doc: security: rename trusted_storage

Renamed the file and the page to secure storage.
NCSDK-32976.

Signed-off-by: Grzegorz Ferenc <[email protected]>

Author: greg-fer

doc/_utils/redirects.py

@@ -303,6 +303,7 @@
     ("security/tfm", "security/tfm/index"),
     ("security/tfm/tfm", "security/tfm/index"),
     ("app_dev/ap_protect/index", "security/ap_protect"), # Enabling access port protection mechanism
+    ("security/trusted_storage", "security/secure_storage"), # Secure storage in the |NCS| (renamed from Trusted storage)
     ("ug_ble_controller", "protocols/bt/index"), # Bluetooth LE Controller
     ("protocols/ble/index", "protocols/bt/index"),
     ("protocols/bt/ble/index", "protocols/bt/bt_stack_arch"),

doc/nrf/libraries/security/trusted_storage.rst

@@ -8,7 +8,9 @@ Trusted storage
    :depth: 2
 
 The trusted storage library enables its users to provide integrity, confidentiality and authenticity of stored data using Authenticated Encryption with Associated Data (AEAD) algorithms or cryptographic hash, without the use of TF-M Platform Root of Trust (PRoT).
-The library implements the PSA Certified Secure Storage API.
+The library implements the :ref:`PSA Certified Secure Storage API <ug_psa_certified_api_overview_secstorage>` for use on builds without TF-M (no :ref:`security by separation <ug_tfm_security_by_separation>`).
+
+See also :ref:`secure_storage_in_ncs` for an overview of the PSA Secure Storage API implementation in the |NCS|.
 
 Overview
 ********
@@ -87,6 +89,16 @@ The following backends are used in the trusted storage library:
 
    The trusted storage library provides the ``TRUSTED_STORAGE_STORAGE_BACKEND_SETTINGS`` as a storage backend, but it has support for adding other memory types for storage.
 
+Security functional requirement standards
+=========================================
+
+The trusted storage library addresses two of the PSA Certified Level 2 and Level 3 optional security functional requirements (SFRs):
+
+* Secure Encrypted Storage (internal storage)
+* Secure Storage (internal storage)
+
+The Secure External Storage SFR is not covered by the trusted storage library, but you can implement a custom storage backend.
+
 Requirements
 ************
 

doc/nrf/protocols/bt/bt_mesh/configuring.rst

@@ -291,13 +291,13 @@ The following two types of security risks are possible:
   * Execute a key refresh procedure for all existing keys used on the entire network as soon as possible by excluding the compromised device, if any.
     The mechanism to determine if the device is compromised is up to the OEM developers.
 
-Additionally, after upgrading the device firmware with the key importer functionality enabled, and once the key import is complete, it is recommend to update device firmware with the key importer functionality disabled as soon as possible.
+Additionally, after upgrading the device firmware with the key importer functionality enabled, and once the key import is complete, it is recommended to update device firmware with the key importer functionality disabled as soon as possible.
 
-Trusted storage
----------------
+Secure storage
+--------------
 
-The :ref:`trusted_storage_in_ncs` is a security mechanism designed to securely store and manage sensitive data.
-Currently, all :ref:`bt_mesh_samples` in the |NCS| use the :ref:`trusted_storage_readme` library as the Trusted Storage backend for all supported platforms.
+:ref:`secure_storage_in_ncs` lets you securely store and manage sensitive data.
+Currently, all :ref:`bt_mesh_samples` in the |NCS| use the :ref:`trusted_storage_readme` library as the PSA Secure Storage API implementation for all supported platforms.
 
 .. note::
    For the nRF52840 devices, in regards to :ref:`bt_mesh_samples` in |NCS|, AEAD keys are derived using hashes of entry UIDs (:kconfig:option:`CONFIG_TRUSTED_STORAGE_BACKEND_AEAD_KEY_HASH_UID`).

doc/nrf/protocols/matter/end_product/security.rst

@@ -52,12 +52,12 @@ The recommended values are provided in the :ref:`ug_matter_hw_requirements_layou
 By default, the DAC private key is stored in the KMU storage while using TF-M.
 See the :ref:`matter_platforms_security_dac_priv_key_kmu` section for more information.
 
