From 161287572b726c9bb774a58f002bb6c03a60fcb6 Mon Sep 17 00:00:00 2001 From: Georgios Vasilakis Date: Thu, 6 Feb 2025 13:59:43 +0100 Subject: [PATCH] nrf_security: Enable NRF_RNG_ENTROPY_DRIVER for fake entropy The NRF_RNG_ENTROPY_DRIVER provides entropy through the PSA APIs. This is used to seed/reseed the Oberon PSA random drivers (CTR_DRBG/HMAC_DRBG). Before this was only used to allow enabling this PSA driver with the devices which use the DT label 'rng'. We extend that now to allow this driver to be used with the fake entropy node which uses the DT label 'prng'. This is needed to unblock development until real RNG is enabled for all the needed applications/samples. In practice this means that when 'prng' is enabled a device can generate random numbers with the psa_generate_random call. Signed-off-by: Georgios Vasilakis --- .../nrf_security/src/drivers/zephyr/Kconfig | 2 +- .../src/drivers/zephyr/nrf_rng_entropy.c | 20 ++++++++++++++----- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/subsys/nrf_security/src/drivers/zephyr/Kconfig b/subsys/nrf_security/src/drivers/zephyr/Kconfig index 1fa2433bd40e..3fd5e1285846 100644 --- a/subsys/nrf_security/src/drivers/zephyr/Kconfig +++ b/subsys/nrf_security/src/drivers/zephyr/Kconfig @@ -10,6 +10,6 @@ config PSA_NEED_NRF_RNG_ENTROPY_DRIVER # Cannot select entropy-generator without creating a loop to ENTROPY_PSA_CRYPTO_RNG depends on ENTROPY_GENERATOR select PSA_ACCEL_GET_ENTROPY - depends on HAS_HW_NRF_RNG + depends on HAS_HW_NRF_RNG || FAKE_ENTROPY_NRF_PRNG depends on (!PSA_USE_CC3XX_CTR_DRBG_DRIVER && !PSA_USE_CC3XX_HMAC_DRBG_DRIVER) && \ (PSA_USE_CTR_DRBG_DRIVER || PSA_USE_HMAC_DRBG_DRIVER) diff --git a/subsys/nrf_security/src/drivers/zephyr/nrf_rng_entropy.c b/subsys/nrf_security/src/drivers/zephyr/nrf_rng_entropy.c index 717c2a2a7dd9..ac3a972943f9 100644 --- a/subsys/nrf_security/src/drivers/zephyr/nrf_rng_entropy.c +++ b/subsys/nrf_security/src/drivers/zephyr/nrf_rng_entropy.c 
@@ -17,19 +17,29 @@ * It uses a "Zephyr entropy driver" and can therefore only be used in * Zephyr images. * - * Note that it is only the device driver with the DT label 'rng' that - * is supported and that this rng label is only applied for the Zephyr - * driver that uses the HW peripheral NRF_RNG (entropy_nrf5.c). + * This is used for two uses cases, the first use case is when hardware + * crypto/entropy is not yet suported. This enables running software crypto + * with a non cryptographically secure random generator to unblock development + * when the device tree node with the DT label 'prng' is enabled. * - * An intended use-case is for instance nrf52820 which has an NRF_RNG + * The second use case is for instance nrf52820 which has an NRF_RNG * peripheral, but does not have a HW crypto trng like cryptocell. + * In this use case the device driver with the DT label 'rng' + * is supported and this rng label is only applied for the Zephyr + * driver that uses the HW peripheral NRF_RNG (entropy_nrf5.c). * * Note that NRF_RNG produces TRNG, not CSPRNG. */ +#ifdef CONFIG_FAKE_ENTROPY_NRF_PRNG +#define DTS_RNG_NODE_LABEL prng +#else +#define DTS_RNG_NODE_LABEL rng +#endif + psa_status_t nrf_rng_get_entropy(uint32_t flags, size_t *estimate_bits, uint8_t *output, size_t output_size) { - const struct device *dev = DEVICE_DT_GET(DT_NODELABEL(rng)); + const struct device *dev = DEVICE_DT_GET(DT_NODELABEL(DTS_RNG_NODE_LABEL)); uint16_t request_len = MIN(UINT16_MAX, output_size); int err;
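Review bot: In the Kconfig hunk, the new `depends on HAS_HW_NRF_RNG || FAKE_ENTROPY_NRF_PRNG` line lets PSA_NEED_NRF_RNG_ENTROPY_DRIVER be satisfied by the fake entropy node with nothing in this option marking the result as insecure. The commit message says this driver seeds and reseeds the Oberon CTR_DRBG/HMAC_DRBG drivers, so with 'prng' enabled every psa_generate_random output, including any generated keys, derives from a non-cryptographic seed while the PSA API still reports success. Please add a help text to this option stating that the FAKE_ENTROPY_NRF_PRNG path is for development only, and consider a build-time warning when that branch of the dependency is the one in effect, so the configuration cannot reach a release image unnoticed.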
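Review bot: In the nrf_rng_entropy.c hunk, the `#ifdef CONFIG_FAKE_ENTROPY_NRF_PRNG` block picks the 'prng' label whenever that symbol is set, even if HAS_HW_NRF_RNG is also true and an 'rng' node is available, so a build with both enabled would silently take fake entropy over the hardware source. Since the Kconfig dependency is now an OR, both can be set at once; prefer the hardware node when it exists, for example by testing `DT_NODE_HAS_STATUS(DT_NODELABEL(rng), okay)` first and falling back to 'prng' only otherwise. The updated header comment also needs a pass: "two uses cases" and "suported" are typos, and the closing line "Note that NRF_RNG produces TRNG, not CSPRNG" no longer covers the 'prng' path, which the same comment describes as a non cryptographically secure generator.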