[{"id":3679179,"web_url":"http://patchwork.ozlabs.org/comment/3679179/","msgid":"","list_archive_url":null,"date":"2026-04-20T02:12:28","subject":"Re: [PATCH v4 10/14] tools: binman: pre-load: add support of ecdsa","submitter":{"id":6170,"url":"http://patchwork.ozlabs.org/api/people/6170/","name":"Simon Glass","email":"sjg@chromium.org"},"content":"Hi Philippe,\n\nOn 2026-04-17T13:02:04, Philippe Reynes wrote:\n> tools: binman: pre-load: add support of ecdsa\n>\n> Right now, binman can only create pre-load header\n> using rsa. We add the support of ecdsa.\n>\n> Signed-off-by: Philippe Reynes \n>\n> tools/binman/etype/pre_load.py | 76 +++++++++++++++++++---\n> tools/binman/ftest.py | 50 ++++++++++++++\n> tools/binman/test/ecdsa521.pem | 7 ++\n> tools/binman/test/security/pre_load_ecdsa.dts | 22 +++++++\n> .../test/security/pre_load_ecdsa_invalid_algo.dts | 22 +++++++\n> .../test/security/pre_load_ecdsa_invalid_key.dts | 22 +++++++\n> .../test/security/pre_load_ecdsa_invalid_sha.dts | 22 +++++++\n> 7 files changed, 213 insertions(+), 8 deletions(-)\n\n> diff --git a/tools/binman/etype/pre_load.py b/tools/binman/etype/pre_load.py\n> @@ -27,6 +29,12 @@ RSAS = {\n> +ECDSAS = {\n> + 'ecdsa256': 256 / 8 * 2,\n> + 'ecdsa384': 384 / 8 * 2,\n> + 'ecdsa521': 132\n> +}\n\nFor consistency, please can you use the same formula for ecdsa521?\nSomething like (521 + 7) // 8 * 2 would make it clearer that 132 =\nceil(521/8) * 2.\n\n> diff --git a/tools/binman/etype/pre_load.py b/tools/binman/etype/pre_load.py\n> @@ -151,6 +152,65 @@ class Entry_pre_load(Entry_collection):\n> + def _CreateHeaderEcdsa(self, hash_name, sign_name, key_name):\n> + # Check hash and signature name/type\n> + if hash_name not in SHAS:\n> + self.Raise(hash_name + \" is not supported\")\n> +\n> + # Read the key\n> + key = ECC.import_key(tools.read_file(key_name))\n> +\n> + # Check if the key has the expected size\n> + if key.pointQ.size_in_bytes() * 2 != ECDSAS[sign_name]:\n> + self.Raise(\"The key \" + self.key_name + \" don't have the expected size\")\n\ndoesn't have\n\nAlso _CreateHeaderRsa() has the same issue.\n\n> diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py\n> @@ -5895,6 +5895,56 @@ fdt fdtmap Extract the devicetree blob from the fdtmap\n> + def testPreLoadEcdsa(self):\n> + \"\"\"Test an image with a pre-load header using ecdsa key\"\"\"\n> + entry_args = {\n> + 'pre-load-key-path': os.path.join(self._binman_dir, 'test'),\n> + }\n> + data = self._DoReadFileDtb(\n> + 'security/pre_load_ecdsa.dts', entry_args=entry_args,\n> + extra_indirs=[os.path.join(self._binman_dir, 'test')])[0]\n> +\n> + image_fname = tools.get_output_filename('image.bin')\n> + is_signed = self._CheckPreload(image_fname, self.TestFile(\"ecdsa521.pem\"), \"sha256,ecdsa521\")\n\nThis line is quite long. Please can you break it across lines?