public inbox for u-boot@lists.denx.de
From: "Marko Mäkelä" <marko.makela@iki.fi>
To: Philippe Reynes <philippe.reynes@softathome.com>
Cc: jonny.green@keytechinc.com, raymondmaoca@gmail.com, u-boot@lists.denx.de
Subject: Re: [RFC PATCH 0/4] add software ecdsa support
Date: Sat, 14 Feb 2026 21:38:30 +0200
Message-ID: <aZDPNtx6-4YwPhli@kehys.lan>
In-Reply-To: <aYoFqWew28crCb1i@kehys.lan>

Mon, Feb 09, 2026 at 06:04:57PM +0200, Marko Mäkelä wrote:
>For me, mkimage version 2025.01 (as shipped in Debian Sid) would crash 
>if I ask it to write the public key to u-boot.dtb using the parameter 
>"-K u-boot.dtb". The following statement in do_add() would hit SIGSEGV:
>
>        ret = fdt_setprop_string(fdt, key_node, FIT_KEY_REQUIRED,
>                                 info->require_keys);
>
>The function do_add() is invoked by ecdsa_add_verify_data(). For my 
>kernel build, I did not yet try a mkimage that is built from the 
>latest u-boot. Should that make a difference?

Apparently, something has been fixed since the 2025.01 release. The 
following would work for me with a current u-boot build:

echo "/dts-v1/; / { description = \"\"; images {}; };" > public-key.its
mkimage -f public-key.its public-key.dtb
mkimage -f fitImage.its -k . -K public-key.dtb fitImage

With the mkimage 2025.01 that is included in the Debian Sid 
u-boot-tools, I am able to build an unsigned Linux fitImage:
mkimage -f fitImage.its fitImage

Then I can invoke a freshly compiled mkimage to sign it and include the 
corresponding public ECDSA key in a u-boot image:
mkimage -r -k . -K u-boot.dtb -F fitImage
cat u-boot-nodtb.bin u-boot.dtb > u-boot.bin

However, this will not work on the Raspberry Pi 4, which defines 
CONFIG_OF_BOARD. I came up with an idea of creating a device tree 
overlay file instead:

tools/mkimage -r -k . -K pubkey.dtb -F fitImage
cat > signature.dtso << EOF
/dts-v1/;
/plugin/;

/ {
	fragment@0 {
		/* path-based target; "target" would have to be a phandle */
		target-path = "/";

		__overlay__ {
EOF
# copy the /signature node out of the key blob; -A12 assumes the node
# is 13 lines long in dtc's output, so check signature.dtso afterwards
dtc pubkey.dtb|grep -A12 signature >> signature.dtso
cat >> signature.dtso << EOF
		};
	};
};
EOF
dtc -o signature.dtbo signature.dtso
cat u-boot-nodtb.bin signature.dtbo > kernel8.img

Initially, I tested this with CONFIG_RSA, which I expect to work. The 
bootm command would start up my fitImage, but unfortunately it would do 
so even if I corrupt a bit of the public key. This would lead me to 
believe that the overlay was not loaded and the signature was not 
validated. I only saw messages about hash validation. I'm afraid I need 
a target environment where u-boot is the primary bootloader, or I must 
override the CONFIG_OF_BOARD and see if the u-boot.dtb approach would 
work.

Another point is that my initial CONFIG_ECDSA_SW build was over 4 MiB in 
size, while the sha256,rsa4096 experiment was only half a megabyte. I 
did not yet trim the build options for the CONFIG_ECDSA_SW experiment.

	Marko
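A generator for the overlay step above, added here as an example and not code from the post or from U-Boot: it extracts the whole /signature node from the dts text that dtc prints for the key blob by matching braces instead of a fixed grep -A12, wraps it in an overlay that uses target-path, and lists which key-* sub-nodes carry a "required" property. The sample dts embedded in it is constructed, and the script name make_overlay.py is hypothetical.

```python
import re
import sys
import textwrap

SAMPLE_DTS = """/dts-v1/;
/ {
\tsignature {
\t\tkey-dev {
\t\t\trequired = "conf";
\t\t\talgo = "sha256,rsa4096";
\t\t\tkey-name-hint = "dev";
\t\t};
\t};
};
"""  # constructed stand-in for what `dtc pubkey.dtb` prints after mkimage -K
OVERLAY_HEAD = ('/dts-v1/;\n/plugin/;\n\n/ {\n\tfragment@0 {\n'
                '\t\ttarget-path = "/";\n\t\t__overlay__ {\n')
OVERLAY_TAIL = "\t\t};\n\t};\n};\n"

def extract_node(dts, name):
    """Text of the first `name { ... };` node, sub-nodes included, by brace count."""
    m = re.search(r"^[ \t]*%s[ \t]*\{" % re.escape(name), dts, re.M)
    if not m:
        raise ValueError("no node named %r" % name)
    depth = 0
    for pos in range(m.end() - 1, len(dts)):
        if dts[pos] == "{":
            depth += 1
        elif dts[pos] == "}":
            depth -= 1
            if depth == 0:                     # matching close brace
                end = dts.index(";", pos) + 1  # keep the trailing ';'
                return dts[m.start():end].strip("\n")
    raise ValueError("unbalanced braces in input")

def required_keys(dts):
    """key-* sub-nodes of /signature that carry `required`; U-Boot only
    insists on a valid signature when at least one key is required."""
    node = extract_node(dts, "signature")
    return [m.group(1) for m in re.finditer(r"(key-[\w-]+)\s*\{([^}]*)\}", node)
            if re.search(r'\brequired\s*=\s*"(conf|image)"', m.group(2))]

def make_overlay(dts):
    """Wrap the /signature node in an overlay applied to the root node."""
    node = textwrap.dedent(extract_node(dts, "signature"))
    return OVERLAY_HEAD + textwrap.indent(node, "\t\t\t") + "\n" + OVERLAY_TAIL

if __name__ == "__main__":  # usage: dtc pubkey.dtb | python3 make_overlay.py
    sys.stdout.write(make_overlay(sys.stdin.read()))
```

The output still goes through dtc -o signature.dtbo as above; whether U-Boot applies an appended overlay at all on a CONFIG_OF_BOARD board is the open question of the post, which a well-formed overlay does not settle.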
