Gate entropy injection through a dedicated configuration option

Entropy injection has specific testing requirements. Therefore it
should depend on a specific option.

library/psa_crypto.c

@@ -60,7 +60,6 @@
 #include "mbedtls/ecdh.h"
 #include "mbedtls/ecp.h"
 #include "mbedtls/entropy.h"
-#include "mbedtls/entropy_poll.h"
 #include "mbedtls/error.h"
 #include "mbedtls/gcm.h"
 #include "mbedtls/md2.h"
@@ -4419,13 +4418,12 @@ psa_status_t psa_generate_random( uint8_t *output,
     return( mbedtls_to_psa_error( ret ) );
 }
 
-#if defined(MBEDTLS_ENTROPY_NV_SEED) && \
-    defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+#include "mbedtls/entropy_poll.h"
+
 psa_status_t mbedtls_psa_inject_entropy( const unsigned char *seed,
                                          size_t seed_size )
 {
-    psa_status_t status;
-    struct psa_storage_info_t p_info;
     if( global_data.initialized )
         return( PSA_ERROR_NOT_PERMITTED );
 
@@ -4434,20 +4432,9 @@ psa_status_t mbedtls_psa_inject_entropy( const unsigned char *seed,
           ( seed_size > MBEDTLS_ENTROPY_MAX_SEED_SIZE ) )
             return( PSA_ERROR_INVALID_ARGUMENT );
 
-    status = psa_its_get_info( PSA_CRYPTO_ITS_RANDOM_SEED_UID, &p_info );
-
-    if( PSA_ERROR_DOES_NOT_EXIST == status ) /* No seed exists */
-    {
-        status = psa_its_set( PSA_CRYPTO_ITS_RANDOM_SEED_UID, seed_size, seed, 0 );
-    }
-    else if( PSA_SUCCESS == status )
-    {
-        /* You should not be here. Seed needs to be injected only once */
-        status = PSA_ERROR_NOT_PERMITTED;
-    }
-    return( status );
+    return( mbedtls_psa_storage_inject_entropy( seed, seed_size ) );
 }
-#endif
+#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
 
 psa_status_t psa_generate_key( psa_key_handle_t handle,
                                psa_key_type_t type,

library/psa_crypto_storage.c

@@ -391,4 +391,26 @@ exit:
     return( status );
 }
 
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+psa_status_t mbedtls_psa_storage_inject_entropy( const unsigned char *seed,
+                                                 size_t seed_size )
+{
+    psa_status_t status;
+    struct psa_storage_info_t p_info;
+
+    status = psa_its_get_info( PSA_CRYPTO_ITS_RANDOM_SEED_UID, &p_info );
+
+    if( PSA_ERROR_DOES_NOT_EXIST == status ) /* No seed exists */
+    {
+        status = psa_its_set( PSA_CRYPTO_ITS_RANDOM_SEED_UID, seed_size, seed, 0 );
+    }
+    else if( PSA_SUCCESS == status )
+    {
+        /* You should not be here. Seed needs to be injected only once */
+        status = PSA_ERROR_NOT_PERMITTED;
+    }
+    return( status );
+}
+#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
+
 #endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */

library/psa_crypto_storage.h

@@ -203,6 +203,22 @@ psa_status_t psa_parse_key_data_from_storage( const uint8_t *storage_data,
                                               psa_key_type_t *type,
                                               psa_key_policy_t *policy );
 
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+/** Backend side of mbedtls_psa_inject_entropy().
+ *
+ * This function stores the supplied data into the entropy seed file.
+ *
+ * \retval #PSA_SUCCESS
+ *         Success
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ *         The entropy seed file already exists.
+ */
+psa_status_t mbedtls_psa_storage_inject_entropy( const unsigned char *seed,
+                                                 size_t seed_size );
+#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
+
 #ifdef __cplusplus
 }
 #endif

library/version_features.c

@@ -432,6 +432,9 @@ static const char *features[] = {
 #if defined(MBEDTLS_PSA_CRYPTO_SPM)
     "MBEDTLS_PSA_CRYPTO_SPM",
 #endif /* MBEDTLS_PSA_CRYPTO_SPM */
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+    "MBEDTLS_PSA_INJECT_ENTROPY",
+#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
 #if defined(MBEDTLS_RSA_NO_CRT)
     "MBEDTLS_RSA_NO_CRT",
 #endif /* MBEDTLS_RSA_NO_CRT */