Hello,
I am implementing FIT booting with an ECDSA signature. I am building from a TI
fork of U-Boot that is based off of v2025.01 from the mainline repo.
I am currently able to generate the signed fit image, and run
tools/fit_check_sign and confirm the "sha256,ecdsa256:<key name>+" output
indicates successful verification of the signature on the build machine (note:
I had to cherry-pick commit 8d3a9ab3 in order to get fit_check_sign to work
properly for verifying ECDSA, since this fix is not present on my current
branch).
However, attempts to boot on the target with the signed u-boot.img and
generated .itb are failing. Debug printouts show that the call to ecdsa_verify
in ecdsa-verify.c is failing after calling uclass_first_device_err: "ECDSA:
Could not find ECDSA implementation: -19".
The uclass driver declaration at the bottom of ecdsa-verify notes "We don't
implement any wrappers around ecdsa_ops->verify() because it's trivial to call
ops->verify()." - not sure if that is applicable here.
Other debugging steps I've taken:
* Ensured public key is present in the booted image via inspection with fdt
* Ensured relevant config values are set: ECDSA, ECDSA_VERIFY, FIT_SIGNATURE
* Attempted to get trace information from the boot attempt, but it appears my
board does not support the required clock
I'm not sure where to check next in debugging the implementation. From the
commit details in ecdsa-verify.c ("lib: ecdsa: Implement UCLASS_ECDSA
verification on target"), it seems that it is intended to be able to perform
verification during booting on the target. Is there anyone who is familiar with
this functionality that can help out?
Apologies if I've made any formatting mistakes, this is my first time using the
mailing list.
Thanks,
Jonny Green
