[PATCH v6 13/15] tools: preload_check_sign: add support of ecdsa

Mon May 25 17:44:24 CEST 2026

Hi Philippe,

On Mon, May 25, 2026 at 9:52 AM Philippe Reynes
<philippe.reynes at softathome.com> wrote:
>
> right now, the tool preload_check_sign may only
> checks an image with a pre-load header with rsa.
> We add the support of pre-load header with ecdsa.
>
> Reviewed-by: Simon Glass <sjg at chromium.org>
> Signed-off-by: Philippe Reynes <philippe.reynes at softathome.com>
> ---
> v3:
> - initial version
> v4:
> - free key to avoid mem leak
> - fix error management (set ret before goto out)
> v5:
> - add include ec.h, evp.h, err.h and image.h
> v6:
> - no change
>
>  tools/preload_check_sign.c | 30 ++++++++++++++++++++++++++++++
>  1 file changed, 30 insertions(+)
>

Looks good to me. Thanks!
Reviewed-by: Raymond Mao <raymondmaoca at gmail.com>

> diff --git a/tools/preload_check_sign.c b/tools/preload_check_sign.c
> index ebead459273..d94f0509e74 100644
> --- a/tools/preload_check_sign.c
> +++ b/tools/preload_check_sign.c
> @@ -8,9 +8,13 @@
>   * complete file. The tool preload_check_sign allows to verify and authenticate
>   * a file starting with a preload header.
>   */
> +
> +#define OPENSSL_API_COMPAT 0x10101000L
> +
>  #include <stdio.h>
>  #include <unistd.h>
>  #include <openssl/pem.h>
> +#include <openssl/ec.h>
>  #include <openssl/evp.h>
>  #include <openssl/err.h>
>  #include <image.h>
> @@ -144,6 +148,32 @@ int main(int argc, char **argv)
>         info.sig_info.key      = info.key;
>         info.sig_info.keylen   = info.key_len;
>
> +       /* For ecdsa key, we have to update some values */
> +       if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
> +               EC_KEY *ecdsa_key;
> +               const EC_GROUP *group;
> +
> +               ecdsa_key = EVP_PKEY_get1_EC_KEY(pkey);
> +               if (!ecdsa_key) {
> +                       fprintf(stderr, "Can not extract ECDSA key\n");
> +                       ret = EXIT_FAILURE;
> +                       goto out;
> +               }
> +
> +               group = EC_KEY_get0_group(ecdsa_key);
> +               if (!group) {
> +                       fprintf(stderr, "Can not extract ECDSA group\n");
> +                       EC_KEY_free(ecdsa_key);
> +                       ret = EXIT_FAILURE;
> +                       goto out;
> +               }
> +
> +               info.sig_info.keyfile  = keyfile;
> +               info.sig_size          = (EC_GROUP_order_bits(group) + 7) / 8 * 2;
> +
> +               EC_KEY_free(ecdsa_key);
> +       }
> +
>         /* Check the signature */
>         image_pre_load_sig_set_info(&info);
>         ret = image_pre_load_sig((ulong)buffer);
> --
> 2.43.0
>