modules: mbedtls: let CSPRNG_AVAILABLE select ENTROPY_GENERATOR
It might happen that some boards have "zephyr,entropy" node set, but under
the hood the driver is not available (ex: entropy_bt_hci not being
available because CONFIG_BT_HOST is not enabled in the build).
This commit changes the behavior so that:
1. if "zephyr,entropy" is set in the DT then CONFIG_CSPRNG_AVAILABLE gets
enabled;
2. CONFIG_CSPRNG_AVAILABLE selects CONFIG_ENTROPY_GENERATOR;
3. if there really is a driver available then CONFIG_ENTROPY_HAS_DRIVER
will be enabled by that driver;
4. CONFIG_ENTROPY_HAS_DRIVER selects CONFIG_CSPRNG_ENABLED;
5. Mbed TLS can consume the CONFIG_CSPRNG_ENABLED information to
decide whether to enable CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG or
the legacy CONFIG_MBEDTLS_PSA_CRYPTO_LEGACY_RNG.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
diff --git a/modules/mbedtls/Kconfig.mbedtls b/modules/mbedtls/Kconfig.mbedtls
index af16af8..fa33f9e 100644
--- a/modules/mbedtls/Kconfig.mbedtls
+++ b/modules/mbedtls/Kconfig.mbedtls
@@ -522,6 +522,13 @@
which ensures that master secrets are different for every
connection and every session.
+# CONFIG_CSPRNG_AVAILABLE must automatically enable CONFIG_ENTROPY_GENERATOR.
+# But we're doing it here because this enablement should be gated by Mbed TLS
+# being also enabled in the build, otherwise this will result in entropy
+# drivers being enabled without anyone needing them.
+config CSPRNG_AVAILABLE
+ select ENTROPY_GENERATOR
+
choice MBEDTLS_PSA_CRYPTO_RNG_SOURCE
prompt "Select random source for built-in PSA crypto"
depends on MBEDTLS_PSA_CRYPTO_C
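Review bot: the `select ENTROPY_GENERATOR` added under the re-opened `config CSPRNG_AVAILABLE` is unconditional, so the gating the comment promises ("this enablement should be gated by Mbed TLS being also enabled in the build") only holds if Kconfig.mbedtls itself is sourced solely when Mbed TLS is enabled; if the file can be sourced unconditionally, qualify the select with the Mbed TLS symbol the file is gated on (e.g. `select ENTROPY_GENERATOR if <MBEDTLS symbol>`) so that boards with a "zephyr,entropy" node do not get an entropy driver pulled in for no consumer. The comment's first sentence ("must automatically enable") also reads as a requirement on some other file; rewording it to say that the select would normally live next to the symbol's definition but is placed here on purpose would make the intent clearer to the next reader.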
@@ -530,12 +537,11 @@
# CONFIG_CSPRNG_ENABLED cannot be used for this because it gets enabled by
# entropy drivers but these are gated by CONFIG_ENTROPY_GENERATOR which
# is disabled by default.
- default MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if CSPRNG_AVAILABLE
+ default MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if CSPRNG_ENABLED
default MBEDTLS_PSA_CRYPTO_LEGACY_RNG
config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
bool "Use a cryptographically secure driver as random source"
- select ENTROPY_GENERATOR
help
Use a cryptographically secure random generator to provide random data
instead of legacy Mbed TLS modules. This has a smaller footprint
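Review bot: the comment left untouched above the `default` line now contradicts the change beneath it: it still says "CONFIG_CSPRNG_ENABLED cannot be used for this because ... CONFIG_ENTROPY_GENERATOR ... is disabled by default", yet the hunk switches the default to `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if CSPRNG_ENABLED`. Update the comment to state the new reasoning (CSPRNG_AVAILABLE now selects ENTROPY_GENERATOR, so CSPRNG_ENABLED reliably reflects whether a driver is actually present). Separately, dropping `select ENTROPY_GENERATOR` from `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` means a user who picks this choice by hand on a board without CSPRNG_AVAILABLE will no longer get the entropy subsystem enabled and will end up with no working random source; consider adding `depends on CSPRNG_ENABLED` to that choice entry so the option is only selectable when a secure driver is really available.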