[EXTERNAL] Re: [PATCH v2 6/6] test: dm: Add test for ECDSA UCLASS support

Tim Romanski tromanski at linux.microsoft.com
Fri Apr 23 19:03:25 CEST 2021


Update on ECDSA verification progress, I've forked Alex's repo and have 
included my changes in the 'ecdsa-vrf-1' branch [1]. This includes the 
isolated OpenSSL code for verification, and I split up the 
lib/ecdsa/ecdsa-libcrypto.c file into lib/ecdsa/ecdsa-sign.c and 
lib/ecdsa/ecdsa-verify.c. I've also included unit tests under 
test/py/tests/test_vboot_ecdsa.py, which test ECDSA with the sha1 and 
sha256 digest algos. There are some outstanding changes to be made 
before it's ready for review, mainly cleaning up the OpenSSL code as it 
has redundant code still included though it works without any additional 
dependencies, and better integration with U-Boot's build system. 
Currently I've added a new Kconfig setting to turn on ECDSA 
signing/verification called "CONFIG_FIT_SIGNATURE_ECDSA" in 
common/Kconfig.boot which sets config options "CONFIG_ECDSA" and 
"CONFIG_ECDSA_VERIFY". This is done mainly to replicate how the RSA 
config was setup, though creating "CONFIG_FIT_SIGNATURE_ECDSA" separate 
from "CONFIG_FIT_SIGNATURE" feels messy, there's probably a better approach.

Today is also my last day at my internship. Deskin, a team member of 
mine at Microsoft who was keeping an eye on the project, will be the 
main point of contact from here (deskinm at linux.microsoft.com) though I 
can also be reached at timromanski at gmail.com (CC'd) and will be 
responsive if there are any questions.

All the best,

Tim

[1] timr11/u-boot: u-boot + elliptic curve verification (github.com) 
<https://github.com/timr11/u-boot>

On 2021-04-08 12:56 p.m., Tim Romanski wrote:
> Ok, will do. I'm writing the verification code, I noticed you're 
> passing the public key into the fdt using fdt_add_bignum, which 
> converts the x and y values into big endian integer arrays. Do you 
> have a method to read these values from the fdt and convert them back 
> into bignums, or is that TODO? I can get that done if it's not yet 
> implemented.
>
> All the best,
>
> Tim
>
> On 2021-04-07 4:03 p.m., Alex G. wrote:
>> On 4/7/21 12:29 PM, Tim Romanski wrote:
>>
>>> Question for Alex, I see your repo has a few branches related to 
>>> ECDSA (patch-ecdsa-v[1-5], patch-mkimage-keyfile-v{1,2}). You sent 
>>> me a link to 'patch-ecdsa-v1' in a previous email, is that the one 
>>> that's being upstreamed? Should I be working off a different branch 
>>> or is that one ok?
>>
>> I'm up to v6 on the patch submission. The differences are not that 
>> big, but I recommend sticking to the latest.
>>
>> Alex


More information about the U-Boot mailing list