From: Anshul Dalal <anshuld@ti.com>
To: "Marko Mäkelä" <marko.makela@iki.fi>, "Anshul Dalal" <anshuld@ti.com>
Cc: <u-boot@lists.denx.de>
Subject: Re: How to use ECDSA for signature verification?
Date: Tue, 3 Feb 2026 11:02:41 +0530 [thread overview]
Message-ID: <DG52XM98AICT.O5PR7FP4G4BA@ti.com> (raw)
In-Reply-To: <aRNcq79cr08IN5HE@kehys.lan>
On Tue Nov 11, 2025 at 9:26 PM IST, Marko Mäkelä wrote:
> Hello Anshul,
>
> Tue, Nov 11, 2025 at 09:52:51AM +0530, Anshul Dalal wrote:
>>Hello Marko,
>>
>>On Sat Nov 8, 2025 at 10:54 PM IST, Marko Mäkelä wrote:
>>> Hi all,
>>>
>>> I am new to u-boot, please bear with me. I got CONFIG_FIT_SIGNATURE=y to
>>> work with the RSA algorithm, but not with ECDSA.
>>>
>>> My two main questions are:
>>>
>>> Is CONFIG_ECDSA_VERIFY only implemented for the two targets:
>>> rom_api_ops in arch/arm/mach-stm32mp/ecdsa_romapi.c
>>> cptra_ecdsa_ops in drivers/crypto/aspeed/cptra_ecdsa.c.
>>>
>>
>>Yes, those two seem to be the only one's implementing UCLASS_ECDSA.
>>
>>> Is it feasible to support something more modern than RSA signatures on a
>>> reasonably high-end target, such as ARMv8? Are there any suggestions or
>>> git commits that you would suggest as a reference?
>>>
>>
>>Should be possible, you can look at the current implementaitons of RSA
>>and lib/ecdsa/ecdsa-libcrypto.c for reference.
FYI Phillippe Reynes has posted an RFC for the same[1], you can provide
feedback there if interested :)
[1]: https://lore.kernel.org/u-boot/20260202170307.217200-1-philippe.reynes@softathome.com/
>
> Thank you. I will look at that.
>
> [snip]
>
>>> Rebuilding with CONFIG_ECDSA_VERIFY=y changed the error message to
>>> the
>>> following:
>>>
>>> sha256,ecdsa256:dev- error!
>>> Verification failed for '<NULL>' hash node in 'conf-1' config node
>>> Failed to verify required signature 'dev'
>>>
>>
>>This is probably due to U-Boot failing to find a driver with
>>UCLASS_ECDSA, you can verify by adding a "#define DEBUG" to the top of
>>lib/ecdsa/ecdsa-verify.c and check if the following error shows up:
>>
>> ECDSA: Could not find ECDSA implementation: -19
>
> Thank you for the tip. So, the #define DEBUG would enable the debug()
> statements. This indeed confirms my hypothesis:
>
> ## Executing script at 90000000
> sha256,ecdsa256:devECDSA: Could not find ECDSA implementation: -19
> - error!
> Verification failed for '<NULL>' hash node in 'conf-1' config node
> Failed to verify required signature 'dev'
> Boot failed (err=1)
>
> I'm working on this on a hobby basis for now, and it may take some time
> before I will submit any patches for review.
>
> Best regards,
>
> Marko
prev parent reply other threads:[~2026-02-03 5:33 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-13 18:36 How to use ECDSA for signature verification? Marko Mäkelä
2025-11-08 17:24 ` Marko Mäkelä
2025-11-11 4:22 ` Anshul Dalal
2025-11-11 15:56 ` Marko Mäkelä
2026-02-03 5:32 ` Anshul Dalal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DG52XM98AICT.O5PR7FP4G4BA@ti.com \
--to=anshuld@ti.com \
--cc=marko.makela@iki.fi \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.