[PATCH 1/4] board: phytec: common: k3: Introduce Configs to Sign Images

[Daniel Schultz]

On 07.02.25 18:07, Andrew Davis wrote:
> On 2/7/25 12:51 AM, Daniel Schultz wrote:
>> Private keys to sign bootloader images shouldn't be commit or part
>> of this repository. Add config entries to use keys located outside
>> of U-Boot to sign images.
>>
>
> The custMpk.pem was always a placeholder, we fill it with the TI Dummy
> key as an example. The idea was you replace it with your key using
> something like a symlink. So custMpk.pem is replaced with a pointing
> to your real key when building on the production HSM. Why do you
> need to have a Kconfig to point to your real key?

Thanks for pointing that out! We were not aware of that process and 
added these Kconfigs. I just sent new patches to add the missing keyfile 
entries in our binman to use symlinks.

- Daniel

>
> If you really want a full path to be settable from Kconfig for some
> reason that I am not seeing, then others will want to too. So you
> should make this option generic for all K3, nothing specific to this
> one board family.
>
> Andrew
>
>> Signed-off-by: Maik Otto <m.otto at phytec.de>
>> Signed-off-by: Nathan Morrisson <nmorrisson at phytec.com>
>> Signed-off-by: Daniel Schultz <d.schultz at phytec.de>
>> ---
>>   board/phytec/common/k3/Kconfig | 34 ++++++++++++++++++++++++++++++++++
>>   1 file changed, 34 insertions(+)
>>
>> diff --git a/board/phytec/common/k3/Kconfig 
>> b/board/phytec/common/k3/Kconfig
>> index 282f4b79742..19fe927b22e 100644
>> --- a/board/phytec/common/k3/Kconfig
>> +++ b/board/phytec/common/k3/Kconfig
>> @@ -3,3 +3,37 @@ config PHYTEC_K3_DDR_PATCH
>>       help
>>          Allow to override default DDR timings prior to
>>          DDRSS driver probing.
>> +
>> +config PHYTEC_K3_KEY_BLOB_COPY
>> +    bool "Copy the MPK key and the degenerate TI key to the build path"
>> +    default y
>> +    help
>> +       Select how to manage the MPK and degenerate TI keys.
>> +       If PHYTEC_K3_KEY_BLOB_COPY is enabled, the keys will be 
>> copied into
>> +       the U-Boot directory for compatibility with the TI dummy keys
>> +       stored there.
>> +       If PHYTEC_K3_KEY_BLOB_COPY is disabled, the build will use the
>> +       original key directly. It is recommended to use the original 
>> key to
>> +       avoid unnecessary duplication.
>> +
>> +config PHYTEC_K3_MPK_KEY
>> +    string "Path to customer specific MPK key"
>> +    default "custMpk.pem" if PHYTEC_K3_KEY_BLOB_COPY
>> +    default "arch/arm/mach-k3/keys/custMpk.pem" if 
>> !PHYTEC_K3_KEY_BLOB_COPY
>> +    help
>> +       Specifies the path to the MPK signing key:
>> +       If PHYTEC_K3_KEY_BLOB_COPY is enabled, provide the path to 
>> the blob
>> +       copy of the original key.
>> +       If PHYTEC_K3_KEY_BLOB_COPY is disabled, provide the path to the
>> +       original key.
>> +
>> +config PHYTEC_K3_DEGENERATE_KEY
>> +    string "Path to the degenerate TI key"
>> +    default "ti-degenerate-key.pem" if PHYTEC_K3_KEY_BLOB_COPY
>> +    default "arch/arm/mach-k3/keys/ti-degenerate-key.pem" if 
>> !PHYTEC_K3_KEY_BLOB_COPY
>> +    help
>> +       Specifies the  path to the degenerate key:
>> +       If PHYTEC_K3_KEY_BLOB_COPY is enabled, provide the path to 
>> the blob
>> +       copy of the original key.
>> +       If PHYTEC_K3_KEY_BLOB_COPY is disabled, provide the path to the
>> +       original key.