Hi Philippe,
On Thu, Feb 19, 2026 at 8:26 AM Philippe Reynes
<[email protected]> wrote:
>
> This serie adds the support of ecdsa with software
> using mbedtls. So boards without ecdsa hardware may
> also use signature with ecdsa.
>
> To add the support of ecdsa with mbedtls, I have:
> - enabled ecdsa in mbedtls
> - add a function sw_ecdsa_verify that uses mbedtls
> - add a driver sw_ecdsa that call sw_ecdsa_verify
>
> I have tested this code with sandbox, and I have
> followed those steps:
>
> 0) build u-boot using sandbox_defconfig and adding those options:
> CONFIG_ECDSA_SW=y
> CONFIG_ECDSA_MBEDTLS=y
As this series introduces a MbedTLS-only solution, duplicating a
CONFIG_ECDSA_SW is not necessary, you can just use
CONFIG_ECDSA_MBEDTLS when linking with ecdsa-sw.o.
Regards,
Raymond
> CONFIG_ECDSA=y
> CONFIG_ECDSA_VERIFY=y
>
> 1) add a signature node to an its file
> signature-256 {
> algo = "sha256,ecdsa256";
> key-name-hint = "private-key-256";
> };
>
> 2) generate an ecdsa key
> openssl ecparam -name prime256v1 -genkey -noout -out private-key-256.pem
>
> 3) create the itb file
> ./tools/mkimage -f <file.its> -k . -K arch/sandbox/dts/test.dtb <file.itb>
>
> 4) launch sandbox u-boot
>
> ./u-boot -d arch/sandbox/dts/test.dtb
>
> 5) on sandbox u-boot prompt, load the itb and launch bootm on it
>
> => host load hostfs - 1000000 uboot-ecdsa.itb
> 4628674 bytes read in 1 ms (4.3 GiB/s)
> => bootm 1000000
> ...
> ...
> Verifying Hash Integrity ... sha256,ecdsa256:private-key-256+ OK
>
>
> I have tested with success ecdsa256 and ecdsa384,
> but there is an issue with secp521r1.
>
> Changes in v2:
> - move ECDSA_MBEDTLS to MBEDTLS_LIB_X509
> - rename lib/mbedtls/sw_ecdsa.c to lib/mbedtls/ecdsa.c
> - enhance dependancies for ECDSA_MBEDTLS
> - fix support of ecdsa521/secp521r1
> - add vboot test using ecdsa
>
>
> Philippe Reynes (9):
> mbedtls: enable support of ecc
> ecdsa: initial support of ecdsa using mbedtls
> test: lib: sw_ecdsa: add initial test
> drivers: crypto: add software ecdsa support
> ecdsa: fix support of secp521r1
> test: dm: ecdsa.c: clean this test as software ecdsa is now
> implemented
> configs: sandbox: enable the software ecdsa driver
> test: py: vboot: prepare integration test for ecdsa
> test: vboot: add test for ecdsa
>
> configs/amd_versal2_virt_defconfig | 1 +
> configs/qemu_arm64_lwip_defconfig | 1 +
> configs/sandbox_defconfig | 1 +
> configs/starfive_visionfive2_defconfig | 1 +
> configs/xilinx_versal_net_virt_defconfig | 1 +
> configs/xilinx_versal_virt_defconfig | 1 +
> configs/xilinx_zynqmp_kria_defconfig | 1 +
> configs/xilinx_zynqmp_virt_defconfig | 1 +
> drivers/crypto/Kconfig | 2 +
> drivers/crypto/Makefile | 1 +
> drivers/crypto/ecdsa/Kconfig | 6 +
> drivers/crypto/ecdsa/Makefile | 6 +
> drivers/crypto/ecdsa/ecdsa-sw.c | 33 ++
> include/crypto/internal/sw_ecdsa.h | 14 +
> lib/ecdsa/ecdsa-libcrypto.c | 21 +-
> lib/ecdsa/ecdsa-verify.c | 24 +-
> lib/fdt-libcrypto.c | 2 +-
> lib/mbedtls/Kconfig | 16 +
> lib/mbedtls/Makefile | 19 +-
> lib/mbedtls/ecdsa.c | 94 ++++
