6 files changed, 104 insertions, 11 deletions
diff --git a/recipes-security/optee-imx/optee-client/0001-tee-supplicant-Fix-non-arch-service-unit-install-pat.patch b/recipes-security/optee-imx/optee-client/0001-tee-supplicant-Fix-non-arch-service-unit-install-pat.patch
new file mode 100644
index 000000000..631e08019
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client/0001-tee-supplicant-Fix-non-arch-service-unit-install-pat.patch
@@ -0,0 +1,35 @@
+From 5ffab66dda3e25f0b2ebc5115013c4234d048703 Mon Sep 17 00:00:00 2001
+From: Tom Hochstein <tom.hochstein@nxp.com>
+Date: Mon, 21 Apr 2025 08:47:29 -0500
+Subject: [PATCH] tee-supplicant: Fix non-arch service unit install path
+A 64-bit build with multilib enabled fails:
+```
+ERROR: optee-client-4.4.0-r0 do_package: Didn't find service unit 'tee-supplicant@.service', specified in SYSTEMD_SERVICE:optee-client. Also looked for service unit 'tee-supplicant@.service'.
+```
+The problem is the service unit is installed in the arch-specific folder
+/usr/lib64/systemd/system, but it is non-arch and should be in
+/usr/lib/systemd/system.
+Upstream-Status: Pending
+Signed-off-by: Tom Hochstein <tom.hochstein@nxp.com>
+---
+ tee-supplicant/CMakeLists.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/tee-supplicant/CMakeLists.txt b/tee-supplicant/CMakeLists.txt
+index 8df9bef..3ea058c 100644
+--- a/tee-supplicant/CMakeLists.txt
+++ b/tee-supplicant/CMakeLists.txt
+@@ -119,6 +119,6 @@ endif()
+ ################################################################################
+ install(TARGETS ${PROJECT_NAME} RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR})
+ configure_file(tee-supplicant@.service.in tee-supplicant@.service @ONLY)
+-install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/tee-supplicant@.service DESTINATION ${CMAKE_INSTALL_LIBDIR}/systemd/system)
+install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/tee-supplicant@.service DESTINATION lib/systemd/system)
+ configure_file(optee-udev.rules.in optee-udev.rules @ONLY)
+ install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/optee-udev.rules DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/udev/rules.d)
+-- 
+2.34.1
diff --git a/recipes-security/optee-imx/optee-client/optee-udev.rules b/recipes-security/optee-imx/optee-client/optee-udev.rules
new file mode 100644
index 000000000..075f469c0
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client/optee-udev.rules
@@ -0,0 +1,6 @@
+KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", TAG+="systemd"
+# If a /dev/teepriv[0-9]* device is detected, start an instance of
+# tee-supplicant.service with the device name as parameter
+KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", \
+    TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"
diff --git a/recipes-security/optee-imx/optee-client/tee-supplicant.service b/recipes-security/optee-imx/optee-client/tee-supplicant.service
deleted file mode 100644
index 0e2b4f6ba..000000000
--- a/recipes-security/optee-imx/optee-client/tee-supplicant.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=TEE Supplicant
-[Service]
-User=root
-EnvironmentFile=-/etc/default/tee-supplicant
-ExecStart=/usr/bin/tee-supplicant $OPTARGS
-[Install]
-WantedBy=basic.target
diff --git a/recipes-security/optee-imx/optee-client/tee-supplicant.sh b/recipes-security/optee-imx/optee-client/tee-supplicant.sh
new file mode 100644
index 000000000..b4d219502
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client/tee-supplicant.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+# Source function library
+. /etc/init.d/functions
+NAME=tee-supplicant
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DESC="OP-TEE Supplicant"
+DAEMON=@sbindir@/$NAME
+test -f $DAEMON || exit 0
+test -f @sysconfdir@/default/$NAME && . @sysconfdir@/default/$NAME
+test -f @sysconfdir@/default/rcS && . @sysconfdir@/default/rcS
+SSD_OPTIONS="--oknodo --quiet --exec $DAEMON -- -d $OPTARGS"
+set -e
+case $1 in
+    start)
+            echo -n "Starting $DESC: "
+            start-stop-daemon --start $SSD_OPTIONS
+        echo "${DAEMON##*/}."
+        ;;
+    stop)
+            echo -n "Stopping $DESC: "
+            start-stop-daemon --stop $SSD_OPTIONS
+        echo "${DAEMON##*/}."
+        ;;
+    restart|force-reload)
+            $0 stop
+            sleep 1
+            $0 start
+        ;;
+    status)
+        status ${DAEMON} || exit $?
+        ;;
+    *)
+        echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
+        exit 1
+        ;;
+esac
+exit 0
diff --git a/recipes-security/optee-imx/optee-client/tee-supplicant@.service b/recipes-security/optee-imx/optee-client/tee-supplicant@.service
new file mode 100644
index 000000000..72c0b9aa5
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client/tee-supplicant@.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=TEE Supplicant on %i
+[Service]
+User=root
+EnvironmentFile=-@sysconfdir@/default/tee-supplicant
+ExecStart=@sbindir@/tee-supplicant $OPTARGS
+[Install]
+WantedBy=basic.target
diff --git a/recipes-security/optee-imx/optee-client/tee-udev.rules b/recipes-security/optee-imx/optee-client/tee-udev.rules
new file mode 100644
index 000000000..43fafd8c9
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client/tee-udev.rules
@@ -0,0 +1,7 @@
+# tee devices can only be accessed by the teeclnt group members
+KERNEL=="tee[0-9]*", TAG+="systemd", MODE="0660", GROUP="teeclnt"
+# If a /dev/teepriv[0-9]* device is detected, start an instance of
+# tee-supplicant.service with the device name as parameter
+KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="tee", \
+    TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"

