40 files changed, 613 insertions, 873 deletions

diff --git a/recipes-security/optee-imx/optee-client-fslc-imx.inc b/recipes-security/optee-imx/optee-client-fslc-imx.inc
index 4cfe18bf8..1112a864d 100644
--- a/recipes-security/optee-imx/optee-client-fslc-imx.inc
+++ b/recipes-security/optee-imx/optee-client-fslc-imx.inc
@@ -1,7 +1,17 @@
-# Copyright (C) 2017-2021 NXP
+# Copied from meta-imx/meta-imx-bsp/recipes-security/optee/optee-client-imx.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-walnascar/imx-6.12.20-2.0.0.xml#L37
 
 require optee-client-fslc.inc
 
-SRC_URI += "git://github.com/nxp-imx/imx-optee-client.git;protocol=https;branch=${SRCBRANCH}"
+DEPENDS += "util-linux-libuuid"
 
-COMPATIBLE_MACHINE = "(imx-nxp-bsp)"
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-client:"
+SRC_URI:remove = "git://github.com/OP-TEE/optee_client.git;branch=master;protocol=https"
+SRC_URI:prepend = "${OPTEE_CLIENT_SRC};branch=${SRCBRANCH} "
+OPTEE_CLIENT_SRC ?= "git://github.com/nxp-imx/imx-optee-client.git;protocol=https"
+
+SRC_URI += "file://0001-tee-supplicant-Fix-non-arch-service-unit-install-pat.patch"
+
+inherit pkgconfig
+
+EXTRA_OECMAKE += "-DCFG_TEE_CLIENT_LOAD_PATH=${nonarch_base_libdir}"
diff --git a/recipes-security/optee-imx/optee-client-fslc.inc b/recipes-security/optee-imx/optee-client-fslc.inc
index 92f9f1d1f..70a25fe6c 100644
--- a/recipes-security/optee-imx/optee-client-fslc.inc
+++ b/recipes-security/optee-imx/optee-client-fslc.inc
@@ -1,42 +1,60 @@
-# Copyright (C) 2017-2021 NXP
+# Copied from meta-arm/recipes-security/optee/optee-client.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-walnascar/imx-6.12.20-2.0.0.xml#L30
+
+SUMMARY = "OP-TEE Client API"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Normal World Client side of the TEE"
+HOMEPAGE = "https://www.op-tee.org/"
 
-SUMMARY = "OPTEE Client libs"
-HOMEPAGE = "http://www.optee.org/"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b"
 
-SRC_URI = "file://tee-supplicant.service"
-
-S = "${WORKDIR}/git"
-B = "${WORKDIR}/build"
-
-inherit python3native systemd features_check pkgconfig
-
-DEPENDS = "util-linux-libuuid"
+inherit systemd update-rc.d cmake useradd
 
-REQUIRED_MACHINE_FEATURES = "optee"
+SRC_URI = " \
+    git://github.com/OP-TEE/optee_client.git;branch=master;protocol=https \
+    file://tee-supplicant.sh \
+"
 
-SYSTEMD_SERVICE:${PN} = "tee-supplicant.service"
+UPSTREAM_CHECK_GITTAGREGEX = "^(?P<pver>\d+(\.\d+)+)$"
 
-EXTRA_OEMAKE = " \
-        -C ${S} O=${B} \
+EXTRA_OECMAKE = " \
+    -DBUILD_SHARED_LIBS=ON \
+    -DCFG_USE_PKGCONFIG=ON \
 "
 
-do_install () {
-        oe_runmake -C ${S} install
-
-        install -D -p -m0644 ${B}/export/usr/lib/libteec.so.1.0.0 ${D}${libdir}/libteec.so.1.0.0
-        ln -sf libteec.so.1.0.0 ${D}${libdir}/libteec.so.1
-        ln -sf libteec.so.1.0.0 ${D}${libdir}/libteec.so
+# libts uses /dev/tee devices too. Add a common variable to allow configuring the same group.
+TEE_GROUP_NAME ?= "tee"
+
+EXTRA_OECMAKE += " -DCFG_ENABLE_SYSTEMD=On -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir}/"
+EXTRA_OECMAKE += " -DCFG_ENABLE_UDEV=On -DUDEV_UDEV_DIR=${nonarch_base_libdir}/udev/rules.d/"
+EXTRA_OECMAKE += " -DCFG_TEE_GROUP=${TEE_GROUP_NAME} -DCFG_TEEPRIV_GROUP=teepriv"
+
+EXTRA_OECMAKE:append:toolchain-clang = " -DCFG_WERROR=0"
+
+do_install:append() {
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
+        install -D -p -m0755 ${UNPACKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant
+        sed -i -e s:@sysconfdir@:${sysconfdir}:g \
+               -e s:@sbindir@:${sbindir}:g \
+               -e s:@supluser@:teesuppl:g \
+               -e s:@suplgroup@:teesuppl:g \
+                  ${D}${sysconfdir}/init.d/tee-supplicant
+    fi
+    install -o teesuppl -g teesuppl -m 0700 -d ${D}${localstatedir}/lib/tee
+}
 
-        install -D -p -m0644 ${B}/export/usr/lib/libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0.1.0
-        ln -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0
-        ln -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so
+SYSTEMD_SERVICE:${PN} = "tee-supplicant@.service"
 
-        install -D -p -m0755 ${B}/export/usr/sbin/tee-supplicant ${D}${bindir}/tee-supplicant
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME:${PN} = "tee-supplicant"
+INITSCRIPT_PARAMS:${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ."
 
-        cp -a ${B}/export/usr/include ${D}${includedir}
+FILES:${PN} += "${nonarch_base_libdir}/udev/rules.d/"
 
-        sed -i -e s:/etc:${sysconfdir}:g -e s:/usr/bin:${bindir}:g ${WORKDIR}/tee-supplicant.service
-        install -D -p -m0644 ${WORKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service
-}
+# Users and groups:
+# TEE_GROUP_NAME group to access /dev/tee*
+# teepriv group to acess /dev/teepriv*, only tee-supplicant
+# teesuppl user and group teesuppl to run tee-supplicant
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "--system ${TEE_GROUP_NAME}; --system teepriv; --system teesuppl"
+USERADD_PARAM:${PN} = "--system -g teesuppl --groups teepriv --home-dir ${localstatedir}/lib/tee -M --shell /sbin/nologin teesuppl;"
diff --git a/recipes-security/optee-imx/optee-client/0001-tee-supplicant-Fix-non-arch-service-unit-install-pat.patch b/recipes-security/optee-imx/optee-client/0001-tee-supplicant-Fix-non-arch-service-unit-install-pat.patch
new file mode 100644
index 000000000..631e08019
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client/0001-tee-supplicant-Fix-non-arch-service-unit-install-pat.patch
@@ -0,0 +1,35 @@
+From 5ffab66dda3e25f0b2ebc5115013c4234d048703 Mon Sep 17 00:00:00 2001
+From: Tom Hochstein <tom.hochstein@nxp.com>
+Date: Mon, 21 Apr 2025 08:47:29 -0500
+Subject: [PATCH] tee-supplicant: Fix non-arch service unit install path
+
+A 64-bit build with multilib enabled fails:
+```
+ERROR: optee-client-4.4.0-r0 do_package: Didn't find service unit 'tee-supplicant@.service', specified in SYSTEMD_SERVICE:optee-client. Also looked for service unit 'tee-supplicant@.service'.
+```
+
+The problem is the service unit is installed in the arch-specific folder
+/usr/lib64/systemd/system, but it is non-arch and should be in
+/usr/lib/systemd/system.
+
+Upstream-Status: Pending
+Signed-off-by: Tom Hochstein <tom.hochstein@nxp.com>
+---
+ tee-supplicant/CMakeLists.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tee-supplicant/CMakeLists.txt b/tee-supplicant/CMakeLists.txt
+index 8df9bef..3ea058c 100644
+--- a/tee-supplicant/CMakeLists.txt
++++ b/tee-supplicant/CMakeLists.txt
+@@ -119,6 +119,6 @@ endif()
+ ################################################################################
+ install(TARGETS ${PROJECT_NAME} RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR})
+ configure_file(tee-supplicant@.service.in tee-supplicant@.service @ONLY)
+-install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/tee-supplicant@.service DESTINATION ${CMAKE_INSTALL_LIBDIR}/systemd/system)
++install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/tee-supplicant@.service DESTINATION lib/systemd/system)
+ configure_file(optee-udev.rules.in optee-udev.rules @ONLY)
+ install(FILES ${CMAKE_BINARY_DIR}/${PROJECT_NAME}/optee-udev.rules DESTINATION ${CMAKE_INSTALL_SYSCONFDIR}/udev/rules.d)
+-- 
+2.34.1
+
diff --git a/recipes-security/optee-imx/optee-client/optee-udev.rules b/recipes-security/optee-imx/optee-client/optee-udev.rules
new file mode 100644
index 000000000..075f469c0
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client/optee-udev.rules
@@ -0,0 +1,6 @@
+KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", TAG+="systemd"
+
+# If a /dev/teepriv[0-9]* device is detected, start an instance of
+# tee-supplicant.service with the device name as parameter
+KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", \
+    TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"
diff --git a/recipes-security/optee-imx/optee-client/tee-supplicant.service b/recipes-security/optee-imx/optee-client/tee-supplicant.service
deleted file mode 100644
index 0e2b4f6ba..000000000
--- a/recipes-security/optee-imx/optee-client/tee-supplicant.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=TEE Supplicant
-
-[Service]
-User=root
-EnvironmentFile=-/etc/default/tee-supplicant
-ExecStart=/usr/bin/tee-supplicant $OPTARGS
-
-[Install]
-WantedBy=basic.target
-
diff --git a/recipes-security/optee-imx/optee-client/tee-supplicant.sh b/recipes-security/optee-imx/optee-client/tee-supplicant.sh
new file mode 100644
index 000000000..b4d219502
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client/tee-supplicant.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Source function library
+. /etc/init.d/functions
+
+NAME=tee-supplicant
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DESC="OP-TEE Supplicant"
+
+DAEMON=@sbindir@/$NAME
+
+test -f $DAEMON || exit 0
+
+test -f @sysconfdir@/default/$NAME && . @sysconfdir@/default/$NAME
+test -f @sysconfdir@/default/rcS && . @sysconfdir@/default/rcS
+
+SSD_OPTIONS="--oknodo --quiet --exec $DAEMON -- -d $OPTARGS"
+
+set -e
+
+case $1 in
+    start)
+            echo -n "Starting $DESC: "
+            start-stop-daemon --start $SSD_OPTIONS
+        echo "${DAEMON##*/}."
+        ;;
+    stop)
+            echo -n "Stopping $DESC: "
+            start-stop-daemon --stop $SSD_OPTIONS
+        echo "${DAEMON##*/}."
+        ;;
+    restart|force-reload)
+            $0 stop
+            sleep 1
+            $0 start
+        ;;
+    status)
+        status ${DAEMON} || exit $?
+        ;;
+    *)
+        echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
+        exit 1
+        ;;
+esac
+
+exit 0
diff --git a/recipes-security/optee-imx/optee-client/tee-supplicant@.service b/recipes-security/optee-imx/optee-client/tee-supplicant@.service
new file mode 100644
index 000000000..72c0b9aa5
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client/tee-supplicant@.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=TEE Supplicant on %i
+
+[Service]
+User=root
+EnvironmentFile=-@sysconfdir@/default/tee-supplicant
+ExecStart=@sbindir@/tee-supplicant $OPTARGS
+
+[Install]
+WantedBy=basic.target
diff --git a/recipes-security/optee-imx/optee-client/tee-udev.rules b/recipes-security/optee-imx/optee-client/tee-udev.rules
new file mode 100644
index 000000000..43fafd8c9
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client/tee-udev.rules
@@ -0,0 +1,7 @@
+# tee devices can only be accessed by the teeclnt group members
+KERNEL=="tee[0-9]*", TAG+="systemd", MODE="0660", GROUP="teeclnt"
+
+# If a /dev/teepriv[0-9]* device is detected, start an instance of
+# tee-supplicant.service with the device name as parameter
+KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="tee", \
+    TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"
diff --git a/recipes-security/optee-imx/optee-client_4.0.0.imx.bb b/recipes-security/optee-imx/optee-client_4.0.0.imx.bb
deleted file mode 100644
index b404dd5b7..000000000
--- a/recipes-security/optee-imx/optee-client_4.0.0.imx.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-require optee-client-fslc-imx.inc
-
-SRCBRANCH = "lf-6.6.3_1.0.0"
-SRCREV = "acb0885c117e73cb6c5c9b1dd9054cb3f93507ee"
-
-DEPENDS += "util-linux"
-EXTRA_OEMAKE += "PKG_CONFIG=pkg-config"
diff --git a/recipes-security/optee-imx/optee-client_4.6.0.imx.bb b/recipes-security/optee-imx/optee-client_4.6.0.imx.bb
new file mode 100644
index 000000000..b5a185da1
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client_4.6.0.imx.bb
@@ -0,0 +1,4 @@
+require optee-client-fslc-imx.inc
+
+SRCBRANCH = "lf-6.12.20_2.0.0"
+SRCREV = "02e7f9213b0d7db9c35ebf1e41e733fc9c5a3f75"
diff --git a/recipes-security/optee-imx/optee-fslc.inc b/recipes-security/optee-imx/optee-fslc.inc
index 6c96dc2bc..599dda522 100644
--- a/recipes-security/optee-imx/optee-fslc.inc
+++ b/recipes-security/optee-imx/optee-fslc.inc
@@ -1,26 +1,42 @@
-HOMEPAGE = "http://www.optee.org/"
+# Copied from meta-arm/recipes-security/optee/optee.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-walnascar/imx-6.12.20-2.0.0.xml#L30
 
