mstdpa
Date: 2025-11-09
The mstdpa tool allows the user to sign DPA applications, which are given to the tool as part of a Host ELF file.
It also supports the creation, signing, and removal of single applications.
In addition, mlxdpa allows the user to add or remove certificates from the DPA device — this is done by creating certificate containers and signing them.
The tool generates the signatures using a provided private key PEM file.
Tool Requirements:
Supported operating systems: Linux
Supported platforms: x86-64, arm64
mlxdpa Synopsis
Sign Host ELF using PEM file
mstdpa --host_elf <ELF file> --cert_chain <certificate chain> --private_key <key .pem file> --output_file <output file path> sign_dpa_apps
Create an upload container for a single app
mstdpa -s <single ELF> --life_cycle_priority <Nvidia,OEM,User> -m <appmetadata yaml file> --manifest <manifest bin file> -o <output file path> create_single_dpa_app
Sign upload container for a single app using a PEM file
mstdpa -s <elf generated in step 2> -c <certificate file> -p <key .pem file> --cert_chain_count <certificate chain> --life_cycle_priority <Nvidia,OEM,User> -o <output file path> sign_single_dpa_app
Query manifest from a single ELF
mstdpa -s <dpa app> -o <output file path> query_manifest
Create DPA app removal container
mstdpa --dpa_app_uuid <dpa app uuid> -o <output file path> --life_cycle_priority <Nvidia,OEM,User> create_dpa_app_removal
Sign DPA app removal container
mstdpa --dpa_app_removal_container <dpa app removal container> --keypair_uuid <keypair uuid> -p <key .pem file> -o <output file path> --life_cycle_priority <Nvidia,OEM,User> sign_dpa_app_removal
Where:
-e|--host_elf
Path to the Host ELF file containing DPA applications
-c|--cert_chain
Path to a certificate chain file to embed in the crypto data
-p|--private_key
Path to a private key PEM file for signature generation
-o|--output_file
Path to output signed Host/single ELF
-h|--help
Show help message
-v|--version
Show tool version
--cert_chain_count <Hex number>
Number of certificates in the provided certificate chain
--dpa_app_removal_container <Path>
Path to a DPA app removal container to sign
--manifest <Manifest>
Path to the manifest file
-m|--app_metadata <App Metadata>
Path to the app metadata YAML file
-s|--single_app <Single App>
Path to the single app file
Creating a Certificate Container
Container for adding a certificate
mstdpa --cert_container_type add -c <.DER formatted certificate> -o <output path> --life_cycle_priority <Nvidia,OEM,User> create_cert_container
Container for removing a certificate
mstdpa --cert_container_type remove [--cert_uuid <uuid of the certificate for removal>] [--remove_all_certs] -o <output path> --life_cycle_priority <Nvidia,OEM,User> create_cert_container
Create a certificate upload container with the keep_sig flag
mstdpa --cert_container_type add -c <.DER formatted certificate> -o <output path> --life_cycle_priority <Nvidia,OEM,User> --keep_sig create_cert_container
Create a certificate upload container with the nvidia_signed_oem flag
mstdpa --cert_container_type add -c <.DER formatted certificate> -o <output path> --nvidia_signed_oem create_cert_container
Signing a Certificate Container
Container for adding a certificate
mstdpa --cert_container <container> -p <private key pem file> --keypair_uuid <uuid> --cert_uuid <uuid> --life_cycle_priority <Nvidia,OEM,User> -o <output path> sign_cert_container
Container for removing a certificate
mstdpa --cert_container <container> -p <private key pem file> --keypair_uuid <uuid> --life_cycle_priority <Nvidia,OEM,User> -o <output path> sign_cert_container
Where:
--cert_container
Path to a certificate container to sign
--cert_container_type <Add/Remove>
Type of a certificate container to create
-c|--certificate
Path to a .DER formatted certificate
--keypair_uuid
Key-pair UUID of the private key used for signing
--cert_uuid
Time-based UUID generated right before signing
--remove_all_certs
Remove all CA Certificates, provide with the sign_cert_remove command
--life_cycle_priority <Nvidia,OEM,User>
Life-cycle priority of a requested certificate container
-o|--output_file
Path to an output file
-p|--private_key
Path to a private key PEM file for signature generation
--nvidia_signed_oem
NVIDIA signed an OEM certificate
-k|--keep_sig
The whole certificate container will be kept
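A pre-flight wrapper for the "Signing a Certificate Container" step (add case), added here as an example and not part of the mstdpa tool or its documentation: it checks that --cert_uuid is a version-1 (time-based) UUID and that --life_cycle_priority is one of the listed values, then prints the sign_cert_container command for review. The function names, file names and sample UUIDs are assumptions constructed for illustration; whether mstdpa itself rejects a non-time-based UUID is not stated on this page.

```shell
#!/bin/sh
# Added example: pre-flight checks before sign_cert_container ("add" case).
# Function names and sample values are hypothetical; flags are from this page.

# Succeeds if $1 is a canonical 8-4-4-4-12 hex UUID.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq \
        '^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}$'
}

# Succeeds if $1 is a version-1 (time-based) UUID. The version nibble is the
# first hex digit of the third group, i.e. character 15 (RFC 4122).
is_time_based_uuid() {
    is_uuid "$1" || return 1
    [ "$(printf '%s' "$1" | cut -c15)" = "1" ]
}

# Succeeds if $1 is one of the life-cycle priorities listed on this page.
is_priority() {
    case "$1" in Nvidia|OEM|User) return 0 ;; *) return 1 ;; esac
}

# Validates the arguments and prints the signing command (dry run, for review).
# Args: container key.pem keypair_uuid cert_uuid priority output
# Paths are assumed to contain no whitespace, since the command is only printed.
sign_add_cmd() {
    [ "$#" -eq 6 ] || { echo "sign_add_cmd: expected 6 arguments" >&2; return 2; }
    is_uuid "$3" || { echo "malformed --keypair_uuid: $3" >&2; return 1; }
    is_time_based_uuid "$4" || { echo "--cert_uuid is not time-based: $4" >&2; return 1; }
    is_priority "$5" || { echo "unknown --life_cycle_priority: $5" >&2; return 1; }
    printf 'mstdpa --cert_container %s -p %s --keypair_uuid %s --cert_uuid %s --life_cycle_priority %s -o %s sign_cert_container\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# Constructed sample values. In practice the cert UUID would be generated right
# before signing, for example with `uuidgen -t` from util-linux.
sign_add_cmd add.bin key.pem 0f1e2d3c-4b5a-4978-8695-a4b3c2d1e0f9 \
    6ba7b810-9dad-11d1-80b4-00c04fd430c8 OEM add.signed.bin
```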