[RFC PATCH 0/4] add software ecdsa support
Raymond Mao
raymondmaoca at gmail.com
Mon Feb 2 20:09:09 CET 2026
Hi Philippe,
On Mon, Feb 2, 2026 at 12:05 PM Philippe Reynes
<philippe.reynes at softathome.com> wrote:
>
> This series adds the support of ecdsa with software
> using mbedtls. So boards without ecdsa hardware may
> also use signature with ecdsa.
>
> To add the support of ecdsa with mbedtls, I have:
> - enabled ecdsa in mbedtls
> - added a function sw_ecdsa_verify that uses mbedtls
> - added a driver sw_ecdsa that calls sw_ecdsa_verify
>
> I have tested this code with sandbox, and I have
> followed those steps:
>
> 0) build u-boot using sandbox_defconfig and adding those options:
> CONFIG_ECDSA_SW=y
> CONFIG_ECDSA_MBEDTLS=y
> CONFIG_ECDSA=y
> CONFIG_ECDSA_VERIFY=y
>
> 1) add a signature node to an its file
> signature-256 {
> algo = "sha256,ecdsa256";
> key-name-hint = "private-key-256";
> };
>
> 2) generate an ecdsa key
> openssl ecparam -name prime256v1 -genkey -noout -out private-key-256.pem
>
> 3) create the itb file
> ./tools/mkimage -f <file.its> -k . -K arch/sandbox/dts/test.dtb <file.itb>
>
> 4) launch sandbox u-boot
>
> ./u-boot -d arch/sandbox/dts/test.dtb
>
> 5) on sandbox u-boot prompt, load the itb and launch bootm on it
>
> => host load hostfs - 1000000 uboot-ecdsa.itb
> 4628674 bytes read in 1 ms (4.3 GiB/s)
> => bootm 1000000
> ...
> ...
> Verifying Hash Integrity ... sha256,ecdsa256:private-key-256+ OK
>
>
> I have tested with success ecdsa256 and ecdsa384,
> but there is an issue with secp521r1.
>
>
> Philippe Reynes (4):
> mbedtls: enable support of ecc
> ecdsa: initial support of ecdsa using mbedtls
> test: lib: sw_ecdsa: add initial test
> drivers: crypto: add software ecdsa support
>
> drivers/crypto/Kconfig | 2 +
> drivers/crypto/Makefile | 1 +
> drivers/crypto/ecdsa/Kconfig | 6 +
> drivers/crypto/ecdsa/Makefile | 6 +
> drivers/crypto/ecdsa/ecdsa-sw.c | 33 +++
> include/crypto/internal/sw_ecdsa.h | 14 +
> lib/mbedtls/Kconfig | 8 +
> lib/mbedtls/Makefile | 10 +
> lib/mbedtls/mbedtls_def_config.h | 18 ++
> lib/mbedtls/sw_ecdsa.c | 94 ++++++

Rename it without the "sw_". From the perspective of MbedTLS, HW
acceleration is controlled by `MBEDTLS_ECDSA_###_ALT`, so the
interface itself does not imply SW.

Regards,
Raymond

> test/lib/Makefile | 1 +
> test/lib/sw_ecdsa.c | 445 +++++++++++++++++++++++++++++
> 12 files changed, 638 insertions(+)
> create mode 100644 drivers/crypto/ecdsa/Kconfig
> create mode 100644 drivers/crypto/ecdsa/Makefile
> create mode 100644 drivers/crypto/ecdsa/ecdsa-sw.c
> create mode 100644 include/crypto/internal/sw_ecdsa.h
> create mode 100644 lib/mbedtls/sw_ecdsa.c
> create mode 100644 test/lib/sw_ecdsa.c
>
> --
> 2.43.0
>
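
The host-side key step quoted above, extended into an added shell example that is not part of the thread or the patch series: for each curve it generates a key with openssl, signs a constructed payload, and checks that the signature verifies and that a modified payload is rejected. Only "sha256,ecdsa256" and the curve names come from the thread; the sha384/sha512 pairings, the payload and the temporary file names are assumptions, and a pass here says only that the host openssl handles the curve, not that the U-Boot verifier does.

```shell
#!/bin/sh
# Added example, not code from the patch series.
# Host-side ECDSA round trip with openssl, one run per curve.

# check_curve <openssl-curve-name> <digest>
# Returns 0 only if the good signature verifies AND the tampered payload
# is rejected; 1 if either check gives the wrong answer; 2 on setup errors.
check_curve() {
    curve=$1
    digest=$2
    dir=$(mktemp -d) || return 2

    # Constructed payloads: the second differs from the first in one byte.
    printf 'constructed FIT payload\n' > "$dir/blob"
    printf 'constructed FIT payloaD\n' > "$dir/tampered"

    # Same key generation command as step 2 of the cover letter.
    openssl ecparam -name "$curve" -genkey -noout -out "$dir/key.pem" 2>/dev/null &&
    openssl pkey -in "$dir/key.pem" -pubout -out "$dir/pub.pem" 2>/dev/null &&
    openssl dgst "-$digest" -sign "$dir/key.pem" -out "$dir/sig" "$dir/blob" ||
        { rm -rf "$dir"; return 2; }

    rc=0
    # The untouched payload must verify.
    openssl dgst "-$digest" -verify "$dir/pub.pem" -signature "$dir/sig" \
        "$dir/blob" >/dev/null 2>&1 || rc=1
    # The modified payload must NOT verify.
    if openssl dgst "-$digest" -verify "$dir/pub.pem" -signature "$dir/sig" \
        "$dir/tampered" >/dev/null 2>&1; then
        rc=1
    fi

    rm -rf "$dir"
    return $rc
}

# Digest pairings for the 384 and 521 bit curves are assumptions.
for pair in prime256v1:sha256 secp384r1:sha384 secp521r1:sha512; do
    if check_curve "${pair%%:*}" "${pair##*:}"; then
        echo "${pair%%:*}/${pair##*:}: OK"
    else
        echo "${pair%%:*}/${pair##*:}: FAIL"
    fi
done
```
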