summaryrefslogtreecommitdiffstats
path: root/bsp/meta-arm/meta-arm
diff options
context:
space:
mode:
Diffstat (limited to 'bsp/meta-arm/meta-arm')
-rw-r--r--bsp/meta-arm/meta-arm/conf/layer.conf16
-rw-r--r--bsp/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc169
-rw-r--r--bsp/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.1.bb38
-rw-r--r--bsp/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.2.bb38
-rw-r--r--bsp/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.3.bb38
-rw-r--r--bsp/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_git.bb31
-rw-r--r--bsp/meta-arm/meta-arm/recipes-devtools/opencsd/opencsd_git.bb31
-rw-r--r--bsp/meta-arm/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service10
-rw-r--r--bsp/meta-arm/meta-arm/recipes-security/optee/optee-client_git.bb41
-rw-r--r--bsp/meta-arm/meta-arm/recipes-security/optee/optee-examples_git.bb47
-rw-r--r--bsp/meta-arm/meta-arm/recipes-security/optee/optee-os/0001-allow-setting-sysroot-for-libgcc-lookup.patch13
-rw-r--r--bsp/meta-arm/meta-arm/recipes-security/optee/optee-os_git.bb80
-rw-r--r--bsp/meta-arm/meta-arm/recipes-security/optee/optee-test_git.bb50
-rw-r--r--bsp/meta-arm/meta-arm/recipes-security/optee/optee.inc2
14 files changed, 604 insertions, 0 deletions
diff --git a/bsp/meta-arm/meta-arm/conf/layer.conf b/bsp/meta-arm/meta-arm/conf/layer.conf
new file mode 100644
index 00000000..d96e9f1b
--- /dev/null
+++ b/bsp/meta-arm/meta-arm/conf/layer.conf
@@ -0,0 +1,16 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have recipes-* directories, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+ ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "meta-arm"
+BBFILE_PATTERN_meta-arm = "^${LAYERDIR}/"
+BBFILE_PRIORITY_meta-arm = "6"
+
+LAYERDEPENDS_meta-arm = " \
+ core \
+ meta-python \
+"
+LAYERSERIES_COMPAT_meta-arm = "warrior zeus dunfell"
diff --git a/bsp/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/bsp/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
new file mode 100644
index 00000000..fe9a4e09
--- /dev/null
+++ b/bsp/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
@@ -0,0 +1,169 @@
+DESCRIPTION = "Trusted Firmware-A"
+LICENSE = "BSD & Apache-2.0"
+
+PROVIDES = "virtual/trusted-firmware-a"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+inherit deploy
+
+COMPATIBLE_MACHINE ?= "invalid"
+
+# Platform must be set for each machine
+TFA_PLATFORM ?= "invalid"
+
+# Some platforms can have multiple board configurations
+# Leave empty for default behavior
+TFA_BOARD ?= ""
+
+# Some platforms use SPD (Secure Payload Dispatcher) services
+# Few options are "opteed", "tlkd", "trusty", "tspd"...
