psa_ps_set() fails for PSA protected storage without TF-M

Hi,

Can you provide more information about your application? Is it based on any of the existing cryptography samples?

Best regards,
Dejan

Hello Dejans,
Thank you for looking into this. It's based on the guidelines from the 2.6.0 release notes and code from samples that I copy/pasted from here and there. Since I dont find how to include an archive, I inserted the prj.conf and main.c only (there's not much else in this tryout).

Kind regards,

francis

CONFIG_GPIO=y

CONFIG_LOG=y
CONFIG_LOG_DEFAULT_LEVEL=3

# Enables MCUboot
CONFIG_BOOTLOADER_MCUBOOT=y

# implementation of the psa_ps_*()
CONFIG_PSA_PROTECTED_STORAGE=y

# implement storage without TF-M
CONFIG_TRUSTED_STORAGE=y
CONFIG_TRUSTED_STORAGE_BACKEND_AEAD=y
CONFIG_TRUSTED_STORAGE_STORAGE_BACKEND_SETTINGS=y
# dependencies for trusted storage
CONFIG_SETTINGS=y
CONFIG_SETTINGS_NVS=y
CONFIG_NVS=y
CONFIG_FLASH=y
CONFIG_FLASH_MAP=y

# PSA protected storage uses the HUK
CONFIG_HW_UNIQUE_KEY=y
CONFIG_HW_UNIQUE_KEY_RANDOM=y

CONFIG_IDENTITY_KEY=y
CONFIG_IDENTITY_KEY_RANDOM=y
CONFIG_ASSERT=y

# dependencies for trusted
CONFIG_NRF_SECURITY=y
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=16384
CONFIG_MAIN_STACK_SIZE=16384

/*
 * Copyright (c) 2016 Intel Corporation
 *
 * SPDX-License-Identifier: Apache-2.0
 */

#include <zephyr/kernel.h>
#include <zephyr/drivers/gpio.h>
#include <zephyr/logging/log.h>

#include <hw_unique_key.h>
#include <psa/crypto.h>
#ifdef CONFIG_BUILD_WITH_TFM
#include <tfm_crypto_defs.h>
#else /* CONFIG_BUILD_WITH_TFM */
#include <nrf_cc3xx_platform.h>
#endif /* CONFIG_BUILD_WITH_TFM */

#include <psa/storage_common.h>
#include <psa/protected_storage.h>

// [00:00:00.076,324] <dbg> internal_trusted_storage_settings: storage_set_object: Set object with filename ps/0000000000000001. Size: 80
// [00:00:00.076,354] <dbg> internal_trusted_aead: trusted_set: trusted_set cleanup. status -140
// [00:00:00.076,416] <dbg> internal_trusted_storage_settings: storage_remove_object: Remove object with filename: ps/0000000000000001, status -140
// Failed to store data! (-140)


/* 1000 msec = 1 sec */

/* STEP 4.4 - Change LED timing to create a new image for DFU*/
#define SLEEP_TIME_MS   200

/* The devicetree node identifier for the "led0" alias. */
#define LED0_NODE DT_ALIAS(led0)

#define TEST_STRING_1 "The quick brown fox jumps over the lazy dog"

#define APP_SUCCESS		(0)
#define APP_ERROR		(-1)
#define APP_SUCCESS_MESSAGE "Example finished successfully!"
#define APP_ERROR_MESSAGE "Example exited with error!"

LOG_MODULE_REGISTER(app, LOG_LEVEL_DBG);

/*
 * A build error on this line means your board is unsupported.
 * See the sample documentation for information on how to fix this.
 */
static const struct gpio_dt_spec led = GPIO_DT_SPEC_GET(LED0_NODE, gpios);

int crypto_init(void)
{
	psa_status_t status;

#if !defined(CONFIG_BUILD_WITH_TFM)
	int result = nrf_cc3xx_platform_init();

	if (result != NRF_CC3XX_PLATFORM_SUCCESS) {
		LOG_INF("nrf_cc3xx_platform_init returned error: %d", result);
		return APP_ERROR;
	}

	if (!hw_unique_key_are_any_written()) {
		LOG_INF("Writing random keys to KMU");
		result = hw_unique_key_write_random();
		if (result != HW_UNIQUE_KEY_SUCCESS) {
			LOG_INF("hw_unique_key_write_random returned error: %d", result);
			return APP_ERROR;
		}
		LOG_INF("Success!");

#if !defined(HUK_HAS_KMU)
		/* Reboot to allow the bootloader to load the key into CryptoCell. */
		sys_reboot(0);
#endif /* !defined(HUK_HAS_KMU) */
	}
#endif /* !defined(CONFIG_BUILD_WITH_TFM) */

	// status = psa_crypto_init();
	// if (status != PSA_SUCCESS) {
	// 	LOG_INF("psa_crypto_init returned error: %d", status);
	// 	return APP_ERROR;
	// }

	return APP_SUCCESS;
}


int main(void)
{
	int ret;

	int result = crypto_init();
	if (result != APP_SUCCESS) {
		LOG_INF(APP_ERROR_MESSAGE);
		return APP_ERROR;
	}

	if (!device_is_ready(led.port)) {
		return -1;
	}

	ret = gpio_pin_configure_dt(&led, GPIO_OUTPUT_ACTIVE);
	if (ret < 0) {
		return -1;
	}

	uint32_t flags = psa_ps_get_support();
	LOG_INF("psa_ps_get_support: %x (%d) - %x", flags, flags, PSA_STORAGE_SUPPORT_SET_EXTENDED);

	psa_status_t status = psa_ps_set(1, sizeof("HELLO"), "HELLO", PSA_STORAGE_FLAG_NONE);
	if (status != PSA_SUCCESS) {
		printk("Failed to store data! (%d)\n", status);
		return 0;
	}

	// status = psa_ps_set(2, sizeof(TEST_STRING_1), TEST_STRING_1, PSA_STORAGE_FLAG_WRITE_ONCE);
	// if (status != PSA_SUCCESS) {
	// 	printk("Failed to store data! (%d)\n", status);
	// 	return 0;
	// }

	while (1) {
		ret = gpio_pin_toggle_dt(&led);
		printk("Toggle LED");
		if (ret < 0) {
			return -1;
		}
		k_msleep(SLEEP_TIME_MS);
	}
}

Hi,

Could you specify which samples you used when you "copied/pasted from here and there"?

Could you provide more information about your application? Can you be more specific on what you try to achieve?

Best regards,
Dejan

Hello Dejan,

...what you try to achieve?
Using PSA protected storage and its API without all of TF-M PRoT.
See the bullet point "security" in https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/releases_and_maturity/releases/release-notes-2.6.0.html 
The release-notes page further points here, which I tried to follow (I did not find guiding sample): developer.nordicsemi.com/.../trusted_storage.html

...which samples you used...
I took code from below:
- As simple starting point for a main.c and MCUBoot : https://github.com/NordicDeveloperAcademy/ncs-inter/tree/main/lesson8/inter_less8_exer1_solution

- examples of using psa_ps_set() from here: github.com/.../main.c

- For initializing the HUK: https://github.com/nrfconnect/sdk-nrf/blob/363db0ee17afcc98657838fa1f1f8469b04a57a0/samples/keys/hw_unique_key/src/main.c#L51

I have removed Kconfig options/source code that I think are not completely relevant for trying to use the PSA protected storage API as described in the trusted storage library.

One needs to call settings_subsys_init()

Found sample code here: github.com/.../main.c