Disabling GPU Debugger and Profiler for Security
Important: Points to consider before using GPU Debugger and
Profiler.
NVIDIA recommends disabling the GPU Debugger and Profiler support before deploying DRIVE OS or when the support is not required during development.
Note: The GPU Debugger and Profiler support is enabled by default in DRIVE OS to better development experience.- GPU Debugger and Profiler can examine and alter the state of all the applications running on the GPU, and attackers can exploit this capability.
- Potential security risks could occur when this support is enabled during the DRIVE OS deployment.
To disable GPU Debugger and Profiler:
- Identify the Guest OS DTB file getting flashed on the target.
- Back up the original DTB file, and convert it to the DTS format with this
command:
dtc -I dtb -O dts <DTB> -o edit.dts -
Edit edit.dts and set the
support-gpu-toolsdevice tree property in the GPU device node to0.- For more information, see
<top>/kernel/kernel-5.10/Documentation/devicetree/bindings/gpu/nvidia,gv11b.txt. - On NVIDIA Orin, the GPU device node name is
ga10b.
- For more information, see
- Save the edits and compile DTS back to DTB format with
command:
dtc -I dts -O dtb edit.dts -o <DTB> -
Bind and flash the target as usual.
The GPU Debugger and Profiler support is disabled now.
To enable GPU Debugger and Profiler:
- Back up the original DTB file, and convert it to the DTS format with this
command:
dtc -I dtb -O dts <DTB> -o edit.dts -
Edit edit.dts and set the
support-gpu-toolsdevice tree property in the GPU device node to1.- For more information, see
<top>/kernel/kernel-5.10/Documentation/devicetree/bindings/gpu/nvidia,gv11b.txt. - On NVIDIA Orin, the GPU device node name is
ga10b.
- For more information, see
- Save the edits and compile DTS back to DTB format with
command:
dtc -I dts -O dtb edit.dts -o <DTB> -
Bind and flash the target as usual.
The GPU Debugger and Profiler support is enabled now.