Jetson/L4T BSP development tips

Preparation
First, please download BSP package from internet. It's preferred to download BSP package, instead of Jetpack.

Go to https://developer.nvidia.com/embedded/linux-tegra.

The following packages are necessary:

L4T Driver Package (BSP)

Sample Root Filesystem

Source code for kernel and other components:

L4T Driver Package (BSP) Sources

Toolchain for kernel building:

GCC 7.3.1 for 64 bit BSP and Kernel

Secure package if secure-boot is necessary:

Jetson Platform Fuse Burning and Secure Boot Documentation and Tools

Refer to https://docs.nvidia.com/jetson/l4t/index.html#page/Tegra%2520Linux%2520Driver%2520Package%2520Development%2520Guide%2Fquick_start.html

Then the device can be flashed by command line. With this method, user can have more controls for the BSP configuration, like pinmux, kernel/kernel DTB customization, etc.

How to find out the actual pinmux configuration file
Refer to https://docs.nvidia.com/jetson/l4t/index.html#page/Tegra%2520Linux%2520Driver%2520Package%2520Development%2520Guide%2Fmb1_platform_config_xavier.html%23wwpID0E0240HA

There are several types of Jetson reference boards which are supported in SDK.

Check the configuration file
For example, when the flash command is run:

sudo ./flash.sh jetson-xavier mmcblk0p1

Check the configuration file: jetson-xavier.conf → p2822-0000+p2888-0004.conf → PINMUX_CONFIG="tegra19x-mb1-pinmux-p2888-0000-a04-p2822-0000-b01.cfg";

(Note: the value of PINMUX_CONFIG may be overwritten. So the later one should take effect.)

Or check the flash log
Run following command:

sudo ./flash.sh -r --no-flash jetson-xavier mmcblk0p1

And check the log:

 ...

copying pinmux_config(/home/Work/jetson_customer/32.4.3/Linux_for_Tegra/bootloader/t186ref/BCT/tegra19x-mb1-pinmux-p2888-0000-a04-p2822-0000-b01.cfg)... done.

...

How to update pinmux
There are several ways to customize the device PINMUX. The simple way is to generate PINMUX configuration through pre-defined excel. Another way is to edit the PINMUX configuration file directly, but that may need more knowledge about PINMUX setting for the chip.

Edit the excel and generate the Configuration
Refer to https://docs.nvidia.com/jetson/l4t/index.html#page/Tegra%2520Linux%2520Driver%2520Package%2520Development%2520Guide%2Fadaptation_and_bringup_xavier_nx.html%23wwpID0E0WL0HA

Search 'Pinmux Changes'

Also, another good reference: https://elinux.org/Jetson/AGX_Xavier_Update_Pinmux

Still, please make sure the PINMUX configuration file name is correct.

Edit the pinmux configuration file
That's the direct and simple way, assumed the developer is familiar with PINMUX setting.

Download technical reference manual from https://developer.nvidia.com/embedded/downloads#?search=TRM for different platforms. And those documents contain detailed information.

Edit the prod configuration
L4T document shows another way to override the PINMUX:

https://docs.nvidia.com/jetson/l4t/index.html#page/Tegra%2520Linux%2520Driver%2520Package%2520Development%2520Guide%2Fmb1_platform_config_xavier.html%23wwpID0E0A40HA

Same command as 2.1.1.2, and check the prod configuration in following log:

 ...

copying prod_config(/home/Work/jetson_customer/32.4.3/Linux_for_Tegra/bootloader/t186ref/BCT/tegra19x-mb1-prod-p2888-0000-p2822-0000.cfg)... done.

...

Follow the guide in above link.

How to update device PINMUX
After the pinmux configuration files are changed, re-flash the device:

sudo ./flash.sh jetson-xavier mmcblk0p1       #flash the whole device

or

sudo ./flash.sh -k MB1_BCT jetson-xavier mmcblk0p1     #only flash the MB1_BCT

How to verify the new PINUX configuration works
User can read the PINMUX registers to confirm the new configuration works.

