Hi,
On Thu, Apr 9, 2026 at 7:41 PM Jan Kiszka via OP-TEE op-tee@lists.trustedfirmware.org wrote:
Hi all,
to avoid that I'm debugging further this error I get during boot with CONFIG_RPMB=y in the kernel and CFG_IN_TREE_EARLY_TAS=pkcs11/fd02c9da...:
[ 0.359372] mmcblk0boot0: mmc0:0001 QEMU!! 4.00 MiB [ 0.361779] mmcblk0boot1: mmc0:0001 QEMU!! 4.00 MiB [ 0.363761] mmcblk0rpmb: mmc0:0001 QEMU!! 2.00 MiB, chardev (248:0) D/TC:? 0 tee_ta_init_session_with_context:569 Re-open trusted service 7011a688-ddde-4053-a5a9-7b3c4ddf13b8 D/TC:? 0 legacy_rpmb_init:1143 Trying legacy RPMB init
The in-kernel routing didn't initialize as expected, so OP-TEE is falling back to the tee-supplicant based RPMB communication.
E/TC:? 0 get_rpc_alloc_res:646 RPC allocation failed. Non-secure world result: ret=0xffff000c ret_origin=0x2 D/TC:? 0 tee_ta_invoke_command:830 Error: f0100003 of 4 D/TC:? 0 tee_ta_close_session:469 csess 0xc0210910 id 1 D/TC:? 0 tee_ta_close_session:488 Destroy session
Is it possible at all to run the PKCS#11 TA without userland tee- supplicant? I thought it only needs the supplicant for RPMB, thus should be fine with the in-kernel routing (which is active), but maybe that is not true.
Yes, I think so. I haven't tried it myself, though. Anyway, the log tells that OP-TEE isn't using in-kernel routing. You can also check /sys/class/tee/teepriv0/rpmb_routing_model to see what the driver has negotiated.
Cheers, Jens
All is fine - minus that error message - if I later on start tee- supplicant and use the PKCS#11 TA then.
Thanks, Jan
-- Siemens AG, Foundational Technologies Linux Expert Center