From patchwork Tue Jan 27 15:45:23 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hugues KAMBA MPIANA X-Patchwork-Id: 79866 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DFA74D34094 for ; Tue, 27 Jan 2026 15:45:40 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.14325.1769528737305163183 for ; Tue, 27 Jan 2026 07:45:37 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: hugues.kambampiana@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 617DD1650; Tue, 27 Jan 2026 07:45:30 -0800 (PST) Received: from LXKV206JHX.emea.arm.com (LXKV206JHX.cambridge.arm.com [10.1.28.17]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 4C30B3F632; Tue, 27 Jan 2026 07:45:36 -0800 (PST) 
From: Hugues KAMBA MPIANA To: meta-arm@lists.yoctoproject.org Cc: Hugues KAMBA MPIANA , Quentin Schulz Subject: [PATCH v3 1/3] arm/arm-bsp: optee: add version 4.9.0 Date: Tue, 27 Jan 2026 15:45:23 +0000 Message-ID: <20260127154532.27572-2-hugues.kambampiana@arm.com> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20260127154532.27572-1-hugues.kambampiana@arm.com> References: <20260127154532.27572-1-hugues.kambampiana@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 27 Jan 2026 15:45:40 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/6880 OP-TEE version 4.9.0 has been released on 2026-01-16 [1]. Add OP-TEE recipes to point to version 4.9.0 Link: [1]: https://github.com/OP-TEE/optee_os/blob/master/CHANGELOG.md#op-tee---version-490-2026-01-16 
Signed-off-by: Hugues KAMBA MPIANA Tested-by: Quentin Schulz # xtest on PX30, RK3399, RK3588 --- .../optee-ftpm/optee-ftpm_4.9.0.bb | 94 +++++++++++++++++++ .../optee/optee-client_4.9.0.bb | 4 + .../recipes-security/optee/optee-examples.inc | 2 +- .../optee/optee-examples_4.9.0.bb | 4 + .../optee/optee-os-tadevkit_4.9.0.bb | 30 ++++++ meta-arm/recipes-security/optee/optee-os.inc | 2 +- .../recipes-security/optee/optee-os_4.9.0.bb | 6 ++ .../recipes-security/optee/optee-test.inc | 2 +- ...{optee-test_git.bb => optee-test_4.9.0.bb} | 15 ++- .../recipes-security/optee/optee-test_git.bb | 5 +- meta-arm/recipes-security/optee/optee.inc | 3 + 11 files changed, 154 insertions(+), 13 deletions(-) create mode 100644 meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.9.0.bb create mode 100644 meta-arm/recipes-security/optee/optee-client_4.9.0.bb create mode 100644 meta-arm/recipes-security/optee/optee-examples_4.9.0.bb create mode 100644 meta-arm/recipes-security/optee/optee-os-tadevkit_4.9.0.bb create mode 100644 meta-arm/recipes-security/optee/optee-os_4.9.0.bb copy meta-arm/recipes-security/optee/{optee-test_git.bb => optee-test_4.9.0.bb} (68%) diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.9.0.bb b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.9.0.bb new file mode 100644 index 00000000..0cbefcee --- /dev/null +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm_4.9.0.bb 
@@ -0,0 +1,94 @@
+SUMMARY = "OPTEE fTPM Microsoft TA"
+DESCRIPTION = "TCG reference implementation of the TPM 2.0 Specification."
+HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
+
+COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE:genericarm64 = "genericarm64"
+COMPATIBLE_MACHINE:qemuarm64 = "qemuarm64"
+COMPATIBLE_MACHINE:qemuarm64-secureboot = "qemuarm64"
+COMPATIBLE_MACHINE:qemuarm-secureboot = "qemuarm"
+
+inherit deploy python3native
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=5a3925ece0806073ae9ebbb08ff6f11e"
+LIC_FILES_CHKSUM += "file://optee-ta/LICENSE;md5=5a3925ece0806073ae9ebbb08ff6f11e"
+
+DEPENDS = "python3-pyelftools-native optee-os-tadevkit python3-cryptography-native"
+DEPENDS:append:toolchain-clang = " lld-native"
+
+FTPM_UUID = "bc50d971-d4c9-42c4-82cb-343fb7f37896"
+
+SRC_URI_ms-tpm ?= "gitsm://github.com/Microsoft/ms-tpm-20-ref;protocol=https"
+SRC_URI_optee-ta ?= "gitsm://github.com/OP-TEE/optee_ftpm.git;protocol=https"
+
+SRCBRANCH_ms-tpm = "main"
+OPTEE_TA_GIT_TAG ?= "tag=${PV};nobranch=1"
+
+SRC_URI = "\
+ ${SRC_URI_ms-tpm};branch=${SRCBRANCH_ms-tpm};name=ms-tpm;destsuffix=ms-tpm \
+ ${SRC_URI_optee-ta};${OPTEE_TA_GIT_TAG};name=optee-ta;destsuffix=ms-tpm/optee-ta \
+"
+
+# As per optee-ftpm TA documentation, we have to use this SHA of MS TPM reference
+SRCREV_ms-tpm ?= "98b60a44aba79b15fcce1c0d1e46cf5918400f6a"
+
+# v4.9.0
+SRCREV_optee-ta ?= "a09269b15de635e1816fe832e26adfbfb44c5455"
+
+SRCREV_FORMAT = "ms-tpm_optee-ta"
+
+UPSTREAM_CHECK_COMMITS = "1"
+
+S = "${UNPACKDIR}/ms-tpm"
+
+OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
+
+EXTRA_OEMAKE += '\
+ COMPILER=${TOOLCHAIN} \
+ TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+ CROSS_COMPILE=${TARGET_PREFIX} \
+ CFG_MS_TPM_20_REF="${S}" \
+ CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST}" \
+'
+
+EXTRA_OEMAKE:append:aarch64:qemuall = "\
+ CFG_ARM64_ta_arm64=y \
+"
+
+CFLAGS:append:toolchain-clang = " -Wno-unknown-warning-option"
+
+# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
+# right path until this is relocated automatically.
+export OPENSSL_MODULES = "${STAGING_LIBDIR_NATIVE}/ossl-modules"
+
+PARALLEL_MAKE = ""
+
+do_compile() {
+ cd ${S}/optee-ta
+ oe_runmake
+}
+
+do_install () {
+ mkdir -p ${D}/${nonarch_base_libdir}/optee_armtz
+ install -D -p -m 0644 ${S}/optee-ta/${FTPM_UUID}.ta ${D}/${nonarch_base_libdir}/optee_armtz/
+ install -D -p -m 0644 ${S}/optee-ta/${FTPM_UUID}.stripped.elf ${D}/${nonarch_base_libdir}/optee_armtz/
+}
+
+do_deploy () {
+ install -d ${DEPLOYDIR}/optee
+ install -D -p -m 0644 ${S}/optee-ta/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/
+}
+
+addtask deploy before do_build after do_install
+
+FILES:${PN} += " \
+ ${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.ta \
+ ${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.stripped.elf \
+ "
+
+# Imports machine specific configs from staging to build
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+INSANE_SKIP:${PN} += "ldflags"
diff --git a/meta-arm/recipes-security/optee/optee-client_4.9.0.bb b/meta-arm/recipes-security/optee/optee-client_4.9.0.bb
new file mode 100644
index 00000000..b5c3f0a2
--- /dev/null
+++ b/meta-arm/recipes-security/optee/optee-client_4.9.0.bb
@@ -0,0 +1,4 @@
+require recipes-security/optee/optee-client.inc
+
+# v4.9.0
+SRCREV = "9f5e90918093c1d1cd264d8149081b64ab7ba672"
diff --git a/meta-arm/recipes-security/optee/optee-examples.inc b/meta-arm/recipes-security/optee/optee-examples.inc
index f274f6fa..6cd14920 100644
--- a/meta-arm/recipes-security/optee/optee-examples.inc
+++ b/meta-arm/recipes-security/optee/optee-examples.inc
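Review bot: In optee-ftpm_4.9.0.bb, EXTRA_OEMAKE passes no TA signing key, so the fTPM TA that do_install places in optee_armtz is presumably signed with whatever key the devkit under TA_DEV_KIT_DIR provides, and upstream OP-TEE's default there is a published development key. A comment next to EXTRA_OEMAKE would make that visible to integrators, for example `# TA is signed with the devkit default key unless TA_SIGN_KEY is passed here; override it for production images.` PARALLEL_MAKE is also emptied without a stated reason; a one-line comment saying why parallel builds are disabled would help whoever revisits it.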
@@ -11,7 +11,7 @@ inherit python3native require optee.inc -SRC_URI = "git://github.com/linaro-swg/optee_examples.git;branch=master;protocol=https \ +SRC_URI = "git://github.com/linaro-swg/optee_examples.git;protocol=https;${OPTEE_SRC_URI_BRANCH_OR_TAG} \ file://0001-Makefile-Avoid-variable-override.patch \ " diff --git a/meta-arm/recipes-security/optee/optee-examples_4.9.0.bb b/meta-arm/recipes-security/optee/optee-examples_4.9.0.bb new file mode 100644 index 00000000..7c9bd972 --- /dev/null +++ b/meta-arm/recipes-security/optee/optee-examples_4.9.0.bb @@ -0,0 +1,4 @@ +require recipes-security/optee/optee-examples.inc + +# v4.9.0 +SRCREV = "934c7edb74a26e90f68024cf441073528444177f" diff --git a/meta-arm/recipes-security/optee/optee-os-tadevkit_4.9.0.bb b/meta-arm/recipes-security/optee/optee-os-tadevkit_4.9.0.bb new file mode 100644 index 00000000..cca9f62a --- /dev/null +++ b/meta-arm/recipes-security/optee/optee-os-tadevkit_4.9.0.bb @@ -0,0 +1,30 @@ +require recipes-security/optee/optee-os_${PV}.bb + +SUMMARY = "OP-TEE Trusted OS TA devkit" +DESCRIPTION = "OP-TEE TA devkit for build TAs" +HOMEPAGE = "https://www.op-tee.org/" + +DEPENDS += "python3-pycryptodome-native" +DEPENDS:append:toolchain-clang = " lld-native" + +do_install() { + #install TA devkit + install -d ${D}${includedir}/optee/export-user_ta/ + for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do + cp -aR $f ${D}${includedir}/optee/export-user_ta/ + done +} + +do_deploy() { + echo "Do not inherit do_deploy from optee-os." +} + +FILES:${PN} = "${includedir}/optee/" + +# Build paths are currently embedded +INSANE_SKIP:${PN}-dev += "buildpaths" + +# Include extra headers needed by SPMC tests to TA DEVKIT. +# Supported after op-tee v3.20 +EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ + ' CFG_SPMC_TESTS=y', '' , d)}" diff --git a/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/recipes-security/optee/optee-os.inc index 41eb6d1f..076e482b 100644 
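Review bot: optee-client.inc does not appear in this patch's diffstat, so optee-client_4.9.0.bb presumably keeps fetching with `branch=master` while optee-examples.inc here, and optee-os.inc and optee-test.inc further down, switch to `${OPTEE_SRC_URI_BRANCH_OR_TAG}`. If the tag check against SRCREV is wanted for every 4.9.0 component, optee-client.inc needs the same SRC_URI change, plus `require optee.inc` if it does not already have it. If it is left out on purpose, the commit message should say so. The rest of optee-examples.inc is outside the hunk.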
--- a/meta-arm/recipes-security/optee/optee-os.inc +++ b/meta-arm/recipes-security/optee/optee-os.inc @@ -14,7 +14,7 @@ DEPENDS = "python3-pyelftools-native python3-cryptography-native" DEPENDS:append:toolchain-clang = " lld-native compiler-rt" -SRC_URI = "git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https" +SRC_URI = "git://github.com/OP-TEE/optee_os.git;protocol=https;${OPTEE_SRC_URI_BRANCH_OR_TAG}" B = "${WORKDIR}/build" diff --git a/meta-arm/recipes-security/optee/optee-os_4.9.0.bb b/meta-arm/recipes-security/optee/optee-os_4.9.0.bb new file mode 100644 index 00000000..cd369382 --- /dev/null +++ b/meta-arm/recipes-security/optee/optee-os_4.9.0.bb @@ -0,0 +1,6 @@ +require recipes-security/optee/optee-os.inc + +DEPENDS += "dtc-native" + +# 4.9.0 +SRCREV = "c2b0684fcd89929976a8726e6e3af922b48dd2c7" diff --git a/meta-arm/recipes-security/optee/optee-test.inc b/meta-arm/recipes-security/optee/optee-test.inc index 397515f9..bb9471bf 100644 --- a/meta-arm/recipes-security/optee/optee-test.inc +++ b/meta-arm/recipes-security/optee/optee-test.inc @@ -11,7 +11,7 @@ require optee.inc DEPENDS = "optee-client optee-os-tadevkit python3-cryptography-native openssl" DEPENDS:append:toolchain-clang = " lld-native" -SRC_URI = "git://github.com/OP-TEE/optee_test.git;branch=master;protocol=https \ +SRC_URI = "git://github.com/OP-TEE/optee_test.git;protocol=https;${OPTEE_SRC_URI_BRANCH_OR_TAG} \ file://run-ptest \ " diff --git a/meta-arm/recipes-security/optee/optee-test_git.bb b/meta-arm/recipes-security/optee/optee-test_4.9.0.bb similarity index 68% copy from meta-arm/recipes-security/optee/optee-test_git.bb copy to meta-arm/recipes-security/optee/optee-test_4.9.0.bb index d2933390..2cd5fc5c 100644 --- a/meta-arm/recipes-security/optee/optee-test_git.bb +++ b/meta-arm/recipes-security/optee/optee-test_4.9.0.bb 
@@ -1,10 +1,12 @@ require recipes-security/optee/optee-test.inc -# v4.8.0 -SRCREV = "6569cd7b13e1b37b37069e090d592adca7d3926d" -PV .= "+git" +# v4.9.0 +SRCREV = "b27648ea8472cceceb8dda368a965c709066f7aa" -LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560" +LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560 \ + file://LICENSE-BSD;md5=dca16d6efa93b55d0fd662ae5cd6feeb \ + file://LICENSE-GPL;md5=10e86b5d2a6cb0e2b9dcfdd26a9ac58d \ + " # Include ffa_spmc test group if the SPMC test is enabled. # Supported after op-tee v3.20 @@ -13,8 +15,3 @@ EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test RDEPENDS:${PN} += "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ ' arm-ffa-user', '' , d)}" - -# Not a release recipe, try our hardest to not pull this in implicitly -DEFAULT_PREFERENCE = "-1" - -CFLAGS += "-Wno-error=unterminated-string-initialization" diff --git a/meta-arm/recipes-security/optee/optee-test_git.bb b/meta-arm/recipes-security/optee/optee-test_git.bb index d2933390..37b00908 100644 --- a/meta-arm/recipes-security/optee/optee-test_git.bb +++ b/meta-arm/recipes-security/optee/optee-test_git.bb @@ -4,7 +4,10 @@ require recipes-security/optee/optee-test.inc SRCREV = "6569cd7b13e1b37b37069e090d592adca7d3926d" PV .= "+git" -LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560" +LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560 \ + file://LICENSE-BSD;md5=dca16d6efa93b55d0fd662ae5cd6feeb \ + file://LICENSE-GPL;md5=10e86b5d2a6cb0e2b9dcfdd26a9ac58d \ + " # Include ffa_spmc test group if the SPMC test is enabled. # Supported after op-tee v3.20 diff --git a/meta-arm/recipes-security/optee/optee.inc b/meta-arm/recipes-security/optee/optee.inc index 4dc24154..9bad64bd 100644 --- a/meta-arm/recipes-security/optee/optee.inc +++ b/meta-arm/recipes-security/optee/optee.inc 
@@ -1,5 +1,8 @@ UPSTREAM_CHECK_GITTAGREGEX = "^(?P\d+(\.\d+)+)$" +# Use tags for versioned recipes, but keep _git recipes on master. +OPTEE_SRC_URI_BRANCH_OR_TAG ?= "${@'branch=master' if d.getVar('PV') == 'git' or d.getVar('PV').endswith('+git') else 'tag=%s;nobranch=1' % d.getVar('PV')}" + COMPATIBLE_MACHINE ?= "invalid" COMPATIBLE_MACHINE:genericarm64 ?= "genericarm64" COMPATIBLE_MACHINE:qemuarm64 ?= "qemuarm64"
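Review bot: The comment above OPTEE_SRC_URI_BRANCH_OR_TAG should say that SRCREV stays the authoritative pin, because `nobranch=1` drops the fetcher's check that the revision sits on a named branch and an upstream tag can be moved after release. Something like `# SRCREV in each recipe is still the pin; tag=${PV} is only a cross-check against it, and nobranch=1 skips branch containment.` would cover it. Separately, the `endswith('+git')` test sends any PV with text after `+git` down the tag path, so `'+git' in d.getVar('PV')` may be the more forgiving test if such recipes exist in BSP layers that include optee.inc.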