Skip to content

Commit

Permalink
mbedtls: use CSPRNG whenever possible as PSA random source
Browse files Browse the repository at this point in the history
The main problem of MBEDTLS_PSA_CRYPTO_LEGACY_RNG is that it
brings in some legacy modules (entropy + ctr_drbg/hmac_drbg)
which means extra ROM/RAM footprint.
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG instead simply calls to the
CSPRNG which makes it definitely smaller.

Signed-off-by: Valerio Setti <[email protected]>
  • Loading branch information
valeriosetti committed Oct 31, 2024
1 parent 4ed76be commit a8737af
Show file tree
Hide file tree
Showing 12 changed files with 16 additions and 10 deletions.
6 changes: 6 additions & 0 deletions doc/releases/migration-guide-4.0.rst
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,12 @@ Mbed TLS
corresponding build symbol was removed in Mbed TLS 3.1.0 and is now assumed to
be enabled. (:github:`77657`)

* If a platform has a CSPRNG source available (i.e. :kconfig:option:`CONFIG_CSPRNG_ENABLED`
is set), then the Kconfig option :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG`
is the default choice for random number source instead of
:kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_LEGACY_RNG`. This helps in reducing
ROM/RAM footprint of the Mbed TLS library.

TinyCrypt
=========

Expand Down
1 change: 1 addition & 0 deletions modules/mbedtls/Kconfig.tls-generic
Original file line number Diff line number Diff line change
Expand Up @@ -481,6 +481,7 @@ config MBEDTLS_SSL_EXTENDED_MASTER_SECRET
choice MBEDTLS_PSA_CRYPTO_RNG_SOURCE
prompt "Select random source for built-in PSA crypto"
depends on MBEDTLS_PSA_CRYPTO_C
default MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if CSPRNG_ENABLED
default MBEDTLS_PSA_CRYPTO_LEGACY_RNG

config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
Expand Down
1 change: 0 additions & 1 deletion samples/psa/its/overlay-entropy_driver.conf
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@
# SPDX-License-Identifier: Apache-2.0

CONFIG_ENTROPY_GENERATOR=y
CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
1 change: 0 additions & 1 deletion samples/psa/persistent_key/overlay-entropy_driver.conf
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@
# SPDX-License-Identifier: Apache-2.0

CONFIG_ENTROPY_GENERATOR=y
CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
1 change: 0 additions & 1 deletion tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf
Original file line number Diff line number Diff line change
Expand Up @@ -4,4 +4,3 @@ CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_PSA_CRYPTO_ENABLE_ALL=y

CONFIG_ENTROPY_GENERATOR=y
CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
1 change: 0 additions & 1 deletion tests/bsim/bluetooth/ll/conn/psa_overlay.conf
Original file line number Diff line number Diff line change
Expand Up @@ -4,4 +4,3 @@ CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_PSA_CRYPTO_ENABLE_ALL=y

CONFIG_ENTROPY_GENERATOR=y
CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
1 change: 0 additions & 1 deletion tests/crypto/mbedtls_psa/prj.conf
Original file line number Diff line number Diff line change
Expand Up @@ -3,4 +3,3 @@ CONFIG_ZTEST=y

CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
5 changes: 3 additions & 2 deletions tests/crypto/mbedtls_psa/testcase.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,6 @@
# - no TF-M enabled devices because we assume that the TF-M implementation
# of PSA crypto is working fine on the platforms that support TF-M.
# - platform should be testable by the CI.
# - enable CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG in order to reduce as much
# as possible usage of legacy modules in Mbed TLS.
# - pick 1 platform which supports entropy driver and 1 which does not. The
# latter case will allow to test
# CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG.
Expand All @@ -34,8 +32,11 @@ tests:
# Pick a platform which does not have an entropy driver. In this case we
# enable the timer random generator because it's always available on all
# platforms.
# Explicitly select CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG because this is
# not "automatically selected" when there is CSPRNG available.
integration_platforms:
- qemu_x86
extra_configs:
- CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
- CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y
- CONFIG_TEST_RANDOM_GENERATOR=y
1 change: 0 additions & 1 deletion tests/crypto/secp256r1/mbedtls.conf
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_MBEDTLS_PSA_P256M_DRIVER_ENABLED=y

Expand Down
1 change: 0 additions & 1 deletion tests/crypto/secp256r1/p256-m_raw.conf
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_MBEDTLS_PSA_P256M_DRIVER_ENABLED=y
CONFIG_MBEDTLS_PSA_P256M_DRIVER_RAW=y
1 change: 0 additions & 1 deletion tests/net/socket/tls_configurations/prj.conf
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,6 @@ CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2048
CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
# Build the PSA Crypto core so that the TLS stack uses the PSA crypto API.
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
CONFIG_ENTROPY_GENERATOR=y

# Disable some Kconfigs that are implied by CONFIG_NET_SOCKETS_SOCKOPT_TLS.
Expand Down
6 changes: 6 additions & 0 deletions tests/subsys/jwt/testcase.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,9 @@ tests:
extra_configs:
- CONFIG_JWT_SIGN_ECDSA=y
- CONFIG_JWT_USE_PSA=y
# Explicitly select CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG because this
# is not automatically selected on platforms that do not have a CSPRNG
# source.
- CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
- CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y
libraries.encoding.jwt.rsa.legacy:
Expand All @@ -28,5 +31,8 @@ tests:
extra_configs:
- CONFIG_JWT_SIGN_RSA=y
- CONFIG_JWT_USE_PSA=y
# Explicitly select CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG because this
# is not automatically selected on platforms that do not have a CSPRNG
# source.
- CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
- CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y

0 comments on commit a8737af

Please sign in to comment.