[PATCH 0/2] Add a build time parameter to accept custom signing key
Quentin Schulz
quentin.schulz at cherry.de
Fri Feb 6 12:31:28 CET 2026
Hi T,
On 2/6/26 12:04 PM, T Pratham wrote:
> [You don't often get email from t-pratham at ti.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
>
> This series adds support to use a custom key provided via Make during
> build for signing the bootloader binaries, and updates the k3-binman to
> use it.
>
Can't you use the same mechanism we have for adding the pubkey to the
SPL DTB (see tools/binman/etype/u_boot_spl_pubkey_dtb.py)?
We use key-name-hint property which is a key filename without the .crt
extension, you don't necessarily need to reuse this (but I think it
makes sense) but sharing the logic for finding the key seems more
interesting to me.
We try to find the key with tools.get_input_filename(self._key_name_hint
+ ".crt"). The paths that are traversed can be specified with
BINMAN_INDIRS. This should help with not having to add yet another
variable. Set allow_missing to True and if it returns None, then use the
key listed in the filename property?
Also, is there really a need for separate binman image just for keys?
Can't you have ti-secure/ti-secure-rom use key-name-hint directly to
avoid yet another binman entry?
Cheers,
Quentin
More information about the U-Boot
mailing list