Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package optee-client for openSUSE:Factory checked in at 2025-06-27 23:01:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/optee-client (Old) and /work/SRC/openSUSE:Factory/.optee-client.new.7067 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "optee-client" Fri Jun 27 23:01:00 2025 rev:7 rq:1288679 version:4.6.0 Changes: -------- --- /work/SRC/openSUSE:Factory/optee-client/optee-client.changes 2024-06-25 23:09:39.131062148 +0200 +++ /work/SRC/openSUSE:Factory/.optee-client.new.7067/optee-client.changes 2025-06-27 23:02:18.355730221 +0200 @@ -1,0 +2,18 @@ +Thu Jun 19 06:47:05 UTC 2025 - Guillaume GARDET <guillaume.gar...@opensuse.org> + +- Update to 4.6.0: + * cmake: raise mimimum required to 3.5 +- Skipped 4.5.0: + * libckteec: Validate EdDSA mechanism parameter length + * VSCode : Enable Development inside Docker Container + * libckteec: support for CKM_RSA_X_509 +- Skipped 4.4.0: + * libteec/CMakeLists.txt: remove CFG_TEE_CLIENT_LOAD_PATH comment + * tee-supplicant: add udev rule and systemd service file + * libckteec: fix memory allocation leakage on template serialization + * tee-supplicant: add sd_notify.c to Android.bp sources +- Skipped 4.3.0: + * tee-supplicant: send READY=1 notification to systemd + * tee-supplicant: remove useless use of __ANDROID__ condition + +------------------------------------------------------------------- Old: ---- optee_client-4.2.0.tar.gz New: ---- optee_client-4.6.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ optee-client.spec ++++++ --- /var/tmp/diff_new_pack.ZsO6B3/_old 2025-06-27 23:02:19.079760062 +0200 +++ /var/tmp/diff_new_pack.ZsO6B3/_new 2025-06-27 23:02:19.083760226 +0200 @@ -1,7 +1,7 @@ # # spec file for package optee-client # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -21,15 +21,17 @@ %define libname3 libseteec0 %define libname4 libteeacl0 Name: optee-client -Version: 4.2.0 +Version: 4.6.0 Release: 0 Summary: A Trusted Execution Environment client License: BSD-2-Clause Group: System/Boot URL: https://github.com/OP-TEE/optee_client Source: https://github.com/OP-TEE/optee_client/archive/%{version}.tar.gz#/optee_client-%{version}.tar.gz -BuildRequires: cmake +BuildRequires: cmake >= 3.5 BuildRequires: libuuid-devel +BuildRequires: udev +%{?systemd_requires} %description This component provides the TEE Client API as defined by the @@ -108,6 +110,15 @@ %install %cmake_install +# Fix paths for service and udev rule +mkdir -p %{buildroot}%{_udevrulesdir} +mv %{buildroot}/usr/etc/udev/rules.d/optee-udev.rules %{buildroot}%{_udevrulesdir}/99-optee-udev.rules +rm -rf %{buildroot}/usr/etc +%ifnarch %{ix86} %{arm} +mkdir -p %{buildroot}%{_unitdir} +mv %{buildroot}/usr/lib64/systemd/system/tee-supplicant@.service %{buildroot}%{_unitdir}/tee-supplicant@.service +rm -rf %{buildroot}/usr/lib64/systemd/ +%endif %post -n %{libname} -p /sbin/ldconfig %postun -n %{libname} -p /sbin/ldconfig @@ -125,6 +136,9 @@ %license LICENSE %doc README.md %{_sbindir}/tee-supplicant +%dir %{_unitdir} +%{_udevrulesdir}/99-optee-udev.rules +%{_unitdir}/tee-supplicant@.service %files devel %{_includedir}/*.h ++++++ optee_client-4.2.0.tar.gz -> optee_client-4.6.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/optee_client-4.2.0/.devcontainer/Dockerfile.vscode new/optee_client-4.6.0/.devcontainer/Dockerfile.vscode --- old/optee_client-4.2.0/.devcontainer/Dockerfile.vscode 1970-01-01 01:00:00.000000000 +0100 +++ new/optee_client-4.6.0/.devcontainer/Dockerfile.vscode 2025-04-09 17:55:00.000000000 +0200 
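Review bot: The `%install` and `%files` hunks package `99-optee-udev.rules` and `tee-supplicant@.service`, but no visible hunk creates the accounts they reference. Per the upstream defaults in tee-supplicant/CMakeLists.txt these are the `tee` and `teepriv` groups and the `teesuppl` user and group. Unless that is handled in a part of the spec outside these hunks, the unit's `User=` has no account to resolve to and the udev `GROUP=` assignments cannot resolve either. A sysusers.d fragment plus a matching `%pre` would cover this, and the `teesuppl` account needs `teepriv` as a supplementary group to open the device. `%{?systemd_requires}` is added without the `%service_add_pre` / `%service_add_post` / `%service_del_preun` / `%service_del_postun` scriptlets that normally accompany a packaged unit.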
@@ -0,0 +1,39 @@ +FROM ubuntu:22.04 + +ENV LANG=C.UTF-8 + +RUN dpkg --add-architecture armhf +RUN dpkg --add-architecture arm64 + +RUN echo 'deb [arch=amd64] http://archive.ubuntu.com/ubuntu/ jammy main restricted universe multiverse' > /etc/apt/sources.list +RUN echo 'deb [arch=amd64] http://archive.ubuntu.com/ubuntu/ jammy-updates main restricted universe multiverse' >> /etc/apt/sources.list +RUN echo 'deb [arch=amd64] http://archive.ubuntu.com/ubuntu/ jammy-backports main restricted universe multiverse' >> /etc/apt/sources.list +RUN echo 'deb [arch=amd64] http://security.ubuntu.com/ubuntu/ jammy-security main restricted universe multiverse' >> /etc/apt/sources.list +RUN echo 'deb [arch=armhf,arm64] http://ports.ubuntu.com/ubuntu-ports/ jammy main restricted universe multiverse' >> /etc/apt/sources.list +RUN echo 'deb [arch=armhf,arm64] http://ports.ubuntu.com/ubuntu-ports/ jammy-updates main restricted universe multiverse' >> /etc/apt/sources.list +RUN echo 'deb [arch=armhf,arm64] http://ports.ubuntu.com/ubuntu-ports/ jammy-backports main restricted universe multiverse' >> /etc/apt/sources.list +RUN echo 'deb [arch=armhf,arm64] http://ports.ubuntu.com/ubuntu-ports/ jammy-security main restricted universe multiverse' >> /etc/apt/sources.list + +RUN apt update && apt upgrade -y && \ + apt install -y \ + build-essential \ + automake \ + cmake \ + gcc-aarch64-linux-gnu \ + gcc-arm-linux-gnueabihf \ + gdb-multiarch \ + curl \ + dpkg-dev \ + pkg-config \ + uuid-dev:armhf \ + uuid-dev:arm64 + +# Additional development tools +RUN apt-get install -y \ + git-core git-man git-email \ + sudo nano vim openssh-client bash-completion + +# Add non root user +RUN useradd -ms /bin/bash optee +RUN echo "optee ALL=(ALL) NOPASSWD: ALL" | tee -a /etc/sudoers +USER optee diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/optee_client-4.2.0/.devcontainer/devcontainer.json new/optee_client-4.6.0/.devcontainer/devcontainer.json --- 
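Review bot: The `optee ALL=(ALL) NOPASSWD: ALL` rule appended to /etc/sudoers makes `USER optee` root-equivalent inside the container, so the non-root user gives no isolation from anything a build script runs there. That is a reasonable trade for a throwaway development container, but it should be stated in the file, for example `# Dev container only: passwordless sudo; do not reuse this image for CI or deployment`. Separately, the second `RUN apt-get install -y` sits in its own layer with no `apt-get update`, so a cached first layer can leave it resolving against a stale package index. Folding the git/sudo/editor packages into the first `RUN` avoids that.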
old/optee_client-4.2.0/.devcontainer/devcontainer.json 1970-01-01 01:00:00.000000000 +0100 +++ new/optee_client-4.6.0/.devcontainer/devcontainer.json 2025-04-09 17:55:00.000000000 +0200 @@ -0,0 +1,29 @@ +{ + "name": "optee-client-docker", + "build": { + "dockerfile": "Dockerfile.vscode" + }, + + "customizations": { + "vscode": { + "settings": { + "terminal.integrated.profiles.linux": { + "bash": { + "path": "/bin/bash", + "args": ["-l"] + } + }, + "terminal.integrated.defaultProfile.linux": "bash" + }, + "extensions": [ + "ms-vscode.cpptools", + "eamodio.gitlens" + ] + } + }, + + // Map the host .ssh folder into the container for a seamless ssh experience + "mounts": [ + "source=${localEnv:HOME}${localEnv:USERPROFILE}/.ssh,target=/home/optee/.ssh,type=bind,consistency=cached" + ] +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/optee_client-4.2.0/.vscode/extensions.json new/optee_client-4.6.0/.vscode/extensions.json --- old/optee_client-4.2.0/.vscode/extensions.json 1970-01-01 01:00:00.000000000 +0100 +++ new/optee_client-4.6.0/.vscode/extensions.json 2025-04-09 17:55:00.000000000 +0200 @@ -0,0 +1,10 @@ +{ + "recommendations": [ + "ms-vscode-remote.remote-containers", + "ms-vscode-remote.remote-wsl", + "ms-vscode-remote.vscode-remote-extensionpack", + "ms-vscode.cpptools-extension-pack", + "ms-vscode.cpptools", + "eamodio.gitlens", + ] +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/optee_client-4.2.0/Android.bp new/optee_client-4.6.0/Android.bp --- old/optee_client-4.2.0/Android.bp 2024-04-02 10:21:52.000000000 +0200 +++ new/optee_client-4.6.0/Android.bp 2025-04-09 17:55:00.000000000 +0200 
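Review bot: The `mounts` entry binds the host's whole `.ssh` directory into the container read-write, so private keys, `config` and `known_hosts` are readable and modifiable by anything that runs in the container, including build scripts and the passwordless-sudo user from Dockerfile.vscode. Adding `readonly` to the mount string (`...,target=/home/optee/.ssh,type=bind,readonly`) at least stops the container from altering host SSH configuration. Relying on SSH agent forwarding instead of a key mount would avoid exposing the key files at all. The `//` comment above the entry should mention which of these was chosen.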
@@ -281,6 +281,7 @@ srcs: [ "tee-supplicant/src/handle.c", "tee-supplicant/src/rpmb.c", + "tee-supplicant/src/sd_notify.c", "tee-supplicant/src/tee_supp_fs.c", "tee-supplicant/src/tee_supplicant.c", "tee-supplicant/src/teec_ta_load.c", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/optee_client-4.2.0/CMakeLists.txt new/optee_client-4.6.0/CMakeLists.txt --- old/optee_client-4.2.0/CMakeLists.txt 2024-04-02 10:21:52.000000000 +0200 +++ new/optee_client-4.6.0/CMakeLists.txt 2025-04-09 17:55:00.000000000 +0200 @@ -1,4 +1,4 @@ -cmake_minimum_required(VERSION 3.4) +cmake_minimum_required(VERSION 3.5) project(optee_client C) # https://cmake.org/Wiki/CMake_Useful_Variables diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/optee_client-4.2.0/config.mk new/optee_client-4.6.0/config.mk --- old/optee_client-4.2.0/config.mk 2024-04-02 10:21:52.000000000 +0200 +++ new/optee_client-4.6.0/config.mk 2025-04-09 17:55:00.000000000 +0200 @@ -23,7 +23,7 @@ # This folder can be created with the required permission in an init # script during boot, else it will be created by the tee-supplicant on # first REE FS access. -CFG_TEE_FS_PARENT_PATH ?= /data/tee +CFG_TEE_FS_PARENT_PATH ?= /var/lib/tee # CFG_TEE_CLIENT_LOG_FILE # The location of the client log file when logging to file is enabled. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/optee_client-4.2.0/libckteec/src/serialize_ck.c new/optee_client-4.6.0/libckteec/src/serialize_ck.c --- old/optee_client-4.2.0/libckteec/src/serialize_ck.c 2024-04-02 10:21:52.000000000 +0200 +++ new/optee_client-4.6.0/libckteec/src/serialize_ck.c 2025-04-09 17:55:00.000000000 +0200 
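Review bot: Changing the `CFG_TEE_FS_PARENT_PATH` default from /data/tee to /var/lib/tee in config.mk moves secure storage, and nothing in this diff migrates existing objects. A device upgraded with the default will start with empty REE FS storage while the old data stays in /data/tee. The comment above the variable still says the folder "will be created by the tee-supplicant on first REE FS access", but with the new service unit running as an unprivileged user that creation under /var/lib will fail unless the directory is pre-created. Suggested comment addition: `# Upgrading from /data/tee: move the existing directory or set this explicitly. When tee-supplicant runs unprivileged, pre-create the folder owned by that user with mode 0700.`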
@@ -95,17 +95,19 @@ */ rv = serialize_32b(obj, attribute->type); if (rv) - return rv; + goto out; rv = serialize_32b(obj, obj2.size); if (rv) - return rv; + goto out; rv = serialize_buffer(obj, obj2.buffer, obj2.size); if (rv) - return rv; + goto out; obj->item_count++; +out: + release_serial_object(&obj2); return rv; } @@ -672,6 +674,23 @@ { CK_RV rv = CKR_GENERAL_ERROR; CK_EDDSA_PARAMS *params = mecha->pParameter; + CK_ULONG params_len = mecha->ulParameterLen; + /* + * When no parameter is provided, the expected operation is + * no-prehash and no-context. + */ + CK_EDDSA_PARAMS default_params = { + .phFlag = 0, + .ulContextDataLen = 0, + }; + + if (params_len == 0) { + params = &default_params; + params_len = sizeof(*params); + } + + if (params_len != sizeof(*params)) + return CKR_ARGUMENTS_BAD; rv = serialize_32b(obj, obj->type); if (rv) @@ -768,6 +787,7 @@ case CKM_ECDSA_SHA512: case CKM_RSA_PKCS_KEY_PAIR_GEN: case CKM_RSA_PKCS: + case CKM_RSA_X_509: case CKM_MD5_RSA_PKCS: case CKM_SHA1_RSA_PKCS: case CKM_SHA224_RSA_PKCS: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/optee_client-4.2.0/libteec/CMakeLists.txt new/optee_client-4.6.0/libteec/CMakeLists.txt --- old/optee_client-4.2.0/libteec/CMakeLists.txt 2024-04-02 10:21:52.000000000 +0200 +++ new/optee_client-4.6.0/libteec/CMakeLists.txt 2025-04-09 17:55:00.000000000 +0200 @@ -14,7 +14,7 @@ # Configuration flags always included ################################################################################ set(CFG_TEE_CLIENT_LOG_LEVEL "1" CACHE STRING "libteec log level") -set(CFG_TEE_CLIENT_LOG_FILE "/data/tee/teec.log" CACHE STRING "Location of libteec log") +set(CFG_TEE_CLIENT_LOG_FILE "${CMAKE_INSTALL_LOCALSTATEDIR}/lib/tee/teec.log" CACHE STRING "Location of libteec log") ################################################################################ # Source files 
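Review bot: A NULL `pParameter` combined with a non-zero `ulParameterLen` still passes the new EdDSA check, because only `params_len` is compared against `sizeof(*params)`. If the unchanged remainder of the function reads `params->phFlag` or the context fields, as the default initializer suggests, that is a NULL dereference that crashes the calling process. The guard could be `if (!params || params_len != sizeof(*params)) return CKR_ARGUMENTS_BAD;`. The function body continues outside the hunk, so it is worth confirming there that a non-zero `ulContextDataLen` with a NULL `pContextData` is also rejected.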
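Review bot: `${CMAKE_INSTALL_LOCALSTATEDIR}` is the relative GNUInstallDirs variable (`var` by default), so unless the builder passes an absolute value the compiled-in log path is `var/lib/tee/teec.log`, resolved against the process's working directory. `${CMAKE_INSTALL_FULL_LOCALSTATEDIR}/lib/tee/teec.log` yields the absolute path. The same applies to `CFG_TEE_FS_PARENT_PATH` in tee-supplicant/CMakeLists.txt, where a working-directory-relative secure-storage location is the more serious case. It also applies to `@CMAKE_INSTALL_SYSCONFDIR@` in the service template, since systemd expects an absolute `EnvironmentFile=` path. `CFG_TEE_PLUGIN_LOAD_PATH` has the mirror problem: `${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}` breaks when LIBDIR is given as an absolute path, which `${CMAKE_INSTALL_FULL_LIBDIR}` handles.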
@@ -62,8 +62,6 @@ ################################################################################ # Install targets ################################################################################ -# FIXME: This should in someway harmonize with CFG_TEE_CLIENT_LOAD_PATH -# FIXME: Should we change this to /usr/local/lib? install(TARGETS teec LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}" ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/optee_client-4.2.0/tee-supplicant/CMakeLists.txt new/optee_client-4.6.0/tee-supplicant/CMakeLists.txt --- old/optee_client-4.2.0/tee-supplicant/CMakeLists.txt 2024-04-02 10:21:52.000000000 +0200 +++ new/optee_client-4.6.0/tee-supplicant/CMakeLists.txt 2025-04-09 17:55:00.000000000 +0200 
@@ -11,10 +11,15 @@ set(CFG_TEE_SUPP_LOG_LEVEL "1" CACHE STRING "tee-supplicant log level") # FIXME: Question is, is this really needed? Should just use defaults from # GNUInstallDirs? set(CFG_TEE_CLIENT_LOAD_PATH "/lib" CACHE STRING "Colon-separated list of paths where to look for TAs (see also --ta-dir)") -set(CFG_TEE_FS_PARENT_PATH "/data/tee" CACHE STRING "Location of TEE filesystem (secure storage)") +set(CFG_TEE_FS_PARENT_PATH "${CMAKE_INSTALL_LOCALSTATEDIR}/lib/tee" CACHE STRING "Location of TEE filesystem (secure storage)") # FIXME: Why do we have if defined(CFG_GP_SOCKETS) && CFG_GP_SOCKETS == 1 in the c-file? set(CFG_GP_SOCKETS "1" CACHE STRING "Enable GlobalPlatform Socket API support") -set(CFG_TEE_PLUGIN_LOAD_PATH "/usr/lib/tee-supplicant/plugins/" CACHE STRING "tee-supplicant's plugins path") +set(CFG_TEE_PLUGIN_LOAD_PATH "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}/${PROJECT_NAME}/plugins/" CACHE STRING "tee-supplicant's plugins path") + +set(CFG_TEE_GROUP "tee" CACHE STRING "Group which has access to /dev/tee* devices") +set(CFG_TEEPRIV_GROUP "teepriv" CACHE STRING "Group which has access to /dev/teepriv* devices") +set(CFG_TEE_SUPPL_USER "teesuppl" CACHE STRING "User account which tee-supplicant is started with") +set(CFG_TEE_SUPPL_GROUP "teesuppl" CACHE STRING "Group account which tee-supplicant is started with") if(CFG_TEE_SUPP_PLUGINS) set(CMAKE_INSTALL_RPATH "${CFG_TEE_PLUGIN_LOAD_PATH}") @@ -28,6 +33,7 @@ src/hmac_sha2.c src/rpmb.c src/sha2.c + src/sd_notify.c src/tee_supp_fs.c src/tee_supplicant.c src/teec_ta_load.c 
@@ -112,3 +118,7 @@ # Install targets ################################################################################ install(TARGETS ${PROJECT_NAME} RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR}) +configure_file(tee-supplic...@.service.in tee-supplicant@.service @ONLY) +install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/tee-supplicant@.service DESTINATION ${CMAKE_INSTALL_LIBDIR}/systemd/system) +configure_file(optee-udev.rules.in optee-udev.rules @ONLY) +install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/optee-udev.rules DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/udev/rules.d) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/optee_client-4.2.0/tee-supplicant/Makefile new/optee_client-4.6.0/tee-supplicant/Makefile --- old/optee_client-4.2.0/tee-supplicant/Makefile 2024-04-02 10:21:52.000000000 +0200 +++ new/optee_client-4.6.0/tee-supplicant/Makefile 2025-04-09 17:55:00.000000000 +0200 @@ -18,7 +18,8 @@ teec_ta_load.c \ tee_supp_fs.c \ rpmb.c \ - handle.c + handle.c \ + sd_notify.c ifeq ($(CFG_GP_SOCKETS),y) TEES_SRCS += tee_socket.c diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/optee_client-4.2.0/tee-supplicant/optee-udev.rules.in new/optee_client-4.6.0/tee-supplicant/optee-udev.rules.in --- old/optee_client-4.2.0/tee-supplicant/optee-udev.rules.in 1970-01-01 01:00:00.000000000 +0100 +++ new/optee_client-4.6.0/tee-supplicant/optee-udev.rules.in 2025-04-09 17:55:00.000000000 +0200 
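Review bot: The unit is installed to `${CMAKE_INSTALL_LIBDIR}/systemd/system`, which becomes `lib64/systemd/system` on multilib distributions, a directory systemd does not search. The spec file in this same commit has to move the file by hand for that reason. The udev rule likewise lands under the prefix-relative `${CMAKE_INSTALL_SYSCONFDIR}`, which is `/usr/etc/...` for a `/usr` prefix. Making both destinations cache variables would let packagers set the right location without post-install fixes. A sketch with constructed names: `set(CFG_TEE_SYSTEMD_UNIT_DIR "lib/systemd/system" CACHE PATH "...")` and `set(CFG_TEE_UDEV_RULES_DIR "lib/udev/rules.d" CACHE PATH "...")`.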
@@ -0,0 +1,7 @@ +# SPDX-License-Identifier: BSD-2-Clause +KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="@CFG_TEE_GROUP@", TAG+="systemd" + +# If a /dev/teepriv[0-9]* device is detected, start an instance of +# tee-supplicant.service with the device name as parameter +KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="@CFG_TEEPRIV_GROUP@", \ + TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/optee_client-4.2.0/tee-supplicant/src/rpmb.c new/optee_client-4.6.0/tee-supplicant/src/rpmb.c --- old/optee_client-4.2.0/tee-supplicant/src/rpmb.c 2024-04-02 10:21:52.000000000 +0200 +++ new/optee_client-4.6.0/tee-supplicant/src/rpmb.c 2025-04-09 17:55:00.000000000 +0200 @@ -160,11 +160,7 @@ DMSG("dev_id = %u", dev_id); if (fd < 0) { -#ifdef __ANDROID__ snprintf(path, sizeof(path), "/dev/mmcblk%urpmb", dev_id); -#else - snprintf(path, sizeof(path), "/dev/mmcblk%urpmb", dev_id); -#endif fd = open(path, O_RDWR); if (fd < 0) { EMSG("Could not open %s (%s)", path, strerror(errno)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/optee_client-4.2.0/tee-supplicant/src/sd_notify.c new/optee_client-4.6.0/tee-supplicant/src/sd_notify.c --- old/optee_client-4.2.0/tee-supplicant/src/sd_notify.c 1970-01-01 01:00:00.000000000 +0100 +++ new/optee_client-4.6.0/tee-supplicant/src/sd_notify.c 2025-04-09 17:55:00.000000000 +0200 
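Review bot: Both rules match on `KERNEL==` alone, so the group and mode apply to any device whose kernel name fits `tee[0-9]*` or `teepriv[0-9]*`, whatever subsystem it belongs to. Assuming the kernel registers these nodes under the `tee` class, adding `SUBSYSTEM=="tee"` to each rule pins them to the intended devices. The comment should also state what membership grants, since the two groups are not equivalent: `@CFG_TEE_GROUP@` opens the client device used to talk to trusted applications, while `@CFG_TEEPRIV_GROUP@` opens the device tee-supplicant serves and should contain only the supplicant's account. Both groups must exist before the rule is processed, and nothing in this file or the CMake install step creates them.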
@@ -0,0 +1,93 @@ +// SPDX-License-Identifier: MIT-0 +/* + * The code below is imported from: + * https://www.freedesktop.org/software/systemd/man/devel/sd_notify.html#Standalone%20Implementations + */ + +#define _GNU_SOURCE 1 +#include <string.h> +#include <errno.h> +#include <inttypes.h> +#include <signal.h> +#include <stdbool.h> +#include <stddef.h> +#include <stdlib.h> +#include <stdio.h> +#include <sys/socket.h> +#include <sys/un.h> +#include <time.h> +#include <unistd.h> + +#include "sd_notify.h" + +#define _cleanup_(f) __attribute__((cleanup(f))) + +static void closep(int *fd) +{ + if (!fd || *fd < 0) + return; + + close(*fd); + *fd = -1; +} + +static int notify(const char *message) +{ + union sockaddr_union { + struct sockaddr sa; + struct sockaddr_un sun; + } socket_addr = { + .sun.sun_family = AF_UNIX, + }; + + ssize_t written = 0; + size_t path_length, message_length = 0; + _cleanup_(closep) int fd = -1; + const char *socket_path = NULL; + + /* Verify the argument first */ + if (!message) + return -EINVAL; + + message_length = strlen(message); + if (message_length == 0) + return -EINVAL; + + /* If the variable is not set, the protocol is a noop */ + socket_path = getenv("NOTIFY_SOCKET"); + if (!socket_path) + return 0; /* Not set? 
Nothing to do */ + + /* Only AF_UNIX is supported, with path or abstract sockets */ + if (socket_path[0] != '/' && socket_path[0] != '@') + return -EAFNOSUPPORT; + + path_length = strlen(socket_path); + /* Ensure there is room for NULL byte */ + if (path_length >= sizeof(socket_addr.sun.sun_path)) + return -E2BIG; + + memcpy(socket_addr.sun.sun_path, socket_path, path_length); + + /* Support for abstract socket */ + if (socket_addr.sun.sun_path[0] == '@') + socket_addr.sun.sun_path[0] = 0; + + fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0); + if (fd < 0) + return -errno; + + if (connect(fd, &socket_addr.sa, offsetof(struct sockaddr_un, sun_path) + path_length) != 0) + return -errno; + + written = write(fd, message, message_length); + if (written != (ssize_t) message_length) + return written < 0 ? -errno : -EPROTO; + + return 1; /* Notified! */ +} + +int sd_notify_ready(void) +{ + return notify("READY=1"); +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/optee_client-4.2.0/tee-supplicant/src/sd_notify.h new/optee_client-4.6.0/tee-supplicant/src/sd_notify.h --- old/optee_client-4.2.0/tee-supplicant/src/sd_notify.h 1970-01-01 01:00:00.000000000 +0100 +++ new/optee_client-4.6.0/tee-supplicant/src/sd_notify.h 2025-04-09 17:55:00.000000000 +0200 
@@ -0,0 +1,11 @@ +// SPDX-License-Identifier: MIT-0 +/* + * The code below is imported from: + * https://www.freedesktop.org/software/systemd/man/devel/sd_notify.html#Standalone%20Implementations + */ +#ifndef SD_NOTIFY_H +#define SD_NOTIFY_H + +int sd_notify_ready(void); + +#endif /* SD_NOTIFY_H */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/optee_client-4.2.0/tee-supplicant/src/tee_supplicant.c new/optee_client-4.6.0/tee-supplicant/src/tee_supplicant.c --- old/optee_client-4.2.0/tee-supplicant/src/tee_supplicant.c 2024-04-02 10:21:52.000000000 +0200 +++ new/optee_client-4.6.0/tee-supplicant/src/tee_supplicant.c 2025-04-09 17:55:00.000000000 +0200 @@ -53,6 +53,7 @@ #include <tee_socket.h> #include <tee_supp_fs.h> #include <tee_supplicant.h> +#include <sd_notify.h> #include <unistd.h> #include "optee_msg_supplicant.h" @@ -923,6 +924,11 @@ } } + /* we are set here notify systemd */ + e = sd_notify_ready(); + if(e < 0) + fprintf(stderr, "sd_notify_ready() failed: %s\n", strerror(-e)); + if (daemonize) { /* Release parent */ if (write(pipefd[1], "", 1) != 1) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/optee_client-4.2.0/tee-supplicant/tee-supplic...@.service.in new/optee_client-4.6.0/tee-supplicant/tee-supplic...@.service.in --- old/optee_client-4.2.0/tee-supplicant/tee-supplic...@.service.in 1970-01-01 01:00:00.000000000 +0100 +++ new/optee_client-4.6.0/tee-supplicant/tee-supplic...@.service.in 2025-04-09 17:55:00.000000000 +0200 
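Review bot: `sd_notify_ready()` is declared in sd_notify.h without its return contract, which callers need because the implementation in sd_notify.c distinguishes three outcomes. A comment above the prototype would cover it: `/* Returns 1 if READY=1 was sent, 0 if NOTIFY_SOCKET is unset (no-op), or a negative errno value on failure. */`.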
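Review bot: The failure branch after the added `sd_notify_ready()` call in tee_supplicant.c reports through `fprintf(stderr, ...)`, and `if(e < 0)` is missing the space after `if`. rpmb.c in this same diff logs errors with `EMSG(...)`. If that macro is in scope here (not visible in this hunk), `EMSG("sd_notify_ready() failed: %s", strerror(-e));` would keep the message in the supplicant's normal log channel and subject to its log-level setting. The enclosing function starts and ends outside the hunk.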
@@ -0,0 +1,17 @@ +# SPDX-License-Identifier: BSD-2-Clause +[Unit] +Description=TEE Supplicant on %i +DefaultDependencies=no +After=dev-%i.device +Wants=dev-%i.device +Conflicts=shutdown.target +Before=tpm2.target sysinit.target shutdown.target + +[Service] +Type=notify +User=@CFG_TEE_SUPPL_USER@ +Group=@CFG_TEE_SUPPL_GROUP@ +EnvironmentFile=-@CMAKE_INSTALL_SYSCONFDIR@/default/tee-supplicant +ExecStart=@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_SBINDIR@/tee-supplicant $OPTARGS +# Workaround for fTPM TA: stop kernel module before tee-supplicant +ExecStop=-/bin/sh -c "/sbin/modprobe -v -r tpm_ftpm_tee ; /bin/kill $MAINPID"
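Review bot: `ExecStop=` runs under the unit's `User=@CFG_TEE_SUPPL_USER@` like every other Exec line, so the `/sbin/modprobe -v -r tpm_ftpm_tee` in the workaround runs without the privilege needed to unload a module. The leading `-` then hides the failure, leaving the fTPM ordering workaround silently ineffective. Marking only that command as privileged and dropping the shell keeps the rest of the unit unprivileged: `ExecStop=-+/sbin/modprobe -v -r tpm_ftpm_tee`. systemd terminates the main process itself once ExecStop has finished, so the explicit `/bin/kill $MAINPID` is not needed. Because the service handles secure storage, candidate additions are `NoNewPrivileges=yes` and a `ProtectSystem=` setting, subject to checking that they work this early in boot with `DefaultDependencies=no`.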