How to sign tegra194-p3668-all-p3509-0000.dtb?

jason.lu · August 9, 2021, 8:01pm

I am using “FDT /boot/tegra194-p3668-all-p3509-0000.dtb” ( /boot/extlinux/extlinux.conf) in my jetson-xavier-nx-devkit-emmc module.

As the production fuse has been burned, " tegra194-p3668-all-p3509-0000.dtb" need to be signed and the signed file “tegra194-p3668-all-p3509-0000.dtb.sig” is supposed to stay under /boot also.

How to get the signed file using “flash.sh” script? Then two files can be put under /boot directory and let CBoot to pass the authentication?

Thanks a lot for the help!

JerryChang · August 10, 2021, 3:04am

hello jason.lu,

while you’re loading device tree blob through FDT entry, the binary file doesn’t need to be signed/encrypted.

jason.lu · August 10, 2021, 3:16am

Hi Jerry,

If the production fuse has not been burned, CBoot will ignore the authentication. But, if the production fuse has been burned, CBoot will fail in authentication. Here is part of the booting message about CBoot authentication:

...
[0019.066] W> Failed to load kernel-dtb sig file (err=202113041)

[0019.072] I> Loading kernel-dtb binary from rootfs ...

[0019.077] I> rootfs path: /sdmmc_user/boot/tegra194-p3668-all-p3509-0000.dtb

[0019.109] I> Validate kernel-dtb ...

[0019.109] I> T19x: Authenticate kernel-dtb (bin_type: 38), max size 0x400000

[0019.110] E> Stage2Signature validation failed with SHA2!!

[0019.110] C> OEM authentication of kernel-dtb header failed!

[0019.111] W> Failed to validate kernel-dtb binary (err=1077936152, fail=1)

[0019.112] E> Security fuse is burned, abort loading binary from rootfs   <======== production fuse !!!!

[0019.118] W> No valid slot number is found in scratch register

[0019.124] W> Return default slot: _a

[0019.127] I> A/B: bin_type (38) slot 0

[0019.131] I> Loading kernel-dtb from partition

[0019.135] I> Loading partition kernel-dtb at 0x91000000 from device(0x1)

[0019.152] I> Validate kernel-dtb ...

[0019.153] I> T19x: Authenticate kernel-dtb (bin_type: 38), max size 0x400000
...

Thanks!

Jason

JerryChang · August 10, 2021, 5:40am

hello jason.lu,

that’s correct, it loads device tree blob via partition only when Jetson security enabled.
you may refer to Flashing a Specific Partition to update kernel-dtb partition, it’ll generate sign/encrypt file and also update the partition.
furthermore, please add --no-flash options, if you would like to create the file locally.
for example,
$ sudo ./flash.sh --no-flash -r -k kernel-dtb jetson-xavier-nx mmcblk0p1

jason.lu · August 11, 2021, 6:26pm

Thanks Jerry!

system · October 17, 2021, 6:25am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to load DTB instead of flashing to eMMC? Jetson AGX Xavier nvbugs	28	4053	August 18, 2021
Custom dts(i) not taken into account Jetson Xavier NX	4	383	November 24, 2021
Flash dtb to external device,such as NVME Jetson Xavier NX reflash , device-tree	9	479	December 28, 2022
Failed to flash signed boot image Jetson Xavier NX security	10	1388	September 19, 2021
Failed to find/load /boot/extlinux/extlinux.conf Jetson AGX Xavier boot , kernel , cboot	6	1951	August 3, 2022
Why are my kernel dtb sig files invalid? Jetson TX2 board-design , device-tree	2	613	June 22, 2022
Encrypting custom dtb file with Tegraflash.py Jetson Nano security	2	554	October 15, 2021
Create .sig files for kernel and dtb Jetson Xavier NX security	6	2176	October 18, 2021
Jetson Xavier NX update dtb fail Jetson Xavier NX kernel , device-tree	7	1042	October 10, 2022
Secure tftpboot issue. Jetson AGX Xavier	3	505	June 27, 2019

How to sign tegra194-p3668-all-p3509-0000.dtb?

Related topics