mgmt: mcumgr: replace Tinycrypt by PSA

As part of ongoing work to move away from TinyCrypt and towards PSA
(zephyrproject-rtos#43712), make fs_mgmt use either PSA (when available) or MbedTLS
(as a fallback) for SHA-256.

For now this is guarded by CONFIG_BUILD_WITH_TFM.

Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>

subsys/mgmt/mcumgr/grp/fs_mgmt/Kconfig

@@ -125,7 +125,8 @@ config MCUMGR_GRP_FS_CHECKSUM_IEEE_CRC32
 
 config MCUMGR_GRP_FS_HASH_SHA256
 	bool "SHA256 hash support"
-	depends on TINYCRYPT_SHA256 || MBEDTLS_MAC_SHA256_ENABLED
+	depends on BUILD_WITH_TFM || MBEDTLS_MAC_SHA256_ENABLED
+	select PSA_WANT_ALG_SHA_256 if BUILD_WITH_TFM
 	help
 	  Enable SHA256 hash support for MCUmgr.
 

subsys/mgmt/mcumgr/grp/fs_mgmt/src/fs_mgmt_hash_checksum_sha256.c

@@ -13,79 +13,41 @@
 #include <mgmt/mcumgr/grp/fs_mgmt/fs_mgmt_config.h>
 #include <mgmt/mcumgr/grp/fs_mgmt/fs_mgmt_hash_checksum_sha256.h>
 
-#if defined(CONFIG_TINYCRYPT_SHA256)
-#include <tinycrypt/constants.h>
-#include <tinycrypt/sha256.h>
+#if defined(CONFIG_BUILD_WITH_TFM)
+#include <psa/crypto.h>
+#define SUCCESS_VALUE PSA_SUCCESS
 #else
 #include <mbedtls/md.h>
 #include <mbedtls/sha256.h>
+#define SUCCESS_VALUE 0
 #endif
 
 #define SHA256_DIGEST_SIZE 32
 
-#if defined(CONFIG_TINYCRYPT_SHA256)
-/* Tinycrypt SHA256 implementation */
 static int fs_mgmt_hash_checksum_sha256(struct fs_file_t *file, uint8_t *output,
 					size_t *out_len, size_t len)
 {
 	int rc = 0;
+	int op_ret;
 	ssize_t bytes_read = 0;
 	size_t read_size = CONFIG_MCUMGR_GRP_FS_CHECKSUM_HASH_CHUNK_SIZE;
 	uint8_t buffer[CONFIG_MCUMGR_GRP_FS_CHECKSUM_HASH_CHUNK_SIZE];
-	struct tc_sha256_state_struct sha;
-
-	/* Clear variables prior to calculation */
-	*out_len = 0;
-	memset(output, 0, SHA256_DIGEST_SIZE);
-
-	if (tc_sha256_init(&sha) != TC_CRYPTO_SUCCESS) {
-		return MGMT_ERR_EUNKNOWN;
-	}
-
-	/* Read all data from file and add to SHA256 hash calculation */
-	do {
-		if ((read_size + *out_len) >= len) {
-			/* Limit read size to size of requested data */
-			read_size = len - *out_len;
-		}
-
-		bytes_read = fs_read(file, buffer, read_size);
-
-		if (bytes_read < 0) {
-			/* Failed to read file data, pass generic unknown error back */
-			return MGMT_ERR_EUNKNOWN;
-		} else if (bytes_read > 0) {
-			if (tc_sha256_update(&sha, buffer, bytes_read) != TC_CRYPTO_SUCCESS) {
-				return MGMT_ERR_EUNKNOWN;
-			}
-
-			*out_len += bytes_read;
-		}
-	} while (bytes_read > 0 && *out_len < len);
-
-	/* Finalise SHA256 hash calculation and store output in provided output buffer */
-	if (tc_sha256_final(output, &sha) != TC_CRYPTO_SUCCESS) {
-		rc = MGMT_ERR_EUNKNOWN;
-	}
-
-	return rc;
-}
+#if defined(CONFIG_BUILD_WITH_TFM)
+	psa_hash_operation_t psa_hash_ctx = psa_hash_operation_init();
 #else
-/* mbedtls SHA256 implementation */
-static int fs_mgmt_hash_checksum_sha256(struct fs_file_t *file, uint8_t *output,
-					size_t *out_len, size_t len)
-{
-	int rc = 0;
-	ssize_t bytes_read = 0;
-	size_t read_size = CONFIG_MCUMGR_GRP_FS_CHECKSUM_HASH_CHUNK_SIZE;
-	uint8_t buffer[CONFIG_MCUMGR_GRP_FS_CHECKSUM_HASH_CHUNK_SIZE];
 	mbedtls_md_context_t mbed_hash_ctx;
 	const mbedtls_md_info_t *mbed_hash_info;
+#endif
 
