[EXTERNAL] Re: [PATCH v2 6/6] test: dm: Add test for ECDSA UCLASS support
Tim Romanski
tromanski at linux.microsoft.com
Fri Apr 23 19:03:25 CEST 2021

Update on ECDSA verification progress: I've forked Alex's repo and have
included my changes in the 'ecdsa-vrf-1' branch [1]. This includes the
isolated OpenSSL code for verification, and I split up the
lib/ecdsa/ecdsa-libcrypto.c file into lib/ecdsa/ecdsa-sign.c and
lib/ecdsa/ecdsa-verify.c. I've also included unit tests under
test/py/tests/test_vboot_ecdsa.py, which test ECDSA with the sha1 and
sha256 digest algos. There are some outstanding changes to be made
before it's ready for review, mainly cleaning up the OpenSSL code, as it
still includes redundant code though it works without any additional
dependencies, and better integration with U-Boot's build system.

Currently I've added a new Kconfig setting to turn on ECDSA
signing/verification called "CONFIG_FIT_SIGNATURE_ECDSA" in
common/Kconfig.boot, which sets config options "CONFIG_ECDSA" and
"CONFIG_ECDSA_VERIFY". This is done mainly to replicate how the RSA
config was set up, though creating "CONFIG_FIT_SIGNATURE_ECDSA" separate
from "CONFIG_FIT_SIGNATURE" feels messy; there's probably a better approach.

Today is also my last day at my internship. Deskin, a team member of
mine at Microsoft who was keeping an eye on the project, will be the
main point of contact from here (deskinm at linux.microsoft.com), though I
can also be reached at timromanski at gmail.com (CC'd) and will be
responsive if there are any questions.

All the best,
Tim

[1] timr11/u-boot: u-boot + elliptic curve verification (github.com)
<https://github.com/timr11/u-boot>

On 2021-04-08 12:56 p.m., Tim Romanski wrote:
> Ok, will do. I'm writing the verification code, I noticed you're
> passing the public key into the fdt using fdt_add_bignum, which
> converts the x and y values into big endian integer arrays. Do you
> have a method to read these values from the fdt and convert them back
> into bignums, or is that TODO? I can get that done if it's not yet
> implemented.
>
> All the best,
>
> Tim
>
> On 2021-04-07 4:03 p.m., Alex G. wrote:
>> On 4/7/21 12:29 PM, Tim Romanski wrote:
>>
>>> Question for Alex, I see your repo has a few branches related to
>>> ECDSA (patch-ecdsa-v[1-5], patch-mkimage-keyfile-v{1,2}). You sent
>>> me a link to 'patch-ecdsa-v1' in a previous email, is that the one
>>> that's being upstreamed? Should I be working off a different branch
>>> or is that one ok?
>>
>> I'm up to v6 on the patch submission. The differences are not that
>> big, but I recommend sticking to the latest.
>>
>> Alex