diff --git a/meta-arm/.gitlab-ci.yml b/meta-arm/.gitlab-ci.yml
index 9dee580..22ecfd7 100644
--- a/meta-arm/.gitlab-ci.yml
+++ b/meta-arm/.gitlab-ci.yml
@@ -9,6 +9,8 @@
   # by default
   FF_KUBERNETES_HONOR_ENTRYPOINT: 1
   FF_USE_LEGACY_KUBERNETES_EXECUTION_STRATEGY: 0
+  ACS_TEST: 0
+  ACS_TAG: ""
 
 stages:
   - prep
@@ -67,8 +69,8 @@
     name: "logs"
     when: always
     paths:
-      - $CI_PROJECT_DIR/work/build/tmp/work*/**/temp/log.do_*.*
-      - $CI_PROJECT_DIR/work/build/tmp/work*/**/testimage/*
+      - $CI_PROJECT_DIR/work/build/tmp*/work*/**/temp/log.do_*.*
+      - $CI_PROJECT_DIR/work/build/tmp*/work*/**/testimage/*
 
 #
 # Prep stage, update repositories once.
@@ -126,6 +128,20 @@
     matrix:
       - TESTING: testimage
       - FIRMWARE: edk2
+      - SYSTEMREADY_FIRMWARE: arm-systemready-firmware
+
+arm-systemready-ir-acs:
+  extends: .build
+  timeout: 12h
+  parallel:
+    matrix:
+      # arm-systemready-ir-acs must be specified after fvp-base for ordering
+      # purposes for the jobs-to-kas output. It is not enough to just have it
+      # in the job name because fvp-base.yml overwrites the target.
+      - PLATFORM: fvp-base
+        ARM_SYSTEMREADY_IR_ACS: arm-systemready-ir-acs
+  tags:
+    - ${ACS_TAG}
 
 fvps:
   extends: .build
diff --git a/meta-arm/ci/arm-systemready-firmware.yml b/meta-arm/ci/arm-systemready-firmware.yml
new file mode 100644
index 0000000..1854c2a
--- /dev/null
+++ b/meta-arm/ci/arm-systemready-firmware.yml
@@ -0,0 +1,4 @@
+header:
+  version: 11
+  includes:
+    - kas/arm-systemready-firmware.yml
diff --git a/meta-arm/ci/arm-systemready-ir-acs.yml b/meta-arm/ci/arm-systemready-ir-acs.yml
new file mode 100644
index 0000000..6cfead6
--- /dev/null
+++ b/meta-arm/ci/arm-systemready-ir-acs.yml
@@ -0,0 +1,14 @@
+header:
+  version: 11
+  includes:
+    - kas/arm-systemready-ir-acs.yml
+
+env:
+  ACS_TEST: "0"
+
+local_conf_header:
+  testimage: |
+    TESTIMAGE_AUTO = "${ACS_TEST}"
+
+target:
+  - arm-systemready-ir-acs
diff --git a/meta-arm/ci/base.yml b/meta-arm/ci/base.yml
index dd3ab21..4296d27 100644
--- a/meta-arm/ci/base.yml
+++ b/meta-arm/ci/base.yml
@@ -5,7 +5,7 @@
 
 defaults:
   repos:
-    branch: nanbield
+    branch: master
 
 repos:
   meta-arm:
diff --git a/meta-arm/ci/meta-secure-core.yml b/meta-arm/ci/meta-secure-core.yml
index 94b11a7..2d9fc2c 100644
--- a/meta-arm/ci/meta-secure-core.yml
+++ b/meta-arm/ci/meta-secure-core.yml
@@ -5,7 +5,7 @@
   meta-secure-core:
     url: https://github.com/Wind-River/meta-secure-core.git
     layers:
-      meta:
+      meta-secure-core-common:
       meta-signing-key:
       meta-efi-secure-boot:
       
diff --git a/meta-arm/kas/arm-systemready-ir-acs.yml b/meta-arm/kas/arm-systemready-ir-acs.yml
index 38604d7..aef3e71 100644
--- a/meta-arm/kas/arm-systemready-ir-acs.yml
+++ b/meta-arm/kas/arm-systemready-ir-acs.yml
@@ -8,10 +8,5 @@
   # The full testimage run typically takes around 12-24h on fvp-base.
   TEST_OVERALL_TIMEOUT: "${@ 24*60*60}"
 
-local_conf_header:
-  systemready-ir-acs: |
-    IMAGE_CLASSES:append = " testimage"
-
-
 target:
   - arm-systemready-ir-acs
diff --git a/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc b/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc
index 749350e..063a315 100644
--- a/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc
+++ b/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc
@@ -36,7 +36,7 @@
 UBOOT_EXTLINUX = "0"
 
