From 59f9a3d19596a0835b9087fdb779d341cfa7906f Mon Sep 17 00:00:00 2001
From: Joakim Andersson
Date: Wed, 22 Nov 2023 17:01:12 +0100
Subject: [PATCH] nrf_security: Don't always enable entropy generator

The ENTROPY_GENERATOR configuration is to be selected by users of the zephyr entropy interface. nrf_security provides entropy through the PSA interface, not the zephyr entropy interface.

Signed-off-by: Joakim Andersson
---
 Kconfig.nrf | 5 -----
 subsys/nrf_security/Kconfig | 2 +-
 subsys/nrf_security/src/drivers/zephyr/Kconfig | 2 ++
 3 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/Kconfig.nrf b/Kconfig.nrf
index dbebbaaa986..cc063c431b6 100644
--- a/Kconfig.nrf
+++ b/Kconfig.nrf
@@ -82,11 +82,6 @@ config MCUMGR_TRANSPORT_NETBUF_SIZE
 config BT_BUF_CMD_TX_COUNT
  default 10 if SOC_NRF5340_CPUAPP || SOC_NRF5340_CPUNET
 
-# Set ENTROPY_GENERATOR to true for TF-M builds with enabled
-# RNG provided from secure services.
-config ENTROPY_GENERATOR
- default y if BUILD_WITH_TFM
-
 config INIT_ARCH_HW_AT_BOOT
  default y
  help
diff --git a/subsys/nrf_security/Kconfig b/subsys/nrf_security/Kconfig
index 6e77b7c4951..b909d8c900e 100644
--- a/subsys/nrf_security/Kconfig
+++ b/subsys/nrf_security/Kconfig
@@ -35,7 +35,6 @@ config NRF_SECURITY
  prompt "Enable nRF Security" if !PSA_PROMPTLESS
  depends on SOC_FAMILY_NRF
  default y if BUILD_WITH_TFM
- select ENTROPY_GENERATOR
  select DISABLE_MBEDTLS_BUILTIN if MBEDTLS
  help
  Set this configuration to enable nRF Security. This provides
@@ -100,6 +99,7 @@ config MBEDTLS_ENTROPY_POLL
  default y
  depends on !NRF_CC3XX_PLATFORM
  depends on !BUILD_WITH_TFM
+ select ENTROPY_GENERATOR
 
 # Include TLS/DTLS and x509 configurations
 rsource "Kconfig.tls"
diff --git a/subsys/nrf_security/src/drivers/zephyr/Kconfig b/subsys/nrf_security/src/drivers/zephyr/Kconfig
index 762835db38a..82df952b181 100644
--- a/subsys/nrf_security/src/drivers/zephyr/Kconfig
+++ b/subsys/nrf_security/src/drivers/zephyr/Kconfig
@@ -7,6 +7,8 @@
 config PSA_NEED_NRF_RNG_ENTROPY_DRIVER
  bool
  default y
+ # Cannot select entropy-generator without creating a loop to ENTROPY_PSA_CRYPTO_RNG
+ depends on ENTROPY_GENERATOR
  select PSA_ACCEL_GET_ENTROPY
  depends on HAS_HW_NRF_RNG
  depends on (!PSA_USE_CC3XX_CTR_DRBG_DRIVER && !PSA_USE_CC3XX_HMAC_DRBG_DRIVER) && \
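Review bot: With the added `depends on ENTROPY_GENERATOR`, PSA_NEED_NRF_RNG_ENTROPY_DRIVER (a `default y` bool with no prompt in the visible lines) is dropped silently whenever the application has not enabled ENTROPY_GENERATOR, and the same commit removes the `default y if BUILD_WITH_TFM` and the `select` under NRF_SECURITY that used to turn it on. The only `select ENTROPY_GENERATOR` left is under MBEDTLS_ENTROPY_POLL, which is limited to non-TF-M, non-CC3XX builds, so a configuration that relies on the nRF RNG for PSA entropy may end up with no entropy driver; whether something outside this patch rejects that at build time cannot be seen here. I would make the comment state the consequence, e.g. `# Only built when ENTROPY_GENERATOR is enabled elsewhere; selecting it here would create a loop to ENTROPY_PSA_CRYPTO_RNG`, and add a build-time check that at least one PSA entropy source is configured. The config entry continues past the hunk's last line, which ends in a line continuation.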