For example,

In PINMUX configuration file, there's an entry:  pinmux.0x0c302030 = 0x00000540; # gen2_i2c_scl_pcc7: i2c2, tristate-disable, input-enable, io_high_voltage-disable, lpdr-enable

And in prod configuration file, another entry:  prod.0x0c302030.0x0000100 = 0x00000000; #gen2_i2c_scl_pcc7: LPDR disable

Run a physical memory access tool, like devmem2 in Jetson device:  root@nvidia-desktop:/home/nvidia# devmem2 0x0c302030 /dev/mem opened. Memory mapped at address 0x7f84359000. Value at address 0xC302030 (0x7f84359030): 0x440

BSP 32.x
There are several resources in internet introducing how to build Jetson Linux kernel from source. But it seems that the NV-provided nvbuild.sh never works in my side. Here's the script I'm using for kernel building:  set -e export KERNEL_SRC_DIR=${HOME}/Work/jetson_sdk/32.4.3/source/Linux_for_Tegra/source/public/kernel-source/kernel/kernel-4.9 export CROSS_COMPILE=${HOME}/Tools/kernel-toolchain/gcc-linaro-7.3.1-2018.05-x86_64_aarch64-linux-gnu/bin/aarch64-linux-gnu- export TEGRA_KERNEL_OUT=${HOME}/Work/jetson_sdk/32.4.3/source/Linux_for_Tegra/source/public/kernel-build export ARCH=arm64 make -C $KERNEL_SRC_DIR ARCH=arm64 LOCALVERSION="-tegra" O=$TEGRA_KERNEL_OUT tegra_defconfig make -C $KERNEL_SRC_DIR ARCH=arm64 LOCALVERSION="-tegra" O=$TEGRA_KERNEL_OUT -j8 make -C $KERNEL_SRC_DIR ARCH=arm64 INSTALL_MOD_PATH=$TEGRA_KERNEL_OUT/modules_install INSTALL_MOD_STRIP=1 O=$TEGRA_KERNEL_OUT modules_install -j8 Note the parameter 'INSTALL_MOD_STRIP=1' should be added, otherwise the built module will be quite large. For example, nvgpu.ko size will increase from 2.6MB to 89MB.
 * 1) !/bin/bash

BSP 35.3.1
Patch for module building/strip:  diff -ur kernel-source.orig/nvbuild.sh kernel-source/nvbuild.sh --- kernel-source.orig/nvbuild.sh	2023-03-19 22:54:08.000000000 +0800 +++ kernel-source/nvbuild.sh	2023-05-15 15:00:10.819086980 +0800 @@ -108,6 +108,13 @@ 		"${O_OPT[@]}" -j"${NPROC}" \ --output-sync=target modules +	"${MAKE_BIN}" -C "${source_dir}" ARCH=arm64 \ +		LOCALVERSION="-tegra" \ +		CROSS_COMPILE="${CROSS_COMPILE_AARCH64}" \ +		"${O_OPT[@]}" -j"${NPROC}" \ +		INSTALL_MOD_PATH=${KERNEL_OUT_DIR}/modules_install INSTALL_MOD_STRIP=1 \ +		modules_install + 	image="${tegra_kernel_out}/arch/arm64/boot/Image" if [ ! -f "${image}" ]; then echo "Error: Missing kernel image ${image}" Build script:  building-pc:~/Work/jetson_sdk/35.3.1/sources/Linux_for_Tegra/source/public$ cat kernel-build.sh

export CROSS_COMPILE_AARCH64_PATH=${HOME}/Work/jetson_sdk/34.1/toolchain cd kernel-source ./nvbuild.sh -o ${HOME}/Work/jetson_sdk/35.3.1/sources/Linux_for_Tegra/source/public/kernel-source/../kernel-built/ Tool-chain refers to https://docs.nvidia.com/jetson/archives/r35.3.1/DeveloperGuide/text/SD/Kernel/KernelCustomization.html#building-the-kernel

(https://developer.nvidia.com/embedded/jetson-linux/bootlin-toolchain-gcc-93)

Ramdisk customization
The original ram-disk image can be copied from device (/boot/initrd) or host SDK directory (Linux_for_Tegra/bootloader/l4t_initrd.img).

1. Extract the initrd by following command: zcat xxx/initrd | cpio -idmv 2. Change all files in this directory owner as root: sudo chown root.root * -R 3. Make some private changes. (For example, to add some special echo message in init script.) 4. Repack the initrd : find. | cpio -o -H newc | gzip > ../initrd.debug 5. Replace the file /boot/initrd with generated file initrd.debug in above step. 6. Reboot the device, and check the kernel log to confirm the new initrd works.

In addition, the initrd can also be built-in to kernel image.

1. Extract the initrd by following command: zcat xxx/initrd | cpio -idmv 2. Change all files in this directory owner as root: sudo chown root.root * -R 3. Make some private changes. (For example, to add some special echo message in init script.) 4. Repack the initrd: find. | cpio -o -H newc > ../initrd.debug.cpio 5. Edit the kernel config, and add the following line:  CONFIG_BLK_DEV_INITRD=y CONFIG_INITRAMFS_SOURCE="/home/temp/initr.debug.cpio" 6. Re-build the kernel, replace the kernel image in device. 7. Comment out the default INITRD in /boot/extlinux/extlinux.conf  ...   LINUX /boot/Image #INITRD /boot/initrd ...   8. Reboot the device, and the kernel should use the built-in initrd.

