Some ITS store module implementations may make use of them.
This is the case of the custom one in the
secure_storage.psa.its.secure_storage.custom.store test.
Instead of making transform.h conditionally available, move the definitions
to common.h and simply make them available whenever the ITS transform
module is enabled.
At the same time, remove unneeded/redundant includes/build asserts.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
On top of enabling and allowing test entropy sources, enable
CONFIG_ENTROPY_GENERATOR so that a real driver and entropy source gets
used if available.
This is needed for some PSA Crypto implementations that have random number
generation conditionally compiled in.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Some implementations require more stack than others.
Increase the Ztest and main stack sizes to accommodate them.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Use dynamic allocation for key material for
better compatibility as a fully static key store is a new
feature that not all PSA Crypto implementations support.
Explicitly enable CONFIG_MBEDTLS_ENABLE_HEAP to ensure that Mbed TLS uses
heap for the PSA keys' data (instead of failing at runtime).
This will turn off CONFIG_MBEDTLS_PSA_STATIC_KEY_SLOTS, making the
implementation default to dynamic key slots.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Explicitly enable CONFIG_ENTROPY_GENERATOR instead of relying on the
build system's defaults.
This:
- Makes sure the filtering works properly between entropy_driver and
entropy_not_secure test scenarios for the samples.
- Helps with TF-M builds in certain scenarios where key generation (via
`psa_generate_key()`) would fail due to the RNG functionality being
disabled.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
The psa_key_attributes_t type is implementation-defined according to
the PSA Crypto spec.
Compare its fields individually instead of doing a memcmp() over the
entire struct.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Explicitly set the TF-M profile to not rely on the build system defaults
which might differ.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Now that `SECURE_STORAGE` does not `select` dependencies, they need to
be enabled explicitly by the tests.
Signed-off-by: Jordan Yates <jordan@embeint.com>
We need to make sure that within Zephyr different users of the PSA APIs
don't interfere with each other because of using the same numerical IDs
for persistent assets.
This takes care of the PSA key IDs when using persistent keys through
the PSA Crypto API.
See the comments in `<zephyr/psa/key_ids.h>` for more information.
This removes the recently-introduced Kconfig options that allowed changing
the base IDs subsystems were using for their persistent keys.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
TF-M small profile does not support secure storage (know as Protected
storage), this commit add filter for tfm test case to pass it
incase of small profile been set, see tf-m profiles in below link
https://tf-m-user-guide.trustedfirmware.org/configuration/profiles/index.html
Signed-off-by: Sadik Ozer <sadik.ozer@analog.com>
It would time out when run on-device due to the NVS setting backend being
incredibly slow once enough entries exist.
Also, rename the tests which use different store implementations to make
that explicit.
Fixes https://github.com/zephyrproject-rtos/zephyr/issues/83210.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Add MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG to the list of
test Kconfigs. Typical use case of this:
- the platform has "zephyr,entropy" defined in the devicetree which means
that CSPRNG_AVAILABLE is set;
- for some reason the board actually does not have any entropy driver
enabled (ex: ENTROPY_BT_HCI is disabled in nrf5340bsim when BT is _not_
enabled in the build);
- since TEST_RANDOM_GENERATOR is enabled then also TEST_CSPRNG_GENERATOR
would be;
- unfortunately the call to psa_generate_random() would fail in
get_random_data() (in modules/mbedtls/zephyr_entropy.c) because
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG is not set and it would
not reach "subsys/random/random_test_csprng.c".
This commit fixes this problem.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Add a test scenario for the ITS store module implementation that uses
ZMS for storage.
Reorganize the others at the same time.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
It becomes the new default when the secure_storage_its_partition
devicetree chosen property is defined as it is a preferred alternative.
See the help message of the
`CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_ZMS` Kconfig option
for more information.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
The PSA Crypto implementation provided by Mbed TLS generally requires
some amount of heap to function, so enable the arena unconditionally
to make the test compatible with MINIMAL_LIBC configurations where the
arena is disabled by default.
Signed-off-by: Ilya Tagunov <Ilya.Tagunov@synopsys.com>
As long as MBEDTLS_ENTROPY_C is enabled, Mbed TLS needs to
poll some entropy source to gather data that will then be
processed by CTR/HMAC-DRBG modules. This means that in most
of the cases, once MBEDTLS_ENTROPY_C is enabled then also
MBEDTLS_ENTROPY_POLL_ZEPHYR needs to be enabled. This was
done manually until now, as the long list of samples/tests
demonstrate.
This commit solves this dependency by defaulting
MBEDTLS_ENTROPY_POLL_ZEPHYR to on as soon as
MBEDTLS_ENTROPY_C is set. As a consequence, all manual
enablement of MBEDTLS_ENTROPY_POLL_ZEPHYR in samples/tests
are removed.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Obviously, everyone knows that there are 8 bits per byte, so
there isn't a lot of magic happening, per se, but it's also
helpful to clearly denote where the magic number 8 is referring
to the number of bits in a byte.
Occasionally, 8 will refer to a field size or offset in a
structure, MMR, or word. Occasionally, the number 8 will refer
to the number of bytes in a 64-bit value (which should probably
be replaced with `sizeof(uint64_t)`).
For converting bits to bytes, or vice-versa, let's use
`BITS_PER_BYTE` for clarity (or other appropriate `BITS_PER_*`
macros).
Signed-off-by: Chris Friedt <cfriedt@tenstorrent.com>
Consistently use the nRF54L15 as the non-TF-M integration platform
in addition to `native_sim`, and the nRF9151 as the TF-M one.
In addition, add the `integration_platforms` specification to the
tests that were missing it.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Add one suite to test the PSA ITS API directly, and another to test it
through the PSA Crypto API.
The PSA ITS API test suite is run with different configurations to also
test customization possibilities that the secure storage subsystem offers.
Both test suites also have a test scenario with TF-M instead of the
secure storage subsystem.
This serves as compatibility testing to ensure that the PSA Secure
Storage API behaves the same from the user's point of view regardless
of the underlying implementation provider.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
