diff --git a/modules/mbedtls/Kconfig.tls-generic b/modules/mbedtls/Kconfig.tls-generic index 01a0eebb630..f2e73ffaf25 100644 --- a/modules/mbedtls/Kconfig.tls-generic +++ b/modules/mbedtls/Kconfig.tls-generic @@ -613,6 +613,9 @@ config MBEDTLS_PSA_P256M_DRIVER_RAW Warning: Usage of this Kconfig option is prohibited in Zephyr's codebase. Users can enable it in case of very memory-constrained devices, but be aware that the p256-m interface is absolutely not guaranted to remain stable over time. +config MBEDTLS_PSA_CRYPTO_STORAGE_C + bool + config MBEDTLS_PSA_STATIC_KEY_SLOTS bool "Use statically allocated key buffers to store key material" default y if !MBEDTLS_ENABLE_HEAP diff --git a/modules/mbedtls/configs/config-tls-generic.h b/modules/mbedtls/configs/config-tls-generic.h index eb3f943a458..9d46e3be482 100644 --- a/modules/mbedtls/configs/config-tls-generic.h +++ b/modules/mbedtls/configs/config-tls-generic.h @@ -477,17 +477,16 @@ #if defined(CONFIG_MBEDTLS_PSA_CRYPTO_C) #define MBEDTLS_PSA_CRYPTO_C #define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS +#endif #if defined(CONFIG_MBEDTLS_PSA_P256M_DRIVER_ENABLED) #define MBEDTLS_PSA_P256M_DRIVER_ENABLED #endif -#if defined(CONFIG_SECURE_STORAGE) +#if defined(CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C) #define MBEDTLS_PSA_CRYPTO_STORAGE_C #endif -#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_C */ - #if defined(CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOTS) #define MBEDTLS_PSA_STATIC_KEY_SLOTS #endif diff --git a/samples/psa/its/overlay-secure_storage.conf b/samples/psa/its/overlay-secure_storage.conf index 8ff0c17ebcb..3473ae38910 100644 --- a/samples/psa/its/overlay-secure_storage.conf +++ b/samples/psa/its/overlay-secure_storage.conf @@ -3,9 +3,6 @@ CONFIG_MBEDTLS=y CONFIG_MBEDTLS_PSA_CRYPTO_C=y -# native_sim requires ECB cipher to be enabled -CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y - # The default stack size (1024) is not enough for the PSA Crypto core. # On top of that, the ITS implementation uses the stack for buffers. CONFIG_MAIN_STACK_SIZE=3072 
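Review bot: The new promptless symbol `MBEDTLS_PSA_CRYPTO_STORAGE_C` in Kconfig.tls-generic has neither a `depends on` nor a `help` text, so nothing at its definition records that it is only meaningful together with `MBEDTLS_PSA_CRYPTO_C`. The only guard is the `if MBEDTLS_PSA_CRYPTO_C` condition on the `select` added in subsys/secure_storage/Kconfig. Because the header no longer nests the storage define under the PSA core guard, a later selector that omits that condition would emit the define without the core. I would add `depends on MBEDTLS_PSA_CRYPTO_C`, so that Kconfig reports such a selection as an unmet dependency, and a short `help` saying the symbol is selected by whichever subsystem provides the PSA ITS backend.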
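Review bot: In config-tls-generic.h the `#endif` now closes `CONFIG_MBEDTLS_PSA_CRYPTO_C` right after `MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS`, which takes the `MBEDTLS_PSA_P256M_DRIVER_ENABLED` and `MBEDTLS_PSA_CRYPTO_STORAGE_C` blocks out of the PSA core guard and drops the label from the closing line. The header now relies entirely on Kconfig to keep those two defines from appearing without the core. For the storage symbol that is the conditional `select`; for the p256-m symbol the dependency is not visible in this diff and should be confirmed. I would keep the label as `#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_C */` and, once the dependency is confirmed, add a one-line comment above the two blocks stating that their Kconfig symbols imply the PSA core.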
diff --git a/samples/psa/its/overlay-entropy_driver.conf b/samples/psa/its/overlay-tfm.conf similarity index 53% rename from samples/psa/its/overlay-entropy_driver.conf rename to samples/psa/its/overlay-tfm.conf index 0feb3ad0949..5379af81ede 100644 --- a/samples/psa/its/overlay-entropy_driver.conf +++ b/samples/psa/its/overlay-tfm.conf @@ -1,3 +1,3 @@ # SPDX-License-Identifier: Apache-2.0 -CONFIG_ENTROPY_GENERATOR=y +CONFIG_TFM_PROFILE_TYPE_NOT_SET=y diff --git a/samples/psa/its/prj.conf b/samples/psa/its/prj.conf index 4c214a79a52..9ab1f303a6a 100644 --- a/samples/psa/its/prj.conf +++ b/samples/psa/its/prj.conf @@ -2,3 +2,5 @@ CONFIG_LOG=y CONFIG_LOG_DEFAULT_LEVEL=3 + +CONFIG_ENTROPY_GENERATOR=y diff --git a/samples/psa/its/sample.yaml b/samples/psa/its/sample.yaml index 024c065ba74..8d67cddd157 100644 --- a/samples/psa/its/sample.yaml +++ b/samples/psa/its/sample.yaml @@ -13,21 +13,20 @@ common: tests: sample.psa.its.tfm: filter: CONFIG_BUILD_WITH_TFM - extra_args: - - CONFIG_TFM_PROFILE_TYPE_MEDIUM=y + extra_args: EXTRA_CONF_FILE=overlay-tfm.conf tags: - trusted-firmware-m sample.psa.its.secure_storage.entropy_driver: filter: CONFIG_SECURE_STORAGE and not CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_NONE and CONFIG_ENTROPY_HAS_DRIVER - extra_args: EXTRA_CONF_FILE=overlay-secure_storage.conf;overlay-entropy_driver.conf + extra_args: EXTRA_CONF_FILE=overlay-secure_storage.conf tags: - drivers.entropy - settings sample.psa.its.secure_storage.entropy_not_secure: filter: CONFIG_SECURE_STORAGE and not CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_NONE and not CONFIG_ENTROPY_HAS_DRIVER - extra_args: EXTRA_CONF_FILE="overlay-secure_storage.conf;overlay-entropy_not_secure.conf" + extra_args: EXTRA_CONF_FILE=overlay-secure_storage.conf;overlay-entropy_not_secure.conf tags: - random - settings diff --git a/samples/psa/persistent_key/overlay-secure_storage.conf b/samples/psa/persistent_key/overlay-secure_storage.conf index 8ff0c17ebcb..7c1d782c4c2 100644 
--- a/samples/psa/persistent_key/overlay-secure_storage.conf +++ b/samples/psa/persistent_key/overlay-secure_storage.conf @@ -2,9 +2,8 @@ CONFIG_MBEDTLS=y CONFIG_MBEDTLS_PSA_CRYPTO_C=y - -# native_sim requires ECB cipher to be enabled -CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y +CONFIG_MBEDTLS_ENABLE_HEAP=y +CONFIG_MBEDTLS_HEAP_SIZE=1024 # The default stack size (1024) is not enough for the PSA Crypto core. # On top of that, the ITS implementation uses the stack for buffers. diff --git a/samples/psa/persistent_key/overlay-entropy_driver.conf b/samples/psa/persistent_key/overlay-tfm.conf similarity index 53% rename from samples/psa/persistent_key/overlay-entropy_driver.conf rename to samples/psa/persistent_key/overlay-tfm.conf index 0feb3ad0949..5379af81ede 100644 --- a/samples/psa/persistent_key/overlay-entropy_driver.conf +++ b/samples/psa/persistent_key/overlay-tfm.conf @@ -1,3 +1,3 @@ # SPDX-License-Identifier: Apache-2.0 -CONFIG_ENTROPY_GENERATOR=y +CONFIG_TFM_PROFILE_TYPE_NOT_SET=y diff --git a/samples/psa/persistent_key/prj.conf b/samples/psa/persistent_key/prj.conf index 9e78a182bf4..af300c0c334 100644 --- a/samples/psa/persistent_key/prj.conf +++ b/samples/psa/persistent_key/prj.conf @@ -4,5 +4,7 @@ CONFIG_LOG=y CONFIG_LOG_DEFAULT_LEVEL=3 CONFIG_ASSERT=y +CONFIG_ENTROPY_GENERATOR=y + CONFIG_PSA_WANT_KEY_TYPE_AES=y CONFIG_PSA_WANT_ALG_CTR=y diff --git a/samples/psa/persistent_key/sample.yaml b/samples/psa/persistent_key/sample.yaml index 89ced48f5b4..490f2ea8f15 100644 --- a/samples/psa/persistent_key/sample.yaml +++ b/samples/psa/persistent_key/sample.yaml 
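Review bot: `CONFIG_MBEDTLS_ENABLE_HEAP=y` and `CONFIG_MBEDTLS_HEAP_SIZE=1024` are added to samples/psa/persistent_key/overlay-secure_storage.conf without a comment, unlike the stack-size setting just below them, which explains itself. The same pair replaces `CONFIG_COMMON_LIBC_MALLOC_ARENA_SIZE=2048` in tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf, where the removed comment about PSA Crypto needing heap is not carried over. Enabling the heap also flips the default of `MBEDTLS_PSA_STATIC_KEY_SLOTS`, which is `default y if !MBEDTLS_ENABLE_HEAP` in Kconfig.tls-generic, so key material presumably moves from static buffers to the heap. A comment such as `# Persistent keys are loaded into heap-allocated slots; 1024 bytes covers the key sizes used here.` would record the intent and tell the next reader when to raise the value; the wording should be checked against the actual allocation behaviour.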
@@ -13,22 +13,20 @@ common: tests: sample.psa.persistent_key.tfm: filter: CONFIG_BUILD_WITH_TFM - extra_args: - - CONFIG_TFM_PROFILE_TYPE_MEDIUM=y - - CONFIG_PSA_WANT_GENERATE_RANDOM=y + extra_args: EXTRA_CONF_FILE=overlay-tfm.conf tags: - trusted-firmware-m sample.psa.persistent_key.secure_storage.entropy_driver: filter: CONFIG_SECURE_STORAGE and not CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_NONE and CONFIG_ENTROPY_HAS_DRIVER - extra_args: EXTRA_CONF_FILE=overlay-secure_storage.conf;overlay-entropy_driver.conf + extra_args: EXTRA_CONF_FILE=overlay-secure_storage.conf tags: - drivers.entropy - settings sample.psa.persistent_key.secure_storage.entropy_not_secure: filter: CONFIG_SECURE_STORAGE and not CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_NONE and not CONFIG_ENTROPY_HAS_DRIVER - extra_args: EXTRA_CONF_FILE="overlay-secure_storage.conf;overlay-entropy_not_secure.conf" + extra_args: EXTRA_CONF_FILE=overlay-secure_storage.conf;overlay-entropy_not_secure.conf tags: - random - settings diff --git a/subsys/secure_storage/Kconfig b/subsys/secure_storage/Kconfig index 11e78a7dbd2..11986cf0747 100644 --- a/subsys/secure_storage/Kconfig +++ b/subsys/secure_storage/Kconfig @@ -4,6 +4,7 @@ menuconfig SECURE_STORAGE bool "Secure storage subsystem" depends on !BUILD_WITH_TFM + select MBEDTLS_PSA_CRYPTO_STORAGE_C if MBEDTLS_PSA_CRYPTO_C select EXPERIMENTAL help The secure storage subsystem provides an implementation of the PSA Secure Storage API diff --git a/tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf b/tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf index ed84c304328..66d62e83c9c 100644 --- a/tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf +++ b/tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf 
@@ -2,12 +2,13 @@ CONFIG_ZTEST_STACK_SIZE=3072 CONFIG_MAIN_STACK_SIZE=2048 CONFIG_MBEDTLS=y +CONFIG_ENTROPY_GENERATOR=y CONFIG_TEST_RANDOM_GENERATOR=y CONFIG_TIMER_RANDOM_GENERATOR=y CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y -# PSA Crypto needs some heap, but MINIMAL_LIBC has none by default. -CONFIG_COMMON_LIBC_MALLOC_ARENA_SIZE=2048 CONFIG_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_MBEDTLS_ENABLE_HEAP=y +CONFIG_MBEDTLS_HEAP_SIZE=1024 CONFIG_SECURE_STORAGE=y # For testing isolation between the different callers of the ITS. diff --git a/tests/subsys/secure_storage/psa/crypto/overlay-tfm.conf b/tests/subsys/secure_storage/psa/crypto/overlay-tfm.conf new file mode 100644 index 00000000000..bb6403a96c2 --- /dev/null +++ b/tests/subsys/secure_storage/psa/crypto/overlay-tfm.conf @@ -0,0 +1,3 @@ +CONFIG_TFM_PROFILE_TYPE_NOT_SET=y + +CONFIG_ENTROPY_GENERATOR=y diff --git a/tests/subsys/secure_storage/psa/crypto/prj.conf b/tests/subsys/secure_storage/psa/crypto/prj.conf index bc7ec5fdbb9..d512b2fd70a 100644 --- a/tests/subsys/secure_storage/psa/crypto/prj.conf +++ b/tests/subsys/secure_storage/psa/crypto/prj.conf @@ -2,6 +2,3 @@ CONFIG_ZTEST=y CONFIG_PSA_WANT_KEY_TYPE_AES=y CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=y - -# native_sim requires ECB cipher to be enabled -CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y diff --git a/tests/subsys/secure_storage/psa/crypto/src/main.c b/tests/subsys/secure_storage/psa/crypto/src/main.c index a81f131f4f7..974a931583b 100644 --- a/tests/subsys/secure_storage/psa/crypto/src/main.c +++ b/tests/subsys/secure_storage/psa/crypto/src/main.c 
@@ -26,6 +26,16 @@ static void fill_key_attributes(psa_key_attributes_t *key_attributes) psa_set_key_bits(key_attributes, KEY_BITS); } +static void compare_key_attributes(const psa_key_attributes_t *l, const psa_key_attributes_t *r) +{ + zassert_equal(psa_get_key_lifetime(l), psa_get_key_lifetime(r)); + zassert_equal(psa_get_key_usage_flags(l), psa_get_key_usage_flags(r)); + zassert_equal(psa_get_key_id(l), psa_get_key_id(r)); + zassert_equal(psa_get_key_type(l), psa_get_key_type(r)); + zassert_equal(psa_get_key_algorithm(l), psa_get_key_algorithm(r)); + zassert_equal(psa_get_key_bits(l), psa_get_key_bits(r)); +} + static void fill_data(uint8_t *data, size_t size) { zassert_equal(psa_generate_random(data, size), PSA_SUCCESS); @@ -77,12 +87,7 @@ ZTEST(secure_storage_psa_crypto, test_its_caller_isolation) ret = psa_get_key_attributes(ID, &retrieved_key_attributes); zassert_equal(ret, PSA_SUCCESS); - zassert_equal(key_attributes.private_bits, retrieved_key_attributes.private_bits); - zassert_equal(key_attributes.private_id, retrieved_key_attributes.private_id); - zassert_equal(key_attributes.private_lifetime, retrieved_key_attributes.private_lifetime); - zassert_mem_equal(&key_attributes.private_policy, &retrieved_key_attributes.private_policy, - sizeof(key_attributes.private_policy)); - + compare_key_attributes(&retrieved_key_attributes, &key_attributes); ret = psa_destroy_key(ID); zassert_equal(ret, PSA_SUCCESS); ret = psa_get_key_attributes(ID, &retrieved_key_attributes); diff --git a/tests/subsys/secure_storage/psa/crypto/testcase.yaml b/tests/subsys/secure_storage/psa/crypto/testcase.yaml index df8a5b5d364..1482d23cb6c 100644 --- a/tests/subsys/secure_storage/psa/crypto/testcase.yaml +++ b/tests/subsys/secure_storage/psa/crypto/testcase.yaml 
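Review bot: `compare_key_attributes()` has no comment and names its parameters `l` and `r`, while the only call site passes the retrieved attributes first and the original ones second. Naming the parameters for their roles, for example `expected` and `actual`, would make a failing `zassert_equal` expression easier to read. A one-line comment such as `/* Asserts that all attributes readable through the public psa_get_key_*() accessors match. */` would also record that comparing through accessors rather than the `private_*` fields is deliberate.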
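Review bot: In `test_its_caller_isolation`, `retrieved_key_attributes` is filled by `psa_get_key_attributes()` and passed to it again after `psa_destroy_key(ID)`, with no `psa_reset_key_attributes()` visible in between. The PSA Crypto API asks callers to reset an attribute structure after `psa_get_key_attributes()` because the call may allocate resources. If the test does not already do this outside the hunk, add `psa_reset_key_attributes(&retrieved_key_attributes);` after the comparison. The test body starts and ends outside the hunk, so this needs checking against the full function. The blank line that separated the comparison from `psa_destroy_key()` was also dropped.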
@@ -10,8 +10,6 @@ tests: - nrf54l15dk/nrf54l15/cpuapp secure_storage.psa.crypto.tfm: filter: CONFIG_BUILD_WITH_TFM - extra_args: - - CONFIG_TFM_PROFILE_TYPE_MEDIUM=y - - CONFIG_PSA_WANT_GENERATE_RANDOM=y + extra_args: EXTRA_CONF_FILE=overlay-tfm.conf integration_platforms: - nrf9151dk/nrf9151/ns diff --git a/tests/subsys/secure_storage/psa/its/overlay-secure_storage.conf b/tests/subsys/secure_storage/psa/its/overlay-secure_storage.conf index 8a81a4a4f9a..3810764eb95 100644 --- a/tests/subsys/secure_storage/psa/its/overlay-secure_storage.conf +++ b/tests/subsys/secure_storage/psa/its/overlay-secure_storage.conf @@ -1,8 +1,4 @@ -CONFIG_ZTEST_STACK_SIZE=3072 -CONFIG_MAIN_STACK_SIZE=2048 +CONFIG_ZTEST_STACK_SIZE=4096 +CONFIG_MAIN_STACK_SIZE=3072 CONFIG_SECURE_STORAGE=y - -# native_sim requires ECB cipher to be enabled -CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y -CONFIG_PSA_WANT_KEY_TYPE_AES=y diff --git a/tests/subsys/secure_storage/psa/its/overlay-tfm.conf b/tests/subsys/secure_storage/psa/its/overlay-tfm.conf index 969d32669e4..e908573fb39 100644 --- a/tests/subsys/secure_storage/psa/its/overlay-tfm.conf +++ b/tests/subsys/secure_storage/psa/its/overlay-tfm.conf @@ -1,3 +1,4 @@ +CONFIG_TFM_PROFILE_TYPE_NOT_SET=y + CONFIG_TFM_ITS_MAX_ASSET_SIZE_OVERRIDE=y -CONFIG_TFM_ITS_MAX_ASSET_SIZE=512 -CONFIG_TFM_PROFILE_TYPE_MEDIUM=y +CONFIG_TFM_ITS_MAX_ASSET_SIZE=256 diff --git a/tests/subsys/secure_storage/psa/its/overlay-transform_default.conf b/tests/subsys/secure_storage/psa/its/overlay-transform_default.conf index 7ed936966ba..945da7e9f8b 100644 --- a/tests/subsys/secure_storage/psa/its/overlay-transform_default.conf +++ b/tests/subsys/secure_storage/psa/its/overlay-transform_default.conf @@ -1,4 +1,5 @@ CONFIG_MBEDTLS=y +CONFIG_ENTROPY_GENERATOR=y CONFIG_TEST_RANDOM_GENERATOR=y CONFIG_TIMER_RANDOM_GENERATOR=y CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y 
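Review bot: The `secure_storage.psa.crypto.tfm` entry in testcase.yaml no longer passes `CONFIG_PSA_WANT_GENERATE_RANDOM=y`, and the new tests/subsys/secure_storage/psa/crypto/overlay-tfm.conf does not set it either, yet `fill_data()` in src/main.c calls `psa_generate_random()`. Presumably the unset TF-M profile enables random generation by default. If so, a comment in overlay-tfm.conf saying that would keep the dependency from being lost silently; if not, `CONFIG_PSA_WANT_GENERATE_RANDOM=y` belongs in the overlay. The same option is dropped from the TF-M entry of samples/psa/persistent_key/sample.yaml.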
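Review bot: `CONFIG_TFM_ITS_MAX_ASSET_SIZE` drops from 512 to 256 in tests/subsys/secure_storage/psa/its/overlay-tfm.conf with no comment giving the reason or tying the value to what the test writes. If the ITS test sizes its entries from a limit defined elsewhere, the two can drift apart. A comment next to the value, such as `# Must be at least the largest entry written by the ITS test.`, or a build-time check in the test, would make the coupling explicit. Whether the test reads this value is not visible in the diff.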
diff --git a/tests/subsys/secure_storage/psa/its/prj.conf b/tests/subsys/secure_storage/psa/its/prj.conf
index 444328072a4..9467c292689 100644
--- a/tests/subsys/secure_storage/psa/its/prj.conf
+++ b/tests/subsys/secure_storage/psa/its/prj.conf
@@ -1,2 +1 @@
 CONFIG_ZTEST=y
-CONFIG_ZTEST_STACK_SIZE=3072