subtree updates july 21 2023 pi,security,arm
meta-arm: d6fac49541..b4d50a273d:
Abdellatif El Khlifi (5):
arm-bsp/documentation: corstone1000: Update change log
arm-bsp/doc: corstone1000: Update the software architecture document
arm-bsp/documentation: corstone1000: update the release note
arm-bsp/documentation: corstone1000: update user guide
kas: set the SHAs for 2023.06 release
Jon Mason (7):
arm/optee-test: modify to use build openssl
arm/optee: update to 3.22.0
arm-bsp/machine: work around rootfs name issue
ci/clang: add llvm-native from clang README
arm/optee-os: update/clean-up patches and recipes
arm-bsp/juno: remove commented out KCONFIG
arm/linux-yocto: move 6.1 patches to a unique bbappend
Khem Raj (1):
gn: Disable warning as error but not disable completely
Mikko Rapeli (1):
optee-os optee-test: switch from SRC_URI:append to SRC_URI +=
Peter Hoyes (5):
runfvp: Add missing conffile include
arm/oeqa: Merge all OEFVP*Target classes
arm/OEFVPTarget: Add support for model state transitions
arm/oeqa: Convert linuxboot test case into fvp_boot
arm/oeqa: Introduce the fvp_devices test suite
Ross Burton (14):
CI: use Kas 3.3
CI: update to Kas format 14
CI: use branch, not refspec
CI: generate and use a Kas lock file
CI: add a tool to fetch a lockfile.yml for a specified build
arm/scp-firmware: set default SCP_PLATFORM to MACHINE
arm-bsp/scp-firmware: remove redundant SCP_PLATFORM
arm/scp-firware: update compiler variables
arm/scp-firmware: log what platform/firmware/type is being built
arm/scp-firmware: fix intermittent compile failures
CI: track master
arm-bsp/u-boot: add temporary 2023.01 recipe
toolchain: remove pointless provides
arm-bsp/linux-yocto: fix Upstream-Status
Rouven Czerwinski (3):
optee-os: add optional optee-os-ta package
optee-os: deploy ta elf files
optee-test: add TA elfs to deploydir
Tomás González (2):
arm-bsp/documentation: corstone1000: Update the user guide
arm-bsp/documentation: corstone1000: Update the release notes
Ziad Elhanafy (5):
arm-bsp/conf: Remove hardcoded .rootfs from image path
arm/classes: Remove IMAGE_NAME_SUFFIX from image path
arm: Set FVP EULA environment variable details message
kas: Add fvp-eula.yml and remove license related settings
arm-bsp/documentation: Replace FVP_BASE_R_ARM_EULA_ACCEPT with ARM_FVP_EULA_ACCEPT
meta-raspberrypi: dff85b9a9f..e3f733cadd:
Khem Raj (1):
linux-raspberrypi_6.1.bb: Update to 6.1.38
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Iebdd94d49998e9297e49ee2463761f2f3acb45c1
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-client/tee-supplicant.service b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-client/tee-supplicant.service
new file mode 100644
index 0000000..c273832
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-client/tee-supplicant.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=TEE Supplicant
+
+[Service]
+User=root
+EnvironmentFile=-@sysconfdir@/default/tee-supplicant
+ExecStart=@sbindir@/tee-supplicant $OPTARGS
+
+[Install]
+WantedBy=basic.target
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-client/tee-supplicant.sh b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-client/tee-supplicant.sh
new file mode 100644
index 0000000..b4d2195
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-client/tee-supplicant.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Source function library
+. /etc/init.d/functions
+
+NAME=tee-supplicant
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DESC="OP-TEE Supplicant"
+
+DAEMON=@sbindir@/$NAME
+
+test -f $DAEMON || exit 0
+
+test -f @sysconfdir@/default/$NAME && . @sysconfdir@/default/$NAME
+test -f @sysconfdir@/default/rcS && . @sysconfdir@/default/rcS
+
+SSD_OPTIONS="--oknodo --quiet --exec $DAEMON -- -d $OPTARGS"
+
+set -e
+
+case $1 in
+ start)
+ echo -n "Starting $DESC: "
+ start-stop-daemon --start $SSD_OPTIONS
+ echo "${DAEMON##*/}."
+ ;;
+ stop)
+ echo -n "Stopping $DESC: "
+ start-stop-daemon --stop $SSD_OPTIONS
+ echo "${DAEMON##*/}."
+ ;;
+ restart|force-reload)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ status)
+ status ${DAEMON} || exit $?
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-client_3.18.0.bb b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-client_3.18.0.bb
new file mode 100644
index 0000000..ea7b65c
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-client_3.18.0.bb
@@ -0,0 +1,3 @@
+require recipes-security/optee/optee-client.inc
+
+SRCREV = "e7cba71cc6e2ecd02f412c7e9ee104f0a5dffc6f"
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-client_3.20.0.bb b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-client_3.20.0.bb
new file mode 100644
index 0000000..3daab7f
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-client_3.20.0.bb
@@ -0,0 +1,7 @@
+require recipes-security/optee/optee-client.inc
+
+SRCREV = "dd2d39b49975d2ada7870fe2b7f5a84d0d3860dc"
+
+inherit pkgconfig
+DEPENDS += "util-linux"
+EXTRA_OEMAKE += "PKG_CONFIG=pkg-config"
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-examples_3.18.0.bb b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-examples_3.18.0.bb
new file mode 100644
index 0000000..7796430
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-examples_3.18.0.bb
@@ -0,0 +1,3 @@
+require recipes-security/optee/optee-examples.inc
+
+SRCREV = "f301ee9df2129c0db683e726c91dc2cefe4cdb65"
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-examples_3.20.0.bb b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-examples_3.20.0.bb
new file mode 100644
index 0000000..4a63f95
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-examples_3.20.0.bb
@@ -0,0 +1,3 @@
+require recipes-security/optee/optee-examples.inc
+
+SRCREV = "a98d01e1b9168eaed96bcd0bac0df67c44a81081"
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.18.0/0001-allow-setting-sysroot-for-libgcc-lookup.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.18.0/0001-allow-setting-sysroot-for-libgcc-lookup.patch
new file mode 100644
index 0000000..2aec7fc
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.18.0/0001-allow-setting-sysroot-for-libgcc-lookup.patch
@@ -0,0 +1,34 @@
+From fed478758e495f35d18a9e2a89193e6577b06799 Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@arm.com>
+Date: Tue, 26 May 2020 14:38:02 -0500
+Subject: [PATCH] allow setting sysroot for libgcc lookup
+
+Explicitly pass the new variable LIBGCC_LOCATE_CFLAGS variable when searching
+for the compiler libraries as there's no easy way to reliably pass --sysroot
+otherwise.
+
+Upstream-Status: Pending [https://github.com/OP-TEE/optee_os/issues/4188]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ mk/gcc.mk | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/mk/gcc.mk b/mk/gcc.mk
+index adc77a24f25e..81bfa78ad8d7 100644
+--- a/mk/gcc.mk
++++ b/mk/gcc.mk
+@@ -13,11 +13,11 @@ nostdinc$(sm) := -nostdinc -isystem $(shell $(CC$(sm)) \
+ -print-file-name=include 2> /dev/null)
+
+ # Get location of libgcc from gcc
+-libgcc$(sm) := $(shell $(CC$(sm)) $(CFLAGS$(arch-bits-$(sm))) \
++libgcc$(sm) := $(shell $(CC$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CFLAGS$(arch-bits-$(sm))) \
+ -print-libgcc-file-name 2> /dev/null)
+-libstdc++$(sm) := $(shell $(CXX$(sm)) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
++libstdc++$(sm) := $(shell $(CXX$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
+ -print-file-name=libstdc++.a 2> /dev/null)
+-libgcc_eh$(sm) := $(shell $(CXX$(sm)) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
++libgcc_eh$(sm) := $(shell $(CXX$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
+ -print-file-name=libgcc_eh.a 2> /dev/null)
+
+ # Define these to something to discover accidental use
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.18.0/0002-optee-enable-clang-support.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.18.0/0002-optee-enable-clang-support.patch
new file mode 100644
index 0000000..7441e74
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.18.0/0002-optee-enable-clang-support.patch
@@ -0,0 +1,29 @@
+From f158e3af6633bd689a76d53be2c9c590c0385350 Mon Sep 17 00:00:00 2001
+From: Brett Warren <brett.warren@arm.com>
+Date: Wed, 23 Sep 2020 09:27:34 +0100
+Subject: [PATCH] optee: enable clang support
+
+When compiling with clang, the LIBGCC_LOCATE_CFLAG variable used
+to provide a sysroot wasn't included, which results in not locating
+compiler-rt. This is mitigated by including the variable as ammended.
+
+Upstream-Status: Pending
+ChangeId: 8ba69a4b2eb8ebaa047cb266c9aa6c2c3da45701
+Signed-off-by: Brett Warren <brett.warren@arm.com>
+---
+ mk/clang.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mk/clang.mk b/mk/clang.mk
+index c141a3f2ed0b..7d067cc007fa 100644
+--- a/mk/clang.mk
++++ b/mk/clang.mk
+@@ -27,7 +27,7 @@ comp-cflags-warns-clang := -Wno-language-extension-token \
+
+ # Note, use the compiler runtime library (libclang_rt.builtins.*.a) instead of
+ # libgcc for clang
+-libgcc$(sm) := $(shell $(CC$(sm)) $(CFLAGS$(arch-bits-$(sm))) \
++libgcc$(sm) := $(shell $(CC$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CFLAGS$(arch-bits-$(sm))) \
+ -rtlib=compiler-rt -print-libgcc-file-name 2> /dev/null)
+
+ # Core ASLR relies on the executable being ready to run from its preferred load
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.18.0/0003-core-link-add-no-warn-rwx-segments.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.18.0/0003-core-link-add-no-warn-rwx-segments.patch
new file mode 100644
index 0000000..62aee35
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.18.0/0003-core-link-add-no-warn-rwx-segments.patch
@@ -0,0 +1,64 @@
+From fb69397234b1efe3528714b6c0c1921ce37ad6a6 Mon Sep 17 00:00:00 2001
+From: Jerome Forissier <jerome.forissier@linaro.org>
+Date: Fri, 5 Aug 2022 09:48:03 +0200
+Subject: [PATCH] core: link: add --no-warn-rwx-segments
+
+Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
+Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5474]
+
+binutils ld.bfd generates one RWX LOAD segment by merging several sections
+with mixed R/W/X attributes (.text, .rodata, .data). After version 2.38 it
+also warns by default when that happens [1], which breaks the build due to
+--fatal-warnings. The RWX segment is not a problem for the TEE core, since
+that information is not used to set memory permissions. Therefore, silence
+the warning.
+
+Link: [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
+Link: https://sourceware.org/bugzilla/show_bug.cgi?id=29448
+Reported-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
+Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
+Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
+---
+ core/arch/arm/kernel/link.mk | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/core/arch/arm/kernel/link.mk b/core/arch/arm/kernel/link.mk
+index 7eed333a32de..c39d43cbfc5b 100644
+--- a/core/arch/arm/kernel/link.mk
++++ b/core/arch/arm/kernel/link.mk
+@@ -31,6 +31,7 @@ link-ldflags += -T $(link-script-pp) -Map=$(link-out-dir)/tee.map
+ link-ldflags += --sort-section=alignment
+ link-ldflags += --fatal-warnings
+ link-ldflags += --gc-sections
++link-ldflags += $(call ld-option,--no-warn-rwx-segments)
+
+ link-ldadd = $(LDADD)
+ link-ldadd += $(ldflags-external)
+@@ -55,6 +56,7 @@ link-script-cppflags := \
+ $(cppflagscore))
+
+ ldargs-all_objs := -T $(link-script-dummy) --no-check-sections \
++ $(call ld-option,--no-warn-rwx-segments) \
+ $(link-objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/all_objs.o
+ $(link-out-dir)/all_objs.o: $(objs) $(libdeps) $(MAKEFILE_LIST)
+@@ -67,7 +69,8 @@ $(link-out-dir)/unpaged_entries.txt: $(link-out-dir)/all_objs.o
+ $(q)$(NMcore) $< | \
+ $(AWK) '/ ____keep_pager/ { printf "-u%s ", $$3 }' > $@
+
+-unpaged-ldargs = -T $(link-script-dummy) --no-check-sections --gc-sections
++unpaged-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
++ $(call ld-option,--no-warn-rwx-segments)
+ unpaged-ldadd := $(objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/unpaged.o
+ $(link-out-dir)/unpaged.o: $(link-out-dir)/unpaged_entries.txt
+@@ -95,7 +98,8 @@ $(link-out-dir)/init_entries.txt: $(link-out-dir)/all_objs.o
+ $(q)$(NMcore) $< | \
+ $(AWK) '/ ____keep_init/ { printf "-u%s ", $$3 }' > $@
+
+-init-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections
++init-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
++ $(call ld-option,--no-warn-rwx-segments)
+ init-ldadd := $(link-objs-init) $(link-out-dir)/version.o $(link-ldadd) \
+ $(libgcccore)
+ cleanfiles += $(link-out-dir)/init.o
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.18.0/0004-core-Define-section-attributes-for-clang.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.18.0/0004-core-Define-section-attributes-for-clang.patch
new file mode 100644
index 0000000..e3c509f
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.18.0/0004-core-Define-section-attributes-for-clang.patch
@@ -0,0 +1,240 @@
+From 0690909f07779a8f35b1f3d0baf8d4c5c9305d14 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 13 Aug 2022 19:24:55 -0700
+Subject: [PATCH] core: Define section attributes for clang
+
+Clang's attribute section is not same as gcc, here we need to add flags
+to sections so they can be eventually collected by linker into final
+output segments. Only way to do so with clang is to use
+
+pragma clang section ...
