Signing device trees

ajellisuk · July 13, 2021, 9:35am

Hello

I am working on a deivce tree for my own hardware, and although the device tree compiles without error, the kernel boot fails. I’m not seeing an error from the kernel bootlog, so it’s making it very hard to debug this.

One of my colleagues asked if a device tree needs to be signed before it can be used on a Jetson system.

So my questions are, does a device tree need to be signed before it can be used? And how do I sign it?

Thanks in advance

Andrew

linuxdev · July 13, 2021, 5:09pm

There are two ways to install a device tree, and only one requires signing.

If you name a device tree in the “/boot/extlinux/extlinux.conf” file via an “FDT” key/value pair naming the .dtb file, then no signing is needed.

If you use flash tools to put the tree in a partition, then you must sign it. Normal flashing procedure takes any content put into any partition other than “APP” (the rootfs) and signs before installing. Then the signed copy is deleted from the host PC. You can however tell flash to not actually flash, but to only sign, and then the signed file won’t be deleted. You could then use a tool such as dd to install this into the partition if the partition is large enough. However, unless you are shipping to customers, then you are far better off just using the FDT entry in extlinux.conf.

How have you installed this device tree?

Also, probably nobody can help without a serial console boot log. Such logs provide boot logs even before the Linux kernel loads and can show things like device tree errors. This would need to be a custom tree if not using the dev kit carrier board. For logging, see:
http://www.jetsonhacks.com/2017/03/24/serial-console-nvidia-jetson-tx2/

JerryChang · July 14, 2021, 2:39am

hello ajellisuk,

that’s correct.

there’re two ways for loading dtb binary, (1) kernel-dtb partition, (2) FDT entry via file system.
only the binary for approach (1) need to be signed/encrypted.

you’re able to perform flash.sh, and including the -k options to have partition update.
for example, $ sudo ./flash.sh -r -k kernel-dtb jetson-tx2 mmcblk0p1
btw,
by adding the –no-flash options to command-line above,
you’re able to generate the sign/encrypt file locally, for example, $ sudo ./flash.sh --no-flash -r -k kernel-dtb jetson-tx2 mmcblk0p1

ajellisuk · July 14, 2021, 8:35am

Hello @JerryChang & @linuxdev

Thank you for you replies. They are very helpful and answer my question.

I’m still having problems with my custom device tree; I’ll post a question about that on another thread to avoid going off topic.

Kind regards

Andrew

system · September 19, 2021, 6:54am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Changing Device Tree with Signing (Nvidia Jetpack 4.3.1) Jetson AGX Xavier device-tree	19	1713	October 18, 2021
Modifying Jetson TX2 Device Tree without having to flash TX2 Jetson TX2	5	2398	October 18, 2021
How do I flash an image along with a custom DTB with flash.sh? Jetson TX2 device-tree	8	1007	October 18, 2021
Device tree Jetson TX2 kernel	2	554	August 30, 2023
Device tree modification does not work Jetson TX2 device-tree	2	571	April 11, 2023
Jetpack 4.4 - 32.4.3: How to switch between DTB files from extlinux.conf file Jetson TX2 device-tree	3	566	October 18, 2021
Device tree compilation Jetson Nano	6	1408	October 18, 2021
It is possible to replace device trees over wifi? Jetson Nano device-tree	4	594	October 15, 2021
Disable HDMI Jetson TX2	5	1376	October 18, 2021
When using the flash script to flash the device tree in Jetson Linux version 32.6.1, I receive the following error: Jetson Xavier NX reflash , device-tree	28	598	November 8, 2023

Signing device trees

Related topics