| Message ID | 20260121140356.16818-2-hugues.kambampiana@arm.com |
|---|---|
| State | New |
| Series | arm/arm-bsp: optee: upgrade to 4.9.0 |
Hi Hugues, On 1/21/26 3:03 PM, Hugues KAMBA MPIANA wrote: [...] > diff --git a/meta-arm/recipes-security/optee/optee-os_4.9.0.bb b/meta-arm/recipes-security/optee/optee-os_4.9.0.bb > new file mode 100644 > index 00000000..8e64a636 > --- /dev/null > +++ b/meta-arm/recipes-security/optee/optee-os_4.9.0.bb > @@ -0,0 +1,8 @@ > +require recipes-security/optee/optee-os.inc > + > +DEPENDS += "dtc-native" > + > +FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" > + We don't need that line anymore as there are no in-tree patches for optee-os anymore. > +# 4.9.0 > +SRCREV = "c2b0684fcd89929976a8726e6e3af922b48dd2c7" > diff --git a/meta-arm/recipes-security/optee/optee-test_4.9.0.bb b/meta-arm/recipes-security/optee/optee-test_4.9.0.bb > new file mode 100644 > index 00000000..ddb574fc > --- /dev/null > +++ b/meta-arm/recipes-security/optee/optee-test_4.9.0.bb > @@ -0,0 +1,14 @@ > +require recipes-security/optee/optee-test.inc > + > +# v4.9.0 > +SRCREV = "b27648ea8472cceceb8dda368a965c709066f7aa" > + > +LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560" > + This isn't the actual license but a file pointing to other files. I would suggest to add LICENSE-BSD and LICENSE-GPL as well so that we can catch modifications to those files. I've checked all commit hashes, they match the tags. I've run `xtest` on Rockchip PX30, RK3399 and RK3588 and they all pass, so: Tested-by: Quentin Schulz <quentin.schulz@cherry.de> # xtest on PX30, RK3399, RK3588 We should probably think about also passing ;tag=${PV} to the SRC_URI via a variable such that we can not pass it when building the _git.bb variant of the recipes. Thanks! Quentin
On Mon, Jan 26, 2026 at 02:48:29PM +0100, Quentin Schulz via lists.yoctoproject.org wrote: > Hi Hugues, > > On 1/21/26 3:03 PM, Hugues KAMBA MPIANA wrote: > [...] > >diff --git a/meta-arm/recipes-security/optee/optee-os_4.9.0.bb b/meta-arm/recipes-security/optee/optee-os_4.9.0.bb > >new file mode 100644 > >index 00000000..8e64a636 > >--- /dev/null > >+++ b/meta-arm/recipes-security/optee/optee-os_4.9.0.bb > >@@ -0,0 +1,8 @@ > >+require recipes-security/optee/optee-os.inc > >+ > >+DEPENDS += "dtc-native" > >+ > >+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" > >+ > > We don't need that line anymore as there are no in-tree patches for > optee-os anymore. This is not a bbappend, but a standalone recipe, so the line is not needed even with local patches. > >+# 4.9.0 > >+SRCREV = "c2b0684fcd89929976a8726e6e3af922b48dd2c7" > >diff --git a/meta-arm/recipes-security/optee/optee-test_4.9.0.bb b/meta-arm/recipes-security/optee/optee-test_4.9.0.bb > >new file mode 100644 > >index 00000000..ddb574fc > >--- /dev/null > >+++ b/meta-arm/recipes-security/optee/optee-test_4.9.0.bb 
> >@@ -0,0 +1,14 @@ > >+require recipes-security/optee/optee-test.inc > >+ > >+# v4.9.0 > >+SRCREV = "b27648ea8472cceceb8dda368a965c709066f7aa" > >+ > >+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560" > >+ > > This isn't the actual license but a file pointing to other files. I > would suggest to add LICENSE-BSD and LICENSE-GPL as well so that we > can catch modifications to those files. > > I've checked all commit hashes, they match the tags. > > I've run `xtest` on Rockchip PX30, RK3399 and RK3588 and they all pass, so: > > Tested-by: Quentin Schulz <quentin.schulz@cherry.de> # xtest on > PX30, RK3399, RK3588 > > We should probably think about also passing ;tag=${PV} to the Will this require network connectivity every time the recipe is parsed to resolve the tag, even when you have a corresponding snapshot available locally? > SRC_URI via a variable such that we can not pass it when building > the _git.bb variant of the recipes.
Hi Denys, On 1/26/26 3:56 PM, Denys Dmytriyenko wrote: > On Mon, Jan 26, 2026 at 02:48:29PM +0100, Quentin Schulz via lists.yoctoproject.org wrote: >> Hi Hugues, >> >> On 1/21/26 3:03 PM, Hugues KAMBA MPIANA wrote: >> [...] >>> diff --git a/meta-arm/recipes-security/optee/optee-os_4.9.0.bb b/meta-arm/recipes-security/optee/optee-os_4.9.0.bb >>> new file mode 100644 >>> index 00000000..8e64a636 >>> --- /dev/null >>> +++ b/meta-arm/recipes-security/optee/optee-os_4.9.0.bb >>> @@ -0,0 +1,8 @@ >>> +require recipes-security/optee/optee-os.inc >>> + >>> +DEPENDS += "dtc-native" >>> + >>> +FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" >>> + >> >> We don't need that line anymore as there are no in-tree patches for >> optee-os anymore. > > This is not a bbappend, but a standalone recipe, so the line is not needed > even with local patches. > Indeed, good catch. > >>> +# 4.9.0 >>> +SRCREV = "c2b0684fcd89929976a8726e6e3af922b48dd2c7" >>> diff --git a/meta-arm/recipes-security/optee/optee-test_4.9.0.bb b/meta-arm/recipes-security/optee/optee-test_4.9.0.bb >>> new file mode 100644 >>> index 00000000..ddb574fc >>> --- /dev/null >>> +++ b/meta-arm/recipes-security/optee/optee-test_4.9.0.bb 
>>> @@ -0,0 +1,14 @@ >>> +require recipes-security/optee/optee-test.inc >>> + >>> +# v4.9.0 >>> +SRCREV = "b27648ea8472cceceb8dda368a965c709066f7aa" >>> + >>> +LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560" >>> + >> >> This isn't the actual license but a file pointing to other files. I >> would suggest to add LICENSE-BSD and LICENSE-GPL as well so that we >> can catch modifications to those files. >> >> I've checked all commit hashes, they match the tags. >> >> I've run `xtest` on Rockchip PX30, RK3399 and RK3588 and they all pass, so: >> >> Tested-by: Quentin Schulz <quentin.schulz@cherry.de> # xtest on >> PX30, RK3399, RK3588 >> >> We should probably think about also passing ;tag=${PV} to the > > Will this require network connectivity every time the recipe is parsed to > resolve the tag, even when you have a corresponding snapshot available > locally? > It used to, but not anymore as far as I understood. Many recipes in OE-Core now do have ;tag=${PV} in their SRC_URI and I would expect that the project doesn't require network access by default. See commit d591d7633fe8 ("fetch/git: Rework tag parameter handling") in bitbake, available since Walnascar (5.2), which seems to hint that this is now possible. This adds an additional check that the commit hash does really match the tag. If the tag moves, then new builds will fail and you'll know that something happened upstream and likely requires your attention. Cheers, Quentin
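The tag-versus-hash check discussed in the reply above can also be run by hand against a local clone. This is an added example, not part of the thread and not bitbake's implementation; the function names are hypothetical and the repository is constructed on the fly so the script runs offline.

```shell
#!/bin/sh
# Added example: does a pinned revision still match what a release tag points at?

# Run git in REPO with a throwaway identity so no global config is needed.
demo_git() {
    repo=$1; shift
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid "$@"
}

# resolve_tag REPO TAG: print the commit the tag points at.
# ^{commit} peels annotated tags, so the result is comparable to a SRCREV.
resolve_tag() {
    git -C "$1" rev-parse --verify --quiet "refs/tags/$2^{commit}"
}

# srcrev_matches_tag REPO TAG SRCREV
# Returns 0 when the tag resolves to SRCREV, 1 when it resolves to something
# else (tag moved or wrong pin), 2 when the tag does not exist.
srcrev_matches_tag() {
    resolved=$(resolve_tag "$1" "$2") || return 2
    [ "$resolved" = "$3" ]
}

# make_demo_repo DIR: constructed repository with annotated tag 4.9.0 on the
# first commit and one later commit on top of it.
make_demo_repo() {
    git init -q "$1" &&
    demo_git "$1" commit -q --allow-empty -m "release" &&
    demo_git "$1" tag -a -m "4.9.0" 4.9.0 &&
    demo_git "$1" commit -q --allow-empty -m "later work"
}

# Demo: pin the tagged commit, then move the tag the way an upstream re-tag would.
tmp=$(mktemp -d)
make_demo_repo "$tmp/src"
pinned=$(resolve_tag "$tmp/src" 4.9.0)
srcrev_matches_tag "$tmp/src" 4.9.0 "$pinned" && echo "pin matches tag"
demo_git "$tmp/src" tag -f -a -m "moved" 4.9.0 HEAD >/dev/null
srcrev_matches_tag "$tmp/src" 4.9.0 "$pinned" || echo "tag moved: needs attention"
rm -rf "$tmp"
```
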
diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.9.0.bb b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.9.0.bb new file mode 100644 index 00000000..5dfc88c6 --- /dev/null +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.9.0.bb 
@@ -0,0 +1,94 @@ +SUMMARY = "OPTEE fTPM Microsoft TA" +DESCRIPTION = "TCG reference implementation of the TPM 2.0 Specification." +HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/" + +COMPATIBLE_MACHINE ?= "invalid" +COMPATIBLE_MACHINE:genericarm64 = "genericarm64" +COMPATIBLE_MACHINE:qemuarm64 = "qemuarm64" +COMPATIBLE_MACHINE:qemuarm64-secureboot = "qemuarm64" +COMPATIBLE_MACHINE:qemuarm-secureboot = "qemuarm" + +inherit deploy python3native + +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://LICENSE;md5=5a3925ece0806073ae9ebbb08ff6f11e" +LIC_FILES_CHKSUM += "file://optee-ta/LICENSE;md5=5a3925ece0806073ae9ebbb08ff6f11e" + +DEPENDS = "python3-pyelftools-native optee-os-tadevkit python3-cryptography-native" +DEPENDS:append:toolchain-clang = " lld-native" + +FTPM_UUID = "bc50d971-d4c9-42c4-82cb-343fb7f37896" + +SRC_URI_ms-tpm ?= "gitsm://github.com/Microsoft/ms-tpm-20-ref;protocol=https" +SRC_URI_optee-ta ?= "gitsm://github.com/OP-TEE/optee_ftpm.git;protocol=https" + +SRCBRANCH_ms-tpm = "main" +SRCBRANCH_optee-ta = "master" + +SRC_URI = "\ + ${SRC_URI_ms-tpm};branch=${SRCBRANCH_ms-tpm};name=ms-tpm;destsuffix=ms-tpm \ + ${SRC_URI_optee-ta};branch=${SRCBRANCH_optee-ta};name=optee-ta;destsuffix=ms-tpm/optee-ta \ +" + +# As per optee-ftpm TA documentation, we have to use this SHA of MS TPM reference +SRCREV_ms-tpm ?= "98b60a44aba79b15fcce1c0d1e46cf5918400f6a" + +# v4.9.0 +SRCREV_optee-ta ?= "a09269b15de635e1816fe832e26adfbfb44c5455" + +SRCREV_FORMAT = "ms-tpm_optee-ta" + +UPSTREAM_CHECK_COMMITS = "1" + +S = "${UNPACKDIR}/ms-tpm" + +OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}" +TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}" +TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta" + +EXTRA_OEMAKE += '\ + COMPILER=${TOOLCHAIN} \ + TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \ + CROSS_COMPILE=${TARGET_PREFIX} \ + CFG_MS_TPM_20_REF="${S}" \ + CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST}" \ +' + +EXTRA_OEMAKE:append:aarch64:qemuall = "\ + CFG_ARM64_ta_arm64=y \ +" + 
+CFLAGS:append:toolchain-clang = " -Wno-unknown-warning-option" + +# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the +# right path until this is relocated automatically. +export OPENSSL_MODULES = "${STAGING_LIBDIR_NATIVE}/ossl-modules" + +PARALLEL_MAKE = "" + +do_compile() { + cd ${S}/optee-ta + oe_runmake +} + +do_install () { + mkdir -p ${D}/${nonarch_base_libdir}/optee_armtz + install -D -p -m 0644 ${S}/optee-ta/${FTPM_UUID}.ta ${D}/${nonarch_base_libdir}/optee_armtz/ + install -D -p -m 0644 ${S}/optee-ta/${FTPM_UUID}.stripped.elf ${D}/${nonarch_base_libdir}/optee_armtz/ +} + +do_deploy () { + install -d ${DEPLOYDIR}/optee + install -D -p -m 0644 ${S}/optee-ta/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/ +} + +addtask deploy before do_build after do_install + +FILES:${PN} += " \ + ${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.ta \ + ${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.stripped.elf \ + " + +# Imports machine specific configs from staging to build +PACKAGE_ARCH = "${MACHINE_ARCH}" +INSANE_SKIP:${PN} += "ldflags" diff --git a/meta-arm/recipes-security/optee/optee-client_4.9.0.bb b/meta-arm/recipes-security/optee/optee-client_4.9.0.bb new file mode 100644 index 00000000..b5c3f0a2 --- /dev/null +++ b/meta-arm/recipes-security/optee/optee-client_4.9.0.bb @@ -0,0 +1,4 @@ +require recipes-security/optee/optee-client.inc + +# v4.9.0 +SRCREV = "9f5e90918093c1d1cd264d8149081b64ab7ba672" diff --git a/meta-arm/recipes-security/optee/optee-examples_4.9.0.bb b/meta-arm/recipes-security/optee/optee-examples_4.9.0.bb new file mode 100644 index 00000000..7c9bd972 --- /dev/null +++ b/meta-arm/recipes-security/optee/optee-examples_4.9.0.bb @@ -0,0 +1,4 @@ +require recipes-security/optee/optee-examples.inc + +# v4.9.0 +SRCREV = "934c7edb74a26e90f68024cf441073528444177f" 
diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit_4.9.0.bb b/meta-arm/recipes-security/optee/optee-os-tadevkit_4.9.0.bb new file mode 100644 index 00000000..cca9f62a --- /dev/null +++ b/meta-arm/recipes-security/optee/optee-os-tadevkit_4.9.0.bb @@ -0,0 +1,30 @@ +require recipes-security/optee/optee-os_${PV}.bb + +SUMMARY = "OP-TEE Trusted OS TA devkit" +DESCRIPTION = "OP-TEE TA devkit for build TAs" +HOMEPAGE = "https://www.op-tee.org/" + +DEPENDS += "python3-pycryptodome-native" +DEPENDS:append:toolchain-clang = " lld-native" + +do_install() { + #install TA devkit + install -d ${D}${includedir}/optee/export-user_ta/ + for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do + cp -aR $f ${D}${includedir}/optee/export-user_ta/ + done +} + +do_deploy() { + echo "Do not inherit do_deploy from optee-os." +} + +FILES:${PN} = "${includedir}/optee/" + +# Build paths are currently embedded +INSANE_SKIP:${PN}-dev += "buildpaths" + +# Include extra headers needed by SPMC tests to TA DEVKIT. +# Supported after op-tee v3.20 +EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' CFG_SPMC_TESTS=y', '' , d)}" diff --git a/meta-arm/recipes-security/optee/optee-os_4.9.0.bb b/meta-arm/recipes-security/optee/optee-os_4.9.0.bb new file mode 100644 index 00000000..8e64a636 --- /dev/null +++ b/meta-arm/recipes-security/optee/optee-os_4.9.0.bb @@ -0,0 +1,8 @@ +require recipes-security/optee/optee-os.inc + +DEPENDS += "dtc-native" + +FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" + +# 4.9.0 +SRCREV = "c2b0684fcd89929976a8726e6e3af922b48dd2c7" diff --git a/meta-arm/recipes-security/optee/optee-test_4.9.0.bb b/meta-arm/recipes-security/optee/optee-test_4.9.0.bb new file mode 100644 index 00000000..ddb574fc --- /dev/null +++ b/meta-arm/recipes-security/optee/optee-test_4.9.0.bb 
@@ -0,0 +1,14 @@ +require recipes-security/optee/optee-test.inc + +# v4.9.0 +SRCREV = "b27648ea8472cceceb8dda368a965c709066f7aa" + +LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560" + +# Include ffa_spmc test group if the SPMC test is enabled. +# Supported after op-tee v3.20 +EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' CFG_SPMC_TESTS=y CFG_SECURE_PARTITION=y', '' , d)}" + +RDEPENDS:${PN} += "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' arm-ffa-user', '' , d)}"
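Review bot: in optee-ftpm_4.9.0.bb the only thing tying SRCREV_optee-ta to the release is the "# v4.9.0" comment, while the optee-ta entry in SRC_URI follows branch=${SRCBRANCH_optee-ta} (master) with no tag. Since SRC_URI is assembled in this file, a ;tag= parameter on the optee-ta entry, as discussed in the thread, would let the fetcher flag a tag and hash that no longer agree. Separately, PARALLEL_MAKE = "" and INSANE_SKIP:${PN} += "ldflags" carry no comment saying why they are needed; a one-line reason for each would help the next version bump.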
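Review bot: in optee-os-tadevkit_4.9.0.bb, do_deploy() is overridden with a body that only echoes "Do not inherit do_deploy from optee-os.", so the task still runs and just leaves a message in the log. If the aim is to skip the deploy step pulled in through require recipes-security/optee/optee-os_${PV}.bb, do_deploy[noexec] = "1" states that directly. In do_install, cp -aR $f leaves $f unquoted and -a also preserves ownership; quoting "$f" and using cp -R --no-dereference --preserve=mode,links keeps build-host ownership out of ${D}.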
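Review bot: FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" in optee-os_4.9.0.bb can be dropped; as noted in the thread this is a standalone recipe rather than a bbappend, and the patch adds no local files for it. The line is also inherited by optee-os-tadevkit_4.9.0.bb through its require, so removing it here cleans up both. The version comment reads "# 4.9.0" here while the other recipes in this patch use "# v4.9.0"; pick one form.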
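Review bot: LIC_FILES_CHKSUM in optee-test_4.9.0.bb checksums only LICENSE.md, which the thread points out is a pointer to the real license files rather than the license text itself. Adding file:// entries with checksums for LICENSE-BSD and LICENSE-GPL, as suggested there, would make a change to either license text fail the build instead of passing unnoticed.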
OP-TEE version 4.9.0 has been released on 2026-01-16 [1]. Add OP-TEE recipes to point to version 4.9.0 Link: [1]: https://github.com/OP-TEE/optee_os/blob/master/CHANGELOG.md#op-tee---version-490-2026-01-16 Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com> --- .../optee-ftpm/optee-ftpm_4.9.0.bb | 94 +++++++++++++++++++ .../optee/optee-client_4.9.0.bb | 4 + .../optee/optee-examples_4.9.0.bb | 4 + .../optee/optee-os-tadevkit_4.9.0.bb | 30 ++++++ .../recipes-security/optee/optee-os_4.9.0.bb | 8 ++ .../optee/optee-test_4.9.0.bb | 14 +++ 6 files changed, 154 insertions(+) create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.9.0.bb create mode 100644 meta-arm/recipes-security/optee/optee-client_4.9.0.bb create mode 100644 meta-arm/recipes-security/optee/optee-examples_4.9.0.bb create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit_4.9.0.bb create mode 100644 meta-arm/recipes-security/optee/optee-os_4.9.0.bb create mode 100644 meta-arm/recipes-security/optee/optee-test_4.9.0.bb