optee-os: Upgrade to lf-6.1.22-2.0.0 (3.21)

Upgrade optee-os to be aligned with NXP BSP LF6.1.22_2.0.0.

Reapply and refresh patch files.

Drop patches that provided correct sysroot. Instead, use CFLAGS{32,64}
to pass --sysroot, this option is available since optee-os 3.16.

Relevant changes:
- 1962aec95 LFOPTEE-238 drivers: ele: use the baseline API to retrieve the UID
- 7e7b93ac1 LFOPTEE-238 drivers: ele: add msb and lsb to imx_ele_buf object
- 086b65048 LF-8999 drivers: ele: disable ASLR for imx8ulp
- fa3174b61 LF-8995 drivers: ele: keystore: change global key store id
- 1ae8545a4 LF-8995 drivers: ele: disable imx_ele_global_init() if CFG_IMX_ELE_ECC_DRV is disabled
- c15e21b07 LFOPTEE-243 Rework ELE MU mapping
- fb5eaa07f drivers: ele: retain the return value in case imx_ele_generate_key(), imx_ele_signature_generate() and imx_ele_signature_verification() returns an error
- 6e706ee51 drivers: ele: change RNG command ID
- 9492fa474 LFOPTEE-242 drivers: ele: use the new derive key API for HUK generation
- 4d4bd4340 core: ls: enable CFG_PKCS11_TA
- cf2cc646a core: imx: enable CFG_PKCS11_TA
- 4c8281883 drivers: ele: fix ELE_COMMAND_SUCCEED
- 5363154ed core: imx: move tzc380.c to plat-imx
- ccf5dc690 core: imx: allow CFG_CRYPTO_DRIVER enablement for imx93evk
- 735c01acf LFOPTEE-178 drivers: ele: Change OP-TEE MU memory mapping from Secure to Non-Secure
- 093318267 LFOPTEE-178 drivers: ele: Add support for ECC operations
- fa58e94e1 LFOPTEE-178 drivers: ele: Add Generate/Delete Key APIs
- 09badc46e LFOPTEE-178 drivers: ele: Add Key Management APIs
- 0cd738b0d LFOPTEE-178 drivers: ele: Create a global key store handle for all subsequent calls
- c93839af6 LFOPTEE-178 drivers: ele: Create a global session handle for all subsequent calls
- c1b29579d LFOPTEE-178 drivers: ele: add memory management functions
- c61f273fd LFOPTEE-178 drivers: ele: getting common macros and functions in header file
- b5f423f49 LFOPTEE-178 drivers: ele: move ELE to a dedicated directory
- afa1dd7bc drivers: caam: disable CFG_CRYPTO_SM2_* when ECC CAAM driver is enabled
- c723025d5 core: imx: fix CFG_TZDRAM_START
- 80b25f59f LF-7525 drivers: dcp: do not modify DCP node status in the DTB
- 425ed1fbb LFU-368: core: imx93: enable trusted_keys as early TA
- 1924712ff LFOPTEE-85 core: plat-ls: Enabled DTB overlay feature for LS platforms
- e98f5c77d LFOPTEE-85 drivers: caam: add DTB_JR_PATH for LS platforms
- 4a98ea70c core: imx: enable attestation PTA
- a654afb61 drivers: caam: add device tree JR path for mx8ulp
- e155b164e core: imx: enable CFG_CORE_HUK_SUBKEY_COMPAT_USE_OTP_DIE_ID by default
- 3a3ddf85b core: imx: enable TZASC driver for all i.MX platforms
- 8a1984cb1 TEE-639 drivers: caam: skip JR init of CFG_JR_HAB_INDEX
- 992f6b93b LFOPTEE-17: core: plat-ls: add PTA for I2C RTC test
- 519bfab46 core: imx: disable CSU protection for the DCP
- 484138b3f core: ls: enabled CFG_ENABLE_EMBEDDED_TESTS by default
- 299d2d7ad core: imx: enabled CFG_ENABLE_EMBEDDED_TESTS by default
- e79c46c9d core: ls: enable CAAM driver by default.
- 18cca2b72 core: ls: disable CAAM for ls1088 and ls2088
- 9315f5d1e LFOPTEE-9 plat-ls: Increase heap size
- dc2ddcf86 TEE-598 core: imx: increase heap size to 128k
- 0cd1cf295 TEE-526 drivers: caam: add SDP Memory cacheability verification
- 54edf5b70 TEE-526 core: arm: retrieve SDP Memory cacheability
- d5d6e8c85 core: imx: enable CAAM driver by default
- b1b2f83cc core: imx: add resume capability to CSU driver
- 6130b501e core: imx: allow NS world to change SMP bit