 #optee
-PREFERRED_VERSION_optee-os ?= "3.22%"
+PREFERRED_VERSION_optee-os ?= "4.0.%"
 PREFERRED_VERSION_optee-client ?= "3.22%"
 EXTRA_IMAGEDEPENDS += "optee-os"
 OPTEE_ARCH = "arm64"
diff --git a/meta-arm/meta-arm-bsp/conf/machine/n1sdp.conf b/meta-arm/meta-arm-bsp/conf/machine/n1sdp.conf
index 74a0a66..2a246de 100644
--- a/meta-arm/meta-arm-bsp/conf/machine/n1sdp.conf
+++ b/meta-arm/meta-arm-bsp/conf/machine/n1sdp.conf
@@ -27,6 +27,7 @@
 # TF-A
 EXTRA_IMAGEDEPENDS += "trusted-firmware-a"
 TFA_PLATFORM = "n1sdp"
+PREFERRED_VERSION_trusted-firmware-a ?= "2.9.%"
 
 # SCP
 EXTRA_IMAGEDEPENDS += "virtual/control-processor-firmware"
diff --git a/meta-arm/meta-arm-bsp/conf/machine/sgi575.conf b/meta-arm/meta-arm-bsp/conf/machine/sgi575.conf
index 3c2c94b..7f2a285 100644
--- a/meta-arm/meta-arm-bsp/conf/machine/sgi575.conf
+++ b/meta-arm/meta-arm-bsp/conf/machine/sgi575.conf
@@ -9,6 +9,7 @@
 EXTRA_IMAGEDEPENDS += "virtual/control-processor-firmware"
 
 EXTRA_IMAGEDEPENDS += "trusted-firmware-a"
+PREFERRED_VERSION_trusted-firmware-a ?= "2.9.%"
 
 KERNEL_IMAGETYPE ?= "Image"
 PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst b/meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst
index ce8bd7e..6bc8ace 100644
--- a/meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst
+++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst
@@ -235,7 +235,7 @@
 .. _Arm security features: https://www.arm.com/architecture/security-features/platform-security
 .. _linux repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/
 .. _FF-A: https://developer.arm.com/documentation/den0077/latest
-.. _FF-M: https://developer.arm.com/-/media/Files/pdf/PlatformSecurityArchitecture/Architect/DEN0063-PSA_Firmware_Framework-1.0.0-2.pdf?revision=2d1429fa-4b5b-461a-a60e-4ef3d8f7f4b4&hash=3BFD6F3E687F324672F18E5BE9F08EDC48087C93
+.. _FF-M: https://developer.arm.com/architectures/Firmware%20Framework%20for%20M-Profile
 .. _FWU: https://developer.arm.com/documentation/den0118/a/
 .. _OPTEE-OS: https://github.com/OP-TEE/optee_os
 .. _PSA: https://www.psacertified.org/
diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst b/meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst
index 134ed41..318cddf 100644
--- a/meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst
+++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst
@@ -18,7 +18,7 @@
 Prerequisites
 -------------
 
-This guide assumes that your host PC is running Ubuntu 20.04 LTS, with at least
+This guide assumes that your host machine is running Ubuntu 20.04 LTS, with at least
 32GB of free disk space and 16GB of RAM as minimum requirement.
 
 The following prerequisites must be available on the host system:
@@ -435,7 +435,7 @@
      dd conv=notrunc if=openSUSE-Tumbleweed-ARM-JeOS-efi.aarch64-<date>-Snapshot<date>.raw skip=<blockaddress_1st_partition> of=corstone1000-efi-partition.img seek=<blockaddress_1st_partition> iflag=fullblock seek=<blockaddress_1st_partition> bs=512 count=<sectorsize_1s_partition> && sync
 
 
-#. Use the provided disk-layout below to label the ESP correctly.
+#. Create the file efi_disk.layout locally. Copy the content of provided disk layout below to the efi_disk.layout to label the ESP correctly.
 
    efi_disk.layout
    ::
@@ -470,7 +470,10 @@
 **Using ESP in FPGA:**
 
 Once the ESP is created, it needs to be flashed to a second USB drive different than ACS image.
-This can be done with the development machine.
+This can be done with the development machine. In the given example here
+we assume the USB device is ``/dev/sdb`` (the user should use ``lsblk`` command to
+confirm). Be cautious here and don't confuse your host machine own hard drive with the
+USB drive. Run the following commands to prepare the ACS image in USB stick:
 
 ::
 
@@ -560,7 +563,7 @@
     └── ramdisk-busybox.img
 
 RESULT partition is used to store the test results.
-**NOTE**: PLEASE MAKE SURE THAT THE RESULT PARTITION IS EMPTY BEFORE YOU START THE TESTING. OTHERWISE THE TEST RESULTS
+**NOTE**: PLEASE MAKE SURE THAT "acs_results" FOLDER UNDER THE RESULT PARTITION IS EMPTY BEFORE YOU START THE TESTING. OTHERWISE THE TEST RESULTS
 WILL NOT BE CONSISTENT
 
