Decryption of VEK and Use by dm-crypt

The diagram below shows the decryption of the VEK and its use by dm-crypt via dmsetup. It includes the following steps:

  1. The app reads the encrypted VEK from the filesystem (/etc/nvidia/efs/).
  2. The app passes the encrypted VEK and the key derivation strings to the PKCS#11 library via its APIs.
  3. The PKCS#11 library talks to the TOS to derive the VEK encryption key from the key derivation strings.
  4. The PKCS#11 library talks to the SE server to decrypt the encrypted VEK and stores the decrypted VEK in the file passed as input (/tmp/*).
  5. The EFS systemd service reads the decrypted VEK from the file in /tmp.
  6. The EFS systemd service passes the decrypted VEK as input to dmsetup, which in turn hands it to the kernel dm-crypt module for disk encryption and decryption operations.
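Steps 5 and 6 are the point where the plaintext VEK is briefly on disk and then handed to the kernel. The script below is an added example, not the EFS systemd service's own code, of what that hand-off looks like at the dmsetup level: it hex-encodes the raw key file, checks the key length, and emits the dm-crypt mapping table that `dmsetup create` consumes. The cipher (aes-xts-plain64), the 64-byte key size, the key file name /tmp/vek.bin and the device /dev/mmcblk0p1 are assumptions; the page does not name them.

```shell
#!/bin/sh
# Added example (not NVIDIA's EFS service code). Assumptions:
#   - the decrypted VEK is a raw 64-byte key written by the PKCS#11 library
#     to a file such as /tmp/vek.bin
#   - the dm-crypt cipher is aes-xts-plain64 (the page does not name one)
set -e

# Hex-encode a raw key file using POSIX od (no xxd dependency).
hex_key() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# Print the dm-crypt table line that "dmsetup create" reads on stdin:
#   <start> <sectors> crypt <cipher> <key-hex> <iv_offset> <device> <offset>
# Arguments: key file, backing block device, size in 512-byte sectors.
# Fails (without printing a table) if the key is not 64 bytes, so a
# truncated or corrupted /tmp key file never reaches the kernel.
build_crypt_table() {
    keyfile=$1; device=$2; sectors=$3
    key=$(hex_key "$keyfile")
    # aes-xts-plain64 needs a 512-bit key: 64 bytes = 128 hex digits
    [ "${#key}" -eq 128 ] || {
        echo "key must be 64 bytes, got $(( ${#key} / 2 ))" >&2
        return 1
    }
    echo "0 $sectors crypt aes-xts-plain64 $key 0 $device 0"
}

# Real use, as root, once the key file has been written (step 5):
#   build_crypt_table /tmp/vek.bin /dev/mmcblk0p1 \
#       "$(blockdev --getsz /dev/mmcblk0p1)" | dmsetup create efs
#   shred -u /tmp/vek.bin   # the kernel now holds the key; drop the plaintext copy
```

Because the key travels to the kernel as part of the table line, it is visible to anyone who can read the process arguments or the key file while the mapping is being created, which is why the plaintext copy in /tmp should exist only for the duration of the dmsetup call and be removed immediately afterwards.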