+# Leave empty to not use SPD
+TFA_SPD ?= ""
+
+# Build for debug (set TFA_DEBUG to 1 to activate)
+TFA_DEBUG ?= "0"
+
+B = "${WORKDIR}/build"
+
+# mbed TLS support (set TFA_MBEDTLS to 1 to activate)
+TFA_MBEDTLS ?= "0"
+# sub-directory in which mbedtls will be downloaded
+TFA_MBEDTLS_DIR ?= "mbedtls"
+# This should be set to MBEDTLS download URL if MBEDTLS is needed
+SRC_URI_MBEDTLS ??= ""
+# This should be set to MBEDTLS LIC FILES checksum
+LIC_FILES_CHKSUM_MBEDTLS ??= ""
+# add MBEDTLS to our sources if activated
+SRC_URI += "${@bb.utils.contains('TFA_MBEDTLS', '1', '${SRC_URI_MBEDTLS}', '', d)}"
+# add mbed TLS chksum
+LIC_FILES_CHKSUM += "${@bb.utils.contains('TFA_MBEDTLS', '1', '${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}"
+# add mbed TLS to version
+SRCREV_FORMAT_append = "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '', d)}"
+
+# U-boot support (set TFA_UBOOT to 1 to activate)
+# When U-Boot support is activated BL33 is activated with u-boot.bin file
+TFA_UBOOT ?= "0"
+
+# What to build
+# By default we only build bl1, do_deploy will copy
+# everything listed in this variable (by default bl1.bin)
+TFA_BUILD_TARGET ?= "bl1"
+
+# What to install
+# do_install and do_deploy will install everything listed in this
+# variable. It is set by default to TFA_BUILD_TARGET
+TFA_INSTALL_TARGET ?= "${TFA_BUILD_TARGET}"
+
+# Requires CROSS_COMPILE set by hand as there is no configure script
+export CROSS_COMPILE="${TARGET_PREFIX}"
+
+# Let the Makefile handle setting up the CFLAGS and LDFLAGS as it is a standalone application
+CFLAGS[unexport] = "1"
+LDFLAGS[unexport] = "1"
+AS[unexport] = "1"
+LD[unexport] = "1"
+
+# No configure
+do_configure[noexec] = "1"
+
+# We need dtc for dtbs compilation
+# We need openssl for fiptool
+DEPENDS_append = " dtc-native openssl-native"
+
+# Add platform parameter
+EXTRA_OEMAKE += "BUILD_BASE=${B} PLAT=${TFA_PLATFORM}"
+
+# Handle TFA_BOARD parameter
+EXTRA_OEMAKE += "${@'TARGET_BOARD=${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
+BUILD_DIR = "${TFA_PLATFORM}${@'/${TFA_BOARD}' if d.getVar('TFA_BOARD') else ''}"
+
+# Handle TFA_SPD parameter
+EXTRA_OEMAKE += "${@'SPD=${TFA_SPD}' if d.getVar('TFA_SPD') else ''}"
+
+# Handle TFA_DEBUG parameter
+EXTRA_OEMAKE += "${@bb.utils.contains('TFA_DEBUG', '1', 'DEBUG=${TFA_DEBUG}', '', d)}"
+
+# Handle MBEDTLS
+EXTRA_OEMAKE += "${@bb.utils.contains('TFA_MBEDTLS', '1', 'MBEDTLS_DIR=${TFA_MBEDTLS_DIR}', '', d)}"
+
+# Uboot support
+DEPENDS += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot', '', d)}"
+do_compile[depends] += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot:do_deploy', '', d)}"
+EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UBOOT', '1', 'BL33=${DEPLOY_DIR_IMAGE}/u-boot.bin', '',d)}"
+
+# The following hack is needed to fit properly in yocto build environment
+# TFA is forcing the host compiler and its flags in the Makefile using :=
+# assignment for GCC and CFLAGS.
