optee: add recipes for building optee from source

Recipes are patterned after those in meta-arm, with the
following changes:

* Sources are obtained from the NVIDIA L4T public_sources archive.
* The TA development kit requires a distinct recipe to allow
  for building an out-of-tree TA from the NVIDIA samples into
  the optee OS image.
* Jetson targets need a special tool to bundle TF-A with OP-TEE
  into the secure OS image, and deployment happens in that recipe.

Signed-off-by: Matt Madison <matt@madison.systems>

recipes-security/optee/optee-client/0001-Update-Makefile-for-OE-compatibility.patch

@@ -0,0 +1,67 @@
+From 3088da2e93ca40f45cef2b33f3fa595fccd73ddf Mon Sep 17 00:00:00 2001
+From: Matt Madison <matt@madison.systems>
+Date: Sun, 23 Oct 2022 05:53:33 -0700
+Subject: [PATCH] Update Makefile for OE compatibility
+
+* Use install instead of cp
+* Use GBS standard names for target directory variables
+
+Signed-off-by: Matt Madison <matt@madison.systems>
+---
+ Makefile | 36 +++++++++++++++++++++---------------
+ 1 file changed, 21 insertions(+), 15 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index d7aa316..9be28f8 100644
+--- a/Makefile
++++ b/Makefile
+@@ -12,9 +12,9 @@ export VPREFIX
+ 
+ EXPORT_DIR ?= $(O)/export
+ DESTDIR ?= $(EXPORT_DIR)
+-SBINDIR ?= /usr/sbin
+-LIBDIR ?= /usr/lib
+-INCLUDEDIR ?= /usr/include
++sbindir ?= /usr/sbin
++libdir ?= /usr/lib
++includedir ?= /usr/include
+ 
+ .PHONY: all build build-libteec build-libckteec build-libseteec install copy_export \
+ 	clean cscope clean-cscope \
+@@ -135,15 +135,21 @@ checkpatch-all-files: checkpatch-pre-req
+ distclean: clean
+ 
+ copy_export: build
+-	mkdir -p $(DESTDIR)$(SBINDIR) $(DESTDIR)$(LIBDIR) $(DESTDIR)$(INCLUDEDIR)
+-	cp config.mk $(DESTDIR)/$(INCLUDEDIR)/optee_client_config.mk
+-	cp -a ${O}/libteec/libteec.so* $(DESTDIR)$(LIBDIR)
+-	cp -a ${O}/libteec/libteec.a $(DESTDIR)$(LIBDIR)
+-	cp ${O}/tee-supplicant/tee-supplicant $(DESTDIR)$(SBINDIR)
+-	cp public/*.h $(DESTDIR)$(INCLUDEDIR)
+-	cp libckteec/include/*.h $(DESTDIR)$(INCLUDEDIR)
+-	cp -a ${O}/libckteec/libckteec.so* $(DESTDIR)$(LIBDIR)
+-	cp -a ${O}/libckteec/libckteec.a $(DESTDIR)$(LIBDIR)
+-	cp libseteec/include/*.h $(DESTDIR)$(INCLUDEDIR)
+-	cp -a ${O}/libseteec/libseteec.so* $(DESTDIR)$(LIBDIR)
+-	cp -a ${O}/libseteec/libseteec.a $(DESTDIR)$(LIBDIR)
++	install -d $(DESTDIR)$(sbindir) $(DESTDIR)$(libdir) $(DESTDIR)$(includedir)
++	install -m 0644 config.mk $(DESTDIR)/$(includedir)/optee_client_config.mk
++	install -m 0644 ${O}/libteec/libteec.so.1.0.0 $(DESTDIR)$(libdir)
++	ln -sf libteec.so.1.0.0 $(DESTDIR)$(libdir)/libteec.so.1.0
++	ln -sf libteec.so.1.0.0 $(DESTDIR)$(libdir)/libteec.so.1
++	install -m 0644 ${O}/libteec/libteec.a $(DESTDIR)$(libdir)
++	install -m 0755 ${O}/tee-supplicant/tee-supplicant $(DESTDIR)$(sbindir)
++	install -m 0644 public/*.h $(DESTDIR)$(includedir)
++	install -m 0644 libckteec/include/*.h $(DESTDIR)$(includedir)
++	install -m 0644 ${O}/libckteec/libckteec.so.0.1.0 $(DESTDIR)$(libdir)
++	ln -sf libckteec.so.0.1.0 $(DESTDIR)$(libdir)/libckteec.so.0.1
++	ln -sf libckteec.so.0.1.0 $(DESTDIR)$(libdir)/libckteec.so.0
++	install -m 0644 ${O}/libckteec/libckteec.a $(DESTDIR)$(libdir)
++	install -m 0644 libseteec/include/*.h $(DESTDIR)$(includedir)
++	install -m 0644 ${O}/libseteec/libseteec.so.0.1.0 $(DESTDIR)$(libdir)
++	ln -sf libseteec.so.0.1.0 $(DESTDIR)$(libdir)/libseteec.so.0.1
++	ln -sf libseteec.so.0.1.0 $(DESTDIR)$(libdir)/libseteec.so.0
++	install -m 0644 ${O}/libseteec/libseteec.a $(DESTDIR)$(libdir)
+-- 
+2.34.1
+

