I am trying to set up OP-TEE on my Jetson Orin Nano following the official NVIDIA documentation.
.4/DeveloperGuide/SD/Security/OpTee.html
However, when I run nvhwkey-app, I receive the following error:
TEEC_InvokeCommand failed 0xffff0008 origin 0x4
It seems that the Trusted Application (TA) is not loading.
System Setup & Steps Taken
1. Flashed Jetson Linux & Verified TPM
I successfully installed Jetson Linux and checked if TPM is working:
ls /dev | grep tpm
Output:
tpm0
tpmrm0
Further verification with:
tpm2_pcrread sha256:0
This worked.
2. Built OP-TEE & Verified tee-supplicant
I compiled optee_os and optee_client following the guide.
Check: Is OP-TEE detected?
dmesg | grep -i tee
Output:
[ 3.676613] optee: probing for conduit method.
[ 3.676666] optee: revision 4.2 (f4442694)
[ 3.736118] optee: dynamic shared memory is enabled
[ 3.736372] optee: initialized driver
Is tee-supplicant running?
ps aux | grep tee
Output:
root 324 0.0 0.0 9812 3404 ? Ss Feb12 0:00 /bin/bash /etc/systemd/nv-tee-supplicant.sh
root 326 0.0 0.0 76564 1428 ? Sl Feb12 0:00 /usr/sbin/tee-supplicant
root 327 0.0 0.0 0 0 ? I< Feb12 0:00 [optee_bus_scan]
3. Verified & Copied Trusted Application (TA)
Checked if the .ta file is present:
ls -lh /lib/optee_armtz/
Output:
-rw-rw-r-- 1 jetson jetson 111K Feb 13 11:47 82154947-c1bc-4bdf-b89d-04f93c0ea97c.ta
4. Copied & Configured Client Application (CA)
Copied to /usr/sbin/ and made it executable:
sudo chmod +x /usr/sbin/nvhwkey-app
ls -lh /usr/sbin/nvhwkey-app
Output:
-rwxrwxr-x 1 jetson jetson 71K Feb 13 11:48 /usr/sbin/nvhwkey-app
Test Run:
sudo /usr/sbin/nvhwkey-app
Output:
Usage: nvhwkey-app [OPTION...]
-e [-d] -i <file> -o <out-file> or -r <random size>
Try `nvhwkey-app --help' or `nvhwkey-app --usage' for more information.
5. Tried Encrypting a File (Fails with TEEC_ERROR_ITEM_NOT_FOUND)
sudo nvhwkey-app -e -i /home/jetson/test -o /home/jetson/test_encrypted.bin
Error Message:
TEEC_InvokeCommand failed 0xffff0008 origin 0x4
Additional Information
OP-TEE Source Directory Structure
My OP-TEE sources contain:
- ca/ (for Client Applications)
- ta/ (for Trusted Applications)
I did not run the make command from Step 6 in the guide because I assumed that build/t234 already contained pre-built binaries.
Instead, I manually copied the precompiled files:
cp ta/82154947-c1bc-4bdf-b89d-04f93c0ea97c.ta /lib/optee_armtz/
cp ca/nvhwkey-app /usr/sbin/
However, I am unsure if this is correct or if I need to manually build the TA using:
make -C <source directory> CROSS_COMPILE="<jetson-toolchain>/bin/aarch64-buildroot-linux-gnu-" TA_DEV_KIT_DIR="<jetson-optee-srcs>/optee/build/t234/export-ta_arm64/" OPTEE_CLIENT_EXPORT="<jetson-optee-srcs>/optee/install/t234/usr" TEEC_EXPORT="<jetson-optee-srcs>/optee/install/t234/usr" -j"$(nproc)"
Questions & Issues
1. Trusted Application Not Found (0xffff0008)
I get TEEC_ERROR_ITEM_NOT_FOUND (0xffff0008, origin 0x4) when running nvhwkey-app.
➡ Could this be due to a missing or incorrectly built Trusted Application (TA)?
2. Do I Need to Manually Build CA & TA?
I assumed that the ca/ and ta/ directories in build/t234 contained pre-built files.
3. Possible Debugging Steps
✅ tee-supplicant is running
✅ /dev/tee0 & /dev/teepriv0 are present
✅ .ta in /lib/optee_armtz/ & CA in /usr/sbin/
What additional debugging steps should I take?
Are there specific logs I should check?
Thanks in advance for any help!
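
Added example (not part of the original post and not NVIDIA's or OP-TEE's code): a small triage helper that decodes the error line quoted above, using the return codes and origin values defined by the GlobalPlatform TEE Client API, to show which layer reported the failure. The function name `triage` and the hint strings are assumptions made for illustration, and the second sample line is constructed.

```python
import re

# Constants from the GlobalPlatform TEE Client API header (tee_client_api.h).
TEEC_ERRORS = {
    0xFFFF0001: "TEEC_ERROR_ACCESS_DENIED",
    0xFFFF0006: "TEEC_ERROR_BAD_PARAMETERS",
    0xFFFF0008: "TEEC_ERROR_ITEM_NOT_FOUND",
    0xFFFF000E: "TEEC_ERROR_COMMUNICATION",
    0xFFFF3024: "TEEC_ERROR_TARGET_DEAD",
}
TEEC_ORIGINS = {
    1: "TEEC_ORIGIN_API",          # client library
    2: "TEEC_ORIGIN_COMMS",        # transport between normal world and TEE
    3: "TEEC_ORIGIN_TEE",          # TEE OS itself
    4: "TEEC_ORIGIN_TRUSTED_APP",  # code inside the TA
}
LINE_RE = re.compile(r"(TEEC_\w+) failed (0x[0-9a-fA-F]+) origin (0x[0-9a-fA-F]+)")

def triage(line):
    """Decode one '<call> failed <code> origin <n>' line; None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    call, code, origin = m.group(1), int(m.group(2), 16), int(m.group(3), 16)
    # A command can only be invoked on an open session, and the TA is loaded
    # when the session is opened, so either signal means the TA was running.
    ta_running = origin == 4 or call == "TEEC_InvokeCommand"
    if origin == 4:
        hint = "returned by TA code: check what this command needs inside the TA"
    elif call == "TEEC_OpenSession":
        hint = "TA did not start: check the TA file, its UUID and tee-supplicant"
    elif call == "TEEC_InitializeContext":
        hint = "no TEE context: check the TEE device node and driver"
    else:
        hint = "raised below the TA: check client library, transport or TEE OS"
    return {
        "call": call,
        "error": TEEC_ERRORS.get(code, f"unknown (0x{code:08x})"),
        "origin": TEEC_ORIGINS.get(origin, f"unknown ({origin})"),
        "ta_running": ta_running,
        "hint": hint,
    }

if __name__ == "__main__":
    # First line is the one from the post; the second is constructed.
    for s in ("TEEC_InvokeCommand failed 0xffff0008 origin 0x4",
              "TEEC_OpenSession failed 0xffff0008 origin 0x3"):
        print(s, "->", triage(s))
```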