How to add the authentication key to EKB R35.5.0

[Red-Dragon-99]

Hi everyone!

I fused my Jetson Orin Devkit (only SBC and PKC) and I created PK/KEK/db keys for UEFI. This way I could enable Secure Boot and UEFI Secure Boot using the meta-tegra kirkstone branch. Using R35.4 this works like a charm. Now, when I updated to R35.5.0, the boot process fails.

I learned from this discussion, that with R35.5.0 UEFI authentication is enabled per default.

So, currently I'm trying to generate & flash an EKS image with authentication key as described in this NVIDIA forum post.
It boils down to generating the authentication key and then invoking gen_ekb.py with this key as parameter.

However, it looks like I missed something. This would only generate the authentication key and put it into the eks image file to be flashed to the ekb partition. But where is this authentication key used? In other words where is the key used to lock something (I guess the uefi variables?). I didn't find any hints where this key is used. Can you please point me to that?
How do I sign and encrypt the eks.img to flash it to the device? Can you please point me to the file/yocto recipe to do that?

Any help is appreciated.

Thanks!

[madisongh]

The use of this added key is mentioned in the L4T documentation here.

How to generate an EKB and include it in your builds is described on this wiki page.

You should be able to update the EKB with a UEFI update capsule. I don't think we have a wiki page on update capsules, but you should find general info on them in the L4T documentation. The tegra-uefi-capsules recipe generates them in your Yocto builds.