[RFC PATCH 0/4] add software ecdsa support

Marko Mäkelä marko.makela at iki.fi
Wed Feb 4 20:02:28 CET 2026


Mon, Feb 02, 2026 at 06:03:03PM +0100, Philippe Reynes wrote:
>This series adds the support of ecdsa with software
>using mbedtls. So boards without ecdsa hardware may
>also use signature with ecdsa.
>
>To add the support of ecdsa with mbedtls, I have:
>- enabled ecdsa in mbedtls
>- added a function sw_ecdsa_verify that uses mbedtls
>- added a driver sw_ecdsa that calls sw_ecdsa_verify
>
>I have tested this code with sandbox, and I have
>followed those steps:
>
>0) build u-boot using sandbox_defconfig and adding those options:
>CONFIG_ECDSA_SW=y
>CONFIG_ECDSA_MBEDTLS=y
>CONFIG_ECDSA=y
>CONFIG_ECDSA_VERIFY=y

I did "git am" on top of the master branch as of the current 
eb1562cc3e4c5130c76db1c1ea57156322362a7c and tried to build it as 
follows:

make rpi_4_defconfig
scripts/config -e FIT_SIGNATURE -e ECDSA -e SHA256 -e ECDSA_VERIFY \
-d BOOTSTD \
-e MBEDTLS_LIB -e MBEDTLS_LIB_CRYPTO -e ECDSA_MBEDTLS -e ECDSA_SW \
-e SHA256_MBEDTLS -e SHA256_SMALLER -e MBEDTLS_LIB_X509 -d HKDF_MBEDTLS \
-e ASN1_DECODER -e ASN1_DECODER_MBEDTLS \
-d LEGACY_HASHING_AND_CRYPTO &&
make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu-

No matter which variations of this I try (starting with -e 
HKDF_MBEDTLS), the build would fail with an #error in
lib/mbedtls/external/mbedtls/include/mbedtls/check_config.h because 
MBEDTLS_ECDSA_C is defined but neither MBEDTLS_ASN1_PARSE_C nor 
MBEDTLS_ASN1_WRITE_C are defined.

By disabling that check I found out that the functions 
ecdsa_signature_to_asn1() and mbedtls_ecdsa_read_signature_restartable() 
really depend on these.

I diagnosed this by executing
make V=1 CROSS_COMPILE=aarch64-linux-gnu-

Then, I edited the compiler command line by replacing "-o *.o -c" with 
"-E -dD", and redirected the standard output into a file. In that file I 
found that lib/mbedtls/mbedtls_def_config.h is defining MBEDTLS_ECDSA_C 
and would also define the ASN1 symbols if CONFIG_ASN1_DECODER were 
enabled:

#if CONFIG_IS_ENABLED(ASN1_DECODER)
#define MBEDTLS_OID_C
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
#endif

Something is wiping that out from my .config, also when I execute "make 
syncconfig" after the scripts/config. When I search for ASN1_DECODER in 
"make menuconfig", it mentions a large number of other configuration 
options.

Can someone help me to enable CONFIG_ASN1_DECODER in this configuration?

With best regards,

	Marko
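The check_config.h dependency described above (MBEDTLS_ECDSA_C requires both MBEDTLS_ASN1_PARSE_C and MBEDTLS_ASN1_WRITE_C), applied to the "-E -dD" output the e-mail describes, as an added example that is not part of the e-mail or of U-Boot; the sample "#define" files are constructed inline and the helper names are assumptions.

```shell
# Added example (not from the e-mail): check a preprocessed translation unit
# (produced with "-E -dD" in place of "-o *.o -c", as described above) for the
# dependency that mbedtls check_config.h enforces: MBEDTLS_ECDSA_C needs both
# MBEDTLS_ASN1_PARSE_C and MBEDTLS_ASN1_WRITE_C.
# Assumes the "-dD" output keeps its "#define NAME" lines, which gcc does.

# Return 0 when macro $2 is defined in preprocessed file $1, 1 otherwise.
macro_defined() {
    grep -Eq "^#define[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# Return 0 when the ECDSA/ASN.1 configuration is consistent, 1 when
# MBEDTLS_ECDSA_C is on without the ASN.1 modules it depends on.
check_mbedtls_asn1_deps() {
    file=$1
    if ! macro_defined "$file" MBEDTLS_ECDSA_C; then
        echo "MBEDTLS_ECDSA_C not defined; nothing to check"
        return 0
    fi
    missing=""
    for m in MBEDTLS_ASN1_PARSE_C MBEDTLS_ASN1_WRITE_C; do
        macro_defined "$file" "$m" || missing="$missing $m"
    done
    if [ -n "$missing" ]; then
        echo "MBEDTLS_ECDSA_C defined but missing:$missing"
        return 1
    fi
    echo "ECDSA/ASN.1 mbedtls configuration is consistent"
    return 0
}

# Constructed sample "-dD" output: the failing state from the e-mail
# (ECDSA on, ASN.1 modules absent) and the state with ASN1_DECODER enabled.
BROKEN_DD=$(mktemp)
cat > "$BROKEN_DD" <<'EOF'
#define MBEDTLS_ECDSA_C
#define MBEDTLS_SHA256_C
EOF
FIXED_DD=$(mktemp)
cat > "$FIXED_DD" <<'EOF'
#define MBEDTLS_ECDSA_C
#define MBEDTLS_OID_C
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
EOF

check_mbedtls_asn1_deps "$BROKEN_DD" || echo "(expected failure on the broken config)"
check_mbedtls_asn1_deps "$FIXED_DD"
```

Run it against the real file by replacing the constructed heredocs with the path you redirected the "-E -dD" output into.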

