Hi NVIDIA Support Team,
I am working on an NVIDIA Jetson AGX Xavier SOM running JetPack 4.6.1 (L4T 32.7.x).
The SOM is ODM-fused (Secure Boot enabled) using odmfuse.sh with RSA keys and SBK/KEK keys.
Now I need to sign the kernel and kernel modules (.ko) so that the Xavier SOM will load them only when the signatures match the fused secure-boot keys.
I am facing difficulty understanding the correct steps for JetPack 4.6.1, because most documentation online applies to JetPack 5.x / L4T 35.x.
My Questions
-
How do I sign a custom kernel module (
.ko) so that it loads on a Secure Boot–fused AGX Xavier?-
How to generate
signing_key.pem,x509certificate, and where to place them in the kernel source? -
Which
CONFIG_MODULE_SIG*options must be enabled in JetPack 4.6.1 kernel config? -
How to use
sign-fileon L4T 32.7.x wherescripts/sign-fileis missing?
-
-
After signing, how do I install the signed kernel and .ko module properly?
-
Any flash commands needed?
-
Is re-building + re-flashing mandatory after enabling module signing?
-