From: "Marko Mäkelä" <marko.makela@iki.fi>
To: Philippe Reynes <philippe.reynes@softathome.com>
Cc: jonny.green@keytechinc.com, raymondmaoca@gmail.com, u-boot@lists.denx.de
Subject: Re: [RFC PATCH 0/4] add software ecdsa support
Date: Wed, 4 Feb 2026 21:02:28 +0200
Message-ID: <aYOXxN-DBm_6LrSE@kehys.lan>
In-Reply-To: <20260202170307.217200-1-philippe.reynes@softathome.com>

Mon, Feb 02, 2026 at 06:03:03PM +0100, Philippe Reynes wrote:
>This series adds the support of ecdsa with software
>using mbedtls. So boards without ecdsa hardware may
>also use signature with ecdsa.
>
>To add the support of ecdsa with mbedtls, I have:
>- enabled ecdsa in mbedtls
>- added a function sw_ecdsa_verify that uses mbedtls
>- added a driver sw_ecdsa that calls sw_ecdsa_verify
>
>I have tested this code with sandbox, and I have
>followed those steps:
>
>0) build u-boot using sandbox_defconfig and adding those options:
>CONFIG_ECDSA_SW=y
>CONFIG_ECDSA_MBEDTLS=y
>CONFIG_ECDSA=y
>CONFIG_ECDSA_VERIFY=y

I did "git am" on top of the master branch as of the current
eb1562cc3e4c5130c76db1c1ea57156322362a7c and tried to build it as
follows:

    make rpi_4_defconfig
    scripts/config -e FIT_SIGNATURE -e ECDSA -e SHA256 -e ECDSA_VERIFY \
        -d BOOTSTD \
        -e MBEDTLS_LIB -e MBEDTLS_LIB_CRYPTO -e ECDSA_MBEDTLS -e ECDSA_SW \
        -e SHA256_MBEDTLS -e SHA256_SMALLER -e MBEDTLS_LIB_X509 -d HKDF_MBEDTLS \
        -e ASN1_DECODER -e ASN1_DECODER_MBEDTLS \
        -d LEGACY_HASHING_AND_CRYPTO &&
    make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu-

No matter which variations of this I try (starting with -e
HDKF_MBEDTLS), the build would fail with an #error in
lib/mbedtls/external/mbedtls/include/mbedtls/check_config.h because
MBEDTLS_ECDSA_C is defined but neither MBEDTLS_ASN1_PARSE_C nor
MBEDTLS_ASN1_WRITE_C are defined.

By disabling that check I found out that the functions
ecdsa_signature_to_asn1() and mbedtls_ecdsa_read_signature_restartable()
really depend on these.

I diagnosed this by executing

    make V=1 CROSS_COMPILE=aarch64-linux-gnu-

Then, I edited the compiler command line by replacing "-o *.o -c" with
"-E -dD", and redirected the standard output into a file. In that file I
found that lib/mbedtls/mbedtls_def_config.h is defining MBEDTLS_ECDSA_C
and would also define the ASN1 symbols if CONFIG_ASN1_DECODER were
enabled:

    #if CONFIG_IS_ENABLED(ASN1_DECODER)
    #define MBEDTLS_OID_C
    #define MBEDTLS_ASN1_PARSE_C
    #define MBEDTLS_ASN1_WRITE_C
    #endif

Something is wiping that out from my .config, also when I execute "make
syncconfig" after the scripts/config. When I search for ASN1_DECODER in
"make menuconfig", it mentions a large number of other configuration
options.

Can someone help me to enable CONFIG_ASN1_DECODER in this configuration?

With best regards,

Marko
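
Added example (not part of the message above and not U-Boot or mbedtls code): the manual search through the "-E -dD" output described in the message can be scripted. The dump is constructed, the function names are hypothetical, and treating both ASN1 symbols as required by MBEDTLS_ECDSA_C is an assumption based on the check_config.h error the message reports.

```shell
#!/bin/sh
# Inspect a `-E -dD` preprocessor dump for mbedtls feature macros.

# Constructed sample of a -dD dump (not taken from a real build).
SAMPLE_DUMP='# 1 "lib/mbedtls/mbedtls_def_config.h"
#define MBEDTLS_SHA256_C
#define MBEDTLS_ECP_C
#define MBEDTLS_ECDSA_C
#define MBEDTLS_OID_C
#undef MBEDTLS_OID_C
int unrelated_declaration(void);'

# macro_state NAME < dump
# Prints "defined" or "undefined" for NAME. The last #define/#undef wins,
# because -dD keeps both directives in source order.
macro_state() {
    awk -v name="$1" '
        { sub(/^[ \t]*#[ \t]*/, "#") }          # normalise "#  define"
        $1 == "#define" { sub(/\(.*/, "", $2)   # drop macro parameters
                          if ($2 == name) state = "defined" }
        $1 == "#undef" && $2 == name { state = "undefined" }
        END { print (state == "" ? "undefined" : state) }
    '
}

# check_ecdsa_asn1 < dump
# Returns 0 when consistent, 1 when MBEDTLS_ECDSA_C is defined while an
# ASN1 symbol is missing; the missing names are printed on stdout.
check_ecdsa_asn1() {
    dump=$(cat)
    if [ "$(printf '%s\n' "$dump" | macro_state MBEDTLS_ECDSA_C)" != defined ]; then
        return 0
    fi
    missing=""
    for sym in MBEDTLS_ASN1_PARSE_C MBEDTLS_ASN1_WRITE_C; do
        if [ "$(printf '%s\n' "$dump" | macro_state "$sym")" != defined ]; then
            missing="$missing $sym"
        fi
    done
    if [ -z "$missing" ]; then
        return 0
    fi
    echo "MBEDTLS_ECDSA_C set, missing:$missing"
    return 1
}

# Run against the constructed sample; a real dump would be piped in instead.
printf '%s\n' "$SAMPLE_DUMP" | check_ecdsa_asn1 || true
```
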

Thread overview: 16+ messages
2026-02-02 17:03 [RFC PATCH 0/4] add software ecdsa support Philippe Reynes
2026-02-02 17:03 ` [RFC PATCH 1/4] mbedtls: enable support of ecc Philippe Reynes
2026-02-02 19:03 ` Raymond Mao
2026-02-02 17:03 ` [RFC PATCH 2/4] ecdsa: initial support of ecdsa using mbedtls Philippe Reynes
2026-02-02 17:03 ` [RFC PATCH 3/4] test: lib: sw_ecdsa: add initial test Philippe Reynes
2026-02-02 17:03 ` [RFC PATCH 4/4] drivers: crypto: add software ecdsa support Philippe Reynes
2026-02-02 19:09 ` [RFC PATCH 0/4] " Raymond Mao
2026-02-02 19:44 ` Tom Rini
2026-02-04 19:02 ` Marko Mäkelä [this message]
2026-02-04 19:28 ` Raymond Mao
2026-02-05 18:16 ` Marko Mäkelä
2026-02-05 18:47 ` Raymond Mao
2026-02-08 18:37 ` Marko Mäkelä
2026-02-09 16:04 ` Marko Mäkelä
2026-02-14 19:38 ` Marko Mäkelä
2026-02-15 18:31 ` Marko Mäkelä