Lines Matching refs:to
11 The PSA Protected Storage API requires confidentiality for external storage to
20 128 bits of entropy (and a 128 bit data size), and be accessible only to Trusted
26 derivation function (KDF) to derive a storage key from the HUK, by referring to
28 volatile memory private to the Crypto partition, or it could remain inside a
29 secure element. Either way it will not be returned to PS.
31 For each call to the PSA Protected Storage APIs, PS will make requests to the
32 Crypto service to perform AEAD encryption and/or decryption operations using the
35 At no point will PS access the key material itself, only referring to the HUK
40 PS will make key derivation requests to the Crypto service with calls to the
41 PSA Crypto APIs. In order to derive the storage key, the following calls are
52 /* Supply the PS key label as an input to the key derivation */
61 ``TFM_BUILTIN_KEY_ID_HUK`` is a static key ID that is used to identify the
64 ``ps_key`` is a PSA Crypto key handle to a volatile key, set by the
65 derivation operation. After the call to ``psa_key_derivation_output_key``,
66 it can be used to refer to the storage key.
69 material and different to the label used in any other derivation from the
73 The key derivation function used by the crypto service to derive the storage key
78 of the output key material is less than or equal to the hash length (as is the
87 The choice of underlying hash function is fairly straightforward: it needs to be
88 a modern standardised algorithm, considered to be secure and supported by TF-M
89 Crypto. This narrows it down to just the SHA-2 family. Of the hash functions in
92 Keeping the storage key private to PS
96 as the input to that derivation, and that platform key is used for the key
97 derivation by PS. This happens transparently, and to PS is indistinguishable
104 way as the current implementation, but ``ps_key`` will refer to the storage key,