Signed the payloads using the db key on the rootfs and the partitions:
extlinux.conf:
openssl cms -sign -signer db.crt -inkey db.key -binary -in extlinux.conf -outform der -out extlinux.conf.sig
initrd:
openssl cms -sign -signer db.crt -inkey db.key -binary -in initrd -outform der -out initrd.sig
Kernel:
cp Image Image.unsigned
sbsign --key db.key --cert db.crt --output Image Image
Kernel-dtb:
openssl cms -sign -signer db.crt -inkey db.key -binary -in kernel_tegra234-p3737-0000+p3701-0000-nv.dtb -outform der -out kernel_tegra234-p3737-0000+p3701-0000-nv.dtb.sig
boot.img:
…/bootloader/mkbootimg --kernel Image --ramdisk initrd --board internal --output boot.img --cmdline "root=/dev/mmcblk0p1 rw rootwait rootfstype=ext4 mminit_loglevel=4 console=ttyTCU0,115200 console=ttyAMA0,115200 firmware_class.path=/etc/firmware fbcon=map:0 net.ifnames=0"
openssl cms -sign -signer db.crt -inkey db.key -binary -in boot.img -outform der -out boot.img.sig
truncate -s %2048 boot.img
cat boot.img.sig >> boot.img
Kernel-dtb of the kernel-dtb partition:
cp tegra234-p3737-0000+p3701-0000.dtb tegra234-p3737-0000+p3701-0000.dtb.unsigned
openssl cms -sign -signer db.crt -inkey db.key -binary -in tegra234-p3737-0000+p3701-0000.dtb -outform der -out tegra234-p3737-0000+p3701-0000.dtb.sig
truncate -s %2048 tegra234-p3737-0000+p3701-0000.dtb
cat tegra234-p3737-0000+p3701-0000.dtb.sig >> tegra234-p3701-0004-p3737-0000.dtb
Recovery.image:
…/bootloader/mkbootimg --kernel Image --ramdisk initrd --board internal --output recovery.img --cmdline "root=/dev/initrd rw rootwait mminit_loglevel=4 console=ttyTCU0,115200 firmware_class.path=/etc/firmware fbcon=map:0 net.ifnames=0"
cp recovery.img recovery.img.unsigned
openssl cms -sign -signer db.crt -inkey db.key -binary -in recovery.img -outform der -out recovery.img.sig
truncate -s %2048 recovery.img
cat recovery.img.sig >> recovery.img
Recovery-kernel-dtb of partition:
cp tegra234-p3737-0000+p3701-0000-nv.dtb.rec tegra234-p3737-0000+p3701-0000-nv.dtb.rec.unsigned
openssl cms -sign -signer db.crt -inkey db.key -binary -in tegra234-p3737-0000+p3701-0000-nv.dtb.rec -outform der -out tegra234-p3737-0000+p3701-0000-nv.dtb.rec.sig
truncate -s %2048 tegra234-p3737-0000+p3701-0000-nv.dtb.rec
cat tegra234-p3737-0000+p3701-0000-nv.dtb.rec.sig >> tegra234-p3737-0000+p3701-0000-nv.dtb.rec
BOOTAA64.efi:
cp BOOTAA64.efi BOOTAA64.efi.unsigned
sbsign --key db.key --cert db.crt --output BOOTAA64.efi BOOTAA64.efi
I then downloaded the payloads and the key auth files onto the Jetson and modified each partition using dd, as well as enrolling the keys using efi-updatevar -f. For the rootfs I replaced the filenames on the target like this:
and for the partitions I used the dd command.
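As an added example (not code from the post or from NVIDIA's tooling), this Python script reverses the pad-and-append layout the commands above produce (truncate to a 2048-byte multiple, then the DER CMS signature appended), so an image can be checked before flashing: the padded body must still equal the .unsigned copy plus zero padding, and the trailing signature must verify against db.crt. The openssl invocation and the use of db.crt as trust anchor are assumptions, as are the constructed sample values.

```python
# Added example (not from the post): reverse the pad-and-append layout that
# `truncate -s %2048 f; cat f.sig >> f` produces, so an image can be checked
# against its .unsigned copy and db.crt before flashing. The post signs before
# padding, so the detached signature is verified over the .unsigned file.
import subprocess
import tempfile

ALIGN = 2048  # boundary used by `truncate -s %2048`

def der_total_length(buf: bytes, off: int):
    """Total size of a definite-length DER SEQUENCE at buf[off], else None."""
    if off + 2 > len(buf) or buf[off] != 0x30:
        return None
    first = buf[off + 1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or off + 2 + n > len(buf):
        return None
    return 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")

def build_signed_image(unsigned: bytes, sig: bytes) -> bytes:
    """Emulate `truncate -s %2048 f; cat f.sig >> f` on in-memory bytes."""
    return unsigned + b"\0" * ((-len(unsigned)) % ALIGN) + sig

def split_signed_image(image: bytes):
    """Scan 2048-aligned offsets from the end for a DER SEQUENCE ending
    exactly at EOF; return (padded_payload, signature)."""
    for off in range((len(image) // ALIGN) * ALIGN, -1, -ALIGN):
        total = der_total_length(image, off)
        if total is not None and off + total == len(image):
            return image[:off], image[off:]
    raise ValueError("no appended CMS signature found on a 2048 boundary")

def matches_unsigned(padded: bytes, unsigned: bytes) -> bool:
    """True if padded == unsigned + zero padding (nothing altered or lost)."""
    return padded[:len(unsigned)] == unsigned and not any(padded[len(unsigned):])

def verify_detached(sig: bytes, unsigned_path: str, cert_path: str = "db.crt") -> bool:
    """Verify the detached CMS signature over the unsigned file with the
    openssl CLI (assumed invocation; db.crt serves as the trust anchor)."""
    with tempfile.NamedTemporaryFile(suffix=".sig") as tmp:
        tmp.write(sig)
        tmp.flush()
        cmd = ["openssl", "cms", "-verify", "-binary", "-inform", "DER",
               "-in", tmp.name, "-content", unsigned_path,
               "-CAfile", cert_path, "-out", "/dev/null"]
        return subprocess.run(cmd, capture_output=True).returncode == 0
```

A mismatch from matches_unsigned on a .dtb or boot.img is the quickest way to spot a signature that was appended to the wrong file or a payload that was edited after signing.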