recipes-security/optee/optee-client/tee-supplicant.service.in

@@ -0,0 +1,10 @@
+[Unit]
+Description=TEE Supplicant
+
+[Service]
+User=root
+EnvironmentFile=-@sysconfdir@/default/tee-supplicant
+ExecStart=@sbindir@/tee-supplicant $OPTARGS
+
+[Install]
+WantedBy=basic.target

recipes-security/optee/optee-client/tee-supplicant.sh.in

@@ -0,0 +1,41 @@
+#!/bin/sh
+
+NAME=tee-supplicant
+PATH=@stripped_path@
+DESC="OP-TEE Supplicant"
+
+DAEMON=@sbindir@/$NAME
+OPTARGS=
+
+test -f $DAEMON || exit 0
+
+test -f @sysconfdir@/default/$NAME && . @sysconfdir@/default/$NAME
+test -f @sysconfdir@/default/rcS && . @sysconfdir@/default/rcS
+
+SSD_OPTIONS="--oknodo --quiet --exec $DAEMON -- -d $OPTARGS"
+
+set -e
+
+case $1 in
+    start)
+	    echo -n "Starting $DESC: "
+	    start-stop-daemon --start $SSD_OPTIONS
+        echo "${DAEMON##*/}."
+        ;;
+    stop)
+	    echo -n "Stopping $DESC: "
+	    start-stop-daemon --stop $SSD_OPTIONS
+        echo "${DAEMON##*/}."
+        ;;
+    restart|force-reload)
+	    $0 stop
+	    sleep 1
+	    $0 start
+        ;;
+    *)
+        echo "Usage: $0 {start|stop|restart|force-reload}" >&2
+        exit 1
+        ;;
+esac
+
+exit 0

recipes-security/optee/optee-client_3.16.0-l4t-r35.1.0.bb

@@ -0,0 +1,51 @@
+SUMMARY = "OP-TEE Client API"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Normal World \
+  Client side of the TEE"
+HOMEPAGE = "https://www.op-tee.org/"
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b"
+
+require optee-l4t.inc
+
+TEGRA_SRC_SUBARCHIVE_OPTS = "--strip-components=1 optee/optee_client"
+
+SRC_URI += "\
+    file://0001-Update-Makefile-for-OE-compatibility.patch \
+    file://tee-supplicant.service.in \
+    file://tee-supplicant.sh.in \
+"
+
+DEPENDS = "optee-os-tadevkit"
+
+S = "${WORKDIR}/optee_client"
+B = "${WORKDIR}/build"
+
+inherit systemd update-rc.d
+
+OPTEE_FS_PARENT_PATH ?= "${localstatedir}/lib/tee"
+
+EXTRA_OEMAKE += "CFG_TEE_FS_PARENT_PATH=${OPTEE_FS_PARENT_PATH}"
+
+do_compile() {
+    oe_runmake -C ${S} build
+    sed -e's,@sbindir@,${sbindir},g' \
+        -e's,@sysconfdir@,${sysconfdir},g' \
+        ${WORKDIR}/tee-supplicant.service.in >${B}/tee-supplicant.service
+    sed -e's,@sbindir@,${sbindir},g' \
+        -e's,@sysconfdir@,${sysconfdir},g' \
+        -e's,@stripped_path@,${base_sbindir}:${base_bindir}:${sbindir}:${bindir},g' \
+        ${WORKDIR}/tee-supplicant.sh.in >${B}/tee-supplicant.sh
+}
+
+do_install() {
+    oe_runmake -C ${S} install DESTDIR="${D}"
+    install -d ${D}${systemd_system_unitdir} ${D}${sysconfdir}/init.d
+    install -m 0644 ${B}/tee-supplicant.service ${D}${systemd_system_unitdir}/
+    install -m 0755 ${B}/tee-supplicant.sh ${D}${sysconfdir}/init.d/
+}
+
+SYSTEMD_SERVICE:${PN} = "tee-supplicant.service"
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME:${PN} = "tee-supplicant"
+INITSCRIPT_PARAMS:${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ."

