[meta-rockchip,0/2] add support for (upstream) OP-TEE OS

Message ID	20260126-optee-os-v1-0-874261a77dad@cherry.de
Headers	show Return-Path: <foss@0leil.net> ip: 185.125.25.12, mailfrom: foss+yocto@0leil.net) From: Quentin Schulz <foss+yocto@0leil.net> Subject: [PATCH meta-rockchip 0/2] add support for (upstream) OP-TEE OS Date: Mon, 26 Jan 2026 15:48:28 +0100 Message-Id: <20260126-optee-os-v1-0-874261a77dad@cherry.de> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit To: yocto-patches@lists.yoctoproject.org Cc: Quentin Schulz <quentin.schulz@cherry.de>
Series	add support for (upstream) OP-TEE OS \| expand [meta-rockchip,0/2] add support for (upstream) OP-TEE OS [meta-rockchip,1/2] bsp: rkbin: optee-os: sync destination and name with upstream OP-TEE OS [meta-rockchip,2/2] add support for baking OP-TEE OS into U-Boot proper binary

Message ID

20260126-optee-os-v1-0-874261a77dad@cherry.de

Headers

From: Quentin Schulz <foss+yocto@0leil.net>
Subject: [PATCH meta-rockchip 0/2] add support for (upstream) OP-TEE OS
Date: Mon, 26 Jan 2026 15:48:28 +0100
Message-Id: <20260126-optee-os-v1-0-874261a77dad@cherry.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: yocto-patches@lists.yoctoproject.org
Cc: Quentin Schulz <quentin.schulz@cherry.de>

Series

add support for (upstream) OP-TEE OS | expand

Message

Quentin Schulz Jan. 26, 2026, 2:48 p.m. UTC

This adds support for baking upstream OP-TEE OS into U-Boot.

There's a patch for syncing rkbin blobs naming and paths with the
upstream recipe but note this hasn't been tested at all (and if I
remember correctly, one cannot use the blobs with upstream U-Boot).

This is using the debug private key from OP-TEE OS git tree, this is
**UNSECURE**!!! How to provide your own private key hasn't been
researched for now, patches welcome!

This was tested on PX30 Ringneck, RK3399 Puma and RK3588 Tiger on a
downstream layer by generating a core-image-minimal with

  PREFERRED_PROVIDER_optee-os = "optee-os"
  RK_UBOOT_TEE ?= "1"

in a conf file and

  IMAGE_INSTALL += "optee-test"

in a recipes-core/images/core-image-minimal.bbappend, then boot the
image and run `xtest`. It'll take a few minutes to complete.

Note that currently, meta-arm has v4.7.0 recipe only and two tests are
failing on RK3588. There are patches[1] on the meta-arm mailing list for
bumping to v4.9.0 where those tests aren't failing anymore.

RK356x support is being worked on upstream as far as I've been told but
nothing merged or even ready yet, see
https://github.com/OP-TEE/optee_os/pull/6954 for possibly where things
are going to happen (not guaranteed).

[1] https://lore.kernel.org/yocto-meta-arm/20260121140356.16818-1-hugues.kambampiana@arm.com/

Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
---
Quentin Schulz (2):
      bsp: rkbin: optee-os: sync destination and name with upstream OP-TEE OS
      add support for baking OP-TEE OS into U-Boot proper binary

 README                                             | 42 ++++++++++++++++++++++
 conf/machine/include/px30.inc                      |  7 ++++
 conf/machine/include/rk3399.inc                    |  7 ++++
 conf/machine/include/rk3588s.inc                   |  7 ++++
 recipes-bsp/rkbin/rk3308-rkbin_git.bb              |  2 +-
 recipes-bsp/rkbin/rockchip-rkbin-optee-os_git.bb   |  8 ++---
 recipes-bsp/rkbin/rockchip-rkbin.inc               |  2 +-
 recipes-bsp/u-boot/u-boot-rockchip.inc             |  6 ++++
 .../optee/optee-os-tadevkit_%.bbappend             |  3 ++
 recipes-security/optee/optee-os_%.bbappend         | 19 ++++++++++
 recipes-security/optee/optee-test_%.bbappend       |  3 ++
 11 files changed, 100 insertions(+), 6 deletions(-)
---
base-commit: 2a13a49da4af4487ee71db6aff19364220da694a
change-id: 20260126-optee-os-6e01be39ebb4

Best regards,