From: Mikko Rapeli <mikko.rapeli@linaro.org>
To: Gyorgy Szing <Gyorgy.Szing@arm.com>
Cc: "meta-arm@lists.yoctoproject.org" <meta-arm@lists.yoctoproject.org>
Subject: Re: [meta-arm] [PATCH v3 2/2] trusted-service: remove optee udev and group settings
Date: Thu, 17 Oct 2024 14:09:17 +0300
Message-ID: <ZxDwXeOdfwuCsI_p@nuoska>
In-Reply-To: <AS8PR08MB58951A0CBE556C313695963291472@AS8PR08MB5895.eurprd08.prod.outlook.com>

Hi,

On Thu, Oct 17, 2024 at 10:54:41AM +0000, Gyorgy Szing wrote:
> Hi,
>
> “But optee and optee-client are part of the TS images and configs so there is a link.”
> “I don't see any user being added to the previously used "teeclnt" group. So which non-root users are there? If the users are in Cassini, I have proposed fixes there.”
> I am not saying the TS recipes are perfect and there might be a dependency, which is an error. Except for the OP-TEE SPMC tests SPs which indeed depend on op-tee and xtest.
>
> “What is the proper way to fix this?
>
> I don't think duplicating optee/tee-supplicant udev rules is the answer.
> I could move optee-client recipe udev rules to a separate binary package
> to enable installing without tee-supplicant.”
> I think a dedicated recipe on which both libts and optee-client depends is one way to fix.

A dedicated recipe is not ok. optee-client upstream provides the udev rule.
A dedicated binary package from optee-client for the udev rule could be
created. The udev rule and matching systemd service (and possibly sysvinit
script) are non-trivial to set up and thus in meta-arm recipe some aspects
were wrong and other Linux distros have even more issues. Thus it's better
to collaborate with upstream when setting them up.

> “But I'd like to see the users and have a test case, preferably in meta-arm.”
> Well, I cannot provide a setup where TS is used without OP-TEE currently, but your config can and will be tested in the CI. Yes, TS only world might still be broken, but the change at least would make a step in the right direction.

I'm still not sure of the right direction. Which recipes and layers have userspace
SW which needs to access /dev/tee* or /dev/teepriv* device nodes without root
rights in userspace? Where is a test for these recipes or functionality?

The old teeclnt setup was a bit broken. For example tee-supplicant was still
started in systemd service file as root user. Both /dev/tee* and /dev/teepriv*
used the same teeclnt group which was not right according to upstream,
they need to have different groups. Then the systemd service which did not
work in initrd. Etc.

Cheers,

-Mikko