{"id":2225958,"url":"http://patchwork.ozlabs.org/api/patches/2225958/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/patch/20260421210954.1170437-12-philippe.reynes@softathome.com/","project":{"id":18,"url":"http://patchwork.ozlabs.org/api/projects/18/?format=json","name":"U-Boot","link_name":"uboot","list_id":"u-boot.lists.denx.de","list_email":"u-boot@lists.denx.de","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260421210954.1170437-12-philippe.reynes@softathome.com>","list_archive_url":null,"date":"2026-04-21T21:09:50","name":"[v5,11/15] tools: binman: pre-load: add support of ecdsa","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"aa744ad71304474574c80303ca8a587b561be8b7","submitter":{"id":74351,"url":"http://patchwork.ozlabs.org/api/people/74351/?format=json","name":"Philippe Reynes","email":"philippe.reynes@softathome.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/uboot/patch/20260421210954.1170437-12-philippe.reynes@softathome.com/mbox/","series":[{"id":500895,"url":"http://patchwork.ozlabs.org/api/series/500895/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/list/?series=500895","date":"2026-04-21T21:09:51","name":"add software ecdsa support","version":5,"mbox":"http://patchwork.ozlabs.org/series/500895/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2225958/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2225958/checks/","tags":{},"related":[],"headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=softathome1.onmicrosoft.com header.i=@softathome1.onmicrosoft.com\n header.a=rsa-sha256 header.s=selector1-softathome1-onmicrosoft-com\n header.b=ipwYeW0e;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=none (p=none dis=none) header.from=softathome.com","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=softathome1.onmicrosoft.com header.i=@softathome1.onmicrosoft.com\n header.b=\"ipwYeW0e\";\n\tdkim-atps=neutral","phobos.denx.de; dmarc=none (p=none dis=none)\n header.from=softathome.com","phobos.denx.de;\n spf=pass smtp.mailfrom=philippe.reynes@softathome.com"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0Zmk60fCz1yGs\n\tfor ; Wed, 22 Apr 2026 07:12:06 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id CA48B8437E;\n\tTue, 21 Apr 2026 23:10:29 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id BE8638426E; Tue, 21 Apr 2026 23:10:21 +0200 (CEST)","from PA5P264CU001.outbound.protection.outlook.com\n (mail-francecentralazlp170100000.outbound.protection.outlook.com\n [IPv6:2a01:111:f403:c20a::])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 2AE39842D7\n for ; Tue, 21 Apr 2026 23:10:03 +0200 (CEST)","from MR1P264CA0128.FRAP264.PROD.OUTLOOK.COM (2603:10a6:501:51::10)\n by PR0P264MB2597.FRAP264.PROD.OUTLOOK.COM (2603:10a6:102:1e0::11) with\n Microsoft SMTP Server (version=TLS1_2,\n cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9846.17; Tue, 21 Apr\n 2026 21:09:58 +0000","from