+do_compile() {
+ cd ${S}
+
+ # These changes are needed to have the fiptool compiling and executing properly
+ sed -i '/^LDLIBS/ s,$, \-L${RECIPE_SYSROOT_NATIVE}${libdir},' ${S}/tools/fiptool/Makefile
+ sed -i '/^INCLUDE_PATHS/ s,$, \-I${RECIPE_SYSROOT_NATIVE}${includedir},' ${S}/tools/fiptool/Makefile
+ export LD_LIBRARY_PATH=${STAGING_DIR_NATIVE}${libdir}:$LD_LIBRARY_PATH
+
+ oe_runmake ${TFA_BUILD_TARGET}
+}
+do_compile[cleandirs] = "${B}"
+
+do_install() {
+ if ${@"true" if d.getVar('TFA_DEBUG') == '1' else "false"}; then
+ BUILD_PLAT=${B}/${BUILD_DIR}/debug/
+ else
+ BUILD_PLAT=${B}/${BUILD_DIR}/release/
+ fi
+
+ install -d -m 755 ${D}/firmware
+ for atfbin in ${TFA_INSTALL_TARGET}; do
+ processes="0"
+ if [ "$atfbin" = "all" ]; then
+ # Target all is not handled by default
+ bberror "all as TFA_INSTALL_TARGET is not handled by do_install"
+ bberror "Please specify valid targets in TFA_INSTALL_TARGET or"
+ bberror "rewrite or turn off do_install"
+ exit 1
+ fi
+
+ if [ -f $BUILD_PLAT/$atfbin.bin ]; then
+ echo "Install $atfbin.bin"
+ install -m 0644 $BUILD_PLAT/$atfbin.bin \
+ ${D}/firmware/$atfbin-${TFA_PLATFORM}.bin
+ ln -sf $atfbin-${TFA_PLATFORM}.bin ${D}/firmware/$atfbin.bin
+ processes="1"
+ fi
+ if [ -f $BUILD_PLAT/$atfbin/$atfbin.elf ]; then
+ echo "Install $atfbin.elf"
+ install -m 0644 $BUILD_PLAT/$atfbin/$atfbin.elf \
+ ${D}/firmware/$atfbin-${TFA_PLATFORM}.elf
+ ln -sf $atfbin-${TFA_PLATFORM}.elf ${D}/firmware/$atfbin.elf
+ processes="1"
+ fi
+ if [ -f $BUILD_PLAT/$atfbin ]; then
+ echo "Install $atfbin"
+ install -m 0644 $BUILD_PLAT/$atfbin \
+ ${D}/firmware/$atfbin-${TFA_PLATFORM}
+ ln -sf $atfbin-${TFA_PLATFORM} ${D}/firmware/$atfbin
+ processes="1"
+ fi
+
+ if [ "$atfbin" = "dtbs" ]; then
+ echo "dtbs install, skipped"
+ elif [ -f ${B}/tools/$atfbin/$atfbin ]; then
+ echo "Tools $atfbin install, skipped"
+ elif [ "$processed" = "0" ]; then
+ bberror "Unsupported TFA_INSTALL_TARGET target $atfbin"
+ exit 1
+ fi
+ done
+}
+
+FILES_${PN} = "/firmware"
+SYSROOT_DIRS += "/firmware"
+# Skip QA check for relocations in .text of elf binaries
+INSANE_SKIP_${PN} = "textrel"
+
+do_deploy() {
+ cp -rf ${D}/firmware/* ${DEPLOYDIR}/
+}
+addtask deploy after do_install
diff --git a/bsp/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.1.bb b/bsp/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.1.bb
new file mode 100644
index 00000000..4d412027
--- /dev/null
+++ b/bsp/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.1.bb
@@ -0,0 +1,38 @@
+#
+# Trusted firmware-A 2.1
+#
+
+require trusted-firmware-a.inc
+
+SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https;name=tfa"
+
+# Use TF-A for version
+SRCREV_FORMAT = "tfa"
+
+# TF-A v2.1
+SRCREV_tfa = "e1286bdb968ee74fc52f96cf303a4218e1ae2950"
+
+S = "${WORKDIR}/git"
+
+LIC_FILES_CHKSUM = "file://license.rst;md5=c709b197e22b81ede21109dbffd5f363"
+
+SRC_URI[tfa.md5sum] = "75c8f4958fb493d9bd7a8e5a9636ec18"
+SRC_URI[tfa.sha256sum] = "7c4c00a4f28d3cfbb235fd1a1fb28c4d2fc1d657c9301686e7d8824ef575d059"
+
+#
+# mbed TLS source
+# Those are used in trusted-firmware-a.inc if TFA_MBEDTLS is set to 1
+#
+
+SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;destsuffix=git/mbedtls"
+
+# mbed TLS v2.16.2
+SRCREV_mbedtls = "d81c11b8ab61fd5b2da8133aa73c5fe33a0633eb"
+
+LIC_FILES_CHKSUM_MBEDTLS += " \
+ file://mbedtls/apache-2.0.txt;md5=3b83ef96387f14655fc854ddc3c6bd57 \
+ file://mbedtls/LICENSE;md5=302d50a6369f5f22efdb674db908167a \
+ "
+
+SRC_URI[mbedtls.md5sum] = "37cdec398ae9ebdd4640df74af893c95"
+SRC_URI[mbedtls.sha256sum] = "a6834fcd7b7e64b83dfaaa6ee695198cb5019a929b2806cb0162e049f98206a4"
diff --git a/bsp/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.2.bb b/bsp/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.2.bb
new file mode 100644
index 00000000..4d5316ea
--- /dev/null
+++ b/bsp/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.2.bb
@@ -0,0 +1,38 @@
+#
+# Trusted firmware-A 2.2
+#
+
+require trusted-firmware-a.inc
+
+SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https;name=tfa"
+
+# Use TF-A for version
+SRCREV_FORMAT = "tfa"
+
+# TF-A v2.2
+SRCREV_tfa = "7192b956bde11652a835eee0724dca0e403fee90"
+
+S = "${WORKDIR}/git"
+
+LIC_FILES_CHKSUM = "file://docs/license.rst;md5=189505435dbcdcc8caa63c46fe93fa89"
+
+SRC_URI[tfa.md5sum] = "75c8f4958fb493d9bd7a8e5a9636ec18"
+SRC_URI[tfa.sha256sum] = "7c4c00a4f28d3cfbb235fd1a1fb28c4d2fc1d657c9301686e7d8824ef575d059"
+
+#
+# mbed TLS source
+# Those are used in trusted-firmware-a.inc if TFA_MBEDTLS is set to 1
+#
+
+SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;destsuffix=git/mbedtls"
+
+# mbed TLS v2.16.2
+SRCREV_mbedtls = "d81c11b8ab61fd5b2da8133aa73c5fe33a0633eb"
+
+LIC_FILES_CHKSUM_MBEDTLS += " \
+ file://mbedtls/apache-2.0.txt;md5=3b83ef96387f14655fc854ddc3c6bd57 \
+ file://mbedtls/LICENSE;md5=302d50a6369f5f22efdb674db908167a \
+ "
+
+SRC_URI[mbedtls.md5sum] = "37cdec398ae9ebdd4640df74af893c95"
+SRC_URI[mbedtls.sha256sum] = "a6834fcd7b7e64b83dfaaa6ee695198cb5019a929b2806cb0162e049f98206a4"
diff --git a/bsp/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.3.bb b/bsp/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.3.bb
new file mode 100644
index 00000000..bfda87bc
--- /dev/null
+++ b/bsp/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.3.bb
@@ -0,0 +1,38 @@
+#
+# Trusted firmware-A 2.3
+#
+
+require trusted-firmware-a.inc
+
+SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https;name=tfa"
+
+# Use TF-A for version
+SRCREV_FORMAT = "tfa"
+
+# TF-A v2.3
+SRCREV_tfa = "ecd27ad85f1eba29f6bf92c39dc002c85b07dad5"
+
+S = "${WORKDIR}/git"
+
+LIC_FILES_CHKSUM = "file://docs/license.rst;md5=189505435dbcdcc8caa63c46fe93fa89"
+
+SRC_URI[tfa.md5sum] = "75c8f4958fb493d9bd7a8e5a9636ec18"
+SRC_URI[tfa.sha256sum] = "7c4c00a4f28d3cfbb235fd1a1fb28c4d2fc1d657c9301686e7d8824ef575d059"
+
+#
+# mbed TLS source
+# Those are used in trusted-firmware-a.inc if TFA_MBEDTLS is set to 1
