Bluetooth: Mesh: use secure storage in ble mesh

Commit:
 - adds dependency of the mbedtls psa usage on secure storage
 - removes PSA ITS emulator and enables usage of
   the secure storage in ble mesh bsim tests
 - enables secure storage in all ble mesh and related samples

Signed-off-by: Aleksandr Khromykh <aleksandr.khromykh@nordicsemi.no>

modules/mbedtls/configs/config-tls-generic.h

@@ -482,12 +482,6 @@
 #define MBEDTLS_PSA_P256M_DRIVER_ENABLED
 #endif
 
-#if defined(CONFIG_ARCH_POSIX) && !defined(CONFIG_PICOLIBC) && !defined(CONFIG_SECURE_STORAGE)
-#define MBEDTLS_PSA_ITS_FILE_C
-#define MBEDTLS_PSA_CRYPTO_STORAGE_C
-#define MBEDTLS_FS_IO
-#endif
-
 #if defined(CONFIG_SECURE_STORAGE)
 #define MBEDTLS_PSA_CRYPTO_STORAGE_C
 #endif

samples/bluetooth/mesh/boards/nrf5340dk_nrf5340_cpuapp_ns.conf

@@ -0,0 +1 @@
+CONFIG_SECURE_STORAGE=n

samples/bluetooth/mesh/prj.conf

@@ -5,6 +5,7 @@ CONFIG_FLASH=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
+CONFIG_SECURE_STORAGE=y
 CONFIG_HWINFO=y
 
 CONFIG_BT=y

samples/bluetooth/mesh_demo/boards/nrf5340dk_nrf5340_cpuapp_ns.conf

@@ -0,0 +1 @@
+CONFIG_SECURE_STORAGE=n

samples/bluetooth/mesh_demo/prj.conf

@@ -31,6 +31,7 @@ CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
 CONFIG_BT_MESH_RPL_STORE_TIMEOUT=600
+CONFIG_SECURE_STORAGE=y
 
 # Limit the number of key slots in PSA Crypto core to reduce
 # RAM footprint

samples/bluetooth/mesh_provisioner/boards/nrf5340dk_nrf5340_cpuapp_ns.conf

@@ -0,0 +1 @@
+CONFIG_SECURE_STORAGE=n

samples/bluetooth/mesh_provisioner/prj.conf

@@ -45,6 +45,7 @@ CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
 CONFIG_BT_MESH_RPL_STORE_TIMEOUT=600
+CONFIG_SECURE_STORAGE=y
 
 #CONFIG_BT_MESH_LOG_LEVEL_DBG=y
 #CONFIG_BT_MESH_SETTINGS_LOG_LEVEL_DBG=y

samples/boards/nordic/mesh/onoff-app/prj.conf

@@ -9,6 +9,8 @@ CONFIG_FLASH=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
+CONFIG_SECURE_STORAGE=y
+
 CONFIG_BT_MESH_RPL_STORE_TIMEOUT=600
 
 CONFIG_BOOT_BANNER=y

samples/boards/nordic/mesh/onoff_level_lighting_vnd_app/prj.conf

@@ -7,6 +7,7 @@ CONFIG_FLASH=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
+CONFIG_SECURE_STORAGE=y
 
 CONFIG_BT_OBSERVER=y
 CONFIG_BT_BROADCASTER=y

samples/boards/phytec/reel_board/mesh_badge/prj.conf

@@ -66,4 +66,5 @@ CONFIG_FLASH=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
+CONFIG_SECURE_STORAGE=y
 CONFIG_CBPRINTF_FP_SUPPORT=y

subsys/bluetooth/mesh/Kconfig

@@ -1452,6 +1452,10 @@ config BT_MESH_SOL_ADV_XMIT
 
 endmenu # Proxy
 
+config BT_MESH_SECURE_STORAGE
+	bool
+	depends on SECURE_STORAGE
+
 choice BT_MESH_CRYPTO_LIB
 	prompt "Crypto library:"
 	default BT_MESH_USES_TFM_PSA if BUILD_WITH_TFM
@@ -1491,6 +1495,7 @@ config BT_MESH_USES_MBEDTLS_PSA
 	select PSA_WANT_ALG_SHA_256
 	select PSA_WANT_ALG_ECDH
 	select PSA_WANT_ECC_SECP_R1_256
+	select BT_MESH_SECURE_STORAGE if BT_SETTINGS
 	help
 	  Use Mbed TLS as PSA Crypto API provider. This is useful on platforms
 	  that do not support TF-M.

