diff options
author | Summer Qin <summer.qin@arm.com> | 2021-07-12 18:57:57 +0800 |
---|---|---|
committer | Ken Liu <ken.liu@arm.com> | 2021-07-21 09:26:05 +0200 |
commit | 9347dc7fa2b46d55061778362173f4687c2238f9 (patch) | |
tree | 5942ead2d91b1dc6c3c998b41fd9d9c13099bbf3 /lib | |
parent | 8c9efa78922916d90ecdacc7370e2369e84a93b4 (diff) | |
download | trusted-firmware-m-9347dc7fa2b46d55061778362173f4687c2238f9.tar.gz |
Crypto: Use NV SEED as default entropy source
MBEDTLS_TEST_NULL_ENTROPY is removed from mbedtls 3.0.0.
Change to use 'MBEDTLS_ENTROPY_NV_SEED' as the default entropy source
if a platform doesn't generate entropy from hardware.
Change-Id: If03c9dec3c6fb0d7bb98721963ac2142d43ed00d
Signed-off-by: Summer Qin <summer.qin@arm.com>
Diffstat (limited to 'lib')
4 files changed, 16 insertions, 76 deletions
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h index b96670de76..9febb96649 100644 --- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h +++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h @@ -497,23 +497,6 @@ //#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT /** - * \def MBEDTLS_TEST_NULL_ENTROPY - * - * Enables testing and use of mbed TLS without any configured entropy sources. - * This permits use of the library on platforms before an entropy source has - * been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the - * MBEDTLS_ENTROPY_NV_SEED switches). - * - * WARNING! This switch MUST be disabled in production builds, and is suitable - * only for development. - * Enabling the switch negates any security provided by the library. - * - * Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES - * - */ -#define MBEDTLS_TEST_NULL_ENTROPY - -/** * \def MBEDTLS_ENTROPY_HARDWARE_ALT * * Uncomment this macro to let mbed TLS use your own implementation of a @@ -798,7 +781,7 @@ * * Uncomment this macro to prevent loading of default entropy functions. */ -#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES +//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES /** * \def MBEDTLS_NO_PLATFORM_ENTROPY @@ -853,7 +836,7 @@ * \note The entropy collector will write to the seed file before entropy is * given to an external source, to update it. */ -//#define MBEDTLS_ENTROPY_NV_SEED +#define MBEDTLS_ENTROPY_NV_SEED /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER * @@ -2030,6 +2013,8 @@ #ifdef CRYPTO_HW_ACCELERATOR #include "mbedtls_accelerator_config.h" +#else +#include "mbedtls_entropy_nv_seed_config.h" #endif /* Target and application specific configurations diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h index d4e187597b..d1e57bc0fe 100644 --- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h +++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h @@ -492,23 +492,6 @@ //#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT /** - * \def MBEDTLS_TEST_NULL_ENTROPY - * - * Enables testing and use of mbed TLS without any configured entropy sources. - * This permits use of the library on platforms before an entropy source has - * been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the - * MBEDTLS_ENTROPY_NV_SEED switches). - * - * WARNING! This switch MUST be disabled in production builds, and is suitable - * only for development. - * Enabling the switch negates any security provided by the library. - * - * Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES - * - */ -#define MBEDTLS_TEST_NULL_ENTROPY - -/** * \def MBEDTLS_ENTROPY_HARDWARE_ALT * * Uncomment this macro to let mbed TLS use your own implementation of a @@ -793,7 +776,7 @@ * * Uncomment this macro to prevent loading of default entropy functions. */ -#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES +//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES /** * \def MBEDTLS_NO_PLATFORM_ENTROPY @@ -848,7 +831,7 @@ * \note The entropy collector will write to the seed file before entropy is * given to an external source, to update it. */ -//#define MBEDTLS_ENTROPY_NV_SEED +#define MBEDTLS_ENTROPY_NV_SEED /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER * @@ -2025,6 +2008,8 @@ #ifdef CRYPTO_HW_ACCELERATOR #include "mbedtls_accelerator_config.h" +#else +#include "mbedtls_entropy_nv_seed_config.h" #endif /* Target and application specific configurations diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h index dd2d390615..7472f600a8 100644 --- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h +++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h @@ -492,23 +492,6 @@ //#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT /** - * \def MBEDTLS_TEST_NULL_ENTROPY - * - * Enables testing and use of mbed TLS without any configured entropy sources. - * This permits use of the library on platforms before an entropy source has - * been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the - * MBEDTLS_ENTROPY_NV_SEED switches). - * - * WARNING! This switch MUST be disabled in production builds, and is suitable - * only for development. - * Enabling the switch negates any security provided by the library. - * - * Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES - * - */ -#define MBEDTLS_TEST_NULL_ENTROPY - -/** * \def MBEDTLS_ENTROPY_HARDWARE_ALT * * Uncomment this macro to let mbed TLS use your own implementation of a @@ -793,7 +776,7 @@ * * Uncomment this macro to prevent loading of default entropy functions. */ -#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES +//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES /** * \def MBEDTLS_NO_PLATFORM_ENTROPY @@ -848,7 +831,7 @@ * \note The entropy collector will write to the seed file before entropy is * given to an external source, to update it. */ -//#define MBEDTLS_ENTROPY_NV_SEED +#define MBEDTLS_ENTROPY_NV_SEED /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER * @@ -2025,6 +2008,8 @@ #ifdef CRYPTO_HW_ACCELERATOR #include "mbedtls_accelerator_config.h" +#else +#include "mbedtls_entropy_nv_seed_config.h" #endif /* Target and application specific configurations diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h index 5b2feaf726..d787c65337 100644 --- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h +++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h @@ -492,23 +492,6 @@ //#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT /** - * \def MBEDTLS_TEST_NULL_ENTROPY - * - * Enables testing and use of mbed TLS without any configured entropy sources. - * This permits use of the library on platforms before an entropy source has - * been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the - * MBEDTLS_ENTROPY_NV_SEED switches). - * - * WARNING! This switch MUST be disabled in production builds, and is suitable - * only for development. - * Enabling the switch negates any security provided by the library. - * - * Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES - * - */ -#define MBEDTLS_TEST_NULL_ENTROPY - -/** * \def MBEDTLS_ENTROPY_HARDWARE_ALT * * Uncomment this macro to let mbed TLS use your own implementation of a @@ -793,7 +776,7 @@ * * Uncomment this macro to prevent loading of default entropy functions. */ -#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES +//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES /** * \def MBEDTLS_NO_PLATFORM_ENTROPY @@ -848,7 +831,7 @@ * \note The entropy collector will write to the seed file before entropy is * given to an external source, to update it. */ -//#define MBEDTLS_ENTROPY_NV_SEED +#define MBEDTLS_ENTROPY_NV_SEED /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER * @@ -2025,6 +2008,8 @@ #ifdef CRYPTO_HW_ACCELERATOR #include "mbedtls_accelerator_config.h" +#else +#include "mbedtls_entropy_nv_seed_config.h" #endif /* Target and application specific configurations |