public inbox for u-boot@lists.denx.de
* [RFC PATCH 0/4] add software ecdsa support
@ 2026-02-02 17:03 Philippe Reynes
  2026-02-02 17:03 ` [RFC PATCH 1/4] mbedtls: enable support of ecc Philippe Reynes
                   ` (7 more replies)
  0 siblings, 8 replies; 16+ messages in thread
From: Philippe Reynes @ 2026-02-02 17:03 UTC (permalink / raw)
  To: marko.makela, jonny.green, raymondmaoca; +Cc: u-boot, Philippe Reynes

This series adds the support of ecdsa in software
using mbedtls. So boards without ecdsa hardware may
also use signatures with ecdsa.

To add the support of ecdsa with mbedtls, I have:
- enabled ecdsa in mbedtls
- added a function sw_ecdsa_verify that uses mbedtls
- added a driver sw_ecdsa that calls sw_ecdsa_verify

I have tested this code with sandbox, and I have
followed these steps:

0) build u-boot using sandbox_defconfig and adding those options:
CONFIG_ECDSA_SW=y
CONFIG_ECDSA_MBEDTLS=y
CONFIG_ECDSA=y
CONFIG_ECDSA_VERIFY=y

1) add a signature node to an its file
	signature-256 {
		algo = "sha256,ecdsa256";
		key-name-hint = "private-key-256";
	};

2) generate an ecdsa key
openssl ecparam -name prime256v1 -genkey -noout -out private-key-256.pem

3) create the itb file
./tools/mkimage -f <file.its> -k . -K arch/sandbox/dts/test.dtb <file.itb>

4) launch sandbox u-boot

./u-boot -d arch/sandbox/dts/test.dtb

5) on sandbox u-boot prompt, load the itb and launch bootm on it

=> host load hostfs - 1000000 uboot-ecdsa.itb
4628674 bytes read in 1 ms (4.3 GiB/s)
=> bootm 1000000
...
...
   Verifying Hash Integrity ... sha256,ecdsa256:private-key-256+ OK


I have successfully tested ecdsa256 and ecdsa384,
but there is an issue with secp521r1.


Philippe Reynes (4):
  mbedtls: enable support of ecc
  ecdsa: initial support of ecdsa using mbedtls
  test: lib: sw_ecdsa: add initial test
  drivers: crypto: add software ecdsa support

 drivers/crypto/Kconfig             |   2 +
 drivers/crypto/Makefile            |   1 +
 drivers/crypto/ecdsa/Kconfig       |   6 +
 drivers/crypto/ecdsa/Makefile      |   6 +
 drivers/crypto/ecdsa/ecdsa-sw.c    |  33 +++
 include/crypto/internal/sw_ecdsa.h |  14 +
 lib/mbedtls/Kconfig                |   8 +
 lib/mbedtls/Makefile               |  10 +
 lib/mbedtls/mbedtls_def_config.h   |  18 ++
 lib/mbedtls/sw_ecdsa.c             |  94 ++++++
 test/lib/Makefile                  |   1 +
 test/lib/sw_ecdsa.c                | 445 +++++++++++++++++++++++++++++
 12 files changed, 638 insertions(+)
 create mode 100644 drivers/crypto/ecdsa/Kconfig
 create mode 100644 drivers/crypto/ecdsa/Makefile
 create mode 100644 drivers/crypto/ecdsa/ecdsa-sw.c
 create mode 100644 include/crypto/internal/sw_ecdsa.h
 create mode 100644 lib/mbedtls/sw_ecdsa.c
 create mode 100644 test/lib/sw_ecdsa.c

-- 
2.43.0



* [RFC PATCH 1/4] mbedtls: enable support of ecc
  2026-02-02 17:03 [RFC PATCH 0/4] add software ecdsa support Philippe Reynes
@ 2026-02-02 17:03 ` Philippe Reynes
  2026-02-02 19:03   ` Raymond Mao
  2026-02-02 17:03 ` [RFC PATCH 2/4] ecdsa: initial support of ecdsa using mbedtls Philippe Reynes
                   ` (6 subsequent siblings)
  7 siblings, 1 reply; 16+ messages in thread
From: Philippe Reynes @ 2026-02-02 17:03 UTC (permalink / raw)
  To: marko.makela, jonny.green, raymondmaoca; +Cc: u-boot, Philippe Reynes

Enables the support of ecc in mbedtls.

Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
---
 lib/mbedtls/Kconfig              |  8 ++++++++
 lib/mbedtls/Makefile             |  7 +++++++
 lib/mbedtls/mbedtls_def_config.h | 18 ++++++++++++++++++
 3 files changed, 33 insertions(+)

diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index 789721ee6cd..90c007df850 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -157,6 +157,7 @@ config MBEDTLS_LIB_CRYPTO
 	select SHA256_MBEDTLS if SHA256
 	select SHA512_MBEDTLS if SHA512
 	select SHA384_MBEDTLS if SHA384
+	select ECDSA_MBEDTLS if ECDSA
 	help
 	  Enable MbedTLS native crypto libraries.
 	  Mutually incompatible with MBEDTLS_LIB_HASHING_ALT.
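
Review bot: The new `select ECDSA_MBEDTLS if ECDSA` line forces the symbol on whenever MBEDTLS_LIB_CRYPTO and ECDSA are both set, yet the next hunk gives ECDSA_MBEDTLS a user prompt with the same two dependencies, so the prompt can never be switched off. A board that enables ECDSA only for a hardware verifier would still pull in the software ECC code. Either drop the prompt, or replace the select with `default y` in the ECDSA_MBEDTLS entry so the option stays a real choice.
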
@@ -231,6 +232,13 @@ config HKDF_MBEDTLS
 	  This option enables support of key derivation using HKDF algorithm
 	  with MbedTLS crypto library.
 
+config ECDSA_MBEDTLS
+	bool "Enable ECDSA support with MbedTLS crypto library"
+	depends on MBEDTLS_LIB_CRYPTO && ECDSA
+	help
+	  This option enables support of ECDSA with the MbedTLS crypto
+	  library.
+
 endif # MBEDTLS_LIB_CRYPTO
 
 config MBEDTLS_LIB_X509
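
Review bot: ECDSA_MBEDTLS is added here without an SPL counterpart, while the Makefile hunks of this patch key their object lists on `CONFIG_$(PHASE_)ECDSA_MBEDTLS`. If signature verification from SPL is intended, an SPL_ECDSA_MBEDTLS symbol is needed next to this one; if it is not, say so in the help text. The help text should also state that only verification is provided, since the series adds no signing path.
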
diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index c5b445bd85c..54a893609cf 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -35,6 +35,11 @@ mbedtls_lib_crypto-$(CONFIG_$(PHASE_)SHA512_MBEDTLS) += \
 	$(MBEDTLS_LIB_DIR)/sha512.o
 mbedtls_lib_crypto-$(CONFIG_$(PHASE_)HKDF_MBEDTLS) += \
 	$(MBEDTLS_LIB_DIR)/hkdf.o
+mbedtls_lib_crypto-$(CONFIG_$(PHASE_)ECDSA_MBEDTLS) += \
+	$(MBEDTLS_LIB_DIR)/ecdsa.o \
+	$(MBEDTLS_LIB_DIR)/ecp.o \
+	$(MBEDTLS_LIB_DIR)/ecp_curves.o \
+	$(MBEDTLS_LIB_DIR)/ecp_curves_new.o
 
 # MbedTLS X509 library
 obj-$(CONFIG_$(XPL_)MBEDTLS_LIB_X509) += mbedtls_lib_x509.o
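
Review bot: The object list added for ECDSA_MBEDTLS contains ecdsa.o, ecp.o and the two ecp_curves objects but no bignum object, although the mbedtls_def_config.h hunk defines MBEDTLS_BIGNUM_C and sw_ecdsa.c in patch 2/4 calls mbedtls_mpi_* directly. Please confirm that a configuration with ECDSA_MBEDTLS enabled and the X509/RSA options disabled still links, and add the bignum objects to this list if it does not.
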
@@ -52,6 +57,8 @@ mbedtls_lib_x509-$(CONFIG_$(PHASE_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
 	$(MBEDTLS_LIB_DIR)/pk.o \
 	$(MBEDTLS_LIB_DIR)/pk_wrap.o \
 	$(MBEDTLS_LIB_DIR)/pkparse.o
+mbedtls_lib_x509-$(CONFIG_$(PHASE_)ECDSA_MBEDTLS) += \
+	$(MBEDTLS_LIB_DIR)/pk_ecc.o
 mbedtls_lib_x509-$(CONFIG_$(PHASE_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
 	$(MBEDTLS_LIB_DIR)/x509_crl.o \
 	$(MBEDTLS_LIB_DIR)/x509_crt.o
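
Review bot: pk_ecc.o is keyed on ECDSA_MBEDTLS alone but is appended to mbedtls_lib_x509, which is only built when MBEDTLS_LIB_X509 is enabled. Nothing in this series uses the pk layer for ECC (sw_ecdsa_verify works on raw coordinates), so either explain in the commit message why the object is needed, or move it to a follow-up that adds EC public key parsing.
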
diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h
index dda3f4dd6e4..8f366c744a5 100644
--- a/lib/mbedtls/mbedtls_def_config.h
+++ b/lib/mbedtls/mbedtls_def_config.h
@@ -60,6 +60,24 @@
 #define MBEDTLS_HKDF_C
 #endif
 
+#if CONFIG_IS_ENABLED(ECDSA)
+#define MBEDTLS_ECDSA_C
+#define MBEDTLS_ECP_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#define MBEDTLS_ECP_DP_BP256R1_ENABLED
+#define MBEDTLS_ECP_DP_BP384R1_ENABLED
+#define MBEDTLS_ECP_DP_BP512R1_ENABLED
+#endif
+
 #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
 
 #if CONFIG_IS_ENABLED(X509_CERTIFICATE_PARSER)
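
Review bot: `MBEDTLS_ECP_DP_SECP256K1_ENABLED` is defined twice in the new block (first and ninth curve lines); remove the duplicate. More importantly, the block enables twelve curves, including the 192-bit and 224-bit ones and the Koblitz and Brainpool families, for a verified-boot path where the cover letter only reports ecdsa256 and ecdsa384 as tested. Every enabled curve is one more algorithm the bootloader will accept, and more code in size-constrained images, so enable only the curves that the FIT signature code can actually select. The guard should also be `CONFIG_IS_ENABLED(ECDSA_MBEDTLS)` rather than `CONFIG_IS_ENABLED(ECDSA)`, to match the Kconfig and Makefile changes.
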
-- 
2.43.0



* [RFC PATCH 2/4] ecdsa: initial support of ecdsa using mbedtls
  2026-02-02 17:03 [RFC PATCH 0/4] add software ecdsa support Philippe Reynes
  2026-02-02 17:03 ` [RFC PATCH 1/4] mbedtls: enable support of ecc Philippe Reynes
@ 2026-02-02 17:03 ` Philippe Reynes
  2026-02-02 17:03 ` [RFC PATCH 3/4] test: lib: sw_ecdsa: add initial test Philippe Reynes
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 16+ messages in thread
From: Philippe Reynes @ 2026-02-02 17:03 UTC (permalink / raw)
  To: marko.makela, jonny.green, raymondmaoca; +Cc: u-boot, Philippe Reynes

Adds an initial support of ecdsa verify using mbedtls.

Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
---
 include/crypto/internal/sw_ecdsa.h | 14 +++++
 lib/mbedtls/Makefile               |  3 +
 lib/mbedtls/sw_ecdsa.c             | 94 ++++++++++++++++++++++++++++++
 3 files changed, 111 insertions(+)
 create mode 100644 include/crypto/internal/sw_ecdsa.h
 create mode 100644 lib/mbedtls/sw_ecdsa.c

diff --git a/include/crypto/internal/sw_ecdsa.h b/include/crypto/internal/sw_ecdsa.h
new file mode 100644
index 00000000000..b1ca31da0f8
--- /dev/null
+++ b/include/crypto/internal/sw_ecdsa.h
@@ -0,0 +1,14 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * Copyright (c) 2026, Philippe Reynes <philippe.reynes@softathome.com>
+ */
+#ifndef _SW_ECDSA
+#define _SW_ECDSA
+
+struct ecdsa_public_key;
+
+int sw_ecdsa_verify(const struct ecdsa_public_key *pubkey,
+		    const void *hash, size_t hash_len,
+		    const void *signature, size_t sig_len);
+
+#endif
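
Review bot: The prototype of sw_ecdsa_verify() has no documentation, and callers need to know its contract: that the signature is the raw concatenation r || s, what length is expected for a given curve, and that the return value is 0 on success and otherwise either -1 or a negative MbedTLS error code. Please add a kernel-doc comment covering these. The header also uses size_t without including <linux/types.h>, so it only compiles when something else has been included first.
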
diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index 54a893609cf..a5331313a60 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -11,6 +11,9 @@ obj-$(CONFIG_$(PHASE_)SHA1_MBEDTLS) += sha1.o
 obj-$(CONFIG_$(PHASE_)SHA256_MBEDTLS) += sha256.o
 obj-$(CONFIG_$(PHASE_)SHA512_MBEDTLS) += sha512.o
 
+# shim layer for crypto
+obj-$(CONFIG_$(PHASE_)ECDSA_MBEDTLS) += sw_ecdsa.o
+
 # x509 libraries
 obj-$(CONFIG_$(PHASE_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
 	public_key.o
diff --git a/lib/mbedtls/sw_ecdsa.c b/lib/mbedtls/sw_ecdsa.c
new file mode 100644
index 00000000000..0ed95f4407f
--- /dev/null
+++ b/lib/mbedtls/sw_ecdsa.c
@@ -0,0 +1,94 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (C) 2026 Philippe Reynes <philippe.reynes@softathome.com>
+ */
+
+#include <crypto/ecdsa-uclass.h>
+#include "mbedtls_options.h" /* required to access private fields */
+#include <mbedtls/ecdsa.h>
+#include <mbedtls/ecp.h>
+
+static mbedtls_ecp_group_id sw_ecdsa_search_group_id(const char *curve_name)
+{
+	mbedtls_ecp_group_id grp_id = MBEDTLS_ECP_DP_NONE;
+	const mbedtls_ecp_curve_info *info;
+
+	if (!curve_name)
+		goto out;
+
+	if (!strcmp(curve_name, "prime256v1"))
+		grp_id = MBEDTLS_ECP_DP_SECP256R1;
+
+	info = mbedtls_ecp_curve_list();
+	while (info && info->name) {
+		if (!strcmp(curve_name, info->name))
+			grp_id = info->grp_id;
+		info++;
+	}
+
+ out:
+	return grp_id;
+}
+
+int sw_ecdsa_verify(const struct ecdsa_public_key *pubkey,
+		    const void *hash, size_t hash_len,
+		    const void *signature, size_t sig_len)
+{
+	mbedtls_ecp_group_id grp_id;
+	mbedtls_ecp_group grp;
+	const unsigned char *buf = hash;
+	size_t blen = hash_len;
+	mbedtls_ecp_point Q;
+	mbedtls_mpi r, s;
+	int key_len;
+	int err = -1;
+
+	if (!(pubkey->size_bits % 8))
+		key_len = pubkey->size_bits / 8;
+	else
+		key_len = pubkey->size_bits / 8 + 1;
+
+	/* search the group */
+	grp_id = sw_ecdsa_search_group_id(pubkey->curve_name);
+	if (grp_id == MBEDTLS_ECP_DP_NONE) {
+		printf("%s: curve name %s not found\n",
+		       __func__, pubkey->curve_name);
+		goto out;
+	}
+
+	/* init and load the group */
+	mbedtls_ecp_group_init(&grp);
+	err = mbedtls_ecp_group_load(&grp, grp_id);
+	if (err < 0)
+		goto out;
+
+	/* prepare the pubkey */
+	mbedtls_ecp_point_init(&Q);
+	mbedtls_mpi_init(&Q.X);
+	mbedtls_mpi_init(&Q.Y);
+	mbedtls_mpi_init(&Q.Z);
+	mbedtls_mpi_read_binary(&Q.X, pubkey->x, key_len);
+	mbedtls_mpi_read_binary(&Q.Y, pubkey->y, key_len);
+	mbedtls_mpi_lset(&Q.Z, 1);
+
+	/* check if the pubkey is valid */
+	err = mbedtls_ecp_check_pubkey(&grp, &Q);
+	if (err < 0) {
+		printf("%s: public key is invalid (err = %d)\n", __func__, err);
+		goto out;
+	}
+
+	/* compute r */
+	mbedtls_mpi_init(&r);
+	mbedtls_mpi_read_binary(&r, signature, key_len);
+
+	/* compute s */
+	mbedtls_mpi_init(&s);
+	mbedtls_mpi_read_binary(&s, signature + key_len, key_len);
+
+	/* check the signature */
+	err = mbedtls_ecdsa_verify(&grp, buf, blen, &Q, &r, &s);
+
+ out:
+	return err;
+}
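
Review bot: sw_ecdsa_verify() never looks at sig_len: `mbedtls_mpi_read_binary(&s, signature + key_len, key_len)` reads 2 * key_len bytes from the caller's buffer whatever its real size, so a short signature from an untrusted image causes an out-of-bounds read. Reject the input up front unless `sig_len == 2 * key_len`, and check pubkey for NULL before dereferencing it. The return values of all four mbedtls_mpi_read_binary() calls and of mbedtls_mpi_lset() are ignored; a failed allocation would leave an MPI at zero and the function would carry on. Nothing is released: add mbedtls_ecp_group_free(), mbedtls_ecp_point_free() and mbedtls_mpi_free() at the `out:` label, and move the init calls above the first `goto out` so the frees are always valid. Smaller points: `signature + key_len` is arithmetic on a `const void *`, use a `const unsigned char *` local; the file does not include <crypto/internal/sw_ecdsa.h>, so the definition is not checked against its prototype; the loop in sw_ecdsa_search_group_id() should break on the first match; and the three mbedtls_mpi_init() calls on Q.X, Q.Y and Q.Z repeat what mbedtls_ecp_point_init() already did. The comments "compute r" and "compute s" should read "load r" and "load s", since nothing is computed there.
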
-- 
2.43.0



* [RFC PATCH 3/4] test: lib: sw_ecdsa: add initial test
  2026-02-02 17:03 [RFC PATCH 0/4] add software ecdsa support Philippe Reynes
  2026-02-02 17:03 ` [RFC PATCH 1/4] mbedtls: enable support of ecc Philippe Reynes
  2026-02-02 17:03 ` [RFC PATCH 2/4] ecdsa: initial support of ecdsa using mbedtls Philippe Reynes
@ 2026-02-02 17:03 ` Philippe Reynes
  2026-02-02 17:03 ` [RFC PATCH 4/4] drivers: crypto: add software ecdsa support Philippe Reynes
                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 16+ messages in thread
From: Philippe Reynes @ 2026-02-02 17:03 UTC (permalink / raw)
  To: marko.makela, jonny.green, raymondmaoca; +Cc: u-boot, Philippe Reynes

Adds tests to check that the function sw_ecdsa_verify
using mbedtls is valid.

Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
---
 test/lib/Makefile   |   1 +
 test/lib/sw_ecdsa.c | 445 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 446 insertions(+)
 create mode 100644 test/lib/sw_ecdsa.c

diff --git a/test/lib/Makefile b/test/lib/Makefile
index f25383a40e5..8837446968b 100644
--- a/test/lib/Makefile
+++ b/test/lib/Makefile
@@ -8,6 +8,7 @@ obj-$(CONFIG_$(PHASE_)UT_COMPRESSION) += compression.o
 ifeq ($(CONFIG_XPL_BUILD),)
 obj-y += abuf.o
 obj-y += alist.o
+obj-$(CONFIG_ECDSA_MBEDTLS) += sw_ecdsa.o
 obj-$(CONFIG_EFI_LOADER) += efi_device_path.o efi_memory.o
 obj-$(CONFIG_EFI_SECURE_BOOT) += efi_image_region.o
 ifdef CONFIG_RISCV
diff --git a/test/lib/sw_ecdsa.c b/test/lib/sw_ecdsa.c
new file mode 100644
index 00000000000..f037ca0812a
--- /dev/null
+++ b/test/lib/sw_ecdsa.c
@@ -0,0 +1,445 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (C) 2026 Philippe Reynes <philippe.reynes@softathome.com>
+ */
+
+#include <command.h>
+#include <image.h>
+#include <test/lib.h>
+#include <test/test.h>
+#include <test/ut.h>
+#include <crypto/ecdsa-uclass.h>
+#include <crypto/internal/sw_ecdsa.h>
+
+#include <mbedtls/ecp.h>
+
+struct ecdsa_test_vector_s {
+	char *test_name;
+	char *curve_name;
+	unsigned char *x;
+	unsigned char *y;
+	int size_bits;
+	unsigned char *hash_type;
+	unsigned char *hash_message;
+	unsigned char *k;
+	unsigned char *r;
+	unsigned char *s;
+	int expected;
+};
+
+/*
+ * Those data come from RFC6979
+ */
+
+struct ecdsa_test_vector_s ecdsa_test_vector[] = {
+	/*
+	 * secp192r1
+	 */
+	{
+	.test_name = "secp192r1 sha1",
+	.curve_name = "secp192r1",
+	.x = "AC2C77F529F91689FEA0EA5EFEC7F210D8EEA0B9E047ED56",
+	.y = "3BC723E57670BD4887EBC732C523063D0A7C957BC97C1C43",
+	.size_bits = 192,
+	.hash_type = "sha-1",
+	.hash_message = "sample",
+	.k = "37D7CA00D2C7B0E5E412AC03BD44BA837FDD5B28CD3B0021",
+	.r = "98C6BD12B23EAF5E2A2045132086BE3EB8EBD62ABF6698FF",
+	.s = "57A22B07DEA9530F8DE9471B1DC6624472E8E2844BC25B64",
+	.expected = 0,
+	},
+	{
+	.test_name = "secp192r1 sha256",
+	.curve_name = "secp192r1",
+	.x = "AC2C77F529F91689FEA0EA5EFEC7F210D8EEA0B9E047ED56",
+	.y = "3BC723E57670BD4887EBC732C523063D0A7C957BC97C1C43",
+	.size_bits = 192,
+	.hash_type = "sha-256",
+	.hash_message = "sample",
+	.k = "32B1B6D7D42A05CB449065727A84804FB1A3E34D8F261496",
+	.r = "4B0B8CE98A92866A2820E20AA6B75B56382E0F9BFD5ECB55",
+	.s = "CCDB006926EA9565CBADC840829D8C384E06DE1F1E381B85",
+	.expected = 0,
+	},
+	{
+	.test_name = "secp192r1 sha384",
+	.curve_name = "secp192r1",
+	.x = "AC2C77F529F91689FEA0EA5EFEC7F210D8EEA0B9E047ED56",
+	.y = "3BC723E57670BD4887EBC732C523063D0A7C957BC97C1C43",
+	.size_bits = 192,
+	.hash_type = "sha-384",
+	.hash_message = "sample",
+	.k = "4730005C4FCB01834C063A7B6760096DBE284B8252EF4311",
+	.r = "DA63BF0B9ABCF948FBB1E9167F136145F7A20426DCC287D5",
+	.s = "C3AA2C960972BD7A2003A57E1C4C77F0578F8AE95E31EC5E",
+	.expected = 0,
+	},
+	{
+	.test_name = "secp192r1 sha512",
+	.curve_name = "secp192r1",
+	.x = "AC2C77F529F91689FEA0EA5EFEC7F210D8EEA0B9E047ED56",
+	.y = "3BC723E57670BD4887EBC732C523063D0A7C957BC97C1C43",
+	.size_bits = 192,
+	.hash_type = "sha-512",
+	.hash_message = "sample",
+	.k = "A2AC7AB055E4F20692D49209544C203A7D1F2C0BFBC75DB1",
+	.r = "4D60C5AB1996BD848343B31C00850205E2EA6922DAC2E4B8",
+	.s = "3F6E837448F027A1BF4B34E796E32A811CBB4050908D8F67",
+	.expected = 0,
+	},
+	{
+	.test_name = "secp192r1 sha512 error",
+	.curve_name = "secp192r1",
+	.x = "AC2C77F529F91689FEA0EA5EFEC7F210D8EEA0B9E047ED56",
+	.y = "3BC723E57670BD4887EBC732C523063D0A7C957BC97C1C43",
+	.size_bits = 192,
+	.hash_type = "sha-512",
+	.hash_message = "sample",
+	.k = "A2AC7AB055E4F20692D49209544C203A7D1F2C0BFBC75DB1",
+	.r = "4D60C5AB1996BD848343B31C00850205E2EA6922DAC2E4B8",
+	.s = "0F6E837448F027A1BF4B34E796E32A811CBB4050908D8F67",
+	.expected = MBEDTLS_ERR_ECP_VERIFY_FAILED,
+	},
+	/*
+	 * secp224r1
+	 */
+	{
+	.test_name = "secp224r1 sha1",
+	.curve_name = "secp224r1",
+	.x = "00CF08DA5AD719E42707FA431292DEA11244D64FC51610D94B130D6C",
+	.y = "EEAB6F3DEBE455E3DBF85416F7030CBD94F34F2D6F232C69F3C1385A",
+	.size_bits = 224,
+	.hash_type = "sha-1",
+	.hash_message = "sample",
+	.k = "7EEFADD91110D8DE6C2C470831387C50D3357F7F4D477054B8B426BC",
+	.r = "22226F9D40A96E19C4A301CE5B74B115303C0F3A4FD30FC257FB57AC",
+	.s = "66D1CDD83E3AF75605DD6E2FEFF196D30AA7ED7A2EDF7AF475403D69",
+	.expected = 0,
+	},
+	{
+	.test_name = "secp224r1 sha256",
+	.curve_name = "secp224r1",
+	.x = "00CF08DA5AD719E42707FA431292DEA11244D64FC51610D94B130D6C",
+	.y = "EEAB6F3DEBE455E3DBF85416F7030CBD94F34F2D6F232C69F3C1385A",
+	.size_bits = 224,
+	.hash_type = "sha-256",
+	.hash_message = "sample",
+	.k = "AD3029E0278F80643DE33917CE6908C70A8FF50A411F06E41DEDFCDC",
+	.r = "61AA3DA010E8E8406C656BC477A7A7189895E7E840CDFE8FF42307BA",
+	.s = "BC814050DAB5D23770879494F9E0A680DC1AF7161991BDE692B10101",
+	.expected = 0,
+	},
+	{
+	.test_name = "secp224r1 sha384",
+	.curve_name = "secp224r1",
+	.x = "00CF08DA5AD719E42707FA431292DEA11244D64FC51610D94B130D6C",
+	.y = "EEAB6F3DEBE455E3DBF85416F7030CBD94F34F2D6F232C69F3C1385A",
+	.size_bits = 224,
+	.hash_type = "sha-384",
+	.hash_message = "sample",
+	.k = "52B40F5A9D3D13040F494E83D3906C6079F29981035C7BD51E5CAC40",
+	.r = "0B115E5E36F0F9EC81F1325A5952878D745E19D7BB3EABFABA77E953",
+	.s = "830F34CCDFE826CCFDC81EB4129772E20E122348A2BBD889A1B1AF1D",
+	.expected = 0,
+	},
+	{
+	.test_name = "secp224r1 sha512",
+	.curve_name = "secp224r1",
+	.x = "00CF08DA5AD719E42707FA431292DEA11244D64FC51610D94B130D6C",
+	.y = "EEAB6F3DEBE455E3DBF85416F7030CBD94F34F2D6F232C69F3C1385A",
+	.size_bits = 224,
+	.hash_type = "sha-512",
+	.hash_message = "sample",
+	.k = "9DB103FFEDEDF9CFDBA05184F925400C1653B8501BAB89CEA0FBEC14",
+	.r = "074BD1D979D5F32BF958DDC61E4FB4872ADCAFEB2256497CDAC30397",
+	.s = "A4CECA196C3D5A1FF31027B33185DC8EE43F288B21AB342E5D8EB084",
+	.expected = 0,
+	},
+	{
+	.test_name = "secp224r1 sha512 error",
+	.curve_name = "secp224r1",
+	.x = "00CF08DA5AD719E42707FA431292DEA11244D64FC51610D94B130D6C",
+	.y = "EEAB6F3DEBE455E3DBF85416F7030CBD94F34F2D6F232C69F3C1385A",
+	.size_bits = 224,
+	.hash_type = "sha-512",
+	.hash_message = "sample",
+	.k = "9DB103FFEDEDF9CFDBA05184F925400C1653B8501BAB89CEA0FBEC14",
+	.r = "074BD1D979D5F32BF958DDC61E4FB4872ADCAFEB2256497CDAC30397",
+	.s = "04CECA196C3D5A1FF31027B33185DC8EE43F288B21AB342E5D8EB084",
+	.expected = MBEDTLS_ERR_ECP_VERIFY_FAILED,
+	},
+	/*
+	 * secp256r1
+	 */
+	{
+	.test_name = "secp256r1 sha1",
+	.curve_name = "secp256r1",
+	.x = "60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6",
+	.y = "7903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299",
+	.size_bits = 256,
+	.hash_type = "sha-1",
+	.hash_message = "sample",
+	.k = "882905F1227FD620FBF2ABF21244F0BA83D0DC3A9103DBBEE43A1FB858109DB4",
+	.r = "61340C88C3AAEBEB4F6D667F672CA9759A6CCAA9FA8811313039EE4A35471D32",
+	.s = "6D7F147DAC089441BB2E2FE8F7A3FA264B9C475098FDCF6E00D7C996E1B8B7EB",
+	.expected = 0,
+	},
+	{
+	.test_name = "secp256r1 sha256",
+	.curve_name = "secp256r1",
+	.x = "60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6",
+	.y = "7903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299",
+	.size_bits = 256,
+	.hash_type = "sha-256",
+	.hash_message = "sample",
+	.k = "A6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60",
+	.r = "EFD48B2AACB6A8FD1140DD9CD45E81D69D2C877B56AAF991C34D0EA84EAF3716",
+	.s = "F7CB1C942D657C41D436C7A1B6E29F65F3E900DBB9AFF4064DC4AB2F843ACDA8",
+	.expected = 0,
+	},
+	{
+	.test_name = "secp256r1 sha384",
+	.curve_name = "secp256r1",
+	.x = "60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6",
+	.y = "7903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299",
+	.size_bits = 256,
+	.hash_type = "sha-384",
+	.hash_message = "sample",
+	.k = "09F634B188CEFD98E7EC88B1AA9852D734D0BC272F7D2A47DECC6EBEB375AAD4",
+	.r = "0EAFEA039B20E9B42309FB1D89E213057CBF973DC0CFC8F129EDDDC800EF7719",
+	.s = "4861F0491E6998B9455193E34E7B0D284DDD7149A74B95B9261F13ABDE940954",
+	.expected = 0,
+	},
+	{
+	.test_name = "secp256r1 sha512",
+	.curve_name = "secp256r1",
+	.x = "60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6",
+	.y = "7903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299",
+	.size_bits = 256,
+	.hash_type = "sha-512",
+	.hash_message = "sample",
+	.k = "5FA81C63109BADB88C1F367B47DA606DA28CAD69AA22C4FE6AD7DF73A7173AA5",
+	.r = "8496A60B5E9B47C825488827E0495B0E3FA109EC4568FD3F8D1097678EB97F00",
+	.s = "2362AB1ADBE2B8ADF9CB9EDAB740EA6049C028114F2460F96554F61FAE3302FE",
+	.expected = 0,
+	},
+	{
+	.test_name = "secp256r1 sha512 error",
+	.curve_name = "secp256r1",
+	.x = "60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6",
+	.y = "7903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299",
+	.size_bits = 256,
+	.hash_type = "sha-512",
+	.hash_message = "sample",
+	.k = "5FA81C63109BADB88C1F367B47DA606DA28CAD69AA22C4FE6AD7DF73A7173AA5",
+	.r = "8496A60B5E9B47C825488827E0495B0E3FA109EC4568FD3F8D1097678EB97F00",
+	.s = "0362AB1ADBE2B8ADF9CB9EDAB740EA6049C028114F2460F96554F61FAE3302FE",
+	.expected = MBEDTLS_ERR_ECP_VERIFY_FAILED,
+	},
+	/*
+	 * secp384r1
+	 */
+	{
+	.test_name = "secp384r1 sha1",
+	.curve_name = "secp384r1",
+	.x = "EC3A4E415B4E19A4568618029F427FA5DA9A8BC4AE92E02E06AAE5286B300C64DEF8F0EA9055866064A254515480BC13",
+	.y = "8015D9B72D7D57244EA8EF9AC0C621896708A59367F9DFB9F54CA84B3F1C9DB1288B231C3AE0D4FE7344FD2533264720",
+	.size_bits = 384,
+	.hash_type = "sha-1",
+	.hash_message = "sample",
+	.k = "4471EF7518BB2C7C20F62EAE1C387AD0C5E8E470995DB4ACF694466E6AB096630F29E5938D25106C3C340045A2DB01A7",
+	.r = "EC748D839243D6FBEF4FC5C4859A7DFFD7F3ABDDF72014540C16D73309834FA37B9BA002899F6FDA3A4A9386790D4EB2",
+	.s = "A3BCFA947BEEF4732BF247AC17F71676CB31A847B9FF0CBC9C9ED4C1A5B3FACF26F49CA031D4857570CCB5CA4424A443",
+	.expected = 0,
+	},
+	{
+	.test_name = "secp384r1 sha256",
+	.curve_name = "secp384r1",
+	.x = "EC3A4E415B4E19A4568618029F427FA5DA9A8BC4AE92E02E06AAE5286B300C64DEF8F0EA9055866064A254515480BC13",
+	.y = "8015D9B72D7D57244EA8EF9AC0C621896708A59367F9DFB9F54CA84B3F1C9DB1288B231C3AE0D4FE7344FD2533264720",
+	.size_bits = 384,
+	.hash_type = "sha-256",
+	.hash_message = "sample",
+	.k = "180AE9F9AEC5438A44BC159A1FCB277C7BE54FA20E7CF404B490650A8ACC414E375572342863C899F9F2EDF9747A9B60",
+	.r = "21B13D1E013C7FA1392D03C5F99AF8B30C570C6F98D4EA8E354B63A21D3DAA33BDE1E888E63355D92FA2B3C36D8FB2CD",
+	.s = "F3AA443FB107745BF4BD77CB3891674632068A10CA67E3D45DB2266FA7D1FEEBEFDC63ECCD1AC42EC0CB8668A4FA0AB0",
+	.expected = 0,
+	},
+	{
+	.test_name = "secp384r1 sha384",
+	.curve_name = "secp384r1",
+	.x = "EC3A4E415B4E19A4568618029F427FA5DA9A8BC4AE92E02E06AAE5286B300C64DEF8F0EA9055866064A254515480BC13",
+	.y = "8015D9B72D7D57244EA8EF9AC0C621896708A59367F9DFB9F54CA84B3F1C9DB1288B231C3AE0D4FE7344FD2533264720",
+	.size_bits = 384,
+	.hash_type = "sha-384",
+	.hash_message = "sample",
+	.k = "94ED910D1A099DAD3254E9242AE85ABDE4BA15168EAF0CA87A555FD56D10FBCA2907E3E83BA95368623B8C4686915CF9",
+	.r = "94EDBB92A5ECB8AAD4736E56C691916B3F88140666CE9FA73D64C4EA95AD133C81A648152E44ACF96E36DD1E80FABE46",
+	.s = "99EF4AEB15F178CEA1FE40DB2603138F130E740A19624526203B6351D0A3A94FA329C145786E679E7B82C71A38628AC8",
+	.expected = 0,
+	},
+	{
+	.test_name = "secp384r1 sha512",
+	.curve_name = "secp384r1",
+	.x = "EC3A4E415B4E19A4568618029F427FA5DA9A8BC4AE92E02E06AAE5286B300C64DEF8F0EA9055866064A254515480BC13",
+	.y = "8015D9B72D7D57244EA8EF9AC0C621896708A59367F9DFB9F54CA84B3F1C9DB1288B231C3AE0D4FE7344FD2533264720",
+	.size_bits = 384,
+	.hash_type = "sha-512",
+	.hash_message = "sample",
+	.k = "92FC3C7183A883E24216D1141F1A8976C5B0DD797DFA597E3D7B32198BD35331A4E966532593A52980D0E3AAA5E10EC3",
+	.r = "ED0959D5880AB2D869AE7F6C2915C6D60F96507F9CB3E047C0046861DA4A799CFE30F35CC900056D7C99CD7882433709",
+	.s = "512C8CCEEE3890A84058CE1E22DBC2198F42323CE8ACA9135329F03C068E5112DC7CC3EF3446DEFCEB01A45C2667FDD5",
+	.expected = 0,
+	},
+	{
+	.test_name = "secp384r1 sha512 error",
+	.curve_name = "secp384r1",
+	.x = "EC3A4E415B4E19A4568618029F427FA5DA9A8BC4AE92E02E06AAE5286B300C64DEF8F0EA9055866064A254515480BC13",
+	.y = "8015D9B72D7D57244EA8EF9AC0C621896708A59367F9DFB9F54CA84B3F1C9DB1288B231C3AE0D4FE7344FD2533264720",
+	.size_bits = 384,
+	.hash_type = "sha-512",
+	.hash_message = "sample",
+	.k = "92FC3C7183A883E24216D1141F1A8976C5B0DD797DFA597E3D7B32198BD35331A4E966532593A52980D0E3AAA5E10EC3",
+	.r = "ED0959D5880AB2D869AE7F6C2915C6D60F96507F9CB3E047C0046861DA4A799CFE30F35CC900056D7C99CD7882433709",
+	.s = "012C8CCEEE3890A84058CE1E22DBC2198F42323CE8ACA9135329F03C068E5112DC7CC3EF3446DEFCEB01A45C2667FDD5",
+	.expected = MBEDTLS_ERR_ECP_VERIFY_FAILED,
+	},
+	/*
+	 * secp521r1
+	 */
+	{
+	.test_name = "secp521r1 sha1",
+	.curve_name = "secp521r1",
+	.x = "01894550D0785932E00EAA23B694F213F8C3121F86DC97A04E5A7167DB4E5BCD371123D46E45DB6B5D5370A7F20FB633155D38FFA16D2BD761DCAC474B9A2F5023A4",
+	.y = "00493101C962CD4D2FDDF782285E64584139C2F91B47F87FF82354D6630F746A28A0DB25741B5B34A828008B22ACC23F924FAAFBD4D33F81EA66956DFEAA2BFDFCF5",
+	.size_bits = 521,
+	.hash_type = "sha-1",
+	.hash_message = "sample",
+	.k = "0089C071B419E1C2820962321787258469511958E80582E95D8378E0C2CCDB3CB42BEDE42F50E3FA3C71F5A76724281D31D9C89F0F91FC1BE4918DB1C03A5838D0F9",
+	.r = "00343B6EC45728975EA5CBA6659BBB6062A5FF89EEA58BE3C80B619F322C87910FE092F7D45BB0F8EEE01ED3F20BABEC079D202AE677B243AB40B5431D497C55D75D",
+	.s = "00E7B0E675A9B24413D448B8CC119D2BF7B2D2DF032741C096634D6D65D0DBE3D5694625FB9E8104D3B842C1B0E2D0B98BEA19341E8676AEF66AE4EBA3D5475D5D16",
+	.expected = 0,
+	},
+	{
+	.test_name = "secp521r1 sha256",
+	.curve_name = "secp521r1",
+	.x = "01894550D0785932E00EAA23B694F213F8C3121F86DC97A04E5A7167DB4E5BCD371123D46E45DB6B5D5370A7F20FB633155D38FFA16D2BD761DCAC474B9A2F5023A4",
+	.y = "00493101C962CD4D2FDDF782285E64584139C2F91B47F87FF82354D6630F746A28A0DB25741B5B34A828008B22ACC23F924FAAFBD4D33F81EA66956DFEAA2BFDFCF5",
+	.size_bits = 521,
+	.hash_type = "sha-256",
+	.hash_message = "sample",
+	.k = "00EDF38AFCAAECAB4383358B34D67C9F2216C8382AAEA44A3DAD5FDC9C32575761793FEF24EB0FC276DFC4F6E3EC476752F043CF01415387470BCBD8678ED2C7E1A0",
+	.r = "01511BB4D675114FE266FC4372B87682BAECC01D3CC62CF2303C92B3526012659D16876E25C7C1E57648F23B73564D67F61C6F14D527D54972810421E7D87589E1A7",
+	.s = "004A171143A83163D6DF460AAF61522695F207A58B95C0644D87E52AA1A347916E4F7A72930B1BC06DBE22CE3F58264AFD23704CBB63B29B931F7DE6C9D949A7ECFC",
+	.expected = 0,
+	},
+	{
+	.test_name = "secp521r1 sha384",
+	.curve_name = "secp521r1",
+	.x = "01894550D0785932E00EAA23B694F213F8C3121F86DC97A04E5A7167DB4E5BCD371123D46E45DB6B5D5370A7F20FB633155D38FFA16D2BD761DCAC474B9A2F5023A4",
+	.y = "00493101C962CD4D2FDDF782285E64584139C2F91B47F87FF82354D6630F746A28A0DB25741B5B34A828008B22ACC23F924FAAFBD4D33F81EA66956DFEAA2BFDFCF5",
+	.size_bits = 521,
+	.hash_type = "sha-384",
+	.hash_message = "sample",
+	.k = "01546A108BC23A15D6F21872F7DED661FA8431DDBD922D0DCDB77CC878C8553FFAD064C95A920A750AC9137E527390D2D92F153E66196966EA554D9ADFCB109C4211",
+	.r = "01EA842A0E17D2DE4F92C15315C63DDF72685C18195C2BB95E572B9C5136CA4B4B576AD712A52BE9730627D16054BA40CC0B8D3FF035B12AE75168397F5D50C67451",
+	.s = "01F21A3CEE066E1961025FB048BD5FE2B7924D0CD797BABE0A83B66F1E35EEAF5FDE143FA85DC394A7DEE766523393784484BDF3E00114A1C857CDE1AA203DB65D61",
+	.expected = 0,
+	},
+	{
+	.test_name = "secp521r1 sha512",
+	.curve_name = "secp521r1",
+	.x = "01894550D0785932E00EAA23B694F213F8C3121F86DC97A04E5A7167DB4E5BCD371123D46E45DB6B5D5370A7F20FB633155D38FFA16D2BD761DCAC474B9A2F5023A4",
+	.y = "00493101C962CD4D2FDDF782285E64584139C2F91B47F87FF82354D6630F746A28A0DB25741B5B34A828008B22ACC23F924FAAFBD4D33F81EA66956DFEAA2BFDFCF5",
+	.size_bits = 521,
+	.hash_type = "sha-512",
+	.hash_message = "sample",
+	.k = "01DAE2EA071F8110DC26882D4D5EAE0621A3256FC8847FB9022E2B7D28E6F10198B1574FDD03A9053C08A1854A168AA5A57470EC97DD5CE090124EF52A2F7ECBFFD3",
+	.r = "00C328FAFCBD79DD77850370C46325D987CB525569FB63C5D3BC53950E6D4C5F174E25A1EE9017B5D450606ADD152B534931D7D4E8455CC91F9B15BF05EC36E377FA",
+	.s = "00617CCE7CF5064806C467F678D3B4080D6F1CC50AF26CA209417308281B68AF282623EAA63E5B5C0723D8B8C37FF0777B1A20F8CCB1DCCC43997F1EE0E44DA4A67A",
+	.expected = 0,
+	},
+	{
+	.test_name = "secp521r1 sha512 error",
+	.curve_name = "secp521r1",
+	.x = "01894550D0785932E00EAA23B694F213F8C3121F86DC97A04E5A7167DB4E5BCD371123D46E45DB6B5D5370A7F20FB633155D38FFA16D2BD761DCAC474B9A2F5023A4",
+	.y = "00493101C962CD4D2FDDF782285E64584139C2F91B47F87FF82354D6630F746A28A0DB25741B5B34A828008B22ACC23F924FAAFBD4D33F81EA66956DFEAA2BFDFCF5",
+	.size_bits = 521,
+	.hash_type = "sha-512",
+	.hash_message = "sample",
+	.k = "01DAE2EA071F8110DC26882D4D5EAE0621A3256FC8847FB9022E2B7D28E6F10198B1574FDD03A9053C08A1854A168AA5A57470EC97DD5CE090124EF52A2F7ECBFFD3",
+	.r = "00C328FAFCBD79DD77850370C46325D987CB525569FB63C5D3BC53950E6D4C5F174E25A1EE9017B5D450606ADD152B534931D7D4E8455CC91F9B15BF05EC36E377FA",
+	.s = "00017CCE7CF5064806C467F678D3B4080D6F1CC50AF26CA209417308281B68AF282623EAA63E5B5C0723D8B8C37FF0777B1A20F8CCB1DCCC43997F1EE0E44DA4A67A",
+	.expected = MBEDTLS_ERR_ECP_VERIFY_FAILED,
+	},
+};
+
+int ecdsa_test(struct unit_test_state *uts, struct ecdsa_test_vector_s *tv)
+{
+	struct ecdsa_public_key pubkey;
+	unsigned char x[528 / 8];
+	unsigned char y[528 / 8];
+	unsigned char hash[512 / 8];
+	unsigned int hash_len;
+	unsigned char signature[528 / 8 * 2];
+	unsigned int sig_len;
+	int ret;
+
+	if (!(tv->size_bits % 8))
+		sig_len = tv->size_bits / 8;
+	else
+		sig_len = tv->size_bits / 8 + 1;
+
+	pubkey.curve_name = tv->curve_name;
+	hex2bin(x, tv->x, strlen(tv->x) / 2);
+	pubkey.x          = x;
+	hex2bin(y, tv->y, strlen(tv->y) / 2);
+	pubkey.y          = y;
+	pubkey.size_bits  = tv->size_bits;
+
+	if (!strcmp(tv->hash_type, "sha-1")) {
+		hash_len = SHA1_SUM_LEN;
+		sha1_csum_wd(tv->hash_message, strlen(tv->hash_message),
+			     hash, hash_len);
+	} else if (!strcmp(tv->hash_type, "sha-256")) {
+		hash_len = SHA256_SUM_LEN;
+		sha256_csum_wd(tv->hash_message, strlen(tv->hash_message),
+			       hash, hash_len);
+	} else if (!strcmp(tv->hash_type, "sha-384")) {
+		hash_len = SHA384_SUM_LEN;
+		sha384_csum_wd(tv->hash_message, strlen(tv->hash_message),
+			       hash, hash_len);
+	} else if (!strcmp(tv->hash_type, "sha-512")) {
+		hash_len = SHA512_SUM_LEN;
+		sha512_csum_wd(tv->hash_message, strlen(tv->hash_message),
+			       hash, hash_len);
+	} else {
+		ut_reportf("Unknown hash type (%s)", tv->hash_type);
+		goto out;
+	}
+
+	memset(signature, 0, sizeof(signature));
+	hex2bin(signature, tv->r, sig_len);
+	hex2bin(signature + sig_len, tv->s, sig_len);
+	sig_len = sig_len * 2;
+
+	ret = sw_ecdsa_verify(&pubkey,
+			      hash, hash_len,
+			      signature, sig_len);
+	ut_asserteq(ret, tv->expected);
+
+ out:
+	return 0;
+}
+
+static int lib_sw_ecdsa(struct unit_test_state *uts)
+{
+	int i, num_test = ARRAY_SIZE(ecdsa_test_vector);
+
+	for (i = 0; i < num_test; i++)
+		ecdsa_test(uts, &ecdsa_test_vector[i]);
+
+	return 0;
+}
+
+LIB_TEST(lib_sw_ecdsa, 0);
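
Review bot: lib_sw_ecdsa() discards the return value of ecdsa_test(), and ecdsa_test() returns 0 on the "Unknown hash type" path, so a typo in a vector's hash_type makes that vector pass silently. Wrap the call as `ut_assertok(ecdsa_test(uts, &ecdsa_test_vector[i]));` and return a failure code from the unknown-hash branch. The negative coverage is thin for a signature verifier: every failing vector only alters the leading digits of s. Please add cases for a modified r, a modified hash, a public key that is not on the curve, an unknown curve name, and a sig_len that is shorter than the curve requires. No vector uses the name "prime256v1", although sw_ecdsa_search_group_id() has a special case for it and it is the name passed to openssl in the cover letter. Style: ecdsa_test() and the vector table should be static and the table const, the string members should be `const char *` rather than `unsigned char *` (they are initialised from string literals and passed to strlen() and strcmp()), and the .k member is never read.
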
-- 
2.43.0



* [RFC PATCH 4/4] drivers: crypto: add software ecdsa support
  2026-02-02 17:03 [RFC PATCH 0/4] add software ecdsa support Philippe Reynes
                   ` (2 preceding siblings ...)
  2026-02-02 17:03 ` [RFC PATCH 3/4] test: lib: sw_ecdsa: add initial test Philippe Reynes
@ 2026-02-02 17:03 ` Philippe Reynes
  2026-02-02 19:09 ` [RFC PATCH 0/4] " Raymond Mao
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 16+ messages in thread
From: Philippe Reynes @ 2026-02-02 17:03 UTC (permalink / raw)
  To: marko.makela, jonny.green, raymondmaoca; +Cc: u-boot, Philippe Reynes

Add a software ecdsa driver so it is
now possible to use ecdsa signatures on
boards without ecdsa hardware support.

Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
---
 drivers/crypto/Kconfig          |  2 ++
 drivers/crypto/Makefile         |  1 +
 drivers/crypto/ecdsa/Kconfig    |  6 ++++++
 drivers/crypto/ecdsa/Makefile   |  6 ++++++
 drivers/crypto/ecdsa/ecdsa-sw.c | 33 +++++++++++++++++++++++++++++++++
 5 files changed, 48 insertions(+)
 create mode 100644 drivers/crypto/ecdsa/Kconfig
 create mode 100644 drivers/crypto/ecdsa/Makefile
 create mode 100644 drivers/crypto/ecdsa/ecdsa-sw.c

diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig
index 0d58e3910fe..cf49e5c0f7e 100644
--- a/drivers/crypto/Kconfig
+++ b/drivers/crypto/Kconfig
@@ -12,4 +12,6 @@ source "drivers/crypto/nuvoton/Kconfig"
 
 source "drivers/crypto/tegra/Kconfig"
 
+source "drivers/crypto/ecdsa/Kconfig"
+
 endmenu
diff --git a/drivers/crypto/Makefile b/drivers/crypto/Makefile
index e4a4482b7f3..8170e4cae9c 100644
--- a/drivers/crypto/Makefile
+++ b/drivers/crypto/Makefile
@@ -4,6 +4,7 @@
 #	http://www.samsung.com
 
 obj-$(CONFIG_EXYNOS_ACE_SHA)	+= ace_sha.o
+obj-$(CONFIG_ECDSA) += ecdsa/
 obj-y += aes/
 obj-y += rsa_mod_exp/
 obj-y += fsl/
diff --git a/drivers/crypto/ecdsa/Kconfig b/drivers/crypto/ecdsa/Kconfig
new file mode 100644
index 00000000000..308824d8421
--- /dev/null
+++ b/drivers/crypto/ecdsa/Kconfig
@@ -0,0 +1,6 @@
+config ECDSA_SW
+	bool "Enable driver for ECDSA in software"
+	depends on ECDSA_MBEDTLS
+	help
+	  Enable driver for ECDSA operations in software. Currently
+	  it supports multiple ECDSA algorithm.
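Review bot: the help text for ECDSA_SW only says it "supports multiple ECDSA algorithm", which tells a user nothing about what can be verified; name the curves that are expected to work, given that the cover letter reports ecdsa256 and ecdsa384 passing and a problem with secp521r1. The entry depends on ECDSA_MBEDTLS alone although the driver added in this patch implements only the verify op, so a `depends on ECDSA_VERIFY` (or a sentence in the help text saying the driver is verify-only) would make the scope explicit.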
diff --git a/drivers/crypto/ecdsa/Makefile b/drivers/crypto/ecdsa/Makefile
new file mode 100644
index 00000000000..8f9e5a767f8
--- /dev/null
+++ b/drivers/crypto/ecdsa/Makefile
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: GPL-2.0+
+#
+# Copyright (C) 2026 Philippe Reynes <philippe.reynes@softathome.com>
+#
+
+obj-$(CONFIG_ECDSA_SW) += ecdsa-sw.o
diff --git a/drivers/crypto/ecdsa/ecdsa-sw.c b/drivers/crypto/ecdsa/ecdsa-sw.c
new file mode 100644
index 00000000000..0d526371ecb
--- /dev/null
+++ b/drivers/crypto/ecdsa/ecdsa-sw.c
@@ -0,0 +1,33 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (C) 2026 Philippe Reynes <philippe.reynes@softathome.com>
+ */
+#include <dm/device.h>
+#include <linux/types.h>
+#include <u-boot/ecdsa.h>
+#include <crypto/ecdsa-uclass.h>
+#include <dm/platdata.h>
+#include <crypto/internal/sw_ecdsa.h>
+
+static int ops_sw_ecdsa_verify(__always_unused struct udevice *dev,
+			       const struct ecdsa_public_key *pubkey,
+			       const void *hash, size_t hash_len,
+			       const void *signature, size_t sig_len)
+{
+	return sw_ecdsa_verify(pubkey, hash, hash_len, signature, sig_len);
+}
+
+static const struct ecdsa_ops sw_ecdsa_ops = {
+	.verify = ops_sw_ecdsa_verify,
+};
+
+U_BOOT_DRIVER(sw_ecdsa) = {
+	.name	= "sw_ecdsa",
+	.id	= UCLASS_ECDSA,
+	.ops	= &sw_ecdsa_ops,
+	.flags	= DM_FLAG_PRE_RELOC,
+};
+
+U_BOOT_DRVINFO(sw_ecdsa) = {
+	.name = "sw_ecdsa",
+};
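Review bot: U_BOOT_DRVINFO(sw_ecdsa) instantiates this device in every build that enables ECDSA_SW, so a board that also has a hardware UCLASS_ECDSA driver ends up with two devices in the uclass; please state in the commit message or in a comment above the driver which one verification is expected to use. DM_FLAG_PRE_RELOC also needs a justification, since nothing in this file shows signature verification being needed before relocation. ops_sw_ecdsa_verify() forwards hash_len and sig_len unchanged, which is fine only if sw_ecdsa_verify() rejects lengths that do not match the curve; a one-line comment saying where that check lives would help the next reader.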
-- 
2.43.0



* Re: [RFC PATCH 1/4] mbedtls: enable support of ecc
  2026-02-02 17:03 ` [RFC PATCH 1/4] mbedtls: enable support of ecc Philippe Reynes
@ 2026-02-02 19:03   ` Raymond Mao
  0 siblings, 0 replies; 16+ messages in thread
From: Raymond Mao @ 2026-02-02 19:03 UTC (permalink / raw)
  To: Philippe Reynes; +Cc: marko.makela, jonny.green, u-boot

Hi Philippe,

On Mon, Feb 2, 2026 at 12:05 PM Philippe Reynes
<philippe.reynes@softathome.com> wrote:
>
> Enables the support of ecc in mbedtls.
>
> Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
> ---
>  lib/mbedtls/Kconfig              |  8 ++++++++
>  lib/mbedtls/Makefile             |  7 +++++++
>  lib/mbedtls/mbedtls_def_config.h | 18 ++++++++++++++++++
>  3 files changed, 33 insertions(+)
>
> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> index 789721ee6cd..90c007df850 100644
> --- a/lib/mbedtls/Kconfig
> +++ b/lib/mbedtls/Kconfig
> @@ -157,6 +157,7 @@ config MBEDTLS_LIB_CRYPTO
>         select SHA256_MBEDTLS if SHA256
>         select SHA512_MBEDTLS if SHA512
>         select SHA384_MBEDTLS if SHA384
> +       select ECDSA_MBEDTLS if ECDSA
>         help
>           Enable MbedTLS native crypto libraries.
>           Mutually incompatible with MBEDTLS_LIB_HASHING_ALT.
> @@ -231,6 +232,13 @@ config HKDF_MBEDTLS
>           This option enables support of key derivation using HKDF algorithm
>           with MbedTLS crypto library.
>
> +config ECDSA_MBEDTLS
> +       bool "Enable ECDSA support with MbedTLS crypto library"
> +       depends on MBEDTLS_LIB_CRYPTO && ECDSA
> +       help
> +         This option enables support of ECDSA with the MbedTLS crypto
> +         library.
> +

ECDSA config should be under MBEDTLS_LIB_X509 instead of MBEDTLS_LIB_CRYPTO.

>  endif # MBEDTLS_LIB_CRYPTO
>
>  config MBEDTLS_LIB_X509
> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
> index c5b445bd85c..54a893609cf 100644
> --- a/lib/mbedtls/Makefile
> +++ b/lib/mbedtls/Makefile
> @@ -35,6 +35,11 @@ mbedtls_lib_crypto-$(CONFIG_$(PHASE_)SHA512_MBEDTLS) += \
>         $(MBEDTLS_LIB_DIR)/sha512.o
>  mbedtls_lib_crypto-$(CONFIG_$(PHASE_)HKDF_MBEDTLS) += \
>         $(MBEDTLS_LIB_DIR)/hkdf.o
> +mbedtls_lib_crypto-$(CONFIG_$(PHASE_)ECDSA_MBEDTLS) += \
> +       $(MBEDTLS_LIB_DIR)/ecdsa.o \
> +       $(MBEDTLS_LIB_DIR)/ecp.o \
> +       $(MBEDTLS_LIB_DIR)/ecp_curves.o \
> +       $(MBEDTLS_LIB_DIR)/ecp_curves_new.o

Currently these ecp*.o are imported by MBEDTLS_LIB_TLS; refactoring is
required to avoid duplications when multiple kconfigs are selected.

>
>  # MbedTLS X509 library
>  obj-$(CONFIG_$(XPL_)MBEDTLS_LIB_X509) += mbedtls_lib_x509.o
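Review bot: the ECDSA_MBEDTLS object list adds ecdsa.o, ecp.o, ecp_curves.o and ecp_curves_new.o but no bignum or ASN.1 objects, while the config header in this same patch defines MBEDTLS_BIGNUM_C for ECDSA. If those objects are only built through another option, the Kconfig entry needs the matching dependency or select; otherwise add them here so that a configuration with only ECDSA_MBEDTLS links.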
> @@ -52,6 +57,8 @@ mbedtls_lib_x509-$(CONFIG_$(PHASE_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
>         $(MBEDTLS_LIB_DIR)/pk.o \
>         $(MBEDTLS_LIB_DIR)/pk_wrap.o \
>         $(MBEDTLS_LIB_DIR)/pkparse.o
> +mbedtls_lib_x509-$(CONFIG_$(PHASE_)ECDSA_MBEDTLS) += \
> +       $(MBEDTLS_LIB_DIR)/pk_ecc.o

ditto.

>  mbedtls_lib_x509-$(CONFIG_$(PHASE_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
>         $(MBEDTLS_LIB_DIR)/x509_crl.o \
>         $(MBEDTLS_LIB_DIR)/x509_crt.o
> diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h
> index dda3f4dd6e4..8f366c744a5 100644
> --- a/lib/mbedtls/mbedtls_def_config.h
> +++ b/lib/mbedtls/mbedtls_def_config.h
> @@ -60,6 +60,24 @@
>  #define MBEDTLS_HKDF_C
>  #endif
>
> +#if CONFIG_IS_ENABLED(ECDSA)
> +#define MBEDTLS_ECDSA_C
> +#define MBEDTLS_ECP_C
> +#define MBEDTLS_BIGNUM_C
> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
> +#define MBEDTLS_ECP_DP_BP256R1_ENABLED
> +#define MBEDTLS_ECP_DP_BP384R1_ENABLED
> +#define MBEDTLS_ECP_DP_BP512R1_ENABLED
> +#endif
> +

Currently they are enabled by MBEDTLS_LIB_TLS; refactoring is required
to select ECDSA when MBEDTLS_LIB_TLS is on, to avoid defining
duplicate macros here.

Regards,
Raymond

>  #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
>
>  #if CONFIG_IS_ENABLED(X509_CERTIFICATE_PARSER)
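Review bot: MBEDTLS_ECP_DP_SECP256K1_ENABLED is defined twice in the added block, once as the first curve and again after MBEDTLS_ECP_DP_SECP224K1_ENABLED; drop one of them. The block also defines MBEDTLS_ECDSA_C without MBEDTLS_ASN1_PARSE_C and MBEDTLS_ASN1_WRITE_C, which is the check_config.h #error reported later in this thread for a build where ASN1_DECODER is off, so either the Kconfig entry should select ASN1_DECODER or the macros belong here. Finally, the guard is CONFIG_IS_ENABLED(ECDSA) rather than ECDSA_MBEDTLS, and it switches on every 192-bit, Koblitz and Brainpool curve although the series is tested with ecdsa256 and ecdsa384; limiting the list to the curves the series is meant to support keeps both the image size and the set of accepted curves small.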
> --
> 2.43.0
>


* Re: [RFC PATCH 0/4] add software ecdsa support
  2026-02-02 17:03 [RFC PATCH 0/4] add software ecdsa support Philippe Reynes
                   ` (3 preceding siblings ...)
  2026-02-02 17:03 ` [RFC PATCH 4/4] drivers: crypto: add software ecdsa support Philippe Reynes
@ 2026-02-02 19:09 ` Raymond Mao
  2026-02-02 19:44 ` Tom Rini
                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 16+ messages in thread
From: Raymond Mao @ 2026-02-02 19:09 UTC (permalink / raw)
  To: Philippe Reynes; +Cc: marko.makela, jonny.green, u-boot

Hi Philippe,

On Mon, Feb 2, 2026 at 12:05 PM Philippe Reynes
<philippe.reynes@softathome.com> wrote:
>
> This serie adds the support of ecdsa with software
> using mbedtls. So boards without ecdsa hardware may
> also use signature with ecdsa.
>
> To add the support of ecdsa with mbedtls, I have:
> - enabled ecdsa in mbedtls
> - add a function sw_ecdsa_verify that uses mbedtls
> - add a driver sw_ecdsa that call sw_ecdsa_verify
>
> I have tested this code with sandbox, and I have
> followed those steps:
>
> 0) build u-boot using sandbox_defconfig and adding those options:
> CONFIG_ECDSA_SW=y
> CONFIG_ECDSA_MBEDTLS=y
> CONFIG_ECDSA=y
> CONFIG_ECDSA_VERIFY=y
>
> 1) add a signature node to an its file
>         signature-256 {
>                 algo = "sha256,ecdsa256";
>                 key-name-hint = "private-key-256";
>         };
>
> 2) generate an ecdsa key
> openssl ecparam -name prime256v1 -genkey -noout -out private-key-256.pem
>
> 3) create the itb file
> ./tools/mkimage -f <file.its> -k . -K arch/sandbox/dts/test.dtb <file.itb>
>
> 4) launch sandbox u-boot
>
> ./u-boot -d arch/sandbox/dts/test.dtb
>
> 5) on sandbox u-boot prompt, load the itb and launch bootm on it
>
> => host load hostfs - 1000000 uboot-ecdsa.itb
> 4628674 bytes read in 1 ms (4.3 GiB/s)
> => bootm 1000000
> ...
> ...
>    Verifying Hash Integrity ... sha256,ecdsa256:private-key-256+ OK
>
>
> I have tested with success ecdsa256 and ecdsa384,
> but there is an issue with secp521r1.
>
>
> Philippe Reynes (4):
>   mbedtls: enable support of ecc
>   ecdsa: initial support of ecdsa using mbedtls
>   test: lib: sw_ecdsa: add initial test
>   drivers: crypto: add software ecdsa support
>
>  drivers/crypto/Kconfig             |   2 +
>  drivers/crypto/Makefile            |   1 +
>  drivers/crypto/ecdsa/Kconfig       |   6 +
>  drivers/crypto/ecdsa/Makefile      |   6 +
>  drivers/crypto/ecdsa/ecdsa-sw.c    |  33 +++
>  include/crypto/internal/sw_ecdsa.h |  14 +
>  lib/mbedtls/Kconfig                |   8 +
>  lib/mbedtls/Makefile               |  10 +
>  lib/mbedtls/mbedtls_def_config.h   |  18 ++
>  lib/mbedtls/sw_ecdsa.c             |  94 ++++++

Rename it without the "sw_"; from the perspective of MbedTLS, HW
acceleration is controlled by `MBEDTLS_ECDSA_###_ALT`, so the
interface itself does not imply SW.

Regards,
Raymond

>  test/lib/Makefile                  |   1 +
>  test/lib/sw_ecdsa.c                | 445 +++++++++++++++++++++++++++++
>  12 files changed, 638 insertions(+)
>  create mode 100644 drivers/crypto/ecdsa/Kconfig
>  create mode 100644 drivers/crypto/ecdsa/Makefile
>  create mode 100644 drivers/crypto/ecdsa/ecdsa-sw.c
>  create mode 100644 include/crypto/internal/sw_ecdsa.h
>  create mode 100644 lib/mbedtls/sw_ecdsa.c
>  create mode 100644 test/lib/sw_ecdsa.c
>
> --
> 2.43.0
>


* Re: [RFC PATCH 0/4] add software ecdsa support
  2026-02-02 17:03 [RFC PATCH 0/4] add software ecdsa support Philippe Reynes
                   ` (4 preceding siblings ...)
  2026-02-02 19:09 ` [RFC PATCH 0/4] " Raymond Mao
@ 2026-02-02 19:44 ` Tom Rini
  2026-02-04 19:02 ` Marko Mäkelä
  2026-02-09 16:04 ` Marko Mäkelä
  7 siblings, 0 replies; 16+ messages in thread
From: Tom Rini @ 2026-02-02 19:44 UTC (permalink / raw)
  To: Philippe Reynes; +Cc: marko.makela, jonny.green, raymondmaoca, u-boot

On Mon, Feb 02, 2026 at 06:03:03PM +0100, Philippe Reynes wrote:

> This serie adds the support of ecdsa with software
> using mbedtls. So boards without ecdsa hardware may
> also use signature with ecdsa.
> 
> To add the support of ecdsa with mbedtls, I have:
> - enabled ecdsa in mbedtls
> - add a function sw_ecdsa_verify that uses mbedtls
> - add a driver sw_ecdsa that call sw_ecdsa_verify
> 
> I have tested this code with sandbox, and I have
> followed those steps:
> 
> 0) build u-boot using sandbox_defconfig and adding those options:
> CONFIG_ECDSA_SW=y
> CONFIG_ECDSA_MBEDTLS=y
> CONFIG_ECDSA=y
> CONFIG_ECDSA_VERIFY=y
> 
> 1) add a signature node to an its file
> 	signature-256 {
> 		algo = "sha256,ecdsa256";
> 		key-name-hint = "private-key-256";
> 	};
> 
> 2) generate an ecdsa key
> openssl ecparam -name prime256v1 -genkey -noout -out private-key-256.pem
> 
> 3) create the itb file
> ./tools/mkimage -f <file.its> -k . -K arch/sandbox/dts/test.dtb <file.itb>
> 
> 4) launch sandbox u-boot
> 
> ./u-boot -d arch/sandbox/dts/test.dtb
> 
> 5) on sandbox u-boot prompt, load the itb and launch bootm on it
> 
> => host load hostfs - 1000000 uboot-ecdsa.itb
> 4628674 bytes read in 1 ms (4.3 GiB/s)
> => bootm 1000000
> ...
> ...
>    Verifying Hash Integrity ... sha256,ecdsa256:private-key-256+ OK
> 
> 
> I have tested with success ecdsa256 and ecdsa384,
> but there is an issue with secp521r1. 

This is good to see. Please work on adding this to CI automatically
(which may involve doing something like the sandbox_trace builds/tests
rather than just being part of the default sandbox suite).

-- 
Tom


* Re: [RFC PATCH 0/4] add software ecdsa support
  2026-02-02 17:03 [RFC PATCH 0/4] add software ecdsa support Philippe Reynes
                   ` (5 preceding siblings ...)
  2026-02-02 19:44 ` Tom Rini
@ 2026-02-04 19:02 ` Marko Mäkelä
  2026-02-04 19:28   ` Raymond Mao
  2026-02-09 16:04 ` Marko Mäkelä
  7 siblings, 1 reply; 16+ messages in thread
From: Marko Mäkelä @ 2026-02-04 19:02 UTC (permalink / raw)
  To: Philippe Reynes; +Cc: jonny.green, raymondmaoca, u-boot

Mon, Feb 02, 2026 at 06:03:03PM +0100, Philippe Reynes wrote:
>This serie adds the support of ecdsa with software
>using mbedtls. So boards without ecdsa hardware may
>also use signature with ecdsa.
>
>To add the support of ecdsa with mbedtls, I have:
>- enabled ecdsa in mbedtls
>- add a function sw_ecdsa_verify that uses mbedtls
>- add a driver sw_ecdsa that call sw_ecdsa_verify
>
>I have tested this code with sandbox, and I have
>followed those steps:
>
>0) build u-boot using sandbox_defconfig and adding those options:
>CONFIG_ECDSA_SW=y
>CONFIG_ECDSA_MBEDTLS=y
>CONFIG_ECDSA=y
>CONFIG_ECDSA_VERIFY=y

I did "git am" on top of the master branch as of the current 
eb1562cc3e4c5130c76db1c1ea57156322362a7c and tried to build it as 
follows:

make rpi_4_defconfig
scripts/config -e FIT_SIGNATURE -e ECDSA -e SHA256 -e ECDSA_VERIFY \
-d BOOTSTD \
-e MBEDTLS_LIB -e MBEDTLS_LIB_CRYPTO -e ECDSA_MBEDTLS -e ECDSA_SW \
-e SHA256_MBEDTLS -e SHA256_SMALLER -e MBEDTLS_LIB_X509 -d HKDF_MBEDTLS \
-e ASN1_DECODER -e ASN1_DECODER_MBEDTLS \
-d LEGACY_HASHING_AND_CRYPTO &&
make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu-

No matter which variations of this I try (starting with -e 
HDKF_MBEDTLS), the build would fail with an #error in
lib/mbedtls/external/mbedtls/include/mbedtls/check_config.h because 
MBEDTLS_ECDSA_C is defined but neither MBEDTLS_ASN1_PARSE_C nor 
MBEDTLS_ASN1_WRITE_C are defined.

By disabling that check I found out that the functions 
ecdsa_signature_to_asn1() and mbedtls_ecdsa_read_signature_restartable() 
really depend on these.

I diagnosed this by executing
make V=1 CROSS_COMPILE=aarch64-linux-gnu-

Then, I edited the compiler command line by replacing "-o *.o -c" with 
"-E -dD", and redirected the standard output into a file. In that file I 
found that lib/mbedtls/mbedtls_def_config.h is defining MBEDTLS_ECDSA_C 
and would also define the ASN1 symbols if CONFIG_ASN1_DECODER were 
enabled:

#if CONFIG_IS_ENABLED(ASN1_DECODER)
#define MBEDTLS_OID_C
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
#endif

Something is wiping that out from my .config, also when I execute "make 
syncconfig" after the scripts/config. When I search for ASN1_DECODER in 
"make menuconfig", it mentions a large number of other configuration 
options.

Can someone help me to enable CONFIG_ASN1_DECODER in this configuration?

With best regards,

	Marko


* Re: [RFC PATCH 0/4] add software ecdsa support
  2026-02-04 19:02 ` Marko Mäkelä
@ 2026-02-04 19:28   ` Raymond Mao
  2026-02-05 18:16     ` Marko Mäkelä
  2026-02-08 18:37     ` Marko Mäkelä
  0 siblings, 2 replies; 16+ messages in thread
From: Raymond Mao @ 2026-02-04 19:28 UTC (permalink / raw)
  To: Marko Mäkelä; +Cc: Philippe Reynes, jonny.green, u-boot

Hi Marko,

On Wed, Feb 4, 2026 at 2:02 PM Marko Mäkelä <marko.makela@iki.fi> wrote:
>
> Mon, Feb 02, 2026 at 06:03:03PM +0100, Philippe Reynes wrote:
> >This serie adds the support of ecdsa with software
> >using mbedtls. So boards without ecdsa hardware may
> >also use signature with ecdsa.
> >
> >To add the support of ecdsa with mbedtls, I have:
> >- enabled ecdsa in mbedtls
> >- add a function sw_ecdsa_verify that uses mbedtls
> >- add a driver sw_ecdsa that call sw_ecdsa_verify
> >
> >I have tested this code with sandbox, and I have
> >followed those steps:
> >
> >0) build u-boot using sandbox_defconfig and adding those options:
> >CONFIG_ECDSA_SW=y
> >CONFIG_ECDSA_MBEDTLS=y
> >CONFIG_ECDSA=y
> >CONFIG_ECDSA_VERIFY=y
>
> I did "git am" on top of the master branch as of the current
> eb1562cc3e4c5130c76db1c1ea57156322362a7c and tried to build it as
> follows:
>
> make rpi_4_defconfig
> scripts/config -e FIT_SIGNATURE -e ECDSA -e SHA256 -e ECDSA_VERIFY \
> -d BOOTSTD \
> -e MBEDTLS_LIB -e MBEDTLS_LIB_CRYPTO -e ECDSA_MBEDTLS -e ECDSA_SW \
> -e SHA256_MBEDTLS -e SHA256_SMALLER -e MBEDTLS_LIB_X509 -d HKDF_MBEDTLS \
> -e ASN1_DECODER -e ASN1_DECODER_MBEDTLS \
> -d LEGACY_HASHING_AND_CRYPTO &&
> make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu-
>
> No matter which variations of this I try (starting with -e
> HDKF_MBEDTLS), the build would fail with an #error in
> lib/mbedtls/external/mbedtls/include/mbedtls/check_config.h because
> MBEDTLS_ECDSA_C is defined but neither MBEDTLS_ASN1_PARSE_C nor
> MBEDTLS_ASN1_WRITE_C are defined.
>
> By disabling that check I found out that the functions
> ecdsa_signature_to_asn1() and mbedtls_ecdsa_read_signature_restartable()
> really depend on these.
>
> I diagnosed this by executing
> make V=1 CROSS_COMPILE=aarch64-linux-gnu-
>
> Then, I edited the compiler command line by replacing "-o *.o -c" with
> "-E -dD", and redirected the standard output into a file. In that file I
> found that lib/mbedtls/mbedtls_def_config.h is defining MBEDTLS_ECDSA_C
> and would also define the ASN1 symbols if CONFIG_ASN1_DECODER were
> enabled:
>
> #if CONFIG_IS_ENABLED(ASN1_DECODER)
> #define MBEDTLS_OID_C
> #define MBEDTLS_ASN1_PARSE_C
> #define MBEDTLS_ASN1_WRITE_C
> #endif
>
> Something is wiping that out from my .config, also when I execute "make
> syncconfig" after the scripts/config. When I search for ASN1_DECODER in
> "make menuconfig", it mentions a large number of other configuration
> options.
>
> Can someone help me to enable CONFIG_ASN1_DECODER in this configuration?
>

When EFI_SECURE_BOOT is enabled, all these dependent Kconfigs will be
selected automatically.

Raymond

> With best regards,
>
>         Marko


* Re: [RFC PATCH 0/4] add software ecdsa support
  2026-02-04 19:28   ` Raymond Mao
@ 2026-02-05 18:16     ` Marko Mäkelä
  2026-02-05 18:47       ` Raymond Mao
  2026-02-08 18:37     ` Marko Mäkelä
  1 sibling, 1 reply; 16+ messages in thread
From: Marko Mäkelä @ 2026-02-05 18:16 UTC (permalink / raw)
  To: Raymond Mao; +Cc: Philippe Reynes, jonny.green, u-boot

Hi Raymond,

Wed, Feb 04, 2026 at 02:28:53PM -0500, Raymond Mao wrote:
>Hi Marko,
[snip]
>When EFI_SECURE_BOOT is enabled, all these dependent Kconfigs will be
>selected automatically.

Thank you for your help. I can confirm that the following will build the 
ECDSA_SW implementation:

make sandbox_defconfig
scripts/config -e ECDSA_SW
make syncconfig && grep ASN1 .config
make -j$(nproc)

The redundant "grep" step above would output the following:
CONFIG_ASN1_DECODER_MBEDTLS=y
CONFIG_ASN1_COMPILER=y
CONFIG_ASN1_DECODER=y

I still can't enable those in any rpi_4_defconfig based build attempt, 
such as this one:

cat > configs/rpi_4a_defconfig << EOF
#include <configs/rpi_4_defconfig>
CONFIG_EFI_SECURE_BOOT=y
CONFIG_MBEDTLS_LIB=y
CONFIG_ECDSA_SW=y
CONFIG_ECDSA_MBEDTLS=y
CONFIG_ECDSA=y
CONFIG_ECDSA_VERIFY=y
EOF
make rpi_4a_defconfig
make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu-

This build fails in the same way as yesterday because none of the ASN1 
options will be present in the .config file. Neither will 
CONFIG_EFI_SECURE_BOOT. Many EFI options were enabled, but not that one.

On a positive note, CONFIG_LEGACY_HASHING_AND_CRYPTO was disabled 
automatically by the above, and MBEDTLS was enabled, unlike in my 
earlier attempt about a month ago, using a different u-boot revision.

I also tried to enable several options that CONFIG_EFI_SECURE_BOOT would 
select in lib/efi_loader/Kconfig, but with no success.

Is there a way to get some diagnostics that explains why Kconfig refuses 
to enable a particular option?

With best regards,

	Marko


* Re: [RFC PATCH 0/4] add software ecdsa support
  2026-02-05 18:16     ` Marko Mäkelä
@ 2026-02-05 18:47       ` Raymond Mao
  0 siblings, 0 replies; 16+ messages in thread
From: Raymond Mao @ 2026-02-05 18:47 UTC (permalink / raw)
  To: Marko Mäkelä; +Cc: Philippe Reynes, jonny.green, u-boot

Hi Marko,

On Thu, Feb 5, 2026 at 1:16 PM Marko Mäkelä <marko.makela@iki.fi> wrote:
>
> Hi Raymond,
>
> Wed, Feb 04, 2026 at 02:28:53PM -0500, Raymond Mao wrote:
> >Hi Marko,
> [snip]
> >When EFI_SECURE_BOOT is enabled, all these dependent Kconfigs will be
> >selected automatically.
>
> Thank you for your help. I can confirm that the following will build the
> ECDSA_SW implementation:
>
> make sandbox_defconfig
> scripts/config -e ECDSA_SW
> make syncconfig && grep ASN1 .config
> make -j$(nproc)
>
> The redundant "grep" step above would output the following:
> CONFIG_ASN1_DECODER_MBEDTLS=y
> CONFIG_ASN1_COMPILER=y
> CONFIG_ASN1_DECODER=y
>
> I still can't enable those in any rpi_4_defconfig based build attempt,
> such as this one:
>
> cat > configs/rpi_4a_defconfig << EOF
> #include <configs/rpi_4_defconfig>
> CONFIG_EFI_SECURE_BOOT=y
> CONFIG_MBEDTLS_LIB=y
> CONFIG_ECDSA_SW=y
> CONFIG_ECDSA_MBEDTLS=y
> CONFIG_ECDSA=y
> CONFIG_ECDSA_VERIFY=y
> EOF
> make rpi_4a_defconfig
> make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu-
>
> This build fails in the same way as yesterday because none of the ASN1
> options will be present in the .config file. Neither will
> CONFIG_EFI_SECURE_BOOT. Many EFI options were enabled, but not that one.
>
> On a positive note, CONFIG_LEGACY_HASHING_AND_CRYPTO was disabled
> automatically by the above, and MBEDTLS was enabled, unlike in my
> earlier attempt about a month ago, using a different u-boot revision.
>
> I also tried to enable several options that CONFIG_EFI_SECURE_BOOT would
> select in lib/efi_loader/Kconfig, but with no success.
>
> Is there a way to get some diagnostics that explains why Kconfig refuses
> to enable a particular option?
>

Can you take 'sandbox_defconfig' as a reference? It enables:
```
CONFIG_EFI_SECURE_BOOT=y
...
CONFIG_MBEDTLS_LIB=y
```
Then all dependent Kconfigs are selected automatically when you do
`make sandbox_defconfig`.

Regards,
Raymond

> With best regards,
>
>         Marko


* Re: [RFC PATCH 0/4] add software ecdsa support
  2026-02-04 19:28   ` Raymond Mao
  2026-02-05 18:16     ` Marko Mäkelä
@ 2026-02-08 18:37     ` Marko Mäkelä
  1 sibling, 0 replies; 16+ messages in thread
From: Marko Mäkelä @ 2026-02-08 18:37 UTC (permalink / raw)
  To: Raymond Mao; +Cc: Philippe Reynes, jonny.green, u-boot

Wed, Feb 04, 2026 at 02:28:53PM -0500, Raymond Mao wrote:
[snip]
>When EFI_SECURE_BOOT is enabled, all these dependent Kconfigs will be 
>selected automatically.

I finally solved my problem by using "make menuconfig".

It turns out that CONFIG_FIT is not defined in rpi_4_defconfig. That is 
why some requested configuration was being disregarded. The build 
succeeds with the following:

cat > boot/rpi_4_ecdsa_defconfig << "EOF"
#include <configs/rpi_4_defconfig>
CONFIG_FIT=y
CONFIG_FIT_SIGNATURE=y
CONFIG_MBEDTLS_LIB=y
CONFIG_ECDSA=y
CONFIG_ECDSA_SW=y
CONFIG_ECDSA_VERIFY=y
CONFIG_EFI_SECURE_BOOT=y
CONFIG_EFI_LOADER=y
EOF
make rpi_4_ecdsa_defconfig
make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu-

I am yet to build an ECDSA signed fitImage of Linux and the device tree, 
so I did not actually test this implementation yet.

With best regards,

	Marko


* Re: [RFC PATCH 0/4] add software ecdsa support
  2026-02-02 17:03 [RFC PATCH 0/4] add software ecdsa support Philippe Reynes
                   ` (6 preceding siblings ...)
  2026-02-04 19:02 ` Marko Mäkelä
@ 2026-02-09 16:04 ` Marko Mäkelä
  2026-02-14 19:38   ` Marko Mäkelä
  7 siblings, 1 reply; 16+ messages in thread
From: Marko Mäkelä @ 2026-02-09 16:04 UTC (permalink / raw)
  To: Philippe Reynes; +Cc: jonny.green, raymondmaoca, u-boot

Mon, Feb 02, 2026 at 06:03:03PM +0100, Philippe Reynes wrote:
>I have tested this code with sandbox, and I have
>followed those steps:
>
>0) build u-boot using sandbox_defconfig and adding those options:
>CONFIG_ECDSA_SW=y
>CONFIG_ECDSA_MBEDTLS=y
>CONFIG_ECDSA=y
>CONFIG_ECDSA_VERIFY=y

I believe that I was able to build an ECDSA signed fitImage of a Linux 
kernel. At least "dtc" shows that a signature is present, just like with 
my earlier attempt with RSA.

>1) add a signature node to an its file
>	signature-256 {
>		algo = "sha256,ecdsa256";
>		key-name-hint = "private-key-256";
>	};
>
>2) generate an ecdsa key
>openssl ecparam -name prime256v1 -genkey -noout -out private-key-256.pem
>
>3) create the itb file
>./tools/mkimage -f <file.its> -k . -K arch/sandbox/dts/test.dtb <file.itb>

Step 1) is part of <file.its>, which specifies how a signed payload, 
such as a Linux kernel, is built in <file.itb>, right?

I assume that arch/sandbox/dts/test.dts is the source code for 
arch/sandbox/dts/test.dtb. Would this file correspond to the file 
u-boot.dtb in a non-sandbox environment (in my case, based on 
rpi_4_defconfig)?

For me, mkimage version 2025.01 (as shipped in Debian Sid) would crash 
if I ask it to write the public key to u-boot.dtb using the parameter 
"-K u-boot.dtb". The following statement in do_add() would hit SIGSEGV:

         ret = fdt_setprop_string(fdt, key_node, FIT_KEY_REQUIRED,
                                  info->require_keys);

The function do_add() is invoked by ecdsa_add_verify_data(). For my 
kernel build, I did not yet try a mkimage that is built from the latest 
u-boot. Should that make a difference?

For an earlier experiment with an RSA signed fitImage, I was able to do 
the following:

make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu- all u-boot.dtb

cp u-boot.dtb u-boot-pubkey.dtb
ALGO=$(scripts/dtc/dtc -I dtb /target/fitImage |grep -A10 signature|
sed -ne "s/\s*algo = \"\(.*\)\";/\1/p")
tools/fdt_add_pubkey -a "$ALGO" -n dev -k . -r conf u-boot-pubkey.dtb
tools/fit_check_sign -f /target/fitImage -k u-boot-pubkey.dtb

make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu- \
EXT_DTB=u-boot-pubkey.dtb

cp -L u-boot.img /target/

With CONFIG_ECDSA, fdt_add_pubkey would SIGSEGV (unrelated to these 
changes) and fit_check_sign does not appear to be built.

I would appreciate some help in embedding the ECDSA public key to the 
u-boot image, so that I can test this.

Best regards,

	Marko


* Re: [RFC PATCH 0/4] add software ecdsa support
  2026-02-09 16:04 ` Marko Mäkelä
@ 2026-02-14 19:38   ` Marko Mäkelä
  2026-02-15 18:31     ` Marko Mäkelä
  0 siblings, 1 reply; 16+ messages in thread
From: Marko Mäkelä @ 2026-02-14 19:38 UTC (permalink / raw)
  To: Philippe Reynes; +Cc: jonny.green, raymondmaoca, u-boot

Mon, Feb 09, 2026 at 06:04:57PM +0200, Marko Mäkelä wrote:
>For me, mkimage version 2025.01 (as shipped in Debian Sid) would crash 
>if I ask it to write the public key to u-boot.dtb using the parameter 
>"-K u-boot.dtb". The following statement in do_add() would hit SIGSEGV:
>
>        ret = fdt_setprop_string(fdt, key_node, FIT_KEY_REQUIRED,
>                                 info->require_keys);
>
>The function do_add() is invoked by ecdsa_add_verify_data(). For my 
>kernel build, I did not yet try a mkimage that is built from the 
>latest u-boot. Should that make a difference?

Apparently, something has been fixed since the 2025.01 release. The 
following would work for me with a current u-boot build:

echo "/dts-v1/; / { description = \"\"; images {}; };" > public-key.its
mkimage -f public-key.its public-key.dtb
mkimage -f fitImage.its -k . -K public-key.dtb fitImage

With the mkimage 2025.01 that is included in the Debian Sid 
u-boot-tools, I am able to build an unsigned Linux fitImage:
mkimage -f fitImage.its fitImage

Then I can invoke a freshly compiled mkimage to sign it and include the 
corresponding public ECDSA key in a u-boot image:
mkimage -r -k . -K u-boot.dtb -F fitImage
cat u-boot-nodtb.bin u-boot.dtb > u-boot.bin

However, this will not work on the Raspberry Pi 4, which defines 
CONFIG_OF_BOARD. I came up with an idea of creating a device tree 
overlay file instead:

tools/mkimage -r -k . -K pubkey.dtb -F fitImage
cat > signature.dtso << EOF
/dts-v1/;
/plugin/;

/ {
         fragment@0 {
                 target = "/";

                 __overlay__ {
EOF
dtc pubkey.dtb|grep -A12 signature >> signature.dtso
cat >> signature.dtso << EOF
		};
	};
};
EOF
dtc -o signature.dtbo signature.dtso
cat u-boot-nodtb.bin signature.dtbo > kernel8.img

Initially, I tested this with CONFIG_RSA, which I expect to work. The 
bootm command would start up my fitImage, but unfortunately it would do 
so even if I corrupt a bit of the public key. This would lead me to 
believe that the overlay was not loaded and the signature was not 
validated. I only saw messages about hash validation. I'm afraid I need 
a target environment where u-boot is the primary bootloader, or I must 
override the CONFIG_OF_BOARD and see if the u-boot.dtb approach would 
work.

Another point is that my initial CONFIG_ECDSA_SW build was over 4 MiB in 
size, while the sha256,rsa4096 experiment was only half a megabyte. I 
did trim the build options for the CONFIG_ECDSA_SW experiment yet.

	Marko
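
A check for the failure mode suspected in the message above, where bootm starts an image although the public key was corrupted: the script below is an added example, not part of the thread or of U-Boot, and it parses a device tree blob and lists the keys under /signature that carry a `required` property. Both blobs are constructed inline; the property names follow U-Boot's FIT signature format, and the node name key-dev and the zeroed y-point value are placeholders.

```python
import struct

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9


def _pad4(data):
    return data + b"\0" * (-len(data) % 4)


def _cstr(raw):
    return raw.rstrip(b"\0").decode()


def build_dtb(tree):
    """Serialise {"props": {...}, "nodes": {...}} into a version-17 DTB.

    Only used to construct the sample inputs below."""
    strings, offsets = bytearray(), {}

    def emit(name, node):
        out = struct.pack(">I", FDT_BEGIN_NODE) + _pad4(name.encode() + b"\0")
        for key, value in node.get("props", {}).items():
            if key not in offsets:
                offsets[key] = len(strings)
                strings.extend(key.encode() + b"\0")
            out += struct.pack(">III", FDT_PROP, len(value), offsets[key])
            out += _pad4(value)
        for child, sub in node.get("nodes", {}).items():
            out += emit(child, sub)
        return out + struct.pack(">I", FDT_END_NODE)

    struct_blk = emit("", tree) + struct.pack(">I", FDT_END)
    rsvmap = b"\0" * 16                      # empty memory reservation map
    off_struct = 40 + len(rsvmap)
    off_strings = off_struct + len(struct_blk)
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings),
                         off_struct, off_strings, 40, 17, 16, 0,
                         len(strings), len(struct_blk))
    return header + rsvmap + struct_blk + bytes(strings)


def parse_dtb(blob):
    """Return {node_path: {property_name: raw_bytes}} for every node."""
    magic, total, off_struct, off_strings = struct.unpack_from(">4I", blob, 0)
    if magic != FDT_MAGIC or total > len(blob):
        raise ValueError("not a complete flattened device tree")
    nodes, stack, pos = {}, [], off_struct
    while True:
        (token,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if token == FDT_BEGIN_NODE:
            end = blob.index(b"\0", pos)
            stack.append(blob[pos:end].decode())
            nodes["/" + "/".join(stack[1:])] = {}
            pos = (end + 4) & ~3             # skip name, NUL and padding
        elif token == FDT_PROP:
            length, nameoff = struct.unpack_from(">II", blob, pos)
            start = off_strings + nameoff
            name = blob[start:blob.index(b"\0", start)].decode()
            nodes["/" + "/".join(stack[1:])][name] = blob[pos + 8:pos + 8 + length]
            pos += 8 + ((length + 3) & ~3)
        elif token == FDT_END_NODE:
            stack.pop()
        elif token == FDT_END:
            return nodes
        elif token != FDT_NOP:
            raise ValueError(f"bad FDT token {token:#x} at offset {pos - 4}")


def required_keys(blob):
    """List (key node, algo, required) for every child of /signature that has
    a 'required' property ("conf" or "image" in U-Boot's FIT signature format).
    An empty list means this blob does not mark any key as required."""
    found = []
    for path, props in parse_dtb(blob).items():
        parent, _, name = path.rpartition("/")
        if parent == "/signature" and "required" in props:
            found.append((name, _cstr(props.get("algo", b"")),
                          _cstr(props["required"])))
    return found


# Constructed samples: one control tree with a required ECDSA key, one without
# any /signature node (the situation of a stock board device tree).
KEY_NODE = {"props": {"required": b"conf\0", "algo": b"sha256,ecdsa256\0",
                      "key-name-hint": b"dev\0",
                      "ecdsa,y-point": bytes(32)}}   # placeholder value
WITH_KEY = build_dtb({"props": {"model": b"constructed board\0"},
                      "nodes": {"signature": {"nodes": {"key-dev": KEY_NODE}}}})
WITHOUT_KEY = build_dtb({"props": {"model": b"constructed board\0"}})

if __name__ == "__main__":
    for label, blob in (("with key", WITH_KEY), ("without key", WITHOUT_KEY)):
        print(label, "->", required_keys(blob) or "no required key found")
```

On a real target, pass the bytes of the device tree that U-Boot actually starts with; an empty result means that blob marks no key as required.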


* Re: [RFC PATCH 0/4] add software ecdsa support
  2026-02-14 19:38   ` Marko Mäkelä
@ 2026-02-15 18:31     ` Marko Mäkelä
  0 siblings, 0 replies; 16+ messages in thread
From: Marko Mäkelä @ 2026-02-15 18:31 UTC (permalink / raw)
  To: Philippe Reynes; +Cc: jonny.green, raymondmaoca, u-boot

Hi Philippe, hi all,

Tested-by: Marko Mäkelä <marko.makela@iki.fi> # Raspberry Pi 4

I finally got this to work, with one small patch (see below) which I 
hope you will include in some form. First, here is the relevant part of 
the output of a successful run:

U-Boot> load mmc 0:1 $loadaddr fitImage.signed
9748489 bytes read in 437 ms (21.3 MiB/s)
U-Boot> bootm
## Loading kernel (any) from FIT Image at 01000000 ...
    Using 'conf-1' configuration
    Verifying Hash Integrity ... sha256,ecdsa256:dev+ OK
    Trying 'kernel' kernel subimage
    Verifying Hash Integrity ... sha256+ OK
## Loading fdt (any) from FIT Image at 01000000 ...
    Using 'conf-1' configuration
    Verifying Hash Integrity ... sha256,ecdsa256:dev+ OK
    Trying 'fdt' fdt subimage
    Verifying Hash Integrity ... sha256+ OK
    Loading fdt from 0x0193dba0 to 0x05600000
    Booting using the fdt blob at 0x5600000
Working FDT set to 5600000
    Uncompressing Kernel Image to 2000000
    Loading Device Tree to 000000001ffef000, end 000000001ffffbb8 ... OK
Working FDT set to 1ffef000

Starting kernel ...

[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd083]
[    0.000000] Linux version 6.12.68-v8 (root@bob-the-builder.example.org) (aarch64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44) #1 SMP PREEMPT @1770573000

After I flipped 1 bit of "ecdsa,y-point", the boot failed:

U-Boot> bootm
## Loading kernel (any) from FIT Image at 01000000 ...
    Using 'conf-1' configuration
    Verifying Hash Integrity ... sha256,ecdsa256:devsw_ecdsa_verify: public key is invalid (err = -19584)
-  error!
Verification failed for '<NULL>' hash node in 'conf-1' config node
Failed to verify required signature 'dev'
Bad Data Hash
ERROR -2: can't get kernel image!

Sat, Feb 14, 2026 at 09:38:30PM +0200, Marko Mäkelä wrote:
>However, this will not work on the Raspberry Pi 4, which defines 
>CONFIG_OF_BOARD. I came up with an idea of creating a device tree 
>overlay file instead:

I found a promising setting CONFIG_OF_OVERLAY_LIST, but apparently it 
has no effect on the u-boot.bin when CONFIG_OF_BOARD is enabled.

>Initially, I tested this with CONFIG_RSA, which I expect to work. The 
>bootm command would start up my fitImage, but unfortunately it would do 
>so even if I corrupt a bit of the public key.

After I added #define DEBUG to boot/image-fit-sig.c and 
lib/rsa/rsa-verify.c it became clear that the CONFIG_FIT_SIGNATURE 
becomes a no-op if no "signature" node can be found by u-boot.

The trick was to add the public key to the device tree that U-Boot will 
be starting with, that is, the file bcm2711-rpi-4-b.dtb that will be 
preloaded by the VideoCore GPU.

Sure, this is obviously insecure (trivial to circumvent by reverting 
to the stock *.dtb files), but I think it is good enough for using this 
piece of existing commodity hardware for development and test purposes.

>Another point is that my initial CONFIG_ECDSA_SW build was over 4 MiB 
>in size, while the sha256,rsa4096 experiment was only half a megabyte.  
>I did trim the build options for the CONFIG_ECDSA_SW experiment yet.

I managed to shrink the u-boot.bin to 645296 bytes, or 56320 bytes more 
than the CONFIG_RSA variant. However, I had to adjust some dependencies:

diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index a5331313a60..14f4d295d2a 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -57,6 +57,8 @@ mbedtls_lib_x509-$(CONFIG_$(PHASE_)RSA_PUBLIC_KEY_PARSER_MBEDTLS) += \
  	$(MBEDTLS_LIB_DIR)/rsa.o \
  	$(MBEDTLS_LIB_DIR)/rsa_alt_helpers.o
  mbedtls_lib_x509-$(CONFIG_$(PHASE_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
+	$(MBEDTLS_LIB_DIR)/bignum.o \
+	$(MBEDTLS_LIB_DIR)/bignum_core.o \
  	$(MBEDTLS_LIB_DIR)/pk.o \
  	$(MBEDTLS_LIB_DIR)/pk_wrap.o \
  	$(MBEDTLS_LIB_DIR)/pkparse.o
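
Review bot: the two added objects, bignum.o and bignum_core.o, are appended to the same mbedtls_lib_x509-y list that the CONFIG_$(PHASE_)RSA_PUBLIC_KEY_PARSER_MBEDTLS block directly above also feeds, so if that block already contributes them they end up listed twice whenever both options are enabled. Consider moving the two bignum objects to a single line keyed on a symbol that both the RSA parser and the asymmetric public key options select, or wrapping the final list in $(sort ...) so duplicates collapse. The context lines in this hunk also carry an extra leading space before the tab, which suggests the mail client reflowed the patch; resending it with git send-email or as an attachment would let it apply cleanly.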

This may need some fixup, so that the bignum*.o will not be added twice 
if also CONFIG_RSA_PUBLIC_KEY_PARSER_MBEDTLS is enabled.

Below is my build script, with 4 lines of FIT-related overrides because it 
is normally disabled on this target:

make rpi_4_defconfig
scripts/config -d BOOTSTD \
-e FIT -e FIT_SIGNATURE -d FIT_CIPHER -d FIT_VERBOSE -d FIT_BEST_MATCH \
-d FIT_PRINT -d UPDATE_TFTP -d UPDATE_FIT -d EFI_LOADER \
--set-val FIT_EXTERNAL_OFFSET 0x0 \
--set-val FIT_SIGNATURE_MAX_SIZE 0x10000000 \
-e ASYMMETRIC_KEY_TYPE -e ASYMMETRIC_PUBLIC_KEY_SUBTYPE \
-d LEGACY_HASHING_AND_CRYPTO -e MBEDTLS_LIB -e MBEDTLS_LIB_CRYPTO \
-d X509_CERTIFICATE_PARSER -d X509_CERTIFICATE_PARSER_LEGACY \
-e ECDSA -e ECDSA_SW -e ECDSA_VERIFY \
-d MD5_MBEDTLS -d HKDF_MBEDTLS -e SHA256_SMALLER \
-d RSA_PUBLIC_KEY_PARSER -d RSA_PUBLIC_KEY_PARSER_MBEDTLS \
-d X509_CERTIFICATE_PARSER_MBEDTLS -e MSCODE_PARSER
make -j$(nproc) CROSS_COMPILE=aarch64-linux-gnu-

In my CONFIG_RSA test build, the 4 lines starting with -e ECDSA were 
replaced by the following:

-e RSA -e RSA_VERIFY_WITH_PKEY -d RSASSA_PSS -d MSCODE_PARSER

With best regards,

	Marko
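
The message above reports that CONFIG_FIT_SIGNATURE does nothing when U-Boot's starting device tree has no "signature" node. As an added example (not code from this thread or from U-Boot), the Python below parses a DTB and lists the key nodes under /signature that carry a "required" property; that property name is taken from U-Boot's FIT signature documentation rather than from this thread, and build_fdt exists only to construct sample input.

```python
import struct

FDT_MAGIC, BEGIN_NODE, END_NODE, PROP, NOP, END = 0xD00DFEED, 1, 2, 3, 4, 9

def parse_fdt(blob):
    """Return {node_path: {prop_name: value_bytes}} for a flattened device tree."""
    magic, _size, off_struct, off_strings = struct.unpack_from(">4I", blob, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened device tree")
    nodes, path, pos = {}, [], off_struct
    while True:
        token, pos = struct.unpack_from(">I", blob, pos)[0], pos + 4
        if token == BEGIN_NODE:
            end = blob.index(b"\0", pos)
            path.append(blob[pos:end].decode())
            nodes["/".join(path) or "/"] = {}
            pos = (end + 4) & ~3  # skip the NUL, then align to 4 bytes
        elif token == END_NODE:
            path.pop()
        elif token == PROP:
            length, nameoff = struct.unpack_from(">2I", blob, pos)
            name = blob[off_strings + nameoff:].split(b"\0", 1)[0].decode()
            nodes["/".join(path) or "/"][name] = blob[pos + 8:pos + 8 + length]
            pos = (pos + 8 + length + 3) & ~3
        elif token == END:
            return nodes
        elif token != NOP:
            raise ValueError(f"unexpected FDT token {token}")

def required_keys(blob):  # key nodes directly under /signature marked "required"
    return sorted(p.rsplit("/", 1)[1] for p, props in parse_fdt(blob).items()
                  if p.rsplit("/", 1)[0] == "/signature" and "required" in props)

def build_fdt(root):
    """Constructed sample input: serialise a nested dict as a version-17 DTB."""
    strings = bytearray()
    pad = lambda b: b + b"\0" * (-len(b) % 4)
    def node(name, tree):
        out = struct.pack(">I", BEGIN_NODE) + pad(name.encode() + b"\0")
        for key, val in tree.items():
            if isinstance(val, dict):
                out += node(key, val)
            else:
                out += struct.pack(">3I", PROP, len(val), len(strings)) + pad(val)
                strings.extend(key.encode() + b"\0")
        return out + struct.pack(">I", END_NODE)
    body = node("", root) + struct.pack(">I", END)
    hdr = struct.pack(">10I", FDT_MAGIC, 56 + len(body) + len(strings), 56,
                      56 + len(body), 40, 17, 16, 0, len(strings), len(body))
    return hdr + bytes(16) + body + bytes(strings)
```

Run required_keys() on the bytes of the device tree that U-Boot actually starts with; an empty list corresponds to the situation described above, where a corrupted key still boots.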
