understanding of PSA and ITS

Question

Hi, I am working on storing data in the Trusted Zone using the PSA APIs. 
 I tried the Protected Storage (PS) example. When I store data using psa_ps_set() and then read the flash memory with nrfjprog , I see some data that looks encrypted (random bytes). I cannot see the original plaintext. 
 However, when I use psa_its_set() in the same example and dump the flash, I can see the raw data in plaintext.

Why does this happen?

Is encryption automatically enabled for Protected Storage (PS)?

Do I need to enable encryption for Internal Trusted Storage (ITS) separately?

I also noticed that when I use psa_ps_set() , the memory region starts from 0xFC00 , but the data is not written exactly at the beginning of that region. Could you explain how TF-M organizes storage in flash?

I want to store sensitive data (like key pairs, possibly larger than small strings) in the trusted zone. Which method should I use — psa_ps_set() or psa_its_set()are any other method ?

Could you please point me to documentation that explains how TF-M storage (ITS vs PS) works on Nordic devices? 
 Thank you.

dejans · Accepted Answer

Hi, 
 Why does this happen?

Is encryption automatically enabled for Protected Storage (PS)?

Do I need to enable encryption for Internal Trusted Storage (ITS) separately? 
 In the PSA Secure Storage API documentation, you can find the following table Note: Internal Trusted Storage has experimental support for encryption with the CONFIG_PSA_ITS_ENCRYPTED Kconfig option set. 
 I also noticed that when I use psa_ps_set() , the memory region starts from 0xFC00 , but the data is not written exactly at the beginning of that region. Could you explain how TF-M organizes storage in flash? 
 You can look at TF-M Services . There you can find information on sizing ITS and PS partitions. 
 I want to store sensitive data (like key pairs, possibly larger than small strings) in the trusted zone. Which method should I use — psa_ps_set() or psa_its_set()are any other method ? 
 Trusted Storage library interfaces provide this information The trusted storage library provides two storage interfaces for use with device-protected storage:

PSA internal trusted storage, designed to store critical data that must be placed inside internal non-volatile memory. The size of the storage available by the internal trusted storage API is expected to be limited, and therefore should be used for small, security-critical values. Examples of assets that require this kind of storage are replay protection values for external storage and keys for use by components of the PSA Root of Trust.

PSA protected storage, designed to store all other critical data that do not need to be stored inside internal non-volatile memory.

Documentation also describes when to use PSA Protected Storage . 
 Hari_haran said: Also noticed that when i trying to write hex ( #define TEST_STRING_1 0x012345 ) instead of string ( #define TEST_STRING_1 "The quick brown fox jumps over the lazy dog" ) board resets. why this happens? 
 Can you provide more details about this? What are you trying to test and how? Best regards, Dejan