# Random configuration options # Copyright (c) 2017 Intel Corporation # SPDX-License-Identifier: Apache-2.0 menu "Random Number Generators" config TEST_RANDOM_GENERATOR bool "Allow non-random number generator" help This option signifies that a non-random number generator is allowed to be used and the kernel's random number APIs are permitted to return values that are not truly random. This capability is provided for testing purposes when a truly random number generator is not available. The non-random number generator should not be used in a production environment. This option is intended to be selected only by application-level configurations (e.g. in tests and samples) to indicate that the application is allowed to run with a random number generator that is not truly random. Board-level configurations must not select this option unless the sole purpose of the board is testing (e.g. QEMU emulation boards). Note that this option does not imply that a non-random number generator is selected -- that is indicated by RNG_GENERATOR_CHOICE. An entropy device-backed random number generator, if available, will be selected by default even when CONFIG_TEST_RANDOM_GENERATOR=y. config TIMER_RANDOM_INITIAL_STATE int "Initial state used by clock based number generator" default 123456789 help Initial state value used by TIMER_RANDOM_GENERATOR and early random number genenator. choice RNG_GENERATOR_CHOICE prompt "Random generator" default ENTROPY_DEVICE_RANDOM_GENERATOR if ENTROPY_HAS_DRIVER default TIMER_RANDOM_GENERATOR if TEST_RANDOM_GENERATOR depends on ENTROPY_HAS_DRIVER || TEST_RANDOM_GENERATOR help Platform dependent non-cryptographically secure random number support. If the entropy support of the platform has sufficient performance to support random request then select that. Otherwise, select the XOSHIRO algorithm config TIMER_RANDOM_GENERATOR bool "System timer clock based number generator" depends on TEST_RANDOM_GENERATOR help This options enables number generator based on system timer clock. This number generator is not random and used for testing only. config ENTROPY_DEVICE_RANDOM_GENERATOR bool "Use entropy driver to generate random numbers" depends on ENTROPY_HAS_DRIVER help Enables a random number generator that uses the enabled hardware entropy gathering driver to generate random numbers. Should only be selected if hardware entropy driver is designed to be a random number generator source. config XOSHIRO_RANDOM_GENERATOR bool "Use Xoshiro128++ as PRNG" depends on ENTROPY_HAS_DRIVER help Enables the Xoshiro128++ pseudo-random number generator, that uses the entropy driver as a seed source. This is a fast general-purpose non-cryptographically secure random number generator. endchoice # RNG_GENERATOR_CHOICE DT_CHOSEN_Z_ENTROPY := zephyr,entropy config CSPRNG_AVAILABLE bool default y if $(dt_chosen_enabled,$(DT_CHOSEN_Z_ENTROPY)) help Helper that can be used to check if the platform is capable of generating CS random values. For this to be enabled, there must be the "zephyr,entropy" chosen property defined in the devicetree. This means that there is an HW entropy generator that can be used for this purpose. Once CONFIG_CSPRNG_AVAILABLE is set, then CONFIG_ENTROPY_GENERATOR can be enabled to enable the platform specific entropy driver. # # Implied dependency on a cryptographically secure entropy source when # enabling CS generators. ENTROPY_HAS_DRIVER is the flag indicating the # CS entropy source. # config CSPRNG_ENABLED bool default y depends on ENTROPY_HAS_DRIVER choice CSPRNG_GENERATOR_CHOICE prompt "Cryptographically secure random generator" default HARDWARE_DEVICE_CS_GENERATOR default TEST_CSPRNG_GENERATOR help Platform dependent cryptographically secure random number support. If the hardware entropy support of the platform has sufficient performance to support CSRNG then select that. Otherwise, select CTR-DRBG CSPRNG as that is a FIPS140-2 recommended CSPRNG. config HARDWARE_DEVICE_CS_GENERATOR bool "Use hardware random driver for CS random numbers" depends on ENTROPY_HAS_DRIVER help Enables a cryptographically secure random number generator that uses the enabled hardware random number driver to generate random numbers. config CTR_DRBG_CSPRNG_GENERATOR bool "Use CTR-DRBG CSPRNG" depends on MBEDTLS depends on ENTROPY_HAS_DRIVER select MBEDTLS_CIPHER_AES_ENABLED help Enables the CTR-DRBG pseudo-random number generator. This CSPRNG shall use the entropy API for an initialization seed. The CTR-DRBG is a FIPS140-2 recommended cryptographically secure random number generator. config TEST_CSPRNG_GENERATOR bool "Use insecure CSPRNG for testing purposes" depends on TEST_RANDOM_GENERATOR help Route calls to `sys_csrand_get` through `sys_rand_get` to enable libraries that use the former to be tested with ZTEST. endchoice # CSPRNG_GENERATOR_CHOICE config CS_CTR_DRBG_PERSONALIZATION string "CTR-DRBG Personalization string" default "zephyr ctr-drbg seed" depends on CTR_DRBG_CSPRNG_GENERATOR help Personalization data can be provided in addition to the entropy source to make the initialization of the CTR-DRBG as unique as possible. endmenu