Re: [RFC PATCH 0/4] add software ecdsa support

Sat, 14 Feb 2026 11:38:49 -0800 

Mon, Feb 09, 2026 at 06:04:57PM +0200, Marko Mäkelä wrote:
For me, mkimage version 2025.01 (as shipped in Debian Sid) would crash if I ask it to write the public key to u-boot.dtb using the parameter "-K u-boot.dtb". The following statement in do_add() would hit SIGSEGV: 

       ret = fdt_setprop_string(fdt, key_node, FIT_KEY_REQUIRED,
                                info->require_keys);


The function do_add() is invoked by ecdsa_add_verify_data(). For my 
kernel build, I did not yet try a mkimage that is built from the 
latest u-boot. Should that make a difference?



Apparently, something has been fixed since the 2025.01 release. The 
following would work for me with a current u-boot build:


echo "/dts-v1/; / { description = \"\"; images {}; };" > public-key.its
mkimage -f public-key.its public-key.dtb
mkimage -f fitImage.its -k . -K public-key.dtb fitImage


With the mkimage 2025.01 that is included in the Debian Sid 
u-boot-tools, I am able to build an unsigned Linux fitImage:

mkimage -f fitImage.its fitImage


Then I can invoke a freshly compiled mkimage to sign it and include the 
corresponding public ECDSA key in an u-boot image:

mkimage -r -k . -K u-boot.dtb -F fitImage
cat u-boot-nodtb.bin u-boot.dtb > u-boot.bin


However, this will not work on the Raspberry Pi 4, which defines 
CONFIG_OF_BOARD. I came up with an idea of creating a device tree 
overlay file instead:


tools/mkimage -r -k . -K pubkey.dtb -F fitImage
cat > signature.dtso << EOF
/dts-v1/;
/plugin/;

/ {
        fragment@0 {
                target = "/";

                __overlay__ {
EOF
dtc pubkey.dtb|grep -A12 signature >> signature.dtso
cat >> signature.dtso << EOF
                };
        };
};
EOF
dtc -o signature.dtbo signature.dtso
cat u-boot-nodtb.bin signature.dtbo > kernel8.img


Initially, I tested this with CONFIG_RSA, which I expect to work. The 
bootm command would start up my fitImage, but unfortunately it would do 
so even if I corrupt a bit of the public key. This would lead me to 
believe that the overlay was not loaded and the signature was not 
validated. I only saw messages about hash validation. I'm afraid I need 
a target environment where u-boot is the primary bootloader, or I must 
override the CONFIG_OF_BOARD and see if the u-boot.dtb approach would 
work.



Another point is that my initial CONFIG_ECDSA_SW build was over 4 MiB in 
size, while the sha256,rsa4096 experiment was only half a megabyte. I 
did trim the build options for the CONFIG_ECDSA_SW experiment yet.


        Marko























					Reply via email to