+
+The behavious is described here [1], this allows us to define names bss
+sections. This was not an issue until clang-15 where LLD linker starts
+to detect the section flags before merging them and throws the following
+errors
+
+| ld.lld: error: section type mismatch for .nozi.kdata_page
+| >>> /mnt/b/yoe/master/build/tmp/work/qemuarm64-yoe-linux/optee-os-tadevkit/3.17.0-r0/build/core/arch/arm/kernel/thread.o:(.nozi.kdata_page): SHT_PROGBITS
+| >>> output section .nozi: SHT_NOBITS
+|
+| ld.lld: error: section type mismatch for .nozi.mmu.l2
+| >>> /mnt/b/yoe/master/build/tmp/work/qemuarm64-yoe-linux/optee-os-tadevkit/3.17.0-r0/build/core/arch/arm/mm/core_mmu_lpae.o:(.nozi.mmu.l2): SHT_PROGBITS
+| >>> output section .nozi: SHT_NOBITS
+
+These sections should be carrying SHT_NOBITS but so far it was not
+possible to do so, this patch tries to use clangs pragma to get this
+going and match the functionality with gcc.
+
+[1] https://intel.github.io/llvm-docs/clang/LanguageExtensions.html#specifying-section-names-for-global-objects-pragma-clang-section
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ core/arch/arm/kernel/thread.c | 19 +++++++++++++++--
+ core/arch/arm/mm/core_mmu_lpae.c | 35 +++++++++++++++++++++++++++----
+ core/arch/arm/mm/core_mmu_v7.c | 36 +++++++++++++++++++++++++++++---
+ core/arch/arm/mm/pgt_cache.c | 12 ++++++++++-
+ core/kernel/thread.c | 13 +++++++++++-
+ 5 files changed, 104 insertions(+), 11 deletions(-)
+
+diff --git a/core/arch/arm/kernel/thread.c b/core/arch/arm/kernel/thread.c
+index f083b159e969..432983c86c9f 100644
+--- a/core/arch/arm/kernel/thread.c
++++ b/core/arch/arm/kernel/thread.c
+@@ -44,15 +44,30 @@ static size_t thread_user_kcode_size __nex_bss;
+ #if defined(CFG_CORE_UNMAP_CORE_AT_EL0) && \
+ defined(CFG_CORE_WORKAROUND_SPECTRE_BP_SEC) && defined(ARM64)
+ long thread_user_kdata_sp_offset __nex_bss;
++#ifdef __clang__
++#ifndef CFG_VIRTUALIZATION
++#pragma clang section bss=".nozi.kdata_page"
++#else
++#pragma clang section bss=".nex_nozi.kdata_page"
++#endif
++#endif
+ static uint8_t thread_user_kdata_page[
+ ROUNDUP(sizeof(struct thread_core_local) * CFG_TEE_CORE_NB_CORE,
+ SMALL_PAGE_SIZE)]
+ __aligned(SMALL_PAGE_SIZE)
++#ifndef __clang__
+ #ifndef CFG_VIRTUALIZATION
+- __section(".nozi.kdata_page");
++ __section(".nozi.kdata_page")
+ #else
+- __section(".nex_nozi.kdata_page");
++ __section(".nex_nozi.kdata_page")
+ #endif
++#endif
++ ;
++#endif
++
++/* reset BSS section to default ( .bss ) */
++#ifdef __clang__
++#pragma clang section bss=""
+ #endif
+
+ #ifdef ARM32
+diff --git a/core/arch/arm/mm/core_mmu_lpae.c b/core/arch/arm/mm/core_mmu_lpae.c
+index 3f08eec623f3..e6dc9261c41e 100644
+--- a/core/arch/arm/mm/core_mmu_lpae.c
++++ b/core/arch/arm/mm/core_mmu_lpae.c
+@@ -233,19 +233,46 @@ typedef uint16_t l1_idx_t;
+ typedef uint64_t base_xlat_tbls_t[CFG_TEE_CORE_NB_CORE][NUM_BASE_LEVEL_ENTRIES];
+ typedef uint64_t xlat_tbl_t[XLAT_TABLE_ENTRIES];
+
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.base_table"
++#endif
+ static base_xlat_tbls_t base_xlation_table[NUM_BASE_TABLES]
+ __aligned(NUM_BASE_LEVEL_ENTRIES * XLAT_ENTRY_SIZE)
+- __section(".nozi.mmu.base_table");
++#ifndef __clang__
++ __section(".nozi.mmu.base_table")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ static xlat_tbl_t xlat_tables[MAX_XLAT_TABLES]
+- __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2");
++ __aligned(XLAT_TABLE_SIZE)
++#ifndef __clang__
++ __section(".nozi.mmu.l2")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+
+ #define XLAT_TABLES_SIZE (sizeof(xlat_tbl_t) * MAX_XLAT_TABLES)
+
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ /* MMU L2 table for TAs, one for each thread */
+ static xlat_tbl_t xlat_tables_ul1[CFG_NUM_THREADS]
+- __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2");
+-
++#ifndef __clang__
++ __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ /*
+ * TAs page table entry inside a level 1 page table.
+ *
+diff --git a/core/arch/arm/mm/core_mmu_v7.c b/core/arch/arm/mm/core_mmu_v7.c
+index cd85bd22d385..3e18f54f6cf8 100644
+--- a/core/arch/arm/mm/core_mmu_v7.c
++++ b/core/arch/arm/mm/core_mmu_v7.c
+@@ -204,16 +204,46 @@ typedef uint32_t l1_xlat_tbl_t[NUM_L1_ENTRIES];
+ typedef uint32_t l2_xlat_tbl_t[NUM_L2_ENTRIES];
+ typedef uint32_t ul1_xlat_tbl_t[NUM_UL1_ENTRIES];
+
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l1"
++#endif
+ static l1_xlat_tbl_t main_mmu_l1_ttb
+- __aligned(L1_ALIGNMENT) __section(".nozi.mmu.l1");
++ __aligned(L1_ALIGNMENT)
++#ifndef __clang__
++ __section(".nozi.mmu.l1")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+
+ /* L2 MMU tables */
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ static l2_xlat_tbl_t main_mmu_l2_ttb[MAX_XLAT_TABLES]
+- __aligned(L2_ALIGNMENT) __section(".nozi.mmu.l2");
++ __aligned(L2_ALIGNMENT)
++#ifndef __clang__
++ __section(".nozi.mmu.l2")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+
+ /* MMU L1 table for TAs, one for each thread */
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.ul1"
++#endif
+ static ul1_xlat_tbl_t main_mmu_ul1_ttb[CFG_NUM_THREADS]
+- __aligned(UL1_ALIGNMENT) __section(".nozi.mmu.ul1");
++ __aligned(UL1_ALIGNMENT)
++#ifndef __clang__
++ __section(".nozi.mmu.ul1")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+
+ struct mmu_partition {
+ l1_xlat_tbl_t *l1_table;
+diff --git a/core/arch/arm/mm/pgt_cache.c b/core/arch/arm/mm/pgt_cache.c
+index dee1d207943f..382cae1c3f30 100644
+--- a/core/arch/arm/mm/pgt_cache.c
++++ b/core/arch/arm/mm/pgt_cache.c
+@@ -104,8 +104,18 @@ void pgt_init(void)
+ * has a large alignment, while .bss has a small alignment. The current
+ * link script is optimized for small alignment in .bss
+ */
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ static uint8_t pgt_tables[PGT_CACHE_SIZE][PGT_SIZE]
+- __aligned(PGT_SIZE) __section(".nozi.pgt_cache");
++ __aligned(PGT_SIZE)
++#ifndef __clang__
++ __section(".nozi.pgt_cache")
++#endif
++ ;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ size_t n;
+
+ for (n = 0; n < ARRAY_SIZE(pgt_tables); n++) {
+diff --git a/core/kernel/thread.c b/core/kernel/thread.c
+index 18d34e6adfe2..086129e282bc 100644
+--- a/core/kernel/thread.c
++++ b/core/kernel/thread.c
+@@ -37,13 +37,24 @@ struct thread_core_local thread_core_local[CFG_TEE_CORE_NB_CORE] __nex_bss;
+ name[stack_num][sizeof(name[stack_num]) / sizeof(uint32_t) - 1]
+ #endif
+
++#define DO_PRAGMA(x) _Pragma (#x)
++
++#ifdef __clang__
++#define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
++DO_PRAGMA (clang section bss=".nozi_stack." #name) \
++linkage uint32_t name[num_stacks] \
++ [ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
++ STACK_ALIGNMENT) / sizeof(uint32_t)] \
++ __attribute__((aligned(STACK_ALIGNMENT))); \
++DO_PRAGMA(clang section bss="")
++#else
+ #define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
+ linkage uint32_t name[num_stacks] \
+ [ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
+ STACK_ALIGNMENT) / sizeof(uint32_t)] \
+ __attribute__((section(".nozi_stack." # name), \
+ aligned(STACK_ALIGNMENT)))
+-
++#endif
+ #define GET_STACK(stack) ((vaddr_t)(stack) + STACK_SIZE(stack))
+
+ DECLARE_STACK(stack_tmp, CFG_TEE_CORE_NB_CORE,
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.18.0/0005-core-ldelf-link-add-z-execstack.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.18.0/0005-core-ldelf-link-add-z-execstack.patch
new file mode 100644
index 0000000..862a76b
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.18.0/0005-core-ldelf-link-add-z-execstack.patch
@@ -0,0 +1,93 @@
+From 63445958678b58c5adc7eca476b216e5dc0f4195 Mon Sep 17 00:00:00 2001
+From: Jerome Forissier <jerome.forissier@linaro.org>
+Date: Tue, 23 Aug 2022 11:41:00 +0000
+Subject: [PATCH] core, ldelf: link: add -z execstack
+
+When building for arm32 with GNU binutils 2.39, the linker outputs
+warnings when generating some TEE core binaries (all_obj.o, init.o,
+unpaged.o and tee.elf) as well as ldelf.elf:
+
+ arm-poky-linux-gnueabi-ld.bfd: warning: atomic_a32.o: missing .note.GNU-stack section implies executable stack
+ arm-poky-linux-gnueabi-ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
+
+The permissions used when mapping the TEE core stacks do not depend on
+any metadata found in the ELF file. Similarly when the TEE core loads
+ldelf it already creates a non-executable stack regardless of ELF
+information. Therefore we can safely ignore the warnings. This is done
+by adding the '-z execstack' option.
+
+Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
+
+Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
+Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5499]
+---
+ core/arch/arm/kernel/link.mk | 13 +++++++++----
+ ldelf/link.mk | 3 +++
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/core/arch/arm/kernel/link.mk b/core/arch/arm/kernel/link.mk
+index c39d43cbfc5b..0e96e606cd9d 100644
+--- a/core/arch/arm/kernel/link.mk
++++ b/core/arch/arm/kernel/link.mk
+@@ -9,6 +9,11 @@ link-script-dep = $(link-out-dir)/.kern.ld.d
+
+ AWK = awk
+
++link-ldflags-common += $(call ld-option,--no-warn-rwx-segments)
++ifeq ($(CFG_ARM32_core),y)
++link-ldflags-common += $(call ld-option,--no-warn-execstack)
++endif
++
+ link-ldflags = $(LDFLAGS)
+ ifeq ($(CFG_CORE_ASLR),y)
+ link-ldflags += -pie -Bsymbolic -z norelro $(ldflag-apply-dynamic-relocs)
+@@ -31,7 +36,7 @@ link-ldflags += -T $(link-script-pp) -Map=$(link-out-dir)/tee.map
+ link-ldflags += --sort-section=alignment
+ link-ldflags += --fatal-warnings
+ link-ldflags += --gc-sections
+-link-ldflags += $(call ld-option,--no-warn-rwx-segments)
++link-ldflags += $(link-ldflags-common)
+
+ link-ldadd = $(LDADD)
+ link-ldadd += $(ldflags-external)
+@@ -56,7 +61,7 @@ link-script-cppflags := \
+ $(cppflagscore))
+
+ ldargs-all_objs := -T $(link-script-dummy) --no-check-sections \
+- $(call ld-option,--no-warn-rwx-segments) \
++ $(link-ldflags-common) \
+ $(link-objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/all_objs.o
+ $(link-out-dir)/all_objs.o: $(objs) $(libdeps) $(MAKEFILE_LIST)
+@@ -70,7 +75,7 @@ $(link-out-dir)/unpaged_entries.txt: $(link-out-dir)/all_objs.o
+ $(AWK) '/ ____keep_pager/ { printf "-u%s ", $$3 }' > $@
+
+ unpaged-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
+- $(call ld-option,--no-warn-rwx-segments)
++ $(link-ldflags-common)
+ unpaged-ldadd := $(objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/unpaged.o
+ $(link-out-dir)/unpaged.o: $(link-out-dir)/unpaged_entries.txt
+@@ -99,7 +104,7 @@ $(link-out-dir)/init_entries.txt: $(link-out-dir)/all_objs.o
+ $(AWK) '/ ____keep_init/ { printf "-u%s ", $$3 }' > $@
+
+ init-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
+- $(call ld-option,--no-warn-rwx-segments)
++ $(link-ldflags-common)
+ init-ldadd := $(link-objs-init) $(link-out-dir)/version.o $(link-ldadd) \
+ $(libgcccore)
+ cleanfiles += $(link-out-dir)/init.o
+diff --git a/ldelf/link.mk b/ldelf/link.mk
+index 64c8212a06fa..bd49551e7065 100644
+--- a/ldelf/link.mk
++++ b/ldelf/link.mk
+@@ -20,6 +20,9 @@ link-ldflags += -z max-page-size=4096 # OP-TEE always uses 4K alignment
+ ifeq ($(CFG_CORE_BTI),y)
+ link-ldflags += $(call ld-option,-z force-bti) --fatal-warnings
+ endif
++ifeq ($(CFG_ARM32_$(sm)), y)
++link-ldflags += $(call ld-option,--no-warn-execstack)
++endif
+ link-ldflags += $(link-ldflags$(sm))
+
+ link-ldadd = $(addprefix -L,$(libdirs))
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.18.0/0006-arm32-libutils-libutee-ta-add-.note.GNU-stack-sectio.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.18.0/0006-arm32-libutils-libutee-ta-add-.note.GNU-stack-sectio.patch
new file mode 100644
index 0000000..e82fdc7
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.18.0/0006-arm32-libutils-libutee-ta-add-.note.GNU-stack-sectio.patch
@@ -0,0 +1,127 @@
+From 1a991cbedf8647d5a1e7c312614f7867c3940968 Mon Sep 17 00:00:00 2001
+From: Jerome Forissier <jerome.forissier@linaro.org>
+Date: Tue, 23 Aug 2022 12:31:46 +0000
+Subject: [PATCH] arm32: libutils, libutee, ta: add .note.GNU-stack section to
+
+ .S files
+
+When building for arm32 with GNU binutils 2.39, the linker outputs
+warnings when linking Trusted Applications:
+
+ arm-unknown-linux-uclibcgnueabihf-ld.bfd: warning: utee_syscalls_a32.o: missing .note.GNU-stack section implies executable stack
+ arm-unknown-linux-uclibcgnueabihf-ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
+
+We could silence the warning by adding the '-z execstack' option to the
+TA link flags, like we did in the parent commit for the TEE core and
+ldelf. Indeed, ldelf always allocates a non-executable piece of memory
+for the TA to use as a stack.
