samples: crypto: persistent_key_usage: support secure storage subsystem

tomi-font · rlubos · commit 900df0379b8e · 2025-06-04T14:44:11.000+02:00
Make secure storage the default option on non-TF-M board targets.
Have test scenarios for both secure storage and trusted storage to
test both.
Reduce a bit the number of board targets in integration_platforms to
reduce CI load as some don't bring extra value when others are already
in there.

Signed-off-by: Tomi Fontanilles &lt;tomi.fontanilles@nordicsemi.no&gt;
diff --git a/samples/crypto/persistent_key_usage/CMakeLists.txt b/samples/crypto/persistent_key_usage/CMakeLists.txt
@@ -11,9 +11,6 @@ find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
 project(persistent_key)
 
 target_sources(app PRIVATE
-        src/main.c
-        )
-
-target_sources_ifdef(CONFIG_TRUSTED_STORAGE app PRIVATE
-        src/trusted_storage_init.c
-        )
+  src/main.c
+  src/init.c
+)
diff --git a/samples/crypto/persistent_key_usage/README.rst b/samples/crypto/persistent_key_usage/README.rst
@@ -1,15 +1,19 @@
 .. _crypto_persistent_key:
 
-Crypto: Persistent key storage
-##############################
+Crypto: Persistent key usage
+############################
 
 .. contents::
    :local:
    :depth: 2
 
 The persistent key sample shows how to generate a persistent key using the Platform Security Architecture (PSA) APIs.
 Persistent keys are stored in the Internal Trusted Storage (ITS) of the device and retain their value between resets.
-The ITS backend is either provided by TF-M, or the :ref:`trusted_storage_readme` library when building applications without TF-M.
+The implementation of the PSA ITS API is provided in one of the following ways, depending on your configuration:
+
+* Through TF-M using Internal Trusted Storage and Protected Storage services.
+* When building without TF-M: using either Zephyr's :ref:`secure_storage` subsystem or the :ref:`trusted_storage_readme` library.
+
 A persistent key becomes unusable when the ``psa_destroy_key`` function is called.
 
 Requirements
@@ -72,6 +76,7 @@ Dependencies
 
    * :file:`psa/crypto.h`
 
-* Builds without TF-M use the :ref:`trusted_storage_readme` library
+* Builds without TF-M use the :ref:`secure_storage` subsystem as the PSA Secure Storage API
+  provider.
 
    * The :ref:`lib_hw_unique_key` is used to encrypt the key before storing it.
diff --git a/samples/crypto/persistent_key_usage/boards/nrf52840dk_nrf52840.conf b/samples/crypto/persistent_key_usage/boards/nrf52840dk_nrf52840.conf
@@ -2,19 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
 
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
+
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
-CONFIG_SETTINGS_NVS=y
-CONFIG_TRUSTED_STORAGE=y
 
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/persistent_key_usage/boards/nrf5340dk_nrf5340_cpuapp.conf b/samples/crypto/persistent_key_usage/boards/nrf5340dk_nrf5340_cpuapp.conf
@@ -2,19 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
 
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
+
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
-CONFIG_SETTINGS_NVS=y
-CONFIG_TRUSTED_STORAGE=y
 
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/persistent_key_usage/boards/nrf54l15dk_nrf54l05_cpuapp.conf b/samples/crypto/persistent_key_usage/boards/nrf54l15dk_nrf54l05_cpuapp.conf
@@ -2,20 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CRACEN=y
 
-# Use TRUSTED_STORAGE because this is a non-TF-M board target.
-CONFIG_TRUSTED_STORAGE=y
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
 
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_ZMS=y
 CONFIG_SETTINGS=y
 
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/persistent_key_usage/boards/nrf54l15dk_nrf54l10_cpuapp.conf b/samples/crypto/persistent_key_usage/boards/nrf54l15dk_nrf54l10_cpuapp.conf
@@ -2,20 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CRACEN=y
 
-# Use TRUSTED_STORAGE because this is a non-TF-M board target.
-CONFIG_TRUSTED_STORAGE=y
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
 
