EKS image and UEFI Payload Encryption

[gabrielssanches]

While doing a custom EKB, I could not get it to work until I removed the UEFI payload encryption key, a.k.a sym_t234.key here:

$ python3 gen_ekb.py -chip t234
                     -oem_k1_key <oem_k1.key> \
                     -in_sym_key <sym_t234.key> \
                     -in_sym_key2 <sym2_t234.key> \
                     -in_auth_key <auth_t234.key> \
                     -out <eks_t234.img>

after inspecting recipes-bsp/tegra-binaries/tegra-helper-scripts/tegra-flash-helper.sh it made sense since --uefi-enc is not being handled

I think until that is handled, a better description could be added in the wiki.

something like this:

Generate a Custom EKB

Before replacing the default EKB in your Yocto build, you must generate a custom one that matches OemK1 fuse burned on your Jetson device.

Run the following command:

python3 gen_ekb.py -chip t234 \
    -oem_k1_key oem_k1.key \
    -in_sym_key2 sym2_t234.key \
    -in_auth_key auth_t234.key \
    -out eks_t234.img

Where:

oem_k1.key → The OEM_K1 key stored in the OEM_K1 fuse.

sym2_t234.key → The disk encryption key.

auth_t234.key → The UEFI variable authentication key.

eks_t234.img → The generated EKB image to be flashed to the EKS partition of the device.

[gabrielssanches]

made a PR on this matter #1997