psa: PSA entropy is compatible with other entropy

[Patater]

MBEDTLS_PSA_INJECT_ENTROPY is compatible with actual entropy sources.
PSA entropy injection is implemented using the standard Mbed TLS NV Seed
feature, and is as compatible with other entropy sources as the standard
Mbed TLS NV Seed feature which does support entropy mixing.

[gilles-peskine-arm]

What validation has been done with inject entropy and a TRNG in the same build?

[Patater]

We've used a platform with a TRNG available to all Mbed TLS DRBGs in Mbed OS (via hardware_poll as a default source), K64F, with mbed-os-example-mbed-crypto, which demonstrates the factory entropy injection API. Tracing was added to show a relevant subset of the call graph, including calls to mbedtls_nv_seed_poll() and mbedtls_hardware_poll() from the PSA DRBG.

Image: ./BUILD/K64F/GCC_ARM/mbed-os-example-mbed-crypto.bin
--- Terminal on /dev/ttyACM0 - 9600,8,N,1 ---
&global_data.entropy: 0x20001048
> entropy_gather_internal
> mbedtls_hardware_poll
> ret: 0
> entropy_update 0x20001048
< ret 0
> mbedtls_nv_seed_poll
< ok 64
> entropy_update 0x20001048
< ret 0
> entropy_update 0x20001048
< ret 0
> entropy_gather_internal
> mbedtls_hardware_poll
> ret: 0
> entropy_update 0x20001048
< ret 0
> mbedtls_nv_seed_poll
< ok 64
> entropy_update 0x20001048
< ret 0
psa_generate_random()
PSA_SUCCESS



