zephyr: Enable building ECDSA PSA variant

ahasztag · ahasztag · commit 201cf52b78ce · 2025-07-18T11:02:27.000+02:00
Adds Kconfig option CONFIG_BOOT_ECDSA_PSA that allows to switch
ECDSA to PSA backend.

Signed-off-by: Artur Hadasz &lt;artur.hadasz@nordicsemi.no&gt;
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
@@ -113,6 +113,14 @@ config BOOT_X25519_PSA_DEPENDENCIES
 
 endif # BOOT_ENCRYPT_IMAGE
 
+config BOOT_ECDSA_PSA_DEPENDENCIES
+	bool
+	select PSA_WANT_ALG_ECDSA
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+	select PSA_WANT_ECC_SECP_R1_256
+	help
+	  Dependencies for ECDSA signature
+
 if MBEDTLS_ENABLE_HEAP
 
 config MBEDTLS_HEAP_SIZE
@@ -222,6 +230,15 @@ config BOOT_IMG_HASH_ALG_SHA512
 
 endchoice # BOOT_IMG_HASH_ALG
 
+config BOOT_KEY_IMPORT_BYPASS_ASN
+	bool "Directly access key value without ASN.1 parsing"
+	help
+	  Originally, public keys compiled into MCUboot were
+	  stored in ASN.1 encoded format. Enabling this option
+	  bypasses the ASN.1 decoding and directly accesses the key
+	  in ASN.1 bitstream; this reduces MCUboot code by removing
+	  the ASN.1 processing.
+
 config BOOT_SIGNATURE_TYPE_PURE_ALLOW
 	bool
 	help
@@ -269,6 +286,7 @@ config BOOT_SIGNATURE_TYPE_ECDSA_P256
 if BOOT_SIGNATURE_TYPE_ECDSA_P256
 choice BOOT_ECDSA_IMPLEMENTATION
 	prompt "Ecdsa implementation"
+	default BOOT_ECDSA_PSA
 	default BOOT_ECDSA_TINYCRYPT
 
 config BOOT_ECDSA_TINYCRYPT
@@ -282,6 +300,18 @@ config BOOT_ECDSA_CC310
 	select NRF_CC310_BL
 	select NRFXLIB_CRYPTO
 	select BOOT_USE_CC310
+
+config BOOT_ECDSA_PSA
+	bool "Use psa cryptoo"
+	select BOOT_USE_PSA_CRYPTO
+	select PSA_CRYPTO_CLIENT
+	select PSA_CRYPTO_C
+	select BOOT_KEY_IMPORT_BYPASS_ASN
+	select BOOT_IMG_HASH_ALG_SHA256_ALLOW
+	select BOOT_IMG_HASH_ALG_SHA512_ALLOW
+	select PSA_WANT_ALG_ECDSA
+	select BOOT_ECDSA_PSA_DEPENDENCIES
+
 endchoice # Ecdsa implementation
 endif
 
@@ -345,14 +375,6 @@ config BOOT_ED25519_PSA
 
 endchoice
 
-config BOOT_KEY_IMPORT_BYPASS_ASN
-	bool "Directly access key value without ASN.1 parsing"
-	help
-	  Originally, public keys compiled into MCUboot were
-	  stored in ASN.1 encoded format. Enabling this option
-	  bypasses the ASN.1 decoding and directly accesses the key
-	  in ASN.1 bitstream; this reduces MCUboot code by removing
-	  the ASN.1 processing.
 endif
 
 endchoice
