Why are my kernel dtb sig files invalid?

I’m attempting to experiment with custom device trees for our Jetson AGX on our custom carrier board. For the sake of this post, our device tree binary file will be named “tim.dtb”. I’m using the FDT “force device tree” option in our /boot/extlinux/extlinux.conf:

DEFAULT primary
MENU TITLE L4T boot options
LABEL primary
      MENU LABEL primary kernel
      LINUX /boot/Image
      FDT /boot/tim.dtb
      INITRD /boot/initrd
      APPEND ${cbootargs} quiet root=/dev/mmcblk0p1 rw rootwait rootfstype=ext4 console=ttyTCU0,115200n8 console=tty0 fbcon=map:0 net.ifnames=0 rootfstype=ext4

I’ve created a signature file for our device tree binary file as follows:

./l4t_sign_image.sh --file ../tim.dtb --type kernel_dtb --chip 0x19

That succeeds and creates a signature file called tim.dtb.sig. I copy both tim.dtb and tim.dtb.sig onto our Jetson’s eMMC filesystem, in the /boot directory. Then I reboot the Jetson.

Here is what I see when the Jetson reboots:

[0013.640] I> Encryption fuse is not ON
[0013.671] I> Loading kernel-dtb ...
[0013.671] I> Loading kernel-dtb binary from rootfs ...
[0013.671] I> rootfs path: /sdmmc_user/boot/tim.dtb
[0013.702] I> Loading kernel-dtb sig file from rootfs ...
[0013.702] I> rootfs path: /sdmmc_user/boot/tim.dtb.sig
[0013.739] I> Validate kernel-dtb ...
[0013.739] I> T19x: Authenticate kernel-dtb (bin_type: 38), max size 0x400000
[0013.743] E> digest on binary did not match!!
[0013.743] C> OEM authentication of kernel-dtb payload failed!
[0013.743] W> Failed to validate kernel-dtb binary from rootfs (err=1077936152, fail=0)

This seems to indicate a problem with my tim.dtb.sig file. But what? As far as I can tell, I’ve created it the right way. I’ve seen a few other posts with similar error messages, and the answer seems to be to use flash.sh with the -r -k kernel-dtb option. (That works for me, btw.) But I would really like to understand what I’m doing wrong with creating the .sig manually.

Thanks in advance.
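
A triage helper for the cboot log quoted above, added here as an example (it is not part of the original post and not NVIDIA tooling): it pairs each failed rootfs validation with the binary and signature paths cboot actually loaded, so the files named in the log can be compared against what was signed. The function name `triage` and the reading of the level letters `E` and `C` as error and critical are assumptions.

```python
import re

# Sample input: the cboot UART lines quoted in the post above.
SAMPLE_LOG = """\
[0013.671] I> Loading kernel-dtb ...
[0013.671] I> Loading kernel-dtb binary from rootfs ...
[0013.671] I> rootfs path: /sdmmc_user/boot/tim.dtb
[0013.702] I> Loading kernel-dtb sig file from rootfs ...
[0013.702] I> rootfs path: /sdmmc_user/boot/tim.dtb.sig
[0013.739] I> Validate kernel-dtb ...
[0013.739] I> T19x: Authenticate kernel-dtb (bin_type: 38), max size 0x400000
[0013.743] E> digest on binary did not match!!
[0013.743] C> OEM authentication of kernel-dtb payload failed!
[0013.743] W> Failed to validate kernel-dtb binary from rootfs (err=1077936152, fail=0)
"""

LINE = re.compile(r"^\[(\d+\.\d+)\]\s+([A-Z])>\s+(.*)$")
LOADING = re.compile(r"^Loading (\S+) (binary|sig file) from rootfs")
PATH = re.compile(r"^rootfs path: (\S+)")
FAILED = re.compile(r"^Failed to validate (\S+) binary from rootfs \(err=(\d+)")


def triage(log_text):
    """Return one record per payload whose rootfs validation failed."""
    paths, pending, reasons, findings = {}, None, [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, level, msg = m.groups()
        if (hit := LOADING.match(msg)):
            pending = (hit.group(1), hit.group(2))  # path arrives on the next line
        elif (hit := PATH.match(msg)) and pending:
            paths[pending] = hit.group(1)
            pending = None
        elif level in ("E", "C"):  # assumption: E = error, C = critical
            reasons.append(msg)    # keep as context for the failure that follows
        elif (hit := FAILED.match(msg)):
            name, err = hit.group(1), int(hit.group(2))
            findings.append({
                "payload": name, "time": float(stamp), "err_hex": hex(err),
                "binary": paths.get((name, "binary")),
                "sig": paths.get((name, "sig file")),
                "reasons": reasons,
            })
            reasons = []
    return findings
```
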

There is no update from you for a period, assuming this is not an issue any more.
Hence we are closing this topic. If you need further support, please open a new one.
Thanks

Hi,

Do you mean if you don’t add FDT in extlinux.conf but let cboot load signed dtb from partition, then it has no problem?