diff --git a/br-ext/configs/optee_generic b/br-ext/configs/optee_generic
index d56b5c9005160527f58ecee76d6f660b200caebc..efb7ad5d52fd8ad15941f7778bbb311599038738 100644
--- a/br-ext/configs/optee_generic
+++ b/br-ext/configs/optee_generic
@@ -1,5 +1,5 @@
 BR2_CCACHE=y
-BR2_TARGET_GENERIC_ISSUE="Welcome to Buildroot, type root to login"
+BR2_TARGET_GENERIC_ISSUE="Welcome to Buildroot, type root or test to login"
 BR2_TARGET_ROOTFS_CPIO=y
 BR2_TARGET_ROOTFS_CPIO_GZIP=y
diff --git a/br-ext/package/optee_client/S30optee b/br-ext/package/optee_client/S30optee
index 2aede2c293aab39c1a8949e0da4f8bc8d190ced2..f863e09c825437bfecf16d6e1b0c4b6984de74c1 100755
--- a/br-ext/package/optee_client/S30optee
+++ b/br-ext/package/optee_client/S30optee
@@ -11,7 +11,8 @@ case "$1" in
 # root provided that the TEE devices and the data store have
 # proper permissions
 printf "Setting permissions on /dev/tee*... "
- chown root:tee /dev/tee* && chmod 0660 /dev/tee*
+ chown root:tee /dev/teepriv0 && chmod 0660 /dev/teepriv0 && \
+ chown root:teeclnt /dev/tee0 && chmod 0660 /dev/tee0
 [ $? = 0 ] && echo "OK" || echo "FAIL"
 printf "Starting tee-supplicant... "
 su tee -c '/usr/sbin/tee-supplicant -d'
diff --git a/br-ext/package/optee_client/optee_client.mk b/br-ext/package/optee_client/optee_client.mk
index d0d0487161a3bdeb920a831bbcab27087c8a911e..420e5fddd3d710971ce83dfa91a5cf4092c67361 100644
--- a/br-ext/package/optee_client/optee_client.mk
+++ b/br-ext/package/optee_client/optee_client.mk
@@ -17,8 +17,13 @@ define OPTEE_CLIENT_INSTALL_INIT_SYSV
 $(OPTEE_CLIENT_INSTALL_SUPPLICANT_SCRIPT)
 endef
+# User tee is used to run tee-supplicant because access to /dev/teepriv0 is
+# restricted to group tee.
+# Any user in group teeclnt (such as test) may run client applications.
 define OPTEE_CLIENT_USERS
 tee -1 tee -1 * - /bin/sh - TEE user
+ - -1 teeclnt -1 - - - - TEE users group
+ test -1 test -1 - - /bin/sh teeclnt Test user, may run TEE client applications
 endef
 define OPTEE_CLIENT_PERMISSIONS
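Review bot: In br-ext/package/optee_client/S30optee the added chown/chmod lines name only `/dev/teepriv0` and `/dev/tee0`, where the removed line covered every `/dev/tee*` node, so a second TEE device (if the kernel ever registers one) would keep whatever owner and mode it was created with, and the `Setting permissions on /dev/tee*...` message no longer describes what is done. Globs that keep the two device classes apart would preserve the tee/teeclnt split without pinning the index: `chown root:tee /dev/teepriv[0-9]* && chmod 0660 /dev/teepriv[0-9]* && \` followed by `chown root:teeclnt /dev/tee[0-9]* && chmod 0660 /dev/tee[0-9]*`. The enclosing `case` branch starts and ends outside the hunk, so how a FAIL result is handled beyond the visible echo cannot be judged from here.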
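Review bot: The `test` row added to OPTEE_CLIENT_USERS in br-ext/package/optee_client/optee_client.mk has `-` in the password column where `tee` has `*`; as I read Buildroot's users-table format, `-` leaves the password unset, so together with the banner change in br-ext/configs/optee_generic this appears to create a shell account that logs in without a password and can open /dev/tee0 through group teeclnt. The new comment explains the group split but not that, and it should, for example `# test has no password set and is meant for test images only; remove it or set its password field to * before building a production image.` If the account is wanted only for the test configuration, consider guarding the row behind a config option instead of adding it whenever the package is selected.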