-inherit python3native features_check
+UPSTREAM_CHECK_GITTAGREGEX = "^(?P<pver>\d+(\.\d+)+)$"
 
-REQUIRED_MACHINE_FEATURES = "optee"
+COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE:genericarm64 ?= "genericarm64"
+COMPATIBLE_MACHINE:qemuarm64 ?= "qemuarm64"
+COMPATIBLE_MACHINE:qemuarm ?= "qemuarm"
+# Please add supported machines below or set it in .bbappend or .conf
 
-DEPENDS = "python3-cryptography-native"
+OPTEEMACHINE ?= "${MACHINE}"
+OPTEEMACHINE:genericarm64 ?= "vexpress-qemu_armv8a"
+OPTEEMACHINE:aarch64:qemuall ?= "vexpress-qemu_armv8a"
+OPTEEMACHINE:arm:qemuall ?= "vexpress-qemu_virt"
 
-S = "${WORKDIR}/git"
-B = "${WORKDIR}/build"
-
-OPTEE_ARCH:arm     = "arm32"
+OPTEE_ARCH = "null"
+OPTEE_ARCH:arm = "arm32"
 OPTEE_ARCH:aarch64 = "arm64"
+OPTEE_CORE = "${@d.getVar('OPTEE_ARCH').upper()}"
+
+OPTEE_TOOLCHAIN = "${@d.getVar('TOOLCHAIN') or 'gcc'}"
+OPTEE_COMPILER = "${@bb.utils.contains("BBFILE_COLLECTIONS", "clang-layer", "${OPTEE_TOOLCHAIN}", "gcc", d)}"
 
-COMPILER ?= "gcc"
-COMPILER:toolchain-clang = "clang"
+# Set here but not passed to EXTRA_OEMAKE by default as that breaks
+# the optee-os build
+TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
+
+EXTRA_OEMAKE += "V=1 \
+                 LIBGCC_LOCATE_CFLAGS='${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}' \
+                 COMPILER=${OPTEE_COMPILER} \
+                 OPTEE_CLIENT_EXPORT=${STAGING_DIR_HOST}${prefix} \
+                 TEEC_EXPORT=${STAGING_DIR_HOST}${prefix} \
+                "
+# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
+# right path until this is relocated automatically.
+export OPENSSL_MODULES = "${STAGING_LIBDIR_NATIVE}/ossl-modules"
 
 CFLAGS += "--sysroot=${STAGING_DIR_HOST}"
-CXXFLAGS += "--sysroot=${STAGING_DIR_HOST}"
-
-EXTRA_OEMAKE = " \
-    COMPILER=${COMPILER} \
-    OPENSSL_MODULES=${STAGING_LIBDIR_NATIVE}/ossl-modules \
-    OPTEE_CLIENT_EXPORT=${STAGING_DIR_HOST}${exec_prefix} \
-    -C ${S} O=${B} \
-"
+
+# See the rationale in https://github.com/f-secure-foundry/advisories/blob/master/Security_Advisory-Ref_FSC-HWSEC-VR2021-0001-OP-TEE_TrustZone_bypass.txt.
+CVE_STATUS[CVE-2021-36133] = "disputed: devices shipped open for development purposes"
diff --git a/recipes-security/optee-imx/optee-os-common-fslc-imx.inc b/recipes-security/optee-imx/optee-os-common-fslc-imx.inc
new file mode 100644
index 000000000..ffd217099
--- /dev/null
+++ b/recipes-security/optee-imx/optee-os-common-fslc-imx.inc
@@ -0,0 +1,62 @@
+# Copied from meta-imx/meta-imx-bsp/recipes-security/optee/optee-os-common-imx.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-walnascar/imx-6.12.20-2.0.0.xml#L37
+require optee-os-fslc.inc
+
+DEPENDS:append:arm = "u-boot-mkimage-native"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:"
+
+SRC_URI:remove = "git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https"
+SRC_URI:prepend = "${OPTEE_OS_SRC};branch=${SRCBRANCH} "
+SRC_URI:append = " file://0007-allow-setting-sysroot-for-clang.patch"
+SRC_URI:remove = "file://0001-allow-setting-sysroot-for-libgcc-lookup.patch \
+                  file://0002-optee-enable-clang-support.patch \
+                  file://0003-core-link-add-no-warn-rwx-segments.patch"
+
+OPTEE_OS_SRC ?= "git://github.com/nxp-imx/imx-optee-os.git;protocol=https"
+
+inherit features_check
+
+REQUIRED_MACHINE_FEATURES = "optee"
+
+OPTEEMACHINE                   = "imx-${@d.getVar('MACHINE')[1:]}"
+OPTEEMACHINE:imx6qpdlsolox     = "imx-mx6qsabresd"
+OPTEEMACHINE:mx6ul-nxp-bsp     = "imx-mx6ulevk"
+OPTEEMACHINE:mx6ull-nxp-bsp    = "imx-mx6ullevk"
+OPTEEMACHINE:mx6ulz-nxp-bsp    = "imx-mx6ulzevk"
+OPTEEMACHINE:mx8mq-nxp-bsp     = "imx-mx8mqevk"
+OPTEEMACHINE:mx8mm-nxp-bsp     = "imx-mx8mmevk"
+OPTEEMACHINE:mx8mn-nxp-bsp     = "imx-mx8mnevk"
+OPTEEMACHINE:mx8mp-nxp-bsp     = "imx-mx8mpevk"
+OPTEEMACHINE:mx8mpul-nxp-bsp   = "imx-mx8mpevk"
+OPTEEMACHINE:mx8qm-nxp-bsp     = "imx-mx8qmmek"
+OPTEEMACHINE:mx8qxp-nxp-bsp    = "imx-mx8qxpmek"
+OPTEEMACHINE:mx8dx-nxp-bsp     = "imx-mx8dxmek"
+OPTEEMACHINE:mx8dxl-nxp-bsp    = "imx-mx8dxlevk"
+OPTEEMACHINE:mx8mnul-nxp-bsp   = "imx-mx8mnevk"
+OPTEEMACHINE:mx8ulp-nxp-bsp    = "imx-mx8ulpevk"
+OPTEEMACHINE:mx91-nxp-bsp      = "imx-mx91evk"
+OPTEEMACHINE:mx93-nxp-bsp      = "imx-mx93evk"
+OPTEEMACHINE:mx943-nxp-bsp     = "imx-mx943evk"
+OPTEEMACHINE:mx95-nxp-bsp      = "imx-mx95evk"
+
+# Strip the leading imx-
+PLATFORM_FLAVOR = "${@d.getVar('OPTEEMACHINE')[4:]}"
+
+EXTRA_OEMAKE:append = " \
+    CFG_TEE_TA_LOG_LEVEL=0 \
+    CFG_TEE_CORE_LOG_LEVEL=0 \
+"
+
+EXTRA_OEMAKE:append:imx8mq-lpddr4-wevk = " \
+    CFG_CORE_LARGE_PHYS_ADDR=y \
+    CFG_CORE_ARM64_PA_BITS=36 \
+    CFG_DDR_SIZE=0x100000000 \
+    CFG_TZDRAM_START=0xfe000000 \
+"
+
+EXTRA_OEMAKE:append:imx8dxlb0-fips-lpddr4-evk = " \
+    CFG_NXP_CAAM=n \
+"
+
+COMPATIBLE_MACHINE = "(imx-nxp-bsp)"
diff --git a/recipes-security/optee-imx/optee-os-fslc-imx.inc b/recipes-security/optee-imx/optee-os-fslc-imx.inc
index 6b72e8277..f46f666ee 100644
--- a/recipes-security/optee-imx/optee-os-fslc-imx.inc
+++ b/recipes-security/optee-imx/optee-os-fslc-imx.inc
@@ -1,26 +1,26 @@
-require optee-os-fslc.inc
+# Copied from meta-imx/meta-imx-bsp/recipes-security/optee/optee-os-imx.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-walnascar/imx-6.12.20-2.0.0.xml#L37
 
-SRC_URI = "git://github.com/nxp-imx/imx-optee-os.git;protocol=https;branch=${SRCBRANCH}"
+require optee-os-common-fslc-imx.inc
 