recipes-security/optee/optee-l4t.inc

@@ -0,0 +1,27 @@
+COMPATIBLE_MACHINE = "(tegra)"
+
+TEGRA_SRC_SUBARCHIVE = "Linux_for_Tegra/source/public/nvidia-jetson-optee-source.tbz2"
+
+inherit l4t_bsp python3native
+require recipes-bsp/tegra-sources/tegra-sources-${L4T_VERSION}.inc
+
+DEPENDS = "python3-pyelftools-native python3-cryptography-native"
+# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
+# right path until this is relocated automatically.
+export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
+
+OPTEE_NV_PLATFORM ?= ""
+OPTEE_NV_PLATFORM:tegra194 = "t194"
+OPTEE_NV_PLATFORM:tegra234 = "t234"
+
+TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
+
+# Common to all of the builds
+EXTRA_OEMAKE = "\
+    V=1 \
+    O=${B} \
+    CFLAGS32='${TOOLCHAIN_OPTIONS} ${DEBUG_PREFIX_MAP}' \
+    CFLAGS64='${TOOLCHAIN_OPTIONS} ${DEBUG_PREFIX_MAP}' \
+    platform-aflags-generic='${DEBUG_PREFIX_MAP} -pipe' \
+    TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+"

recipes-security/optee/optee-nvsamples/0001-Update-makefiles-for-OE-builds.patch

@@ -0,0 +1,202 @@
+From 5bf629c5e4e0a3d6812675891f4717e8fa2c5238 Mon Sep 17 00:00:00 2001
+From: Matt Madison <matt@madison.systems>
+Date: Sun, 23 Oct 2022 07:14:08 -0700
+Subject: [PATCH] Update makefiles for OE builds
+
+- Remove the OPTEE_CLIENT_EXPORT references
+- Use install instead of cp to install host programs
+- Add LDFLAGS to nvhwkey-app build
+
+Signed-off-by: Matt Madison <matt@madison.systems>
+---
+ Makefile                  |  4 ----
+ hwkey-agent/Makefile      |  4 ----
+ hwkey-agent/host/Makefile | 13 +++++--------
+ luks-srv/Makefile         |  4 ----
+ luks-srv/host/Makefile    | 14 +++++---------
+ 5 files changed, 10 insertions(+), 29 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index da3f40b..7671e2d 100644
+--- a/Makefile
++++ b/Makefile
+@@ -4,8 +4,6 @@
+ # Input variables
+ # CROSS_COMPILE: The cross compiler.
+ # TA_DEV_KIT_DIR: The base directory of the TA-devkit.
+-# OPTEE_CLIENT_EXPORT: The base directory points to optee client's
+-#		       header files and libraries
+ # O: The base directory for build objects filetree.
+ 
+ SAMPLE_APPS_LIST := $(subst /,,$(dir $(wildcard */Makefile)))
+@@ -21,7 +19,6 @@ sample_apps:
+ 		$(MAKE) -C $$apps \
+ 			CROSS_COMPILE=$(CROSS_COMPILE) \
+ 			TA_DEV_KIT_DIR=$(TA_DEV_KIT_DIR) \
+-			OPTEE_CLIENT_EXPORT=$(OPTEE_CLIENT_EXPORT) \
+ 			O=$(O) || exit 1; \
+ 	done
+ 
+@@ -29,7 +26,6 @@ clean-apps:
+ 	@for apps in $(SAMPLE_APPS_LIST); do \
+ 		$(MAKE) -C $$apps \
+ 			TA_DEV_KIT_DIR=$(TA_DEV_KIT_DIR) \
+-			OPTEE_CLIENT_EXPORT=$(OPTEE_CLIENT_EXPORT) \
+ 			O=$(O) \
+ 			clean || exit 1; \
+ 	done
+diff --git a/hwkey-agent/Makefile b/hwkey-agent/Makefile
+index 7deda53..6557e0a 100644
+--- a/hwkey-agent/Makefile
++++ b/hwkey-agent/Makefile
+@@ -4,8 +4,6 @@
+ # Input variables
+ # CROSS_COMPILE: The cross compiler.
+ # TA_DEV_KIT_DIR: The base directory of the TA-devkit.
+-# OPTEE_CLIENT_EXPORT: The base directory points to optee client's
+-#		       header files and libraries
+ # O: The base directory for build objects filetree.
+ 
+ TARGET_DIR := $(notdir $(shell pwd))
+@@ -18,7 +16,6 @@ all:
+ 		O=$(O)/ta/$(TARGET_DIR)
+ 	$(MAKE) -C host \
+ 		CROSS_COMPILE=$(CROSS_COMPILE) \
+-		OPTEE_CLIENT_EXPORT=$(OPTEE_CLIENT_EXPORT) \
+ 		O=$(O)/ca/$(TARGET_DIR) \
+ 		--no-builtin-variables
+ 
+@@ -29,7 +26,6 @@ clean:
+ 		O=$(O)/ta/$(TARGET_DIR) \
+ 		clean
+ 	$(MAKE) -C host \
+-		OPTEE_CLIENT_EXPORT=$(OPTEE_CLIENT_EXPORT) \
+ 		O=$(O)/ca/$(TARGET_DIR) \
+ 		clean
+ 	rm -rf $(O)/ca/$(TARGET_DIR)
