ITS: Add support for encrypted ITS
-Adds encryption and authentication support for ITS files
-Encryption is optional and is enabled using a CMake variable
-The encryption implementation is platform dependent,
the signatures of the APIs are provided in this change
Change-Id: Ifd3a67ac2274fa8d7ceec19482f7cec01b2cac54
Signed-off-by: Markus Swarowsky <markus.swarowsky@nordicsemi.no>
diff --git a/config/config_base.cmake b/config/config_base.cmake
index 3dbf3da..c414bbf 100755
--- a/config/config_base.cmake
+++ b/config/config_base.cmake
@@ -126,6 +126,7 @@
set(PS_CRYPTO_AEAD_ALG PSA_ALG_GCM CACHE STRING "The AEAD algorithm to use for authenticated encryption in Protected Storage")
set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE OFF CACHE BOOL "Enable Internal Trusted Storage partition")
+set(ITS_ENCRYPTION OFF CACHE BOOL "Enable authenticated encryption of ITS files using platform specific APIs")
set(TFM_PARTITION_CRYPTO OFF CACHE BOOL "Enable Crypto partition")
set(CRYPTO_TFM_BUILTIN_KEYS_DRIVER ON CACHE BOOL "Whether to allow crypto service to store builtin keys. Without this, ALL builtin keys must be stored in a platform-specific location")
diff --git a/config/config_base.h b/config/config_base.h
index d9caeb9..9879b68 100644
--- a/config/config_base.h
+++ b/config/config_base.h
@@ -192,6 +192,16 @@
#define ITS_STACK_SIZE 0x720
#endif
+/* The size of the authentication tag used when authentication/encryption of ITS files is enabled */
+#ifndef TFM_ITS_AUTH_TAG_LENGTH
+#define TFM_ITS_AUTH_TAG_LENGTH 16
+#endif
+
+/* The size of the nonce used when ITS file encryption is enabled */
+#ifndef TFM_ITS_ENC_NONCE_LENGTH
+#define TFM_ITS_ENC_NONCE_LENGTH 12
+#endif
+
/* PS Partition Configs */
/* Create flash FS if it doesn't exist for Protected Storage partition */
diff --git a/docs/design_docs/media/tfm_its_encryption.svg b/docs/design_docs/media/tfm_its_encryption.svg
new file mode 100644
index 0000000..eda6520
--- /dev/null
+++ b/docs/design_docs/media/tfm_its_encryption.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Do not edit this file with editors other than draw.io -->
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="812px" height="1161px" viewBox="-0.5 -0.5 812 1161" content="<mxfile host="app.diagrams.net" modified="2023-07-03T08:14:29.803Z" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36" etag="LbYD61K6xTuWZ91zczBV" version="21.5.0" type="device"><diagram name="Seite-1" id="-M9_qzpLJvNTTPFXTnIg">7V1bc6M4Fv41ruqeqrhA3B9znZnavtVma3vnKYVBtunG4MUk7eyvXwkkbIQwEIuLM3IeYgQWunz6ztE5R9JMu93sf0/c7fpz7MNwBhR/P9PuZgColg7QP5zySlKASVJWSeCTtEPCY/A/SBIVkvoc+HBXejCN4zANtuVEL44i6KWlNDdJ4l/lx5ZxWH7r1l3BSsKj54bV1O+Bn67zVBtYh/Q/YLBa0zerppPf2bj0YVKT3dr1419HSdr9TLtN4jjNv232tzDErUfbJf/dQ83domAJjNI2P/hx88Vzv95sf+h/PpiRu/8e3T9fkc54ccNnUuEZMEOU380yRtmiUqevpCnM/z7H9MbVLuuoa/SAbmxRb98c7qNvK/z/z389otv3kZe8btMgjmjGqIR53vljpHGK14AU7nH6Ot2EKEFFX90wWEXou4dqChOU8AKTNEB9dE1ubALfxz+/SSAqmLvIslLQ9TYOojRDgHEzM+5wXs9pnBc+y3qXJvFPeBuHMcr3LoojnMsyCEMmqdrYpP1xUeD+KIk0/u8w3sA0eUWPkLvAIED4dcCRRsGxPsKQRdJcAt1VkdWhd9EX0sEdOltr7Gw6/GhfqtVupT9ZtAGHateA43q7DVEPMrhYsC9pwkoSP0c+9Eln/loHKXzcuh6++wsRUhlGx906A9pScTXFJWU+SleyTwUb6M7NnZXfEYAG1SS9TIjRroID6Bxw6H2BQz2fCtQ6KkiXm6cg3T1lVPCE+gF+QLfcDe6gaLHbZo8qOP0JlRGPiVvO/cGTUCEUmPMX+vaxLSihjyQIuYyTdB2v4sgN7w+pNwfYYjQdnvkUx1sC1h8wTV+JOMScVYYywl3y+h/8+7lBL/8i2WUXd/vS1Su52qVukl5jsYgSFmHs/aSJDwGGy91JdO/i58SDJzCkEwHtJiuYnsIayRC31MnBksAQccRLWRbzoE9++g3z/dEj8XK5QyVhx0bxhjO4VL+kfs+uvsEkQNXGEnSgftY00f18FsXptQxXETytKa8q4JAqSiXGIZFKFb6WVMMrPLkoUACaiuuoVlUALrMPTwCCO8vsSwACZWwJ6NTCww9eztJ2GFR1AkgtRBfJaaQ0gSqrVDlV1nOEev5x/QnlUeaBd1S9C+hGbtHk+yRuZD1lPWU9ZT1lPWU9ZT1lPWU9ZT1lPWU9ZT1lPWU9B6vnRdovPvwbRn6MS854FSfWuEIqu9tCL1gG3sf3Wb0LGCOynmPXs9Yzhx1mDZ65SoQT46pzss+M45Izs8+s4sTLP0XBznLVmbpZdtXZRsVVV7jzjl11pmr0Fa1ijeF+bxU+ceSjVxRzduylnx+uh3HU00CLRk+903NABkWSUXb6aqwzNy8o+dUBI6jN3dejx0hcX+17DKCV38PGRjY+DxiI5iUQGkKi2v1FXK1gBBM3hU9RHHnwQ6fYpU/uAoYN/HRGBGYVzSdHeIWmilhf8pbZcTgtj76UOVAco9S/NBTyTDir5Uzt8u/7Cz4C1eAjgaFFZcpSbectnNXMxu+H1Qy7zGq61g+raUzIjK50Y7Xuz6v9syAw+mNBNPyefATMl6cQc9qHGQ4y9T/+dmJSdiHsSBlACDuqBsOOqhh2BOVcGV2wR3qsKocDq35XSNUD5QjNuWYb/RAp3Adprm/mGj++/ouyOvp+eBu+eD26eL+KpsoqmjZDyXmNKpRc1ViVckaG0o7bhWG5RyWRxLbzYvFFJl2g8glEKp+GxeiJYpRPBuF0ZPVPr1SXHi30vUKt4G3UerF011lxBIziaCoMMHpQ7ByzX8XO9fsmrkkkXSB7UoIQwZ6qpVgl7ILzyLN/eqTcML1lJkom7mNcAYyFJbZGN9q4F7WAO2ftiaLYbraSpPXaE0UxrL7WnhT8ON7qyz7WJpk17IlmLGd1fENX79buFt/Z7Fd4U4D5wt0F3tyPvedN1mWVhbgG/qtioXBh1Ds9BGCBlY3ArGJBGxIKoH4dUh0UWlLB+4EMVH0DWjxoOKaluYKgoTtle1gx9xsLGoYzruZd1rqbdO63q9d03WjzAtNp6NdWmUIcewD1WmvezeH8wJti+Ifubl3vNT+kPKZxgndUafFoJ5c7g3rKF95rGCBwJ1qzArLIh8GnRZHgej9X2eD4+pyibCDlonwc4M5maUdduCoE3bQW8/76QQwdsZM4wPHCKxw6KiwF4hdU16u6Z0/xhGVEN5/ATMKHVzf36BRiDM6gVls0tRZTNWPqMzOt2ZYqN8AZawMcVR1/EqaMrF+VN/Uo7onXr5yWJECbeiIbeKh0V7ieBM7I1r4L3ibJh2/aJmka9spi3IswWGqaxXjTz7RY7svZFLkyOfQoNrsbJOS+OYPtm+Nw7FXDik3zb2KVoA14IU4/wESlGcSa1atVwupxRoidfnk46xSk3t/Ko2cKFJCqrfQTjEulOJNt/wLSApMiQMtqoEDRuwFeFi+yDh9TH8Baawmw1tb5Zt5vlCsdWCJoR1cNWwzPmIPxyriBVlecBUymDiS5dAjRN4dwBdkCyEVGWl2iXmYJjLTSLbUcaXXuMoD+CdKuEqRY+lMLtsvpz7Lfwn7NpN33vtzjkmg1qJ5RwSzKmoIXTOkm+x7jOLuuz/fE3j3GyRKz7Pun7wvkblsgdyuOLZS6aXGYXAebUVPCmp7JWcbQ1tihrdHt0DpPDWbaGwf8bNvXvvNQ1JSym0bVq60ybMhgf8KFuisRB4wgYKYUs9OS8SlAm/3zLdU1XbS6dt7xUvVYqyNtGbjcJnD5NNs1M/Zo3NMcrXEy3qoeHki8nRmXVYeXL1+/3N7zkdGObt7r8XW6Wpb3wLEqks3moIvdC0McunhLZgYW96pddmVpnGPciqCl41Ypgt3ENwvgNMvYLAwjryhEMlFqXtoe9DweNS9sQzcUzsBN4217wi7w2n5pUhVMBgdLrPFEHJQa7cpv2oZPWGh4AY3r53TdibP5jjHu2gQeLAcbN5Wapu7qHOF0NDx4o8fF+3hiVC2DPdaHizEU7OJ/YlqMViErYVCVkUpj+zpv5NhgodUs1Dt3jBR7FLUjXNPsaZCYPCVn8FlneYPGIsJiPDFkdl8FLcXQEGKowOvFiCF6YrgUQ1IMDSOGOoyRyYihCRg/1fJkiEccQ0uh7tsqSCk0iBRqb72aihRqtKRLKSSlkFAp1H6MTEYK8WIZxpVCljG+FLI4rSKl0ASkkFkDuulKocYl7FIKSSkkVAq1HyNTkUJq/YJVuQita/hEv+sJVNC4noDsbk13s26xs/XFn0dAl3zjrW4Z0y4dSGdG9mlUkFHHJbtHUOv9sVVz7pSLqGvWXCFHFmUfZpz3FNyrlTe17fp8Obh3yCh2unuYDJN4B2ESBjP90LSqK2bQMAmr3gQm0XVx6ALliGyDE28yLLp4qtbAE366gPdkEA71Rx63itHX6XSgcUlHp1nab1ldstcu0PRced4hfQypGzgKPVv4C3Mdj5kxXd9fo/yVnxC31TKJN7iq9ROro8MMwzhaXaFhsqmbls3qz3gsJ+22bsSlgsPui1ekLTAjBFGQBm7IJQVUj6ustmTTtLxiRXnyN1VoglOmd0Iep8dj69nalcqJFeDF7Vu9cQjPpsH0SbDBu4qi5voJU29NGrcyNz7qMk7DV87YRCAgs5ZsnR95x12wQRP6hzBY4NrsPBeNrod/wNf57mXVS0fsmUanS4fR5OhIiXaMaj8BDqlp2ty2euop+6Q7bdzNPrtRagtDZ5UhByvdZ5i6DaU7aYalNqI13LtonouHw9F0mKQWM2SM/caVR2iAPR5Yi7U2udBecu20pmfDxVKQ8qOVVWuTs+KIp/z0Ft9u8+z6Ays/Bj0Jjro7xne62/U2aunuGNPdYdedajVZd4fdaMmV7g7p7hDp7ugwRqbi7nCmGGo7MWod6MAQULaEW7pewcagK/Ac0Kyh5EcfkIb5TgoKys3tu7t1sUodX3xzU6Q5YgmEhL1ii2k+ZoWZwYncsLmqTG/NV78ARo6sQUcWMMu6v+1UsTHsyJpiZKmERsYGY5/g5ZyM95JmEmkm6dNMojOnuescBXVQM0lxKNHZs7hmTGlKzdC5z8+6Lh+38h7cAN3NaMzB0bxzV1SLA5DejpFSlcZdw/sHyB2UAOEDxOHoWkMDpMU8pn83M2N+5o2bQd3MqiJ2gb70M+P/0s/c6sgcUDOuJuxoVpUWW8ZcnKe5S1dcjqtZVXjr7VgF/riPjsdRxYrMQz9S//1sw12lqqprN/bdg8oZgbnDJdto/xsaXxlFcAbsJ+aBRZymiBirc+iVtwXzFXSTpzB2fQHS22TCXHUHzKtWSJMnvo056K03WywMk73Z3JuWZk6hN61K5w17TqJtFmec0HMJms59EnwugdX2HNWCyPreVNtiSN1gJ/SC4u4t6m+i7wEWg6geNslWFXtkyDkVyJnasJAr1JcWmDMHwhxLT6zuJgxzjGPNOussM3SZxFjpPzyO6ftz7ON9we//Dw==</diagram></mxfile>" style="background-color: rgb(255, 255, 255);"><defs/><g><rect x="241" y="0" width="320" height="70" fill="none" stroke="none" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 35px; margin-left: 401px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: nowrap;"><font style="font-size: 45px;">ITS Encryption</font></div></div></div></foreignObject><text x="401" y="39" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">ITS Encryption</text></switch></g><rect x="151" y="80" width="240" height="40" rx="6" ry="6" fill="#f0a30a" stroke="#bd7000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 238px; height: 1px; padding-top: 100px; margin-left: 152px;"><div data-drawio-colors="color: #000000; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><font size="1"><b style="font-size: 18px;">Application</b></font></div></div></div></foreignObject><text x="271" y="104" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">Application</text></switch></g><path d="M 271 248.12 L 271 313.63" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 271 241.12 L 274.5 248.12 L 267.5 248.12 Z" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><path d="M 271 318.88 L 267.5 311.88 L 271 313.63 L 274.5 311.88 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 280px; margin-left: 271px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;"><font style="font-size: 15px;">tfm_its_crypt_file( file_id , , encrypt )</font></div></div></div></foreignObject><text x="271" y="283" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">tfm_its_crypt_file( file_id , , encrypt )</text></switch></g><path d="M 151 220 L 61 220 L 61 418.63" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 61 423.88 L 57.5 416.88 L 61 418.63 L 64.5 416.88 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><rect x="151" y="200" width="240" height="40" rx="6" ry="6" fill="#60a917" stroke="#2d7600" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 238px; height: 1px; padding-top: 220px; margin-left: 152px;"><div data-drawio-colors="color: #ffffff; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(255, 255, 255); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b><font color="#000000" style="font-size: 18px;">ITS</font></b></div></div></div></foreignObject><text x="271" y="224" fill="#ffffff" font-family="Helvetica" font-size="12px" text-anchor="middle">ITS</text></switch></g><rect x="637" y="285" width="160" height="615" fill="#999999" stroke="#666666" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 593px; margin-left: 638px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b>HAL ITS</b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><br /></div><div style="font-size: 18px;"><br /></div><div style="font-size: 18px;"><br /></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><br /></div><div style="font-size: 18px;"><font color="#000000"><b>(Vendor </b></font></div><div style="font-size: 18px;"><font color="#000000"><b>specific)</b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div><div style="font-size: 18px;"><font color="#000000"><b><br /></b></font></div></div></div></div></foreignObject><text x="717" y="596" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">HAL ITS...