Hi Marko,

On Wed, Feb 4, 2026 at 2:02 PM Marko Mäkelä <[email protected]> wrote:
>
> Mon, Feb 02, 2026 at 06:03:03PM +0100, Philippe Reynes wrote:
> >This series adds the support of ecdsa with software
> >using mbedtls. So boards without ecdsa hardware may
> >also use signature with ecdsa.
> >
> >To add the support of ecdsa with mbedtls, I have:
> >- enabled ecdsa in mbedtls
> >- add a function sw_ecdsa_verify that uses mbedtls
> >- add a driver sw_ecdsa that calls sw_ecdsa_verify
> >
> >I have tested this code with sandbox, and I have
> >followed those steps:
> >
> >0) build u-boot using sandbox_defconfig and adding those options:
> >CONFIG_ECDSA_SW=y
> >CONFIG_ECDSA_MBEDTLS=y
> >CONFIG_ECDSA=y
> >CONFIG_ECDSA_VERIFY=y
>
> I did "git am" on top of the master branch as of the current
> eb1562cc3e4c5130c76db1c1ea57156322362a7c and tried to build it as
> follows:
>
> make rpi_4_defconfig
> scripts/config -e FIT_SIGNATURE -e ECDSA -e SHA256 -e ECDSA_VERIFY \
> -d BOOTSTD \
> -e MBEDTLS_LIB -e MBEDTLS_LIB_CRYPTO -e ECDSA_MBEDTLS -e ECDSA_SW \
> -e SHA256_MBEDTLS -e SHA256_SMALLER -e MBEDTLS_LIB_X509 -d HKDF_MBEDTLS \
> -e ASN1_DECODER -e ASN1_DECODER_MBEDTLS \
> -d LEGACY_HASHING_AND_CRYPTO &&
> make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu-
>
> No matter which variations of this I try (starting with -e
> HDKF_MBEDTLS), the build would fail with an #error in
> lib/mbedtls/external/mbedtls/include/mbedtls/check_config.h because
> MBEDTLS_ECDSA_C is defined but neither MBEDTLS_ASN1_PARSE_C nor
> MBEDTLS_ASN1_WRITE_C are defined.
>
> By disabling that check I found out that the functions
> ecdsa_signature_to_asn1() and mbedtls_ecdsa_read_signature_restartable()
> really depend on these.
>
> I diagnosed this by executing
> make V=1 CROSS_COMPILE=aarch64-linux-gnu-
>
> Then, I edited the compiler command line by replacing "-o *.o -c" with
> "-E -dD", and redirected the standard output into a file. In that file I
> found that lib/mbedtls/mbedtls_def_config.h is defining MBEDTLS_ECDSA_C
> and would also define the ASN1 symbols if CONFIG_ASN1_DECODER were
> enabled:
>
> #if CONFIG_IS_ENABLED(ASN1_DECODER)
> #define MBEDTLS_OID_C
> #define MBEDTLS_ASN1_PARSE_C
> #define MBEDTLS_ASN1_WRITE_C
> #endif
>
> Something is wiping that out from my .config, also when I execute "make
> syncconfig" after the scripts/config. When I search for ASN1_DECODER in
> "make menuconfig", it mentions a large number of other configuration
> options.
>
> Can someone help me to enable CONFIG_ASN1_DECODER in this configuration?
>

When EFI_SECURE_BOOT is enabled, all these dependent Kconfigs will be
selected automatically.

Raymond

> With best regards,
>
> Marko

