Re: How to use ECDSA for signature verification?

["Marko Mäkelä" <marko.makela@iki.fi>]

Hello Anshul,

Tue, Nov 11, 2025 at 09:52:51AM +0530, Anshul Dalal wrote:
>Hello Marko,
>
>On Sat Nov 8, 2025 at 10:54 PM IST, Marko Mäkelä wrote:
>> Hi all,
>>
>> I am new to u-boot, please bear with me. I got CONFIG_FIT_SIGNATURE=y to
>> work with the RSA algorithm, but not with ECDSA.
>>
>> My two main questions are:
>>
>> Is CONFIG_ECDSA_VERIFY only implemented for the two targets:
>> rom_api_ops in arch/arm/mach-stm32mp/ecdsa_romapi.c
>> cptra_ecdsa_ops in drivers/crypto/aspeed/cptra_ecdsa.c.
>>
>
>Yes, those two seem to be the only one's implementing UCLASS_ECDSA.
>
>> Is it feasible to support something more modern than RSA signatures on a
>> reasonably high-end target, such as ARMv8? Are there any suggestions or
>> git commits that you would suggest as a reference?
>>
>
>Should be possible, you can look at the current implementaitons of RSA
>and lib/ecdsa/ecdsa-libcrypto.c for reference.

Thank you. I will look at that.

[snip]

>> Rebuilding with CONFIG_ECDSA_VERIFY=y changed the error message to 
>> the
>> following:
>>
>> sha256,ecdsa256:dev-  error!
>> Verification failed for '<NULL>' hash node in 'conf-1' config node
>> Failed to verify required signature 'dev'
>>
>
>This is probably due to U-Boot failing to find a driver with
>UCLASS_ECDSA, you can verify by adding a "#define DEBUG" to the top of
>lib/ecdsa/ecdsa-verify.c and check if the following error shows up:
>
>	ECDSA: Could not find ECDSA implementation: -19

Thank you for the tip. So, the #define DEBUG would enable the debug() 
statements. This indeed confirms my hypothesis:

## Executing script at 90000000
sha256,ecdsa256:devECDSA: Could not find ECDSA implementation: -19
-  error!
Verification failed for '<NULL>' hash node in 'conf-1' config node
Failed to verify required signature 'dev'
Boot failed (err=1)

I'm working on this on a hobby basis for now, and it may take some time 
before I will submit any patches for review.

Best regards,

	Marko