[PATCH v4 07/11] binman: openssl: Add boot and load extensions to x509 cert
Tom Rini
trini at konsulko.com
Mon Apr 27 21:57:02 CEST 2026
On Sat, Apr 25, 2026 at 09:07:38AM +0530, Beleswar Padhi wrote:
>
> The boot and load extensions in the x509 certificate are required for
> requesting the secure entity (TIFS) to boot a core. These fields are
> defined in the binman node for each core that must be booted by TIFS
> and must be included when generating the signed certificate.
>
> Add support to parse the boot and load extension properties from the
> binman node and populate them into the certificate. If any of the
> mandatory properties for an extension are missing, that respective
> extension section is NOT added to the certificate.
>
> Signed-off-by: Beleswar Padhi <b-padhi at ti.com>
> ---
> Cc: Simon Glass <sjg at chromium.org>
>
> v4: Changelog:
> 1. None
>
> Link to v3:
> https://lore.kernel.org/all/20251231173621.1069988-8-b-padhi@ti.com/
>
> v3: Changelog:
> 1. New patch. Add support to sign HSM firmware here in U-Boot.
>
> tools/binman/btool/openssl.py | 49 ++++++++++++++++++++++++++++++---
> tools/binman/etype/ti_secure.py | 18 ++++++++++++
> tools/binman/etype/x509_cert.py | 4 ++-
> 3 files changed, 66 insertions(+), 5 deletions(-)
Is there some testing we could be adding here? Does CI pass (and so yes,
everything that coverage checks for has been caught already)? Thanks.
--
Tom