30 files changed, 471 insertions, 650 deletions
diff --git a/recipes-security/optee-imx/optee-client-fslc-imx.inc b/recipes-security/optee-imx/optee-client-fslc-imx.inc
index 60e9e1fa5..7aeff9fd5 100644
--- a/recipes-security/optee-imx/optee-client-fslc-imx.inc
+++ b/recipes-security/optee-imx/optee-client-fslc-imx.inc
@@ -1,7 +1,36 @@
-# Copyright 2017-2024 NXP
+# Copied from meta-imx/meta-imx-bsp/recipes-security/optee/optee-client-imx.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L37
 require optee-client-fslc.inc
-SRC_URI += "git://github.com/nxp-imx/imx-optee-client.git;protocol=https;branch=${SRCBRANCH}"
+DEPENDS += "util-linux-libuuid"
-COMPATIBLE_MACHINE = "(imx-nxp-bsp)"
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-client:"
+SRC_URI:remove = "git://github.com/OP-TEE/optee_client.git;branch=master;protocol=https"
+SRC_URI:prepend = "${OPTEE_CLIENT_SRC};branch=${SRCBRANCH} "
+OPTEE_CLIENT_SRC ?= "git://github.com/nxp-imx/imx-optee-client.git;protocol=https"
+inherit pkgconfig
+EXTRA_OECMAKE += "-DCFG_TEE_CLIENT_LOAD_PATH=${nonarch_base_libdir}"
+# Copy the udev rule from the libts recipe for starting tee-supplicant@.service
+SRC_URI += "file://tee-udev.rules"
+# Unix group name for dev/tee* ownership.
+TEE_GROUP_NAME ?= "teeclnt"
+do_install:append () {
+    if ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', 'false', 'true', d)}; then
+        install -d ${D}${nonarch_base_libdir}/udev/rules.d/
+        install -m 755 ${UNPACKDIR}/tee-udev.rules ${D}${nonarch_base_libdir}/udev/rules.d/
+        sed -i -e "s/teeclnt/${TEE_GROUP_NAME}/" ${D}${nonarch_base_libdir}/udev/rules.d/tee-udev.rules
+    fi
+    if [ "${libdir}" != "${nonarch_base_libdir}" ]; then
+        rm -rf ${D}${libdir}/systemd
+    fi
+}
+inherit ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', '', 'useradd', d)}
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "--system ${TEE_GROUP_NAME}"
+FILES:${PN} += "${libdir}/* ${includedir}/*"
diff --git a/recipes-security/optee-imx/optee-client-fslc.inc b/recipes-security/optee-imx/optee-client-fslc.inc
index f55f0ab24..2c1a0f450 100644
--- a/recipes-security/optee-imx/optee-client-fslc.inc
+++ b/recipes-security/optee-imx/optee-client-fslc.inc
@@ -1,42 +1,41 @@
-# Copyright 2017-2024 NXP
+# Copied from meta-arm/recipes-security/optee/optee-client.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L30
+SUMMARY = "OP-TEE Client API"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Normal World Client side of the TEE"
+HOMEPAGE = "https://www.op-tee.org/"
-SUMMARY = "OPTEE Client libs"
-HOMEPAGE = "http://www.optee.org/"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b"
-SRC_URI = "file://tee-supplicant.service"
+inherit systemd update-rc.d cmake
-S = "${WORKDIR}/git"
-B = "${WORKDIR}/build"
-inherit python3native systemd features_check pkgconfig
-DEPENDS = "util-linux-libuuid"
-REQUIRED_MACHINE_FEATURES = "optee"
-SYSTEMD_SERVICE:${PN} = "tee-supplicant.service"
+SRC_URI = " \
+    git://github.com/OP-TEE/optee_client.git;branch=master;protocol=https \
-EXTRA_OEMAKE = " \
+    file://tee-supplicant@.service \
-        -C ${S} O=${B} \
+    file://tee-supplicant.sh \
 "
-do_install () {
+UPSTREAM_CHECK_GITTAGREGEX = "^(?P<pver>\d+(\.\d+)+)$"
-        oe_runmake -C ${S} install
-        install -D -p -m0644 ${B}/export/usr/lib/libteec.so.2.0.0 ${D}${libdir}/libteec.so.2.0.0
+EXTRA_OECMAKE = " \
-        ln -sf libteec.so.2.0.0 ${D}${libdir}/libteec.so.2
+    -DBUILD_SHARED_LIBS=ON \
-        ln -sf libteec.so.2.0.0 ${D}${libdir}/libteec.so
+    -DCFG_TEE_FS_PARENT_PATH='${localstatedir}/lib/tee' \
+"
+EXTRA_OECMAKE:append:toolchain-clang = " -DCFG_WERROR=0"
-        install -D -p -m0644 ${B}/export/usr/lib/libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0.1.0
+do_install:append() {
-        ln -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0
+    install -D -p -m0644 ${UNPACKDIR}/tee-supplicant@.service ${D}${systemd_system_unitdir}/tee-supplicant@.service
-        ln -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so
+    install -D -p -m0755 ${UNPACKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant
-        install -D -p -m0755 ${B}/export/usr/sbin/tee-supplicant ${D}${bindir}/tee-supplicant
+    sed -i -e s:@sysconfdir@:${sysconfdir}:g \
+           -e s:@sbindir@:${sbindir}:g \
+              ${D}${systemd_system_unitdir}/tee-supplicant@.service \
+              ${D}${sysconfdir}/init.d/tee-supplicant
+}
-        cp -a ${B}/export/usr/include ${D}${includedir}
+SYSTEMD_SERVICE:${PN} = "tee-supplicant@.service"
-        sed -i -e s:/etc:${sysconfdir}:g -e s:/usr/bin:${bindir}:g ${UNPACKDIR}/tee-supplicant.service
+INITSCRIPT_PACKAGES = "${PN}"
-        install -D -p -m0644 ${UNPACKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service
+INITSCRIPT_NAME:${PN} = "tee-supplicant"
-}
+INITSCRIPT_PARAMS:${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ."
diff --git a/recipes-security/optee-imx/optee-client/tee-supplicant.service b/recipes-security/optee-imx/optee-client/tee-supplicant.service
deleted file mode 100644
index 0e2b4f6ba..000000000
--- a/recipes-security/optee-imx/optee-client/tee-supplicant.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=TEE Supplicant
-[Service]
-User=root
-EnvironmentFile=-/etc/default/tee-supplicant
-ExecStart=/usr/bin/tee-supplicant $OPTARGS
-[Install]
-WantedBy=basic.target
diff --git a/recipes-security/optee-imx/optee-client/tee-supplicant.sh b/recipes-security/optee-imx/optee-client/tee-supplicant.sh
new file mode 100644
index 000000000..b4d219502
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client/tee-supplicant.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+# Source function library
+. /etc/init.d/functions
+NAME=tee-supplicant
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DESC="OP-TEE Supplicant"
+DAEMON=@sbindir@/$NAME
+test -f $DAEMON || exit 0
+test -f @sysconfdir@/default/$NAME && . @sysconfdir@/default/$NAME
+test -f @sysconfdir@/default/rcS && . @sysconfdir@/default/rcS
+SSD_OPTIONS="--oknodo --quiet --exec $DAEMON -- -d $OPTARGS"
+set -e
+case $1 in
+    start)
+            echo -n "Starting $DESC: "
+            start-stop-daemon --start $SSD_OPTIONS
+        echo "${DAEMON##*/}."
+        ;;
+    stop)
+            echo -n "Stopping $DESC: "
+            start-stop-daemon --stop $SSD_OPTIONS
+        echo "${DAEMON##*/}."
+        ;;
+    restart|force-reload)
+            $0 stop
+            sleep 1
+            $0 start
+        ;;
+    status)
+        status ${DAEMON} || exit $?
