Hi Philippe,

On Mon, Feb 2, 2026 at 12:05 PM Philippe Reynes
<[email protected]> wrote:
>
> Enables the support of ecc in mbedtls.
>
> Signed-off-by: Philippe Reynes <[email protected]>
> ---
>  lib/mbedtls/Kconfig              |  8 ++++++++
>  lib/mbedtls/Makefile             |  7 +++++++
>  lib/mbedtls/mbedtls_def_config.h | 18 ++++++++++++++++++
>  3 files changed, 33 insertions(+)
>
> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> index 789721ee6cd..90c007df850 100644
> --- a/lib/mbedtls/Kconfig
> +++ b/lib/mbedtls/Kconfig
> @@ -157,6 +157,7 @@ config MBEDTLS_LIB_CRYPTO
>         select SHA256_MBEDTLS if SHA256
>         select SHA512_MBEDTLS if SHA512
>         select SHA384_MBEDTLS if SHA384
> +       select ECDSA_MBEDTLS if ECDSA
>         help
>           Enable MbedTLS native crypto libraries.
>           Mutually incompatible with MBEDTLS_LIB_HASHING_ALT.
> @@ -231,6 +232,13 @@ config HKDF_MBEDTLS
>           This option enables support of key derivation using HKDF algorithm
>           with MbedTLS crypto library.
>
> +config ECDSA_MBEDTLS
> +       bool "Enable ECDSA support with MbedTLS crypto library"
> +       depends on MBEDTLS_LIB_CRYPTO && ECDSA
> +       help
> +         This option enables support of ECDSA with the MbedTLS crypto
> +         library.
> +

ECDSA config should be under MBEDTLS_LIB_X509 instead of MBEDTLS_LIB_CRYPTO.

>  endif # MBEDTLS_LIB_CRYPTO
>
>  config MBEDTLS_LIB_X509
> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
> index c5b445bd85c..54a893609cf 100644
> --- a/lib/mbedtls/Makefile
> +++ b/lib/mbedtls/Makefile
> @@ -35,6 +35,11 @@ mbedtls_lib_crypto-$(CONFIG_$(PHASE_)SHA512_MBEDTLS) += \
>         $(MBEDTLS_LIB_DIR)/sha512.o
>  mbedtls_lib_crypto-$(CONFIG_$(PHASE_)HKDF_MBEDTLS) += \
>         $(MBEDTLS_LIB_DIR)/hkdf.o
> +mbedtls_lib_crypto-$(CONFIG_$(PHASE_)ECDSA_MBEDTLS) += \
> +       $(MBEDTLS_LIB_DIR)/ecdsa.o \
> +       $(MBEDTLS_LIB_DIR)/ecp.o \
> +       $(MBEDTLS_LIB_DIR)/ecp_curves.o \
> +       $(MBEDTLS_LIB_DIR)/ecp_curves_new.o

Currently these ecp*.o objects are imported by MBEDTLS_LIB_TLS; refactoring is
required to avoid duplication when multiple Kconfig options are selected.

>
>  # MbedTLS X509 library
>  obj-$(CONFIG_$(XPL_)MBEDTLS_LIB_X509) += mbedtls_lib_x509.o
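Review bot: The ECDSA_MBEDTLS object list adds ecdsa.o and the ecp objects but nothing for the big-number or ASN.1 code they depend on, although the header change in this same patch defines `MBEDTLS_BIGNUM_C` for ECDSA. If bignum.o and bignum_core.o (and the asn1parse/asn1write objects that ecdsa.c uses for signature encoding) are only pulled in by other options, a configuration with ECDSA but without those options would presumably fail to link. The rest of the Makefile is not visible here, so this needs checking. If they are missing, add them to this list, e.g. `$(MBEDTLS_LIB_DIR)/bignum.o \` and `$(MBEDTLS_LIB_DIR)/bignum_core.o \`.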
> @@ -52,6 +57,8 @@ 
> mbedtls_lib_x509-$(CONFIG_$(PHASE_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
>         $(MBEDTLS_LIB_DIR)/pk.o \
>         $(MBEDTLS_LIB_DIR)/pk_wrap.o \
>         $(MBEDTLS_LIB_DIR)/pkparse.o
> +mbedtls_lib_x509-$(CONFIG_$(PHASE_)ECDSA_MBEDTLS) += \
> +       $(MBEDTLS_LIB_DIR)/pk_ecc.o

ditto.

>  mbedtls_lib_x509-$(CONFIG_$(PHASE_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
>         $(MBEDTLS_LIB_DIR)/x509_crl.o \
>         $(MBEDTLS_LIB_DIR)/x509_crt.o
> diff --git a/lib/mbedtls/mbedtls_def_config.h 
> b/lib/mbedtls/mbedtls_def_config.h
> index dda3f4dd6e4..8f366c744a5 100644
> --- a/lib/mbedtls/mbedtls_def_config.h
> +++ b/lib/mbedtls/mbedtls_def_config.h
> @@ -60,6 +60,24 @@
>  #define MBEDTLS_HKDF_C
>  #endif
>
> +#if CONFIG_IS_ENABLED(ECDSA)
> +#define MBEDTLS_ECDSA_C
> +#define MBEDTLS_ECP_C
> +#define MBEDTLS_BIGNUM_C
> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
> +#define MBEDTLS_ECP_DP_BP256R1_ENABLED
> +#define MBEDTLS_ECP_DP_BP384R1_ENABLED
> +#define MBEDTLS_ECP_DP_BP512R1_ENABLED
> +#endif
> +

Currently they are enabled by MBEDTLS_LIB_TLS; refactoring is required
to select ECDSA when MBEDTLS_LIB_TLS is on, to avoid defining the same
macros twice here.

Regards,
Raymond

>  #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
>
>  #if CONFIG_IS_ENABLED(X509_CERTIFICATE_PARSER)
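Review bot: `MBEDTLS_ECP_DP_SECP256K1_ENABLED` is defined twice in the added block, and the list turns on every curve group, including `MBEDTLS_ECP_DP_SECP192R1_ENABLED` and `MBEDTLS_ECP_DP_SECP192K1_ENABLED`, which give only about 96 bits of security. Drop the second SECP256K1 line. Unless a caller is known to need the 192-bit curves, leave them out, so that signatures made with such keys cannot be accepted and the image carries less code. A comment above the list such as `/* Curves accepted for ECDSA; enable only those the image formats in use require */` would record the intent. The guard tests `CONFIG_IS_ENABLED(ECDSA)` while the new Kconfig symbol is ECDSA_MBEDTLS; whether that matches the convention of the rest of the file cannot be confirmed from the visible lines.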
> --
> 2.43.0
>
