[PATCH 0/6] k3-binman ergonomics

Rasmus Villemoes ravi at prevas.dk
Fri Jul 10 14:36:12 CEST 2026


When trying to hook up use of a customer's own signing infrastructure
for some am62x devices, I found it was more difficult than it should
be to point at the right key(s). One has to patch in the keyfile=
property in way too many places, and if you miss just one, the build
succeeds using the generic custMpk.pem for the one you missed, but of
course the resulting artifacts are unbootable.

Use the template mechanism that binman already has to allow one to
only set the keyfile= in a single place. I cannot really imagine any
case where one would not want to use the same key for signing all
artifacts across the r5/a53 cores, but that is of course still
possible, just as any downstreams that have explicit

&{/binman/tiboot3-am62x-hs-evm.bin/ti-secure-rom} {
    keyfile = "foobar.pem";
};

&{/binman/tiboot3-am62x-hs-fs-evm.bin/ti-secure-rom} {
    keyfile = "foobar.pem";
};

will continue to work.

Rasmus Villemoes (6):
  binman: openssl: refactor creation of Distinguished Name section from
    dict
  binman: x509_cert: allow and parse distinguished-name subnode
  binman: x509: fix CN emitted for basic x509 certificates
  k3-binman.dtsi: add keyfile_template node
  k3-binman.dtsi: add empty distinguished_name_template
  k3-binman.dtsi: insert keyfile and distinguished name templates in all
    ti-secure(-rom) nodes

 arch/arm/dts/k3-binman.dtsi              | 34 +++++++++++-----
 tools/binman/btool/openssl.py            | 51 ++++++++----------------
 tools/binman/etype/ti_secure.py          |  3 +-
 tools/binman/etype/ti_secure_rom.py      |  3 +-
 tools/binman/etype/x509_cert.py          |  8 +++-
 tools/binman/test/security/x509_cert.dts |  5 ++-
 6 files changed, 55 insertions(+), 49 deletions(-)

-- 
2.55.0



More information about the U-Boot mailing list