Hi,
first of - glad to see that optee is now supported on imx7 
Just created a new build with version 7.4.0 using my old local.conf and added INHERIT += “tdx-optee”.
xtest final lines of output:
+-----------------------------------------------------
41474 subtests of which 0 failed
155 test cases of which 0 failed
0 test cases were skipped
D/TC:? 0 tee_ta_close_session:460 csess 0x8c095490 id 6
D/TC:? 0 tee_ta_close_session:479 Destroy session
D/TC:? 0 destroy_context:
TEE test application done!
So everything reports ok - but the following (minor) issues:
- /data/tee is not created after booting.
- TDX_OPTEE_INSTALL_TESTS += “1” does create xtest but not optee_example_hello_world
- /data/tee is available after running xtest
I have the following errors during boot - not sure if they are related?
[ 5.044497] caam 30900000.crypto: job rings = 3, qi = 0
Mounting /var/volatile...
[ 5.091963] caam_jr 30901000.jr: failed to flush job ring 0
[ 5.112134] caam_jr: probe of 30901000.jr failed with error -5
ERROR: reserving fdt memory region failed (addr=8c000000 size=1000000 flags=4)
So to sum up a bit concerned about the ERROR with reseving memory and not sure if /data/tee should be created manually ?
Best Regards - Paul
Hi, I’m the Toradex AI Assistant.
I might make mistakes. Our support team will step in if needed. If I answered your question, please tick the “Solution” checkbox. For follow-up questions to me, please use @ToradexAI in your post.
Did you like my answer? 
Hello Paul,
Thank you for your feedback and congratulations on getting OP-TEE running on your iMX7! I’ll address your observations and questions point by point:
-
/data/tee Not Created After Boot
- OP-TEE uses
/data/tee as the secure storage location by default. This directory is not created at boot time but is automatically created when the first OP-TEE operation that requires persistent storage is executed (for example, when you run xtest). Thus, it’s normal for /data/tee to only appear after running xtest or another Trusted Application that triggers secure storage usage.
- You do not need to create
/data/tee manually.
-
TDX_OPTEE_INSTALL_TESTS creates xtest but not optee_example_hello_world
- Setting
TDX_OPTEE_INSTALL_TESTS += "1" ensures that the OP-TEE test suite (xtest) is included in your image. Under current OP-TEE packaging, example applications like optee_example_hello_world may not be automatically installed. This is a known limitation and may be updated as OP-TEE support for iMX7 matures. For now, you can manually build and deploy the optee_example_hello_world if needed.
-
/data/tee is available after running xtest
- As explained above, this behavior is expected and indicates that OP-TEE’s secure storage is functioning normally.
-
CAAM and Memory Reservation Errors
- The CAAM (Cryptographic Acceleration and Assurance Module) errors, such as
caam_jr: probe of 30901000.jr failed with error -5, are commonly observed on iMX7 when the driver cannot initialize the hardware job ring for cryptographic operations. While these may not prevent normal operation, they can relate to OP-TEE’s interaction with hardware crypto features (like the Hardware Unique Key).
- The memory reservation error
ERROR: reserving fdt memory region failed (addr=8c000000 size=1000000 flags=4) usually points to the device tree not properly reserving secure memory needed by OP-TEE. This can affect OP-TEE features that require secure memory allocation. If you’re seeing successful xtest results, base functionality is likely working, but certain advanced features may be impacted.
- You may want to review your device tree configuration to ensure secure memory regions are correctly reserved, especially as OP-TEE support for iMX7 is still evolving. More information on this topic can be found in ongoing discussions in the Community.
Summary:
- Most of what you’re experiencing is expected given the current development state of OP-TEE on iMX7.
- Only create
/data/tee manually if you need to set specific permissions or storage locations, else let OP-TEE handle it.
- The CAAM and memory reservation errors are typically related to device tree and hardware crypto support; future software and BSP updates may further resolve or reduce these issues.
For the latest status and technical updates, I’d recommend following the community discussions and relevant repositories:
If you have further questions or would like to dive into a specific aspect, feel free to ask!
Best regards,
Toradex AI Assistant.
@ToradexAI
regarding the ERROR reserving the memory region
The requested address 0x8c000000 is from the default colibri-imx7_optee_overlay.dtbo :
reserved-memory {
#address-cells = <1>;
#size-cells = <1>;
ranges;
optee {
reg = <0x8c000000 0x1000000>;
no-map;
};
};
And is the same as the default load address for the kernel :
Loading Kernel Image to 8c000000
so what address would you recommend and which part to change?
Thanks for your response.
Please remember to tick the “Solution” checkbox below if my response solves your question. If you have follow-up questions, just continue to tag me using @ToradexAI in your new posts.
Did you like my answer?
Hello Paul,
You are correct—having both the OP-TEE reserved memory and the kernel loaded at address 0x8c000000 creates a conflict. This is causing the “ERROR: reserving fdt memory region failed” message.
Recommended OP-TEE Memory Region (imx7)
For the Colibri iMX7, it’s best to move the OP-TEE reserved memory to an address that doesn’t overlap with the kernel or other reserved regions. A safe and widely used address for OP-TEE on iMX7 is 0x9e000000 with a size of 0x1000000 (16MB).
Update your device tree overlay
In your colibri-imx7_optee_overlay.dtbo (or its source .dts), update the OP-TEE reserved memory node to:
reserved-memory {
#address-cells = <1>;
#size-cells = <1>;
ranges;
optee {
reg = <0x9e000000 0x1000000>;
no-map;
};
};
Update OP-TEE build configuration
You’ll also need to tell OP-TEE to use the same address. In Yocto, this is typically controlled by:
TDX_OPTEE_ADDR_LOAD = "0x9e000000"
(If you’re using a custom build system or different method, adjust the load address wherever your OP-TEE build picks up its configuration.)
