From patchwork Wed Apr 2 14:16:52 2025 X-Patchwork-Submitter: Gyorgy Szing X-Patchwork-Id: 60613
From: Gyorgy Szing To: meta-arm@lists.yoctoproject.org Cc: Gyorgy Szing Subject: [PATCH 6/6] arm/trusted-services: fix udev management in libts Date: Wed, 2 Apr 2025 16:16:52 +0200 Message-ID: <20250402141652.380180-6-gyorgy.szing@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250402141652.380180-1-gyorgy.szing@arm.com> References: <20250402141652.380180-1-gyorgy.szing@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 02 Apr 2025 14:17:11 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6440 - Change libts to stop making udev related configuration if optee-client is deployed to the target to avoid conflicts. - Remove the executable permission from installed tee-udev.rules file. - Remove teepriv device from udev file as this device is op-tee specific. Signed-off-by: Gyorgy Szing --- .../trusted-services/libts-udev.inc | 21 ++++++++++++++++++ .../trusted-services/libts/tee-udev.rules | 5 ----- .../trusted-services/libts_git.bb | 22 +++++-------------- 3 files changed, 26 insertions(+), 22 deletions(-) create mode 100644 meta-arm/recipes-security/trusted-services/libts-udev.inc diff --git a/meta-arm/recipes-security/trusted-services/libts-udev.inc b/meta-arm/recipes-security/trusted-services/libts-udev.inc new file mode 100644 index 00000000..2eedfefe --- /dev/null +++ b/meta-arm/recipes-security/trusted-services/libts-udev.inc 
@@ -0,0 +1,21 @@ +# Sour out /dev/tee* device creation and access control +SRC_URI += "file://tee-udev.rules \ + " + +# Unix group name for dev/tee* ownership. +TEE_GROUP_NAME ?= "tee" + +do_install:append () { + if ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', 'false', 'true', d)}; then + install -d ${D}${nonarch_base_libdir}/udev/rules.d/ + install -m 755 ${UNPACKDIR}/tee-udev.rules ${D}${nonarch_base_libdir}/udev/rules.d/ + sed -i -e "s/teeclnt/${TEE_GROUP_NAME}/" ${D}${nonarch_base_libdir}/udev/rules.d/tee-udev.rules + fi +} + + +inherit ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', '', 'useradd', d)} +USERADD_PACKAGES = "${PN}" +GROUPADD_PARAM:${PN} = "--system ${TEE_GROUP_NAME}" + +FILES:${PN} += " ${nonarch_base_libdir}/udev/rules.d/" diff --git a/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules index 43fafd8c..216fe993 100644 --- a/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules +++ b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules @@ -1,7 +1,2 @@ # tee devices can only be accessed by the teeclnt group members KERNEL=="tee[0-9]*", TAG+="systemd", MODE="0660", GROUP="teeclnt" - -# If a /dev/teepriv[0-9]* device is detected, start an instance of -# tee-supplicant.service with the device name as parameter -KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="tee", \ - TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service" diff --git a/meta-arm/recipes-security/trusted-services/libts_git.bb b/meta-arm/recipes-security/trusted-services/libts_git.bb index 635e4769..de299b9a 100644 --- a/meta-arm/recipes-security/trusted-services/libts_git.bb +++ b/meta-arm/recipes-security/trusted-services/libts_git.bb 
@@ -5,24 +5,16 @@ TS_ENV = "arm-linux" require trusted-services.inc -SRC_URI += "file://tee-udev.rules \ - file://0001-Remove-TEE-driver-external-component.patch \ +SRC_URI += "file://0001-Remove-TEE-driver-external-component.patch \ " +# If optee-client is not included, take care of udev and related configuration. +require ${@bb.utils.contains('IMAGE_INSTALL', 'optee-client', '', 'libts-udev.inc', d)} OECMAKE_SOURCEPATH="${S}/deployments/libts/${TS_ENV}" DEPENDS += "arm-ffa-user" -# Unix group name for dev/tee* ownership. -TEE_GROUP_NAME ?= "teeclnt" - do_install:append () { - if ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', 'false', 'true', d)}; then - install -d ${D}${nonarch_base_libdir}/udev/rules.d/ - install -m 755 ${UNPACKDIR}/tee-udev.rules ${D}${nonarch_base_libdir}/udev/rules.d/ - sed -i -e "s/teeclnt/${TEE_GROUP_NAME}/" ${D}${nonarch_base_libdir}/udev/rules.d/tee-udev.rules - fi - # Move the dynamic libraries into the standard place. install -d ${D}${libdir} mv ${D}${TS_INSTALL}/lib/libts* ${D}${libdir} @@ -34,9 +26,5 @@ do_install:append () { fi } -inherit ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', '', 'useradd', d)} -USERADD_PACKAGES = "${PN}" -GROUPADD_PARAM:${PN} = "--system ${TEE_GROUP_NAME}" - -FILES:${PN} = "${libdir}/libts.so.* ${nonarch_base_libdir}/udev/rules.d/" -FILES:${PN}-dev = "${TS_INSTALL}/lib/cmake ${TS_INSTALL}/include ${libdir}/libts.so" +FILES:${PN} += " ${libdir}/libts*.so.*" +FILES:${PN}-dev += " ${TS_INSTALL}/lib/cmake ${TS_INSTALL}/include ${libdir}/libts*.so"
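Review bot: In the new libts-udev.inc the rules file is still installed with `install -m 755 ${UNPACKDIR}/tee-udev.rules ...`, so the executable bit the commit message says is removed is in fact kept; udev rules are plain data and should go in with `install -m 644`. Two smaller points in the same file: the header comment reads "Sour out /dev/tee* device creation" (presumably "Sort out"), and the default `TEE_GROUP_NAME ?= "tee"` silently changes the group that owns /dev/tee* from the previous default "teeclnt" (the .bb removes `TEE_GROUP_NAME ?= "teeclnt"`), which is a user-visible change that deserves a line in the commit message since anything that adds accounts to the old group name will no longer grant device access.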
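Review bot: `require ${@bb.utils.contains('IMAGE_INSTALL', 'optee-client', '', 'libts-udev.inc', d)}` in libts_git.bb decides based on IMAGE_INSTALL, but that variable is normally set in image recipes and is not visible in the datastore of an ordinary recipe such as libts, so the check only works when IMAGE_INSTALL is set globally (local.conf or a distro/layer conf). It is also a plain string match, so optee-client pulled in through a packagegroup or an RDEPENDS chain is not detected and both packages would again ship a tee udev rule and create a tee group. A more robust shape is a PACKAGECONFIG option on libts (for example one that controls whether libts-udev.inc is pulled in) that the image or distro configuration sets explicitly, or splitting the udev rule and group into a separate package that declares a runtime conflict with optee-client's equivalent.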
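Review bot: In the second libts_git.bb hunk the assignment switches from `FILES:${PN} = ...` to `FILES:${PN} += " ${libdir}/libts*.so.*"`; with `+=` the default FILES:${PN} (which already covers ${libdir}/lib*.so.*) is kept, so the added glob is redundant and the change is fine but worth a note in the commit message, since dropping the explicit `=` also means ${PN} now picks up anything else the default patterns match under ${D}.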