lib: ecdsa: Verifying signature on target
Jonny Green
jonny.green at keytechinc.com
Thu Jan 29 23:18:03 CET 2026
Hello,
I am implementing FIT booting with an ECDSA signature. I am building from a TI fork of U-Boot that is based off of v2025.01 from the mainline repo.
I am currently able to generate the signed fit image, and run tools/fit_check_sign and confirm the "sha256,ecdsa256:<key name>+" output indicates successful verification of the signature on the build machine (note: I had to cherry-pick commit 8d3a9ab3 in order to get fit_check_sign to work properly for verifying ECDSA, since this fix is not present on my current branch).
However, attempts to boot on the target with the signed u-boot.img and generated .itb are failing. Debug printouts show that the call to ecdsa_verify in ecdsa-verify.c is failing after calling uclass_first_device_err: "ECDSA: Could not find ECDSA implementation: -19".
The uclass driver declaration at the bottom of ecdsa-verify notes "We don't implement any wrappers around ecdsa_ops->verify() because it's trivial to call ops->verify()." - not sure if that is applicable here.
Other debugging steps I've taken:
* Ensured public key is present in the booted image via inspection with fdt
* Ensured relevant config values are set: ECDSA, ECDSA_VERIFY, FIT_SIGNATURE
* Attempted to get trace information from the boot attempt, but it appears my board does not support the required clock
I'm not sure where to check next in debugging the implementation. From the commit details in ecdsa-verify.c ("lib: ecdsa: Implement UCLASS_ECDSA verification on target"), it seems that it is intended to be able to perform verification during booting on the target. Is there anyone who is familiar with this functionality that can help out?
Apologies if I've made any formatting mistakes, this is my first time using the mailing list.
Thanks,
Jonny Green
More information about the U-Boot
mailing list