 	/* Clear variables prior to calculation */
 	*out_len = 0;
 	memset(output, 0, SHA256_DIGEST_SIZE);
 
+#if defined(CONFIG_BUILD_WITH_TFM)
+	if (psa_hash_setup(&psa_hash_ctx, PSA_ALG_SHA_256) != PSA_SUCCESS) {
+		return MGMT_ERR_EUNKNOWN;
+	}
+#else
 	mbed_hash_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
 	mbedtls_md_init(&mbed_hash_ctx);
 
@@ -95,8 +57,9 @@ static int fs_mgmt_hash_checksum_sha256(struct fs_file_t *file, uint8_t *output,
 
 	if (mbedtls_md_starts(&mbed_hash_ctx)) {
 		rc = MGMT_ERR_EUNKNOWN;
-		goto error;
+		goto teardown;
 	}
+#endif
 
 	/* Read all data from file and add to SHA256 hash calculation */
 	do {
@@ -110,28 +73,41 @@ static int fs_mgmt_hash_checksum_sha256(struct fs_file_t *file, uint8_t *output,
 		if (bytes_read < 0) {
 			/* Failed to read file data, pass generic unknown error back */
 			rc = MGMT_ERR_EUNKNOWN;
-			goto error;
+			goto teardown;
 		} else if (bytes_read > 0) {
-			if (mbedtls_md_update(&mbed_hash_ctx, buffer, bytes_read) != 0) {
+#if defined(CONFIG_BUILD_WITH_TFM)
+			op_ret = psa_hash_update(&psa_hash_ctx, buffer, bytes_read);
+#else
+			op_ret = mbedtls_md_update(&mbed_hash_ctx, buffer, bytes_read);
+#endif
+			if (op_ret != SUCCESS_VALUE) {
 				rc = MGMT_ERR_EUNKNOWN;
-				goto error;
+				goto teardown;
 			}
 
 			*out_len += bytes_read;
 		}
 	} while (bytes_read > 0 && *out_len < len);
 
 	/* Finalise SHA256 hash calculation and store output in provided output buffer */
-	if (mbedtls_md_finish(&mbed_hash_ctx, output) != 0) {
+#if defined(CONFIG_BUILD_WITH_TFM)
+	op_ret = psa_hash_finish(&psa_hash_ctx, output, SHA256_DIGEST_SIZE, &read_size);
+#else
+	op_ret = mbedtls_md_finish(&mbed_hash_ctx, output);
+#endif
+	if (op_ret != SUCCESS_VALUE) {
 		rc = MGMT_ERR_EUNKNOWN;
 	}
 
-error:
+teardown:
+#if defined(CONFIG_BUILD_WITH_TFM)
+	psa_hash_abort(&psa_hash_ctx);
+#else
 	mbedtls_md_free(&mbed_hash_ctx);
+#endif
 
 	return rc;
 }
-#endif
 
 static struct fs_mgmt_hash_checksum_group sha256 = {
 	.group_name = "sha256",

tests/subsys/mgmt/mcumgr/all_options/prj.conf

@@ -4,8 +4,6 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 CONFIG_ZTEST=y
-CONFIG_TINYCRYPT=y
-CONFIG_TINYCRYPT_SHA256=y
 CONFIG_FILE_SYSTEM=y
 CONFIG_BASE64=y
 CONFIG_NET_BUF=y

tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/all.conf

@@ -3,7 +3,5 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 #
-CONFIG_TINYCRYPT=y
-CONFIG_TINYCRYPT_SHA256=y
 CONFIG_MCUMGR_GRP_FS_CHECKSUM_IEEE_CRC32=y
 CONFIG_MCUMGR_GRP_FS_HASH_SHA256=y

tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/sha256.conf

@@ -3,6 +3,4 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 #
-CONFIG_TINYCRYPT=y
-CONFIG_TINYCRYPT_SHA256=y
 CONFIG_MCUMGR_GRP_FS_HASH_SHA256=y