Merge pull request #10393 from ronald-cron-arm/entropy-rng-clean-up

Cleanup following the simplification of entropy and RNG options

configs/crypto-config-ccm-psk-tls1_2.h

@@ -30,7 +30,6 @@
 /* Other MBEDTLS_HAVE_XXX flags irrelevant for this configuration */
 
 #define MBEDTLS_CTR_DRBG_C
-#define MBEDTLS_ENTROPY_C
 #define MBEDTLS_PSA_BUILTIN_GET_ENTROPY
 
 /* Save RAM at the expense of ROM */

configs/crypto-config-suite-b.h

@@ -48,7 +48,6 @@
 #define MBEDTLS_ASN1_PARSE_C
 #define MBEDTLS_ASN1_WRITE_C
 #define MBEDTLS_CTR_DRBG_C
-#define MBEDTLS_ENTROPY_C
 #define MBEDTLS_PK_C
 #define MBEDTLS_PK_PARSE_C
 #define MBEDTLS_PSA_BUILTIN_GET_ENTROPY

configs/crypto-config-thread.h

@@ -55,7 +55,6 @@
 #define MBEDTLS_ASN1_PARSE_C
 #define MBEDTLS_ASN1_WRITE_C
 #define MBEDTLS_CTR_DRBG_C
-#define MBEDTLS_ENTROPY_C
 #define MBEDTLS_HMAC_DRBG_C
 #define MBEDTLS_MD_C
 #define MBEDTLS_PK_C

programs/test/selftest.c

@@ -210,7 +210,7 @@ static int run_test_snprintf(void)
  * back.
  */
 #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_ENTROPY_C)
-#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PLATFORM_GET_ENTROPY_ALT)
+#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PSA_DRIVER_GET_ENTROPY)
 static void dummy_entropy(unsigned char *output, size_t output_size)
 {
     srand(1);
@@ -239,7 +239,7 @@ static void create_entropy_seed_file(void)
 
 static int mbedtls_entropy_self_test_wrapper(int verbose)
 {
-#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PLATFORM_GET_ENTROPY_ALT)
+#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PSA_DRIVER_GET_ENTROPY)
     create_entropy_seed_file();
 #endif
     return mbedtls_entropy_self_test(verbose);

scripts/config.py

@@ -85,7 +85,6 @@ EXCLUDE_FROM_FULL = frozenset([
     'MBEDTLS_MEMORY_BUFFER_ALLOC_C', # makes sanitizers (e.g. ASan) less effective
     'MBEDTLS_MEMORY_DEBUG', # depends on MEMORY_BUFFER_ALLOC_C
     'MBEDTLS_NO_64BIT_MULTIPLICATION', # influences anything that uses bignum
-    'MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES', # removes a feature
     'MBEDTLS_NO_UDBL_DIVISION', # influences anything that uses bignum
     'MBEDTLS_PSA_DRIVER_GET_ENTROPY', # incompatible with MBEDTLS_PSA_BUILTIN_GET_ENTROPY
     'MBEDTLS_PSA_P256M_DRIVER_ENABLED', # influences SECP256R1 KeyGen/ECDH/ECDSA
@@ -180,8 +179,10 @@ def baremetal_adapter(name, value, active):
     """Config adapter for "baremetal"."""
     if not is_boolean_setting(name, value):
         return active
-    if name == 'MBEDTLS_PLATFORM_GET_ENTROPY_ALT':
+    if name == 'MBEDTLS_PSA_BUILTIN_GET_ENTROPY':
         # No OS-provided entropy source
+        return False
+    if name == 'MBEDTLS_PSA_DRIVER_GET_ENTROPY':
         return True
     return include_in_full(name) and keep_in_baremetal(name)
 

scripts/footprint.sh

@@ -19,14 +19,22 @@
 set -eu
 
 CONFIG_H='include/mbedtls/mbedtls_config.h'
+CRYPTO_CONFIG_H='tf-psa-crypto/include/psa/crypto_config.h'
 