a2 79 58 52 59 6d f7 f2  14 c5 b0 5c 9a 9c 11 3f 
78 a1 56 24 d0 2a 23 ba  b8 fe ee f6 b7 2a ad a7 
cf 04 1e 73 44 e9 ab 3c  7a 93 c3 57 b4 13 0c 47 
e8 f1 08 2b b1 a2 d2 9a  05 06 03 c0 f4 29 ad 05 
7c 09 1f 04 6f 1f 35 b9  fd 47 ac 09 e0 e7 a5 e5 
38 e2 01 6a 97 e5 e0 1f  05 48 d0 c8 c4 97 3f 03 
21 bd 2f ad 70 d5 9f eb  d2 72 4b 92 3f 8c 54 2a 
75 c2 1a 5f 71 83 f7 68  92 64 13 91 ef 66 42 ed 
11 aa 94 17 bd 12 49 0d  66 80 44 ed 61 8b cd d4 
89 21 86 b6 f4 a3 ff 90  ce f3 8c 8e 35 9a df 3d 
05 49 55 18 5c 92 f2 44  62 5c c9 4a 24 29 67 a6 
2a dd bf 4d f6 c0 c8 69  e1 3b df 36 40 46 6c 81 
c8 52 98 8a f4 eb dd f0  09 41 cc d6 70 f7 ac 74 
d6 e3 99 f7 24 41 bb 9d  3f af d1 1e 2b 68 50 66 
be d4 46 c7 8d 28 74 99  18 e1 47 c4 e3 14 40 10 
99 d2 d6 40 b4 75 f1 62  7f 88 ac e5 67 a8 7e e5 
f8 80 7d bd 8e 65 15 3c  da ee 3a fd f7 2a 7d b4 
57 f1 29 9d 8e 3f 44 29  55 64 2a 45 79 b2 f9 22 
77 94 47 c0 13 3a 8a 8a  34 a6 7c 7f 73 ef 87 13 
2e 99 69 d4 b8 90 c3 a0  50 c5 0f e4 ae 35 32 6f 
3e 01 1d d1 03 4f 8a cd  6d 66 33 ec 01 f2 02 21 
b9 23 fb 20 52 70 6c d6  29 b4 65 1d 62 f6 db 7c 
70 08 bf 93 fc de 29 39  50 68 31 ab d9 9c 9a 28 
16 d1 06 94 38 c2 70 98  fc af 8b b0 1f 90 39 95 
54 01 7b 9b 95 68 1e 68  87 13 3e 87 0b 34 89 7d 
b5 fe 17 0b f0 07 88 66  f1 76 c3 a4 a8 2d fe dd 
ba 1b e0 a6 84 3d 49 0b  ac 75 b5 34 fd fb 18 63 
84 b2 07 68 b9 03 d2 0f  c7 87 69 04 ce 43 49 0a 
4f 42 b5 98 c4 40 94 d3  be 40 5f d4 05 86 b4 af 
cc d3 4f 5b bf 49 08 d3  ef 5f f6 b2 4d 92 1d 74 
9a fb 03 de af f3 c5 83  5b 7d cc f7 e8 61 fe 78 
61 24 69 44 48 07 28 29  05 4a 26 e2 35 75 1b ab 
d7 93 6b 8e 4a 99 c2 23  8d 13 1f 54 df 62 f5 84 
f7 1e fe 8d 87 a9 61 78  24 91 e1 3b 33 09 21 e9 
28 b5 7c 83 9a 14 5a e1  f0 11 a4 ad 80 0e 33 c5 
1b 36 25 50 01 03 ba af  74 09 ba b9 85 e5 a1 a8 
03 9c e8 dc 97 2a f4 47  20 36 77 d3 c3 00 85 18 
96 ec c5 87 4a 68 5d 13  16 a8 bb 59 fe 67 dd 17 
a6 28 8f 40 5a 68 ff ed  b3 b3 46 73 04 ed 26 0c 
50 7b 9f a3 7f 41 e3 e7  7a 5f af ac 20 90 84 30 
f9 d4 42 39 15 50 18 3a  12 f0 0e 54 57 e5 12 dd 
91 9a f0 cf 22 b7 09 77  31 aa 51 58 f4 9f 3b e8 
ec 84 b1 8b 13 0b 5e ac  8d ef 04 32 a7 28 fd 42 
a5 f8 a4 95 ae ac 6c 04  4b c8 d5 79 48 05 4e 46 
62 c6 33 39 35 4a f8 fa  62 ce a9 47 54 76 28 44 
a2 a3 36 d4 ba 49 2e e2  ee 82 8f 25 90 8b 1e bf 
8c 26 27 b3 d4 a0 53 34  2c ec e9 5f 5c c6 b8 cb 
36 67 ba f2 0a 62 39 1d  3e 38 25 a9 8c 89 86 4e 
ec 5d 95 d2 22 e8 9d 0b  c8 a1 2c 80 63 a9 d0 79 
40 d2 a3 22 d9 8d 9f eb  0f 9f 90 0b cc b0 52 2c 
c1 60 4a 3d d4 91 2c 4d  54 19 7d e8 11 d4 cb d1 
c6 b1 5e e1 ff 20 f6 8f  a5 0c 20 84 2b 66 db e2 
fb e5 14 c3 72 d9 e2 94  d3 c5 0c d8 e9 3c 0a a0 
36 de 0c bc a7 01 cc 45  84 29 cb 8d 18 51 b5 32 
c0 77 ba 96 20 02 70 cb  7a 41 88 86 97 67 55 8d 
ad 36 45 72 40 6d 01 9e  50 b2 4d 03 cf b0 77 70 
9c e0 98 75 b8 86 fc cc  c3 c6 69 4c 1c ef fc 7b 
7e 23 28 a2 08 62 1c ee  dc 01 9e 65 62 e1 8e 95 
93 53 b5 3a 8d 2b 19 48  42 51 84 6f 58 c3 6b 61 
65 a3 14 80 32 9c df ae  f1 58 ac 09 3b 27 be b3 
96 32 af 86 93 50 6a f7  3b cf ab 12 f4 62 82 77 
a6 27 c6 33 a2 a8 89 f4  90 ff 2b ed d0 25 53 3b 
dd af ba d0 8a f0 01 c7  ba df 59 4c 44 49 99 4a 
71 ba 5e 4a 3f 5e b8 71  d3 5b 80 35 be 7b cb ea 
psa_generate_random()
PSA_SUCCESS



