How to sign/encrypt DTB file with R28.2 (to update DTB via scp/dd)

Hello,

We are currently using the scp/dd approach to flash the TX2 and we would like to keep using that, if possible. With the update to R28.2, a new requirement was introduced: DTB files have to be signed/encrypted now. The best solution for us would be one not requiring any Linux/Ubuntu binaries; however, even that is an acceptable solution.

From reading the forum topics, it seemed that tegraflash.py is the tool to use to achieve this (e.g. https://devtalk.nvidia.com/default/topic/1035622/jetson-tx2/in-system-update-of-dtb-in-r28-2/1). However, I am having trouble using this tool. While it is trying to execute tegrasign (to select the proper binary), I am getting this Python exception:

command = exec_file('tegrasign')
  File "...../jetpack/64_TX2/Linux_for_Tegra/bootloader/tegraflash_internal.py", line 1507, in exec_file
    if values['--tegraflash_v2']:
KeyError: '--tegraflash_v2'

Checking out these Python files, it seems that the --tegraflash_v2 option should be transferred from tegraflash.py to tegraflash_internal.py; however, that is not happening. I am not sure how this tool is meant to be used. I am hoping someone is using it for signing DTB files and can maybe share a simple example of the tegraflash.py call syntax to sign a DTB file?

I tried another thing. From looking at the flash logs, it looked like DTB signing/encryption could be done using another set of tools (tegrahost, tegrasign).

./tegrahost_v2 --align file.dtb
./tegrahost_v2 --appendsigheader file.dtb zerosbk

The previous command produces the file: file_sigheader.dtb

./tegrasign_v2 --key None --file file_sigheader.dtb

The previous command produces the files:

file_sigheader.hash

file_sigheader_encrypt.dtb

Final step:

./tegrahost_v2 --updatesigheader file_sigheader_encrypt.dtb file_sigheader.hash zerosbk

This produces a file which has a header of proper size and looks like what it should be. However, when I upload this as a DTB file to TX2 board, it won’t boot properly. I am getting this:

[0002.760] I> Loading partition kernel-dtb at 0x92000000
[0002.772] I> tegrabl_auth_payload: partition kernel-dtb (bin_type 1)
[0002.779] C> ERROR: Highest Layer Module = 0x1d, Lowest Layer Module = 0x15, Aux Info = 0x0, Reason = 0x1c

I apologize that I’m reporting a couple of related subjects in this single topic. However, I need to resolve this one way or another, so trying to investigate these different approaches further seemed like a good idea. Thanks for your time!

hello milan.gornik,

You should check comment #7 in Topic 1035622 for detailed steps.
Also, please refer to Topic 1042852 for some related discussion.
Thanks