From: Holger Assmann
To: ptxdist@pengutronix.de
Cc: Holger Assmann
Date: Thu, 11 Dec 2025 11:21:43 +0100
Message-ID: <20251211102143.1411156-1-h.assmann@pengutronix.de>
Subject: [ptxdist] [PATCH] optee-client: use upstream udev rule and systemd template

Since optee-client version 4.4.0, the sources include a udev rule and a systemd service file template in order to start tee-supplicant and manage access to (OP-)TEE devices. Recent upstream changes have streamlined this constellation and made it usable in a BSP without additional setup required. As these changes are not part of a proper release yet, we include them in a patch stack for optee-client v4.8.0.

This commit removes the PTXdist downstream "tee-supplicant.service" in favour of the upstream solution:

- The udev rule changes group ownership of every "/dev/tee*" device to "tee" and of every "/dev/teepriv*" device as well as any eMMC RPMB partition to "teepriv". These group names are build-time options and were already introduced to PTXdist with commit a06d32d59aa.

- The systemd service template derives instances for every "/dev/teepriv*" device and starts a dedicated process of tee-supplicant. It is triggered by the aforementioned udev rule and executes as "teesuppl:teesuppl".
Signed-off-by: Holger Assmann --- ...dd-missing-rule-for-the-mmcblk-0-9-r.patch | 30 +++++++++++++ ...dd-device-instance-as-start-paramete.patch | 32 +++++++++++++ ...nt-add-priority-prefix-for-udev-rule.patch | 45 +++++++++++++++++++ patches/optee-client-4.8.0/series | 6 +++ .../lib/systemd/system/tee-supplicant.service | 9 ---- rules/optee-client.in | 20 +++++++++ rules/optee-client.make | 13 +++--- 7 files changed, 141 insertions(+), 14 deletions(-) create mode 100644 patches/optee-client-4.8.0/0001-tee-supplicant-add-missing-rule-for-the-mmcblk-0-9-r.patch create mode 100644 patches/optee-client-4.8.0/0002-tee-supplicant-add-device-instance-as-start-paramete.patch create mode 100644 patches/optee-client-4.8.0/0003-tee-supplicant-add-priority-prefix-for-udev-rule.patch create mode 100644 patches/optee-client-4.8.0/series delete mode 100644 projectroot/usr/lib/systemd/system/tee-supplicant.service diff --git a/patches/optee-client-4.8.0/0001-tee-supplicant-add-missing-rule-for-the-mmcblk-0-9-r.patch b/patches/optee-client-4.8.0/0001-tee-supplicant-add-missing-rule-for-the-mmcblk-0-9-r.patch new file mode 100644 index 000000000..c25abac94 --- /dev/null +++ b/patches/optee-client-4.8.0/0001-tee-supplicant-add-missing-rule-for-the-mmcblk-0-9-r.patch 
@@ -0,0 +1,30 @@ +From: Marco Felsch +Date: Sat, 8 Nov 2025 02:21:18 +0100 +Subject: [PATCH] tee-supplicant: add missing rule for the mmcblk[0-9]rpmb + group + +Fix rootless tee-supplicant handling for RPMB use-case. The RPMB +communcation fails badly if the in-kernel RPMB handling was not enabled +and the rootless tee-supplicant is used because the default group for +the /dev/mmcblk[0-9]rpmb is 'root'. + +Set the group to same group used for /dev/teepriv[0-9] to fix this and +to allow rootless tee-supplicant usage with legacy user-space RPMB +handling. + +Signed-off-by: Marco Felsch +--- + tee-supplicant/optee-udev.rules.in | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tee-supplicant/optee-udev.rules.in b/tee-supplicant/optee-udev.rules.in +index 275e83388efd..e28fb40c4040 100644 +--- a/tee-supplicant/optee-udev.rules.in ++++ b/tee-supplicant/optee-udev.rules.in +@@ -5,3 +5,6 @@ KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="@CFG_TEE_GROUP@", TAG+="s + # tee-supplicant.service with the device name as parameter + KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="@CFG_TEEPRIV_GROUP@", \ + TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service" ++ ++ACTION=="add", SUBSYSTEM=="mmc_rpmb", KERNEL=="mmcblk[0-9]rpmb", \ ++ GROUP="@CFG_TEEPRIV_GROUP@" diff --git a/patches/optee-client-4.8.0/0002-tee-supplicant-add-device-instance-as-start-paramete.patch b/patches/optee-client-4.8.0/0002-tee-supplicant-add-device-instance-as-start-paramete.patch new file mode 100644 index 000000000..6dfc29329 --- /dev/null +++ b/patches/optee-client-4.8.0/0002-tee-supplicant-add-device-instance-as-start-paramete.patch 
@@ -0,0 +1,32 @@ +From: Holger Assmann +Date: Mon, 1 Dec 2025 10:35:22 +0100 +Subject: [PATCH] tee-supplicant: add device instance as start parameter for + service file + +tee-supplicant requires a device name as a positional argument. This can +not be provided via $OPTARGS from the EnvironmentFile, since that +variable does not account for the service file being a template where +instance-specific services (i.e. @teepriv0, @teepriv1, ...) are derived +from. + +Therefore, the device instance used for each templated systemd service +needs to be included directly in the ExecStart line. + +Signed-off-by: Holger Assmann +Acked-by: Jerome Forissier +--- + tee-supplicant/tee-supplicant@.service.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tee-supplicant/tee-supplicant@.service.in b/tee-supplicant/tee-supplicant@.service.in +index e53a9357f01f..7e10e1d753a4 100644 +--- a/tee-supplicant/tee-supplicant@.service.in ++++ b/tee-supplicant/tee-supplicant@.service.in +@@ -12,6 +12,6 @@ Type=notify + User=@CFG_TEE_SUPPL_USER@ + Group=@CFG_TEE_SUPPL_GROUP@ + EnvironmentFile=-@CMAKE_INSTALL_SYSCONFDIR@/default/tee-supplicant +-ExecStart=@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_SBINDIR@/tee-supplicant $OPTARGS ++ExecStart=@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_SBINDIR@/tee-supplicant $OPTARGS /dev/%I + # Workaround for fTPM TA: stop kernel module before tee-supplicant + ExecStop=-/bin/sh -c "/sbin/modprobe -v -r tpm_ftpm_tee ; /bin/kill $MAINPID" diff --git a/patches/optee-client-4.8.0/0003-tee-supplicant-add-priority-prefix-for-udev-rule.patch b/patches/optee-client-4.8.0/0003-tee-supplicant-add-priority-prefix-for-udev-rule.patch new file mode 100644 index 000000000..3359d2db7 --- /dev/null +++ b/patches/optee-client-4.8.0/0003-tee-supplicant-add-priority-prefix-for-udev-rule.patch 
@@ -0,0 +1,45 @@ +From: Holger Assmann +Date: Mon, 1 Dec 2025 09:31:12 +0100 +Subject: [PATCH] tee-supplicant: add priority prefix for udev rule + +The manpage of udev states that "All rule files are read in lexical +order." This coincides with the established convention of assigning a +two-digit priority prefix in front of the respective rule file name. + +In case of "optee-udev.rules", we are currently missing that prefix. +When looking for context, it seems suitable to choose a priority in the +realm of the already existing "60-tpm-udev.rules", since that serves a +similar purpose like the rule for optee-client. + +This commit hence changes the installed rule file name to +"60-optee-udev.rules", with "60-" being a configurable default value. + +Signed-off-by: Holger Assmann +Acked-by: Jerome Forissier +--- + tee-supplicant/CMakeLists.txt | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/tee-supplicant/CMakeLists.txt b/tee-supplicant/CMakeLists.txt +index b47d4e377e98..5a8b387f9a7d 100644 +--- a/tee-supplicant/CMakeLists.txt ++++ b/tee-supplicant/CMakeLists.txt +@@ -18,6 +18,7 @@ set(CFG_TEE_FS_PARENT_PATH "${CMAKE_INSTALL_LOCALSTATEDIR}/lib/tee" CACHE STRING + # FIXME: Why do we have if defined(CFG_GP_SOCKETS) && CFG_GP_SOCKETS == 1 in the c-file? 
+ set(CFG_GP_SOCKETS "1" CACHE STRING "Enable GlobalPlatform Socket API support") + set(CFG_TEE_PLUGIN_LOAD_PATH "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}/${PROJECT_NAME}/plugins/" CACHE STRING "tee-supplicant's plugins path") ++set(CFG_UDEV_RULESPREFIX "60-" CACHE STRING "Priority prefix for udev rule") + + set(CFG_TEE_GROUP "tee" CACHE STRING "Group which has access to /dev/tee* devices") + set(CFG_TEEPRIV_GROUP "teepriv" CACHE STRING "Group which has access to /dev/teepriv* devices") +@@ -150,6 +151,6 @@ if (CFG_ENABLE_SYSTEMD) + install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/tee-supplicant@.service DESTINATION ${SYSTEMD_UNIT_DIR}) + endif() + if (CFG_ENABLE_UDEV) +- configure_file(optee-udev.rules.in optee-udev.rules @ONLY) +- install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/optee-udev.rules DESTINATION ${UDEV_UDEV_DIR}) +-endif() +\ No newline at end of file ++ configure_file(optee-udev.rules.in ${CFG_UDEV_RULESPREFIX}optee-udev.rules @ONLY) ++ install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/${CFG_UDEV_RULESPREFIX}optee-udev.rules DESTINATION ${UDEV_UDEV_DIR}) ++endif() diff --git a/patches/optee-client-4.8.0/series b/patches/optee-client-4.8.0/series new file mode 100644 index 000000000..8a0a2fbb5 --- /dev/null +++ b/patches/optee-client-4.8.0/series @@ -0,0 +1,6 @@ +# generated by git-ptx-patches +#tag:base --start-number 1 +0001-tee-supplicant-add-missing-rule-for-the-mmcblk-0-9-r.patch +0002-tee-supplicant-add-device-instance-as-start-paramete.patch +0003-tee-supplicant-add-priority-prefix-for-udev-rule.patch +# eb1647eb8fde26a3ed3fb30aa6c42307 - git-ptx-patches magic diff --git a/projectroot/usr/lib/systemd/system/tee-supplicant.service b/projectroot/usr/lib/systemd/system/tee-supplicant.service deleted file mode 100644 index 714851573..000000000 --- a/projectroot/usr/lib/systemd/system/tee-supplicant.service +++ /dev/null 
@@ -1,9 +0,0 @@ -[Unit] -Description=TEE Supplicant - -[Service] -Type=simple -ExecStart=/usr/sbin/tee-supplicant - -[Install] -WantedBy=multi-user.target diff --git a/rules/optee-client.in b/rules/optee-client.in index baa84f9c9..e1fe59efe 100644 --- a/rules/optee-client.in +++ b/rules/optee-client.in @@ -16,11 +16,31 @@ menuconfig OPTEE_CLIENT if OPTEE_CLIENT +config OPTEE_CLIENT_UDEV + bool + default y + depends on UDEV + select OPTEE_CLIENT_SYSTEMD_UNIT + prompt "permission handling and systemd trigger" + help + optee-client comes with an udev rule that defines the group ownership + of any '/dev/tee*' to 'tee' and of any '/dev/teepriv*' device as well + as the RPMB partition of any eMMC to 'teepriv'. The respective groups + have to be defined within the BSP. + The udev rule further instantiates a systemd service for every TEE + device. + config OPTEE_CLIENT_SYSTEMD_UNIT bool default y depends on SYSTEMD prompt "install systemd service file for tee-supplicant" + help + optee-client comes with a systemd service template to start a TEE- + device specific instance of tee-supplicant. + tee-supplicant is intended to run with a dedicated user/group + setting: 'teesuppl:teesuppl'. This has to be defined within the BSP. + Note that 'teesuppl' has also to be part of group 'teepriv'. config OPTEE_CLIENT_SUPPLICANT_PLUGINS bool diff --git a/rules/optee-client.make b/rules/optee-client.make index ecf7cdb04..32f1e425c 100644 --- a/rules/optee-client.make +++ b/rules/optee-client.make @@ -33,8 +33,8 @@ OPTEE_CLIENT_CONF_TOOL := cmake OPTEE_CLIENT_CONF_OPT := \ $(CROSS_CMAKE_USR) \ -DBUILD_SHARED_LIBS=ON \ - -DCFG_ENABLE_SYSTEMD=OFF \ - -DCFG_ENABLE_UDEV=OFF \ + -DCFG_ENABLE_SYSTEMD=$(call ptx/onoff, PTXCONF_OPTEE_CLIENT_SYSTEMD_UNIT) \ + -DCFG_ENABLE_UDEV=$(call ptx/onoff, PTXCONF_OPTEE_CLIENT_UDEV) \ -DCFG_FTRACE_SUPPORT=ON \ -DCFG_GP_SOCKETS=1 \ -DCFG_TA_GPROF_SUPPORT=ON \ 
@@ -52,6 +52,7 @@ OPTEE_CLIENT_CONF_OPT := \ -DCFG_USE_PKGCONFIG=OFF \ -DCFG_WERROR=ON \ -DRPMB_EMU=$(call ptx/onoff, PTXCONF_OPTEE_CLIENT_SUPPLICANT_RPMB_EMULATION) \ + -DUDEV_UDEV_DIR="/usr/lib/udev/rules.d" \ -DWITH_TEEACL=ON # ---------------------------------------------------------------------------- @@ -70,11 +71,13 @@ $(STATEDIR)/optee-client.targetinstall: @$(call install_lib, optee-client, 0, 0, 0644, libteec) @$(call install_lib, optee-client, 0, 0, 0644, libckteec) @$(call install_copy, optee-client, 0, 0, 0755, -, /usr/sbin/tee-supplicant) +ifdef PTXCONF_OPTEE_CLIENT_UDEV + @$(call install_alternative, optee-client, 0, 0, 0644, \ + /usr/lib/udev/rules.d/60-optee-udev.rules) +endif ifdef PTXCONF_OPTEE_CLIENT_SYSTEMD_UNIT @$(call install_alternative, optee-client, 0, 0, 0644, \ - /usr/lib/systemd/system/tee-supplicant.service) - @$(call install_link, optee-client, ../tee-supplicant.service,\ - /usr/lib/systemd/system/multi-user.target.wants/tee-supplicant.service) + /usr/lib/systemd/system/tee-supplicant@.service) endif @$(call install_finish, optee-client) -- 2.47.3
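Review bot: in the udev hunk of 0001-tee-supplicant-add-missing-rule-for-the-mmcblk-0-9-r.patch, the new `SUBSYSTEM=="mmc_rpmb"` rule sets only `GROUP="@CFG_TEEPRIV_GROUP@"` and leaves MODE and OWNER to whatever earlier rules or the udev default assign, whereas the neighbouring `tee[0-9]*` and `teepriv[0-9]*` rules pin `MODE="0660", OWNER="root"` explicitly. Since this line is what hands the teepriv group access to the RPMB device, the resulting permission should be stated in the rule itself rather than depend on rule ordering; suggest `MODE="0660", OWNER="root", GROUP="@CFG_TEEPRIV_GROUP@"` to match the other two lines. The embedded commit text also reads "communcation" for "communication", which is worth fixing in the patch header before it travels further.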
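Review bot: in the rules/optee-client.in hunk, `select OPTEE_CLIENT_SYSTEMD_UNIT` under OPTEE_CLIENT_UDEV does not honour the selected symbol's `depends on SYSTEMD`, so a BSP with UDEV enabled and SYSTEMD disabled still ends up with OPTEE_CLIENT_SYSTEMD_UNIT=y and, through the make hunk, with `-DCFG_ENABLE_SYSTEMD=ON` and a unit file installed on a system without systemd. Since the rule's `ENV{SYSTEMD_WANTS}` trigger only has meaning with systemd, `depends on UDEV && SYSTEMD` on OPTEE_CLIENT_UDEV expresses the relationship without the select. Minor: "comes with an udev rule" in the help text should read "comes with a udev rule".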
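Review bot: in the `@@ -52,6 +52,7` hunk of rules/optee-client.make, only `-DUDEV_UDEV_DIR="/usr/lib/udev/rules.d"` is pinned, while the rule file name that targetinstall later expects (`60-optee-udev.rules`) depends on the CFG_UDEV_RULESPREFIX cache default introduced by 0003-tee-supplicant-add-priority-prefix-for-udev-rule.patch. If that default is ever overridden, the configured file name and the hardcoded install path diverge and install_alternative fails. Passing `-DCFG_UDEV_RULESPREFIX=60-` explicitly next to the UDEV_UDEV_DIR line keeps both halves of the contract in one place in the PTXdist rule.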
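Review bot: in the `@@ -70,11 +71,13` targetinstall hunk, dropping the `multi-user.target.wants/tee-supplicant.service` link removes the only boot-time activation of tee-supplicant; the new `tee-supplicant@.service` template is started solely by the udev rule's `ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"`. With OPTEE_CLIENT_SYSTEMD_UNIT=y but OPTEE_CLIENT_UDEV unset (for example because UDEV is not part of the BSP), the template is installed and nothing ever instantiates it. Either make OPTEE_CLIENT_SYSTEMD_UNIT depend on OPTEE_CLIENT_UDEV, or state in its help text that the service is only triggered via the udev rule so the behaviour change from the deleted projectroot unit is visible to BSP maintainers.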