+diff --git a/hwkey-agent/host/Makefile b/hwkey-agent/host/Makefile
+index b7c2113..6807bbc 100644
+--- a/hwkey-agent/host/Makefile
++++ b/hwkey-agent/host/Makefile
+@@ -3,34 +3,31 @@
+ 
+ # Input variables
+ # CROSS_COMPILE: The cross compiler.
+-# OPTEE_CLIENT_EXPORT: The base directory points to optee client's
+-#		       header files and libraries
+ # O: The base directory for build objects filetree.
+ 
+ CC ?= $(CROSS_COMPILE)gcc
+ 
+ CFLAGS += -Wall -I../ta/include -I./include
+-CFLAGS += -I$(OPTEE_CLIENT_EXPORT)/include
+ CFLAGS += -fstack-protector-strong
+-LDADD += -lteec -L$(OPTEE_CLIENT_EXPORT)/lib
++LDADD += -lteec
+ 
+ SRCS = hwkey_agent_ca.c
+ OBJS = $(patsubst %.c,$(O)/%.o,$(SRCS))
+ BINARY = nvhwkey-app
+ 
+ .PHONY: all install
+-all: $(BINARY) install
++all: $(BINARY)
+ 
+ $(BINARY): $(OBJS)
+-	$(CC) -o $(O)/$@ $< $(LDADD)
++	$(CC) $(LDFLAGS) -o $(O)/$@ $< $(LDADD)
+ 
+ $(O)/%.o: %.c
+ 	mkdir -p $(O)
+ 	$(CC) $(CFLAGS) -c $< -o $@
+ 
+ install: $(BINARY)
+-	mkdir -p $(OPTEE_CLIENT_EXPORT)/sbin
+-	cp $(O)/$(BINARY) $(OPTEE_CLIENT_EXPORT)/sbin
++	install -d $(DESTDIR)$(sbindir)
++	install -m 0755 $(O)/$(BINARY) $(DESTDIR)$(sbindir)/
+ 
+ .PHONY: clean
+ clean:
+diff --git a/luks-srv/Makefile b/luks-srv/Makefile
+index dd71d34..875e893 100644
+--- a/luks-srv/Makefile
++++ b/luks-srv/Makefile
+@@ -4,8 +4,6 @@
+ # Input variables
+ # CROSS_COMPILE: The cross compiler.
+ # TA_DEV_KIT_DIR: The base directory of the TA-devkit.
+-# OPTEE_CLIENT_EXPORT: The base directory points to optee client's
+-#		       header files and libraries
+ # O: The base directory for build objects filetree.
+ 
+ TARGET_DIR := $(notdir $(shell pwd))
+@@ -18,7 +16,6 @@ all: early_ta_dir
+ 		O=$(O)/early_ta/$(TARGET_DIR)
+ 	$(MAKE) -C host \
+ 		CROSS_COMPILE=$(CROSS_COMPILE) \
+-		OPTEE_CLIENT_EXPORT=$(OPTEE_CLIENT_EXPORT) \
+ 		O=$(O)/ca/$(TARGET_DIR) \
+ 		--no-builtin-variables
+ 
+@@ -32,7 +29,6 @@ clean:
+ 		O=$(O)/early_ta/$(TARGET_DIR) \
+ 		clean
+ 	$(MAKE) -C host \
+-		OPTEE_CLIENT_EXPORT=$(OPTEE_CLIENT_EXPORT) \
+ 		O=$(O)/ca/$(TARGET_DIR) \
+ 		clean
+ 	rm -rf $(O)/early_ta/$(TARGET_DIR)
+diff --git a/luks-srv/host/Makefile b/luks-srv/host/Makefile
+index c9a2dcc..7b72181 100644
+--- a/luks-srv/host/Makefile
++++ b/luks-srv/host/Makefile
+@@ -3,8 +3,6 @@
+ 
+ # Input variables
+ # CROSS_COMPILE: The cross compiler.
+-# OPTEE_CLIENT_EXPORT: The base directory points to optee client's
+-#		       header files and libraries
+ # O: The base directory for build objects filetree.
+ 
+ CC ?= $(CROSS_COMPILE)gcc
+@@ -12,10 +10,9 @@ LD ?= $(CROSS_COMPILE)ld
+ STRIP ?= $(CROSS_COMPILE)strip
+ 
+ CFLAGS += -Wall -I../ta/include -I./include
+-CFLAGS += -I$(OPTEE_CLIENT_EXPORT)/include
+ CFLAGS += -fstack-protector-strong
+ LDADD += -pthread -lpthread
+-LDADD += -lteec -L$(OPTEE_CLIENT_EXPORT)/lib
++LDADD += -lteec
+ LDFLAGS := -static
+ 
+ SRCS = luks_srv_ca.c
+@@ -23,20 +20,19 @@ OBJS = $(patsubst %.c,$(O)/%.o,$(SRCS))
+ BINARY = nvluks-srv-app
+ 
+ .PHONY: all install
+-all: $(BINARY) install
++all: $(BINARY)
+ 
+ $(BINARY): $(OBJS)
+ 	$(CC) $(LDFLAGS) -o $(O)/$@ $< $(LDADD)
+-	$(STRIP) $(O)/$@
+ 
+ $(O)/%.o: %.c
+ 	mkdir -p $(O)
+ 	$(CC) $(CFLAGS) -c $< -o $@
+ 
+ install: $(BINARY)
+-	mkdir -p $(OPTEE_CLIENT_EXPORT)/sbin
+-	cp $(O)/$(BINARY) $(OPTEE_CLIENT_EXPORT)/sbin
++	install -d $(DESTDIR)$(sbindir)
++	install -m 0755 $(O)/$(BINARY) $(DESTDIR)$(sbindir)/
+ 
+ .PHONY: clean
+ clean:
+-	rm -f $(OBJS) $(O)/$(BINARY) $(OPTEE_CLIENT_EXPORT)/sbin/$(BINARY)
++	rm -f $(OBJS) $(O)/$(BINARY)
+-- 
+2.34.1
+