+        ;;
+    *)
+        echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
+        exit 1
+        ;;
+esac
+exit 0
diff --git a/recipes-security/optee-imx/optee-client/tee-supplicant@.service b/recipes-security/optee-imx/optee-client/tee-supplicant@.service
new file mode 100644
index 000000000..72c0b9aa5
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client/tee-supplicant@.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=TEE Supplicant on %i
+[Service]
+User=root
+EnvironmentFile=-@sysconfdir@/default/tee-supplicant
+ExecStart=@sbindir@/tee-supplicant $OPTARGS
+[Install]
+WantedBy=basic.target
diff --git a/recipes-security/optee-imx/optee-client/tee-udev.rules b/recipes-security/optee-imx/optee-client/tee-udev.rules
new file mode 100644
index 000000000..43fafd8c9
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client/tee-udev.rules
@@ -0,0 +1,7 @@
+# tee devices can only be accessed by the teeclnt group members
+KERNEL=="tee[0-9]*", TAG+="systemd", MODE="0660", GROUP="teeclnt"
+# If a /dev/teepriv[0-9]* device is detected, start an instance of
+# tee-supplicant.service with the device name as parameter
+KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="tee", \
+    TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"
diff --git a/recipes-security/optee-imx/optee-client_4.2.0.imx.bb b/recipes-security/optee-imx/optee-client_4.2.0.imx.bb
deleted file mode 100644
index 64b49b752..000000000
--- a/recipes-security/optee-imx/optee-client_4.2.0.imx.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-require optee-client-fslc-imx.inc
-SRCBRANCH = "lf-6.6.23_2.0.0"
-SRCREV = "3eac340a781c00ccd61b151b0e9c22a8c6e9f9f0" 
-DEPENDS += "util-linux"
-EXTRA_OEMAKE += "PKG_CONFIG=pkg-config"
diff --git a/recipes-security/optee-imx/optee-client_4.4.0.imx.bb b/recipes-security/optee-imx/optee-client_4.4.0.imx.bb
new file mode 100644
index 000000000..322f998fc
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client_4.4.0.imx.bb
@@ -0,0 +1,4 @@
+require optee-client-fslc-imx.inc
+SRCBRANCH = "lf-6.6.52_2.2.0"
+SRCREV = "d221676a58b305bddbf97db00395205b3038de8e"
diff --git a/recipes-security/optee-imx/optee-fslc.inc b/recipes-security/optee-imx/optee-fslc.inc
index 6c96dc2bc..c89746dc4 100644
--- a/recipes-security/optee-imx/optee-fslc.inc
+++ b/recipes-security/optee-imx/optee-fslc.inc
@@ -1,26 +1,40 @@
-HOMEPAGE = "http://www.optee.org/"
+# Copied from meta-arm/recipes-security/optee/optee.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L30
-inherit python3native features_check
+UPSTREAM_CHECK_GITTAGREGEX = "^(?P<pver>\d+(\.\d+)+)$"
-REQUIRED_MACHINE_FEATURES = "optee"
+COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE:qemuarm64 ?= "qemuarm64"
+COMPATIBLE_MACHINE:qemuarm ?= "qemuarm"
+# Please add supported machines below or set it in .bbappend or .conf
-DEPENDS = "python3-cryptography-native"
+OPTEEMACHINE ?= "${MACHINE}"
+OPTEEMACHINE:aarch64:qemuall ?= "vexpress-qemu_armv8a"
+OPTEEMACHINE:arm:qemuall ?= "vexpress-qemu_virt"
-S = "${WORKDIR}/git"
+OPTEE_ARCH = "null"
-B = "${WORKDIR}/build"
+OPTEE_ARCH:arm = "arm32"
-OPTEE_ARCH:arm     = "arm32"
 OPTEE_ARCH:aarch64 = "arm64"
+OPTEE_CORE = "${@d.getVar('OPTEE_ARCH').upper()}"
+OPTEE_TOOLCHAIN = "${@d.getVar('TOOLCHAIN') or 'gcc'}"
+OPTEE_COMPILER = "${@bb.utils.contains("BBFILE_COLLECTIONS", "clang-layer", "${OPTEE_TOOLCHAIN}", "gcc", d)}"
-COMPILER ?= "gcc"
+# Set here but not passed to EXTRA_OEMAKE by default as that breaks
-COMPILER:toolchain-clang = "clang"
+# the optee-os build
+TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
+EXTRA_OEMAKE += "V=1 \
+                 LIBGCC_LOCATE_CFLAGS='${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}' \
+                 COMPILER=${OPTEE_COMPILER} \
+                 OPTEE_CLIENT_EXPORT=${STAGING_DIR_HOST}${prefix} \
+                 TEEC_EXPORT=${STAGING_DIR_HOST}${prefix} \
+                "
+# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
+# right path until this is relocated automatically.
+export OPENSSL_MODULES = "${STAGING_LIBDIR_NATIVE}/ossl-modules"
 CFLAGS += "--sysroot=${STAGING_DIR_HOST}"
-CXXFLAGS += "--sysroot=${STAGING_DIR_HOST}"
+# See the rationale in https://github.com/f-secure-foundry/advisories/blob/master/Security_Advisory-Ref_FSC-HWSEC-VR2021-0001-OP-TEE_TrustZone_bypass.txt.
-EXTRA_OEMAKE = " \
+CVE_STATUS[CVE-2021-36133] = "disputed: devices shipped open for development purposes"
-    COMPILER=${COMPILER} \
-    OPENSSL_MODULES=${STAGING_LIBDIR_NATIVE}/ossl-modules \
-    OPTEE_CLIENT_EXPORT=${STAGING_DIR_HOST}${exec_prefix} \
-    -C ${S} O=${B} \
-"
diff --git a/recipes-security/optee-imx/optee-os-common-fslc-imx.inc b/recipes-security/optee-imx/optee-os-common-fslc-imx.inc
new file mode 100644
index 000000000..941182fe9
--- /dev/null
+++ b/recipes-security/optee-imx/optee-os-common-fslc-imx.inc
@@ -0,0 +1,62 @@
+# Copied from meta-imx/meta-imx-bsp/recipes-security/optee/optee-os-common-imx.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L37
+require optee-os-fslc.inc
+DEPENDS:append:arm = "u-boot-mkimage-native"
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:"
+SRC_URI:remove = "git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https"
+SRC_URI:prepend = "${OPTEE_OS_SRC};branch=${SRCBRANCH} "
+SRC_URI:append = " file://0007-allow-setting-sysroot-for-clang.patch"
+SRC_URI:remove = "file://0001-allow-setting-sysroot-for-libgcc-lookup.patch \
+                  file://0002-optee-enable-clang-support.patch \
+                  file://0003-core-link-add-no-warn-rwx-segments.patch"
+OPTEE_OS_SRC ?= "git://github.com/nxp-imx/imx-optee-os.git;protocol=https"
+inherit features_check
+REQUIRED_MACHINE_FEATURES = "optee"
+OPTEEMACHINE                   = "imx-${@d.getVar('MACHINE')[1:]}"
+OPTEEMACHINE:imx6qpdlsolox     = "imx-mx6qsabresd"
+OPTEEMACHINE:mx6ul-nxp-bsp     = "imx-mx6ulevk"
+OPTEEMACHINE:mx6ull-nxp-bsp    = "imx-mx6ullevk"
+OPTEEMACHINE:mx6ulz-nxp-bsp    = "imx-mx6ulzevk"
+OPTEEMACHINE:mx8mq-nxp-bsp     = "imx-mx8mqevk"
+OPTEEMACHINE:mx8mm-nxp-bsp     = "imx-mx8mmevk"
+OPTEEMACHINE:mx8mn-nxp-bsp     = "imx-mx8mnevk"
+OPTEEMACHINE:mx8mp-nxp-bsp     = "imx-mx8mpevk"
+OPTEEMACHINE:mx8mpul-nxp-bsp   = "imx-mx8mpevk"
+OPTEEMACHINE:mx8qm-nxp-bsp     = "imx-mx8qmmek"
+OPTEEMACHINE:mx8qxp-nxp-bsp    = "imx-mx8qxpmek"
+OPTEEMACHINE:mx8dx-nxp-bsp     = "imx-mx8dxmek"
+OPTEEMACHINE:mx8dxl-nxp-bsp    = "imx-mx8dxlevk"
+OPTEEMACHINE:mx8mnul-nxp-bsp   = "imx-mx8mnevk"
+OPTEEMACHINE:mx8ulp-nxp-bsp    = "imx-mx8ulpevk"
+OPTEEMACHINE:mx91-nxp-bsp      = "imx-mx91evk"
+OPTEEMACHINE:mx93-nxp-bsp      = "imx-mx93evk"
+OPTEEMACHINE:mx95-nxp-bsp      = "imx-mx95evk"
+# Strip the leading imx-
+PLATFORM_FLAVOR = "${@d.getVar('OPTEEMACHINE')[4:]}"
+EXTRA_OEMAKE:append = " \
+    CFG_TEE_TA_LOG_LEVEL=0 \
+    CFG_TEE_CORE_LOG_LEVEL=0 \
+"
+EXTRA_OEMAKE:append:imx8mq-lpddr4-wevk = " \
+    CFG_CORE_LARGE_PHYS_ADDR=y \
+    CFG_CORE_ARM64_PA_BITS=36 \
+    CFG_DDR_SIZE=0x100000000 \
+    CFG_TZDRAM_START=0xfe000000 \
+"
+EXTRA_OEMAKE:append:imx8dxlb0-fips-lpddr4-evk = " \
+    CFG_NXP_CAAM=n \
+"
+COMPATIBLE_MACHINE = "(imx-nxp-bsp)"
diff --git a/recipes-security/optee-imx/optee-os-fslc-imx.inc b/recipes-security/optee-imx/optee-os-fslc-imx.inc
index 6b72e8277..5fe6a75a5 100644
--- a/recipes-security/optee-imx/optee-os-fslc-imx.inc
+++ b/recipes-security/optee-imx/optee-os-fslc-imx.inc
@@ -1,26 +1,26 @@
-require optee-os-fslc.inc
+# Copied from meta-imx/meta-imx-bsp/recipes-security/optee/optee-os-imx.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L37
-SRC_URI = "git://github.com/nxp-imx/imx-optee-os.git;protocol=https;branch=${SRCBRANCH}"
+require optee-os-common-fslc-imx.inc
-# The platform flavor corresponds to the Yocto machine without the leading 'i'.
