The mlxdpa tool allows the user to sign DPA applications, which are given to the tool as part of a Host ELF file. In addition, mlxdpa allows the user to add or remove certificates from the DPA device. This is done by creating certificate containers and signing them.
The tool generates the signatures using a provided private key PEM file.
Tool Requirements:
Supported operating systems: Linux
Supported platforms: x86-64, arm64
mlxdpa Synopsis
# mlxdpa --host_elf <ELF file> --cert_chain <certificate chain> --private_key <key .pem file> --output_file <output file path> sign_dpa_apps
Where:
|
-e|--host_elf |
Path to the Host ELF file containing DPA applications |
|
-c|--cert_chain |
Path to a certificate chain file to embed in the crypto data |
|
-p|--private_key |
Path to a private key PEM file for signature generation |
|
-o|--output_file |
Path to output signed Host ELF |
|
-h|--help |
Show help message |
|
-v|--version |
Show tool version |
|
--cert_chain_count <Hex number> |
Number of certificates in the provided certificate chain |
Creating a Certificate Container
Container for adding a certificate:
mlxdpa --cert_container_type add -c <.DER formatted certificate> -o <output path> --life_cycle_priority <Nvidia,OEM,User> create_cert_container
Container for removing a certificate:
mlxdpa --cert_container_type remove [--cert_uuid <uuid of the certificate for removal>] [--remove_all_certs] -o <output path> --life_cycle_priority <Nvidia,OEM,User> create_cert_container
Signing a Certificate Container
Container for adding a certificate:
mlxdpa --cert_container <container> -p <private key pem file> --keypair_uuid <uuid> --cert_uuid <uuid> --life_cycle_priority <Nvidia,OEM,User> -o <output path> sign_cert_container
Container for removing a certificate:
mlxdpa --cert_container <container> -p <private key pem file> --keypair_uuid <uuid> --life_cycle_priority <Nvidia,OEM,User> -o <output path> sign_cert_container
Where:
|
--cert_container |
Path to a certificate container to sign |
|
--cert_container_type <Add/Remove> |
Type of a certificate container to create |
|
-c|--certificate |
Path to a .DER formatted certificate |
|
--keypair_uuid |
Key-pair UUID of the private key used for signing |
|
--cert_uuid |
Time base UUID generated right before signing |
|
--remove_all_certs |
Remove all CA Certificates, provide with the sign_cert_remove command |
|
--life_cycle_priority <Nvidia, OEM, User> |
Life-cycle priority of a requested certificate container |
|
-o|--output_file |
Path to an output file |
|
-p|--private_key |
Path to a private key PEM file for signature generation |