psa: Add storage implementation for files

Add new functions, psa_load_persistent_key(),
psa_free_persistent_key_data(), and psa_save_persistent_key(), for
managing persistent keys. These functions load to or save from our
internal representation of key slots. Serialization is a concern of the
storage backend implementation and doesn't abstraction-leak into the
lifetime management code.

An initial implementation for files is provided. Additional storage
backends can implement this interface for other storage types.

19 files changed, 1004 insertions, 0 deletions

diff --git a/configs/config-psa-crypto.h b/configs/config-psa-crypto.h
index 870e335..27e9ef1 100644
--- a/configs/config-psa-crypto.h
+++ b/configs/config-psa-crypto.h
@@ -1523,6 +1523,31 @@
 #define MBEDTLS_PSA_CRYPTO_C
 
 /**
+ * \def MBEDTLS_PSA_CRYPTO_STORAGE_C
+ *
+ * Enable the Platform Security Architecture persistent key storage.
+ *
+ * Module:  library/psa_crypto_storage.c
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
+ *
+ */
+#define MBEDTLS_PSA_CRYPTO_STORAGE_C
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
+ *
+ * Enable persistent key storage over files for the
+ * Platform Security Architecture cryptography API.
+ *
+ * Module:  library/psa_crypto_storage_file.c
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_FS_IO
+ *
+ */
+#define MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
+
+/**
  * \def MBEDTLS_RIPEMD160_C
  *
  * Enable the RIPEMD-160 hash algorithm.
diff --git a/crypto/library/Makefile b/crypto/library/Makefile
index 9151662..5b963c5 100644
--- a/crypto/library/Makefile
+++ b/crypto/library/Makefile
@@ -45,6 +45,8 @@ OBJS_CRYPTO := \
 	platform.o \
 	platform_util.o \
 	psa_crypto.o \
+	psa_crypto_storage.o \
+	psa_crypto_storage_file.o \
 	ripemd160.o \
 	rsa_internal.o \
 	rsa.o \
diff --git a/crypto/tests/Makefile b/crypto/tests/Makefile
index b44b470..2f68e86 100644
--- a/crypto/tests/Makefile
+++ b/crypto/tests/Makefile
@@ -16,11 +16,13 @@ PYTHON ?= python
 APPS := \
 	test_suite_psa_crypto \
 	test_suite_psa_crypto_metadata \
+	test_suite_psa_crypto_storage_file \
 # Don't delete this line.
 
 # Look up for associated function files
 func.test_suite_psa_crypto := test_suite_psa_crypto
 func.test_suite_psa_crypto_metadata := test_suite_psa_crypto_metadata
+func.test_suite_psa_crypto_storage_file := test_suite_psa_crypto_storage_file
 
 .SILENT:
 
@@ -56,6 +58,7 @@ clean:
 test: $(APPS)
 	./test_suite_psa_crypto_metadata
 	./test_suite_psa_crypto
+	./test_suite_psa_crypto_storage_file
 
 # Create separate targets for generating embedded tests.
 EMBEDDED_TESTS := $(addprefix embedded_,$(APPS))
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 6eec2ad..f78e61b 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -506,6 +506,18 @@
 #error "MBEDTLS_PSA_CRYPTO_SPM defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) &&            \
+    !( defined(MBEDTLS_PSA_CRYPTO_C) &&           \
+       defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C) )
+#error "MBEDTLS_PSA_CRYPTO_STORAGE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C) &&            \
+    !( defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) &&           \
+       defined(MBEDTLS_FS_IO) )
+#error "MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C defined, but not all prerequisites"
+#endif
+
 #if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_BIGNUM_C) ||         \
     !defined(MBEDTLS_OID_C) )
 #error "MBEDTLS_RSA_C defined, but not all prerequisites"
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index cd256c3..2190ac5 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2617,6 +2617,31 @@
 #define MBEDTLS_PSA_CRYPTO_C
 