diff --git a/recipes-security/optee-imx/optee-client/0001-tee-supplicant-Fix-non-arch-service-unit-install-pat.patch b/recipes-security/optee-imx/optee-client/0001-tee-supplicant-Fix-non-arch-service-unit-install-pat.patch new file mode 100644 index 000000000..631e08019 --- /dev/null +++ b/recipes-security/optee-imx/optee-client/0001-tee-supplicant-Fix-non-arch-service-unit-install-pat.patch
@@ -0,0 +1,35 @@
		1	From 5ffab66dda3e25f0b2ebc5115013c4234d048703 Mon Sep 17 00:00:00 2001
		2	From: Tom Hochstein <tom.hochstein@nxp.com>
		3	Date: Mon, 21 Apr 2025 08:47:29 -0500
		4	Subject: [PATCH] tee-supplicant: Fix non-arch service unit install path
		5
		6	A 64-bit build with multilib enabled fails:
		7	```
		8	ERROR: optee-client-4.4.0-r0 do_package: Didn't find service unit 'tee-supplicant@.service', specified in SYSTEMD_SERVICE:optee-client. Also looked for service unit 'tee-supplicant@.service'.
		9	```
		10
		11	The problem is the service unit is installed in the arch-specific folder
		12	/usr/lib64/systemd/system, but it is non-arch and should be in
		13	/usr/lib/systemd/system.
		14
		15	Upstream-Status: Pending
		16	Signed-off-by: Tom Hochstein <tom.hochstein@nxp.com>
		17	---
		18	tee-supplicant/CMakeLists.txt \| 2 +-
		19	1 file changed, 1 insertion(+), 1 deletion(-)
		20
		21	diff --git a/tee-supplicant/CMakeLists.txt b/tee-supplicant/CMakeLists.txt
		22	index 8df9bef..3ea058c 100644
		23	--- a/tee-supplicant/CMakeLists.txt
		24	+++ b/tee-supplicant/CMakeLists.txt
		25	@@ -119,6 +119,6 @@ endif()
		26	################################################################################
		27	install(TARGETS ${PROJECT_NAME} RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR})
		28	configure_file(tee-supplicant@.service.in tee-supplicant@.service @ONLY)
		29	-install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/tee-supplicant@.service DESTINATION ${CMAKE_INSTALL_LIBDIR}/systemd/system)
		30	+install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/tee-supplicant@.service DESTINATION lib/systemd/system)
		31	configure_file(optee-udev.rules.in optee-udev.rules @ONLY)
		32	install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/optee-udev.rules DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/udev/rules.d)
		33	--
		34	2.34.1
		35


