arm-bsp/trusted-services: support for libmetal and openamp

Add support for libmetal and openamp as backend for se-proxy and smm-gateway SP. For that also introduce a change to newlib in memcpy optimization to avoid unaligned data-aborts in __packed structures handling. Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> Signed-off-by: Jon Mason <jon.mason@arm.com>
2026-06-05 14:30:10 +00:00 · 2022-10-17 22:01:36 +01:00
parent c3ada285de
commit 63cf57290b
24 changed files with 7418 additions and 64 deletions
@@ -0,0 +1,287 @@
+From 7c9589c4bb056db5e1696f2a777891ab235b1b63 Mon Sep 17 00:00:00 2001
+From: Vishnu Banavath <vishnu.banavath@arm.com>
+Date: Fri, 3 Dec 2021 16:36:51 +0000
+Subject: [PATCH 01/19] Add openamp to SE proxy deployment
+
+Openamp is required to communicate between secure partitions(running on
+Cortex-A) and trusted-firmware-m(running on Cortex-M).
+These changes are to fetch libmetal and openamp from github repo's
+and build it.
+
+Upstream-Status: Pending
+Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com>
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+---
+ deployments/se-proxy/opteesp/lse.S            | 28 ++++++++
+ deployments/se-proxy/se-proxy.cmake           |  8 +++
+ external/openamp/libmetal-init-cache.cmake.in | 20 ++++++
+ external/openamp/libmetal.cmake               | 67 +++++++++++++++++++
+ external/openamp/openamp-init-cache.cmake.in  | 20 ++++++
+ external/openamp/openamp.cmake                | 66 ++++++++++++++++++
+ 6 files changed, 209 insertions(+)
+ create mode 100644 deployments/se-proxy/opteesp/lse.S
+ create mode 100644 external/openamp/libmetal-init-cache.cmake.in
+ create mode 100644 external/openamp/libmetal.cmake
+ create mode 100644 external/openamp/openamp-init-cache.cmake.in
+ create mode 100644 external/openamp/openamp.cmake
+
+diff --git a/deployments/se-proxy/opteesp/lse.S b/deployments/se-proxy/opteesp/lse.S
+new file mode 100644
+index 000000000000..8e466d65fc2b
+--- /dev/null
+++ b/deployments/se-proxy/opteesp/lse.S
+@@ -0,0 +1,28 @@
+// SPDX-License-Identifier: BSD-3-Clause
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ */
+
+.text
+.globl __aarch64_cas4_acq_rel
+.globl __aarch64_cas4_sync
+
+__aarch64_cas4_acq_rel:
+	mov	w16, w0
+	ldaxr	w0, [x2]
+	cmp	w0, w16
+0:	bne	1f
+
+	stlxr	w17, w1, [x2]
+	cbnz	w17, 0b
+1:	ret
+
+__aarch64_cas4_sync:
+	mov	w16, w0
+	ldxr	w0, [x2]
+	cmp	w0, w16
+0:	bne	1f
+
+	stlxr	w17, w1, [x2]
+	cbnz	w17, 0b
+1:	ret
+diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake
+index 426c66c05350..d39873a0fe81 100644
+--- a/deployments/se-proxy/se-proxy.cmake
+++ b/deployments/se-proxy/se-proxy.cmake
+@@ -61,6 +61,7 @@ add_components(TARGET "se-proxy"
+ target_sources(se-proxy PRIVATE
+ 	${CMAKE_CURRENT_LIST_DIR}/common/se_proxy_sp.c
+ 	${CMAKE_CURRENT_LIST_DIR}/common/service_proxy_factory.c
+	${CMAKE_CURRENT_LIST_DIR}/opteesp/lse.S
+ )
+ 
+ #-------------------------------------------------------------------------------
+@@ -73,6 +74,13 @@ include(../../../external/nanopb/nanopb.cmake)
+ target_link_libraries(se-proxy PRIVATE nanopb::protobuf-nanopb-static)
+ protobuf_generate_all(TGT "se-proxy" NAMESPACE "protobuf" BASE_DIR "${TS_ROOT}/protocols")
+ 
+# libmetal
+include(../../../external/openamp/libmetal.cmake)
+
+# OpenAMP
+include(../../../external/openamp/openamp.cmake)
+target_link_libraries(se-proxy PRIVATE openamp libmetal)
+
+ #################################################################
+ 
+ target_include_directories(se-proxy PRIVATE
+diff --git a/external/openamp/libmetal-init-cache.cmake.in b/external/openamp/libmetal-init-cache.cmake.in
+new file mode 100644
+index 000000000000..04c25fbde960
+--- /dev/null
+++ b/external/openamp/libmetal-init-cache.cmake.in
+@@ -0,0 +1,20 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+# Copyright (c) 2021-2022, Linaro. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+
+set(CMAKE_INSTALL_PREFIX "@BUILD_INSTALL_DIR@" CACHE STRING "")
+set(CMAKE_TOOLCHAIN_FILE "@TS_EXTERNAL_LIB_TOOLCHAIN_FILE@" CACHE STRING "")
+set(BUILD_SHARED_LIBS Off CACHE BOOL "")
+set(BUILD_STATIC_LIBS On CACHE BOOL "")
+
+set(WITH_DOC OFF CACHE BOOL "")
+set(WITH_TESTS OFF CACHE BOOL "")
+set(WITH_EXAMPLES OFF CACHE BOOL "")
+set(WITH_DEFAULT_LOGGER OFF CACHE BOOL "")
+set(MACHINE "template" CACHE STRING "")
+
+@_cmake_fragment@
+diff --git a/external/openamp/libmetal.cmake b/external/openamp/libmetal.cmake
+new file mode 100644
+index 000000000000..6e5004ff555c
+--- /dev/null
+++ b/external/openamp/libmetal.cmake
+@@ -0,0 +1,67 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2022 Linaro Limited
+# Copyright (c) 2022, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+
+set (LIBMETAL_URL "https://github.com/OpenAMP/libmetal.git"
+		    CACHE STRING "libmetal repository URL")
+set (LIBMETAL_INSTALL_DIR "${CMAKE_CURRENT_BINARY_DIR}/libmetal_install"
+		    CACHE DIR "libmetal installation directory")
+set(LIBMETAL_SOURCE_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/libmetal"
+		CACHE DIR "libmetal source-code")
+set (LIBMETAL_PACKAGE_DIR "${LIBMETAL_INSTALL_DIR}/libmetal/cmake"
+			    CACHE DIR "libmetal CMake package directory")
+set (LIBMETAL_TARGET_NAME "libmetal")
+set (LIBMETAL_REFSPEC "f252f0e007fbfb8b3a52b1d5901250ddac96baad"
+			CACHE STRING "The version of libmetal to use")
+set(LIBMETAL_BINARY_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/libmetal-build")
+
+set(GIT_OPTIONS
+    GIT_REPOSITORY ${LIBMETAL_URL}
+    GIT_TAG ${LIBMETAL_REFSPEC}
+    GIT_SHALLOW FALSE
+)
+
+if(NOT LIBMETAL_DEBUG)
+	set(LIBMETAL_BUILD_TYPE "Release")
+else()
+	set(LIBMETAL_BUILD_TYPE "Debug")
+endif()
+
+include(FetchContent)
+
+# Checking git
+find_program(GIT_COMMAND "git")
+if (NOT GIT_COMMAND)
+	message(FATAL_ERROR "Please install git")
+endif()
+
+# Only pass libc settings to libmetal if needed. For environments where the
+# standard library is not overridden, this is not needed.
+if(TARGET stdlib::c)
+	include(${TS_ROOT}/tools/cmake/common/PropertyCopy.cmake)
+
+	# Save libc settings
+	save_interface_target_properties(TGT stdlib::c PREFIX LIBC)
+	# Translate libc settings to cmake code fragment. Will be inserted into
+	# libmetal-init-cache.cmake.in when LazyFetch configures the file.
+	translate_interface_target_properties(PREFIX LIBC RES _cmake_fragment)
+	unset_saved_properties(LIBC)
+endif()
+
+include(${TS_ROOT}/tools/cmake/common/LazyFetch.cmake REQUIRED)
+LazyFetch_MakeAvailable(DEP_NAME libmetal
+    FETCH_OPTIONS "${GIT_OPTIONS}"
+    INSTALL_DIR "${LIBMETAL_INSTALL_DIR}"
+    CACHE_FILE "${TS_ROOT}/external/openamp/libmetal-init-cache.cmake.in"
+    SOURCE_DIR "${LIBMETAL_SOURCE_DIR}"
+)
+unset(_cmake_fragment)
+
+#Create an imported target to have clean abstraction in the build-system.
+add_library(libmetal STATIC IMPORTED)
+set_property(TARGET libmetal PROPERTY IMPORTED_LOCATION "${LIBMETAL_INSTALL_DIR}/lib/${CMAKE_STATIC_LIBRARY_PREFIX}metal${CMAKE_STATIC_LIBRARY_SUFFIX}")
+set_property(TARGET libmetal PROPERTY INTERFACE_INCLUDE_DIRECTORIES "${LIBMETAL_INSTALL_DIR}/include")
+diff --git a/external/openamp/openamp-init-cache.cmake.in b/external/openamp/openamp-init-cache.cmake.in
+new file mode 100644
+index 000000000000..302b80511bce
+--- /dev/null
+++ b/external/openamp/openamp-init-cache.cmake.in
+@@ -0,0 +1,20 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+# Copyright (c) 2021-2022, Linaro. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+
+set(CMAKE_INSTALL_PREFIX "@BUILD_INSTALL_DIR@" CACHE STRING "")
+set(CMAKE_TOOLCHAIN_FILE "@TS_EXTERNAL_LIB_TOOLCHAIN_FILE@" CACHE STRING "")
+set(BUILD_SHARED_LIBS Off CACHE BOOL "")
+set(BUILD_STATIC_LIBS On CACHE BOOL "")
+
+set(LIBMETAL_INCLUDE_DIR "@CMAKE_CURRENT_BINARY_DIR@/libmetal_install/include" CACHE
+    STRING "")
+set(LIBMETAL_LIB "@CMAKE_CURRENT_BINARY_DIR@/libmetal_install/lib" CACHE STRING "")
+set(RPMSG_BUFFER_SIZE "512" CACHE STRING "")
+set(MACHINE "template" CACHE STRING "")
+
+@_cmake_fragment@
+diff --git a/external/openamp/openamp.cmake b/external/openamp/openamp.cmake
+new file mode 100644
+index 000000000000..449f35f4fda4
+--- /dev/null
+++ b/external/openamp/openamp.cmake
+@@ -0,0 +1,66 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2022 Linaro Limited
+# Copyright (c) 2022, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+
+set (OPENAMP_URL "https://github.com/OpenAMP/open-amp.git"
+		    CACHE STRING "OpenAMP repository URL")
+set (OPENAMP_INSTALL_DIR "${CMAKE_CURRENT_BINARY_DIR}/openamp_install"
+			    CACHE DIR "OpenAMP installation directory")
+set (OPENAMP_SOURCE_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/openamp"
+			    CACHE DIR "OpenAMP source code directory")
+set (OPENAMP_PACKAGE_DIR "${OPENAMP_INSTALL_DIR}/openamp/cmake"
+			    CACHE DIR "OpenAMP CMake package directory")
+set (OPENAMP_TARGET_NAME "openamp")
+set (OPENAMP_REFSPEC "347397decaa43372fc4d00f965640ebde042966d"
+			CACHE STRING "The version of openamp to use")
+
+set(GIT_OPTIONS
+    GIT_REPOSITORY ${OPENAMP_URL}
+    GIT_TAG ${OPENAMP_REFSPEC}
+    GIT_SHALLOW FALSE
+)
+
+if(NOT OPENAMP_DEBUG)
+	set(OPENAMP_BUILD_TYPE "Release")
+else()
+	set(OPENAMP_BUILD_TYPE "Debug")
+endif()
+
+include(FetchContent)
+
+# Checking git
+find_program(GIT_COMMAND "git")
+if (NOT GIT_COMMAND)
+	message(FATAL_ERROR "Please install git")
+endif()
+
+# Only pass libc settings to openamp if needed. For environments where the
+# standard library is not overridden, this is not needed.
+if(TARGET stdlib::c)
+	include(${TS_ROOT}/tools/cmake/common/PropertyCopy.cmake)
+
+	# Save libc settings
+	save_interface_target_properties(TGT stdlib::c PREFIX LIBC)
+	# Translate libc settings to cmake code fragment. Will be inserted into
+	# libmetal-init-cache.cmake.in when LazyFetch configures the file.
+	translate_interface_target_properties(PREFIX LIBC RES _cmake_fragment)
+	unset_saved_properties(LIBC)
+endif()
+
+include(${TS_ROOT}/tools/cmake/common/LazyFetch.cmake REQUIRED)
+LazyFetch_MakeAvailable(DEP_NAME openamp
+    FETCH_OPTIONS "${GIT_OPTIONS}"
+    INSTALL_DIR "${OPENAMP_INSTALL_DIR}"
+    CACHE_FILE "${TS_ROOT}/external/openamp/openamp-init-cache.cmake.in"
+    SOURCE_DIR "${OPENAMP_SOURCE_DIR}"
+)
+unset(_cmake_fragment)
+
+#Create an imported target to have clean abstraction in the build-system.
+add_library(openamp STATIC IMPORTED)
+set_property(TARGET openamp PROPERTY IMPORTED_LOCATION "${OPENAMP_INSTALL_DIR}/lib/${CMAKE_STATIC_LIBRARY_PREFIX}open_amp${CMAKE_STATIC_LIBRARY_SUFFIX}")
+set_property(TARGET openamp PROPERTY INTERFACE_INCLUDE_DIRECTORIES "${OPENAMP_INSTALL_DIR}/include")
+-- 
+2.38.0
+
@@ -1,27 +1,55 @@
-From 9e6f16c236fbf5d8631ebc53a79c80b85042b736 Mon Sep 17 00:00:00 2001
+From e4ccb92f8de94a82edd3548d62c853790ae36bd1 Mon Sep 17 00:00:00 2001
 From: Vishnu Banavath <vishnu.banavath@arm.com>
-Date: Tue, 27 Sep 2022 18:47:36 +0100
-Subject: [PATCH 27/27] Add MHU driver
+Date: Fri, 3 Dec 2021 18:00:46 +0000
+Subject: [PATCH 02/19] Implement mhu driver and the OpenAmp conversion layer.

-This change is to add MHU driver. This is required to communicate
-between cortex-A and cortex-M
+This commit adds an mhu driver (v2.1 and v2) to the secure
+partition se_proxy and a conversion layer to communicate with
+the secure enclave using OpenAmp.

+Upstream-Status: Pending
 Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com>
-Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
-Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
 ---
+ .../se-proxy/opteesp/default_se-proxy.dts.in  |  16 +
 .../drivers/arm/mhu_driver/component.cmake    |  12 +
 platform/drivers/arm/mhu_driver/mhu_v2.h      | 391 ++++++++++++
 platform/drivers/arm/mhu_driver/mhu_v2_x.c    | 602 ++++++++++++++++++
- .../providers/arm/corstone1000/platform.cmake |   3 +
- 4 files changed, 1008 insertions(+)
+ .../providers/arm/corstone1000/platform.cmake |  10 +
+ 5 files changed, 1031 insertions(+)
 create mode 100644 platform/drivers/arm/mhu_driver/component.cmake
 create mode 100644 platform/drivers/arm/mhu_driver/mhu_v2.h
 create mode 100644 platform/drivers/arm/mhu_driver/mhu_v2_x.c
+ create mode 100644 platform/providers/arm/corstone1000/platform.cmake

+diff --git a/deployments/se-proxy/opteesp/default_se-proxy.dts.in b/deployments/se-proxy/opteesp/default_se-proxy.dts.in
+index 5748d2f80f88..267b4f923540 100644
+--- a/deployments/se-proxy/opteesp/default_se-proxy.dts.in
+++ b/deployments/se-proxy/opteesp/default_se-proxy.dts.in
+@@ -17,4 +17,20 @@
+ 	xlat-granule = <0>; /* 4KiB */
+ 	messaging-method = <3>; /* Direct messaging only */
+ 	legacy-elf-format = <1>;
+
+	device-regions {
+		compatible = "arm,ffa-manifest-device-regions";
+		mhu-sender {
+			/* Armv8 A Foundation Platform values */
+			base-address = <0x00000000 0x1b820000>;
+			pages-count = <16>;
+			attributes = <0x3>; /* read-write */
+		};
+		mhu-receiver {
+			/* Armv8 A Foundation Platform values */
+			base-address = <0x00000000 0x1b830000>;
+			pages-count = <16>;
+			attributes = <0x3>; /* read-write */
+		};
+	};
+ };
 diff --git a/platform/drivers/arm/mhu_driver/component.cmake b/platform/drivers/arm/mhu_driver/component.cmake
 new file mode 100644
-index 00000000..77a5a50b
+index 000000000000..77a5a50b67d1
 --- /dev/null
 +++ b/platform/drivers/arm/mhu_driver/component.cmake
@@ -0,0 +1,12 @@
@@ -39,7 +67,7 @@ index 00000000..77a5a50b
 +)
 diff --git a/platform/drivers/arm/mhu_driver/mhu_v2.h b/platform/drivers/arm/mhu_driver/mhu_v2.h
 new file mode 100644
-index 00000000..2e4ba80f
+index 000000000000..2e4ba80fab95
 --- /dev/null
 +++ b/platform/drivers/arm/mhu_driver/mhu_v2.h
@@ -0,0 +1,391 @@
@@ -436,7 +464,7 @@ index 00000000..2e4ba80f
 +#endif /* __MHU_V2_X_H__ */
 diff --git a/platform/drivers/arm/mhu_driver/mhu_v2_x.c b/platform/drivers/arm/mhu_driver/mhu_v2_x.c
 new file mode 100644
-index 00000000..01d8f659
+index 000000000000..01d8f659a73a
 --- /dev/null
 +++ b/platform/drivers/arm/mhu_driver/mhu_v2_x.c
@@ -0,0 +1,602 @@
@@ -1043,19 +1071,21 @@ index 00000000..01d8f659
 +    return MHU_V_2_X_ERR_GENERAL;
 +}
 diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake
-index 14a9f6b0..df9cab71 100644
--- a/platform/providers/arm/corstone1000/platform.cmake
+new file mode 100644
+index 000000000000..bb778bb9719b
+--- /dev/null
 +++ b/platform/providers/arm/corstone1000/platform.cmake
-@@ -6,6 +6,9 @@
- # Platform definition for the corstone1000 platform.
- #-------------------------------------------------------------------------------
- 
+@@ -0,0 +1,10 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+# Platform definition for the 'fvp_base_revc-2xaem8a' virtual platform.
