Merge pull request #2347 from nxp-upstream/optee-upgrade-to-6.12.20

Optee Update From 6.12.20-2.0.0

conf/machine/include/imx-base.inc

@@ -599,12 +599,10 @@ PREFERRED_VERSION_vulkan-tools:imxvulkan             ??= "1.3.275.0.imx"
 PREFERRED_VERSION_vulkan-validation-layers:imxvulkan ??= "1.3.275.0.imx"
 
 # Use i.MX optee Version
-PREFERRED_VERSION_optee-os:mx8-nxp-bsp     ??= "4.4.0.imx"
+PREFERRED_VERSION_optee-os:imx-nxp-bsp     ??= "4.6.0.imx"
-PREFERRED_VERSION_optee-os:mx9-nxp-bsp     ??= "4.4.0.imx"
+PREFERRED_VERSION_optee-client:imx-nxp-bsp ??= "4.6.0.imx"
-PREFERRED_VERSION_optee-client:mx8-nxp-bsp ??= "4.4.0.imx"
+PREFERRED_VERSION_optee-test:imx-nxp-bsp   ??= "4.6.0.imx"
-PREFERRED_VERSION_optee-client:mx9-nxp-bsp ??= "4.4.0.imx"
+PREFERRED_VERSION_optee-os-tadevkit:imx-nxp-bsp   ??= "4.6.0.imx"
-PREFERRED_VERSION_optee-test:mx8-nxp-bsp   ??= "4.4.0.imx"
-PREFERRED_VERSION_optee-test:mx9-nxp-bsp   ??= "4.4.0.imx"
 
 # Use i.MX opencv Version
 PREFERRED_VERSION_opencv:mx8-nxp-bsp ??= "4.6.0.imx"

recipes-security/optee-imx/optee-client-fslc-imx.inc

@@ -1,5 +1,5 @@
 # Copied from meta-imx/meta-imx-bsp/recipes-security/optee/optee-client-imx.inc.
-# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L37
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-walnascar/imx-6.12.20-2.0.0.xml#L37
 
 require optee-client-fslc.inc
 
@@ -10,27 +10,8 @@ SRC_URI:remove = "git://github.com/OP-TEE/optee_client.git;branch=master;protoco
 SRC_URI:prepend = "${OPTEE_CLIENT_SRC};branch=${SRCBRANCH} "
 OPTEE_CLIENT_SRC ?= "git://github.com/nxp-imx/imx-optee-client.git;protocol=https"
 
+SRC_URI += "file://0001-tee-supplicant-Fix-non-arch-service-unit-install-pat.patch"
+
 inherit pkgconfig
 
 EXTRA_OECMAKE += "-DCFG_TEE_CLIENT_LOAD_PATH=${nonarch_base_libdir}"
-
-# Copy the udev rule from the libts recipe for starting tee-supplicant@.service
-SRC_URI += "file://tee-udev.rules"
-# Unix group name for dev/tee* ownership.
-TEE_GROUP_NAME ?= "teeclnt"
-do_install:append () {
-    if ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', 'false', 'true', d)}; then
-        install -d ${D}${nonarch_base_libdir}/udev/rules.d/
-        install -m 755 ${UNPACKDIR}/tee-udev.rules ${D}${nonarch_base_libdir}/udev/rules.d/
-        sed -i -e "s/teeclnt/${TEE_GROUP_NAME}/" ${D}${nonarch_base_libdir}/udev/rules.d/tee-udev.rules
-    fi
-
-    if [ "${libdir}" != "${nonarch_base_libdir}" ]; then
-        rm -rf ${D}${libdir}/systemd
-    fi
-}
-inherit ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', '', 'useradd', d)}
-USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM:${PN} = "--system ${TEE_GROUP_NAME}"
-
-FILES:${PN} += "${libdir}/* ${includedir}/*"

recipes-security/optee-imx/optee-client-fslc.inc

@@ -1,5 +1,5 @@
 # Copied from meta-arm/recipes-security/optee/optee-client.inc.
-# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L30
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-walnascar/imx-6.12.20-2.0.0.xml#L30
 
 SUMMARY = "OP-TEE Client API"
 DESCRIPTION = "Open Portable Trusted Execution Environment - Normal World Client side of the TEE"
@@ -8,11 +8,10 @@ HOMEPAGE = "https://www.op-tee.org/"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b"
 
-inherit systemd update-rc.d cmake
+inherit systemd update-rc.d cmake useradd
 
 SRC_URI = " \
     git://github.com/OP-TEE/optee_client.git;branch=master;protocol=https \
-    file://tee-supplicant@.service \
     file://tee-supplicant.sh \
 "
 
