Autonomous random driver: create configuration option

Create a configuration option for autonomous random drivers, i.e. PSA
crypto drivers that provide a random generator, that have their own
entropy source and do not support injecting entropy from another
source.

This commit only creates the configuration option. Subsequent commits
will add the implementation and tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine 2020-11-13 17:36:48 +01:00
parent 30524eb7e5
commit f08b3f8624
5 changed files with 48 additions and 5 deletions

View file

@ -573,9 +573,10 @@
#endif
#if defined(MBEDTLS_PSA_CRYPTO_C) && \
!( defined(MBEDTLS_CTR_DRBG_C) && \
defined(MBEDTLS_ENTROPY_C) )
#error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites"
!( ( defined(MBEDTLS_CTR_DRBG_C) && \
defined(MBEDTLS_ENTROPY_C) ) || \
defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) )
#error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites (missing RNG)"
#endif
#if defined(MBEDTLS_PSA_CRYPTO_SPM) && !defined(MBEDTLS_PSA_CRYPTO_C)

View file

@ -1337,6 +1337,35 @@
*/
//#define MBEDTLS_PSA_CRYPTO_DRIVERS
/** \def MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
*
* Make the PSA Crypto module use an external random generator provided
* by a driver, instead of Mbed TLS's entropy and DRBG modules.
*
* If you enable this option, you must supply a type called
* \c mbedtls_psa_external_random_context_t and a function called
* mbedtls_psa_external_get_random() with the following prototype:
* ```
* psa_status_t mbedtls_psa_external_get_random(
* mbedtls_psa_external_random_context_t *context,
* uint8_t *output, size_t output_size, size_t *output_length);
* );
* ```
* The \c context value is initialized to 0 before the first call.
* The function must fill the \c output buffer with \p output_size bytes
* of random data and set \c *output_length to \p output_size.
*
* Requires: MBEDTLS_PSA_CRYPTO_C
*
* \warning If you enable this option, code that uses the PSA cryptography
* interface will not use any of the entropy sources set up for
* the entropy module, nor the NV seed that MBEDTLS_ENTROPY_NV_SEED
* enables.
*
* \note This option is experimental and may be removed without notice.
*/
//#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
/**
* \def MBEDTLS_PSA_CRYPTO_SPM
*
@ -3115,7 +3144,8 @@
*
* Module: library/psa_crypto.c
*
* Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C
* Requires: either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C,
* or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
*
*/
#define MBEDTLS_PSA_CRYPTO_C

View file

@ -438,6 +438,9 @@ static const char * const features[] = {
#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS)
"MBEDTLS_PSA_CRYPTO_DRIVERS",
#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS */
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
"MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG",
#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
#if defined(MBEDTLS_PSA_CRYPTO_SPM)
"MBEDTLS_PSA_CRYPTO_SPM",
#endif /* MBEDTLS_PSA_CRYPTO_SPM */

View file

@ -1224,6 +1224,14 @@ int query_config( const char *config )
}
#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS */
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
if( strcmp( "MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG );
return( 0 );
}
#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
#if defined(MBEDTLS_PSA_CRYPTO_SPM)
if( strcmp( "MBEDTLS_PSA_CRYPTO_SPM", config ) == 0 )
{

View file

@ -185,6 +185,7 @@ EXCLUDE_FROM_FULL = frozenset([
'MBEDTLS_PKCS11_C', # build dependency (libpkcs11-helper)
'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', # removes a feature
'MBEDTLS_PSA_CRYPTO_CONFIG', # toggles old/new style PSA config
'MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG', # behavior change + build dependency
'MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER', # incompatible with USE_PSA_CRYPTO
'MBEDTLS_PSA_CRYPTO_SPM', # platform dependency (PSA SPM)
'MBEDTLS_PSA_INJECT_ENTROPY', # build dependency (hook functions)