+do_compile:arm() {
-PLATFORM_FLAVOR                   = "${@d.getVar('MACHINE')[1:]}"
+    oe_runmake -C ${S} all uTee
-PLATFORM_FLAVOR:imx6qdlsabresd    = "mx6qsabresd"
+}
-PLATFORM_FLAVOR:imx6qdlsabreauto  = "mx6qsabreauto"
-PLATFORM_FLAVOR:imx6qpdlsolox     = "mx6qsabresd"
-PLATFORM_FLAVOR:mx6ul-nxp-bsp     = "mx6ulevk"
-PLATFORM_FLAVOR:mx6ull-nxp-bsp    = "mx6ullevk"
-PLATFORM_FLAVOR:mx6ulz-nxp-bsp    = "mx6ulzevk"
-PLATFORM_FLAVOR:mx8mq-nxp-bsp     = "mx8mqevk"
-PLATFORM_FLAVOR:mx8mm-nxp-bsp     = "mx8mmevk"
-PLATFORM_FLAVOR:mx8mn-nxp-bsp     = "mx8mnevk"
-PLATFORM_FLAVOR:mx8mnul-nxp-bsp   = "mx8mnevk"
-PLATFORM_FLAVOR:mx8mp-nxp-bsp     = "mx8mpevk"
-PLATFORM_FLAVOR:mx8mpul-nxp-bsp   = "mx8mpevk"
-PLATFORM_FLAVOR:mx8qm-nxp-bsp     = "mx8qmmek"
-PLATFORM_FLAVOR:mx8qxp-nxp-bsp    = "mx8qxpmek"
-PLATFORM_FLAVOR:mx8dx-nxp-bsp     = "mx8dxmek"
-PLATFORM_FLAVOR:mx8dxl-nxp-bsp    = "mx8dxlevk"
-PLATFORM_FLAVOR:mx8ulp-nxp-bsp    = "mx8ulpevk"
-PLATFORM_FLAVOR:mx93-nxp-bsp      = "mx93evk"
-COMPATIBLE_MACHINE = "(imx-nxp-bsp)"
+do_install:append () {
+    # Install embedded TAs
+    install -d ${D}${nonarch_base_libdir}/optee_armtz/
+    install -m 444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
+}
+do_deploy:append() {
+    cp ${B}/core/tee-raw.bin ${DEPLOYDIR}/${MLPREFIX}optee/tee.${PLATFORM_FLAVOR}.bin
+    ln -sf ${MLPREFIX}optee/tee.${PLATFORM_FLAVOR}.bin ${DEPLOYDIR}/tee.bin
+}
+do_deploy:append:arm() {
+    cp ${B}/core/uTee ${DEPLOYDIR}/${MLPREFIX}optee/uTee-${OPTEE_BIN_EXT}
+    ln -sf ${MLPREFIX}optee/uTee-${OPTEE_BIN_EXT} ${DEPLOYDIR}/uTee-${OPTEE_BIN_EXT}
+}
+FILES:${PN} += "${nonarch_base_libdir}/optee_armtz"
diff --git a/recipes-security/optee-imx/optee-os-fslc.inc b/recipes-security/optee-imx/optee-os-fslc.inc
index b91a55311..56c0f3e12 100644
--- a/recipes-security/optee-imx/optee-os-fslc.inc
+++ b/recipes-security/optee-imx/optee-os-fslc.inc
@@ -1,87 +1,85 @@
-# Copyright (C) 2017-2021 NXP
+# Copied from meta-arm/recipes-security/optee/optee-os.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L30
+SUMMARY = "OP-TEE Trusted OS"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Trusted side of the TEE"
+HOMEPAGE = "https://www.op-tee.org/"
-SUMMARY = "OPTEE OS"
-DESCRIPTION = "OPTEE OS"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173"
+inherit deploy python3native
 require optee-fslc.inc
-DEPENDS += "python3-pyelftools-native u-boot-mkimage-native"
+CVE_PRODUCT = "linaro:op-tee op-tee:op-tee_os"
+DEPENDS = "python3-pyelftools-native python3-cryptography-native"
 DEPENDS:append:toolchain-clang = " compiler-rt"
-inherit deploy autotools
+SRC_URI = "git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https"
-# Optee-os can be built for 32 bits and 64 bits at the same time
+B = "${WORKDIR}/build"
-# as long as the compilers are correctly defined.
-# For 64bits, CROSS_COMPILE64 must be set
-# When defining CROSS_COMPILE and CROSS_COMPILE64, we assure that
-# any 32 or 64 bits builds will pass
-EXTRA_OEMAKE += " \
-    PLATFORM=imx-${PLATFORM_FLAVOR} \
-    CROSS_COMPILE=${HOST_PREFIX} \
-    CROSS_COMPILE64=${HOST_PREFIX} \
-    CFLAGS32=--sysroot=${STAGING_DIR_HOST} \
-    CFLAGS64=--sysroot=${STAGING_DIR_HOST} \
-    CFG_TEE_TA_LOG_LEVEL=0 \
-    CFG_TEE_CORE_LOG_LEVEL=0 \
-"
-EXTRA_OEMAKE:append:imx8mq-lpddr4-wevk = " \
+EXTRA_OEMAKE += " \
-    CFG_CORE_LARGE_PHYS_ADDR=y \
+    PLATFORM=${OPTEEMACHINE} \
-    CFG_CORE_ARM64_PA_BITS=36 \
+    CFG_${OPTEE_CORE}_core=y \
-    CFG_DDR_SIZE=0x100000000 \
+    CROSS_COMPILE_core=${HOST_PREFIX} \
-    CFG_TZDRAM_START=0xfe000000 \
+    CROSS_COMPILE_ta_${OPTEE_ARCH}=${HOST_PREFIX} \
+    NOWERROR=1 \
+    ta-targets=ta_${OPTEE_ARCH} \
+    O=${B} \
 "
+EXTRA_OEMAKE += " HOST_PREFIX=${HOST_PREFIX}"
+EXTRA_OEMAKE += " CROSS_COMPILE64=${HOST_PREFIX}"
 LDFLAGS[unexport] = "1"
 CPPFLAGS[unexport] = "1"
 AS[unexport] = "1"
 LD[unexport] = "1"
-do_configure[noexec] = "1"
 do_compile:prepend() {
-    PLAT_LIBGCC_PATH=$(${CC} -print-libgcc-file-name)
+        PLAT_LIBGCC_PATH=$(${CC} -print-libgcc-file-name)
 }
-do_compile:arm () {
+do_compile() {
-    oe_runmake all uTee
+    oe_runmake -C ${S} all
-}
-do_compile:aarch64 () {
-    oe_runmake all
 }
 do_compile[cleandirs] = "${B}"
-do_deploy () {
+do_install() {
-    install -d ${DEPLOYDIR}
+    #install core in firmware
-    cp ${B}/core/tee-raw.bin ${DEPLOYDIR}/tee.${PLATFORM_FLAVOR}.bin
+    install -d ${D}${nonarch_base_libdir}/firmware/
-    ln -sf tee.${PLATFORM_FLAVOR}.bin ${DEPLOYDIR}/tee.bin
+    install -m 644 ${B}/core/*.bin ${B}/core/tee.elf ${D}${nonarch_base_libdir}/firmware/
-}
-do_deploy:append:arm () {
+    #install tas in optee_armtz
-    cp ${B}/core/uTee ${DEPLOYDIR}/uTee-${OPTEE_BIN_EXT}
+    install -d ${D}${nonarch_base_libdir}/optee_armtz/
