Revert "[nrf noup] bootutil: key revocation"

This reverts commit 6227d66.

Author: michalek-no

boot/bootutil/include/bootutil/key_revocation.h

@@ -32,11 +32,6 @@ static psa_key_id_t kmu_key_ids[3] =  {
     MAKE_PSA_KMU_KEY_ID(230)
 };
 
-#if defined(CONFIG_BOOT_KMU_KEYS_REVOCATION)
-#include <bootutil/key_revocation.h>
-static psa_key_id_t *validated_with = NULL;
-#endif
-
 BUILD_ASSERT(CONFIG_BOOT_SIGNATURE_KMU_SLOTS <= ARRAY_SIZE(kmu_key_ids),
 	     "Invalid number of KMU slots, up to 3 are supported on nRF54L15");
 #endif
@@ -121,9 +116,6 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
                                     EDDSA_SIGNAGURE_LENGTH);
         if (status == PSA_SUCCESS) {
             ret = 1;
-#if defined(CONFIG_BOOT_KMU_KEYS_REVOCATION)
-            validated_with = kmu_key_ids + i;
-#endif
             break;
         }
 
@@ -132,37 +124,4 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
 
     return ret;
 }
-#if defined(CONFIG_BOOT_KMU_KEYS_REVOCATION)
-int exec_revoke(void)
-{
-    int ret = BOOT_KEY_REVOKE_OK;
-    psa_status_t status = psa_crypto_init();
-
-    if (!validated_with) {
-        ret = BOOT_KEY_REVOKE_INVALID;
-        goto out;
-    }
-
-    if (status != PSA_SUCCESS) {
-            BOOT_LOG_ERR("PSA crypto init failed with error %d", status);
-            ret = BOOT_KEY_REVOKE_FAILED;
-            goto out;
-    }
-    for (int i = 0; i < CONFIG_BOOT_SIGNATURE_KMU_SLOTS; i++) {
-        if ((kmu_key_ids + i) == validated_with) {
-            break;
-        }
-        BOOT_LOG_DBG("Invalidating key ID %d", i);
-
-        status = psa_destroy_key(kmu_key_ids[i]);
-        if (status == PSA_SUCCESS) {
-            BOOT_LOG_DBG("Success on key ID %d", i);
-        } else {
-            BOOT_LOG_ERR("Key invalidation failed with: %d", status);
-        }
-    }
-out:
-    return ret;
-}
-#endif /* CONFIG_BOOT_KMU_KEYS_REVOCATION */
 #endif

boot/bootutil/src/ed25519_psa.c

@@ -80,10 +80,6 @@ int pcd_version_cmp_net(const struct flash_area *fap, struct image_header *hdr);
 
 #include "mcuboot_config/mcuboot_config.h"
 
-#if defined(CONFIG_BOOT_KEYS_REVOCATION)
-#include "bootutil/key_revocation.h"
-#endif
-
 BOOT_LOG_MODULE_DECLARE(mcuboot);
 
 static struct boot_loader_state boot_data;
@@ -3063,11 +3059,6 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp)
         }
     }
 
-#if defined(CONFIG_BOOT_KEYS_REVOCATION)
-    if (BOOT_SWAP_TYPE(state) == BOOT_SWAP_TYPE_NONE) {
-        allow_revoke();
-    }
-#endif
     /* Iterate over all the images. At this point all required update operations
      * have finished. By the end of the loop each image in the primary slot will
      * have been re-validated.
@@ -3176,13 +3167,6 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp)
     fill_rsp(state, rsp);
 
     fih_rc = FIH_SUCCESS;
-#if defined(CONFIG_BOOT_KEYS_REVOCATION)
-    rc = revoke();
-    if (rc != BOOT_KEY_REVOKE_OK &&
-        rc != BOOT_KEY_REVOKE_NOT_READY) {
-        FIH_SET(fih_rc, FIH_FAILURE);
-    }
-#endif /* CONFIG_BOOT_KEYS_REVOCATION */
 out:
     /*
      * Since the boot_status struct stores plaintext encryption keys, reset

boot/bootutil/src/key_revocation.c

@@ -104,12 +104,6 @@ if(DEFINED CONFIG_BOOT_SHARE_BACKEND_RETENTION)
     )
 endif()
 
-if(DEFINED CONFIG_BOOT_KEYS_REVOCATION)
-  zephyr_library_sources(
-    ${BOOT_DIR}/bootutil/src/key_revocation.c
-)
-endif()
-
 # Generic bootutil sources and includes.
 zephyr_library_include_directories(${BOOT_DIR}/bootutil/include)
 zephyr_library_sources(

boot/bootutil/src/loader.c

@@ -358,18 +358,6 @@ config BOOT_SIGNATURE_KMU_SLOTS
 
 endif
 
-config BOOT_KEYS_REVOCATION
-	bool "Auto revoke previous gen key"
-	help
-	  Automatically revoke previous generation key upon new valid key usage.
-
-config BOOT_KMU_KEYS_REVOCATION
-	bool
-	depends on BOOT_KEYS_REVOCATION
-	default y if BOOT_SIGNATURE_USING_KMU
-	help
-	  Enabling KMU key revocation backend.
-
 if !BOOT_SIGNATURE_USING_KMU
 
 config BOOT_SIGNATURE_KEY_FILE