How to sign/encrypt DTB file with R28.2 (to update DTB via scp/dd)

milan.gornik · February 20, 2019, 3:04pm

Hello,

We are currently using scp/dd approach to flash TX2 and we would like to keep using that, if possible. With the update to R28.2, new requirement was introduced, that DTB files have to be signed/encrypted now. Best solution for us would be the one not requiring any Linux/Ubuntu binaries, however even that is an acceptable solution.

From reading the forum topics, it seemed that tegraflash.py is the tool to use to achieve this (e.g. https://devtalk.nvidia.com/default/topic/1035622/jetson-tx2/in-system-update-of-dtb-in-r28-2/1) However, I am having trouble using this tool. While it is trying to execute tegrasign (to select the proper binary), I am getting this Python exception:

command = exec_file('tegrasign')
  File "...../jetpack/64_TX2/Linux_for_Tegra/bootloader/tegraflash_internal.py", line 1507, in exec_file
    if values['--tegraflash_v2']:
KeyError: '--tegraflash_v2'

Checking out these Python files, it seems that --tegraflash_v2 option should be transferred from tegraflash.py to tegraflash_internal.py, however that is not happening. Not sure how is this tool meant to be used - I am hoping someone is using it for signing DTB files and maybe can share a simple example of tegraflash.py call syntax to sign a DTB file?

I tried another thing. From looking at the flash logs, it looked like DTB signing/encryption could be done using another set of tools (tegrahost, tegrasign).

./tegrahost_v2 --align file.dtb
./tegrahost_v2 --appendsigheader file.dtb zerosbk

previous produces file: file_sigheader.dtb

./tegrasign_v2 --key None --file file_sigheader.dtb

previous produces files:

file_sigheader.hash

file_sigheader_encrypt.dtb

Final step:

./tegrahost_v2 --updatesigheader file_sigheader_encrypt.dtb file_sigheader.hash zerosbk

This produces a file which has a header of proper size and looks like what it should be. However, when I upload this as a DTB file to TX2 board, it won’t boot properly. I am getting this:

[0002.760] I> Loading partition kernel-dtb at 0x92000000
[0002.772] I> tegrabl_auth_payload: partition kernel-dtb (bin_type 1)
[0002.779] C> ERROR: Highest Layer Module = 0x1d, Lowest Layer Module = 0x15,
Aux Info = 0x0, Reason = 0x1c

I apologize I’m reporting couple of related subjects in this single topic. However I need to resolve this one way or another, so trying to investigate these different approaches further seemed liked a good idea. Thanks for your time!

JerryChang · February 21, 2019, 2:23am

hello milan.gornik,

you should check comment #7 in Topic 1035622 for detail steps.
also, please refer to Topic 1042852 for some related discussion.
thanks

Topic		Replies	Views
r32.3.1 Is there a tegraflash.py available to run on the Jetson Tx2? Jetson TX2	5	595	October 18, 2021
How to disable DTB encryption of L4T 28.2 Jetson TX2	13	1940	October 18, 2021
DTB partition format change from R28.1 vs R28.2 Jetson TX1	7	1108	October 18, 2021
In-system update of DTB in R28.2 Jetson TX2	16	4648	March 11, 2021
[TX2] Can not flash tx2 any more Jetson TX2	9	787	October 18, 2021
Request for a tool to update device tree locally. Jetson TX2	24	3520	October 18, 2021
Tegraflash.py error Jetson Nano reflash , security	5	1536	October 15, 2021
Flash dtb to external device,such as NVME Jetson Xavier NX reflash , device-tree	9	479	December 28, 2022
tegrasign replacement for Jetson Nano for DTB file generation Jetson Nano	4	1668	July 16, 2020
FDT error Jetson Tx2 with R28.2.1 package Jetson TX2	9	1471	October 18, 2021

How to sign/encrypt DTB file with R28.2 (to update DTB via scp/dd)

Related topics