+#-------------------------------------------------------------------------------
+
 +# include MHU driver
 +include(${TS_ROOT}/platform/drivers/arm/mhu_driver/component.cmake)
-+
- target_compile_definitions(${TGT} PRIVATE
- 	SMM_GATEWAY_NV_STORE_SN="sn:ffa:46bb39d1-b4d9-45b5-88ff-040027dab249:1"
- )
 -- 
-2.17.1
+2.38.0

@@ -0,0 +1,298 @@
+From 8c1bc5a7ae525d64802e2a06746f698f54cf07ca Mon Sep 17 00:00:00 2001
+From: Vishnu Banavath <vishnu.banavath@arm.com>
+Date: Fri, 3 Dec 2021 19:05:18 +0000
+Subject: [PATCH 04/19] add psa client definitions for ff-m
+
+Add PSA client definitions in common include to add future
+ff-m support.
+
+Upstream-Status: Pending
+Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com>
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+---
+ .../service/common/include/psa/client.h       | 194 ++++++++++++++++++
+ components/service/common/include/psa/sid.h   |  71 +++++++
+ 2 files changed, 265 insertions(+)
+ create mode 100644 components/service/common/include/psa/client.h
+ create mode 100644 components/service/common/include/psa/sid.h
+
+diff --git a/components/service/common/include/psa/client.h b/components/service/common/include/psa/client.h
+new file mode 100644
+index 000000000000..69ccf14f40a3
+--- /dev/null
+++ b/components/service/common/include/psa/client.h
+@@ -0,0 +1,194 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef SERVICE_PSA_IPC_H
+#define SERVICE_PSA_IPC_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <rpc_caller.h>
+#include <psa/error.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifndef IOVEC_LEN
+#define IOVEC_LEN(arr) ((uint32_t)(sizeof(arr)/sizeof(arr[0])))
+#endif
+
+/*********************** PSA Client Macros and Types *************************/
+
+typedef int32_t psa_handle_t;
+
+/**
+ * The version of the PSA Framework API that is being used to build the calling
+ * firmware. Only part of features of FF-M v1.1 have been implemented. FF-M v1.1
+ * is compatible with v1.0.
+ */
+#define PSA_FRAMEWORK_VERSION       (0x0101u)
+
+/**
+ * Return value from psa_version() if the requested RoT Service is not present
+ * in the system.
+ */
+#define PSA_VERSION_NONE            (0u)
+
+/**
+ * The zero-value null handle can be assigned to variables used in clients and
+ * RoT Services, indicating that there is no current connection or message.
+ */
+#define PSA_NULL_HANDLE             ((psa_handle_t)0)
+
+/**
+ * Tests whether a handle value returned by psa_connect() is valid.
+ */
+#define PSA_HANDLE_IS_VALID(handle) ((psa_handle_t)(handle) > 0)
+
+/**
+ * Converts the handle value returned from a failed call psa_connect() into
+ * an error code.
+ */
+#define PSA_HANDLE_TO_ERROR(handle) ((psa_status_t)(handle))
+
+/**
+ * Maximum number of input and output vectors for a request to psa_call().
+ */
+#define PSA_MAX_IOVEC               (4u)
+
+/**
+ * An IPC message type that indicates a generic client request.
+ */
+#define PSA_IPC_CALL                (0)
+
+/**
+ * A read-only input memory region provided to an RoT Service.
+ */
+struct __attribute__ ((__packed__)) psa_invec {
+    uint32_t base;           /*!< the start address of the memory buffer */
+    uint32_t len;                 /*!< the size in bytes                      */
+};
+
+/**
+ * A writable output memory region provided to an RoT Service.
+ */
+struct __attribute__ ((__packed__)) psa_outvec {
+    uint32_t base;                 /*!< the start address of the memory buffer */
+    uint32_t len;                 /*!< the size in bytes                      */
+};
+
+/*************************** PSA Client API **********************************/
+
+/**
+ * \brief Retrieve the version of the PSA Framework API that is implemented.
+ *
+ * \param[in] rpc_caller        RPC caller to use
+ * \return version              The version of the PSA Framework implementation
+ *                              that is providing the runtime services to the
+ *                              caller. The major and minor version are encoded
+ *                              as follows:
+ * \arg                           version[15:8] -- major version number.
+ * \arg                           version[7:0]  -- minor version number.
+ */
+uint32_t psa_framework_version(struct rpc_caller *caller);
+
+/**
+ * \brief Retrieve the version of an RoT Service or indicate that it is not
+ *        present on this system.
+ *
+ * \param[in] rpc_caller        RPC caller to use
+ * \param[in] sid               ID of the RoT Service to query.
+ *
+ * \retval PSA_VERSION_NONE     The RoT Service is not implemented, or the
+ *                              caller is not permitted to access the service.
+ * \retval > 0                  The version of the implemented RoT Service.
+ */
+uint32_t psa_version(struct rpc_caller *caller, uint32_t sid);
+
+/**
+ * \brief Connect to an RoT Service by its SID.
+ *
+ * \param[in] rpc_caller        RPC caller to use
+ * \param[in] sid               ID of the RoT Service to connect to.
+ * \param[in] version           Requested version of the RoT Service.
+ *
+ * \retval > 0                  A handle for the connection.
+ * \retval PSA_ERROR_CONNECTION_REFUSED The SPM or RoT Service has refused the
+ *                              connection.
+ * \retval PSA_ERROR_CONNECTION_BUSY The SPM or RoT Service cannot make the
+ *                              connection at the moment.
+ * \retval "PROGRAMMER ERROR"   The call is a PROGRAMMER ERROR if one or more
+ *                              of the following are true:
+ * \arg                           The RoT Service ID is not present.
+ * \arg                           The RoT Service version is not supported.
+ * \arg                           The caller is not allowed to access the RoT
+ *                                service.
+ */
+psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid,
+			 uint32_t version);
+
+/**
+ * \brief Call an RoT Service on an established connection.
+ *
+ * \note  FF-M 1.0 proposes 6 parameters for psa_call but the secure gateway ABI
+ *        support at most 4 parameters. TF-M chooses to encode 'in_len',
+ *        'out_len', and 'type' into a 32-bit integer to improve efficiency.
+ *        Compared with struct-based encoding, this method saves extra memory
+ *        check and memory copy operation. The disadvantage is that the 'type'
+ *        range has to be reduced into a 16-bit integer. So with this encoding,
+ *        the valid range for 'type' is 0-32767.
+ *
+ * \param[in] rpc_caller        RPC caller to use
+ * \param[in] handle            A handle to an established connection.
+ * \param[in] type              The request type.
+ *                              Must be zero( \ref PSA_IPC_CALL) or positive.
+ * \param[in] in_vec            Array of input \ref psa_invec structures.
+ * \param[in] in_len            Number of input \ref psa_invec structures.
+ * \param[in,out] out_vec       Array of output \ref psa_outvec structures.
+ * \param[in] out_len           Number of output \ref psa_outvec structures.
+ *
+ * \retval >=0                  RoT Service-specific status value.
+ * \retval <0                   RoT Service-specific error code.
+ * \retval PSA_ERROR_PROGRAMMER_ERROR The connection has been terminated by the
+ *                              RoT Service. The call is a PROGRAMMER ERROR if
+ *                              one or more of the following are true:
+ * \arg                           An invalid handle was passed.
+ * \arg                           The connection is already handling a request.
+ * \arg                           type < 0.
+ * \arg                           An invalid memory reference was provided.
+ * \arg                           in_len + out_len > PSA_MAX_IOVEC.
+ * \arg                           The message is unrecognized by the RoT
+ *                                Service or incorrectly formatted.
+ */
+psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t handle,
+		      int32_t type, const struct psa_invec *in_vec,
+		      size_t in_len, struct psa_outvec *out_vec, size_t out_len);
+
+/**
+ * \brief Close a connection to an RoT Service.
+ *
+ * \param[in] rpc_caller        RPC caller to use
+ * \param[in] handle            A handle to an established connection, or the
+ *                              null handle.
+ *
+ * \retval void                 Success.
+ * \retval "PROGRAMMER ERROR"   The call is a PROGRAMMER ERROR if one or more
+ *                              of the following are true:
+ * \arg                           An invalid handle was provided that is not
+ *                                the null handle.
+ * \arg                           The connection is currently handling a
+ *                                request.
+ */
+void psa_close(struct rpc_caller *caller, psa_handle_t handle);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SERVICE_PSA_IPC_H */
+
+
+diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h
+new file mode 100644
+index 000000000000..aaa973c6e987
+--- /dev/null
+++ b/components/service/common/include/psa/sid.h
+@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2019-2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#ifndef __PSA_MANIFEST_SID_H__
+#define __PSA_MANIFEST_SID_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/******** TFM_SP_PS ********/
+#define TFM_PROTECTED_STORAGE_SERVICE_SID                          (0x00000060U)
+#define TFM_PROTECTED_STORAGE_SERVICE_VERSION                      (1U)
+#define TFM_PROTECTED_STORAGE_SERVICE_HANDLE                       (0x40000101U)
+
+/* Invalid UID */
+#define TFM_PS_INVALID_UID 0
+
+/* PS message types that distinguish PS services. */
+#define TFM_PS_SET                1001
+#define TFM_PS_GET                1002
+#define TFM_PS_GET_INFO           1003
+#define TFM_PS_REMOVE             1004
+#define TFM_PS_GET_SUPPORT        1005
+
+/******** TFM_SP_ITS ********/
+#define TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_SID                   (0x00000070U)
+#define TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_VERSION               (1U)
+#define TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_HANDLE                (0x40000102U)
+
+/******** TFM_SP_CRYPTO ********/
+#define TFM_CRYPTO_SID                                             (0x00000080U)
+#define TFM_CRYPTO_VERSION                                         (1U)
+#define TFM_CRYPTO_HANDLE                                          (0x40000100U)
+
+/******** TFM_SP_PLATFORM ********/
+#define TFM_SP_PLATFORM_SYSTEM_RESET_SID                           (0x00000040U)
+#define TFM_SP_PLATFORM_SYSTEM_RESET_VERSION                       (1U)
+#define TFM_SP_PLATFORM_IOCTL_SID                                  (0x00000041U)
+#define TFM_SP_PLATFORM_IOCTL_VERSION                              (1U)
+#define TFM_SP_PLATFORM_NV_COUNTER_SID                             (0x00000042U)
+#define TFM_SP_PLATFORM_NV_COUNTER_VERSION                         (1U)
+
+/******** TFM_SP_INITIAL_ATTESTATION ********/
+#define TFM_ATTESTATION_SERVICE_SID                                (0x00000020U)
+#define TFM_ATTESTATION_SERVICE_VERSION                            (1U)
+#define TFM_ATTESTATION_SERVICE_HANDLE                             (0x40000103U)
+
+/******** TFM_SP_FWU ********/
+#define TFM_FWU_WRITE_SID                                          (0x000000A0U)
+#define TFM_FWU_WRITE_VERSION                                      (1U)
+#define TFM_FWU_INSTALL_SID                                        (0x000000A1U)
+#define TFM_FWU_INSTALL_VERSION                                    (1U)
+#define TFM_FWU_ABORT_SID                                          (0x000000A2U)
+#define TFM_FWU_ABORT_VERSION                                      (1U)
+#define TFM_FWU_QUERY_SID                                          (0x000000A3U)
+#define TFM_FWU_QUERY_VERSION                                      (1U)
+#define TFM_FWU_REQUEST_REBOOT_SID                                 (0x000000A4U)
+#define TFM_FWU_REQUEST_REBOOT_VERSION                             (1U)
+#define TFM_FWU_ACCEPT_SID                                         (0x000000A5U)
+#define TFM_FWU_ACCEPT_VERSION                                     (1U)
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __PSA_MANIFEST_SID_H__ */
+-- 
+2.38.0
+
@@ -0,0 +1,295 @@
+From e9778f726ed582360152f150301995b10d268aae Mon Sep 17 00:00:00 2001
+From: Vishnu Banavath <vishnu.banavath@arm.com>
+Date: Fri, 3 Dec 2021 19:13:03 +0000
+Subject: [PATCH 05/19] Add common service component to ipc support
+
+Add support for inter processor communication for PSA
+including, the openamp client side structures lib.
+
+Upstream-Status: Pending
+Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com>
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+---
+ .../service/common/psa_ipc/component.cmake    |  13 ++
+ .../service/common/psa_ipc/service_psa_ipc.c  |  97 +++++++++++++
+ .../psa_ipc/service_psa_ipc_openamp_lib.h     | 131 ++++++++++++++++++
+ deployments/se-proxy/se-proxy.cmake           |   1 +
+ 4 files changed, 242 insertions(+)
+ create mode 100644 components/service/common/psa_ipc/component.cmake
+ create mode 100644 components/service/common/psa_ipc/service_psa_ipc.c
+ create mode 100644 components/service/common/psa_ipc/service_psa_ipc_openamp_lib.h
+
+diff --git a/components/service/common/psa_ipc/component.cmake b/components/service/common/psa_ipc/component.cmake
+new file mode 100644
+index 000000000000..5a1c9e62e2f0
+--- /dev/null
+++ b/components/service/common/psa_ipc/component.cmake
+@@ -0,0 +1,13 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+	message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+	"${CMAKE_CURRENT_LIST_DIR}/service_psa_ipc.c"
+	)
+diff --git a/components/service/common/psa_ipc/service_psa_ipc.c b/components/service/common/psa_ipc/service_psa_ipc.c
+new file mode 100644
+index 000000000000..e8093c20a523
+--- /dev/null
+++ b/components/service/common/psa_ipc/service_psa_ipc.c
+@@ -0,0 +1,97 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+#include <trace.h>
+
+#include <protocols/rpc/common/packed-c/status.h>
+#include <psa/error.h>
+#include <rpc_caller.h>
+
+#include <psa/client.h>
+#include "service_psa_ipc_openamp_lib.h"
+
+psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid,
+			 uint32_t version)
+{
+	psa_status_t psa_status = PSA_SUCCESS;
+	struct s_openamp_msg *resp_msg = NULL;
+	struct ns_openamp_msg *req_msg;
+	rpc_call_handle rpc_handle;
+	size_t resp_len;
+	uint8_t *resp;
+	uint8_t *req;
+	int ret;
+
+	rpc_handle = rpc_caller_begin(caller, &req,
+				      sizeof(struct ns_openamp_msg));
+	if (!rpc_handle) {
+		EMSG("psa_connect: could not get handle");
+		return PSA_ERROR_GENERIC_ERROR;
+	}
+
+	req_msg = (struct ns_openamp_msg *)req;
+
+	req_msg->call_type = OPENAMP_PSA_CONNECT;
+	req_msg->params.psa_connect_params.sid = sid;
+	req_msg->params.psa_connect_params.version = version;
+
+	ret = rpc_caller_invoke(caller, rpc_handle, 0, &psa_status, &resp,
+				&resp_len);
+	if (ret != TS_RPC_CALL_ACCEPTED) {
+		EMSG("psa_connect: invoke failed: %d", ret);
+		return PSA_ERROR_GENERIC_ERROR;
+	}
+
+	if (psa_status == PSA_SUCCESS)
+		resp_msg = (struct s_openamp_msg *)resp;
+
+	rpc_caller_end(caller, rpc_handle);
+
+	return resp_msg ? (psa_handle_t)resp_msg->reply : PSA_NULL_HANDLE;
+}
+
+psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t handle,
+		      int32_t type, const struct psa_invec *in_vec,
+		      size_t in_len, struct psa_outvec *out_vec, size_t out_len)
+{
+
+}
+
+void psa_close(struct rpc_caller *caller, psa_handle_t handle)
+{
+	psa_status_t psa_status = PSA_SUCCESS;
+	struct s_openamp_msg *resp_msg = NULL;
+	struct ns_openamp_msg *req_msg;
+	rpc_call_handle rpc_handle;
+	size_t resp_len;
+	uint8_t *resp;
+	uint8_t *req;
+	int ret;
+
+	rpc_handle = rpc_caller_begin(caller, &req,
+				      sizeof(struct ns_openamp_msg));
+	if (!rpc_handle) {
+		EMSG("psa_close: could not get handle");
+		return;
+	}
+
+	req_msg = (struct ns_openamp_msg *)req;
+
+	req_msg->call_type = OPENAMP_PSA_CLOSE;
+	req_msg->params.psa_close_params.handle = handle;
+
+	ret = rpc_caller_invoke(caller, rpc_handle, 0, &psa_status, &resp,
+				&resp_len);
+	if (ret != TS_RPC_CALL_ACCEPTED) {
+		EMSG("psa_close: invoke failed: %d", ret);
+		return;
+	}
+
+	rpc_caller_end(caller, rpc_handle);
+}
+diff --git a/components/service/common/psa_ipc/service_psa_ipc_openamp_lib.h b/components/service/common/psa_ipc/service_psa_ipc_openamp_lib.h
+new file mode 100644
+index 000000000000..33ea96660572
+--- /dev/null
+++ b/components/service/common/psa_ipc/service_psa_ipc_openamp_lib.h
+@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef SERVICE_PSA_IPC_OPENAMP_LIB_H
+#define SERVICE_PSA_IPC_OPENAMP_LIB_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <compiler.h>
+#include <psa/error.h>
+
+#include <stdint.h>
+#include <psa/client.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* PSA client call type value */
+#define OPENAMP_PSA_FRAMEWORK_VERSION       (0x1)
+#define OPENAMP_PSA_VERSION                 (0x2)
+#define OPENAMP_PSA_CONNECT                 (0x3)
+#define OPENAMP_PSA_CALL                    (0x4)
+#define OPENAMP_PSA_CLOSE                   (0x5)
+
+/* Return code of openamp APIs */
+#define OPENAMP_SUCCESS                     (0)
+#define OPENAMP_MAP_FULL                    (INT32_MIN + 1)
+#define OPENAMP_MAP_ERROR                   (INT32_MIN + 2)
+#define OPENAMP_INVAL_PARAMS                (INT32_MIN + 3)
+#define OPENAMP_NO_PERMS                    (INT32_MIN + 4)
+#define OPENAMP_NO_PEND_EVENT               (INT32_MIN + 5)
+#define OPENAMP_CHAN_BUSY                   (INT32_MIN + 6)
+#define OPENAMP_CALLBACK_REG_ERROR          (INT32_MIN + 7)
+#define OPENAMP_INIT_ERROR                  (INT32_MIN + 8)
+
+#define HOLD_INPUT_BUFFER (1) /* IF true, TF-M Library will hold the openamp
+			       * buffer so that openamp shared memory buffer
+			       * does not get freed.
+			       */
+
+/*
+ * This structure holds the parameters used in a PSA client call.