- 40006fb93 core: imx: remove SC_IPC_BASE_SECURE definition
- cb115caf6 LFOPTEE-37: core_mmu_lpae: clear L2 tables and indexes
- 546ed42ac LFOPTEE-37: imx8qm: bget_malloc: reset malloc_poolset at runtime
- e8e4b9761 LFOPTEE-37: imx8qm: gic: avoid GICD re-configuration
- 5eebee811 LFOPTEE-37: plat-imx: add platforms mx8qm mek cockpit a53 and a72
- ad9310fbb pta: imx: add DEK blob encapsulation
- 9fe4ecdba drivers: caam: add secure memory and blob drivers
- 4d6df4796 core: imx: add SECMEM definitions for imx8m platforms
- c3b7c47f3 TEE-482 Add .clang-format
- c48eeb2c6 MLK-22073 core: generic_entry_a32: change L1 invalidation at secondary boot
- aa26586bf scripts: add build script for imx and ls
- f5e685f71 drivers: imx_snvs: unlock SNVS access for non-secure
- d328f3a08 drivers: caam: skip the JR device tree disablement for imx8 platforms
- 85feed23e core: imx: enable DT overlay for imx8 platforms
- ebfaab628 drivers: caam: disable job ring via DT overlay
- f4f575781 core: add device tree overlay subnode disable
- a3e52ba26 drivers: caam: rework the CAAM crypto makefile
- 3cb66cb83 core: ls: remove CFG_WITH_SOFTWARE_PRNG default definition for LS platforms
- 55af337cd core: imx: remove CFG_WITH_SOFTWARE_PRNG default definition for i.MX platforms
- f06709794 core: move CFG_WITH_SOFTWARE_PRNG default definition
- 54493021c drivers: caam: remove CFG_NXP_CAAM_ACIPHER compilation flag
- 5dec4ebbf core: crypto: give the platform configuration a higher priority
- 294f91f32 drivers: imx_scu: add resume capabilities
- 851e73b1d core: imx: add plat_cpu_wakeup_late() on arm32
- 93e8838ca TEE-272 Cortex-A9 add PL310 Linux/Optee Mutex
- 711fea086 drivers: imx_scu: move i.MX SCU driver
- b0ef56504 drivers: imx_csu: move i.MX CSU driver
- 0fc481338 drivers: imx_caam: move i.MX CAAM driver
- 3cabf823d core: imx: enable busfreq on imx6 and imx7 platforms
- 11d7fc300 core: pm: imx: export busfreq_change() function
- be238d4ac core: imx: enable the compilation of sm_platform_handler.c for busfreq
- c390bfbb5 core: imx: add busfreq SIP calls
- 9df964338 pm: imx: add power management drivers
- 70af7a82a pm: imx: add suspend source files
- 2a1a3cee8 pm: imx: add cpuidle source files
- c292e6239 pm: imx: add busfreq source files
- fc00b1f35 core: imx: enable CFG_PM_ARM32 and CFG_IMX_PM for power management
- fc0a35a03 core: imx: remove SRC and GPC functions from imx.h
- f0f51a260 core: imx: add imx7ulp registers
- a1cbd6256 core: imx: add imx7 DDRC and IOMUX registers
- ac51cdba4 core: imx: add imx6 MMDC and IOMUX registers
- d7844a1ad core: imx: add pl310_enabled()
- 3dcdade81 core: imx: remove imx_sip.h
- 1e79f969e core: imx: remove power management code for imx7 platforms
- c7b15f67e allow setting sysroot for libgcc lookup
- e8abbcfbd Update CHANGELOG for 3.21.0
- 50666c141 plat-zynqmp: fixes interrupt controller
- b031393cd core: tee_ta_instance_stats(): correct the allocation size of dump_ctx
- 32b94ed4b drivers: caam: fix MP abstraction layer functions
- 4a0740da2 drivers: caam: math: add CFG_NXP_CAAM_MATH_DRV compilation flag
- 44220a36a libtomcrypt: fix pkcs_1_v1_5_decode() when empty message
- 3fb72c226 drivers: crypto: add support for SM2_DSA_SM3
- 163a7c9e8 core: imx: remove duplicate driver_init() call
- 31b31015b build: ta: add RISC-V linker script
- de4176748 core: mm: Fix idx truncation bug
- 9eabc2b44 core: fix loading of encrypted TA
- 9901df47d core: dump_ta_memstats(): check TA initialization completion before accessing it
- 66370233e ci: se05x crypto driver: update plug-and-trust
