From 5d11be4d2b3e9767db9a6ca1b55e912547ff227a Mon Sep 17 00:00:00 2001 From: Hector Palacios Date: Mon, 23 Jun 2025 16:30:51 +0200 Subject: [PATCH] optee-client: change secure storage and TEE log paths The default secure storage (/var/lib/tee) is a tmpfs and not persistent across reboots. Change it to the data partition (/mnt/data/tee) when TrustFence file system encryption enabled For the log file, do use the /var/log/ directory instead of default /data Signed-off-by: Hector Palacios https://onedigi.atlassian.net/browse/DEL-9683
---
 .../recipes-security/optee/optee-client_4.0.bb | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_4.0.bb b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_4.0.bb
index 1fde6e3ff..0d12e5d77 100755
--- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_4.0.bb
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_4.0.bb
@@ -22,11 +22,15 @@ DEPENDS += "util-linux-libuuid"
 SYSTEMD_SERVICE:${PN} = "tee-supplicant.service"
+SECURE_STORAGE_PATH ?= "${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', \
+ '-DCFG_TEE_FS_PARENT_PATH=/mnt/data/tee', \
+ '${localstatedir}/lib/tee', d)}"
+
 EXTRA_OECMAKE = " \
- -DCFG_TEE_FS_PARENT_PATH='${localstatedir}/lib/tee' \
+ -DCFG_TEE_FS_PARENT_PATH='${SECURE_STORAGE_PATH}' \
 -DCFG_WERROR=OFF \
 -DCFG_TEE_CLIENT_LOG_LEVEL=2 \
- -DCFG_TEE_CLIENT_LOG_FILE='/data/tee/teec.log' \
+ -DCFG_TEE_CLIENT_LOG_FILE='${localstatedir}/log/tee/teec.log' \
 -DBUILD_SHARED_LIBS=ON \
 -DRPMB_EMU=0 \
 "
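Review bot: The true branch of `oe.utils.vartrue` in the new SECURE_STORAGE_PATH assignment returns the whole flag text `-DCFG_TEE_FS_PARENT_PATH=/mnt/data/tee` rather than a path, so with TRUSTFENCE_FILE_BASED_ENCRYPT enabled EXTRA_OECMAKE expands to `-DCFG_TEE_FS_PARENT_PATH='-DCFG_TEE_FS_PARENT_PATH=/mnt/data/tee'`. The same variable is appended to `${D}` in the do_install hunk, where it would name a directory outside the image root instead of the storage directory. The secure-storage location is then not the persistent data partition the commit message intends. The branch should carry only the path: `SECURE_STORAGE_PATH ?= "${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', '/mnt/data/tee', '${localstatedir}/lib/tee', d)}"`. Separately, nothing visible here creates `${localstatedir}/log/tee`, so it is worth confirming the client library can open the new log file at runtime.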
@@ -42,7 +46,7 @@ do_install:append() {
 fi
 install -d ${D}${sysconfdir}/udev/rules.d
 install -m 0644 ${WORKDIR}/optee-udev.rules ${D}${sysconfdir}/udev/rules.d/optee.rules
- install -d -m770 -o root -g tee ${D}${localstatedir}/lib/tee
+ install -d -m770 -o root -g tee ${D}${SECURE_STORAGE_PATH}
 }
 FILES:${PN} += "${sysconfdir} ${localstatedir}"
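Review bot: When SECURE_STORAGE_PATH resolves to a location under /mnt/data, the changed `install -d` line creates a directory that the `FILES:${PN} += "${sysconfdir} ${localstatedir}"` context line does not cover, so packaging would likely trip the installed-vs-shipped QA check. Going by the commit message, /mnt/data is the data partition, so a directory shipped in the rootfs would presumably be hidden once that partition is mounted, and the `root:tee` 0770 ownership set here would not apply to the directory tee-supplicant actually uses. Consider adding `FILES:${PN} += "${SECURE_STORAGE_PATH}"` and creating the directory with the same owner and mode on the mounted partition at boot, for example from the service unit or a tmpfiles.d entry. The body of do_install:append starts outside the hunk.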