From aeac0b31accc9b7ece5398ea30eb31668f981e88 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 10 Jul 2025 13:00:36 +0200 Subject: [PATCH 1/3] Disable new platform-related option Signed-off-by: Gilles Peskine --- scripts/config.py | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/config.py b/scripts/config.py index e5182a6a59..8d2ed10e03 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -89,6 +89,7 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_NO_64BIT_MULTIPLICATION', # influences anything that uses bignum 'MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES', # removes a feature 'MBEDTLS_NO_UDBL_DIVISION', # influences anything that uses bignum + 'MBEDTLS_PSA_DRIVER_GET_ENTROPY', # incompatible with MBEDTLS_PSA_BUILTIN_GET_ENTROPY 'MBEDTLS_PSA_P256M_DRIVER_ENABLED', # influences SECP256R1 KeyGen/ECDH/ECDSA 'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', # removes a feature 'MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS', # removes a feature From 606671b6a55c8f4c6b4957f77c2aaacd89a80d5d Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 15 Jul 2025 13:09:00 +0200 Subject: [PATCH 2/3] Explicitly enable built-in entropy in sample and test configs Now that built-in entropy is a positive option `MBEDTLS_PSA_BUILTIN_GET_ENTROPY` instead of a negative option `MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES`, it needs to be enabled explicitly in sample and test configurations. Signed-off-by: Gilles Peskine --- configs/crypto-config-ccm-psk-tls1_2.h | 8 +------- configs/crypto-config-suite-b.h | 7 +------ configs/crypto-config-thread.h | 1 + 3 files changed, 3 insertions(+), 13 deletions(-) diff --git a/configs/crypto-config-ccm-psk-tls1_2.h b/configs/crypto-config-ccm-psk-tls1_2.h index e4de8b3fb6..163520ed34 100644 --- a/configs/crypto-config-ccm-psk-tls1_2.h +++ b/configs/crypto-config-ccm-psk-tls1_2.h @@ -31,15 +31,9 @@ #define MBEDTLS_CTR_DRBG_C #define MBEDTLS_ENTROPY_C +#define MBEDTLS_PSA_BUILTIN_GET_ENTROPY /* Save RAM at the expense of ROM */ #define MBEDTLS_AES_ROM_TABLES -/* - * You should adjust this to the exact number of sources you're using: default - * is the "platform_entropy_poll" source, but you may want to add other ones - * Minimum is 2 for the entropy test suite. - */ -#define MBEDTLS_ENTROPY_MAX_SOURCES 2 - #endif /* PSA_CRYPTO_CONFIG_H */ diff --git a/configs/crypto-config-suite-b.h b/configs/crypto-config-suite-b.h index dd304c1c5d..0437bda3ce 100644 --- a/configs/crypto-config-suite-b.h +++ b/configs/crypto-config-suite-b.h @@ -51,6 +51,7 @@ #define MBEDTLS_ENTROPY_C #define MBEDTLS_PK_C #define MBEDTLS_PK_PARSE_C +#define MBEDTLS_PSA_BUILTIN_GET_ENTROPY /* For test certificates */ #define MBEDTLS_BASE64_C @@ -69,10 +70,4 @@ /* Significant speed benefit at the expense of some ROM */ #define MBEDTLS_ECP_NIST_OPTIM -/* - * You should adjust this to the exact number of sources you're using: default - * is the "mbedtls_platform_entropy_poll" source, but you may want to add other ones. - * Minimum is 2 for the entropy test suite. - */ -#define MBEDTLS_ENTROPY_MAX_SOURCES 2 #endif /* PSA_CRYPTO_CONFIG_H */ diff --git a/configs/crypto-config-thread.h b/configs/crypto-config-thread.h index 18206e1a9f..5475a0af20 100644 --- a/configs/crypto-config-thread.h +++ b/configs/crypto-config-thread.h @@ -60,6 +60,7 @@ #define MBEDTLS_MD_C #define MBEDTLS_PK_C #define MBEDTLS_PK_PARSE_C +#define MBEDTLS_PSA_BUILTIN_GET_ENTROPY /* Save RAM at the expense of ROM */ #define MBEDTLS_AES_ROM_TABLES From 3c2a1cb1d61363c73fdeebb6125e0e5f85c1ba01 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 15 Jul 2025 19:09:08 +0200 Subject: [PATCH 3/3] Prepare to ignore a new test case Signed-off-by: Gilles Peskine --- tests/scripts/analyze_outcomes.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 429a04f7f5..21845137f8 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -62,6 +62,12 @@ class CoverageTask(outcome_analysis.CoverageTask): # https://github.com/Mbed-TLS/mbedtls/issues/9586 'Config: !MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED', ], + 'test_suite_config.crypto_combinations': [ + # New thing in crypto. Not intended to be tested separately + # in mbedtls. + # https://github.com/Mbed-TLS/mbedtls/issues/10300 + 'Config: entropy: NV seed only', + ], 'test_suite_config.psa_boolean': [ # We don't test with HMAC disabled. # https://github.com/Mbed-TLS/mbedtls/issues/9591