-Trusted storage
-***************
+Secure storage
+**************
 
-The :ref:`trusted_storage_in_ncs` is a security mechanism designed to securely store and manage sensitive data.
-Currently, all :ref:`matter_samples` in the |NCS| use the :ref:`trusted_storage_readme` library as the Trusted Storage backend for all supported platforms.
-You can find an overview of the Trusted Storage layer configuration supported for each |NCS| Matter-enabled platform in the :ref:`matter_platforms_security_support` section.
+:ref:`secure_storage_in_ncs` lets you securely store and manage sensitive data.
+Currently, all :ref:`matter_samples` in the |NCS| use the :ref:`trusted_storage_readme` library as the PSA Secure Storage API implementation for all supported platforms.
+You can find an overview of the PSA Secure Storage configuration supported for each |NCS| Matter-enabled platform in the :ref:`matter_platforms_security_support` section.
 
 .. note::
    For the nRF52840 devices, in regards to :ref:`matter_samples` in |NCS|, AEAD keys are derived using hashes of entry UIDs (:kconfig:option:`CONFIG_TRUSTED_STORAGE_BACKEND_AEAD_KEY_HASH_UID`).

doc/nrf/releases_and_maturity/releases/release-notes-2.7.0.rst

@@ -1353,7 +1353,7 @@ Documentation
   * The :ref:`ug_wifi_overview` page by separating the information about Wi-Fi certification into its own :ref:`ug_wifi_certification` page under :ref:`ug_wifi`.
   * The :ref:`ug_bt_mesh_configuring` page with an example of possible entries in the Settings NVS name cache.
   * The :ref:`lib_security` page to include all security-related libraries.
-  * The trusted storage support table in the :ref:`trusted_storage_in_ncs` section by adding nRF52833 and replacing nRF9160 with nRF91 Series.
+  * The secure storage support table in the :ref:`secure_storage_in_ncs` page by adding nRF52833 and replacing nRF9160 with nRF91 Series.
   * The :ref:`ug_nrf52_developing` and :ref:`ug_nrf5340` by adding notes about how to perform FOTA updates with samples using random HCI identities, some specifically relevant when using the iOS app.
   * Improved the :ref:`ug_radio_fem` user guide to be up-to-date and more informative.
   * The :ref:`bt_fast_pair_readme` page to document support for the FMDN extension and aligned the page with the sysbuild migration.

doc/nrf/releases_and_maturity/releases/release-notes-3.0.0.rst

@@ -382,7 +382,7 @@ Matter
 
   * By disabling the :ref:`mpsl` before performing a factory reset to speed up the process.
   * The :ref:`ug_matter_device_low_power_configuration` page to mention the `nWP049 - Matter over Thread: Power consumption and battery life`_ and `Online Power Profiler for Matter over Thread`_ as useful resources in optimizing the power consumption of a Matter device.
-  * The general documentation on trusted storage by moving it to the :ref:`trusted_storage_in_ncs` page and :ref:`trusted_storage_readme` library documentation.
+  * The general documentation on secure storage by moving it to the :ref:`secure_storage_in_ncs` page and :ref:`trusted_storage_readme` library documentation.
 
 Matter fork
 +++++++++++

doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst

@@ -137,7 +137,11 @@ Security
 
   * Support for AES in counter mode using CRACEN for the :zephyr:board:`nrf54lm20dk`.
 
-* Updated the :ref:`security_index` page with a table that lists the versions of security components implemented in the |NCS|.
+* Updated:
+
+  * The :ref:`security_index` page with a table that lists the versions of security components implemented in the |NCS|.
+  * The :ref:`secure_storage_in_ncs` page with updated information about the secure storage configuration in the |NCS|.
+    Also renamed the page from "Trusted storage in the |NCS|."
 
 Protocols
 =========

doc/nrf/security.rst

@@ -122,10 +122,12 @@ Some of them are documented in detail in other parts of this documentation, whil
       In the |NCS|, the CMSE support is implemented using Trusted Firmware-M (TF-M).
     - See :ref:`app_boards_spe_nspe`.
     - All samples and applications that support the ``*/ns`` :ref:`variant <app_boards_names>` of the boards.
-  * - Trusted storage
-    - The trusted storage library enables you to provide features like integrity, confidentiality and authenticity of the stored data, without using the TF-M Platform Root of Trust (PRoT).
-    - See :ref:`trusted_storage_in_ncs` and :ref:`trusted storage library configuration <trusted_storage_configuration>`.
-    - :ref:`trusted_storage_readme` library
+  * - Secure storage
+    - Secure storage enables you to provide features like integrity, confidentiality and authenticity of the stored data, with or without TF-M.
+    - See :ref:`secure_storage_in_ncs`.
+    - | - :ref:`trusted_storage_readme` library
+      | - TF-M's :ref:`ug_tfm_services_its`
+      | - TF-M's :ref:`tfm_partition_ps`
   * - Hardware unique key (HUK)
     - Nordic Semiconductor devices featuring the CryptoCell cryptographic accelerator allow the usage of a hardware unique key (HUK) for key derivation.
       A HUK is a unique symmetric cryptographic key which is loaded in special hardware registers allowing the application to use the key by reference, without any access to the key material.
@@ -141,5 +143,5 @@ Some of them are documented in detail in other parts of this documentation, whil
    security/crypto/index
    security/tfm/index
    security/ap_protect
-   security/trusted_storage
+   security/secure_storage
    security/key_storage

doc/nrf/security/crypto/crypto_architecture.rst

@@ -115,7 +115,7 @@ When using the Oberon PSA Crypto implementation, persistent keys from the PSA Cr
 * Zephyr's :ref:`Secure storage <zephyr:secure_storage>` subsystem - Zephyr-specific implementation of the functions defined in the `PSA Certified Secure Storage API`_.
 * |NCS|'s :ref:`trusted_storage_readme` library - which provides features like integrity, confidentiality, and authenticity of the stored data without using the TF-M Platform Root of Trust (PRoT).
 
-For more information about the storage integration for the Oberon PSA Crypto implementation, see :ref:`trusted_storage_in_ncs`.
+For more information, see :ref:`secure_storage_in_ncs`.
 
 .. _ug_crypto_architecture_implementation_standards_tfm:
 

doc/nrf/security/psa_certified_api_overview.rst

@@ -186,55 +186,48 @@ See PSA's `protected_storage.h`_ file for versioning.
 
 The Secure Storage API consists of the following components:
 
-* Internal Trusted Storage - The Internal Trusted Storage API is used internally by the SPE to store data persistently in secure flash.
+* Internal Trusted Storage (ITS) - The Internal Trusted Storage API is used internally by the SPE to store data persistently in secure flash.
+  The Internal Trusted Storage API is one of the :ref:`ug_tfm_architecture_rot_services_platform` and is not available by default in the Non-Secure Callable interface.
   It is possible to expose the Internal Trusted Storage API to the NSPE, but it is not recommended.
 
-* Protected Storage - The Protected Storage API is for storing data persistently in secure flash and provides integrity checks to the stored data.
+* Protected Storage (PS) - The Protected Storage API is used for securely storing data in non-volatile memory.
+  It provides authenticity and integrity checks to the stored data.
   The Protected Storage API is one of :ref:`ug_tfm_architecture_rot_services_application` and is available in the Non-Secure Callable interface, making the Protected Storage API callable from either the SPE or the NSPE.
   Data in Protected Storage has ownership, so data stored from the SPE is only available to the SPE.
 
