
digsigserver's People

Contributors

ichergui, lexmark-chad, linhdnguyen, madisongh, pboucherat-thegoodpenguin, texierp


digsigserver's Issues

Signing Error

@madisongh

I managed to set up the Docker container and connected to it successfully as described in the readme. However, the signing did not complete; I get the following error.

Type ? or help for help and q or quit to exit
Use ! to execute system commands

[ 0.0021 ] Using default ramcode: 0
[ 0.0021 ] Disable BPMP dtb trim, using default dtb
[ 0.0021 ]
[ 0.0045 ] tegrasign --getmode mode.txt --key /tmp/tmpgwvkoq82/rsa_priv.pem
[ 0.0057 ] PKC key in Open SSL format
[ 0.0059 ] Key size is 256 bytes
[ 0.0068 ]
[ 0.0069 ] Generating RCM messages
[ 0.0090 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 0 --download rcm nvtboot_recovery.bin 0 0
[ 0.0097 ] RCM 0 is saved as rcm_0.rcm
[ 0.0101 ] RCM 1 is saved as rcm_1.rcm
[ 0.0103 ] List of rcm files are saved in rcm_list.xml
[ 0.0103 ]
[ 0.0103 ] Signing RCM messages
[ 0.0121 ] tegrasign --key /tmp/tmpgwvkoq82/rsa_priv.pem --list rcm_list.xml --pubkeyhash pub_key.key
[ 0.0127 ] PKC key in Open SSL format
[ 0.0129 ] Key size is 256 bytes
[ 0.0129 ] Saving public key in pub_key.key
[ 0.0842 ] Saving public key Hash as binary: pub_key.hash
[ 0.0842 ] Saving public key Hash as big-endian text: pub_key.hash_txt
[ 0.0842 ] Saving public key Hash as little-endian(sysfs) text: pub_key.hash_sysfs_txt
[ 0.0842 ]
[ 0.0842 ] Copying signature to RCM mesages
[ 0.0867 ] tegrarcm --chip 0x21 0 --updatesig rcm_list_signed.xml --pubkeyhash pub_key.key
[ 0.0893 ]
[ 0.0893 ] Parsing partition layout
[ 0.0912 ] tegraparser --pt flash.xml.tmp
[ 0.0923 ]
[ 0.0923 ] Creating list of images to be signed
[ 0.0942 ] tegrahost --chip 0x21 0 --partitionlayout flash.xml.bin --list images_list.xml
[ 0.0949 ] File TBCFILE open failed
[ 0.0951 ] Stat for TBCFILE failed
[ 0.0951 ]
Error: Return value 4
Command tegrahost --chip 0x21 0 --partitionlayout flash.xml.bin --list images_list.xml

2023-06-22 04:01:25,108-722-DEBUG-stderr: cp: cannot stat 'signed/*': No such file or directory

Any help will be greatly appreciated.

Thanks,

Using HSM for i.MX signing

We've just done some work for a customer on using a YubiHSM 2 token for i.MX code signing using digsigserver. The customer is keen to upstream this, so I can submit a PR if you would be interested in seeing this. Although this was specifically for the YubiHSM 2, this just means that the docker image contains the YubiHSM support, but the actual signing bits use pkcs11 and are therefore generally applicable to any HSM that supports pkcs11. Please let me know if you're interested.

Tegra custom sign bup failed

Hi @madisongh

I'm testing the test-distro build for the zeus-mender-l4t-r32.3.1 branch on a Jetson TX2 (Jetson-tx2-cboot). When trying to perform tegra flash custom bup signature, I got an error only for FAB=D01:

[2020-04-19 18:40:23 +0100] [31913] [DEBUG] Setting: FAB=D01
[2020-04-19 18:40:23 +0100] [31913] [INFO] Running: ['tegra186-flash-helper', '--bup', '-u', '/tmp/tmp3o3qkpsa/rsa_priv.pem', '-v', '/tmp/tmp3o3qkpsa/sbk.txt', 'flash.xml.in', 'tegra186-quill-p3310-1000-c03-00-base.dtb', 'jetson-tx2-cboot.cfg', '0x1090000', 'tegra-minimal-initramfs-jetson-tx2-cboot.cboot']
[2020-04-19 18:40:30 +0100] [31913] [ERROR] Exception occurred while handling uri: 'http://127.0.0.1:9999/sign/tegra'
NoneType: None
[2020-04-19 18:40:30 +0100] - (sanic.access)[INFO][127.0.0.1:46848]: POST http://127.0.0.1:9999/sign/tegra  503 23
[2020-04-19 18:40:30 +0100] [31913] [WARNING] signing error, stdout: PKC+SBK - signing and encryption...

The server first receives the manifest, then proceeds to the signing process:

[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: DTBFILE=tegra186-quill-p3310-1000-c03-00-base.dtb
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: ODMDATA=0x1090000
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: LNXFILE=tegra-minimal-initramfs-jetson-tx2-cboot.cboot
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: BOARDID=3310
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: FAB=C04
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: fuselevel=fuselevel_production
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: localbootfile=tegra-minimal-initramfs-jetson-tx2-cboot.cboot
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: CHIPREV=0
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: BOARDSKU=
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: BOARDREV=
[2020-04-19 18:37:31 +0100] [31913] [INFO] manifest line: BUPGENSPECS=fab=B00 fab=B02 fab=C04 fab=D00 fab=D01

I'm using BSP L4T R32.3.1 for Jetson TX2; I followed all the steps mentioned in README.md.

I store the keys needed for the tegra flash signature.

Attached is a file that contains logs from digsigserver.
tegra_custom_sign_bup_failed.log

Any help would be appreciated. Please let me know if you need some more information in order to proceed.

Best regards
Ilies

L4T 35.4.1 tegraparser_v2 returns error on zero length DATAFILE

TL;DR:

There appears to be an error, but everything seems to work OK.

See this forum post for context.

An error will be shown in digsigserver's logs although the generation of flash.idx is the last step in the signing functions within tegraflash_internal.py. No error codes are captured and returned so digsigserver is going to return success - 200. The resulting packaging will be missing flash.idx, but I'm not sure what it is used for. As I was chasing issues with getting signing completely working with L4T 35.4.1 tooling I thought this was the source of one of my issues so I crafted a 'fix' in this branch to the tegraXXX-flash-helper scripts. Turns out that doesn't really fix anything other than addressing the superficial error in the logs.

Worth fixing? Ignore? I think it's worth fixing so that this error doesn't lead to future chasing of red herrings.
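One way to make the helper-script layer fail closed on the situation described above, as an added example that is not digsigserver's or NVIDIA's code: the wrapper refuses to report success when the helper exits non-zero or leaves an expected artifact missing or empty, so a silently absent flash.idx cannot surface to the client as a 200. EXPECTED_ARTIFACTS and fake_helper are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not digsigserver's or NVIDIA's code): fail-closed wrapper
# around a signing helper. Artifact list and fake_helper are constructed.
set -eu

# Artifacts the caller requires after a successful run. flash.idx is the one
# reported above as going missing without any error reaching the client.
EXPECTED_ARTIFACTS="flash.xml flash.idx"

# run_signing_helper OUTDIR CMD [ARGS...]
# Runs CMD inside OUTDIR. Returns 0 only if CMD exited 0 AND every expected
# artifact exists with non-zero size; otherwise says why on stderr and
# returns 1, which the server should map to an error status, never 200.
run_signing_helper() {
    outdir=$1; shift
    ( cd "$outdir" && "$@" ) && rc=0 || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "signing helper failed (exit $rc)" >&2
        return 1
    fi
    missing=""
    for f in $EXPECTED_ARTIFACTS; do
        [ -s "$outdir/$f" ] || missing="$missing $f"
    done
    if [ -n "$missing" ]; then
        echo "helper exited 0 but artifacts missing or empty:$missing" >&2
        return 1
    fi
    return 0
}

# fake_helper WRITE_IDX EXIT_CODE
# Constructed stand-in for a tegraXXX-flash-helper run: writes flash.xml,
# writes flash.idx only if WRITE_IDX is "yes", then exits with EXIT_CODE.
fake_helper() {
    printf 'layout' > flash.xml
    if [ "$1" = yes ]; then printf 'index' > flash.idx; fi
    return "$2"
}
```

Run with a real helper by substituting it for fake_helper; the exit-status check catches cases like the "Return value 4" in the first issue, and the artifact check catches the silent one described here.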

Xavier NX Devkit .... is the following required?

If you are supporting Jetson TX2 or Jetson AGX Xavier devices that use both PKC signing and SBK encryption of bootloader files, you will also need to apply a patch from meta-tegra:

$ P=/path/to/meta-tegra/recipes-bsp/tegra-binaries/files
$ cd /opt/nvidia/L4T-32.2.3-tegra186/Linux_for_Tegra
$ sudo patch -p1 < $P/0002-Update-l4t_bup_gen.func-to-handle-signed-encrypted-b.patch

Convert to using docker multi-stage builds

Just leaving an idea here for future improvements. To prevent the Dockerfile from becoming unwieldy as new L4T versions are released we could do something generally along the lines of the following:

  • split out the L4T specifics and patching requirements into their own respective Dockerfiles
  • create a script that is parameterized to build the desired L4T version specific Dockerfiles
  • have the script dynamically create and build a Dockerfile using multi-stage builds to copy in the required L4T releases

stderr: ERR: flash variable set not defined - kernel-bup-payload

Past the signing issue, last error I believe.
digsigserver in debug output
[2020-10-06 14:01:57 -0400] [22555] [INFO] Goin' Fast @ http://0.0.0.0:9999
[2020-10-06 14:01:57 -0400] [22558] [INFO] Starting worker [22558]
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: DTBFILE=tegra186-quill-p3310-1000-c03-00-base.dtb
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: ODMDATA=0x1090000
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: LNXFILE=boot.img
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: BOARDID=3310
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: FAB=C04
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: fuselevel=fuselevel_production
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: localbootfile=boot.img
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: boardcfg=
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: CHIPREV=0
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: BOARDSKU=
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: BOARDREV=
[2020-10-06 14:02:21 -0400] [22558] [INFO] manifest line: BUPGENSPECS=fab=B00 fab=B02 fab=C04 fab=D00 fab=D01
[2020-10-06 14:02:21 -0400] [22558] [DEBUG] Setting: FAB=B00
[2020-10-06 14:02:21 -0400] [22558] [INFO] Running: ['tegra186-flash-helper', '--bup', '-u', '/tmp/tmpbbotn6a8/rsa_priv.pem', '-v', '/tmp/tmpbbotn6a8/sbk.txt', 'flash.xml.in', 'tegra186-quill-p3310-1000-c03-00-base.dtb', 'jetson-xavier-nx-devkit-sb.cfg', '0x1090000', 'boot.img']
[2020-10-06 14:02:21 -0400] [22558] [WARNING] signing error, stdout:
stderr: ERR: flash variable set not defined

[2020-10-06 14:02:21 -0400] - (sanic.access)[INFO][127.0.0.1:42768]: POST http://127.0.0.1:9999/sign/tegra 500 13

and logfile of error

cat /home/dingo/tegra-test-distro/build/tmp/work/jetson_xavier_nx_devkit_sb-oe4t-linux/kernel-bup-payload/1.0-r0/temp/log.do_deploy.22863
DEBUG: Executing python function sstate_task_prefunc
DEBUG: Python function sstate_task_prefunc finished
DEBUG: Executing python function extend_recipe_sysroot
NOTE: Direct dependencies are ['/home/dingo/tegra-test-distro/layers/meta-tegra/recipes-bsp/tegra-binaries/tegra186-flashtools-native_32.4.3.bb:do_populate_sysroot', 'virtual:native:/home/dingo/tegra-test-distro/layers/meta/recipes-core/coreutils/coreutils_8.32.bb:do_populate_sysroot', '/home/dingo/tegra-test-distro/layers/meta-tegra/recipes-bsp/tegra-binaries/tegra-bootfiles_32.4.3.bb:do_populate_sysroot', 'virtual:native:/home/dingo/tegra-test-distro/layers/meta/recipes-kernel/dtc/dtc_1.6.0.bb:do_populate_sysroot', '/home/dingo/tegra-test-distro/layers/meta-tegra/recipes-bsp/tegra-binaries/tegra-redundant-boot-base_32.4.3.bb:do_populate_sysroot']
NOTE: Installed into sysroot: []
DEBUG: Python function extend_recipe_sysroot finished
DEBUG: Executing shell function do_deploy
1+0 records in
1+0 records out
4096 bytes (4.1 kB, 4.0 KiB) copied, 5.3751e-05 s, 76.2 MB/s
WARNING: exit code 22 from a shell command.
ERROR: Execution of '/home/dingo/tegra-test-distro/build/tmp/work/jetson_xavier_nx_devkit_sb-oe4t-linux/kernel-bup-payload/1.0-r0/temp/run.do_deploy.22863' failed with exit code 22:
1+0 records in
1+0 records out
4096 bytes (4.1 kB, 4.0 KiB) copied, 5.3751e-05 s, 76.2 MB/s
WARNING: exit code 22 from a shell command.

generation of kernel signing keys

OK, enlightenment needed: how are you generating them? openssl?
${DIGSIGSERVER_KEYFILE_URI}/${machine}/kmodsign/kernel-signkey.priv
${DIGSIGSERVER_KEYFILE_URI}/${machine}/kmodsign/kernel-signkey.x509
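One way to produce a key pair in the layout named above, as an added example and not digsigserver's documented procedure: an RSA private key plus a self-signed certificate, with the certificate stored in DER to match the kernel build's signing_key.x509 convention. Key size, validity, subject and the verify step are assumptions.

```shell
#!/bin/sh
# Added example, not digsigserver's documented procedure: create a
# kernel-module signing key pair under <keyroot>/<machine>/kmodsign/.
# Key size, validity period and subject are assumptions.
set -eu

# gen_kmod_signkey KEYROOT MACHINE
# Writes kernel-signkey.priv (PEM private key, mode 0600) and
# kernel-signkey.x509 (DER certificate, as in the kernel build's
# signing_key.x509 convention).
gen_kmod_signkey() {
    dir="$1/$2/kmodsign"
    mkdir -p "$dir"
    chmod 700 "$dir"   # lock the directory down before the key exists
    openssl req -new -x509 -nodes -newkey rsa:4096 -sha256 -days 3650 \
        -subj "/CN=kmodsign-$2" \
        -keyout "$dir/kernel-signkey.priv" -out "$dir/kernel-signkey.pem" \
        2>/dev/null
    chmod 600 "$dir/kernel-signkey.priv"
    openssl x509 -in "$dir/kernel-signkey.pem" -outform DER \
        -out "$dir/kernel-signkey.x509"
    rm -f "$dir/kernel-signkey.pem"
}

# verify_kmod_signkey KEYROOT MACHINE
# Succeeds only if the certificate's public key matches the private key,
# so a mismatched or swapped pair is caught before it reaches the server.
verify_kmod_signkey() {
    dir="$1/$2/kmodsign"
    priv_pub=$(openssl pkey -in "$dir/kernel-signkey.priv" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$dir/kernel-signkey.x509" -inform DER \
        -pubkey -noout 2>/dev/null)
    [ -n "$priv_pub" ] && [ "$priv_pub" = "$cert_pub" ]
}
```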
