
Commit 634f43b

fix(security): Clarify TRNG engine ownership by OPTEE
The SDK by default provides control of TRNG engine to OP-TEE, which also firewalls the associated MMR regions. Document this design choice for clarity.

Signed-off-by: Shiva Tripathi <s-tripathi1@ti.com>
1 parent a1acc01 commit 634f43b

2 files changed

Lines changed: 15 additions & 5 deletions

File tree

source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst

Lines changed: 8 additions & 3 deletions
@@ -216,9 +216,14 @@ software only implementation can be compared to the previous test.
216216
Using the True Random Number Generator (TRNG) Hardware Accelerator
217217
******************************************************************
218218

219-
The pre-built kernel included within the SDK already has the OP-TEE TRNG
220-
driver enabled. You do not need any further configuration.
221-
219+
The TRNG engine can be configured through the Linux kernel or OP‑TEE
220+
drivers. By default, the SDK provides TRNG hardware control to OP‑TEE,
221+
which firewalls its associated MMRs, restricting any non‑secure access
222+
to the hardware. To access TRNG from Linux, the OP‑TEE driver should be
223+
disabled and the RNG node enabled in the Linux device tree (reserved by
224+
default).
225+
226+
To use the TRNG driver from OP‑TEE, no further configuration is required.
222227
Verify that the optee-rng driver is loaded:
223228

224229
.. code-block:: console
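Review bot: The closing sentence of the new paragraph, "the OP‑TEE driver should be disabled and the RNG node enabled in the Linux device tree (reserved by default)", is ambiguous about which driver is meant: the Linux-side optee-rng client that the very next line asks the reader to verify, or the TRNG driver inside OP-TEE itself. Because the same paragraph states that OP-TEE firewalls the TRNG MMRs against non-secure access, it should say explicitly that the firewall stays in place until OP-TEE gives up the engine, so disabling only the Linux client would not make the hardware reachable from Linux; naming the OP-TEE build option and the device-tree node to change (or linking to where they are documented) would make the step actionable. Two smaller points: expand "MMRs" on first use (memory-mapped registers), and replace the Unicode non-breaking hyphens in "OP‑TEE" throughout the added lines with the ASCII "OP-TEE" used in SA2UL_OMAP.rst, so a search of the docs for "OP-TEE" still matches this page.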

source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst

Lines changed: 7 additions & 2 deletions
@@ -304,8 +304,13 @@ software only implementation can be compared to the previous test.
304304
Using the TRNG Hardware Accelerator
305305
***********************************
306306

307-
The pre built kernel that come with the SDK already has the TRNG driver
308-
built into the kernel. No further configuration is required.
307+
The TRNG engine can be configured through the Linux kernel or OP-TEE
308+
drivers. By default, the SDK provides TRNG hardware control to OP-TEE,
309+
which firewalls its associated MMRs, restricting any non-secure access to
310+
the hardware. To access TRNG from Linux, the OP-TEE driver should be
311+
disabled and RNG node enabled in the Linux device tree (reserved by default).
312+
313+
To use TRNG driver from OP-TEE, no further configuration is required.
309314

310315
.. ifconfig:: CONFIG_crypto in ('sa2ul')
311316

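Review bot: Two articles are missing in the added text: "disabled and RNG node enabled" should read "disabled and the RNG node enabled", and "To use TRNG driver from OP-TEE" should read "To use the TRNG driver from OP-TEE". This paragraph is a near-verbatim copy of the one added to DTHEv2.rst in the same commit but already differs in wording and line breaks; either keep the two identical or move the text into a shared ``.. include::`` fragment so the ownership description cannot drift between the two pages. As with the DTHEv2.rst hunk, "(reserved by default)" should state what is reserved (the RNG node's device-tree status) and the paragraph should note that the OP-TEE firewall on the TRNG MMRs must be lifted on the OP-TEE side before Linux can drive the engine; disabling the Linux client alone is not enough.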