- fb559031c drivers: se050: allow configuring the Secure Element applet
- 7723564b9 dts: stm32: add OTP index for HUK on stm32mp15 platform
- b0946e1d9 drivers: stm32mp15_huk: use DT HUK NVMEM layout API
- db8ca286e se050: ecc: SE050-F shared secret
- b300b5a37 ci: compile-test as many PTAs as possible on QEMU/QEMUv8
- eb238769a pta: attestation: fix compilation incompatible pointer warning
- 552d5e40d core: ffa: Allow multiple SPs with same UUID
- f60c6b9c1 drivers: imx_ele: add ELE driver
- 8cd1171e9 drivers: imx_mu: add MU base address and size for imx93
- 4f89aed3d drivers: imx_mu: add MU base address and size for imx8ulp
- 753e6fe4f drivers: imx_mu: increase maximum MU message size
- 088116c9c drivers: imx_mu: add support for imx93
- abbe1d51f core: spmc: move FIP SP deinit call
- 6d7c8c3d8 core: spmc: fix FIP SP loading
- 1478437e6 core: ltc: use SHA-3 crypto accelerated function
- c60ed582e core: arm64: SHAKE128 using ARMv8.2-A cryptographic extensions
- bfedef0ce core: arm64: SHA-3 using ARMv8.2-A cryptographic extensions
- 2be3770e8 core: arm64: SM4 CE optimization for ARMv8.2
- 8b5fb12e2 core: arm64: SM4-AESE optimization for ARMv8
- 2fb9e950b Revert "ci: disable QEMUv8_check_rust job"
- 557fea2de Remove checked in .checkpatch-camelcase.git.
- fdc4a8bef ldelf: syscall: support RISC-V ldelf sycall
- 28849defb libutee: increase MPI_MEMPOOL_SIZE to 14Kb
- 6e99433ed core: remove keep pager directive on core_init_mmu_regs()
- dd884cc27 plat-stm32mp1: conf: support 32bit MMU
- 1a3d47c53 clk: stm32mp15: embed clock names only in debug mode
- 41d9f6c2b libutee: add TEE_ALG_ECDSA_SHA* to TEE_ALG_GET_DIGEST_SIZE()
- 7bd215a7b core: mbedtls: ecc_get_keysize(): do not check algorithm against curve
- 9cf576a9f drivers: crypto: versal: do not use deprecated algorithm macros
- 53af8d704 drivers: crypto: se050: do not use deprecated algorithm macros
- fa40bed51 core: fix out-of-bounds access of dump_ctx
- 442c670a2 drivers: atmel_tcb: Use matrix_dt_get_id() to correctly retrieve the id
- 9a28dbc4f plat-sam: matrix: add matrix_dt_get_id() to parse matrix id from dt
- 0db298206 core: pta: imx: add manufacturing protection
- d538d2936 drivers: caam: add manufacturing protection feature
- f5c3d85a5 core: crypto: add support MD5 hashes in RSA sign/verify/cipher
- 2c9522664 core: drivers: zynqmp_csu_puf.c: increase regen time to 6ms
- 3d70a9743 core: crypto: change supported HMAC key size ranges
- 200eb7bd8 plat-totalcompute: remap console logs
- f4f85ac77 drivers: crypto: add SM2 ECC encrypt and decrypt
- 769cbbd70 drivers: crypto: add SM2 curve in crypto API
- 9655e48e7 ci: qemuv8: build with maximum log level
- 9894fdb48 ta: pkcs11: fix trace compilation warning
- a3cfa14ac drivers: caam: enable the CAAM clock when submitting a new job
- 316fd6e9c drivers: caam: add missing header file
- cd857358b core: imx: use register_ddr() to register dynamic shared memory
- 9740df775 drivers: clk: sam: remove hard coded USB clock setup
- 5ff81ad89 dts: sama5d2: add assigned-clocks properties for usb
- 90dee57ac drivers: clk: sam: export audiopll_fracck and usbck
- c0e9e857f drivers: clk: sam: add a macro for count of main clocks
- 8ac3cb374 core: drivers: crypto: caam: Check PKCS_V1_5 decryption buffer size
- 97eb91680 drivers: imx: tzc380: re-configure TZ380 upon PM resume
- 83857db53 drivers: imx: tzc380: do not dump TZASC state before lockdown
- 92f496916 drivers: imx: tzc380: add support for 8mscale platforms
- 809fa817a core: ffa: add TOS_FW_CONFIG handling

Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>

7 files changed, 216 insertions, 76 deletions

diff --git a/recipes-security/optee-imx/optee-os-fslc.inc b/recipes-security/optee-imx/optee-os-fslc.inc
index faa8c993..19ca7b3c 100644
--- a/recipes-security/optee-imx/optee-os-fslc.inc
+++ b/recipes-security/optee-imx/optee-os-fslc.inc
@@ -21,6 +21,8 @@ EXTRA_OEMAKE += " \
     PLATFORM=imx-${PLATFORM_FLAVOR} \
     CROSS_COMPILE=${HOST_PREFIX} \
     CROSS_COMPILE64=${HOST_PREFIX} \
+    CFLAGS32=--sysroot=${STAGING_DIR_HOST} \
+    CFLAGS64=--sysroot=${STAGING_DIR_HOST} \
     CFG_TEE_TA_LOG_LEVEL=0 \
     CFG_TEE_CORE_LOG_LEVEL=0 \
 "
diff --git a/recipes-security/optee-imx/optee-os/0001-core-Define-section-attributes-for-clang.patch b/recipes-security/optee-imx/optee-os/0001-core-Define-section-attributes-for-clang.patch
index 2abd78a8..8a9062f3 100644
--- a/recipes-security/optee-imx/optee-os/0001-core-Define-section-attributes-for-clang.patch
+++ b/recipes-security/optee-imx/optee-os/0001-core-Define-section-attributes-for-clang.patch
@@ -1,7 +1,7 @@
-From f189457b79989543f65b8a4e8729eff2cdf9a758 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Sat, 13 Aug 2022 19:24:55 -0700
-Subject: [PATCH] core: Define section attributes for clang
+From b73c3d2829d3661ca66b5cc6b4181f3bf973b13f Mon Sep 17 00:00:00 2001
+From: Emekcan Aras <emekcan.aras@arm.com>
+Date: Wed, 21 Dec 2022 10:55:58 +0000
+Subject: [PATCH 1/4] core: Define section attributes for clang
 
 Clang's attribute section is not same as gcc, here we need to add flags
 to sections so they can be eventually collected by linker into final
@@ -30,16 +30,21 @@ going and match the functionality with gcc.
 
 Upstream-Status: Pending
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
 ---
+
  core/arch/arm/kernel/thread.c    | 19 +++++++++++++++--
- core/arch/arm/mm/core_mmu_lpae.c | 35 ++++++++++++++++++++++++++++----
+ core/arch/arm/mm/core_mmu_lpae.c | 35 +++++++++++++++++++++++++++----
+ core/arch/arm/mm/core_mmu_v7.c   | 36 +++++++++++++++++++++++++++++---
  core/arch/arm/mm/pgt_cache.c     | 12 ++++++++++-
  core/kernel/thread.c             | 13 +++++++++++-
- 4 files changed, 71 insertions(+), 8 deletions(-)
+ 5 files changed, 104 insertions(+), 11 deletions(-)
 
+diff --git a/core/arch/arm/kernel/thread.c b/core/arch/arm/kernel/thread.c
+index 22ef932f9..7a9078d2e 100644
 --- a/core/arch/arm/kernel/thread.c
 +++ b/core/arch/arm/kernel/thread.c
-@@ -44,16 +44,31 @@ static size_t thread_user_kcode_size __n
+@@ -44,15 +44,30 @@ static size_t thread_user_kcode_size __nex_bss;
  #if defined(CFG_CORE_UNMAP_CORE_AT_EL0) && \
         defined(CFG_CORE_WORKAROUND_SPECTRE_BP_SEC) && defined(ARM64)
  long thread_user_kdata_sp_offset __nex_bss;
@@ -55,27 +60,28 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
                 SMALL_PAGE_SIZE)]
         __aligned(SMALL_PAGE_SIZE)
 +#ifndef __clang__
- #ifndef CFG_VIRTUALIZATION
+ #ifndef CFG_NS_VIRTUALIZATION
 -       __section(".nozi.kdata_page");
 +       __section(".nozi.kdata_page")
  #else
 -       __section(".nex_nozi.kdata_page");
 +       __section(".nex_nozi.kdata_page")
  #endif
- #endif
++#endif
 +    ;
 +#endif
 +
 +/* reset BSS section to default ( .bss ) */
 +#ifdef __clang__
 +#pragma clang section bss=""
-+#endif
+ #endif
  
  #ifdef ARM32
- uint32_t __nostackcheck thread_get_exceptions(void)
+diff --git a/core/arch/arm/mm/core_mmu_lpae.c b/core/arch/arm/mm/core_mmu_lpae.c
+index 6df2c68cf..a877e4965 100644
 --- a/core/arch/arm/mm/core_mmu_lpae.c
 +++ b/core/arch/arm/mm/core_mmu_lpae.c
-@@ -233,19 +233,46 @@ typedef uint16_t l1_idx_t;
+@@ -238,19 +238,46 @@ typedef uint16_t l1_idx_t;
  typedef uint64_t base_xlat_tbls_t[CFG_TEE_CORE_NB_CORE][NUM_BASE_LEVEL_ENTRIES];
  typedef uint64_t xlat_tbl_t[XLAT_TABLE_ENTRIES];
  
