Is there a way to disable Image.sig authentication?


We at Concurrent Real-Time develop an RTOS on top of the L4T Tegra kernel source. With JetPack 4.3, cboot allows booting custom kernels during the boot process by updating the extlinux.conf file.

However, I am seeing the messages below when I select a custom kernel during boot:

[0005.300] I> Loading extlinux.conf ...
[0005.300] I> rootfs path: /sdmmc_user/boot/extlinux/extlinux.conf
[0005.337] I> L4T boot options
[0005.337] I> [1]: "primary kernel"
[0005.337] I> [2]: "redhawk-trace kernel"
[0005.337] I> [3]: "redhawk-prt-trace kernel"
[0005.338] I> Enter choice: 
[0006.178] I> Selected option: 2
[0006.179] I> Loading kernel sig file from rootfs ...
[0006.179] I> rootfs path: /sdmmc_user/boot/Image-4.9.140-rt94-r32.3.1-tegra-RedHawk-7.5.2-trace.sig
[0012.391] I> lookup_linear_dir:436: Invalid file block num
[0012.391] I> ext2_walk:142: 'Image-4.9.140-rt94-r32.3.1-tegra-RedHawk-7.5.2-trace.sig' lookup failed
[0012.392] I> ext4_open_file:638: '/boot/Image-4.9.140-rt94-r32.3.1-tegra-RedHawk-7.5.2-trace.sig' lookup failed
[0012.393] E> file /sdmmc_user/boot/Image-4.9.140-rt94-r32.3.1-tegra-RedHawk-7.5.2-trace.sig open failed!!
[0012.400] W> Failed to load kernel sig file (err=202113041)
[0012.405] I> Loading kernel binary from rootfs ...
[0012.410] I> rootfs path: /sdmmc_user/boot/Image-4.9.140-rt94-r32.3.1-tegra-RedHawk-7.5.2-trace
[0012.572] I> Validate kernel ...
[0012.572] I> T19x: Authenticate kernel (bin_type: 37), max size 0x5000000
[0012.573] E> Stage2Signature validation failed with SHA2!!
[0012.573] C> OEM authentication of kernel header failed!
[0012.573] W> Failed to validate kernel binary (err=1077936152)
[0012.574] W> Security fuse not burned, continue to boot

Is there a way to disable looking up of the *.sig file and/or a way to generate this file?

If I understand the message correctly, it seems like the end-user will fuse the system with their authentication keys including the kernel, DTB and initrd images. Please feel free to correct it.

We are only software providers so we don’t need to worry about all this, but it will be great if either there’s a way to disable, fix or get around it. We are one of the Jetson partners of NVIDIA.

This can be achieved by disabling the CONFIG_ENABLE_SECURE_BOOT feature.
Remove the following line from bootloader/partner/t18x/cboot/platform/t194/

Ohh, okay. We don’t wish to update cboot for official releases, but we can update it for our internal testing.
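The log in the question shows a kernel that failed authentication but was still booted because the security fuse was not burned. The following check is an added example, not code from this thread or from NVIDIA: it scans a cboot console log for that condition, matching only message strings quoted above. The function names and the sample kernel path are hypothetical, and it assumes that a log with no failure message means validation passed.

```python
import re

# Constructed sample in the format of the cboot log quoted in the thread.
SAMPLE_LOG = """\
[0006.179] I> Loading kernel sig file from rootfs ...
[0012.400] W> Failed to load kernel sig file (err=202113041)
[0012.405] I> Loading kernel binary from rootfs ...
[0012.410] I> rootfs path: /sdmmc_user/boot/Image-custom
[0012.572] I> Validate kernel ...
[0012.573] E> Stage2Signature validation failed with SHA2!!
[0012.573] C> OEM authentication of kernel header failed!
[0012.573] W> Failed to validate kernel binary (err=1077936152)
[0012.574] W> Security fuse not burned, continue to boot
"""

LINE_RE = re.compile(r"^\[(\d+\.\d+)\]\s+([A-Z])>\s+(.*)$")

def parse(log):
    """Yield (timestamp, level, message) for each well-formed cboot log line."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield float(m.group(1)), m.group(2), m.group(3)

def kernel_auth_status(log):
    """Summarise kernel authentication for one boot log."""
    # Assumption: a "Validate kernel" line with no later failure means success.
    status = {"kernel_path": None, "sig_loaded": None, "validated": None,
              "booted_unauthenticated": False}
    loading = None  # which file the next "rootfs path:" line belongs to
    for _ts, _level, msg in parse(log):
        if msg.startswith("Loading kernel sig file"):
            loading, status["sig_loaded"] = "sig", True
        elif msg.startswith("Loading kernel binary"):
            loading = "kernel"
        elif msg.startswith("rootfs path:") and loading == "kernel":
            status["kernel_path"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("Failed to load kernel sig file"):
            status["sig_loaded"] = False
        elif msg.startswith("Validate kernel"):
            status["validated"] = True
        elif msg.startswith("Failed to validate kernel binary"):
            status["validated"] = False
        elif msg.startswith("Security fuse not burned") and status["validated"] is False:
            status["booted_unauthenticated"] = True
    return status

if __name__ == "__main__":
    print(kernel_auth_status(SAMPLE_LOG))
```

A device whose log yields `booted_unauthenticated` as true is running a kernel that cboot could not verify, which is expected on unfused development units and worth flagging anywhere else.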