 FPGA instructions for ACS image
@@ -589,7 +592,7 @@
 
 Then, the user should prepare a USB stick with ACS image. In the given example here,
 we assume the USB device is ``/dev/sdb`` (the user should use ``lsblk`` command to
-confirm). Be cautious here and don't confuse your host PC's own hard drive with the
+confirm). Be cautious here and don't confuse your host machine own hard drive with the
 USB drive. Run the following commands to prepare the ACS image in USB stick:
 
 ::
@@ -604,6 +607,11 @@
 
 The FPGA will reset multiple times during the test, and it might take approx. 24-36 hours to finish the test.
 
+**NOTE**: The USB stick which contains the ESP partition might cause grub to
+unable to find the bootable partition (only in the FPGA). If that's the case, please
+remove the USB stick and run the ACS tests. ESP partition can be mounted after
+the platform is booted to linux at the end of the ACS tests.
+
 
 FVP instructions for ACS image and run
 ======================================
@@ -639,6 +647,20 @@
 Once test is finished, the FVP can be stoped, and result can be copied following above
 instructions.
 
+**NOTE:** A rare issue has been noticed (5-6% occurence) during which the FVP hangs during booting the system while running ACS tests.
+If this happens, please apply the following patch, rebuild the software stack for FVP and re-run the ACS tests.
+
+::
+
+  cd <_workspace>
+  git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2023.11
+  cp -f systemready-patch/embedded-a/corstone1000/sr_ir_workaround/0001-embedded-a-corstone1000-sr-ir-workaround.patch meta-arm
+  cd meta-arm
+  git am 0001-embedded-a-corstone1000-sr-ir-workaround.patch
+  cd ..
+  kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c="bitbake u-boot -c cleanall; bitbake trusted-firmware-a -c cleanall; corstone1000-image -c cleanall; bitbake corstone1000-image"
+
+
 Common to FVP and FPGA
 ======================
 
@@ -657,7 +679,7 @@
 Manual capsule update and ESRT checks
 -------------------------------------
 
-The following section describes running manual capsule update with the ``direct`` method.
+The following section describes running manual capsule update.
 
 The steps described in this section perform manual capsule update and show how to use the ESRT feature
 to retrieve the installed capsule details.
@@ -681,6 +703,13 @@
   make tools-only_defconfig
   make tools-only
 
+**NOTE:** The following error could happen if the linux build system does not have "libgnutls28-dev".
+ **error: "tools/mkeficapsule.c:21:10: fatal error: gnutls/gnutls.h: No such file or directory"**. If that's the case please install libgnutls28-dev and its dependencies by using the following command.
+
+::
+
+  sudo apt-get install -y libgnutls28-dev
+
 Download systemready-patch repo under <_workspace>:
 ::
 
@@ -788,20 +817,7 @@
 
    sudo umount /mnt/test
 
-**NOTE:**
-
-The size of first partition in the image file is calculated in the following way. The data is
-just an example and might vary with different ir-acs-live-image-generic-arm64.wic files.
-
-::
-
-   fdisk -lu <path-to-img>/ir-acs-live-image-generic-arm64.wic
-   ->  Device                                                     Start     End Sectors  Size Type
-       <path-to-img>/ir-acs-live-image-generic-arm64.wic1    2048  206847  204800   100M Microsoft basic data
-       <path-to-img>/ir-acs-live-image-generic-arm64.wic2  206848 1024239  817392 399.1M Linux filesystem
-       <path-to-img>/ir-acs-live-image-generic-arm64.wic3 1026048 1128447  102400    50M Microsoft basic data
-
-   ->  <offset_1st_partition> = 2048 * 512 (sector size) = 1048576
+**NOTE:** Please refer to `FVP instructions for ACS image and run`_ section to find the first partition offset.
 
 ******************************
 Performing the capsule update
@@ -819,10 +835,7 @@
 
    <_workspace>/meta-arm/scripts/runfvp --terminals=xterm <_workspace>/build/tmp/deploy/images/corstone1000-fvp/corstone1000-image-corstone1000-fvp.fvpconf -- -C board.msd_mmc.p_mmc_file=<path-to-img>/ir-acs-live-image-generic-arm64.wic
 
-**NOTE:**
-
-<path-to-img> must start from the root directory.
-make sure there are no spaces before or after of "=". board.msd_mmc.p_mmc_file=<path-to-img>/ir-acs-live-image-generic-arm64.wic.
+**NOTE:** <path-to-img> must start from the root directory. make sure there are no spaces before or after of "=". board.msd_mmc.p_mmc_file=<path-to-img>/ir-acs-live-image-generic-arm64.wic.
 