@@ -20,18 +19,28 @@ UPSTREAM_CHECK_GITTAGREGEX = "^(?P<pver>\d+(\.\d+)+)$"
 
 EXTRA_OECMAKE = " \
     -DBUILD_SHARED_LIBS=ON \
-    -DCFG_TEE_FS_PARENT_PATH='${localstatedir}/lib/tee' \
+    -DCFG_USE_PKGCONFIG=ON \
 "
+
+# libts uses /dev/tee devices too. Add a common variable to allow configuring the same group.
+TEE_GROUP_NAME ?= "tee"
+
+EXTRA_OECMAKE += " -DCFG_ENABLE_SYSTEMD=On -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir}/"
+EXTRA_OECMAKE += " -DCFG_ENABLE_UDEV=On -DUDEV_UDEV_DIR=${nonarch_base_libdir}/udev/rules.d/"
+EXTRA_OECMAKE += " -DCFG_TEE_GROUP=${TEE_GROUP_NAME} -DCFG_TEEPRIV_GROUP=teepriv"
+
 EXTRA_OECMAKE:append:toolchain-clang = " -DCFG_WERROR=0"
 
 do_install:append() {
-    install -D -p -m0644 ${UNPACKDIR}/tee-supplicant@.service ${D}${systemd_system_unitdir}/tee-supplicant@.service
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
-    install -D -p -m0755 ${UNPACKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant
+        install -D -p -m0755 ${UNPACKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant
-
+        sed -i -e s:@sysconfdir@:${sysconfdir}:g \
-    sed -i -e s:@sysconfdir@:${sysconfdir}:g \
+               -e s:@sbindir@:${sbindir}:g \
-           -e s:@sbindir@:${sbindir}:g \
+               -e s:@supluser@:teesuppl:g \
-              ${D}${systemd_system_unitdir}/tee-supplicant@.service \
+               -e s:@suplgroup@:teesuppl:g \
-              ${D}${sysconfdir}/init.d/tee-supplicant
+                  ${D}${sysconfdir}/init.d/tee-supplicant
+    fi
+    install -o teesuppl -g teesuppl -m 0700 -d ${D}${localstatedir}/lib/tee
 }
 
 SYSTEMD_SERVICE:${PN} = "tee-supplicant@.service"
@@ -39,3 +48,13 @@ SYSTEMD_SERVICE:${PN} = "tee-supplicant@.service"
 INITSCRIPT_PACKAGES = "${PN}"
 INITSCRIPT_NAME:${PN} = "tee-supplicant"
 INITSCRIPT_PARAMS:${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ."
+
+FILES:${PN} += "${nonarch_base_libdir}/udev/rules.d/"
+
+# Users and groups:
+# TEE_GROUP_NAME group to access /dev/tee*
+# teepriv group to acess /dev/teepriv*, only tee-supplicant
+# teesuppl user and group teesuppl to run tee-supplicant
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "--system ${TEE_GROUP_NAME}; --system teepriv; --system teesuppl"
+USERADD_PARAM:${PN} = "--system -g teesuppl --groups teepriv --home-dir ${localstatedir}/lib/tee -M --shell /sbin/nologin teesuppl;"

recipes-security/optee-imx/optee-client/0001-tee-supplicant-Fix-non-arch-service-unit-install-pat.patch

@@ -0,0 +1,35 @@
+From 5ffab66dda3e25f0b2ebc5115013c4234d048703 Mon Sep 17 00:00:00 2001
+From: Tom Hochstein <tom.hochstein@nxp.com>
+Date: Mon, 21 Apr 2025 08:47:29 -0500
+Subject: [PATCH] tee-supplicant: Fix non-arch service unit install path
+
+A 64-bit build with multilib enabled fails:
+```
+ERROR: optee-client-4.4.0-r0 do_package: Didn't find service unit 'tee-supplicant@.service', specified in SYSTEMD_SERVICE:optee-client. Also looked for service unit 'tee-supplicant@.service'.
+```
+
+The problem is the service unit is installed in the arch-specific folder
+/usr/lib64/systemd/system, but it is non-arch and should be in
+/usr/lib/systemd/system.
+
+Upstream-Status: Pending
+Signed-off-by: Tom Hochstein <tom.hochstein@nxp.com>
+---
+ tee-supplicant/CMakeLists.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tee-supplicant/CMakeLists.txt b/tee-supplicant/CMakeLists.txt
+index 8df9bef..3ea058c 100644
+--- a/tee-supplicant/CMakeLists.txt
++++ b/tee-supplicant/CMakeLists.txt
+@@ -119,6 +119,6 @@ endif()
+ ################################################################################
+ install(TARGETS ${PROJECT_NAME} RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR})
+ configure_file(tee-supplicant@.service.in tee-supplicant@.service @ONLY)
+-install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/tee-supplicant@.service DESTINATION ${CMAKE_INSTALL_LIBDIR}/systemd/system)
++install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/tee-supplicant@.service DESTINATION lib/systemd/system)
+ configure_file(optee-udev.rules.in optee-udev.rules @ONLY)
+ install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/optee-udev.rules DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/udev/rules.d)
+-- 
+2.34.1
+

