Re: [RFC PATCH 0/4] add software ecdsa support

["Marko Mäkelä" <marko.makela@iki.fi>]

Hi Philippe, hi all,

Tested-by: Marko Mäkelä <marko.makela@iki.fi> # Raspberry Pi 4

I finally got this to work, with one small patch (see below) which I 
hope you will include in some form. First, here is the relevant part of 
the output of a successful run:

U-Boot> load mmc 0:1 $loadaddr fitImage.signed
9748489 bytes read in 437 ms (21.3 MiB/s)
U-Boot> bootm
## Loading kernel (any) from FIT Image at 01000000 ...
    Using 'conf-1' configuration
    Verifying Hash Integrity ... sha256,ecdsa256:dev+ OK
    Trying 'kernel' kernel subimage
    Verifying Hash Integrity ... sha256+ OK
## Loading fdt (any) from FIT Image at 01000000 ...
    Using 'conf-1' configuration
    Verifying Hash Integrity ... sha256,ecdsa256:dev+ OK
    Trying 'fdt' fdt subimage
    Verifying Hash Integrity ... sha256+ OK
    Loading fdt from 0x0193dba0 to 0x05600000
    Booting using the fdt blob at 0x5600000
Working FDT set to 5600000
    Uncompressing Kernel Image to 2000000
    Loading Device Tree to 000000001ffef000, end 000000001ffffbb8 ... OK
Working FDT set to 1ffef000

Starting kernel ...

[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd083]
[    0.000000] Linux version 6.12.68-v8 (root@bob-the-builder.example.org) (aarch64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44) #1 SMP PREEMPT @1770573000

After I flipped 1 bit of "ecdsa,y-point", the boot failed:

U-Boot> bootm
## Loading kernel (any) from FIT Image at 01000000 ...
    Using 'conf-1' configuration
    Verifying Hash Integrity ... sha256,ecdsa256:devsw_ecdsa_verify: public key is invalid (err = -19584)
-  error!
Verification failed for '<NULL>' hash node in 'conf-1' config node
Failed to verify required signature 'dev'
Bad Data Hash
ERROR -2: can't get kernel image!

Sat, Feb 14, 2026 at 09:38:30PM +0200, Marko Mäkelä wrote:
>However, this will not work on the Raspberry Pi 4, which defines 
>CONFIG_OF_BOARD. I came up with an idea of creating a device tree 
>overlay file instead:

I found a promising setting CONFIG_OF_OVERLAY_LIST, but apparently it 
has no effect on the u-boot.bin when CONFIG_OF_BOARD is enabled.

>Initially, I tested this with CONFIG_RSA, which I expect to work. The 
>bootm command would start up my fitImage, but unfortunately it would do 
>so even if I corrupt a bit of the public key.

After I added #define DEBUG to boot/image-fit-sig.c and 
lib/rsa/rsa-verify.c it became clear that the CONFIG_FIT_SIGNATURE 
becomes a no-op if no "signature" node can be found by u-boot.

The trick was to add the public key to the device tree that U-boot will 
be starting with, that is, the file bcm2711-rpi-4-b.dtb that will be 
preloaded by the VideoCore GPU.

Sure, this is an obviously insecure (trivial to circumvent by reverting 
to the stock *.dtb files), but I think it is good enough for using this 
piece of existing commodity hardware for development and test purposes.

>Another point is that my initial CONFIG_ECDSA_SW build was over 4 MiB 
>in size, while the sha256,rsa4096 experiment was only half a megabyte.  
>I did trim the build options for the CONFIG_ECDSA_SW experiment yet.

I managed to shrink the u-boot.bin to 645296 bytes, or 56320 bytes more 
than the CONFIG_RSA variant. However, I had to adjust some dependencies:

diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index a5331313a60..14f4d295d2a 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -57,6 +57,8 @@ mbedtls_lib_x509-$(CONFIG_$(PHASE_)RSA_PUBLIC_KEY_PARSER_MBEDTLS) += \
  	$(MBEDTLS_LIB_DIR)/rsa.o \
  	$(MBEDTLS_LIB_DIR)/rsa_alt_helpers.o
  mbedtls_lib_x509-$(CONFIG_$(PHASE_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
+	$(MBEDTLS_LIB_DIR)/bignum.o \
+	$(MBEDTLS_LIB_DIR)/bignum_core.o \
  	$(MBEDTLS_LIB_DIR)/pk.o \
  	$(MBEDTLS_LIB_DIR)/pk_wrap.o \
  	$(MBEDTLS_LIB_DIR)/pkparse.o

This may need some fixup, so that the bignum*.o will not be added twice 
if also CONFIG_RSA_PUBLIC_KEY_PARSER_MBEDTLS is enabled.

Below is my build script, with 4 lines FIT related overrides because it 
is normally disabled on this target:

make rpi_4_defconfig
scripts/config -d BOOTSTD \
-e FIT -e FIT_SIGNATURE -d FIT_CIPHER -d FIT_VERBOSE -d FIT_BEST_MATCH \
-d FIT_PRINT -d UPDATE_TFTP -d UPDATE_FIT -d EFI_LOADER \
--set-val FIT_EXTERNAL_OFFSET 0x0 \
--set-val FIT_SIGNATURE_MAX_SIZE 0x10000000 \
-e ASYMMETRIC_KEY_TYPE -e ASYMMETRIC_PUBLIC_KEY_SUBTYPE \
-d LEGACY_HASHING_AND_CRYPTO -e MBEDTLS_LIB -e MBEDTLS_LIB_CRYPTO \
-d X509_CERTIFICATE_PARSER -d X509_CERTIFICATE_PARSER_LEGACY \
-e ECDSA -e ECDSA_SW -e ECDSA_VERIFY \
-d MD5_MBEDTLS -d HKDF_MBEDTLS -e SHA256_SMALLER \
-d RSA_PUBLIC_KEY_PARSER -d RSA_PUBLIC_KEY_PARSER_MBEDTLS \
-d X509_CERTIFICATE_PARSER_MBEDTLS -e MSCODE_PARSER
make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu-

In my CONFIG_RSA test build, the 4 lines starting with -e ECDSA were 
replaced by the following:

-e RSA -e RSA_VERIFY_WITH_PKEY -d RSASSA_PSS -d MSCODE_PARSER

With best regards,

	Marko