U-Boot ECDSA Implementation Question

Simon Glass sjg at chromium.org
Fri Feb 5 15:35:07 CET 2021


Hi Tim

+Alexandru Gagniuc

On Thu, 4 Feb 2021 at 15:01, Tim Romanski <t-tromanski at microsoft.com> wrote:
>
> Hello,
>
> I’m a current intern at Microsoft, and one of my priorities is to enable ECDSA for U-Boot image signing/verification. Simon mentioned someone is already working on ECC, it would be great to get synced up with related progress. For signing, I will likely replicate the existing approach of using the openssl library. I’m aware that signing happens on a host machine and verification happens during boot, which implies verification should have a custom implementation to avoid the openssl overhead in the U-Boot binary. My thoughts are to copy an ECC verification implementation from a well-tested widely-used open source project. I was wondering, is U-Boot’s current RSA verification copied from another project? If so, how are security patches between the two copies of code usually handled? I’m thinking of deriving from the ECDSA implementation currently in the Linux kernel, though I’d also appreciate suggestions if there’s a better/more widely tested & used implementation.

U-Boot's RSA came originally from Android I think and was modified for
use in Chrome OS. However the implementation in U-Boot of the
verification part is quite small - mostly in rsa-verify.c with some
maths in rsa-mod-exp.c and U-Boot has added various new features over
the years. We don't synchronize security patches formally although of
course they are published. I think pulling in something from Linux
makes sense if it is not too large, as the projects are fairly close
in coding style, contributors, etc.

Alexandru Gagniuc, on cc, has been looking at implementing the signing
side of this recently and has sent some patches that you could look
at.

I hope you have a nice internship!

Regards,
Simon

