On Mon, Feb 02, 2026 at 06:03:03PM +0100, Philippe Reynes wrote:
> This series adds the support of ecdsa with software
> using mbedtls. So boards without ecdsa hardware may
> also use signature with ecdsa.
>
> To add the support of ecdsa with mbedtls, I have:
> - enabled ecdsa in mbedtls
> - added a function sw_ecdsa_verify that uses mbedtls
> - added a driver sw_ecdsa that calls sw_ecdsa_verify
>
> I have tested this code with sandbox, and I have
> followed those steps:
>
> 0) build u-boot using sandbox_defconfig and adding those options:
> CONFIG_ECDSA_SW=y
> CONFIG_ECDSA_MBEDTLS=y
> CONFIG_ECDSA=y
> CONFIG_ECDSA_VERIFY=y

I did "git am" on top of the master branch as of the current
eb1562cc3e4c5130c76db1c1ea57156322362a7c and tried to build it as
follows:

    make rpi_4_defconfig
    scripts/config -e FIT_SIGNATURE -e ECDSA -e SHA256 -e ECDSA_VERIFY \
        -d BOOTSTD \
        -e MBEDTLS_LIB -e MBEDTLS_LIB_CRYPTO -e ECDSA_MBEDTLS -e ECDSA_SW \
        -e SHA256_MBEDTLS -e SHA256_SMALLER -e MBEDTLS_LIB_X509 -d HKDF_MBEDTLS \
        -e ASN1_DECODER -e ASN1_DECODER_MBEDTLS \
        -d LEGACY_HASHING_AND_CRYPTO &&
    make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu-

No matter which variations of this I try (starting with -e
HDKF_MBEDTLS), the build would fail with an #error in
lib/mbedtls/external/mbedtls/include/mbedtls/check_config.h because
MBEDTLS_ECDSA_C is defined but neither MBEDTLS_ASN1_PARSE_C nor
MBEDTLS_ASN1_WRITE_C are defined.

By disabling that check I found out that the functions
ecdsa_signature_to_asn1() and mbedtls_ecdsa_read_signature_restartable()
really depend on these.

I diagnosed this by executing

    make V=1 CROSS_COMPILE=aarch64-linux-gnu-

Then, I edited the compiler command line by replacing "-o *.o -c" with
"-E -dD", and redirected the standard output into a file. In that file I
found that lib/mbedtls/mbedtls_def_config.h is defining MBEDTLS_ECDSA_C
and would also define the ASN1 symbols if CONFIG_ASN1_DECODER were
enabled:

    #if CONFIG_IS_ENABLED(ASN1_DECODER)
    #define MBEDTLS_OID_C
    #define MBEDTLS_ASN1_PARSE_C
    #define MBEDTLS_ASN1_WRITE_C
    #endif

Something is wiping that out from my .config, also when I execute "make
syncconfig" after the scripts/config. When I search for ASN1_DECODER in
"make menuconfig", it mentions a large number of other configuration
options.

Can someone help me to enable CONFIG_ASN1_DECODER in this configuration?

With best regards,
Marko
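
The preprocessor-dump diagnosis described in the message above, as an added example that is not part of the original thread or of U-Boot: it reads saved `-E -dD` output, follows the linemarkers, and reports which file last defined a macro. The function names and the embedded sample dump are constructed for illustration, and treating both ASN.1 symbols as required is an assumption of this example.

```shell
#!/bin/sh
# Added example: locate macro definitions in saved "gcc -E -dD" output.

# Print "file:line" of the last live #define of macro $2 in dump $1,
# or "undefined" if it was never defined or was undefined again later.
macro_origin() {
    awk -v name="$2" '
        /^# [0-9]+ "/ {                 # linemarker: # <line> "<file>" [flags]
            line = $2 - 1
            file = $3; gsub(/"/, "", file)
            next
        }
        { line++ }
        $1 == "#define" && ($2 == name || index($2, name "(") == 1) {
            where = file ":" line
        }
        $1 == "#undef" && $2 == name { where = "" }
        END { print (where == "" ? "undefined" : where) }
    ' "$1"
}

# Report the ASN.1 symbols for a dump in which MBEDTLS_ECDSA_C is defined.
# Assumption of this example: both symbols are treated as required.
check_ecdsa_deps() {
    status=0
    if [ "$(macro_origin "$1" MBEDTLS_ECDSA_C)" = undefined ]; then
        return 0
    fi
    for dep in MBEDTLS_ASN1_PARSE_C MBEDTLS_ASN1_WRITE_C; do
        origin=$(macro_origin "$1" "$dep")
        echo "$dep: $origin"
        if [ "$origin" = undefined ]; then status=1; fi
    done
    return "$status"
}

# Constructed sample of -E -dD output (file names and line numbers made up,
# except the config header path quoted in the message).
sample_dD_output() {
    cat <<'EOF'
# 1 "example.c"
# 1 "<built-in>"
#define __STDC__ 1
# 40 "lib/mbedtls/mbedtls_def_config.h" 1
#define MBEDTLS_ECP_C
#define MBEDTLS_ECDSA_C
# 7 "example.c" 2
int x;
EOF
}
```

Call `check_ecdsa_deps` with the file holding the redirected preprocessor output; a non-zero return means MBEDTLS_ECDSA_C is defined while an ASN.1 symbol is not.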