tests/bluetooth/mesh_shell/prj.conf

@@ -14,6 +14,7 @@ CONFIG_FLASH=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
+CONFIG_SECURE_STORAGE=y
 
 CONFIG_BT=y
 CONFIG_BT_OBSERVER=y

tests/bsim/bluetooth/mesh/CMakeLists.txt

@@ -29,7 +29,6 @@ if(CONFIG_SETTINGS)
 if(CONFIG_BT_MESH_USES_MBEDTLS_PSA)
  target_sources(app PRIVATE
   src/distribute_keyid.c
-  src/psa_its_emul.c
  )
 endif()
 
@@ -83,15 +82,3 @@ zephyr_include_directories(
   ${BSIM_COMPONENTS_PATH}/libUtilv1/src/
   ${BSIM_COMPONENTS_PATH}/libPhyComv1/src/
 )
-
-# The mbedTLS PSA ITS is not thread safe.
-# The issue: https://github.com/zephyrproject-rtos/zephyr/issues/59362
-# Also, it isn't possible to use "native" ITS implementation since
-# mbedTLS includes headers that do not exist.
-# This linker option allows linking custom ITS implementation instead of
-# precompiled objects from the mbedTLS library to run it in parallel.
-if(CONFIG_BT_MESH_USES_MBEDTLS_PSA)
-  zephyr_ld_options(
-    ${LINKERFLAGPREFIX},--allow-multiple-definition
-    )
-endif()

tests/bsim/bluetooth/mesh/overlay_pst.conf

@@ -3,6 +3,7 @@ CONFIG_BT_SETTINGS=y
 CONFIG_FLASH=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
+CONFIG_SECURE_STORAGE=y
 
