Hi Sergio,

On 5/25/26 3:28 PM, Sergio Prado wrote:
The Entry_x509_cert class only listed 'content' in its
'Properties / Entry arguments' section, even though 'keyfile',
'cert-ca', 'cert-revision-int' and 'sw-rev' are also read from the
entry node and passed through to openssl.

Expand the docstring so the binman documentation generated from it
matches the actual behavior of the entry.

No functional change.

Signed-off-by: Sergio Prado <[email protected]>
---
  tools/binman/etype/x509_cert.py | 10 +++++++++-
  1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py
index b6e8b0b4fb09..efa85f9553e7 100644
--- a/tools/binman/etype/x509_cert.py
+++ b/tools/binman/etype/x509_cert.py
@@ -18,7 +18,15 @@ class Entry_x509_cert(Entry_collection):
      """An entry which contains an X509 certificate
Properties / Entry arguments:
-        - content: List of phandles to entries to sign
+        - content: List of phandles to entries to sign.
+        - keyfile: Filename of the PEM key file used to sign the binary.
+        - cert-ca: Common Name (CN) embedded in the certificate. Used when
+            generating a generic x509 certificate.

You know what's funny? This isn't used at all. Parsed and passed to the openssl bintool, and it does nothing with it. I bet

CN                     = {cert_fname}

should actually be

CN                     = {cn}

and we probably should add a test to whatever's using tools/binman/test/security/x509_cert.dts to actually test the CN is the expected one.

+        - cert-revision-int: Integer certificate revision number. Used when
+            generating a generic x509 certificate. Defaults to 0.
+        - sw-rev: Software revision number embedded in the certificate by
+            the sysfw/rom variants used by the TI K3 secure boot subclasses.
+            Defaults to 1.
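Review bot: The new descriptions for cert-ca, cert-revision-int and sw-rev document behaviour that, per the discussion in this thread, the entry does not actually have, which works against the commit's stated goal of making the generated docs match the entry. cert-ca is described as the CN "embedded in the certificate", yet the reply above notes the value is parsed and passed to the openssl bintool and then ignored (the template still uses `{cert_fname}`); and cert-revision-int and sw-rev are documented as two independent knobs with different defaults although they are reported to feed the same revision field. Suggest either stating in the docstring that cert-ca is currently not applied, or holding this hunk until the CN template is fixed, and adding one sentence saying that cert-revision-int and sw-rev set the same field and which one takes precedence when both are present (or dropping one of the two properties).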

Sigh.. It seems like cert-revision-int and sw-rev are actually used for the same thing, just with a different default value.

It'd be nice to send a follow-up commit either fixing the non-use of cert-ca, or removing it entirely. Not necessary for this patch series though.

Reviewed-by: Quentin Schulz <[email protected]>

Thanks!
Quentin