@@ -126,59 +132,11 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
  /*
   * TAs page table entry inside a level 1 page table.
   *
---- a/core/arch/arm/mm/pgt_cache.c
-+++ b/core/arch/arm/mm/pgt_cache.c
-@@ -410,8 +410,18 @@ void pgt_init(void)
-         * has a large alignment, while .bss has a small alignment. The current
-         * link script is optimized for small alignment in .bss
-         */
-+#ifdef __clang__
-+#pragma clang section bss=".nozi.mmu.l2"
-+#endif
-        static uint8_t pgt_tables[PGT_CACHE_SIZE][PGT_SIZE]
--                       __aligned(PGT_SIZE) __section(".nozi.pgt_cache");
-+                       __aligned(PGT_SIZE)
-+#ifndef __clang__
-+                       __section(".nozi.pgt_cache")
-+#endif
-+                       ;
-+#ifdef __clang__
-+#pragma clang section bss=""
-+#endif
-        size_t n;
- 
-        for (n = 0; n < ARRAY_SIZE(pgt_tables); n++) {
---- a/core/kernel/thread.c
-+++ b/core/kernel/thread.c
-@@ -38,13 +38,24 @@ struct thread_core_local thread_core_loc
-        name[stack_num][sizeof(name[stack_num]) / sizeof(uint32_t) - 1]
- #endif
- 
-+#define DO_PRAGMA(x) _Pragma (#x)
-+
-+#ifdef __clang__
-+#define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
-+DO_PRAGMA (clang section bss=".nozi_stack." #name) \
-+linkage uint32_t name[num_stacks] \
-+               [ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
-+                        STACK_ALIGNMENT) / sizeof(uint32_t)] \
-+               __attribute__((aligned(STACK_ALIGNMENT))); \
-+DO_PRAGMA(clang section bss="")
-+#else
- #define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
- linkage uint32_t name[num_stacks] \
-                [ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
-                         STACK_ALIGNMENT) / sizeof(uint32_t)] \
-                __attribute__((section(".nozi_stack." # name), \
-                               aligned(STACK_ALIGNMENT)))
--
-+#endif
- #define GET_STACK(stack) ((vaddr_t)(stack) + STACK_SIZE(stack))
- 
- DECLARE_STACK(stack_tmp, CFG_TEE_CORE_NB_CORE, STACK_TMP_SIZE,
+diff --git a/core/arch/arm/mm/core_mmu_v7.c b/core/arch/arm/mm/core_mmu_v7.c
+index 58596be84..98fa58635 100644
 --- a/core/arch/arm/mm/core_mmu_v7.c
 +++ b/core/arch/arm/mm/core_mmu_v7.c
-@@ -204,16 +204,46 @@ typedef uint32_t l1_xlat_tbl_t[NUM_L1_EN
+@@ -204,16 +204,46 @@ typedef uint32_t l1_xlat_tbl_t[NUM_L1_ENTRIES];
  typedef uint32_t l2_xlat_tbl_t[NUM_L2_ENTRIES];
  typedef uint32_t ul1_xlat_tbl_t[NUM_UL1_ENTRIES];
  
