Import 80d60e7 from yoctoproject.org meta-arm
To support ARMv8 SoCs.
meta-arm has several patch files. Since they are maintained by the
upstream meta-arm community, add meta-arm to the ignore list in
run-repotest.
Change-Id: Ia87a2e947bbabd347d256eccc47a343e1c885479
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-client.inc b/meta-arm/meta-arm/recipes-security/optee/optee-client.inc
new file mode 100644
index 0000000..3b9943c
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-client.inc
@@ -0,0 +1,40 @@
+SUMMARY = "OP-TEE Client API"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Normal World Client side of the TEE"
+HOMEPAGE = "https://www.op-tee.org/"
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b"
+
+inherit systemd update-rc.d cmake
+
+SRC_URI = " \
+ git://github.com/OP-TEE/optee_client.git;branch=master;protocol=https \
+ file://tee-supplicant.service \
+ file://tee-supplicant.sh \
+"
+
+UPSTREAM_CHECK_GITTAGREGEX = "^(?P<pver>\d+(\.\d+)+)$"
+
+S = "${WORKDIR}/git"
+
+EXTRA_OECMAKE = " \
+ -DBUILD_SHARED_LIBS=ON \
+ -DCFG_TEE_FS_PARENT_PATH='${localstatedir}/lib/tee' \
+"
+EXTRA_OECMAKE:append:toolchain-clang = " -DCFG_WERROR=0"
+
+do_install:append() {
+ install -D -p -m0644 ${WORKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service
+ install -D -p -m0755 ${WORKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant
+
+ sed -i -e s:@sysconfdir@:${sysconfdir}:g \
+ -e s:@sbindir@:${sbindir}:g \
+ ${D}${systemd_system_unitdir}/tee-supplicant.service \
+ ${D}${sysconfdir}/init.d/tee-supplicant
+}
+
+SYSTEMD_SERVICE:${PN} = "tee-supplicant.service"
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME:${PN} = "tee-supplicant"
+INITSCRIPT_PARAMS:${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ."
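Review bot: `CFG_TEE_FS_PARENT_PATH` in `EXTRA_OECMAKE` carries no comment on what it points at, and nothing visible in this recipe creates `${localstatedir}/lib/tee` or sets its mode. In OP-TEE this is the directory where tee-supplicant keeps the normal-world side of secure storage, so it should sit on persistent storage and be writable only by the account the supplicant runs as. A comment above the assignment such as `# Parent dir of tee-supplicant's secure-storage files: keep persistent and root-only` would record that. If an image uses a volatile or read-only `/var`, the path presumably has to be redirected; that is worth confirming for the target platforms.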
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service b/meta-arm/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
new file mode 100644
index 0000000..c273832
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=TEE Supplicant
+
+[Service]
+User=root
+EnvironmentFile=-@sysconfdir@/default/tee-supplicant
+ExecStart=@sbindir@/tee-supplicant $OPTARGS
+
+[Install]
+WantedBy=basic.target
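Review bot: The `[Service]` section runs tee-supplicant as root with no sandboxing, and `User=root` is already the default for a system unit. Judging by the other recipes in this commit, the daemon only needs the TEE device node, the TA and plugin directories, and its storage directory. Consider adding restrictions such as `NoNewPrivileges=yes`, `ProtectHome=yes` and `PrivateTmp=yes`, and tightening further once the required paths are confirmed on target. The unit also declares no ordering or condition on the TEE driver being present, so it would presumably start and fail on a boot where the device node is missing. A `ConditionPathExists=` on that node (its path is not shown on this page) would make that explicit.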
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh b/meta-arm/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
new file mode 100644
index 0000000..b4d2195
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Source function library
+. /etc/init.d/functions
+
+NAME=tee-supplicant
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DESC="OP-TEE Supplicant"
+
+DAEMON=@sbindir@/$NAME
+
+test -f $DAEMON || exit 0
+
+test -f @sysconfdir@/default/$NAME && . @sysconfdir@/default/$NAME
+test -f @sysconfdir@/default/rcS && . @sysconfdir@/default/rcS
+
+SSD_OPTIONS="--oknodo --quiet --exec $DAEMON -- -d $OPTARGS"
+
+set -e
+
+case $1 in
+ start)
+ echo -n "Starting $DESC: "
+ start-stop-daemon --start $SSD_OPTIONS
+ echo "${DAEMON##*/}."
+ ;;
+ stop)
+ echo -n "Stopping $DESC: "
+ start-stop-daemon --stop $SSD_OPTIONS
+ echo "${DAEMON##*/}."
+ ;;
+ restart|force-reload)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ status)
+ status ${DAEMON} || exit $?
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
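Review bot: Variable expansions in this script are unquoted, and the daemon check `test -f $DAEMON` passes for a file that exists but is not executable. `test -x "$DAEMON" || exit 0` and `case "$1" in` are the safer forms. `SSD_OPTIONS` is reused for `--stop`, so the start-only arguments `-- -d $OPTARGS` are also handed to the stop invocation; splitting them out would make the intent clearer. `$OPTARGS` comes from `@sysconfdir@/default/$NAME`, which this root-run script sources, so that file should be root-owned and not group- or world-writable.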
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-client_3.14.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-client_3.14.0.bb
new file mode 100644
index 0000000..be78b88
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-client_3.14.0.bb
@@ -0,0 +1,3 @@
+require optee-client.inc
+
+SRCREV = "06e1b32f6a7028e039c625b07cfc25fda0c17d53"
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-client_3.17.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-client_3.17.0.bb
new file mode 100644
index 0000000..5de16e7
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-client_3.17.0.bb
@@ -0,0 +1,3 @@
+require optee-client.inc
+
+SRCREV = "9a337049c52495e5e16b4a94decaa3e58fce793e"
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-examples.inc b/meta-arm/meta-arm/recipes-security/optee/optee-examples.inc
new file mode 100644
index 0000000..e6feb99
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-examples.inc
@@ -0,0 +1,46 @@
+SUMMARY = "OP-TEE examples"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Sample Applications"
+HOMEPAGE = "https://github.com/linaro-swg/optee_examples"
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=cd95ab417e23b94f381dafc453d70c30"
+
+DEPENDS = "optee-client optee-os-tadevkit python3-cryptography-native"
+
+inherit python3native
+
+require optee.inc
+
+SRC_URI = "git://github.com/linaro-swg/optee_examples.git;branch=master;protocol=https \
+ file://0001-Makefile-Fix-non-portable-sh-check-for-plugins.patch"
+
+EXTRA_OEMAKE += "TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+ HOST_CROSS_COMPILE=${HOST_PREFIX} \
+ TA_CROSS_COMPILE=${HOST_PREFIX} \
+ OUTPUT_DIR=${B} \
+ "
+
+S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
+
+
+do_compile() {
+ oe_runmake -C ${S}
+}
+do_compile[cleandirs] = "${B}"
+
+do_install () {
+ mkdir -p ${D}${nonarch_base_libdir}/optee_armtz
+ mkdir -p ${D}${bindir}
+ mkdir -p ${D}${libdir}/tee-supplicant/plugins
+ install -D -p -m0755 ${B}/ca/* ${D}${bindir}
+ install -D -p -m0444 ${B}/ta/* ${D}${nonarch_base_libdir}/optee_armtz
+ install -D -p -m0444 ${B}/plugins/* ${D}${libdir}/tee-supplicant/plugins
+}
+
+FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/ \
+ ${libdir}/tee-supplicant/plugins/ \
+ "
+
+# Imports machine specific configs from staging to build
+PACKAGE_ARCH = "${MACHINE_ARCH}"
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-examples/0001-Makefile-Fix-non-portable-sh-check-for-plugins.patch b/meta-arm/meta-arm/recipes-security/optee/optee-examples/0001-Makefile-Fix-non-portable-sh-check-for-plugins.patch
new file mode 100644
index 0000000..70add62
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-examples/0001-Makefile-Fix-non-portable-sh-check-for-plugins.patch
@@ -0,0 +1,46 @@
+From 11610debf750f15c7a104db7315dcd7d69e282a8 Mon Sep 17 00:00:00 2001
+From: Alejandro Enedino Hernandez Samaniego <alhe@linux.microsoft.com>
+Date: Sat, 26 Feb 2022 01:52:26 +0000
+Subject: [PATCH] Makefile: Fix non-portable sh check for plugins
+
+Upstream-Status: Pending
+
+We previously held a patch that used "=" for comparison, but when
+that patch got upstreamed it was changed to "==" which is non-portable,
+resulting in an error:
+
+/bin/sh: 6: [: acipher: unexpected operator
+/bin/sh: 6: [: plugins: unexpected operator
+/bin/sh: 6: [: hello_world: unexpected operator
+/bin/sh: 6: [: hotp: unexpected operator
+/bin/sh: 6: [: aes: unexpected operator
+/bin/sh: 6: [: random: unexpected operator
+/bin/sh: 6: [: secure_storage: unexpected operator
+
+if /bin/sh doesnt point to bash.
+
+Which in turn causes our do_install task to fail since plugins arent
+where we expect them to be.
+
+
+Signed-off-by: Alejandro Enedino Hernandez Samaniego <alhe@linux.microsoft.com>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index b3f16aa..9359d95 100644
+--- a/Makefile
++++ b/Makefile
+@@ -31,7 +31,7 @@ prepare-for-rootfs: examples
+ cp -p $$example/host/optee_example_$$example $(OUTPUT_DIR)/ca/; \
+ fi; \
+ cp -pr $$example/ta/*.ta $(OUTPUT_DIR)/ta/; \
+- if [ $$example == plugins ]; then \
++ if [ $$example = plugins ]; then \
+ cp -p plugins/syslog/*.plugin $(OUTPUT_DIR)/plugins/; \
+ fi; \
+ done
+--
+2.25.1
+
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-examples_3.14.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-examples_3.14.0.bb
new file mode 100644
index 0000000..f2b5f7d
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-examples_3.14.0.bb
@@ -0,0 +1,4 @@
+require optee-examples.inc
+
+SRCREV = "e9c870525af8f7e7fccf575a0ca5394ce55adcec"
+
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-examples_3.17.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-examples_3.17.0.bb
new file mode 100644
index 0000000..b5f6269
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-examples_3.17.0.bb
@@ -0,0 +1,3 @@
+require optee-examples.inc
+
+SRCREV = "65fc74309e12189ad5b6ce3ffec37c8011088a5a"
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb
new file mode 100644
index 0000000..0d37a52
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_3.14.0.bb
@@ -0,0 +1,20 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:"
+require optee-os_3.14.0.bb
+
+SUMMARY = "OP-TEE Trusted OS TA devkit"
+DESCRIPTION = "OP-TEE TA devkit for build TAs"
+HOMEPAGE = "https://www.op-tee.org/"
+
+do_install() {
+ #install TA devkit
+ install -d ${D}${includedir}/optee/export-user_ta/
+ for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
+ cp -aR $f ${D}${includedir}/optee/export-user_ta/
+ done
+}
+
+do_deploy() {
+ echo "Do not inherit do_deploy from optee-os."
+}
+
+FILES:${PN} = "${includedir}/optee/"
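Review bot: `cp -aR $f ...` in `do_install` preserves the ownership of the build-tree files, which can carry the build host's UID/GID into the package and trip the `host-user-contaminated` QA check. `cp -R --no-dereference --preserve=mode,links "$f" ${D}${includedir}/optee/export-user_ta/` avoids that, as does adding `--no-preserve=ownership`. The same loop appears in the `do_install` of optee-os-tadevkit_3.17.0.bb and optee-spdevkit_git.bb.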
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_3.17.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_3.17.0.bb
new file mode 100644
index 0000000..5ff373a
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_3.17.0.bb
@@ -0,0 +1,25 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:"
+require optee-os_3.17.0.bb
+
+SUMMARY = "OP-TEE Trusted OS TA devkit"
+DESCRIPTION = "OP-TEE TA devkit for build TAs"
+HOMEPAGE = "https://www.op-tee.org/"
+
+DEPENDS += "python3-pycryptodome-native"
+
+do_install() {
+ #install TA devkit
+ install -d ${D}${includedir}/optee/export-user_ta/
+ for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
+ cp -aR $f ${D}${includedir}/optee/export-user_ta/
+ done
+}
+
+do_deploy() {
+ echo "Do not inherit do_deploy from optee-os."
+}
+
+FILES:${PN} = "${includedir}/optee/"
+
+# Build paths are currently embedded
+INSANE_SKIP:${PN}-dev += "buildpaths"
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/meta-arm/recipes-security/optee/optee-os.inc
new file mode 100644
index 0000000..11193dc
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-os.inc
@@ -0,0 +1,75 @@
+SUMMARY = "OP-TEE Trusted OS"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Trusted side of the TEE"
+HOMEPAGE = "https://www.op-tee.org/"
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173"
+
+inherit deploy python3native
+require optee.inc
+
+CVE_PRODUCT = "linaro:op-tee op-tee:op-tee_os"
+
+DEPENDS = "python3-pyelftools-native python3-cryptography-native"
+
+DEPENDS:append:toolchain-clang = " compiler-rt"
+
+SRC_URI = "git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https"
+
+SRC_URI:append = " \
+ file://0006-allow-setting-sysroot-for-libgcc-lookup.patch \
+ file://0007-allow-setting-sysroot-for-clang.patch \
+ "
+
+S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
+
+EXTRA_OEMAKE += " \
+ PLATFORM=${OPTEEMACHINE} \
+ CFG_${OPTEE_CORE}_core=y \
+ CROSS_COMPILE_core=${HOST_PREFIX} \
+ CROSS_COMPILE_ta_${OPTEE_ARCH}=${HOST_PREFIX} \
+ NOWERROR=1 \
+ ta-targets=ta_${OPTEE_ARCH} \
+ O=${B} \
+"
+
+CFLAGS[unexport] = "1"
+LDFLAGS[unexport] = "1"
+CPPFLAGS[unexport] = "1"
+AS[unexport] = "1"
+LD[unexport] = "1"
+
+do_configure[noexec] = "1"
+
+do_compile() {
+ oe_runmake -C ${S} all
+}
+do_compile[cleandirs] = "${B}"
+
+do_install() {
+ #install core in firmware
+ install -d ${D}${nonarch_base_libdir}/firmware/
+ install -m 644 ${B}/core/*.bin ${B}/core/tee.elf ${D}${nonarch_base_libdir}/firmware/
+}
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+do_deploy() {
+ install -d ${DEPLOYDIR}/${MLPREFIX}optee
+ install -m 644 ${D}${nonarch_base_libdir}/firmware/* ${DEPLOYDIR}/${MLPREFIX}optee
+}
+
+addtask deploy before do_build after do_install
+
+SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
+
+FILES:${PN} = "${nonarch_base_libdir}/firmware/"
+
+# note: "textrel" is not triggered on all archs
+INSANE_SKIP:${PN} = "textrel"
+# Build paths are currently embedded
+INSANE_SKIP:${PN} += "buildpaths"
+INSANE_SKIP:${PN}-dev = "staticdev"
+INHIBIT_PACKAGE_STRIP = "1"
+
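Review bot: `EXTRA_OEMAKE` does not set a TA signing key, so the build presumably falls back to the key that ships in the optee_os source tree. That key is public, so a core built this way would accept trusted applications signed by anyone, which is acceptable for QEMU and development images but not for a product. A comment next to `EXTRA_OEMAKE` such as `# TA_SIGN_KEY is left at the upstream default (development key); production builds must override it` would make the expectation visible to integrators. `NOWERROR=1` and shipping the unstripped `tee.elf` in `${nonarch_base_libdir}/firmware/` (with `INHIBIT_PACKAGE_STRIP = "1"`) also look like development conveniences and deserve a one-line why-comment each.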
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os/0006-allow-setting-sysroot-for-libgcc-lookup.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os/0006-allow-setting-sysroot-for-libgcc-lookup.patch
new file mode 100644
index 0000000..1700539
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-os/0006-allow-setting-sysroot-for-libgcc-lookup.patch
@@ -0,0 +1,34 @@
+From 0bab935695ebcf0c533b49896ab18ff33d4a47d1 Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@arm.com>
+Date: Tue, 26 May 2020 14:38:02 -0500
+Subject: [PATCH] allow setting sysroot for libgcc lookup
+
+Explicitly pass the new variable LIBGCC_LOCATE_CFLAGS variable when searching
+for the compiler libraries as there's no easy way to reliably pass --sysroot
+otherwise.
+
+Upstream-Status: Pending [https://github.com/OP-TEE/optee_os/issues/4188]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ mk/gcc.mk | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/mk/gcc.mk b/mk/gcc.mk
+index adc77a24..81bfa78a 100644
+--- a/mk/gcc.mk
++++ b/mk/gcc.mk
+@@ -13,11 +13,11 @@ nostdinc$(sm) := -nostdinc -isystem $(shell $(CC$(sm)) \
+ -print-file-name=include 2> /dev/null)
+
+ # Get location of libgcc from gcc
+-libgcc$(sm) := $(shell $(CC$(sm)) $(CFLAGS$(arch-bits-$(sm))) \
++libgcc$(sm) := $(shell $(CC$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CFLAGS$(arch-bits-$(sm))) \
+ -print-libgcc-file-name 2> /dev/null)
+-libstdc++$(sm) := $(shell $(CXX$(sm)) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
++libstdc++$(sm) := $(shell $(CXX$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
+ -print-file-name=libstdc++.a 2> /dev/null)
+-libgcc_eh$(sm) := $(shell $(CXX$(sm)) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
++libgcc_eh$(sm) := $(shell $(CXX$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CXXFLAGS$(arch-bits-$(sm))) $(comp-cxxflags$(sm)) \
+ -print-file-name=libgcc_eh.a 2> /dev/null)
+
+ # Define these to something to discover accidental use
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os/0007-allow-setting-sysroot-for-clang.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os/0007-allow-setting-sysroot-for-clang.patch
new file mode 100644
index 0000000..5c0d0a5
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-os/0007-allow-setting-sysroot-for-clang.patch
@@ -0,0 +1,29 @@
+From 3167f2c0dba4db59d61b60a8fe66f969d20aafa9 Mon Sep 17 00:00:00 2001
+From: Brett Warren <brett.warren@arm.com>
+Date: Wed, 23 Sep 2020 09:27:34 +0100
+Subject: [PATCH] optee: enable clang support
+
+When compiling with clang, the LIBGCC_LOCATE_CFLAG variable used
+to provide a sysroot wasn't included, which results in not locating
+compiler-rt. This is mitigated by including the variable as ammended.
+
+Upstream-Status: Pending
+ChangeId: 8ba69a4b2eb8ebaa047cb266c9aa6c2c3da45701
+Signed-off-by: Brett Warren <brett.warren@arm.com>
+---
+ mk/clang.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mk/clang.mk b/mk/clang.mk
+index 0f48c836..47465523 100644
+--- a/mk/clang.mk
++++ b/mk/clang.mk
+@@ -27,7 +27,7 @@ comp-cflags-warns-clang := -Wno-language-extension-token \
+
+ # Note, use the compiler runtime library (libclang_rt.builtins.*.a) instead of
+ # libgcc for clang
+-libgcc$(sm) := $(shell $(CC$(sm)) $(CFLAGS$(arch-bits-$(sm))) \
++libgcc$(sm) := $(shell $(CC$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CFLAGS$(arch-bits-$(sm))) \
+ -rtlib=compiler-rt -print-libgcc-file-name 2> /dev/null)
+
+ # Core ASLR relies on the executable being ready to run from its preferred load
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os_3.14.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.14.0.bb
new file mode 100644
index 0000000..83b89c4
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.14.0.bb
@@ -0,0 +1,5 @@
+require optee-os.inc
+
+SRCREV = "d21befa5e53eae9db469eba1685f5aa5c6f92c2f"
+
+DEPENDS = "python3-pycryptodome-native python3-pyelftools-native"
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os_3.17.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.17.0.bb
new file mode 100644
index 0000000..3e5e0a6
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.17.0.bb
@@ -0,0 +1,5 @@
+require optee-os.inc
+
+SRCREV = "f9e550142dd4b33ee1112f5dd64ffa94ba79cefa"
+
+DEPENDS += "dtc-native"
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os_3.18.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.18.0.bb
new file mode 100644
index 0000000..65d661f
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-os_3.18.0.bb
@@ -0,0 +1,5 @@
+require optee-os.inc
+
+DEPENDS += "dtc-native"
+
+SRCREV = "1ee647035939e073a2e8dddb727c0f019cc035f1"
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-spdevkit_git.bb b/meta-arm/meta-arm/recipes-security/optee/optee-spdevkit_git.bb
new file mode 100644
index 0000000..7608cec
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-spdevkit_git.bb
@@ -0,0 +1,305 @@
+SUMMARY = "OP-TEE Secure Partion Development Kit"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Development Kit to run secure partitions"
+HOMEPAGE = "https://www.op-tee.org/"
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173"
+
+inherit deploy python3native
+require optee.inc
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:"
+
+CVE_PRODUCT = "linaro:op-tee op-tee:op-tee_os"
+
+DEPENDS = "python3-pyelftools-native"
+
+DEPENDS:append:toolchain-clang = " compiler-rt"
+
+# spdevkit isn't yet merged to master
+SRC_URI = "git://git.trustedfirmware.org/OP-TEE/optee_os.git;protocol=https;branch=psa-development \
+ file://0006-allow-setting-sysroot-for-libgcc-lookup.patch \
+ file://0007-allow-setting-sysroot-for-clang.patch \
+"
+SRCREV = "f9de2c9520ed97b89760cc4c99424aae440b63f4"
+PV = "3.10+git${SRCPV}"
+
+S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
+
+EXTRA_OEMAKE += " \
+ PLATFORM=${OPTEEMACHINE} \
+ CFG_${OPTEE_CORE}_core=y \
+ CROSS_COMPILE_core=${HOST_PREFIX} \
+ CROSS_COMPILE_sp_${OPTEE_ARCH}=${HOST_PREFIX} \
+ CFG_CORE_FFA=y \
+ CFG_WITH_SP=y \
+ O=${B} \
+"
+
+CFLAGS[unexport] = "1"
+LDFLAGS[unexport] = "1"
+CPPFLAGS[unexport] = "1"
+AS[unexport] = "1"
+LD[unexport] = "1"
+
+do_configure[noexec] = "1"
+
+do_compile() {
+ oe_runmake -C ${S} sp_dev_kit
+}
+do_compile[cleandirs] = "${B}"
+
+do_install() {
+ #install SP devkit
+ install -d ${D}${includedir}/optee/export-user_sp/
+ for f in ${B}/export-sp_${OPTEE_ARCH}/* ; do
+ cp -aR $f ${D}${includedir}/optee/export-user_sp/
+ done
+ cat > ${D}${includedir}/optee/export-user_sp/include/stddef.h <<'EOF'
+#ifndef STDDEF_H
+#define STDDEF_H
+
+#include <stddef_.h>
+
+#ifndef _PTRDIFF_T
+typedef long ptrdiff_t;
+#define _PTRDIFF_T
+#endif
+
+#ifndef NULL
+#define NULL ((void *) 0)
+#endif
+
+#define offsetof(st, m) __builtin_offsetof(st, m)
+
+#endif /* STDDEF_H */
+EOF
+ cat > ${D}${includedir}/optee/export-user_sp/include/stddef_.h <<'EOF'
+#ifndef STDDEF__H
+#define STDDEF__H
+
+#ifndef SIZET_
+typedef unsigned long size_t;
+#define SIZET_
+#endif
+
+#endif /* STDDEF__H */
+EOF
+ cat > ${D}${includedir}/optee/export-user_sp/include/stdarg.h <<'EOF'
+#ifndef STDARG_H
+#define STDARG_H
+
+#define va_list __builtin_va_list
+#define va_start(ap, last) __builtin_va_start(ap, last)
+#define va_end(ap) __builtin_va_end(ap)
+#define va_copy(to, from) __builtin_va_copy(to, from)
+#define va_arg(to, type) __builtin_va_arg(to, type)
+
+#endif /* STDARG_H */
+EOF
+ cat > ${D}${includedir}/optee/export-user_sp/include/stdbool.h <<'EOF'
+#ifndef STDBOOL_H
+#define STDBOOL_H
+
+#define bool _Bool
+
+#define true 1
+#define false 0
+
+#define __bool_true_false_are_defined 1
+
+#endif /* STDBOOL_H */
+EOF
+
+cat > ${D}${includedir}/optee/export-user_sp/include/features.h <<'EOF'
+ #ifndef _FEATURES_H
+ #define _FEATURES_H
+ #if defined(_ALL_SOURCE) && !defined(_GNU_SOURCE)
+ #define _GNU_SOURCE 1
+#endif
+ #if defined(_DEFAULT_SOURCE) && !defined(_BSD_SOURCE)
+ #define _BSD_SOURCE 1
+#endif
+ #if !defined(_POSIX_SOURCE) && !defined(_POSIX_C_SOURCE) \
+ && !defined(_XOPEN_SOURCE) && !defined(_GNU_SOURCE) \
+ && !defined(_BSD_SOURCE) && !defined(__STRICT_ANSI__)
+ #define _BSD_SOURCE 1
+ #define _XOPEN_SOURCE 700
+#endif
+ #if __STDC_VERSION__ >= 199901L
+ #define __restrict restrict
+ #elif !defined(__GNUC__)
+ #define __restrict
+#endif
+ #if __STDC_VERSION__ >= 199901L || defined(__cplusplus)
+ #define __inline inline
+ #elif !defined(__GNUC__)
+ #define __inline
+#endif
+ #if __STDC_VERSION__ >= 201112L
+ #elif defined(__GNUC__)
+ #define _Noreturn __attribute__((__noreturn__))
+#else
+ #define _Noreturn
+#endif
+ #define __REDIR(x,y) __typeof__(x) x __asm__(#y)
+#endif
+EOF
+cat > ${D}${includedir}/optee/export-user_sp/include/errno.h <<'EOF'
+ #ifndef _ERRNO_H
+ #define _ERRNO_H
+ #include <features.h>
+ #define EPERM 1
+ #define ENOENT 2
+ #define ESRCH 3
+ #define EINTR 4
+ #define EIO 5
+ #define ENXIO 6
+ #define E2BIG 7
+ #define ENOEXEC 8
+ #define EBADF 9
+ #define ECHILD 10
+ #define EAGAIN 11
+ #define ENOMEM 12
+ #define EACCES 13
+ #define EFAULT 14
+ #define ENOTBLK 15
+ #define EBUSY 16
+ #define EEXIST 17
+ #define EXDEV 18
+ #define ENODEV 19
+ #define ENOTDIR 20
+ #define EISDIR 21
+ #define EINVAL 22
+ #define ENFILE 23
+ #define EMFILE 24
+ #define ENOTTY 25
+ #define ETXTBSY 26
+ #define EFBIG 27
+ #define ENOSPC 28
+ #define ESPIPE 29
+ #define EROFS 30
+ #define EMLINK 31
+ #define EPIPE 32
+ #define EDOM 33
+ #define ERANGE 34
+ #define EDEADLK 35
+ #define ENAMETOOLONG 36
+ #define ENOLCK 37
+ #define ENOSYS 38
+ #define ENOTEMPTY 39
+ #define ELOOP 40
+ #define EWOULDBLOCK EAGAIN
+ #define ENOMSG 42
+ #define EIDRM 43
+ #define ECHRNG 44
+ #define EL2NSYNC 45
+ #define EL3HLT 46
+ #define EL3RST 47
+ #define ELNRNG 48
+ #define EUNATCH 49
+ #define ENOCSI 50
+ #define EL2HLT 51
+ #define EBADE 52
+ #define EBADR 53
+ #define EXFULL 54
+ #define ENOANO 55
+ #define EBADRQC 56
+ #define EBADSLT 57
+ #define EDEADLOCK EDEADLK
+ #define EBFONT 59
+ #define ENOSTR 60
+ #define ENODATA 61
+ #define ETIME 62
+ #define ENOSR 63
+ #define ENONET 64
+ #define ENOPKG 65
+ #define EREMOTE 66
+ #define ENOLINK 67
+ #define EADV 68
+ #define ESRMNT 69
+ #define ECOMM 70
+ #define EPROTO 71
+ #define EMULTIHOP 72
+ #define EDOTDOT 73
+ #define EBADMSG 74
+ #define EOVERFLOW 75
+ #define ENOTUNIQ 76
+ #define EBADFD 77
+ #define EREMCHG 78
+ #define ELIBACC 79
+ #define ELIBBAD 80
+ #define ELIBSCN 81
+ #define ELIBMAX 82
+ #define ELIBEXEC 83
+ #define EILSEQ 84
+ #define ERESTART 85
+ #define ESTRPIPE 86
+ #define EUSERS 87
+ #define ENOTSOCK 88
+ #define EDESTADDRREQ 89
+ #define EMSGSIZE 90
+ #define EPROTOTYPE 91
+ #define ENOPROTOOPT 92
+ #define EPROTONOSUPPORT 93
+ #define ESOCKTNOSUPPORT 94
+ #define EOPNOTSUPP 95
+ #define ENOTSUP EOPNOTSUPP
+ #define EPFNOSUPPORT 96
+ #define EAFNOSUPPORT 97
+ #define EADDRINUSE 98
+ #define EADDRNOTAVAIL 99
+ #define ENETDOWN 100
+ #define ENETUNREACH 101
+ #define ENETRESET 102
+ #define ECONNABORTED 103
+ #define ECONNRESET 104
+ #define ENOBUFS 105
+ #define EISCONN 106
+ #define ENOTCONN 107
+ #define ESHUTDOWN 108
+ #define ETOOMANYREFS 109
+ #define ETIMEDOUT 110
+ #define ECONNREFUSED 111
+ #define EHOSTDOWN 112
+ #define EHOSTUNREACH 113
+ #define EALREADY 114
+ #define EINPROGRESS 115
+ #define ESTALE 116
+ #define EUCLEAN 117
+ #define ENOTNAM 118
+ #define ENAVAIL 119
+ #define EISNAM 120
+ #define EREMOTEIO 121
+ #define EDQUOT 122
+ #define ENOMEDIUM 123
+ #define EMEDIUMTYPE 124
+ #define ECANCELED 125
+ #define ENOKEY 126
+ #define EKEYEXPIRED 127
+ #define EKEYREVOKED 128
+ #define EKEYREJECTED 129
+ #define EOWNERDEAD 130
+ #define ENOTRECOVERABLE 131
+ #define ERFKILL 132
+ #define EHWPOISON 133
+ #ifdef __GNUC__
+ __attribute__((const))
+#endif
+ int *__errno_location(void);
+ #define errno (*__errno_location())
+ #ifdef _GNU_SOURCE
+ extern char *program_invocation_short_name, *program_invocation_name;
+#endif
+#endif
+EOF
+}
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+COMPATIBLE_HOST = "aarch64.*-linux"
+
+# optee-spdevkit static library is part of optee-os image. No need to package this library in a staticdev package
+INSANE_SKIP:${PN}-dev = "staticdev"
+# Build paths are currently embedded
+INSANE_SKIP:${PN}-dev += "buildpaths"
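Review bot: `do_install` writes six C headers (`stddef.h`, `stddef_.h`, `stdarg.h`, `stdbool.h`, `features.h`, `errno.h`) from inline here-documents, with no comment on where their contents come from or under which licence. `features.h` and `errno.h` in particular look as if they were copied from an existing C library, whose licence may differ from the `BSD-2-Clause` declared in `LICENSE`; this should be confirmed and recorded. Shipping them as files listed in `SRC_URI` and installing them with `install -m 0644` would keep the recipe readable and let licence tooling see them. The recipe also builds the `psa-development` branch as `PV = "3.10+git${SRCPV}"` while `CVE_PRODUCT` names op-tee_os, so CVE matching will presumably be done against 3.10; a comment should say whether that is intended.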
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test.inc b/meta-arm/meta-arm/recipes-security/optee/optee-test.inc
new file mode 100644
index 0000000..64b41a8
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-test.inc
@@ -0,0 +1,51 @@
+SUMMARY = "OP-TEE sanity testsuite"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Test suite"
+HOMEPAGE = "https://www.op-tee.org/"
+
+LICENSE = "BSD-2-Clause & GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa"
+
+inherit python3native ptest
+require optee.inc
+
+DEPENDS = "optee-client optee-os-tadevkit python3-cryptography-native"
+
+SRC_URI = "git://github.com/OP-TEE/optee_test.git;branch=master;protocol=https \
+ file://run-ptest \
+ "
+
+S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
+
+EXTRA_OEMAKE += "TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+ CROSS_COMPILE_HOST=${HOST_PREFIX} \
+ CROSS_COMPILE_TA=${HOST_PREFIX} \
+ O=${B} \
+ "
+
+do_compile() {
+ cd ${S}
+ # Top level makefile doesn't seem to handle parallel make gracefully
+ oe_runmake xtest
+ oe_runmake ta
+ oe_runmake test_plugin
+}
+do_compile[cleandirs] = "${B}"
+
+do_install () {
+ install -D -p -m0755 ${B}/xtest/xtest ${D}${bindir}/xtest
+
+ # install path should match the value set in optee-client/tee-supplicant
+ # default TEEC_LOAD_PATH is /lib
+ mkdir -p ${D}${nonarch_base_libdir}/optee_armtz/
+ install -D -p -m0444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
+ mkdir -p ${D}${libdir}/tee-supplicant/plugins
+ install -D -p -m0444 ${B}/supp_plugin/*.plugin ${D}${libdir}/tee-supplicant/plugins/
+}
+
+FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/ \
+ ${libdir}/tee-supplicant/plugins/ \
+ "
+
+# Imports machine specific configs from staging to build
+PACKAGE_ARCH = "${MACHINE_ARCH}"
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test/musl-workaround.patch b/meta-arm/meta-arm/recipes-security/optee/optee-test/musl-workaround.patch
new file mode 100644
index 0000000..eed1bd4
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-test/musl-workaround.patch
@@ -0,0 +1,24 @@
+Hack to work around musl compile error:
+ In file included from optee-test/3.17.0-r0/recipe-sysroot/usr/include/sys/stat.h:23,
+ from optee-test/3.17.0-r0/git/host/xtest/regression_1000.c:25:
+ optee-test/3.17.0-r0/recipe-sysroot/usr/include/bits/stat.h:17:26: error: expected identifier or '(' before '[' token
+ 17 | unsigned __unused[2];
+ | ^
+
+stat.h is not needed, since it is not being used in this file. So removing it.
+
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Jon Mason <jon.mason@arm.com>
+
+diff --git a/host/xtest/regression_1000.c b/host/xtest/regression_1000.c
+index 4264884..7f1baca 100644
+--- a/host/xtest/regression_1000.c
++++ b/host/xtest/regression_1000.c
+@@ -22,7 +22,6 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+-#include <sys/stat.h>
+ #include <sys/types.h>
+ #include <ta_arm_bti.h>
+ #include <ta_concurrent.h>
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test/run-ptest b/meta-arm/meta-arm/recipes-security/optee/optee-test/run-ptest
new file mode 100755
index 0000000..ba88c14
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-test/run-ptest
@@ -0,0 +1,52 @@
+#!/bin/sh
+xtest | awk '
+
+ # Escapes the special characters in a string so that, when
+ # included in a regex, it represents a literal match
+ function regx_escape_literal(str, ret) {
+ ret = str
+ gsub(/[\[\]\^\$\.\*\?\+\{\}\\\(\)\|]/ , "\\\\&", str)
+ return str
+ }
+
+ # Returns the simple test formatted name
+ function name(n, ret) {
+ ret = n
+ gsub(/\./, " ", ret)
+ return ret
+ }
+
+ # Returns the simple test formatted result
+ function result(res) {
+ if(res ~ /OK/) {
+ return "PASS"
+ } else if(res ~ /FAILED/) {
+ return "FAIL"
+ }
+ }
+
+ function parse(name, description, has_subtests, result_line) {
+ has_subtests = 0
+
+ # Consume every line up to the result line
+ result_line = " " regx_escape_literal(name) " (OK|FAILED)"
+ do {
+ getline
+
+ # If this is a subtest (denoted by an "o" bullet) then subparse
+ if($0 ~ /^o /) {
+ parse($2, description " : " substr($0, index($0, $3)))
+ has_subtests = 1
+ }
+ } while ($0 !~ result_line)
+
+ # Only print the results for the deepest nested subtests
+ if(!has_subtests) {
+ print result($2) ": " name(name) " - " description
+ }
+ }
+
+ # Start parsing at the beginning of every test (denoted by a "*" bullet)
+ /^\* / { parse($2, substr($0, index($0, $3))) }
+
+'
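Review bot: In `parse()`, the bare `getline` inside the `do … while` loop never has its return value checked. If xtest's output ends before the expected result line (a crash or truncated output), `$0` stops changing and the loop spins forever instead of the run ending. Testing it, for example `if ((getline) <= 0) return`, ends the parse; a `FAIL` line for the interrupted test could be printed at that point as well. `result()` also returns nothing when the line matches neither `OK` nor `FAILED`, and `regx_escape_literal()` assigns `ret` but then modifies and returns `str`, leaving `ret` unused. Because xtest feeds a pipe, its exit status is discarded and a non-zero exit is not reflected in the ptest outcome.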
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test_3.14.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-test_3.14.0.bb
new file mode 100644
index 0000000..6367c27
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-test_3.14.0.bb
@@ -0,0 +1,3 @@
+require optee-test.inc
+
+SRCREV = "f2eb88affbb7f028561b4fd5cbd049d5d704f741"
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-test_3.17.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-test_3.17.0.bb
new file mode 100644
index 0000000..18870da
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-test_3.17.0.bb
@@ -0,0 +1,10 @@
+require optee-test.inc
+
+SRC_URI:append = " \
+ file://musl-workaround.patch \
+ "
+SRCREV = "44a31d02379bd8e50762caa5e1592ad81e3339af"
+
+EXTRA_OEMAKE:append:libc-musl = " OPTEE_OPENSSL_EXPORT=${STAGING_INCDIR}"
+DEPENDS:append:libc-musl = " openssl"
+CFLAGS:append:libc-musl = " -Wno-error=deprecated-declarations"
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee.inc b/meta-arm/meta-arm/recipes-security/optee/optee.inc
new file mode 100644
index 0000000..06c67cf
--- /dev/null
+++ b/meta-arm/meta-arm/recipes-security/optee/optee.inc
@@ -0,0 +1,33 @@
+UPSTREAM_CHECK_GITTAGREGEX = "^(?P<pver>\d+(\.\d+)+)$"
+
+COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE:qemuarm64 ?= "qemuarm64"
+COMPATIBLE_MACHINE:qemu-generic-arm64 ?= "qemu-generic-arm64"
+COMPATIBLE_MACHINE:qemuarm ?= "qemuarm"
+# Please add supported machines below or set it in .bbappend or .conf
+
+OPTEEMACHINE ?= "${MACHINE}"
+OPTEEMACHINE:aarch64:qemuall ?= "vexpress-qemu_armv8a"
+OPTEEMACHINE:arm:qemuall ?= "vexpress-qemu_virt"
+
+OPTEE_ARCH = "null"
+OPTEE_ARCH:arm = "arm32"
+OPTEE_ARCH:aarch64 = "arm64"
+OPTEE_CORE = "${@d.getVar('OPTEE_ARCH').upper()}"
+
+OPTEE_TOOLCHAIN = "${@d.getVar('TOOLCHAIN') or 'gcc'}"
+OPTEE_COMPILER = "${@bb.utils.contains("BBFILE_COLLECTIONS", "clang-layer", "${OPTEE_TOOLCHAIN}", "gcc", d)}"
+
+# Set here but not passed to EXTRA_OEMAKE by default as that breaks
+# the optee-os build
+TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
+
+EXTRA_OEMAKE += "V=1 \
+ LIBGCC_LOCATE_CFLAGS='${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}' \
+ COMPILER=${OPTEE_COMPILER} \
+ OPTEE_CLIENT_EXPORT=${STAGING_DIR_HOST}${prefix} \
+ TEEC_EXPORT=${STAGING_DIR_HOST}${prefix} \
+ "
+# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
+# right path until this is relocated automatically.
+export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"