MR1PEPF00000D57.FRAP264.PROD.OUTLOOK.COM\n (2603:10a6:501:51:cafe::c7) by MR1P264CA0128.outlook.office365.com\n (2603:10a6:501:51::10) with Microsoft SMTP Server (version=TLS1_3,\n cipher=TLS_AES_256_GCM_SHA384) id 15.20.9791.48 via Frontend Transport; Tue,\n 21 Apr 2026 21:09:58 +0000","from proxy.softathome.com (149.6.166.170) by\n MR1PEPF00000D57.mail.protection.outlook.com (10.167.241.4) with Microsoft\n SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.9846.18\n via Frontend Transport; Tue, 21 Apr 2026 21:09:58 +0000","from sah1lpt726.softathome.com (unknown [192.168.72.32])\n by proxy.softathome.com (Postfix) with ESMTPSA id D51E12014C;\n Tue, 21 Apr 2026 23:09:57 +0200 (CEST)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_PASS,SPF_PASS autolearn=ham\n autolearn_force=no version=3.4.2","ARC-Seal":"i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;\n b=MoJGyTkZ5IJ5juVtJYF1/a/f9u/h3C+vyRJ1TS9IArEL8jS1Y8Q2nhJ5Ihy/jCxaStO0zvQ9iOS6GI/+udBLT2SXfqcfJFMKwOaKFYZqLdzcIp/6wwOQcXX7hFQYKTIQI54wr0uCz5B7KWWK/EToeRh505ss7DFuvUvjcsjOyuI4i2djyKQC68PowGIcvVRpzYlzOvW73jCtDsWNN7USGheuOkQlNr9IYY5xodBdTyxG9HQ9wnz3fWLcVCYUZta1J8c2OIb2dEaS8XxubwEafOAhWczLM7lVX6LjW36HHmJGxlNPZ5agQlqWBf0mAy9DmXDI54/7TxJmHK7kaAiORA==","ARC-Message-Signature":"i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;\n s=arcselector10001;\n h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;\n bh=S18BJQkvOXc0igMZBM1DIMLwJIFRJ0M6OONkrWQzG8s=;\n b=iiOnw8ylpEbkFByx3Bi2c++4A25c8t2fesQmLGdFMze2Xz8gYVc8Zro++343vwjibVNQB7ouHeUht7i4LVpF/2YnuVsEBaMKfHp2hmswzOcHM3agpoO5ADCt7V7zPbu6xTtgWd5Sgojlua4Liur0o9JW+ok5Wq8l+BhU+t5mhJDxzMcCtebJvbGE/0y3ZF8fgy3NgnVnpBIkRC0+Oj2zsMKJZeiH94AB9uBwBrvRQp+OGUc1oBtadbZ+Ylle3VaIhEYd6VHxNfVX5DmCGrNr6wKJQ0GUUvwC6G0pd+0wQkrdpL+R5K94NfB0Pp6mjhq0ypQUuUGft4eeSA6TuycLFA==","ARC-Authentication-Results":"i=1; mx.microsoft.com 1; spf=pass (sender ip is\n 149.6.166.170) smtp.rcpttodomain=canonical.com smtp.mailfrom=softathome.com;\n dmarc=bestguesspass action=none header.from=softathome.com; dkim=none\n (message not signed); arc=none (0)","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=softathome1.onmicrosoft.com; s=selector1-softathome1-onmicrosoft-com;\n h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;\n bh=S18BJQkvOXc0igMZBM1DIMLwJIFRJ0M6OONkrWQzG8s=;\n b=ipwYeW0eb/jN5M+AcIakMMKgP25CsELoNZsT8cxIbpOw4cSKH/l0QSOmvX85C+C+JWOfxobzgZRDK4nyKJx28SHu9sU4vLQhw2Kwg8DZzBBl7uxF1K6IqNufpXPHfNZb/p677w9qj2jVmWqR1M2ZwVp9WuMA2eIJj+XTlphjBPVZLcJIpVwFzC9MZylYOZE07PQh6Z1ZAV2381Zzw5JWOCcmuP+4JZv2f2dxdMv1ZauUtvlzUsa/bLIzWL1VKwDKTkaKUgeKpXR/1pjtc9GlWWpocdp2bnluNkbw9LWbZ7vJnDXl4q0zUFE+JiLHKpJLU0Ty/Eja9ukItzBGxpNH4A==","X-MS-Exchange-Authentication-Results":"spf=pass (sender IP is 149.6.166.170)\n smtp.mailfrom=softathome.com; dkim=none (message not signed)\n header.d=none;dmarc=bestguesspass action=none header.from=softathome.com;","Received-SPF":"Pass (protection.outlook.com: domain of softathome.com\n designates 