Hi Philippe,

On Mon, Feb 2, 2026 at 12:05 PM Philippe Reynes <[email protected]> wrote:
>
> This series adds the support of ecdsa with software
> using mbedtls. So boards without ecdsa hardware may
> also use signature with ecdsa.
>
> To add the support of ecdsa with mbedtls, I have:
> - enabled ecdsa in mbedtls
> - added a function sw_ecdsa_verify that uses mbedtls
> - added a driver sw_ecdsa that calls sw_ecdsa_verify
>
> I have tested this code with sandbox, and I have
> followed those steps:
>
> 0) build u-boot using sandbox_defconfig and adding those options:
> CONFIG_ECDSA_SW=y
> CONFIG_ECDSA_MBEDTLS=y
> CONFIG_ECDSA=y
> CONFIG_ECDSA_VERIFY=y
>
> 1) add a signature node to an its file
> signature-256 {
>         algo = "sha256,ecdsa256";
>         key-name-hint = "private-key-256";
> };
>
> 2) generate an ecdsa key
> openssl ecparam -name prime256v1 -genkey -noout -out private-key-256.pem
>
> 3) create the itb file
> ./tools/mkimage -f <file.its> -k . -K arch/sandbox/dts/test.dtb <file.itb>
>
> 4) launch sandbox u-boot
>
> ./u-boot -d arch/sandbox/dts/test.dtb
>
> 5) on sandbox u-boot prompt, load the itb and launch bootm on it
>
> => host load hostfs - 1000000 uboot-ecdsa.itb
> 4628674 bytes read in 1 ms (4.3 GiB/s)
> => bootm 1000000
> ...
> ...
> Verifying Hash Integrity ... sha256,ecdsa256:private-key-256+ OK
>
>
> I have tested with success ecdsa256 and ecdsa384,
> but there is an issue with secp521r1.
>
>
> Philippe Reynes (4):
>   mbedtls: enable support of ecc
>   ecdsa: initial support of ecdsa using mbedtls
>   test: lib: sw_ecdsa: add initial test
>   drivers: crypto: add software ecdsa support
>
>  drivers/crypto/Kconfig             |   2 +
>  drivers/crypto/Makefile            |   1 +
>  drivers/crypto/ecdsa/Kconfig       |   6 +
>  drivers/crypto/ecdsa/Makefile      |   6 +
>  drivers/crypto/ecdsa/ecdsa-sw.c    |  33 +++
>  include/crypto/internal/sw_ecdsa.h |  14 +
>  lib/mbedtls/Kconfig                |   8 +
>  lib/mbedtls/Makefile               |  10 +
>  lib/mbedtls/mbedtls_def_config.h   |  18 ++
>  lib/mbedtls/sw_ecdsa.c             |  94 ++++++

Rename it without the "sw_". From the perspective of MbedTLS, HW
acceleration is controlled by `MBEDTLS_ECDSA_###_ALT`, so the interface
itself does not imply SW.

Regards,
Raymond

>  test/lib/Makefile                  |   1 +
>  test/lib/sw_ecdsa.c                | 445 +++++++++++++++++++++++++++++
>  12 files changed, 638 insertions(+)
>  create mode 100644 drivers/crypto/ecdsa/Kconfig
>  create mode 100644 drivers/crypto/ecdsa/Makefile
>  create mode 100644 drivers/crypto/ecdsa/ecdsa-sw.c
>  create mode 100644 include/crypto/internal/sw_ecdsa.h
>  create mode 100644 lib/mbedtls/sw_ecdsa.c
>  create mode 100644 test/lib/sw_ecdsa.c
>
> --
> 2.43.0
>