+ */
+typedef struct __packed psa_client_in_params {
+	union {
+		struct __packed {
+			uint32_t        sid;
+		} psa_version_params;
+
+		struct __packed {
+			uint32_t        sid;
+			uint32_t        version;
+		} psa_connect_params;
+
+		struct __packed {
+			psa_handle_t     handle;
+			int32_t          type;
+			uint32_t         in_vec;
+			uint32_t         in_len;
+			uint32_t         out_vec;
+			uint32_t         out_len;
+		} psa_call_params;
+
+		struct __packed {
+			psa_handle_t    handle;
+		} psa_close_params;
+	};
+} psa_client_in_params_t;
+
+/* Openamp message passed from NSPE to SPE to deliver a PSA client call */
+struct __packed ns_openamp_msg {
+	uint32_t                      call_type;   /* PSA client call type */
+	struct psa_client_in_params   params;      /* Contain parameters used in PSA
+						  * client call
+						  */
+
+	int32_t                     client_id;   /* Optional client ID of the
+						  * non-secure caller.
+						  * It is required to identify the
+						  * non-secure task when NSPE OS
+						  * enforces non-secure task
+						  * isolation
+						  */
+	int32_t                     request_id;  /* This is the unique ID for a
+						  * request send to TF-M by the
+						  * non-secure core. TF-M forward
+						  * the ID back to non-secure on the
+						  * reply to a given request. Using
+						  * this id, the non-secure library
+						  * can identify the request for
+						  * which the reply has received.
+						  */
+};
+
+/*
+ * This structure holds the location of the out data of the PSA client call.
+ */
+struct __packed psa_client_out_params {
+	uint32_t              out_vec;
+	uint32_t              out_len;
+};
+
+
+/* Openamp message from SPE to NSPE delivering the reply back for a PSA client
+ * call.
+ */
+struct __packed s_openamp_msg {
+	int32_t                     request_id;  /* Using this id, the non-secure
+						  * library identifies the request.
+						  * TF-M forwards the same
+						  * request-id received on the
+						  * initial request.
+						  */
+	int32_t                     reply;       /* Reply of the PSA client call */
+	struct psa_client_out_params     params;      /* Contain out data result of the
+						       * PSA client call.
+						       */
+};
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SERVICE_PSA_IPC_OPENAMP_LIB_H */
+
+
+diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake
+index 34fe5ff1b925..dd0c5d00c21e 100644
+--- a/deployments/se-proxy/se-proxy.cmake
+++ b/deployments/se-proxy/se-proxy.cmake
+@@ -24,6 +24,7 @@ add_components(TARGET "se-proxy"
+ 		"components/service/common/include"
+ 		"components/service/common/serializer/protobuf"
+ 		"components/service/common/client"
+		"components/service/common/psa_ipc"
+ 		"components/service/common/provider"
+ 		"components/service/discovery/provider"
+ 		"components/service/discovery/provider/serializer/packed-c"
+-- 
+2.38.0
+
@@ -0,0 +1,523 @@
+From 0df82487a7a253c601ca20ca1bd64fbb9ed64230 Mon Sep 17 00:00:00 2001
+From: Vishnu Banavath <vishnu.banavath@arm.com>
+Date: Fri, 3 Dec 2021 19:19:24 +0000
+Subject: [PATCH 06/19] Add secure storage ipc backend
+
+Add secure storage ipc ff-m implementation which may use
+openamp as rpc to communicate with other processor.
+
+Upstream-Status: Pending
+Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com>
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+---
+ .../service/common/psa_ipc/service_psa_ipc.c  | 143 +++++++++++-
+ .../secure_storage_ipc/component.cmake        |  14 ++
+ .../secure_storage_ipc/secure_storage_ipc.c   | 214 ++++++++++++++++++
+ .../secure_storage_ipc/secure_storage_ipc.h   |  52 +++++
+ deployments/se-proxy/se-proxy.cmake           |   1 +
+ 5 files changed, 420 insertions(+), 4 deletions(-)
+ create mode 100644 components/service/secure_storage/backend/secure_storage_ipc/component.cmake
+ create mode 100644 components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c
+ create mode 100644 components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h
+
+diff --git a/components/service/common/psa_ipc/service_psa_ipc.c b/components/service/common/psa_ipc/service_psa_ipc.c
+index e8093c20a523..95a07c135f31 100644
+--- a/components/service/common/psa_ipc/service_psa_ipc.c
+++ b/components/service/common/psa_ipc/service_psa_ipc.c
+@@ -16,6 +16,52 @@
+ #include <psa/client.h>
+ #include "service_psa_ipc_openamp_lib.h"
+ 
+static struct psa_invec *psa_call_in_vec_param(uint8_t *req)
+{
+	return (struct psa_invec *)(req + sizeof(struct ns_openamp_msg));
+}
+
+static struct psa_outvec *psa_call_out_vec_param(uint8_t *req, size_t in_len)
+{
+	return (struct psa_outvec *)(req + sizeof(struct ns_openamp_msg) +
+				     (in_len * sizeof(struct psa_invec)));
+}
+
+static size_t psa_call_header_len(const struct psa_invec *in_vec, size_t in_len,
+				  struct psa_outvec *out_vec, size_t out_len)
+{
+	return sizeof(struct ns_openamp_msg) + (in_len * sizeof(*in_vec)) +
+		(out_len * sizeof(*out_vec));
+}
+
+static size_t psa_call_in_vec_len(const struct psa_invec *in_vec, size_t in_len)
+{
+	size_t req_len = 0;
+	int i;
+
+	if (!in_vec || !in_len)
+		return 0;
+
+	for (i = 0; i < in_len; i++)
+		req_len += in_vec[i].len;
+
+	return req_len;
+}
+
+static size_t psa_call_out_vec_len(const struct psa_outvec *out_vec, size_t out_len)
+{
+	size_t resp_len = 0;
+	int i;
+
+	if (!out_vec || !out_len)
+		return 0;
+
+	for (i = 0; i < out_len; i++)
+		resp_len += out_vec[i].len;
+
+	return resp_len;
+}
+
+ psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid,
+ 			 uint32_t version)
+ {
+@@ -31,7 +77,7 @@ psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid,
+ 	rpc_handle = rpc_caller_begin(caller, &req,
+ 				      sizeof(struct ns_openamp_msg));
+ 	if (!rpc_handle) {
+-		EMSG("psa_connect: could not get handle");
+		EMSG("psa_connect: could not get rpc handle");
+ 		return PSA_ERROR_GENERIC_ERROR;
+ 	}
+ 
+@@ -56,14 +102,100 @@ psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid,
+ 	return resp_msg ? (psa_handle_t)resp_msg->reply : PSA_NULL_HANDLE;
+ }
+ 
+-psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t handle,
+psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t psa_handle,
+ 		      int32_t type, const struct psa_invec *in_vec,
+ 		      size_t in_len, struct psa_outvec *out_vec, size_t out_len)
+ {
+	psa_status_t psa_status = PSA_SUCCESS;
+	struct s_openamp_msg *resp_msg = NULL;
+	struct psa_outvec *out_vec_param;
+	struct psa_invec *in_vec_param;
+	struct ns_openamp_msg *req_msg;
+	rpc_call_handle rpc_handle;
+	size_t out_vec_len;
+	size_t in_vec_len;
+	size_t header_len;
+	uint8_t *payload;
+	size_t resp_len;
+	uint8_t *resp;
+	uint8_t *req;
+	int ret;
+	int i;
+
+	if ((psa_handle == PSA_NULL_HANDLE) || !caller)
+		return PSA_ERROR_INVALID_ARGUMENT;
+
+	header_len = psa_call_header_len(in_vec, in_len, out_vec, out_len);
+	in_vec_len = psa_call_in_vec_len(in_vec, in_len);
+	out_vec_len = psa_call_out_vec_len(out_vec, out_len);
+ 
+	rpc_handle = rpc_caller_begin(caller, &req, header_len + in_vec_len);
+	if (!rpc_handle) {
+		EMSG("psa_call: could not get handle");
+		return PSA_ERROR_GENERIC_ERROR;
+	}
+
+	payload = req + header_len;
+
+	out_vec_param = psa_call_out_vec_param(req, in_len);
+	in_vec_param = psa_call_in_vec_param(req);
+
+	req_msg = (struct ns_openamp_msg *)req;
+
+	req_msg->call_type = OPENAMP_PSA_CALL;
+	req_msg->request_id = 1234;
+	req_msg->params.psa_call_params.handle = psa_handle;
+	req_msg->params.psa_call_params.type = type;
+	req_msg->params.psa_call_params.in_len = in_len;
+	req_msg->params.psa_call_params.in_vec = rpc_caller_virt_to_phys(caller, in_vec_param);
+	req_msg->params.psa_call_params.out_len = out_len;
+	req_msg->params.psa_call_params.out_vec = rpc_caller_virt_to_phys(caller, out_vec_param);
+
+	for (i = 0; i < in_len; i++) {
+		in_vec_param[i].base = rpc_caller_virt_to_phys(caller, payload);
+		in_vec_param[i].len = in_vec[i].len;
+
+		memcpy(payload, in_vec[i].base, in_vec[i].len);
+		payload += in_vec[i].len;
+	}
+
+	for (i = 0; i < out_len; i++) {
+		out_vec_param[i].base = NULL;
+		out_vec_param[i].len = out_vec[i].len;
+	}
+
+	ret = rpc_caller_invoke(caller, rpc_handle, 0, &psa_status, &resp,
+				&resp_len);
+	if (ret != TS_RPC_CALL_ACCEPTED) {
+		EMSG("psa_call: invoke failed: %d", ret);
+		return PSA_ERROR_GENERIC_ERROR;
+	}
+
+	if (psa_status != PSA_SUCCESS) {
+		EMSG("psa_call: psa_status invoke failed: %d", psa_status);
+		return PSA_ERROR_GENERIC_ERROR;
+	}
+
+	resp_msg = (struct s_openamp_msg *)resp;
+
+	if (!resp_msg || !out_len || resp_msg->reply != PSA_SUCCESS)
+		goto caller_end;
+
+	out_vec_param = (struct psa_outvec *)rpc_caller_phys_to_virt(caller,
+						     resp_msg->params.out_vec);
+
+	for (i = 0; i < resp_msg->params.out_len; i++) {
+		memcpy(out_vec[i].base, rpc_caller_phys_to_virt(caller, out_vec_param[i].base),
+		       out_vec[i].len);
+	}
+
+caller_end:
+	rpc_caller_end(caller, rpc_handle);
+
+	return resp_msg ? resp_msg->reply : PSA_ERROR_COMMUNICATION_FAILURE;
+ }
+ 
+-void psa_close(struct rpc_caller *caller, psa_handle_t handle)
+void psa_close(struct rpc_caller *caller, psa_handle_t psa_handle)
+ {
+ 	psa_status_t psa_status = PSA_SUCCESS;
+ 	struct s_openamp_msg *resp_msg = NULL;
+@@ -74,6 +206,9 @@ void psa_close(struct rpc_caller *caller, psa_handle_t handle)
+ 	uint8_t *req;
+ 	int ret;
+ 
+	if ((psa_handle == PSA_NULL_HANDLE) || !caller)
+		return;
+
+ 	rpc_handle = rpc_caller_begin(caller, &req,
+ 				      sizeof(struct ns_openamp_msg));
+ 	if (!rpc_handle) {
+@@ -84,7 +219,7 @@ void psa_close(struct rpc_caller *caller, psa_handle_t handle)
+ 	req_msg = (struct ns_openamp_msg *)req;
+ 
+ 	req_msg->call_type = OPENAMP_PSA_CLOSE;
+-	req_msg->params.psa_close_params.handle = handle;
+	req_msg->params.psa_close_params.handle = psa_handle;
+ 
+ 	ret = rpc_caller_invoke(caller, rpc_handle, 0, &psa_status, &resp,
+ 				&resp_len);
+diff --git a/components/service/secure_storage/backend/secure_storage_ipc/component.cmake b/components/service/secure_storage/backend/secure_storage_ipc/component.cmake
+new file mode 100644
+index 000000000000..5d8f6714e0bd
+--- /dev/null
+++ b/components/service/secure_storage/backend/secure_storage_ipc/component.cmake
+@@ -0,0 +1,14 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+	message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+	"${CMAKE_CURRENT_LIST_DIR}/secure_storage_ipc.c"
+	)
+
+diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c
+new file mode 100644
+index 000000000000..9b55f77dd395
+--- /dev/null
+++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c
+@@ -0,0 +1,214 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <protocols/rpc/common/packed-c/status.h>
+#include "secure_storage_ipc.h"
+#include <psa/client.h>
+#include <psa/sid.h>
+#include <rpc_caller.h>
+#include <string.h>
+#include <trace.h>
+
+
+static psa_status_t secure_storage_ipc_set(void *context, uint32_t client_id,
+			 psa_storage_uid_t uid, size_t data_length,
+			 const void *p_data, psa_storage_create_flags_t create_flags)
+{
+	struct secure_storage_ipc *ipc = context;
+	struct rpc_caller *caller = ipc->client.caller;
+	psa_handle_t psa_handle;
+	psa_status_t psa_status;
+	struct psa_invec in_vec[] = {
+		{ .base = &uid, .len = sizeof(uid) },
+		{ .base = p_data, .len = data_length },
+		{ .base = &create_flags, .len = sizeof(create_flags) },
+	};
+
+	(void)client_id;
+
+	ipc->client.rpc_status = TS_RPC_CALL_ACCEPTED;
+
+	/* Validating input parameters */
+	if (p_data == NULL)
+		return PSA_ERROR_INVALID_ARGUMENT;
+
+	psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE,
+			      TFM_PS_SET, in_vec, IOVEC_LEN(in_vec), NULL, 0);
+	if (psa_status < 0)
+		EMSG("ipc_set: psa_call failed: %d", psa_status);
+
+	return psa_status;
+}
+
+static psa_status_t secure_storage_ipc_get(void *context,
+					   uint32_t client_id,
+					   psa_storage_uid_t uid,
+					   size_t data_offset,
+					   size_t data_size,
+					   void *p_data,
+					   size_t *p_data_length)
+{
+	struct secure_storage_ipc *ipc = context;
+	struct rpc_caller *caller = ipc->client.caller;
+	psa_handle_t psa_handle;
+	psa_status_t psa_status;
+	uint32_t offset = (uint32_t)data_offset;
+	struct psa_invec in_vec[] = {
+		{ .base = &uid, .len = sizeof(uid) },
+		{ .base = &offset, .len = sizeof(offset) },
+	};
+	struct psa_outvec out_vec[] = {
+		{ .base = p_data, .len = data_size },
+	};
+
+	if (!p_data_length) {
+		EMSG("ipc_get: p_data_length not defined");
+		return PSA_ERROR_INVALID_ARGUMENT;
+	}
+
+	psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE,
+			      TFM_PS_GET, in_vec, IOVEC_LEN(in_vec),
+			      out_vec, IOVEC_LEN(out_vec));
+	if (psa_status == PSA_SUCCESS)
+		*p_data_length = out_vec[0].len;
+
+	return psa_status;
+}
+
+static psa_status_t secure_storage_ipc_get_info(void *context,
+						uint32_t client_id,
+						psa_storage_uid_t uid,
+						struct psa_storage_info_t *p_info)
+{
+	struct secure_storage_ipc *ipc = context;
+	struct rpc_caller *caller = ipc->client.caller;
+	psa_handle_t psa_handle;
+	psa_status_t psa_status;
+	struct psa_invec in_vec[] = {
+		{ .base = &uid, .len = sizeof(uid) },
+	};
+	struct psa_outvec out_vec[] = {
+		{ .base = p_info, .len = sizeof(*p_info) },
+	};
+
+	(void)client_id;
+
+	/* Validating input parameters */
+	if (!p_info)
+		return PSA_ERROR_INVALID_ARGUMENT;
+
+	psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE,
+			      TFM_PS_GET_INFO, in_vec,
+			      IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec));
+	if (psa_status != PSA_SUCCESS)
+		EMSG("ipc_get_info: failed to psa_call: %d", psa_status);
+
+	return psa_status;
+}
+
+static psa_status_t secure_storage_ipc_remove(void *context,
+						uint32_t client_id,
+						psa_storage_uid_t uid)
+{
+	struct secure_storage_ipc *ipc = context;
+	struct rpc_caller *caller = ipc->client.caller;
+	psa_handle_t psa_handle;
+	psa_status_t psa_status;
+	struct psa_invec in_vec[] = {
+		{ .base = &uid, .len = sizeof(uid) },
+	};
+
+	(void)client_id;
+
+	psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE,
+			      TFM_PS_REMOVE, in_vec,
+			      IOVEC_LEN(in_vec), NULL, 0);
+	if (psa_status != PSA_SUCCESS)
+		EMSG("ipc_remove: failed to psa_call: %d", psa_status);
+
+	return psa_status;
+}
+
+static psa_status_t secure_storage_ipc_create(void *context,
+					      uint32_t client_id,
+					      uint64_t uid,
+					      size_t capacity,
+					      uint32_t create_flags)
+{
+	(void)context;
+	(void)uid;
+	(void)client_id;
+	(void)capacity;
+	(void)create_flags;
+
+	return PSA_ERROR_NOT_SUPPORTED;
+}
+
+static psa_status_t secure_storage_set_extended(void *context,
+						uint32_t client_id,
+						uint64_t uid,
+						size_t data_offset,
+						size_t data_length,
+						const void *p_data)
+{
+	(void)context;
+	(void)uid;
+	(void)client_id;
+	(void)data_offset;
+	(void)data_length;
+	(void)p_data;
+
+	return PSA_ERROR_NOT_SUPPORTED;
+}
+
+static uint32_t secure_storage_get_support(void *context, uint32_t client_id)
+{
+	struct secure_storage_ipc *ipc = context;
+	struct rpc_caller *caller = ipc->client.caller;
+	psa_handle_t psa_handle;
+	psa_status_t psa_status;
+	uint32_t support_flags;
+	struct psa_outvec out_vec[] = {
+		{ .base = &support_flags, .len =  sizeof(support_flags) },
+	};
+
+	(void)client_id;
+
+	psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE,
+			      TFM_PS_GET_SUPPORT, NULL, 0,
+			      out_vec, IOVEC_LEN(out_vec));
+	if (psa_status != PSA_SUCCESS)
+		EMSG("ipc_get_support: failed to psa_call: %d", psa_status);
+
+	return psa_status;
+}
+
+struct storage_backend *secure_storage_ipc_init(struct secure_storage_ipc *context,
+						struct rpc_caller *caller)
+{
+	service_client_init(&context->client, caller);
+
+	static const struct storage_backend_interface interface =
+	{
+		.set = secure_storage_ipc_set,
+		.get = secure_storage_ipc_get,
+		.get_info = secure_storage_ipc_get_info,
+		.remove = secure_storage_ipc_remove,
+		.create = secure_storage_ipc_create,
+		.set_extended = secure_storage_set_extended,
+		.get_support = secure_storage_get_support,
+	};
+
+	context->backend.context = context;
+	context->backend.interface = &interface;
+
+	return &context->backend;
+}
+
+void secure_storage_ipc_deinit(struct secure_storage_ipc *context)
+{
+	service_client_deinit(&context->client);
+}
+diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h
+new file mode 100644
+index 000000000000..e8c1e8fd2f92
+--- /dev/null
+++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h
+@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef SECURE_STORAGE_IPC_H
+#define SECURE_STORAGE_IPC_H
+
+#include <service/secure_storage/backend/storage_backend.h>
+#include <service/common/client/service_client.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * @brief      Secure storage ipc instance
+ */
+struct secure_storage_ipc
+{
+    struct storage_backend backend;
+    struct service_client client;
+};
+
+/**
+ * @brief      Initialize a secure storage ipc client
+ *
+ * A secure storage client is a storage backend that makes RPC calls
+ * to a remote secure storage provider.
