Judging by what I’m currently know, EKB decryption and verification is performed solely by Trusty, and after it keys are available for other services (secure and non-secure) by Trusty IPC.
However, after examination of Trusty souce code, it seems that there is no IPC to get the kernel key. Only disk key could be retrieved. So how does CBoot get this key to decrypt kernel?