\n\nAlso we should use single quotes for strings.\n\nReviewed-by: Simon Glass \n\nRegards,\nSimon","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=chromium.org header.i=@chromium.org header.a=rsa-sha256\n header.s=google header.b=cZ5QyTU2;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=85.214.62.61; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=chromium.org","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=chromium.org header.i=@chromium.org\n header.b=\"cZ5QyTU2\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=chromium.org","phobos.denx.de;\n spf=pass smtp.mailfrom=sjg@chromium.org"],"Received":["from phobos.denx.de (phobos.denx.de [85.214.62.61])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzTXm6tvJz1yGt\n\tfor ; Mon, 20 Apr 2026 12:12:56 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 57D678419E;\n\tMon, 20 Apr 2026 04:12:51 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 3EB438419E; Mon, 20 Apr 2026 04:12:50 +0200 (CEST)","from mail-ej1-x636.google.com (mail-ej1-x636.google.com\n [IPv6:2a00:1450:4864:20::636])\n (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 4040683693\n for ; Mon, 20 Apr 2026 04:12:48 +0200 (CEST)","by mail-ej1-x636.google.com with SMTP id\n a640c23a62f3a-ba36357195bso276169966b.0\n for ; Sun, 19 Apr 2026 19:12:48 -0700 (PDT)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,\n DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,\n RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham\n autolearn_force=no version=3.4.2","ARC-Seal":"i=1; a=rsa-sha256; t=1776651168; cv=none;\n d=google.com; s=arc-20240605;\n b=NV3xFlJ+hpQg3eI1LZYiSnc8/DfsZ8MkG0x3JFWHN/FEP90ko3S3DC4pfPx377JKLz\n YHJsUqPPPHBaCq38AAhOHUaYfPK3SkINSJTdeYcacDrNx9mTPxkVdk2galYXCN53BIPu\n bG8sWCobeQd5KjYh9IfOSmp2dZBDtvn+ftKnf0Srqdz968p3skRkTM3VYcOsXapizMBW\n TfHOd7RepVdyD00jsxoaWr2iXRxkbaxpXINT/zmE+bJw00t2hgI5fYIqivwyEcRUrwzE\n 746nUanjyjgYaA+NG9JWMNhHdrCJ4MAFw2s2zOjqChLGsru2GwoBwr3CqxrWwB2nyGci\n 9Tlw==","ARC-Message-Signature":"i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n s=arc-20240605;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n :mime-version:dkim-signature;\n bh=Lf6sO2eakSdUc0/Bjev2o7wT/j34bcgW9FNIOPY9Qe8=;\n fh=Uv/25pOELJ4QfN1/GRGMHMq2DkJf9qUhad18fLjtgiw=;\n b=RTwfDiZBuL/kuqIoQS4FzlzToivdeP5WMsGdy922zpkalvmilQ5kODyv8Xmuv5KRoK\n zERGPPpPYihzjrBzJE2CAIIzjtPMNGBKw25sunbpPT/8C0VfjT0UiltZz0jFB0cLQJzH\n woaQSf5YN6NONfUFh5HCrprihb1lQi956THQuAdssrNbm1qzymN9m2Luo6pOTplQvOvW\n Rbd1Ba5UGexzqz+VRBs0WsS2hEVQoV4XuhGdPE9LsPFtcdOTep3YHG5qiqh8muSJy76Y\n JdgLUj6aFq/fwmCSJFcUuleCh1FaK3z1G5gCwFUyH4itvTbbt7pbJISXt2Q/fAw/jU5w\n