The image binaries generated by the build are signed using a key file. Currently, for k3 SoCs by default the example key stored in arch/arm/mach-k3/keys/custMpk.pem is used for this. Changing the key for any purpose (testing, production environment, etc.) requires swapping the key here.
This patch adds a signing-key-path etype to binman along with a Makefile variable SIGNING_KEY which can be used to provide a key file directly with build commands.
Signed-off-by: T Pratham <[email protected]>
---
 Makefile | 1 +
 tools/binman/entries.rst | 23 ++++++++++++++++++++
 tools/binman/etype/signing_key_path.py | 30 ++++++++++++++++++++++++++
 tools/binman/ftest.py | 7 ++++++
 tools/binman/test/351_signing_key.dts | 12 +++++++++++
 5 files changed, 73 insertions(+)
 create mode 100644 tools/binman/etype/signing_key_path.py
 create mode 100644 tools/binman/test/351_signing_key.dts
diff --git a/Makefile b/Makefile
index 435a4bf372d..2c7994b8c41 100644
--- a/Makefile
+++ b/Makefile
@@ -1697,6 +1697,7 @@ cmd_binman = $(srctree)/tools/binman/binman $(if $(BINMAN_DEBUG),-D) \
 -a vpl-dtb=$(CONFIG_VPL_OF_REAL) \
 -a pre-load-key-path=${PRE_LOAD_KEY_PATH} \
 -a of-spl-remove-props=$(CONFIG_OF_SPL_REMOVE_PROPS) \
+ -a signing-key-path=${SIGNING_KEY} \
 $(BINMAN_$(@F))
 
 OBJCOPYFLAGS_u-boot.ldr.hex := -I binary -O ihex
diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
index a81fcbd3891..0f2e0719221 100644
--- a/tools/binman/entries.rst
+++ b/tools/binman/entries.rst
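Review bot: Nothing near the new `-a signing-key-path=${SIGNING_KEY}` line tells a caller what SIGNING_KEY is or that the named file is read by binman as an entry; the only description is the etype docstring, which says a full path must be given. A one-line comment beside the cmd_binman definition, such as `# SIGNING_KEY: full path to the private key file consumed by the signing-key-path etype (optional)`, would make the variable discoverable from the Makefile itself. When SIGNING_KEY is unset the line passes an empty value, matching the PRE_LOAD_KEY_PATH line above, so presumably binman treats that as absent and the node's filename fallback applies; worth confirming, since an empty path silently selecting the default key is exactly the case the commit message wants to make visible. The cmd_binman definition starts outside the hunk.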
@@ -1986,6 +1986,29 @@ available. This is set by the `SetAllowMissing()` method, if
+.. _etype_signing_key_path:
+
+Entry: signing-key-path: Entry containing a signing key blob
+---------------------------------------------------------------
+
+Properties / Entry arguments:
+ - signing-key-path: Filename of file to read into entry. This typically
+ is <file_name>.pem or <file_name>.key
+
+This entry holds the private key file used for signing images.
+
+Typical usage of this is to provide the full path to the key file in
+SIGNING_KEY make argument during build. If this is not provided, the entry will
+fallback to using the key file specified in the binman node filename property::
+
+ binman {
+ signing-key-path {
+ filename = "default_key.pem";
+ };
+ };
+ + + .. _etype_tee_os: + Entry: tee-os: Entry containing an OP-TEE Trusted OS (TEE) blob
diff --git a/tools/binman/etype/signing_key_path.py b/tools/binman/etype/signing_key_path.py
new file mode 100644
index 00000000000..a68b854b7e4
--- /dev/null
+++ b/tools/binman/etype/signing_key_path.py
@@ -0,0 +1,30 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright (c) 2026 Texas Instruments Incorporated - https://www.ti.com/
+# Written by T Pratham <[email protected]>
+#
+# Entry-type module for private key file for signing images
+#
+
+from binman.etype.blob_named_by_arg import Entry_blob_named_by_arg
+
+class Entry_signing_key_path(Entry_blob_named_by_arg):
+ """Private key file path for signing images
+
+ Properties / Entry arguments:
+ - signing-key-path: Path to the private key file
+
+ This entry holds the private key file used for signing images.
+
+ Typical usage of this is to provide the full path to the key file in
+ SIGNING_KEY make argument during build. If this is not provided, the entry will
+ fallback to using the key file specified in the binman node filename property::
+
+ binman {
+ signing-key-path {
+ filename = "default_key.pem";
+ };
+ };
+ """
+ def __init__(self, section, etype, node):
+ super().__init__(section, etype, node, 'signing-key')
+ self.external = True
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index a53e37f31b3..8383db567de 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -109,6 +109,7 @@ TI_BOARD_CONFIG_DATA = b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x
 TI_UNSECURE_DATA = b'unsecuredata'
 IMX_LPDDR_IMEM_DATA = b'qwertyuiop1234567890'
 IMX_LPDDR_DMEM_DATA = b'asdfghjklzxcvbnm'
+SIGNING_KEY_DATA = b'signingkey'
 
 # Subdirectory of the input dir to use to put test FDTs
 TEST_FDT_SUBDIR = 'fdts'
@@ -238,6 +239,7 @@ class TestFunctional(unittest.TestCase):
 TestFunctional._MakeInputFile('rockchip-tpl.bin', ROCKCHIP_TPL_DATA)
 TestFunctional._MakeInputFile('ti_unsecure.bin', TI_UNSECURE_DATA)
 TestFunctional._MakeInputFile('capsule_input.bin', EFI_CAPSULE_DATA)
+ TestFunctional._MakeInputFile('signing_key.pem', SIGNING_KEY_DATA)
 
 # Add a few .dtb files for testing
 TestFunctional._MakeInputFile('%s/test-fdt1.dtb' % TEST_FDT_SUBDIR,
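Review bot: The new entry's contents are the raw private key bytes — `testSigningKey` in the next hunk asserts that the image read back equals SIGNING_KEY_DATA — so any binman description that places a `signing-key-path` node inside an output section writes the private signing key into the emitted image. If the entry is only meant to carry a path for a signing step to consume, it should not contribute data (for instance by overriding `ObtainContents` to set empty contents and exposing the resolved filename through an accessor), and the docstring should state that the node must never sit in an image that is shipped. `self.external = True` presumably subjects a missing key to the same `--allow-missing` fake-blob substitution as other external blobs; for a signing key a hard failure is likely the better default, so the intended behaviour should be stated in the docstring and, if fake contents are not acceptable, the flag dropped. The argument description also differs from the entries.rst hunk (`Path to the private key file` here versus `Filename of file to read into entry. This typically is <file_name>.pem or <file_name>.key` there, and a different heading line); if entries.rst is generated from this docstring as for the other etypes, the two texts need to be identical.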
@@ -8334,5 +8336,10 @@ fdt fdtmap Extract the devicetree blob from the fdtmap
 self.assertEqual(len(subnode4.props), 0, "subnode shouldn't have any properties")
+ def testSigningKey(self):
+ """Test that signing key is correctly passed using signing-key property"""
+ data = self._DoReadFile('351_signing_key.dts')
+ self.assertEqual(SIGNING_KEY_DATA, data)
+
 if __name__ == "__main__":
 unittest.main()
diff --git a/tools/binman/test/351_signing_key.dts b/tools/binman/test/351_signing_key.dts
new file mode 100644
index 00000000000..e035f61a242
--- /dev/null
+++ b/tools/binman/test/351_signing_key.dts
@@ -0,0 +1,12 @@
+/dts-v1/;
+
+/ {
+ #address-cells = <1>;
+ #size-cells = <1>;
+
+ binman {
+ signing-key-path {
+ filename = "signing_key.pem";
+ };
+ };
+};
-- 
2.34.1
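Review bot: `testSigningKey` exercises only the `filename` fallback — no entry arg is passed — so the `signing-key-path` entry-arg route that the Makefile hunk relies on has no coverage, and the docstring's "using signing-key property" does not describe what the test does (the dts carries a `filename` property, not a `signing-key` one). The docstring should read `"""Test that the signing key is read from the node's filename property"""`, and a second test should pass the arg through `entry_args` and read back bytes that differ from the fixture named in the dts, which needs one more input file registered in the setup hunk of this file. Something like the following, where the second fixture name and its data constant are constructed placeholders; the enclosing TestFunctional class starts outside the hunk.
```python
    def testSigningKeyArg(self):
        """Test that the signing-key-path entry arg overrides the filename property"""
        # 'signing_key_alt.pem' / SIGNING_KEY_ALT_DATA are constructed names: register the
        # file in the setup code with contents that differ from SIGNING_KEY_DATA
        entry_args = {'signing-key-path': 'signing_key_alt.pem'}
        data = self._DoReadFileDtb('351_signing_key.dts', entry_args=entry_args)[0]
        self.assertEqual(SIGNING_KEY_ALT_DATA, data)
```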

