1# Copyright (c) 2024 Nordic Semiconductor
2# SPDX-License-Identifier: Apache-2.0
3
4choice SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION
5	prompt "ITS transform module implementation" # no "default": the first visible entry (AEAD) is used
6
7config SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_AEAD
8	bool "ITS transform module implementation using AEAD to protect the data"
9	imply HWINFO # for HWINFO_HAS_DRIVER, which gates the device-ID-based key provider
10
11config SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_CUSTOM
12	bool "Custom ITS transform module implementation" # none of the AEAD options below apply then
13	help
14	  Implement the functions declared in <zephyr/secure_storage/its/transform.h>
15	  and set CONFIG_SECURE_STORAGE_ITS_TRANSFORM_OUTPUT_OVERHEAD appropriately.
16	  The header is made available when this Kconfig option is enabled.
17
18endchoice # SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION
19
20config SECURE_STORAGE_ITS_TRANSFORM_OUTPUT_OVERHEAD
21	int "Overhead, in bytes, associated with the transformation of an entry's data for storage"
22	range 0 1000
23	# authentication tag (16) + nonce (12); no built-in default for other nonce sizes or custom transforms
24	default 28 if SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_AEAD \
25		   && SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_SIZE = 12
26	default -1 # outside "range 0 1000"; presumably there to force an explicit setting (TODO confirm)
27	help
28	  This indicates how many more bytes an ITS entry's data will be once it
29	  has been processed by the secure_storage_its_transform_to_store() function.
30
31if SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_AEAD
32
33choice SECURE_STORAGE_ITS_TRANSFORM_AEAD_SCHEME
34	prompt "AEAD ITS transform module scheme"
35	default SECURE_STORAGE_ITS_TRANSFORM_AEAD_SCHEME_AES_GCM
36	help
37	  The AEAD scheme used to encrypt and authenticate the data.
38
39config SECURE_STORAGE_ITS_TRANSFORM_AEAD_SCHEME_AES_GCM
40	bool "AES-GCM AEAD scheme"
41	select PSA_WANT_KEY_TYPE_AES # request AES key support from the PSA Crypto configuration
42	select PSA_WANT_ALG_GCM # request the GCM algorithm
43
44config SECURE_STORAGE_ITS_TRANSFORM_AEAD_SCHEME_CHACHA20_POLY1305
45	bool "ChaCha20-Poly1305 AEAD scheme"
46	depends on SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_SIZE = 12 # only offered with a 12-byte nonce
47	select PSA_WANT_KEY_TYPE_CHACHA20
48	select PSA_WANT_ALG_CHACHA20_POLY1305
49
50config SECURE_STORAGE_ITS_TRANSFORM_AEAD_SCHEME_CUSTOM
51	bool "Custom AEAD scheme" # selects no PSA_WANT_* symbols; presumably the application enables what it needs
52	help
53	  Implement the secure_storage_its_transform_aead_get_scheme() function
54	  declared in <zephyr/secure_storage/its/transform/aead_get.h>
55	  and set CONFIG_SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_SIZE appropriately.
56	  The header is made available when this Kconfig option is enabled.
57
58endchoice # SECURE_STORAGE_ITS_TRANSFORM_AEAD_SCHEME
59
60choice SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER
61	prompt "AEAD ITS transform module encryption key provider"
62	default SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_DEVICE_ID_HASH if HWINFO_HAS_DRIVER
63	default SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_ENTRY_UID_HASH if !HWINFO_HAS_DRIVER
64
65config SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_DEVICE_ID_HASH
66	bool "Hash of the device ID returned by the HW info API (not necessarily secure)"
67	depends on HWINFO_HAS_DRIVER
68	select PSA_WANT_ALG_SHA_256
69	help
70	  This key provider generates keys by hashing the following:
71	  - the device EUI64 as returned by hwinfo_get_device_eui64() as first choice;
72	  - the device ID as returned by hwinfo_get_device_uuid() as second choice.
73	  The UID of the ITS entry for which the key is generated is added to the
74	  hashed data as a salt. This is not necessarily secure: depending on the device,
75	  the device ID may be easily readable by an attacker, not unique, and/or guessable,
76	  and whoever knows it can recompute the keys because the entry UIDs are not secret.
77
78config SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_ENTRY_UID_HASH
79	bool "Hash of the ITS entry UID (not secure)"
80	select PSA_WANT_ALG_SHA_256
81	help
82	  This key provider generates keys by hashing the UID of the ITS entry for which it is
83	  generating a key. This is not secure and is only intended for functional support: the
84	  UIDs are easily guessable and even stored in clear by the store module, so the key can
85	  be recomputed by anyone who can read the storage. Use a secure key provider if possible.
86
87config SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_CUSTOM
88	bool "Custom key provider"
89	help
90	  Implement the secure_storage_its_transform_aead_get_key() function
91	  declared in <zephyr/secure_storage/its/transform/aead_get.h>.
92	  The header is made available when this Kconfig option is enabled.
93
94endchoice # SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER
95
96config SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_SIZE
97	int "AEAD ITS transform module encryption key size in bytes"
98	default 32 # 256-bit key; NOTE(review): no range declared, confirm sizes are validated elsewhere
99
100if !SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_CUSTOM
101
102config SECURE_STORAGE_ITS_TRANSFORM_AEAD_NO_INSECURE_KEY_WARNING
103	bool "Silence the insecure ITS encryption key warnings" # NOTE(review): no help text; as far as this file shows, only the warning changes, not the key provider
104
105endif # !SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_CUSTOM
106
107choice SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_PROVIDER
108	prompt "AEAD ITS transform module nonce provider"
109
110config SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_PROVIDER_DEFAULT
111	bool "Default nonce provider"
112	help
113	  The default nonce provider generates a random first nonce with psa_generate_random(),
114	  then increments it for every subsequent nonce. This is only secure if the random source
115	  doesn't repeat values between reboots, as a nonce must never be reused with the same key.
116
117config SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_PROVIDER_CUSTOM
118	bool "Custom nonce provider"
119	help
120	  Implement the secure_storage_its_transform_aead_get_nonce() function
121	  declared in <zephyr/secure_storage/its/transform/aead_get.h>.
122	  The header is made available when this Kconfig option is enabled.
123
124endchoice # SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_PROVIDER
125
126config SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_SIZE
127	int "AEAD ITS transform module nonce size in bytes"
128	range 4 24 # NOTE(review): small sizes shrink the nonce space of the random-start default provider
129	default 12 # only size at which ChaCha20-Poly1305 is selectable and OUTPUT_OVERHEAD has a default
130	help
131	  Make sure to update CONFIG_SECURE_STORAGE_ITS_TRANSFORM_OUTPUT_OVERHEAD
132	  appropriately when changing the value of this option.
133
134endif # SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_AEAD
135