[nrf fromlist] secure_storage: make UIDs 32-bit

doc/services/storage/secure_storage/index.rst

@@ -43,9 +43,18 @@ The secure storage subsystem's implementation of the PSA Secure Storage API:
   Instead, the PS API directly calls into the Internal Trusted Storage (ITS) API
   (unless a `custom implementation <#whole-api>`_ of the PS API is provided).
 
-Below are some ways the implementation deviates from the specification
+Below are some ways the implementation purposefully deviates from the specification
 and an explanation why. This is not an exhaustive list.
 
+* The UID type is only 30 bits by default. (Against `2.5 UIDs <https://arm-software.github.io/psa-api/storage/1.0/overview/architecture.html#uids>`_.)
+
+  | This is an optimization done to make it more convenient to directly use the UIDs as
+    storage entry IDs (e.g., with :ref:`ZMS <zms_api>` when
+    :kconfig:option:`CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_ZMS` is enabled).
+  | Zephyr defines numerical ranges to be used by different users of the API which guarantees that
+    there are no collisions and that they all fit within 30 bits.
+    See the header files in :zephyr_file:`include/zephyr/psa` for more information.
+
 * The data stored in the ITS is by default encrypted and authenticated (Against ``1.`` in
   `3.2. Internal Trusted Storage requirements <https://arm-software.github.io/psa-api/storage/1.0/overview/requirements.html#internal-trusted-storage-requirements>`_.)
 

samples/psa/its/sample.yaml

@@ -2,6 +2,8 @@ sample:
   name: PSA ITS API sample
   description: Demonstration of PSA Internal Trusted Storage (ITS) API usage.
 common:
+  integration_platforms:
+    - native_sim
   tags:
     - psa.secure_storage
   timeout: 10

samples/psa/persistent_key/sample.yaml

@@ -2,6 +2,8 @@ sample:
   name: PSA Crypto persistent key sample
   description: Demonstration of persistent key usage in the PSA Crypto API.
 common:
+  integration_platforms:
+    - native_sim
   tags:
     - psa.secure_storage
   timeout: 10

subsys/secure_storage/Kconfig

@@ -25,6 +25,17 @@ module = SECURE_STORAGE
 module-str = secure_storage
 source "subsys/logging/Kconfig.template.log_config"
 
+config SECURE_STORAGE_64_BIT_UID
+	bool "Make psa_storage_uid_t 64-bit"
+	help
+	  Zephyr, by default, uses a 30-bit psa_storage_uid_t, which allows using only 32 bits to
+	  identify entries.
+	  UID ranges are defined for the different users of the API which guarantees that all the
+	  UIDs fit within 30 bits. See for example the zephyr/psa/key_ids.h header file.
+	  Enable this for backward compatibility if you are updating an existing installation with
+	  stored entries that was using Zephyr prior to 4.3 or if for some reason you need the full
+	  64-bit UID range.
+
 choice SECURE_STORAGE_ITS_IMPLEMENTATION
 	prompt "Internal Trusted Storage (ITS) API implementation"
 

subsys/secure_storage/Kconfig.its_store

@@ -17,7 +17,7 @@ config SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_ZMS
 	depends on ZMS
 	help
 	  This implementation of the ITS store module makes direct use of ZMS for storage.
-	  It needs a `secure_storage_its_partition` devicetree chosen property that points
+	  It needs a secure_storage_its_partition devicetree chosen property that points
 	  to a fixed storage partition that will be dedicated to the ITS. It has lower
 	  overhead compared to the settings-based implementation, both in terms of runtime
 	  execution and storage space, and also ROM footprint if the settings subsystem is disabled.
@@ -78,7 +78,8 @@ config SECURE_STORAGE_ITS_STORE_SETTINGS_PREFIX
 config SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_MAX_LEN
 	int "Maximum setting name length"
 	range 2 64
-	default 22 if !SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_CUSTOM
-	default 0
+	default 0 if SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_CUSTOM
+	default 22 if SECURE_STORAGE_64_BIT_UID
+	default 14
 
 endif # SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS

subsys/secure_storage/include/internal/zephyr/secure_storage/its.h

@@ -14,18 +14,21 @@
 #include "its/common.h"
 
 /** @brief See `psa_its_set()`, to which this function is analogous. */
-psa_status_t secure_storage_its_set(secure_storage_its_uid_t uid, size_t data_length,
-				    const void *p_data, psa_storage_create_flags_t create_flags);
+psa_status_t secure_storage_its_set(secure_storage_its_caller_id_t caller_id, psa_storage_uid_t uid,
+				    size_t data_length, const void *p_data,
+				    psa_storage_create_flags_t create_flags);
 
