Hi, I want to enable secure boot on a Jetson Nano production module with L4T 32.7.3. Somehow I am not able to sign the image. I created a PKC using the following command (as described in the docs):
openssl genrsa -out rsa_priv.pem 2048
After that I tried to sign the image using the flash.sh script with the --no-flash option:
sudo ./flash.sh --no-flash -u /home/hesmar/Development/secure_boot_keys/rsa_priv.pem jetson-nano-devkit-emmc mmcblk0p1
This gives me the following output:
###############################################################################
# L4T BSP Information:
# R32 , REVISION: 7.3
###############################################################################
Board ID() version()
copying bctfile(/home/hesmar/Development/3dvisionlabs/embedded/yocto2/l4t-32.7.3/Linux_for_Tegra/bootloader/t210ref/BCT/P3448_A00_lpddr4_204Mhz_P987.cfg)... done.
copying bootloader(/home/hesmar/Development/3dvisionlabs/embedded/yocto2/l4t-32.7.3/Linux_for_Tegra/bootloader/t210ref/cboot.bin)... done.
copying initrd(/home/hesmar/Development/3dvisionlabs/embedded/yocto2/l4t-32.7.3/Linux_for_Tegra/bootloader/l4t_initrd.img)... done.
Making Boot image... done.
Existing sosfile(/home/hesmar/Development/3dvisionlabs/embedded/yocto2/l4t-32.7.3/Linux_for_Tegra/bootloader/nvtboot_recovery.bin) reused.
copying tegraboot(/home/hesmar/Development/3dvisionlabs/embedded/yocto2/l4t-32.7.3/Linux_for_Tegra/bootloader/t210ref/nvtboot.bin)... done.
copying cpu_bootloader(/home/hesmar/Development/3dvisionlabs/embedded/yocto2/l4t-32.7.3/Linux_for_Tegra/bootloader/t210ref/cboot.bin)... done.
copying bpffile(/home/hesmar/Development/3dvisionlabs/embedded/yocto2/l4t-32.7.3/Linux_for_Tegra/bootloader/t210ref/sc7entry-firmware.bin)... done.
copying wb0boot(/home/hesmar/Development/3dvisionlabs/embedded/yocto2/l4t-32.7.3/Linux_for_Tegra/bootloader/t210ref/warmboot.bin)... done.
Existing tosfile(/home/hesmar/Development/3dvisionlabs/embedded/yocto2/l4t-32.7.3/Linux_for_Tegra/bootloader/tos-mon-only.img) reused.
Existing eksfile(/home/hesmar/Development/3dvisionlabs/embedded/yocto2/l4t-32.7.3/Linux_for_Tegra/bootloader/eks.img) reused.
copying dtbfile(/home/hesmar/Development/3dvisionlabs/embedded/yocto2/l4t-32.7.3/Linux_for_Tegra/kernel/dtb/tegra210-p3448-0000-p3449-0000-a00.dtb)... done.
Copying nv_boot_control.conf to rootfs
populating kernel to rootfs... done.
populating initrd to rootfs... done.
populating kernel_tegra210-p3448-0000-p3449-0000-a00.dtb to rootfs... done.
Making system.img...
populating rootfs from /home/hesmar/Development/3dvisionlabs/embedded/yocto2/l4t-32.7.3/Linux_for_Tegra/rootfs ... populating /boot/extlinux/extlinux.conf ... done.
Sync'ing system.img ... done.
Converting RAW image to Sparse image... done.
system.img built successfully.
Existing tbcfile(/home/hesmar/Development/3dvisionlabs/embedded/yocto2/l4t-32.7.3/Linux_for_Tegra/bootloader/nvtboot_cpu.bin) reused.
copying tbcdtbfile(/home/hesmar/Development/3dvisionlabs/embedded/yocto2/l4t-32.7.3/Linux_for_Tegra/kernel/dtb/tegra210-p3448-0000-p3449-0000-a00.dtb)... done.
copying cfgfile(/home/hesmar/Development/3dvisionlabs/embedded/yocto2/l4t-32.7.3/Linux_for_Tegra/bootloader/t210ref/cfg/flash_l4t_t210_emmc_p3448.xml) to flash.xml... done.
copying flasher(/home/hesmar/Development/3dvisionlabs/embedded/yocto2/l4t-32.7.3/Linux_for_Tegra/bootloader/t210ref/cboot.bin)... done.
Existing flashapp(/home/hesmar/Development/3dvisionlabs/embedded/yocto2/l4t-32.7.3/Linux_for_Tegra/bootloader/tegraflash.py) reused.
./tegraflash.py --cfg flash.xml --bl cboot.bin --bct P3448_A00_lpddr4_204Mhz_P987.cfg --odmdata 0xa4000 --bldtb kernel_tegra210-p3448-0000-p3449-0000-a00.dtb.signed --applet nvtboot_recovery.bin --cmd "sign" --chip 0x21 --key /home/hesmar/Development/secure_boot_keys/rsa_priv.pem
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands
[ 0.0038 ] Using default ramcode: 0
[ 0.0038 ] Disable BPMP dtb trim, using default dtb
[ 0.0038 ]
[ 0.0053 ] tegrasign --getmode mode.txt --key /home/hesmar/Development/secure_boot_keys/rsa_priv.pem
[ 0.0056 ] Invalid key format
[ 0.0057 ]
Error: Return value 11
Command tegrasign --getmode mode.txt --key /home/hesmar/Development/secure_boot_keys/rsa_priv.pem
cp: Aufruf von stat für 'signed/*' nicht möglich: Datei oder Verzeichnis nicht gefunden
./tegraflash.py --bl cboot.bin.signed --bct P3448_A00_lpddr4_204Mhz_P987.bct --odmdata 0xa4000 --bldtb kernel_tegra210-p3448-0000-p3449-0000-a00.dtb.signed --applet rcm_1_signed.rcm --cmd "secureflash;reboot" --cfg flash.xml --chip 0x21 --bins "EBT cboot.bin; DTB tegra210-p3448-0000-p3449-0000-a00.dtb" --key "/home/hesmar/Development/secure_boot_keys/rsa_priv.pem"
saving flash command in /home/hesmar/Development/3dvisionlabs/embedded/yocto2/l4t-32.7.3/Linux_for_Tegra/bootloader/flashcmd.txt
saving Windows flash command to /home/hesmar/Development/3dvisionlabs/embedded/yocto2/l4t-32.7.3/Linux_for_Tegra/bootloader/flash_win.bat
assign_value: crc-flash.xml.bin 1 131056 1
printf '\x1' | dd of=crc-flash.xml.bin bs=1 seek=131056 count=1 conv=notrunc
1+0 Datensätze ein
1+0 Datensätze aus
1 Byte kopiert, 3,2603e-05 s, 30,7 kB/s
assign_value: crc-flash.xml.bin 0 131057 1
printf '\x0' | dd of=crc-flash.xml.bin bs=1 seek=131057 count=1 conv=notrunc
1+0 Datensätze ein
1+0 Datensätze aus
1 Byte kopiert, 2,9403e-05 s, 34,0 kB/s
assign_string: crc-flash.xml.bin PTHD 131064 4
echo PTHD | dd of=crc-flash.xml.bin bs=1 seek=131064 count=4 conv=notrunc
4+0 Datensätze ein
4+0 Datensätze aus
4 Bytes kopiert, 4,3638e-05 s, 91,7 kB/s
*** no-flash flag enabled. Exiting now... ***
It seems that signing failed because of an invalid key format. Any ideas what's wrong here?
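
An added diagnostic example, not part of the original post or of NVIDIA's tooling: `openssl genrsa` writes PKCS#1 framing (`BEGIN RSA PRIVATE KEY`) under OpenSSL 1.1.1 but PKCS#8 framing (`BEGIN PRIVATE KEY`) by default under OpenSSL 3.x, so a first check for an "Invalid key format" error is which framing the key file actually has. That the signing tool rejects the key for this reason is an assumption the page does not confirm; the function names `pem_key_format` and `to_pkcs1` are illustrative.

```shell
#!/bin/sh
# Classify the PEM framing of a private key file by its armor lines.
# Prints one of: pkcs1-rsa, pkcs1-rsa-encrypted, pkcs8, pkcs8-encrypted,
# not-a-private-key, missing. Hypothetical helper, not an NVIDIA tool.
pem_key_format() {
    file=$1
    [ -r "$file" ] || { echo missing; return 1; }
    # First armor line, with any CR (Windows line endings) stripped.
    begin=$(tr -d '\r' < "$file" | sed -n '/^-----BEGIN .*-----$/{p;q;}')
    case $begin in
        '-----BEGIN RSA PRIVATE KEY-----')
            # Legacy PEM encryption is flagged by a Proc-Type header line.
            if tr -d '\r' < "$file" | grep -q '^Proc-Type: 4,ENCRYPTED$'; then
                echo pkcs1-rsa-encrypted
            else
                echo pkcs1-rsa
            fi ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        *)                                       echo not-a-private-key ;;
    esac
}

# Re-encode an unencrypted RSA key as PKCS#1 into a NEW file, leaving the
# original untouched. OpenSSL 3.x needs -traditional for PKCS#1 output;
# older releases emit PKCS#1 from `openssl rsa` by default, hence the
# fallback. Succeeds only if the result really carries PKCS#1 framing.
to_pkcs1() {
    (
        umask 077   # the output is private key material
        openssl rsa -in "$1" -traditional -out "$2" 2>/dev/null ||
            openssl rsa -in "$1" -out "$2" 2>/dev/null
    ) || return 1
    [ "$(pem_key_format "$2")" = pkcs1-rsa ]
}

# Stand-alone use: ./keyfmt.sh rsa_priv.pem
if [ $# -gt 0 ]; then
    pem_key_format "$1"
fi
```

Under the stated assumption, a key reported as `pkcs8` would be re-encoded with `to_pkcs1 rsa_priv.pem rsa_priv_pkcs1.pem` (or regenerated with `openssl genrsa -traditional` on OpenSSL 3.x) before retrying the signing step.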