From: Anshul Dalal <anshuld@ti.com>
To: "Marko Mäkelä" <marko.makela@iki.fi>, "Anshul Dalal" <anshuld@ti.com>
Cc: <u-boot@lists.denx.de>
Subject: Re: How to use ECDSA for signature verification?
Date: Tue, 3 Feb 2026 11:02:41 +0530 [thread overview]
Message-ID: <DG52XM98AICT.O5PR7FP4G4BA@ti.com> (raw)
In-Reply-To: <aRNcq79cr08IN5HE@kehys.lan>
On Tue Nov 11, 2025 at 9:26 PM IST, Marko Mäkelä wrote:
> Hello Anshul,
>
> Tue, Nov 11, 2025 at 09:52:51AM +0530, Anshul Dalal wrote:
>>Hello Marko,
>>
>>On Sat Nov 8, 2025 at 10:54 PM IST, Marko Mäkelä wrote:
>>> Hi all,
>>>
>>> I am new to u-boot, please bear with me. I got CONFIG_FIT_SIGNATURE=y to
>>> work with the RSA algorithm, but not with ECDSA.
>>>
>>> My two main questions are:
>>>
>>> Is CONFIG_ECDSA_VERIFY only implemented for the two targets:
>>> rom_api_ops in arch/arm/mach-stm32mp/ecdsa_romapi.c
>>> cptra_ecdsa_ops in drivers/crypto/aspeed/cptra_ecdsa.c.
>>>
>>
>>Yes, those two seem to be the only one's implementing UCLASS_ECDSA.
>>
>>> Is it feasible to support something more modern than RSA signatures on a
>>> reasonably high-end target, such as ARMv8? Are there any suggestions or
>>> git commits that you would suggest as a reference?
>>>
>>
>>Should be possible, you can look at the current implementaitons of RSA
>>and lib/ecdsa/ecdsa-libcrypto.c for reference.
FYI Phillippe Reynes has posted an RFC for the same[1], you can provide
feedback there if interested :)
[1]: https://lore.kernel.org/u-boot/20260202170307.217200-1-philippe.reynes@softathome.com/
>
> Thank you. I will look at that.
>
> [snip]
>
>>> Rebuilding with CONFIG_ECDSA_VERIFY=y changed the error message to
>>> the
>>> following:
>>>
>>> sha256,ecdsa256:dev- error!
>>> Verification failed for '<NULL>' hash node in 'conf-1' config node
>>> Failed to verify required signature 'dev'
>>>
>>
>>This is probably due to U-Boot failing to find a driver with
>>UCLASS_ECDSA, you can verify by adding a "#define DEBUG" to the top of
>>lib/ecdsa/ecdsa-verify.c and check if the following error shows up:
>>
>> ECDSA: Could not find ECDSA implementation: -19
>
> Thank you for the tip. So, the #define DEBUG would enable the debug()
> statements. This indeed confirms my hypothesis:
>
> ## Executing script at 90000000
> sha256,ecdsa256:devECDSA: Could not find ECDSA implementation: -19
> - error!
> Verification failed for '<NULL>' hash node in 'conf-1' config node
> Failed to verify required signature 'dev'
> Boot failed (err=1)
>
> I'm working on this on a hobby basis for now, and it may take some time
> before I will submit any patches for review.
>
> Best regards,
>
> Marko
prev parent reply other threads:[~2026-02-03 5:33 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-13 18:36 How to use ECDSA for signature verification? Marko Mäkelä
2025-11-08 17:24 ` Marko Mäkelä
2025-11-11 4:22 ` Anshul Dalal
2025-11-11 15:56 ` Marko Mäkelä
2026-02-03 5:32 ` Anshul Dalal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DG52XM98AICT.O5PR7FP4G4BA@ti.com \
--to=anshuld@ti.com \
--cc=marko.makela@iki.fi \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox