From 8d26062700181558b02a7b50095c90a029449049 Mon Sep 17 00:00:00 2001
From: Mike Engel
Date: Fri, 25 Jul 2025 12:00:41 +0200
Subject: [PATCH] optee-client: fix default secure storage path

This commit fixes the default secure storage path to /mnt/data/tee instead of /var/lib/tee. This will store all secure storage keys in that path and will keep them even during rootfs updates.

Signed-off-by: Mike Engel
---
 .../recipes-security/optee/optee-client_4.0.bb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_4.0.bb b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_4.0.bb
index 0d12e5d77..56cd5d197 100755
--- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_4.0.bb
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_4.0.bb
@@ -23,7 +23,7 @@ DEPENDS += "util-linux-libuuid"
 SYSTEMD_SERVICE:${PN} = "tee-supplicant.service"
 SECURE_STORAGE_PATH ?= "${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', \
- '-DCFG_TEE_FS_PARENT_PATH=/mnt/data/tee', \
+ '/mnt/data/tee', \
 '${localstatedir}/lib/tee', d)}"
 EXTRA_OECMAKE = " \
@@ -48,7 +48,11 @@ do_install:append() {
 install -m 0644 ${WORKDIR}/optee-udev.rules ${D}${sysconfdir}/udev/rules.d/optee.rules
 install -d -m770 -o root -g tee ${D}${SECURE_STORAGE_PATH}
 }
-FILES:${PN} += "${sysconfdir} ${localstatedir}"
+FILES:${PN} += " \
+ ${sysconfdir} \
+ ${localstatedir} \
+ ${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', '/mnt/data/tee', '', d)} \
+"
 inherit useradd
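Review bot: Nothing visible in this patch makes tee-supplicant wait for `/mnt/data` to be mounted before it uses the new `/mnt/data/tee` value of `SECURE_STORAGE_PATH`. If, as the commit message implies, `/mnt/data` is a separate partition that outlives the rootfs, a supplicant that starts before the mount would create secure-storage objects in the rootfs directory underneath the mount point, where they are hidden once the partition is mounted and dropped at the next rootfs update. The service unit is outside this diff, so this has to be confirmed there; `RequiresMountsFor=/mnt/data` in `tee-supplicant.service` would state the dependency explicitly. A short comment above the assignment, for example `# Must be a bare path: do_install:append passes it to install -d`, would also record why the `-D` prefix was removed from the value.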
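Review bot: The added `FILES:${PN}` entry repeats the literal `/mnt/data/tee` and the `TRUSTFENCE_FILE_BASED_ENCRYPT` test instead of referring to `${SECURE_STORAGE_PATH}`, which is the directory that `install -d` in `do_install:append` actually creates. Because that variable is assigned with `?=`, an override to any location outside `${sysconfdir}` and `${localstatedir}` would install a directory that the package does not list. Writing `${SECURE_STORAGE_PATH} \` in place of the `oe.utils.vartrue` line keeps the installed and packaged paths in step. Separately, the `-m770 -o root -g tee` mode and group are applied to the rootfs copy of the directory; if `/mnt/data` is a mounted partition, the same restrictions presumably have to be established on the partition itself, which this recipe does not show. `do_install:append` begins above the hunk.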