recipes-security/optee/optee-nvsamples_35.1.0.bb

@@ -0,0 +1,39 @@
+DESCRIPTION = "NVIDIA OP-TEE sample applications for Jetson platforms"
+HOMEPAGE = "https://developer.nvidia.com/embedded"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=6938d70d5e5d49d31049419e85bb82f8"
+
+require optee-l4t.inc
+TEGRA_SRC_SUBARCHIVE_OPTS = "--strip-components=1 optee/samples"
+
+SRC_URI += " file://0001-Update-makefiles-for-OE-builds.patch"
+
+DEPENDS += "optee-os-tadevkit optee-client"
+
+S = "${WORKDIR}/samples"
+B = "${WORKDIR}/build"
+
+EXTRA_OEMAKE += "CROSS_COMPILE=${HOST_PREFIX}"
+
+do_compile() {
+    oe_runmake -C ${S} all
+}
+do_compile[cleandirs] = "${B}"
+
+do_install() {
+    install -d ${D}${nonarch_base_libdir}/optee_armtz
+    install -m 0644 ${B}/ta/hwkey-agent/82154947-c1bc-4bdf-b89d-04f93c0ea97c.ta ${D}${nonarch_base_libdir}/optee_armtz
+    oe_runmake -C ${S}/hwkey-agent/host install DESTDIR="${D}"
+
+    install -d ${D}${includedir}/optee/early_ta/luks-srv
+    install -m 0755 ${B}/early_ta/luks-srv/b83d14a8-7128-49df-9624-35f14f65ca6c.stripped.elf ${D}${includedir}/optee/early_ta/luks-srv
+    oe_runmake -C ${S}/luks-srv/host install DESTDIR="${D}"
+}
+
+PACKAGES =+ "${PN}-luks-srv ${PN}-hwkey-agent"
+FILES:${PN}-hwkey-agent = "${nonarch_base_libdir}/optee_armtz/82154947-c1bc-4bdf-b89d-04f93c0ea97c.ta ${sbindir}/nvhwkey-app"
+FILES:${PN}-luks-srv = "${sbindir}/nvluks-srv-app"
+ALLOW_EMPTY:${PN} = "1"
+RDEPENDS:${PN} = "${PN}-luks-srv ${PN}-hwkey-agent"
+INHIBIT_SYSROOT_STRIP = "1"
+INSANE_SKIP:${PN} = "already-stripped"

