Crypto: Use NV SEED as default entropy source
MBEDTLS_TEST_NULL_ENTROPY is removed from mbedtls 3.0.0.
Change to use 'MBEDTLS_ENTROPY_NV_SEED' as the default entropy source
if a platform doesn't generate entropy from hardware.
Change-Id: If03c9dec3c6fb0d7bb98721963ac2142d43ed00d
Signed-off-by: Summer Qin <summer.qin@arm.com>
diff --git a/config/check_config.cmake b/config/check_config.cmake
index a8904ac..97e283c 100644
--- a/config/check_config.cmake
+++ b/config/check_config.cmake
@@ -85,3 +85,7 @@
tfm_invalid_config(TFM_ENABLE_SLIH_TEST AND NOT TFM_PSA_API)
tfm_invalid_config(TFM_ENABLE_FLIH_TEST AND NOT TFM_PSA_API)
tfm_invalid_config(TFM_ENABLE_SLIH_TEST AND TFM_ENABLE_FLIH_TEST)
+
+########################### TF-M crypto ########################################
+
+tfm_invalid_config(PLATFORM_DUMMY_NV_SEED AND CRYPTO_HW_ACCELERATOR)
diff --git a/config/config_default.cmake b/config/config_default.cmake
index f32220e..85ff7d0 100644
--- a/config/config_default.cmake
+++ b/config/config_default.cmake
@@ -94,7 +94,7 @@
set(PLATFORM_DUMMY_ROTPK TRUE CACHE BOOL "Use dummy root of trust public key. Dummy key is the public key for the default keys in bl2. Should not be used in production.")
set(PLATFORM_DUMMY_IAK TRUE CACHE BOOL "Use dummy initial attestation_key. Should not be used in production.")
set(PLATFORM_DEFAULT_UART_STDOUT TRUE CACHE BOOL "Use default uart stdout implementation.")
-set(PLATFORM_DUMMY_NV_SEED FALSE CACHE BOOL "Use dummy NV seed implementation. Should not be used in production.")
+set(PLATFORM_DUMMY_NV_SEED TRUE CACHE BOOL "Use dummy NV seed implementation. Should not be used in production.")
############################ Partitions ########################################
diff --git a/docs/integration_guide/services/tfm_crypto_integration_guide.rst b/docs/integration_guide/services/tfm_crypto_integration_guide.rst
index a124bdf..3baacc0 100644
--- a/docs/integration_guide/services/tfm_crypto_integration_guide.rst
+++ b/docs/integration_guide/services/tfm_crypto_integration_guide.rst
@@ -82,11 +82,9 @@
.. Note::
The default entropy source configured for MbedTLS is
- MBEDTLS_TEST_NULL_ENTROPY and this does not provide randomness
- for production devices. It is required for production devices to select
- either a hardware entropy source via MBEDTLS_ENTROPY_HARDWARE_ALT or
- provision a unique seed for the device during production and use the
- MBEDTLS_ENTROPY_NV_SEED option.
+ MBEDTLS_ENTROPY_NV_SEED with unique seed. For production devices,
+ it can also select a hardware entropy source via
+ MBEDTLS_ENTROPY_HARDWARE_ALT
**************************
Crypto service integration
@@ -115,4 +113,4 @@
--------------
-*Copyright (c) 2018-2020, Arm Limited. All rights reserved.*
+*Copyright (c) 2018-2021, Arm Limited. All rights reserved.*
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h
index b96670d..9febb96 100644
--- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h
@@ -497,23 +497,6 @@
//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT
/**
- * \def MBEDTLS_TEST_NULL_ENTROPY
- *
- * Enables testing and use of mbed TLS without any configured entropy sources.
- * This permits use of the library on platforms before an entropy source has
- * been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the
- * MBEDTLS_ENTROPY_NV_SEED switches).
- *
- * WARNING! This switch MUST be disabled in production builds, and is suitable
- * only for development.
- * Enabling the switch negates any security provided by the library.
