[PATCH 0/6] k3-binman ergonomics
Rasmus Villemoes
ravi at prevas.dk
Fri Jul 10 14:36:12 CEST 2026
When trying to hook up use of a customer's own signing infrastructure
for some am62x devices, I found it was more difficult than it should
be to point at the right key(s). One has to patch in the keyfile=
property in way too many places, and if you miss just one, the build
succeeds using the generic custMpk.pem for the one you missed, but of
course the resulting artifacts are unbootable.
Use the template mechanism that binman already has to allow one to
only set the keyfile= in a single place. I cannot really imagine any
case where one would not want to use the same key for signing all
artifacts across the r5/a53 cores, but that is of course still
possible, just as any downstreams that have explicit
&{/binman/tiboot3-am62x-hs-evm.bin/ti-secure-rom} {
keyfile = "foobar.pem";
};
&{/binman/tiboot3-am62x-hs-fs-evm.bin/ti-secure-rom} {
keyfile = "foobar.pem";
};
will continue to work.
Rasmus Villemoes (6):
binman: openssl: refactor creation of Distinguished Name section from
dict
binman: x509_cert: allow and parse distinguished-name subnode
binman: x509: fix CN emitted for basic x509 certificates
k3-binman.dtsi: add keyfile_template node
k3-binman.dtsi: add empty distinguished_name_template
k3-binman.dtsi: insert keyfile and distinguished name templates in all
ti-secure(-rom) nodes
arch/arm/dts/k3-binman.dtsi | 34 +++++++++++-----
tools/binman/btool/openssl.py | 51 ++++++++----------------
tools/binman/etype/ti_secure.py | 3 +-
tools/binman/etype/ti_secure_rom.py | 3 +-
tools/binman/etype/x509_cert.py | 8 +++-
tools/binman/test/security/x509_cert.dts | 5 ++-
6 files changed, 55 insertions(+), 49 deletions(-)
--
2.55.0
More information about the U-Boot
mailing list