 /**
+ * \def MBEDTLS_PSA_CRYPTO_STORAGE_C
+ *
+ * Enable the Platform Security Architecture persistent key storage.
+ *
+ * Module:  library/psa_crypto_storage.c
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
+ *
+ */
+#define MBEDTLS_PSA_CRYPTO_STORAGE_C
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
+ *
+ * Enable persistent key storage over files for the
+ * Platform Security Architecture cryptography API.
+ *
+ * Module:  library/psa_crypto_storage_file.c
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_FS_IO
+ *
+ */
+#define MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
+
+/**
  * \def MBEDTLS_RIPEMD160_C
  *
  * Enable the RIPEMD-160 hash algorithm.
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 0c2ac88..04e404c 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -54,6 +54,8 @@ set(src_crypto
     platform_util.c
     poly1305.c
     psa_crypto.c
+    psa_crypto_storage.c
+    psa_crypto_storage_file.c
     ripemd160.c
     rsa.c
     rsa_internal.c
diff --git a/library/Makefile b/library/Makefile
index cf6750d..83afa66 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -82,6 +82,8 @@ OBJS_CRYPTO=	aes.o		aesni.o		arc4.o		\
 		pkcs5.o		pkparse.o	pkwrite.o	\
 		platform.o	platform_util.o	poly1305.o	\
 		psa_crypto.o					\
+		psa_crypto_storage.o				\
+		psa_crypto_storage_file.o			\
 		ripemd160.o	rsa_internal.o	rsa.o  		\
 		sha1.o		sha256.o	sha512.o	\
 		threading.o	timing.o	version.o	\
diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c
new file mode 100644
index 0000000..5285826
--- /dev/null
+++ b/library/psa_crypto_storage.c
@@ -0,0 +1,195 @@
+/*
+ *  PSA persistent key storage
+ */
+/*  Copyright (C) 2018, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if defined(MBEDTLS_CONFIG_FILE)
+#include MBEDTLS_CONFIG_FILE
+#else
+#include "mbedtls/config.h"
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "psa/crypto.h"
+#include "psa_crypto_storage.h"
+#include "psa_crypto_storage_backend.h"
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_calloc   calloc
+#define mbedtls_free     free
+#endif
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ]       )             \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE(n,b,i)                                    \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+typedef struct {
+    uint8_t version[4];
+    uint8_t type[sizeof( psa_key_type_t )];
+    uint8_t policy[sizeof( psa_key_policy_t )];
+    uint8_t data_len[4];
+    uint8_t key_data[];
+} psa_persistent_key_storage_format;
+
+void psa_format_key_data_for_storage( const uint8_t *data,
+                                      const size_t data_length,
+                                      const psa_key_type_t type,
+                                      const psa_key_policy_t *policy,
+                                      uint8_t *storage_data )
+{
+    psa_persistent_key_storage_format *storage_format =
+        (psa_persistent_key_storage_format *) storage_data;
+
+    PUT_UINT32_LE(0, storage_format->version, 0);
+    PUT_UINT32_LE(type, storage_format->type, 0);
+    PUT_UINT32_LE(policy->usage, storage_format->policy, 0);
+    PUT_UINT32_LE(policy->alg, storage_format->policy, sizeof( uint32_t ));
+    PUT_UINT32_LE(data_length, storage_format->data_len, 0);
+    memcpy( storage_format->key_data, data, data_length );
+}
+
+psa_status_t psa_parse_key_data_from_storage( const uint8_t *storage_data,
+                                              size_t storage_data_length,
+                                              uint8_t **key_data,
+                                              size_t *key_data_length,
+                                              psa_key_type_t *type,
+                                              psa_key_policy_t *policy )
+{
+    const psa_persistent_key_storage_format *storage_format =
+        (const psa_persistent_key_storage_format *)storage_data;
+    uint32_t version;
+
+    GET_UINT32_LE(version, storage_format->version, 0);
+    if( version != 0 )
+        return( PSA_ERROR_STORAGE_FAILURE );
+
+    GET_UINT32_LE(*key_data_length, storage_format->data_len, 0);
+    if( *key_data_length > ( storage_data_length - sizeof(*storage_format) ) ||
+        *key_data_length > PSA_CRYPTO_MAX_STORAGE_SIZE )
+        return( PSA_ERROR_STORAGE_FAILURE );
+
+    *key_data = mbedtls_calloc( 1, *key_data_length );
+    if( *key_data == NULL )
+        return( PSA_ERROR_INSUFFICIENT_MEMORY );
+
+    GET_UINT32_LE(*type, storage_format->type, 0);
+    GET_UINT32_LE(policy->usage, storage_format->policy, 0);
+    GET_UINT32_LE(policy->alg, storage_format->policy, sizeof( uint32_t ));
+
+    memcpy( *key_data, storage_format->key_data, *key_data_length );
+
+    return( PSA_SUCCESS );
+}
+
+psa_status_t psa_save_persistent_key( const psa_key_slot_t key,
+                                      const psa_key_type_t type,
+                                      const psa_key_policy_t *policy,
+                                      const uint8_t *data,
+                                      const size_t data_length )
+{
+    size_t storage_data_length;
+    uint8_t *storage_data;
+    psa_status_t status;
+
+    if( data_length > PSA_CRYPTO_MAX_STORAGE_SIZE )
+        return PSA_ERROR_INSUFFICIENT_STORAGE;
+    storage_data_length = data_length + sizeof( psa_persistent_key_storage_format );
+
+    storage_data = mbedtls_calloc( 1, storage_data_length );
+    if( storage_data == NULL )
+        return( PSA_ERROR_INSUFFICIENT_MEMORY );
+
+    psa_format_key_data_for_storage( data, data_length, type, policy,
+                                     storage_data );
+
+    status = psa_crypto_storage_store( key,
+                                       storage_data, storage_data_length );
+
+    mbedtls_free( storage_data );
+
+    return( status );
+}
+