e6 af 19 78 ae ca 14 4a  9c 61 f8 24 52 48 0e 97 
68 53 ba 9b 3e f8 a0 91  9a 29 81 0f 81 cc 1d 0e 
59 71 35 e9 af 00 11 cb  9e 92 5d 2b ff bc c3 a9 
19 61 9f 2a 8c 2e ea 5e  e7 1b 24 b4 29 17 cd 5c 
56 4a f3 50 14 62 cb bf  e4 1e 35 52 3a d2 cf 6b 
98 8d 2b e4 b4 d9 59 7e  0e ff 8c b9 25 d3 6a 8f 
e9 b2 77 58 48 de 38 69  a2 58 6b 9a 19 e3 7e e3 
4d c5 d9 5a 3b f0 14 f7  54 15 d7 6e 79 02 7f 5b 
53 79 19 85 59 2f bf 1c  8f 87 87 2d 72 1d e3 99 
3e 4b f6 0b 2f 9d 12 b9  f3 b9 ae 4c c0 c4 48 9d 
bc 3c 4b 1a a1 7b bf ed  b4 3c 09 d0 b2 2e 8b 19 
a1 18 d7 79 fa e7 85 73  91 81 0a 30 95 d0 5e 04 
ef 60 d2 30 6d 04 34 c4  1e 00 aa a6 fd 30 53 e2 
b6 86 26 6c 89 ae 3d e9  dd d1 c0 41 28 9d c2 67 
eb d1 51 3f 7a d3 2b e5  3b 3a 8c 9b 31 31 77 10 
98 d0 1b ef 07 5e 1a db  13 36 bb 68 6c 27 bb 71 
4c 88 a7 92 92 b0 d8 07  bb 36 fb 34 86 da 90 a0 
c2 c4 88 bb 36 ef f9 9e  9d a0 e1 c2 bd 69 ff c0 
d1 38 ec d7 d0 ea b7 94  cd 88 18 d7 cc 00 df 06 
19 39 05 46 08 cd 7e 3e  8b e1 ca 4d 88 64 70 8e 
a8 f5 f2 8e 92 75 bb 9b  fe b7 a4 42 8a 3f 52 e7 
b9 71 fa 8d e0 b5 e6 fe  20 b2 c3 e8 0f 1e 86 5d 
2d 50 60 2a 99 7a 07 49  52 31 30 12 2b d3 9e a3 
57 5a f0 7b bd c5 29 c5  08 fc 1f 6c 24 6d fd 7f 
59 9b ea 67 26 4a 60 e1  ea 9c 75 66 13 2a 9d 5f 
5d f4 65 af f9 7e 6a 91  a2 79 53 3b d2 02 33 76 
9f 8a 88 2a d6 6c 51 3b  d0 08 25 7e 2e 81 9d 79 
2c 62 d4 17 73 97 3a 21  36 21 70 db dc 22 a0 43 
f4 e9 ac b5 71 dc 35 fa  e6 13 6e 2b 4b 19 a7 45 
a0 e7 c7 82 a3 37 40 83  66 24 5a 90 bc 9f 21 0c 
ab 1b 8d d7 42 cf d5 db  ea 89 97 e2 be 7d 79 be 
70 88 41 54 0d 53 98 51  53 6a 25 41 34 5d eb 76 
5b fa 64 44 dc fd 71 37  ee 56 20 a6 6c 43 f9 7b 
b7 31 b3 b6 12 78 7f 78  d0 17 55 6f 14 a3 7e 9d 
6e 5e 76 b8 31 5f 3a db  36 10 e5 3e 85 40 60 13 
cb 2d 19 d5 6b ee e8 64  e6 38 35 c4 7f 26 44 95 
19 cb b3 33 ba e9 3c 2d  e2 44 04 3b df 9a 9f f2 
74 0d 41 69 28 52 7d e4  74 9c f7 31 c5 d2 97 1e 
8e f2 0f 9a 81 6f 87 b6  cf 6f 73 32 e2 ad 45 57 
aa 2e df b6 41 9e 8a 3e  28 6f 64 80 f6 8e a3 65 
60 96 07 5d 1e 83 cc f9  ae dd 43 f7 11 0f 07 17 
88 56 2a ef ef c5 f7 e6  c6 d9 a9 3a 29 2f 4a 23 
b3 f1 33 54 13 97 da 19  60 78 0d a1 52 ec 9e 03 
57 e1 6d c9 54 df 4e 30  db 51 62 e5 3a 6c 1c 14 
22 fc f8 ef 01 f5 61 71  9c b0 42 fc 4e e4 ac dc 
40 ff f5 7c 45 ee 4a 15  13 1b 2c 24 4a 8b 83 a9 
a9 2b 59 d7 d9 28 d7 7b  b6 2b 8c b4 e9 ed 6d 4b 
90 06 9b d6 27 07 08 5f  ab f4 82 d3 ce a8 22 b6 
a2 22 f4 2b 18 0d 3e 9a  0e 5c b4 0e ec 71 c9 7b 
70 33 88 53 14 ad d6 f7  98 c5 a4 e0 8b 3b df 47 
5a d4 aa dc 3d 71 b7 28  cc 95 79 3f 97 58 6f 6e 
8f bb 6b 65 19 97 1f 92  96 68 87 8b c9 a7 c0 72 
fb 7d 29 f2 1e 0a 86 01  6b 29 1b 49 cf 5e 92 f6 
80 21 19 0e d1 59 06 f8  87 c2 2e ca b9 85 e7 95 
31 d9 37 e4 08 3a 8c 2c  3a 58 bc 2a c5 d1 12 68 
fd 83 da ad e9 bb ec 65  15 28 8f f0 90 8f fc af 
38 99 18 70 26 78 b3 4b  6d 89 70 77 6d 30 d1 d8 
79 2c 55 b6 58 79 31 06  9f e0 52 d9 ec 30 6d 98 
08 3b 5c fe 3c 68 96 20  85 86 18 3d b8 80 df 6a 
06 91 77 6d 7c 0e 6d ba  40 b5 e9 22 2a 42 04 e2 
f8 3e 9e 6a c2 f2 22 39  65 5f 24 a0 ad 15 15 2e 
2b 6b 44 19 3f 25 07 05  12 85 18 62 2e db c3 2b 
a0 d4 a8 27 ee 5e 3d 8b  7f 51 2f 9d 54 b2 0b c3 
ee 43 b8 cb 4c 54 f3 bf  c6 af c9 df 4a e6 13 b5 
psa_generate_random()
PSA_SUCCESS

