subsys/random/Kconfig - third_party/github/zephyrproject-rtos/zephyr - Git at Google

 # Random configuration options

 # Copyright (c) 2017 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0

 menu "Random Number Generators"

 config TEST_RANDOM_GENERATOR
 	bool "Allow non-random number generator"
 	help
 	  This option signifies that a non-random number generator is allowed to
 	  be used and the kernel's random number APIs are permitted to return
 	  values that are not truly random.

 	  This capability is provided for testing purposes when a truly random
 	  number generator is not available. The non-random number generator
 	  should not be used in a production environment.

 	  This option is intended to be selected only by application-level
 	  configurations (e.g. in tests and samples) to indicate that the
 	  application is allowed to run with a random number generator that is not
 	  truly random. Board-level configurations must not select this option
 	  unless the sole purpose of the board is testing (e.g. QEMU emulation
 	  boards).

 	  Note that this option does not imply that a non-random number generator
 	  is selected -- that is indicated by RNG_GENERATOR_CHOICE. An entropy
 	  device-backed random number generator, if available, will be selected by
 	  default even when CONFIG_TEST_RANDOM_GENERATOR=y.

 config TIMER_RANDOM_INITIAL_STATE
 	int "Initial state used by clock based number generator"
 	default 123456789
 	help
 	  Initial state value used by TIMER_RANDOM_GENERATOR and
 	  early random number genenator.


 choice RNG_GENERATOR_CHOICE
 	prompt "Random generator"
 	default ENTROPY_DEVICE_RANDOM_GENERATOR if ENTROPY_HAS_DRIVER
 	default TIMER_RANDOM_GENERATOR if TEST_RANDOM_GENERATOR
 	depends on ENTROPY_HAS_DRIVER || TEST_RANDOM_GENERATOR
 	help
 	  Platform dependent non-cryptographically secure random number support.

 	  If the entropy support of the platform has sufficient performance
 	  to support random request then select that. Otherwise, select the
 	  XOSHIRO algorithm

 config TIMER_RANDOM_GENERATOR
 	bool "System timer clock based number generator"
 	depends on TEST_RANDOM_GENERATOR
 	help
 	  This options enables number generator based on system timer
 	  clock. This number generator is not random and used for
 	  testing only.

 config ENTROPY_DEVICE_RANDOM_GENERATOR
 	bool "Use entropy driver to generate random numbers"
 	depends on ENTROPY_HAS_DRIVER
 	help
 	  Enables a random number generator that uses the enabled hardware
 	  entropy gathering driver to generate random numbers. Should only be
 	  selected if hardware entropy driver is designed to be a random
 	  number generator source.

 config XOSHIRO_RANDOM_GENERATOR
 	bool "Use Xoshiro128++ as PRNG"
 	depends on ENTROPY_HAS_DRIVER
 	help
 	  Enables the Xoshiro128++ pseudo-random number generator, that uses
 	  the entropy driver as a seed source. This is a fast general-purpose
 	  non-cryptographically secure random number generator.

 endchoice # RNG_GENERATOR_CHOICE


 DT_CHOSEN_Z_ENTROPY := zephyr,entropy
 config ENTROPY_NODE_ENABLED
 	bool
 	default y if $(dt_chosen_enabled,$(DT_CHOSEN_Z_ENTROPY))
 	help
 	  Helper to state that in the DT the "zephyr,entropy" property points to
 	  the node of an entropy generator unit.
 	  Warning #1: unfortunately having this property set does not guarantee in
 	  all cases that enabling CONFIG_ENTROPY_GENERATOR will make the corresponding
 	  driver available. This because that driver might be gated by other
 	  Kconfig that are not enabled in the build.
 	  Warning #2: even in case blindly enabling CONFIG_ENTROPY_GENERATOR whenever
 	  CONFIG_ENTROPY_NODE_ENABLED is set works fine, it might not be the desired
 	  effect for all the scenarios because then the driver will effectively be
 	  enabled even if there is no usage of it.
 	  The only workaround for these problems to tentatively enable
 	  CONFIG_CSPRNG_NEEDED and check the "return value" on CONFIG_CSPRNG_ENABLED.

 config CSPRNG_NEEDED
 	bool "Use CSPRNG if possible on the current platform"
 	select ENTROPY_GENERATOR if ENTROPY_NODE_ENABLED
 	help
 	  If a DT node exists for an entropy generator (i.e. CONFIG_ENTROPY_NODE_ENABLED
 	  is set) then enable this symbol and check the "result" in CONFIG_CSPRNG_ENABLED
 	  to see if the corresponding driver was really enabled in the build.
 	  This will ensure that (a) there really is a entropy driver for this platform and
 	  (b) it will only get enabled when there is someone needing it.

