mbedtls: add option to use CSPRNG as random source for PSA_CRYPTO_C

Add a choice to select between legacy modules (i.e. ENTROPY + CTR_DRBG/HMAC_DRBG) and CSPRNG as random generators for PSA_CRYPTO_C. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2024-04-24 16:22:31 +02:00 · 2024-04-24 16:22:31 +02:00 · a364fc8a41
commit a364fc8a41
parent b25f322b73
3 changed files with 49 additions and 2 deletions
--- a/modules/mbedtls/Kconfig.tls-generic
+++ b/modules/mbedtls/Kconfig.tls-generic
@ -460,10 +460,30 @@ config MBEDTLS_SSL_EXTENDED_MASTER_SECRET
 	  which ensures that master secrets are different for every
 	  connection and every session.

+choice MBEDTLS_PSA_CRYPTO_RND_SOURCE
+	prompt "Select random source for built-in PSA crypto"
+	default MBEDTLS_PSA_CRYPTO_LEGACY_RNG
+
+config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
+	bool "Use a cryptographically secure driver as random source"
+	depends on CSPRNG_ENABLED
+	help
+	  Use cryptographically secure random generator to provide random data
+	  instead of legacy MbedTLS modules (ENTROPY + CTR_DRBG/HMAC_DRBG).
+
+config MBEDTLS_PSA_CRYPTO_LEGACY_RNG
+	bool "Use legacy modules to generate random data"
+	select MBEDTLS_ENTROPY_ENABLED
+	select MBEDTLS_CTR_DRBG_ENABLED if !MBEDTLS_HMAC_DRBG_ENABLED
+	help
+	  Use legacy MbedTLS modules (ENTROPY + CTR_DRBG/HMAC_DRBG) as random
+	  source generators.
+
+endchoice
+
 config MBEDTLS_PSA_CRYPTO_C
 	bool "Platform Security Architecture cryptography API"
-	depends on MBEDTLS_ENTROPY_ENABLED
-	depends on MBEDTLS_CTR_DRBG_ENABLED || MBEDTLS_HMAC_DRBG_ENABLED
+	depends on MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG || MBEDTLS_PSA_CRYPTO_LEGACY_RNG
 	default y if UOSCORE || UEDHOC

 config MBEDTLS_LMS
--- a/modules/mbedtls/configs/config-tls-generic.h
+++ b/modules/mbedtls/configs/config-tls-generic.h
@ -468,6 +468,10 @@
 #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
 #endif

+#if defined(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
+#endif
+
 #if defined(CONFIG_MBEDTLS_PSA_CRYPTO_C)
 #define MBEDTLS_PSA_CRYPTO_C
 #define MBEDTLS_USE_PSA_CRYPTO
--- a/modules/mbedtls/zephyr_init.c
+++ b/modules/mbedtls/zephyr_init.c
@ -115,3 +115,26 @@ mbedtls_ms_time_t mbedtls_ms_time(void)
 {
 	return (mbedtls_ms_time_t)k_uptime_get();
 }
+
+#if defined(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+/* MBEDTLS_PSA_CRYPTO_C requires a random generator to work and this can
+ * be achieved through either legacy MbedTLS modules
+ * (ENTROPY + CTR_DRBG/HMAC_DRBG) or provided externally by enabling the
+ * CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. In the latter case the following
+ * callback functions needs to be defined.
+ */
+psa_status_t mbedtls_psa_external_get_random(
+	mbedtls_psa_external_random_context_t *context,
+	uint8_t *output, size_t output_size, size_t *output_length)
+{
+	(void) context;
+
+	if (sys_csrand_get(output, output_size) != 0) {
+		return PSA_ERROR_GENERIC_ERROR;
+	}
+
+	*output_length = output_size;
+
+	return PSA_SUCCESS;
+}
+#endif