[PATCH 1/4] board: phytec: common: k3: Introduce Configs to Sign Images

Andrew Davis afd at ti.com
Fri Feb 7 18:07:52 CET 2025


On 2/7/25 12:51 AM, Daniel Schultz wrote:
> Private keys to sign bootloader images shouldn't be committed or part
> of this repository. Add config entries to use keys located outside
> of U-Boot to sign images.
> 

The custMpk.pem was always a placeholder, we fill it with the TI Dummy
key as an example. The idea was you replace it with your key using
something like a symlink. So custMpk.pem is replaced with a symlink pointing
to your real key when building on the production HSM. Why do you
need to have a Kconfig to point to your real key?

If you really want a full path to be settable from Kconfig for some
reason that I am not seeing, then others will want to too. So you
should make this option generic for all K3, nothing specific to this
one board family.

Andrew

> Signed-off-by: Maik Otto <m.otto at phytec.de>
> Signed-off-by: Nathan Morrisson <nmorrisson at phytec.com>
> Signed-off-by: Daniel Schultz <d.schultz at phytec.de>
> ---
>   board/phytec/common/k3/Kconfig | 34 ++++++++++++++++++++++++++++++++++
>   1 file changed, 34 insertions(+)
> 
> diff --git a/board/phytec/common/k3/Kconfig b/board/phytec/common/k3/Kconfig
> index 282f4b79742..19fe927b22e 100644
> --- a/board/phytec/common/k3/Kconfig
> +++ b/board/phytec/common/k3/Kconfig
> @@ -3,3 +3,37 @@ config PHYTEC_K3_DDR_PATCH
>   	help
>   	   Allow to override default DDR timings prior to
>   	   DDRSS driver probing.
> +
> +config PHYTEC_K3_KEY_BLOB_COPY
> +	bool "Copy the MPK key and the degenerate TI key to the build path"
> +	default y
> +	help
> +	   Select how to manage the MPK and degenerate TI keys.
> +	   If PHYTEC_K3_KEY_BLOB_COPY is enabled, the keys will be copied into
> +	   the U-Boot directory for compatibility with the TI dummy keys
> +	   stored there.
> +	   If PHYTEC_K3_KEY_BLOB_COPY is disabled, the build will use the
> +	   original key directly. It is recommended to use the original key to
> +	   avoid unnecessary duplication.
> +
> +config PHYTEC_K3_MPK_KEY
> +	string "Path to customer specific MPK key"
> +	default "custMpk.pem" if PHYTEC_K3_KEY_BLOB_COPY
> +	default "arch/arm/mach-k3/keys/custMpk.pem" if !PHYTEC_K3_KEY_BLOB_COPY
> +	help
> +	   Specifies the path to the MPK signing key:
> +	   If PHYTEC_K3_KEY_BLOB_COPY is enabled, provide the path to the blob
> +	   copy of the original key.
> +	   If PHYTEC_K3_KEY_BLOB_COPY is disabled, provide the path to the
> +	   original key.
> +
> +config PHYTEC_K3_DEGENERATE_KEY
> +	string "Path to the degenerate TI key"
> +	default "ti-degenerate-key.pem" if PHYTEC_K3_KEY_BLOB_COPY
> +	default "arch/arm/mach-k3/keys/ti-degenerate-key.pem" if !PHYTEC_K3_KEY_BLOB_COPY
> +	help
> +	   Specifies the  path to the degenerate key:
> +	   If PHYTEC_K3_KEY_BLOB_COPY is enabled, provide the path to the blob
> +	   copy of the original key.
> +	   If PHYTEC_K3_KEY_BLOB_COPY is disabled, provide the path to the
> +	   original key.
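
Review bot: In the PHYTEC_K3_KEY_BLOB_COPY entry, `default y` contradicts its own help text, which recommends using the original key directly. With this default the keys are copied into the U-Boot directory, which leaves a second copy of the private signing key in the tree, the situation the commit message sets out to avoid. Consider `default n`, or drop the copy mode and keep only the path options. The help for PHYTEC_K3_MPK_KEY and PHYTEC_K3_DEGENERATE_KEY should also say what a relative path is resolved against (source tree or build directory), and, for the copy mode, where the original key is taken from, since in that mode the string is described as the path to the copy and no option names the source. Minor: "Specifies the  path to the degenerate key" has a double space.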

