[PATCH v5 00/15] add software ecdsa support
Raymond Mao
raymondmaoca at gmail.com
Wed Apr 22 16:54:02 CEST 2026
Hi Philippe,
On Tue, Apr 21, 2026 at 5:10 PM Philippe Reynes
<philippe.reynes at softathome.com> wrote:
>
> This series adds the support of ecdsa with software
> using mbedtls. So boards without ecdsa hardware may
> also use signature with ecdsa.
>
> To add the support of ecdsa with mbedtls, I have:
> - enabled ecdsa in mbedtls
> - add a function sw_ecdsa_verify that uses mbedtls
> - add a driver sw_ecdsa that call sw_ecdsa_verify
>
> I have tested this code with sandbox, and I have
> followed those steps:
>
> 0) build u-boot using sandbox_defconfig and adding those options:
>
> CONFIG_ECDSA_MBEDTLS=y
> CONFIG_ECDSA=y
> CONFIG_ECDSA_VERIFY=y
>
> 1) add a signature node to an its file
> signature-256 {
> algo = "sha256,ecdsa256";
> key-name-hint = "private-key-256";
> };
>
> 2) generate an ecdsa key
> openssl ecparam -name prime256v1 -genkey -noout -out private-key-256.pem
>
> 3) create the itb file
> ./tools/mkimage -f <file.its> -k . -K arch/sandbox/dts/test.dtb <file.itb>
>
> 4) launch sandbox u-boot
>
> ./u-boot -d arch/sandbox/dts/test.dtb
>
> 5) on sandbox u-boot prompt, load the itb and launch bootm on it
>
> => host load hostfs - 1000000 uboot-ecdsa.itb
> 4628674 bytes read in 1 ms (4.3 GiB/s)
> => bootm 1000000
> ...
> ...
> Verifying Hash Integrity ... sha256,ecdsa256:private-key-256+ OK
>
>
>
>
>
> Changes in v2:
> - move ECDSA_MBEDTLS to MBEDTLS_LIB_X509
> - rename lib/mbedtls/sw_ecdsa.c to lib/mbedtls/ecdsa.c
> - enhance dependancies for ECDSA_MBEDTLS
s/dependancies/dependencies
Regards,
Raymond
> - fix support of ecdsa521/secp521r1
> - add vboot test using ecdsa
>
> Changes in v3:
> - do not use _MBEDTLS in mbedtls_def_config.h
> - check returns and remove mem leak in lib/mbedtls/ecdsa.c
> - remove useless field *k in struct ecdsa_test_vector_s
> - check returns in test/lib/ecdsa.c
> - fix third parameter when calling sha*_csum_wd()
> - add support of ecdsa in pre-load header
>
> Changes in v4:
> - change some dependencies to enable ecc
> - use ECDSA_MBEDTLS to build the ecdsa driver
> - support ecdsa521 and secp521r1
> - add a test calling ecdsa_verify for the ecdsa class
> - merge patch 10 and 11 (support ecdsa pre-load for binman and tests)
> - several code cleanup
>
> Change in v5:
> - fix ecdsa 521 in the first patch (instead of the 5th patch)
> - mbedtls: ecdsa is only compiled when ECDSA_MBEDTLS is enabled
> - fit_image_setup_sig: required_keynode is initiazed to -1 instead of 0
> - avoid hardcoded value for ecdsa sig and point size
> - check pointer before using them
> - free ecdsa keys when key are not found/used
>
>
> Philippe Reynes (15):
> ecdsa: fix support of secp521r1
> mbedtls: enable support of ecc
> ecdsa: initial support of ecdsa using mbedtls
> test: lib: ecdsa: add initial test
> drivers: crypto: add software ecdsa support
> test: dm: ecdsa.c: clean this test as software ecdsa is now
> implemented
> test: py: vboot: prepare integration test for ecdsa
> test: vboot: add test for ecdsa
> tools: fit_image_setup_sig: set required_keynode to -1
