How to sign the kernel and kernel modules(.ko) on jetpack 4.61 (Xavier SOM) which should be install on the key matching

Hi NVIDIA Support Team,

I am working on an NVIDIA Jetson AGX Xavier SOM running JetPack 4.6.1 (L4T 32.7.x).
The SOM is ODM-fused (Secure Boot enabled) using odmfuse.sh with RSA keys and SBK/KEK keys.

Now I need to sign the kernel and kernel modules (.ko) so that the Xavier SOM will load them only when the signatures match the fused secure-boot keys.

I am facing difficulty understanding the correct steps for JetPack 4.6.1, because most documentation online applies to JetPack 5.x / L4T 35.x.


My Questions

  1. How do I sign a custom kernel module (.ko) so that it loads on a Secure Boot–fused AGX Xavier?

    • How to generate signing_key.pem, x509 certificate, and where to place them in the kernel source?

    • Which CONFIG_MODULE_SIG* options must be enabled in JetPack 4.6.1 kernel config?

    • How to use sign-file on L4T 32.7.x where scripts/sign-file is missing?

  2. After signing, how do I install the signed kernel and .ko module properly?

    • Any flash commands needed?

    • Is re-building + re-flashing mandatory after enabling module signing?

it looks duplicated, let’s keep using Topic 351950 for tracking.