nrfconnect · tomi-font · May 25, 2026 · May 25, 2026 · May 25, 2026
@@ -19,6 +19,3 @@ CONFIG_PSA_CRYPTO=y
 CONFIG_PSA_WANT_KEY_TYPE_AES=y
 CONFIG_PSA_WANT_ALG_CTR=y
 CONFIG_PSA_WANT_GENERATE_RANDOM=y
-
-# Enable persistent storage for PSA Crypto
-CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y
@@ -36,19 +36,21 @@ if BT_SETTINGS
 config BT_MESH_SECURE_STORAGE
 	bool
 	default y
-	imply TRUSTED_STORAGE
-	imply MBEDTLS_PSA_CRYPTO_STORAGE_C
+	imply SECURE_STORAGE
+
+if TRUSTED_STORAGE
 
 choice TRUSTED_STORAGE_BACKEND_AEAD_KEY
 	default TRUSTED_STORAGE_BACKEND_AEAD_KEY_HASH_UID if SOC_SERIES_NRF52
-
 endchoice # TRUSTED_STORAGE_BACKEND_AEAD_KEY
 
 config BT_MESH_CRYPTO_KEY_INITIALIZER
 	bool
 	default y if TRUSTED_STORAGE_BACKEND_AEAD_KEY_DERIVE_FROM_HUK
 	imply HW_UNIQUE_KEY_WRITE_ON_CRYPTO_INIT if HW_UNIQUE_KEY_SUPPORTED
 
+endif # TRUSTED_STORAGE
+
 endif # BT_SETTINGS
 
 endif # !BUILD_WITH_TFM

@@ -55,22 +55,20 @@ config OPENTHREAD_NRF_SECURITY_PSA
 	  functions if available as well as fast oberon backend for software encryption.
 
 config OPENTHREAD_NRF_SECURITY_PSA
-	imply MBEDTLS_PSA_CRYPTO_STORAGE_C if (!PSA_SSF_CRYPTO_CLIENT && !BUILD_WITH_TFM)
-	imply TRUSTED_STORAGE if (!PSA_SSF_CRYPTO_CLIENT && !BUILD_WITH_TFM)
-	# TRUSTED_STORAGE requires Settings
+	depends on !BUILD_WITH_TFM && !OPENTHREAD_COPROCESSOR_RCP
+	imply SECURE_STORAGE if !PSA_SSF_CRYPTO_CLIENT
 	imply SETTINGS
-	imply HW_UNIQUE_KEY_WRITE_ON_CRYPTO_INIT if (SOC_NRF5340_CPUAPP || SOC_SERIES_NRF54L)
-	depends on (!BUILD_WITH_TFM && !OPENTHREAD_COPROCESSOR_RCP)
+	imply HW_UNIQUE_KEY_WRITE_ON_CRYPTO_INIT if TRUSTED_STORAGE && \
+						(SOC_NRF5340_CPUAPP || SOC_SERIES_NRF54L)
 
-if (OPENTHREAD_NRF_SECURITY_PSA && (BUILD_WITH_TFM || (!SOC_NRF5340_CPUAPP && !SOC_SERIES_NRF54L)))
-# Set hash of UID as AEAD Key implementation for device that do not have hardware secure storage and TFM builds.
+if OPENTHREAD_NRF_SECURITY_PSA && TRUSTED_STORAGE && !SOC_NRF5340_CPUAPP && !SOC_SERIES_NRF54L
+# Set hash of UID as AEAD Key implementation for device that do not have hardware secure storage.
 
 choice TRUSTED_STORAGE_BACKEND_AEAD_KEY
 	default TRUSTED_STORAGE_BACKEND_AEAD_KEY_HASH_UID
-
 endchoice # TRUSTED_STORAGE_BACKEND_AEAD_KEY
 
-endif # (OPENTHREAD_NRF_SECURITY_PSA && (BUILD_WITH_TFM || (!SOC_NRF5340_CPUAPP && !SOC_SERIES_NRF54L)))
+endif
 
 config OPENTHREAD_MBEDTLS_LIB_NAME
 	default "mbedtls_external" if OPENTHREAD_NRF_SECURITY_PSA

@@ -2,13 +2,12 @@
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
 
 config SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY
-	bool "Trusted storage backward compatibility [EXPERIMENTAL]"
+	bool "Trusted storage backward compatibility"
 	depends on SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS || \
 		SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_CUSTOM
 	depends on (SETTINGS_ZMS || SETTINGS_ZMS_LEGACY || \
 		(SETTINGS_NVS && !SOC_SERIES_NRF54L)) || \
 		SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_CUSTOM
-	select EXPERIMENTAL
 	select SECURE_STORAGE_64_BIT_UID
 	select SECURE_STORAGE_ITS_STORE_SETTINGS_NAME_CUSTOM \
 		if SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS

@@ -7,15 +7,16 @@
 # Secure storage subsystem configuration options
 
 menuconfig TRUSTED_STORAGE
-	bool "Trusted Storage"
+	bool "Trusted Storage [DEPRECATED]"
 	depends on !BUILD_WITH_TFM
 	depends on !DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED
+	select DEPRECATED
+	select MBEDTLS_PSA_CRYPTO_STORAGE_C
 	help
-	  The secure storage subsystem allows its users to store data in a
-	  secure way, ensuring data integrity and confidentiality by using AEAD
-	  algorithms. It supports several secure implementation back-ends to
-	  provide various levels of trust depending on the device security
-	  features.
+	  This option is deprecated. Use SECURE_STORAGE instead.
+	  If you have an existing installation that makes use of Trusted Storage
+	  with entries stored in non-volatile memory, you can switch to using Secure Storage
+	  without losing any data by enabling SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY.
 
 if TRUSTED_STORAGE
 module = TRUSTED_STORAGE

@@ -159,7 +159,7 @@ manifest:
     - name: matter
       repo-path: sdk-connectedhomeip
       path: modules/lib/matter
-      revision: 106cf3d26c6b3354fc2006aa71684a9905d1af64
+      revision: pull/722/head
       west-commands: scripts/west/west-commands.yml
       submodules:
         - name: nlio