+void psa_free_persistent_key_data( uint8_t *key_data, size_t key_data_length )
+{
+    if( key_data != NULL )
+    {
+        mbedtls_platform_zeroize( key_data, key_data_length );
+    }
+    mbedtls_free( key_data );
+}
+
+psa_status_t psa_load_persistent_key( psa_key_slot_t key,
+                                      psa_key_type_t *type,
+                                      psa_key_policy_t *policy,
+                                      uint8_t **data,
+                                      size_t *data_length )
+{
+    psa_status_t status = PSA_SUCCESS;
+    uint8_t *loaded_data;
+    size_t storage_data_length = 0;
+
+    status = psa_crypto_storage_get_data_length( key, &storage_data_length );
+    if( status != PSA_SUCCESS )
+        return( status );
+
+    loaded_data = mbedtls_calloc( 1, storage_data_length );
+
+    if( loaded_data == NULL )
+        return( PSA_ERROR_INSUFFICIENT_MEMORY );
+
+    status = psa_crypto_storage_load( key, loaded_data, storage_data_length );
+    if( status != PSA_SUCCESS )
+        goto exit;
+
+    status = psa_parse_key_data_from_storage( loaded_data, storage_data_length,
+                                              data, data_length, type, policy );
+
+exit:
+    mbedtls_free( loaded_data );
+    return( status );
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
diff --git a/library/psa_crypto_storage.h b/library/psa_crypto_storage.h
new file mode 100644
index 0000000..167b0db
--- /dev/null
+++ b/library/psa_crypto_storage.h
@@ -0,0 +1,177 @@
+/**
+ * \file psa_crypto_storage.h
+ *
+ * \brief PSA cryptography module: Mbed TLS key storage
+ */
+/*
+ *  Copyright (C) 2018, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef PSA_CRYPTO_STORAGE_H
+#define PSA_CRYPTO_STORAGE_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Include the Mbed TLS configuration file, the way Mbed TLS does it
+ * in each of its header files. */
+#if defined(MBEDTLS_CONFIG_FILE)
+#include MBEDTLS_CONFIG_FILE
+#else
+#include "mbedtls/config.h"
+#endif
+
+#include "psa/crypto.h"
+#include <stdint.h>
+
+/* Limit the maximum key size to 30kB (just in case someone tries to
+ * inadvertently store an obscene amount of data) */
+#define PSA_CRYPTO_MAX_STORAGE_SIZE ( 30 * 1024 )
+
+/**
+ * \brief Format key data and metadata and save to a location for given key
+ *        slot.
+ *
+ * This function formats the key data and metadata and saves it to a
+ * persistent storage backend. The storage location corresponding to the
+ * key slot must be empty, otherwise this function will fail. This function
+ * should be called after psa_import_key_into_slot() to ensure the
+ * persistent key is not saved into a storage location corresponding to an
+ * already occupied non-persistent key, as well as validating the key data.
+ *
+ *
+ * \param key           Slot number of the key to be stored. This must be a
+ *                      valid slot for a key of the chosen type. This should be
+ *                      an occupied key slot with an unoccupied corresponding
+ *                      storage location.
+ * \param type          Key type (a \c PSA_KEY_TYPE_XXX value).
+ * \param[in] policy    The key policy to save.
+ * \param[in] data      Buffer containing the key data.
+ * \param data_length   The number of bytes that make up the key data.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_INSUFFICIENT_STORAGE
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_save_persistent_key( const psa_key_slot_t key,
+                                      const psa_key_type_t type,
+                                      const psa_key_policy_t *policy,
+                                      const uint8_t *data,
+                                      const size_t data_length );
+
+/**
+ * \brief Parses key data and metadata and load persistent key for given
+ * key slot number.
+ *
+ * This function reads from a storage backend, parses the key data and
+ * metadata and writes them to the appropriate output parameters.
+ *
+ * Note: This function allocates a buffer and returns a pointer to it through
+ * the data parameter. psa_free_persistent_key_data() must be called after
+ * this function to zeroize and free this buffer, regardless of whether this
+ * function succeeds or fails.
+ *
+ * \param key               Slot number whose content is to be loaded. This
+ *                          must be an unoccupied key slot with an occupied
+ *                          corresponding storage location. The key slot
+ *                          lifetime must be set to persistent.
+ * \param[out] type         On success, the key type (a \c PSA_KEY_TYPE_XXX
+ *                          value).
+ * \param[out] policy       On success, the key's policy.
+ * \param[out] data         Pointer to an allocated key data buffer on return.
+ * \param[out] data_length  The number of bytes that make up the key data.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_load_persistent_key( psa_key_slot_t key,
+                                      psa_key_type_t *type,
+                                      psa_key_policy_t *policy,
+                                      uint8_t **data,
+                                      size_t *data_length );
+
+/**
+ * \brief Remove persistent data for the given key slot number.
+ *
+ * \param key           Slot number whose content is to be removed
+ *                      from persistent storage.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_destroy_persistent_key( const psa_key_slot_t key );
+
+/**
+ * \brief Zeroizes and frees the given buffer.
+ *
+ * This function must be called at some point after psa_load_persistent_key()
+ * to zeroize and free the memory allocated to the buffer in that function.
+ *
+ * \param key_data        Buffer for the key data.
+ * \param key_data_length Size of the key data buffer.