+#
+
+SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;destsuffix=git/mbedtls"
+
+# mbed TLS v2.18.1
+SRCREV_mbedtls = "ca933c7e0c9e84738b168b6b0feb89af4183a60a"
+
+LIC_FILES_CHKSUM_MBEDTLS += " \
+ file://mbedtls/apache-2.0.txt;md5=3b83ef96387f14655fc854ddc3c6bd57 \
+ file://mbedtls/LICENSE;md5=302d50a6369f5f22efdb674db908167a \
+ "
+
+SRC_URI[mbedtls.md5sum] = "37cdec398ae9ebdd4640df74af893c95"
+SRC_URI[mbedtls.sha256sum] = "a6834fcd7b7e64b83dfaaa6ee695198cb5019a929b2806cb0162e049f98206a4"
diff --git a/bsp/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_git.bb b/bsp/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_git.bb
new file mode 100644
index 00000000..c443ecd6
--- /dev/null
+++ b/bsp/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_git.bb
@@ -0,0 +1,31 @@
+# Trusted firmware-A points a commit rather a tag
+#
+# This is only a base receipt and should be bbextended with suitable SRCREV_tfa
+# and SRCREV_MBEDTLS and target TFA_* variables
+
+# Never select this if another version is available
+DEFAULT_PREFERENCE = "-1"
+
+require trusted-firmware-a.inc
+
+SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https;name=tfa"
+
+# Use TF-A for version
+SRCREV_FORMAT = "tfa"
+
+S = "${WORKDIR}/git"
+
+LIC_FILES_CHKSUM = "file://docs/license.rst;md5=189505435dbcdcc8caa63c46fe93fa89"
+
+#
+# mbed TLS source
+# Those are used in trusted-firmware-a.inc if TFA_MBEDTLS is set to 1
+#
+
+SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;destsuffix=git/mbedtls"
+
+LIC_FILES_CHKSUM_MBEDTLS += " \
+ file://mbedtls/apache-2.0.txt;md5=3b83ef96387f14655fc854ddc3c6bd57 \
+ file://mbedtls/LICENSE;md5=302d50a6369f5f22efdb674db908167a \
+ "
+
diff --git a/bsp/meta-arm/meta-arm/recipes-devtools/opencsd/opencsd_git.bb b/bsp/meta-arm/meta-arm/recipes-devtools/opencsd/opencsd_git.bb
new file mode 100644
index 00000000..f1d4cac6
--- /dev/null
+++ b/bsp/meta-arm/meta-arm/recipes-devtools/opencsd/opencsd_git.bb
@@ -0,0 +1,31 @@
+SUMMARY = "OpenCSD - An open source CoreSight(tm) Trace Decode library"
+HOMEPAGE = "https://github.com/Linaro/OpenCSD"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=ad8cb685eb324d2fa2530b985a43f3e5"
+
+SRC_URI = "git://github.com/Linaro/OpenCSD;protocol=http;branch=master"
+SRCREV = "03c194117971e4ad0598df29395757ced2e6e9bd"
+
+S = "${WORKDIR}/git"
+
+COMPATIBLE_HOST = "(x86_64.*|aarch64.*)-linux"
+
+EXTRA_OEMAKE = "ARCH='${TARGET_ARCH}' \
+ CROSS_COMPILE='${TARGET_SYS}-' \
+ CC='${CC}' \
+ CXX='${CXX}' \
+ LIB='${AR}' \
+ LINKER='${CXX}' \
+ LINUX64=1 \
+ DEBUG=1 \
+ "
+
+do_compile() {
+ oe_runmake -C ${S}/decoder/build/linux ${EXTRA_OEMAKE}
+}
+
+do_install() {
+ oe_runmake -C ${S}/decoder/build/linux PREFIX=${D}/usr install
+}
+
+BBCLASSEXTEND = "native"
diff --git a/bsp/meta-arm/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service b/bsp/meta-arm/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
new file mode 100644
