The goal for the CYGPKG_MBEDTLS3 package is to avoid where possible having to have any core Mbed TLS source file changes made specifically for eCos. This is to ensure that re-imports of newer versions of the Mbed TLS world involve minimal effort. The files are as provided in the official Mbed TLS release package as imported, with the following exceptions:

The current Mbed TLS version provided by the eCos package is 3.6.4 (with 3.6 being a Long Term Support (LTS) release supported until at least 2027Q1). Please read the package ChangeLog file for the original Mbed TLS release notes which are interleaved with the commments covering eCosCentric changes.

Cryptographic security is dependent on the use of strong keys. Strong keys are dependent on the quality of entropy used in their generation.

The eCosPro port of Mbed TLS provides both a default portable weak entropy mechanism, and the ability to implement a target platform specific mechanism to gather high-quality entropy.

We strongly recommend that you use as high a quality source of entropy as possible when using Mbed TLS on your target platform. The use of the generic weak entropy mechanism (provided by MBEDTLS_TIMING_C) is NOT recommended for anything other than simplifying the initial bring-up and testing of applications.

For eCos we define MBEDTLS_ENTROPY_HARDWARE_ALT for the configuration (in include/mbedtls/mbedtls_config.h) since the default Mbed TLS platform entropy implementation is Un*x/Windows only. The use of MBEDTLS_ENTROPY_HARDWARE_ALT provides for a link-time entropy source to be provided by the platform support. Other entropy sources are dynamically added at runtime via the mbedtls_entropy_add_source() functionality.

	Note
	In the following weak refers to the linker preference when linking an application, and not to a weak entropy source.

The eCos src/ecos_platform.c source file provides a weak function definition for the mbedtls_hardware_poll() implementation that will return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED since we expect the platform support or application code to provide a cryptographically strong implementation. Ideally such an implementation will use TRNG (True Random Number Generator) hardware support by the HAL, variant, architecture, etc. as appropriate.

The function prototype:

#include <mbedtls/entropy_poll.h>
          

The callback specific (context data pointer) parameter data will normally be NULL for the Mbed TLS registered implementation. The output parameter references a buffer of at least len bytes to receive random data. The olen pointer is filled by the function to report the number of valid bytes actually written, and may be 0 (zero) if the function is not able to satisfy the request for true random data. The function should return 0 to indicate no errors occurred, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED on error.

As an example of a platform specific implementation, the STM32 port of eCos provides an Mbed TLS entropy source based on the STM32's RNG hardware.