OVERLAY FS support in Jetson L4T
L4T BSP is using EXT4 file-system as root-FS in eMMC or SDCARD. For EXT4 file-system, there's high risk of file-system corruption if the device does not shut down correctly, like sudden power loss. 'overlayfs' may help to avoid such file-system corruption, especially in embedded products.

Introduction of overlayfs
(Abstracted from https://en.wikipedia.org/wiki/OverlayFS) In computing, OverlayFS is a union mount filesystem implementation for Linux. It combines multiple different underlying mount points into one, resulting in single directory structure that contains underlying files and sub-directories from all sources. Common applications overlay a read/write partition over a read-only partition, such as with LiveCDs and IoT devices with limited flash memory write cycles.

(Abstracted from kernel/kernel-4.9/Documentation/filesystems/overlayfs.txt) An overlay filesystem combines two filesystems - an 'upper' filesystem and a 'lower' filesystem. When a name exists in both filesystems, the

object in the 'upper' filesystem is visible while the object in the

'lower' filesystem is either hidden or, in the case of directories,

merged with the 'upper' object.

...

The lower filesystem can be any filesystem supported by Linux and does

not need to be writable. The lower filesystem can even be another

overlayfs. The upper filesystem will normally be writable and if it

is it must support the creation of trusted.* extended attributes, and

must provide valid d_type in readdir responses, so NFS is not suitable.

General usage:

mount -t overlay overlay -olowerdir=/lower,upperdir=/upper,\

workdir=/work /merged

(Abstracted from https://unix.stackexchange.com/questions/324515/linux-filesystem-overlay-what-is-workdir-used-for-overlayfs) The workdir option is required, and used to prepare files before they are switched to the overlay destination in an atomic action (the workdir needs to be on the same filesystem as the upperdir).

Kernel update
By default, overlayfs is built by module in kernel configuration. And it should be changed as built-in in kernel. Rebuild the kernel, and boot the device with new kernel.

initrd update
(A good reference: http://wiki.psuter.ch/doku.php?id=solve_raspbian_sd_card_corruption_issues_with_read-only_mounted_root_partition) Edit the script 'init' in initrd. This is the patch for ram-FS overlayfs:

Update the device to boot with new initrd. After the kernel's up, the mount information will look like:

(Refer to https://elinux.org/Jetson/L4T_BSP_development_tips#Ramdisk_customization for how to customize initrd in L4T SDK.) Now, every change in root-FS will be in ram-FS, and after the device reboots, all changes will be lost. In addition, a lot of memory will also be consumed if big files added/changed.

Also, non-volatile media, like USB-Disk can also be used as overlayfs, which can reserve the changes in root-FS. Here's the init script patch, which use sda1 (USB-Disk) as overlayfs:

With this script, after the kernel's up, the mount information is similar. But the root-FS changes will lie in mounted USB-Disk. So it will not be lost after reboot. After sda1 is mounted:

The content in /media/sda/upper will look like:

All changes in root-FS will still be there. Note the USB-Disk read/write throughput may have impact on system performance. In addition, if the device suddenly shutdown/power-off, the file-system in USB-Disk may, with some probabilities, be corrupted. Anyway, the content in EMMC root-FS should be good, and that makes it possible to scan/fix the file-system error or even format the USB-disk.

Signing and Encrypting Kernel, Kernel-DTB, Initrd, and extlinux.conf Files
Basic instructions are in (https://docs.nvidia.com/jetson/archives/l4t-archived/l4t-3261/index.html#page/Tegra%20Linux%20Driver%20Package%20Development%20Guide/bootloader_secure_boot.html#wwpID0ESHA)

Device preparation
Fuse the device with PKC+SBK+KEK0/1/2. Sample

Download source package from 32.7.1 BSP
wget https://developer.nvidia.com/embedded/l4t/r32_release_v7.1/sources/t186/public_sources.tbz2

Extract the trusty_src.tbz2 in source package, and enter directory
.../trusty/app/nvidia-sample/hwkey-agent/CA_sample/tool/gen_ekb

Run following command, with correct paramters
NOTE: the fixed vector (FV) should match the one in trusty/app/nvidia-sample/hwkey-agent/key_mgnt.c

With following command:

Keys format and content:

Flash the device
user_key.txt content:

Verify the log
Trusty OS should print following log through debug UART:

CBoot should authenticate and decrypt the payload by following logs:

In root-FS, extlinux.conf is encrypted.

Debug tips
Following error log means the EKB content is not correct.

Tips: * KEK2 in fuse blob and EKB generation should match. * user_key in flash command and EKB generation should match. * FV in EKB generation and TOS app should match.