From fd538dcb11ee1791aae238e69449c30cd3fde6f9 Mon Sep 17 00:00:00 2001 From: Tomi Fontanilles Date: Fri, 28 Mar 2025 15:29:09 +0200 Subject: [PATCH] secure_storage: its: store: settings: allow using custom setting names Allow replacing the default naming scheme of the stored settings by providing a custom function that fills a name buffer based on the ITS entry UID. Signed-off-by: Tomi Fontanilles --- subsys/secure_storage/CMakeLists.txt | 4 ++ subsys/secure_storage/Kconfig.its_store | 17 ++++++++ .../secure_storage/its/store/settings_get.h | 29 ++++++++++++++ .../secure_storage/its/transform/aead_get.h | 4 +- .../secure_storage/src/its/store/settings.c | 39 ++++++++++++------- 5 files changed, 78 insertions(+), 15 deletions(-) create mode 100644 subsys/secure_storage/include/internal/zephyr/secure_storage/its/store/settings_get.h diff --git a/subsys/secure_storage/CMakeLists.txt b/subsys/secure_storage/CMakeLists.txt index 8ba8b95a4fb..ef1e59364d1 100644 --- a/subsys/secure_storage/CMakeLists.txt +++ b/subsys/secure_storage/CMakeLists.txt @@ -46,3 +46,7 @@ if(CONFIG_SECURE_STORAGE_ITS_TRANSFORM_AEAD_SCHEME_CUSTOM OR CONFIG_SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_PROVIDER_CUSTOM) make_available(its/transform/aead_get.h) endif() + +if(CONFIG_SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_CUSTOM) + make_available(its/store/settings_get.h) +endif() diff --git a/subsys/secure_storage/Kconfig.its_store b/subsys/secure_storage/Kconfig.its_store index 5cf1512caf6..ccd15b968a7 100644 --- a/subsys/secure_storage/Kconfig.its_store +++ b/subsys/secure_storage/Kconfig.its_store 
@@ -60,8 +60,25 @@ endif # SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_ZMS if SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS +config SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_CUSTOM + bool "Custom naming scheme for the stored settings" + help + This allows to use custom names for the settings that the implementation uses + instead of the default naming scheme. + When enabling this, implement the secure_storage_its_store_settings_get_name() + function declared in + and set CONFIG_SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_MAX_LEN appropriately. + The header file is made available when this Kconfig option is enabled. + config SECURE_STORAGE_ITS_STORE_SETTINGS_PREFIX string "Subtree in which to store the settings, with a trailing slash. Can be empty." default "its/" + depends on !SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_CUSTOM + +config SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_MAX_LEN + int "Maximum setting name length" + range 2 64 + default 22 if !SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_CUSTOM + default 0 endif # SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS diff --git a/subsys/secure_storage/include/internal/zephyr/secure_storage/its/store/settings_get.h b/subsys/secure_storage/include/internal/zephyr/secure_storage/its/store/settings_get.h new file mode 100644 index 00000000000..028cc35e26f --- /dev/null +++ b/subsys/secure_storage/include/internal/zephyr/secure_storage/its/store/settings_get.h 
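Review bot: `SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_MAX_LEN` falls back to `default 0` under `range 2 64` when the custom naming option is enabled, so nothing visible here makes the integrator pick a real value. As far as I know Kconfig clamps an out-of-range default into the range, which would quietly yield a 3-byte name buffer that a custom function written for longer names would overrun. The symbol also has no help text; I would add one saying that this value sizes the buffer the naming function writes into, for example `The name buffer passed to secure_storage_its_store_settings_get_name() holds this many characters plus the terminating NUL.`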
@@ -0,0 +1,29 @@
+/* Copyright (c) 2024 Nordic Semiconductor
+ * SPDX-License-Identifier: Apache-2.0
+ */
+#ifndef SECURE_STORAGE_ITS_STORE_SETTINGS_GET_H
+#define SECURE_STORAGE_ITS_STORE_SETTINGS_GET_H
+
+/** @file zephyr/secure_storage/its/store/settings_get.h The settings ITS store module API.
+ *
+ * The functions declared in this header allow customization
+ * of the settings implementation of the ITS store module.
+ * They are not meant to be called directly other than by the settings ITS store module.
+ * This header file may and must be included when providing a custom implementation of one
+ * or more of these functions (@kconfig{CONFIG_SECURE_STORAGE_ITS_STORE_SETTINGS_*_CUSTOM}).
+ */
+#include
+
+enum { SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_BUF_SIZE
+ = CONFIG_SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_MAX_LEN + 1 };
+
+/** @brief Returns the setting name to use for an ITS entry.
+ *
+ * @param[in] uid The UID of the ITS entry for which the setting name is used.
+ * @param[out] name The setting name.
+ */
+void secure_storage_its_store_settings_get_name(
+ secure_storage_its_uid_t uid,
+ char name[static SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_BUF_SIZE]);
+
+#endif
diff --git a/subsys/secure_storage/include/internal/zephyr/secure_storage/its/transform/aead_get.h b/subsys/secure_storage/include/internal/zephyr/secure_storage/its/transform/aead_get.h
index 071c74c029e..0172c15b1d5 100644
--- a/subsys/secure_storage/include/internal/zephyr/secure_storage/its/transform/aead_get.h
+++ b/subsys/secure_storage/include/internal/zephyr/secure_storage/its/transform/aead_get.h
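Review bot: The doc comment on `secure_storage_its_store_settings_get_name()` in the new settings_get.h does not state the contract a custom implementation has to meet, and the `void` return gives it no way to report failure. I would extend the `@param[out] name` text to say the result must be NUL-terminated within `SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_BUF_SIZE` bytes, and add a sentence such as `The name must be identical for a given UID on every call and distinct for every other UID, caller ID included.` Two UIDs that map to the same name would presumably alias one stored entry, which removes the separation between callers that the UID carries.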
@@ -9,7 +9,7 @@ * The functions declared in this header allow customization * of the AEAD implementation of the ITS transform module. * They are not meant to be called directly other than by the AEAD ITS transform module. - * This header may be included when providing a custom implementation of one + * This header file may and must be included when providing a custom implementation of one * or more of these functions (@kconfig{CONFIG_SECURE_STORAGE_ITS_TRANSFORM_AEAD_*_CUSTOM}). */ #include @@ -24,7 +24,7 @@ void secure_storage_its_transform_aead_get_scheme(psa_key_type_t *key_type, psa_ /** @brief Returns the encryption key to use for an ITS entry's AEAD operations. * - * @param[in] uid The UID of the ITS entry for whom the returned key is used. + * @param[in] uid The UID of the ITS entry for which the key is used. * @param[out] key The encryption key. * * @return `PSA_SUCCESS` on success, anything else on failure. diff --git a/subsys/secure_storage/src/its/store/settings.c b/subsys/secure_storage/src/its/store/settings.c index e9725761201..f13ed497ae5 100644 --- a/subsys/secure_storage/src/its/store/settings.c +++ b/subsys/secure_storage/src/its/store/settings.c @@ -2,6 +2,7 @@ * SPDX-License-Identifier: Apache-2.0 */ #include +#include #include #include #include 
@@ -26,26 +27,37 @@ static int init_settings_subsys(void) } SYS_INIT(init_settings_subsys, APPLICATION, CONFIG_APPLICATION_INIT_PRIORITY); -enum { NAME_BUF_SIZE = sizeof(CONFIG_SECURE_STORAGE_ITS_STORE_SETTINGS_PREFIX) - 1 - + 2 * (sizeof(secure_storage_its_uid_t) + 1) }; -BUILD_ASSERT(NAME_BUF_SIZE <= SETTINGS_MAX_NAME_LEN + 1); +BUILD_ASSERT(CONFIG_SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_MAX_LEN <= SETTINGS_MAX_NAME_LEN); -static void make_name(secure_storage_its_uid_t uid, char name[static NAME_BUF_SIZE]) +#ifndef CONFIG_SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_CUSTOM + +BUILD_ASSERT(CONFIG_SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_MAX_LEN == + sizeof(CONFIG_SECURE_STORAGE_ITS_STORE_SETTINGS_PREFIX) - 1 + + 1 + 1 /* caller ID + '/' */ + + 2 * sizeof(psa_storage_uid_t) /* hex UID */); + +void secure_storage_its_store_settings_get_name( + secure_storage_its_uid_t uid, + char name[static SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_BUF_SIZE]) { int ret; - ret = snprintf(name, NAME_BUF_SIZE, CONFIG_SECURE_STORAGE_ITS_STORE_SETTINGS_PREFIX - "%x/%llx", uid.caller_id, (unsigned long long)uid.uid); - __ASSERT_NO_MSG(ret > 0 && ret < NAME_BUF_SIZE); + ret = snprintf(name, SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_BUF_SIZE, + CONFIG_SECURE_STORAGE_ITS_STORE_SETTINGS_PREFIX "%x/%llx", + uid.caller_id, (unsigned long long)uid.uid); + __ASSERT_NO_MSG(ret > 0 && ret < SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_BUF_SIZE); } +#endif /* !CONFIG_SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_CUSTOM */ + psa_status_t secure_storage_its_store_set(secure_storage_its_uid_t uid, size_t data_length, const void *data) { int ret; - char name[NAME_BUF_SIZE]; + char name[SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_BUF_SIZE]; + + secure_storage_its_store_settings_get_name(uid, name); - make_name(uid, name); ret = settings_save_one(name, data, data_length); LOG_DBG("%s %s with %zu bytes. (%d)", (ret == 0) ? "Saved" : "Failed to save", name, data_length, ret); 
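Review bot: The new `BUILD_ASSERT` budgets exactly one character for the caller ID (`+ 1 + 1 /* caller ID + '/' */`), while the default `secure_storage_its_store_settings_get_name()` formats `uid.caller_id` with `%x`, so a caller ID of 0x10 or above would be truncated by `snprintf()` to fit the buffer. The only guard is `__ASSERT_NO_MSG(ret > 0 && ret < ...)`, which I expect to compile out when assertions are disabled, and a truncated name can coincide with the name of a different entry. If the caller-ID type cannot exceed 0xf, a build-time assertion on its maximum next to this one would pin that assumption; otherwise the budget should be widened to the type's full hex width. `secure_storage_its_store_set()` continues outside the hunk.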
@@ -81,10 +93,10 @@ psa_status_t secure_storage_its_store_get(secure_storage_its_uid_t uid, size_t d void *data, size_t *data_length) { psa_status_t ret; - char name[NAME_BUF_SIZE]; + char name[SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_BUF_SIZE]; struct load_params load_params = {.data_size = data_size, .data = data, .ret = -ENOENT}; - make_name(uid, name); + secure_storage_its_store_settings_get_name(uid, name); settings_load_subtree_direct(name, load_direct_setting, &load_params); if (load_params.ret > 0) { @@ -103,9 +115,10 @@ psa_status_t secure_storage_its_store_get(secure_storage_its_uid_t uid, size_t d psa_status_t secure_storage_its_store_remove(secure_storage_its_uid_t uid) { int ret; - char name[NAME_BUF_SIZE]; + char name[SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_BUF_SIZE]; + + secure_storage_its_store_settings_get_name(uid, name); - make_name(uid, name); ret = settings_delete(name); LOG_DBG("%s %s. (%d)", ret ? "Failed to delete" : "Deleted", name, ret);
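Review bot: In `secure_storage_its_store_get()` the name is passed to `settings_load_subtree_direct()`, which loads a subtree rather than a single key. With custom names, an entry whose name is a parent path of another (`a` and `a/b`, a constructed example) could be served the child's data unless `load_direct_setting()` checks the key remainder; that callback is outside this hunk, so I cannot confirm either way. The default scheme never nests entries, but a custom one may, so the header's doc comment should carry a line such as `No name may be a '/'-separated parent of another entry's name.` The `secure_storage_its_store_remove()` hunk on the same line raises nothing further.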