It seems that each key only occupies 32 bytes, but according to the documents linked below, each key should have 16 bytes of cmac, 16 bytes of iv, and 16 bytes of context, totaling 48 bytes, which is not consistent .
are you given non-zero user key into the command-line? <sym_key_file> above is the user_key; this also the key of kernel encryption key. do you have a non-zero user_key, to generate eks.img with the keys?
You can add additional keys to an EKB by adding additional sets of (EKB_cmac, Random_IV, EKB ciphertext) fields. You can do this by extending the script (see Tool for EKB Generation) to support additional keys.
this is a recommended way to add multiple keys into EKB image, but it doesn’t means we MUST create dedicated CMACs and IVs for each key…
FYI,
we support adding multiple keys into EKB image, but we always use one IV, and one CMAC to encrypt and sign the keys.
you may use multiple CMACs and IVs, but it’s just a recommended method, the corresponding changes in the TrustedOS is required.