 /** @brief See `psa_its_get()`, to which this function is analogous. */
-psa_status_t secure_storage_its_get(secure_storage_its_uid_t uid, size_t data_offset,
-				    size_t data_size, void *p_data, size_t *p_data_length);
+psa_status_t secure_storage_its_get(secure_storage_its_caller_id_t caller_id, psa_storage_uid_t uid,
+				    size_t data_offset, size_t data_size,
+				    void *p_data, size_t *p_data_length);
 
 /** @brief See `psa_its_get_info()`, to which this function is analogous. */
-psa_status_t secure_storage_its_get_info(secure_storage_its_uid_t uid,
-					 struct psa_storage_info_t *p_info);
+psa_status_t secure_storage_its_get_info(secure_storage_its_caller_id_t caller_id,
+					 psa_storage_uid_t uid, struct psa_storage_info_t *p_info);
 
 /** @brief See `psa_its_remove()`, to which this function is analogous. */
-psa_status_t secure_storage_its_remove(secure_storage_its_uid_t uid);
+psa_status_t secure_storage_its_remove(secure_storage_its_caller_id_t caller_id,
+				       psa_storage_uid_t uid);
 
 #endif

subsys/secure_storage/include/internal/zephyr/secure_storage/its/common.h

@@ -12,8 +12,7 @@
 #include <psa/storage_common.h>
 
 /** @brief The ID of the caller from which the ITS API call originates.
- * This is used to prevent ID collisions between different callers that are not aware
- * of each other and so might use the same numerical IDs, e.g. PSA Crypto and PSA ITS.
+ * This is used to namespace the different callers and possibly treat them differently.
  */
 typedef enum {
 	SECURE_STORAGE_ITS_CALLER_PSA_ITS,
@@ -22,12 +21,33 @@
 	SECURE_STORAGE_ITS_CALLER_COUNT
 } secure_storage_its_caller_id_t;
 
+#ifdef CONFIG_SECURE_STORAGE_64_BIT_UID
+
 /** The UID (caller + entry IDs) of an ITS entry. */
 typedef struct {
 	psa_storage_uid_t uid;
 	secure_storage_its_caller_id_t caller_id;
 } __packed secure_storage_its_uid_t;
 
+#else
+
+#define SECURE_STORAGE_ITS_UID_BIT_SIZE 30
+#define SECURE_STORAGE_ITS_CALLER_ID_BIT_SIZE 2
+
+/** @brief The UID (caller + entry IDs) of an ITS entry.
+ * This is a packed, 32-bit version of `psa_storage_uid_t` which allows storing
+ * smaller IDs compared to the 64-bit ones that PSA Secure Storage specifies.
+ * Zephyr defines ranges of IDs to be used by different users of the API (subsystems, application)
+ * which guarantees 1. no collisions and 2. that the IDs used fit within `uid`.
+ * @see @ref zephyr/psa/key_ids.h and the other header files under `zephyr/psa`.
+ */
+typedef struct {
+	psa_storage_uid_t uid : SECURE_STORAGE_ITS_UID_BIT_SIZE;
+	secure_storage_its_caller_id_t caller_id : SECURE_STORAGE_ITS_CALLER_ID_BIT_SIZE;
+} secure_storage_its_uid_t;
+
+#endif /* CONFIG_SECURE_STORAGE_64_BIT_UID */
+
 #ifdef CONFIG_SECURE_STORAGE_ITS_TRANSFORM_MODULE
 
 /** The maximum size, in bytes, of an entry's data after it has been transformed for storage. */

subsys/secure_storage/include/psa/internal_trusted_storage.h

@@ -16,7 +16,6 @@
 #else
 #define ITS_CALLER_ID SECURE_STORAGE_ITS_CALLER_PSA_ITS
 #endif
-#define ITS_UID (secure_storage_its_uid_t){.uid = uid, .caller_id = ITS_CALLER_ID}
 /** @endcond */
 
 #include <psa/storage_common.h>
@@ -50,7 +49,7 @@
 psa_status_t psa_its_set(psa_storage_uid_t uid, size_t data_length,
 			 const void *p_data, psa_storage_create_flags_t create_flags)
 {
-	return secure_storage_its_set(ITS_UID, data_length, p_data, create_flags);
+	return secure_storage_its_set(ITS_CALLER_ID, uid, data_length, p_data, create_flags);
 }
 