+ *
+ * @param[in]  context    Instance data
+ * @param[in]  rpc_caller RPC caller instance
+ *
+ *
+ * @return     Pointer to inialized storage backend or NULL on failure
+ */
+struct storage_backend *secure_storage_ipc_init(struct secure_storage_ipc *context,
+						struct rpc_caller *caller);
+
+/**
+ * @brief      Deinitialize a secure storage ipc client
+ *
+ * @param[in]  context   Instance data
+ */
+void secure_storage_ipc_deinit(struct secure_storage_ipc *context);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SECURE_STORAGE_IPC_H */
+diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake
+index dd0c5d00c21e..cd51460406ca 100644
+--- a/deployments/se-proxy/se-proxy.cmake
+++ b/deployments/se-proxy/se-proxy.cmake
+@@ -45,6 +45,7 @@ add_components(TARGET "se-proxy"
+ 		"components/service/crypto/factory/full"
+ 		"components/service/secure_storage/include"
+ 		"components/service/secure_storage/frontend/secure_storage_provider"
+		"components/service/secure_storage/backend/secure_storage_ipc"
+ 		"components/service/attestation/include"
+ 		"components/service/attestation/provider"
+ 		"components/service/attestation/provider/serializer/packed-c"
+-- 
+2.38.0
+
@@ -0,0 +1,63 @@
+From 9c7f1e6a5eb9ab887e568cfa3c2003583d387bc9 Mon Sep 17 00:00:00 2001
+From: Vishnu Banavath <vishnu.banavath@arm.com>
+Date: Fri, 3 Dec 2021 19:25:34 +0000
+Subject: [PATCH 07/19] Use secure storage ipc and openamp for se_proxy
+
+Remove mock up backend for secure storage in se proxy
+deployment and use instead the secure storage ipc backend with
+openamp as rpc to secure enclave side.
+
+Upstream-Status: Pending
+Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com>
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+---
+ .../se-proxy/common/service_proxy_factory.c      | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/deployments/se-proxy/common/service_proxy_factory.c b/deployments/se-proxy/common/service_proxy_factory.c
+index acfb6e8873fa..57290056d614 100644
+--- a/deployments/se-proxy/common/service_proxy_factory.c
+++ b/deployments/se-proxy/common/service_proxy_factory.c
+@@ -6,15 +6,20 @@
+ 
+ #include <stddef.h>
+ #include <rpc/common/endpoint/rpc_interface.h>
+#include <rpc/openamp/caller/sp/openamp_caller.h>
+ #include <service/attestation/provider/attest_provider.h>
+ #include <service/attestation/provider/serializer/packed-c/packedc_attest_provider_serializer.h>
+ #include <service/crypto/factory/crypto_provider_factory.h>
+ #include <service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h>
+#include <trace.h>
+ 
+ /* Stub backends */
+ #include <service/crypto/backend/stub/stub_crypto_backend.h>
+#include <service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h>
+ #include <service/secure_storage/backend/mock_store/mock_store.h>
+ 
+struct openamp_caller openamp;
+
+ struct rpc_interface *attest_proxy_create(void)
+ {
+ 	struct rpc_interface *attest_iface;
+@@ -47,10 +52,15 @@ struct rpc_interface *crypto_proxy_create(void)
+ 
+ struct rpc_interface *ps_proxy_create(void)
+ {
+-	static struct mock_store ps_backend;
+ 	static struct secure_storage_provider ps_provider;
+-
+-	struct storage_backend *backend = mock_store_init(&ps_backend);
+	static struct secure_storage_ipc ps_backend;
+	static struct rpc_caller *storage_caller;
+	struct storage_backend *backend;
+
+	storage_caller = openamp_caller_init(&openamp);
+	if (!storage_caller)
+		return NULL;
+	backend = secure_storage_ipc_init(&ps_backend, &openamp.rpc_caller);
+ 
+ 	return secure_storage_provider_init(&ps_provider, backend);
+ }
+-- 
+2.38.0
+
@@ -0,0 +1,72 @@
+From d9169d380366afc63af5d4bf02791aeb41f47897 Mon Sep 17 00:00:00 2001
+From: Satish Kumar <satish.kumar01@arm.com>
+Date: Sun, 12 Dec 2021 10:43:48 +0000
+Subject: [PATCH 08/19] Run psa-arch-test
+
+Fixes needed to run psa-arch-test
+
+Upstream-Status: Pending
+Signed-off-by: Satish Kumar <satish.kumar01@arm.com>
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+---
+ components/service/common/psa_ipc/service_psa_ipc.c       | 1 +
+ .../backend/secure_storage_ipc/secure_storage_ipc.c       | 8 --------
+ .../service/secure_storage/include/psa/storage_common.h   | 4 ++--
+ 3 files changed, 3 insertions(+), 10 deletions(-)
+
+diff --git a/components/service/common/psa_ipc/service_psa_ipc.c b/components/service/common/psa_ipc/service_psa_ipc.c
+index 95a07c135f31..5e5815dbc9cf 100644
+--- a/components/service/common/psa_ipc/service_psa_ipc.c
+++ b/components/service/common/psa_ipc/service_psa_ipc.c
+@@ -185,6 +185,7 @@ psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t psa_handle,
+ 						     resp_msg->params.out_vec);
+ 
+ 	for (i = 0; i < resp_msg->params.out_len; i++) {
+                out_vec[i].len = out_vec_param[i].len;
+ 		memcpy(out_vec[i].base, rpc_caller_phys_to_virt(caller, out_vec_param[i].base),
+ 		       out_vec[i].len);
+ 	}
+diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c
+index 9b55f77dd395..a1f369db253e 100644
+--- a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c
+++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c
+@@ -31,10 +31,6 @@ static psa_status_t secure_storage_ipc_set(void *context, uint32_t client_id,
+ 
+ 	ipc->client.rpc_status = TS_RPC_CALL_ACCEPTED;
+ 
+-	/* Validating input parameters */
+-	if (p_data == NULL)
+-		return PSA_ERROR_INVALID_ARGUMENT;
+-
+ 	psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE,
+ 			      TFM_PS_SET, in_vec, IOVEC_LEN(in_vec), NULL, 0);
+ 	if (psa_status < 0)
+@@ -96,10 +92,6 @@ static psa_status_t secure_storage_ipc_get_info(void *context,
+ 
+ 	(void)client_id;
+ 
+-	/* Validating input parameters */
+-	if (!p_info)
+-		return PSA_ERROR_INVALID_ARGUMENT;
+-
+ 	psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE,
+ 			      TFM_PS_GET_INFO, in_vec,
+ 			      IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec));
+diff --git a/components/service/secure_storage/include/psa/storage_common.h b/components/service/secure_storage/include/psa/storage_common.h
+index 4f6ba2a7d822..1fd6b40dc803 100644
+--- a/components/service/secure_storage/include/psa/storage_common.h
+++ b/components/service/secure_storage/include/psa/storage_common.h
+@@ -20,8 +20,8 @@ typedef uint64_t psa_storage_uid_t;
+ typedef uint32_t psa_storage_create_flags_t;
+ 
+ struct psa_storage_info_t {
+-	size_t capacity;
+-	size_t size;
+	uint32_t capacity;
+	uint32_t size;
+ 	psa_storage_create_flags_t flags;
+ };
+ 
+-- 
+2.38.0
+
@@ -0,0 +1,168 @@
+From ee767c1ae857cfcc8b4bb520b2558091e253cf94 Mon Sep 17 00:00:00 2001
+From: Satish Kumar <satish.kumar01@arm.com>
+Date: Sun, 12 Dec 2021 10:57:17 +0000
+Subject: [PATCH 09/19] Use address instead of pointers
+
+Since secure enclave is 32bit and we 64bit there is an issue
+in the protocol communication design that force us to handle
+on our side the manipulation of address and pointers to make
+this work.
+
+Upstream-Status: Pending
+Signed-off-by: Satish Kumar <satish.kumar01@arm.com>
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+---
+ .../service/common/include/psa/client.h       | 15 ++++++++++++++
+ .../service/common/psa_ipc/service_psa_ipc.c  | 20 ++++++++++++-------
+ .../secure_storage_ipc/secure_storage_ipc.c   | 20 +++++++++----------
+ 3 files changed, 38 insertions(+), 17 deletions(-)
+
+diff --git a/components/service/common/include/psa/client.h b/components/service/common/include/psa/client.h
+index 69ccf14f40a3..12dcd68f8a76 100644
+--- a/components/service/common/include/psa/client.h
+++ b/components/service/common/include/psa/client.h
+@@ -81,6 +81,21 @@ struct __attribute__ ((__packed__)) psa_outvec {
+     uint32_t len;                 /*!< the size in bytes                      */
+ };
+ 
+static void *psa_u32_to_ptr(uint32_t addr)
+{
+	return (void *)(uintptr_t)addr;
+}
+
+static uint32_t psa_ptr_to_u32(void *ptr)
+{
+	return (uintptr_t)ptr;
+}
+
+static uint32_t psa_ptr_const_to_u32(const void *ptr)
+{
+	return (uintptr_t)ptr;
+}
+
+ /*************************** PSA Client API **********************************/
+ 
+ /**
+diff --git a/components/service/common/psa_ipc/service_psa_ipc.c b/components/service/common/psa_ipc/service_psa_ipc.c
+index 5e5815dbc9cf..435c6c0a2eba 100644
+--- a/components/service/common/psa_ipc/service_psa_ipc.c
+++ b/components/service/common/psa_ipc/service_psa_ipc.c
+@@ -62,6 +62,11 @@ static size_t psa_call_out_vec_len(const struct psa_outvec *out_vec, size_t out_
+ 	return resp_len;
+ }
+ 
+static uint32_t psa_virt_to_phys_u32(struct rpc_caller *caller, void *va)
+{
+	return (uintptr_t)rpc_caller_virt_to_phys(caller, va);
+}
+
+ psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid,
+ 			 uint32_t version)
+ {
+@@ -147,20 +152,20 @@ psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t psa_handle,
+ 	req_msg->params.psa_call_params.handle = psa_handle;
+ 	req_msg->params.psa_call_params.type = type;
+ 	req_msg->params.psa_call_params.in_len = in_len;
+-	req_msg->params.psa_call_params.in_vec = rpc_caller_virt_to_phys(caller, in_vec_param);
+	req_msg->params.psa_call_params.in_vec = psa_virt_to_phys_u32(caller, in_vec_param);
+ 	req_msg->params.psa_call_params.out_len = out_len;
+-	req_msg->params.psa_call_params.out_vec = rpc_caller_virt_to_phys(caller, out_vec_param);
+	req_msg->params.psa_call_params.out_vec = psa_virt_to_phys_u32(caller, out_vec_param);
+ 
+ 	for (i = 0; i < in_len; i++) {
+-		in_vec_param[i].base = rpc_caller_virt_to_phys(caller, payload);
+		in_vec_param[i].base = psa_virt_to_phys_u32(caller, payload);
+ 		in_vec_param[i].len = in_vec[i].len;
+ 
+-		memcpy(payload, in_vec[i].base, in_vec[i].len);
+		memcpy(payload, psa_u32_to_ptr(in_vec[i].base), in_vec[i].len);
+ 		payload += in_vec[i].len;
+ 	}
+ 
+ 	for (i = 0; i < out_len; i++) {
+-		out_vec_param[i].base = NULL;
+		out_vec_param[i].base = 0;
+ 		out_vec_param[i].len = out_vec[i].len;
+ 	}
+ 
+@@ -182,11 +187,12 @@ psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t psa_handle,
+ 		goto caller_end;
+ 
+ 	out_vec_param = (struct psa_outvec *)rpc_caller_phys_to_virt(caller,
+-						     resp_msg->params.out_vec);
+				psa_u32_to_ptr(resp_msg->params.out_vec));
+ 
+ 	for (i = 0; i < resp_msg->params.out_len; i++) {
+                 out_vec[i].len = out_vec_param[i].len;
+-		memcpy(out_vec[i].base, rpc_caller_phys_to_virt(caller, out_vec_param[i].base),
+		memcpy(psa_u32_to_ptr(out_vec[i].base),
+		       rpc_caller_phys_to_virt(caller,	psa_u32_to_ptr(out_vec_param[i].base)),
+ 		       out_vec[i].len);
+ 	}
+ 
+diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c
+index a1f369db253e..bda442a61d5c 100644
+--- a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c
+++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c
+@@ -22,9 +22,9 @@ static psa_status_t secure_storage_ipc_set(void *context, uint32_t client_id,
+ 	psa_handle_t psa_handle;
+ 	psa_status_t psa_status;
+ 	struct psa_invec in_vec[] = {
+-		{ .base = &uid, .len = sizeof(uid) },
+-		{ .base = p_data, .len = data_length },
+-		{ .base = &create_flags, .len = sizeof(create_flags) },
+		{ .base = psa_ptr_to_u32(&uid), .len = sizeof(uid) },
+		{ .base = psa_ptr_const_to_u32(p_data), .len = data_length },
+		{ .base = psa_ptr_to_u32(&create_flags), .len = sizeof(create_flags) },
+ 	};
+ 
+ 	(void)client_id;
+@@ -53,11 +53,11 @@ static psa_status_t secure_storage_ipc_get(void *context,
+ 	psa_status_t psa_status;
+ 	uint32_t offset = (uint32_t)data_offset;
+ 	struct psa_invec in_vec[] = {
+-		{ .base = &uid, .len = sizeof(uid) },
+-		{ .base = &offset, .len = sizeof(offset) },
+		{ .base = psa_ptr_to_u32(&uid), .len = sizeof(uid) },
+		{ .base = psa_ptr_to_u32(&offset), .len = sizeof(offset) },
+ 	};
+ 	struct psa_outvec out_vec[] = {
+-		{ .base = p_data, .len = data_size },
+		{ .base = psa_ptr_to_u32(p_data), .len = data_size },
+ 	};
+ 
+ 	if (!p_data_length) {
+@@ -84,10 +84,10 @@ static psa_status_t secure_storage_ipc_get_info(void *context,
+ 	psa_handle_t psa_handle;
+ 	psa_status_t psa_status;
+ 	struct psa_invec in_vec[] = {
+-		{ .base = &uid, .len = sizeof(uid) },
+		{ .base = psa_ptr_to_u32(&uid), .len = sizeof(uid) },
+ 	};
+ 	struct psa_outvec out_vec[] = {
+-		{ .base = p_info, .len = sizeof(*p_info) },
+		{ .base = psa_ptr_to_u32(p_info), .len = sizeof(*p_info) },
+ 	};
+ 
+ 	(void)client_id;
+@@ -110,7 +110,7 @@ static psa_status_t secure_storage_ipc_remove(void *context,
+ 	psa_handle_t psa_handle;
+ 	psa_status_t psa_status;
+ 	struct psa_invec in_vec[] = {
+-		{ .base = &uid, .len = sizeof(uid) },
+		{ .base = psa_ptr_to_u32(&uid), .len = sizeof(uid) },
+ 	};
+ 
+ 	(void)client_id;
+@@ -164,7 +164,7 @@ static uint32_t secure_storage_get_support(void *context, uint32_t client_id)
+ 	psa_status_t psa_status;
+ 	uint32_t support_flags;
+ 	struct psa_outvec out_vec[] = {
+-		{ .base = &support_flags, .len =  sizeof(support_flags) },
+		{ .base = psa_ptr_to_u32(&support_flags), .len =  sizeof(support_flags) },
+ 	};
+ 
+ 	(void)client_id;
+-- 
+2.38.0
+
@@ -0,0 +1,266 @@
+From afdeb8e098a1f2822adf2ea83ded8dd9e2d021ba Mon Sep 17 00:00:00 2001
+From: Rui Miguel Silva <rui.silva@linaro.org>
+Date: Tue, 7 Dec 2021 11:50:00 +0000
+Subject: [PATCH 10/19] Add psa ipc attestation to se proxy
+
+Implement attestation client API as psa ipc and include it to
+se proxy deployment.
+
+Upstream-Status: Pending
+Signed-off-by: Satish Kumar <satish.kumar01@arm.com>
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+---
+ .../client/psa_ipc/component.cmake            | 13 +++
+ .../client/psa_ipc/iat_ipc_client.c           | 86 +++++++++++++++++++
+ .../reporter/psa_ipc/component.cmake          | 13 +++
+ .../reporter/psa_ipc/psa_ipc_attest_report.c  | 45 ++++++++++
+ components/service/common/include/psa/sid.h   |  4 +
+ .../se-proxy/common/service_proxy_factory.c   |  6 ++
+ deployments/se-proxy/se-proxy.cmake           |  3 +-
+ 7 files changed, 169 insertions(+), 1 deletion(-)
+ create mode 100644 components/service/attestation/client/psa_ipc/component.cmake
+ create mode 100644 components/service/attestation/client/psa_ipc/iat_ipc_client.c
+ create mode 100644 components/service/attestation/reporter/psa_ipc/component.cmake
+ create mode 100644 components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c
+
+diff --git a/components/service/attestation/client/psa_ipc/component.cmake b/components/service/attestation/client/psa_ipc/component.cmake
+new file mode 100644
+index 000000000000..a5bc6b4a387e
+--- /dev/null
+++ b/components/service/attestation/client/psa_ipc/component.cmake
+@@ -0,0 +1,13 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+	message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+	"${CMAKE_CURRENT_LIST_DIR}/iat_ipc_client.c"
+	)
+diff --git a/components/service/attestation/client/psa_ipc/iat_ipc_client.c b/components/service/attestation/client/psa_ipc/iat_ipc_client.c
+new file mode 100644
+index 000000000000..30bd0a13a385
+--- /dev/null
+++ b/components/service/attestation/client/psa_ipc/iat_ipc_client.c
+@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stddef.h>
+#include <string.h>
+
+#include "../psa/iat_client.h"
+#include <protocols/rpc/common/packed-c/status.h>
+#include <psa/initial_attestation.h>
+#include <psa/client.h>
+#include <psa/sid.h>
+#include <service/common/client/service_client.h>
+
+/**
+ * @brief      The singleton psa_iat_client instance
+ *
+ * The psa attestation C API assumes a single backend service provider.
