trusted-firmware-a/optee-os: Add LPM support on few platforms

Adds the required TF-A and OP-TEE patches to enable LPM support on
J7200, J784s4, J742s2.

Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
Signed-off-by: Ryan Eatmon <reatmon@ti.com>

6 files changed, 446 insertions, 0 deletions

diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-ti.inc b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-ti.inc
index f188f35e..27d69241 100644
--- a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-ti.inc
+++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-ti.inc
@@ -1,5 +1,7 @@
 # NOTE: This .inc file with customizations only gets included for K3 platforms
 
+FILESEXTRAPATHS:prepend := "${THISDIR}/trusted-firmware-a:"
+
 PV = "2.13+git"
 
 LIC_FILES_CHKSUM = "file://docs/license.rst;md5=6ed7bace7b0bc63021c6eba7b524039e"
@@ -28,3 +30,14 @@ EXTRA_OEMAKE += "${@ 'BL32_BASE=' + d.getVar('TFA_K3_BL32_BASE') if d.getVar('TF
 EXTRA_OEMAKE += "${@ 'PRELOADED_BL33_BASE=' + d.getVar('TFA_K3_PRELOADED_BL33') if d.getVar('TFA_K3_PRELOADED_BL33') else ''}"
 EXTRA_OEMAKE += "${@ 'K3_PM_SYSTEM_SUSPEND=' + d.getVar('TFA_K3_SYSTEM_SUSPEND') if d.getVar('TFA_K3_SYSTEM_SUSPEND') else ''}"
 EXTRA_OEMAKE:append:ti-falcon = " PRELOADED_BL33_BASE=0x82000000 K3_HW_CONFIG_BASE=0x88000000"
+
+# LPM support patches for Jacinto platforms (J7200, J742S2, J784S4)
+TFA_JACINTO_LPM_PATCHES = " \
+    file://0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch \
+    file://0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch \
+    file://0003-feat-k3-handle-suspend-in-case-of-LPM_BOARDCFG_MANAG.patch \
+"
+
+SRC_URI:append:j7200 = " ${TFA_JACINTO_LPM_PATCHES}"
+SRC_URI:append:j742s2 = " ${TFA_JACINTO_LPM_PATCHES}"
+SRC_URI:append:j784s4 = " ${TFA_JACINTO_LPM_PATCHES}"
diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch
new file mode 100644
index 00000000..ad3b8fbf
--- /dev/null
+++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0001-feat-k3-choose-cluster_start_id-depending-on-the-soc.patch
@@ -0,0 +1,115 @@
+From 3de4f871d9bfe29c3862860e494bfa70ba72af3e Mon Sep 17 00:00:00 2001
+From: Abhash Kumar Jha <a-kumar2@ti.com>
+Date: Mon, 20 Oct 2025 11:26:17 +0530
+Subject: [PATCH 1/3] feat(k3): choose cluster_start_id depending on the soc
+
+The CLUSTER_DEVICE_START_ID denotes the device id of the A-core cluster.
+It is utilized when powering off the entire cluster.
+
+J7200, J721E and J721S2 have a different cluster_start_id than their
+"generic" counterparts.
+
+Query the JTAG_ID register to get the part id and choose the
+cluster_start_id depending on that.
