diff --git a/br-ext/package/optee_client/S30optee b/br-ext/package/optee_client/S30optee
index f863e09c825437bfecf16d6e1b0c4b6984de74c1..df6129fbfaa704c47630c1a06680fc3fd9d02a80 100755
--- a/br-ext/package/optee_client/S30optee
+++ b/br-ext/package/optee_client/S30optee
@@ -14,6 +14,11 @@ case "$1" in
 		chown root:tee /dev/teepriv0 && chmod 0660 /dev/teepriv0 && \
 			chown root:teeclnt /dev/tee0 && chmod 0660 /dev/tee0
 		[ $? = 0 ] && echo "OK" || echo "FAIL"
+		if [ -e /dev/ion ]; then
+			printf "Setting permissions on /dev/ion... "
+			chown root:ion /dev/ion && chmod 0660 /dev/ion
+			[ $? = 0 ] && echo "OK" || echo "FAIL"
+		fi
 		printf "Starting tee-supplicant... "
 		su tee -c '/usr/sbin/tee-supplicant -d'
 		[ $? = 0 ] && echo "OK" || echo "FAIL"
diff --git a/br-ext/package/optee_client/optee_client.mk b/br-ext/package/optee_client/optee_client.mk
index 420e5fddd3d710971ce83dfa91a5cf4092c67361..18dd799d84794d7587eb86d0b609f72f6dd4033e 100644
--- a/br-ext/package/optee_client/optee_client.mk
+++ b/br-ext/package/optee_client/optee_client.mk
@@ -20,10 +20,12 @@ endef
 # User tee is used to run tee-supplicant because access to /dev/teepriv0 is
 # restricted to group tee.
 # Any user in group teeclnt (such as test) may run client applications.
+# Any user in group ion may access /dev/ion
 define OPTEE_CLIENT_USERS
 	tee -1 tee -1 * - /bin/sh - TEE user
 	- -1 teeclnt -1 - - - - TEE users group
-	test -1 test -1 - - /bin/sh teeclnt Test user, may run TEE client applications
+	- -1 ion -1 - - - - ION users group
+	test -1 test -1 - - /bin/sh teeclnt,ion Test user, may run TEE client applications
 endef
 
 define OPTEE_CLIENT_PERMISSIONS