Massflash with a generic key and replace by unique key : OEM_K1 fuse to create eks image

Hello,

Following this post, I am reposting the different questions in different threads.

I have successfully created a massflash with a generic password and with re-encryption enabled with a per-device unique key. However, I have created the massflash with an unfused board and a generic eks image. (The sym2_t234.key file and eks.image were generated by the example.sh script.)

My questions are:

  1. Is the eks.img related to the disk encryption? And if yes, what is the role of the eks.img in the disk encryption?
  2. Is the EKB key the same as the eks.img file?
  3. To create the eks.img, we partially use the oem_k1 fuse to generate the eks.img. Then, in a massflash scenario, we cannot use the oem_k1 fuse value per device.
  4. What is the purpose of the eks.image?

Kind regards,
cleng

hello cleng,

>> Q1, Q2, Q4
yes, EKS is related to the disk encryption.
as you can see… there’re keys included in the EKS image.
it has two keys: one is the kernel encryption key (sym_t234.key), and the other is the LUKS key (sym2_t234.key) for disk encryption support.
for instance,

$ python3 gen_ekb.py -chip t234 -oem_k1_key oem_k1.key \
        -fv fv_ekb_t234 \
        -in_sym_key sym_t234.key \
        -in_sym_key2 sym2_t234.key \
        -in_auth_key auth_t234.key \
        -out eks_t234.img

>> Q3
the real problem should be… you must enable the generic passphrase for the massflash scenario. otherwise, you’ll have a unique ECID to enable disk encryption per device.

besides,
please also see some similar discussion threads for reference,
such as… Topic 309032, Topic 284400, and Topic 271974.