On 07.02.25 18:07, Andrew Davis wrote:
On 2/7/25 12:51 AM, Daniel Schultz wrote:

Private keys to sign bootloader images shouldn't be committed or part
of this repository. Add config entries to use keys located outside
of U-Boot to sign images.

The custMpk.pem was always a placeholder, we fill it with the TI Dummy
key as an example. The idea was you replace it with your key using
something like a symlink. So custMpk.pem is replaced with a symlink pointing
to your real key when building on the production HSM. Why do you
need to have a Kconfig to point to your real key?

Thanks for pointing that out! We were not aware of that process and
added these Kconfigs. I just sent new patches to add the missing keyfile
entries in our binman to use symlinks.

- Daniel

If you really want a full path to be settable from Kconfig for some
reason that I am not seeing, then others will want to too. So you
should make this option generic for all K3, nothing specific to this
one board family.

Andrew

Signed-off-by: Maik Otto <m.o...@phytec.de>
Signed-off-by: Nathan Morrisson <nmorris...@phytec.com>
Signed-off-by: Daniel Schultz <d.schu...@phytec.de>
---
board/phytec/common/k3/Kconfig | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/board/phytec/common/k3/Kconfig
b/board/phytec/common/k3/Kconfig
index 282f4b79742..19fe927b22e 100644
--- a/board/phytec/common/k3/Kconfig
+++ b/board/phytec/common/k3/Kconfig
@@ -3,3 +3,37 @@ config PHYTEC_K3_DDR_PATCH
help
Allow to override default DDR timings prior to
DDRSS driver probing.
+
+config PHYTEC_K3_KEY_BLOB_COPY
+ bool "Copy the MPK key and the degenerate TI key to the build path"
+ default y
+ help
+ Select how to manage the MPK and degenerate TI keys.
+ If PHYTEC_K3_KEY_BLOB_COPY is enabled, the keys will be
copied into
+ the U-Boot directory for compatibility with the TI dummy keys
+ stored there.
+ If PHYTEC_K3_KEY_BLOB_COPY is disabled, the build will use the
+ original key directly. It is recommended to use the original
key to
+ avoid unnecessary duplication.
+
+config PHYTEC_K3_MPK_KEY
+ string "Path to customer specific MPK key"
+ default "custMpk.pem" if PHYTEC_K3_KEY_BLOB_COPY
+ default "arch/arm/mach-k3/keys/custMpk.pem" if
!PHYTEC_K3_KEY_BLOB_COPY
+ help
+ Specifies the path to the MPK signing key:
+ If PHYTEC_K3_KEY_BLOB_COPY is enabled, provide the path to
the blob
+ copy of the original key.
+ If PHYTEC_K3_KEY_BLOB_COPY is disabled, provide the path to the
+ original key.
+
+config PHYTEC_K3_DEGENERATE_KEY
+ string "Path to the degenerate TI key"
+ default "ti-degenerate-key.pem" if PHYTEC_K3_KEY_BLOB_COPY
+ default "arch/arm/mach-k3/keys/ti-degenerate-key.pem" if
!PHYTEC_K3_KEY_BLOB_COPY
+ help
+ Specifies the path to the degenerate key:
+ If PHYTEC_K3_KEY_BLOB_COPY is enabled, provide the path to
the blob
+ copy of the original key.
+ If PHYTEC_K3_KEY_BLOB_COPY is disabled, provide the path to the
+ original key.
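
Review bot: PHYTEC_K3_KEY_BLOB_COPY is "default y" although its own help text says "It is recommended to use the original key", so an unconfigured build takes the path that copies private key material into the U-Boot directory, which is the opposite of what the commit message sets out to do. Consider "default n", or dropping the copy mode altogether. With the copy mode enabled, no option names where the original key is read from: PHYTEC_K3_MPK_KEY and PHYTEC_K3_DEGENERATE_KEY are both described as "the path to the blob copy", so the help should state the source location and whether these paths are relative to the source tree or the build directory. With the copy mode disabled, the defaults still point at arch/arm/mach-k3/keys/custMpk.pem and arch/arm/mach-k3/keys/ti-degenerate-key.pem inside the tree, so nothing here keeps a build from signing with the in-tree placeholder; an empty default that forces an explicit path would make that case visible at configuration time. None of the three symbols has a "depends on", and, as raised in the reply above, a key-path option would fit better as a generic K3 setting than under board/phytec/common/k3.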