nrfconnect · nordicjm · Jul 13, 2023 · Jul 7, 2023 · Jul 11, 2023
@@ -146,10 +146,6 @@ config OPENTHREAD_PING_SENDER
 	bool
 	default y
 
-config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
-	bool
-	default n
-
 if !OPENTHREAD_THREAD_VERSION_1_1
 
 # Thread 1.2 dependencies

@@ -33,9 +33,6 @@ if(CONFIG_BUILD_WITH_TFM)
   # NS-build: PSA APIs are already compiled in TF-M image
   set(COMPILE_PSA_APIS                          False)
 
-  # Disable external RNG build as it is part of TF-M image
-  set(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG    False)
-
   # Execute Cmake logic to forward configurations to TF-M build
   include(${NRF_SECURITY_ROOT}/cmake/config_to_tf-m.cmake)
 

@@ -347,12 +347,7 @@ config MBEDTLS_HMAC_DRBG_C
 
 config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
 	bool
-	prompt "External RNG"
-	default y if CRYPTOCELL_USABLE
-	help
-	  Convenience layer for handling entropy before it is fully supported in
-	  PSA Crypto APIs and drivers. This is set by default for legacy and PSA
-	  modes.
+	default y
 
 config MBEDTLS_ENTROPY_C
 	bool

@@ -29,7 +29,7 @@ config PSA_WANT_ALG_HMAC_DRBG
 
 config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
 	bool
-	default y if CRYPTOCELL_USABLE
+	default y
 
 rsource "src/core/Kconfig"
 

@@ -71,13 +71,6 @@ if (COMPILE_PSA_APIS)
   )
 endif()
 
-# Add PSA RNG API for the entropy driver
-if(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG AND NOT CONFIG_BUILD_WITH_TFM)
-  list(APPEND src_crypto
-    random_ext.c
-  )
-endif()
-
 append_with_prefix(src_crypto ${ARM_MBEDTLS_PATH}/library
   pem.c
   pkcs12.c

@@ -106,6 +106,7 @@ config PSA_CRYPTO_DRIVER_ALG_PRNG_OBERON
 	bool
 	default y
 	depends on !PSA_CRYPTO_DRIVER_ALG_PRNG_CC3XX_PLATFORM
+	depends on !BUILD_WITH_TFM
 	depends on PSA_WANT_GENERATE_RANDOM
 
 config PSA_CRYPTO_DRIVER_ALG_CTR_DRBG_OBERON

@@ -53,7 +53,7 @@ append_with_prefix(src_crypto_legacy ${ARM_MBEDTLS_PATH}/library
 endif()
 
 # Legacy files should only be added in certain configurations
-if(NOT (MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG OR CONFIG_MBEDTLS_PSA_CRYPTO_SPM))
+if(NOT CONFIG_MBEDTLS_PSA_CRYPTO_SPM)
   append_with_prefix(src_crypto_legacy ${ARM_MBEDTLS_PATH}/library
     ctr_drbg.c
     entropy.c

@@ -53,9 +53,6 @@ set(CONFIG_MBEDTLS_LEGACY_CRYPTO_C                  False)
 set(CONFIG_MBEDTLS_NO_PLATFORM_ENTROPY              False)
 set(CONFIG_MBEDTLS_MD_C                             False)
 
-# Additional setting ensuring that external RNG is enabled inside TF-M image
-set(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG          True)
-
 # Platform cannot be selected when building for TF-M, because TF-M itself has
 # control of the CryptoCell. Therefore, specifically for building TF-M we
 # enable it manually.

@@ -39,112 +39,20 @@ const size_t test_vector_name_offset[] = {
 	offsetof(test_vector_ecjpake_t, p_test_vector_name),
 };
 
-#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
-static int entropy_func(void *ctx, unsigned char *buf, size_t len)
-{
-	return entropy_get_entropy(ctx, buf, len);
-}
-#endif
-
-#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
-
-mbedtls_psa_external_random_context_t drbg_ctx;
-
-int init_drbg(const unsigned char *p_optional_seed, size_t len)
-{
-	static const unsigned char ncs_seed[] = "ncs_drbg_seed";
-
-	const unsigned char *p_seed;
-
-	if (p_optional_seed == NULL) {
-		p_seed = ncs_seed;
-		len = sizeof(ncs_seed);
-	} else {
-		p_seed = p_optional_seed;
-	}
-
-	int ret = nrf_cc3xx_platform_ctr_drbg_init(
-		(nrf_cc3xx_platform_ctr_drbg_context_t *)&drbg_ctx, p_seed, len);
-	return ret;
-}
+/* Dummy context since we don't use it in the external_rng function */
+char drbg_ctx;
 
 int external_rng(void *ctx, unsigned char *output, size_t len)
 {
+	/* No context is required for the nrf_cc3xx_platform library */
+	(void) ctx;
 	int out_len;
-	int ret = mbedtls_psa_external_get_random(NULL, output, len, &out_len);
+	int ret = nrf_cc3xx_platform_ctr_drbg_get(NULL, output, len, &out_len);
 	return ret;
 }
 
 int (*drbg_random)(void *, unsigned char *, size_t) = &external_rng;
 