+ */
+static struct service_client instance;
+
+
+psa_status_t psa_iat_client_init(struct rpc_caller *caller)
+{
+	return service_client_init(&instance, caller);
+}
+
+void psa_iat_client_deinit(void)
+{
+	service_client_deinit(&instance);
+}
+
+int psa_iat_client_rpc_status(void)
+{
+	return instance.rpc_status;
+}
+
+psa_status_t psa_initial_attest_get_token(const uint8_t *auth_challenge,
+					  size_t challenge_size,
+					  uint8_t *token_buf,
+					  size_t token_buf_size,
+					  size_t *token_size)
+{
+	psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
+	struct rpc_caller *caller = instance.caller;
+	struct psa_invec in_vec[] = {
+		{ .base = psa_ptr_const_to_u32(auth_challenge), .len = challenge_size},
+	};
+	struct psa_outvec out_vec[] = {
+		{ .base = psa_ptr_to_u32(token_buf), .len = token_buf_size},
+	};
+
+	if (!token_buf || !token_buf_size)
+		return PSA_ERROR_INVALID_ARGUMENT;
+
+	status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE,
+			  TFM_ATTEST_GET_TOKEN, in_vec, IOVEC_LEN(in_vec),
+			  out_vec, IOVEC_LEN(out_vec));
+	if (status == PSA_SUCCESS) {
+		*token_size = out_vec[0].len;
+	}
+
+	return status;
+}
+
+psa_status_t psa_initial_attest_get_token_size(size_t challenge_size,
+						size_t *token_size)
+{
+	struct rpc_caller *caller = instance.caller;
+	psa_status_t status;
+	struct psa_invec in_vec[] = {
+		{ .base = psa_ptr_to_u32(&challenge_size), .len = sizeof(uint32_t)}
+	};
+	struct psa_outvec out_vec[] = {
+		{ .base = psa_ptr_to_u32(token_size), .len = sizeof(uint32_t)}
+	};
+
+	status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE,
+			  TFM_ATTEST_GET_TOKEN_SIZE,
+			  in_vec, IOVEC_LEN(in_vec),
+			  out_vec, IOVEC_LEN(out_vec));
+
+	return status;
+}
+diff --git a/components/service/attestation/reporter/psa_ipc/component.cmake b/components/service/attestation/reporter/psa_ipc/component.cmake
+new file mode 100644
+index 000000000000..b37830c618fe
+--- /dev/null
+++ b/components/service/attestation/reporter/psa_ipc/component.cmake
+@@ -0,0 +1,13 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+	message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+	"${CMAKE_CURRENT_LIST_DIR}/psa_ipc_attest_report.c"
+	)
+diff --git a/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c
+new file mode 100644
+index 000000000000..15805e8ed4b1
+--- /dev/null
+++ b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c
+@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+/**
+ * A attestation reporter for psa ipc
+ */
+
+#include <stddef.h>
+#include <psa/error.h>
+#include <service/attestation/reporter/attest_report.h>
+#include <psa/initial_attestation.h>
+
+#define TOKEN_BUF_SIZE	1024
+
+static uint8_t token_buf[TOKEN_BUF_SIZE];
+
+int attest_report_create(int32_t client_id, const uint8_t *auth_challenge_data,
+			 size_t auth_challenge_len, const uint8_t **report,
+			 size_t *report_len)
+{
+	*report = token_buf;
+	psa_status_t ret;
+	size_t token_size = 0;
+
+	ret = psa_initial_attest_get_token(auth_challenge_data,
+					   auth_challenge_len, token_buf,
+					   TOKEN_BUF_SIZE, &token_size);
+	if (ret != PSA_SUCCESS) {
+		*report = NULL;
+		*report_len = 0;
+		return ret;
+	}
+
+	*report_len = token_size;
+
+	return PSA_SUCCESS;
+}
+
+void attest_report_destroy(const uint8_t *report)
+{
+	(void)report;
+}
+diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h
+index aaa973c6e987..833f5039425f 100644
+--- a/components/service/common/include/psa/sid.h
+++ b/components/service/common/include/psa/sid.h
+@@ -50,6 +50,10 @@ extern "C" {
+ #define TFM_ATTESTATION_SERVICE_VERSION                            (1U)
+ #define TFM_ATTESTATION_SERVICE_HANDLE                             (0x40000103U)
+ 
+/* Initial Attestation message types that distinguish Attest services. */
+#define TFM_ATTEST_GET_TOKEN       1001
+#define TFM_ATTEST_GET_TOKEN_SIZE  1002
+
+ /******** TFM_SP_FWU ********/
+ #define TFM_FWU_WRITE_SID                                          (0x000000A0U)
+ #define TFM_FWU_WRITE_VERSION                                      (1U)
+diff --git a/deployments/se-proxy/common/service_proxy_factory.c b/deployments/se-proxy/common/service_proxy_factory.c
+index 57290056d614..4b8cceccbe4d 100644
+--- a/deployments/se-proxy/common/service_proxy_factory.c
+++ b/deployments/se-proxy/common/service_proxy_factory.c
+@@ -23,12 +23,18 @@ struct openamp_caller openamp;
+ struct rpc_interface *attest_proxy_create(void)
+ {
+ 	struct rpc_interface *attest_iface;
+	struct rpc_caller *attest_caller;
+ 
+ 	/* Static objects for proxy instance */
+ 	static struct attest_provider attest_provider;
+ 
+	attest_caller = openamp_caller_init(&openamp);
+	if (!attest_caller)
+		return NULL;
+
+ 	/* Initialize the service provider */
+ 	attest_iface = attest_provider_init(&attest_provider);
+	psa_iat_client_init(&openamp.rpc_caller);
+ 
+ 	attest_provider_register_serializer(&attest_provider,
+ 		TS_RPC_ENCODING_PACKED_C, packedc_attest_provider_serializer_instance());
+diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake
+index cd51460406ca..38d26821d44d 100644
+--- a/deployments/se-proxy/se-proxy.cmake
+++ b/deployments/se-proxy/se-proxy.cmake
+@@ -49,12 +49,13 @@ add_components(TARGET "se-proxy"
+ 		"components/service/attestation/include"
+ 		"components/service/attestation/provider"
+ 		"components/service/attestation/provider/serializer/packed-c"
+		"components/service/attestation/reporter/psa_ipc"
+		"components/service/attestation/client/psa_ipc"
+ 		"components/rpc/openamp/caller/sp"
+ 
+ 		# Stub service provider backends
+ 		"components/rpc/dummy"
+ 		"components/rpc/common/caller"
+-		"components/service/attestation/reporter/stub"
+ 		"components/service/attestation/key_mngr/stub"
+ 		"components/service/crypto/backend/stub"
+ 		"components/service/crypto/client/psa"
+-- 
+2.38.0
+
@@ -0,0 +1,163 @@
+From 94770f9660154bb1157e19c11fb706889a81ae73 Mon Sep 17 00:00:00 2001
+From: Satish Kumar <satish.kumar01@arm.com>
+Date: Thu, 9 Dec 2021 14:11:06 +0000
+Subject: [PATCH 11/19] Setup its backend as openamp rpc using secure storage
+ ipc implementation.
+
+Upstream-Status: Pending
+Signed-off-by: Satish Kumar <satish.kumar01@arm.com>
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+---
+ components/service/common/include/psa/sid.h   | 12 +++++-----
+ .../secure_storage_ipc/secure_storage_ipc.c   | 20 ++++++++---------
+ .../secure_storage_ipc/secure_storage_ipc.h   |  1 +
+ .../se-proxy/common/service_proxy_factory.c   | 22 +++++++++++++------
+ 4 files changed, 32 insertions(+), 23 deletions(-)
+
+diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h
+index 833f5039425f..4a951d4a3502 100644
+--- a/components/service/common/include/psa/sid.h
+++ b/components/service/common/include/psa/sid.h
+@@ -20,12 +20,12 @@ extern "C" {
+ /* Invalid UID */
+ #define TFM_PS_INVALID_UID 0
+ 
+-/* PS message types that distinguish PS services. */
+-#define TFM_PS_SET                1001
+-#define TFM_PS_GET                1002
+-#define TFM_PS_GET_INFO           1003
+-#define TFM_PS_REMOVE             1004
+-#define TFM_PS_GET_SUPPORT        1005
+/* PS / ITS message types that distinguish PS services. */
+#define TFM_PS_ITS_SET                1001
+#define TFM_PS_ITS_GET                1002
+#define TFM_PS_ITS_GET_INFO           1003
+#define TFM_PS_ITS_REMOVE             1004
+#define TFM_PS_ITS_GET_SUPPORT        1005
+ 
+ /******** TFM_SP_ITS ********/
+ #define TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_SID                   (0x00000070U)
+diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c
+index bda442a61d5c..0e1b48c0d2e2 100644
+--- a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c
+++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c
+@@ -31,8 +31,8 @@ static psa_status_t secure_storage_ipc_set(void *context, uint32_t client_id,
+ 
+ 	ipc->client.rpc_status = TS_RPC_CALL_ACCEPTED;
+ 
+-	psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE,
+-			      TFM_PS_SET, in_vec, IOVEC_LEN(in_vec), NULL, 0);
+	psa_status = psa_call(caller, ipc->service_handle, TFM_PS_ITS_SET,
+			      in_vec, IOVEC_LEN(in_vec), NULL, 0);
+ 	if (psa_status < 0)
+ 		EMSG("ipc_set: psa_call failed: %d", psa_status);
+ 
+@@ -65,8 +65,8 @@ static psa_status_t secure_storage_ipc_get(void *context,
+ 		return PSA_ERROR_INVALID_ARGUMENT;
+ 	}
+ 
+-	psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE,
+-			      TFM_PS_GET, in_vec, IOVEC_LEN(in_vec),
+	psa_status = psa_call(caller, ipc->service_handle,
+			      TFM_PS_ITS_GET, in_vec, IOVEC_LEN(in_vec),
+ 			      out_vec, IOVEC_LEN(out_vec));
+ 	if (psa_status == PSA_SUCCESS)
+ 		*p_data_length = out_vec[0].len;
+@@ -92,8 +92,8 @@ static psa_status_t secure_storage_ipc_get_info(void *context,
+ 
+ 	(void)client_id;
+ 
+-	psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE,
+-			      TFM_PS_GET_INFO, in_vec,
+	psa_status = psa_call(caller, ipc->service_handle,
+			      TFM_PS_ITS_GET_INFO, in_vec,
+ 			      IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec));
+ 	if (psa_status != PSA_SUCCESS)
+ 		EMSG("ipc_get_info: failed to psa_call: %d", psa_status);
+@@ -115,8 +115,8 @@ static psa_status_t secure_storage_ipc_remove(void *context,
+ 
+ 	(void)client_id;
+ 
+-	psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE,
+-			      TFM_PS_REMOVE, in_vec,
+	psa_status = psa_call(caller, ipc->service_handle,
+			      TFM_PS_ITS_REMOVE, in_vec,
+ 			      IOVEC_LEN(in_vec), NULL, 0);
+ 	if (psa_status != PSA_SUCCESS)
+ 		EMSG("ipc_remove: failed to psa_call: %d", psa_status);
+@@ -169,8 +169,8 @@ static uint32_t secure_storage_get_support(void *context, uint32_t client_id)
+ 
+ 	(void)client_id;
+ 
+-	psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE,
+-			      TFM_PS_GET_SUPPORT, NULL, 0,
+	psa_status = psa_call(caller, ipc->service_handle,
+			      TFM_PS_ITS_GET_SUPPORT, NULL, 0,
+ 			      out_vec, IOVEC_LEN(out_vec));
+ 	if (psa_status != PSA_SUCCESS)
+ 		EMSG("ipc_get_support: failed to psa_call: %d", psa_status);
+diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h
+index e8c1e8fd2f92..d9949f6a9305 100644
+--- a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h
+++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h
+@@ -21,6 +21,7 @@ struct secure_storage_ipc
+ {
+     struct storage_backend backend;
+     struct service_client client;
+    int32_t service_handle;
+ };
+ 
+ /**
+diff --git a/deployments/se-proxy/common/service_proxy_factory.c b/deployments/se-proxy/common/service_proxy_factory.c
+index 4b8cceccbe4d..1110ac46bf8b 100644
+--- a/deployments/se-proxy/common/service_proxy_factory.c
+++ b/deployments/se-proxy/common/service_proxy_factory.c
+@@ -5,6 +5,7 @@
+  */
+ 
+ #include <stddef.h>
+#include <psa/sid.h>
+ #include <rpc/common/endpoint/rpc_interface.h>
+ #include <rpc/openamp/caller/sp/openamp_caller.h>
+ #include <service/attestation/provider/attest_provider.h>
+@@ -60,23 +61,30 @@ struct rpc_interface *ps_proxy_create(void)
+ {
+ 	static struct secure_storage_provider ps_provider;
+ 	static struct secure_storage_ipc ps_backend;
+-	static struct rpc_caller *storage_caller;
+	struct rpc_caller *storage_caller;
+ 	struct storage_backend *backend;
+ 
+ 	storage_caller = openamp_caller_init(&openamp);
+ 	if (!storage_caller)
+ 		return NULL;
+ 	backend = secure_storage_ipc_init(&ps_backend, &openamp.rpc_caller);
+	ps_backend.service_handle = TFM_PROTECTED_STORAGE_SERVICE_HANDLE;
+ 
+ 	return secure_storage_provider_init(&ps_provider, backend);
+ }
+ 
+ struct rpc_interface *its_proxy_create(void)
+ {
+-	static struct mock_store its_backend;
+-	static struct secure_storage_provider its_provider;
+-
+-	struct storage_backend *backend = mock_store_init(&its_backend);
+-
+-	return secure_storage_provider_init(&its_provider, backend);
+        static struct secure_storage_provider its_provider;
+        static struct secure_storage_ipc its_backend;
+        struct rpc_caller *storage_caller;
+        struct storage_backend *backend;
+ 
+        storage_caller = openamp_caller_init(&openamp);
+        if (!storage_caller)
+        	return NULL;
+        backend = secure_storage_ipc_init(&its_backend, &openamp.rpc_caller);
+        its_backend.service_handle = TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_HANDLE;
+ 
+        return secure_storage_provider_init(&its_provider, backend);
+ }
+-- 
+2.38.0
+
@@ -0,0 +1,436 @@
+From 6b8ebdeb8caa6326ae2a4befaf4410a7a54d4e02 Mon Sep 17 00:00:00 2001
+From: Julian Hall <julian.hall@arm.com>
+Date: Tue, 12 Oct 2021 15:45:41 +0100
+Subject: [PATCH 13/19] Add stub capsule update service components
+
+To facilitate development of a capsule update service provider,
+stub components are added to provide a starting point for an
+implementation. The capsule update service provider is integrated
+into the se-proxy/common deployment.
+
+Upstream-Status: Pending
+Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com>
+Signed-off-by: Julian Hall <julian.hall@arm.com>
+Change-Id: I0d4049bb4de5af7ca80806403301692507085d28
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+---
+ .../backend/capsule_update_backend.h          |  24 ++++
+ .../provider/capsule_update_provider.c        | 133 ++++++++++++++++++
+ .../provider/capsule_update_provider.h        |  51 +++++++
+ .../capsule_update/provider/component.cmake   |  13 ++
+ deployments/se-proxy/common/se_proxy_sp.c     |   3 +
+ .../se-proxy/common/service_proxy_factory.c   |  16 +++
+ .../se-proxy/common/service_proxy_factory.h   |   1 +
+ deployments/se-proxy/se-proxy.cmake           |   1 +
+ deployments/se-proxy/se_proxy_interfaces.h    |   9 +-
+ .../capsule_update/capsule_update_proto.h     |  13 ++
+ protocols/service/capsule_update/opcodes.h    |  17 +++
+ protocols/service/capsule_update/parameters.h |  15 ++
+ 12 files changed, 292 insertions(+), 4 deletions(-)
+ create mode 100644 components/service/capsule_update/backend/capsule_update_backend.h
+ create mode 100644 components/service/capsule_update/provider/capsule_update_provider.c
+ create mode 100644 components/service/capsule_update/provider/capsule_update_provider.h
+ create mode 100644 components/service/capsule_update/provider/component.cmake
+ create mode 100644 protocols/service/capsule_update/capsule_update_proto.h
+ create mode 100644 protocols/service/capsule_update/opcodes.h
+ create mode 100644 protocols/service/capsule_update/parameters.h
+
+diff --git a/components/service/capsule_update/backend/capsule_update_backend.h b/components/service/capsule_update/backend/capsule_update_backend.h
+new file mode 100644
+index 000000000000..f3144ff1d7d5
+--- /dev/null
+++ b/components/service/capsule_update/backend/capsule_update_backend.h
+@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef CAPSULE_UPDATE_BACKEND_H
+#define CAPSULE_UPDATE_BACKEND_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Defines the common capsule update backend interface.  Concrete backends
+ * implement this interface for different types of platform.