+
+Upstream-Status: Pending
+
+Change-Id: I44d3ac0ec646c39019e4c0167d34f410015a147a
+Signed-off-by: Abhash Kumar Jha <a-kumar2@ti.com>
+---
+ plat/ti/k3/common/k3_bl31_setup.c |  1 +
+ plat/ti/k3/common/k3_psci.c       | 25 ++++++++++++++++++++++++-
+ plat/ti/k3/include/platform_def.h | 16 ++++++++++++++++
+ 3 files changed, 41 insertions(+), 1 deletion(-)
+
+diff --git a/plat/ti/k3/common/k3_bl31_setup.c b/plat/ti/k3/common/k3_bl31_setup.c
+index 1b93dc860..79a9c924c 100644
+--- a/plat/ti/k3/common/k3_bl31_setup.c
++++ b/plat/ti/k3/common/k3_bl31_setup.c
+@@ -20,6 +20,7 @@ const mmap_region_t plat_k3_mmap[] = {
+        K3_MAP_REGION_FLAT(SEC_PROXY_RT_BASE,   SEC_PROXY_RT_SIZE,   MT_DEVICE | MT_RW | MT_SECURE),
+        K3_MAP_REGION_FLAT(SEC_PROXY_SCFG_BASE, SEC_PROXY_SCFG_SIZE, MT_DEVICE | MT_RW | MT_SECURE),
+        K3_MAP_REGION_FLAT(SEC_PROXY_DATA_BASE, SEC_PROXY_DATA_SIZE, MT_DEVICE | MT_RW | MT_SECURE),
++       K3_MAP_REGION_FLAT(WKUP_CTRL_MMR0_BASE, WKUP_CTRL_MMR0_SIZE, MT_DEVICE | MT_RW | MT_SECURE),
+        { /* sentinel */ }
+ };
+
+diff --git a/plat/ti/k3/common/k3_psci.c b/plat/ti/k3/common/k3_psci.c
+index ec37d9f4c..a443dd851 100644
+--- a/plat/ti/k3/common/k3_psci.c
++++ b/plat/ti/k3/common/k3_psci.c
+@@ -11,6 +11,8 @@
+ #include <common/debug.h>
+ #include <lib/el3_runtime/cpu_data.h>
+ #include <lib/psci/psci.h>
++#include <lib/mmio.h>
++#include <lib/utils_def.h>
+ #include <plat/common/platform.h>
+
+ #include <ti_sci_protocol.h>
+@@ -83,6 +85,27 @@ static int k3_pwr_domain_on(u_register_t mpidr)
+        return PSCI_E_SUCCESS;
+ }
+
++uint32_t get_plat_cluster_start_id()
++{
++       static uint32_t cluster_id;
++       uint32_t part_id, jtag_id_reg;
++
++       if (cluster_id) {
++               return cluster_id;
++       }
++
++       jtag_id_reg = mmio_read_32(WKUP_CTRL_MMR0_BASE + JTAG_ID);
++       part_id = EXTRACT(JTAG_PART_ID, jtag_id_reg);
++
++       if ((part_id == J7200_PART_ID) || (part_id == J721E_PART_ID) || (part_id == J721S2_PART_ID)) {
++               cluster_id = J7_PLAT_CLUSTER_DEVICE_START_ID;
++       } else {
++               cluster_id = PLAT_CLUSTER_DEVICE_START_ID;
++       }
++
++       return cluster_id;
++}
++
+ void k3_pwr_domain_off(const psci_power_state_t *target_state)
+ {
+        int core, cluster, proc_id, device_id, cluster_id, ret;
+@@ -97,7 +120,7 @@ void k3_pwr_domain_off(const psci_power_state_t *target_state)
+        cluster = MPIDR_AFFLVL1_VAL(read_mpidr_el1());
+        proc_id = PLAT_PROC_START_ID + core;
+        device_id = PLAT_PROC_DEVICE_START_ID + core;
+-       cluster_id = PLAT_CLUSTER_DEVICE_START_ID + (cluster * 2);
++       cluster_id = get_plat_cluster_start_id() + (cluster * 2);
+
+        /*
+         * If we are the last core in the cluster then we take a reference to
+diff --git a/plat/ti/k3/include/platform_def.h b/plat/ti/k3/include/platform_def.h
+index db5e31d95..d191781a6 100644
+--- a/plat/ti/k3/include/platform_def.h
++++ b/plat/ti/k3/include/platform_def.h
+@@ -25,6 +25,22 @@
+ #define SEC_PROXY_RT_SIZE      0x80000
+ #endif /* K3_SEC_PROXY_LITE */
+
++#define WKUP_CTRL_MMR0_BASE            UL(0x43000000)
++#define WKUP_CTRL_MMR0_SIZE            UL(0x20000)
++#define JTAG_ID                        U(0x14)
++#define JTAG_PART_ID_MASK              GENMASK(27, 12)
++
++#define J721E_PART_ID                  U(0xBB64)
++#define J7200_PART_ID                  U(0xBB6D)
++#define J721S2_PART_ID                 U(0xBB75)
++#define J784S4_J742S2_PART_ID          U(0xBB80)
++
++#define JTAG_PART_ID_WIDTH             U(0x10)
++#define JTAG_PART_ID_SHIFT             U(0xC)
++
++/* A-core Cluster Device ID for j721e, j7200 and j721s2 */
++#define J7_PLAT_CLUSTER_DEVICE_START_ID        U(0x4)
++
+ #define SEC_PROXY_TIMEOUT_US           1000000
+ #define SEC_PROXY_MAX_MESSAGE_SIZE     56
+
+--
+2.34.1
diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch
new file mode 100644
index 00000000..09e69999
--- /dev/null
+++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0002-feat-ti-add-message-to-encrypt-tfa-during-suspend.patch
@@ -0,0 +1,194 @@
+From c79ff3679a4360bb848b01d4036c365533fcf791 Mon Sep 17 00:00:00 2001
+From: Richard Genoud <richard.genoud@bootlin.com>
+Date: Tue, 11 Feb 2025 18:20:17 +0100
+Subject: [PATCH 2/3] feat(ti): add message to encrypt tfa during suspend
+
+At suspend, BL31 with its context will be encrypted by TIFS in DDR.
+Encryption is needed for security matters, so that the BL31 is not
+modified before entering suspend or early at resume.
+
+We only need the encryption function here because the decryption message
+will be send by the R5 SPL at resume.
+
+Also introduce the LPM_ENCRYPT_IMAGE cap signals that FW has the support
+to encrypt the image using the TISCI_MSG_LPM_ENCRYPT tisci message.
+
+This is useful in suspend to ram cases where we would like to
+store the encrypted image of a secure fw instead of the original image
+itself in the DDR.
+
+Check for LPM_ENCRYPT_IMAGE flag in the FW capabilities, and only then
+call encrypt.
+
+Upstream-Status: Pending
+
+Change-Id: I266472da87dd0821493019b2d9853f8886f33811
+Signed-off-by: Richard Genoud <richard.genoud@bootlin.com>
+Signed-off-by: Abhash Kumar Jha <a-kumar2@ti.com>
+---
+ drivers/ti/ti_sci/ti_sci.c          | 36 +++++++++++++++++++++++++++++
+ drivers/ti/ti_sci/ti_sci.h          |  7 ++++++
+ drivers/ti/ti_sci/ti_sci_protocol.h | 32 +++++++++++++++++++++++++
+ plat/ti/k3/common/k3_psci.c         | 10 ++++++++
+ 4 files changed, 85 insertions(+)
+
+diff --git a/drivers/ti/ti_sci/ti_sci.c b/drivers/ti/ti_sci/ti_sci.c
+index f0813e5b0..ee5f7166f 100644
+--- a/drivers/ti/ti_sci/ti_sci.c
++++ b/drivers/ti/ti_sci/ti_sci.c
+@@ -1784,3 +1784,39 @@ int ti_sci_lpm_get_next_sys_mode(uint8_t *next_mode)
+
+        return 0;
+ }
++/*
++ * ti_sci_encrypt_tfa - Ask TIFS to encrypt TFA at a specific address
++ *
++ * @src_tfa_addr: Address where the TFA lies unencrypted
++ * @src_tfa_len: Size of the TFA unencrypted
++ *
++ * Return: 0 if all goes well, else appropriate error message
++ */
++int ti_sci_encrypt_tfa(uint64_t src_tfa_addr,
++                      uint32_t src_tfa_len)
++{
++       struct ti_sci_msg_req_encrypt_tfa req = { 0 };
++       struct ti_sci_msg_resp_encrypt_tfa resp = { 0 };
++       struct ti_sci_xfer xfer;
++       int ret;
++
++       ret = ti_sci_setup_one_xfer(TISCI_MSG_LPM_ENCRYPT_TFA, 0,
++                                   &req, sizeof(req),
++                                   &resp, sizeof(resp),
++                                   &xfer);
++       if (ret != 0U) {
++               ERROR("Message alloc failed (%d)\n", ret);
++               return ret;
++       }
++
++       req.src_tfa_addr = src_tfa_addr;
++       req.src_tfa_len = src_tfa_len;
++
++       ret = ti_sci_do_xfer(&xfer);
++       if (ret != 0U) {
++               ERROR("Transfer send failed (%d)\n", ret);
++               return ret;
++       }
++
++       return 0;
++}
+diff --git a/drivers/ti/ti_sci/ti_sci.h b/drivers/ti/ti_sci/ti_sci.h
+index 1f1963274..2afa11317 100644
+--- a/drivers/ti/ti_sci/ti_sci.h
++++ b/drivers/ti/ti_sci/ti_sci.h
+@@ -258,6 +258,11 @@ int ti_sci_proc_wait_boot_status_no_wait(uint8_t proc_id,
+  *
+  * Return: 0 if all goes well, else appropriate error message
+  *
++ * - ti_sci_encrypt_tfa - Ask TIFS to encrypt TFA at a specific address
++ *
++ *             @src_tfa_addr: Address where the TFA lies unencrypted
++ *             @src_tfa_len: Size of the TFA unencrypted
++ *
+  * NOTE: for all these functions, the following are generic in nature:
+  * Returns 0 for successful request, else returns corresponding error message.
+  */
+@@ -265,5 +270,7 @@ int ti_sci_enter_sleep(uint8_t proc_id,
+                       uint8_t mode,
+                       uint64_t core_resume_addr);
+ int ti_sci_lpm_get_next_sys_mode(uint8_t *next_mode);
++int ti_sci_encrypt_tfa(uint64_t src_tfa_addr,
++                      uint32_t src_tfa_len);
+
+ #endif /* TI_SCI_H */
+diff --git a/drivers/ti/ti_sci/ti_sci_protocol.h b/drivers/ti/ti_sci/ti_sci_protocol.h
+index bdd24622a..a165cda99 100644
+--- a/drivers/ti/ti_sci/ti_sci_protocol.h
++++ b/drivers/ti/ti_sci/ti_sci_protocol.h
+@@ -53,6 +53,9 @@
+ #define TISCI_MSG_GET_PROC_BOOT_STATUS 0xc400
+ #define TISCI_MSG_WAIT_PROC_BOOT_STATUS        0xc401
+
++/* TFA encrypt/decrypt messages */
++#define TISCI_MSG_LPM_ENCRYPT_TFA      0x030F
++
+ /**
+  * struct ti_sci_secure_msg_hdr - Header that prefixes all TISCI messages sent
+  *                               via secure transport.
+@@ -160,6 +163,7 @@ struct ti_sci_msg_resp_query_fw_caps {
+ #define MSG_FLAG_CAPS_LPM_STANDBY      TI_SCI_MSG_FLAG(3)
+ #define MSG_FLAG_CAPS_LPM_PARTIAL_IO   TI_SCI_MSG_FLAG(4)
+ #define MSG_FLAG_CAPS_LPM_DM_MANAGED   TI_SCI_MSG_FLAG(5)
++#define MSG_FLAG_CAPS_LPM_ENCRYPT_IMAGE        TI_SCI_MSG_FLAG(11)
+        uint64_t fw_caps;
+ } __packed;
+
+@@ -810,4 +814,32 @@ struct ti_sci_msg_resp_lpm_get_next_sys_mode {
+        uint8_t mode;
+ } __packed;
+
++/*
++ * struct ti_sci_msg_req_encrypt_tfa - Request for TISCI_MSG_LPM_ENCRYPT_TFA.
++ *
++ * @hdr                        Generic Header
++ * @src_tfa_addr:  Address where the TFA lies unencrypted
++ * @src_tfa_len:   Size of the TFA unencrypted
++ *
++ * This message is to be sent when the system is going in suspend, just before
++ * TI_SCI_MSG_ENTER_SLEEP.
++ * The TIFS will then encrypt the TFA and store it in RAM, along with a private
++ * header.
++ * Upon resume, the SPL will ask TIFS to decrypt it back.
++ */
++struct ti_sci_msg_req_encrypt_tfa {
++       struct ti_sci_msg_hdr hdr;
++       uint64_t src_tfa_addr;
++       uint32_t src_tfa_len;
++} __packed;
++
++/*
++ * struct ti_sci_msg_req_encrypt_tfa - Request for TISCI_MSG_LPM_ENCRYPT_TFA.
++ *
++ * @hdr                        Generic Header
++ */
++struct ti_sci_msg_resp_encrypt_tfa {
++       struct ti_sci_msg_hdr hdr;
++} __packed;
++
+ #endif /* TI_SCI_PROTOCOL_H */
+diff --git a/plat/ti/k3/common/k3_psci.c b/plat/ti/k3/common/k3_psci.c
+index a443dd851..c2017666b 100644
+--- a/plat/ti/k3/common/k3_psci.c
++++ b/plat/ti/k3/common/k3_psci.c
+@@ -24,6 +24,7 @@
+ #define SYSTEM_PWR_STATE(state) ((state)->pwr_domain_state[PLAT_MAX_PWR_LVL])
+
+ uintptr_t k3_sec_entrypoint;
++bool encrypt_image;
+
+ static void k3_cpu_standby(plat_local_state_t cpu_state)
+ {
+@@ -282,6 +283,11 @@ static void k3_pwr_domain_suspend_to_mode(const psci_power_state_t *target_state
+        k3_gic_cpuif_disable();
+        k3_gic_save_context();
+
++       if (encrypt_image)
++       {
++               ti_sci_encrypt_tfa((uint64_t)__TEXT_START__, BL31_SIZE);
++       }
++
+        k3_pwr_domain_off(target_state);
+
+        ti_sci_enter_sleep(proc_id, mode, k3_sec_entrypoint);
+@@ -347,6 +353,10 @@ int plat_setup_psci_ops(uintptr_t sec_entrypoint,
+                ERROR("Unable to query firmware capabilities (%d)\n", ret);
+        }
+
++       if (fw_caps & MSG_FLAG_CAPS_LPM_ENCRYPT_IMAGE) {
++               encrypt_image = true;
++       }
++
+        /* If firmware does not support any known suspend mode */
+        if (!(fw_caps & (MSG_FLAG_CAPS_LPM_DEEP_SLEEP |
+                         MSG_FLAG_CAPS_LPM_MCU_ONLY |
+--
+2.34.1
diff --git a/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0003-feat-k3-handle-suspend-in-case-of-LPM_BOARDCFG_MANAG.patch b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0003-feat-k3-handle-suspend-in-case-of-LPM_BOARDCFG_MANAG.patch
new file mode 100644
index 00000000..a1209fe1
--- /dev/null
+++ b/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a/0003-feat-k3-handle-suspend-in-case-of-LPM_BOARDCFG_MANAG.patch
@@ -0,0 +1,68 @@
+From 470cf022d03e350beab36605d4250944d2c92ffe Mon Sep 17 00:00:00 2001
+From: Abhash Kumar Jha <a-kumar2@ti.com>
+Date: Tue, 28 Oct 2025 23:24:22 +0530
+Subject: [PATCH 3/3] feat(k3): handle suspend in case of LPM_BOARDCFG_MANAGED
+
+The J7 platforms support LPM_BOARDCFG_MANAGED capability where the
+low power mode configuration is done statically for the DM via the
+pm-boardcfg.
+
+This is entirely opposite to the case of DM_MANAGED, where the DM fw
+decides the low power mode to enter into.
+
+Introduce LPM_BOARDCFG_MANAGED cap to handle suspend for those
+platforms as well.
