1 files changed, 30 insertions, 13 deletions
diff --git a/recipes-security/optee-imx/optee-client-fslc.inc b/recipes-security/optee-imx/optee-client-fslc.inc
index 455bdd780..70a25fe6c 100644
--- a/recipes-security/optee-imx/optee-client-fslc.inc
+++ b/recipes-security/optee-imx/optee-client-fslc.inc
@@ -1,5 +1,5 @@
 # Copied from meta-arm/recipes-security/optee/optee-client.inc.
-# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L30
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-walnascar/imx-6.12.20-2.0.0.xml#L30
 SUMMARY = "OP-TEE Client API"
 DESCRIPTION = "Open Portable Trusted Execution Environment - Normal World Client side of the TEE"
@@ -8,32 +8,39 @@ HOMEPAGE = "https://www.op-tee.org/"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b"
-inherit systemd update-rc.d cmake
+inherit systemd update-rc.d cmake useradd
 SRC_URI = " \
    git://github.com/OP-TEE/optee_client.git;branch=master;protocol=https \
-    file://tee-supplicant@.service \
    file://tee-supplicant.sh \
 "
 UPSTREAM_CHECK_GITTAGREGEX = "^(?P<pver>\d+(\.\d+)+)$"
-S = "${WORKDIR}/git"
 EXTRA_OECMAKE = " \
    -DBUILD_SHARED_LIBS=ON \
-    -DCFG_TEE_FS_PARENT_PATH='${localstatedir}/lib/tee' \
+    -DCFG_USE_PKGCONFIG=ON \
 "
+# libts uses /dev/tee devices too. Add a common variable to allow configuring the same group.
+TEE_GROUP_NAME ?= "tee"
+EXTRA_OECMAKE += " -DCFG_ENABLE_SYSTEMD=On -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir}/"
+EXTRA_OECMAKE += " -DCFG_ENABLE_UDEV=On -DUDEV_UDEV_DIR=${nonarch_base_libdir}/udev/rules.d/"
+EXTRA_OECMAKE += " -DCFG_TEE_GROUP=${TEE_GROUP_NAME} -DCFG_TEEPRIV_GROUP=teepriv"
 EXTRA_OECMAKE:append:toolchain-clang = " -DCFG_WERROR=0"
 do_install:append() {
-    install -D -p -m0644 ${UNPACKDIR}/tee-supplicant@.service ${D}${systemd_system_unitdir}/tee-supplicant@.service
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
-    install -D -p -m0755 ${UNPACKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant
+        install -D -p -m0755 ${UNPACKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant
+        sed -i -e s:@sysconfdir@:${sysconfdir}:g \
-    sed -i -e s:@sysconfdir@:${sysconfdir}:g \
+               -e s:@sbindir@:${sbindir}:g \
-           -e s:@sbindir@:${sbindir}:g \
+               -e s:@supluser@:teesuppl:g \
-              ${D}${systemd_system_unitdir}/tee-supplicant@.service \
+               -e s:@suplgroup@:teesuppl:g \
-              ${D}${sysconfdir}/init.d/tee-supplicant
+                  ${D}${sysconfdir}/init.d/tee-supplicant
+    fi
+    install -o teesuppl -g teesuppl -m 0700 -d ${D}${localstatedir}/lib/tee
 }
 SYSTEMD_SERVICE:${PN} = "tee-supplicant@.service"
@@ -41,3 +48,13 @@ SYSTEMD_SERVICE:${PN} = "tee-supplicant@.service"
 INITSCRIPT_PACKAGES = "${PN}"
 INITSCRIPT_NAME:${PN} = "tee-supplicant"
 INITSCRIPT_PARAMS:${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ."
+FILES:${PN} += "${nonarch_base_libdir}/udev/rules.d/"
+# Users and groups:
+# TEE_GROUP_NAME group to access /dev/tee*
+# teepriv group to acess /dev/teepriv*, only tee-supplicant
+# teesuppl user and group teesuppl to run tee-supplicant
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "--system ${TEE_GROUP_NAME}; --system teepriv; --system teesuppl"
+USERADD_PARAM:${PN} = "--system -g teesuppl --groups teepriv --home-dir ${localstatedir}/lib/tee -M --shell /sbin/nologin teesuppl;"

diff --git a/recipes-security/optee-imx/optee-client-fslc.inc b/recipes-security/optee-imx/optee-client-fslc.inc index 455bdd780..70a25fe6c 100644 --- a/recipes-security/optee-imx/optee-client-fslc.inc +++ b/recipes-security/optee-imx/optee-client-fslc.inc
@@ -1,5 +1,5 @@
1	# Copied from meta-arm/recipes-security/optee/optee-client.inc.	1	# Copied from meta-arm/recipes-security/optee/optee-client.inc.