</text></switch></g><path d="M 399.12 320 L 514 320 L 514 321.9 L 631.59 321.9" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 392.12 320 L 399.12 316.5 L 399.12 323.5 Z" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><path d="M 636.84 321.9 L 629.84 325.4 L 631.59 321.9 L 629.84 318.4 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 317px; margin-left: 541px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;"><font style="font-size: 15px;">generate_nonce()</font></div></div></div></foreignObject><text x="541" y="321" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">generate_nonce()</text></switch></g><path d="M 351 360 L 351 400 L 514 400 L 514 401.2 L 630.63 401.23" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 635.88 401.23 L 628.88 404.73 L 630.63 401.23 L 628.88 397.73 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 397px; margin-left: 523px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;"><font style="font-size: 15px;">set_deriv_label( fid)* </font></div></div></div></foreignObject><text x="523" y="400" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">set_deriv_label( fid)* </text></switch></g><path d="M 230.92 368.12 L 230.9 521.8 L 626.63 521.78" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 230.92 361.12 L 234.42 368.12 L 227.42 368.12 Z" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><path d="M 631.88 521.78 L 624.88 525.28 L 626.63 521.78 L 624.88 518.28 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 516px; margin-left: 474px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;"><font style="font-size: 15px;">encrypt( )</font></div></div></div></foreignObject><text x="474" y="520" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">encrypt( )</text></switch></g><path d="M 311 360 L 311 460.3 L 634.63 460.28" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 639.88 460.28 L 632.88 463.78 L 634.63 460.28 L 632.88 456.78 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 459px; margin-left: 463px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;"><font style="font-size: 15px;">set_ad( )</font></div></div></div></foreignObject><text x="463" y="462" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">set_ad( )</text></switch></g><rect x="151" y="320" width="240" height="40" rx="6" ry="6" fill="#008a00" stroke="#005700" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 238px; height: 1px; padding-top: 340px; margin-left: 152px;"><div data-drawio-colors="color: #ffffff; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(255, 255, 255); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b><font color="#000000" style="font-size: 18px;">ITS crypto interface</font></b></div></div></div></foreignObject><text x="271" y="344" fill="#ffffff" font-family="Helvetica" font-size="12px" text-anchor="middle">ITS crypto interface</text></switch></g><path d="M 340.7 265.71 L 340.7 300 L 311 300 L 311 260 L 336.45 260 Z" fill="#f5f5f5" stroke="#666666" stroke-miterlimit="10" pointer-events="all"/><path d="M 336.45 260 C 336.8 261.34 336.23 262.71 334.94 263.67 L 340.7 265.84" fill="none" stroke="#666666" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 28px; height: 1px; padding-top: 280px; margin-left: 312px;"><div data-drawio-colors="color: #333333; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(51, 51, 51); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b><font style="font-size: 16px;">File</font></b></div></div></div></foreignObject><text x="326" y="284" fill="#333333" font-family="Helvetica" font-size="12px" text-anchor="middle">File</text></switch></g><path d="M 513.7 505.71 L 513.7 540 L 484 540 L 484 500 L 509.45 500 Z" fill="#e1d5e7" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><path d="M 509.45 500 C 509.8 501.34 509.23 502.71 507.94 503.67 L 513.7 505.84" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 28px; height: 1px; padding-top: 520px; margin-left: 485px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b><font style="font-size: 16px;" color="#000000">File</font></b></div></div></div></foreignObject><text x="499" y="524" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">File</text></switch></g><path d="M 61 675 L 61 980 L 144.63 980" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 149.88 980 L 142.88 983.5 L 144.63 980 L 142.88 976.5 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><path d="M 11 447 C 11 434.85 33.39 425 61 425 C 74.26 425 86.98 427.32 96.36 431.44 C 105.73 435.57 111 441.17 111 447 L 111 653 C 111 665.15 88.61 675 61 675 C 33.39 675 11 665.15 11 653 Z" fill="#1ba1e2" stroke="#006eaf" stroke-miterlimit="10" pointer-events="all"/><path d="M 111 447 C 111 459.15 88.61 469 61 469 C 33.39 469 11 459.15 11 447" fill="none" stroke="#006eaf" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 98px; height: 1px; padding-top: 569px; margin-left: 12px;"><div data-drawio-colors="color: #ffffff; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(255, 255, 255); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><font style="font-size: 18px;"><b>Flash<br /><br />Storage<br /><br /></b></font></div></div></div></foreignObject><text x="61" y="572" fill="#ffffff" font-family="Helvetica" font-size="12px" text-anchor="middle">Flash...</text></switch></g><path d="M 271 1111.88 L 271 1006.37" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 271 1118.88 L 267.5 1111.88 L 274.5 1111.88 Z" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><path d="M 271 1001.12 L 274.5 1008.12 L 271 1006.37 L 267.5 1008.12 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 1030px; margin-left: 271px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;"><font style="font-size: 15px;"><font style="font-size: 15px;">tfm_its_get</font>()</font></div></div></div></foreignObject><text x="271" y="1033" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">tfm_its_get()</text></switch></g><rect x="151" y="1120" width="240" height="40" rx="6" ry="6" fill="#f0a30a" stroke="#bd7000" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 238px; height: 1px; padding-top: 1140px; margin-left: 152px;"><div data-drawio-colors="color: #000000; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><font size="1"><b style="font-size: 18px;">Application</b></font></div></div></div></foreignObject><text x="271" y="1144" fill="#000000" font-family="Helvetica" font-size="12px" text-anchor="middle">Application</text></switch></g><path d="M 271 960 L 271 806.37" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 271 801.12 L 274.5 808.12 L 271 806.37 L 267.5 808.12 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 833px; margin-left: 272px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;"><font style="font-size: 15px;"> tfm_its_crypt_file( file_id , , decrypt )</font></div></div></div></foreignObject><text x="272" y="836" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle"> tfm_its_crypt_file( file_id , , decrypt )</text></switch></g><rect x="151" y="960" width="240" height="40" rx="6" ry="6" fill="#60a917" stroke="#2d7600" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 238px; height: 1px; padding-top: 980px; margin-left: 152px;"><div data-drawio-colors="color: #ffffff; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(255, 255, 255); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b><font color="#000000" style="font-size: 18px;">ITS</font></b></div></div></div></foreignObject><text x="271" y="984" fill="#ffffff" font-family="Helvetica" font-size="12px" text-anchor="middle">ITS</text></switch></g><path d="M 271 760 L 271 592.5 L 630.63 592.5" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 635.88 592.5 L 628.88 596 L 630.63 592.5 L 628.88 589 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 593px; margin-left: 528px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;"><font style="font-size: 15px;">set_nonce( )</font></div></div></div></foreignObject><text x="528" y="596" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">set_nonce( )</text></switch></g><path d="M 311 760 L 311 639.9 L 630.63 639.86" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 635.88 639.86 L 628.88 643.36 L 630.63 639.86 L 628.88 636.36 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 640px; margin-left: 523px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;"><font style="font-size: 16px;">set_deriv_label( fid)* </font></div></div></div></foreignObject><text x="523" y="644" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">set_deriv_label( fid)* </text></switch></g><path d="M 351 760 L 351 679.8 L 629.67 679.83" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 634.92 679.83 L 627.92 683.33 L 629.67 679.83 L 627.92 676.33 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 681px; margin-left: 540px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;"><font style="font-size: 15px;">set_ad( )</font></div></div></div></foreignObject><text x="540" y="685" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">set_ad( )</text></switch></g><path d="M 399.12 765 L 451 765 L 628.71 764.71" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke"/><path d="M 392.12 765 L 399.12 761.5 L 399.12 768.5 Z" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><path d="M 633.96 764.7 L 626.97 768.21 L 628.71 764.71 L 626.96 761.21 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 763px; margin-left: 544px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;"><font style="font-size: 15px;">decrypt( )</font></div></div></div></foreignObject><text x="544" y="767" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">decrypt( )</text></switch></g><rect x="151" y="760" width="240" height="40" rx="6" ry="6" fill="#008a00" stroke="#005700" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 238px; height: 1px; padding-top: 780px; margin-left: 152px;"><div data-drawio-colors="color: #ffffff; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(255, 255, 255); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;"><b><font color="#000000" style="font-size: 18px;">ITS crypto interface</font></b></div></div></div></foreignObject><text x="271" y="784" fill="#ffffff" font-family="Helvetica" font-size="12px" text-anchor="middle">ITS crypto interface</text></switch></g><path d="M 271 120 L 271 193.63" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="none"/><path d="M 271 198.88 L 267.5 191.88 L 271 193.63 L 274.5 191.88 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 160px; margin-left: 271px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; background-color: rgb(255, 255, 255); white-space: nowrap;"><font style="font-size: 15px;">tfm_its_set( )</font></div></div></div></foreignObject><text x="271" y="163" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">tfm_its_set( )</text></switch></g><path d="M 322.7 145.71 L 322.7 180 L 293 180 L 293 140 L 318.45 140 Z" fill="#e1d5e7" stroke="#9673a6" stroke-miterlimit="10" pointer-events="none"/><path d="M 318.45 140 C 318.8 141.34 318.23 142.71 316.94 143.67 L 322.7 145.84" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 28px; height: 1px; padding-top: 160px; margin-left: 294px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;"><b><font style="font-size: 16px;" color="#000000">File</font></b></div></div></div></foreignObject><text x="308" y="164" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">File</text></switch></g><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 312px; margin-left: 441px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: nowrap;"><font color="#0000ff" size="1"><b style="font-size: 16px;">NONCE</b></font></div></div></div></foreignObject><text x="441" y="316" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">NONCE</text></switch></g><path d="M 255.49 388.57 L 255.49 440 L 206 440 L 206 380 L 248.42 380 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="none"/><path d="M 248.42 380 C 249 382.01 248.05 384.07 245.9 385.51 L 255.49 388.76" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 48px; height: 1px; padding-top: 387px; margin-left: 207px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;"><b><font style="font-size: 16px;" color="#000000">enc<br />File</font></b></div></div></div></foreignObject><text x="231" y="399" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">enc...</text></switch></g><path d="M 176 453 L 231 421.25 L 286 453 L 231 484.75 L 176 453 Z" fill="#d5e8d4" stroke="#82b366" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 108px; height: 1px; padding-top: 453px; margin-left: 177px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;"><font color="#000000"><font style="font-size: 15px;"><b>Auth</b></font> <br /></font><font style="font-size: 16px;" color="#000000"><b>tag</b></font></div></div></div></foreignObject><text x="231" y="457" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Auth...