- *
- * Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
- *
- */
-#define MBEDTLS_TEST_NULL_ENTROPY
-
-/**
* \def MBEDTLS_ENTROPY_HARDWARE_ALT
*
* Uncomment this macro to let mbed TLS use your own implementation of a
@@ -798,7 +781,7 @@
*
* Uncomment this macro to prevent loading of default entropy functions.
*/
-#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
/**
* \def MBEDTLS_NO_PLATFORM_ENTROPY
@@ -853,7 +836,7 @@
* \note The entropy collector will write to the seed file before entropy is
* given to an external source, to update it.
*/
-//#define MBEDTLS_ENTROPY_NV_SEED
+#define MBEDTLS_ENTROPY_NV_SEED
/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
*
@@ -2030,6 +2013,8 @@
#ifdef CRYPTO_HW_ACCELERATOR
#include "mbedtls_accelerator_config.h"
+#else
+#include "mbedtls_entropy_nv_seed_config.h"
#endif
/* Target and application specific configurations
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h
index d4e1875..d1e57bc 100644
--- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h
@@ -492,23 +492,6 @@
//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT
/**
- * \def MBEDTLS_TEST_NULL_ENTROPY
- *
- * Enables testing and use of mbed TLS without any configured entropy sources.
- * This permits use of the library on platforms before an entropy source has
- * been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the
- * MBEDTLS_ENTROPY_NV_SEED switches).
- *
- * WARNING! This switch MUST be disabled in production builds, and is suitable
- * only for development.
- * Enabling the switch negates any security provided by the library.
- *
- * Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
- *
- */
-#define MBEDTLS_TEST_NULL_ENTROPY
-
-/**
* \def MBEDTLS_ENTROPY_HARDWARE_ALT
*
* Uncomment this macro to let mbed TLS use your own implementation of a
@@ -793,7 +776,7 @@
*
* Uncomment this macro to prevent loading of default entropy functions.
*/
-#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
/**
* \def MBEDTLS_NO_PLATFORM_ENTROPY
@@ -848,7 +831,7 @@
* \note The entropy collector will write to the seed file before entropy is
* given to an external source, to update it.
*/
-//#define MBEDTLS_ENTROPY_NV_SEED
+#define MBEDTLS_ENTROPY_NV_SEED
/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
*
@@ -2025,6 +2008,8 @@
#ifdef CRYPTO_HW_ACCELERATOR
#include "mbedtls_accelerator_config.h"
+#else
+#include "mbedtls_entropy_nv_seed_config.h"
#endif
/* Target and application specific configurations
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h
index dd2d390..7472f60 100644
--- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h
@@ -492,23 +492,6 @@
//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT
/**
- * \def MBEDTLS_TEST_NULL_ENTROPY
- *
- * Enables testing and use of mbed TLS without any configured entropy sources.
- * This permits use of the library on platforms before an entropy source has
- * been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the
- * MBEDTLS_ENTROPY_NV_SEED switches).
- *
- * WARNING! This switch MUST be disabled in production builds, and is suitable
- * only for development.
- * Enabling the switch negates any security provided by the library.
- *
- * Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
- *
- */
-#define MBEDTLS_TEST_NULL_ENTROPY
-
-/**
* \def MBEDTLS_ENTROPY_HARDWARE_ALT
*
* Uncomment this macro to let mbed TLS use your own implementation of a
@@ -793,7 +776,7 @@
*
* Uncomment this macro to prevent loading of default entropy functions.
*/
-#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
/**
* \def MBEDTLS_NO_PLATFORM_ENTROPY
@@ -848,7 +831,7 @@
* \note The entropy collector will write to the seed file before entropy is
* given to an external source, to update it.
*/
-//#define MBEDTLS_ENTROPY_NV_SEED
+#define MBEDTLS_ENTROPY_NV_SEED
/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
*
@@ -2025,6 +2008,8 @@
#ifdef CRYPTO_HW_ACCELERATOR
#include "mbedtls_accelerator_config.h"
+#else
+#include "mbedtls_entropy_nv_seed_config.h"
#endif
/* Target and application specific configurations
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h
index 5b2feaf..d787c65 100644
--- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h
@@ -492,23 +492,6 @@
//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT
/**
- * \def MBEDTLS_TEST_NULL_ENTROPY
- *
- * Enables testing and use of mbed TLS without any configured entropy sources.
