net: tls_credentials: Fix TLS credentials library loading with secure-only variant#111837
Open
PavelVPV wants to merge 2 commits into
rlubos
approved these changes
Jun 23, 2026
rlubos
left a comment
Contributor
LGTM, not sure how this PR got no reviewers/assignees added...
Contributor
Author
Probably because there are no maintainers for this area. It is excluded from Line 4412 in e301062
The protected storage credentials backend only uses the PSA Protected Storage API (psa_ps_*), which Zephyr's Secure Storage subsystem provides without TF-M. Allow selecting the backend when SECURE_STORAGE is enabled, not only with TF-M, so secure-only builds (for example nRF54L cpuapp) can persist TLS credentials across reboot instead of being limited to the volatile backend.

The backend builds storage UIDs that use the full 64-bit range (see tls_credential_get_uid()). TF-M's Protected Storage supports that natively, but Zephyr's Secure Storage defaults to a 30-bit UID, which makes psa_ps_set() reject the credential UIDs (observed as -EIO). Select SECURE_STORAGE_64_BIT_UID when using Secure Storage so the backend works.

Assisted-by: Claude:claude-opus-4.8
Signed-off-by: Pavel Vasilyev <pavel.vasilyev@nordicsemi.no>
The protected storage backend read its Table of Contents (ToC) from a
SYS_INIT hook at POST_KERNEL priority 0. With TF-M, Protected Storage is
provided by the secure domain and is available that early, so this
worked. Without TF-M the backend is layered on Zephyr's Secure Storage,
and the ToC read then runs far too early in the boot sequence:
- The RRAM/MRAM (non-volatile memory) flash drivers initialize at
POST_KERNEL, KERNEL_INIT_PRIORITY_DEVICE (priority 50).
- On top of that, the Secure Storage PSA ITS settings store mounts the
settings subsystem (settings_subsys_init()) from its own SYS_INIT at
APPLICATION level.
- Only after that is psa_ps_get()/psa_ps_set() actually backed by
persistent storage.
credentials_init() at POST_KERNEL/0 therefore ran before storage was
usable: psa_ps_get() returned "does not exist", the ToC was treated as
empty, and the first credential write then overwrote the persisted ToC,
dropping all previously stored credentials across reboot.
Simply moving the SYS_INIT to APPLICATION level only swaps one fragile
ordering for another: it would have to run after Secure Storage's own
APPLICATION-level settings mount, at the same init priority, making
correctness depend on link order. That priority coupling is the wrong
way to express the dependency.
Instead, drop the boot-time SYS_INIT and load the ToC lazily on first
access:
- credentials_ensure_loaded() runs credentials_init() exactly once,
under credential_lock, and records the result in credentials_loaded.
- The public API (tls_credential_add/get/delete) calls it and returns
-EACCES if storage is still not usable, so callers get a real error
instead of silently operating on an empty ToC.
- credentials_lock() also calls it. The internal iteration API used by
the TLS handshake (credential_get(), credential_next_get(),
credential_next_tag_get()) returns a pointer / sec_tag and has no way
to report an error, so it cannot trigger or surface a failed load on
its own. Performing the load in credentials_lock() - which
sockets_tls takes before iterating - is what guarantees the ToC is
loaded for that path; the getters additionally log a warning and
return empty if it is somehow still not loaded.
The inability of the internal getter API to return an error is a
pre-existing limitation, also implemented downstreams; changing its
signature is left for a follow-up so this change stays self-contained.
Assisted-by: Claude:claude-opus-4.8
Signed-off-by: Pavel Vasilyev <pavel.vasilyev@nordicsemi.no>
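As an added illustration (not code from the PR or from Zephyr) of the lazy-load scheme the commit message above describes: a minimal C model of credentials_ensure_loaded() in which a ToC read attempted before storage is usable returns -EACCES without marking the ToC loaded, so the persisted ToC is never replaced by an empty one, and the first successful read is the only read. The storage stack is a constructed stand-in (storage_mounted, persisted_toc, storage_mount_stub() and get_init_calls() are hypothetical), and Zephyr's k_mutex is replaced by a pthread mutex.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
/* Constructed model of the storage stack: reads fail until NVM is mounted. */
static bool storage_mounted;        /* hypothetical flag set once NVM is usable */
static unsigned persisted_toc = 3;  /* constructed: ToC entries already on flash */

/* Lazy-load state named in the commit message, plus the in-memory ToC. */
static pthread_mutex_t credential_lock = PTHREAD_MUTEX_INITIALIZER;
static bool credentials_loaded;
static unsigned toc_entries;
static int init_calls;              /* how often the ToC was actually read */

/* Stand-in for the ToC read; "storage not usable" is reported as -EACCES. */
static int credentials_init(void)
{
    init_calls++;
    if (!storage_mounted) {
        return -EACCES;
    }
    toc_entries = persisted_toc;
    return 0;
}

/* Load the ToC exactly once. A failed attempt leaves credentials_loaded false,
 * so the next caller retries rather than caching an empty ToC over the real one. */
int credentials_ensure_loaded(void)
{
    int ret = 0;
    pthread_mutex_lock(&credential_lock);
    if (!credentials_loaded) {
        ret = credentials_init();
        credentials_loaded = (ret == 0);
    }
    pthread_mutex_unlock(&credential_lock);
    return ret;
}

/* Public-API shape: callers get -EACCES while storage is unusable. */
int tls_credential_count(unsigned *count)
{
    int ret = credentials_ensure_loaded();
    if (ret != 0) {
        return ret;
    }
    *count = toc_entries;
    return 0;
}
void storage_mount_stub(void) { storage_mounted = true; }
int get_init_calls(void) { return init_calls; }
```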
jukkar
approved these changes
Jun 23, 2026
This PR addresses 2 issues:
SYS_INIT to lazy loading.
See corresponding commits for details.