diff --git a/doc/releases/migration-guide-4.4.rst b/doc/releases/migration-guide-4.4.rst index b767f9541915c..88ec78978611e 100644 --- a/doc/releases/migration-guide-4.4.rst +++ b/doc/releases/migration-guide-4.4.rst @@ -529,6 +529,15 @@ Other subsystems * Use :kconfig:option:`CONFIG_CACHE_HAS_MIRRORED_MEMORY_REGIONS` instead of :kconfig:option:`CONFIG_CACHE_DOUBLEMAP` as the former is more descriptive of the feature. +Flash +===== + +* Previously deprecated ``CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS`` is now + removed. + +* ``CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA`` is also removed since there is + now no alternative for the crypto library backend. + JWT === diff --git a/subsys/storage/flash_map/Kconfig b/subsys/storage/flash_map/Kconfig index 83d2f27136955..cc18b5d0f353f 100644 --- a/subsys/storage/flash_map/Kconfig +++ b/subsys/storage/flash_map/Kconfig @@ -31,6 +31,8 @@ config FLASH_MAP_CUSTOM config FLASH_AREA_CHECK_INTEGRITY bool "Flash check functions" + select PSA_CRYPTO + select PSA_WANT_ALG_SHA_256 help If enabled, there will be available the backend to check flash integrity using SHA-256 verification algorithm. @@ -42,29 +44,4 @@ config FLASH_MAP_LABELS at runtime. The available labels will also be displayed in the flash_map list shell command. -if FLASH_AREA_CHECK_INTEGRITY - -choice FLASH_AREA_CHECK_INTEGRITY_BACKEND - prompt "Crypto backend for the flash check functions" - default FLASH_AREA_CHECK_INTEGRITY_PSA - -config FLASH_AREA_CHECK_INTEGRITY_PSA - bool "Use PSA" - select PSA_WANT_ALG_SHA_256 - select PSA_CRYPTO - help - Use the PSA API to perform the integrity check. - -config FLASH_AREA_CHECK_INTEGRITY_MBEDTLS - bool "Use Mbed TLS [DEPRECATED]" - select MBEDTLS - select MBEDTLS_SHA256 - select DEPRECATED - help - Use the Mbed TLS library to perform the integrity check. - -endchoice - -endif # FLASH_AREA_CHECK_INTEGRITY - endif diff --git a/subsys/storage/flash_map/flash_map_integrity.c b/subsys/storage/flash_map/flash_map_integrity.c index 7e512e759db26..feefc2761d8b1 100644 --- a/subsys/storage/flash_map/flash_map_integrity.c +++ b/subsys/storage/flash_map/flash_map_integrity.c @@ -18,25 +18,14 @@ #include "flash_map_priv.h" #include #include - -#define SHA256_DIGEST_SIZE 32 -#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA) #include -#define SUCCESS_VALUE PSA_SUCCESS -#else -#include -#define SUCCESS_VALUE 0 -#endif int flash_area_check_int_sha256(const struct flash_area *fa, const struct flash_area_check *fac) { - unsigned char hash[SHA256_DIGEST_SIZE]; -#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA) + unsigned char hash[PSA_HASH_LENGTH(PSA_ALG_SHA_256)]; psa_hash_operation_t hash_ctx; -#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */ - mbedtls_sha256_context hash_ctx; -#endif + size_t hash_len; int to_read; int pos; int rc; @@ -50,14 +39,9 @@ int flash_area_check_int_sha256(const struct flash_area *fa, return -EINVAL; } -#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA) hash_ctx = psa_hash_operation_init(); rc = psa_hash_setup(&hash_ctx, PSA_ALG_SHA_256); -#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */ - mbedtls_sha256_init(&hash_ctx); - rc = mbedtls_sha256_starts(&hash_ctx, false); -#endif - if (rc != SUCCESS_VALUE) { + if (rc != PSA_SUCCESS) { return -ESRCH; } @@ -74,44 +58,25 @@ int flash_area_check_int_sha256(const struct flash_area *fa, goto error; } -#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA) rc = psa_hash_update(&hash_ctx, fac->rbuf, to_read); -#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */ - rc = mbedtls_sha256_update(&hash_ctx, fac->rbuf, to_read); -#endif - if (rc != SUCCESS_VALUE) { + if (rc != PSA_SUCCESS) { rc = -ESRCH; goto error; } } -#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA) - size_t hash_len; - rc = psa_hash_finish(&hash_ctx, hash, sizeof(hash), &hash_len); -#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */ - rc = mbedtls_sha256_finish(&hash_ctx, hash); -#endif - if (rc != SUCCESS_VALUE) { + if (rc != PSA_SUCCESS) { rc = -ESRCH; goto error; } - if (memcmp(hash, fac->match, SHA256_DIGEST_SIZE)) { -#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA) + if (memcmp(hash, fac->match, sizeof(hash))) { /* The operation has already been terminated. */ return -EILSEQ; -#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */ - rc = -EILSEQ; - goto error; -#endif } error: -#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA) psa_hash_abort(&hash_ctx); -#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */ - mbedtls_sha256_free(&hash_ctx); -#endif return rc; } diff --git a/tests/subsys/storage/flash_map/overlay-integrity-check.conf b/tests/subsys/storage/flash_map/overlay-integrity-check.conf new file mode 100644 index 0000000000000..4a6f3846fdb3a --- /dev/null +++ b/tests/subsys/storage/flash_map/overlay-integrity-check.conf @@ -0,0 +1,2 @@ +CONFIG_FLASH_AREA_CHECK_INTEGRITY=y +CONFIG_TEST_RANDOM_GENERATOR=y diff --git a/tests/subsys/storage/flash_map/overlay-mbedtls.conf b/tests/subsys/storage/flash_map/overlay-mbedtls.conf deleted file mode 100644 index 2b8aef9e908d3..0000000000000 --- a/tests/subsys/storage/flash_map/overlay-mbedtls.conf +++ /dev/null @@ -1,2 +0,0 @@ -CONFIG_FLASH_AREA_CHECK_INTEGRITY=y -CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS=y diff --git a/tests/subsys/storage/flash_map/overlay-psa.conf b/tests/subsys/storage/flash_map/overlay-psa.conf deleted file mode 100644 index 03d88c4b53054..0000000000000 --- a/tests/subsys/storage/flash_map/overlay-psa.conf +++ /dev/null @@ -1,5 +0,0 @@ -CONFIG_FLASH_AREA_CHECK_INTEGRITY=y -CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA=y -CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_PSA_CRYPTO_C=y -CONFIG_TEST_RANDOM_GENERATOR=y diff --git a/tests/subsys/storage/flash_map/testcase.yaml b/tests/subsys/storage/flash_map/testcase.yaml index fd381e6034a8b..4cc3d9fdd3ee5 100644 --- a/tests/subsys/storage/flash_map/testcase.yaml +++ b/tests/subsys/storage/flash_map/testcase.yaml @@ -26,23 +26,8 @@ tests: integration_platforms: - nrf52840dk/nrf52840 tags: flash_map - storage.flash_map_sha.mbedtls: - extra_args: EXTRA_CONF_FILE=overlay-mbedtls.conf - platform_allow: - - nrf51dk/nrf51822 - - qemu_x86 - - native_sim - - native_sim/native/64 - - mr_canhubk3 - - s32z2xxdc2/s32z270/rtu0 - - s32z2xxdc2/s32z270/rtu1 - - s32z2xxdc2@D/s32z270/rtu0 - - s32z2xxdc2@D/s32z270/rtu1 - tags: flash_map - integration_platforms: - - native_sim storage.flash_map_sha.psa: - extra_args: EXTRA_CONF_FILE=overlay-psa.conf + extra_args: EXTRA_CONF_FILE=overlay-integrity-check.conf platform_allow: - nrf51dk/nrf51822 - native_sim