-if [ -r $CONFIG_H ]; then :; else
+if [ ! -r $CONFIG_H ]; then
     echo "$CONFIG_H not found" >&2
     echo "This script needs to be run from the root of" >&2
     echo "a git checkout or uncompressed tarball" >&2
     exit 1
 fi
 
+if [ ! -r $CRYPTO_CONFIG_H ]; then
+    echo "$CRYPTO_CONFIG_H not found" >&2
+    echo "This script needs to be run from the root of" >&2
+    echo "a git checkout or uncompressed tarball" >&2
+    exit 1
+fi
+
 if grep -i cmake Makefile >/dev/null; then
     echo "Not compatible with CMake" >&2
     exit 1
@@ -56,15 +64,25 @@ doit()
     log "$NAME ($FILE):"
 
     cp $CONFIG_H ${CONFIG_H}.bak
+    cp $CRYPTO_CONFIG_H ${CRYPTO_CONFIG_H}.bak
     if [ "$FILE" != $CONFIG_H ]; then
+        CRYPTO_FILE="${FILE%/*}/crypto-${FILE##*/}"
         cp "$FILE"  $CONFIG_H
+        cp "$CRYPTO_FILE"  $CRYPTO_CONFIG_H
     fi
 
     {
+        scripts/config.py unset MBEDTLS_HAVE_TIME || true
+        scripts/config.py unset MBEDTLS_HAVE_TIME_DATE || true
         scripts/config.py unset MBEDTLS_NET_C || true
         scripts/config.py unset MBEDTLS_TIMING_C || true
         scripts/config.py unset MBEDTLS_FS_IO || true
-        scripts/config.py --force set MBEDTLS_PLATFORM_GET_ENTROPY_ALT || true
+        scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C || true
+        scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C || true
+        scripts/config.py unset MBEDTLS_PSA_BUILTIN_GET_ENTROPY || true
+        # Force the definition of MBEDTLS_PSA_DRIVER_GET_ENTROPY as it may
+        # not exist in custom configurations.
+        scripts/config.py --force -f ${CRYPTO_CONFIG_H} set MBEDTLS_PSA_DRIVER_GET_ENTROPY || true
     } >/dev/null 2>&1
 
     make clean >/dev/null
@@ -76,7 +94,8 @@ doit()
     log "$( head -n1 "$OUT" )"
     log "$( tail -n1 "$OUT" )"
 
-    cp ${CONFIG_H}.bak $CONFIG_H
+    mv ${CONFIG_H}.bak $CONFIG_H
+    mv ${CRYPTO_CONFIG_H}.bak $CRYPTO_CONFIG_H
 }
 
 # truncate the file just this time

tests/scripts/analyze_outcomes.py

@@ -124,10 +124,8 @@ class CoverageTask(outcome_analysis.CoverageTask):
             # Untested platform-specific optimizations.
             # https://github.com/Mbed-TLS/mbedtls/issues/9588
             'Config: MBEDTLS_HAVE_SSE2',
-            # Obsolete configuration options, to be replaced by
-            # PSA entropy drivers.
-            # https://github.com/Mbed-TLS/mbedtls/issues/8150
-            'Config: MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES',
+            # Obsolete config option that we are about to remove
+            'Config: MBEDTLS_PLATFORM_GET_ENTROPY_ALT',
             # Untested aspect of the platform interface.
             # https://github.com/Mbed-TLS/mbedtls/issues/9589
             'Config: MBEDTLS_PLATFORM_NO_STD_FUNCTIONS',

tests/scripts/components-configuration-crypto.sh

@@ -236,7 +236,6 @@ component_test_psa_external_rng_no_drbg_use_psa () {
     msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS"
     scripts/config.py full
     scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
-    scripts/config.py unset MBEDTLS_ENTROPY_C
     scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
     scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
     scripts/config.py unset MBEDTLS_CTR_DRBG_C
@@ -252,16 +251,18 @@ component_test_psa_external_rng_no_drbg_use_psa () {
 }
 
 component_test_psa_external_rng_use_psa_crypto () {
-    msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
+    msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED"
     scripts/config.py full
     scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
     scripts/config.py unset MBEDTLS_CTR_DRBG_C
+    scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
+    scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
     make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
 