</text></switch></g><path d="M 376.49 813.57 L 376.49 865 L 327 865 L 327 805 L 369.42 805 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="none"/><path d="M 369.42 805 C 370 807.01 369.05 809.07 366.9 810.51 L 376.49 813.76" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 48px; height: 1px; padding-top: 812px; margin-left: 328px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;"><b><font style="font-size: 16px;" color="#000000">enc<br />File</font></b></div></div></div></foreignObject><text x="352" y="824" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">enc...</text></switch></g><path d="M 297 878 L 352 846.25 L 407 878 L 352 909.75 L 297 878 Z" fill="#d5e8d4" stroke="#82b366" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 108px; height: 1px; padding-top: 878px; margin-left: 298px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;"><font color="#000000"><font style="font-size: 15px;"><b>Auth</b></font> <br /></font><font style="font-size: 16px;" color="#000000"><b>tag</b></font></div></div></div></foreignObject><text x="352" y="882" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Auth...</text></switch></g><path d="M 85.49 238.57 L 85.49 290 L 36 290 L 36 230 L 78.42 230 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="none"/><path d="M 78.42 230 C 79 232.01 78.05 234.07 75.9 235.51 L 85.49 238.76" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 48px; height: 1px; padding-top: 237px; margin-left: 37px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;"><b><font style="font-size: 16px;" color="#000000">enc<br />File</font></b></div></div></div></foreignObject><text x="61" y="249" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">enc...</text></switch></g><path d="M 6 303 L 61 271.25 L 116 303 L 61 334.75 L 6 303 Z" fill="#d5e8d4" stroke="#82b366" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 108px; height: 1px; padding-top: 303px; margin-left: 7px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;"><font color="#000000"><font style="font-size: 15px;"><b>Auth</b></font> <br /></font><font style="font-size: 16px;" color="#000000"><b>tag</b></font></div></div></div></foreignObject><text x="61" y="307" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Auth...</text></switch></g><path d="M 85.49 758.57 L 85.49 810 L 36 810 L 36 750 L 78.42 750 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="none"/><path d="M 78.42 750 C 79 752.01 78.05 754.07 75.9 755.51 L 85.49 758.76" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 48px; height: 1px; padding-top: 757px; margin-left: 37px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;"><b><font style="font-size: 16px;" color="#000000">enc<br />File</font></b></div></div></div></foreignObject><text x="61" y="769" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">enc...</text></switch></g><path d="M 6 823 L 61 791.25 L 116 823 L 61 854.75 L 6 823 Z" fill="#d5e8d4" stroke="#82b366" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 108px; height: 1px; padding-top: 823px; margin-left: 7px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;"><font color="#000000"><font style="font-size: 15px;"><b>Auth</b></font> <br /></font><font style="font-size: 16px;" color="#000000"><b>tag</b></font></div></div></div></foreignObject><text x="61" y="827" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Auth...</text></switch></g><path d="M 391 360 L 451 360 L 629.67 360.03" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="none"/><path d="M 634.92 360.03 L 627.92 363.53 L 629.67 360.03 L 627.92 356.53 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 350px; margin-left: 511px;"><div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 11px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; background-color: rgb(255, 255, 255); white-space: nowrap;"><font style="font-size: 15px;">set_nonce( )</font></div></div></div></foreignObject><text x="511" y="353" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="11px" text-anchor="middle">set_nonce( )</text></switch></g><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 350px; margin-left: 546px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: nowrap;"><font color="#0000ff" size="1"><b style="font-size: 16px;">NONCE</b></font></div></div></div></foreignObject><text x="546" y="354" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">NONCE</text></switch></g><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 595px; margin-left: 559px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: nowrap;"><font color="#0000ff" size="1"><b style="font-size: 16px;">NONCE</b></font></div></div></div></foreignObject><text x="559" y="599" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">NONCE</text></switch></g><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 400px; margin-left: 701px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: nowrap;"><font color="#000000">* will be used to derive <br />AEAD key from a<br /><div>long-term </div><div><span style="background-color: initial;">key-derivation key</span></div></font></div></div></div></foreignObject><text x="701" y="404" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">* will be used to deriv...</text></switch></g><image x="770.5" y="385.63" width="21" height="33.87" xlink:href="https://app.diagrams.net/img/lib/mscae/Key.svg" pointer-events="none"/><path d="M 546 660 L 586 660 L 606 680 L 586 700 L 546 700 L 526 680 Z" fill="#dae8fc" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 78px; height: 1px; padding-top: 680px; margin-left: 527px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;"><b style="font-size: 15px;"><font color="#000000" style="font-size: 15px;">File</font><br /><font color="#000000" style="font-size: 15px;">Meta</font></b></div></div></div></foreignObject><text x="566" y="684" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">File...</text></switch></g><path d="M 594.49 738.57 L 594.49 790 L 545 790 L 545 730 L 587.42 730 Z" fill="#f8cecc" stroke="#b85450" stroke-miterlimit="10" pointer-events="none"/><path d="M 587.42 730 C 588 732.01 587.05 734.07 584.9 735.51 L 594.49 738.76" fill="none" stroke="#b85450" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 48px; height: 1px; padding-top: 737px; margin-left: 546px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;"><b><font style="font-size: 16px;" color="#000000">enc<br />File</font></b></div></div></div></foreignObject><text x="570" y="749" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">enc...</text></switch></g><path d="M 515 803 L 570 771.25 L 625 803 L 570 834.75 L 515 803 Z" fill="#d5e8d4" stroke="#82b366" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 108px; height: 1px; padding-top: 803px; margin-left: 516px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;"><font color="#000000"><font style="font-size: 15px;"><b>Auth</b></font> <br /></font><font style="font-size: 16px;" color="#000000"><b>tag</b></font></div></div></div></foreignObject><text x="570" y="807" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Auth...</text></switch></g><path d="M 446.7 749.71 L 446.7 784 L 417 784 L 417 744 L 442.45 744 Z" fill="#e1d5e7" stroke="#9673a6" stroke-miterlimit="10" pointer-events="none"/><path d="M 442.45 744 C 442.8 745.34 442.23 746.71 440.94 747.67 L 446.7 749.84" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 28px; height: 1px; padding-top: 764px; margin-left: 418px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;"><b><font style="font-size: 16px;" color="#000000">File</font></b></div></div></div></foreignObject><text x="432" y="768" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">File</text></switch></g><path d="M 1 555 L 811 555" fill="none" stroke="rgb(0, 0, 0)" stroke-width="2" stroke-miterlimit="10" stroke-dasharray="16 16" pointer-events="none"/><path d="M 285.7 895.71 L 285.7 930 L 256 930 L 256 890 L 281.45 890 Z" fill="#e1d5e7" stroke="#9673a6" stroke-miterlimit="10" pointer-events="none"/><path d="M 281.45 890 C 281.8 891.34 281.23 892.71 279.94 893.67 L 285.7 895.84" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 28px; height: 1px; padding-top: 910px; margin-left: 257px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;"><b><font style="font-size: 16px;" color="#000000">File</font></b></div></div></div></foreignObject><text x="271" y="914" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">File</text></switch></g><path d="M 285.7 1065.71 L 285.7 1100 L 256 1100 L 256 1060 L 281.45 1060 Z" fill="#e1d5e7" stroke="#9673a6" stroke-miterlimit="10" pointer-events="none"/><path d="M 281.45 1060 C 281.8 1061.34 281.23 1062.71 279.94 1063.67 L 285.7 1065.84" fill="none" stroke="#9673a6" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 28px; height: 1px; padding-top: 1080px; margin-left: 257px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;"><b><font style="font-size: 16px;" color="#000000">File</font></b></div></div></div></foreignObject><text x="271" y="1084" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">File</text></switch></g><path d="M 466 440 L 506 440 L 526 460 L 506 480 L 466 480 L 446 460 Z" fill="#dae8fc" stroke="#6c8ebf" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 78px; height: 1px; padding-top: 460px; margin-left: 447px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;"><b style="font-size: 15px;"><font color="#000000" style="font-size: 15px;">File</font><br /><font color="#000000" style="font-size: 15px;">Meta</font></b></div></div></div></foreignObject><text x="486" y="464" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">File...</text></switch></g><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 145px; margin-left: 626px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: nowrap;"><font style="font-size: 30px;" color="#000000">Encryption</font></div></div></div></foreignObject><text x="626" y="149" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Encryption</text></switch></g><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 1015px; margin-left: 626px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: nowrap;"><font style="font-size: 30px;" color="#000000">Decryption</font></div></div></div></foreignObject><text x="626" y="1019" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">Decryption</text></switch></g><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 640px; margin-left: 706px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: nowrap;"><font color="#000000">* will be used to derive <br />AEAD key from a<br /><div>long-term </div><div><span style="background-color: initial;">key-derivation key</span></div></font></div></div></div></foreignObject><text x="706" y="644" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">* will be used to deriv...