From f366bd3fb3f02f8bcb4063580f85c81fcfee7102 Mon Sep 17 00:00:00 2001
From: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Date: Thu, 25 Apr 2024 16:16:44 +0300
Subject: [PATCH] mgmt: mcumgr: replace Tinycrypt by PSA

As part of ongoing work to move away from TinyCrypt and towards PSA
(#43712), make fs_mgmt use either PSA (when available) or MbedTLS
(as a fallback) for SHA-256.

For now this is guarded by CONFIG_BUILD_WITH_TFM.

Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
---
 subsys/mgmt/mcumgr/grp/fs_mgmt/Kconfig        |  3 +-
 .../src/fs_mgmt_hash_checksum_sha256.c        | 92 +++++++------------
 tests/subsys/mgmt/mcumgr/all_options/prj.conf |  2 -
 .../configuration/all.conf                    |  2 -
 .../configuration/sha256.conf                 |  2 -
 5 files changed, 36 insertions(+), 65 deletions(-)

diff --git a/subsys/mgmt/mcumgr/grp/fs_mgmt/Kconfig b/subsys/mgmt/mcumgr/grp/fs_mgmt/Kconfig
index 95e8a1c2658720b..2bb7e74fb630992 100644
--- a/subsys/mgmt/mcumgr/grp/fs_mgmt/Kconfig
+++ b/subsys/mgmt/mcumgr/grp/fs_mgmt/Kconfig
@@ -125,7 +125,8 @@ config MCUMGR_GRP_FS_CHECKSUM_IEEE_CRC32
 
 config MCUMGR_GRP_FS_HASH_SHA256
 	bool "SHA256 hash support"
-	depends on TINYCRYPT_SHA256 || MBEDTLS_MAC_SHA256_ENABLED
+	depends on BUILD_WITH_TFM || MBEDTLS_MAC_SHA256_ENABLED
+	select PSA_WANT_ALG_SHA_256 if BUILD_WITH_TFM
 	help
 	  Enable SHA256 hash support for MCUmgr.
 
diff --git a/subsys/mgmt/mcumgr/grp/fs_mgmt/src/fs_mgmt_hash_checksum_sha256.c b/subsys/mgmt/mcumgr/grp/fs_mgmt/src/fs_mgmt_hash_checksum_sha256.c
index 118dc93f9edb83c..bc9e33e7716a859 100644
--- a/subsys/mgmt/mcumgr/grp/fs_mgmt/src/fs_mgmt_hash_checksum_sha256.c
+++ b/subsys/mgmt/mcumgr/grp/fs_mgmt/src/fs_mgmt_hash_checksum_sha256.c
@@ -13,79 +13,41 @@
 #include <mgmt/mcumgr/grp/fs_mgmt/fs_mgmt_config.h>
 #include <mgmt/mcumgr/grp/fs_mgmt/fs_mgmt_hash_checksum_sha256.h>
 
-#if defined(CONFIG_TINYCRYPT_SHA256)
-#include <tinycrypt/constants.h>
-#include <tinycrypt/sha256.h>
+#if defined(CONFIG_BUILD_WITH_TFM)
+#include <psa/crypto.h>
+#define SUCCESS_VALUE PSA_SUCCESS
 #else
 #include <mbedtls/md.h>
 #include <mbedtls/sha256.h>
+#define SUCCESS_VALUE 0
 #endif
 
 #define SHA256_DIGEST_SIZE 32
 
-#if defined(CONFIG_TINYCRYPT_SHA256)
-/* Tinycrypt SHA256 implementation */
 static int fs_mgmt_hash_checksum_sha256(struct fs_file_t *file, uint8_t *output,
 					size_t *out_len, size_t len)
 {
 	int rc = 0;
+	int op_ret;
 	ssize_t bytes_read = 0;
 	size_t read_size = CONFIG_MCUMGR_GRP_FS_CHECKSUM_HASH_CHUNK_SIZE;
 	uint8_t buffer[CONFIG_MCUMGR_GRP_FS_CHECKSUM_HASH_CHUNK_SIZE];
-	struct tc_sha256_state_struct sha;
-
-	/* Clear variables prior to calculation */
-	*out_len = 0;
-	memset(output, 0, SHA256_DIGEST_SIZE);
-
-	if (tc_sha256_init(&sha) != TC_CRYPTO_SUCCESS) {
-		return MGMT_ERR_EUNKNOWN;
-	}
-
-	/* Read all data from file and add to SHA256 hash calculation */
-	do {
-		if ((read_size + *out_len) >= len) {
-			/* Limit read size to size of requested data */
-			read_size = len - *out_len;
-		}
-
-		bytes_read = fs_read(file, buffer, read_size);
-
-		if (bytes_read < 0) {
-			/* Failed to read file data, pass generic unknown error back */
-			return MGMT_ERR_EUNKNOWN;
-		} else if (bytes_read > 0) {
-			if (tc_sha256_update(&sha, buffer, bytes_read) != TC_CRYPTO_SUCCESS) {
-				return MGMT_ERR_EUNKNOWN;
-			}
-
-			*out_len += bytes_read;
-		}
-	} while (bytes_read > 0 && *out_len < len);
-
-	/* Finalise SHA256 hash calculation and store output in provided output buffer */
-	if (tc_sha256_final(output, &sha) != TC_CRYPTO_SUCCESS) {
-		rc = MGMT_ERR_EUNKNOWN;
-	}
-
-	return rc;
-}
+#if defined(CONFIG_BUILD_WITH_TFM)
+	psa_hash_operation_t psa_hash_ctx = psa_hash_operation_init();
 #else
-/* mbedtls SHA256 implementation */
-static int fs_mgmt_hash_checksum_sha256(struct fs_file_t *file, uint8_t *output,
-					size_t *out_len, size_t len)
-{
-	int rc = 0;
-	ssize_t bytes_read = 0;
-	size_t read_size = CONFIG_MCUMGR_GRP_FS_CHECKSUM_HASH_CHUNK_SIZE;
-	uint8_t buffer[CONFIG_MCUMGR_GRP_FS_CHECKSUM_HASH_CHUNK_SIZE];
 	mbedtls_md_context_t mbed_hash_ctx;
 	const mbedtls_md_info_t *mbed_hash_info;
+#endif
 
