From: "Marko Mäkelä" <marko.makela@iki.fi>
To: Philippe Reynes <philippe.reynes@softathome.com>
Cc: jonny.green@keytechinc.com, raymondmaoca@gmail.com, u-boot@lists.denx.de
Subject: Re: [RFC PATCH 0/4] add software ecdsa support
Date: Sat, 14 Feb 2026 21:38:30 +0200 [thread overview]
Message-ID: <aZDPNtx6-4YwPhli@kehys.lan> (raw)
In-Reply-To: <aYoFqWew28crCb1i@kehys.lan>
On Mon, Feb 09, 2026 at 06:04:57PM +0200, Marko Mäkelä wrote:
> For me, mkimage version 2025.01 (as shipped in Debian Sid) would crash
> if I ask it to write the public key to u-boot.dtb using the parameter
> "-K u-boot.dtb". The following statement in do_add() would hit SIGSEGV:
>
>     ret = fdt_setprop_string(fdt, key_node, FIT_KEY_REQUIRED,
>                              info->require_keys);
>
> The function do_add() is invoked by ecdsa_add_verify_data(). For my
> kernel build, I did not yet try a mkimage that is built from the
> latest u-boot. Should that make a difference?

Apparently, something has been fixed since the 2025.01 release. The
following would work for me with a current u-boot build:

echo "/dts-v1/; / { description = \"\"; images {}; };" > public-key.its
mkimage -f public-key.its public-key.dtb
mkimage -f fitImage.its -k . -K public-key.dtb fitImage

With the mkimage 2025.01 that is included in the Debian Sid
u-boot-tools, I am able to build an unsigned Linux fitImage:

mkimage -f fitImage.its fitImage

Then I can invoke a freshly compiled mkimage to sign it and include the
corresponding public ECDSA key in a u-boot image:

mkimage -r -k . -K u-boot.dtb -F fitImage
cat u-boot-nodtb.bin u-boot.dtb > u-boot.bin

However, this will not work on the Raspberry Pi 4, which defines
CONFIG_OF_BOARD. I came up with an idea of creating a device tree
overlay file instead:

tools/mkimage -r -k . -K pubkey.dtb -F fitImage
cat > signature.dtso << EOF
/dts-v1/;
/plugin/;
/ {
    fragment@0 {
        target = "/";
        __overlay__ {
EOF
dtc pubkey.dtb | grep -A12 signature >> signature.dtso
cat >> signature.dtso << EOF
        };
    };
};
EOF
dtc -o signature.dtbo signature.dtso
cat u-boot-nodtb.bin signature.dtbo > kernel8.img

Initially, I tested this with CONFIG_RSA, which I expect to work. The
bootm command would start up my fitImage, but unfortunately it would do
so even if I corrupt a bit of the public key. This would lead me to
believe that the overlay was not loaded and the signature was not
validated. I only saw messages about hash validation. I'm afraid I need
a target environment where u-boot is the primary bootloader, or I must
override the CONFIG_OF_BOARD and see if the u-boot.dtb approach would
work.
Another point is that my initial CONFIG_ECDSA_SW build was over 4 MiB in
size, while the sha256,rsa4096 experiment was only half a megabyte. I
did not trim the build options for the CONFIG_ECDSA_SW experiment yet.
Marko
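An added check, not part of this mail or of U-Boot: a small Python walker for flattened device trees that reports, for a u-boot.dtb or the signature.dtbo built above, every signature key node with its algo and required properties, and whether each overlay fragment names its target in the form libfdt's fdt_overlay_apply() resolves (a 4-byte phandle in target, or a path string in target-path). The sample blob is constructed inside the script with a dummy key and mirrors the shape of signature.dtso; point the functions at the real .dtbo to check it.

```python
import struct

FDT_MAGIC, BEGIN_NODE, END_NODE, PROP, NOP, END = 0xD00DFEED, 1, 2, 3, 4, 9  # devicetree-spec tokens
pad = lambda b: b + b"\0" * (-len(b) % 4)  # node names and property values are padded to 4 bytes
def build_fdt(tree):  # {name: {prop: bytes | subtree}} -> DTB; used only to construct the sample input
    strings, blk = bytearray(), bytearray()
    def node(name, body):
        blk.extend(struct.pack(">I", BEGIN_NODE) + pad(name.encode() + b"\0"))
        for k, v in body.items():
            if isinstance(v, dict):
                node(k, v)
            else:
                blk.extend(struct.pack(">III", PROP, len(v), len(strings)) + pad(v))
                strings.extend(k.encode() + b"\0")
        blk.extend(struct.pack(">I", END_NODE))
    node("", tree)
    blk.extend(struct.pack(">I", END))
    hdr = struct.pack(">10I", FDT_MAGIC, 56 + len(blk) + len(strings), 56, 56 + len(blk), 40, 17, 16, 0, len(strings), len(blk))
    return hdr + b"\0" * 16 + bytes(blk) + bytes(strings)  # header, empty mem-reserve block, struct, strings
def fdt_props(blob):  # walk the struct block and return {node_path: {prop_name: raw_bytes}}
    magic, total, off_struct, off_strings = struct.unpack_from(">IIII", blob, 0)
    if magic != FDT_MAGIC or total > len(blob):
        raise ValueError("not a flattened device tree")
    nodes, stack, pos = {}, [], off_struct
    while True:  # FDT_NOP tokens need no action and fall through
        tok, pos = struct.unpack_from(">I", blob, pos)[0], pos + 4
        if tok == BEGIN_NODE:  # NUL-terminated name, 4-byte padded
            end = blob.index(b"\0", pos)
            stack.append(stack[-1].rstrip("/") + "/" + blob[pos:end].decode() if stack else "/")
            nodes[stack[-1]], pos = {}, end + 1 + (-(end + 1) % 4)
        elif tok == PROP:  # u32 len, u32 offset into strings block, 4-byte padded value
            length, nameoff = struct.unpack_from(">II", blob, pos)
            name = blob[off_strings + nameoff:blob.index(b"\0", off_strings + nameoff)].decode()
            nodes[stack[-1]][name] = bytes(blob[pos + 8:pos + 8 + length])
            pos += 8 + length + (-length % 4)
        elif tok == END_NODE:
            stack.pop()
        elif tok == END:
            return nodes
def audit_overlay(blob):  # fragment target form plus every signature key node's (algo, required)
    frags, keys = {}, {}
    for path, props in fdt_props(blob).items():
        parts = path.strip("/").split("/")
        if len(parts) == 1 and parts[0].startswith("fragment@"):  # libfdt: 4-byte phandle in 'target' or a 'target-path' string
            frags[path] = "phandle" if len(props.get("target", b"")) == 4 else "path" if "target-path" in props else "INVALID"
        elif len(parts) >= 2 and parts[-2] == "signature":  # /signature/<key> or .../__overlay__/signature/<key>
            keys[path] = tuple(props.get(n, b"").rstrip(b"\0").decode() for n in ("algo", "required"))
    return {"fragments": frags, "keys": keys}
SAMPLE = build_fdt({"fragment@0": {"target": b"/\0", "__overlay__": {"signature": {"key-dev": {  # constructed, dummy key
    "required": b"conf\0", "algo": b"sha256,ecdsa256\0", "ecdsa,x-point": b"\x01" * 32, "ecdsa,y-point": b"\x02" * 32}}}}})
```

Replace SAMPLE with open("signature.dtbo", "rb").read() to audit the real overlay; a fragment reported as INVALID will not be applied by libfdt, which matches the symptom of hash-only validation.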