How can multiple keys be added to an EKB

hello panjiazhuang,

Please note that you should also update the EKS image if you’re using a customized key.

FYI,
EKB (Encrypted Binary Blob) stores two keys: one is the kernel encryption key (sym_key_file), and the other is the LUKS key (sym2_key_file) for disk encryption support.
For LUKS disk encryption support with a specific key (i.e. the sym2 key), you should execute the script file, gen_ekb.py, to generate an EKS image. Also, note that in the developer guide, [Tool for EKB Generation], sym2.key is equivalent to ekb.key.
EKB is first encrypted and signed by EK and AK (derived from K1), then encrypted and signed by SBK and PKC.

moreover,
You may also see the discussion thread, Topic 270934 (it’s tested on Jetson Orin Nano, BTW), for disk encryption with a custom key.
