diff --git a/CODEOWNERS b/CODEOWNERS
index fe54d846002..f6c57055cfb 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -824,6 +824,7 @@
 /subsys/partition_manager/ @nordicjm @tejlmand
 /subsys/pcd/ @nrfconnect/ncs-pluto
 /subsys/sdfw_services/ @nrfconnect/ncs-aurora
+/subsys/secure_storage/ @nrfconnect/ncs-aegir
 /subsys/settings/ @nrfconnect/ncs-pluto @rghaddab
 /subsys/sdfw_services/services/extmem/ @nrfconnect/ncs-charon
 /subsys/sdfw_services/services/suit_service/ @nrfconnect/ncs-charon
@@ -945,6 +946,7 @@
 /tests/subsys/pcd/ @nrfconnect/ncs-pluto
 /tests/subsys/sdfw_services/ @nrfconnect/ncs-aurora
 /tests/subsys/suit/ @nrfconnect/ncs-charon
+/tests/subsys/usb/negotiated_speed/ @nrfconnect/ncs-low-level-test
 /tests/tfm/ @nrfconnect/ncs-aegir @magnev
 /tests/unity/ @nordic-krch
 /tests/zephyr/boards/nrf/ @nrfconnect/ncs-low-level-test
@@ -968,7 +970,7 @@
 /tests/zephyr/drivers/uart/ @nrfconnect/ncs-low-level-test
 /tests/zephyr/drivers/watchdog/ @nrfconnect/ncs-low-level-test
 /tests/zephyr/kernel/timer/timer_behavior/ @nrfconnect/ncs-low-level-test
-/tests/subsys/usb/negotiated_speed/ @nrfconnect/ncs-low-level-test
+/tests/zephyr/subsys/secure_storage/ @nrfconnect/ncs-aegir
 /tests/zephyr/subsys/settings/performance/ @nrfconnect/ncs-pluto @rghaddab
 /tests/benchmarks/multicore/idle/*.rst @nrfconnect/ncs-si-bluebagel-doc
diff --git a/samples/crypto/persistent_key_usage/CMakeLists.txt b/samples/crypto/persistent_key_usage/CMakeLists.txt
index 0fc67a105cf..5e9334b17ab 100644
--- a/samples/crypto/persistent_key_usage/CMakeLists.txt
+++ b/samples/crypto/persistent_key_usage/CMakeLists.txt
@@ -11,9 +11,6 @@ find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
 project(persistent_key)
 target_sources(app PRIVATE
- src/main.c
- )
-
-target_sources_ifdef(CONFIG_TRUSTED_STORAGE app PRIVATE
- src/trusted_storage_init.c
- )
+ src/main.c
+ src/init.c
+)
diff --git a/samples/crypto/persistent_key_usage/README.rst b/samples/crypto/persistent_key_usage/README.rst
index 3f5029e723d..3fb6250ca10 100644
--- a/samples/crypto/persistent_key_usage/README.rst
+++ b/samples/crypto/persistent_key_usage/README.rst
@@ -1,7 +1,7 @@
 .. _crypto_persistent_key:
-Crypto: Persistent key storage
-##############################
+Crypto: Persistent key usage
+############################
 .. contents::
 :local:
@@ -9,7 +9,11 @@ Crypto: Persistent key storage
 The persistent key sample shows how to generate a persistent key using the Platform Security Architecture (PSA) APIs.
 Persistent keys are stored in the Internal Trusted Storage (ITS) of the device and retain their value between resets.
-The ITS backend is either provided by TF-M, or the :ref:`trusted_storage_readme` library when building applications without TF-M.
+The implementation of the PSA ITS API is provided in one of the following ways, depending on your configuration:
+
+* Through TF-M using Internal Trusted Storage and Protected Storage services.
+* When building without TF-M: using either Zephyr's :ref:`secure_storage` subsystem or the :ref:`trusted_storage_readme` library.
+
 A persistent key becomes unusable when the ``psa_destroy_key`` function is called.
 Requirements
@@ -72,6 +76,7 @@ Dependencies
 * :file:`psa/crypto.h`
-* Builds without TF-M use the :ref:`trusted_storage_readme` library
+* Builds without TF-M use the :ref:`secure_storage` subsystem as the PSA Secure Storage API
+ provider.
 * The :ref:`lib_hw_unique_key` is used to encrypt the key before storing it.
diff --git a/samples/crypto/persistent_key_usage/boards/nrf52840dk_nrf52840.conf b/samples/crypto/persistent_key_usage/boards/nrf52840dk_nrf52840.conf
index 7ec63465389..551be17bac3 100644
--- a/samples/crypto/persistent_key_usage/boards/nrf52840dk_nrf52840.conf
+++ b/samples/crypto/persistent_key_usage/boards/nrf52840dk_nrf52840.conf
@@ -2,19 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
+
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
-CONFIG_SETTINGS_NVS=y
-CONFIG_TRUSTED_STORAGE=y
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/persistent_key_usage/boards/nrf5340dk_nrf5340_cpuapp.conf b/samples/crypto/persistent_key_usage/boards/nrf5340dk_nrf5340_cpuapp.conf
index 7ec63465389..551be17bac3 100644
--- a/samples/crypto/persistent_key_usage/boards/nrf5340dk_nrf5340_cpuapp.conf
+++ b/samples/crypto/persistent_key_usage/boards/nrf5340dk_nrf5340_cpuapp.conf
@@ -2,19 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
+
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
-CONFIG_SETTINGS_NVS=y
-CONFIG_TRUSTED_STORAGE=y
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/persistent_key_usage/boards/nrf54l15dk_nrf54l05_cpuapp.conf b/samples/crypto/persistent_key_usage/boards/nrf54l15dk_nrf54l05_cpuapp.conf
index 3f072ccf062..fb51d6df6c0 100644
--- a/samples/crypto/persistent_key_usage/boards/nrf54l15dk_nrf54l05_cpuapp.conf
+++ b/samples/crypto/persistent_key_usage/boards/nrf54l15dk_nrf54l05_cpuapp.conf
@@ -2,13 +2,13 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CRACEN=y
-# Use TRUSTED_STORAGE because this is a non-TF-M board target.
-CONFIG_TRUSTED_STORAGE=y
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
@@ -16,6 +16,5 @@ CONFIG_FLASH_MAP=y
 CONFIG_ZMS=y
 CONFIG_SETTINGS=y
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/persistent_key_usage/boards/nrf54l15dk_nrf54l10_cpuapp.conf b/samples/crypto/persistent_key_usage/boards/nrf54l15dk_nrf54l10_cpuapp.conf
index 3f072ccf062..fb51d6df6c0 100644
--- a/samples/crypto/persistent_key_usage/boards/nrf54l15dk_nrf54l10_cpuapp.conf
+++ b/samples/crypto/persistent_key_usage/boards/nrf54l15dk_nrf54l10_cpuapp.conf
@@ -2,13 +2,13 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CRACEN=y
-# Use TRUSTED_STORAGE because this is a non-TF-M board target.
-CONFIG_TRUSTED_STORAGE=y
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
@@ -16,6 +16,5 @@ CONFIG_FLASH_MAP=y
 CONFIG_ZMS=y
 CONFIG_SETTINGS=y
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/persistent_key_usage/boards/nrf54l15dk_nrf54l15_cpuapp.conf b/samples/crypto/persistent_key_usage/boards/nrf54l15dk_nrf54l15_cpuapp.conf
index 3f072ccf062..fb51d6df6c0 100644
--- a/samples/crypto/persistent_key_usage/boards/nrf54l15dk_nrf54l15_cpuapp.conf
+++ b/samples/crypto/persistent_key_usage/boards/nrf54l15dk_nrf54l15_cpuapp.conf
@@ -2,13 +2,13 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CRACEN=y
-# Use TRUSTED_STORAGE because this is a non-TF-M board target.
-CONFIG_TRUSTED_STORAGE=y
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
@@ -16,6 +16,5 @@ CONFIG_FLASH_MAP=y
 CONFIG_ZMS=y
 CONFIG_SETTINGS=y
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/persistent_key_usage/boards/nrf54lm20pdk_nrf54lm20a_cpuapp.conf b/samples/crypto/persistent_key_usage/boards/nrf54lm20pdk_nrf54lm20a_cpuapp.conf
index 4b9d8a98b72..fb51d6df6c0 100644
--- a/samples/crypto/persistent_key_usage/boards/nrf54lm20pdk_nrf54lm20a_cpuapp.conf
+++ b/samples/crypto/persistent_key_usage/boards/nrf54lm20pdk_nrf54lm20a_cpuapp.conf
@@ -3,11 +3,12 @@
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+# Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CRACEN=y
-# Use TRUSTED_STORAGE because this is a non-TF-M board target.
-CONFIG_TRUSTED_STORAGE=y
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
diff --git a/samples/crypto/persistent_key_usage/boards/nrf54lv10dk_nrf5454lv10a_cpuapp.conf b/samples/crypto/persistent_key_usage/boards/nrf54lv10dk_nrf5454lv10a_cpuapp.conf
index 3f072ccf062..fb51d6df6c0 100644
--- a/samples/crypto/persistent_key_usage/boards/nrf54lv10dk_nrf5454lv10a_cpuapp.conf
+++ b/samples/crypto/persistent_key_usage/boards/nrf54lv10dk_nrf5454lv10a_cpuapp.conf
@@ -2,13 +2,13 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CRACEN=y
-# Use TRUSTED_STORAGE because this is a non-TF-M board target.
-CONFIG_TRUSTED_STORAGE=y
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
@@ -16,6 +16,5 @@ CONFIG_FLASH_MAP=y
 CONFIG_ZMS=y
 CONFIG_SETTINGS=y
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/persistent_key_usage/boards/nrf9151dk_nrf9151.conf b/samples/crypto/persistent_key_usage/boards/nrf9151dk_nrf9151.conf
index 7ec63465389..551be17bac3 100644
--- a/samples/crypto/persistent_key_usage/boards/nrf9151dk_nrf9151.conf
+++ b/samples/crypto/persistent_key_usage/boards/nrf9151dk_nrf9151.conf
@@ -2,19 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
+
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
-CONFIG_SETTINGS_NVS=y
-CONFIG_TRUSTED_STORAGE=y
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/persistent_key_usage/boards/nrf9160dk_nrf9160.conf b/samples/crypto/persistent_key_usage/boards/nrf9160dk_nrf9160.conf
index 7ec63465389..551be17bac3 100644
--- a/samples/crypto/persistent_key_usage/boards/nrf9160dk_nrf9160.conf
+++ b/samples/crypto/persistent_key_usage/boards/nrf9160dk_nrf9160.conf
@@ -2,19 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
+
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
-CONFIG_SETTINGS_NVS=y
-CONFIG_TRUSTED_STORAGE=y
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/persistent_key_usage/boards/nrf9161dk_nrf9161.conf b/samples/crypto/persistent_key_usage/boards/nrf9161dk_nrf9161.conf
index 7ec63465389..551be17bac3 100644
--- a/samples/crypto/persistent_key_usage/boards/nrf9161dk_nrf9161.conf
+++ b/samples/crypto/persistent_key_usage/boards/nrf9161dk_nrf9161.conf
@@ -2,19 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
+
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
-CONFIG_SETTINGS_NVS=y
-CONFIG_TRUSTED_STORAGE=y
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/persistent_key_usage/sample.yaml b/samples/crypto/persistent_key_usage/sample.yaml
index 482071c098c..657d781dcef 100644
--- a/samples/crypto/persistent_key_usage/sample.yaml
+++ b/samples/crypto/persistent_key_usage/sample.yaml
@@ -1,67 +1,73 @@
 sample:
 description: |
- This app provides an example of using peristent keys with the
- PSA APIs. A random AES persistent key is generated and imported
- to the PSA keystore.
- name: Persistent key example
+ This sample provides an example of using persistent keys with the
+ PSA Crypto API. A random AES persistent key is generated and used.
+ name: Persistent key usage
+
+common:
+ sysbuild: true
+ tags:
+ - introduction
+ - psa
+ - sysbuild
+ - ci_samples_crypto
+ harness: console
+ harness_config:
+ type: multi_line
+ regex:
+ - ".*Example finished successfully!.*"
+
 tests:
- sample.persistent_key_usage.cc3xx:
- sysbuild: true
+ sample.persistent_key_usage.tf-m:
 tags:
- - introduction
- - psa
- - cc3xx
- - sysbuild
- - ci_samples_crypto
+ - ci_samples_tfm
 platform_allow:
 - nrf5340dk/nrf5340/cpuapp/ns
- - nrf5340dk/nrf5340/cpuapp
+ - nrf54l15dk/nrf54l15/cpuapp/ns
+ - nrf54l15dk/nrf54l10/cpuapp/ns
 - nrf9160dk/nrf9160/ns
- - nrf9160dk/nrf9160
- - nrf52840dk/nrf52840
- - nrf9161dk/nrf9161
 - nrf9161dk/nrf9161/ns
- - nrf9151dk/nrf9151
 - nrf9151dk/nrf9151/ns
- harness: console
- harness_config:
- type: multi_line
- regex:
- - ".*Example finished successfully!.*"
 integration_platforms:
 - nrf5340dk/nrf5340/cpuapp/ns
+ - nrf54l15dk/nrf54l15/cpuapp/ns
+ - nrf9151dk/nrf9151/ns
+
+ sample.persistent_key_usage.secure_storage:
+ platform_allow:
+ - nrf52840dk/nrf52840
 - nrf5340dk/nrf5340/cpuapp
- - nrf9160dk/nrf9160/ns
 - nrf9160dk/nrf9160
- - nrf52840dk/nrf52840
 - nrf9161dk/nrf9161
- - nrf9161dk/nrf9161/ns
 - nrf9151dk/nrf9151
- - nrf9151dk/nrf9151/ns
- sample.persistent_key_usage.cracen:
- sysbuild: true
- tags:
- - introduction
- - psa
- - cracen
- - sysbuild
- - ci_samples_crypto
- platform_allow:
 - nrf54l15dk/nrf54l15/cpuapp
- - nrf54l15dk/nrf54l15/cpuapp/ns
 - nrf54lm20pdk/nrf54lm20a/cpuapp
 - nrf54l15dk/nrf54l10/cpuapp
- - nrf54l15dk/nrf54l10/cpuapp/ns
 - nrf54l15dk/nrf54l05/cpuapp
- harness: console
- harness_config:
- type: multi_line
- regex:
- - ".*Example finished successfully!.*"
 integration_platforms:
+ - nrf52840dk/nrf52840
+ - nrf5340dk/nrf5340/cpuapp
+ - nrf9151dk/nrf9151
+ - nrf54l15dk/nrf54l15/cpuapp
+ - nrf54lm20pdk/nrf54lm20a/cpuapp
+
+ sample.persistent_key_usage.trusted_storage:
+ extra_args:
+ - CONFIG_SECURE_STORAGE=n
+ - CONFIG_TRUSTED_STORAGE=y
+ platform_allow:
+ - nrf52840dk/nrf52840
+ - nrf5340dk/nrf5340/cpuapp
+ - nrf9160dk/nrf9160
+ - nrf9161dk/nrf9161
+ - nrf9151dk/nrf9151
 - nrf54l15dk/nrf54l15/cpuapp
- - nrf54l15dk/nrf54l15/cpuapp/ns
 - nrf54lm20pdk/nrf54lm20a/cpuapp
 - nrf54l15dk/nrf54l10/cpuapp
- - nrf54l15dk/nrf54l10/cpuapp/ns
 - nrf54l15dk/nrf54l05/cpuapp
+ integration_platforms:
+ - nrf52840dk/nrf52840
+ - nrf5340dk/nrf5340/cpuapp
+ - nrf9151dk/nrf9151
+ - nrf54l15dk/nrf54l15/cpuapp
+ - nrf54lm20pdk/nrf54lm20a/cpuapp
diff --git a/samples/crypto/persistent_key_usage/src/trusted_storage_init.c b/samples/crypto/persistent_key_usage/src/init.c
similarity index 69%
rename from samples/crypto/persistent_key_usage/src/trusted_storage_init.c
rename to samples/crypto/persistent_key_usage/src/init.c
index 6e1e9de7531..232c15ae426 100644
--- a/samples/crypto/persistent_key_usage/src/trusted_storage_init.c
+++ b/samples/crypto/persistent_key_usage/src/init.c
@@ -4,11 +4,13 @@
 * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
 */
-#include "settings/settings_file.h"
 #include
 #include
+#include
-LOG_MODULE_REGISTER(persistent_key_usage_trusted_storage, LOG_LEVEL_DBG);
+LOG_MODULE_DECLARE(persistent_key_usage, LOG_LEVEL_DBG);
+
+#ifdef CONFIG_TRUSTED_STORAGE_STORAGE_BACKEND_SETTINGS
 static int setup_settings_backend(void)
 {
@@ -24,7 +26,11 @@ static int setup_settings_backend(void)
 SYS_INIT(setup_settings_backend, APPLICATION, CONFIG_APPLICATION_INIT_PRIORITY);
-#ifdef CONFIG_TRUSTED_STORAGE_BACKEND_AEAD_KEY_DERIVE_FROM_HUK
+#endif /* CONFIG_TRUSTED_STORAGE_STORAGE_BACKEND_SETTINGS */
+
+#if defined(CONFIG_TRUSTED_STORAGE_BACKEND_AEAD_KEY_DERIVE_FROM_HUK) || \
+ defined(CONFIG_SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_HUK_LIBRARY)
+
 #include
 #ifndef HUK_HAS_KMU
@@ -42,12 +48,12 @@ int write_huk(void)
 return 0;
 }
 LOG_INF("Success!\n\n");
-#if !defined(HUK_HAS_KMU)
+#ifndef HUK_HAS_KMU
 /* Reboot to allow the bootloader to load the key into CryptoCell. */
 sys_reboot(0);
-#endif /* !defined(HUK_HAS_KMU) */
+#endif
 }
 return 0;
 }
-#endif /* CONFIG_TRUSTED_STORAGE_BACKEND_AEAD_KEY_DERIVE_FROM_HUK */
+#endif
diff --git a/samples/crypto/persistent_key_usage/src/init.h b/samples/crypto/persistent_key_usage/src/init.h
new file mode 100644
index 00000000000..1a2ec2eeeed
--- /dev/null
+++ b/samples/crypto/persistent_key_usage/src/init.h
@@ -0,0 +1,12 @@
+/*
+ * Copyright (c) 2023 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#ifndef __INIT_H_
+#define __INIT_H_
+
+int write_huk(void);
+
+#endif
diff --git a/samples/crypto/persistent_key_usage/src/main.c b/samples/crypto/persistent_key_usage/src/main.c
index a1ce36ed2fe..d6ae248b851 100644
--- a/samples/crypto/persistent_key_usage/src/main.c
+++ b/samples/crypto/persistent_key_usage/src/main.c
@@ -15,7 +15,7 @@
 #include
 #endif
-#include "trusted_storage_init.h"
+#include "init.h"
 #define APP_SUCCESS (0)
 #define APP_ERROR (-1)
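Review bot: Every exit of write_huk() visible in the `@@ -42,12 +48,12 @@` hunk of src/init.c is `return 0;`, including the one just before `LOG_INF("Success!\n\n")`, which reads like the end of the failure branch of the key write (the branch condition is above the hunk, so that part is inferred). The caller in src/main.c, in the `crypto_init` hunk `@@ -57,9 +57,10 @@`, also drops the result with a bare `write_huk();`. With this commit the same path serves `CONFIG_SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_HUK_LIBRARY` too, so a failed hardware unique key write would go unreported until a later storage operation fails. Consider returning a non-zero value from the failure branch and checking it in the caller, for example `if (write_huk() != 0) { return APP_ERROR; }`. The body of write_huk() starts above this hunk.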
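Review bot: `int write_huk(void);` in the new src/init.h carries no comment, although the definition in src/init.c can end in `sys_reboot(0)` when `HUK_HAS_KMU` is not defined, so a caller may never see the call return. The declaration is also unconditional now, while the definition is compiled only under the two HUK-related options. A comment above the declaration would record both points, e.g. `/* Provisions the hardware unique key; only defined when a HUK key provider is enabled. May reboot the device instead of returning. */`.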
@@ -57,9 +57,10 @@ int crypto_init(void)
 {
 psa_status_t status;
-#ifdef CONFIG_TRUSTED_STORAGE_BACKEND_AEAD_KEY_DERIVE_FROM_HUK
+#if defined(CONFIG_TRUSTED_STORAGE_BACKEND_AEAD_KEY_DERIVE_FROM_HUK) || \
+ defined(CONFIG_SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_HUK_LIBRARY)
 write_huk();
-#endif /* CONFIG_TRUSTED_STORAGE_BACKEND_AEAD_KEY_DERIVE_FROM_HUK */
+#endif
 /* Initialize PSA Crypto */
 status = psa_crypto_init();
diff --git a/samples/crypto/persistent_key_usage/src/trusted_storage_init.h b/samples/crypto/persistent_key_usage/src/trusted_storage_init.h
deleted file mode 100644
index 51a22ce9364..00000000000
--- a/samples/crypto/persistent_key_usage/src/trusted_storage_init.h
+++ /dev/null
@@ -1,15 +0,0 @@
-/*
- * Copyright (c) 2023 Nordic Semiconductor ASA
- *
- * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
- */
-
-#ifndef __TRUSTED_STORAGE_INIT_H_
-#define __TRUSTED_STORAGE_INIT_H_
-
-/* In case a HUK ist used for the trusted_storage key */
-#ifdef CONFIG_TRUSTED_STORAGE_BACKEND_AEAD_KEY_DERIVE_FROM_HUK
-int write_huk(void);
-#endif /* CONFIG_TRUSTED_STORAGE_BACKEND_AEAD_KEY_DERIVE_FROM_HUK */
-
-#endif /* __TRUSTED_STORAGE_INIT_H_ */
diff --git a/scripts/ci/tags.yaml b/scripts/ci/tags.yaml
index c7534cc4020..d2365b7458e 100644
--- a/scripts/ci/tags.yaml
+++ b/scripts/ci/tags.yaml
@@ -224,8 +224,11 @@ ci_samples_crypto: &ci_crypto
 - nrf/samples/crypto/
 - nrf/subsys/nrf_security/
 - nrf/subsys/partition_manager/
+ - nrf/subsys/secure_storage/
+ - nrf/subsys/trusted_storage/
 - nrf/sysbuild/
 - nrf/tests/crypto/
+ - nrf/tests/zephyr/subsys/secure_storage/
 - zephyr/cmake/
 - zephyr/drivers/entropy/
 - zephyr/drivers/serial/
@@ -1359,6 +1362,7 @@ ci_applications_protocols_serialization:
 - nrf/subsys/net/openthread/
 - nrf/subsys/nrf_rpc/
 - nrf/subsys/nrf_security/
+ - nrf/subsys/secure_storage/
 - nrf/subsys/trusted_storage/
 - nrfxlib/crypto/
 - nrfxlib/nrf_802154/
diff --git a/subsys/Kconfig b/subsys/Kconfig
index feef88b6e35..d98dfbc1c4f 100644
--- a/subsys/Kconfig
+++ b/subsys/Kconfig
@@ -36,6 +36,7 @@ rsource "audio_module/Kconfig"
 rsource "audio/audio_module_template/Kconfig"
 rsource "uart_async_adapter/Kconfig"
 rsource "trusted_storage/Kconfig"
+rsource "secure_storage/Kconfig"
 rsource "logging/Kconfig"
 rsource "sdfw_services/Kconfig"
 rsource "suit/Kconfig"
diff --git a/subsys/secure_storage/CMakeLists.txt b/subsys/secure_storage/CMakeLists.txt
index dc8c7555256..a01faeb74bf 100644
--- a/subsys/secure_storage/CMakeLists.txt
+++ b/subsys/secure_storage/CMakeLists.txt
@@ -1,5 +1,4 @@
 # Copyright (c) 2025 Nordic Semiconductor ASA
-#
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
 if(CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_ZMS AND CONFIG_PARTITION_MANAGER_ENABLED)
@@ -8,3 +7,33 @@ if(CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_ZMS AND CONFIG_PARTITION_MANAG
 not supported when partition manager is enabled.
 ")
 endif()
+
+if(CONFIG_SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY)
+
+ if(CONFIG_SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_AEAD)
+ message(FATAL_ERROR "
+ CONFIG_SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_AEAD cannot be used
+ when CONFIG_SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY is enabled.")
+ endif()
+
+ if(CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS)
+ list(APPEND ncs_secure_storage_src compatibility/src/its_store_settings_get.c)
+ endif()
+
+ if(CONFIG_SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_TSBC)
+ list(APPEND ncs_secure_storage_src compatibility/src/its_transform_tsbc.c)
+ endif()
+
+else()
+
+ if(CONFIG_SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_HUK_LIBRARY)
+ list(APPEND ncs_secure_storage_src src/its_transform_aead_get_key_huk.c)
+ endif()
+
+endif() # CONFIG_SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY
+
+if(ncs_secure_storage_src)
+ zephyr_library()
+ zephyr_library_link_libraries_ifdef(CONFIG_MBEDTLS mbedTLS)
+ zephyr_library_sources(${ncs_secure_storage_src})
+endif()
diff --git a/subsys/secure_storage/Kconfig b/subsys/secure_storage/Kconfig
new file mode 100644
index 00000000000..e456003f194
--- /dev/null
+++ b/subsys/secure_storage/Kconfig
@@ -0,0 +1,19 @@
+# Copyright (c) 2025 Nordic Semiconductor
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+
+# Secure storage subsystem integration into the nRF Connect SDK
+
+# Add the HUK library as the default AEAD key provider when supported.
+# It provides the highest level of security.
+choice SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER
+ default SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_HUK_LIBRARY
+
+config SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_HUK_LIBRARY
+ bool "Keys derived using the HUK library"
+ depends on HW_UNIQUE_KEY_SUPPORTED && NRF_SECURITY
+ select HW_UNIQUE_KEY
+ select HW_UNIQUE_KEY_RANDOM
+
+endchoice # SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER
+
+rsource "compatibility/Kconfig"
diff --git a/subsys/secure_storage/compatibility/Kconfig b/subsys/secure_storage/compatibility/Kconfig
new file mode 100644
index 00000000000..ab209d36357
--- /dev/null
+++ b/subsys/secure_storage/compatibility/Kconfig
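Review bot: `SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_HUK_LIBRARY` in subsys/secure_storage/Kconfig becomes the default key provider but has no `help` text, so neither the rationale given in the comment above the choice nor any precondition is visible in menuconfig. The sample changed in this commit calls `write_huk()` before `psa_crypto_init()` when this option is set, which suggests the application has to make sure a HUK is written before storage is used. A help text along the lines of `Derive the AEAD keys from the hardware unique key (HUK). A HUK must have been written before the first storage access.` would record that; confirm the exact requirement against the HUK library.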
@@ -0,0 +1,80 @@
+# Copyright (c) 2025 Nordic Semiconductor
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+
+config SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY
+ bool "Trusted storage backward compatibility [EXPERIMENTAL]"
+ depends on SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS || \
+ SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_CUSTOM
+ depends on (SETTINGS_ZMS || SETTINGS_ZMS_LEGACY || \
+ (SETTINGS_NVS && !SOC_SERIES_NRF54LX)) || \
+ SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_CUSTOM
+ select EXPERIMENTAL
+ select SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_CUSTOM \
+ if SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS
+ help
+ Enable to make the Secure storage subsystem compatible with
+ an existing installation that was previously using the Trusted storage library.
+ This allows the Secure storage subsystem to operate and store entries
+ like the Trusted storage library would.
+
+# Replace the upstream AEAD implementation by a Trusted Storage Backward Compatible (TSBC) one.
+# The custom option (SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_CUSTOM) remains usable.
+choice SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION
+ default SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_TSBC \
+ if SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY
+
+config SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_TSBC
+ bool "ITS transform module implementation compatible with the Trusted storage library"
+ depends on SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY
+ select PSA_WANT_GENERATE_RANDOM
+ select PSA_WANT_KEY_TYPE_CHACHA20
+ select PSA_WANT_ALG_CHACHA20_POLY1305
+
+endchoice # SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION
+
+if SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY
+
+if SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_TSBC
+
+config SECURE_STORAGE_ITS_MAX_DATA_SIZE
+ default 256
+
+config SECURE_STORAGE_ITS_TRANSFORM_OUTPUT_OVERHEAD
+ # create_flags diff (3) + entry size (4) + nonce (12) + authentication tag (16)
+ default 35
+
+# Make the same key providers available as trusted storage.
+choice SECURE_STORAGE_ITS_TRANSFORM_TSBC_KEY_PROVIDER
+ prompt "AEAD key provider"
+ default SECURE_STORAGE_ITS_TRANSFORM_TSBC_KEY_PROVIDER_HUK_LIBRARY
+
+config SECURE_STORAGE_ITS_TRANSFORM_TSBC_KEY_PROVIDER_ENTRY_UID_HASH
+ bool "Key provider equivalent to TRUSTED_STORAGE_BACKEND_AEAD_KEY_HASH_UID"
+ select PSA_WANT_ALG_SHA_256
+
+config SECURE_STORAGE_ITS_TRANSFORM_TSBC_KEY_PROVIDER_HUK_LIBRARY
+ bool "Key provider equivalent to TRUSTED_STORAGE_BACKEND_AEAD_KEY_DERIVE_FROM_HUK"
+ depends on HW_UNIQUE_KEY_SUPPORTED
+ select HW_UNIQUE_KEY
+ select HW_UNIQUE_KEY_RANDOM
+
+endchoice # SECURE_STORAGE_ITS_TRANSFORM_TSBC_KEY_PROVIDER
+
+endif # SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_TSBC
+
+if SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS
+
+config PSA_PROTECTED_STORAGE_PREFIX
+ string "PS entry setting prefix"
+ default "ps"
+
+config PSA_INTERNAL_TRUSTED_STORAGE_PREFIX
+ string "ITS entry setting prefix"
+ default "its"
+
+config SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_MAX_LEN
+ default 20
+
+endif # SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS
+
+endif # SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY
diff --git a/subsys/secure_storage/compatibility/src/its_store_settings_get.c b/subsys/secure_storage/compatibility/src/its_store_settings_get.c
new file mode 100644
index 00000000000..2d11f94e701
--- /dev/null
+++ b/subsys/secure_storage/compatibility/src/its_store_settings_get.c
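Review bot: `SECURE_STORAGE_ITS_TRANSFORM_TSBC_KEY_PROVIDER_ENTRY_UID_HASH` in compatibility/Kconfig has no `help` text, and its prompt only names the Trusted storage option it mirrors. The `get_key()` added for this option in compatibility/src/its_transform_tsbc.c computes the AEAD key with `psa_hash_compute(PSA_ALG_SHA_256, ...)` over the entry UID alone, so the key involves no secret and the stored entries get no real confidentiality or integrity protection from whoever can access the storage. It is also the only other member of the choice, so it is presumably what gets selected on targets where `HW_UNIQUE_KEY_SUPPORTED` is not set. Add a help text that states this, for example `help` followed by `The key is the SHA-256 hash of the entry UID and involves no secret. Use only to read existing entries or for testing; prefer the HUK library provider.`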
@@ -0,0 +1,29 @@
+/* Copyright (c) 2025 Nordic Semiconductor ASA
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+#include
+#include
+#include
+
+/* prefix + '/' + 16-char hex UID */
+BUILD_ASSERT(CONFIG_SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_MAX_LEN ==
+ MAX(sizeof(CONFIG_PSA_PROTECTED_STORAGE_PREFIX),
+ sizeof(CONFIG_PSA_INTERNAL_TRUSTED_STORAGE_PREFIX)) - 1 + + 1 + 16,
+ "CONFIG_SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_MAX_LEN needs to be adjusted");
+
+void secure_storage_its_store_settings_get_name(
+ secure_storage_its_uid_t uid,
+ char name[static SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_BUF_SIZE])
+{
+ /* Both SECURE_STORAGE_ITS_CALLER_PSA_ITS and SECURE_STORAGE_ITS_CALLER_MBEDTLS
+ * indicate calls to the PSA ITS API.
+ */
+ const char *prefix = (uid.caller_id == SECURE_STORAGE_ITS_CALLER_PSA_PS) ?
+ CONFIG_PSA_PROTECTED_STORAGE_PREFIX :
+ CONFIG_PSA_INTERNAL_TRUSTED_STORAGE_PREFIX;
+
+ snprintf(name, SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_BUF_SIZE,
+ "%s/%08x%08x", prefix, (unsigned int)(uid.uid >> 32),
+ (unsigned int)(uid.uid & 0xffffffff));
+}
diff --git a/subsys/secure_storage/compatibility/src/its_transform_tsbc.c b/subsys/secure_storage/compatibility/src/its_transform_tsbc.c
new file mode 100644
index 00000000000..7cd5ccd5ae7
--- /dev/null
+++ b/subsys/secure_storage/compatibility/src/its_transform_tsbc.c
@@ -0,0 +1,194 @@ +/* Copyright (c) 2025 Nordic Semiconductor ASA + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +/* Trusted Storage Backward Compatible (TSBC) ITS transform module implementation + * + * Heavily based on Zephyr's AEAD implementation of the ITS transform module. + * Made to fit the secure storage subsystem's API and use the trusted storage library's format + * for stored entries in order to achieve compatibility. + */ + +#include +#include +#include <../library/psa_crypto_driver_wrappers.h> + +BUILD_ASSERT(CONFIG_SECURE_STORAGE_ITS_TRANSFORM_OUTPUT_OVERHEAD == + sizeof(uint32_t) - sizeof(secure_storage_packed_create_flags_t) + sizeof(size_t) + 28); + +BUILD_ASSERT(sizeof(psa_storage_uid_t) == sizeof(uint64_t)); + +enum { + AEAD_KEY_SIZE = 32, + AEAD_NONCE_SIZE = PSA_AEAD_NONCE_LENGTH(PSA_KEY_TYPE_CHACHA20, PSA_ALG_CHACHA20_POLY1305), + CIPHERTEXT_MAX_SIZE = PSA_AEAD_ENCRYPT_OUTPUT_SIZE(PSA_KEY_TYPE_CHACHA20, + PSA_ALG_CHACHA20_POLY1305, + CONFIG_SECURE_STORAGE_ITS_MAX_DATA_SIZE), +}; + +static psa_status_t get_nonce(uint8_t nonce[static AEAD_NONCE_SIZE]) +{ + psa_status_t ret; + static bool s_nonce_initialized; + static struct { + uint64_t low; + uint32_t high; + } __packed s_nonce; + BUILD_ASSERT(sizeof(s_nonce) == AEAD_NONCE_SIZE); + + if (!s_nonce_initialized) { + ret = psa_generate_random((uint8_t *)&s_nonce, sizeof(s_nonce)); + if (ret != PSA_SUCCESS) { + return ret; + } + s_nonce_initialized = true; + } else { + ++s_nonce.low; + if (s_nonce.low == 0) { + ++s_nonce.high; + } + } + memcpy(nonce, &s_nonce, AEAD_NONCE_SIZE); + return PSA_SUCCESS; +} + +#if defined(CONFIG_SECURE_STORAGE_ITS_TRANSFORM_TSBC_KEY_PROVIDER_ENTRY_UID_HASH) + +static psa_status_t get_key(psa_storage_uid_t uid, uint8_t key[static AEAD_KEY_SIZE]) +{ + BUILD_ASSERT(AEAD_KEY_SIZE == PSA_HASH_LENGTH(PSA_ALG_SHA_256)); + size_t hash_length; + + return psa_hash_compute(PSA_ALG_SHA_256, (uint8_t *)&uid, sizeof(uid), key, AEAD_KEY_SIZE, + &hash_length); +} + +#elif 
defined(CONFIG_SECURE_STORAGE_ITS_TRANSFORM_TSBC_KEY_PROVIDER_HUK_LIBRARY) +#include + +static psa_status_t get_key(psa_storage_uid_t uid, uint8_t key[static AEAD_KEY_SIZE]) +{ + int result; + enum hw_unique_key_slot key_slot; + +#ifdef HUK_HAS_KMU + key_slot = HUK_KEYSLOT_MKEK; +#else + key_slot = HUK_KEYSLOT_KDR; +#endif + + result = hw_unique_key_derive_key(key_slot, NULL, 0, (uint8_t *)&uid, sizeof(uid), key, + AEAD_KEY_SIZE); + if (result != HW_UNIQUE_KEY_SUCCESS) { + return PSA_ERROR_BAD_STATE; + } + + return PSA_SUCCESS; +} + +#endif /* CONFIG_SECURE_STORAGE_ITS_TRANSFORM_TSBC_KEY_PROVIDER */ + +struct stored_entry_header { + psa_storage_create_flags_t create_flags; + size_t data_len; +}; + +struct stored_entry { + struct stored_entry_header header; + uint8_t nonce[AEAD_NONCE_SIZE]; + uint8_t ciphertext[CIPHERTEXT_MAX_SIZE]; +} __packed; +BUILD_ASSERT(sizeof(struct stored_entry) == SECURE_STORAGE_ITS_TRANSFORM_MAX_STORED_DATA_SIZE); + +/** @return The length of a `struct stored_entry` whose `ciphertext` is `len` bytes long. 
*/ +#define STORED_ENTRY_LEN(len) (sizeof(struct stored_entry) - CIPHERTEXT_MAX_SIZE + len) + +static psa_status_t crypt(psa_key_usage_t operation, psa_storage_uid_t uid, + const struct stored_entry *stored_entry, + size_t input_len, const void *input, + size_t output_size, void *output, size_t *output_len) +{ + psa_status_t ret; + psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; + uint8_t key[AEAD_KEY_SIZE]; + psa_status_t (*aead_crypt)(const psa_key_attributes_t *attributes, const uint8_t *key, + size_t key_size, psa_algorithm_t alg, const uint8_t *nonce, + size_t nonce_length, const uint8_t *add_data, + size_t add_data_len, const uint8_t *input, size_t input_len, + uint8_t *output, size_t output_size, size_t *output_len); + + psa_set_key_usage_flags(&key_attributes, operation); + psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_VOLATILE); + psa_set_key_type(&key_attributes, PSA_KEY_TYPE_CHACHA20); + psa_set_key_algorithm(&key_attributes, PSA_ALG_CHACHA20_POLY1305); + psa_set_key_bits(&key_attributes, PSA_BYTES_TO_BITS(AEAD_KEY_SIZE)); + + ret = get_key(uid, key); + if (ret != PSA_SUCCESS) { + return ret; + } + + /* Avoid calling psa_aead_*crypt() because that would require importing keys into + * PSA Crypto. This gets called from PSA Crypto for storing persistent keys so, + * even if using PSA_KEY_LIFETIME_VOLATILE, it would corrupt the global key store + * which holds all the active keys in the PSA Crypto core. + */ + aead_crypt = (operation == PSA_KEY_USAGE_ENCRYPT) ? 
psa_driver_wrapper_aead_encrypt : + psa_driver_wrapper_aead_decrypt; + + ret = aead_crypt(&key_attributes, key, AEAD_KEY_SIZE, PSA_ALG_CHACHA20_POLY1305, + stored_entry->nonce, AEAD_NONCE_SIZE, + (uint8_t *)&stored_entry->header, sizeof(stored_entry->header), + input, input_len, output, output_size, output_len); + + mbedtls_platform_zeroize(key, AEAD_KEY_SIZE); + return ret; +} + +psa_status_t secure_storage_its_transform_to_store( + secure_storage_its_uid_t uid, size_t data_len, const void *data, + secure_storage_packed_create_flags_t create_flags, + uint8_t stored_data[static SECURE_STORAGE_ITS_TRANSFORM_MAX_STORED_DATA_SIZE], + size_t *stored_data_len) +{ + psa_status_t ret; + struct stored_entry *stored_entry = (struct stored_entry *)stored_data; + size_t ciphertext_len; + + stored_entry->header.create_flags = create_flags; + stored_entry->header.data_len = data_len; + + ret = get_nonce(stored_entry->nonce); + if (ret != PSA_SUCCESS) { + return ret; + } + + ret = crypt(PSA_KEY_USAGE_ENCRYPT, uid.uid, stored_entry, data_len, data, + CIPHERTEXT_MAX_SIZE, stored_entry->ciphertext, &ciphertext_len); + if (ret == PSA_SUCCESS) { + *stored_data_len = STORED_ENTRY_LEN(ciphertext_len); + } + return ret; +} + +psa_status_t secure_storage_its_transform_from_store( + secure_storage_its_uid_t uid, size_t stored_data_len, + const uint8_t stored_data[static SECURE_STORAGE_ITS_TRANSFORM_MAX_STORED_DATA_SIZE], + size_t data_size, void *data, size_t *data_len, + psa_storage_create_flags_t *create_flags) +{ + if (stored_data_len < STORED_ENTRY_LEN(0)) { + return PSA_ERROR_DATA_CORRUPT; + } + + psa_status_t ret; + struct stored_entry *stored_entry = (struct stored_entry *)stored_data; + const size_t ciphertext_len = stored_data_len - STORED_ENTRY_LEN(0); + + ret = crypt(PSA_KEY_USAGE_DECRYPT, uid.uid, stored_entry, + ciphertext_len, stored_entry->ciphertext, data_size, data, data_len); + if (ret == PSA_SUCCESS) { + *create_flags = stored_entry->header.create_flags; + } + return 
ret; +} diff --git a/subsys/secure_storage/src/its_transform_aead_get_key_huk.c b/subsys/secure_storage/src/its_transform_aead_get_key_huk.c new file mode 100644 index 00000000000..2e07e6fa22e --- /dev/null +++ b/subsys/secure_storage/src/its_transform_aead_get_key_huk.c @@ -0,0 +1,28 @@ +/* Copyright (c) 2025 Nordic Semiconductor ASA + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ +#include +#include +#include + +psa_status_t secure_storage_its_transform_aead_get_key( + secure_storage_its_uid_t uid, + uint8_t key[static CONFIG_SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_SIZE]) +{ + int result; + enum hw_unique_key_slot key_slot; + +#ifdef HUK_HAS_KMU + key_slot = HUK_KEYSLOT_MKEK; +#else + key_slot = HUK_KEYSLOT_KDR; +#endif + + result = hw_unique_key_derive_key(key_slot, NULL, 0, (uint8_t *)&uid, sizeof(uid), key, + CONFIG_SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_SIZE); + if (result != HW_UNIQUE_KEY_SUCCESS) { + return PSA_ERROR_BAD_STATE; + } + + return PSA_SUCCESS; +} diff --git a/subsys/trusted_storage/Kconfig b/subsys/trusted_storage/Kconfig index 56a475a2892..7cbda1a23ae 100644 --- a/subsys/trusted_storage/Kconfig +++ b/subsys/trusted_storage/Kconfig @@ -89,6 +89,7 @@ choice TRUSTED_STORAGE_BACKEND_AEAD_CRYPTO config TRUSTED_STORAGE_BACKEND_AEAD_CRYPTO_PSA_CHACHAPOLY bool "PSA ChaChaPoly" + select PSA_WANT_KEY_TYPE_CHACHA20 select PSA_WANT_ALG_CHACHA20_POLY1305 help Use PSA Crypto API's with the ChaChaPoly-1305 AEAD algorithm. @@ -157,7 +158,7 @@ choice TRUSTED_STORAGE_STORAGE_BACKEND config TRUSTED_STORAGE_STORAGE_BACKEND_SETTINGS bool "Settings storage backend" - depends on SETTINGS_ZMS || SETTINGS_ZMS_LEGACY || (SETTINGS_NVS && !SOC_NRF54L15) + depends on SETTINGS_ZMS || SETTINGS_ZMS_LEGACY || (SETTINGS_NVS && !SOC_SERIES_NRF54LX) help Use the Settings subsystem to store the assets diff --git a/subsys/trusted_storage/src/aead/aead_crypt_psa_chachapoly.c b/subsys/trusted_storage/src/aead/aead_crypt_psa_chachapoly.c index 15733bd2edb..df97bbbc75b 100644 
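Review bot: secure_storage_its_transform_from_store() rejects a stored_data_len below STORED_ENTRY_LEN(0) but has no upper bound, so a length above sizeof(struct stored_entry) makes ciphertext_len exceed CIPHERTEXT_MAX_SIZE and the decrypt wrapper would read past the stored_data buffer. The store layer may already cap the length, but that is not visible in this file and the value ultimately comes from persistent storage; I would extend the guard to `if (stored_data_len < STORED_ENTRY_LEN(0) || stored_data_len > sizeof(struct stored_entry)) {`. Separately, the ENTRY_UID_HASH variant of get_key() derives the AEAD key from SHA-256 of the UID alone, which involves no secret, so it deserves a comment such as `/* Compatibility only: the key is derivable from the UID, so entries are not protected against anyone who can access the storage. */`.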
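Review bot: secure_storage_its_transform_aead_get_key() passes the raw bytes of the uid struct (`(uint8_t *)&uid, sizeof(uid)`) as the derivation label, so the derived key depends on the in-memory layout of secure_storage_its_uid_t. If that type contains padding or its layout changes between builds, the label changes and existing entries stop decrypting; the type's definition is not part of this diff, so this may already be guaranteed. The TSBC transform added in the same commit pins its label size with `BUILD_ASSERT(sizeof(psa_storage_uid_t) == sizeof(uint64_t));`, and a comparable assertion, or at least a comment such as `/* Label is the raw uid struct; its layout is part of the storage format. */`, would make the dependency explicit here.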
--- a/subsys/trusted_storage/src/aead/aead_crypt_psa_chachapoly.c +++ b/subsys/trusted_storage/src/aead/aead_crypt_psa_chachapoly.c @@ -4,8 +4,6 @@ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause */ -#include -#include #include "psa_crypto_driver_wrappers.h" #include #include diff --git a/tests/zephyr/subsys/secure_storage/psa/its/CMakeLists.txt b/tests/zephyr/subsys/secure_storage/psa/its/CMakeLists.txt new file mode 100644 index 00000000000..859da4d0941 --- /dev/null +++ b/tests/zephyr/subsys/secure_storage/psa/its/CMakeLists.txt @@ -0,0 +1,11 @@ +cmake_minimum_required(VERSION 3.20.0) +find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) +project(app) + +target_sources(app PRIVATE ${ZEPHYR_BASE}/tests/subsys/secure_storage/psa/its/src/main.c) + +zephyr_sources_ifdef(CONFIG_SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_CUSTOM + ${ZEPHYR_BASE}/tests/subsys/secure_storage/psa/its/src/custom_transform.c) + +zephyr_sources_ifdef(CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_CUSTOM + ${ZEPHYR_BASE}/tests/subsys/secure_storage/psa/its/src/custom_store.c) diff --git a/tests/zephyr/subsys/secure_storage/psa/its/prj.conf b/tests/zephyr/subsys/secure_storage/psa/its/prj.conf new file mode 100644 index 00000000000..09638b5bae0 --- /dev/null +++ b/tests/zephyr/subsys/secure_storage/psa/its/prj.conf @@ -0,0 +1,9 @@ +CONFIG_ZTEST=y + +CONFIG_SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY=y + +CONFIG_NRF_SECURITY=y +CONFIG_PSA_WANT_GENERATE_RANDOM=y + +CONFIG_MPU_ALLOW_FLASH_WRITE=y +CONFIG_HW_UNIQUE_KEY_WRITE_ON_CRYPTO_INIT=y diff --git a/tests/zephyr/subsys/secure_storage/psa/its/testcase.yaml b/tests/zephyr/subsys/secure_storage/psa/its/testcase.yaml new file mode 100644 index 00000000000..b89db471b6c --- /dev/null +++ b/tests/zephyr/subsys/secure_storage/psa/its/testcase.yaml 
@@ -0,0 +1,58 @@ +common: + sysbuild: true + tags: + - sysbuild + - psa + - crypto + - ci_tests_crypto + platform_allow: + - native_sim + - nrf54l15dk/nrf54l15/cpuapp + - nrf9151dk/nrf9151 + - nrf52840dk/nrf52840 + integration_platforms: + - native_sim + - nrf54l15dk/nrf54l15/cpuapp + - nrf9151dk/nrf9151 + - nrf52840dk/nrf52840 + +tests: + nrf.extended.secure_storage.psa.its.secure_storage.store.zms: + filter: not CONFIG_SOC_NRF52840 + extra_args: + - SB_CONFIG_PARTITION_MANAGER=n + - EXTRA_DTC_OVERLAY_FILE=${ZEPHYR_BASE}/tests/subsys/secure_storage/psa/its/zms.overlay + - EXTRA_CONF_FILE=\ + ${ZEPHYR_BASE}/tests/subsys/secure_storage/psa/its/overlay-secure_storage.conf;\ + ${ZEPHYR_BASE}/tests/subsys/secure_storage/psa/its/overlay-store_zms.conf;\ + ${ZEPHYR_BASE}/tests/subsys/secure_storage/psa/its/overlay-transform_default.conf + + nrf.extended.secure_storage.backward_compatibility.psa.its.secure_storage.store.settings: + extra_args: "EXTRA_CONF_FILE=\ + ${ZEPHYR_BASE}/tests/subsys/secure_storage/psa/its/overlay-secure_storage.conf;\ + ${ZEPHYR_BASE}/tests/subsys/secure_storage/psa/its/overlay-transform_default.conf;\ + ${ZEPHYR_BASE}/tests/subsys/secure_storage/psa/its/overlay-store_settings.conf" + extra_configs: + - CONFIG_NVS=n + - CONFIG_ZMS=y + + nrf.extended.secure_storage.backward_compatibility.psa.its.secure_storage.custom.transform: + extra_args: "EXTRA_CONF_FILE=\ + ${ZEPHYR_BASE}/tests/subsys/secure_storage/psa/its/overlay-secure_storage.conf;\ + ${ZEPHYR_BASE}/tests/subsys/secure_storage/psa/its/overlay-transform_custom.conf;\ + ${ZEPHYR_BASE}/tests/subsys/secure_storage/psa/its/overlay-store_settings.conf" + extra_configs: + - CONFIG_NVS=n + - CONFIG_ZMS=y + + nrf.extended.secure_storage.backward_compatibility.psa.its.secure_storage.custom.store: + extra_args: "EXTRA_CONF_FILE=\ + ${ZEPHYR_BASE}/tests/subsys/secure_storage/psa/its/overlay-secure_storage.conf;\ + ${ZEPHYR_BASE}/tests/subsys/secure_storage/psa/its/overlay-transform_default.conf;\ + 
${ZEPHYR_BASE}/tests/subsys/secure_storage/psa/its/overlay-store_custom.conf" + + nrf.extended.secure_storage.backward_compatibility.psa.its.secure_storage.custom.both: + extra_args: "EXTRA_CONF_FILE=\ + ${ZEPHYR_BASE}/tests/subsys/secure_storage/psa/its/overlay-secure_storage.conf;\ + ${ZEPHYR_BASE}/tests/subsys/secure_storage/psa/its/overlay-transform_custom.conf;\ + ${ZEPHYR_BASE}/tests/subsys/secure_storage/psa/its/overlay-store_custom.conf" diff --git a/west.yml b/west.yml index 835072011a2..10bc5f3f224 100644 --- a/west.yml +++ b/west.yml @@ -65,7 +65,7 @@ manifest: # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/modules.html - name: zephyr repo-path: sdk-zephyr - revision: e6537849e886ca40b68269e0c5d39be66f09479d + revision: 247ef302c2269d63b8957e5a346ab42a5f0b3bc8 import: # In addition to the zephyr repository itself, NCS also # imports the contents of zephyr/west.yml at the above