diff --git a/meta-arm/classes/tfm_sign_image.bbclass b/meta-arm/classes/tfm_sign_image.bbclass
index a5c41ae3..5ba57dc8 100644
--- a/meta-arm/classes/tfm_sign_image.bbclass
+++ b/meta-arm/classes/tfm_sign_image.bbclass
@@ -35,6 +35,21 @@ DEPENDS += "trusted-firmware-m-scripts-native"
 # right path until this is relocated automatically.
 export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
 
+# The arguments passed to the TF-M image signing script. Override this variable
+# in an image recipe to customize the arguments.
+TFM_IMAGE_SIGN_ARGS ?= "\
+    -v ${RE_LAYOUT_WRAPPER_VERSION} \
+    --layout "${TFM_IMAGE_SIGN_DIR}/${host_binary_layout}" \
+    -k  "${RECIPE_SYSROOT_NATIVE}/${TFM_SIGN_PRIVATE_KEY}" \
+    --public-key-format full \
+    --align 1 \
+    --pad \
+    --pad-header \
+    --measured-boot-record \
+    -H ${RE_IMAGE_OFFSET} \
+    -s auto \
+"
+
 #
 # sign_host_image
 #
@@ -65,16 +80,7 @@ EOF
     host_binary_signed="${TFM_IMAGE_SIGN_DIR}/signed_$(basename "${1}")"
 
     ${PYTHON} "${STAGING_LIBDIR_NATIVE}/tfm-scripts/wrapper/wrapper.py" \
-            -v ${RE_LAYOUT_WRAPPER_VERSION} \
-            --layout "${TFM_IMAGE_SIGN_DIR}/${host_binary_layout}" \
-            -k  "${RECIPE_SYSROOT_NATIVE}/${TFM_SIGN_PRIVATE_KEY}" \
-            --public-key-format full \
-            --align 1 \
-            --pad \
-            --pad-header \
-            --measured-boot-record \
-            -H ${RE_IMAGE_OFFSET} \
-            -s auto \
+            ${TFM_IMAGE_SIGN_ARGS} \
             "${1}" \
             "${host_binary_signed}"
 }