+ */
+
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* CAPSULE_UPDATE_BACKEND_H */
+diff --git a/components/service/capsule_update/provider/capsule_update_provider.c b/components/service/capsule_update/provider/capsule_update_provider.c
+new file mode 100644
+index 000000000000..e133753f8560
+--- /dev/null
+++ b/components/service/capsule_update/provider/capsule_update_provider.c
+@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <psa/client.h>
+#include <psa/sid.h>
+#include <trace.h>
+
+#include <protocols/service/capsule_update/capsule_update_proto.h>
+#include <protocols/rpc/common/packed-c/status.h>
+#include "capsule_update_provider.h"
+
+
+#define CAPSULE_UPDATE_REQUEST (0x1)
+#define KERNEL_STARTED_EVENT   (0x2)
+
+enum corstone1000_ioctl_id_t {
+	IOCTL_CORSTONE1000_FWU_FLASH_IMAGES = 0,
+	IOCTL_CORSTONE1000_FWU_HOST_ACK,
+};
+
+/* Service request handlers */
+static rpc_status_t update_capsule_handler(void *context, struct call_req *req);
+static rpc_status_t boot_confirmed_handler(void *context, struct call_req *req);
+
+/* Handler mapping table for service */
+static const struct service_handler handler_table[] = {
+	{CAPSULE_UPDATE_OPCODE_UPDATE_CAPSULE,			update_capsule_handler},
+	{CAPSULE_UPDATE_OPCODE_BOOT_CONFIRMED,			boot_confirmed_handler}
+};
+
+struct rpc_interface *capsule_update_provider_init(
+	struct capsule_update_provider *context)
+{
+	struct rpc_interface *rpc_interface = NULL;
+
+	if (context) {
+
+		service_provider_init(
+			&context->base_provider,
+			context,
+			handler_table,
+			sizeof(handler_table)/sizeof(struct service_handler));
+
+		rpc_interface = service_provider_get_rpc_interface(&context->base_provider);
+	}
+
+	return rpc_interface;
+}
+
+void capsule_update_provider_deinit(struct capsule_update_provider *context)
+{
+	(void)context;
+}
+
+static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller)
+{
+	uint32_t ioctl_id;
+	psa_handle_t handle;
+	rpc_status_t rpc_status = TS_RPC_CALL_ACCEPTED;
+
+	struct psa_invec in_vec[] = {
+			{ .base = &ioctl_id, .len = sizeof(ioctl_id) }
+	};
+
+	if(!caller) {
+		EMSG("event_handler rpc_caller is NULL");
+		rpc_status = TS_RPC_ERROR_RESOURCE_FAILURE;
+		return rpc_status;
+	}
+
+	IMSG("event handler opcode %x", opcode);
+	switch(opcode) {
+		case CAPSULE_UPDATE_REQUEST:
+		/* Openamp call with IOCTL for firmware update*/
+		ioctl_id = IOCTL_CORSTONE1000_FWU_FLASH_IMAGES;
+		handle = psa_connect(caller, TFM_SP_PLATFORM_IOCTL_SID,
+				TFM_SP_PLATFORM_IOCTL_VERSION);
+		if (handle <= 0) {
+			EMSG("%s Invalid handle", __func__);
+			rpc_status = TS_RPC_ERROR_INVALID_PARAMETER;
+			return rpc_status;
+		}
+		psa_call(caller,handle, PSA_IPC_CALL,
+			in_vec,IOVEC_LEN(in_vec), NULL, 0);
+		break;
+
+		case KERNEL_STARTED_EVENT:
+		ioctl_id = IOCTL_CORSTONE1000_FWU_HOST_ACK;
+		/*openamp call with IOCTL for kernel start*/
+		handle = psa_connect(caller, TFM_SP_PLATFORM_IOCTL_SID,
+				TFM_SP_PLATFORM_IOCTL_VERSION);
+		if (handle <= 0) {
+			EMSG("%s Invalid handle", __func__);
+			rpc_status = TS_RPC_ERROR_INVALID_PARAMETER;
+			return rpc_status;
+		}
+		psa_call(caller,handle, PSA_IPC_CALL,
+			in_vec,IOVEC_LEN(in_vec), NULL, 0);
+		break;
+		default:
+			EMSG("%s unsupported opcode", __func__);
+			rpc_status = TS_RPC_ERROR_INVALID_PARAMETER;
+			return rpc_status;
+	}
+	return rpc_status;
+
+}
+
+static rpc_status_t update_capsule_handler(void *context, struct call_req *req)
+{
+	struct capsule_update_provider *this_instance = (struct capsule_update_provider*)context;
+	struct rpc_caller *caller = this_instance->client.caller;
+	uint32_t opcode = req->opcode;
+	rpc_status_t rpc_status = TS_RPC_ERROR_NOT_READY;
+
+	rpc_status = event_handler(opcode, caller);
+	return rpc_status;
+}
+
+static rpc_status_t boot_confirmed_handler(void *context, struct call_req *req)
+{
+	struct capsule_update_provider *this_instance = (struct capsule_update_provider*)context;
+	struct rpc_caller *caller = this_instance->client.caller;
+	uint32_t opcode = req->opcode;
+	rpc_status_t rpc_status = TS_RPC_ERROR_NOT_READY;
+
+	rpc_status = event_handler(opcode, caller);
+
+	return rpc_status;
+}
+diff --git a/components/service/capsule_update/provider/capsule_update_provider.h b/components/service/capsule_update/provider/capsule_update_provider.h
+new file mode 100644
+index 000000000000..3de49854ea90
+--- /dev/null
+++ b/components/service/capsule_update/provider/capsule_update_provider.h
+@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef CAPSULE_UPDATE_PROVIDER_H
+#define CAPSULE_UPDATE_PROVIDER_H
+
+#include <rpc/common/endpoint/rpc_interface.h>
+#include <service/common/provider/service_provider.h>
+#include <service/common/client/service_client.h>
+#include <service/capsule_update/backend/capsule_update_backend.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * The capsule_update_provider is a service provider that accepts update capsule
+ * requests and delegates them to a suitable backend that applies the update.
+ */
+struct capsule_update_provider
+{
+	struct service_provider base_provider;
+	struct service_client client;
+};
+
+/**
+ * \brief Initialize an instance of the capsule update service provider
+ *
+ * @param[in] context The instance to initialize
+ *
+ * \return An rpc_interface or NULL on failure
+ */
+struct rpc_interface *capsule_update_provider_init(
+	struct capsule_update_provider *context);
+
+/**
+ * \brief Cleans up when the instance is no longer needed
+ *
+ * \param[in] context   The instance to de-initialize
+ */
+void capsule_update_provider_deinit(
+	struct capsule_update_provider *context);
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* CAPSULE_UPDATE_PROVIDER_H */
+diff --git a/components/service/capsule_update/provider/component.cmake b/components/service/capsule_update/provider/component.cmake
+new file mode 100644
+index 000000000000..1d412eb234d9
+--- /dev/null
+++ b/components/service/capsule_update/provider/component.cmake
+@@ -0,0 +1,13 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+	message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+	"${CMAKE_CURRENT_LIST_DIR}/capsule_update_provider.c"
+	)
+diff --git a/deployments/se-proxy/common/se_proxy_sp.c b/deployments/se-proxy/common/se_proxy_sp.c
+index a37396f4454b..a38ad6ca3f56 100644
+--- a/deployments/se-proxy/common/se_proxy_sp.c
+++ b/deployments/se-proxy/common/se_proxy_sp.c
+@@ -77,6 +77,9 @@ void __noreturn sp_main(struct ffa_init_info *init_info)
+ 	}
+ 	rpc_demux_attach(&rpc_demux, SE_PROXY_INTERFACE_ID_ATTEST, rpc_iface);
+ 
+	rpc_iface = capsule_update_proxy_create();
+	rpc_demux_attach(&rpc_demux, SE_PROXY_INTERFACE_ID_CAPSULE_UPDATE, rpc_iface);
+
+ 	/* End of boot phase */
+ 	result = sp_msg_wait(&req_msg);
+ 	if (result != SP_RESULT_OK) {
+diff --git a/deployments/se-proxy/common/service_proxy_factory.c b/deployments/se-proxy/common/service_proxy_factory.c
+index 7edeef8b434a..591cc9eeb59e 100644
+--- a/deployments/se-proxy/common/service_proxy_factory.c
+++ b/deployments/se-proxy/common/service_proxy_factory.c
+@@ -13,6 +13,7 @@
+ #include <service/crypto/factory/crypto_provider_factory.h>
+ #include <service/secure_storage/frontend/secure_storage_provider/secure_storage_provider.h>
+ #include <trace.h>
+#include <service/capsule_update/provider/capsule_update_provider.h>
+ 
+ /* Stub backends */
+ #include <service/crypto/backend/psa_ipc/crypto_ipc_backend.h>
+@@ -93,3 +94,18 @@ struct rpc_interface *its_proxy_create(void)
+  
+         return secure_storage_provider_init(&its_provider, backend);
+ }
+
+struct rpc_interface *capsule_update_proxy_create(void)
+{
+	static struct capsule_update_provider capsule_update_provider;
+	static struct rpc_caller *capsule_update_caller;
+
+	capsule_update_caller = openamp_caller_init(&openamp);
+
+	if (!capsule_update_caller)
+	return NULL;
+
+	capsule_update_provider.client.caller = capsule_update_caller;
+
+	return capsule_update_provider_init(&capsule_update_provider);
+}
+diff --git a/deployments/se-proxy/common/service_proxy_factory.h b/deployments/se-proxy/common/service_proxy_factory.h
+index 298d407a2371..02aa7fe2550d 100644
+--- a/deployments/se-proxy/common/service_proxy_factory.h
+++ b/deployments/se-proxy/common/service_proxy_factory.h
+@@ -17,6 +17,7 @@ struct rpc_interface *attest_proxy_create(void);
+ struct rpc_interface *crypto_proxy_create(void);
+ struct rpc_interface *ps_proxy_create(void);
+ struct rpc_interface *its_proxy_create(void);
+struct rpc_interface *capsule_update_proxy_create(void);
+ 
+ #ifdef __cplusplus
+ }
+diff --git a/deployments/se-proxy/se-proxy.cmake b/deployments/se-proxy/se-proxy.cmake
+index f647190d9559..e35b0d0f610d 100644
+--- a/deployments/se-proxy/se-proxy.cmake
+++ b/deployments/se-proxy/se-proxy.cmake
+@@ -51,6 +51,7 @@ add_components(TARGET "se-proxy"
+ 		"components/service/attestation/provider/serializer/packed-c"
+ 		"components/service/attestation/reporter/psa_ipc"
+ 		"components/service/attestation/client/psa_ipc"
+		"components/service/capsule_update/provider"
+ 		"components/rpc/openamp/caller/sp"
+ 
+ 		# Stub service provider backends
+diff --git a/deployments/se-proxy/se_proxy_interfaces.h b/deployments/se-proxy/se_proxy_interfaces.h
+index 48908f846990..3d4a7c204785 100644
+--- a/deployments/se-proxy/se_proxy_interfaces.h
+++ b/deployments/se-proxy/se_proxy_interfaces.h
+@@ -8,9 +8,10 @@
+ #define SE_PROXY_INTERFACES_H
+ 
+ /* Interface IDs from service endpoints available from an se-proxy deployment */
+-#define SE_PROXY_INTERFACE_ID_ITS			(0)
+-#define SE_PROXY_INTERFACE_ID_PS			(1)
+-#define SE_PROXY_INTERFACE_ID_CRYPTO		(2)
+-#define SE_PROXY_INTERFACE_ID_ATTEST		(3)
+#define SE_PROXY_INTERFACE_ID_ITS			    (0)
+#define SE_PROXY_INTERFACE_ID_PS			    (1)
+#define SE_PROXY_INTERFACE_ID_CRYPTO		    (2)
+#define SE_PROXY_INTERFACE_ID_ATTEST		    (3)
+#define SE_PROXY_INTERFACE_ID_CAPSULE_UPDATE    (4)
+ 
+ #endif /* SE_PROXY_INTERFACES_H */
+diff --git a/protocols/service/capsule_update/capsule_update_proto.h b/protocols/service/capsule_update/capsule_update_proto.h
+new file mode 100644
+index 000000000000..8f326cd387fb
+--- /dev/null
+++ b/protocols/service/capsule_update/capsule_update_proto.h
+@@ -0,0 +1,13 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef CAPSULE_UPDATE_PROTO_H
+#define CAPSULE_UPDATE_PROTO_H
+
+#include <protocols/service/capsule_update/opcodes.h>
+#include <protocols/service/capsule_update/parameters.h>
+
+#endif /* CAPSULE_UPDATE_PROTO_H */
+diff --git a/protocols/service/capsule_update/opcodes.h b/protocols/service/capsule_update/opcodes.h
+new file mode 100644
+index 000000000000..8185a0902378
+--- /dev/null
+++ b/protocols/service/capsule_update/opcodes.h
+@@ -0,0 +1,17 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef CAPSULE_UPDATE_OPCODES_H
+#define CAPSULE_UPDATE_OPCODES_H
+
+/**
+ * Opcode definitions for the capsule update service
+ */
+
+#define CAPSULE_UPDATE_OPCODE_UPDATE_CAPSULE		1
+#define CAPSULE_UPDATE_OPCODE_BOOT_CONFIRMED		2
+
+#endif /* CAPSULE_UPDATE_OPCODES_H */
+diff --git a/protocols/service/capsule_update/parameters.h b/protocols/service/capsule_update/parameters.h
+new file mode 100644
+index 000000000000..285d924186be
+--- /dev/null
+++ b/protocols/service/capsule_update/parameters.h
+@@ -0,0 +1,15 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef CAPSULE_UPDATE_PARAMETERS_H
+#define CAPSULE_UPDATE_PARAMETERS_H
+
+/**
+ * Operation parameter definitions for the capsule update service access protocol.
+ */
+
+
+#endif /* CAPSULE_UPDATE_PARAMETERS_H */
+-- 
+2.38.0
+
@@ -0,0 +1,42 @@
+From a71b26f867f1b4a08285d6da82528de6a54321f2 Mon Sep 17 00:00:00 2001
+From: Gowtham Suresh Kumar <gowtham.sureshkumar@arm.com>
+Date: Thu, 16 Dec 2021 21:31:40 +0000
+Subject: [PATCH 14/19] Configure storage size
+
+Upstream-Status: Pending
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+---
+ .../service/smm_variable/backend/uefi_variable_store.c       | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/components/service/smm_variable/backend/uefi_variable_store.c b/components/service/smm_variable/backend/uefi_variable_store.c
+index 715ccc3cb546..aeb8a22062b7 100644
+--- a/components/service/smm_variable/backend/uefi_variable_store.c
+++ b/components/service/smm_variable/backend/uefi_variable_store.c
+@@ -88,6 +88,7 @@ static efi_status_t check_name_terminator(
+  * may be overridden using uefi_variable_store_set_storage_limits()
+  */
+ #define DEFAULT_MAX_VARIABLE_SIZE			(2048)
+#define CONFIGURE_STORAGE_SIZE			    (50)
+ 
+ efi_status_t uefi_variable_store_init(
+ 	struct uefi_variable_store *context,
+@@ -101,13 +102,13 @@ efi_status_t uefi_variable_store_init(
+ 	/* Initialise persistent store defaults */
+ 	context->persistent_store.is_nv = true;
+ 	context->persistent_store.max_variable_size = DEFAULT_MAX_VARIABLE_SIZE;
+-	context->persistent_store.total_capacity = DEFAULT_MAX_VARIABLE_SIZE * max_variables;
+	context->persistent_store.total_capacity = CONFIGURE_STORAGE_SIZE * max_variables;
+ 	context->persistent_store.storage_backend = persistent_store;
+ 
+ 	/* Initialise volatile store defaults */
+ 	context->volatile_store.is_nv = false;
+ 	context->volatile_store.max_variable_size = DEFAULT_MAX_VARIABLE_SIZE;
+-	context->volatile_store.total_capacity = DEFAULT_MAX_VARIABLE_SIZE * max_variables;
+	context->volatile_store.total_capacity = CONFIGURE_STORAGE_SIZE * max_variables;
+ 	context->volatile_store.storage_backend = volatile_store;
+ 
+ 	context->owner_id = owner_id;
+-- 
+2.38.0
+
@@ -0,0 +1,31 @@
+From 3cc9c417f12f005244530d8d706a6b7f3be35627 Mon Sep 17 00:00:00 2001
+From: Satish Kumar <satish.kumar01@arm.com>
+Date: Sun, 13 Feb 2022 09:01:10 +0000
+Subject: [PATCH 15/19] Fix: Crypto interface structure aligned with tf-m
+ change.
+
+NO NEED TO RAISE PR: The PR for this FIX  is raied by Emek.
+
+Upstream-Status: Pending
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+---
+ components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h
+index c13c20e84131..ec25eaf868c7 100644
+--- a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h
+++ b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h
+@@ -38,7 +38,8 @@ struct psa_ipc_crypto_pack_iovec {
+ 				      *   multipart operation
+ 				      */
+ 	uint32_t capacity;             /*!< Key derivation capacity */
+-
+	uint32_t ad_length;            /*!< Additional Data length for multipart AEAD */
+	uint32_t plaintext_length;     /*!< Plaintext length for multipart AEAD */
+ 	struct psa_ipc_crypto_aead_pack_input aead_in; /*!< FixMe: Temporarily used for
+ 							    *   AEAD until the API is
+ 							    *   restructured
+-- 
+2.38.0
+
@@ -0,0 +1,494 @@
+From c54afe45c1be25c4819b0f762cf03a24e6343ce5 Mon Sep 17 00:00:00 2001
+From: Satish Kumar <satish.kumar01@arm.com>
+Date: Sun, 13 Feb 2022 09:49:51 +0000
+Subject: [PATCH 16/19] Integrate remaining psa-ipc client APIs.
