From 8c7f38c27e4a46175aa44a33c77b9ba58904df0c Mon Sep 17 00:00:00 2001
From: Dominik Ermel <dominik.ermel@nordicsemi.no>
Date: Thu, 5 Sep 2024 10:53:17 +0000
Subject: [PATCH] [nrf noup] Enable hash calculation direclty on storage

The commit add support for passing storage device address space
to hash calculation functions, which allows to use hardware
accelerated hash calculation on storage.
This feature only works when image encryption is not enabled
and all slots are defined within internal storage of device.

The feature is enabled using Kconfig option
 CONFIG_BOOT_IMG_HASH_DIRECTLY_ON_STORAGE

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
---
 boot/bootutil/src/image_validate.c             | 18 +++++++++++++++---
 boot/zephyr/Kconfig                            | 16 ++++++++++++++++
 .../include/mcuboot_config/mcuboot_config.h    | 10 ++++++++++
 3 files changed, 41 insertions(+), 3 deletions(-)

diff --git a/boot/bootutil/src/image_validate.c b/boot/bootutil/src/image_validate.c
index ec5d986df..59d35d714 100644
--- a/boot/bootutil/src/image_validate.c
+++ b/boot/bootutil/src/image_validate.c
@@ -68,13 +68,15 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index,
                   uint8_t *seed, int seed_len)
 {
     bootutil_sha_context sha_ctx;
-    uint32_t blk_sz;
     uint32_t size;
     uint16_t hdr_size;
-    uint32_t off;
-    int rc;
     uint32_t blk_off;
     uint32_t tlv_off;
+#if !defined(MCUBOOT_HASH_STORAGE_DIRECTLY)
+    int rc;
+    uint32_t off;
+    uint32_t blk_sz;
+#endif
 
 #if (BOOT_IMAGE_NUMBER == 1) || !defined(MCUBOOT_ENC_IMAGES) || \
     defined(MCUBOOT_RAM_LOAD)
@@ -117,6 +119,15 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index,
     /* If protected TLVs are present they are also hashed. */
     size += hdr->ih_protect_tlv_size;
 
+#ifdef MCUBOOT_HASH_STORAGE_DIRECTLY
+
+    /* No chunk loading, storage is mapped to address space and can
+     * be directly given to hashing function.
+     */
+    bootutil_sha_update(&sha_ctx, (void *)flash_area_get_off(fap), size);
+
+#else /* MCUBOOT_HASH_STORAGE_DIRECTLY */
+
 #ifdef MCUBOOT_RAM_LOAD
     bootutil_sha_update(&sha_ctx,
                         (void*)(IMAGE_RAM_BASE + hdr->ih_load_addr),
@@ -161,6 +172,7 @@ bootutil_img_hash(struct enc_key_data *enc_state, int image_index,
         bootutil_sha_update(&sha_ctx, tmp_buf, blk_sz);
     }
 #endif /* MCUBOOT_RAM_LOAD */
+#endif /* MCUBOOT_HASH_STORAGE_DIRECTLY */
     bootutil_sha_finish(&sha_ctx, hash_result);
     bootutil_sha_drop(&sha_ctx);
 
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
index 931ce38ad..bb0c1762b 100644
--- a/boot/zephyr/Kconfig
+++ b/boot/zephyr/Kconfig
@@ -159,6 +159,22 @@ config BOOT_IMG_HASH_ALG_SHA512_ALLOW
 	help
 	  Hidden option set by configurations that allow SHA512
 
+config BOOT_IMG_HASH_DIRECTLY_ON_STORAGE
+	bool "Hash calculation functions access storage through address space"
+	depends on !BOOT_ENCRYPT_IMAGE
+	help
+	  When possible to map storage device, at least for read operations,
+	  to address space or RAM area, enabling this option allows hash
+	  calculation functions to directly access the storage through that address
+	  space or using its own DMA. This reduces flash read overhead done
+	  by the MCUboot.
+	  Notes:
+	    - not supported when encrypted images are in use, because calculating
+              SHA requires image to be decrypted first, which is done to RAM.
+	    - currently only supported on internal storage of devices; this
+	      option will not work with devices that use external storage for
+	      either of image slots.
+
 choice BOOT_IMG_HASH_ALG
 	prompt "Selected image hash algorithm"
 	default BOOT_IMG_HASH_ALG_SHA256 if BOOT_IMG_HASH_ALG_SHA256_ALLOW
diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
index 57878abc6..184e944da 100644
--- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h
+++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
@@ -136,6 +136,16 @@
 #define MCUBOOT_ENCRYPT_X25519
 #endif
 
+/* Invoke hashing functions directly on storage. This requires for device
+ * to be able to map storage to address space or RAM.
+ */
+#ifdef CONFIG_BOOT_IMG_HASH_DIRECTLY_ON_STORAGE
+#ifdef MCUBOOT_ENC_IMAGES
+#error "Direct hash check is currently not supported when encrypted images are enabled"
+#endif
+#define MCUBOOT_HASH_STORAGE_DIRECTLY
+#endif
+
 #ifdef CONFIG_BOOT_BOOTSTRAP
 #define MCUBOOT_BOOTSTRAP 1
 #endif