> tools: mkimage: pre-load: add support of ecdsa
> tools: binman: pre-load: add support of ecdsa
> boot: pre-load: add support of ecdsa
> tools: preload_check_sign: add support of ecdsa
> test: py: vboot: prepare test for global signature with ecdsa
> test: py: vboot: add test for global signature with ecdsa
>
> boot/image-pre-load.c | 53 +-
> configs/amd_versal2_virt_defconfig | 3 +
> configs/qemu_arm64_lwip_defconfig | 3 +
> configs/sandbox_defconfig | 1 +
> configs/starfive_visionfive2_defconfig | 3 +
> configs/xilinx_versal_net_virt_defconfig | 3 +
> configs/xilinx_versal_virt_defconfig | 3 +
> configs/xilinx_zynqmp_kria_defconfig | 3 +
> configs/xilinx_zynqmp_virt_defconfig | 3 +
> drivers/crypto/Makefile | 1 +
> drivers/crypto/ecdsa/Makefile | 6 +
> drivers/crypto/ecdsa/ecdsa-sw.c | 33 ++
> include/crypto/ecdsa-uclass.h | 15 +-
> include/crypto/internal/ecdsa.h | 39 ++
> lib/ecdsa/Kconfig | 1 +
> lib/ecdsa/ecdsa-libcrypto.c | 92 +++-
> lib/ecdsa/ecdsa-verify.c | 75 ++-
> lib/fdt-libcrypto.c | 2 +-
> lib/mbedtls/Kconfig | 14 +
> lib/mbedtls/Makefile | 19 +-
> lib/mbedtls/ecdsa.c | 146 ++++++
> lib/mbedtls/mbedtls_def_config.h | 17 +
> test/dm/ecdsa.c | 107 +++-
> test/lib/Makefile | 1 +
> test/lib/ecdsa.c | 456 ++++++++++++++++++
> test/py/tests/test_fit_ecdsa.py | 2 +-
> test/py/tests/test_vboot.py | 143 +++---
> .../tests/vboot/sandbox-binman-ecdsa256.dts | 24 +
> .../tests/vboot/sandbox-binman-ecdsa384.dts | 24 +
> .../tests/vboot/sandbox-binman-ecdsa521.dts | 24 +
> ...pss.dts => sandbox-binman-rsa2048-pss.dts} | 0
> ...-binman.dts => sandbox-binman-rsa2048.dts} | 0
> .../vboot/sandbox-u-boot-global-ecdsa256.dts | 27 ++
> .../vboot/sandbox-u-boot-global-ecdsa384.dts | 27 ++
> .../vboot/sandbox-u-boot-global-ecdsa521.dts | 27 ++
> ... => sandbox-u-boot-global-rsa2048-pss.dts} | 0
> ....dts => sandbox-u-boot-global-rsa2048.dts} | 0
> ....its => sign-configs-sha1-rsa2048-pss.its} | 0
> ...sha1.its => sign-configs-sha1-rsa2048.its} | 0
> .../vboot/sign-configs-sha256-ecdsa256.its | 45 ++
> .../vboot/sign-configs-sha256-ecdsa384.its | 45 ++
> .../vboot/sign-configs-sha256-ecdsa521.its | 45 ++
> ... sign-configs-sha256-rsa2048-pss-prod.its} | 0
> ...ts => sign-configs-sha256-rsa2048-pss.its} | 0
> ...56.its => sign-configs-sha256-rsa2048.its} | 0
> ...84.its => sign-configs-sha384-rsa3072.its} | 0
> ...s.its => sign-images-sha1-rsa2048-pss.its} | 0
> ...-sha1.its => sign-images-sha1-rsa2048.its} | 0
> .../vboot/sign-images-sha256-ecdsa256.its | 42 ++
> .../vboot/sign-images-sha256-ecdsa384.its | 42 ++
> .../vboot/sign-images-sha256-ecdsa521.its | 42 ++
> ...its => sign-images-sha256-rsa2048-pss.its} | 0
> ...256.its => sign-images-sha256-rsa2048.its} | 0
> ...384.its => sign-images-sha384-rsa3072.its} | 0
> tools/binman/etype/pre_load.py | 78 ++-
> tools/binman/ftest.py | 52 ++
> tools/binman/test/ecdsa521.pem | 7 +
> tools/binman/test/security/pre_load_ecdsa.dts | 22 +
> .../security/pre_load_ecdsa_invalid_algo.dts | 22 +
> .../security/pre_load_ecdsa_invalid_key.dts | 22 +
> .../security/pre_load_ecdsa_invalid_sha.dts | 22 +
> tools/image-host.c | 93 +++-