+ *
+ */
+void psa_free_persistent_key_data( uint8_t *key_data, size_t key_data_length );
+
+/**
+ * \brief Formats key data and metadata for persistent storage
+ *
+ * \param[in] data          Buffer for the key data.
+ * \param data_length       Length of the key data buffer.
+ * \param type              Key type (a \c PSA_KEY_TYPE_XXX value).
+ * \param policy            The key policy.
+ * \param[out] storage_data Output buffer for the formatted data.
+ *
+ */
+void psa_format_key_data_for_storage( const uint8_t *data,
+                                      const size_t data_length,
+                                      const psa_key_type_t type,
+                                      const psa_key_policy_t *policy,
+                                      uint8_t *storage_data );
+
+/**
+ * \brief Parses persistent storage data into key data and metadata
+ *
+ * \param[in] storage_data     Buffer for the storage data.
+ * \param storage_data_length  Length of the storage data buffer
+ * \param[out] key_data        On output, pointer to a newly allocated buffer
+ *                             containing the key data. This must be freed
+ *                             using psa_free_persistent_key_data()
+ * \param[out] key_data_length Length of the key data buffer
+ * \param[out] type            Key type (a \c PSA_KEY_TYPE_XXX value).
+ * \param[out] policy          The key policy.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_INSUFFICIENT_STORAGE
+ * \retval PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_parse_key_data_from_storage( const uint8_t *storage_data,
+                                              size_t storage_data_length,
+                                              uint8_t **key_data,
+                                              size_t *key_data_length,
+                                              psa_key_type_t *type,
+                                              psa_key_policy_t *policy );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* PSA_CRYPTO_STORAGE_H */
diff --git a/library/psa_crypto_storage_backend.h b/library/psa_crypto_storage_backend.h
new file mode 100644
index 0000000..3ca9a1d
--- /dev/null
+++ b/library/psa_crypto_storage_backend.h
@@ -0,0 +1,112 @@
+/**
+ * \file psa_crypto_storage_backend.h
+ *
+ * \brief PSA cryptography module: Mbed TLS key storage backend
+ */
+/*
+ *  Copyright (C) 2018, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef PSA_CRYPTO_STORAGE_BACKEND_H
+#define PSA_CRYPTO_STORAGE_BACKEND_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Include the Mbed TLS configuration file, the way Mbed TLS does it
+ * in each of its header files. */
+#if defined(MBEDTLS_CONFIG_FILE)
+#include MBEDTLS_CONFIG_FILE
+#else
+#include "mbedtls/config.h"
+#endif
+
+#include "psa/crypto.h"
+#include "psa_crypto_storage.h"
+#include <stdint.h>
+
+/**
+ * \brief Load persistent data for the given key slot number.
+ *
+ * This function reads data from a storage backend and returns the data in a
+ * buffer.
+ *
+ * \param key              Slot number whose content is to be loaded. This must
+ *                         be a key slot whose lifetime is set to persistent.
+ * \param[out] data        Buffer where the data is to be written.
+ * \param data_size        Size of the \c data buffer in bytes.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_crypto_storage_load( const psa_key_slot_t key, uint8_t *data,
+                                      size_t data_size );
+
+/**
+ * \brief Store persistent data for the given key slot number.
+ *
+ * This function stores the given data buffer to a persistent storage.
+ *
+ * \param key           Slot number whose content is to be stored.
+ * \param[in] data      Buffer containing the data to be stored.
+ * \param data_length   The number of bytes
+ *                      that make up the data.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_INSUFFICIENT_STORAGE
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_crypto_storage_store( const psa_key_slot_t key,
+                                       const uint8_t *data,
+                                       size_t data_length );
+
+/**
+ * \brief Checks if persistent data is stored for the given key slot number
+ *
+ * This function checks if any key data or metadata exists for the key slot in
+ * the persistent storage.
+ *
+ * \param key           Slot number whose content is to be checked.
+ *
+ * \retval 0
+ *         No persistent data present for slot number
+ * \retval 1
+ *         Persistent data present for slot number
+ */
+int psa_is_key_present_in_storage( const psa_key_slot_t key );
+
+/**
+ * \brief Get data length for given key slot number.
+ *
+ * \param key              Slot number whose stored data length is to be obtained.
+ * \param[out] data_length The number of bytes
+ *                         that make up the data.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_STORAGE_FAILURE
+ */
+psa_status_t psa_crypto_storage_get_data_length( const psa_key_slot_t key,
+                                                 size_t *data_length );
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* PSA_CRYPTO_STORAGE_H */
diff --git a/library/psa_crypto_storage_file.c b/library/psa_crypto_storage_file.c
new file mode 100644
index 0000000..03c711a
--- /dev/null
+++ b/library/psa_crypto_storage_file.c
@@ -0,0 +1,218 @@
+/*
+ *  PSA file storage backend for persistent keys
+ */
+/*  Copyright (C) 2018, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if defined(MBEDTLS_CONFIG_FILE)
+#include MBEDTLS_CONFIG_FILE
+#else
+#include "mbedtls/config.h"
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C)
+
+#include <string.h>
+
+#include "psa/crypto.h"
+#include "psa_crypto_storage_backend.h"
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_snprintf snprintf
+#endif
+
+/* This option sets where files are to be stored. If this is left unset,
+ * the files by default will be stored in the same location as the program,
+ * which may not be desired or possible. */
+#if !defined(CRYPTO_STORAGE_FILE_LOCATION)
+#define CRYPTO_STORAGE_FILE_LOCATION ""
+#endif
+
+enum { MAX_LOCATION_LEN = sizeof(CRYPTO_STORAGE_FILE_LOCATION) + 40 };
+
+static void key_slot_to_location( const psa_key_slot_t key,
+                                  char *location,
+                                  size_t location_size )
+{
+    mbedtls_snprintf( location, location_size,
+                      CRYPTO_STORAGE_FILE_LOCATION "psa_key_slot_%d", key );
+}
+
+psa_status_t psa_crypto_storage_load( const psa_key_slot_t key, uint8_t *data,
+                                      size_t data_size )
+{
+    psa_status_t status = PSA_SUCCESS;
+    FILE *file;
+    size_t num_read;
+    char slot_location[MAX_LOCATION_LEN];
+
+    key_slot_to_location( key, slot_location, MAX_LOCATION_LEN );
+    file = fopen( slot_location, "rb" );
+    if( file == NULL )
+    {
+        status = PSA_ERROR_STORAGE_FAILURE;
+        goto exit;
+    }
+    num_read = fread( data, 1, data_size, file );
+    if( num_read != data_size )
+        status = PSA_ERROR_STORAGE_FAILURE;
+
+exit:
+    if( file != NULL )
+        fclose( file );
+    return( status );
+}
+
+int psa_is_key_present_in_storage( const psa_key_slot_t key )
+{
+    char slot_location[MAX_LOCATION_LEN];
+    FILE *file;
+
+    key_slot_to_location( key, slot_location, MAX_LOCATION_LEN );
+
+    file = fopen( slot_location, "r" );
+    if( file == NULL )
+    {
+        /* File doesn't exist */
+        return( 0 );
+    }
+
+    fclose( file );
+    return( 1 );
+}
+
+psa_status_t psa_crypto_storage_store( const psa_key_slot_t key,
+                                       const uint8_t *data,
+                                       size_t data_length )
+{
+    psa_status_t status = PSA_SUCCESS;
+    int ret;
+    size_t num_written;
+    char slot_location[MAX_LOCATION_LEN];
+    FILE *file;
+    /* The storage location corresponding to "key slot 0" is used as a
+     * temporary location in order to make the apparition of the actual slot
+     * file atomic. 0 is not a valid key slot number, so this should not
+     * affect actual keys. */
+    const char *temp_location = CRYPTO_STORAGE_FILE_LOCATION "psa_key_slot_0";
+
+    key_slot_to_location( key, slot_location, MAX_LOCATION_LEN );
+
+    if( psa_is_key_present_in_storage( key ) == 1 )
+        return( PSA_ERROR_OCCUPIED_SLOT );
+
+    file = fopen( temp_location, "wb" );
+    if( file == NULL )
+    {
+        status = PSA_ERROR_STORAGE_FAILURE;
+        goto exit;
+    }
+
+    num_written = fwrite( data, 1, data_length, file );
+    if( num_written != data_length )
+    {
+        status = PSA_ERROR_STORAGE_FAILURE;
+        goto exit;
+    }
+
+    ret = fclose( file );
+    file = NULL;
+    if( ret != 0 )
+    {
+        status = PSA_ERROR_STORAGE_FAILURE;
+        goto exit;
+    }
+
+    if( rename( temp_location, slot_location ) != 0 )
+    {
+        status = PSA_ERROR_STORAGE_FAILURE;
+        goto exit;
+    }
+
+exit:
+    if( file != NULL )
+        fclose( file );
+    remove( temp_location );
+    return( status );
+}
+
+psa_status_t psa_destroy_persistent_key( const psa_key_slot_t key )
+{
+    FILE *file;
+    char slot_location[MAX_LOCATION_LEN];
+
+    key_slot_to_location( key, slot_location, MAX_LOCATION_LEN );
+
+    /* Only try remove the file if it exists */
+    file = fopen( slot_location, "rb" );
+    if( file != NULL )
+    {
+        fclose( file );
+
+        if( remove( slot_location ) != 0 )
+            return( PSA_ERROR_STORAGE_FAILURE );
+    }
+    return( PSA_SUCCESS );
+}
+
+psa_status_t psa_crypto_storage_get_data_length( const psa_key_slot_t key,
+                                                 size_t *data_length )
+{
+    psa_status_t status = PSA_SUCCESS;
+    FILE *file;
+    long file_size;
+    char slot_location[MAX_LOCATION_LEN];
+
+    key_slot_to_location( key, slot_location, MAX_LOCATION_LEN );
+
+    file = fopen( slot_location, "rb" );
+    if( file == NULL )
+        return( PSA_ERROR_EMPTY_SLOT );
+
+    if( fseek( file, 0, SEEK_END ) != 0 )
+    {
+        status = PSA_ERROR_STORAGE_FAILURE;
+        goto exit;
+    }
+
+    file_size = ftell( file );
+
+    if( file_size < 0 )
+    {
+        status = PSA_ERROR_STORAGE_FAILURE;
+        goto exit;
+    }
+
+#if LONG_MAX > SIZE_MAX
+    if( (unsigned long) file_size > SIZE_MAX )
+    {
+        status = PSA_ERROR_STORAGE_FAILURE;
+        goto exit;
+    }
+#endif
+    *data_length = (size_t) file_size;
+
+exit:
+    fclose( file );
+    return( status );
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C */
diff --git a/library/version_features.c b/library/version_features.c
index ffad82f..7ef8997 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -687,6 +687,12 @@ static const char *features[] = {
 #if defined(MBEDTLS_PSA_CRYPTO_C)
     "MBEDTLS_PSA_CRYPTO_C",
 #endif /* MBEDTLS_PSA_CRYPTO_C */
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
+    "MBEDTLS_PSA_CRYPTO_STORAGE_C",
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C)
+    "MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C",
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C */
 #if defined(MBEDTLS_RIPEMD160_C)
     "MBEDTLS_RIPEMD160_C",
 #endif /* MBEDTLS_RIPEMD160_C */
diff --git a/scripts/config.pl b/scripts/config.pl
index 2e4ac3b..69c6d5f 100755
--- a/scripts/config.pl
+++ b/scripts/config.pl
@@ -116,6 +116,8 @@ MBEDTLS_MEMORY_BACKTRACE
 MBEDTLS_MEMORY_BUFFER_ALLOC_C
 MBEDTLS_PLATFORM_TIME_ALT
 MBEDTLS_PLATFORM_FPRINTF_ALT
+MBEDTLS_PSA_CRYPTO_STORAGE_C
+MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
 );
 
 # Things that should be enabled in "full" even if they match @excluded
diff --git a/scripts/mbed_crypto.make b/scripts/mbed_crypto.make
index e5e6ded..ab54d55 100644
--- a/scripts/mbed_crypto.make
+++ b/scripts/mbed_crypto.make
@@ -70,6 +70,10 @@ LIB_FILES := \
 	platform.c \
 	platform_util.c \
 	psa_crypto.c \
+	psa_crypto_storage.h \
+	psa_crypto_storage.c \
+	psa_crypto_storage_backend.h \
+	psa_crypto_storage_file.c \
 	ripemd160.c \
 	rsa_internal.c \
 	rsa.c \
@@ -154,6 +158,8 @@ TEST_FILES := \
 	tests/suites/test_suite_psa_crypto_hash.function \
 	tests/suites/test_suite_psa_crypto_metadata.data \
 	tests/suites/test_suite_psa_crypto_metadata.function \
+	tests/suites/test_suite_psa_crypto_storage_file.data \
+	tests/suites/test_suite_psa_crypto_storage_file.function \
 # Don't delete this line.
 
 OTHER_FILES := \
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 89be6fe..7af7fcf 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -113,6 +113,7 @@ add_test_suite(poly1305)
 add_test_suite(psa_crypto)
 add_test_suite(psa_crypto_hash)
 add_test_suite(psa_crypto_metadata)
+add_test_suite(psa_crypto_storage_file)
 add_test_suite(shax)
 add_test_suite(ssl)
 add_test_suite(timing)
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 5b04d84..73152cf 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -644,6 +644,8 @@ scripts/config.pl unset MBEDTLS_PLATFORM_EXIT_ALT
 scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
 scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
 scripts/config.pl unset MBEDTLS_FS_IO
+scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
+scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C
 # Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19,
 # to re-enable platform integration features otherwise disabled in C99 builds
 make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -O0 -D_DEFAULT_SOURCE' lib programs
@@ -859,6 +861,8 @@ scripts/config.pl unset MBEDTLS_THREADING_PTHREAD
 scripts/config.pl unset MBEDTLS_THREADING_C
 scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
 scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
+scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C # depends on MBEDTLS_FS_IO
+scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
 make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -Wall -Wextra' lib
 
 msg "build: arm-none-eabi-gcc -DMBEDTLS_NO_UDBL_DIVISION, make" # ~ 10s
@@ -877,6 +881,8 @@ scripts/config.pl unset MBEDTLS_THREADING_C
 scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
 scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
 scripts/config.pl set MBEDTLS_NO_UDBL_DIVISION
+scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C # depends on MBEDTLS_FS_IO
+scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
 make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -Wall -Wextra' lib
 echo "Checking that software 64-bit division is not required"
 if_build_succeeded not grep __aeabi_uldiv library/*.o
@@ -897,6 +903,8 @@ scripts/config.pl unset MBEDTLS_THREADING_C
 scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
 scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
 scripts/config.pl set MBEDTLS_NO_64BIT_MULTIPLICATION
+scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C # depends on MBEDTLS_FS_IO
+scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
 make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -O1 -march=armv6-m -mthumb' lib
 echo "Checking that software 64-bit multiplication is not required"
 if_build_succeeded not grep __aeabi_lmul library/*.o
@@ -920,6 +928,8 @@ scripts/config.pl unset MBEDTLS_THREADING_C
 scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # execinfo.h
 scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
 scripts/config.pl unset MBEDTLS_PLATFORM_TIME_ALT # depends on MBEDTLS_HAVE_TIME
+scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C # depends on MBEDTLS_FS_IO
+scripts/config.pl unset MBEDTLS_PSA_CRYPTO_STORAGE_C # depends on MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
 