+
+However it seems preferable to comply with the common ELF practices in
+this case. A better fix is therefore to add the missing .note.GNU-stack
+sections in the assembler files.
+
+Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
+
+Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
+Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5499]
+---
+ lib/libutee/arch/arm/utee_syscalls_a32.S | 2 ++
+ lib/libutils/ext/arch/arm/atomic_a32.S | 2 ++
+ lib/libutils/ext/arch/arm/mcount_a32.S | 2 ++
+ lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S | 2 ++
+ lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S | 2 ++
+ lib/libutils/isoc/arch/arm/setjmp_a32.S | 2 ++
+ ta/arch/arm/ta_entry_a32.S | 2 ++
+ 7 files changed, 14 insertions(+)
+
+diff --git a/lib/libutee/arch/arm/utee_syscalls_a32.S b/lib/libutee/arch/arm/utee_syscalls_a32.S
+index 6e621ca6e06d..af405f62723c 100644
+--- a/lib/libutee/arch/arm/utee_syscalls_a32.S
++++ b/lib/libutee/arch/arm/utee_syscalls_a32.S
+@@ -7,6 +7,8 @@
+ #include <tee_syscall_numbers.h>
+ #include <asm.S>
+
++ .section .note.GNU-stack,"",%progbits
++
+ .section .text
+ .balign 4
+ .code 32
+diff --git a/lib/libutils/ext/arch/arm/atomic_a32.S b/lib/libutils/ext/arch/arm/atomic_a32.S
+index eaef6914734e..2be73ffadcc9 100644
+--- a/lib/libutils/ext/arch/arm/atomic_a32.S
++++ b/lib/libutils/ext/arch/arm/atomic_a32.S
+@@ -5,6 +5,8 @@
+
+ #include <asm.S>
+
++ .section .note.GNU-stack,"",%progbits
++
+ /* uint32_t atomic_inc32(uint32_t *v); */
+ FUNC atomic_inc32 , :
+ ldrex r1, [r0]
+diff --git a/lib/libutils/ext/arch/arm/mcount_a32.S b/lib/libutils/ext/arch/arm/mcount_a32.S
+index 51439a23014e..54dc3c02da66 100644
+--- a/lib/libutils/ext/arch/arm/mcount_a32.S
++++ b/lib/libutils/ext/arch/arm/mcount_a32.S
+@@ -7,6 +7,8 @@
+
+ #if defined(CFG_TA_GPROF_SUPPORT) || defined(CFG_FTRACE_SUPPORT)
+
++ .section .note.GNU-stack,"",%progbits
++
+ /*
+ * Convert return address to call site address by subtracting the size of the
+ * mcount call instruction (blx __gnu_mcount_nc).
+diff --git a/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S b/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S
+index a600c879668c..37ae9ec6f9f1 100644
+--- a/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S
++++ b/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S
+@@ -5,6 +5,8 @@
+
+ #include <asm.S>
+
++ .section .note.GNU-stack,"",%progbits
++
+ /*
+ * signed ret_idivmod_values(signed quot, signed rem);
+ * return quotient and remaining the EABI way (regs r0,r1)
+diff --git a/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S b/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S
+index 2dc50bc98bbf..5c3353e2c1ba 100644
+--- a/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S
++++ b/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S
+@@ -5,6 +5,8 @@
+
+ #include <asm.S>
+
++ .section .note.GNU-stack,"",%progbits
++
+ /*
+ * __value_in_regs lldiv_t __aeabi_ldivmod( long long n, long long d)
+ */
+diff --git a/lib/libutils/isoc/arch/arm/setjmp_a32.S b/lib/libutils/isoc/arch/arm/setjmp_a32.S
+index 43ea593758c9..f8a0b70df705 100644
+--- a/lib/libutils/isoc/arch/arm/setjmp_a32.S
++++ b/lib/libutils/isoc/arch/arm/setjmp_a32.S
+@@ -51,6 +51,8 @@
+ #define SIZE(x)
+ #endif
+
++ .section .note.GNU-stack,"",%progbits
++
+ /* Arm/Thumb interworking support:
+
+ The interworking scheme expects functions to use a BX instruction
+diff --git a/ta/arch/arm/ta_entry_a32.S b/ta/arch/arm/ta_entry_a32.S
+index d2f8a69daa7f..cd9a12f9dbf9 100644
+--- a/ta/arch/arm/ta_entry_a32.S
++++ b/ta/arch/arm/ta_entry_a32.S
+@@ -5,6 +5,8 @@
+
+ #include <asm.S>
+
++ .section .note.GNU-stack,"",%progbits
++
+ /*
+ * This function is the bottom of the user call stack. Mark it as such so that
+ * the unwinding code won't try to go further down.
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0001-allow-setting-sysroot-for-libgcc-lookup.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0001-allow-setting-sysroot-for-libgcc-lookup.patch
new file mode 100644
index 0000000..54b667a
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0001-allow-setting-sysroot-for-libgcc-lookup.patch
@@ -0,0 +1,34 @@
+From 843eb2ef918d5ae3d09de088110cb026ca25306b Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@arm.com>
+Date: Tue, 26 May 2020 14:38:02 -0500
+Subject: [PATCH] allow setting sysroot for libgcc lookup
+
+Explicitly pass the new variable LIBGCC_LOCATE_CFLAGS variable when searching
+for the compiler libraries as there's no easy way to reliably pass --sysroot
+otherwise.
+
+Upstream-Status: Pending [https://github.com/OP-TEE/optee_os/issues/4188]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ mk/gcc.mk | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/mk/gcc.mk b/mk/gcc.mk
+index adc77a24f25e..81bfa78ad8d7 100644
+--- a/mk/gcc.mk
++++ b/mk/gcc.mk
+@@ -13,11 +13,11 @@ nostdinc$(sm) := -nostdinc -isystem $(shell $(CC$(sm)) \
+ -print-file-name=include 2> /dev/null)
+
+ # Get location of libgcc from gcc
+-libgcc$(sm) := $(shell $(CC$(sm)) $(CFLAGS$(arch-bits-$(sm))) \
++libgcc$(sm) := $(shell $(CC$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CFLAGS$(arch-bits-$(sm))) \
+ -print-libgcc-file-name 2> /dev/null)
+-libstdc++$(sm) := $(shell $(CXX$(sm)) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
++libstdc++$(sm) := $(shell $(CXX$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
+ -print-file-name=libstdc++.a 2> /dev/null)
+-libgcc_eh$(sm) := $(shell $(CXX$(sm)) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
++libgcc_eh$(sm) := $(shell $(CXX$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
+ -print-file-name=libgcc_eh.a 2> /dev/null)
+
+ # Define these to something to discover accidental use
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0002-optee-enable-clang-support.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0002-optee-enable-clang-support.patch
new file mode 100644
index 0000000..b3e3098
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0002-optee-enable-clang-support.patch
@@ -0,0 +1,29 @@
+From 0ca5ef7c8256dbd9690a01a82397bc16a123e179 Mon Sep 17 00:00:00 2001
+From: Brett Warren <brett.warren@arm.com>
+Date: Wed, 23 Sep 2020 09:27:34 +0100
+Subject: [PATCH] optee: enable clang support
+
+When compiling with clang, the LIBGCC_LOCATE_CFLAG variable used
+to provide a sysroot wasn't included, which results in not locating
+compiler-rt. This is mitigated by including the variable as ammended.
+
+Upstream-Status: Pending
+ChangeId: 8ba69a4b2eb8ebaa047cb266c9aa6c2c3da45701
+Signed-off-by: Brett Warren <brett.warren@arm.com>
+---
+ mk/clang.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mk/clang.mk b/mk/clang.mk
+index a045beee8482..1ebe2f702dcd 100644
+--- a/mk/clang.mk
++++ b/mk/clang.mk
+@@ -30,7 +30,7 @@ comp-cflags-warns-clang := -Wno-language-extension-token \
+
+ # Note, use the compiler runtime library (libclang_rt.builtins.*.a) instead of
+ # libgcc for clang
+-libgcc$(sm) := $(shell $(CC$(sm)) $(CFLAGS$(arch-bits-$(sm))) \
++libgcc$(sm) := $(shell $(CC$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CFLAGS$(arch-bits-$(sm))) \
+ -rtlib=compiler-rt -print-libgcc-file-name 2> /dev/null)
+
+ # Core ASLR relies on the executable being ready to run from its preferred load
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0003-core-link-add-no-warn-rwx-segments.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0003-core-link-add-no-warn-rwx-segments.patch
new file mode 100644
index 0000000..5d4191f
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0003-core-link-add-no-warn-rwx-segments.patch
@@ -0,0 +1,62 @@
+From 741df4df0ec7b69b0573cff265dc1ae7cb70b55c Mon Sep 17 00:00:00 2001
+From: Jerome Forissier <jerome.forissier@linaro.org>
+Date: Fri, 5 Aug 2022 09:48:03 +0200
+Subject: [PATCH] core: link: add --no-warn-rwx-segments
+
+Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
+Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5474]
+
+binutils ld.bfd generates one RWX LOAD segment by merging several sections
+with mixed R/W/X attributes (.text, .rodata, .data). After version 2.38 it
+also warns by default when that happens [1], which breaks the build due to
+--fatal-warnings. The RWX segment is not a problem for the TEE core, since
+that information is not used to set memory permissions. Therefore, silence
+the warning.
+
+Link: [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
+Link: https://sourceware.org/bugzilla/show_bug.cgi?id=29448
+Reported-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
+Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
+Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
+---
+ core/arch/arm/kernel/link.mk | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/core/arch/arm/kernel/link.mk b/core/arch/arm/kernel/link.mk
+index 0e96e606cd9d..3fbcb6804c6f 100644
+--- a/core/arch/arm/kernel/link.mk
++++ b/core/arch/arm/kernel/link.mk
+@@ -37,6 +37,7 @@ link-ldflags += --sort-section=alignment
+ link-ldflags += --fatal-warnings
+ link-ldflags += --gc-sections
+ link-ldflags += $(link-ldflags-common)
++link-ldflags += $(call ld-option,--no-warn-rwx-segments)
+
+ link-ldadd = $(LDADD)
+ link-ldadd += $(ldflags-external)
+@@ -61,6 +62,7 @@ link-script-cppflags := \
+ $(cppflagscore))
+
+ ldargs-all_objs := -T $(link-script-dummy) --no-check-sections \
++ $(call ld-option,--no-warn-rwx-segments) \
+ $(link-ldflags-common) \
+ $(link-objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/all_objs.o
+@@ -75,7 +77,7 @@ $(link-out-dir)/unpaged_entries.txt: $(link-out-dir)/all_objs.o
+ $(AWK) '/ ____keep_pager/ { printf "-u%s ", $$3 }' > $@
+
+ unpaged-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
+- $(link-ldflags-common)
++ $(link-ldflags-common) $(call ld-option,--no-warn-rwx-segments)
+ unpaged-ldadd := $(objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/unpaged.o
+ $(link-out-dir)/unpaged.o: $(link-out-dir)/unpaged_entries.txt
+@@ -104,7 +106,7 @@ $(link-out-dir)/init_entries.txt: $(link-out-dir)/all_objs.o
+ $(AWK) '/ ____keep_init/ { printf "-u%s ", $$3 }' > $@
+
+ init-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
+- $(link-ldflags-common)
++ $(link-ldflags-common) $(call ld-option,--no-warn-rwx-segments)
+ init-ldadd := $(link-objs-init) $(link-out-dir)/version.o $(link-ldadd) \
+ $(libgcccore)
+ cleanfiles += $(link-out-dir)/init.o
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0004-core-Define-section-attributes-for-clang.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0004-core-Define-section-attributes-for-clang.patch
new file mode 100644
index 0000000..6229be9
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0004-core-Define-section-attributes-for-clang.patch
@@ -0,0 +1,240 @@
+From 162493e5b212b9d7391669a55be09b69b97a9cf8 Mon Sep 17 00:00:00 2001
+From: Emekcan Aras <emekcan.aras@arm.com>
+Date: Wed, 21 Dec 2022 10:55:58 +0000
+Subject: [PATCH] core: Define section attributes for clang
+
+Clang's attribute section is not same as gcc, here we need to add flags
+to sections so they can be eventually collected by linker into final
+output segments. Only way to do so with clang is to use
+
+pragma clang section ...
