Currently, it is somewhat tedious for downstream/custom boards to
override the keyfile used for signing all the various artifacts
involved in booting on K3 devices to point at their own key (or
pkcs#11 uri for that matter). One has to have overrides in one's .dtsi
for each and every ti-secure / ti-secure-rom node, and a lot of those
do not even have dts labels, so one has to use their full
/binman/... path.

Add a small dedicated template that only contains the keyfile
property. In a subsequent patch, we will change nodes that contain an
explicit 'keyfile = "custMpk.pem"' to instead have this template
inserted. This way, the downstream board's .dtsi file only needs to
contain something like

  &keyfile_template {
    keyfile = "/path/to/own/key.pem";
  };

and that will then automatically propagate to all the nodes.

Signed-off-by: Rasmus Villemoes <[email protected]>
---
 arch/arm/dts/k3-binman.dtsi | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/arm/dts/k3-binman.dtsi b/arch/arm/dts/k3-binman.dtsi
index ad127663d03..69214bb32fb 100644
--- a/arch/arm/dts/k3-binman.dtsi
+++ b/arch/arm/dts/k3-binman.dtsi
@@ -25,6 +25,10 @@
                        filename = 
"arch/arm/mach-k3/keys/ti-degenerate-key.pem";
                };
        };
+
+       keyfile_template: template-keyfile {
+               keyfile = "custMpk.pem";
+       };
 };
 
 #ifndef CONFIG_ARM64
-- 
2.55.0

Reply via email to