5 changes: 5 additions & 0 deletions modules/mbedtls/configs/config-tls-generic.h
Expand Up @@ -486,6 +486,11 @@
#define MBEDTLS_PSA_CRYPTO_STORAGE_C
#endif

#if defined(CONFIG_SECURE_STORAGE_ITS_IMPLEMENTATION_MBEDTLS)
Contributor

Question: can't we make a new Mbed TLS specific Kconfig to be used as guard here instead of using a secure-storage one? Something like CONFIG_MBEDTLS_ITS_FILE or similar for example.

Contributor Author

Of course we could, but that symbol would just be:

config MBEDTLS_ITS_FILE
    bool
    default y if SECURE_STORAGE_ITS_IMPLEMENTATION_MBEDTLS

It just smears the definitions across more files.

Contributor

True, but then you would have secure-storage Kconfig enabling an Mbed TLS Kconfig which then "internally" sets the build symbols to build Mbed TLS. In other words, in this way we would keep relations between different subsystems/modules at Kconfig level. It just looks cleaner to me, but I guess it's a matter of preference, so I'll let the maintainer decide what to do.

Contributor Author

Happy to change the symbols if needed, but literally 2 lines above my change there is already a:

#if defined(CONFIG_SECURE_STORAGE)
#define MBEDTLS_PSA_CRYPTO_STORAGE_C
#endif

Contributor

Oh damn, that's right. Then I guess that it will take one or more specific PRs to fix all the mess in that header file, but that's out of scope for this one. Please ignore my comment and sorry for the noise.

Contributor

FYI I am changing that in #85735 (introducing CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C).

#define MBEDTLS_PSA_ITS_FILE_C
#define MBEDTLS_FS_IO
#endif

#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_C */

#if defined(CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOTS)
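Review bot: the new `CONFIG_SECURE_STORAGE_ITS_IMPLEMENTATION_MBEDTLS` block defines `MBEDTLS_PSA_ITS_FILE_C` and `MBEDTLS_FS_IO` with no comment saying what they select; since the matching Kconfig entry is restricted to `ARCH_POSIX`, a one-line comment such as `/* Mbed TLS file-backed ITS on the host filesystem; POSIX builds only */` would make the intent clear next to the `CONFIG_SECURE_STORAGE` guard two lines above. It is also worth checking that `MBEDTLS_FS_IO` is not already defined elsewhere in this header, since a second `#define` would produce a redefinition warning.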
10 changes: 10 additions & 0 deletions samples/psa/its/Kconfig
@@ -0,0 +1,10 @@
# Copyright (c) 2025 Embeint Inc
# SPDX-License-Identifier: Apache-2.0

# We explicitly don't want SECURE_STORAGE_ITS_IMPLEMENTATION_MBEDTLS here
choice SECURE_STORAGE_ITS_IMPLEMENTATION
default SECURE_STORAGE_ITS_IMPLEMENTATION_ZEPHYR
default SECURE_STORAGE_ITS_IMPLEMENTATION_CUSTOM
endchoice

source "Kconfig.zephyr"
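Review bot: the comment on the first line says the MbedTLS implementation is explicitly not wanted here but not why; the same override in tests/subsys/secure_storage/psa/crypto/Kconfig carries the reason (it implements `psa_ps_*` and not the underlying `secure_storage_its_*`), and that second comment line should be repeated here so a reader of the sample does not have to find the test to understand it. A short comment on the two `default` lines (ZEPHYR first, CUSTOM as the fallback when ZEPHYR is not selectable) would also help.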
6 changes: 6 additions & 0 deletions subsys/secure_storage/Kconfig
Expand Up @@ -27,6 +27,12 @@ source "subsys/logging/Kconfig.template.log_config"
choice SECURE_STORAGE_ITS_IMPLEMENTATION
prompt "Internal Trusted Storage (ITS) API implementation"

config SECURE_STORAGE_ITS_IMPLEMENTATION_MBEDTLS
bool "MbedTLS ITS implementation"
depends on ARCH_POSIX
help
Use MbedTLS's implementation of the ITS API.

config SECURE_STORAGE_ITS_IMPLEMENTATION_ZEPHYR
bool "Zephyr's ITS implementation"
select SECURE_STORAGE_ITS_TRANSFORM_MODULE
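Review bot: placing `SECURE_STORAGE_ITS_IMPLEMENTATION_MBEDTLS` first in the choice makes it the default on every `ARCH_POSIX` build unless the choice sets an explicit default, which is why this PR has to add per-sample and per-test Kconfig overrides and a bsim overlay line. Consider an explicit `default SECURE_STORAGE_ITS_IMPLEMENTATION_ZEPHYR` in the choice, or placing the new entry after the Zephyr one, so existing POSIX configurations keep their behaviour. The help text should also state that this option uses Mbed TLS's file-based ITS and bypasses the `secure_storage_its_*` layer (as the test Kconfig comment notes), so users do not assume the transform module selected by the Zephyr implementation applies to it.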
1 change: 1 addition & 0 deletions tests/bsim/bluetooth/mesh/overlay_ss.conf
@@ -1 +1,2 @@
CONFIG_SECURE_STORAGE=y
CONFIG_SECURE_STORAGE_ITS_IMPLEMENTATION_ZEPHYR=y
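Review bot: this line has no comment explaining why it is needed; bsim targets build for `ARCH_POSIX`, where the new MbedTLS entry becomes selectable in the choice, so a one-line comment stating that this pins the Zephyr implementation would stop the next person from removing it as redundant.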
11 changes: 11 additions & 0 deletions tests/subsys/secure_storage/psa/crypto/Kconfig
@@ -0,0 +1,11 @@
# Copyright (c) 2025 Embeint Inc
# SPDX-License-Identifier: Apache-2.0

# We explicitly don't want SECURE_STORAGE_ITS_IMPLEMENTATION_MBEDTLS here
# as it implements `psa_ps_*` and not the underlying `secure_storage_its_*`.
choice SECURE_STORAGE_ITS_IMPLEMENTATION
default SECURE_STORAGE_ITS_IMPLEMENTATION_ZEPHYR
default SECURE_STORAGE_ITS_IMPLEMENTATION_CUSTOM
endchoice

source "Kconfig.zephyr"
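Review bot: this file is the third near-verbatim copy of the same choice override (samples/psa/its/Kconfig and tests/subsys/secure_storage/psa/its/Kconfig are the others), differing only in the second comment line. If the subsystem choice gained an explicit default, all three could go away; failing that, keep the two-line explanation identical in all three so they do not drift apart.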
10 changes: 10 additions & 0 deletions tests/subsys/secure_storage/psa/its/Kconfig
@@ -0,0 +1,10 @@
# Copyright (c) 2025 Embeint Inc
# SPDX-License-Identifier: Apache-2.0

# We explicitly don't want SECURE_STORAGE_ITS_IMPLEMENTATION_MBEDTLS here
choice SECURE_STORAGE_ITS_IMPLEMENTATION
default SECURE_STORAGE_ITS_IMPLEMENTATION_ZEPHYR
default SECURE_STORAGE_ITS_IMPLEMENTATION_CUSTOM
endchoice

source "Kconfig.zephyr"
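Review bot: as with samples/psa/its/Kconfig, the comment gives no reason for excluding the MbedTLS implementation; copy the second comment line from tests/subsys/secure_storage/psa/crypto/Kconfig (it implements `psa_ps_*` and not the underlying `secure_storage_its_*`) so the rationale lives with each override.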