index 00000000..ffb54d39
--- /dev/null
+++ b/bsp/meta-arm/meta-arm/recipes-security/optee/optee-client/tee-supplicant.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=TEE Supplicant
+
+[Service]
+User=root
+EnvironmentFile=-/etc/default/tee-supplicant
+ExecStart=/usr/sbin/tee-supplicant $OPTARGS
+
+[Install]
+WantedBy=basic.target
diff --git a/bsp/meta-arm/meta-arm/recipes-security/optee/optee-client_git.bb b/bsp/meta-arm/meta-arm/recipes-security/optee/optee-client_git.bb
new file mode 100644
index 00000000..bae7b20f
--- /dev/null
+++ b/bsp/meta-arm/meta-arm/recipes-security/optee/optee-client_git.bb
@@ -0,0 +1,41 @@
+SUMMARY = "OP-TEE Client API"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Normal World Client side of the TEE"
+HOMEPAGE = "https://www.op-tee.org/"
+
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=69663ab153298557a59c67a60a743e5b"
+
+PV = "3.8.0+git${SRCPV}"
+
+require optee.inc
+
+inherit python3native systemd
+
+SRCREV = "be4fa2e36f717f03ca46e574aa66f697a897d090"
+SRC_URI = " \
+ git://github.com/OP-TEE/optee_client.git \
+ file://tee-supplicant.service \
+"
+
+S = "${WORKDIR}/git"
+
+SYSTEMD_SERVICE_${PN} = "tee-supplicant.service"
+
+do_install() {
+ oe_runmake install
+
+ install -D -p -m0755 ${S}/out/export/usr/sbin/tee-supplicant ${D}${sbindir}/tee-supplicant
+
+ install -D -p -m0644 ${S}/out/export/usr/lib/libteec.so.1.0 ${D}${libdir}/libteec.so.1.0
+ ln -sf libteec.so.1.0 ${D}${libdir}/libteec.so
+ ln -sf libteec.so.1.0 ${D}${libdir}/libteec.so.1
+
+ install -d ${D}${includedir}
+ install -p -m0644 ${S}/out/export/usr/include/*.h ${D}${includedir}
+
+ sed -i -e s:/etc:${sysconfdir}:g \
+ -e s:/usr/bin:${bindir}:g \
+ ${WORKDIR}/tee-supplicant.service
+
+ install -D -p -m0644 ${WORKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service
+}
diff --git a/bsp/meta-arm/meta-arm/recipes-security/optee/optee-examples_git.bb b/bsp/meta-arm/meta-arm/recipes-security/optee/optee-examples_git.bb
new file mode 100644
index 00000000..996e2cd5
--- /dev/null
+++ b/bsp/meta-arm/meta-arm/recipes-security/optee/optee-examples_git.bb
@@ -0,0 +1,47 @@
+SUMMARY = "OP-TEE examples"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Sample Applications"
+HOMEPAGE = "https://github.com/linaro-swg/optee_examples"
+
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=cd95ab417e23b94f381dafc453d70c30"
+
+PV = "3.8.0+git${SRCPV}"
+
+DEPENDS = "optee-client optee-os python3-pycryptodomex-native"
+
+inherit python3native
+
+require optee.inc
+
+SRC_URI = "git://github.com/linaro-swg/optee_examples.git"
+SRCREV = "559b2141c16bf0f57ccd72f60e4deb84fc2a05b0"
+
+S = "${WORKDIR}/git"
+
+OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
+
+EXTRA_OEMAKE = " TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+ OPTEE_CLIENT_EXPORT=${OPTEE_CLIENT_EXPORT} \
+ TEEC_EXPORT=${TEEC_EXPORT} \
+ HOST_CROSS_COMPILE=${TARGET_PREFIX} \
+ TA_CROSS_COMPILE=${TARGET_PREFIX} \