recipes-security/optee-imx/optee-client/optee-udev.rules

@@ -0,0 +1,6 @@
+KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", TAG+="systemd"
+
+# If a /dev/teepriv[0-9]* device is detected, start an instance of
+# tee-supplicant.service with the device name as parameter
+KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", \
+    TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"

recipes-security/optee-imx/optee-client_4.4.0.imx.bb

@@ -1,4 +0,0 @@
-require optee-client-fslc-imx.inc
-
-SRCBRANCH = "lf-6.6.52_2.2.0"
-SRCREV = "d221676a58b305bddbf97db00395205b3038de8e"

recipes-security/optee-imx/optee-client_4.6.0.imx.bb

@@ -0,0 +1,4 @@
+require optee-client-fslc-imx.inc
+
+SRCBRANCH = "lf-6.12.20_2.0.0"
+SRCREV = "02e7f9213b0d7db9c35ebf1e41e733fc9c5a3f75"

recipes-security/optee-imx/optee-fslc.inc

@@ -1,14 +1,16 @@
 # Copied from meta-arm/recipes-security/optee/optee.inc.
-# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L30
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-walnascar/imx-6.12.20-2.0.0.xml#L30
 
 UPSTREAM_CHECK_GITTAGREGEX = "^(?P<pver>\d+(\.\d+)+)$"
 
 COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE:genericarm64 ?= "genericarm64"
 COMPATIBLE_MACHINE:qemuarm64 ?= "qemuarm64"
 COMPATIBLE_MACHINE:qemuarm ?= "qemuarm"
 # Please add supported machines below or set it in .bbappend or .conf
 
 OPTEEMACHINE ?= "${MACHINE}"
+OPTEEMACHINE:genericarm64 ?= "vexpress-qemu_armv8a"
 OPTEEMACHINE:aarch64:qemuall ?= "vexpress-qemu_armv8a"
 OPTEEMACHINE:arm:qemuall ?= "vexpress-qemu_virt"
 

recipes-security/optee-imx/optee-os-common-fslc-imx.inc

@@ -1,6 +1,5 @@
 # Copied from meta-imx/meta-imx-bsp/recipes-security/optee/optee-os-common-imx.inc.
-# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L37
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-walnascar/imx-6.12.20-2.0.0.xml#L37
-
 require optee-os-fslc.inc
 
 DEPENDS:append:arm = "u-boot-mkimage-native"
@@ -38,6 +37,7 @@ OPTEEMACHINE:mx8mnul-nxp-bsp   = "imx-mx8mnevk"
 OPTEEMACHINE:mx8ulp-nxp-bsp    = "imx-mx8ulpevk"
 OPTEEMACHINE:mx91-nxp-bsp      = "imx-mx91evk"
 OPTEEMACHINE:mx93-nxp-bsp      = "imx-mx93evk"
+OPTEEMACHINE:mx943-nxp-bsp     = "imx-mx943evk"
 OPTEEMACHINE:mx95-nxp-bsp      = "imx-mx95evk"
 
 # Strip the leading imx-

recipes-security/optee-imx/optee-os-fslc-imx.inc

@@ -1,5 +1,5 @@
 # Copied from meta-imx/meta-imx-bsp/recipes-security/optee/optee-os-imx.inc.
-# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L37
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-walnascar/imx-6.12.20-2.0.0.xml#L37
 
 require optee-os-common-fslc-imx.inc
 

recipes-security/optee-imx/optee-os-fslc.inc

@@ -1,5 +1,5 @@
 # Copied from meta-arm/recipes-security/optee/optee-os.inc.
-# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L30
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-walnascar/imx-6.12.20-2.0.0.xml#L30
 
