[{"id":3682926,"web_url":"http://patchwork.ozlabs.org/comment/3682926/","msgid":"<20260427195702.GN41863@bill-the-cat>","list_archive_url":null,"date":"2026-04-27T19:57:02","subject":"Re: [PATCH v4 07/11] binman: openssl: Add boot and load extensions\n to x509 cert","submitter":{"id":65875,"url":"http://patchwork.ozlabs.org/api/people/65875/","name":"Tom Rini","email":"trini@konsulko.com"},"content":"On Sat, Apr 25, 2026 at 09:07:38AM +0530, Beleswar Padhi wrote:\n> \n> The boot and load extensions in the x509 certificate are required for\n> requesting the secure entity (TIFS) to boot a core. These fields are\n> defined in the binman node for each core that must be booted by TIFS\n> and must be included when generating the signed certificate.\n> \n> Add support to parse the boot and load extension properties from the\n> binman node and populate them into the certificate. If any of the\n> mandatory properties for an extension are missing, that respective\n> extension section is NOT added to the certificate.\n> \n> Signed-off-by: Beleswar Padhi \n> ---\n> Cc: Simon Glass \n> \n> v4: Changelog:\n> 1. None\n> \n> Link to v3:\n> https://lore.kernel.org/all/20251231173621.1069988-8-b-padhi@ti.com/\n> \n> v3: Changelog:\n> 1. New patch. Add support to sign HSM firmware here in U-Boot.\n> \n> tools/binman/btool/openssl.py | 49 ++++++++++++++++++++++++++++++---\n> tools/binman/etype/ti_secure.py | 18 ++++++++++++\n> tools/binman/etype/x509_cert.py | 4 ++-\n> 3 files changed, 66 insertions(+), 5 deletions(-)\n\nIs there some testing we could be adding here? Does CI pass (and so yes,\neverything that coverage checks for has been caught already) ? Thanks.","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=konsulko.com header.i=@konsulko.com header.a=rsa-sha256\n header.s=google header.b=Y6gm/IyP;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=konsulko.com","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=konsulko.com header.i=@konsulko.com\n header.b=\"Y6gm/IyP\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=konsulko.com","phobos.denx.de;\n spf=pass smtp.mailfrom=trini@konsulko.com"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4DqX5qX6z1yHv\n\tfor ; Tue, 28 Apr 2026 05:57:12 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id B450B83693;\n\tMon, 27 Apr 2026 21:57:10 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 0F4AD83693; Mon, 27 Apr 2026 21:57:09 +0200 (CEST)","from mail-oa1-x41.google.com (mail-oa1-x41.google.com\n [IPv6:2001:4860:4864:20::41])\n (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 4D0C6805D7\n for ; Mon, 27 Apr 2026 21:57:06 +0200 (CEST)","by mail-oa1-x41.google.com with SMTP id\n 586e51a60fabf-40f1a1f77a6so7894566fac.2\n for ; Mon, 27 Apr 2026 12:57:06 -0700 (PDT)","from bill-the-cat (fixed-189-203-106-235.totalplay.net.\n [189.203.106.235]) by smtp.gmail.com with ESMTPSA id\n 006d021491bc7-6965ba57ee1sm170526eaf.12.2026.04.27.12.57.03\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Mon, 27 Apr 2026 12:57:04 -0700 (PDT)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,\n SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=konsulko.com; s=google; t=1777319825; x=1777924625; darn=lists.denx.de;\n h=in-reply-to:content-disposition:mime-version:references:message-id\n :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;\n bh=QXMLGrg+yknsd4dx3NYuHSEV0t3cWmHpEu6XD4a7C+Q=;\n b=Y6gm/IyP385RyDPGZJrwV/lTGjPcK+vhjDnSYbRT86AFKi6GYRHnTBsbORVDKnfbBh\n Eacm1hQUVW1te1DPwth7CasScCkgWVg8rc/Sr7rzfBgEur2NGjW7wPJg8EWjkgAbcAvB\n 52QyRmr69Sz1/pdZJIRZ1ra9d4gdRkeZnGlz4=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777319825; x=1777924625;\n h=in-reply-to:content-disposition:mime-version:references:message-id\n :subject:cc:to:from:date:x-gm-gg:x-gm-message-state:from:to:cc\n :subject:date:message-id:reply-to;\n bh=QXMLGrg+yknsd4dx3NYuHSEV0t3cWmHpEu6XD4a7C+Q=;\n b=Q2NGWjj4hg1gUxEpKixJrkiuZgu1W/mX/D8XZsM+AljINEfTt+XkLvca6Mw/PNYEN3\n X0I/8esAjWayK9eNC5ki7LFj8+VjsVSY+gH+XJNvgmdy3r5hEg6AfzmbIY2TOg7oN49r\n EYVj601zSxzJhc93PYLBRwk0EuzqCW2SIkqWUBaR45Sr7Wu0PrGxw/8UGZIL8Sm4hSDG\n 4anIduoaC1bX5aQ4fklNYw4ToLDIW/vMtwb9UEt9TxxkZmoFkUYZ60tYWU8ctQ+ZUFBs\n MElbzCU/UTP1qw6CdrmUWf/V9XQIvBSPdXiCnwlp1cgB5mo+ZC04y6P5TOxD4J2QCj04\n I45w==","X-Forwarded-Encrypted":"i=1;\n AFNElJ9slKZBsrqh2cISzE90dU/4k7Lc1LkGGsMpZC77ugPjwfL3bLTwRjoG5xHgOEgtcDpkz8iWOn0=@lists.denx.de","X-Gm-Message-State":"AOJu0YyfleIk3ZgooGGp4W1vKFwUxnH8/RNvQpcdrCID0EhcktB2BxBN\n mqMrg2mm5QhNpwyE8Kojt5vdsEmpseB5yCq5516clPgC4i1u3MT4BAETeXckR5HfKbI=","X-Gm-Gg":"AeBDieu2IHFkSX1PDyH56jkr2uCGwB9ZP/XhawL0dq59BUn4+ioe5YrMk+/B6r3D1Ag\n 6ovc/uP4iRjopUDS5Ry02tbzN5GuBDpOlW8fSLPdFLLbZ/KbYrgfDmGSrhJ1EjTY8/oTGorkYui\n M+0Rbs72l9GEIPqaU/Zdc0srKpeSPik/AOBrvp+4/6C4jGTuFiZpCz5MiUwvLniMICNUQWGQC0O\n EcXH8ULZAEEEbkmEwD24zoih1xxgTFjPyl/fXIlhlvlFGRZZUipSD/nBuQi+99BGu0+UjmnpNPZ\n Gyjl5uCIYwR3AOqmYhvQVl/lvL4qYIHduKSl71iOEujs74EkBEopToEnswJ/JwAIXln31m9H2qo\n x8EyS21VOanyuzwW8RwLDysCeCPwX2tCJ0nqP/Dfq5PMtkw6pWid9mxh8BNajdiEDpPOgnd4/Aa\n fEwI7ohDr+DceXO4KBWNYbfSVyo5CVHkAbAUZh2VmCnx9F/f+FHNzRpnIeyJsd5EvcxArQhDlVR\n 0Ss5Xy1E8XtGHxS9ikZKZd1GN54O6VojeqSIVkb1aUtvUbqoLnDgsI3Wo3p1vRgwAtuY9G8","X-Received":"by 2002:a05:6820:f02b:b0:696:22bd:8584 with SMTP id\n 006d021491bc7-6965b8f341fmr262613eaf.1.1777319824948;\n Mon, 27 Apr 2026 12:57:04 -0700 (PDT)","Date":"Mon, 27 Apr 2026 13:57:02 -0600","From":"Tom Rini ","To":"Beleswar Padhi ","Cc":"afd@ti.com, bb@ti.com, anshuld@ti.com, hnagalla@ti.com, jm@ti.com,\n nm@ti.com, n-francis@ti.com, u-kumar1@ti.com, u-boot@lists.denx.de,\n Simon Glass ","Subject":"Re: [PATCH v4 07/11] binman: openssl: Add boot and load extensions\n to x509 cert","Message-ID":"<20260427195702.GN41863@bill-the-cat>","References":"<20260425033742.1519298-1-b-padhi@ti.com>\n <20260425033742.1519298-8-b-padhi@ti.com>","MIME-Version":"1.0","Content-Type":"multipart/signed; micalg=pgp-sha512;\n protocol=\"application/pgp-signature\"; boundary=\"t+HQx52v8hK+dDaY\"","Content-Disposition":"inline","In-Reply-To":"<20260425033742.1519298-8-b-padhi@ti.com>","X-Clacks-Overhead":"GNU Terry Pratchett","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" ","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"}}]