fix(security): Clarify TRNG engine ownership by OPTEE

shiva-ti · shiva-ti · commit b1907f9922ea · 2026-04-27T11:58:23.000+05:30
The SDK by default provides control of TRNG engine to OP-TEE, which
also firewalls the associated MMR regions.
Document this design choice for clarity.

Also include reference of TRNG in security central page.

Signed-off-by: Shiva Tripathi &lt;s-tripathi1@ti.com&gt;
diff --git a/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst b/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst
@@ -216,10 +216,12 @@ software only implementation can be compared to the previous test.
 Using the True Random Number Generator (TRNG) Hardware Accelerator
 ******************************************************************
 
-The pre-built kernel included within the SDK already has the OP-TEE TRNG
-driver enabled. You do not need any further configuration.
+In the default SDK, OP-TEE controls the TRNG engine and firewalls its
+hardware registers, blocking outside access. To use TRNG from Linux instead,
+disable the OP-TEE driver and enable the RNG node in the Linux device tree.
 
-Verify that the optee-rng driver is loaded:
+Using TRNG from OP-TEE requires no further configuration. Verify the optee-rng
+driver loads:
 
 .. code-block:: console
 
diff --git a/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst b/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst
@@ -304,8 +304,12 @@ software only implementation can be compared to the previous test.
 Using the TRNG Hardware Accelerator
 ***********************************
 
-The pre built kernel that come with the SDK already has the TRNG driver
-built into the kernel. No further configuration is required.
+In the default SDK, OP-TEE controls the TRNG engine and firewalls its
+hardware registers, blocking outside access. To use TRNG from Linux instead,
+disable the OP-TEE driver and enable the RNG node in the Linux device tree.
+
+Using TRNG from OP-TEE requires no further configuration. Verify the optee-rng
+driver loads:
 
 .. ifconfig:: CONFIG_crypto in ('sa2ul')
 
diff --git a/source/linux/Foundational_Components/System_Security/Security_overview.rst b/source/linux/Foundational_Components/System_Security/Security_overview.rst
@@ -49,7 +49,8 @@ The following table lists some of the key Security Features:
   | **Authenticated Boot**  | Verifies each boot component to ensure only authorized    | :ref:`auth_boot_guide`               |
   |                         | code executes on the device                               |                                      |
   +-------------------------+-----------------------------------------------------------+--------------------------------------+
-  | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms      | :ref:`crypto-accelerator`            |
+  | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms and  | :ref:`crypto-accelerator`            |
+  | **and TRNG**            | hardware entropy based secure random number generation    |                                      |
   +-------------------------+-----------------------------------------------------------+--------------------------------------+
   | **Key Management**      | Tools for secure key provisioning                         | :ref:`key-writer-lite-label`         |
   +-------------------------+-----------------------------------------------------------+--------------------------------------+
@@ -81,7 +82,8 @@ The following table lists some of the key Security Features:
   | **Authenticated Boot**  | Transparent disk encryption using the Linux kernel        | :ref:`auth_boot_guide`               |
   |                         | device mapper (dm-crypt) for data confidentiality         |                                      |
   +-------------------------+-----------------------------------------------------------+--------------------------------------+
-  | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms      | :ref:`crypto-accelerator`            |
+  | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms and  | :ref:`crypto-accelerator`            |
+  | **and TRNG**            | hardware entropy based secure random number generation    |                                      |
   +-------------------------+-----------------------------------------------------------+--------------------------------------+
   | **Secure Storage**      | Protection mechanisms for sensitive data                  | :ref:`secure-storage-with-rpmb`      |
   +-------------------------+-----------------------------------------------------------+--------------------------------------+
@@ -106,7 +108,8 @@ The following table lists some of the key Security Features:
   +-------------------------+-----------------------------------------------------------+--------------------------------------+
   | Security Feature        | Description                                               | Links                                |
   +=========================+===========================================================+======================================+
-  | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms      | :ref:`crypto-accelerator`            |
+  | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms and  | :ref:`crypto-accelerator`            |
+  | **and TRNG**            | hardware entropy based secure random number generation    |                                      |
   +-------------------------+-----------------------------------------------------------+--------------------------------------+
   | **Secure Storage**      | Protection mechanisms for sensitive data                  | :ref:`secure-storage-with-rpmb`      |
   +-------------------------+-----------------------------------------------------------+--------------------------------------+
