secure_storage: fix tests

modules/mbedtls/Kconfig.tls-generic

@@ -613,6 +613,9 @@ config MBEDTLS_PSA_P256M_DRIVER_RAW
 	  Warning: Usage of this Kconfig option is prohibited in Zephyr's codebase.
 	           Users can enable it in case of very memory-constrained devices, but be aware that the p256-m interface is absolutely not guaranted to remain stable over time.
 
+config MBEDTLS_PSA_CRYPTO_STORAGE_C
+	bool
+
 config MBEDTLS_PSA_STATIC_KEY_SLOTS
 	bool "Use statically allocated key buffers to store key material"
 	default y if !MBEDTLS_ENABLE_HEAP

modules/mbedtls/configs/config-tls-generic.h

@@ -477,17 +477,16 @@
 #if defined(CONFIG_MBEDTLS_PSA_CRYPTO_C)
 #define MBEDTLS_PSA_CRYPTO_C
 #define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
+#endif
 
 #if defined(CONFIG_MBEDTLS_PSA_P256M_DRIVER_ENABLED)
 #define MBEDTLS_PSA_P256M_DRIVER_ENABLED
 #endif
 
-#if defined(CONFIG_SECURE_STORAGE)
+#if defined(CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C)
 #define MBEDTLS_PSA_CRYPTO_STORAGE_C
 #endif
 
-#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_C */
-
 #if defined(CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOTS)
 #define MBEDTLS_PSA_STATIC_KEY_SLOTS
 #endif

samples/psa/its/overlay-secure_storage.conf

@@ -3,9 +3,6 @@
 CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y
 
-# native_sim requires ECB cipher to be enabled
-CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y
-
 # The default stack size (1024) is not enough for the PSA Crypto core.
 # On top of that, the ITS implementation uses the stack for buffers.
 CONFIG_MAIN_STACK_SIZE=3072

samples/psa/its/overlay-entropy_driver.conf → samples/psa/its/overlay-tfm.conf

@@ -1,3 +1,3 @@
 # SPDX-License-Identifier: Apache-2.0
 
-CONFIG_ENTROPY_GENERATOR=y
+CONFIG_TFM_PROFILE_TYPE_NOT_SET=y

samples/psa/its/prj.conf

@@ -2,3 +2,5 @@
 
 CONFIG_LOG=y
 CONFIG_LOG_DEFAULT_LEVEL=3
+
+CONFIG_ENTROPY_GENERATOR=y

samples/psa/its/sample.yaml

@@ -13,21 +13,20 @@ common:
 tests:
   sample.psa.its.tfm:
     filter: CONFIG_BUILD_WITH_TFM
-    extra_args:
-      - CONFIG_TFM_PROFILE_TYPE_MEDIUM=y
+    extra_args: EXTRA_CONF_FILE=overlay-tfm.conf
     tags:
       - trusted-firmware-m
   sample.psa.its.secure_storage.entropy_driver:
     filter: CONFIG_SECURE_STORAGE and not CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_NONE
             and CONFIG_ENTROPY_HAS_DRIVER
-    extra_args: EXTRA_CONF_FILE=overlay-secure_storage.conf;overlay-entropy_driver.conf
+    extra_args: EXTRA_CONF_FILE=overlay-secure_storage.conf
     tags:
       - drivers.entropy
       - settings
   sample.psa.its.secure_storage.entropy_not_secure:
     filter: CONFIG_SECURE_STORAGE and not CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_NONE
             and not CONFIG_ENTROPY_HAS_DRIVER
-    extra_args: EXTRA_CONF_FILE="overlay-secure_storage.conf;overlay-entropy_not_secure.conf"
+    extra_args: EXTRA_CONF_FILE=overlay-secure_storage.conf;overlay-entropy_not_secure.conf
     tags:
       - random
       - settings

samples/psa/persistent_key/overlay-secure_storage.conf

@@ -2,9 +2,8 @@
 
 CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y
-
-# native_sim requires ECB cipher to be enabled
-CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y
+CONFIG_MBEDTLS_ENABLE_HEAP=y
+CONFIG_MBEDTLS_HEAP_SIZE=1024
 
 # The default stack size (1024) is not enough for the PSA Crypto core.
 # On top of that, the ITS implementation uses the stack for buffers.

