
Secure Boot Support

Matt Madison edited this page Oct 27, 2019 · 7 revisions

Signing images and bootloader update payloads is currently a work in progress on the wip-secure-boot-tegra186 branch.

Image signing is supported for Jetson-TX2 and Jetson AGX Xavier platforms. Full testing with a secured device has only been done on Jetson-TX2. Support is for L4T R32.2.1 and later.

Setting fuses for secure boot

To enable secure boot on your device, follow the instructions in the L4T BSP documentation and the README included in the L4T Secure Boot package. Note that the odmfuse.sh script has a bug that causes fusing to fail on Jetson-TX2 devices; see issue #193 for an explanation and patch.

Enabling image and BUP signing

If you have the signing and (optional) encryption key files available, you can add the following setting to your local.conf to create signed images and BUP packages:

TEGRA_SIGNING_ARGS = "-u /path/to/signing-key.pem -v /path/to/encryption-key"

The additional arguments will be passed through to the flash-helper script and all files will be signed (and boot files will be encrypted, if the -v option is provided) during the build. The doflash.sh script in the resulting tegraflash ZIP package will flash the signed files to the devices. This is similar to the flashcmd.txt script you would get if you used the L4T flash.sh script with the --no-flash option as mentioned in the NVIDIA secure boot documentation.

Manual signing

If you prefer not to have the signing occur during your build, you can manually add the necessary arguments to your invocation of doflash.sh after unpacking the tegraflash ZIP file. For example:

$ ./doflash.sh -u /path/to/signing-key.pem -v /path/to/encryption-key

Note that this approach will not work for BUP packages; if you use the redundant boot feature, signing must be done during the build.

Using a code signing server

If you prefer not to have your signing/encryption keys local to your development host, you can override the tegraflash_custom_sign_pkg and tegraflash_custom_sign_bup functions in image_types_tegra.bbclass to package up the files in the current working directory, send them to be signed, then unpack the results back into the current directory. Everything needed to perform the signing, except for the keys, will be present in the package sent to the server, so as long as the server is running Ubuntu 18.04, no additional tools should need to be installed.
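
One way to structure the round trip described above, as an added example (not code from meta-tegra or this wiki): a POSIX shell helper that the overridden functions could call from the directory holding the files to sign. The names `remote_sign_cwd`, `sign_transport` and the `SIGN_*` variables are hypothetical, and the HTTPS service behind `SIGN_URL` is an assumed interface that accepts a gzipped tarball and returns the signed tarball.

```shell
#!/bin/sh
# Added example: round trip to a signing server so keys never reach the build host.
# sign_transport, remote_sign_cwd and SIGN_* are hypothetical names, not meta-tegra's.

# Assumed server interface: POST the unsigned tarball ($1), receive the signed
# tarball ($2). Mutual TLS, so the server only signs for known build hosts.
sign_transport() {
    curl --fail --silent --show-error \
         --cacert "${SIGN_CA:?}" \
         --cert "${SIGN_CLIENT_CERT:?}" --key "${SIGN_CLIENT_KEY:?}" \
         --data-binary "@$1" --output "$2" \
         "${SIGN_URL:?set SIGN_URL to your signing service}"
}

# Package the current directory, send it for signing, unpack the result in place.
# Fails closed: on any error nothing from the server is extracted.
remote_sign_cwd() {
    work=$(mktemp -d) || return 1

    # Everything needed for signing (except the keys) is in the current directory.
    if ! tar -C . -czf "$work/unsigned.tar.gz" .; then
        rm -rf "$work"; return 1
    fi

    if ! sign_transport "$work/unsigned.tar.gz" "$work/signed.tar.gz"; then
        echo "signing request failed; leaving files unsigned" >&2
        rm -rf "$work"; return 1
    fi

    # Refuse a returned archive whose listing has absolute paths or ".."
    # components, so a bad response cannot write outside this directory.
    if tar -tzf "$work/signed.tar.gz" | grep -Eq '(^/|(^|/)\.\.(/|$))'; then
        echo "unsafe path in signed archive; refusing to unpack" >&2
        rm -rf "$work"; return 1
    fi

    if ! tar -xzf "$work/signed.tar.gz" -C .; then
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
}
```

The overrides of tegraflash_custom_sign_pkg and tegraflash_custom_sign_bup would each call the helper and let a non-zero return fail the task.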