 SUMMARY = "OP-TEE Trusted OS"
 DESCRIPTION = "Open Portable Trusted Execution Environment - Trusted side of the TEE"
@@ -26,7 +26,7 @@ EXTRA_OEMAKE += " \
     CFG_${OPTEE_CORE}_core=y \
     CROSS_COMPILE_core=${HOST_PREFIX} \
     CROSS_COMPILE_ta_${OPTEE_ARCH}=${HOST_PREFIX} \
-    NOWERROR=1 \
+    AFLAGS="${CFLAGS}" \
     ta-targets=ta_${OPTEE_ARCH} \
     O=${B} \
 "
@@ -39,7 +39,7 @@ AS[unexport] = "1"
 LD[unexport] = "1"
 
 do_compile:prepend() {
-	PLAT_LIBGCC_PATH=$(${CC} -print-libgcc-file-name)
+        PLAT_LIBGCC_PATH=$(${CC} -print-libgcc-file-name)
 }
 
 do_compile() {
@@ -78,8 +78,5 @@ FILES:${PN}-ta = "${nonarch_base_libdir}/optee_armtz/*"
 
 # note: "textrel" is not triggered on all archs
 INSANE_SKIP:${PN} = "textrel"
-# Build paths are currently embedded
-INSANE_SKIP:${PN} += "buildpaths"
 INSANE_SKIP:${PN}-dev = "staticdev"
 INHIBIT_PACKAGE_STRIP = "1"
-

recipes-security/optee-imx/optee-os-tadevkit-fslc-imx.inc

@@ -1,5 +1,5 @@
 # Copied from meta-imx/meta-imx-bsp/recipes-security/optee/optee-os-tadevkit-imx.inc.
-# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L37
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-walnascar/imx-6.12.20-2.0.0.xml#L37
 
 require optee-os-common-fslc-imx.inc
 
@@ -22,6 +22,3 @@ do_deploy() {
 }
 
 FILES:${PN} = "${includedir}/optee/"
-
-# Build paths are currently embedded
-INSANE_SKIP:${PN}-dev += "buildpaths"

recipes-security/optee-imx/optee-os-tadevkit_4.4.0.imx.bb

@@ -1,4 +0,0 @@
-require optee-os-tadevkit-fslc-imx.inc
-
-SRCBRANCH = "lf-6.6.52_2.2.0"
-SRCREV = "60beb308810f9561a67fdb435388a64c85eb6dcb"

recipes-security/optee-imx/optee-os-tadevkit_4.6.0.imx.bb

@@ -0,0 +1,4 @@
+require optee-os-tadevkit-fslc-imx.inc
+
+SRCBRANCH = "lf-6.12.20_2.0.0"
+SRCREV = "87964807d80baf1dcfd89cafc66de34a1cf16bf3"

recipes-security/optee-imx/optee-os_4.4.0.imx.bb

@@ -1,6 +0,0 @@
-# Copyright 2017-2024 NXP
-
-require optee-os-fslc-imx.inc
-
-SRCBRANCH = "lf-6.6.52_2.2.0"
-SRCREV = "60beb308810f9561a67fdb435388a64c85eb6dcb"

recipes-security/optee-imx/optee-os_4.6.0.imx.bb

@@ -0,0 +1,6 @@
+# Copyright 2017-2024 NXP
+
+require optee-os-fslc-imx.inc
+
+SRCBRANCH = "lf-6.12.20_2.0.0"
+SRCREV = "87964807d80baf1dcfd89cafc66de34a1cf16bf3"

recipes-security/optee-imx/optee-test-fslc-imx.inc

@@ -1,6 +1,5 @@
 # Copied from meta-imx/meta-imx-bsp/recipes-security/optee/optee-test-imx.inc.
-# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L37
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-walnascar/imx-6.12.20-2.0.0.xml#L37
-
 require optee-test-fslc.inc
 
 DEPENDS += "openssl"
@@ -14,5 +13,6 @@ OPTEE_TEST_SRC ?= "git://github.com/nxp-imx/imx-optee-test.git;protocol=https"
 
 EXTRA_OEMAKE:append:libc-musl = " OPTEE_OPENSSL_EXPORT=${STAGING_INCDIR}"
 CFLAGS:append:libc-musl = " -Wno-error=deprecated-declarations"
+CFLAGS += " -Wno-error=unterminated-string-initialization"
 
 COMPATIBLE_MACHINE = "(imx-nxp-bsp)"

recipes-security/optee-imx/optee-test-fslc.inc

@@ -1,12 +1,11 @@
 # Copied from meta-arm/recipes-security/optee/optee-test.inc.
-# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L30
+# See:https://github.com/nxp-imx/imx-manifest/blob/imx-linux-walnascar/imx-6.12.20-2.0.0.xml#L30
 
 SUMMARY = "OP-TEE sanity testsuite"
 DESCRIPTION = "Open Portable Trusted Execution Environment - Test suite"
 HOMEPAGE = "https://www.op-tee.org/"
 
