zephyrproject-rtos · valeriosetti · Oct 21, 2024 · Oct 22, 2024 · Nov 5, 2024 · tomi-font
diff --git a/doc/releases/migration-guide-4.0.rst b/doc/releases/migration-guide-4.0.rst
@@ -75,6 +75,12 @@ Mbed TLS
   corresponding build symbol was removed in Mbed TLS 3.1.0 and is now assumed to
   be enabled. (:github:`77657`)
 
+* If a platform has a CSPRNG source available (i.e. :kconfig:option:`CONFIG_CSPRNG_ENABLED`
+  is set), then the Kconfig option :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG`
+  is the default choice for random number source instead of
-  is set), then the Kconfig option :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG`
-  is the default choice for random number source instead of
+  is set), the Kconfig option :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG`
+  is now the default choice for the random number source instead of
-  is set), then the Kconfig option :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG`
-  is the default choice for random number source instead of
+  is set), the Kconfig option :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG`
+  is now the default choice for the random number source instead of
+  :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_LEGACY_RNG`. This helps in reducing
+  ROM/RAM footprint of the Mbed TLS library.
+
 TinyCrypt
 =========
 

@@ -112,7 +112,6 @@ config BT_SILABS_EFR32
 	select MBEDTLS
 	select MBEDTLS_PSA_CRYPTO_C
 	select MBEDTLS_ENTROPY_C
-	select MBEDTLS_ENTROPY_POLL_ZEPHYR
 	help
 	  Use Silicon Labs binary Bluetooth library to connect to the
 	  controller.

diff --git a/drivers/wifi/esp32/Kconfig.esp32 b/drivers/wifi/esp32/Kconfig.esp32
@@ -377,7 +377,6 @@ config ESP32_WIFI_MBEDTLS_CRYPTO
 	select MBEDTLS_CIPHER_MODE_CTR_ENABLED
 	select MBEDTLS_CMAC
 	select MBEDTLS_ENTROPY_C
-	select MBEDTLS_ENTROPY_POLL_ZEPHYR
 	help
 	  Select this option to use MbedTLS crypto APIs which utilize hardware acceleration.
 

diff --git a/modules/mbedtls/Kconfig.tls-generic b/modules/mbedtls/Kconfig.tls-generic
@@ -246,6 +246,7 @@ config MBEDTLS_SOME_CIPHER_ENABLED
 
 config MBEDTLS_CIPHER_AES_ENABLED
 	bool "AES block cipher"
+	default y if PSA_WANT_KEY_TYPE_AES && MBEDTLS_PSA_CRYPTO_C
 
 if MBEDTLS_CIPHER_AES_ENABLED
 
@@ -397,6 +398,7 @@ config MBEDTLS_ENTROPY_C
 
 config MBEDTLS_ENTROPY_POLL_ZEPHYR
 	bool "Provide entropy data to Mbed TLS through entropy driver or random generator"
+	default y
 	depends on MBEDTLS_ENTROPY_C
 	help
 	  Provide entropy data to the Mbed TLS's entropy module through either
@@ -480,6 +482,7 @@ config MBEDTLS_SSL_EXTENDED_MASTER_SECRET
 choice MBEDTLS_PSA_CRYPTO_RNG_SOURCE
 	prompt "Select random source for built-in PSA crypto"
 	depends on MBEDTLS_PSA_CRYPTO_C
+	default MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if CSPRNG_ENABLED
 	default MBEDTLS_PSA_CRYPTO_LEGACY_RNG
 
 config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG

diff --git a/samples/net/wifi/shell/boards/frdm_rw612.conf b/samples/net/wifi/shell/boards/frdm_rw612.conf
@@ -103,7 +103,6 @@ CONFIG_MBEDTLS_USER_CONFIG_FILE="wpa_supp_els_pkc_mbedtls_config.h"
 CONFIG_ENTROPY_GENERATOR=y
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y
 CONFIG_MBEDTLS_ENTROPY_C=y
-CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR=y
 CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=8192
 
