diff --git a/meta-arm-bsp/conf/machine/fvp-base.conf b/meta-arm-bsp/conf/machine/fvp-base.conf
index 03896a347184..b69995256008 100644
--- a/meta-arm-bsp/conf/machine/fvp-base.conf
+++ b/meta-arm-bsp/conf/machine/fvp-base.conf
@@ -20,6 +20,8 @@ SERIAL_CONSOLES = "115200;ttyAMA0"
 # FIXME -  This is being upstreamed.  Remove once that has occurred.
 KERNEL_CONSOLE ?= "${@','.join(d.getVar('SERIAL_CONSOLES').split(' ')[0].split(';')[::-1]) or 'ttyS0'}"
 
+PREFERRED_VERSION_trusted-firmware-a ?= "2.11.%"
+
 PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
 KERNEL_DTB_NAME = "fvp-base-revc.dtb"
 KERNEL_DEVICETREE = "arm/${KERNEL_DTB_NAME}"
diff --git a/meta-arm-bsp/conf/machine/sgi575.conf b/meta-arm-bsp/conf/machine/sgi575.conf
index 3c2c94b6dcbf..e905c4293792 100644
--- a/meta-arm-bsp/conf/machine/sgi575.conf
+++ b/meta-arm-bsp/conf/machine/sgi575.conf
@@ -6,6 +6,8 @@
 
 require conf/machine/include/arm/armv8-2a/tune-cortexa75.inc
 
+PREFERRED_VERSION_trusted-firmware-a ?= "2.11.%"
+
 EXTRA_IMAGEDEPENDS += "virtual/control-processor-firmware"
 
 EXTRA_IMAGEDEPENDS += "trusted-firmware-a"
diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.12.0.bb b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.12.0.bb
new file mode 100644
index 000000000000..ceaac263fc75
--- /dev/null
+++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.12.0.bb
@@ -0,0 +1,19 @@
+require recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
+
+# TF-A v2.12.0
+SRCREV_tfa = "4ec2948fe3f65dba2f19e691e702f7de2949179c"
+SRCBRANCH = "master"
+
+LIC_FILES_CHKSUM += "file://docs/license.rst;md5=83b7626b8c7a37263c6a58af8d19bee1"
+
+# in TF-A src, docs/getting_started/prerequisites.rst lists the expected version mbedtls
+# mbedtls-3.6.1
+SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;destsuffix=git/mbedtls;branch=mbedtls-3.6"
+SRCREV_mbedtls = "71c569d44bf3a8bd53d874c81ee8ac644dd6e9e3"
+
+LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=379d5819937a6c2f1ef1630d341e026d"
+
+# continue to boot also without TPM
+SRC_URI += "\
+    file://0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch \
+"