+    install -m 444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz
 }
-do_install () {
+PACKAGE_ARCH = "${MACHINE_ARCH}"
-    install -d ${D}${nonarch_base_libdir}/firmware/
-    install -m 644 ${B}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
-    # Install embedded TAs
+do_deploy() {
-    install -d ${D}${nonarch_base_libdir}/optee_armtz/
+    install -d ${DEPLOYDIR}/${MLPREFIX}optee
-    install -m 444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
+    install -m 644 ${D}${nonarch_base_libdir}/firmware/* ${DEPLOYDIR}/${MLPREFIX}optee
-    # Install the TA devkit
+    install -d ${DEPLOYDIR}/${MLPREFIX}optee/ta
-    install -d ${D}${includedir}/optee/export-user_ta_${OPTEE_ARCH}/
+    install -m 644 ${B}/ta/*/*.elf ${DEPLOYDIR}/${MLPREFIX}optee/ta
-    cp -aR ${B}/export-ta_${OPTEE_ARCH}/* \
-        ${D}${includedir}/optee/export-user_ta_${OPTEE_ARCH}/
 }
-addtask deploy after do_compile before do_install
+addtask deploy before do_build after do_install
-FILES:${PN} = "${nonarch_base_libdir}/firmware/ ${nonarch_base_libdir}/optee_armtz/"
+SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
-FILES:${PN}-staticdev = "${includedir}/optee/"
-RDEPENDS:${PN}-dev += "${PN}-staticdev"
+PACKAGES += "${PN}-ta"
+FILES:${PN} = "${nonarch_base_libdir}/firmware/"
+FILES:${PN}-ta = "${nonarch_base_libdir}/optee_armtz/*"
+# note: "textrel" is not triggered on all archs
+INSANE_SKIP:${PN} = "textrel"
+# Build paths are currently embedded
+INSANE_SKIP:${PN} += "buildpaths"
+INSANE_SKIP:${PN}-dev = "staticdev"
+INHIBIT_PACKAGE_STRIP = "1"
-PACKAGE_ARCH = "${MACHINE_ARCH}"
diff --git a/recipes-security/optee-imx/optee-os-tadevkit-fslc-imx.inc b/recipes-security/optee-imx/optee-os-tadevkit-fslc-imx.inc
new file mode 100644
index 000000000..18cf9a374
--- /dev/null
+++ b/recipes-security/optee-imx/optee-os-tadevkit-fslc-imx.inc
@@ -0,0 +1,27 @@
+# Copied from meta-imx/meta-imx-bsp/recipes-security/optee/optee-os-tadevkit-imx.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L37
+require optee-os-common-fslc-imx.inc
+SUMMARY = "OP-TEE Trusted OS TA devkit"
+DESCRIPTION = "OP-TEE TA devkit for build TAs"
+HOMEPAGE = "https://www.op-tee.org/"
+DEPENDS += "python3-pycryptodome-native"
+do_install() {
+    #install TA devkit
+    install -d ${D}${includedir}/optee/export-user_ta/
+    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
+        cp -aR $f ${D}${includedir}/optee/export-user_ta/
+    done
+}
+do_deploy() {
+        echo "Do not inherit do_deploy from optee-os."
+}
+FILES:${PN} = "${includedir}/optee/"
+# Build paths are currently embedded
+INSANE_SKIP:${PN}-dev += "buildpaths"
diff --git a/recipes-security/optee-imx/optee-os-tadevkit_4.4.0.imx.bb b/recipes-security/optee-imx/optee-os-tadevkit_4.4.0.imx.bb
new file mode 100644
index 000000000..bb2e2cf6b
--- /dev/null
+++ b/recipes-security/optee-imx/optee-os-tadevkit_4.4.0.imx.bb
@@ -0,0 +1,4 @@
+require optee-os-tadevkit-fslc-imx.inc
+SRCBRANCH = "lf-6.6.52_2.2.0"
+SRCREV = "60beb308810f9561a67fdb435388a64c85eb6dcb"
diff --git a/recipes-security/optee-imx/optee-os/0001-core-Define-section-attributes-for-clang.patch b/recipes-security/optee-imx/optee-os/0001-core-Define-section-attributes-for-clang.patch
deleted file mode 100644
index 54fbe5419..000000000
--- a/recipes-security/optee-imx/optee-os/0001-core-Define-section-attributes-for-clang.patch
+++ /dev/null
@@ -1,245 +0,0 @@
-From ef83625c9a5f50610e25aa860c4b9c5e64723a66 Mon Sep 17 00:00:00 2001
-From: Emekcan Aras <emekcan.aras@arm.com>
-Date: Wed, 21 Dec 2022 10:55:58 +0000
-Subject: [PATCH 1/4] core: Define section attributes for clang
-Clang's attribute section is not same as gcc, here we need to add flags
-to sections so they can be eventually collected by linker into final
-output segments. Only way to do so with clang is to use
-pragma clang section ...
-The behavious is described here [1], this allows us to define names bss
-sections. This was not an issue until clang-15 where LLD linker starts
-to detect the section flags before merging them and throws the following
-errors
-| ld.lld: error: section type mismatch for .nozi.kdata_page
-| >>> /mnt/b/yoe/master/build/tmp/work/qemuarm64-yoe-linux/optee-os-tadevkit/3.17.0-r0/build/core/arch/arm/kernel/thread.o:(.nozi.kdata_page): SHT_PROGBITS
-| >>> output section .nozi: SHT_NOBITS
-|
-| ld.lld: error: section type mismatch for .nozi.mmu.l2
-| >>> /mnt/b/yoe/master/build/tmp/work/qemuarm64-yoe-linux/optee-os-tadevkit/3.17.0-r0/build/core/arch/arm/mm/core_mmu_lpae.o:(.nozi.mmu.l2): SHT_PROGBITS
-| >>> output section .nozi: SHT_NOBITS
-These sections should be carrying SHT_NOBITS but so far it was not
-possible to do so, this patch tries to use clangs pragma to get this
-going and match the functionality with gcc.