2	# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L30	2	# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-walnascar/imx-6.12.20-2.0.0.xml#L30
3		3
4	SUMMARY = "OP-TEE Client API"	4	SUMMARY = "OP-TEE Client API"
5	DESCRIPTION = "Open Portable Trusted Execution Environment - Normal World Client side of the TEE"	5	DESCRIPTION = "Open Portable Trusted Execution Environment - Normal World Client side of the TEE"
@@ -8,32 +8,39 @@ HOMEPAGE = "https://www.op-tee.org/"
8	LICENSE = "BSD-2-Clause"	8	LICENSE = "BSD-2-Clause"
9	LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b"	9	LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b"
10		10
11	inherit systemd update-rc.d cmake	11	inherit systemd update-rc.d cmake useradd
12		12
13	SRC_URI = " \	13	SRC_URI = " \
14	git://github.com/OP-TEE/optee_client.git;branch=master;protocol=https \	14	git://github.com/OP-TEE/optee_client.git;branch=master;protocol=https \
15	file://tee-supplicant@.service \
16	file://tee-supplicant.sh \	15	file://tee-supplicant.sh \
17	"	16	"
18		17
19	UPSTREAM_CHECK_GITTAGREGEX = "^(?P<pver>\d+(\.\d+)+)$"	18	UPSTREAM_CHECK_GITTAGREGEX = "^(?P<pver>\d+(\.\d+)+)$"
20		19
21	S = "${WORKDIR}/git"
22
23	EXTRA_OECMAKE = " \	20	EXTRA_OECMAKE = " \
24	-DBUILD_SHARED_LIBS=ON \	21	-DBUILD_SHARED_LIBS=ON \
25	-DCFG_TEE_FS_PARENT_PATH='${localstatedir}/lib/tee' \	22	-DCFG_USE_PKGCONFIG=ON \
26	"	23	"
		24
		25	# libts uses /dev/tee devices too. Add a common variable to allow configuring the same group.
		26	TEE_GROUP_NAME ?= "tee"
		27
		28	EXTRA_OECMAKE += " -DCFG_ENABLE_SYSTEMD=On -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir}/"
		29	EXTRA_OECMAKE += " -DCFG_ENABLE_UDEV=On -DUDEV_UDEV_DIR=${nonarch_base_libdir}/udev/rules.d/"
		30	EXTRA_OECMAKE += " -DCFG_TEE_GROUP=${TEE_GROUP_NAME} -DCFG_TEEPRIV_GROUP=teepriv"
		31
27	EXTRA_OECMAKE:append:toolchain-clang = " -DCFG_WERROR=0"	32	EXTRA_OECMAKE:append:toolchain-clang = " -DCFG_WERROR=0"
28		33
29	do_install:append() {	34	do_install:append() {
30	install -D -p -m0644 ${UNPACKDIR}/tee-supplicant@.service ${D}${systemd_system_unitdir}/tee-supplicant@.service	35	if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
31	install -D -p -m0755 ${UNPACKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant	36	install -D -p -m0755 ${UNPACKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant
32		37	sed -i -e s:@sysconfdir@:${sysconfdir}:g \
33	sed -i -e s:@sysconfdir@:${sysconfdir}:g \	38	-e s:@sbindir@:${sbindir}:g \
34	-e s:@sbindir@:${sbindir}:g \	39	-e s:@supluser@:teesuppl:g \
35	${D}${systemd_system_unitdir}/tee-supplicant@.service \	40	-e s:@suplgroup@:teesuppl:g \
36	${D}${sysconfdir}/init.d/tee-supplicant	41	${D}${sysconfdir}/init.d/tee-supplicant
		42	fi
		43	install -o teesuppl -g teesuppl -m 0700 -d ${D}${localstatedir}/lib/tee
37	}	44	}
38		45
39	SYSTEMD_SERVICE:${PN} = "tee-supplicant@.service"	46	SYSTEMD_SERVICE:${PN} = "tee-supplicant@.service"
@@ -41,3 +48,13 @@ SYSTEMD_SERVICE:${PN} = "tee-supplicant@.service"
41	INITSCRIPT_PACKAGES = "${PN}"	48	INITSCRIPT_PACKAGES = "${PN}"
42	INITSCRIPT_NAME:${PN} = "tee-supplicant"	49	INITSCRIPT_NAME:${PN} = "tee-supplicant"
43	INITSCRIPT_PARAMS:${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ."	50	INITSCRIPT_PARAMS:${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ."
		51
		52	FILES:${PN} += "${nonarch_base_libdir}/udev/rules.d/"
		53
		54	# Users and groups:
		55	# TEE_GROUP_NAME group to access /dev/tee*
		56	# teepriv group to acess /dev/teepriv*, only tee-supplicant
		57	# teesuppl user and group teesuppl to run tee-supplicant
		58	USERADD_PACKAGES = "${PN}"
		59	GROUPADD_PARAM:${PN} = "--system ${TEE_GROUP_NAME}; --system teepriv; --system teesuppl"
		60	USERADD_PARAM:${PN} = "--system -g teesuppl --groups teepriv --home-dir ${localstatedir}/lib/tee -M --shell /sbin/nologin teesuppl;"