-
Notifications
You must be signed in to change notification settings - Fork 1.5k
Expand file tree
/
Copy pathKconfig
More file actions
174 lines (139 loc) · 5.09 KB
/
Kconfig
File metadata and controls
174 lines (139 loc) · 5.09 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
#
# Copyright (c) 2018 - 2023 Nordic Semiconductor
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#
# Secure storage subsystem configuration options
menuconfig TRUSTED_STORAGE
bool "Trusted Storage [DEPRECATED]"
depends on !BUILD_WITH_TFM
depends on !DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED
select DEPRECATED
select MBEDTLS_PSA_CRYPTO_STORAGE_C
help
This option is deprecated. Use SECURE_STORAGE instead.
If you have an existing installation that makes use of Trusted Storage
with entries stored in non-volatile memory, you can switch to using Secure Storage
without losing any data by enabling SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY.
if TRUSTED_STORAGE
module = TRUSTED_STORAGE
module-str = trusted_storage
source "subsys/logging/Kconfig.template.log_config"
menuconfig PSA_PROTECTED_STORAGE
bool "Protected Storage"
help
The Protected Storage is designed to store critical assets.
It supports several storage back-ends and several secure
implementation back-ends to provide various levels of trust.
if PSA_PROTECTED_STORAGE
config PSA_PROTECTED_STORAGE_PREFIX
string "Protected Storage object prefix"
default "ps"
help
This defines the prefix for Protected Storage object names.
endif # PSA_PROTECTED_STORAGE
menuconfig PSA_INTERNAL_TRUSTED_STORAGE
bool "Internal Trusted Storage"
default y
help
The Internal Trusted Storage is designed to store critcal assets that
must be placed inside internal flash. Some examples of assets that
require this are replay protection values for external storage and
keys for use by components of the PSA Root of Trust.
if PSA_INTERNAL_TRUSTED_STORAGE
config PSA_INTERNAL_TRUSTED_STORAGE_PREFIX
string "Internal Trusted Storage object prefix"
depends on PSA_INTERNAL_TRUSTED_STORAGE
default "its"
help
This defines the prefix for Internal Trusted Storage object names.
endif # PSA_INTERNAL_TRUSTED_STORAGE
choice TRUSTED_STORAGE_BACKEND
prompt "Secure storage backend"
default TRUSTED_STORAGE_BACKEND_AEAD
help
The backend that handles encryption, authentication or other means of
validation of the stored assets.
menuconfig TRUSTED_STORAGE_BACKEND_AEAD
bool "Use AEAD scheme"
help
Use an AEAD scheme to encrypt the asset data and authenticate its
data including the meta data.
if TRUSTED_STORAGE_BACKEND_AEAD
config TRUSTED_STORAGE_BACKEND_AEAD_MAX_DATA_SIZE
int "AEAD backend maximum storage size"
default 256
help
This defines the maximum data size that can be stored.
choice TRUSTED_STORAGE_BACKEND_AEAD_CRYPTO
prompt "AEAD algorithm crypto backend"
default TRUSTED_STORAGE_BACKEND_AEAD_CRYPTO_PSA_CHACHAPOLY
help
Decides which implementation to be used to perform the AEAD crypto
operations.
config TRUSTED_STORAGE_BACKEND_AEAD_CRYPTO_PSA_CHACHAPOLY
bool "PSA ChaChaPoly"
select PSA_WANT_KEY_TYPE_CHACHA20
select PSA_WANT_ALG_CHACHA20_POLY1305
help
Use PSA Crypto API's with the ChaChaPoly-1305 AEAD algorithm.
endchoice # TRUSTED_STORAGE_BACKEND_AEAD_CRYPTO
choice TRUSTED_STORAGE_BACKEND_AEAD_NONCE
prompt "AEAD nonce implementation"
default TRUSTED_STORAGE_BACKEND_AEAD_NONCE_PSA_SEED_COUNTER
help
Implementation to provide a AEAD nonce.
config TRUSTED_STORAGE_BACKEND_AEAD_NONCE_PSA_SEED_COUNTER
bool "PSA Nonce Seed + Counter"
select PSA_WANT_GENERATE_RANDOM
help
Use PSA Crypto for Nonce initial random seed, then incrementing
nonce for each AEAD encryption.
config TRUSTED_STORAGE_BACKEND_AEAD_NONCE_CUSTOM
bool "Custom"
help
Use custom implementation for AEAD Nonce provider.
endchoice # TRUSTED_STORAGE_BACKEND_AEAD_NONCE
choice TRUSTED_STORAGE_BACKEND_AEAD_KEY
prompt "AEAD Key implementation"
default TRUSTED_STORAGE_BACKEND_AEAD_KEY_DERIVE_FROM_HUK
help
Implementation to provide the AEAD keys.
config TRUSTED_STORAGE_BACKEND_AEAD_KEY_HASH_UID
bool "Hash of UID"
select PSA_WANT_ALG_SHA_256
help
Use SHA-256 hash of UID as key, this option does not provide a very high
level of security and therefor is not recommended and should only be used
if it is impossible to use the HUK.
config TRUSTED_STORAGE_BACKEND_AEAD_KEY_DERIVE_FROM_HUK
bool "HUK + UID"
select HW_UNIQUE_KEY
select HW_UNIQUE_KEY_RANDOM
depends on HW_UNIQUE_KEY_SUPPORTED
help
Use the Hardware Unique Key (HUK) with the UID as label to derive a
new key.
config TRUSTED_STORAGE_BACKEND_AEAD_KEY_CUSTOM
bool "Custom"
help
Use custom implementation for AEAD key provider.
endchoice # TRUSTED_STORAGE_BACKEND_AEAD_KEY
endif # TRUSTED_STORAGE_BACKEND_AEAD
endchoice # TRUSTED_STORAGE_BACKEND
choice TRUSTED_STORAGE_STORAGE_BACKEND
prompt "Storage backend"
default TRUSTED_STORAGE_STORAGE_BACKEND_SETTINGS
help
Implementation used to store the assets
config TRUSTED_STORAGE_STORAGE_BACKEND_SETTINGS
bool "Settings storage backend"
depends on SETTINGS_ZMS || SETTINGS_ZMS_LEGACY || (SETTINGS_NVS && !SOC_SERIES_NRF54L)
help
Use the Settings subsystem to store the assets
config TRUSTED_STORAGE_STORAGE_BACKEND_CUSTOM
bool "Custom storage backend"
help
Use a custom-made backend to store data in the non-volatile memory.
endchoice # CONFIG_TRUSTED_STORAGE_STORAGE_BACKEND
endif # TRUSTED_STORAGE