samples/psa/persistent_key/overlay-entropy_driver.conf → samples/psa/persistent_key/overlay-tfm.conf

@@ -1,3 +1,3 @@
 # SPDX-License-Identifier: Apache-2.0
 
-CONFIG_ENTROPY_GENERATOR=y
+CONFIG_TFM_PROFILE_TYPE_NOT_SET=y

samples/psa/persistent_key/prj.conf

@@ -4,5 +4,7 @@ CONFIG_LOG=y
 CONFIG_LOG_DEFAULT_LEVEL=3
 CONFIG_ASSERT=y
 
+CONFIG_ENTROPY_GENERATOR=y
+
 CONFIG_PSA_WANT_KEY_TYPE_AES=y
 CONFIG_PSA_WANT_ALG_CTR=y

samples/psa/persistent_key/sample.yaml

@@ -13,22 +13,20 @@ common:
 tests:
   sample.psa.persistent_key.tfm:
     filter: CONFIG_BUILD_WITH_TFM
-    extra_args:
-      - CONFIG_TFM_PROFILE_TYPE_MEDIUM=y
-      - CONFIG_PSA_WANT_GENERATE_RANDOM=y
+    extra_args: EXTRA_CONF_FILE=overlay-tfm.conf
     tags:
       - trusted-firmware-m
   sample.psa.persistent_key.secure_storage.entropy_driver:
     filter: CONFIG_SECURE_STORAGE and not CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_NONE
             and CONFIG_ENTROPY_HAS_DRIVER
-    extra_args: EXTRA_CONF_FILE=overlay-secure_storage.conf;overlay-entropy_driver.conf
+    extra_args: EXTRA_CONF_FILE=overlay-secure_storage.conf
     tags:
       - drivers.entropy
       - settings
   sample.psa.persistent_key.secure_storage.entropy_not_secure:
     filter: CONFIG_SECURE_STORAGE and not CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_NONE
             and not CONFIG_ENTROPY_HAS_DRIVER
-    extra_args: EXTRA_CONF_FILE="overlay-secure_storage.conf;overlay-entropy_not_secure.conf"
+    extra_args: EXTRA_CONF_FILE=overlay-secure_storage.conf;overlay-entropy_not_secure.conf
     tags:
       - random
       - settings

subsys/secure_storage/Kconfig

@@ -4,6 +4,7 @@
 menuconfig SECURE_STORAGE
 	bool "Secure storage subsystem"
 	depends on !BUILD_WITH_TFM
+	select MBEDTLS_PSA_CRYPTO_STORAGE_C if MBEDTLS_PSA_CRYPTO_C
 	select EXPERIMENTAL
 	help
 	  The secure storage subsystem provides an implementation of the PSA Secure Storage API

tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf

@@ -2,12 +2,13 @@ CONFIG_ZTEST_STACK_SIZE=3072
 CONFIG_MAIN_STACK_SIZE=2048
 
 CONFIG_MBEDTLS=y
+CONFIG_ENTROPY_GENERATOR=y
 CONFIG_TEST_RANDOM_GENERATOR=y
 CONFIG_TIMER_RANDOM_GENERATOR=y
 CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y
-# PSA Crypto needs some heap, but MINIMAL_LIBC has none by default.
-CONFIG_COMMON_LIBC_MALLOC_ARENA_SIZE=2048
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_MBEDTLS_ENABLE_HEAP=y
+CONFIG_MBEDTLS_HEAP_SIZE=1024
 
 CONFIG_SECURE_STORAGE=y
 # For testing isolation between the different callers of the ITS.

tests/subsys/secure_storage/psa/crypto/overlay-tfm.conf

@@ -0,0 +1,3 @@
+CONFIG_TFM_PROFILE_TYPE_NOT_SET=y
+
+CONFIG_ENTROPY_GENERATOR=y

tests/subsys/secure_storage/psa/crypto/prj.conf

@@ -2,6 +2,3 @@ CONFIG_ZTEST=y
 
 CONFIG_PSA_WANT_KEY_TYPE_AES=y
 CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=y
-
-# native_sim requires ECB cipher to be enabled
-CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y

tests/subsys/secure_storage/psa/crypto/src/main.c

@@ -26,6 +26,16 @@ static void fill_key_attributes(psa_key_attributes_t *key_attributes)
 	psa_set_key_bits(key_attributes, KEY_BITS);
 }
 