+
+Upstream-Status: Pending
+Signed-off-by: Satish Kumar <satish.kumar01@arm.com>
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+---
+ .../caller/psa_ipc/crypto_caller_aead.h       | 297 +++++++++++++++++-
+ .../caller/psa_ipc/crypto_caller_sign_hash.h  |  35 +++
+ .../psa_ipc/crypto_caller_verify_hash.h       |  33 +-
+ 3 files changed, 352 insertions(+), 13 deletions(-)
+
+diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h
+index 78517fe32ca9..f6aadd8b9098 100644
+--- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h
+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h
+@@ -152,7 +152,27 @@ static inline psa_status_t crypto_caller_aead_encrypt_setup(
+ 					    psa_key_id_t key,
+ 					    psa_algorithm_t alg)
+ {
+-	return PSA_ERROR_NOT_SUPPORTED;
+	struct service_client *ipc = context;
+	struct rpc_caller *caller = ipc->caller;
+	psa_status_t status;
+	struct psa_ipc_crypto_pack_iovec iov = {
+	    .sfn_id = TFM_CRYPTO_AEAD_ENCRYPT_SETUP_SID,
+	    .key_id = key,
+	    .alg = alg,
+	    .op_handle = (*op_handle),
+	};
+
+	struct psa_invec in_vec[] = {
+	    {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}
+	};
+	struct psa_outvec out_vec[] = {
+	    {.base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t)}
+	};
+
+	status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
+	                   IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec));
+
+	return status;
+ }
+ 
+ static inline psa_status_t crypto_caller_aead_decrypt_setup(
+@@ -161,7 +181,26 @@ static inline psa_status_t crypto_caller_aead_decrypt_setup(
+ 					    psa_key_id_t key,
+ 					    psa_algorithm_t alg)
+ {
+-	return PSA_ERROR_NOT_SUPPORTED;
+	struct service_client *ipc = context;
+	struct rpc_caller *caller = ipc->caller;
+	psa_status_t status;
+	struct psa_ipc_crypto_pack_iovec iov = {
+	    .sfn_id = TFM_CRYPTO_AEAD_DECRYPT_SETUP_SID,
+	    .key_id = key,
+	    .alg = alg,
+	    .op_handle = (*op_handle),
+	};
+
+	struct psa_invec in_vec[] = {
+	    {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}
+	};
+	struct psa_outvec out_vec[] = {
+	    {.base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t)}
+	};
+
+	status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
+	                   IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec));
+	return status;
+ }
+ 
+ static inline psa_status_t crypto_caller_aead_generate_nonce(
+@@ -171,7 +210,27 @@ static inline psa_status_t crypto_caller_aead_generate_nonce(
+ 					     size_t nonce_size,
+ 					     size_t *nonce_length)
+ {
+-	return PSA_ERROR_NOT_SUPPORTED;
+	struct service_client *ipc = context;
+	struct rpc_caller *caller = ipc->caller;
+	psa_status_t status;
+	struct psa_ipc_crypto_pack_iovec iov = {
+	    .sfn_id = TFM_CRYPTO_AEAD_GENERATE_NONCE_SID,
+	    .op_handle = op_handle,
+	};
+
+	struct psa_invec in_vec[] = {
+	    {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)},
+	};
+	struct psa_outvec out_vec[] = {
+	    {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)},
+	    {.base = psa_ptr_to_u32(nonce), .len = nonce_size}
+	};
+
+	status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
+	                   IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec));
+
+	*nonce_length = out_vec[1].len;
+	return status;
+ }
+ 
+ static inline psa_status_t crypto_caller_aead_set_nonce(
+@@ -180,7 +239,25 @@ static inline psa_status_t crypto_caller_aead_set_nonce(
+ 						const uint8_t *nonce,
+ 						size_t nonce_length)
+ {
+-	return PSA_ERROR_NOT_SUPPORTED;
+	struct service_client *ipc = context;
+	struct rpc_caller *caller = ipc->caller;
+	psa_status_t status;
+	struct psa_ipc_crypto_pack_iovec iov = {
+	    .sfn_id = TFM_CRYPTO_AEAD_SET_NONCE_SID,
+	    .op_handle = op_handle,
+	};
+
+	struct psa_invec in_vec[] = {
+	    {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)},
+	    {.base = psa_ptr_to_u32(nonce), .len = nonce_length}
+	};
+	struct psa_outvec out_vec[] = {
+	    {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}
+	};
+
+	status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
+	                   IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec));
+	return status;
+ }
+ 
+ static inline psa_status_t crypto_caller_aead_set_lengths(
+@@ -189,7 +266,27 @@ static inline psa_status_t crypto_caller_aead_set_lengths(
+ 					  size_t ad_length,
+ 					  size_t plaintext_length)
+ {
+-	return PSA_ERROR_NOT_SUPPORTED;
+	struct service_client *ipc = context;
+	struct rpc_caller *caller = ipc->caller;
+	psa_status_t status;
+	struct psa_ipc_crypto_pack_iovec iov = {
+	    .sfn_id = TFM_CRYPTO_AEAD_SET_LENGTHS_SID,
+	    .ad_length = ad_length,
+	    .plaintext_length = plaintext_length,
+	    .op_handle = op_handle,
+	};
+
+	struct psa_invec in_vec[] = {
+	    {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)},
+	};
+	struct psa_outvec out_vec[] = {
+	    {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}
+	};
+
+	status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
+	                   IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec));
+
+	return status;
+ }
+ 
+ static inline psa_status_t crypto_caller_aead_update_ad(
+@@ -198,7 +295,35 @@ static inline psa_status_t crypto_caller_aead_update_ad(
+ 						const uint8_t *input,
+ 						size_t input_length)
+ {
+-	return PSA_ERROR_NOT_SUPPORTED;
+	struct service_client *ipc = context;
+	struct rpc_caller *caller = ipc->caller;
+	psa_status_t status;
+	struct psa_ipc_crypto_pack_iovec iov = {
+	    .sfn_id = TFM_CRYPTO_AEAD_UPDATE_AD_SID,
+	    .op_handle = op_handle,
+	};
+
+	/* Sanitize the optional input */
+	if ((input == NULL) && (input_length != 0)) {
+	    return PSA_ERROR_INVALID_ARGUMENT;
+	}
+
+	struct psa_invec in_vec[] = {
+	    {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)},
+	    {.base = psa_ptr_const_to_u32(input), .len = input_length}
+	};
+	struct psa_outvec out_vec[] = {
+	    {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}
+	};
+
+	size_t in_len = IOVEC_LEN(in_vec);
+
+	if (input == NULL) {
+	    in_len--;
+	}
+	status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
+	                   in_len, out_vec, IOVEC_LEN(out_vec));
+	return status;
+ }
+ 
+ static inline psa_status_t crypto_caller_aead_update(
+@@ -210,7 +335,38 @@ static inline psa_status_t crypto_caller_aead_update(
+ 					     size_t output_size,
+ 					     size_t *output_length)
+ {
+-	return PSA_ERROR_NOT_SUPPORTED;
+	struct service_client *ipc = context;
+	struct rpc_caller *caller = ipc->caller;
+	psa_status_t status;
+	struct psa_ipc_crypto_pack_iovec iov = {
+	    .sfn_id = TFM_CRYPTO_AEAD_UPDATE_SID,
+	    .op_handle = op_handle,
+	};
+
+	/* Sanitize the optional input */
+	if ((input == NULL) && (input_length != 0)) {
+	    return PSA_ERROR_INVALID_ARGUMENT;
+	}
+
+	struct psa_invec in_vec[] = {
+	    {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)},
+	    {.base = psa_ptr_const_to_u32(input), .len = input_length}
+	};
+	struct psa_outvec out_vec[] = {
+	    {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)},
+	    {.base = psa_ptr_const_to_u32(output), .len = output_size},
+	};
+
+	size_t in_len = IOVEC_LEN(in_vec);
+
+	if (input == NULL) {
+	    in_len--;
+	}
+	status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
+	                   in_len, out_vec, IOVEC_LEN(out_vec));
+
+	*output_length = out_vec[1].len;
+	return status;
+ }
+ 
+ static inline psa_status_t crypto_caller_aead_finish(
+@@ -223,7 +379,48 @@ static inline psa_status_t crypto_caller_aead_finish(
+ 					     size_t tag_size,
+ 					     size_t *tag_length)
+ {
+-	return PSA_ERROR_NOT_SUPPORTED;
+	struct service_client *ipc = context;
+	struct rpc_caller *caller = ipc->caller;
+	psa_status_t status;
+	struct psa_ipc_crypto_pack_iovec iov = {
+	    .sfn_id = TFM_CRYPTO_AEAD_FINISH_SID,
+	    .op_handle = op_handle,
+	};
+
+	/* Sanitize the optional output */
+	if ((aeadtext == NULL) && (aeadtext_size != 0)) {
+	    return PSA_ERROR_INVALID_ARGUMENT;
+	}
+
+	struct psa_invec in_vec[] = {
+	    {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)},
+	};
+	struct psa_outvec out_vec[] = {
+	    {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)},
+	    {.base = psa_ptr_const_to_u32(tag), .len = tag_size},
+	    {.base = psa_ptr_const_to_u32(aeadtext), .len = aeadtext_size}
+	};
+
+	size_t out_len = IOVEC_LEN(out_vec);
+
+	if (aeadtext == NULL || aeadtext_size == 0) {
+	    out_len--;
+	}
+	if ((out_len == 3) && (aeadtext_length == NULL)) {
+	    return PSA_ERROR_INVALID_ARGUMENT;
+	}
+
+	status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
+	                   IOVEC_LEN(in_vec), out_vec, out_len);
+
+	*tag_length = out_vec[1].len;
+
+	if (out_len == 3) {
+	    *aeadtext_length = out_vec[2].len;
+	} else {
+	    *aeadtext_length = 0;
+	}
+	return status;
+ }
+ 
+ static inline psa_status_t crypto_caller_aead_verify(
+@@ -235,14 +432,94 @@ static inline psa_status_t crypto_caller_aead_verify(
+ 					     const uint8_t *tag,
+ 					     size_t tag_length)
+ {
+-	return PSA_ERROR_NOT_SUPPORTED;
+	struct service_client *ipc = context;
+	struct rpc_caller *caller = ipc->caller;
+	psa_status_t status;
+	struct psa_ipc_crypto_pack_iovec iov = {
+	    .sfn_id = TFM_CRYPTO_AEAD_VERIFY_SID,
+	    .op_handle = op_handle,
+	};
+
+	/* Sanitize the optional output */
+	if ((plaintext == NULL) && (plaintext_size != 0)) {
+	    return PSA_ERROR_INVALID_ARGUMENT;
+	}
+
+	struct psa_invec in_vec[] = {
+	    {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)},
+	    {.base = psa_ptr_const_to_u32(tag), .len = tag_length}
+	};
+	struct psa_outvec out_vec[] = {
+	    {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)},
+	    {.base = psa_ptr_const_to_u32(plaintext), .len = plaintext_size},
+	};
+
+	size_t out_len = IOVEC_LEN(out_vec);
+
+	if (plaintext == NULL || plaintext_size == 0) {
+	    out_len--;
+	}
+	if ((out_len == 2) && (plaintext_length == NULL)) {
+	    return PSA_ERROR_INVALID_ARGUMENT;
+	}
+
+	status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
+	                   IOVEC_LEN(in_vec), out_vec, out_len);
+
+	if (out_len == 2) {
+	    *plaintext_length = out_vec[1].len;
+	} else {
+	    *plaintext_length = 0;
+	}
+	return status;
+ }
+ 
+ static inline psa_status_t crypto_caller_aead_abort(
+ 					    struct service_client *context,
+ 					    uint32_t op_handle)
+ {
+-	return PSA_ERROR_NOT_SUPPORTED;
+	struct service_client *ipc = context;
+	struct rpc_caller *caller = ipc->caller;
+	psa_status_t status;
+	struct psa_ipc_crypto_pack_iovec iov = {
+	    .sfn_id = TFM_CRYPTO_AEAD_ABORT_SID,
+	    .op_handle = op_handle,
+	};
+
+	struct psa_invec in_vec[] = {
+	    {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)},
+	};
+	struct psa_outvec out_vec[] = {
+	    {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)},
+	};
+
+	status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
+	                   IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec));
+	return status;
+}
+
+static inline size_t crypto_caller_aead_max_update_size(const struct service_client *context)
+{
+       /* Returns the maximum number of bytes that may be
+        * carried as a parameter of the mac_update operation
+        *  using the packed-c encoding.
+        */
+       size_t payload_space = context->service_info.max_payload;
+       size_t overhead = iov_size;
+
+       return (payload_space > overhead) ? payload_space - overhead : 0;
+}
+
+static inline size_t crypto_caller_aead_max_update_ad_size(const struct service_client *context)
+{
+	/* Returns the maximum number of bytes that may be
+	 * carried as a parameter of the mac_update operation
+	 *  using the packed-c encoding.
+	 */
+	size_t payload_space = context->service_info.max_payload;
+	size_t overhead = iov_size;
+
+	return (payload_space > overhead) ? payload_space - overhead : 0;
+ }
+ 
+ #ifdef __cplusplus
+diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h
+index 71d88cededf5..e4a2b167defb 100644
+--- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h
+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h
+@@ -57,6 +57,41 @@ static inline psa_status_t crypto_caller_sign_hash(struct service_client *contex
+ 	return status;
+ }
+ 
+static inline psa_status_t crypto_caller_sign_message(struct service_client *context,
+						   psa_key_id_t id,
+						   psa_algorithm_t alg,
+						   const uint8_t *hash,
+						   size_t hash_length,
+						   uint8_t *signature,
+						   size_t signature_size,
+						   size_t *signature_length)
+{
+	struct service_client *ipc = context;
+	struct rpc_caller *caller = ipc->caller;
+	psa_status_t status;
+	struct psa_ipc_crypto_pack_iovec iov = {
+		.sfn_id = TFM_CRYPTO_SIGN_MESSAGE_SID,
+		.key_id = id,
+		.alg = alg,
+	};
+	struct psa_invec in_vec[] = {
+		{ .base = psa_ptr_to_u32(&iov), .len = iov_size },
+		{ .base = psa_ptr_const_to_u32(hash), .len = hash_length },
+	};
+	struct psa_outvec out_vec[] = {
+		{ .base = psa_ptr_to_u32(signature), .len = signature_size },
+	};
+
+	status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
+			  IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec));
+
+	*signature_length = out_vec[0].len;
+
+	return status;
+}
+
+
+
+ #ifdef __cplusplus
+ }
+ #endif
+diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h
+index e16f6e5450af..cc9279ee79f2 100644
+--- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h
+++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h
+@@ -24,19 +24,20 @@
+ extern "C" {
+ #endif
+ 
+-static inline psa_status_t crypto_caller_verify_hash(struct service_client *context,
+static inline psa_status_t crypto_caller_common(struct service_client *context,
+ 						     psa_key_id_t id,
+ 						     psa_algorithm_t alg,
+ 						     const uint8_t *hash,
+ 						     size_t hash_length,
+ 						     const uint8_t *signature,
+-						     size_t signature_length)
+						     size_t signature_length,
+						     uint32_t sfn_id)
+ {
+ 	struct service_client *ipc = context;
+ 	struct rpc_caller *caller = ipc->caller;
+ 	psa_status_t status;
+ 	struct psa_ipc_crypto_pack_iovec iov = {
+-		.sfn_id = TFM_CRYPTO_VERIFY_HASH_SID,
+		.sfn_id = sfn_id,
+ 		.key_id = id,
+ 		.alg = alg,
+ 	};
+@@ -52,6 +53,32 @@ static inline psa_status_t crypto_caller_verify_hash(struct service_client *cont
+ 	return status;
+ }
+ 
+static inline psa_status_t crypto_caller_verify_hash(struct service_client *context,
+						     psa_key_id_t id,
+						     psa_algorithm_t alg,
+						     const uint8_t *hash,
+						     size_t hash_length,
+						     const uint8_t *signature,
+						     size_t signature_length)
+{
+
+	return crypto_caller_common(context,id,alg,hash,hash_length,
+			signature,signature_length, TFM_CRYPTO_VERIFY_HASH_SID);
+}
+
+static inline psa_status_t crypto_caller_verify_message(struct service_client *context,
+						     psa_key_id_t id,
+						     psa_algorithm_t alg,
+						     const uint8_t *hash,
+						     size_t hash_length,
+						     const uint8_t *signature,
+						     size_t signature_length)
+{
+
+	return crypto_caller_common(context,id,alg,hash,hash_length,
+			signature,signature_length, TFM_CRYPTO_VERIFY_MESSAGE_SID);
+}
+
+ #ifdef __cplusplus
+ }
+ #endif
+-- 
+2.38.0
+
@@ -0,0 +1,40 @@
+From b1ff44c650ae82f364a2f74059eeb280996dc4f8 Mon Sep 17 00:00:00 2001
+From: Satish Kumar <satish.kumar01@arm.com>
+Date: Mon, 14 Feb 2022 17:52:00 +0000
+Subject: [PATCH 17/19] Fix : update psa_set_key_usage_flags definition to the
+ latest from the tf-m
+
+Upstream-Status: Pending
+Signed-off-by: Satish Kumar <satish.kumar01@arm.com>
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+---
+ components/service/crypto/include/psa/crypto_struct.h | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/components/service/crypto/include/psa/crypto_struct.h b/components/service/crypto/include/psa/crypto_struct.h
+index 1bc55e375eea..b4a7ed4b39d3 100644
+--- a/components/service/crypto/include/psa/crypto_struct.h
+++ b/components/service/crypto/include/psa/crypto_struct.h
+@@ -155,9 +155,19 @@ static inline psa_key_lifetime_t psa_get_key_lifetime(
+     return( attributes->lifetime );
+ }
+ 
+static inline void psa_extend_key_usage_flags( psa_key_usage_t *usage_flags )
+{
+    if( *usage_flags & PSA_KEY_USAGE_SIGN_HASH )
+        *usage_flags |= PSA_KEY_USAGE_SIGN_MESSAGE;
+
+    if( *usage_flags & PSA_KEY_USAGE_VERIFY_HASH )
+        *usage_flags |= PSA_KEY_USAGE_VERIFY_MESSAGE;
+}
+
+ static inline void psa_set_key_usage_flags(psa_key_attributes_t *attributes,
+                                            psa_key_usage_t usage_flags)
+ {
+    psa_extend_key_usage_flags( &usage_flags );
+     attributes->usage = usage_flags;
+ }
+ 
+-- 
+2.38.0
+
@@ -0,0 +1,120 @@
+From a1da63a8c4d55d52321608a72129af49e0a498b2 Mon Sep 17 00:00:00 2001
+From: Satish Kumar <satish.kumar01@arm.com>
+Date: Mon, 14 Feb 2022 08:22:25 +0000
+Subject: [PATCH 18/19] Fixes in AEAD for psa-arch test 54 and 58.
+
+Upstream-Status: Pending
+Signed-off-by: Satish Kumar <satish.kumar01@arm.com>
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+---
+ .../crypto/client/caller/packed-c/crypto_caller_aead.h    | 1 +
+ components/service/crypto/include/psa/crypto_sizes.h      | 2 +-
+ .../crypto/provider/extension/aead/aead_provider.c        | 8 ++++++--
+ .../extension/aead/serializer/aead_provider_serializer.h  | 1 +
+ .../packed-c/packedc_aead_provider_serializer.c           | 2 ++
+ protocols/service/crypto/packed-c/aead.h                  | 1 +
+ 6 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h
+index c4ffb20cf7f8..a91f66c14008 100644
+--- a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h
+++ b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h
+@@ -309,6 +309,7 @@ static inline psa_status_t crypto_caller_aead_update(struct service_client *cont
+ 	size_t req_len = req_fixed_len;
+ 
+ 	*output_length = 0;
+        req_msg.output_size = output_size;
+ 	req_msg.op_handle = op_handle;
+ 
+ 	/* Mandatory input data parameter */
+diff --git a/components/service/crypto/include/psa/crypto_sizes.h b/components/service/crypto/include/psa/crypto_sizes.h
+index 4d7bf6e959b0..e3c4df2927b3 100644
+--- a/components/service/crypto/include/psa/crypto_sizes.h
+++ b/components/service/crypto/include/psa/crypto_sizes.h
+@@ -351,7 +351,7 @@
+  *       just the largest size that may be generated by
+  *       #psa_aead_generate_nonce().
+  */
+-#define PSA_AEAD_NONCE_MAX_SIZE 12
+#define PSA_AEAD_NONCE_MAX_SIZE 16
+ 
+ /** A sufficient output buffer size for psa_aead_update().
