Using ECDSA-P256 (and ED25519) signature in mcuboot


mastupristi
Senior Contributor I

Hi,

 

I'm trying mcuboot_opensource and ota_mcuboot_basic examples.

The example uses rsa2048 out-of-the-box and works well.

Since an ecdsa key pair is also provided (files bootutil/nxp_port/keys/sign-ecdsa-p256-*), I would like to try this type of signature.

I have replaced 

#define CONFIG_BOOT_SIGNATURE_TYPE_RSA
#define CONFIG_BOOT_SIGNATURE_TYPE_RSA_LEN 2048


with

#define CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256


then I have signed the ota_mcuboot_basic binary:

python3 imgtool.py sign \
    --key evkmimxrt1020_mcuboot_opensource_v2.2.0/bootutil/nxp_port/keys/sign-ecdsa-p256-priv.pem \
    --align 4 \
    --header-size 0x400 \
    --pad-header \
    --slot-size 0x100000 \
    --max-sectors 800 \
    --version "1.1" \
    evkmimxrt1020_ota_mcuboot_basic.bin \
    evkmimxrt1020_ota_mcuboot_basic_signed_ecdsap256.bin

 

But it doesn't work.

Which steps do I need to do to make it work?

 

The further test for me is to use ed25519, which is not provided out-of-the-box in the examples. Could you list the steps to make it work as well?

 

regards

Max


diego_charles
NXP TechSupport

Hi @mastupristi 

Which MCU are you using?  I want to test with you on the same platform.

Have you updated the MCUBoot to contain the public ECDSA_P256 key? 

Diego

mastupristi
Senior Contributor I

Hi @diego_charles 

 

> Which MCU are you using?

RT1021. I'm testing on MIMXRT1020-EVK

 

> Have you updated the MCUBoot to contain the public ECDSA_P256 key?

Yes, this is done automatically by the example.

In source/mcux_config.h I have substituted #define CONFIG_BOOT_ENCRYPT_RSA with #define CONFIG_BOOT_ENCRYPT_ECDSA_P256
In file source/sblconfig.h I have substituted 

#define CONFIG_BOOT_SIGNATURE_TYPE_RSA
#define CONFIG_BOOT_SIGNATURE_TYPE_RSA_LEN 2048

with

#define CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256

 

In file bootutil/nxp_port/keys.c the correct key file should be selected based on the definitions:

#if defined(MCUBOOT_SIGN_RSA)
#include "sign-rsa2048-pub.c"
#elif defined(MCUBOOT_SIGN_EC256)
#include "sign-ecdsa-p256-pub.c"
#else
#error "No public key available for given signing algorithm."
#endif

 

best regards

Max

diego_charles
NXP TechSupport

Hi @mastupristi 

I am sorry for the delay.

I noticed that none of our i.MX RT samples for MCUboot use the key you want. But the MCXN and MCXA examples for MCUBoot use the ecdsa-p256. I think the source could help us as a reference. 

Diego
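
A diagnostic for the question this thread turns on (does the signed image carry the signature type and key hash the bootloader was built to accept?), added here as an example and not part of any post, of imgtool, or of NXP's SDK. It assumes the upstream MCUboot image layout (header, payload, then TLV areas) and TLV type values, which should be checked against the bootutil version in the SDK, and that the KEYHASH TLV is the SHA-256 of the public key bytes compiled into the bootloader (for example the array in sign-ecdsa-p256-pub.c); it inspects metadata only and does not verify the signature. The function names and the sample image are constructed for illustration.

```python
import hashlib
import struct

IMAGE_MAGIC = 0x96F3B83D               # MCUboot image header magic
TLV_MAGICS = (0x6907, 0x6908)          # unprotected / protected TLV area
TLV_NAMES = {0x01: "KEYHASH", 0x10: "SHA256", 0x20: "RSA2048_PSS",
             0x22: "ECDSA_SIG", 0x24: "ED25519"}

def parse_tlvs(image: bytes) -> dict:
    """Return {tlv_name: value} for the TLV areas that follow the payload."""
    magic, _load, hdr_size, _prot, img_size = struct.unpack_from("<IIHHI", image, 0)
    if magic != IMAGE_MAGIC:
        raise ValueError("not an MCUboot image (bad header magic)")
    off, tlvs = hdr_size + img_size, {}
    while off + 4 <= len(image):
        info_magic, total = struct.unpack_from("<HH", image, off)
        if info_magic not in TLV_MAGICS or total < 4:
            break                      # padding or trailer reached
        pos, end = off + 4, min(off + total, len(image))
        while pos + 4 <= end:
            tlv_type, length = struct.unpack_from("<HH", image, pos)
            tlvs[TLV_NAMES.get(tlv_type, hex(tlv_type))] = image[pos + 4:pos + 4 + length]
            pos += 4 + length
        off += total
    return tlvs

def check_image(image: bytes, boot_pubkey: bytes, expected_sig: str) -> list:
    """List mismatches between the image and what the bootloader was built with."""
    tlvs, problems = parse_tlvs(image), []
    if expected_sig not in tlvs:
        problems.append(f"no {expected_sig} TLV in image")
    if tlvs.get("KEYHASH") != hashlib.sha256(boot_pubkey).digest():
        problems.append("KEYHASH does not match bootloader key")
    return problems

def build_sample(payload: bytes, pubkey: bytes, sig_type: int) -> bytes:
    """Constructed image: 32-byte header, payload, one unprotected TLV area."""
    hdr = struct.pack("<IIHHI", IMAGE_MAGIC, 0, 32, 0, len(payload)).ljust(32, b"\0")
    entries = ((0x10, hashlib.sha256(hdr + payload).digest()),
               (0x01, hashlib.sha256(pubkey).digest()),
               (sig_type, bytes(64)))  # placeholder bytes, not a real signature
    body = b"".join(struct.pack("<HH", t, len(v)) + v for t, v in entries)
    return hdr + payload + struct.pack("<HH", TLV_MAGICS[0], 4 + len(body)) + body

if __name__ == "__main__":
    ec_key, rsa_key = b"constructed EC key bytes", b"constructed RSA key bytes"
    image = build_sample(b"firmware", ec_key, 0x22)
    print(check_image(image, ec_key, "ECDSA_SIG"))      # image matches bootloader
    print(check_image(image, rsa_key, "RSA2048_PSS"))   # bootloader still built for RSA
```

An image signed with the ECDSA key but flashed next to a bootloader still built with the RSA key and RSA verification reports both mismatches, which separates a configuration problem from a corrupted image.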
