[RFC PATCH v2 0/9] add software ecdsa support
Philippe Reynes
philippe.reynes at softathome.com
Thu Feb 19 14:25:43 CET 2026
This series adds the support of ecdsa with software
using mbedtls. So boards without ecdsa hardware may
also use signature with ecdsa.

To add the support of ecdsa with mbedtls, I have:
- enabled ecdsa in mbedtls
- added a function sw_ecdsa_verify that uses mbedtls
- added a driver sw_ecdsa that calls sw_ecdsa_verify

I have tested this code with sandbox, and I have
followed these steps:

0) build u-boot using sandbox_defconfig and adding these options:

    CONFIG_ECDSA_SW=y
    CONFIG_ECDSA_MBEDTLS=y
    CONFIG_ECDSA=y
    CONFIG_ECDSA_VERIFY=y

1) add a signature node to an its file

    signature-256 {
        algo = "sha256,ecdsa256";
        key-name-hint = "private-key-256";
    };

2) generate an ecdsa key

    openssl ecparam -name prime256v1 -genkey -noout -out private-key-256.pem

3) create the itb file

    ./tools/mkimage -f <file.its> -k . -K arch/sandbox/dts/test.dtb <file.itb>

4) launch sandbox u-boot

    ./u-boot -d arch/sandbox/dts/test.dtb

5) on sandbox u-boot prompt, load the itb and launch bootm on it

    => host load hostfs - 1000000 uboot-ecdsa.itb
    4628674 bytes read in 1 ms (4.3 GiB/s)
    => bootm 1000000
    ...
    ...
    Verifying Hash Integrity ... sha256,ecdsa256:private-key-256+ OK

I have successfully tested ecdsa256 and ecdsa384,
but there is an issue with secp521r1.

Changes in v2:
- move ECDSA_MBEDTLS to MBEDTLS_LIB_X509
- rename lib/mbedtls/sw_ecdsa.c to lib/mbedtls/ecdsa.c
- enhance dependencies for ECDSA_MBEDTLS
- fix support of ecdsa521/secp521r1
- add vboot test using ecdsa
Philippe Reynes (9):
mbedtls: enable support of ecc
ecdsa: initial support of ecdsa using mbedtls
test: lib: sw_ecdsa: add initial test
drivers: crypto: add software ecdsa support
ecdsa: fix support of secp521r1
test: dm: ecdsa.c: clean this test as software ecdsa is now
implemented
configs: sandbox: enable the software ecdsa driver
test: py: vboot: prepare integration test for ecdsa
test: vboot: add test for ecdsa
configs/amd_versal2_virt_defconfig | 1 +
configs/qemu_arm64_lwip_defconfig | 1 +
configs/sandbox_defconfig | 1 +
configs/starfive_visionfive2_defconfig | 1 +
configs/xilinx_versal_net_virt_defconfig | 1 +
configs/xilinx_versal_virt_defconfig | 1 +
configs/xilinx_zynqmp_kria_defconfig | 1 +
configs/xilinx_zynqmp_virt_defconfig | 1 +
drivers/crypto/Kconfig | 2 +
drivers/crypto/Makefile | 1 +
drivers/crypto/ecdsa/Kconfig | 6 +
drivers/crypto/ecdsa/Makefile | 6 +
drivers/crypto/ecdsa/ecdsa-sw.c | 33 ++
include/crypto/internal/sw_ecdsa.h | 14 +
lib/ecdsa/ecdsa-libcrypto.c | 21 +-
lib/ecdsa/ecdsa-verify.c | 24 +-
lib/fdt-libcrypto.c | 2 +-
lib/mbedtls/Kconfig | 16 +
lib/mbedtls/Makefile | 19 +-
lib/mbedtls/ecdsa.c | 94 ++++
lib/mbedtls/mbedtls_def_config.h | 18 +
test/dm/ecdsa.c | 18 +-
test/lib/Makefile | 1 +
test/lib/sw_ecdsa.c | 465 ++++++++++++++++++
test/py/tests/test_fit_ecdsa.py | 2 +-
test/py/tests/test_vboot.py | 128 +++--
....its => sign-configs-sha1-rsa2048-pss.its} | 0
...sha1.its => sign-configs-sha1-rsa2048.its} | 0
.../vboot/sign-configs-sha256-ecdsa256.its | 45 ++
.../vboot/sign-configs-sha256-ecdsa384.its | 45 ++
.../vboot/sign-configs-sha256-ecdsa521.its | 45 ++
... sign-configs-sha256-rsa2048-pss-prod.its} | 0
...ts => sign-configs-sha256-rsa2048-pss.its} | 0
...56.its => sign-configs-sha256-rsa2048.its} | 0
...84.its => sign-configs-sha384-rsa3072.its} | 0
...s.its => sign-images-sha1-rsa2048-pss.its} | 0
...-sha1.its => sign-images-sha1-rsa2048.its} | 0
.../vboot/sign-images-sha256-ecdsa256.its | 42 ++
.../vboot/sign-images-sha256-ecdsa384.its | 42 ++
.../vboot/sign-images-sha256-ecdsa521.its | 42 ++
...its => sign-images-sha256-rsa2048-pss.its} | 0
...256.its => sign-images-sha256-rsa2048.its} | 0
...384.its => sign-images-sha384-rsa3072.its} | 0
tools/image-sig-host.c | 2 +-
44 files changed, 1062 insertions(+), 79 deletions(-)
create mode 100644 drivers/crypto/ecdsa/Kconfig
create mode 100644 drivers/crypto/ecdsa/Makefile
create mode 100644 drivers/crypto/ecdsa/ecdsa-sw.c
create mode 100644 include/crypto/internal/sw_ecdsa.h
create mode 100644 lib/mbedtls/ecdsa.c
create mode 100644 test/lib/sw_ecdsa.c
rename test/py/tests/vboot/{sign-configs-sha1-pss.its => sign-configs-sha1-rsa2048-pss.its} (100%)
rename test/py/tests/vboot/{sign-configs-sha1.its => sign-configs-sha1-rsa2048.its} (100%)
create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa256.its
create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa384.its
create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa521.its
rename test/py/tests/vboot/{sign-configs-sha256-pss-prod.its => sign-configs-sha256-rsa2048-pss-prod.its} (100%)
rename test/py/tests/vboot/{sign-configs-sha256-pss.its => sign-configs-sha256-rsa2048-pss.its} (100%)
rename test/py/tests/vboot/{sign-configs-sha256.its => sign-configs-sha256-rsa2048.its} (100%)
rename test/py/tests/vboot/{sign-configs-sha384.its => sign-configs-sha384-rsa3072.its} (100%)
rename test/py/tests/vboot/{sign-images-sha1-pss.its => sign-images-sha1-rsa2048-pss.its} (100%)
rename test/py/tests/vboot/{sign-images-sha1.its => sign-images-sha1-rsa2048.its} (100%)
create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa256.its
create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa384.its
create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa521.its
rename test/py/tests/vboot/{sign-images-sha256-pss.its => sign-images-sha256-rsa2048-pss.its} (100%)
rename test/py/tests/vboot/{sign-images-sha256.its => sign-images-sha256-rsa2048.its} (100%)
rename test/py/tests/vboot/{sign-images-sha384.its => sign-images-sha384-rsa3072.its} (100%)
--
2.43.0
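
Steps 1 and 2 of the test procedure above, extended to the three curves the series tests (an added example, not part of the original message or of the patch series): it generates one key per curve, confirms that each PEM file really holds the expected curve before it is handed to mkimage, and prints the matching signature node. The `secp384r1` curve name, the `sha256,ecdsa384` and `sha256,ecdsa521` algo strings, and all function names are assumptions that follow the naming pattern in the message.

```shell
#!/bin/sh
# Added example: prepare ECDSA test keys and FIT signature nodes for the
# three curve sizes named in the cover letter. Not code from the series.

# Map the ecdsa<bits> suffix to the OpenSSL curve name.
curve_for_bits() {
    case "$1" in
        256) echo prime256v1 ;;
        384) echo secp384r1 ;;
        521) echo secp521r1 ;;
        *)   echo "unsupported ecdsa size: $1" >&2; return 1 ;;
    esac
}

# Print the .its signature node for one size (sha256 digest, as in step 1).
signature_node() {
    curve_for_bits "$1" >/dev/null || return 1
    printf 'signature-%s {\n' "$1"
    printf '\talgo = "sha256,ecdsa%s";\n' "$1"
    printf '\tkey-name-hint = "private-key-%s";\n' "$1"
    printf '};\n'
}

# Generate <dir>/private-key-<bits>.pem, then check the curve stored in it,
# so a key/algo mismatch is caught before signing rather than at boot.
make_key() {
    bits=$1
    dir=$2
    curve=$(curve_for_bits "$bits") || return 1
    key="$dir/private-key-$bits.pem"
    openssl ecparam -name "$curve" -genkey -noout -out "$key" || return 1
    chmod 600 "$key"    # private signing key: owner access only
    openssl ec -in "$key" -noout -text 2>/dev/null |
        grep -q "ASN1 OID: $curve" || {
            echo "$key: not a $curve key" >&2; return 1; }
    echo "$key"
}

# Usage: sh prepare-ecdsa.sh run [keydir]
if [ "${1:-}" = "run" ]; then
    dir=${2:-.}
    for bits in 256 384 521; do
        make_key "$bits" "$dir" >/dev/null || exit 1
        signature_node "$bits"
    done
fi
```

The key directory is the one later passed to mkimage with `-k`, as in step 3.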