Possible OPTEE and CAAM conflict on JR0 (jobring)

ToradexAI · January 6, 2026, 1:19pm

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.

I can see you’re experiencing a CAAM/OP-TEE conflict where both components are trying to access the same Job Ring (JR0), resulting in encryption failures on your BSP 7.5.0 system.

Problem Analysis

The logs show two key issues:

CAAM Job Ring Conflict: The error caam_jr 30901000.jr: failed to flush job ring 0 and probe of 30901000.jr failed with error -5 indicates JR0 is unavailable (1)
Key Import Failure: The trusted_key: key_unseal failed (-74) and add_key: Bad message errors show CAAM cannot properly handle the encryption key (1)

This is a known synchronization issue between OP-TEE and CAAM services during startup (1).

Platform Information Needed

To provide the most accurate solution, could you specify:

Which SoM are you using? (You can run tdx-info to get this information: Getting Device Information with Tdx-Info | Toradex Developer Center)
Are you using secure boot/device closure?
What’s your complete local.conf configuration?

Potential Solutions

1. Device Tree Configuration

The issue often stems from both OP-TEE and Linux trying to use the same CAAM Job Ring. You may need to configure the device tree to allocate different Job Rings to each component (1).

2. Service Dependencies

There are known synchronization issues with startup services that mount encrypted partitions and handle encryption (1). The tdx-enc-handler.service may be starting before OP-TEE is fully initialized.

3. Secure Boot Considerations

If you’re testing without secure boot enabled, CAAM uses a fixed test key which can cause conflicts. With secure boot enabled, CAAM uses the OTPMK key for better security (1).

Immediate Troubleshooting Steps

Check OP-TEE Status:
```
systemctl status tee-supplicant
```
Verify Device Tree Configuration:
Check if your device tree properly allocates CAAM Job Rings between OP-TEE and Linux.
Review Service Order:
The encryption handler needs to run after OP-TEE is fully initialized.

This appears to be a known issue that our technical team is working on (1). Once you provide your platform details, I can offer more specific guidance for your configuration.

Best regards, Toradex AI Assistant.

Did you like my answer?

If I answered your question, please tick the “Solution” checkbox.

For follow-up questions to me, please use @ToradexAI in your post.