-# The platform flavor corresponds to the Yocto machine without the leading 'i'.
-PLATFORM_FLAVOR                   = "${@d.getVar('MACHINE')[1:]}"
-PLATFORM_FLAVOR:imx6qdlsabresd    = "mx6qsabresd"
-PLATFORM_FLAVOR:imx6qdlsabreauto  = "mx6qsabreauto"
-PLATFORM_FLAVOR:imx6qpdlsolox     = "mx6qsabresd"
-PLATFORM_FLAVOR:mx6ul-nxp-bsp     = "mx6ulevk"
-PLATFORM_FLAVOR:mx6ull-nxp-bsp    = "mx6ullevk"
-PLATFORM_FLAVOR:mx6ulz-nxp-bsp    = "mx6ulzevk"
-PLATFORM_FLAVOR:mx8mq-nxp-bsp     = "mx8mqevk"
-PLATFORM_FLAVOR:mx8mm-nxp-bsp     = "mx8mmevk"
-PLATFORM_FLAVOR:mx8mn-nxp-bsp     = "mx8mnevk"
-PLATFORM_FLAVOR:mx8mnul-nxp-bsp   = "mx8mnevk"
-PLATFORM_FLAVOR:mx8mp-nxp-bsp     = "mx8mpevk"
-PLATFORM_FLAVOR:mx8mpul-nxp-bsp   = "mx8mpevk"
-PLATFORM_FLAVOR:mx8qm-nxp-bsp     = "mx8qmmek"
-PLATFORM_FLAVOR:mx8qxp-nxp-bsp    = "mx8qxpmek"
-PLATFORM_FLAVOR:mx8dx-nxp-bsp     = "mx8dxmek"
-PLATFORM_FLAVOR:mx8dxl-nxp-bsp    = "mx8dxlevk"
-PLATFORM_FLAVOR:mx8ulp-nxp-bsp    = "mx8ulpevk"
-PLATFORM_FLAVOR:mx93-nxp-bsp      = "mx93evk"
+do_compile:arm() {
+    oe_runmake -C ${S} all uTee
+}
 
-COMPATIBLE_MACHINE = "(imx-nxp-bsp)"
+do_install:append () {
+    # Install embedded TAs
+    install -d ${D}${nonarch_base_libdir}/optee_armtz/
+    install -m 444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
+}
+
+do_deploy:append() {
+    cp ${B}/core/tee-raw.bin ${DEPLOYDIR}/${MLPREFIX}optee/tee.${PLATFORM_FLAVOR}.bin
+    ln -sf ${MLPREFIX}optee/tee.${PLATFORM_FLAVOR}.bin ${DEPLOYDIR}/tee.bin
+}
+
+do_deploy:append:arm() {
+    cp ${B}/core/uTee ${DEPLOYDIR}/${MLPREFIX}optee/uTee-${OPTEE_BIN_EXT}
+    ln -sf ${MLPREFIX}optee/uTee-${OPTEE_BIN_EXT} ${DEPLOYDIR}/uTee-${OPTEE_BIN_EXT}
+}
+
+FILES:${PN} += "${nonarch_base_libdir}/optee_armtz"
diff --git a/recipes-security/optee-imx/optee-os-fslc.inc b/recipes-security/optee-imx/optee-os-fslc.inc
index b91a55311..4df1617d1 100644
--- a/recipes-security/optee-imx/optee-os-fslc.inc
+++ b/recipes-security/optee-imx/optee-os-fslc.inc
@@ -1,87 +1,82 @@
-# Copyright (C) 2017-2021 NXP
+# Copied from meta-arm/recipes-security/optee/optee-os.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-walnascar/imx-6.12.20-2.0.0.xml#L30
+
+SUMMARY = "OP-TEE Trusted OS"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Trusted side of the TEE"
+HOMEPAGE = "https://www.op-tee.org/"
 
-SUMMARY = "OPTEE OS"
-DESCRIPTION = "OPTEE OS"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173"
 
+inherit deploy python3native
 require optee-fslc.inc
 
-DEPENDS += "python3-pyelftools-native u-boot-mkimage-native"
+CVE_PRODUCT = "linaro:op-tee op-tee:op-tee_os"
+
+DEPENDS = "python3-pyelftools-native python3-cryptography-native"
+
 DEPENDS:append:toolchain-clang = " compiler-rt"
 
-inherit deploy autotools
+SRC_URI = "git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https"
 
-# Optee-os can be built for 32 bits and 64 bits at the same time
-# as long as the compilers are correctly defined.
-# For 64bits, CROSS_COMPILE64 must be set
-# When defining CROSS_COMPILE and CROSS_COMPILE64, we assure that
-# any 32 or 64 bits builds will pass
-EXTRA_OEMAKE += " \
-    PLATFORM=imx-${PLATFORM_FLAVOR} \
-    CROSS_COMPILE=${HOST_PREFIX} \
-    CROSS_COMPILE64=${HOST_PREFIX} \
-    CFLAGS32=--sysroot=${STAGING_DIR_HOST} \
-    CFLAGS64=--sysroot=${STAGING_DIR_HOST} \
-    CFG_TEE_TA_LOG_LEVEL=0 \
-    CFG_TEE_CORE_LOG_LEVEL=0 \
-"
+B = "${WORKDIR}/build"
 
-EXTRA_OEMAKE:append:imx8mq-lpddr4-wevk = " \
-    CFG_CORE_LARGE_PHYS_ADDR=y \
-    CFG_CORE_ARM64_PA_BITS=36 \
-    CFG_DDR_SIZE=0x100000000 \
-    CFG_TZDRAM_START=0xfe000000 \
+EXTRA_OEMAKE += " \
+    PLATFORM=${OPTEEMACHINE} \
+    CFG_${OPTEE_CORE}_core=y \
+    CROSS_COMPILE_core=${HOST_PREFIX} \
+    CROSS_COMPILE_ta_${OPTEE_ARCH}=${HOST_PREFIX} \
+    AFLAGS="${CFLAGS}" \
+    ta-targets=ta_${OPTEE_ARCH} \
+    O=${B} \
 "
+EXTRA_OEMAKE += " HOST_PREFIX=${HOST_PREFIX}"
+EXTRA_OEMAKE += " CROSS_COMPILE64=${HOST_PREFIX}"
 
 LDFLAGS[unexport] = "1"
 CPPFLAGS[unexport] = "1"
 AS[unexport] = "1"
 LD[unexport] = "1"
 
-do_configure[noexec] = "1"
-
 do_compile:prepend() {
-    PLAT_LIBGCC_PATH=$(${CC} -print-libgcc-file-name)
-}
-
-do_compile:arm () {
-    oe_runmake all uTee
+        PLAT_LIBGCC_PATH=$(${CC} -print-libgcc-file-name)
 }
 
-do_compile:aarch64 () {
-    oe_runmake all
+do_compile() {
+    oe_runmake -C ${S} all
 }
 do_compile[cleandirs] = "${B}"
 
-do_deploy () {
-    install -d ${DEPLOYDIR}
-    cp ${B}/core/tee-raw.bin ${DEPLOYDIR}/tee.${PLATFORM_FLAVOR}.bin
-    ln -sf tee.${PLATFORM_FLAVOR}.bin ${DEPLOYDIR}/tee.bin
-}
+do_install() {
+    #install core in firmware
+    install -d ${D}${nonarch_base_libdir}/firmware/
+    install -m 644 ${B}/core/*.bin ${B}/core/tee.elf ${D}${nonarch_base_libdir}/firmware/
 
-do_deploy:append:arm () {
-    cp ${B}/core/uTee ${DEPLOYDIR}/uTee-${OPTEE_BIN_EXT}
+    #install tas in optee_armtz
+    install -d ${D}${nonarch_base_libdir}/optee_armtz/
+    install -m 444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz
 }
 
-do_install () {
-    install -d ${D}${nonarch_base_libdir}/firmware/
-    install -m 644 ${B}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
+PACKAGE_ARCH = "${MACHINE_ARCH}"
 
-    # Install embedded TAs
-    install -d ${D}${nonarch_base_libdir}/optee_armtz/
-    install -m 444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
+do_deploy() {
+    install -d ${DEPLOYDIR}/${MLPREFIX}optee
+    install -m 644 ${D}${nonarch_base_libdir}/firmware/* ${DEPLOYDIR}/${MLPREFIX}optee
 
-    # Install the TA devkit
-    install -d ${D}${includedir}/optee/export-user_ta_${OPTEE_ARCH}/
-    cp -aR ${B}/export-ta_${OPTEE_ARCH}/* \
-        ${D}${includedir}/optee/export-user_ta_${OPTEE_ARCH}/
+    install -d ${DEPLOYDIR}/${MLPREFIX}optee/ta
+    install -m 644 ${B}/ta/*/*.elf ${DEPLOYDIR}/${MLPREFIX}optee/ta
 }
 
-addtask deploy after do_compile before do_install
+addtask deploy before do_build after do_install
 
-FILES:${PN} = "${nonarch_base_libdir}/firmware/ ${nonarch_base_libdir}/optee_armtz/"
-FILES:${PN}-staticdev = "${includedir}/optee/"
-RDEPENDS:${PN}-dev += "${PN}-staticdev"
+SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
 