149.6.166.170 as permitted sender)\n receiver=protection.outlook.com; client-ip=149.6.166.170;\n helo=proxy.softathome.com; pr=C","From":"Philippe Reynes ","To":"marko.makela@iki.fi, jonny.green@keytechinc.com, raymondmaoca@gmail.com,\n trini@konsulko.com, simon.glass@canonical.com","Cc":"u-boot@lists.denx.de, Philippe Reynes ,\n Simon Glass ","Subject":"[PATCH v5 11/15] tools: binman: pre-load: add support of ecdsa","Date":"Tue, 21 Apr 2026 23:09:50 +0200","Message-ID":"<20260421210954.1170437-12-philippe.reynes@softathome.com>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<20260421210954.1170437-1-philippe.reynes@softathome.com>","References":"<20260421210954.1170437-1-philippe.reynes@softathome.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-EOPAttributedMessage":"0","X-MS-PublicTrafficType":"Email","X-MS-TrafficTypeDiagnostic":"MR1PEPF00000D57:EE_|PR0P264MB2597:EE_","Content-Type":"text/plain","X-MS-Office365-Filtering-Correlation-Id":"89851696-0f87-4932-442c-08de9fea580e","X-MS-Exchange-SenderADCheck":"1","X-MS-Exchange-AntiSpam-Relay":"0","X-Microsoft-Antispam":"BCL:0;\n ARA:13230040|36860700016|376014|1800799024|82310400026|56012099003|22082099003|17002099007|18002099003;","X-Microsoft-Antispam-Message-Info":"\n JzpZ1I5Sw+mYuBCkLsvJE9PvZ3xVkWTyFi25nxDPeLJmsFF8fd8SlSz3dUtDF+ca7y3JqXuO0pM4c+UJrLyNb/0bO0qIHIKOAvDKv4lhPJDRPECYvDn9K4jAkK1DcST2LYy81/1fl/2EqedA6IZxSMwL1ju6j/+Cv4cvT4JyJTLNfhh//X+JUeynGy8KsJz4+JLabsLpPKwpRvWCfO6Zu3WwpqFO/Wq/unbXPApOQKJJUEGJQZohu2Txl6KPlzzw1vIiAeOTD/PPSmp48rcugZRnpW8qezP32OBQmQq+ov9JvtJ7iCvazTAHcDuUe5VHbpSlOa58pAN2WMsobxcuNC5k0amPIXzx5pBeYxAiKNmN0ZMAZnFIAv2cU3WUhGefhu7/eQUkvpvWpYyOnKs25x1F3la4kVhHR+QdBI5xlsWIMEMj8avSLNvjGfSgHfzuytPz83hR3yhgwV0Gnc28qnx81ortKciYhMQ8eWl7ENzLXt7ZXkCwBatkctP//hgrJkQzy7R2ySK+HWKJgZrw2Iz6/KrI0+t3hEwW8Ac7mG3J5ESeLvNZqAgafPjroHYHB8z3XYWerCSNsL7QdCeAtoYE2LkNmiPciYxAy4VDPamNq3JlZAbxJ7WKBpZyCjKQvSWlKhRTjqbIvR/p3WNEh+d3y+AXUtI+/J3hrW38MUJ6RyqEXrQtuK/9FyRk5XpYNcb/z66bYMvBg/k7SkeCY8XkUhByt5LW2BZGUorKn/aNcBPctqZzNqaEtYsYTSefUJwTndddVwjvh9S8bMOzfw==","X-Forefront-Antispam-Report":"CIP:149.6.166.170; CTRY:FR; LANG:en; SCL:1; SRV:;\n IPV:CAL; SFV:NSPM; H:proxy.softathome.com; PTR:InfoDomainNonexistent;\n CAT:NONE;\n SFS:(13230040)(36860700016)(376014)(1800799024)(82310400026)(56012099003)(22082099003)(17002099007)(18002099003);\n DIR:OUT; SFP:1101;","X-MS-Exchange-AntiSpam-MessageData-ChunkCount":"1","X-MS-Exchange-AntiSpam-MessageData-0":"\n yp8Q/DTrgv71veZwya4WfKkhgpqo89Gz7b8a2jkiSYYT23o2VKGw5z55yHTwjVRBNUcZPom1hSK4vRSTrv0VSg9ajXeW6y78aqrkZABPsZkMqXLldoWTCsAgSRxVUqOv/snD3u1TomS7aNbcfA2dao/lYUr1tFvD6JhPC1zL6OAkgpnHnW1Shokiv/vgUiMiwusFEIeNQpFf5ZFu7dAwR8GAD0x9ZM08S4KvvqkYP+JdjwTIMGjSw2fop+M/z9no7YprGLyc0eebYMbVgFYi1xFted32iiun6qQPQz8QkyxEbIXHJCqdk/rHGgz9lf6mv1XIOLv1+bviWWWIOTXsKl6Dq7qn8xb8wkoUYCkjnaeyrI+8kn0257EocDzvD72fsRHbs/GgY4PeYOdmxBFnkBYPy/Q1hx6Mm6LPnnwsNKc0Iw2YLSFX4jSA0KDLATsl","X-OriginatorOrg":"softathome.com","X-MS-Exchange-CrossTenant-OriginalArrivalTime":"21 Apr 2026 21:09:58.1006 (UTC)","X-MS-Exchange-CrossTenant-Network-Message-Id":"\n 89851696-0f87-4932-442c-08de9fea580e","X-MS-Exchange-CrossTenant-Id":"aa10e044-e405-4c10-8353-36b4d0cce511","X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp":"\n TenantId=aa10e044-e405-4c10-8353-36b4d0cce511; Ip=[149.6.166.170];\n Helo=[proxy.softathome.com]","X-MS-Exchange-CrossTenant-AuthSource":"MR1PEPF00000D57.FRAP264.PROD.OUTLOOK.COM","X-MS-Exchange-CrossTenant-AuthAs":"Anonymous","X-MS-Exchange-CrossTenant-FromEntityHeader":"HybridOnPrem","X-MS-Exchange-Transport-CrossTenantHeadersStamped":"PR0P264MB2597","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" ","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"},"content":"Right now, binman can only create pre-load header\nusing rsa. We add the support of ecdsa.\n\nReviewed-by: Simon Glass \nSigned-off-by: Philippe Reynes \n---\nv3:\n- initial version\nv4:\n- merge patch 11 that was adding test for ecdsa pre-load\n- add key size check\n- use exc instead of simply e\n- rename dts filaneme\n- add a test to check key size\nv5:\n- compute ecdsa521 sig instead of using hardcoded value 132\n- fix english: don't -> doesn't\n- avoid line too long\n\n tools/binman/etype/pre_load.py | 78 ++++++++++++++++---\n tools/binman/ftest.py | 52 +++++++++++++\n tools/binman/test/ecdsa521.pem | 7 ++\n tools/binman/test/security/pre_load_ecdsa.dts | 22 ++++++\n .../security/pre_load_ecdsa_invalid_algo.dts | 22 ++++++\n .../security/pre_load_ecdsa_invalid_key.dts | 22 ++++++\n .../security/pre_load_ecdsa_invalid_sha.dts | 22 ++++++\n 7 files changed, 216 insertions(+), 9 deletions(-)\n create mode 100644 tools/binman/test/ecdsa521.pem\n create mode 100644 tools/binman/test/security/pre_load_ecdsa.dts\n create mode 100644 tools/binman/test/security/pre_load_ecdsa_invalid_algo.dts\n create mode 100644 tools/binman/test/security/pre_load_ecdsa_invalid_key.dts\n create mode 100644 tools/binman/test/security/pre_load_ecdsa_invalid_sha.dts","diff":"diff --git a/tools/binman/etype/pre_load.py b/tools/binman/etype/pre_load.py\nindex 00f1a896767..3d4a30391a6 100644\n--- a/tools/binman/etype/pre_load.py\n+++ b/tools/binman/etype/pre_load.py\n@@ -16,8 +16,10 @@ from binman.entry import EntryArg\n \n from Cryptodome.Hash import SHA256, SHA384, SHA512\n from Cryptodome.PublicKey import RSA\n+from Cryptodome.PublicKey import ECC\n from Cryptodome.Signature import pkcs1_15\n from Cryptodome.Signature import pss\n+from Cryptodome.Signature import DSS\n \n PRE_LOAD_MAGIC = b'UBSH'\n \n@@ -27,6 +29,12 @@ RSAS = {\n 'rsa4096': 4096 / 8\n }\n \n+ECDSAS = {\n+ 'ecdsa256': 256 / 8 * 2,\n+ 'ecdsa384': 384 / 8 * 2,\n+ 'ecdsa521': (521 + 7) / 8 * 2\n+}\n+\n SHAS = {\n 'sha256': SHA256,\n 'sha384': SHA384,\n@@ -86,24 +94,17 @@ class Entry_pre_load(Entry_collection):\n if self.key_path is None:\n self.key_path = ''\n \n- def _CreateHeader(self):\n- \"\"\"Create a pre load header\"\"\"\n- hash_name, sign_name = self.algo_name.split(',')\n- padding_name = self.padding_name\n- key_name = os.path.join(self.key_path, self.key_name)\n-\n+ def _CreateHeaderRsa(self, hash_name, sign_name, padding_name, key_name):\n # Check hash and signature name/type\n if hash_name not in SHAS:\n self.Raise(hash_name + \" is not supported\")\n- if sign_name not in RSAS:\n- self.Raise(sign_name + \" is not supported\")\n \n # Read the key\n key = RSA.import_key(tools.read_file(key_name))\n \n # Check if the key has the expected size\n if key.size_in_bytes() != RSAS[sign_name]:\n- self.Raise(\"The key \" + self.key_name + \" don't have the expected size\")\n+ self.Raise(\"The key \" + self.key_name + \" doesn't have the expected size\")\n \n # Compute the hash\n hash_image = SHAS[hash_name].new()\n@@ -151,6 +152,65 @@ class Entry_pre_load(Entry_collection):\n \n return data + pad\n \n+ def _CreateHeaderEcdsa(self, hash_name, sign_name, key_name):\n+ # Check hash and signature name/type\n+ if hash_name not in SHAS:\n+ self.Raise(hash_name + \" is not supported\")\n+\n+ # Read the key\n+ key = ECC.import_key(tools.read_file(key_name))\n+\n+ # Check if the key has the expected size\n+ if key.pointQ.size_in_bytes() * 2 != ECDSAS[sign_name]:\n+ self.Raise(\"The key \" + self.key_name + \" doesn't have the expected size\")\n+\n+ # Compute the hash\n+ hash_image = SHAS[hash_name].new()\n+ hash_image.update(self.image)\n+\n+ # Compute the signature\n+ signer = DSS.new(key, 'fips-186-3')\n+ sig = signer.sign(hash_image)\n+\n+ hash_sig = SHA256.new()\n+ hash_sig.update(sig)\n+\n+ version = self.version\n+ header_size = self.header_size\n+ image_size = len(self.image)\n+ ofs_img_sig = 64 + len(sig)\n+ flags = 0\n+ reserved0 = 0\n+ reserved1 = 0\n+\n+ first_header = struct.pack('>4sIIIIIII32s', PRE_LOAD_MAGIC,\n+ version, header_size, image_size,\n+ ofs_img_sig, flags, reserved0,\n+ reserved1, hash_sig.digest())\n+\n+ hash_first_header = SHAS[hash_name].new()\n+ hash_first_header.update(first_header)\n+ sig_first_header = signer.sign(hash_first_header)\n+\n+ data = first_header + sig_first_header + sig\n+ pad = bytearray(self.header_size - len(data))\n+\n+ return data + pad\n+\n+ def _CreateHeader(self):\n+ \"\"\"Create a pre load header\"\"\"\n+ hash_name, sign_name = self.algo_name.split(',')\n+ padding_name = self.padding_name\n+ key_name = os.path.join(self.key_path, self.key_name)\n+\n+ if sign_name in RSAS:\n+ return self._CreateHeaderRsa(hash_name, sign_name, padding_name, key_name)\n+\n+ if sign_name in ECDSAS:\n+ return self._CreateHeaderEcdsa(hash_name, sign_name, key_name)\n+\n+ self.Raise(sign_name + \" is not supported\")\n+\n def ObtainContents(self):\n \"\"\"Obtain a placeholder for the header contents\"\"\"\n # wait that the image is available\ndiff --git a/tools/binman/ftest.py b/tools/binman/ftest.py\nindex