Bluetooth: Mesh: use secure storage in ble mesh

[alxelax]

PR:

• adds dependency of the mbedtls psa usage on secure storage
• removes PSA ITS emulator and enables usage of
  the secure storage in ble mesh bsim tests
• enables secure storage in all ble mesh and related samples

[tomi-font]

Might also be worth a migration guide entry to indicate that it's now necessary to select the affected Kconfig options for the secure storage subsystem.

[sjanc]

#AutoPTS run zephyr nrf52 MESH/NODE/KR/BV-01-C DFUM/SR/FD/BV-01-C

[codecoup-tester]

Scheduled PR #82319 (comment), board: nrf52, estimated start time: 14:43:31, test case count: 2, estimated duration: 0:04:49

Test cases to be run

DFUM/SR/FD/BV-01-C
MESH/NODE/KR/BV-01-C

[codecoup-tester]

AutoPTS Bot results:

Failed tests (1)

MESH MESH/NODE/KR/BV-01-C FAIL

Successful tests (1)

DFUM DFUM/SR/FD/BV-01-C PASS

[alxelax]

Hi @tomi-font, seems yml files those are used to check secure storage samples and tests use twister filter feature that doesn't work properly.
Dependencies those were initially added (and later changed to even more strict dependencies) do not prevent building tests and samples for platforms without FLASH.
You can take a look, almost all twister CI steps cannot pass.

Since I'm not an expert in secure storage, I'd like to get any ideas how to solve this issue.
My suggestion is to use list of allowed platforms instead of filters.

[tomi-font]

@alxelax It rather looks like the problems are caused by the changes in your PR. Failures in this PR pass locally on main. Also for instance a recent fixup PR had green CI.
Right now I don't have the bandwidth to look into fixing this myself, but I suggest you the following:

• Rebase your PR on the latest main.
• Don't, for instance, change the not CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_NONE part of the filter by CONFIG_FLASH_HAS_DRIVER_ENABLED as you currently do in the samples' YAML files. It will for sure provoke failures. CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION has more complex filtering than just FLASH_HAS_DRIVER_ENABLED because I found out that just this Kconfig option wasn't enough (thus the check for DT properties).
• secure_storage.psa.its.secure_storage.custom.store doesn't require flash as the custom store implementation is RAM-based. Same applies to secure_storage.psa.its.secure_storage.custom.both.
• I'm pretty sure you don't want to use FLASH_HAS_DRIVER_ENABLED at all in the filters. You want to use the Kconfig option that corresponds to the ITS store module implementation that is expected to be used (ZMS or settings or just "not none"). The filtering is handled in those Kconfig options.

[alxelax]

@tomi-font, I removed my changes from filters, but you can see they still do not work. Twister runs Secure storage tests on platforms without Flash (it was the initial reason why I added direct dependency on Flash driver presence). Those obviously are not built.
It seems to me like filters do not work properly.
Any ideas?

[alxelax]

@tomi-font, I removed NVS and FLASH dependency for sample tests. Seems filters do not work. Now it passes for all platforms those sneak over filters. Really do not want to fix secure storage test system.

Just gave up to adapt secure storage tests and made changes only in mesh related code with depends on SECURE_STORAGE

[HaavardRei]

The commit title says "use psa crypto storage in mesh bsim", but you change files in modules/, samples/, subsys/.../Kconfig and tests/. Maybe this can be split into three? (Modules, samples/Kconfig and bsim, or something like this)

[alxelax]

The commit title says "use psa crypto storage in mesh bsim", but you change files in modules/, samples/, subsys/.../Kconfig and tests/. Maybe this can be split into three? (Modules, samples/Kconfig and bsim, or something like this)

Almost all changes are related. It is not possible to remove its emulator and start using secure storage directly without changes in modules/, subsys/ and tests/. It is possible to tract changes in samples/ as more or less independent. However, I do not see big advantages to split it as separate commit since they do not have sense without changes in subsys/.../Kconfig.

I will add more description details in commit message for better understanding.