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_ZMS=y
 CONFIG_SETTINGS=y
 
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/persistent_key_usage/boards/nrf54l15dk_nrf54l15_cpuapp.conf b/samples/crypto/persistent_key_usage/boards/nrf54l15dk_nrf54l15_cpuapp.conf
@@ -2,20 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CRACEN=y
 
-# Use TRUSTED_STORAGE because this is a non-TF-M board target.
-CONFIG_TRUSTED_STORAGE=y
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
 
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_ZMS=y
 CONFIG_SETTINGS=y
 
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/persistent_key_usage/boards/nrf54lm20pdk_nrf54lm20a_cpuapp.conf b/samples/crypto/persistent_key_usage/boards/nrf54lm20pdk_nrf54lm20a_cpuapp.conf
@@ -3,11 +3,12 @@
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
 
+# Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CRACEN=y
 
-# Use TRUSTED_STORAGE because this is a non-TF-M board target.
-CONFIG_TRUSTED_STORAGE=y
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
 
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
diff --git a/samples/crypto/persistent_key_usage/boards/nrf54lv10dk_nrf5454lv10a_cpuapp.conf b/samples/crypto/persistent_key_usage/boards/nrf54lv10dk_nrf5454lv10a_cpuapp.conf
@@ -2,20 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CRACEN=y
 
-# Use TRUSTED_STORAGE because this is a non-TF-M board target.
-CONFIG_TRUSTED_STORAGE=y
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
 
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_ZMS=y
 CONFIG_SETTINGS=y
 
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/persistent_key_usage/boards/nrf9151dk_nrf9151.conf b/samples/crypto/persistent_key_usage/boards/nrf9151dk_nrf9151.conf
@@ -2,19 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
 
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
+
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
-CONFIG_SETTINGS_NVS=y
-CONFIG_TRUSTED_STORAGE=y
 
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/persistent_key_usage/boards/nrf9160dk_nrf9160.conf b/samples/crypto/persistent_key_usage/boards/nrf9160dk_nrf9160.conf
@@ -2,19 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
 
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
+
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
-CONFIG_SETTINGS_NVS=y
-CONFIG_TRUSTED_STORAGE=y
 
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/persistent_key_usage/boards/nrf9161dk_nrf9161.conf b/samples/crypto/persistent_key_usage/boards/nrf9161dk_nrf9161.conf
@@ -2,19 +2,19 @@
 # Copyright (c) 2024 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
+
 # Using hardware crypto accelerator
 CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
 
+# When TF-M is not in use, the Secure storage subsystem provides the PSA Secure Storage API.
+CONFIG_SECURE_STORAGE=y
+
 CONFIG_FLASH=y
 CONFIG_FLASH_PAGE_LAYOUT=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
-CONFIG_SETTINGS_NVS=y
-CONFIG_TRUSTED_STORAGE=y
 
-# Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/persistent_key_usage/sample.yaml b/samples/crypto/persistent_key_usage/sample.yaml
@@ -1,67 +1,73 @@
 sample:
   description: |
-    This app provides an example of using peristent keys with the
-    PSA APIs. A random AES persistent key is generated and imported
-    to the PSA keystore.
-  name: Persistent key example
+    This sample provides an example of using persistent keys with the
+    PSA Crypto API. A random AES persistent key is generated and used.
+  name: Persistent key usage
+
+common:
+  sysbuild: true
+  tags:
+    - introduction
+    - psa
+    - sysbuild
+    - ci_samples_crypto
+  harness: console
+  harness_config:
+    type: multi_line
+    regex:
+      - ".*Example finished successfully!.*"
+
 tests:
-  sample.persistent_key_usage.cc3xx:
-    sysbuild: true
+  sample.persistent_key_usage.tf-m:
     tags:
-      - introduction
-      - psa
-      - cc3xx
-      - sysbuild
-      - ci_samples_crypto
+      - ci_samples_tfm
     platform_allow:
       - nrf5340dk/nrf5340/cpuapp/ns
-      - nrf5340dk/nrf5340/cpuapp
+      - nrf54l15dk/nrf54l15/cpuapp/ns
+      - nrf54l15dk/nrf54l10/cpuapp/ns
       - nrf9160dk/nrf9160/ns
-      - nrf9160dk/nrf9160
-      - nrf52840dk/nrf52840
-      - nrf9161dk/nrf9161
       - nrf9161dk/nrf9161/ns
-      - nrf9151dk/nrf9151
       - nrf9151dk/nrf9151/ns
-    harness: console
-    harness_config:
-      type: multi_line
-      regex:
-        - ".*Example finished successfully!.*"
     integration_platforms:
       - nrf5340dk/nrf5340/cpuapp/ns
+      - nrf54l15dk/nrf54l15/cpuapp/ns
+      - nrf9151dk/nrf9151/ns
+
+  sample.persistent_key_usage.secure_storage:
+    platform_allow:
+      - nrf52840dk/nrf52840
       - nrf5340dk/nrf5340/cpuapp
-      - nrf9160dk/nrf9160/ns
       - nrf9160dk/nrf9160
-      - nrf52840dk/nrf52840
       - nrf9161dk/nrf9161
-      - nrf9161dk/nrf9161/ns
       - nrf9151dk/nrf9151
-      - nrf9151dk/nrf9151/ns
-  sample.persistent_key_usage.cracen:
-    sysbuild: true
-    tags:
-      - introduction
-      - psa
-      - cracen
-      - sysbuild
-      - ci_samples_crypto
-    platform_allow:
       - nrf54l15dk/nrf54l15/cpuapp
-      - nrf54l15dk/nrf54l15/cpuapp/ns
       - nrf54lm20pdk/nrf54lm20a/cpuapp
       - nrf54l15dk/nrf54l10/cpuapp
-      - nrf54l15dk/nrf54l10/cpuapp/ns
       - nrf54l15dk/nrf54l05/cpuapp
-    harness: console
-    harness_config:
-      type: multi_line
-      regex:
-        - ".*Example finished successfully!.*"
     integration_platforms:
+      - nrf52840dk/nrf52840
+      - nrf5340dk/nrf5340/cpuapp
+      - nrf9151dk/nrf9151
+      - nrf54l15dk/nrf54l15/cpuapp
+      - nrf54lm20pdk/nrf54lm20a/cpuapp
+
+  sample.persistent_key_usage.trusted_storage:
+    extra_args:
+      - CONFIG_SECURE_STORAGE=n
+      - CONFIG_TRUSTED_STORAGE=y
+    platform_allow:
+      - nrf52840dk/nrf52840
+      - nrf5340dk/nrf5340/cpuapp
+      - nrf9160dk/nrf9160
+      - nrf9161dk/nrf9161
+      - nrf9151dk/nrf9151
       - nrf54l15dk/nrf54l15/cpuapp
-      - nrf54l15dk/nrf54l15/cpuapp/ns
       - nrf54lm20pdk/nrf54lm20a/cpuapp
       - nrf54l15dk/nrf54l10/cpuapp
-      - nrf54l15dk/nrf54l10/cpuapp/ns
       - nrf54l15dk/nrf54l05/cpuapp
+    integration_platforms:
+      - nrf52840dk/nrf52840
+      - nrf5340dk/nrf5340/cpuapp
+      - nrf9151dk/nrf9151
+      - nrf54l15dk/nrf54l15/cpuapp
+      - nrf54lm20pdk/nrf54lm20a/cpuapp
diff --git a/samples/crypto/persistent_key_usage/src/init.c b/samples/crypto/persistent_key_usage/src/init.c
diff --git a/samples/crypto/persistent_key_usage/src/init.h b/samples/crypto/persistent_key_usage/src/init.h
diff --git a/samples/crypto/persistent_key_usage/src/main.c b/samples/crypto/persistent_key_usage/src/main.c
diff --git a/samples/crypto/persistent_key_usage/src/trusted_storage_init.h b/samples/crypto/persistent_key_usage/src/trusted_storage_init.h
