Hi Tim +Alexandru Gagniuc

On Thu, 4 Feb 2021 at 15:01, Tim Romanski <t-troman...@microsoft.com> wrote:
>
> Hello,
>
> I’m a current intern at Microsoft, and one of my priorities is to enable
> ECDSA for U-Boot image signing/verification. Simon mentioned someone is
> already working on ECC, it would be great to get synced up with related
> progress. For signing, I will likely replicate the existing approach of using
> the openssl library. I’m aware that signing happens on a host machine and
> verification happens during boot, which implies verification should have a
> custom implementation to avoid the openssl overhead in the U-Boot binary. My
> thoughts are to copy an ECC verification implementation from a well-tested
> widely-used open source project. I was wondering, is U-Boot’s current RSA
> verification copied from another project? If so, how are security patches
> between the two copies of code usually handled? I’m thinking of deriving from
> the ECDSA implementation currently in the Linux kernel, though I’d also
> appreciate suggestions if there’s a better/more widely tested & used
> implementation.

U-Boot's RSA came originally from Android I think and was modified for use in Chrome OS. However the implementation in U-Boot of the verification part is quite small - mostly in rsa-verify.c with some maths in rsa-mod-exp.c and U-Boot has added various new features over the years. We don't synchronize security patches formally although of course they are published.

I think pulling in something from Linux makes sense if it is not too large, as the projects are fairly close in coding style, contributors, etc.

Alexandru Gagniuc, on cc, has been looking at implementing the signing side of this recently and has sent some patches that you could look at.

I hope you have a nice internship!

Regards,
Simon