michaelh/zephyr
1
0
Fork 0
Code Releases Activity

mbedtls: add option to use CSPRNG as random source for PSA_CRYPTO_C

Browse source 
Add a choice to select between legacy modules
(i.e. ENTROPY + CTR_DRBG/HMAC_DRBG) and CSPRNG as random generators
for PSA_CRYPTO_C.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
This commit is contained in:
Valerio Setti 2024-04-24 16:22:31 +02:00 committed by Carles Cufí
commit a364fc8a41
3 changed files with 49 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

24
modules/mbedtls/Kconfig.tls-generic
View file

@ -460,10 +460,30 @@ config MBEDTLS_SSL_EXTENDED_MASTER_SECRET
which ensures that master secrets are different for every which ensures that master secrets are different for every
connection and every session. connection and every session.
choice MBEDTLS_PSA_CRYPTO_RND_SOURCE
prompt "Select random source for built-in PSA crypto"
default MBEDTLS_PSA_CRYPTO_LEGACY_RNG
config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
bool "Use a cryptographically secure driver as random source"
depends on CSPRNG_ENABLED
help
Use cryptographically secure random generator to provide random data
instead of legacy MbedTLS modules (ENTROPY + CTR_DRBG/HMAC_DRBG).
config MBEDTLS_PSA_CRYPTO_LEGACY_RNG
bool "Use legacy modules to generate random data"
select MBEDTLS_ENTROPY_ENABLED
select MBEDTLS_CTR_DRBG_ENABLED if !MBEDTLS_HMAC_DRBG_ENABLED
help
Use legacy MbedTLS modules (ENTROPY + CTR_DRBG/HMAC_DRBG) as random
source generators.
endchoice
config MBEDTLS_PSA_CRYPTO_C config MBEDTLS_PSA_CRYPTO_C
bool "Platform Security Architecture cryptography API" bool "Platform Security Architecture cryptography API"
depends on MBEDTLS_ENTROPY_ENABLED depends on MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG || MBEDTLS_PSA_CRYPTO_LEGACY_RNG
depends on MBEDTLS_CTR_DRBG_ENABLED || MBEDTLS_HMAC_DRBG_ENABLED
default y if UOSCORE || UEDHOC default y if UOSCORE || UEDHOC
config MBEDTLS_LMS config MBEDTLS_LMS

4
modules/mbedtls/configs/config-tls-generic.h
View file

@ -468,6 +468,10 @@
#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
#endif #endif
#if defined(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
#endif
#if defined(CONFIG_MBEDTLS_PSA_CRYPTO_C) #if defined(CONFIG_MBEDTLS_PSA_CRYPTO_C)
#define MBEDTLS_PSA_CRYPTO_C #define MBEDTLS_PSA_CRYPTO_C
#define MBEDTLS_USE_PSA_CRYPTO #define MBEDTLS_USE_PSA_CRYPTO

23
modules/mbedtls/zephyr_init.c
View file

@ -115,3 +115,26 @@ mbedtls_ms_time_t mbedtls_ms_time(void)
{ {
return (mbedtls_ms_time_t)k_uptime_get(); return (mbedtls_ms_time_t)k_uptime_get();
} }
#if defined(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
/* MBEDTLS_PSA_CRYPTO_C requires a random generator to work and this can
* be achieved through either legacy MbedTLS modules
* (ENTROPY + CTR_DRBG/HMAC_DRBG) or provided externally by enabling the
* CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. In the latter case the following
* callback functions needs to be defined.
*/
psa_status_t mbedtls_psa_external_get_random(
mbedtls_psa_external_random_context_t *context,
uint8_t *output, size_t output_size, size_t *output_length)
{
(void) context;
if (sys_csrand_get(output, output_size) != 0) {
return PSA_ERROR_GENERIC_ERROR;
}
*output_length = output_size;
return PSA_SUCCESS;
}
#endif