zephyr: Support for HKDF/HMAC with SHA512

The commit adds CONFIG_BOOT_HMAC_SHA512 that enables MCUboot
configuration option MCUBOOT_HMAC_SHA512, that is used for
switching HKDF/HMAC in ECIES key exchange to SHA512,
from default SHA256.
This option, currently, is only available for ECIES-X25519
with PSA as crypto backend.

Signed-off-by: Dominik Ermel <[email protected]>

Author: de-nordic

boot/zephyr/Kconfig

@@ -609,6 +609,15 @@ config BOOT_ENCRYPT_X25519
 	help
 	  Hidden option selecting x25519 encryption.
 
+config BOOT_HMAC_SHA512
+	bool "Use SHA512 for HMAC/HKDF"
+	depends on BOOT_ENCRYPT_X25519
+	depends on BOOT_USE_PSA_CRYPTO
+	help
+	  By default SHA256 is used for HKDF/HMAC in key exchange expansion
+	  and verification. This options switches to SHA512. The option is
+	  mainly useful to reduce numer of compiled in SHA algorithms.
+
 config BOOT_ENCRYPTION_KEY_FILE
 	string "Encryption key file"
 	depends on BOOT_ENCRYPT_IMAGE

boot/zephyr/include/mcuboot_config/mcuboot_config.h

@@ -157,6 +157,13 @@
 #define MCUBOOT_ENCRYPT_X25519
 #endif
 
+/* Support for HMAC/HKDF using SHA512; this is used in key exchange where
+ * HKDF is used for key expansion and HMAC is used for key verification.
+ */
+#ifdef CONFIG_BOOT_HMAC_SHA512
+#define MCUBOOT_HMAC_SHA512
+#endif
+
 #ifdef CONFIG_BOOT_DECOMPRESSION
 #define MCUBOOT_DECOMPRESS_IMAGES
 #endif