diff --git a/subsys/net/openthread/Kconfig.defconfig b/subsys/net/openthread/Kconfig.defconfig
index 22a06404f66f..b6334ae59820 100644
--- a/subsys/net/openthread/Kconfig.defconfig
+++ b/subsys/net/openthread/Kconfig.defconfig
@@ -146,10 +146,6 @@ config OPENTHREAD_PING_SENDER
 	bool
 	default y
 
-config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
-	bool
-	default n
-
 if !OPENTHREAD_THREAD_VERSION_1_1 # Thread 1.2 dependencies
diff --git a/subsys/nrf_security/CMakeLists.txt b/subsys/nrf_security/CMakeLists.txt
index 286269939d5e..99ebc89ff16d 100644
--- a/subsys/nrf_security/CMakeLists.txt
+++ b/subsys/nrf_security/CMakeLists.txt
@@ -33,9 +33,6 @@ if(CONFIG_BUILD_WITH_TFM)
   # NS-build: PSA APIs are already compiled in TF-M image
   set(COMPILE_PSA_APIS False)
 
-  # Disable external RNG build as it is part of TF-M image
-  set(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG False)
-
   # Execute Cmake logic to forward configurations to TF-M build
   include(${NRF_SECURITY_ROOT}/cmake/config_to_tf-m.cmake)
diff --git a/subsys/nrf_security/Kconfig.legacy b/subsys/nrf_security/Kconfig.legacy
index 90b5377eb0aa..20ebe37dbb6d 100644
--- a/subsys/nrf_security/Kconfig.legacy
+++ b/subsys/nrf_security/Kconfig.legacy
@@ -347,12 +347,7 @@ config MBEDTLS_HMAC_DRBG_C
 config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
 	bool
-	prompt "External RNG"
-	default y if CRYPTOCELL_USABLE
-	help
-	  Convenience layer for handling entropy before it is fully supported in
-	  PSA Crypto APIs and drivers. This is set by default for legacy and PSA
-	  modes.
+	default y
 
 config MBEDTLS_ENTROPY_C
 	bool
diff --git a/subsys/nrf_security/Kconfig.psa b/subsys/nrf_security/Kconfig.psa
index 7b5448c8ad2d..bac204880d30 100644
--- a/subsys/nrf_security/Kconfig.psa
+++ b/subsys/nrf_security/Kconfig.psa
@@ -29,7 +29,7 @@ config PSA_WANT_ALG_HMAC_DRBG
 config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
 	bool
-	default y if CRYPTOCELL_USABLE
+	default y
 
 rsource "src/core/Kconfig"
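Review bot: The unconditional `default y` for `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` (here in Kconfig.legacy and again in the Kconfig.psa hunk) now also applies to targets without CryptoCell, which the removed `default y if CRYPTOCELL_USABLE` excluded, yet the only implementation of `mbedtls_psa_external_get_random` visible in this change, random_ext.c, is deleted and the src/CMakeLists.txt hunk stops building it; nothing on this page shows what provides that symbol now, so the commit message or the Kconfig entry should name it (presumably a PSA PRNG driver, but that is inferred). Dropping the prompt together with the help block also leaves a forced-on, non-user-visible symbol with no explanation of why it cannot be disabled; keep a help block, e.g. `help` followed by `PSA Crypto takes its random numbers from mbedtls_psa_external_get_random(). Always enabled; not user-selectable.`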
diff --git a/subsys/nrf_security/src/CMakeLists.txt b/subsys/nrf_security/src/CMakeLists.txt
index 9c73a0022c51..d54c2311c59a 100644
--- a/subsys/nrf_security/src/CMakeLists.txt
+++ b/subsys/nrf_security/src/CMakeLists.txt
@@ -71,13 +71,6 @@ if (COMPILE_PSA_APIS)
   )
 endif()
 
-# Add PSA RNG API for the entropy driver
-if(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG AND NOT CONFIG_BUILD_WITH_TFM)
-  list(APPEND src_crypto random_ext.c )
-endif()
-
 append_with_prefix(src_crypto ${ARM_MBEDTLS_PATH}/library
   pem.c
   pkcs12.c
diff --git a/subsys/nrf_security/src/drivers/nrf_oberon/Kconfig b/subsys/nrf_security/src/drivers/nrf_oberon/Kconfig
index 596ec93e5b26..d3a281aa75c0 100644
--- a/subsys/nrf_security/src/drivers/nrf_oberon/Kconfig
+++ b/subsys/nrf_security/src/drivers/nrf_oberon/Kconfig
@@ -106,6 +106,7 @@ config PSA_CRYPTO_DRIVER_ALG_PRNG_OBERON
 	bool
 	default y
 	depends on !PSA_CRYPTO_DRIVER_ALG_PRNG_CC3XX_PLATFORM
+	depends on !BUILD_WITH_TFM
 	depends on PSA_WANT_GENERATE_RANDOM
 
 config PSA_CRYPTO_DRIVER_ALG_CTR_DRBG_OBERON
diff --git a/subsys/nrf_security/src/legacy/CMakeLists.txt b/subsys/nrf_security/src/legacy/CMakeLists.txt
index 0ab8c2465b2d..df721a70b72b 100644
--- a/subsys/nrf_security/src/legacy/CMakeLists.txt
+++ b/subsys/nrf_security/src/legacy/CMakeLists.txt
@@ -53,7 +53,7 @@ append_with_prefix(src_crypto_legacy ${ARM_MBEDTLS_PATH}/library
 endif()
 
 # Legacy files should only be added in certain configurations
-if(NOT (MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG OR CONFIG_MBEDTLS_PSA_CRYPTO_SPM))
+if(NOT CONFIG_MBEDTLS_PSA_CRYPTO_SPM)
   append_with_prefix(src_crypto_legacy ${ARM_MBEDTLS_PATH}/library
     ctr_drbg.c
     entropy.c
diff --git a/subsys/nrf_security/src/random_ext.c b/subsys/nrf_security/src/random_ext.c
deleted file mode 100644
index 732575371fa3..000000000000
--- a/subsys/nrf_security/src/random_ext.c
+++ /dev/null
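Review bot: The added `depends on !BUILD_WITH_TFM` on `PSA_CRYPTO_DRIVER_ALG_PRNG_OBERON` carries no comment saying why a TF-M build must exclude the Oberon PRNG driver; the only hint on this page is the tfm/CMakeLists.txt context stating that TF-M itself has control of the CryptoCell. A one-line comment above the new line, such as `# TF-M builds get their random numbers from the TF-M image, not from the Oberon PRNG` (adjusted if the actual reason differs), would save the next reader from re-deriving it.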
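Review bot: The removed condition in legacy/CMakeLists.txt named `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` without the `CONFIG_` prefix that its sibling `CONFIG_MBEDTLS_PSA_CRYPTO_SPM` carries, so it may never have evaluated true and `ctr_drbg.c`/`entropy.c` were probably already compiled in every non-SPM build; with `CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` now forced to y, the legacy entropy/DRBG path and the external RNG coexist in the same image, which deserves a sentence in the commit confirming it is intended. The surviving comment `# Legacy files should only be added in certain configurations` no longer says which configuration; change it to `# Legacy entropy/DRBG sources are not built when PSA Crypto runs in the SPM`.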
@@ -1,37 +0,0 @@
-/*
- * Copyright (c) 2021 Nordic Semiconductor
- *
- * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
- *
- */
-
-#include "common.h"
-#include "nrf_cc3xx_platform_ctr_drbg.h"
-#include "nrf_cc3xx_platform_hmac_drbg.h"
-#include "psa/crypto.h"
-#include "psa/crypto_platform.h"
-psa_status_t mbedtls_psa_external_get_random(mbedtls_psa_external_random_context_t *context,
-					     uint8_t *output, size_t output_size,
-					     size_t *output_length)
-{
-	int ret;
-#if defined(CONFIG_PSA_WANT_ALG_CTR_DRBG)
-	ret = nrf_cc3xx_platform_ctr_drbg_get(NULL, output, output_size, output_length);
-#elif defined(CONFIG_PSA_WANT_ALG_HMAC_DRBG)
-	ret = nrf_cc3xx_platform_hmac_drbg_get(NULL, output, output_size, output_length);
-#else
-#error "Enable CONFIG_PSA_WANT_ALG_CTR_DRBG or CONFIG_PSA_WANT_ALG_HMAC_DRBG"
-#endif
-	if (ret != NRF_CC3XX_PLATFORM_SUCCESS) {
-		return PSA_ERROR_HARDWARE_FAILURE;
-	}
-	if (output_size != *output_length) {
-		return PSA_ERROR_INSUFFICIENT_ENTROPY;
-	}
-	return PSA_SUCCESS;
-}
diff --git a/subsys/nrf_security/tfm/CMakeLists.txt b/subsys/nrf_security/tfm/CMakeLists.txt
index d9e25af950ee..3384784d0fc6 100644
--- a/subsys/nrf_security/tfm/CMakeLists.txt
+++ b/subsys/nrf_security/tfm/CMakeLists.txt
@@ -53,9 +53,6 @@ set(CONFIG_MBEDTLS_LEGACY_CRYPTO_C False)
 set(CONFIG_MBEDTLS_NO_PLATFORM_ENTROPY False)
 set(CONFIG_MBEDTLS_MD_C False)
 
-# Additional setting ensuring that external RNG is enabled inside TF-M image
-set(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG True)
-
 # Platform cannot be selected when building for TF-M, because TF-M itself has
 # control of the CryptoCell. Therefore, specifically for building TF-M we
 # enable it manually.
diff --git a/tests/crypto/src/common_test.c b/tests/crypto/src/common_test.c
index 89ffcd8bfb30..bab224ee2fe0 100644
--- a/tests/crypto/src/common_test.c
+++ b/tests/crypto/src/common_test.c
@@ -48,30 +48,22 @@ static int entropy_func(void *ctx, unsigned char *buf, size_t len)
 #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
-mbedtls_psa_external_random_context_t drbg_ctx;
+/* Dummy context since we don't use it in the external_rng function */
+char drbg_ctx;
 
 int init_drbg(const unsigned char *p_optional_seed, size_t len)
 {
-	static const unsigned char ncs_seed[] = "ncs_drbg_seed";
-
-	const unsigned char *p_seed;
-
-	if (p_optional_seed == NULL) {
-		p_seed = ncs_seed;
-		len = sizeof(ncs_seed);
-	} else {
-		p_seed = p_optional_seed;
+	if (p_optional_seed != NULL) {
+		return -EINVAL;
 	}
-	int ret = nrf_cc3xx_platform_ctr_drbg_init(
-		(nrf_cc3xx_platform_ctr_drbg_context_t *)&drbg_ctx, p_seed, len);
-	return ret;
+	return 0;
 }
 
 int external_rng(void *ctx, unsigned char *output, size_t len)
 {
 	int out_len;
-	int ret = mbedtls_psa_external_get_random(NULL, output, len, &out_len);
+	int ret = nrf_cc3xx_platform_ctr_drbg_get(NULL, output, len, &out_len);
 	return ret;
 }
diff --git a/tests/crypto/src/common_test.h b/tests/crypto/src/common_test.h
index 0a16f7d3b9e0..0c93c03f946a 100644
--- a/tests/crypto/src/common_test.h
+++ b/tests/crypto/src/common_test.h
@@ -56,7 +56,7 @@ size_t hex2bin_safe(const char *hex, uint8_t *buf, size_t buflen);
 #include "psa/crypto.h"
 #include "nrf_cc3xx_platform_ctr_drbg.h"
-extern mbedtls_psa_external_random_context_t drbg_ctx;
+extern char drbg_ctx;
 #elif defined(MBEDTLS_CTR_DRBG_C)
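Review bot: `out_len` in external_rng is declared `int`, but `&out_len` is passed as the output-length argument of nrf_cc3xx_platform_ctr_drbg_get, which the deleted random_ext.c shows receiving a `size_t *`; that is an incompatible-pointer-type write that only stays harmless while `int` and `size_t` happen to share a size, so declare it `size_t out_len;`. The rewritten call also drops the short-output check the deleted wrapper performed, so a successful return with `out_len != len` would hand a partly unfilled buffer back to the DRBG consumer; add `if (ret == NRF_CC3XX_PLATFORM_SUCCESS && out_len != len) { return -EIO; }` before `return ret;`. init_drbg now rejects any caller-supplied seed with `-EINVAL` where the old code fed it to the DRBG, so any test that passes an explicit seed will fail at setup rather than exercise a seeded DRBG; if that is intended, the `/* Dummy context ... */` comment would be a good place to state that explicit seeding is not supported under MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.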