Note the expectations on mbedtls_psa_external_get_random() Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

commit: b663a6014032d0c082cca50292cec115e20d3938 [log] [tgz]
author: Gilles Peskine <Gilles.Peskine@arm.com> Wed Nov 18 15:27:37 2020 +0100
committer: Gilles Peskine <Gilles.Peskine@arm.com> Mon Nov 23 17:42:54 2020 +0100
tree: 6d243d3c235df14cf838ab801b523e63178f401a
parent: 89ffb28051c12f14d101437d4d1d245475ecb5f0 [diff] [blame]
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 6f2d541..6a41649 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h

@@ -1342,6 +1342,14 @@
  * Make the PSA Crypto module use an external random generator provided
  * by a driver, instead of Mbed TLS's entropy and DRBG modules.
  *
+ * \note This random generator must deliver random numbers with cryptographic
+ *       quality and high performance. It must supply unpredictable numbers
+ *       with a uniform distribution. The implementation of this function
+ *       is responsible for ensuring that the random generator is seeded
+ *       with sufficient entropy. If you have a hardware TRNG which is slow
+ *       or delivers non-uniform output, declare it as an entropy source
+ *       with mbedtls_entropy_add_source() instead of enabling this option.
+ *
  * If you enable this option, you must supply configure the type
  * ::mbedtls_psa_external_random_context_t in psa/crypto_platform.h
  * and define a function called mbedtls_psa_external_get_random()
commit	b663a6014032d0c082cca50292cec115e20d3938	[log] [tgz]
author	Gilles Peskine <Gilles.Peskine@arm.com>	Wed Nov 18 15:27:37 2020 +0100
committer	Gilles Peskine <Gilles.Peskine@arm.com>	Mon Nov 23 17:42:54 2020 +0100
tree	6d243d3c235df14cf838ab801b523e63178f401a
parent	89ffb28051c12f14d101437d4d1d245475ecb5f0 [diff] [blame]