ITS: Add support for encrypted ITS
-Adds encryption and authentication support for ITS files
-Encryption is optional and is enabled using a CMake variable
-The encryption implementation is platform dependent,
the signatures of the APIs are provided in this change
Change-Id: Ifd3a67ac2274fa8d7ceec19482f7cec01b2cac54
Signed-off-by: Markus Swarowsky <markus.swarowsky@nordicsemi.no>
diff --git a/config/config_base.cmake b/config/config_base.cmake
index 3dbf3da..c414bbf 100755
--- a/config/config_base.cmake
+++ b/config/config_base.cmake
@@ -126,6 +126,7 @@
set(PS_CRYPTO_AEAD_ALG PSA_ALG_GCM CACHE STRING "The AEAD algorithm to use for authenticated encryption in Protected Storage")
set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE OFF CACHE BOOL "Enable Internal Trusted Storage partition")
+set(ITS_ENCRYPTION OFF CACHE BOOL "Enable authenticated encryption of ITS files using platform specific APIs")
set(TFM_PARTITION_CRYPTO OFF CACHE BOOL "Enable Crypto partition")
set(CRYPTO_TFM_BUILTIN_KEYS_DRIVER ON CACHE BOOL "Whether to allow crypto service to store builtin keys. Without this, ALL builtin keys must be stored in a platform-specific location")
diff --git a/config/config_base.h b/config/config_base.h
index d9caeb9..9879b68 100644
--- a/config/config_base.h
+++ b/config/config_base.h
@@ -192,6 +192,16 @@
#define ITS_STACK_SIZE 0x720
#endif
+/* The size of the authentication tag used when authentication/encryption of ITS files is enabled */
+#ifndef TFM_ITS_AUTH_TAG_LENGTH
+#define TFM_ITS_AUTH_TAG_LENGTH 16
+#endif
+
+/* The size of the nonce used when ITS file encryption is enabled */
+#ifndef TFM_ITS_ENC_NONCE_LENGTH
+#define TFM_ITS_ENC_NONCE_LENGTH 12
+#endif
+
/* PS Partition Configs */
/* Create flash FS if it doesn't exist for Protected Storage partition */