
[v2,1/3] arm/arm-bsp: optee: add version 4.9.0

Message ID 20260126171658.40998-2-hugues.kambampiana@arm.com
State New
Series arm/arm-bsp: optee: upgrade to 4.9.0 | expand

Commit Message

Hugues KAMBA MPIANA Jan. 26, 2026, 5:16 p.m. UTC
OP-TEE version 4.9.0 was released on 2026-01-16 [1].

Add OP-TEE recipes to point to version 4.9.0

Link: [1]: https://github.com/OP-TEE/optee_os/blob/master/CHANGELOG.md#op-tee---version-490-2026-01-16

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Tested-by: Quentin Schulz <quentin.schulz@cherry.de> # xtest on PX30, RK3399, RK3588
---
 .../optee-ftpm/optee-ftpm_4.9.0.bb            | 94 +++++++++++++++++++
 .../optee/optee-client_4.9.0.bb               |  4 +
 .../optee/optee-examples_4.9.0.bb             |  4 +
 .../optee/optee-os-tadevkit_4.9.0.bb          | 30 ++++++
 .../recipes-security/optee/optee-os_4.9.0.bb  |  6 ++
 .../recipes-security/optee/optee-test.inc     |  4 +-
 ...{optee-test_git.bb => optee-test_4.9.0.bb} | 15 ++-
 .../recipes-security/optee/optee-test_git.bb  |  7 +-
 8 files changed, 153 insertions(+), 11 deletions(-)
 create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.9.0.bb
 create mode 100644 meta-arm/recipes-security/optee/optee-client_4.9.0.bb
 create mode 100644 meta-arm/recipes-security/optee/optee-examples_4.9.0.bb
 create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit_4.9.0.bb
 create mode 100644 meta-arm/recipes-security/optee/optee-os_4.9.0.bb
 copy meta-arm/recipes-security/optee/{optee-test_git.bb => optee-test_4.9.0.bb} (68%)

Comments

Quentin Schulz Jan. 27, 2026, 9:52 a.m. UTC | #1
Hi Hugues,

On 1/26/26 6:16 PM, Hugues KAMBA MPIANA wrote:
[...]
> diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.9.0.bb b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.9.0.bb
> new file mode 100644
> index 00000000..5dfc88c6
> --- /dev/null
> +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.9.0.bb
> @@ -0,0 +1,94 @@
> +SUMMARY = "OPTEE fTPM Microsoft TA"
> +DESCRIPTION = "TCG reference implementation of the TPM 2.0 Specification."
> +HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
> +
> +COMPATIBLE_MACHINE ?= "invalid"
> +COMPATIBLE_MACHINE:genericarm64 = "genericarm64"
> +COMPATIBLE_MACHINE:qemuarm64 = "qemuarm64"
> +COMPATIBLE_MACHINE:qemuarm64-secureboot = "qemuarm64"
> +COMPATIBLE_MACHINE:qemuarm-secureboot = "qemuarm"
> +
> +inherit deploy python3native
> +
> +LICENSE = "MIT"
> +LIC_FILES_CHKSUM = "file://LICENSE;md5=5a3925ece0806073ae9ebbb08ff6f11e"
> +LIC_FILES_CHKSUM += "file://optee-ta/LICENSE;md5=5a3925ece0806073ae9ebbb08ff6f11e"
> +
> +DEPENDS = "python3-pyelftools-native optee-os-tadevkit python3-cryptography-native"
> +DEPENDS:append:toolchain-clang = " lld-native"
> +
> +FTPM_UUID = "bc50d971-d4c9-42c4-82cb-343fb7f37896"
> +
> +SRC_URI_ms-tpm   ?= "gitsm://github.com/Microsoft/ms-tpm-20-ref;protocol=https"
> +SRC_URI_optee-ta ?= "gitsm://github.com/OP-TEE/optee_ftpm.git;protocol=https"
> +
> +SRCBRANCH_ms-tpm    = "main"
> +SRCBRANCH_optee-ta  = "master"
> +

Maybe we should use a ;tag= for optee-ta since we have tags and use them?

[...]

> diff --git a/meta-arm/recipes-security/optee/optee-test.inc b/meta-arm/recipes-security/optee/optee-test.inc
> index 397515f9..922911ad 100644
> --- a/meta-arm/recipes-security/optee/optee-test.inc
> +++ b/meta-arm/recipes-security/optee/optee-test.inc
> @@ -11,7 +11,9 @@ require optee.inc
>   DEPENDS = "optee-client optee-os-tadevkit python3-cryptography-native openssl"
>   DEPENDS:append:toolchain-clang = " lld-native"
>   
> -SRC_URI = "git://github.com/OP-TEE/optee_test.git;branch=master;protocol=https \
> +OPTEE_TEST_GIT_TAG = ";tag=${PV}"
> +

We could have this in optee.inc I believe? It applies to all recipes for 
which we have a tag and want to use that tag.

Also not entirely sure it makes sense to pass both branch=master and
tag=${PV} (but the former is most welcome when the latter isn't
specified), so maybe something like

in .inc files:
SRC_URI_BRANCH_OR_TAG ?= "tag=${PV}"

in _git.bb files:
SRC_URI_BRANCH_OR_TAG = "branch=master"

SRC_URI = 
"git://github.com/OP-TEE/optee_test.git;protocol=https;${SRC_URI_BRANCH_OR_TAG}"

for example (not tested!). Or maybe even

SRC_URI_BRANCH_OR_TAG ?= "${@'tag=${PV}' if d.getVar('PV') != 'git' else 
branch='master'}"

such that if the recipe filename ends with _git it automatically is 
branch=master, otherwise it is the version number taken as a tag (again, 
not tested).

This can be a separate patch. No blocker for merging this in my opinion.

Cheers,
Quentin

Patch

diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.9.0.bb b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.9.0.bb
new file mode 100644
index 00000000..5dfc88c6
--- /dev/null
+++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.9.0.bb
@@ -0,0 +1,94 @@ 
+SUMMARY = "OPTEE fTPM Microsoft TA"
+DESCRIPTION = "TCG reference implementation of the TPM 2.0 Specification."
+HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
+
+COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE:genericarm64 = "genericarm64"
+COMPATIBLE_MACHINE:qemuarm64 = "qemuarm64"
+COMPATIBLE_MACHINE:qemuarm64-secureboot = "qemuarm64"
+COMPATIBLE_MACHINE:qemuarm-secureboot = "qemuarm"
+
+inherit deploy python3native
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=5a3925ece0806073ae9ebbb08ff6f11e"
+LIC_FILES_CHKSUM += "file://optee-ta/LICENSE;md5=5a3925ece0806073ae9ebbb08ff6f11e"
+
+DEPENDS = "python3-pyelftools-native optee-os-tadevkit python3-cryptography-native"
+DEPENDS:append:toolchain-clang = " lld-native"
+
+FTPM_UUID = "bc50d971-d4c9-42c4-82cb-343fb7f37896"
+
+SRC_URI_ms-tpm   ?= "gitsm://github.com/Microsoft/ms-tpm-20-ref;protocol=https"
+SRC_URI_optee-ta ?= "gitsm://github.com/OP-TEE/optee_ftpm.git;protocol=https"
+
+SRCBRANCH_ms-tpm    = "main"
+SRCBRANCH_optee-ta  = "master"
+
+SRC_URI = "\
+    ${SRC_URI_ms-tpm};branch=${SRCBRANCH_ms-tpm};name=ms-tpm;destsuffix=ms-tpm \
+    ${SRC_URI_optee-ta};branch=${SRCBRANCH_optee-ta};name=optee-ta;destsuffix=ms-tpm/optee-ta \
+"
+
+# As per optee-ftpm TA documentation, we have to use this SHA of MS TPM reference
+SRCREV_ms-tpm   ?= "98b60a44aba79b15fcce1c0d1e46cf5918400f6a"
+
+# v4.9.0
+SRCREV_optee-ta ?= "a09269b15de635e1816fe832e26adfbfb44c5455"
+
+SRCREV_FORMAT    = "ms-tpm_optee-ta"
+
+UPSTREAM_CHECK_COMMITS = "1"
+
+S = "${UNPACKDIR}/ms-tpm"
+
+OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
+
+EXTRA_OEMAKE += '\
+    COMPILER=${TOOLCHAIN} \
+    TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+    CROSS_COMPILE=${TARGET_PREFIX} \
+    CFG_MS_TPM_20_REF="${S}" \
+    CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST}" \
+'
+
+EXTRA_OEMAKE:append:aarch64:qemuall = "\
+    CFG_ARM64_ta_arm64=y \
+"
+
+CFLAGS:append:toolchain-clang = " -Wno-unknown-warning-option"
+
+# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
+# right path until this is relocated automatically.
+export OPENSSL_MODULES = "${STAGING_LIBDIR_NATIVE}/ossl-modules"
+
+PARALLEL_MAKE = ""
+
+do_compile() {
+    cd ${S}/optee-ta
+    oe_runmake
+}
+
+do_install () {
+    mkdir -p ${D}/${nonarch_base_libdir}/optee_armtz
+    install -D -p -m 0644 ${S}/optee-ta/${FTPM_UUID}.ta ${D}/${nonarch_base_libdir}/optee_armtz/
+    install -D -p -m 0644 ${S}/optee-ta/${FTPM_UUID}.stripped.elf ${D}/${nonarch_base_libdir}/optee_armtz/
+}
+
+do_deploy () {
+    install -d ${DEPLOYDIR}/optee
+    install -D -p -m 0644 ${S}/optee-ta/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/
+}
+
+addtask deploy before do_build after do_install
+
+FILES:${PN} += " \
+               ${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.ta \
+               ${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.stripped.elf \
+               "
+
+# Imports machine specific configs from staging to build
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+INSANE_SKIP:${PN} += "ldflags"
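Review bot: The recipe never says which key signs `${FTPM_UUID}.ta`: `EXTRA_OEMAKE` passes only `TA_DEV_KIT_DIR`, so the signing key is presumably whatever the dev kit staged by optee-os-tadevkit provides, which for an unmodified OP-TEE build would be the publicly known development key. That matters more for an fTPM than for a test TA, because a TEE that accepts this key accepts any other TA signed with it. I would document the assumption above `EXTRA_OEMAKE`, for example `# The TA is signed with the key from the TA dev kit; production images must supply their own key (TA_SIGN_KEY)`. A matching note belongs in optee-os-tadevkit_4.9.0.bb, whose `do_install` copies the whole export directory with `cp -aR`.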
diff --git a/meta-arm/recipes-security/optee/optee-client_4.9.0.bb b/meta-arm/recipes-security/optee/optee-client_4.9.0.bb
new file mode 100644
index 00000000..b5c3f0a2
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-client_4.9.0.bb
@@ -0,0 +1,4 @@ 
+require recipes-security/optee/optee-client.inc
+
+# v4.9.0
+SRCREV = "9f5e90918093c1d1cd264d8149081b64ab7ba672"
diff --git a/meta-arm/recipes-security/optee/optee-examples_4.9.0.bb b/meta-arm/recipes-security/optee/optee-examples_4.9.0.bb
new file mode 100644
index 00000000..7c9bd972
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-examples_4.9.0.bb
@@ -0,0 +1,4 @@ 
+require recipes-security/optee/optee-examples.inc
+
+# v4.9.0
+SRCREV = "934c7edb74a26e90f68024cf441073528444177f"
diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit_4.9.0.bb b/meta-arm/recipes-security/optee/optee-os-tadevkit_4.9.0.bb
new file mode 100644
index 00000000..cca9f62a
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os-tadevkit_4.9.0.bb
@@ -0,0 +1,30 @@ 
+require recipes-security/optee/optee-os_${PV}.bb
+
+SUMMARY = "OP-TEE Trusted OS TA devkit"
+DESCRIPTION = "OP-TEE TA devkit for build TAs"
+HOMEPAGE = "https://www.op-tee.org/"
+
+DEPENDS += "python3-pycryptodome-native"
+DEPENDS:append:toolchain-clang = " lld-native"
+
+do_install() {
+    #install TA devkit
+    install -d ${D}${includedir}/optee/export-user_ta/
+    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
+        cp -aR $f ${D}${includedir}/optee/export-user_ta/
+    done
+}
+
+do_deploy() {
+	echo "Do not inherit do_deploy from optee-os."
+}
+
+FILES:${PN} = "${includedir}/optee/"
+
+# Build paths are currently embedded
+INSANE_SKIP:${PN}-dev += "buildpaths"
+
+# Include extra headers needed by SPMC tests to TA DEVKIT.
+# Supported after op-tee v3.20
+EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
+                                        ' CFG_SPMC_TESTS=y', '' , d)}"
diff --git a/meta-arm/recipes-security/optee/optee-os_4.9.0.bb b/meta-arm/recipes-security/optee/optee-os_4.9.0.bb
new file mode 100644
index 00000000..cd369382
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-os_4.9.0.bb
@@ -0,0 +1,6 @@ 
+require recipes-security/optee/optee-os.inc
+
+DEPENDS += "dtc-native"
+
+# 4.9.0
+SRCREV = "c2b0684fcd89929976a8726e6e3af922b48dd2c7"
diff --git a/meta-arm/recipes-security/optee/optee-test.inc b/meta-arm/recipes-security/optee/optee-test.inc
index 397515f9..922911ad 100644
--- a/meta-arm/recipes-security/optee/optee-test.inc
+++ b/meta-arm/recipes-security/optee/optee-test.inc
@@ -11,7 +11,9 @@  require optee.inc
 DEPENDS = "optee-client optee-os-tadevkit python3-cryptography-native openssl"
 DEPENDS:append:toolchain-clang = " lld-native"
 
-SRC_URI = "git://github.com/OP-TEE/optee_test.git;branch=master;protocol=https \
+OPTEE_TEST_GIT_TAG = ";tag=${PV}"
+
+SRC_URI = "git://github.com/OP-TEE/optee_test.git;branch=master;protocol=https${OPTEE_TEST_GIT_TAG} \
            file://run-ptest \
           "
 
diff --git a/meta-arm/recipes-security/optee/optee-test_git.bb b/meta-arm/recipes-security/optee/optee-test_4.9.0.bb
similarity index 68%
copy from meta-arm/recipes-security/optee/optee-test_git.bb
copy to meta-arm/recipes-security/optee/optee-test_4.9.0.bb
index d2933390..2cd5fc5c 100644
--- a/meta-arm/recipes-security/optee/optee-test_git.bb
+++ b/meta-arm/recipes-security/optee/optee-test_4.9.0.bb
@@ -1,10 +1,12 @@ 
 require recipes-security/optee/optee-test.inc
 
-# v4.8.0
-SRCREV = "6569cd7b13e1b37b37069e090d592adca7d3926d"
-PV .= "+git"
+# v4.9.0
+SRCREV = "b27648ea8472cceceb8dda368a965c709066f7aa"
 
-LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560"
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560 \
+                    file://LICENSE-BSD;md5=dca16d6efa93b55d0fd662ae5cd6feeb \
+                    file://LICENSE-GPL;md5=10e86b5d2a6cb0e2b9dcfdd26a9ac58d \
+                   "
 
 # Include ffa_spmc test group if the SPMC test is enabled.
 # Supported after op-tee v3.20
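Review bot: `LIC_FILES_CHKSUM` now also tracks `LICENSE-BSD` and `LICENSE-GPL`, but `LICENSE` itself is set outside this hunk (presumably in optee-test.inc) and is not touched by the patch. If that value does not already name both licences, the package metadata and any SBOM or licence manifest generated from it will understate the GPL-licensed content, so please confirm it. The same two entries are added in the optee-test_git.bb hunk, which still pins the SRCREV marked `# v4.8.0`; both files have to exist with these checksums at that revision too, or the licence checksum QA will fail for the git recipe.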
@@ -13,8 +15,3 @@  EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test
 
 RDEPENDS:${PN} += "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
                                               ' arm-ffa-user', '' , d)}"
-
-# Not a release recipe, try our hardest to not pull this in implicitly
-DEFAULT_PREFERENCE = "-1"
-
-CFLAGS += "-Wno-error=unterminated-string-initialization"
diff --git a/meta-arm/recipes-security/optee/optee-test_git.bb b/meta-arm/recipes-security/optee/optee-test_git.bb
index d2933390..dfbef843 100644
--- a/meta-arm/recipes-security/optee/optee-test_git.bb
+++ b/meta-arm/recipes-security/optee/optee-test_git.bb
@@ -4,7 +4,12 @@  require recipes-security/optee/optee-test.inc
 SRCREV = "6569cd7b13e1b37b37069e090d592adca7d3926d"
 PV .= "+git"
 
-LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560"
+OPTEE_TEST_GIT_TAG = ""
+
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560 \
+                    file://LICENSE-BSD;md5=dca16d6efa93b55d0fd662ae5cd6feeb \
+                    file://LICENSE-GPL;md5=10e86b5d2a6cb0e2b9dcfdd26a9ac58d \
+                   "
 
 # Include ffa_spmc test group if the SPMC test is enabled.
 # Supported after op-tee v3.20