understanding of PSA and ITS

Hi, I am working on storing data in the Trusted Zone using the PSA APIs.

I tried the Protected Storage (PS) example. When I store data using psa_ps_set() and then read the flash memory with nrfjprog, I see some data that looks encrypted (random bytes). I cannot see the original plaintext.

However, when I use psa_its_set() in the same example and dump the flash, I can see the raw data in plaintext.

  1. Why does this happen?

    • Is encryption automatically enabled for Protected Storage (PS)?

    • Do I need to enable encryption for Internal Trusted Storage (ITS) separately?

  2. I also noticed that when I use psa_ps_set(), the memory region starts from 0xFC00, but the data is not written exactly at the beginning of that region. Could you explain how TF-M organizes storage in flash?

  3. I want to store sensitive data (like key pairs, possibly larger than small strings) in the trusted zone. Which method should I use — psa_ps_set(), psa_its_set(), or any other method?

Could you please point me to documentation that explains how TF-M storage (ITS vs PS) works on Nordic devices?

Thank you.

  • I also noticed that when I try to write hex (#define TEST_STRING_1 0x012345) instead of a string (#define TEST_STRING_1 "The quick brown fox jumps over the lazy dog"), the board resets.
    Why does this happen?

  • Hi,

    Why does this happen?

    • Is encryption automatically enabled for Protected Storage (PS)?

    • Do I need to enable encryption for Internal Trusted Storage (ITS) separately?

    In the PSA Secure Storage API documentation, you can find the following table

    Note: Internal Trusted Storage has experimental support for encryption with the CONFIG_PSA_ITS_ENCRYPTED Kconfig option set.

    I also noticed that when I use psa_ps_set(), the memory region starts from 0xFC00, but the data is not written exactly at the beginning of that region. Could you explain how TF-M organizes storage in flash?

    You can look at TF-M Services. There you can find information on sizing ITS and PS partitions.

    I want to store sensitive data (like key pairs, possibly larger than small strings) in the trusted zone. Which method should I use — psa_ps_set(), psa_its_set(), or any other method?

    Trusted Storage library interfaces provide this information.

    The trusted storage library provides two storage interfaces for use with device-protected storage:

    • PSA internal trusted storage, designed to store critical data that must be placed inside internal non-volatile memory. The size of the storage available by the internal trusted storage API is expected to be limited, and therefore should be used for small, security-critical values. Examples of assets that require this kind of storage are replay protection values for external storage and keys for use by components of the PSA Root of Trust.

    • PSA protected storage, designed to store all other critical data that do not need to be stored inside internal non-volatile memory.

    Documentation also describes when to use PSA Protected Storage.

    Hari_haran said:
    I also noticed that when I try to write hex (#define TEST_STRING_1 0x012345) instead of a string (#define TEST_STRING_1 "The quick brown fox jumps over the lazy dog"), the board resets.
    Why does this happen?

    Can you provide more details about this? What are you trying to test and how?

    Best regards,
    Dejan

  • Hi Dejan,

    Thank you for the detailed explanation. It helped me understand the concept much better.

    I have one more doubt, I see that 

    I am using PSA ITS (psa_its_set()). My understanding is that ITS should always store in the TF-M ITS partition (tfm_its).


    Is there any scenario where psa_its_set() would use this settings_storage partition instead of the TF-M ITS partition? If yes, what configuration or Kconfig options control this behavior?

    settings_storage:
      address: 0x78000
      end_address: 0x7c000
      placement:
        align:
          start: 0x4000
        before:
        - end
      region: flash_primary
      size: 0x4000


    Is settings storage the secure partition? Because I see the keys but the value is not readable. (I used psa_its_set(), which stores the data in settings storage.)

  • Hi,

    Hari_haran said:
    Is there any scenario where psa_its_set() would use this settings_storage partition instead of the TF-M ITS partition?

    No.

    Hari_haran said:
    Is settings storage the secure partition?

    No, it is non-secure. It is allocated using CONFIG_TFM_NRF_NS_STORAGE.

    Best regards,
    Dejan