- * This permits use of the library on platforms before an entropy source has
- * been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the
- * MBEDTLS_ENTROPY_NV_SEED switches).
- *
- * WARNING! This switch MUST be disabled in production builds, and is suitable
- * only for development.
- * Enabling the switch negates any security provided by the library.
- *
- * Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
- *
- */
-#define MBEDTLS_TEST_NULL_ENTROPY
-
-/**
* \def MBEDTLS_ENTROPY_HARDWARE_ALT
*
* Uncomment this macro to let mbed TLS use your own implementation of a
@@ -793,7 +776,7 @@
*
* Uncomment this macro to prevent loading of default entropy functions.
*/
-#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
/**
* \def MBEDTLS_NO_PLATFORM_ENTROPY
@@ -848,7 +831,7 @@
* \note The entropy collector will write to the seed file before entropy is
* given to an external source, to update it.
*/
-//#define MBEDTLS_ENTROPY_NV_SEED
+#define MBEDTLS_ENTROPY_NV_SEED
/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
*
@@ -2025,6 +2008,8 @@
#ifdef CRYPTO_HW_ACCELERATOR
#include "mbedtls_accelerator_config.h"
+#else
+#include "mbedtls_entropy_nv_seed_config.h"
#endif
/* Target and application specific configurations
diff --git a/platform/CMakeLists.txt b/platform/CMakeLists.txt
index 30f0df0..e9e248f 100755
--- a/platform/CMakeLists.txt
+++ b/platform/CMakeLists.txt
@@ -160,3 +160,20 @@
$<$<BOOL:${FORWARD_PROT_MSG}>:FORWARD_PROT_MSG=${FORWARD_PROT_MSG}>
$<$<BOOL:${TFM_CODE_SHARING}>:CODE_SHARING>
)
+
+#========================= Crypto =============================================#
+target_sources(tfm_psa_rot_partition_crypto
+ PRIVATE
+ $<$<BOOL:${PLATFORM_DUMMY_NV_SEED}>:${CMAKE_SOURCE_DIR}/platform/ext/common/template/crypto_nv_seed.c>
+ $<$<BOOL:${PLATFORM_DUMMY_NV_SEED}>:${CMAKE_SOURCE_DIR}/platform/ext/common/template/crypto_dummy_nv_seed.c>
+)
+
+target_compile_definitions(tfm_psa_rot_partition_crypto
+ PRIVATE
+ $<$<BOOL:${PLATFORM_DUMMY_NV_SEED}>:PLATFORM_DUMMY_NV_SEED>
+)
+
+target_include_directories(crypto_service_mbedcrypto
+ PUBLIC
+ $<$<BOOL:${PLATFORM_DUMMY_NV_SEED}>:${CMAKE_SOURCE_DIR}/platform/include>
+)
diff --git a/platform/ext/accelerator/cc312/mbedtls_accelerator_config.h b/platform/ext/accelerator/cc312/mbedtls_accelerator_config.h
index fc7f00d..beffcab 100644
--- a/platform/ext/accelerator/cc312/mbedtls_accelerator_config.h
+++ b/platform/ext/accelerator/cc312/mbedtls_accelerator_config.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -13,7 +13,7 @@
#endif /* __cplusplus */
/* RNG Config */
-#undef MBEDTLS_TEST_NULL_ENTROPY
+#undef MBEDTLS_ENTROPY_NV_SEED
#undef MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
#define MBEDTLS_PLATFORM_ENTROPY
diff --git a/platform/ext/common/template/crypto_dummy_nv_seed.c b/platform/ext/common/template/crypto_dummy_nv_seed.c
index cb21fc7..fd6c2c7 100644
--- a/platform/ext/common/template/crypto_dummy_nv_seed.c
+++ b/platform/ext/common/template/crypto_dummy_nv_seed.c
@@ -11,6 +11,7 @@
/* NOTE: The seed value here is only an example, please do not use it in
* production. Platform vendor should implement their own seed value.
