From 595cb0f1a0cdbbbaa245a16173a4a21ccfbd5ea9 Mon Sep 17 00:00:00 2001 From: Gyorgy Szing Date: Wed, 2 Apr 2025 16:16:52 +0200 Subject: [PATCH] arm/trusted-services: fix udev management in libts - Change libts to stop making udev related configuration if optee-client is deployed to the target to avoid conflicts. - Remove the executable permission from installed tee-udev.rules file. - Remove teepriv device from udev file as this device is op-tee specific. Signed-off-by: Gyorgy Szing Signed-off-by: Jon Mason --- .../trusted-services/libts-udev.inc | 21 ++++++++++++++++++ .../trusted-services/libts/tee-udev.rules | 5 ----- .../trusted-services/libts_git.bb | 22 +++++-------------- 3 files changed, 26 insertions(+), 22 deletions(-) create mode 100644 meta-arm/recipes-security/trusted-services/libts-udev.inc
diff --git a/meta-arm/recipes-security/trusted-services/libts-udev.inc b/meta-arm/recipes-security/trusted-services/libts-udev.inc
new file mode 100644
index 00000000..2eedfefe
--- /dev/null
+++ b/meta-arm/recipes-security/trusted-services/libts-udev.inc
@@ -0,0 +1,21 @@
+# Sour out /dev/tee* device creation and access control
+SRC_URI += "file://tee-udev.rules \
+ "
+
+# Unix group name for dev/tee* ownership.
+TEE_GROUP_NAME ?= "tee"
+
+do_install:append () {
+ if ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', 'false', 'true', d)}; then
+ install -d ${D}${nonarch_base_libdir}/udev/rules.d/
+ install -m 755 ${UNPACKDIR}/tee-udev.rules ${D}${nonarch_base_libdir}/udev/rules.d/
+ sed -i -e "s/teeclnt/${TEE_GROUP_NAME}/" ${D}${nonarch_base_libdir}/udev/rules.d/tee-udev.rules
+ fi
+}
+
+
+inherit ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', '', 'useradd', d)}
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "--system ${TEE_GROUP_NAME}"
+
+FILES:${PN} += " ${nonarch_base_libdir}/udev/rules.d/"
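Review bot: The new `do_install:append` still installs the rules file with `install -m 755 ${UNPACKDIR}/tee-udev.rules ...`, so the commit message's second bullet (dropping the executable bit from tee-udev.rules) is not delivered by this hunk; a udev rules file is plain data and should be installed as `install -m 644 ${UNPACKDIR}/tee-udev.rules ${D}${nonarch_base_libdir}/udev/rules.d/`. The default group also moves from `teeclnt` (the value this commit removes from libts_git.bb) to `tee`, which silently changes which group owns /dev/tee* with MODE 0660 for anyone who had added users to `teeclnt`; that access-control change deserves a line in the commit message or a comment next to `TEE_GROUP_NAME ?= "tee"`. Separately, the header comment `# Sour out /dev/tee* device creation and access control` presumably means `# Sort out /dev/tee* device creation and access control`.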
diff --git a/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
index 43fafd8c..216fe993 100644
--- a/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
+++ b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
@@ -1,7 +1,2 @@
 # tee devices can only be accessed by the teeclnt group members
 KERNEL=="tee[0-9]*", TAG+="systemd", MODE="0660", GROUP="teeclnt"
-
-# If a /dev/teepriv[0-9]* device is detected, start an instance of
-# tee-supplicant.service with the device name as parameter
-KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="tee", \
- TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"
diff --git a/meta-arm/recipes-security/trusted-services/libts_git.bb b/meta-arm/recipes-security/trusted-services/libts_git.bb
index 635e4769..de299b9a 100644
--- a/meta-arm/recipes-security/trusted-services/libts_git.bb
+++ b/meta-arm/recipes-security/trusted-services/libts_git.bb
@@ -5,24 +5,16 @@ TS_ENV = "arm-linux"
 require trusted-services.inc
-SRC_URI += "file://tee-udev.rules \
- file://0001-Remove-TEE-driver-external-component.patch \
+SRC_URI += "file://0001-Remove-TEE-driver-external-component.patch \
 "
+# If optee-client is not included, take care of udev and related configuration.
+require ${@bb.utils.contains('IMAGE_INSTALL', 'optee-client', '', 'libts-udev.inc', d)}
 OECMAKE_SOURCEPATH="${S}/deployments/libts/${TS_ENV}"
 DEPENDS += "arm-ffa-user"
-# Unix group name for dev/tee* ownership.
-TEE_GROUP_NAME ?= "teeclnt"
-
 do_install:append () {
- if ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', 'false', 'true', d)}; then
- install -d ${D}${nonarch_base_libdir}/udev/rules.d/
- install -m 755 ${UNPACKDIR}/tee-udev.rules ${D}${nonarch_base_libdir}/udev/rules.d/
- sed -i -e "s/teeclnt/${TEE_GROUP_NAME}/" ${D}${nonarch_base_libdir}/udev/rules.d/tee-udev.rules
- fi
-
 # Move the dynamic libraries into the standard place.
 install -d ${D}${libdir}
 mv ${D}${TS_INSTALL}/lib/libts* ${D}${libdir}
@@ -34,9 +26,5 @@ do_install:append () {
 fi
 }
-inherit ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', '', 'useradd', d)}
-USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM:${PN} = "--system ${TEE_GROUP_NAME}"
-
-FILES:${PN} = "${libdir}/libts.so.* ${nonarch_base_libdir}/udev/rules.d/"
-FILES:${PN}-dev = "${TS_INSTALL}/lib/cmake ${TS_INSTALL}/include ${libdir}/libts.so"
+FILES:${PN} += " ${libdir}/libts*.so.*"
+FILES:${PN}-dev += " ${TS_INSTALL}/lib/cmake ${TS_INSTALL}/include ${libdir}/libts*.so"
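Review bot: The guard `require ${@bb.utils.contains('IMAGE_INSTALL', 'optee-client', '', 'libts-udev.inc', d)}` is evaluated when libts_git.bb is parsed, from a variable that is normally set only in image recipes, so unless optee-client is listed in IMAGE_INSTALL at a global scope (local.conf or the distro config) the condition is false and libts keeps shipping tee-udev.rules and its group regardless of what the image contains. If optee-client reaches the rootfs through RDEPENDS or a packagegroup rather than a literal `optee-client` token in IMAGE_INSTALL, both packages then provide `${nonarch_base_libdir}/udev/rules.d/tee-udev.rules` and the conflict this commit aims at remains; this is inferred from how IMAGE_INSTALL is usually scoped and is worth confirming against the images in this layer. A gate the package recipe can actually see (a PACKAGECONFIG option or DISTRO_FEATURES entry), or moving the udev rules and group into a separate sub-package that conflicts with optee-client, would make the decision deterministic across images built from the same libts package. The comment `# If optee-client is not included, take care of udev and related configuration.` should at least say that "included" means listed in IMAGE_INSTALL at parse time, so the condition's scope is explicit. `do_install:append` continues past the first hunk; its tail is in the second hunk.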