diff --git a/br-ext/package/optee_client/S30optee b/br-ext/package/optee_client/S30optee
index 11d999318790fca6d955d6813dc738d94c0247ae..2aede2c293aab39c1a8949e0da4f8bc8d190ced2 100755
--- a/br-ext/package/optee_client/S30optee
+++ b/br-ext/package/optee_client/S30optee
@@ -7,8 +7,14 @@
 case "$1" in
     start)
 	if [ -e /usr/sbin/tee-supplicant -a -e /dev/teepriv0 ]; then
+		# tee-supplicant and the client applications need not run as
+		# root provided that the TEE devices and the data store have
+		# proper permissions
+		printf "Setting permissions on /dev/tee*... "
+		chown root:tee /dev/tee* && chmod 0660 /dev/tee*
+		[ $? = 0 ] && echo "OK" || echo "FAIL"
 		printf "Starting tee-supplicant... "
-		/usr/sbin/tee-supplicant -d
+		su tee -c '/usr/sbin/tee-supplicant -d'
 		[ $? = 0 ] && echo "OK" || echo "FAIL"
 	else
 		echo "tee-supplicant or TEE device not found"
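Review bot: `chown root:tee /dev/tee* && chmod 0660 /dev/tee*` also matches /dev/teepriv0, so every member of group tee can open the supplicant-only node, not just the tee-supplicant process. The added comment expects client applications to run unprivileged too, presumably by joining group tee, so it would be tighter to handle the nodes separately: `chown tee:tee /dev/teepriv0 && chmod 0600 /dev/teepriv0`, keeping `root:tee` 0660 for `/dev/tee[0-9]*` only. The same shared group gets write access to the data store in the optee_client.mk hunk, where `/data/tee d 700 tee tee - - - - -` would keep clients out of it. A FAIL from the permission step still falls through to starting the supplicant; skipping the start in that case would make the boot log easier to read. The `case` block starts and ends outside the hunk.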
diff --git a/br-ext/package/optee_client/optee_client.mk b/br-ext/package/optee_client/optee_client.mk
index 0b746ad8e435de855fc97fd55fb92254b04373dc..d0d0487161a3bdeb920a831bbcab27087c8a911e 100644
--- a/br-ext/package/optee_client/optee_client.mk
+++ b/br-ext/package/optee_client/optee_client.mk
@@ -17,4 +17,13 @@ define OPTEE_CLIENT_INSTALL_INIT_SYSV
 	$(OPTEE_CLIENT_INSTALL_SUPPLICANT_SCRIPT)
 endef
 
+define OPTEE_CLIENT_USERS
+	tee -1 tee -1 * - /bin/sh - TEE user
+endef
+
+define OPTEE_CLIENT_PERMISSIONS
+	/data d 755 root root - - - - -
+	/data/tee d 770 tee tee - - - - -
+endef
+
 $(eval $(cmake-package))
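Review bot: The `/bin/sh` shell given to the `tee` account in OPTEE_CLIENT_USERS is what lets S30optee's `su tee -c '/usr/sbin/tee-supplicant -d'` run, but nothing in the define records that. A later hardening pass that swaps in a nologin shell would stop the supplicant from starting. A comment above the define would record the coupling, for example `# Shell must stay valid: S30optee starts tee-supplicant via "su tee -c"; password "*" keeps login disabled`. OPTEE_CLIENT_PERMISSIONS presumably applies only to the generated root filesystem, so if /data is mounted from a separate partition at runtime the 770 on /data/tee would not carry over and is worth confirming on target.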