*/
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
const unsigned char seed_value[MBEDTLS_ENTROPY_BLOCK_SIZE] = {
0x12, 0x13, 0x23, 0x34, 0x0a, 0x05, 0x89, 0x78,
0xa3, 0x66, 0x8c, 0x0d, 0x97, 0x55, 0x53, 0xca,
@@ -21,6 +22,14 @@
0x58, 0xb4, 0x16, 0xc8, 0x0f, 0x38, 0x91, 0xbb,
0x28, 0x17, 0xcd, 0x8a, 0xc9, 0x53, 0x72, 0x66,
};
+#else
+const unsigned char seed_value[MBEDTLS_ENTROPY_BLOCK_SIZE] = {
+ 0x12, 0x13, 0x23, 0x34, 0x0a, 0x05, 0x89, 0x78,
+ 0xa3, 0x66, 0x8c, 0x0d, 0x97, 0x55, 0x53, 0xca,
+ 0xb5, 0x76, 0x18, 0x62, 0x29, 0xc6, 0xb6, 0x79,
+ 0x75, 0xc8, 0x5a, 0x8d, 0x9e, 0x11, 0x8f, 0x85,
+};
+#endif
int tfm_plat_crypto_create_entropy_seed(void)
{
diff --git a/platform/ext/common/template/crypto_nv_seed.c b/platform/ext/common/template/crypto_nv_seed.c
index c868d95..90e3d0a 100644
--- a/platform/ext/common/template/crypto_nv_seed.c
+++ b/platform/ext/common/template/crypto_nv_seed.c
@@ -9,8 +9,33 @@
#include "tfm_plat_crypto_nv_seed.h"
#include "psa/internal_trusted_storage.h"
+#ifndef TFM_PSA_API
+#include "mbedtls/entropy.h"
+
+static unsigned char seed_buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+
+/*
+ \brief Copy the seed to the destination buffer
+
+ \param[out] p_dst Pointer to buffer where to store the seed
+ \param[in] p_src Pointer to the seed
+ \param[in] size Length of the seed
+*/
+static inline void copy_seed(uint8_t *p_dst, const uint8_t *p_src, size_t size)
+{
+ uint32_t i;
+
+ for (i = size; i > 0; i--) {
+ *p_dst = *p_src;
+ p_src++;
+ p_dst++;
+ }
+}
+#endif
+
int tfm_plat_crypto_nv_seed_read(unsigned char *buf, size_t buf_len)
{
+#ifdef TFM_PSA_API
psa_storage_uid_t uid = NV_SEED_FILE_ID;
psa_status_t status;
size_t data_length = 0;
@@ -22,10 +47,19 @@
} else {
return TFM_CRYPTO_NV_SEED_FAILED;
}
+#else
+ if (buf_len != MBEDTLS_ENTROPY_BLOCK_SIZE) {
+ return TFM_CRYPTO_NV_SEED_FAILED;
+ } else {
+ copy_seed(buf, seed_buf, buf_len);
+ return TFM_CRYPTO_NV_SEED_SUCCESS;
+ }
+#endif
}
int tfm_plat_crypto_nv_seed_write(const unsigned char *buf, size_t buf_len)
{
+#ifdef TFM_PSA_API
psa_storage_uid_t uid = NV_SEED_FILE_ID;
psa_status_t status;
@@ -36,4 +70,12 @@
} else {
return TFM_CRYPTO_NV_SEED_FAILED;
}
+#else
+ if (buf_len != MBEDTLS_ENTROPY_BLOCK_SIZE) {
+ return TFM_CRYPTO_NV_SEED_FAILED;
+ } else {
+ copy_seed(seed_buf, buf, buf_len);
+ return TFM_CRYPTO_NV_SEED_SUCCESS;
+ }
+#endif
}
diff --git a/platform/ext/target/arm/mps2/an521/CMakeLists.txt b/platform/ext/target/arm/mps2/an521/CMakeLists.txt
index cdd0e51..c6e0e6f 100644
--- a/platform/ext/target/arm/mps2/an521/CMakeLists.txt
+++ b/platform/ext/target/arm/mps2/an521/CMakeLists.txt
@@ -174,21 +174,3 @@
native_drivers
)
endif()
-
-#========================= Crypto =============================================#
-
-target_sources(tfm_psa_rot_partition_crypto
- PRIVATE
- $<$<BOOL:${TFM_PSA_API}>:${CMAKE_SOURCE_DIR}/platform/ext/common/template/crypto_nv_seed.c>