 Running the FPGA with the IR prebuilt image
 ===========================================
@@ -1060,6 +1073,15 @@
 
 On FPGA, please update the cs1000.bin on the SD card with the newly generated wic file.
 
+**NOTE:** Skip the shim patch only applies to Debian installation. The user should remove the patch from meta-arm before running the software to boot OpenSUSE or executing any other tests in this user guide. You can make sure of removing the skip the shim patch by executing the steps below.
+
+::
+
+  cd <_workspace>/meta-arm
+  git reset --hard HEAD~1
+  cd ..
+  kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c="bitbake u-boot -c cleanall; bitbake trusted-firmware-a -c cleanall; corstone1000-image -c cleanall; bitbake corstone1000-image"
+
 *************************************************
 Preparing the Installation Media
 *************************************************
@@ -1084,7 +1106,7 @@
 In the example given below, we assume the USB device is ``/dev/sdb`` (the user
 should use the `lsblk` command to confirm).
 
-**NOTE:** Please don't confuse your host PC's own hard drive with the USB drive.
+**NOTE:** Please don't confuse your host machine own hard drive with the USB drive.
 Then, copy the contents of the iso file into the first USB stick by running the
 following command in the development machine:
 
@@ -1100,6 +1122,7 @@
 With a minimum size of 8GB formatted with gpt.
 
 ::
+
   #Generating mmc2
   dd if=/dev/zero of=<_workspace>/mmc2_file.img bs=1 count=0 seek=8G; sync;
   parted -s mmc2_file.img mklabel gpt
@@ -1147,7 +1170,7 @@
 Debian may need some extra steps, that are indicated below:
 
 During Debian installation, please answer the following question:
- - "Force GRUB installation to the EFI removable media path?" Yes
+ - "Force grub installation to the EFI removable media path?" Yes
  - "Update NVRAM variables to automatically boot into Debian?" No
 
 If the grub installation fails, these are the steps to follow on the subsequent
@@ -1198,7 +1221,7 @@
   <_workspace>/meta-arm/scripts/runfvp --terminals=xterm <_workspace>/build/tmp/deploy/images/corstone1000-fvp/corstone1000-image-corstone1000-fvp.fvpconf -- -C board.msd_mmc.p_mmc_file="<_workspace>/mmc2_file.img"
 
 
-Once the FVP begins booting, you will need to quickly change the boot option in GRUB,
+Once the FVP begins booting, you will need to quickly change the boot option in grub,
 to boot into recovery mode. 
 
 **NOTE:** This option will disappear quickly, so it's best to preempt it.
@@ -1212,11 +1235,21 @@
 
 ::
 
-  vi /etc/systemd/system.conf #Only applicable to Debian
+  #Only applicable to Debian
+  vi /etc/systemd/system.conf
   DefaultDeviceTimeoutSec=infinity
-  vi /usr/lib/systemd/system.conf # Only applicable to openSUSE
+
+::
+
+  #Only applicable to openSUSE
+  vi /usr/lib/systemd/system.conf
   DefaultDeviceTimeoutSec=infinity
 
+  The system.conf has been moved from /etc/systemd/ to /usr/lib/systemd/ and directly modifying
+  the /usr/lib/systemd/system.conf is not working and it is getting overridden. We have to create
+  drop ins system configurations in /etc/systemd/system.conf.d/ directory. So, copy the 
+  /usr/lib/systemd/system.conf to /etc/systemd/system.conf.d/ directory after the mentioned modifications.
+
 The file to be edited next is different depending on the installed distro:
 
 ::
@@ -1242,6 +1275,8 @@
 Login with the username root and its corresponding password (already set at
 installation time).
 
+**NOTE:** Debian/OpenSUSE Timeouts are not applicable for all systems. Some systems are faster than the others (especially when running the FVP) and works well with default timeouts. If the system boots to Debian or OpenSUSE unmodified, the user can skip this section.
+
 PSA API tests
 -------------
 
@@ -1261,7 +1296,7 @@
 
 ::
 
-  insmod /lib/modules/*-yocto-standard/extra/arm-ffa-tee.ko
+  insmod /lib/modules/*-yocto-standard/updates/arm-ffa-tee.ko
 
 Then, check whether the FF-A TEE driver is loaded correctly by using the following command:
 
@@ -1273,7 +1308,7 @@
 
 ::
 
-   arm_ffa_tee 16384 - - Live 0xffffffc000510000 (O)
+   arm_ffa_tee <ID> - - Live <address> (O)
 
