1# Copyright (c) 2024 Nordic Semiconductor
2# SPDX-License-Identifier: Apache-2.0
3
4menuconfig SECURE_STORAGE
5	bool "Secure storage subsystem"
6	depends on !BUILD_WITH_TFM
7	select MBEDTLS_PSA_CRYPTO_STORAGE_C if MBEDTLS_PSA_CRYPTO_C
8	help
9	  The secure storage subsystem provides an implementation of the PSA Secure Storage API
10	  functions on board targets that don't already have one.
11	  It allows making use of the PSA Secure Storage API and persistent keys in the PSA Crypto
12	  API in a standard and portable way.
13	  It is configurable and different implementations can be used to accommodate the varying
14	  capabilities of different devices.
15	  In addition to providing functional support for the PSA Secure Storage API, depending on
16	  the device-specific security features that are available and used, the subsystem may
17	  secure the data stored through it at rest.
18	  This is however highly dependent on the device and configuration in use, and not a
19	  guarantee of the subsystem.
20
21if SECURE_STORAGE
22
23module = SECURE_STORAGE
24module-str = secure_storage
25source "subsys/logging/Kconfig.template.log_config"
26
27config SECURE_STORAGE_64_BIT_UID
28	bool "Make psa_storage_uid_t 64-bit"
29	help
30	  Zephyr, by default, uses a 30-bit psa_storage_uid_t, which allows using only 32 bits to
31	  identify entries.
32	  UID ranges are defined for the different users of the API which guarantees that all the
33	  UIDs fit within 30 bits. See for example the zephyr/psa/key_ids.h header file.
34	  Enable this for backward compatibility if you are updating an existing installation with
35	  stored entries that was using Zephyr prior to 4.3 or if for some reason you need the full
36	  64-bit UID range.
37
38choice SECURE_STORAGE_ITS_IMPLEMENTATION
39	prompt "Internal Trusted Storage (ITS) API implementation"
40
41config SECURE_STORAGE_ITS_IMPLEMENTATION_ZEPHYR
42	bool "Zephyr's ITS implementation"
43	select SECURE_STORAGE_ITS_TRANSFORM_MODULE
44	select SECURE_STORAGE_ITS_STORE_MODULE
45	help
46	  Use Zephyr's implementation of the ITS API.
47	  It calls into the transform and store modules, which
48	  can be configured and have custom implementations.
49
50config SECURE_STORAGE_ITS_IMPLEMENTATION_CUSTOM
51	bool "Custom ITS implementation"
52	help
53	  A custom implementation of the ITS API is present.
54	  Implement the functions declared in <zephyr/secure_storage/its.h>.
55	  The header is made available when this Kconfig option is enabled.
56
57endchoice # SECURE_STORAGE_ITS_IMPLEMENTATION
58
59config SECURE_STORAGE_ITS_MAX_DATA_SIZE
60	int "Maximum data size of an ITS entry in bytes"
61	default 128
62	help
63	  The maximum size, in bytes, that the data of an ITS entry can be.
64	  Increasing this value increases the stack usage when serving PSA ITS API calls.
65
66menuconfig SECURE_STORAGE_ITS_TRANSFORM_MODULE
67	bool "ITS transform module"
68	help
69	  The module that handles the transformation and validation of the
70	  ITS data before it's written to and after it's read from NVM.
71	  Zephyr's ITS implementation calls into it.
72
73if SECURE_STORAGE_ITS_TRANSFORM_MODULE
74rsource "Kconfig.its_transform"
75endif
76
77menuconfig SECURE_STORAGE_ITS_STORE_MODULE
78	bool "ITS store module"
79	help
80	  The module that handles the storage/retrieval of the ITS data to/from NVM.
81	  Zephyr's ITS implementation calls into it.
82
83if SECURE_STORAGE_ITS_STORE_MODULE
84rsource "Kconfig.its_store"
85endif
86
87choice SECURE_STORAGE_PS_IMPLEMENTATION
88	prompt "Protected Storage (PS) API implementation"
89	default SECURE_STORAGE_PS_IMPLEMENTATION_ITS
90
91config SECURE_STORAGE_PS_IMPLEMENTATION_ITS
92	bool "PS calls directly into the ITS"
93	help
94	  The PS API doesn't have an implementation of its own, and directly calls into the ITS API.
95	  This means that the implementation of the PS API will be identical to that of the ITS API.
96
97config SECURE_STORAGE_PS_IMPLEMENTATION_CUSTOM
98	bool "Custom PS implementation"
99	help
100	  A custom implementation of the PS API is present.
101	  Implement the functions declared in <zephyr/secure_storage/ps.h>.
102	  The header is made available when this Kconfig option is enabled.
103
104endchoice # SECURE_STORAGE_PS_IMPLEMENTATION
105
106config SECURE_STORAGE_PS_SUPPORTS_SET_EXTENDED
107	bool "PS API implementation supports psa_ps_create() and psa_ps_set_extended()"
108	depends on SECURE_STORAGE_PS_IMPLEMENTATION_CUSTOM
109	help
110	  Whether the psa_ps_create() and psa_ps_set_extended() functions are implemented.
111
112endif # SECURE_STORAGE
113