 #
 # Implied dependency on a cryptographically secure entropy source when
 # enabling CS generators. ENTROPY_HAS_DRIVER is the flag indicating the
 # CS entropy source.
 #
 config CSPRNG_ENABLED
 	bool
 	default y
 	depends on ENTROPY_HAS_DRIVER
 	help
 	  Helper to confirm that there is an hardware entropy unit enabled in the build
 	  that can be used to provide CS random values.


 choice CSPRNG_GENERATOR_CHOICE
 	prompt "Cryptographically secure random generator"
 	default HARDWARE_DEVICE_CS_GENERATOR
 	default TEST_CSPRNG_GENERATOR
 	help
 	  Platform dependent cryptographically secure random number support.

 	  If the hardware entropy support of the platform has sufficient
 	  performance to support CSRNG then select that. Otherwise, select
 	  CTR-DRBG CSPRNG as that is a FIPS140-2 recommended CSPRNG.

 config HARDWARE_DEVICE_CS_GENERATOR
 	bool "Use hardware random driver for CS random numbers"
 	depends on ENTROPY_HAS_DRIVER
 	help
 	  Enables a cryptographically secure random number generator that
 	  uses the enabled hardware random number driver to generate
 	  random numbers.

 config CTR_DRBG_CSPRNG_GENERATOR
 	bool "Use CTR-DRBG CSPRNG"
 	depends on PSA_CRYPTO
 	select DEPRECATED
 	help
 	  Enables the CTR-DRBG pseudo-random number generator. This CSPRNG
 	  shall use the entropy API for an initialization seed. The CTR-DRBG
 	  is a FIPS140-2 recommended cryptographically secure random number
 	  generator.

 config PSA_CSPRNG_GENERATOR
 	bool "Use PSA CSPRNG"
 	depends on PSA_CRYPTO
 	help
 	  Enables a cryptographically secure random number generator
 	  that uses the PSA Crypto API. This CSPRNG implementation
 	  leverages the underlying PSA Crypto library's secure random
 	  number generation capabilities, which may use hardware
 	  entropy sources when available. The PSA CSPRNG provides
 	  cryptographically secure random numbers suitable for
 	  security-sensitive applications.


 config TEST_CSPRNG_GENERATOR
 	bool "Use insecure CSPRNG for testing purposes"
 	depends on TEST_RANDOM_GENERATOR
 	help
 	  Route calls to `sys_csrand_get` through `sys_rand_get` to enable
 	  libraries that use the former to be tested with ZTEST.

 endchoice # CSPRNG_GENERATOR_CHOICE

 config CS_CTR_DRBG_PERSONALIZATION
 	string "CTR-DRBG Personalization string"
 	default "zephyr ctr-drbg seed"
 	depends on CTR_DRBG_CSPRNG_GENERATOR
 	help
 	  This option is deprecated (no longer needed) and will be
 	  removed in further release.

 endmenu
	# Random configuration options

	# Copyright (c) 2017 Intel Corporation
	# SPDX-License-Identifier: Apache-2.0

	menu "Random Number Generators"

	config TEST_RANDOM_GENERATOR
	bool "Allow non-random number generator"
	help
	This option signifies that a non-random number generator is allowed to
	be used and the kernel's random number APIs are permitted to return
	values that are not truly random.

	This capability is provided for testing purposes when a truly random
	number generator is not available. The non-random number generator
	should not be used in a production environment.

	This option is intended to be selected only by application-level
	configurations (e.g. in tests and samples) to indicate that the
	application is allowed to run with a random number generator that is not
	truly random. Board-level configurations must not select this option
	unless the sole purpose of the board is testing (e.g. QEMU emulation
	boards).

	Note that this option does not imply that a non-random number generator
	is selected -- that is indicated by RNG_GENERATOR_CHOICE. An entropy
	device-backed random number generator, if available, will be selected by
	default even when CONFIG_TEST_RANDOM_GENERATOR=y.

	config TIMER_RANDOM_INITIAL_STATE
	int "Initial state used by clock based number generator"
	default 123456789
	help
	Initial state value used by TIMER_RANDOM_GENERATOR and
	early random number genenator.


	choice RNG_GENERATOR_CHOICE
	prompt "Random generator"
	default ENTROPY_DEVICE_RANDOM_GENERATOR if ENTROPY_HAS_DRIVER
	default TIMER_RANDOM_GENERATOR if TEST_RANDOM_GENERATOR
	depends on ENTROPY_HAS_DRIVER \|\| TEST_RANDOM_GENERATOR
	help
	Platform dependent non-cryptographically secure random number support.

