arm/arm-bsp: optee: add version 4.9.0

OP-TEE version 4.9.0 has been released on 2026-01-16 [1]. Add OP-TEE recipes to point to version 4.9.0 Link: [1]: https://github.com/OP-TEE/optee_os/blob/master/CHANGELOG.md#op-tee---version-490-2026-01-16 Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com> Tested-by: Quentin Schulz <quentin.schulz@cherry.de> # xtest on PX30, RK3399, RK3588 Signed-off-by: Jon Mason <jon.mason@arm.com>
2026-06-05 02:20:30 +00:00 · 2026-01-27 15:45:23 +00:00
parent d9eac47e30
commit 4981dca139
11 changed files with 165 additions and 4 deletions
@@ -0,0 +1,94 @@
+SUMMARY = "OPTEE fTPM Microsoft TA"
+DESCRIPTION = "TCG reference implementation of the TPM 2.0 Specification."
+HOMEPAGE = "https://github.com/microsoft/ms-tpm-20-ref/"
+
+COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE:genericarm64 = "genericarm64"
+COMPATIBLE_MACHINE:qemuarm64 = "qemuarm64"
+COMPATIBLE_MACHINE:qemuarm64-secureboot = "qemuarm64"
+COMPATIBLE_MACHINE:qemuarm-secureboot = "qemuarm"
+
+inherit deploy python3native
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=5a3925ece0806073ae9ebbb08ff6f11e"
+LIC_FILES_CHKSUM += "file://optee-ta/LICENSE;md5=5a3925ece0806073ae9ebbb08ff6f11e"
+
+DEPENDS = "python3-pyelftools-native optee-os-tadevkit python3-cryptography-native"
+DEPENDS:append:toolchain-clang = " lld-native"
+
+FTPM_UUID = "bc50d971-d4c9-42c4-82cb-343fb7f37896"
+
+SRC_URI_ms-tpm   ?= "gitsm://github.com/Microsoft/ms-tpm-20-ref;protocol=https"
+SRC_URI_optee-ta ?= "gitsm://github.com/OP-TEE/optee_ftpm.git;protocol=https"
+
+SRCBRANCH_ms-tpm    = "main"
+OPTEE_TA_GIT_TAG ?= "tag=${PV};nobranch=1"
+
+SRC_URI = "\
+    ${SRC_URI_ms-tpm};branch=${SRCBRANCH_ms-tpm};name=ms-tpm;destsuffix=ms-tpm \
+    ${SRC_URI_optee-ta};${OPTEE_TA_GIT_TAG};name=optee-ta;destsuffix=ms-tpm/optee-ta \
+"
+
+# As per optee-ftpm TA documentation, we have to use this SHA of MS TPM reference
+SRCREV_ms-tpm   ?= "98b60a44aba79b15fcce1c0d1e46cf5918400f6a"
+
+# v4.9.0
+SRCREV_optee-ta ?= "a09269b15de635e1816fe832e26adfbfb44c5455"
+
+SRCREV_FORMAT    = "ms-tpm_optee-ta"
+
+UPSTREAM_CHECK_COMMITS = "1"
+
+S = "${UNPACKDIR}/ms-tpm"
+
+OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
+
+EXTRA_OEMAKE += '\
+    COMPILER=${TOOLCHAIN} \
+    TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+    CROSS_COMPILE=${TARGET_PREFIX} \
+    CFG_MS_TPM_20_REF="${S}" \
+    CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST}" \
+'
+
+EXTRA_OEMAKE:append:aarch64:qemuall = "\
+    CFG_ARM64_ta_arm64=y \
+"
+
+CFLAGS:append:toolchain-clang = " -Wno-unknown-warning-option"
+
+# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
+# right path until this is relocated automatically.
+export OPENSSL_MODULES = "${STAGING_LIBDIR_NATIVE}/ossl-modules"
+
+PARALLEL_MAKE = ""
+
+do_compile() {
+    cd ${S}/optee-ta
+    oe_runmake
+}
+
+do_install () {
+    mkdir -p ${D}/${nonarch_base_libdir}/optee_armtz
+    install -D -p -m 0644 ${S}/optee-ta/${FTPM_UUID}.ta ${D}/${nonarch_base_libdir}/optee_armtz/
+    install -D -p -m 0644 ${S}/optee-ta/${FTPM_UUID}.stripped.elf ${D}/${nonarch_base_libdir}/optee_armtz/
+}
+
+do_deploy () {
+    install -d ${DEPLOYDIR}/optee
+    install -D -p -m 0644 ${S}/optee-ta/${FTPM_UUID}.stripped.elf ${DEPLOYDIR}/optee/
+}
+
+addtask deploy before do_build after do_install
+
+FILES:${PN} += " \
+               ${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.ta \
+               ${nonarch_base_libdir}/optee_armtz/${FTPM_UUID}.stripped.elf \
+               "
+
+# Imports machine specific configs from staging to build
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+INSANE_SKIP:${PN} += "ldflags"
@@ -0,0 +1,4 @@
+require recipes-security/optee/optee-client.inc
+
+# v4.9.0
+SRCREV = "9f5e90918093c1d1cd264d8149081b64ab7ba672"
@@ -11,7 +11,7 @@ inherit python3native

 require optee.inc

-SRC_URI = "git://github.com/linaro-swg/optee_examples.git;branch=master;protocol=https \
+SRC_URI = "git://github.com/linaro-swg/optee_examples.git;protocol=https;${OPTEE_SRC_URI_BRANCH_OR_TAG} \
           file://0001-Makefile-Avoid-variable-override.patch \
           "

