2020-06-19 17:17:50 +02:00
|
|
|
/*
|
|
|
|
* Copyright (C) 2020 HAW Hamburg
|
|
|
|
*
|
|
|
|
* This file is subject to the terms and conditions of the GNU Lesser
|
|
|
|
* General Public License v2.1. See the file LICENSE in the top level
|
|
|
|
* directory for more details.
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @defgroup pkg_mbedtls ARM Mbed TLS
|
|
|
|
* @ingroup pkg
|
|
|
|
* @brief SSL crypto library
|
|
|
|
* @see https://github.com/ARMmbed/mbedtls.git
|
|
|
|
* @warning Entropy sources need to be thoroughly evaluated before deployment.
|
|
|
|
* @experimental This port is in an early state - expect changes.
|
|
|
|
*
|
|
|
|
*
|
|
|
|
* # Overview
|
|
|
|
*
|
|
|
|
* This port includes the ARM Mbed TLS library as a package. A more comprehensive
|
|
|
|
* library documentation can be found in the [knowledge base](https://tls.mbed.org/kb) and the
|
|
|
|
* [source code documentation](https://tls.mbed.org/api/). Mbed TLS is highly
|
|
|
|
* configurable and it allows inclusion of alternative hardware or OS specific implementations
|
|
|
|
* to be used by the library.
|
|
|
|
* A porting guide can be found [here](https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS).
|
|
|
|
* The configuration and enablement of alternative implementations has to be defined in
|
|
|
|
* the [configuration file](include/riot_mbedtls_config.h) of this package.
|
|
|
|
*
|
|
|
|
*
|
|
|
|
* # Tested Submodules
|
|
|
|
*
|
|
|
|
* ## Entropy
|
|
|
|
* The `entropy` and `entropy_poll` components of the Mbed TLS library
|
|
|
|
* have been tested in RIOT. The module uses a SHA-256 or a SHA-512 based
|
|
|
|
* accumulator. This port enables the SHA-256 accumulator and it adapts the RIOT SHA-256
|
|
|
|
* implementation to be used as a backend. Our reconfiguration disables the internal
|
|
|
|
* Mbed TLS implementation. A future
|
|
|
|
* compile time configuration in RIOT with transparent hardware crypto acceleration
|
|
|
|
* support will be used by the package seamlessly.
|
|
|
|
*
|
|
|
|
* The entropy module is initialized with one or more entropy
|
|
|
|
* sources which are polled iteratively and accumulated. Sources for entropy are
|
|
|
|
* registered with a function pointer and an assumption about their strength (strong/weak).
|
|
|
|
* The module is designed for cryptographic purposes, thus, an entropy poll will
|
|
|
|
* fail if there is not a single strong source. Strong sources are typically true
|
|
|
|
* (hardware) random number generators with conditioning which will provide full entropy
|
|
|
|
* per sample. In contrast, weak sources do not necessarily provide full entropy per
|
|
|
|
* sample and act as a complement, even if they only contain few random bits in a sample,
|
|
|
|
* which is typically the case for sampled noise sources.
|
|
|
|
*
|
|
|
|
*
|
|
|
|
* ### Entropy Sources
|
|
|
|
*
|
|
|
|
* RIOT provides default sources to feed the entropy module. Yet, only
|
|
|
|
* @ref drivers_periph_hwrng and @ref sys_entropy_source_adc are enabled in this package. It is planned to
|
|
|
|
* extend this list. In addition, a user can connect a personal source to the entropy
|
|
|
|
* poll by implementing [`mbedtls_entropy_add_source`](https://tls.mbed.org/api/entropy_8h.html).
|
|
|
|
*
|
|
|
|
* It is noteworthy that an entropy module might be required during OS bootstrapping,
|
|
|
|
* hence, a module that is added in `main()` will not be incorporated during `auto_init()`.
|
|
|
|
*
|
|
|
|
* Mbed TLS entropy sources are expressed as pseudomodules.
|
|
|
|
*
|
|
|
|
* ```
|
|
|
|
* PSEUDOMODULES += mbedtls_entropy_source_hwrng
|
|
|
|
* PSEUDOMODULES += mbedtls_entropy_source_adc
|
|
|
|
* ```
|
|
|
|
*
|
|
|
|
* Clearly, these sources require hardware capabilities which are indicated by a platform.
|
|
|
|
*
|
|
|
|
* ```
|
|
|
|
* FEATURES_PROVIDED += periph_hwrng
|
|
|
|
* FEATURES_PROVIDED += periph_adc
|
|
|
|
* ```
|
|
|
|
*
|
|
|
|
* All sources will be enabled by default, if available. Furthermore, a single source
|
|
|
|
* can be manually excluded from the entropy poll by disabling it in the applications Makefile.
|
|
|
|
*
|
|
|
|
* ```
|
|
|
|
* DISABLE_MODULE += mbedtls_entropy_source_hwrng
|
|
|
|
* ```
|
|
|
|
*
|
|
|
|
* ### Usage
|
|
|
|
* The RIOT API @ref pkg_mbedtls_entropy
|
|
|
|
* can be used which wraps around the Mbed TLS API and handles one entropy context internally.
|
|
|
|
* Thereby, @ref entropy_mbedtls_riot_get initializes the module, retrieves entropy
|
|
|
|
* values and uninitializes the context afterwards.
|
|
|
|
* Alternatively, the entropy module can be used directly by calling the Mbed TLS API which requires
|
|
|
|
* the entropy context to be allocated from application code. The adaptation in this
|
|
|
|
* package will then only utilize the first configured entropy source
|
|
|
|
* during initialization.
|
|
|
|
*
|
|
|
|
* # Testing
|
|
|
|
* Many Mbed TLS implementations provide self tests within the boundaries of
|
2023-05-06 07:48:58 +02:00
|
|
|
* a module and the [test folder](../../tests/pkg/mbedtls) acts as a place to execute
|
2020-06-19 17:17:50 +02:00
|
|
|
* these tests in RIOT context. It is noteworthy, that built-in Mbed TLS entropy source tests
|
|
|
|
* only execute on the source that is implemented in `mbedtls_hardware_poll`.
|
|
|
|
* The additional sources that were added using `mbedtls_entropy_add_source` are ignored in the test.
|
|
|
|
*
|
|
|
|
*/
|