	If the entropy support of the platform has sufficient performance
	to support random request then select that. Otherwise, select the
	XOSHIRO algorithm

	config TIMER_RANDOM_GENERATOR
	bool "System timer clock based number generator"
	depends on TEST_RANDOM_GENERATOR
	help
	This options enables number generator based on system timer
	clock. This number generator is not random and used for
	testing only.

	config ENTROPY_DEVICE_RANDOM_GENERATOR
	bool "Use entropy driver to generate random numbers"
	depends on ENTROPY_HAS_DRIVER
	help
	Enables a random number generator that uses the enabled hardware
	entropy gathering driver to generate random numbers. Should only be
	selected if hardware entropy driver is designed to be a random
	number generator source.

	config XOSHIRO_RANDOM_GENERATOR
	bool "Use Xoshiro128++ as PRNG"
	depends on ENTROPY_HAS_DRIVER
	help
	Enables the Xoshiro128++ pseudo-random number generator, that uses
	the entropy driver as a seed source. This is a fast general-purpose
	non-cryptographically secure random number generator.

	endchoice # RNG_GENERATOR_CHOICE


	DT_CHOSEN_Z_ENTROPY := zephyr,entropy
	config ENTROPY_NODE_ENABLED
	bool
	default y if $(dt_chosen_enabled,$(DT_CHOSEN_Z_ENTROPY))
	help
	Helper to state that in the DT the "zephyr,entropy" property points to
	the node of an entropy generator unit.
	Warning #1: unfortunately having this property set does not guarantee in
	all cases that enabling CONFIG_ENTROPY_GENERATOR will make the corresponding
	driver available. This because that driver might be gated by other
	Kconfig that are not enabled in the build.
	Warning #2: even in case blindly enabling CONFIG_ENTROPY_GENERATOR whenever
	CONFIG_ENTROPY_NODE_ENABLED is set works fine, it might not be the desired
	effect for all the scenarios because then the driver will effectively be
	enabled even if there is no usage of it.
	The only workaround for these problems to tentatively enable
	CONFIG_CSPRNG_NEEDED and check the "return value" on CONFIG_CSPRNG_ENABLED.

	config CSPRNG_NEEDED
	bool "Use CSPRNG if possible on the current platform"
	select ENTROPY_GENERATOR if ENTROPY_NODE_ENABLED
	help
	If a DT node exists for an entropy generator (i.e. CONFIG_ENTROPY_NODE_ENABLED
	is set) then enable this symbol and check the "result" in CONFIG_CSPRNG_ENABLED
	to see if the corresponding driver was really enabled in the build.
	This will ensure that (a) there really is a entropy driver for this platform and
	(b) it will only get enabled when there is someone needing it.

	#
	# Implied dependency on a cryptographically secure entropy source when
	# enabling CS generators. ENTROPY_HAS_DRIVER is the flag indicating the
	# CS entropy source.
	#
	config CSPRNG_ENABLED
	bool
	default y
	depends on ENTROPY_HAS_DRIVER
	help
	Helper to confirm that there is an hardware entropy unit enabled in the build
	that can be used to provide CS random values.


	choice CSPRNG_GENERATOR_CHOICE
	prompt "Cryptographically secure random generator"
	default HARDWARE_DEVICE_CS_GENERATOR
	default TEST_CSPRNG_GENERATOR
	help
	Platform dependent cryptographically secure random number support.

	If the hardware entropy support of the platform has sufficient
	performance to support CSRNG then select that. Otherwise, select
	CTR-DRBG CSPRNG as that is a FIPS140-2 recommended CSPRNG.

	config HARDWARE_DEVICE_CS_GENERATOR
	bool "Use hardware random driver for CS random numbers"
	depends on ENTROPY_HAS_DRIVER
	help
	Enables a cryptographically secure random number generator that
	uses the enabled hardware random number driver to generate
	random numbers.

	config CTR_DRBG_CSPRNG_GENERATOR
	bool "Use CTR-DRBG CSPRNG"
	depends on PSA_CRYPTO
	select DEPRECATED
	help
	Enables the CTR-DRBG pseudo-random number generator. This CSPRNG
	shall use the entropy API for an initialization seed. The CTR-DRBG
	is a FIPS140-2 recommended cryptographically secure random number
	generator.

	config PSA_CSPRNG_GENERATOR
	bool "Use PSA CSPRNG"
	depends on PSA_CRYPTO
	help
	Enables a cryptographically secure random number generator
	that uses the PSA Crypto API. This CSPRNG implementation
	leverages the underlying PSA Crypto library's secure random
	number generation capabilities, which may use hardware
	entropy sources when available. The PSA CSPRNG provides
	cryptographically secure random numbers suitable for
	security-sensitive applications.


	config TEST_CSPRNG_GENERATOR
	bool "Use insecure CSPRNG for testing purposes"
	depends on TEST_RANDOM_GENERATOR
	help
	Route calls to `sys_csrand_get` through `sys_rand_get` to enable
	libraries that use the former to be tested with ZTEST.

	endchoice # CSPRNG_GENERATOR_CHOICE

	config CS_CTR_DRBG_PERSONALIZATION
	string "CTR-DRBG Personalization string"
	default "zephyr ctr-drbg seed"
	depends on CTR_DRBG_CSPRNG_GENERATOR
	help
	This option is deprecated (no longer needed) and will be
	removed in further release.

	endmenu