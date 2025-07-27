OP-TEE must be configured in the UEFI menu.

Press ESC during boot to enter the UEFI menu. Navigate to Device Manager > System Configuration > Enable OP-TEE and make sure this item is checked. Save the change and reset/reboot. After the reboot, OP-TEE is enabled.

Info: OP-TEE is essentially dormant (it has no OS scheduler of its own) and only runs in reaction to external inputs, i.e., calls that arrive from the normal world.

All of the following indicators must be present for a functioning OP-TEE/fTPM setup.

Check dmesg for the OP-TEE driver initializing:

    [    5.646578] optee: probing for conduit method.
    [    5.653282] optee: revision 3.10 (450b24ac)
    [    5.653991] optee: initialized driver

Verify that the three kernel modules tee, optee and tpm_ftpm_tee are loaded (lsmod):

    tpm_ftpm_tee           16384  0
    optee                  49152  1
    tee                    49152  3 optee,tpm_ftpm_tee

Verify that the required device nodes exist (four in total: two for the TEE driver, two for the TPM):

    crw------- 1 root root 234,     0 Sep  8 18:24 /dev/tee0
    crw------- 1 root root 234,    16 Sep  8 18:24 /dev/teepriv0
    crw-rw---- 1 tss  root  10,   224 Sep  8 18:24 /dev/tpm0
    crw-rw---- 1 tss  tss  252, 65536 Sep  8 18:24 /dev/tpmrm0

/dev/tee0 is the client interface to OP-TEE and /dev/teepriv0 is the privileged interface used by tee-supplicant; /dev/tpmrm0 is the resource-managed TPM interface that tpm2-tools tries first, with /dev/tpm0 as the fallback.

Verify that the required processes are running (three in total: the supplicant daemon and two kernel threads):

    root       707  0.0  0.0  76208  1372 ?   Ssl  14:42   0:00 /usr/sbin/tee-supplicant
    root       715  0.0  0.0      0     0 ?   I<   14:42   0:00 [optee_bus_scan]
    root       124  0.0  0.0      0     0 ?   I<   18:24   0:00 [tpm_dev_wq]

Identify your RPMB device:

    crw------- 1 root root 238, 0 Jun  7 14:25 /dev/mmcblk0rpmb

Verify that the RPMB is functional by reading its write counter with mmc rpmb read-counter /dev/mmcblk0rpmb (from mmc-utils):

    Counter value: 0x0004fb3f

Info: A positive counter value indicates that the RPMB is functional; a negative number or an error code (see below) indicates that the RPMB has not been programmed. The fTPM keeps its persistent state in OP-TEE secure storage backed by this RPMB, and OP-TEE reaches the RPMB through tee-supplicant in the normal world, so a successful counter read and a running supplicant are both prerequisites for the fTPM.

If mmc rpmb read-counter /dev/mmcblk0rpmb returns error code 0x0007, the RPMB on your BlueField-3 device has never been programmed, i.e., its authentication key has not been written. Contact your NVIDIA FAE, who can provide a BFB that programs the authentication key required to make the RPMB functional. The RPMB authentication key is write-once per eMMC device, so this step is performed exactly once, with that BFB.

Note: If all of the checks above pass, you should have a fully functioning OP-TEE/fTPM setup.
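The checks above can be scripted so that they are repeatable on every BlueField-3 after a BFB update. The script below is an added example (not NVIDIA tooling): every check_* function takes the captured text of one command as its argument, so the same logic runs against the live system (with --live) or against saved output, and the sample data is taken from the healthy outputs shown on this page. The exact text mmc-utils prints for an unprogrammed RPMB is not shown above, so check_rpmb only keys on the 0x0007 result code that is.

```shell
#!/bin/sh
# optee_ftpm_check.sh: added health check for the OP-TEE/fTPM indicators
# (example code, not NVIDIA tooling). Each check_* function takes the text
# output of one command, prints PASS/FAIL and returns 0 (pass) or 1 (fail).

REQUIRED_MODULES="tee optee tpm_ftpm_tee"
REQUIRED_DEVICES="/dev/tee0 /dev/teepriv0 /dev/tpm0 /dev/tpmrm0"
REQUIRED_PROCS="tee-supplicant optee_bus_scan tpm_dev_wq"

# $1 = output of: dmesg
check_driver() {
    if printf '%s\n' "$1" | grep -q 'optee: initialized driver'; then
        echo "PASS driver: optee driver initialized"; return 0
    fi
    echo "FAIL driver: no 'optee: initialized driver' line in dmesg"; return 1
}

# $1 = output of: lsmod  (first column is the module name)
check_modules() {
    _miss=""
    for _m in $REQUIRED_MODULES; do
        printf '%s\n' "$1" | awk '{print $1}' | grep -qx -- "$_m" || _miss="$_miss $_m"
    done
    if [ -n "$_miss" ]; then echo "FAIL modules: not loaded:$_miss"; return 1; fi
    echo "PASS modules: $REQUIRED_MODULES loaded"
}

# $1 = output of: ls -l /dev/tee* /dev/tpm*  (each node must be a character device)
check_devices() {
    _miss=""
    for _d in $REQUIRED_DEVICES; do
        printf '%s\n' "$1" | grep -q "^c.* $_d\$" || _miss="$_miss $_d"
    done
    if [ -n "$_miss" ]; then echo "FAIL devices: missing:$_miss"; return 1; fi
    echo "PASS devices: $REQUIRED_DEVICES present"
}

# $1 = output of: ps ax  (a grep line matching itself is ignored, as on the page)
check_processes() {
    _miss=""
    for _p in $REQUIRED_PROCS; do
        printf '%s\n' "$1" | grep -v grep | grep -qF -- "$_p" || _miss="$_miss $_p"
    done
    if [ -n "$_miss" ]; then echo "FAIL processes: not running:$_miss"; return 1; fi
    echo "PASS processes: $REQUIRED_PROCS running"
}

# $1 = output of: mmc rpmb read-counter /dev/mmcblk0rpmb ; prints the counter or nothing
rpmb_counter() {
    printf '%s\n' "$1" | sed -n 's/.*Counter value: *\(0x[0-9a-fA-F]*\).*/\1/p'
}

check_rpmb() {
    _ctr=$(rpmb_counter "$1")
    if [ -n "$_ctr" ]; then echo "PASS rpmb: write counter $_ctr"; return 0; fi
    if printf '%s\n' "$1" | grep -q '0x0007'; then
        echo "FAIL rpmb: result 0x0007, authentication key never programmed (ask NVIDIA FAE for the BFB)"
        return 1
    fi
    echo "FAIL rpmb: unexpected output: $1"; return 1
}

# Run every check; the return value is the number of failed checks (0 = healthy).
run_all() {
    _fails=0
    check_driver "$1"    || _fails=$((_fails + 1))
    check_modules "$2"   || _fails=$((_fails + 1))
    check_devices "$3"   || _fails=$((_fails + 1))
    check_processes "$4" || _fails=$((_fails + 1))
    check_rpmb "$5"      || _fails=$((_fails + 1))
    echo "$_fails check(s) failed"
    return $_fails
}

# Constructed samples, copied from the healthy outputs shown on this page.
SAMPLE_DMESG="[    5.646578] optee: probing for conduit method.
[    5.653282] optee: revision 3.10 (450b24ac)
[    5.653991] optee: initialized driver"
SAMPLE_LSMOD="Module                  Size  Used by
tpm_ftpm_tee           16384  0
optee                  49152  1
tee                    49152  3 optee,tpm_ftpm_tee"
SAMPLE_LS="crw------- 1 root root 234,     0 Sep  8 18:24 /dev/tee0
crw------- 1 root root 234,    16 Sep  8 18:24 /dev/teepriv0
crw-rw---- 1 tss  root  10,   224 Sep  8 18:24 /dev/tpm0
crw-rw---- 1 tss  tss  252, 65536 Sep  8 18:24 /dev/tpmrm0"
SAMPLE_PS="  124 ?  I<   0:00 [tpm_dev_wq]
  707 ?  Ssl  0:00 /usr/sbin/tee-supplicant
  715 ?  I<   0:00 [optee_bus_scan]"
SAMPLE_MMC="Counter value: 0x0004fb3f"

if [ "${1:-}" = "--live" ]; then
    run_all "$(dmesg)" "$(lsmod)" "$(ls -l /dev/tee* /dev/tpm* 2>/dev/null)" \
            "$(ps ax)" "$(mmc rpmb read-counter /dev/mmcblk0rpmb 2>&1)"
else
    run_all "$SAMPLE_DMESG" "$SAMPLE_LSMOD" "$SAMPLE_LS" "$SAMPLE_PS" "$SAMPLE_MMC"
fi
```

Run it as root with `sh optee_ftpm_check.sh --live` on the DPU; the exit status is the number of failed indicators, so it can be used directly from a provisioning pipeline or a monitoring hook. Without --live it evaluates the sample outputs, which is useful for checking the parsing on a machine without OP-TEE.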

Install the TPM2 tools (mentioned earlier) and run a simple TPM2 command. The request travels from the tpm2 tool through the kernel TPM driver (tpm_ftpm_tee) and OP-TEE into the fTPM TA, and the TA's storage requests come back out to tee-supplicant, so one successful command exercises the entire OP-TEE/fTPM data path.

Example of successful operation:

    2199a9e230ad532e8abb76

Example of failed operation:

    E/TC:?? 0 get_rpc_alloc_res:646 RPC allocation failed. Non-secure world result: ret=0xffff000c ret_origin=0x2
    E/TC:?? 0 get_rpc_alloc_res:646 RPC allocation failed. Non-secure world result: ret=0xffff000c ret_origin=0x2
    E/TC:?? 0
    E/TC:?? 0 TA panicked with code 0xffff000c
    E/LD:  Status of TA bc50d971-d4c9-42c4-82cb-343fb7f37896
    E/LD:  arch: aarch64
    E/LD:  region  0: va 0xc0005000 pa 0x81601000 size 0x002000 flags rw-s (ldelf)
    E/LD:  region  1: va 0xc0007000 pa 0x81603000 size 0x008000 flags r-xs (ldelf)
    E/LD:  region  2: va 0xc000f000 pa 0x8160b000 size 0x001000 flags rw-s (ldelf)
    E/LD:  region  3: va 0xc0010000 pa 0x8160c000 size 0x004000 flags rw-s (ldelf)
    E/LD:  region  4: va 0xc0014000 pa 0x81610000 size 0x001000 flags r--s
    E/LD:  region  5: va 0xc0015000 pa 0x81697000 size 0x011000 flags rw-s (stack)
    E/LD:  region  6: va 0xc0026000 pa 0x81e00000 size 0x003000 flags rw-- (param)
    E/LD:  region  7: va 0xc0078000 pa 0x00001000 size 0x067000 flags r-xs [0]
    E/LD:  region  8: va 0xc00df000 pa 0x00068000 size 0x01f000 flags rw-s [0]
    E/LD:  [0] bc50d971-d4c9-42c4-82cb-343fb7f37896 @ 0xc0078000
    E/LD:  Call stack:
    E/LD:   0xc00b5a24
    E/LD:   0xc0078ba4
    E/LD:   0xc0079228
    E/LD:   0xc0097a18
    E/LD:   0xc00b0ce4
    E/LD:   0xc0079ad8
    E/LD:   0xc00bba6c
    E/LD:   0xc00b0e80
    [ 7802.822441] tpm tpm0: ftpm_tee_tpm_op_send: SUBMIT_COMMAND invoke error: 0xffff3024
    [ 7802.830122] tpm tpm0: tpm_try_transmit: send(): error -53212
    ERROR:tcti:src/tss2-tcti/tcti-device.c:486:Tss2_Tcti_Device_Init() Failed to read response header fd 3, got errno 2: No such file or directory
    [ 7802.836246] tpm tpm0: ftpm_tee_tpm_op_send: SUBMIT_COMMAND invoke error: 0xffff3024
    [ 7802.846418] tpm tpm0: tpm_try_transmit: send(): error -53212
    ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file : libtss2-tcti-device.so.0
    ERROR:tcti:src/tss2-tcti/tcti-device.c:486:Tss2_Tcti_Device_Init() Failed to read response header fd 3, got errno 2: No such file or directory
    ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file : libtss2-tcti-device.so.0
    WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused
    ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:614:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket
    ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file : libtss2-tcti-swtpm.so.0
    WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused
    ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file : libtss2-tcti-mssim.so.0
    ERROR:tcti:src/tss2-tcti/tctildr-dl.c:254:tctildr_get_default() No standard TCTI could be loaded
    ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
    ERROR: Could not load tcti, got: "(null)"

Every TPM2 command (and any other client of the fTPM, whether a user-written TA's host application or something else) crosses between the normal world, where Linux and tee-supplicant live, and the secure world, where OP-TEE and the fTPM TA run. Read the failed example in that light and the messages tell the story in order: OP-TEE's RPC request for shared memory was refused by the normal world (ret=0xffff000c is TEE_ERROR_OUT_OF_MEMORY and ret_origin=0x2 places the error in the communication layer rather than in the TA), the fTPM TA then panicked with that code, and every later SUBMIT_COMMAND from tpm_ftpm_tee fails with 0xffff3024 (TEE_ERROR_TARGET_DEAD, which the TPM core prints as the signed decimal -53212). tpm2-tools sees only the symptom: its default TCTI search tries the device interface twice (/dev/tpmrm0, then /dev/tpm0), then the swtpm and mssim sockets on port 2321, and gives up with "No standard TCTI could be loaded".

The first thing to check here is whether something happened to tee-supplicant, since it is the normal-world proxy that serves OP-TEE's RPC requests (shared memory, RPMB access, TA loading) for the secure world. List the processes matching tee:

    root     51380  0.0  0.0   6416  1860 ttyAMA0  S+   16:51   0:00 grep --color=auto tee

As you can see, only the grep itself matches: tee-supplicant is no longer running. Now let's look at the tee-supplicant service itself, as it is started by systemd at boot time (journalctl -x output for tee-supplicant.service):

    Jun 07 14:25:54 localhost systemd[1]: Starting TEE Supplicant...
    ░░ Subject: A start job for unit tee-supplicant.service has begun execution
    ░░ Defined-By: systemd
    ░░ Support: http://www.ubuntu.com/support
    ░░
    ░░ A start job for unit tee-supplicant.service has begun execution.
    ░░
    ░░ The job identifier is 231.
    Jun 07 14:25:54 localhost systemd[1]: Started TEE Supplicant.
    ░░ Subject: A start job for unit tee-supplicant.service has finished successfully
    ░░ Defined-By: systemd
    ░░ Support: http://www.ubuntu.com/support
    ░░
    ░░ A start job for unit tee-supplicant.service has finished successfully.
    ░░
    ░░ The job identifier is 231.
    Jun 07 16:35:44 bu-lab106-oob systemd[1]: tee-supplicant.service: Main process exited, code=killed, status=9/KILL
    ░░ Subject: Unit process exited
    ░░ Defined-By: systemd
    ░░ Support: http://www.ubuntu.com/support
    ░░
    ░░ An ExecStart= process belonging to unit tee-supplicant.service has exited.

status=9/KILL means the supplicant did not exit on its own but was terminated with SIGKILL (by an operator, an OOM kill or some other process), at 16:35:44, which is before the failed TPM2 command. Restart it with systemctl restart tee-supplicant.service and find out what killed it, because anything that can stop the supplicant can deny the fTPM its storage at will. Note that restarting the supplicant does not revive a TA session that has already panicked: such a session stays dead and keeps returning 0xffff3024 (TEE_ERROR_TARGET_DEAD), so the fTPM session held by tpm_ftpm_tee has to be re-established, for example by reloading that module, before TPM2 commands succeed again.
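Reading these logs by hand means remembering which OP-TEE return code is which and noticing that the kernel TPM core prints the same code as a signed decimal. The helper below is an added example (not part of OP-TEE, tpm2-tools or NVIDIA's BFB) that names the GlobalPlatform TEE codes and origins appearing in failure logs like the one above, converts the signed decimal back to hex, and gives a verdict on the most likely root cause; the error-name table is a subset of the TEE_ERROR_* values, the verdict strings are this example's own, and the sample log is a constructed excerpt of the failed output shown above.

```shell
#!/bin/sh
# tee_err.sh: added helper for reading OP-TEE / fTPM failure logs (example
# code, not part of OP-TEE, tpm2-tools or NVIDIA tooling). Usage:
#   sh tee_err.sh            # decode the constructed sample log below
#   sh tee_err.sh dmesg.txt  # decode a saved log (dmesg, console capture)

# Subset of the GlobalPlatform TEE_ERROR_* return codes that OP-TEE prints.
tee_error_name() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        0x0|0x00000000) echo TEE_SUCCESS ;;
        0xffff0000) echo TEE_ERROR_GENERIC ;;
        0xffff0001) echo TEE_ERROR_ACCESS_DENIED ;;
        0xffff0006) echo TEE_ERROR_BAD_PARAMETERS ;;
        0xffff0008) echo TEE_ERROR_ITEM_NOT_FOUND ;;
        0xffff000c) echo TEE_ERROR_OUT_OF_MEMORY ;;
        0xffff000e) echo TEE_ERROR_COMMUNICATION ;;
        0xffff000f) echo TEE_ERROR_SECURITY ;;
        0xffff0010) echo TEE_ERROR_SHORT_BUFFER ;;
        0xffff3024) echo TEE_ERROR_TARGET_DEAD ;;
        0xffff3041) echo TEE_ERROR_STORAGE_NO_SPACE ;;
        *) echo UNKNOWN ;;
    esac
}

# ret_origin: which layer raised the error (TEE_ORIGIN_* / TEEC_ORIGIN_*).
tee_origin_name() {
    case "$1" in
        0x1|1) echo TEE_ORIGIN_API ;;
        0x2|2) echo TEE_ORIGIN_COMMS ;;
        0x3|3) echo TEE_ORIGIN_TEE ;;
        0x4|4) echo TEE_ORIGIN_TRUSTED_APP ;;
        *) echo UNKNOWN ;;
    esac
}

# The TPM core logs the TEE code as a signed 32-bit int ("send(): error -53212");
# map it back to the unsigned hex form that OP-TEE and tpm_ftpm_tee print.
signed32_to_hex() {
    printf '0x%08x\n' $(( ($1 + 4294967296) % 4294967296 ))
}

# annotate LOG REGEX LABEL: for every unique match, the last word is the code.
annotate() {
    printf '%s\n' "$1" | grep -o "$2" | sort -u | while read -r _m; do
        _c=${_m##* }
        echo "$3: $_c ($(tee_error_name "$_c"))"
    done
}

decode_log() {
    # OP-TEE core: "ret=0x... ret_origin=0x..." (error code plus originating layer)
    printf '%s\n' "$1" | grep -o 'ret=0x[0-9a-fA-F]* ret_origin=0x[0-9a-fA-F]*' | sort -u |
    while read -r _p; do
        _r=${_p#ret=}; _r=${_r%% *}; _o=${_p##*=}
        echo "secure world: $_r ($(tee_error_name "$_r")) origin $_o ($(tee_origin_name "$_o"))"
    done
    annotate "$1" 'TA panicked with code 0x[0-9a-fA-F]*' "TA panic"
    annotate "$1" 'invoke error: 0x[0-9a-fA-F]*' "kernel tpm_ftpm_tee"
    # TPM core: the same code, as a signed decimal
    printf '%s\n' "$1" | grep -o 'send(): error -[0-9]*' | sort -u | while read -r _m; do
        _d=${_m##* }; _h=$(signed32_to_hex "$_d")
        echo "kernel tpm core: $_d = $_h ($(tee_error_name "$_h"))"
    done
}

# First line is a machine-readable verdict (this example's own vocabulary).
diagnose_log() {
    _dec=$(decode_log "$1")
    if printf '%s\n' "$1" | grep -q 'RPC allocation failed' &&
       printf '%s\n' "$_dec" | grep -q 'TEE_ERROR_OUT_OF_MEMORY.*TEE_ORIGIN_COMMS'; then
        echo "VERDICT=SUPPLICANT_RPC"
        echo "OP-TEE asked the normal world for shared memory and was refused; that RPC is"
        echo "served by tee-supplicant, so check it (ps ax | grep tee-supplicant;"
        echo "journalctl -xu tee-supplicant) and restart it if it has died."
    elif printf '%s\n' "$_dec" | grep -q 'TEE_ERROR_TARGET_DEAD'; then
        echo "VERDICT=TA_DEAD"
        echo "The fTPM TA session is dead (the TA panicked earlier); commands keep failing"
        echo "until the session held by tpm_ftpm_tee is re-established."
    else
        echo "VERDICT=NO_SIGNATURE"
    fi
}

# Constructed excerpt of the failed output shown on this page.
SAMPLE_LOG="E/TC:?? 0 get_rpc_alloc_res:646 RPC allocation failed. Non-secure world result: ret=0xffff000c ret_origin=0x2
E/TC:?? 0 TA panicked with code 0xffff000c
[ 7802.822441] tpm tpm0: ftpm_tee_tpm_op_send: SUBMIT_COMMAND invoke error: 0xffff3024
[ 7802.830122] tpm tpm0: tpm_try_transmit: send(): error -53212"

if [ -n "${1:-}" ]; then LOG=$(cat "$1"); else LOG=$SAMPLE_LOG; fi
decode_log "$LOG"
diagnose_log "$LOG"
```

On the sample log the decoder reports the OUT_OF_MEMORY result from the communication layer, the matching TA panic, TARGET_DEAD from tpm_ftpm_tee, and -53212 = 0xffff3024 from the TPM core, and the verdict points at tee-supplicant; feed it `dmesg` or a console capture from the DPU to get the same summary for a real incident.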



