.. zephyr:code-sample:: psa_protected_storage
   :name: TF-M PSA Protected Storage

   Use the Protected Storage (PS) API to store encrypted data.

Overview
********

This sample demonstrates how the Protected Storage (PS) API can be used for storing data.

Protected storage provides a key/value storage interface where data is (by default) encrypted, with
optional authentication and rollback protection. The default crypto algorithm is ``AES-128-GCM``.
The encryption key is derived from the Hardware Unique Key (HUK), which is often set via device
fuses or a similar mechanism.

Using the PS API, this sample stores data to non-volatile storage. The sample shows how data can
be stored to and read from UIDs, and how overwrite protection can be enabled using flags.

TF-M limits the number of PS records via ``PS_NUM_ASSETS`` (default 10 as of TF-M 1.3.0) and the
maximum record size via ``PS_MAX_ASSET_SIZE`` (default of 2048 as of TF-M 1.3.0). These defaults
may differ depending on the platform being used; the current values are printed by the build
system during the TF-M compilation step.

More information about Protected Storage can be found in the Platform Security Architecture (PSA)
Secure Storage API: https://developer.arm.com/architectures/architecture-security-features/platform-security

This sample is available for platforms that are supported in the trusted-firmware-m repo:
https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/
See sample.yaml for a list of supported platforms.

Building and Running
********************

On Target
=========

Note that the board needs to be completely erased before programming the sample, as the flash area
used might contain leftover data. The board must also be erased between runs of the sample, because
a power reset does not remove the overwrite protection.
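Because a record written with overwrite protection survives a reset, application code that provisions such a record has to expect it to exist already. The following is an added example (not part of the Zephyr sample or TF-M): the hypothetical helper ``provision_once`` writes a record with ``PSA_STORAGE_FLAG_WRITE_ONCE`` and, on ``PSA_ERROR_NOT_PERMITTED``, accepts the stored value only if it is identical. It assumes records shorter than 64 bytes; when ``psa/protected_storage.h`` is not on the include path, a single-slot RAM stand-in (an assumption, no encryption) is compiled so the logic can be exercised on a host.

```c
#include <stdint.h>
#include <string.h>

#if __has_include(<psa/protected_storage.h>)
#include <psa/protected_storage.h> /* real PSA PS API when built for the target */
#else
/* Host-only stand-in (assumption, not TF-M code): one unencrypted RAM slot, one UID. */
typedef int32_t psa_status_t;
typedef uint64_t psa_storage_uid_t;
#define PSA_SUCCESS 0
#define PSA_ERROR_NOT_PERMITTED (-133)
#define PSA_ERROR_INVALID_ARGUMENT (-135)
#define PSA_ERROR_DOES_NOT_EXIST (-140)
#define PSA_STORAGE_FLAG_WRITE_ONCE 1u
static struct { psa_storage_uid_t uid; uint32_t flags; size_t len; uint8_t d[64]; } slot;
static psa_status_t psa_ps_set(psa_storage_uid_t uid, size_t len, const void *p, uint32_t flags)
{
    /* UID 0 is invalid in the PSA API; the single slot also rejects a second UID. */
    if (uid == 0 || len > sizeof(slot.d) || (slot.uid && slot.uid != uid))
        return PSA_ERROR_INVALID_ARGUMENT;
    if (slot.uid == uid && (slot.flags & PSA_STORAGE_FLAG_WRITE_ONCE))
        return PSA_ERROR_NOT_PERMITTED; /* write-once record is never replaced */
    slot.uid = uid; slot.flags = flags; slot.len = len;
    memcpy(slot.d, p, len);
    return PSA_SUCCESS;
}

static psa_status_t psa_ps_get(psa_storage_uid_t uid, size_t off, size_t size,
                               void *p, size_t *out_len)
{
    if (uid == 0 || slot.uid != uid) return PSA_ERROR_DOES_NOT_EXIST;
    if (off > slot.len) return PSA_ERROR_INVALID_ARGUMENT;
    *out_len = (slot.len - off < size) ? slot.len - off : size;
    memcpy(p, slot.d + off, *out_len);
    return PSA_SUCCESS;
}
#endif

/* Hypothetical helper: 0 = written now, 1 = already holds this value, -1 = conflict/error. */
int provision_once(psa_storage_uid_t uid, const void *data, size_t len)
{
    uint8_t cur[64];
    size_t got = 0;
    psa_status_t st = psa_ps_set(uid, len, data, PSA_STORAGE_FLAG_WRITE_ONCE);
    if (st == PSA_SUCCESS) return 0;
    /* Requiring len < sizeof(cur) means got == len proves the whole record was read. */
    if (st != PSA_ERROR_NOT_PERMITTED || len >= sizeof(cur)) return -1;
    st = psa_ps_get(uid, 0, sizeof(cur), cur, &got); /* record left by an earlier run */
    return (st == PSA_SUCCESS && got == len && memcmp(cur, data, len) == 0) ? 1 : -1;
}
```

A return value of ``-1`` after a reflash without a full erase indicates that the device still holds a write-once record with different contents.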

On QEMU
========

Refer to :zephyr:code-sample:`tfm_ipc` for detailed instructions.
The following example uses ``west build``:

.. code-block:: bash

   $ west build samples/tfm_integration/psa_protected_storage/ -p -b mps2/an521/cpu0/ns -t run

Sample Output
=============

.. code-block:: console

   *** Booting Zephyr OS build zephyr-v2.5.0-2791-g5585355dde0c ***
   TF-M Protected Storage sample started. PSA Protected Storage API Version 1.0
   Writing data to UID1: The quick brown fox jumps over the lazy dog
   Info on data stored in UID1:
   - Size: 16
   - Capacity: 0x42
   - Flags: 0x 0
   Read and compare data stored in UID1
   Data stored in UID1: The quick brown fox jumps over the lazy dog
   Overwriting data stored in UID1 with: Lorem ipsum dolor sit amet
   Writing data to UID2 with overwrite protection: The quick brown fox jumps over the lazy dog
   Attempting to write 'The quick brown fox jumps over the lazy dog' to UID2
   Got expected error (PSA_ERROR_NOT_PERMITTED) when writing to protected UID
   Removing UID1