-PACKAGE_ARCH = "${MACHINE_ARCH}"
+PACKAGES += "${PN}-ta"
+FILES:${PN} = "${nonarch_base_libdir}/firmware/"
+FILES:${PN}-ta = "${nonarch_base_libdir}/optee_armtz/*"
+
+
+# note: "textrel" is not triggered on all archs
+INSANE_SKIP:${PN} = "textrel"
+INSANE_SKIP:${PN}-dev = "staticdev"
+INHIBIT_PACKAGE_STRIP = "1"
diff --git a/recipes-security/optee-imx/optee-os-tadevkit-fslc-imx.inc b/recipes-security/optee-imx/optee-os-tadevkit-fslc-imx.inc
new file mode 100644
index 000000000..0b02c6908
--- /dev/null
+++ b/recipes-security/optee-imx/optee-os-tadevkit-fslc-imx.inc
@@ -0,0 +1,24 @@
+# Copied from meta-imx/meta-imx-bsp/recipes-security/optee/optee-os-tadevkit-imx.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-walnascar/imx-6.12.20-2.0.0.xml#L37
+
+require optee-os-common-fslc-imx.inc
+
+SUMMARY = "OP-TEE Trusted OS TA devkit"
+DESCRIPTION = "OP-TEE TA devkit for build TAs"
+HOMEPAGE = "https://www.op-tee.org/"
+
+DEPENDS += "python3-pycryptodome-native"
+
+do_install() {
+    #install TA devkit
+    install -d ${D}${includedir}/optee/export-user_ta/
+    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
+        cp -aR $f ${D}${includedir}/optee/export-user_ta/
+    done
+}
+
+do_deploy() {
+        echo "Do not inherit do_deploy from optee-os."
+}
+
+FILES:${PN} = "${includedir}/optee/"
diff --git a/recipes-security/optee-imx/optee-os-tadevkit_4.6.0.imx.bb b/recipes-security/optee-imx/optee-os-tadevkit_4.6.0.imx.bb
new file mode 100644
index 000000000..92bdf00e7
--- /dev/null
+++ b/recipes-security/optee-imx/optee-os-tadevkit_4.6.0.imx.bb
@@ -0,0 +1,4 @@
+require optee-os-tadevkit-fslc-imx.inc
+
+SRCBRANCH = "lf-6.12.20_2.0.0"
+SRCREV = "87964807d80baf1dcfd89cafc66de34a1cf16bf3"
diff --git a/recipes-security/optee-imx/optee-os/0001-core-Define-section-attributes-for-clang.patch b/recipes-security/optee-imx/optee-os/0001-core-Define-section-attributes-for-clang.patch
deleted file mode 100644
index 54fbe5419..000000000
--- a/recipes-security/optee-imx/optee-os/0001-core-Define-section-attributes-for-clang.patch
+++ /dev/null
@@ -1,245 +0,0 @@
-From ef83625c9a5f50610e25aa860c4b9c5e64723a66 Mon Sep 17 00:00:00 2001
-From: Emekcan Aras <emekcan.aras@arm.com>
-Date: Wed, 21 Dec 2022 10:55:58 +0000
-Subject: [PATCH 1/4] core: Define section attributes for clang
-
-Clang's attribute section is not same as gcc, here we need to add flags
-to sections so they can be eventually collected by linker into final
-output segments. Only way to do so with clang is to use
-
-pragma clang section ...
-
-The behavious is described here [1], this allows us to define names bss
-sections. This was not an issue until clang-15 where LLD linker starts
-to detect the section flags before merging them and throws the following
-errors
-
-| ld.lld: error: section type mismatch for .nozi.kdata_page
-| >>> /mnt/b/yoe/master/build/tmp/work/qemuarm64-yoe-linux/optee-os-tadevkit/3.17.0-r0/build/core/arch/arm/kernel/thread.o:(.nozi.kdata_page): SHT_PROGBITS
-| >>> output section .nozi: SHT_NOBITS
-|
-| ld.lld: error: section type mismatch for .nozi.mmu.l2
-| >>> /mnt/b/yoe/master/build/tmp/work/qemuarm64-yoe-linux/optee-os-tadevkit/3.17.0-r0/build/core/arch/arm/mm/core_mmu_lpae.o:(.nozi.mmu.l2): SHT_PROGBITS
-| >>> output section .nozi: SHT_NOBITS
-
-These sections should be carrying SHT_NOBITS but so far it was not
-possible to do so, this patch tries to use clangs pragma to get this
-going and match the functionality with gcc.
-
-[1] https://intel.github.io/llvm-docs/clang/LanguageExtensions.html#specifying-section-names-for-global-objects-pragma-clang-section
-
-Upstream-Status: Pending
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
----
-
- core/arch/arm/kernel/thread.c    | 19 +++++++++++++++--
- core/arch/arm/mm/core_mmu_lpae.c | 35 +++++++++++++++++++++++++++----
- core/arch/arm/mm/core_mmu_v7.c   | 36 +++++++++++++++++++++++++++++---
- core/kernel/thread.c             | 13 +++++++++++-
- core/mm/pgt_cache.c              | 12 ++++++++++-
- 5 files changed, 104 insertions(+), 11 deletions(-)
-
-diff --git a/core/arch/arm/kernel/thread.c b/core/arch/arm/kernel/thread.c
-index 66833b3a0..b3eb9cf9a 100644
---- a/core/arch/arm/kernel/thread.c
-+++ b/core/arch/arm/kernel/thread.c
-@@ -45,15 +45,30 @@ static size_t thread_user_kcode_size __nex_bss;
- #if defined(CFG_CORE_UNMAP_CORE_AT_EL0) && \
-        defined(CFG_CORE_WORKAROUND_SPECTRE_BP_SEC) && defined(ARM64)
- long thread_user_kdata_sp_offset __nex_bss;
-+#ifdef __clang__
-+#ifndef CFG_VIRTUALIZATION
-+#pragma clang section bss=".nozi.kdata_page"
-+#else
-+#pragma clang section bss=".nex_nozi.kdata_page"
-+#endif
-+#endif
- static uint8_t thread_user_kdata_page[
-        ROUNDUP(sizeof(struct thread_core_local) * CFG_TEE_CORE_NB_CORE,
-                SMALL_PAGE_SIZE)]
-        __aligned(SMALL_PAGE_SIZE)
-+#ifndef __clang__
- #ifndef CFG_NS_VIRTUALIZATION
--       __section(".nozi.kdata_page");
-+       __section(".nozi.kdata_page")
- #else
--       __section(".nex_nozi.kdata_page");
-+       __section(".nex_nozi.kdata_page")
- #endif
-+#endif
-+    ;
-+#endif
-+
-+/* reset BSS section to default ( .bss ) */
-+#ifdef __clang__
-+#pragma clang section bss=""
- #endif
- 
- #ifdef ARM32
-diff --git a/core/arch/arm/mm/core_mmu_lpae.c b/core/arch/arm/mm/core_mmu_lpae.c
-index 4c8b85e39..1885e1d3f 100644
---- a/core/arch/arm/mm/core_mmu_lpae.c
-+++ b/core/arch/arm/mm/core_mmu_lpae.c
-@@ -234,19 +234,46 @@ typedef uint16_t l1_idx_t;
- typedef uint64_t base_xlat_tbls_t[CFG_TEE_CORE_NB_CORE][NUM_BASE_LEVEL_ENTRIES];
- typedef uint64_t xlat_tbl_t[XLAT_TABLE_ENTRIES];
- 
-+#ifdef __clang__
-+#pragma clang section bss=".nozi.mmu.base_table"
-+#endif
- static base_xlat_tbls_t base_xlation_table[NUM_BASE_TABLES]
-        __aligned(NUM_BASE_LEVEL_ENTRIES * XLAT_ENTRY_SIZE)
--       __section(".nozi.mmu.base_table");
-+#ifndef __clang__
-+       __section(".nozi.mmu.base_table")
-+#endif
-+;
-+#ifdef __clang__
-+#pragma clang section bss=""
-+#endif
- 
-+#ifdef __clang__
-+#pragma clang section bss=".nozi.mmu.l2"
-+#endif
- static xlat_tbl_t xlat_tables[MAX_XLAT_TABLES]
--       __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2");
-+       __aligned(XLAT_TABLE_SIZE)
-+#ifndef __clang__
-+       __section(".nozi.mmu.l2")
-+#endif
-+;
-+#ifdef __clang__
-+#pragma clang section bss=""
-+#endif
- 
- #define XLAT_TABLES_SIZE       (sizeof(xlat_tbl_t) * MAX_XLAT_TABLES)
- 
-+#ifdef __clang__
-+#pragma clang section bss=".nozi.mmu.l2"
-+#endif
- /* MMU L2 table for TAs, one for each thread */
- static xlat_tbl_t xlat_tables_ul1[CFG_NUM_THREADS]
--       __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2");
--
-+#ifndef __clang__
-+       __aligned(XLAT_TABLE_SIZE) __section(".nozi.mmu.l2")
-+#endif
-+;
-+#ifdef __clang__
-+#pragma clang section bss=""
-+#endif
- /*
-  * TAs page table entry inside a level 1 page table.
-  *
-diff --git a/core/arch/arm/mm/core_mmu_v7.c b/core/arch/arm/mm/core_mmu_v7.c
-index 61e703da8..1960c08ca 100644
---- a/core/arch/arm/mm/core_mmu_v7.c
-+++ b/core/arch/arm/mm/core_mmu_v7.c
-@@ -204,16 +204,46 @@ typedef uint32_t l1_xlat_tbl_t[NUM_L1_ENTRIES];
- typedef uint32_t l2_xlat_tbl_t[NUM_L2_ENTRIES];
- typedef uint32_t ul1_xlat_tbl_t[NUM_UL1_ENTRIES];
- 
-+#ifdef __clang__
-+#pragma clang section bss=".nozi.mmu.l1"
-+#endif
- static l1_xlat_tbl_t main_mmu_l1_ttb
--               __aligned(L1_ALIGNMENT) __section(".nozi.mmu.l1");
-+               __aligned(L1_ALIGNMENT)
-+#ifndef __clang__
-+       __section(".nozi.mmu.l1")
-+#endif
-+;
-+#ifdef __clang__
-+#pragma clang section bss=""
-+#endif
- 
- /* L2 MMU tables */
-+#ifdef __clang__
-+#pragma clang section bss=".nozi.mmu.l2"
-+#endif
- static l2_xlat_tbl_t main_mmu_l2_ttb[MAX_XLAT_TABLES]
--               __aligned(L2_ALIGNMENT) __section(".nozi.mmu.l2");
-+               __aligned(L2_ALIGNMENT)
-+#ifndef __clang__
-+       __section(".nozi.mmu.l2")
-+#endif
-+;
-+#ifdef __clang__
-+#pragma clang section bss=""
-+#endif
- 
- /* MMU L1 table for TAs, one for each thread */
-+#ifdef __clang__
-+#pragma clang section bss=".nozi.mmu.ul1"
-+#endif
- static ul1_xlat_tbl_t main_mmu_ul1_ttb[CFG_NUM_THREADS]
--               __aligned(UL1_ALIGNMENT) __section(".nozi.mmu.ul1");
-+               __aligned(UL1_ALIGNMENT)
-+#ifndef __clang__
-+       __section(".nozi.mmu.ul1")
-+#endif
-+;
-+#ifdef __clang__
-+#pragma clang section bss=""
-+#endif
- 
- struct mmu_partition {
-        l1_xlat_tbl_t *l1_table;
-diff --git a/core/kernel/thread.c b/core/kernel/thread.c
-index 2a1f22dce..5516b6771 100644
---- a/core/kernel/thread.c
-+++ b/core/kernel/thread.c
-@@ -39,13 +39,24 @@ static uint32_t end_canary_value = 0xababab00;
-        name[stack_num][sizeof(name[stack_num]) / sizeof(uint32_t) - 1]
- #endif
- 
-+#define DO_PRAGMA(x) _Pragma (#x)
-+
-+#ifdef __clang__
-+#define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
-+DO_PRAGMA (clang section bss=".nozi_stack." #name) \
-+linkage uint32_t name[num_stacks] \
-+               [ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
-+                        STACK_ALIGNMENT) / sizeof(uint32_t)] \
-+               __attribute__((aligned(STACK_ALIGNMENT))); \
-+DO_PRAGMA(clang section bss="")
-+#else
- #define DECLARE_STACK(name, num_stacks, stack_size, linkage) \
- linkage uint32_t name[num_stacks] \
-                [ROUNDUP(stack_size + STACK_CANARY_SIZE + STACK_CHECK_EXTRA, \
-                         STACK_ALIGNMENT) / sizeof(uint32_t)] \
-                __attribute__((section(".nozi_stack." # name), \
-                               aligned(STACK_ALIGNMENT)))
--
-+#endif
- #define GET_STACK(stack) ((vaddr_t)(stack) + STACK_SIZE(stack))
- 
- DECLARE_STACK(stack_tmp, CFG_TEE_CORE_NB_CORE, STACK_TMP_SIZE,
-diff --git a/core/mm/pgt_cache.c b/core/mm/pgt_cache.c
-index 79553c6d2..b9efdf427 100644
---- a/core/mm/pgt_cache.c
-+++ b/core/mm/pgt_cache.c
-@@ -410,8 +410,18 @@ void pgt_init(void)
-         * has a large alignment, while .bss has a small alignment. The current
-         * link script is optimized for small alignment in .bss