diff --git a/recipes-security/optee-imx/optee-client/optee-udev.rules b/recipes-security/optee-imx/optee-client/optee-udev.rules new file mode 100644 index 000000000..075f469c0 --- /dev/null +++ b/recipes-security/optee-imx/optee-client/optee-udev.rules
@@ -0,0 +1,6 @@
		1	KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", TAG+="systemd"
		2
		3	# If a /dev/teepriv[0-9]* device is detected, start an instance of
		4	# tee-supplicant.service with the device name as parameter
		5	KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", \
		6	TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"


diff --git a/recipes-security/optee-imx/optee-client/tee-supplicant.service b/recipes-security/optee-imx/optee-client/tee-supplicant.service deleted file mode 100644 index 0e2b4f6ba..000000000 --- a/recipes-security/optee-imx/optee-client/tee-supplicant.service +++ /dev/null
@@ -1,11 +0,0 @@
1	[Unit]
2	Description=TEE Supplicant
3
4	[Service]
5	User=root
6	EnvironmentFile=-/etc/default/tee-supplicant
7	ExecStart=/usr/bin/tee-supplicant $OPTARGS
8
9	[Install]
10	WantedBy=basic.target
11


diff --git a/recipes-security/optee-imx/optee-client/tee-supplicant.sh b/recipes-security/optee-imx/optee-client/tee-supplicant.sh new file mode 100644 index 000000000..b4d219502 --- /dev/null +++ b/recipes-security/optee-imx/optee-client/tee-supplicant.sh
@@ -0,0 +1,46 @@
		1	#!/bin/sh
		2
		3	# Source function library
		4	. /etc/init.d/functions
		5
		6	NAME=tee-supplicant
		7	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		8	DESC="OP-TEE Supplicant"
		9
		10	DAEMON=@sbindir@/$NAME
		11
		12	test -f $DAEMON \|\| exit 0
		13
		14	test -f @sysconfdir@/default/$NAME && . @sysconfdir@/default/$NAME
		15	test -f @sysconfdir@/default/rcS && . @sysconfdir@/default/rcS
		16
		17	SSD_OPTIONS="--oknodo --quiet --exec $DAEMON -- -d $OPTARGS"
		18
		19	set -e
		20
		21	case $1 in
		22	start)
		23	echo -n "Starting $DESC: "
		24	start-stop-daemon --start $SSD_OPTIONS
		25	echo "${DAEMON##*/}."
		26	;;
		27	stop)
		28	echo -n "Stopping $DESC: "
		29	start-stop-daemon --stop $SSD_OPTIONS
		30	echo "${DAEMON##*/}."
		31	;;
		32	restart\|force-reload)
		33	$0 stop
		34	sleep 1
		35	$0 start
		36	;;
		37	status)
		38	status ${DAEMON} \|\| exit $?
		39	;;
		40	*)
		41	echo "Usage: $0 {start\|stop\|restart\|force-reload\|status}" >&2
		42	exit 1
		43	;;
		44	esac
		45
		46	exit 0


diff --git a/recipes-security/optee-imx/optee-client/tee-supplicant@.service b/recipes-security/optee-imx/optee-client/tee-supplicant@.service new file mode 100644 index 000000000..72c0b9aa5 --- /dev/null +++ b/recipes-security/optee-imx/optee-client/tee-supplicant@.service
@@ -0,0 +1,10 @@
		1	[Unit]
		2	Description=TEE Supplicant on %i
		3
		4	[Service]
		5	User=root
		6	EnvironmentFile=-@sysconfdir@/default/tee-supplicant
		7	ExecStart=@sbindir@/tee-supplicant $OPTARGS
		8
		9	[Install]
		10	WantedBy=basic.target


diff --git a/recipes-security/optee-imx/optee-client/tee-udev.rules b/recipes-security/optee-imx/optee-client/tee-udev.rules new file mode 100644 index 000000000..43fafd8c9 --- /dev/null +++ b/recipes-security/optee-imx/optee-client/tee-udev.rules
@@ -0,0 +1,7 @@
		1	# tee devices can only be accessed by the teeclnt group members
		2	KERNEL=="tee[0-9]*", TAG+="systemd", MODE="0660", GROUP="teeclnt"
		3
		4	# If a /dev/teepriv[0-9]* device is detected, start an instance of
		5	# tee-supplicant.service with the device name as parameter
		6	KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="tee", \
		7	TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"