 # power management

diff --git a/samples/net/wifi/shell/boards/rd_rw612_bga.conf b/samples/net/wifi/shell/boards/rd_rw612_bga.conf
@@ -102,7 +102,6 @@ CONFIG_MBEDTLS_USER_CONFIG_FILE="wpa_supp_els_pkc_mbedtls_config.h"
 CONFIG_ENTROPY_GENERATOR=y
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y
 CONFIG_MBEDTLS_ENTROPY_C=y
-CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR=y
 CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=8192
 
 # power management

diff --git a/samples/psa/its/overlay-entropy_driver.conf b/samples/psa/its/overlay-entropy_driver.conf
@@ -1,4 +1,3 @@
 # SPDX-License-Identifier: Apache-2.0
 
 CONFIG_ENTROPY_GENERATOR=y
-CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
diff --git a/samples/psa/its/overlay-entropy_not_secure.conf b/samples/psa/its/overlay-entropy_not_secure.conf
@@ -2,4 +2,3 @@
 
 CONFIG_TEST_RANDOM_GENERATOR=y
 CONFIG_TIMER_RANDOM_GENERATOR=y
-CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR=y
diff --git a/samples/psa/persistent_key/overlay-entropy_driver.conf b/samples/psa/persistent_key/overlay-entropy_driver.conf
@@ -1,4 +1,3 @@
 # SPDX-License-Identifier: Apache-2.0
 
 CONFIG_ENTROPY_GENERATOR=y
-CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
diff --git a/samples/psa/persistent_key/overlay-entropy_not_secure.conf b/samples/psa/persistent_key/overlay-entropy_not_secure.conf
@@ -2,4 +2,3 @@
 
 CONFIG_TEST_RANDOM_GENERATOR=y
 CONFIG_TIMER_RANDOM_GENERATOR=y
-CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR=y
diff --git a/subsys/bluetooth/mesh/Kconfig b/subsys/bluetooth/mesh/Kconfig
@@ -1478,7 +1478,6 @@ config BT_MESH_USES_MBEDTLS_PSA
 	select EXPERIMENTAL
 	select MBEDTLS
 	select MBEDTLS_ENTROPY_C
-	select MBEDTLS_ENTROPY_POLL_ZEPHYR
 	select MBEDTLS_PSA_CRYPTO_C
 	select MBEDTLS_USE_PSA_CRYPTO
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT

diff --git a/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf b/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf
@@ -4,4 +4,3 @@ CONFIG_MBEDTLS_PSA_CRYPTO_C=y
 CONFIG_PSA_CRYPTO_ENABLE_ALL=y
 
 CONFIG_ENTROPY_GENERATOR=y
-CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
diff --git a/tests/bsim/bluetooth/ll/conn/psa_overlay.conf b/tests/bsim/bluetooth/ll/conn/psa_overlay.conf
@@ -4,4 +4,3 @@ CONFIG_MBEDTLS_PSA_CRYPTO_C=y
 CONFIG_PSA_CRYPTO_ENABLE_ALL=y
 
 CONFIG_ENTROPY_GENERATOR=y
-CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
diff --git a/tests/crypto/mbedtls_psa/prj.conf b/tests/crypto/mbedtls_psa/prj.conf
@@ -3,4 +3,3 @@ CONFIG_ZTEST=y
 
 CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y
-CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
diff --git a/tests/crypto/mbedtls_psa/testcase.yaml b/tests/crypto/mbedtls_psa/testcase.yaml
@@ -11,8 +11,6 @@
 # - no TF-M enabled devices because we assume that the TF-M implementation
 #   of PSA crypto is working fine on the platforms that support TF-M.
 # - platform should be testable by the CI.
-# - enable CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG in order to reduce as much
-#   as possible usage of legacy modules in Mbed TLS.
 # - pick 1 platform which supports entropy driver and 1 which does not. The
 #   latter case will allow to test
 #   CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG.
@@ -34,8 +32,11 @@ tests:
     # Pick a platform which does not have an entropy driver. In this case we
     # enable the timer random generator because it's always available on all
     # platforms.
+    # Explicitly select CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG because this is
+    # not "automatically selected" when there is no CSPRNG available.
     integration_platforms:
       - qemu_x86
     extra_configs:
+      - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
       - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y
       - CONFIG_TEST_RANDOM_GENERATOR=y
diff --git a/tests/crypto/secp256r1/mbedtls.conf b/tests/crypto/secp256r1/mbedtls.conf
@@ -1,5 +1,4 @@
 CONFIG_MBEDTLS=y
-CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y
 CONFIG_MBEDTLS_PSA_P256M_DRIVER_ENABLED=y
 