-[1] https://intel.github.io/llvm-docs/clang/LanguageExtensions.html#specifying-section-names-for-global-objects-pragma-clang-section
-Upstream-Status: Pending
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
---
- core/arch/arm/kernel/thread.c    | 19 +++++++++++++++--
- core/arch/arm/mm/core_mmu_lpae.c | 35 +++++++++++++++++++++++++++----
- core/arch/arm/mm/core_mmu_v7.c   | 36 +++++++++++++++++++++++++++++---
- core/kernel/thread.c             | 13 +++++++++++-
- core/mm/pgt_cache.c              | 12 ++++++++++-
- 5 files changed, 104 insertions(+), 11 deletions(-)
-diff --git a/core/arch/arm/kernel/thread.c b/core/arch/arm/kernel/thread.c
-index 66833b3a0..b3eb9cf9a 100644
--- a/core/arch/arm/kernel/thread.c
-+++ b/core/arch/arm/kernel/thread.c
-@@ -45,15 +45,30 @@ static size_t thread_user_kcode_size __nex_bss;
- #if defined(CFG_CORE_UNMAP_CORE_AT_EL0) && \
-        defined(CFG_CORE_WORKAROUND_SPECTRE_BP_SEC) && defined(ARM64)
- long thread_user_kdata_sp_offset __nex_bss;
-+#ifdef __clang__
-+#ifndef CFG_VIRTUALIZATION
-+#pragma clang section bss=".nozi.kdata_page"
-+#else
-+#pragma clang section bss=".nex_nozi.kdata_page"
-+#endif
-+#endif
- static uint8_t thread_user_kdata_page[
-        ROUNDUP(sizeof(struct thread_core_local) * CFG_TEE_CORE_NB_CORE,
-                SMALL_PAGE_SIZE)]
-        __aligned(SMALL_PAGE_SIZE)
-+#ifndef __clang__
- #ifndef CFG_NS_VIRTUALIZATION
-       __section(".nozi.kdata_page");
-+       __section(".nozi.kdata_page")
- #else
-       __section(".nex_nozi.kdata_page");
-+       __section(".nex_nozi.kdata_page")
- #endif
-+#endif
-+    ;
-+#endif
-+
-+/* reset BSS section to default ( .bss ) */
-+#ifdef __clang__
-+#pragma clang section bss=""
- #endif
- 
- #ifdef ARM32
-diff --git a/core/arch/arm/mm/core_mmu_lpae.c b/core/arch/arm/mm/core_mmu_lpae.c
-index 4c8b85e39..1885e1d3f 100644
--- a/core/arch/arm/mm/core_mmu_lpae.c
-+++ b/core/arch/arm/mm/core_mmu_lpae.c
-@@ -234,19 +234,46 @@ typedef uint16_t l1_idx_t;
- typedef uint64_t base_xlat_tbls_t[CFG_TEE_CORE_NB_CORE][NUM_BASE_LEVEL_ENTRIES];
- typedef uint64_t xlat_tbl_t[XLAT_TABLE_ENTRIES];
- 
-+#ifdef __clang__
-+#pragma clang section bss=".nozi.mmu.base_table"
-+#endif
- static base_xlat_tbls_t base_xlation_table[NUM_BASE_TABLES]
-        __aligned(NUM_BASE_LEVEL_ENTRIES * XLAT_ENTRY_SIZE)
-       __section(".nozi.mmu.base_table");
-+#ifndef __clang__
-+       __section(".nozi.mmu.base_table")
-+#endif
-+;
-+#ifdef __clang__
-+#pragma clang section bss=""
-+#endif
- 
-+#ifdef __clang__
-+#pragma clang section bss=".nozi.mmu.l2"
-+#endif
- static xlat_tbl_t xlat_tables[MAX_XLAT_TABLES]
-       __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2");
-+       __aligned(XLAT_TABLE_SIZE)
-+#ifndef __clang__
-+       __section(".nozi.mmu.l2")
-+#endif
-+;
-+#ifdef __clang__
-+#pragma clang section bss=""
-+#endif
- 
- #define XLAT_TABLES_SIZE       (sizeof(xlat_tbl_t) * MAX_XLAT_TABLES)
- 
-+#ifdef __clang__
-+#pragma clang section bss=".nozi.mmu.l2"
-+#endif
- /* MMU L2 table for TAs, one for each thread */
- static xlat_tbl_t xlat_tables_ul1[CFG_NUM_THREADS]
-       __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2");
-
-+#ifndef __clang__
-+       __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2")
-+#endif
-+;
-+#ifdef __clang__
-+#pragma clang section bss=""
-+#endif
- /*
-  * TAs page table entry inside a level 1 page table.
-  *
-diff --git a/core/arch/arm/mm/core_mmu_v7.c b/core/arch/arm/mm/core_mmu_v7.c
-index 61e703da8..1960c08ca 100644
--- a/core/arch/arm/mm/core_mmu_v7.c
-+++ b/core/arch/arm/mm/core_mmu_v7.c
-@@ -204,16 +204,46 @@ typedef uint32_t l1_xlat_tbl_t[NUM_L1_ENTRIES];
- typedef uint32_t l2_xlat_tbl_t[NUM_L2_ENTRIES];
- typedef uint32_t ul1_xlat_tbl_t[NUM_UL1_ENTRIES];
- 
-+#ifdef __clang__
-+#pragma clang section bss=".nozi.mmu.l1"
-+#endif
- static l1_xlat_tbl_t main_mmu_l1_ttb
-               __aligned(L1_ALIGNMENT) __section(".nozi.mmu.l1");
-+               __aligned(L1_ALIGNMENT)
-+#ifndef __clang__
-+       __section(".nozi.mmu.l1")
-+#endif
-+;
-+#ifdef __clang__
-+#pragma clang section bss=""
-+#endif
- 
- /* L2 MMU tables */
-+#ifdef __clang__
-+#pragma clang section bss=".nozi.mmu.l2"
-+#endif
- static l2_xlat_tbl_t main_mmu_l2_ttb[MAX_XLAT_TABLES]
-               __aligned(L2_ALIGNMENT) __section(".nozi.mmu.l2");
-+               __aligned(L2_ALIGNMENT)
-+#ifndef __clang__
-+       __section(".nozi.mmu.l2")
-+#endif
-+;
-+#ifdef __clang__
-+#pragma clang section bss=""
-+#endif
- 
- /* MMU L1 table for TAs, one for each thread */
-+#ifdef __clang__
-+#pragma clang section bss=".nozi.mmu.ul1"
-+#endif
- static ul1_xlat_tbl_t main_mmu_ul1_ttb[CFG_NUM_THREADS]
-               __aligned(UL1_ALIGNMENT) __section(".nozi.mmu.ul1");
-+               __aligned(UL1_ALIGNMENT)
-+#ifndef __clang__
-+       __section(".nozi.mmu.ul1")
-+#endif
-+;
-+#ifdef __clang__
-+#pragma clang section bss=""
-+#endif
- 
- struct mmu_partition {
-        l1_xlat_tbl_t *l1_table;
-diff --git a/core/kernel/thread.c b/core/kernel/thread.c
-index 2a1f22dce..5516b6771 100644
--- a/core/kernel/thread.c
-+++ b/core/kernel/thread.c
-@@ -39,13 +39,24 @@ static uint32_t end_canary_value = 0xababab00;
-        name[stack_num][sizeof(name[stack_num]) / sizeof(uint32_t) - 1]
- #endif
- 
-+#define DO_PRAGMA(x) _Pragma (#x)
-+
-+#ifdef __clang__
-+#define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
-+DO_PRAGMA (clang section bss=".nozi_stack." #name) \
-+linkage uint32_t name[num_stacks] \
-+               [ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
-+                        STACK_ALIGNMENT) / sizeof(uint32_t)] \
-+               __attribute__((aligned(STACK_ALIGNMENT))); \
-+DO_PRAGMA(clang section bss="")
-+#else
- #define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
- linkage uint32_t name[num_stacks] \
-                [ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
-                         STACK_ALIGNMENT) / sizeof(uint32_t)] \
-                __attribute__((section(".nozi_stack." # name), \
-                               aligned(STACK_ALIGNMENT)))
-
-+#endif
- #define GET_STACK(stack) ((vaddr_t)(stack) + STACK_SIZE(stack))
- 
- DECLARE_STACK(stack_tmp, CFG_TEE_CORE_NB_CORE, STACK_TMP_SIZE,
-diff --git a/core/mm/pgt_cache.c b/core/mm/pgt_cache.c
-index 79553c6d2..b9efdf427 100644
--- a/core/mm/pgt_cache.c
-+++ b/core/mm/pgt_cache.c
-@@ -410,8 +410,18 @@ void pgt_init(void)
-         * has a large alignment, while .bss has a small alignment. The current
-         * link script is optimized for small alignment in .bss
-         */
-+#ifdef __clang__
-+#pragma clang section bss=".nozi.mmu.l2"
-+#endif
-        static uint8_t pgt_tables[PGT_CACHE_SIZE][PGT_SIZE]
-                       __aligned(PGT_SIZE) __section(".nozi.pgt_cache");
-+                       __aligned(PGT_SIZE)
-+#ifndef __clang__
-+                       __section(".nozi.pgt_cache")
-+#endif
-+                       ;
-+#ifdef __clang__
-+#pragma clang section bss=""
-+#endif
-        size_t n;
- 
-        for (n = 0; n < ARRAY_SIZE(pgt_tables); n++) {
-- 
-2.43.2
diff --git a/recipes-security/optee-imx/optee-os/0003-arm32-libutils-libutee-ta-add-.note.GNU-stack-sectio.patch b/recipes-security/optee-imx/optee-os/0003-arm32-libutils-libutee-ta-add-.note.GNU-stack-sectio.patch
deleted file mode 100644
index 1c5753c7f..000000000
--- a/recipes-security/optee-imx/optee-os/0003-arm32-libutils-libutee-ta-add-.note.GNU-stack-sectio.patch
+++ /dev/null
@@ -1,133 +0,0 @@
-From 6f738803a59613ec4a683ddbc1747ebffd75a4e6 Mon Sep 17 00:00:00 2001
-From: Jerome Forissier <jerome.forissier@linaro.org>
-Date: Tue, 23 Aug 2022 12:31:46 +0000
-Subject: [PATCH 3/4] arm32: libutils, libutee, ta: add .note.GNU-stack section
- to
- .S files
-When building for arm32 with GNU binutils 2.39, the linker outputs
-warnings when linking Trusted Applications:
- arm-unknown-linux-uclibcgnueabihf-ld.bfd: warning: utee_syscalls_a32.o: missing .note.GNU-stack section implies executable stack
- arm-unknown-linux-uclibcgnueabihf-ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
-We could silence the warning by adding the '-z execstack' option to the
-TA link flags, like we did in the parent commit for the TEE core and
-ldelf. Indeed, ldelf always allocates a non-executable piece of memory
-for the TA to use as a stack.
