[PATCH v3 3/6] lib: Add support for ECDSA image signing

Alex G. mr.nuke.me at gmail.com
Thu Jan 14 16:48:39 CET 2021



On 1/13/21 10:10 AM, Simon Glass wrote:
> On Thu, 7 Jan 2021 at 15:34, Alexandru Gagniuc <mr.nuke.me at gmail.com> wrote:
>>
>> mkimage supports rsa2048, and rsa4096 signatures. With newer silicon
>> now supporting hardware-accelerated ECDSA, it makes sense to expand
>> signing support to elliptic curves.
>>
>> Implement host-side ECDSA signing and verification with libcrypto.
>> Device-side implementation of signature verification is beyond the
>> scope of this patch.
>>
>> Signed-off-by: Alexandru Gagniuc <mr.nuke.me at gmail.com>
>> ---
>>   common/image-sig.c          |  11 +-
>>   include/image.h             |   3 +
>>   include/u-boot/ecdsa.h      |  94 +++++++++++
>>   lib/ecdsa/ecdsa-libcrypto.c | 306 ++++++++++++++++++++++++++++++++++++
>>   tools/Makefile              |   3 +
>>   5 files changed, 415 insertions(+), 2 deletions(-)
>>   create mode 100644 include/u-boot/ecdsa.h
>>   create mode 100644 lib/ecdsa/ecdsa-libcrypto.c
> 
> Reviewed-by: Simon Glass <sjg at chromium.org>
> 
> But you should check the return value of do_sign(). Why do you call
> ecdsa_check_signature() afterwards? Can you not trust the library?

You are right that it's a redundant step. It's an automatic test for the 
ecdsa_sig_encode_raw()/ecdsa_sig_from_raw() pair.

Alex

> Regards,
> Simon
> 


More information about the U-Boot mailing list