A minimal script that only signs the Jetson boot components

Hi,

NVIDIA recommends using the flash.sh script to sign the Jetson boot software. While we attempted to use this approach, we encountered a few challenges:

(1) flash.sh generates partition images for esp and APP.
(2) The script performs many additional, unrelated operations, making it difficult to track what is being signed and to understand the signing process in detail.

We are looking for a minimal, focused script that performs only the signing of Jetson boot components, without the extra overhead. In particular, we are interested in understanding how to sign everything up to and including EDK II.

Could you please advise what is the right way to do it?

Many thanks for your support and help.

Best regards,
Yanlin

hello yanlin.li,

you may check Flashing Script Usage, there’s the -r option to skip building system.img. you may also add the -k option for an individual partition.

or,
would you like to sign/encrypt all those bootloader binaries?
please see also $OUT/Linux_for_Tegra/tools/kernel_flash/README_initrd_flash.txt of [Workflow 11], it should work with generate images for internal device.

Hi Jerry,

Thank you very much for your prompt response and excellent help. I saw that l4t_initrd_flash.sh has an option --qspi-only. Could you please provide some details on how exactly I can use this "--qspi-only" option to sign qspi components, and flash qspi only?

Many thanks for your help and look forward to hearing from you.

Best regards,
Yanlin

hello yanlin.li,

you may also see To Flash the Jetson Developer Kit Operating Software for the command-line to flash Jetson developer kits, which depends on your storage, such as SD, USB, NVMe, etc.

let me take Jetson Orin Nano Developer Kit (NVMe) as an example,
here’s the flash command-line.
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh --external-device nvme0n1p1 -c tools/kernel_flash/flash_l4t_t234_nvme.xml -p "-c bootloader/generic/cfg/flash_t234_qspi.xml" --showlogs --network usb0 jetson-orin-nano-devkit internal

as you can see, there’re internal (QSPI) and external (NVME).
for your use-case, you may omit those external configuration since you would like to flash qspi only.
furthermore, assuming you’re flashing a target which is fused with PKC+SBK, please also assign the keys to the flash command-line.
for instance,
$ sudo ./tools/kernel_flash/l4t_initrd_flash.sh -u PKC.pem -v SBK.key -p "-c bootloader/generic/cfg/flash_t234_qspi.xml --no-systemimg" jetson-orin-nano-devkit internal

you can run command similar to:

sudo NO_ESP_IMG=1 BOARDSKU=0000 FAB=100 ./flash.sh --qspi-only --no-systemimg --no-flash -u ~/Downloads/rsa_priv-3k.pem jetson-agx-orin-devkit mmcblk0p1

NO_ESP_IMG=1 and --no-systemimg will skip generating the esp and the APP partition

The script that does all the signing internally is tegraflash.py. In the flash log you can see there is a command similar to

./tegraflash.py --bl uefi_jetson_with_dtb.bin … --cmd "sign" …

That is the command that signs the image.
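
One way to follow the last reply's pointer and audit which tegraflash.py invocations in a saved flash log actually sign something. This is an added example, not part of the original thread or of NVIDIA's scripts: `list_sign_cmds` and `sample_log` are hypothetical helper names, the log lines are constructed, and only the `--bl` and `--cmd` flags quoted in the thread are assumed.

```shell
#!/usr/bin/env bash
# list_sign_cmds [LOGFILE]  (reads stdin when no file is given)
# For every tegraflash.py invocation whose --cmd string contains a "sign"
# step, print: <log line number> TAB <--bl image> TAB <full --cmd string>
list_sign_cmds() {
    awk '
    # Return the value that follows FLAG (quoted or bare), or "" if absent.
    function getarg(line, flag,    re, s) {
        re = flag "[ =]+(\"[^\"]*\"|[^ ]+)"
        if (!match(line, re)) return ""
        s = substr(line, RSTART, RLENGTH)
        sub("^" flag "[ =]+", "", s)
        gsub(/"/, "", s)
        return s
    }
    BEGIN { OFS = "\t" }
    /tegraflash\.py/ {
        cmd = getarg($0, "--cmd")
        n = split(cmd, step, ";")          # --cmd may chain steps with ";"
        for (i = 1; i <= n; i++) {
            gsub(/^ +| +$/, "", step[i])
            if (step[i] ~ /^sign( |$)/) {  # a step that is "sign" or "sign <args>"
                print NR, getarg($0, "--bl"), cmd
                break
            }
        }
    }' "$@"
}

# Constructed sample log (not real flash.sh output), for offline use.
sample_log() {
    cat <<'EOF'
Existing files reused (constructed line)
./tegraflash.py --bl uefi_jetson_with_dtb.bin --cmd "sign"
signed image copied (constructed line)
./tegraflash.py --bl uefi_jetson_with_dtb.bin --cmd "flash; reboot"
EOF
}

# Run against a real log when a path is given on the command line.
if [ "$#" -gt 0 ]; then list_sign_cmds "$@"; fi
```

Redirecting the output of a `--no-flash` run to a file and passing that file to `list_sign_cmds` gives a short list of the signing invocations to review, instead of reading the whole log.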
