Re: [PATCH v3 00/15] add software ecdsa support

[Raymond Mao]

Hi Philippe,

On Tue, Mar 31, 2026 at 6:00 AM Philippe Reynes
 wrote:
>
> This serie adds the support of ecdsa with software
> using mbedtls. So boards without ecdsa hardware may
> also use signature with ecdsa.
>
> To add the support of ecdsa with mbedtls, I have:
> - enabled ecdsa in mbedtls
> - add a function sw_ecdsa_verify that uses mbedtls
> - add a driver sw_ecdsa that call sw_ecdsa_verify
>
> I have tested this code with sandbox, and I have
> followed those steps:
>
> 0) build u-boot using sandbox_defconfig and adding those options:
> CONFIG_ECDSA_SW=y
> CONFIG_ECDSA_MBEDTLS=y

Same comment as I placed in V2:
As this series introduces a MbedTLS-only solution, duplicating a
CONFIG_ECDSA_SW is not necessary, you can just use
CONFIG_ECDSA_MBEDTLS when linking with ecdsa-sw.o.

Regards,
Raymond


> CONFIG_ECDSA=y
> CONFIG_ECDSA_VERIFY=y
>
> 1) add a signature node to an its file
> signature-256 {
> algo = "sha256,ecdsa256";
> key-name-hint = "private-key-256";
> };
>
> 2) generate an ecdsa key
> openssl ecparam -name prime256v1 -genkey -noout -out private-key-256.pem
>
> 3) create the itb file
> ./tools/mkimage -f  -k . -K arch/sandbox/dts/test.dtb 
>
> 4) launch sandbox u-boot
>
> ./u-boot -d arch/sandbox/dts/test.dtb
>
> 5) on sandbox u-boot prompt, load the itb and launch bootm on it
>
> => host load hostfs - 100 uboot-ecdsa.itb
> 4628674 bytes read in 1 ms (4.3 GiB/s)
> => bootm 100
> ...
> ...
>Verifying Hash Integrity ... sha256,ecdsa256:private-key-256+ OK
>
>
> I have tested with success ecdsa256 and ecdsa384,
> but there is an issue with secp521r1.
>
> Changes in v2:
> - move ECDSA_MBEDTLS to MBEDTLS_LIB_X509
> - rename lib/mbedtls/sw_ecdsa.c to lib/mbedtls/ecdsa.c
> - enhance dependancies for ECDSA_MBEDTLS
> - fix support of ecdsa521/secp521r1
> - add vboot test using ecdsa
>
> Changes in v3:
> - do not use _MBEDTLS in mbedtls_def_config.h
> - check returns and remove mem leak in lib/mbedtls/ecdsa.c
> - remove useless field  *k in struct ecdsa_test_vector_s
> - check returns in test/lib/ecdsa.c
> - fix third parameter when calling sha*_csum_wd()
> - add support of ecdsa in pre-load header
>
>
> Philippe Reynes (15):
>   mbedtls: enable support of ecc
>   ecdsa: initial support of ecdsa using mbedtls
>   test: lib: ecdsa: add initial test
>   drivers: crypto: add software ecdsa support
>   ecdsa: fix support of secp521r1
>   test: dm: ecdsa.c: clean this test as software ecdsa is now
> implemented
>   test: py: vboot: prepare integration test for ecdsa
>   test: vboot: add test for ecdsa
>   tools: mkimage: pre-load: add support of ecdsa
>   tools: binman: pre-load: add support of ecdsa
>   tools: binman: pre-load: add test for ecdsa
>   boot: pre-load: add support of ecdsa
>   tools: preload_check_sign: add support of ecdsa
>   test: py: vboot: prepare test for glocal signature with ecdsa
>   test: py: vboot: add test for global signature with ecdsa
>
>  boot/image-pre-load.c |  48 +-
>  configs/amd_versal2_virt_defconfig|   1 +
>  configs/qemu_arm64_lwip_defconfig |   1 +
>  configs/starfive_visionfive2_defconfig|   1 +
>  configs/xilinx_versal_net_virt_defconfig  |   1 +
>  configs/xilinx_versal_virt_defconfig  |   1 +
>  configs/xilinx_zynqmp_kria_defconfig  |   1 +
>  configs/xilinx_zynqmp_virt_defconfig  |   1 +
>  drivers/crypto/Kconfig|   2 +
>  drivers/crypto/Makefile   |   1 +
>  drivers/crypto/ecdsa/Kconfig  |   8 +
>  drivers/crypto/ecdsa/Makefile |   6 +
>  drivers/crypto/ecdsa/ecdsa-sw.c   |  33 ++
>  include/crypto/internal/ecdsa.h   |  14 +
>  lib/ecdsa/ecdsa-libcrypto.c   |  50 +-
>  lib/ecdsa/ecdsa-verify.c  |  24 +-
>  lib/fdt-libcrypto.c   |   2 +-
>  lib/mbedtls/Kconfig   |  16 +
>  lib/mbedtls/Makefile  |  19 +-
>  lib/mbedtls/ecdsa.c   | 141 ++
>  lib/mbedtls/mbedtls_def_config.h  |  18 +
>  test/dm/ecdsa.c   |  18 +-
>  test/lib/Makefile |   1 +
>  test/lib/ecdsa.c  | 447 ++
>  test/py/tests/test_fit_ecdsa.py   |   2 +-
>  test/py/tests/test_vboot.py   | 143 +++---
>  .../tests/vboot/sandbox-binman-ecdsa256.dts   |  24 +
>  .../tests/vboot/sandbox-binman-ecdsa384.dts   |  24 +
>  .../tests/vboot/sandbox-binman-ecdsa521.dts   |  24 +
>  ...pss.dts => sandbox-binman-rsa2048-pss.dts} |   0
>  ...-binman.dts => sandbox-binman-rsa2048.dts} |   0
>  .../vboot/sandbox-u-boot-global-ecdsa256.dts  |  27 ++
>  .../vboot/sandbox-u-boot-global-ecdsa384.dts  |  27 ++
>  .../vboot/sandbox-u-boot-global-ecdsa521.dts  |  27 ++
>  ... => sandbox-u-boot-global-rsa2048-pss.d