 	/* Clear variables prior to calculation */
 	*out_len = 0;
 	memset(output, 0, SHA256_DIGEST_SIZE);
 
+#if defined(CONFIG_BUILD_WITH_TFM)
+	if (psa_hash_setup(&psa_hash_ctx, PSA_ALG_SHA_256) != PSA_SUCCESS) {
+		return MGMT_ERR_EUNKNOWN;
+	}
+#else
 	mbed_hash_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
 	mbedtls_md_init(&mbed_hash_ctx);
 
@@ -95,8 +57,9 @@ static int fs_mgmt_hash_checksum_sha256(struct fs_file_t *file, uint8_t *output,
 
 	if (mbedtls_md_starts(&mbed_hash_ctx)) {
 		rc = MGMT_ERR_EUNKNOWN;
-		goto error;
+		goto teardown;
 	}
+#endif
 
 	/* Read all data from file and add to SHA256 hash calculation */
 	do {
@@ -110,11 +73,16 @@ static int fs_mgmt_hash_checksum_sha256(struct fs_file_t *file, uint8_t *output,
 		if (bytes_read < 0) {
 			/* Failed to read file data, pass generic unknown error back */
 			rc = MGMT_ERR_EUNKNOWN;
-			goto error;
+			goto teardown;
 		} else if (bytes_read > 0) {
-			if (mbedtls_md_update(&mbed_hash_ctx, buffer, bytes_read) != 0) {
+#if defined(CONFIG_BUILD_WITH_TFM)
+			op_ret = psa_hash_update(&psa_hash_ctx, buffer, bytes_read);
+#else
+			op_ret = mbedtls_md_update(&mbed_hash_ctx, buffer, bytes_read);
+#endif
+			if (op_ret != SUCCESS_VALUE) {
 				rc = MGMT_ERR_EUNKNOWN;
-				goto error;
+				goto teardown;
 			}
 
 			*out_len += bytes_read;
@@ -122,16 +90,24 @@ static int fs_mgmt_hash_checksum_sha256(struct fs_file_t *file, uint8_t *output,
 	} while (bytes_read > 0 && *out_len < len);
 
 	/* Finalise SHA256 hash calculation and store output in provided output buffer */
-	if (mbedtls_md_finish(&mbed_hash_ctx, output) != 0) {
+#if defined(CONFIG_BUILD_WITH_TFM)
+	op_ret = psa_hash_finish(&psa_hash_ctx, output, SHA256_DIGEST_SIZE, &read_size);
+#else
+	op_ret = mbedtls_md_finish(&mbed_hash_ctx, output);
+#endif
+	if (op_ret != SUCCESS_VALUE) {
 		rc = MGMT_ERR_EUNKNOWN;
 	}
 
-error:
+teardown:
+#if defined(CONFIG_BUILD_WITH_TFM)
+	psa_hash_abort(&psa_hash_ctx);
+#else
 	mbedtls_md_free(&mbed_hash_ctx);
+#endif
 
 	return rc;
 }
-#endif
 
 static struct fs_mgmt_hash_checksum_group sha256 = {
 	.group_name = "sha256",
diff --git a/tests/subsys/mgmt/mcumgr/all_options/prj.conf b/tests/subsys/mgmt/mcumgr/all_options/prj.conf
index 42ce2e03c86e39f..37c1a1c828350c1 100644
--- a/tests/subsys/mgmt/mcumgr/all_options/prj.conf
+++ b/tests/subsys/mgmt/mcumgr/all_options/prj.conf
@@ -4,8 +4,6 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 CONFIG_ZTEST=y
-CONFIG_TINYCRYPT=y
-CONFIG_TINYCRYPT_SHA256=y
 CONFIG_FILE_SYSTEM=y
 CONFIG_BASE64=y
 CONFIG_NET_BUF=y
diff --git a/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/all.conf b/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/all.conf
index 546b7f6128eae20..30b59e6f89b0301 100644
--- a/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/all.conf
+++ b/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/all.conf
@@ -3,7 +3,5 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 #
-CONFIG_TINYCRYPT=y
-CONFIG_TINYCRYPT_SHA256=y
 CONFIG_MCUMGR_GRP_FS_CHECKSUM_IEEE_CRC32=y
 CONFIG_MCUMGR_GRP_FS_HASH_SHA256=y
diff --git a/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/sha256.conf b/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/sha256.conf
index d8f44a443a1b055..2f40ccd6ad7fbbc 100644
--- a/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/sha256.conf
+++ b/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/sha256.conf
@@ -3,6 +3,4 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 #
-CONFIG_TINYCRYPT=y
-CONFIG_TINYCRYPT_SHA256=y
 CONFIG_MCUMGR_GRP_FS_HASH_SHA256=y