recipes-security/optee/optee-os-l4t.inc

@@ -0,0 +1,49 @@
+require optee-l4t.inc
+TEGRA_SRC_SUBARCHIVE_OPTS = "--strip-components=1 optee/optee_os"
+
+LICENSE = "BSD-2-Clause & Proprietary"
+LIC_FILES_CHKSUM = " \
+    file://LICENSE;md5=2f6a2cb48b5cc5cd0bd3f87a836cb407 \
+    file://LICENSE.NVIDIA;md5=ba16bc74328d76e24af960ba01c937dc \
+"
+
+SRC_URI += "\
+    file://0001-core-link-add-no-warn-rwx-segments.patch \
+    file://0002-core-arm.mk-add-fcommon-to-cflags.patch \
+"
+
+OPTEEMACHINE ?= "invalid"
+OPTEEMACHINE:tegra ?= "tegra"
+
+OPTEE_ARCH = "null"
+OPTEE_ARCH:aarch64 = "arm64"
+
+NV_CCC_PREBUILT = ""
+NV_CCC_PREBUILT:tegra234 = "${S}/prebuilt/${OPTEE_NV_PLATFORM}/libcommon_crypto.a"
+
+S = "${WORKDIR}/optee_os"
+B = "${WORKDIR}/build"
+
+CFLAGS[unexport] = "1"
+LDFLAGS[unexport] = "1"
+CPPFLAGS[unexport] = "1"
+AS[unexport] = "1"
+LD[unexport] = "1"
+
+do_configure[noexec] = "1"
+
+EXTRA_OEMAKE += "\
+    PLATFORM=${OPTEEMACHINE} \
+    PLATFORM_FLAVOR=${OPTEE_NV_PLATFORM} \
+    CROSS_COMPILE_core=${HOST_PREFIX} \
+    CROSS_COMPILE_ta_${OPTEE_ARCH}=${HOST_PREFIX} \
+    ${@' NV_CCC_PREBUILT=${NV_CCC_PREBUILT}' if d.getVar('NV_CCC_PREBUILT') else ''} \
+"
+
+do_compile() {
+    oe_runmake -C ${S} all
+}
+do_compile[cleandirs] = "${B}"
+
+INHIBIT_PACKAGE_STRIP = "1"
+INHIBIT_SYSROOT_STRIP = "1"

recipes-security/optee/optee-os-tadevkit_3.16.0-l4t-r35.1.0.bb

@@ -0,0 +1,17 @@
+SUMMARY = "OP-TEE Trusted OS TA devkit"
+DESCRIPTION = "OP-TEE TA devkit for build TAs"
+HOMEPAGE = "https://www.op-tee.org/"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:"
+require optee-os-l4t.inc
+
+do_install() {
+    install -d ${D}${includedir}/optee/export-user_ta/
+    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
+        cp -aR $f ${D}${includedir}/optee/export-user_ta/
+    done
+    sed -i -r -e's!-f(macro|debug)-prefix-map=[^ ]+!!g' ${D}${includedir}/optee/export-user_ta/mk/conf.mk
+}
+
+FILES:${PN} = "${includedir}/optee/"
+INSANE_SKIP:${PN}-dev = "staticdev"

