
Secure Storage

Module scope

The Secure Storage module provides target storage with APIs that support:

  • Encryption.
  • Authentication of stored data.
  • Physical rollback protection.
  • Write-once data protection.

The pal_sst.h header declares the secure storage functions.

Note: Device Management Client offers secure storage for targets that do not have their own secure storage. You only need to port the Secure Storage module if you use your target's storage. For more information, see Secure Storage dependencies.

Prerequisites for this porting stage

The target's storage must:

  • Encrypt stored data when the PAL_SST_CONFIDENTIALITY_FLAG flag is set in the pal_SSTSet API.
  • Authenticate all stored data.
  • Protect data against overwrite or deletion by enforcing a write-once policy when the PAL_SST_WRITE_ONCE_FLAG flag is set in the pal_SSTSet API, and return a PAL_ERR_SST_WRITE_PROTECTED error when the pal_SSTSet or pal_SSTDelete APIs are called on protected items.
  • Protect against physical rollback or removal of an item (that is, rollback or removal performed without using an API).
  • Write and retrieve empty items (items with no value set).
  • Support item names that include alphanumeric values and ., -, and _ characters. You may need to add support for other characters.
  • Overwrite a stored item when executing the pal_SSTSet API, without throwing an error, unless the item is write-once-protected.
  • Provide iterator APIs.
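
The set, overwrite, write-once, empty-item and item-name rules above can be pinned down as a small in-memory model to compare a port against. This is an added example, not PAL code: the model_* functions and the MODEL_* constants and their values are hypothetical stand-ins, and encryption, authentication, rollback protection and iterators are not modelled.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Stand-in constants for this model only; the real values come from pal_sst.h. */
#define MODEL_WRITE_ONCE_FLAG 0x1u
enum { MODEL_OK = 0, MODEL_ERR_WRITE_PROTECTED = -1, MODEL_ERR_INVALID = -2,
       MODEL_ERR_NOT_FOUND = -3, MODEL_ERR_FULL = -4 };
enum { MAX_ITEMS = 8, MAX_NAME = 32, MAX_DATA = 64 };
typedef struct { char name[MAX_NAME]; uint8_t data[MAX_DATA]; size_t len;
                 uint32_t flags; int used; } item_t;
static item_t store[MAX_ITEMS];

/* Names: alphanumerics plus '.', '-', '_' (this model rejects everything else). */
static int name_ok(const char *n) {
    if (!n || !*n || strlen(n) >= MAX_NAME) return 0;
    for (; *n; n++)
        if (!isalnum((unsigned char)*n) && !strchr(".-_", *n)) return 0;
    return 1;
}
static item_t *find(const char *name) {
    for (int i = 0; i < MAX_ITEMS; i++)
        if (store[i].used && strcmp(store[i].name, name) == 0) return &store[i];
    return NULL;
}
/* Set: overwrite without error unless the stored item is write-once; len 0 is valid. */
int model_set(const char *name, const void *buf, size_t len, uint32_t flags) {
    if (!name_ok(name) || len > MAX_DATA || (len && !buf)) return MODEL_ERR_INVALID;
    item_t *it = find(name);
    if (it && (it->flags & MODEL_WRITE_ONCE_FLAG)) return MODEL_ERR_WRITE_PROTECTED;
    for (int i = 0; !it && i < MAX_ITEMS; i++)
        if (!store[i].used) it = &store[i];
    if (!it) return MODEL_ERR_FULL;
    strcpy(it->name, name);               /* length already bounded by name_ok() */
    if (len) memcpy(it->data, buf, len);
    it->len = len; it->flags = flags; it->used = 1;
    return MODEL_OK;
}
/* Delete: refused for write-once items with the same error as a protected set. */
int model_delete(const char *name) {
    item_t *it = name_ok(name) ? find(name) : NULL;
    if (!it) return MODEL_ERR_NOT_FOUND;
    if (it->flags & MODEL_WRITE_ONCE_FLAG) return MODEL_ERR_WRITE_PROTECTED;
    it->used = 0;
    return MODEL_OK;
}
long model_len(const char *name) { /* stored length; 0 means an empty item */
    item_t *it = name_ok(name) ? find(name) : NULL;
    return it ? (long)it->len : MODEL_ERR_NOT_FOUND;
}
```
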

Porting result

After successfully porting the Secure Storage module, ensure that all tests pass. See the Tests section for more information.

Reference implementations

Mbed OS secure storage

PAL provides a reference implementation for Mbed OS secure storage generic functionality: pal_plat_sst_impl.c, located in Source/Port/Reference-Impl/Generic/SST/kvstore_impl/.