+
+The behavious is described here [1], this allows us to define names bss
+sections. This was not an issue until clang-15 where LLD linker starts
+to detect the section flags before merging them and throws the following
+errors
+
+| ld.lld: error: section type mismatch for .nozi.kdata_page
+| >>> /mnt/b/yoe/master/build/tmp/work/qemuarm64-yoe-linux/optee-os-tadevkit/3.17.0-r0/build/core/arch/arm/kernel/thread.o:(.nozi.kdata_page): SHT_PROGBITS
+| >>> output section .nozi: SHT_NOBITS
+|
+| ld.lld: error: section type mismatch for .nozi.mmu.l2
+| >>> /mnt/b/yoe/master/build/tmp/work/qemuarm64-yoe-linux/optee-os-tadevkit/3.17.0-r0/build/core/arch/arm/mm/core_mmu_lpae.o:(.nozi.mmu.l2): SHT_PROGBITS
+| >>> output section .nozi: SHT_NOBITS
+
+These sections should be carrying SHT_NOBITS but so far it was not
+possible to do so, this patch tries to use clangs pragma to get this
+going and match the functionality with gcc.
+
+[1] https://intel.github.io/llvm-docs/clang/LanguageExtensions.html#specifying-section-names-for-global-objects-pragma-clang-section
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ core/arch/arm/kernel/thread.c | 19 +++++++++++++++--
+ core/arch/arm/mm/core_mmu_lpae.c | 35 +++++++++++++++++++++++++++----
+ core/arch/arm/mm/core_mmu_v7.c | 36 +++++++++++++++++++++++++++++---
+ core/arch/arm/mm/pgt_cache.c | 12 ++++++++++-
+ core/kernel/thread.c | 13 +++++++++++-
+ 5 files changed, 104 insertions(+), 11 deletions(-)
+
+diff --git a/core/arch/arm/kernel/thread.c b/core/arch/arm/kernel/thread.c
+index 1cf76a0ca690..1e7f9f96b558 100644
+--- a/core/arch/arm/kernel/thread.c
++++ b/core/arch/arm/kernel/thread.c
+@@ -44,15 +44,30 @@ static size_t thread_user_kcode_size __nex_bss;
+ #if defined(CFG_CORE_UNMAP_CORE_AT_EL0) && \
+ defined(CFG_CORE_WORKAROUND_SPECTRE_BP_SEC) && defined(ARM64)
+ long thread_user_kdata_sp_offset __nex_bss;
++#ifdef __clang__
++#ifndef CFG_VIRTUALIZATION
++#pragma clang section bss=".nozi.kdata_page"
++#else
++#pragma clang section bss=".nex_nozi.kdata_page"
++#endif
++#endif
+ static uint8_t thread_user_kdata_page[
+ ROUNDUP(sizeof(struct thread_core_local) * CFG_TEE_CORE_NB_CORE,
+ SMALL_PAGE_SIZE)]
+ __aligned(SMALL_PAGE_SIZE)
++#ifndef __clang__
+ #ifndef CFG_VIRTUALIZATION
+- __section(".nozi.kdata_page");
++ __section(".nozi.kdata_page")
+ #else
+- __section(".nex_nozi.kdata_page");
++ __section(".nex_nozi.kdata_page")
+ #endif
++#endif
++ ;
++#endif
++
++/* reset BSS section to default ( .bss ) */
++#ifdef __clang__
++#pragma clang section bss=""
+ #endif
+
+ #ifdef ARM32
+diff --git a/core/arch/arm/mm/core_mmu_lpae.c b/core/arch/arm/mm/core_mmu_lpae.c
+index 3f08eec623f3..e6dc9261c41e 100644
+--- a/core/arch/arm/mm/core_mmu_lpae.c
++++ b/core/arch/arm/mm/core_mmu_lpae.c
+@@ -233,19 +233,46 @@ typedef uint16_t l1_idx_t;
+ typedef uint64_t base_xlat_tbls_t[CFG_TEE_CORE_NB_CORE][NUM_BASE_LEVEL_ENTRIES];
+ typedef uint64_t xlat_tbl_t[XLAT_TABLE_ENTRIES];
+
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.base_table"
++#endif
+ static base_xlat_tbls_t base_xlation_table[NUM_BASE_TABLES]
+ __aligned(NUM_BASE_LEVEL_ENTRIES * XLAT_ENTRY_SIZE)
+- __section(".nozi.mmu.base_table");
++#ifndef __clang__
++ __section(".nozi.mmu.base_table")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ static xlat_tbl_t xlat_tables[MAX_XLAT_TABLES]
+- __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2");
++ __aligned(XLAT_TABLE_SIZE)
++#ifndef __clang__
++ __section(".nozi.mmu.l2")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+
+ #define XLAT_TABLES_SIZE (sizeof(xlat_tbl_t) * MAX_XLAT_TABLES)
+
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ /* MMU L2 table for TAs, one for each thread */
+ static xlat_tbl_t xlat_tables_ul1[CFG_NUM_THREADS]
+- __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2");
+-
++#ifndef __clang__
++ __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ /*
+ * TAs page table entry inside a level 1 page table.
+ *
+diff --git a/core/arch/arm/mm/core_mmu_v7.c b/core/arch/arm/mm/core_mmu_v7.c
+index cd85bd22d385..3e18f54f6cf8 100644
+--- a/core/arch/arm/mm/core_mmu_v7.c
++++ b/core/arch/arm/mm/core_mmu_v7.c
+@@ -204,16 +204,46 @@ typedef uint32_t l1_xlat_tbl_t[NUM_L1_ENTRIES];
+ typedef uint32_t l2_xlat_tbl_t[NUM_L2_ENTRIES];
+ typedef uint32_t ul1_xlat_tbl_t[NUM_UL1_ENTRIES];
+
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l1"
++#endif
+ static l1_xlat_tbl_t main_mmu_l1_ttb
+- __aligned(L1_ALIGNMENT) __section(".nozi.mmu.l1");
++ __aligned(L1_ALIGNMENT)
++#ifndef __clang__
++ __section(".nozi.mmu.l1")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+
+ /* L2 MMU tables */
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ static l2_xlat_tbl_t main_mmu_l2_ttb[MAX_XLAT_TABLES]
+- __aligned(L2_ALIGNMENT) __section(".nozi.mmu.l2");
++ __aligned(L2_ALIGNMENT)
++#ifndef __clang__
++ __section(".nozi.mmu.l2")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+
+ /* MMU L1 table for TAs, one for each thread */
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.ul1"
++#endif
+ static ul1_xlat_tbl_t main_mmu_ul1_ttb[CFG_NUM_THREADS]
+- __aligned(UL1_ALIGNMENT) __section(".nozi.mmu.ul1");
++ __aligned(UL1_ALIGNMENT)
++#ifndef __clang__
++ __section(".nozi.mmu.ul1")
++#endif
++;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+
+ struct mmu_partition {
+ l1_xlat_tbl_t *l1_table;
+diff --git a/core/arch/arm/mm/pgt_cache.c b/core/arch/arm/mm/pgt_cache.c
+index 79553c6d2183..b9efdf42780b 100644
+--- a/core/arch/arm/mm/pgt_cache.c
++++ b/core/arch/arm/mm/pgt_cache.c
+@@ -410,8 +410,18 @@ void pgt_init(void)
+ * has a large alignment, while .bss has a small alignment. The current
+ * link script is optimized for small alignment in .bss
+ */
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+ static uint8_t pgt_tables[PGT_CACHE_SIZE][PGT_SIZE]
+- __aligned(PGT_SIZE) __section(".nozi.pgt_cache");
++ __aligned(PGT_SIZE)
++#ifndef __clang__
++ __section(".nozi.pgt_cache")
++#endif
++ ;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+ size_t n;
+
+ for (n = 0; n < ARRAY_SIZE(pgt_tables); n++) {
+diff --git a/core/kernel/thread.c b/core/kernel/thread.c
+index d1f2f3823be7..8de124ae5357 100644
+--- a/core/kernel/thread.c
++++ b/core/kernel/thread.c
+@@ -38,13 +38,24 @@ struct thread_core_local thread_core_local[CFG_TEE_CORE_NB_CORE] __nex_bss;
+ name[stack_num][sizeof(name[stack_num]) / sizeof(uint32_t) - 1]
+ #endif
+
++#define DO_PRAGMA(x) _Pragma (#x)
++
++#ifdef __clang__
++#define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
++DO_PRAGMA (clang section bss=".nozi_stack." #name) \
++linkage uint32_t name[num_stacks] \
++ [ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
++ STACK_ALIGNMENT) / sizeof(uint32_t)] \
++ __attribute__((aligned(STACK_ALIGNMENT))); \
++DO_PRAGMA(clang section bss="")
++#else
+ #define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
+ linkage uint32_t name[num_stacks] \
+ [ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
+ STACK_ALIGNMENT) / sizeof(uint32_t)] \
+ __attribute__((section(".nozi_stack." # name), \
+ aligned(STACK_ALIGNMENT)))
+-
++#endif
+ #define GET_STACK(stack) ((vaddr_t)(stack) + STACK_SIZE(stack))
+
+ DECLARE_STACK(stack_tmp, CFG_TEE_CORE_NB_CORE, STACK_TMP_SIZE,
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch
new file mode 100644
index 0000000..381cad9
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch
@@ -0,0 +1,88 @@
+From d0e32b6e202cde672c2b38dc568122a52be716b4 Mon Sep 17 00:00:00 2001
+From: Jens Wiklander <jens.wiklander@linaro.org>
+Date: Mon, 21 Nov 2022 18:17:33 +0100
+Subject: [PATCH] core: arm: S-EL1 SPMC: boot ABI update
+
+Updates the boot ABI for S-EL1 SPMC to align better with other SPMCs,
+like Hafnium, but also with the non-FF-A configuration.
+
+Register usage:
+X0 - TOS FW config [1] address, if not NULL
+X2 - System DTB, if not NULL
+
+Adds check in the default get_aslr_seed() to see if the system DTB is
+present before trying to read kaslr-seed from secure-chosen.
+
+Note that this is an incompatible change and requires corresponding
+change in TF-A ("feat(qemu): update abi between spmd and spmc") [2].
+
+[1] A TF-A concept: TOS_FW_CONFIG - Trusted OS Firmware configuration
+ file. Used by Trusted OS (BL32), that is, OP-TEE in this case
+Link: [2] https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=25ae7ad1878244f78206cc7c91f7bdbd267331a1
+
+Upstream-Status: Accepted
+
+Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+---
+ core/arch/arm/kernel/boot.c | 8 +++++++-
+ core/arch/arm/kernel/entry_a64.S | 17 ++++++++---------
+ 2 files changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/core/arch/arm/kernel/boot.c b/core/arch/arm/kernel/boot.c
+index dd34173e838d..e02c02b6097d 100644
+--- a/core/arch/arm/kernel/boot.c
++++ b/core/arch/arm/kernel/boot.c
+@@ -1502,11 +1502,17 @@ struct ns_entry_context *boot_core_hpen(void)
+ #if defined(CFG_DT)
+ unsigned long __weak get_aslr_seed(void *fdt)
+ {
+- int rc = fdt_check_header(fdt);
++ int rc = 0;
+ const uint64_t *seed = NULL;
+ int offs = 0;
+ int len = 0;
+
++ if (!fdt) {
++ DMSG("No fdt");
++ goto err;
++ }
++
++ rc = fdt_check_header(fdt);
+ if (rc) {
+ DMSG("Bad fdt: %d", rc);
+ goto err;
+diff --git a/core/arch/arm/kernel/entry_a64.S b/core/arch/arm/kernel/entry_a64.S
+index 4c6e9d75ca45..047ae1f25cc9 100644
+--- a/core/arch/arm/kernel/entry_a64.S
++++ b/core/arch/arm/kernel/entry_a64.S
+@@ -143,21 +143,20 @@
+ .endm
+
+ FUNC _start , :
+-#if defined(CFG_CORE_SEL1_SPMC)
+ /*
+- * With OP-TEE as SPMC at S-EL1 the SPMD (SPD_spmd) in TF-A passes
+- * the DTB in x0, pagaeble part in x1 and the rest of the registers
+- * are unused
++ * If CFG_CORE_FFA is enabled, then x0 if non-NULL holds the TOS FW
++ * config [1] address, else x0 if non-NULL holds the pagable part
++ * address.
