The mlxdpa tool allows the user to sign DPA applications, which are given to the tool as part of a Host ELF file.
It also supports creation, signing, and removal of single applications.
In addition, mlxdpa allows the user to add or remove certificates from the DPA device — this is done by creating certificate containers and signing them.
The tool generates the signatures using a provided private key PEM file.
Tool Requirements:
- Supported operating systems: Linux
- Supported platforms: x86-64, arm64
mlxdpa Synopsis
Sign Host ELF using PEM file
# mlxdpa --host_elf <ELF file> --cert_chain <certificate chain> --private_key <key .pem file> --output_file <output file path> sign_dpa_apps
Create upload container for single app
mlxdpa -s /tmp/singleApp.elf --life_cycle_priority OEM -m /tmp/appmetadata.yaml --manifest /tmp/manifest.bin -o /tmp/single_app.bin create_single_dpa_app
Sign upload container for single app using PEM file
mlxdpa -s /tmp/single_app.bin -c /tmp/chain.cert -p /tmp/p_key.pem [--cert_chain_count 5] --life_cycle_priority OEM -o /tmp/signed_single_app.bin sign_single_dpa_app
Query manifest from single elf
mlxdpa -s /tmp/singleApp.elf -o /tmp/manifest.bin query_manifest
Create DPA app removal container
mlxdpa --dpa_app_uuid 7c0ab0fc-082e-11ee-bd9d-e43d1a1f06ae -o /tmp/dpa_app_removal_container.bin --life_cycle_priority OEM create_dpa_app_removal
Sign DPA app removal container
mlxdpa --dpa_app_removal_container /tmp/dpa_app_removal_container.bin --keypair_uuid 3c8f46b2-159f-11ee-9ac4-e43d1a1f06ae -p /tmp/p_key.pem -o /tmp/signed_dpa_app_removal_container.bin --life_cycle_priority OEM sign_dpa_app_removal
Where:
-e|--host_elf                          Path to the Host ELF file containing DPA applications
-c|--cert_chain                        Path to a certificate chain file to embed in the crypto data
-p|--private_key                       Path to a private key PEM file for signature generation
-o|--output_file                       Path to output signed Host ELF
-h|--help                              Show help message
-v|--version                           Show tool version
--cert_chain_count <Hex number>        Number of certificates in the provided certificate chain
--dpa_app_removal_container <Path>     Path to a DPA app removal container to sign
--manifest <Manifest>                  Path to the manifest file
-m|--app_metadata <App Metadata>       Path to the app metadata YAML file
-s|--single_app <Single App>           Path to the single app file
Creating a Certificate Container
Container for adding a certificate:
mlxdpa --cert_container_type add -c <.DER formatted certificate> -o <output path> --life_cycle_priority <Nvidia,OEM,User> create_cert_container
Container for removing a certificate:
mlxdpa --cert_container_type remove [--cert_uuid <uuid of the certificate for removal>] [--remove_all_certs] -o <output path> --life_cycle_priority <Nvidia,OEM,User> create_cert_container
Create a certificate upload container with the keep_sig flag
mlxdpa --cert_container_type add -c /tmp/cert.der -o /tmp/cert_container.bin --life_cycle_priority OEM --keep_sig create_cert_container
Create certificate upload container with nvidia_signed_oem flag
mlxdpa --cert_container_type add -c /tmp/cert.der -o /tmp/cert_container.bin --nvidia_signed_oem create_cert_container
Signing a Certificate Container
Container for adding a certificate:
mlxdpa --cert_container <container> -p <private key pem file> --keypair_uuid <uuid> --cert_uuid <uuid> --life_cycle_priority <Nvidia,OEM,User> -o <output path> sign_cert_container
Container for removing a certificate:
mlxdpa --cert_container <container> -p <private key pem file> --keypair_uuid <uuid> --life_cycle_priority <Nvidia,OEM,User> -o <output path> sign_cert_container
Where:
--cert_container                             Path to a certificate container to sign
--cert_container_type <Add/Remove>           Type of a certificate container to create
-c|--certificate                             Path to a .DER formatted certificate
--keypair_uuid                               Key-pair UUID of the private key used for signing
--cert_uuid                                  Time-based UUID generated right before signing
--remove_all_certs                           Remove all CA Certificates, provide with the sign_cert_remove command
--life_cycle_priority <Nvidia, OEM, User>    Life-cycle priority of a requested certificate container
-o|--output_file                             Path to an output file
-p|--private_key                             Path to a private key PEM file for signature generation
--nvidia_signed_oem                          NVIDIA signed OEM certificate
-k|--keep_sig                                The whole certificate container will be kept
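The two sign_cert_container forms above differ only in --cert_uuid, which is passed when signing an add container and omitted for a remove container. The following Python helper is an added example, not part of the mlxdpa documentation or tool: it validates the inputs and builds the argument list for either form, generating the time-based UUID immediately before signing. The function name build_sign_cert_argv and the sample paths are assumptions made for illustration.

```python
import re
import uuid

# Values this page lists for --life_cycle_priority.
PRIORITIES = {"Nvidia", "OEM", "User"}
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def build_sign_cert_argv(kind, container, key_pem, keypair_uuid, priority, output):
    """Return (argv, cert_uuid) for `mlxdpa ... sign_cert_container`.

    kind is "add" or "remove"; cert_uuid is None for a remove container.
    Hypothetical helper: it only assembles the flags shown on this page.
    """
    if kind not in ("add", "remove"):
        raise ValueError("kind must be 'add' or 'remove'")
    if priority not in PRIORITIES:
        raise ValueError(f"life-cycle priority must be one of {sorted(PRIORITIES)}")
    if not UUID_RE.match(keypair_uuid):
        raise ValueError("keypair_uuid is not a well-formed UUID")

    argv = ["mlxdpa", "--cert_container", container, "-p", key_pem,
            "--keypair_uuid", keypair_uuid]
    cert_uuid = None
    if kind == "add":
        # Time-based (version 1) UUID, generated right before signing.
        cert_uuid = str(uuid.uuid1())
        argv += ["--cert_uuid", cert_uuid]
    argv += ["--life_cycle_priority", priority, "-o", output,
             "sign_cert_container"]
    # cert_uuid is returned so the caller can record it; creating a
    # remove container takes a --cert_uuid for the certificate to remove.
    return argv, cert_uuid


if __name__ == "__main__":
    # Constructed sample values; the paths are placeholders.
    argv, cert_uuid = build_sign_cert_argv(
        "add", "/tmp/cert_container.bin", "/tmp/p_key.pem",
        "3c8f46b2-159f-11ee-9ac4-e43d1a1f06ae", "OEM",
        "/tmp/signed_cert_container.bin")
    # To execute, pass the list to subprocess.run(argv, check=True) so
    # that paths are never interpreted by a shell.
    print(" ".join(argv))
```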