oneshot hash build option

.github/workflows/test-elf-scattered.yml

@@ -35,3 +35,11 @@ jobs:
       - name: Run bootloader with no arguments
         run: |
           ./wolfboot.elf
+
+      - name: Build wolfboot.elf (ELF_SCATTERED, ONESHOT_HASH)
+        run: |
+          make clean && make test-sim-internal-flash-with-update ELF=1 ELF_SCATTERED=1 WOLFBOOT_IMG_HASH_ONESHOT=1
+
+      - name: Run bootloader with no arguments (ONESHOT_HASH)
+        run: |
+          ./wolfboot.elf

.github/workflows/test-sunnyday-simulator.yml

@@ -379,6 +379,30 @@ jobs:
         run: |
           tools/scripts/sim-sunnyday-update.sh
 
+      - name: Build wolfboot.elf (ECC256, ONESHOT_HASH, SHA256)
+        run: |
+          make clean && make test-sim-internal-flash-with-update SIGN=ECC256 SPMATH=1 WOLFBOOT_IMG_HASH_ONESHOT=1
+
+      - name: Run sunny day update test (ONESHOT_HASH, SHA256)
+        run: |
+          tools/scripts/sim-sunnyday-update.sh
+
+      - name: Build wolfboot.elf (ECC256, ONESHOT_HASH, SHA384)
+        run: |
+          make clean && make test-sim-internal-flash-with-update SIGN=ECC256 SPMATH=1 HASH=SHA384 WOLFBOOT_IMG_HASH_ONESHOT=1
+
+      - name: Run sunny day update test (ONESHOT_HASH, SHA384)
+        run: |
+          tools/scripts/sim-sunnyday-update.sh
+
+      - name: Build wolfboot.elf (ECC256, ONESHOT_HASH, SHA3)
+        run: |
+          make clean && make test-sim-internal-flash-with-update SIGN=ECC256 SPMATH=1 HASH=SHA3 WOLFBOOT_IMG_HASH_ONESHOT=1
+
+      - name: Run sunny day update test (ONESHOT_HASH, SHA3)
+        run: |
+          tools/scripts/sim-sunnyday-update.sh
+
       - name: Cleanup to change key type
         run: |
           make keysclean

docs/compile.md

@@ -189,6 +189,22 @@ falls in one of these cases, wolfBoot compilation will terminate with an explici
 In some cases you might have enough memory available to allow large stack allocations.
 To circumvent the compile-time checks on the maximum allowed stack size, use `WOLFBOOT_HUGE_STACK=1`.
 
+### One-shot hash verification
+
+By default, wolfBoot hashes firmware images in blocks of `WOLFBOOT_SHA_BLOCK_SIZE` bytes during
+verification. This block-by-block approach is required when firmware resides in external flash or
+other non-memory-mapped storage, where data must be read through intermediate buffers.
+
+When firmware images are stored in directly memory-mapped flash (e.g. internal flash with
+execute-in-place support), the block-by-block overhead can be eliminated by enabling
+`WOLFBOOT_IMG_HASH_ONESHOT=1`. With this option, the entire image buffer is passed to the wolfCrypt
+hash function in a single call, which can improve verification performance.
+
+**warning** This option assumes that `fw_base` pointers are directly dereferenceable for the full
+firmware size. It is incompatible with `EXT_FLASH=1` configurations where partitions reside on
+external SPI or UART flash. Only use `WOLFBOOT_IMG_HASH_ONESHOT=1` when all firmware partitions are
+in directly addressable, memory-mapped flash.
+
 ### Disable Backup of current running firmware
 
 Optionally, it is possible to disable the backup copy of the current running firmware upon the installation of the

options.mk

@@ -779,6 +779,10 @@ ifeq ($(ARMORED),1)
   CFLAGS+=-DWOLFBOOT_ARMORED
 endif
 
+ifeq ($(WOLFBOOT_IMG_HASH_ONESHOT),1)
+  CFLAGS+=-DWOLFBOOT_IMG_HASH_ONESHOT
+endif
+
 ifeq ($(WOLFBOOT_HUGE_STACK),1)
   CFLAGS+=-DWOLFBOOT_HUGE_STACK
 endif