 The following table provides an overview over features in Internal Trusted Storage and Protected Storage:
 
-+-----------------------+----------------------------------+-------------------+
-|                       |     Internal Trusted Storage     | Protected Storage |
-+=======================+==================================+===================+
-| Persistent Storage    | Yes                              | Yes               |
-+-----------------------+----------------------------------+-------------------+
-| Root of Trust (RoT)   | Platform RoT Service             | Application RoT   |
-|                       |                                  | Service           |
-+-----------------------+----------------------------------+-------------------+
-| Available in the SPE  | Yes                              | Yes               |
-+-----------------------+----------------------------------+-------------------+
-| Available in the NSPE | No (by default - see note below) | Yes               |
-+-----------------------+----------------------------------+-------------------+
-| Encryption            | No (see note below)              | Yes               |
-+-----------------------+----------------------------------+-------------------+
-| Integrity Check       | No (see note below)              | Yes               |
-+-----------------------+----------------------------------+-------------------+
++-----------------------+-------------------------------------------------------------------------+-------------------------------------------------------------------------------+
+|                       |                        Internal Trusted Storage (ITS)                   |                               Protected Storage (PS)                          |
++=======================+=========================================================================+===============================================================================+
+| Persistent Storage    | Yes                                                                     | Yes                                                                           |
++-----------------------+-------------------------------------------------------------------------+-------------------------------------------------------------------------------+
+| Root of Trust (RoT)   | :ref:`Platform RoT Service <ug_tfm_architecture_rot_services_platform>` | :ref:`Application RoT Service <ug_tfm_architecture_rot_services_application>` |
++-----------------------+-------------------------------------------------------------------------+-------------------------------------------------------------------------------+
+| Available in the SPE  | Yes                                                                     | Yes                                                                           |
++-----------------------+-------------------------------------------------------------------------+-------------------------------------------------------------------------------+
+| Available in the NSPE | No (by default - see note below)                                        | Yes                                                                           |
++-----------------------+-------------------------------------------------------------------------+-------------------------------------------------------------------------------+
+| Encryption            | No (see note below)                                                     | Yes                                                                           |
++-----------------------+-------------------------------------------------------------------------+-------------------------------------------------------------------------------+
+| Integrity Check       | No (see note below)                                                     | Yes                                                                           |
++-----------------------+-------------------------------------------------------------------------+-------------------------------------------------------------------------------+
 
 .. note::
 
-   * The PSA Crypto API is invoked by other APIs that are available from the NSPE.
-     For example the PSA Protected Storage API or the PSA Crypto API ``import()`` and ``generate()``.
+   * The PSA ITS API is invoked by other APIs that are available from the NSPE.
+     For example, the PSA Protected Storage API or the PSA Crypto API's ``psa_import_key`` and ``psa_generate_key`` functions.
 
    * Internal Trusted Storage has experimental support for encryption with the :kconfig:option:`CONFIG_TFM_ITS_ENCRYPTED` Kconfig option.
 
-PSA Secure Storage API in Nordic hardware and the |NCS|
-=======================================================
+PSA Secure Storage API in the |NCS|
+===================================
 
-SoCs from Nordic Semiconductor that come with dedicated hardware components for security (such as `nRF9160's System Protection Unit <nRF9160 System Protection Unit_>`_ or `nRF54L Series' security components <nRF54L15 Security_>`_) have the functionality for `flash <nRF9160 flash access control_>`_ (nRF9160) or `feature <nRF54L15 feature access control_>`_ (nRF54L15) access control, making it possible to configure different features as secure.
-Internal Trusted Storage and Protected Storage saves data to the sections of secure flash.
-This way, the NSPE cannot directly access data saved by the Internal Trusted Storage API or the Protected Storage API.
+.. ncs-include:: secure_storage.rst
+   :start-after: secure_storage_options_table_start
+   :end-before: secure_storage_options_table_end
 
-Internal Trusted Storage is by default only available from the SPE.
-
-.. note::
-
-   For Nordic SoCs without TF-M's Platform Root of Trust (such as the nRF52832), the :ref:`trusted_storage_readme` library is used for the PSA Certified Secure Storage APIs.
-
-The PSA Protected Storage API implementation is optional for use in the |NCS|.
-It does not support storing data to external flash.
-Instead, you can configure your application to encrypt data stored to the external flash, for example using the :ref:`ug_psa_certified_api_overview_crypto`.
+For more information, see :ref:`secure_storage_in_ncs`.
 
 .. _ug_psa_certified_api_overview_fw_update: