22 files changed, 501 insertions, 187 deletions

diff --git a/conf/machine/include/imx-base.inc b/conf/machine/include/imx-base.inc
index 8ccdeb64..932b1e69 100644
--- a/conf/machine/include/imx-base.inc
+++ b/conf/machine/include/imx-base.inc
@@ -606,12 +606,12 @@ PREFERRED_VERSION_vulkan-tools:imxvulkan             ??= "1.3.275.0.imx"
 PREFERRED_VERSION_vulkan-validation-layers:imxvulkan ??= "1.3.275.0.imx"
 
 # Use i.MX optee Version
-PREFERRED_VERSION_optee-os:mx8-nxp-bsp     ??= "4.2.0.imx"
-PREFERRED_VERSION_optee-os:mx9-nxp-bsp     ??= "4.2.0.imx"
-PREFERRED_VERSION_optee-client:mx8-nxp-bsp ??= "4.2.0.imx"
-PREFERRED_VERSION_optee-client:mx9-nxp-bsp ??= "4.2.0.imx"
-PREFERRED_VERSION_optee-test:mx8-nxp-bsp   ??= "4.2.0.imx"
-PREFERRED_VERSION_optee-test:mx9-nxp-bsp   ??= "4.2.0.imx"
+PREFERRED_VERSION_optee-os:mx8-nxp-bsp     ??= "4.4.0.imx"
+PREFERRED_VERSION_optee-os:mx9-nxp-bsp     ??= "4.4.0.imx"
+PREFERRED_VERSION_optee-client:mx8-nxp-bsp ??= "4.4.0.imx"
+PREFERRED_VERSION_optee-client:mx9-nxp-bsp ??= "4.4.0.imx"
+PREFERRED_VERSION_optee-test:mx8-nxp-bsp   ??= "4.4.0.imx"
+PREFERRED_VERSION_optee-test:mx9-nxp-bsp   ??= "4.4.0.imx"
 
 # Use i.MX opencv Version
 PREFERRED_VERSION_opencv:mx8-nxp-bsp ??= "4.6.0.imx"
diff --git a/recipes-security/optee-imx/optee-client-fslc-imx.inc b/recipes-security/optee-imx/optee-client-fslc-imx.inc
index 60e9e1fa..7aeff9fd 100644
--- a/recipes-security/optee-imx/optee-client-fslc-imx.inc
+++ b/recipes-security/optee-imx/optee-client-fslc-imx.inc
@@ -1,7 +1,36 @@
-# Copyright 2017-2024 NXP
+# Copied from meta-imx/meta-imx-bsp/recipes-security/optee/optee-client-imx.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L37
 
 require optee-client-fslc.inc
 
-SRC_URI += "git://github.com/nxp-imx/imx-optee-client.git;protocol=https;branch=${SRCBRANCH}"
+DEPENDS += "util-linux-libuuid"
 
-COMPATIBLE_MACHINE = "(imx-nxp-bsp)"
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-client:"
+SRC_URI:remove = "git://github.com/OP-TEE/optee_client.git;branch=master;protocol=https"
+SRC_URI:prepend = "${OPTEE_CLIENT_SRC};branch=${SRCBRANCH} "
+OPTEE_CLIENT_SRC ?= "git://github.com/nxp-imx/imx-optee-client.git;protocol=https"
+
+inherit pkgconfig
+
+EXTRA_OECMAKE += "-DCFG_TEE_CLIENT_LOAD_PATH=${nonarch_base_libdir}"
+
+# Copy the udev rule from the libts recipe for starting tee-supplicant@.service
+SRC_URI += "file://tee-udev.rules"
+# Unix group name for dev/tee* ownership.
+TEE_GROUP_NAME ?= "teeclnt"
+do_install:append () {
+    if ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', 'false', 'true', d)}; then
+        install -d ${D}${nonarch_base_libdir}/udev/rules.d/
+        install -m 755 ${UNPACKDIR}/tee-udev.rules ${D}${nonarch_base_libdir}/udev/rules.d/
+        sed -i -e "s/teeclnt/${TEE_GROUP_NAME}/" ${D}${nonarch_base_libdir}/udev/rules.d/tee-udev.rules
+    fi
+
+    if [ "${libdir}" != "${nonarch_base_libdir}" ]; then
+        rm -rf ${D}${libdir}/systemd
+    fi
+}
+inherit ${@oe.utils.conditional('VIRTUAL-RUNTIME_dev_manager', 'busybox-mdev', '', 'useradd', d)}
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "--system ${TEE_GROUP_NAME}"
+
+FILES:${PN} += "${libdir}/* ${includedir}/*"
diff --git a/recipes-security/optee-imx/optee-client-fslc.inc b/recipes-security/optee-imx/optee-client-fslc.inc
index f55f0ab2..455bdd78 100644
--- a/recipes-security/optee-imx/optee-client-fslc.inc
+++ b/recipes-security/optee-imx/optee-client-fslc.inc
@@ -1,42 +1,43 @@
-# Copyright 2017-2024 NXP
+# Copied from meta-arm/recipes-security/optee/optee-client.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L30
+
+SUMMARY = "OP-TEE Client API"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Normal World Client side of the TEE"
+HOMEPAGE = "https://www.op-tee.org/"
 
-SUMMARY = "OPTEE Client libs"
-HOMEPAGE = "http://www.optee.org/"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b"
 
-SRC_URI = "file://tee-supplicant.service"
-
-S = "${WORKDIR}/git"
-B = "${WORKDIR}/build"
+inherit systemd update-rc.d cmake
 
-inherit python3native systemd features_check pkgconfig
-
-DEPENDS = "util-linux-libuuid"
+SRC_URI = " \
+    git://github.com/OP-TEE/optee_client.git;branch=master;protocol=https \
+    file://tee-supplicant@.service \
+    file://tee-supplicant.sh \
+"
 