What to check
- Ensure no other reserved memory or the kernel/initrd overlaps with
0x9e000000..0x9effffff.
- Rebuild and deploy both your device tree overlay and recompile OP-TEE after making these changes.
This change should solve the reservation error and allow OP-TEE and the kernel to coexist without issues.
References:
If you need more help with device tree specifics or rebuilding, let me know!
Best regards,
Toradex AI Assistant.
@ToradexAI
what YOCTO recipe name could i use to patch colibri-imx7_optee_overlay.dts?
Thanks for your response.
Please remember to tick the “Solution” checkbox below if my response solves your question. If you have follow-up questions, just continue to tag me using @ToradexAI in your new posts.
Did you like my answer?
Hello,
To patch the colibri-imx7_optee_overlay.dts file in Yocto, you should target the device-tree-overlays recipe. This recipe is responsible for building the device tree overlays—including colibri-imx7_optee_overlay.dts—into .dtbo files.
Here’s how you can do it:
1. Create a .bbappend for the device-tree-overlays recipe
Example directory structure in your custom layer:
meta-yourlayer/
└── recipes-kernel/
└── device-tree-overlays/
├── device-tree-overlays/
│ └── colibri-imx7_optee_overlay_fix.patch
└── device-tree-overlays_%.bbappend
2. Content of device-tree-overlays_%.bbappend:
FILESEXTRAPATHS:prepend := "${THISDIR}/device-tree-overlays:"
SRC_URI += "file://colibri-imx7_optee_overlay_fix.patch"
3. Create your patch (colibri-imx7_optee_overlay_fix.patch):
Example (to change the OP-TEE reserved memory address):
--- a/overlays/colibri-imx7_optee_overlay.dts
+++ b/overlays/colibri-imx7_optee_overlay.dts
@@ -10,7 +10,7 @@
Reserved-memory {
#address-cells = <1>;
#size-cells = <1>;
ranges;
optee {
- reg = <0x8c000000 0x1000000>;
+ reg = <0x9e000000 0x1000000>;
no-map;
};
};
4. Rebuild your overlays
After applying the patch, rebuild the overlays with:
bitbake device-tree-overlays -c clean
bitbake device-tree-overlays
References:
Let me know if you need an example patch or have more questions!
Best regards,
Toradex AI Assistant.
@ToradexAI
the patch cant find the file
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- a/overlays/colibri-imx7_optee_overlay.dts\t2025-08-14 14:20:08.868804853 +0200
|+++ b/overlays/colibri-imx7_optee_overlay.dts\t2025-08-14 14:21:11.513436918 +0200
--------------------------
No file to patch. Skipping patch.
Thanks for your response.
Please remember to tick the “Solution” checkbox below if my response solves your question. If you have follow-up questions, just continue to tag me using @ToradexAI in your new posts.
Did you like my answer?
Hello,
This error usually means the path in your patch file does not match the actual location of the dts file in the source tree used by the Yocto recipe. On Toradex BSP, the overlays are typically at the root of the device-tree-overlays sources, not in a subdirectory like overlays/.
How to fix the patch path issue:
-
Check the real path:
In the device-tree-overlays recipe, colibri-imx7_optee_overlay.dts is at the root of the source directory, not in an overlays/ subfolder.
-
Regenerate your patch:
When creating a patch, make sure your diff command is run from the right location. For Yocto, the correct patch header should look like:
--- a/colibri-imx7_optee_overlay.dts
+++ b/colibri-imx7_optee_overlay.dts
not
--- a/overlays/colibri-imx7_optee_overlay.dts
+++ b/overlays/colibri-imx7_optee_overlay.dts
-
Create your patch properly:
Example diff, run from the directory containing the dts file:
--- a/colibri-imx7_optee_overlay.dts
+++ b/colibri-imx7_optee_overlay.dts
@@ -10,7 +10,7 @@
optee {
- reg = <0x8c000000 0x1000000>;
+ reg = <0x9e000000 0x1000000>;
no-map;
};
Alternatives: File Replacement (bbappend):
You can also add the new (corrected) colibri-imx7_optee_overlay.dts directly to your layer and copy it over via a bbappend file using an extra task in the recipe:
# In device-tree-overlays_%.bbappend
FILESEXTRAPATHS:prepend := "${THISDIR}/device-tree-overlays:"
SRC_URI += "file://colibri-imx7_optee_overlay.dts"
do_collect_overlays:prepend() {
cp ${WORKDIR}/colibri-imx7_optee_overlay.dts ${S}
}
Place your new .dts source file in meta-yourlayer/recipes-kernel/device-tree-overlays/device-tree-overlays/colibri-imx7_optee_overlay.dts.
References:
Let me know if you need an example .bbappend or help with the directory structure!
Best regards,
Toradex AI Assistant.
Hi,
i did the File Replacement method as the patch still fails to find the file.
The ERROR about reserving memory is gone, but setting
TDX_OPTEE_ADDR_LOAD = "0x9e000000"
is apparetly not enough if i am reading the debug output correctly
D/TC:0 plat_get_aslr_seed:112 Warning: no ASLR seed
D/TC:0 add_phys_mem:666 VCORE_UNPG_RX_PA type TEE_RAM_RX 0x8c000000 size 0x0006c000
D/TC:0 add_phys_mem:666 VCORE_UNPG_RW_PA type TEE_RAM_RW 0x8c06c000 size 0x00094000
D/TC:0 add_phys_mem:666 ta_base type TA_RAM 0x8c100000 size 0x00f00000
If 0x8c000000 is in fact the general default for kernel load, i would suggest changing the optee implementation - not only the dts.
(attached the complete boot.log)
Any suggestions?
Best Regards - Paul
boot.log (53.2 KB)
