From f23d8000948521d2fa60a566580a38bb2966f378 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 1 Aug 2024 10:26:37 +0200 Subject: [PATCH] test: mbedtls: new test for PSA crypto initialization and RNG configuration Add a simple test to showcase how RNG can be configured on different platforms in order to allow Mbed TLS's PSA crypto implementation to work properly. Signed-off-by: Valerio Setti --- tests/crypto/mbedtls_psa/CMakeLists.txt | 9 ++++++ tests/crypto/mbedtls_psa/prj.conf | 6 ++++ tests/crypto/mbedtls_psa/src/main.c | 26 ++++++++++++++++ tests/crypto/mbedtls_psa/testcase.yaml | 41 +++++++++++++++++++++++++ 4 files changed, 82 insertions(+) create mode 100644 tests/crypto/mbedtls_psa/CMakeLists.txt create mode 100644 tests/crypto/mbedtls_psa/prj.conf create mode 100644 tests/crypto/mbedtls_psa/src/main.c create mode 100644 tests/crypto/mbedtls_psa/testcase.yaml
diff --git a/tests/crypto/mbedtls_psa/CMakeLists.txt b/tests/crypto/mbedtls_psa/CMakeLists.txt
new file mode 100644
index 00000000000..ddb398ebe71
--- /dev/null
+++ b/tests/crypto/mbedtls_psa/CMakeLists.txt
@@ -0,0 +1,9 @@
+# Copyright (c) 2024 Nordic Semiconductor ASA
+# SPDX-License-Identifier: Apache-2.0
+
+
+cmake_minimum_required(VERSION 3.20.0)
+find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
+project(mbedtls)
+
+target_sources(app PRIVATE src/main.c)
diff --git a/tests/crypto/mbedtls_psa/prj.conf b/tests/crypto/mbedtls_psa/prj.conf
new file mode 100644
index 00000000000..0f4585d6b49
--- /dev/null
+++ b/tests/crypto/mbedtls_psa/prj.conf
@@ -0,0 +1,6 @@
+CONFIG_ZTEST_STACK_SIZE=2048
+CONFIG_ZTEST=y
+
+CONFIG_MBEDTLS=y
+CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
diff --git a/tests/crypto/mbedtls_psa/src/main.c b/tests/crypto/mbedtls_psa/src/main.c
new file mode 100644
index 00000000000..b54f21a4df9
--- /dev/null
+++ b/tests/crypto/mbedtls_psa/src/main.c
@@ -0,0 +1,26 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/*
+ * Test psa_crypto_init() and psa_generate_random() on the PSA implementation
+ * provided by Mbed TLS (platforms using TFM are filtered out in the yaml file).
+ */
+
+#include
+
+#include
+
+ZTEST_USER(test_fn, test_mbedtls_psa)
+{
+ uint8_t tmp[64];
+
+ zassert_equal(psa_crypto_init(), PSA_SUCCESS, "psa_crypto_init failed");
+ zassert_equal(psa_generate_random(tmp, sizeof(tmp)), PSA_SUCCESS,
+ "psa_generate_random failed");
+
+}
+
+ZTEST_SUITE(test_fn, NULL, NULL, NULL, NULL, NULL);
diff --git a/tests/crypto/mbedtls_psa/testcase.yaml b/tests/crypto/mbedtls_psa/testcase.yaml
new file mode 100644
index 00000000000..6b96e8ff5f6
--- /dev/null
+++ b/tests/crypto/mbedtls_psa/testcase.yaml
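Review bot: Both assertions in `test_mbedtls_psa` check only the returned status, so an RNG backend that reports `PSA_SUCCESS` without ever writing to `tmp` would still pass, and because `tmp` is uninitialized its contents cannot be checked afterwards. Since the stated purpose is to prove the configured RNG path works, I would zero the buffer and assert that it changed: `uint8_t tmp[64] = {0}, zero[64] = {0};` and, after the call, `zassert_true(memcmp(tmp, zero, sizeof(tmp)) != 0, "psa_generate_random left the buffer unchanged");`. That needs `<string.h>`; the two `#include` lines in this hunk have lost their header names in this rendering, so I cannot tell whether it is already pulled in. The check says nothing about output quality, only that the callback actually filled the buffer.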
@@ -0,0 +1,41 @@
+# The goal here is to showcase that Mbed TLS's PSA crypto implementation can be
+# supported on any platform. A very minimal configuration is tested here: simply
+# enable support for PSA crypto APIs in Mbed TLS and then test them with:
+# - psa_crypto_init() which is required before any PSA crypto operation
+# - psa_generate_random() which is always available as long as PSA crypto is
+# initialized.
+#
+# Since it might take too long to execute this test on all platforms
+# supported by Zephyr, we reduce to a very small selected group whose
+# characteristics are:
+# - no TF-M enabled devices because we assume that the TF-M implementation
+# of PSA crypto is working fine on the platforms that support TF-M.
+# - platform should be testable by the CI.
+# - enable CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG in order to reduce as much
+# as possible usage of legacy modules in Mbed TLS.
+# - pick 1 platform which supports entropy driver and 1 which does not. The
+# latter case will allow to test
+# CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG.
+common:
+ filter: not CONFIG_BUILD_WITH_TFM
+ tags:
+ - mbedtls
+ - psa
+tests:
+ crypto.mbedtls_psa.with_entropy_driver:
+ filter: CONFIG_CSPRNG_ENABLED
+ # Pick a platform which has an entropy driver and enable it.
+ integration_platforms:
+ - native_sim/native/64
+ extra_configs:
+ - CONFIG_ENTROPY_GENERATOR=y
+ crypto.mbedtls_psa.without_entropy_driver:
+ filter: not CONFIG_CSPRNG_ENABLED
+ # Pick a platform which does not have an entropy driver. In this case we
+ # enable the timer random generator because it's always available on all
+ # platforms.
+ integration_platforms:
+ - qemu_x86
+ extra_configs:
+ - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y
+ - CONFIG_TEST_RANDOM_GENERATOR=y
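Review bot: The `crypto.mbedtls_psa.without_entropy_driver` scenario makes `psa_generate_random()` succeed on top of `CONFIG_TEST_RANDOM_GENERATOR`, but the comment above it explains only why that generator was picked ("always available") and never says its output is not cryptographically secure. Because the header comment presents this file as a showcase of how to configure the RNG, the two `extra_configs` lines are likely to be copied into application configurations as-is. I would extend the scenario comment with something like `# Test-only: with these two options psa_generate_random() returns non-cryptographic output; do not use them where keys or nonces are generated.`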