1# Random configuration options
2
3# Copyright (c) 2017 Intel Corporation
4# SPDX-License-Identifier: Apache-2.0
5
6menu "Random Number Generators"
7
8config TEST_RANDOM_GENERATOR
9	bool "Allow non-random number generator"
10	help
11	  This option signifies that a non-random number generator is allowed to
12	  be used and the kernel's random number APIs are permitted to return
13	  values that are not truly random.
14
15	  This capability is provided for testing purposes when a truly random
16	  number generator is not available. The non-random number generator
17	  should not be used in a production environment.
18
19	  This option is intended to be selected only by application-level
20	  configurations (e.g. in tests and samples) to indicate that the
21	  application is allowed to run with a random number generator that is not
22	  truly random. Board-level configurations must not select this option
23	  unless the sole purpose of the board is testing (e.g. QEMU emulation
24	  boards).
25
26	  Note that this option does not imply that a non-random number generator
27	  is selected -- that is indicated by RNG_GENERATOR_CHOICE. An entropy
28	  device-backed random number generator, if available, will be selected by
29	  default even when CONFIG_TEST_RANDOM_GENERATOR=y.
30
31config TIMER_RANDOM_INITIAL_STATE
32	int "Initial state used by clock based number generator"
33	default 123456789
34	help
35	  Initial state value used by TIMER_RANDOM_GENERATOR and
36	  early random number genenator.
37
38
39choice RNG_GENERATOR_CHOICE
40	prompt "Random generator"
41	default ENTROPY_DEVICE_RANDOM_GENERATOR if ENTROPY_HAS_DRIVER
42	default TIMER_RANDOM_GENERATOR if TEST_RANDOM_GENERATOR
43	depends on ENTROPY_HAS_DRIVER || TEST_RANDOM_GENERATOR
44	help
45	  Platform dependent non-cryptographically secure random number support.
46
47	  If the entropy support of the platform has sufficient performance
48	  to support random request then select that. Otherwise, select the
49	  XOSHIRO algorithm
50
51config TIMER_RANDOM_GENERATOR
52	bool "System timer clock based number generator"
53	depends on TEST_RANDOM_GENERATOR
54	help
55	  This options enables number generator based on system timer
56	  clock. This number generator is not random and used for
57	  testing only.
58
59config ENTROPY_DEVICE_RANDOM_GENERATOR
60	bool "Use entropy driver to generate random numbers"
61	depends on ENTROPY_HAS_DRIVER
62	help
63	  Enables a random number generator that uses the enabled hardware
64	  entropy gathering driver to generate random numbers. Should only be
65	  selected if hardware entropy driver is designed to be a random
66	  number generator source.
67
68config XOSHIRO_RANDOM_GENERATOR
69	bool "Use Xoshiro128++ as PRNG"
70	depends on ENTROPY_HAS_DRIVER
71	help
72	  Enables the Xoshiro128++ pseudo-random number generator, that uses
73	  the entropy driver as a seed source. This is a fast general-purpose
74	  non-cryptographically secure random number generator.
75
76endchoice # RNG_GENERATOR_CHOICE
77
78
79DT_CHOSEN_Z_ENTROPY := zephyr,entropy
80config CSPRNG_AVAILABLE
81	bool
82	default y if $(dt_chosen_enabled,$(DT_CHOSEN_Z_ENTROPY))
83	help
84	  Helper that can be used to check if the platform is capable of generating
85	  CS random values. For this to be enabled, there must be the "zephyr,entropy"
86	  chosen property defined in the devicetree. This means that there is an
87	  HW entropy generator that can be used for this purpose.
88	  Once CONFIG_CSPRNG_AVAILABLE is set, then CONFIG_ENTROPY_GENERATOR can
89	  be enabled to enable the platform specific entropy driver.
90
91#
92# Implied dependency on a cryptographically secure entropy source when
93# enabling CS generators. ENTROPY_HAS_DRIVER is the flag indicating the
94# CS entropy source.
95#
96config CSPRNG_ENABLED
97	bool
98	default y
99	depends on ENTROPY_HAS_DRIVER
100
101choice CSPRNG_GENERATOR_CHOICE
102	prompt "Cryptographically secure random generator"
103	default HARDWARE_DEVICE_CS_GENERATOR
104	default TEST_CSPRNG_GENERATOR
105	help
106	  Platform dependent cryptographically secure random number support.
107
108	  If the hardware entropy support of the platform has sufficient
109	  performance to support CSRNG then select that. Otherwise, select
110	  CTR-DRBG CSPRNG as that is a FIPS140-2 recommended CSPRNG.
111
112config HARDWARE_DEVICE_CS_GENERATOR
113	bool "Use hardware random driver for CS random numbers"
114	depends on ENTROPY_HAS_DRIVER
115	help
116	  Enables a cryptographically secure random number generator that
117	  uses the enabled hardware random number driver to generate
118	  random numbers.
119
120config CTR_DRBG_CSPRNG_GENERATOR
121	bool "Use CTR-DRBG CSPRNG"
122	depends on MBEDTLS
123	depends on ENTROPY_HAS_DRIVER
124	select MBEDTLS_CIPHER_AES_ENABLED
125	help
126	  Enables the CTR-DRBG pseudo-random number generator. This CSPRNG
127	  shall use the entropy API for an initialization seed. The CTR-DRBG
128	  is a FIPS140-2 recommended cryptographically secure random number
129	  generator.
130
131config TEST_CSPRNG_GENERATOR
132	bool "Use insecure CSPRNG for testing purposes"
133	depends on TEST_RANDOM_GENERATOR
134	help
135	  Route calls to `sys_csrand_get` through `sys_rand_get` to enable
136	  libraries that use the former to be tested with ZTEST.
137
138endchoice # CSPRNG_GENERATOR_CHOICE
139
140config CS_CTR_DRBG_PERSONALIZATION
141	string "CTR-DRBG Personalization string"
142	default "zephyr ctr-drbg seed"
143	depends on CTR_DRBG_CSPRNG_GENERATOR
144	help
145	  Personalization data can be provided in addition to the entropy
146	  source to make the initialization of the CTR-DRBG as unique as
147	  possible.
148
149endmenu
150