With the previous commit, "binman: x509_cert: allow and parse
distinguished-name subnode", it is possible for downstream boards to
put more appropriate values in the req_distinguished_name section in
the certificate being generated than the hard-coded TI
values. However, that requires adding a distinguished-name section to
each and every ti-secure or ti-secure-rom binman node.

In order to avoid lots of repetition and make it easier to just add
the information in one place, add an empty template-dist-name template
which we can inject in every such binman node. That makes no
difference for existing boards, but makes it possible for downstream
boards to simply do

    &distinguished_name_template {
        distinguished-name {
            C = "DK";
            ...
        };
    };

in their -u-boot.dtsi.

Signed-off-by: Rasmus Villemoes <[email protected]>
---
 arch/arm/dts/k3-binman.dtsi | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/arch/arm/dts/k3-binman.dtsi b/arch/arm/dts/k3-binman.dtsi
index 69214bb32fb..2c9e5b619b7 100644
--- a/arch/arm/dts/k3-binman.dtsi
+++ b/arch/arm/dts/k3-binman.dtsi
@@ -29,6 +29,16 @@
        keyfile_template: template-keyfile {
                keyfile = "custMpk.pem";
        };
+
+       distinguished_name_template: template-dist-name {
+               /*
+                * Empty, but allows downstreams to inject a
+                * distinguished-name subnode with appropriate
+                * contents from their -u-boot.dtsi, which will
+                * propagate to all ti-secure(-rom) nodes including
+                * this template.
+                */
+       };
 };
 
 #ifndef CONFIG_ARM64
-- 
2.55.0

Reply via email to