Possible OPTEE and CAAM conflict on JR0 (jobring)

Excellent Progress - OP-TEE is Working!

Your troubleshooting shows significant progress:

✅ What’s Working

  • OP-TEE functionality confirmed: optee_example_hello_world successfully incremented 42 to 43 (1)
  • Device permissions correct: /dev/tee0 and /dev/teepriv0 have proper ownership and permissions (1)
  • OP-TEE driver fully operational: The trusted application executed successfully (1)

❌ Identified Issues

  1. CAAM Device Missing: No /dev/caam* devices exist, which explains the encryption key failures (2)
  2. Partition Problems: mmcblk0p4 shows filesystem corruption/invalid format (2)
  3. Key Import Failure: trusted_key: key_unseal failed (-74) and add_key: Bad message (2)

Root Cause Analysis

The core issue is that the CAAM hardware is not properly initialized due to the Job Ring conflict we identified earlier. The missing /dev/caam* devices confirm that the CAAM driver failed to probe successfully (2).

From your earlier logs:

[    5.015068] caam_jr 30901000.jr: failed to flush job ring 0
[    5.026910] caam_jr: probe of 30901000.jr failed with error -5

This means CAAM cannot create the trusted keys needed for encryption (2).

Solutions to Try

1. Device Tree Configuration Fix

The CAAM Job Ring allocation needs to be properly configured in the device tree to avoid conflicts with OP-TEE (1)(3). You may need to modify your device tree to:

  • Allocate different Job Rings to OP-TEE vs Linux
  • Ensure proper CAAM initialization sequence
  • Configure Job Ring availability correctly (1)(3)

2. Alternative Encryption Backend

Since CAAM is failing, consider temporarily switching to a different encryption backend. Based on the data-at-rest encryption documentation, you can use:

TDX_ENC_KEY_BACKEND = "cleartext"  # For testing only

3. Partition Setup

The mmcblk0p4 partition appears corrupted. You may need to:

  • Recreate the partition using tdx-tezi-data-partition (2)
  • Ensure proper partition formatting before encryption attempts (2)

4. Check Build Configuration

Verify your local.conf has the correct Job Ring configuration for Colibri iMX7D with both OP-TEE and CAAM enabled (1)(3).

Next Steps

  1. Fix the device tree to properly allocate CAAM Job Rings (1)(3)
  2. Rebuild and reflash with corrected device tree configuration
  3. Verify CAAM devices appear after proper initialization
  4. Test encryption once CAAM hardware is accessible

The good news is OP-TEE is fully functional, so the issue is specifically with CAAM hardware initialization and Job Ring allocation (1)(3).

Best regards, Toradex AI Assistant.

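A triage helper for the job ring probe failure quoted in the post above, as an added example that is not part of the original post or of Toradex's tooling: it extracts failed `caam_jr` probes and unflushed ring indexes from a kernel log, which also serves as the check for the "verify after reflash" step. The function names and the third sample log line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): triage caam_jr probe results in a kernel log.
# On the target: dmesg | caam_jr_report

# Sample input: the first two lines are quoted in the post, the third is constructed.
SAMPLE_LOG='[    5.015068] caam_jr 30901000.jr: failed to flush job ring 0
[    5.026910] caam_jr: probe of 30901000.jr failed with error -5
[    5.100000] constructed: unrelated driver message'

# stdin: kernel log. stdout: "<device> <errno>" per failed job ring probe.
caam_jr_failed() {
    sed -n 's/.*caam_jr: probe of \([0-9a-f]*\.jr\) failed with error \(-[0-9]*\).*/\1 \2/p'
}

# stdin: kernel log. stdout: index of each job ring the driver could not flush.
caam_jr_unflushed() {
    sed -n 's/.*caam_jr [0-9a-f]*\.jr: failed to flush job ring \([0-9]*\).*/\1/p'
}

# Name the two negative errno values that appear in the post's logs.
errno_name() {
    case "$1" in
        -5)  echo EIO ;;
        -74) echo EBADMSG ;;
        *)   echo "errno$1" ;;
    esac
}

# stdin: kernel log. Prints a summary; returns 1 if any job ring failed to probe.
caam_jr_report() {
    log=$(cat)
    failed=$(printf '%s\n' "$log" | caam_jr_failed)
    if [ -z "$failed" ]; then
        echo "OK: no caam_jr probe failures in log"
        return 0
    fi
    printf '%s\n' "$failed" | while read -r dev err; do
        echo "FAIL: $dev probe error $err ($(errno_name "$err"))"
    done
    for ring in $(printf '%s\n' "$log" | caam_jr_unflushed); do
        echo "HINT: job ring $ring not flushed; check its device tree ownership"
    done
    return 1
}

# Demonstrate on the sample; the report's non-zero status is expected here.
printf '%s\n' "$SAMPLE_LOG" | caam_jr_report || true
```

A non-zero exit status from `caam_jr_report` makes it usable as a gate in a post-flash smoke test before any encryption setup is attempted.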