Document the maximum key identifier

Give it a name and explain why it was chosen.

library/psa_crypto.c

@@ -871,7 +871,7 @@ psa_status_t psa_internal_make_key_persistent( psa_key_handle_t handle,
         return( PSA_ERROR_INVALID_ARGUMENT );
     /* Reject high values because the file names are reserved for the
      * library's internal use. */
-    if( id >= 0xffff0000 )
+    if( id >= PSA_MAX_PERSISTENT_KEY_IDENTIFIER )
         return( PSA_ERROR_INVALID_ARGUMENT );
 
     status = psa_get_key_slot( handle, &slot );

library/psa_crypto_storage.h

@@ -44,6 +44,23 @@ extern "C" {
  * inadvertently store an obscene amount of data) */
 #define PSA_CRYPTO_MAX_STORAGE_SIZE ( 30 * 1024 )
 
+/** The maximum permitted persistent slot number.
+ *
+ * In Mbed Crypto 0.1.0b:
+ * - Using the file backend, all key ids are ok except 0.
+ * - Using the ITS backend, all key ids are ok except 0xFFFFFF52
+ *   (#PSA_CRYPTO_ITS_RANDOM_SEED_UID) for which the file contains the
+ *   device's random seed (if this feature is enabled).
+ * - Only key ids from 1 to #PSA_KEY_SLOT_COUNT are actually used.
+ *
+ * Since we need to preserve the random seed, avoid using that key slot.
+ * Reserve a whole range of key slots just in case something else comes up.
+ *
+ * This limitation will probably become moot when we implement client
+ * separation for key storage.
+ */
+#define PSA_MAX_PERSISTENT_KEY_IDENTIFIER 0xffff0000
+
 /**
  * \brief Format key data and metadata and save to a location for given key
  *        slot.