From 02ac4444465fdd8c60244a5af13a7ae824b6fff7 Mon Sep 17 00:00:00 2001 From: Jordan Yates Date: Wed, 26 Feb 2025 09:37:14 +1000 Subject: [PATCH 1/4] fs: nvs: move `FLASH_PAGE_LAYOUT` to `depends on` `FLASH_PAGE_LAYOUT` has a hardware dependency on `FLASH_HAS_PAGE_LAYOUT` which is not present for all boards. Forcing this symbol to `y` when the hardware doesn't support it results in build errors at the Kconfig stage. `FLASH_PAGE_LAYOUT` is enabled by default when `FLASH_HAS_PAGE_LAYOUT` is true, so this change will not require any user changes. Signed-off-by: Jordan Yates --- subsys/fs/nvs/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/subsys/fs/nvs/Kconfig b/subsys/fs/nvs/Kconfig index 208be140f221..48915c2f048e 100644 --- a/subsys/fs/nvs/Kconfig +++ b/subsys/fs/nvs/Kconfig @@ -6,8 +6,8 @@ config NVS bool "Non-volatile Storage" depends on FLASH + depends on FLASH_PAGE_LAYOUT select CRC - select FLASH_PAGE_LAYOUT help Enable support of Non-volatile Storage. From 3b4e2fbc925b9d2154c21f0421d7808e165866cf Mon Sep 17 00:00:00 2001 From: Jordan Yates Date: Sat, 22 Feb 2025 21:47:00 +1000 Subject: [PATCH 2/4] secure_storage: remove incorrect `imply` symbols `SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS` does not use either the `FLASH_MAP` or `NVS` APIs, only `SETTINGS`. Similarly, `SECURE_STORAGE_ITS_STORE_MODULE` does not consist of any code itself and therefore should not select or imply any options. Signed-off-by: Jordan Yates --- subsys/secure_storage/Kconfig | 1 - subsys/secure_storage/Kconfig.its_store | 2 -- 2 files changed, 3 deletions(-) diff --git a/subsys/secure_storage/Kconfig b/subsys/secure_storage/Kconfig index 11e78a7dbd2c..86c589e81a4f 100644 --- a/subsys/secure_storage/Kconfig +++ b/subsys/secure_storage/Kconfig 
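Review bot: The `help` text of `NVS` still reads only "Enable support of Non-volatile Storage", so after the switch to `depends on FLASH_PAGE_LAYOUT` a user whose flash driver lacks page-layout support sees the option disappear from the menu with no explanation. I would add a help line such as `Requires a flash driver that provides the page layout API (FLASH_PAGE_LAYOUT).`. Any symbol elsewhere in the tree that still uses `select NVS` would bypass the new dependency and produce an unmet-dependency warning on such hardware; none is visible in this hunk, so that deserves a grep before merging. The `config NVS` entry continues past the end of the hunk.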
@@ -65,7 +65,6 @@ endif menuconfig SECURE_STORAGE_ITS_STORE_MODULE bool "ITS store module" - imply FLASH # for FLASH_HAS_DRIVER_ENABLED help The module that handles the storage/retrieval of the ITS data to/from NVM. Zephyr's ITS implementation calls into it. diff --git a/subsys/secure_storage/Kconfig.its_store b/subsys/secure_storage/Kconfig.its_store index 05ebf72ca8f6..3370acdf6f4e 100644 --- a/subsys/secure_storage/Kconfig.its_store +++ b/subsys/secure_storage/Kconfig.its_store @@ -31,8 +31,6 @@ config SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS && $(dt_node_has_compat,$(dt_node_parent,$(DT_SETTINGS_PARTITIION)),fixed-partitions))\ || ($(dt_path_enabled,$(DT_STORAGE_PARTITION)) \ && $(dt_node_has_compat,$(dt_node_parent,$(DT_STORAGE_PARTITION)),fixed-partitions))) - imply FLASH_MAP - imply NVS select SETTINGS config SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_NONE From 57623bca9a803560cb0c51768edf1c0590b1e789 Mon Sep 17 00:00:00 2001 From: Jordan Yates Date: Sat, 22 Feb 2025 21:48:57 +1000 Subject: [PATCH 3/4] secure_storage: swap `select` to `depends on` Mixing `select` and `depends on` is a common source of Kconfig dependency loops and should be avoided. Both `ZMS` and `SETTINGS` are more commonly used with `depends on` rather than `select`. The usage here also contradicts the Zephyr best practices guide for `select`: * Avoid selecting symbols with prompts or dependencies. Prefer depends on. Signed-off-by: Jordan Yates --- doc/releases/migration-guide-4.1.rst | 9 +++++++++ subsys/secure_storage/Kconfig.its_store | 4 ++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/doc/releases/migration-guide-4.1.rst b/doc/releases/migration-guide-4.1.rst index 836d20d79b57..848b6d502558 100644 --- a/doc/releases/migration-guide-4.1.rst +++ b/doc/releases/migration-guide-4.1.rst 
@@ -677,6 +677,15 @@ LoRa additional ``user_data`` parameter, which is a void pointer. This parameter can be used to reference any user-defined data structure. To maintain the current behavior, set this parameter to ``NULL``. +Secure Storage +============== + +* Store backends no longer automatically enable their dependencies through ``select`` or ``imply``. + Users must ensure that the depencies are enabled in their applications. + :kconfig:option:`CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS` previously enabled NVS + and settings, which means the NVS settings backend would get used by default if ZMS wasn't + enabled. (:github:`86181`) + Stream Flash ============ diff --git a/subsys/secure_storage/Kconfig.its_store b/subsys/secure_storage/Kconfig.its_store index 3370acdf6f4e..5cf1512caf68 100644 --- a/subsys/secure_storage/Kconfig.its_store +++ b/subsys/secure_storage/Kconfig.its_store @@ -14,7 +14,7 @@ config SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_ZMS depends on FLASH_HAS_DRIVER_ENABLED \ && $(dt_path_enabled,$(DT_ITS_PARTITION)) \ && $(dt_node_has_compat,$(dt_node_parent,$(DT_ITS_PARTITION)),fixed-partitions) - select ZMS + depends on ZMS help This implementation of the ITS store module makes direct use of ZMS for storage. It needs a `secure_storage_its_partition` devicetree chosen property that points @@ -31,7 +31,7 @@ config SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS && $(dt_node_has_compat,$(dt_node_parent,$(DT_SETTINGS_PARTITIION)),fixed-partitions))\ || ($(dt_path_enabled,$(DT_STORAGE_PARTITION)) \ && $(dt_node_has_compat,$(dt_node_parent,$(DT_STORAGE_PARTITION)),fixed-partitions))) - select SETTINGS + depends on SETTINGS config SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_NONE bool "No ITS store module implementation" From 863e1910dff025939441612d35a4121bb6eb776d Mon Sep 17 00:00:00 2001 
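Review bot: With `depends on ZMS` here (and `depends on SETTINGS` in the second hunk of this file), a configuration that does not set those symbols no longer gets either backend, and nothing in the Kconfig text tells the user which symbols to set. The next entry visible in the context is `SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_NONE`; if these symbols are members of a choice, which the hunks do not show, an application upgraded without config changes could end up with no ITS store instead of a build error. I would state the requirement in each backend's help text, for example `Requires CONFIG_ZMS=y.` for this one. The migration-guide entry should also list the symbols that patch 4 adds to the overlays (`CONFIG_SETTINGS`, `CONFIG_SETTINGS_NVS`, `CONFIG_NVS`, `CONFIG_FLASH`, `CONFIG_FLASH_MAP`). Both config entries start outside their hunks.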
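Review bot: The context line just above the changed `depends on SETTINGS` expands `$(DT_SETTINGS_PARTITIION)`, spelled with a doubled `I`. If the variable is defined as `DT_SETTINGS_PARTITION` (its definition is outside the hunk, so this is unconfirmed), the misspelled name would presumably expand to an empty string. The settings-partition branch of the `depends on` expression could then never be satisfied, leaving only the storage-partition branch. Since this patch already touches the entry, it is a good place to check the spelling against the definition and correct it to `$(DT_SETTINGS_PARTITION)` if they differ.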
From: Jordan Yates Date: Mon, 24 Feb 2025 20:20:12 +1000 Subject: [PATCH 4/4] tests: secure_storage: add dependencies Now that `SECURE_STORAGE` does not `select` dependencies, they need to be enabled explicitly by the tests. Signed-off-by: Jordan Yates --- samples/psa/its/overlay-secure_storage.conf | 6 ++++++ samples/psa/persistent_key/overlay-secure_storage.conf | 6 ++++++ .../secure_storage/psa/crypto/overlay-secure_storage.conf | 6 ++++++ ...erlay-store_default.conf => overlay-store_settings.conf} | 5 +++++ tests/subsys/secure_storage/psa/its/overlay-store_zms.conf | 3 +++ tests/subsys/secure_storage/psa/its/testcase.yaml | 6 +++--- 6 files changed, 29 insertions(+), 3 deletions(-) rename tests/subsys/secure_storage/psa/its/{overlay-store_default.conf => overlay-store_settings.conf} (77%) create mode 100644 tests/subsys/secure_storage/psa/its/overlay-store_zms.conf diff --git a/samples/psa/its/overlay-secure_storage.conf b/samples/psa/its/overlay-secure_storage.conf index 3473ae389101..9265b38ccc7c 100644 --- a/samples/psa/its/overlay-secure_storage.conf +++ b/samples/psa/its/overlay-secure_storage.conf @@ -8,3 +8,9 @@ CONFIG_MBEDTLS_PSA_CRYPTO_C=y CONFIG_MAIN_STACK_SIZE=3072 CONFIG_SECURE_STORAGE=y +CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS=y +CONFIG_SETTINGS=y +CONFIG_SETTINGS_NVS=y +CONFIG_NVS=y +CONFIG_FLASH=y +CONFIG_FLASH_MAP=y diff --git a/samples/psa/persistent_key/overlay-secure_storage.conf b/samples/psa/persistent_key/overlay-secure_storage.conf index 3473ae389101..9265b38ccc7c 100644 --- a/samples/psa/persistent_key/overlay-secure_storage.conf +++ b/samples/psa/persistent_key/overlay-secure_storage.conf @@ -8,3 +8,9 @@ CONFIG_MBEDTLS_PSA_CRYPTO_C=y CONFIG_MAIN_STACK_SIZE=3072 CONFIG_SECURE_STORAGE=y +CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS=y +CONFIG_SETTINGS=y +CONFIG_SETTINGS_NVS=y +CONFIG_NVS=y +CONFIG_FLASH=y +CONFIG_FLASH_MAP=y 
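Review bot: The six lines added to `samples/psa/its/overlay-secure_storage.conf` carry no comment saying that they are the ITS store backend and its dependencies, which matters in a sample that users copy into their own projects. A heading such as `# ITS store: settings backend on NVS; dependencies are no longer enabled by Kconfig` above `CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS=y` would make that explicit. The same uncommented block is added to `samples/psa/persistent_key/overlay-secure_storage.conf` and to the two test overlays later in this patch. Pinning the settings store here also appears to mean the samples no longer follow whatever backend a board would get by default; the commit message does not say whether that is intended.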
diff --git a/tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf b/tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf index ed84c3043288..b67ceff8969b 100644 --- a/tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf +++ b/tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf @@ -12,3 +12,9 @@ CONFIG_MBEDTLS_PSA_CRYPTO_C=y CONFIG_SECURE_STORAGE=y # For testing isolation between the different callers of the ITS. CONFIG_SECURE_STORAGE_PS_IMPLEMENTATION_ITS=y +CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS=y +CONFIG_SETTINGS=y +CONFIG_SETTINGS_NVS=y +CONFIG_NVS=y +CONFIG_FLASH=y +CONFIG_FLASH_MAP=y diff --git a/tests/subsys/secure_storage/psa/its/overlay-store_default.conf b/tests/subsys/secure_storage/psa/its/overlay-store_settings.conf similarity index 77% rename from tests/subsys/secure_storage/psa/its/overlay-store_default.conf rename to tests/subsys/secure_storage/psa/its/overlay-store_settings.conf index e6604bc94b01..b0a2cd493f9d 100644 --- a/tests/subsys/secure_storage/psa/its/overlay-store_default.conf +++ b/tests/subsys/secure_storage/psa/its/overlay-store_settings.conf @@ -1,4 +1,9 @@ CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS=y +CONFIG_SETTINGS=y +CONFIG_SETTINGS_NVS=y +CONFIG_NVS=y +CONFIG_FLASH=y +CONFIG_FLASH_MAP=y # 256 - flags (1) - CONFIG_SECURE_STORAGE_ITS_TRANSFORM_OUTPUT_OVERHEAD (28) CONFIG_SECURE_STORAGE_ITS_MAX_DATA_SIZE=227 diff --git a/tests/subsys/secure_storage/psa/its/overlay-store_zms.conf b/tests/subsys/secure_storage/psa/its/overlay-store_zms.conf new file mode 100644 index 000000000000..7efe611bc0a4 --- /dev/null +++ b/tests/subsys/secure_storage/psa/its/overlay-store_zms.conf @@ -0,0 +1,3 @@ +CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_ZMS=y +CONFIG_ZMS=y +CONFIG_FLASH=y diff --git a/tests/subsys/secure_storage/psa/its/testcase.yaml b/tests/subsys/secure_storage/psa/its/testcase.yaml index bf72516e4b24..d84a14dad84d 100644 
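Review bot: In `tests/subsys/secure_storage/psa/crypto/overlay-secure_storage.conf` the added lines follow `CONFIG_SECURE_STORAGE_PS_IMPLEMENTATION_ITS=y` with no separator, so they read as if the existing comment `# For testing isolation between the different callers of the ITS.` applied to them as well. A blank line followed by a comment of their own, for example `# ITS store backend and its dependencies.`, would keep the two concerns apart.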
--- a/tests/subsys/secure_storage/psa/its/testcase.yaml +++ b/tests/subsys/secure_storage/psa/its/testcase.yaml @@ -25,17 +25,17 @@ tests: - nrf9161dk/nrf9161 extra_args: - EXTRA_DTC_OVERLAY_FILE=zms.overlay - - EXTRA_CONF_FILE=overlay-secure_storage.conf;overlay-transform_default.conf + - EXTRA_CONF_FILE=overlay-secure_storage.conf;overlay-store_zms.conf;overlay-transform_default.conf secure_storage.psa.its.secure_storage.store.settings: filter: CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS extra_args: "EXTRA_CONF_FILE=\ - overlay-secure_storage.conf;overlay-transform_default.conf;overlay-store_default.conf" + overlay-secure_storage.conf;overlay-transform_default.conf;overlay-store_settings.conf" secure_storage.psa.its.secure_storage.custom.transform: filter: CONFIG_SECURE_STORAGE and not CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_NONE extra_args: "EXTRA_CONF_FILE=\ - overlay-secure_storage.conf;overlay-transform_custom.conf;overlay-store_default.conf" + overlay-secure_storage.conf;overlay-transform_custom.conf;overlay-store_settings.conf" secure_storage.psa.its.secure_storage.custom.store: filter: CONFIG_SECURE_STORAGE