Open ydonghyuk opened 2 weeks ago
The directory will be created by tee-supplicant on the first access to the (REE_FS) secure storage.
Try for example xtest regression_1004 (that loads a TA hence uses the secure storage for the TA version rollback protection). You'll see that /data/tee/ is created.
@etienne-lms Thanks, I verified that it works as you suggested. I also tested the following modification to change the secure storage path, but it didn't work. Did I miss something?
(optee_client)
diff --git a/config.mk b/config.mk
index 24904af..4a5a037 100644
--- a/config.mk
+++ b/config.mk
@@ -23,7 +23,7 @@ CFG_TEE_SUPP_LOG_LEVEL?=1
# This folder can be created with the required permission in an init
# script during boot, else it will be created by the tee-supplicant on
# first REE FS access.
-CFG_TEE_FS_PARENT_PATH ?= /data/tee
+CFG_TEE_FS_PARENT_PATH ?= /my_rw/tee
# CFG_TEE_CLIENT_LOG_FILE
# The location of the client log file when logging to file is enabled.
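Review bot: the changed CFG_TEE_FS_PARENT_PATH line edits the shipped default, but the assignment uses ?=, so the value can be supplied when invoking make (CFG_TEE_FS_PARENT_PATH=/my_rw/tee) without carrying a local patch. The comment above the variable says the folder can be created with the required permission in an init script; with a parent such as /my_rw directly under the filesystem root, pre-creating it there is the safer choice, because otherwise creation depends on the rights tee-supplicant happens to run with. This patch also sets the same value in tee-supplicant/CMakeLists.txt, so the two defaults have to be kept in step by hand.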
diff --git a/tee-supplicant/CMakeLists.txt b/tee-supplicant/CMakeLists.txt
index 57a3326..f9c490a 100644
--- a/tee-supplicant/CMakeLists.txt
+++ b/tee-supplicant/CMakeLists.txt
@@ -12,7 +12,7 @@ option (CFG_TEE_SUPP_PLUGINS "Enable tee-supplicant plugin support" ON)
set (CFG_TEE_SUPP_LOG_LEVEL "1" CACHE STRING "tee-supplicant log level")
# FIXME: Question is, is this really needed? Should just use defaults from # GNUInstallDirs?
set (CFG_TEE_CLIENT_LOAD_PATH "/lib" CACHE STRING "Colon-separated list of paths where to look for TAs (see also --ta-dir)")
-set (CFG_TEE_FS_PARENT_PATH "/data/tee" CACHE STRING "Location of TEE filesystem (secure storage)")
+set (CFG_TEE_FS_PARENT_PATH "/my_rw/tee" CACHE STRING "Location of TEE filesystem (secure storage)")
# FIXME: Why do we have if defined(CFG_GP_SOCKETS) && CFG_GP_SOCKETS == 1 in the c-file?
set (CFG_GP_SOCKETS "1" CACHE STRING "Enable GlobalPlatform Socket API support")
set (CFG_TEE_PLUGIN_LOAD_PATH "/usr/lib/tee-supplicant/plugins/" CACHE STRING "tee-supplicant's plugins path")
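Review bot: CFG_TEE_FS_PARENT_PATH is declared with set (... CACHE STRING ...), so changing the default string on this line has no effect in a build directory that was already configured; the value stored in the CMake cache is kept until the entry is removed or overridden. Passing -DCFG_TEE_FS_PARENT_PATH=/my_rw/tee at configure time gives the same result without patching the file and avoids the stale-cache case. If the default is changed anyway, the help string "Location of TEE filesystem (secure storage)" could also state that tee-supplicant must be able to create this directory.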
It should work, assuming tee-supplicant has sufficient rights to create this /my_rw directory at root / path. Tee-supplicant run as root will have. If run as tee user, it will not.
Note that if you need to change init.rd file S30optee, you can set the TEE FS parent path from tee-supplicant command line option -f/--fs-parent-path. This path defaults to CFG_TEE_FS_PARENT_PATH/TEE_FS_PARENT_PATH when not set from the command line option.
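A preflight check for the permission condition described above, as an added example that is not part of the thread or of optee_client. Run it as the user tee-supplicant will run as; the function names are hypothetical, and it assumes the missing directories are created with ordinary recursive mkdir semantics.

```shell
#!/bin/sh
# Added example: can the current user use or create the secure storage
# parent path (e.g. /my_rw/tee)? Function names are hypothetical.

# Print the nearest existing ancestor of $1 (or $1 itself if it exists).
nearest_existing() {
    p=$1
    while [ ! -e "$p" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        p=$(dirname "$p")
    done
    printf '%s\n' "$p"
}

# Return 0 when $1 exists as a usable directory or can be created below
# its nearest existing ancestor.
#   1: an existing path component is not a directory
#   2: the current user lacks write or search permission on that ancestor
tee_fs_parent_usable() {
    target=$1
    base=$(nearest_existing "$target")
    if [ ! -d "$base" ]; then
        echo "$base exists but is not a directory" >&2
        return 1
    fi
    if [ ! -w "$base" ] || [ ! -x "$base" ]; then
        echo "$(id -un) cannot create entries in $base" >&2
        return 2
    fi
    return 0
}

# Stand-alone use: pass the path given to -f/--fs-parent-path
# (or the build-time CFG_TEE_FS_PARENT_PATH value).
if [ $# -gt 0 ]; then
    tee_fs_parent_usable "$1"
fi
```

For /my_rw/tee with no /my_rw present, the nearest existing ancestor is /, which is why the result differs between root and an unprivileged tee user.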
@etienne-lms When not set from the command line option, which of the two files below should I set CFG_TEE_FS_PARENT_PATH in? I'm a bit confused, so I'm asking. 1) optee_client/config.mk 2) optee_client/tee-supplicant/CMakeLists.txt
In QEMU v8, if I modify file 2), the secure storage path is changed normally, but I don't quite understand this process.
optee_client/config.mk is used when building optee_client with a make command.
optee_client/tee-supplicant/CMakeLists.txt is used when building optee_client with CMake.
Using OP-TEE distribution (OP-TEE/manifest.git + OP-TEE/build.git) as when building from qemu_armv8, optee_client is built with CMake (see build/br-ext/.../optee_client_ext.mk)
If the secure storage path is not pre-generated, we are reviewing the code generated by tee-supplicant.
When I tested in QEMU environment with the following modifications, it seems that /data/tee is not created by tee-supplicant. Can someone explain the mechanism for this behavior?
The contents of the modifications are as follows: