[PATCH v3 3/6] lib: Add support for ECDSA image signing
Alex G.
mr.nuke.me at gmail.com
Thu Jan 14 16:48:39 CET 2021
On 1/13/21 10:10 AM, Simon Glass wrote:
> On Thu, 7 Jan 2021 at 15:34, Alexandru Gagniuc <mr.nuke.me at gmail.com> wrote:
>>
>> mkimage supports rsa2048, and rsa4096 signatures. With newer silicon
>> now supporting hardware-accelerated ECDSA, it makes sense to expand
>> signing support to elliptic curves.
>>
>> Implement host-side ECDSA signing and verification with libcrypto.
>> Device-side implementation of signature verification is beyond the
>> scope of this patch.
>>
>> Signed-off-by: Alexandru Gagniuc <mr.nuke.me at gmail.com>
>> ---
>> common/image-sig.c | 11 +-
>> include/image.h | 3 +
>> include/u-boot/ecdsa.h | 94 +++++++++++
>> lib/ecdsa/ecdsa-libcrypto.c | 306 ++++++++++++++++++++++++++++++++++++
>> tools/Makefile | 3 +
>> 5 files changed, 415 insertions(+), 2 deletions(-)
>> create mode 100644 include/u-boot/ecdsa.h
>> create mode 100644 lib/ecdsa/ecdsa-libcrypto.c
>
> Reviewed-by: Simon Glass <sjg at chromium.org>
>
> But you should check the return value of do_sign(). Why do you call
> ecdsa_check_signature() afterwards? Can you not trust the library?
You are right that it's a redundant step. It's an automatic test for the
ecdsa_sig_encode_raw()/ecdsa_sig_from_raw() pair.
Alex
> Regards,
> Simon
>
More information about the U-Boot
mailing list