diff --git a/modules/mbedtls/Kconfig.tls-generic b/modules/mbedtls/Kconfig.tls-generic
index 5c8ac8b569b..32c91b25523 100644
--- a/modules/mbedtls/Kconfig.tls-generic
+++ b/modules/mbedtls/Kconfig.tls-generic
@@ -482,11 +482,17 @@ config MBEDTLS_SSL_EXTENDED_MASTER_SECRET
 choice MBEDTLS_PSA_CRYPTO_RNG_SOURCE
 prompt "Select random source for built-in PSA crypto"
 depends on MBEDTLS_PSA_CRYPTO_C
- default MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if CSPRNG_ENABLED
+ # The only way to check if there is any entropy driver available on the
+ # platform is to check if the "zephyr,entropy" chosen property exists.
+ # CONFIG_CSPRNG_ENABLED cannot be used for this because it gets enabled by
+ # entropy drivers but these are gated by CONFIG_ENTROPY_GENERATOR which
+ # is disabled by default.
+ default MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if CSPRNG_AVAILABLE
 default MBEDTLS_PSA_CRYPTO_LEGACY_RNG
 config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
 bool "Use a cryptographically secure driver as random source"
+ select ENTROPY_GENERATOR
 help
 Use a cryptographically secure random generator to provide random data instead of legacy Mbed TLS modules. This has a smaller footprint
@@ -501,6 +507,10 @@ config MBEDTLS_PSA_CRYPTO_LEGACY_RNG
 bool "Use legacy modules to generate random data"
 select MBEDTLS_ENTROPY_C
 select MBEDTLS_HMAC_DRBG_ENABLED if !MBEDTLS_CTR_DRBG_ENABLED
+ # If there is any entropy driver in the system, then the choice would be
+ # CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. If we fall here, then the only
+ # way to get some random data is to enable CONFIG_TEST_RANDOM_GENERATOR.
+ select TEST_RANDOM_GENERATOR
 help
 Use legacy Mbed TLS modules to generate random data. In this configuration the entropy module is used to gather some data and then
diff --git a/soc/nxp/imxrt/Kconfig.defconfig b/soc/nxp/imxrt/Kconfig.defconfig
index 5a05de8bb20..f5a0906ec9d 100644
--- a/soc/nxp/imxrt/Kconfig.defconfig
+++ b/soc/nxp/imxrt/Kconfig.defconfig
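Review bot: `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` gains `select ENTROPY_GENERATOR` but no matching `depends on CSPRNG_AVAILABLE`, so the option stays selectable on a platform with no "zephyr,entropy" chosen node; there it forces the entropy subsystem on with no driver behind it, and the PSA external RNG would presumably have no source at run time. Adding `depends on CSPRNG_AVAILABLE` under the bool line hides the option where it cannot work and makes the option's own dependency agree with the new default in the choice header. The comment block above the default could also state the user-visible consequence, e.g. `# Without a "zephyr,entropy" chosen node the legacy RNG is used instead.` The choice block and the option's help text continue past the hunk.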
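Review bot: `select TEST_RANDOM_GENERATOR` is unconditional, yet `MBEDTLS_PSA_CRYPTO_LEGACY_RNG` can also be chosen by hand on a platform that does have an entropy driver, where the test generator is neither needed nor wanted as a seed source; the added comment only argues the no-driver case. If TEST_RANDOM_GENERATOR is the non-cryptographic test generator its name suggests, a build that falls back to it seeds the Mbed TLS DRBG from predictable data with no visible indication, and this option is the default whenever CSPRNG_AVAILABLE is n. Tighten it to `select TEST_RANDOM_GENERATOR if !CSPRNG_AVAILABLE` and have the comment say plainly that the fallback seed is not cryptographically secure, so a product build is not shipped with it unnoticed. The help text continues past the hunk.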
@@ -82,8 +82,7 @@ choice SEGGER_SYSVIEW_SECTION
 endchoice
 config MBEDTLS
- default y if CSPRNG_ENABLED
- depends on ENTROPY_GENERATOR
+ default y if CSPRNG_AVAILABLE
 if MBEDTLS
 #
diff --git a/soc/nxp/imxrt/imxrt5xx/Kconfig.defconfig b/soc/nxp/imxrt/imxrt5xx/Kconfig.defconfig
index dba7c8831fb..592645782e1 100644
--- a/soc/nxp/imxrt/imxrt5xx/Kconfig.defconfig
+++ b/soc/nxp/imxrt/imxrt5xx/Kconfig.defconfig
@@ -21,8 +21,7 @@ config ZTEST_NO_YIELD
 default y if (PM && ZTEST)
 config MBEDTLS
- default y if CSPRNG_ENABLED
- depends on ENTROPY_GENERATOR
+ default y if CSPRNG_AVAILABLE
 if MBEDTLS
 #
diff --git a/soc/nxp/imxrt/imxrt6xx/Kconfig.defconfig b/soc/nxp/imxrt/imxrt6xx/Kconfig.defconfig
index f934bd91363..53fd19e0eff 100644
--- a/soc/nxp/imxrt/imxrt6xx/Kconfig.defconfig
+++ b/soc/nxp/imxrt/imxrt6xx/Kconfig.defconfig
@@ -39,8 +39,7 @@ config ZTEST_NO_YIELD
 default y if (ZTEST && PM)
 config MBEDTLS
- default y if CSPRNG_ENABLED
- depends on ENTROPY_GENERATOR
+ default y if CSPRNG_AVAILABLE
 if MBEDTLS
 #
diff --git a/subsys/jwt/Kconfig b/subsys/jwt/Kconfig
index 97446e27d9e..367ba43d225 100644
--- a/subsys/jwt/Kconfig
+++ b/subsys/jwt/Kconfig
@@ -18,7 +18,7 @@ choice
 config JWT_SIGN_RSA_LEGACY
 bool "Use RSA signature (RS-256). Use Mbed TLS as crypto library."
- depends on CSPRNG_ENABLED
+ depends on CSPRNG_AVAILABLE
 select MBEDTLS
 select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
diff --git a/subsys/mgmt/osdp/Kconfig b/subsys/mgmt/osdp/Kconfig
index 31f67e7237c..2523f2b0aaf 100644
--- a/subsys/mgmt/osdp/Kconfig
+++ b/subsys/mgmt/osdp/Kconfig
@@ -71,7 +71,7 @@ config OSDP_SKIP_MARK_BYTE
 config OSDP_SC_ENABLED
 bool "OSDP Secure Channel"
- depends on CSPRNG_ENABLED
+ depends on CSPRNG_AVAILABLE
 default y
 select CRYPTO
 select CRYPTO_MBEDTLS_SHIM
diff --git a/subsys/random/Kconfig b/subsys/random/Kconfig
index 137929d78d2..0e455630471 100644
--- a/subsys/random/Kconfig
+++ b/subsys/random/Kconfig
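Review bot: Dropping `depends on ENTROPY_GENERATOR` in favour of `default y if CSPRNG_AVAILABLE` changes what the default means: MBEDTLS is now switched on by an entropy node in the devicetree alone, and nothing in the hunk ensures the entropy driver is actually built; that now seems to rely on the Mbed TLS RNG-source choice selecting ENTROPY_GENERATOR, which presumably only applies when MBEDTLS_PSA_CRYPTO_C is enabled. The same edit is repeated verbatim in imxrt5xx/Kconfig.defconfig and imxrt6xx/Kconfig.defconfig. A one-line comment above the default would keep the intent visible for the next reader, e.g. `# A "zephyr,entropy" node exists; the driver itself is enabled by the Mbed TLS RNG source choice.` The `if MBEDTLS` block continues past the hunk.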
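Review bot: `depends on CSPRNG_AVAILABLE` is a weaker guard than the `depends on CSPRNG_ENABLED` it replaces: the new symbol only says a "zephyr,entropy" chosen node exists, not that the entropy driver is built, so JWT_SIGN_RSA_LEGACY can now be enabled with ENTROPY_GENERATOR=n and no cryptographically secure source behind it. Nothing in the hunk selects the driver; adding `select ENTROPY_GENERATOR` next to the new dependency, as the Mbed TLS external RNG option in this same commit does, closes that gap. The OSDP_SC_ENABLED hunk in subsys/mgmt/osdp/Kconfig has the same shape and deserves the same line, since a secure channel defaulting to y without a guaranteed CSPRNG is the more consequential of the two.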
@@ -75,6 +75,19 @@ config XOSHIRO_RANDOM_GENERATOR
 endchoice # RNG_GENERATOR_CHOICE
+
+DT_CHOSEN_Z_ENTROPY := zephyr,entropy
+config CSPRNG_AVAILABLE
+ bool
+ default y if $(dt_chosen_enabled,$(DT_CHOSEN_Z_ENTROPY))
+ help
+ Helper that can be used to check if the platform is capable of generating
+ CS random values. For this to be enabled, there must be the "zephyr,entropy"
+ chosen property defined in the devicetree. This means that there is an
+ HW entropy generator that can be used for this purpose.
+ Once CONFIG_CSPRNG_AVAILABLE is set, then CONFIG_ENTROPY_GENERATOR can
+ be enabled to enable the platform specific entropy driver.
+
 #
 # Implied dependency on a cryptographically secure entropy source when
 # enabling CS generators. ENTROPY_HAS_DRIVER is the flag indicating the
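Review bot: The help text claims more than the `default y if $(dt_chosen_enabled,$(DT_CHOSEN_Z_ENTROPY))` condition establishes: a "zephyr,entropy" chosen node says an entropy driver can be bound, not that it is hardware-backed or that it is compiled in, and readers of "HW entropy generator" will take that at face value when deciding whether a CSPRNG really exists. Suggest `Helper indicating that the devicetree names a "zephyr,entropy" chosen node, so an entropy driver can be enabled (CONFIG_ENTROPY_GENERATOR); it does not mean the driver is built or that its output is hardware-backed.` and expand `CS` to `cryptographically secure` on its first use. If dt_chosen_enabled also requires the node's status to be okay, say so, since a present-but-disabled node then leaves this symbol at n.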