++ *
++ * [1] A TF-A concept: TOS_FW_CONFIG - Trusted OS Firmware
++ * configuration file. Used by Trusted OS (BL32), that is, OP-TEE
++ * here.
+ */
+- mov x19, x1 /* Save pagable part */
+- mov x20, x0 /* Save DT address */
+-#else
+- mov x19, x0 /* Save pagable part address */
++ mov x19, x0
+ #if defined(CFG_DT_ADDR)
+ ldr x20, =CFG_DT_ADDR
+ #else
+ mov x20, x2 /* Save DT address */
+-#endif
+ #endif
+
+ adr x0, reset_vect_table
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0006-core-ffa-add-TOS_FW_CONFIG-handling.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0006-core-ffa-add-TOS_FW_CONFIG-handling.patch
new file mode 100644
index 0000000..5421b10
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0006-core-ffa-add-TOS_FW_CONFIG-handling.patch
@@ -0,0 +1,246 @@
+From 9da324001fd93e1b3d9bca076e4afddbb5cac289 Mon Sep 17 00:00:00 2001
+From: Balint Dobszay <balint.dobszay@arm.com>
+Date: Fri, 10 Feb 2023 11:07:27 +0100
+Subject: [PATCH] core: ffa: add TOS_FW_CONFIG handling
+
+At boot TF-A passes two DT addresses (HW_CONFIG and TOS_FW_CONFIG), but
+currently only the HW_CONFIG address is saved, the other one is dropped.
+This commit adds functionality to save the TOS_FW_CONFIG too, so we can
+retrieve it later. This is necessary for the CFG_CORE_SEL1_SPMC use
+case, because the SPMC manifest is passed in this DT.
+
+Upstream-Status: Accepted
+
+Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>
+---
+ core/arch/arm/kernel/boot.c | 60 ++++++++++++++++++++++-
+ core/arch/arm/kernel/entry_a32.S | 3 +-
+ core/arch/arm/kernel/entry_a64.S | 13 ++++-
+ core/arch/arm/kernel/link_dummies_paged.c | 4 +-
+ core/arch/arm/kernel/secure_partition.c | 2 +-
+ core/include/kernel/boot.h | 7 ++-
+ 6 files changed, 81 insertions(+), 8 deletions(-)
+
+diff --git a/core/arch/arm/kernel/boot.c b/core/arch/arm/kernel/boot.c
+index e02c02b6097d..98e13c072d8e 100644
+--- a/core/arch/arm/kernel/boot.c
++++ b/core/arch/arm/kernel/boot.c
+@@ -1,6 +1,7 @@
+ // SPDX-License-Identifier: BSD-2-Clause
+ /*
+ * Copyright (c) 2015-2022, Linaro Limited
++ * Copyright (c) 2023, Arm Limited
+ */
+
+ #include <arm.h>
+@@ -83,6 +84,9 @@ struct dt_descriptor {
+ };
+
+ static struct dt_descriptor external_dt __nex_bss;
++#ifdef CFG_CORE_SEL1_SPMC
++static struct dt_descriptor tos_fw_config_dt __nex_bss;
++#endif
+ #endif
+
+ #ifdef CFG_SECONDARY_INIT_CNTFRQ
+@@ -1224,6 +1228,54 @@ static struct core_mmu_phys_mem *get_nsec_memory(void *fdt __unused,
+ #endif /*CFG_CORE_DYN_SHM*/
+ #endif /*!CFG_DT*/
+
++#if defined(CFG_CORE_SEL1_SPMC) && defined(CFG_DT)
++void *get_tos_fw_config_dt(void)
++{
++ if (!IS_ENABLED(CFG_MAP_EXT_DT_SECURE))
++ return NULL;
++
++ assert(cpu_mmu_enabled());
++
++ return tos_fw_config_dt.blob;
++}
++
++static void init_tos_fw_config_dt(unsigned long pa)
++{
++ struct dt_descriptor *dt = &tos_fw_config_dt;
++ void *fdt = NULL;
++ int ret = 0;
++
++ if (!IS_ENABLED(CFG_MAP_EXT_DT_SECURE))
++ return;
++
++ if (!pa)
++ panic("No TOS_FW_CONFIG DT found");
++
++ fdt = core_mmu_add_mapping(MEM_AREA_EXT_DT, pa, CFG_DTB_MAX_SIZE);
++ if (!fdt)
++ panic("Failed to map TOS_FW_CONFIG DT");
++
++ dt->blob = fdt;
++
++ ret = fdt_open_into(fdt, fdt, CFG_DTB_MAX_SIZE);
++ if (ret < 0) {
++ EMSG("Invalid Device Tree at %#lx: error %d", pa, ret);
++ panic();
++ }
++
++ IMSG("TOS_FW_CONFIG DT found");
++}
++#else
++void *get_tos_fw_config_dt(void)
++{
++ return NULL;
++}
++
++static void init_tos_fw_config_dt(unsigned long pa __unused)
++{
++}
++#endif /*CFG_CORE_SEL1_SPMC && CFG_DT*/
++
+ #ifdef CFG_CORE_DYN_SHM
+ static void discover_nsec_memory(void)
+ {
+@@ -1361,10 +1413,16 @@ static bool cpu_nmfi_enabled(void)
+ * Note: this function is weak just to make it possible to exclude it from
+ * the unpaged area.
+ */
+-void __weak boot_init_primary_late(unsigned long fdt)
++void __weak boot_init_primary_late(unsigned long fdt,
++ unsigned long tos_fw_config)
+ {
+ init_external_dt(fdt);
++ init_tos_fw_config_dt(tos_fw_config);
++#ifdef CFG_CORE_SEL1_SPMC
++ tpm_map_log_area(get_tos_fw_config_dt());
++#else
+ tpm_map_log_area(get_external_dt());
++#endif
+ discover_nsec_memory();
+ update_external_dt();
+ configure_console_from_dt();
+diff --git a/core/arch/arm/kernel/entry_a32.S b/core/arch/arm/kernel/entry_a32.S
+index 0f14ca2f6ad9..3758fd8b7674 100644
+--- a/core/arch/arm/kernel/entry_a32.S
++++ b/core/arch/arm/kernel/entry_a32.S
+@@ -1,7 +1,7 @@
+ /* SPDX-License-Identifier: BSD-2-Clause */
+ /*
+ * Copyright (c) 2014, Linaro Limited
+- * Copyright (c) 2021, Arm Limited
++ * Copyright (c) 2021-2023, Arm Limited
+ */
+
+ #include <arm32_macros.S>
+@@ -560,6 +560,7 @@ shadow_stack_access_ok:
+ str r0, [r8, #THREAD_CORE_LOCAL_FLAGS]
+ #endif
+ mov r0, r6 /* DT address */
++ mov r1, #0 /* unused */
+ bl boot_init_primary_late
+ #ifndef CFG_VIRTUALIZATION
+ mov r0, #THREAD_CLF_TMP
+diff --git a/core/arch/arm/kernel/entry_a64.S b/core/arch/arm/kernel/entry_a64.S
+index 047ae1f25cc9..fa76437fb73c 100644
+--- a/core/arch/arm/kernel/entry_a64.S
++++ b/core/arch/arm/kernel/entry_a64.S
+@@ -1,7 +1,7 @@
+ /* SPDX-License-Identifier: BSD-2-Clause */
+ /*
+ * Copyright (c) 2015-2022, Linaro Limited
+- * Copyright (c) 2021, Arm Limited
++ * Copyright (c) 2021-2023, Arm Limited
+ */
+
+ #include <platform_config.h>
+@@ -320,7 +320,11 @@ clear_nex_bss:
+ bl core_mmu_set_default_prtn_tbl
+ #endif
+
++#ifdef CFG_CORE_SEL1_SPMC
++ mov x0, xzr /* pager not used */
++#else
+ mov x0, x19 /* pagable part address */
++#endif
+ mov x1, #-1
+ bl boot_init_primary_early
+
+@@ -337,7 +341,12 @@ clear_nex_bss:
+ mov x22, x0
+ str wzr, [x22, #THREAD_CORE_LOCAL_FLAGS]
+ #endif
+- mov x0, x20 /* DT address */
++ mov x0, x20 /* DT address also known as HW_CONFIG */
++#ifdef CFG_CORE_SEL1_SPMC
++ mov x1, x19 /* TOS_FW_CONFIG DT address */
++#else
++ mov x1, xzr /* unused */
++#endif
+ bl boot_init_primary_late
+ #ifdef CFG_CORE_PAUTH
+ init_pauth_per_cpu
+diff --git a/core/arch/arm/kernel/link_dummies_paged.c b/core/arch/arm/kernel/link_dummies_paged.c
+index 3b8287e06a11..023a5f3f558b 100644
+--- a/core/arch/arm/kernel/link_dummies_paged.c
++++ b/core/arch/arm/kernel/link_dummies_paged.c
+@@ -1,6 +1,7 @@
+ // SPDX-License-Identifier: BSD-2-Clause
+ /*
+ * Copyright (c) 2017-2021, Linaro Limited
++ * Copyright (c) 2023, Arm Limited
+ */
+ #include <compiler.h>
+ #include <initcall.h>
+@@ -27,7 +28,8 @@ void __section(".text.dummy.call_finalcalls") call_finalcalls(void)
+ }
+
+ void __section(".text.dummy.boot_init_primary_late")
+-boot_init_primary_late(unsigned long fdt __unused)
++boot_init_primary_late(unsigned long fdt __unused,
++ unsigned long tos_fw_config __unused)
+ {
+ }
+
+diff --git a/core/arch/arm/kernel/secure_partition.c b/core/arch/arm/kernel/secure_partition.c
+index 1d36e90b1cf7..d386f1e4d211 100644
+--- a/core/arch/arm/kernel/secure_partition.c
++++ b/core/arch/arm/kernel/secure_partition.c
+@@ -1212,7 +1212,7 @@ static TEE_Result fip_sp_map_all(void)
+ int subnode = 0;
+ int root = 0;
+
+- fdt = get_external_dt();
++ fdt = get_tos_fw_config_dt();
+ if (!fdt) {
+ EMSG("No SPMC manifest found");
+ return TEE_ERROR_GENERIC;
+diff --git a/core/include/kernel/boot.h b/core/include/kernel/boot.h
+index 260854473b8b..941e093b29a1 100644
+--- a/core/include/kernel/boot.h
++++ b/core/include/kernel/boot.h
+@@ -1,7 +1,7 @@
+ /* SPDX-License-Identifier: BSD-2-Clause */
+ /*
+ * Copyright (c) 2015-2020, Linaro Limited
+- * Copyright (c) 2021, Arm Limited
++ * Copyright (c) 2021-2023, Arm Limited
+ */
+ #ifndef __KERNEL_BOOT_H
+ #define __KERNEL_BOOT_H
+@@ -46,7 +46,7 @@ extern const struct core_mmu_config boot_mmu_config;
+ /* @nsec_entry is unused if using CFG_WITH_ARM_TRUSTED_FW */
+ void boot_init_primary_early(unsigned long pageable_part,
+ unsigned long nsec_entry);
+-void boot_init_primary_late(unsigned long fdt);
++void boot_init_primary_late(unsigned long fdt, unsigned long tos_fw_config);
+ void boot_init_memtag(void);
+
+ void __panic_at_smc_return(void) __noreturn;
+@@ -103,6 +103,9 @@ void *get_embedded_dt(void);
+ /* Returns external DTB if present, otherwise NULL */
+ void *get_external_dt(void);
+
++/* Returns TOS_FW_CONFIG DTB if present, otherwise NULL */
++void *get_tos_fw_config_dt(void);
++
+ /*
+ * get_aslr_seed() - return a random seed for core ASLR
+ * @fdt: Pointer to a device tree if CFG_DT_ADDR=y
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0007-core-spmc-handle-non-secure-interrupts.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0007-core-spmc-handle-non-secure-interrupts.patch
new file mode 100644
index 0000000..94c1e04
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0007-core-spmc-handle-non-secure-interrupts.patch
@@ -0,0 +1,275 @@
+From 18ad0cce24addd45271edf3172ab9ce873186d7a Mon Sep 17 00:00:00 2001
+From: Imre Kis <imre.kis@arm.com>
+Date: Tue, 18 Apr 2023 16:41:51 +0200
+Subject: [PATCH] core: spmc: handle non-secure interrupts
+
+Add FFA_INTERRUPT and FFA_RUN support for signaling non-secure
+interrupts and for resuming to the secure world. If a secure partition
+is preempted by a non-secure interrupt OP-TEE saves the SP's state and
+sends an FFA_INTERRUPT to the normal world. After handling the interrupt
+the normal world should send an FFA_RUN to OP-TEE so it can continue
+running the SP.
+If OP-TEE is the active FF-A endpoint (i.e. it is running TAs) the
+non-secure interrupts are signaled by the existing
+OPTEE_FFA_YIELDING_CALL_RETURN_INTERRUPT message instead of
+FFA_INTERRUPT.
