[PATCH v4 01/14] mbedtls: enable support of ecc

Simon Glass sjg at chromium.org
Mon Apr 20 04:11:11 CEST 2026


Hi Philippe,

On 2026-04-17T13:02:04, Philippe Reynes <philippe.reynes at softathome.com> wrote:
> mbedtls: enable support of ecc
>
> Enables the support of ecc in mbedtls.
>
> Signed-off-by: Philippe Reynes <philippe.reynes at softathome.com>
>
>  configs/sandbox_defconfig        |  1 +
>  lib/ecdsa/Kconfig                |  1 +
>  lib/mbedtls/Kconfig              | 14 ++++++++++++++
>  lib/mbedtls/Makefile             | 17 +++++++++--------
>  lib/mbedtls/mbedtls_def_config.h | 17 +++++++++++++++++
>  5 files changed, 42 insertions(+), 8 deletions(-)

> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
> @@ -38,14 +38,20 @@ mbedtls_lib_crypto-$(CONFIG_$(PHASE_)HKDF_MBEDTLS) += \
> +mbedtls_lib_x509-y := $(MBEDTLS_LIB_DIR)/x509.o \
> +     $(MBEDTLS_LIB_DIR)/ecdsa.o \
> +     $(MBEDTLS_LIB_DIR)/ecp.o \
> +     $(MBEDTLS_LIB_DIR)/ecp_curves.o \
> +     $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \
> +     $(MBEDTLS_LIB_DIR)/pk_ecc.o
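
Review bot: the five ECC objects (ecdsa.o, ecp.o, ecp_curves.o, ecp_curves_new.o, pk_ecc.o) are assigned to mbedtls_lib_x509-y with a plain `:=`, so they are linked into every build that enables the X.509 library regardless of whether ECDSA verification is configured. Keep `x509.o` in the unconditional assignment and add the ECC objects through a guarded `+=` in the style the file already uses at the top of this hunk, e.g. `mbedtls_lib_x509-$(CONFIG_$(PHASE_)ECDSA_MBEDTLS) += $(MBEDTLS_LIB_DIR)/ecdsa.o`, so that X.509-only configurations do not carry the ECC code.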

The ECC objects are unconditionally included in mbedtls_lib_x509-y,
increasing binary size for configurations needing X509 without ECDSA.
Please can you make these conditional on CONFIG_ECDSA_MBEDTLS,
following the RSA_PUBLIC_KEY_PARSER_MBEDTLS pattern?

> diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h
> @@ -89,6 +89,23 @@
> +#if CONFIG_IS_ENABLED(ECDSA)
> +#define MBEDTLS_ECDSA_C
> +#define MBEDTLS_ECP_C
> +#define MBEDTLS_BIGNUM_C
> +#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
> +#define MBEDTLS_ECP_DP_BP256R1_ENABLED
> +#define MBEDTLS_ECP_DP_BP384R1_ENABLED
> +#define MBEDTLS_ECP_DP_BP512R1_ENABLED
> +#endif
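
Review bot: the block enables all eleven curve groups, including SECP192R1 and SECP224R1 (below the 128-bit security level) and the three Koblitz curves, which compiles every curve's parameters and point arithmetic into the boot image although a signature check at boot normally needs only the curve(s) the image format is signed with; please enable only the curves lib/ecdsa actually accepts, behind their own CONFIG symbols if more than one is needed. The same block also defines MBEDTLS_BIGNUM_C under the ECDSA guard while the Kconfig part of this patch introduces a separate BIGNUM_MBEDTLS symbol, so the two should be reconciled (key the define on BIGNUM_MBEDTLS, or drop the symbol).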

I suspect this should use CONFIG_IS_ENABLED(ECDSA_MBEDTLS) rather than
CONFIG_IS_ENABLED(ECDSA), for consistency with other mbedtls-specific
features in this file. Currently, enabling ECDSA with the legacy
crypto library would set these defines but not link the corresponding
code.

> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> @@ -247,6 +247,10 @@ config MBEDTLS_LIB_X509
> +config BIGNUM_MBEDTLS
> +     bool
> +     default n
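
Review bot: BIGNUM_MBEDTLS is introduced as a hidden bool, but in the hunks shown nothing selects it and mbedtls_def_config.h does not use it (MBEDTLS_BIGNUM_C is defined there under the ECDSA guard instead), so as posted the symbol has no effect. Either have ECDSA_MBEDTLS `select BIGNUM_MBEDTLS` and guard the define with CONFIG_IS_ENABLED(BIGNUM_MBEDTLS), or remove the symbol from this patch; a short comment above the entry naming what is expected to select it would also help.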

You don't need 'default n' as 'n' is the default.

Regards,
Simon
