NVIDIA Firmware Tools (MFT) Documentation v4.34.0
NVIDIA Docs Hub Homepage  NVIDIA Networking  Networking Software  Firmware Management  NVIDIA Firmware Tools (MFT) Documentation v4.34.0  mlxdpa – DPA Applications Sign Tool

mlxdpa – DPA Applications Sign Tool

The mlxdpa tool allows the user to sign DPA applications, which are given to the tool as part of a Host ELF file.

It also supports creation, signing, and removal of single applications.

In addition, mlxdpa allows the user to add or remove certificates from the DPA device — this is done by creating certificate containers and signing them.

The tool generates the signatures using a provided private key PEM file.

Tool Requirements:

  • Supported operating systems: Linux

  • Supported platforms: x86-64, arm64

mlxdpa Synopsis

Sign Host ELF using PEM file

Copy
Copied!
            

            
# mlxdpa --host_elf <ELF file> --cert_chain <certificate chain> --private_key <key .pem file> --output_file <output file path> sign_dpa_apps

Create upload container for single app

Copy
Copied!
            

            
mlxdpa -s /tmp/singleApp.elf --life_cycle_priority OEM  -m /tmp/appmetadata.yaml --manifest /tmp/manifest.bin -o /tmp/single_app.bin create_single_dpa_app

Sign upload container for single app using PEM file

Copy
Copied!
            

            
mlxdpa -s /tmp/single_app.bin -c /tmp/chain.cert -p /tmp/p_key.pem [--cert_chain_count 5] --life_cycle_priority OEM -o /tmp/signed_single_app.bin sign_single_dpa_app

Query manifest from single elf

Copy
Copied!
            

            
mlxdpa -s /tmp/singleApp.elf -o /tmp/manifest.bin query_manifest

Create Dpa app removal container

Copy
Copied!
            

            
mlxdpa --dpa_app_uuid 7c0ab0fc-082e-11ee-bd9d-e43d1a1f06ae -o /tmp/dpa_app_removal_container.bin --life_cycle_priority OEM create_dpa_app_removal

Sign Dpa app removal container

Copy
Copied!
            

            
mlxdpa --dpa_app_removal_container /tmp/dpa_app_removal_container.bin --keypair_uuid 3c8f46b2-159f-11ee-9ac4-e43d1a1f06ae -p /tmp/p_key.pem-o /tmp/signed_dpa_app_removal_container.bin --life_cycle_priority OEM sign_dpa_app_removal

Where:

-e|--host_elf

Path to the Host ELF file containing DPA applications

-c|--cert_chain

Path to a certificate chain file to embed in the crypto data

-p|--private_key

Path to a private key PEM file for signature generation

-o|--output_file

Path to output signed Host ELF

-h|--help

Show help message

-v|--version

Show tool version

--cert_chain_count <Hex number>

Number of certificates in the provided certificate chain

--dpa_app_removal_container <Path>

Path to a dpa app removal container to sign

--manifest <Manifest>

Path to the manifest file

-m|--app_metadata <App Metadata>

Path to the app metadata yaml file

-s|--single_app <Single App>

Path to the single app file

Creating a Certificate Container

Container for adding a certificate:

Copy
Copied!
            

            
mlxdpa --cert_container_type add -c <.DER formatted certificate> -o <output path> --life_cycle_priority <Nvidia,OEM,User> create_cert_container

Container for removing a certificate:

Copy
Copied!
            

            
mlxdpa --cert_container_type remove [--cert_uuid <uuid of the certificate for removal>] [--remove_all_certs] -o <output path> --life_cycle_priority <Nvidia,OEM,User> create_cert_container

Create a certificate upload container with the keep_sig flag

Copy
Copied!
            

            
mlxdpa --cert_container_type add -c /tmp/cert.der -o /tmp/cert_container.bin --life_cycle_priority OEM --keep_sig create_cert_container

Create certificate upload container with nvidia_signed_oem flag

Copy
Copied!
            

            
mlxdpa --cert_container_type add -c /tmp/cert.der -o /tmp/cert_container.bin --nvidia_signed_oem create_cert_container

Signing a Certificate Container

Container for adding a certificate:

Copy
Copied!
            

            
mlxdpa --cert_container <container> -p <private key pem file> --keypair_uuid <uuid> --cert_uuid <uuid> --life_cycle_priority <Nvidia,OEM,User> -o <output path> sign_cert_container

Container for removing a certificate:

Copy
Copied!
            

            
mlxdpa --cert_container <container> -p <private key pem file> --keypair_uuid <uuid> --life_cycle_priority <Nvidia,OEM,User> -o <output path> sign_cert_container

Where:

--cert_container

Path to a certificate container to sign

--cert_container_type <Add/Remove>

Type of a certificate container to create

-c|--certificate

Path to a .DER formatted certificate

--keypair_uuid

Key-pair UUID of the private key used for signing

--cert_uuid

Time base UUID generated right before signing

--remove_all_certs

Remove all CA Certificates, provide with the sign_cert_remove command

--life_cycle_priority <Nvidia, OEM, User>

Life-cycle priority of a requested certificate container

-o|--output_file

Path to an output file

-p|--private_key

Path to a private key PEM file for signature generation

--nvidia_signed_oem

NVIDIA signed OEM certificate

-k|--keep_sig

The whole certificate container will be kept
© Copyright 2025, NVIDIA. Last updated on Nov 20, 2025
content here