[{"id":3680147,"web_url":"http://patchwork.ozlabs.org/comment/3680147/","msgid":"<CAFLszTizb=a5uvtjFRbDoUYoPX2iXyzt_jiFdkqBcKJbeOk3mw@mail.gmail.com>","list_archive_url":null,"date":"2026-04-22T00:10:19","subject":"Re: [PATCH v5 02/15] mbedtls: enable support of ecc","submitter":{"id":6170,"url":"http://patchwork.ozlabs.org/api/people/6170/","name":"Simon Glass","email":"sjg@chromium.org"},"content":"Hi Philippe,\n\nOn 2026-04-21T21:09:51, Philippe Reynes <philippe.reynes@softathome.com> wrote:\n> mbedtls: enable support of ecc\n>\n> Enables the support of ecc in mbedtls.\n>\n> Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>\n>\n> configs/amd_versal2_virt_defconfig       |  3 +++\n>  configs/qemu_arm64_lwip_defconfig        |  3 +++\n>  configs/sandbox_defconfig                |  1 +\n>  configs/starfive_visionfive2_defconfig   |  3 +++\n>  configs/xilinx_versal_net_virt_defconfig |  3 +++\n>  configs/xilinx_versal_virt_defconfig     |  3 +++\n>  configs/xilinx_zynqmp_kria_defconfig     |  3 +++\n>  configs/xilinx_zynqmp_virt_defconfig     |  3 +++\n>  lib/ecdsa/Kconfig                        |  1 +\n>  lib/mbedtls/Kconfig                      | 14 ++++++++++++++\n>  lib/mbedtls/Makefile                     | 16 +++++++++-------\n>  lib/mbedtls/mbedtls_def_config.h         | 17 +++++++++++++++++\n>  12 files changed, 63 insertions(+), 7 deletions(-)\n\n> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig\n> @@ -300,6 +313,7 @@ config MBEDTLS_LIB_TLS\n> +     depends on ECDSA_MBEDTLS\n\nAdding ECDSA_MBEDTLS as a hard dependency on MBEDTLS_LIB_TLS means\nevery board using TLS now requires CONFIG_ECDSA and\nCONFIG_ECDSA_VERIFY. I suspect you want to separate the TLS ECC\nrequirements from FIT signature verification. Perhaps the ECC curve\nsupport should be in a separate CONFIG_ECC_MBEDTLS option that both\nTLS and ECDSA verification can select?\n\n> diff --git a/configs/qemu_arm64_lwip_defconfig b/configs/qemu_arm64_lwip_defconfig\n> @@ -3,6 +3,9 @@\n> +CONFIG_ECDSA=y\n> +CONFIG_ECDSA_VERIFY=y\n> +CONFIG_ECDSA_MBEDTLS=y\n\nThis suggests the coupling between TLS and ECDSA verification is too\ntight. These boards want HTTPS but might not need FIT ECDSA signature\nverification.\n\n> diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h\n> @@ -89,6 +89,23 @@\n> +#if CONFIG_IS_ENABLED(ECDSA_MBEDTLS)\n> +#define MBEDTLS_ECDSA_C\n> +#define MBEDTLS_ECP_C\n> +#define MBEDTLS_BIGNUM_C\n> +#define MBEDTLS_ECP_DP_SECP192R1_ENABLED\n> +#define MBEDTLS_ECP_DP_SECP224R1_ENABLED\n> +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED\n> +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED\n> +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED\n> +#define MBEDTLS_ECP_DP_SECP192K1_ENABLED\n> +#define MBEDTLS_ECP_DP_SECP224K1_ENABLED\n> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED\n> +#define MBEDTLS_ECP_DP_BP256R1_ENABLED\n> +#define MBEDTLS_ECP_DP_BP384R1_ENABLED\n> +#define MBEDTLS_ECP_DP_BP512R1_ENABLED\n> +#endif\n\nHow much code size is added by enabling all ECC curves unconditionally?