-         */
-+#ifdef __clang__
-+#pragma clang section bss=".nozi.mmu.l2"
-+#endif
-        static uint8_t pgt_tables[PGT_CACHE_SIZE][PGT_SIZE]
--                       __aligned(PGT_SIZE) __section(".nozi.pgt_cache");
-+                       __aligned(PGT_SIZE)
-+#ifndef __clang__
-+                       __section(".nozi.pgt_cache")
-+#endif
-+                       ;
-+#ifdef __clang__
-+#pragma clang section bss=""
-+#endif
-        size_t n;
- 
-        for (n = 0; n < ARRAY_SIZE(pgt_tables); n++) {
--- 
-2.43.2
-
diff --git a/recipes-security/optee-imx/optee-os/0003-arm32-libutils-libutee-ta-add-.note.GNU-stack-sectio.patch b/recipes-security/optee-imx/optee-os/0003-arm32-libutils-libutee-ta-add-.note.GNU-stack-sectio.patch
deleted file mode 100644
index 1c5753c7f..000000000
--- a/recipes-security/optee-imx/optee-os/0003-arm32-libutils-libutee-ta-add-.note.GNU-stack-sectio.patch
+++ /dev/null
@@ -1,133 +0,0 @@
-From 6f738803a59613ec4a683ddbc1747ebffd75a4e6 Mon Sep 17 00:00:00 2001
-From: Jerome Forissier <jerome.forissier@linaro.org>
-Date: Tue, 23 Aug 2022 12:31:46 +0000
-Subject: [PATCH 3/4] arm32: libutils, libutee, ta: add .note.GNU-stack section
- to
-
- .S files
-
-When building for arm32 with GNU binutils 2.39, the linker outputs
-warnings when linking Trusted Applications:
-
- arm-unknown-linux-uclibcgnueabihf-ld.bfd: warning: utee_syscalls_a32.o: missing .note.GNU-stack section implies executable stack
- arm-unknown-linux-uclibcgnueabihf-ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
-
-We could silence the warning by adding the '-z execstack' option to the
-TA link flags, like we did in the parent commit for the TEE core and
-ldelf. Indeed, ldelf always allocates a non-executable piece of memory
-for the TA to use as a stack.
-
-However it seems preferable to comply with the common ELF practices in
-this case. A better fix is therefore to add the missing .note.GNU-stack
-sections in the assembler files.
-
-Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
-
-Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
-Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5499]
-Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
----
-
- lib/libutee/arch/arm/utee_syscalls_a32.S             | 2 ++
- lib/libutils/ext/arch/arm/atomic_a32.S               | 2 ++
- lib/libutils/ext/arch/arm/mcount_a32.S               | 2 ++
- lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S  | 2 ++
- lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S | 2 ++
- lib/libutils/isoc/arch/arm/setjmp_a32.S              | 2 ++
- ta/arch/arm/ta_entry_a32.S                           | 2 ++
- 7 files changed, 14 insertions(+)
-
-diff --git a/lib/libutee/arch/arm/utee_syscalls_a32.S b/lib/libutee/arch/arm/utee_syscalls_a32.S
-index 2dea83ab8..668b65a86 100644
---- a/lib/libutee/arch/arm/utee_syscalls_a32.S
-+++ b/lib/libutee/arch/arm/utee_syscalls_a32.S
-@@ -9,6 +9,8 @@
- 
-        .section .note.GNU-stack,"",%progbits
- 
-+       .section .note.GNU-stack,"",%progbits
-+
-         .section .text
-         .balign 4
-         .code 32
-diff --git a/lib/libutils/ext/arch/arm/atomic_a32.S b/lib/libutils/ext/arch/arm/atomic_a32.S
-index 2be73ffad..87ddf1065 100644
---- a/lib/libutils/ext/arch/arm/atomic_a32.S
-+++ b/lib/libutils/ext/arch/arm/atomic_a32.S
-@@ -7,6 +7,8 @@
- 
-        .section .note.GNU-stack,"",%progbits
- 
-+       .section .note.GNU-stack,"",%progbits
-+
- /* uint32_t atomic_inc32(uint32_t *v); */
- FUNC atomic_inc32 , :
-        ldrex   r1, [r0]
-diff --git a/lib/libutils/ext/arch/arm/mcount_a32.S b/lib/libutils/ext/arch/arm/mcount_a32.S
-index 54dc3c02d..2f24632b8 100644
---- a/lib/libutils/ext/arch/arm/mcount_a32.S
-+++ b/lib/libutils/ext/arch/arm/mcount_a32.S
-@@ -9,6 +9,8 @@
- 
-        .section .note.GNU-stack,"",%progbits
- 
-+       .section .note.GNU-stack,"",%progbits
-+
- /*
-  * Convert return address to call site address by subtracting the size of the
-  * mcount call instruction (blx __gnu_mcount_nc).
-diff --git a/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S b/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S
-index 37ae9ec6f..bc6c48b1a 100644
---- a/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S
-+++ b/lib/libutils/isoc/arch/arm/arm32_aeabi_divmod_a32.S
-@@ -7,6 +7,8 @@
- 
-        .section .note.GNU-stack,"",%progbits
- 
-+       .section .note.GNU-stack,"",%progbits
-+
- /*
-  * signed ret_idivmod_values(signed quot, signed rem);
-  * return quotient and remaining the EABI way (regs r0,r1)
-diff --git a/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S b/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S
-index 5c3353e2c..9fb5e0283 100644
---- a/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S
-+++ b/lib/libutils/isoc/arch/arm/arm32_aeabi_ldivmod_a32.S
-@@ -7,6 +7,8 @@
- 
-        .section .note.GNU-stack,"",%progbits
- 
-+       .section .note.GNU-stack,"",%progbits
-+
- /*
-  * __value_in_regs lldiv_t __aeabi_ldivmod( long long n, long long d)
-  */
-diff --git a/lib/libutils/isoc/arch/arm/setjmp_a32.S b/lib/libutils/isoc/arch/arm/setjmp_a32.S
-index f8a0b70df..37d7cb88e 100644
---- a/lib/libutils/isoc/arch/arm/setjmp_a32.S
-+++ b/lib/libutils/isoc/arch/arm/setjmp_a32.S
-@@ -53,6 +53,8 @@
- 
-        .section .note.GNU-stack,"",%progbits
- 
-+       .section .note.GNU-stack,"",%progbits
-+
- /* Arm/Thumb interworking support:
- 
-    The interworking scheme expects functions to use a BX instruction
-diff --git a/ta/arch/arm/ta_entry_a32.S b/ta/arch/arm/ta_entry_a32.S
-index cd9a12f9d..ccdc19928 100644
---- a/ta/arch/arm/ta_entry_a32.S
-+++ b/ta/arch/arm/ta_entry_a32.S
-@@ -7,6 +7,8 @@
- 
-        .section .note.GNU-stack,"",%progbits
- 
-+       .section .note.GNU-stack,"",%progbits
-+
- /*
-  * This function is the bottom of the user call stack. Mark it as such so that
-  * the unwinding code won't try to go further down.
--- 
-2.43.2
-
diff --git a/recipes-security/optee-imx/optee-os/0004-core-link-add-no-warn-rwx-segments.patch b/recipes-security/optee-imx/optee-os/0004-core-link-add-no-warn-rwx-segments.patch
deleted file mode 100644
index f32b2284f..000000000
--- a/recipes-security/optee-imx/optee-os/0004-core-link-add-no-warn-rwx-segments.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From a63f82f74e015eb662242cdb51ef814e3f576829 Mon Sep 17 00:00:00 2001
-From: Jerome Forissier <jerome.forissier@linaro.org>
-Date: Fri, 5 Aug 2022 09:48:03 +0200
-Subject: [PATCH 4/4] core: link: add --no-warn-rwx-segments
-
-Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
-Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/pull/5474]
-
-binutils ld.bfd generates one RWX LOAD segment by merging several sections
-with mixed R/W/X attributes (.text, .rodata, .data). After version 2.38 it
-also warns by default when that happens [1], which breaks the build due to
---fatal-warnings. The RWX segment is not a problem for the TEE core, since
-that information is not used to set memory permissions. Therefore, silence
-the warning.
-
-Link: [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
-Link: https://sourceware.org/bugzilla/show_bug.cgi?id=29448
-Reported-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
-Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
-Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
-Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
----
-
- core/arch/arm/kernel/link.mk | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/core/arch/arm/kernel/link.mk b/core/arch/arm/kernel/link.mk
-index 49e9f4fa1..9e1cc172f 100644
---- a/core/arch/arm/kernel/link.mk
-+++ b/core/arch/arm/kernel/link.mk
-@@ -37,6 +37,7 @@ link-ldflags += --sort-section=alignment
- link-ldflags += --fatal-warnings
- link-ldflags += --gc-sections
- link-ldflags += $(link-ldflags-common)
-+link-ldflags += $(call ld-option,--no-warn-rwx-segments)
- 
- link-ldadd  = $(LDADD)
- link-ldadd += $(ldflags-external)
-@@ -61,6 +62,7 @@ link-script-cppflags := \
-                $(cppflagscore))
- 
- ldargs-all_objs := -T $(link-script-dummy) --no-check-sections \
-+                  $(call ld-option,--no-warn-rwx-segments) \
-                   $(link-ldflags-common) \
-                   $(link-objs) $(link-ldadd) $(libgcccore)
- cleanfiles += $(link-out-dir)/all_objs.o
-@@ -75,7 +77,7 @@ $(link-out-dir)/unpaged_entries.txt: $(link-out-dir)/all_objs.o
-                $(AWK) '/ ____keep_pager/ { printf "-u%s ", $$3 }' > $@
- 
- unpaged-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
--                $(link-ldflags-common)
-+                $(link-ldflags-common) $(call ld-option,--no-warn-rwx-segments)
- unpaged-ldadd := $(objs) $(link-ldadd) $(libgcccore)
- cleanfiles += $(link-out-dir)/unpaged.o
- $(link-out-dir)/unpaged.o: $(link-out-dir)/unpaged_entries.txt
-@@ -104,7 +106,7 @@ $(link-out-dir)/init_entries.txt: $(link-out-dir)/all_objs.o
-                $(AWK) '/ ____keep_init/ { printf "-u%s ", $$3 }' > $@
- 
- init-ldargs := -T $(link-script-dummy) --no-check-sections --gc-sections \
--              $(link-ldflags-common)
-+              $(link-ldflags-common) $(call ld-option,--no-warn-rwx-segments)
- init-ldadd := $(link-objs-init) $(link-out-dir)/version.o  $(link-ldadd) \
-              $(libgcccore)
- cleanfiles += $(link-out-dir)/init.o
--- 
-2.43.2
-
diff --git a/recipes-security/optee-imx/optee-os/0002-optee-enable-clang-support.patch b/recipes-security/optee-imx/optee-os/0007-allow-setting-sysroot-for-clang.patch
index dbc53542e..067ba6ebf 100644
--- a/recipes-security/optee-imx/optee-os/0002-optee-enable-clang-support.patch
+++ b/recipes-security/optee-imx/optee-os/0007-allow-setting-sysroot-for-clang.patch
@@ -1,7 +1,7 @@
-From 2ba573c9763329fbfdfacc8393d565ab747cac4d Mon Sep 17 00:00:00 2001
+From db9e44af75c7cfd3316cab15aaa387383df3e57e Mon Sep 17 00:00:00 2001
 From: Brett Warren <brett.warren@arm.com>
 Date: Wed, 23 Sep 2020 09:27:34 +0100
-Subject: [PATCH 2/4] optee: enable clang support
+Subject: [PATCH] optee: enable clang support
 