 LICENSE = "BSD-2-Clause & GPL-2.0-only"
-LIC_FILES_CHKSUM = "file://LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa"
 
 inherit python3native ptest
 inherit deploy

recipes-security/optee-imx/optee-test_4.6.0.imx.bb

@@ -9,5 +9,5 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560 \
                     file://LICENSE-GPL;md5=10e86b5d2a6cb0e2b9dcfdd26a9ac58d"
 
 
-SRCBRANCH = "lf-6.6.52_2.2.0"
+SRCBRANCH = "lf-6.12.20_2.0.0"
-SRCREV = "dafc98ed8364d7281a9a7f0788dd0a2067844a59"
+SRCREV = "010f088f05b5ebf392c6e235d6e53d391755722f" 

recipes-security/optee-qoriq/optee-client-qoriq_3.13.0.bb

@@ -1,5 +0,0 @@
-require optee-client.nxp.inc
-
-PV:append = "+git${SRCPV}"
-
-COMPATIBLE_MACHINE = "(qoriq-arm64)"

recipes-security/optee-qoriq/optee-client-qoriq_4.6.0.bb

@@ -0,0 +1,4 @@
+require optee-client.nxp.inc
+
+OPTEE_CLIENT_BRANCH = "lf-6.12.20_2.0.0"
+SRCREV = "02e7f9213b0d7db9c35ebf1e41e733fc9c5a3f75"

recipes-security/optee-qoriq/optee-client.nxp.inc

@@ -1,52 +1,22 @@
-# Copyright 2020-2021 NXP
+# Copyright 2020-2021,2025 NXP
 
-SUMMARY = "OPTEE Client libs"
+require recipes-security/optee-imx/optee-client-fslc.inc
-HOMEPAGE = "http://www.optee.org/"
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b"
 
-inherit python3native systemd
+# The patch same as imx-optee, so point FILESEXTRAPATHS to optee-imx/optee-client,
+# avoid duplicate copy files to optee-qoriq
+FILESEXTRAPATHS:prepend := "${THISDIR}/../optee-imx/optee-client:"
 
-SRC_URI = "git://github.com/nxp-qoriq/optee_client.git;protocol=https;nobranch=1"
+DEPENDS = "util-linux-libuuid"
-SRCREV = "7c9c423d00e96bf51debd5fe10fd70dce83be5cc"
 
-FILESEXTRAPATHS:prepend := "${THISDIR}/optee-client:"
+SRC_URI:remove = "git://github.com/OP-TEE/optee_client.git;branch=master;protocol=https"
-SRC_URI += "file://tee-supplicant.service"
+SRC_URI:prepend = "${OPTEE_CLIENT_SRC};branch=${OPTEE_CLIENT_BRANCH} "
 
-B = "${WORKDIR}/build"
+OPTEE_CLIENT_SRC ?= "git://github.com/nxp-qoriq/optee_client.git;protocol=https"
 
-OPTEE_ARCH ?= "arm32"
+inherit pkgconfig
-OPTEE_ARCH:armv7a = "arm32"
-OPTEE_ARCH:aarch64 = "arm64"
 
-EXTRA_OEMAKE = "ARCH=${OPTEE_ARCH} O=${B}"
+do_install:append () {
-
+    if ! ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
-do_install () {
+        rm -rf ${D}${libdir}/systemd
-	oe_runmake -C ${S} install
+    fi
-
-	install -d ${D}${libdir}/
-	install -p -m0644 ${B}/export${libdir}/libteec.so.1.0.0 ${D}${libdir}/
-	ln -sf libteec.so.1.0.0 ${D}${libdir}/libteec.so.1.0
-	ln -sf libteec.so.1.0.0 ${D}${libdir}/libteec.so.1
-	ln -sf libteec.so.1 ${D}${libdir}/libteec.so
-
-	install -D -p -m0644 ${B}/export/usr/lib/libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0.1.0
-	ln -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0.1
-	ln -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0
-	ln -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so
-
-	install -D -p -m0755 ${B}/export/usr/sbin/tee-supplicant ${D}${bindir}/tee-supplicant
-
-	cp -a ${B}/export/usr/include ${D}${includedir}
-
-	install -d ${D}${systemd_system_unitdir}/
-	install -m0644 ${UNPACKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/
-	sed -i -e s:/etc:${sysconfdir}:g -e s:/usr/bin:${bindir}:g ${D}${systemd_system_unitdir}/tee-supplicant.service
 }
-
-SYSTEMD_SERVICE:${PN} = "tee-supplicant.service"
-
-FILES:${PN} += "${libdir}/* ${includedir}/*"
-
-INSANE_SKIP:${PN} = "ldflags dev-elf"
-INSANE_SKIP:${PN}-dev = "ldflags dev-elf"