ca5149ee654..5d5bcb5874f 100644\n--- a/tools/binman/ftest.py\n+++ b/tools/binman/ftest.py\n@@ -5895,6 +5895,58 @@ fdt fdtmap Extract the devicetree blob from the fdtmap\n data = self._DoReadFileDtb('security/pre_load_invalid_key.dts',\n entry_args=entry_args)\n \n+ def testPreLoadEcdsa(self):\n+ \"\"\"Test an image with a pre-load header using ecdsa key\"\"\"\n+ entry_args = {\n+ 'pre-load-key-path': os.path.join(self._binman_dir, 'test'),\n+ }\n+ data = self._DoReadFileDtb(\n+ 'security/pre_load_ecdsa.dts', entry_args=entry_args,\n+ extra_indirs=[os.path.join(self._binman_dir, 'test')])[0]\n+\n+ image_fname = tools.get_output_filename('image.bin')\n+ is_signed = self._CheckPreload(image_fname,\n+ self.TestFile('ecdsa521.pem'),\n+ 'sha256,ecdsa521')\n+\n+ self.assertEqual(PRE_LOAD_MAGIC, data[:len(PRE_LOAD_MAGIC)])\n+ self.assertEqual(PRE_LOAD_VERSION, data[4:4 + len(PRE_LOAD_VERSION)])\n+ self.assertEqual(PRE_LOAD_HDR_SIZE, data[8:8 + len(PRE_LOAD_HDR_SIZE)])\n+ self.assertEqual(is_signed, True)\n+\n+ def testPreLoadEcdsaInvalidSha(self):\n+ \"\"\"Test an image with a pre-load ecdsa header with an invalid hash\"\"\"\n+ entry_args = {\n+ 'pre-load-key-path': os.path.join(self._binman_dir, 'test'),\n+ }\n+ with self.assertRaises(ValueError) as exc:\n+ self._DoReadFileDtb('security/pre_load_ecdsa_invalid_sha.dts',\n+ entry_args=entry_args)\n+ self.assertIn(\"Node '/binman/pre-load': sha2560 is not supported\",\n+ str(exc.exception))\n+\n+ def testPreLoadEcdsaInvalidAlgo(self):\n+ \"\"\"Test an image with a pre-load header with an invalid algo\"\"\"\n+ entry_args = {\n+ 'pre-load-key-path': os.path.join(self._binman_dir, 'test'),\n+ }\n+ with self.assertRaises(ValueError) as exc:\n+ data = self._DoReadFileDtb('security/pre_load_ecdsa_invalid_algo.dts',\n+ entry_args=entry_args)\n+ self.assertIn(\"Node '/binman/pre-load': ecdsa5210 is not supported\",\n+ str(exc.exception))\n+\n+ def testPreLoadEcdsaInvalidKey(self):\n+ \"\"\"Test an image with a pre-load header with an invalid key size\"\"\"\n+ entry_args = {\n+ 'pre-load-key-path': os.path.join(self._binman_dir, 'test'),\n+ }\n+ with self.assertRaises(ValueError) as exc:\n+ data = self._DoReadFileDtb('security/pre_load_ecdsa_invalid_key.dts',\n+ entry_args=entry_args)\n+ self.assertIn(\"Node '/binman/pre-load': The key ecdsa521.pem doesn't have the expected size\",\n+ str(exc.exception))\n+\n def _CheckSafeUniqueNames(self, *images):\n \"\"\"Check all entries of given images for unsafe unique names\"\"\"\n for image in images:\ndiff --git a/tools/binman/test/ecdsa521.pem b/tools/binman/test/ecdsa521.pem\nnew file mode 100644\nindex 00000000000..ac1904d3955\n--- /dev/null\n+++ b/tools/binman/test/ecdsa521.pem\n@@ -0,0 +1,7 @@\n+-----BEGIN EC PRIVATE KEY-----\n+MIHcAgEBBEIBM+CNnraGci2/mw1wPq44l2HccHnoBbdP3DiU6zqsBOq8IR8uegz2\n+FLzWsjxcW7hwROCdEm6tW99wqsyPE25RZ3egBwYFK4EEACOhgYkDgYYABABu5bWV\n+aQ4EgnXFjojX9df3gBEBipphEEFAoG87GuoWBdlimFC8UEEXiKNU37w0wlJn4bG0\n+8uOKwDqBk3uF+DrmZwB45lCSKkjdRWsJeDt+iEuFe2O/mbXoL4p5D8MM2OsDV5GT\n+srUbxhXq+T/i5lV7XXm2+tT/7zU8ZQce6WRufbd9KQ==\n+-----END