recipes-security/optee/optee-os/0001-core-link-add-no-warn-rwx-segments.patch

@@ -0,0 +1,61 @@
+From 2852b22fe999c96a57d017bf7cf79019b73f4d19 Mon Sep 17 00:00:00 2001
+From: Jerome Forissier <jerome.forissier@linaro.org>
+Date: Fri, 5 Aug 2022 09:48:03 +0200
+Subject: [PATCH] core: link: add --no-warn-rwx-segments
+
+binutils ld.bfd generates one RWX LOAD segment by merging several sections
+with mixed R/W/X attributes (.text, .rodata, .data). After version 2.38 it
+also warns by default when that happens [1], which breaks the build due to
+--fatal-warnings. The RWX segment is not a problem for the TEE core, since
+that information is not used to set memory permissions. Therefore, silence
+the warning.
+
+Link: [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
+Link: https://sourceware.org/bugzilla/show_bug.cgi?id=29448
+Reported-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
+Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
+Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
+---
+ core/arch/arm/kernel/link.mk | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/core/arch/arm/kernel/link.mk b/core/arch/arm/kernel/link.mk
+index 51808b8..4b18f4d 100644
+--- a/core/arch/arm/kernel/link.mk
++++ b/core/arch/arm/kernel/link.mk
+@@ -25,6 +25,7 @@ link-ldflags += -T $(link-script-pp) -Map=$(link-out-dir)/tee.map
+ link-ldflags += --sort-section=alignment
+ link-ldflags += --fatal-warnings
+ link-ldflags += --gc-sections
++link-ldflags += $(call ld-option,--no-warn-rwx-segments)
+ 
+ link-ldadd  = $(LDADD)
+ link-ldadd += $(ldflags-external)
+@@ -49,6 +50,7 @@ link-script-cppflags := \
+ 		$(cppflagscore))
+ 
+ ldargs-all_objs := -T $(link-script-dummy) --no-check-sections \
++		   $(call ld-option,--no-warn-rwx-segments) \
+ 		   $(link-objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/all_objs.o
+ $(link-out-dir)/all_objs.o: $(objs) $(libdeps) $(MAKEFILE_LIST)
+@@ -61,7 +63,8 @@ $(link-out-dir)/unpaged_entries.txt: $(link-out-dir)/all_objs.o
+ 	$(q)$(NMcore) $< | \
+ 		$(AWK) '/ ____keep_pager/ { printf "-u%s ", $$3 }' > $@
+ 
+-unpaged-ldargs = -T $(link-script-dummy) --no-check-sections --gc-sections
++unpaged-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
++		 $(call ld-option,--no-warn-rwx-segments)
+ unpaged-ldadd := $(objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/unpaged.o
+ $(link-out-dir)/unpaged.o: $(link-out-dir)/unpaged_entries.txt
+@@ -89,7 +92,8 @@ $(link-out-dir)/init_entries.txt: $(link-out-dir)/all_objs.o
+ 	$(q)$(NMcore) $< | \
+ 		$(AWK) '/ ____keep_init/ { printf "-u%s ", $$3 }' > $@
+ 
+-init-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections
++init-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
++	       $(call ld-option,--no-warn-rwx-segments)
+ init-ldadd := $(link-objs-init) $(link-out-dir)/version.o  $(link-ldadd) \
+ 	      $(libgcccore)
+ cleanfiles += $(link-out-dir)/init.o

recipes-security/optee/optee-os/0002-core-arm.mk-add-fcommon-to-cflags.patch

@@ -0,0 +1,27 @@
+From af8164d5634911d8684e193291690c23bc4e123b Mon Sep 17 00:00:00 2001
+From: Matt Madison <matt@madison.systems>
+Date: Sun, 23 Oct 2022 04:41:29 -0700
+Subject: [PATCH] core: arm.mk: add -fcommon to cflags
+
+NVIDIA's patches to the core memory management code
+introduces some global variables that require this
+flag, which is on by default in older versions.
+
+Signed-off-by: Matt Madison <matt@madison.systems>
+---
+ core/arch/arm/arm.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/arch/arm/arm.mk b/core/arch/arm/arm.mk
+index dff305b..5e7895f 100644
+--- a/core/arch/arm/arm.mk
++++ b/core/arch/arm/arm.mk
+@@ -139,7 +139,7 @@ endif
+ arm64-platform-cppflags += -DARM64=1 -D__LP64__=1
+ arm32-platform-cppflags += -DARM32=1 -D__ILP32__=1
+ 
+-platform-cflags-generic ?= -ffunction-sections -fdata-sections -pipe
++platform-cflags-generic ?= -ffunction-sections -fdata-sections -fcommon -pipe
+ platform-aflags-generic ?= -pipe
+ 
+ arm32-platform-aflags += -marm

recipes-security/optee/optee-os_3.16.0-l4t-r35.1.0.bb

@@ -0,0 +1,30 @@
+SUMMARY = "OP-TEE Trusted OS"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Trusted side of the TEE"
+HOMEPAGE = "https://www.op-tee.org/"
+
+require optee-os-l4t.inc
+
+CVE_PRODUCT = "linaro:op-tee op-tee:op-tee_os"
+
+DEPENDS += "optee-nvsamples"
+
+EXTRA_OEMAKE += "\
+    EARLY_TA_PATHS='${STAGING_INCDIR}/optee/early_ta/luks-srv/b83d14a8-7128-49df-9624-35f14f65ca6c.stripped.elf' \
+"
+
+do_install() {
+    install -d ${D}${datadir}/trusted-os
+    install -m 0644 ${B}/core/*.bin ${B}/core/tee.elf ${D}${datadir}/trusted-os/
+
+    # Install embedded TAs
+    install -d ${D}${nonarch_base_libdir}/optee_armtz
+    find ${B}/ta -name '*.ta' | while read name; do
+        install -m 444 $name ${D}${nonarch_base_libdir}/optee_armtz/
+    done
+}
+
+FILES:${PN} = "${nonarch_base_libdir}/optee_armtz"
+FILES:${PN}-dev = "${datadir}/trusted-os"
+INSANE_SKIP:${PN}-dev = "textrel"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"

