[nrf fromlist] bootutil: Fix PureEdDSA when flash base is not 0x0

boot/bootutil/src/image_validate.c

@@ -544,6 +544,9 @@ bootutil_img_validate(struct boot_loader_state *state,
 #endif
     int rc = 0;
     FIH_DECLARE(fih_rc, FIH_FAILURE);
+#if defined(MCUBOOT_SIGN_PURE)
+    uintptr_t base = 0;
+#endif
 #ifdef MCUBOOT_HW_ROLLBACK_PROT
     fih_int security_cnt = fih_int_encode(INT_MAX);
     uint32_t img_security_cnt = 0;
@@ -788,11 +791,16 @@ bootutil_img_validate(struct boot_loader_state *state,
             FIH_CALL(bootutil_verify_sig, valid_signature, hash, sizeof(hash),
                                                            buf, len, key_id);
 #else
+            rc = flash_device_base(flash_area_get_device_id(fap), &base);
+            if (rc != 0) {
+                goto out;
+            }
+
             /* Directly check signature on the image, by using the mapping of
              * a device to memory. The pointer is beginning of image in flash,
              * so offset of area, the range is header + image + protected tlvs.
              */
-            FIH_CALL(bootutil_verify_img, valid_signature, (void *)flash_area_get_off(fap),
+            FIH_CALL(bootutil_verify_img, valid_signature, (void *)(base + flash_area_get_off(fap)),
                      hdr->ih_hdr_size + hdr->ih_img_size + hdr->ih_protect_tlv_size,
                      buf, len, key_id);
 #endif

boot/zephyr/flash_map_extended.c

@@ -38,7 +38,7 @@ BOOT_LOG_MODULE_DECLARE(mcuboot);
 
 #elif (defined(CONFIG_SOC_SERIES_NRF54HX) && DT_HAS_CHOSEN(zephyr_flash))
 
-#define FLASH_DEVICE_ID SPI_FLASH_0_ID
+#define FLASH_DEVICE_ID SOC_FLASH_0_ID
 #define FLASH_DEVICE_BASE CONFIG_FLASH_BASE_ADDRESS
 #define FLASH_DEVICE_NODE DT_CHOSEN(zephyr_flash)
 

docs/release-notes.d/fix-pure-eddsa-base-address.md

@@ -0,0 +1,2 @@
+ - Fixed issue in image_validate when `BOOT_SIGNATURE_TYPE_PURE` is enabled
+   for platforms with NVM memory that does not start at 0x00.