On Mon, Feb 02, 2026 at 06:03:03PM +0100, Philippe Reynes wrote:

> This series adds support for ecdsa in software
> using mbedtls. So boards without ecdsa hardware may
> also use signatures with ecdsa.
> 
> To add support for ecdsa with mbedtls, I have:
> - enabled ecdsa in mbedtls
> - added a function sw_ecdsa_verify that uses mbedtls
> - added a driver sw_ecdsa that calls sw_ecdsa_verify
> 
> I have tested this code with sandbox, and I have
> followed these steps:
> 
> 0) build u-boot using sandbox_defconfig and adding these options:
> CONFIG_ECDSA_SW=y
> CONFIG_ECDSA_MBEDTLS=y
> CONFIG_ECDSA=y
> CONFIG_ECDSA_VERIFY=y
> 
> 1) add a signature node to an its file
>       signature-256 {
>               algo = "sha256,ecdsa256";
>               key-name-hint = "private-key-256";
>       };
> 
> 2) generate an ecdsa key
> openssl ecparam -name prime256v1 -genkey -noout -out private-key-256.pem
> 
> 3) create the itb file
> ./tools/mkimage -f <file.its> -k . -K arch/sandbox/dts/test.dtb <file.itb>
> 
> 4) launch sandbox u-boot
> 
> ./u-boot -d arch/sandbox/dts/test.dtb
> 
> 5) on sandbox u-boot prompt, load the itb and launch bootm on it
> 
> => host load hostfs - 1000000 uboot-ecdsa.itb
> 4628674 bytes read in 1 ms (4.3 GiB/s)
> => bootm 1000000
> ...
> ...
>    Verifying Hash Integrity ... sha256,ecdsa256:private-key-256+ OK
> 
> 
> I have tested with success ecdsa256 and ecdsa384,
> but there is an issue with secp521r1.

This is good to see. Please work on adding this to CI automatically
(which may involve doing something like the sandbox_trace builds/tests
rather than just being part of the default sandbox suite).

-- 
Tom
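
One piece of plumbing between the openssl step and an mbedtls-based verifier that the quoted steps do not show: openssl emits ECDSA signatures as DER (SEQUENCE of two INTEGERs), while a verifier that hands r and s straight to mbedtls wants two fixed-width values. The converter below is an added example, not code from this series or from U-Boot; it assumes the FIT signature value is stored as raw r||s padded to the curve width, and the names `CURVE_BYTES`, `der_to_raw` and the `ecdsa521` algo string are my own.

```python
"""Convert a DER-encoded ECDSA-Sig-Value (openssl output) into fixed-width r||s.

Assumption (not taken from the patch series): the FIT "value" property holds
r||s, each component left-padded to the curve's coordinate width.
"""

# Coordinate width in bytes per FIT algo suffix. P-521 needs 66 bytes because
# 521 bits do not divide evenly into bytes; the name "ecdsa521" is hypothetical.
CURVE_BYTES = {"ecdsa256": 32, "ecdsa384": 48, "ecdsa521": 66}


def _read_tlv(buf: bytes, pos: int, expected_tag: int) -> tuple[bytes, int]:
    """Read one DER element at `pos`; return (value, offset after it)."""
    if pos + 1 >= len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return value, pos + length


def der_to_raw(der_sig: bytes, algo: str) -> bytes:
    """Return r||s with each component left-padded to CURVE_BYTES[algo]."""
    width = CURVE_BYTES[algo]
    seq, end = _read_tlv(der_sig, 0, 0x30)
    if end != len(der_sig):
        raise ValueError("trailing bytes after SEQUENCE")
    r_bytes, pos = _read_tlv(seq, 0, 0x02)
    s_bytes, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("unexpected data after s")
    out = b""
    for comp in (r_bytes, s_bytes):
        # DER INTEGER is signed: a leading 0x00 only keeps a high-bit value
        # positive, so it is absorbed by int conversion. A set top bit with
        # no such pad would be a negative number, which is never valid here.
        if not comp or comp[0] & 0x80:
            raise ValueError("empty or negative INTEGER in ECDSA signature")
        n = int.from_bytes(comp, "big")
        if n.bit_length() > width * 8:
            raise ValueError(f"signature component does not fit {algo}")
        out += n.to_bytes(width, "big")
    return out
```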