recipes-security/optee-qoriq/optee-client/tee-supplicant.service

@@ -1,11 +0,0 @@
-[Unit]
-Description=TEE Supplicant
-
-[Service]
-User=root
-EnvironmentFile=-/etc/default/tee-supplicant
-ExecStart=/usr/bin/tee-supplicant $OPTARGS
-
-[Install]
-WantedBy=basic.target
-

recipes-security/optee-qoriq/optee-os-qoriq-tadevkit_4.6.0.bb

@@ -0,0 +1,24 @@
+require optee-os.nxp.inc
+
+SUMMARY = "OP-TEE Trusted OS TA devkit"
+DESCRIPTION = "OP-TEE TA devkit for build TAs"
+HOMEPAGE = "https://www.op-tee.org/"
+
+DEPENDS += "python3-pycryptodome-native"
+
+OPTEE_OS_BRANCH = "lf-6.12.20_2.0.0"
+SRCREV = "87964807d80baf1dcfd89cafc66de34a1cf16bf3"
+
+do_install() {
+    #install TA devkit
+    install -d ${D}${includedir}/optee/export-user_ta/
+    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
+        cp -aR $f ${D}${includedir}/optee/export-user_ta/
+    done
+}
+
+do_deploy() {
+	echo "Do not inherit do_deploy from optee-os."
+}
+
+FILES:${PN} = "${includedir}/optee/"

recipes-security/optee-qoriq/optee-os-qoriq_3.13.0.bb

@@ -1,28 +0,0 @@
-require optee-os.nxp.inc
-
-PV:append = "+git${SRCPV}"
-
-PLATFORM_FLAVOR:ls1088ardb-pb   = "ls1088ardb"
-PLATFORM_FLAVOR:ls1046afrwy     = "ls1046ardb"
-PLATFORM_FLAVOR:lx2162aqds      = "lx2160aqds"
-
-EXTRA_OEMAKE += " \
-    PLATFORM=ls \
-    CFG_ARM64_core=y \
-"
-
-do_compile:append:ls1012afrwy() {
-    mv ${B}/core/tee-raw.bin  ${B}/core/tee_512mb.bin
-    oe_runmake CFG_DRAM0_SIZE=0x40000000 all
-}
-
-do_install:append:qoriq() {
-    install -m 644 ${B}/core/tee-raw.bin ${D}${nonarch_base_libdir}/firmware/tee_${MACHINE}.bin
-}
-
-do_install:append:ls1012afrwy() {
-    install -m 644 ${B}/core/tee_512mb.bin ${D}${nonarch_base_libdir}/firmware/tee_${MACHINE}_512mb.bin
-}
-
-INHIBIT_PACKAGE_STRIP = "1"
-COMPATIBLE_MACHINE = "(qoriq-arm64)"

recipes-security/optee-qoriq/optee-os-qoriq_4.6.0.bb

@@ -0,0 +1,21 @@
+require optee-os.nxp.inc
+
+OPTEE_OS_BRANCH = "lf-6.12.20_2.0.0"
+SRCREV = "87964807d80baf1dcfd89cafc66de34a1cf16bf3"
+
+do_install:append () {
+	install -d ${D}${nonarch_base_libdir}/firmware/
+	install -m 644 ${B}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
+	install -m 644 ${B}/core/tee-raw.bin ${D}${nonarch_base_libdir}/firmware/tee_${MACHINE}.bin
+
+	# Install embedded TAs
+	install -d ${D}${base_libdir}/optee_armtz/
+	install -m 444 ${B}/ta/*/*.ta ${D}${base_libdir}/optee_armtz/
+}
+
+do_deploy:append () {
+	install -d ${DEPLOYDIR}/optee
+	install -m 644 ${D}${nonarch_base_libdir}/firmware/* ${DEPLOYDIR}/optee/
+}
+
+FILES:${PN} = "${nonarch_base_libdir}/optee_armtz/ ${nonarch_base_libdir}/firmware/"

recipes-security/optee-qoriq/optee-os.nxp.inc

@@ -1,74 +1,30 @@
-# Copyright 2020-2021 NXP
+# Copyright 2020-2021,2025 NXP
+require recipes-security/optee-imx/optee-os-fslc.inc
 
-SUMMARY = "OPTEE OS"
+DEPENDS:append = " dtc-native"
-DESCRIPTION = "OPTEE OS"
-HOMEPAGE = "http://www.optee.org/"
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173"
 