@@ -228,3 +186,61 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
  
  struct mmu_partition {
         l1_xlat_tbl_t *l1_table;
+diff --git a/core/arch/arm/mm/pgt_cache.c b/core/arch/arm/mm/pgt_cache.c
+index 79553c6d2..b9efdf427 100644
+--- a/core/arch/arm/mm/pgt_cache.c
++++ b/core/arch/arm/mm/pgt_cache.c
+@@ -410,8 +410,18 @@ void pgt_init(void)
+         * has a large alignment, while .bss has a small alignment. The current
+         * link script is optimized for small alignment in .bss
+         */
++#ifdef __clang__
++#pragma clang section bss=".nozi.mmu.l2"
++#endif
+        static uint8_t pgt_tables[PGT_CACHE_SIZE][PGT_SIZE]
+-                       __aligned(PGT_SIZE) __section(".nozi.pgt_cache");
++                       __aligned(PGT_SIZE)
++#ifndef __clang__
++                       __section(".nozi.pgt_cache")
++#endif
++                       ;
++#ifdef __clang__
++#pragma clang section bss=""
++#endif
+        size_t n;
+ 
+        for (n = 0; n < ARRAY_SIZE(pgt_tables); n++) {
+diff --git a/core/kernel/thread.c b/core/kernel/thread.c
+index e48294b3b..8de9064ca 100644
+--- a/core/kernel/thread.c
++++ b/core/kernel/thread.c
+@@ -38,13 +38,24 @@ struct thread_core_local thread_core_local[CFG_TEE_CORE_NB_CORE] __nex_bss;
+        name[stack_num][sizeof(name[stack_num]) / sizeof(uint32_t) - 1]
+ #endif
+ 
++#define DO_PRAGMA(x) _Pragma (#x)
++
++#ifdef __clang__
++#define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
++DO_PRAGMA (clang section bss=".nozi_stack." #name) \
++linkage uint32_t name[num_stacks] \
++               [ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
++                        STACK_ALIGNMENT) / sizeof(uint32_t)] \
++               __attribute__((aligned(STACK_ALIGNMENT))); \
++DO_PRAGMA(clang section bss="")
++#else
+ #define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
+ linkage uint32_t name[num_stacks] \
+                [ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
+                         STACK_ALIGNMENT) / sizeof(uint32_t)] \
+                __attribute__((section(".nozi_stack." # name), \
+                               aligned(STACK_ALIGNMENT)))
+-
++#endif
+ #define GET_STACK(stack) ((vaddr_t)(stack) + STACK_SIZE(stack))
+ 
+ DECLARE_STACK(stack_tmp, CFG_TEE_CORE_NB_CORE, STACK_TMP_SIZE,
+-- 
+2.40.1
+
+
diff --git a/recipes-security/optee-imx/optee-os/0002-optee-enable-clang-support.patch b/recipes-security/optee-imx/optee-os/0002-optee-enable-clang-support.patch
new file mode 100644
index 00000000..096579c0
--- /dev/null
+++ b/recipes-security/optee-imx/optee-os/0002-optee-enable-clang-support.patch
@@ -0,0 +1,34 @@
+From c67f63d4e7bbe7b21b4c9ef49ae84c6725794aa9 Mon Sep 17 00:00:00 2001
+From: Brett Warren <brett.warren@arm.com>
+Date: Wed, 23 Sep 2020 09:27:34 +0100
+Subject: [PATCH 2/4] optee: enable clang support
+
+When compiling with clang, the LIBGCC_LOCATE_CFLAG variable used
+to provide a sysroot wasn't included, which results in not locating
+compiler-rt. This is mitigated by including the variable as ammended.
+
+Upstream-Status: Pending
+ChangeId: 8ba69a4b2eb8ebaa047cb266c9aa6c2c3da45701
+Signed-off-by: Brett Warren <brett.warren@arm.com>
+Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
+---
+
+ mk/clang.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mk/clang.mk b/mk/clang.mk
+index a045beee8..1ebe2f702 100644
+--- a/mk/clang.mk
++++ b/mk/clang.mk
+@@ -30,7 +30,7 @@ comp-cflags-warns-clang := -Wno-language-extension-token \
+ 
+ # Note, use the compiler runtime library (libclang_rt.builtins.*.a) instead of
+ # libgcc for clang
+-libgcc$(sm)    := $(shell $(CC$(sm)) $(CFLAGS$(arch-bits-$(sm))) \
++libgcc$(sm)    := $(shell $(CC$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CFLAGS$(arch-bits-$(sm))) \
+                        -rtlib=compiler-rt -print-libgcc-file-name 2> /dev/null)
+ 
+ # Core ASLR relies on the executable being ready to run from its preferred load
+-- 
+2.40.1
+
diff --git a/recipes-security/optee-imx/optee-os/0010-add-note-GNU-stack-section.patch b/recipes-security/optee-imx/optee-os/0003-arm32-libutils-libutee-ta-add-.note.GNU-stack-sectio.patch
index b82aabdc..f0fac69f 100644
--- a/recipes-security/optee-imx/optee-os/0010-add-note-GNU-stack-section.patch
+++ b/recipes-security/optee-imx/optee-os/0003-arm32-libutils-libutee-ta-add-.note.GNU-stack-sectio.patch
@@ -1,7 +1,8 @@
-From ec30e84671aac9a2e9549754eb7bc6201728db4c Mon Sep 17 00:00:00 2001
+From f23fb3381422c613890f77c26d11e377234481c6 Mon Sep 17 00:00:00 2001
 From: Jerome Forissier <jerome.forissier@linaro.org>
 Date: Tue, 23 Aug 2022 12:31:46 +0000
-Subject: [PATCH] arm32: libutils, libutee, ta: add .note.GNU-stack section to
+Subject: [PATCH 3/4] arm32: libutils, libutee, ta: add .note.GNU-stack section
+ to
 
