Demonstrate entropy injection

Make the example demonstrate entropy injection by adding a new function,
called before psa_crypto_init(), that attempts to inject some fake
entropy into the system. Print a warning message if injecting entropy
fails.

Author: Patater

README.md

@@ -7,6 +7,32 @@ List of examples contained within this repository:
 * Cipher encrypt/decrypt using an AES key in cipher block chain (CBC) mode with PKCS7 padding using multiple blocks.
 * Cipher encrypt/decrypt using an AES key in counter (CTR) mode using multiple blocks.
 
+## Factory injection of entropy
+
+This example also contains a fake entropy injection example. Use of this
+function (`mbedtls_psa_inject_entropy()`) is demonstrated in this example, but
+it is not a function users would ever need to call as part of their
+applications. The function is useful for factory tool developers only.
+
+In a production system, and in the absence of other sources of entropy, a
+factory tool can inject entropy into the device. After the factory tool
+completes manufacturing of a device, that device must contain enough entropy
+for the lifetime of the device or be able to produce it with an on-board TRNG.
+
+A factory application wishing to inject entropy should configure Mbed Crypto
+using the Mbed TLS configuration system, such as in the factory application's
+`mbed_app.json` as follows:
+
+```javascript
+{
+    "macros": [
+        "MBEDTLS_ENTROPY_NV_SEED=1",
+        "MBEDTLS_PLATFORM_NV_SEED_READ_MACRO=mbed_default_seed_read",
+        "MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO=mbed_default_seed_write"
+    ]
+}
+```
+
 ## Prerequisites
 * Install <a href='https://github.com/ARMmbed/mbed-cli#installing-mbed-cli'>Mbed CLI</a>
 

main.cpp

@@ -19,6 +19,7 @@
 #endif
 
 #include "psa/crypto.h"
+#include "entropy.h"
 #include <string.h>
 #include <inttypes.h>
 
@@ -331,8 +332,33 @@ static void cipher_examples(void)
     }
 }
 
+static void fake_set_initial_nvseed(void)
+{
+    /* mbedtls_psa_inject_entropy() depends on both MBEDTLS_ENTROPY_NV_SEED and
+     * MBEDTLS_PSA_HAS_ITS_IO being enabled by the Mbed TLS configuration
+     * system. */
+#if defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_PSA_HAS_ITS_IO)
+    uint8_t seed[MBEDTLS_ENTROPY_MAX_SEED_SIZE];
+
+    /* Calculate a fake seed for injecting. A real factory application would
+     * inject true entropy for use as the initial NV Seed. */
+    for (size_t i = 0; i < sizeof(seed); ++i) {
+        seed[i] = i;
+    }
+
+    int status =  mbedtls_psa_inject_entropy(seed, sizeof(seed));
+    if (status) {
+        /* The device may already have an NV Seed injected, or another error
+         * may have happened during injection. */
+        mbedtls_printf("warning - this attempt at entropy injection failed\n");
+    }
+#endif
+}
+
 int main(void)
 {
+    fake_set_initial_nvseed();
+
     ASSERT_STATUS(psa_crypto_init(), PSA_SUCCESS);
     cipher_examples();
 exit: