Is this page helpful?

Sign and Flash Secured Images#

The procedures described in this section use the following placeholders in their commands:

  • <pkc_keyfile> is a PKC key file (RSA 3K, ECDSA P-256, ECDSA P-521, or XMSS) used for Orin series.

  • <pkc_keylist> is a PKC key list XML file with active key ID used for Thor series. For more information, refer to Generate a PKC Key List for Jetson Thor.

  • <sbk_keyfile> is an SBK key file.

  • <target_config> is the name of the configuration for your Jetson device and carrier board; see the table in Jetson Modules and Configurations.

  • <rootdev> specifies the device on which the root file system is located, as described in Basic Flashing Script Usage.

Sign and Flash in One Step Using the l4t_initrd_flash.sh Script#

  1. Navigate to the directory where you installed Jetson Linux.

  2. Place the Jetson device into Recovery mode.

  3. Enter the following command:

    $ sudo ./l4t_initrd_flash.sh -u <pkc_keyfile or pkc_keylist> [-v <sbk_keyfile>] <target_config> <rootdev>

    Note

    If the -v command option is specified, the -u command option also must be specified.

    If the -v command option is omitted, all images flashed to the Jetson device are not encrypted.

    If the -u command option is omitted, all images flashed to the Jetson device are not signed.

Caution

Neither the PKC key file nor the SBK key file can be placed under the bootloader directory.

For example,

  • To flash a PKC-fused Jetson AGX Orin target:

    $ sudo ./l4t_initrd_flash.sh -u <pkc_keyfile> jetson-agx-orin-devkit internal

  • To flash an SBKPKC-fused Jetson AGX Orin target:

    $ sudo ./l4t_initrd_flash.sh -u <pkc_keyfile> -v <sbk_keyfile> jetson-agx-orin-devkit internal

  • To flash a PKC-fused Jetson AGX Thor target:

    $ sudo ./l4t_initrd_flash.sh -u <pkc_keylist> jetson-agx-thor-devkit internal

  • To flash an SBKPKC-fused Jetson AGX Thor target:

    $ sudo ./l4t_initrd_flash.sh -u <pkc_keylist> -v <sbk_keyfile> jetson-agx-thor-devkit internal

Sign and Flash in Separate Steps Using the l4t_initrd_flash.sh Script#

  1. Place the Jetson device into Force Recovery mode.

  2. To sign the image, run the following command:

    $ sudo ./l4t_initrd_flash.sh --no-flash -u <pkc_keyfile or pkc_keylist> [-v <sbk_keyfile>] <target_config> <rootdev>

  3. To flash the signed images, run the following command:

    $ sudo ./l4t_initrd_flash.sh --flash-only <target_config> <rootdev>

For example, to flash an SBKPKC-fused Jetson AGX Thor target using l4t_initrd_flash.sh:

  1. Sign the images:

    $ sudo ./l4t_initrd_flash.sh --no-flash -u pkc_keylist.xml -v sbk.key jetson-agx-thor-devkit internal

  2. Flash the signed images:

    $ sudo ./l4t_initrd_flash.sh --flash-only jetson-agx-thor-devkit internal

For more information about PKC key lists, refer to Generate a PKC Key List for Jetson Thor.

For more information about SBK keys, refer to Prepare an SBK key.