The Secure Storage module provides target storage with APIs that support:
- Authentication of stored data.
- Physical rollback protection.
- Write-once data protection.
pal_sst.h header declares the secure storage functions.
Note: Device Management Client offers secure storage for targets that do not have their own secure storage. You only need to port the Secure Storage module if you use your target's storage. For more additional information, see Secure Storage dependencies.
Prerequisites for this porting stage
The target's storage must:
- Encrypt stored data when the
PAL_SST_CONFIDENTIALITY_FLAGflag is set in the
- Authenticate all stored data.
- Protect data overwrite or deletion by enforcing a write-once policy when the
PAL_SST_WRITE_ONCE_FLAGflag is set in the
pal_SSTSetAPI, and return a
PAL_ERR_SST_WRITE_PROTECTEDerror when the
pal_SSTDeleteAPIs are called on protected items.
- Protect against physical rollback, or removal of an item (not using an API).
- Write and retrieve empty items without set values.
- Support item names that include alphanumeric values and
_characters. You may need to add support for other characters.
- Overwrite a stored item when executing the
pal_SSTSetAPI, without throwing an error, unless the item is write-once-protected.
- Provide iterator APIs.
After successfully porting the Secure Storage module, ensure that all tests pass. See the Tests section for more information.
Mbed OS secure storage
PAL provides a reference implementation for Mbed OS secure storage generic functionality:
pal_plat_sst_impl.c, located in