Disk Encryption - Custom EKB

In the guideline for the disk encryption it is specified that I need to generate the EKB in this manner:
echo "00000000000000000000000000000000" > ekb.key

If I want to use my random bytes such as
echo "cf794188bf85f31929018ffdd149a71f" > ekb.key
without a kernel panic, what is the procedure to follow?

Hi evilinux,

Which kind of JetPack are you using? For instance, the JetPack 5.1 Developer guide on the Security section shows how to use tools like this:
https://docs.nvidia.com/jetson/archives/r35.2.1/DeveloperGuide/text/SD/Security/OpTee.html#tool-for-ekb-generation

It also shows more processes related to this. Maybe you can take a look and see if it fits for your answer.

Best,

JDiego Delgado
Embedded SW Engineer at RidgeRun
Contact us: support@ridgerun.com
Developers wiki: https://developer.ridgerun.com/
Website: www.ridgerun.com

I am using JetPack 5.0.2 and I think that it is supported. What do you think?

It looks like it could work.
https://docs.nvidia.com/jetson/archives/r35.1/DeveloperGuide/text/SD/Security/OpTee.html#ekb-generation

That’s from the JetPack 5.0.2 developer guide. You could try it.

Best,

JDiego Delgado

evilinux,
There’s also a nvidia-jetson-optee-source.tbz2 tarball within the JP5.1 public sources (I’m not sure if this is also supported in JP5.0.2) with some scripts that could help you generate the EKB.
The scripts are located in:
/$HOME/Linux_for_Tegra/source/public/nvidia-jetson-optee-source/optee/samples/hwkey-agent/host/tool/gen_ekb . It contains a gen_ekb.py that generates the EKB, and an example.sh that guides you on how to do it.

Best,

JDiego Delgado

Thanks a lot jdiegodelgado. A couple of days ago I did the same by using the same package in version 5.0.2. The most important thing is that the sym2.key in the example.sh corresponds to the ekb.key. However, thank you for your support.

2 Likes
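
A pre-flash sanity check for the point made in the last post, as an added example that is not from the thread or from NVIDIA's tooling: it verifies that a key file is well formed and that sym2.key carries the same value as ekb.key. The 32-hex-character key format is an assumption taken from the keys quoted in the question, and gen_key, check_key and keys_match are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not NVIDIA's tooling): sanity checks for the key files in this thread.
# Assumption: a key file is one line of exactly 32 hex characters (16 bytes),
# the shape of the all-zero key quoted from the guide.
LC_ALL=C; export LC_ALL   # compare raw bytes, independent of the user's locale

# Print a fresh random 16-byte key as 32 lowercase hex characters.
gen_key() {
    od -An -N16 -tx1 /dev/urandom | tr -cd '0-9a-f'
    echo
}

# Return 0 only if file $1 holds exactly 32 hex characters.
check_key() {
    key=$(cat "$1" 2>/dev/null) || return 2   # $(...) drops the trailing newline
    case "$key" in
        *[!0-9a-fA-F]*) return 1 ;;           # stray byte, e.g. a typographic quote
    esac
    [ "${#key}" -eq 32 ]
}

# Return 0 only if both files are well formed and carry the same key value.
keys_match() {
    check_key "$1" || return 1
    check_key "$2" || return 1
    [ "$(tr 'A-F' 'a-f' < "$1")" = "$(tr 'A-F' 'a-f' < "$2")" ]
}

# Demo on constructed files in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    gen_key > "$d/ekb.key"                     # key used for disk encryption
    cp "$d/ekb.key" "$d/sym2.key"              # same value used as sym2.key in example.sh
    gen_key > "$d/other.key"                   # unrelated key, must not match
    # Constructed bad input: a key pasted together with typographic quotes.
    printf '%s\n' '“cf794188bf85f31929018ffdd149a71f”' > "$d/pasted.key"
    keys_match "$d/ekb.key" "$d/sym2.key" && echo "ekb.key / sym2.key: match"
    keys_match "$d/ekb.key" "$d/other.key" || echo "ekb.key / other.key: MISMATCH"
    check_key "$d/pasted.key" || echo "pasted.key: not 32 hex characters"
    rm -rf "$d"
}
demo
```

Running keys_match on the real ekb.key and sym2.key before building the EKB image catches a mismatch on the host rather than at boot.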
