From 97a938527b94801193d6cdb074de8364f8446bcc Mon Sep 17 00:00:00 2001 From: Tomi Fontanilles Date: Thu, 13 Feb 2025 16:30:42 +0200 Subject: [PATCH 01/10] Revert "[nrf noup] samples: psa: Fix issues" This reverts commit 8a64a2e4ab24379765dde83c2a50044c0d615541. We shouldn't have noups to fix things that can and should be fixed elsewhere/differently. Signed-off-by: Tomi Fontanilles --- samples/psa/its/overlay-secure_storage.conf | 3 --- samples/psa/its/sample.yaml | 2 -- samples/psa/persistent_key/overlay-secure_storage.conf | 3 --- samples/psa/persistent_key/sample.yaml | 3 --- 4 files changed, 11 deletions(-) diff --git a/samples/psa/its/overlay-secure_storage.conf b/samples/psa/its/overlay-secure_storage.conf index 8ff0c17ebcb..3473ae38910 100644 --- a/samples/psa/its/overlay-secure_storage.conf +++ b/samples/psa/its/overlay-secure_storage.conf @@ -3,9 +3,6 @@ CONFIG_MBEDTLS=y CONFIG_MBEDTLS_PSA_CRYPTO_C=y -# native_sim requires ECB cipher to be enabled -CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y - # The default stack size (1024) is not enough for the PSA Crypto core. # On top of that, the ITS implementation uses the stack for buffers. CONFIG_MAIN_STACK_SIZE=3072 diff --git a/samples/psa/its/sample.yaml b/samples/psa/its/sample.yaml index 024c065ba74..c4ee3543696 100644 --- a/samples/psa/its/sample.yaml +++ b/samples/psa/its/sample.yaml @@ -13,8 +13,6 @@ common: tests: sample.psa.its.tfm: filter: CONFIG_BUILD_WITH_TFM - extra_args: - - CONFIG_TFM_PROFILE_TYPE_MEDIUM=y tags: - trusted-firmware-m sample.psa.its.secure_storage.entropy_driver: diff --git a/samples/psa/persistent_key/overlay-secure_storage.conf b/samples/psa/persistent_key/overlay-secure_storage.conf index 8ff0c17ebcb..3473ae38910 100644 --- a/samples/psa/persistent_key/overlay-secure_storage.conf +++ b/samples/psa/persistent_key/overlay-secure_storage.conf @@ -3,9 +3,6 @@ CONFIG_MBEDTLS=y CONFIG_MBEDTLS_PSA_CRYPTO_C=y -# native_sim requires ECB cipher to be enabled -CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y - # The default stack size (1024) is not enough for the PSA Crypto core. # On top of that, the ITS implementation uses the stack for buffers. CONFIG_MAIN_STACK_SIZE=3072 diff --git a/samples/psa/persistent_key/sample.yaml b/samples/psa/persistent_key/sample.yaml index 89ced48f5b4..01cf9f450d1 100644 --- a/samples/psa/persistent_key/sample.yaml +++ b/samples/psa/persistent_key/sample.yaml @@ -13,9 +13,6 @@ common: tests: sample.psa.persistent_key.tfm: filter: CONFIG_BUILD_WITH_TFM - extra_args: - - CONFIG_TFM_PROFILE_TYPE_MEDIUM=y - - CONFIG_PSA_WANT_GENERATE_RANDOM=y tags: - trusted-firmware-m sample.psa.persistent_key.secure_storage.entropy_driver: From 3f764380340f4840da8f1410d0cdc9f9583e9697 Mon Sep 17 00:00:00 2001 From: Tomi Fontanilles Date: Thu, 13 Feb 2025 16:30:52 +0200 Subject: [PATCH 02/10] Revert "[nrf noup] tests: secure_storage: Fix issues" This reverts commit fcb4238dbd1ac2d030d38031f3297947e993afda. We shouldn't have noups to fix things that can and should be fixed elsewhere/differently. Signed-off-by: Tomi Fontanilles --- tests/subsys/secure_storage/psa/crypto/prj.conf | 3 --- tests/subsys/secure_storage/psa/crypto/src/main.c | 7 +------ tests/subsys/secure_storage/psa/crypto/testcase.yaml | 3 --- .../secure_storage/psa/its/overlay-secure_storage.conf | 4 ---- tests/subsys/secure_storage/psa/its/overlay-tfm.conf | 3 +-- tests/subsys/secure_storage/psa/its/prj.conf | 1 - 6 files changed, 2 insertions(+), 19 deletions(-) diff --git a/tests/subsys/secure_storage/psa/crypto/prj.conf b/tests/subsys/secure_storage/psa/crypto/prj.conf index bc7ec5fdbb9..d512b2fd70a 100644 --- a/tests/subsys/secure_storage/psa/crypto/prj.conf +++ b/tests/subsys/secure_storage/psa/crypto/prj.conf @@ -2,6 +2,3 @@ CONFIG_ZTEST=y CONFIG_PSA_WANT_KEY_TYPE_AES=y CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=y - -# native_sim requires ECB cipher to be enabled -CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y diff --git a/tests/subsys/secure_storage/psa/crypto/src/main.c b/tests/subsys/secure_storage/psa/crypto/src/main.c index a81f131f4f7..04a29435cab 100644 --- a/tests/subsys/secure_storage/psa/crypto/src/main.c +++ b/tests/subsys/secure_storage/psa/crypto/src/main.c @@ -77,12 +77,7 @@ ZTEST(secure_storage_psa_crypto, test_its_caller_isolation) ret = psa_get_key_attributes(ID, &retrieved_key_attributes); zassert_equal(ret, PSA_SUCCESS); - zassert_equal(key_attributes.private_bits, retrieved_key_attributes.private_bits); - zassert_equal(key_attributes.private_id, retrieved_key_attributes.private_id); - zassert_equal(key_attributes.private_lifetime, retrieved_key_attributes.private_lifetime); - zassert_mem_equal(&key_attributes.private_policy, &retrieved_key_attributes.private_policy, - sizeof(key_attributes.private_policy)); - + zassert_mem_equal(&retrieved_key_attributes, &key_attributes, sizeof(key_attributes)); ret = psa_destroy_key(ID); zassert_equal(ret, PSA_SUCCESS); ret = psa_get_key_attributes(ID, &retrieved_key_attributes); diff --git a/tests/subsys/secure_storage/psa/crypto/testcase.yaml b/tests/subsys/secure_storage/psa/crypto/testcase.yaml index df8a5b5d364..ce369fc1013 100644 --- a/tests/subsys/secure_storage/psa/crypto/testcase.yaml +++ b/tests/subsys/secure_storage/psa/crypto/testcase.yaml @@ -10,8 +10,5 @@ tests: - nrf54l15dk/nrf54l15/cpuapp secure_storage.psa.crypto.tfm: filter: CONFIG_BUILD_WITH_TFM - extra_args: - - CONFIG_TFM_PROFILE_TYPE_MEDIUM=y - - CONFIG_PSA_WANT_GENERATE_RANDOM=y integration_platforms: - nrf9151dk/nrf9151/ns diff --git a/tests/subsys/secure_storage/psa/its/overlay-secure_storage.conf b/tests/subsys/secure_storage/psa/its/overlay-secure_storage.conf index 8a81a4a4f9a..3ca9fdabcf2 100644 --- a/tests/subsys/secure_storage/psa/its/overlay-secure_storage.conf +++ b/tests/subsys/secure_storage/psa/its/overlay-secure_storage.conf @@ -2,7 +2,3 @@ CONFIG_ZTEST_STACK_SIZE=3072 CONFIG_MAIN_STACK_SIZE=2048 CONFIG_SECURE_STORAGE=y - -# native_sim requires ECB cipher to be enabled -CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y -CONFIG_PSA_WANT_KEY_TYPE_AES=y diff --git a/tests/subsys/secure_storage/psa/its/overlay-tfm.conf b/tests/subsys/secure_storage/psa/its/overlay-tfm.conf index 969d32669e4..78762d8afa3 100644 --- a/tests/subsys/secure_storage/psa/its/overlay-tfm.conf +++ b/tests/subsys/secure_storage/psa/its/overlay-tfm.conf @@ -1,3 +1,2 @@ CONFIG_TFM_ITS_MAX_ASSET_SIZE_OVERRIDE=y -CONFIG_TFM_ITS_MAX_ASSET_SIZE=512 -CONFIG_TFM_PROFILE_TYPE_MEDIUM=y +CONFIG_TFM_ITS_MAX_ASSET_SIZE=256 diff --git a/tests/subsys/secure_storage/psa/its/prj.conf b/tests/subsys/secure_storage/psa/its/prj.conf index 444328072a4..9467c292689 100644 --- a/tests/subsys/secure_storage/psa/its/prj.conf +++ b/tests/subsys/secure_storage/psa/its/prj.conf @@ -1,2 +1 @@ CONFIG_ZTEST=y -CONFIG_ZTEST_STACK_SIZE=3072 From bf0cb4bf8302938be07969136cbd4e70276b32bc Mon Sep 17 00:00:00 2001 From: Sadik Ozer Date: Thu, 16 Jan 2025 14:05:22 +0300 Subject: [PATCH 03/10] [nrf fromtree] tests: subsys: secure_storage: Add filter for small profile TF-M small profile does not support secure storage (know as Protected storage), this commit add filter for tfm test case to pass it incase of small profile been set, see tf-m profiles in below link https://tf-m-user-guide.trustedfirmware.org/configuration/profiles/index.html Signed-off-by: Sadik Ozer (cherry picked from commit 6932885996ae36d43603633381373b4f13de503a) Signed-off-by: Tomi Fontanilles --- tests/subsys/secure_storage/psa/crypto/testcase.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/subsys/secure_storage/psa/crypto/testcase.yaml b/tests/subsys/secure_storage/psa/crypto/testcase.yaml index ce369fc1013..06606fae02a 100644 --- a/tests/subsys/secure_storage/psa/crypto/testcase.yaml +++ b/tests/subsys/secure_storage/psa/crypto/testcase.yaml @@ -9,6 +9,6 @@ tests: - native_sim - nrf54l15dk/nrf54l15/cpuapp secure_storage.psa.crypto.tfm: - filter: CONFIG_BUILD_WITH_TFM + filter: CONFIG_BUILD_WITH_TFM and not CONFIG_TFM_PROFILE_TYPE_SMALL integration_platforms: - nrf9151dk/nrf9151/ns From bfa652cff80aa45e33a5f31295be5f86a1707a0f Mon Sep 17 00:00:00 2001 From: Tomi Fontanilles Date: Thu, 13 Feb 2025 16:18:58 +0200 Subject: [PATCH 04/10] [nrf fromtree] secure_storage: improve tests' compatibility in TF-M-enabled scenarios Explicitly set the TF-M profile to not rely on the build system defaults which might differ. Signed-off-by: Tomi Fontanilles (cherry picked from commit 62fe34dd02f053fc2fe0feb44dd5cb874a9c1a37) Signed-off-by: Tomi Fontanilles --- samples/psa/its/overlay-tfm.conf | 3 +++ samples/psa/its/sample.yaml | 3 ++- samples/psa/persistent_key/overlay-tfm.conf | 3 +++ samples/psa/persistent_key/sample.yaml | 3 ++- tests/subsys/secure_storage/psa/crypto/overlay-tfm.conf | 1 + tests/subsys/secure_storage/psa/crypto/testcase.yaml | 3 ++- tests/subsys/secure_storage/psa/its/overlay-tfm.conf | 2 ++ 7 files changed, 15 insertions(+), 3 deletions(-) create mode 100644 samples/psa/its/overlay-tfm.conf create mode 100644 samples/psa/persistent_key/overlay-tfm.conf create mode 100644 tests/subsys/secure_storage/psa/crypto/overlay-tfm.conf diff --git a/samples/psa/its/overlay-tfm.conf b/samples/psa/its/overlay-tfm.conf new file mode 100644 index 00000000000..5379af81ede --- /dev/null +++ b/samples/psa/its/overlay-tfm.conf @@ -0,0 +1,3 @@ +# SPDX-License-Identifier: Apache-2.0 + +CONFIG_TFM_PROFILE_TYPE_NOT_SET=y diff --git a/samples/psa/its/sample.yaml b/samples/psa/its/sample.yaml index c4ee3543696..b556dc64e8e 100644 --- a/samples/psa/its/sample.yaml +++ b/samples/psa/its/sample.yaml @@ -13,6 +13,7 @@ common: tests: sample.psa.its.tfm: filter: CONFIG_BUILD_WITH_TFM + extra_args: EXTRA_CONF_FILE=overlay-tfm.conf tags: - trusted-firmware-m sample.psa.its.secure_storage.entropy_driver: @@ -25,7 +26,7 @@ tests: sample.psa.its.secure_storage.entropy_not_secure: filter: CONFIG_SECURE_STORAGE and not CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_NONE and not CONFIG_ENTROPY_HAS_DRIVER - extra_args: EXTRA_CONF_FILE="overlay-secure_storage.conf;overlay-entropy_not_secure.conf" + extra_args: EXTRA_CONF_FILE=overlay-secure_storage.conf;overlay-entropy_not_secure.conf tags: - random - settings diff --git a/samples/psa/persistent_key/overlay-tfm.conf b/samples/psa/persistent_key/overlay-tfm.conf new file mode 100644 index 00000000000..5379af81ede --- /dev/null +++ b/samples/psa/persistent_key/overlay-tfm.conf @@ -0,0 +1,3 @@ +# SPDX-License-Identifier: Apache-2.0 + +CONFIG_TFM_PROFILE_TYPE_NOT_SET=y diff --git a/samples/psa/persistent_key/sample.yaml b/samples/psa/persistent_key/sample.yaml index 01cf9f450d1..13c67337fdb 100644 --- a/samples/psa/persistent_key/sample.yaml +++ b/samples/psa/persistent_key/sample.yaml @@ -13,6 +13,7 @@ common: tests: sample.psa.persistent_key.tfm: filter: CONFIG_BUILD_WITH_TFM + extra_args: EXTRA_CONF_FILE=overlay-tfm.conf tags: - trusted-firmware-m sample.psa.persistent_key.secure_storage.entropy_driver: @@ -25,7 +26,7 @@ tests: sample.psa.persistent_key.secure_storage.entropy_not_secure: filter: CONFIG_SECURE_STORAGE and not CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_NONE and not CONFIG_ENTROPY_HAS_DRIVER - extra_args: EXTRA_CONF_FILE="overlay-secure_storage.conf;overlay-entropy_not_secure.conf" + extra_args: EXTRA_CONF_FILE=overlay-secure_storage.conf;overlay-entropy_not_secure.conf tags: - random - settings diff --git a/tests/subsys/secure_storage/psa/crypto/overlay-tfm.conf b/tests/subsys/secure_storage/psa/crypto/overlay-tfm.conf new file mode 100644 index 00000000000..516f4d9eb78 --- /dev/null +++ b/tests/subsys/secure_storage/psa/crypto/overlay-tfm.conf @@ -0,0 +1 @@ +CONFIG_TFM_PROFILE_TYPE_NOT_SET=y diff --git a/tests/subsys/secure_storage/psa/crypto/testcase.yaml b/tests/subsys/secure_storage/psa/crypto/testcase.yaml index 06606fae02a..1482d23cb6c 100644 --- a/tests/subsys/secure_storage/psa/crypto/testcase.yaml +++ b/tests/subsys/secure_storage/psa/crypto/testcase.yaml @@ -9,6 +9,7 @@ tests: - native_sim - nrf54l15dk/nrf54l15/cpuapp secure_storage.psa.crypto.tfm: - filter: CONFIG_BUILD_WITH_TFM and not CONFIG_TFM_PROFILE_TYPE_SMALL + filter: CONFIG_BUILD_WITH_TFM + extra_args: EXTRA_CONF_FILE=overlay-tfm.conf integration_platforms: - nrf9151dk/nrf9151/ns diff --git a/tests/subsys/secure_storage/psa/its/overlay-tfm.conf b/tests/subsys/secure_storage/psa/its/overlay-tfm.conf index 78762d8afa3..e908573fb39 100644 --- a/tests/subsys/secure_storage/psa/its/overlay-tfm.conf +++ b/tests/subsys/secure_storage/psa/its/overlay-tfm.conf @@ -1,2 +1,4 @@ +CONFIG_TFM_PROFILE_TYPE_NOT_SET=y + CONFIG_TFM_ITS_MAX_ASSET_SIZE_OVERRIDE=y CONFIG_TFM_ITS_MAX_ASSET_SIZE=256 From b27c0ea1de2de7fd6ee681cb4d4f94a5035a23ff Mon Sep 17 00:00:00 2001 From: Tomi Fontanilles Date: Thu, 13 Feb 2025 16:23:02 +0200 Subject: [PATCH 05/10] [nrf fromtree] tests: secure_storage: psa: crypto: improve compatibility The psa_key_attributes_t type is implementation-defined according to the PSA Crypto spec. Compare its fields individually instead of doing a memcmp() over the entire struct. Signed-off-by: Tomi Fontanilles (cherry picked from commit 744e9f70f44af3386be079e79189f946465f8517) Signed-off-by: Tomi Fontanilles --- tests/subsys/secure_storage/psa/crypto/src/main.