From ac237149671891fd61b9f9a613c609c5bf3b9866 Mon Sep 17 00:00:00 2001
From: Javier Viguera
Date: Thu, 27 Jun 2024 15:33:15 +0200
Subject: [PATCH] optee-client: change secure storage path when TF is enabled

By default, the secure storage path in the REE is "/var/lib/tee". It is part of the rootfs, and thus, it gets lost on a firmware update.

This commit changes that path to a different partition "/mnt/data/tee" when Trustfence file-based encryption is enabled.

Signed-off-by: Javier Viguera
---
 .../recipes-security/optee-imx/optee-client/tee-supplicant | 1 +
 .../recipes-security/optee-imx/optee-client_4.0.0.imx.bb | 6 ++++++
 .../recipes-security/optee/optee-client_3.16.bb | 3 +++
 3 files changed, 10 insertions(+)
 create mode 100644 meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client/tee-supplicant

diff --git a/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client/tee-supplicant b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client/tee-supplicant
new file mode 100644
index 000000000..80c817279
--- /dev/null
+++ b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client/tee-supplicant
@@ -0,0 +1 @@
+OPTARGS="--fs-parent-path=/mnt/data/tee"
diff --git a/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client_4.0.0.imx.bb b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client_4.0.0.imx.bb
index 427bdf1a8..f4640b6e7 100644
--- a/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client_4.0.0.imx.bb
+++ b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-client_4.0.0.imx.bb
@@ -5,6 +5,7 @@
 #
 require recipes-security/optee-imx/optee-client_3.19.0.imx.bb
+SRC_URI += "${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', 'file://tee-supplicant', '', d)}"
 SRCBRANCH = "lf-6.1.55_2.2.0"
 SRCREV = "acb0885c117e73cb6c5c9b1dd9054cb3f93507ee"
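Review bot: The new `OPTARGS` value points secure storage at `/mnt/data/tee`, but nothing in the patch orders tee-supplicant after the `/mnt/data` mount, so if the daemon starts before that partition is mounted it will — as far as I recall upstream's tee_supp_fs_init creates a missing parent directory — create `/mnt/data/tee` on the unencrypted rootfs, which is exactly what the change is meant to avoid, and the later mount then hides those objects from the TEE. A systemd drop-in shipped next to this file, `[Unit]` / `RequiresMountsFor=/mnt/data`, makes the dependency explicit and fails the service cleanly instead. The same ordering gap applies to the compiled-in `CFG_TEE_FS_PARENT_PATH` added in the stm32mp optee-client_3.16.bb hunk. It is also only inferred, not visible here, that the installed unit reads `/etc/default/tee-supplicant` and passes `$OPTARGS` on `ExecStart`; worth confirming against the unit that the sed in do_install edits.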
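Review bot: The `file://tee-supplicant` entry is guarded by one `vartrue` expression here and its consumer, `install -m 0644 ${WORKDIR}/tee-supplicant ...` in the do_install hunk of the same recipe, by a second, independently written one; if either condition is edited alone, do_fetch and do_install silently disagree (a missing file fails the build, the opposite mismatch leaves the env file out of the image). Computing the flag once and reusing it, e.g. `TF_TEE_FS = "${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', 'true', 'false', d)}"` in the recipe header and `if ${TF_TEE_FS}; then` in do_install, keeps the two in step.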
@@ -16,6 +17,11 @@ do_install() {
 sed -i -e s:@sysconfdir@:${sysconfdir}:g \
 -e s:@sbindir@:${sbindir}:g \
 ${D}${systemd_system_unitdir}/tee-supplicant.service
+
+ if ${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', 'true', 'false',d)}; then
+ install -d ${D}${sysconfdir}/default/
+ install -m 0644 ${WORKDIR}/tee-supplicant ${D}${sysconfdir}/default/tee-supplicant
+ fi
 }
 COMPATIBLE_MACHINE = "(ccimx93)"
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_3.16.bb b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_3.16.bb
index 4a3164499..bea3c2478 100755
--- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_3.16.bb
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-security/optee/optee-client_3.16.bb
@@ -25,6 +25,9 @@ EXTRA_OECMAKE = " \
 -DBUILD_SHARED_LIBS=ON \
 "
+# If TF file based encryption is enabled, move the TEE_FS_PARENT_PATH out of the rootfs
+EXTRA_OECMAKE += "${@oe.utils.vartrue('TRUSTFENCE_FILE_BASED_ENCRYPT', '-DCFG_TEE_FS_PARENT_PATH=/mnt/data/tee', '', d)}"
+
 do_install:append() {
 if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
 install -D -p -m0644 ${WORKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service
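Review bot: The comment above the new EXTRA_OECMAKE line says what is moved but not why this recipe bakes the path in at build time (`-DCFG_TEE_FS_PARENT_PATH`) while the i.MX recipe in the same patch sets it at runtime through `OPTARGS` in /etc/default/tee-supplicant; a reader seeing two mechanisms for one goal will wonder whether the stm32mp unit simply lacks an EnvironmentFile hook or whether the difference is deliberate. Suggest stating the reason in the comment, e.g. `# Set at build time rather than via /etc/default/tee-supplicant because <reason — confirm>`. A build-time default also means the path cannot be corrected on a deployed unit without a rebuild, which is worth a sentence if that trade-off was intended.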