...until time for a reseed...

8e e4 b1 e9 18 8a de b9  11 d9 cd bd bb 41 15 6b 
> entropy_gather_internal
> mbedtls_hardware_poll
> ret: 0
> entropy_update 0x20001048
< ret 0
> mbedtls_nv_seed_poll
< ok 64
> entropy_update 0x20001048
< ret 0
psa_generate_random()
PSA_SUCCESS

We can see both entropy gathering functions are called with the PSA entropy context during init. Reseeds also gather from both entropy sources.

[gilles-peskine-arm]

Suppose I take the default configuration and do the minimum needed to enable entropy injection:

./scripts/config.pl set MBEDTLS_ENTROPY_NV_SEED; ./scripts/config.pl set MBEDTLS_PSA_INJECT_ENTROPY

Then entropy injection writes to ITS, but nothing reads that, and NV seed reads and writes MBEDTLS_PLATFORM_STD_NV_SEED_FILE.

That's a preexisting defect: enabling MBEDTLS_PSA_INJECT_ENTROPY should also change the NV seed hooks to access ITS, or else entropy injection should write to the seed file. But making entropy injection easier to turn on exacerbates this.

I'm very uncomfortable making entropy injection easier to enable without better integration and further validation. Validation should not just cover the nominal case but also runtime failures and misconfigurations.

[Patater]

As integrated with Mbed OS, the NV seed hooks are set to use ITS. I agree it's a bit hard to configure right now and error prone, but we do have it pre-configured correctly in Mbed OS currently.

https://github.com/ARMmbed/mbed-os/blob/b050a9df64cc53bfcc76aacc93958788aae0654c/features/mbedtls/platform/inc/platform_mbed.h#L29
https://github.com/ARMmbed/mbed-os/blob/497d0d65c375176f75faa92bd56d9fd474ae5c0a/features/mbedtls/platform/TARGET_PSA/COMPONENT_PSA_SRV_IMPL/src/default_random_seed.cpp#L6-L10

[gilles-peskine-arm]

These hooks should be moved to mbed-crypto and used if MBEDTLS_PSA_INJECT_ENTROPY is turned on. As it is, if you do the obvious thing to enable MBEDTLS_PSA_INJECT_ENTROPY, it doesn't work.

[Patater]

Agreed. However, we've run out of time to make that change in Mbed OS 5.13.0. We can update in a patch release to Mbed OS.

This change targets Mbed OS 5.13.0.

[Patater]

I've raised #147 to track your request to make the obvious thing Just Work™.

[gilles-peskine-arm]

I've reviewed the code paths and done a bit of ad hoc testing, and I'm ok with enabling this on Mbed OS only. Not in the development branch of Mbed Crypto or Mbed TLS. Please either create a separate branch or add an Mbed OS-specific check in check_config.h.

[Patater]

Added Mbed OS specific check in ARMmbed/mbed-os#10802