-REQUIRED_MACHINE_FEATURES = "optee"
+UPSTREAM_CHECK_GITTAGREGEX = "^(?P<pver>\d+(\.\d+)+)$"
 
-SYSTEMD_SERVICE:${PN} = "tee-supplicant.service"
+S = "${WORKDIR}/git"
 
-EXTRA_OEMAKE = " \
-        -C ${S} O=${B} \
+EXTRA_OECMAKE = " \
+    -DBUILD_SHARED_LIBS=ON \
+    -DCFG_TEE_FS_PARENT_PATH='${localstatedir}/lib/tee' \
 "
+EXTRA_OECMAKE:append:toolchain-clang = " -DCFG_WERROR=0"
 
-do_install () {
-        oe_runmake -C ${S} install
-
-        install -D -p -m0644 ${B}/export/usr/lib/libteec.so.2.0.0 ${D}${libdir}/libteec.so.2.0.0
-        ln -sf libteec.so.2.0.0 ${D}${libdir}/libteec.so.2
-        ln -sf libteec.so.2.0.0 ${D}${libdir}/libteec.so
-
-        install -D -p -m0644 ${B}/export/usr/lib/libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0.1.0
-        ln -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so.0
-        ln -sf libckteec.so.0.1.0 ${D}${libdir}/libckteec.so
+do_install:append() {
+    install -D -p -m0644 ${UNPACKDIR}/tee-supplicant@.service ${D}${systemd_system_unitdir}/tee-supplicant@.service
+    install -D -p -m0755 ${UNPACKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant
 
-        install -D -p -m0755 ${B}/export/usr/sbin/tee-supplicant ${D}${bindir}/tee-supplicant
+    sed -i -e s:@sysconfdir@:${sysconfdir}:g \
+           -e s:@sbindir@:${sbindir}:g \
+              ${D}${systemd_system_unitdir}/tee-supplicant@.service \
+              ${D}${sysconfdir}/init.d/tee-supplicant
+}
 
-        cp -a ${B}/export/usr/include ${D}${includedir}
+SYSTEMD_SERVICE:${PN} = "tee-supplicant@.service"
 
-        sed -i -e s:/etc:${sysconfdir}:g -e s:/usr/bin:${bindir}:g ${UNPACKDIR}/tee-supplicant.service
-        install -D -p -m0644 ${UNPACKDIR}/tee-supplicant.service ${D}${systemd_system_unitdir}/tee-supplicant.service
-}
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME:${PN} = "tee-supplicant"
+INITSCRIPT_PARAMS:${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ."
diff --git a/recipes-security/optee-imx/optee-client/tee-supplicant.service b/recipes-security/optee-imx/optee-client/tee-supplicant.service
deleted file mode 100644
index 0e2b4f6b..00000000
--- a/recipes-security/optee-imx/optee-client/tee-supplicant.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=TEE Supplicant
-
-[Service]
-User=root
-EnvironmentFile=-/etc/default/tee-supplicant
-ExecStart=/usr/bin/tee-supplicant $OPTARGS
-
-[Install]
-WantedBy=basic.target
-
diff --git a/recipes-security/optee-imx/optee-client/tee-supplicant.sh b/recipes-security/optee-imx/optee-client/tee-supplicant.sh
new file mode 100644
index 00000000..b4d21950
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client/tee-supplicant.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Source function library
+. /etc/init.d/functions
+
+NAME=tee-supplicant
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DESC="OP-TEE Supplicant"
+
+DAEMON=@sbindir@/$NAME
+
+test -f $DAEMON || exit 0
+
+test -f @sysconfdir@/default/$NAME && . @sysconfdir@/default/$NAME
+test -f @sysconfdir@/default/rcS && . @sysconfdir@/default/rcS
+
+SSD_OPTIONS="--oknodo --quiet --exec $DAEMON -- -d $OPTARGS"
+
+set -e
+
+case $1 in
+    start)
+            echo -n "Starting $DESC: "
+            start-stop-daemon --start $SSD_OPTIONS
+        echo "${DAEMON##*/}."
+        ;;
+    stop)
+            echo -n "Stopping $DESC: "
+            start-stop-daemon --stop $SSD_OPTIONS
+        echo "${DAEMON##*/}."
+        ;;
+    restart|force-reload)
+            $0 stop
+            sleep 1
+            $0 start
+        ;;
+    status)
+        status ${DAEMON} || exit $?
+        ;;
+    *)
+        echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
+        exit 1
+        ;;
+esac
+
+exit 0
diff --git a/recipes-security/optee-imx/optee-client/tee-supplicant@.service b/recipes-security/optee-imx/optee-client/tee-supplicant@.service
new file mode 100644
index 00000000..72c0b9aa
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client/tee-supplicant@.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=TEE Supplicant on %i
+
+[Service]
+User=root
+EnvironmentFile=-@sysconfdir@/default/tee-supplicant
+ExecStart=@sbindir@/tee-supplicant $OPTARGS
+
+[Install]
+WantedBy=basic.target
diff --git a/recipes-security/optee-imx/optee-client/tee-udev.rules b/recipes-security/optee-imx/optee-client/tee-udev.rules
new file mode 100644
index 00000000..43fafd8c
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client/tee-udev.rules
@@ -0,0 +1,7 @@
+# tee devices can only be accessed by the teeclnt group members
+KERNEL=="tee[0-9]*", TAG+="systemd", MODE="0660", GROUP="teeclnt"
+
+# If a /dev/teepriv[0-9]* device is detected, start an instance of
+# tee-supplicant.service with the device name as parameter
+KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="tee", \
+    TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"
diff --git a/recipes-security/optee-imx/optee-client_4.2.0.imx.bb b/recipes-security/optee-imx/optee-client_4.2.0.imx.bb
deleted file mode 100644
index 59f8c84d..00000000
--- a/recipes-security/optee-imx/optee-client_4.2.0.imx.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-require optee-client-fslc-imx.inc
-
-SRCBRANCH = "lf-6.6.36_2.1.0"
-SRCREV = "3eac340a781c00ccd61b151b0e9c22a8c6e9f9f0" 
-
-DEPENDS += "util-linux"
-EXTRA_OEMAKE += "PKG_CONFIG=pkg-config"
diff --git a/recipes-security/optee-imx/optee-client_4.4.0.imx.bb b/recipes-security/optee-imx/optee-client_4.4.0.imx.bb
new file mode 100644
index 00000000..322f998f
--- /dev/null
+++ b/recipes-security/optee-imx/optee-client_4.4.0.imx.bb
@@ -0,0 +1,4 @@
+require optee-client-fslc-imx.inc
+
+SRCBRANCH = "lf-6.6.52_2.2.0"
+SRCREV = "d221676a58b305bddbf97db00395205b3038de8e"
diff --git a/recipes-security/optee-imx/optee-fslc.inc b/recipes-security/optee-imx/optee-fslc.inc
index 6c96dc2b..42e23fc2 100644
--- a/recipes-security/optee-imx/optee-fslc.inc
+++ b/recipes-security/optee-imx/optee-fslc.inc
@@ -1,26 +1,43 @@
-HOMEPAGE = "http://www.optee.org/"
+# Copied from meta-arm/recipes-security/optee/optee.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L30
 
-inherit python3native features_check
+UPSTREAM_CHECK_GITTAGREGEX = "^(?P<pver>\d+(\.\d+)+)$"
 
-REQUIRED_MACHINE_FEATURES = "optee"
+COMPATIBLE_MACHINE ?= "invalid"
+COMPATIBLE_MACHINE:qemuarm64 ?= "qemuarm64"
+COMPATIBLE_MACHINE:qemuarm ?= "qemuarm"
+# Please add supported machines below or set it in .bbappend or .conf
 
-DEPENDS = "python3-cryptography-native"
+OPTEEMACHINE ?= "${MACHINE}"
+OPTEEMACHINE:aarch64:qemuall ?= "vexpress-qemu_armv8a"
+OPTEEMACHINE:arm:qemuall ?= "vexpress-qemu_virt"
 
-S = "${WORKDIR}/git"
-B = "${WORKDIR}/build"
-
-OPTEE_ARCH:arm     = "arm32"
+OPTEE_ARCH = "null"
+OPTEE_ARCH:arm = "arm32"
 OPTEE_ARCH:aarch64 = "arm64"
+OPTEE_CORE = "${@d.getVar('OPTEE_ARCH').upper()}"
+
+# FIXME - breaks with Clang 18.  See https://github.com/OP-TEE/optee_os/issues/6754
+TOOLCHAIN = "gcc"
+
+OPTEE_TOOLCHAIN = "${@d.getVar('TOOLCHAIN') or 'gcc'}"
+OPTEE_COMPILER = "${@bb.utils.contains("BBFILE_COLLECTIONS", "clang-layer", "${OPTEE_TOOLCHAIN}", "gcc", d)}"
 
-COMPILER ?= "gcc"
-COMPILER:toolchain-clang = "clang"
+# Set here but not passed to EXTRA_OEMAKE by default as that breaks
+# the optee-os build
+TA_DEV_KIT_DIR = "${STAGING_INCDIR}/optee/export-user_ta"
+
+EXTRA_OEMAKE += "V=1 \
+                 LIBGCC_LOCATE_CFLAGS='${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}' \
+                 COMPILER=${OPTEE_COMPILER} \
+                 OPTEE_CLIENT_EXPORT=${STAGING_DIR_HOST}${prefix} \
+                 TEEC_EXPORT=${STAGING_DIR_HOST}${prefix} \
+                "
+# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
+# right path until this is relocated automatically.
+export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
 
 CFLAGS += "--sysroot=${STAGING_DIR_HOST}"
-CXXFLAGS += "--sysroot=${STAGING_DIR_HOST}"
-
-EXTRA_OEMAKE = " \
-    COMPILER=${COMPILER} \
-    OPENSSL_MODULES=${STAGING_LIBDIR_NATIVE}/ossl-modules \
-    OPTEE_CLIENT_EXPORT=${STAGING_DIR_HOST}${exec_prefix} \
-    -C ${S} O=${B} \
-"
+
+# See the rationale in https://github.com/f-secure-foundry/advisories/blob/master/Security_Advisory-Ref_FSC-HWSEC-VR2021-0001-OP-TEE_TrustZone_bypass.txt.
+CVE_STATUS[CVE-2021-36133] = "disputed: devices shipped open for development purposes"
diff --git a/recipes-security/optee-imx/optee-os-common-fslc-imx.inc b/recipes-security/optee-imx/optee-os-common-fslc-imx.inc
new file mode 100644
index 00000000..941182fe
--- /dev/null
+++ b/recipes-security/optee-imx/optee-os-common-fslc-imx.inc
@@ -0,0 +1,62 @@
+# Copied from meta-imx/meta-imx-bsp/recipes-security/optee/optee-os-common-imx.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L37
+
+require optee-os-fslc.inc
+
+DEPENDS:append:arm = "u-boot-mkimage-native"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:"
+
+SRC_URI:remove = "git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https"
+SRC_URI:prepend = "${OPTEE_OS_SRC};branch=${SRCBRANCH} "
+SRC_URI:append = " file://0007-allow-setting-sysroot-for-clang.patch"
+SRC_URI:remove = "file://0001-allow-setting-sysroot-for-libgcc-lookup.patch \
+                  file://0002-optee-enable-clang-support.patch \
+                  file://0003-core-link-add-no-warn-rwx-segments.patch"
+
+OPTEE_OS_SRC ?= "git://github.com/nxp-imx/imx-optee-os.git;protocol=https"
+
+inherit features_check
+
+REQUIRED_MACHINE_FEATURES = "optee"
+
+OPTEEMACHINE                   = "imx-${@d.getVar('MACHINE')[1:]}"
+OPTEEMACHINE:imx6qpdlsolox     = "imx-mx6qsabresd"
+OPTEEMACHINE:mx6ul-nxp-bsp     = "imx-mx6ulevk"
+OPTEEMACHINE:mx6ull-nxp-bsp    = "imx-mx6ullevk"
+OPTEEMACHINE:mx6ulz-nxp-bsp    = "imx-mx6ulzevk"
+OPTEEMACHINE:mx8mq-nxp-bsp     = "imx-mx8mqevk"
+OPTEEMACHINE:mx8mm-nxp-bsp     = "imx-mx8mmevk"
+OPTEEMACHINE:mx8mn-nxp-bsp     = "imx-mx8mnevk"
+OPTEEMACHINE:mx8mp-nxp-bsp     = "imx-mx8mpevk"
+OPTEEMACHINE:mx8mpul-nxp-bsp   = "imx-mx8mpevk"
+OPTEEMACHINE:mx8qm-nxp-bsp     = "imx-mx8qmmek"
+OPTEEMACHINE:mx8qxp-nxp-bsp    = "imx-mx8qxpmek"
+OPTEEMACHINE:mx8dx-nxp-bsp     = "imx-mx8dxmek"
+OPTEEMACHINE:mx8dxl-nxp-bsp    = "imx-mx8dxlevk"
+OPTEEMACHINE:mx8mnul-nxp-bsp   = "imx-mx8mnevk"
+OPTEEMACHINE:mx8ulp-nxp-bsp    = "imx-mx8ulpevk"
+OPTEEMACHINE:mx91-nxp-bsp      = "imx-mx91evk"
+OPTEEMACHINE:mx93-nxp-bsp      = "imx-mx93evk"
+OPTEEMACHINE:mx95-nxp-bsp      = "imx-mx95evk"
+
+# Strip the leading imx-
+PLATFORM_FLAVOR = "${@d.getVar('OPTEEMACHINE')[4:]}"
+
+EXTRA_OEMAKE:append = " \
+    CFG_TEE_TA_LOG_LEVEL=0 \
+    CFG_TEE_CORE_LOG_LEVEL=0 \
+"
+
+EXTRA_OEMAKE:append:imx8mq-lpddr4-wevk = " \
+    CFG_CORE_LARGE_PHYS_ADDR=y \
+    CFG_CORE_ARM64_PA_BITS=36 \
+    CFG_DDR_SIZE=0x100000000 \
+    CFG_TZDRAM_START=0xfe000000 \
+"
+
+EXTRA_OEMAKE:append:imx8dxlb0-fips-lpddr4-evk = " \
+    CFG_NXP_CAAM=n \
+"
+
+COMPATIBLE_MACHINE = "(imx-nxp-bsp)"
diff --git a/recipes-security/optee-imx/optee-os-fslc-imx.inc b/recipes-security/optee-imx/optee-os-fslc-imx.inc
index f4a532b7..5fe6a75a 100644
--- a/recipes-security/optee-imx/optee-os-fslc-imx.inc
+++ b/recipes-security/optee-imx/optee-os-fslc-imx.inc
@@ -1,27 +1,26 @@
-require optee-os-fslc.inc
+# Copied from meta-imx/meta-imx-bsp/recipes-security/optee/optee-os-imx.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L37
 
-SRC_URI = "git://github.com/nxp-imx/imx-optee-os.git;protocol=https;branch=${SRCBRANCH}"
+require optee-os-common-fslc-imx.inc
 
-# The platform flavor corresponds to the Yocto machine without the leading 'i'.
-PLATFORM_FLAVOR                   = "${@d.getVar('MACHINE')[1:]}"
-PLATFORM_FLAVOR:imx6qdlsabresd    = "mx6qsabresd"
-PLATFORM_FLAVOR:imx6qdlsabreauto  = "mx6qsabreauto"
-PLATFORM_FLAVOR:imx6qpdlsolox     = "mx6qsabresd"
-PLATFORM_FLAVOR:mx6ul-nxp-bsp     = "mx6ulevk"
-PLATFORM_FLAVOR:mx6ull-nxp-bsp    = "mx6ullevk"
-PLATFORM_FLAVOR:mx6ulz-nxp-bsp    = "mx6ulzevk"
-PLATFORM_FLAVOR:mx8mq-nxp-bsp     = "mx8mqevk"
-PLATFORM_FLAVOR:mx8mm-nxp-bsp     = "mx8mmevk"
-PLATFORM_FLAVOR:mx8mn-nxp-bsp     = "mx8mnevk"
-PLATFORM_FLAVOR:mx8mnul-nxp-bsp   = "mx8mnevk"
-PLATFORM_FLAVOR:mx8mp-nxp-bsp     = "mx8mpevk"
-PLATFORM_FLAVOR:mx8mpul-nxp-bsp   = "mx8mpevk"
-PLATFORM_FLAVOR:mx8qm-nxp-bsp     = "mx8qmmek"
-PLATFORM_FLAVOR:mx8qxp-nxp-bsp    = "mx8qxpmek"
-PLATFORM_FLAVOR:mx8dx-nxp-bsp     = "mx8dxmek"
-PLATFORM_FLAVOR:mx8dxl-nxp-bsp    = "mx8dxlevk"
-PLATFORM_FLAVOR:mx8ulp-nxp-bsp    = "mx8ulpevk"
-PLATFORM_FLAVOR:mx93-nxp-bsp      = "mx93evk"
-PLATFORM_FLAVOR:mx95-nxp-bsp      = "mx95evk"
+do_compile:arm() {
+    oe_runmake -C ${S} all uTee
+}
 
-COMPATIBLE_MACHINE = "(imx-nxp-bsp)"
+do_install:append () {
+    # Install embedded TAs
+    install -d ${D}${nonarch_base_libdir}/optee_armtz/
+    install -m 444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
+}
+
+do_deploy:append() {
+    cp ${B}/core/tee-raw.bin ${DEPLOYDIR}/${MLPREFIX}optee/tee.${PLATFORM_FLAVOR}.bin
+    ln -sf ${MLPREFIX}optee/tee.${PLATFORM_FLAVOR}.bin ${DEPLOYDIR}/tee.bin
+}
+
+do_deploy:append:arm() {
+    cp ${B}/core/uTee ${DEPLOYDIR}/${MLPREFIX}optee/uTee-${OPTEE_BIN_EXT}
+    ln -sf ${MLPREFIX}optee/uTee-${OPTEE_BIN_EXT} ${DEPLOYDIR}/uTee-${OPTEE_BIN_EXT}
+}
+
+FILES:${PN} += "${nonarch_base_libdir}/optee_armtz"
diff --git a/recipes-security/optee-imx/optee-os-fslc.inc b/recipes-security/optee-imx/optee-os-fslc.inc
index 61906344..c1f1f48f 100644
--- a/recipes-security/optee-imx/optee-os-fslc.inc
+++ b/recipes-security/optee-imx/optee-os-fslc.inc
@@ -1,90 +1,86 @@
-# Copyright (C) 2017-2021,2024 NXP
+# Copied from meta-arm/recipes-security/optee/optee-os.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L30
+
+SUMMARY = "OP-TEE Trusted OS"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Trusted side of the TEE"
+HOMEPAGE = "https://www.op-tee.org/"
 
-SUMMARY = "OPTEE OS"
-DESCRIPTION = "OPTEE OS"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c1f21c4f72f372ef38a5a4aee55ec173"
 
+inherit deploy python3native
 require optee-fslc.inc
 
-DEPENDS += "python3-pyelftools-native u-boot-mkimage-native"
+CVE_PRODUCT = "linaro:op-tee op-tee:op-tee_os"
+
+DEPENDS = "python3-pyelftools-native python3-cryptography-native"
+
 DEPENDS:append:toolchain-clang = " compiler-rt"
 
-inherit deploy autotools
+SRC_URI = "git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https"
 
-# Optee-os can be built for 32 bits and 64 bits at the same time
-# as long as the compilers are correctly defined.
-# For 64bits, CROSS_COMPILE64 must be set
-# When defining CROSS_COMPILE and CROSS_COMPILE64, we assure that
-# any 32 or 64 bits builds will pass
-EXTRA_OEMAKE += " \
-    PLATFORM=imx-${PLATFORM_FLAVOR} \
-    CROSS_COMPILE=${HOST_PREFIX} \
-    CROSS_COMPILE64=${HOST_PREFIX} \
-    CFLAGS32=--sysroot=${STAGING_DIR_HOST} \
-    CFLAGS64=--sysroot=${STAGING_DIR_HOST} \
-    CFG_TEE_TA_LOG_LEVEL=0 \
-    CFG_TEE_CORE_LOG_LEVEL=0 \
-"
+S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
 
-EXTRA_OEMAKE:append:imx8mq-lpddr4-wevk = " \
-    CFG_CORE_LARGE_PHYS_ADDR=y \
-    CFG_CORE_ARM64_PA_BITS=36 \
-    CFG_DDR_SIZE=0x100000000 \
-    CFG_TZDRAM_START=0xfe000000 \
+EXTRA_OEMAKE += " \
+    PLATFORM=${OPTEEMACHINE} \
+    CFG_${OPTEE_CORE}_core=y \
+    CROSS_COMPILE_core=${HOST_PREFIX} \
+    CROSS_COMPILE_ta_${OPTEE_ARCH}=${HOST_PREFIX} \
+    NOWERROR=1 \
+    ta-targets=ta_${OPTEE_ARCH} \
+    O=${B} \
 "
+EXTRA_OEMAKE += " HOST_PREFIX=${HOST_PREFIX}"
+EXTRA_OEMAKE += " CROSS_COMPILE64=${HOST_PREFIX}"
 
 LDFLAGS[unexport] = "1"
 CPPFLAGS[unexport] = "1"
 AS[unexport] = "1"
 LD[unexport] = "1"
 
-do_configure[noexec] = "1"
-
 do_compile:prepend() {
-    PLAT_LIBGCC_PATH=$(${CC} -print-libgcc-file-name)
-}
-
-do_compile:arm () {
-    oe_runmake all uTee
+        PLAT_LIBGCC_PATH=$(${CC} -print-libgcc-file-name)
 }
 
-do_compile:aarch64 () {
-    oe_runmake all
+do_compile() {
+    oe_runmake -C ${S} all
 }
 do_compile[cleandirs] = "${B}"
 
-do_deploy () {
-    install -d ${DEPLOYDIR}
-    cp ${B}/core/tee-raw.bin ${DEPLOYDIR}/tee.${PLATFORM_FLAVOR}.bin
-    ln -sf tee.${PLATFORM_FLAVOR}.bin ${DEPLOYDIR}/tee.bin
-}
+do_install() {
+    #install core in firmware
+    install -d ${D}${nonarch_base_libdir}/firmware/
+    install -m 644 ${B}/core/*.bin ${B}/core/tee.elf ${D}${nonarch_base_libdir}/firmware/
 
-do_deploy:append:arm () {
-    cp ${B}/core/uTee ${DEPLOYDIR}/uTee-${OPTEE_BIN_EXT}
+    #install tas in optee_armtz
+    install -d ${D}${nonarch_base_libdir}/optee_armtz/
+    install -m 444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz
 }
 
-do_install () {
-    install -d ${D}${nonarch_base_libdir}/firmware/
-    install -m 644 ${B}/core/*.bin ${D}${nonarch_base_libdir}/firmware/
+PACKAGE_ARCH = "${MACHINE_ARCH}"
 
-    # Install embedded TAs
-    install -d ${D}${nonarch_base_libdir}/optee_armtz/
-    install -m 444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
+do_deploy() {
+    install -d ${DEPLOYDIR}/${MLPREFIX}optee
+    install -m 644 ${D}${nonarch_base_libdir}/firmware/* ${DEPLOYDIR}/${MLPREFIX}optee
 
-    # Install the TA devkit
-    install -d ${D}${includedir}/optee/export-user_ta_${OPTEE_ARCH}/
-    cp -aR ${B}/export-ta_${OPTEE_ARCH}/* \
-        ${D}${includedir}/optee/export-user_ta_${OPTEE_ARCH}/
+    install -d ${DEPLOYDIR}/${MLPREFIX}optee/ta
+    install -m 644 ${B}/ta/*/*.elf ${DEPLOYDIR}/${MLPREFIX}optee/ta
 }
 
-addtask deploy after do_compile before do_install
+addtask deploy before do_build after do_install
 
-FILES:${PN} = "${nonarch_base_libdir}/firmware/ ${nonarch_base_libdir}/optee_armtz/"
-FILES:${PN}-staticdev = "${includedir}/optee/"
-RDEPENDS:${PN}-dev += "${PN}-staticdev"
+SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
 
-# FIXME: Build paths are currently embedded
-INSANE_SKIP:${PN}-staticdev += "buildpaths"
+PACKAGES += "${PN}-ta"
+FILES:${PN} = "${nonarch_base_libdir}/firmware/"
+FILES:${PN}-ta = "${nonarch_base_libdir}/optee_armtz/*"
+
+
+# note: "textrel" is not triggered on all archs
+INSANE_SKIP:${PN} = "textrel"
+# Build paths are currently embedded
+INSANE_SKIP:${PN} += "buildpaths"
+INSANE_SKIP:${PN}-dev = "staticdev"
+INHIBIT_PACKAGE_STRIP = "1"
 
-PACKAGE_ARCH = "${MACHINE_ARCH}"
diff --git a/recipes-security/optee-imx/optee-os-tadevkit-fslc-imx.inc b/recipes-security/optee-imx/optee-os-tadevkit-fslc-imx.inc
new file mode 100644
index 00000000..18cf9a37
--- /dev/null
+++ b/recipes-security/optee-imx/optee-os-tadevkit-fslc-imx.inc
@@ -0,0 +1,27 @@
+# Copied from meta-imx/meta-imx-bsp/recipes-security/optee/optee-os-tadevkit-imx.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L37
+
+require optee-os-common-fslc-imx.inc
+
+SUMMARY = "OP-TEE Trusted OS TA devkit"
+DESCRIPTION = "OP-TEE TA devkit for build TAs"
+HOMEPAGE = "https://www.op-tee.org/"
+
+DEPENDS += "python3-pycryptodome-native"
+
+do_install() {
+    #install TA devkit
+    install -d ${D}${includedir}/optee/export-user_ta/
+    for f in ${B}/export-ta_${OPTEE_ARCH}/* ; do
+        cp -aR $f ${D}${includedir}/optee/export-user_ta/
+    done
+}
+
+do_deploy() {
+        echo "Do not inherit do_deploy from optee-os."
+}
+
+FILES:${PN} = "${includedir}/optee/"
+
+# Build paths are currently embedded
+INSANE_SKIP:${PN}-dev += "buildpaths"
diff --git a/recipes-security/optee-imx/optee-os-tadevkit_4.4.0.imx.bb b/recipes-security/optee-imx/optee-os-tadevkit_4.4.0.imx.bb
new file mode 100644
index 00000000..bb2e2cf6
--- /dev/null
+++ b/recipes-security/optee-imx/optee-os-tadevkit_4.4.0.imx.bb
@@ -0,0 +1,4 @@
+require optee-os-tadevkit-fslc-imx.inc
+
+SRCBRANCH = "lf-6.6.52_2.2.0"
+SRCREV = "60beb308810f9561a67fdb435388a64c85eb6dcb"
diff --git a/recipes-security/optee-imx/optee-os/0007-allow-setting-sysroot-for-clang.patch b/recipes-security/optee-imx/optee-os/0007-allow-setting-sysroot-for-clang.patch
new file mode 100644
index 00000000..067ba6eb
--- /dev/null
+++ b/recipes-security/optee-imx/optee-os/0007-allow-setting-sysroot-for-clang.patch
@@ -0,0 +1,30 @@
+From db9e44af75c7cfd3316cab15aaa387383df3e57e Mon Sep 17 00:00:00 2001
+From: Brett Warren <brett.warren@arm.com>
+Date: Wed, 23 Sep 2020 09:27:34 +0100
+Subject: [PATCH] optee: enable clang support
+
+When compiling with clang, the LIBGCC_LOCATE_CFLAG variable used
+to provide a sysroot wasn't included, which results in not locating
+compiler-rt. This is mitigated by including the variable as ammended.
+
+Upstream-Status: Pending
+ChangeId: 8ba69a4b2eb8ebaa047cb266c9aa6c2c3da45701
+Signed-off-by: Brett Warren <brett.warren@arm.com>
+
+---
+ mk/clang.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mk/clang.mk b/mk/clang.mk
+index c141a3f2..7d067cc0 100644
+--- a/mk/clang.mk
++++ b/mk/clang.mk
+@@ -27,7 +27,7 @@ comp-cflags-warns-clang := -Wno-language-extension-token \
+ 
+ # Note, use the compiler runtime library (libclang_rt.builtins.*.a) instead of
+ # libgcc for clang
+-libgcc$(sm)    := $(shell $(CC$(sm)) $(CFLAGS$(arch-bits-$(sm))) \
++libgcc$(sm)    := $(shell $(CC$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CFLAGS$(arch-bits-$(sm))) \
+                        -rtlib=compiler-rt -print-libgcc-file-name 2> /dev/null)
+ 
+ # Core ASLR relies on the executable being ready to run from its preferred load
diff --git a/recipes-security/optee-imx/optee-os_4.2.0.imx.bb b/recipes-security/optee-imx/optee-os_4.4.0.imx.bb
index 11da204e..5ff12a59 100644
--- a/recipes-security/optee-imx/optee-os_4.2.0.imx.bb
+++ b/recipes-security/optee-imx/optee-os_4.4.0.imx.bb
@@ -6,5 +6,5 @@ SRC_URI += " \
     file://0001-core-Define-section-attributes-for-clang.patch \
     file://0002-optee-enable-clang-support.patch \
 "
-SRCBRANCH = "lf-6.6.36_2.1.0"
-SRCREV = "612bc5a642a4608d282abeee2349d86de996d7ee"
+SRCBRANCH = "lf-6.6.52_2.2.0"
+SRCREV = "60beb308810f9561a67fdb435388a64c85eb6dcb"
diff --git a/recipes-security/optee-imx/optee-test-fslc-imx.inc b/recipes-security/optee-imx/optee-test-fslc-imx.inc
new file mode 100644
index 00000000..ab16fd22
--- /dev/null
+++ b/recipes-security/optee-imx/optee-test-fslc-imx.inc
@@ -0,0 +1,18 @@
+# Copied from meta-imx/meta-imx-bsp/recipes-security/optee/optee-test-imx.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L37
+
+require optee-test-fslc.inc
+
+DEPENDS += "openssl"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-test:"
+
+SRC_URI:remove = "git://github.com/OP-TEE/optee_test.git;branch=master;protocol=https"
+SRC_URI:prepend = "${OPTEE_TEST_SRC};branch=${SRCBRANCH} "
+
+OPTEE_TEST_SRC ?= "git://github.com/nxp-imx/imx-optee-test.git;protocol=https"
+
+EXTRA_OEMAKE:append:libc-musl = " OPTEE_OPENSSL_EXPORT=${STAGING_INCDIR}"
+CFLAGS:append:libc-musl = " -Wno-error=deprecated-declarations"
+
+COMPATIBLE_MACHINE = "(imx-nxp-bsp)"
diff --git a/recipes-security/optee-imx/optee-test-fslc.inc b/recipes-security/optee-imx/optee-test-fslc.inc
index e0c133a7..0fb5f878 100644
--- a/recipes-security/optee-imx/optee-test-fslc.inc
+++ b/recipes-security/optee-imx/optee-test-fslc.inc
@@ -1,38 +1,65 @@
-# Copyright (C) 2017-2021 NXP
+# Copied from meta-arm/recipes-security/optee/optee-test.inc.
+# See: https://github.com/nxp-imx/imx-manifest/blob/imx-linux-scarthgap/imx-6.6.52-2.2.0.xml#L30
+
+SUMMARY = "OP-TEE sanity testsuite"
+DESCRIPTION = "Open Portable Trusted Execution Environment - Test suite"
+HOMEPAGE = "https://www.op-tee.org/"
 
-SUMMARY = "OPTEE test"
 LICENSE = "BSD-2-Clause & GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://LICENSE.md;md5=daa2bcccc666345ab8940aab1315a4fa"
 
+inherit python3native ptest
+inherit deploy
 require optee-fslc.inc
 
-DEPENDS += "optee-os optee-client openssl"
+DEPENDS = "optee-client optee-os-tadevkit python3-cryptography-native openssl"
+
+SRC_URI = "git://github.com/OP-TEE/optee_test.git;branch=master;protocol=https \
+           file://run-ptest \
+          "
+
+S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
 
-EXTRA_OEMAKE += " \
-    TA_DEV_KIT_DIR=${STAGING_INCDIR}/optee/export-user_ta_${OPTEE_ARCH}/ \
-    CROSS_COMPILE_HOST=${HOST_PREFIX} \
-    CROSS_COMPILE_TA=${HOST_PREFIX} \
-    CROSS_COMPILE=${HOST_PREFIX} \
-"
+EXTRA_OEMAKE += "TA_DEV_KIT_DIR=${TA_DEV_KIT_DIR} \
+                 OPTEE_OPENSSL_EXPORT=${STAGING_INCDIR} \
+                 CROSS_COMPILE_HOST=${HOST_PREFIX} \
+                 CROSS_COMPILE_TA=${HOST_PREFIX} \
+                 O=${B} \
+               "
+
+CFLAGS += "-Wno-error=deprecated-declarations"
 
 do_compile() {
-    oe_runmake all
+    cd ${S}
+    # Top level makefile doesn't seem to handle parallel make gracefully
+    oe_runmake xtest
+    oe_runmake ta
+    oe_runmake test_plugin
 }
 do_compile[cleandirs] = "${B}"
 
 do_install () {
-        install -d ${D}${bindir}
-        install ${B}/xtest/xtest ${D}${bindir}
+    install -D -p -m0755 ${B}/xtest/xtest ${D}${bindir}/xtest
 
-        install -d ${D}${nonarch_base_libdir}/optee_armtz
-        find ${B}/ta -name '*.ta' | while read name; do
-                install -m 444 $name ${D}${nonarch_base_libdir}/optee_armtz/
-        done
+    # install path should match the value set in optee-client/tee-supplicant
+    # default TEEC_LOAD_PATH is /lib
+    mkdir -p ${D}${nonarch_base_libdir}/optee_armtz/
+    install -D -p -m0444 ${B}/ta/*/*.ta ${D}${nonarch_base_libdir}/optee_armtz/
+    mkdir -p ${D}${libdir}/tee-supplicant/plugins
+    install -D -p -m0444 ${B}/supp_plugin/*.plugin ${D}${libdir}/tee-supplicant/plugins/
+}
 
-        install -d ${D}${libdir}/tee-supplicant/plugins/
-        install ${B}/supp_plugin/*plugin ${D}${libdir}/tee-supplicant/plugins/
+do_deploy () {
+    install -d ${DEPLOYDIR}/${MLPREFIX}optee/ta
+    install -m 644 ${B}/ta/*/*.elf ${DEPLOYDIR}/${MLPREFIX}optee/ta
 }
 
-FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/ ${libdir}/tee-supplicant/plugins/"
+addtask deploy before do_build after do_install
+
+FILES:${PN} += "${nonarch_base_libdir}/optee_armtz/ \
+                ${libdir}/tee-supplicant/plugins/ \
+               "
 
-RDEPENDS:${PN} = "optee-os"
+# Imports machine specific configs from staging to build
+PACKAGE_ARCH = "${MACHINE_ARCH}"
diff --git a/recipes-security/optee-imx/optee-test/run-ptest b/recipes-security/optee-imx/optee-test/run-ptest
new file mode 100644
index 00000000..ba88c14d
--- /dev/null
+++ b/recipes-security/optee-imx/optee-test/run-ptest
@@ -0,0 +1,52 @@
+#!/bin/sh
+xtest | awk '
+
+    # Escapes the special characters in a string so that, when
+    # included in a regex, it represents a literal match
+    function regx_escape_literal(str,    ret) {
+        ret = str
+        gsub(/[\[\]\^\$\.\*\?\+\{\}\\\(\)\|]/ , "\\\\&", str)
+        return str
+    }
+
+    # Returns the simple test formatted name
+    function name(n,    ret) {
+        ret = n
+        gsub(/\./, " ", ret)
+        return ret
+    }
+
+    # Returns the simple test formatted result
+    function result(res) {
+        if(res ~ /OK/) {
+            return "PASS"
+        } else if(res ~ /FAILED/) {
+            return "FAIL"
+        }
+    }
+
+    function parse(name, description,     has_subtests, result_line) {
+        has_subtests = 0
+
+        # Consume every line up to the result line
+        result_line = "  " regx_escape_literal(name) " (OK|FAILED)"
+        do {
+            getline
+
+            # If this is a subtest (denoted by an "o" bullet) then subparse
+            if($0 ~ /^o /) {
+                parse($2, description " : " substr($0, index($0, $3)))
+                has_subtests = 1
+            }
+        } while ($0 !~ result_line)
+
+        # Only print the results for the deepest nested subtests
+        if(!has_subtests) {
+            print result($2) ": " name(name) " - " description
+        }
+    }
+
+    # Start parsing at the beginning of every test (denoted by a "*" bullet)
+    /^\* / { parse($2, substr($0, index($0, $3))) }
+
+'
diff --git a/recipes-security/optee-imx/optee-test_4.2.0.imx.bb b/recipes-security/optee-imx/optee-test_4.2.0.imx.bb
deleted file mode 100644
index e2cf40e9..00000000
--- a/recipes-security/optee-imx/optee-test_4.2.0.imx.bb
+++ /dev/null
@@ -1,10 +0,0 @@
-# Copyright 2017-2024 NXP
-
-require optee-test-fslc.inc
-
-SRC_URI = "git://github.com/nxp-imx/imx-optee-test.git;protocol=https;branch=${SRCBRANCH}"
-
-SRCBRANCH = "lf-6.6.36_2.1.0"
-SRCREV = "5b52b48a73b4cc3f228ec66ae6cf9920897bb2e6"
-
-COMPATIBLE_MACHINE = "(imx-nxp-bsp)"
diff --git a/recipes-security/optee-imx/optee-test_4.4.0.imx.bb b/recipes-security/optee-imx/optee-test_4.4.0.imx.bb
new file mode 100644
index 00000000..b4ac1271
--- /dev/null
+++ b/recipes-security/optee-imx/optee-test_4.4.0.imx.bb
@@ -0,0 +1,13 @@
+# Copyright 2017-2024 NXP
+
+require optee-test-fslc-imx.inc
+
+# The BSD and GPL license files are now included in the source
+# https://github.com/OP-TEE/optee_test/commit/a748f5fcd9ec8a574dc86a5aa56d05bc6ac174e7
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=a8fa504109e4cd7ea575bc49ea4be560 \
+                    file://LICENSE-BSD;md5=dca16d6efa93b55d0fd662ae5cd6feeb \
+                    file://LICENSE-GPL;md5=10e86b5d2a6cb0e2b9dcfdd26a9ac58d"
+
+
+SRCBRANCH = "lf-6.6.52_2.2.0"
+SRCREV = "dafc98ed8364d7281a9a7f0788dd0a2067844a59"