Skip to content

boot: zephyr: Add ECDSA support using mbedTLS #2537

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
prene-se wants to merge 1 commit into
base: main
Choose a base branch
from
Open

boot: zephyr: Add ECDSA support using mbedTLS #2537

prene-se wants to merge 1 commit into from
+30 −12

Conversation

@prene-se
Copy link

@prene-se prene-se commented Nov 10, 2025

This adds a new Kconfig option BOOT_ECDSA_MBEDTLS to enable ECDSA signature verification using mbedTLS as an alternative to TINYCRYPT, PSA, or CC310 backends.

@prene-se prene-se marked this pull request as draft November 10, 2025 17:27
@prene-se prene-se marked this pull request as ready for review November 10, 2025 18:12
nordicjm
nordicjm requested changes Nov 21, 2025
View reviewed changes
boot/zephyr/Kconfig
config BOOT_ECDSA_MBEDTLS
bool "Use mbedTLS"
select BOOT_USE_MBEDTLS
select MBEDTLS
Copy link
Collaborator

@nordicjm nordicjm Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not really sure how you expect this to work? Given that it doesn't:

/opt/zephyr-sdk-0.17.0/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: app/libapp.a(image_ecdsa.c.obj): in function `bootutil_ecdsa_init':
/tmp/aa/bootloader/mcuboot/boot/bootutil/include/bootutil/crypto/ecdsa.h:490: undefined reference to `mbedtls_ecdsa_init'
/opt/zephyr-sdk-0.17.0/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: app/libapp.a(image_ecdsa.c.obj): in function `bootutil_ecdsa_verify':
/tmp/aa/bootloader/mcuboot/boot/bootutil/include/bootutil/crypto/ecdsa.h:577: undefined reference to `mbedtls_ecp_group_load'
/opt/zephyr-sdk-0.17.0/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: /tmp/aa/bootloader/mcuboot/boot/bootutil/include/bootutil/crypto/ecdsa.h:582: undefined reference to `mbedtls_ecp_point_read_binary'
/opt/zephyr-sdk-0.17.0/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: /tmp/aa/bootloader/mcuboot/boot/bootutil/include/bootutil/crypto/ecdsa.h:587: undefined reference to `mbedtls_ecp_check_pubkey'
/opt/zephyr-sdk-0.17.0/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: /tmp/aa/bootloader/mcuboot/boot/bootutil/include/bootutil/crypto/ecdsa.h:592: undefined reference to `mbedtls_ecdsa_read_signature'
/opt/zephyr-sdk-0.17.0/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: app/libapp.a(image_ecdsa.c.obj): in function `bootutil_ecdsa_drop':
/tmp/aa/bootloader/mcuboot/boot/bootutil/include/bootutil/crypto/ecdsa.h:495: undefined reference to `mbedtls_ecdsa_free'
/opt/zephyr-sdk-0.17.0/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: app/libapp.a(keys.c.obj):/tmp/aa/bootloader/mcuboot/boot/zephyr/keys.c:52: undefined reference to `ecdsa_pub_key'
/opt/zephyr-sdk-0.17.0/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: app/libapp.a(keys.c.obj):(.rodata.bootutil_keys+0x4): undefined reference to `ecdsa_pub_key_len'

Copy link
Author

@prene-se prene-se Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Previously, I used sysbuild with:

CONFIG_CUSTOM_MBEDTLS_CFG_FILE=y CONFIG_MBEDTLS_CFG_FILE="config-ec.h"

to provide the missing mbedTLS functions.

I have now updated the Kconfig to select all required mbedTLS options directly, without relying on a custom mbedTLS config file. All dependencies are handled via Kconfig, including when BOOT_ENCRYPT_IMAGE is enabled. I am not entirely sure if all requirements are covered, so feedback is welcome.

@prene-se prene-se requested a review from nordicjm November 25, 2025 15:37
nordicjm
nordicjm reviewed Dec 1, 2025
View reviewed changes
boot/zephyr/Kconfig
select MBEDTLS_ECDSA_C if MBEDTLS_BUILTIN
select MBEDTLS_ECP_DP_SECP256R1_ENABLED if MBEDTLS_BUILTIN
select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN
select MBEDTLS_ECP_NIST_OPTIM if MBEDTLS_BUILTIN
Copy link
Collaborator

@nordicjm nordicjm Dec 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

changes look OK but commits need squashing

Copy link
Author

@prene-se prene-se Dec 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@prene-se prene-se force-pushed the feature/ecdsambedtls-zephyr branch from 67140a4 to 9b43df5 Compare December 1, 2025 12:28
@prene-se prene-se requested a review from nordicjm December 1, 2025 12:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@de-nordic de-nordic Awaiting requested review from de-nordic de-nordic is a code owner

@nordicjm nordicjm Awaiting requested review from nordicjm nordicjm is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@prene-se @nordicjm