+
+Upstream-Status: Submitted [https://github.com/OP-TEE/optee_os/pull/6002]
+
+Signed-off-by: Imre Kis <imre.kis@arm.com>
+Change-Id: I577ebe86d416ee494963216a66a3bfc8206921b4
+---
+ core/arch/arm/include/ffa.h | 2 +-
+ .../arch/arm/include/kernel/spmc_sp_handler.h | 11 +++++++
+ core/arch/arm/kernel/secure_partition.c | 17 ++++++++++
+ core/arch/arm/kernel/spmc_sp_handler.c | 26 ++++++++++++++++
+ core/arch/arm/kernel/thread.c | 7 +++++
+ core/arch/arm/kernel/thread_spmc.c | 31 ++++++++++++++++++-
+ core/arch/arm/kernel/thread_spmc_a64.S | 30 ++++++++++++++++++
+ 7 files changed, 122 insertions(+), 2 deletions(-)
+
+diff --git a/core/arch/arm/include/ffa.h b/core/arch/arm/include/ffa.h
+index 5a19fb0c7ff3..b3d1d354735d 100644
+--- a/core/arch/arm/include/ffa.h
++++ b/core/arch/arm/include/ffa.h
+@@ -50,7 +50,7 @@
+ #define FFA_ID_GET U(0x84000069)
+ #define FFA_MSG_WAIT U(0x8400006B)
+ #define FFA_MSG_YIELD U(0x8400006C)
+-#define FFA_MSG_RUN U(0x8400006D)
++#define FFA_RUN U(0x8400006D)
+ #define FFA_MSG_SEND U(0x8400006E)
+ #define FFA_MSG_SEND_DIRECT_REQ_32 U(0x8400006F)
+ #define FFA_MSG_SEND_DIRECT_REQ_64 U(0xC400006F)
+diff --git a/core/arch/arm/include/kernel/spmc_sp_handler.h b/core/arch/arm/include/kernel/spmc_sp_handler.h
+index f5bda7bfe7d0..30c1e4691273 100644
+--- a/core/arch/arm/include/kernel/spmc_sp_handler.h
++++ b/core/arch/arm/include/kernel/spmc_sp_handler.h
+@@ -25,6 +25,8 @@ void spmc_sp_start_thread(struct thread_smc_args *args);
+ int spmc_sp_add_share(struct ffa_rxtx *rxtx,
+ size_t blen, uint64_t *global_handle,
+ struct sp_session *owner_sp);
++void spmc_sp_set_to_preempted(struct ts_session *ts_sess);
++int spmc_sp_resume_from_preempted(uint16_t endpoint_id);
+ #else
+ static inline void spmc_sp_start_thread(struct thread_smc_args *args __unused)
+ {
+@@ -37,6 +39,15 @@ static inline int spmc_sp_add_share(struct ffa_rxtx *rxtx __unused,
+ {
+ return FFA_NOT_SUPPORTED;
+ }
++
++static inline void spmc_sp_set_to_preempted(struct ts_session *ts_sess __unused)
++{
++}
++
++static inline int spmc_sp_resume_from_preempted(uint16_t endpoint_id __unused)
++{
++ return FFA_NOT_SUPPORTED;
++}
+ #endif
+
+ #endif /* __KERNEL_SPMC_SP_HANDLER_H */
+diff --git a/core/arch/arm/kernel/secure_partition.c b/core/arch/arm/kernel/secure_partition.c
+index d386f1e4d211..740be6d22e47 100644
+--- a/core/arch/arm/kernel/secure_partition.c
++++ b/core/arch/arm/kernel/secure_partition.c
+@@ -999,6 +999,8 @@ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s,
+ struct sp_session *sp_s = to_sp_session(s);
+ struct ts_session *sess = NULL;
+ struct thread_ctx_regs *sp_regs = NULL;
++ uint32_t thread_id = THREAD_ID_INVALID;
++ uint32_t rpc_target_info = 0;
+ uint32_t panicked = false;
+ uint32_t panic_code = 0;
+
+@@ -1011,8 +1013,23 @@ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s,
+ sp_regs->cpsr = read_daif() & (SPSR_64_DAIF_MASK << SPSR_64_DAIF_SHIFT);
+
+ exceptions = thread_mask_exceptions(THREAD_EXCP_ALL);
++
++ /*
++ * Store endpoint ID and thread ID in rpc_target_info. This will be used
++ * as w1 in FFA_INTERRUPT in case of a NWd interrupt.
++ */
++ rpc_target_info = thread_get_tsd()->rpc_target_info;
++ thread_id = thread_get_id();
++ assert((thread_id & ~0xffff) == 0);
++ thread_get_tsd()->rpc_target_info = (sp_s->endpoint_id << 16) |
++ (thread_id & 0xffff);
++
+ __thread_enter_user_mode(sp_regs, &panicked, &panic_code);
++
+ sp_regs->cpsr = cpsr;
++ /* Restore rpc_target_info */
++ thread_get_tsd()->rpc_target_info = rpc_target_info;
++
+ thread_unmask_exceptions(exceptions);
+
+ thread_user_clear_vfp(&ctx->uctx);
+diff --git a/core/arch/arm/kernel/spmc_sp_handler.c b/core/arch/arm/kernel/spmc_sp_handler.c
+index 46a15646ecf0..12681151a796 100644
+--- a/core/arch/arm/kernel/spmc_sp_handler.c
++++ b/core/arch/arm/kernel/spmc_sp_handler.c
+@@ -366,6 +366,32 @@ cleanup:
+ return res;
+ }
+
++void spmc_sp_set_to_preempted(struct ts_session *ts_sess)
++{
++ if (ts_sess && is_sp_ctx(ts_sess->ctx)) {
++ struct sp_session *sp_sess = to_sp_session(ts_sess);
++
++ assert(sp_sess->state == sp_busy);
++
++ sp_sess->state = sp_preempted;
++ }
++}
++
++int spmc_sp_resume_from_preempted(uint16_t endpoint_id)
++{
++ struct sp_session *sp_sess = sp_get_session(endpoint_id);
++
++ if (!sp_sess)
++ return FFA_INVALID_PARAMETERS;
++
++ if (sp_sess->state != sp_preempted)
++ return FFA_DENIED;
++
++ sp_sess->state = sp_busy;
++
++ return FFA_OK;
++}
++
+ static bool check_rxtx(struct ffa_rxtx *rxtx)
+ {
+ return rxtx && rxtx->rx && rxtx->tx && rxtx->size > 0;
+diff --git a/core/arch/arm/kernel/thread.c b/core/arch/arm/kernel/thread.c
+index 1e7f9f96b558..8cd4dc961b02 100644
+--- a/core/arch/arm/kernel/thread.c
++++ b/core/arch/arm/kernel/thread.c
+@@ -531,6 +531,13 @@ int thread_state_suspend(uint32_t flags, uint32_t cpsr, vaddr_t pc)
+ core_mmu_set_user_map(NULL);
+ }
+
++ if (IS_ENABLED(CFG_SECURE_PARTITION)) {
++ struct ts_session *ts_sess =
++ TAILQ_FIRST(&threads[ct].tsd.sess_stack);
++
++ spmc_sp_set_to_preempted(ts_sess);
++ }
++
+ l->curr_thread = THREAD_ID_INVALID;
+
+ if (IS_ENABLED(CFG_VIRTUALIZATION))
+diff --git a/core/arch/arm/kernel/thread_spmc.c b/core/arch/arm/kernel/thread_spmc.c
+index 3b4ac0b4e35c..bc4e7687d618 100644
+--- a/core/arch/arm/kernel/thread_spmc.c
++++ b/core/arch/arm/kernel/thread_spmc.c
+@@ -45,7 +45,7 @@ struct mem_frag_state {
+ #endif
+
+ /* Initialized in spmc_init() below */
+-static uint16_t my_endpoint_id;
++uint16_t my_endpoint_id;
+
+ /*
+ * If struct ffa_rxtx::size is 0 RX/TX buffers are not mapped or initialized.
+@@ -437,6 +437,32 @@ out:
+ FFA_PARAM_MBZ, FFA_PARAM_MBZ);
+ cpu_spin_unlock(&rxtx->spinlock);
+ }
++
++static void spmc_handle_run(struct thread_smc_args *args)
++{
++ uint16_t endpoint = (args->a1 >> 16) & 0xffff;
++ uint16_t thread_id = (args->a1 & 0xffff);
++ uint32_t rc = 0;
++
++ if (endpoint != my_endpoint_id) {
++ /*
++ * The endpoint should be an SP, try to resume the SP from
++ * preempted into busy state.
++ */
++ rc = spmc_sp_resume_from_preempted(endpoint);
++ if (rc)
++ goto out;
++ }
++
++ thread_resume_from_rpc(thread_id, 0, 0, 0, 0);
++
++ /* thread_resume_from_rpc return only of the thread_id is invalid */
++ rc = FFA_INVALID_PARAMETERS;
++
++out:
++ spmc_set_args(args, FFA_ERROR, FFA_PARAM_MBZ, rc, FFA_PARAM_MBZ,
++ FFA_PARAM_MBZ, FFA_PARAM_MBZ);
++}
+ #endif /*CFG_CORE_SEL1_SPMC*/
+
+ static void handle_yielding_call(struct thread_smc_args *args)
+@@ -970,6 +996,9 @@ void thread_spmc_msg_recv(struct thread_smc_args *args)
+ case FFA_PARTITION_INFO_GET:
+ spmc_handle_partition_info_get(args, &nw_rxtx);
+ break;
++ case FFA_RUN:
++ spmc_handle_run(args);
++ break;
+ #endif /*CFG_CORE_SEL1_SPMC*/
+ case FFA_INTERRUPT:
+ itr_core_handler();
+diff --git a/core/arch/arm/kernel/thread_spmc_a64.S b/core/arch/arm/kernel/thread_spmc_a64.S
+index 21cb62513a42..7297005a6038 100644
+--- a/core/arch/arm/kernel/thread_spmc_a64.S
++++ b/core/arch/arm/kernel/thread_spmc_a64.S
+@@ -14,6 +14,20 @@
+ #include <kernel/thread.h>
+ #include <optee_ffa.h>
+
++#if CFG_SECURE_PARTITION
++LOCAL_FUNC thread_ffa_interrupt , :
++ mov_imm x0, FFA_INTERRUPT /* FID */
++ /* X1: Endpoint/vCPU IDs is set by caller */
++ mov x2, #FFA_PARAM_MBZ /* Param MBZ */
++ mov x3, #FFA_PARAM_MBZ /* Param MBZ */
++ mov x4, #FFA_PARAM_MBZ /* Param MBZ */
++ mov x5, #FFA_PARAM_MBZ /* Param MBZ */
++ mov x6, #FFA_PARAM_MBZ /* Param MBZ */
++ mov x7, #FFA_PARAM_MBZ /* Param MBZ */
++ b .ffa_msg_loop
++END_FUNC thread_ffa_msg_wait
++#endif /* CFG_SECURE_PARTITION */
++
+ FUNC thread_ffa_msg_wait , :
+ mov_imm x0, FFA_MSG_WAIT /* FID */
+ mov x1, #FFA_TARGET_INFO_MBZ /* Target info MBZ */
+@@ -171,6 +185,14 @@ END_FUNC thread_rpc
+ * The current thread as indicated by @thread_index has just been
+ * suspended. The job here is just to inform normal world the thread id to
+ * resume when returning.
++ * If the active FF-A endpoint is OP-TEE (or a TA) then an this function send an
++ * OPTEE_FFA_YIELDING_CALL_RETURN_INTERRUPT message to the normal world via the
++ * FFA_MSG_SEND_DIRECT_RESP interface. This is handled by the OP-TEE
++ * driver in Linux so it can schedule task to the thread.
++ * If the active endpoint is an SP the function sends an FFA_INTERRUPT. This is
++ * handled by the FF-A driver and after taking care of the NWd interrupts it
++ * returns via an FFA_RUN call.
++ * The active endpoint is determined by the upper 16 bits of rpc_target_info.
+ */
+ FUNC thread_foreign_intr_exit , :
+ /* load threads[w0].tsd.rpc_target_info into w1 */
+@@ -178,6 +200,14 @@ FUNC thread_foreign_intr_exit , :
+ adr_l x2, threads
+ madd x1, x1, x0, x2
+ ldr w1, [x1, #THREAD_CTX_TSD_RPC_TARGET_INFO]
++#if CFG_SECURE_PARTITION
++ adr_l x2, my_endpoint_id
++ ldrh w2, [x2]
++ lsr w3, w1, #16
++ cmp w2, w3
++ /* (threads[w0].tsd.rpc_target_info >> 16) != my_endpoint_id */
++ bne thread_ffa_interrupt
++#endif /* CFG_SECURE_PARTITION */
+ mov x2, #FFA_PARAM_MBZ
+ mov w3, #FFA_PARAM_MBZ
+ mov w4, #OPTEE_FFA_YIELDING_CALL_RETURN_INTERRUPT
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch
new file mode 100644
index 0000000..9f7d781
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-3.20.0/0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch
@@ -0,0 +1,148 @@
+From e7835c526aabd8e5b6db335619a0d86165c587ed Mon Sep 17 00:00:00 2001
+From: Imre Kis <imre.kis@arm.com>
+Date: Tue, 25 Apr 2023 14:19:14 +0200
+Subject: [PATCH] core: spmc: configure SP's NS interrupt action based on the
+ manifest
+
+Used mandatory ns-interrupts-action SP manifest property to configure
+signaled or queued non-secure interrupt handling.