-    msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
+    msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED"
     make test
 
-    msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
+    msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED"
     tests/ssl-opt.sh -f 'Default\|opaque'
 }
 
@@ -2090,9 +2091,9 @@ END
         #define PSA_WANT_ALG_SHA3_384  1
         #define PSA_WANT_ALG_SHA3_512  1
         #define PSA_WANT_KEY_TYPE_AES  1
-        #define MBEDTLS_CTR_DRBG_C
-        #define MBEDTLS_ENTROPY_C
         #define MBEDTLS_PSA_CRYPTO_C
+        #define MBEDTLS_CTR_DRBG_C
+        #define MBEDTLS_PSA_BUILTIN_GET_ENTROPY
         #define MBEDTLS_SELF_TEST
 END
 

tests/scripts/components-configuration-platform.sh

@@ -20,17 +20,18 @@ component_build_no_std_function () {
     make
 }
 
-component_test_platform_get_entropy_alt()
+component_test_psa_driver_get_entropy()
 {
-    msg "build: default config + MBEDTLS_PLATFORM_GET_ENTROPY_ALT"
+    msg "build: default - MBEDTLS_PSA_BUILTIN_GET_ENTROPY + MBEDTLS_PSA_DRIVER_GET_ENTROPY"
     # Use hardware polling as the only source for entropy
-    scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT
+    scripts/config.py unset MBEDTLS_PSA_BUILTIN_GET_ENTROPY
     scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
+    scripts/config.py set MBEDTLS_PSA_DRIVER_GET_ENTROPY
 
     make
 
     # Run all the tests
-    msg "test: default config + MBEDTLS_PLATFORM_GET_ENTROPY_ALT"
+    msg "test: default - MBEDTLS_PSA_BUILTIN_GET_ENTROPY + MBEDTLS_PSA_DRIVER_GET_ENTROPY"
     make test
 }
 
@@ -40,7 +41,8 @@ component_build_no_sockets () {
     msg "build: full config except net_sockets.c, make, gcc -std=c99 -pedantic" # ~ 30s
     scripts/config.py full
     scripts/config.py unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc.
-    scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT # prevent syscall() on GNU/Linux
+    scripts/config.py unset MBEDTLS_PSA_BUILTIN_GET_ENTROPY # prevent syscall() on GNU/Linux
+    scripts/config.py set MBEDTLS_PSA_DRIVER_GET_ENTROPY
     make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -std=c99 -pedantic' lib
 }
 

tests/scripts/components-configuration.sh

@@ -284,7 +284,8 @@ component_test_no_platform () {
     # Use the test alternative implementation of mbedtls_platform_get_entropy()
     # which is provided in "framework/tests/src/fake_external_rng_for_test.c"
     # since the default one is excluded in this scenario.
-    scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT
+    scripts/config.py unset MBEDTLS_PSA_BUILTIN_GET_ENTROPY
+    scripts/config.py set MBEDTLS_PSA_DRIVER_GET_ENTROPY
     # Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19,
     # to re-enable platform integration features otherwise disabled in C99 builds
     make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -Os -D_DEFAULT_SOURCE' lib programs

tests/scripts/depends.py

@@ -515,10 +515,10 @@ class DomainData:
             'curves': ExclusiveDomain(curve_symbols, build_and_test),
 
             # Hash algorithms. Excluding exclusive domains of MD, RIPEMD, SHA1, SHA3*,
-            # SHA224 and SHA384 because MBEDTLS_ENTROPY_C is extensively used
+            # SHA224 and SHA384 because the built-in entropy module is extensively used
             # across various modules, but it depends on either SHA256 or SHA512.
             # As a consequence an "exclusive" test of anything other than SHA256
-            # or SHA512 with MBEDTLS_ENTROPY_C enabled is not possible.
+            # or SHA512 with the built-in entropy module enabled is not possible.
             'hashes': DualDomain(hash_symbols, build_and_test,
                                  exclude=r'PSA_WANT_ALG_(?!SHA_(256|512))'),