madisongh / digsigserver
Signing server
License: MIT License
I managed to set up the Docker container and connected to it successfully as described in the readme. However, the signing did not complete; I get the following error.
Type ? or help for help and q or quit to exit
Use ! to execute system commands
[ 0.0021 ] Using default ramcode: 0
[ 0.0021 ] Disable BPMP dtb trim, using default dtb
[ 0.0021 ]
[ 0.0045 ] tegrasign --getmode mode.txt --key /tmp/tmpgwvkoq82/rsa_priv.pem
[ 0.0057 ] PKC key in Open SSL format
[ 0.0059 ] Key size is 256 bytes
[ 0.0068 ]
[ 0.0069 ] Generating RCM messages
[ 0.0090 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 0 --download rcm nvtboot_recovery.bin 0 0
[ 0.0097 ] RCM 0 is saved as rcm_0.rcm
[ 0.0101 ] RCM 1 is saved as rcm_1.rcm
[ 0.0103 ] List of rcm files are saved in rcm_list.xml
[ 0.0103 ]
[ 0.0103 ] Signing RCM messages
[ 0.0121 ] tegrasign --key /tmp/tmpgwvkoq82/rsa_priv.pem --list rcm_list.xml --pubkeyhash pub_key.key
[ 0.0127 ] PKC key in Open SSL format
[ 0.0129 ] Key size is 256 bytes
[ 0.0129 ] Saving public key in pub_key.key
[ 0.0842 ] Saving public key Hash as binary: pub_key.hash
[ 0.0842 ] Saving public key Hash as big-endian text: pub_key.hash_txt
[ 0.0842 ] Saving public key Hash as little-endian(sysfs) text: pub_key.hash_sysfs_txt
[ 0.0842 ]
[ 0.0842 ] Copying signature to RCM mesages
[ 0.0867 ] tegrarcm --chip 0x21 0 --updatesig rcm_list_signed.xml --pubkeyhash pub_key.key
[ 0.0893 ]
[ 0.0893 ] Parsing partition layout
[ 0.0912 ] tegraparser --pt flash.xml.tmp
[ 0.0923 ]
[ 0.0923 ] Creating list of images to be signed
[ 0.0942 ] tegrahost --chip 0x21 0 --partitionlayout flash.xml.bin --list images_list.xml
[ 0.0949 ] File TBCFILE open failed
[ 0.0951 ] Stat for TBCFILE failed
[ 0.0951 ]
Error: Return value 4
Command tegrahost --chip 0x21 0 --partitionlayout flash.xml.bin --list images_list.xml
2023-06-22 04:01:25,108-722-DEBUG-stderr: cp: cannot stat 'signed/*': No such file or directory
Any help will be greatly appreciated.
Thanks,
We've just done some work for a customer on using a YubiHSM 2 token for i.MX code signing using digsigserver. The customer is keen to upstream this, so I can submit a PR if you would be interested in seeing this. Although this was specifically for the YubiHSM 2, this just means that the docker image contains the YubiHSM support, but the actual signing bits use pkcs11 and are therefore generally applicable to any HSM that supports pkcs11. Please let me know if you're interested.
Hi @madisongh
I'm testing the test-distro build for the zeus-mender-l4t-r32.3.1 branch on a Jetson TX2 (Jetson-tx2-cboot). When trying to perform tegra flash custom bup signature, I got an error only for FAB=D01:
[2020-04-19 18:40:23 +0100] [31913] [DEBUG] Setting: FAB=D01
[2020-04-19 18:40:23 +0100] [31913] [INFO] Running: ['tegra186-flash-helper', '--bup', '-u', '/tmp/tmp3o3qkpsa/rsa_priv.pem', '-v', '/tmp/tmp3o3qkpsa/sbk.txt', 'flash.xml.in', 'tegra186-quill-p3310-1000-c03-00-base.dtb', 'jetson-tx2-cboot.cfg', '0x1090000', 'tegra-minimal-initramfs-jetson-tx2-cboot.cboot']
[2020-04-19 18:40:30 +0100] [31913] [ERROR] Exception occurred while handling uri: 'http://127.0.0.1:9999/sign/tegra'
NoneType: None
[2020-04-19 18:40:30 +0100] - (sanic.access)[INFO][127.0.0.1:46848]: POST http://127.0.0.1:9999/sign/tegra 503 23
[2020-04-19 18:40:30 +0100] [31913] [WARNING] signing error, stdout: PKC+SBK - signing and encryption...
The server first receives the manifest, then proceeds to the signature process:
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: DTBFILE=tegra186-quill-p3310-1000-c03-00-base.dtb
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: ODMDATA=0x1090000
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: LNXFILE=tegra-minimal-initramfs-jetson-tx2-cboot.cboot
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: BOARDID=3310
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: FAB=C04
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: fuselevel=fuselevel_production
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: localbootfile=tegra-minimal-initramfs-jetson-tx2-cboot.cboot
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: CHIPREV=0
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: BOARDSKU=
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: BOARDREV=
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: BUPGENSPECS=fab=B00 fab=B02 fab=C04 fab=D00 fab=D01
I'm using BSP L4T R32.3.1 for Jetson TX2, and I followed all the steps mentioned in README.md.
I store the keys needed for the tegra flash signature.
Attached is a file that contains logs from digsigserver.
tegra_custom_sign_bup_failed.log
Any help would be appreciated. Please let me know if you need some more information in order to proceed.
Best regards
Ilies
TL;DR;
There appears to be an error, but everything seems to work OK.
See this forum post for context.
An error will be shown in digsigserver's logs although the generation of flash.idx is the last step in the signing functions within tegraflash_internal.py. No error codes are captured and returned so digsigserver is going to return success - 200. The resulting packaging will be missing flash.idx, but I'm not sure what it is used for. As I was chasing issues with getting signing completely working with L4T 35.4.1 tooling I thought this was the source of one of my issues so I crafted a 'fix' in this branch to the tegraXXX-flash-helper scripts. Turns out that doesn't really fix anything other than addressing the superficial error in the logs.
Worth fixing? Ignore? I think it's worth fixing so that this error doesn't lead to future chasing of red herrings.
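A minimal check for the failure mode described in the post above, added here as an example and not taken from digsigserver or the flash-helper scripts: a helper that logs an error but still exits 0 is reported as success unless the caller also verifies the expected artifacts. The function name `run_signing_step`, the stand-in helper, the `signed/` layout and the file `boot.img.signed` are assumptions constructed for illustration.

```python
import subprocess
import sys
import tempfile
from pathlib import Path


def run_signing_step(cmd, workdir, expected_outputs):
    """Run a helper and decide the HTTP status a signing endpoint should return.

    Returns (status, problems). A zero exit code alone is not trusted: every
    name in expected_outputs must exist under workdir and be non-empty.
    """
    proc = subprocess.run(cmd, cwd=workdir, capture_output=True, text=True)
    problems = []
    if proc.returncode != 0:
        problems.append(f"exit code {proc.returncode}")
    for name in expected_outputs:
        path = Path(workdir) / name
        if not path.is_file() or path.stat().st_size == 0:
            problems.append(f"missing output: {name}")
    return (200 if not problems else 500), problems


def demo():
    # Constructed stand-in for a helper whose last step fails while the
    # process still exits 0 (hypothetical; not the real flash helper).
    helper = (
        "import pathlib, sys\n"
        "pathlib.Path('signed').mkdir()\n"
        "pathlib.Path('signed/boot.img.signed').write_text('sig')\n"
        "print('ERR: could not generate flash.idx', file=sys.stderr)\n"
        "sys.exit(0)\n"
    )
    cmd = [sys.executable, "-c", helper]
    with tempfile.TemporaryDirectory() as d:
        # Exit-code-only view: looks like success.
        naive = subprocess.run(cmd, cwd=d, capture_output=True).returncode
    with tempfile.TemporaryDirectory() as d:
        # Exit code plus artifact manifest: the missing file is caught.
        checked = run_signing_step(
            cmd, d, ["signed/boot.img.signed", "signed/flash.idx"]
        )
    return naive, checked


if __name__ == "__main__":
    print(demo())
```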
If you are supporting Jetson TX2 or Jetson AGX Xavier devices that use both PKC signing and SBK encryption of bootloader files, you will also need to apply a patch from meta-tegra:
$ P=/path/to/meta-tegra/recipes-bsp/tegra-binaries/files
$ cd /opt/nvidia/L4T-32.2.3-tegra186/Linux_for_Tegra
$ sudo patch -p1 < $P/0002-Update-l4t_bup_gen.func-to-handle-signed-encrypted-b.patch
Hi, in master branch of meta-tegra, the tegraxxx-flashtools-native was upgraded to python3 (https://github.com/OE4T/meta-tegra/blob/master/recipes-bsp/tegra-binaries/tegra-flashtools-native_35.1.0.bb#L9-L11). But digsigserver tegrasign is still using python2.
Please update digsigserver to python3 also?
Just leaving an idea here for future improvements. To prevent the Dockerfile from becoming unwieldy as new L4T versions are released we could do something generally along the lines of the following:
Past the signing issue, last error I believe
digsigserver in debug output
[2020-10-06 14:01:57 -0400] [22555] [INFO] Goin' Fast @ http://0.0.0.0:9999
[2020-10-06 14:01:57 -0400] [22558] [INFO] Starting worker [22558]
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: DTBFILE=tegra186-quill-p3310-1000-c03-00-base.dtb
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: ODMDATA=0x1090000
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: LNXFILE=boot.img
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: BOARDID=3310
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: FAB=C04
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: fuselevel=fuselevel_production
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: localbootfile=boot.img
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: boardcfg=
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: CHIPREV=0
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: BOARDSKU=
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: BOARDREV=
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: BUPGENSPECS=fab=B00 fab=B02 fab=C04 fab=D00 fab=D01
[2020-10-06 14:02:21 -0400] [22558] [DEBUG] Setting: FAB=B00
[2020-10-06 14:02:21 -0400] [22558] [INFO] Running: ['tegra186-flash-helper', '--bup', '-u', '/tmp/tmpbbotn6a8/rsa_priv.pem', '-v', '/tmp/tmpbbotn6a8/sbk.txt', 'flash.xml.in', 'tegra186-quill-p3310-1000-c03-00-base.dtb', 'jetson-xavier-nx-devkit-sb.cfg', '0x1090000', 'boot.img']
[2020-10-06 14:02:21 -0400] [22558] [WARNING] signing error, stdout:
stderr: ERR: flash variable set not defined
[2020-10-06 14:02:21 -0400] - (sanic.access)[INFO][127.0.0.1:42768]: POST http://127.0.0.1:9999/sign/tegra 500 13
and logfile of error
cat /home/dingo/tegra-test-distro/build/tmp/work/jetson_xavier_nx_devkit_sb-oe4t-linux/kernel-bup-payload/1.0-r0/temp/log.do_deploy.22863
DEBUG: Executing python function sstate_task_prefunc
DEBUG: Python function sstate_task_prefunc finished
DEBUG: Executing python function extend_recipe_sysroot
NOTE: Direct dependencies are ['/home/dingo/tegra-test-distro/layers/meta-tegra/recipes-bsp/tegra-binaries/tegra186-flashtools-native_32.4.3.bb:do_populate_sysroot', 'virtual:native:/home/dingo/tegra-test-distro/layers/meta/recipes-core/coreutils/coreutils_8.32.bb:do_populate_sysroot', '/home/dingo/tegra-test-distro/layers/meta-tegra/recipes-bsp/tegra-binaries/tegra-bootfiles_32.4.3.bb:do_populate_sysroot', 'virtual:native:/home/dingo/tegra-test-distro/layers/meta/recipes-kernel/dtc/dtc_1.6.0.bb:do_populate_sysroot', '/home/dingo/tegra-test-distro/layers/meta-tegra/recipes-bsp/tegra-binaries/tegra-redundant-boot-base_32.4.3.bb:do_populate_sysroot']
NOTE: Installed into sysroot: []
NOTE: Skipping as already exists in sysroot: ['tegra186-flashtools-native', 'coreutils-native', 'tegra-bootfiles', 'dtc-native', 'tegra-redundant-boot-base', 'quilt-native', 'tegra-helper-scripts-native', 'autoconf-native', 'gnu-config-native', 'attr-native', 'automake-native', 'xz-native', 'libtool-native', 'texinfo-dummy-native', 'gettext-minimal-native', 'gcc-cross-aarch64', 'gcc-runtime', 'patch-native', 'python3-native', 'pseudo-native', 'glibc', 'custom-flash-layout', 'mender-custom-flash-layout', 'tegra-flashvars', 'bootfiles', 'pkgconfig-native', 'flex-native', 'tegra-binaries-patches', 'kern-tools-native', 'qemuwrapper-cross', 'bc-native', 'update-rc.d-native', 'cpio-native', 'rpm-native', 'openssl-native', 'kern-tools-tegra-native', 'binutils-cross-aarch64', 'mklibs-native', 'createrepo-c-native', 'opkg-utils-native', 'prelink-native', 'libgcc', 'dnf-native', 'kmod-native', 'pigz-native', 'linux-tegra', 'cross-localedef-native', 'depmodwrapper-cross', 'opkg-native', 'perl-native', 'ldconfig-native', 'makedevs-native', 'bison-native', 'keystore', 'arm-trusted-firmware', 'm4-native', 'libmpc-native', 'zlib-native', 'linux-libc-headers', 'gmp-native', 'mpfr-native', 'libtirpc-native', 'ncurses-native', 'readline-native', 'sqlite3-native', 'util-linux-native', 'libffi-native', 'libnsl2-native', 'gdbm-native', 'bzip2-native', 'shared-mime-info-native', 'shadow-native', 'qemu-native', 'systemd-systemctl-native', 'popt-native', 'db-native', 'elfutils-native', 'file-native', 'curl-native', 'libxml2-native', 'ninja-native', 'cmake-native', 'expat-native', 'glib-2.0-native', 'binutils-native', 'python3-iniparse-native', 'librepo-native', 'libcomps-native', 'libdnf-native', 'gtk-doc-native', 'debianutils-native', 'libsolv-native', 'libarchive-native', 'libcap-ng-native', 'libpcre2-native', 'meson-native', 'xmlto-native', 'itstool-native', 're2c-native', 'libpcre-native', 'gettext-native', 'python3-six-native', 'gpgme-native', 'libcheck-native', 'libmodulemd-native', 
'gobject-introspection-native', 'json-c-native', 'swig-native', 'e2fsprogs-native', 'lzo-native', 'python3-setuptools-native', 'docbook-xsl-stylesheets-native', 'docbook-xml-dtd4-native', 'libxslt-native', 'libassuan-native', 'libgpg-error-native', 'libyaml-native', 'unzip-native']
DEBUG: Python function extend_recipe_sysroot finished
DEBUG: Executing shell function do_deploy
1+0 records in
1+0 records out
4096 bytes (4.1 kB, 4.0 KiB) copied, 5.3751e-05 s, 76.2 MB/s
WARNING: exit code 22 from a shell command.
ERROR: Execution of '/home/dingo/tegra-test-distro/build/tmp/work/jetson_xavier_nx_devkit_sb-oe4t-linux/kernel-bup-payload/1.0-r0/temp/run.do_deploy.22863' failed with exit code 22:
1+0 records in
1+0 records out
4096 bytes (4.1 kB, 4.0 KiB) copied, 5.3751e-05 s, 76.2 MB/s
WARNING: exit code 22 from a shell command.
OK, enlightenment needed: how are you generating? openssl?
${DIGSIGSERVER_KEYFILE_URI}/${machine}/kmodsign/kernel-signkey.priv
${DIGSIGSERVER_KEYFILE_URI}/${machine}/kmodsign/kernel-signkey.x509