[PATCH 1/2] binman: introduce signing-key-path etype
T Pratham
t-pratham at ti.com
Fri Feb 6 12:04:38 CET 2026
The image binaries generated by the build are signed using a key file.
Currently, for K3 SoCs, the example key stored in
arch/arm/mach-k3/keys/custMpk.pem is used for this by default. Changing the
key for any purpose (testing, production environment, etc.) requires
replacing the key file at that path.
This patch adds a signing-key-path etype to binman along with a Makefile
variable SIGNING_KEY which can be used to provide a key file directly
with build commands.
Signed-off-by: T Pratham <t-pratham at ti.com>
---
Makefile | 1 +
tools/binman/entries.rst | 23 ++++++++++++++++++++
tools/binman/etype/signing_key_path.py | 30 ++++++++++++++++++++++++++
tools/binman/ftest.py | 7 ++++++
tools/binman/test/351_signing_key.dts | 12 +++++++++++
5 files changed, 73 insertions(+)
create mode 100644 tools/binman/etype/signing_key_path.py
create mode 100644 tools/binman/test/351_signing_key.dts
diff --git a/Makefile b/Makefile
index 435a4bf372d..2c7994b8c41 100644
--- a/Makefile
+++ b/Makefile
@@ -1697,6 +1697,7 @@ cmd_binman = $(srctree)/tools/binman/binman $(if $(BINMAN_DEBUG),-D) \
-a vpl-dtb=$(CONFIG_VPL_OF_REAL) \
-a pre-load-key-path=${PRE_LOAD_KEY_PATH} \
-a of-spl-remove-props=$(CONFIG_OF_SPL_REMOVE_PROPS) \
+ -a signing-key-path=${SIGNING_KEY} \
$(BINMAN_$(@F))
OBJCOPYFLAGS_u-boot.ldr.hex := -I binary -O ihex
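Review bot: `SIGNING_KEY` on the added `-a signing-key-path=${SIGNING_KEY}` line holds a path rather than key material, while the line above uses `PRE_LOAD_KEY_PATH` for the same kind of value. Naming it `SIGNING_KEY_PATH` would match, and it is less likely to collide with a variable already exported in a CI environment, which make would pick up silently. The argument is also passed when the variable is unset, so the fallback to the node's `filename` relies on the etype treating an empty value as absent; a short comment saying so would help. The cmd_binman definition starts before this hunk.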
diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
index a81fcbd3891..0f2e0719221 100644
--- a/tools/binman/entries.rst
+++ b/tools/binman/entries.rst
@@ -1986,6 +1986,29 @@ available. This is set by the `SetAllowMissing()` method, if
+.. _etype_signing_key_path:
+
+Entry: signing-key-path: Entry containing a signing key blob
+---------------------------------------------------------------
+
+Properties / Entry arguments:
+ - signing-key-path: Filename of file to read into entry. This typically
+ is <file_name>.pem or <file_name>.key
+
+This entry holds the private key file used for signing images.
+
+Typical usage of this is to provide the full path to the key file in
+SIGNING_KEY make argument during build. If this is not provided, the entry will
+fallback to using the key file specified in the binman node filename property::
+
+ binman {
+ signing-key-path {
+ filename = "default_key.pem";
+ };
+ };
+
+
+
.. _etype_tee_os:
Entry: tee-os: Entry containing an OP-TEE Trusted OS (TEE) blob
diff --git a/tools/binman/etype/signing_key_path.py b/tools/binman/etype/signing_key_path.py
new file mode 100644
index 00000000000..a68b854b7e4
--- /dev/null
+++ b/tools/binman/etype/signing_key_path.py
@@ -0,0 +1,30 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright (c) 2026 Texas Instruments Incorporated - https://www.ti.com/
+# Written by T Pratham <t-pratham at ti.com>
+#
+# Entry-type module for private key file for signing images
+#
+
+from binman.etype.blob_named_by_arg import Entry_blob_named_by_arg
+
+class Entry_signing_key_path(Entry_blob_named_by_arg):
+ """Private key file path for signing images
+
+ Properties / Entry arguments:
+ - signing-key-path: Path to the private key file
+
+ This entry holds the private key file used for signing images.
+
+ Typical usage of this is to provide the full path to the key file in
+ SIGNING_KEY make argument during build. If this is not provided, the entry will
+ fallback to using the key file specified in the binman node filename property::
+
+ binman {
+ signing-key-path {
+ filename = "default_key.pem";
+ };
+ };
+ """
+ def __init__(self, section, etype, node):
+ super().__init__(section, etype, node, 'signing-key')
+ self.external = True
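Review bot: `Entry_signing_key_path` is a blob entry, so wherever a `signing-key-path` node sits inside an image its contents, the private key itself, are written into the output, and the docstring ("This entry holds the private key file") does not warn about that. The new testSigningKey in ftest.py confirms it by asserting that the image data equals the key bytes. If the intent is only to hand a key path to the signing entries, the docstring should say so, for example `Do not place this entry in a section that ends up in a distributed image: its contents are the private key.` Separately, `self.external = True` presumably lets a missing key file be tolerated under allow-missing as for other external blobs; confirm that a build cannot go on to sign with an absent or placeholder key.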
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index a53e37f31b3..8383db567de 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -109,6 +109,7 @@ TI_BOARD_CONFIG_DATA = b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x
TI_UNSECURE_DATA = b'unsecuredata'
IMX_LPDDR_IMEM_DATA = b'qwertyuiop1234567890'
IMX_LPDDR_DMEM_DATA = b'asdfghjklzxcvbnm'
+SIGNING_KEY_DATA = b'signingkey'
# Subdirectory of the input dir to use to put test FDTs
TEST_FDT_SUBDIR = 'fdts'
@@ -238,6 +239,7 @@ class TestFunctional(unittest.TestCase):
TestFunctional._MakeInputFile('rockchip-tpl.bin', ROCKCHIP_TPL_DATA)
TestFunctional._MakeInputFile('ti_unsecure.bin', TI_UNSECURE_DATA)
TestFunctional._MakeInputFile('capsule_input.bin', EFI_CAPSULE_DATA)
+ TestFunctional._MakeInputFile('signing_key.pem', SIGNING_KEY_DATA)
# Add a few .dtb files for testing
TestFunctional._MakeInputFile('%s/test-fdt1.dtb' % TEST_FDT_SUBDIR,
@@ -8334,5 +8336,10 @@ fdt fdtmap Extract the devicetree blob from the fdtmap
self.assertEqual(len(subnode4.props), 0,
"subnode shouldn't have any properties")
+ def testSigningKey(self):
+ """Test that signing key is correctly passed using signing-key property"""
+ data = self._DoReadFile('351_signing_key.dts')
+ self.assertEqual(SIGNING_KEY_DATA, data)
+
if __name__ == "__main__":
unittest.main()
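Review bot: testSigningKey only exercises the `filename` fallback, so nothing checks that a `signing-key-path` entry argument, the value the Makefile change feeds from SIGNING_KEY, actually overrides it. A second test that passes the entry arg and expects a different key's bytes would cover the feature this patch adds. It needs one more input file and constant next to `SIGNING_KEY_DATA`; the names below are illustrative. The TestFunctional class begins outside this hunk.

```python
    def testSigningKeyArg(self):
        """Test that the signing-key-path entry arg overrides filename"""
        entry_args = {'signing-key-path': 'signing_key_arg.pem'}
        data = self._DoReadFileDtb('351_signing_key.dts',
                                   entry_args=entry_args)[0]
        self.assertEqual(SIGNING_KEY_ARG_DATA, data)
```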
diff --git a/tools/binman/test/351_signing_key.dts b/tools/binman/test/351_signing_key.dts
new file mode 100644
index 00000000000..e035f61a242
--- /dev/null
+++ b/tools/binman/test/351_signing_key.dts
@@ -0,0 +1,12 @@
+/dts-v1/;
+
+/ {
+ #address-cells = <1>;
+ #size-cells = <1>;
+
+ binman {
+ signing-key-path {
+ filename = "signing_key.pem";
+ };
+ };
+};
--
2.34.1