+static void compare_key_attributes(const psa_key_attributes_t *l, const psa_key_attributes_t *r)
+{
+	zassert_equal(psa_get_key_lifetime(l), psa_get_key_lifetime(r));
+	zassert_equal(psa_get_key_usage_flags(l), psa_get_key_usage_flags(r));
+	zassert_equal(psa_get_key_id(l), psa_get_key_id(r));
+	zassert_equal(psa_get_key_type(l), psa_get_key_type(r));
+	zassert_equal(psa_get_key_algorithm(l), psa_get_key_algorithm(r));
+	zassert_equal(psa_get_key_bits(l), psa_get_key_bits(r));
+}
+
 static void fill_data(uint8_t *data, size_t size)
 {
 	zassert_equal(psa_generate_random(data, size), PSA_SUCCESS);
@@ -77,12 +87,7 @@ ZTEST(secure_storage_psa_crypto, test_its_caller_isolation)
 
 	ret = psa_get_key_attributes(ID, &retrieved_key_attributes);
 	zassert_equal(ret, PSA_SUCCESS);
-	zassert_equal(key_attributes.private_bits, retrieved_key_attributes.private_bits);
-	zassert_equal(key_attributes.private_id, retrieved_key_attributes.private_id);
-	zassert_equal(key_attributes.private_lifetime, retrieved_key_attributes.private_lifetime);
-	zassert_mem_equal(&key_attributes.private_policy, &retrieved_key_attributes.private_policy,
-			  sizeof(key_attributes.private_policy));
-
+	compare_key_attributes(&retrieved_key_attributes, &key_attributes);
 	ret = psa_destroy_key(ID);
 	zassert_equal(ret, PSA_SUCCESS);
 	ret = psa_get_key_attributes(ID, &retrieved_key_attributes);

tests/subsys/secure_storage/psa/crypto/testcase.yaml

@@ -10,8 +10,6 @@ tests:
       - nrf54l15dk/nrf54l15/cpuapp
   secure_storage.psa.crypto.tfm:
     filter: CONFIG_BUILD_WITH_TFM
-    extra_args:
-      - CONFIG_TFM_PROFILE_TYPE_MEDIUM=y
-      - CONFIG_PSA_WANT_GENERATE_RANDOM=y
+    extra_args: EXTRA_CONF_FILE=overlay-tfm.conf
     integration_platforms:
       - nrf9151dk/nrf9151/ns

tests/subsys/secure_storage/psa/its/overlay-secure_storage.conf

@@ -1,8 +1,4 @@
-CONFIG_ZTEST_STACK_SIZE=3072
-CONFIG_MAIN_STACK_SIZE=2048
+CONFIG_ZTEST_STACK_SIZE=4096
+CONFIG_MAIN_STACK_SIZE=3072
 
 CONFIG_SECURE_STORAGE=y
-
-# native_sim requires ECB cipher to be enabled
-CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y
-CONFIG_PSA_WANT_KEY_TYPE_AES=y

tests/subsys/secure_storage/psa/its/overlay-tfm.conf

@@ -1,3 +1,4 @@
+CONFIG_TFM_PROFILE_TYPE_NOT_SET=y
+
 CONFIG_TFM_ITS_MAX_ASSET_SIZE_OVERRIDE=y
-CONFIG_TFM_ITS_MAX_ASSET_SIZE=512
-CONFIG_TFM_PROFILE_TYPE_MEDIUM=y
+CONFIG_TFM_ITS_MAX_ASSET_SIZE=256

tests/subsys/secure_storage/psa/its/overlay-transform_default.conf

@@ -1,4 +1,5 @@
 CONFIG_MBEDTLS=y
+CONFIG_ENTROPY_GENERATOR=y
 CONFIG_TEST_RANDOM_GENERATOR=y
 CONFIG_TIMER_RANDOM_GENERATOR=y
 CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG=y

tests/subsys/secure_storage/psa/its/prj.conf

@@ -1,2 +1 @@
 CONFIG_ZTEST=y
-CONFIG_ZTEST_STACK_SIZE=3072