Hi,
I am looking at using the nrf5340/nrf9160 in a device. In this device, I need to have high endurance storage of some data that must be kept secret, integrity checked and replay protected. It will be approximately one hundred bytes and writes will occur regularly (every ~30 sec). Total number of writes will be easily >1million over the lifetime of the product. I am currently evaluating using FRAM for this as the data would need to survive power off. I plan to use the nrfconnect zephyr sdk. SRAM backup via coin cell is possible, but I am trying to not do this for several reasons.
I have determined that the following options are available:
1. Do everything myself, storing a key in the zephyr NVS. This isn't all that secure, and I will still need a monotonic counter (nonce) to provide replay protection; am unsure where to store this nonce as I will quickly wear out internal flash I believe.
2. Use the TF-M Crypto implementation to store keys/perform the encryption, but otherwise write the data to the FRAM myself. This still requires that I store a nonce somewhere as far as I can tell.
3. Use the TF-M Protected Storage APIs (I don't believe I can use the Internal Protected Storage API as this will wear out the flash). As far as I can tell this handles the replay protection and nonce storage, but I cannot work out how to have this write to a specific storage medium like an I2C FRAM. Is there any information available on this?
4. Similar to 3, but using a fairly large NOR flash so that the writes are leveled across a large number of pages. But I am still unsure how to tie the PS APIs to a storage backend.
I would really prefer to go with option 3.
Could you please help me understand if there is some recommended way to store nonces on these devices and/or how I can add a storage backend to the TF-M PS API?
Thanks.