HNOA==; darn=lists.denx.de","ARC-Authentication-Results":"i=1; mx.google.com; arc=none","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=chromium.org; s=google; t=1776651168; x=1777255968; darn=lists.denx.de;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n :mime-version:from:to:cc:subject:date:message-id:reply-to;\n bh=Lf6sO2eakSdUc0/Bjev2o7wT/j34bcgW9FNIOPY9Qe8=;\n b=cZ5QyTU2V+HPK1hQ+sVxg0z7Y8sNlkDBg/D1rfhwQMUql1vwC+xoZ7d+6YudfVKTp0\n inajM0RscVhYVBSQ5D3PmPXzJmgcreJDV5BjIvCKMU67EakOcwe6TDNyj468MvIYMx6u\n rHp8j8+Z5ukduXs9oDqbTP0P4J+539b+ljer0=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776651168; x=1777255968;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=Lf6sO2eakSdUc0/Bjev2o7wT/j34bcgW9FNIOPY9Qe8=;\n b=a/GFUfjrr2R33RS32BCLLkZOben34TbYf/QZFwrcLSZw+eK4b8moiMyGDDk0/SKQPT\n tXwbhFmpNgTqOSRcDAiyvIv+1HYqR5CA/Xqs35NFhFYnxbxqmDnEgYzmYOmXIe2X7c2L\n 5vK5pcqR+JF9j8qoudUXhFf9fieJg1CbEGzvtE6JBewVpRoWaYbR27OdZAD76aIvfqkL\n +FUubAVZGt2avVvXufbc1zwQq6AHDQXw6keudxxVATz0Re32bygDdyEPvTSmWpkrXKes\n MBQOIpWcF9ZE2fxezufC618ie3VNyomiAsQMRrJ5nsGCkrfZz/yHxhV2BT7++JltFmW8\n N5tg==","X-Forwarded-Encrypted":"i=1;\n AFNElJ9E34b7HsvoV82wHScaLpUCegZRg56+7V7pcODep7rg+hxZjoKT09rTYnFn6Mpu9Y2et1g8bGY=@lists.denx.de","X-Gm-Message-State":"AOJu0YxP71s0fN43BWC81mgAUDqidnHiom1MAGU78/+jYiZD1loW5MXH\n zBsuzVny1vLXcX9uZnNBWO8Uq3yb5xTedCmTy0tmsTu9cGkmqzEKNC5kxfvzRwhl2VRLbyQf28v\n R5SvZhsxQX8dMKM7ghZQgeBChHaEAc/s2IRb1JE3Z","X-Gm-Gg":"AeBDiesqGsVbX7ybuDUPiYNsHHp5VBVxMyseJzjtzkl2jivUxjMQjSFk5+QmLk0ujCY\n rXC+L73hIIiIOSWD8p8gdaIfxLO9QD1y7SP8pNyyffPLwM5qUtHrApp1nLp+3novtJy/7xUK5ZT\n YsqE9QpCNYVBU2nxqaODPr/d/wwJzsnmmy+iRoz/JTBUvgukYS6o+n6TXWWShGLJMS8qGKCTqby\n ouasUKJA1jRqs/3j7eK6DWNuiDemexm2xHFdB7N3x8gySCG1eQ3un7frqApfGInJcr5zTrACnmD\n IRQPrcAbd8/OUy8FCA3R","X-Received":"by 2002:a17:907:720f:b0:ba8:125a:951c with SMTP id\n a640c23a62f3a-ba8125ad0a5mr42769166b.13.1776651167653; Sun, 19 Apr 2026\n 19:12:47 -0700 (PDT)","MIME-Version":"1.0","References":"<20260417130204.49896-1-philippe.reynes@softathome.com>\n <20260417130204.49896-11-philippe.reynes@softathome.com>","In-Reply-To":"<20260417130204.49896-11-philippe.reynes@softathome.com>","From":"Simon Glass ","Date":"Mon, 20 Apr 2026 14:12:28 +1200","X-Gm-Features":"AQROBzBzK-iq4BCCZrCne2qQ399pHpzcDN82GyaigpuAIBveIm2tbiGq9gl-Hj4","Message-ID":"\n ","Subject":"Re: [PATCH v4 10/14] tools: binman: pre-load: add support of ecdsa","To":"philippe.reynes@softathome.com","Cc":"marko.makela@iki.fi, jonny.green@keytechinc.com, raymondmaoca@gmail.com,\n trini@konsulko.com, simon.glass@canonical.com, u-boot@lists.denx.de","Content-Type":"text/plain; charset=\"UTF-8\"","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" ","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"}}]