</text></switch></g><image x="775.5" y="625.63" width="21" height="33.87" xlink:href="https://app.diagrams.net/img/lib/mscae/Key.svg" pointer-events="none"/><path d="M 676.08 513.37 C 675.12 513.23 674.31 512.29 674.48 511.14 C 674.62 510.22 675.57 509.44 676.63 509.59 C 677.73 509.76 678.44 510.69 678.27 511.82 C 678.13 512.77 677.13 513.53 676.08 513.37 Z M 676.45 515.44 C 676.77 515.43 677.08 515.39 677.38 515.32 L 677.42 514.66 C 677.65 514.6 677.9 514.5 678.09 514.38 L 678.6 514.78 C 678.86 514.6 679.09 514.4 679.31 514.19 L 678.99 513.61 C 679.13 513.44 679.28 513.26 679.39 513.02 L 680.04 513.08 C 680.14 512.81 680.24 512.52 680.32 512.19 L 679.75 511.88 C 679.78 511.65 679.8 511.42 679.75 511.16 L 680.35 510.86 C 680.28 510.56 680.2 510.24 680.08 509.97 L 679.43 510.01 C 679.33 509.8 679.2 509.6 679.04 509.41 L 679.38 508.82 C 679.16 508.61 678.93 508.41 678.67 508.21 L 678.16 508.61 C 677.96 508.5 677.7 508.37 677.48 508.28 L 677.46 507.66 C 677.16 507.58 676.85 507.53 676.55 507.5 L 676.29 508.13 C 676.05 508.14 675.82 508.16 675.61 508.22 L 675.2 507.68 C 674.87 507.79 674.6 507.92 674.35 508.05 L 674.5 508.7 C 674.25 508.84 674.08 509 673.94 509.16 L 673.33 508.92 C 673.14 509.15 672.95 509.41 672.82 509.68 L 673.27 510.16 C 673.18 510.36 673.1 510.61 673.09 510.84 L 672.44 510.97 C 672.39 511.28 672.38 511.59 672.41 511.89 L 673.05 512.04 C 673.09 512.3 673.17 512.52 673.25 512.73 L 672.78 513.18 C 672.92 513.45 673.08 513.71 673.27 513.96 L 673.88 513.74 C 674.05 513.93 674.24 514.07 674.42 514.21 L 674.3 514.86 C 674.58 515.02 674.84 515.13 675.1 515.24 L 675.51 514.72 C 675.69 514.77 676 514.82 676.22 514.82 Z M 663.9 516.36 C 662.24 516.15 660.82 514.55 661.08 512.56 C 661.29 510.97 662.91 509.58 664.74 509.82 C 666.66 510.07 667.91 511.66 667.66 513.62 C 667.44 515.26 665.72 516.6 663.9 516.36 Z M 664.61 519.93 C 665.17 519.91 665.7 519.82 666.22 519.69 L 666.27 518.55 C 666.67 518.45 667.08 518.25 667.41 518.04 L 668.29 518.72 C 668.75 518.41 669.14 518.06 669.52 517.69 L 668.95 516.69 C 669.19 516.38 669.42 516.08 669.62 515.66 L 670.74 515.74 C 670.91 515.27 671.06 514.76 671.2 514.2 L 670.22 513.68 C 670.25 513.28 670.27 512.88 670.18 512.44 L 671.2 511.89 C 671.09 511.38 670.93 510.84 670.72 510.37 L 669.59 510.45 C 669.41 510.09 669.18 509.75 668.91 509.42 L 669.46 508.39 C 669.09 508.04 668.68 507.7 668.23 507.37 L 667.35 508.07 C 667.01 507.88 666.56 507.67 666.17 507.52 L 666.12 506.46 C 665.59 506.32 665.06 506.25 664.54 506.2 L 664.11 507.3 C 663.7 507.32 663.3 507.37 662.93 507.48 L 662.21 506.55 C 661.64 506.76 661.19 506.99 660.75 507.23 L 661.04 508.34 C 660.61 508.59 660.31 508.87 660.09 509.15 L 659.03 508.75 C 658.7 509.15 658.37 509.62 658.16 510.09 L 658.96 510.91 C 658.8 511.25 658.68 511.69 658.66 512.08 L 657.54 512.33 C 657.46 512.87 657.45 513.39 657.52 513.91 L 658.63 514.15 C 658.72 514.61 658.85 514.98 659.01 515.34 L 658.19 516.12 C 658.45 516.59 658.73 517.04 659.08 517.46 L 660.12 517.07 C 660.42 517.39 660.74 517.63 661.07 517.86 L 660.87 519 C 661.36 519.25 661.82 519.45 662.28 519.63 L 662.97 518.71 C 663.26 518.79 663.81 518.86 664.21 518.87 Z M 681.03 535.71 C 677.7 535.71 674.51 532.94 674.51 528.96 C 674.51 525.78 677.34 522.65 680.99 522.65 C 684.81 522.65 687.69 525.48 687.69 529.38 C 687.69 532.66 684.64 535.71 681.03 535.71 Z M 683.33 542.54 C 684.42 542.35 685.44 542.04 686.41 541.67 L 686.23 539.41 C 686.98 539.1 687.74 538.62 688.33 538.12 L 690.25 539.24 C 691.06 538.51 691.74 537.71 692.39 536.89 L 691.01 535.07 C 691.4 534.41 691.79 533.76 692.06 532.89 L 694.27 532.77 C 694.5 531.8 694.67 530.76 694.79 529.62 L 692.73 528.85 C 692.69 528.06 692.64 527.26 692.34 526.42 L 694.21 525.09 C 693.85 524.12 693.4 523.09 692.87 522.22 L 690.67 522.67 C 690.23 522.01 689.69 521.4 689.07 520.83 L 689.89 518.66 C 689.06 518.08 688.18 517.51 687.22 516.97 L 685.67 518.55 C 684.95 518.28 684.02 517.97 683.21 517.78 L 682.84 515.71 C 681.76 515.58 680.71 515.56 679.66 515.61 L 679.11 517.86 C 678.31 518.02 677.54 518.2 676.83 518.51 L 675.19 516.87 C 674.13 517.43 673.29 518 672.49 518.58 L 673.34 520.69 C 672.57 521.29 672.06 521.9 671.69 522.52 L 669.49 522 C 668.97 522.86 668.44 523.87 668.14 524.85 L 669.92 526.25 C 669.7 526.97 669.58 527.86 669.64 528.63 L 667.5 529.4 C 667.49 530.48 667.6 531.51 667.86 532.5 L 670.11 532.7 C 670.39 533.58 670.76 534.28 671.15 534.94 L 669.75 536.69 C 670.37 537.53 671.04 538.35 671.83 539.09 L 673.78 538.05 C 674.44 538.61 675.14 539.01 675.85 539.37 L 675.75 541.65 C 676.77 542.02 677.73 542.29 678.67 542.53 L 679.8 540.56 C 680.39 540.63 681.48 540.64 682.26 540.55 Z M 696.06 509.07 L 696.06 500.68 L 702.63 504.91 Z M 698.65 513.08 C 702.75 513.08 706.84 509.71 706.84 505.03 C 706.84 499.12 702.43 496.57 698.46 496.57 C 693.22 496.57 690.19 500.8 690.19 504.67 C 690.19 509.21 693.63 513.08 698.65 513.08 Z M 704.67 515.47 C 705.11 517.69 705.22 519.17 705.22 521.39 C 705.22 534.51 694.16 547.6 678.34 547.6 C 663.81 547.6 651 537.11 651 519.89 C 651 507.47 661.96 493.9 678.1 493.9 C 682.18 493.9 686.67 494.93 689.44 496.37 C 691.1 494.58 694.43 492.4 698.43 492.4 C 706.11 492.4 711 498.62 711 504.9 C 711 509.54 708.02 513.73 704.67 515.47 Z" fill="#3b8df1" stroke="none" pointer-events="none"/><path d="M 676.08 757.37 C 675.12 757.23 674.31 756.29 674.48 755.14 C 674.62 754.22 675.57 753.44 676.63 753.59 C 677.73 753.76 678.44 754.69 678.27 755.82 C 678.13 756.77 677.13 757.53 676.08 757.37 Z M 676.45 759.44 C 676.77 759.43 677.08 759.39 677.38 759.32 L 677.42 758.66 C 677.65 758.6 677.9 758.5 678.09 758.38 L 678.6 758.78 C 678.86 758.6 679.09 758.4 679.31 758.19 L 678.99 757.61 C 679.13 757.44 679.28 757.26 679.39 757.02 L 680.04 757.08 C 680.14 756.81 680.24 756.52 680.32 756.19 L 679.75 755.88 C 679.78 755.65 679.8 755.42 679.75 755.16 L 680.35 754.86 C 680.28 754.56 680.2 754.24 680.08 753.97 L 679.43 754.01 C 679.33 753.8 679.2 753.6 679.04 753.41 L 679.38 752.82 C 679.16 752.61 678.93 752.41 678.67 752.21 L 678.16 752.61 C 677.96 752.5 677.7 752.37 677.48 752.28 L 677.46 751.66 C 677.16 751.58 676.85 751.53 676.55 751.5 L 676.29 752.13 C 676.05 752.14 675.82 752.16 675.61 752.22 L 675.2 751.68 C 674.87 751.79 674.6 751.92 674.35 752.05 L 674.5 752.7 C 674.25 752.84 674.08 753 673.94 753.16 L 673.33 752.92 C 673.14 753.15 672.95 753.41 672.82 753.68 L 673.27 754.16 C 673.18 754.36 673.1 754.61 673.09 754.84 L 672.44 754.97 C 672.39 755.28 672.38 755.59 672.41 755.89 L 673.05 756.04 C 673.09 756.3 673.17 756.52 673.25 756.73 L 672.78 757.18 C 672.92 757.45 673.08 757.71 673.27 757.96 L 673.88 757.74 C 674.05 757.93 674.24 758.07 674.42 758.21 L 674.3 758.86 C 674.58 759.02 674.84 759.13 675.1 759.24 L 675.51 758.72 C 675.69 758.77 676 758.82 676.22 758.82 Z M 663.9 760.36 C 662.24 760.15 660.82 758.55 661.08 756.56 C 661.29 754.97 662.91 753.58 664.74 753.82 C 666.66 754.07 667.91 755.66 667.66 757.62 C 667.44 759.26 665.72 760.6 663.9 760.36 Z M 664.61 763.93 C 665.17 763.91 665.7 763.82 666.22 763.69 L 666.27 762.55 C 666.67 762.45 667.08 762.25 667.41 762.04 L 668.29 762.72 C 668.75 762.41 669.14 762.06 669.52 761.69 L 668.95 760.69 C 669.19 760.38 669.42 760.08 669.62 759.66 L 670.74 759.74 C 670.91 759.27 671.06 758.76 671.2 758.2 L 670.22 757.68 C 670.25 757.28 670.27 756.88 670.18 756.44 L 671.2 755.89 C 671.09 755.38 670.93 754.84 670.72 754.37 L 669.59 754.45 C 669.41 754.09 669.18 753.75 668.91 753.42 L 669.46 752.39 C 669.09 752.04 668.68 751.7 668.23 751.37 L 667.35 752.07 C 667.01 751.88 666.56 751.67 666.17 751.52 L 666.12 750.46 C 665.59 750.32 665.06 750.25 664.54 750.2 L 664.11 751.3 C 663.7 751.32 663.3 751.37 662.93 751.48 L 662.21 750.55 C 661.64 750.76 661.19 750.99 660.75 751.23 L 661.04 752.34 C 660.61 752.59 660.31 752.87 660.09 753.15 L 659.03 752.75 C 658.7 753.15 658.37 753.62 658.16 754.09 L 658.96 754.91 C 658.8 755.25 658.68 755.69 658.66 756.08 L 657.54 756.33 C 657.46 756.87 657.45 757.39 657.52 757.91 L 658.63 758.15 C 658.72 758.61 658.85 758.98 659.01 759.34 L 658.19 760.12 C 658.45 760.59 658.73 761.04 659.08 761.46 L 660.12 761.07 C 660.42 761.39 660.74 761.63 661.07 761.86 L 660.87 763 C 661.36 763.25 661.82 763.45 662.28 763.63 L 662.97 762.71 C 663.26 762.79 663.81 762.86 664.21 762.87 Z M 681.03 779.71 C 677.7 779.71 674.51 776.94 674.51 772.96 C 674.51 769.78 677.34 766.65 680.99 766.65 C 684.81 766.65 687.69 769.48 687.69 773.38 C 687.69 776.66 684.64 779.71 681.03 779.71 Z M 683.33 786.54 C 684.42 786.35 685.44 786.04 686.41 785.67 L 686.23 783.41 C 686.98 783.1 687.74 782.62 688.33 782.12 L 690.25 783.24 C 691.06 782.51 691.74 781.71 692.39 780.89 L 691.01 779.07 C 691.4 778.41 691.79 777.76 692.06 776.89 L 694.27 776.77 C 694.5 775.8 694.67 774.76 694.79 773.62 L 692.73 772.85 C 692.69 772.06 692.64 771.26 692.34 770.42 L 694.21 769.09 C 693.85 768.12 693.4 767.09 692.87 766.22 L 690.67 766.67 C 690.23 766.01 689.69 765.4 689.07 764.83 L 689.89 762.66 C 689.06 762.08 688.18 761.51 687.22 760.97 L 685.67 762.55 C 684.95 762.28 684.02 761.97 683.21 761.78 L 682.84 759.71 C 681.76 759.58 680.71 759.56 679.66 759.61 L 679.11 761.86 C 678.31 762.02 677.54 762.2 676.83 762.51 L 675.19 760.87 C 674.13 761.43 673.29 762 672.49 762.58 L 673.34 764.69 C 672.57 765.29 672.06 765.9 671.69 766.52 L 669.49 766 C 668.97 766.86 668.44 767.87 668.14 768.85 L 669.92 770.25 C 669.7 770.97 669.58 771.86 669.64 772.63 L 667.5 773.4 C 667.49 774.48 667.6 775.51 667.86 776.5 L 670.11 776.7 C 670.39 777.58 670.76 778.28 671.15 778.94 L 669.75 780.69 C 670.37 781.53 671.04 782.35 671.83 783.09 L 673.78 782.05 C 674.44 782.61 675.14 783.01 675.85 783.37 L 675.75 785.65 C 676.77 786.02 677.73 786.29 678.67 786.53 L 679.8 784.56 C 680.39 784.63 681.48 784.64 682.26 784.55 Z M 696.06 753.07 L 696.06 744.68 L 702.63 748.91 Z M 698.65 757.08 C 702.75 757.08 706.84 753.71 706.84 749.03 C 706.84 743.12 702.43 740.57 698.46 740.57 C 693.22 740.57 690.19 744.8 690.19 748.67 C 690.19 753.21 693.63 757.08 698.65 757.08 Z M 704.67 759.47 C 705.11 761.69 705.22 763.17 705.22 765.39 C 705.22 778.51 694.16 791.6 678.34 791.6 C 663.81 791.6 651 781.11 651 763.89 C 651 751.47 661.96 737.9 678.1 737.9 C 682.18 737.9 686.67 738.93 689.44 740.37 C 691.1 738.58 694.43 736.4 698.43 736.4 C 706.11 736.4 711 742.62 711 748.9 C 711 753.54 708.02 757.73 704.67 759.47 Z" fill="#3b8df1" stroke="none" pointer-events="none"/><path d="M 781.5 420 L 781.5 527 L 709.39 527.92" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="none"/><path d="M 704.14 527.99 L 711.09 524.4 L 709.39 527.92 L 711.18 531.4 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="none"/><path d="M 786.5 660 L 786.5 773 L 715.39 773" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="none"/><path d="M 710.14 773 L 717.14 769.5 L 715.39 773 L 717.14 776.5 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="none"/></g><switch><g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"/><a transform="translate(0,-5)" xlink:href="https://www.drawio.com/doc/faq/svg-export-text-problems" target="_blank"><text text-anchor="middle" font-size="10px" x="50%" y="100%">Text is not SVG - cannot display</text></a></switch></svg>
\ No newline at end of file
diff --git a/docs/design_docs/services/tfm_its_service.rst b/docs/design_docs/services/tfm_its_service.rst
index e170504..765cdba 100644
--- a/docs/design_docs/services/tfm_its_service.rst
+++ b/docs/design_docs/services/tfm_its_service.rst
@@ -84,6 +84,9 @@
- ``tfm_internal_trusted_storage.h`` - TF-M ITS API (with client_id parameter)
- ``tfm_internal_trusted_storage.c`` - TF-M ITS implementation, using the
flash_fs as a backend
+- ``its_crypto_interface.h`` - APIs for encrypting ITS assets used by ITS implementation (optional)
+- ``its_crypto_interface.c`` - Implementation for ITS encryption (optional)
+- ``platform/ext/target/.../tfm_hal_its_encryption.c`` - Platform implementation for ITS encryption HAL APIs (optional)
- ``flash_fs/`` - Filesystem
- ``flash/`` - Flash interface
@@ -280,6 +283,60 @@
to each partition but not the code. Because of these complications, this option
has not been considered further at this time.
+
+Encryption in ITS
+=================
+
+The ITS can optionally be configured to encrypt the internal trusted storage
+data.
+To support encryption in ITS the target platform must provide an
+implementation of the APIs defined in ``platform/include/tfm_hal_its_encryption.h``::
+
+ enum tfm_hal_status_t tfm_hal_its_aead_generate_nonce(uint8_t *nonce,
+ const size_t nonce_size);
+
+ enum tfm_hal_status_t tfm_hal_its_aead_encrypt(
+ struct tfm_hal_its_auth_crypt_ctx *ctx,
+ const uint8_t *plaintext,
+ const size_t plaintext_size,
+ uint8_t *ciphertext,
+ const size_t ciphertext_size,
+ uint8_t *tag,
+ const size_t tag_size);
+
+ enum tfm_hal_status_t tfm_hal_its_aead_decrypt(
+ struct tfm_hal_its_auth_crypt_ctx *ctx,
+ const uint8_t *ciphertext,
+ const size_t ciphertext_size,
+ uint8_t *tag,
+ const size_t tag_size,
+ uint8_t *plaintext,
+ const size_t plaintext_size);
+
+
+Then encryption can be enabled by setting the build option ``-DITS_ENCRYPTION=ON``.
+
+The figure :numref:`fig-tfm_eits` describes the encryption and decryption
+process happening when calling ``tfm_its_set`` and ``tfm_its_get``.
+
+.. figure:: /design_docs/media/tfm_its_encryption.*
+ :align: center
+ :name: fig-tfm_eits
+ :width: 80%
+
+ En/Decryption of ITS
+
+By using an AEAD scheme, it is possible to not only encrypt the file data but
+also authenticate the file meta data, which include:
+
+- File id
+- File size
+- File flags
+
+The key used to perform the AEAD operation must be derived from a long-term
+key-derivation key and the file id, which is used as a derivation label.
+The long-term key-derivation key must be managed by the target platform.
+
--------------
*Copyright (c) 2019-2022, Arm Limited. All rights reserved.*
diff --git a/platform/ext/target/nordic_nrf/common/core/CMakeLists.txt b/platform/ext/target/nordic_nrf/common/core/CMakeLists.txt
index 10f85ac..91d3e9b 100644
--- a/platform/ext/target/nordic_nrf/common/core/CMakeLists.txt
+++ b/platform/ext/target/nordic_nrf/common/core/CMakeLists.txt
@@ -75,6 +75,7 @@
native_drivers/spu.c
$<$<OR:$<BOOL:${TFM_S_REG_TEST}>,$<BOOL:${TFM_NS_REG_TEST}>>:${CMAKE_CURRENT_SOURCE_DIR}/plat_test.c>
$<$<BOOL:${TEST_PSA_API}>:${CMAKE_CURRENT_SOURCE_DIR}/pal_plat_test.c>
+ $<$<BOOL:${ITS_ENCRYPTION}>:${CMAKE_CURRENT_SOURCE_DIR}/tfm_hal_its_encryption.c>
)
if (NRF_HW_INIT_RESET_ON_BOOT)
diff --git a/platform/ext/target/nordic_nrf/common/core/tfm_hal_its_encryption.c b/platform/ext/target/nordic_nrf/common/core/tfm_hal_its_encryption.c
new file mode 100644
index 0000000..6e2b097
--- /dev/null
+++ b/platform/ext/target/nordic_nrf/common/core/tfm_hal_its_encryption.c
@@ -0,0 +1,264 @@
+/*
+ * Copyright (c) 2023 Nordic Semiconductor ASA.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdint.h>
+#include <string.h>
+
+
+#include "config_tfm.h"
+#include "platform/include/tfm_hal_its_encryption.h"
+#include "platform/include/tfm_hal_its.h"
+#include "platform/include/tfm_platform_system.h"
+#include "psa/crypto.h"
+
+/* The cc3xx driver is used directly in this file as the PSA Crypto service
+ * depends on ITS, so using PSA Crypto APIs would result in circular
+ * dependencies
+ */
+#include "nrf_cc3xx_platform_derived_key.h"
+#include "nrf_cc3xx_platform_kmu.h"
+#include "nrf_cc3xx_platform.h"
+
+#define ITS_ENCRYPTION_SUCCESS 0
+
+#define HUK_KMU_SLOT 2
+#define HUK_KMU_SIZE_BITS 128
+
+/* Global encryption counter which resets per boot. The counter ensures that
+ * the nonce will not be identical for consecutive file writes during the same
+ * boot.
+ */
+static uint32_t g_enc_counter;
+
+/* The global nonce seed which is fetched once in every boot. The seed is used
+ * as part of the nonce and allows the platforms to diversify their nonces
+ * across resets. Note that the way that this seed is generated is platform
+ * specific, so the diversification is optional.
+ */
+static uint8_t g_enc_nonce_seed[TFM_ITS_ENC_NONCE_LENGTH -
+ sizeof(g_enc_counter)];
+
+/* TFM_ITS_ENC_NONCE_LENGTH is configurable but this implementation expects
+ * the seed to be 8 bytes and the nonce length to be 12.
+ */
+#if TFM_ITS_ENC_NONCE_LENGTH != 12
+#error "This implementation only supports a ITS nonce of size 12"
+#endif
+
+/*
+ * This implementation doesn't use monotonic counters, but therfore a 64 bit
+ * seed combined with a counter, that gets reset on each reboot.
+ * This still has the risk of getting a collision on the seed resulting in
+ * nonce's beeing the same after a reboot.
+ * It would still need 3.3x10^9 resets to get a collision with a probability of
+ * 0.25.
+ */
+enum tfm_hal_status_t tfm_hal_its_aead_generate_nonce(uint8_t *nonce,
+ const size_t nonce_size)
+{
+ int err;
+
+ if(nonce == NULL){
+ return TFM_HAL_ERROR_INVALID_INPUT;
+ }
+
+ if(nonce_size < sizeof(g_enc_nonce_seed) + sizeof(g_enc_counter)){
+ return TFM_HAL_ERROR_INVALID_INPUT;
+ }
+
+ /* To avoid wrap-around of the g_enc_counter and subsequent re-use of the
+ * nonce we check the counter value for its max value
+ */
+ if(g_enc_counter == UINT32_MAX) {
+ return TFM_HAL_ERROR_GENERIC;
+ }
+
+ if (g_enc_counter == 0) {
+ err = nrf_cc3xx_platform_get_nonce_seed(g_enc_nonce_seed);
+ if (err != 0) {
+ return TFM_HAL_ERROR_GENERIC;
+ }
+ }
+
+ memcpy(nonce, g_enc_nonce_seed, sizeof(g_enc_nonce_seed));
+ memcpy(nonce + sizeof(g_enc_nonce_seed),
+ &g_enc_counter,
+ sizeof(g_enc_counter));
+
+ g_enc_counter++;
+
+ return TFM_HAL_SUCCESS;
+}
+
+static bool ctx_is_valid(struct tfm_hal_its_auth_crypt_ctx *ctx)
+{
+ bool ret;
+
+ if (ctx == NULL) {
+ return false;
+ }
+
+ ret = (ctx->deriv_label == NULL && ctx->deriv_label_size != 0) ||
+ (ctx->aad == NULL && ctx->add_size != 0) ||
+ (ctx->nonce == NULL && ctx->nonce_size != 0);
+
+ return !ret;
+}
+
+static enum tfm_hal_status_t tfm_hal_its_aead_init(
+ struct tfm_hal_its_auth_crypt_ctx *ctx,
+ nrf_cc3xx_platform_derived_key_ctx_t *platform_ctx,
+ uint8_t *tag,
+ size_t tag_size)
+{
+
+ int err = NRF_CC3XX_PLATFORM_ERROR_INTERNAL;
+
+
+ err = nrf_cc3xx_platform_derived_key_init(platform_ctx);
+ if (err != NRF_CC3XX_PLATFORM_SUCCESS) {
+ return TFM_HAL_ERROR_GENERIC;
+ }
+
+ err = nrf_cc3xx_platform_derived_key_set_info(platform_ctx,
+ HUK_KMU_SLOT,
+ HUK_KMU_SIZE_BITS,
+ ctx->deriv_label,
+ ctx->deriv_label_size);
+ if (err != NRF_CC3XX_PLATFORM_SUCCESS) {
+ return TFM_HAL_ERROR_INVALID_INPUT;
+ }
+
+ err = nrf_cc3xx_platform_derived_key_set_cipher(platform_ctx,
+ ALG_CHACHAPOLY_256_BIT);
+
+ if (err != NRF_CC3XX_PLATFORM_SUCCESS) {
+ return TFM_HAL_ERROR_INVALID_INPUT;
+ }
+
+ err = nrf_cc3xx_platform_derived_key_set_auth_info(platform_ctx,
+ ctx->nonce,
+ ctx->nonce_size,
+ ctx->aad,
+ ctx->add_size,
+ tag,
+ tag_size);
+ if (err != NRF_CC3XX_PLATFORM_SUCCESS) {
+ return TFM_HAL_ERROR_INVALID_INPUT;
+ }
+
+ return TFM_HAL_SUCCESS;
+}
+
+static void tfm_hal_its_aead_cleanup(
+ nrf_cc3xx_platform_derived_key_ctx_t *platform_ctx)
+{
+ if(platform_ctx != NULL){
+ memset(platform_ctx,
+ 0x0,
+ sizeof(nrf_cc3xx_platform_derived_key_ctx_t));
+ }
+}
+
+enum tfm_hal_status_t tfm_hal_its_aead_encrypt(
+ struct tfm_hal_its_auth_crypt_ctx *ctx,
+ const uint8_t *plaintext,
+ const size_t plaintext_size,
+ uint8_t *ciphertext,
+ const size_t ciphertext_size,
+ uint8_t *tag,
+ const size_t tag_size)
+{
+ nrf_cc3xx_platform_derived_key_ctx_t platform_ctx = {0};
+ enum tfm_hal_status_t err = TFM_HAL_ERROR_GENERIC;
+ int plat_err = NRF_CC3XX_PLATFORM_ERROR_INTERNAL;
+
+ if (!ctx_is_valid(ctx) || tag == NULL) {
+ return TFM_HAL_ERROR_INVALID_INPUT;
+ }
+
+ if (plaintext_size > ciphertext_size) {
+ return TFM_HAL_ERROR_INVALID_INPUT;
+ }
+
+ err = tfm_hal_its_aead_init(ctx,
+ &platform_ctx,
+ tag,
+ tag_size);
+ if (err != TFM_HAL_SUCCESS) {
+ tfm_hal_its_aead_cleanup(&platform_ctx);
+ return err;
+ }
+
+
+ plat_err = nrf_cc3xx_platform_derived_key_encrypt(&platform_ctx,
+ ciphertext,
+ plaintext_size,
+ plaintext);
+
+ tfm_hal_its_aead_cleanup(&platform_ctx);
+
+ if (plat_err != NRF_CC3XX_PLATFORM_SUCCESS) {
+ return TFM_HAL_ERROR_GENERIC;
+ }
+
+ return TFM_HAL_SUCCESS;
+}
+
+enum tfm_hal_status_t tfm_hal_its_aead_decrypt(
+ struct tfm_hal_its_auth_crypt_ctx *ctx,
+ const uint8_t *ciphertext,
+ const size_t ciphertext_size,
+ uint8_t *tag,
+ const size_t tag_size,
+ uint8_t *plaintext,
+ const size_t plaintext_size)
+{
+ nrf_cc3xx_platform_derived_key_ctx_t platform_ctx = {0};
+ enum tfm_hal_status_t err = TFM_HAL_ERROR_GENERIC;
+ int plat_err = NRF_CC3XX_PLATFORM_ERROR_INTERNAL;
+
+ if (!ctx_is_valid(ctx) || tag == NULL) {
+ return TFM_HAL_ERROR_INVALID_INPUT;
+ }
+
+ if (plaintext_size < ciphertext_size) {
+ return TFM_HAL_ERROR_INVALID_INPUT;
+ }
+
+ err = tfm_hal_its_aead_init(ctx,
+ &platform_ctx,
+ tag,
+ tag_size);
+ if (err != TFM_HAL_SUCCESS) {
+ tfm_hal_its_aead_cleanup(&platform_ctx);
+ return err;
+ }
+
+
+ plat_err = nrf_cc3xx_platform_derived_key_decrypt(&platform_ctx,
+ plaintext,
+ ciphertext_size,
+ ciphertext);
+ tfm_hal_its_aead_cleanup(&platform_ctx);
+
+ if (plat_err != NRF_CC3XX_PLATFORM_SUCCESS) {
+ return TFM_HAL_ERROR_GENERIC;
+ }
+
+ return TFM_HAL_SUCCESS;
+}
+
diff --git a/platform/ext/target/nordic_nrf/common/nrf5340/CMakeLists.txt b/platform/ext/target/nordic_nrf/common/nrf5340/CMakeLists.txt
index d6155a9..810cfd5 100644
--- a/platform/ext/target/nordic_nrf/common/nrf5340/CMakeLists.txt
+++ b/platform/ext/target/nordic_nrf/common/nrf5340/CMakeLists.txt
@@ -48,6 +48,7 @@
target_compile_definitions(platform_s
PUBLIC
NRF_SKIP_FICR_NS_COPY_TO_RAM
+ $<$<BOOL:${ITS_ENCRYPTION}>:ITS_ENCRYPTION>
)
#========================= Platform Non-Secure ================================#
diff --git a/platform/ext/target/nordic_nrf/common/nrf91/CMakeLists.txt b/platform/ext/target/nordic_nrf/common/nrf91/CMakeLists.txt
index 5455ab1..15ef870 100644
--- a/platform/ext/target/nordic_nrf/common/nrf91/CMakeLists.txt
+++ b/platform/ext/target/nordic_nrf/common/nrf91/CMakeLists.txt
@@ -48,6 +48,7 @@
target_compile_definitions(platform_s
PUBLIC
NRF_SKIP_FICR_NS_COPY_TO_RAM
+ $<$<BOOL:${ITS_ENCRYPTION}>:ITS_ENCRYPTION>
)
#========================= Platform Non-Secure ================================#
diff --git a/platform/include/tfm_hal_its_encryption.h b/platform/include/tfm_hal_its_encryption.h
new file mode 100644
index 0000000..0229382
--- /dev/null
+++ b/platform/include/tfm_hal_its_encryption.h
@@ -0,0 +1,128 @@
+/*
+ * Copyright (c) 2020, Cypress Semiconductor Corporation. All rights reserved.
