[{"id":3680149,"web_url":"http://patchwork.ozlabs.org/comment/3680149/","msgid":"","list_archive_url":null,"date":"2026-04-22T00:11:36","subject":"Re: [PATCH v5 01/15] ecdsa: fix support of secp521r1","submitter":{"id":6170,"url":"http://patchwork.ozlabs.org/api/people/6170/","name":"Simon Glass","email":"sjg@chromium.org"},"content":"Hi Philippe,\n\nOn 2026-04-21T21:09:51, Philippe Reynes wrote:\n> ecdsa: fix support of secp521r1\n>\n> Current implementation of ecdsa only supports key len aligned on\n> 8 bits. But the curve secp521r1 uses a key of 521 bits which is not\n> aligned on 8 bits. In this commit, we update the keys management\n> for ecdsa to support keys that are not aligned on 8 bits.\n>\n> Signed-off-by: Philippe Reynes \n>\n> lib/ecdsa/ecdsa-libcrypto.c | 63 +++++++++++++++++++++++++++++++++++--\n> lib/ecdsa/ecdsa-verify.c | 75 ++++++++++++++++++++++++++++++++++++++++-----\n> lib/fdt-libcrypto.c | 2 +-\n> tools/image-sig-host.c | 7 +++++\n> 4 files changed, 137 insertions(+), 10 deletions(-)\n\n> diff --git a/lib/ecdsa/ecdsa-libcrypto.c b/lib/ecdsa/ecdsa-libcrypto.c\n> @@ -26,6 +26,8 @@\n> +#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))\n\nDIV_ROUND_UP is already defined in include/linux/kernel.h. Please can\nyou include that header instead.\n\n> diff --git a/lib/ecdsa/ecdsa-libcrypto.c b/lib/ecdsa/ecdsa-libcrypto.c\n> @@ -41,10 +43,26 @@ struct ecdsa_public_key {\n> +static char *memdup(char *buf, size_t size)\n> +{\n> + char *dup;\n> +\n> + dup = malloc(size);\n> + if (dup)\n> + memcpy(dup, buf, size);\n> +\n> + return dup;\n> +}\n\nA global memdup() exists in lib/string.c (declared in\ninclude/linux/string.h). Please can you use that instead to avoid\nconflicts.\n\n> diff --git a/lib/ecdsa/ecdsa-verify.c b/lib/ecdsa/ecdsa-verify.c\n> @@ -73,11 +111,16 @@ static int ecdsa_verify_hash(struct udevice *dev,\n> if (info->required_keynode > 0) {\n> ret = fdt_get_key(&key, info->fdt_blob, info->required_keynode);\n> - if (ret < 0)\n> + if (ret < 0) {\n> + fdt_free_key(&key);\n> return ret;\n> + }\n\nCalling fdt_free_key() after fdt_get_key() fails is unnecessary. When\nfdt_get_key() returns early, key->x and key->y may be uninitialised.\nPlease can you remove the fdt_free_key() call in this error path.\n\n> diff --git a/lib/ecdsa/ecdsa-verify.c b/lib/ecdsa/ecdsa-verify.c\n> @@ -87,15 +130,21 @@ static int ecdsa_verify_hash(struct udevice *dev,\n> fdt_for_each_subnode(key_node, info->fdt_blob, sig_node) {\n> ret = fdt_get_key(&key, info->fdt_blob, key_node);\n> - if (ret < 0)\n> + if (ret < 0) {\n> + fdt_free_key(&key);\n> continue;\n> + }\n\nSame issue here.