Secure tftpboot issue.

I am trying to work with TFTP + NFS boot. I changed boot-order in CPUBL-CFG partition, and watching the serial console that is working.

I generate signed kernel and kernel-dtb files with the following commands:

sudo --no-flash -N -k kernel-dtb jetson-xavier eth0
sudo --no-flash -N -k kernel jetson-xavier eth0

I have 2 Jetson AGX Xavier kits in hand and they show different behaviour that I need to understand.

Xavier1: Have been working with it and used SDK manager and many times. ( JetPack 4.2 )
Xavier2: Brand new, never been reflashed with those tools (the only usb cable I plugged in was the serial console, I updated CPUBL-CFG partition using dd command)

Xavier1 will boot with tegra194-p2888-0001-p2822-0000_sigheader.dtb.encrypt and boot_sigheader.img.encrypt from tftp ( appropriately renamed without _sigheader and .encrypt). It gives me a “Stage2Signature validation failed with SHA2!!” when I put tegra194-p2888-0001-p2822-0000.dtb and boot.img in tftp server.

Xavier2 will boot with tegra194-p2888-0001-p2822-0000.dtb and boot.img from tftp. Using the _sigheader and .encrypt files give an “header magic mismatch”

According to

I would expect tegra194-p2888-0001-p2822-0000.dtb and boot.img to be the signed working files, so the question is why do I need tegra194-p2888-0001-p2822-0000_sigheader.dtb.encrypt and boot_sigheader.img.encrypt for Xavier1 and how can I have a unified solution?

1 Like

hello fguimond,

both kernel and kernel-dtb should be signed and encrypted, please also refer to Jetson AGX Xavier Boot Flow for the details.
hence, you should replace *.dtb and *.img with the signed and encrypted files in your nfsroot also.
please run flash scripts with “–no-flash” options to generate encrypted and singed files locally.


Hello JerryChang,

Thanks for taking the time to answer me, but your response confuses me for the following reasons:

  • The provided link only mention signed or encrypted for MB1 which is not part of the topic because cboot does the tftp fetch, so I don’t understand what you are trying to explain me with this link.
  • If dtb and img files are loaded from tftp, why would they need to be on the nfsroot? Also, we are talking about boot.img or something else? (because boot.img is not in /boot if I run a regular jetson-xavier mmcblk0p1 with Tegra_Linux_Sample-Root-Filesystem_R32.1.0_aarch64.tbz2 extracted in the rootfs folder)
  • As for running the “–no-flash”, that was in my initial post, but it generates Linux_for_Tegra/bootloader/boot.img and Linux_for_Tegra/bootloader/boot_sigheader.img.encrypt files. There is no Linux_for_Tegra/bootloader/signed folder… My understanding of your explanation is the .encrypt file is the right one, but never mention it…

So assuming the _sigheader.encrypt files are the right ones, why a fresh Xavier DevKit out of the box won’t accept to boot with them?

Some information which may help…

Most (but not all) of the files in “/boot” are no longer used, and ended up being moved to partitions. In cases where content moved to partitions it is because boot stages prior to the regular bootloader running needed to read that content, and those earlier stages don’t understand the ext4 filesystem. Later on Xavier stopped using U-Boot and started booting directly from CBoot. Think of any content which was moved into a partition as needing to be signed, else early boot stages will reject the content.

1 Like