Hello JerryChang,
Thank you for your answers. So, just to clarify.
>> Q1
Here’s a see-also, Topic 288196, for an explanation.
Since you’re using a generic passphrase for the massflash scenario, it won’t use the unique ECID to enable disk encryption.
I read the linked topic. It indeed explains why it does not use the ECID. Then it must use some kind of generated key at the start of first boot. Does it also use the generated EKB file for the disk re-encryption like in this diagram? How is the new key generated? And how is the new key created? The tool to create the new password is gen_luks_passphrase, but it is located on the host and not on the device.
>> Q2
Yes, we strongly recommend users enable bootloader secure boot so that the root-of-trust can start from the BootROM.
Please refer to the developer guide, SecureBoot, for details.
I understand that for enabling the chain-of-trust we need to enable secure boot, and we will. But just to clarify, it's just a recommendation. We can encrypt the disk without using secure boot. Furthermore, is there any obligation to fuse the board to use disk encryption?
>> Q4
Aren’t you going to have massflash?
Or… are you going to replace the generic key with a per-device unique key?
We are going to have a massflash, and ideally we would like to replace the generic key with a per-device unique key.