zephyrproject-rtos · nashif · Oct 20, 2025 · Oct 15, 2025 · Oct 15, 2025 · Oct 15, 2025
diff --git a/doc/releases/migration-guide-4.3.rst b/doc/releases/migration-guide-4.3.rst
@@ -349,6 +349,13 @@ Shell
   compatibility.
   (:github:`92677`).
 
+UpdateHub
+=========
+
+* Legacy Mbed TLS as an option for crypto support has been removed and PSA Crypto is now used in all
+  cases. :kconfig:option:`CONFIG_UPDATEHUB` will automatically enable the Mbed TLS implementation of
+  PSA Crypto if TF-M is not enabled in the build.
+
 .. zephyr-keep-sorted-stop
 
 Modules

diff --git a/samples/subsys/mgmt/updatehub/overlay-psa.conf b/samples/subsys/mgmt/updatehub/overlay-psa.conf
diff --git a/samples/subsys/mgmt/updatehub/sample.yaml b/samples/subsys/mgmt/updatehub/sample.yaml
@@ -19,13 +19,6 @@ tests:
       - CONFIG_UPDATEHUB_POLL_INTERVAL=1
       - CONFIG_UPDATEHUB_CE=y
       - CONFIG_UPDATEHUB_SERVER="updatehub.io"
-  sample.net.updatehub.psa:
-    extra_args: EXTRA_CONF_FILE="overlay-psa.conf"
-    extra_configs:
-      - CONFIG_UPDATEHUB_PRODUCT_UID="e4d37cfe6ec48a2d069cc0bbb8b078677e9a0d8df3a027c4d8ea131130c4265f"
-      - CONFIG_UPDATEHUB_POLL_INTERVAL=1
-      - CONFIG_UPDATEHUB_CE=y
-      - CONFIG_UPDATEHUB_SERVER="updatehub.io"
   sample.net.updatehub.userspace:
     extra_configs:
       - CONFIG_UPDATEHUB_PRODUCT_UID="e4d37cfe6ec48a2d069cc0bbb8b078677e9a0d8df3a027c4d8ea131130c4265f"

diff --git a/subsys/mgmt/updatehub/Kconfig b/subsys/mgmt/updatehub/Kconfig
@@ -17,8 +17,8 @@ menuconfig UPDATEHUB
 	select REQUIRES_FULL_LIBC
 	select IMG_ENABLE_IMAGE_CHECK
 	select MPU_ALLOW_FLASH_WRITE
-	select MBEDTLS if !BUILD_WITH_TFM
-	select MBEDTLS_SHA256 if !PSA_CRYPTO_CLIENT
+	select PSA_CRYPTO
+	select PSA_WANT_ALG_SHA_256
 	help
 	  UpdateHub is an enterprise-grade solution which makes simple to
 	  remotely update all your embedded devices in the field. It

diff --git a/subsys/mgmt/updatehub/updatehub.c b/subsys/mgmt/updatehub/updatehub.c
@@ -61,7 +61,7 @@ static struct updatehub_context {
 	struct coap_block_context block;
 	struct k_sem semaphore;
 	struct updatehub_storage_context storage_ctx;
-	updatehub_crypto_context_t crypto_ctx;
+	psa_hash_operation_t crypto_ctx;
 	enum updatehub_response code_status;
 	uint8_t hash[SHA256_BIN_DIGEST_SIZE];
 	uint8_t uri_path[MAX_PATH_SIZE];
@@ -113,7 +113,7 @@ static void prepare_fds(void)
 
 static int metadata_hash_get(char *metadata)
 {
-	updatehub_crypto_context_t local_crypto_ctx;
+	psa_hash_operation_t local_crypto_ctx;
 
 	if (updatehub_integrity_init(&local_crypto_ctx)) {
 		return -1;

diff --git a/subsys/mgmt/updatehub/updatehub_integrity.c b/subsys/mgmt/updatehub/updatehub_integrity.c
@@ -9,40 +9,29 @@ LOG_MODULE_DECLARE(updatehub, CONFIG_UPDATEHUB_LOG_LEVEL);
 
 #include "updatehub_integrity.h"
 
-#if defined(CONFIG_PSA_CRYPTO_CLIENT)
-#define SUCCESS_VALUE PSA_SUCCESS
-#else
-#define SUCCESS_VALUE 0
-#endif
-
-int updatehub_integrity_init(updatehub_crypto_context_t *ctx)
+int updatehub_integrity_init(psa_hash_operation_t *ctx)
 {
-	int ret;
+	psa_status_t status;
 
 	if (ctx == NULL) {
 		LOG_DBG("Invalid integrity context");
 		return -EINVAL;
 	}
 
