# Random configuration options

# Copyright (c) 2017 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

menu "Random Number Generators"

config TEST_RANDOM_GENERATOR
	bool "Allow non-random number generator"
	help
	  This option signifies that a non-random number generator is allowed to
	  be used and the kernel's random number APIs are permitted to return
	  values that are not truly random.

	  This capability is provided for testing purposes when a truly random
	  number generator is not available. The non-random number generator
	  should not be used in a production environment.

	  This option is intended to be selected only by application-level
	  configurations (e.g. in tests and samples) to indicate that the
	  application is allowed to run with a random number generator that is not
	  truly random. Board-level configurations must not select this option
	  unless the sole purpose of the board is testing (e.g. QEMU emulation
	  boards).

	  Note that this option does not imply that a non-random number generator
	  is selected -- that is indicated by RNG_GENERATOR_CHOICE. An entropy
	  device-backed random number generator, if available, will be selected by
	  default even when CONFIG_TEST_RANDOM_GENERATOR=y.

config TIMER_RANDOM_INITIAL_STATE
	int "Initial state used by clock based number generator"
	default 123456789
	help
	  Initial state value used by TIMER_RANDOM_GENERATOR and
	  early random number genenator.


choice RNG_GENERATOR_CHOICE
	prompt "Random generator"
	default ENTROPY_DEVICE_RANDOM_GENERATOR if ENTROPY_HAS_DRIVER
	default TIMER_RANDOM_GENERATOR if TEST_RANDOM_GENERATOR
	depends on ENTROPY_HAS_DRIVER || TEST_RANDOM_GENERATOR
	help
	  Platform dependent non-cryptographically secure random number support.

	  If the entropy support of the platform has sufficient performance
	  to support random request then select that. Otherwise, select the
	  XOSHIRO algorithm

config TIMER_RANDOM_GENERATOR
	bool "System timer clock based number generator"
	depends on TEST_RANDOM_GENERATOR
	help
	  This options enables number generator based on system timer
	  clock. This number generator is not random and used for
	  testing only.

config ENTROPY_DEVICE_RANDOM_GENERATOR
	bool "Use entropy driver to generate random numbers"
	depends on ENTROPY_HAS_DRIVER
	help
	  Enables a random number generator that uses the enabled hardware
	  entropy gathering driver to generate random numbers. Should only be
	  selected if hardware entropy driver is designed to be a random
	  number generator source.

config XOSHIRO_RANDOM_GENERATOR
	bool "Use Xoshiro128++ as PRNG"
	depends on ENTROPY_HAS_DRIVER
	help
	  Enables the Xoshiro128++ pseudo-random number generator, that uses
	  the entropy driver as a seed source. This is a fast general-purpose
	  non-cryptographically secure random number generator.

endchoice # RNG_GENERATOR_CHOICE


DT_CHOSEN_Z_ENTROPY := zephyr,entropy
config CSPRNG_AVAILABLE
	bool
	default y if $(dt_chosen_enabled,$(DT_CHOSEN_Z_ENTROPY))
	help
	  Helper that can be used to check if the platform is capable of generating
	  CS random values. For this to be enabled, there must be the "zephyr,entropy"
	  chosen property defined in the devicetree. This means that there is an
	  HW entropy generator that can be used for this purpose.
	  Once CONFIG_CSPRNG_AVAILABLE is set, then CONFIG_ENTROPY_GENERATOR can
	  be enabled to enable the platform specific entropy driver.

#
# Implied dependency on a cryptographically secure entropy source when
# enabling CS generators. ENTROPY_HAS_DRIVER is the flag indicating the
# CS entropy source.
#
config CSPRNG_ENABLED
	bool
	default y
	depends on ENTROPY_HAS_DRIVER

choice CSPRNG_GENERATOR_CHOICE
	prompt "Cryptographically secure random generator"
	default HARDWARE_DEVICE_CS_GENERATOR
	default TEST_CSPRNG_GENERATOR
	help
	  Platform dependent cryptographically secure random number support.

	  If the hardware entropy support of the platform has sufficient
	  performance to support CSRNG then select that. Otherwise, select
	  CTR-DRBG CSPRNG as that is a FIPS140-2 recommended CSPRNG.

config HARDWARE_DEVICE_CS_GENERATOR
	bool "Use hardware random driver for CS random numbers"
	depends on ENTROPY_HAS_DRIVER
	help
	  Enables a cryptographically secure random number generator that
	  uses the enabled hardware random number driver to generate
	  random numbers.

config CTR_DRBG_CSPRNG_GENERATOR
	bool "Use CTR-DRBG CSPRNG"
	depends on MBEDTLS
	depends on ENTROPY_HAS_DRIVER
	select MBEDTLS_CIPHER_AES_ENABLED
	help
	  Enables the CTR-DRBG pseudo-random number generator. This CSPRNG
	  shall use the entropy API for an initialization seed. The CTR-DRBG
	  is a FIPS140-2 recommended cryptographically secure random number
	  generator.

config TEST_CSPRNG_GENERATOR
	bool "Use insecure CSPRNG for testing purposes"
	depends on TEST_RANDOM_GENERATOR
	help
	  Route calls to `sys_csrand_get` through `sys_rand_get` to enable
	  libraries that use the former to be tested with ZTEST.

endchoice # CSPRNG_GENERATOR_CHOICE

config CS_CTR_DRBG_PERSONALIZATION
	string "CTR-DRBG Personalization string"
	default "zephyr ctr-drbg seed"
	depends on CTR_DRBG_CSPRNG_GENERATOR
	help
	  Personalization data can be provided in addition to the entropy
	  source to make the initialization of the CTR-DRBG as unique as
	  possible.

endmenu