\n\nRegards,\nSimon","headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=chromium.org header.i=@chromium.org header.a=rsa-sha256\n header.s=google header.b=Y9O2wfU3;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=85.214.62.61; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=chromium.org","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=chromium.org header.i=@chromium.org\n header.b=\"Y9O2wfU3\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=chromium.org","phobos.denx.de;\n spf=pass smtp.mailfrom=sjg@chromium.org"],"Received":["from phobos.denx.de (phobos.denx.de [85.214.62.61])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0fkl70K8z1yGs\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 22 Apr 2026 10:10:39 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 896DF8352B;\n\tWed, 22 Apr 2026 02:10:35 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 10FAC83936; Wed, 22 Apr 2026 02:10:35 +0200 (CEST)","from mail-ed1-x532.google.com (mail-ed1-x532.google.com\n [IPv6:2a00:1450:4864:20::532])\n (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id DCB5E805D7\n for <u-boot@lists.denx.de>; Wed, 22 Apr 2026 02:10:32 +0200 (CEST)","by mail-ed1-x532.google.com with SMTP id\n 4fb4d7f45d1cf-672c23aa064so8929093a12.2\n for <u-boot@lists.denx.de>; Tue, 21 Apr 2026 17:10:32 -0700 (PDT)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,\n DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,\n RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham\n autolearn_force=no version=3.4.2","ARC-Seal":"i=1; a=rsa-sha256; t=1776816632; cv=none;\n d=google.com; s=arc-20240605;\n b=JUbznk7hzZxhpWbnwCotqO1RykX2/7sD0KcPrsI6j8M/pEzBhxnHtBOsGZENoAZU/T\n RgswGjwyx1ezZgziKgOnLgcxt8w3e9plrhQAWw7sx5PaTInF5fH/KusPPJAcLnJk2B6Y\n tdtmNi7G4hyvqHxp5EgoYT94Pe1ujdYRRDyeNW/TuS6tERz66DiisihvgYZWqIWuHj3L\n cdunhp2i3ry7KV9sHR3LuGkV8ywlr34Ma+XaZn1RhIAdy6s75qG/8CUWLjP+3/3jMRli\n 2FU6UXa4C1QkSI53YP7GdgG6uT8AJY6Kp4O3l9jTfGuoKdHotqADdFGxSmfs+wiV5EgP\n rLaw==","ARC-Message-Signature":"i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n s=arc-20240605;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n :mime-version:dkim-signature;\n bh=A2Dr1RGSCLsbPSa2gIKuxGU2q4MrV50rfp3sK/wIZyA=;\n fh=huZavGIedmb5t2orr+/Rb1tnWmifMM80sbfGbi0WwQs=;\n b=kN8DY/8Paqfr+lqa9uY1KRkd+hNhoWurgZycqDRraslwL6KclTVASx905x1Uk9L85w\n Zrsm2sn3s2ElFAZfRFl3IJa7sQ/t+l8nGU3ylmqzTJZaKnFdmJUEmVlmAol+4bW4Qh5b\n CW50xTrHd1bZkk3qSkO8ZISctjPhVdcIT4Hy2ewGAEjh5pdPljuxHm561nTB/CFZcs76\n dX6SUHA3o894YyjEgCGkPaW6Pu+nmayIpoMVY2pkj3NZhxC/vJkVpgYthzA03Ax/2Nnd\n