diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 6f2d54156f..6a41649e16 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1342,6 +1342,14 @@
 * Make the PSA Crypto module use an external random generator provided
 * by a driver, instead of Mbed TLS's entropy and DRBG modules.
 *
+ * \note This random generator must deliver random numbers with cryptographic
+ * quality and high performance. It must supply unpredictable numbers
+ * with a uniform distribution. The implementation of this function
+ * is responsible for ensuring that the random generator is seeded
+ * with sufficient entropy. If you have a hardware TRNG which is slow
+ * or delivers non-uniform output, declare it as an entropy source
+ * with mbedtls_entropy_add_source() instead of enabling this option.
+ *
 * If you enable this option, you must supply configure the type
 * ::mbedtls_psa_external_random_context_t in psa/crypto_platform.h
 * and define a function called mbedtls_psa_external_get_random()
diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h
index 218a6bab24..0ebf140c3e 100644
--- a/include/psa/crypto_extra.h
+++ b/include/psa/crypto_extra.h
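Review bot: The added \note in config.h says "The implementation of this function", but at this point the reader is looking at a configuration option, and the function it means, mbedtls_psa_external_get_random(), is only named three lines further down; the same paragraph pasted into crypto_extra.h (second hunk) has the mirror-image problem, closing with "instead of enabling this option" inside a function's documentation where no option is in view. Since this is the security contract an integrator must meet, make each copy self-contained: in config.h write `The implementation of mbedtls_psa_external_get_random()` and in crypto_extra.h write `instead of implementing this function`, or keep the text in one place and cross-reference it from the other so the two copies cannot drift. The adjacent pre-existing context line `you must supply configure the type` also reads as a leftover from an earlier edit and could be fixed in the same pass, though that line is not part of this change.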
@@ -660,6 +660,14 @@ mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve,
 * this function replaces Mbed TLS's entropy and DRBG modules for all
 * random generation triggered via PSA crypto interfaces.
 *
+ * \note This random generator must deliver random numbers with cryptographic
+ * quality and high performance. It must supply unpredictable numbers
+ * with a uniform distribution. The implementation of this function
+ * is responsible for ensuring that the random generator is seeded
+ * with sufficient entropy. If you have a hardware TRNG which is slow
+ * or delivers non-uniform output, declare it as an entropy source
+ * with mbedtls_entropy_add_source() instead of enabling this option.
+ *
 * \param[in,out] context Pointer to the random generator context.
 * This is all-bits-zero on the first call
 * and preserved between successive calls.