\n\n> diff --git a/lib/ecdsa/ecdsa-verify.c b/lib/ecdsa/ecdsa-verify.c\n> @@ -135,6 +184,18 @@ U_BOOT_CRYPTO_ALGO(ecdsa384) = {\n> +U_BOOT_CRYPTO_ALGO(secp521r1) = {\n> + .name = 'secp521r1',\n> + .key_len = ECDSA521_BYTES,\n> + .verify = ecdsa_verify,\n> +};\n\nJust to check — why add secp521r1 as an alias for ecdsa521 but not\nsecp256r1/secp384r1 for the other curves?\n\nRegards,\nSimon","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=chromium.org header.i=@chromium.org header.a=rsa-sha256\n header.s=google header.b=eBbwXLXL;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=chromium.org","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=chromium.org header.i=@chromium.org\n header.b=\"eBbwXLXL\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=chromium.org","phobos.denx.de;\n spf=pass smtp.mailfrom=sjg@chromium.org"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0fmB4qQmz1yGs\n\tfor ; Wed, 22 Apr 2026 10:11:54 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 941A58352B;\n\tWed, 22 Apr 2026 02:11:52 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id DBBE583FED; Wed, 22 Apr 2026 02:11:50 +0200 (CEST)","from mail-ej1-x636.google.com (mail-ej1-x636.google.com\n [IPv6:2a00:1450:4864:20::636])\n (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id E74B8805D7\n for ; Wed, 22 Apr 2026 02:11:48 +0200 (CEST)","by mail-ej1-x636.google.com with SMTP id\n a640c23a62f3a-b941762394aso656192866b.1\n for ; Tue, 21 Apr 2026 17:11:48 -0700 (PDT)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,\n DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,\n RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham\n autolearn_force=no version=3.4.2","ARC-Seal":"i=1; a=rsa-sha256; t=1776816708; cv=none;\n d=google.com; s=arc-20240605;\n b=Be7+lB7MIpwyOiZWhsJXKYUla/lfkil2z0VjbMvflraMI/X8ZjV91tzB6ZhmIVuY2d\n Rh9v5W6IQBehz+ZFXctbX+I5SQeXxC+v+sUzU0dttnOg0HzaENP5lCkLBF66YagacLdZ\n pf815E1GrS0VbQI3S1PFitglva3RhrxoDBV9j/NLpIjmsuPTWts34OK0Z6utlCdP3AWW\n r/TI2Ir+Q9b1/VxvlJgUAIepOxfuJj5PodWB5Emam6oXT5OqworsHU0k+7f1ltqlE0ja\n PgrE5cW5DnIwvo+id+UHe+YMNUePTA3e5qnH2htofF6KsW9FqpOkXz8EZK3u+MNX79D7\n Zsvw==","ARC-Message-Signature":"i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n s=arc-20240605;\n h=content-transfer-encoding:cc:to:subject:message-id:date:from\n :in-reply-to:references:mime-version:dkim-signature;\n bh=zMs6tE5Ku7EXsW7OLVjhnDZ+bImTXzFfZGCYcDIY4Jk=;\n fh=9XxNUAKVix7ocSgu3e3z0JJsLpFZ825JPRgEBQGYIIs=;\n b=hbn5EELZETPUBWLQVjaAAQ5LIOspbhwqj4eYRhzoXiHvei0ipbvscfwiVzw+3sraNr\n Up48J6ace7lgo4EEsGBtvbcCRtxMPotmcKMY5H3U+iaf3UrRio1ZjMcPBlsT6/7xwz/B\n iIcgsHVBj3ff3B4XZPGuWIGCUe+Qz6DXg/PH/Yagl2DYxYCN+hI+cRDOOlOIcz8ae7Ey\n nr9Q/Q1cU8PS92HxmqUuZswNdY9p5eGgsdG2wVK8rCgmyfqzT6fQ04daumdStHas0LGi\n BQT3MLWLbJo/UqAAaNOxmXhWLbQPRMdkESqNxpVDfgu199EzbWMuXS1ioWwRDb7yRwwj\n ctbw==; darn=lists.denx.de","ARC-Authentication-Results":"i=1; mx.google.com; arc=none","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=chromium.org; s=google; t=1776816708; x=1777421508; darn=lists.denx.de;\n