLS_PSA bool "mbed TLS PSA [EXPERIMENTAL]" select EXPERIMENTAL select MBEDTLS - select MBEDTLS_ZEPHYR_ENTROPY + select MBEDTLS_ENTROPY_C + select MBEDTLS_ENTROPY_POLL_ZEPHYR select MBEDTLS_PSA_CRYPTO_C select MBEDTLS_USE_PSA_CRYPTO select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC diff --git a/tests/modules/uoscore/prj.conf b/tests/modules/uoscore/prj.conf index 5d2b3d18b78..f661156dbc1 100644 --- a/tests/modules/uoscore/prj.conf +++ b/tests/modules/uoscore/prj.conf @@ -12,7 +12,8 @@ CONFIG_UOSCORE=y CONFIG_MBEDTLS=y CONFIG_MBEDTLS_ENABLE_HEAP=y CONFIG_MBEDTLS_HEAP_SIZE=2048 -CONFIG_MBEDTLS_ZEPHYR_ENTROPY=y +CONFIG_MBEDTLS_ENTROPY_C=y +CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR=y # PSA Crypto options