> tools/image-sig-host.c | 7 +
> tools/preload_check_sign.c | 30 ++
> 64 files changed, 1877 insertions(+), 136 deletions(-)
> create mode 100644 drivers/crypto/ecdsa/Makefile
> create mode 100644 drivers/crypto/ecdsa/ecdsa-sw.c
> create mode 100644 include/crypto/internal/ecdsa.h
> create mode 100644 lib/mbedtls/ecdsa.c
> create mode 100644 test/lib/ecdsa.c
> create mode 100644 test/py/tests/vboot/sandbox-binman-ecdsa256.dts
> create mode 100644 test/py/tests/vboot/sandbox-binman-ecdsa384.dts
> create mode 100644 test/py/tests/vboot/sandbox-binman-ecdsa521.dts
> rename test/py/tests/vboot/{sandbox-binman-pss.dts => sandbox-binman-rsa2048-pss.dts} (100%)
> rename test/py/tests/vboot/{sandbox-binman.dts => sandbox-binman-rsa2048.dts} (100%)
> create mode 100644 test/py/tests/vboot/sandbox-u-boot-global-ecdsa256.dts
> create mode 100644 test/py/tests/vboot/sandbox-u-boot-global-ecdsa384.dts
> create mode 100644 test/py/tests/vboot/sandbox-u-boot-global-ecdsa521.dts
> rename test/py/tests/vboot/{sandbox-u-boot-global-pss.dts => sandbox-u-boot-global-rsa2048-pss.dts} (100%)
> rename test/py/tests/vboot/{sandbox-u-boot-global.dts => sandbox-u-boot-global-rsa2048.dts} (100%)
> rename test/py/tests/vboot/{sign-configs-sha1-pss.its => sign-configs-sha1-rsa2048-pss.its} (100%)
> rename test/py/tests/vboot/{sign-configs-sha1.its => sign-configs-sha1-rsa2048.its} (100%)
> create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa256.its
> create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa384.its
> create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa521.its
> rename test/py/tests/vboot/{sign-configs-sha256-pss-prod.its => sign-configs-sha256-rsa2048-pss-prod.its} (100%)
> rename test/py/tests/vboot/{sign-configs-sha256-pss.its => sign-configs-sha256-rsa2048-pss.its} (100%)
> rename test/py/tests/vboot/{sign-configs-sha256.its => sign-configs-sha256-rsa2048.its} (100%)
> rename test/py/tests/vboot/{sign-configs-sha384.its => sign-configs-sha384-rsa3072.its} (100%)
> rename test/py/tests/vboot/{sign-images-sha1-pss.its => sign-images-sha1-rsa2048-pss.its} (100%)
> rename test/py/tests/vboot/{sign-images-sha1.its => sign-images-sha1-rsa2048.its} (100%)
> create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa256.its
> create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa384.its
> create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa521.its
> rename test/py/tests/vboot/{sign-images-sha256-pss.its => sign-images-sha256-rsa2048-pss.its} (100%)
> rename test/py/tests/vboot/{sign-images-sha256.its => sign-images-sha256-rsa2048.its} (100%)
> rename test/py/tests/vboot/{sign-images-sha384.its => sign-images-sha384-rsa3072.its} (100%)
> create mode 100644 tools/binman/test/ecdsa521.pem
> create mode 100644 tools/binman/test/security/pre_load_ecdsa.dts
> create mode 100644 tools/binman/test/security/pre_load_ecdsa_invalid_algo.dts
> create mode 100644 tools/binman/test/security/pre_load_ecdsa_invalid_key.dts
> create mode 100644 tools/binman/test/security/pre_load_ecdsa_invalid_sha.dts
>
> --
> 2.43.0
>
More information about the U-Boot
mailing list