diff --git a/doc/releases/migration-guide-4.3.rst b/doc/releases/migration-guide-4.3.rst index 135f02d3a033f..310ae9845f686 100644 --- a/doc/releases/migration-guide-4.3.rst +++ b/doc/releases/migration-guide-4.3.rst @@ -349,6 +349,13 @@ Shell compatibility. (:github:`92677`). +UpdateHub +========= + +* Legacy Mbed TLS as an option for crypto support has been removed and PSA Crypto is now used in all + cases. :kconfig:option:`CONFIG_UPDATEHUB` will automatically enable the Mbed TLS implementation of + PSA Crypto if TF-M is not enabled in the build. + .. zephyr-keep-sorted-stop Modules diff --git a/samples/subsys/mgmt/updatehub/overlay-psa.conf b/samples/subsys/mgmt/updatehub/overlay-psa.conf deleted file mode 100644 index 8a70becc92d37..0000000000000 --- a/samples/subsys/mgmt/updatehub/overlay-psa.conf +++ /dev/null @@ -1,2 +0,0 @@ -CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA=y -CONFIG_PSA_CRYPTO=y diff --git a/samples/subsys/mgmt/updatehub/sample.yaml b/samples/subsys/mgmt/updatehub/sample.yaml index 161cdb41327a0..7c4405ce7ed2f 100644 --- a/samples/subsys/mgmt/updatehub/sample.yaml +++ b/samples/subsys/mgmt/updatehub/sample.yaml @@ -19,13 +19,6 @@ tests: - CONFIG_UPDATEHUB_POLL_INTERVAL=1 - CONFIG_UPDATEHUB_CE=y - CONFIG_UPDATEHUB_SERVER="updatehub.io" - sample.net.updatehub.psa: - extra_args: EXTRA_CONF_FILE="overlay-psa.conf" - extra_configs: - - CONFIG_UPDATEHUB_PRODUCT_UID="e4d37cfe6ec48a2d069cc0bbb8b078677e9a0d8df3a027c4d8ea131130c4265f" - - CONFIG_UPDATEHUB_POLL_INTERVAL=1 - - CONFIG_UPDATEHUB_CE=y - - CONFIG_UPDATEHUB_SERVER="updatehub.io" sample.net.updatehub.userspace: extra_configs: - CONFIG_UPDATEHUB_PRODUCT_UID="e4d37cfe6ec48a2d069cc0bbb8b078677e9a0d8df3a027c4d8ea131130c4265f" diff --git a/subsys/mgmt/updatehub/Kconfig b/subsys/mgmt/updatehub/Kconfig index eb19b6442edc3..dca7aa4493694 100644 --- a/subsys/mgmt/updatehub/Kconfig +++ b/subsys/mgmt/updatehub/Kconfig @@ -17,8 +17,8 @@ menuconfig UPDATEHUB select REQUIRES_FULL_LIBC select IMG_ENABLE_IMAGE_CHECK select MPU_ALLOW_FLASH_WRITE - select MBEDTLS if !BUILD_WITH_TFM - select MBEDTLS_SHA256 if !PSA_CRYPTO_CLIENT + select PSA_CRYPTO + select PSA_WANT_ALG_SHA_256 help UpdateHub is an enterprise-grade solution which makes simple to remotely update all your embedded devices in the field. It diff --git a/subsys/mgmt/updatehub/updatehub.c b/subsys/mgmt/updatehub/updatehub.c index cd9bfbd247997..2cada59864ae6 100644 --- a/subsys/mgmt/updatehub/updatehub.c +++ b/subsys/mgmt/updatehub/updatehub.c @@ -61,7 +61,7 @@ static struct updatehub_context { struct coap_block_context block; struct k_sem semaphore; struct updatehub_storage_context storage_ctx; - updatehub_crypto_context_t crypto_ctx; + psa_hash_operation_t crypto_ctx; enum updatehub_response code_status; uint8_t hash[SHA256_BIN_DIGEST_SIZE]; uint8_t uri_path[MAX_PATH_SIZE]; @@ -113,7 +113,7 @@ static void prepare_fds(void) static int metadata_hash_get(char *metadata) { - updatehub_crypto_context_t local_crypto_ctx; + psa_hash_operation_t local_crypto_ctx; if (updatehub_integrity_init(&local_crypto_ctx)) { return -1; diff --git a/subsys/mgmt/updatehub/updatehub_integrity.c b/subsys/mgmt/updatehub/updatehub_integrity.c index dcebcf6d39d61..4a2f3a70c2473 100644 --- a/subsys/mgmt/updatehub/updatehub_integrity.c +++ b/subsys/mgmt/updatehub/updatehub_integrity.c @@ -9,40 +9,29 @@ LOG_MODULE_DECLARE(updatehub, CONFIG_UPDATEHUB_LOG_LEVEL); #include "updatehub_integrity.h" -#if defined(CONFIG_PSA_CRYPTO_CLIENT) -#define SUCCESS_VALUE PSA_SUCCESS -#else -#define SUCCESS_VALUE 0 -#endif - -int updatehub_integrity_init(updatehub_crypto_context_t *ctx) +int