+
+Upstream-Status: Pending
+
+Change-Id: Iaa0ab478cbe0db6652f61e9d733c0fddb4bab234
+Signed-off-by: Abhash Kumar Jha <a-kumar2@ti.com>
+---
+ drivers/ti/ti_sci/ti_sci_protocol.h |  1 +
+ plat/ti/k3/common/k3_psci.c         | 13 ++++++++-----
+ 2 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/ti/ti_sci/ti_sci_protocol.h b/drivers/ti/ti_sci/ti_sci_protocol.h
+index a165cda99..b83174b0d 100644
+--- a/drivers/ti/ti_sci/ti_sci_protocol.h
++++ b/drivers/ti/ti_sci/ti_sci_protocol.h
+@@ -164,6 +164,7 @@ struct ti_sci_msg_resp_query_fw_caps {
+ #define MSG_FLAG_CAPS_LPM_PARTIAL_IO   TI_SCI_MSG_FLAG(4)
+ #define MSG_FLAG_CAPS_LPM_DM_MANAGED   TI_SCI_MSG_FLAG(5)
+ #define MSG_FLAG_CAPS_LPM_ENCRYPT_IMAGE        TI_SCI_MSG_FLAG(11)
++#define MSG_FLAG_CAPS_LPM_BOARDCFG_MANAGED     TI_SCI_MSG_FLAG(12)
+        uint64_t fw_caps;
+ } __packed;
+
+diff --git a/plat/ti/k3/common/k3_psci.c b/plat/ti/k3/common/k3_psci.c
+index c2017666b..9cf41b4cb 100644
+--- a/plat/ti/k3/common/k3_psci.c
++++ b/plat/ti/k3/common/k3_psci.c
+@@ -357,17 +357,20 @@ int plat_setup_psci_ops(uintptr_t sec_entrypoint,
+                encrypt_image = true;
+        }
+
+-       /* If firmware does not support any known suspend mode */
+-       if (!(fw_caps & (MSG_FLAG_CAPS_LPM_DEEP_SLEEP |
++       /* If firmware is capabale of low power modes */
++       if (fw_caps & (MSG_FLAG_CAPS_LPM_DM_MANAGED |
++                       MSG_FLAG_CAPS_LPM_BOARDCFG_MANAGED)) {
++               k3_plat_psci_ops.pwr_domain_suspend = k3_pwr_domain_suspend_dm_managed;
++       } else if (!(fw_caps & (MSG_FLAG_CAPS_LPM_DEEP_SLEEP |
+                         MSG_FLAG_CAPS_LPM_MCU_ONLY |
+                         MSG_FLAG_CAPS_LPM_STANDBY |
+                         MSG_FLAG_CAPS_LPM_PARTIAL_IO))) {
+-               /* Disable PSCI suspend support */
++               /* If firmware does not support any known suspend mode
++                * disable PSCI suspend support
++                */
+                k3_plat_psci_ops.pwr_domain_suspend = NULL;
+                k3_plat_psci_ops.pwr_domain_suspend_finish = NULL;
+                k3_plat_psci_ops.get_sys_suspend_power_state = NULL;
+-       } else if (fw_caps & MSG_FLAG_CAPS_LPM_DM_MANAGED) {
+-               k3_plat_psci_ops.pwr_domain_suspend = k3_pwr_domain_suspend_dm_managed;
+        }
+
+        *psci_ops = &k3_plat_psci_ops;
+--
+2.34.1
diff --git a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
index 61a74a06..d636ae00 100644
--- a/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
+++ b/meta-ti-bsp/recipes-security/optee/optee-os-ti-overrides.inc
@@ -1,6 +1,8 @@
 # Use TI SECDEV for signing
 inherit ti-secdev
 
+FILESEXTRAPATHS:prepend := "${THISDIR}/optee-os:"
+
 EXTRA_OEMAKE:remove = "CFG_MAP_EXT_DT_SECURE=y"
 
 EXTRA_OEMAKE:append:k3 = " ${@ 'CFG_CONSOLE_UART='+ d.getVar('OPTEE_K3_USART') if d.getVar('OPTEE_K3_USART') else ''}"
