nrf_security: Avoid psa_generate_random inside CRACEN driver

Vge0rge · Vge0rge · commit 71b69fdfca2c · 2025-08-11T12:45:00.000+02:00
Change all the psa_generate_random calls to call the driver
directly (cracen_get_random). This makes it more consistent
with the rest of the driver. It is also a better practice
to stay on the same levels of APIs and avoid calling APIs
in higher levels.

Signed-off-by: Georgios Vasilakis &lt;georgios.vasilakis@nordicsemi.no&gt;
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/common.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/common.c
@@ -395,7 +395,7 @@ psa_status_t rnd_in_range(uint8_t *n, size_t sz, const uint8_t *upperlimit, size
 	msb_mask = ~msb_mask;
 
 	while (retries++ < retry_limit) {
-		psa_status_t status = psa_generate_random(n, sz);
+		psa_status_t status = cracen_get_random(NULL, n, sz);
 
 		if (status) {
 			return status;
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/common.h b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/common.h
@@ -150,7 +150,7 @@ int cracen_signature_get_rsa_key(struct cracen_rsa_key *rsa, bool extract_pubkey
 int cracen_signature_asn1_get_operand(uint8_t **p, const uint8_t *end, struct sx_buf *op);
 
 /**
- * @brief Use psa_generate_random up to generate a random number in the range [1, upperlimit).
+ * @brief Use cracen_get_random up to generate a random number in the range [1, upperlimit).
  *
  * @param[out] n           Output number.
  * @param[in]  sz          Size of number in bytes.
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c
@@ -1167,7 +1167,8 @@ psa_status_t generate_key_for_kmu(const psa_key_attributes_t *attributes, uint8_
 		}
 	} else if (key_type == PSA_KEY_TYPE_AES || key_type == PSA_KEY_TYPE_HMAC ||
 		   key_type == PSA_KEY_TYPE_CHACHA20) {
-		status = psa_generate_random(key, PSA_BITS_TO_BYTES(psa_get_key_bits(attributes)));
+		status = cracen_get_random(NULL, key,
+					   PSA_BITS_TO_BYTES(psa_get_key_bits(attributes)));
 		if (status != PSA_SUCCESS) {
 			return status;
 		}
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c
@@ -159,7 +159,7 @@ static psa_status_t cracen_kmu_encrypt(const uint8_t *key, size_t key_length,
 	psa_set_key_usage_flags(&attr, PSA_KEY_USAGE_ENCRYPT);
 
 	if (encrypted_buffer_size > CRACEN_KMU_SLOT_KEY_SIZE) {
-		psa_status = psa_generate_random(encrypted_buffer, CRACEN_KMU_SLOT_KEY_SIZE);
+		psa_status = cracen_get_random(NULL, encrypted_buffer, CRACEN_KMU_SLOT_KEY_SIZE);
 	} else {
 		return PSA_ERROR_GENERIC_ERROR;
 	}
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/spake2p.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/spake2p.c
@@ -443,7 +443,7 @@ static psa_status_t cracen_write_key_share(cracen_spake2p_operation_t *operation
 		}
 	}
 
-	status = psa_generate_random(xs, sizeof(xs));
+	status = cracen_get_random(NULL, xs, sizeof(xs));
 	if (status != PSA_SUCCESS) {
 		return status;
 	}

Original file line number	Diff line number	Diff line change
`@@ -150,7 +150,7 @@ int cracen_signature_get_rsa_key(struct cracen_rsa_key *rsa, bool extract_pubkey`
`150`	`150`	`int cracen_signature_asn1_get_operand(uint8_t *p, const uint8_t end, struct sx_buf *op);`
`151`	`151`
`152`	`152`	`/**`
`153`		`- * @brief Use psa_generate_random up to generate a random number in the range [1, upperlimit).`
	`153`	`+ * @brief Use cracen_get_random up to generate a random number in the range [1, upperlimit).`
`154`	`154`	`*`
`155`	`155`	`* @param[out] n Output number.`
`156`	`156`	`* @param[in] sz Size of number in bytes.`
Original file line number	Diff line number	Diff line change
`@@ -1167,7 +1167,8 @@ psa_status_t generate_key_for_kmu(const psa_key_attributes_t *attributes, uint8_`
`1167`	`1167`	`}`
`1168`	`1168`	`} else if (key_type == PSA_KEY_TYPE_AES \|\| key_type == PSA_KEY_TYPE_HMAC \|\|`
`1169`	`1169`	`key_type == PSA_KEY_TYPE_CHACHA20) {`
`1170`		`- status = psa_generate_random(key, PSA_BITS_TO_BYTES(psa_get_key_bits(attributes)));`
	`1170`	`+ status = cracen_get_random(NULL, key,`
	`1171`	`+ PSA_BITS_TO_BYTES(psa_get_key_bits(attributes)));`
`1171`	`1172`	`if (status != PSA_SUCCESS) {`
`1172`	`1173`	`return status;`
`1173`	`1174`	`}`
Original file line number	Diff line number	Diff line change
`@@ -159,7 +159,7 @@ static psa_status_t cracen_kmu_encrypt(const uint8_t *key, size_t key_length,`
`159`	`159`	`psa_set_key_usage_flags(&attr, PSA_KEY_USAGE_ENCRYPT);`
`160`	`160`
`161`	`161`	`if (encrypted_buffer_size > CRACEN_KMU_SLOT_KEY_SIZE) {`
`162`		`- psa_status = psa_generate_random(encrypted_buffer, CRACEN_KMU_SLOT_KEY_SIZE);`
	`162`	`+ psa_status = cracen_get_random(NULL, encrypted_buffer, CRACEN_KMU_SLOT_KEY_SIZE);`
`163`	`163`	`} else {`
`164`	`164`	`return PSA_ERROR_GENERIC_ERROR;`
`165`	`165`	`}`
Original file line number	Diff line number	Diff line change
`@@ -443,7 +443,7 @@ static psa_status_t cracen_write_key_share(cracen_spake2p_operation_t *operation`
`443`	`443`	`}`
`444`	`444`	`}`
`445`	`445`
`446`		`- status = psa_generate_random(xs, sizeof(xs));`
	`446`	`+ status = cracen_get_random(NULL, xs, sizeof(xs));`
`447`	`447`	`if (status != PSA_SUCCESS) {`
`448`	`448`	`return status;`
`449`	`449`	`}`