How to sign and encrypt the kernel Image to avoid repeated restarts on Jetson AGX Xavier?

Hi nvidia:
I customized the L4T kernel, only adding a print in the tegra_pcie_dw_probe function in pcie-tegra.c, and added an entry to /boot/extlinux/extlinux.conf as follows:

LABEL backup
    MENU LABEL backup kernel
    LINUX /boot/Image.backup
    INITRD /boot/initrd
    APPEND ${cbootargs} ......
I added my kernel image to /boot and restarted the Xavier devkit. When I select item 2 from extlinux.conf, L4T restarts after a timeout. The log is in the attachment. I traced the log and found some error info about signing, as follows:
I> L4T boot options
I> [1]: "primary kernel"
I> [2]: "backup kernel"
I> Enter choice: 
[0047.165] I> Selected option: 2
[0047.165] I> Loading kernel ...
[0047.165] I> Loading kernel binary from rootfs ...
[0047.165] I> rootfs path: /sdmmc_user/boot/Image.backup
[0047.409] I> Loading kernel sig file from rootfs ...
[0047.409] I> rootfs path: /sdmmc_user/boot/Image.backup.sig
[0053.625] I> lookup_linear_dir:485: Invalid file block num
[0053.626] I> ext2_walk:142: 'Image.backup.sig' lookup failed
[0053.626] I> ext4_open_file:704: '/boot/Image.backup.sig' lookup failed
[0053.627] E> file /sdmmc_user/boot/Image.backup.sig open failed!!
[0053.627] W> Failed to load kernel sig file (err=202113041)
[0053.629] I> Validate kernel ...
[0053.632] I> T19x: Authenticate kernel (bin_type: 37), max size 0x5000000
[0053.639] E> Stage2Signature validation failed with SHA2!!
[0053.644] C> OEM authentication of kernel header failed!
[0053.649] W> Failed to validate kernel binary from rootfs (err=1077936152, fail=1)
[0053.657] W> Security fuse not burned, ignore validation failure

I referred to the chapter Building the NVIDIA Kernel at https://docs.nvidia.com/jetson/archives/l4t-archived/l4t-3273/index.html#page/Tegra%20Linux%20Driver%20Package%20Development%20Guide/kernel_custom.html#wwpID0E0XD0HA and learned that I can use the following command to sign the kernel image:

$ ./l4t_sign_image.sh --file <filename> --chip 0x19 --key <keyfile> --encrypt_key <encrypt_keyfile> --type <filetype> --minratchet_config <ratchet>

But I don't know how to produce the keyfile and encrypt_keyfile. Any suggestion is helpful. Thanks!
agx-xavier-reboot-using-mybuild-kernel.txt (38.0 KB)

hello sdz_2011,

may I confirm the L4T release version you're working with, is it JetPack 4.6.3 / L4T 32.7.3?
assuming you're working with an unfused target: while you develop the kernel, you should delete Image.sig.
so... when kernel development is complete, a valid Image.sig must be generated and placed in the /boot folder.

please have a try, thanks

Hi JerryChang:
Yes, the L4T release version I am working with is JetPack 4.6.3 / L4T 32.7.3.
I would like to confirm: if I delete the old Image.sig and put in my new Image, will it generate a valid Image.sig for the new Image in /boot?

please try deleting Image.sig on your target for testing.

Before I deleted Image.sig, /boot looked like this:

nvidia@ubuntu:~$ ls /boot
dtb
extlinux
grub
Image
Image.backup
Image.sig
Image.t19x
Image.t19x.sig
initrd
initrd.img
initrd.img-4.9.299-tegra
initrd.sig
initrd.t19x
initrd.t19x.sig

I tried deleting Image.sig, deleting the old Image, and copying the new Image to /boot; it also restarts. The log piece is as follows:

[0012.167] I> [2]: "backup kernel"
[0012.170] I> Enter choice: 
[0013.057] I> Selected option: 2
[0013.058] I> Loading kernel ...
[0013.058] I> Loading kernel binary from rootfs ...
[0013.058] I> rootfs path: /sdmmc_user/boot/Image
[0013.304] I> Loading kernel sig file from rootfs ...
[0013.305] I> rootfs path: /sdmmc_user/boot/Image.sig
[0019.537] I> lookup_linear_dir:485: Invalid file block num
[0019.537] I> ext2_walk:142: 'Image.sig' lookup failed
[0019.537] I> ext4_open_file:704: '/boot/Image.sig' lookup failed
[0019.538] E> file /sdmmc_user/boot/Image.sig open failed!!
[0019.538] W> Failed to load kernel sig file (err=202113041)
[0019.539] I> Validate kernel ...

Attached is the log:
agx-xavier-del-image.sig-reboot.txt (39.2 KB)

hello sdz_2011,

hold on, has your Xavier platform ever been fused to enable Jetson security?

I remember there was no such operation. I usually flash the AGX Xavier devkit with SDK Manager.
How do I check whether the Xavier platform has Jetson security enabled?

there's a script file, odmfuseread.sh, for Accessing the Fuse from the Target.
it looks like you've not fused the target before; please refer to Building the NVIDIA Kernel to push the Image binary to your target without signing/encryption.

I made a comparison experiment with the following extlinux.conf (the normal Image as the backup):

TIMEOUT 30
DEFAULT primary
MENU TITLE L4T boot options

LABEL primary
      MENU LABEL primary kernel
      LINUX /boot/Image
      INITRD /boot/initrd
      APPEND ${cbootargs} quiet root=/dev/mmcblk0p1 rw rootwait rootfstype=ext4 console=ttyTCU0,115200n8 console=tty0 fbcon=map:0 net.ifnames=0 rootfstype=ext4 nv-auto-config

LABEL backup
      MENU LABEL backup kernel
      LINUX /boot/Image.backup
      INITRD /boot/initrd
      APPEND ${cbootargs} quiet root=/dev/mmcblk0p1 rw rootwait rootfstype=ext4 console=ttyTCU0,115200n8 console=tty0 fbcon=map:0 net.ifnames=0 rootfstype=ext4 nv-auto-config
# below menu setting lines for the original kernel

In L4T boot options at startup I choose 2. /boot has no Image.backup.sig, but it can boot, and the log is as follows:

[0012.180] I> L4T boot options
[0012.183] I> [1]: "primary kernel"
[0012.186] I> [2]: "backup kernel"
[0012.189] I> Enter choice: 
[0013.021] I> Selected option: 2
[0013.021] I> Loading kernel ...
[0013.021] I> Loading kernel binary from rootfs ...
[0013.021] I> rootfs path: /sdmmc_user/boot/Image.backup
[0013.257] I> Loading kernel sig file from rootfs ...
[0013.257] I> rootfs path: /sdmmc_user/boot/Image.backup.sig
[0019.479] I> lookup_linear_dir:485: Invalid file block num
[0019.479] I> ext2_walk:142: 'Image.backup.sig' lookup failed
[0019.480] I> ext4_open_file:704: '/boot/Image.backup.sig' lookup failed
[0019.480] E> file /sdmmc_user/boot/Image.backup.sig open failed!!
[0019.481] W> Failed to load kernel sig file (err=202113041)
[0019.482] I> Validate kernel ...
[0019.486] I> T19x: Authenticate kernel (bin_type: 37), max size 0x5000000
[0019.492] E> Stage2Signature validation failed with SHA2!!
[0019.498] C> OEM authentication of kernel header failed!
[0019.503] W> Failed to validate kernel binary from rootfs (err=1077936152, fail=1)
[0019.510] W> Security fuse not burned, ignore validation failure
[0019.516] I> restore load_size to 34629648
[0019.534] I> Loading kernel-dtb ...

I think the mechanism is the same, so why did Image fail?
By the way,

$ sudo ./odmfuseread.sh -i <0x18 or 0x19> [-k <pkc_keyfile>] [-S <sbk_keyfile>] <device_name>

Is pkc_keyfile the .pem output file from Generating the RSA Key Pair? Is sbk_keyfile the path of a .pem? Is device_name the name of the eMMC device? As follows:

$ openssl genrsa -out rsa_priv.pem 2048

hello sdz_2011,

the booting process is complete, right?
since you're not assigning SBK keys, you may execute the command line as follows for reading the fuse info,
i.e. $ sudo ./odmfuseread.sh -i 0x19 -k <pkc_keyfile> jetson-agx-xavier-devkit

Hi JerryChang:
The booting process for my built Image is not complete yet. Do you have any advice for that? Thanks!

please share the complete logs for reference, or... is it stuck at loading kernel-dtb?

Hi JerryChang:
I built L4T (without changing anything) and made it the primary startup item; the full log is in the attachment.
At the same time, I backed up the original Image as Image.backup and deleted Image.sig.

0531_custom_build_kernel_auto_restart_NG.txt (78.1 KB)

hello sdz_2011,

I did not get this...
may I know all your steps in detail, and what error messages you've seen now?
practically, you should create a customized kernel image, i.e. Image, put it in your filesystem, and modify extlinux.conf so the LINUX entry points to your binary file.

Hi JerryChang:
My steps are just as you said (create a customized kernel image, i.e. Image, put it in the filesystem, and modify extlinux.conf so the LINUX entry points to the binary file). In detail they are as follows:
1. Download L4T from Jetson Linux R32.7.3
2. Uncompress the L4T source code (assume Linux_for_Tegra is uncompressed in /home/test/Jetson_AGX_Xavier)

```
$ cd /home/test/Jetson_AGX_Xavier
$ tar -xjf public_sources.tbz2
$ tar xf Jetson_Linux_R32.7.3_aarch64.tbz2
$ sudo tar xpf Tegra_Linux_Sample-Root-Filesystem_R32.7.3_aarch64.tbz2 -C Linux_for_Tegra/rootfs
$ cd Linux_for_Tegra/source/public
$ tar -xjf kernel_src.tbz2
```
3. Set environment variables

$ export TEGRA_KERNEL_OUT=/home/test/Jetson_AGX_Xavier/Linux_for_Tegra/source/public/kernel/output/

$ export CROSS_COMPILE=<cross_prefix>

$ export LOCALVERSION=-tegra

4. Create .config

$ cd <kernel-4.9/>

$ mkdir -p $TEGRA_KERNEL_OUT

$ make ARCH=arm64 O=$TEGRA_KERNEL_OUT tegra_defconfig

5. Apply the RT patches

$ scripts/rt-patch.sh apply-patches

6. Build the dtb, Image and modules

$ make mrproper

$ make ARCH=arm64 O=$TEGRA_KERNEL_OUT -j<n>

$ sudo make ARCH=arm64 O=$TEGRA_KERNEL_OUT modules_install INSTALL_MOD_PATH=<Linux_for_Tegra>/rootfs

7. Copy Image to the devkit by scp or USB, for example into <$HOME>/Downloads

8. Update the original Image and extlinux.conf in /boot on the devkit

cd /boot

sudo cp Image Image.backup

sudo mv Image.sig ~/Downloads

sudo cp ~/Downloads/Image /boot

The new extlinux.conf (attachment):
extlinux.conf (1023 Bytes)

9. Reboot

$ sudo reboot

The biggest error is that it repeatedly restarts. In the log this happens at about line 885: after waiting some time it auto-reboots with no obvious error message. I guess it is triggered by the watchdog.

The other error message is at lines 757 to 774 of the log, as follows:

[0012.179] I> Enter choice: 
[0015.183] I> Continuing with default option: 1
[0015.183] I> Loading kernel ...
[0015.183] I> Loading kernel binary from rootfs ...
[0015.184] I> rootfs path: /sdmmc_user/boot/Image
[0015.416] I> Loading kernel sig file from rootfs ...
[0015.417] I> rootfs path: /sdmmc_user/boot/Image.sig
[0021.649] I> lookup_linear_dir:485: Invalid file block num
[0021.649] I> ext2_walk:142: 'Image.sig' lookup failed
[0021.650] I> ext4_open_file:704: '/boot/Image.sig' lookup failed
[0021.650] E> file /sdmmc_user/boot/Image.sig open failed!!
[0021.650] W> Failed to load kernel sig file (err=202113041)
[0021.651] I> Validate kernel ...
[0021.654] I> T19x: Authenticate kernel (bin_type: 37), max size 0x5000000
[0021.660] E> Stage2Signature validation failed with SHA2!!
[0021.666] C> OEM authentication of kernel header failed!
[0021.671] W> Failed to validate kernel binary from rootfs (err=1077936152, fail=1)
[0021.678] W> Security fuse not burned, ignore validation failure
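
A complete version of steps 8 and 9 as a script, added here as an example and not part of the original post or of NVIDIA's L4T tooling: it stages the custom Image into a /boot-like directory, keeps the shipped kernel as Image.backup (with its .sig, if one exists, renamed alongside it), and appends the backup entry to extlinux.conf so the original kernel stays selectable in the cboot menu. All paths are arguments, so the procedure can be rehearsed on a scratch directory before being run with sudo against the real /boot. On an unfused devkit a stale or missing Image.sig only produces the validation warning quoted in the logs above, which is why the script does not try to sign anything. The scratch layout, the "primary" LABEL name and the file contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from L4T: install a custom kernel
# Image next to a backup of the shipped one and register the backup entry
# in extlinux.conf. All paths are arguments so it can be tried on a copy.
set -eu

# install_custom_kernel <boot_dir> <new_image>
# Returns 0 on success, 1 if an expected file is missing.
install_custom_kernel() {
    boot=$1
    new_image=$2
    conf="$boot/extlinux/extlinux.conf"

    for f in "$boot/Image" "$new_image" "$conf"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done

    # Keep the shipped kernel (and its sig, if any) as the backup pair.
    # Done once only: a second run must not overwrite the backup with our Image.
    if [ ! -f "$boot/Image.backup" ]; then
        cp "$boot/Image" "$boot/Image.backup"
        if [ -f "$boot/Image.sig" ]; then
            cp "$boot/Image.sig" "$boot/Image.backup.sig"
        fi
    fi

    cp "$new_image" "$boot/Image"
    # Any Image.sig left here was computed over the old kernel. An unfused
    # board only warns about it; remove it so the warning is not misread
    # later as the cause of an unrelated boot failure.
    rm -f "$boot/Image.sig"

    # Append the backup entry once, reusing the primary entry's APPEND line.
    if ! grep -q '^LABEL backup$' "$conf"; then
        append_line=$(sed -n '/^[[:space:]]*APPEND /{p;q;}' "$conf")
        [ -n "$append_line" ] || { echo "no APPEND line in $conf" >&2; return 1; }
        printf '\nLABEL backup\n      MENU LABEL backup kernel\n      LINUX /boot/Image.backup\n      INITRD /boot/initrd\n%s\n' \
            "$append_line" >> "$conf"
    fi
}

# boot_labels <boot_dir>: print the LABEL names cboot will offer, in order.
boot_labels() {
    sed -n 's/^LABEL //p' "$1/extlinux/extlinux.conf"
}

# Constructed scratch layout that mimics /boot on the devkit (not real data).
make_scratch_boot() {
    scratch=$1
    mkdir -p "$scratch/boot/extlinux" "$scratch/new"
    printf 'shipped-kernel\n' > "$scratch/boot/Image"
    printf 'shipped-sig\n'    > "$scratch/boot/Image.sig"
    printf 'custom-kernel\n'  > "$scratch/new/Image"
    cat > "$scratch/boot/extlinux/extlinux.conf" <<'EOF'
TIMEOUT 30
DEFAULT primary
MENU TITLE L4T boot options

LABEL primary
      MENU LABEL primary kernel
      LINUX /boot/Image
      INITRD /boot/initrd
      APPEND ${cbootargs} quiet root=/dev/mmcblk0p1 rw rootwait rootfstype=ext4 console=ttyTCU0,115200n8 console=tty0 fbcon=map:0 net.ifnames=0 nv-auto-config
EOF
}

# Rehearsal on a temporary directory; running it twice shows it is idempotent.
tmp=$(mktemp -d)
make_scratch_boot "$tmp"
install_custom_kernel "$tmp/boot" "$tmp/new/Image"
install_custom_kernel "$tmp/boot" "$tmp/new/Image"
boot_labels "$tmp/boot"
```

To apply it to the devkit, run `install_custom_kernel /boot ~/Downloads/Image` as root instead of the scratch call; the menu then offers "primary kernel" (the custom Image) and "backup kernel" (the shipped Image.backup) exactly as in the logs quoted in this thread.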

hello sdz_2011,

could you please omit `sudo mv Image.sig ~/Downloads` from your step 8.
for example,
8.update origin Image and extlinux.conf in /boot in devkit

cd /boot
sudo cp Image Image.backup
sudo mv Image.sig ~/Downloads
sudo cp ~/Downloads/Image /boot

Hi JerryChang:
I have tried not deleting Image.sig; it also repeatedly restarts.

hello sdz_2011,

may I confirm whether this Xavier platform has ever been fused to enable Jetson security?
if yes... you cannot load the kernel image via the filesystem; only a partition flash to update the kernel partition is valid.
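
The whole exchange turns on one log line, `W> Security fuse not burned, ignore validation failure`: on an unfused board cboot reports the OEM authentication failure and then carries on, so the reboot loop has to be explained by something that happens after the kernel is loaded. As an added example (not from the thread or from NVIDIA), the script below classifies the kernel-authentication section of a cboot log so that this warning is not mistaken for the cause. The unfused sample is made of lines quoted in this thread; the "fused" and "signed" samples are constructed, and the assumption that a fused board simply omits the "ignore" line and stops before loading the dtb is taken from JerryChang's reply above, not from an observed log.

```shell
#!/bin/sh
# Added example, not from the thread or from NVIDIA: triage the kernel
# authentication section of a cboot boot log.
set -eu

# Lines quoted from the thread's logs (unfused AGX Xavier, Image.sig missing).
LOG_UNFUSED='[0021.650] E> file /sdmmc_user/boot/Image.sig open failed!!
[0021.650] W> Failed to load kernel sig file (err=202113041)
[0021.651] I> Validate kernel ...
[0021.654] I> T19x: Authenticate kernel (bin_type: 37), max size 0x5000000
[0021.660] E> Stage2Signature validation failed with SHA2!!
[0021.666] C> OEM authentication of kernel header failed!
[0021.671] W> Failed to validate kernel binary from rootfs (err=1077936152, fail=1)
[0021.678] W> Security fuse not burned, ignore validation failure
[0021.684] I> restore load_size to 34629648
[0021.702] I> Loading kernel-dtb ...'

# Constructed (assumed) log for a fused board: same failure, but no "ignore"
# line, so cboot does not go on to load the dtb.
LOG_FUSED='[0021.651] I> Validate kernel ...
[0021.654] I> T19x: Authenticate kernel (bin_type: 37), max size 0x5000000
[0021.660] E> Stage2Signature validation failed with SHA2!!
[0021.666] C> OEM authentication of kernel header failed!
[0021.671] W> Failed to validate kernel binary from rootfs (err=1077936152, fail=1)'

# Constructed (assumed) log for a correctly signed kernel: no failure lines.
LOG_SIGNED='[0021.651] I> Validate kernel ...
[0021.654] I> T19x: Authenticate kernel (bin_type: 37), max size 0x5000000
[0021.702] I> Loading kernel-dtb ...'

# has <log> <fixed-string>: true if the string occurs in the log.
has() { printf '%s\n' "$1" | grep -q -F -- "$2"; }

# kernel_auth_verdict <log>: one token for what the auth section means.
#   unfused-ignored  signature bad or missing but ignored: not the reboot cause
#   fused-fatal      signature bad on a fused board: kernel will not boot from rootfs
#   authenticated    no validation failure reported
kernel_auth_verdict() {
    if has "$1" 'Security fuse not burned, ignore validation failure'; then
        echo unfused-ignored
    elif has "$1" 'OEM authentication of kernel header failed'; then
        echo fused-fatal
    else
        echo authenticated
    fi
}

# sig_file_status <log>: whether cboot found an Image*.sig next to the kernel.
sig_file_status() {
    if has "$1" 'Failed to load kernel sig file'; then echo missing; else echo present; fi
}

# last_stage <log>: the last informational step cboot reached. Anything past
# "Loading kernel-dtb" means the auth warning did not stop the boot, and the
# restart has to be looked for later in the log (kernel, watchdog, ...).
last_stage() {
    printf '%s\n' "$1" | sed -n 's/^\[[0-9.]*\] I> //p' | tail -n 1
}

for name in LOG_UNFUSED LOG_FUSED LOG_SIGNED; do
    eval "log=\$$name"
    printf '%s: verdict=%s sig=%s last=%s\n' "$name" \
        "$(kernel_auth_verdict "$log")" "$(sig_file_status "$log")" "$(last_stage "$log")"
done
```

Feed a real serial capture in with `kernel_auth_verdict "$(cat boot.log)"`; for every log attached in this thread the verdict is unfused-ignored and the last stage is past the kernel-dtb load, which is the evidence that signing the Image would not remove the restart.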
