Document the maximum key identifier
Give it a name and explain why it was chosen.
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 2712c67..d272334 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -871,7 +871,7 @@
return( PSA_ERROR_INVALID_ARGUMENT );
/* Reject high values because the file names are reserved for the
* library's internal use. */
- if( id >= 0xffff0000 )
+ if( id >= PSA_MAX_PERSISTENT_KEY_IDENTIFIER )
return( PSA_ERROR_INVALID_ARGUMENT );
status = psa_get_key_slot( handle, &slot );
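Review bot: The check `id >= PSA_MAX_PERSISTENT_KEY_IDENTIFIER` rejects the very value the macro names as the maximum, so the name and the header's "maximum permitted persistent slot number" describe an inclusive bound while the code enforces an exclusive one. Behaviour is unchanged from the old literal and the reserved range still covers 0xFFFFFF52, but a later "correction" of the operator to `>` would quietly shrink the reserved range by one identifier. Either document the macro as the first reserved identifier, e.g. `/** First key identifier reserved for the library's internal use; valid ids are strictly below this value. */`, or keep the name, define it as `0xfffeffff` and compare with `id > PSA_MAX_PERSISTENT_KEY_IDENTIFIER`. The enclosing function starts and ends outside the hunk.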
diff --git a/library/psa_crypto_storage.h b/library/psa_crypto_storage.h
index 478daef..85881c1 100644
--- a/library/psa_crypto_storage.h
+++ b/library/psa_crypto_storage.h
@@ -44,6 +44,23 @@
* inadvertently store an obscene amount of data) */
#define PSA_CRYPTO_MAX_STORAGE_SIZE ( 30 * 1024 )
+/** The maximum permitted persistent slot number.
+ *
+ * In Mbed Crypto 0.1.0b:
+ * - Using the file backend, all key ids are ok except 0.
+ * - Using the ITS backend, all key ids are ok except 0xFFFFFF52
+ * (#PSA_CRYPTO_ITS_RANDOM_SEED_UID) for which the file contains the
+ * device's random seed (if this feature is enabled).
+ * - Only key ids from 1 to #PSA_KEY_SLOT_COUNT are actually used.
+ *
+ * Since we need to preserve the random seed, avoid using that key slot.
+ * Reserve a whole range of key slots just in case something else comes up.
+ *
+ * This limitation will probably become moot when we implement client
+ * separation for key storage.
+ */
+#define PSA_MAX_PERSISTENT_KEY_IDENTIFIER 0xffff0000
+
/**
* \brief Format key data and metadata and save to a location for given key
* slot.
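Review bot: Nothing ties `PSA_MAX_PERSISTENT_KEY_IDENTIFIER` to the seed UID it exists to protect. The comment explains that the range is reserved because 0xFFFFFF52 (`PSA_CRYPTO_ITS_RANDOM_SEED_UID`) holds the device's random seed, yet if either value changes later the reservation can stop covering the seed file without any build failure, and an application key could then be stored over it. A preprocessor guard placed where both macros are visible would make the invariant explicit: `#if PSA_CRYPTO_ITS_RANDOM_SEED_UID < PSA_MAX_PERSISTENT_KEY_IDENTIFIER`, `#error "random seed UID must lie in the reserved key id range"`, `#endif`. This assumes both expand to plain integer constants usable in `#if`; whether the seed UID macro is visible from this header cannot be told from the hunk.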