Signing device trees

Hello

I am working on a device tree for my own hardware, and although the device tree compiles without error, the kernel boot fails. I’m not seeing an error from the kernel boot log, so it’s making it very hard to debug this.

One of my colleagues asked if a device tree needs to be signed before it can be used on a Jetson system.

So my questions are, does a device tree need to be signed before it can be used? And how do I sign it?

Thanks in advance

Andrew

There are two ways to install a device tree, and only one requires signing.

If you name a device tree in the “/boot/extlinux/extlinux.conf” file via an “FDT” key/value pair naming the .dtb file, then no signing is needed.

If you use flash tools to put the tree in a partition, then you must sign it. Normal flashing procedure takes any content put into any partition other than “APP” (the rootfs) and signs before installing. Then the signed copy is deleted from the host PC. You can however tell flash to not actually flash, but to only sign, and then the signed file won’t be deleted. You could then use a tool such as dd to install this into the partition if the partition is large enough. However, unless you are shipping to customers, then you are far better off just using the FDT entry in extlinux.conf.

How have you installed this device tree?

Also, probably nobody can help without a serial console boot log. Such logs provide boot logs even before the Linux kernel loads and can show things like device tree errors. This would need to be a custom tree if not using the dev kit carrier board. For logging, see:
http://www.jetsonhacks.com/2017/03/24/serial-console-nvidia-jetson-tx2/


Hello ajellisuk,

That’s correct.

There are two ways of loading the dtb binary: (1) the kernel-dtb partition, (2) an FDT entry via the file system.
Only the binary for approach (1) needs to be signed/encrypted.


You’re able to run flash.sh, including the -k option, to have the partition updated.
For example, $ sudo ./flash.sh -r -k kernel-dtb jetson-tx2 mmcblk0p1
BTW,
by adding the --no-flash option to the command line above,
you’re able to generate the signed/encrypted file locally, for example, $ sudo ./flash.sh --no-flash -r -k kernel-dtb jetson-tx2 mmcblk0p1
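
An added example, not part of the original posts and not NVIDIA's code: a shell function that reads an extlinux.conf and reports whether a boot entry names its device tree with an FDT key, which is the file-system case the replies above say needs no signing. The label names, the /boot/custom.dtb path and the sample file are constructed; treating an entry without an FDT key as using the signed kernel-dtb partition copy is an assumption drawn from this thread.

```shell
#!/bin/sh
# Report where the device tree for an extlinux.conf boot entry comes from.
#   file:<path>   -> the entry has an FDT key; the .dtb is read from the
#                    file system and, per the thread, is not signed
#   partition     -> no FDT key; assumed here to mean the signed copy in
#                    the kernel-dtb partition is used
#   unknown-label -> the requested (or DEFAULT) label is not in the file
# Usage: dtb_source <extlinux.conf> [label]   (label defaults to DEFAULT)
dtb_source() {
    awk -v want="$2" '
        { key = toupper($1) }                        # keys are case-insensitive
        key == "DEFAULT" && want == "" { want = $2 } # fall back to DEFAULT entry
        key == "LABEL" { label = $2; seen[label] = 1 }
        key == "FDT" && label != "" { fdt[label] = $2 }
        END {
            if (want == "" || !(want in seen)) { print "unknown-label"; exit 2 }
            if (want in fdt) print "file:" fdt[want]
            else print "partition"
        }
    ' "$1"
}

# Constructed sample input (not taken from a real device).
sample=$(mktemp)
cat > "$sample" <<'EOF'
TIMEOUT 30
DEFAULT custom

LABEL primary
      MENU LABEL primary kernel
      LINUX /boot/Image
      INITRD /boot/initrd
      APPEND ${cbootargs}

LABEL custom
      MENU LABEL custom device tree
      LINUX /boot/Image
      FDT /boot/custom.dtb
      INITRD /boot/initrd
      APPEND ${cbootargs}
EOF

dtb_source "$sample"            # DEFAULT entry ("custom")
dtb_source "$sample" primary    # entry without an FDT key
```

On a device, point the function at /boot/extlinux/extlinux.conf; an unexpected `file:` result on a shipped unit means the booted tree is whatever .dtb sits at that path on the rootfs.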

Hello @JerryChang & @linuxdev

Thank you for your replies. They are very helpful and answer my question.

I’m still having problems with my custom device tree; I’ll post a question about that on another thread to avoid going off topic.

Kind regards

Andrew
