* [PATCH meta-rockchip 0/2] add support for (upstream) OP-TEE OS
@ 2026-01-26 14:48 Quentin Schulz
  2026-01-26 14:48 ` [PATCH meta-rockchip 1/2] bsp: rkbin: optee-os: sync destination and name with upstream " Quentin Schulz
  2026-01-26 14:48 ` [PATCH meta-rockchip 2/2] add support for baking OP-TEE OS into U-Boot proper binary Quentin Schulz
  0 siblings, 2 replies; 6+ messages in thread
From: Quentin Schulz @ 2026-01-26 14:48 UTC (permalink / raw)
  To: yocto-patches; +Cc: Quentin Schulz

This adds support for baking upstream OP-TEE OS into U-Boot.

There's a patch for syncing the rkbin blobs' naming and paths with the
upstream recipe, but note this hasn't been tested at all (and if I
remember correctly, one cannot use the blobs with upstream U-Boot).

This uses the debug private key from the OP-TEE OS git tree, which is
**INSECURE**!!! How to provide your own private key hasn't been
researched for now, patches welcome!

This was tested on PX30 Ringneck, RK3399 Puma and RK3588 Tiger on a
downstream layer by generating a core-image-minimal with

  PREFERRED_PROVIDER_optee-os = "optee-os"
  RK_UBOOT_TEE ?= "1"

in a conf file and

  IMAGE_INSTALL += "optee-test"

in a recipes-core/images/core-image-minimal.bbappend, then boot the
image and run `xtest`. It'll take a few minutes to complete.

Note that currently, meta-arm only has a v4.7.0 recipe and two tests are
failing on RK3588. There are patches[1] on the meta-arm mailing list for
bumping to v4.9.0 where those tests aren't failing anymore.

RK356x support is being worked on upstream as far as I've been told but
nothing merged or even ready yet, see
https://github.com/OP-TEE/optee_os/pull/6954 for possibly where things
are going to happen (not guaranteed).

[1] https://lore.kernel.org/yocto-meta-arm/20260121140356.16818-1-hugues.kambampiana@arm.com/

Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
---
Quentin Schulz (2):
      bsp: rkbin: optee-os: sync destination and name with upstream OP-TEE OS
      add support for baking OP-TEE OS into U-Boot proper binary

 README                                             | 42 ++++++++++++++++++++++
 conf/machine/include/px30.inc                      |  7 ++++
 conf/machine/include/rk3399.inc                    |  7 ++++
 conf/machine/include/rk3588s.inc                   |  7 ++++
 recipes-bsp/rkbin/rk3308-rkbin_git.bb              |  2 +-
 recipes-bsp/rkbin/rockchip-rkbin-optee-os_git.bb   |  8 ++---
 recipes-bsp/rkbin/rockchip-rkbin.inc               |  2 +-
 recipes-bsp/u-boot/u-boot-rockchip.inc             |  6 ++++
 .../optee/optee-os-tadevkit_%.bbappend             |  3 ++
 recipes-security/optee/optee-os_%.bbappend         | 19 ++++++++++
 recipes-security/optee/optee-test_%.bbappend       |  3 ++
 11 files changed, 100 insertions(+), 6 deletions(-)
---
base-commit: 2a13a49da4af4487ee71db6aff19364220da694a
change-id: 20260126-optee-os-6e01be39ebb4

Best regards,
-- 
Quentin Schulz <quentin.schulz@cherry.de>



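The cover letter's only acceptance check is to boot and run `xtest`. A build-side check a practitioner wants before flashing is to confirm that the produced u-boot.itb really carries an OP-TEE image and that the default configuration lists it among its loadables; otherwise a wrong `TEE=` path or a stale deploy directory gives you a U-Boot that boots fine without any TEE. The Python below is an added example, not code from this series or from meta-rockchip. A FIT is a flattened device tree, so it contains a small DTB parser; because it must run offline it also constructs its own sample FIT, shaped like U-Boot's rockchip FIT with image nodes u-boot, atf-1 and tee-1 and a config-1 configuration. Those node names and the `type = "tee"` convention for the OP-TEE image are assumptions about U-Boot's FIT layout, and the sample blob is constructed, not a real build artefact. Note what this check cannot see: whether BL31 was built with `TFA_SPD = "opteed"`, without which the image is carried but never started.

```python
"""Added example (not from this series): check that a U-Boot FIT (u-boot.itb) carries an OP-TEE image."""
import struct
import sys

FDT_MAGIC = 0xD00DFEED
BEGIN_NODE, END_NODE, PROP, NOP, END = 1, 2, 3, 4, 9  # DTB structure block tokens

def _pad4(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 4)

def build_dtb(root: dict) -> bytes:
    """Serialise {name, props, children} into a DTB; only used for the constructed sample."""
    tree, strs, offs = bytearray(), bytearray(), {}

    def emit(node):
        tree.extend(struct.pack(">I", BEGIN_NODE) + _pad4(node["name"].encode() + b"\0"))
        for name, value in node["props"].items():
            if name not in offs:  # property names live in a shared strings block
                offs[name] = len(strs)
                strs.extend(name.encode() + b"\0")
            tree.extend(struct.pack(">III", PROP, len(value), offs[name]) + _pad4(value))
        for child in node["children"]:
            emit(child)
        tree.extend(struct.pack(">I", END_NODE))

    emit(root)
    tree.extend(struct.pack(">I", END))
    off_struct = 40 + 16  # 40-byte header followed by an empty memory reservation block
    off_strings = off_struct + len(tree)
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strs), off_struct, off_strings,
                         40, 17, 16, 0, len(strs), len(tree))
    return header + b"\0" * 16 + bytes(tree) + bytes(strs)

def parse_fdt(blob: bytes) -> dict:
    """Parse a DTB into nested dicts {name, props, children}; property values stay raw bytes."""
    hdr = struct.unpack_from(">10I", blob, 0)
    if hdr[0] != FDT_MAGIC:
        raise ValueError("not a DTB/FIT image (bad magic)")
    pos, off_strings, root, stack = hdr[2], hdr[3], None, []
    while True:
        (tok,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if tok == BEGIN_NODE:
            end = blob.index(b"\0", pos)
            node = {"name": blob[pos:end].decode(), "props": {}, "children": []}
            pos = end + 1 + (-(end + 1) % 4)  # NUL-terminated name, padded to 4 bytes
            if stack:
                stack[-1]["children"].append(node)
            root = root or node  # the first BEGIN_NODE is the root
            stack.append(node)
        elif tok == END_NODE:
            stack.pop()
        elif tok == PROP:
            length, nameoff = struct.unpack_from(">II", blob, pos)
            pos += 8
            name = blob[off_strings + nameoff:blob.index(b"\0", off_strings + nameoff)].decode()
            stack[-1]["props"][name] = blob[pos:pos + length]
            pos += length + (-length % 4)
        elif tok == END:
            return root
        elif tok != NOP:
            raise ValueError(f"unexpected FDT token {tok:#x} at offset {pos - 4:#x}")

def _child(node, name):
    return next((c for c in node["children"] if c["name"] == name), None) if node else None

def _strlist(raw: bytes) -> list:
    return [s.decode() for s in raw.split(b"\0") if s]

def fit_images(fit: dict) -> dict:
    """Map /images/<node> -> 'type'; 'tee' is the FIT image type U-Boot gives OP-TEE (assumed)."""
    images = _child(fit, "images")
    return {i["name"]: (_strlist(i["props"].get("type", b"")) or [""])[0]
            for i in images["children"]} if images else {}

def fit_tee_status(fit: dict) -> dict:
    """Is there a tee image, and does the default configuration list it as a loadable?"""
    images = fit_images(fit)
    tee_nodes = [n for n, t in images.items() if t == "tee"]
    cfgs = _child(fit, "configurations")
    default = (_strlist(cfgs["props"].get("default", b"")) or [None])[0] if cfgs else None
    cfg = _child(cfgs, default) if default else None
    loadables = _strlist(cfg["props"].get("loadables", b"")) if cfg else []
    return {"images": images, "tee_nodes": tee_nodes, "default_config": default,
            "loadables": loadables, "tee_loaded": any(n in loadables for n in tee_nodes)}

def sample_fit(with_tee: bool) -> bytes:
    """Constructed sample shaped like U-Boot's rockchip FIT (assumed node names); not a real build."""
    def node(name, children=(), **props):
        return {"name": name, "props": dict(props), "children": list(children)}
    images = [node("u-boot", type=b"standalone\0"), node("atf-1", type=b"firmware\0")]
    if with_tee:
        images.append(node("tee-1", type=b"tee\0", os=b"tee\0"))
    loadables = b"".join(i["name"].encode() + b"\0" for i in images if i["name"] != "atf-1")
    cfg = node("config-1", firmware=b"atf-1\0", loadables=loadables)
    cfgs = node("configurations", [cfg], default=b"config-1\0")
    return build_dtb(node("", [node("images", images), cfgs], description=b"constructed sample FIT\0"))

if __name__ == "__main__":  # usage: python3 check_fit_tee.py [u-boot.itb]; no argument checks the sample
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_fit(True)
    print(fit_tee_status(parse_fdt(blob)))
```

Run it against `${DEPLOY_DIR_IMAGE}/u-boot.itb` after a build with RK_UBOOT_TEE enabled; `tee_loaded` must be true and `tee_nodes` non-empty, and if `images` lists no `tee` type at all the `TEE=` make argument never reached U-Boot's binman.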

* [PATCH meta-rockchip 1/2] bsp: rkbin: optee-os: sync destination and name with upstream OP-TEE OS
  2026-01-26 14:48 [PATCH meta-rockchip 0/2] add support for (upstream) OP-TEE OS Quentin Schulz
@ 2026-01-26 14:48 ` Quentin Schulz
  2026-01-26 14:48 ` [PATCH meta-rockchip 2/2] add support for baking OP-TEE OS into U-Boot proper binary Quentin Schulz
  1 sibling, 0 replies; 6+ messages in thread
From: Quentin Schulz @ 2026-01-26 14:48 UTC (permalink / raw)
  To: yocto-patches; +Cc: Quentin Schulz

From: Quentin Schulz <quentin.schulz@cherry.de>

Upstream OP-TEE OS deploys a tee.bin (and other binaries) to an optee
subdirectory in the DEPLOY_DIR_IMAGE.

Let's make sure we align with the same name and location for the rkbin blob.

Since this now deploys in a subdirectory, we need to make sure it is
created first, by adding -D to the install command.

Note that this hasn't been tested at all. The only combination I've ever
done is upstream U-Boot + upstream TF-A + upstream OP-TEE OS. But if it
works, this commit will make it possible to transparently interchange the
OP-TEE OS blob with upstream OP-TEE OS for the U-Boot recipe (OP-TEE OS
support will be added in the next commit) by making sure the names
match.

Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
---
 recipes-bsp/rkbin/rk3308-rkbin_git.bb            | 2 +-
 recipes-bsp/rkbin/rockchip-rkbin-optee-os_git.bb | 8 ++++----
 recipes-bsp/rkbin/rockchip-rkbin.inc             | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/recipes-bsp/rkbin/rk3308-rkbin_git.bb b/recipes-bsp/rkbin/rk3308-rkbin_git.bb
index ab2c70f..7e816d7 100644
--- a/recipes-bsp/rkbin/rk3308-rkbin_git.bb
+++ b/recipes-bsp/rkbin/rk3308-rkbin_git.bb
@@ -30,7 +30,7 @@ do_deploy:rk3308() {
 	# Prebuilt TF-A
 	install -m 644 ${S}/bin/rk33/rk3308_bl31_v*.elf ${DEPLOYDIR}/bl31-rk3308.elf
 	# Prebuilt OPTEE-OS
-	install -m 644 ${S}/bin/rk33/rk3308_bl32_v*.bin ${DEPLOYDIR}/tee-rk3308.bin
+	install -D -m 644 ${S}/bin/rk33/rk3308_bl32_v*.bin ${DEPLOYDIR}/optee/tee.bin
 	# Prebuilt U-Boot TPL (DDR init)
 	install -m 644 ${S}/bin/rk33/rk3308_ddr_589MHz_uart0_m0_v*.bin ${DEPLOYDIR}/ddr-rk3308.bin
 }
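Review bot: the destination `${DEPLOYDIR}/optee/tee.bin` is a literal here, while rockchip-rkbin-optee-os_git.bb gets it through RKBIN_DEPLOY_FILENAME and the U-Boot recipe in patch 2 spells it out a third time in the `TEE=` make argument; if one of the three is renamed later, U-Boot's do_compile dependency is still satisfied but the FIT is built without a TEE, with no build error. Consider reusing one variable for all three, or at least a comment next to this `install -D` pointing at the other two places. Since the cover letter says the rkbin path was not exercised at all, and this is the only place where the rk3308 name changes, a note to that effect in this commit message would help whoever tests rk3308 next.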
diff --git a/recipes-bsp/rkbin/rockchip-rkbin-optee-os_git.bb b/recipes-bsp/rkbin/rockchip-rkbin-optee-os_git.bb
index 0f3c927..372307d 100644
--- a/recipes-bsp/rkbin/rockchip-rkbin-optee-os_git.bb
+++ b/recipes-bsp/rkbin/rockchip-rkbin-optee-os_git.bb
@@ -4,21 +4,21 @@ require rockchip-rkbin.inc
 
 PROVIDES += "optee-os"
 
+# Must match the naming and path used in
+# meta-arm/recipes-security/optee/optee-os.inc
+RKBIN_DEPLOY_FILENAME = "optee/tee.bin"
+
 RKBIN_BINVERS:rk3308 ?= "v2.09"
 RKBIN_BINFILE:rk3308 ?= "rk3308_bl32_${RKBIN_BINVERS}.bin"
-RKBIN_DEPLOY_FILENAME:rk3308 ?= "tee-rk3308.bin"
 
 RKBIN_BINVERS_RK356x ?= "v2.15"
 RKBIN_BINVERS:rk3566 ?= "${RKBIN_BINVERS_RK356x}"
 # NOTE: the following are not typos
 #       the rk3566 uses the same bl32 as the rk3568
 RKBIN_BINFILE:rk3566 ?= "rk3568_bl32_${RKBIN_BINVERS}.bin"
-RKBIN_DEPLOY_FILENAME:rk3566 ?= "tee-rk3566.bin"
 
 RKBIN_BINVERS:rk3568 ?= "${RKBIN_BINVERS_RK356x}"
 RKBIN_BINFILE:rk3568 ?= "rk3568_bl32_${RKBIN_BINVERS}.bin"
-RKBIN_DEPLOY_FILENAME:rk3568 ?= "tee-rk3568.bin"
 
 RKBIN_BINVERS:rk3588s ?= "v1.19"
 RKBIN_BINFILE:rk3588s ?= "rk3588_bl32_${RKBIN_BINVERS}.bin"
-RKBIN_DEPLOY_FILENAME:rk3588s ?= "tee-rk3588.bin"
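Review bot: `RKBIN_DEPLOY_FILENAME = "optee/tee.bin"` is a hard assignment replacing three `?=` lines, so a board layer can no longer override the name. That is probably intended, the comment says it must match meta-arm's optee-os.inc, but it is a behaviour change for anyone consuming tee-rk3566.bin, tee-rk3568.bin or tee-rk3588.bin from DEPLOY_DIR_IMAGE (a wic file, a downstream U-Boot bbappend), and deserves a line in the commit message. As the message says this path is untested, a build-only check before merging would be cheap: `bitbake rockchip-rkbin-optee-os -c deploy` and confirm DEPLOY_DIR_IMAGE/optee/tee.bin exists for one of the rkbin machines.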
diff --git a/recipes-bsp/rkbin/rockchip-rkbin.inc b/recipes-bsp/rkbin/rockchip-rkbin.inc
index 25ec58c..9ddd54f 100644
--- a/recipes-bsp/rkbin/rockchip-rkbin.inc
+++ b/recipes-bsp/rkbin/rockchip-rkbin.inc
@@ -41,7 +41,7 @@ do_deploy() {
 		bbfatal "Non-empty RKBIN_DEPLOY_FILENAME:<MACHINE> required!"
 	fi
 
-	install -m 644 ${S}/${RKBIN_BINDIR}${RKBIN_BINFILE} ${DEPLOYDIR}/${RKBIN_DEPLOY_FILENAME}
+	install -D -m 644 ${S}/${RKBIN_BINDIR}${RKBIN_BINFILE} ${DEPLOYDIR}/${RKBIN_DEPLOY_FILENAME}
 }
 
 addtask deploy after do_install
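Review bot: the bbfatal text two lines above the changed `install`, "Non-empty RKBIN_DEPLOY_FILENAME:<MACHINE> required!", becomes misleading with this series, since the OP-TEE recipe now sets RKBIN_DEPLOY_FILENAME without any machine override; suggest rewording it to "Non-empty RKBIN_DEPLOY_FILENAME required!" in the same patch. The `-D` itself is the right fix for the new subdirectory; Trevor reports later in the thread that this hunk needed fuzz to apply on current master, so it will need a rebase anyway.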

-- 
2.52.0




* [PATCH meta-rockchip 2/2] add support for baking OP-TEE OS into U-Boot proper binary
  2026-01-26 14:48 [PATCH meta-rockchip 0/2] add support for (upstream) OP-TEE OS Quentin Schulz
  2026-01-26 14:48 ` [PATCH meta-rockchip 1/2] bsp: rkbin: optee-os: sync destination and name with upstream " Quentin Schulz
@ 2026-01-26 14:48 ` Quentin Schulz
  2026-05-27 15:30   ` [yocto-patches] " Trevor Woerner
  1 sibling, 1 reply; 6+ messages in thread
From: Quentin Schulz @ 2026-01-26 14:48 UTC (permalink / raw)
  To: yocto-patches; +Cc: Quentin Schulz

From: Quentin Schulz <quentin.schulz@cherry.de>

TF-A has support for loading OP-TEE OS as BL32 which allows us to have
the following boot flow on supported Rockchip SoCs:

BootROM -> U-Boot TPL/SPL -> TF-A (BL31) -> OP-TEE OS (BL32) -> U-Boot
proper -> Linux kernel

TF-A must be built with support for the opteed payload via the SPD
variable. It can always be set, the downside is that if it's set and no
OP-TEE OS is available to load, it'll complain with

  ERROR:   Error initializing runtime service opteed_fast

but will still continue the boot flow.

U-Boot proper must be built with OPTEE_LIB enabled (force-enabled in
U-Boot v2026.01 when the TEE environment variable is set); otherwise
random crashes may happen while in Linux, as the memory marked as secure
for OP-TEE OS isn't reserved and the kernel may use it and trigger a
security exception.

This has only been tested with `xtest` on PX30, RK3399 and RK3588
platforms; all tests pass. Note that this is insecure by default as it's
using the default development key in the OP-TEE OS tree, which isn't
secret at all. I have not looked into how to provide your own key pair.

Note that xtest has two fails on RK3588 with OP-TEE OS v4.7.0. They are
fixed since v4.8.0 (v4.9.0 series for meta-arm has been posted
already[1]).

We also pass a few variables to make. One avoids panics when an FDT is
passed by TF-A (which happens when SPL_ATF_NO_PLATFORM_PARAM is not set)
because the memory area reserved for the FDT is too small. Another avoids
panics when the device uses a different console than the default in
OP-TEE OS, by simply disabling the early console (thus relying on the FDT
to find which one to write to). The last enables the Arm Cryptographic
Extensions on PX30 for faster crypto (xtest in 3m11s vs 3m32s).

[1] https://lore.kernel.org/yocto-meta-arm/20260121140356.16818-1-hugues.kambampiana@arm.com/
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
---
 README                                             | 42 ++++++++++++++++++++++
 conf/machine/include/px30.inc                      |  7 ++++
 conf/machine/include/rk3399.inc                    |  7 ++++
 conf/machine/include/rk3588s.inc                   |  7 ++++
 recipes-bsp/u-boot/u-boot-rockchip.inc             |  6 ++++
 .../optee/optee-os-tadevkit_%.bbappend             |  3 ++
 recipes-security/optee/optee-os_%.bbappend         | 19 ++++++++++
 recipes-security/optee/optee-test_%.bbappend       |  3 ++
 8 files changed, 94 insertions(+)

diff --git a/README b/README
index c2697d1..f49fdb5 100644
--- a/README
+++ b/README
@@ -222,6 +222,48 @@ Notes:
 	NOTE: this variable must be set before any include/require in the
 	      machine configuration file
 
+  OP-TEE
+
+	PX30, RK3399 and RK3588 are all supported by upstream OP-TEE OS. By
+	default, OP-TEE OS is not baked into U-Boot.
+
+	You can bake OP-TEE OS in U-Boot by setting:
+
+		RK_UBOOT_TEE = "1"
+
+	in a configuration file.
+
+	Your U-Boot defconfig must enable CONFIG_OPTEE_LIB otherwise random
+	crashes in Linux will occur. It is force-enabled since v2026.01 so you
+	may omit this if running that or a more recent version.
+
+	Note that this has only been tested with upstream OP-TEE OS and upstream
+	TF-A. Please consider disabling CONFIG_SPL_ATF_NO_PLATFORM_PARAM in your
+	U-Boot's defconfig such that both upstream TF-A and OP-TEE OS are passed
+	the FDT (useful for debugging since it specifies the serial console).
+
+	Note that this is only adding OP-TEE OS to the U-Boot proper
+	(u-boot.itb) binary. It is *NOT* secure by default as it'll use
+	development keys contained in-tree, see
+	https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html#trusted-application-private-public-keypair.
+	How to properly specify the private/public key pair is left to the user
+	for now.
+
+	By default, early console is disabled because a misconfiguration of the
+	serial console will silently crash your device. You may enable it again
+	by setting:
+
+		OPTEE_OS_EARLY_CONSOLE = "y"
+
+	This only controls early console, before OP-TEE OS finds the FDT and
+	parse it to know which UART controller to use.
+	If you are not using the default serial controller (UART2), you must
+	change CFG_EARLY_CONSOLE_BASE to the appropriate UART controller base
+	address. You may have to set CFG_EARLY_CONSOLE_SIZE if it isn't set by
+	default.
+	CFG_EARLY_CONSOLE_* variables must be passed directly via EXTRA_OEMAKE
+	BitBake variable.
+
 U-Boot Environment:
 ------------------
 	In order to configure U-Boot to be able to store its environment into the
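Review bot: the "*NOT* secure by default" paragraph in the new OP-TEE section should say what that means in practice: the signing key is the development key shipped in the OP-TEE OS tree, so anyone with that public source can sign a Trusted Application this OP-TEE will accept and load; images built this way are development images only and must not ship. Three smaller points on the same hunk: "in a configuration file" would be clearer as "in local.conf or your distro/machine configuration", and Trevor's suggestion to describe RK_UBOOT_TEE as a boolean matches the wording used for the other RK_* switches; "parse it to know which UART controller to use" should read "parses it"; and the last paragraph tells the reader CFG_EARLY_CONSOLE_* must go through EXTRA_OEMAKE without showing the form, so one example line such as `EXTRA_OEMAKE:append:pn-optee-os = " CFG_EARLY_CONSOLE_BASE=<uart base>"` would save a trip to the bbappend.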
diff --git a/conf/machine/include/px30.inc b/conf/machine/include/px30.inc
index 1997f6f..689a745 100644
--- a/conf/machine/include/px30.inc
+++ b/conf/machine/include/px30.inc
@@ -14,6 +14,13 @@ KBUILD_DEFCONFIG ?= "defconfig"
 
 TFA_PLATFORM = "px30"
 TFA_BUILD_TARGET = "bl31"
+# Allow TF-A to load OP-TEE OS
+# If no OP-TEE OS, it'll simply print
+#  ERROR:   Error initializing runtime service opteed_fast
+# and the boot process will continue.
+TFA_SPD ?= "opteed"
+
+OPTEEMACHINE = "rockchip-px30"
 
 UBOOT_SUFFIX ?= "itb"
 UBOOT_ENTRYPOINT ?= "0x06000000"
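Review bot: `TFA_SPD ?= "opteed"` is overridable but `OPTEEMACHINE = "rockchip-px30"` is not; both are added in the same hunk for the same purpose, so either use `?=` for both or say why OPTEEMACHINE must stay fixed. The same seven-line block is pasted verbatim into rk3399.inc and rk3588s.inc; a shared include would keep the opteed explanation in one place and make adding the next SoC a one-line change.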
diff --git a/conf/machine/include/rk3399.inc b/conf/machine/include/rk3399.inc
index 166db7b..93594bc 100644
--- a/conf/machine/include/rk3399.inc
+++ b/conf/machine/include/rk3399.inc
@@ -14,6 +14,13 @@ KBUILD_DEFCONFIG ?= "defconfig"
 
 TFA_PLATFORM = "rk3399"
 TFA_BUILD_TARGET = "bl31"
+# Allow TF-A to load OP-TEE OS
+# If no OP-TEE OS, it'll simply print
+#  ERROR:   Error initializing runtime service opteed_fast
+# and the boot process will continue.
+TFA_SPD ?= "opteed"
+
+OPTEEMACHINE = "rockchip-rk3399"
 
 UBOOT_SUFFIX ?= "itb"
 UBOOT_ENTRYPOINT ?= "0x06000000"
diff --git a/conf/machine/include/rk3588s.inc b/conf/machine/include/rk3588s.inc
index 18c2fb2..ab16e1a 100644
--- a/conf/machine/include/rk3588s.inc
+++ b/conf/machine/include/rk3588s.inc
@@ -18,5 +18,12 @@ UBOOT_ENTRYPOINT ?= "0x06000000"
 
 TFA_PLATFORM = "rk3588"
 TFA_BUILD_TARGET = "bl31"
+# Allow TF-A to load OP-TEE OS
+# If no OP-TEE OS, it'll simply print
+#  ERROR:   Error initializing runtime service opteed_fast
+# and the boot process will continue.
+TFA_SPD ?= "opteed"
+
+OPTEEMACHINE = "rockchip-rk3588"
 
 ENABLE_STATELESS_VPU_GST ?= "1"
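Review bot: the commit message says two xtest cases fail on RK3588 with OP-TEE OS v4.7.0, the only version meta-arm carries at the time of posting, but nothing in the tree records it; a comment next to `OPTEEMACHINE = "rockchip-rk3588"` (or a README sentence) stating that v4.8.0 or later is needed for a clean xtest run would save the next person a bisect. Also, this .inc is shared by RK3588 and RK3588S machines (see the SOC_FAMILY comment in u-boot-rockchip.inc) while OPTEEMACHINE names rk3588 only; that is consistent with how the rkbin blobs are handled, but worth one line of comment here.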
diff --git a/recipes-bsp/u-boot/u-boot-rockchip.inc b/recipes-bsp/u-boot/u-boot-rockchip.inc
index 2b5bbd7..19f7c8a 100644
--- a/recipes-bsp/u-boot/u-boot-rockchip.inc
+++ b/recipes-bsp/u-boot/u-boot-rockchip.inc
@@ -7,6 +7,12 @@ TFA_DEPENDS ??= ""
 TFA_DEPENDS:rockchip:aarch64 = " trusted-firmware-a:do_deploy"
 do_compile[depends] .= "${TFA_DEPENDS}"
 
+EXTRA_OEMAKE:append:rockchip = "${@' TEE=${DEPLOY_DIR_IMAGE}/optee/tee.bin' if bb.utils.to_boolean(d.getVar('RK_UBOOT_TEE'), False) else ''}"
+
+TEE_DEPENDS ??= ""
+TEE_DEPENDS:rockchip = "${@' optee-os:do_deploy' if bb.utils.to_boolean(d.getVar('RK_UBOOT_TEE'), False) else ''}"
+do_compile[depends] .= "${TEE_DEPENDS}"
+
 # No open-source TPL (yet)
 ROCKCHIP_TPL:closed-tpl = "${DEPLOY_DIR_IMAGE}/ddr-${SOC_FAMILY}.bin"
 # SOC_FAMILY for RK3588S is rk3588s but it should use the binaries from rk3588
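Review bot: `TEE_DEPENDS:rockchip` and the `EXTRA_OEMAKE` append are not restricted to aarch64 the way `TFA_DEPENDS:rockchip:aarch64` is two lines above, so enabling RK_UBOOT_TEE on a 32-bit Rockchip machine makes u-boot depend on optee-os, which this series marks compatible only with px30, rk3399 and rk3588s, and the build stops at parse time with a generic "nothing provides" message; add `:aarch64` here too, or turn the mismatch into a bbfatal with a clear text. Second, nothing checks that TFA_SPD is "opteed" when RK_UBOOT_TEE is on: with another SPD the tee image is baked into u-boot.itb but never started, and the only symptom is the absence of a TEE at runtime; a bbwarn from anonymous python when RK_UBOOT_TEE is enabled and TFA_SPD is not "opteed" would catch that at build time. Finally, `optee/tee.bin` is the third literal copy of the deploy path (see patch 1).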
diff --git a/recipes-security/optee/optee-os-tadevkit_%.bbappend b/recipes-security/optee/optee-os-tadevkit_%.bbappend
new file mode 100644
index 0000000..e4fc87b
--- /dev/null
+++ b/recipes-security/optee/optee-os-tadevkit_%.bbappend
@@ -0,0 +1,3 @@
+COMPATIBLE_MACHINE:px30 = "px30"
+COMPATIBLE_MACHINE:rk3399 = "rk3399"
+COMPATIBLE_MACHINE:rk3588s = "rk3588s"
diff --git a/recipes-security/optee/optee-os_%.bbappend b/recipes-security/optee/optee-os_%.bbappend
new file mode 100644
index 0000000..2a5ec8b
--- /dev/null
+++ b/recipes-security/optee/optee-os_%.bbappend
@@ -0,0 +1,19 @@
+# Increase size for FDT in OP-TEE OS to the one in TF-A since v2.13 to avoid
+# panics on 64+KiB FDT passed by U-Boot to TF-A to OP-TEE OS.
+# Can be removed once https://github.com/OP-TEE/optee_os/pull/7687 is merged.
+EXTRA_OEMAKE:append:rockchip:aarch64 = " CFG_DTB_MAX_SIZE=0x60000"
+
+# Disable early console by default to avoid OP-TEE OS panicking on boards with
+# their UART console different from OP-TEE OS default (UART2 for rk322x, rk3399
+# and rk3588(s)).
+# In-tree default changes if https://github.com/OP-TEE/optee_os/pull/7688 merged
+OPTEE_OS_EARLY_CONSOLE ?= "n"
+EXTRA_OEMAKE:append:rockchip = " CFG_EARLY_CONSOLE=${OPTEE_OS_EARLY_CONSOLE}"
+
+# Enable hardware acceleration using Arm Cryptography Extensions on PX30.
+# Can be removed once https://github.com/OP-TEE/optee_os/pull/7689 is merged.
+EXTRA_OEMAKE:append:px30 = " CFG_CRYPTO_WITH_CE=y"
+
+COMPATIBLE_MACHINE:px30 = "px30"
+COMPATIBLE_MACHINE:rk3399 = "rk3399"
+COMPATIBLE_MACHINE:rk3588s = "rk3588s"
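Review bot: the three "Can be removed once ... is merged" comments are already stale: the reply later in this thread lists the merged commits (b6c7291c246b, 763be3b08c16, 74eb4d9ed3ac, all in OP-TEE OS 4.10.0), so reword them to "needed until meta-arm moves to OP-TEE OS 4.10.0" with the upstream commit id; as the reply says, the settings stay correct but redundant on 4.10.0 and later. Two points on the settings themselves: `EXTRA_OEMAKE:append:rockchip:aarch64` and `:rockchip` apply to every rockchip machine, not only the three in COMPATIBLE_MACHINE, so `CFG_DTB_MAX_SIZE` will silently change for any SoC added later; and `CFG_EARLY_CONSOLE=${OPTEE_OS_EARLY_CONSOLE}` forwards whatever the user wrote, so "1" instead of "y" reaches OP-TEE's make with a value it may not accept. Mapping it through bb.utils.to_boolean() to y/n, as the U-Boot recipe does for RK_UBOOT_TEE, would make both switches behave the same.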
diff --git a/recipes-security/optee/optee-test_%.bbappend b/recipes-security/optee/optee-test_%.bbappend
new file mode 100644
index 0000000..e4fc87b
--- /dev/null
+++ b/recipes-security/optee/optee-test_%.bbappend
@@ -0,0 +1,3 @@
+COMPATIBLE_MACHINE:px30 = "px30"
+COMPATIBLE_MACHINE:rk3399 = "rk3399"
+COMPATIBLE_MACHINE:rk3588s = "rk3588s"

-- 
2.52.0




* Re: [yocto-patches] [PATCH meta-rockchip 2/2] add support for baking OP-TEE OS into U-Boot proper binary
  2026-01-26 14:48 ` [PATCH meta-rockchip 2/2] add support for baking OP-TEE OS into U-Boot proper binary Quentin Schulz
@ 2026-05-27 15:30   ` Trevor Woerner
  2026-05-28  8:48     ` Quentin Schulz
  0 siblings, 1 reply; 6+ messages in thread
From: Trevor Woerner @ 2026-05-27 15:30 UTC (permalink / raw)
  To: yocto-patches; +Cc: Quentin Schulz

Hi Quentin,

Thanks for this patch series!

I believe there was a little fuzz required to apply patch 1 (around the
-D), perhaps a v2 against the current to clean that up?

On Mon 2026-01-26 @ 03:48:30 PM, Quentin Schulz via lists.yoctoproject.org wrote:
> From: Quentin Schulz <quentin.schulz@cherry.de>
> 
> TF-A has support for loading OP-TEE OS as BL32 which allows us to have
> the following boot flow on supported Rockchip SoCs:
> 
> BootROM -> U-Boot TPL/SPL -> TF-A (BL31) -> OP-TEE OS (BL32) -> U-Boot
> proper -> Linux kernel
> 
> TF-A must be built with support for the opteed payload via the SPD
> variable. It can always be set, the downside is that if it's set and no
> OP-TEE OS is available to load, it'll complain with
> 
>   ERROR:   Error initializing runtime service opteed_fast
> 
> but will still continue the boot flow.
> 
> U-Boot proper must be built with OPTEE_LIB enabled (force-enabled in
> U-Boot v2026.01 when the TEE environment variable is set); otherwise
> random crashes may happen while in Linux, as the memory marked as secure
> for OP-TEE OS isn't reserved and the kernel may use it and trigger a
> security exception.
> 
> This has only been tested with `xtest` on PX30, RK3399 and RK3588
> platforms; all tests pass. Note that this is insecure by default as it's
> using the default development key in the OP-TEE OS tree, which isn't
> secret at all. I have not looked into how to provide your own key pair.
> 
> Note that xtest has two fails on RK3588 with OP-TEE OS v4.7.0. They are
> fixed since v4.8.0 (v4.9.0 series for meta-arm has been posted
> already[1]).
> 
> We also pass a few variables to make. One avoids panics when an FDT is
> passed by TF-A (which happens when SPL_ATF_NO_PLATFORM_PARAM is not set)
> because the memory area reserved for the FDT is too small. Another avoids
> panics when the device uses a different console than the default in
> OP-TEE OS, by simply disabling the early console (thus relying on the FDT
> to find which one to write to). The last enables the Arm Cryptographic
> Extensions on PX30 for faster crypto (xtest in 3m11s vs 3m32s).
> 
> [1] https://lore.kernel.org/yocto-meta-arm/20260121140356.16818-1-hugues.kambampiana@arm.com/
> Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
> ---
>  README                                             | 42 ++++++++++++++++++++++
>  conf/machine/include/px30.inc                      |  7 ++++
>  conf/machine/include/rk3399.inc                    |  7 ++++
>  conf/machine/include/rk3588s.inc                   |  7 ++++
>  recipes-bsp/u-boot/u-boot-rockchip.inc             |  6 ++++
>  .../optee/optee-os-tadevkit_%.bbappend             |  3 ++
>  recipes-security/optee/optee-os_%.bbappend         | 19 ++++++++++
>  recipes-security/optee/optee-test_%.bbappend       |  3 ++
>  8 files changed, 94 insertions(+)
> 
> diff --git a/README b/README
> index c2697d1..f49fdb5 100644
> --- a/README
> +++ b/README
> @@ -222,6 +222,48 @@ Notes:
>  	NOTE: this variable must be set before any include/require in the
>  	      machine configuration file
>  
> +  OP-TEE
> +
> +	PX30, RK3399 and RK3588 are all supported by upstream OP-TEE OS. By
> +	default, OP-TEE OS is not baked into U-Boot.
> +
> +	You can bake OP-TEE OS in U-Boot by setting:
> +
> +		RK_UBOOT_TEE = "1"

Is it worth pointing out this is a boolean so any of
"1"/"y"/"yes"/"true" or "0"/"n"/"no"/"false" will work?

> +
> +	in a configuration file.
> +
> +	Your U-Boot defconfig must enable CONFIG_OPTEE_LIB otherwise random
> +	crashes in Linux will occur. It is force-enabled since v2026.01 so you
> +	may omit this if running that or a more recent version.
> +
> +	Note that this has only been tested with upstream OP-TEE OS and upstream
> +	TF-A. Please consider disabling CONFIG_SPL_ATF_NO_PLATFORM_PARAM in your
> +	U-Boot's defconfig such that both upstream TF-A and OP-TEE OS are passed
> +	the FDT (useful for debugging since it specifies the serial console).
> +
> +	Note that this is only adding OP-TEE OS to the U-Boot proper
> +	(u-boot.itb) binary. It is *NOT* secure by default as it'll use
> +	development keys contained in-tree, see
> +	https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html#trusted-application-private-public-keypair.
> +	How to properly specify the private/public key pair is left to the user
> +	for now.
> +
> +	By default, early console is disabled because a misconfiguration of the
> +	serial console will silently crash your device. You may enable it again
> +	by setting:
> +
> +		OPTEE_OS_EARLY_CONSOLE = "y"
> +
> +	This only controls early console, before OP-TEE OS finds the FDT and
> +	parse it to know which UART controller to use.
> +	If you are not using the default serial controller (UART2), you must
> +	change CFG_EARLY_CONSOLE_BASE to the appropriate UART controller base
> +	address. You may have to set CFG_EARLY_CONSOLE_SIZE if it isn't set by
> +	default.
> +	CFG_EARLY_CONSOLE_* variables must be passed directly via EXTRA_OEMAKE
> +	BitBake variable.
> +
>  U-Boot Environment:
>  ------------------
>  	In order to configure U-Boot to be able to store its environment into the
> diff --git a/conf/machine/include/px30.inc b/conf/machine/include/px30.inc
> index 1997f6f..689a745 100644
> --- a/conf/machine/include/px30.inc
> +++ b/conf/machine/include/px30.inc
> @@ -14,6 +14,13 @@ KBUILD_DEFCONFIG ?= "defconfig"
>  
>  TFA_PLATFORM = "px30"
>  TFA_BUILD_TARGET = "bl31"
> +# Allow TF-A to load OP-TEE OS
> +# If no OP-TEE OS, it'll simply print
> +#  ERROR:   Error initializing runtime service opteed_fast
> +# and the boot process will continue.
> +TFA_SPD ?= "opteed"
> +
> +OPTEEMACHINE = "rockchip-px30"
>  
>  UBOOT_SUFFIX ?= "itb"
>  UBOOT_ENTRYPOINT ?= "0x06000000"
> diff --git a/conf/machine/include/rk3399.inc b/conf/machine/include/rk3399.inc
> index 166db7b..93594bc 100644
> --- a/conf/machine/include/rk3399.inc
> +++ b/conf/machine/include/rk3399.inc
> @@ -14,6 +14,13 @@ KBUILD_DEFCONFIG ?= "defconfig"
>  
>  TFA_PLATFORM = "rk3399"
>  TFA_BUILD_TARGET = "bl31"
> +# Allow TF-A to load OP-TEE OS
> +# If no OP-TEE OS, it'll simply print
> +#  ERROR:   Error initializing runtime service opteed_fast
> +# and the boot process will continue.
> +TFA_SPD ?= "opteed"
> +
> +OPTEEMACHINE = "rockchip-rk3399"
>  
>  UBOOT_SUFFIX ?= "itb"
>  UBOOT_ENTRYPOINT ?= "0x06000000"
> diff --git a/conf/machine/include/rk3588s.inc b/conf/machine/include/rk3588s.inc
> index 18c2fb2..ab16e1a 100644
> --- a/conf/machine/include/rk3588s.inc
> +++ b/conf/machine/include/rk3588s.inc
> @@ -18,5 +18,12 @@ UBOOT_ENTRYPOINT ?= "0x06000000"
>  
>  TFA_PLATFORM = "rk3588"
>  TFA_BUILD_TARGET = "bl31"
> +# Allow TF-A to load OP-TEE OS
> +# If no OP-TEE OS, it'll simply print
> +#  ERROR:   Error initializing runtime service opteed_fast
> +# and the boot process will continue.
> +TFA_SPD ?= "opteed"
> +
> +OPTEEMACHINE = "rockchip-rk3588"
>  
>  ENABLE_STATELESS_VPU_GST ?= "1"
> diff --git a/recipes-bsp/u-boot/u-boot-rockchip.inc b/recipes-bsp/u-boot/u-boot-rockchip.inc
> index 2b5bbd7..19f7c8a 100644
> --- a/recipes-bsp/u-boot/u-boot-rockchip.inc
> +++ b/recipes-bsp/u-boot/u-boot-rockchip.inc
> @@ -7,6 +7,12 @@ TFA_DEPENDS ??= ""
>  TFA_DEPENDS:rockchip:aarch64 = " trusted-firmware-a:do_deploy"
>  do_compile[depends] .= "${TFA_DEPENDS}"
>  
> +EXTRA_OEMAKE:append:rockchip = "${@' TEE=${DEPLOY_DIR_IMAGE}/optee/tee.bin' if bb.utils.to_boolean(d.getVar('RK_UBOOT_TEE'), False) else ''}"
> +
> +TEE_DEPENDS ??= ""
> +TEE_DEPENDS:rockchip = "${@' optee-os:do_deploy' if bb.utils.to_boolean(d.getVar('RK_UBOOT_TEE'), False) else ''}"
> +do_compile[depends] .= "${TEE_DEPENDS}"
> +
>  # No open-source TPL (yet)
>  ROCKCHIP_TPL:closed-tpl = "${DEPLOY_DIR_IMAGE}/ddr-${SOC_FAMILY}.bin"
>  # SOC_FAMILY for RK3588S is rk3588s but it should use the binaries from rk3588
> diff --git a/recipes-security/optee/optee-os-tadevkit_%.bbappend b/recipes-security/optee/optee-os-tadevkit_%.bbappend
> new file mode 100644
> index 0000000..e4fc87b
> --- /dev/null
> +++ b/recipes-security/optee/optee-os-tadevkit_%.bbappend
> @@ -0,0 +1,3 @@
> +COMPATIBLE_MACHINE:px30 = "px30"
> +COMPATIBLE_MACHINE:rk3399 = "rk3399"
> +COMPATIBLE_MACHINE:rk3588s = "rk3588s"
> diff --git a/recipes-security/optee/optee-os_%.bbappend b/recipes-security/optee/optee-os_%.bbappend
> new file mode 100644
> index 0000000..2a5ec8b
> --- /dev/null
> +++ b/recipes-security/optee/optee-os_%.bbappend
> @@ -0,0 +1,19 @@
> +# Increase size for FDT in OP-TEE OS to the one in TF-A since v2.13 to avoid
> +# panics on 64+KiB FDT passed by U-Boot to TF-A to OP-TEE OS.
> +# Can be removed once https://github.com/OP-TEE/optee_os/pull/7687 is merged.
> +EXTRA_OEMAKE:append:rockchip:aarch64 = " CFG_DTB_MAX_SIZE=0x60000"
> +
> +# Disable early console by default to avoid OP-TEE OS panicking on boards with
> +# their UART console different from OP-TEE OS default (UART2 for rk322x, rk3399
> +# and rk3588(s)).
> +# In-tree default changes if https://github.com/OP-TEE/optee_os/pull/7688 merged
> +OPTEE_OS_EARLY_CONSOLE ?= "n"
> +EXTRA_OEMAKE:append:rockchip = " CFG_EARLY_CONSOLE=${OPTEE_OS_EARLY_CONSOLE}"
> +
> +# Enable hardware acceleration using Arm Cryptography Extensions on PX30.
> +# Can be removed once https://github.com/OP-TEE/optee_os/pull/7689 is merged.

Have these 3 merges occurred yet?

> +EXTRA_OEMAKE:append:px30 = " CFG_CRYPTO_WITH_CE=y"
> +
> +COMPATIBLE_MACHINE:px30 = "px30"
> +COMPATIBLE_MACHINE:rk3399 = "rk3399"
> +COMPATIBLE_MACHINE:rk3588s = "rk3588s"
> diff --git a/recipes-security/optee/optee-test_%.bbappend b/recipes-security/optee/optee-test_%.bbappend
> new file mode 100644
> index 0000000..e4fc87b
> --- /dev/null
> +++ b/recipes-security/optee/optee-test_%.bbappend
> @@ -0,0 +1,3 @@
> +COMPATIBLE_MACHINE:px30 = "px30"
> +COMPATIBLE_MACHINE:rk3399 = "rk3399"
> +COMPATIBLE_MACHINE:rk3588s = "rk3588s"
> 
> -- 
> 2.52.0
> 
> 
> 



* Re: [yocto-patches] [PATCH meta-rockchip 2/2] add support for baking OP-TEE OS into U-Boot proper binary
  2026-05-27 15:30   ` [yocto-patches] " Trevor Woerner
@ 2026-05-28  8:48     ` Quentin Schulz
  2026-06-04 19:40       ` Trevor Woerner
  0 siblings, 1 reply; 6+ messages in thread
From: Quentin Schulz @ 2026-05-28  8:48 UTC (permalink / raw)
  To: yocto-patches

Hi Trevor,

On 5/27/26 5:30 PM, Trevor Woerner via lists.yoctoproject.org wrote:
> Hi Quentin,
> 
> Thanks for this patch series!
> 

Thanks for the review!

> I believe there was a little fuzz required to apply patch 1 (around the
> -D), perhaps a v2 against the current to clean that up?
> 

I'm assuming due to commit 9fb264d42a20 ("bsp: fix upstream TF-A deploy 
desync") already being merged.

> On Mon 2026-01-26 @ 03:48:30 PM, Quentin Schulz via lists.yoctoproject.org wrote:
[...]
>> diff --git a/README b/README
>> index c2697d1..f49fdb5 100644
>> --- a/README
>> +++ b/README
>> @@ -222,6 +222,48 @@ Notes:
>>   	NOTE: this variable must be set before any include/require in the
>>   	      machine configuration file
>>   
>> +  OP-TEE
>> +
>> +	PX30, RK3399 and RK3588 are all supported by upstream OP-TEE OS. By
>> +	default, OP-TEE OS is not baked into U-Boot.
>> +
>> +	You can bake OP-TEE OS in U-Boot by setting:
>> +
>> +		RK_UBOOT_TEE = "1"
> 
> Is it worth pointing out this is a boolean so any of
> "1"/"y"/"yes"/"true" or "0"/"n"/"no"/"false" will work?
> 

Not sure it's worth the added complexity? We also don't say that for 
RK_IMAGE_INCLUDES_UBOOT_ENV, RK_RAUC_DEMO, RK_KERNEL_FITIMAGE, 
RK_OVERLAY_DEMO but we word it differently for them.

Would,

You can bake OP-TEE OS in U-Boot by enabling the RK_UBOOT_TEE variable 
boolean.

work for you?

[...]
>> diff --git a/recipes-security/optee/optee-os_%.bbappend b/recipes-security/optee/optee-os_%.bbappend
>> new file mode 100644
>> index 0000000..2a5ec8b
>> --- /dev/null
>> +++ b/recipes-security/optee/optee-os_%.bbappend
>> @@ -0,0 +1,19 @@
>> +# Increase size for FDT in OP-TEE OS to the one in TF-A since v2.13 to avoid
>> +# panics on 64+KiB FDT passed by U-Boot to TF-A to OP-TEE OS.
>> +# Can be removed once https://github.com/OP-TEE/optee_os/pull/7687 is merged.
>> +EXTRA_OEMAKE:append:rockchip:aarch64 = " CFG_DTB_MAX_SIZE=0x60000"
>> +
>> +# Disable early console by default to avoid OP-TEE OS panicking on boards with
>> +# their UART console different from OP-TEE OS default (UART2 for rk322x, rk3399
>> +# and rk3588(s)).
>> +# In-tree default changes if https://github.com/OP-TEE/optee_os/pull/7688 merged
>> +OPTEE_OS_EARLY_CONSOLE ?= "n"
>> +EXTRA_OEMAKE:append:rockchip = " CFG_EARLY_CONSOLE=${OPTEE_OS_EARLY_CONSOLE}"
>> +
>> +# Enable hardware acceleration using Arm Cryptography Extensions on PX30.
>> +# Can be removed once https://github.com/OP-TEE/optee_os/pull/7689 is merged.
> 
> Have these 3 merges occurred yet?
> 

Yes.

b6c7291c246b ("plat-rockchip: increase FDT max size to 384KiB on all 
Aarch64 supported SoCs")
763be3b08c16 ("plat-rockchip: disable early console by default")
74eb4d9ed3ac ("plat-rockchip: px30: set CFG_CRYPTO_WITH_CE ?= y")

All available in 4.10.0. However, meta-arm currently is still at 4.9.0. 
I don't see patches on their ML 
(https://lore.kernel.org/yocto-meta-arm/?q=op-tee) for a version bump so 
we need to keep those in for now.

I guess I can change the comment to say we need to keep this until 
4.10.0? At the same time, it shouldn't hurt keeping them in even in 
4.10.0 or later.

Cheers,
Quentin



* Re: [yocto-patches] [PATCH meta-rockchip 2/2] add support for baking OP-TEE OS into U-Boot proper binary
  2026-05-28  8:48     ` Quentin Schulz
@ 2026-06-04 19:40       ` Trevor Woerner
  0 siblings, 0 replies; 6+ messages in thread
From: Trevor Woerner @ 2026-06-04 19:40 UTC (permalink / raw)
  To: yocto-patches

On Thu 2026-05-28 @ 10:48:24 AM, Quentin Schulz via lists.yoctoproject.org wrote:
> Hi Trevor,
> 
> On 5/27/26 5:30 PM, Trevor Woerner via lists.yoctoproject.org wrote:
> > Hi Quentin,
> > 
> > Thanks for this patch series!
> > 
> 
> Thanks for the review!
> 
> > I believe there was a little fuzz required to apply patch 1 (around the
> > -D), perhaps a v2 against the current to clean that up?
> > 
> 
> I'm assuming due to commit 9fb264d42a20 ("bsp: fix upstream TF-A deploy
> desync") already being merged.

Yes, I think so.

> > On Mon 2026-01-26 @ 03:48:30 PM, Quentin Schulz via lists.yoctoproject.org wrote:
> [...]
> > > diff --git a/README b/README
> > > index c2697d1..f49fdb5 100644
> > > --- a/README
> > > +++ b/README
> > > @@ -222,6 +222,48 @@ Notes:
> > >   	NOTE: this variable must be set before any include/require in the
> > >   	      machine configuration file
> > > +  OP-TEE
> > > +
> > > +	PX30, RK3399 and RK3588 are all supported by upstream OP-TEE OS. By
> > > +	default, OP-TEE OS is not baked into U-Boot.
> > > +
> > > +	You can bake OP-TEE OS in U-Boot by setting:
> > > +
> > > +		RK_UBOOT_TEE = "1"
> > 
> > Is it worth pointing out this is a boolean so any of
> > "1"/"y"/"yes"/"true" or "0"/"n"/"no"/"false" will work?
> > 
> 
> Not sure it's worth the added complexity? We also don't say that for
> RK_IMAGE_INCLUDES_UBOOT_ENV, RK_RAUC_DEMO, RK_KERNEL_FITIMAGE,
> RK_OVERLAY_DEMO but we word it differently for them.
> 
> Would,
> 
> You can bake OP-TEE OS in U-Boot by enabling the RK_UBOOT_TEE variable
> boolean.
> 
> work for you?

Sounds great!

> [...]
> > > diff --git a/recipes-security/optee/optee-os_%.bbappend b/recipes-security/optee/optee-os_%.bbappend
> > > new file mode 100644
> > > index 0000000..2a5ec8b
> > > --- /dev/null
> > > +++ b/recipes-security/optee/optee-os_%.bbappend
> > > @@ -0,0 +1,19 @@
> > > +# Increase size for FDT in OP-TEE OS to the one in TF-A since v2.13 to avoid
> > > +# panics on 64+KiB FDT passed by U-Boot to TF-A to OP-TEE OS.
> > > +# Can be removed once https://github.com/OP-TEE/optee_os/pull/7687 is merged.
> > > +EXTRA_OEMAKE:append:rockchip:aarch64 = " CFG_DTB_MAX_SIZE=0x60000"
> > > +
> > > +# Disable early console by default to avoid OP-TEE OS panicking on boards with
> > > +# their UART console different from OP-TEE OS default (UART2 for rk322x, rk3399
> > > +# and rk3588(s)).
> > > +# In-tree default changes if https://github.com/OP-TEE/optee_os/pull/7688 merged
> > > +OPTEE_OS_EARLY_CONSOLE ?= "n"
> > > +EXTRA_OEMAKE:append:rockchip = " CFG_EARLY_CONSOLE=${OPTEE_OS_EARLY_CONSOLE}"
> > > +
> > > +# Enable hardware acceleration using Arm Cryptography Extensions on PX30.
> > > +# Can be removed once https://github.com/OP-TEE/optee_os/pull/7689 is merged.
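Review bot: the removal criterion for all three overrides in this hunk is an open PR URL (`# Can be removed once https://github.com/OP-TEE/optee_os/pull/7687 is merged` and the two that follow), but the thread below establishes they landed as b6c7291c246b, 763be3b08c16 and 74eb4d9ed3ac in OP-TEE OS 4.10.0 while meta-arm is still on 4.9.0; the comments should say "keep until the optee-os recipe is at 4.10.0 or later" and name those commit ids, so a future version bump can drop the lines without re-checking the PRs (the `CFG_DTB_MAX_SIZE=0x60000` value is the 384KiB from b6c7291c246b, so keeping it past 4.10.0 is harmless, as Quentin notes). A smaller point: `OPTEE_OS_EARLY_CONSOLE` is passed verbatim into `CFG_EARLY_CONSOLE=${OPTEE_OS_EARLY_CONSOLE}`, so the comment above it should state that the accepted values are `y`/`n` rather than the `"1"`/`"0"` style used for the RK_* booleans in the README hunk.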
> > 
> > Have these 3 merges occurred yet?
> > 
> 
> Yes.
> 
> b6c7291c246b ("plat-rockchip: increase FDT max size to 384KiB on all Aarch64
> supported SoCs")
> 763be3b08c16 ("plat-rockchip: disable early console by default")
> 74eb4d9ed3ac ("plat-rockchip: px30: set CFG_CRYPTO_WITH_CE ?= y")
> 
> All available in 4.10.0. However, meta-arm currently is still at 4.9.0. I
> don't see patches on their ML
> (https://lore.kernel.org/yocto-meta-arm/?q=op-tee) for a version bump so we
> need to keep those in for now.
> 
> I guess I can change the comment to say we need to keep this until 4.10.0?

Please do.

> At the same time, it shouldn't hurt keeping them in even in 4.10.0 or later.

Okay.

> Cheers,
> Quentin