EC PRIVATE KEY-----\ndiff --git a/tools/binman/test/security/pre_load_ecdsa.dts b/tools/binman/test/security/pre_load_ecdsa.dts\nnew file mode 100644\nindex 00000000000..247b85aad4c\n--- /dev/null\n+++ b/tools/binman/test/security/pre_load_ecdsa.dts\n@@ -0,0 +1,22 @@\n+// SPDX-License-Identifier: GPL-2.0+\n+\n+/dts-v1/;\n+\n+/ {\n+\t#address-cells = <1>;\n+\t#size-cells = <1>;\n+\n+\tbinman {\n+\t\tpre-load {\n+\t\t\tcontent = <&image>;\n+\t\t\talgo-name = \"sha256,ecdsa521\";\n+\t\t\tkey-name = \"ecdsa521.pem\";\n+\t\t\theader-size = <4096>;\n+\t\t\tversion = <0x11223344>;\n+\t\t};\n+\n+\t\timage: blob-ext {\n+\t\t\tfilename = \"refcode.bin\";\n+\t\t};\n+\t};\n+};\ndiff --git a/tools/binman/test/security/pre_load_ecdsa_invalid_algo.dts b/tools/binman/test/security/pre_load_ecdsa_invalid_algo.dts\nnew file mode 100644\nindex 00000000000..be71edbbdcd\n--- /dev/null\n+++ b/tools/binman/test/security/pre_load_ecdsa_invalid_algo.dts\n@@ -0,0 +1,22 @@\n+// SPDX-License-Identifier: GPL-2.0+\n+\n+/dts-v1/;\n+\n+/ {\n+\t#address-cells = <1>;\n+\t#size-cells = <1>;\n+\n+\tbinman {\n+\t\tpre-load {\n+\t\t\tcontent = <&image>;\n+\t\t\talgo-name = \"sha256,ecdsa5210\";\n+\t\t\tkey-name = \"ecdsa521.pem\";\n+\t\t\theader-size = <4096>;\n+\t\t\tversion = <0x11223344>;\n+\t\t};\n+\n+\t\timage: blob-ext {\n+\t\t\tfilename = \"refcode.bin\";\n+\t\t};\n+\t};\n+};\ndiff --git a/tools/binman/test/security/pre_load_ecdsa_invalid_key.dts b/tools/binman/test/security/pre_load_ecdsa_invalid_key.dts\nnew file mode 100644\nindex 00000000000..15d71cf0324\n--- /dev/null\n+++ b/tools/binman/test/security/pre_load_ecdsa_invalid_key.dts\n@@ -0,0 +1,22 @@\n+// SPDX-License-Identifier: GPL-2.0+\n+\n+/dts-v1/;\n+\n+/ {\n+\t#address-cells = <1>;\n+\t#size-cells = <1>;\n+\n+\tbinman {\n+\t\tpre-load {\n+\t\t\tcontent = <&image>;\n+\t\t\talgo-name = \"sha256,ecdsa384\";\n+\t\t\tkey-name = \"ecdsa521.pem\";\n+\t\t\theader-size = <4096>;\n+\t\t\tversion = <0x11223344>;\n+\t\t};\n+\n+\t\timage: blob-ext {\n+\t\t\tfilename = \"refcode.bin\";\n+\t\t};\n+\t};\n+};\ndiff --git a/tools/binman/test/security/pre_load_ecdsa_invalid_sha.dts b/tools/binman/test/security/pre_load_ecdsa_invalid_sha.dts\nnew file mode 100644\nindex 00000000000..1017707375e\n--- /dev/null\n+++ b/tools/binman/test/security/pre_load_ecdsa_invalid_sha.dts\n@@ -0,0 +1,22 @@\n+// SPDX-License-Identifier: GPL-2.0+\n+\n+/dts-v1/;\n+\n+/ {\n+\t#address-cells = <1>;\n+\t#size-cells = <1>;\n+\n+\tbinman {\n+\t\tpre-load {\n+\t\t\tcontent = <&image>;\n+\t\t\talgo-name = \"sha2560,ecdsa521\";\n+\t\t\tkey-name = \"ecdsa521.pem\";\n+\t\t\theader-size = <4096>;\n+\t\t\tversion = <0x11223344>;\n+\t\t};\n+\n+\t\timage: blob-ext {\n+\t\t\tfilename = \"refcode.bin\";\n+\t\t};\n+\t};\n+};\n","prefixes":["v5","11/15"]}