@@ -76,3 +78,12 @@ RDEPENDS:${PN} += "${PN}-ta"
 
 # This is needed for bl32.elf
 INSANE_SKIP:${PN}:append:k3 = " textrel"
+
+# LPM support patch for Jacinto platforms (J7200, J742S2, J784S4)
+OPTEE_JACINTO_LPM_PATCHES = " \
+    file://0001-plat-k3-drivers-Open-TRNG-firewall-for-TIFS-on-all-k.patch \
+"
+
+SRC_URI:append:j7200 = " ${OPTEE_JACINTO_LPM_PATCHES}"
+SRC_URI:append:j742s2 = " ${OPTEE_JACINTO_LPM_PATCHES}"
+SRC_URI:append:j784s4 = " ${OPTEE_JACINTO_LPM_PATCHES}"
diff --git a/meta-ti-bsp/recipes-security/optee/optee-os/0001-plat-k3-drivers-Open-TRNG-firewall-for-TIFS-on-all-k.patch b/meta-ti-bsp/recipes-security/optee/optee-os/0001-plat-k3-drivers-Open-TRNG-firewall-for-TIFS-on-all-k.patch
new file mode 100644
index 00000000..59d7a795
--- /dev/null
+++ b/meta-ti-bsp/recipes-security/optee/optee-os/0001-plat-k3-drivers-Open-TRNG-firewall-for-TIFS-on-all-k.patch
@@ -0,0 +1,45 @@
+From 00f74ba2ab00088d51e6da3c0eefe50599ef5c82 Mon Sep 17 00:00:00 2001
+From: Prasanth Babu Mantena <p-mantena@ti.com>
+Date: Mon, 3 Nov 2025 12:42:57 +0530
+Subject: [PATCH] plat-k3: drivers: Open TRNG firewall for TIFS on all k3 devs
+
+On k3 devices, TRNG is firewalled to be accessed only by OPTEE.
+
+TIFS needs this for the encryption and decryption services to support
+different low power modes. So, open firewall to TIFS as well.
+
+There is no concurrent usage of TRNG, as TIFS uses TRNG only at suspend
+when OPTEE is down and resume, when firewalls are restored but OPTEE is
+not up yet.
+
+As this is a firewall that required to be shared along with TIFS on all
+devices, making this a common change and open on all devs.
+
+Upstream-Status: Submitted [https://github.com/OP-TEE/optee_os/pull/7582]
+
+Signed-off-by: Prasanth Babu Mantena <p-mantena@ti.com>
+Reviewed-by: Manorit Chawdhry <m-chawdhry@ti.com>
+Reviewed-by: Andrew Davis <afd@ti.com>
+---
+ core/arch/arm/plat-k3/drivers/sa2ul.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/core/arch/arm/plat-k3/drivers/sa2ul.c b/core/arch/arm/plat-k3/drivers/sa2ul.c
+index c50757b2c..e10bde131 100644
+--- a/core/arch/arm/plat-k3/drivers/sa2ul.c
++++ b/core/arch/arm/plat-k3/drivers/sa2ul.c
+@@ -121,12 +121,7 @@ static TEE_Result sa2ul_init(void)
+        start_address = RNG_BASE;
+        end_address = RNG_BASE + RNG_REG_SIZE - 1;
+        permissions[num_perm++] = (FW_BIG_ARM_PRIVID << 16) | FW_SECURE_ONLY;
+-#if defined(PLATFORM_FLAVOR_am62x) || \
+-       defined(PLATFORM_FLAVOR_am62ax) || \
+-       defined(PLATFORM_FLAVOR_am62px)
+-
+        permissions[num_perm++] = (FW_TIFS_PRIVID << 16) | FW_NON_SECURE;
+-#endif
+        ret = ti_sci_set_fwl_region(fwl_id, rng_region, num_perm,
+                                    control, permissions,
+                                    start_address, end_address);
+--
+2.34.1