+ V=1 \
+ "
+
+do_compile() {
+ oe_runmake
+}
+
+do_install () {
+ mkdir -p ${D}${nonarch_base_libdir}/optee_armtz
+ mkdir -p ${D}${bindir}
+ install -D -p -m0755 ${S}/out/ca/* ${D}${bindir}
+ install -D -p -m0444 ${S}/out/ta/* ${D}${nonarch_base_libdir}/optee_armtz
+}
+
+FILES_${PN} += "${nonarch_base_libdir}/optee_armtz/"
+
+# Imports machine specific configs from staging to build
+PACKAGE_ARCH = "${MACHINE_ARCH}"
diff --git a/bsp/meta-arm/meta-arm/recipes-security/optee/optee-os/0001-allow-setting-sysroot-for-libgcc-lookup.patch b/bsp/meta-arm/meta-arm/recipes-security/optee/optee-os/0001-allow-setting-sysroot-for-libgcc-lookup.patch
new file mode 100644
index 00000000..17127d0b
--- /dev/null
+++ b/bsp/meta-arm/meta-arm/recipes-security/optee/optee-os/0001-allow-setting-sysroot-for-libgcc-lookup.patch
@@ -0,0 +1,13 @@
+diff --git a/mk/gcc.mk b/mk/gcc.mk
+index fc38c4d..77b8d74 100644
+--- a/mk/gcc.mk
++++ b/mk/gcc.mk
+@@ -12,7 +12,7 @@ nostdinc$(sm) := -nostdinc -isystem $(shell $(CC$(sm)) \
+ -print-file-name=include 2> /dev/null)
+
+ # Get location of libgcc from gcc
+-libgcc$(sm) := $(shell $(CC$(sm)) $(CFLAGS$(arch-bits-$(sm))) $(comp-cflags$(sm)) \
++libgcc$(sm) := $(shell $(CC$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CFLAGS$(arch-bits-$(sm))) $(comp-cflags$(sm)) \
+ -print-libgcc-file-name 2> /dev/null)
+
+ # Define these to something to discover accidental use
diff --git a/bsp/meta-arm/meta-arm/recipes-security/optee/optee-os_git.bb b/bsp/meta-arm/meta-arm/recipes-security/optee/optee-os_git.bb
new file mode 100644
index 00000000..dfff6d10
--- /dev/null
+++ b/bsp/meta-arm/meta-arm/recipes-security/optee/optee-os_git.bb
@@ -0,0 +1,80 @@
+SUMMARY = "OP-TEE Trusted OS"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Trusted side of the TEE"
+HOMEPAGE = "https://www.op-tee.org/"
+
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173"
+
+PV = "3.8.0+git${SRCPV}"
+
+inherit deploy python3native
+require optee.inc
+
+DEPENDS = "python3-pycrypto-native python3-pyelftools-native python3-pycryptodomex-native"
+
+SRCREV = "023e33656e2c9557ce50ad63a98b2e2c9b51c118"
+SRC_URI = " \
+ git://github.com/OP-TEE/optee_os.git \
+ file://0001-allow-setting-sysroot-for-libgcc-lookup.patch \
+"
+
+S = "${WORKDIR}/git"
+
+OPTEEMACHINE ?= "${MACHINE}"
+OPTEEOUTPUTMACHINE ?= "${MACHINE}"
+
+OPTEE_ARCH = "null"
+OPTEE_ARCH_armv7a = "arm32"
+OPTEE_ARCH_aarch64 = "arm64"
+OPTEE_CORE = "${@d.getVar('OPTEE_ARCH').upper()}"
+
+EXTRA_OEMAKE = " \
+ PLATFORM=${OPTEEMACHINE} \
+ CFG_${OPTEE_CORE}_core=y \
+ CROSS_COMPILE_core=${HOST_PREFIX} \
+ CROSS_COMPILE_ta_${OPTEE_ARCH}=${HOST_PREFIX} \
+ NOWERROR=1 \
+ V=1 \
+ ta-targets=ta_${OPTEE_ARCH} \
+ LIBGCC_LOCATE_CFLAGS=--sysroot=${STAGING_DIR_HOST} \
+"
+
+CFLAGS[unexport] = "1"
+LDFLAGS[unexport] = "1"
+CPPFLAGS[unexport] = "1"
+AS[unexport] = "1"
+LD[unexport] = "1"
+
+do_configure[noexec] = "1"
+
+do_compile() {
+ oe_runmake all CFG_TEE_TA_LOG_LEVEL=0