-However it seems preferable to comply with the common ELF practices in
-this case. A better fix is therefore to add the missing .note.GNU-stack
-sections in the assembler files.
-Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
-Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
-Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5499]
-Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
---
- lib/libutee/arch/arm/utee_syscalls_a32.S             | 2 ++
- lib/libutils/ext/arch/arm/atomic_a32.S               | 2 ++
- lib/libutils/ext/arch/arm/mcount_a32.S               | 2 ++
- lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S  | 2 ++
- lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S | 2 ++
- lib/libutils/isoc/arch/arm/setjmp_a32.S              | 2 ++
- ta/arch/arm/ta_entry_a32.S                           | 2 ++
- 7 files changed, 14 insertions(+)
-diff --git a/lib/libutee/arch/arm/utee_syscalls_a32.S b/lib/libutee/arch/arm/utee_syscalls_a32.S
-index 2dea83ab8..668b65a86 100644
--- a/lib/libutee/arch/arm/utee_syscalls_a32.S
-+++ b/lib/libutee/arch/arm/utee_syscalls_a32.S
-@@ -9,6 +9,8 @@
- 
-        .section .note.GNU-stack,"",%progbits
- 
-+       .section .note.GNU-stack,"",%progbits
-+
-         .section .text
-         .balign 4
-         .code 32
-diff --git a/lib/libutils/ext/arch/arm/atomic_a32.S b/lib/libutils/ext/arch/arm/atomic_a32.S
-index 2be73ffad..87ddf1065 100644
--- a/lib/libutils/ext/arch/arm/atomic_a32.S
-+++ b/lib/libutils/ext/arch/arm/atomic_a32.S
-@@ -7,6 +7,8 @@
- 
-        .section .note.GNU-stack,"",%progbits
- 
-+       .section .note.GNU-stack,"",%progbits
-+
- /* uint32_t atomic_inc32(uint32_t *v); */
- FUNC atomic_inc32 , :
-        ldrex   r1, [r0]
-diff --git a/lib/libutils/ext/arch/arm/mcount_a32.S b/lib/libutils/ext/arch/arm/mcount_a32.S
-index 54dc3c02d..2f24632b8 100644
--- a/lib/libutils/ext/arch/arm/mcount_a32.S
-+++ b/lib/libutils/ext/arch/arm/mcount_a32.S
-@@ -9,6 +9,8 @@
- 
-        .section .note.GNU-stack,"",%progbits
- 
-+       .section .note.GNU-stack,"",%progbits
-+
- /*
-  * Convert return address to call site address by subtracting the size of the
-  * mcount call instruction (blx __gnu_mcount_nc).
-diff --git a/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S b/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S
-index 37ae9ec6f..bc6c48b1a 100644
--- a/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S
-+++ b/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S
-@@ -7,6 +7,8 @@
- 
-        .section .note.GNU-stack,"",%progbits
- 
-+       .section .note.GNU-stack,"",%progbits
-+
- /*
-  * signed ret_idivmod_values(signed quot, signed rem);
-  * return quotient and remaining the EABI way (regs r0,r1)
-diff --git a/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S b/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S
-index 5c3353e2c..9fb5e0283 100644
--- a/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S
-+++ b/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S
-@@ -7,6 +7,8 @@
- 
-        .section .note.GNU-stack,"",%progbits
- 
-+       .section .note.GNU-stack,"",%progbits
-+
- /*
-  * __value_in_regs lldiv_t __aeabi_ldivmod( long long n, long long d)
-  */
-diff --git a/lib/libutils/isoc/arch/arm/setjmp_a32.S b/lib/libutils/isoc/arch/arm/setjmp_a32.S
-index f8a0b70df..37d7cb88e 100644
--- a/lib/libutils/isoc/arch/arm/setjmp_a32.S
-+++ b/lib/libutils/isoc/arch/arm/setjmp_a32.S
-@@ -53,6 +53,8 @@
- 
-        .section .note.GNU-stack,"",%progbits
- 
-+       .section .note.GNU-stack,"",%progbits
-+
- /* Arm/Thumb interworking support:
- 
-    The interworking scheme expects functions to use a BX instruction
-diff --git a/ta/arch/arm/ta_entry_a32.S b/ta/arch/arm/ta_entry_a32.S
-index cd9a12f9d..ccdc19928 100644
--- a/ta/arch/arm/ta_entry_a32.S
-+++ b/ta/arch/arm/ta_entry_a32.S
-@@ -7,6 +7,8 @@
- 
-        .section .note.GNU-stack,"",%progbits
- 
-+       .section .note.GNU-stack,"",%progbits
-+
- /*
-  * This function is the bottom of the user call stack. Mark it as such so that
-  * the unwinding code won't try to go further down.
-- 
-2.43.2
diff --git a/recipes-security/optee-imx/optee-os/0004-core-link-add-no-warn-rwx-segments.patch b/recipes-security/optee-imx/optee-os/0004-core-link-add-no-warn-rwx-segments.patch
deleted file mode 100644
index f32b2284f..000000000
--- a/recipes-security/optee-imx/optee-os/0004-core-link-add-no-warn-rwx-segments.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From a63f82f74e015eb662242cdb51ef814e3f576829 Mon Sep 17 00:00:00 2001
-From: Jerome Forissier <jerome.forissier@linaro.org>
-Date: Fri, 5 Aug 2022 09:48:03 +0200
-Subject: [PATCH 4/4] core: link: add --no-warn-rwx-segments
-Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
-Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5474]
-binutils ld.bfd generates one RWX LOAD segment by merging several sections
-with mixed R/W/X attributes (.text, .rodata, .data). After version 2.38 it
-also warns by default when that happens [1], which breaks the build due to
--fatal-warnings. The RWX segment is not a problem for the TEE core, since
-that information is not used to set memory permissions. Therefore, silence
-the warning.
-Link: [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
-Link: https://sourceware.org/bugzilla/show_bug.cgi?id=29448
-Reported-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
-Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
-Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
-Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
---
- core/arch/arm/kernel/link.mk | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-diff --git a/core/arch/arm/kernel/link.mk b/core/arch/arm/kernel/link.mk
-index 49e9f4fa1..9e1cc172f 100644
--- a/core/arch/arm/kernel/link.mk
-+++ b/core/arch/arm/kernel/link.mk
-@@ -37,6 +37,7 @@ link-ldflags += --sort-section=alignment
- link-ldflags += --fatal-warnings
- link-ldflags += --gc-sections
- link-ldflags += $(link-ldflags-common)
-+link-ldflags += $(call ld-option,--no-warn-rwx-segments)
- 
- link-ldadd  = $(LDADD)
- link-ldadd += $(ldflags-external)
-@@ -61,6 +62,7 @@ link-script-cppflags := \
-                $(cppflagscore))
- 
- ldargs-all_objs := -T $(link-script-dummy) --no-check-sections \
-+                  $(call ld-option,--no-warn-rwx-segments) \
-                   $(link-ldflags-common) \
-                   $(link-objs) $(link-ldadd) $(libgcccore)
- cleanfiles += $(link-out-dir)/all_objs.o
-@@ -75,7 +77,7 @@ $(link-out-dir)/unpaged_entries.txt: $(link-out-dir)/all_objs.o
-                $(AWK) '/ ____keep_pager/ { printf "-u%s ", $$3 }' > $@
- 
- unpaged-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
-                $(link-ldflags-common)
-+                $(link-ldflags-common) $(call ld-option,--no-warn-rwx-segments)
- unpaged-ldadd := $(objs) $(link-ldadd) $(libgcccore)
- cleanfiles += $(link-out-dir)/unpaged.o
- $(link-out-dir)/unpaged.o: $(link-out-dir)/unpaged_entries.txt
-@@ -104,7 +106,7 @@ $(link-out-dir)/init_entries.txt: $(link-out-dir)/all_objs.o
-                $(AWK) '/ ____keep_init/ { printf "-u%s ", $$3 }' > $@
- 
- init-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
-              $(link-ldflags-common)
-+              $(link-ldflags-common) $(call ld-option,--no-warn-rwx-segments)
- init-ldadd := $(link-objs-init) $(link-out-dir)/version.o  $(link-ldadd) \
-              $(libgcccore)
- cleanfiles += $(link-out-dir)/init.o
-- 
-2.43.2
diff --git a/recipes-security/optee-imx/optee-os/0002-optee-enable-clang-support.patch b/recipes-security/optee-imx/optee-os/0007-allow-setting-sysroot-for-clang.patch
index dbc53542e..067ba6ebf 100644
--- a/recipes-security/optee-imx/optee-os/0002-optee-enable-clang-support.patch
+++ b/recipes-security/optee-imx/optee-os/0007-allow-setting-sysroot-for-clang.patch
@@ -1,7 +1,7 @@
-From 2ba573c9763329fbfdfacc8393d565ab747cac4d Mon Sep 17 00:00:00 2001
+From db9e44af75c7cfd3316cab15aaa387383df3e57e Mon Sep 17 00:00:00 2001
 From: Brett Warren <brett.warren@arm.com>
 Date: Wed, 23 Sep 2020 09:27:34 +0100
-Subject: [PATCH 2/4] optee: enable clang support
+Subject: [PATCH] optee: enable clang support
 When compiling with clang, the LIBGCC_LOCATE_CFLAG variable used
 to provide a sysroot wasn't included, which results in not locating
@@ -10,17 +10,16 @@ compiler-rt. This is mitigated by including the variable as ammended.