-inherit deploy python3native autotools
+# The patch same as imx-optee, so point FILESEXTRAPATHS to optee-imx/optee-client,
-DEPENDS = "python3-pycryptodome-native python3-pyelftools-native python3-pycryptodomex-native dtc-native"
+# avoid duplicate copy files to optee-qoriq
+FILESEXTRAPATHS:prepend := "${THISDIR}/../optee-imx/optee-os:"
 
-SRC_URI = "git://github.com/nxp-qoriq/optee_os.git;protocol=https;nobranch=1"
+SRC_URI:remove = "git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https"
-SRCREV = "735d98806dc26fbeeecad7f5e60ffeab8170c67e"
+SRC_URI:prepend = "${OPTEE_OS_SRC};branch=${OPTEE_OS_BRANCH} "
+SRC_URI:append = " file://0007-allow-setting-sysroot-for-clang.patch"
 
-B = "${WORKDIR}/build.${PLATFORM_FLAVOR}"
+OPTEE_OS_SRC ?= "git://github.com/nxp-qoriq/optee_os.git;protocol=https"
 
-PLATFORM_FLAVOR ?= "${MACHINE}"
+REQUIRED_MACHINE_FEATURES = "optee"
 
-OPTEE_ARCH ?= "arm64"
+inherit features_check
-OPTEE_ARCH:armv7a = "arm32"
-OPTEE_ARCH:aarch64 = "arm64"
 
-OPTEE_CORE_LOG_LEVEL ?= "1"
+OPTEEMACHINE = "ls-${MACHINE}"
-OPTEE_TA_LOG_LEVEL ?= "0"
+OPTEEMACHINE:ls1088ardb-pb   = "ls-ls1088ardb"
+OPTEEMACHINE:ls1046afrwy     = "ls-ls1046ardb"
+OPTEEMACHINE:lx2162aqds      = "ls-lx2160aqds"
+OPTEEMACHINE:lx2160ardb-rev2 = "ls-lx2160ardb"
 
-# Optee-os can be built for 32 bits and 64 bits at the same time
+EXTRA_OEMAKE:append = " \
-# as long as the compilers are correctly defined.
+    CFG_TEE_TA_LOG_LEVEL=0 \
-# For 64bits, CROSS_COMPILE64 must be set
+    CFG_TEE_CORE_LOG_LEVEL=1 \
-# When defining CROSS_COMPILE and CROSS_COMPILE64, we assure that
-# any 32 or 64 bits builds will pass
-EXTRA_OEMAKE = " \
-	-C ${S} O=${B} \
-	PLATFORM_FLAVOR=${PLATFORM_FLAVOR} \
-	CROSS_COMPILE=${HOST_PREFIX} \
-	CROSS_COMPILE64=${HOST_PREFIX} \
-	CFG_WERROR=y \
-	CFG_TEE_CORE_LOG_LEVEL=${OPTEE_CORE_LOG_LEVEL} \
-	CFG_TEE_TA_LOG_LEVEL=${OPTEE_TA_LOG_LEVEL} \
 "
-
+COMPATIBLE_MACHINE = "(qoriq-arm64)"
-do_compile() {
-    unset LDFLAGS
-    export CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST}"
-    oe_runmake all
-}
-
-do_install() {
-    install -d ${D}${nonarch_base_libdir}/firmware/
-    install -m 644 ${B}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
-
-    # Install the TA devkit
-    install -d ${D}${includedir}/optee/export-user_ta/
-
-    for f in ${B}/export-ta_${OPTEE_ARCH}/*; do
-        cp -aR $f ${D}${includedir}/optee/export-user_ta/
-    done
-
-    install -d ${D}${nonarch_base_libdir}/optee_armtz
-    find ${B}/export-ta_${OPTEE_ARCH}/ta -name '*.ta' | while read name; do
-        install -m 444 $name ${D}${nonarch_base_libdir}/optee_armtz/
-    done
-}
-
-do_deploy() {
-    install -d ${DEPLOYDIR}/optee
-    install -m 644 ${D}${nonarch_base_libdir}/firmware/* ${DEPLOYDIR}/optee/
-}
-addtask deploy before do_build after do_install
-
-FILES:${PN} = "${nonarch_base_libdir}/firmware/ ${nonarch_base_libdir}/optee_armtz/"
-FILES:${PN}-staticdev = "/usr/include/optee/"
-RDEPENDS:${PN}-dev += "${PN}-staticdev"
-
-PACKAGE_ARCH = "${MACHINE_ARCH}"

recipes-security/optee-qoriq/optee-test-qoriq_3.13.0.bb

@@ -1,13 +0,0 @@
-require optee-test.nxp.inc
-
-PV:append = "+git${SRCPV}"
-
-DEPENDS += "optee-client-qoriq optee-os-qoriq"
-
-TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
-
-EXTRA_OEMAKE += " \
-    TEEC_EXPORT=${TEEC_EXPORT} \
-"
-
-COMPATIBLE_MACHINE = "(qoriq-arm64)"