@@ -0,0 +1,4 @@
+require recipes-security/optee/optee-examples.inc
+
+# v4.9.0
+SRCREV = "934c7edb74a26e90f68024cf441073528444177f"
@@ -0,0 +1,30 @@
+require recipes-security/optee/optee-os_${PV}.bb
+
+SUMMARY = "OP-TEE Trusted OS TA devkit"
+DESCRIPTION = "OP-TEE TA devkit for build TAs"
+HOMEPAGE = "https://www.op-tee.org/"
+
+DEPENDS += "python3-pycryptodome-native"
+DEPENDS:append:toolchain-clang = " lld-native"
+
+do_install() {
+    #install TA devkit
+    install -d ${D}${includedir}/optee/export-user_ta/
+    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
+        cp -aR $f ${D}${includedir}/optee/export-user_ta/
+    done
+}
+
+do_deploy() {
+	echo "Do not inherit do_deploy from optee-os."
+}
+
+FILES:${PN} = "${includedir}/optee/"
+
+# Build paths are currently embedded
+INSANE_SKIP:${PN}-dev += "buildpaths"
+
+# Include extra headers needed by SPMC tests to TA DEVKIT.
+# Supported after op-tee v3.20
+EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
+                                        ' CFG_SPMC_TESTS=y', '' , d)}"
@@ -14,7 +14,7 @@ DEPENDS = "python3-pyelftools-native python3-cryptography-native"

 DEPENDS:append:toolchain-clang = " lld-native compiler-rt"

-SRC_URI = "git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https"
+SRC_URI = "git://github.com/OP-TEE/optee_os.git;protocol=https;${OPTEE_SRC_URI_BRANCH_OR_TAG}"

 B = "${WORKDIR}/build"

@@ -0,0 +1,6 @@
+require recipes-security/optee/optee-os.inc
+
+DEPENDS += "dtc-native"
+
+# 4.9.0
+SRCREV = "c2b0684fcd89929976a8726e6e3af922b48dd2c7"
@@ -11,7 +11,7 @@ require optee.inc
 DEPENDS = "optee-client optee-os-tadevkit python3-cryptography-native openssl"
 DEPENDS:append:toolchain-clang = " lld-native"

-SRC_URI = "git://github.com/OP-TEE/optee_test.git;branch=master;protocol=https \
+SRC_URI = "git://github.com/OP-TEE/optee_test.git;protocol=https;${OPTEE_SRC_URI_BRANCH_OR_TAG} \
           file://run-ptest \
          "

@@ -0,0 +1,17 @@
+require recipes-security/optee/optee-test.inc
+
+# v4.9.0
+SRCREV = "b27648ea8472cceceb8dda368a965c709066f7aa"
+
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560 \
+                    file://LICENSE-BSD;md5=dca16d6efa93b55d0fd662ae5cd6feeb \
+                    file://LICENSE-GPL;md5=10e86b5d2a6cb0e2b9dcfdd26a9ac58d \
+                   "
+
+# Include ffa_spmc test group if the SPMC test is enabled.
+# Supported after op-tee v3.20
+EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
+                                        ' CFG_SPMC_TESTS=y CFG_SECURE_PARTITION=y', '' , d)}"
+
+RDEPENDS:${PN} += "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \
+                                              ' arm-ffa-user', '' , d)}"
@@ -4,7 +4,10 @@ require recipes-security/optee/optee-test.inc
 SRCREV = "6569cd7b13e1b37b37069e090d592adca7d3926d"
 PV .= "+git"

-LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560"
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560 \
+                    file://LICENSE-BSD;md5=dca16d6efa93b55d0fd662ae5cd6feeb \
+                    file://LICENSE-GPL;md5=10e86b5d2a6cb0e2b9dcfdd26a9ac58d \
+                   "

 # Include ffa_spmc test group if the SPMC test is enabled.
 # Supported after op-tee v3.20
@@ -1,5 +1,8 @@
 UPSTREAM_CHECK_GITTAGREGEX = "^(?P<pver>\d+(\.\d+)+)$"

+# Use tags for versioned recipes, but keep _git recipes on master.
+OPTEE_SRC_URI_BRANCH_OR_TAG ?= "${@'branch=master' if d.getVar('PV') == 'git' or d.getVar('PV').endswith('+git') else 'tag=%s;nobranch=1' % d.getVar('PV')}"
+
 COMPATIBLE_MACHINE ?= "invalid"
 COMPATIBLE_MACHINE:genericarm64 ?= "genericarm64"
 COMPATIBLE_MACHINE:qemuarm64 ?= "qemuarm64"