[PATCH v4 10/14] tools: binman: pre-load: add support of ecdsa
Simon Glass
sjg at chromium.org
Mon Apr 20 04:12:28 CEST 2026
Hi Philippe,
On 2026-04-17T13:02:04, Philippe Reynes <philippe.reynes at softathome.com> wrote:
> tools: binman: pre-load: add support of ecdsa
>
> Right now, binman can only create pre-load header
> using rsa. We add the support of ecdsa.
>
> Signed-off-by: Philippe Reynes <philippe.reynes at softathome.com>
>
> tools/binman/etype/pre_load.py | 76 +++++++++++++++++++---
> tools/binman/ftest.py | 50 ++++++++++++++
> tools/binman/test/ecdsa521.pem | 7 ++
> tools/binman/test/security/pre_load_ecdsa.dts | 22 +++++++
> .../test/security/pre_load_ecdsa_invalid_algo.dts | 22 +++++++
> .../test/security/pre_load_ecdsa_invalid_key.dts | 22 +++++++
> .../test/security/pre_load_ecdsa_invalid_sha.dts | 22 +++++++
> 7 files changed, 213 insertions(+), 8 deletions(-)
> diff --git a/tools/binman/etype/pre_load.py b/tools/binman/etype/pre_load.py
> @@ -27,6 +29,12 @@ RSAS = {
> +ECDSAS = {
> + 'ecdsa256': 256 / 8 * 2,
> + 'ecdsa384': 384 / 8 * 2,
> + 'ecdsa521': 132
> +}
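Review bot: In ECDSAS, the 'ecdsa256' and 'ecdsa384' entries use true division (`256 / 8 * 2`, `384 / 8 * 2`), so under Python 3 they are floats (64.0 and 96.0) while 'ecdsa521' is the int 132. An equality comparison against an integer size still passes, but any use of these values as a length (slicing, padding, struct packing) needs an int. Suggest `//` for all three entries so the table holds integers throughout.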
For consistency, please can you use the same formula for ecdsa521?
Something like (521 + 7) // 8 * 2 would make it clearer that 132 =
ceil(521/8) * 2.
> diff --git a/tools/binman/etype/pre_load.py b/tools/binman/etype/pre_load.py
> @@ -151,6 +152,65 @@ class Entry_pre_load(Entry_collection):
> + def _CreateHeaderEcdsa(self, hash_name, sign_name, key_name):
> + # Check hash and signature name/type
> + if hash_name not in SHAS:
> + self.Raise(hash_name + " is not supported")
> +
> + # Read the key
> + key = ECC.import_key(tools.read_file(key_name))
> +
> + # Check if the key has the expected size
> + if key.pointQ.size_in_bytes() * 2 != ECDSAS[sign_name]:
> + self.Raise("The key " + self.key_name + " don't have the expected size")
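Review bot: In _CreateHeaderEcdsa(), the comment says both the hash and the signature name are checked, but the lines quoted here validate only hash_name; sign_name goes straight into `ECDSAS[sign_name]`, so an unknown algorithm would surface as a KeyError rather than a self.Raise() message. Suggest an `if sign_name not in ECDSAS:` check next to the SHAS one. Separately, the key is read from the key_name parameter while the error message prints self.key_name; using one of the two consistently keeps the message tied to the file that was actually read.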
doesn't have
Also _CreateHeaderRsa() has the same issue.
> diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
> @@ -5895,6 +5895,56 @@ fdt fdtmap Extract the devicetree blob from the fdtmap
> + def testPreLoadEcdsa(self):
> + """Test an image with a pre-load header using ecdsa key"""
> + entry_args = {
> + 'pre-load-key-path': os.path.join(self._binman_dir, 'test'),
> + }
> + data = self._DoReadFileDtb(
> + 'security/pre_load_ecdsa.dts', entry_args=entry_args,
> + extra_indirs=[os.path.join(self._binman_dir, 'test')])[0]
> +
> + image_fname = tools.get_output_filename('image.bin')
> + is_signed = self._CheckPreload(image_fname, self.TestFile("ecdsa521.pem"), "sha256,ecdsa521")
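Review bot: testPreLoadEcdsa() exercises only "sha256,ecdsa521", and the diffstat adds a single test key, ecdsa521.pem, so the 'ecdsa256' and 'ecdsa384' entries of ECDSAS appear to have no positive test. Since those two entries are computed differently from the 'ecdsa521' one, a test with a P-256 or P-384 key would confirm that the size check in _CreateHeaderEcdsa() accepts them.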
This line is quite long. Please can you break it across lines?
Also we should use single quotes for strings.
Reviewed-by: Simon Glass <sjg at chromium.org>
Regards,
Simon