Running Trusty on TX2

here’s developer guide for Jetson Security.

you may also download [Driver Package (BSP) Sources] of r32.7.3 release version.
by extracting trusty_src.tbz2 sources package, you’ll see CA_sample for python script,, which is used to create eks.img.

note, the sym.key as mentioned in the example is the user_key as mentioned by document.
if you have a non-zero user_key, you have to generate a customize eks.img with the python script to assign the user_key, and copy it to bootloader folder, re-flash the target to update the EKS partition.
so, Trusty retrieves user_key from eks.img, and loads the key into keyslot for decryption. whenever the eks.img is invalid, keyslot will be cleared with 0, and that means the binaries are not encrypted, so they won’t be decrypted by CBoot.

here’s similar topic for your reference, Topic 238756.