  .S files
 
@@ -24,8 +25,9 @@ Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
 
 Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
 Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5499]
-
+Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
 ---
+
  lib/libutee/arch/arm/utee_syscalls_a32.S             | 2 ++
  lib/libutils/ext/arch/arm/atomic_a32.S               | 2 ++
  lib/libutils/ext/arch/arm/mcount_a32.S               | 2 ++
@@ -35,6 +37,8 @@ Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5499]
  ta/arch/arm/ta_entry_a32.S                           | 2 ++
  7 files changed, 14 insertions(+)
 
+diff --git a/lib/libutee/arch/arm/utee_syscalls_a32.S b/lib/libutee/arch/arm/utee_syscalls_a32.S
+index 2dea83ab8..668b65a86 100644
 --- a/lib/libutee/arch/arm/utee_syscalls_a32.S
 +++ b/lib/libutee/arch/arm/utee_syscalls_a32.S
 @@ -9,6 +9,8 @@
@@ -46,6 +50,8 @@ Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5499]
          .section .text
          .balign 4
          .code 32
+diff --git a/lib/libutils/ext/arch/arm/atomic_a32.S b/lib/libutils/ext/arch/arm/atomic_a32.S
+index 2be73ffad..87ddf1065 100644
 --- a/lib/libutils/ext/arch/arm/atomic_a32.S
 +++ b/lib/libutils/ext/arch/arm/atomic_a32.S
 @@ -7,6 +7,8 @@
@@ -57,6 +63,8 @@ Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5499]
  /* uint32_t atomic_inc32(uint32_t *v); */
  FUNC atomic_inc32 , :
         ldrex   r1, [r0]
+diff --git a/lib/libutils/ext/arch/arm/mcount_a32.S b/lib/libutils/ext/arch/arm/mcount_a32.S
+index 54dc3c02d..2f24632b8 100644
 --- a/lib/libutils/ext/arch/arm/mcount_a32.S
 +++ b/lib/libutils/ext/arch/arm/mcount_a32.S
 @@ -9,6 +9,8 @@
@@ -68,6 +76,8 @@ Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5499]
  /*
   * Convert return address to call site address by subtracting the size of the
   * mcount call instruction (blx __gnu_mcount_nc).
+diff --git a/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S b/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S
+index 37ae9ec6f..bc6c48b1a 100644
 --- a/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S
 +++ b/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S
 @@ -7,6 +7,8 @@
@@ -79,6 +89,8 @@ Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5499]
  /*
   * signed ret_idivmod_values(signed quot, signed rem);
   * return quotient and remaining the EABI way (regs r0,r1)
+diff --git a/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S b/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S
+index 5c3353e2c..9fb5e0283 100644
 --- a/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S
 +++ b/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S
 @@ -7,6 +7,8 @@
@@ -90,6 +102,8 @@ Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5499]
  /*
   * __value_in_regs lldiv_t __aeabi_ldivmod( long long n, long long d)
   */
+diff --git a/lib/libutils/isoc/arch/arm/setjmp_a32.S b/lib/libutils/isoc/arch/arm/setjmp_a32.S
+index f8a0b70df..37d7cb88e 100644
 --- a/lib/libutils/isoc/arch/arm/setjmp_a32.S
 +++ b/lib/libutils/isoc/arch/arm/setjmp_a32.S
 @@ -53,6 +53,8 @@
@@ -101,6 +115,8 @@ Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5499]
  /* Arm/Thumb interworking support:
  