-#if defined(CONFIG_PSA_CRYPTO_CLIENT)
 	*ctx = psa_hash_operation_init();
-	ret = psa_hash_setup(ctx, PSA_ALG_SHA_256);
-#else
-	mbedtls_sha256_init(ctx);
-	ret = mbedtls_sha256_starts(ctx, false);
-#endif
-	if (ret != SUCCESS_VALUE) {
-		LOG_DBG("Failed to %s SHA-256 operation. (%d)", "set up", ret);
+	status = psa_hash_setup(ctx, PSA_ALG_SHA_256);
+	if (status != PSA_SUCCESS) {
+		LOG_DBG("Failed to %s SHA-256 operation. (%d)", "set up", status);
 		return -EFAULT;
 	}
 
 	return 0;
 }
 
-int updatehub_integrity_update(updatehub_crypto_context_t *ctx,
+int updatehub_integrity_update(psa_hash_operation_t *ctx,
 			       const uint8_t *buffer, const uint32_t len)
 {
-	int ret;
+	psa_status_t status;
 
 	if (ctx == NULL || buffer == NULL) {
 		return -EINVAL;
@@ -53,30 +42,21 @@ int updatehub_integrity_update(updatehub_crypto_context_t *ctx,
 		return 0;
 	}
 
-#if defined(CONFIG_PSA_CRYPTO_CLIENT)
-	ret = psa_hash_update(ctx, buffer, len);
-	if (ret != PSA_SUCCESS) {
+	status = psa_hash_update(ctx, buffer, len);
+	if (status != PSA_SUCCESS) {
 		psa_hash_abort(ctx);
-	}
-#else
-	ret = mbedtls_sha256_update(ctx, buffer, len);
-	if (ret != 0) {
-		mbedtls_sha256_free(ctx);
-	}
-#endif
-
-	if (ret != SUCCESS_VALUE) {
-		LOG_DBG("Failed to %s SHA-256 operation. (%d)", "update", ret);
+		LOG_DBG("Failed to %s SHA-256 operation. (%d)", "update", status);
 		return -EFAULT;
 	}
 
 	return 0;
 }
 
-int updatehub_integrity_finish(updatehub_crypto_context_t *ctx,
+int updatehub_integrity_finish(psa_hash_operation_t *ctx,
 			       uint8_t *hash, const uint32_t size)
 {
-	int ret;
+	psa_status_t status;
+	size_t hash_len;
 
 	if (ctx == NULL || hash == NULL) {
 		return -EINVAL;
@@ -87,19 +67,10 @@ int updatehub_integrity_finish(updatehub_crypto_context_t *ctx,
 		return -EINVAL;
 	}
 
-#if defined(CONFIG_PSA_CRYPTO_CLIENT)
-	size_t hash_len;
-
-	ret = psa_hash_finish(ctx, hash, size, &hash_len);
-	if (ret != PSA_SUCCESS) {
+	status = psa_hash_finish(ctx, hash, size, &hash_len);
+	if (status != PSA_SUCCESS) {
 		psa_hash_abort(ctx);
-	}
-#else
-	ret = mbedtls_sha256_finish(ctx, hash);
-	mbedtls_sha256_free(ctx);
-#endif
-	if (ret != SUCCESS_VALUE) {
-		LOG_DBG("Failed to %s SHA-256 operation. (%d)", "finish", ret);
+		LOG_DBG("Failed to %s SHA-256 operation. (%d)", "finish", status);
 		return -EFAULT;
 	}
 

diff --git a/subsys/mgmt/updatehub/updatehub_integrity.h b/subsys/mgmt/updatehub/updatehub_integrity.h
@@ -7,29 +7,19 @@
 #ifndef __UPDATEHUB_INTEGRITY_H__
 #define __UPDATEHUB_INTEGRITY_H__
 
-#if defined(CONFIG_PSA_CRYPTO_CLIENT)
 #include <psa/crypto.h>
-#else
-#include <mbedtls/sha256.h>
-#endif
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
-#define SHA256_BIN_DIGEST_SIZE	(32)
+#define SHA256_BIN_DIGEST_SIZE	PSA_HASH_LENGTH(PSA_ALG_SHA_256)
 #define SHA256_HEX_DIGEST_SIZE	((SHA256_BIN_DIGEST_SIZE * 2) + 1)
 
-#if defined(CONFIG_PSA_CRYPTO_CLIENT)
-typedef psa_hash_operation_t updatehub_crypto_context_t;
-#else
-typedef mbedtls_sha256_context updatehub_crypto_context_t;
-#endif
-
-int updatehub_integrity_init(updatehub_crypto_context_t *ctx);
-int updatehub_integrity_update(updatehub_crypto_context_t *ctx,
+int updatehub_integrity_init(psa_hash_operation_t *ctx);
+int updatehub_integrity_update(psa_hash_operation_t *ctx,
 			       const uint8_t *buffer, const uint32_t len);
-int updatehub_integrity_finish(updatehub_crypto_context_t *ctx,
+int updatehub_integrity_finish(psa_hash_operation_t *ctx,
 			       uint8_t *hash, const uint32_t size);
 
 #ifdef __cplusplus