 /**
@@ -76,8 +75,9 @@
 psa_status_t psa_its_get(psa_storage_uid_t uid, size_t data_offset,
 			 size_t data_size, void *p_data, size_t *p_data_length)
 {
-	return secure_storage_its_get(ITS_UID, data_offset, data_size, p_data, p_data_length);
+	return secure_storage_its_get(ITS_CALLER_ID, uid, data_offset,
+				      data_size, p_data, p_data_length);
 }
 
 /**
  * @brief Retrieves the metadata of a given entry.
@@ -96,7 +96,7 @@
 /** @endcond  */
 psa_status_t psa_its_get_info(psa_storage_uid_t uid, struct psa_storage_info_t *p_info)
 {
-	return secure_storage_its_get_info(ITS_UID, p_info);
+	return secure_storage_its_get_info(ITS_CALLER_ID, uid, p_info);
 }
 
 /**
@@ -117,7 +117,7 @@
 /** @endcond  */
 psa_status_t psa_its_remove(psa_storage_uid_t uid)
 {
-	return secure_storage_its_remove(ITS_UID);
+	return secure_storage_its_remove(ITS_CALLER_ID, uid);
 }
 
 #undef ITS_UID

subsys/secure_storage/include/psa/protected_storage.h

@@ -12,8 +12,7 @@
 /** @cond INTERNAL_HIDDEN */
 #ifdef CONFIG_SECURE_STORAGE_PS_IMPLEMENTATION_ITS
 #include "../internal/zephyr/secure_storage/its.h"
-#define ITS_UID (secure_storage_its_uid_t){.uid = uid, \
-					   .caller_id = SECURE_STORAGE_ITS_CALLER_PSA_PS}
+#define ITS_CALLER_ID SECURE_STORAGE_ITS_CALLER_PSA_PS
 #else
 #include "../internal/zephyr/secure_storage/ps.h"
 #endif
@@ -50,7 +49,7 @@
 			const void *p_data, psa_storage_create_flags_t create_flags)
 {
 #ifdef CONFIG_SECURE_STORAGE_PS_IMPLEMENTATION_ITS
-	return secure_storage_its_set(ITS_UID, data_length, p_data, create_flags);
+	return secure_storage_its_set(ITS_CALLER_ID, uid, data_length, p_data, create_flags);
 #else
 	return secure_storage_ps_set(uid, data_length, p_data, create_flags);
 #endif
@@ -83,8 +82,9 @@
 			size_t data_size, void *p_data, size_t *p_data_length)
 {
 #ifdef CONFIG_SECURE_STORAGE_PS_IMPLEMENTATION_ITS
-	return secure_storage_its_get(ITS_UID, data_offset, data_size, p_data, p_data_length);
+	return secure_storage_its_get(ITS_CALLER_ID, uid, data_offset,
+				      data_size, p_data, p_data_length);
 #else
 	return secure_storage_ps_get(uid, data_offset, data_size, p_data, p_data_length);
 #endif
 }
@@ -110,7 +110,7 @@
 psa_status_t psa_ps_get_info(psa_storage_uid_t uid, struct psa_storage_info_t *p_info)
 {
 #ifdef CONFIG_SECURE_STORAGE_PS_IMPLEMENTATION_ITS
-	return secure_storage_its_get_info(ITS_UID, p_info);
+	return secure_storage_its_get_info(ITS_CALLER_ID, uid, p_info);
 #else
 	return secure_storage_ps_get_info(uid, p_info);
 #endif
@@ -138,7 +138,7 @@
 psa_status_t psa_ps_remove(psa_storage_uid_t uid)
 {
 #ifdef CONFIG_SECURE_STORAGE_PS_IMPLEMENTATION_ITS
-	return secure_storage_its_remove(ITS_UID);
+	return secure_storage_its_remove(ITS_CALLER_ID, uid);
 #else
 	return secure_storage_ps_remove(uid);
 #endif

subsys/secure_storage/include/psa/storage_common.h

@@ -20,7 +20,11 @@
 #include <stddef.h>
 
 /** UID type for identifying entries. */
+#ifdef CONFIG_SECURE_STORAGE_64_BIT_UID
 typedef uint64_t psa_storage_uid_t;
+#else
+typedef uint32_t psa_storage_uid_t;
+#endif
 
 /** Flags used when creating an entry. */
 typedef uint32_t psa_storage_create_flags_t;