
optee-client: start tee-supplicant.service when teeprivX dev is detected

Message ID 20230914182616.455983-1-javier.tia@linaro.org
State New
Series optee-client: start tee-supplicant.service when teeprivX dev is detected | expand

Commit Message

Javier Tia Sept. 14, 2023, 6:26 p.m. UTC
Multiple /dev/teepriv[0-9]* devices are expected to exist, and the
tee-supplicant service depends on them; the service should be activated
only when the kernel detects such a device, by means of a udev rule.

Improve commit f02d065dce, where it's only considering a path creation
and not a device detection by the kernel.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../{tee-supplicant.service => tee-supplicant@.service}   | 3 +--
 meta-arm/recipes-security/optee/optee-client.inc          | 8 ++++----
 .../{tee-supplicant.service => tee-supplicant@.service}   | 3 +--
 .../trusted-services/libts/tee-udev.rules                 | 5 +++++
 4 files changed, 11 insertions(+), 8 deletions(-)
 rename meta-arm-bsp/recipes-security/optee/optee-client/{tee-supplicant.service => tee-supplicant@.service} (69%)
 rename meta-arm/recipes-security/optee/optee-client/{tee-supplicant.service => tee-supplicant@.service} (69%)

Comments

Jon Mason Sept. 15, 2023, 5:39 p.m. UTC | #1
On Thu, 14 Sep 2023 12:26:16 -0600, Javier Tia wrote:
> It's expected to exist multiple /dev/teepriv[0-9]* devices, and the
> tee-supplicant service depends on them, which should be activated only
> when the device is detected by the kernel using a udev rule.
> 
> Improve commit f02d065dce, where it's only considering a path creation
> and not a device detection by the kernel.
> 
> [...]

Applied, thanks!

[1/1] optee-client: start tee-supplicant.service when teeprivX dev is detected
      commit: 1bff41eee67d6dafc7c58b0c88923a3c6f7a2a7c

Best regards,

Patch

diff --git a/meta-arm-bsp/recipes-security/optee/optee-client/tee-supplicant.service b/meta-arm-bsp/recipes-security/optee/optee-client/tee-supplicant@.service
similarity index 69%
rename from meta-arm-bsp/recipes-security/optee/optee-client/tee-supplicant.service
rename to meta-arm-bsp/recipes-security/optee/optee-client/tee-supplicant@.service
index 6b00df74..72c0b9aa 100644
--- a/meta-arm-bsp/recipes-security/optee/optee-client/tee-supplicant.service
+++ b/meta-arm-bsp/recipes-security/optee/optee-client/tee-supplicant@.service
@@ -1,6 +1,5 @@ 
 [Unit]
-Description=TEE Supplicant
-ConditionPathExistsGlob=/dev/teepriv[0-9]*
+Description=TEE Supplicant on %i
 
 [Service]
 User=root
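Review bot: The instance name `%i` is used only in `Description=` here, so nothing visible in this hunk tells the daemon which teepriv device its instance belongs to. The diffstat lists just three changed lines for this file, so the `ExecStart=` line (in the `[Service]` section, which continues outside the hunk) appears to be unchanged. If so, with more than one `/dev/teepriv[0-9]*` device every instance runs the same command and relies on the daemon's own device probing. Consider passing the device explicitly by appending `/dev/%I` to the existing `ExecStart=` command, and adding a comment such as `# %i is the kernel device name supplied by the udev rule (teeprivN)`. The same applies to the identical hunk for the meta-arm copy of this unit.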
diff --git a/meta-arm/recipes-security/optee/optee-client.inc b/meta-arm/recipes-security/optee/optee-client.inc
index 3b9943cc..77f6a642 100644
--- a/meta-arm/recipes-security/optee/optee-client.inc
+++ b/meta-arm/recipes-security/optee/optee-client.inc
@@ -9,7 +9,7 @@  inherit systemd update-rc.d cmake
 
 SRC_URI = " \
     git://github.com/OP-TEE/optee_client.git;branch=master;protocol=https \
-    file://tee-supplicant.service \
+    file://tee-supplicant@.service \
     file://tee-supplicant.sh \
 "
 
@@ -24,16 +24,16 @@  EXTRA_OECMAKE = " \
 EXTRA_OECMAKE:append:toolchain-clang = " -DCFG_WERROR=0"
 
 do_install:append() {
-    install -D -p -m0644 ${WORKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service
+    install -D -p -m0644 ${WORKDIR}/tee-supplicant@.service ${D}${systemd_system_unitdir}/tee-supplicant@.service
     install -D -p -m0755 ${WORKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant
 
     sed -i -e s:@sysconfdir@:${sysconfdir}:g \
            -e s:@sbindir@:${sbindir}:g \
-              ${D}${systemd_system_unitdir}/tee-supplicant.service \
+              ${D}${systemd_system_unitdir}/tee-supplicant@.service \
               ${D}${sysconfdir}/init.d/tee-supplicant
 }
 
-SYSTEMD_SERVICE:${PN} = "tee-supplicant.service"
+SYSTEMD_SERVICE:${PN} = "tee-supplicant@.service"
 
 INITSCRIPT_PACKAGES = "${PN}"
 INITSCRIPT_NAME:${PN} = "tee-supplicant"
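Review bot: After this change the only visible trigger for `tee-supplicant@.service` is the udev rule, and that rule is shipped by a different recipe (`trusted-services/libts/tee-udev.rules`), not by optee-client. Unless optee-client pulls in libts at runtime, which is not visible in this hunk, an image with optee-client alone would install the template unit and never start the supplicant, leaving secure-world services that need it unavailable. Either install the teepriv rule from this recipe or state the dependency explicitly, with a comment next to `SYSTEMD_SERVICE:${PN}` such as `# instantiated by udev (SYSTEMD_WANTS) when a teepriv device appears; see tee-udev.rules`.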
diff --git a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service b/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service
similarity index 69%
rename from meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
rename to meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service
index 6b00df74..72c0b9aa 100644
--- a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
+++ b/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service
@@ -1,6 +1,5 @@ 
 [Unit]
-Description=TEE Supplicant
-ConditionPathExistsGlob=/dev/teepriv[0-9]*
+Description=TEE Supplicant on %i
 
 [Service]
 User=root
diff --git a/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
index 216fe993..af428974 100644
--- a/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
+++ b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
@@ -1,2 +1,7 @@ 
 # tee devices can only be accessed by the teeclnt group members
 KERNEL=="tee[0-9]*", TAG+="systemd", MODE="0660", GROUP="teeclnt"
+
+# If a /dev/teepriv[0-9]* device is detected, start an instance of
+# tee-supplicant.service with the device name as parameter
+KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", \
+    TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"
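Review bot: The new rule gives the `teeclnt` group read/write access to the teepriv nodes, although the unit that opens them keeps `User=root` and the comment above the first rule describes `teeclnt` as the group for client access to tee devices. As written, any member of the client group can open the supplicant-side device, which is wider than the service needs. Restrict the node to the account that runs the supplicant, for example `KERNEL=="teepriv[0-9]*", MODE="0600", OWNER="root", GROUP="root", \`, or use a dedicated supplicant group if the daemon is later moved off root. The comment's "with the device name as parameter" would also be more accurate as "as the instance name", since the rule only sets `%k` as the unit instance.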