zephyr/subsys/secure_storage/Kconfig.its_transform

# Copyright (c) 2024 Nordic Semiconductor
# SPDX-License-Identifier: Apache-2.0

choice SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION
	prompt "ITS transform module implementation"

config SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_AEAD
	bool "ITS transform module implementation using AEAD to protect the data"
	imply HWINFO # for HWINFO_HAS_DRIVER

config SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_CUSTOM
	bool "Custom ITS transform module implementation"
	help
	  Implement the functions declared in <zephyr/secure_storage/its/transform.h>
	  and set CONFIG_SECURE_STORAGE_ITS_TRANSFORM_OUTPUT_OVERHEAD appropriately.
	  The header is made available when this Kconfig option is enabled.

endchoice # SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION

config SECURE_STORAGE_ITS_TRANSFORM_OUTPUT_OVERHEAD
	int "Overhead, in bytes, associated with the transformation of an entry's data for storage"
	range 0 1000
	# authentication tag (16) + nonce (12)
	default 28 if SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_AEAD \
		      && SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_SIZE = 12
	default -1
	help
	  This indicates how many more bytes an ITS entry's data will be once it
	  has been processed by the secure_storage_its_transform_to_store() function.

if SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_AEAD

choice SECURE_STORAGE_ITS_TRANSFORM_AEAD_SCHEME
	prompt "AEAD ITS transform module scheme"
	default SECURE_STORAGE_ITS_TRANSFORM_AEAD_SCHEME_AES_GCM
	help
	  The AEAD scheme used to encrypt and authenticate the data.

config SECURE_STORAGE_ITS_TRANSFORM_AEAD_SCHEME_AES_GCM
	bool "AES-GCM AEAD scheme"
	select PSA_WANT_KEY_TYPE_AES
	select PSA_WANT_ALG_GCM

config SECURE_STORAGE_ITS_TRANSFORM_AEAD_SCHEME_CHACHA20_POLY1305
	bool "ChaCha20-Poly1305 AEAD scheme"
	depends on SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_SIZE = 12
	select PSA_WANT_KEY_TYPE_CHACHA20
	select PSA_WANT_ALG_CHACHA20_POLY1305

config SECURE_STORAGE_ITS_TRANSFORM_AEAD_SCHEME_CUSTOM
	bool "Custom AEAD scheme"
	help
	  Implement the secure_storage_its_transform_aead_get_scheme() function
	  declared in <zephyr/secure_storage/its/transform/aead_get.h>
	  and set CONFIG_SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_SIZE appropriately.
	  The header is made available when this Kconfig option is enabled.

endchoice # SECURE_STORAGE_ITS_TRANSFORM_AEAD_SCHEME

choice SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER
	prompt "AEAD ITS transform module encryption key provider"
	default SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_DEVICE_ID_HASH if HWINFO_HAS_DRIVER
	default SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_ENTRY_UID_HASH if !HWINFO_HAS_DRIVER

config SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_DEVICE_ID_HASH
	bool "Hash of the device ID returned by the HW info API (not necessarily secure)"
	depends on HWINFO_HAS_DRIVER
	select PSA_WANT_ALG_SHA_256
	help
	  This key provider generates keys by hashing the following:
	  - the device EUI64 as returned by hwinfo_get_device_eui64() as first choice;
	  - the device ID as returned by hwinfo_get_device_uuid() as second choice.
	  In addition to the device ID, it adds the UID of the ITS entry
	  for which it is generating a key to the data hashed as a salt.
	  This is not necessarily secure as the device ID may be easily readable
	  by an attacker, not unique, and/or guessable, depending on the device.

config SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_ENTRY_UID_HASH
	bool "Hash of the ITS entry UID (not secure)"
	select PSA_WANT_ALG_SHA_256
	help
	  This key provider generates keys by hashing the UID of the ITS entry for which it is
	  generating a key. This is not secure, and only intended for functional support,
	  because the UIDs are easily guessable and even stored in clear by the store module.
	  Use a secure key provider if possible.

config SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_CUSTOM
	bool "Custom key provider"
	help
	  Implement the secure_storage_its_transform_aead_get_key() function
	  declared in <zephyr/secure_storage/its/transform/aead_get.h>.
	  The header is made available when this Kconfig option is enabled.

endchoice # SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER

config SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_SIZE
	int "AEAD ITS transform module encryption key size in bytes"
	default 32

if !SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_CUSTOM

config SECURE_STORAGE_ITS_TRANSFORM_AEAD_NO_INSECURE_KEY_WARNING
	bool "Silence the insecure ITS encryption key warnings"

endif

choice SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_PROVIDER
	prompt "AEAD ITS transform module nonce provider"

config SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_PROVIDER_DEFAULT
	bool "Default nonce provider"
	help
	  The default nonce provider generates a random number for the first nonce with
	  psa_generate_random(), then increments it for every subsequent nonce. A random
	  source that doesn't repeat values between reboots is required for this to be secure.

config SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_PROVIDER_CUSTOM
	bool "Custom nonce provider"
	help
	  Implement the secure_storage_its_transform_aead_get_nonce() function
	  declared in <zephyr/secure_storage/its/transform/aead_get.h>.
	  The header is made available when this Kconfig option is enabled.

endchoice # SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_PROVIDER

config SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_SIZE
	int "AEAD ITS transform module nonce size in bytes"
	range 4 24
	default 12
	help
	  Make sure to update CONFIG_SECURE_STORAGE_ITS_TRANSFORM_OUTPUT_OVERHEAD
	  appropriately when changing the value of this option.

endif # SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_AEAD
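
The help text of the default nonce provider requires a random source that does not repeat values between reboots. The C model below is an added example, not Zephyr's implementation: `rng_fn` is a hypothetical stand-in for psa_generate_random(), `nonce_next()` models the "random first nonce, then increment" behaviour, and the two RNGs are constructed to compare a source that repeats on every boot with one that does not.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NONCE_SIZE 12 /* default of SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_SIZE */
#define PER_BOOT 8    /* nonces issued per simulated boot (assumption) */
typedef void (*rng_fn)(uint8_t *buf, size_t len); /* stand-in for psa_generate_random() */
struct nonce_provider { uint8_t nonce[NONCE_SIZE]; bool initialized; };

/* First call draws a random nonce; each later call adds 1, carrying byte to byte. */
static void nonce_next(struct nonce_provider *p, rng_fn rng, uint8_t *out)
{
	if (!p->initialized) {
		rng(p->nonce, NONCE_SIZE);
		p->initialized = true;
	} else {
		for (size_t i = 0; i < NONCE_SIZE && ++p->nonce[i] == 0; i++) {
		} /* keep carrying while a byte wraps to 0 */
	}
	memcpy(out, p->nonce, NONCE_SIZE);
}

static uint8_t boot_count; /* constructed RNGs: one repeats on every boot, one does not */
static void rng_repeating(uint8_t *buf, size_t len) { memset(buf, 0xA5, len); }
static void rng_per_boot(uint8_t *buf, size_t len) { memset(buf, ++boot_count, len); }

/* Two simulated boots of PER_BOOT nonces each; counts boot-2 nonces already used in boot 1. */
static int reused_after_reboot(rng_fn rng)
{
	uint8_t boot1[PER_BOOT][NONCE_SIZE], cur[NONCE_SIZE];
	struct nonce_provider p1 = {0}, p2 = {0};
	int reused = 0;
	for (int i = 0; i < PER_BOOT; i++) {
		nonce_next(&p1, rng, boot1[i]);
	}
	for (int i = 0; i < PER_BOOT; i++) {
		nonce_next(&p2, rng, cur);
		for (int j = 0; j < PER_BOOT; j++) {
			reused += memcmp(cur, boot1[j], NONCE_SIZE) == 0;
		}
	}
	return reused;
}

int main(void)
{
	printf("repeating RNG: %d reused\n", reused_after_reboot(rng_repeating));
	printf("per-boot RNG:  %d reused\n", reused_after_reboot(rng_per_boot));
}
```

With the repeating source, every nonce issued after the reboot was already used before it; since the key providers above derive the same key for a given entry on every boot, such a device would encrypt under a repeated (key, nonce) pair.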