How can multiple keys be added to an EKB

Hello, I need to add multiple keys to the EKB now. I read the developer manual and referred to this document:
https://forums.developer.nvidia.com/t/the-structure-of-this-file-eks-img-is-inconsistent-with-the-description/255711/6
I see you have said “support to add multiple keys to EKB image”, but I can’t find the method. Please help me; thank you.

Please refer to the developer guide, Tool for EKB Generation.

I’ve read the developer’s guide, but I can’t find how to store multiple keys. I saw in the developer guide that if you want to add a new ciphertext, you need to add an EKB_cmac and a Random_IV. How should I add it, or where should I add it?

Is it convenient to give an example? Or, if there was a similar case before, you could also show me that; thank you.

I read through the developer guide and came across this paragraph:

> You can add additional keys to an EKB by adding additional sets of (**EKB_cmac, Random_IV, EKB ciphertext**) fields. You can do this by extending the script (see [Tool for EKB Generation](https://docs.nvidia.com/jetson/archives/l4t-archived/l4t-3261/Tegra%20Linux%20Driver%20Package%20Development%20Guide/trusty.html#wwpID0E03B0HA)) to support additional keys.

Tool for EKB Generation:

```
$ python3 gen_ekb.py -kek2_key <kek2_fuse_key_file> \
    -fv <fv_for_ekb_ek> \
    -in_sym_key <sym_key_file> \
    -in_sym_key2 <sym2_key_file> \
    -out <eks_image_file>
```

Let’s get back to our problem. As stated in the first paragraph, where should I add the EKB_cmac, Random_IV, and EKB ciphertext fields to create a new key?

thank you!

hello panjiazhuang,

As you can see in the Trusty sources, i.e. CA_sample/tool/gen_ekb/README, please refer to [gen_ekb.py overview] and the steps of EKB generation.
You may extend the script file to add multiple keys.

I see what you said about [gen_ekb.py] and [EKB generation]; but I see that the script file [gen_ekb.py] is currently fixed and only generates one set of key information:

EKB header
EKB_cmac
Random_IV
EKB ciphertext

which means that if I want to add a new key, I have to refer to [gen_ekb.py] and [EKB generation] and make that change in [gen_ekb.py].

Is my understanding correct?

Hello JerryChang,
I’m sorry to bother you; please give me a reply when it is convenient. Thank you.

hello panjiazhuang,

We don’t have reference samples.
Please also see the README file for updating the script, gen_ekb.py, accordingly.

hello panjiazhuang,

Please note that you should also update the EKS image if you’re using a customized key.

FYI,
EKB (Encrypted Binary Blob) stores two keys: one is the kernel encryption key (sym_key_file), and the other is the LUKS key (sym2_key_file) for disk encryption support.
For LUKS disk encryption support with a specific key (i.e. the sym2 key), you should execute the script file gen_ekb.py to generate an EKS image. Also, the developer guide section [Tool for EKB Generation] states that sym2.key is equivalent to ekb.key.
EKB is first encrypted and signed by EK and AK (derived from K1), then encrypted and signed by SBK and PKC.

Moreover,
you may also see the discussion thread Topic 270934 (it’s tested on Jetson Orin Nano, BTW) for disk encryption with a custom key.

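Since the thread ends with no reference sample, here is an added example (mine, not NVIDIA's gen_ekb.py) of the script extension being discussed: a builder that emits one (EKB_cmac, Random_IV, EKB ciphertext) set per key, and a parser that verifies each set's tag before decrypting it. The container layout, the names `ek`/`ak`, and the use of HMAC-SHA256 in place of AES-CMAC and AES-CBC are assumptions so the code runs on the Python standard library alone; the real script's header and primitives differ.

```python
import hashlib
import hmac
import os
import struct

# Constructed layout (an assumption for this example, not NVIDIA's exact EKB format):
#   MAGIC | u8 count | records of: u16 ct_len | tag(32) | iv(16) | ciphertext(ct_len)
MAGIC = b"EKB1"
TAG_LEN, IV_LEN = 32, 16

def keystream_xor(key, iv, data):
    # HMAC-SHA256 in counter mode stands in for AES-CBC so the example runs on the stdlib alone.
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, iv + struct.pack(">I", i), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)

def build_ekb(ek, ak, plain_keys, iv_source=os.urandom):
    # Each key becomes its own (EKB_cmac, Random_IV, EKB ciphertext) set; the tag covers iv || ct.
    records = []
    for plain in plain_keys:
        iv = iv_source(IV_LEN)                                 # Random_IV, fresh per record
        ct = keystream_xor(ek, iv, plain)                      # EKB ciphertext
        tag = hmac.new(ak, iv + ct, hashlib.sha256).digest()   # stands in for EKB_cmac
        records.append(struct.pack(">H", len(ct)) + tag + iv + ct)
    return MAGIC + struct.pack("B", len(records)) + b"".join(records)

def parse_ekb(ek, ak, blob):
    # Verify each record's tag before decrypting it; raise ValueError on any framing or tag failure.
    if blob[:4] != MAGIC:
        raise ValueError("bad header")
    count, off, keys = blob[4], 5, []
    for _ in range(count):
        (ct_len,) = struct.unpack_from(">H", blob, off)
        tag, iv = blob[off + 2:off + 2 + TAG_LEN], blob[off + 2 + TAG_LEN:off + 2 + TAG_LEN + IV_LEN]
        ct = blob[off + 2 + TAG_LEN + IV_LEN:off + 2 + TAG_LEN + IV_LEN + ct_len]
        off += 2 + TAG_LEN + IV_LEN + ct_len
        expected = hmac.new(ak, iv + ct, hashlib.sha256).digest()
        if len(ct) != ct_len or not hmac.compare_digest(tag, expected):
            raise ValueError("record authentication failed")
        keys.append(keystream_xor(ek, iv, ct))
    return keys

def is_valid_ekb(ek, ak, blob):
    try:
        parse_ekb(ek, ak, blob)
        return True
    except (ValueError, struct.error):   # struct.error: count claims records the blob lacks
        return False
```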
