Hi Rasmus,

On 2026-07-10T12:36:12, Rasmus Villemoes <[email protected]> wrote:
> binman: x509_cert: allow and parse distinguished-name subnode
>
> Currently, the ti-secure and ti-secure-rom types hardcode the contents
> of the Distinguished Name section. Those values are not necessarily
> appropriate for all boards that just happen to include a SOC produced
> by TI.
>
> Allow placing a distinguished-name subnode inside the binman node
> representing the Entry_x509_cert (or derived classes), and if present,
> use that information.
>
> Signed-off-by: Rasmus Villemoes <[email protected]>
>
> tools/binman/etype/ti_secure.py     | 3 ++-
>  tools/binman/etype/ti_secure_rom.py | 3 ++-
>  tools/binman/etype/x509_cert.py     | 5 +++++
>  3 files changed, 9 insertions(+), 2 deletions(-)

> diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py
> @@ -61,6 +61,11 @@ class Entry_x509_cert(Entry_collection):
> +        dist_name_node = self._node.FindNode('distinguished-name')
> +        if dist_name_node:
> +            self.req_dist_name = dict()
> +            for pname, prop in dist_name_node.props.items():
> +                self.req_dist_name[pname] = prop.value

Please can you document the new distinguished-name subnode in the
class docstring, since the entry documentation is generated from
these docstrings?

The ti-secure and ti-secure-rom docstrings should mention it too,
along with a note that it overrides the default TI values.

Also, this iterates the raw props, so a property with no value (a
boolean) or one with multiple strings ends up formatted as 'True' or
as a Python list in the openssl config. I suspect it is worth
validating that each value is a single string and raising an error
otherwise, at least until the multi-value support mentioned in patch
1 is added. What do you think?

Regards,
Simon

Reply via email to