-#elif defined(MBEDTLS_CTR_DRBG_C)
-mbedtls_ctr_drbg_context drbg_ctx;
-int (*drbg_random)(void *, unsigned char *, size_t) = &mbedtls_ctr_drbg_random;
-
-int init_drbg(const unsigned char *p_optional_seed, size_t len)
-{
-	static const unsigned char ncs_seed[] = "ncs_drbg_seed";
-
-	const unsigned char *p_seed;
-
-	if (p_optional_seed == NULL) {
-		p_seed = ncs_seed;
-		len = sizeof(ncs_seed);
-	} else {
-		p_seed = p_optional_seed;
-	}
-
-	const struct device *p_device = DEVICE_DT_GET(DT_CHOSEN(zephyr_entropy));
-
-	if (!device_is_ready(p_device)) {
-		return -ENODEV;
-	}
-
-	// Ensure previously run test is properly deallocated
-	// (This frees the mutex inside ctr_drbg context)
-	mbedtls_ctr_drbg_free(&drbg_ctx);
-	mbedtls_ctr_drbg_init(&drbg_ctx);
-	return mbedtls_ctr_drbg_seed(&drbg_ctx, entropy_func, (void *)p_device,
-				     p_seed, len);
-}
-#elif defined(MBEDTLS_HMAC_DRBG_C)
-
-mbedtls_hmac_drbg_context drbg_ctx;
-int (*drbg_random)(void *, unsigned char *, size_t) = &mbedtls_hmac_drbg_random;
-
-int init_drbg(const unsigned char *p_optional_seed, size_t len)
-{
-	static const unsigned char ncs_seed[] = "ncs_drbg_seed";
-
-	const unsigned char *p_seed;
-
-	if (p_optional_seed == NULL) {
-		p_seed = ncs_seed;
-		len = sizeof(ncs_seed);
-	} else {
-		p_seed = p_optional_seed;
-	}
-
-	// Ensure previously run test is properly deallocated
-	// (This frees the mutex inside hmac_drbg context)
-	mbedtls_hmac_drbg_free(&drbg_ctx);
-	mbedtls_hmac_drbg_init(&drbg_ctx);
-
-	const struct device *p_device = DEVICE_DT_GET(DT_CHOSEN(zephyr_entropy));
-
-	if (!device_is_ready(p_device)) {
-		return -ENODEV;
-	}
-
-	const mbedtls_md_info_t *p_info =
-		mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
-
-	return mbedtls_hmac_drbg_seed(&drbg_ctx, p_info, entropy_func,
-		(void *)p_device, p_seed, len);
-}
-
-#endif
-
 const char *get_vector_name(const test_case_t *tc, uint32_t v)
 {
 	uint32_t tv_offset = test_vector_sizes[tc->vector_type] * v;

@@ -52,26 +52,12 @@ int init_drbg(const unsigned char *p_optional_seed, size_t len);
 size_t hex2bin_safe(const char *hex, uint8_t *buf, size_t buflen);
 
 #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
-
 #include "psa/crypto.h"
 #include "nrf_cc3xx_platform_ctr_drbg.h"
+extern char drbg_ctx;
 
-extern mbedtls_psa_external_random_context_t drbg_ctx;
-
-#elif defined(MBEDTLS_CTR_DRBG_C)
-
-#include <mbedtls/ctr_drbg.h>
-
-/* This context will be populated by init_drbg.
- * If the initialization is successful it can be used in subsequent calls to
- * mbedtls drbg APIs.
- */
-extern mbedtls_ctr_drbg_context drbg_ctx;
-
-#elif defined(MBEDTLS_HMAC_DRBG_C)
-
-#include <mbedtls/hmac_drbg.h>
-extern mbedtls_hmac_drbg_context drbg_ctx;
+#else
+#error "No RNG is enabled, MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG needs to be defined in nrf-config.h"
 
 #endif