in the release notes of l4t-32.6.1 the following point is mentioned (Jetson Linux R32.6.1 Release Page | NVIDIA Developer):
- Secure boot is enhanced for Jetson TX2 series to extend encryption support to kernel, kernel-dtb and initrd.
But neither the documentation is updated for the TX2 (https://docs.nvidia.com/jetson/archives/l4t-archived/l4t-3271/index.html#page/Tegra%20Linux%20Driver%20Package%20Development%20Guide/bootloader_secure_boot.html#wwpID0EYHA) nor does it seem to work when following the flow as described for the “Jetson Xavier NX series and Jetson AGX Xavier series”.
We don’t really need encryption of those files but we want to have secure boot into the kernel. So I changed the flash.sh script to sign the images for the TX2 as well (they are just signed for the Jetson AGX Xavier by default):
- do_sign="False"; + do_sign="True";
This successfully creates the .sig files for the relevant files.
I fused the device like this:
./odmfuse.sh -i 0x18 -k rsa_priv_secureboot.pem --disable-jtag -p jetson-tx2-4GB
And then flashed the board like this:
./flash.sh -u rsa_priv_secureboot.pem jetson-tx2-4GB mmcblk0p1
This was mostly working (except that loading of the initrd failed). So I stopped signing the initrd for now by commenting this line:
#signimage "./initrd" "True" "data"; chkerr; which then resulted in a bootable system again.
I assume this is because I have some wrong kernel configuration. Would you know what I could be missing (but that’s not my main question)?
So I got a working system again with signed extlinux.conf, Image and device tree, which I found strange already.
But then I noticed that signatures don’t seem to be checked as I can modify the extlinux.conf and the Image (didn’t check the device tree), while keeping the .sig files unchanged, and the system still happily boots.
So am I missing something? Is this actually supported on the TX2 after all?