nrfconnect · rlubos · Jun 4, 2025 · May 22, 2025 · May 22, 2025 · Jun 2, 2025
@@ -824,6 +824,7 @@
 /subsys/partition_manager/                @nordicjm @tejlmand
 /subsys/pcd/                              @nrfconnect/ncs-pluto
 /subsys/sdfw_services/                    @nrfconnect/ncs-aurora
+/subsys/secure_storage/                   @nrfconnect/ncs-aegir
 /subsys/settings/                         @nrfconnect/ncs-pluto @rghaddab
 /subsys/sdfw_services/services/extmem/    @nrfconnect/ncs-charon
 /subsys/sdfw_services/services/suit_service/ @nrfconnect/ncs-charon
@@ -945,6 +946,7 @@
 /tests/subsys/pcd/                        @nrfconnect/ncs-pluto
 /tests/subsys/sdfw_services/              @nrfconnect/ncs-aurora
 /tests/subsys/suit/                       @nrfconnect/ncs-charon
+/tests/subsys/usb/negotiated_speed/       @nrfconnect/ncs-low-level-test
 /tests/tfm/                               @nrfconnect/ncs-aegir @magnev
 /tests/unity/                             @nordic-krch
 /tests/zephyr/boards/nrf/                 @nrfconnect/ncs-low-level-test
@@ -968,7 +970,7 @@
 /tests/zephyr/drivers/uart/               @nrfconnect/ncs-low-level-test
 /tests/zephyr/drivers/watchdog/           @nrfconnect/ncs-low-level-test
 /tests/zephyr/kernel/timer/timer_behavior/ @nrfconnect/ncs-low-level-test
-/tests/subsys/usb/negotiated_speed/       @nrfconnect/ncs-low-level-test
+/tests/zephyr/subsys/secure_storage/      @nrfconnect/ncs-aegir
 /tests/zephyr/subsys/settings/performance/ @nrfconnect/ncs-pluto @rghaddab
 
 /tests/benchmarks/multicore/idle/*.rst    @nrfconnect/ncs-si-bluebagel-doc

@@ -11,9 +11,6 @@ find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
 project(persistent_key)
 
 target_sources(app PRIVATE
-        src/main.c
-        )
-
-target_sources_ifdef(CONFIG_TRUSTED_STORAGE app PRIVATE
-        src/trusted_storage_init.c
-        )
+  src/main.c
+  src/init.c
+)
@@ -1,15 +1,19 @@
 .. _crypto_persistent_key:
 
-Crypto: Persistent key storage
-##############################
+Crypto: Persistent key usage
+############################
 
 .. contents::
    :local:
    :depth: 2
 
 The persistent key sample shows how to generate a persistent key using the Platform Security Architecture (PSA) APIs.
 Persistent keys are stored in the Internal Trusted Storage (ITS) of the device and retain their value between resets.
-The ITS backend is either provided by TF-M, or the :ref:`trusted_storage_readme` library when building applications without TF-M.
+The implementation of the PSA ITS API is provided in one of the following ways, depending on your configuration:
+
+* Through TF-M using Internal Trusted Storage and Protected Storage services.
+* When building without TF-M: using either Zephyr's :ref:`secure_storage` subsystem or the :ref:`trusted_storage_readme` library.
+
 A persistent key becomes unusable when the ``psa_destroy_key`` function is called.
 
 Requirements
@@ -72,6 +76,7 @@ Dependencies
 
    * :file:`psa/crypto.h`
 
-* Builds without TF-M use the :ref:`trusted_storage_readme` library
+* Builds without TF-M use the :ref:`secure_storage` subsystem as the PSA Secure Storage API
+  provider.
 
    * The :ref:`lib_hw_unique_key` is used to encrypt the key before storing it.
@@ -2,19 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
 
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
+
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
-CONFIG_SETTINGS_NVS=y
-CONFIG_TRUSTED_STORAGE=y
 
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
@@ -2,19 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
 
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
+
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
-CONFIG_SETTINGS_NVS=y
-CONFIG_TRUSTED_STORAGE=y
 
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
@@ -2,20 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CRACEN=y
 
-# Use TRUSTED_STORAGE because this is a non-TF-M board target.
-CONFIG_TRUSTED_STORAGE=y
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
 
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_ZMS=y
 CONFIG_SETTINGS=y
 
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
@@ -2,20 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CRACEN=y
 
-# Use TRUSTED_STORAGE because this is a non-TF-M board target.
-CONFIG_TRUSTED_STORAGE=y
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
 
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_ZMS=y
 CONFIG_SETTINGS=y
 
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
@@ -2,20 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CRACEN=y
 
-# Use TRUSTED_STORAGE because this is a non-TF-M board target.
-CONFIG_TRUSTED_STORAGE=y
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
 
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_ZMS=y
 CONFIG_SETTINGS=y
 
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
@@ -3,11 +3,12 @@
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
 
+# Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CRACEN=y
 
-# Use TRUSTED_STORAGE because this is a non-TF-M board target.
-CONFIG_TRUSTED_STORAGE=y
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
 
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y

@@ -2,20 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CRACEN=y
 
-# Use TRUSTED_STORAGE because this is a non-TF-M board target.
-CONFIG_TRUSTED_STORAGE=y
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
 
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_ZMS=y
 CONFIG_SETTINGS=y
 
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
@@ -2,19 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
 
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
+
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
-CONFIG_SETTINGS_NVS=y
-CONFIG_TRUSTED_STORAGE=y
 
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
@@ -2,19 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
 
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
+
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
-CONFIG_SETTINGS_NVS=y
-CONFIG_TRUSTED_STORAGE=y
 
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
@@ -2,19 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
 
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
+
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
-CONFIG_SETTINGS_NVS=y
-CONFIG_TRUSTED_STORAGE=y
 
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192