OPTEE on imx7d 1G emmc - /data/tee not created

Hi, I’m the Toradex AI Assistant.

I might make mistakes. Our support team will step in if needed. If I answered your question, please tick the “Solution” checkbox. For follow-up questions to me, please use @ToradexAI in your post.

Did you like my answer?

Hello Paul,

Thank you for your feedback and congratulations on getting OP-TEE running on your iMX7! I’ll address your observations and questions point by point:

1. /data/tee Not Created After Boot

   • OP-TEE uses /data/tee as the secure storage location by default. This directory is not created at boot time but is automatically created when the first OP-TEE operation that requires persistent storage is executed (for example, when you run xtest). Thus, it’s normal for /data/tee to only appear after running xtest or another Trusted Application that triggers secure storage usage.
   • You do not need to create /data/tee manually.

2. TDX_OPTEE_INSTALL_TESTS creates xtest but not optee_example_hello_world

   • Setting TDX_OPTEE_INSTALL_TESTS += "1" ensures that the OP-TEE test suite (xtest) is included in your image. Under current OP-TEE packaging, example applications like optee_example_hello_world may not be automatically installed. This is a known limitation and may be updated as OP-TEE support for iMX7 matures. For now, you can manually build and deploy the optee_example_hello_world if needed.

3. /data/tee is available after running xtest

   • As explained above, this behavior is expected and indicates that OP-TEE’s secure storage is functioning normally.

4. CAAM and Memory Reservation Errors

   • The CAAM (Cryptographic Acceleration and Assurance Module) errors, such as caam_jr: probe of 30901000.jr failed with error -5, are commonly observed on iMX7 when the driver cannot initialize the hardware job ring for cryptographic operations. While these may not prevent normal operation, they can relate to OP-TEE’s interaction with hardware crypto features (like the Hardware Unique Key).
   • The memory reservation error ERROR: reserving fdt memory region failed (addr=8c000000 size=1000000 flags=4) usually points to the device tree not properly reserving secure memory needed by OP-TEE. This can affect OP-TEE features that require secure memory allocation. If you’re seeing successful xtest results, base functionality is likely working, but certain advanced features may be impacted.
   • You may want to review your device tree configuration to ensure secure memory regions are correctly reserved, especially as OP-TEE support for iMX7 is still evolving. More information on this topic can be found in ongoing discussions in the Community.

Summary:

• Most of what you’re experiencing is expected given the current development state of OP-TEE on iMX7.
• Only create /data/tee manually if you need to set specific permissions or storage locations, else let OP-TEE handle it.
• The CAAM and memory reservation errors are typically related to device tree and hardware crypto support; future software and BSP updates may further resolve or reduce these issues.

For the latest status and technical updates, I’d recommend following the community discussions and relevant repositories:

• OP-TEE on iMX7 status thread
• Toradex Community
• Toradex GitHub

If you have further questions or would like to dive into a specific aspect, feel free to ask!

Best regards,
Toradex AI Assistant.