 When compiling with clang, the LIBGCC_LOCATE_CFLAG variable used
 to provide a sysroot wasn't included, which results in not locating
@@ -10,17 +10,16 @@ compiler-rt. This is mitigated by including the variable as ammended.
 Upstream-Status: Pending
 ChangeId: 8ba69a4b2eb8ebaa047cb266c9aa6c2c3da45701
 Signed-off-by: Brett Warren <brett.warren@arm.com>
-Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
----
 
+---
  mk/clang.mk | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/mk/clang.mk b/mk/clang.mk
-index a045beee8..1ebe2f702 100644
+index c141a3f2..7d067cc0 100644
 --- a/mk/clang.mk
 +++ b/mk/clang.mk
-@@ -30,7 +30,7 @@ comp-cflags-warns-clang := -Wno-language-extension-token \
+@@ -27,7 +27,7 @@ comp-cflags-warns-clang := -Wno-language-extension-token \
  
  # Note, use the compiler runtime library (libclang_rt.builtins.*.a) instead of
  # libgcc for clang
@@ -29,6 +28,3 @@ index a045beee8..1ebe2f702 100644
                         -rtlib=compiler-rt -print-libgcc-file-name 2> /dev/null)
  
  # Core ASLR relies on the executable being ready to run from its preferred load
--- 
-2.43.2
-
diff --git a/recipes-security/optee-imx/optee-os_4.0.0.imx.bb b/recipes-security/optee-imx/optee-os_4.0.0.imx.bb
deleted file mode 100644
index ad6c6b406..000000000
--- a/recipes-security/optee-imx/optee-os_4.0.0.imx.bb
+++ /dev/null
@@ -1,12 +0,0 @@
-# Copyright (C) 2017-2021 NXP
-
-require optee-os-fslc-imx.inc
-
-SRC_URI += " \
-    file://0001-core-Define-section-attributes-for-clang.patch \
-    file://0002-optee-enable-clang-support.patch \
-    file://0003-arm32-libutils-libutee-ta-add-.note.GNU-stack-sectio.patch \
-    file://0004-core-link-add-no-warn-rwx-segments.patch \
-"
-SRCBRANCH = "lf-6.6.3_1.0.0"
-SRCREV = "e0a3e77735941e6057a1994a576b83a93ea0bdb9"
diff --git a/recipes-security/optee-imx/optee-os_4.6.0.imx.bb b/recipes-security/optee-imx/optee-os_4.6.0.imx.bb
new file mode 100644
index 000000000..ed2557bcb
--- /dev/null
+++ b/recipes-security/optee-imx/optee-os_4.6.0.imx.bb
@@ -0,0 +1,6 @@
+# Copyright 2017-2024 NXP
+
+require optee-os-fslc-imx.inc
+
+SRCBRANCH = "lf-6.12.20_2.0.0"
+SRCREV = "87964807d80baf1dcfd89cafc66de34a1cf16bf3"
diff --git a/recipes-security/optee-imx/optee-test-fslc-imx.inc b/recipes-security/optee-imx/optee-test-fslc-imx.inc
new file mode 100644
index 000000000..b4bb6031b
--- /dev/null
+++ b/recipes-security/optee-imx/optee-test-fslc-imx.inc
@@ -0,0 +1,18 @@
+# Copied from meta-imx/meta-imx-bsp/recipes-security/optee/optee-test-imx.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-walnascar/imx-6.12.20-2.0.0.xml#L37
+require optee-test-fslc.inc
+
+DEPENDS += "openssl"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-test:"
+
+SRC_URI:remove = "git://github.com/OP-TEE/optee_test.git;branch=master;protocol=https"
+SRC_URI:prepend = "${OPTEE_TEST_SRC};branch=${SRCBRANCH} "
+
+OPTEE_TEST_SRC ?= "git://github.com/nxp-imx/imx-optee-test.git;protocol=https"
+
+EXTRA_OEMAKE:append:libc-musl = " OPTEE_OPENSSL_EXPORT=${STAGING_INCDIR}"
+CFLAGS:append:libc-musl = " -Wno-error=deprecated-declarations"
+CFLAGS += " -Wno-error=unterminated-string-initialization"
+
+COMPATIBLE_MACHINE = "(imx-nxp-bsp)"
diff --git a/recipes-security/optee-imx/optee-test-fslc.inc b/recipes-security/optee-imx/optee-test-fslc.inc
index e0c133a7c..46d57ac41 100644
--- a/recipes-security/optee-imx/optee-test-fslc.inc
+++ b/recipes-security/optee-imx/optee-test-fslc.inc
@@ -1,38 +1,63 @@
-# Copyright (C) 2017-2021 NXP
+# Copied from meta-arm/recipes-security/optee/optee-test.inc.
+# See:https://github.com/nxp-imx/imx-manifest/blob/imx-linux-walnascar/imx-6.12.20-2.0.0.xml#L30
+
+SUMMARY = "OP-TEE sanity testsuite"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Test suite"
+HOMEPAGE = "https://www.op-tee.org/"
 
-SUMMARY = "OPTEE test"
 LICENSE = "BSD-2-Clause & GPL-2.0-only"
-LIC_FILES_CHKSUM = "file://LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa"
 
+inherit python3native ptest
+inherit deploy
 require optee-fslc.inc
 
-DEPENDS += "optee-os optee-client openssl"
+DEPENDS = "optee-client optee-os-tadevkit python3-cryptography-native openssl"
+
+SRC_URI = "git://github.com/OP-TEE/optee_test.git;branch=master;protocol=https \
+           file://run-ptest \
+          "
+
+B = "${WORKDIR}/build"
+
+EXTRA_OEMAKE += "TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+                 OPTEE_OPENSSL_EXPORT=${STAGING_INCDIR} \
+                 CROSS_COMPILE_HOST=${HOST_PREFIX} \
+                 CROSS_COMPILE_TA=${HOST_PREFIX} \
+                 O=${B} \
+               "
 
-EXTRA_OEMAKE += " \
-    TA_DEV_KIT_DIR=${STAGING_INCDIR}/optee/export-user_ta_${OPTEE_ARCH}/ \
-    CROSS_COMPILE_HOST=${HOST_PREFIX} \
-    CROSS_COMPILE_TA=${HOST_PREFIX} \
-    CROSS_COMPILE=${HOST_PREFIX} \
-"
+CFLAGS += "-Wno-error=deprecated-declarations"
 
 do_compile() {
-    oe_runmake all
+    cd ${S}
+    # Top level makefile doesn't seem to handle parallel make gracefully
+    oe_runmake xtest
+    oe_runmake ta
+    oe_runmake test_plugin
 }
 do_compile[cleandirs] = "${B}"
 
 do_install () {
-        install -d ${D}${bindir}
-        install ${B}/xtest/xtest ${D}${bindir}
-
-        install -d ${D}${nonarch_base_libdir}/optee_armtz
-        find ${B}/ta -name '*.ta' | while read name; do
-                install -m 444 $name ${D}${nonarch_base_libdir}/optee_armtz/
-        done
+    install -D -p -m0755 ${B}/xtest/xtest ${D}${bindir}/xtest
+
+    # install path should match the value set in optee-client/tee-supplicant
+    # default TEEC_LOAD_PATH is /lib
+    mkdir -p ${D}${nonarch_base_libdir}/optee_armtz/
+    install -D -p -m0444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
+    mkdir -p ${D}${libdir}/tee-supplicant/plugins
+    install -D -p -m0444 ${B}/supp_plugin/*.plugin ${D}${libdir}/tee-supplicant/plugins/
+}
 
-        install -d ${D}${libdir}/tee-supplicant/plugins/
-        install ${B}/supp_plugin/*plugin ${D}${libdir}/tee-supplicant/plugins/
+do_deploy () {
+    install -d ${DEPLOYDIR}/${MLPREFIX}optee/ta
+    install -m 644 ${B}/ta/*/*.elf ${DEPLOYDIR}/${MLPREFIX}optee/ta
 }
 
-FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/ ${libdir}/tee-supplicant/plugins/"
+addtask deploy before do_build after do_install
+
+FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/ \
+                ${libdir}/tee-supplicant/plugins/ \
+               "
 
-RDEPENDS:${PN} = "optee-os"
+# Imports machine specific configs from staging to build
+PACKAGE_ARCH = "${MACHINE_ARCH}"
diff --git a/recipes-security/optee-imx/optee-test/run-ptest b/recipes-security/optee-imx/optee-test/run-ptest
new file mode 100644
index 000000000..ba88c14d3
--- /dev/null
+++ b/recipes-security/optee-imx/optee-test/run-ptest
@@ -0,0 +1,52 @@
+#!/bin/sh
+xtest | awk '
+
+    # Escapes the special characters in a string so that, when
+    # included in a regex, it represents a literal match
+    function regx_escape_literal(str,    ret) {
+        ret = str
+        gsub(/[\[\]\^\$\.\*\?\+\{\}\\\(\)\|]/ , "\\\\&", str)
+        return str
+    }
+
+    # Returns the simple test formatted name
+    function name(n,    ret) {
+        ret = n
+        gsub(/\./, " ", ret)
+        return ret
+    }
+
+    # Returns the simple test formatted result
+    function result(res) {
+        if(res ~ /OK/) {
+            return "PASS"
+        } else if(res ~ /FAILED/) {
+            return "FAIL"
+        }
+    }
+
+    function parse(name, description,     has_subtests, result_line) {
+        has_subtests = 0
+
+        # Consume every line up to the result line
+        result_line = "  " regx_escape_literal(name) " (OK|FAILED)"
+        do {
+            getline
+
+            # If this is a subtest (denoted by an "o" bullet) then subparse
+            if($0 ~ /^o /) {
+                parse($2, description " : " substr($0, index($0, $3)))
+                has_subtests = 1
+            }
+        } while ($0 !~ result_line)
+
+        # Only print the results for the deepest nested subtests
+        if(!has_subtests) {
+            print result($2) ": " name(name) " - " description
+        }
+    }
+
+    # Start parsing at the beginning of every test (denoted by a "*" bullet)
+    /^\* / { parse($2, substr($0, index($0, $3))) }
+
+'
diff --git a/recipes-security/optee-imx/optee-test_4.0.0.imx.bb b/recipes-security/optee-imx/optee-test_4.0.0.imx.bb
deleted file mode 100644
index 1717a713f..000000000
--- a/recipes-security/optee-imx/optee-test_4.0.0.imx.bb
+++ /dev/null
@@ -1,10 +0,0 @@
-# Copyright (C) 2017-2021 NXP
-
-require optee-test-fslc.inc
-
-SRC_URI = "git://github.com/nxp-imx/imx-optee-test.git;protocol=https;branch=${SRCBRANCH}"
-
-SRCBRANCH = "lf-6.6.3_1.0.0"
-SRCREV = "95c49d950f50fa774e4530d19a967079b3b61279"
-
-COMPATIBLE_MACHINE = "(imx-nxp-bsp)"
diff --git a/recipes-security/optee-imx/optee-test_4.6.0.imx.bb b/recipes-security/optee-imx/optee-test_4.6.0.imx.bb
new file mode 100644
index 000000000..78e933486
--- /dev/null
+++ b/recipes-security/optee-imx/optee-test_4.6.0.imx.bb
@@ -0,0 +1,13 @@
+# Copyright 2017-2024 NXP
+
+require optee-test-fslc-imx.inc
+
+# The BSD and GPL license files are now included in the source
+# https://github.com/OP-TEE/optee_test/commit/a748f5fcd9ec8a574dc86a5aa56d05bc6ac174e7
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560 \
+                    file://LICENSE-BSD;md5=dca16d6efa93b55d0fd662ae5cd6feeb \
+                    file://LICENSE-GPL;md5=10e86b5d2a6cb0e2b9dcfdd26a9ac58d"
+
+
+SRCBRANCH = "lf-6.12.20_2.0.0"
+SRCREV = "010f088f05b5ebf392c6e235d6e53d391755722f" 
diff --git a/recipes-security/optee-qoriq/optee-client-qoriq_3.13.0.bb b/recipes-security/optee-qoriq/optee-client-qoriq_3.13.0.bb
deleted file mode 100644
index 94123e435..000000000
--- a/recipes-security/optee-qoriq/optee-client-qoriq_3.13.0.bb
+++ /dev/null
@@ -1,5 +0,0 @@
-require optee-client.nxp.inc
-
-PV:append = "+git${SRCPV}"
-
-COMPATIBLE_MACHINE = "(qoriq-arm64)"
diff --git a/recipes-security/optee-qoriq/optee-client-qoriq_4.6.0.bb b/recipes-security/optee-qoriq/optee-client-qoriq_4.6.0.bb
new file mode 100644
index 000000000..4b61f7c04
--- /dev/null
+++ b/recipes-security/optee-qoriq/optee-client-qoriq_4.6.0.bb
@@ -0,0 +1,4 @@
+require optee-client.nxp.inc
+
+OPTEE_CLIENT_BRANCH = "lf-6.12.20_2.0.0"
+SRCREV = "02e7f9213b0d7db9c35ebf1e41e733fc9c5a3f75"
diff --git a/recipes-security/optee-qoriq/optee-client.nxp.inc b/recipes-security/optee-qoriq/optee-client.nxp.inc
index a7d34497e..590540cd8 100644
--- a/recipes-security/optee-qoriq/optee-client.nxp.inc
+++ b/recipes-security/optee-qoriq/optee-client.nxp.inc
@@ -1,53 +1,22 @@
-# Copyright 2020-2021 NXP
+# Copyright 2020-2021,2025 NXP
 
