Thanks, applied as 05cc41f8c966524051d1e759a1743d81a7cc9d01. Michael
[sent from post-receive hook] On Fri, 12 Dec 2025 15:52:20 +0100, Holger Assmann <[email protected]> wrote: > Since optee-client version 4.4.0, the sources include a udev rule and a > systemd service file template in order to start tee-supplicant and > manage access to (OP-)TEE devices. Recent upstream changes have > streamlined this constellation and made it usable in a BSP without > additional setup required. > > As these changes are not part of a proper release yet, we include them > into a patch stack for optee-client v4.8.0. > > This commit removes the PTXdist downstream "tee-supplicant.service" in > favour of the upstream solution: > > - The udev rule changes group ownership of every "/dev/tee*" device to > "tee" and of every "/dev/treepriv*" as well as any eMMC RPMB partition > to "teepriv". These group names are build time options and were already > introduced to PTXdist with commit a06d32d59aa. > - The systemd service template derives instances for every "/dev/teepriv*" > device and starts a dedicated process of tee-supplicant. It is triggered > by the aforementioned udev rule and executes as "teesuppl:teesuppl". > > Signed-off-by: Holger Assmann <[email protected]> > Message-Id: <[email protected]> > Signed-off-by: Michael Olbrich <[email protected]> > > diff --git > a/patches/optee-client-4.8.0/0001-tee-supplicant-add-missing-rule-for-the-mmcblk-0-9-r.patch > > b/patches/optee-client-4.8.0/0001-tee-supplicant-add-missing-rule-for-the-mmcblk-0-9-r.patch > new file mode 100644 > index 000000000000..c25abac9403d > --- /dev/null > +++ > b/patches/optee-client-4.8.0/0001-tee-supplicant-add-missing-rule-for-the-mmcblk-0-9-r.patch 
> @@ -0,0 +1,30 @@ > +From: Marco Felsch <[email protected]> > +Date: Sat, 8 Nov 2025 02:21:18 +0100 > +Subject: [PATCH] tee-supplicant: add missing rule for the mmcblk[0-9]rpmb > + group > + > +Fix rootless tee-supplicant handling for RPMB use-case. The RPMB > +communcation fails badly if the in-kernel RPMB handling was not enabled > +and the rootless tee-supplicant is used because the default group for > +the /dev/mmcblk[0-9]rpmb is 'root'. > + > +Set the group to same group used for /dev/teepriv[0-9] to fix this and > +to allow rootless tee-supplicant usage with legacy user-space RPMB > +handling. > + > +Signed-off-by: Marco Felsch <[email protected]> > +--- > + tee-supplicant/optee-udev.rules.in | 3 +++ > + 1 file changed, 3 insertions(+) > + > +diff --git a/tee-supplicant/optee-udev.rules.in > b/tee-supplicant/optee-udev.rules.in > +index 275e83388efd..e28fb40c4040 100644 > +--- a/tee-supplicant/optee-udev.rules.in > ++++ b/tee-supplicant/optee-udev.rules.in > +@@ -5,3 +5,6 @@ KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", > GROUP="@CFG_TEE_GROUP@", TAG+="s > + # tee-supplicant.service with the device name as parameter > + KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", > GROUP="@CFG_TEEPRIV_GROUP@", \ > + TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service" > ++ > ++ACTION=="add", SUBSYSTEM=="mmc_rpmb", KERNEL=="mmcblk[0-9]rpmb", \ > ++ GROUP="@CFG_TEEPRIV_GROUP@" > diff --git > a/patches/optee-client-4.8.0/0002-tee-supplicant-add-device-instance-as-start-paramete.patch > > b/patches/optee-client-4.8.0/0002-tee-supplicant-add-device-instance-as-start-paramete.patch > new file mode 100644 > index 000000000000..6dfc293295a9 > --- /dev/null > +++ > b/patches/optee-client-4.8.0/0002-tee-supplicant-add-device-instance-as-start-paramete.patch 
> @@ -0,0 +1,32 @@ > +From: Holger Assmann <[email protected]> > +Date: Mon, 1 Dec 2025 10:35:22 +0100 > +Subject: [PATCH] tee-supplicant: add device instance as start parameter for > + service file > + > +tee-supplicant requires a device name as a positional argument. This can > +not be provided via $OPTARGS from the EnvironmentFile, since that > +variable does not account for the service file being a template where > +instance-specific services (i.e. @teepriv0, @teepriv1, ...) are derived > +from. > + > +Therefore, the device instance used for each templated systemd service > +needs to be included directly in the ExecStart line. > + > +Signed-off-by: Holger Assmann <[email protected]> > +Acked-by: Jerome Forissier <[email protected]> > +--- > + tee-supplicant/[email protected] | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/tee-supplicant/[email protected] > b/tee-supplicant/[email protected] > +index e53a9357f01f..7e10e1d753a4 100644 > +--- a/tee-supplicant/[email protected] > ++++ b/tee-supplicant/[email protected] > +@@ -12,6 +12,6 @@ Type=notify > + User=@CFG_TEE_SUPPL_USER@ > + Group=@CFG_TEE_SUPPL_GROUP@ > + EnvironmentFile=-@CMAKE_INSTALL_SYSCONFDIR@/default/tee-supplicant > +-ExecStart=@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_SBINDIR@/tee-supplicant > $OPTARGS > ++ExecStart=@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_SBINDIR@/tee-supplicant > $OPTARGS /dev/%I > + # Workaround for fTPM TA: stop kernel module before tee-supplicant > + ExecStop=-/bin/sh -c "/sbin/modprobe -v -r tpm_ftpm_tee ; /bin/kill > $MAINPID" > diff --git > a/patches/optee-client-4.8.0/0003-tee-supplicant-add-priority-prefix-for-udev-rule.patch > > b/patches/optee-client-4.8.0/0003-tee-supplicant-add-priority-prefix-for-udev-rule.patch > new file mode 100644 > index 000000000000..3359d2db7467 > --- /dev/null > +++ > b/patches/optee-client-4.8.0/0003-tee-supplicant-add-priority-prefix-for-udev-rule.patch 
> @@ -0,0 +1,45 @@ > +From: Holger Assmann <[email protected]> > +Date: Mon, 1 Dec 2025 09:31:12 +0100 > +Subject: [PATCH] tee-supplicant: add priority prefix for udev rule > + > +The manpage of udev states that "All rule files are read in lexical > +order." This coincides with the established convention of assigning a > +two-digit priority prefix in front of the respective rule file name. > + > +In case of "optee-udev.rules", we are currently missing that prefix. > +When looking for context, it seems suitable to choose a priority in the > +realm of the already existing "60-tpm-udev.rules", since that serves a > +similar purpose like the rule for optee-client. > + > +This commit hence changes the installed rule file name to > +"60-optee-udev.rules", with "60-" being a configurable default value. > + > +Signed-off-by: Holger Assmann <[email protected]> > +Acked-by: Jerome Forissier <[email protected]> > +--- > + tee-supplicant/CMakeLists.txt | 7 ++++--- > + 1 file changed, 4 insertions(+), 3 deletions(-) > + > +diff --git a/tee-supplicant/CMakeLists.txt b/tee-supplicant/CMakeLists.txt > +index b47d4e377e98..5a8b387f9a7d 100644 > +--- a/tee-supplicant/CMakeLists.txt > ++++ b/tee-supplicant/CMakeLists.txt > +@@ -18,6 +18,7 @@ set(CFG_TEE_FS_PARENT_PATH > "${CMAKE_INSTALL_LOCALSTATEDIR}/lib/tee" CACHE STRING > + # FIXME: Why do we have if defined(CFG_GP_SOCKETS) && CFG_GP_SOCKETS == 1 > in the c-file? 
> + set(CFG_GP_SOCKETS "1" CACHE STRING "Enable GlobalPlatform Socket API > support") > + set(CFG_TEE_PLUGIN_LOAD_PATH > "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}/${PROJECT_NAME}/plugins/" > CACHE STRING "tee-supplicant's plugins path") > ++set(CFG_UDEV_RULESPREFIX "60-" CACHE STRING "Priority prefix for udev rule") > + > + set(CFG_TEE_GROUP "tee" CACHE STRING "Group which has access to /dev/tee* > devices") > + set(CFG_TEEPRIV_GROUP "teepriv" CACHE STRING "Group which has access to > /dev/teepriv* devices") > +@@ -150,6 +151,6 @@ if (CFG_ENABLE_SYSTEMD) > + install(FILES > ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/[email protected] DESTINATION > ${SYSTEMD_UNIT_DIR}) > + endif() > + if (CFG_ENABLE_UDEV) > +- configure_file(optee-udev.rules.in optee-udev.rules @ONLY) > +- install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/optee-udev.rules > DESTINATION ${UDEV_UDEV_DIR}) > +-endif() > +\ No newline at end of file > ++ configure_file(optee-udev.rules.in > ${CFG_UDEV_RULESPREFIX}optee-udev.rules @ONLY) > ++ install(FILES > ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/${CFG_UDEV_RULESPREFIX}optee-udev.rules > DESTINATION ${UDEV_UDEV_DIR}) > ++endif() > diff --git a/patches/optee-client-4.8.0/series > b/patches/optee-client-4.8.0/series > new file mode 100644 > index 000000000000..8a0a2fbb5c9d > --- /dev/null > +++ b/patches/optee-client-4.8.0/series > @@ -0,0 +1,6 @@ > +# generated by git-ptx-patches > +#tag:base --start-number 1 > +0001-tee-supplicant-add-missing-rule-for-the-mmcblk-0-9-r.patch > +0002-tee-supplicant-add-device-instance-as-start-paramete.patch > +0003-tee-supplicant-add-priority-prefix-for-udev-rule.patch > +# eb1647eb8fde26a3ed3fb30aa6c42307 - git-ptx-patches magic > diff --git a/projectroot/usr/lib/systemd/system/tee-supplicant.service > b/projectroot/usr/lib/systemd/system/tee-supplicant.service > deleted file mode 100644 > index 714851573df5..000000000000 > --- a/projectroot/usr/lib/systemd/system/tee-supplicant.service > +++ /dev/null 
> @@ -1,9 +0,0 @@ > -[Unit] > -Description=TEE Supplicant > - > -[Service] > -Type=simple > -ExecStart=/usr/sbin/tee-supplicant > - > -[Install] > -WantedBy=multi-user.target > diff --git a/rules/optee-client.in b/rules/optee-client.in > index baa84f9c9129..e1fe59efe869 100644 > --- a/rules/optee-client.in > +++ b/rules/optee-client.in > @@ -16,11 +16,31 @@ menuconfig OPTEE_CLIENT > > if OPTEE_CLIENT > > +config OPTEE_CLIENT_UDEV > + bool > + default y > + depends on UDEV > + select OPTEE_CLIENT_SYSTEMD_UNIT > + prompt "permission handling and systemd trigger" > + help > + optee-client comes with an udev rule that defines the group ownership > + of any '/dev/tee*' to 'tee' and of any '/dev/teepriv*' device as well > + as the RPMB partition of any eMMC to 'teepriv'. The respective groups > + have to be defined within the BSP. > + The udev rule further instantiates a systemd service for every TEE > + device. > + > config OPTEE_CLIENT_SYSTEMD_UNIT > bool > default y > depends on SYSTEMD > prompt "install systemd service file for tee-supplicant" > + help > + optee-client comes with a systemd service template to start a TEE- > + device specific instance of tee-supplicant. > + tee-supplicant is intended to run with a dedicated user/group > + setting: 'teesuppl:teesuppl'. This has to be defined within the BSP. > + Note that 'teesuppl' has also to be part of group 'teepriv'. > > config OPTEE_CLIENT_SUPPLICANT_PLUGINS > bool > diff --git a/rules/optee-client.make b/rules/optee-client.make > index ecf7cdb04606..32f1e425ccbc 100644 > --- a/rules/optee-client.make > +++ b/rules/optee-client.make 
> @@ -33,8 +33,8 @@ OPTEE_CLIENT_CONF_TOOL := cmake > OPTEE_CLIENT_CONF_OPT := \ > $(CROSS_CMAKE_USR) \ > -DBUILD_SHARED_LIBS=ON \ > - -DCFG_ENABLE_SYSTEMD=OFF \ > - -DCFG_ENABLE_UDEV=OFF \ > + -DCFG_ENABLE_SYSTEMD=$(call ptx/onoff, > PTXCONF_OPTEE_CLIENT_SYSTEMD_UNIT) \ > + -DCFG_ENABLE_UDEV=$(call ptx/onoff, PTXCONF_OPTEE_CLIENT_UDEV) \ > -DCFG_FTRACE_SUPPORT=ON \ > -DCFG_GP_SOCKETS=1 \ > -DCFG_TA_GPROF_SUPPORT=ON \ > @@ -52,6 +52,7 @@ OPTEE_CLIENT_CONF_OPT := \ > -DCFG_USE_PKGCONFIG=OFF \ > -DCFG_WERROR=ON \ > -DRPMB_EMU=$(call ptx/onoff, > PTXCONF_OPTEE_CLIENT_SUPPLICANT_RPMB_EMULATION) \ > + -DUDEV_UDEV_DIR="/usr/lib/udev/rules.d" \ > -DWITH_TEEACL=ON > > # > ---------------------------------------------------------------------------- > @@ -70,11 +71,13 @@ $(STATEDIR)/optee-client.targetinstall: > @$(call install_lib, optee-client, 0, 0, 0644, libteec) > @$(call install_lib, optee-client, 0, 0, 0644, libckteec) > @$(call install_copy, optee-client, 0, 0, 0755, -, > /usr/sbin/tee-supplicant) > +ifdef PTXCONF_OPTEE_CLIENT_UDEV > + @$(call install_alternative, optee-client, 0, 0, 0644, \ > + /usr/lib/udev/rules.d/60-optee-udev.rules) > +endif > ifdef PTXCONF_OPTEE_CLIENT_SYSTEMD_UNIT > @$(call install_alternative, optee-client, 0, 0, 0644, \ > - /usr/lib/systemd/system/tee-supplicant.service) > - @$(call install_link, optee-client, ../tee-supplicant.service,\ > - > /usr/lib/systemd/system/multi-user.target.wants/tee-supplicant.service) > + /usr/lib/systemd/system/[email protected]) > endif > > @$(call install_finish, optee-client)
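Review bot: in the new rule of patch 0001 (`ACTION=="add", SUBSYSTEM=="mmc_rpmb", KERNEL=="mmcblk[0-9]rpmb"`), the device glob matches a single digit only, unlike the `tee[0-9]*` and `teepriv[0-9]*` patterns a few lines above it in the same file; `mmcblk[0-9]*rpmb` would cover controllers beyond index 9 consistently. The rule also sets GROUP without an explicit MODE, so the resulting permissions depend on udev's default for group-owned nodes rather than being spelled out as `MODE="0660"` like the tee rules; making it explicit documents that the RPMB partition becomes writable for @CFG_TEEPRIV_GROUP@ only and stays closed to everyone else, which is the whole point of the rootless setup.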
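Review bot: with `$OPTARGS /dev/%I` in patch 0002, the device node is now always appended after whatever the EnvironmentFile supplies, so a BSP that previously passed the device through OPTARGS (with the old `tee-supplicant $OPTARGS` line that was the only way to do it) would hand tee-supplicant two positional arguments; the patch description or the default EnvironmentFile should state that OPTARGS is for options only. Using `%I` rather than `%i` is right here, since the udev rule starts `tee-supplicant@%k.service` with the plain kernel name and no escaping is involved.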
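Review bot: the deleted `projectroot/usr/lib/systemd/system/tee-supplicant.service` ran tee-supplicant as root with `Type=simple` and no device argument; its replacement runs as `@CFG_TEE_SUPPL_USER@:@CFG_TEE_SUPPL_GROUP@` with `Type=notify` and a per-device instance. That privilege drop is the security-relevant part of the change and deserves a sentence in the commit message, together with the consequence that RPMB and `/dev/teepriv*` access now hinges on the group ownership set by the udev rule rather than on running as root.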
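Review bot: the dependency in the `rules/optee-client.in` hunk is one-directional: OPTEE_CLIENT_UDEV selects OPTEE_CLIENT_SYSTEMD_UNIT, but OPTEE_CLIENT_SYSTEMD_UNIT can still be enabled with OPTEE_CLIENT_UDEV off (or without UDEV at all), and since the `multi-user.target.wants` link is gone nothing then instantiates `tee-supplicant@<dev>.service`; either add `depends on OPTEE_CLIENT_UDEV` or say in the help text that the template is only started through the udev trigger. The help text should also read "a udev rule" rather than "an udev rule", and it could state that the 'tee', 'teepriv' and 'teesuppl' accounts are not checked at build time, so a BSP that forgets them only notices at runtime when the device nodes keep their root group or the service cannot switch user.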
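Review bot: the `install_alternative` line in the `rules/optee-client.make` hunk hard-codes `/usr/lib/udev/rules.d/60-optee-udev.rules`, whereas patch 0003 makes the `60-` prefix a CMake cache variable (CFG_UDEV_RULESPREFIX); the configure options do not pass it, so the default applies today, but passing `-DCFG_UDEV_RULESPREFIX=60-` explicitly next to the new `-DUDEV_UDEV_DIR="/usr/lib/udev/rules.d"` would keep the two from drifting apart. The same applies to UDEV_UDEV_DIR itself, which is now fixed in two places (the CMake option and the install path) and would be easier to keep in sync through a single make variable.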