+  *
+diff --git a/components/service/crypto/provider/extension/aead/aead_provider.c b/components/service/crypto/provider/extension/aead/aead_provider.c
+index 14a25436b3f6..6b144db821de 100644
+--- a/components/service/crypto/provider/extension/aead/aead_provider.c
+++ b/components/service/crypto/provider/extension/aead/aead_provider.c
+@@ -283,10 +283,11 @@ static rpc_status_t aead_update_handler(void *context, struct call_req *req)
+ 	uint32_t op_handle;
+ 	const uint8_t *input;
+ 	size_t input_len;
+        uint32_t recv_output_size;
+ 
+ 	if (serializer)
+ 		rpc_status = serializer->deserialize_aead_update_req(req_buf, &op_handle,
+-			&input, &input_len);
+			&recv_output_size, &input, &input_len);
+ 
+ 	if (rpc_status == TS_RPC_CALL_ACCEPTED) {
+ 
+@@ -300,9 +301,12 @@ static rpc_status_t aead_update_handler(void *context, struct call_req *req)
+ 		if (crypto_context) {
+ 
+ 			size_t output_len = 0;
+-			size_t output_size = PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(input_len);
+			size_t output_size = PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(24);
+ 			uint8_t *output = malloc(output_size);
+ 
+                        if (recv_output_size < output_size) {
+                            output_size = recv_output_size;
+                        }
+ 			if (output) {
+ 
+ 				psa_status = psa_aead_update(&crypto_context->op.aead,
+diff --git a/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h b/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h
+index bb1a2a97e4b7..0156aaba3fe3 100644
+--- a/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h
+++ b/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h
+@@ -51,6 +51,7 @@ struct aead_provider_serializer {
+ 	/* Operation: aead_update */
+ 	rpc_status_t (*deserialize_aead_update_req)(const struct call_param_buf *req_buf,
+ 		uint32_t *op_handle,
+                uint32_t *output_size,
+ 		const uint8_t **input, size_t *input_len);
+ 
+ 	rpc_status_t (*serialize_aead_update_resp)(struct call_param_buf *resp_buf,
+diff --git a/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c b/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c
+index 6f00b3e3f6f1..45c739abcbb4 100644
+--- a/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c
+++ b/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c
+@@ -192,6 +192,7 @@ static rpc_status_t deserialize_aead_update_ad_req(const struct call_param_buf *
+ /* Operation: aead_update */
+ static rpc_status_t deserialize_aead_update_req(const struct call_param_buf *req_buf,
+ 	uint32_t *op_handle,
+        uint32_t *output_size,
+ 	const uint8_t **input, size_t *input_len)
+ {
+ 	rpc_status_t rpc_status = TS_RPC_ERROR_INVALID_REQ_BODY;
+@@ -208,6 +209,7 @@ static rpc_status_t deserialize_aead_update_req(const struct call_param_buf *req
+ 		memcpy(&recv_msg, req_buf->data, expected_fixed_len);
+ 
+ 		*op_handle = recv_msg.op_handle;
+                *output_size = recv_msg.output_size;
+ 
+ 		tlv_const_iterator_begin(&req_iter,
+ 			(uint8_t*)req_buf->data + expected_fixed_len,
+diff --git a/protocols/service/crypto/packed-c/aead.h b/protocols/service/crypto/packed-c/aead.h
+index 0be266b52403..435fd3b523ce 100644
+--- a/protocols/service/crypto/packed-c/aead.h
+++ b/protocols/service/crypto/packed-c/aead.h
+@@ -98,6 +98,7 @@ enum
+ struct __attribute__ ((__packed__)) ts_crypto_aead_update_in
+ {
+   uint32_t op_handle;
+  uint32_t output_size;
+ };
+ 
+ /* Variable length input parameter tags */
+-- 
+2.38.0
+
@@ -0,0 +1,37 @@
+From 07ad7e1f7ba06045bf331d5b73a6adf38a098fb7 Mon Sep 17 00:00:00 2001
+From: Rui Miguel Silva <rui.silva@linaro.org>
+Date: Tue, 11 Oct 2022 10:46:10 +0100
+Subject: [PATCH 19/19] plat: corstone1000: change default smm values
+
+Smm gateway uses SE proxy to route the calls for any NV
+storage so set the NV_STORE_SN.
+Change the storage index uid because TF-M in the secure
+enclave reserves the default value (0x1) to some internal
+operation.
+Increase the maximum number of uefi variables to cope with all
+the needs for testing and certification
+
+Upstream-Status: Pending
+Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com>
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+---
+ platform/providers/arm/corstone1000/platform.cmake | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake
+index 51e5faa3e4d8..04b629a81906 100644
+--- a/platform/providers/arm/corstone1000/platform.cmake
+++ b/platform/providers/arm/corstone1000/platform.cmake
+@@ -10,3 +10,9 @@
+ include(${TS_ROOT}/platform/drivers/arm/mhu_driver/component.cmake)
+ 
+ add_compile_definitions(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+
+target_compile_definitions(${TGT} PRIVATE
+	SMM_GATEWAY_NV_STORE_SN="sn:ffa:46bb39d1-b4d9-45b5-88ff-040027dab249:1"
+	SMM_VARIABLE_INDEX_STORAGE_UID=0x787
+	SMM_GATEWAY_MAX_UEFI_VARIABLES=100
+)
+-- 
+2.38.0
+
@@ -1,36 +0,0 @@
-From d262ab277a87c1cda4f71137f6bb963066ba6997 Mon Sep 17 00:00:00 2001
-From: Vishnu Banavath <vishnu.banavath@arm.com>
-Date: Tue, 13 Sep 2022 16:46:14 +0100
-Subject: [PATCH 26/27] plat: add corstone1000 platform to drivers/arm
-
-This change is to add corstone1000 platform cmake. Smm gateway
-uses SE proxy to route the calls for any NV storage.
-
-Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com>
-Upstream-Status: Pending [Not submitted to upstream yet]
---
- platform/providers/arm/corstone1000/platform.cmake | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
- create mode 100644 platform/providers/arm/corstone1000/platform.cmake
-
-diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake
-new file mode 100644
-index 00000000..14a9f6b0
--- /dev/null
-+++ b/platform/providers/arm/corstone1000/platform.cmake
-@@ -0,0 +1,12 @@
-+#-------------------------------------------------------------------------------
-+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
-+#
-+# SPDX-License-Identifier: BSD-3-Clause
-+#
-+# Platform definition for the corstone1000 platform.
-+#-------------------------------------------------------------------------------
-+
-+target_compile_definitions(${TGT} PRIVATE
-+	SMM_GATEWAY_NV_STORE_SN="sn:ffa:46bb39d1-b4d9-45b5-88ff-040027dab249:1"
-+)
-+
-- 
-2.17.1
-
@@ -0,0 +1,210 @@
+From 03d97c104f2d68cffd1bfc48cd62727e13a64712 Mon Sep 17 00:00:00 2001
+From: Rui Miguel Silva <rui.silva@linaro.org>
+Date: Fri, 14 Oct 2022 17:42:52 +0100
+Subject: [PATCH] newlib: memcpy: remove optimized version
+
+When creating messages packed to send over openamp we may need
+to do some copy in unaligned address, because of that we may
+not always use the assembler optimized version, which will
+trough a data-abort on aligned address exception.
+
+So, we may just use the version in string.h (the same used in
+optee-os) that will take care to check and use different
+optimization based on given source or destination address's.
+
+Upstream-Status: Pending
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+---
+ newlib/libc/machine/aarch64/memcpy-stub.c |   2 +-
+ newlib/libc/machine/aarch64/memcpy.S      | 166 ----------------------
+ 2 files changed, 1 insertion(+), 167 deletions(-)
+
+diff --git a/newlib/libc/machine/aarch64/memcpy-stub.c b/newlib/libc/machine/aarch64/memcpy-stub.c
+index cd6d72a8b8af..5f2b7968c7fc 100644
+--- a/newlib/libc/machine/aarch64/memcpy-stub.c
+++ b/newlib/libc/machine/aarch64/memcpy-stub.c
+@@ -27,5 +27,5 @@
+ #if (defined (__OPTIMIZE_SIZE__) || defined (PREFER_SIZE_OVER_SPEED))
+ # include "../../string/memcpy.c"
+ #else
+-/* See memcpy.S  */
+# include "../../string/memcpy.c"
+ #endif
+diff --git a/newlib/libc/machine/aarch64/memcpy.S b/newlib/libc/machine/aarch64/memcpy.S
+index 463bad0a1816..2a1460546374 100644
+--- a/newlib/libc/machine/aarch64/memcpy.S
+++ b/newlib/libc/machine/aarch64/memcpy.S
+@@ -61,170 +61,4 @@
+ #if (defined (__OPTIMIZE_SIZE__) || defined (PREFER_SIZE_OVER_SPEED))
+ /* See memcpy-stub.c  */
+ #else
+-
+-#define dstin	x0
+-#define src	x1
+-#define count	x2
+-#define dst	x3
+-#define srcend	x4
+-#define dstend	x5
+-#define A_l	x6
+-#define A_lw	w6
+-#define A_h	x7
+-#define A_hw	w7
+-#define B_l	x8
+-#define B_lw	w8
+-#define B_h	x9
+-#define C_l	x10
+-#define C_h	x11
+-#define D_l	x12
+-#define D_h	x13
+-#define E_l	src
+-#define E_h	count
+-#define F_l	srcend
+-#define F_h	dst
+-#define tmp1	x9
+-
+-#define L(l) .L ## l
+-
+-	.macro def_fn f p2align=0
+-	.text
+-	.p2align \p2align
+-	.global \f
+-	.type \f, %function
+-\f:
+-	.endm
+-
+-/* Copies are split into 3 main cases: small copies of up to 16 bytes,
+-   medium copies of 17..96 bytes which are fully unrolled. Large copies
+-   of more than 96 bytes align the destination and use an unrolled loop
+-   processing 64 bytes per iteration.
+-   Small and medium copies read all data before writing, allowing any
+-   kind of overlap, and memmove tailcalls memcpy for these cases as
+-   well as non-overlapping copies.
+-*/
+-
+-def_fn memcpy p2align=6
+-	prfm	PLDL1KEEP, [src]
+-	add	srcend, src, count
+-	add	dstend, dstin, count
+-	cmp	count, 16
+-	b.ls	L(copy16)
+-	cmp	count, 96
+-	b.hi	L(copy_long)
+-
+-	/* Medium copies: 17..96 bytes.  */
+-	sub	tmp1, count, 1
+-	ldp	A_l, A_h, [src]
+-	tbnz	tmp1, 6, L(copy96)
+-	ldp	D_l, D_h, [srcend, -16]
+-	tbz	tmp1, 5, 1f
+-	ldp	B_l, B_h, [src, 16]
+-	ldp	C_l, C_h, [srcend, -32]
+-	stp	B_l, B_h, [dstin, 16]
+-	stp	C_l, C_h, [dstend, -32]
+-1:
+-	stp	A_l, A_h, [dstin]
+-	stp	D_l, D_h, [dstend, -16]
+-	ret
+-
+-	.p2align 4
+-	/* Small copies: 0..16 bytes.  */
+-L(copy16):
+-	cmp	count, 8
+-	b.lo	1f
+-	ldr	A_l, [src]
+-	ldr	A_h, [srcend, -8]
+-	str	A_l, [dstin]
+-	str	A_h, [dstend, -8]
+-	ret
+-	.p2align 4
+-1:
+-	tbz	count, 2, 1f
+-	ldr	A_lw, [src]
+-	ldr	A_hw, [srcend, -4]
+-	str	A_lw, [dstin]
+-	str	A_hw, [dstend, -4]
+-	ret
+-
+-	/* Copy 0..3 bytes.  Use a branchless sequence that copies the same
+-	   byte 3 times if count==1, or the 2nd byte twice if count==2.  */
+-1:
+-	cbz	count, 2f
+-	lsr	tmp1, count, 1
+-	ldrb	A_lw, [src]
+-	ldrb	A_hw, [srcend, -1]
+-	ldrb	B_lw, [src, tmp1]
+-	strb	A_lw, [dstin]
+-	strb	B_lw, [dstin, tmp1]
+-	strb	A_hw, [dstend, -1]
+-2:	ret
+-
+-	.p2align 4
+-	/* Copy 64..96 bytes.  Copy 64 bytes from the start and
+-	   32 bytes from the end.  */
+-L(copy96):
+-	ldp	B_l, B_h, [src, 16]
+-	ldp	C_l, C_h, [src, 32]
+-	ldp	D_l, D_h, [src, 48]
+-	ldp	E_l, E_h, [srcend, -32]
+-	ldp	F_l, F_h, [srcend, -16]
+-	stp	A_l, A_h, [dstin]
+-	stp	B_l, B_h, [dstin, 16]
+-	stp	C_l, C_h, [dstin, 32]
+-	stp	D_l, D_h, [dstin, 48]
+-	stp	E_l, E_h, [dstend, -32]
+-	stp	F_l, F_h, [dstend, -16]
+-	ret
+-
+-	/* Align DST to 16 byte alignment so that we don't cross cache line
+-	   boundaries on both loads and stores.	 There are at least 96 bytes
+-	   to copy, so copy 16 bytes unaligned and then align.	The loop
+-	   copies 64 bytes per iteration and prefetches one iteration ahead.  */
+-
+-	.p2align 4
+-L(copy_long):
+-	and	tmp1, dstin, 15
+-	bic	dst, dstin, 15
+-	ldp	D_l, D_h, [src]
+-	sub	src, src, tmp1
+-	add	count, count, tmp1	/* Count is now 16 too large.  */
+-	ldp	A_l, A_h, [src, 16]
+-	stp	D_l, D_h, [dstin]
+-	ldp	B_l, B_h, [src, 32]
+-	ldp	C_l, C_h, [src, 48]
+-	ldp	D_l, D_h, [src, 64]!
+-	subs	count, count, 128 + 16	/* Test and readjust count.  */
+-	b.ls	2f
+-1:
+-	stp	A_l, A_h, [dst, 16]
+-	ldp	A_l, A_h, [src, 16]
+-	stp	B_l, B_h, [dst, 32]
+-	ldp	B_l, B_h, [src, 32]
+-	stp	C_l, C_h, [dst, 48]
+-	ldp	C_l, C_h, [src, 48]
+-	stp	D_l, D_h, [dst, 64]!
+-	ldp	D_l, D_h, [src, 64]!
+-	subs	count, count, 64
+-	b.hi	1b
+-
+-	/* Write the last full set of 64 bytes.	 The remainder is at most 64
+-	   bytes, so it is safe to always copy 64 bytes from the end even if
+-	   there is just 1 byte left.  */
+-2:
+-	ldp	E_l, E_h, [srcend, -64]
+-	stp	A_l, A_h, [dst, 16]
+-	ldp	A_l, A_h, [srcend, -48]
+-	stp	B_l, B_h, [dst, 32]
+-	ldp	B_l, B_h, [srcend, -32]
+-	stp	C_l, C_h, [dst, 48]
+-	ldp	C_l, C_h, [srcend, -16]
+-	stp	D_l, D_h, [dst, 64]
+-	stp	E_l, E_h, [dstend, -64]
+-	stp	A_l, A_h, [dstend, -48]
+-	stp	B_l, B_h, [dstend, -32]
+-	stp	C_l, C_h, [dstend, -16]
+-	ret
+-
+-	.size	memcpy, . - memcpy
+ #endif
+-- 
+2.38.0
+
@@ -1,11 +1,28 @@
 FILESEXTRAPATHS:prepend := "${THISDIR}/corstone1000:"

 SRC_URI:append = " \
-                  file://0026-plat-add-corstone1000-platform-to-drivers-arm.patch \
-                  file://0027-Add-MHU-driver.patch \
-		  "
+    file://0001-Add-openamp-to-SE-proxy-deployment.patch \
+    file://0002-Implement-mhu-driver-and-the-OpenAmp-conversion-laye.patch \
+    file://0003-Add-openamp-rpc-caller.patch \
+    file://0004-add-psa-client-definitions-for-ff-m.patch \
+    file://0005-Add-common-service-component-to-ipc-support.patch \
+    file://0006-Add-secure-storage-ipc-backend.patch \
+    file://0007-Use-secure-storage-ipc-and-openamp-for-se_proxy.patch \
+    file://0008-Run-psa-arch-test.patch \
+    file://0009-Use-address-instead-of-pointers.patch \
+    file://0010-Add-psa-ipc-attestation-to-se-proxy.patch \
+    file://0011-Setup-its-backend-as-openamp-rpc-using-secure-storag.patch \
+    file://0012-add-psa-ipc-crypto-backend.patch \
+    file://0013-Add-stub-capsule-update-service-components.patch \
+    file://0014-Configure-storage-size.patch \
+    file://0015-Fix-Crypto-interface-structure-aligned-with-tf-m-cha.patch \
+    file://0016-Integrate-remaining-psa-ipc-client-APIs.patch \
+    file://0017-Fix-update-psa_set_key_usage_flags-definition-to-the.patch \
+    file://0018-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch \
+    file://0019-plat-corstone1000-change-default-smm-values.patch \
+    "


 EXTRA_OECMAKE:append = "-DMM_COMM_BUFFER_ADDRESS="0x00000000 0x02000000" \
-                                             -DMM_COMM_BUFFER_PAGE_COUNT="1" \
-"
+    -DMM_COMM_BUFFER_PAGE_COUNT="1" \
+    "
@@ -0,0 +1,6 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/corstone1000/${PN}:"
+
+SRC_URI:append:corstone1000 = " \
+  file://0001-newlib-memcpy-remove-optimized-version.patch;patchdir=../newlib \
+"
+
@@ -42,6 +42,16 @@ SRC_URI += "git://github.com/cpputest/cpputest.git;name=cpputest;protocol=https;
 SRCREV_cpputest = "e25097614e1c4856036366877a02346c4b36bb5b"
 LIC_FILES_CHKSUM += "file://../cpputest/COPYING;md5=ce5d5f1fe02bcd1343ced64a06fd4177"

+# Libmetal
+SRC_URI += "git://github.com/OpenAMP/libmetal.git;name=libmetal;protocol=https;branch=main;destsuffix=git/libmetal"
+SRCREV_libmetal = "f252f0e007fbfb8b3a52b1d5901250ddac96baad"
+LIC_FILES_CHKSUM += "file://../libmetal/LICENSE.md;md5=fe0b8a4beea8f0813b606d15a3df3d3c"
+
+# Openamp
+SRC_URI += "git://github.com/OpenAMP/open-amp.git;name=openamp;protocol=https;branch=main;destsuffix=git/openamp"
+SRCREV_openamp = "347397decaa43372fc4d00f965640ebde042966d"
+LIC_FILES_CHKSUM += "file://../openamp/LICENSE.md;md5=a8d8cf662ef6bf9936a1e1413585ecbf"
+
 # TS ships patches for external dependencies that needs to be applied
 apply_ts_patches() {
    for p in ${S}/external/qcbor/*.patch; do
@@ -63,4 +73,6 @@ EXTRA_OECMAKE += "-DDTC_SOURCE_DIR=${WORKDIR}/git/dtc \
                  -DT_COSE_SOURCE_DIR=${WORKDIR}/git/tcose \
                  -DQCBOR_SOURCE_DIR=${WORKDIR}/git/qcbor \
                  -DMBEDTLS_SOURCE_DIR=${WORKDIR}/git/mbedtls \
+                  -DOPENAMP_SOURCE_DIR=${WORKDIR}/git/openamp \
+                  -DLIBMETAL_SOURCE_DIR=${WORKDIR}/git/libmetal \
                 "