-SUMMARY = "OPTEE Client libs"
-HOMEPAGE = "http://www.optee.org/"
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b"
+require recipes-security/optee-imx/optee-client-fslc.inc
 
-inherit python3native systemd
+# The patch same as imx-optee, so point FILESEXTRAPATHS to optee-imx/optee-client,
+# avoid duplicate copy files to optee-qoriq
+FILESEXTRAPATHS:prepend := "${THISDIR}/../optee-imx/optee-client:"
 
-SRC_URI = "git://github.com/nxp-qoriq/optee_client.git;protocol=https;nobranch=1"
-SRCREV = "7c9c423d00e96bf51debd5fe10fd70dce83be5cc"
+DEPENDS = "util-linux-libuuid"
 
-FILESEXTRAPATHS:prepend := "${THISDIR}/optee-client:"
-SRC_URI += "file://tee-supplicant.service"
+SRC_URI:remove = "git://github.com/OP-TEE/optee_client.git;branch=master;protocol=https"
+SRC_URI:prepend = "${OPTEE_CLIENT_SRC};branch=${OPTEE_CLIENT_BRANCH} "
 
-S = "${WORKDIR}/git"
-B = "${WORKDIR}/build"
+OPTEE_CLIENT_SRC ?= "git://github.com/nxp-qoriq/optee_client.git;protocol=https"
 
-OPTEE_ARCH ?= "arm32"
-OPTEE_ARCH:armv7a = "arm32"
-OPTEE_ARCH:aarch64 = "arm64"
+inherit pkgconfig
 
-EXTRA_OEMAKE = "ARCH=${OPTEE_ARCH} O=${B}"
-
-do_install () {
-        oe_runmake -C ${S} install
-
-        install -d ${D}${libdir}/
-        install -p -m0644 ${B}/export${libdir}/libteec.so.1.0.0 ${D}${libdir}/
-        ln -sf libteec.so.1.0.0 ${D}${libdir}/libteec.so.1.0
-        ln -sf libteec.so.1.0.0 ${D}${libdir}/libteec.so.1
-        ln -sf libteec.so.1 ${D}${libdir}/libteec.so
-
-        install -D -p -m0644 ${B}/export/usr/lib/libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0.1.0
-        ln -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0.1
-        ln -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0
-        ln -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so
-
-        install -D -p -m0755 ${B}/export/usr/sbin/tee-supplicant ${D}${bindir}/tee-supplicant
-
-        cp -a ${B}/export/usr/include ${D}${includedir}
-
-        install -d ${D}${systemd_system_unitdir}/
-        install -m0644 ${WORKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/
-        sed -i -e s:/etc:${sysconfdir}:g -e s:/usr/bin:${bindir}:g ${D}${systemd_system_unitdir}/tee-supplicant.service
+do_install:append () {
+    if ! ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+        rm -rf ${D}${libdir}/systemd
+    fi
 }
-
-SYSTEMD_SERVICE:${PN} = "tee-supplicant.service"
-
-FILES:${PN} += "${libdir}/* ${includedir}/*"
-
-INSANE_SKIP:${PN} = "ldflags dev-elf"
-INSANE_SKIP:${PN}-dev = "ldflags dev-elf"
diff --git a/recipes-security/optee-qoriq/optee-client/tee-supplicant.service b/recipes-security/optee-qoriq/optee-client/tee-supplicant.service
deleted file mode 100644
index 0e2b4f6ba..000000000
--- a/recipes-security/optee-qoriq/optee-client/tee-supplicant.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=TEE Supplicant
-
-[Service]
-User=root
-EnvironmentFile=-/etc/default/tee-supplicant
-ExecStart=/usr/bin/tee-supplicant $OPTARGS
-
-[Install]
-WantedBy=basic.target
-
diff --git a/recipes-security/optee-qoriq/optee-os-qoriq-tadevkit_4.6.0.bb b/recipes-security/optee-qoriq/optee-os-qoriq-tadevkit_4.6.0.bb
new file mode 100644
index 000000000..e7847b81e
--- /dev/null
+++ b/recipes-security/optee-qoriq/optee-os-qoriq-tadevkit_4.6.0.bb
@@ -0,0 +1,24 @@
+require optee-os.nxp.inc
+
+SUMMARY = "OP-TEE Trusted OS TA devkit"
+DESCRIPTION = "OP-TEE TA devkit for build TAs"
+HOMEPAGE = "https://www.op-tee.org/"
+
+DEPENDS += "python3-pycryptodome-native"
+
+OPTEE_OS_BRANCH = "lf-6.12.20_2.0.0"
+SRCREV = "87964807d80baf1dcfd89cafc66de34a1cf16bf3"
+
+do_install() {
+    #install TA devkit
+    install -d ${D}${includedir}/optee/export-user_ta/
+    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
+        cp -aR $f ${D}${includedir}/optee/export-user_ta/
+    done
+}
+
+do_deploy() {
+        echo "Do not inherit do_deploy from optee-os."
+}
+
+FILES:${PN} = "${includedir}/optee/"
diff --git a/recipes-security/optee-qoriq/optee-os-qoriq_3.13.0.bb b/recipes-security/optee-qoriq/optee-os-qoriq_3.13.0.bb
deleted file mode 100644
index 3c3652d3d..000000000
--- a/recipes-security/optee-qoriq/optee-os-qoriq_3.13.0.bb
+++ /dev/null
@@ -1,28 +0,0 @@
-require optee-os.nxp.inc
-
-PV:append = "+git${SRCPV}"
-
-PLATFORM_FLAVOR:ls1088ardb-pb   = "ls1088ardb"
-PLATFORM_FLAVOR:ls1046afrwy     = "ls1046ardb"
-PLATFORM_FLAVOR:lx2162aqds      = "lx2160aqds"
-
-EXTRA_OEMAKE += " \
-    PLATFORM=ls \
-    CFG_ARM64_core=y \
-"
-
-do_compile:append:ls1012afrwy() {
-    mv ${B}/core/tee-raw.bin  ${B}/core/tee_512mb.bin
-    oe_runmake CFG_DRAM0_SIZE=0x40000000 all
-}
-
-do_install:append:qoriq() {
-    install -m 644 ${B}/core/tee-raw.bin ${D}${nonarch_base_libdir}/firmware/tee_${MACHINE}.bin
-}
-
-do_install:append:ls1012afrwy() {
-    install -m 644 ${B}/core/tee_512mb.bin ${D}${nonarch_base_libdir}/firmware/tee_${MACHINE}_512mb.bin
-}
-
-INHIBIT_PACKAGE_STRIP = "1"
-COMPATIBLE_MACHINE = "(qoriq-arm64)"
diff --git a/recipes-security/optee-qoriq/optee-os-qoriq_4.6.0.bb b/recipes-security/optee-qoriq/optee-os-qoriq_4.6.0.bb
new file mode 100644
index 000000000..cd568b3dc
--- /dev/null
+++ b/recipes-security/optee-qoriq/optee-os-qoriq_4.6.0.bb
@@ -0,0 +1,21 @@
+require optee-os.nxp.inc
+
+OPTEE_OS_BRANCH = "lf-6.12.20_2.0.0"
+SRCREV = "87964807d80baf1dcfd89cafc66de34a1cf16bf3"
+
+do_install:append () {
+        install -d ${D}${nonarch_base_libdir}/firmware/
+        install -m 644 ${B}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
+        install -m 644 ${B}/core/tee-raw.bin ${D}${nonarch_base_libdir}/firmware/tee_${MACHINE}.bin
+
+        # Install embedded TAs
+        install -d ${D}${base_libdir}/optee_armtz/
+        install -m 444 ${B}/ta/*/*.ta ${D}${base_libdir}/optee_armtz/
+}
+
+do_deploy:append () {
+        install -d ${DEPLOYDIR}/optee
+        install -m 644 ${D}${nonarch_base_libdir}/firmware/* ${DEPLOYDIR}/optee/
+}
+
+FILES:${PN} = "${nonarch_base_libdir}/optee_armtz/ ${nonarch_base_libdir}/firmware/"
diff --git a/recipes-security/optee-qoriq/optee-os.nxp.inc b/recipes-security/optee-qoriq/optee-os.nxp.inc
index 5b90b937c..88ba3fbe2 100644
--- a/recipes-security/optee-qoriq/optee-os.nxp.inc
+++ b/recipes-security/optee-qoriq/optee-os.nxp.inc
@@ -1,75 +1,30 @@
-# Copyright 2020-2021 NXP
+# Copyright 2020-2021,2025 NXP
+require recipes-security/optee-imx/optee-os-fslc.inc
 
-SUMMARY = "OPTEE OS"
-DESCRIPTION = "OPTEE OS"
-HOMEPAGE = "http://www.optee.org/"
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173"
+DEPENDS:append = " dtc-native"
 
-inherit deploy python3native autotools
-DEPENDS = "python3-pycryptodome-native python3-pyelftools-native python3-pycryptodomex-native dtc-native"
+# The patch same as imx-optee, so point FILESEXTRAPATHS to optee-imx/optee-client,
+# avoid duplicate copy files to optee-qoriq
+FILESEXTRAPATHS:prepend := "${THISDIR}/../optee-imx/optee-os:"
 
-SRC_URI = "git://github.com/nxp-qoriq/optee_os.git;protocol=https;nobranch=1"
-SRCREV = "735d98806dc26fbeeecad7f5e60ffeab8170c67e"
+SRC_URI:remove = "git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https"
+SRC_URI:prepend = "${OPTEE_OS_SRC};branch=${OPTEE_OS_BRANCH} "
+SRC_URI:append = " file://0007-allow-setting-sysroot-for-clang.patch"
 
-S = "${WORKDIR}/git"
-B = "${WORKDIR}/build.${PLATFORM_FLAVOR}"
+OPTEE_OS_SRC ?= "git://github.com/nxp-qoriq/optee_os.git;protocol=https"
 
-PLATFORM_FLAVOR ?= "${MACHINE}"
+REQUIRED_MACHINE_FEATURES = "optee"
 