h=content-transfer-encoding:cc:to:subject:message-id:date:from\n :in-reply-to:references:mime-version:from:to:cc:subject:date\n :message-id:reply-to;\n bh=zMs6tE5Ku7EXsW7OLVjhnDZ+bImTXzFfZGCYcDIY4Jk=;\n b=eBbwXLXL/TtcBcTVg/2we85trzVHGY6Nos9lX324CmNeNKpsrUOEY+FtnipmaqEQhU\n jRzwnFufiAEsMcAI79feP1N5G7zKvQ1uqZaoyjxIVjqcHp32ul6dFZrzk1uq1R+pguLD\n /cpQAIAiG9CUDAM79lzN5wgBxeW9uKoNdirQg=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776816708; x=1777421508;\n h=content-transfer-encoding:cc:to:subject:message-id:date:from\n :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=zMs6tE5Ku7EXsW7OLVjhnDZ+bImTXzFfZGCYcDIY4Jk=;\n b=mJbY5oxAYe6uvGLpn+Iq2PmhbWY8/VQK86aXGeqfGYqXEYuhImAXExQVzIRxdFZRYG\n MoIqpNJ9ZE5adHxxfiTA0gaNOXYmf46SH2qohrz2Vntg5H0Rs2KpeW4pKdMxHtkLJuEq\n seHd3Xm277ha75VoU6ccy2NVzxIvXeFjmAGk6A/qGks6WoWAqqqvSc068osLM7JZa2wQ\n 56zF5aCKfuGO06bmTxHIKcBdiGsLJATiyZvUW/RaJSlj2IXF9dfMLlisPKS6Y4zXDXli\n NgOwrHpsXyuJ/yFH1v3awE1x3hb9pS2egHsDOczd5gkkNRKQyD8JE/NN8dT0tQPNhvVv\n A4dg==","X-Forwarded-Encrypted":"i=1;\n AFNElJ/uxemp7C5RAYvAEdCiNdbuU2JOk+2g83eLEBQujuyZUBnPLI1lZIQLGQq72ZD7C7E3Psd3k+w=@lists.denx.de","X-Gm-Message-State":"AOJu0YwqV6+EjztyIDkIQ3HbRCB8URrHr+NCfk95ngzosJ2L7ryaMO/+\n tDd6ICLiuK2t7VXA2pJWlVg6B+AERqyG+Lfovpr7J+O4FwSRBQVagBAfKwqnUhCyMCHGBLimLn3\n XMpWRLZH7UdE6oiXOXy/HBRQ4ggHspciTZf1SFjE1","X-Gm-Gg":"AeBDieukiwNgYhism5hPTA71vCJrOSaV4Yk+IP9z2Ml60Zjz3qnpSw9UoRjZm57vlV0\n tHDyC0O8PNWZuuN5auPa5xGgQpkC0Rik/1iLXChoSPItDP5rcYsL9rHy8r+/GwqWFLrdSBLcckh\n //IJm+eLrxOqmoBLpRkkO1kH+2t/9c+vwiwGM66qe9gCWMKo14nzMGVLE7/Fssn5UAB1rNpouUV\n OYZBMhOMjG3V2QPdFmJPeHsEViQgk3W7M+FKM/QX1O7e4idwX8PGlYwIlLvGVNB/mtf1CuphEP1\n 04z9vqYWu2GcHH/ZBf5r","X-Received":"by 2002:a17:907:9413:b0:b97:a1ca:e100 with SMTP id\n a640c23a62f3a-ba41ac02533mr971950666b.32.1776816708311; Tue, 21 Apr 2026\n 17:11:48 -0700 (PDT)","MIME-Version":"1.0","References":"<20260421210954.1170437-1-philippe.reynes@softathome.com>\n <20260421210954.1170437-2-philippe.reynes@softathome.com>","In-Reply-To":"<20260421210954.1170437-2-philippe.reynes@softathome.com>","From":"Simon Glass ","Date":"Wed, 22 Apr 2026 12:11:36 +1200","X-Gm-Features":"AQROBzAUyk7Eq2EQ8eK_yKiRgcgR3wsLZkKTthSP0kc206Ps9CWXYDmjGWYfroM","Message-ID":"\n ","Subject":"Re: [PATCH v5 01/15] ecdsa: fix support of secp521r1","To":"philippe.reynes@softathome.com","Cc":"marko.makela@iki.fi, jonny.green@keytechinc.com, raymondmaoca@gmail.com,\n trini@konsulko.com, simon.glass@canonical.com, u-boot@lists.denx.de","Content-Type":"text/plain; charset=\"UTF-8\"","Content-Transfer-Encoding":"quoted-printable","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" ","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"}}]