bgH6VZqQftzmOlmXHRf1NhEUh3dMsA4mJKr8sCM6ZPiv4OjW8KoeFMyxoEYaHFhOp5Xi\n D9Aw==; darn=lists.denx.de","ARC-Authentication-Results":"i=1; mx.google.com; arc=none","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=chromium.org; s=google; t=1776816632; x=1777421432; darn=lists.denx.de;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n :mime-version:from:to:cc:subject:date:message-id:reply-to;\n bh=A2Dr1RGSCLsbPSa2gIKuxGU2q4MrV50rfp3sK/wIZyA=;\n b=Y9O2wfU3XaAqIDTFf1cFIHY3AaqIV2d/TB+xBhQNW8eLYP5/O/KYcbfC+haptTnaWH\n tU14cxpGDDpasDNdOPTbH7QA6clR7JKYkaw8VOi3RiJER0hZvHJgNmiq8REcVYrN4eqq\n qu9kbgrVeb45Q8+cnYFIWKqTzmagwJ5Dy9jZ8=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776816632; x=1777421432;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=A2Dr1RGSCLsbPSa2gIKuxGU2q4MrV50rfp3sK/wIZyA=;\n b=Fff4EbcSAA3/mhM2CAefvDDn17zyh7QMKe9pQf+PY0HGLTMjkYc8HeiktPHzpmLcp7\n loK1OpVxijsLurQFjSecx9zHceXSXfeeM+J8gv7IZDEGQI2inx7UEqlrhUJhWgCFKwhe\n Xym+5KSDwpCYEKbAVmJHK0q4GOAczGnK4y9wD5NVhtAl7AI8R+NzXwaIbL2EtlSBwZO0\n ScoGYuB5f0PJr9kveKNbkE6MqJiA7C15dz5l82FGO7gm0bx++yb3zEDHMepIN1Zs98ye\n N+8aRXFQTEmhS1JahEOt3+qCjat6zLRvCJZH4l+9kccILgX0Iw+Hpen6p7Wv059cNoX7\n l3Vg==","X-Forwarded-Encrypted":"i=1;\n AFNElJ9ymmwcs0C1/M/arDlVmXCU0O/gs5Y+Bypq3bV69pvwkpHjGYjspN3V4uvVZaSWs47TvL/sz1g=@lists.denx.de","X-Gm-Message-State":"AOJu0YxuE0/B2S3oc4Nq8aJ9u/IrqUARM4fncbnR+7LWRcpOEJDyOH3z\n 7cwW6asys3zJ484Nrms/e9v0MSZXlrgA/qxAfj/+jEmhtzC9qie21NcJ560qfN5dYw8rZMIHpW1\n oCgyjWQtTsA3uFzhnwJ6Ox5001VolHH2GuN/Xkdez","X-Gm-Gg":"AeBDietPx69OOo/2PvzdmlRruz+bdHihPKg9Q6ULLQoiEewAaYO2GEn5sApCTWdIu10\n XaWF/Rhf0vKs5URq4wQxRkfGxT3eOnZyoct4UzSB/TOLUYJ1Gpk0mhcbl3WFTsf4Dpb1Mf4RRCX\n KPE8kF/ECnG23cmDx4WiFFycafFi5ut/S9y9PbWy3XOsgDiFC2m16nW8IG9UBAFq8914APQvvEu\n Jd87FT/1K2I6kVg3babHZXSSHdRt/bBQ2TlFNL5s2vEJv/5cPd8tTC7SzcB7MCJG/Htyta4QAzu\n yTNadajZkgsdNf0FO8op","X-Received":"by 2002:a17:907:a60b:b0:b9c:b069:8ab6 with SMTP id\n a640c23a62f3a-ba418b7e7d6mr905539366b.7.1776816632153; Tue, 21 Apr 2026\n 17:10:32 -0700 (PDT)","MIME-Version":"1.0","References":"<20260421210954.1170437-1-philippe.reynes@softathome.com>\n <20260421210954.1170437-3-philippe.reynes@softathome.com>","In-Reply-To":"<20260421210954.1170437-3-philippe.reynes@softathome.com>","From":"Simon Glass <sjg@chromium.org>","Date":"Wed, 22 Apr 2026 12:10:19 +1200","X-Gm-Features":"AQROBzA0UdOSbAmA6-XVzjGIa6oG1Xy6BazhF8Ne-qybcWooMQZZ5D_pgzffAkM","Message-ID":"\n <CAFLszTizb=a5uvtjFRbDoUYoPX2iXyzt_jiFdkqBcKJbeOk3mw@mail.gmail.com>","Subject":"Re: [PATCH v5 02/15] mbedtls: enable support of ecc","To":"philippe.reynes@softathome.com","Cc":"marko.makela@iki.fi, jonny.green@keytechinc.com, raymondmaoca@gmail.com,\n trini@konsulko.com, simon.glass@canonical.com, u-boot@lists.denx.de","Content-Type":"text/plain; charset=\"UTF-8\"","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"}}]