nrf_security: Remove random_ext.c

Remove the random_ext.c file and the MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG option since it is not used anymore by the Oberon PSA core. With the current configuration the options: PSA_CRYPTO_DRIVER_ALG_CTR_DRBG_* are used to specifiy the random number generator algorithm. Ref: NCSDK-21868 Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
nrfconnect · Jul 13, 2023 · d9f1289 · d9f1289
1 parent c644f13
commit d9f1289
Show file tree

Hide file tree

Showing 11 changed files with 11 additions and 77 deletions.
diff --git a/subsys/net/openthread/Kconfig.defconfig b/subsys/net/openthread/Kconfig.defconfig
@@ -146,10 +146,6 @@ config OPENTHREAD_PING_SENDER
  bool
  default y
 
-config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
- bool
- default n
-
 if !OPENTHREAD_THREAD_VERSION_1_1
 
 # Thread 1.2 dependencies

diff --git a/subsys/nrf_security/CMakeLists.txt b/subsys/nrf_security/CMakeLists.txt
@@ -33,9 +33,6 @@ if(CONFIG_BUILD_WITH_TFM)
  # NS-build: PSA APIs are already compiled in TF-M image
  set(COMPILE_PSA_APIS False)
 
- # Disable external RNG build as it is part of TF-M image
- set(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG False)
-
  # Execute Cmake logic to forward configurations to TF-M build
  include(${NRF_SECURITY_ROOT}/cmake/config_to_tf-m.cmake)
 

diff --git a/subsys/nrf_security/Kconfig.legacy b/subsys/nrf_security/Kconfig.legacy
@@ -347,12 +347,7 @@ config MBEDTLS_HMAC_DRBG_C
 
 config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
  bool
- prompt "External RNG"
- default y if CRYPTOCELL_USABLE
- help
- Convenience layer for handling entropy before it is fully supported in
- PSA Crypto APIs and drivers. This is set by default for legacy and PSA
- modes.
+ default y
 
 config MBEDTLS_ENTROPY_C
  bool

diff --git a/subsys/nrf_security/Kconfig.psa b/subsys/nrf_security/Kconfig.psa
@@ -29,7 +29,7 @@ config PSA_WANT_ALG_HMAC_DRBG
 
 config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
  bool
- default y if CRYPTOCELL_USABLE
+ default y
 
 rsource "src/core/Kconfig"
 

diff --git a/subsys/nrf_security/src/CMakeLists.txt b/subsys/nrf_security/src/CMakeLists.txt
@@ -71,13 +71,6 @@ if (COMPILE_PSA_APIS)
  )
 endif()
 
-# Add PSA RNG API for the entropy driver
-if(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG AND NOT CONFIG_BUILD_WITH_TFM)
- list(APPEND src_crypto
- random_ext.c
- )
-endif()
-
 append_with_prefix(src_crypto ${ARM_MBEDTLS_PATH}/library
  pem.c
  pkcs12.c

diff --git a/subsys/nrf_security/src/drivers/nrf_oberon/Kconfig b/subsys/nrf_security/src/drivers/nrf_oberon/Kconfig
@@ -106,6 +106,7 @@ config PSA_CRYPTO_DRIVER_ALG_PRNG_OBERON
  bool
  default y
  depends on !PSA_CRYPTO_DRIVER_ALG_PRNG_CC3XX_PLATFORM
+ depends on !BUILD_WITH_TFM
  depends on PSA_WANT_GENERATE_RANDOM
 
 config PSA_CRYPTO_DRIVER_ALG_CTR_DRBG_OBERON

diff --git a/subsys/nrf_security/src/legacy/CMakeLists.txt b/subsys/nrf_security/src/legacy/CMakeLists.txt
@@ -53,7 +53,7 @@ append_with_prefix(src_crypto_legacy ${ARM_MBEDTLS_PATH}/library
 endif()
 
 # Legacy files should only be added in certain configurations
-if(NOT (MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG OR CONFIG_MBEDTLS_PSA_CRYPTO_SPM))
+if(NOT CONFIG_MBEDTLS_PSA_CRYPTO_SPM)
  append_with_prefix(src_crypto_legacy ${ARM_MBEDTLS_PATH}/library
  ctr_drbg.c
  entropy.c

diff --git a/subsys/nrf_security/src/random_ext.c b/subsys/nrf_security/src/random_ext.c
diff --git a/subsys/nrf_security/tfm/CMakeLists.txt b/subsys/nrf_security/tfm/CMakeLists.txt
@@ -53,9 +53,6 @@ set(CONFIG_MBEDTLS_LEGACY_CRYPTO_C False)
 set(CONFIG_MBEDTLS_NO_PLATFORM_ENTROPY False)
 set(CONFIG_MBEDTLS_MD_C False)
 
-# Additional setting ensuring that external RNG is enabled inside TF-M image
-set(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG True)
-
 # Platform cannot be selected when building for TF-M, because TF-M itself has
 # control of the CryptoCell. Therefore, specifically for building TF-M we
 # enable it manually.

diff --git a/tests/crypto/src/common_test.c b/tests/crypto/src/common_test.c
@@ -48,30 +48,22 @@ static int entropy_func(void *ctx, unsigned char *buf, size_t len)
 
 #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
 
-mbedtls_psa_external_random_context_t drbg_ctx;
+/* Dummy context since we don't use it in the external_rng function */
+char drbg_ctx;
 
 int init_drbg(const unsigned char *p_optional_seed, size_t len)
 {
- static const unsigned char ncs_seed[] = "ncs_drbg_seed";
-
- const unsigned char *p_seed;
-
- if (p_optional_seed == NULL) {
- p_seed = ncs_seed;
- len = sizeof(ncs_seed);
- } else {
- p_seed = p_optional_seed;
+ if (p_optional_seed != NULL) {
+ return -EINVAL;
  }
 
- int ret = nrf_cc3xx_platform_ctr_drbg_init(
- (nrf_cc3xx_platform_ctr_drbg_context_t *)&drbg_ctx, p_seed, len);
- return ret;
+ return 0;
 }
 
 int external_rng(void *ctx, unsigned char *output, size_t len)
 {
  int out_len;
- int ret = mbedtls_psa_external_get_random(NULL, output, len, &out_len);
+ int ret = nrf_cc3xx_platform_ctr_drbg_get(NULL, output, len, &out_len);
  return ret;
 }
 

diff --git a/tests/crypto/src/common_test.h b/tests/crypto/src/common_test.h
@@ -56,7 +56,7 @@ size_t hex2bin_safe(const char *hex, uint8_t *buf, size_t buflen);
 #include "psa/crypto.h"
 #include "nrf_cc3xx_platform_ctr_drbg.h"
 
-extern mbedtls_psa_external_random_context_t drbg_ctx;
+extern char drbg_ctx;
 
 #elif defined(MBEDTLS_CTR_DRBG_C)