 Now, run the PSA API tests in the following order:
 
diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/fiptool-native_2.9.0.bb b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/fiptool-native_2.9.0.bb
similarity index 100%
rename from meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/fiptool-native_2.9.0.bb
rename to meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/fiptool-native_2.9.0.bb
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_%.bbappend b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_%.bbappend
index 074bc68..eef21b9 100644
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_%.bbappend
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_%.bbappend
@@ -2,5 +2,8 @@
 
 COMPATIBLE_MACHINE:corstone1000 = "corstone1000"
 SRCREV:corstone1000 = "5f591f67738a1bbe6b262c53d9dad46ed8bbcd67"
+EXTRA_OEMAKE:append:corstone1000 = " DEBUG=0"
+EXTRA_OEMAKE:append:corstone1000 = " LOG_LEVEL=30"
+TFTF_MODE:corstone1000 = "release"
 
 COMPATIBLE_MACHINE:n1sdp = "n1sdp"
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.8.0.bb b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.8.0.bb
index ed3b349..160ada6 100644
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.8.0.bb
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.8.0.bb
@@ -19,6 +19,9 @@
 EXTRA_OEMAKE += "SHELL_COLOR=1"
 EXTRA_OEMAKE += "DEBUG=1"
 
+# Modify mode based on debug or release mode
+TFTF_MODE ?= "debug"
+
 # Platform must be set for each machine
 TFA_PLATFORM ?= "invalid"
 
@@ -45,7 +48,7 @@
 
 do_install() {
     install -d -m 755 ${D}/firmware
-    install -m 0644 ${B}/${TFA_PLATFORM}/debug/tftf.bin ${D}/firmware/tftf.bin
+    install -m 0644 ${B}/${TFA_PLATFORM}/${TFTF_MODE}/tftf.bin ${D}/firmware/tftf.bin
 }
 
 do_deploy() {
diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.9.0.bb b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.9.0.bb
similarity index 100%
rename from meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.9.0.bb
rename to meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/tf-a-tests_2.9.0.bb
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.6.bb b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.6.bb
index cffc6db..ef7ea59 100644
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.6.bb
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.8.6.bb
@@ -13,3 +13,7 @@
 SRCREV_mbedtls = "89f040a5c938985c5f30728baed21e49d0846a53"
 
 LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+do_compile:prepend() {
+    sed -i '/^LDLIBS/ s,$, \$\{BUILD_LDFLAGS},' ${S}/tools/fiptool/Makefile
+}
diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.9.0.bb b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.9.0.bb
similarity index 68%
rename from meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.9.0.bb
rename to meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.9.0.bb
index 5e52695..d9fdf32 100644
--- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.9.0.bb
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.9.0.bb
@@ -1,13 +1,8 @@
-require trusted-firmware-a.inc
+require recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
 
 # TF-A v2.9.0
 SRCREV_tfa = "d3e71ead6ea5bc3555ac90a446efec84ef6c6122"
 
-# Enable passing TOS_FW_CONFIG from FIP package to Trusted OS.
-SRC_URI:append:qemuarm64-secureboot = " \
-            file://0001-Add-spmc_manifest-for-qemu.patch \
-        "
-
 LIC_FILES_CHKSUM += "file://docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
 
 # mbedtls-3.4.0
@@ -15,3 +10,7 @@
 SRCREV_mbedtls = "1873d3bfc2da771672bd8e7e8f41f57e0af77f33"
 
 LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+do_compile:prepend() {
+    sed -i '/^LDLIBS/ s,$, \$\{BUILD_LDFLAGS},' ${S}/tools/fiptool/Makefile
+}
diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.0.0.bbappend b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.0.0.bbappend
new file mode 100644
index 0000000..6c94303
--- /dev/null
+++ b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.0.0.bbappend
@@ -0,0 +1,6 @@
+
+# Machine specific configurations
+MACHINE_OPTEE_OS_REQUIRE ?= ""
+MACHINE_OPTEE_OS_REQUIRE:corstone1000 = "optee-os-corstone1000-common.inc"
+
+require ${MACHINE_OPTEE_OS_REQUIRE}
diff --git a/meta-arm/meta-arm-systemready/classes/arm-systemready-acs.bbclass b/meta-arm/meta-arm-systemready/classes/arm-systemready-acs.bbclass
index e988802..28e800c 100644
--- a/meta-arm/meta-arm-systemready/classes/arm-systemready-acs.bbclass
+++ b/meta-arm/meta-arm-systemready/classes/arm-systemready-acs.bbclass
@@ -12,12 +12,11 @@
 INHIBIT_DEFAULT_DEPS = "1"
 COMPATIBLE_HOST = "aarch64-*"
 PACKAGE_ARCH = "${MACHINE_ARCH}"
-inherit nopackages deploy rootfs-postcommands ${IMAGE_CLASSES} python3native
+inherit nopackages deploy rootfs-postcommands ${IMAGE_CLASSES} python3native testimage
 
 do_configure[noexec] = "1"
 do_compile[noexec] = "1"
 do_install[noexec] = "1"
-do_testimage[depends] += "mtools-native:do_populate_sysroot"
 