recipes-security/optee-qoriq/optee-test-qoriq_4.6.0.bb

@@ -0,0 +1,10 @@
+require optee-test.nxp.inc
+
+# The BSD and GPL license files are now included in the source
+# https://github.com/OP-TEE/optee_test/commit/a748f5fcd9ec8a574dc86a5aa56d05bc6ac174e7
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560 \
+                    file://LICENSE-BSD;md5=dca16d6efa93b55d0fd662ae5cd6feeb \
+                    file://LICENSE-GPL;md5=10e86b5d2a6cb0e2b9dcfdd26a9ac58d"
+
+OPTEE_TEST_BRANCH = "lf-6.12.20_2.0.0"
+SRCREV = "010f088f05b5ebf392c6e235d6e53d391755722f"

recipes-security/optee-qoriq/optee-test.nxp.inc

@@ -1,60 +1,15 @@
-# Copyright 2020-2021 NXP
+# Copyright 2020-2021,2025 NXP
+require recipes-security/optee-imx/optee-test-fslc.inc
 
-SUMMARY = "OPTEE test"
+DEPENDS:remove = "optee-client optee-os-tadevkit"
-HOMEPAGE = "http://www.optee.org/"
+DEPENDS:append = "optee-client-qoriq optee-os-qoriq-tadevkit openssl"
 
-LICENSE = "BSD & GPL-2.0-only"
+SRC_URI:remove = "git://github.com/OP-TEE/optee_test.git;branch=master;protocol=https"
-LIC_FILES_CHKSUM = "file://LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa"
+SRC_URI:remove = "file://run-ptest"
+SRC_URI:prepend = "${OPTEE_TEST_SRC};branch=${OPTEE_TEST_BRANCH} "
 
-DEPENDS = "python3-pycryptodome-native python3-pycryptodomex-native openssl"
+OPTEE_TEST_SRC ?= "git://github.com/nxp-qoriq/optee_test.git;protocol=https"
-inherit python3native cmake
 
-SRC_URI = "git://github.com/nxp-qoriq/optee_test.git;protocol=https;nobranch=1"
+CFLAGS += " -Wno-error=unterminated-string-initialization"
-SRCREV = "69722dab8c1f2683e30e0ee3b536053367e37aad"
 
-B = "${WORKDIR}/build"
+COMPATIBLE_MACHINE = "(qoriq-arm64)"
-
-TA_DEV_KIT_DIR ?= "${STAGING_INCDIR}/optee/export-user_ta"
-OPTEE_CLIENT_EXPORT ?= "${STAGING_DIR_HOST}${prefix}"
-
-EXTRA_OEMAKE = " \
-    TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
-    OPTEE_CLIENT_EXPORT=${OPTEE_CLIENT_EXPORT} \
-    CROSS_COMPILE_HOST=${HOST_PREFIX} \
-    CROSS_COMPILE_TA=${HOST_PREFIX} \
-    OPTEE_OPENSSL_EXPORT=${STAGING_INCDIR}/ \
-    -C ${S} O=${B} \
-"
-
-EXTRA_OECMAKE = " \
-    -DOPTEE_TEST_SDK=${TA_DEV_KIT_DIR} \
-"
-
-do_compile() {
-    export CXXFLAGS="${CXXFLAGS} --sysroot=${STAGING_DIR_HOST}"
-    oe_runmake xtest
-    oe_runmake ta
-    oe_runmake test_plugin
-}
-
-do_install() {
-	install -d ${D}${bindir}/
-	install ${B}/xtest/xtest ${D}${bindir}/
-
-	install -d ${D}${nonarch_base_libdir}/optee_armtz
-	find ${B}/ta -name '*.ta' | while read name; do
-		install -m 444 $name ${D}${nonarch_base_libdir}/optee_armtz/
-	done
-
-	install -d ${D}${libdir}/tee-supplicant/plugins/
-	find ${B}/supp_plugin -name '*.plugin' | while read name; do
-		install -m 755 $name ${D}${libdir}/tee-supplicant/plugins/
-	done
-}
-
-FILES:${PN} += "${nonarch_base_libdir} ${libdir}/tee-supplicant/plugins/"
-
-DEBUG_OPTIMIZATION:append = " -Wno-error=maybe-uninitialized -Wno-deprecated-declarations"
-FULL_OPTIMIZATION:append = " -Wno-error=maybe-uninitialized -Wno-deprecated-declarations"
-
-PACKAGE_ARCH = "${MACHINE_ARCH}"