updatehub_integrity_init(psa_hash_operation_t *ctx) { - int ret; + psa_status_t status; if (ctx == NULL) { LOG_DBG("Invalid integrity context"); return -EINVAL; } -#if defined(CONFIG_PSA_CRYPTO_CLIENT) *ctx = psa_hash_operation_init(); - ret = psa_hash_setup(ctx, PSA_ALG_SHA_256); -#else - mbedtls_sha256_init(ctx); - ret = mbedtls_sha256_starts(ctx, false); -#endif - if (ret != SUCCESS_VALUE) { - LOG_DBG("Failed to %s SHA-256 operation. (%d)", "set up", ret); + status = psa_hash_setup(ctx, PSA_ALG_SHA_256); + if (status != PSA_SUCCESS) { + LOG_DBG("Failed to %s SHA-256 operation. (%d)", "set up", status); return -EFAULT; } return 0; } -int updatehub_integrity_update(updatehub_crypto_context_t *ctx, +int updatehub_integrity_update(psa_hash_operation_t *ctx, const uint8_t *buffer, const uint32_t len) { - int ret; + psa_status_t status; if (ctx == NULL || buffer == NULL) { return -EINVAL; @@ -53,30 +42,21 @@ int updatehub_integrity_update(updatehub_crypto_context_t *ctx, return 0; } -#if defined(CONFIG_PSA_CRYPTO_CLIENT) - ret = psa_hash_update(ctx, buffer, len); - if (ret != PSA_SUCCESS) { + status = psa_hash_update(ctx, buffer, len); + if (status != PSA_SUCCESS) { psa_hash_abort(ctx); - } -#else - ret = mbedtls_sha256_update(ctx, buffer, len); - if (ret != 0) { - mbedtls_sha256_free(ctx); - } -#endif - - if (ret != SUCCESS_VALUE) { - LOG_DBG("Failed to %s SHA-256 operation. (%d)", "update", ret); + LOG_DBG("Failed to %s SHA-256 operation. (%d)", "update", status); return -EFAULT; } return 0; } -int updatehub_integrity_finish(updatehub_crypto_context_t *ctx, +int updatehub_integrity_finish(psa_hash_operation_t *ctx, uint8_t *hash, const uint32_t size) { - int ret; + psa_status_t status; + size_t hash_len; if (ctx == NULL || hash == NULL) { return -EINVAL; @@ -87,19 +67,10 @@ int updatehub_integrity_finish(updatehub_crypto_context_t *ctx, return -EINVAL; } -#if defined(CONFIG_PSA_CRYPTO_CLIENT) - size_t hash_len; - - ret = psa_hash_finish(ctx, hash, size, &hash_len); - if (ret != PSA_SUCCESS) { + status = psa_hash_finish(ctx, hash, size, &hash_len); + if (status != PSA_SUCCESS) { psa_hash_abort(ctx); - } -#else - ret = mbedtls_sha256_finish(ctx, hash); - mbedtls_sha256_free(ctx); -#endif - if (ret != SUCCESS_VALUE) { - LOG_DBG("Failed to %s SHA-256 operation. (%d)", "finish", ret); + LOG_DBG("Failed to %s SHA-256 operation. (%d)", "finish", status); return -EFAULT; } diff --git a/subsys/mgmt/updatehub/updatehub_integrity.h b/subsys/mgmt/updatehub/updatehub_integrity.h index dcec7ecdb286c..e74afa397c8af 100644 --- a/subsys/mgmt/updatehub/updatehub_integrity.h +++ b/subsys/mgmt/updatehub/updatehub_integrity.h @@ -7,29 +7,19 @@ #ifndef __UPDATEHUB_INTEGRITY_H__ #define __UPDATEHUB_INTEGRITY_H__ -#if defined(CONFIG_PSA_CRYPTO_CLIENT) #include -#else -#include -#endif #ifdef __cplusplus extern "C" { #endif -#define SHA256_BIN_DIGEST_SIZE (32) +#define SHA256_BIN_DIGEST_SIZE PSA_HASH_LENGTH(PSA_ALG_SHA_256) #define SHA256_HEX_DIGEST_SIZE ((SHA256_BIN_DIGEST_SIZE * 2) + 1) -#if defined(CONFIG_PSA_CRYPTO_CLIENT) -typedef psa_hash_operation_t updatehub_crypto_context_t; -#else -typedef mbedtls_sha256_context updatehub_crypto_context_t; -#endif - -int updatehub_integrity_init(updatehub_crypto_context_t *ctx); -int updatehub_integrity_update(updatehub_crypto_context_t *ctx, +int updatehub_integrity_init(psa_hash_operation_t *ctx); +int updatehub_integrity_update(psa_hash_operation_t *ctx, const uint8_t *buffer, const uint32_t len); -int updatehub_integrity_finish(updatehub_crypto_context_t *ctx, +int updatehub_integrity_finish(psa_hash_operation_t *ctx, uint8_t *hash, const uint32_t size); #ifdef __cplusplus