modules: mbedtls: Add mbed TLS entropy source based on Zephyr entropy

Add entropy source for mbed TLS based on Zephyr entropy driver.

Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>

modules/mbedtls/CMakeLists.txt

@@ -31,13 +31,17 @@ if(CONFIG_MBEDTLS_BUILTIN)
   zephyr_library_sources_ifdef(CONFIG_MBEDTLS_SHELL shell.c)
 
   zephyr_library_app_memory(k_mbedtls_partition)
-if(CONFIG_ARCH_POSIX AND CONFIG_ASAN AND NOT CONFIG_64BIT)
-  # i386 assembly code used in MBEDTLS does not compile with size optimization
-  # if address sanitizer is enabled, as such switch default optimization level
-  # to speed
-  set_property(SOURCE ${ZEPHYR_CURRENT_MODULE_DIR}/mbedtls/library/bignum.c APPEND PROPERTY COMPILE_OPTIONS
-      "${OPTIMIZE_FOR_SPEED_FLAG}")
-endif ()
+  if(CONFIG_ARCH_POSIX AND CONFIG_ASAN AND NOT CONFIG_64BIT)
+    # i386 assembly code used in MBEDTLS does not compile with size optimization
+    # if address sanitizer is enabled, as such switch default optimization level
+    # to speed
+    set_property(SOURCE ${ZEPHYR_CURRENT_MODULE_DIR}/mbedtls/library/bignum.c APPEND PROPERTY COMPILE_OPTIONS
+        "${OPTIMIZE_FOR_SPEED_FLAG}")
+  endif ()
+
+  if(CONFIG_MBEDTLS_ZEPHYR_ENTROPY AND NOT CONFIG_ENTROPY_HAS_DRIVER)
+    message(WARNING "No entropy device on the system, using fake entropy source!")
+  endif()
 
   zephyr_library_link_libraries(mbedTLS)
 elseif (CONFIG_MBEDTLS_LIBRARY)

modules/mbedtls/Kconfig

@@ -159,6 +159,14 @@ config MBEDTLS_SHELL
 	  Enable mbed TLS shell module, which allows to show debug information
 	  about mbed TLS library, such as heap usage.
 
+config MBEDTLS_ZEPHYR_ENTROPY
+	bool "mbed TLS entropy source based on Zephyr entropy driver"
+	depends on MBEDTLS
+	help
+	  This option enables the entropy source based on Zephyr entropy driver
+	  for mbed TLS. The entropy source is registered automatically during
+	  system initialization.
+
 config APP_LINK_WITH_MBEDTLS
 	bool "Link 'app' with MBEDTLS"
 	default y

modules/mbedtls/configs/config-tls-generic.h

@@ -17,7 +17,12 @@
 #define MBEDTLS_MEMORY_BUFFER_ALLOC_C
 #define MBEDTLS_PLATFORM_EXIT_ALT
 #define MBEDTLS_NO_PLATFORM_ENTROPY
+
+#if defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY)
+#define MBEDTLS_ENTROPY_HARDWARE_ALT
+#else
 #define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+#endif
 
 #if defined(CONFIG_MBEDTLS_HAVE_ASM)
 #define MBEDTLS_HAVE_ASM

modules/mbedtls/zephyr_init.c

@@ -12,6 +12,9 @@
 
 #include <zephyr/init.h>
 #include <zephyr/app_memory/app_memdomain.h>
+#include <zephyr/drivers/entropy.h>
+#include <zephyr/random/rand32.h>
+#include <mbedtls/entropy.h>
 
 #if defined(CONFIG_MBEDTLS)
 #if !defined(CONFIG_MBEDTLS_CFG_FILE)
@@ -40,6 +43,42 @@ static void init_heap(void)
 #define init_heap(...)
 #endif /* CONFIG_MBEDTLS_ENABLE_HEAP && MBEDTLS_MEMORY_BUFFER_ALLOC_C */
 
+static const struct device *const entropy_dev =
+			DEVICE_DT_GET_OR_NULL(DT_CHOSEN(zephyr_entropy));
+
+int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len,
+			  size_t *olen)
+{
+	int ret;
+	uint16_t request_len = len > UINT16_MAX ? UINT16_MAX : len;
+
+	ARG_UNUSED(data);
+
+	if (output == NULL || olen == NULL || len == 0) {
+		return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+	}
+
+	if (!IS_ENABLED(CONFIG_ENTROPY_HAS_DRIVER)) {
+		sys_rand_get(output, len);
+		*olen = len;
+
+		return 0;
+	}
+
+	if (!device_is_ready(entropy_dev)) {
+		return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+	}
+
+	ret = entropy_get_entropy(entropy_dev, (uint8_t *)output, request_len);
+	if (ret < 0) {
+		return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+	}
+
+	*olen = request_len;
+
+	return 0;
+}
+
 static int _mbedtls_init(const struct device *device)
 {
 	ARG_UNUSED(device);