 CONFIG_BT_PERIPHERAL=y
 CONFIG_BT_MESH_GATT_PROXY=y

tests/bsim/bluetooth/mesh/src/psa_its_emul.c

@@ -1,209 +0,0 @@
-/*
- * Copyright (c) 2023 Nordic Semiconductor ASA
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-/*
- *  PSA ITS emulator over settings.
- */
-
-#include <stdlib.h>
-
-#include <zephyr/bluetooth/mesh.h>
-#include <../library/psa_crypto_its.h>
-
-#define LOG_MODULE_NAME pts_its_emu
-
-#include <zephyr/logging/log.h>
-#include "mesh/net.h"
-#include "mesh/settings.h"
-
-LOG_MODULE_REGISTER(LOG_MODULE_NAME, LOG_LEVEL_INF);
-
-/* The value of 52 bytes was measured practically in the mbedTLS psa security storage. */
-#define MAX_ITEM_LENGTH 52
-#define MAX_ITEM_NUMBER MBEDTLS_PSA_KEY_SLOT_COUNT
-
-typedef struct {
-	uint32_t size;
-	psa_storage_create_flags_t flags;
-	uint8_t data[MAX_ITEM_LENGTH];
-} psa_its_pst_item_t;
-
-typedef struct {
-	psa_storage_uid_t uid;
-	psa_its_pst_item_t pst_item;
-} psa_its_item_t;
-
-static psa_its_item_t item[MAX_ITEM_NUMBER];
-
-static psa_its_item_t *get_item_by_uid(psa_storage_uid_t uid)
-{
-	for (int i = 0; i < MAX_ITEM_NUMBER; i++) {
-		if (uid == item[i].uid) {
-			return &item[i];
-		}
-	}
-
-	return NULL;
-}
-
-static int itsemul_set(const char *name, size_t len_rd, settings_read_cb read_cb, void *cb_arg)
-{
-	ssize_t len;
-	uint64_t uid;
-	psa_its_item_t *p_item;
-
-	LOG_DBG("read out uid: %s", name);
-
-	if (!name) {
-		LOG_ERR("Insufficient number of arguments");
-		return -ENOENT;
-	}
-
-	uid = strtoull(name, NULL, 10);
-	if (uid == ULLONG_MAX) {
-		LOG_ERR("Invalid format for uid");
-		return -EINVAL;
-	}
-
-	p_item = get_item_by_uid(uid);
-	if (p_item == NULL) {
-		p_item = get_item_by_uid(0ull);
-	}
-
-	if (p_item == NULL) {
-		LOG_ERR("Insufficient sources for %llu", uid);
-		return -EINVAL;
-	}
-
-	p_item->uid = uid;
-
-	len = read_cb(cb_arg, &p_item->pst_item, len_rd);
-	if (len < 0) {
-		LOG_ERR("Failed to read value (err %zd)", len);
-		return -EINVAL;
-	}
-
-	LOG_HEXDUMP_DBG(&p_item->pst_item, len, "pst_item:");
-
-	if (len != len_rd) {
-		LOG_ERR("Unexpected length (%zd != %zu)", len, len_rd);
-		return -EINVAL;
-	}
-
-	return 0;
-}
-
-SETTINGS_STATIC_HANDLER_DEFINE(psa_its_emu, "itsemul", NULL, itsemul_set, NULL, NULL);
-
-psa_status_t psa_its_get_info(psa_storage_uid_t uid, struct psa_storage_info_t *p_info)
-{
-	psa_its_item_t *p_item;
-
-	LOG_DBG("get info uid: %llu", uid);
-
-	p_item = get_item_by_uid(uid);
-	if (p_item == NULL) {
-		return PSA_ERROR_DOES_NOT_EXIST;
-	}
-
-	p_info->flags = p_item->pst_item.flags;
-	p_info->size = p_item->pst_item.size;
-
-	LOG_DBG("flags: %lu, size: %lu", p_info->flags, p_info->size);
-
-	return PSA_SUCCESS;
-}
-
-psa_status_t psa_its_get(psa_storage_uid_t uid, uint32_t data_offset, uint32_t data_length,
-			 void *p_data, size_t *p_data_length)
-{
-	psa_its_item_t *p_item;
-	psa_its_pst_item_t *p_pst_item;
-
-	LOG_DBG("get uid: %llu", uid);
-
-	p_item = get_item_by_uid(uid);
-	if (p_item == NULL) {
-		return PSA_ERROR_DOES_NOT_EXIST;
-	}
-
-	p_pst_item = &p_item->pst_item;
-
-	if (data_offset > p_pst_item->size) {
-		return PSA_ERROR_DATA_CORRUPT;
-	}
-
-	*p_data_length = MIN(p_pst_item->size - data_offset, data_length);
-	memcpy(p_data, p_pst_item->data + data_offset, *p_data_length);
-
-	return PSA_SUCCESS;
-}
-
-psa_status_t psa_its_set(psa_storage_uid_t uid, uint32_t data_length, const void *p_data,
-			 psa_storage_create_flags_t create_flags)
-{
-	char path[40];
-	psa_its_item_t *p_item;
-	psa_its_pst_item_t *p_pst_item;
-	psa_status_t status = PSA_SUCCESS;
-
-	LOG_DBG("Set uid: %llu, len: %lu", uid, data_length);
-
-	if (data_length > MAX_ITEM_LENGTH) {
-		LOG_ERR("Too long item data: %lu > " STRINGIFY(MAX_ITEM_LENGTH), data_length);
-	}
-
-	p_item = get_item_by_uid(uid);
-	if (p_item == NULL) {
-		p_item = get_item_by_uid(0ull);
-	}
-
-	if (p_item == NULL) {
-		return PSA_ERROR_STORAGE_FAILURE;
-	}
-
-	snprintk(path, sizeof(path), "itsemul/%llu", uid);
-
-	p_item->uid = uid;
-	p_pst_item = &p_item->pst_item;
-	p_pst_item->size = data_length;
-	p_pst_item->flags = create_flags;
-	memcpy(p_pst_item->data, p_data, data_length);
-
-	if (settings_save_one(path, p_pst_item, sizeof(psa_its_pst_item_t))) {
-		LOG_ERR("Failed to store its item: %s", path);
-		status = PSA_ERROR_STORAGE_FAILURE;
-	} else {
-		LOG_DBG("Stored its item: %s", path);
-	}
-
-	return status;
-}
-
-psa_status_t psa_its_remove(psa_storage_uid_t uid)
-{
-	char path[40];
-	psa_status_t status = PSA_SUCCESS;
-	psa_its_item_t *p_item;
-
-	LOG_DBG("remove uid: %llu", uid);
-
-	p_item = get_item_by_uid(uid);
-	if (p_item == NULL) {
-		return status;
-	}
-	memset(p_item, 0, sizeof(psa_its_item_t));
-
-	snprintk(path, sizeof(path), "itsemul/%llu", uid);
-
-	if (settings_delete(path)) {
-		LOG_ERR("Failed to remove its item: %s", path);
-		status = PSA_ERROR_STORAGE_FAILURE;
-	} else {
-		LOG_DBG("Removed its item: %s", path);
-	}
-
-	return status;
-}