understanding of PSA and ITS

Hi,

Why does this happen?

• Is encryption automatically enabled for Protected Storage (PS)?

• Do I need to enable encryption for Internal Trusted Storage (ITS) separately?

In the PSA Secure Storage API documentation, you can find the following table

Note: Internal Trusted Storage has experimental support for encryption with the CONFIG_PSA_ITS_ENCRYPTED Kconfig option set.

I also noticed that when I use psa_ps_set(), the memory region starts from 0xFC00, but the data is not written exactly at the beginning of that region. Could you explain how TF-M organizes storage in flash?

You can look at TF-M Services. There you can find information on sizing ITS and PS partitions.

I want to store sensitive data (like key pairs, possibly larger than small strings) in the trusted zone. Which method should I use — psa_ps_set() or psa_its_set()are any other method?

Trusted Storage library interfaces provide this information

The trusted storage library provides two storage interfaces for use with device-protected storage:

• PSA internal trusted storage, designed to store critical data that must be placed inside internal non-volatile memory. The size of the storage available by the internal trusted storage API is expected to be limited, and therefore should be used for small, security-critical values. Examples of assets that require this kind of storage are replay protection values for external storage and keys for use by components of the PSA Root of Trust.

• PSA protected storage, designed to store all other critical data that do not need to be stored inside internal non-volatile memory.

Documentation also describes when to use PSA Protected Storage.

Hari_haran said:

Also noticed that when i trying to write hex (#define TEST_STRING_1 0x012345 ) instead of string (#define TEST_STRING_1 "The quick brown fox jumps over the lazy dog")  board resets.
why this happens?

Can you provide more details about this? What are you trying to test and how?

Best regards,
Dejan

Hi Dejan,

Thank you for the detailed explanation. It helped me understand the concept much better.

i have one more doubt, i see that 

I am using PSA ITS (psa_its_set()). My understanding is that ITS should always store in the TF-M ITS partition (tfm_its).


Is there any scenario where psa_its_set() would use this settings_storage partition instead of the TF-M ITS partition? If yes, what configuration or Kconfig options control this behavior?

settings_storage:
address: 0x78000
end_address: 0x7c000
placement:
align:
start: 0x4000
before:
- end
region: flash_primary
size: 0x4000


is setting storage is the secure partition ? because i see the keys but value is not readable.(used psa_its_set() that stores the data in setting storage)

Hi Dejan,

Thank you for the detailed explanation. It helped me understand the concept much better.

i have one more doubt, i see that 

I am using PSA ITS (psa_its_set()). My understanding is that ITS should always store in the TF-M ITS partition (tfm_its).


Is there any scenario where psa_its_set() would use this settings_storage partition instead of the TF-M ITS partition? If yes, what configuration or Kconfig options control this behavior?

settings_storage:
address: 0x78000
end_address: 0x7c000
placement:
align:
start: 0x4000
before:
- end
region: flash_primary
size: 0x4000


is setting storage is the secure partition ? because i see the keys but value is not readable.(used psa_its_set() that stores the data in setting storage)

Hi,

Hari_haran said:

Is there any scenario where psa_its_set() would use this settings_storage partition instead of the TF-M ITS partition?

No.

Hari_haran said:

is setting storage is the secure partition ?

No, it is non-secure. It is allocated using CONFIG_TFM_NRF_NS_STORAGE.

Best regards,
Dejan