- $<$<AND:$<BOOL:${TFM_PSA_API}>,$<BOOL:${PLATFORM_DUMMY_NV_SEED}>>:${CMAKE_SOURCE_DIR}/platform/ext/common/template/crypto_dummy_nv_seed.c>
-)
-
-target_compile_definitions(tfm_psa_rot_partition_crypto
- PRIVATE
- $<$<AND:$<BOOL:${TFM_PSA_API}>,$<BOOL:${PLATFORM_DUMMY_NV_SEED}>>:PLATFORM_DUMMY_NV_SEED>
-)
-
-target_include_directories(crypto_service_mbedcrypto
- PUBLIC
- ${CMAKE_SOURCE_DIR}/platform/include
-)
diff --git a/platform/ext/target/arm/mps2/an521/config.cmake b/platform/ext/target/arm/mps2/an521/config.cmake
index b0dbc04..4e15cf4 100644
--- a/platform/ext/target/arm/mps2/an521/config.cmake
+++ b/platform/ext/target/arm/mps2/an521/config.cmake
@@ -8,6 +8,8 @@
set(TFM_EXTRA_GENERATED_FILE_LIST_PATH ${CMAKE_CURRENT_SOURCE_DIR}/platform/ext/target/arm/mps2/an521/generated_file_list.yaml CACHE PATH "Path to extra generated file list. Appended to stardard TFM generated file list." FORCE)
if(TFM_PSA_API)
- set(TFM_MBEDCRYPTO_PLATFORM_EXTRA_CONFIG_PATH ${CMAKE_CURRENT_LIST_DIR}/mbedtls_an521_conf.h CACHE FILEPATH "Config to append to standard Mbed Crypto config, used by platforms to configure feature support")
- set(PLATFORM_DUMMY_NV_SEED TRUE CACHE BOOL "Use dummy NV seed implementation. Should not be used in production.")
+ if (NOT TFM_ENABLE_SLIH_TEST)
+ # FLIH and SLIH testing can not be enabled at the same time
+ set(TFM_ENABLE_FLIH_TEST ON CACHE BOOL "Enable FLIH testing")
+ endif()
endif()
diff --git a/platform/ext/target/arm/musca_b1/secure_enclave/config.cmake b/platform/ext/target/arm/musca_b1/secure_enclave/config.cmake
index 34c3058..040daa4 100644
--- a/platform/ext/target/arm/musca_b1/secure_enclave/config.cmake
+++ b/platform/ext/target/arm/musca_b1/secure_enclave/config.cmake
@@ -23,5 +23,6 @@
# Crypto hardware accelerator is turned on by default
set(CRYPTO_HW_ACCELERATOR ON CACHE BOOL "Whether to enable the crypto hardware accelerator on supported platforms")
+set(PLATFORM_DUMMY_NV_SEED FALSE CACHE BOOL "Use dummy NV seed implementation. Should not be used in production.")
set(PSA_API_TEST_TARGET "musca_b1" CACHE STRING "Target to use when building the PSA API tests")
diff --git a/platform/ext/target/arm/musca_b1/sse_200/config.cmake b/platform/ext/target/arm/musca_b1/sse_200/config.cmake
index 15dc300..86c5c5c 100644
--- a/platform/ext/target/arm/musca_b1/sse_200/config.cmake
+++ b/platform/ext/target/arm/musca_b1/sse_200/config.cmake
@@ -11,6 +11,7 @@
if (NOT FORWARD_PROT_MSG)
set(CRYPTO_HW_ACCELERATOR ON CACHE BOOL "Whether to enable the crypto hardware accelerator on supported platforms")
+ set(PLATFORM_DUMMY_NV_SEED FALSE CACHE BOOL "Use dummy NV seed implementation. Should not be used in production.")
if(CRYPTO_HW_ACCELERATOR_OTP_STATE STREQUAL "ENABLED")
set(PLATFORM_DUMMY_CRYPTO_KEYS FALSE CACHE BOOL "Use dummy crypto keys. Should not be used in production.")
# Musca-B1 with OTP enabled is provisioned with a random Initial
diff --git a/platform/ext/target/arm/musca_s1/config.cmake b/platform/ext/target/arm/musca_s1/config.cmake
index 443f9ce..523264b 100644
--- a/platform/ext/target/arm/musca_s1/config.cmake
+++ b/platform/ext/target/arm/musca_s1/config.cmake
@@ -6,6 +6,7 @@
#-------------------------------------------------------------------------------
set(CRYPTO_HW_ACCELERATOR ON CACHE BOOL "Whether to enable the crypto hardware accelerator on supported platforms")
+set(PLATFORM_DUMMY_NV_SEED FALSE CACHE BOOL "Use dummy NV seed implementation. Should not be used in production.")
set(TFM_CRYPTO_TEST_ALG_CFB OFF CACHE BOOL "Test CFB cryptography mode")
if(CRYPTO_HW_ACCELERATOR_OTP_STATE STREQUAL "ENABLED")
diff --git a/platform/ext/target/stm/nucleo_l552ze_q/accelerator/mbedtls_accelerator_config.h b/platform/ext/target/stm/nucleo_l552ze_q/accelerator/mbedtls_accelerator_config.h
index fe13fc6..97c8e2b 100644
--- a/platform/ext/target/stm/nucleo_l552ze_q/accelerator/mbedtls_accelerator_config.h
+++ b/platform/ext/target/stm/nucleo_l552ze_q/accelerator/mbedtls_accelerator_config.h
@@ -15,7 +15,7 @@
/* RNG Config */
-#undef MBEDTLS_TEST_NULL_ENTROPY
+#undef MBEDTLS_ENTROPY_NV_SEED
#undef MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
#define MBEDTLS_PLATFORM_ENTROPY
#define MBEDTLS_ENTROPY_C
diff --git a/platform/ext/target/stm/nucleo_l552ze_q/config.cmake b/platform/ext/target/stm/nucleo_l552ze_q/config.cmake
index 74c5a80..a1158ce 100644
--- a/platform/ext/target/stm/nucleo_l552ze_q/config.cmake
+++ b/platform/ext/target/stm/nucleo_l552ze_q/config.cmake
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2020, Arm Limited. All rights reserved.
+# Copyright (c) 2020-2021, Arm Limited. All rights reserved.
# Copyright (c) 2021 STMicroelectronics. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
@@ -12,4 +12,5 @@
################################## Dependencies ################################
set(CRYPTO_HW_ACCELERATOR ON CACHE BOOL "Whether to enable the crypto hardware accelerator on supported platforms")
+set(PLATFORM_DUMMY_NV_SEED FALSE CACHE BOOL "Use dummy NV seed implementation. Should not be used in production.")
set(MBEDCRYPTO_BUILD_TYPE minsizerel CACHE STRING "Build type of Mbed Crypto library")
diff --git a/platform/ext/target/stm/stm32l562e_dk/accelerator/mbedtls_accelerator_config.h b/platform/ext/target/stm/stm32l562e_dk/accelerator/mbedtls_accelerator_config.h
index c93f90a..58d5c8a 100644
--- a/platform/ext/target/stm/stm32l562e_dk/accelerator/mbedtls_accelerator_config.h
+++ b/platform/ext/target/stm/stm32l562e_dk/accelerator/mbedtls_accelerator_config.h
@@ -15,7 +15,7 @@
/* RNG Config */
-#undef MBEDTLS_TEST_NULL_ENTROPY
+#undef MBEDTLS_ENTROPY_NV_SEED
#undef MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
#undef MBEDTLS_ECP_NIST_OPTIM
#define MBEDTLS_PLATFORM_ENTROPY
diff --git a/platform/ext/target/stm/stm32l562e_dk/config.cmake b/platform/ext/target/stm/stm32l562e_dk/config.cmake
index 1f43c21..5e98476 100644
--- a/platform/ext/target/stm/stm32l562e_dk/config.cmake
+++ b/platform/ext/target/stm/stm32l562e_dk/config.cmake
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2020, Arm Limited. All rights reserved.
