Overview
I am trying to use OP-TEE on my Jetson Orin Nano, following the official NVIDIA documentation (Op-TEE Setup). However, when I attempt to run nvhwkey-app
, I receive TEEC_ERROR_ITEM_NOT_FOUND (0xffff0008, origin 0x4), and the Trusted Application (TA) does not seem to load.
I would really appreciate any guidance on debugging this issue!
System Setup and Steps Taken
1. Flashed Jetson Linux and Verified TPM
- I flashed Jetson Linux onto the Orin Nano, and the system is fully functional.
- I confirmed TPM is working by running:
Output:ls /dev | grep tpm
tpm0 tpmrm0
- Also successfully used:
tpm2_pcrread sha256:0
2. Built OP-TEE and Verified tee-supplicant
- I built optee_os and optee_client following the guide.
- Verified that OP-TEE is detected:
Output:dmesg | grep -i tee
[ 3.676613] optee: probing for conduit method. [ 3.676666] optee: revision 4.2 (f4442694) [ 3.736118] optee: dynamic shared memory is enabled [ 3.736372] optee: initialized driver
- Checked if
tee-supplicant
is running:
Output:ps aux | grep tee
root 324 0.0 0.0 9812 3404 ? Ss Feb12 0:00 /bin/bash /etc/systemd/nv-tee-supplicant.sh root 326 0.0 0.0 76564 1428 ? Sl Feb12 0:00 /usr/sbin/tee-supplicant root 327 0.0 0.0 0 0 ? I< Feb12 0:00 [optee_bus_scan]
3. Verified and Copied the TA File
- Ensured the TA file is in the correct OP-TEE directory:
Output:ls -lh /lib/optee_armtz/
-rw-rw-r-- 1 jetson jetson 111K Feb 13 11:47 82154947-c1bc-4bdf-b89d-04f93c0ea97c.ta
4. Copied and Configured the Client Application (CA)
- Copied
nvhwkey-app
to/usr/sbin/
and made it executable:
Output:sudo chmod +x /usr/sbin/nvhwkey-app ls -lh /usr/sbin/nvhwkey-app
-rwxrwxr-x 1 jetson jetson 71K Feb 13 11:48 /usr/sbin/nvhwkey-app
- Running the app shows usage instructions:
Output:sudo /usr/sbin/nvhwkey-app
Usage: nvhwkey-app [OPTION...] -e [-d] -i <file> -o <out-file> or -r <random size> Try `nvhwkey-app --help' or `nvhwkey-app --usage' for more information.
5. Attempted to Encrypt a File (Fails with TEEC_ERROR_ITEM_NOT_FOUND)
- Tried running
nvhwkey-app
to encrypt a test file:
Error:sudo nvhwkey-app -e -i /home/jetson/test -o /home/jetson/test_encrypted.bin
TEEC_InvokeCommand failed 0xffff0008 origin 0x4
Additional Information
OP-TEE Source Directory Structure
Inside my Jetson OP-TEE sources, there is a build directory containing:
ca/
(for Client Applications)ta/
(for Trusted Applications)
📸 Here are images showing the contents of these directories:\
… I can only show one picture because I am a new user, but inside these ca and ta folder there are several examples and one of them is hwkey-agent.
I did not run the make
command from Step 6 of the guide because I assumed these directories already contained pre-built applications, so I skipped the make
command. Instead, I copied the pre-built hwkey-agent
files:
.ta
file fromta/
→/lib/optee_armtz/
nvhwkey-app
fromca/
→/usr/sbin/
However, I am not sure if this is correct, or if I need to manually build the TA using the command from Step 6:
make -C <source directory> \
CROSS_COMPILE="<jetson-toolchain>/bin/aarch64-buildroot-linux-gnu-" \
TA_DEV_KIT_DIR="<jetson-optee-srcs>/optee/build/t234/export-ta_arm64/" \
OPTEE_CLIENT_EXPORT="<jetson-optee-srcs>/optee/install/t234/usr" \
TEEC_EXPORT="<jetson-optee-srcs>/optee/install/t234/usr" \
-j"$(nproc)"
Questions and Issues
-
Trusted Application Not Found (0xffff0008)
- I get
TEEC_ERROR_ITEM_NOT_FOUND (0xffff0008, origin 0x4)
when runningnvhwkey-app
. - Could this be caused by a missing or incorrectly built Trusted Application (TA)?
- I get
-
Do I Need to Manually Build the CA and TA?
- I assumed the
ca/
andta/
directories inbuild/t234
contained pre-built applications. - Do I need to build them manually instead?
- I assumed the
-
Troubleshooting Steps
tee-supplicant
is running, and/dev/tee0
and/dev/teepriv0
are present.- I copied my
.ta
file to/lib/optee_armtz/
and my CA binary to/usr/sbin/
. - Are there additional debugging steps I should take?
Thank you in advance for your help! 🚀