optee-client: change secure storage path when TF is enabled

By default, the secure storage path in the REE is "/var/lib/tee". It is
part of the rootfs, and thus, it gets lost on a firmware update.

This commit changes that path to a different partition "/mnt/data/tee"
when Trustfence file-based encryption is enabled.

Signed-off-by: Javier Viguera <javier.viguera@digi.com>

meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client/tee-supplicant

@@ -0,0 +1 @@
+OPTARGS="--fs-parent-path=/mnt/data/tee"

meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client_4.0.0.imx.bb

@@ -5,6 +5,7 @@
 #
 require recipes-security/optee-imx/optee-client_3.19.0.imx.bb
 
+SRC_URI += "${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', 'file://tee-supplicant', '', d)}"
 SRCBRANCH = "lf-6.1.55_2.2.0"
 SRCREV = "acb0885c117e73cb6c5c9b1dd9054cb3f93507ee"
 
@@ -16,6 +17,11 @@ do_install() {
 	sed -i -e s:@sysconfdir@:${sysconfdir}:g \
 		-e s:@sbindir@:${sbindir}:g \
 		${D}${systemd_system_unitdir}/tee-supplicant.service
+
+	if ${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', 'true', 'false',d)}; then
+		install -d ${D}${sysconfdir}/default/
+		install -m 0644 ${WORKDIR}/tee-supplicant ${D}${sysconfdir}/default/tee-supplicant
+	fi
 }
 
 COMPATIBLE_MACHINE = "(ccimx93)"

meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_3.16.bb

@@ -25,6 +25,9 @@ EXTRA_OECMAKE = " \
     -DBUILD_SHARED_LIBS=ON \
     "
 
+# If TF file based encryption is enabled, move the TEE_FS_PARENT_PATH out of the rootfs
+EXTRA_OECMAKE += "${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', '-DCFG_TEE_FS_PARENT_PATH=/mnt/data/tee', '', d)}"
+
 do_install:append() {
     if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
         install -D -p -m0644 ${WORKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service