[PATCH 3/6] ARM: k3: allow to pass custom signing keys

[Sascha Hauer]

By default the AM62x images are signed with default TI development keys.
Allow to sign the images with custom keys for future secure boot.

Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
---
 arch/arm/mach-k3/Kconfig | 22 ++++++++++++++++++++++
 images/Makefile.k3       |  4 ++++
 2 files changed, 26 insertions(+)

diff --git a/arch/arm/mach-k3/Kconfig b/arch/arm/mach-k3/Kconfig
index 338421a8af1715c72a23adc41fb7a21d69091585..281068071e4ef617f5fe5006b225428c7e2d17c1 100644
--- a/arch/arm/mach-k3/Kconfig
+++ b/arch/arm/mach-k3/Kconfig
@@ -66,4 +66,26 @@ config ARCH_K3_COMMAND_AUTHENTICATE
 	  Add k3_authenticate_image command to test authenticating images
 	  against the K3 ROM API.
 
+choice
+	prompt "Select signing key"
+	default ARCH_K3_SIGNING_KEY_TI_DEVEL
+
+config ARCH_K3_SIGNING_KEY_TI_DEVEL
+	bool "Use TI devel key for signing (arch/arm/mach-k3/custMpk.pem)"
+	help
+	  Use the TI provided devel key for signing the bootable certificates
+
+config ARCH_K3_SIGNING_KEY_CUSTOM
+	bool "Specify custom key for signing"
+	help
+	  Use custom keys for signing the bootable certificates
+
+endchoice
+
+config ARCH_K3_SIGNING_KEY
+	string "Signing key"
+	depends on ARCH_K3_SIGNING_KEY_CUSTOM
+	help
+	  Path or PKS#11 uri for the signing keys
+
 endmenu
diff --git a/images/Makefile.k3 b/images/Makefile.k3
index 0024cefa3687778487749f39b1c5bb57d490ec10..05b645f6d48b0594eec2af1208825c1d551a1dff 100644
--- a/images/Makefile.k3
+++ b/images/Makefile.k3
@@ -17,7 +17,11 @@ image-$(CONFIG_MACH_BEAGLEPLAY) += barebox-beagleplay.img
 
 endif
 
+ifdef CONFIG_ARCH_K3_SIGNING_KEY_TI_DEVEL
 KEY_custmpk=$(srctree)/arch/arm/mach-k3/custMpk.pem
+else
+KEY_custmpk="$(CONFIG_ARCH_K3_SIGNING_KEY)"
+endif
 KEY_degenerate=$(srctree)/arch/arm/mach-k3/ti-degenerate-key.pem
 
 ifdef CONFIG_MACH_K3_CORTEX_R5

-- 
2.39.5