Skip to content

Security Analysis: install_jtop_thor.sh

Script Source

  • Original: NVIDIA Forums community contribution
  • URL: https://cdck-file-uploads-global.s3.dualstack.us-west-2.amazonaws.com/nvidia/original/4X/1/2/4/124bf1b0b70a4c548c6d165cb60bca8a7148ddb0.txt
  • Context: Community workaround for jtop on Jetson Thor (not official NVIDIA)

What the Script Does

1. System Package Installation

apt-get update -y
apt-get install -y python3.12-venv git

Risk: LOW - Standard system packages from Ubuntu repos

2. Creates Root-Owned Directory

mkdir -p /opt/jtop
python3 -m venv /opt/jtop/venv

Risk: LOW - Standard location for system-wide Python tools

3. Clones GitHub Repository

git clone --depth=1 "https://github.com/rbonghi/jetson_stats.git"

Risk: MEDIUM - Clones third-party repo - Repo: rbonghi/jetson_stats (well-known Jetson monitoring tool) - GitHub stars: 2.1k+ (popular project) - Last updated: Active development - Maintainer: Raffaello Bonghi (NVIDIA community member)

4. Applies Local Patches

sed -i '/# -------- JP6 --------/a\    "38.2.1": "7.0",' jetson_variables.py
sed -i "/'tegra234':/i\    'tegra264': '13.0', # JETSON THOR" jetson_variables.py

Risk: LOW - Only patches configuration files to add Thor support - Adds JetPack 7.0 version mappings (38.2.0, 38.2.1) - Adds tegra264 (Thor chip ID) to CUDA table - Adds Thor module ID (p3834-0008) - Does NOT modify any executable code

5. Installs Python Package

pip install --no-cache-dir -U /opt/jtop/jetson_stats

Risk: MEDIUM - Installs from cloned repo (not PyPI) - Source: Local clone (reviewed in step 3) - Not from PyPI (can't verify package signatures) - But: Source code is visible in /opt/jtop/jetson_stats

6. Installs NVML Bindings

pip install -U nvidia-ml-py

Risk: LOW - Official NVIDIA package from PyPI - Package: nvidia-ml-py (official NVIDIA ML Python bindings) - Source: PyPI (trusted)

7. Creates Systemd Service

cat >/etc/systemd/system/jtop.service <<'EOF'
[Service]
ExecStart=/opt/jtop/venv/bin/jtop --force
EOF

Risk: LOW - Standard systemd service - Runs as root (necessary for hardware access) - No network access required - Restart policy: on-failure only

8. Creates Wrapper Script

install -m 0755 /usr/local/bin/jtop <<'EOF'
#!/bin/sh
exec /opt/jtop/venv/bin/jtop "$@"
EOF

Risk: LOW - Simple wrapper for convenience

Missing Component

install_python_fixes() function is called in original but patch script missing: - Original calls: patch_thor_jp7_in_repo.sh - Purpose: Additional Python code patches for Thor - Status: NOT included (script not available) - Impact: May cause jtop to fail on Thor - Mitigation: Commented out in our version with clear note

Security Concerns

HIGH RISK: None identified

MEDIUM RISK:

  1. Third-party GitHub repo: jetson_stats is not official NVIDIA software
  2. Mitigation: Well-known, active, popular project (2k+ stars)
  3. Mitigation: Source code is visible for review

  4. Mitigation: Only for monitoring (doesn't control robot)

  5. Root execution: Script must run as root

  6. Mitigation: Necessary for hardware access (GPU stats)

  7. Mitigation: Creates isolated venv, doesn't modify system Python

  8. Missing patch script: install_python_fixes() not included

  9. Mitigation: Commented out with explanation
  10. Impact: Script may not work; user must troubleshoot

LOW RISK:

  • System package installation (Ubuntu repos)
  • Standard Python venv usage
  • Systemd service creation (no network, restart-only)

Recommendations

APPROVED FOR USE with caveats:

✅ Script is reasonably safe for Thor system ✅ No malicious code identified ✅ Standard practices for Python tool installation ✅ Isolated in venv (won't affect system Python)

WARNINGS:

⚠️ Missing patch script - jtop may not work without it ⚠️ Third-party tool - not official NVIDIA software ⚠️ Runs as root - can access all hardware

BEFORE RUNNING:

  1. Review cloned repo: cd /opt/jtop/jetson_stats && git log
  2. Check package contents: ls -la /opt/jtop/jetson_stats
  3. Monitor first run: journalctl -u jtop -f
  4. If it doesn't work: Missing patch script is likely cause

ALTERNATIVES:

  • Wait for official NVIDIA jtop support for Thor
  • Use tegrastats (built-in Jetson tool): sudo tegrastats
  • Use nvidia-smi with jtop API when supported

Conclusion

SECURITY VERDICT: ACCEPTABLE RISK

The script follows standard practices for installing Python monitoring tools. The main risks are: 1. Dependence on third-party repo (acceptable - popular, trusted project) 2. Missing patch component (may cause functional issues, not security)

The script does NOT: - Download/execute untrusted binaries - Modify system files beyond /opt/jtop and /etc/systemd - Open network listeners - Execute arbitrary remote code - Modify robot control code

Recommendation: Safe to include in repo with warning about missing patch.