While exploring Zephyr's MCUboot Kconfig options, I noticed that while there are multiple signature types and backend combinations (Tinycrypt/mbedTLS/PSA), there doesn't appear to be an existing configuration for ECDSA with mbedTLS backend.
I've attempted to add this support by creating a new Kconfig option:
```
config BOOT_SIGNATURE_TYPE_ECDSA_MBEDTLS
	bool "ECDSA signature verification using mbedTLS"
	depends on BOOT_SIGNATURE_TYPE_ECDSA
	select BOOT_USE_MBEDTLS
	select MBEDTLS
	select MBEDTLS_ECDSA_C
	select MBEDTLS_ECP_C
```
This configuration seems to work in my initial testing, but I'm wondering:
- Is this approach technically sound, or am I missing some important considerations?
- Why doesn't this configuration exist already? Are there:
  - Technical limitations with ECDSA+mbedTLS in MCUboot?
  - Performance concerns compared to other backends?
  - Maintenance or compatibility reasons?
  - Specific hardware requirements?
For context, I'm working with:
- Zephyr v4.2.0
- MCUboot v2.2.0
The existing configurations I see are:
- ECDSA with Tinycrypt (BOOT_SIGNATURE_TYPE_ECDSA)
- ECDSA with PSA (BOOT_SIGNATURE_TYPE_ECDSA_PSA)
Any insights about potential pitfalls or best practices for implementing this would be greatly appreciated.