diff --git a/tests/crypto/secp256r1/p256-m_raw.conf b/tests/crypto/secp256r1/p256-m_raw.conf
@@ -1,5 +1,4 @@
 CONFIG_MBEDTLS=y
-CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y
 CONFIG_MBEDTLS_PSA_P256M_DRIVER_ENABLED=y
 CONFIG_MBEDTLS_PSA_P256M_DRIVER_RAW=y
diff --git a/tests/modules/uoscore/prj.conf b/tests/modules/uoscore/prj.conf
@@ -13,7 +13,6 @@ CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=2048
 CONFIG_MBEDTLS_ENTROPY_C=y
-CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR=y
 
 # PSA Crypto options
 

diff --git a/tests/net/socket/tls_configurations/prj.conf b/tests/net/socket/tls_configurations/prj.conf
@@ -28,7 +28,6 @@ CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2048
 CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
 # Build the PSA Crypto core so that the TLS stack uses the PSA crypto API.
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y
-CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
 CONFIG_ENTROPY_GENERATOR=y
 
 # Disable some Kconfigs that are implied by CONFIG_NET_SOCKETS_SOCKOPT_TLS.

diff --git a/tests/subsys/jwt/testcase.yaml b/tests/subsys/jwt/testcase.yaml
@@ -12,6 +12,9 @@ tests:
   libraries.encoding.jwt.ecdsa.psa:
     extra_configs:
       - CONFIG_JWT_SIGN_ECDSA_PSA=y
+      # Explicitly select CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG because this
+      # is not automatically selected on platforms that do not have a CSPRNG
+      # source.
       - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
       - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y
   libraries.encoding.jwt.rsa.legacy:
@@ -21,5 +24,8 @@ tests:
   libraries.encoding.jwt.rsa.psa:
     extra_configs:
       - CONFIG_JWT_SIGN_RSA_PSA=y
+      # Explicitly select CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG because this
+      # is not automatically selected on platforms that do not have a CSPRNG
+      # source.
       - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
       - CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y
diff --git a/tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf b/tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf
@@ -4,7 +4,6 @@ CONFIG_MAIN_STACK_SIZE=2048
 CONFIG_MBEDTLS=y
 CONFIG_TEST_RANDOM_GENERATOR=y
 CONFIG_TIMER_RANDOM_GENERATOR=y
-CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR=y
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y
 
 CONFIG_SECURE_STORAGE=y

diff --git a/tests/subsys/secure_storage/psa/its/overlay-default_transform.conf b/tests/subsys/secure_storage/psa/its/overlay-default_transform.conf
@@ -1,7 +1,6 @@
 CONFIG_MBEDTLS=y
 CONFIG_TEST_RANDOM_GENERATOR=y
 CONFIG_TIMER_RANDOM_GENERATOR=y
-CONFIG_MBEDTLS_ENTROPY_POLL_ZEPHYR=y
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y
 
 # SETTINGS_MAX_VAL_LEN (256) - flags (1) - CONFIG_SECURE_STORAGE_ITS_TRANSFORM_OUTPUT_OVERHEAD (28)

diff --git a/tests/subsys/storage/flash_map/overlay-psa.conf b/tests/subsys/storage/flash_map/overlay-psa.conf
@@ -1,3 +1,4 @@
 CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA=y
 CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_TEST_RANDOM_GENERATOR=y