here’s an FYI,
EKB (Encrypted Binary Blob) stores two keys, one is the kernel encryption key (sym_key_file), and another one is the LUKS key (sym2_key_file) for disk encryption support.
LUKS disk encryption support with a specific key. it’s script file, gen_ekb.py to generate an EKS image, (i.e. eks_t234.img file). also, in the developer guide, [Tool for EKB Generation] in the OP-TEE section, that sym2.key is equivalent to ekb.key
here’s see-also topic that we’ve verified disk encryption (i.e. ROOTFS_ENC=1) on Orin NX.
for instance, Topic 264454.