+
+Upstream-Status: Submitted [https://github.com/OP-TEE/optee_os/pull/6002]
+
+Signed-off-by: Imre Kis <imre.kis@arm.com>
+Change-Id: I843e69e5dbb9613ecd8b95654e8ca1730a594ca6
+---
+ .../arm/include/kernel/secure_partition.h | 2 +
+ core/arch/arm/kernel/secure_partition.c | 66 +++++++++++++++++--
+ 2 files changed, 63 insertions(+), 5 deletions(-)
+
+diff --git a/core/arch/arm/include/kernel/secure_partition.h b/core/arch/arm/include/kernel/secure_partition.h
+index 24b0a8cc07d2..51f6b697e5eb 100644
+--- a/core/arch/arm/include/kernel/secure_partition.h
++++ b/core/arch/arm/include/kernel/secure_partition.h
+@@ -43,6 +43,8 @@ struct sp_session {
+ unsigned int spinlock;
+ const void *fdt;
+ bool is_initialized;
++ uint32_t ns_interrupts_action;
++ uint32_t ns_interrupts_action_inherited;
+ TAILQ_ENTRY(sp_session) link;
+ };
+
+diff --git a/core/arch/arm/kernel/secure_partition.c b/core/arch/arm/kernel/secure_partition.c
+index 740be6d22e47..b644e1c72e6a 100644
+--- a/core/arch/arm/kernel/secure_partition.c
++++ b/core/arch/arm/kernel/secure_partition.c
+@@ -46,6 +46,10 @@
+ SP_MANIFEST_ATTR_WRITE | \
+ SP_MANIFEST_ATTR_EXEC)
+
++#define SP_MANIFEST_NS_INT_QUEUED (0x0)
++#define SP_MANIFEST_NS_INT_MANAGED_EXIT (0x1)
++#define SP_MANIFEST_NS_INT_SIGNALED (0x2)
++
+ #define SP_PKG_HEADER_MAGIC (0x474b5053)
+ #define SP_PKG_HEADER_VERSION_V1 (0x1)
+ #define SP_PKG_HEADER_VERSION_V2 (0x2)
+@@ -907,6 +911,30 @@ static TEE_Result sp_init_uuid(const TEE_UUID *uuid, const void * const fdt)
+ return res;
+ DMSG("endpoint is 0x%"PRIx16, sess->endpoint_id);
+
++ res = sp_dt_get_u32(fdt, 0, "ns-interrupts-action",
++ &sess->ns_interrupts_action);
++
++ if (res) {
++ EMSG("Mandatory property is missing: ns-interrupts-action");
++ return res;
++ }
++
++ switch (sess->ns_interrupts_action) {
++ case SP_MANIFEST_NS_INT_QUEUED:
++ case SP_MANIFEST_NS_INT_SIGNALED:
++ /* OK */
++ break;
++
++ case SP_MANIFEST_NS_INT_MANAGED_EXIT:
++ EMSG("Managed exit is not implemented");
++ return TEE_ERROR_NOT_IMPLEMENTED;
++
++ default:
++ EMSG("Invalid ns-interrupts-action value: %d",
++ sess->ns_interrupts_action);
++ return TEE_ERROR_BAD_PARAMETERS;
++ }
++
+ return TEE_SUCCESS;
+ }
+
+@@ -989,17 +1017,45 @@ TEE_Result sp_enter(struct thread_smc_args *args, struct sp_session *sp)
+ return res;
+ }
+
++/*
++ * According to FF-A v1.1 section 8.3.1.4 if a caller requires less permissive
++ * active on NS interrupt than the callee, the callee must inherit the caller's
++ * configuration.
++ * Each SP's own NS action setting is stored in ns_interrupts_action. The
++ * effective action will be MIN([self action], [caller's action]) which is
++ * stored in the ns_interrupts_action_inherited field.
++ */
++static void sp_cpsr_configure_foreing_interrupts(struct sp_session *s,
++ struct ts_session *caller,
++ uint64_t *cpsr)
++{
++ if (caller) {
++ struct sp_session *caller_sp = to_sp_session(caller);
++
++ s->ns_interrupts_action_inherited =
++ MIN(caller_sp->ns_interrupts_action_inherited,
++ s->ns_interrupts_action);
++ } else {
++ s->ns_interrupts_action_inherited = s->ns_interrupts_action;
++ }
++
++ if (s->ns_interrupts_action_inherited == SP_MANIFEST_NS_INT_QUEUED)
++ *cpsr |= (THREAD_EXCP_FOREIGN_INTR << ARM32_CPSR_F_SHIFT);
++ else
++ *cpsr &= ~(THREAD_EXCP_FOREIGN_INTR << ARM32_CPSR_F_SHIFT);
++}
++
+ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s,
+ uint32_t cmd __unused)
+ {
+ struct sp_ctx *ctx = to_sp_ctx(s->ctx);
+ TEE_Result res = TEE_SUCCESS;
+ uint32_t exceptions = 0;
+- uint64_t cpsr = 0;
+ struct sp_session *sp_s = to_sp_session(s);
+ struct ts_session *sess = NULL;
+ struct thread_ctx_regs *sp_regs = NULL;
+ uint32_t thread_id = THREAD_ID_INVALID;
++ struct ts_session *caller = NULL;
+ uint32_t rpc_target_info = 0;
+ uint32_t panicked = false;
+ uint32_t panic_code = 0;
+@@ -1009,11 +1065,12 @@ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s,
+ sp_regs = &ctx->sp_regs;
+ ts_push_current_session(s);
+
+- cpsr = sp_regs->cpsr;
+- sp_regs->cpsr = read_daif() & (SPSR_64_DAIF_MASK << SPSR_64_DAIF_SHIFT);
+-
+ exceptions = thread_mask_exceptions(THREAD_EXCP_ALL);
+
++ /* Enable/disable foreign interrupts in CPSR/SPSR */
++ caller = ts_get_calling_session();
++ sp_cpsr_configure_foreing_interrupts(sp_s, caller, &sp_regs->cpsr);
++
+ /*
+ * Store endpoint ID and thread ID in rpc_target_info. This will be used
+ * as w1 in FFA_INTERRUPT in case of a NWd interrupt.
+@@ -1026,7 +1083,6 @@ static TEE_Result sp_enter_invoke_cmd(struct ts_session *s,
+
+ __thread_enter_user_mode(sp_regs, &panicked, &panic_code);
+
+- sp_regs->cpsr = cpsr;
+ /* Restore rpc_target_info */
+ thread_get_tsd()->rpc_target_info = rpc_target_info;
+
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-tadevkit_3.18.0.bb b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-tadevkit_3.18.0.bb
new file mode 100644
index 0000000..ff0baf8
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-tadevkit_3.18.0.bb
@@ -0,0 +1,24 @@
+require optee-os_3.18.0.bb
+
+SUMMARY = "OP-TEE Trusted OS TA devkit"
+DESCRIPTION = "OP-TEE TA devkit for build TAs"
+HOMEPAGE = "https://www.op-tee.org/"
+
+DEPENDS += "python3-pycryptodome-native"
+
+do_install() {
+ #install TA devkit
+ install -d ${D}${includedir}/optee/export-user_ta/
+ for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
+ cp -aR $f ${D}${includedir}/optee/export-user_ta/
+ done
+}
+
+do_deploy() {
+ echo "Do not inherit do_deploy from optee-os."
+}
+
+FILES:${PN} = "${includedir}/optee/"
+
+# Build paths are currently embedded
+INSANE_SKIP:${PN}-dev += "buildpaths"
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-tadevkit_3.20.0.bb b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-tadevkit_3.20.0.bb
new file mode 100644
index 0000000..202caa5
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-tadevkit_3.20.0.bb
@@ -0,0 +1,24 @@
+require optee-os_3.20.0.bb
+
+SUMMARY = "OP-TEE Trusted OS TA devkit"
+DESCRIPTION = "OP-TEE TA devkit for build TAs"
+HOMEPAGE = "https://www.op-tee.org/"
+
+DEPENDS += "python3-pycryptodome-native"
+
+do_install() {
+ #install TA devkit
+ install -d ${D}${includedir}/optee/export-user_ta/
+ for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
+ cp -aR $f ${D}${includedir}/optee/export-user_ta/
+ done
+}
+
+do_deploy() {
+ echo "Do not inherit do_deploy from optee-os."
+}
+
+FILES:${PN} = "${includedir}/optee/"
+
+# Build paths are currently embedded
+INSANE_SKIP:${PN}-dev += "buildpaths"
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-ts-3.18.inc b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-ts-3.18.inc
new file mode 100644
index 0000000..4dffc46
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os-ts-3.18.inc
@@ -0,0 +1,54 @@
+# Include Trusted Services SPs accordingly to defined machine features
+
+# Please notice that OPTEE will load SPs in the order listed in this file.
+# If an SP requires another SP to be already loaded it must be listed lower.
+
+# TS SPs UUIDs definitions
+require recipes-security/trusted-services/ts-uuid.inc
+
+TS_ENV = "opteesp"
+TS_BIN = "${RECIPE_SYSROOT}/usr/${TS_ENV}/bin"
+
+# ITS SP
+DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-its', \
+ ' ts-sp-its', '' , d)}"
+SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-its', \
+ ' ${TS_BIN}/${ITS_UUID}.stripped.elf', '', d)}"
+
+# Storage SP
+DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-storage', \
+ ' ts-sp-storage', '' , d)}"
+SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-storage', \
+ ' ${TS_BIN}/${STORAGE_UUID}.stripped.elf', '', d)}"
+
+# Crypto SP.
+DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-crypto', \
+ ' ts-sp-crypto', '' , d)}"
+SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-crypto', \
+ ' ${TS_BIN}/${CRYPTO_UUID}.stripped.elf', '', d)}"
+
+# Attestation SP
+DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation', \
+ ' ts-sp-attestation', '' , d)}"
+SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-attestation', \
+ ' ${TS_BIN}/${ATTESTATION_UUID}.stripped.elf', '', d)}"
+
+# Env-test SP
+DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-env-test', \
+ ' ts-sp-env-test', '' , d)}"
+SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-env-test', \
+ ' ${TS_BIN}/${ENV_TEST_UUID}.stripped.elf', '', d)}"
+
+# SE-Proxy SP
+DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-se-proxy', \
+ ' ts-sp-se-proxy', '' , d)}"
+SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-se-proxy', \
+ ' ${TS_BIN}/${SE_PROXY_UUID}.stripped.elf', '', d)}"
+
+# SMM Gateway
+DEPENDS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \
+ ' ts-sp-smm-gateway', '' , d)}"
+SP_PATHS:append = "${@bb.utils.contains('MACHINE_FEATURES', 'ts-smm-gateway', \
+ ' ${TS_BIN}/${SMM_GATEWAY_UUID}.stripped.elf', '', d)}"
+
+EXTRA_OEMAKE:append = "${@oe.utils.conditional('SP_PATHS', '', '', ' CFG_MAP_EXT_DT_SECURE=y CFG_SECURE_PARTITION=y SP_PATHS="${SP_PATHS}" ', d)}"
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.18.0.bb b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.18.0.bb
new file mode 100644
index 0000000..6e1e6ad
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.18.0.bb
@@ -0,0 +1,15 @@
+require recipes-security/optee/optee-os.inc
+
+DEPENDS += "dtc-native"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/${P}:"
+
+SRCREV = "1ee647035939e073a2e8dddb727c0f019cc035f1"
+SRC_URI += " \
+ file://0001-allow-setting-sysroot-for-libgcc-lookup.patch \
+ file://0002-optee-enable-clang-support.patch \
+ file://0003-core-link-add-no-warn-rwx-segments.patch \
+ file://0004-core-Define-section-attributes-for-clang.patch \
+ file://0005-core-ldelf-link-add-z-execstack.patch \
+ file://0006-arm32-libutils-libutee-ta-add-.note.GNU-stack-sectio.patch \
+ "
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.20.0.bb b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.20.0.bb
new file mode 100644
index 0000000..0f3e58d
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_3.20.0.bb
@@ -0,0 +1,17 @@
+require recipes-security/optee/optee-os.inc
+
+DEPENDS += "dtc-native"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/${P}:"
+
+SRCREV = "8e74d47616a20eaa23ca692f4bbbf917a236ed94"
+SRC_URI += " \
+ file://0001-allow-setting-sysroot-for-libgcc-lookup.patch \
+ file://0002-optee-enable-clang-support.patch \
+ file://0003-core-link-add-no-warn-rwx-segments.patch \
+ file://0004-core-Define-section-attributes-for-clang.patch \
+ file://0005-core-arm-S-EL1-SPMC-boot-ABI-update.patch \
+ file://0006-core-ffa-add-TOS_FW_CONFIG-handling.patch \
+ file://0007-core-spmc-handle-non-secure-interrupts.patch \
+ file://0008-core-spmc-configure-SP-s-NS-interrupt-action-based-o.patch \
+ "
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test/Update-arm_ffa_user-driver-dependency.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test/Update-arm_ffa_user-driver-dependency.patch
new file mode 100644
index 0000000..e889f74
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test/Update-arm_ffa_user-driver-dependency.patch
@@ -0,0 +1,39 @@
+From 7e15470f3dd45c844f0e0901f0c85c46a0882b8b Mon Sep 17 00:00:00 2001
+From: Gabor Toth <gabor.toth2@arm.com>
+Date: Fri, 3 Mar 2023 12:23:45 +0100
+Subject: [PATCH 1/2] Update arm_ffa_user driver dependency
+
+Updating arm-ffa-user to v5.0.1 to get the following changes:
+ - move to 64 bit direct messages
+ - add Linux Kernel v6.1 compatibility
+The motivation is to update x-test to depend on the same driver
+version as TS uefi-test and thus to enable running these in a single
+configuration.