 # Deploy with this suffix so it is picked up in the machine configuration
 IMAGE_DEPLOY_SUFFIX ?= ".wic"
@@ -80,7 +79,9 @@
 
 do_testimage[postfuncs] += "acs_logs_handle"
 do_testimage[depends] += "edk2-test-parser-native:do_populate_sysroot \
-                          arm-systemready-scripts-native:do_populate_sysroot"
+                          arm-systemready-scripts-native:do_populate_sysroot \
+                          mtools-native:do_populate_sysroot \
+                          parted-native:do_populate_sysroot"
 
 # Process the logs
 python acs_logs_handle() {
diff --git a/meta-arm/meta-arm/recipes-bsp/hafnium/hafnium_2.9.bb b/meta-arm/meta-arm/recipes-bsp/hafnium/hafnium_2.10.bb
similarity index 97%
rename from meta-arm/meta-arm/recipes-bsp/hafnium/hafnium_2.9.bb
rename to meta-arm/meta-arm/recipes-bsp/hafnium/hafnium_2.10.bb
index 0997448..dea1bdc 100644
--- a/meta-arm/meta-arm/recipes-bsp/hafnium/hafnium_2.9.bb
+++ b/meta-arm/meta-arm/recipes-bsp/hafnium/hafnium_2.10.bb
@@ -18,7 +18,7 @@
            file://0001-Use-pkg-config-native-to-find-the-libssl-headers.patch;patchdir=third_party/linux \
            file://0001-work-around-visibility-issue.patch;patchdir=third_party/dtc \
           "
-SRCREV = "0715b8e002cdfb92e6b7efb71128cb24557b70cb"
+SRCREV = "946fde92bedc95e1320684b0bc2dc752bc1e1bc7"
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build"
 
diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-bl31_runtime-revert-usage-of-plat_ic_has_interrupt_t.patch b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-bl31_runtime-revert-usage-of-plat_ic_has_interrupt_t.patch
new file mode 100644
index 0000000..f6f054d
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-bl31_runtime-revert-usage-of-plat_ic_has_interrupt_t.patch
@@ -0,0 +1,38 @@
+From fd13a4d304da4233cb954329bf287ec9dfbb7367 Mon Sep 17 00:00:00 2001
+From: Jon Mason <jon.mason@arm.com>
+Date: Mon, 4 Dec 2023 10:20:21 -0500
+Subject: [PATCH] bl31_runtime: revert usage of plat_ic_has_interrupt_type
+
+There is a regression caused by commit
+1f6bb41dd951714b47bf07bb9a332346ca261033 for the trusted services tests.
+This is due to the fact that the referenced commit changes the behavior
+from checking for both INTR_TYPE_EL3 and INTR_TYPE_S_EL1, to referencing
+an existing function that #if for _either_ INTR_TYPE_EL3 or
+INTR_TYPE_S_EL1 (depending on the value of GICV2_G0_FOR_EL3).  To work
+around this issue, revert the check back to its original form.
+
+Signed-off-by: Jon Mason <jon.mason@arm.com>
+Upstream-Status: Pending
+---
+ bl31/interrupt_mgmt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/bl31/interrupt_mgmt.c b/bl31/interrupt_mgmt.c
+index 68c7f10add21..8e888b676b35 100644
+--- a/bl31/interrupt_mgmt.c
++++ b/bl31/interrupt_mgmt.c
+@@ -47,9 +47,9 @@ static intr_type_desc_t intr_type_descs[MAX_INTR_TYPES];
+  ******************************************************************************/
+ static int32_t validate_interrupt_type(uint32_t type)
+ {
+-	if (plat_ic_has_interrupt_type(type)) {
++	if ((type == INTR_TYPE_S_EL1) || (type == INTR_TYPE_NS) ||
++	    (type == INTR_TYPE_EL3))
+ 		return 0;
+-	}
+ 
+ 	return -EINVAL;
+ }
+-- 
+2.30.2
+
diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/fiptool-native_2.10.0.bb b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/fiptool-native_2.10.0.bb
new file mode 100644
index 0000000..e45ea9c
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/fiptool-native_2.10.0.bb
@@ -0,0 +1,33 @@
+# Firmware Image Package (FIP)
+# It is a packaging format used by TF-A to package the
+# firmware images in a single binary.
+
+DESCRIPTION = "fiptool - Trusted Firmware tool for packaging"
+LICENSE = "BSD-3-Clause"
+
+SRC_URI_TRUSTED_FIRMWARE_A ?= "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https"
+SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_A};destsuffix=fiptool-${PV};branch=${SRCBRANCH}"
+LIC_FILES_CHKSUM = "file://docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
+
+# Use fiptool from TF-A v2.10.0
+SRCREV = "b6c0948400594e3cc4dbb5a4ef04b815d2675808"
+SRCBRANCH = "master"
+
+DEPENDS += "openssl-native"
+
+inherit native
+
+EXTRA_OEMAKE = "V=1 HOSTCC='${BUILD_CC}' OPENSSL_DIR=${STAGING_DIR_NATIVE}/${prefix_native}"
+
+do_compile () {
+    # This is still needed to have the native fiptool executing properly by
+    # setting the RPATH
+    sed -i '/^LDOPTS/ s,$, \$\{BUILD_LDFLAGS},' ${S}/tools/fiptool/Makefile
+    sed -i '/^INCLUDE_PATHS/ s,$, \$\{BUILD_CFLAGS},' ${S}/tools/fiptool/Makefile
+
+    oe_runmake fiptool
+}
+
+do_install () {
+    install -D -p -m 0755 tools/fiptool/fiptool ${D}${bindir}/fiptool
+}
diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.10.0.bb b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.10.0.bb
new file mode 100644
index 0000000..f3818b6
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/tf-a-tests_2.10.0.bb
@@ -0,0 +1,55 @@
+DESCRIPTION = "Trusted Firmware-A tests(aka TFTF)"
+LICENSE = "BSD-3-Clause & NCSA"
+
+LIC_FILES_CHKSUM += "file://docs/license.rst;md5=6175cc0aa2e63b6d21a32aa0ee7d1b4a"
+
+inherit deploy
+
+COMPATIBLE_MACHINE ?= "invalid"
+
+SRC_URI_TRUSTED_FIRMWARE_A_TESTS ?= "git://git.trustedfirmware.org/TF-A/tf-a-tests.git;protocol=https"
+SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_A_TESTS};branch=${SRCBRANCH} \
+          "
+SRCBRANCH = "master"
+SRCREV = "42b99719d5dde58bdde07712bcb70a20d87f9067"
+
+DEPENDS += "optee-os"
+
+EXTRA_OEMAKE += "USE_NVM=0"
+EXTRA_OEMAKE += "SHELL_COLOR=1"
+EXTRA_OEMAKE += "DEBUG=1"
+
+# Platform must be set for each machine
+TFA_PLATFORM ?= "invalid"
+
+EXTRA_OEMAKE += "ARCH=aarch64"
+EXTRA_OEMAKE += "LOG_LEVEL=50"
+
+S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
+
+# Add platform parameter
+EXTRA_OEMAKE += "BUILD_BASE=${B} PLAT=${TFA_PLATFORM}"
+
+# Requires CROSS_COMPILE set by hand as there is no configure script
+export CROSS_COMPILE="${TARGET_PREFIX}"
+
+LDFLAGS[unexport] = "1"
+do_compile() {
+    oe_runmake -C ${S} tftf
+}
+
+do_compile[cleandirs] = "${B}"
+
+FILES:${PN} = "/firmware/tftf.bin"
+SYSROOT_DIRS += "/firmware"
+
+do_install() {
+    install -d -m 755 ${D}/firmware
+    install -m 0644 ${B}/${TFA_PLATFORM}/debug/tftf.bin ${D}/firmware/tftf.bin
+}
+
+do_deploy() {
+    cp -rf ${D}/firmware/* ${DEPLOYDIR}/
+}
+addtask deploy after do_install
diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
index 2bdf221..922c0a3 100644
--- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
+++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
@@ -168,7 +168,7 @@
 do_compile() {
     # This is still needed to have the native tools executing properly by
     # setting the RPATH
-    sed -i '/^LDLIBS/ s,$, \$\{BUILD_LDFLAGS},' ${S}/tools/fiptool/Makefile
+    sed -i '/^LDOPTS/ s,$, \$\{BUILD_LDFLAGS},' ${S}/tools/fiptool/Makefile
     sed -i '/^INCLUDE_PATHS/ s,$, \$\{BUILD_CFLAGS},' ${S}/tools/fiptool/Makefile
     sed -i '/^LIB/ s,$, \$\{BUILD_LDFLAGS},' ${S}/tools/cert_create/Makefile
 
diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
index e58a090..b3624bb 100644
--- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
+++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
@@ -6,6 +6,13 @@
 # arm/aarch32.  This is a known testing hole in TF-A.
 TOOLCHAIN:qemuarm-secureboot = "gcc"
 
