new file mode 100644
@@ -0,0 +1,94 @@
+SUMMARY = "OPTEE fTPM Microsoft TA"
+DESCRIPTION = "TCG reference implementation of the TPM 2.0 Specification."
+HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
+
+COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE:genericarm64 = "genericarm64"
+COMPATIBLE_MACHINE:qemuarm64 = "qemuarm64"
+COMPATIBLE_MACHINE:qemuarm64-secureboot = "qemuarm64"
+COMPATIBLE_MACHINE:qemuarm-secureboot = "qemuarm"
+
+inherit deploy python3native
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=5a3925ece0806073ae9ebbb08ff6f11e"
+LIC_FILES_CHKSUM += "file://optee-ta/LICENSE;md5=5a3925ece0806073ae9ebbb08ff6f11e"
+
+DEPENDS = "python3-pyelftools-native optee-os-tadevkit python3-cryptography-native"
+DEPENDS:append:toolchain-clang = " lld-native"
+
+FTPM_UUID = "bc50d971-d4c9-42c4-82cb-343fb7f37896"
+
+SRC_URI_ms-tpm ?= "gitsm://github.com/Microsoft/ms-tpm-20-ref;protocol=https"
+SRC_URI_optee-ta ?= "gitsm://github.com/OP-TEE/optee_ftpm.git;protocol=https"
+
+SRCBRANCH_ms-tpm = "main"
+SRCBRANCH_optee-ta = "master"
+
+SRC_URI = "\
+ ${SRC_URI_ms-tpm};branch=${SRCBRANCH_ms-tpm};name=ms-tpm;destsuffix=ms-tpm \
+ ${SRC_URI_optee-ta};branch=${SRCBRANCH_optee-ta};name=optee-ta;destsuffix=ms-tpm/optee-ta \
+"
+
+# As per optee-ftpm TA documentation, we have to use this SHA of MS TPM reference
+SRCREV_ms-tpm ?= "98b60a44aba79b15fcce1c0d1e46cf5918400f6a"
+
+# v4.9.0
+SRCREV_optee-ta ?= "a09269b15de635e1816fe832e26adfbfb44c5455"
+
+SRCREV_FORMAT = "ms-tpm_optee-ta"
+
+UPSTREAM_CHECK_COMMITS = "1"
+
+S = "${UNPACKDIR}/ms-tpm"
+
+OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
+
+EXTRA_OEMAKE += '\
+ COMPILER=${TOOLCHAIN} \
+ TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+ CROSS_COMPILE=${TARGET_PREFIX} \
+ CFG_MS_TPM_20_REF="${S}" \
+ CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST}" \
+'
+
+EXTRA_OEMAKE:append:aarch64:qemuall = "\
+ CFG_ARM64_ta_arm64=y \
+"
+
+CFLAGS:append:toolchain-clang = " -Wno-unknown-warning-option"
+
+# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
+# right path until this is relocated automatically.
+export OPENSSL_MODULES = "${STAGING_LIBDIR_NATIVE}/ossl-modules"
+
+PARALLEL_MAKE = ""
+
+do_compile() {
+ cd ${S}/optee-ta
+ oe_runmake
+}
+
+do_install () {
+ mkdir -p ${D}/${nonarch_base_libdir}/optee_armtz
+ install -D -p -m 0644 ${S}/optee-ta/${FTPM_UUID}.ta ${D}/${nonarch_base_libdir}/optee_armtz/
+ install -D -p -m 0644 ${S}/optee-ta/${FTPM_UUID}.stripped.elf ${D}/${nonarch_base_libdir}/optee_armtz/
+}
+
+do_deploy () {
+ install -d ${DEPLOYDIR}/optee
+ install -D -p -m 0644 ${S}/optee-ta/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/
+}
+
+addtask deploy before do_build after do_install
+
+FILES:${PN} += " \
+ ${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.ta \
+ ${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.stripped.elf \
+ "
+
+# Imports machine specific configs from staging to build
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+INSANE_SKIP:${PN} += "ldflags"
new file mode 100644
@@ -0,0 +1,4 @@
+require recipes-security/optee/optee-client.inc
+
+# v4.9.0
+SRCREV = "9f5e90918093c1d1cd264d8149081b64ab7ba672"
new file mode 100644
@@ -0,0 +1,4 @@
+require recipes-security/optee/optee-examples.inc
+
+# v4.9.0
+SRCREV = "934c7edb74a26e90f68024cf441073528444177f"
new file mode 100644
@@ -0,0 +1,30 @@
+require recipes-security/optee/optee-os_${PV}.bb
+
+SUMMARY = "OP-TEE Trusted OS TA devkit"
+DESCRIPTION = "OP-TEE TA devkit for build TAs"
+HOMEPAGE = "https://www.op-tee.org/"
+
+DEPENDS += "python3-pycryptodome-native"
+DEPENDS:append:toolchain-clang = " lld-native"
+
+do_install() {
+ #install TA devkit
+ install -d ${D}${includedir}/optee/export-user_ta/
+ for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
+ cp -aR $f ${D}${includedir}/optee/export-user_ta/
+ done
+}
+
+do_deploy() {
+ echo "Do not inherit do_deploy from optee-os."
+}
+
+FILES:${PN} = "${includedir}/optee/"
+
+# Build paths are currently embedded
+INSANE_SKIP:${PN}-dev += "buildpaths"
+
+# Include extra headers needed by SPMC tests to TA DEVKIT.
+# Supported after op-tee v3.20
+EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
+ ' CFG_SPMC_TESTS=y', '' , d)}"
new file mode 100644
@@ -0,0 +1,8 @@
+require recipes-security/optee/optee-os.inc
+
+DEPENDS += "dtc-native"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+# 4.9.0
+SRCREV = "c2b0684fcd89929976a8726e6e3af922b48dd2c7"
new file mode 100644
@@ -0,0 +1,14 @@
+require recipes-security/optee/optee-test.inc
+
+# v4.9.0
+SRCREV = "b27648ea8472cceceb8dda368a965c709066f7aa"
+
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560"
+
+# Include ffa_spmc test group if the SPMC test is enabled.
+# Supported after op-tee v3.20
+EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
+ ' CFG_SPMC_TESTS=y CFG_SECURE_PARTITION=y', '' , d)}"
+
+RDEPENDS:${PN} += "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
+ ' arm-ffa-user', '' , d)}"
OP-TEE version 4.9.0 has been released on 2026-01-16 [1]. Add OP-TEE recipes to point to version 4.9.0 Link: [1]: https://github.com/OP-TEE/optee_os/blob/master/CHANGELOG.md#op-tee---version-490-2026-01-16 Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com> --- .../optee-ftpm/optee-ftpm_4.9.0.bb | 94 +++++++++++++++++++ .../optee/optee-client_4.9.0.bb | 4 + .../optee/optee-examples_4.9.0.bb | 4 + .../optee/optee-os-tadevkit_4.9.0.bb | 30 ++++++ .../recipes-security/optee/optee-os_4.9.0.bb | 8 ++ .../optee/optee-test_4.9.0.bb | 14 +++ 6 files changed, 154 insertions(+) create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.9.0.bb create mode 100644 meta-arm/recipes-security/optee/optee-client_4.9.0.bb create mode 100644 meta-arm/recipes-security/optee/optee-examples_4.9.0.bb create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit_4.9.0.bb create mode 100644 meta-arm/recipes-security/optee/optee-os_4.9.0.bb create mode 100644 meta-arm/recipes-security/optee/optee-test_4.9.0.bb