Re: [PATCH v3 00/15] add software ecdsa support

[Tom Rini]

On Tue, Mar 31, 2026 at 12:00:32PM +0200, Philippe Reynes wrote:
> This serie adds the support of ecdsa with software
> using mbedtls. So boards without ecdsa hardware may
> also use signature with ecdsa.
> 
> To add the support of ecdsa with mbedtls, I have:
> - enabled ecdsa in mbedtls
> - add a function sw_ecdsa_verify that uses mbedtls
> - add a driver sw_ecdsa that call sw_ecdsa_verify
> 
> I have tested this code with sandbox, and I have
> followed those steps:
> 
> 0) build u-boot using sandbox_defconfig and adding those options:
> CONFIG_ECDSA_SW=y
> CONFIG_ECDSA_MBEDTLS=y
> CONFIG_ECDSA=y
> CONFIG_ECDSA_VERIFY=y
> 
> 1) add a signature node to an its file
>   signature-256 {
>   algo = "sha256,ecdsa256";
>   key-name-hint = "private-key-256";
>   };
> 
> 2) generate an ecdsa key
> openssl ecparam -name prime256v1 -genkey -noout -out private-key-256.pem
> 
> 3) create the itb file
> ./tools/mkimage -f  -k . -K arch/sandbox/dts/test.dtb 
> 
> 4) launch sandbox u-boot
> 
> ./u-boot -d arch/sandbox/dts/test.dtb
> 
> 5) on sandbox u-boot prompt, load the itb and launch bootm on it
> 
> => host load hostfs - 100 uboot-ecdsa.itb
> 4628674 bytes read in 1 ms (4.3 GiB/s)
> => bootm 100
> ...
> ...
>Verifying Hash Integrity ... sha256,ecdsa256:private-key-256+ OK

For the next iteration can you please add this as part of the series, so
CI tests it? And also put it through Azure at least to make sure there's
no other testing surprises that come out. Thanks!

-- 
Tom


signature.asc
Description: PGP signature