+Note: arm_ffa_user.h was copied from:
+ - URL:https://git.gitlab.arm.com/linux-arm/linux-trusted-services.git
+ - SHA:18e3be71f65a405dfb5d97603ae71b3c11759861
+
+Upstream-Status: Backport
+
+Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
+Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
+---
+ host/xtest/include/uapi/linux/arm_ffa_user.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/host/xtest/include/uapi/linux/arm_ffa_user.h b/host/xtest/include/uapi/linux/arm_ffa_user.h
+index 9ef0be3..0acde4f 100644
+--- a/host/xtest/include/uapi/linux/arm_ffa_user.h
++++ b/host/xtest/include/uapi/linux/arm_ffa_user.h
+@@ -33,7 +33,7 @@ struct ffa_ioctl_ep_desc {
+ * @dst_id: [in] 16-bit ID of destination endpoint.
+ */
+ struct ffa_ioctl_msg_args {
+- __u32 args[5];
++ __u64 args[5];
+ __u16 dst_id;
+ };
+ #define FFA_IOC_MSG_SEND _IOWR(FFA_IOC_MAGIC, FFA_IOC_BASE + 1, \
+--
+2.39.1.windows.1
+
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test/ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test/ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch
new file mode 100644
index 0000000..d333e86
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test/ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch
@@ -0,0 +1,163 @@
+From 6734d14cc249af37705129de7874533df9535cd3 Mon Sep 17 00:00:00 2001
+From: Gabor Toth <gabor.toth2@arm.com>
+Date: Fri, 3 Mar 2023 12:25:58 +0100
+Subject: [PATCH 2/2] ffa_spmc: Add arm_ffa_user driver compatibility check
+
+Check the version of the arm_ffa_user Kernel Driver and fail with a
+meaningful message if incompatible driver is detected.
+
+Upstream-Status: Backport
+
+Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
+Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
+---
+ host/xtest/ffa_spmc_1000.c | 68 ++++++++++++++++++++++++++++++++++----
+ 1 file changed, 61 insertions(+), 7 deletions(-)
+
+diff --git a/host/xtest/ffa_spmc_1000.c b/host/xtest/ffa_spmc_1000.c
+index 15f4a46..1839d03 100644
+--- a/host/xtest/ffa_spmc_1000.c
++++ b/host/xtest/ffa_spmc_1000.c
+@@ -1,11 +1,12 @@
+ // SPDX-License-Identifier: BSD-3-Clause
+ /*
+- * Copyright (c) 2022, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2022-2023, Arm Limited and Contributors. All rights reserved.
+ */
+ #include <fcntl.h>
+ #include <ffa.h>
+ #include <stdio.h>
+ #include <string.h>
++#include <errno.h>
+ #include <sys/ioctl.h>
+ #include <unistd.h>
+ #include "include/uapi/linux/arm_ffa_user.h"
+@@ -17,6 +18,10 @@
+ #define INCORRECT_ENDPOINT_ID 0xffff
+ #define NORMAL_WORLD_ENDPOINT_ID 0
+
++#define FFA_USER_REQ_VER_MAJOR 5
++#define FFA_USER_REQ_VER_MINOR 0
++#define FFA_USER_REQ_VER_PATCH 1
++
+ /* Get the 32 least significant bits of a handle.*/
+ #define MEM_SHARE_HANDLE_LOW(x) ((x) & 0xffffffff)
+ /* Get the 32 most significant bits of a handle.*/
+@@ -62,6 +67,50 @@ static struct ffa_ioctl_ep_desc test_endpoint3 = {
+ .uuid_ptr = (uint64_t)test_endpoint3_uuid,
+ };
+
++static bool check_ffa_user_version(void)
++{
++ FILE *f = NULL;
++ int ver_major = -1;
++ int ver_minor = -1;
++ int ver_patch = -1;
++ int scan_cnt = 0;
++
++ f = fopen("/sys/module/arm_ffa_user/version", "r");
++ if (f) {
++ scan_cnt = fscanf(f, "%d.%d.%d",
++ &ver_major, &ver_minor, &ver_patch);
++ fclose(f);
++ if (scan_cnt != 3) {
++ printf("error: failed to parse arm_ffa_user version\n");
++ return false;
++ }
++ } else {
++ printf("error: failed to read arm_ffa_user module info - %s\n",
++ strerror(errno));
++ return false;
++ }
++
++ if (ver_major != FFA_USER_REQ_VER_MAJOR)
++ goto err;
++
++ if (ver_minor < FFA_USER_REQ_VER_MINOR)
++ goto err;
++
++ if (ver_minor == FFA_USER_REQ_VER_MINOR)
++ if (ver_patch < FFA_USER_REQ_VER_PATCH)
++ goto err;
++
++ return true;
++
++err:
++ printf("error: Incompatible arm_ffa_user driver detected.");
++ printf("Found v%d.%d.%d wanted >= v%d.%d.%d)\n",
++ ver_major, ver_minor, ver_patch, FFA_USER_REQ_VER_MAJOR,
++ FFA_USER_REQ_VER_MINOR, FFA_USER_REQ_VER_PATCH);
++
++ return false;
++}
++
+ static void close_debugfs(void)
+ {
+ int err = 0;
+@@ -76,6 +125,9 @@ static void close_debugfs(void)
+
+ static bool init_sp_xtest(ADBG_Case_t *c)
+ {
++ if (!check_ffa_user_version())
++ return false;
++
+ if (ffa_fd < 0) {
+ ffa_fd = open(FFA_DRIVER_FS_PATH, O_RDWR);
+ if (ffa_fd < 0) {
+@@ -83,6 +135,7 @@ static bool init_sp_xtest(ADBG_Case_t *c)
+ return false;
+ }
+ }
++
+ return true;
+ }
+
+@@ -99,7 +152,7 @@ static uint16_t get_endpoint_id(uint64_t endp)
+ struct ffa_ioctl_ep_desc sid = { .uuid_ptr = endp };
+
+ /* Get ID of destination SP based on UUID */
+- if(ioctl(ffa_fd, FFA_IOC_GET_PART_ID, &sid))
++ if (ioctl(ffa_fd, FFA_IOC_GET_PART_ID, &sid))
+ return INCORRECT_ENDPOINT_ID;
+
+ return sid.id;
+@@ -213,14 +266,15 @@ static int set_up_mem(struct ffa_ioctl_ep_desc *endp,
+ rc = share_mem(endpoint, handle);
+ ADBG_EXPECT_COMPARE_SIGNED(c, rc, ==, 0);
+
+- if (!ADBG_EXPECT_TRUE(c, handle != NULL))
+- return TEEC_ERROR_GENERIC;
++ if (!ADBG_EXPECT_NOT_NULL(c, handle))
++ return TEEC_ERROR_GENERIC;
+
+ /* SP will retrieve the memory region. */
+ memset(args, 0, sizeof(*args));
+ args->dst_id = endpoint;
+ args->args[MEM_SHARE_HANDLE_LOW_INDEX] = MEM_SHARE_HANDLE_LOW(*handle);
+- args->args[MEM_SHARE_HANDLE_HIGH_INDEX] = MEM_SHARE_HANDLE_HIGH(*handle);
++ args->args[MEM_SHARE_HANDLE_HIGH_INDEX] =
++ MEM_SHARE_HANDLE_HIGH(*handle);
+ args->args[MEM_SHARE_HANDLE_ENDPOINT_INDEX] = NORMAL_WORLD_ENDPOINT_ID;
+
+ rc = start_sp_test(endpoint, EP_RETRIEVE, args);
+@@ -254,7 +308,7 @@ static void xtest_ffa_spmc_test_1002(ADBG_Case_t *c)
+ rc = start_sp_test(endpoint1_id, EP_TEST_SP, &args);
+ ADBG_EXPECT_COMPARE_SIGNED(c, rc, ==, 0);
+ if (!ADBG_EXPECT_COMPARE_UNSIGNED(c, args.args[0], ==, SPMC_TEST_OK))
+- goto out;
++ goto out;
+
+ /* Set up memory and have the SP retrieve it. */
+ Do_ADBG_BeginSubCase(c, "Test memory set-up");
+@@ -469,7 +523,7 @@ static void xtest_ffa_spmc_test_1005(ADBG_Case_t *c)
+ memset(&args, 0, sizeof(args));
+ args.args[1] = endpoint2;
+ args.args[2] = endpoint3;
+- rc = start_sp_test(endpoint1, EP_SP_MEM_SHARING_MULTI,&args);
++ rc = start_sp_test(endpoint1, EP_SP_MEM_SHARING_MULTI, &args);
+ ADBG_EXPECT_COMPARE_SIGNED(c, rc, ==, 0);
+ ADBG_EXPECT_COMPARE_UNSIGNED(c, args.args[0], ==, SPMC_TEST_OK);
+
+--
+2.39.1.windows.1
+
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test/musl-workaround.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test/musl-workaround.patch
new file mode 100644
index 0000000..eed1bd4
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test/musl-workaround.patch
@@ -0,0 +1,24 @@
+Hack to work around musl compile error:
+ In file included from optee-test/3.17.0-r0/recipe-sysroot/usr/include/sys/stat.h:23,
+ from optee-test/3.17.0-r0/git/host/xtest/regression_1000.c:25:
+ optee-test/3.17.0-r0/recipe-sysroot/usr/include/bits/stat.h:17:26: error: expected identifier or '(' before '[' token
+ 17 | unsigned __unused[2];
+ | ^
+
+stat.h is not needed, since it is not being used in this file. So removing it.
+
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Jon Mason <jon.mason@arm.com>
+
+diff --git a/host/xtest/regression_1000.c b/host/xtest/regression_1000.c
+index 4264884..7f1baca 100644
+--- a/host/xtest/regression_1000.c
++++ b/host/xtest/regression_1000.c
+@@ -22,7 +22,6 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+-#include <sys/stat.h>
+ #include <sys/types.h>
+ #include <ta_arm_bti.h>
+ #include <ta_concurrent.h>
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test/run-ptest b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test/run-ptest
new file mode 100755
index 0000000..ba88c14
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test/run-ptest
@@ -0,0 +1,52 @@
+#!/bin/sh
+xtest | awk '
+
+ # Escapes the special characters in a string so that, when
+ # included in a regex, it represents a literal match
+ function regx_escape_literal(str, ret) {
+ ret = str
+ gsub(/[\[\]\^\$\.\*\?\+\{\}\\\(\)\|]/ , "\\\\&", str)
+ return str
+ }
+
+ # Returns the simple test formatted name
+ function name(n, ret) {
+ ret = n
+ gsub(/\./, " ", ret)
+ return ret
+ }
+
+ # Returns the simple test formatted result
+ function result(res) {
+ if(res ~ /OK/) {
+ return "PASS"
+ } else if(res ~ /FAILED/) {
+ return "FAIL"
+ }
+ }
+
+ function parse(name, description, has_subtests, result_line) {
+ has_subtests = 0
+
+ # Consume every line up to the result line
+ result_line = " " regx_escape_literal(name) " (OK|FAILED)"
+ do {
+ getline
+
+ # If this is a subtest (denoted by an "o" bullet) then subparse
+ if($0 ~ /^o /) {
+ parse($2, description " : " substr($0, index($0, $3)))
+ has_subtests = 1
+ }
+ } while ($0 !~ result_line)
+
+ # Only print the results for the deepest nested subtests
+ if(!has_subtests) {
+ print result($2) ": " name(name) " - " description
+ }
+ }
+
+ # Start parsing at the beginning of every test (denoted by a "*" bullet)
+ /^\* / { parse($2, substr($0, index($0, $3))) }
+
+'
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test_3.18.0.bb b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test_3.18.0.bb
new file mode 100644
index 0000000..436733e
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test_3.18.0.bb
@@ -0,0 +1,10 @@
+require recipes-security/optee/optee-test.inc
+
+SRC_URI += " \
+ file://musl-workaround.patch \
+ "
+SRCREV = "da5282a011b40621a2cf7a296c11a35c833ed91b"
+
+EXTRA_OEMAKE:append:libc-musl = " OPTEE_OPENSSL_EXPORT=${STAGING_INCDIR}"
+DEPENDS:append:libc-musl = " openssl"
+CFLAGS:append:libc-musl = " -Wno-error=deprecated-declarations"
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test_3.20.0.bb b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test_3.20.0.bb
new file mode 100644
index 0000000..03ea911
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-test_3.20.0.bb
@@ -0,0 +1,12 @@
+require recipes-security/optee/optee-test.inc
+
+SRC_URI += " \
+ file://Update-arm_ffa_user-driver-dependency.patch \
+ file://ffa_spmc-Add-arm_ffa_user-driver-compatibility-check.patch \
+ file://musl-workaround.patch \
+ "
+SRCREV = "5db8ab4c733d5b2f4afac3e9aef0a26634c4b444"
+
+EXTRA_OEMAKE:append = " OPTEE_OPENSSL_EXPORT=${STAGING_INCDIR}"
+DEPENDS:append = " openssl"
+CFLAGS:append = " -Wno-error=deprecated-declarations"