1# Copyright (c) 2024 Nordic Semiconductor
2# SPDX-License-Identifier: Apache-2.0
3
4menuconfig SECURE_STORAGE
5	bool "Secure storage subsystem"
6	depends on !BUILD_WITH_TFM
7	select MBEDTLS_PSA_CRYPTO_STORAGE_C if MBEDTLS_PSA_CRYPTO_C
8	select EXPERIMENTAL
9	help
10	  The secure storage subsystem provides an implementation of the PSA Secure Storage API
11	  functions on board targets that don't already have one.
12	  It allows making use of the PSA Secure Storage API and persistent keys in the PSA Crypto
13	  API in a standard and portable way.
14	  It is configurable and different implementations can be used to accommodate the varying
15	  capabilities of different devices.
16	  In addition to providing functional support for the PSA Secure Storage API, depending on
17	  the device-specific security features that are available and used, the subsystem may
18	  secure the data stored through it at rest.
19	  This is however highly dependent on the device and configuration in use, and not a
20	  guarantee of the subsystem.
21
22if SECURE_STORAGE
23
24module = SECURE_STORAGE
25module-str = secure_storage
26source "subsys/logging/Kconfig.template.log_config"
27
28choice SECURE_STORAGE_ITS_IMPLEMENTATION
29	prompt "Internal Trusted Storage (ITS) API implementation"
30
31config SECURE_STORAGE_ITS_IMPLEMENTATION_ZEPHYR
32	bool "Zephyr's ITS implementation"
33	select SECURE_STORAGE_ITS_TRANSFORM_MODULE
34	select SECURE_STORAGE_ITS_STORE_MODULE
35	help
36	  Use Zephyr's implementation of the ITS API.
37	  It calls into the transform and store modules, which
38	  can be configured and have custom implementations.
39
40config SECURE_STORAGE_ITS_IMPLEMENTATION_CUSTOM
41	bool "Custom ITS implementation"
42	help
43	  A custom implementation of the ITS API is present.
44	  Implement the functions declared in <zephyr/secure_storage/its.h>.
45	  The header is made available when this Kconfig option is enabled.
46
47endchoice # SECURE_STORAGE_ITS_IMPLEMENTATION
48
49config SECURE_STORAGE_ITS_MAX_DATA_SIZE
50	int "Maximum data size of an ITS entry in bytes"
51	default 128
52	help
53	  The maximum size, in bytes, that the data of an ITS entry can be.
54	  Increasing this value increases the stack usage when serving PSA ITS API calls.
55
56menuconfig SECURE_STORAGE_ITS_TRANSFORM_MODULE
57	bool "ITS transform module"
58	help
59	  The module that handles the transformation and validation of the
60	  ITS data before it's written to and after it's read from NVM.
61	  Zephyr's ITS implementation calls into it.
62
63if SECURE_STORAGE_ITS_TRANSFORM_MODULE
64rsource "Kconfig.its_transform"
65endif
66
67menuconfig SECURE_STORAGE_ITS_STORE_MODULE
68	bool "ITS store module"
69	help
70	  The module that handles the storage/retrieval of the ITS data to/from NVM.
71	  Zephyr's ITS implementation calls into it.
72
73if SECURE_STORAGE_ITS_STORE_MODULE
74rsource "Kconfig.its_store"
75endif
76
77choice SECURE_STORAGE_PS_IMPLEMENTATION
78	prompt "Protected Storage (PS) API implementation"
79	default SECURE_STORAGE_PS_IMPLEMENTATION_ITS
80
81config SECURE_STORAGE_PS_IMPLEMENTATION_ITS
82	bool "PS calls directly into the ITS"
83	help
84	  The PS API doesn't have an implementation of its own, and directly calls into the ITS API.
85	  This means that the implementation of the PS API will be identical to that of the ITS API.
86
87config SECURE_STORAGE_PS_IMPLEMENTATION_CUSTOM
88	bool "Custom PS implementation"
89	help
90	  A custom implementation of the PS API is present.
91	  Implement the functions declared in <zephyr/secure_storage/ps.h>.
92	  The header is made available when this Kconfig option is enabled.
93
94endchoice # SECURE_STORAGE_PS_IMPLEMENTATION
95
96config SECURE_STORAGE_PS_SUPPORTS_SET_EXTENDED
97	bool "PS API implementation supports psa_ps_create() and psa_ps_set_extended()"
98	depends on SECURE_STORAGE_PS_IMPLEMENTATION_CUSTOM
99	help
100	  Whether the psa_ps_create() and psa_ps_set_extended() functions are implemented.
101
102endif # SECURE_STORAGE
103