mbedtls: rename CONFIG_MBEDTLS_ZEPHYR_ENTROPY and move it

- Slightly improve the name of this kconfig adding the suffix
  _POLL in order to highlight that this adds a callback
  function used to poll data.

- Description was also updated to point out that this symbols
  might not only use the (secure) entropy driver, but also
  generic number generators, some of which are not really
  secure.

- The symbol was move from Kconfig to Kconfig.tls-generic because
  this is where MBEDTLS_ENTROPY_C is located and since
  MBEDTLS_ENTROPY_HARDWARE_ALT depends on the former (it only
  makes sense if the entropy module is also enabled), we add
  also the "depends on".

Signed-off-by: Valerio Setti <vsetti@baylibre.com>

drivers/bluetooth/hci/Kconfig

@@ -86,7 +86,7 @@ config BT_SILABS_HCI
 	select MBEDTLS
 	select MBEDTLS_PSA_CRYPTO_C
 	select MBEDTLS_ENTROPY_C
-	select MBEDTLS_ZEPHYR_ENTROPY
+	select MBEDTLS_ENTROPY_POLL_ZEPHYR
 	help
 	  Use Silicon Labs binary Bluetooth library to connect to the
 	  controller.

drivers/wifi/esp32/Kconfig.esp32

@@ -270,7 +270,8 @@ config ESP32_WIFI_MBEDTLS_CRYPTO
 	select MBEDTLS_PK_WRITE_C
 	select MBEDTLS_CIPHER_MODE_CTR_ENABLED
 	select MBEDTLS_CMAC
-	select MBEDTLS_ZEPHYR_ENTROPY
+	select MBEDTLS_ENTROPY_C
+	select MBEDTLS_ENTROPY_POLL_ZEPHYR
 	help
 	  Select this option to use MbedTLS crypto APIs which utilize hardware acceleration.
 

modules/mbedtls/CMakeLists.txt

@@ -7,7 +7,7 @@ if(CONFIG_MBEDTLS)
 zephyr_interface_library_named(mbedTLS)
 
   if(CONFIG_MBEDTLS_BUILTIN)
-    if(CONFIG_MBEDTLS_ZEPHYR_ENTROPY AND NOT CONFIG_ENTROPY_HAS_DRIVER)
+    if(CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR AND NOT CONFIG_ENTROPY_HAS_DRIVER)
       message(WARNING "No entropy device on the system, using fake entropy source!")
     endif()
 

modules/mbedtls/Kconfig

@@ -217,14 +217,6 @@ config MBEDTLS_SHELL
 	  Enable mbed TLS shell module, which allows to show debug information
 	  about mbed TLS library, such as heap usage.
 
-config MBEDTLS_ZEPHYR_ENTROPY
-	bool "mbed TLS entropy source based on Zephyr entropy driver"
-	depends on MBEDTLS
-	help
-	  This option enables the entropy source based on Zephyr entropy driver
-	  for mbed TLS. The entropy source is registered automatically during
-	  system initialization.
-
 config MBEDTLS_ZEROIZE_ALT
 	bool "mbed TLS alternate mbedtls_platform_zeroize implementation"
 	help

modules/mbedtls/Kconfig.tls-generic

@@ -374,12 +374,22 @@ config MBEDTLS_HAVE_ASM
 config MBEDTLS_ENTROPY_C
 	bool "Mbed TLS entropy accumulator"
 	depends on MBEDTLS_SHA256 || MBEDTLS_SHA384 || MBEDTLS_SHA512
-	default y if MBEDTLS_ZEPHYR_ENTROPY
 	help
 	  This module gathers entropy data from enabled entropy sources. It's
 	  mostly used in conjunction with CTR_DRBG or HMAC_DRBG to create
 	  a deterministic random number generator.
 
+config MBEDTLS_ENTROPY_POLL_ZEPHYR
+	bool "Provide entropy data to Mbed TLS through entropy driver or random generator"
+	depends on MBEDTLS_ENTROPY_C
+	help
+	  Provide entropy data to the Mbed TLS's entropy module through either
+	  an entropy driver (if available in the system) or a generic random
+	  number generator.
+	  Warning: the latter choice is potentially non secure because it might
+	  end up using weaker/test-only sources (ex: random number generator
+	  built on system timer).
+
 config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED
 	bool "MbedTLS optimizations for OpenThread"
 	depends on NET_L2_OPENTHREAD

modules/mbedtls/configs/config-tls-generic.h

@@ -23,7 +23,7 @@
 #define MBEDTLS_PLATFORM_ZEROIZE_ALT
 #endif
 
-#if defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY)
+#if defined(CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR)
 #define MBEDTLS_ENTROPY_HARDWARE_ALT
 #else
 #define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES

modules/mbedtls/zephyr_init.c

@@ -47,7 +47,7 @@ static void init_heap(void)
 #define init_heap(...)
 #endif /* CONFIG_MBEDTLS_ENABLE_HEAP && MBEDTLS_MEMORY_BUFFER_ALLOC_C */
 
-#if defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY)
+#if defined(CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR)
 static const struct device *const entropy_dev =
 			DEVICE_DT_GET_OR_NULL(DT_CHOSEN(zephyr_entropy));
 
@@ -83,7 +83,7 @@ int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len,
 
 	return 0;
 }
-#endif /* CONFIG_MBEDTLS_ZEPHYR_ENTROPY */
+#endif /* CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR */
 
 static int _mbedtls_init(void)
 {

subsys/bluetooth/mesh/Kconfig

@@ -1362,7 +1362,8 @@ config BT_MESH_USES_MBEDTLS_PSA
 	bool "mbed TLS PSA [EXPERIMENTAL]"
 	select EXPERIMENTAL
 	select MBEDTLS
-	select MBEDTLS_ZEPHYR_ENTROPY
+	select MBEDTLS_ENTROPY_C
+	select MBEDTLS_ENTROPY_POLL_ZEPHYR
 	select MBEDTLS_PSA_CRYPTO_C
 	select MBEDTLS_USE_PSA_CRYPTO
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC

tests/modules/uoscore/prj.conf

@@ -12,7 +12,8 @@ CONFIG_UOSCORE=y
 CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=2048
-CONFIG_MBEDTLS_ZEPHYR_ENTROPY=y
+CONFIG_MBEDTLS_ENTROPY_C=y
+CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR=y
 
 # PSA Crypto options