[PATCH v5 1/2] binman: x509_cert: document Entry_x509_cert properties

Quentin Schulz quentin.schulz at cherry.de
Thu Jun 18 18:51:02 CEST 2026


Hi Sergio,

On 5/25/26 3:28 PM, Sergio Prado wrote:
> The Entry_x509_cert class only listed 'content' in its
> 'Properties / Entry arguments' section, even though 'keyfile',
> 'cert-ca', 'cert-revision-int' and 'sw-rev' are also read from the
> entry node and passed through to openssl.
> 
> Expand the docstring so the binman documentation generated from it
> matches the actual behavior of the entry.
> 
> No functional change.
> 
> Signed-off-by: Sergio Prado <sergio.prado at e-labworks.com>
> ---
>   tools/binman/etype/x509_cert.py | 10 +++++++++-
>   1 file changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py
> index b6e8b0b4fb09..efa85f9553e7 100644
> --- a/tools/binman/etype/x509_cert.py
> +++ b/tools/binman/etype/x509_cert.py
> @@ -18,7 +18,15 @@ class Entry_x509_cert(Entry_collection):
>       """An entry which contains an X509 certificate
>   
>       Properties / Entry arguments:
> -        - content: List of phandles to entries to sign
> +        - content: List of phandles to entries to sign.
> +        - keyfile: Filename of the PEM key file used to sign the binary.
> +        - cert-ca: Common Name (CN) embedded in the certificate. Used when
> +            generating a generic x509 certificate.

You know what's funny? This isn't used at all. Parsed and passed to the 
openssl bintool, and it does nothing with it. I bet

CN                     = {cert_fname}

should actually be

CN                     = {cn}

and we probably should add a test to whatever's using 
tools/binman/test/security/x509_cert.dts to actually test the CN is the 
expected one.

> +        - cert-revision-int: Integer certificate revision number. Used when
> +            generating a generic x509 certificate. Defaults to 0.
> +        - sw-rev: Software revision number embedded in the certificate by
> +            the sysfw/rom variants used by the TI K3 secure boot subclasses.
> +            Defaults to 1.
>   
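Review bot: The new cert-ca line, `+        - cert-ca: Common Name (CN) embedded in the certificate. Used when`, documents behaviour that, per the reply above, the openssl bintool does not implement (the template substitutes cert_fname rather than the CN), so the docstring would describe an intended rather than an actual effect; either word it as "intended to set the CN (currently not applied by the bintool)" or land the bintool fix first so the generated documentation stays truthful. Likewise, cert-revision-int and sw-rev are described as separate properties with different defaults (0 and 1) although the reply above says they feed the same field; stating in each entry which subclass reads it, and that they are alternatives, would avoid a reader setting both and expecting both to apply.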

Sigh.. It seems like cert-revision-int and sw-rev are actually used for 
the same thing, just with a different default value.

It'd be nice to send a follow-up commit either fixing the non-use of 
cert-ca, or removing it entirely. Not necessary for this patch series though.

Reviewed-by: Quentin Schulz <quentin.schulz at cherry.de>

Thanks!
Quentin

