Mon, Feb 02, 2026 at 06:03:03PM +0100, Philippe Reynes wrote:
> I have tested this code with sandbox, and I have
> followed those steps:
> 0) build u-boot using sandbox_defconfig and adding those options:
> CONFIG_ECDSA_SW=y
> CONFIG_ECDSA_MBEDTLS=y
> CONFIG_ECDSA=y
> CONFIG_ECDSA_VERIFY=y
I believe that I was able to build an ECDSA signed fitImage of a Linux
kernel. At least "dtc" shows that a signature is present, just like with
my earlier attempt with RSA.
> 1) add a signature node to an its file
> signature-256 {
>     algo = "sha256,ecdsa256";
>     key-name-hint = "private-key-256";
> };
> 2) generate an ecdsa key
> openssl ecparam -name prime256v1 -genkey -noout -out private-key-256.pem
> 3) create the itb file
> ./tools/mkimage -f <file.its> -k . -K arch/sandbox/dts/test.dtb <file.itb>
Step 1) is part of <file.its>, which specifies how a signed payload,
such as a Linux kernel, is built in <file.itb>, right?
I assume that arch/sandbox/dts/test.dts is the source code for
arch/sandbox/dts/test.dtb. Would this file correspond to the file
u-boot.dtb in a non-sandbox environment (in my case, based on
rpi_4_defconfig)?
For me, mkimage version 2025.01 (as shipped in Debian Sid) would crash
if I ask it to write the public key to u-boot.dtb using the parameter
"-K u-boot.dtb". The following statement in do_add() would hit SIGSEGV:
ret = fdt_setprop_string(fdt, key_node, FIT_KEY_REQUIRED,
info->require_keys);
The function do_add() is invoked by ecdsa_add_verify_data(). For my
kernel build, I did not yet try a mkimage that is built from the latest
u-boot. Should that make a difference?
For an earlier experiment with an RSA signed fitImage, I was able to do
the following:
make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu- all u-boot.dtb
cp u-boot.dtb u-boot-pubkey.dtb
ALGO=$(scripts/dtc/dtc -I dtb /target/fitImage | grep -A10 signature |
sed -ne "s/\s*algo = \"\(.*\)\";/\1/p")
tools/fdt_add_pubkey -a "$ALGO" -n dev -k . -r conf u-boot-pubkey.dtb
tools/fit_check_sign -f /target/fitImage -k u-boot-pubkey.dtb
make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu- \
EXT_DTB=u-boot-pubkey.dtb
cp -L u-boot.img /target/
With CONFIG_ECDSA, fdt_add_pubkey would SIGSEGV (unrelated to these
changes) and fit_check_sign does not appear to be built.
I would appreciate some help in embedding the ECDSA public key into the
u-boot image, so that I can test this.
Best regards,
Marko
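An added check, not from this thread or from U-Boot, for confirming that the signature node from step 1 ended up in the built .itb with the expected algo and key-name-hint: it parses the `dtc -I dtb -O dts` output instead of the `grep -A10 | sed` pipeline used for the RSA experiment. The sample DTS text, the node layout and the dtc invocation are assumptions.

```python
import re
import subprocess

# Constructed sample of what "dtc -I dtb -O dts <file.itb>" prints for a FIT
# signed as in the thread (not real tool output; trimmed to the relevant nodes).
SAMPLE_DTS = """\
/dts-v1/;
/ {
    images {
        kernel { description = "Linux kernel"; hash-1 { algo = "sha256"; }; };
    };
    configurations {
        conf-1 {
            kernel = "kernel";
            signature-256 {
                algo = "sha256,ecdsa256";
                key-name-hint = "private-key-256";
                signer-name = "mkimage";
                value = <0x01 0x02>;
            };
        };
    };
};
"""

# A signature node and its body (one level of nested braces allowed).
NODE_RE = re.compile(r'(signature(?:-\d+)?)\s*\{((?:[^{}]|\{[^{}]*\})*)\}', re.S)
# String properties only; cell values such as the signature bytes are skipped.
PROP_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"\s*;')

def signature_nodes(dts_text):
    """Map each signature node name to its string properties."""
    return {m.group(1): dict(PROP_RE.findall(m.group(2)))
            for m in NODE_RE.finditer(dts_text)}

def check_signature(dts_text, algo, key_hint):
    """True when a signature node declares the expected algo and key-name-hint,
    i.e. mkimage signed with the key the .its asked for."""
    return any(p.get("algo") == algo and p.get("key-name-hint") == key_hint
               for p in signature_nodes(dts_text).values())

def dts_of(path):
    """Decompile a .itb with dtc, as the thread does; assumes dtc is on PATH."""
    return subprocess.run(["dtc", "-I", "dtb", "-O", "dts", path],
                          check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    import sys
    ok = check_signature(dts_of(sys.argv[1]), "sha256,ecdsa256", "private-key-256")
    print("ECDSA signature node present" if ok else "signature node missing")
    sys.exit(0 if ok else 1)
```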