Creating factory flash files with secure boot and disk encryption


How can I export the generated flash files for use with manufacturing/deployment, without supplying the PKC/SBK keys?

This is my flash command:
sudo ROOTFS_ENC=1 ./ --no-flash --uefi-keys uefi_keys/uefi_keys.conf -i $sym2file -u $keyfile -v $sbkfile jetson-agx-xavier-devkit mmcblk0p1

It will generate flashcmd.txt in the bootloader directory. However, odmfuse.xml is also present, as well as the unencrypted system.img. In earlier Jetpack versions there was something in the docs about compressing the bootloader directory, however I cant find anything in the current Jetpack 5.1.1 docs about this. Is there something similar like the fuseblob.tbz2, but then for the rootfs?

hello riboyama,

you may see-also $OUT/Linux_for_Tegra/tools/kernel_flash/README_initrd_flash.txt
please refer to [Workflow 8: Secure initrd Massflash] for the steps by running to create the mfi package.
you may see-also other workflows for reference, thanks

Hello Jerry,

Does this support signed uefi payloads, as like --uefi-keys?

hello riboyama,

there’s -p <option> for passing options to when generating the image for internal storage.
hence, you may using $ sudo ./ -p "--uefi-keys" <board-name> <rootdev>.

please kindly have a try and sharing the test results.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.