Secure Storage
Module scope
The Secure Storage module provides target storage with APIs that support:
- Encryption.
- Authentication of stored data.
- Physical rollback protection.
- Write-once data protection.
The pal_sst.h header declares the secure storage functions.
Dependencies
Device Management Client offers secure storage for targets that do not have their own secure storage. You only need to port the Secure Storage module if you use your target's storage.
To use Device Management Client's secure storage:
- Port the following modules:
- FileSystem.
- Internal Flash.
- Entropy.
- RoT.
You do not need to port the Secure Storage module.
To use your target's secure storage:
- Port the following modules:
- Secure Storage.
- Entropy.
- RoT.
- You do not need to port the following modules:
- FileSystem.
- Internal Flash.
Prerequisites for this porting stage
The target's storage must:
- Encrypt stored data when the
PAL_SST_CONFIDENTIALITY_FLAGflag is set in thepal_SSTSetAPI. - Authenticate all stored data.
- Protect data overwrite or deletion by enforcing a write-once policy when the
PAL_SST_WRITE_ONCE_FLAGflag is set in thepal_SSTSetAPI, and return aPAL_ERR_SST_WRITE_PROTECTEDerror when thepal_SSTSetorpal_SSTDeleteAPIs are called on protected items. - Protect against physical rollback, or removal of an item (not using an API).
- Write and retrieve empty items without set values.
- Support item names that include alphanumeric values and
.,-, and_characters. You may need to add support for other characters. - Overwrite a stored item when executing the
pal_SSTSetAPI, without throwing an error, unless the item is write-once-protected. - Provide iterator APIs.
Porting result
After successfully porting the Secure Storage module, ensure that all tests pass. See the Tests section for more information.
Reference implementations
Mbed OS secure storage
PAL provides a reference implementation for Mbed OS secure storage generic functionality: pal_plat_sst_impl.c, located in Source/Port/Reference-Impl/Generic/SST/kvstore_impl/.