From 9b43df59a4593a64f93d2ec14a9988936b23cd60 Mon Sep 17 00:00:00 2001
From: Paul-Emile RENE <242430366+prene-se@users.noreply.github.com>
Date: Mon, 10 Nov 2025 18:02:10 +0100
Subject: [PATCH] boot: zephyr: Add ECDSA support using mbedTLS
---
 boot/zephyr/CMakeLists.txt | 28 ++++++++++++++++------------
 boot/zephyr/Kconfig | 14 ++++++++++++++
 2 files changed, 30 insertions(+), 12 deletions(-)
diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt
index 1813ea3217..e53f1f712a 100644
--- a/boot/zephyr/CMakeLists.txt
+++ b/boot/zephyr/CMakeLists.txt
@@ -300,21 +300,25 @@ elseif(CONFIG_BOOT_SIGNATURE_TYPE_ED25519 OR CONFIG_BOOT_ENCRYPT_X25519)
 endif()
 if(NOT CONFIG_BOOT_ED25519_PSA AND NOT CONFIG_BOOT_ECDSA_PSA)
- if(CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_BOOT_ENCRYPT_X25519)
- zephyr_library_sources(
- ${TINYCRYPT_DIR}/source/aes_encrypt.c
- ${TINYCRYPT_DIR}/source/aes_decrypt.c
- ${TINYCRYPT_DIR}/source/ctr_mode.c
- ${TINYCRYPT_DIR}/source/hmac.c
- ${TINYCRYPT_DIR}/source/ecc_dh.c
- )
+ if(CONFIG_BOOT_USE_TINYCRYPT)
+ if(CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_BOOT_ENCRYPT_X25519)
+ zephyr_library_sources(
+ ${TINYCRYPT_DIR}/source/aes_encrypt.c
+ ${TINYCRYPT_DIR}/source/aes_decrypt.c
+ ${TINYCRYPT_DIR}/source/ctr_mode.c
+ ${TINYCRYPT_DIR}/source/hmac.c
+ ${TINYCRYPT_DIR}/source/ecc_dh.c
+ )
+ endif()
 endif()
 endif()
-if(CONFIG_BOOT_ENCRYPT_EC256 AND NOT CONFIG_BOOT_ECDSA_PSA)
- zephyr_library_sources(
- ${TINYCRYPT_DIR}/source/ecc_dh.c
- )
+if(CONFIG_BOOT_USE_TINYCRYPT)
+ if(CONFIG_BOOT_ENCRYPT_EC256 AND NOT CONFIG_BOOT_ECDSA_PSA)
+ zephyr_library_sources(
+ ${TINYCRYPT_DIR}/source/ecc_dh.c
+ )
+ endif()
 endif()
 if(CONFIG_MCUBOOT_SERIAL)
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
index 828bcb71e7..e396b43e44 100644
--- a/boot/zephyr/Kconfig
+++ b/boot/zephyr/Kconfig
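Review bot: In boot/zephyr/CMakeLists.txt the new `if(CONFIG_BOOT_USE_TINYCRYPT)` guard changes every configuration that reaches these two branches, not only the ECDSA-on-mbedTLS case this commit adds. Before, `CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_BOOT_ENCRYPT_X25519` was enough to compile TinyCrypt's AES, CTR, HMAC and ECDH sources; now an encrypted-image build without `BOOT_USE_TINYCRYPT` gets none of them and relies on another backend providing the key-exchange and decryption primitives, which this hunk does not show. It is worth confirming that each supported signature/encryption pairing (X25519 in particular) still selects a backend for those primitives, and stating the intent in a comment above the guard, for example `# TinyCrypt image-encryption primitives; mbedTLS and PSA builds provide their own`. The nested `if` can also be folded into one condition, `if(CONFIG_BOOT_USE_TINYCRYPT AND (CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_BOOT_ENCRYPT_X25519))`.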
@@ -283,6 +283,20 @@ config BOOT_ECDSA_TINYCRYPT
 bool "Use tinycrypt"
 select BOOT_USE_TINYCRYPT
+config BOOT_ECDSA_MBEDTLS
+ bool "Use mbedTLS"
+ select BOOT_USE_MBEDTLS
+ select MBEDTLS
+ select MBEDTLS_ECP_C if MBEDTLS_BUILTIN
+ select MBEDTLS_ECDSA_C if MBEDTLS_BUILTIN
+ select MBEDTLS_ECP_DP_SECP256R1_ENABLED if MBEDTLS_BUILTIN
+ select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN
+ select MBEDTLS_ECP_NIST_OPTIM if MBEDTLS_BUILTIN
+ select MBEDTLS_SHA256 if MBEDTLS_BUILTIN
+ select MBEDTLS_MD if MBEDTLS_BUILTIN
+ select MBEDTLS_ECDH_C if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE
+ select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE
+
 config BOOT_ECDSA_CC310
 bool "Use CC310"
 depends on HAS_HW_NRF_CC310
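Review bot: `BOOT_ECDSA_MBEDTLS` has no `help` text, and every feature it needs is selected only `if MBEDTLS_BUILTIN`, so with a non-builtin mbedTLS nothing in this entry guarantees that ECDSA, the P-256 curve, SHA-256 or ASN.1 parsing are present in the library that verifies image signatures. A help block should say that signature verification runs on mbedTLS's ECDSA over secp256r1 and that, when `MBEDTLS_BUILTIN` is not set, the integrator must enable the equivalent features in their own mbedTLS configuration. mbedTLS's ECP and bignum code allocates at run time, so it is also worth checking that the heap the bootloader gives mbedTLS is sized for P-256 verification; the hunk does not show where that is configured. The surrounding choice or menu starts and ends outside the hunk.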