I believe updating UEFI keys via tegra-uefi-keys-dtb.bb does not work on scarthgap nor master branches.
When adding UefiUpdateSecurityKeys.dts to tegra-uefi-keys-dtb.bbappend, the UefiUpdateSecurityKeys.dtbo is not installed in the sysroot of the recipe, causing tegra_bootcontrol_overlay_list() to not append it to the list of overlays to use for the capsule update. The result is that it is missing from the capsule update, making it impossible to update the KEK and other keys used by UEFI secure boot.
The problem can be observed without deploying the capsule update by searching for 'UefiUpdateSecurityKeys.dtbo' in 'tmp/work/horizon_orin_devkit-mdt-linux\tegra-uefi-capsules'; you should see that with the current code the file is not present.
With the changes proposed UefiUpdateSecurityKeys.dtbo is picked up for the capsule update and deploying the update I can see the new keys using mokutil --kek and mokutil --db.
A word of warning, having updated the UEFI KEK, db and dbx keys using this recipe, the board boots once, but on second reboot it stops at the following error:
ASSERT [FvbNorFlashStandaloneMm] /usr/src/debug/standalone-mm-optee-tegra/36.3.0/edk2-nvidia/Silicon)
This happens when signing the UEFI payloads with either the 'old' keys (pre-update) and with the new keys brought by the update. I am yet to test with Jetpack (not meta-tegra) to confirm whether updating the EKB actually works.
I believe updating UEFI keys via tegra-uefi-keys-dtb.bb does not work on scarthgap nor master branches.
When adding UefiUpdateSecurityKeys.dts to tegra-uefi-keys-dtb.bbappend, the UefiUpdateSecurityKeys.dtbo is not installed in the sysroot of the recipe, causing tegra_bootcontrol_overlay_list() to not append it to the list of overlays to use for the capsule update. The result is that it is missing from the capsule update, making it impossible to update the KEK and other keys used by UEFI secure boot.
The problem can be observed without deploying the capsule update by searching for 'UefiUpdateSecurityKeys.dtbo' in 'tmp/work/horizon_orin_devkit-mdt-linux\tegra-uefi-capsules'; you should see that with the current code the file is not present.
With the changes proposed UefiUpdateSecurityKeys.dtbo is picked up for the capsule update and deploying the update I can see the new keys using mokutil --kek and mokutil --db.
A word of warning, having updated the UEFI KEK, db and dbx keys using this recipe, the board boots once, but on second reboot it stops at the following error: ASSERT [FvbNorFlashStandaloneMm] /usr/src/debug/standalone-mm-optee-tegra/36.3.0/edk2-nvidia/Silicon)
This happens when signing the UEFI payloads with either the 'old' keys (pre-update) and with the new keys brought by the update. I am yet to test with Jetpack (not meta-tegra) to confirm whether updating the EKB actually works.