> lib/mbedtls/mbedtls_def_config.h | 18 +
> test/dm/ecdsa.c | 18 +-
> test/lib/Makefile | 1 +
> test/lib/sw_ecdsa.c | 465 ++++++++++++++++++
> test/py/tests/test_fit_ecdsa.py | 2 +-
> test/py/tests/test_vboot.py | 128 +++--
> ....its => sign-configs-sha1-rsa2048-pss.its} | 0
> ...sha1.its => sign-configs-sha1-rsa2048.its} | 0
> .../vboot/sign-configs-sha256-ecdsa256.its | 45 ++
> .../vboot/sign-configs-sha256-ecdsa384.its | 45 ++
> .../vboot/sign-configs-sha256-ecdsa521.its | 45 ++
> ... sign-configs-sha256-rsa2048-pss-prod.its} | 0
> ...ts => sign-configs-sha256-rsa2048-pss.its} | 0
> ...56.its => sign-configs-sha256-rsa2048.its} | 0
> ...84.its => sign-configs-sha384-rsa3072.its} | 0
> ...s.its => sign-images-sha1-rsa2048-pss.its} | 0
> ...-sha1.its => sign-images-sha1-rsa2048.its} | 0
> .../vboot/sign-images-sha256-ecdsa256.its | 42 ++
> .../vboot/sign-images-sha256-ecdsa384.its | 42 ++
> .../vboot/sign-images-sha256-ecdsa521.its | 42 ++
> ...its => sign-images-sha256-rsa2048-pss.its} | 0
> ...256.its => sign-images-sha256-rsa2048.its} | 0
> ...384.its => sign-images-sha384-rsa3072.its} | 0
> tools/image-sig-host.c | 2 +-
> 44 files changed, 1062 insertions(+), 79 deletions(-)
> create mode 100644 drivers/crypto/ecdsa/Kconfig
> create mode 100644 drivers/crypto/ecdsa/Makefile
> create mode 100644 drivers/crypto/ecdsa/ecdsa-sw.c
> create mode 100644 include/crypto/internal/sw_ecdsa.h
> create mode 100644 lib/mbedtls/ecdsa.c
> create mode 100644 test/lib/sw_ecdsa.c
> rename test/py/tests/vboot/{sign-configs-sha1-pss.its =>
> sign-configs-sha1-rsa2048-pss.its} (100%)
> rename test/py/tests/vboot/{sign-configs-sha1.its =>
> sign-configs-sha1-rsa2048.its} (100%)
> create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa256.its
> create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa384.its
> create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa521.its
> rename test/py/tests/vboot/{sign-configs-sha256-pss-prod.its =>
> sign-configs-sha256-rsa2048-pss-prod.its} (100%)
> rename test/py/tests/vboot/{sign-configs-sha256-pss.its =>
> sign-configs-sha256-rsa2048-pss.its} (100%)
> rename test/py/tests/vboot/{sign-configs-sha256.its =>
> sign-configs-sha256-rsa2048.its} (100%)
> rename test/py/tests/vboot/{sign-configs-sha384.its =>
> sign-configs-sha384-rsa3072.its} (100%)
> rename test/py/tests/vboot/{sign-images-sha1-pss.its =>
> sign-images-sha1-rsa2048-pss.its} (100%)
> rename test/py/tests/vboot/{sign-images-sha1.its =>
> sign-images-sha1-rsa2048.its} (100%)
> create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa256.its
> create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa384.its
> create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa521.its
> rename test/py/tests/vboot/{sign-images-sha256-pss.its =>
> sign-images-sha256-rsa2048-pss.its} (100%)
> rename test/py/tests/vboot/{sign-images-sha256.its =>
> sign-images-sha256-rsa2048.its} (100%)
> rename test/py/tests/vboot/{sign-images-sha384.its =>
> sign-images-sha384-rsa3072.its} (100%)
>
> --
> 2.43.0
>
