The structure of this file eks.img is inconsistent with the description

Hi
I have used the command

 "python3 gen_ekb.py -kek2_key <kek2_fuse_key_file> \
    -fv <fv_for_ekb_ek> \
    -in_sym_key <sym_key_file> \
    -in_sym_key2 <sym2_key_file> \
    -out <eks_image_file>"

and generated the eks.img.
When I run "hexdump eks.img",
it shows that:


0000000 0400 0000 564e 4b45 5042 0000 0000 0000
0000010 1852 ef8f 4322 15d5 30b9 c05a acad 97bb
0000020 9b23 0615 c7fc ccd8 d0bb 6b28 3d91 f264
0000030 3377 6b8f af7a 83b4 7c2d 25c6 b6b5 f070
0000040 0288 dd67 c040 0162 9f33 b2b8 e3e8 1aed
0000050 b4b4 b4b4 b4b4 b4b4 b4b4 b4b4 b4b4 b4b4
*
0000404

It seems that each key only occupies 32 bytes, but according to the document linked below, each key should have 16 bytes of CMAC, 16 bytes of IV, and 16 bytes of context, totaling 48 bytes, which is not consistent.

https://docs.nvidia.com/jetson/archives/l4t-archived/l4t-3273/index.html#page/Tegra%20Linux%20Driver%20Package%20Development%20Guide/trusty.html#wwpID0E06D0HA

hello miaofeiyu1991,

did you give a non-zero user key on the command line?
<sym_key_file> above is the user_key; this is also the key of kernel encryption key. Do you have a non-zero user_key to generate eks.img with the keys?

Of course I use a non-zero user key.

<sym_key_file> content is f6b262fd7adf75da83349881f44bfdba

<sym2_key_file> content is f54d8e975f3f84daf9a2c0fb75dde164

They were all generated by me using OpenSSL.
This file eks.img can be used successfully.

I'm just surprised that its format is not consistent with the document.

hello miaofeiyu1991,

okay. let me double confirm the JetPack release version you're using.

Hi Jerry,
Yes, I use JetPack 4.6.3 (L4T 32.7.3).
By the way, can you give me more suggestions about another topic?

hello miaofeiyu1991,

okay… you may have been misled by the developer guide.

You can add additional keys to an EKB by adding additional sets of (EKB_cmac, Random_IV, EKB ciphertext) fields. You can do this by extending the script (see Tool for EKB Generation) to support additional keys.

this is a recommended way to add multiple keys into the EKB image, but it doesn't mean we MUST create dedicated CMACs and IVs for each key…

FYI,
we support adding multiple keys into the EKB image, but we always use one IV and one CMAC to encrypt and sign the keys.
you may use multiple CMACs and IVs, but it's just a recommended method, and the corresponding changes in the TrustedOS are required.


Oh, thank you. That means if I use gen_ekb.py, the eks.img includes just one CMAC and one IV, so there are just 32 bytes.

Thank you.
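The layout discussed in this thread can be checked by rebuilding the posted hexdump into bytes and splitting it into fields. This is an added example, not part of the original posts and not NVIDIA's code; the field order (size, "NVEKBP" magic, one CMAC, one IV, ciphertext), the treatment of 0xb4 as filler, and the names `hexdump_to_bytes` and `parse_ekb` are assumptions inferred from the dump and the replies.

```python
import struct

# Default `hexdump` output copied from the post above.
DUMP = """\
0000000 0400 0000 564e 4b45 5042 0000 0000 0000
0000010 1852 ef8f 4322 15d5 30b9 c05a acad 97bb
0000020 9b23 0615 c7fc ccd8 d0bb 6b28 3d91 f264
0000030 3377 6b8f af7a 83b4 7c2d 25c6 b6b5 f070
0000040 0288 dd67 c040 0162 9f33 b2b8 e3e8 1aed
0000050 b4b4 b4b4 b4b4 b4b4 b4b4 b4b4 b4b4 b4b4
*
0000404
"""

def hexdump_to_bytes(text):
    """Rebuild bytes: words are little-endian ("564e" is 4e 56), '*' repeats a row."""
    out, last_row, squeezed = bytearray(), b"", False
    for parts in (line.split() for line in text.splitlines() if line.strip()):
        if parts[0] == "*":
            squeezed = True
            continue
        offset = int(parts[0], 16)
        while squeezed and len(out) < offset:  # repeat previous row up to this offset
            out += last_row[: offset - len(out)]
        squeezed = False
        if parts[1:]:
            last_row = b"".join(struct.pack("<H", int(w, 16)) for w in parts[1:])
            out += last_row
    return bytes(out)

def parse_ekb(blob, block=16):
    """Split an EKB image into fields (layout is an assumption, see lead-in)."""
    size = struct.unpack_from("<I", blob, 0)[0]  # bytes following the size field
    if len(blob) != 4 + size or blob[4:10] != b"NVEKBP":
        raise ValueError("not an EKB image or truncated")
    body = blob[16:]                              # skip the 16-byte header
    data = body[2 * block:].rstrip(b"\xb4")       # heuristic: drop 0xb4 filler
    ct_len = -(-len(data) // block) * block       # round up to a whole AES block
    return {
        "size": size,
        "cmac": body[:block],
        "iv": body[block:2 * block],
        "ciphertext": body[2 * block:2 * block + ct_len],
        "padding": len(body) - 2 * block - ct_len,
    }

if __name__ == "__main__":
    for name, value in parse_ekb(hexdump_to_bytes(DUMP)).items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

Under these assumptions the dump holds a single 16-byte CMAC and a single 16-byte IV, followed by 32 bytes of ciphertext for the two 16-byte keys.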