+# Copyright (c) 2020-2021, Arm Limited. All rights reserved.
# Copyright (c) 2021 STMicroelectronics. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
@@ -12,5 +12,6 @@
################################## Dependencies ################################
set(CRYPTO_HW_ACCELERATOR ON CACHE BOOL "Whether to enable the crypto hardware accelerator on supported platforms")
+set(PLATFORM_DUMMY_NV_SEED FALSE CACHE BOOL "Use dummy NV seed implementation. Should not be used in production.")
set(MBEDCRYPTO_BUILD_TYPE minsizerel CACHE STRING "Build type of Mbed Crypto library")
-set(TFM_EXTRA_GENERATED_FILE_LIST_PATH ${CMAKE_CURRENT_SOURCE_DIR}/platform/ext/target/stm/common/generated_file_list.yaml CACHE PATH "Path to extra generated file list. Appended to stardard TFM generated file list." FORCE)
\ No newline at end of file
+set(TFM_EXTRA_GENERATED_FILE_LIST_PATH ${CMAKE_CURRENT_SOURCE_DIR}/platform/ext/target/stm/common/generated_file_list.yaml CACHE PATH "Path to extra generated file list. Appended to stardard TFM generated file list." FORCE)
diff --git a/platform/ext/target/arm/mps2/an521/mbedtls_an521_conf.h b/platform/include/mbedtls_entropy_nv_seed_config.h
similarity index 81%
rename from platform/ext/target/arm/mps2/an521/mbedtls_an521_conf.h
rename to platform/include/mbedtls_entropy_nv_seed_config.h
index ba37aff..1ea442b 100644
--- a/platform/ext/target/arm/mps2/an521/mbedtls_an521_conf.h
+++ b/platform/include/mbedtls_entropy_nv_seed_config.h
@@ -4,8 +4,8 @@
* SPDX-License-Identifier: BSD-3-Clause
*
*/
-#ifndef __MBEDTLS_AN521_CONF_H__
-#define __MBEDTLS_AN521_CONF_H__
+#ifndef __MBEDTLS_ENTROPY_NV_SEED_CONF_H__
+#define __MBEDTLS_ENTROPY_NV_SEED_CONF_H__
#include "tfm_plat_crypto_nv_seed.h"
@@ -13,7 +13,6 @@
extern "C" {
#endif /* __cplusplus */
-#undef MBEDTLS_TEST_NULL_ENTROPY
#undef MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
#undef MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
@@ -29,4 +28,4 @@
}
#endif /* __cplusplus */
-#endif /* __MBEDTLS_AN521_CONF_H__ */
+#endif /* __MBEDTLS_ENTROPY_NV_SEED_CONF_H__ */
diff --git a/secure_fw/partitions/crypto/crypto_init.c b/secure_fw/partitions/crypto/crypto_init.c
index bcb336e..6dd7bf2 100644
--- a/secure_fw/partitions/crypto/crypto_init.c
+++ b/secure_fw/partitions/crypto/crypto_init.c
@@ -276,12 +276,8 @@
static psa_status_t tfm_crypto_engine_init(void)
{
- /* Log unsafe entropy source */
-#if defined (MBEDTLS_TEST_NULL_ENTROPY)
- LOG_INFFMT("\033[1;34m[Crypto] MBEDTLS_TEST_NULL_ENTROPY is not suitable for production!\033[0m\r\n");
-#endif
-
#ifdef PLATFORM_DUMMY_NV_SEED
+ LOG_INFFMT("\033[1;34m[Crypto] Dummy Entropy NV Seed is not suitable for production!\033[0m\r\n");
if (tfm_plat_crypto_create_entropy_seed() != TFM_CRYPTO_NV_SEED_SUCCESS) {
return PSA_ERROR_GENERIC_ERROR;
}