How to sign tegra194-p3668-all-p3509-0000.dtb?

I am using “FDT /boot/tegra194-p3668-all-p3509-0000.dtb” ( /boot/extlinux/extlinux.conf) in my jetson-xavier-nx-devkit-emmc module.

As the production fuse has been burned, “tegra194-p3668-all-p3509-0000.dtb” needs to be signed, and the signed file “tegra194-p3668-all-p3509-0000.dtb.sig” is supposed to stay under /boot as well.

How do I get the signed file using the “flash.sh” script? Then can the two files be put under the /boot directory so that CBoot passes the authentication?

Thanks a lot for the help!

hello jason.lu,

While you’re loading the device tree blob through the FDT entry, the binary file doesn’t need to be signed/encrypted.

Hi Jerry,

If the production fuse has not been burned, CBoot will ignore the authentication. But if the production fuse has been burned, CBoot will fail authentication. Here is part of the boot message about CBoot authentication:

...
[0019.066] W> Failed to load kernel-dtb sig file (err=202113041)
[0019.072] I> Loading kernel-dtb binary from rootfs ...
[0019.077] I> rootfs path: /sdmmc_user/boot/tegra194-p3668-all-p3509-0000.dtb
[0019.109] I> Validate kernel-dtb ...
[0019.109] I> T19x: Authenticate kernel-dtb (bin_type: 38), max size 0x400000
[0019.110] E> Stage2Signature validation failed with SHA2!!
[0019.110] C> OEM authentication of kernel-dtb header failed!
[0019.111] W> Failed to validate kernel-dtb binary (err=1077936152, fail=1)
[0019.112] E> Security fuse is burned, abort loading binary from rootfs   <======== production fuse !!!!
[0019.118] W> No valid slot number is found in scratch register
[0019.124] W> Return default slot: _a
[0019.127] I> A/B: bin_type (38) slot 0
[0019.131] I> Loading kernel-dtb from partition
[0019.135] I> Loading partition kernel-dtb at 0x91000000 from device(0x1)
[0019.152] I> Validate kernel-dtb ...
[0019.153] I> T19x: Authenticate kernel-dtb (bin_type: 38), max size 0x400000
...

Thanks!

Jason
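Added example, not code from the thread or from NVIDIA: a POSIX shell function that triages a captured CBoot serial log like the one quoted above, reporting which binary failed OEM authentication, the signature-file and validation error codes, whether the fuse check aborted the rootfs load, and whether CBoot fell back to the partition copy. The sample log is constructed from the lines in the post; the function and output format are this example's own.

```shell
# Constructed sample, taken from the CBoot output quoted in the post above.
CBOOT_SAMPLE='[0019.066] W> Failed to load kernel-dtb sig file (err=202113041)
[0019.072] I> Loading kernel-dtb binary from rootfs ...
[0019.077] I> rootfs path: /sdmmc_user/boot/tegra194-p3668-all-p3509-0000.dtb
[0019.109] I> Validate kernel-dtb ...
[0019.109] I> T19x: Authenticate kernel-dtb (bin_type: 38), max size 0x400000
[0019.110] E> Stage2Signature validation failed with SHA2!!
[0019.110] C> OEM authentication of kernel-dtb header failed!
[0019.111] W> Failed to validate kernel-dtb binary (err=1077936152, fail=1)
[0019.112] E> Security fuse is burned, abort loading binary from rootfs
[0019.131] I> Loading kernel-dtb from partition
[0019.152] I> Validate kernel-dtb ...
[0019.153] I> T19x: Authenticate kernel-dtb (bin_type: 38), max size 0x400000'

# cboot_auth_report [LOGFILE]   (reads stdin when no file is given)
# Prints one line per binary whose OEM authentication failed:
#   <binary> <source> sig_err=<code> err=<code> fused=<yes|no> fallback=<yes|no>
cboot_auth_report() {
    awk '
    # Where CBoot tried to load the binary from (rootfs vs. partition)
    / I> Loading [^ ]+ binary from rootfs/ { src[$4] = "rootfs" }
    # Error when the <name>.sig companion file could not be loaded
    / W> Failed to load [^ ]+ sig file/ {
        b = $6; sub(/.*err=/, ""); sub(/\).*/, ""); sigerr[b] = $0
    }
    # The header signature check itself failed
    / C> OEM authentication of [^ ]+ header failed/ { failed[$6] = 1 }
    # Overall validation error code for that binary
    / W> Failed to validate [^ ]+ binary/ {
        b = $6; sub(/.*err=/, ""); sub(/,.*/, ""); err[b] = $0
    }
    # Production fuse burned: CBoot refuses the unsigned rootfs copy
    / E> Security fuse is burned/ { fused = "yes" }
    # CBoot fell back to the signed copy in the kernel-dtb partition
    / I> Loading [^ ]+ from partition/ { if ($4 in failed) fallback[$4] = "yes" }
    END {
        for (b in failed)
            printf "%s %s sig_err=%s err=%s fused=%s fallback=%s\n", b,
                (b in src ? src[b] : "unknown"),
                (b in sigerr ? sigerr[b] : "-"), (b in err ? err[b] : "-"),
                (fused ? fused : "no"), (b in fallback ? fallback[b] : "no")
    }' "$@"
}

# Usage: run the report over the constructed sample
printf '%s\n' "$CBOOT_SAMPLE" | cboot_auth_report
```

Point it at a real serial capture (`cboot_auth_report boot.log`) to see at a glance whether a boot failure is a missing .sig file, a signature mismatch, or a successful fallback to the partition.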

hello jason.lu,

That’s correct: it loads the device tree blob via the partition only when Jetson security is enabled.
You may refer to Flashing a Specific Partition to update the kernel-dtb partition; it will generate the signed/encrypted file and also update the partition.
Furthermore, please add the --no-flash option if you would like to create the file locally.
For example:
$ sudo ./flash.sh --no-flash -r -k kernel-dtb jetson-xavier-nx mmcblk0p1

Thanks Jerry!