recipes-security/optee/optee-test_3.16.0-l4t-r35.1.0.bb

@@ -0,0 +1,46 @@
+SUMMARY = "OP-TEE sanity testsuite"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Test suite"
+HOMEPAGE = "https://www.op-tee.org/"
+
+LICENSE = "BSD-2-Clause & GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa"
+
+require optee-l4t.inc
+
+TEGRA_SRC_SUBARCHIVE_OPTS = "--strip-components=1 optee/optee_test"
+
+DEPENDS += "optee-os-tadevkit optee-client"
+
+S = "${WORKDIR}/optee_test"
+B = "${WORKDIR}/build"
+
+EXTRA_OEMAKE += " \
+    CROSS_COMPILE_HOST=${HOST_PREFIX} \
+    CROSS_COMPILE_TA=${HOST_PREFIX} \
+    OPTEE_CLIENT_EXPORT=${STAGING_DIR_HOST}${prefix} \
+"
+
+do_compile() {
+    # Upstream recipe notes that top-level makefile has parallelism issues
+    oe_runmake -C ${S} xtest
+    oe_runmake -C ${S} ta
+    oe_runmake -C ${S} test_plugin
+}
+do_compile[cleandirs] = "${B}"
+
+do_install () {
+    install -d ${D}${bindir}
+    install -m 0755 ${B}/xtest/xtest ${D}${bindir}
+
+    install -d ${D}${nonarch_base_libdir}/optee_armtz/
+    install -m 0644 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
+    install -d ${D}${libdir}/tee-supplicant/plugins
+    install -m 0644 ${B}/supp_plugin/*.plugin ${D}${libdir}/tee-supplicant/plugins/
+}
+
+FILES:${PN} += " \
+    ${nonarch_base_libdir}/optee_armtz \
+    ${libdir}/tee-supplicant/plugins \
+"
+
+RDEPENDS:${PN} = "optee-os optee-client"

recipes-security/optee/tos-optee_35.1.0.bb

@@ -0,0 +1,43 @@
+DESCRIPTION = "Construct a trusted OS image with ATF and OP-TEE"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+require optee-l4t.inc
+
+# We only need the device tree file for this recipe
+TEGRA_SRC_SUBARCHIVE_OPTS = "optee/${SOC_FAMILY}-optee.dts"
+
+TOSIMG ?= "tos-optee_${OPTEE_NV_PLATFORM}.img"
+PREFERRED_PROVIDER_virtual/secure-os ??= ""
+PROVIDES += "trusted-os virtual/secure-os"
+TOS_IMAGE ?= "tos-${MACHINE}-${PV}-${PR}.img"
+TOS_SYMLINK ?= "tos-${MACHINE}.img"
+
+inherit deploy nopackages
+
+DEPENDS = "tegra-flashtools-native dtc-native optee-os arm-trusted-firmware"
+
+S = "${WORKDIR}/optee"
+
+do_configure[noexec] = "1"
+
+do_compile() {
+    dtc -I dts -O dtb -o ${S}/${SOC_FAMILY}-optee.dtb ${S}/${SOC_FAMILY}-optee.dts
+
+    ${PYTHON} ${STAGING_BINDIR_NATIVE}/tegra-flash/gen_tos_part_img.py --monitor ${STAGING_DATADIR}/trusted-os/bl31.bin \
+      --os ${STAGING_DATADIR}/trusted-os/tee-raw.bin \
+      --dtb ${S}/${SOC_FAMILY}-optee.dtb \
+      --tostype optee ${TOSIMG}
+} 
+
+do_install[noexec] = "1"
+
+do_deploy() {
+    install -d ${DEPLOYDIR}
+    install -m 0644 ${S}/${TOSIMG} ${DEPLOYDIR}/${TOS_IMAGE}
+    ln -sf ${TOS_IMAGE} ${DEPLOYDIR}/${TOS_SYMLINK}
+}
+
+addtask deploy before do_build after do_compile
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"