     The interworking scheme expects functions to use a BX instruction
+diff --git a/ta/arch/arm/ta_entry_a32.S b/ta/arch/arm/ta_entry_a32.S
+index cd9a12f9d..ccdc19928 100644
 --- a/ta/arch/arm/ta_entry_a32.S
 +++ b/ta/arch/arm/ta_entry_a32.S
 @@ -7,6 +7,8 @@
@@ -112,3 +128,6 @@ Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5499]
  /*
   * This function is the bottom of the user call stack. Mark it as such so that
   * the unwinding code won't try to go further down.
+-- 
+2.40.1
+
diff --git a/recipes-security/optee-imx/optee-os/0004-core-link-add-no-warn-rwx-segments.patch b/recipes-security/optee-imx/optee-os/0004-core-link-add-no-warn-rwx-segments.patch
new file mode 100644
index 00000000..f72d80dc
--- /dev/null
+++ b/recipes-security/optee-imx/optee-os/0004-core-link-add-no-warn-rwx-segments.patch
@@ -0,0 +1,67 @@
+From b53f5542102b8088448134202c30ca563f5b3c04 Mon Sep 17 00:00:00 2001
+From: Jerome Forissier <jerome.forissier@linaro.org>
+Date: Fri, 5 Aug 2022 09:48:03 +0200
+Subject: [PATCH 4/4] core: link: add --no-warn-rwx-segments
+
+Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
+Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5474]
+
+binutils ld.bfd generates one RWX LOAD segment by merging several sections
+with mixed R/W/X attributes (.text, .rodata, .data). After version 2.38 it
+also warns by default when that happens [1], which breaks the build due to
+--fatal-warnings. The RWX segment is not a problem for the TEE core, since
+that information is not used to set memory permissions. Therefore, silence
+the warning.
+
+Link: [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
+Link: https://sourceware.org/bugzilla/show_bug.cgi?id=29448
+Reported-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
+Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
+Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
+---
+
+ core/arch/arm/kernel/link.mk | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/core/arch/arm/kernel/link.mk b/core/arch/arm/kernel/link.mk
+index e8a518254..60e08966f 100644
+--- a/core/arch/arm/kernel/link.mk
++++ b/core/arch/arm/kernel/link.mk
+@@ -37,6 +37,7 @@ link-ldflags += --sort-section=alignment
+ link-ldflags += --fatal-warnings
+ link-ldflags += --gc-sections
+ link-ldflags += $(link-ldflags-common)
++link-ldflags += $(call ld-option,--no-warn-rwx-segments)
+ 
+ link-ldadd  = $(LDADD)
+ link-ldadd += $(ldflags-external)
+@@ -61,6 +62,7 @@ link-script-cppflags := \
+                $(cppflagscore))
+ 
+ ldargs-all_objs := -T $(link-script-dummy) --no-check-sections \
++                  $(call ld-option,--no-warn-rwx-segments) \
+                   $(link-ldflags-common) \
+                   $(link-objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/all_objs.o
+@@ -75,7 +77,7 @@ $(link-out-dir)/unpaged_entries.txt: $(link-out-dir)/all_objs.o
+                $(AWK) '/ ____keep_pager/ { printf "-u%s ", $$3 }' > $@
+ 
+ unpaged-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
+-                $(link-ldflags-common)
++                $(link-ldflags-common) $(call ld-option,--no-warn-rwx-segments)
+ unpaged-ldadd := $(objs) $(link-ldadd) $(libgcccore)
+ cleanfiles += $(link-out-dir)/unpaged.o
+ $(link-out-dir)/unpaged.o: $(link-out-dir)/unpaged_entries.txt
+@@ -104,7 +106,7 @@ $(link-out-dir)/init_entries.txt: $(link-out-dir)/all_objs.o
+                $(AWK) '/ ____keep_init/ { printf "-u%s ", $$3 }' > $@
+ 
+ init-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
+-              $(link-ldflags-common)
++              $(link-ldflags-common) $(call ld-option,--no-warn-rwx-segments)
+ init-ldadd := $(link-objs-init) $(link-out-dir)/version.o  $(link-ldadd) \
+              $(libgcccore)
+ cleanfiles += $(link-out-dir)/init.o
+-- 
+2.40.1
+
diff --git a/recipes-security/optee-imx/optee-os_3.19.0.imx.bb b/recipes-security/optee-imx/optee-os_3.19.0.imx.bb
deleted file mode 100644
index aec204c6..00000000
--- a/recipes-security/optee-imx/optee-os_3.19.0.imx.bb
+++ /dev/null
@@ -1,10 +0,0 @@
-# Copyright (C) 2017-2021 NXP
-
-require optee-os-fslc-imx.inc
-
-SRC_URI += "file://0001-core-Define-section-attributes-for-clang.patch \
-            file://0006-allow-setting-sysroot-for-libgcc-lookup.patch \
-            file://0007-allow-setting-sysroot-for-clang.patch \
-            file://0010-add-note-GNU-stack-section.patch"
-SRCBRANCH = "lf-6.1.1_1.0.0"
-SRCREV = "ad4e8389bb2c38efe39853925eec571ac778c575"
diff --git a/recipes-security/optee-imx/optee-os_3.21.0.imx.bb b/recipes-security/optee-imx/optee-os_3.21.0.imx.bb
new file mode 100644
index 00000000..f158441f
--- /dev/null
+++ b/recipes-security/optee-imx/optee-os_3.21.0.imx.bb
@@ -0,0 +1,12 @@
+# Copyright (C) 2017-2021 NXP
+
+require optee-os-fslc-imx.inc
+
+SRC_URI += " \
+    file://0001-core-Define-section-attributes-for-clang.patch \
+    file://0002-optee-enable-clang-support.patch \
+    file://0003-arm32-libutils-libutee-ta-add-.note.GNU-stack-sectio.patch \
+    file://0004-core-link-add-no-warn-rwx-segments.patch \
+"
+SRCBRANCH = "lf-6.1.22_2.0.0"
+SRCREV = "1962aec9581760803b1485d455cd62cb11c14870"