How can multiple keys be added to an EKB

Hello, I need to add multiple keys to the EKB now. I read the developer manual and referred to this document. I see you have said “support to add multiple keys to EKB image”, but I can’t find the method. Please help me; thank you.

please refer to developer guide, Tool for EKB Generation.

I’ve read the developer’s guide, but I can’t find how to store multiple keys. I saw in the developer guide that if you want to add a new ciphertext, you need to add an EKB_cmac and a Random_IV. How should I add it, or where should I add it?

Is it convenient to give an example? Or if there has been a similar case before, you could also show me that. Thank you.

I read through the developer guide and came across this paragraph:
< You can add additional keys to an EKB by adding additional sets of (**EKB_cmac, Random_IV, EKB ciphertext**) fields. You can do this by extending the script (see [Tool for EKB Generation]) to support additional keys.>

Tool for EKB Generation:

$ python3 -kek2_key <kek2_fuse_key_file> \
    -fv <fv_for_ekb_ek> \
    -in_sym_key <sym_key_file> \
    -in_sym_key2 <sym2_key_file> \
    -out <eks_image_file>

Let’s get back to our problem.
As stated in the first paragraph, where should I add the EKB_cmac, Random_IV, and EKB ciphertext fields to create a new key?

thank you!

hello panjiazhuang,

as you can see in the Trusty sources, i.e. CA_sample/tool/gen_ekb/README
please refer to [ overview] and the steps of EKB generation.
you may extend the script file to add multiple keys.

I see what you said about [] and [EKB generation], but I see that the script file [] is now fixed and only generates one set of key information:

EKB header
EKB ciphertext

which means that if I want to add a new key, I have to refer to [] and [EKB generation]. Make that change in [];

Is my understanding correct?

Hello JerryChang,
I’m sorry to bother you, please give me a reply when it is convenient, thank you

hello panjiazhuang,

we don’t have reference samples.
please also see the readme file for updating the script accordingly.
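
The guide passage quoted earlier in the thread says each extra key needs its own (EKB_cmac, Random_IV, EKB ciphertext) set. The following is an added sketch of that idea, not NVIDIA's script and not code from this thread. Assumptions: EK and AK are already derived, AES-CBC encrypts each key, the CMAC covers IV plus ciphertext, the 4-byte length prefix is a hypothetical framing, and the Python `cryptography` package is installed.

```python
# Added illustration: framing and function names are assumptions, not gen_ekb's layout.
import os
import struct
from cryptography.hazmat.primitives import cmac
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16  # AES block size; also the CMAC and IV length used here


def seal_key(ek: bytes, ak: bytes, key: bytes) -> bytes:
    """Return one (EKB_cmac, Random_IV, EKB ciphertext) set for a single key."""
    if not key or len(key) % BLOCK:
        raise ValueError("key length must be a non-zero multiple of 16 bytes")
    iv = os.urandom(BLOCK)  # fresh IV per set; never reuse across keys
    enc = Cipher(algorithms.AES(ek), modes.CBC(iv)).encryptor()
    ct = enc.update(key) + enc.finalize()
    mac = cmac.CMAC(algorithms.AES(ak))
    mac.update(iv + ct)  # assumed: CMAC covers IV || ciphertext
    return mac.finalize() + iv + ct


def build_content(ek: bytes, ak: bytes, keys: list) -> bytes:
    """Concatenate one length-prefixed set per key (hypothetical framing)."""
    sets = [seal_key(ek, ak, k) for k in keys]
    return b"".join(struct.pack("<I", len(s)) + s for s in sets)


def open_content(ek: bytes, ak: bytes, blob: bytes) -> list:
    """Consumer side: verify each set's CMAC before decrypting it."""
    keys, off = [], 0
    while off < len(blob):
        if len(blob) - off < 4:
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        rec = blob[off:off + n]
        if len(rec) != n or n < 3 * BLOCK or n % BLOCK:
            raise ValueError("truncated or malformed set")
        off += n
        tag, iv, ct = rec[:BLOCK], rec[BLOCK:2 * BLOCK], rec[2 * BLOCK:]
        mac = cmac.CMAC(algorithms.AES(ak))
        mac.update(iv + ct)
        mac.verify(tag)  # raises InvalidSignature if the set was modified
        dec = Cipher(algorithms.AES(ek), modes.CBC(iv)).decryptor()
        keys.append(dec.update(ct) + dec.finalize())
    return keys
```

Whatever layout the generation script emits, the code that reads the EKB on the device has to parse the same layout, so both sides change together.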

hello panjiazhuang,

please note that you should also update the EKS image if you’re using a customized key.

EKB (Encrypted Binary Blob) stores two keys, one is the kernel encryption key (sym_key_file), and another one is the LUKS key (sym2_key_file) for disk encryption support.
LUKS disk encryption is supported with a specific key (i.e. sym2 key); you should execute the script file to generate an EKS image. Also, the developer guide, [Tool for EKB Generation], notes that sym2.key is equivalent to ekb.key.
EKB is first encrypted and signed by EK and AK (derived from K1), then encrypted and signed by SBK and PKC.

you may also see the discussion thread, Topic 270934 (it’s tested on Jetson Orin Nano, BTW), for disk encryption with a custom key.