+ * Copyright (c) 2020-2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#ifndef __TFM_HAL_ITS_ENCRYPTION_H__
+#define __TFM_HAL_ITS_ENCRYPTION_H__
+
+#include <stddef.h>
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+/**
+ * \brief Struct containing information required from the platform to perform
+ * encryption/decryption of ITS files.
+ */
+struct tfm_hal_its_auth_crypt_ctx {
+ uint8_t *deriv_label; /* The derivation label for AEAD */
+ size_t deriv_label_size; /* Size of the deriv_label in bytes */
+ uint8_t *aad; /* The additional authenticated data for AEAD */
+ size_t add_size; /* Size of the add in bytes */
+ uint8_t *nonce; /* The nonce for AEAD */
+ size_t nonce_size; /* Size of the nonce in bytes */
+};
+
+/**
+ * \brief Generate an encryption nonce
+ *
+ * \details The nonce has to be unique for every encryption using the same key,
+ * even across resets.
+ * \param [out] nonce Pointer to the nonce
+ * \param [in] nonce_size Size of the nonce in bytes
+ *
+ * \retval TFM_HAL_SUCCESS The operation completed successfully
+ * \retval TFM_HAL_ERROR_INVALID_INPUT Invalid argument
+ * \retval TFM_HAL_ERROR_GENERIC Failed to fill the nonce seed because of
+ * an internal error
+ */
+enum tfm_hal_status_t tfm_hal_its_aead_generate_nonce(uint8_t *nonce,
+ const size_t nonce_size);
+
+/**
+ * \brief Perform authenticated encryption.
+ *
+ * \details Perform the the AEAD encryption.
+ * It will start with deriving a key based long-term key-derivation
+ * key and the provided derivation label.
+ * This derived key will then be used to perform the AEAD operation.
+ * Therefore the following members of the ctx struct must be set:
+ * nonce
+ * nonce_size
+ * deriv_label
+ * deriv_label_size
+ * If additional data should be authenticated also
+ * aad
+ * aad_size
+ * must be set.
+ *
+ * \param [in] ctx AEAD context for ITS object
+ * \param [in] plaintext Pointer to the plaintext
+ * \param [in] plaintext_size Size of the plaintext in bytes
+ * \param [out] ciphertext Pointer to the ciphertext
+ * \param [in] ciphertext_size Size of the ciphertext in bytes
+ * \param [out] tag Authentication tag
+ * \param [in] tag_size Authentication tag size in bytes
+ *
+ * \retval TFM_HAL_SUCCESS The operation completed successfully
+ * \retval TFM_HAL_ERROR_INVALID_INPUT Invalid argument
+ * \retval TFM_HAL_ERROR_GENERIC Failed to encrypt
+ */
+enum tfm_hal_status_t tfm_hal_its_aead_encrypt(
+ struct tfm_hal_its_auth_crypt_ctx *ctx,
+ const uint8_t *plaintext,
+ const size_t plaintext_size,
+ uint8_t *ciphertext,
+ const size_t ciphertext_size,
+ uint8_t *tag,
+ const size_t tag_size);
+
+/**
+ * \brief Perform authenticated decryption.
+ *
+ * \details To perform the the AEAD decryption, the following members of the
+ * ctx struct must be set:
+ * nonce
+ * nonce_size
+ * deriv_label
+ * deriv_label_size
+ * If additional data should be authenticated also
+ * aad
+ * aad_size
+ * must be set.
+ *
+ *
+ * \param [in] ctx AEAD context for ITS object
+ * \param [in] ciphertext Pointer to the ciphertext
+ * \param [in] ciphertext_size Size of the ciphertext in bytes
+ * \param [in] tag Authentication tag
+ * \param [in] tag_size Authentication tag size in bytes
+ * \param [out] plaintext Pointer to the plaintext
+ * \param [in] plaintext_size Size of the plaintext in bytes
+ *
+ * \retval TFM_HAL_SUCCESS The operation completed successfully
+ * \retval TFM_HAL_ERROR_INVALID_INPUT Invalid argument
+ * \retval TFM_HAL_ERROR_GENERIC Failed to decrypt
+ */
+enum tfm_hal_status_t tfm_hal_its_aead_decrypt(
+ struct tfm_hal_its_auth_crypt_ctx *ctx,
+ const uint8_t *ciphertext,
+ const size_t ciphertext_size,
+ uint8_t *tag,
+ const size_t tag_size,
+ uint8_t *plaintext,
+ const size_t plaintext_size);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __TFM_HAL_ITS_ENCRYPTION_H__ */
diff --git a/secure_fw/partitions/internal_trusted_storage/CMakeLists.txt b/secure_fw/partitions/internal_trusted_storage/CMakeLists.txt
index 943a58a..bc048d0 100644
--- a/secure_fw/partitions/internal_trusted_storage/CMakeLists.txt
+++ b/secure_fw/partitions/internal_trusted_storage/CMakeLists.txt
@@ -32,6 +32,7 @@
tfm_its_req_mngr.c
tfm_internal_trusted_storage.c
its_utils.c
+ $<$<BOOL:${ITS_ENCRYPTION}>:its_crypto_interface.c>
flash/its_flash.c
flash/its_flash_nand.c
flash/its_flash_nor.c
diff --git a/secure_fw/partitions/internal_trusted_storage/flash_fs/its_flash_fs.c b/secure_fw/partitions/internal_trusted_storage/flash_fs/its_flash_fs.c
index a6536c5..9544ed8 100644
--- a/secure_fw/partitions/internal_trusted_storage/flash_fs/its_flash_fs.c
+++ b/secure_fw/partitions/internal_trusted_storage/flash_fs/its_flash_fs.c
@@ -6,11 +6,12 @@
*
*/
-#include "its_flash_fs.h"
#include <stdbool.h>
#include <string.h>
+#include "config_tfm.h"
+#include "its_flash_fs.h"
#include "its_flash_fs_dblock.h"
#include "its_utils.h"
@@ -196,7 +197,7 @@
psa_status_t its_flash_fs_file_get_info(struct its_flash_fs_ctx_t *fs_ctx,
const uint8_t *fid,
- struct its_file_info_t *info)
+ struct its_flash_fs_file_info_t *info)
{
psa_status_t err;
uint32_t idx;
@@ -211,13 +212,17 @@
info->size_current = tmp_metadata.cur_size;
info->flags = tmp_metadata.flags & ITS_FLASH_FS_USER_FLAGS_MASK;
+#ifdef ITS_ENCRYPTION
+ memcpy(info->nonce, tmp_metadata.nonce, TFM_ITS_ENC_NONCE_LENGTH);
+ memcpy(info->tag, tmp_metadata.tag, TFM_ITS_AUTH_TAG_LENGTH);
+#endif
+
return PSA_SUCCESS;
}
psa_status_t its_flash_fs_file_write(struct its_flash_fs_ctx_t *fs_ctx,
const uint8_t *fid,
- uint32_t flags,
- size_t max_size,
+ struct its_flash_fs_file_info_t *finfo,
size_t data_size,
size_t offset,
const uint8_t *data)
@@ -231,26 +236,30 @@
uint32_t new_idx = ITS_METADATA_INVALID_INDEX;
bool use_spare;
+ if (finfo == NULL) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
/* Do not permit the user to pass filesystem-internal flags */
- if (flags & ITS_FLASH_FS_INTERNAL_FLAGS_MASK) {
+ if (finfo->flags & ITS_FLASH_FS_INTERNAL_FLAGS_MASK) {
return PSA_ERROR_INVALID_ARGUMENT;
}
#if (ITS_FLASH_MAX_ALIGNMENT != 1)
/* Set the max_size to be aligned with the flash program unit */
- max_size = ITS_UTILS_ALIGN(max_size, fs_ctx->cfg->program_unit);
+ finfo->size_max = ITS_UTILS_ALIGN(finfo->size_max, fs_ctx->cfg->program_unit);
#endif
/* Check if the file already exists */
err = its_flash_fs_mblock_get_file_idx_meta(fs_ctx, fid, &old_idx, &file_meta);
if (err == PSA_SUCCESS) {
- if (flags & ITS_FLASH_FS_FLAG_TRUNCATE) {
- if (file_meta.max_size == max_size) {
+ if (finfo->flags & ITS_FLASH_FS_FLAG_TRUNCATE) {
+ if (file_meta.max_size == finfo->size_max) {
/* Truncate and reuse the existing file, which is already the
* correct size.
*/
file_meta.cur_size = 0;
- file_meta.flags = flags;
+ file_meta.flags = finfo->flags;
new_idx = old_idx;
} else {
/* Mark the existing file to be deleted in this block update. It
@@ -272,7 +281,7 @@
}
} else if (err == PSA_ERROR_DOES_NOT_EXIST) {
/* The create flag must be supplied to create a new file */
- if (!(flags & ITS_FLASH_FS_FLAG_CREATE)) {
+ if (!(finfo->flags & ITS_FLASH_FS_FLAG_CREATE)) {
return PSA_ERROR_DOES_NOT_EXIST;
}
} else {
@@ -282,7 +291,7 @@
/* If the existing file was not reused, then a new one must be reserved */
if (new_idx == ITS_METADATA_INVALID_INDEX) {
/* Check that the file's maximum size is valid */
- if (max_size > fs_ctx->cfg->max_file_size) {
+ if (finfo->size_max > fs_ctx->cfg->max_file_size) {
return PSA_ERROR_INVALID_ARGUMENT;
}
@@ -291,7 +300,7 @@
/* Try to reserve a new file based on the input parameters */
err = its_flash_fs_mblock_reserve_file(fs_ctx, fid, use_spare,
- max_size, flags, &new_idx,
+ finfo->size_max, finfo->flags, &new_idx,
&file_meta, &block_meta);
if (err != PSA_SUCCESS) {
return err;
@@ -339,6 +348,11 @@
return PSA_ERROR_GENERIC_ERROR;
}
+#ifdef ITS_ENCRYPTION
+ memcpy(file_meta.nonce, finfo->nonce, sizeof(finfo->nonce));
+ memcpy(file_meta.tag, finfo->tag, sizeof(finfo->tag));
+#endif
+
/* Write file metadata in the scratch metadata block */
err = its_flash_fs_mblock_update_scratch_file_meta(fs_ctx, new_idx,
&file_meta);
diff --git a/secure_fw/partitions/internal_trusted_storage/flash_fs/its_flash_fs.h b/secure_fw/partitions/internal_trusted_storage/flash_fs/its_flash_fs.h
index 9c45e8a..ad5a0f5 100644
--- a/secure_fw/partitions/internal_trusted_storage/flash_fs/its_flash_fs.h
+++ b/secure_fw/partitions/internal_trusted_storage/flash_fs/its_flash_fs.h
@@ -167,15 +167,24 @@
typedef struct its_flash_fs_ctx_t its_flash_fs_ctx_t;
/*!
