On Fri Jul 10, 2026 at 6:06 PM IST, Rasmus Villemoes wrote:
> When trying to hook up use of a customer's own signing infrastructure
> for some am62x devices, I found it was more difficult than it should
> be to point at the right key(s). One has to patch in the keyfile=
> property in way too many places, and if you miss just one, the build
> succeeds using the generic custMpk.pem for the one you missed, but of
> course the resulting artifacts are unbootable.
>

The default value for keyfile i.e custMpk.pem is generated via binman
from the custMpk node in binman (defined in k3-binman.dtsi), modifying
the filepath to your custom key should work as a single line change as
is.

Perhaps this could be made more clear by the use of a macro instead of
hardcoding the string "custMpk.pem" in all the places to make it more
obvious.

Other than that, the addition of configurable distinguished-name could
be valuable addition, do you have any specific use case asides from
downstream boards? I wonder if it could be valuable for existing
upstream platforms from Toradex/Phytec.

CC+: Francesco, Wadim

> Use the template mechanism that binman already has to allow one to
> only set the keyfile= in a single place. I cannot really imagine any
> case where one would not want to use the same key for signing all
> artifacts across the r5/a53 cores, but that is of course still
> possible, just as any downstreams that have explicit
>
> &{/binman/tiboot3-am62x-hs-evm.bin/ti-secure-rom} {
>     keyfile = "foobar.pem";
> };
>
> &{/binman/tiboot3-am62x-hs-fs-evm.bin/ti-secure-rom} {
>     keyfile = "foobar.pem";
> };
>
> will continue to work.
>
> Rasmus Villemoes (6):
>   binman: openssl: refactor creation of Distinguished Name section from
>     dict
>   binman: x509_cert: allow and parse distinguished-name subnode
>   binman: x509: fix CN emitted for basic x509 certificates
>   k3-binman.dtsi: add keyfile_template node
>   k3-binman.dtsi: add empty distinguished_name_template
>   k3-binman.dtsi: insert keyfile and distinguished name templates in all
>     ti-secure(-rom) nodes
>
>  arch/arm/dts/k3-binman.dtsi              | 34 +++++++++++-----
>  tools/binman/btool/openssl.py            | 51 ++++++++----------------
>  tools/binman/etype/ti_secure.py          |  3 +-
>  tools/binman/etype/ti_secure_rom.py      |  3 +-
>  tools/binman/etype/x509_cert.py          |  8 +++-
>  tools/binman/test/security/x509_cert.dts |  5 ++-
>  6 files changed, 55 insertions(+), 49 deletions(-)

Reply via email to