 Upstream-Status: Pending
 ChangeId: 8ba69a4b2eb8ebaa047cb266c9aa6c2c3da45701
 Signed-off-by: Brett Warren <brett.warren@arm.com>
-Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
---
+---
 mk/clang.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/mk/clang.mk b/mk/clang.mk
-index a045beee8..1ebe2f702 100644
+index c141a3f2..7d067cc0 100644
 --- a/mk/clang.mk
 +++ b/mk/clang.mk
-@@ -30,7 +30,7 @@ comp-cflags-warns-clang := -Wno-language-extension-token \
+@@ -27,7 +27,7 @@ comp-cflags-warns-clang := -Wno-language-extension-token \
 
 # Note, use the compiler runtime library (libclang_rt.builtins.*.a) instead of
 # libgcc for clang
@@ -29,6 +28,3 @@ index a045beee8..1ebe2f702 100644
                        -rtlib=compiler-rt -print-libgcc-file-name 2> /dev/null)
 
 # Core ASLR relies on the executable being ready to run from its preferred load
-- 
-2.43.2
diff --git a/recipes-security/optee-imx/optee-os_4.2.0.imx.bb b/recipes-security/optee-imx/optee-os_4.2.0.imx.bb
deleted file mode 100644
index 96948bc7b..000000000
--- a/recipes-security/optee-imx/optee-os_4.2.0.imx.bb
+++ /dev/null
@@ -1,12 +0,0 @@
-# Copyright 2017-2024 NXP
-require optee-os-fslc-imx.inc
-SRC_URI += " \
-    file://0001-core-Define-section-attributes-for-clang.patch \
-    file://0002-optee-enable-clang-support.patch \
-    file://0003-arm32-libutils-libutee-ta-add-.note.GNU-stack-sectio.patch \
-    file://0004-core-link-add-no-warn-rwx-segments.patch \
-"
-SRCBRANCH = "lf-6.6.23_2.0.0"
-SRCREV = "c6be5b572452a2808d1a34588fd10e71715e23cf"
diff --git a/recipes-security/optee-imx/optee-os_4.4.0.imx.bb b/recipes-security/optee-imx/optee-os_4.4.0.imx.bb
new file mode 100644
index 000000000..dc6d3901d
--- /dev/null
+++ b/recipes-security/optee-imx/optee-os_4.4.0.imx.bb
@@ -0,0 +1,6 @@
+# Copyright 2017-2024 NXP
+require optee-os-fslc-imx.inc
+SRCBRANCH = "lf-6.6.52_2.2.0"
+SRCREV = "60beb308810f9561a67fdb435388a64c85eb6dcb"
diff --git a/recipes-security/optee-imx/optee-test-fslc-imx.inc b/recipes-security/optee-imx/optee-test-fslc-imx.inc
new file mode 100644
index 000000000..ab16fd221
--- /dev/null
+++ b/recipes-security/optee-imx/optee-test-fslc-imx.inc
@@ -0,0 +1,18 @@
+# Copied from meta-imx/meta-imx-bsp/recipes-security/optee/optee-test-imx.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L37
+require optee-test-fslc.inc
+DEPENDS += "openssl"
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-test:"
+SRC_URI:remove = "git://github.com/OP-TEE/optee_test.git;branch=master;protocol=https"
+SRC_URI:prepend = "${OPTEE_TEST_SRC};branch=${SRCBRANCH} "
+OPTEE_TEST_SRC ?= "git://github.com/nxp-imx/imx-optee-test.git;protocol=https"
+EXTRA_OEMAKE:append:libc-musl = " OPTEE_OPENSSL_EXPORT=${STAGING_INCDIR}"
+CFLAGS:append:libc-musl = " -Wno-error=deprecated-declarations"
+COMPATIBLE_MACHINE = "(imx-nxp-bsp)"
diff --git a/recipes-security/optee-imx/optee-test-fslc.inc b/recipes-security/optee-imx/optee-test-fslc.inc
index e0c133a7c..ed64c87f8 100644
--- a/recipes-security/optee-imx/optee-test-fslc.inc
+++ b/recipes-security/optee-imx/optee-test-fslc.inc
@@ -1,38 +1,64 @@
-# Copyright (C) 2017-2021 NXP
+# Copied from meta-arm/recipes-security/optee/optee-test.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L30
+SUMMARY = "OP-TEE sanity testsuite"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Test suite"
+HOMEPAGE = "https://www.op-tee.org/"
-SUMMARY = "OPTEE test"
 LICENSE = "BSD-2-Clause & GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa"
+inherit python3native ptest
+inherit deploy
 require optee-fslc.inc
-DEPENDS += "optee-os optee-client openssl"
+DEPENDS = "optee-client optee-os-tadevkit python3-cryptography-native openssl"
+SRC_URI = "git://github.com/OP-TEE/optee_test.git;branch=master;protocol=https \
+           file://run-ptest \
+          "
+B = "${WORKDIR}/build"
-EXTRA_OEMAKE += " \
+EXTRA_OEMAKE += "TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
-    TA_DEV_KIT_DIR=${STAGING_INCDIR}/optee/export-user_ta_${OPTEE_ARCH}/ \
+                 OPTEE_OPENSSL_EXPORT=${STAGING_INCDIR} \
-    CROSS_COMPILE_HOST=${HOST_PREFIX} \
+                 CROSS_COMPILE_HOST=${HOST_PREFIX} \
-    CROSS_COMPILE_TA=${HOST_PREFIX} \
+                 CROSS_COMPILE_TA=${HOST_PREFIX} \
-    CROSS_COMPILE=${HOST_PREFIX} \
+                 O=${B} \
-"
+               "
+CFLAGS += "-Wno-error=deprecated-declarations"
 do_compile() {
-    oe_runmake all
+    cd ${S}
+    # Top level makefile doesn't seem to handle parallel make gracefully
+    oe_runmake xtest
+    oe_runmake ta
+    oe_runmake test_plugin
 }
 do_compile[cleandirs] = "${B}"
 do_install () {
-        install -d ${D}${bindir}
+    install -D -p -m0755 ${B}/xtest/xtest ${D}${bindir}/xtest
-        install ${B}/xtest/xtest ${D}${bindir}
-        install -d ${D}${nonarch_base_libdir}/optee_armtz
+    # install path should match the value set in optee-client/tee-supplicant
-        find ${B}/ta -name '*.ta' | while read name; do
+    # default TEEC_LOAD_PATH is /lib
-                install -m 444 $name ${D}${nonarch_base_libdir}/optee_armtz/
+    mkdir -p ${D}${nonarch_base_libdir}/optee_armtz/
-        done
+    install -D -p -m0444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
+    mkdir -p ${D}${libdir}/tee-supplicant/plugins
+    install -D -p -m0444 ${B}/supp_plugin/*.plugin ${D}${libdir}/tee-supplicant/plugins/
+}
-        install -d ${D}${libdir}/tee-supplicant/plugins/
+do_deploy () {
-        install ${B}/supp_plugin/*plugin ${D}${libdir}/tee-supplicant/plugins/
+    install -d ${DEPLOYDIR}/${MLPREFIX}optee/ta
+    install -m 644 ${B}/ta/*/*.elf ${DEPLOYDIR}/${MLPREFIX}optee/ta
 }
-FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/ ${libdir}/tee-supplicant/plugins/"
+addtask deploy before do_build after do_install
+FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/ \
+                ${libdir}/tee-supplicant/plugins/ \
+               "
-RDEPENDS:${PN} = "optee-os"
+# Imports machine specific configs from staging to build
