zephyrproject-rtos · fabiobaltieri · Jan 22, 2026 · Jan 9, 2026 · Jan 9, 2026 · Jan 9, 2026
diff --git a/doc/releases/migration-guide-4.4.rst b/doc/releases/migration-guide-4.4.rst
@@ -529,6 +529,15 @@ Other subsystems
   * Use :kconfig:option:`CONFIG_CACHE_HAS_MIRRORED_MEMORY_REGIONS` instead of
     :kconfig:option:`CONFIG_CACHE_DOUBLEMAP` as the former is more descriptive of the feature.
 
+Flash
+=====
+
+* Previously deprecated ``CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS`` is now
+  removed.
+
+* ``CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA`` is also removed since there is
+  now no alternative for the crypto library backend.
+
 JWT
 ===
 

diff --git a/subsys/storage/flash_map/Kconfig b/subsys/storage/flash_map/Kconfig
@@ -31,6 +31,8 @@ config FLASH_MAP_CUSTOM
 
 config FLASH_AREA_CHECK_INTEGRITY
 	bool "Flash check functions"
+	select PSA_CRYPTO
+	select PSA_WANT_ALG_SHA_256
 	help
 	  If enabled, there will be available the backend to check flash
 	  integrity using SHA-256 verification algorithm.
@@ -42,29 +44,4 @@ config FLASH_MAP_LABELS
 	  at runtime. The available labels will also be displayed in the
 	  flash_map list shell command.
 
-if FLASH_AREA_CHECK_INTEGRITY
-
-choice FLASH_AREA_CHECK_INTEGRITY_BACKEND
-	prompt "Crypto backend for the flash check functions"
-	default FLASH_AREA_CHECK_INTEGRITY_PSA
-
-config FLASH_AREA_CHECK_INTEGRITY_PSA
-	bool "Use PSA"
-	select PSA_WANT_ALG_SHA_256
-	select PSA_CRYPTO
-	help
-	  Use the PSA API to perform the integrity check.
-
-config FLASH_AREA_CHECK_INTEGRITY_MBEDTLS
-	bool "Use Mbed TLS [DEPRECATED]"
-	select MBEDTLS
-	select MBEDTLS_SHA256
-	select DEPRECATED
-	help
-	  Use the Mbed TLS library to perform the integrity check.
-
-endchoice
-
-endif # FLASH_AREA_CHECK_INTEGRITY
-
 endif
diff --git a/subsys/storage/flash_map/flash_map_integrity.c b/subsys/storage/flash_map/flash_map_integrity.c
@@ -18,25 +18,14 @@
 #include "flash_map_priv.h"
 #include <zephyr/drivers/flash.h>
 #include <zephyr/init.h>
-
-#define SHA256_DIGEST_SIZE 32
-#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA)
 #include <psa/crypto.h>
-#define SUCCESS_VALUE PSA_SUCCESS
-#else
-#include <mbedtls/sha256.h>
-#define SUCCESS_VALUE 0
-#endif
 
 int flash_area_check_int_sha256(const struct flash_area *fa,
 				const struct flash_area_check *fac)
 {
-	unsigned char hash[SHA256_DIGEST_SIZE];
-#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA)
+	unsigned char hash[PSA_HASH_LENGTH(PSA_ALG_SHA_256)];
 	psa_hash_operation_t hash_ctx;
-#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */
-	mbedtls_sha256_context hash_ctx;
-#endif
+	size_t hash_len;
 	int to_read;
 	int pos;
 	int rc;
@@ -50,14 +39,9 @@ int flash_area_check_int_sha256(const struct flash_area *fa,
 		return -EINVAL;
 	}
 
-#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA)
 	hash_ctx = psa_hash_operation_init();
 	rc = psa_hash_setup(&hash_ctx, PSA_ALG_SHA_256);
-#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */
-	mbedtls_sha256_init(&hash_ctx);
-	rc = mbedtls_sha256_starts(&hash_ctx, false);
-#endif
-	if (rc != SUCCESS_VALUE) {
+	if (rc != PSA_SUCCESS) {
 		return -ESRCH;
 	}
 
@@ -74,44 +58,25 @@ int flash_area_check_int_sha256(const struct flash_area *fa,
 			goto error;
 		}
 
-#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA)
 		rc = psa_hash_update(&hash_ctx, fac->rbuf, to_read);
-#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */
-		rc = mbedtls_sha256_update(&hash_ctx, fac->rbuf, to_read);
-#endif
-		if (rc != SUCCESS_VALUE) {
+		if (rc != PSA_SUCCESS) {
 			rc = -ESRCH;
 			goto error;
 		}
 	}
 
-#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA)
-	size_t hash_len;
-
 	rc = psa_hash_finish(&hash_ctx, hash, sizeof(hash), &hash_len);
-#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */
-	rc = mbedtls_sha256_finish(&hash_ctx, hash);
-#endif
-	if (rc != SUCCESS_VALUE) {
+	if (rc != PSA_SUCCESS) {
 		rc = -ESRCH;
 		goto error;
 	}
 
-	if (memcmp(hash, fac->match, SHA256_DIGEST_SIZE)) {
-#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA)
+	if (memcmp(hash, fac->match, sizeof(hash))) {
 		/* The operation has already been terminated. */
 		return -EILSEQ;
-#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */
-		rc = -EILSEQ;
-		goto error;
-#endif
 	}
 
 error:
-#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA)
 	psa_hash_abort(&hash_ctx);
-#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */
-	mbedtls_sha256_free(&hash_ctx);
-#endif
 	return rc;
 }
diff --git a/tests/subsys/storage/flash_map/overlay-integrity-check.conf b/tests/subsys/storage/flash_map/overlay-integrity-check.conf
@@ -0,0 +1,2 @@
+CONFIG_FLASH_AREA_CHECK_INTEGRITY=y
+CONFIG_TEST_RANDOM_GENERATOR=y
diff --git a/tests/subsys/storage/flash_map/overlay-mbedtls.conf b/tests/subsys/storage/flash_map/overlay-mbedtls.conf
diff --git a/tests/subsys/storage/flash_map/overlay-psa.conf b/tests/subsys/storage/flash_map/overlay-psa.conf
diff --git a/tests/subsys/storage/flash_map/testcase.yaml b/tests/subsys/storage/flash_map/testcase.yaml
@@ -26,23 +26,8 @@ tests:
     integration_platforms:
       - nrf52840dk/nrf52840
     tags: flash_map
-  storage.flash_map_sha.mbedtls:
-    extra_args: EXTRA_CONF_FILE=overlay-mbedtls.conf
-    platform_allow:
-      - nrf51dk/nrf51822
-      - qemu_x86
-      - native_sim
-      - native_sim/native/64
-      - mr_canhubk3
-      - s32z2xxdc2/s32z270/rtu0
-      - s32z2xxdc2/s32z270/rtu1
-      - s32z2xxdc2@D/s32z270/rtu0
-      - s32z2xxdc2@D/s32z270/rtu1
-    tags: flash_map
-    integration_platforms:
-      - native_sim
   storage.flash_map_sha.psa:
-    extra_args: EXTRA_CONF_FILE=overlay-psa.conf
+    extra_args: EXTRA_CONF_FILE=overlay-integrity-check.conf
     platform_allow:
       - nrf51dk/nrf51822
       - native_sim
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		CONFIG_FLASH_AREA_CHECK_INTEGRITY=y
		CONFIG_TEST_RANDOM_GENERATOR=y