-OPTEE_ARCH ?= "arm64"
-OPTEE_ARCH:armv7a = "arm32"
-OPTEE_ARCH:aarch64 = "arm64"
+inherit features_check
 
-OPTEE_CORE_LOG_LEVEL ?= "1"
-OPTEE_TA_LOG_LEVEL ?= "0"
+OPTEEMACHINE = "ls-${MACHINE}"
+OPTEEMACHINE:ls1088ardb-pb   = "ls-ls1088ardb"
+OPTEEMACHINE:ls1046afrwy     = "ls-ls1046ardb"
+OPTEEMACHINE:lx2162aqds      = "ls-lx2160aqds"
+OPTEEMACHINE:lx2160ardb-rev2 = "ls-lx2160ardb"
 
-# Optee-os can be built for 32 bits and 64 bits at the same time
-# as long as the compilers are correctly defined.
-# For 64bits, CROSS_COMPILE64 must be set
-# When defining CROSS_COMPILE and CROSS_COMPILE64, we assure that
-# any 32 or 64 bits builds will pass
-EXTRA_OEMAKE = " \
-        -C ${S} O=${B} \
-        PLATFORM_FLAVOR=${PLATFORM_FLAVOR} \
-        CROSS_COMPILE=${HOST_PREFIX} \
-        CROSS_COMPILE64=${HOST_PREFIX} \
-        CFG_WERROR=y \
-        CFG_TEE_CORE_LOG_LEVEL=${OPTEE_CORE_LOG_LEVEL} \
-        CFG_TEE_TA_LOG_LEVEL=${OPTEE_TA_LOG_LEVEL} \
+EXTRA_OEMAKE:append = " \
+    CFG_TEE_TA_LOG_LEVEL=0 \
+    CFG_TEE_CORE_LOG_LEVEL=1 \
 "
-
-do_compile() {
-    unset LDFLAGS
-    export CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_HOST}"
-    oe_runmake all
-}
-
-do_install() {
-    install -d ${D}${nonarch_base_libdir}/firmware/
-    install -m 644 ${B}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
-
-    # Install the TA devkit
-    install -d ${D}${includedir}/optee/export-user_ta/
-
-    for f in ${B}/export-ta_${OPTEE_ARCH}/*; do
-        cp -aR $f ${D}${includedir}/optee/export-user_ta/
-    done
-
-    install -d ${D}${nonarch_base_libdir}/optee_armtz
-    find ${B}/export-ta_${OPTEE_ARCH}/ta -name '*.ta' | while read name; do
-        install -m 444 $name ${D}${nonarch_base_libdir}/optee_armtz/
-    done
-}
-
-do_deploy() {
-    install -d ${DEPLOYDIR}/optee
-    install -m 644 ${D}${nonarch_base_libdir}/firmware/* ${DEPLOYDIR}/optee/
-}
-addtask deploy before do_build after do_install
-
-FILES:${PN} = "${nonarch_base_libdir}/firmware/ ${nonarch_base_libdir}/optee_armtz/"
-FILES:${PN}-staticdev = "/usr/include/optee/"
-RDEPENDS:${PN}-dev += "${PN}-staticdev"
-
-PACKAGE_ARCH = "${MACHINE_ARCH}"
+COMPATIBLE_MACHINE = "(qoriq-arm64)"
diff --git a/recipes-security/optee-qoriq/optee-test-qoriq_3.13.0.bb b/recipes-security/optee-qoriq/optee-test-qoriq_3.13.0.bb
deleted file mode 100644
index 69ef73d3a..000000000
--- a/recipes-security/optee-qoriq/optee-test-qoriq_3.13.0.bb
+++ /dev/null
@@ -1,13 +0,0 @@
-require optee-test.nxp.inc
-
-PV:append = "+git${SRCPV}"
-
-DEPENDS += "optee-client-qoriq optee-os-qoriq"
-
-TEEC_EXPORT = "${STAGING_DIR_HOST}${prefix}"
-
-EXTRA_OEMAKE += " \
-    TEEC_EXPORT=${TEEC_EXPORT} \
-"
-
-COMPATIBLE_MACHINE = "(qoriq-arm64)"
diff --git a/recipes-security/optee-qoriq/optee-test-qoriq_4.6.0.bb b/recipes-security/optee-qoriq/optee-test-qoriq_4.6.0.bb
new file mode 100644
index 000000000..d008a6211
--- /dev/null
+++ b/recipes-security/optee-qoriq/optee-test-qoriq_4.6.0.bb
@@ -0,0 +1,10 @@
+require optee-test.nxp.inc
+
+# The BSD and GPL license files are now included in the source
+# https://github.com/OP-TEE/optee_test/commit/a748f5fcd9ec8a574dc86a5aa56d05bc6ac174e7
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560 \
+                    file://LICENSE-BSD;md5=dca16d6efa93b55d0fd662ae5cd6feeb \
+                    file://LICENSE-GPL;md5=10e86b5d2a6cb0e2b9dcfdd26a9ac58d"
+
+OPTEE_TEST_BRANCH = "lf-6.12.20_2.0.0"
+SRCREV = "010f088f05b5ebf392c6e235d6e53d391755722f"
diff --git a/recipes-security/optee-qoriq/optee-test.nxp.inc b/recipes-security/optee-qoriq/optee-test.nxp.inc
index 14a42ac5a..48d5a4211 100644
--- a/recipes-security/optee-qoriq/optee-test.nxp.inc
+++ b/recipes-security/optee-qoriq/optee-test.nxp.inc
@@ -1,61 +1,15 @@
-# Copyright 2020-2021 NXP
+# Copyright 2020-2021,2025 NXP
+require recipes-security/optee-imx/optee-test-fslc.inc
 
-SUMMARY = "OPTEE test"
-HOMEPAGE = "http://www.optee.org/"
+DEPENDS:remove = "optee-client optee-os-tadevkit"
+DEPENDS:append = "optee-client-qoriq optee-os-qoriq-tadevkit openssl"
 
-LICENSE = "BSD & GPL-2.0-only"
-LIC_FILES_CHKSUM = "file://LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa"
+SRC_URI:remove = "git://github.com/OP-TEE/optee_test.git;branch=master;protocol=https"
+SRC_URI:remove = "file://run-ptest"
+SRC_URI:prepend = "${OPTEE_TEST_SRC};branch=${OPTEE_TEST_BRANCH} "
 
-DEPENDS = "python3-pycryptodome-native python3-pycryptodomex-native openssl"
-inherit python3native cmake
+OPTEE_TEST_SRC ?= "git://github.com/nxp-qoriq/optee_test.git;protocol=https"
 
-SRC_URI = "git://github.com/nxp-qoriq/optee_test.git;protocol=https;nobranch=1"
-SRCREV = "69722dab8c1f2683e30e0ee3b536053367e37aad"
+CFLAGS += " -Wno-error=unterminated-string-initialization"
 
-S = "${WORKDIR}/git"
-B = "${WORKDIR}/build"
-
-TA_DEV_KIT_DIR ?= "${STAGING_INCDIR}/optee/export-user_ta"
-OPTEE_CLIENT_EXPORT ?= "${STAGING_DIR_HOST}${prefix}"
-
-EXTRA_OEMAKE = " \
-    TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
-    OPTEE_CLIENT_EXPORT=${OPTEE_CLIENT_EXPORT} \
-    CROSS_COMPILE_HOST=${HOST_PREFIX} \
-    CROSS_COMPILE_TA=${HOST_PREFIX} \
-    OPTEE_OPENSSL_EXPORT=${STAGING_INCDIR}/ \
-    -C ${S} O=${B} \
-"
-
-EXTRA_OECMAKE = " \
-    -DOPTEE_TEST_SDK=${TA_DEV_KIT_DIR} \
-"
-
-do_compile() {
-    export CXXFLAGS="${CXXFLAGS} --sysroot=${STAGING_DIR_HOST}"
-    oe_runmake xtest
-    oe_runmake ta
-    oe_runmake test_plugin
-}
-
-do_install() {
-        install -d ${D}${bindir}/
-        install ${B}/xtest/xtest ${D}${bindir}/
-
-        install -d ${D}${nonarch_base_libdir}/optee_armtz
-        find ${B}/ta -name '*.ta' | while read name; do
-                install -m 444 $name ${D}${nonarch_base_libdir}/optee_armtz/
-        done
-
-        install -d ${D}${libdir}/tee-supplicant/plugins/
-        find ${B}/supp_plugin -name '*.plugin' | while read name; do
-                install -m 755 $name ${D}${libdir}/tee-supplicant/plugins/
-        done
-}
-
-FILES:${PN} += "${nonarch_base_libdir} ${libdir}/tee-supplicant/plugins/"
-
-DEBUG_OPTIMIZATION:append = " -Wno-error=maybe-uninitialized -Wno-deprecated-declarations"
-FULL_OPTIMIZATION:append = " -Wno-error=maybe-uninitialized -Wno-deprecated-declarations"
-
-PACKAGE_ARCH = "${MACHINE_ARCH}"
+COMPATIBLE_MACHINE = "(qoriq-arm64)"
diff --git a/recipes-security/smw/keyctl-caam_git.bb b/recipes-security/smw/keyctl-caam_git.bb
index 25a5f656a..f147e1148 100644
--- a/recipes-security/smw/keyctl-caam_git.bb
+++ b/recipes-security/smw/keyctl-caam_git.bb
@@ -11,13 +11,11 @@ SRC_URI = "git://github.com/nxp-imx/keyctl_caam.git;protocol=https;branch=${SRCB
 
 SRCREV = "81dc06cdb9c4d0d4ba10459d85af9a8603774948"
 
-S = "${WORKDIR}/git"
-
 TARGET_CC_ARCH += "${LDFLAGS}"
 
 do_install () {
         oe_runmake DESTDIR=${D} install
 }
 
-COMPATIBLE_MACHINE = "(imx-generic-bsp)"
+COMPATIBLE_MACHINE = "(imx-generic-bsp|qoriq)"
 
diff --git a/recipes-security/smw/smw_git.bb b/recipes-security/smw/smw_git.bb
index 3f77ad06b..dbb59d2f3 100644
--- a/recipes-security/smw/smw_git.bb
+++ b/recipes-security/smw/smw_git.bb
@@ -19,7 +19,7 @@ SRC_URI = "git://github.com/nxp-imx/imx-smw.git;protocol=https;branch=release/ve
 SRCREV_smw = "f0570b3e8cb5f68d54edc4f9dd7cb984f6f604ed"
 SRCREV_psa = "463cb95ada820bc6f758d50066cf8c0ed5cc3a02"
 SRCREV_FORMAT = "smw_psa"
-S = "${WORKDIR}/git/smw"
+S = "${UNPACKDIR}/git/smw"
 
 inherit cmake python3native
 
@@ -35,7 +35,7 @@ OPTEE_OS_TA_EXPORT_DIR:aarch64 = "${STAGING_INCDIR}/optee/export-user_ta_arm64"
 OPTEE_OS_TA_EXPORT_DIR:arm = "${STAGING_INCDIR}/optee/export-user_ta_arm32"
 
 # Needs to sign OPTEE TAs
-export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
+export OPENSSL_MODULES = "${STAGING_LIBDIR_NATIVE}/ossl-modules"
 
 EXTRA_OECMAKE = " \
     -DTA_DEV_KIT_ROOT=${OPTEE_OS_TA_EXPORT_DIR} \