+# Enable passing TOS_FW_CONFIG from FIP package to Trusted OS.
+FILESEXTRAPATHS:prepend:qemuarm64-secureboot := "${THISDIR}/files:"
+SRC_URI:append:qemuarm64-secureboot = " \
+            file://0001-Add-spmc_manifest-for-qemu.patch \
+            file://0001-bl31_runtime-revert-usage-of-plat_ic_has_interrupt_t.patch \
+        "
+
 TFA_PLATFORM:qemuarm64-secureboot = "qemu"
 TFA_PLATFORM:qemu-generic-arm64 = "qemu_sbsa"
 TFA_PLATFORM:qemuarm-secureboot = "qemu"
diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.0.bb b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.0.bb
new file mode 100644
index 0000000..4f01984
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.0.bb
@@ -0,0 +1,12 @@
+require recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
+
+# TF-A v2.10.0
+SRCREV_tfa = "b6c0948400594e3cc4dbb5a4ef04b815d2675808"
+
+LIC_FILES_CHKSUM += "file://docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
+
+# mbedtls-3.5.1
+SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;destsuffix=git/mbedtls;branch=master"
+SRCREV_mbedtls = "edb8fec9882084344a314368ac7fd957a187519c"
+
+LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=379d5819937a6c2f1ef1630d341e026d"
diff --git a/meta-arm/meta-arm/recipes-bsp/uefi/edk2-basetools-native_202308.bb b/meta-arm/meta-arm/recipes-bsp/uefi/edk2-basetools-native_202311.bb
similarity index 92%
rename from meta-arm/meta-arm/recipes-bsp/uefi/edk2-basetools-native_202308.bb
rename to meta-arm/meta-arm/recipes-bsp/uefi/edk2-basetools-native_202311.bb
index 31b8fb0..6bd880b 100644
--- a/meta-arm/meta-arm/recipes-bsp/uefi/edk2-basetools-native_202308.bb
+++ b/meta-arm/meta-arm/recipes-bsp/uefi/edk2-basetools-native_202311.bb
@@ -10,7 +10,7 @@
 SRC_URI = "git://github.com/tianocore/edk2.git;branch=master;protocol=https"
 LIC_FILES_CHKSUM = "file://License.txt;md5=2b415520383f7964e96700ae12b4570a"
 
-SRCREV = "819cfc6b42a68790a23509e4fcc58ceb70e1965e"
+SRCREV = "8736b8fdca85e02933cdb0a13309de14c9799ece"
 
 S = "${WORKDIR}/git"
 
diff --git a/meta-arm/meta-arm/recipes-bsp/uefi/edk2-firmware_202308.bb b/meta-arm/meta-arm/recipes-bsp/uefi/edk2-firmware_202308.bb
deleted file mode 100644
index 8620a67..0000000
--- a/meta-arm/meta-arm/recipes-bsp/uefi/edk2-firmware_202308.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-SRCREV_edk2           ?= "819cfc6b42a68790a23509e4fcc58ceb70e1965e"
-SRCREV_edk2-platforms ?= "bb6841e3fd1c60b3f8510b4fc0a380784e05d326"
-
-# FIXME - clang is having issues with antlr
-TOOLCHAIN:aarch64 = "gcc"
-
-require recipes-bsp/uefi/edk2-firmware.inc
diff --git a/meta-arm/meta-arm/recipes-bsp/uefi/edk2-firmware_202311.bb b/meta-arm/meta-arm/recipes-bsp/uefi/edk2-firmware_202311.bb
new file mode 100644
index 0000000..aa11cfd
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-bsp/uefi/edk2-firmware_202311.bb
@@ -0,0 +1,7 @@
+SRCREV_edk2           ?= "8736b8fdca85e02933cdb0a13309de14c9799ece"
+SRCREV_edk2-platforms ?= "d61836283a4c9198a02387fe7b31a8242e732f3f"
+
+# FIXME - clang is having issues with antlr
+TOOLCHAIN:aarch64 = "gcc"
+
+require recipes-bsp/uefi/edk2-firmware.inc
diff --git a/meta-arm/meta-arm/recipes-bsp/uefi/sbsa-acs_7.1.2.bb b/meta-arm/meta-arm/recipes-bsp/uefi/sbsa-acs_7.1.2.bb
index 781d6e0..a564e2a 100644
--- a/meta-arm/meta-arm/recipes-bsp/uefi/sbsa-acs_7.1.2.bb
+++ b/meta-arm/meta-arm/recipes-bsp/uefi/sbsa-acs_7.1.2.bb
@@ -1,4 +1,4 @@
-require recipes-bsp/uefi/edk2-firmware_202308.bb
+require recipes-bsp/uefi/edk2-firmware_202311.bb
 PROVIDES:remove = "virtual/bootloader"
 
 LICENSE += "& Apache-2.0"