From ac201a0018bb9b7800f8239fadfeabd2e86c943a Mon Sep 17 00:00:00 2001 From: Tomi Fontanilles Date: Mon, 25 May 2026 15:05:23 +0300 Subject: [PATCH 1/3] treewide: default to using Secure Storage It is the preferred option compared to Trusted Storage, so default to using it. It is still possible to use Trusted Storage by disabling CONFIG_SECURE_STORAGE and enabling CONFIG_TRUSTED_STORAGE. But for existing installations making use of Trusted Storage, they can switch to using Secure Storage without losing any existing data by simply enabling the CONFIG_SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY Kconfig option. In addition, CONFIG_TRUSTED_STORAGE now automatically enables CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C so that users of Trusted Storage don't have to enable it themselves anymore. Signed-off-by: Tomi Fontanilles --- samples/crypto/persistent_key_usage/prj.conf | 3 --- subsys/bluetooth/mesh/Kconfig | 8 +++++--- subsys/net/openthread/Kconfig | 16 +++++++--------- subsys/trusted_storage/Kconfig | 1 + west.yml | 2 +- 5 files changed, 14 insertions(+), 16 deletions(-) diff --git a/samples/crypto/persistent_key_usage/prj.conf b/samples/crypto/persistent_key_usage/prj.conf index 4fd46201f63e..8ecb962dce0f 100644 --- a/samples/crypto/persistent_key_usage/prj.conf +++ b/samples/crypto/persistent_key_usage/prj.conf @@ -19,6 +19,3 @@ CONFIG_PSA_CRYPTO=y CONFIG_PSA_WANT_KEY_TYPE_AES=y CONFIG_PSA_WANT_ALG_CTR=y CONFIG_PSA_WANT_GENERATE_RANDOM=y - -# Enable persistent storage for PSA Crypto -CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y diff --git a/subsys/bluetooth/mesh/Kconfig b/subsys/bluetooth/mesh/Kconfig index b8aff45cf3a5..efc9c593bd11 100644 --- a/subsys/bluetooth/mesh/Kconfig +++ b/subsys/bluetooth/mesh/Kconfig 
@@ -36,12 +36,12 @@ if BT_SETTINGS config BT_MESH_SECURE_STORAGE bool default y - imply TRUSTED_STORAGE - imply MBEDTLS_PSA_CRYPTO_STORAGE_C + imply SECURE_STORAGE + +if TRUSTED_STORAGE choice TRUSTED_STORAGE_BACKEND_AEAD_KEY default TRUSTED_STORAGE_BACKEND_AEAD_KEY_HASH_UID if SOC_SERIES_NRF52 - endchoice # TRUSTED_STORAGE_BACKEND_AEAD_KEY config BT_MESH_CRYPTO_KEY_INITIALIZER @@ -49,6 +49,8 @@ config BT_MESH_CRYPTO_KEY_INITIALIZER default y if TRUSTED_STORAGE_BACKEND_AEAD_KEY_DERIVE_FROM_HUK imply HW_UNIQUE_KEY_WRITE_ON_CRYPTO_INIT if HW_UNIQUE_KEY_SUPPORTED +endif # TRUSTED_STORAGE + endif # BT_SETTINGS endif # !BUILD_WITH_TFM diff --git a/subsys/net/openthread/Kconfig b/subsys/net/openthread/Kconfig index 3e5278731188..33c938dc27eb 100644 --- a/subsys/net/openthread/Kconfig +++ b/subsys/net/openthread/Kconfig 
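Review bot: `imply SECURE_STORAGE` flips the default backend for the mesh persistent keys, but nothing next to it tells an upgrading device how to reach its existing Trusted Storage entries. Per the commit description, existing data is only kept when `SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY` is enabled, so a firmware update built with the default configuration would presumably come up without its stored keys. A comment above the imply would make that visible, for example `# Upgrading from Trusted Storage: enable SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY to keep stored keys`. The same applies to the `imply SECURE_STORAGE` in subsys/net/openthread/Kconfig. Patch 2 also shows the compatibility option excluding `SETTINGS_NVS` on `SOC_SERIES_NRF54L`, so the migration path for that combination is worth stating.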
@@ -55,22 +55,20 @@ config OPENTHREAD_NRF_SECURITY_PSA functions if available as well as fast oberon backend for software encryption. config OPENTHREAD_NRF_SECURITY_PSA - imply MBEDTLS_PSA_CRYPTO_STORAGE_C if (!PSA_SSF_CRYPTO_CLIENT && !BUILD_WITH_TFM) - imply TRUSTED_STORAGE if (!PSA_SSF_CRYPTO_CLIENT && !BUILD_WITH_TFM) - # TRUSTED_STORAGE requires Settings + depends on !BUILD_WITH_TFM && !OPENTHREAD_COPROCESSOR_RCP + imply SECURE_STORAGE if !PSA_SSF_CRYPTO_CLIENT imply SETTINGS - imply HW_UNIQUE_KEY_WRITE_ON_CRYPTO_INIT if (SOC_NRF5340_CPUAPP || SOC_SERIES_NRF54L) - depends on (!BUILD_WITH_TFM && !OPENTHREAD_COPROCESSOR_RCP) + imply HW_UNIQUE_KEY_WRITE_ON_CRYPTO_INIT if TRUSTED_STORAGE && \ + (SOC_NRF5340_CPUAPP || SOC_SERIES_NRF54L) -if (OPENTHREAD_NRF_SECURITY_PSA && (BUILD_WITH_TFM || (!SOC_NRF5340_CPUAPP && !SOC_SERIES_NRF54L))) -# Set hash of UID as AEAD Key implementation for device that do not have hardware secure storage and TFM builds. +if OPENTHREAD_NRF_SECURITY_PSA && TRUSTED_STORAGE && !SOC_NRF5340_CPUAPP && !SOC_SERIES_NRF54L +# Set hash of UID as AEAD Key implementation for device that do not have hardware secure storage. choice TRUSTED_STORAGE_BACKEND_AEAD_KEY default TRUSTED_STORAGE_BACKEND_AEAD_KEY_HASH_UID - endchoice # TRUSTED_STORAGE_BACKEND_AEAD_KEY -endif # (OPENTHREAD_NRF_SECURITY_PSA && (BUILD_WITH_TFM || (!SOC_NRF5340_CPUAPP && !SOC_SERIES_NRF54L))) +endif config OPENTHREAD_MBEDTLS_LIB_NAME default "mbedtls_external" if OPENTHREAD_NRF_SECURITY_PSA diff --git a/subsys/trusted_storage/Kconfig b/subsys/trusted_storage/Kconfig index 75ac8d2f581e..4ae58c4e543c 100644 --- a/subsys/trusted_storage/Kconfig +++ b/subsys/trusted_storage/Kconfig 
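Review bot: The `imply HW_UNIQUE_KEY_WRITE_ON_CRYPTO_INIT` is now conditional on `TRUSTED_STORAGE`, so a default (Secure Storage) build for nRF5340 or nRF54L no longer requests the hardware unique key at crypto init, and the hunk does not show which key protects the stored entries in that case. A short comment naming the Secure Storage key source on these SoCs would let a reader confirm it is still hardware-backed rather than the UID-hash fallback that the block below selects for parts without hardware secure storage. Separately, the closing `endif` lost its trailing comment; `endif # OPENTHREAD_NRF_SECURITY_PSA && TRUSTED_STORAGE` would match the `endif # TRUSTED_STORAGE` style used in the mesh Kconfig. The help text of the first `config OPENTHREAD_NRF_SECURITY_PSA` entry starts above the hunk.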
@@ -10,6 +10,7 @@ menuconfig TRUSTED_STORAGE bool "Trusted Storage" depends on !BUILD_WITH_TFM depends on !DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED + select MBEDTLS_PSA_CRYPTO_STORAGE_C help The secure storage subsystem allows its users to store data in a secure way, ensuring data integrity and confidentiality by using AEAD diff --git a/west.yml b/west.yml index 3246fb39f84d..90479f2a3498 100644 --- a/west.yml +++ b/west.yml @@ -159,7 +159,7 @@ manifest: - name: matter repo-path: sdk-connectedhomeip path: modules/lib/matter - revision: 106cf3d26c6b3354fc2006aa71684a9905d1af64 + revision: pull/722/head west-commands: scripts/west/west-commands.yml submodules: - name: nlio From a0ea170131a88f46827343068a05c926129b6fe0 Mon Sep 17 00:00:00 2001 From: Tomi Fontanilles Date: Mon, 25 May 2026 15:08:00 +0300 Subject: [PATCH 2/3] secure_storage: remove experimental status from compatibility option CONFIG_SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY has sufficient testing, so remove its experimental status. Signed-off-by: Tomi Fontanilles --- subsys/secure_storage/compatibility/Kconfig | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/subsys/secure_storage/compatibility/Kconfig b/subsys/secure_storage/compatibility/Kconfig index 3ce7cd6b7bec..c6099e534b75 100644 --- a/subsys/secure_storage/compatibility/Kconfig +++ b/subsys/secure_storage/compatibility/Kconfig 
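Review bot: `select MBEDTLS_PSA_CRYPTO_STORAGE_C` forces the symbol on without honouring its own dependencies, whereas the mesh and OpenThread entries it replaces used `imply` and the sample set it explicitly. The definition of `MBEDTLS_PSA_CRYPTO_STORAGE_C` is not part of this patch, so if it carries any `depends on` lines they should be mirrored here, e.g. `depends on <prerequisites of MBEDTLS_PSA_CRYPTO_STORAGE_C>`. Otherwise the build can end up with an unmet-dependency warning and a partially configured PSA storage layer. The menuconfig entry continues past the hunk.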
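Review bot: `revision: pull/722/head` replaces a pinned commit SHA with a pull-request ref that moves every time the PR is updated, so the manifest no longer identifies the exact Matter source that gets built. For a module that ends up in firmware, this removes reproducibility and lets unreviewed changes in that PR enter the build, so it should not merge in this form. Once the sdk-connectedhomeip change lands, restore a fixed hash, `revision: <merged sdk-connectedhomeip commit SHA>`. Until then, mark the line with `# TEMPORARY: revert to a pinned SHA before merge`.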
@@ -2,13 +2,12 @@ # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause config SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY - bool "Trusted storage backward compatibility [EXPERIMENTAL]" + bool "Trusted storage backward compatibility" depends on SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS || \ SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_CUSTOM depends on (SETTINGS_ZMS || SETTINGS_ZMS_LEGACY || \ (SETTINGS_NVS && !SOC_SERIES_NRF54L)) || \ SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_CUSTOM - select EXPERIMENTAL select SECURE_STORAGE_64_BIT_UID select SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_CUSTOM \ if SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS From 4fc6a2c3778259cc39bf1be44b13b2a7168bb0d4 Mon Sep 17 00:00:00 2001 From: Tomi Fontanilles Date: Mon, 25 May 2026 15:12:10 +0300 Subject: [PATCH 3/3] trusted_storage: deprecate Mark CONFIG_TRUSTED_STORAGE as deprecated for future removal. Secure Storage is the future-proof and recommended option. Signed-off-by: Tomi Fontanilles --- subsys/trusted_storage/Kconfig | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/subsys/trusted_storage/Kconfig b/subsys/trusted_storage/Kconfig index 4ae58c4e543c..7ab994bfd88f 100644 --- a/subsys/trusted_storage/Kconfig +++ b/subsys/trusted_storage/Kconfig 
@@ -7,16 +7,16 @@ # Secure storage subsystem configuration options menuconfig TRUSTED_STORAGE - bool "Trusted Storage" + bool "Trusted Storage [DEPRECATED]" depends on !BUILD_WITH_TFM depends on !DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED + select DEPRECATED select MBEDTLS_PSA_CRYPTO_STORAGE_C help - The secure storage subsystem allows its users to store data in a - secure way, ensuring data integrity and confidentiality by using AEAD - algorithms. It supports several secure implementation back-ends to - provide various levels of trust depending on the device security - features. + This option is deprecated. Use SECURE_STORAGE instead. + If you have an existing installation that makes use of Trusted Storage + with entries stored in non-volatile memory, you can switch to using Secure Storage + without losing any data by enabling SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY. if TRUSTED_STORAGE module = TRUSTED_STORAGE