diff --git a/subsys/storage/flash_map/CMakeLists.txt b/subsys/storage/flash_map/CMakeLists.txt index 3b5085e61f1..906762f6b17 100644 --- a/subsys/storage/flash_map/CMakeLists.txt +++ b/subsys/storage/flash_map/CMakeLists.txt @@ -5,3 +5,7 @@ zephyr_sources_ifndef(CONFIG_FLASH_MAP_CUSTOM flash_map_default.c) zephyr_sources_ifdef(CONFIG_FLASH_MAP_SHELL flash_map_shell.c) zephyr_sources_ifdef(CONFIG_FLASH_PAGE_LAYOUT flash_map_layout.c) zephyr_sources_ifdef(CONFIG_FLASH_AREA_CHECK_INTEGRITY flash_map_integrity.c) + +if(CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS) + zephyr_library_link_libraries_ifdef(CONFIG_MBEDTLS mbedTLS) +endif() diff --git a/subsys/storage/flash_map/Kconfig b/subsys/storage/flash_map/Kconfig index 6aba25fda64..9bd480f18c7 100644 --- a/subsys/storage/flash_map/Kconfig +++ b/subsys/storage/flash_map/Kconfig @@ -30,10 +30,32 @@ config FLASH_MAP_CUSTOM config FLASH_AREA_CHECK_INTEGRITY bool "Enable flash check functions" - select TINYCRYPT - select TINYCRYPT_SHA256 help If enabled, there will be available the backend to check flash integrity using SHA-256 verification algorithm. +if FLASH_AREA_CHECK_INTEGRITY +choice + prompt "Crypto backend for the flash check functions" + default FLASH_AREA_CHECK_INTEGRITY_TC + +config FLASH_AREA_CHECK_INTEGRITY_TC + bool "Use TinyCrypt" + select TINYCRYPT + select TINYCRYPT_SHA256 + help + Use TinyCrypt library to perform the integrity check. + +config FLASH_AREA_CHECK_INTEGRITY_MBEDTLS + bool "Use MBEDTLS" + select MBEDTLS + select MBEDTLS_MD + select MBEDTLS_MAC_SHA256_ENABLED + select MBEDTLS_ENABLE_HEAP + help + Use MBEDTLS library to perform the integrity check. + +endchoice +endif + endif diff --git a/subsys/storage/flash_map/flash_map_integrity.c b/subsys/storage/flash_map/flash_map_integrity.c index a76841e3d6d..191633afa89 100644 --- a/subsys/storage/flash_map/flash_map_integrity.c +++ b/subsys/storage/flash_map/flash_map_integrity.c @@ -17,15 +17,27 @@ #include #include +#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY) +#define SHA256_DIGEST_SIZE 32 +#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_TC) #include #include +#else +#include +#endif #include +#endif /* CONFIG_FLASH_AREA_CHECK_INTEGRITY */ int flash_area_check_int_sha256(const struct flash_area *fa, const struct flash_area_check *fac) { - unsigned char hash[TC_SHA256_DIGEST_SIZE]; + unsigned char hash[SHA256_DIGEST_SIZE]; +#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_TC) struct tc_sha256_state_struct sha; +#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */ + mbedtls_md_context_t mbed_hash_ctx; + const mbedtls_md_info_t *mbed_hash_info; +#endif const struct device *dev; int to_read; int pos; @@ -40,9 +52,24 @@ int flash_area_check_int_sha256(const struct flash_area *fa, return -EINVAL; } +#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_TC) if (tc_sha256_init(&sha) != TC_CRYPTO_SUCCESS) { return -ESRCH; } +#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */ + mbed_hash_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256); + + mbedtls_md_init(&mbed_hash_ctx); + + if (mbedtls_md_setup(&mbed_hash_ctx, mbed_hash_info, 0) != 0) { + return -ESRCH; + } + + if (mbedtls_md_starts(&mbed_hash_ctx)) { + rc = -ESRCH; + goto error; + } +#endif dev = device_get_binding(fa->fa_dev_name); to_read = fac->rblen; @@ -55,23 +82,50 @@ int flash_area_check_int_sha256(const struct flash_area *fa, rc = flash_read(dev, (fa->fa_off + fac->off + pos), fac->rbuf, to_read); if (rc != 0) { +#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_TC) return rc; +#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */ + goto error; +#endif } +#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_TC) if (tc_sha256_update(&sha, fac->rbuf, to_read) != TC_CRYPTO_SUCCESS) { return -ESRCH; } +#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */ + if (mbedtls_md_update(&mbed_hash_ctx, fac->rbuf, to_read) != 0) { + rc = -ESRCH; + goto error; + } +#endif } +#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_TC) if (tc_sha256_final(hash, &sha) != TC_CRYPTO_SUCCESS) { return -ESRCH; } +#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */ + if (mbedtls_md_finish(&mbed_hash_ctx, hash) != 0) { + rc = -ESRCH; + goto error; + } +#endif - if (memcmp(hash, fac->match, TC_SHA256_DIGEST_SIZE)) { + if (memcmp(hash, fac->match, SHA256_DIGEST_SIZE)) { +#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_TC) return -EILSEQ; +#else /* CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS */ + rc = -EILSEQ; + goto error; +#endif } - return 0; +#if defined(CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS) +error: + mbedtls_md_free(&mbed_hash_ctx); +#endif + return rc; } diff --git a/tests/subsys/storage/flash_map/overlay-mbedtls.conf b/tests/subsys/storage/flash_map/overlay-mbedtls.conf new file mode 100644 index 00000000000..0d18fba5d3b --- /dev/null +++ b/tests/subsys/storage/flash_map/overlay-mbedtls.conf @@ -0,0 +1 @@ +CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS=y diff --git a/tests/subsys/storage/flash_map/testcase.yaml b/tests/subsys/storage/flash_map/testcase.yaml index feff98fba08..dc8b80495d1 100644 --- a/tests/subsys/storage/flash_map/testcase.yaml +++ b/tests/subsys/storage/flash_map/testcase.yaml @@ -7,3 +7,7 @@ tests: platform_allow: nrf52840dk_nrf52840 nrf52dk_nrf52832 frdm_k64f hexiwear_k64 twr_ke18f tags: flash_map + storage.flash_map.mbedtls: + extra_args: OVERLAY_CONFIG=overlay-mbedtls.conf + platform_allow: nrf51dk_nrf51422 qemu_x86 native_posix native_posix_64 + tags: flash_map