+PACKAGE_ARCH = "${MACHINE_ARCH}"
diff --git a/recipes-security/optee-imx/optee-test/run-ptest b/recipes-security/optee-imx/optee-test/run-ptest
new file mode 100644
index 000000000..ba88c14d3
--- /dev/null
+++ b/recipes-security/optee-imx/optee-test/run-ptest
@@ -0,0 +1,52 @@
+#!/bin/sh
+xtest | awk '
+    # Escapes the special characters in a string so that, when
+    # included in a regex, it represents a literal match
+    function regx_escape_literal(str,    ret) {
+        ret = str
+        gsub(/[\[\]\^\$\.\*\?\+\{\}\\\(\)\|]/ , "\\\\&", str)
+        return str
+    }
+    # Returns the simple test formatted name
+    function name(n,    ret) {
+        ret = n
+        gsub(/\./, " ", ret)
+        return ret
+    }
+    # Returns the simple test formatted result
+    function result(res) {
+        if(res ~ /OK/) {
+            return "PASS"
+        } else if(res ~ /FAILED/) {
+            return "FAIL"
+        }
+    }
+    function parse(name, description,     has_subtests, result_line) {
+        has_subtests = 0
+        # Consume every line up to the result line
+        result_line = "  " regx_escape_literal(name) " (OK|FAILED)"
+        do {
+            getline
+            # If this is a subtest (denoted by an "o" bullet) then subparse
+            if($0 ~ /^o /) {
+                parse($2, description " : " substr($0, index($0, $3)))
+                has_subtests = 1
+            }
+        } while ($0 !~ result_line)
+        # Only print the results for the deepest nested subtests
+        if(!has_subtests) {
+            print result($2) ": " name(name) " - " description
+        }
+    }
+    # Start parsing at the beginning of every test (denoted by a "*" bullet)
+    /^\* / { parse($2, substr($0, index($0, $3))) }
+'
diff --git a/recipes-security/optee-imx/optee-test_4.2.0.imx.bb b/recipes-security/optee-imx/optee-test_4.2.0.imx.bb
deleted file mode 100644
index aa8444fba..000000000
--- a/recipes-security/optee-imx/optee-test_4.2.0.imx.bb
+++ /dev/null
@@ -1,10 +0,0 @@
-# Copyright 2017-2024 NXP
-require optee-test-fslc.inc
-SRC_URI = "git://github.com/nxp-imx/imx-optee-test.git;protocol=https;branch=${SRCBRANCH}"
-SRCBRANCH = "lf-6.6.23_2.0.0"
-SRCREV = "07682f1b1b41ec0bfa507286979b36ab8d344a96"
-COMPATIBLE_MACHINE = "(imx-nxp-bsp)"
diff --git a/recipes-security/optee-imx/optee-test_4.4.0.imx.bb b/recipes-security/optee-imx/optee-test_4.4.0.imx.bb
new file mode 100644
index 000000000..b4ac12714
--- /dev/null
+++ b/recipes-security/optee-imx/optee-test_4.4.0.imx.bb
@@ -0,0 +1,13 @@
+# Copyright 2017-2024 NXP
+require optee-test-fslc-imx.inc
+# The BSD and GPL license files are now included in the source
+# https://github.com/OP-TEE/optee_test/commit/a748f5fcd9ec8a574dc86a5aa56d05bc6ac174e7
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560 \
+                    file://LICENSE-BSD;md5=dca16d6efa93b55d0fd662ae5cd6feeb \
+                    file://LICENSE-GPL;md5=10e86b5d2a6cb0e2b9dcfdd26a9ac58d"
+SRCBRANCH = "lf-6.6.52_2.2.0"
+SRCREV = "dafc98ed8364d7281a9a7f0788dd0a2067844a59"
diff --git a/recipes-security/optee-qoriq/optee-client.nxp.inc b/recipes-security/optee-qoriq/optee-client.nxp.inc
index c3933a243..a7e51a29d 100644
--- a/recipes-security/optee-qoriq/optee-client.nxp.inc
+++ b/recipes-security/optee-qoriq/optee-client.nxp.inc
@@ -13,7 +13,6 @@ SRCREV = "7c9c423d00e96bf51debd5fe10fd70dce83be5cc"
 FILESEXTRAPATHS:prepend := "${THISDIR}/optee-client:"
 SRC_URI += "file://tee-supplicant.service"
-S = "${WORKDIR}/git"
 B = "${WORKDIR}/build"
 OPTEE_ARCH ?= "arm32"
diff --git a/recipes-security/optee-qoriq/optee-os.nxp.inc b/recipes-security/optee-qoriq/optee-os.nxp.inc
index 5b90b937c..989da06d7 100644
--- a/recipes-security/optee-qoriq/optee-os.nxp.inc
+++ b/recipes-security/optee-qoriq/optee-os.nxp.inc
@@ -12,7 +12,6 @@ DEPENDS = "python3-pycryptodome-native python3-pyelftools-native python3-pycrypt
 SRC_URI = "git://github.com/nxp-qoriq/optee_os.git;protocol=https;nobranch=1"
 SRCREV = "735d98806dc26fbeeecad7f5e60ffeab8170c67e"
-S = "${WORKDIR}/git"
 B = "${WORKDIR}/build.${PLATFORM_FLAVOR}"
 PLATFORM_FLAVOR ?= "${MACHINE}"
diff --git a/recipes-security/optee-qoriq/optee-test.nxp.inc b/recipes-security/optee-qoriq/optee-test.nxp.inc
index 14a42ac5a..17108ff38 100644
--- a/recipes-security/optee-qoriq/optee-test.nxp.inc
+++ b/recipes-security/optee-qoriq/optee-test.nxp.inc
@@ -12,7 +12,6 @@ inherit python3native cmake
 SRC_URI = "git://github.com/nxp-qoriq/optee_test.git;protocol=https;nobranch=1"
 SRCREV = "69722dab8c1f2683e30e0ee3b536053367e37aad"
-S = "${WORKDIR}/git"
 B = "${WORKDIR}/build"
 TA_DEV_KIT_DIR ?= "${STAGING_INCDIR}/optee/export-user_ta"
diff --git a/recipes-security/smw/keyctl-caam_git.bb b/recipes-security/smw/keyctl-caam_git.bb
index 25a5f656a..66ff7ecb0 100644
--- a/recipes-security/smw/keyctl-caam_git.bb
+++ b/recipes-security/smw/keyctl-caam_git.bb
@@ -11,8 +11,6 @@ SRC_URI = "git://github.com/nxp-imx/keyctl_caam.git;protocol=https;branch=${SRCB
 SRCREV = "81dc06cdb9c4d0d4ba10459d85af9a8603774948"
-S = "${WORKDIR}/git"
 TARGET_CC_ARCH += "${LDFLAGS}"
 do_install () {
diff --git a/recipes-security/smw/smw_git.bb b/recipes-security/smw/smw_git.bb
index 3f77ad06b..dbb59d2f3 100644
--- a/recipes-security/smw/smw_git.bb
+++ b/recipes-security/smw/smw_git.bb
@@ -19,7 +19,7 @@ SRC_URI = "git://github.com/nxp-imx/imx-smw.git;protocol=https;branch=release/ve
 SRCREV_smw = "f0570b3e8cb5f68d54edc4f9dd7cb984f6f604ed"
 SRCREV_psa = "463cb95ada820bc6f758d50066cf8c0ed5cc3a02"
 SRCREV_FORMAT = "smw_psa"
-S = "${WORKDIR}/git/smw"
+S = "${UNPACKDIR}/git/smw"
 inherit cmake python3native
@@ -35,7 +35,7 @@ OPTEE_OS_TA_EXPORT_DIR:aarch64 = "${STAGING_INCDIR}/optee/export-user_ta_arm64"
 OPTEE_OS_TA_EXPORT_DIR:arm = "${STAGING_INCDIR}/optee/export-user_ta_arm32"
 # Needs to sign OPTEE TAs
-export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
+export OPENSSL_MODULES = "${STAGING_LIBDIR_NATIVE}/ossl-modules"
 EXTRA_OECMAKE = " \
    -DTA_DEV_KIT_ROOT=${OPTEE_OS_TA_EXPORT_DIR} \