- * \struct its_file_info_t
+ * \struct its_flash_fs_file_info_t
*
- * \brief Structure to store the file information.
+ * \brief Structure containing file information.
+ *
+ * \details This structure is not written to the filesystem, it is used by the
+ * file system functions to simplify accessing the containing
+ * information.
*/
-struct its_file_info_t {
- size_t size_current; /*!< The current size of the flash file data */
- size_t size_max; /*!< The maximum size of the flash file data in bytes.
- */
- uint32_t flags; /*!< Flags set when the file was created */
+struct its_flash_fs_file_info_t {
+ size_t size_current; /*!< The current size of the file in bytes */
+ size_t size_max; /*!< The maximum size of the file in bytes. */
+ uint32_t flags; /*!< Flags set when the file was created */
+#ifdef ITS_ENCRYPTION
+ /*!< Additional authenticated data */
+ uint8_t add[ITS_FILE_ID_SIZE + ITS_DATA_SIZE_FIELD_SIZE + ITS_FLAG_SIZE];
+ uint8_t nonce[12];/*!< Nonce/IV for encrypted files */
+ uint8_t tag[16]; /*!< Authentication tag */
+#endif
};
/**
@@ -220,23 +229,21 @@
*
* \param[in,out] fs_ctx Filesystem context
* \param[in] fid File ID
- * \param[out] info Pointer to the information structure to store the
- * file information values \ref its_file_info_t
+ * \param[out] info Pointer to the file information
+ * structure \ref its_flash_fs_file_info_t
*
* \return Returns error code specified in \ref psa_status_t
*/
psa_status_t its_flash_fs_file_get_info(its_flash_fs_ctx_t *fs_ctx,
const uint8_t *fid,
- struct its_file_info_t *info);
+ struct its_flash_fs_file_info_t *info);
/**
* \brief Writes data to a file.
*
* \param[in,out] fs_ctx Filesystem context
* \param[in] fid File ID
- * \param[in] flags Flags of the file
- * \param[in] max_size Maximum size of the file to be created. Ignored if
- * the file is not being created.
+ * \param[in] finfo Pointer to \ref its_flash_fs_file_info_t
* \param[in] data_size Size of the incoming write data.
* \param[in] offset Offset in the file to write. Must be less than or
* equal to the current file size.
@@ -246,8 +253,7 @@
*/
psa_status_t its_flash_fs_file_write(its_flash_fs_ctx_t *fs_ctx,
const uint8_t *fid,
- uint32_t flags,
- size_t max_size,
+ struct its_flash_fs_file_info_t *finfo,
size_t data_size,
size_t offset,
const uint8_t *data);
diff --git a/secure_fw/partitions/internal_trusted_storage/flash_fs/its_flash_fs_mblock.h b/secure_fw/partitions/internal_trusted_storage/flash_fs/its_flash_fs_mblock.h
index 480d549..fe443f4 100644
--- a/secure_fw/partitions/internal_trusted_storage/flash_fs/its_flash_fs_mblock.h
+++ b/secure_fw/partitions/internal_trusted_storage/flash_fs/its_flash_fs_mblock.h
@@ -150,23 +150,31 @@
* \note This structure is programmed to flash, so its size must be padded
* to a multiple of the maximum required flash program unit.
*/
-#define _T3 \
- uint32_t lblock; /*!< Logical datablock where file is \
- * stored \
- */ \
- size_t data_idx; /*!< Offset in the logical data block */ \
- size_t cur_size; /*!< Size in storage system for this # \
- * fragment \
- */ \
- size_t max_size; /*!< Maximum size of this file */ \
- uint32_t flags; /*!< Flags set when the file was created */ \
- uint8_t id[ITS_FILE_ID_SIZE]; /*!< ID of this file */
+#ifdef ITS_ENCRYPTION
+ #define _T3 \
+ uint32_t lblock; /* Logical datablock where file is stored */ \
+ size_t data_idx; /* Offset in the logical data block */ \
+ size_t cur_size; /* Size in storage system for this fragment */ \
+ size_t max_size; /* Maximum size of this file */ \
+ uint32_t flags; /* Flags set when the file was created */ \
+ uint8_t id[ITS_FILE_ID_SIZE]; /* ID of this file */ \
+ uint8_t nonce[TFM_ITS_ENC_NONCE_LENGTH]; \
+ uint8_t tag[TFM_ITS_AUTH_TAG_LENGTH]
+#else
+ #define _T3 \
+ uint32_t lblock; /* Logical datablock where file is stored */ \
+ size_t data_idx; /* Offset in the logical data block */ \
+ size_t cur_size; /* Size in storage system for this fragment */ \
+ size_t max_size; /* Maximum size of this file */ \
+ uint32_t flags; /* Flags set when the file was created */ \
+ uint8_t id[ITS_FILE_ID_SIZE] /* ID of this file */
+#endif
struct its_file_meta_t {
- _T3
+ _T3;
#if ((ITS_FLASH_MAX_ALIGNMENT) > 4)
- uint8_t roundup[sizeof(struct __attribute__((__aligned__(ITS_FLASH_MAX_ALIGNMENT))) { _T3 }) -
- sizeof(struct { _T3 })];
+ uint8_t roundup[sizeof(struct __attribute__((__aligned__(ITS_FLASH_MAX_ALIGNMENT))) { _T3; }) -
+ sizeof(struct { _T3; })];
#endif
};
#undef _T3
diff --git a/secure_fw/partitions/internal_trusted_storage/its_crypto_interface.c b/secure_fw/partitions/internal_trusted_storage/its_crypto_interface.c
new file mode 100644
index 0000000..f2f721d
--- /dev/null
+++ b/secure_fw/partitions/internal_trusted_storage/its_crypto_interface.c
@@ -0,0 +1,166 @@
+/*
+ * Copyright (c) 2019-2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#include <string.h>
+
+#include "flash_fs/its_flash_fs.h"
+#include "flash/its_flash.h"
+#include "its_utils.h"
+#include "psa_manifest/pid.h"
+#include "tfm_hal_its_encryption.h"
+#include "tfm_hal_ps.h"
+#include "tfm_internal_trusted_storage.h"
+#include "tfm_its_defs.h"
+#include "tfm_sp_log.h"
+
+/**
+ * \brief Fills the AEAD additional data used for the encryption/decryption
+ *
+ * \details The additional data are not encypted their integrity is checked.
+ * For the ITS encryption we use the file id, the file flags and the
+ * data size of the file as addditional data.
+ *
+ * \param[out] add Additional data
+ * \param[in] add_size Additional data size in bytes
+ * \param[in] fid Identifier of the file
+ * \param[in] fid_size Identifier of the file size in bytes
+ * \param[in] flags Flags of the file
+ * \param[in] data_size Data size in bytes
+ *
+ * \retval PSA_SUCCESS On success
+ * \retval PSA_ERROR_INVALID_ARGUMENT When the addditional data buffer does not
+ * have the correct size of the add/fid
+ * buffers are NULL
+ *
+ */
+static psa_status_t tfm_its_fill_enc_add(uint8_t *add,
+ const size_t add_size,
+ const uint8_t *fid,
+ const size_t fid_size,
+ const uint32_t flags,
+ const size_t data_size)
+
+{
+ /* Only the user flags are populated in the function which
+ * gets the file info from ITS (see its_flash_fs_file_get_info).
+ * We use the same flags for conformity.
+ */
+ uint32_t user_flags = flags & ITS_FLASH_FS_USER_FLAGS_MASK;
+
+ /* The additional data consist of the file id, the flags and the
+ * data size of the file.
+ */
+ size_t add_expected_size = ITS_FILE_ID_SIZE +
+ sizeof(user_flags) +
+ sizeof(data_size);
+
+ if (add_size != add_expected_size || add == NULL || fid == NULL) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ memcpy(add, fid, fid_size);
+ memcpy(add + fid_size, &user_flags, sizeof(user_flags));
+ memcpy(add + fid_size + sizeof(user_flags),
+ &data_size,
+ sizeof(data_size));
+
+ return PSA_SUCCESS;
+}
+
+static psa_status_t tfm_hal_to_psa_error(enum tfm_hal_status_t tfm_hal_err)
+{
+ switch (tfm_hal_err) {
+ case TFM_HAL_SUCCESS:
+ return PSA_SUCCESS;
+ case TFM_HAL_ERROR_INVALID_INPUT:
+ return PSA_ERROR_INVALID_ARGUMENT;
+ default:
+ return PSA_ERROR_GENERIC_ERROR;
+ }
+}
+
+psa_status_t tfm_its_crypt_file(struct its_flash_fs_file_info_t *finfo,
+ uint8_t *fid,
+ const size_t fid_size,
+ const uint8_t *input,
+ const size_t input_size,
+ uint8_t *output,
+ const size_t output_size,
+ const bool is_encrypt)
+{
+ struct tfm_hal_its_auth_crypt_ctx aead_ctx = {0};
+ enum tfm_hal_status_t err;
+ size_t file_size;
+
+ if (finfo == NULL) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ /* The file size is not known yet when encrypting */
+ if (is_encrypt) {
+ file_size = input_size;
+ } else {
+ file_size = finfo->size_current;
+ }
+
+ err = tfm_its_fill_enc_add(finfo->add,
+ sizeof(finfo->add),
+ fid,
+ fid_size,
+ finfo->flags,
+ file_size);
+ if (err != TFM_HAL_SUCCESS) {
+ return tfm_hal_to_psa_error(err);
+ }
+
+ if (is_encrypt) {
+ err = tfm_hal_its_aead_generate_nonce(finfo->nonce,
+ sizeof(finfo->nonce));
+
+ if (err != TFM_HAL_SUCCESS) {
+ return tfm_hal_to_psa_error(err);
+ }
+ }
+
+ /* Set all required parameters for the aead operation context */
+ aead_ctx.nonce = finfo->nonce;
+ aead_ctx.nonce_size = sizeof(finfo->nonce);
+ aead_ctx.deriv_label = fid;
+ aead_ctx.deriv_label_size = fid_size;
+ aead_ctx.aad = finfo->add;
+ aead_ctx.add_size = sizeof(finfo->add);
+
+
+ if (is_encrypt) {
+ err = tfm_hal_its_aead_encrypt(&aead_ctx,
+ input,
+ input_size,
+ output,
+ output_size,
+ finfo->tag,
+ sizeof(finfo->tag));
+ } else {
+ err = tfm_hal_its_aead_decrypt(&aead_ctx,
+ input,
+ input_size,
+ finfo->tag,
+ sizeof(finfo->tag),
+ output,
+ output_size);
+ }
+
+ if (err != TFM_HAL_SUCCESS) {
+ return tfm_hal_to_psa_error(err);
+ }
+
+ if (is_encrypt) {
+ finfo->size_max = input_size;
+ }
+
+ return PSA_SUCCESS;
+}
+
diff --git a/secure_fw/partitions/internal_trusted_storage/its_crypto_interface.h b/secure_fw/partitions/internal_trusted_storage/its_crypto_interface.h
new file mode 100644
index 0000000..7191f57
--- /dev/null
+++ b/secure_fw/partitions/internal_trusted_storage/its_crypto_interface.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2019-2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+
+#include "flash_fs/its_flash_fs.h"
+#include "flash/its_flash.h"
+#include "its_utils.h"
+#include "psa_manifest/pid.h"
+#include "tfm_hal_its.h"
+#include "tfm_hal_ps.h"
+#include "tfm_internal_trusted_storage.h"
+#include "tfm_its_defs.h"
+#include "tfm_sp_log.h"
+
+/**
+ * \brief Perform encryption/decryption of the buffer using the
+ * tfm_hal_its APIs
+ *
+ * \param[in] finfo Pointer to \ref its_flash_fs_file_info_t
+ * \param[in] fid File identifier
+ * \param[in] fid_size File identifier size in bytes
+ * \param[in] input Input buffer
+ * \param[in] input_size Input size in bytes
+ * \param[out] output Output buffer
+ * \param[in] output_size Output size in bytes
+ * \param[in] is_encrypt Set the operation type (encryption/decryption)
+ *
+ * \return PSA_SUCCESS on successful operation or a valid PSA error code
+ *
+ */
+psa_status_t tfm_its_crypt_file(struct its_flash_fs_file_info_t *finfo,
+ uint8_t *fid,
+ const size_t fid_size,
+ const uint8_t *input,
+ const size_t input_size,
+ uint8_t *output,
+ const size_t output_size,
+ const bool is_encrypt);
+
diff --git a/secure_fw/partitions/internal_trusted_storage/its_utils.h b/secure_fw/partitions/internal_trusted_storage/its_utils.h
index 1c38056..4cffaff 100644
--- a/secure_fw/partitions/internal_trusted_storage/its_utils.h
+++ b/secure_fw/partitions/internal_trusted_storage/its_utils.h
@@ -18,6 +18,8 @@
#endif
#define ITS_FILE_ID_SIZE 12
+#define ITS_DATA_SIZE_FIELD_SIZE 4
+#define ITS_FLAG_SIZE 4
#define ITS_DEFAULT_EMPTY_BUFF_VAL 0
/**
diff --git a/secure_fw/partitions/internal_trusted_storage/tfm_internal_trusted_storage.c b/secure_fw/partitions/internal_trusted_storage/tfm_internal_trusted_storage.c
index 2114e63..6ac360c 100644
--- a/secure_fw/partitions/internal_trusted_storage/tfm_internal_trusted_storage.c
+++ b/secure_fw/partitions/internal_trusted_storage/tfm_internal_trusted_storage.c
@@ -24,6 +24,10 @@
#include "its_utils.h"
#include "tfm_sp_log.h"
+#ifdef ITS_ENCRYPTION
+#include "its_crypto_interface.h"
+#endif
+
#ifdef TFM_PARTITION_PROTECTED_STORAGE
#include "ps_object_defs.h"
#endif
@@ -34,7 +38,7 @@
#endif /* !TFM_PARTITION_INTERNAL_TRUSTED_STORAGE */
static uint8_t g_fid[ITS_FILE_ID_SIZE];
-static struct its_file_info_t g_file_info;
+static struct its_flash_fs_file_info_t g_file_info;
#if (PSA_FRAMEWORK_HAS_MM_IOVEC != 1) && defined(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE)
/* Buffer to store asset data from the caller.