 if [ $RUN_ARMCC -ne 0 ]; then
     make CC="$ARMC5_CC" AR="$ARMC5_AR" WARNING_CFLAGS='--strict --c99' lib
diff --git a/tests/suites/test_suite_psa_crypto_storage_file.data b/tests/suites/test_suite_psa_crypto_storage_file.data
new file mode 100644
index 0000000..730e092
--- /dev/null
+++ b/tests/suites/test_suite_psa_crypto_storage_file.data
@@ -0,0 +1,43 @@
+PSA Storage Load verify loaded file
+depends_on:MBEDTLS_FS_IO
+load_data_from_file:1:"deadbeef":1:4:PSA_SUCCESS
+
+PSA Storage Load check slots dont share state
+depends_on:MBEDTLS_FS_IO
+load_data_from_file:2:"deadbeef":1:4:PSA_ERROR_STORAGE_FAILURE
+
+PSA Storage Load zero length file
+depends_on:MBEDTLS_FS_IO
+load_data_from_file:1:"":1:1:PSA_SUCCESS
+
+PSA Storage Load less than capacity of data buffer
+depends_on:MBEDTLS_FS_IO
+load_data_from_file:1:"deadbeef":1:5:PSA_SUCCESS
+
+PSA Storage Load nonexistent file location, should fail
+depends_on:MBEDTLS_FS_IO
+load_data_from_file:1:"deadbeef":0:4:PSA_ERROR_STORAGE_FAILURE
+
+PSA Storage Store verify stored file
+depends_on:MBEDTLS_FS_IO
+write_data_to_file:"deadbeef":PSA_SUCCESS
+
+PSA Storage Store into preexisting location, should fail
+depends_on:MBEDTLS_FS_IO
+write_data_to_prexisting_file:"psa_key_slot_1":"deadbeef":PSA_ERROR_OCCUPIED_SLOT
+
+PSA Storage Store, preexisting temp_location file, should succeed
+depends_on:MBEDTLS_FS_IO
+write_data_to_prexisting_file:"psa_key_slot_0":"deadbeef":PSA_SUCCESS
+
+PSA Storage Get data size verify data size
+depends_on:MBEDTLS_FS_IO
+get_file_size:"deadbeef":4:PSA_SUCCESS:1
+
+PSA Storage Get data size verify data size zero length file
+depends_on:MBEDTLS_FS_IO
+get_file_size:"":0:PSA_SUCCESS:1
+
+PSA Storage Get data size nonexistent file location, should fail
+depends_on:MBEDTLS_FS_IO
+get_file_size:"deadbeef":4:PSA_ERROR_EMPTY_SLOT:0
diff --git a/tests/suites/test_suite_psa_crypto_storage_file.function b/tests/suites/test_suite_psa_crypto_storage_file.function
new file mode 100644
index 0000000..b6dcad7
--- /dev/null
+++ b/tests/suites/test_suite_psa_crypto_storage_file.function
@@ -0,0 +1,159 @@
+/* BEGIN_HEADER */
+#include <stdint.h>
+#include "psa/crypto.h"
+#include "psa_crypto_storage_backend.h"
+
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE */
+void load_data_from_file( int slot_to_load, data_t *data, int should_make_file,
+                          int capacity_arg, int expected_status )
+{
+    char slot_location[] = "psa_key_slot_1";
+    psa_status_t status;
+    int ret;
+    size_t file_size = 0;
+    uint8_t *loaded_data = NULL;
+    size_t capacity = (size_t) capacity_arg;
+
+    if( should_make_file == 1 )
+    {
+        /* Create a file with data contents, with mask permissions. */
+        FILE *file;
+        file = fopen( slot_location, "wb+" );
+        TEST_ASSERT( file != NULL );
+        file_size = fwrite( data->x, 1, data->len, file );
+        TEST_ASSERT( file_size == data->len );
+        ret = fclose( file );
+        TEST_ASSERT( ret == 0 );
+    }
+
+    /* Read from the file with psa_crypto_storage_load. */
+    loaded_data = mbedtls_calloc( 1, capacity );
+    TEST_ASSERT( loaded_data != NULL );
+    status = psa_crypto_storage_load( (psa_key_slot_t) slot_to_load, loaded_data,
+                                   file_size );
+
+    /* Check we get the expected status. */
+    TEST_ASSERT( status == expected_status );
+    if( status != PSA_SUCCESS )
+        goto exit;
+
+    /* Check that the file data and data length is what we expect. */
+    ASSERT_COMPARE( data->x, data->len, loaded_data, file_size );
+
+exit:
+    mbedtls_free( loaded_data );
+    remove( slot_location );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void write_data_to_file( data_t *data, int expected_status )
+{
+    char slot_location[] = "psa_key_slot_1";
+    psa_status_t status;
+    int ret;
+    FILE *file;
+    size_t file_size;
+    size_t num_read;
+    uint8_t *loaded_data = NULL;
+
+    /* Write data to file. */
+    status = psa_crypto_storage_store( 1, data->x, data->len );
+
+    /* Check that we got the expected status. */
+    TEST_ASSERT( status == expected_status );
+    if( status != PSA_SUCCESS )
+        goto exit;
+
+    /* Check that the file length is what we expect */
+    file = fopen( slot_location, "rb" );
+    TEST_ASSERT( file != NULL );
+    fseek( file, 0, SEEK_END );
+    file_size = (size_t) ftell( file );
+    fseek( file, 0, SEEK_SET );
+    TEST_ASSERT( file_size == data->len );
+
+    /* Check that the file contents are what we expect */
+    loaded_data = mbedtls_calloc( 1, data->len );
+    TEST_ASSERT( loaded_data != NULL );
+
+    num_read = fread( loaded_data, 1, file_size, file );
+    TEST_ASSERT( num_read == file_size );
+    ASSERT_COMPARE( data->x, data->len, loaded_data, file_size );
+    ret = fclose( file );
+    TEST_ASSERT( ret == 0 );
+
+exit:
+    mbedtls_free( loaded_data );
+    remove( slot_location );
+}
+/* END_CASE */
+
+
+/* BEGIN_CASE */
+void get_file_size( data_t *data, int expected_data_length,
+                    int expected_status, int should_make_file )
+{
+    char slot_location[] = "psa_key_slot_1";
+    psa_status_t status;
+    int ret;
+    size_t file_size;
+
+    if( should_make_file )
+    {
+        /* Create a file with data contents, with mask permissions. */
+        FILE *file;
+        file = fopen( slot_location, "wb+" );
+        TEST_ASSERT( file != NULL );
+        file_size = fwrite( data->x, 1, data->len, file );
+        TEST_ASSERT( file_size == data->len );
+        ret = fclose( file );
+        TEST_ASSERT( ret == 0 );
+    }
+
+    /* Check get data size is what we expect */
+    status = psa_crypto_storage_get_data_length( 1, &file_size );
+    TEST_ASSERT( status == expected_status );
+    if( expected_status == PSA_SUCCESS )
+        TEST_ASSERT( file_size == (size_t)expected_data_length );
+
+exit:
+    remove( slot_location );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void write_data_to_prexisting_file( char *preexist_file_location,
+                                    data_t *data, int expected_status )
+{
+    char slot_location[] = "psa_key_slot_1";
+    psa_status_t status;
+    int ret;
+    FILE *file;
+
+    /* Create file first */
+    file = fopen( preexist_file_location, "wb" );
+    TEST_ASSERT( file != NULL );
+    ret = fclose( file );
+    TEST_ASSERT( ret == 0 );
+
+    /* Write data to file. */
+    status = psa_crypto_storage_store( 1, data->x, data->len );
+
+    /* Check that we got the expected status. */
+    TEST_ASSERT( status == expected_status );
+    if( status != PSA_SUCCESS )
+        goto exit;
+
+exit:
+    remove( preexist_file_location );
+    remove( slot_location );
+}
+/* END_CASE */
diff --git a/visualc/VS2010/mbedTLS.vcxproj b/visualc/VS2010/mbedTLS.vcxproj
index 301d333..91cf2f0 100644
--- a/visualc/VS2010/mbedTLS.vcxproj
+++ b/visualc/VS2010/mbedTLS.vcxproj
@@ -230,6 +230,8 @@
     <ClInclude Include="..\..\include\psa\crypto_platform.h" />

     <ClInclude Include="..\..\include\psa\crypto_sizes.h" />

     <ClInclude Include="..\..\include\psa\crypto_struct.h" />

+    <ClInclude Include="..\..\library/psa_crypto_storage.h" />

+    <ClInclude Include="..\..\library/psa_crypto_storage_backend.h" />

   </ItemGroup>

   <ItemGroup>

     <ClCompile Include="..\..\library\aes.c" />

@@ -287,6 +289,8 @@
     <ClCompile Include="..\..\library\platform_util.c" />

     <ClCompile Include="..\..\library\poly1305.c" />

     <ClCompile Include="..\..\library\psa_crypto.c" />

+    <ClCompile Include="..\..\library\psa_crypto_storage.c" />

+    <ClCompile Include="..\..\library\psa_crypto_storage_file.c" />

     <ClCompile Include="..\..\library\ripemd160.c" />

     <ClCompile Include="..\..\library\rsa.c" />

     <ClCompile Include="..\..\library\rsa_internal.c" />