# Copyright (c) 2024 Nordic Semiconductor
# SPDX-License-Identifier: Apache-2.0
choice SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION
prompt "ITS transform module implementation"
config SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_AEAD
bool "ITS transform module implementation using AEAD to protect the data"
imply HWINFO # for HWINFO_HAS_DRIVER
config SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_CUSTOM
bool "Custom ITS transform module implementation"
help
Implement the functions declared in <zephyr/secure_storage/its/transform.h>
and set CONFIG_SECURE_STORAGE_ITS_TRANSFORM_OUTPUT_OVERHEAD appropriately.
The header is made available when this Kconfig option is enabled.
endchoice # SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION
config SECURE_STORAGE_ITS_TRANSFORM_OUTPUT_OVERHEAD
int "Overhead, in bytes, associated with the transformation of an entry's data for storage"
range 0 1000
# authentication tag (16) + nonce (12)
default 28 if SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_AEAD \
&& SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_SIZE = 12
default -1
help
This is the number of bytes by which an ITS entry's data grows once it has been
processed by the secure_storage_its_transform_to_store() function.
if SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_AEAD
choice SECURE_STORAGE_ITS_TRANSFORM_AEAD_SCHEME
prompt "AEAD ITS transform module scheme"
default SECURE_STORAGE_ITS_TRANSFORM_AEAD_SCHEME_AES_GCM
help
The AEAD scheme used to encrypt and authenticate the data.
config SECURE_STORAGE_ITS_TRANSFORM_AEAD_SCHEME_AES_GCM
bool "AES-GCM AEAD scheme"
select PSA_WANT_KEY_TYPE_AES
select PSA_WANT_ALG_GCM
config SECURE_STORAGE_ITS_TRANSFORM_AEAD_SCHEME_CHACHA20_POLY1305
bool "ChaCha20-Poly1305 AEAD scheme"
depends on SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_SIZE = 12
select PSA_WANT_KEY_TYPE_CHACHA20
select PSA_WANT_ALG_CHACHA20_POLY1305
config SECURE_STORAGE_ITS_TRANSFORM_AEAD_SCHEME_CUSTOM
bool "Custom AEAD scheme"
help
Implement the secure_storage_its_transform_aead_get_scheme() function
declared in <zephyr/secure_storage/its/transform/aead_get.h>
and set CONFIG_SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_SIZE appropriately.
The header is made available when this Kconfig option is enabled.
endchoice # SECURE_STORAGE_ITS_TRANSFORM_AEAD_SCHEME
choice SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER
prompt "AEAD ITS transform module encryption key provider"
default SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_DEVICE_ID_HASH if HWINFO_HAS_DRIVER
default SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_ENTRY_UID_HASH if !HWINFO_HAS_DRIVER
config SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_DEVICE_ID_HASH
bool "Hash of the device ID returned by the HW info API (not necessarily secure)"
depends on HWINFO_HAS_DRIVER
select PSA_WANT_ALG_SHA_256
help
This key provider generates keys by hashing the following:
- the device EUI64 as returned by hwinfo_get_device_eui64() as first choice;
- the device ID as returned by hwinfo_get_device_uuid() as second choice.
In addition to the device ID, the UID of the ITS entry for which the key is being
generated is included in the hashed data as a salt. This separates the keys of
different entries but adds no secret material, since the UIDs are stored in clear by the store module.
This is not necessarily secure as the device ID may be easily readable
by an attacker, not unique, and/or guessable, depending on the device.
config SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_ENTRY_UID_HASH
bool "Hash of the ITS entry UID (not secure)"
select PSA_WANT_ALG_SHA_256
help
This key provider generates keys by hashing the UID of the ITS entry for which it is
generating a key. This is not secure, and only intended for functional support,
because the UIDs are easily guessable and even stored in clear by the store module.
Use a secure key provider if possible.
config SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_CUSTOM
bool "Custom key provider"
help
Implement the secure_storage_its_transform_aead_get_key() function
declared in <zephyr/secure_storage/its/transform/aead_get.h>.
The header is made available when this Kconfig option is enabled.
endchoice # SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER
config SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_SIZE
int "AEAD ITS transform module encryption key size in bytes"
default 32
if !SECURE_STORAGE_ITS_TRANSFORM_AEAD_KEY_PROVIDER_CUSTOM
config SECURE_STORAGE_ITS_TRANSFORM_AEAD_NO_INSECURE_KEY_WARNING
bool "Silence the insecure ITS encryption key warnings"
endif
choice SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_PROVIDER
prompt "AEAD ITS transform module nonce provider"
config SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_PROVIDER_DEFAULT
bool "Default nonce provider"
help
The default nonce provider generates a random number for the first nonce with
psa_generate_random(), then increments it for every subsequent nonce. A random
source that does not repeat values across reboots is required for this to be secure,
because a nonce reused with the same key breaks the AEAD scheme's confidentiality
and integrity guarantees.
config SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_PROVIDER_CUSTOM
bool "Custom nonce provider"
help
Implement the secure_storage_its_transform_aead_get_nonce() function
declared in <zephyr/secure_storage/its/transform/aead_get.h>.
The header is made available when this Kconfig option is enabled.
endchoice # SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_PROVIDER
config SECURE_STORAGE_ITS_TRANSFORM_AEAD_NONCE_SIZE
int "AEAD ITS transform module nonce size in bytes"
range 4 24
default 12
help
The default value of CONFIG_SECURE_STORAGE_ITS_TRANSFORM_OUTPUT_OVERHEAD only
accounts for a 12-byte nonce, so make sure to update it appropriately when changing
the value of this option.
endif # SECURE_STORAGE_ITS_TRANSFORM_IMPLEMENTATION_AEAD