mailarchive of the ptxdist mailing list
* [ptxdist] [PATCH] optee-client: use upstream udev rule and systemd template
@ 2025-12-11 10:21 Holger Assmann
From: Holger Assmann @ 2025-12-11 10:21 UTC (permalink / raw)
  To: ptxdist; +Cc: Holger Assmann

Since optee-client version 4.4.0, the sources include a udev rule and a
systemd service file template in order to start tee-supplicant and
manage access to (OP-)TEE devices. Recent upstream changes have
streamlined this constellation and made it usable in a BSP without
additional setup required.

As these changes are not part of a proper release yet, we include them
in a patch stack for optee-client v4.8.0.

This commit removes the PTXdist downstream "tee-supplicant.service" in
favour of the upstream solution:

- The udev rule changes group ownership of every "/dev/tee*" device to
  "tee" and of every "/dev/teepriv*" as well as any eMMC RPMB partition
  to "teepriv". These group names are build-time options and were already
  introduced to PTXdist with commit a06d32d59aa.
- The systemd service template derives instances for every "/dev/teepriv*"
  device and starts a dedicated process of tee-supplicant. It is triggered
  by the aforementioned udev rule and executes as "teesuppl:teesuppl".

Signed-off-by: Holger Assmann <h.assmann@pengutronix.de>
---
 ...dd-missing-rule-for-the-mmcblk-0-9-r.patch | 30 +++++++++++++
 ...dd-device-instance-as-start-paramete.patch | 32 +++++++++++++
 ...nt-add-priority-prefix-for-udev-rule.patch | 45 +++++++++++++++++++
 patches/optee-client-4.8.0/series             |  6 +++
 .../lib/systemd/system/tee-supplicant.service |  9 ----
 rules/optee-client.in                         | 20 +++++++++
 rules/optee-client.make                       | 13 +++---
 7 files changed, 141 insertions(+), 14 deletions(-)
 create mode 100644 patches/optee-client-4.8.0/0001-tee-supplicant-add-missing-rule-for-the-mmcblk-0-9-r.patch
 create mode 100644 patches/optee-client-4.8.0/0002-tee-supplicant-add-device-instance-as-start-paramete.patch
 create mode 100644 patches/optee-client-4.8.0/0003-tee-supplicant-add-priority-prefix-for-udev-rule.patch
 create mode 100644 patches/optee-client-4.8.0/series
 delete mode 100644 projectroot/usr/lib/systemd/system/tee-supplicant.service

diff --git a/patches/optee-client-4.8.0/0001-tee-supplicant-add-missing-rule-for-the-mmcblk-0-9-r.patch b/patches/optee-client-4.8.0/0001-tee-supplicant-add-missing-rule-for-the-mmcblk-0-9-r.patch
new file mode 100644
index 000000000..c25abac94
--- /dev/null
+++ b/patches/optee-client-4.8.0/0001-tee-supplicant-add-missing-rule-for-the-mmcblk-0-9-r.patch
@@ -0,0 +1,30 @@
+From: Marco Felsch <m.felsch@pengutronix.de>
+Date: Sat, 8 Nov 2025 02:21:18 +0100
+Subject: [PATCH] tee-supplicant: add missing rule for the mmcblk[0-9]rpmb
+ group
+
+Fix rootless tee-supplicant handling for RPMB use-case. The RPMB
+communcation fails badly if the in-kernel RPMB handling was not enabled
+and the rootless tee-supplicant is used because the default group for
+the /dev/mmcblk[0-9]rpmb is 'root'.
+
+Set the group to same group used for /dev/teepriv[0-9] to fix this and
+to allow rootless tee-supplicant usage with legacy user-space RPMB
+handling.
+
+Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
+---
+ tee-supplicant/optee-udev.rules.in | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tee-supplicant/optee-udev.rules.in b/tee-supplicant/optee-udev.rules.in
+index 275e83388efd..e28fb40c4040 100644
+--- a/tee-supplicant/optee-udev.rules.in
++++ b/tee-supplicant/optee-udev.rules.in
+@@ -5,3 +5,6 @@ KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="@CFG_TEE_GROUP@", TAG+="s
+ # tee-supplicant.service with the device name as parameter
+ KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="@CFG_TEEPRIV_GROUP@", \
+     TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"
++
++ACTION=="add", SUBSYSTEM=="mmc_rpmb", KERNEL=="mmcblk[0-9]rpmb", \
++    GROUP="@CFG_TEEPRIV_GROUP@"
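Review bot: the new mmc_rpmb rule at the end of this hunk matches `KERNEL=="mmcblk[0-9]rpmb"`, i.e. exactly one digit, while the two tee rules above it use `tee[0-9]*` and `teepriv[0-9]*`; an RPMB node such as mmcblk10rpmb would keep its default group, so `mmcblk[0-9]*rpmb` is the consistent spelling. The rule also assigns GROUP= without a MODE=, unlike the tee rules with MODE="0660", so whether the group can actually open the node depends on the mode udev applies by default; stating MODE explicitly makes the intended access visible in the file. Minor: "communcation" in the embedded commit message.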
diff --git a/patches/optee-client-4.8.0/0002-tee-supplicant-add-device-instance-as-start-paramete.patch b/patches/optee-client-4.8.0/0002-tee-supplicant-add-device-instance-as-start-paramete.patch
new file mode 100644
index 000000000..6dfc29329
--- /dev/null
+++ b/patches/optee-client-4.8.0/0002-tee-supplicant-add-device-instance-as-start-paramete.patch
@@ -0,0 +1,32 @@
+From: Holger Assmann <h.assmann@pengutronix.de>
+Date: Mon, 1 Dec 2025 10:35:22 +0100
+Subject: [PATCH] tee-supplicant: add device instance as start parameter for
+ service file
+
+tee-supplicant requires a device name as a positional argument. This can
+not be provided via $OPTARGS from the EnvironmentFile, since that
+variable does not account for the service file being a template where
+instance-specific services (i.e. @teepriv0, @teepriv1, ...) are derived
+from.
+
+Therefore, the device instance used for each templated systemd service
+needs to be included directly in the ExecStart line.
+
+Signed-off-by: Holger Assmann <h.assmann@pengutronix.de>
+Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
+---
+ tee-supplicant/tee-supplicant@.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tee-supplicant/tee-supplicant@.service.in b/tee-supplicant/tee-supplicant@.service.in
+index e53a9357f01f..7e10e1d753a4 100644
+--- a/tee-supplicant/tee-supplicant@.service.in
++++ b/tee-supplicant/tee-supplicant@.service.in
+@@ -12,6 +12,6 @@ Type=notify
+ User=@CFG_TEE_SUPPL_USER@
+ Group=@CFG_TEE_SUPPL_GROUP@
+ EnvironmentFile=-@CMAKE_INSTALL_SYSCONFDIR@/default/tee-supplicant
+-ExecStart=@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_SBINDIR@/tee-supplicant $OPTARGS
++ExecStart=@CMAKE_INSTALL_PREFIX@/@CMAKE_INSTALL_SBINDIR@/tee-supplicant $OPTARGS /dev/%I
+ # Workaround for fTPM TA: stop kernel module before tee-supplicant
+ ExecStop=-/bin/sh -c "/sbin/modprobe -v -r tpm_ftpm_tee ; /bin/kill $MAINPID"
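Review bot: the new ExecStart relies on the instance name being a bare kernel name, because `/dev/%I` is only a valid path when the udev rule passes `%k` (teepriv0, teepriv1, ...) into `tee-supplicant@%k.service`; a one-line comment above ExecStart noting that the instance must be the kernel name of the teepriv device would document that coupling between the rule file and the template. Minor: the commit message's "i.e. @teepriv0, @teepriv1, ..." lists examples, so "e.g." is meant.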
diff --git a/patches/optee-client-4.8.0/0003-tee-supplicant-add-priority-prefix-for-udev-rule.patch b/patches/optee-client-4.8.0/0003-tee-supplicant-add-priority-prefix-for-udev-rule.patch
new file mode 100644
index 000000000..3359d2db7
--- /dev/null
+++ b/patches/optee-client-4.8.0/0003-tee-supplicant-add-priority-prefix-for-udev-rule.patch
@@ -0,0 +1,45 @@
+From: Holger Assmann <h.assmann@pengutronix.de>
+Date: Mon, 1 Dec 2025 09:31:12 +0100
+Subject: [PATCH] tee-supplicant: add priority prefix for udev rule
+
+The manpage of udev states that "All rule files are read in lexical
+order." This coincides with the established convention of assigning a
+two-digit priority prefix in front of the respective rule file name.
+
+In case of "optee-udev.rules", we are currently missing that prefix.
+When looking for context, it seems suitable to choose a priority in the
+realm of the already existing "60-tpm-udev.rules", since that serves a
+similar purpose like the rule for optee-client.
+
+This commit hence changes the installed rule file name to
+"60-optee-udev.rules", with "60-" being a configurable default value.
+
+Signed-off-by: Holger Assmann <h.assmann@pengutronix.de>
+Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
+---
+ tee-supplicant/CMakeLists.txt | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/tee-supplicant/CMakeLists.txt b/tee-supplicant/CMakeLists.txt
+index b47d4e377e98..5a8b387f9a7d 100644
+--- a/tee-supplicant/CMakeLists.txt
++++ b/tee-supplicant/CMakeLists.txt
+@@ -18,6 +18,7 @@ set(CFG_TEE_FS_PARENT_PATH "${CMAKE_INSTALL_LOCALSTATEDIR}/lib/tee" CACHE STRING
+ # FIXME: Why do we have if defined(CFG_GP_SOCKETS) && CFG_GP_SOCKETS == 1 in the c-file?
+ set(CFG_GP_SOCKETS "1" CACHE STRING "Enable GlobalPlatform Socket API support")
+ set(CFG_TEE_PLUGIN_LOAD_PATH "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}/${PROJECT_NAME}/plugins/" CACHE STRING "tee-supplicant's plugins path")
++set(CFG_UDEV_RULESPREFIX "60-" CACHE STRING "Priority prefix for udev rule")
+ 
+ set(CFG_TEE_GROUP "tee" CACHE STRING "Group which has access to /dev/tee* devices")
+ set(CFG_TEEPRIV_GROUP "teepriv" CACHE STRING "Group which has access to /dev/teepriv* devices")
+@@ -150,6 +151,6 @@ if (CFG_ENABLE_SYSTEMD)
+ 	install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/tee-supplicant@.service DESTINATION ${SYSTEMD_UNIT_DIR})
+ endif()
+ if (CFG_ENABLE_UDEV)
+-	configure_file(optee-udev.rules.in optee-udev.rules @ONLY)
+-	install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/optee-udev.rules DESTINATION ${UDEV_UDEV_DIR})
+-endif()
+\ No newline at end of file
++	configure_file(optee-udev.rules.in ${CFG_UDEV_RULESPREFIX}optee-udev.rules @ONLY)
++	install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/${CFG_UDEV_RULESPREFIX}optee-udev.rules DESTINATION ${UDEV_UDEV_DIR})
++endif()
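Review bot: the help string of the new `CFG_UDEV_RULESPREFIX` cache variable ("Priority prefix for udev rule") does not carry the constraint the commit message gives, namely that the file has to sort after the distribution defaults (50-udev-default.rules) so that its GROUP assignments are the last ones applied; a value such as "10-" is accepted silently. Suggest extending the help string to say the prefix must be greater than "50-". The trailing-newline fix in the `endif()` line is a welcome side effect.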
diff --git a/patches/optee-client-4.8.0/series b/patches/optee-client-4.8.0/series
new file mode 100644
index 000000000..8a0a2fbb5
--- /dev/null
+++ b/patches/optee-client-4.8.0/series
@@ -0,0 +1,6 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-tee-supplicant-add-missing-rule-for-the-mmcblk-0-9-r.patch
+0002-tee-supplicant-add-device-instance-as-start-paramete.patch
+0003-tee-supplicant-add-priority-prefix-for-udev-rule.patch
+# eb1647eb8fde26a3ed3fb30aa6c42307  - git-ptx-patches magic
diff --git a/projectroot/usr/lib/systemd/system/tee-supplicant.service b/projectroot/usr/lib/systemd/system/tee-supplicant.service
deleted file mode 100644
index 714851573..000000000
--- a/projectroot/usr/lib/systemd/system/tee-supplicant.service
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=TEE Supplicant
-
-[Service]
-Type=simple
-ExecStart=/usr/sbin/tee-supplicant
-
-[Install]
-WantedBy=multi-user.target
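Review bot: removing the downstream unit also changes the security posture, since this unit ran tee-supplicant as root with Type=simple and no device argument, whereas the upstream template runs as teesuppl:teesuppl with Type=notify per device; that is worth a sentence in the commit message for BSPs that carried a local copy of projectroot/usr/lib/systemd/system/tee-supplicant.service or a multi-user.target.wants link, because those overrides are no longer installed and a stale copy would start the supplicant as root again.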
diff --git a/rules/optee-client.in b/rules/optee-client.in
index baa84f9c9..e1fe59efe 100644
--- a/rules/optee-client.in
+++ b/rules/optee-client.in
@@ -16,11 +16,31 @@ menuconfig OPTEE_CLIENT
 
 if OPTEE_CLIENT
 
+config OPTEE_CLIENT_UDEV
+	bool
+	default y
+	depends on UDEV
+	select OPTEE_CLIENT_SYSTEMD_UNIT
+	prompt "permission handling and systemd trigger"
+	help
+	  optee-client comes with an udev rule that defines the group ownership
+	  of any '/dev/tee*' to 'tee' and of any '/dev/teepriv*' device as well
+	  as the RPMB partition of any eMMC to 'teepriv'. The respective groups
+	  have to be defined within the BSP.
+	  The udev rule further instantiates a systemd service for every TEE
+	  device.
+
 config OPTEE_CLIENT_SYSTEMD_UNIT
 	bool
 	default y
 	depends on SYSTEMD
 	prompt "install systemd service file for tee-supplicant"
+	help
+	  optee-client comes with a systemd service template to start a TEE-
+	  device specific instance of tee-supplicant.
+	  tee-supplicant is intended to run with a dedicated user/group
+	  setting: 'teesuppl:teesuppl'. This has to be defined within the BSP.
+	  Note that 'teesuppl' has also to be part of group 'teepriv'.
 
 config OPTEE_CLIENT_SUPPLICANT_PLUGINS
 	bool
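Review bot: OPTEE_CLIENT_UDEV selects OPTEE_CLIENT_SYSTEMD_UNIT, but not the other way round, so a BSP with SYSTEMD but without UDEV installs tee-supplicant@.service and nothing ever instantiates it (the multi-user.target.wants link is dropped and a template unit has no instances of its own). Either let OPTEE_CLIENT_SYSTEMD_UNIT depend on OPTEE_CLIENT_UDEV or state in its help text that the udev rule is what starts the instances. Minor: "an udev rule" should read "a udev rule", and "TEE-\n  device specific" should be "TEE-device-specific".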
diff --git a/rules/optee-client.make b/rules/optee-client.make
index ecf7cdb04..32f1e425c 100644
--- a/rules/optee-client.make
+++ b/rules/optee-client.make
@@ -33,8 +33,8 @@ OPTEE_CLIENT_CONF_TOOL	:= cmake
 OPTEE_CLIENT_CONF_OPT	:= \
 	$(CROSS_CMAKE_USR) \
 	-DBUILD_SHARED_LIBS=ON \
-	-DCFG_ENABLE_SYSTEMD=OFF \
-	-DCFG_ENABLE_UDEV=OFF \
+	-DCFG_ENABLE_SYSTEMD=$(call ptx/onoff, PTXCONF_OPTEE_CLIENT_SYSTEMD_UNIT) \
+	-DCFG_ENABLE_UDEV=$(call ptx/onoff, PTXCONF_OPTEE_CLIENT_UDEV) \
 	-DCFG_FTRACE_SUPPORT=ON \
 	-DCFG_GP_SOCKETS=1 \
 	-DCFG_TA_GPROF_SUPPORT=ON \
@@ -52,6 +52,7 @@ OPTEE_CLIENT_CONF_OPT	:= \
 	-DCFG_USE_PKGCONFIG=OFF \
 	-DCFG_WERROR=ON \
 	-DRPMB_EMU=$(call ptx/onoff, PTXCONF_OPTEE_CLIENT_SUPPLICANT_RPMB_EMULATION) \
+	-DUDEV_UDEV_DIR="/usr/lib/udev/rules.d" \
 	-DWITH_TEEACL=ON
 
 # ----------------------------------------------------------------------------
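Review bot: this hunk pins `UDEV_UDEV_DIR` but not `SYSTEMD_UNIT_DIR`, which the CMakeLists.txt hunk above uses as the install destination for tee-supplicant@.service; with `-DCFG_USE_PKGCONFIG=OFF` already in the same option list, the cmake-detected value is not guaranteed to be /usr/lib/systemd/system, which is the path the targetinstall stage expects. Suggest adding `-DSYSTEMD_UNIT_DIR="/usr/lib/systemd/system"` next to the UDEV_UDEV_DIR line.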
@@ -70,11 +71,13 @@ $(STATEDIR)/optee-client.targetinstall:
 	@$(call install_lib, optee-client, 0, 0, 0644, libteec)
 	@$(call install_lib, optee-client, 0, 0, 0644, libckteec)
 	@$(call install_copy, optee-client, 0, 0, 0755, -, /usr/sbin/tee-supplicant)
+ifdef PTXCONF_OPTEE_CLIENT_UDEV
+	@$(call install_alternative, optee-client, 0, 0, 0644, \
+		/usr/lib/udev/rules.d/60-optee-udev.rules)
+endif
 ifdef PTXCONF_OPTEE_CLIENT_SYSTEMD_UNIT
 	@$(call install_alternative, optee-client, 0, 0, 0644, \
-		/usr/lib/systemd/system/tee-supplicant.service)
-	@$(call install_link, optee-client, ../tee-supplicant.service,\
-		/usr/lib/systemd/system/multi-user.target.wants/tee-supplicant.service)
+		/usr/lib/systemd/system/tee-supplicant@.service)
 endif
 
 	@$(call install_finish, optee-client)
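Review bot: `/usr/lib/udev/rules.d/60-optee-udev.rules` hard-codes the "60-" prefix that patch 0003 makes configurable through `CFG_UDEV_RULESPREFIX`, while OPTEE_CLIENT_CONF_OPT does not pass that variable; if the upstream default ever changes, install_alternative will fail on a missing file. Suggest passing `-DCFG_UDEV_RULESPREFIX=60-` explicitly in the conf options, or deriving both from one make variable.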
-- 
2.47.3
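To see which group, mode and systemd instance the patched rule file assigns to a given device, here is an added example (not from the mail and not part of optee-client) that evaluates the three rules from patch 0001 against constructed uevents with a minimal udev-rule matcher. It assumes the @CFG_TEE_GROUP@ and @CFG_TEEPRIV_GROUP@ placeholders take the PTXdist defaults tee and teepriv, omits the tail of the first rule that the hunk header cuts off, and models udev's usual semantics (rules in order, a later `=` overwrites, `+=` appends).

```python
"""Miniature udev-rule evaluator for the optee-udev.rules lines in patch 0001.

Added example, not code from the mail or from optee-client. It supports only
the syntax that rule file uses (ACTION/SUBSYSTEM/KERNEL matches with globs,
GROUP/OWNER/MODE/TAG/ENV assignments, backslash line continuation).
"""
import fnmatch
import re

# Rule text taken from the patch, with @CFG_TEE_GROUP@/@CFG_TEEPRIV_GROUP@
# replaced by the PTXdist defaults. The tail of the first rule is cut off in
# the hunk header, so only its visible assignments are reproduced here.
RULES_TEXT = r'''
KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="tee"
# tee-supplicant.service with the device name as parameter
KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="teepriv", \
    TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"

ACTION=="add", SUBSYSTEM=="mmc_rpmb", KERNEL=="mmcblk[0-9]rpmb", \
    GROUP="teepriv"
'''

# KEY or ENV{NAME}, one of the udev operators, and a double-quoted value.
TOKEN = re.compile(r'(\w+(?:\{\w+\})?)\s*(==|!=|\+=|:=|=)\s*"([^"]*)"')


def parse_rules(text):
    """Return a list of rules; each rule is a list of (key, op, value)."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # rule continues on the next line
            pending += line[:-1] + " "
            continue
        rules.append(TOKEN.findall(pending + line))
        pending = ""
    return rules


def udev_glob(pattern, value):
    """udev patterns: '*', '?', '[...]' and '|'-separated alternatives."""
    return any(fnmatch.fnmatchcase(value, alt) for alt in pattern.split("|"))


def apply_rules(rules, event):
    """Evaluate all rules against one uevent (dict with ACTION, SUBSYSTEM,
    KERNEL) and return the assignments udev would end up with."""
    result = {}
    for rule in rules:
        checks = [(k, op, v) for k, op, v in rule if op in ("==", "!=")]
        if not all(udev_glob(v, event.get(k, "")) == (op == "==")
                   for k, op, v in checks):
            continue                     # one failed match skips the rule
        for key, op, val in rule:
            if op in ("==", "!="):
                continue
            val = val.replace("%k", event["KERNEL"])   # %k = kernel name
            if op == "+=":
                result.setdefault(key, []).append(val)
            else:                        # '=' (':=' is unused in this file)
                result[key] = val
    return result


RULES = parse_rules(RULES_TEXT)


def resolve(kernel, subsystem, action="add"):
    """Assignments for one device node under the patched rule file."""
    return apply_rules(RULES, {"ACTION": action, "SUBSYSTEM": subsystem,
                               "KERNEL": kernel})


if __name__ == "__main__":
    # Constructed uevents: the last two show the ACTION=="add" restriction
    # and the single-digit glob of the RPMB rule.
    for ev in (("tee0", "tee"), ("teepriv0", "tee"),
               ("mmcblk0rpmb", "mmc_rpmb"),
               ("mmcblk0rpmb", "mmc_rpmb", "change"),
               ("mmcblk10rpmb", "mmc_rpmb")):
        print(ev, "->", resolve(*ev))
```

Running it shows that a "change" event (the default action of `udevadm trigger`) and a second eMMC named mmcblk10rpmb both leave the RPMB node with its default group, while the teepriv0 event pulls in tee-supplicant@teepriv0.service.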

* Re: [ptxdist] [APPLIED] optee-client: use upstream udev rule and systemd template
From: Michael Olbrich @ 2025-12-12 14:52 UTC (permalink / raw)
  To: ptxdist; +Cc: Holger Assmann

Thanks, applied as 05cc41f8c966524051d1e759a1743d81a7cc9d01.

Michael

[sent from post-receive hook]

On Fri, 12 Dec 2025 15:52:20 +0100, Holger Assmann <h.assmann@pengutronix.de> wrote:
> Since optee-client version 4.4.0, the sources include a udev rule and a
> systemd service file template in order to start tee-supplicant and
> manage access to (OP-)TEE devices. Recent upstream changes have
> streamlined this constellation and made it usable in a BSP without
> additional setup required.
> 
> As these changes are not part of a proper release yet, we include them
> in a patch stack for optee-client v4.8.0.
> 
> This commit removes the PTXdist downstream "tee-supplicant.service" in
> favour of the upstream solution:
> 
> - The udev rule changes group ownership of every "/dev/tee*" device to
>   "tee" and of every "/dev/teepriv*" as well as any eMMC RPMB partition
>   to "teepriv". These group names are build-time options and were already
>   introduced to PTXdist with commit a06d32d59aa.
> - The systemd service template derives instances for every "/dev/teepriv*"
>   device and starts a dedicated process of tee-supplicant. It is triggered
>   by the aforementioned udev rule and executes as "teesuppl:teesuppl".
> 
> Signed-off-by: Holger Assmann <h.assmann@pengutronix.de>
> Message-Id: <20251211102143.1411156-1-h.assmann@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>