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/tests/subsys/secure_storage/psa/crypto/src/main.c b/tests/subsys/secure_storage/psa/crypto/src/main.c index 04a29435cab..974a931583b 100644 --- a/tests/subsys/secure_storage/psa/crypto/src/main.c +++ b/tests/subsys/secure_storage/psa/crypto/src/main.c @@ -26,6 +26,16 @@ static void fill_key_attributes(psa_key_attributes_t *key_attributes) psa_set_key_bits(key_attributes, KEY_BITS); } +static void compare_key_attributes(const psa_key_attributes_t *l, const psa_key_attributes_t *r) +{ + zassert_equal(psa_get_key_lifetime(l), psa_get_key_lifetime(r)); + zassert_equal(psa_get_key_usage_flags(l), psa_get_key_usage_flags(r)); + zassert_equal(psa_get_key_id(l), psa_get_key_id(r)); + zassert_equal(psa_get_key_type(l), psa_get_key_type(r)); + zassert_equal(psa_get_key_algorithm(l), psa_get_key_algorithm(r)); + zassert_equal(psa_get_key_bits(l), psa_get_key_bits(r)); +} + static void fill_data(uint8_t *data, size_t size) { zassert_equal(psa_generate_random(data, size), PSA_SUCCESS); @@ -77,7 +87,7 @@ ZTEST(secure_storage_psa_crypto, test_its_caller_isolation) ret = psa_get_key_attributes(ID, &retrieved_key_attributes); zassert_equal(ret, PSA_SUCCESS); - zassert_mem_equal(&retrieved_key_attributes, &key_attributes, sizeof(key_attributes)); + compare_key_attributes(&retrieved_key_attributes, &key_attributes); ret = psa_destroy_key(ID); zassert_equal(ret, PSA_SUCCESS); ret = psa_get_key_attributes(ID, &retrieved_key_attributes); From 1d84a5764143152d726c52ce8d683342f7a6cd86 Mon Sep 17 00:00:00 2001 From: Tomi Fontanilles Date: Fri, 14 Feb 2025 15:25:22 +0200 Subject: [PATCH 06/10] [nrf fromtree] secure_storage: enable CONFIG_ENTROPY_GENERATOR in samples/tests Explicitly enable CONFIG_ENTROPY_GENERATOR instead of relying on the build system's defaults. This: - Makes sure the filtering works properly between entropy_driver and entropy_not_secure test scenarios for the samples. - Helps with TF-M builds in certain scenarios where key generation (via `psa_generate_key()`) would fail due to the RNG functionality being disabled. Signed-off-by: Tomi Fontanilles (cherry picked from commit 25ad578694b7e3f6eb74a78f7e219a576845ea24) Signed-off-by: Tomi Fontanilles --- samples/psa/its/overlay-entropy_driver.conf | 3 --- samples/psa/its/prj.conf | 2 ++ samples/psa/its/sample.yaml | 2 +- samples/psa/persistent_key/overlay-entropy_driver.conf | 3 --- samples/psa/persistent_key/prj.conf | 2 ++ samples/psa/persistent_key/sample.yaml | 2 +- tests/subsys/secure_storage/psa/crypto/overlay-tfm.conf | 2 ++ 7 files changed, 8 insertions(+), 8 deletions(-) delete mode 100644 samples/psa/its/overlay-entropy_driver.conf delete mode 100644 samples/psa/persistent_key/overlay-entropy_driver.conf diff --git a/samples/psa/its/overlay-entropy_driver.conf b/samples/psa/its/overlay-entropy_driver.conf deleted file mode 100644 index 0feb3ad0949..00000000000 --- a/samples/psa/its/overlay-entropy_driver.conf +++ /dev/null @@ -1,3 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 - -CONFIG_ENTROPY_GENERATOR=y diff --git a/samples/psa/its/prj.conf b/samples/psa/its/prj.conf index 4c214a79a52..9ab1f303a6a 100644 --- a/samples/psa/its/prj.conf +++ b/samples/psa/its/prj.conf @@ -2,3 +2,5 @@ CONFIG_LOG=y CONFIG_LOG_DEFAULT_LEVEL=3 + +CONFIG_ENTROPY_GENERATOR=y diff --git a/samples/psa/its/sample.yaml b/samples/psa/its/sample.yaml index b556dc64e8e..8d67cddd157 100644 --- a/samples/psa/its/sample.yaml +++ b/samples/psa/its/sample.yaml @@ -19,7 +19,7 @@ tests: sample.psa.its.secure_storage.entropy_driver: filter: CONFIG_SECURE_STORAGE and not CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_NONE and CONFIG_ENTROPY_HAS_DRIVER - extra_args: EXTRA_CONF_FILE=overlay-secure_storage.conf;overlay-entropy_driver.conf + extra_args: EXTRA_CONF_FILE=overlay-secure_storage.conf tags: - drivers.entropy - settings diff --git a/samples/psa/persistent_key/overlay-entropy_driver.conf b/samples/psa/persistent_key/overlay-entropy_driver.conf deleted file mode 100644 index 0feb3ad0949..00000000000 --- a/samples/psa/persistent_key/overlay-entropy_driver.conf +++ /dev/null @@ -1,3 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 - -CONFIG_ENTROPY_GENERATOR=y diff --git a/samples/psa/persistent_key/prj.conf b/samples/psa/persistent_key/prj.conf index 9e78a182bf4..af300c0c334 100644 --- a/samples/psa/persistent_key/prj.conf +++ b/samples/psa/persistent_key/prj.conf @@ -4,5 +4,7 @@ CONFIG_LOG=y CONFIG_LOG_DEFAULT_LEVEL=3 CONFIG_ASSERT=y +CONFIG_ENTROPY_GENERATOR=y + CONFIG_PSA_WANT_KEY_TYPE_AES=y CONFIG_PSA_WANT_ALG_CTR=y diff --git a/samples/psa/persistent_key/sample.yaml b/samples/psa/persistent_key/sample.yaml index 13c67337fdb..490f2ea8f15 100644 --- a/samples/psa/persistent_key/sample.yaml +++ b/samples/psa/persistent_key/sample.yaml @@ -19,7 +19,7 @@ tests: sample.psa.persistent_key.secure_storage.entropy_driver: filter: CONFIG_SECURE_STORAGE and not CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_NONE and CONFIG_ENTROPY_HAS_DRIVER - extra_args: EXTRA_CONF_FILE=overlay-secure_storage.conf;overlay-entropy_driver.conf + extra_args: EXTRA_CONF_FILE=overlay-secure_storage.conf tags: - drivers.entropy - settings diff --git a/tests/subsys/secure_storage/psa/crypto/overlay-tfm.conf b/tests/subsys/secure_storage/psa/crypto/overlay-tfm.conf index 516f4d9eb78..bb6403a96c2 100644 --- a/tests/subsys/secure_storage/psa/crypto/overlay-tfm.conf +++ b/tests/subsys/secure_storage/psa/crypto/overlay-tfm.conf @@ -1 +1,3 @@ CONFIG_TFM_PROFILE_TYPE_NOT_SET=y + +CONFIG_ENTROPY_GENERATOR=y From b9cd3eb51149ae27847d623b291dfda14a7e0b6b Mon Sep 17 00:00:00 2001 From: Tomi Fontanilles Date: Fri, 14 Feb 2025 16:26:59 +0200 Subject: [PATCH 07/10] [nrf fromtree] secure_storage: use hybrid key store in samples/tests Use dynamic allocation for key material for better compatibility as a fully static key store is a new feature that not all PSA Crypto implementations support. Explicitly enable CONFIG_MBEDTLS_ENABLE_HEAP to ensure that Mbed TLS uses heap for the PSA keys' data (instead of failing at runtime). This will turn off CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOTS, making the implementation default to dynamic key slots. Signed-off-by: Tomi Fontanilles (cherry picked from commit eb1ed1205fbd2898b6b67988483bbbdd0449a5a9) Signed-off-by: Tomi Fontanilles --- samples/psa/persistent_key/overlay-secure_storage.conf | 2 ++ .../secure_storage/psa/crypto/overlay-secure_storage.conf | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/samples/psa/persistent_key/overlay-secure_storage.conf b/samples/psa/persistent_key/overlay-secure_storage.conf index 3473ae38910..7c1d782c4c2 100644 --- a/samples/psa/persistent_key/overlay-secure_storage.conf +++ b/samples/psa/persistent_key/overlay-secure_storage.conf @@ -2,6 +2,8 @@ CONFIG_MBEDTLS=y CONFIG_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_MBEDTLS_ENABLE_HEAP=y +CONFIG_MBEDTLS_HEAP_SIZE=1024 # The default stack size (1024) is not enough for the PSA Crypto core. # On top of that, the ITS implementation uses the stack for buffers. diff --git a/tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf b/tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf index ed84c304328..7f891e65cce 100644 --- a/tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf +++ b/tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf @@ -5,9 +5,9 @@ CONFIG_MBEDTLS=y CONFIG_TEST_RANDOM_GENERATOR=y CONFIG_TIMER_RANDOM_GENERATOR=y CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y -# PSA Crypto needs some heap, but MINIMAL_LIBC has none by default. -CONFIG_COMMON_LIBC_MALLOC_ARENA_SIZE=2048 CONFIG_MBEDTLS_PSA_CRYPTO_C=y +CONFIG_MBEDTLS_ENABLE_HEAP=y +CONFIG_MBEDTLS_HEAP_SIZE=1024 CONFIG_SECURE_STORAGE=y # For testing isolation between the different callers of the ITS. From 60f2375b959efe01553b322d4c431df63865b3b9 Mon Sep 17 00:00:00 2001 From: Tomi Fontanilles Date: Fri, 14 Feb 2025 16:34:02 +0200 Subject: [PATCH 08/10] [nrf fromtree] modules: mbedtls: add promptless CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C Add a Kconfig option to match the Mbed TLS define instead of defining it based on CONFIG_SECURE_STORAGE. This gives more flexibility regarding the potential re-definition of the CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C Kconfig option. Signed-off-by: Tomi Fontanilles (cherry picked from commit 8627250d3ce537593ae986b76c95ed35200cb5b9) Signed-off-by: Tomi Fontanilles --- modules/mbedtls/Kconfig.tls-generic | 3 +++ modules/mbedtls/configs/config-tls-generic.h | 5 ++--- subsys/secure_storage/Kconfig | 1 + 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/modules/mbedtls/Kconfig.tls-generic b/modules/mbedtls/Kconfig.tls-generic index 01a0eebb630..f2e73ffaf25 100644 --- a/modules/mbedtls/Kconfig.tls-generic +++ b/modules/mbedtls/Kconfig.tls-generic @@ -613,6 +613,9 @@ config MBEDTLS_PSA_P256M_DRIVER_RAW Warning: Usage of this Kconfig option is prohibited in Zephyr's codebase. Users can enable it in case of very memory-constrained devices, but be aware that the p256-m interface is absolutely not guaranted to remain stable over time. +config MBEDTLS_PSA_CRYPTO_STORAGE_C + bool + config MBEDTLS_PSA_STATIC_KEY_SLOTS bool "Use statically allocated key buffers to store key material" default y if !MBEDTLS_ENABLE_HEAP diff --git a/modules/mbedtls/configs/config-tls-generic.h b/modules/mbedtls/configs/config-tls-generic.h index eb3f943a458..9d46e3be482 100644 --- a/modules/mbedtls/configs/config-tls-generic.h +++ b/modules/mbedtls/configs/config-tls-generic.h @@ -477,17 +477,16 @@ #if defined(CONFIG_MBEDTLS_PSA_CRYPTO_C) #define MBEDTLS_PSA_CRYPTO_C #define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS +#endif #if defined(CONFIG_MBEDTLS_PSA_P256M_DRIVER_ENABLED) #define MBEDTLS_PSA_P256M_DRIVER_ENABLED #endif -#if defined(CONFIG_SECURE_STORAGE) +#if defined(CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C) #define MBEDTLS_PSA_CRYPTO_STORAGE_C #endif -#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_C */ - #if defined(CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOTS) #define MBEDTLS_PSA_STATIC_KEY_SLOTS #endif diff --git a/subsys/secure_storage/Kconfig b/subsys/secure_storage/Kconfig index 11e78a7dbd2..11986cf0747 100644 --- a/subsys/secure_storage/Kconfig +++ b/subsys/secure_storage/Kconfig @@ -4,6 +4,7 @@ menuconfig SECURE_STORAGE bool "Secure storage subsystem" depends on !BUILD_WITH_TFM + select MBEDTLS_PSA_CRYPTO_STORAGE_C if MBEDTLS_PSA_CRYPTO_C select EXPERIMENTAL help The secure storage subsystem provides an implementation of the PSA Secure Storage API From 53e1d61195c937a01ccc57cc15ebe87902e98b5c Mon Sep 17 00:00:00 2001 From: Tomi Fontanilles Date: Mon, 3 Mar 2025 14:04:23 +0200 Subject: [PATCH 09/10] [nrf fromtree] tests: secure_storage: its: increase stack sizes Some implementations require more stack than others. Increase the Ztest and main stack sizes to accommodate them. Signed-off-by: Tomi Fontanilles (cherry picked from commit f50c3d9d261f4a3c82ffc262936396136ca062fd) Signed-off-by: Tomi Fontanilles --- .../subsys/secure_storage/psa/its/overlay-secure_storage.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/subsys/secure_storage/psa/its/overlay-secure_storage.conf b/tests/subsys/secure_storage/psa/its/overlay-secure_storage.conf index 3ca9fdabcf2..3810764eb95 100644 --- a/tests/subsys/secure_storage/psa/its/overlay-secure_storage.conf +++ b/tests/subsys/secure_storage/psa/its/overlay-secure_storage.conf @@ -1,4 +1,4 @@ -CONFIG_ZTEST_STACK_SIZE=3072 -CONFIG_MAIN_STACK_SIZE=2048 +CONFIG_ZTEST_STACK_SIZE=4096 +CONFIG_MAIN_STACK_SIZE=3072 CONFIG_SECURE_STORAGE=y From d6fe2d11b8f9fbb3caf5c8e7659000cf3fe603ad Mon Sep 17 00:00:00 2001 From: Tomi Fontanilles Date: Mon, 3 Mar 2025 14:47:02 +0200 Subject: [PATCH 10/10] [nrf fromtree] tests: secure_storage: enable entropy driver if available On top of enabling and allowing test entropy sources, enable CONFIG_ENTROPY_GENERATOR so that a real driver and entropy source gets used if available. This is needed for some PSA Crypto implementations that have random number generation conditionally compiled in. Signed-off-by: Tomi Fontanilles (cherry picked from commit b920686812042da84bb485a91a2b7810ea5530b4) Signed-off-by: Tomi Fontanilles --- .../subsys/secure_storage/psa/crypto/overlay-secure_storage.conf | 1 + .../subsys/secure_storage/psa/its/overlay-transform_default.conf | 1 + 2 files changed, 2 insertions(+) diff --git a/tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf b/tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf index 7f891e65cce..66d62e83c9c 100644 --- a/tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf +++ b/tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf @@ -2,6 +2,7 @@ CONFIG_ZTEST_STACK_SIZE=3072 CONFIG_MAIN_STACK_SIZE=2048 CONFIG_MBEDTLS=y +CONFIG_ENTROPY_GENERATOR=y CONFIG_TEST_RANDOM_GENERATOR=y CONFIG_TIMER_RANDOM_GENERATOR=y CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y diff --git a/tests/subsys/secure_storage/psa/its/overlay-transform_default.conf b/tests/subsys/secure_storage/psa/its/overlay-transform_default.conf index 7ed936966ba..945da7e9f8b 100644 --- a/tests/subsys/secure_storage/psa/its/overlay-transform_default.conf +++ b/tests/subsys/secure_storage/psa/its/overlay-transform_default.conf @@ -1,4 +1,5 @@ CONFIG_MBEDTLS=y +CONFIG_ENTROPY_GENERATOR=y CONFIG_TEST_RANDOM_GENERATOR=y CONFIG_TIMER_RANDOM_GENERATOR=y CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y