Re: [PATCH v5 00/15] add software ecdsa support

["Marko Mäkelä" <marko.makela@iki.fi>]

Hi Philippe, all,

Tue, Apr 21, 2026 at 11:09:39PM +0200, Philippe Reynes wrote:
>This series adds the support of ecdsa with software
>using mbedtls. So boards without ecdsa hardware may
>also use signature with ecdsa.

Today, I finally tested this patch series on top of Robert Nelson's 
u-boot v2026.01 based fork for BeagleBoard PocketBeagle 2:
https://github.com/beagleboard/u-boot/commit/ef03e35488377a32cdd4f76d1a03ef7f60c798ef

The only conflicts were for copyright comments in some files.

I used the following configuration; this platform enables CONFIG_FIT and 
CONFIG_FIT_VERIFY by default:

make am62_pocketbeagle2_a53_defconfig
scripts/config -e ASYMMETRIC_KEY_TYPE -e ASYMMETRIC_PUBLIC_KEY_SUBTYPE \
-d LEGACY_HASHING_AND_CRYPTO -e MBEDTLS_LIB -e MBEDTLS_LIB_CRYPTO \
-e ECDSA -e ECDSA_MBEDTLS -e ECDSA_VERIFY \
-d MD5_MBEDTLS -d HKDF_MBEDTLS -e SHA256_SMALLER -e SHA512_SMALLER \
-d RSA_PUBLIC_KEY_PARSER -d RSA_PUBLIC_KEY_PARSER_MBEDTLS \
-d SPL_ECDSA_VERIFY \
-d SPL_ASYMMETRIC_KEY_TYPE -d SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE \
-d SPL_RSA_PUBLIC_KEY_PARSER \
-d PKCS7_MESSAGE_PARSER -d PKCS7_MESSAGE_PARSER_MBEDTLS \
-e X509_CERTIFICATE_PARSER -d MSCODE_PARSER

I used these settings also for the 32-bit 
am62_pocketbeagle2_r5_defconfig which loads the 64-bit u-boot.img.

I tested this build with an ARMv8 "defconfig" of 
https://github.com/torvalds/linux tag v7.0. An image that was signed 
with a different private key was rejected:

=> load mmc 1 $loadaddr fitImage
15013689 bytes read in 180 ms (79.5 MiB/s)
=> source
## Executing script at 82000000
sha256,ecdsa256:dev-  error!
Verification failed for '<NULL>' hash node in 'conf-1' config node
Failed to verify required signature 'dev'
=> bootm
## Loading kernel (any) from FIT Image at 82000000 ...
    Using 'conf-1' configuration
    Verifying Hash Integrity ... sha256,ecdsa256:dev-  error!
Verification failed for '<NULL>' hash node in 'conf-1' config node
Failed to verify required signature 'dev'
Bad Data Hash
ERROR -2: can't get kernel image!

A correctly signed image passed the verification:

=> load mmc 1 $loadaddr fitImage
15013689 bytes read in 179 ms (80 MiB/s)
=> bootm
## Loading kernel (any) from FIT Image at 82000000 ...
[snip]
    Loading fdt from 0x82e430d4 to 0x88000000
    Booting using the fdt blob at 0x88000000
Working FDT set to 88000000
    Uncompressing Kernel Image to 82000000
Error: inflate() returned -3
gzip compressed: uncompress error -3
Must RESET board to recover
Resetting the board...
U-Boot SPL 2026.01 (May 16 2026 - 16:42:03 +0000)

I think that this can be declared as a success for this patch series, 
even though my kernel load address is causing trouble.

With best regards,

	Marko