[PATCH v5 02/15] mbedtls: enable support of ecc
Simon Glass
sjg at chromium.org
Wed Apr 22 02:10:19 CEST 2026
Hi Philippe,
On 2026-04-21T21:09:51, Philippe Reynes <philippe.reynes at softathome.com> wrote:
> mbedtls: enable support of ecc
>
> Enables the support of ecc in mbedtls.
>
> Signed-off-by: Philippe Reynes <philippe.reynes at softathome.com>
>
> configs/amd_versal2_virt_defconfig | 3 +++
> configs/qemu_arm64_lwip_defconfig | 3 +++
> configs/sandbox_defconfig | 1 +
> configs/starfive_visionfive2_defconfig | 3 +++
> configs/xilinx_versal_net_virt_defconfig | 3 +++
> configs/xilinx_versal_virt_defconfig | 3 +++
> configs/xilinx_zynqmp_kria_defconfig | 3 +++
> configs/xilinx_zynqmp_virt_defconfig | 3 +++
> lib/ecdsa/Kconfig | 1 +
> lib/mbedtls/Kconfig | 14 ++++++++++++++
> lib/mbedtls/Makefile | 16 +++++++++-------
> lib/mbedtls/mbedtls_def_config.h | 17 +++++++++++++++++
> 12 files changed, 63 insertions(+), 7 deletions(-)
> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> @@ -300,6 +313,7 @@ config MBEDTLS_LIB_TLS
> + depends on ECDSA_MBEDTLS
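Review bot: the `depends on ECDSA_MBEDTLS` line added under `config MBEDTLS_LIB_TLS` makes the TLS option invisible whenever ECDSA_MBEDTLS is unset, so a configuration that previously enabled MBEDTLS_LIB_TLS drops it silently on the next defconfig refresh unless it also sets the ECDSA symbols. If TLS needs the curve code, have it `select` a symbol that provides only the ECP and bignum pieces, and state the reason in the option's help text.
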
Adding ECDSA_MBEDTLS as a hard dependency on MBEDTLS_LIB_TLS means
every board using TLS now requires CONFIG_ECDSA and
CONFIG_ECDSA_VERIFY. I suspect you want to separate the TLS ECC
requirements from FIT signature verification. Perhaps the ECC curve
support should be in a separate CONFIG_ECC_MBEDTLS option that both
TLS and ECDSA verification can select?
> diff --git a/configs/qemu_arm64_lwip_defconfig b/configs/qemu_arm64_lwip_defconfig
> @@ -3,6 +3,9 @@
> +CONFIG_ECDSA=y
> +CONFIG_ECDSA_VERIFY=y
> +CONFIG_ECDSA_MBEDTLS=y
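Review bot: the commit message does not explain why this defconfig gains `CONFIG_ECDSA=y`, `CONFIG_ECDSA_VERIFY=y` and `CONFIG_ECDSA_MBEDTLS=y`; it only says that ECC support is enabled in mbedtls. State in the message which existing option these three lines are needed to keep enabled on this board, and whether the same reasoning applies to the other defconfigs in the diffstat, so that a later cleanup does not remove them as unused.
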
This suggests the coupling between TLS and ECDSA verification is too
tight. These boards want HTTPS but might not need FIT ECDSA signature
verification.
> diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h
> @@ -89,6 +89,23 @@
> +#if CONFIG_IS_ENABLED(ECDSA_MBEDTLS)
> +#define MBEDTLS_ECDSA_C
> +#define MBEDTLS_ECP_C
> +#define MBEDTLS_BIGNUM_C
> +#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
> +#define MBEDTLS_ECP_DP_BP256R1_ENABLED
> +#define MBEDTLS_ECP_DP_BP384R1_ENABLED
> +#define MBEDTLS_ECP_DP_BP512R1_ENABLED
> +#endif
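Review bot: the block under `#if CONFIG_IS_ENABLED(ECDSA_MBEDTLS)` turns on all eleven curves at once, including `MBEDTLS_ECP_DP_SECP192R1_ENABLED` and `MBEDTLS_ECP_DP_SECP192K1_ENABLED`, whose roughly 96-bit strength is below the 112-bit minimum in current guidance. Each enabled curve is compiled in and available to every caller, so limit the default set to the curves the callers actually need and put the others behind per-curve Kconfig options that are off by default.
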
How much code size is added by enabling all ECC curves unconditionally?
Regards,
Simon