@@ -80,6 +84,106 @@
#endif
}
+#ifdef ITS_ENCRYPTION
+/* Buffer to store the encrypted asset data before it is stored in the
+ * filesystem.
+ */
+static uint8_t enc_asset_data[ITS_UTILS_ALIGN(ITS_BUF_SIZE,
+ ITS_FLASH_MAX_ALIGNMENT)];
+
+static psa_status_t buffer_size_check(int32_t client_id, size_t buffer_size)
+{
+/* With protected storage no encryption is used */
+#ifdef TFM_PARTITION_PROTECTED_STORAGE
+ if (client_id != TFM_SP_PS) {
+#else
+ {
+#endif /* TFM_PARTITION_PROTECTED_STORAGE */
+ /* When encryption is enabled the whole file needs to fit in the
+ * global buffer.
+ */
+ if (buffer_size > sizeof(enc_asset_data)) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+ }
+ return PSA_SUCCESS;
+}
+
+static psa_status_t tfm_its_crypt_data(int32_t client_id,
+ uint8_t **input,
+ size_t input_size)
+{
+ psa_status_t status;
+#ifdef TFM_PARTITION_PROTECTED_STORAGE
+ if (client_id != TFM_SP_PS) {
+#else
+ {
+#endif /* TFM_PARTITION_PROTECTED_STORAGE */
+ status = tfm_its_crypt_file(&g_file_info,
+ g_fid,
+ sizeof(g_fid),
+ *input,
+ input_size,
+ enc_asset_data,
+ sizeof(enc_asset_data),
+ true);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ *input = enc_asset_data;
+ }
+ return PSA_SUCCESS;
+}
+
+static psa_status_t tfm_its_get_encrypted(int32_t client_id,
+ size_t data_offset,
+ size_t data_size,
+ size_t *p_data_length)
+{
+ psa_status_t status;
+
+ if (g_file_info.size_max > sizeof(enc_asset_data)) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ /* When encryption is enabled we need to read the whole file */
+ status = its_flash_fs_file_read(get_fs_ctx(client_id),
+ g_fid,
+ g_file_info.size_current,
+ 0,
+ enc_asset_data);
+ if (status != PSA_SUCCESS) {
+ *p_data_length = 0;
+ return status;
+ }
+
+ status = tfm_its_crypt_file(&g_file_info,
+ g_fid,
+ sizeof(g_fid),
+ enc_asset_data,
+ g_file_info.size_current,
+ asset_data,
+ sizeof(asset_data),
+ false);
+ if (status != PSA_SUCCESS) {
+ *p_data_length = 0;
+ return status;
+ }
+
+ #if (PSA_FRAMEWORK_HAS_MM_IOVEC == 1) /* PSA_FRAMEWORK_HAS_MM_IOVEC */
+ memcpy(its_req_mngr_get_vec_base(), asset_data + data_offset, data_size);
+ #else
+ /* Write asset data to the caller in one go as due to buffer check before
+ * it is ensured that all data fit into asset_data
+ */
+ its_req_mngr_write(asset_data + data_offset, data_size);
+ #endif /* PSA_FRAMEWORK_HAS_MM_IOVEC */
+
+ return PSA_SUCCESS;
+}
+#endif /* ITS_ENCRYPTION */
+
/**
* \brief Maps a pair of client id and uid to a file id.
*
@@ -277,6 +381,37 @@
&g_file_info);
}
+
+static psa_status_t tfm_its_write_data_to_fs(const int32_t client_id,
+ const uint8_t *fid,
+ struct its_flash_fs_file_info_t *finfo,
+ const size_t data_size,
+ const size_t offset,
+ uint8_t *data)
+{
+ psa_status_t status;
+ uint8_t *buffer_ptr = data;
+#ifdef ITS_ENCRYPTION /* ITS_ENCRYPTION */
+ /* If the data will be encrypted the whole file needs to be written */
+ if (offset != 0) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+ status = tfm_its_crypt_data(client_id, &buffer_ptr, data_size);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+#endif /* ITS_ENCRYPTION */
+ status = its_flash_fs_file_write(get_fs_ctx(client_id),
+ fid,
+ &g_file_info,
+ data_size, offset, buffer_ptr);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ return PSA_SUCCESS;
+}
+
psa_status_t tfm_its_set(int32_t client_id,
psa_storage_uid_t uid,
size_t data_length,
@@ -287,7 +422,6 @@
size_t write_size;
size_t offset;
#endif
- uint32_t flags;
/* Check that the UID is valid */
if (uid == TFM_ITS_INVALID_UID) {
@@ -301,6 +435,13 @@
return PSA_ERROR_NOT_SUPPORTED;
}
+#if defined ITS_ENCRYPTION && defined TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
+ status = buffer_size_check(client_id, data_length);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+#endif /* ITS_ENCRYPTION && TFM_PARTITION_INTERNAL_TRUSTED_STORAGE*/
+
/* Read file info */
status = get_file_info(uid, client_id);
if (status == PSA_SUCCESS) {
@@ -317,21 +458,24 @@
return status;
}
- flags = (uint32_t)create_flags |
- ITS_FLASH_FS_FLAG_CREATE | ITS_FLASH_FS_FLAG_TRUNCATE;
+ g_file_info.size_max = data_length;
+ g_file_info.flags = (uint32_t)create_flags |
+ ITS_FLASH_FS_FLAG_CREATE | ITS_FLASH_FS_FLAG_TRUNCATE;
+
#ifndef TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
- /* Write to the file in the file system */
- status = its_flash_fs_file_write(get_fs_ctx(client_id), g_fid, flags,
- data_length, data_length, 0,
- p_psa_src_data);
-
-#elif (PSA_FRAMEWORK_HAS_MM_IOVEC == 1)
- /* Write to the file in the file system */
- status = its_flash_fs_file_write(get_fs_ctx(client_id), g_fid, flags,
- data_length, data_length, 0,
- its_req_mngr_get_vec_base());
-
+ /* Write to the file in the file system
+ * No encryption needed as this will be stored in the Protected Storage
+ * Partition if ITS partition is not enabled.
+ */
+ status = its_flash_fs_file_write(get_fs_ctx(client_id), g_fid, &g_file_info,
+ data_length, 0, p_psa_src_data);
+#elif PSA_FRAMEWORK_HAS_MM_IOVEC == 1
+ status = tfm_its_write_data_to_fs(client_id,
+ g_fid,
+ &g_file_info,
+ data_length, 0,
+ its_req_mngr_get_vec_base());
#else
offset = 0;
@@ -345,16 +489,14 @@
/* Read asset data from the caller */
(void)its_req_mngr_read(asset_data, write_size);
- /* Write to the file in the file system */
- status = its_flash_fs_file_write(get_fs_ctx(client_id), g_fid, flags,
- data_length, write_size, offset,
- asset_data);
- if (status != PSA_SUCCESS) {
- return status;
- }
+ status = tfm_its_write_data_to_fs(client_id, g_fid, &g_file_info,
+ write_size, offset, asset_data);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
/* Do not create or truncate after the first iteration */
- flags &= ~(ITS_FLASH_FS_FLAG_CREATE | ITS_FLASH_FS_FLAG_TRUNCATE);
+ g_file_info.flags &= ~(ITS_FLASH_FS_FLAG_CREATE | ITS_FLASH_FS_FLAG_TRUNCATE);
offset += write_size;
data_length -= write_size;
@@ -364,8 +506,7 @@
return status;
}
-psa_status_t tfm_its_get(int32_t client_id,
- psa_storage_uid_t uid,
+static psa_status_t tfm_its_get_plain(int32_t client_id,
size_t data_offset,
size_t data_size,
size_t *p_data_length)
@@ -376,38 +517,6 @@
size_t read_size;
#endif
-#ifdef TFM_PARTITION_TEST_PS
- /* The PS test partition can call tfm_its_get() through PS code. Treat it
- * as if it were PS.
- */
- if (client_id == TFM_SP_PS_TEST) {
- client_id = TFM_SP_PS;
- }
-#endif
-
- /* Check that the UID is valid */
- if (uid == TFM_ITS_INVALID_UID) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* Read file info */
- status = get_file_info(uid, client_id);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Boundary check the incoming request */
- if (data_offset > g_file_info.size_current) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* Copy the object data only from within the file boundary */
- data_size = ITS_UTILS_MIN(data_size,
- g_file_info.size_current - data_offset);
-
- /* Update the size of the output data */
- *p_data_length = data_size;
-
#ifndef TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
/* Read file data from the filesystem */
status = its_flash_fs_file_read(get_fs_ctx(client_id), g_fid, data_size,
@@ -449,10 +558,80 @@
data_offset += read_size;
data_size -= read_size;
} while (data_size > 0);
-#endif
+#endif /* TFM_PARTITION_INTERNAL_TRUSTED_STORAGE & PSA_FRAMEWORK_HAS_MM_IOVEC */
+
return PSA_SUCCESS;
}
+psa_status_t tfm_its_get(int32_t client_id,
+ psa_storage_uid_t uid,
+ size_t data_offset,
+ size_t data_size,
+ size_t *p_data_length)
+{
+ psa_status_t status;
+
+ #if (PSA_FRAMEWORK_HAS_MM_IOVEC != 1) && defined(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE) \
+ && (ITS_ENCRYPTION != 1)
+ size_t read_size;
+ #endif
+
+#ifdef TFM_PARTITION_TEST_PS
+ /* The PS test partition can call tfm_its_get() through PS code. Treat it
+ * as if it were PS.
+ */
+ if (client_id == TFM_SP_PS_TEST) {
+ client_id = TFM_SP_PS;
+ }
+#endif
+
+ /* Check that the UID is valid */
+ if (uid == TFM_ITS_INVALID_UID) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+#if defined ITS_ENCRYPTION && defined TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
+ status = buffer_size_check(client_id, data_offset + data_size);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+#endif /* ITS_ENCRYPTION && TFM_PARTITION_INTERNAL_TRUSTED_STORAGE */
+
+ /* Read file info */
+ status = get_file_info(uid, client_id);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* Boundary check the incoming request */
+ if (data_offset > g_file_info.size_current) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
+
+ /* Copy the object data only from within the file boundary */
+ data_size = ITS_UTILS_MIN(data_size,
+ g_file_info.size_current - data_offset);
+
+ /* Update the size of the output data */
+ *p_data_length = data_size;
+
+#if defined ITS_ENCRYPTION && defined TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
+#if defined TFM_PARTITION_PROTECTED_STORAGE
+ /* With protected storage no encryption is used */
+ if (client_id == TFM_SP_PS) {
+ return tfm_its_get_plain(client_id, data_offset, data_size, p_data_length);
+ } else
+#endif /* TFM_PARTITION_PROTECTED_STORAGE */
+ {
+ return tfm_its_get_encrypted(client_id, data_offset, data_size, p_data_length);
+ }
+#else
+ {
+ return tfm_its_get_plain(client_id, data_offset, data_size, p_data_length);
+ }
+#endif /* ITS_ENCRYPTION && TFM_PARTITION_INTERNAL_TRUSTED_STORAGE */
+}
+
psa_status_t tfm_its_get_info(int32_t client_id, psa_storage_uid_t uid,
struct psa_storage_info_t *p_info)
{