+}
+
+do_install() {
+ #install core in firmware
+ install -d ${D}${nonarch_base_libdir}/firmware/
+ install -m 644 ${B}/out/arm-plat-${OPTEEOUTPUTMACHINE}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
+
+ #install TA devkit
+ install -d ${D}${includedir}/optee/export-user_ta/
+ for f in ${B}/out/arm-plat-${OPTEEOUTPUTMACHINE}/export-ta_${OPTEE_ARCH}/* ; do
+ cp -aR $f ${D}${includedir}/optee/export-user_ta/
+ done
+}
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+do_deploy() {
+ install -d ${DEPLOYDIR}/optee
+ install -m 644 ${D}${nonarch_base_libdir}/firmware/* ${DEPLOYDIR}/optee/
+}
+
+addtask deploy before do_build after do_install
+
+FILES_${PN} = "${nonarch_base_libdir}/firmware/"
+FILES_${PN}-dev = "${includedir}/optee/"
+
+INSANE_SKIP_${PN}-dev = "staticdev"
+
+INHIBIT_PACKAGE_STRIP = "1"
diff --git a/bsp/meta-arm/meta-arm/recipes-security/optee/optee-test_git.bb b/bsp/meta-arm/meta-arm/recipes-security/optee/optee-test_git.bb
new file mode 100644
index 00000000..ee73a2c6
--- /dev/null
+++ b/bsp/meta-arm/meta-arm/recipes-security/optee/optee-test_git.bb
@@ -0,0 +1,50 @@
+SUMMARY = "OP-TEE sanity testsuite"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Test suite"
+HOMEPAGE = "https://www.op-tee.org/"
+
+LICENSE = "BSD & GPLv2"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa"
+
+inherit python3native
+require optee.inc
+
+DEPENDS = "optee-client optee-os python3-pycryptodomex-native"
+
+PV = "3.8.0+git${SRCPV}"
+
+SRCREV = "30481e381cb4285706e7516853495a7699c93b2c"
+SRC_URI = "git://github.com/OP-TEE/optee_test.git"
+
+S = "${WORKDIR}/git"
+
+OPTEE_CLIENT_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
+TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
+
+EXTRA_OEMAKE = " TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+ OPTEE_CLIENT_EXPORT=${OPTEE_CLIENT_EXPORT} \
+ TEEC_EXPORT=${TEEC_EXPORT} \
+ CROSS_COMPILE_HOST=${TARGET_PREFIX} \
+ CROSS_COMPILE_TA=${TARGET_PREFIX} \
+ V=1 \
+ "
+
+do_compile() {
+ # Top level makefile doesn't seem to handle parallel make gracefully
+ oe_runmake xtest
+ oe_runmake ta
+}
+
+do_install () {
+ install -D -p -m0755 ${S}/out/xtest/xtest ${D}${bindir}/xtest
+
+ # install path should match the value set in optee-client/tee-supplicant
+ # default TEEC_LOAD_PATH is /lib
+ mkdir -p ${D}${nonarch_base_libdir}/optee_armtz/
+ install -D -p -m0444 ${S}/out/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
+}
+
+FILES_${PN} += "${nonarch_base_libdir}/optee_armtz/"
+
+# Imports machine specific configs from staging to build
+PACKAGE_ARCH = "${MACHINE_ARCH}"
diff --git a/bsp/meta-arm/meta-arm/recipes-security/optee/optee.inc b/bsp/meta-arm/meta-arm/recipes-security/optee/optee.inc
new file mode 100644
index 00000000..b3e52713
--- /dev/null
+++ b/bsp/meta-arm/meta-arm/recipes-security/optee/optee.inc
@@ -0,0 +1,2 @@
+COMPATIBLE_MACHINE ?= "invalid"
+# Please add supported machines below or set it in .bbappend or .conf