author | Patrick Williams <patrick@stwcx.xyz> | 2024-12-14 02:56:42 +0300 |
---|---|---|
committer | Patrick Williams <patrick@stwcx.xyz> | 2024-12-14 04:38:25 +0300 |
commit | e73366c8bab752f44899222f9df7ce7ed080f2e9 (patch) | |
tree | 57ae1423728ade061bb318ab6413a18e1afb9c20 /meta-arm | |
parent | 1d19bb6db66dd40f999dbfcd25be489aa4ecd0b3 (diff) | |
download | openbmc-styhead.tar.xz |
subtree updates (styhead)
poky: subtree update:5d88faa0f3..ecd195a3ef
Aditya Tayade (1):
e2fsprogs: removed 'sed -u' option
Adrian Freihofer (12):
oe-selftest: fitimage refactor u-boot-tools-native
oe-selftest: fitimage drop test-mkimage-wrapper
oe-selftest: fitimage cleanup asserts
oe-selftest: fitimage fix test_initramfs_bundle
kernel-fitimage: fix handling of empty default dtb
pybootchartgui.py: python 3.12+ regexes
kernel-fitimage: fix intentation
kernel-fitimage: fix external dtb check
uboot-config: fix devtool modify with kernel-fitimage
devtool: modify kernel adds append twice
devtool: remove obsolete SRCTREECOVEREDTASKS handling
cml1: add do_savedefconfig
Alban Bedel (2):
bind: Fix build with the `httpstats` package config enabled
util-linux: Add `findmnt` to the bash completion RDEPENDS
Alejandro Hernandez Samaniego (1):
tclibc-picolibc: Adds a new TCLIBC variant to build with picolibc as C library
Aleksandar Nikolic (2):
cve-check: Introduce CVE_CHECK_MANIFEST_JSON_SUFFIX
scripts/install-buildtools: Update to 5.1
Alessandro Pecugi (1):
runqemu: add sd card device
Alexander Kanavin (100):
perf: drop newt from tui build requirements
libnewt: move to meta-oe
python3: submit deterministic_imports.patch upstream as a ticket
glib-networking: submit eagain.patch upstream
psmisc: merge .inc into .bb
psmisc: drop duplicate entries
psmisc: remove 0001-Use-UINTPTR_MAX-instead-of-__WORDSIZE.patch
openssh: drop add-test-support-for-busybox.patch
libfm-extra: drop unneeded 0001-nls.m4-Take-it-from-gettext-0.15.patch
glslang: mark 0001-generate-glslang-pkg-config.patch as Inappropriate
tcp-wrappers: mark all patches as inactive-upstream
automake: mark new_rt_path_for_test-driver.patch as Inappropriate
settings-daemon: submit addsoundkeys.patch upstream and update to a revision that has it
dpkg: mark patches adding custom non-debian architectures as inappropriate for upstream
libacpi: mark patches as inactive-upstream
python3: drop deterministic_imports.patch
lib/oe/recipeutils: return a dict in get_recipe_upgrade_status() instead of a tuple
lib/recipeutils: add a function to determine recipes with shared include files
recipeutils/get_recipe_upgrade_status: group recipes when they need to be upgraded together
devtool/upgrade: use PN instead of BPN for naming newly created upgraded recipes
devtool/upgrade: rename RECIPE_UPDATE_EXTRA_TASKS -> RECIPE_UPGRADE_EXTRA_TASKS
python3-jinja2: fix upstream version check
ca-certificates: get sources from debian tarballs
pulseaudio, desktop-file-utils: correct freedesktop.org -> www.freedesktop.org SRC_URI
xf86-video-intel: correct SRC_URI as freedesktop anongit is down
python3-cython: correct upstream version check
python3-babel: drop custom PYPI settings
python3-cython: fix upstream check again
sysvinit: take release tarballs from github
bash: upgrade 5.2.21 -> 5.2.32
boost: upgrade 1.85.0 -> 1.86.0
ccache: upgrade 4.10.1 -> 4.10.2
cmake: upgrade 3.30.1 -> 3.30.2
dpkg: upgrade 1.22.10 -> 1.22.11
e2fsprogs: upgrade 1.47.0 -> 1.47.1
epiphany: upgrade 46.0 -> 46.3
gstreamer1.0: upgrade 1.24.5 -> 1.24.6
kmod: upgrade 32 -> 33
kmscube: upgrade to latest revision
libadwaita: upgrade 1.5.2 -> 1.5.3
libedit: upgrade 20240517-3.1 -> 20240808-3.1
libnl: upgrade 3.9.0 -> 3.10.0
librepo: upgrade 1.17.0 -> 1.18.1
libva: upgrade 2.20.0 -> 2.22.0
linux-firmware: upgrade 20240513 -> 20240811
lua: upgrade 5.4.6 -> 5.4.7
mpg123: upgrade 1.32.6 -> 1.32.7
mtools: upgrade 4.0.43 -> 4.0.44
nghttp2: upgrade 1.62.0 -> 1.62.1
puzzles: upgrade to latest revision
python3-dtschema: upgrade 2024.4 -> 2024.5
python3-uritools: upgrade 4.0.2 -> 4.0.3
python3-webcolors: upgrade 1.13 -> 24.8.0
sqlite3: upgrade 3.45.3 -> 3.46.1
stress-ng: upgrade 0.17.08 -> 0.18.02
webkitgtk: upgrade 2.44.1 -> 2.44.3
weston: upgrade 13.0.1 -> 13.0.3
xkeyboard-config: upgrade 2.41 -> 2.42
xz: upgrade 5.4.6 -> 5.6.2
mesa: set PV from the .inc file and not via filenames
meta/lib/oe/sstatesig.py: do not error out if sstate files fail on os.stat()
piglit: add a patch to address host contamination for wayland-scanner
selftest: always tweak ERROR_QA/WARN_QA per package
selftest: use INIT_MANAGER to enable systemd instead of custom settings
xmlto: check upstream version tags, not new commits
glib-2.0: update 2.80.2 -> 2.80.4
lttng-modules: update 2.13.13 -> 2.13.14
automake: update 1.16.5 -> 1.17
fmt: update 10.2.1 -> 11.0.2
git: 2.45.2 -> 2.46.0
perlcross: update 1.5.2 -> 1.6
perl: update 5.38.2 -> 5.40.0
gnu-config: update to latest revision
python3-license-expression: update 30.3.0 -> 30.3.1
python3-pip: 24.0 -> 24.2
python3-pyopenssl: update 24.1.0 -> 24.2.1
python3-pyyaml: update 6.0.1 -> 6.0.2
python3-scons: update 4.7.0 -> 4.8.0
cargo-c-native: update 0.9.30 -> 0.10.3
go-helloworld: update to latest revision
vulkan-samples: update to latest revision
ffmpeg: update 6.1.1 -> 7.0.2
libksba: update 1.6.6 -> 1.6.7
p11-kit: update 0.25.3 -> 0.25.5
iproute2: upgrade 6.9.0 -> 6.10.0
ifupdown: upgrade 0.8.41 -> 0.8.43
libdnf: upgrade 0.73.2 -> 0.73.3
mmc-utils: upgrade to latest revision
adwaita-icon-theme: upgrade 46.0 -> 46.2
hicolor-icon-theme: upgrade 0.17 -> 0.18
waffle: upgrade 1.8.0 -> 1.8.1
libtraceevent: upgrade 1.8.2 -> 1.8.3
alsa-utils: upgrade 1.2.11 -> 1.2.12
lz4: upgrade 1.9.4 -> 1.10.0
vte: upgrade 0.74.2 -> 0.76.3
cracklib: update 2.9.11 -> 2.10.2
selftest/sstatetests: run CDN mirror check only once
package_rpm: use zstd's default compression level
package_rpm: restrict rpm to 4 threads
ref-manual: merge two separate descriptions of RECIPE_UPGRADE_EXTRA_TASKS
Alexander Sverdlin (1):
linux-firmware: Move Silabs wfx firmware to a separate package
Alexandre Belloni (1):
oeqa/selftest/oescripts: pinentry update to 1.3.1
Alexis Lothoré (4):
oeqa/ssh: allow to retrieve raw, unformatted ouput
oeqa/utils/postactions: transfer whole archive over ssh instead of doing individual copies
oeqa/postactions: fix exception handling
oeqa/postactions: do not uncompress retrieved archive on host
Andrew Oppelt (1):
testexport: support for executing tests over serial
Andrey Zhizhikin (1):
devicetree.bbclass: switch away from S = WORKDIR
Antonin Godard (38):
ref-manual: add missing CVE_CHECK manifest variables
ref-manual: add new vex class
ref-manual: add new retain class and variables
ref-manual: add missing nospdx class
ref-manual: add new RECIPE_UPGRADE_EXTRA_TASKS variable
ref-manual: drop siteconfig class
ref-manual: add missing TESTIMAGE_FAILED_QA_ARTIFACTS
ref-manual: add missing image manifest variables
ref-manual: add missing EXTERNAL_KERNEL_DEVICETREE variable
ref-manual: drop TCLIBCAPPEND variable
ref-manual: add missing OPKGBUILDCMD variable
ref-manual: add missing variable PRSERV_UPSTREAM
ref-manual: merge patch-status-* to patch-status
ref-manual: add mission pep517-backend sanity check
release-notes-5.1: update release note for styhead
release-notes-5.1: fix spdx bullet point
ref-manual: fix ordering of insane checks list
release-notes-5.1: add beaglebone-yocto parselogs test oeqa failure
ref-manual: structure.rst: document missing tmp/ dirs
overview-manual: concepts: add details on package splitting
ref-manual: faq: add q&a on class appends
ref-manual: release-process: update releases.svg
ref-manual: release-process: refresh the current LTS releases
ref-manual: release-process: update releases.svg with month after "Current"
ref-manual: release-process: add a reference to the doc's release
ref-manual: devtool-reference: refresh example outputs
ref-manual: devtool-reference: document missing commands
conf.py: rename :cve: role to :cve_nist:
doc: Makefile: remove inkscape, replace by rsvg-convert
doc: Makefile: add support for xelatex
doc: add a download page for epub and pdf
sphinx-static/switchers.js.in: do not refer to URL_ROOT anymore
migration-guides: 5.1: fix titles
conf.py: add a bitbake_git extlink
dev-manual: document how to provide confs from layer.conf
dev-manual: bblock: use warning block instead of attention
standards.md: add a section on admonitions
ref-manual: classes: fix bin_package description
Benjamin Szőke (1):
mc: fix source URL
Bruce Ashfield (40):
linux-yocto/6.6: update to v6.6.34
linux-yocto/6.6: update to v6.6.35
linux-yocto/6.6: fix AMD boot trace
linux-yocto/6.6: update to v6.6.36
linux-yocto/6.6: update to v6.6.38
linux-yocto/6.6: update to v6.6.40
linux-yocto/6.6: update to v6.6.43
linux-libc-headers: update to v6.10
kernel-devsrc: remove 64 bit vdso cmd files
linux-yocto: introduce 6.10 reference kernel
linux-yocto/6.10: update to v6.10
linux-yocto/6.10: update to v6.10.2
linux-yocto/6.10: update to v6.10.3
oeqa/runtime/parselogs: update pci BAR ignore for kernel 6.10
oeqa/runtime/parselogs: mips: skip sysctl warning
yocto-bsp: set temporary preferred version for genericarm64
lttng-modules: backport patches for kernel v6.11
linux-yocto-dev: bump to v6.11
linux-yocto-rt/6.10: update to -rt14
linux-yocto/6.10: cfg: disable nfsd legacy client tracking
linux-yocto/6.6: update to v6.6.44
poky/poky-tiny: bump preferred version to 6.10
linux-yocto/6.6: update to v6.6.45
linux-yocto/6.6: fix genericarm64 config warning
linux-yocto/6.6: update to v6.6.47
linux-yocto/6.10: fix CONFIG_PWM_SYSFS config warning
linux-yocto/6.10: update to v6.10.7
linux-yocto/6.10: update to v6.10.8
linux-yocto/6.6: update to v6.6.49
linux-yocto/6.6: update to v6.6.50
linux-yocto/6.10: cfg: arm64 configuration updates
linux-yocto/6.6: update to v6.6.52
linux-yocto/6.6: update to v6.6.54
linux-yocto/6.10: update to v6.10.11
linux-yocto/6.10: update to v6.10.12
linux-yocto/6.10: update to v6.10.13
linux-yocto/6.10: update to v6.10.14
linux-yocto/6.10: genericarm64.cfg: enable CONFIG_DMA_CMA
linux-yocto/6.10: cfg: gpio: allow to re-enable the deprecated GPIO sysfs interface
linux-yocto/6.10: bsp/genericarm64: disable ARM64_SME
Carlos Alberto Lopez Perez (1):
icu: Backport patch to fix build issues with long paths (>512 chars)
Changhyeok Bae (1):
ethtool: upgrade 6.7 -> 6.9
Changqing Li (11):
pixman: fix do_compile error
vulkan-samples: fix do_compile error when -Og enabled
multilib.conf: remove appending to PKG_CONFIG_PATH
pixman: update patch for fixing inline failure with -Og
rt-tests: rt_bmark.py: fix TypeError
libcap-ng: update SRC_URI
apt-native: don't let dpkg overwrite files by default
webkitgtk: fix do_configure error on beaglebone-yocto
bitbake.conf: drop VOLATILE_LOG_DIR, use FILESYSTEM_PERMS_TABLES instead
bitbake.conf: drop VOLATILE_TMP_DIR, use FILESYSTEM_PERMS_TABLES instead
rxvt-unicode.inc: disable the terminfo installation by setting TIC to :
Chen Qi (13):
pciutils: remove textrel INSANE_SKIP
systemd: upgrade from 255.6 to 256
systemd-boot: upgrade from 255.6 to 256
util-linux/util-linux-libuuid: upgrade from 2.39.3 to 2.40.1
libssh2: remove util-linux-col from ptest dependencies
kexec-tools: avoid kernel warning
json-c: use upstream texts for SUMMARY and DESCRIPTION
util-linux/util-linux-libuuid: upgrade from 2.40.1 to 2.40.2
shadow: upgrade from 4.15.1 to 4.16.0
json-c: avoid ptest failure caused by valgrind
toolchain-shar-extract.sh: exit when post-relocate-setup.sh fails
libgfortran: fix buildpath QA issue
shadow: use update-alternatives to handle groups.1
Chris Laplante (4):
bitbake: ui/knotty: print log paths for failed tasks in summary
bitbake: ui/knotty: respect NO_COLOR & check for tty; rename print_hyperlink => format_hyperlink
bitbake: persist_data: close connection in SQLTable __exit__
bitbake: fetch2: use persist_data context managers
Chris Spencer (1):
cargo_common.bbclass: Support git repos with submodules
Christian Lindeberg (3):
bitbake: fetch2: Add gomod fetcher
bitbake: fetch2: Add gomodgit fetcher
bitbake: tests/fetch: Update GoModTest and GoModGitTest
Christian Taedcke (1):
iptables: fix memory corruption when parsing nft rules
Clara Kowalsky (1):
resulttool: Add support to create test report in JUnit XML format
Claus Stovgaard (1):
lib/oe/package-manager: skip processing installed-pkgs with empty globs
Clayton Casciato (1):
uboot-sign: fix concat_dtb arguments
Clément Péron (1):
openssl: Remove patch already upstreamed
Colin McAllister (2):
udev-extraconf: Add collect flag to mount
busybox: Fix cut with "-s" flag
Corentin Lévy (1):
python3-libarchive-c: add ptest
Dan McGregor (1):
bitbake: prserv: increment 9 to 10 correctly
Daniel McGregor (1):
libpam: use libdir in conditional
Daniel Semkowicz (1):
os-release: Fix VERSION_CODENAME in case it is empty
Daniil Batalov (1):
spdx30_tasks.py: fix typo in call of is_file method
Deepesh Varatharajan (1):
rust: Rust Oe-Selftest Reduce the testcases in exclude list
Deepthi Hemraj (5):
llvm: Fix CVE-2024-0151
glibc: stable 2.39 branch updates.
binutils: stable 2.42 branch updates
glibc: stable 2.40 branch updates
glibc: stable 2.40 branch updates.
Denys Dmytriyenko (3):
llvm: extend llvm-config reproducibility fix to nativesdk class
nativesdk-libtool: sanitize the script, remove buildpaths
gcc: unify cleanup of include-fixed, apply to cross-canadian
Divya Chellam (1):
python3: Upgrade 3.12.5 -> 3.12.6
Dmitry Baryshkov (12):
mesa: fix QA warnings caused by freedreno tools
xserver-xorg: fix CVE-2023-5574 status
lib/spdx30_tasks: improve error message
linux-firmware: make qcom-sc8280xp-lenovo-x13s-audio install Linaro licence
linux-firmware: add packages with SM8550 and SM8650 audio topology files
linux-firmware: move -qcom-qcm2290-wifi before -ath10k
linux-firmware: use wildcards to grab all qcom-qcm2290/qrb4210 wifi files
linux-firmware: package qcom-vpu firmware
linux-firmware: restore qcom/vpu-1.0/venus.mdt compatibility symlink
piglit: add missing dependency on wayland
linux-firmware: add packages for Qualcomm XElite GPU firmware
linux-firmware: split ath10k package
Enguerrand de Ribaucourt (6):
bitbake: fetch2/npmsw: fix fetching git revisions not on master
bitbake: fetch2/npmsw: allow packages not declaring a registry version
npm: accept unspecified versions in package.json
recipetool: create_npm: resolve licenses defined in package.json
recipetool: create: split guess_license function
recipetool: create_npm: reuse license utils
Enrico Jörns (2):
bitbake: bitbake-diffsigs: fix handling when finding only a single sigfile
archiver.bbclass: fix BB_GENERATE_MIRROR_TARBALLS checking
Esben Haabendal (1):
mesa: Fix build with etnaviv gallium driver
Etienne Cordonnier (3):
oeqa/runtime: fix race-condition in minidebuginfo test
bitbake: gcp.py: remove slow calls to gsutil stat
systemd: make home directory readable by systemd-coredump
Fabio Estevam (1):
u-boot: upgrade 2024.04 -> 2024.07
Florian Amstutz (1):
u-boot: Fix potential index error issues in do_deploy with multiple u-boot configurations
Gassner, Tobias.ext (1):
rootfs: Ensure run-postinsts is not uninstalled for read-only-rootfs-delayed-postinsts
Gauthier HADERER (1):
populate_sdk_ext.bclass: make sure OECORE_NATIVE_SYSROOT is exported.
Guðni Már Gilbert (7):
python3-setuptools: drop python3-2to3 from RDEPENDS
bluez5: drop modifications to Python shebangs
bluez5: cleanup redundant backslashes
python3-attrs: drop python3-ctypes from RDEPENDS
gobject-introspection: split tools and giscanner into a separate package
bluez5: upgrade 5.77 -> 5.78
bluez5: remove redundant patch for MAX_INPUT
Harish Sadineni (4):
gcc-runtime: enabling "network" task specific flag
oeqa/selftest/gcc: Fix host key verfication failure
oeqa/selftest/gcc: Fix kex exchange identification error
binutils: Add missing perl modules to RDEPENDS for nativsdk variant
Het Patel (1):
zlib: Add CVE_PRODUCT to exclude false positives
Hiago De Franco (1):
weston: backport patch to allow neatvnc < v0.9.0
Hongxu Jia (1):
gcc-source: Fix racing on building gcc-source-14.2.0 and lib32-gcc-source-14.2.0
Intaek Hwang (6):
alsa-plugins: set CVE_PRODUCT
mpfr: set CVE_PRODUCT
libatomic-ops: set CVE_PRODUCT
gstreamer1.0-plugins-bad: set CVE_PRODUCT
python3-lxml: set CVE_PRODUCT
python3-psutil: set CVE_PRODUCT
Jaeyoon Jung (2):
makedevs: Fix issue when rootdir of / is given
makedevs: Fix matching uid/gid
Jagadeesh Krishnanjanappa (1):
tune-cortexa32: set tune feature as armv8a
Jan Vermaete (2):
python3-websockets: added python3-zipp as RDEPENDS
ref-manual: added wic.zst to the IMAGE_TYPES
Jinfeng Wang (2):
glib-2.0: fix glib-2.0 ptest failure when upgrading tzdata2024b
tzdata/tzcode-native: upgrade 2024a -> 2024b
Johannes Schneider (3):
systemd: add PACKAGECONFIG for bpf-framework
systemd: bpf-framework: 'propagate' the '--sysroot=' for crosscompilation
systemd: bpf-framework: pass 'recipe-sysroot' to BPF compiler
John Ripple (1):
packagegroup-core-tools-profile.bb: Enable aarch64 valgrind
Jon Mason (6):
oeqa/runtime/ssh: add retry logic and sleeps to allow for slower systems
oeqa/runtime/ssh: check for all errors at the end
docs: modify reference from python2.py to python.py
kernel.bbclass: remove unused CMDLINE_CONSOLE
oeqa/runtime/ssh: increase the number of attempts
wpa-supplicant: add patch to check for kernel header version when compiling macsec
Jonas Gorski (1):
rootfs-postcommands.bbclass: make opkg status reproducible
Jonas Munsin (1):
bzip2: set CVE_PRODUCT
Jonathan GUILLOT (1):
cronie: add inotify PACKAGECONFIG option
Jose Quaresma (14):
go: upgrade 1.22.3 -> 1.22.4
go: drop the old 1.4 bootstrap C version
openssh: fix CVE-2024-6387
go: upgrade 1.22.4 -> 1.22.5
openssh: drop rejected patch fixed in 8.6p1 release
openssh: systemd sd-notify patch was rejected upstream
oeqa/runtime/scp: requires openssh-sftp-server
libssh2: fix ptest regression with openssh 9.8p1
openssh: systemd notification was implemented upstream
openssh: upgrade 9.7p1 -> 9.8p1
libssh2: disable-DSA-by-default
go: upgrade 1.22.5 -> 1.22.6
bitbake: bitbake: doc/user-manual: Update the BB_HASHSERVE_UPSTREAM
oeqa/selftest: Update the BB_HASHSERVE_UPSTREAM
Joshua Watt (22):
binutils-cross-testsuite: Rename to binutils-testsuite
classes/spdx-common: Move SPDX_SUPPLIER
scripts/pull-spdx-licenses.py: Add script
licenses: Update to SPDX license version 3.24.0
classes/create-spdx-2.2: Handle SemVer License List Versions
classes-recipe/image: Add image file manifest
classes-global/staging: Exclude do_create_spdx from automatic sysroot extension
classes-recipe/image_types: Add SPDX_IMAGE_PURPOSE to images
classes-recipe: nospdx: Add class
classes-recipe/baremetal-image: Add image file manifest
selftest: sstatetests: Exclude all SPDX tasks
classes/create-spdx-2.2: Handle empty packages
classes/create-spdx-3.0: Add classes
selftest: spdx: Add SPDX 3.0 test cases
classes/spdx-common: Move to library
classes/create-spdx-3.0: Move tasks to library
Switch default spdx version to 3.0
classes-recipe/multilib_script: Expand before splitting
classes/create-spdx-image-3.0: Fix SSTATE_SKIP_CREATION
lib/spdx30_tasks: Report all missing providers
lib/oe/sbom30.py: Fix build parameters
bitbake: Remove custom exception backtrace formatting
Julien Stephan (5):
README: add instruction to run Vale on a subset
documentation: Makefile: add SPHINXLINTDOCS to specify subset to sphinx-lint
styles: vocabularies: Yocto: add sstate
ref-manual: variables: add SIGGEN_LOCKEDSIGS* variables
dev-manual: add bblock documentation
Jörg Sommer (7):
classes/kernel: No symlink in postinst without KERNEL_IMAGETYPE_SYMLINK
ref-manual: add DEFAULT_TIMEZONE variable
ptest-runner: Update 2.4.4 -> 2.4.5
runqemu: Fix detection of -serial parameter
buildcfg.py: add dirty status to get_metadata_git_describe
doc/features: remove duplicate word in distribution feature ext2
doc/features: describe distribution feature pni-name
Kai Kang (3):
glibc: fix fortran header file conflict for arm
systemd: fix VERSION_TAG related build error
kexec-tools: update COMPATIBLE_HOST because of makedumpfile
Katawann (1):
cve-check: add field "modified" to JSON report
Khem Raj (38):
llvm: Update to 18.1.8
utils.bbclass: Use objdump instead of readelf to compute SONAME
mesa: Including missing LLVM header
mesa: Add packageconfig knob to control tegra gallium driver
gdb: Upgrade to 15.1 release
busybox: Fix tc applet build when using kernel 6.8+
busybox: CVE-2023-42364 and CVE-2023-42365 fixes
busybox: Add fix for CVE-2023-42366
gcc-14: Mark CVE-2023-4039 as fixed in GCC14+
systemd: Replace deprecate udevadm command
glibc: Upgrade to 2.40
glibc: Remove redundant configure option --disable-werror
libyaml: Update status of CVE-2024-35328
libyaml: Change CVE status to wontfix
binutils: Upgrade to 2.43 release
binutils: Fix comment about major version
gcc: Upgrade to GCC 14.2
gnupg: Document CVE-2022-3219 and mark wontfix
systemd: Refresh patch to remove patch-fuzz
quota: Apply a backport to fix basename API with musl
bluez5: Fix build with musl
musl: Update to 1.2.5 release
musl: Upgrade to latest tip of trunk
gdb: Fix build with latest clang
fmt: Get rid of std::copy
aspell: Backport a fix to build with gcc-15/clang-19
openssh: Mark CVE-2023-51767 as wont-fix
python: Backport fixes for CVE-2024-7592
ffmpeg: Fix build on musl linux systems
kea: Replace Name::NameString with vector of uint8_t
webkitgtk: Fix build issues with clang-19
glibc: Fix the arm/arm64 worsize.h uniificationb patch
gcc: Fix spurious '/' in GLIBC_DYNAMIC_LINKER on microblaze
libpcre2: Update base uri PhilipHazel -> PCRE2Project
linux-yocto: Enable l2tp drivers when ptest featuee is on
bluez: Fix mesh builds on musl
qemu: Fix build on musl/riscv64
ffmpeg: Disable asm optimizations on x86
Konrad Weihmann (6):
testimage: fallback for empty IMAGE_LINK_NAME
python3-docutils: fix interpreter lines
testexport: fallback for empty IMAGE_LINK_NAME
python_flit_core: remove python3 dependency
runqemu: keep generating tap devices
runqemu: remove unused uid variable
Lee Chee Yang (10):
migration-guides: add release notes for 4.0.19
migration-guides: add release notes for 5.0.2
migration-guide: add release notes for 4.0.20
migration-guides: add release notes for 5.0.3
migration-guide: add release notes for 4.0.21
release-notes-5.1: update for several section
migration-guide: add release notes for 4.0.22
migration-guides: add release notes for 5.0.4
migration-guides: add release notes for 5.0.5
migration-guides: add release notes for 4.0.23
Leon Anavi (1):
u-boot.inc: WORKDIR -> UNPACKDIR transition
Leonard Göhrs (1):
bitbake: fetch2/npm: allow the '@' character in package names
Louis Rannou (1):
image_qa: fix error handling
Marc Ferland (2):
appstream: refresh patch
appstream: add qt6 PACKAGECONFIG option
Marcus Folkesson (1):
bootimg-partition: break out code to a common library.
Mark Hatle (7):
create-sdpx-2.2.bbclass: Switch from exists to isfile checking debugsrc
package.py: Fix static debuginfo split
package.py: Fix static library processing
selftest-hardlink: Add additional test cases
spdx30_tasks.py: switch from exists to isfile checking debugsrc
create-spdx-*: Support multilibs via SPDX_MULTILIB_SSTATE_ARCHS
oeqa sdk cases: Skip SDK test cases when TCLIBC is newlib
Markus Volk (4):
libinput: update 1.25.0 -> 1.26.1
systemd: dont set polkit permissions manually
gtk4: update 4.14.4 -> 4.14.5
gcc: add a backport patch to fix an issue with tzdata 2024b
Marta Rybczynska (9):
classes/kernel.bbclass: update CVE_PRODUCT
cve-check: encode affected product/vendor in CVE_STATUS
cve-extra-inclusions: encode CPEs of affected packages
cve-check: annotate CVEs during analysis
vex.bbclass: add a new class
cve-check-map: add new statuses
selftest: add test_product_match
cve-json-to-text: add script
cve-check: remove the TEXT format support
Martin Hundebøll (1):
ofono: upgrade 2.7 -> 2.8
Martin Jansa (10):
libgfortran.inc: fix nativesdk-libgfortran dependencies
hdparm: drop NO_GENERIC_LICENSE[hdparm]
gstreamer1.0-plugins-bad: add PACKAGECONFIG for gtk3
kernel.bbclass: add original package name to RPROVIDES for -image and -base
meta-world-pkgdata: Inherit nopackages
populate_sdk_base: inherit nopackages
mc: set ac_cv_path_ZIP to avoid buildpaths QA issues
bitbake.conf: DEBUG_PREFIX_MAP: add -fmacro-prefix-map for STAGING_DIR_NATIVE
bitbake: Revert "fetch2/gitsm: use configparser to parse .gitmodules"
ffmpeg: fix packaging examples
Mathieu Dubois-Briand (1):
oeqa/postactions: Fix archive retrieval from target
Matthew Bullock (1):
openssh: allow configuration of hostkey type
Matthias Pritschet (1):
ref-manual: fix typo and move SYSROOT_DIRS example
Michael Halstead (1):
yocto-uninative: Update to 4.6 for glibc 2.40
Michael Opdenacker (1):
doc: Makefile: publish pdf and epub versions too
Michal Sieron (1):
insane: remove obsolete QA errors
Mikko Rapeli (2):
systemd: update from 256 to 256.4
ovmf-native: remove .pyc files from install
Mingli Yu (1):
llvm: Enable libllvm for native build
Niko Mauno (17):
dnf/mesa: Fix missing leading whitespace with ':append'
systemd: Mitigate /var/log type mismatch issue
systemd: Mitigate /var/tmp type mismatch issue
libyaml: Amend CVE status as 'upstream-wontfix'
image_types.bbclass: Use --force also with lz4,lzop
util-linux: Add PACKAGECONFIG option to mitigate rootfs remount error
iw: Fix LICENSE
dejagnu: Fix LICENSE
unzip: Fix LICENSE
zip: Fix LICENSE
tiff: Fix LICENSE
gcr: Fix LICENSE
python3-maturin: Fix cross compilation issue for armv7l, mips64, ppc
bitbake.conf: Mark VOLATILE_LOG_DIR as obsolete
bitbake.conf: Mark VOLATILE_TMP_DIR as obsolete
docs: Replace VOLATILE_LOG_DIR with FILESYSTEM_PERMS_TABLES
docs: Replace VOLATILE_TMP_DIR with FILESYSTEM_PERMS_TABLES
Ola x Nilsson (4):
scons.bbclass: Add scons class prefix to do_configure
insane: Remove redundant returns
ffmpeg: Package example files in ffmpeg-examples
glibc: Fix missing randomness in __gen_tempname
Oleksandr Hnatiuk (2):
icu: remove host references in nativesdk to fix reproducibility
gcc: remove paths to sysroot from configargs.h and checksum-options for gcc-cross-canadian
Otavio Salvador (1):
u-boot: Ensure we use BFD as linker even if using GCC for it
Patrick Wicki (1):
gpgme: move gpgme-tool to own sub-package
Paul Barker (1):
meta-ide-support: Mark recipe as MACHINE-specific
Paul Eggleton (1):
classes: add new retain class for retaining build results
Paul Gerber (1):
uboot-sign: fix counters in do_uboot_assemble_fitimage
Pavel Zhukov (1):
package_rpm: Check if file exists before open()
Pedro Ferreira (2):
buildhistory: Fix intermittent package file list creation
buildhistory: Restoring files from preserve list
Peter Kjellerstedt (9):
systemd: Correct the indentation in do_install()
systemd: Move the MIME file to a separate package
license_image.bbclass: Rename license-incompatible to license-exception
test-manual: Add a missing dot
systemd.bbclass: Clean up empty parent directories
oeqa/selftest/bbclasses: Add tests for systemd and update-rc.d interaction
systemd: Remove a leftover reference to ${datadir}/mime
bitbake: fetch2/gomod: Support URIs with only a hostname
image.bbclass: Drop support for ImageQAFailed exceptions in image_qa
Peter Marko (17):
cargo: remove True option to getVar calls
poky-sanity: remove True option to getVar calls
flac: fix buildpaths warnings
bitbake: fetch/clearcase: remove True option to getVar calls in clearcase module
busybox: Patch CVE-2021-42380
busybox: Patch CVE-2023-42363
libstd-rs,rust-cross-canadian: set CVE_PRODUCT to rust
glibc: cleanup old cve status
libmnl: explicitly disable doxygen
libyaml: ignore CVE-2024-35326
libyaml: Ignore CVE-2024-35325
wpa-supplicant: Ignore CVE-2024-5290
cve-check: add support for cvss v4.0
go: upgrade 1.22.6 -> 1.22.7
go: upgrade 1.22.7 -> 1.22.8
cve-check: do not skip cve status description after :
cve-check: fix malformed cve status description with : characters
Philip Lorenz (1):
curl: Reenable auth support for native and nativesdk
Primoz Fiser (2):
pulseaudio: Add PACKAGECONFIG for optional OSS support
pulseaudio: Remove from time64.inc exception list
Purushottam Choudhary (2):
kmscube: Upgrade to latest revision
virglrenderer: Add patch to fix -int-conversion build issue
Quentin Schulz (4):
bitbake: doc: releases: mark mickledore as outdated
bitbake: doc: releases: add nanbield to the outdated manuals
bitbake: doc: releases: add scarthgap
weston-init: fix weston not starting when xwayland is enabled
Rasmus Villemoes (3):
iptables: remove /etc/ethertypes
openssh: factor out sshd hostkey setup to separate function
systemd: include sysvinit in default PACKAGECONFIG only if in DISTRO_FEATURES
Regis Dargent (1):
udev-extraconf: fix network.sh script did not configure hotplugged interfaces
Ricardo Simoes (2):
volatile-binds: Do not create workdir if OverlayFS is disabled
volatile-binds: Remove workdir if OverlayFS fails
Richard Purdie (116):
maintainers: Drop go-native as recipe removed
oeqa/runtime/parselogs: Add some kernel log trigger keywords
bitbake: codeparser/data: Ensure module function contents changing is accounted for
bitbake: codeparser: Skip non-local functions for module dependencies
native/nativesdk: Stop overriding unprefixed *FLAGS variables
qemu: Upgrade 9.0.0 -> 9.0.1
oeqa/runtime/ssh: In case of failure, show exit code and handle -15 (SIGTERM)
oeqa/selftest/reproducibile: Explicitly list virtual targets
abi_version/package: Bump hashequiv version and package class version
testimage/postactions: Allow artifact collection to be skipped
python3: Drop generating a static libpython
bitbake.conf: Drop obsolete debug compiler options
bitbake.conf: Further cleanup compiler optimization flags
oeqa/selftest/incompatible_lic: Ensure tests work with ERROR_QA changes
oeqa/selftest/locale: Ensure tests work with ERROR_QA changes
meson: Fix native meson config
busybox: reconfigure wget https support by default for security
poky-tiny: Update FULL_OPTIMIZATION to match core changes
icu/perf: Drop SPDX_S variable
insane: Promote long standing warnings to errors
selftest/fortran-helloworld: Fix buildpaths error
build-appliance-image: Update to master head revision
distro/include: Add yocto-space-optimize, disabling debugging for large components
testimage: Fix TESTIMAGE_FAILED_QA_ARTIFACTS setting
oeqa/postactions: Separate artefact collection from test result collection
qemu: Drop mips workaround
poky: Enable yocto-space-optimize.inc
time64.inc: Add warnings exclusion for known toolchain problems for now
pseudo: Fix to work with glibc 2.40
pseudo: Update to include open symlink handling bugfix
create-spdx-3.0/populate_sdk_base: Add SDK_CLASSES inherit mechanism to fix tarball SPDX manifests
libtool: Upgrade 2.5.0 -> 2.5.1
qemu: Upgrade 9.0.1 -> 9.0.2
populate_sdk_base: Ensure nativesdk targets have do_package_qa run
cve_check: Use a local copy of the database during builds
pixman: Backport fix for recent binutils
musl: Show error when used with multilibs
sdpx: Avoid loading of SPDX_LICENSE_DATA into global config
perf: Drop perl buildpaths skip
m4: Drop ptest INSANE_SKIPs
gettext: Drop ptest INSANE_SKIPs
glibc-y2038-tests: Fix debug split and drop INSANE_SKIPs
glibc-y2038-tests: Don't force distro policy
glib-initial: Inherit nopackages
vim: Drop vim-tools INSANE_SKIP as not needed
coreutils: Fix intermittent ptest issue
coreutils: Update merged patch to backport status
bitbake.conf: Add truncate to HOSTTOOLS
bitbake.conf: Include cve-check-map earlier, before distro
bitbake: BBHandler: Handle comments in addtask/deltask
bitbake: cache: Drop unused function
bitbake: cookerdata: Separate out data_hash and hook to tinfoil
bitbake: BBHandler/ast: Improve addtask handling
bitbake: build: Ensure addtask before/after tasknames have prefix applied
bitbake: codeparser: Allow code visitor expressions to be declared in metadata
lib/oe: Use new visitorcode functionality for qa.handle_error()
insane: Optimise ERROR_QA/WARN_QA references in do_populate_sysroot
insane: Drop oe.qa.add_message usage
insane: Add missing vardepsexclude
insane: Further simplify code
insane: Allow ERROR_QA to use 'contains' hash optimisations for do_package_qa
selftest/sstatetests: Extend to cover ERROR_QA/WARN_QA common issues
lz4: Fix static library reproducibility issue
lz4: Disable static libraries again
abi-version/ssate: Bump to avoid systemd hash corruption issue
buildhistory: Simplify intercept call sites and drop SSTATEPOSTINSTFUNC usage
sstate: Drop SSTATEPOSTINSTFUNC support
lttng-tools: 2.13.13 -> 2.13.14
libtool: 2.5.1 -> 2.5.2
gettext: Drop obsolete ptest conditional in do_install
elfutils: Drop obsolete ptest conditional in do_install
expat: 2.6.2 -> 2.6.3
license: Fix directory layout issues
sstate: Make do_recipe_qa and do_populate_lic non-arch specific
bitbake: siggen: Fix rare file-checksum hash issue
insane: Remove dependency on TCLIBC from QA test
conf/defaultsetup.conf: Drop TCLIBCAPPEND
poky.conf: Drop TCLIBCAPPEND
layer.conf: Drop scarthgap namespace from LAYERSERIES
layer.conf: Update to styhead
Revert "python3-setuptools: upgrade 72.1.0 -> 72.2.0"
ruby: Make docs generation deterministic
libedit: Make docs generation deterministic
poky-tiny: Drop TCLIBCAPPEND
libsdl2: Fix non-deterministic configure option for libsamplerate
bitbake: toaster: Update fixtures for styhead
scripts/install-buildtools: Update to 5.0.3
build-appliance-image: Update to master head revision
poky.conf: Bump version for 5.1 styhead release
build-appliance-image: Update to master head revision
bitbake: fetch2/git: Use quote from shlex, not pipes
efi-bootdisk.wks: Increase overhead-factor to avoid test failures
binutils: Fix binutils mingw packaging
bitbake: tests/fetch: Use our own mirror of sysprof to decouple from gnome gitlab
bitbake: tests/fetch: Use our own mirror of mobile-broadband-provider to decouple from gnome gitlab
pseudo: Fix envp bug and add posix_spawn wrapper
oeqa/runtime/ssh: Rework ssh timeout
oeqa/runtime/ssh: Fix incorrect timeout fix
qemurunner: Clean up serial_lock handling
bitbake: fetch/wget: Increase timeout to 100s from 30s
openssl: Fix SDK environment script to avoid unbound variable
bitbake: runqueue: Fix performance of multiconfigs with large overlap
bitbake: runqueue: Optimise setscene loop processing
bitbake: runqueue: Fix scenetask processing performance issue
do_package/sstate/sstatesig: Change timestamp clamping to hash output only
selftest/reproducible: Drop rawlogs
selftest/reproducible: Clean up pathnames
resulttool: Allow store to filter to specific revisions
resulttool: Use single space indentation in json output
oeqa/utils/gitarchive: Return tag name and improve exclude handling
resulttool: Fix passthrough of --all files in store mode
resulttool: Add --logfile-archive option to store mode
resulttool: Handle ltp rawlogs as well as ptest
resulttool: Clean up repoducible build logs
resulttool: Trim the precision of duration information
resulttool: Improve repo layout for oeselftest results
Robert Joslyn (1):
curl: Update to 8.9.1
Robert Yang (8):
bitbake: cache: Remove invalid symlink for bb_cache.dat
bitbake: fetch2/git: Use git shallow fetch to implement clone_shallow_local()
bitbake: bitbake: tests/fetch: Update GitShallowTest for clone_shallow_local()
bitbake: data_smart: Improve performance for VariableHistory
release-notes-5.0.rst: NO_OUTPUT -> NO_COLOR
bitbake: gitsm: Add call_process_submodules() to remove duplicated code
bitbake: gitsm: Remove downloads/tmpdir when failed
cml1.bbclass: do_diffconfig: Don't override .config with .config.orig
Rohini Sangam (1):
vim: Upgrade 9.1.0698 -> 9.1.0764
Ross Burton (92):
expect: fix configure with GCC 14
expect: update code for Tcl channel implementation
libxcrypt: correct the check for a working libucontext.h
bash: fix configure checks that fail with GCC 14.1
gstreamer1.0: disable flaky baseparser tests
librsvg: don't try to run target code at build time
librsvg: upgrade to 2.57.3
linux-libc-headers: remove redundant install_headers patch
glibc: add task to list exported symbols
oeqa/sdk: add out-of-tree kernel module building test
openssl: disable tests unless ptest is enabled
openssl: strip the test suite
openssl: rewrite ptest installation
ell: upgrade 0.66 -> 0.67
ofono: upgrade 2.8 -> 2.9
ruby: upgrade 3.3.0 -> 3.3.4
gtk+3: upgrade 3.24.42 -> 3.24.43
pango: upgrade 1.52.2 -> 1.54.0
Revert "python3: drop deterministic_imports.patch"
python3: add dependency on -compression to -core
python3-jsonschema: rename nongpl PACKAGECONFIG
python3-setuptools: RDEPEND on python3-unixadmin
python3-poetry-core: remove python3-pathlib2 dependency
pytest-runner: remove python3-py dependency
python3-chardet: remove pytest-runner DEPENDS
python3-websockets: remove unused imports
python3-beartype: add missing RDEPENDS
python3-jsonschema: remove obsolete RDEPENDS
python3-pluggy: clean up RDEPENDS
python3-scons: remove obsolete RDEPENDS
gi-docgen: remove obsolete python3-toml dependency
python3-jinja2: remove obsolete python3-toml dependency
python3-setuptools-rust: remove obsolete python3-toml dependency
python3-setuptools-scm: remove obsolete python3-tomli dependency
python3-zipp: remove obsolete dependencies
python3-importlib-metadata: remove obsolete dependencies
python3-pathspec: use python_flit_core
python3-pyasn1: merge bb/inc
python3-pyasn1: use python_setuptools_build_meta build class
python3-beartype: use python_setuptools_build_meta build class
python3-cffi: use python_setuptools_build_meta build class
python3-psutil: use python_setuptools_build_meta build class
python3-pycryptodome(x): use python_setuptools_build_meta build class
python3-pyelftools: use python_setuptools_build_meta build class
python3-ruemel-yaml: use python_setuptools_build_meta build class
python3-scons: use python_setuptools_build_meta build class
python3-websockets: use python_setuptools_build_meta build class
python3-setuptools-scm: remove python3-tomli dependency
python3-spdx-tools: use python_setuptools_build_meta build class
python3-subunit: use python_setuptools_build_meta build class
python3-uritools: use python_setuptools_build_meta build class
python3-yamllint: use python_setuptools_build_meta build class
python3-mako: add dependency on python3-misc for timeit
python3-uritools: enable ptest
gi-docgen: upgrade to 2024.1
python3-pytest: clean up RDEPENDS
libcap-ng: clean up recipe
glib-networking: upgrade 2.78.1 -> 2.80.0
python3-unittest-automake-output: add dependency on unittest
python3-idna: generalise RDEPENDS
python3-jsonpointer: upgrade 2.4 -> 3.0.0
ptest-packagelists: sort entries
python3-cffi: generalise RDEPENDS
python3-cffi: enable ptest
python3-packaging: enable ptest
python3-idna: enable ptest
setuptools3: check for a PEP517 build system selection
insane: add pep517-backend to WARN_QA
python3-numpy: ignore pep517-backend warnings
bmaptool: temporarily silence the pep517-backend warning
meson: upgrade 1.4.0 -> 1.5.1
python3-pathlib2: remove recipe (moved to meta-python)
python3-rfc3986-validator: remove recipe (moved to meta-python)
python3-py: remove recipe (moved to meta-python)
pytest-runner: remove recipe (moved to meta-python)
python3-importlib-metadata: remove recipe (moved to meta-python)
python3-toml: remove recipe (moved to meta-python)
python3-tomli: remove recipe (moved to meta-python)
bblayers/machines: add bitbake-layers command to list machines
ffmpeg: fix build with binutils 2.43 on arm with commerical codecs
vulkan-samples: limit to aarch64/x86-64
bitbake: fetch2/gitsm: use configparser to parse .gitmodules
systemd: add missing dependency on libkmod to udev
sanity: check for working user namespaces
bitbake.conf: mark TCLIBCAPPEND as deprecated
bitbake: fetch2: don't try to preserve all attributes when unpacking files
icu: update patch Upstream-Status
ffmpeg: nasm is x86 only, so only DEPEND if x86
ffmpeg: no need for textrel INSANE_SKIP
strace: download release tarballs from GitHub
tcl: skip io-13.6 test case
groff: fix rare build race in hdtbl
Ryan Eatmon (3):
u-boot.inc: Refactor do_* steps into functions that can be overridden
oe-setup-build: Fix typo
oe-setup-build: Change how we get the SHELL value
Sabeeh Khan (1):
linux-firmware: add new package for cc33xx firmware
Sakib Sajal (1):
blktrace: ask for python3 specifically
Samantha Jalabert (1):
cve_check: Update selftest with new status detail
Sergei Zhmylev (1):
lsb-release: fix Distro Codename shell escaping
Shunsuke Tokumoto (1):
python3-setuptools: Add "python:setuptools" to CVE_PRODUCT
Siddharth Doshi (5):
libxml2: Upgrade 2.12.7 -> 2.12.8
Tiff: Security fix for CVE-2024-7006
vim: Upgrade 9.1.0114 -> 9.1.0682
wpa-supplicant: Upgrade 2.10 -> 2.11
vim: Upgrade 9.1.0682 -> 9.1.0698
Simone Weiß (2):
gnutls: upgrade 3.8.5 -> 3.8.6
curl: Ignore CVE-2024-32928
Sreejith Ravi (1):
package.py: Add Requires.private field in process_pkgconfig
Stefan Mueller-Klieser (1):
icu: fix make-icudata package config
Steve Sakoman (3):
release-notes-4.0: update BB_HASHSERVE_UPSTREAM for new infrastructure
poky.conf: bump version for 5.1.1
build-appliance-image: Update to styhead head revision
Sundeep KOKKONDA (3):
binutils: stable 2.42 branch updates
oeqa/selftest/reproducibile: rename of reproducible directories
rust: rustdoc reproducibility issue fix
Talel BELHAJSALEM (1):
contributor-guide: Remove duplicated words
Teresa Remmet (1):
recipes-bsp: usbutils: Fix usb-devices command using busybox
Theodore A. Roth (2):
ca-certificates: update 20211016 -> 20240203
ca-certificates: Add comment for provenance of SRCREV
Thomas Perrot (2):
opensbi: bump to 1.5
opensbi: bump to 1.5.1
Tim Orling (8):
python3-rpds-py: upgrade 0.18.1 -> 0.20.0
python3-alabaster: upgrade 0.7.16 -> 1.0.0
python3-cffi: upgrade 1.16.0 -> 1.17.0
python3-more-itertools: upgrade 10.3.0 -> 10.4.0
python3-wheel: upgrade 0.43.0 -> 0.44.0
python3-zipp: upgrade 3.19.2 -> 3.20.0
python3-attrs: upgrade 23.2.0 -> 24.2.0
python3-setuptools-rust: upgrade 1.9.0 -> 1.10.1
Tom Hochstein (2):
time64.inc: Simplify GLIBC_64BIT_TIME_FLAGS usage
weston: Add missing runtime dependency on freerdp
Trevor Gamblin (37):
dhcpcd: upgrade 10.0.6 -> 10.0.8
python3-hypothesis: upgrade 6.103.0 -> 6.103.2
python3-psutil: upgrade 5.9.8 -> 6.0.0
python3-testtools: upgrade 2.7.1 -> 2.7.2
python3-urllib3: upgrade 2.2.1 -> 2.2.2
maintainers.inc: add self for unassigned python recipes
MAINTAINERS.md: fix patchtest entry
python3-pytest-subtests: upgrade 0.12.1 -> 0.13.0
python3-hypothesis: upgrade 6.103.2 -> 6.105.1
python3-setuptools: upgrade 69.5.1 -> 70.3.0
bind: upgrade 9.18.27 -> 9.20.0
cmake: upgrade 3.29.3 -> 3.30.1
dpkg: upgrade 1.22.6 -> 1.22.10
nettle: upgrade 3.9.1 -> 3.10
patchtest/patch.py: remove cruft
scripts/patchtest.README: cleanup, add selftest notes
kea: upgrade 2.4.1 -> 2.6.1
python3-sphinx: upgrade 7.4.7 -> 8.0.2
python3-hypothesis: upgrade 6.108.4 -> 6.108.10
python3-pytest: upgrade 8.3.1 -> 8.3.2
python3-sphinxcontrib-applehelp: upgrade 1.0.8 -> 2.0.0
python3-sphinxcontrib-devhelp: upgrade 1.0.6 -> 2.0.0
python3-sphinxcontrib-htmlhelp: upgrade 2.0.6 -> 2.1.0
python3-sphinxcontrib-qthelp: upgrade 1.0.8 -> 2.0.0
python3-sphinxcontrib-serializinghtml: upgrade 1.1.10 -> 2.0.0
libassuan: upgrade 2.5.7 -> 3.0.1
python3-setuptools: upgrade 71.1.0 -> 72.1.0
python3-hypothesis: upgrade 6.108.10 -> 6.110.1
python3-cython: upgrade 3.0.10 -> 3.0.11
python3: upgrade 3.12.4 -> 3.12.5
python3: skip readline limited history tests
piglit: upgrade 22eaf6a91c -> c11c9374c1
python3-hypothesis: upgrade 6.111.1 -> 6.111.2
python3-pyparsing: upgrade 3.1.2 -> 3.1.4
patchtest: test_mbox: remove duplicate regex definition
patchtest: test_shortlog_length: omit shortlog prefixes
patchtest: test_non_auh_upgrade: improve parse logic
Troels Dalsgaard Hoffmeyer (1):
bitbake: build/exec_task: Log str() instead of repr() for exceptions in build
Tronje Krabbe (1):
rust-target-config: Update data layouts for 32-bit arm targets
Ulrich Ölmann (2):
initramfs-framework: fix typos
buildhistory: fix typos
Vijay Anusuri (4):
wget: Fix for CVE-2024-38428
apr: upgrade 1.7.4 -> 1.7.5
xserver-xorg: upgrade 21.1.13 -> 21.1.14
xwayland: upgrade 24.1.3 -> 24.1.4
Vivek Puar (1):
linux-firmware: upgrade 20240811 -> 20240909
Wadim Egorov (1):
watchdog: Set watchdog_module in default config
Wang Mingyu (125):
alsa-lib: upgrade 1.2.11 -> 1.2.12
alsa-plugins: upgrade 1.2.7.1 -> 1.2.12
alsa-ucm-conf: upgrade 1.2.11 -> 1.2.12
git: upgrade 2.45.1 -> 2.45.2
createrepo-c: upgrade 1.1.1 -> 1.1.2
diffoscope: upgrade 267 -> 271
enchant2: upgrade 2.7.3 -> 2.8.1
fribidi: upgrade 1.0.14 -> 1.0.15
gstreamer: upgrade 1.24.3 -> 1.24.4
libevdev: upgrade 1.13.1 -> 1.13.2
libjitterentropy: upgrade 3.4.1 -> 3.5.0
libpcre2: upgrade 10.43 -> 10.44
pciutils: upgrade 3.12.0 -> 3.13.0
rng-tools: upgrade 6.16 -> 6.17
ttyrun: upgrade 2.32.0 -> 2.33.1
btrfs-tools: handle rename of inode_includes() from e2fsprogs 1.47.1
rt-tests: upgrade 2.6 -> 2.7
base-passwd: upgrade 3.6.3 -> 3.6.4
btrfs-tools: upgrade 6.8.1 -> 6.9.2
ccache: upgrade 4.10 -> 4.10.1
createrepo-c: upgrade 1.1.2 -> 1.1.3
cups: upgrade 2.4.9 -> 2.4.10
debianutils: upgrade 5.19 -> 5.20
diffoscope: upgrade 271 -> 272
dnf: upgrade 4.20.0 -> 4.21.0
gdbm: upgrade 1.23 -> 1.24
gstreamer: upgrade 1.24.4 -> 1.24.5
harfbuzz: upgrade 8.5.0 -> 9.0.0
libadwaita: upgrade 1.5.1 -> 1.5.2
libdnf: upgrade 0.73.1 -> 0.73.2
libdrm: upgrade 2.4.120 -> 2.4.122
libproxy: upgrade 0.5.6 -> 0.5.7
librsvg: upgrade 2.57.3 -> 2.58.1
libsdl2: upgrade 2.30.4 -> 2.30.5
opkg: upgrade 0.6.3 -> 0.7.0
opkg-utils: upgrade 0.6.3 -> 0.7.0
pinentry: upgrade 1.3.0 -> 1.3.1
python3-certifi: upgrade 2024.6.2 -> 2024.7.4
python3-hatchling: upgrade 1.24.2 -> 1.25.0
python3-importlib-metadata: upgrade 7.1.0 -> 8.0.0
python3-maturin: upgrade 1.6.0 -> 1.7.0
python3-pycairo: upgrade 1.26.0 -> 1.26.1
python3-trove-classifiers: upgrade 2024.5.22 -> 2024.7.2
repo: upgrade 2.45 -> 2.46
sysstat: upgrade 12.7.5 -> 12.7.6
wireless-regdb: upgrade 2024.05.08 -> 2024.07.04
cryptodev: upgrade 1.13 -> 1.14
asciidoc: upgrade 10.2.0 -> 10.2.1
glslang: upgrade 1.3.283.0 -> 1.3.290.0
gsettings-desktop-schemas: upgrade 46.0 -> 46.1
kexec-tools: upgrade 2.0.28 -> 2.0.29
libproxy: upgrade 0.5.7 -> 0.5.8
librsvg: upgrade 2.58.1 -> 2.58.2
libsolv: upgrade 0.7.29 -> 0.7.30
libtirpc: upgrade 1.3.4 -> 1.3.5
orc: upgrade 0.4.38 -> 0.4.39
python3-bcrypt: upgrade 4.1.3 -> 4.2.0
python3-dbusmock: upgrade 0.31.1 -> 0.32.1
python3-hypothesis: upgrade 6.105.1 -> 6.108.4
python3-importlib-metadata: upgrade 8.0.0 -> 8.2.0
python3-jsonschema: upgrade 4.22.0 -> 4.23.0
python3-pytest-subtests: upgrade 0.13.0 -> 0.13.1
python3-pytest: upgrade 8.2.2 -> 8.3.1
python3-setuptools: upgrade 70.3.0 -> 71.1.0
python3-sphinx: upgrade 7.3.7 -> 7.4.7
python3-sphinxcontrib-htmlhelp: upgrade 2.0.5 -> 2.0.6
python3-sphinxcontrib-qthelp: upgrade 1.0.7 -> 1.0.8
spirv-headers: upgrade 1.3.283.0 -> 1.3.290.0
spirv-tools: upgrade 1.3.283.0 -> 1.3.290.0
strace: upgrade 6.9 -> 6.10
sysklogd: upgrade 2.5.2 -> 2.6.0
vulkan-headers: upgrade 1.3.283.0 -> 1.3.290.0
vulkan-loader: upgrade 1.3.283.0 -> 1.3.290.0
vulkan-tools: upgrade 1.3.283.0 -> 1.3.290.0
vulkan-utility-libraries: upgrade 1.3.283.0 -> 1.3.290.0
vulkan-validation-layers: upgrade 1.3.283.0 -> 1.3.290.0
vulkan-volk: upgrade 1.3.283.0 -> 1.3.290.0
xwayland: upgrade 24.1.0 -> 24.1.1
binutils: upgrade 2.43 -> 2.43.1
btrfs-tools: upgrade 6.9.2 -> 6.10.1
createrepo-c: upgrade 1.1.3 -> 1.1.4
diffoscope: upgrade 272 -> 276
dnf: upgrade 4.21.0 -> 4.21.1
enchant2: upgrade 2.8.1 -> 2.8.2
erofs-utils: upgrade 1.7.1 -> 1.8.1
ethtool: upgrade 6.9 -> 6.10
freetype: upgrade 2.13.2 -> 2.13.3
libx11: upgrade 1.8.9 -> 1.8.10
libxfont2: upgrade 2.0.6 -> 2.0.7
libxtst: upgrade 1.2.4 -> 1.2.5
pkgconf: upgrade 2.2.0 -> 2.3.0
python3-babel: upgrade 2.15.0 -> 2.16.0
python3-hypothesis: upgrade 6.110.1 -> 6.111.1
python3-lxml: upgrade 5.2.2 -> 5.3.0
python3-setuptools: upgrade 72.1.0 -> 72.2.0
rpcbind: upgrade 1.2.6 -> 1.2.7
sysklogd: upgrade 2.6.0 -> 2.6.1
ttyrun: upgrade 2.33.1 -> 2.34.0
xwayland: upgrade 24.1.1 -> 24.1.2
systemd: upgrade 256.4 -> 256.5
acpica: upgrade 20240322 -> 20240827
cairo: upgrade 1.18.0 -> 1.18.2
dhcpcd: upgrade 10.0.8 -> 10.0.10
diffoscope: upgrade 276 -> 277
ell: upgrade 0.67 -> 0.68
libdrm: upgrade 2.4.122 -> 2.4.123
libsoup: upgrade 3.4.4 -> 3.6.0
liburcu: upgrade 0.14.0 -> 0.14.1
mc: upgrade 4.8.31 -> 4.8.32
nghttp2: upgrade 1.62.1 -> 1.63.0
ofono: upgrade 2.9 -> 2.10
python3-certifi: upgrade 2024.7.4 -> 2024.8.30
python3-idna: upgrade 3.7 -> 3.8
python3-maturin: upgrade 1.7.0 -> 1.7.1
python3-pbr: upgrade 6.0.0 -> 6.1.0
python3-websockets: upgrade 12.0 -> 13.0.1
python3-zipp: upgrade 3.20.0 -> 3.20.1
taglib: upgrade 2.0.1 -> 2.0.2
wayland-protocols: upgrade 1.36 -> 1.37
wayland: upgrade 1.23.0 -> 1.23.1
git: upgrade 2.46.0 -> 2.46.1
libevdev: upgrade 1.13.2 -> 1.13.3
orc: upgrade 0.4.39 -> 0.4.40
wireless-regdb: upgrade 2024.07.04 -> 2024.10.07
xwayland: upgrade 24.1.2 -> 24.1.3
Weisser, Pascal.ext (1):
qemuboot: Trigger write_qemuboot_conf task on changes of kernel image realpath
Yash Shinde (12):
rust: Oe-selftest fixes for rust v1.76
rust: Upgrade 1.75.0->1.76.0
rust: reproducibility issue fix with v1.76
rust: Oe-selftest changes for rust v1.77
rust: Upgrade 1.76.0->1.77.0
rust: Upgrade 1.77.0->1.77.1
rust: Upgrade 1.77.1->1.77.2
rust: Oe-selftest changes for rust v1.78
rust: Upgrade 1.77.2->1.78.0
zlib: Enable PIE for native builds
rust: Oe-selftest changes for rust v1.79
rust: Upgrade 1.78.0->1.79.0
Yi Zhao (9):
libsdl2: upgrade 2.30.3 -> 2.30.4
less: upgrade 643 -> 661
util-linux: install lastlog2 volatile file
rpm: fix expansion of %_libdir in macros
libsdl2: upgrade 2.30.5 -> 2.30.6
bind: upgrade 9.20.0 -> 9.20.1
libpcap: upgrade 1.10.4 -> 1.10.5
libsdl2: upgrade 2.30.6 -> 2.30.7
systemd: fix broken links for sysvinit-compatible commands
Yoann Congal (10):
Revert "insane: skip unimplemented-ptest on S=WORKDIR recipes"
insane: skip unimplemented-ptest checks if disabled
spirv-tools: Fix git-describe related reproducibility
spirv-tools: Update merged patch to backport status
oeqa/selftest: Only rewrite envvars paths that absolutely point to builddir
migration/release-notes-5.1: document oeqa/selftest envvars change
release-notes-5.1: document added python3-libarchive-c ptest
release-notes-5.1: document fixed _test_devtool_add_git_url test
release-notes-5.1: document spirv-tools reproducibility
python3-maturin: sort external libs in wheel files
Yuri D'Elia (1):
bitbake: fetch2/git: Enforce default remote name to "origin"
Zoltan Boszormenyi (1):
rpcbind: Fix boot time start failure
aszh07 (2):
xz: Update LICENSE variable for xz packages
ffmpeg: Add "libswresample libavcodec" to CVE_PRODUCT
gudnimg (1):
bluez5: upgrade 5.72 -> 5.77
hongxu (7):
libgpg-error: 1.49 -> 1.50
man-pages: 6.8 -> 6.9.1
libxml2: 2.12.8 -> 2.13.3
readline: 8.2 -> 8.2.13
libxslt: 1.1.39 -> 1.1.42
xmlto: 0.0.28 -> 0.0.29
gnupg: 2.4.5 -> 2.5.0
simit.ghane (2):
libgcrypt: Fix building error with '-O2' in sysroot path
libgcrypt: upgrade 1.10.3 -> 1.11.0
y75zhang (1):
bitbake: fetch/wget: checkstatus: drop shared connecton when catch Timeout error
meta-openembedded: 487a2d5695..5d54a52fbe:
Adrian Freihofer (1):
networkmanager: remove modemmanager rdepends
Akash Hadke (1):
python3-flatbuffers: provide nativesdk support
Alba Herrerías (1):
yelp: fix unterminated string
Alexander Kanavin (1):
libnewt: add from oe-core
Alexander Stein (1):
luajit: Fix host development package
Alexandre Truong (99):
ace: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
acpitool: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status
anthy: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
atop: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
bitwise: Include UPSTREAM_CHECK_REGEX to fix UNKNOWN_BROKEN status
cfengine-masterfiles: Include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
ckermit: Include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
cloc: include UPSTREAM_CHECK_REGEX to fix UNKNOWN_BROKEN status
cups-filters: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status
cxxtest: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status
czmq: include UPSTREAM_CHECK_REGEX to fix UNKNOWN_BROKEN status
daemontools: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status
doxygen: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
duktape: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status
fftw: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status
fltk: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status
fltk-native: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status
fwupd: include UPSTREAM_CHECK_REGEX to fix UNKNOWN_BROKEN status
gmime: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
gnome-themes-extra: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
gradm: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status
graphviz: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
gtkperf: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
hplip: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status
icewm: include UPSTREAM_CHECK_REGEX to fix UNKNOWN_BROKEN status
irssi: include UPSTREAM_CHECK_REGEX to fix UNKNOWN_BROKEN status
jansson: modify existing UPSTREAM_CHECK_REGEX
lcov: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
leptonica: include UPSTREAM_CHECK_REGEX to fix UNKNOWN_BROKEN status
libcdio-paranoia: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
libdbus-c++: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
libftdi: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status
libgnt: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
libiodbc: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
libjs-jquery: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
liblinebreak: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
libmng: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
libmtp: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
libnice: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
libopusenc: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
libpaper: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
libpcsc-perl: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
libsdl-gfx: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status
libsigc++-2.0: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
libsigc++-3: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
libsmi: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
libspiro: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
libstatgrab: include UPSTREAM_CHECK_REGEX to fix UNKNOWN_BROKEN status
libwmf: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
libx86-1: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status
libxml++-5.0: include UPSTREAM_CHECK_REGEX to fix UNKNOWN_BROKEN status
logwarn: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
lprng: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
mcpp: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
mozjs-115: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
mscgen: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status
msgpack-cpp: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
msktutil: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
nmon: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
nss: modify UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
obexftp: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
onig: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
openbox: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
openct: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status
openobex: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
p7zip: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
pngcheck: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
rsyslog: modify existing UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status
sblim-cmpi-devel: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
sblim-sfc-common: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status
ttf-ubuntu-font-family: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
ttf-wqy-zenhei: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
uml-utilities: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status
xrdp: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
xscreensaver: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status
can-isotp: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
con2fbmap: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
cpufrequtils: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
dbus-daemon-proxy: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
devmem2: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
edid-decode: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
fb-test: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
firmwared: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
funyahoo-plusplus: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
hunspell-dictionaries: switch branch from master to main
hunspell-dictionaries: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
icyque: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
iksemel: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
kconfig-frontends: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
libbacktrace: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
libc-bench: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
libubox: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
linux-serial-test: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
musl-rpmatch: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
pam-plugin-ccreds: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
pcimem: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
pim435: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
properties-cpp: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status
pegtl: add ptest support
Alexandre Videgrain (1):
openbox: fix crash on alt+tab with fullscreen app
Anuj Mittal (1):
tbb: pass TBB_STRICT=OFF to disable -Werror
Archana Polampalli (1):
apache2: Upgrade 2.4.60 -> 2.4.61
Armin Kuster (2):
meta-openemnedded: Add myself as styhead maintainer
audit: fix build when systemd is enabled.
BINDU (1):
flatbuffers: adapt for cross-compilation environments
Barry Grussling (1):
postgresql: Break perl RDEPENDS
Bartosz Golaszewski (4):
python3-gpiod: update to v2.2.0
python3-virtualenv: add missing run-time dependencies
libgpiod: update v2.1.2 -> v2.1.3
python3-gpiod: update v2.2.0 -> v2.2.1
Benjamin Szőke (1):
tree: fix broken links
Carlos Alberto Lopez Perez (1):
sysprof: upgrade 3.44.0 -> 3.48.0
Changqing Li (4):
python3-h5py: remove unneeded CFLAGS
pavucontrol: update SRC_URI
libatasmart: Update SRC_URI
libdbi-perl: upgrade 1.643 -> 1.644
Chen Qi (2):
python3-protobuf: remove useless and problematic .pth file
jansson: add JSON_INTEGER_IS_LONG_LONG for cmake
Christian Eggers (2):
lvgl: fix version in shared library file name
lvgl: update upstream-status of all patches
Christophe Vu-Brugier (2):
nvme-cli: upgrade 2.9.1 -> 2.10.2
exfatprogs: upgrade 1.2.4 -> 1.2.5
Dimitri Bouras (1):
python3-geomet: Switch to setuptools_build_meta build backend
Dmitry Baryshkov (6):
android-tools: make PN-adbd as a systemd package
deqp-runner: improved version of parallel-deqp-runner
packagegroup-meta-oe: include deqp-runner into packagegroup-meta-oe-graphics
README.md: discourage use of GitHub pull request system
android-tools: create flag flag file for adbd at a proper location
gpsd: apply patch to fix gpsd building on Musl
Einar Gunnarsson (2):
yavta: Update to kernel 6.8
v4l-utils: Install media ctrl pkgconfig files
Enrico Jörns (6):
libconfuse: move to meta-oe
libconfuse: provide native and nativesdk support
libconfuse: replace DESCRIPTION by SUMMARY
libconfuse: switch to release tar archive
libconfuse: add backported patch to fix search path logic
genimage: add new recipe
Esben Haabendal (1):
netplan: add missing runtime dependencies
Etienne Cordonnier (3):
uutils-coreutils: upgrade 0.0.26 -> 0.0.27
uutils-coreutils: disable buildpaths error
perfetto: upgrade 31.0 -> 47.0
Fabio Estevam (1):
imx-cst: Add recipe
Faiz HAMMOUCHE (6):
uim: update UPSTREAM_CHECK_* variables to fix devtool upgrades
unixodbc: update UPSTREAM_CHECK_* variables to fix devtool upgrades
xdotool: update UPSTREAM_CHECK_* variables to fix devtool upgrades
xf86-input-tslib: update UPSTREAM_CHECK_* variables to fix devtool upgrades
wvstrams: Unmaintained upstream, add UPSTREAM_VERSION_UNKNOWN
wvdial: Unmaintained upstream, add UPSTREAM_VERSION_UNKNOWN
Fathi Boudra (2):
python3-django: upgrade 4.2.11 -> 4.2.16
python3-django: upgrade 5.0.6 -> 5.0.9
Frank de Brabander (1):
python3-pydantic-core: fix incompatible version
Fredrik Hugosson (1):
lvm2: Remove the lvm2-udevrules package
Ghislain Mangé (1):
wireshark: fix typo in PACKAGECONFIG[zstd]
Gianfranco Costamagna (1):
vbxguestdrivers: upgrade 7.0.18 -> 7.0.20
Guocai He (1):
mariadb: File conflicts for multilib
Guðni Már Gilbert (5):
python3-incremental: improve packaging
python3-twisted: upgrade 24.3.0 -> 24.7.0
python3-incremental: drop python3-twisted-core from RDEPENDS
python3-twisted: add python3-attrs to RDEPENDS
python3-automat: upgrade 22.10.0 -> 24.8.1
Harish Sadineni (1):
bpftool: Add support for riscv64
Hauke Lampe (1):
postgresql: Use packageconfig flag for readline dependency
Hitendra Prajapati (1):
tcpdump: fix CVE-2024-2397
Hongxu Jia (1):
nodejs: support cross compile without qemu user conditionally
Hubert Wiśniewski (1):
libcamera: Use multiple of sizeof as malloc size
J. S. (8):
znc: Fix buildpaths QA errors
webmin: upgrade 2.111 -> 2.202
nodejs: upgrade 20.16.0 -> 20.17.0
syslog-ng: upgrade 4.6.0 -> 4.7.0
xfce4-panel: upgrade 4.18.3 -> 4.18.4
nodejs: upgrade 20.17.0 -> 20.18.0
xfce4-panel: upgrade 4.18.4 -> 4.18.5
nodejs: cleanup
Jamin Lin (1):
drgn: add new recipe
Jan Luebbe (2):
python3-grpcio-reflection: new recipe
python3-grpcio-channelz: new recipe
Jan Vermaete (3):
python3-protobuf: added python3-ctypes as RDEPENDS
protobuf: version bump 4.25.3 -> 4.25.4
netdata: version bump 1.47.0 -> 1.47.1
Jason Schonberg (1):
nodejs: upgrade 20.13.0 -> 20.16.0
Jeremy A. Puhlman (1):
net-snmp: Set ps flag value since it checks the host
Jeroen Knoops (1):
nng: Rename default branch of github.com:nanomsg/nng.git
Jiaying Song (3):
nftables: change ptest output format
wireguard-tools: fix do_fetch error
vlock: fix do_fetch error
Jose Quaresma (6):
composefs: the srcrev hash was the release tag
ostree: Upgrade 2024.6 -> 2024.7
composefs: upgrade 1.0.4 -> 1.0.5
gpsd: make the meta-python dependency conditionally
Revert "gpsd: make the meta-python dependency conditionally"
gpsd: condition the runtime dependence of pyserial on the pygps
Justin Bronder (1):
python3-xmodem: replace hardcoded /usr with ${prefix}
Jörg Sommer (5):
dnsmasq: Install conf example from upstream instead of our version
dnsmasq: set config dhcp6, broken-rtc by FEATURES
gpsd: upgrade 3.24 -> 3.25; new gpsd-snmp
bluealsa: upgrade 4.0.0+git -> 4.3.0
zsh: update 5.8 -> 5.9
Kai Kang (1):
libosinfo: add runtime dependency osinfo-db
Katariina Lounento (1):
libtar: patch CVEs
Keith McRae (1):
ntp: Fix status call reporting incorrect value
Khem Raj (142):
python3-tornado: Switch to python_setuptools_build_meta
rdma-core: Fix recvfrom override errors with glibc 2.40 and clang
tipcutils: Replace WORKDIR with UNPACKDIR
rdma-core: Do not use overloadable attribute with musl
python3-pint: Upgrade to 24.1
flite: Fix buld with clang fortify enabled distros
python3-inflate64: Fix build with clang fortified glibc headers
renderdoc: Upgrade to 1.33
renderdoc: Fix build with clang fortify and glibc 2.40
overlayfs-tools: Fix build with musl
webmin: Upgrade to 2.111 release
opencv: Check GTK3DISTROFEATURES for enabling gtk support
opencv: Add missing trailing slash
sysprof: Fix build with llvm libunwind
log4cpp: Fix buildpaths QA error
ldns: Upgrade to 1.8.4
libwmf: Fix buildpaths QA Errors in libwmf-config
Revert "libftdi: Fix missing ftdi_eeprom"
vsomeip: Fix build with GCC-14
turbostat: Add band-aid to build from 6.10+ kernel
python3-daemon: Fix build with PEP-575 build backend
zfs: Upgrade to 2.2.5 release
e2tools: Fix buildpaths QA warning in config.status in ptest
glibmm: Upgrade to 2.66.7 release
transmission: Upgrade to 4.0.6 release
wolfssl: Add packageconfig for reproducible build
lprng: Specify target paths for needed utilities
sharutils: Let POSIX_SHELL be overridable from environment
freediameter: Fix buildpaths QA error
libforms: Remove buildpaths from fd2ps and fdesign scripts
blueman: Fix buildpaths issue with cython generated code
fvwm: Fix buildpaths QA Errors
proftpd: Upgrade to 1.3.8b
botan: Make it reproducible
ndisc: Remove buildpaths from binaries
python3-kivy: Remove buildpaths from comments in generated C sources
keepalived: Make build reproducible
fwknop: Upgrade to 2.6.11
fwknop: Specify target locations of gpg and wget
ippool: Fix buildpaths QA error
ot-br-posix: Define config files explicitly
libyui: Upgrade to 4.6.2
fluentbit: Make it deprecated
python3-pyproj: Fix buildpaths QA Error
python3-pyproj: Remove absolute paths from cython generated .c files
libyui-ncurses: Fix buildpaths QA Error
ftgl: Upgrade to 2.4.0
ftgl: Switch to maintained fork
frr: Upgrade to 10.1 release
python3-pandas: Downgrade version check for numpy to 1.x
python3-pycocotools: Use build pep517-backend
python3-pycocotools: Downgrade numpy version needed to 1.x
python3-pycocotools: Remove absolute paths from comments
raptor2: Do not use curl-config to detect curl
libgsf: Fix build with libxml2 2.13+
libspatialite: Upgrade to 5.1
libblockdev: Fix build with latest e2fsprogs
bluealsa: Fix build on musl
bluealsa: Update cython patch to latest upstream patch
mariadb: Upgrade to 10.11.9 release
gerbera: Upgrade to 2.2.0
e2tools: Fix build with automake 1.17
minidlna: Upgrade to 1.3.3 release
vlc: Upgrade to 3.0.21
libplacebo: Add recipe
mpv: Upgrade to 0.38.0 release
libmpdclient,mpc: Upgrade to 2.22 and 0.35 respectively
vlc: Disable recipe
mpd: Upgrade to 0.23.15+git
xdg-desktop-portal-wlr: Update to latest on master branch
ltrace: Switch to gitlab SRC_URI
webkitgtk3: Fix build with latest clang
python3-grpcio: Upgrade to 1.66.1 release
grpc: Upgrade to 1.66.1 release
mozjs-115: fix build with clang and libc++ 19
nmap: Upgrade to 7.95
etcd-cpp-apiv3: Fix build with gprc 2.66+
paho-mqtt-cpp: Upgrade to 1.4.1 release
poppler: Upgrade to 24.09.0 release
nodejs: Fix build with libc++ 19
poco: Drop RISCV patch
paho-mqtt-cpp: Move to tip of 1.4.x branch
netdata: Upgrade to 1.47.0
freeipmi: Add recipe
opentelemetry-cpp: Fix build with clang-19
opengl-es-cts,vulkan-cts: Upgrade recipes to 3.2.11.0 and 1.3.9.2
libcereal: Fix build with clang-19
libjxl: Upgrade to 0.10.3 release
python3-serpent: Add missing rdeps for ptests to run
python3-parse-type: Add missing rdep on six for ptests
paho-mqtt-cpp: Use system paho-mqtt-c
python3-serpent: Fix typo attr -> attrs
python3-tzdata: Add missing attrs modules rdep for ptests
python3-trustme: Add missing ptest rdeps on attrs and six modules
python3-service-identity: Fix ptest rdeps
python3-fsspec: Add recipe
ptest-packagelists-meta-python: Add python3-fsspec to fast test list
python3-pyyaml-include: Add missing dependencies for ptests
python3-py-cpuinfo: Fix ptest runtime deps
python3-flask: Add missing ptest deps
yavta: Upgrade SRCREV to include 64bit time_t print format errors
libjxl: Do not use -mrelax-all on RISCV with clang
python3-wrapt: Add missing rdep on misc modules for ptests
python3-pillow: Add missing rdep on py3-compile for ptests
python-ujson: Use python_setuptools_build_meta
python3-pylint: Add missing ptest rdep on python3-misc
python3-fastjsonschema: Add missing rdeps for ptests
python3-pytest-mock: Upgrade to 3.14.0
protobuf-c: Link with libatomic on riscv32
highway: Disable RVV on RISCV-32
dav1d: Disable asm code on rv32
mosh: Use libatomic on rv32 for atomics
dlm: Disable fcf-protection on riscv32
usbguard: Link with libatomic on rv32
transmission: Link with libatomic on riscv32
ot-br-posix: Link with libatomic on rv32
opentelemetry-cpp: Link with libatomic on rv32
mozjs-115: Fix build on riscv32
netdata: Add checks for 64-bit atomic builtins
liburing: Upgrade to 2.7 and fix build on riscv32
highway: Fix cmake to detect riscv32
libjxl: Disable sizeless-vectors on riscv32
kernel-selftest: Fix build on 32bit arches with 64bit time_t
reptyr: Do not build for riscv32
python3-typer: Disable test_rich_markup_mode tests
python3-pydbus: Add missing rdep on xml module for ptests
python3-pdm: Upgrade to 2.19.1
python3-pdm-backend: Upgrade to 2.4.1 release
python3-ujson: Add python misc modules to ptest rdeps
python3-gunicorn: Add missing rdeps for ptests
python3-eth-hash: Add packageconfigs and switch to pep517-backend
python3-validators: Add missing rdeps for ptests
python3-pint: Upgrade to 0.24.3
python3-pytest-mock: Fix ptests
python3-sqlparse: Add missing rdep on mypy module for ptests
libhugetlbfs: Use linker wrapper during build
webkitgtk3: Always use -g1 for debug flags
webkitgtk3: Fix build break with latest gir
ndisc6: Fix reproducible build
rsyslog: Enable 64bit atomics check
xmlsec1: Switch SRC_URI to use github release
python3-pdm-build-locked: Add recipe
Kieran Bingham (1):
libcamera: Add support for pycamera
Leon Anavi (39):
python3-eth-utils: Upgrade 3.0.0 -> 4.1.1
python3-requests-file: Upgrade 1.5.1 -> 2.1.0
python3-filelock: Upgrade 3.14.0 -> 3.15.3
python3-hexbytes: Upgrade 1.2.0 -> 1.2.1
python3-moteus: Upgrade 0.3.70 -> 0.3.71
python3-tornado: Upgrade 6.4 -> 6.4.1
python3-paho-mqtt: Upgrade 2.0.0 -> 2.1.0
python3-pyperclip: Upgrade 1.8.2 -> 1.9.0
python3-whitenoise: Upgrade 6.6.0 -> 6.7.0
python3-pycocotools: Upgrade 2.0.7 -> 2.0.8
python3-cbor2: Upgrade 5.6.3 -> 5.6.4
python3-gunicorn: Upgrade 21.2.0 -> 22.0.0
python3-aiohttp: Upgrade 3.9.5 -> 3.10.0
python3-aiosignal: switch to PEP-517 build backend
python3-pycares: switch to PEP-517 build backend
python3-multidict: switch to PEP-517 build backend
python3-cachetools: Upgrade 5.3.3 -> 5.4.0
python3-coverage: switch to PEP-517 build backend
coverage: Upgrade 7.6.0 -> 7.6.1
python3-aiohttp: Upgrade 3.10.0 -> 3.10.1
python3-hatch-requirements-txt: Add recipe
python3-pymongo: Upgrade 4.7.3 -> 4.8.0
python3-itsdangerous: Upgrade 2.1.2 -> 2.2.0
python3-sniffio: switch to PEP-517 build backend
python3-sniffio: Upgrade 1.3.0 -> 1.3.1
python3-qface: Upgrade 2.0.10 -> 2.0.11
python3-argcomplete: switch to PEP-517 build backend
python3-argcomplete: Upgrade 3.4.0 -> 3.5.0
python3-prettytable: Upgrade 3.10.2 -> 3.11.0
python3-transitions: Upgrade 0.9.1 -> 0.9.2
python3-apispec: Upgrade 6.4.0 -> 6.6.1
python3-imageio: Upgrade 2.34.2 -> 2.35.0
python3-aiohttp: Upgrade 3.10.1 -> 3.10.3
python3-watchdog: Upgrade 4.0.1 -> 4.0.2
python3-soupsieve: Upgrade 2.5 -> 2.6
python3-fastjsonschema: Upgrade 2.18.0 -> 2.20.0
python3-dirty-equals: Upgrade 0.7.1 -> 0.8.0
python3-path: Upgrade 16.14.0 -> 17.0.0
python3-astroid: Upgrade 3.2.4 -> 3.3.2
Libo Chen (1):
thin-provisioning-tools: install missed thin_shrink and era_repair
Liyin Zhang (1):
sound-theme-freedesktop: Update SRC_URI
Luca Boccassi (4):
dbus-broker: upgrade 32 -> 36
polkit: stop overriding DAC on /usr/share/polkit-1/rules.d
polkit: update 124 -> 125
polkit: install group rules in /usr/share/ instead of /etc/
Marc Ferland (3):
polkit: update SRC_URI
polikt: add elogind packageconfig option
polkit: add libs-only PACKAGECONFIG option
Markus Volk (28):
exiv2: update 0.28.0 -> 0.28.2
wireplumber: update 0.5.3 -> 0.5.5
pipewire: update 1.0.7 -> 1.2.0
flatpak: add PACKAGECONFIG for dconf
lvm2: install all systemd service files
nss: update 3.101 > 3.102
geary: update 44.1 -> 46.0
dav1d: update 1.4.2 -> 1.4.3
pipewire: update 1.2.0 -> 1.2.1
flatpak: update 1.15.8 -> 1.15.9
blueman: update 2.3.5 -> 2.4.3
pipewire: update 1.2.1 -> 1.2.2
webkitgtk3: update 2.44.2 -> 2.44.3
iwd: update 2.18 -> 2.19
bubblewrap: update 0.9.0 -> 0.10.0
flatpak: update 1.15.9 -> 1.15.10
pipewire: update 1.2.2 -> 1.2.3
cleanup after polkit fix
libspelling: add recipe
wireplumber: update 0.5.5. -> 0.5.6
gnome-disk-utility: update 46.0 -> 46.1
rygel: update 0.42.5 -> 0.44.0
colord: add configuration to fix runtime
iwd: update 2.19 -> 2.20
iwd: use internal ell
gnome-shell: add gnome-control-center dependency
gnome-desktop: update 44.0 -> 44.1
cryptsetup: fix udev PACKAGECONFIG
Martin Jansa (15):
lvgl: install lv_conf.h in ${includedir}/${BPN}
giflib: fix build with gold and avoid imagemagick-native dependency
recipes: ignore various issues fatal with gcc-14 (for 32bit MACHINEs)
recipes: ignore various issues fatal with gcc-14
bolt: package systemd_system_unitdir correctly
pkcs11-provider: backport a fix for build with gcc-14
blueman: fix installation paths
polkit-group-rule: package polkit rules
vdpauinfo: require x11 in DISTRO_FEATURES
gpm: fix buildpaths QA issue
xerces-c: fix buildpaths QA issue
gcab: keep buildpaths QA issue as a warning
gcab: fix buildpaths QA issue
nmap: depend on libpcre2 not libpcre
xmlrpc-c: update SRCREV
Maxin John (1):
nginx: add PACKAGECONFIG knobs for fastcgi, scgi and uwsgi
Michael Trimarchi (1):
cpuset: Add recipe for cpuset tool 1.6.2
Mikko Rapeli (3):
fwupd: skip buildpaths errors
gcab: ignore buildpaths error from sources
libjcat: skip buildpaths check
Neel Gandhi (1):
v4l-utils: Install media ctrl header and library files
Nikhil R (1):
rocksdb: Add an option to set static library
Niko Mauno (27):
pkcs11-provider: Upgrade 0.3 -> 0.5
opensc: Amend FILES:${PN} declaration
opensc: Add 'readline' PACKAGECONFIG option
opensc: Drop virtual/libiconv from DEPENDS
opensc: Fix LICENSE declaration
opensc: Cosmetic fixes
python3-xlsxwriter: Fix LICENSE
python3-ansi2html: Fix HOMEPAGE and LICENSE
python3-cbor2: Fix LICENSE and LIC_FILES_CHKSUM
python3-cbor2: Sanitize recipe content
python3-crc32c: Amend LICENSE declaration
python3-email-validator: Fix LICENSE
python3-lru-dict: Fix LICENSE and change SUMMARY to DESCRIPTION
python3-mock: Fix LICENSE
python3-parse-type: Fix LICENSE
python3-parse-type: Cosmetic fixes
python3-pillow: Fix LICENSE and change SUMMARY to DESCRIPTION
python3-platformdirs: Fix LICENSE
python3-colorama: Fix LICENSE
python3-fann2: Fix LICENSE
python3-nmap: Fix LICENSE and LIC_FILES_CHKSUM
python3-pycurl: Fix LICENSE
python3-googleapis-common-protos: Fix LIC_FILES_CHKSUM
python3-haversine: Fix LIC_FILES_CHKSUM
python3-libevdev: Fix LIC_FILES_CHKSUM
python3-smbus2: Fix LIC_FILES_CHKSUM
python3-xmodem: Fix LIC_FILES_CHKSUM
Ninette Adhikari (15):
imagemagick: Update status for CVE
mercurial: Update CVE status for CVE-2022-43410
influxdb: Update CVE status for CVE-2019-10329
links: CVE status update for CVE-2008-3319
usrsctp: CVE status update for CVE-2019-20503
libraw: CVE status update for CVE-2020-22628 and CVE-2023-1729
xsp: CVE status update for CVE-2006-2658
apache2:apache2-native: CVE status update
gimp: CVE status update
php-native: CVE status update for CVE-2022-4900
xterm: CVE status update CVE-1999-0965
redis: Update status for CVE-2022-3734
monkey: Update status for CVE-2013-2183
apache2: Update CVE status
imagemagick: Update status for CVE
Peter Kjellerstedt (2):
libdevmapper: Inherit nopackages
poppler: Correct the configuration options
Peter Marko (4):
cjson: fix buildpath warnings
squid: Upgrade to 6.10
nginx: Upgrade stable 1.26.0 -> 1.26.2
nginx: Upgrade mainline 1.25.3 -> 1.27.1
Poonam Jadhav (1):
tcpreplay: Fix CVE-2023-4256
Przemyslaw Zegan (1):
libftdi: Fix missing ftdi_eeprom
Quentin Schulz (1):
nftables: fix pep517-backend warning
Randolph Sapp (2):
vulkan-cts: add workaround for createMeshShaderMiscTestsEXT
opencl-clhpp: add native and nativesdk
Randy MacLeod (2):
libee: remove recipe since libee is obsolete
liblinebreak: remove obsolete library
Ricardo Simoes (8):
magic-enum: add recipe
magic-enum: Disable unused-value warning in tests
memtool: Add recipe
directfb: Order PACKAGECONFIG alphabetically
directfb: Add freetype PACKAGECONFIG
directfb: Add zlib PACKAGECONFIG
directfb: Fix C++17 build warning
magic-enum: Upgrade v0.9.5 -> v0.9.6
Richard Tollerton (1):
tmux: Upgrade to 3.4
Robert Middleton (1):
Upgrade dbus-cxx to 2.5.2
Ross Burton (9):
libabigail: add recipe for the ABI Generic Analysis and Instrumentation Library
libabigail: refresh musl/fts patch
python3-importlib-metadata: add from openembedded-core
python3-pathlib2: add from openembedded-core
python3-py: add from openembedded-core
python3-pytest-runner: add from openembedded-core
python3-rfc3986-validator: add from openembedded-core
python3-toml: add from openembedded-core
python3-tomli: add from openembedded-core
Rouven Czerwinski (1):
softhsm: add destroyed global access prevention patch
Ryan Eatmon (2):
mpv: Fix typo in x11 option
kernel-selftest: Update to allow for turning on all tests
Shinji Matsunaga (1):
audit: Fix CVE_PRODUCT
Siddharth Doshi (1):
apache2: Upgrade 2.4.59 -> 2.4.60
Soumya Sambu (4):
php: Upgrade to 8.2.20
python3-werkzeug: upgrade 3.0.1 -> 3.0.3
gtk+: Fix CVE-2024-6655
python3-flask-cors: Fix CVE-2024-6221
Thomas Perrot (1):
vdpauinfo: add recipe
Tim Orling (7):
python3-configobj: switch to PEP-517 build backend
python3-tzdata: add recipe for v2024.1
python3-tzdata: enable ptest
python3-pydantic-core: upgrade 2.18.4 -> 2.21.0
python3-pydantic: upgrade 2.7.3 -> 2.8.2
python3-pydantic-core: backport patch
python3-psycopg: add v3.2.1
Tom Geelen (4):
python3-sqlparse 0.4.4 -> 0.5.0
python3-bleak 0.21.1 -> 0.22.2
python3-aiohue: 4.7.1 -> 4.7.2
python3-pyjwt 2.8.0 -> 2.9.0
Trevor Gamblin (1):
python3-pandas: upgrade 2.0.3 -> 2.2.2
Trevor Woerner (2):
apache2: use update-alternatives for httpd
python3-matplotlib-inline: update 0.1.6 → 0.1.7 plus fixes
Tymoteusz Burak (1):
dediprog-flasher: Add recipe
Valeria Petrov (1):
apache2: do not depend on zlib header and libs from host
Vijay Anusuri (3):
tipcutils: Add systemd support
krb5: upgrade 1.21.2 -> 1.21.3
wireshark: upgrade 4.2.6 -> 4.2.7
Vyacheslav Yurkov (1):
overlayfs: Use explicit version
Wang Mingyu (306):
cryptsetup: upgrade 2.7.2 -> 2.7.3
ctags: upgrade 6.1.20240602.0 -> 6.1.20240623.0
dialog: upgrade 1.3-20240307 -> 1.3-20240619
editorconfig-core-c: upgrade 0.12.7 -> 0.12.9
exiftool: upgrade 12.85 -> 12.87
frr: upgrade 10.0 -> 10.0.1
gensio: upgrade 2.8.4 -> 2.8.5
gtkwave: upgrade 3.3.119 -> 3.3.120
iniparser: upgrade 4.2.2 -> 4.2.4
libbpf: upgrade 1.4.2 -> 1.4.3
libcgi-perl: upgrade 4.64 -> 4.66
libcrypt-openssl-random-perl: upgrade 0.16 -> 0.17
libdaq: upgrade 3.0.14 -> 3.0.15
libextutils-helpers-perl: upgrade 0.026 -> 0.027
libfido2: upgrade 1.14.0 -> 1.15.0
libimobiledevice-glue: upgrade 1.2.0 -> 1.3.0
mcelog: upgrade 199 -> 200
msgraph: upgrade 0.2.2 -> 0.2.3
networkmanager-openvpn: upgrade 1.11.0 -> 1.12.0
opentelemetry-cpp: upgrade 1.15.0 -> 1.16.0
openvpn: upgrade 2.6.10 -> 2.6.11
python3-ansi2html: upgrade 1.9.1 -> 1.9.2
python3-argcomplete: upgrade 3.3.0 -> 3.4.0
python3-bandit: upgrade 1.7.8 -> 1.7.9
python3-coverage: upgrade 7.5.3 -> 7.5.4
python3-djangorestframework: upgrade 3.15.1 -> 3.15.2
python3-email-validator: upgrade 2.1.1 -> 2.2.0
python3-filelock: upgrade 3.15.3 -> 3.15.4
python3-flexparser: upgrade 0.3 -> 0.3.1
python3-google-api-python-client: upgrade 2.131.0 -> 2.134.0
python3-google-auth: upgrade 2.29.0 -> 2.30.0
python3-googleapis-common-protos: upgrade 1.63.0 -> 1.63.1
python3-huey: upgrade 2.5.0 -> 2.5.1
python3-langtable: upgrade 0.0.66 -> 0.0.67
python3-marshmallow: upgrade 3.21.2 -> 3.21.3
python3-meh: upgrade 0.51 -> 0.52
python3-openpyxl: upgrade 3.1.3 -> 3.1.4
python3-parse: upgrade 1.20.1 -> 1.20.2
python3-pdm-backend: upgrade 2.3.0 -> 2.3.1
python3-pint: upgrade 0.23 -> 0.24
python3-portalocker: upgrade 2.8.2 -> 2.10.0
python3-prompt-toolkit: upgrade 3.0.45 -> 3.0.47
python3-pycodestyle: upgrade 2.11.1 -> 2.12.0
python3-pymisp: upgrade 2.4.190 -> 2.4.194
python3-pymongo: upgrade 4.7.2 -> 4.7.3
python3-pyproject-api: upgrade 1.6.1 -> 1.7.1
python3-redis: upgrade 5.0.4 -> 5.0.6
python3-responses: upgrade 0.25.0 -> 0.25.3
python3-robotframework: upgrade 7.0 -> 7.0.1
python3-scikit-build: upgrade 0.17.6 -> 0.18.0
python3-sqlalchemy: upgrade 2.0.30 -> 2.0.31
python3-tox: upgrade 4.15.0 -> 4.15.1
python3-types-psutil: upgrade 5.9.5.20240516 -> 6.0.0.20240621
python3-virtualenv: upgrade 20.26.2 -> 20.26.3
qpdf: upgrade 11.9.0 -> 11.9.1
tesseract: upgrade 5.3.4 -> 5.4.1
thingsboard-gateway: upgrade 3.5 -> 3.5.1
openldap: upgrade 2.6.7 -> 2.6.8
openldap: fix lib32-openldap build failure with gcc-14
sblim-sfcc: fix build failure with gcc-14
openct: fix build failure with gcc-14
libcurses-perl: upgrade 1.41 -> 1.45
ctags: upgrade 6.1.20240623.0 -> 6.1.20240630.0
feh: upgrade 3.10.2 -> 3.10.3
gexiv2: upgrade 0.14.2 -> 0.14.3
isomd5sum: upgrade 1.2.4 -> 1.2.5
libndp: upgrade 1.8 -> 1.9
networkmanager: upgrade 1.48.0 -> 1.48.2
python3-a2wsgi: upgrade 1.10.4 -> 1.10.6
python3-aiofiles: upgrade 23.2.1 -> 24.1.0
python3-alembic: upgrade 1.13.1 -> 1.13.2
python3-awesomeversion: upgrade 24.2.0 -> 24.6.0
python3-dbus-fast: upgrade 2.21.3 -> 2.22.1
python3-gast: upgrade 0.5.4 -> 0.6.0
python3-google-api-core: upgrade 2.19.0 -> 2.19.1
python3-google-api-python-client: upgrade 2.134.0 -> 2.135.0
python3-googleapis-common-protos: upgrade 1.63.1 -> 1.63.2
python3-imageio: upgrade 2.34.1 -> 2.34.2
python3-ipython: upgrade 8.25.0 -> 8.26.0
python3-openpyxl: upgrade 3.1.4 -> 3.1.5
python3-pdm: upgrade 2.15.4 -> 2.16.1
python3-pymodbus: upgrade 3.6.8 -> 3.6.9
python3-rapidjson: upgrade 1.17 -> 1.18
python3-redis: upgrade 5.0.6 -> 5.0.7
python3-twine: upgrade 5.1.0 -> 5.1.1
python3-types-setuptools: upgrade 70.0.0.20240524 -> 70.1.0.20240627
python3-web3: upgrade 6.19.0 -> 6.20.0
fetchmail: disable rpath to fix buildpaths warning.
procmail: fix build failure with gcc-14
botan: upgrade 3.4.0 -> 3.5.0
ctags: upgrade 6.1.20240630.0 -> 6.1.20240714.0
exiftool: upgrade 12.87 -> 12.89
gnome-keyring: upgrade 46.1 -> 46.2
hwdata: upgrade 0.383 -> 0.384
imlib2: upgrade 1.12.2 -> 1.12.3
ipset: upgrade 7.21 -> 7.22
libass: upgrade 0.17.2 -> 0.17.3
libbpf: upgrade 1.4.3 -> 1.4.5
lvm2: upgrade 2.03.24 -> 2.03.25
libio-socket-ssl-perl: upgrade 2.085 -> 2.088
mpich: upgrade 4.2.1 -> 4.2.2
nano: upgrade 8.0 -> 8.1
networkmanager: upgrade 1.48.2 -> 1.48.4
poke: upgrade 4.1 -> 4.2
python3-argh: upgrade 0.31.2 -> 0.31.3
python3-astroid: upgrade 3.2.2 -> 3.2.3
python3-coverage: upgrade 7.5.4 -> 7.6.0
python3-humanize: upgrade 4.9.0 -> 4.10.0
python3-moteus: upgrade 0.3.71 -> 0.3.72
python3-oletools: upgrade 0.60.1 -> 0.60.2
python3-pdm-backend: upgrade 2.3.1 -> 2.3.2
python3-pillow: upgrade 10.3.0 -> 10.4.0
python3-portalocker: upgrade 2.10.0 -> 2.10.1
python3-prettytable: upgrade 3.10.0 -> 3.10.2
python3-py7zr: upgrade 0.21.0 -> 0.21.1
python3-sympy: upgrade 1.12.1 -> 1.13.0
python3-tomlkit: upgrade 0.12.5 -> 0.13.0
python3-types-setuptools: upgrade 70.1.0.20240627 -> 70.3.0.20240710
python3-validators: upgrade 0.28.3 -> 0.32.0
qcbor: upgrade 1.3 -> 1.4
sngrep: upgrade 1.8.1 -> 1.8.2
thin-provisioning-tools: upgrade 1.0.12 -> 1.0.13
tree: upgrade 2.1.1 -> 2.1.3
wireshark: upgrade 4.2.5 -> 4.2.6
wolfssl: upgrade 5.7.0 -> 5.7.2
xterm: upgrade 392 -> 393
zenity: upgrade 4.0.1 -> 4.0.2
apache2: upgrade 2.4.61 -> 2.4.62
cfengine-masterfiles: upgrade 3.21.0 -> 3.21.5
cmark: upgrade 0.31.0 -> 0.31.1
cryptsetup: upgrade 2.7.3 -> 2.7.4
ctags: upgrade 6.1.20240714.0 -> 6.1.20240804.0
eog: upgrade 45.3 -> 45.4
fwupd: upgrade 1.9.18 -> 1.9.22
gmime: upgrade 3.2.13 -> 3.2.15
gnome-bluetooth: upgrade 46.0 -> 46.1
googletest: upgrade 1.14.0 -> 1.15.2
icewm: upgrade 3.4.5 -> 3.6.0
leptonica: upgrade 1.82.0 -> 1.84.1
libiodbc: upgrade 3.52.15 -> 3.52.16
liblinebreak: upgrade 1.2 -> 2.1
libnvme: upgrade 1.9 -> 1.10
libpaper: upgrade 2.1.2 -> 2.2.5
libpcsc-perl: upgrade 1.4.14 -> 1.4.15
libsdl-gfx: upgrade 2.0.25 -> 2.0.27
libtdb: upgrade 1.4.10 -> 1.4.11
libtracefs: upgrade 1.8.0 -> 1.8.1
logwarn: upgrade 1.0.14 -> 1.0.17
logwatch: upgrade 7.10 -> 7.11
msgpack-cpp: upgrade 6.1.0 -> 6.1.1
neatvnc: upgrade 0.8.0 -> 0.8.1
networkmanager: upgrade 1.48.4 -> 1.48.6
nss: upgrade 3.102 -> 3.103
openipmi: upgrade 2.0.35 -> 2.0.36
opentelemetry-cpp: upgrade 1.16.0 -> 1.16.1
openvpn: upgrade 2.6.11 -> 2.6.12
python3-a2wsgi: upgrade 1.10.6 -> 1.10.7
python3-aiohappyeyeballs: upgrade 2.3.2 -> 2.3.4
python3-astroid: upgrade 3.2.3 -> 3.2.4
python3-autobahn: upgrade 23.6.2 -> 24.4.2
python3-croniter: upgrade 2.0.5 -> 3.0.3
python3-langtable: upgrade 0.0.67 -> 0.0.68
python3-pdm-backend: upgrade 2.3.2 -> 2.3.3
python3-pure-eval: upgrade 0.2.2 -> 0.2.3
python3-pyfanotify: upgrade 0.2.2 -> 0.3.0
python3-pymisp: upgrade 2.4.194 -> 2.4.195
python3-pymodbus: upgrade 3.6.9 -> 3.7.0
python3-pytest-lazy-fixtures: upgrade 1.0.7 -> 1.1.1
python3-qface: upgrade 2.0.8 -> 2.0.10
python3-rapidjson: upgrade 1.18 -> 1.19
python3-redis: upgrade 5.0.7 -> 5.0.8
python3-regex: upgrade 2024.5.15 -> 2024.7.24
python3-sqlparse: upgrade 0.5.0 -> 0.5.1
python3-sympy: upgrade 1.13.0 -> 1.13.1
python3-tqdm: upgrade 4.66.4 -> 4.66.5
python3-types-setuptools: upgrade 70.3.0.20240710 -> 71.1.0.20240726
python3-validators: upgrade 0.32.0 -> 0.33.0
python3-web3: upgrade 6.20.0 -> 6.20.1
python3-xmlschema: upgrade 3.3.1 -> 3.3.2
qcbor: upgrade 1.4 -> 1.4.1
rsyslog: upgrade 8.2404.0 -> 8.2406.0
ttf-abyssinica: upgrade 2.100 -> 2.201
wavemon: upgrade 0.9.5 -> 0.9.6
xmlsec1: upgrade 1.3.4 -> 1.3.5
picocom: upgrade 2023-04 -> 2024
hostapd: upgrade 2.10 -> 2.11
python3-incremental: upgrade 22.10.0 -> 24.7.2
colord-gtk: upgrade 0.3.0 -> 0.3.1
ctags: upgrade 6.1.20240804.0 -> 6.1.20240825.0
fwupd: upgrade 1.9.22 -> 1.9.24
hwdata: upgrade 0.384 -> 0.385
lastlog2: upgrade 1.2.0 -> 1.3.1
libbytesize: upgrade 2.10 -> 2.11
libei: upgrade 1.2.1 -> 1.3.0
libnet-dns-perl: upgrade 1.45 -> 1.46
libtdb: upgrade 1.4.11 -> 1.4.12
libtest-harness-perl: upgrade 3.48 -> 3.50
xdg-dbus-proxy: upgrade 0.1.5 -> 0.1.6
mdns: upgrade 2200.120.24 -> 2200.140.11
mutter: upgrade 46.2 -> 46.4
networkmanager: upgrade 1.48.6 -> 1.48.10
pamela: upgrade 1.1.0 -> 1.2.0
pcsc-tools: upgrade 1.7.1 -> 1.7.2
postgresql: upgrade 16.3 -> 16.4
python3-aiohappyeyeballs: upgrade 2.3.4 -> 2.4.0
python3-aiohttp: upgrade 3.10.3 -> 3.10.5
python3-aiohue: upgrade 4.7.2 -> 4.7.3
python3-cachetools: upgrade 5.4.0 -> 5.5.0
python3-dbus-fast: upgrade 2.22.1 -> 2.24.0
python3-eth-utils: upgrade 4.1.1 -> 5.0.0
python3-gunicorn: upgrade 22.0.0 -> 23.0.0
python3-imageio: upgrade 2.35.0 -> 2.35.1
python3-importlib-metadata: upgrade 8.2.0 -> 8.4.0
python3-marshmallow: upgrade 3.21.3 -> 3.22.0
python3-nocasedict: upgrade 2.0.3 -> 2.0.4
python3-nocaselist: upgrade 2.0.2 -> 2.0.3
python3-paramiko: upgrade 3.4.0 -> 3.4.1
python3-py7zr: upgrade 0.21.1 -> 0.22.0
python3-pycodestyle: upgrade 2.12.0 -> 2.12.1
python3-pymisp: upgrade 2.4.195 -> 2.4.196
python3-pyzstd: upgrade 0.16.0 -> 0.16.1
python3-simplejson: upgrade 3.19.2 -> 3.19.3
python3-sqlalchemy: upgrade 2.0.31 -> 2.0.32
python3-sympy: upgrade 1.13.1 -> 1.13.2
python3-tomlkit: upgrade 0.13.0 -> 0.13.2
python3-typer: upgrade 0.12.3 -> 0.12.5
python3-types-python-dateutil: upgrade 2.9.0.20240316 -> 2.9.0.20240821
python3-types-setuptools: upgrade 71.1.0.20240726 -> 73.0.0.20240822
python3-xxhash: upgrade 3.4.1 -> 3.5.0
rsyslog: upgrade 8.2406.0 -> 8.2408.0
samba: upgrade 4.19.7 -> 4.19.8
sanlock: upgrade 3.9.3 -> 3.9.4
unbound: upgrade 1.20.0 -> 1.21.0
lastlog2: remove recipe since it has been merged into util-linux
ctags: upgrade 6.1.20240825.0 -> 6.1.20240908.0
eog: upgrade 45.4 -> 47.0
flatpak-xdg-utils: upgrade 1.0.5 -> 1.0.6
gensio: upgrade 2.8.5 -> 2.8.7
gnome-autoar: upgrade 0.4.4 -> 0.4.5
hwdata: upgrade 0.385 -> 0.387
libbpf: upgrade 1.4.5 -> 1.4.6
libcompress-raw-bzip2-perl: upgrade 2.212 -> 2.213
libcompress-raw-lzma-perl: upgrade 2.212 -> 2.213
libcompress-raw-zlib-perl: upgrade 2.212 -> 2.213
libextutils-helpers-perl: upgrade 0.027 -> 0.028
libio-compress-lzma-perl: upgrade 2.212 -> 2.213
libio-compress-perl: upgrade 2.212 -> 2.213
libio-socket-ssl-perl: upgrade 2.088 -> 2.089
libspiro: upgrade 20221101 -> 20240903
nano: upgrade 8.1 -> 8.2
python3-dbus-fast: upgrade 2.24.0 -> 2.24.2
python3-executing: upgrade 2.0.1 -> 2.1.0
python3-filelock: upgrade 3.15.4 -> 3.16.0
python3-httpx: upgrade 0.27.0 -> 0.27.2
python3-ipython: upgrade 8.26.0 -> 8.27.0
python3-kiwisolver: upgrade 1.4.5 -> 1.4.7
python3-parse-type: upgrade 0.6.2 -> 0.6.3
python3-pefile: upgrade 2023.2.7 -> 2024.8.26
python3-platformdirs: upgrade 4.2.2 -> 4.3.1
python3-pulsectl: upgrade 24.4.0 -> 24.8.0
python3-pymetno: upgrade 0.12.0 -> 0.13.0
python3-pymisp: upgrade 2.4.196 -> 2.4.197
python3-pymodbus: upgrade 3.7.0 -> 3.7.2
python3-rich: upgrade 13.7.1 -> 13.8.0
python3-scikit-build: upgrade 0.18.0 -> 0.18.1
python3-types-psutil: upgrade 6.0.0.20240621 -> 6.0.0.20240901
python3-types-python-dateutil: upgrade 2.9.0.20240821 -> 2.9.0.20240906
python3-validators: upgrade 0.33.0 -> 0.34.0
python3-virtualenv: upgrade 20.26.3 -> 20.26.4
python3-watchdog: upgrade 4.0.2 -> 5.0.2
python3-yarl: upgrade 1.9.4 -> 1.10.0
python3-zeroconf: upgrade 0.132.2 -> 0.134.0
uhubctl: upgrade 2.5.0 -> 2.6.0
valijson: upgrade 1.0.2 -> 1.0.3
xfsdump: upgrade 3.1.12 -> 3.2.0
xterm: upgrade 393 -> 394
bdwgc: upgrade 8.2.6 -> 8.2.8
ctags: upgrade 6.1.20240908.0 -> 6.1.20240915.0
gnome-backgrounds: upgrade 46.0 -> 47.0
gnome-chess: upgrade 46.0 -> 47.0
gnome-font-viewer: upgrade 46.0 -> 47.0
libmanette: upgrade 0.2.7 -> 0.2.9
pegtl: upgrade 3.2.7 -> 3.2.8
python3-elementpath: upgrade 4.4.0 -> 4.5.0
python3-eventlet: upgrade 0.36.1 -> 0.37.0
python3-filelock: upgrade 3.16.0 -> 3.16.1
python3-greenlet: upgrade 3.0.3 -> 3.1.0
python3-nmap: upgrade 1.6.0 -> 1.9.1
python3-paramiko: upgrade 3.4.1 -> 3.5.0
python3-platformdirs: upgrade 4.3.1 -> 4.3.6
python3-psycopg: upgrade 3.2.1 -> 3.2.2
python3-pyasn1-modules: upgrade 0.4.0 -> 0.4.1
python3-pymisp: upgrade 2.4.197 -> 2.4.198
python3-pyproject-api: upgrade 1.7.1 -> 1.7.2
python3-pyunormalize: upgrade 15.1.0 -> 16.0.0
python3-regex: upgrade 2024.7.24 -> 2024.9.11
python3-rich: upgrade 13.8.0 -> 13.8.1
python3-robotframework: upgrade 7.0.1 -> 7.1
python3-virtualenv: upgrade 20.26.4 -> 20.26.5
python3-xmlschema: upgrade 3.3.2 -> 3.4.1
python3-yarl: upgrade 1.10.0 -> 1.11.1
stunnel: upgrade 5.72 -> 5.73
tecla: upgrade 46.0 -> 47.0
traceroute: upgrade 2.1.5 -> 2.1.6
nmap: Fix off-by-one overflow in the IP protocol table.
python3-alembic: upgrade 1.13.2 -> 1.13.3
Yi Zhao (48):
libldb: upgrade 2.8.0 -> 2.8.1
samba: upgrade 4.19.6 -> 4.19.7
devecot: set dovecot.conf file mode with chmod
packagegroup-xfce-extended: fix typo of gobject-introspection-data feature
lastlog2: specify correct pamlibdir
wtmpdb: specify correct pamlibdir
libnftnl: upgrade 1.2.6 -> 1.2.7
nftables: upgrade 1.0.9 -> 1.1.0
netplan: upgrade 1.0 -> 1.0.1
snort3: upgrade 3.1.84.0 -> 3.3.1.0
snort3: upgrade 3.3.1.0 -> 3.3.2.0
tcpreplay: upgrade 4.4.4 -> 4.5.1
libdaq: upgrade 3.0.15 -> 3.0.16
audit: upgrade 4.0.1 -> 4.0.2
snort3: upgrade 3.3.2.0 -> 3.3.3.0
snort3: upgrade 3.3.3.0 -> 3.3.4.0
tcpdump: upgrade 4.99.4 -> 4.99.5
cryptsetup: upgrade 2.7.4 -> 2.7.5
dracut: upgrade 102 -> 103
freeradius: upgrade 3.2.3 -> 3.2.5
autofs: upgrade 5.1.8 -> 5.1.9
mbedtls: upgrade 3.6.0 -> 3.6.1
mbedtls: upgrade 2.28.8 -> 2.28.9
drbd-utils: upgrade 9.27.0 -> 9.28.0
mm-common: upgrade 1.0.4 -> 1.0.6
lvm2: upgrade 2.03.25 -> 2.03.26
geoclue: upgrade 2.7.1 -> 2.7.2
s-nail: upgrade 14.9.24 -> 14.9.25
crash: upgrade 8.0.4 -> 8.0.5
mce-inject: upgrade to latest git rev
mce-test: update to latest git rev
fltk: upgrade 1.3.8 -> 1.3.9
openjpeg: upgrade 2.5.0 -> 2.5.2
netplan: upgrade 1.0.1 -> 1.1
libssh: upgrade 0.10.6 -> 0.11.1
jsoncpp: upgrade 1.9.5 -> 1.9.6
debootstrap: upgrade 1.0.132 -> 1.0.137
frr: upgrade 10.1 -> 10.1.1
open-vm-tools: upgrade 12.3.5 -> 12.4.5
v4l-utils: upgrade 1.26.1 -> 1.28.1
catch2: upgrade 3.6.0 -> 3.7.0
tbb: upgrade 2021.11.0 -> 2021.13.0
abseil-cpp: upgrade 20240116.2 -> 20240722.0
protobuf: add abseil-cpp to RDEPENDS
protobuf: upgrade 4.25.4 -> 4.25.5
lksctp-tools: upgrade 1.0.19 -> 1.0.20
tcpslice: upgrade 1.7 -> 1.8
libhugetlbfs: upgrade 2.23 -> 2.24
Yoann Congal (39):
python3-redis: add an archive prefix to avoid clashing with redis
pidgin: Upgrade to 2.14.13
daq: fix SRC_URI to point to the real 2.0.7 release
pidgin: Update Upstream-Status for gcc-14 compatibility patch
pidgin: Remove gcc-14 compatibility workaround
dbus-broker: update UPSTREAM_CHECK_* variables to fix devtool upgrades
mariadb: update UPSTREAM_CHECK_* variables to fix devtool upgrades
mbuffer: update UPSTREAM_CHECK_* variables to fix devtool upgrades
microcom: update UPSTREAM_CHECK_* variables to fix devtool upgrades
openbox-xdgmenu: update UPSTREAM_CHECK_* variables to fix devtool upgrades
proxy-libintl: update UPSTREAM_CHECK_* variables to fix devtool upgrades
pugixml: update UPSTREAM_CHECK_* variables to fix devtool upgrades
pv: update UPSTREAM_CHECK_* variables to fix devtool upgrades
sblim-sfcc: update UPSTREAM_CHECK_* variables to fix devtool upgrades
source-code-pro-fonts: update UPSTREAM_CHECK_* variables to fix devtool upgrades
stalonetray: update UPSTREAM_CHECK_* variables to fix devtool upgrades
testfloat: update UPSTREAM_CHECK_* variables to fix devtool upgrades
tk: update UPSTREAM_CHECK_* variables to fix devtool upgrades
tmux: update UPSTREAM_CHECK_* variables to fix devtool upgrades
ttf-abyssinica: update UPSTREAM_CHECK_* variables to fix devtool upgrades
zeromq: update UPSTREAM_CHECK_* variables to fix devtool upgrades
qad: Add UPSTREAM_CHECK_COMMITS
reboot-mode: Add UPSTREAM_CHECK_COMMITS
s-suite: Add UPSTREAM_CHECK_COMMITS
syzkaller: Add UPSTREAM_CHECK_COMMITS
yavta: Add UPSTREAM_CHECK_COMMITS
zsync-curl: Add UPSTREAM_CHECK_COMMITS
klibc: fix debug pkgs reproducibility
polkit: Switch PAM files to common-*
polkit: fix build on sysvinit
grilo: fix buildpaths QA error
non-repro-meta-python: exclude packages that failed previously
README.md: Hint at "git request-pull"
non-repro-meta-networking: exclude packages that failed previously
non-repro-meta-filesystems: update known reproducible packages
non-repro-meta-networking: update known non-reproducible list
polkit: Update Upstream-Status of a merged patch
wtmpdb: fix installed-vs-shipped build error
minidlna: fix reproducibility
Yogesh Tyagi (1):
python3-pybind11 : upgrade 2.11.1 -> 2.12.0
Yogita Urade (3):
hdf5: upgrade to 1.14.4
poppler: CVE-2024-6239
krb5: fix CVE-2024-26458 and CVE-2024-26461
Zhang Peng (1):
hiredis: remove ANSI color from ptest result
alba@thehoodiefirm.com (1):
apache2:apache2-native: sort CVE status
alperak (61):
recipes: set S to fix the QA warning
pcp: Fix contains reference to TMPDIR [buildpaths] warnings
boinc-client: Fix contains reference to TMPDIR [buildpaths] warning
rdist: Fix contains reference to TMPDIR [buildpaths] warning
gphoto2: Fix contains reference to TMPDIR [buildpaths] warning
hplip: Fix contains reference to TMPDIR [buildpaths] warning
jsonrpc: Fix contains reference to TMPDIR [buildpaths] warning
exiv2: Upgrade 0.28.2 to 0.28.3 for CVE fix
tayga: Fix contains reference to TMPDIR [buildpaths] warning
etcd-cpp-apiv3: Fix contains reference to TMPDIR [buildpaths] warning
python3-lazy: switch to PEP-517 build backend
python3-classes: switch to PEP-517 build backend
python3-eventlet: switch to PEP-517 build backend
python3-bitstruct: switch to PEP-517 build backend
python3-dbus-fast: switch to PEP-517 build backend
python3-brotli: switch to PEP-517 build backend
python3-pymongo: switch to PEP-517 build backend
python3-can: switch to PEP-517 build backend
python3-pyaudio: switch to PEP-517 build backend
python3-term: switch to PEP-517 build backend
python3-screeninfo: switch to PEP-517 build backend
python3-pykickstart: switch to PEP-517 build backend
python3-click-repl: switch to PEP-517 build backend
python3-evdev: switch to PEP-517 build backend
python3-qrcode: switch to PEP-517 build backend
python3-pyproj: switch to PEP-517 build backend
python3-file-magic: switch to PEP-517 build backend
python3-joblib: switch to PEP-517 build backend
python3-dill: switch to PEP-517 build backend
python3-luma-oled: switch to PEP-517 build backend
python3-pyudev: switch to PEP-517 build backend
python3-xmlschema: switch to PEP-517 build backend
python3-lru-dict: switch to PEP-517 build backend
python3-ipython: switch to PEP-517 build backend
python3-portion: switch to PEP-517 build backend
python3-lazy-object-proxy: switch to PEP-517 build backend
python3-aioserial: switch to PEP-517 build backend
perfetto: Fix contains reference to TMPDIR [buildpaths] warning
python3-reedsolo: upgrade 2.0.13 -> 2.1.0b1
blueman: Fix do_package QA issue
python3-service-identity: switch to PEP-517 build backend
python3-parse-type: switch to PEP-517 build backend
python3-regex: switch to PEP-517 build backend
python3-pytest-timeout: switch to PEP-517 build backend
python3-pytest-metadata: switch to PEP-517 build backend
python3-pyroute: switch to PEP-517 build backend
python3-pyjwt: switch to PEP-517 build backend
python3-pyasn1-modules: switch to PEP-517 build backend
python3-py-cpuinfo: switch to PEP-517 build backend
python3-django: switch to PEP-517 build backend
python3-greenlet: switch to PEP-517 build backend
python3-gevent: switch to PEP-517 build backend
python3-msgpack: upgrade 1.0.8 -> 1.1.0
python3-sqlalchemy: Upgrade 2.0.32 -> 2.0.35 and switch to PEP-517 build backend
python3-alembic: switch to PEP-517 build backend
python3-inflate64: switch to PEP-517 build backend
python3-spidev: switch to PEP-517 build backend
python3-pastedeploy: switch to PEP-517 build backend
python3-reedsolo: switch to PEP-517 build backend
curlpp: Fix build issue
libhugetlbfs: Fix contains reference to TMPDIR [buildpaths] error
ptak (1):
opencv: upgrade 4.9.0 -> 4.10.0
quic-raghuvar (2):
android-tools-adbd.service: Change /var to /etc in ConditionPathExists
android-toold-adbd: Fix inconsistency between selinux configurations
rajmohan r (1):
unbound: Add ptest for unbound
s-tokumoto (2):
capnproto: Add "capnp" to CVE_PRODUCT
fuse: Add "fuse:fuse" to CVE_PRODUCT
meta-security: b4a8bc606f..e2c44c8b5d:
Anusmita Dutta Mazumder (1):
Add styhead LAYERSERIES_COMPAT
Armin Kuster (18):
recipes-*: convert WORKDIR->UNPACKDIR
apparmor: fix QA Warnings
python3-fail2ban: convert WORKDIR->UNPACKDIR
krill: Fix QA warnings
suricata: fix QA warnings
isic: Fix config error
arpwatch: Fix compile error
chipsec: Fix QA Warnings
tpm-tools: fix QA and compile errors.
ima-policy: Fix S=UNPACKDIR
harden/initscripts: UNPACKDIR fix
harden-image-minima: Fix usermod
aide: update to latest stable.
python3-privacyidea: switch to PEP-517 build backend
switch to PEP-517 build backend
python3-tpm2-pyts: switch to PEP-517 build backend
gitlab-ci: minor tweaks to try
layer.conf: Update to styhead release name series
Chen Qi (1):
libgssglue: switch to use git source
Hitendra Prajapati (2):
sssd: Fix CVE-2023-3758
libhtp: fix CVE-2024-45797
Martin Jansa (4):
{tcp,udp}-smack-test: fix few more implicit-function-declaration issues fatal with gcc-14
README.md: fix sendemail.to value
suricata: run whole autotools_do_configure not just oe_runconf
layer.conf: Update to styhead release name series
Mikko Rapeli (9):
python3-tpm2-pytss: update from 2.1.0 to 2.3.0
parsec-service: UNPACKDIR fixes
bastille: UNPACKDIR fixes
initramfs-framework-ima: UNPACKDIR fix
ima-policy-appraise-all: UNPACKDIR fix
ima-policy-simple: UNPACKDIR fix
ima-policy-hashed: set S
ima-policy-appraise-all: set S
ima-policy-simple: set S
Rasmus Villemoes (1):
fail2ban: update to 1.1.0+
Ricardo Salveti (1):
tpm2-tss: drop libgcrypt
Siddharth Doshi (1):
Suricata: Security Fix for CVE-2024-37151, CVE-2024-38534, CVE-2024-38535, CVE-2024-38536
Stefan Berger (3):
meta-integrity: Remove stale variables and documentation
meta-integrity: Add IMA_EVM_PRIVKEY_KEY_OPT to pass options to evmctl
meta-integrity: Enable passing private key password
Vijay Anusuri (1):
tpm2-tools: Upgrade 5.5 -> 5.7
Wang Mingyu (3):
ima-policy-hashed: Start WORKDIR -> UNPACKDIR transition
suricata: Start WORKDIR -> UNPACKDIR transition
trousers: Start WORKDIR -> UNPACKDIR transition
Yi Zhao (3):
openscap: fix PACKAGECONFIG[remediate_service]
openscap: upgrade 1.3.10 -> 1.4.0
scap-security-guide: upgrade 0.1.73 -> 0.1.74
meta-raspberrypi: eb8ffc4e63..97d7a6b5ec:
Andrew Lalaev (1):
rpi-base.inc: add the disable-wifi-pi5 overlay
Bastian Wanner (1):
udev-rules-rpi.bb: Fix psplash systemd connection
Garrett Brown (1):
linux: Enable CONFIG_I2C_BRCMSTB for proper HDMI I2C support
Jaeyoon Jung (1):
linux-raspberrypi: Drop deprecated configs from android-driver.cfg
Jan Vermaete (5):
kas: updated the refspec syntax of the kas file
README.md: pi3-disable-bt is renamed to disable-bt in kas example
rpi-base.inc: added the disable-bt-pi5 device tree overlay
raspi-utils: added new recipe
extra-build-config.md: added a white line
Khem Raj (6):
linux-raspberrypi: Upgrade kernel to 6.6.36
weston-init.bbappend: Delete
layer.conf: Update to walnascar (5.2) layer/release series
linux-raspberrypi-6.6: Upgrade to 6.6.63
rpi-base: Remove bcm2712-rpi-5-b.dtb from RPI_KERNEL_DEVICETREE target
SECURITY.md: Add instructions for reporting security issues
Leon Anavi (2):
rpi-u-boot-scr: WORKDIR -> UNPACKDIR transition
conf/layer.conf: Remove meta-lts-mixins
Luca Carlon (1):
picamera-libs: removed unused libraries from python3-picamera
Martin Jansa (1):
mesa: rename bbappend to match new recipe name from oe-core
Matthias Klein (1):
linux-firmware-rpidistro: Upgrade to bookworm/20230625-2+rpt3
Pierrick Curt (1):
rpi-base: build uart dts overlays by default
Robert Yang (1):
conf/layer.conf: Remove duplicated BBFILES
Victor Löfgren (1):
README.md: Update link to compatible layers
Vincent Davis Jr (2):
rpi-default-providers: remove vlc,ffmpeg PREFFERED_PROVIDER
docs: include PREFERRED_PROVIDER_ffmpeg,vlc change
meta-arm: 981425c54e..18bc3f9389:
Ali Can Ozaslan (2):
arm-bsp/trusted-firmware-m: corstone1000: Increase PS size
arm-bsp/optee: corstone1000: Update upstream status
Amr Mohamed (5):
arm-systemready/README.md: add ARM_FVP_EULA_ACCEPT
arm-systemready/linux-distros: new inc file for unattended installation
arm-systemready/linux-distros: Add kickstart file for Fedora unattended
arm-systemready/oeqa: Add new test for Fedora unattended installation
kas: Add new yml file for Distros unattended installation
Ben (3):
arm-systemready/linux-distros: Implement unattended openSUSE
arm-systemready/oeqa: Add unattended installation testcase
kas: Include unattended openSUSE test
Bence Balogh (18):
arm-bsp/optee:corstone1000: Update optee to v4.2
arm-bsp/optee: Remove OP-TEE OS v4.1 recipe
arm-bsp/trusted-firmware-a: Upgrade Corstone1000 to TF-A v2.11
arm-bsp/u-boot: corstone1000: use mdata v2
arm-bsp/trusted-firmware-a: corstone1000: update upstream statuses
arm-bsp/trusted-firmware-m: corstone1000: upgrade to TF-M v2.1.x
arm-bsp/trusted-services: corstone1000: align PSA crypto structs with TF-M
arm-bsp/trusted-firmware-m: Remove TF-M v2.0 recipe
arm-bsp/trusted-firmware-m: corstone1000: fix bank offset
arm-bsp/trusted-firmware-m: corstone1000: add Secure Debug
arm-bsp/documentation: corstone1000: add Secure Debug test
CI: Add secure debug build for Corstone-1000
arm-bsp/linux-yocto: corstone1000: bump to v6.10
arm-bsp/documentation: corstone1000: remove TEE driver load
arm-bsp/trusted-firmware-m: corstone1000: Fix MPU configuration
arm-bsp/trusted-firmware-m: corstone1000: Update metadata handling
arm-bsp/trusted-firmware-m: corstone1000: Update patches
arm-bsp/trusted-firmware-m: corstone1000: Fix Secure Debug connection due to token version mismatch
Delane Brandy (1):
arm-bsp/corstone1000: Update Corstone-1000 user guide
Emekcan Aras (1):
arm-bsp/trusted-firmware-m: corstone1000: Switch to metadata v2
Harsimran Singh Tungal (7):
arm-bsp/u-boot: corstone1000: fix U-Boot patch
arm-bsp/trusted-services: corstone1000: fix compilation issues
arm-bsp/trusted-services: fix compilation issues for ts-newlib
arm-bsp/trusted-firmware-a: corstone1000: fix compilation issue for FVP multicore
arm-bsp,kas: corstone1000: enable External System based on new yml file
arm-bsp,documentation: corstone1000: update user documentation
arm-bsp/trusted-services: corstone1000: Update Trusted-Services patches
Hugues KAMBA MPIANA (4):
arm-bsp/documentation: corstone1000: Mention PMOD module as prerequisite
arm-bsp/documentation: corstone1000: Amend documentation for CORSTONE1000-2024.11 release
kas: corstone-1000: Update the SHA of the Yocto layer dependencies for the CORSTONE1000-2024.11 release.
kas: corstone-1000: Pin Yocto layer dependencies for CORSTONE1000-2024.11 release
Hugues Kamba-Mpiana (2):
arm-bsp/documentation: corstone1000: Deprecation of Sphinx context injection
arm-bsp/documentation: corstone1000: Install Sphinx theme as recommended
Javier Tia (3):
arm/optee: Add optee udev rules
arm: Enable Secure Boot in all required recipes
arm/qemuarm64-secureboot: Enable UEFI Secure Boot
Jon Mason (31):
arm-bsp/fvp-base: update version to 11.26.11
arm/qemuarm64-secureboot: fix qemu parameter
arm-toolchain: fix for WORKDIR changes
arm-systemready: WORKDIR to UNPACKDIR changes
CI: remove ts-smm-gateway for qemuarm64-secureboot-ts
arm-toolchain: update to 13.3
CI: remove unnecessary clang settings
CI: add poky-altcfg
arm/opencsd: update to 1.5.3
arm/boot-wrapper-aarch64: update with latest patch
arm/gn: update to the latest commit
CI: remove xorg test removal from edk2
arm-bsp/fvp-base: add edk2 testimage support
arm-bsp/fvp-base: u-boot patch clean-up
arm: use devtool to clean-up patches
arm-bsp: remove unreferenced patches and configs
arm/trusted-firmware-a: remove workaround patch for qemuarm64-secureboot
arm/qemu-efi-disk: add rootwait to bootargs
arm/arm-tstee: pin kernel to 6.6 to workaround issue
arm/trusted-firmware-a: update LICENSE entry
arm/musl: work around trusted services error
arm/libts: Patch to fix 6.10 kernel builds breaks
arm-bsp/documentation: corstone1000: Improve user guide
arm-toolchain: remove libmount-mountfd-support when using binary toolchain
arm-bsp/fvp-base: support poky-altcfg
arm-bsp/fvp-base: Get 6.10 kernel working
arm-bsp/fvp: Re-enable parselogs
arm/optee-os: Backport the clang fixes
arm-bsp/fvp-base: use trusted-firmware-a v2.11
CI: Rework qemuarm64-secureboot matrix
CI: remove branch name
Luca Fancellu (2):
arm/oeqa: Introduce retry mechanism for fvp_devices run_cmd
arm/lib: Handle timeout for spawn object on stop()
Mariam Elshakfy (1):
arm/trusted-services: Move ts-newlib compilation fix to meta-arm
Martin Jansa (1):
layer.conf: Update to styhead release name series
Mikko Rapeli (8):
optee-os: asm debug prefix fixes
optee-os: remove absolute paths
optee-os-tadevkit: remove buildpaths INSANE_SKIP
optee-os: remove buildpaths INSANE_SKIP
optee-os: fix buildpaths QA failure on corstone1000
ts-newlib: setup git with check_git_config
arm/optee-client: fix systemd service dependencies
trusted-firmware-a: fix panic on kv260/zynqmp
Peter Hoyes (1):
arm/fvpboot: Revert "Disable timing annotation by default"
Quentin Schulz (2):
add basic b4 config file
arm/trusted-firmware-a: add recipe for more-recent-but-not-yet-released source code
Ross Burton (9):
CI: update to Kas 4.4 image
arm-systemready: explicitly disable SPDX in the fake image classes
arm/edk2-firmware: set CVE_PRODUCT to the correct CPE
arm-bsp/linux-yocto: update for linux 6.10
CI: switch to building against styhead branches where possible
CI: add KAS_BUILD_DIR variable
CI: remove duplicate arm-systemready-ir-acs
CI: transform testimage reports into JUnit XML reports
arm-base/linux-yocto: revert interim 6.10 patch for fvp-base
Ziad Elhanafy (2):
arm/oeqa: Enable pexpect profiling for testcase debugging
arm-systemready/linux-distros: Follow WORKDIR -> UNPACKDIR transition
Change-Id: I8c03dc8ed1822e0356c1d3dcf86b5c408aff3f78
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Diffstat (limited to 'meta-arm')
185 files changed, 6577 insertions, 5913 deletions
diff --git a/meta-arm/.b4-config b/meta-arm/.b4-config new file mode 100644 index 0000000000..752ca4b245 --- /dev/null +++ b/meta-arm/.b4-config @@ -0,0 +1,2 @@ +[b4] + send-series-to = meta-arm@lists.yoctoproject.org diff --git a/meta-arm/.gitlab-ci.yml b/meta-arm/.gitlab-ci.yml index 506cb4871e..f211ea97c7 100644 --- a/meta-arm/.gitlab-ci.yml +++ b/meta-arm/.gitlab-ci.yml @@ -1,4 +1,4 @@ -image: ${MIRROR_GHCR}/siemens/kas/kas:4.3.2 +image: ${MIRROR_GHCR}/siemens/kas/kas:4.4 variables: # These are needed as the k8s executor doesn't respect the container @@ -34,13 +34,14 @@ stages: interruptible: true variables: KAS_WORK_DIR: $CI_PROJECT_DIR/work + KAS_BUILD_DIR: $KAS_WORK_DIR/build KAS_REPO_REF_DIR: $CACHE_DIR/repos SSTATE_DIR: $CACHE_DIR/sstate DL_DIR: $CACHE_DIR/downloads BB_LOGCONFIG: $CI_PROJECT_DIR/ci/logging.yml TOOLCHAIN_DIR: $CACHE_DIR/toolchains - IMAGE_DIR: $CI_PROJECT_DIR/work/build/tmp/deploy/images - TOOLCHAIN_LINK_DIR: $CI_PROJECT_DIR/work/build/toolchains + IMAGE_DIR: $KAS_BUILD_DIR/tmp/deploy/images + TOOLCHAIN_LINK_DIR: $KAS_BUILD_DIR/toolchains before_script: - echo KAS_WORK_DIR = $KAS_WORK_DIR - echo SSTATE_DIR = $SSTATE_DIR @@ -75,13 +76,17 @@ stages: - echo KASFILES=$KASFILES - kas dump --update --force-checkout --resolve-refs --resolve-env $KASFILES - kas build $KASFILES - - ./ci/check-warnings $KAS_WORK_DIR/build/warnings.log + - ./ci/check-warnings $KAS_BUILD_DIR/warnings.log + - kas shell ci/base.yml:lockfile.yml --command "$CI_PROJECT_DIR/ci/junit.sh $KAS_WORK_DIR/build" + artifacts: name: "logs" when: always paths: - - $CI_PROJECT_DIR/work/build/tmp*/work*/**/temp/log.do_*.* - - $CI_PROJECT_DIR/work/build/tmp*/work*/**/testimage/* + - $KAS_BUILD_DIR/tmp*/work*/**/temp/log.do_*.* + - $KAS_BUILD_DIR/tmp*/work*/**/testimage/* + reports: + junit: $KAS_BUILD_DIR/tmp/log/oeqa/junit.xml # # Prep stage, update repositories once. 
@@ -111,7 +116,7 @@ update-repos: # Build stage, the actual build jobs # # Available options for building are -# DISTRO: [poky, poky-tiny] +# DISTRO: [poky, poky-altcfg, poky-tiny] # KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt] # TOOLCHAINS: [gcc, clang, external-gccarm] # TCLIBC: [glibc, musl] @@ -119,6 +124,7 @@ update-repos: # TS: [none, trusted-services] # VIRT: [none, xen] # TESTING: testimage +# SECUREDEBUG: [none, secure-debug] arm-systemready-ir-acs: extends: .build @@ -128,7 +134,7 @@ arm-systemready-ir-acs: # arm-systemready-ir-acs must be specified after fvp-base for ordering # purposes for the jobs-to-kas output. It is not enough to just have it # in the job name because fvp-base.yml overwrites the target. - - PLATFORM: fvp-base + - PLATFORM: [fvp-base, corstone1000-fvp] ARM_SYSTEMREADY_IR_ACS: arm-systemready-ir-acs tags: - ${ACS_TAG} @@ -160,6 +166,7 @@ corstone1000-mps3: - FIRMWARE: corstone1000-firmware-only TESTING: [none, tftf] - FIRMWARE: none + SECUREDEBUG: [none, secure-debug] documentation: extends: .setup @@ -190,22 +197,10 @@ fvp-base: matrix: - TS: [none, fvp-base-ts] TESTING: testimage - - FIRMWARE: edk2 + - FIRMWARE: [u-boot, edk2] + TESTING: testimage - SYSTEMREADY_FIRMWARE: arm-systemready-firmware -arm-systemready-ir-acs: - extends: .build - timeout: 12h - parallel: - matrix: - # arm-systemready-ir-acs must be specified after fvp-base for ordering - # purposes for the jobs-to-kas output. It is not enough to just have it - # in the job name because fvp-base.yml overwrites the target. - - PLATFORM: [fvp-base, corstone1000-fvp] - ARM_SYSTEMREADY_IR_ACS: arm-systemready-ir-acs - tags: - - ${ACS_TAG} - fvps: extends: .build @@ -270,6 +265,10 @@ qemuarm64-secureboot: TCLIBC: [glibc, musl] TS: [none, qemuarm64-secureboot-ts] TESTING: testimage + - TOOLCHAINS: [gcc, clang] + TS: [none, qemuarm64-secureboot-ts] + UEFISB: [none, uefi-secureboot] + TESTING: testimage - KERNEL: linux-yocto-dev TESTING: testimage 
@@ -333,6 +332,8 @@ sbsa-ref: - KERNEL: [linux-yocto, linux-yocto-rt] TOOLCHAINS: [gcc, clang] TESTING: testimage + - DISTRO: poky-altcfg + TESTING: testimage - KERNEL: linux-yocto-dev TESTING: testimage diff --git a/meta-arm/ci/base.yml b/meta-arm/ci/base.yml index d1c933d027..7b550dbfa2 100644 --- a/meta-arm/ci/base.yml +++ b/meta-arm/ci/base.yml @@ -7,7 +7,7 @@ distro: poky defaults: repos: - branch: master + branch: styhead repos: meta-arm: diff --git a/meta-arm/ci/clang.yml b/meta-arm/ci/clang.yml index 9b2d194a3a..402292a6b8 100644 --- a/meta-arm/ci/clang.yml +++ b/meta-arm/ci/clang.yml @@ -10,12 +10,3 @@ repos: local_conf_header: toolchain: | TOOLCHAIN = "clang" - PREFERRED_PROVIDER_llvm = "clang" - PREFERRED_PROVIDER_llvm-native = "clang-native" - PREFERRED_PROVIDER_nativesdk-llvm = "nativesdk-clang" - PROVIDES:pn-clang = "llvm" - PROVIDES:pn-clang-native = "llvm-native" - PROVIDES:pn-nativesdk-clang = "nativesdk-llvm" - # This is needed to stop bitbake getting confused about what clang/llvm is - # being used, see https://github.com/kraj/meta-clang/pull/766 - BBMASK += "/meta/recipes-devtools/llvm/llvm.*\.bb" diff --git a/meta-arm/ci/edk2.yml b/meta-arm/ci/edk2.yml index d32e3645cd..cf2f5851b8 100644 --- a/meta-arm/ci/edk2.yml +++ b/meta-arm/ci/edk2.yml @@ -15,5 +15,3 @@ local_conf_header: QB_DEFAULT_BIOS = "QEMU_EFI.fd" WKS_FILE ?= "efi-disk.wks.in" - failing_tests: | - TEST_SUITES:remove = "xorg" diff --git a/meta-arm/ci/fvp-base.yml b/meta-arm/ci/fvp-base.yml index bbc6c44db3..5719ea8066 100644 --- a/meta-arm/ci/fvp-base.yml +++ b/meta-arm/ci/fvp-base.yml @@ -9,5 +9,5 @@ header: machine: fvp-base target: - - core-image-sato + - core-image-full-cmdline - boot-wrapper-aarch64 diff --git a/meta-arm/ci/fvp.yml b/meta-arm/ci/fvp.yml index 2bf1cef024..667bb64109 100644 --- a/meta-arm/ci/fvp.yml +++ b/meta-arm/ci/fvp.yml 
@@ -7,8 +7,3 @@ local_conf_header: testimagefvp: | LICENSE_FLAGS_ACCEPTED += "Arm-FVP-EULA" IMAGE_CLASSES += "fvpboot" - failing_tests: | - # This fails but we can't add to the ignorelist from meta-arm yet - # https://bugzilla.yoctoproject.org/show_bug.cgi?id=14604 - TEST_SUITES:remove = "parselogs" - TEST_SUITES:remove = "xorg" diff --git a/meta-arm/ci/get-binary-toolchains b/meta-arm/ci/get-binary-toolchains index 429cd1c5c0..793c689040 100755 --- a/meta-arm/ci/get-binary-toolchains +++ b/meta-arm/ci/get-binary-toolchains @@ -2,7 +2,7 @@ set -u -e BASENAME=arm-gnu-toolchain -VER=${VER:-13.2.Rel1} +VER=${VER:-13.3.rel1} HOST_ARCH=${HOST_ARCH:-$(uname -m)} # Use the standard kas container locations if nothing is passed into the script diff --git a/meta-arm/ci/junit.sh b/meta-arm/ci/junit.sh new file mode 100755 index 0000000000..6262c34b11 --- /dev/null +++ b/meta-arm/ci/junit.sh @@ -0,0 +1,15 @@ +#! /bin/bash + +# $ ci/junit.sh <build directory> +# +# If there is a OEQA test report in JSON format present in the build directory, +# transform it to JUnit XML using resulttool. + +set -e -u + +BUILDDIR=$1 +JSON=$BUILDDIR/tmp/log/oeqa/testresults.json + +if test -f $JSON; then + resulttool junit $JSON +fi diff --git a/meta-arm/ci/poky-altcfg.yml b/meta-arm/ci/poky-altcfg.yml new file mode 100644 index 0000000000..86711d4d23 --- /dev/null +++ b/meta-arm/ci/poky-altcfg.yml @@ -0,0 +1,4 @@ +header: + version: 14 + +distro: poky-altcfg diff --git a/meta-arm/ci/qemuarm64-secureboot-ts.yml b/meta-arm/ci/qemuarm64-secureboot-ts.yml index adf1f2f840..87f0fa9ed8 100644 --- a/meta-arm/ci/qemuarm64-secureboot-ts.yml +++ b/meta-arm/ci/qemuarm64-secureboot-ts.yml 
@@ -8,8 +8,9 @@ header: local_conf_header: trusted_services: | TEST_SUITES:append = " trusted_services" - # Include TS Crypto, TS Protected Storage, TS Internal Trusted Storage and SMM-Gateway SPs into optee-os image - MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its ts-smm-gateway" + # Include TS Crypto, TS Protected Storage, and TS Internal Trusted Storage and SPs into optee-os image + # FIXME - remove TS SMM Gateway due to QEMU v9.0.0 test failures + MACHINE_FEATURES:append = " arm-ffa ts-crypto ts-storage ts-its" # Include TS demo/test tools into image IMAGE_INSTALL:append = " packagegroup-ts-tests" # Include TS PSA Arch tests into image diff --git a/meta-arm/ci/secure-debug.yml b/meta-arm/ci/secure-debug.yml new file mode 100644 index 0000000000..33cf00a3c2 --- /dev/null +++ b/meta-arm/ci/secure-debug.yml @@ -0,0 +1,8 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json + +header: + version: 14 + +local_conf_header: + secure-debug: | + MACHINE_FEATURES += "secure-debug" diff --git a/meta-arm/ci/uefi-secureboot.yml b/meta-arm/ci/uefi-secureboot.yml new file mode 100644 index 0000000000..f647f4b1f6 --- /dev/null +++ b/meta-arm/ci/uefi-secureboot.yml 
@@ -0,0 +1,37 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json + +# UEFI Secure Boot: A mechanism to ensure that only trusted software is executed +# during the boot process. + +header: + version: 14 + includes: + - ci/meta-openembedded.yml + - ci/meta-secure-core.yml + +local_conf_header: + uefi_secureboot: | + SBSIGN_KEYS_DIR = "${TOPDIR}/sbkeys" + BB_ENV_PASSTHROUGH_ADDITIONS = "SBSIGN_KEYS_DIR" + + # Detected by passing kernel parameter + QB_KERNEL_ROOT = "" + + # kernel is in the image, should not be loaded separately + QB_DEFAULT_KERNEL = "none" + + WKS_FILE = "efi-disk.wks.in" + KERNEL_IMAGETYPE = "Image" + + MACHINE_FEATURES:append = " efi uefi-secureboot" + + EFI_PROVIDER = "systemd-boot" + + # Use systemd as the init system + INIT_MANAGER = "systemd" + DISTRO_FEATURES:append = " systemd" + DISTRO_FEATURES_NATIVE:append = " systemd" + + IMAGE_INSTALL:append = " systemd systemd-boot util-linux coreutils" + + TEST_SUITES:append = " uefi_secureboot"
\ No newline at end of file diff --git a/meta-arm/kas/arm-systemready-linux-distros-fedora.yml b/meta-arm/kas/arm-systemready-linux-distros-fedora.yml index b2b23d7853..2faa19cbaa 100644 --- a/meta-arm/kas/arm-systemready-linux-distros-fedora.yml +++ b/meta-arm/kas/arm-systemready-linux-distros-fedora.yml @@ -2,6 +2,7 @@ header: version: 16 includes: - kas/arm-systemready-firmware.yml + - kas/arm-systemready-linux-distros-unattended-installation.yml target: - arm-systemready-linux-distros-fedora diff --git a/meta-arm/kas/arm-systemready-linux-distros-opensuse.yml b/meta-arm/kas/arm-systemready-linux-distros-opensuse.yml index cffbdb9251..d2d75fa225 100644 --- a/meta-arm/kas/arm-systemready-linux-distros-opensuse.yml +++ b/meta-arm/kas/arm-systemready-linux-distros-opensuse.yml @@ -2,6 +2,7 @@ header: version: 13 includes: - kas/arm-systemready-firmware.yml + - kas/arm-systemready-linux-distros-unattended-installation.yml target: - arm-systemready-linux-distros-opensuse diff --git a/meta-arm/kas/arm-systemready-linux-distros-unattended-installation.yml b/meta-arm/kas/arm-systemready-linux-distros-unattended-installation.yml new file mode 100644 index 0000000000..7976186f13 --- /dev/null +++ b/meta-arm/kas/arm-systemready-linux-distros-unattended-installation.yml @@ -0,0 +1,11 @@ +header: + version: 16 + +env: + DISTRO_UNATTENDED_INST_TESTS: + # The full testimage run typically takes around 12-24h on fvp-base. + TEST_OVERALL_TIMEOUT: "${@ 24*60*60}" + +local_conf_header: + systemready-unattended-inst: | + TESTIMAGE_AUTO = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "1", "", d)}" diff --git a/meta-arm/kas/corstone1000-base.yml b/meta-arm/kas/corstone1000-base.yml index a8b986030b..11436d8d0a 100644 --- a/meta-arm/kas/corstone1000-base.yml +++ b/meta-arm/kas/corstone1000-base.yml @@ -5,7 +5,7 @@ distro: poky defaults: repos: - branch: master + branch: styhead repos: meta-arm: 
@@ -16,14 +16,14 @@ repos: poky: url: https://git.yoctoproject.org/git/poky - # commit: 2e9c2a2381105f1306bcbcb54816cbc5d8110eff + commit: 5465094be9a61a1639e1dab6d2b4ebea2bee7440 layers: meta: meta-poky: meta-openembedded: url: https://git.openembedded.org/meta-openembedded - # commit: 1750c66ae8e4268c472c0b2b94748a59d6ef866d + commit: 461d85a1831318747af5abe86da193bcde3fd9b4 layers: meta-oe: meta-python: @@ -31,7 +31,7 @@ repos: meta-secure-core: url: https://github.com/wind-river/meta-secure-core.git - # commit: e29165a1031dcf601edbed1733cedd64826672a5 + commit: 59d7e90542947c342098863b9998693ac79352b0 layers: meta-secure-core-common: meta-signing-key: diff --git a/meta-arm/kas/corstone1000-extsys.yml b/meta-arm/kas/corstone1000-extsys.yml new file mode 100644 index 0000000000..0534b09c30 --- /dev/null +++ b/meta-arm/kas/corstone1000-extsys.yml @@ -0,0 +1,6 @@ +header: + version: 14 + +local_conf_header: + extsys: | + MACHINE_FEATURES += "corstone1000-extsys" diff --git a/meta-arm/meta-arm-bsp/conf/layer.conf b/meta-arm/meta-arm-bsp/conf/layer.conf index 1a45840083..4f648ac885 100644 --- a/meta-arm/meta-arm-bsp/conf/layer.conf +++ b/meta-arm/meta-arm-bsp/conf/layer.conf @@ -9,7 +9,7 @@ BBFILE_COLLECTIONS += "meta-arm-bsp" BBFILE_PATTERN_meta-arm-bsp = "^${LAYERDIR}/" BBFILE_PRIORITY_meta-arm-bsp = "5" -LAYERSERIES_COMPAT_meta-arm-bsp = "nanbield scarthgap" +LAYERSERIES_COMPAT_meta-arm-bsp = "styhead" LAYERDEPENDS_meta-arm-bsp = "core meta-arm" # This won't be used by layerindex-fetch, but works everywhere else diff --git a/meta-arm/meta-arm-bsp/conf/machine/corstone1000-fvp.conf b/meta-arm/meta-arm-bsp/conf/machine/corstone1000-fvp.conf index 2c724bfeb2..a605a695b1 100644 --- a/meta-arm/meta-arm-bsp/conf/machine/corstone1000-fvp.conf +++ b/meta-arm/meta-arm-bsp/conf/machine/corstone1000-fvp.conf 
@@ -9,7 +9,8 @@ TFM_PLATFORM_IS_FVP = "TRUE" # testimage config TEST_TARGET = "OEFVPTarget" -TEST_SUITES = "fvp_boot" +TEST_TARGET_IP = "127.0.0.1:2222" +DEFAULT_TEST_SUITES:append = " fvp_boot fvp_devices" # FVP Config FVP_PROVIDER ?= "fvp-corstone1000-native" diff --git a/meta-arm/meta-arm-bsp/conf/machine/fvp-base.conf b/meta-arm/meta-arm-bsp/conf/machine/fvp-base.conf index 24d03e7124..03896a3471 100644 --- a/meta-arm/meta-arm-bsp/conf/machine/fvp-base.conf +++ b/meta-arm/meta-arm-bsp/conf/machine/fvp-base.conf @@ -9,18 +9,20 @@ require conf/machine/include/arm/arch-armv8-4a.inc ARM_SYSTEMREADY_FIRMWARE = "trusted-firmware-a:do_deploy" ARM_SYSTEMREADY_ACS_CONSOLE = "default" EXTRA_IMAGEDEPENDS = "${ARM_SYSTEMREADY_FIRMWARE}" -PREFERRED_VERSION_trusted-firmware-a ?= "2.10.%" -MACHINE_FEATURES = "efi" +MACHINE_FEATURES = "efi vfat" IMAGE_NAME_SUFFIX = "" IMAGE_FSTYPES += "wic" WKS_FILE ?= "efi-disk.wks.in" SERIAL_CONSOLES = "115200;ttyAMA0" +# FIXME - This is being upstreamed. Remove once that has occurred. +KERNEL_CONSOLE ?= "${@','.join(d.getVar('SERIAL_CONSOLES').split(' ')[0].split(';')[::-1]) or 'ttyS0'}" PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto" -KERNEL_DEVICETREE = "arm/fvp-base-revc.dtb" +KERNEL_DTB_NAME = "fvp-base-revc.dtb" +KERNEL_DEVICETREE = "arm/${KERNEL_DTB_NAME}" KERNEL_IMAGETYPE = "Image" EXTRA_IMAGEDEPENDS += "trusted-firmware-a" @@ -28,7 +30,7 @@ EXTRA_IMAGEDEPENDS += "trusted-firmware-a" # FVP u-boot configuration UBOOT_MACHINE = "vexpress_fvp_defconfig" -EFI_PROVIDER ?= "grub-efi" +EFI_PROVIDER ?= "${@bb.utils.contains("DISTRO_FEATURES", "systemd", "systemd-boot", "grub-efi", d)}" # As this is a virtual target that will not be used in the real world there is # no need for real SSH keys. diff --git a/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc b/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc index c78cc061bc..d65906362d 100644 --- a/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc 
+++ b/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc @@ -3,18 +3,18 @@ require conf/machine/include/arm/armv8a/tune-cortexa35.inc MACHINEOVERRIDES =. "corstone1000:" # TF-M -PREFERRED_VERSION_trusted-firmware-m ?= "2.0.%" +PREFERRED_VERSION_trusted-firmware-m ?= "2.1.%" # TF-A TFA_PLATFORM = "corstone1000" -PREFERRED_VERSION_trusted-firmware-a ?= "2.10.%" +PREFERRED_VERSION_trusted-firmware-a ?= "2.11.%" PREFERRED_VERSION_tf-a-tests ?= "2.10.%" TFA_BL2_BINARY = "bl2-corstone1000.bin" TFA_FIP_BINARY = "fip-corstone1000.bin" # optee -PREFERRED_VERSION_optee-os ?= "4.1.%" +PREFERRED_VERSION_optee-os ?= "4.2.%" # Trusted Services TS_PLATFORM = "arm/corstone1000" @@ -34,7 +34,7 @@ IMAGE_CMD:wic[vardeps] += "GRUB_LINUX_APPEND" # Linux kernel PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto" -PREFERRED_VERSION_linux-yocto ?= "6.6.%" +PREFERRED_VERSION_linux-yocto ?= "6.10.%" KERNEL_IMAGETYPE = "Image" KERNEL_IMAGETYPE:firmware = "Image.gz" # add FF-A support in the kernel diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/change-log.rst b/meta-arm/meta-arm-bsp/documentation/corstone1000/change-log.rst index f22a99c2c0..a98de3f960 100644 --- a/meta-arm/meta-arm-bsp/documentation/corstone1000/change-log.rst +++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/change-log.rst 
@@ -12,6 +12,69 @@ fixes in each release of Corstone-1000 software stack. *************** +Version 2024.11 +*************** + +Changes +======= + +- Implementation of a replication strategy for FWU metadata in TF-M according to the FWU specification. +- Upgrade to metadata version 2 in TF-M. +- Increase the ITS and PS memory size in Secure Flash for TF-M. +- SW components upgrades. +- Bug fixes. + +Corstone-1000 components versions +================================= + ++-------------------------------------------+-----------------------------------------------------+ +| linux-yocto | 6.10.14 | ++-------------------------------------------+-----------------------------------------------------+ +| u-boot | 2023.07.02 | ++-------------------------------------------+-----------------------------------------------------+ +| external-system | 0.1.0 | ++-------------------------------------------+-----------------------------------------------------+ +| optee-client | 4.2.0 | ++-------------------------------------------+-----------------------------------------------------+ +| optee-os | 4.2.0 | ++-------------------------------------------+-----------------------------------------------------+ +| trusted-firmware-a | 2.11.0 | ++-------------------------------------------+-----------------------------------------------------+ +| trusted-firmware-m | 2.1.0 | ++-------------------------------------------+-----------------------------------------------------+ +| libts | 602be60719 | ++-------------------------------------------+-----------------------------------------------------+ +| ts-newlib | 4.1.0 | ++-------------------------------------------+-----------------------------------------------------+ +| ts-psa-{crypto, iat, its. 
ps}-api-test | 74dc6646ff | ++-------------------------------------------+-----------------------------------------------------+ +| ts-sp-{se-proxy, smm-gateway} | 602be60719 | ++-------------------------------------------+-----------------------------------------------------+ + +Yocto distribution components versions +====================================== + ++-------------------------------------------+------------------------------+ +| meta-arm | styhead | ++-------------------------------------------+------------------------------+ +| poky | 5465094be9 | ++-------------------------------------------+------------------------------+ +| meta-openembedded | 461d85a183 | ++-------------------------------------------+------------------------------+ +| meta-secure-core | 59d7e90542 | ++-------------------------------------------+------------------------------+ +| busybox | 1.36.1 | ++-------------------------------------------+------------------------------+ +| musl | 1.2.5 | ++-------------------------------------------+------------------------------+ +| gcc-arm-none-eabi | 13.3.rel1 | ++-------------------------------------------+------------------------------+ +| gcc-cross-aarch64 | 14.2.0 | ++-------------------------------------------+------------------------------+ +| openssl | 3.3.1 | ++-------------------------------------------+------------------------------+ + +*************** Version 2024.06 *************** diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/conf.py b/meta-arm/meta-arm-bsp/documentation/corstone1000/conf.py index e9cab63359..d8b558fa24 100644 --- a/meta-arm/meta-arm-bsp/documentation/corstone1000/conf.py +++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/conf.py 
@@ -10,15 +10,19 @@ # add these directories to sys.path here. If the directory is relative to the # documentation root, use os.path.abspath to make it absolute, like shown here. # -# import os -# import sys # sys.path.insert(0, os.path.abspath('.')) +import os +import sys + +# Append the documentation directory to the path, so we can import variables +sys.path.append(os.path.dirname(__file__)) + # -- Project information ----------------------------------------------------- project = 'corstone1000' -copyright = '2020-2022, Arm Limited' +copyright = '2020-2024, Arm Limited' author = 'Arm Limited' @@ -28,6 +32,7 @@ author = 'Arm Limited' # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom # ones. extensions = [ + 'sphinx_rtd_theme', ] # Add any paths that contain templates here, relative to this directory. @@ -46,6 +51,16 @@ exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store', 'docs/infra'] # html_theme = 'sphinx_rtd_theme' +# Define the canonical URL if you are using a custom domain on Read the Docs +html_baseurl = os.environ.get("READTHEDOCS_CANONICAL_URL", "") + +# Tell Jinja2 templates the build is running on Read the Docs +if os.environ.get("READTHEDOCS", "") == "True": + if "html_context" not in globals(): + html_context = {} + html_context["READTHEDOCS"] = True + + # Add any paths that contain custom static files (such as style sheets) here, # relative to this directory. They are copied after the builtin static files, # so a file named "default.css" will overwrite the builtin "default.css". diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/ExternalFlash.png b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/ExternalFlash.png Binary files differindex 578f038996..46519df9c0 100644 --- a/meta-arm/meta-arm-bsp/documentation/corstone1000/images/ExternalFlash.png +++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/images/ExternalFlash.png 
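Review bot: in the first conf.py hunk the commented-out `# sys.path.insert(0, os.path.abspath('.'))` line is left in place next to the newly uncommented `import os` / `import sys`, so the file now carries both a dead path tweak and a live `sys.path.append(os.path.dirname(__file__))`; drop the stale comment. The new comment says the path is extended "so we can import variables", but no such import appears in these hunks. Either add the import in this change or name the module that is expected to be picked up, because every Python file placed in the documentation directory becomes importable during the Sphinx build once this line is in.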
diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/release-notes.rst b/meta-arm/meta-arm-bsp/documentation/corstone1000/release-notes.rst index 0cad02666e..bd85fae027 100644 --- a/meta-arm/meta-arm-bsp/documentation/corstone1000/release-notes.rst +++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/release-notes.rst @@ -20,6 +20,12 @@ prove defective, you assume the entire cost of all necessary servicing, repair or correction. *********************** +Release notes - 2024.11 +*********************** + +The same notes as the 2024.06 release still apply. + +*********************** Release notes - 2024.06 *********************** diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst b/meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst index 42278e387b..a4e0a4249a 100644 --- a/meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst +++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/software-architecture.rst @@ -4,7 +4,7 @@ # SPDX-License-Identifier: MIT ###################### -Software architecture +Software Architecture ###################### @@ -20,7 +20,7 @@ Corstone-1000 software plus hardware reference solution is PSA Level-2 ready certified (`PSA L2 Ready`_) as well as System Ready IR certified(`SRIR cert`_). More information on the Corstone-1000 subsystem product and design can be found at: -`Arm corstone1000 Software`_ and `Arm corstone1000 Technical Overview`_. +`Arm Corstone-1000 Software`_ and `Arm Corstone-1000 Technical Overview`_. This readme explicitly focuses on the software part of the solution and provides internal details on the software components. The reference 
@@ -57,7 +57,7 @@ TrustedFirmware-M(`TF-M`_) as runtime software. The software design on Secure Enclave follows Firmware Framework for M class processor (`FF-M`_) specification. -The Host System is based on ARM Cotex-A35 processor with standardized +The Host System is based on ARM Cortex-A35 processor with standardized peripherals to allow for the booting of a Linux OS. The Cortex-A35 has the TrustZone technology that allows secure and non-secure security states in the processor. The software design in the Host System follows @@ -213,15 +213,18 @@ Image (the initramfs bundle). The new images are accepted in the form of a UEFI When Firmware update is triggered, U-Boot verifies the capsule by checking the capsule signature, version number and size. Then it signals the Secure Enclave -that can start writing UEFI capsule into the flash. Once this operation finishes -,Secure Enclave resets the entire system. +that can start writing UEFI capsule into the flash. + +Once this operation finishes, Secure Enclave resets the entire system. The Metadata Block in the flash has the below firmware update state machine. TF-M runs an OTA service that is responsible for accepting and updating the images in the flash. The communication between the UEFI Capsule update subsystem and the OTA service follows the same data path explained above. The OTA service writes the new images to the passive bank after successful capsule verification. It changes the state of the system to trial state and -triggers the reset. Boot loaders in Secure Enclave and Host read the Metadata +triggers the reset. + +Boot loaders in Secure Enclave and Host read the Metadata block to get the information on the boot bank. In the successful trial stage, the acknowledgment from the host moves the state of the system from trial to regular. Any failure in the trial stage or system hangs leads to a system 
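Review bot: in the `@@ -213,15 +213,18 @@` hunk the re-wrapped line `+that can start writing UEFI capsule into the flash.` keeps a broken sentence ("signals the Secure Enclave that can start writing"); since the line is being touched anyway, reword it to "signals the Secure Enclave that it can start writing the UEFI capsule into the flash". The new blank line also makes "Once this operation finishes, Secure Enclave resets the entire system." the opening sentence of the paragraph about the Metadata Block state machine, where it reads as unrelated; it belongs at the end of the capsule-verification paragraph above it.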
@@ -258,17 +261,17 @@ calls are forwarded to the Secure Enclave as explained above. *************** References *************** -`ARM corstone1000 Search`_ +`ARM Corstone-1000 Search`_ `Arm security features`_ -------------- -*Copyright (c) 2022-2023, Arm Limited. All rights reserved.* +*Copyright (c) 2022-2024, Arm Limited. All rights reserved.* -.. _Arm corstone1000 Technical Overview: https://developer.arm.com/documentation/102360/0000 -.. _Arm corstone1000 Software: https://developer.arm.com/Tools%20and%20Software/Corstone-1000%20Software -.. _Arm corstone1000 Search: https://developer.arm.com/search#q=corstone-1000 +.. _Arm Corstone-1000 Technical Overview: https://developer.arm.com/documentation/102360/0000 +.. _Arm Corstone-1000 Software: https://developer.arm.com/Tools%20and%20Software/Corstone-1000%20Software +.. _Arm Corstone-1000 Search: https://developer.arm.com/search#q=corstone-1000 .. _Arm security features: https://www.arm.com/architecture/security-features/platform-security .. _linux repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ .. _FF-A: https://developer.arm.com/documentation/den0077/latest diff --git a/meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst b/meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst index 5dc956428b..0c7b2fd1f1 100644 --- a/meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst +++ b/meta-arm/meta-arm-bsp/documentation/corstone1000/user-guide.rst 
@@ -3,31 +3,32 @@ # # SPDX-License-Identifier: MIT -##################################### -User Guide: Build & run the software -##################################### +#################### +Build, Flash and Run +#################### Notice ------ The Corstone-1000 software stack uses the `Yocto Project <https://www.yoctoproject.org/>`__ to build a tiny Linux distribution suitable for the Corstone-1000 platform (kernel and initramfs filesystem less than 5 MB on the flash). -The Yocto Project relies on the `Bitbake <https://docs.yoctoproject.org/bitbake.html#bitbake-documentation>`__ +The Yocto Project relies on the `BitBake <https://docs.yoctoproject.org/bitbake.html#bitbake-documentation>`__ tool as its build tool. Please see `Yocto Project documentation <https://docs.yoctoproject.org/>`__ for more information. Prerequisites ------------- -This guide assumes that your host machine is running Ubuntu 20.04 LTS, with at least +This guide assumes that your host machine is running Ubuntu 20.04 LTS ( with ``sudo`` rights), with at least 32GB of free disk space and 16GB of RAM as minimum requirement. The following prerequisites must be available on the host system: -- Git 1.8.3.1 or greater -- tar 1.28 or greater +- Git 1.8.3.1 or greater. - Python 3.8.0 or greater. -- gcc 8.0 or greater. -- GNU make 4.0 or greater +- GNU Tar 1.28 or greater. +- GNU Compiler Collection 8.0 or greater. +- GNU Make 4.0 or greater. +- tmux. Please follow the steps described in the Yocto mega manual: 
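Review bot: the Prerequisites line now reads "Ubuntu 20.04 LTS ( with ``sudo`` rights)", with a stray space after the opening parenthesis, and it turns root access into a blanket requirement without saying which step needs it. Name the steps that actually require `sudo` so readers can keep the rest of the build unprivileged, and say what `tmux` is used for, since it is added to the list with no explanation.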
@@ -36,465 +37,611 @@ Please follow the steps described in the Yocto mega manual: Targets ------- +The Corstone-1000 software stack can be run on: - `Arm Corstone-1000 Ecosystem FVP (Fixed Virtual Platform) <https://developer.arm.com/downloads/-/arm-ecosystem-fvps>`__ - `Arm Corstone-1000 for MPS3 <https://developer.arm.com/documentation/dai0550/latest/>`__ -Yocto stable branch + .. important:: + + Arm Corstone-1000 for MPS3 requires an additional 32 MB QSPI flash PMOD module. For more information see the `Application Note AN550 document <https://developer.arm.com/documentation/dai0550/latest/>`__. + + +Yocto Stable Branch ------------------- -Corstone-1000 software stack is built on top of Yocto scarthgap. +Corstone-1000 software stack is built on top of Yocto styhead release. -Provided components +Software Components ------------------- Within the Yocto Project, each component included in the Corstone-1000 software stack is specified as -a `bitbake recipe <https://docs.yoctoproject.org/bitbake/2.2/bitbake-user-manual/bitbake-user-manual-intro.html#recipes>`__. +a `BitBake recipe <https://docs.yoctoproject.org/bitbake/2.2/bitbake-user-manual/bitbake-user-manual-intro.html#recipes>`__. The recipes specific to the Corstone-1000 BSP are located at: -``<_workspace>/meta-arm/meta-arm-bsp/``. +``$WORKSPACE/meta-arm/meta-arm-bsp/``. -The Yocto machine config files for the Corstone-1000 FVP and FPGA targets are: +.. important:: - - ``<_workspace>/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc`` - - ``<_workspace>/meta-arm/meta-arm-bsp/conf/machine/corstone1000-fvp.conf`` - - ``<_workspace>/meta-arm/meta-arm-bsp/conf/machine/corstone1000-mps3.conf`` + ``$WORKSPACE`` refers to the absolute path to your workspace where the `meta-arm` repository will be cloned. -**NOTE:** All the paths stated in this document are absolute paths. + ``$TARGET`` is either ``mps3`` or ``fvp``. 
-***************** -Software for Host -***************** +The Yocto machine config files for the Corstone-1000 FVP and MPS3 targets are: -Trusted Firmware-A -================== -Based on `Trusted Firmware-A <https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git>`__ + - ``$WORKSPACE/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc`` + - ``$WORKSPACE/meta-arm/meta-arm-bsp/conf/machine/corstone1000-$TARGET.conf`` -+----------+-------------------------------------------------------------------------------------------------+ -| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend | -+----------+-------------------------------------------------------------------------------------------------+ -| Recipe | <_workspace>/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.4.bb | -+----------+-------------------------------------------------------------------------------------------------+ +.. note:: -OP-TEE -====== -Based on `OP-TEE <https://git.trustedfirmware.org/OP-TEE/optee_os.git>`__ + All the paths stated in this document are absolute paths. 
+ +************************* +Host Processor Components +************************* + +`Trusted Firmware-A <https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git>`__ +==================================================================================== + ++----------+-----------------------------------------------------------------------------------------------------+ +| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend`` | ++----------+-----------------------------------------------------------------------------------------------------+ +| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.11.0.bb`` | ++----------+-----------------------------------------------------------------------------------------------------+ + +`Trusted Services <https://trusted-services.readthedocs.io/en/latest/index.html>`__ +==================================================================================== + ++----------+-----------------------------------------------------------------------------------------------------------+ +| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/libts_%.bbappend`` | ++----------+-----------------------------------------------------------------------------------------------------------+ +| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-psa-crypto-api-test_%.bbappend`` | ++----------+-----------------------------------------------------------------------------------------------------------+ +| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-psa-iat-api-test_%.bbappend`` | ++----------+-----------------------------------------------------------------------------------------------------------+ +| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-psa-its-api-test_%.bbappend`` | 
++----------+-----------------------------------------------------------------------------------------------------------+ +| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-psa-ps-api-test_%.bbappend`` | ++----------+-----------------------------------------------------------------------------------------------------------+ +| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-se-proxy_%.bbappend`` | ++----------+-----------------------------------------------------------------------------------------------------------+ +| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend`` | ++----------+-----------------------------------------------------------------------------------------------------------+ +| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/libts_git.bb`` | ++----------+-----------------------------------------------------------------------------------------------------------+ +| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-crypto-api-test_git.bb`` | ++----------+-----------------------------------------------------------------------------------------------------------+ +| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb`` | ++----------+-----------------------------------------------------------------------------------------------------------+ +| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-its-api-test_git.bb`` | ++----------+-----------------------------------------------------------------------------------------------------------+ +| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-ps-api-test_git.bb`` | ++----------+-----------------------------------------------------------------------------------------------------------+ +| Recipe | 
``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway.bb`` | ++----------+-----------------------------------------------------------------------------------------------------------+ +| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy.bb`` | ++----------+-----------------------------------------------------------------------------------------------------------+ + +`OP-TEE <https://git.trustedfirmware.org/OP-TEE/optee_os.git>`__ +================================================================ +----------+----------------------------------------------------------------------------------------+ -| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.%.bbappend | +| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.%.bbappend`` | +----------+----------------------------------------------------------------------------------------+ -| Recipe |<_workspace>/meta-arm/meta-arm/recipes-security/optee/optee-os_4.1.0.bb | +| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/optee/optee-os_4.2.0.bb`` | +----------+----------------------------------------------------------------------------------------+ -U-Boot -====== -Based on `U-Boot repo`_ +`U-Boot <https://github.com/u-boot/u-boot.git>`__ +================================================= -+----------+----------------------------------------------------------------------------+ -| bbappend | <_workspace>/meta-arm/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend | -+----------+----------------------------------------------------------------------------+ -| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend | -+----------+----------------------------------------------------------------------------+ -| Recipe | <_workspace>/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_2023.07.02.bb | 
-+----------+----------------------------------------------------------------------------+ ++----------+--------------------------------------------------------------------------------+ +| bbappend | ``$WORKSPACE/meta-arm/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend`` | ++----------+--------------------------------------------------------------------------------+ +| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend`` | ++----------+--------------------------------------------------------------------------------+ +| Recipe | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_2023.07.02.bb`` | ++----------+--------------------------------------------------------------------------------+ Linux ===== -The distro is based on the `poky-tiny <https://wiki.yoctoproject.org/wiki/Poky-Tiny>`__ +The distribution is based on the `Poky <https://docs.yoctoproject.org/ref-manual/terms.html#term-Poky>`__ distribution which is a Linux distribution stripped down to a minimal configuration. -The provided distribution is based on busybox and built using musl libc. The -recipe responsible for building a tiny version of Linux is listed below. +The provided distribution is based on `BusyBox <https://www.busybox.net/>`__ and built using `musl libc <https://musl.libc.org/>`__. 
+-----------+----------------------------------------------------------------------------------------------+ -| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-yocto_%.bbappend | +| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-yocto_%.bbappend`` | +-----------+----------------------------------------------------------------------------------------------+ -| Recipe | <_workspace>/poky/meta/recipes-kernel/linux/linux-yocto_6.6.bb | +| Recipe | ``$WORKSPACE/poky/meta/recipes-kernel/linux/linux-yocto_6.10.bb`` | +-----------+----------------------------------------------------------------------------------------------+ -| defconfig | <_workspace>/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/defconfig | +| defconfig | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/defconfig`` | +-----------+----------------------------------------------------------------------------------------------+ -************************************************** -Software for Boot Processor (a.k.a Secure Enclave) -************************************************** -Based on `Trusted Firmware-M <https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git>`__ +************************* +Secure Enclave Components +************************* + +`Trusted Firmware-M <https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git>`__ +==================================================================================== +----------+-----------------------------------------------------------------------------------------------------+ -| bbappend | <_workspace>/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m_%.bbappend | +| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m_%.bbappend`` | +----------+-----------------------------------------------------------------------------------------------------+ -| Recipe | 
<_workspace>/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_2.0.0.bb | +| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_2.1.0.bb`` | +----------+-----------------------------------------------------------------------------------------------------+ -******************************** -Software for the External System -******************************** +************************************ +External System Processor Components +************************************ -RTX -==== -Based on `RTX RTOS <https://git.gitlab.arm.com/arm-reference-solutions/corstone1000/external_system/rtx>`__ +RTX Real-Time operating system +============================== + +An example application that uses the `RTX Real-Time Operating System <https://developer.arm.com/Tools%20and%20Software/Keil%20MDK/RTX5%20RTOS>`__. + +The application project can be found `here <https://git.gitlab.arm.com/arm-reference-solutions/corstone1000/external_system/rtx>`__. + ++----------+--------------------------------------------------------------------------------------------+ +| Recipe | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-bsp/external-system/external-system_0.1.0.bb`` | ++----------+--------------------------------------------------------------------------------------------+ + +.. _building-the-software-stack: + +Build +----- -+----------+-------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Recipe | <_workspace>/meta-arm/meta-arm-bsp/recipes-bsp/external-system/external-system_0.1.0.bb | -+----------+-------------------------------------------------------------------------------------------------------------------------------------------------------+ +.. 
warning:: -Building the software stack ---------------------------- -Create a new folder that will be your workspace and will henceforth be referred -to as ``<_workspace>`` in these instructions. To create the folder, run: + Building binaries natively on Windows and AArch64 Linux is not supported. + + Use an AMD64 Linux based development machine to build the software stack and transfer the binaries to run the software stack on an FVP in Windows or AArch64 Linux + if required. -:: - mkdir <_workspace> - cd <_workspace> +#. Create a new folder that will be your workspace. -Corstone-1000 software is based on the Yocto Project which uses kas and bitbake -commands to build the stack. kas version 4 is required. To install kas, run: + .. code-block:: console -:: + mkdir $WORKSPACE + cd $WORKSPACE - pip3 install kas +#. Install kas version 4.4 with ``sudo`` rights. -If 'kas' command is not found in command-line, please make sure the user installation directories are visible on $PATH. If you have sudo rights, try 'sudo pip3 install kas'. + .. code-block:: console -In the top directory of the workspace ``<_workspace>``, run: + sudo pip3 install kas==4.4 -:: + Ensure the kas installation directory is visible on the ``$PATH`` environment variable. - git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2024.06 +#. Clone the `meta-arm` Yocto layer in the workspace ``$WORKSPACE``. -To build a Corstone-1000 image for MPS3 FPGA, run: + .. code-block:: console -:: + cd $WORKSPACE + git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2024.11 - kas build meta-arm/kas/corstone1000-mps3.yml:meta-arm/ci/debug.yml +#. Build a Corstone-1000 image: -Alternatively, to build a Corstone-1000 image for FVP, you need to accept -the EULA at https://developer.arm.com/downloads/-/arm-ecosystem-fvps/eula -by setting the ARM_FVP_EULA_ACCEPT environment variable as follows: + .. 
code-block:: console -:: + kas build meta-arm/kas/corstone1000-$TARGET.yml:meta-arm/ci/debug.yml - export ARM_FVP_EULA_ACCEPT="True" + .. important:: -then run: + Accept the EULA at https://developer.arm.com/downloads/-/arm-ecosystem-fvps/eula + to build a Corstone-1000 image for FVP as follows: -:: + .. code-block:: console - kas build meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml + export ARM_FVP_EULA_ACCEPT="True" -The initial clean build will be lengthy, given that all host utilities are to -be built as well as the target images. This includes host executables (python, -cmake, etc.) and the required toolchain(s). -Once the build is successful, all output binaries will be placed in the following folders: - - ``<_workspace>/build/tmp/deploy/images/corstone1000-fvp/`` folder for FVP build; - - ``<_workspace>/build/tmp/deploy/images/corstone1000-mps3/`` folder for FPGA build. + .. warning:: + + Access to the External System Processor is disabled by default. + To build the Corstone-1000 image with External System Processor enabled, run: + + .. code-block:: console + + kas build meta-arm/kas/corstone1000-$TARGET.yml:meta-arm/ci/debug.yml:meta-arm/kas/corstone1000-extsys.yml + +A clean build takes a significant amount of time given that all of the development machine utilities are also +built along with the target images. Those development machine utilities include executables (Python, +CMake, etc.) and the required toolchains. + + +Once the build succeeds, all output binaries will be placed in ``$WORKSPACE/build/tmp/deploy/images/corstone1000-$TARGET/`` Everything apart from the Secure Enclave ROM firmware and External System firmware, is bundled into a single binary, the -``corstone1000-flash-firmware-image-corstone1000-{mps3,fvp}.wic`` file. +``corstone1000-flash-firmware-image-corstone1000-$TARGET.wic`` file. 
The output binaries run in the Corstone-1000 platform are the following: - - The Secure Enclave ROM firmware: ``<_workspace>/build/tmp/deploy/images/corstone1000-{mps3,fvp}/bl1.bin`` - - The External System firmware: ``<_workspace>/build/tmp/deploy/images/corstone1000-{mps3,fvp}/es_flashfw.bin`` - - The flash image: ``<_workspace>/build/tmp/deploy/images/corstone1000-{mps3,fvp}/corstone1000-flash-firmware-image-corstone1000-{mps3,fvp}.wic`` - -Flash the firmware image on FPGA --------------------------------- - -The user should download the FPGA bit file image ``AN550: Arm® Corstone™-1000 for MPS3 Version 2.0`` -from `this link <https://developer.arm.com/tools-and-software/development-boards/fpga-prototyping-boards/download-fpga-images>`__ -and under the section ``Arm® Corstone™-1000 for MPS3``. The download is available after logging in. - -The directory structure of the FPGA bundle is shown below. - -:: - - Boardfiles - ├── config.txt - ├── MB - │ ├── BRD_LOG.TXT - │ ├── HBI0309B - │ │ ├── AN550 - │ │ │ ├── AN550_v2.bit - │ │ │ ├── an550_v2.txt - │ │ │ └── images.txt - │ │ ├── board.txt - │ │ └── mbb_v210.ebf - │ └── HBI0309C - │ ├── AN550 - │ │ ├── AN550_v2.bit - │ │ ├── an550_v2.txt - │ │ └── images.txt - │ ├── board.txt - │ └── mbb_v210.ebf - └── SOFTWARE - ├── an550_st.axf - ├── bl1.bin - ├── cs1000.bin - └── ES0.bin - -Depending upon the MPS3 board version (printed on the MPS3 board) you should update the images.txt file -(in corresponding HBI0309x folder. Boardfiles/MB/HBI0309<board_revision>/AN550/images.txt) so that the file points to the images under SOFTWARE directory. 
- -The images.txt file that is compatible with the latest version of the software -stack can be seen below; - -:: - - ;************************************************ - ; Preload port mapping * - ;************************************************ - ; PORT 0 & ADDRESS: 0x00_0000_0000 QSPI Flash (XNVM) (32MB) - ; PORT 0 & ADDRESS: 0x00_8000_0000 OCVM (DDR4 2GB) - ; PORT 1 Secure Enclave (M0+) ROM (64KB) - ; PORT 2 External System 0 (M3) Code RAM (256KB) - ; PORT 3 Secure Enclave OTP memory (8KB) - ; PORT 4 CVM (4MB) - ;************************************************ - - [IMAGES] - TOTALIMAGES: 3 ;Number of Images (Max: 32) - - IMAGE0PORT: 1 - IMAGE0ADDRESS: 0x00_0000_0000 - IMAGE0UPDATE: RAM - IMAGE0FILE: \SOFTWARE\bl1.bin - - IMAGE1PORT: 0 - IMAGE1ADDRESS: 0x00_0000_0000 - IMAGE1UPDATE: AUTOQSPI - IMAGE1FILE: \SOFTWARE\cs1000.bin - - IMAGE2PORT: 2 - IMAGE2ADDRESS: 0x00_0000_0000 - IMAGE2UPDATE: RAM - IMAGE2FILE: \SOFTWARE\es0.bin - -OUTPUT_DIR = ``<_workspace>/build/tmp/deploy/images/corstone1000-mps3`` - -1. Copy ``bl1.bin`` from OUTPUT_DIR directory to SOFTWARE directory of the FPGA bundle. -2. Copy ``es_flashfw.bin`` from OUTPUT_DIR directory to SOFTWARE directory of the FPGA bundle + - The Secure Enclave ROM firmware: ``$WORKSPACE/build/tmp/deploy/images/corstone1000-$TARGET/bl1.bin`` + - The External System Processor firmware: ``$WORKSPACE/build/tmp/deploy/images/corstone1000-$TARGET/es_flashfw.bin`` + - The internal firmware flash image: ``$WORKSPACE/build/tmp/deploy/images/corstone1000-$TARGET/corstone1000-flash-firmware-image-corstone1000-$TARGET.wic`` + +.. _flashing-firmware-images: + +Flash +----- + +.. note:: + + The steps below only apply to the MPS3. The FVP being a software application running on your development + machine does not require any firmware flashing. Refer to `this <running-software-stack-fvp_>`__ + section for running the software stack on FVP. + +#. 
Download the FPGA bit file image ``AN550: Arm® Corstone™-1000 for MPS3 Version 2.0`` + on the `Arm Developer website <https://developer.arm.com/tools-and-software/development-boards/fpga-prototyping-boards/download-fpga-images>`__. + Click on the ``Download AN550 bundle`` button and login to download the file. + + The directory structure of the FPGA bundle is as shown below: + + .. code-block:: console + + Boardfiles + ├── config.txt + ├── MB + │ ├── BRD_LOG.TXT + │ ├── HBI0309B + │ │ ├── AN550 + │ │ │ ├── AN550_v2.bit + │ │ │ ├── an550_v2.txt + │ │ │ └── images.txt + │ │ ├── board.txt + │ │ └── mbb_v210.ebf + │ └── HBI0309C + │ ├── AN550 + │ │ ├── AN550_v2.bit + │ │ ├── an550_v2.txt + │ │ └── images.txt + │ ├── board.txt + │ └── mbb_v210.ebf + └── SOFTWARE + ├── an550_st.axf + ├── bl1.bin + ├── cs1000.bin + └── ES0.bin + +#. Depending upon the MPS3 board version, you should update the ``images.txt`` file + (found in the corresponding ``HBI0309x`` folder e.g. ``Boardfiles/MB/HBI0309$BOARD_VERSION/AN550/images.txt``) + so it points to the images under the ``SOFTWARE`` directory. + Where ``$BOARD_VERSION`` is a variable containing the board printed on the MPS3 board. + + The ``images.txt`` file compatible with the latest version of the software + stack can be seen below; + + .. 
code-block:: console + + ;************************************************ + ; Preload port mapping * + ;************************************************ + ; PORT 0 & ADDRESS: 0x00_0000_0000 QSPI Flash (XNVM) (32MB) + ; PORT 0 & ADDRESS: 0x00_8000_0000 OCVM (DDR4 2GB) + ; PORT 1 Secure Enclave (M0+) ROM (64KB) + ; PORT 2 External System 0 (M3) Code RAM (256KB) + ; PORT 3 Secure Enclave OTP memory (8KB) + ; PORT 4 CVM (4MB) + ;************************************************ + + [IMAGES] + TOTALIMAGES: 3 ;Number of Images (Max: 32) + + IMAGE0PORT: 1 + IMAGE0ADDRESS: 0x00_0000_0000 + IMAGE0UPDATE: RAM + IMAGE0FILE: \SOFTWARE\bl1.bin + + IMAGE1PORT: 0 + IMAGE1ADDRESS: 0x00_0000_0000 + IMAGE1UPDATE: AUTOQSPI + IMAGE1FILE: \SOFTWARE\cs1000.bin + + IMAGE2PORT: 2 + IMAGE2ADDRESS: 0x00_0000_0000 + IMAGE2UPDATE: RAM + IMAGE2FILE: \SOFTWARE\es0.bin + + +#. Copy ``bl1.bin`` from ``$WORKSPACE/build/tmp/deploy/images/corstone1000-mps3`` to the ``SOFTWARE`` directory of the FPGA bundle. +#. Copy ``es_flashfw.bin`` from ``$WORKSPACE/build/tmp/deploy/images/corstone1000-mps3`` to the ``SOFTWARE`` directory of the FPGA bundle and rename the binary to ``es0.bin``. -3. Copy ``corstone1000-flash-firmware-image-corstone1000-mps3.wic`` from OUTPUT_DIR directory to SOFTWARE +#. Copy ``corstone1000-flash-firmware-image-corstone1000-mps3.wic`` from ``$WORKSPACE/build/tmp/deploy/images/corstone1000-mps3`` to the ``SOFTWARE`` directory of the FPGA bundle and rename the wic image to ``cs1000.bin``. -**NOTE:** Renaming of the images are required because MCC firmware has -limitation of 8 characters before .(dot) and 3 characters after .(dot). +.. note:: + Renaming of the images is required because the MCC firmware has + a limit of 8 characters for file name and 3 characters for file extension. + +After making all modifications above, copy the FPGA bit file bundle to the board's SDCard and reboot the MPS3. + +Run +--- + +.. 
_running-software-stack-mps3: + +Once the target is turned ON, the Secure Enclave will start to boot, wherein the relevant memory contents of the ``*.wic`` +file are copied to their respective memory locations. Firewall policies are enforced +on memories and peripherals before bringing the Host Processor out of reset. -Now, copy the entire folder to board's SDCard and reboot the board. +The Host Processor will boot TrustedFirmware-A, OP-TEE, U-Boot and then Linux before presenting a login prompt. -Running the software on FPGA ----------------------------- +**** +MPS3 +**** -On the host machine, open 4 serial port terminals. In case of Linux machine it will -be ttyUSB0, ttyUSB1, ttyUSB2, ttyUSB3 and it might be different on Windows machines. +1. Open 4 serial port comms terminals on the host machine. + Those might be ``ttyUSB0``, ``ttyUSB1``, ``ttyUSB2``, and ``ttyUSB3`` on Linux machines. - - ttyUSB0 for MCC, OP-TEE and Secure Partition - - ttyUSB1 for Boot Processor (Cortex-M0+) - - ttyUSB2 for Host Processor (Cortex-A35) - - ttyUSB3 for External System Processor (Cortex-M3) + - ``ttyUSB0`` for MCC, OP-TEE and Secure Partition + - ``ttyUSB1`` for Secure Enclave (Cortex-M0+) + - ``ttyUSB2`` for Host Processor (Cortex-A35) + - ``ttyUSB3`` for External System Processor (Cortex-M3) -Run following commands to open serial port terminals on Linux: + The serial ports might be different on Windows machines. -:: + Run the following commands in separate terminal instances on Linux: - sudo picocom -b 115200 /dev/ttyUSB0 # in one terminal - sudo picocom -b 115200 /dev/ttyUSB1 # in another terminal - sudo picocom -b 115200 /dev/ttyUSB2 # in another terminal. - sudo picocom -b 115200 /dev/ttyUSB3 # in another terminal. + .. code-block:: console -**NOTE:** The MPS3 expects an ethernet cable to be plugged in, otherwise it will -wait for the network for a considerable amount of time, printing the following -logs: + sudo picocom -b 115200 /dev/ttyUSB0 -:: + .. 
code-block:: console - Generic PHY 40100000.ethernet-ffffffff:01: attached PHY driver (mii_bus:phy_addr=40100000.ethernet-ffffffff:01, irq=POLL) - smsc911x 40100000.ethernet eth0: SMSC911x/921x identified at 0xffffffc008e50000, IRQ: 17 - Waiting up to 100 more seconds for network. + sudo picocom -b 115200 /dev/ttyUSB1 -Once the system boot is completed, you should see console -logs on the serial port terminals. Once the HOST(Cortex-A35) is -booted completely, user can login to the shell using -**"root"** login. + .. code-block:: console -If system does not boot and only the ttyUSB1 logs are visible, please follow the -steps in `Clean Secure Flash Before Testing (applicable to FPGA only)`_ under -`SystemReady-IR tests`_ section. The previous image used in FPGA (MPS3) might -have filled the Secure Flash completely. The best practice is to clean the -secure flash in this case. + sudo picocom -b 115200 /dev/ttyUSB2 + + .. code-block:: console + sudo picocom -b 115200 /dev/ttyUSB3 -Running the software on FVP ---------------------------- + .. important:: + Plug a connected Ethernet cable to the MPS3 or it will + wait for a network connection for a considerable amount of time, printing the following + on the Host Processor terminal (``ttyUSB2``): + + .. code-block:: console + + Generic PHY 40100000.ethernet-ffffffff:01: attached PHY driver (mii_bus:phy_addr=40100000.ethernet-ffffffff:01, irq=POLL) + smsc911x 40100000.ethernet eth0: SMSC911x/921x identified at 0xffffffc008e50000, IRQ: 17 + Waiting up to 100 more seconds for network. + +2. Once the system boot is completed, you should see console logs on the serial port terminals. + Once the Host Processor is booted completely, user can login to the shell using ``root`` login. + + .. important:: + + The secure flash might be completely filled if the system does not boot and only the Secure Enclave logs (``ttyUSB1``) are visible. 
+ + Clean the secure flash if that is the case following the steps `here <clean-secure-flash_>`__. + +.. _running-software-stack-fvp: + +*** +FVP +*** -An FVP (Fixed Virtual Platform) model of the Corstone-1000 platform must be available to run the +A Fixed Virtual Platform (FVP) model of the Corstone-1000 platform must be available to run the Corstone-1000 FVP software image. -A Yocto recipe is provided and allows to download the latest supported FVP version. +A Yocto recipe is provided to download the latest supported FVP version. -The recipe is located at <_workspace>/meta-arm/meta-arm/recipes-devtools/fvp/fvp-corstone1000.bb +The recipe is located at ``$WORKSPACE/meta-arm/meta-arm/recipes-devtools/fvp/fvp-corstone1000.bb``. -The latest supported Fixed Virtual Platform (FVP) version is 11_23.25 and is automatically downloaded and installed when using the runfvp command as detailed below. The FVP version can be checked by running the following command: +The latest FVP version is ``11.23.25`` and is automatically downloaded and installed when using the +``runfvp`` command as detailed below. -:: +.. note:: - kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c "../meta-arm/scripts/runfvp -- --version" + .. code-block:: console -The FVP can also be manually downloaded from the `Arm Ecosystem FVPs`_ page. On this page, navigate -to "Corstone IoT FVPs" section to download the Corstone-1000 platform FVP installer. Follow the -instructions of the installer and setup the FVP. + kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \ + -c "../meta-arm/scripts/runfvp -- --version" -To run the FVP using the runfvp command, please run the following command: +The FVP can also be manually downloaded from the `Arm Ecosystem FVPs`_ page by navigating +to "Corstone IoT FVPs" section to download the Corstone-1000 platform FVP installer. Follow the +instructions of the installer to setup the FVP. -:: +#. 
Run the FVP - kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c "../meta-arm/scripts/runfvp --terminals=xterm" + .. code-block:: console -When the script is executed, three terminal instances will be launched, one for the boot processor -(aka Secure Enclave) processing element and two for the Host processing element. Once the FVP is -executing, the Boot Processor will start to boot, wherein the relevant memory contents of the .wic -file are copied to their respective memory locations within the model, enforce firewall policies -on memories and peripherals and then, bring the host out of reset. + kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \ + -c "../meta-arm/scripts/runfvp --terminals=tmux" -The host will boot trusted-firmware-a, OP-TEE, U-Boot and then Linux, and present a login prompt -(FVP host_terminal_0): + When the script is executed, three terminal instances will be launched: -:: + - one for the Secure Enclave processing element + - two for the Host processor processing element. - corstone1000-fvp login: -Login using the username root. + .. code-block:: console -Using FVP on Windows or AArch64 Linux -------------------------------------- + corstone1000-fvp login: + +#. Login using the ``root`` username. -The user should follow the build instructions in this document to build on a Linux host machine. -Then, copy the output binaries to the Windows or Aarch64 Linux machine where the FVP is located. -Then, launch the FVP binary. Security Issue Reporting ------------------------ To report any security issues identified with Corstone-1000, please send an email to psirt@arm.com. -########################### -User Guide: Provided tests -########################### +##### +Tests +##### -SystemReady-IR tests --------------------- +.. 
important:: -************* -Testing steps -************* + All the tests below assume you have already built the software stack at least once + following the instructions `here <building-the-software-stack_>`__. -**NOTE**: Running the SystemReady-IR tests described below requires the user to -work with USB sticks. In our testing, not all USB stick models work well with -MPS3 FPGA. Here are the USB sticks models that are stable in our test -environment. - - HP V165W 8 GB USB Flash Drive - - SanDisk Ultra 32GB Dual USB Flash Drive USB M3.0 - - SanDisk Ultra 16GB Dual USB Flash Drive USB M3.0 +.. _clean-secure-flash: -**NOTE**: -Before running each of the tests in this chapter, the user should follow the -steps described in following section "Clean Secure Flash Before Testing" to -erase the SecureEnclave flash cleanly and prepare a clean board environment for -the testing. +Clean Secure Flash +------------------ -Prepare EFI System Partition -=========================================================== -Corstone-1000 FVP and FPGA do not have enough on-chip nonvolatile memory to host -an EFI System Partition (ESP). Thus, Corstone-1000 uses mass storage device for -ESP. The instructions below should be followed for both FVP and FPGA before -running the ACS tests. +.. important:: -**Common to FVP and FPGA:** + The MPS3 secure flash needs to be cleared before running tests. + This is to erase the flash cleanly and prepare a clean board environment for testing. -:: - kas build meta-arm/kas/corstone1000-{mps3,fvp}.yml:meta-arm/ci/debug.yml --target corstone1000-esp-image +#. Clone the `systemready-patch` repository to your $WORKSPACE. -Once the build is successful ``corstone1000-esp-image-corstone1000-{mps3,fvp}.wic`` will be available in either: - - ``<_workspace>/build/tmp/deploy/images/corstone1000-fvp/`` folder for FVP build; - - ``<_workspace>/build/tmp/deploy/images/corstone1000-mps3/`` folder for FPGA build. + .. 
code-block:: console -**Using ESP in FPGA:** + cd $WORKSPACE + git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2024.11 -Once the ESP is created, it needs to be flashed to a second USB drive different than ACS image. -This can be done with the development machine. In the given example here -we assume the USB device is ``/dev/sdb`` (the user should use ``lsblk`` command to -confirm). Be cautious here and don't confuse your host machine own hard drive with the -USB drive. Run the following commands to prepare the ACS image in USB stick: +#. Copy the secure flash cleaning Git patch file to your copy of `meta-arm`. -:: + .. code-block:: console - sudo dd if=corstone1000-esp-image-corstone1000-mps3.wic of=/dev/sdb iflag=direct oflag=direct status=progress bs=512; sync; + cp -f systemready-patch/embedded-a/corstone1000/erase_flash/0001-embedded-a-corstone1000-clean-secure-flash.patch meta-arm -Now you can plug this USB stick to the board together with ACS test USB stick. +#. Apply the Git patch to `meta-arm`. -**Using ESP in FVP:** + .. code-block:: console -The ESP disk image once created will be used automatically in the Corstone-1000 FVP as the 2nd MMC card image. It will be used when the SystemReady-IR tests will be performed on the FVP in the later section. + cd meta-arm + git apply 0001-embedded-a-corstone1000-clean-secure-flash.patch +#. Rebuild the software stack. -Clean Secure Flash Before Testing (applicable to FPGA only) -=========================================================== + .. code-block:: console -To prepare a clean board environment with clean secure flash for the testing, -the user should prepare an image that erases the secure flash cleanly during -boot. Run following commands to build such image. 
+ cd $WORKSPACE + kas shell meta-arm/kas/corstone1000-mps3.yml:meta-arm/ci/debug.yml + bitbake -c cleansstate trusted-firmware-m corstone1000-flash-firmware-image + bitbake -c build corstone1000-flash-firmware-image -:: +#. Replace the ``bl1.bin`` file on the SD card with ``$WORKSPACE/build/tmp/deploy/images/corstone1000-mps3/bl1.bin``. - cd <_workspace> - git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2024.06 - git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2024.06 - cp -f systemready-patch/embedded-a/corstone1000/erase_flash/0001-embedded-a-corstone1000-clean-secure-flash.patch meta-arm - cd meta-arm - git apply 0001-embedded-a-corstone1000-clean-secure-flash.patch - cd .. - kas build meta-arm/kas/corstone1000-mps3.yml:meta-arm/ci/debug.yml +#. Reboot the board to completely erase the secure flash. -Replace the bl1.bin and cs1000.bin files on the SD card with following files: - - The ROM firmware: <_workspace>/build/tmp/deploy/images/corstone1000-mps3/bl1.bin - - The flash image: <_workspace>/build/tmp/deploy/images/corstone1000-mps3/corstone1000-flash-firmware-image-corstone1000-mps3.wic + The following message log from TrustedFirmware-M should be displayed on the Secure Enclave terminal (``ttyUSB1``): -Now reboot the board. This step erases the Corstone-1000 SecureEnclave flash -completely, the user should expect following message from TF-M log (can be seen -in ttyUSB1): + .. code-block:: console -:: + !!!SECURE FLASH HAS BEEN CLEANED!!! + NOW YOU CAN FLASH THE ACTUAL CORSTONE1000 IMAGE + PLEASE REMOVE THE LATEST ERASE SECURE FLASH PATCH AND BUILD THE IMAGE AGAIN - !!!SECURE FLASH HAS BEEN CLEANED!!! - NOW YOU CAN FLASH THE ACTUAL CORSTONE1000 IMAGE - PLEASE REMOVE THE LATEST ERASE SECURE FLASH PATCH AND BUILD THE IMAGE AGAIN +#. 
Whilst still in the ``kas`` shell, revert the changes the patch introduced by running the following commands: -Then the user should follow "Building the software stack" to build a clean -software stack and flash the FPGA as normal. And continue the testing. + .. code-block:: console -Run SystemReady-IR ACS tests -============================ + cd $WORKSPACE/meta-arm + git reset --hard + cd .. + bitbake -c cleansstate trusted-firmware-m corstone1000-flash-firmware-image + exit + +#. Follow the `instructions <building-the-software-stack_>`__ to build a clean software stack and flash the MPS3 with it. + +You can proceed with the test instructions in the following section after having done all the above. + +SystemReady-IR +-------------- + +.. important:: + Running the SystemReady-IR tests described below requires USB drives. + In our testing, not all USB drive models worked well with the MPS3. + + Here are the USB drive models that were stable in our test environment: + + - HP v165w 8 GB USB Flash Drive + - SanDisk Ultra 32GB Dual USB Flash Drive USB M3.0 + - SanDisk Ultra 16GB Dual USB Flash Drive USB M3.0 + +Follow the instructions below before running the Architecture Compliance Suite (ACS) tests. + + +.. _build-efi-system-partition: + +***************************** +Build an EFI System Partition +***************************** + +A storage with EFI System Partition (ESP) must exist in the system for the UEFI-SCT related tests to pass. + +#. Build an ESP partition for your target + + .. code-block:: console + + kas build meta-arm/kas/corstone1000-$TARGET.yml:meta-arm/ci/debug.yml --target corstone1000-esp-image + +#. Locate the ``corstone1000-esp-image-corstone1000-$TARGET.wic`` build artefact + in ``$WORKSPACE/build/tmp/deploy/images/corstone1000-$TARGET/`` + +**************************** +Use the EFI System Partition +**************************** + +.. _use-efi-system-partition-mps3: + +MPS3 +==== + +#. Connect a USB drive to your development machine. + +#. 
Run the following command on your development machine to discover which device is your USB drive: + + .. code-block:: console + + lsblk + + The remaining steps assume the USB drive is ``/dev/sdb``. + + .. warning:: + + Do not mistake your development machine hard drive with the USB drive. + +#. Copy the ESP to the USB drive by running the following command: + + .. code-block:: console + + sudo dd \ + if=$WORKSPACE/build/tmp/deploy/images/corstone1000-mps3/corstone1000-esp-image-corstone1000-mps3.wic \ + of=/dev/sdb \ + iflag=direct oflag=direct status=progress bs=512; sync; + +#. Plug the USB drive to the MPS3. + + +.. _use-efi-system-partition-fvp: + +FVP +=== -Architecture Compliance Suite (ACS) is used to ensure architectural compliance -across different implementations of the architecture. Arm Enterprise ACS -includes a set of examples of the invariant behaviors that are provided by a -set of specifications for enterprise systems (For example: SBSA, SBBR, etc.), -so that implementers can verify if these behaviours have been interpreted correctly. +The ESP disk image will automatically be used by the Corstone-1000 FVP as the 2nd MMC card image. +It will be used when the SystemReady-IR tests is performed on the FVP in the later section. -The ACS image contains a BOOT partition. -Following test suites and bootable applications are under BOOT partition: + +**************************** +Run SystemReady-IR ACS Tests +**************************** + +ACS is used to ensure architectural compliance across different implementations of the architecture. +Arm Enterprise ACS includes a set of examples of the invariant behaviors that are provided by a +set of specifications for enterprise systems (i.e. SBSA, SBBR, etc.). +Implementers can verify if these behaviors have been interpreted correctly. 
+ +The following test suites and bootable applications are under the ``BOOT`` partition of the ACS image: * SCT * FWTS - * BSA uefi + * BSA UEFI * BSA linux - * grub - * uefi manual capsule application + * GRUB + * UEFI manual capsule application -BOOT partition contains the following: +See the directory structure of the ACS image ``BOOT`` partition below: -:: +.. code-block:: console ├── EFI │ └── BOOT 
@@ -511,962 +658,1256 @@ BOOT partition contains the following: ├── ramdisk-busybox.img └── acs_results -The BOOT partition is also used to store the test results. The -results are stored in the `acs_results` folder. +The ``BOOT`` partition is also used to store test results in the ``acs_results`` folder. -**NOTE**: PLEASE ENSURE THAT the `acs_results` FOLDER UNDER THE BOOT PARTITION IS -EMPTY BEFORE YOU START TESTING. OTHERWISE THE TEST RESULTS WILL NOT BE CONSISTENT. +.. important:: + + Ensure that the ``acs_results`` folder is empty before starting the test. -FPGA instructions for ACS image -=============================== -This section describes how the user can build and run Architecture Compliance -Suite (ACS) tests on Corstone-1000. +This sections below describe how to build and run ACS tests on Corstone-1000. -First, the user should download the `Arm SystemReady ACS repository <https://github.com/ARM-software/arm-systemready/>`__. -This repository contains the infrastructure to build the Architecture -Compliance Suite (ACS) and the bootable prebuilt images to be used for the -certifications of SystemReady-IR. To download the repository, run command: +.. _mps3-instructions-for-acs-image: -:: - cd <_workspace> - git clone https://github.com/ARM-software/arm-systemready.git +#. On your host development machine, clone the `Arm SystemReady ACS repository <https://github.com/ARM-software/arm-systemready/>`_. -Once the repository is successfully downloaded, the prebuilt ACS live image can be found in: - - ``<_workspace>/arm-systemready/IR/prebuilt_images/v23.09_2.1.0/ir-acs-live-image-generic-arm64.wic.xz`` + .. code-block:: console -**NOTE**: This prebuilt ACS image includes v5.13 kernel, which doesn't provide -USB driver support for Corstone-1000. The ACS image with newer kernel version -and with full USB support for Corstone-1000 will be available in the next -SystemReady release in this repository. 
+ cd $WORKSPACE + git clone https://github.com/ARM-software/arm-systemready.git -Then, the user should prepare a USB stick with ACS image. In the given example here, -we assume the USB device is ``/dev/sdb`` (the user should use ``lsblk`` command to -confirm). Be cautious here and don't confuse your host machine own hard drive with the -USB drive. Run the following commands to prepare the ACS image in USB stick: + This repository contains the infrastructure to build the ACS and the bootable prebuilt images to be used for the + certifications of SystemReady-IR. -:: +#. Find the pre-built ACS live image in ``$WORKSPACE/arm-systemready/IR/prebuilt_images/v23.09_2.1.0/ir-acs-live-image-generic-arm64.wic.xz``. - cd <_workspace>/arm-systemready/IR/prebuilt_images/v23.09_2.1.0 - unxz ir-acs-live-image-generic-arm64.wic.xz - sudo dd if=ir-acs-live-image-generic-arm64.wic of=/dev/sdb iflag=direct oflag=direct bs=1M status=progress; sync + .. note:: -Once the USB stick with ACS image is prepared, the user should make sure that -ensure that both USB sticks (ESP and ACS image) are connected to the board, -and then boot the board. + This prebuilt ACS image includes v5.13 kernel, which does not provide + USB driver support for Corstone-1000. The ACS image with a newer kernel version + and full USB support for Corstone-1000 will be available in the repository with the next + SystemReady release. + +#. Decompress the pre-built ACS live image. + + .. code-block:: console + + cd $WORKSPACE/arm-systemready/IR/prebuilt_images/v23.09_2.1.0 + unxz ir-acs-live-image-generic-arm64.wic.xz + +MPS3 +==== -The FPGA will reset multiple times during the test, and it might take approx. 24-36 hours to finish the test. +#. Connect a USB drive (other than the one used for the ESP) to the host development machine. -**NOTE**: The USB stick which contains the ESP partition might cause grub to -unable to find the bootable partition (only in the FPGA). 
If that's the case, please -remove the USB stick and run the ACS tests. ESP partition can be mounted after -the platform is booted to linux at the end of the ACS tests. +#. Run the following command to discover which device is your USB drive: + .. code-block:: console -FVP instructions for ACS image and run -====================================== + lsblk -The FVP has been integrated in the meta-arm-systemready layer so the running of the ACS tests can be handled automatically as follows + The remaining steps assume the USB drive is ``/dev/sdc``. -:: + .. warning:: - kas build meta-arm/ci/corstone1000-fvp.yml:meta-arm/ci/debug.yml:kas/arm-systemready-ir-acs.yml + Do not mistake your development machine hard drive with the USB drive. -The details of how this layer works can be found in : ``<_workspace>/meta-arm-systemready/README.md`` +#. Copy the ACS image to the USB drive by running the following commands: -**NOTE:** You can't use the standard meta-arm/kas/corstone1000-fvp.yml kas file as it sets the build up for only building firmware + .. code-block:: console -**NOTE:** These test might take up to 1 day to finish + cd $WORKSPACE/arm-systemready/IR/prebuilt_images/v23.09_2.1.0 + sudo dd if=ir-acs-live-image-generic-arm64.wic of=/dev/sdc iflag=direct oflag=direct bs=1M status=progress; sync +#. Plug the USB drive to the MPS3. At this point you should have both the USB drive with the ESP and the USB drive with the ACS image plugged to the MPS3. -Common to FVP and FPGA -====================== +#. Reboot the MPS3. -U-Boot should be able to boot the grub bootloader from -the 1st partition and if grub is not interrupted, tests are executed -automatically in the following sequence: +The MPS3 will reset multiple times during the test, and it might take approximately 24 to 36 hours to finish the test. + +.. important:: + + Unplug the ESP USB drive from the MPS3 if it is preventing GRUB + from finding the bootable partition. 
Leave only the ACS image USB drive + plugged in to run the ACS tests. + + The ESP USB drive can be plugged in again after + selecting the `Linux Boot` option in the GRUB menu at the end of the ACS tests. + +.. warning:: + + A timeout issue has been observed while booting Linux during the ACS tests, causing the system to boot into emergency mode. + Booting Linux is necessary to run certain tests, such as `dt-validation`. + The following workaround is required to enable Linux to boot properly and perform all Linux-based tests: + + #. Press Enter at the Linux prompt. + #. Open the file `/etc/systemd/system.conf` and set `DefaultDeviceTimeoutSec=infinity`. + #. Reboot the platform using the `reboot` command. + #. Select the `Linux Boot` option from the GRUB menu. + #. Allow Linux to boot and run the remaining ACS tests until completion. + +.. _fvp-instructions-for-acs-image: + +FVP +=== + + +Run the commands below to run the ACS test on FVP using the built firmware image and the pre-built ACS image identified above: + +.. code-block:: console + + cd $WORKSPACE + tmux + ./meta-arm/scripts/runfvp \ + --terminals=tmux \ + ./build/tmp/deploy/images/corstone1000-fvp/corstone1000-flash-firmware-image-corstone1000-fvp.fvpconf \ + -- -C board.msd_mmc.p_mmc_file=$WORKSPACE/arm-systemready/IR/prebuilt_images/v23.09_2.1.0/ir-acs-live-image-generic-arm64.wic + + +.. note:: + The FVP will reset multiple times during the test. + The ACS tests might take up to 1 day to complete when run on FVP. + +The message `ACS run is completed` will be displayed on the FVP host terminal when the test runs to completion. +You will be prompted to press the Enter key to access the Linux prompt. + + +Test Sequence and Results +========================= + +U-Boot should be able to boot the GRUB bootloader from the first partition. 
+ +If GRUB is not interrupted, the tests are executed automatically in the following order: - SCT - UEFI BSA - FWTS -The results can be fetched from the `acs_results` folder in the BOOT partition of the USB stick (FPGA) / SD Card (FVP). +The results can be fetched from the `acs_results` folder in the ``BOOT`` partition of the USB drive (for MPS3) or SD Card (for FVP). + +.. note:: + + Access the `acs_results` folder in FVP by running the following commands: -**NOTE:** The FVP uses the ``<_workspace>/build/tmp-glibc/work/corstone1000_fvp-oe-linux/arm-systemready-ir-acs/2.0.0/deploy-arm-systemready-ir-acs/arm-systemready-ir-acs-corstone1000-fvp.wic`` image if the meta-arm-systemready layer is used. -The result can be checked in this image. + .. code-block:: console + + sudo mkdir /mnt/test + sudo mount -o rw,offset=1048576 \ + $WORKSPACE/arm-systemready/IR/prebuilt_images/v23.09_2.1.0/ir-acs-live-image-generic-arm64.wic \ + /mnt/test ##################################################### -Manual capsule update and ESRT checks -------------------------------------- +Capsule Update +-------------- -The following section describes running manual capsule updates by going through -a negative and positive test. Two capsules are needed to perform the positive -and negative updates. The steps also show how to use the EFI System Resource Table -(ESRT) to retrieve the installed capsule details. +The following section describes the steps to update the firmware using Capsule Update +as the Corstone-1000 supports UEFI. -In the positive test, a valid capsule is used and the platform boots correctly -until the Linux prompt after the update. In the negative test, an outdated -capsule is used that has a smaller version number. This capsule gets rejected -because of being outdated and the previous firmware will be used instead. 
+The firmware update process is tested with an invalid capsule (negative capsule update test) +and with a valid capsule (positive capsule update test) to validate the robustness and +error-handling capabilities of the firmware update mechanism. +During the positive capsule update test, the Corstone-1000 is given a valid capsule, which it successfully applies, boots up and then reaches the Linux command prompt. -******************* -Generating Capsules -******************* +During the negative capsule update test, the Corstone-1000 is given an outdated capsule with a lower version number, +which is expected to be rejected due to its outdated status, thereby retaining the previous firmware. + +Two different capsules (one for each test) are therefore needed to perform the tests. + + +***************** +Generate Capsules +***************** + +U-Boot's ``mkeficapsule`` tool is used to generate capsules. It is built automatically for the host machine during the firmware image building process. +The tool can be found in the ``$WORKSPACE/build/tmp/sysroots-components/x86_64/u-boot-tools-native/usr/bin/mkeficapsule`` directory. + +``mkeficapsule`` uses a no-partition image which is created when performing a clean firmware build. +The no-partition image can be found in the ``$WORKSPACE/build/tmp/deploy/images/corstone1000-$TARGET/corstone1000-$TARGET_image.nopt`` directory. + +The capsule's default metadata passed can be found in the ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-flash-firmware-image.bb`` +and ``$WORKSPACE/meta-arm/kas/corstone1000-image-configuration.yml`` files. + +Valid Capsule +============= + +An automatically generated capsule can be found in ``$WORKSPACE/build/tmp/deploy/images/corstone1000-$TARGET/corstone1000-$TARGET-v6.uefi.capsule`` after running a firmware build. + +The default metadata values are assumed to be correct to generate a valid capsule. + +This capsule will be used for the positive capsule update test. 
+ +Invalid Capsule +=============== + +Generate another capsule with ``fw-version`` metadata set to a lower version than the valid capsule. +The example below assumes the valid capsule has a default firmware version of 6, and therefore creates an invalid capsule with firmware version 5. + + +Run the following commands to generate an invalid capsule with a ``fw-version`` of ``5``: + +.. code-block:: console + + cd $WORKSPACE + + ./build/tmp/sysroots-components/x86_64/u-boot-tools-native/usr/bin/mkeficapsule \ + --monotonic-count 1 \ + --private-key build/tmp/deploy/images/corstone1000-$TARGET/corstone1000_capsule_key.key \ + --certificate build/tmp/deploy/images/corstone1000-$TARGET/corstone1000_capsule_cert.crt \ + --index 1 \ + --guid $TARGET_GUID \ + --fw-version 5 build/tmp/deploy/images/corstone1000-$TARGET/corstone1000-$TARGET_image.nopt \ + corstone1000-$TARGET-v5.uefi.capsule + + +.. important:: + + ``$TARGET_GUID`` is different depending on whether the capsule is built for the ``fvp`` or ``mps3`` ``$TARGET``. + + - ``fvp`` ``$TARGET_GUID`` is ``989f3a4e-46e0-4cd0-9877-a25c70c01329`` + - ``mps3`` ``$TARGET_GUID`` is ``df1865d1-90fb-4d59-9c38-c9f2c1bba8cc`` + +The invalid capsule will be located in the ``$WORKSPACE`` directory. + +*************************** +Transfer Capsules to Target +*************************** + +The capsule delivery process described below is the direct method (usage of capsules from the ACS image) +as opposed to the on-disk method (delivery of capsules using a file on a mass storage device). + +MPS3 +==== + +#. Prepare a USB drive as explained in `this <mps3-instructions-for-acs-image_>`_ section. + +#. Copy the capsule file to the root directory of the ``BOOT`` partition in the USB drive. + + .. code-block:: console + + sudo cp $CAPSULES_PATH/corstone1000-mps3-v6.uefi.capsule $ACS_IMAGE_USB_DRIVE_PATH/BOOT/ + sudo cp $CAPSULES_PATH/corstone1000-mps3-v5.uefi.capsule $ACS_IMAGE_USB_DRIVE_PATH/BOOT/ + sync + +.. 
important:: + + Since we are using the direct Capsule Update method, the capsule files should not be placed in + the ``EFI/UpdateCapsule`` directory, as this might inadvertently trigger the on-disk update method. + +FVP +=== -A no-partition image is needed for the capsule generation. This image is -created automatically during a clean Yocto build and it can be found in -``build/tmp/deploy/images/corstone1000-<fvp/mps3>/corstone1000-<fvp/mps3>_image.nopt``. -A capsule is also automatically generated with U-Boot's ``mkeficapsule`` tool -during the Yocto build that uses this ``corstone1000-<fvp/mps3>_image.nopt``. The -capsule's default metadata, that is passed to the ``mkeficapsule`` tool, -can be found in the ``meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-flash-firmware-image.bb`` -and ``meta-arm/kas/corstone1000-image-configuration.yml`` files. These -data can be modified before the Yocto build if it is needed. It is -assumed that the default values are used in the following steps. - -The automatically generated capsule can be found in -``build/tmp/deploy/images/corstone1000-<fvp/mps3>/corstone1000-<fvp/mps3>-v6.uefi.capsule``. -This capsule will be used as the positive capsule during the test in the following -steps. - -Generating Capsules Manually +#. Download and extract the ACS image `as described for the MPS3 <mps3-instructions-for-acs-image_>`_. + The ACS image extraction location will be referred below as ``$ACS_IMAGE_PATH``. + + .. note:: + + Creating a USB drive with the ACS image is not required as the image will be mounted with the steps below. + +#. Find the first partition's offset of the ``ir-acs-live-image-generic-arm64.wic`` image using the ``fdisk`` tool. + The partition table can be listed using: + + .. 
code-block:: console + + fdisk -lu $ACS_IMAGE_PATH/ir-acs-live-image-generic-arm64.wic + Device Start End Sectors Size Type + $ACS_IMAGE_PATH/ir-acs-live-image-generic-arm64.wic1 2048 309247 307200 150M Microsoft basic data + $ACS_IMAGE_PATH/ir-acs-live-image-generic-arm64.wic2 309248 1343339 1034092 505M Linux filesystem + + + Given that the first partition starts at sector 2048 and each sector is 512 bytes in size, + the first partition is at offset 1048576 (2048 x 512). + +#. Mount the ``ir-acs-live-image-generic-arm64.wic`` image using the previously calculated offset: + + .. code-block:: console + + sudo mkdir /mnt/ir-acs-live-image-generic-arm64 + sudo mount -o rw,offset=<first_partition_offset> $ACS_IMAGE_PATH/ir-acs-live-image-generic-arm64.wic /mnt/ir-acs-live-image-generic-arm64 + +#. Copy the capsules: + + .. code-block:: console + + sudo cp $CAPSULES_PATH/corstone1000-fvp-v6.uefi.capsule /mnt/ir-acs-live-image-generic-arm64/ + sudo cp $CAPSULES_PATH/corstone1000-fvp-v5.uefi.capsule /mnt/ir-acs-live-image-generic-arm64/ + sync + +#. Unmount the IR image: + + .. code-block:: console + + sudo umount /mnt/ir-acs-live-image-generic-arm64 + +************************ +Run Capsule Update Tests +************************ + +The valid capsule (``corstone1000-$TARGET-v6.uefi.capsule``) will be used first to run the positive capsule update test. +This will be followed by using the invalid capsule (``corstone1000-$TARGET-v5.uefi.capsule``) to run the negative capsule update test. + +.. important:: + + This sequence order must be respected as the invalid capsule has a firmware version lower than the firmware version in the valid capsule. + The negative capsule update test effectively tests that firmware rollback is not permitted. + + +.. 
_positive-capsule-update-test: + +Positive Capsule Update Test ============================ -If a new capsule has to be generated with different metadata after the build -process, then it can be done manually by using the ``u-boot-tools``'s -``mkeficapsule`` and the previously created ``.nopt`` image. The -``mkeficapsule`` tool is built automatically for the host machine -during the Yocto build. +#. Run Corstone-1000 with the ACS image containing the two capsule files: -The negative capsule needs a lower ``fw-version`` than the positive -capsule. For example if the host's architecture is x86_64, this can -be generated by using the following command: + - MPS3: -:: + #. Plug the prepared USB drive which has the IR prebuilt image and two capsules to the MPS3. + #. Power cycle the MPS3. - cd <_workspace> + - FVP: - ./build/tmp/sysroots-components/x86_64/u-boot-tools-native/usr/bin/mkeficapsule --monotonic-count 1 \ - --private-key build/tmp/deploy/images/corstone1000-<fvp/mps3>/corstone1000_capsule_key.key \ - --certificate build/tmp/deploy/images/corstone1000-<fvp/mps3>/corstone1000_capsule_cert.crt --index 1 --guid df1865d1-90fb-4d59-9c38-c9f2c1bba8cc \ - --fw-version 5 build/tmp/deploy/images/corstone1000-<fvp/mps3>/corstone1000-<fvp/mps3>_image.nopt corstone1000-<fvp/mps3>-v5.uefi.capsule + #. Run the FVP with the IR prebuilt image which now also contains the two capsules: -This command will put the negative capsule to the ``<_workspace>`` directory. + .. code-block:: console + kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \ + -c "../meta-arm/scripts/runfvp --terminals=tmux \ + -- -C board.msd_mmc.p_mmc_file=$ACS_IMAGE_PATH/ir-acs-live-image-generic-arm64.wic" -**************** -Copying Capsules -**************** + .. warning:: -Copying the FPGA capsules -========================= + ``$ACS_IMAGE_PATH`` must be an absolute path. Ensure there are no spaces before or after of ``=`` of the ``-C board.msd_mmc.p_mmc_file`` option. 
-The user should prepare a USB stick as explained in ACS image section `FPGA instructions for ACS image`_. -Place the generated ``corstone1000-mps3-v<5/6>.uefi.capsule`` files in the root directory of the boot partition -in the USB stick. Note: As we are running the direct method, the ``corstone1000-mps3-v<5/6>.uefi.capsule`` files -should not be under the EFI/UpdateCapsule directory as this may or may not trigger -the on disk method. -:: +#. Wait until U-Boot loads EFI from the ACS image and interrupt the EFI shell by pressing the ``Escape`` key when the following prompt is displayed on the Host Processor terminal (``ttyUSB2``). - sudo cp <capsule path>/corstone1000-mps3-v6.uefi.capsule <mounting path>/BOOT/ - sudo cp <capsule path>/corstone1000-mps3-v5.uefi.capsule <mounting path>/BOOT/ - sync + .. code-block:: console -Copying the FVP capsules -======================== + Press ESC in 4 seconds to skip startup.nsh or any other key to continue. -The ACS image should be used for the FVP as well. Downloaded and extract the -image the same way as for the FPGA `FPGA instructions for ACS image`_. -Creating an USB stick with the image is not needed for the FVP. +#. Access the content of the first file system (``File System 0``) where we copied the capsule files by running the following command: -After getting the ACS image, find the 1st partition's offset of the -``ir-acs-live-image-generic-arm64.wic`` image. The partition table can be -listed using the ``fdisk`` tool. + .. code-block:: console -:: + FS0: - fdisk -lu <path-to-img>/ir-acs-live-image-generic-arm64.wic - Device Start End Sectors Size Type - <path-to-img>/ir-acs-live-image-generic-arm64.wic1 2048 309247 307200 150M Microsoft basic data - <path-to-img>/ir-acs-live-image-generic-arm64.wic2 309248 1343339 1034092 505M Linux filesystem +#. Run the ``CapsuleApp`` application with the valid capsule file: + - MPS3: -The first partition starts at the 2048th sector. 
This has to be multiplied -by the sector size which is 512 so the offset is 2048 * 512 = 1048576. + .. code-block:: console -Next, mount the IR image using the previously calculated offset: + EFI/BOOT/app/CapsuleApp.efi EFI/BOOT/corstone1000-mps3-v6.uefi.capsule -:: + - FVP: - sudo mkdir /mnt/test - sudo mount -o rw,offset=<first_partition_offset> <path-to-img>/ir-acs-live-image-generic-arm64.wic /mnt/test + .. code-block:: console -Then, copy the capsules: + EFI/BOOT/app/CapsuleApp.efi corstone1000-fvp-v6.uefi.capsule -:: + The capsule update will be started. - sudo cp <capsule path>/corstone1000-fvp-v6.uefi.capsule /mnt/test/ - sudo cp <capsule path>/corstone1000-fvp-v5.uefi.capsule /mnt/test/ - sync + .. note:: + The capsule update takes about 8 minutes to complete on MPS3 and between 15-30 minutes on FVP. -Then, unmount the IR image: + The Corstone-1000 will reset after successfully applying the capsule. -:: + + The software stack copies the capsule content to the external flash, which is shared between the Secure Enclave and the Host Processor + before rebooting the system. - sudo umount /mnt/test + After the first reboot, TrustedFirmware-M should apply the valid capsule and display the following log on the Secure Enclave terminal (``ttyUSB1``) + before rebooting the system a second time: -****************************** -Performing the capsule update -****************************** + .. code-block:: console -During this section we will be using the capsule with the higher version -(``corstone1000-<fvp/mps3>-v6.uefi.capsule``) for the positive scenario -and then the capsule with the lower version (``corstone1000-<fvp/mps3>-v5.uefi.capsule``) -for the negative scenario. The two tests have to be done after each other -in the correct order to make sure that the negative capsule will get rejected. + ... + SysTick_Handler: counted = 10, expiring on = 360 + SysTick_Handler: counted = 20, expiring on = 360 + SysTick_Handler: counted = 30, expiring on = 360 + ... 
+ metadata_write: success: active = 1, previous = 0 + flash_full_capsule: exit + corstone1000_fwu_flash_image: exit: ret = 0 + ... -Running the FPGA with the IR prebuilt image -=========================================== + The above log snippet indicates that the new capsule image is successfully applied, and the board is booting with the external flash's Bank-1. -Insert the prepared USB stick which has the IR prebuilt image and two capsules, -then Power cycle the MPS3 board. + After a second reboot, the following log should be displayed on on the Secure Enclave terminal (``ttyUSB1``): -Running the FVP with the IR prebuilt image -========================================== + .. code-block:: console -Run the FVP with the IR prebuilt image: + ... + fmp_set_image_info:133 Enter + FMP image update: image id = 0 + FMP image update: status = 0version=6 last_attempt_version=6. + fmp_set_image_info:157 Exit. + corstone1000_fwu_host_ack: exit: ret = 0 + ... -:: +#. Interrupt the U-Boot shell. - kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c "../meta-arm/scripts/runfvp --terminals=xterm -- -C board.msd_mmc.p_mmc_file=<path-to-img>/ir-acs-live-image-generic-arm64.wic" + .. code-block:: console -**NOTE:** <path-to-img> must start from the root directory. make sure there are no spaces before or after of "=". board.msd_mmc.p_mmc_file=<path-to-img>/ir-acs-live-image-generic-arm64.wic. -**NOTE:** Do not restart the FVP between the positive and negative test because it will start from a clean state. + Hit any key to stop autoboot: -Executing capsule update for FVP and FPGA -========================================= +#. Run the following commands in order to run the Corstone-1000 Linux kernel. -Wait until U-boot loads EFI from the ACS image stick and interrupt the EFI -shell by pressing ESC when the following prompt is displayed in the Host -terminal (ttyUSB2). + .. note:: + Otherwise, the execution ends up in the ACS live image. -:: + .. 
code-block:: console - Press ESC in 4 seconds to skip startup.nsh or any other key to continue. + $ unzip $kernel_addr 0x90000000 + $ loadm 0x90000000 $kernel_addr_r $filesize + $ bootefi $kernel_addr_r $fdtcontroladdr -Then, type FS0: as shown below: -:: +#. After the system fully boots, read the EFI System Resource Table (ESRT) to verify that the firmware version matches the version of the capsule applied. - FS0: + .. code-block:: console -Then start the CapsuleApp application. Use the positive capsule -(corstone1000-<fvp/mps3>-v6.uefi.capsule) first. + # cd /sys/firmware/efi/esrt/entries/entry0 + # cat * -:: + 0x0 # capsule_flags + 989f3a4e-46e0-4cd0-9877-a25c70c01329 # fw_class + 0 # fw_type + 6 # fw_version + 0 # last_attempt_status + 6 # last_attempt_version + 0 # lowest_supported_fw_ver + + See the `UEFI documentation <https://uefi.org/specs/UEFI/2.10/23_Firmware_Update_and_Reporting.html#id29>`__ for more information on the significance of the table fields. + +.. warning:: + + Do not terminate FVP between the positive and negative capsule update tests. + +Negative Capsule Update Test +============================ - EFI/BOOT/app/CapsuleApp.efi corstone1000-<fvp/mps3>-v6.uefi.capsule +.. important:: -The capsule update will be started. + The `positive capsule update test <positive-capsule-update-test_>`__ must be run before running the negative capsule update test. -**NOTE:** On the FVP it takes around 15-30 minutes, on the FPGA it takes less time. +#. After running the positive capsule update test, reboot the system by typing the following command on the Host Processor terminal (``ttyUSB2``): -After successfully updating the capsule the system will reset. Make sure the -Corstone-1000's Poky Distro is booted after the reset so the ESRT can be checked. -It is described in the `Select Corstone-1000 Linux kernel boot`_ section how to -boot the Poky distro after the capsule update. -The `Positive scenario`_ sections describes how the result should be inspected. 
-After the result is checked, the system can be rebooted with the ``reboot`` command in the Host -terminal (ttyUSB2). + .. code-block:: console -Interrupt the EFI shell again and now start the capsule update with the negative capsule: + reboot -:: +#. Wait until U-Boot loads EFI from the ACS image and interrupt the EFI shell by pressing the ``Escape`` key when the following prompt is displayed on the Host Processor terminal (``ttyUSB2``). - EFI/BOOT/app/CapsuleApp.efi corstone1000-<fvp/mps3>-v5.uefi.capsule + .. code-block:: console -The command above should fail and in the TF-M logs the following message should appear: + Press ESC in 4 seconds to skip startup.nsh or any other key to continue. -:: +#. Access the content of the first file system (``File System 0``) where we copied the capsule files by running the following command: - ERROR: flash_full_capsule: version error + .. code-block:: console -Then, reboot manually: + FS0: -:: +#. Run the ``CapsuleApp`` application with the invalid capsule file: - Shell> reset + - MPS3: -Make sure the Corstone-1000's Poky Distro is booted again -(`Select Corstone-1000 Linux kernel boot`_) in order to check the results -`Negative scenario`_. + .. code-block:: console -Select Corstone-1000 Linux kernel boot -====================================== + EFI/BOOT/app/CapsuleApp.efi EFI/BOOT/corstone1000-mps3-v5.uefi.capsule -Interrupt the U-Boot shell. + - FVP: -:: + .. code-block:: console - Hit any key to stop autoboot: + EFI/BOOT/app/CapsuleApp.efi corstone1000-fvp-v5.uefi.capsule -Run the following commands in order to run the Corstone-1000 Linux kernel and being able to check the ESRT table. -**NOTE:** Otherwise, the execution ends up in the ACS live image. +#. TrustedFirmware-M should reject the capsule due to having a lower firmware version and display the following log on the Secure Enclave terminal (``ttyUSB1``): -:: + .. 
code-block:: console - $ unzip $kernel_addr 0x90000000 - $ loadm 0x90000000 $kernel_addr_r $filesize - $ bootefi $kernel_addr_r $fdtcontroladdr + ... + uefi_capsule_retrieve_images: image 0 at 0xa0000070, size=15654928 + uefi_capsule_retrieve_images: exit + flash_full_capsule: enter: image = 0x0xa0000070, size = 7764541, version = 5 + ERROR: flash_full_capsule: version error + private_metadata_write: enter: boot_index = 1 + private_metadata_write: success + fmp_set_image_info:133 Enter + FMP image update: image id = 0 + FMP image update: status = 1version=6 last_attempt_version=5. + fmp_set_image_info:157 Exit. + corstone1000_fwu_flash_image: exit: ret = -1 + fmp_get_image_info:232 Enter + pack_image_info:207 ImageInfo size = 105, ImageName size = 34, ImageVersionName + size = 36 + fmp_get_image_info:236 Exit + ... + The Secure Enclave tries to load the new image a predetermined number of times + if the capsule passes initial verification but fails verifications performed during + boot time. -********************* -Capsule update status -********************* + .. code-block:: console -Positive scenario -================= + ... + metadata_write: success: active = 0, previous = 1 + fwu_select_previous: in regular state by choosing previous active bank + ... -In the positive case scenario, the software stack copies the capsule to the -External Flash, which is shared between the Secure Enclave and Host, -then a reboot is triggered. The TF-M accepts the capsule. -The user should see following TF-M log in the Secure Enclave terminal (ttyUSB1) -before the system reboots automatically, indicating the new capsule -image is successfully applied, and the board boots correctly. + The Secure Enclave eventually reverts back to the previously running image. -:: +#. Reboot manually: - ... - SysTick_Handler: counted = 10, expiring on = 360 - SysTick_Handler: counted = 20, expiring on = 360 - SysTick_Handler: counted = 30, expiring on = 360 - ... 
- metadata_write: success: active = 1, previous = 0 - flash_full_capsule: exit - corstone1000_fwu_flash_image: exit: ret = 0 - ... + .. code-block:: console -And after the reboot: + Shell> reset -:: +#. Interrupt the U-Boot shell. - ... - fmp_set_image_info:133 Enter - FMP image update: image id = 0 - FMP image update: status = 0version=6 last_attempt_version=6. - fmp_set_image_info:157 Exit. - corstone1000_fwu_host_ack: exit: ret = 0 - ... + .. code-block:: console + Hit any key to stop autoboot: -It's possible to check the content of the ESRT table after the system fully boots. +#. Run the following commands in order to run the Corstone-1000 Linux kernel. -In the Linux command-line run the following: + .. note:: + Otherwise, the execution ends up in the ACS live image. -:: + .. code-block:: console - # cd /sys/firmware/efi/esrt/entries/entry0 - # cat * + $ unzip $kernel_addr 0x90000000 + $ loadm 0x90000000 $kernel_addr_r $filesize + $ bootefi $kernel_addr_r $fdtcontroladdr - 0x0 - 989f3a4e-46e0-4cd0-9877-a25c70c01329 - 0 - 6 - 0 - 6 - 0 +#. After the system fully boots, read the ESRT to verify the firmware version does not match what is on the invalid capsule. -.. line-block:: - capsule_flags: 0x0 - fw_class: 989f3a4e-46e0-4cd0-9877-a25c70c01329 - fw_type: 0 - fw_version: 6 - last_attempt_status: 0 - last_attempt_version: 6 - lowest_supported_fw_ver: 0 + .. code-block:: console + # cd /sys/firmware/efi/esrt/entries/entry0 + # cat * -Negative scenario -================= + 0x0 # capsule_flags + 989f3a4e-46e0-4cd0-9877-a25c70c01329 # fw_class + 0 # fw_type + 6 # fw_version + 1 # last_attempt_status + 5 # last_attempt_version + 0 # lowest_supported_fw_ver -In the negative case scenario (rollback the capsule version), -the TF-M detects that the new capsule's version number is -smaller then the current version. The capsule is rejected because -of this. -The user should see appropriate logs in the Secure Enclave terminal (ttyUSB1) before the system reboots itself. 
-:: - ... - uefi_capsule_retrieve_images: image 0 at 0xa0000070, size=15654928 - uefi_capsule_retrieve_images: exit - flash_full_capsule: enter: image = 0x0xa0000070, size = 7764541, version = 5 - ERROR: flash_full_capsule: version error - private_metadata_write: enter: boot_index = 1 - private_metadata_write: success - fmp_set_image_info:133 Enter - FMP image update: image id = 0 - FMP image update: status = 1version=6 last_attempt_version=5. - fmp_set_image_info:157 Exit. - corstone1000_fwu_flash_image: exit: ret = -1 - fmp_get_image_info:232 Enter - pack_image_info:207 ImageInfo size = 105, ImageName size = 34, ImageVersionName - size = 36 - fmp_get_image_info:236 Exit - ... - - -If capsule pass initial verification, but fails verifications performed during -boot time, Secure Enclave will try new images predetermined number of times -(defined in the code), before reverting back to the previous good bank. - -:: - - ... - metadata_write: success: active = 0, previous = 1 - fwu_select_previous: in regular state by choosing previous active bank - ... - -It's possible to check the content of the ESRT table after the system fully boots. - -In the Linux command-line run the following: - -:: - - # cd /sys/firmware/efi/esrt/entries/entry0 - # cat * - - 0x0 - 989f3a4e-46e0-4cd0-9877-a25c70c01329 - 0 - 6 - 1 - 5 - 0 - -.. line-block:: - capsule_flags: 0x0 - fw_class: 989f3a4e-46e0-4cd0-9877-a25c70c01329 - fw_type: 0 - fw_version: 6 - last_attempt_status: 1 - last_attempt_version: 5 - lowest_supported_fw_ver: 0 - - -Linux distros tests +Linux Distributions ------------------- -************************************************************* -Debian install and boot preparation -************************************************************* +This sections describes the steps to install major Linux distributions to the Corstone-1000 Host Processor. 
-There is a known issue in the `Shim 15.7 <https://salsa.debian.org/efi-team/shim/-/tree/upstream/15.7?ref_type=tags>`__ -provided with the Debian installer image (see below). This bug causes a fatal -error when attempting to boot media installer for Debian, and it resets the platform before installation starts. -A patch to be applied to the Corstone-1000 stack (only applicable when -installing Debian) is provided to -`Skip the Shim <https://gitlab.arm.com/arm-reference-solutions/systemready-patch/-/blob/CORSTONE1000-2024.06/embedded-a/corstone1000/shim/0001-arm-bsp-u-boot-corstone1000-Skip-the-shim-by-booting.patch>`__. -This patch makes U-Boot automatically bypass the Shim and run grub and allows -the user to proceed with a normal installation. If at the moment of reading this -document the problem is solved in the Shim, the user is encouraged to try the -corresponding new installer image. Otherwise, please apply the patch as -indicated by the instructions listed below. These instructions assume that the -user has already built the stack by following the build steps of this -documentation. +The Linux distributions to be installed are: -:: + - `Debian <https://www.debian.org/>`__ + - `openSUSE <https://www.opensuse.org/>`__ - cd <_workspace> - git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2024.06 - cp -f systemready-patch/embedded-a/corstone1000/shim/0001-arm-bsp-u-boot-corstone1000-Skip-the-shim-by-booting.patch meta-arm - cd meta-arm - git am 0001-arm-bsp-u-boot-corstone1000-Skip-the-shim-by-booting.patch - cd .. +Follow the instructions below to install the Linux distributions to the Corstone-1000 software stack. -**On FPGA** +************************** +Prepare Installation Media +************************** -:: +The media containing the bootable files required to start the installation process needs to be prepared. 
- kas shell meta-arm/kas/corstone1000-mps3.yml:meta-arm/ci/debug.yml -c="bitbake u-boot trusted-firmware-a corstone1000-flash-firmware-image -c cleansstate; bitbake corstone1000-flash-firmware-image" +Follow the instructions below to create the installation media. -**On FVP** +#. Using your development machine, download one of following Linux distribution images: -:: + - `Debian installer image <https://cdimage.debian.org/mirror/cdimage/archive/12.7.0/arm64/iso-dvd/>`__ + - `OpenSUSE Tumbleweed installer image <http://download.opensuse.org/ports/aarch64/tumbleweed/iso/>`__ - kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c="bitbake u-boot trusted-firmware-a corstone1000-flash-firmware-image -c cleansstate; bitbake corstone1000-flash-firmware-image" + .. note:: + + For openSUSE Tumbleweed, search for an ISO file with the format: ``openSUSE-Tumbleweed-DVD-aarch64-Snapshot$DATE-Media.iso``. + + ``openSUSE-Tumbleweed-DVD-aarch64-Snapshot20240516-Media.iso`` was used during development. -On FPGA, please update the cs1000.bin on the SD card with the newly generated wic file. + The location of the ISO file on the development machine will be referred to as ``$DISTRO_INSTALLER_ISO_PATH``. -**NOTE:** Skip the shim patch only applies to Debian installation. The user should remove the patch from meta-arm before running the software to boot OpenSUSE or executing any other tests in this user guide. You can make sure of removing the skip the shim patch by executing the steps below. +#. Create the installation media which will contain the necessary files to install the operation system. -:: + - MPS3: - cd <_workspace>/meta-arm - git reset --hard HEAD~1 - cd .. - kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c="bitbake u-boot -c cleanall; bitbake trusted-firmware-a -c cleanall; bitbake corstone1000-flash-firmware-image -c cleanall; bitbake corstone1000-flash-firmware-image" + #. 
Plug a blank USB drive formatted with FAT32, ensuring it has a minimum capacity of 4GB, to the development machine. -************************************************* -Preparing the Installation Media -************************************************* + #. Run the following command to discover which device is your USB drive: -Download one of following Linux distro images: - - `Debian installer image <https://cdimage.debian.org/mirror/cdimage/archive/12.4.0/arm64/iso-dvd/>`__ - - `OpenSUSE Tumbleweed installer image <http://download.opensuse.org/ports/aarch64/tumbleweed/iso/>`__ (Tested on: openSUSE-Tumbleweed-DVD-aarch64-Snapshot20240516-Media.iso) + .. code-block:: console -**NOTE:** For OpenSUSE Tumbleweed, the user should look for a DVD Snapshot like -openSUSE-Tumbleweed-DVD-aarch64-Snapshot<date>-Media.iso + lsblk + The remaining steps assume the USB drive is ``/dev/sdb``. -FPGA -================================================== + .. warning:: -To test Linux distro install and boot on FPGA, the user should prepare two empty USB -sticks (minimum size should be 4GB and formatted with FAT32). + Do not mistake your development machine hard drive with the USB drive. -The downloaded iso file needs to be flashed to your USB drive. -This can be done with your development machine. + #. Write one of the distribution installer ISO file to the USB drive. -In the example given below, we assume the USB device is ``/dev/sdb`` (the user -should use the `lsblk` command to confirm). + .. code-block:: console -**NOTE:** Please don't confuse your host machine own hard drive with the USB drive. 
-Then, copy the contents of the iso file into the first USB stick by running the -following command in the development machine: + sudo dd if=$DISTRO_INSTALLER_ISO_PATH of=/dev/sdb iflag=direct oflag=direct status=progress bs=1M; sync; -:: + - FVP: - sudo dd if=<path-to-iso_file> of=/dev/sdb iflag=direct oflag=direct status=progress bs=1M; sync; + The distribution installer ISO file does not need to be burnt to a USB drive. + It will be used as is when starting the FVP install the distribution. +******************** +Prepare System Drive +******************** -FVP -================================================== +A system (or boot) drive, to store all the operating system files and used to boot the distribution, is required as +Corstone-1000 on-board non-volatile storage size is insufficient for installing the distributions. + + - MPS3: + #. Find another blank USB drive formatted with FAT32 with a minimum capacity of 4GB. + #. Do not yet connect this blank USB drive to the MPS3. It will be used as the primary drive to boot the distribution. + + - FVP: + #. Create an 10 GB GUID Partition Table (GPT) formatted MultiMediaCard (MMC) image. + + .. code-block:: console + + dd if=/dev/zero of=$WORKSPACE/fvp_distro_system_drive.img \ + bs=1 count=0 seek=10G; sync; \ + parted -s fvp_distro_system_drive.img mklabel gpt + + #. This MMC image will be used as the primary drive to boot the distribution. + + +************ +Installation +************ + +MPS3 +==== -To test Linux distro install and boot on FVP, the user should prepare an mmc image. -With a minimum size of 8GB formatted with gpt. +#. Connect the installation media, which contains the installer for the desired distribution, to the MPS3. +#. Open a serial port terminal interface to ``/dev/ttyUSB0`` in one terminal window on your development machine. -:: + .. 
code-block:: console - #Generating os_file - dd if=/dev/zero of=<_workspace>/os_file.img bs=1 count=0 seek=10G; sync; - parted -s os_file.img mklabel gpt + sudo picocom -b 115200 /dev/ttyUSB0 +#. Open a serial port terminal interface to ``/dev/ttyUSB2`` in another terminal window on your development machine. -************************************************* -Debian/openSUSE install -************************************************* + .. code-block:: console -FPGA -================================================== + sudo picocom -b 115200 /dev/ttyUSB2 -Unplug the first USB stick from the development machine and connect it to the -MSP3 board. At this moment, only the first USB stick should be connected. Open -the following picocom sessions in your development machine: +#. When the installation screen is displayed on ``ttyUSB2``, plug in the (still empty) system drive to the MPS3. +#. Start the distribution installation process. -:: + .. note:: - sudo picocom -b 115200 /dev/ttyUSB0 # in one terminal - sudo picocom -b 115200 /dev/ttyUSB2 # in another terminal. + Reboot the MPS3 with both USB drives (installation media and empty system drive) connected to it if the distribution installer does not start. -When the installation screen is visible in ttyUSB2, plug in the second USB stick -in the MPS3 and start the distro installation process. If the installer does not -start, please try to reboot the board with both USB sticks connected and repeat -the process. +.. note:: -**NOTE:** Due to the performance limitation of Corstone-1000 MPS3 FPGA, the -distro installation process can take up to 24 hours to complete. + Due to the performance limitation, the distribution installation process can take up to 24 hours to complete. FVP -================================================== +=== +#. Start the FVP with the system drive as the primary drive and the distro ISO file as the secondary drive. -:: + .. 
code-block:: console - kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c "../meta-arm/scripts/runfvp --terminals=xterm -- -C board.msd_mmc.p_mmc_file=<_workspace>/os_file.img -C board.msd_mmc_2.p_mmc_file=<path-to-iso_file>" + kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \ + -c "../meta-arm/scripts/runfvp --terminals=tmux -- \ + -C board.msd_mmc.p_mmc_file=$WORKSPACE/fvp_distro_system_drive.img \ + -C board.msd_mmc_2.p_mmc_file=$DISTRO_INSTALLER_ISO_PATH" -The installer should now start. -The OS will be installed on 'os_file.img'. + The Linux distribution will be installed on ``fvp_distro_system_drive.img``. -******************************************************* -Debian install clarifications -******************************************************* -As the installation process for Debian is different than the one for openSUSE, -Debian may need some extra steps, that are indicated below: +Debian Installation Extra Steps +=============================== -During Debian installation, please answer the following question: - - "Force grub installation to the EFI removable media path?" Yes - - "Update NVRAM variables to automatically boot into Debian?" No +Debian installation may need some extra steps, that are indicated below: -If the grub installation fails, these are the steps to follow on the subsequent -popups: +#. Answer ``Yes`` to the question ``Force grub installation to the EFI removable media path?``. -1. Select "Continue", then "Continue" again on the next popup -2. Scroll down and select "Execute a shell" -3. Select "Continue" -4. Enter the following command: + If the GRUB installation fails, these are the steps to follow on the subsequent + popups: -:: + #. Select ``Continue``, then ``Continue`` again on the next popup. - in-target grub-install --no-nvram --force-extra-removable + #. Scroll down and select ``Execute a shell``. -5. Enter the following command: + #. Select ``Continue``. -:: + #. 
Enter the following command: - in-target update-grub + .. code-block:: console -6. Enter the following command: + in-target grub-install --no-nvram --force-extra-removable -:: + #. Enter the following command: - exit + .. code-block:: console -7. Select "Continue without boot loader", then select "Continue" on the next popup -8. At this stage, the installation should proceed as normal. + in-target update-grub + + #. Enter the following command: -***************************************************************** -Debian/openSUSE boot after installation -***************************************************************** + .. code-block:: console -FPGA -=============== -Once the installation is complete, unplug the first USB stick and reboot the -board. -The board will then enter recovery mode, from which the user can access a shell -after entering the password for the root user. + exit + + #. Select ``Continue without boot loader``, then select ``Continue`` on the next popup. + + #. At this stage, the installation should proceed as normal. + +#. Answer ``No`` to the question ``Update NVRAM variables to automatically boot into Debian?``. + + +***************** +Boot Distribution +***************** + +- MPS3 + + #. Once the installation is complete, unplug the installation media. + #. Perform a cold boot of the MPS3. + +- FVP + + The target should automatically boot into the installed operating system image. + + Stop the FVP and run the command below to simulate a cold boot: + + .. code-block:: console + + kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \ + -c "../meta-arm/scripts/runfvp --terminals=tmux -- \ + -C board.msd_mmc.p_mmc_file=$WORKSPACE/fvp_distro_system_drive.img" + + .. warning:: + + To manually enter recovery mode, once the FVP begins booting, you can quickly + change the boot option in GRUB, to boot into recovery mode. This option will disappear + quickly, so it is best to preempt it. 
+ + Select ``Advanced Options for <OS>`` and then ``<OS> (recovery mode)``. + + +The target will then enter recovery mode, from which the user can access a shell +after entering the password for the ``root`` user. + + +Timeout Optimizations +===================== + +.. important:: + + Operating system timeouts are inconsistent across systems. + Skip this section if the system boots to Debian or OpenSUSE without any issue. + +Make the system modification below whilst in recovery mode to increase timeouts and boot to the installed distribution. + +#. Remove the timeout limit for device operations. + + - Debian + .. code-block:: console + + vi /etc/systemd/system.conf + DefaultDeviceTimeoutSec=infinity + + - openSUSE + .. code-block:: console + + vi /usr/lib/systemd/system.conf + DefaultDeviceTimeoutSec=infinity + + .. warning:: + + As modifying ``system.conf`` in ``/usr/lib/systemd/`` is not working as it is getting overwritten, + copy ``system.conf`` from ``/usr/lib/systemd/`` to ``/etc/systemd/system.conf.d/`` after the above edit. + +#. Set the maximum time that the system will wait for a user to successfully log in before timing out to 180 seconds. + + - Debian + .. code-block:: console + + vi /etc/login.defs + LOGIN_TIMEOUT 180 + + - openSUSE + .. code-block:: console + + vi /usr/etc/login.defs + LOGIN_TIMEOUT 180 + +#. Ensure the changes are applied by run the command below. + + .. code-block:: console + + systemctl daemon-reload + +#. Perform a cold boot of the target. + +Log into the Distribution +========================= + +Login with the ``root`` username and its corresponding password (set during installation) +at the distribution login prompt after booting. See an illustration for Debian below: + +.. code-block:: console + + debian login: + + +UEFI Secure Boot +---------------- + +The UEFI Secure Boot test is designed to verify the integrity and authenticity of the system’s boot process. 
+This test ensures that only trusted, signed images are executed, thereby preventing unauthorized or malicious code from running. +A successful test confirms that the signed image executes correctly, while any unsigned image is blocked from running. + + +********************************************** +Generate Keys, Signed Image and Unsigned Image +********************************************** + +#. Build an EFI System Partition as described `here <build-efi-system-partition_>`__. + +#. Clone the `systemready-patch` repository to your workspace. + + .. code-block:: console + + cd $WORKSPACE + + git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git \ + -b CORSTONE1000-2024.11 + +#. Set the current working directory to build directory's subdirectory containing the software stack build images. + + .. code-block:: console + + cd $WORKSPACE/build/tmp/deploy/images/corstone1000-$TARGET/ + +#. Run the image signing script (without changing the current working directory). + + .. code-block:: console + + ./$WORKSPACE/systemready-patch/embedded-a/corstone1000/secureboot/create_keys_and_sign.sh \ + -d $TARGET \ + -v $CERTIFICATE_VALIDITY_DURATION_IN_DAYS + + .. important:: + + The `efitools <https://github.com/vathpela/efitools/>`__ package is required to execute the script. + + .. note:: + + Consult the image signing script help message (``-h``) for more information about other optional arguments. + + The script is interactive and contains commands that require ``sudo`` level permissions. + + +The keys, signed kernel image, and unsigned kernel image will be copied to the exisiting ESP image. +The modified ESP image can be found at ``$WORKSPACE/build/tmp/deploy/images/corstone1000-$TARGET/corstone1000-esp-image-corstone1000-$TARGET.wic``. + + +**************************** +Run Unsigned Image Boot Test +**************************** + +.. 
_unsigned-image-boot-test-fvp: FVP -============== -The platform should automatically boot into the installed OS image. +=== + +#. Follow the instructions `here <use-efi-system-partition-fvp_>`__ to use the ESP. -To cold boot: +#. Run the software stack as described `here <running-software-stack-fvp_>`__. - :: +#. On the Host Processor terminal host side, stop the execution of U-Boot when prompted to do so with the message ``Press any key to stop``. - kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c "../meta-arm/scripts/runfvp --terminals=xterm -- -C board.msd_mmc.p_mmc_file=<_workspace>/os_file.img" + .. warning:: + There is a timeout of 3 seconds to stop the execution at the U-Boot prompt. -The board will then enter recovery mode, from which the user can access a shell -after entering the password for the root user. + The U-Boot console prompt looks as follows: + + .. code-block:: console + + corstone1000# -**NOTE:** To manually enter recovery mode, once the FVP begins booting, you can quickly -change the boot option in grub, to boot into recovery mode. This option will disappear -quickly, so it's best to preempt it. + .. important:: + + The rest of the instructions below will be executed on the U-Boot terminal. -Select 'Advanced Options for '<OS>' and then '<OS> (recovery mode)'. +#. On the U-Boot console, set the current MMC device. -Common -============== + .. code-block:: console -Proceed to edit the following files accordingly: + corstone1000# mmc dev 1 -:: +#. Enroll the four UEFI secure boot authenticated variables. - #Only applicable to Debian - vi /etc/systemd/system.conf - DefaultDeviceTimeoutSec=infinity + .. 
code-block:: console -:: + corstone1000# \ + load mmc 1:1 $loadaddr corstone1000_secureboot_keys/PK.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize PK; \ + load mmc 1:1 $loadaddr corstone1000_secureboot_keys/KEK.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize KEK; \ + load mmc 1:1 $loadaddr corstone1000_secureboot_keys/db.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize db; \ + load mmc 1:1 $loadaddr corstone1000_secureboot_keys/dbx.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize dbx - #Only applicable to openSUSE - vi /usr/lib/systemd/system.conf - DefaultDeviceTimeoutSec=infinity +#. Attempt to Load the unsigned kernel image. - The system.conf has been moved from /etc/systemd/ to /usr/lib/systemd/ and directly modifying - the /usr/lib/systemd/system.conf is not working and it is getting overridden. We have to create - drop ins system configurations in /etc/systemd/system.conf.d/ directory. So, copy the - /usr/lib/systemd/system.conf to /etc/systemd/system.conf.d/ directory after the mentioned modifications. + .. code-block:: console -The file to be edited next is different depending on the installed distro: + corstone1000# \ + load mmc 1:1 $loadaddr corstone1000_secureboot_fvp_images/Image_fvp; \ + loadm $loadaddr $kernel_addr_r $filesize; \ + bootefi $kernel_addr_r $fdtcontroladdr -:: + Booting /MemoryMapped(0x0,0x88200000,0x236aa00) + Image not authenticated + Loading image failed - vi /etc/login.defs # Only applicable to Debian - vi /usr/etc/login.defs # Only applicable to openSUSE - LOGIN_TIMEOUT 180 +The unsigned Linux kernel image should not be loaded. -To make sure the changes are applied, please run: +.. _unsigned-image-boot-test-mps3: -:: +MPS3 +==== - systemctl daemon-reload +#. Follow the instructions `here <use-efi-system-partition-mps3_>`__ to use the ESP. -After applying the previous commands, please reboot the board or restart the runfvp command. +#. Perform a cold boot of the MPS3. 
-The user should see a login prompt after booting, for example, for debian: +#. On the Host Processor terminal host side, stop the execution of U-Boot when prompted to do so with the message ``Press any key to stop``. -:: + .. warning:: - debian login: + There is a timeout of 3 seconds to stop the execution at the U-Boot prompt. -Login with the username root and its corresponding password (already set at -installation time). + The U-Boot console prompt looks as follows: + + .. code-block:: console + + corstone1000# -**NOTE:** Debian/OpenSUSE Timeouts are not applicable for all systems. Some systems are faster than the others (especially when running the FVP) and works well with default timeouts. If the system boots to Debian or OpenSUSE unmodified, the user can skip this section. + .. important:: + + The rest of the instructions below will be executed on the U-Boot terminal. -PSA API tests -------------- +#. On the U-Boot console, reset USB. -*********************************************************** -Run PSA API test commands (applicable to both FPGA and FVP) -*********************************************************** + .. code-block:: console -When running PSA API test commands (aka PSA Arch Tests) on MPS3 FPGA, the user should make sure there is no -USB stick connected to the board. Power on the board and boot the board to -Linux. Then, the user should follow the steps below to run the tests. + corstone1000# usb reset + resetting USB... + Bus usb@40200000: isp1763 bus width: 16, oc: not available + USB ISP 1763 HW rev. 32 started + scanning bus usb@40200000 for devices... port 1 high speed + 3 USB Device(s) found + scanning usb for storage devices... 1 Storage Device(s) found -When running the tests on the Corstone-1000 FVP, the user should follow the -instructions in `Running the software on FVP`_ section to boot Linux in FVP -host_terminal_0, and login using the username ``root``. + .. 
note:: -First, load FF-A TEE kernel module: + Occasionally, the USB reset may fail to detect the USB device. It is advisable to rerun the USB reset command. -:: +#. Select the first USB device, which should be the USB drive containing the ESP. - insmod /lib/modules/*-yocto-standard/updates/arm-tstee.ko + .. code-block:: console -Then, check whether the FF-A TEE driver is loaded correctly by using the following command: + corstone1000# usb dev 0 -:: +#. Enroll the four UEFI secure boot authenticated variables. - cat /proc/modules | grep arm_tstee + .. code-block:: console -The output should be similar to: + corstone1000# \ + load usb 0 $loadaddr corstone1000_secureboot_keys/PK.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize PK; \ + load usb 0 $loadaddr corstone1000_secureboot_keys/KEK.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize KEK; \ + load usb 0 $loadaddr corstone1000_secureboot_keys/db.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize db; \ + load usb 0 $loadaddr corstone1000_secureboot_keys/dbx.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize dbx -:: +#. Attempt to Load the unsigned kernel image. - arm_tstee 16384 - - Live 0xffffffc000510000 (O) + .. code-block:: console -Now, run the PSA API tests in the following order: + corstone1000# \ + load usb 0 $loadaddr corstone1000_secureboot_mps3_images/Image_mps3 + loadm $loadaddr $kernel_addr_r $filesize + bootefi $kernel_addr_r $fdtcontroladdr -:: + Booting /MemoryMapped(0x0,0x88200000,0x236aa00) + Image not authenticated + Loading image failed - psa-iat-api-test - psa-crypto-api-test - psa-its-api-test - psa-ps-api-test +The unsigned Linux kernel image should not be loaded. 
+************************** +Run Signed Image Boot Test +************************** -UEFI Secureboot (SB) test -------------------------- +FVP +=== -Before running the SB test, the user should make sure that the `FVP and FPGA software has been compiled and the ESP image for both the FVP and FPGA has been created` as mentioned in the previous sections and user should use the same workspace directory under which sources have been compiled. -The SB test is applicable on both the FVP and the FPGA and this involves testing both the signed and unsigned kernel images. Successful test results in executing the signed image correctly and not allowing the unsigned image to run at all. +.. important:: -*********************************************************** -Below steps are applicable to FVP as well as FPGA -*********************************************************** -Firstly, the flash firmware image has to be built for both the FVP and FPGA as follows: + You must first perform the `Unsigned Image Boot Test <unsigned-image-boot-test-fvp_>`__. -For FVP, +Load the signed kernel image. -:: +.. code-block:: console - kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c bitbake -c build corstone1000-flash-firmware-image" + corstone1000# \ + load mmc 1:1 $loadaddr corstone1000_secureboot_fvp_images/Image_fvp.signed; \ + loadm $loadaddr $kernel_addr_r $filesize; \ + bootefi $kernel_addr_r $fdtcontroladdr +The signed Linux kernel image should be booted successfully. -For FPGA, +MPS3 +==== -:: +.. important:: - kas shell meta-arm/kas/corstone1000-mps3.yml:meta-arm/ci/debug.yml -c bitbake -c build corstone1000-flash-firmware-image" + You must first perform the `Unsigned Image Boot Test <unsigned-image-boot-test-mps3_>`__. -In order to test SB for FVP and FPGA, a bash script is available in the systemready-patch repo which is responsible in creating the relevant keys, sign the respective kernel images, and copy the same in their corresponding ESP images. 
+Load the signed kernel image. -Clone the systemready-patch repo under <_workspace. Then, change directory to where the script `create_keys_and_sign.sh` is and execute the script as follows: +.. code-block:: console -:: + corstone1000# \ + load usb 0 $loadaddr corstone1000_secureboot_mps3_images/Image_mps3.signed; \ + loadm $loadaddr $kernel_addr_r $filesize; \ + bootefi $kernel_addr_r $fdtcontroladdr - git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2024.06 - cd systemready-patch/embedded-a/corstone1000/secureboot/ +The signed Linux kernel image should be booted successfully. -**NOTE:** The efitools package is required to execute the script. Install the efitools package on your system, if it doesn't exist. -The script is responsible to create the required UEFI secureboot keys, sign the kernel images and copy the public keys and the kernel images (both signed and unsigned) to the ESP image for both the FVP and FPGA. +******************* +Disable Secure Boot +******************* -:: +Running the UEFI Secure Boot Test steps stores UEFI authenticated variables in the secure flash. +As a result, U-Boot reads these variables and verifies the Linux kernel image before executing it at each reboot. - ./create_keys_and_sign.sh -w <Absolute path to <workdir> directory under which sources have been compiled> -v <certification validity in days> - For ex: ./create_keys_and_sign.sh -w "/home/xyz/workspace/meta-arm" -v 365 - For help: ./create_keys_and_sign.sh -h +In a typical boot scenario, the Linux kernel image is not signed, which will prevent the system from booting due to failed image authentication. +To resolve this, the Platform Key (one of the UEFI authenticated variables for secure boot) needs to be deleted. -**NOTE:** The above script is interactive and contains some commands that would require sudo password/permissions. +#. Perform a cold boot of the MPS3. 
-After executing the above script, the relevant keys and the signed/unsigned kernel images will be copied to the ESP images for both the FVP and FGPA. The modified ESP images can be found at the same location i.e. +#. On the Host Processor terminal host side, stop the execution of U-Boot when prompted to do so with the message ``Press any key to stop``. -:: +#. On the U-Boot console, delete the Platform Key (PK). - For MPS3 FPGA : _workspace/meta-arm/build/tmp/deploy/images/corstone1000-mps3/corstone1000-esp-image-corstone1000-mps3.wic - For FVP : _workspace/meta-arm/build/tmp/deploy/images/corstone1000-fvp/corstone1000-esp-image-corstone1000-fvp.wic + - FVP -Now, it is time to test the SB for the Corstone-1000 + .. code-block:: console + corstone1000# \ + mmc dev 1; \ + load mmc 1:1 $loadaddr corstone1000_secureboot_keys/PK_delete.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize PK; \ + boot -*********************************************************** -Steps to test SB on FVP -*********************************************************** -Now, as mentioned in the previous section **Prepare EFI System Partition**, the ESP image will be used automatically in the Corstone-1000 FVP as the 2nd MMC card image. Change directory to your workspace and run the FVP as follows: + - MPS3 -:: + .. code-block:: console - kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml -c "../meta-arm/scripts/runfvp --terminals=xterm" + corstone1000# \ + usb reset; \ + usb dev 0; \ + load usb 0 $loadaddr corstone1000_secureboot_keys/PK_delete.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize PK; \ + boot -When the script is executed, three terminal instances will be launched, one for the boot processor (aka Secure Enclave) processing element and two for the Host processing element. On the host side, stop the execution at the U-Boot prompt which looks like `corstone1000#`. There is a timeout of 3 seconds to stop the execution at the U-Boot prompt. 
At the U-Boot prompt, run the following commands: -Set the current mmc device +PSA API +------- -:: +The following tests the implementation of the Application Programming Interface (API) +of the Platform Security Architecture (PSA) certification scheme. It uses Arm Firmware Framework for Arm A-profile (FF-A) +to communicate between the normal world and the secure world to run the `Arm Platform Security Architecture Test Suite <https://github.com/ARM-software/psa-arch-tests>`__. - corstone1000# mmc dev 1 +The tests use the `arm_tstee` driver to access Trusted Services Secure Partitions from user space. The driver is included in the Linux Kernel, starting from v6.10. -Enroll the four UEFI Secureboot authenticated variables +.. important:: + Ensure there are no USB drives connected to the board when running the test on the MPS3. -:: - corstone1000# load mmc 1:1 ${loadaddr} corstone1000_secureboot_keys/PK.auth && setenv -e -nv -bs -rt -at -i ${loadaddr}:$filesize PK - corstone1000# load mmc 1:1 ${loadaddr} corstone1000_secureboot_keys/KEK.auth && setenv -e -nv -bs -rt -at -i ${loadaddr}:$filesize KEK - corstone1000# load mmc 1:1 ${loadaddr} corstone1000_secureboot_keys/db.auth && setenv -e -nv -bs -rt -at -i ${loadaddr}:$filesize db - corstone1000# load mmc 1:1 ${loadaddr} corstone1000_secureboot_keys/dbx.auth && setenv -e -nv -bs -rt -at -i ${loadaddr}:$filesize dbx +The steps below are applicable to both MPS3 and FVP). -Now, load the unsigned FVP kernel image and execute it. This unsigned kernel image should not boot and result as follows +#. Start the Corstone-1000 and wait until it boots to Linux on the Host Processor terminal (``ttyUSB2``). -:: +#. Run the PSA API tests by running the commands below in the order shown: - corstone1000# load mmc 1:1 ${loadaddr} corstone1000_secureboot_fvp_images/Image_fvp - corstone1000# loadm $loadaddr $kernel_addr_r $filesize - corstone1000# bootefi $kernel_addr_r $fdtcontroladdr + .. 
code-block:: console - Booting /MemoryMapped(0x0,0x88200000,0x236aa00) - Image not authenticated - Loading image failed + psa-iat-api-test + psa-crypto-api-test + psa-its-api-test + psa-ps-api-test -The next step is to verify the signed linux kernel image. Load the signed kernel image and execute it as follows: -:: +External System Processor +------------------------- - corstone1000# load mmc 1:1 ${loadaddr} corstone1000_secureboot_fvp_images/Image_fvp.signed - corstone1000# loadm $loadaddr $kernel_addr_r $filesize - corstone1000# bootefi $kernel_addr_r $fdtcontroladdr +.. important:: -The above set of commands should result in booting of signed linux kernel image successfully. + Access to the External System Processor is disabled by default. + Ensure you are running a software stack image with access to the External System Processor enabled following the steps `here <building-the-software-stack_>`__. +The Linux operating system running on the Host Processor starts the ``remoteproc`` framework to manage the External System Processor. -*********************************************************** -Steps to test SB on MPS3 FPGA -*********************************************************** -Now, as mentioned in the previous section **Prepare EFI System Partition**, the ESP image for MPS3 FPGA needs to be copied to the USB drive. -Follow the steps mentioned in the same section for MPS3 FPGA to prepare the USB drive with the ESP image. The modified ESP image corresponds to MPS3 FPGA can be found at the location as mentioned before i.e. `_workspace/meta-arm/build/tmp/deploy/images/corstone1000-mps3/corstone1000-esp-image-corstone1000-mps3.wic`. -Insert this USB drive to the MPS3 FPGA and boot, and stop the execution at the U-Boot prompt similar to the FVP. At the U-Boot prompt, run the following commands: -Reset the USB +#. Stop the External System Processor with the following command: -:: + .. code-block:: console - corstone1000# usb reset - resetting USB... 
- Bus usb@40200000: isp1763 bus width: 16, oc: not available - USB ISP 1763 HW rev. 32 started - scanning bus usb@40200000 for devices... port 1 high speed - 3 USB Device(s) found - scanning usb for storage devices... 1 Storage Device(s) found + echo stop > /sys/class/remoteproc/remoteproc0/state -**NOTE:** Sometimes, the usb reset doesn't recognize the USB device. It is recomended to rerun the usb reset command. +#. Start the External System Processor with the following command: -Set the current USB device + .. code-block:: console -:: + echo start > /sys/class/remoteproc/remoteproc0/state - corstone1000# usb dev 0 -Enroll the four UEFI Secureboot authenticated variables +Symmetric Multiprocessing +------------------------- -:: +.. warning:: - corstone1000# load usb 0 $loadaddr corstone1000_secureboot_keys/PK.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize PK - corstone1000# load usb 0 $loadaddr corstone1000_secureboot_keys/KEK.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize KEK - corstone1000# load usb 0 $loadaddr corstone1000_secureboot_keys/db.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize db - corstone1000# load usb 0 $loadaddr corstone1000_secureboot_keys/dbx.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize dbx + Symmetric multiprocessing (SMP) mode is only supported on FVP but is disabled by default. -Now, load the unsigned MPS3 FPGA linux kernel image and execute it. This unsigned kernel image should not boot and result as follows +#. Build the software stack with SMP mode enabled: -:: + .. code-block:: console - corstone1000# load usb 0 $loadaddr corstone1000_secureboot_mps3_images/Image_mps3 - corstone1000# loadm $loadaddr $kernel_addr_r $filesize - corstone1000# bootefi $kernel_addr_r $fdtcontroladdr + kas build meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml:meta-arm/kas/corstone1000-fvp-multicore.yml - Booting /MemoryMapped(0x0,0x88200000,0x236aa00) - Image not authenticated - Loading image failed +#. 
Run the Corstone-1000 FVP: -The next step is to verify the signed linux kernel image. Load the signed kernel image and execute it as follows: + .. code-block:: console -:: + kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml:meta-arm/kas/corstone1000-fvp-multicore.yml \ + -c "../meta-arm/scripts/runfvp" - corstone1000# load usb 0 $loadaddr corstone1000_secureboot_mps3_images/Image_mps3.signed - corstone1000# loadm $loadaddr $kernel_addr_r $filesize - corstone1000# bootefi $kernel_addr_r $fdtcontroladdr -The above set of commands should result in booting of signed linux kernel image successfully. +#. Verify that the FVP is running the Host Processor with more than one CPU core: -*********************************************************** -Steps to disable Secureboot on both FVP and MPS3 FPGA -*********************************************************** -Now, after testing the SB, UEFI authenticated variables get stored in the secure flash. When you try to reboot, the U-Boot will automatically read the UEFI authenticated variables and authenticates the images before executing them. In normal booting scenario, the linux kernel images will not be signed and hence this will not allow the system to boot, as image authentication will fail. We need to delete the Platform Key (one of the UEFI authenticated variable for SB) in order to disable the SB. At the U-Boot prompt, run the following commands. + .. code-block:: console -On the FVP + nproc + 4 # number of processing units -:: +Secure Debug +------------ - corstone1000# mmc dev 1 - corstone1000# load mmc 1:1 $loadaddr corstone1000_secureboot_keys/PK_delete.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize PK - corstone1000# boot +.. warning:: -On the MPS3 FPGA + Secure Debug is only supported on MPS3. -:: +The MPS3 supports Authenticated Debug Access Control (ADAC), using the CoreSight SDC-600 IP. 
- corstone1000# usb reset - corstone1000# usb dev 0 - corstone1000# load usb 0 $loadaddr corstone1000_secureboot_keys/PK_delete.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize PK - corstone1000# boot +For more information about this, see the following resources: -The above commands will delete the Platform key (PK) and allow the normal system boot flow without SB. + - `CoreSight SDC-600 <https://developer.arm.com/Processors/CoreSight%20SDC-600>`__ + - `Authenticated Debug Access Control Specification <https://developer.arm.com/documentation/den0101/latest/>`__ + - `Arm Corstone-1000 for MPS3 Application Note AN550, Chapter 7 <https://developer.arm.com/documentation/dai0550/latest/>`__ +The Secure Debug Manager API is implemented in the `secure-debug-manager <https://github.com/ARM-software/secure-debug-manager>`__ repository. +This repository also contains the necessary files for the Arm Development Studio support. +The build and integration instructions can be found in its `README <secure-debug-manager-repo-readme_>`__. -Testing the External System ---------------------------- +The `secure-debug-manager` repository also contains the private key and chain certificate to be used during the tests. +The private key's public pair is provisioned into the One-Time Programmable memory in TrustedFirmware-M. These are dummy keys that should not be used in production. -During Linux boot the remoteproc subsystem automatically starts -the external system. +To test the Secure Debug feature, you'll need a debug probe from the DSTREAM family and Arm Development Studio versions 2022.2, 2022.c, or 2023.a. -The external system can be switched on/off on demand with the following commands: -:: +#. Clone the `secure-debug-manager` repository to your workspace. - echo stop > /sys/class/remoteproc/remoteproc0/state + .. 
code-block:: console -:: + cd $WORKSPACE + git clone https://github.com/ARM-software/secure-debug-manager.git - echo start > /sys/class/remoteproc/remoteproc0/state +#. Navigate into the repository directory and checkout the specific commit in the listing below. -Tests results -------------- + .. code-block:: console + + cd $WORKSPACE/secure-debug-manager + git checkout b30d6496ca749123e86b39b161b9f70ef76106d6 + +#. Follow the steps in the `secure-debug-manager`'s `README <secure-debug-manager-repo-readme_>`__ for the development machine setup. + +#. Rebuild the software stack with Secure Debug. + + .. code-block:: console + + kas build meta-arm/kas/corstone1000-mps3.yml:meta-arm/ci/debug.yml:meta-arm/ci/secure-debug.yml + +#. Flash the firmware image as shown `here <flashing-firmware-images_>`__. + +#. Run the software as shown `here <running-software-stack-mps3_>`__. + +#. Wait until the Secure Enclave terminal (``ttyUSB1``) prints the following prompts: + + .. code-block:: console + + IComPortInit : 382 : warn : init : IComPortInit: Blocked reading of LPH2RA is active. + IComPortInit : 383 : warn : init : IComPortInit: Blocked reading LPH2RA + + +#. Connect the debug probe to the MPS3 using the 20-pin 1.27mm connector with the ``CS_20W_1.27MM silkscreen`` label. + +#. Create a debug configuration in Arm Development Studio as described in the `secure-debug-manager`'s `README <https://github.com/ARM-software/secure-debug-manager?tab=readme-ov-file#arm-development-studio-integration>`__. + +#. Connect the debuger to the target using the debug configuration. + +#. Provide the paths to the private key and trust chain certificate when asked by Arm Development Studio Console. + + .. code-block:: console + + ... 
+ + Please provide private key file path: + Enter file path > $WORKSPACE\secure-debug-manager\example\data\keys\EcdsaP256Key-3.pem + + Please provide trust chain file path: + Enter file path > $WORKSPACE\secure-debug-manager\example\data\chains\chain.EcdsaP256-3 + + ... + +#. When successful authenticated, Arm Development Studio will connect to the running MS3 and the debug features can be used. + The following prompt should appear in the Secure Enclave terminal (``ttyUSB1``): + + .. code-block:: console + + ... + boot_platform_init: Corstone-1000 Secure Debug is a success. + ... + + +Reports +------- +Various test reports for the `Corstone-1000 software (CORSTONE1000-2024.11) <https://git.yoctoproject.org/meta-arm/tag/?h=CORSTONE1000-2024.11>`__ +release version are available for reference `here <https://gitlab.arm.com/arm-reference-solutions/arm-reference-solutions-test-report/-/tree/CORSTONE1000-2024.11/embedded-a/corstone1000/CORSTONE1000-2024.11?ref_type=tags>`__. -As a reference for the end user, reports for various tests for `Corstone-1000 software (CORSTONE1000-2024.06) <https://git.yoctoproject.org/meta-arm/tag/?h=CORSTONE1000-2024.06>`__ -can be found `here <https://gitlab.arm.com/arm-reference-solutions/arm-reference-solutions-test-report/-/tree/CORSTONE1000-2024.06/embedded-a/corstone1000/CORSTONE1000-2024.06?ref_type=tags>`__. -------------- *Copyright (c) 2022-2024, Arm Limited. All rights reserved.* .. _Arm Ecosystem FVPs: https://developer.arm.com/tools-and-software/open-source-software/arm-platforms-software/arm-ecosystem-fvps -.. _U-Boot repo: https://github.com/u-boot/u-boot.git +.. _secure-debug-manager-repo-readme: https://github.com/ARM-software/secure-debug-manager/blob/master/README.md diff --git a/meta-arm/meta-arm-bsp/lib/oeqa/runtime/cases/parselogs-ignores-corstone1000-fvp.txt b/meta-arm/meta-arm-bsp/lib/oeqa/runtime/cases/parselogs-ignores-corstone1000-fvp.txt new file mode 100644 index 0000000000..63cef943e7 --- /dev/null 
+++ b/meta-arm/meta-arm-bsp/lib/oeqa/runtime/cases/parselogs-ignores-corstone1000-fvp.txt @@ -0,0 +1,8 @@ +psci: failed to boot CPU1 (-95) +CPU1: failed to boot: -95 +psci: failed to boot CPU2 (-95) +CPU2: failed to boot: -95 +psci: failed to boot CPU3 (-95) +CPU3: failed to boot: -95 +ARM FF-A: Notification setup failed -95, not enabled +ARM FF-A: Failed to register driver sched callback -95 diff --git a/meta-arm/meta-arm-bsp/lib/oeqa/runtime/cases/parselogs-ignores-fvp-base.txt b/meta-arm/meta-arm-bsp/lib/oeqa/runtime/cases/parselogs-ignores-fvp-base.txt new file mode 100644 index 0000000000..eaffc18155 --- /dev/null +++ b/meta-arm/meta-arm-bsp/lib/oeqa/runtime/cases/parselogs-ignores-fvp-base.txt @@ -0,0 +1 @@ +basic-mmio-gpio: Failed to locate of_node [id: -2] diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-flash-firmware-image.bb b/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-flash-firmware-image.bb index 4a32192d6a..73cc32aa25 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-flash-firmware-image.bb +++ b/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-flash-firmware-image.bb @@ -53,9 +53,11 @@ TFM_SIGN_PRIVATE_KEY = "${libdir}/tfm-scripts/root-RSA-3072_1.pem" RE_IMAGE_OFFSET = "0x1000" # Offsets for the .nopt image generation -TFM_OFFSET = "102400" -FIP_OFFSET = "479232" -KERNEL_OFFSET = "2576384" +# These offset values have to be aligned with those in +# meta-arm/meta-arm-bsp/wic/corstone1000-flash-firmware.wks.in +TFM_OFFSET = "147456" +FIP_OFFSET = "475136" +KERNEL_OFFSET = "2572288" do_sign_images() { # Sign TF-A BL2 diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0002-fix-corstone1000-pass-spsr-value-explicitly.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0002-fix-corstone1000-pass-spsr-value-explicitly.patch index 4a08abb60f..276d095d5f 100644 
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0002-fix-corstone1000-pass-spsr-value-explicitly.patch +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0002-fix-corstone1000-pass-spsr-value-explicitly.patch @@ -6,7 +6,7 @@ Subject: [PATCH] fix(corstone1000): pass spsr value explicitly Passes spsr value for BL32 (OPTEE) explicitly between different boot stages. -Upstream-Status: Pending +Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/30116/2] Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com> --- .../corstone1000/common/corstone1000_bl2_mem_params_desc.c | 3 ++- diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0004-fix-corstone1000-remove-unused-NS_SHARED_RAM-region.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0003-fix-corstone1000-remove-unused-NS_SHARED_RAM-region.patch index 6028204860..f9a0c1166f 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0004-fix-corstone1000-remove-unused-NS_SHARED_RAM-region.patch +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0003-fix-corstone1000-remove-unused-NS_SHARED_RAM-region.patch @@ -9,7 +9,7 @@ for BL32 image, this patch removes NS_SHARED_RAM region which is not currently u corstone1000 platform. Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com> -Upstream-Status: Pending +Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/30117/2] --- .../corstone1000/common/corstone1000_plat.c | 1 - .../common/include/platform_def.h | 19 +------------------ 
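Review bot: the new `Upstream-Status: Submitted [...]` line in the 0003-fix-corstone1000-remove-unused-NS_SHARED_RAM-region.patch header links to `/+/30117/2`, which pins one patchset of the Gerrit change. Link the change itself (`/+/30117`) so the reference still points at the current revision once the review is updated. The tag also sits after `Signed-off-by:` here but before it in the 0002 patch header above; pick one order for the series.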
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0003-fix-spmd-remove-EL3-interrupt-registration.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0003-fix-spmd-remove-EL3-interrupt-registration.patch deleted file mode 100644 index ea7a29139c..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0003-fix-spmd-remove-EL3-interrupt-registration.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 684b8f88238f522b52eb102485762e02e6b1671a Mon Sep 17 00:00:00 2001 -From: Emekcan Aras <Emekcan.Aras@arm.com> -Date: Fri, 23 Feb 2024 13:17:59 +0000 -Subject: [PATCH] fix(spmd): remove EL3 interrupt registration - -This configuration should not be done for corstone1000 and similar -platforms. GICv2 systems only support EL3 interrupts and can have SEL1 component -as SPMC. - -Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com> -Upstream-Status: Inappropriate [Discussions of fixing this in a better way is ongoing in upstream] ---- - services/std_svc/spmd/spmd_main.c | 24 ------------------------ - 1 file changed, 24 deletions(-) - -diff --git a/services/std_svc/spmd/spmd_main.c b/services/std_svc/spmd/spmd_main.c -index 066571e9b..313f05bf3 100644 ---- a/services/std_svc/spmd/spmd_main.c -+++ b/services/std_svc/spmd/spmd_main.c -@@ -580,30 +580,6 @@ static int spmd_spmc_init(void *pm_addr) - panic(); - } - -- /* -- * Permit configurations where the SPM resides at S-EL1/2 and upon a -- * Group0 interrupt triggering while the normal world runs, the -- * interrupt is routed either through the EHF or directly to the SPMD: -- * -- * EL3_EXCEPTION_HANDLING=0: the Group0 interrupt is routed to the SPMD -- * for handling by spmd_group0_interrupt_handler_nwd. -- * -- * EL3_EXCEPTION_HANDLING=1: the Group0 interrupt is routed to the EHF. -- * -- */ --#if (EL3_EXCEPTION_HANDLING == 0) -- /* -- * Register an interrupt handler routing Group0 interrupts to SPMD -- * while the NWd is running. -- */ -- rc = register_interrupt_type_handler(INTR_TYPE_EL3, -- spmd_group0_interrupt_handler_nwd, -- flags); -- if (rc != 0) { -- panic(); -- } --#endif -- - return 0; - } - --- -2.25.1 - - 
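Review bot: nothing in this change explains why 0003-fix-spmd-remove-EL3-interrupt-registration.patch can be dropped, and the deleted header itself says the upstream discussion was still ongoing (`Upstream-Status: Inappropriate`). The code that patch removed calls `register_interrupt_type_handler(INTR_TYPE_EL3, ...)` in `spmd_spmc_init()` and hits `panic()` on a non-zero return when `EL3_EXCEPTION_HANDLING == 0`, which the patch description says should not happen on GICv2 platforms such as corstone1000. Please name the upstream TF-A change that makes the workaround unnecessary, or confirm that corstone1000 still boots with the SPMC at S-EL1 without it.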
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0005-fix-corstone1000-clean-the-cache-and-disable-interru.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0004-fix-corstone1000-clean-the-cache-and-disable-interru.patch index a45b657713..e92cb5f9bf 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0005-fix-corstone1000-clean-the-cache-and-disable-interru.patch +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0004-fix-corstone1000-clean-the-cache-and-disable-interru.patch @@ -9,7 +9,7 @@ before the reset. This causes a race condition especially in FVP after reset. This adds proper sequence before resetting the platform. Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com> -Upstream-Status: Pending +Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/30118/2] --- plat/arm/board/corstone1000/common/corstone1000_pm.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0006-feat-corstone1000-Add-multicore-support-for-FVP-plat.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0005-feat-corstone1000-Add-multicore-support-for-FVP-plat.patch index 3463044293..2a385d83db 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0006-feat-corstone1000-Add-multicore-support-for-FVP-plat.patch +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0005-feat-corstone1000-Add-multicore-support-for-FVP-plat.patch @@ -1,4 +1,4 @@ -From bd975fbcff8886b3d3ed3268d7b6fa41bd7fba2d Mon Sep 17 00:00:00 2001 +From dcc9cf5111c41edc691f007bd97548d96f5efddb Mon Sep 17 00:00:00 2001 From: Harsimran Singh Tungal <harsimransingh.tungal@arm.com> Date: Thu, 9 May 2024 16:59:34 +0000 Subject: [PATCH] feat(corstone1000): add multicore support for fvp @@ -13,8 +13,8 @@ 
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com> .../common/corstone1000_helpers.S | 26 +++++++++++ .../corstone1000/common/corstone1000_pm.c | 43 ++++++++++++++++++- .../common/include/platform_def.h | 15 ++++++- - plat/arm/board/corstone1000/platform.mk | 8 ++++ - 4 files changed, 90 insertions(+), 2 deletions(-) + plat/arm/board/corstone1000/platform.mk | 7 +++ + 4 files changed, 89 insertions(+), 2 deletions(-) diff --git a/plat/arm/board/corstone1000/common/corstone1000_helpers.S b/plat/arm/board/corstone1000/common/corstone1000_helpers.S index cbe27c3b5..90dc4fee6 100644 @@ -56,10 +56,10 @@ index cbe27c3b5..90dc4fee6 100644 /* --------------------------------------------------------------------- diff --git a/plat/arm/board/corstone1000/common/corstone1000_pm.c b/plat/arm/board/corstone1000/common/corstone1000_pm.c -index 4b0a791e7..9cd384e18 100644 +index a52e945bf..979243317 100644 --- a/plat/arm/board/corstone1000/common/corstone1000_pm.c +++ b/plat/arm/board/corstone1000/common/corstone1000_pm.c -@@ -24,10 +24,51 @@ static void __dead2 corstone1000_system_reset(void) +@@ -33,10 +33,51 @@ static void __dead2 corstone1000_system_reset(void) wfi(); } } @@ -80,7 +80,7 @@ index 4b0a791e7..9cd384e18 100644 +{ + int core_index = plat_core_pos_by_mpidr(mpidr); + uint64_t *secondary_core_hold_base = (uint64_t *)CORSTONE1000_SECONDARY_CORE_HOLD_BASE; -+ + + /* Validate the core index */ + if ((core_index < 0) || (core_index > PLATFORM_CORE_COUNT)) { + return PSCI_E_INVALID_PARAMS; @@ -91,7 +91,7 @@ index 4b0a791e7..9cd384e18 100644 + + return PSCI_E_SUCCESS; +} - ++ +void corstone1000_pwr_domain_on_finish(const psci_power_state_t *target_state) +{ + (void)target_state; @@ -113,10 +113,10 @@ index 4b0a791e7..9cd384e18 100644 const plat_psci_ops_t *plat_arm_psci_override_pm_ops(plat_psci_ops_t *ops) 
diff --git a/plat/arm/board/corstone1000/common/include/platform_def.h b/plat/arm/board/corstone1000/common/include/platform_def.h -index 35bb6ad5c..56e124f96 100644 +index b9a1d43df..c4839ccf3 100644 --- a/plat/arm/board/corstone1000/common/include/platform_def.h +++ b/plat/arm/board/corstone1000/common/include/platform_def.h -@@ -251,7 +251,20 @@ +@@ -249,7 +249,20 @@ */ #define ARM_LOCAL_STATE_OFF U(2) @@ -139,11 +139,11 @@ index 35bb6ad5c..56e124f96 100644 #define PLAT_ARM_NS_IMAGE_BASE (BL33_BASE) diff --git a/plat/arm/board/corstone1000/platform.mk b/plat/arm/board/corstone1000/platform.mk -index dcd0df844..71b7f324c 100644 +index fd08803e8..45092ace9 100644 --- a/plat/arm/board/corstone1000/platform.mk +++ b/plat/arm/board/corstone1000/platform.mk -@@ -31,6 +31,14 @@ override NEED_BL31 := yes - NEED_BL32 := yes +@@ -31,6 +31,13 @@ override NEED_BL31 := yes + NEED_BL32 ?= yes override NEED_BL33 := yes +ENABLE_MULTICORE := 0 @@ -153,10 +153,9 @@ index dcd0df844..71b7f324c 100644 +endif +endif + -+ - # Include GICv2 driver files - include drivers/arm/gic/v2/gicv2.mk - + # Add CORSTONE1000_WITH_BL32 as a preprocessor define (-D option) + ifeq (${NEED_BL32},yes) + $(eval $(call add_define,CORSTONE1000_WITH_BL32)) -- -2.34.1 +2.25.1 diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0006-feat-corstone1000-include-platform-header-file.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0006-feat-corstone1000-include-platform-header-file.patch new file mode 100644 index 0000000000..133101436d --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/corstone1000/0006-feat-corstone1000-include-platform-header-file.patch 
@@ -0,0 +1,28 @@ +From 8070bf4a89492727b6da3fb7bdec61748eae1d7d Mon Sep 17 00:00:00 2001 +From: Harsimran Singh Tungal <harsimransingh.tungal@arm.com> +Date: Tue, 2 Jul 2024 12:49:12 +0000 +Subject: [PATCH] fix(corstone1000): include platform header file + +Include platform.h file in order to remove compiler warnings + +Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/29727] +Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com> +--- + plat/arm/board/corstone1000/common/corstone1000_pm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/plat/arm/board/corstone1000/common/corstone1000_pm.c b/plat/arm/board/corstone1000/common/corstone1000_pm.c +index 979243317..9babe5b11 100644 +--- a/plat/arm/board/corstone1000/common/corstone1000_pm.c ++++ b/plat/arm/board/corstone1000/common/corstone1000_pm.c +@@ -8,6 +8,7 @@ + #include <plat/arm/common/plat_arm.h> + #include <platform_def.h> + #include <drivers/arm/gicv2.h> ++#include <plat/common/platform.h> + /******************************************************************************* + * Export the platform handlers via plat_arm_psci_pm_ops. The ARM Standard + * platform layer will take care of registering the handlers with PSCI. +-- +2.34.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/fvp-base/0001-fdts-fvp-base-Add-stdout-path-and-virtio-net-and-rng.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/fvp-base/0001-fdts-fvp-base-Add-stdout-path-and-virtio-net-and-rng.patch deleted file mode 100644 index 4d0019a501..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/fvp-base/0001-fdts-fvp-base-Add-stdout-path-and-virtio-net-and-rng.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From b79d3cf319cc5698311ef83247110c93d3c2de2c Mon Sep 17 00:00:00 2001 -Message-Id: <b79d3cf319cc5698311ef83247110c93d3c2de2c.1695834344.git.diego.sueiro@arm.com> -From: Diego Sueiro <diego.sueiro@arm.com> -Date: Wed, 27 Sep 2023 18:05:26 +0100 -Subject: [PATCH] fdts/fvp-base: Add stdout-path and virtio net and rng nodes - -Upstream-Status: Pending -Signed-off-by: Diego Sueiro <diego.sueiro@arm.com> ---- - fdts/fvp-base-psci-common.dtsi | 8 ++++++-- - fdts/rtsm_ve-motherboard.dtsi | 12 ++++++++++++ - 2 files changed, 18 insertions(+), 2 deletions(-) - -diff --git a/fdts/fvp-base-psci-common.dtsi b/fdts/fvp-base-psci-common.dtsi -index 79cf37d3b0..b1ba5ce703 100644 ---- a/fdts/fvp-base-psci-common.dtsi -+++ b/fdts/fvp-base-psci-common.dtsi -@@ -30,7 +30,9 @@ - #if (ENABLE_RME == 1) - chosen { bootargs = "console=ttyAMA0 earlycon=pl011,0x1c090000 root=/dev/vda ip=on";}; - #else -- chosen {}; -+ chosen { -+ stdout-path = &v2m_serial0; -+ }; - #endif - - aliases { -@@ -243,6 +245,8 @@ - <0 0 39 &gic 0 GIC_SPI 39 IRQ_TYPE_LEVEL_HIGH>, - <0 0 40 &gic 0 GIC_SPI 40 IRQ_TYPE_LEVEL_HIGH>, - <0 0 41 &gic 0 GIC_SPI 41 IRQ_TYPE_LEVEL_HIGH>, -- <0 0 42 &gic 0 GIC_SPI 42 IRQ_TYPE_LEVEL_HIGH>; -+ <0 0 42 &gic 0 GIC_SPI 42 IRQ_TYPE_LEVEL_HIGH>, -+ <0 0 44 &gic 0 GIC_SPI 44 IRQ_TYPE_LEVEL_HIGH>, -+ <0 0 46 &gic 0 GIC_SPI 46 IRQ_TYPE_LEVEL_HIGH>; - }; - }; -diff --git a/fdts/rtsm_ve-motherboard.dtsi b/fdts/rtsm_ve-motherboard.dtsi -index 0a824b349a..21a083a51a 100644 ---- a/fdts/rtsm_ve-motherboard.dtsi -+++ b/fdts/rtsm_ve-motherboard.dtsi -@@ -230,6 +230,18 @@ - interrupts = <42>; - }; - -+ virtio@150000 { -+ compatible = "virtio,mmio"; -+ reg = <0x150000 0x200>; -+ interrupts = <44>; -+ }; -+ -+ virtio@200000 { -+ compatible = "virtio,mmio"; -+ reg = <0x200000 0x200>; -+ interrupts = <46>; -+ }; -+ - rtc@170000 { - compatible = "arm,pl031", "arm,primecell"; - reg = <0x170000 0x1000>; --- -2.39.1 - 
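Review bot: the removal of 0001-fdts-fvp-base-Add-stdout-path-and-virtio-net-and-rng.patch is undocumented, and the patch was still `Upstream-Status: Pending`, so nothing visible here shows that `stdout-path = &v2m_serial0` or the `virtio@150000` and `virtio@200000` nodes (interrupts 44 and 46) exist in the upstream device tree now being built. If they do not, fvp-base images lose the virtio net and rng devices. Cite the upstream commit that carries these nodes, or keep the patch.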
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/rwx-segments.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/rwx-segments.patch deleted file mode 100644 index 403381c9d6..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/rwx-segments.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 051c723a6463a579b05dcaa81f204516737a3645 Mon Sep 17 00:00:00 2001 -From: Ross Burton <ross.burton@arm.com> -Date: Wed, 9 Aug 2023 15:56:03 -0400 -Subject: [PATCH] Binutils 2.39 now warns when a segment has RXW - permissions[1]: - -aarch64-none-elf-ld.bfd: warning: bl31.elf has a LOAD segment with RWX -permissions - -However, TF-A passes --fatal-warnings to LD, so this is a build failure. - -There is a ticket filed upstream[2], so until that is resolved just -remove --fatal-warnings. - -[1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 -[2] https://developer.trustedfirmware.org/T996 - -Upstream-Status: Inappropriate -Signed-off-by: Ross Burton <ross.burton@arm.com> ---- - Makefile | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Makefile b/Makefile -index 1ddb7b84417d..9eae30c923ec 100644 ---- a/Makefile -+++ b/Makefile -@@ -425,7 +425,7 @@ TF_LDFLAGS += $(TF_LDFLAGS_$(ARCH)) - # LD = gcc (used when GCC LTO is enabled) - else ifneq ($(findstring gcc,$(notdir $(LD))),) - # Pass ld options with Wl or Xlinker switches --TF_LDFLAGS += -Wl,--fatal-warnings -O1 -+TF_LDFLAGS += -O1 - TF_LDFLAGS += -Wl,--gc-sections - ifeq ($(ENABLE_LTO),1) - ifeq (${ARCH},aarch64) -@@ -442,7 +442,7 @@ TF_LDFLAGS += $(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH))) - - # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other - else --TF_LDFLAGS += --fatal-warnings -O1 -+TF_LDFLAGS += -O1 - TF_LDFLAGS += --gc-sections - # ld.lld doesn't recognize the errata flags, - # therefore don't add those in that case 
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/tf-a-tests-no-warn-rwx-segments.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/tf-a-tests-no-warn-rwx-segments.patch deleted file mode 100644 index 0193e8cc41..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/files/tf-a-tests-no-warn-rwx-segments.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 6635341615a5bcb36ce71479ee30dae1599081e2 Mon Sep 17 00:00:00 2001 -From: Anton Antonov <anrton.antonov@arm.com> -Date: Wed, 9 Aug 2023 15:56:03 -0400 -Subject: [PATCH] Binutils 2.39 now warns when a segment has RXW - permissions[1]: - -aarch64-poky-linux-musl-ld: tftf.elf has a LOAD segment with RWX permissions - -There is a ticket filed upstream[2], so until that is resolved just -disable the warning - -[1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 -[2] https://developer.trustedfirmware.org/T996 - -Upstream-Status: Inappropriate -Signed-off-by: Anton Antonov <anrton.antonov@arm.com> ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Makefile b/Makefile -index 286a47c7d454..3481187b62cf 100644 ---- a/Makefile -+++ b/Makefile -@@ -246,7 +246,7 @@ TFTF_SOURCES := ${FRAMEWORK_SOURCES} ${TESTS_SOURCES} ${PLAT_SOURCES} ${LIBC_SR - TFTF_INCLUDES += ${PLAT_INCLUDES} - TFTF_CFLAGS += ${COMMON_CFLAGS} - TFTF_ASFLAGS += ${COMMON_ASFLAGS} --TFTF_LDFLAGS += ${COMMON_LDFLAGS} -+TFTF_LDFLAGS += ${COMMON_LDFLAGS} --no-warn-rwx-segments - TFTF_EXTRA_OBJS := - - ifneq (${BP_OPTION},none) diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc index c53bc6cd26..f6677f70ff 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc 
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-corstone1000.inc @@ -6,10 +6,10 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/files/corstone1000:" SRC_URI:append = " \ file://0001-Fix-FF-A-version-in-SPMC-manifest.patch \ file://0002-fix-corstone1000-pass-spsr-value-explicitly.patch \ - file://0003-fix-spmd-remove-EL3-interrupt-registration.patch \ - file://0004-fix-corstone1000-remove-unused-NS_SHARED_RAM-region.patch \ - file://0005-fix-corstone1000-clean-the-cache-and-disable-interru.patch \ - file://0006-feat-corstone1000-Add-multicore-support-for-FVP-plat.patch \ + file://0003-fix-corstone1000-remove-unused-NS_SHARED_RAM-region.patch \ + file://0004-fix-corstone1000-clean-the-cache-and-disable-interru.patch \ + file://0005-feat-corstone1000-Add-multicore-support-for-FVP-plat.patch \ + file://0006-feat-corstone1000-include-platform-header-file.patch \ " TFA_DEBUG = "1" @@ -26,13 +26,13 @@ TFA_SPMD_SPM_AT_SEL2 = "0" # BL2 loads BL32 (optee). So, optee needs to be built first: DEPENDS += "optee-os" -# Note: Regarding the build option: LOG_LEVEL. +# Note: Regarding the build option: LOG_LEVEL. # There seems to be an issue when setting it -# to 50 (LOG_LEVEL_VERBOSE), where the kernel +# to 50 (LOG_LEVEL_VERBOSE), where the kernel # tee driver sends yielding requests to OP-TEE # at a faster pace than OP-TEE processes them, -# as the processing time is consumed by logging -# in TF-A. When this issue occurs, booting halts +# as the processing time is consumed by logging +# in TF-A. When this issue occurs, booting halts # as soon as optee driver starts initialization. # Therefore, it's not currently recommended to # set LOG_LEVEL to 50 at all. diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc index 4c37f7cb72..a5d1ee5351 100644 
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-fvp-base.inc @@ -7,7 +7,6 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/files/:${THISDIR}/files/fvp-base" SRC_URI:append = " \ - file://0001-fdts-fvp-base-Add-stdout-path-and-virtio-net-and-rng.patch \ file://optee_spmc_maifest.dts;subdir=git/plat/arm/board/fvp/fdts \ " diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0001-Platform-Corstone1000-Align-capsule-UEFI-structs.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0001-Platform-Corstone1000-Align-capsule-UEFI-structs.patch new file mode 100644 index 0000000000..fbeb1540f8 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0001-Platform-Corstone1000-Align-capsule-UEFI-structs.patch 
@@ -0,0 +1,97 @@ +From 6ac0d4ce58c1a957c5f086e8c32268fdfc3ea531 Mon Sep 17 00:00:00 2001 +From: Emekcan Aras <emekcan.aras@arm.com> +Date: Thu, 26 Oct 2023 11:46:04 +0100 +Subject: [PATCH 1/9] Platform: Corstone1000: Align capsule UEFI structs + +The UEFI capsules are generated using the U-Boot mkeficapsule tool. +U-Boot uses packed struct for the UEFI and FMP structures, see [1]. +The structs have to be aligned in the TF-M side parser to avoid +crashes. + +[1] https://github.com/u-boot/u-boot/blob/u-boot-2023.07.y/include/efi_api.h#L245 + +Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com> +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +Upstream-Status: Backport [6ac0d4ce58c1a957c5f086e8c32268fdfc3ea531] +--- + .../fw_update_agent/uefi_capsule_parser.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/platform/ext/target/arm/corstone1000/fw_update_agent/uefi_capsule_parser.c b/platform/ext/target/arm/corstone1000/fw_update_agent/uefi_capsule_parser.c +index c706c040a..44566e08d 100644 +--- a/platform/ext/target/arm/corstone1000/fw_update_agent/uefi_capsule_parser.c ++++ b/platform/ext/target/arm/corstone1000/fw_update_agent/uefi_capsule_parser.c +@@ -1,10 +1,11 @@ + /* +- * Copyright (c) 2021, Arm Limited. All rights reserved. ++ * Copyright (c) 2021-2024, Arm Limited. All rights reserved. 
+ * + * SPDX-License-Identifier: BSD-3-Clause + * + */ + ++#include "cmsis_compiler.h" + #include "uefi_capsule_parser.h" + #include "fwu_agent.h" + #include <string.h> +@@ -29,21 +30,21 @@ Update Capsule Structure (UEFI spec 2.9 1004) + Payload n (item_offset[embedded_driver_count + payload_item_count -1]) + */ + +-typedef struct { ++typedef __PACKED_STRUCT { + struct efi_guid capsule_guid; + uint32_t header_size; + uint32_t flags; + uint32_t capsule_image_size; + } efi_capsule_header_t; + +-typedef struct { ++typedef __PACKED_STRUCT { + uint32_t version; + uint16_t embedded_driver_count; + uint16_t payload_item_count; + uint64_t item_offset_list[]; + } efi_firmware_management_capsule_header_t; + +-typedef struct { ++typedef __PACKED_STRUCT { + uint32_t version; + struct efi_guid update_image_type_id; + uint8_t update_image_index; +@@ -54,7 +55,7 @@ typedef struct { + uint64_t image_capsule_support; //introduced in v3 + } efi_firmware_management_capsule_image_header_t; + +-typedef struct { ++typedef __PACKED_STRUCT { + uint32_t signature; + uint32_t header_size; + uint32_t fw_version; +@@ -63,20 +64,20 @@ typedef struct { + + #define ANYSIZE_ARRAY 0 + +-typedef struct { ++typedef __PACKED_STRUCT { + uint32_t dwLength; + uint16_t wRevision; + uint16_t wCertificateType; + uint8_t bCertificate[ANYSIZE_ARRAY]; + } WIN_CERTIFICATE; + +-typedef struct { ++typedef __PACKED_STRUCT { + WIN_CERTIFICATE hdr; + struct efi_guid cert_type; + uint8_t cert_data[ANYSIZE_ARRAY]; + } win_certificate_uefi_guid_t; + +-typedef struct { ++typedef __PACKED_STRUCT { + uint64_t monotonic_count; + win_certificate_uefi_guid_t auth_info; + } efi_firmware_image_authentication_t; +-- +2.25.1 + 
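Review bot: the commit message says the structs "have to be aligned", but changing every `typedef struct` to `typedef __PACKED_STRUCT` removes padding rather than adding alignment; the intent is to match U-Boot's packed layout, and the message should say so. Packing also means 64-bit members such as `uint64_t item_offset_list[]` and `uint64_t monotonic_count` can sit at unaligned addresses inside the capsule buffer, so the parser has to read them through the packed type and never through a plain `uint64_t *` taken from a member. This hunk only changes the layout; it shows no validation of `header_size`, `capsule_image_size` or the `item_offset_list` entries against the capsule length, so please confirm those checks exist elsewhere in uefi_capsule_parser.c.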
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0001-platform-corstone1000-Update-MPU-configuration.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0001-platform-corstone1000-Update-MPU-configuration.patch deleted file mode 100644 index 25e53b5656..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0001-platform-corstone1000-Update-MPU-configuration.patch +++ /dev/null 
@@ -1,274 +0,0 @@ -From eb096e4c03b80f9f31e5d15ca06e5a38e4112664 Mon Sep 17 00:00:00 2001 -From: Bence Balogh <bence.balogh@arm.com> -Date: Tue, 7 Nov 2023 20:25:49 +0100 -Subject: [PATCH 1/2] platform: corstone1000: Update MPU configuration - -In Armv6-M the MPU requires the regions to be aligned with -region sizes. -The commit aligns the different code/data sections using the -alignment macros. The code/data sections can be covered by -multiple MPU regions in order to save memory. - -Small adjustments had to be made in the memory layout in order to -not overflow the flash: -- Decreased TFM_PARTITION_SIZE -- Increased S_UNPRIV_DATA_SIZE - -Added checks to the MPU configuration function for checking the -MPU constraints: -- Base address has to be aligned to the size -- The minimum MPU region size is 0x100 -- The MPU can have 8 regions at most - -Change-Id: I059468e8aba0822bb354fd1cd4987ac2bb1f34d1 -Signed-off-by: Bence Balogh <bence.balogh@arm.com> -Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/25393] - ---- - .../target/arm/corstone1000/CMakeLists.txt | 19 +++++ - .../arm/corstone1000/create-flash-image.sh | 8 +- - .../arm/corstone1000/partition/flash_layout.h | 2 +- - .../arm/corstone1000/partition/region_defs.h | 6 +- - .../arm/corstone1000/tfm_hal_isolation.c | 83 +++++++++++++++---- - 5 files changed, 93 insertions(+), 25 deletions(-) - -diff --git a/platform/ext/target/arm/corstone1000/CMakeLists.txt b/platform/ext/target/arm/corstone1000/CMakeLists.txt -index e6cf15b11..8817f514c 100644 ---- a/platform/ext/target/arm/corstone1000/CMakeLists.txt -+++ b/platform/ext/target/arm/corstone1000/CMakeLists.txt -@@ -22,6 +22,25 @@ target_compile_definitions(platform_region_defs - INTERFACE - $<$<BOOL:${TFM_S_REG_TEST}>:TFM_S_REG_TEST> - ) -+ -+# The Armv6-M MPU requires that the MPU regions be aligned to the region sizes. -+# The minimal region size is 0x100 bytes. 
-+# -+# The alignments have to be a power of two and ideally bigger than the section size (which -+# can be checked in the map file). -+# In some cases the alignment value is smaller than the actual section -+# size to save memory. In that case, multiple MPU region has to be configured to cover it. -+# -+# To save memory, the attributes are set to XN_EXEC_OK and AP_RO_PRIV_UNPRIV for -+# the SRAM so the PSA_ROT_LINKER_CODE, TFM_UNPRIV_CODE and APP_ROT_LINKER_CODE don't have to -+# be aligned. The higher-priority regions will overwrite these attributes if needed. -+# The RAM is also located in the SRAM so it has to be configured to overwrite these default -+# attributes. -+target_compile_definitions(platform_region_defs -+ INTERFACE -+ TFM_LINKER_APP_ROT_LINKER_DATA_ALIGNMENT=0x2000 -+ TFM_LINKER_SP_META_PTR_ALIGNMENT=0x100 -+) - #========================= Platform common defs ===============================# - - # Specify the location of platform specific build dependencies. -diff --git a/platform/ext/target/arm/corstone1000/create-flash-image.sh b/platform/ext/target/arm/corstone1000/create-flash-image.sh -index 2522d3674..a6be61384 100755 ---- a/platform/ext/target/arm/corstone1000/create-flash-image.sh -+++ b/platform/ext/target/arm/corstone1000/create-flash-image.sh -@@ -8,7 +8,7 @@ - - ###################################################################### - # This script is to create a flash gpt image for corstone platform --# -+# - # Flash image layout: - # |------------------------------| - # | Protective MBR | -@@ -82,15 +82,15 @@ sgdisk --mbrtogpt \ - --new=4:56:+4K --typecode=4:$PRIVATE_METADATA_TYPE_UUID --partition-guid=4:$(uuidgen) --change-name=4:'private_metadata_replica_1' \ - --new=5:64:+4k --typecode=5:$PRIVATE_METADATA_TYPE_UUID --partition-guid=5:$(uuidgen) --change-name=5:'private_metadata_replica_2' \ - --new=6:72:+100k --typecode=6:$SE_BL2_TYPE_UUID --partition-guid=6:$(uuidgen) --change-name=6:'bl2_primary' \ -- --new=7:272:+376K 
--typecode=7:$TFM_TYPE_UUID --partition-guid=7:$(uuidgen) --change-name=7:'tfm_primary' \ -+ --new=7:272:+368K --typecode=7:$TFM_TYPE_UUID --partition-guid=7:$(uuidgen) --change-name=7:'tfm_primary' \ - --new=8:32784:+100k --typecode=8:$SE_BL2_TYPE_UUID --partition-guid=8:$(uuidgen) --change-name=8:'bl2_secondary' \ -- --new=9:32984:+376K --typecode=9:$TFM_TYPE_UUID --partition-guid=9:$(uuidgen) --change-name=9:'tfm_secondary' \ -+ --new=9:32984:+368K --typecode=9:$TFM_TYPE_UUID --partition-guid=9:$(uuidgen) --change-name=9:'tfm_secondary' \ - --new=10:65496:65501 --partition-guid=10:$(uuidgen) --change-name=10:'reserved_2' \ - $IMAGE - - [ $? -ne 0 ] && echo "Error occurs while writing the GPT layout" && exit 1 - --# Write partitions -+# Write partitions - # conv=notrunc avoids truncation to keep the geometry of the image. - dd if=$BIN_DIR/bl2_signed.bin of=${IMAGE} seek=72 conv=notrunc - dd if=$BIN_DIR/tfm_s_signed.bin of=${IMAGE} seek=272 conv=notrunc -diff --git a/platform/ext/target/arm/corstone1000/partition/flash_layout.h b/platform/ext/target/arm/corstone1000/partition/flash_layout.h -index 568c8de28..7fffd94c6 100644 ---- a/platform/ext/target/arm/corstone1000/partition/flash_layout.h -+++ b/platform/ext/target/arm/corstone1000/partition/flash_layout.h -@@ -134,7 +134,7 @@ - - /* Bank configurations */ - #define BANK_PARTITION_SIZE (0xFE0000) /* 15.875 MB */ --#define TFM_PARTITION_SIZE (0x5E000) /* 376 KB */ -+#define TFM_PARTITION_SIZE (0x5C000) /* 368 KB */ - - /************************************************************/ - /* Bank : Images flash offsets are with respect to the bank */ -diff --git a/platform/ext/target/arm/corstone1000/partition/region_defs.h b/platform/ext/target/arm/corstone1000/partition/region_defs.h -index 99e822f51..64ab786e5 100644 ---- a/platform/ext/target/arm/corstone1000/partition/region_defs.h -+++ b/platform/ext/target/arm/corstone1000/partition/region_defs.h -@@ -1,8 +1,10 @@ - /* -- * Copyright (c) 2017-2022 Arm Limited. 
All rights reserved. -+ * Copyright (c) 2017-2023 Arm Limited. All rights reserved. - * Copyright (c) 2021-2023 Cypress Semiconductor Corporation (an Infineon company) - * or an affiliate of Cypress Semiconductor Corporation. All rights reserved. - * -+ * SPDX-License-Identifier: Apache-2.0 -+ * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at -@@ -53,7 +55,7 @@ - - #define S_DATA_START (SRAM_BASE + TFM_PARTITION_SIZE) - #define S_DATA_SIZE (SRAM_SIZE - TFM_PARTITION_SIZE) --#define S_UNPRIV_DATA_SIZE (0x2160) -+#define S_UNPRIV_DATA_SIZE (0x4000) - #define S_DATA_LIMIT (S_DATA_START + S_DATA_SIZE - 1) - #define S_DATA_PRIV_START (S_DATA_START + S_UNPRIV_DATA_SIZE) - -diff --git a/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c b/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c -index 01f7687bc..98e795dde 100644 ---- a/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c -+++ b/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2020-2022, Arm Limited. All rights reserved. -+ * Copyright (c) 2020-2023, Arm Limited. All rights reserved. - * Copyright (c) 2022 Cypress Semiconductor Corporation (an Infineon - * company) or an affiliate of Cypress Semiconductor Corporation. All rights - * reserved. 
-@@ -14,9 +14,11 @@ - #include "tfm_hal_isolation.h" - #include "mpu_config.h" - #include "mmio_defs.h" -+#include "flash_layout.h" - - #define PROT_BOUNDARY_VAL \ - ((1U << HANDLE_ATTR_PRIV_POS) & HANDLE_ATTR_PRIV_MASK) -+#define MPU_REGION_MIN_SIZE (0x100) - - #ifdef CONFIG_TFM_ENABLE_MEMORY_PROTECT - -@@ -31,20 +33,38 @@ REGION_DECLARE(Image$$, TFM_SP_META_PTR, $$ZI$$Base); - REGION_DECLARE(Image$$, TFM_SP_META_PTR, $$ZI$$Limit); - #endif /* CONFIG_TFM_PARTITION_META */ - --static void configure_mpu(uint32_t rnr, uint32_t base, uint32_t limit, -- uint32_t is_xn_exec, uint32_t ap_permissions) -+static enum tfm_hal_status_t configure_mpu(uint32_t rnr, uint32_t base, -+ uint32_t limit, uint32_t is_xn_exec, uint32_t ap_permissions) - { -- uint32_t size; /* region size */ -+ uint32_t rbar_size_field; /* region size as it is used in the RBAR */ - uint32_t rasr; /* region attribute and size register */ - uint32_t rbar; /* region base address register */ - -- size = get_rbar_size_field(limit - base); -+ rbar_size_field = get_rbar_size_field(limit - base); -+ -+ /* The MPU region's base address has to be aligned to the region -+ * size for a valid MPU configuration */ -+ if ((base % (1 << (rbar_size_field + 1))) != 0) { -+ return TFM_HAL_ERROR_INVALID_INPUT; -+ } -+ -+ /* The MPU supports only 8 memory regions */ -+ if (rnr > 7) { -+ return TFM_HAL_ERROR_INVALID_INPUT; -+ } -+ -+ /* The minimum size for a region is 0x100 bytes */ -+ if((limit - base) < MPU_REGION_MIN_SIZE) { -+ return TFM_HAL_ERROR_INVALID_INPUT; -+ } - - rasr = ARM_MPU_RASR(is_xn_exec, ap_permissions, TEX, NOT_SHAREABLE, -- NOT_CACHEABLE, NOT_BUFFERABLE, SUB_REGION_DISABLE, size); -+ NOT_CACHEABLE, NOT_BUFFERABLE, SUB_REGION_DISABLE, rbar_size_field); - rbar = base & MPU_RBAR_ADDR_Msk; - - ARM_MPU_SetRegionEx(rnr, rbar, rasr); -+ -+ return TFM_HAL_SUCCESS; - } - - #endif /* CONFIG_TFM_ENABLE_MEMORY_PROTECT */ -@@ -56,33 +76,60 @@ enum tfm_hal_status_t tfm_hal_set_up_static_boundaries( - uint32_t rnr = 
TFM_ISOLATION_REGION_START_NUMBER; /* current region number */ - uint32_t base; /* start address */ - uint32_t limit; /* end address */ -+ enum tfm_hal_status_t ret; - - ARM_MPU_Disable(); - -- /* TFM Core unprivileged code region */ -- base = (uint32_t)®ION_NAME(Image$$, TFM_UNPRIV_CODE_START, $$RO$$Base); -- limit = (uint32_t)®ION_NAME(Image$$, TFM_UNPRIV_CODE_END, $$RO$$Limit); -- -- configure_mpu(rnr++, base, limit, XN_EXEC_OK, AP_RO_PRIV_UNPRIV); -- -- /* RO region */ -- base = (uint32_t)®ION_NAME(Image$$, TFM_APP_CODE_START, $$Base); -- limit = (uint32_t)®ION_NAME(Image$$, TFM_APP_CODE_END, $$Base); -+ /* Armv6-M MPU allows region overlapping. The region with the higher RNR -+ * will decide the attributes. -+ * -+ * The default attributes are set to XN_EXEC_OK and AP_RO_PRIV_UNPRIV for the -+ * whole SRAM so the PSA_ROT_LINKER_CODE, TFM_UNPRIV_CODE and APP_ROT_LINKER_CODE -+ * don't have to be aligned and memory space can be saved. -+ * This region has the lowest RNR so the next regions can overwrite these -+ * attributes if it's needed. -+ */ -+ base = SRAM_BASE; -+ limit = SRAM_BASE + SRAM_SIZE; -+ -+ ret = configure_mpu(rnr++, base, limit, -+ XN_EXEC_OK, AP_RW_PRIV_UNPRIV); -+ if (ret != TFM_HAL_SUCCESS) { -+ return ret; -+ } - -- configure_mpu(rnr++, base, limit, XN_EXEC_OK, AP_RO_PRIV_UNPRIV); - - /* RW, ZI and stack as one region */ - base = (uint32_t)®ION_NAME(Image$$, TFM_APP_RW_STACK_START, $$Base); - limit = (uint32_t)®ION_NAME(Image$$, TFM_APP_RW_STACK_END, $$Base); - -- configure_mpu(rnr++, base, limit, XN_EXEC_NOT_OK, AP_RW_PRIV_UNPRIV); -+ /* The section size can be bigger than the alignment size, else the code would -+ * not fit into the memory. Because of this, the sections can use multiple MPU -+ * regions. 
*/ -+ do { -+ ret = configure_mpu(rnr++, base, base + TFM_LINKER_APP_ROT_LINKER_DATA_ALIGNMENT, -+ XN_EXEC_NOT_OK, AP_RW_PRIV_UNPRIV); -+ if (ret != TFM_HAL_SUCCESS) { -+ return ret; -+ } -+ base += TFM_LINKER_APP_ROT_LINKER_DATA_ALIGNMENT; -+ } while (base < limit); -+ - - #ifdef CONFIG_TFM_PARTITION_META - /* TFM partition metadata pointer region */ - base = (uint32_t)®ION_NAME(Image$$, TFM_SP_META_PTR, $$ZI$$Base); - limit = (uint32_t)®ION_NAME(Image$$, TFM_SP_META_PTR, $$ZI$$Limit); - -- configure_mpu(rnr++, base, limit, XN_EXEC_NOT_OK, AP_RW_PRIV_UNPRIV); -+ do { -+ ret = configure_mpu(rnr++, base, base + TFM_LINKER_SP_META_PTR_ALIGNMENT, -+ XN_EXEC_NOT_OK, AP_RW_PRIV_UNPRIV); -+ if (ret != TFM_HAL_SUCCESS) { -+ return ret; -+ } -+ base += TFM_LINKER_SP_META_PTR_ALIGNMENT; -+ } while (base < limit); -+ - #endif - - arm_mpu_enable(); diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0002-Platform-Corstone1000-Fix-NV-counter-writing.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0002-Platform-Corstone1000-Fix-NV-counter-writing.patch new file mode 100644 index 0000000000..cf59882441 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0002-Platform-Corstone1000-Fix-NV-counter-writing.patch 
@@ -0,0 +1,69 @@ +From 47c54e8e79df52f40057c3d4be9411447d2787c2 Mon Sep 17 00:00:00 2001 +From: Emekcan Aras <Emekcan.Aras@arm.com> +Date: Wed, 21 Feb 2024 07:44:25 +0000 +Subject: [PATCH 2/9] Platform: Corstone1000: Fix NV counter writing + +The BL1 writes the PLAT_NV_COUNTER_BL1_0 NV counter directly without +updating the private metadata. Because of this the update_nv_counters() +function should not update the PLAT_NV_COUNTER_BL1_0 from the metadata. + +The tfm_plat_set_nv_counter() had a typo and wrote the +priv_metadata->nv_counter[FWU_BL2_NV_COUNTER] to every NV counter. + +Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com> +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +Upstream-Status: Backport [47c54e8e79df52f40057c3d4be9411447d2787c2] +--- + .../corstone1000/fw_update_agent/fwu_agent.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c b/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c +index 9a9926a3d..b2f31e166 100644 +--- a/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c ++++ b/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c +@@ -1120,12 +1120,13 @@ static enum fwu_agent_error_t update_nv_counters( + + FWU_LOG_MSG("%s: enter\n\r", __func__); + +- for (int i = 0; i <= FWU_MAX_NV_COUNTER_INDEX; i++) { ++ /* The FWU_BL2_NV_COUNTER (0) is not mirrored in the private metadata. It is ++ * directly updated in the bl1_2_validate_image_at_addr() function, in ++ * tfm/bl1/bl1_2/main.c. ++ * Because of this, the index starts from FWU_TFM_NV_COUNTER (1). 
*/ ++ for (int i = FWU_TFM_NV_COUNTER; i <= FWU_MAX_NV_COUNTER_INDEX; i++) { + + switch (i) { +- case FWU_BL2_NV_COUNTER: +- tfm_nv_counter_i = PLAT_NV_COUNTER_BL1_0; +- break; + case FWU_TFM_NV_COUNTER: + tfm_nv_counter_i = PLAT_NV_COUNTER_BL2_0; + break; +@@ -1140,18 +1141,21 @@ static enum fwu_agent_error_t update_nv_counters( + err = tfm_plat_read_nv_counter(tfm_nv_counter_i, + sizeof(security_cnt), (uint8_t *)&security_cnt); + if (err != TFM_PLAT_ERR_SUCCESS) { ++ FWU_LOG_MSG("%s: couldn't read NV counter\n\r", __func__); + return FWU_AGENT_ERROR; + } + + if (priv_metadata->nv_counter[i] < security_cnt) { ++ FWU_LOG_MSG("%s: staged NV counter is smaller than current value\n\r", __func__); + return FWU_AGENT_ERROR; + } else if (priv_metadata->nv_counter[i] > security_cnt) { +- FWU_LOG_MSG("%s: updaing index = %u nv counter = %u->%u\n\r", ++ FWU_LOG_MSG("%s: updating index = %u nv counter = %u->%u\n\r", + __func__, i, security_cnt, +- priv_metadata->nv_counter[FWU_BL2_NV_COUNTER]); ++ priv_metadata->nv_counter[i]); + err = tfm_plat_set_nv_counter(tfm_nv_counter_i, +- priv_metadata->nv_counter[FWU_BL2_NV_COUNTER]); ++ priv_metadata->nv_counter[i]); + if (err != TFM_PLAT_ERR_SUCCESS) { ++ FWU_LOG_MSG("%s: couldn't write NV counter\n\r", __func__); + return FWU_AGENT_ERROR; + } + } +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0002-platform-corstone1000-Cover-S_DATA-with-MPU.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0002-platform-corstone1000-Cover-S_DATA-with-MPU.patch deleted file mode 100644 index 6676acf8b7..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0002-platform-corstone1000-Cover-S_DATA-with-MPU.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From ca7696bca357cfd71a34582c65a7c7c08828b6dc Mon Sep 17 00:00:00 2001 -From: Bence Balogh <bence.balogh@arm.com> -Date: Mon, 18 Dec 2023 14:00:14 +0100 -Subject: [PATCH 2/2] platform: corstone1000: Cover S_DATA with MPU - -The S_DATA has to be covered with MPU regions to override the -other MPU regions with smaller RNR values. - -Change-Id: I45fec65f51241939314941e25d287e6fdc82777c -Signed-off-by: Bence Balogh <bence.balogh@arm.com> -Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/25583] - ---- - .../target/arm/corstone1000/CMakeLists.txt | 8 +++++++ - .../arm/corstone1000/tfm_hal_isolation.c | 22 +++++++++++++++++++ - 2 files changed, 30 insertions(+) - -diff --git a/platform/ext/target/arm/corstone1000/CMakeLists.txt b/platform/ext/target/arm/corstone1000/CMakeLists.txt -index 8817f514c..541504368 100644 ---- a/platform/ext/target/arm/corstone1000/CMakeLists.txt -+++ b/platform/ext/target/arm/corstone1000/CMakeLists.txt -@@ -40,6 +40,14 @@ target_compile_definitions(platform_region_defs - INTERFACE - TFM_LINKER_APP_ROT_LINKER_DATA_ALIGNMENT=0x2000 - TFM_LINKER_SP_META_PTR_ALIGNMENT=0x100 -+ -+ # The RAM MPU Region block sizes are calculated manually. The RAM has to be covered -+ # with the MPU regions. These regions also have to be the power of 2 and -+ # the start addresses have to be aligned to these sizes. The sizes can be calculated -+ # from the S_DATA_START and S_DATA_SIZE defines. 
-+ RAM_MPU_REGION_BLOCK_1_SIZE=0x4000 -+ RAM_MPU_REGION_BLOCK_2_SIZE=0x20000 -+ - ) - #========================= Platform common defs ===============================# - -diff --git a/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c b/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c -index 98e795dde..39b19c535 100644 ---- a/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c -+++ b/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c -@@ -15,6 +15,7 @@ - #include "mpu_config.h" - #include "mmio_defs.h" - #include "flash_layout.h" -+#include "region_defs.h" - - #define PROT_BOUNDARY_VAL \ - ((1U << HANDLE_ATTR_PRIV_POS) & HANDLE_ATTR_PRIV_MASK) -@@ -132,6 +133,27 @@ enum tfm_hal_status_t tfm_hal_set_up_static_boundaries( - - #endif - -+ /* Set the RAM attributes. It is needed because the first region overlaps the whole -+ * SRAM and it has to be overridden. -+ * The RAM_MPU_REGION_BLOCK_1_SIZE and RAM_MPU_REGION_BLOCK_2_SIZE are calculated manually -+ * and added to the platform_region_defs compile definitions. -+ */ -+ base = S_DATA_START; -+ limit = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE; -+ ret = configure_mpu(rnr++, base, limit, -+ XN_EXEC_NOT_OK, AP_RW_PRIV_UNPRIV); -+ if (ret != TFM_HAL_SUCCESS) { -+ return ret; -+ } -+ -+ base = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE; -+ limit = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE + RAM_MPU_REGION_BLOCK_2_SIZE; -+ ret = configure_mpu(rnr++, base, limit, -+ XN_EXEC_NOT_OK, AP_RW_PRIV_UNPRIV); -+ if (ret != TFM_HAL_SUCCESS) { -+ return ret; -+ } -+ - arm_mpu_enable(); - - #endif /* CONFIG_TFM_ENABLE_MEMORY_PROTECT */ diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0006-Platform-Corstone1000-Enable-host-firewall-in-FVP.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0003-Platform-Corstone1000-Enable-firewall-in-FVP.patch index 4f15da2217..17aad5ab8b 100644 
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0006-Platform-Corstone1000-Enable-host-firewall-in-FVP.patch +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0003-Platform-Corstone1000-Enable-firewall-in-FVP.patch @@ -1,14 +1,15 @@ -From 1410dc5504d60219279581b1cf6442f81551cfe7 Mon Sep 17 00:00:00 2001 +From 4b5a9546205e484ac7f53cee369b1db9a7bf2279 Mon Sep 17 00:00:00 2001 From: Emekcan Aras <Emekcan.Aras@arm.com> Date: Wed, 3 Apr 2024 13:37:40 +0100 -Subject: [PATCH] Platform: Corstone1000: Enable host firewall in FVP +Subject: [PATCH 3/9] Platform: Corstone1000: Enable firewall in FVP -Enables host firewall and mpu setup for FVP. It also fixes secure-ram -configuration and disable access rights to secure ram from both normal world -for both mps3 and fvp. +Enables host firewall and MPU setup for FVP. It also fixes secure RAM +configuration and disables access rights to secure RAM from normal world +for both MPS3 and FVP. Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com> -Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +Upstream-Status: Backport [4b5a9546205e484ac7f53cee369b1db9a7bf2279] --- .../Device/Include/platform_base_address.h | 2 +- .../arm/corstone1000/bl1/boot_hal_bl1_1.c | 42 ++++--------------- @@ -16,7 +17,7 @@ Upstream-Status: Pending [Not submitted to upstream yet] 3 files changed, 11 insertions(+), 35 deletions(-) diff --git a/platform/ext/target/arm/corstone1000/Device/Include/platform_base_address.h b/platform/ext/target/arm/corstone1000/Device/Include/platform_base_address.h -index 416f0ebcd..101cad9e7 100644 +index 416f0ebcdb..101cad9e7c 100644 --- a/platform/ext/target/arm/corstone1000/Device/Include/platform_base_address.h +++ b/platform/ext/target/arm/corstone1000/Device/Include/platform_base_address.h @@ -67,7 +67,7 @@ 
@@ -29,7 +30,7 @@ index 416f0ebcd..101cad9e7 100644 #define CORSTONE1000_HOST_BASE_SYSTEM_CONTROL_BASE (0x7A010000U) /* Host SCB */ #define CORSTONE1000_EXT_SYS_RESET_REG (0x7A010310U) /* external system (cortex-M3) */ diff --git a/platform/ext/target/arm/corstone1000/bl1/boot_hal_bl1_1.c b/platform/ext/target/arm/corstone1000/bl1/boot_hal_bl1_1.c -index a5fee66af..7988c2392 100644 +index 45d6768215..2f693d2b1b 100644 --- a/platform/ext/target/arm/corstone1000/bl1/boot_hal_bl1_1.c +++ b/platform/ext/target/arm/corstone1000/bl1/boot_hal_bl1_1.c @@ -35,7 +35,7 @@ REGION_DECLARE(Image$$, ER_DATA, $$Base)[]; @@ -159,7 +160,7 @@ index a5fee66af..7988c2392 100644 #if defined(TFM_BL1_LOGGING) || defined(TEST_BL1_1) || defined(TEST_BL1_2) stdio_init(); diff --git a/platform/ext/target/arm/corstone1000/bl2/flash_map_bl2.c b/platform/ext/target/arm/corstone1000/bl2/flash_map_bl2.c -index 2b1cdfa19..06cc3f0f5 100644 +index 2b1cdfa199..06cc3f0f52 100644 --- a/platform/ext/target/arm/corstone1000/bl2/flash_map_bl2.c +++ b/platform/ext/target/arm/corstone1000/bl2/flash_map_bl2.c @@ -70,7 +70,7 @@ int boot_get_image_exec_ram_info(uint32_t image_id, @@ -174,4 +175,3 @@ index 2b1cdfa19..06cc3f0f5 100644 -- 2.25.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0003-platform-corstone1000-align-capsule-update-structs.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0003-platform-corstone1000-align-capsule-update-structs.patch deleted file mode 100644 index 7aeecfa31b..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0003-platform-corstone1000-align-capsule-update-structs.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From 6807d4b30f7d4ed32d3c54dfcaf3ace63eaa4f02 Mon Sep 17 00:00:00 2001 -From: Emekcan Aras <emekcan.aras@arm.com> -Date: Thu, 26 Oct 2023 11:46:04 +0100 -Subject: [PATCH] platform: corstone1000: align capsule update structs - -U-boot mkefitool creates capsule image without packed and byte-aligned -structs. This patch aligns the capsule-update structures and avoids -crashes in case of unaligned pointer access. - -Signed-off-by: Emekcan Aras <emekcan.aras@arm.com> -Upstream-Status: Pending ---- - .../fw_update_agent/uefi_capsule_parser.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/platform/ext/target/arm/corstone1000/fw_update_agent/uefi_capsule_parser.c b/platform/ext/target/arm/corstone1000/fw_update_agent/uefi_capsule_parser.c -index c706c040ac..9f8d12ad4e 100644 ---- a/platform/ext/target/arm/corstone1000/fw_update_agent/uefi_capsule_parser.c -+++ b/platform/ext/target/arm/corstone1000/fw_update_agent/uefi_capsule_parser.c -@@ -34,14 +34,14 @@ typedef struct { - uint32_t header_size; - uint32_t flags; - uint32_t capsule_image_size; --} efi_capsule_header_t; -+} efi_capsule_header_t __attribute__((packed, aligned(1))); - - typedef struct { - uint32_t version; - uint16_t embedded_driver_count; - uint16_t payload_item_count; - uint64_t item_offset_list[]; --} efi_firmware_management_capsule_header_t; -+} efi_firmware_management_capsule_header_t __attribute__((packed, aligned(1))); - - typedef struct { - uint32_t version; -@@ -52,14 +52,14 @@ typedef struct { - uint32_t update_vendorcode_size; - uint64_t update_hardware_instance; //introduced in v2 - uint64_t image_capsule_support; //introduced in v3 --} efi_firmware_management_capsule_image_header_t; -+} efi_firmware_management_capsule_image_header_t __attribute__((packed, aligned(1))); - - typedef struct { - uint32_t signature; - uint32_t header_size; - uint32_t fw_version; - uint32_t lowest_supported_version; --} fmp_payload_header_t; -+} 
fmp_payload_header_t __attribute__((packed, aligned(1))); - - #define ANYSIZE_ARRAY 0 - -@@ -68,18 +68,18 @@ typedef struct { - uint16_t wRevision; - uint16_t wCertificateType; - uint8_t bCertificate[ANYSIZE_ARRAY]; --} WIN_CERTIFICATE; -+} WIN_CERTIFICATE __attribute__((packed, aligned(1))); - - typedef struct { - WIN_CERTIFICATE hdr; - struct efi_guid cert_type; - uint8_t cert_data[ANYSIZE_ARRAY]; --} win_certificate_uefi_guid_t; -+} win_certificate_uefi_guid_t __attribute__((packed, aligned(1))); - - typedef struct { - uint64_t monotonic_count; - win_certificate_uefi_guid_t auth_info; --} efi_firmware_image_authentication_t; -+} efi_firmware_image_authentication_t __attribute__((packed, aligned(1))); - - - enum uefi_capsule_error_t uefi_capsule_retrieve_images(void* capsule_ptr, --- -2.25.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0004-Platform-CS1000-Increase-ITS-max-asset-size.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0004-Platform-CS1000-Increase-ITS-max-asset-size.patch new file mode 100644 index 0000000000..21450654af --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0004-Platform-CS1000-Increase-ITS-max-asset-size.patch 
@@ -0,0 +1,41 @@ +From 2a7e418afc96a9c897d3511fd47dbe596f880074 Mon Sep 17 00:00:00 2001 +From: Emekcan Aras <emekcan.aras@arm.com> +Date: Wed, 17 Apr 2024 11:34:45 +0000 +Subject: [PATCH 4/9] Platform: CS1000: Increase ITS max asset size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Increases the max asset size for ITS to enable Parsec services and +tests. + +Signed-off-by: Emekcan Aras <emekcan.aras@arm.com> +Signed-off-by: Vikas Katariya <vikas.katariya@arm.com> +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +Upstream-Status: Backport [2a7e418afc96a9c897d3511fd47dbe596f880074] +--- + platform/ext/target/arm/corstone1000/config_tfm_target.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/platform/ext/target/arm/corstone1000/config_tfm_target.h b/platform/ext/target/arm/corstone1000/config_tfm_target.h +index 2c7341afd..9522379cd 100644 +--- a/platform/ext/target/arm/corstone1000/config_tfm_target.h ++++ b/platform/ext/target/arm/corstone1000/config_tfm_target.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2022, Arm Limited. All rights reserved. ++ * Copyright (c) 2022-2024, Arm Limited. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + * +@@ -20,4 +20,7 @@ + /* The maximum number of assets to be stored in the Protected Storage area. */ + #define PS_NUM_ASSETS 20 + ++/* The maximum size of asset to be stored in the Internal Trusted Storage area. */ ++#define ITS_MAX_ASSET_SIZE 2048 ++ + #endif /* __CONFIG_TFM_TARGET_H__ */ +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0004-Platform-Corstone1000-skip-the-first-nv-counter.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0004-Platform-Corstone1000-skip-the-first-nv-counter.patch deleted file mode 100644 index 4c486e69f2..0000000000 
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0004-Platform-Corstone1000-skip-the-first-nv-counter.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 001e5bea183bc78352ac3ba6283d9d7912bb6ea5 Mon Sep 17 00:00:00 2001 -From: Emekcan Aras <Emekcan.Aras@arm.com> -Date: Wed, 21 Feb 2024 07:44:25 +0000 -Subject: [PATCH] Platform: Corstone1000: skip the first nv counter - -It skips doing a sanity check the BL2 nv counter after the capsule -update since the tfm bl1 does not sync metadata and nv counters in OTP during -the boot anymore. - -Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com> -Upstream-Status: Pending - ---- - .../ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c b/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c -index 2e6de255b..2e6cf8047 100644 ---- a/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c -+++ b/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c -@@ -1125,7 +1125,7 @@ static enum fwu_agent_error_t update_nv_counters( - - FWU_LOG_MSG("%s: enter\n\r", __func__); - -- for (int i = 0; i <= FWU_MAX_NV_COUNTER_INDEX; i++) { -+ for (int i = 1; i <= FWU_MAX_NV_COUNTER_INDEX; i++) { - - switch (i) { - case FWU_BL2_NV_COUNTER: --- -2.25.1 - - diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0005-Platform-CS1000-Increase-RSE_COMMS-buffer-size.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0005-Platform-CS1000-Increase-RSE_COMMS-buffer-size.patch new file mode 100644 index 0000000000..059b5a2da6 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0005-Platform-CS1000-Increase-RSE_COMMS-buffer-size.patch 
@@ -0,0 +1,38 @@ +From 85e7e9f52177c9617b8554fbacac34c8c591f549 Mon Sep 17 00:00:00 2001 +From: Bence Balogh <bence.balogh@arm.com> +Date: Fri, 5 Jul 2024 21:18:08 +0200 +Subject: [PATCH 5/9] Platform: CS1000: Increase RSE_COMMS buffer size + +This was needed because the UEFI variable index size was increased in +the Host side software stack. The RSE_COMMS buffer has to be increased +to accomodate the bigger messages. + +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +Upstream-Status: Backport [85e7e9f52177c9617b8554fbacac34c8c591f549] +--- + .../ext/target/arm/corstone1000/rse_comms/rse_comms.h | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h +index 41e5c2bc3..720a60b62 100644 +--- a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h ++++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h +@@ -15,8 +15,13 @@ + extern "C" { + #endif + +-/* size suits to fit the largest message too (EFI variables) */ +-#define RSE_COMMS_PAYLOAD_MAX_SIZE (0x2100) ++/* ++ * The size suits to fit the largest message too (EFI variables) ++ * This size is defined by the Host's software stack. ++ * The size was chosen by monitoring the messages that are coming ++ * from the Trusted Services SE Proxy partition. ++ */ ++#define RSE_COMMS_PAYLOAD_MAX_SIZE (0x43C0) + + /* + * Allocated for each client request. +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0006-Platform-CS1000-Increase-buffers-for-EFI-vars.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0006-Platform-CS1000-Increase-buffers-for-EFI-vars.patch new file mode 100644 index 0000000000..62022183b9 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0006-Platform-CS1000-Increase-buffers-for-EFI-vars.patch 
@@ -0,0 +1,42 @@ +From 8ca9620a000ba182ebb51c51f49e2b97622f3404 Mon Sep 17 00:00:00 2001 +From: Bence Balogh <bence.balogh@arm.com> +Date: Wed, 15 May 2024 22:37:51 +0200 +Subject: [PATCH 6/9] Platform: CS1000: Increase buffers for EFI vars + +The UEFI variables are stored in the Protected Storage. The size of +the variables metadata have been increased in the Host software stack +so the related buffer sizes have to be increased: + +- The PS_MAX_ASSET_SIZE needs to be big enough to store the variables. +- The CRYPTO_ENGINE_BUF_SIZE needs to be increased because the encryption + of the bigger PS assets requires bigger buffer. +- The CRYPTO_IOVEC_BUFFER_SIZE needs to be increased because the PS + assets are passed through the IOVEC buffer between the crypto and + PS partition during encryption. + +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +Upstream-Status: Backport [8ca9620a000ba182ebb51c51f49e2b97622f3404] +--- + platform/ext/target/arm/corstone1000/config_tfm_target.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/platform/ext/target/arm/corstone1000/config_tfm_target.h b/platform/ext/target/arm/corstone1000/config_tfm_target.h +index 9522379cd..0b410dfd4 100644 +--- a/platform/ext/target/arm/corstone1000/config_tfm_target.h ++++ b/platform/ext/target/arm/corstone1000/config_tfm_target.h +@@ -23,4 +23,12 @@ + /* The maximum size of asset to be stored in the Internal Trusted Storage area. */ + #define ITS_MAX_ASSET_SIZE 2048 + ++/* The maximum asset size to be stored in the Protected Storage */ ++#define PS_MAX_ASSET_SIZE 2592 ++ ++/* This is needed to be able to process the EFI variables during PS writes. */ ++#define CRYPTO_ENGINE_BUF_SIZE 0x5000 ++ ++/* This is also has to be increased to fit the EFI variables into the iovecs. */ ++#define CRYPTO_IOVEC_BUFFER_SIZE 6000 + #endif /* __CONFIG_TFM_TARGET_H__ */ +-- +2.25.1 + 
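Review bot: In 0002-Platform-Corstone1000-Fix-NV-counter-writing.patch, the rollback-rejection branch of update_nv_counters() (priv_metadata->nv_counter[i] < security_cnt) now logs only "staged NV counter is smaller than current value", without the index or the two values, so a rejected update cannot be traced to a specific counter from the log. Suggest printing i, priv_metadata->nv_counter[i] and security_cnt there, as the "updating index" message already does. The loop start now relies on FWU_TFM_NV_COUNTER being the entry directly after FWU_BL2_NV_COUNTER; the new comment records the values 0 and 1, and a build-time assertion on that ordering would stop a later change to those constants from silently skipping or re-including a counter. The commit message attributes the typo to tfm_plat_set_nv_counter(), while the corrected line is the argument passed to it from update_nv_counters().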
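Review bot: In 0005-Platform-CS1000-Increase-RSE_COMMS-buffer-size.patch, RSE_COMMS_PAYLOAD_MAX_SIZE (0x43C0) is an empirical value: the new comment says it "was chosen by monitoring the messages" from the Trusted Services SE Proxy partition, so nothing in the header ties it to the host-side constant it has to match. Suggest naming the host-side definition it derives from in the comment, and stating how a message larger than the buffer is handled, so the next host-side increase is caught at build or review time. The context line after the define says the buffer is "Allocated for each client request", so going from 0x2100 to 0x43C0 roughly doubles the per-request allocation; the patch does not say whether the secure RAM budget was rechecked.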
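Review bot: In 0006-Platform-CS1000-Increase-buffers-for-EFI-vars.patch, the three new sizes in config_tfm_target.h (PS_MAX_ASSET_SIZE 2592, CRYPTO_ENGINE_BUF_SIZE 0x5000, CRYPTO_IOVEC_BUFFER_SIZE 6000) are unrelated literals in mixed decimal and hex, although the commit message says the two crypto buffers follow from the larger PS assets. Suggest documenting how each value was derived, or expressing the crypto buffers in terms of PS_MAX_ASSET_SIZE, so they are not left behind when the variable size changes again. The comment "This is also has to be increased" needs a grammar fix. The ITS patch this series replaces (0007-platform-corstone1000-Increase-ITS-max-asset-size.patch) used #undef before its #define, while the defines added here and in 0004 have no #undef or #ifndef guard; please confirm they do not collide with defaults defined elsewhere.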
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0007-Plaform-Corstone1000-Switch-to-metadata-v2.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0007-Plaform-Corstone1000-Switch-to-metadata-v2.patch new file mode 100644 index 0000000000..2e14dfd6eb --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0007-Plaform-Corstone1000-Switch-to-metadata-v2.patch 
@@ -0,0 +1,202 @@ +From c731d187fbe9fc1e10ad8ecfb3d04bb480bc86b6 Mon Sep 17 00:00:00 2001 +From: Emekcan Aras <Emekcan.Aras@arm.com> +Date: Mon, 8 Apr 2024 16:04:45 +0100 +Subject: [PATCH 7/9] Plaform: Corstone1000: Switch to metadata v2 + +This upgrades metadata data structs from v1 to v2 as described in PSA +FWU Specification: +https://developer.arm.com/documentation/den0118/latest/ + +The TrustedFirmware-A v2.11 release supports only the metadata v2. The +structs in TF-M side had to be aligned to keep the compatibility. + +Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com> +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +Upstream-Status: Backport [c731d187fbe9fc1e10ad8ecfb3d04bb480bc86b6] +--- + .../corstone1000/fw_update_agent/fwu_agent.c | 86 +++++++++++++++---- + 1 file changed, 69 insertions(+), 17 deletions(-) + +diff --git a/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c b/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c +index b2f31e166..5fddd3238 100644 +--- a/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c ++++ b/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c +@@ -26,6 +26,15 @@ + #include "platform.h" + #endif + ++#define FWU_METADATA_VERSION 2 ++#define FWU_FW_STORE_DESC_OFFSET 0x20 ++#define NR_OF_MAX_FW_BANKS 4 ++ ++/* ++ * Metadata version 2 data structures defined by PSA_FW update specification ++ * at https://developer.arm.com/documentation/den0118/latest/ ++ */ ++ + /* Properties of image in a bank */ + struct fwu_image_properties { + +@@ -58,6 +67,28 @@ struct fwu_image_entry { + + } __packed; + ++struct fwu_fw_store_descriptor { ++ ++ /* Number of Banks */ ++ uint8_t num_banks; ++ ++ /* Reserved */ ++ uint8_t reserved; ++ ++ /* Number of images per bank */ ++ uint16_t num_images; ++ ++ /* Size of image_entry(all banks) in bytes */ ++ uint16_t img_entry_size; ++ ++ /* Size of image bank info structure in bytes */ ++ uint16_t bank_info_entry_size; ++ ++ /* Array of 
fwu_image_entry structs */ ++ struct fwu_image_entry img_entry[NR_OF_IMAGES_IN_FW_BANK]; ++ ++} __packed; ++ + struct fwu_metadata { + + /* Metadata CRC value */ +@@ -72,8 +103,23 @@ struct fwu_metadata { + /* Previous bank index with which device booted successfully */ + uint32_t previous_active_index; + +- /* Image entry information */ +- struct fwu_image_entry img_entry[NR_OF_IMAGES_IN_FW_BANK]; ++ /* Size of the entire metadata in bytes */ ++ uint32_t metadata_size; ++ ++ /* Offset of the image descriptor structure */ ++ uint16_t desc_offset; ++ ++ /* Reserved */ ++ uint16_t reserved1; ++ ++ /* Bank state: It's not used in corstone1000 at the moment.Currently ++ * not used by any sw componenets such as u-boot and TF-A */ ++ uint8_t bank_state[NR_OF_MAX_FW_BANKS]; ++ ++ /* Reserved */ ++ uint32_t reserved2; ++ ++ struct fwu_fw_store_descriptor fw_desc; + + } __packed; + +@@ -607,23 +653,29 @@ enum fwu_agent_error_t fwu_metadata_provision(void) + + memset(&_metadata, 0, sizeof(struct fwu_metadata)); + +- _metadata.version = 1; ++ _metadata.version = FWU_METADATA_VERSION; + _metadata.active_index = BANK_0; + _metadata.previous_active_index = BANK_1; ++ _metadata.desc_offset= FWU_FW_STORE_DESC_OFFSET; + ++ _metadata.fw_desc.num_banks = NR_OF_FW_BANKS; ++ _metadata.fw_desc.num_images = NR_OF_IMAGES_IN_FW_BANK; ++ _metadata.fw_desc.img_entry_size = sizeof(struct fwu_image_entry) * NR_OF_IMAGES_IN_FW_BANK; ++ _metadata.fw_desc.bank_info_entry_size = sizeof(struct fwu_image_properties) * NR_OF_FW_BANKS; + /* bank 0 is the place where images are located at the + * start of device lifecycle */ + + for (int i = 0; i < NR_OF_IMAGES_IN_FW_BANK; i++) { + +- _metadata.img_entry[i].img_props[BANK_0].accepted = IMAGE_ACCEPTED; +- _metadata.img_entry[i].img_props[BANK_0].version = image_version; ++ _metadata.fw_desc.img_entry[i].img_props[BANK_0].accepted = IMAGE_ACCEPTED; ++ _metadata.fw_desc.img_entry[i].img_props[BANK_0].version = image_version; + +- 
_metadata.img_entry[i].img_props[BANK_1].accepted = IMAGE_NOT_ACCEPTED; +- _metadata.img_entry[i].img_props[BANK_1].version = INVALID_VERSION; ++ _metadata.fw_desc.img_entry[i].img_props[BANK_1].accepted = IMAGE_NOT_ACCEPTED; ++ _metadata.fw_desc.img_entry[i].img_props[BANK_1].version = INVALID_VERSION; + } + +- /* Calculate CRC32 for fwu metadata */ ++ /* Calculate CRC32 for fwu metadata. The first filed in the _metadata has to be the crc_32. ++ * This should be omited from the calculation. */ + _metadata.crc_32 = crc32((uint8_t *)&_metadata.version, + sizeof(struct fwu_metadata) - sizeof(uint32_t)); + +@@ -685,7 +737,7 @@ static enum fwu_agent_state_t get_fwu_agent_state( + } + + for (int i = 0; i < NR_OF_IMAGES_IN_FW_BANK; i++) { +- if ((metadata_ptr->img_entry[i].img_props[boot_index].accepted) ++ if ((metadata_ptr->fw_desc.img_entry[i].img_props[boot_index].accepted) + == (IMAGE_NOT_ACCEPTED)) { + return FWU_AGENT_STATE_TRIAL; + } +@@ -760,7 +812,7 @@ static enum fwu_agent_error_t flash_full_capsule( + } + + if (version <= +- (metadata->img_entry[IMAGE_0].img_props[active_index].version)) { ++ (metadata->fw_desc.img_entry[IMAGE_0].img_props[active_index].version)) { + FWU_LOG_MSG("ERROR: %s: version error\n\r",__func__); + return FWU_AGENT_ERROR; + } +@@ -791,9 +843,9 @@ static enum fwu_agent_error_t flash_full_capsule( + + /* Change system state to trial bank state */ + for (int i = 0; i < NR_OF_IMAGES_IN_FW_BANK; i++) { +- metadata->img_entry[i].img_props[previous_active_index].accepted = ++ metadata->fw_desc.img_entry[i].img_props[previous_active_index].accepted = + IMAGE_NOT_ACCEPTED; +- metadata->img_entry[i].img_props[previous_active_index].version = version; ++ metadata->fw_desc.img_entry[i].img_props[previous_active_index].version = version; + } + metadata->active_index = previous_active_index; + metadata->previous_active_index = active_index; +@@ -900,7 +952,7 @@ static enum fwu_agent_error_t accept_full_capsule( + FWU_LOG_MSG("%s: enter\n\r", 
__func__); + + for (int i = 0; i < NR_OF_IMAGES_IN_FW_BANK; i++) { +- metadata->img_entry[i].img_props[active_index].accepted = ++ metadata->fw_desc.img_entry[i].img_props[active_index].accepted = + IMAGE_ACCEPTED; + } + +@@ -990,7 +1042,7 @@ static enum fwu_agent_error_t fwu_select_previous( + + index = metadata->previous_active_index; + for (int i = 0; i < NR_OF_IMAGES_IN_FW_BANK; i++) { +- if (metadata->img_entry[i].img_props[index].accepted != IMAGE_ACCEPTED) ++ if (metadata->fw_desc.img_entry[i].img_props[index].accepted != IMAGE_ACCEPTED) + { + FWU_ASSERT(0); + } +@@ -1211,7 +1263,7 @@ enum fwu_agent_error_t corstone1000_fwu_host_ack(void) + /* firmware update failed, revert back to previous bank */ + + priv_metadata.fmp_last_attempt_version = +- _metadata.img_entry[IMAGE_0].img_props[_metadata.active_index].version; ++ _metadata.fw_desc.img_entry[IMAGE_0].img_props[_metadata.active_index].version; + + priv_metadata.fmp_last_attempt_status = LAST_ATTEMPT_STATUS_ERROR_UNSUCCESSFUL; + +@@ -1222,9 +1274,9 @@ enum fwu_agent_error_t corstone1000_fwu_host_ack(void) + /* firmware update successful */ + + priv_metadata.fmp_version = +- _metadata.img_entry[IMAGE_0].img_props[_metadata.active_index].version; ++ _metadata.fw_desc.img_entry[IMAGE_0].img_props[_metadata.active_index].version; + priv_metadata.fmp_last_attempt_version = +- _metadata.img_entry[IMAGE_0].img_props[_metadata.active_index].version; ++ _metadata.fw_desc.img_entry[IMAGE_0].img_props[_metadata.active_index].version; + + priv_metadata.fmp_last_attempt_status = LAST_ATTEMPT_STATUS_SUCCESS; + +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0007-platform-corstone1000-Increase-ITS-max-asset-size.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0007-platform-corstone1000-Increase-ITS-max-asset-size.patch deleted file mode 100644 index e831f0343f..0000000000 
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0007-platform-corstone1000-Increase-ITS-max-asset-size.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 2edf197735bd0efb1428c1710443dddcb376d930 Mon Sep 17 00:00:00 2001 -From: Emekcan Aras <emekcan.aras@arm.com> -Date: Wed, 17 Apr 2024 11:34:45 +0000 -Subject: [PATCH] platform: corstone1000: Increase ITS max asset size - -Increases the max asset size for ITS to enable parsec services & tests - -Upstream-Status: Pending -Signed-off-by: Emekcan Aras <emekcan.aras@arm.com> -Signed-off-by: Vikas Katariya <vikas.katariya@arm.com> ---- - platform/ext/target/arm/corstone1000/config_tfm_target.h | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/platform/ext/target/arm/corstone1000/config_tfm_target.h b/platform/ext/target/arm/corstone1000/config_tfm_target.h -index 2c7341afd4..2eb0924770 100644 ---- a/platform/ext/target/arm/corstone1000/config_tfm_target.h -+++ b/platform/ext/target/arm/corstone1000/config_tfm_target.h -@@ -20,4 +20,8 @@ - /* The maximum number of assets to be stored in the Protected Storage area. */ - #define PS_NUM_ASSETS 20 - -+/* The maximum size of asset to be stored in the Internal Trusted Storage area. */ -+#undef ITS_MAX_ASSET_SIZE -+#define ITS_MAX_ASSET_SIZE 2048 -+ - #endif /* __CONFIG_TFM_TARGET_H__ */ diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0008-Platform-CS1000-Increase-flash-PS-area-size.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0008-Platform-CS1000-Increase-flash-PS-area-size.patch new file mode 100644 index 0000000000..77e8ddbaa7 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0008-Platform-CS1000-Increase-flash-PS-area-size.patch 
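Review bot: The removed 0007 patch carried "Upstream-Status: Pending" and set ITS_MAX_ASSET_SIZE to 2048 in config_tfm_target.h "to enable parsec services & tests", and nothing in this deletion shows where that value comes from afterwards. Please state in the commit message which upstream change or remaining patch now provides the larger ITS asset size, or confirm that the parsec tests pass with the default, so that the drop is not a silent regression for key material stored through ITS.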
@@ -0,0 +1,37 @@ +From 3794ba29b66641ebecbd4dd3d9a2a2e8caeb690a Mon Sep 17 00:00:00 2001 +From: Ali Can Ozaslan <ali.oezaslan@arm.com> +Date: Mon, 15 Jul 2024 13:03:24 +0000 +Subject: [PATCH 8/9] Platform: CS1000: Increase flash PS area size + +Previously, approximately only 2MB was used out of the 8MB SE Flash. +The aim of this commit is to increase the size of PS storage in SE +Flash. +Increasing the size minimize the possibilities of it to run out +of memory as it is not cleared on reset or reprogramming of the device. + +The FLASH_PS_AREA_SIZE is increased to 6MB so now 7MB of the SE Flash +is used. The remaining 1MB is allocated for future uses. + +Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com> +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +Upstream-Status: Backport [3794ba29b66641ebecbd4dd3d9a2a2e8caeb690a] +--- + platform/ext/target/arm/corstone1000/partition/flash_layout.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/platform/ext/target/arm/corstone1000/partition/flash_layout.h b/platform/ext/target/arm/corstone1000/partition/flash_layout.h +index a181a7168..07b4cdea7 100644 +--- a/platform/ext/target/arm/corstone1000/partition/flash_layout.h ++++ b/platform/ext/target/arm/corstone1000/partition/flash_layout.h +@@ -192,7 +192,7 @@ + + #define FLASH_PS_AREA_OFFSET (FLASH_ITS_AREA_OFFSET + \ + FLASH_ITS_AREA_SIZE) +-#define FLASH_PS_AREA_SIZE (16 * SECURE_FLASH_SECTOR_SIZE) ++#define FLASH_PS_AREA_SIZE (96 * SECURE_FLASH_SECTOR_SIZE) + + /* OTP_definitions */ + #define FLASH_OTP_NV_COUNTERS_AREA_OFFSET (FLASH_PS_AREA_OFFSET + \ +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0008-Platform-CS1000-Replace-OpenAMP-with-RSE_COMMS.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0008-Platform-CS1000-Replace-OpenAMP-with-RSE_COMMS.patch deleted file mode 100644 index 3e0acbe3b9..0000000000 
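Review bot: Raising FLASH_PS_AREA_SIZE from 16 to 96 sectors moves whatever is laid out after the PS area, and the trailing context shows FLASH_OTP_NV_COUNTERS_AREA_OFFSET being computed from FLASH_PS_AREA_OFFSET. The commit message itself notes that this flash is not cleared on reset or reprogramming, so a device provisioned with the old layout would keep its OTP and NV counter data at the old offset while the firmware looks for it at the new one. Please document the migration or re-provisioning expectation for existing devices. It would also help to add a compile-time check that the end of the last area stays inside the 8MB SE Flash, because the 6MB figure in the message depends on SECURE_FLASH_SECTOR_SIZE, which this hunk does not show.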
--- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0008-Platform-CS1000-Replace-OpenAMP-with-RSE_COMMS.patch +++ /dev/null 
@@ -1,3620 +0,0 @@ -From 5e0e5207fe7edf7f9b47f0800388c7b3c9d69a1c Mon Sep 17 00:00:00 2001 -From: Bence Balogh <bence.balogh@arm.com> -Date: Mon, 26 Feb 2024 10:20:54 +0100 -Subject: [PATCH] Platform: CS1000: Replace OpenAMP with RSE_COMMS - -The RSE_COMMS files were copied from the arm/rse platform (e7fcf4e0) -Did not copy the ATU and pointer access protocol related files as -they are not supported yet in Corstone-1000. - -There were some modifications in the files: -- Remove ATU support because Corstone-1000 doesn't have ATU -- Update and extend platform specific memory and permission checks -- Remove Armv8.1-M specific calls - -The OpenAMP related files were removed from Corstone-1000. - -Signed-off-by: Bence Balogh <bence.balogh@arm.com> -Upstream-Status: Backport [75a980b37fb726dff8720b50de121c8196b70e4e] ---- - docs/platform/arm/corstone1000/readme.rst | 5 +- - .../target/arm/corstone1000/CMakeLists.txt | 5 +- - .../arm/corstone1000/Native_Driver/mhu.h | 140 +++++++ - .../Native_Driver/mhu_wrapper_v2_x.c | 353 ++++++++++++++++++ - .../ext/target/arm/corstone1000/config.cmake | 8 - - .../arm/corstone1000/openamp/CMakeLists.txt | 57 --- - ...ogger-when-the-build-type-is-release.patch | 27 -- - .../openamp/ext/libmetal/CMakeLists.txt | 23 -- - .../openamp/ext/libopenamp/CMakeLists.txt | 21 -- - .../openamp/platform_spe_dual_core_hal.c | 152 -------- - .../corstone1000/openamp/tfm_openamp_lib.h | 128 ------- - .../tfm_spe_dual_core_psa_client_secure_lib.c | 304 --------------- - .../tfm_spe_dual_core_psa_client_secure_lib.h | 39 -- - .../openamp/tfm_spe_openamp_interface.h | 39 -- - .../openamp/tfm_spe_openamp_interface_impl.c | 248 ------------ - .../tfm_spe_openamp_platform_interconnect.c | 114 ------ - .../tfm_spe_openamp_platform_interface.h | 31 -- - .../tfm_spe_psa_client_lib_unordered_map.c | 151 -------- - .../tfm_spe_psa_client_lib_unordered_map.h | 50 --- - .../openamp/tfm_spe_shm_openamp.h | 39 -- - .../arm/corstone1000/partition/region_defs.h | 12 +- 
- .../arm/corstone1000/rse_comms/CMakeLists.txt | 34 ++ - .../arm/corstone1000/rse_comms/rse_comms.c | 176 +++++++++ - .../arm/corstone1000/rse_comms/rse_comms.h | 48 +++ - .../corstone1000/rse_comms/rse_comms_hal.c | 232 ++++++++++++ - .../corstone1000/rse_comms/rse_comms_hal.h | 56 +++ - .../rse_comms/rse_comms_permissions_hal.h | 58 +++ - .../rse_comms/rse_comms_protocol.c | 120 ++++++ - .../rse_comms/rse_comms_protocol.h | 129 +++++++ - .../rse_comms/rse_comms_protocol_embed.c | 105 ++++++ - .../rse_comms/rse_comms_protocol_embed.h | 50 +++ - .../corstone1000/rse_comms/rse_comms_queue.c | 64 ++++ - .../corstone1000/rse_comms/rse_comms_queue.h | 25 ++ - .../corstone1000/rse_comms_permissions_hal.c | 177 +++++++++ - .../target/arm/corstone1000/tfm_interrupts.c | 51 +++ - 35 files changed, 1831 insertions(+), 1440 deletions(-) - create mode 100644 platform/ext/target/arm/corstone1000/Native_Driver/mhu.h - create mode 100644 platform/ext/target/arm/corstone1000/Native_Driver/mhu_wrapper_v2_x.c - delete mode 100644 platform/ext/target/arm/corstone1000/openamp/CMakeLists.txt - delete mode 100644 platform/ext/target/arm/corstone1000/openamp/ext/libmetal/0001-Disable-logger-when-the-build-type-is-release.patch - delete mode 100644 platform/ext/target/arm/corstone1000/openamp/ext/libmetal/CMakeLists.txt - delete mode 100644 platform/ext/target/arm/corstone1000/openamp/ext/libopenamp/CMakeLists.txt - delete mode 100644 platform/ext/target/arm/corstone1000/openamp/platform_spe_dual_core_hal.c - delete mode 100644 platform/ext/target/arm/corstone1000/openamp/tfm_openamp_lib.h - delete mode 100644 platform/ext/target/arm/corstone1000/openamp/tfm_spe_dual_core_psa_client_secure_lib.c - delete mode 100644 platform/ext/target/arm/corstone1000/openamp/tfm_spe_dual_core_psa_client_secure_lib.h - delete mode 100644 platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_interface.h - delete mode 100644 
platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_interface_impl.c - delete mode 100644 platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_platform_interconnect.c - delete mode 100644 platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_platform_interface.h - delete mode 100644 platform/ext/target/arm/corstone1000/openamp/tfm_spe_psa_client_lib_unordered_map.c - delete mode 100644 platform/ext/target/arm/corstone1000/openamp/tfm_spe_psa_client_lib_unordered_map.h - delete mode 100644 platform/ext/target/arm/corstone1000/openamp/tfm_spe_shm_openamp.h - create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/CMakeLists.txt - create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms.c - create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h - create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms_hal.c - create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms_hal.h - create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms_permissions_hal.h - create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol.c - create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol.h - create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol_embed.c - create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol_embed.h - create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms_queue.c - create mode 100644 platform/ext/target/arm/corstone1000/rse_comms/rse_comms_queue.h - create mode 100644 platform/ext/target/arm/corstone1000/rse_comms_permissions_hal.c - create mode 100644 platform/ext/target/arm/corstone1000/tfm_interrupts.c - -diff --git a/docs/platform/arm/corstone1000/readme.rst b/docs/platform/arm/corstone1000/readme.rst -index 59b167d8f..d46a6460e 100644 ---- a/docs/platform/arm/corstone1000/readme.rst -+++ 
b/docs/platform/arm/corstone1000/readme.rst -@@ -19,7 +19,8 @@ and boots the software ecosystem based on linux, u-boot, UEFI run time - services, TF-A, Secure Partitions and Optee. - - The communication between NSPE and SPE is based on PSA IPC protocol running on --top of FF-A/OpenAMP. -+top of the RSE communication protocol. The Corstone-1000 supports only the -+`Embed protocol`, and the ATU support is removed. - - .. toctree:: - :maxdepth: 1 -@@ -116,7 +117,7 @@ Other test configurations are: - - -DTEST_S_PS=ON/OFF - - -DTEST_S_PLATFORM=ON/OFF - --*Copyright (c) 2021-2023, Arm Limited. All rights reserved.* -+*Copyright (c) 2021-2024, Arm Limited. All rights reserved.* - - .. _Arm Ecosystem FVPs: https://developer.arm.com/tools-and-software/open-source-software/arm-platforms-software/arm-ecosystem-fvps - .. _Arm Corstone-1000 User Guide: https://corstone1000.docs.arm.com/en/corstone1000-2022.11.23/user-guide.html -diff --git a/platform/ext/target/arm/corstone1000/CMakeLists.txt b/platform/ext/target/arm/corstone1000/CMakeLists.txt -index 541504368..e2a7ac302 100644 ---- a/platform/ext/target/arm/corstone1000/CMakeLists.txt -+++ b/platform/ext/target/arm/corstone1000/CMakeLists.txt -@@ -87,7 +87,7 @@ target_add_scatter_file(bl1_2 - - #========================= Platform Secure ====================================# - --add_subdirectory(openamp) -+add_subdirectory(${CMAKE_CURRENT_LIST_DIR}/rse_comms rse_comms) - - add_subdirectory(${PLATFORM_DIR}/ext/accelerator/cc312/cc312-rom cc312-rom) - -@@ -124,6 +124,7 @@ target_sources(platform_s - Device/Source/system_core_init.c - ${PLATFORM_DIR}/ext/target/arm/drivers/usart/pl011/uart_pl011_drv.c - Native_Driver/mhu_v2_x.c -+ Native_Driver/mhu_wrapper_v2_x.c - Native_Driver/watchdog.c - Native_Driver/arm_watchdog_drv.c - $<$<BOOL:TFM_PARTITION_PLATFORM>:${CMAKE_CURRENT_SOURCE_DIR}/services/src/tfm_platform_system.c> -@@ -137,6 +138,7 @@ target_sources(platform_s - partition/partition.c - partition/gpt.c - 
$<$<NOT:$<BOOL:${PLATFORM_DEFAULT_OTP}>>:${PLATFORM_DIR}/ext/accelerator/cc312/otp_cc312.c> -+ rse_comms_permissions_hal.c - ) - - if (PLATFORM_IS_FVP) -@@ -376,6 +378,7 @@ target_sources(tfm_psa_rot_partition_ns_agent_mailbox - - target_sources(tfm_spm - PRIVATE -+ tfm_interrupts.c - tfm_hal_isolation.c - tfm_hal_platform.c - $<$<BOOL:${TFM_S_REG_TEST}>:${CMAKE_CURRENT_SOURCE_DIR}/target_cfg.c> -diff --git a/platform/ext/target/arm/corstone1000/Native_Driver/mhu.h b/platform/ext/target/arm/corstone1000/Native_Driver/mhu.h -new file mode 100644 -index 000000000..a02fdd883 ---- /dev/null -+++ b/platform/ext/target/arm/corstone1000/Native_Driver/mhu.h -@@ -0,0 +1,140 @@ -+/* -+ * Copyright (c) 2022-2023 Arm Limited. All rights reserved. -+ * -+ * Licensed under the Apache License, Version 2.0 (the "License"); -+ * you may not use this file except in compliance with the License. -+ * You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, -+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. -+ */ -+ -+#ifndef __MHU_H__ -+#define __MHU_H__ -+ -+#include <stddef.h> -+#include <stdint.h> -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/** -+ * Generic MHU error enumeration types. -+ */ -+enum mhu_error_t { -+ MHU_ERR_NONE = 0, -+ MHU_ERR_NOT_INIT = -1, -+ MHU_ERR_ALREADY_INIT = -2, -+ MHU_ERR_UNSUPPORTED_VERSION = -3, -+ MHU_ERR_UNSUPPORTED = -4, -+ MHU_ERR_INVALID_ARG = -5, -+ MHU_ERR_BUFFER_TOO_SMALL = -6, -+ MHU_ERR_GENERAL = -7, -+}; -+ -+/** -+ * \brief Initializes sender MHU. -+ * -+ * \param[in] mhu_sender_dev Pointer to the sender MHU. -+ * -+ * \return Returns mhu_error_t error code. 
-+ * -+ * \note This function must be called before mhu_send_data(). -+ */ -+enum mhu_error_t mhu_init_sender(void *mhu_sender_dev); -+ -+/** -+ * \brief Initializes receiver MHU. -+ * -+ * \param[in] mhu_receiver_dev Pointer to the receiver MHU. -+ * -+ * \return Returns mhu_error_t error code. -+ * -+ * \note This function must be called before mhu_receive_data(). -+ */ -+enum mhu_error_t mhu_init_receiver(void *mhu_receiver_dev); -+ -+/** -+ * \brief Sends data over MHU. -+ * -+ * \param[in] mhu_sender_dev Pointer to the sender MHU. -+ * \param[in] send_buffer Pointer to buffer containing the data to be -+ * transmitted. -+ * \param[in] size Size of the data to be transmitted in bytes. -+ * -+ * \return Returns mhu_error_t error code. -+ * -+ * \note The send_buffer must be 4-byte aligned and its length must be at least -+ * (4 - (size % 4)) bytes bigger than the data size to prevent buffer -+ * over-reading. -+ */ -+enum mhu_error_t mhu_send_data(void *mhu_sender_dev, -+ const uint8_t *send_buffer, -+ size_t size); -+ -+/** -+ * \brief Wait for data from MHU. -+ * -+ * \param[in] mhu_receiver_dev Pointer to the receiver MHU. -+ * -+ * \return Returns mhu_error_t error code. -+ * -+ * \note This function must be called before mhu_receive_data() if the MHU -+ * receiver interrupt is not used. -+ */ -+enum mhu_error_t mhu_wait_data(void *mhu_receiver_dev); -+ -+/** -+ * \brief Receives data from MHU. -+ * -+ * \param[in] mhu_receiver_dev Pointer to the receiver MHU. -+ * \param[out] receive_buffer Pointer the buffer where to store the -+ * received data. -+ * \param[in,out] size As input the size of the receive_buffer, -+ * as output the number of bytes received. -+ * As a limitation, the size of the buffer -+ * must be a multiple of 4. -+ * -+ * \return Returns mhu_error_t error code. -+ * -+ * \note The receive_buffer must be 4-byte aligned and its length must be a -+ * multiple of 4. 
-+ */ -+enum mhu_error_t mhu_receive_data(void *mhu_receiver_dev, -+ uint8_t *receive_buffer, -+ size_t *size); -+ -+/** -+ * \brief Signals an interrupt over the last available channel and wait for the -+ * values to be cleared by the receiver. -+ * -+ * \param[in] mhu_sender_dev Pointer to the sender MHU. -+ * \param[in] value Value that will be used while signaling. -+ * -+ * \return Returns mhu_error_t error code. -+ */ -+enum mhu_error_t signal_and_wait_for_clear(void *mhu_sender_dev, -+ uint32_t value); -+ -+/** -+ * \brief Wait for signal on the last available channel in a loop and -+ * acknowledge the transfer by clearing the status on that channel. -+ * -+ * \param[in] mhu_receiver_dev Pointer to the receiver MHU. -+ * \param[in] value Value that will be used while waiting. -+ * -+ * \return Returns mhu_error_t error code. -+ */ -+enum mhu_error_t wait_for_signal_and_clear(void *mhu_receiver_dev, -+ uint32_t value); -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* __MHU_H__ */ -diff --git a/platform/ext/target/arm/corstone1000/Native_Driver/mhu_wrapper_v2_x.c b/platform/ext/target/arm/corstone1000/Native_Driver/mhu_wrapper_v2_x.c -new file mode 100644 -index 000000000..f749f7661 ---- /dev/null -+++ b/platform/ext/target/arm/corstone1000/Native_Driver/mhu_wrapper_v2_x.c -@@ -0,0 +1,353 @@ -+/* -+ * Copyright (c) 2022-2023 Arm Limited. All rights reserved. -+ * -+ * Licensed under the Apache License, Version 2.0 (the "License"); -+ * you may not use this file except in compliance with the License. -+ * You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, -+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. 
-+ */ -+ -+#include "mhu.h" -+ -+#include <stddef.h> -+#include <stdint.h> -+ -+#include "mhu_v2_x.h" -+ -+#define MHU_NOTIFY_VALUE (1234u) -+ -+static enum mhu_error_t -+error_mapping_to_mhu_error_t(enum mhu_v2_x_error_t err) -+{ -+ switch (err) { -+ case MHU_V_2_X_ERR_NONE: -+ return MHU_ERR_NONE; -+ case MHU_V_2_X_ERR_NOT_INIT: -+ return MHU_ERR_NOT_INIT; -+ case MHU_V_2_X_ERR_ALREADY_INIT: -+ return MHU_ERR_ALREADY_INIT; -+ case MHU_V_2_X_ERR_UNSUPPORTED_VERSION: -+ return MHU_ERR_UNSUPPORTED_VERSION; -+ case MHU_V_2_X_ERR_INVALID_ARG: -+ return MHU_ERR_INVALID_ARG; -+ case MHU_V_2_X_ERR_GENERAL: -+ return MHU_ERR_GENERAL; -+ default: -+ return MHU_ERR_GENERAL; -+ } -+} -+ -+enum mhu_error_t -+signal_and_wait_for_clear(void *mhu_sender_dev, uint32_t value) -+{ -+ enum mhu_v2_x_error_t err; -+ struct mhu_v2_x_dev_t *dev; -+ uint32_t channel_notify; -+ uint32_t wait_val; -+ -+ if (mhu_sender_dev == NULL) { -+ return MHU_ERR_INVALID_ARG; -+ } -+ -+ dev = (struct mhu_v2_x_dev_t *)mhu_sender_dev; -+ -+ /* Use the last channel for notifications */ -+ channel_notify = mhu_v2_x_get_num_channel_implemented(dev) - 1; -+ -+ /* FIXME: Avoid wasting a whole channel for notifying */ -+ err = mhu_v2_x_channel_send(dev, channel_notify, value); -+ if (err != MHU_V_2_X_ERR_NONE) { -+ return error_mapping_to_mhu_error_t(err); -+ } -+ -+ do { -+ err = mhu_v2_x_channel_poll(dev, channel_notify, &wait_val); -+ if (err != MHU_V_2_X_ERR_NONE) { -+ break; -+ } -+ } while (wait_val != 0); -+ -+ return error_mapping_to_mhu_error_t(err); -+} -+ -+enum mhu_error_t -+wait_for_signal_and_clear(void *mhu_receiver_dev, uint32_t value) -+{ -+ enum mhu_v2_x_error_t err; -+ struct mhu_v2_x_dev_t *dev; -+ uint32_t channel_notify; -+ uint32_t wait_val; -+ -+ if (mhu_receiver_dev == NULL) { -+ return MHU_ERR_INVALID_ARG; -+ } -+ -+ dev = (struct mhu_v2_x_dev_t *)mhu_receiver_dev; -+ -+ /* Use the last channel for notifications */ -+ channel_notify = mhu_v2_x_get_num_channel_implemented(dev) - 1; -+ 
-+ do { -+ /* Using the last channel for notifications */ -+ err = mhu_v2_x_channel_receive(dev, channel_notify, &wait_val); -+ if (err != MHU_V_2_X_ERR_NONE) { -+ return error_mapping_to_mhu_error_t(err); -+ } -+ } while (wait_val != value); -+ -+ /* Clear the last channel */ -+ err = mhu_v2_x_channel_clear(dev, channel_notify); -+ -+ return error_mapping_to_mhu_error_t(err); -+} -+ -+static enum mhu_v2_x_error_t -+clear_and_wait_for_signal(struct mhu_v2_x_dev_t *dev) -+{ -+ enum mhu_v2_x_error_t err; -+ uint32_t num_channels = mhu_v2_x_get_num_channel_implemented(dev); -+ uint32_t val, i; -+ -+ /* Clear all channels */ -+ for (i = 0; i < num_channels; ++i) { -+ err = mhu_v2_x_channel_clear(dev, i); -+ if (err != MHU_V_2_X_ERR_NONE) { -+ return err; -+ } -+ } -+ -+ do { -+ /* Using the last channel for notifications */ -+ err = mhu_v2_x_channel_receive(dev, num_channels - 1, &val); -+ if (err != MHU_V_2_X_ERR_NONE) { -+ break; -+ } -+ } while (val != MHU_NOTIFY_VALUE); -+ -+ return err; -+} -+ -+enum mhu_error_t mhu_init_sender(void *mhu_sender_dev) -+{ -+ enum mhu_v2_x_error_t err; -+ struct mhu_v2_x_dev_t *dev = mhu_sender_dev; -+ -+ if (dev == NULL) { -+ return MHU_ERR_INVALID_ARG; -+ } -+ -+ err = mhu_v2_x_driver_init(dev, MHU_REV_READ_FROM_HW); -+ if (err != MHU_V_2_X_ERR_NONE) { -+ return error_mapping_to_mhu_error_t(err); -+ } -+ -+ /* This wrapper requires at least two channels to be implemented */ -+ if (mhu_v2_x_get_num_channel_implemented(dev) < 2) { -+ return MHU_ERR_UNSUPPORTED; -+ } -+ -+ return MHU_ERR_NONE; -+} -+ -+enum mhu_error_t mhu_init_receiver(void *mhu_receiver_dev) -+{ -+ enum mhu_v2_x_error_t err; -+ struct mhu_v2_x_dev_t *dev = mhu_receiver_dev; -+ uint32_t num_channels, i; -+ -+ if (dev == NULL) { -+ return MHU_ERR_INVALID_ARG; -+ } -+ -+ err = mhu_v2_x_driver_init(dev, MHU_REV_READ_FROM_HW); -+ if (err != MHU_V_2_X_ERR_NONE) { -+ return error_mapping_to_mhu_error_t(err); -+ } -+ -+ num_channels = 
mhu_v2_x_get_num_channel_implemented(dev); -+ -+ /* This wrapper requires at least two channels to be implemented */ -+ if (num_channels < 2) { -+ return MHU_ERR_UNSUPPORTED; -+ } -+ -+ /* Mask all channels except the notifying channel */ -+ for (i = 0; i < (num_channels - 1); ++i) { -+ err = mhu_v2_x_channel_mask_set(dev, i, UINT32_MAX); -+ if (err != MHU_V_2_X_ERR_NONE) { -+ return error_mapping_to_mhu_error_t(err); -+ } -+ } -+ -+ /* The last channel is used for notifications */ -+ err = mhu_v2_x_channel_mask_clear(dev, (num_channels - 1), UINT32_MAX); -+ if (err != MHU_V_2_X_ERR_NONE) { -+ return error_mapping_to_mhu_error_t(err); -+ } -+ -+ err = mhu_v2_x_interrupt_enable(dev, MHU_2_1_INTR_CHCOMB_MASK); -+ if (err != MHU_V_2_X_ERR_NONE) { -+ return error_mapping_to_mhu_error_t(err); -+ } -+ -+ return MHU_ERR_NONE; -+} -+ -+enum mhu_error_t mhu_send_data(void *mhu_sender_dev, -+ const uint8_t *send_buffer, -+ size_t size) -+{ -+ enum mhu_v2_x_error_t err; -+ enum mhu_error_t mhu_err; -+ struct mhu_v2_x_dev_t *dev = mhu_sender_dev; -+ uint32_t num_channels = mhu_v2_x_get_num_channel_implemented(dev); -+ uint32_t chan = 0; -+ uint32_t i; -+ uint32_t *p; -+ -+ if (dev == NULL || send_buffer == NULL) { -+ return MHU_ERR_INVALID_ARG; -+ } else if (size == 0) { -+ return MHU_ERR_NONE; -+ } -+ -+ /* For simplicity, require the send_buffer to be 4-byte aligned. */ -+ if ((uintptr_t)send_buffer & 0x3u) { -+ return MHU_ERR_INVALID_ARG; -+ } -+ -+ err = mhu_v2_x_initiate_transfer(dev); -+ if (err != MHU_V_2_X_ERR_NONE) { -+ return error_mapping_to_mhu_error_t(err); -+ } -+ -+ /* First send over the size of the actual message. 
*/ -+ err = mhu_v2_x_channel_send(dev, chan, (uint32_t)size); -+ if (err != MHU_V_2_X_ERR_NONE) { -+ return error_mapping_to_mhu_error_t(err); -+ } -+ chan++; -+ -+ p = (uint32_t *)send_buffer; -+ for (i = 0; i < size; i += 4) { -+ err = mhu_v2_x_channel_send(dev, chan, *p++); -+ if (err != MHU_V_2_X_ERR_NONE) { -+ return error_mapping_to_mhu_error_t(err); -+ } -+ if (++chan == (num_channels - 1)) { -+ mhu_err = signal_and_wait_for_clear(dev, MHU_NOTIFY_VALUE); -+ if (mhu_err != MHU_ERR_NONE) { -+ return mhu_err; -+ } -+ chan = 0; -+ } -+ } -+ -+ /* Signal the end of transfer. -+ * It's not required to send a signal when the message was -+ * perfectly-aligned ((num_channels - 1) channels were used in the last -+ * round) preventing it from signaling twice at the end of transfer. -+ */ -+ if (chan != 0) { -+ mhu_err = signal_and_wait_for_clear(dev, MHU_NOTIFY_VALUE); -+ if (mhu_err != MHU_ERR_NONE) { -+ return mhu_err; -+ } -+ } -+ -+ err = mhu_v2_x_close_transfer(dev); -+ return error_mapping_to_mhu_error_t(err); -+} -+ -+enum mhu_error_t mhu_wait_data(void *mhu_receiver_dev) -+{ -+ enum mhu_v2_x_error_t err; -+ struct mhu_v2_x_dev_t *dev = mhu_receiver_dev; -+ uint32_t num_channels = mhu_v2_x_get_num_channel_implemented(dev); -+ uint32_t val; -+ -+ do { -+ /* Using the last channel for notifications */ -+ err = mhu_v2_x_channel_receive(dev, num_channels - 1, &val); -+ if (err != MHU_V_2_X_ERR_NONE) { -+ break; -+ } -+ } while (val != MHU_NOTIFY_VALUE); -+ -+ return error_mapping_to_mhu_error_t(err); -+} -+ -+enum mhu_error_t mhu_receive_data(void *mhu_receiver_dev, -+ uint8_t *receive_buffer, -+ size_t *size) -+{ -+ enum mhu_v2_x_error_t err; -+ struct mhu_v2_x_dev_t *dev = mhu_receiver_dev; -+ uint32_t num_channels = mhu_v2_x_get_num_channel_implemented(dev); -+ uint32_t chan = 0; -+ uint32_t message_len; -+ uint32_t i; -+ uint32_t *p; -+ -+ if (dev == NULL || receive_buffer == NULL) { -+ return MHU_ERR_INVALID_ARG; -+ } -+ -+ /* For simplicity, require: -+ * - 
the receive_buffer to be 4-byte aligned, -+ * - the buffer size to be a multiple of 4. -+ */ -+ if (((uintptr_t)receive_buffer & 0x3u) || (*size & 0x3u)) { -+ return MHU_ERR_INVALID_ARG; -+ } -+ -+ /* The first word is the length of the actual message. */ -+ err = mhu_v2_x_channel_receive(dev, chan, &message_len); -+ if (err != MHU_V_2_X_ERR_NONE) { -+ return error_mapping_to_mhu_error_t(err); -+ } -+ chan++; -+ -+ if (message_len > *size) { -+ /* Message buffer too small */ -+ *size = message_len; -+ return MHU_ERR_BUFFER_TOO_SMALL; -+ } -+ -+ p = (uint32_t *)receive_buffer; -+ for (i = 0; i < message_len; i += 4) { -+ err = mhu_v2_x_channel_receive(dev, chan, p++); -+ if (err != MHU_V_2_X_ERR_NONE) { -+ return error_mapping_to_mhu_error_t(err); -+ } -+ -+ /* Only wait for next transfer if there is still missing data. */ -+ if (++chan == (num_channels - 1) && (message_len - i) > 4) { -+ /* Busy wait for next transfer */ -+ err = clear_and_wait_for_signal(dev); -+ if (err != MHU_V_2_X_ERR_NONE) { -+ return error_mapping_to_mhu_error_t(err); -+ } -+ chan = 0; -+ } -+ } -+ -+ /* Clear all channels */ -+ for (i = 0; i < num_channels; ++i) { -+ err = mhu_v2_x_channel_clear(dev, i); -+ if (err != MHU_V_2_X_ERR_NONE) { -+ return error_mapping_to_mhu_error_t(err); -+ } -+ } -+ -+ *size = message_len; -+ -+ return MHU_ERR_NONE; -+} -diff --git a/platform/ext/target/arm/corstone1000/config.cmake b/platform/ext/target/arm/corstone1000/config.cmake -index 70bbcdafd..6a805a122 100644 ---- a/platform/ext/target/arm/corstone1000/config.cmake -+++ b/platform/ext/target/arm/corstone1000/config.cmake -@@ -37,14 +37,6 @@ set(TFM_CRYPTO_TEST_ALG_CFB OFF CACHE BOOL "Test CFB cryp - set(NS FALSE CACHE BOOL "Whether to build NS app") - set(EXTERNAL_SYSTEM_SUPPORT OFF CACHE BOOL "Whether to include external system support.") - --# External dependency on OpenAMP and Libmetal --set(LIBMETAL_SRC_PATH "DOWNLOAD" CACHE PATH "Path to Libmetal (or DOWNLOAD to fetch automatically") 
--set(LIBMETAL_VERSION "f252f0e007fbfb8b3a52b1d5901250ddac96baad" CACHE STRING "The version of libmetal to use") --set(LIBMETAL_FORCE_PATCH OFF CACHE BOOL "Always apply Libmetal patches") -- --set(LIBOPENAMP_SRC_PATH "DOWNLOAD" CACHE PATH "Path to Libopenamp (or DOWNLOAD to fetch automatically") --set(OPENAMP_VERSION "347397decaa43372fc4d00f965640ebde042966d" CACHE STRING "The version of openamp to use") -- - if (${PLATFORM_IS_FVP}) - set(PLATFORM_PSA_ADAC_SECURE_DEBUG FALSE CACHE BOOL "Whether to use psa-adac secure debug.") - else() -diff --git a/platform/ext/target/arm/corstone1000/openamp/CMakeLists.txt b/platform/ext/target/arm/corstone1000/openamp/CMakeLists.txt -deleted file mode 100644 -index 32c0def25..000000000 ---- a/platform/ext/target/arm/corstone1000/openamp/CMakeLists.txt -+++ /dev/null -@@ -1,57 +0,0 @@ --#------------------------------------------------------------------------------- --# Copyright (c) 2021, Arm Limited. All rights reserved. --# --# SPDX-License-Identifier: BSD-3-Clause --# --#------------------------------------------------------------------------------- -- --add_subdirectory(ext/libmetal) --add_subdirectory(ext/libopenamp) -- --set(CMAKE_SYSTEM_PROCESSOR "arm") --set(MACHINE "template") --set(LIBMETAL_INCLUDE_DIR "${LIBMETAL_BIN_PATH}/lib/include") --set(LIBMETAL_LIB "${LIBMETAL_BIN_PATH}/lib") -- --add_subdirectory(${LIBMETAL_SRC_PATH} ${LIBMETAL_BIN_PATH}) --add_subdirectory(${LIBOPENAMP_SRC_PATH} ${LIBOPENAMP_BIN_PATH}) -- --target_include_directories(platform_s -- PRIVATE -- ${LIBMETAL_BIN_PATH}/lib/include -- ${LIBOPENAMP_SRC_PATH}/lib/include --) -- --target_include_directories(platform_s -- PUBLIC -- . 
--) -- --target_sources(platform_s -- PRIVATE -- tfm_spe_openamp_platform_interconnect.c -- tfm_spe_dual_core_psa_client_secure_lib.c -- tfm_spe_openamp_interface_impl.c -- platform_spe_dual_core_hal.c -- tfm_spe_psa_client_lib_unordered_map.c --) -- --target_link_libraries(open_amp-static -- PRIVATE -- metal-static --) -- --target_compile_definitions(open_amp-static -- PRIVATE -- RPMSG_BUFFER_SIZE=8192 --) -- --target_link_libraries(platform_s -- PRIVATE -- open_amp-static --) -- --# Export header file shared with non-secure side --install(FILES tfm_openamp_lib.h -- DESTINATION ${INSTALL_INTERFACE_INC_DIR} --) -diff --git a/platform/ext/target/arm/corstone1000/openamp/ext/libmetal/0001-Disable-logger-when-the-build-type-is-release.patch b/platform/ext/target/arm/corstone1000/openamp/ext/libmetal/0001-Disable-logger-when-the-build-type-is-release.patch -deleted file mode 100644 -index 7c5eacc9f..000000000 ---- a/platform/ext/target/arm/corstone1000/openamp/ext/libmetal/0001-Disable-logger-when-the-build-type-is-release.patch -+++ /dev/null -@@ -1,27 +0,0 @@ --From d9d92c8848e4567f208f1900aff57e6a234c8130 Mon Sep 17 00:00:00 2001 --From: Mohamed Omar Asaker <mohamed.omarasaker@arm.com> --Date: Wed, 7 Dec 2022 12:37:22 +0000 --Subject: [PATCH] Disable logger when the build type is release -- --Signed-off-by: Mohamed Omar Asaker <mohamed.omarasaker@arm.com> ----- -- cmake/options.cmake | 3 ++- -- 1 file changed, 2 insertions(+), 1 deletion(-) -- --diff --git a/cmake/options.cmake b/cmake/options.cmake --index 25c7c96..7a2b116 100644 ----- a/cmake/options.cmake --+++ b/cmake/options.cmake --@@ -55,7 +55,8 @@ if (WITH_ZEPHYR) -- option (WITH_ZEPHYR_LIB "Build libmetal as a zephyr library" OFF) -- endif (WITH_ZEPHYR) -- ---option (WITH_DEFAULT_LOGGER "Build with default logger" ON) --+include(CMakeDependentOption) --+cmake_dependent_option(WITH_DEFAULT_LOGGER "Build with default logger" ON "${CMAKE_BUILD_TYPE} STREQUAL Debug" OFF) -- -- option (WITH_DOC "Build with 
documentation" ON) -- ---- --2.25.1 -- -diff --git a/platform/ext/target/arm/corstone1000/openamp/ext/libmetal/CMakeLists.txt b/platform/ext/target/arm/corstone1000/openamp/ext/libmetal/CMakeLists.txt -deleted file mode 100644 -index fa37fd6be..000000000 ---- a/platform/ext/target/arm/corstone1000/openamp/ext/libmetal/CMakeLists.txt -+++ /dev/null -@@ -1,23 +0,0 @@ --#------------------------------------------------------------------------------- --# Copyright (c) 2021-2022, Arm Limited. All rights reserved. --# Copyright (c) 2022 Cypress Semiconductor Corporation (an Infineon company) --# or an affiliate of Cypress Semiconductor Corporation. All rights reserved. --# --# SPDX-License-Identifier: BSD-3-Clause --# --#------------------------------------------------------------------------------- -- --fetch_remote_library( -- LIB_NAME libmetal -- LIB_SOURCE_PATH_VAR LIBMETAL_SRC_PATH -- LIB_BINARY_PATH_VAR LIBMETAL_BIN_PATH -- LIB_PATCH_DIR ${CMAKE_CURRENT_LIST_DIR} -- LIB_FORCE_PATCH LIBMETAL_FORCE_PATCH -- FETCH_CONTENT_ARGS -- GIT_TAG ${LIBMETAL_VERSION} -- GIT_REPOSITORY https://github.com/OpenAMP/libmetal.git --) -- --if (NOT LIB_BINARY_PATH_VAR) --set(LIBMETAL_BIN_PATH "${CMAKE_SOURCE_DIR}/build/lib/ext/libmetal-subbuild" CACHE PATH "Path to build directory of libmetal.") --endif() -diff --git a/platform/ext/target/arm/corstone1000/openamp/ext/libopenamp/CMakeLists.txt b/platform/ext/target/arm/corstone1000/openamp/ext/libopenamp/CMakeLists.txt -deleted file mode 100644 -index 28c5fa284..000000000 ---- a/platform/ext/target/arm/corstone1000/openamp/ext/libopenamp/CMakeLists.txt -+++ /dev/null -@@ -1,21 +0,0 @@ --#------------------------------------------------------------------------------- --# Copyright (c) 2020-2022, Arm Limited. All rights reserved. --# Copyright (c) 2022 Cypress Semiconductor Corporation (an Infineon company) --# or an affiliate of Cypress Semiconductor Corporation. All rights reserved. 
--# --# SPDX-License-Identifier: BSD-3-Clause --# --#------------------------------------------------------------------------------- -- --fetch_remote_library( -- LIB_NAME libopenamp -- LIB_SOURCE_PATH_VAR LIBOPENAMP_SRC_PATH -- LIB_BINARY_PATH_VAR LIBOPENAMP_BIN_PATH -- FETCH_CONTENT_ARGS -- GIT_TAG ${OPENAMP_VERSION} -- GIT_REPOSITORY https://github.com/OpenAMP/open-amp.git --) -- --if (NOT LIB_BINARY_PATH_VAR) --set(LIBOPENAMP_BIN_PATH "${CMAKE_SOURCE_DIR}/build/lib/ext/libopenamp-subbuild" CACHE PATH "Path to build directory of open-amp.") --endif() -diff --git a/platform/ext/target/arm/corstone1000/openamp/platform_spe_dual_core_hal.c b/platform/ext/target/arm/corstone1000/openamp/platform_spe_dual_core_hal.c -deleted file mode 100644 -index 7613345ff..000000000 ---- a/platform/ext/target/arm/corstone1000/openamp/platform_spe_dual_core_hal.c -+++ /dev/null -@@ -1,152 +0,0 @@ --/* -- * Copyright (c) 2021, Arm Limited. All rights reserved. -- * Copyright (c) 2021-2022 Cypress Semiconductor Corporation (an Infineon -- * company) or an affiliate of Cypress Semiconductor Corporation. All rights -- * reserved. 
-- * -- * SPDX-License-Identifier: BSD-3-Clause -- */ -- --#include "tfm_spe_openamp_platform_interface.h" --#include "device_cfg.h" --#include "device_definition.h" --#include "load/interrupt_defs.h" --#include "mhu_v2_x.h" --#include "tfm_plat_defs.h" --#include "tfm_spm_log.h" --#include "cmsis.h" -- --#define MHU1_SEH_NOTIFY_CH 0 --#define MHU1_SEH_NOTIFY_VAL 1234 -- --static enum tfm_plat_err_t initialize_secure_enclave_to_host_mhu(void) --{ -- enum mhu_v2_x_error_t status; -- -- status = mhu_v2_x_driver_init(&MHU1_SE_TO_HOST_DEV, MHU_REV_READ_FROM_HW); -- if (status != MHU_V_2_X_ERR_NONE) { -- SPMLOG_ERRMSGVAL("Secure-enclave to Host MHU driver initialization failed: ", status); -- return TFM_PLAT_ERR_SYSTEM_ERR; -- } -- SPMLOG_INFMSG("Secure-enclave to Host MHU Driver initialized successfully.\r\n"); -- -- return TFM_PLAT_ERR_SUCCESS; --} -- --static enum tfm_plat_err_t initialize_host_to_secure_enclave_mhu(void) --{ -- enum mhu_v2_x_error_t status; -- -- status = mhu_v2_x_driver_init(&MHU1_HOST_TO_SE_DEV, MHU_REV_READ_FROM_HW); -- if (status != MHU_V_2_X_ERR_NONE) { -- SPMLOG_ERRMSGVAL("Host to secure-enclave MHU driver initialization failed: ", status); -- return TFM_PLAT_ERR_SYSTEM_ERR; -- } -- SPMLOG_INFMSG("Host to secure-enclave MHU Driver initialized successfully.\r\n"); -- -- NVIC_EnableIRQ(HSE1_RECEIVER_COMBINED_IRQn); -- -- return TFM_PLAT_ERR_SUCCESS; --} -- --static struct irq_t mbox_irq_info = {0}; -- --void HSE1_RECEIVER_COMBINED_IRQHandler(void) --{ -- spm_handle_interrupt(mbox_irq_info.p_pt, mbox_irq_info.p_ildi); -- -- mhu_v2_x_channel_clear(&MHU1_HOST_TO_SE_DEV, 0); -- NVIC_ClearPendingIRQ(HSE1_RECEIVER_COMBINED_IRQn); --} -- --enum tfm_hal_status_t mailbox_irq_init(void *p_pt, -- const struct irq_load_info_t *p_ildi) --{ -- mbox_irq_info.p_pt = p_pt; -- mbox_irq_info.p_ildi = p_ildi; -- -- return TFM_HAL_SUCCESS; --} -- --enum tfm_plat_err_t tfm_dual_core_hal_init(void) --{ -- enum tfm_plat_err_t status; -- -- status = 
initialize_host_to_secure_enclave_mhu(); -- if (status) { -- return status; -- } -- status = initialize_secure_enclave_to_host_mhu(); -- -- return status; --} -- --enum tfm_plat_err_t tfm_hal_notify_peer(void) --{ -- uint32_t access_ready; -- enum mhu_v2_x_error_t status; -- struct mhu_v2_x_dev_t* dev = &MHU1_SE_TO_HOST_DEV; -- -- status = mhu_v2_x_set_access_request(dev); -- if (status != MHU_V_2_X_ERR_NONE) { -- SPMLOG_ERRMSGVAL("mhu_v2_x_set_access_request failed : ", status); -- return TFM_PLAT_ERR_SYSTEM_ERR; -- } -- -- do { -- status = mhu_v2_x_get_access_ready(dev, &access_ready); -- if (status != MHU_V_2_X_ERR_NONE) { -- SPMLOG_ERRMSGVAL("mhu_v2_x_get_access_ready failed : ", status); -- return TFM_PLAT_ERR_SYSTEM_ERR; -- } -- } while(!access_ready); -- -- status = mhu_v2_x_channel_send(dev, MHU1_SEH_NOTIFY_CH, MHU1_SEH_NOTIFY_VAL); -- -- if (status != MHU_V_2_X_ERR_NONE) { -- SPMLOG_ERRMSGVAL("mhu_v2_x_channel_send : ", status); -- return TFM_PLAT_ERR_SYSTEM_ERR; -- } -- -- status = mhu_v2_x_reset_access_request(dev); -- if (status != MHU_V_2_X_ERR_NONE) { -- SPMLOG_ERRMSGVAL("mhu_v2_x_reset_access_request : ", status); -- return TFM_PLAT_ERR_SYSTEM_ERR; -- } -- return TFM_PLAT_ERR_SUCCESS; --} -- --/* -- * The function is implemented to support libmetal's mutex and spinlock -- * implementation. The GCC does not support a respective builtin -- * functions for Cortex M0+. So below function provides the -- * missing link for libmetal compilation. -- * This function will prevent race condition between PendSV context (where -- * entries are inserted into unordered map) and service threads (where -- * entries are removed from the unordered map). 
-- */ --bool __atomic_compare_exchange_4(volatile void *mem, void *expected, -- uint32_t desired, bool var, int success, int failure) --{ -- bool ret = false; -- volatile uint32_t *location = mem; -- volatile uint32_t *old_val = expected; -- /* unused variables */ -- (void)var; -- (void)success; -- (void)failure; -- -- NVIC_DisableIRQ(PendSV_IRQn); -- -- do { -- if (*location != *old_val) { -- break; -- } -- *location = desired; -- ret = true; -- } while (0); -- -- NVIC_EnableIRQ(PendSV_IRQn); -- -- return ret; --} -diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_openamp_lib.h b/platform/ext/target/arm/corstone1000/openamp/tfm_openamp_lib.h -deleted file mode 100644 -index 2996ba9a8..000000000 ---- a/platform/ext/target/arm/corstone1000/openamp/tfm_openamp_lib.h -+++ /dev/null -@@ -1,128 +0,0 @@ --/* -- * Copyright (c) 2021, Arm Limited. All rights reserved. -- * -- * SPDX-License-Identifier: BSD-3-Clause -- * -- */ -- --/* -- * This header file is common to NSPE and SPE PSA client libraries. 
-- */ -- --#ifndef __TFM_OPENAMP_LIB_H__ --#define __TFM_OPENAMP_LIB_H__ -- --#include <stdint.h> --#include "psa/client.h" -- --#ifdef __cplusplus --extern "C" { --#endif -- --/* PSA client call type value */ --#define OPENAMP_PSA_FRAMEWORK_VERSION (0x1) --#define OPENAMP_PSA_VERSION (0x2) --#define OPENAMP_PSA_CONNECT (0x3) --#define OPENAMP_PSA_CALL (0x4) --#define OPENAMP_PSA_CLOSE (0x5) -- --/* Return code of openamp APIs */ --#define OPENAMP_SUCCESS (0) --#define OPENAMP_MAP_FULL (INT32_MIN + 1) --#define OPENAMP_MAP_ERROR (INT32_MIN + 2) --#define OPENAMP_INVAL_PARAMS (INT32_MIN + 3) --#define OPENAMP_NO_PERMS (INT32_MIN + 4) --#define OPENAMP_NO_PEND_EVENT (INT32_MIN + 5) --#define OPENAMP_CHAN_BUSY (INT32_MIN + 6) --#define OPENAMP_CALLBACK_REG_ERROR (INT32_MIN + 7) --#define OPENAMP_INIT_ERROR (INT32_MIN + 8) -- --#define HOLD_INPUT_BUFFER (1) /* IF true, TF-M Library will hold the openamp -- * buffer so that openamp shared memory buffer -- * does not get freed. -- */ -- --/* -- * This structure holds the parameters used in a PSA client call. -- */ --typedef struct __attribute__((packed)) psa_client_in_params { -- union { -- struct __attribute__((packed)) { -- uint32_t sid; -- } psa_version_params; -- -- struct __attribute__((packed)) { -- uint32_t sid; -- uint32_t version; -- } psa_connect_params; -- -- struct __attribute__((packed)) { -- psa_handle_t handle; -- int32_t type; -- uint32_t in_vec; -- uint32_t in_len; -- uint32_t out_vec; -- uint32_t out_len; -- } psa_call_params; -- -- struct __attribute__((packed)) { -- psa_handle_t handle; -- } psa_close_params; -- }; --} psa_client_in_params_t; -- --/* Openamp message passed from NSPE to SPE to deliver a PSA client call */ --typedef struct __attribute__((packed)) ns_openamp_msg { -- uint32_t call_type; /* PSA client call type */ -- psa_client_in_params_t params; /* Contain parameters used in PSA -- * client call -- */ -- -- int32_t client_id; /* Optional client ID of the -- * non-secure caller. 
-- * It is required to identify the -- * non-secure task when NSPE OS -- * enforces non-secure task -- * isolation -- */ -- int32_t request_id; /* This is the unique ID for a -- * request send to TF-M by the -- * non-secure core. TF-M forward -- * the ID back to non-secure on the -- * reply to a given request. Using -- * this id, the non-secure library -- * can identify the request for -- * which the reply has received. -- */ --} ns_openamp_msg_t; -- --/* -- * This structure holds the location of the out data of the PSA client call. -- */ --typedef struct __attribute__((packed)) psa_client_out_params { -- uint32_t out_vec; -- uint32_t out_len; --} psa_client_out_params_t; -- -- --/* Openamp message from SPE to NSPE delivering the reply back for a PSA client -- * call. -- */ --typedef struct __attribute__((packed)) s_openamp_msg { -- int32_t request_id; /* Using this id, the non-secure -- * library identifies the request. -- * TF-M forwards the same -- * request-id received on the -- * initial request. -- */ -- int32_t reply; /* Reply of the PSA client call */ -- psa_client_out_params_t params; /* Contain out data result of the -- * PSA client call. -- */ --} s_openamp_msg_t; -- --#ifdef __cplusplus --} --#endif -- --#endif /* __TFM_OPENAMP_LIB_H__ */ -diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_dual_core_psa_client_secure_lib.c b/platform/ext/target/arm/corstone1000/openamp/tfm_spe_dual_core_psa_client_secure_lib.c -deleted file mode 100644 -index d2eabe144..000000000 ---- a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_dual_core_psa_client_secure_lib.c -+++ /dev/null -@@ -1,304 +0,0 @@ --/* -- * Copyright (c) 2021-2022, Arm Limited. All rights reserved. -- * Copyright (c) 2021-2023 Cypress Semiconductor Corporation (an Infineon company) -- * or an affiliate of Cypress Semiconductor Corporation. All rights reserved. 
-- * -- * SPDX-License-Identifier: BSD-3-Clause -- * -- */ -- --#include "config_impl.h" --#include "tfm_psa_call_pack.h" --#include "tfm_spe_dual_core_psa_client_secure_lib.h" --#include "tfm_rpc.h" --#include "tfm_spe_openamp_interface.h" --#include "tfm_spm_log.h" --#include "tfm_spe_psa_client_lib_unordered_map.h" --#include "psa/error.h" --#include "utilities.h" --#include "thread.h" -- --/** -- * In linux environment and for psa_call type client api, -- * the layout of the reply from tf-m to linux is as following. -- */ --typedef struct output_buffer_with_payload { -- s_openamp_msg_t header; -- psa_outvec outvec[PSA_MAX_IOVEC]; -- uint8_t payload[]; /* outdata follows */ --} output_buffer_with_payload_t; -- --static void prepare_and_send_output_msg(int32_t reply, int32_t request_id) --{ -- s_openamp_msg_t msg; -- -- msg.request_id = request_id; -- msg.reply = reply; -- -- msg.params.out_vec = 0; -- msg.params.out_len = 0; -- -- tfm_to_openamp_reply_back(&msg, sizeof(msg)); --} -- --static void prepare_and_send_preallocated_output_msg(int32_t reply, -- const unordered_map_entry_t* s_map_entry) --{ -- uint32_t out_len = s_map_entry->msg.params.psa_call_params.out_len; -- output_buffer_with_payload_t *output_msg = (output_buffer_with_payload_t*)s_map_entry->output_buffer; -- -- output_msg->header.request_id = s_map_entry->msg.request_id; -- output_msg->header.reply = reply; -- -- output_msg->header.params.out_vec = -- (uint32_t)tfm_to_openamp_translate_secure_to_non_secure_ptr( -- output_msg->outvec); -- output_msg->header.params.out_len = out_len; -- -- for (int i = 0; i < out_len; i++) { -- output_msg->outvec[i].base = tfm_to_openamp_translate_secure_to_non_secure_ptr( -- output_msg->outvec[i].base); -- } -- -- /* send msg to non-secure side */ -- tfm_to_openamp_reply_back_no_copy(output_msg, s_map_entry->output_buffer_len); --} -- --void send_service_reply_to_non_secure(int32_t reply, void *private) --{ -- unordered_map_handle_t handle; -- const 
unordered_map_entry_t* s_map_entry = (const unordered_map_entry_t*)private; -- -- if (s_map_entry->is_input_buffer_hold) { -- tfm_to_openamp_release_buffer(s_map_entry->input_buffer); -- } -- -- if (s_map_entry->is_output_buffer) { -- prepare_and_send_preallocated_output_msg(reply, s_map_entry); -- } else { -- prepare_and_send_output_msg(reply, s_map_entry->msg.request_id); -- } -- -- handle = unordered_map_get_entry_handle(s_map_entry); -- if (handle == INVALID_MAP_HANDLE) { -- SPMLOG_ERRMSG("FATAL_ERROR: Map handle not valid\r\n"); -- SPM_ASSERT(0); -- } -- unordered_map_free(handle); --} -- --static psa_invec * prepare_in_vecs(unordered_map_entry_t* s_map_entry) --{ -- uint32_t in_len = s_map_entry->msg.params.psa_call_params.in_len; -- SPM_ASSERT(in_len <= PSA_MAX_IOVEC); -- -- psa_invec *input_buffer_in_vec = (psa_invec*)tfm_to_openamp_translate_non_secure_to_secure_ptr( -- (void*)s_map_entry->msg.params.psa_call_params.in_vec); -- for (int i = 0; i < in_len; i++) { -- input_buffer_in_vec[i].base = tfm_to_openamp_translate_non_secure_to_secure_ptr( -- input_buffer_in_vec[i].base); -- } -- -- return input_buffer_in_vec; --} -- --static void * alloc_output_buffer_in_shared_mem(size_t length, -- unordered_map_entry_t* s_map_entry) --{ -- uint32_t buffer_sz = 0; -- -- /* pre allocate output_buffer space from openamp shared memory */ -- s_map_entry->output_buffer = tfm_to_openamp_get_buffer(&buffer_sz); -- SPM_ASSERT((s_map_entry->output_buffer != NULL) && (buffer_sz >= length)); -- s_map_entry->is_output_buffer = true; -- s_map_entry->output_buffer_len = length; -- spm_memset(s_map_entry->output_buffer, 0x0, length); -- -- return s_map_entry->output_buffer; --} -- --static psa_status_t alloc_and_prepare_out_vecs(psa_outvec **out_vec_start_ptr, -- unordered_map_entry_t* s_map_entry) --{ -- psa_outvec *input_buffer_outvec = NULL; -- size_t output_buffer_len = 0; -- size_t current_outdata_len = 0; -- output_buffer_with_payload_t *out_buffer = NULL; -- int 
max_shared_mem_buffer_size = 0; -- uint32_t out_len = s_map_entry->msg.params.psa_call_params.out_len; -- -- SPM_ASSERT(out_len <= PSA_MAX_IOVEC); -- *out_vec_start_ptr = NULL; -- -- if (out_len == 0) { -- return PSA_SUCCESS; -- } -- -- input_buffer_outvec = (psa_outvec*)tfm_to_openamp_translate_non_secure_to_secure_ptr( -- (void*)s_map_entry->msg.params.psa_call_params.out_vec); -- -- /* calculate and validate out data len */ -- output_buffer_len = sizeof(output_buffer_with_payload_t); -- for (int i = 0; i < out_len; i++) { -- output_buffer_len += input_buffer_outvec[i].len; -- } -- max_shared_mem_buffer_size = tfm_to_openamp_get_buffer_size(); -- if (output_buffer_len > max_shared_mem_buffer_size) { -- SPMLOG_ERRMSGVAL("required buffer size : ", output_buffer_len); -- SPMLOG_ERRMSGVAL(" is more than maximum available : ", max_shared_mem_buffer_size); -- return PSA_ERROR_INVALID_ARGUMENT; -- } -- -- /* prepare output buffer layout */ -- out_buffer = (output_buffer_with_payload_t*)alloc_output_buffer_in_shared_mem( -- output_buffer_len, s_map_entry); -- -- for (int i = 0; i < PSA_MAX_IOVEC; i++) { -- if (i < out_len) { -- out_buffer->outvec[i].base = &out_buffer->payload[current_outdata_len]; -- out_buffer->outvec[i].len = input_buffer_outvec[i].len; -- current_outdata_len += input_buffer_outvec[i].len; -- } else { -- out_buffer->outvec[i].base = NULL; -- out_buffer->outvec[i].len = 0; -- } -- } -- -- *out_vec_start_ptr = out_buffer->outvec; -- -- return PSA_SUCCESS; --} -- --static psa_status_t prepare_params_for_psa_call(struct client_params_t *params, -- unordered_map_entry_t* s_map_entry) --{ -- psa_status_t ret = PSA_SUCCESS; -- -- params->ns_client_id_stateless = s_map_entry->msg.client_id; -- -- params->p_outvecs = NULL; -- ret = alloc_and_prepare_out_vecs(¶ms->p_outvecs, s_map_entry); -- if (ret != PSA_SUCCESS) { -- return ret; -- } -- -- params->p_invecs = prepare_in_vecs(s_map_entry); -- -- /* hold the input shared memory */ -- 
tfm_to_openamp_hold_buffer(s_map_entry->input_buffer); -- s_map_entry->is_input_buffer_hold = true; -- -- return ret; --} -- --__STATIC_INLINE int32_t check_msg(const ns_openamp_msg_t *msg) --{ -- /* -- * TODO -- * Comprehensive check of openamp msessage content can be implemented here. -- */ -- (void)msg; -- return OPENAMP_SUCCESS; --} -- --static void send_error_to_non_secure(int32_t reply, int32_t request_id) --{ -- prepare_and_send_output_msg(reply, request_id); --} -- --int32_t register_msg_to_spe_and_verify(void **private, const void *data, size_t len) --{ -- unordered_map_entry_t *s_map_entry; -- ns_openamp_msg_t *ns_msg; -- unordered_map_handle_t map_handle; -- int32_t ret = OPENAMP_SUCCESS; -- -- *private = NULL; -- -- if (len < sizeof(ns_openamp_msg_t)) { -- SPMLOG_ERRMSG("Invalid parameters.\r\n"); -- send_error_to_non_secure(OPENAMP_INVAL_PARAMS, 0); -- return OPENAMP_INVAL_PARAMS; -- } -- -- /* start of the data is with "ns_openamp_msg_t" */ -- ns_msg = (ns_openamp_msg_t*)data; -- ret = unordered_map_insert(ns_msg, data, &map_handle); -- if (ret) { -- SPMLOG_ERRMSG("Map insert failed\r\n"); -- send_error_to_non_secure(OPENAMP_MAP_FULL, ns_msg->request_id); -- return OPENAMP_MAP_FULL; -- } -- -- s_map_entry = unordered_map_get_entry_ptr(map_handle); -- -- /* verify msg after copy to the secure memory */ -- if (check_msg(&s_map_entry->msg)) { -- SPMLOG_ERRMSG("Message is invalid\r\n"); -- send_error_to_non_secure(OPENAMP_INVAL_PARAMS, ns_msg->request_id); -- unordered_map_free(map_handle); -- return OPENAMP_INVAL_PARAMS; -- } -- -- *private = s_map_entry; -- -- return ret; --} -- --void deliver_msg_to_tfm_spe(void *private) --{ -- struct client_params_t params = {0}; -- psa_status_t psa_ret = PSA_ERROR_GENERIC_ERROR; -- unordered_map_entry_t* s_map_entry = (unordered_map_entry_t*)private; -- -- switch(s_map_entry->msg.call_type) { -- case OPENAMP_PSA_FRAMEWORK_VERSION: -- psa_ret = tfm_rpc_psa_framework_version(); -- 
send_service_reply_to_non_secure(psa_ret, s_map_entry); -- break; -- case OPENAMP_PSA_VERSION: -- psa_ret = tfm_rpc_psa_version(s_map_entry->msg.params.psa_version_params.sid); -- send_service_reply_to_non_secure(psa_ret, s_map_entry); -- break; -- case OPENAMP_PSA_CALL: -- psa_ret = prepare_params_for_psa_call(¶ms, s_map_entry); -- if (psa_ret != PSA_SUCCESS) { -- send_service_reply_to_non_secure(psa_ret, s_map_entry); -- break; -- } -- psa_ret = tfm_rpc_psa_call(s_map_entry->msg.params.psa_call_params.handle, -- PARAM_PACK(s_map_entry->msg.params.psa_call_params.type, -- s_map_entry->msg.params.psa_call_params.in_len, -- s_map_entry->msg.params.psa_call_params.out_len), -- ¶ms, NULL); -- if (psa_ret != PSA_SUCCESS) { -- send_service_reply_to_non_secure(psa_ret, s_map_entry); -- break; -- } -- break; --#if CONFIG_TFM_CONNECTION_BASED_SERVICE_API == 1 -- case OPENAMP_PSA_CONNECT: -- psa_ret = tfm_rpc_psa_connect(s_map_entry->msg.params.psa_connect_params.sid, -- s_map_entry->msg.params.psa_connect_params.version, -- s_map_entry->msg.client_id, -- NULL); -- if (psa_ret != PSA_SUCCESS) { -- send_service_reply_to_non_secure(psa_ret, s_map_entry); -- } -- break; -- case OPENAMP_PSA_CLOSE: -- tfm_rpc_psa_close(s_map_entry->msg.params.psa_close_params.handle); -- break; --#endif /* CONFIG_TFM_CONNECTION_BASED_SERVICE_API == 1 */ -- default: -- SPMLOG_ERRMSG("msg type did not recognized\r\n"); -- send_error_to_non_secure(OPENAMP_INVAL_PARAMS, s_map_entry->msg.request_id); -- unordered_map_free(unordered_map_get_entry_handle(s_map_entry)); -- break; -- } --} -- --void init_dual_core_psa_client_secure_lib(void) --{ -- unordered_map_init(); --} -diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_dual_core_psa_client_secure_lib.h b/platform/ext/target/arm/corstone1000/openamp/tfm_spe_dual_core_psa_client_secure_lib.h -deleted file mode 100644 -index de7891b83..000000000 ---- 
a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_dual_core_psa_client_secure_lib.h -+++ /dev/null -@@ -1,39 +0,0 @@ --/* -- * Copyright (c) 2021, Arm Limited. All rights reserved. -- * -- * SPDX-License-Identifier: BSD-3-Clause -- * -- */ -- --#ifndef __TFM_SPE_DUAL_CORE_PSA_CLIENT_SECURE_LIB_H__ --#define __TFM_SPE_DUAL_CORE_PSA_CLIENT_SECURE_LIB_H__ -- --#include "tfm_openamp_lib.h" -- --/** -- * \brief Initializes the library. -- */ --void init_dual_core_psa_client_secure_lib(void); -- --/** -- * \brief Decodes the messages received from the NSPE before sending -- * to SPE. -- */ --void deliver_msg_to_tfm_spe(void *private); -- --/** -- * \brief Encodes the reply of service before sending it to NSPE. -- */ --void send_service_reply_to_non_secure(int32_t reply, void *private); -- --/** -- * \brief Validate and register the message. The message details are -- * copied inside the unordered_map. -- * -- * \retval OPENAMP_SUCCESS Successfully registered the message. -- * \retval Other return code Operation failed with an error code. -- */ --int32_t register_msg_to_spe_and_verify(void **private, -- const void *data, size_t len); -- --#endif /* __TFM_SPE_DUAL_CORE_PSA_CLIENT_SECURE_LIB_H__ */ -diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_interface.h b/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_interface.h -deleted file mode 100644 -index 25afd5017..000000000 ---- a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_interface.h -+++ /dev/null -@@ -1,39 +0,0 @@ --/* -- * Copyright (c) 2020 Linaro Limited -- * -- * Copyright (c) 2021, Arm Limited. All rights reserved. 
-- * -- * SPDX-License-Identifier: BSD-3-Clause -- * -- */ -- --#ifndef TFM_SPE_OPENAMP_INTERFACE_H_ --#define TFM_SPE_OPENAMP_INTERFACE_H_ -- --#define SUCCESS (0) --#define ERROR (INT32_MIN + 1) -- -- --typedef void (*openamp_to_tfm_callback)(const void *data, -- size_t len); --typedef void (*openamp_to_tfm_notify)(void); -- --/* -- * These functions are the logical interface from TF-M to -- * OpenAMP. -- */ --int32_t tfm_to_openamp_init(openamp_to_tfm_callback cb, -- openamp_to_tfm_notify notify); --void tfm_to_openamp_notify(void); --void tfm_to_openamp_spe_map_spinlock_acquire(void); --void tfm_to_openamp_spe_map_spinlock_release(void); --void tfm_to_openamp_reply_back(const void* data, size_t len); --void tfm_to_openamp_reply_back_no_copy(const void* data, size_t len); --void tfm_to_openamp_hold_buffer(const void *buffer); --void tfm_to_openamp_release_buffer(const void *buffer); --void *tfm_to_openamp_get_buffer(uint32_t *len); --int tfm_to_openamp_get_buffer_size(void); --void *tfm_to_openamp_translate_non_secure_to_secure_ptr(const void *ptr); --void *tfm_to_openamp_translate_secure_to_non_secure_ptr(const void *ptr); -- --#endif /* TFM_SPE_OPENAMP_INTERFACE_H_ */ -diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_interface_impl.c b/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_interface_impl.c -deleted file mode 100644 -index aa16e9929..000000000 ---- a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_interface_impl.c -+++ /dev/null -@@ -1,248 +0,0 @@ --/* -- * Copyright (c) 2020 Linaro Limited -- * -- * Copyright (c) 2021, Arm Limited. All rights reserved. 
-- * -- * SPDX-License-Identifier: BSD-3-Clause -- * -- */ -- --#include <metal/device.h> --#include <metal/spinlock.h> --#include <openamp/open_amp.h> -- --#include "tfm_spe_openamp_interface.h" --#include "tfm_spm_log.h" --#include "tfm_spe_shm_openamp.h" -- --static metal_phys_addr_t shm_physmap[] = { SHM_START_PHY_ADDR }; --static struct metal_device shm_device = { -- .name = SHM_DEVICE_NAME, -- .bus = NULL, -- .num_regions = 1, -- { -- { -- .virt = (void *) SHM_START_VIRT_ADDR, -- .physmap = shm_physmap, -- .size = SHM_SIZE, -- .page_shift = 0xffffffff, -- .page_mask = 0xffffffff, -- .mem_flags = 0, -- .ops = { NULL }, -- }, -- }, -- .node = { NULL }, -- .irq_num = 0, -- .irq_info = NULL --}; -- --/* Space to be used by virtqueues */ --#define VQ_STATIC_SIZE (sizeof(struct virtqueue) + (VRING_SIZE * sizeof(struct vq_desc_extra))) --uint8_t vq1_static_space[VQ_STATIC_SIZE]; --uint8_t vq2_static_space[VQ_STATIC_SIZE]; -- --static struct virtio_vring_info rvrings[2]; -- --static struct virtio_device vdev; --static struct rpmsg_virtio_device rvdev; --static struct metal_io_region *io; --static struct virtqueue *vq[2]; --static struct rpmsg_virtio_shm_pool shpool; --static struct rpmsg_endpoint tfm_ept; --static struct rpmsg_endpoint *ep = &tfm_ept; --static struct metal_spinlock spe_map_slock; --static openamp_to_tfm_callback tfm_callback = NULL; --static openamp_to_tfm_notify tfm_notify = NULL; -- --static unsigned char virtio_get_status(struct virtio_device *vdev) --{ -- (void)vdev; -- uint32_t status = *(uint32_t *)VDEV_STATUS_ADDR; -- return status; --} -- --static void virtio_set_status(struct virtio_device *vdev, unsigned char status) --{ -- (void)vdev; -- *(uint32_t *)VDEV_STATUS_ADDR = status; --} -- --static uint32_t virtio_get_features(struct virtio_device *vdev) --{ -- (void)vdev; -- return 1 << VIRTIO_RPMSG_F_NS; --} -- --static void virtio_notify(struct virtqueue *vq) --{ -- (void)vq; -- tfm_notify(); --} -- --static struct virtio_dispatch dispatch = 
{ -- .get_status = virtio_get_status, -- .set_status = virtio_set_status, -- .get_features = virtio_get_features, -- .notify = virtio_notify, --}; -- --int endpoint_cb(struct rpmsg_endpoint *ept, void *data, -- size_t len, uint32_t src, void *priv) --{ -- (void)ept; -- (void)src; -- (void)priv; -- tfm_callback(data, len); -- return 0; --} -- --static void rpmsg_service_unbind(struct rpmsg_endpoint *ept) --{ -- (void)ept; -- rpmsg_destroy_ept(ep); --} -- --void ns_bind_cb(struct rpmsg_device *rdev, const char *name, uint32_t dest) --{ -- (void)rpmsg_create_ept(ep, rdev, name, -- RPMSG_ADDR_ANY, dest, -- endpoint_cb, -- rpmsg_service_unbind); --} -- --void tfm_to_openamp_notify(void) --{ -- virtqueue_notification(vq[0]); --} -- --void tfm_to_openamp_spe_map_spinlock_acquire(void) --{ -- metal_spinlock_acquire(&spe_map_slock); --} -- --void tfm_to_openamp_spe_map_spinlock_release(void) --{ -- metal_spinlock_release(&spe_map_slock); --} -- --void tfm_to_openamp_reply_back(const void* data, size_t len) --{ -- rpmsg_send(ep, data, len); --} -- --void tfm_to_openamp_reply_back_no_copy(const void* data, size_t len) --{ -- rpmsg_send_nocopy(ep, data, len); --} -- --void tfm_to_openamp_hold_buffer(const void *buffer) --{ -- rpmsg_hold_rx_buffer(ep, (void*)buffer); --} -- --void tfm_to_openamp_release_buffer(const void *buffer) --{ -- rpmsg_release_rx_buffer(ep, (void*)buffer); --} -- --void *tfm_to_openamp_get_buffer(uint32_t *len) --{ -- return rpmsg_get_tx_payload_buffer(ep, len, 1); --} -- --int tfm_to_openamp_get_buffer_size(void) --{ -- return rpmsg_virtio_get_buffer_size(&rvdev.rdev); --} -- --void *tfm_to_openamp_translate_non_secure_to_secure_ptr(const void *ptr) --{ -- metal_phys_addr_t phys = 0; -- phys = (metal_phys_addr_t)ptr; -- return metal_io_phys_to_virt(io, phys); --} -- --void *tfm_to_openamp_translate_secure_to_non_secure_ptr(const void *ptr) --{ -- metal_phys_addr_t phys = metal_io_virt_to_phys(io, (void*)ptr); -- return (void*)phys; --} -- --int32_t 
tfm_to_openamp_init(openamp_to_tfm_callback cb, -- openamp_to_tfm_notify notify) --{ -- int status = 0; -- struct metal_device *device; -- struct metal_init_params metal_params = METAL_INIT_DEFAULTS; -- -- SPMLOG_INFMSG("TF-M OpenAMP[master] starting initialization...\r\n"); -- -- if (cb == NULL || notify == NULL) { -- SPMLOG_ERRMSG("invalid parameters\r\n"); -- return ERROR; -- } -- tfm_callback = cb; -- tfm_notify = notify; -- -- metal_spinlock_init(&spe_map_slock); -- -- status = metal_init(&metal_params); -- if (status != 0) { -- SPMLOG_ERRMSG("metal_init: failed - error code\r\n"); -- return ERROR; -- } -- -- status = metal_register_generic_device(&shm_device); -- if (status != 0) { -- SPMLOG_ERRMSG("Couldn't register shared memory device\r\n"); -- return ERROR; -- } -- -- status = metal_device_open("generic", SHM_DEVICE_NAME, &device); -- if (status != 0) { -- SPMLOG_ERRMSG("metal_device_open failed\r\n"); -- return ERROR; -- } -- -- io = metal_device_io_region(device, 0); -- if (io == NULL) { -- SPMLOG_ERRMSG("metal_device_io_region failed to get region\r\n"); -- return ERROR; -- } -- -- /* setup vdev */ -- -- memset(vq1_static_space, 0x0, VQ_STATIC_SIZE); -- vq[0] = (struct virtqueue *)vq1_static_space; -- -- memset(vq2_static_space, 0x0, VQ_STATIC_SIZE); -- vq[1] = (struct virtqueue *)vq2_static_space; -- -- vdev.role = RPMSG_MASTER; -- vdev.vrings_num = VRING_COUNT; -- vdev.func = &dispatch; -- rvrings[0].io = io; -- rvrings[0].info.vaddr = (void *)VRING_TX_ADDRESS; -- rvrings[0].info.num_descs = VRING_SIZE; -- rvrings[0].info.align = VRING_ALIGNMENT; -- rvrings[0].vq = vq[0]; -- -- rvrings[1].io = io; -- rvrings[1].info.vaddr = (void *)VRING_RX_ADDRESS; -- rvrings[1].info.num_descs = VRING_SIZE; -- rvrings[1].info.align = VRING_ALIGNMENT; -- rvrings[1].vq = vq[1]; -- -- vdev.vrings_info = &rvrings[0]; -- -- /* setup rvdev */ -- rpmsg_virtio_init_shm_pool(&shpool, (void *)SHM_START_VIRT_ADDR, SHM_SIZE); -- status = rpmsg_init_vdev(&rvdev, &vdev, 
ns_bind_cb, io, &shpool); -- if (status != 0) { -- SPMLOG_ERRMSGVAL("rpmsg_init_vdev failed : ", status); -- return ERROR; -- } -- SPMLOG_INFMSG("rpmsg_init_vdev Done!\r\n"); -- -- return SUCCESS; --} -diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_platform_interconnect.c b/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_platform_interconnect.c -deleted file mode 100644 -index db8e8ac8b..000000000 ---- a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_platform_interconnect.c -+++ /dev/null -@@ -1,114 +0,0 @@ --/* -- * Copyright (c) 2021-2022, Arm Limited. All rights reserved. -- * -- * SPDX-License-Identifier: BSD-3-Clause -- * -- */ -- --#include "tfm_spe_openamp_platform_interface.h" --#include "tfm_spe_dual_core_psa_client_secure_lib.h" --#include "tfm_rpc.h" --#include "tfm_spe_openamp_interface.h" --#include "tfm_multi_core.h" --#include "tfm_spm_log.h" --#include "utilities.h" -- --static void *registered_msg = NULL; -- --/* Process call from the other core. */ --void callback_from_openamp(const void *ns_msg, size_t len) --{ -- int32_t ret = OPENAMP_SUCCESS; -- void *priv = NULL; -- -- ret = register_msg_to_spe_and_verify(&priv, ns_msg, len); -- if (ret != OPENAMP_SUCCESS) { -- return; -- } -- -- /* -- * registered_msg will be used inside get_caller_private_data. 
-- * get_caller_private_data will be called in the same context: -- * deliver_msg* => tfm_rpc_xxx => tfm_spm_xxx => spm_init_connection -- * => tfm_rpc_set_caller_data => get_caller_private_data -- */ -- registered_msg = priv; -- -- deliver_msg_to_tfm_spe(priv); --} -- --/* RPC reply() callback */ --static void service_reply(const void *priv, int32_t ret) --{ -- send_service_reply_to_non_secure(ret, (void*)priv); --} -- --/* RPC get_caller_data() callback */ --static const void *get_caller_private_data(int32_t client_id) --{ -- if (!registered_msg) { -- SPMLOG_ERRMSG("FATAL_ERROR: Map pointer cannot be NULL.\r\n"); -- SPM_ASSERT(0); -- } -- -- return registered_msg; --} -- --/* Openamp specific operations callback for TF-M RPC */ --static const struct tfm_rpc_ops_t openamp_rpc_ops = { -- .handle_req = tfm_to_openamp_notify, /* notify openamp for pendsv/irq -- * received from the non-secure */ -- .reply = service_reply, -- .get_caller_data = get_caller_private_data, --}; -- --void notify_request_from_openamp(void) --{ -- int32_t ret; -- -- ret = tfm_hal_notify_peer(); -- if (ret) { -- SPMLOG_ERRMSGVAL("tfm_hal_notify_peer failed ", ret); -- } -- return; --} -- --/* Openmap initialization */ --static int32_t tfm_spe_openamp_lib_init(void) --{ -- int32_t ret; -- -- ret = tfm_dual_core_hal_init(); -- if (ret) { -- SPMLOG_ERRMSGVAL("tfm_dual_core_hal_init failed ", ret); -- return OPENAMP_INIT_ERROR; -- } -- -- ret = tfm_to_openamp_init(callback_from_openamp, -- notify_request_from_openamp); -- if (ret) { -- SPMLOG_ERRMSGVAL("tfm_to_openamp_init failed ", ret); -- return OPENAMP_INIT_ERROR; -- } -- -- init_dual_core_psa_client_secure_lib(); -- -- /* Register RPC callbacks */ -- ret = tfm_rpc_register_ops(&openamp_rpc_ops); -- if (ret) { -- SPMLOG_ERRMSGVAL("tfm_rpc_register_ops failed ", ret); -- return OPENAMP_CALLBACK_REG_ERROR; -- } -- -- SPMLOG_INFMSG("tfm_spe_openamp_lib_init initialized success.\r\n"); -- return OPENAMP_SUCCESS; --} -- --int32_t 
tfm_inter_core_comm_init(void) --{ -- if (tfm_spe_openamp_lib_init()) { -- return TFM_PLAT_ERR_SYSTEM_ERR; -- } -- -- return TFM_PLAT_ERR_SUCCESS; --} -diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_platform_interface.h b/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_platform_interface.h -deleted file mode 100644 -index 4c720b731..000000000 ---- a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_openamp_platform_interface.h -+++ /dev/null -@@ -1,31 +0,0 @@ --/* -- * Copyright (c) 2021, Arm Limited. All rights reserved. -- * -- * SPDX-License-Identifier: BSD-3-Clause -- * -- */ -- --#ifndef __TFM_SPE_OPENAMP_PLATFORM_INTERFACE_H__ --#define __TFM_SPE_OPENAMP_PLATFORM_INTERFACE_H__ -- --#include "tfm_openamp_lib.h" --#include "tfm_plat_defs.h" -- --/** -- * \brief Platform specific initialization of SPE openamp. -- * -- * \retval TFM_PLAT_ERR_SUCCESS Operation succeeded. -- * \retval Other return code Operation failed with an error code. -- */ --enum tfm_plat_err_t tfm_dual_core_hal_init(void); -- --/** -- * \brief Notify NSPE that a PSA client call return result is replied. -- * Implemented by platform specific inter-processor communication driver. -- * -- * \retval TFM_PLAT_ERR_SUCCESS The notification is successfully sent out. -- * \retval Other return code Operation failed with an error code. -- */ --enum tfm_plat_err_t tfm_hal_notify_peer(void); -- --#endif /* __TFM_SPE_OPENAMP_PLATFORM_INTERFACE_H__ */ -diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_psa_client_lib_unordered_map.c b/platform/ext/target/arm/corstone1000/openamp/tfm_spe_psa_client_lib_unordered_map.c -deleted file mode 100644 -index 007a675bd..000000000 ---- a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_psa_client_lib_unordered_map.c -+++ /dev/null -@@ -1,151 +0,0 @@ --/* -- * Copyright (c) 2021, Arm Limited. All rights reserved. 
-- * -- * SPDX-License-Identifier: BSD-3-Clause -- * -- */ -- --#include "tfm_spe_psa_client_lib_unordered_map.h" --#include "utilities.h" --#include "tfm_spe_openamp_interface.h" --#include "tfm_spe_shm_openamp.h" --#include <stdbool.h> --#include <stddef.h> --#include <string.h> -- --/* -- * SPE map where tf-m copies the psa_client parameters -- * from non-secure memory to its local secure memory. -- */ --typedef struct unordered_map { -- /* -- * Aligned with TFM_MAX_MESSAGES. A more sophisticated approach is -- * required if the intent is to increase TFM_MAX_MESSAGES beyond -- * 32 bits. -- */ -- uint32_t busy_slots; /* protected by a spinlock */ -- unordered_map_entry_t map[TFM_MAX_MESSAGES]; --} unordered_map_t; -- -- --/* -- * TF-M secure memory map: the parameters are copied to secure memory -- * from openamp non-secure memory. This is to avoid TOCTOU attack. -- */ --static unordered_map_t psa_client_lib_map_; -- --static inline int find_first_unset_bit(uint32_t n) --{ -- int index = -1; -- n = ~n & (n+1); -- while(n>0) { -- n >>= 1; -- index++; -- } -- return index; --} -- --static inline bool is_map_full(unordered_map_t *m) --{ -- return (~(m->busy_slots) == 0); --} -- --static inline void set_bit(uint32_t *n, int index) --{ -- *n = (*n | (1 << index)); --} -- --static inline bool is_bit_set(uint32_t n, int index) --{ -- return ((n & (1 << index)) != 0); --} -- --static inline void unset_bit(uint32_t *n, int index) --{ -- uint32_t mask = 0; -- mask |= (1 << index); -- *n = (*n & ~mask); --} -- --void unordered_map_init(void) --{ -- tfm_to_openamp_spe_map_spinlock_acquire(); -- psa_client_lib_map_.busy_slots = 0; -- tfm_to_openamp_spe_map_spinlock_release(); --} -- --static int32_t alloc_map_entry(unordered_map_handle_t *handle) --{ -- int32_t ret; -- tfm_to_openamp_spe_map_spinlock_acquire(); -- do { -- if (is_map_full(&psa_client_lib_map_)) { -- ret = OPENAMP_MAP_FULL; -- break; -- } -- *handle = find_first_unset_bit(psa_client_lib_map_.busy_slots); -- 
set_bit(&psa_client_lib_map_.busy_slots, *handle); -- ret = OPENAMP_SUCCESS; -- } while (0); -- tfm_to_openamp_spe_map_spinlock_release(); -- return ret; --} -- --int32_t unordered_map_insert(const ns_openamp_msg_t *ns_msg, const void *in, -- unordered_map_handle_t *handle) --{ -- int32_t ret; -- -- ret = alloc_map_entry(handle); -- if (ret) { -- return ret; -- } -- -- memcpy(&psa_client_lib_map_.map[*handle].msg, ns_msg, -- sizeof(ns_openamp_msg_t)); -- -- psa_client_lib_map_.map[*handle].input_buffer = in; -- psa_client_lib_map_.map[*handle].output_buffer = NULL; -- psa_client_lib_map_.map[*handle].output_buffer_len = 0; -- psa_client_lib_map_.map[*handle].is_input_buffer_hold = false; -- psa_client_lib_map_.map[*handle].is_output_buffer = false; -- -- psa_client_lib_map_.map[*handle].handle = *handle; -- -- return OPENAMP_SUCCESS; --} -- --void unordered_map_free(unordered_map_handle_t handle) --{ -- if (handle >= TFM_MAX_MESSAGES || handle < 0) { -- return; -- } -- spm_memset(&psa_client_lib_map_.map[handle], 0, -- sizeof(unordered_map_entry_t)); -- -- tfm_to_openamp_spe_map_spinlock_acquire(); -- unset_bit(&psa_client_lib_map_.busy_slots, handle); -- tfm_to_openamp_spe_map_spinlock_release(); --} -- --unordered_map_entry_t* unordered_map_get_entry_ptr(unordered_map_handle_t handle) --{ -- if (handle >= TFM_MAX_MESSAGES || handle < 0) { -- return NULL; -- } -- if (!is_bit_set(psa_client_lib_map_.busy_slots, handle)) { -- return NULL; -- } -- return &psa_client_lib_map_.map[handle]; --} -- --unordered_map_handle_t unordered_map_get_entry_handle( -- const unordered_map_entry_t *ptr) --{ -- if (!ptr) { -- return INVALID_MAP_HANDLE; -- } -- -- return ptr->handle; --} -- -diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_psa_client_lib_unordered_map.h b/platform/ext/target/arm/corstone1000/openamp/tfm_spe_psa_client_lib_unordered_map.h -deleted file mode 100644 -index 1d094133b..000000000 ---- 
a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_psa_client_lib_unordered_map.h -+++ /dev/null -@@ -1,50 +0,0 @@ --/* -- * Copyright (c) 2021, Arm Limited. All rights reserved. -- * -- * SPDX-License-Identifier: BSD-3-Clause -- * -- */ -- --#ifndef __TFM_SPE_PSA_CLIENT_LIB_UNORDERED_MAP_H__ --#define __TFM_SPE_PSA_CLIENT_LIB_UNORDERED_MAP_H__ -- --#include <stdbool.h> --#include "tfm_openamp_lib.h" -- --/* 16 bits are sufficient to store the handle. Also -- * choosing 16bits allow for better packing inside -- * the struct unordered_map_entry_t. -- */ --typedef int16_t unordered_map_handle_t; --#define INVALID_MAP_HANDLE -1 -- --/* An entry structure of map data structure */ --typedef struct unordered_map_entry { -- ns_openamp_msg_t msg; -- const void *input_buffer; -- void *output_buffer; -- size_t output_buffer_len; -- unordered_map_handle_t handle; /* entry handle */ -- bool is_input_buffer_hold; /* true when input buffer is held */ -- bool is_output_buffer; /* true when output buffer is preallocated */ --} unordered_map_entry_t; -- --/* Initialize the map data structure */ --void unordered_map_init(void); -- --/* Insert entry into the map and return a handle to the entry */ --int32_t unordered_map_insert(const ns_openamp_msg_t *msg, const void *in, -- unordered_map_handle_t *handle); -- --/* Free respective entry into the map represented by the handle */ --void unordered_map_free(unordered_map_handle_t handle); -- --/* Using a handle return the memory pointer of the entry */ --unordered_map_entry_t* unordered_map_get_entry_ptr( -- unordered_map_handle_t handle); -- --/* Using a entry memory location, return respective handle */ --unordered_map_handle_t unordered_map_get_entry_handle( -- const unordered_map_entry_t *ptr); -- --#endif /* __TFM_SPE_PSA_CLIENT_LIB_UNORDERED_MAP_H__ */ -diff --git a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_shm_openamp.h b/platform/ext/target/arm/corstone1000/openamp/tfm_spe_shm_openamp.h -deleted file mode 100644 
-index 6e8cde8f4..000000000 ---- a/platform/ext/target/arm/corstone1000/openamp/tfm_spe_shm_openamp.h -+++ /dev/null -@@ -1,39 +0,0 @@ --/* -- * Copyright (c) 2020 Linaro Limited -- * -- * Copyright (c) 2021, Arm Limited. All rights reserved. -- * -- * SPDX-License-Identifier: BSD-3-Clause -- * -- */ -- --#ifndef TFM_SPE_SHM_OPEN_AMP_H_ --#define TFM_SPE_SHM_OPEN_AMP_H_ -- --#include "region_defs.h" -- --#define VDEV_STATUS_ADDR (OPENAMP_SE_SHARED_MEMORY_START_ADDR) --#define VDEV_STATUS_SIZE (0x1000) // 4 KB --#define SHM_START_VIRT_ADDR (OPENAMP_SE_SHARED_MEMORY_START_ADDR + VDEV_STATUS_SIZE) --#define SHM_START_PHY_ADDR (OPENAMP_HOST_SHARED_MEMORY_START_ADDR + VDEV_STATUS_SIZE) --#define SHM_SIZE OPENAMP_SHARED_MEMORY_SIZE - VDEV_STATUS_SIZE --#define SHM_DEVICE_NAME "cvm.shm" -- --#define VRING_COUNT 2 --#define VRING_MEM_SIZE (0x1000) // 4 KB --#define VRING_TX_ADDRESS (SHM_START_VIRT_ADDR + SHM_SIZE - VRING_MEM_SIZE) --#define VRING_RX_ADDRESS (SHM_START_VIRT_ADDR + SHM_SIZE - (2 * VRING_MEM_SIZE)) --#define VRING_ALIGNMENT 4 --#define VRING_SIZE 16 -- --/* -- * The tf-m can only accept MAX_MESSAGES at a given time. -- * The Host should set RPMSG_BUFFER_SIZE accrodingly -- * such that tf-m does not recieve more than -- * TFM_MAX_MESSAGES messages. -- * Changing this macro DOES NOT increase TF-M capabilities -- * to handle more messages. 
-- */ --#define TFM_MAX_MESSAGES (32) -- --#endif /* TFM_SPE_SHM_OPEN_AMP_H_ */ -diff --git a/platform/ext/target/arm/corstone1000/partition/region_defs.h b/platform/ext/target/arm/corstone1000/partition/region_defs.h -index 64ab786e5..a80b07737 100644 ---- a/platform/ext/target/arm/corstone1000/partition/region_defs.h -+++ b/platform/ext/target/arm/corstone1000/partition/region_defs.h -@@ -59,13 +59,13 @@ - #define S_DATA_LIMIT (S_DATA_START + S_DATA_SIZE - 1) - #define S_DATA_PRIV_START (S_DATA_START + S_UNPRIV_DATA_SIZE) - --/* OpenAMP shared memory region */ --#define OPENAMP_SE_SHARED_MEMORY_START_ADDR 0xA8000000 --#define OPENAMP_HOST_SHARED_MEMORY_START_ADDR 0x88000000 --#define OPENAMP_SHARED_MEMORY_SIZE (1024 * 1024) /* 1MB */ -+/* Shared memory region */ -+#define INTER_PROCESSOR_SE_SHARED_MEMORY_START_ADDR 0xA8000000 -+#define INTER_PROCESSOR_HOST_SHARED_MEMORY_START_ADDR 0x88000000 -+#define INTER_PROCESSOR_SHARED_MEMORY_SIZE (1024 * 1024) /* 1MB */ - --#define NS_DATA_START OPENAMP_SE_SHARED_MEMORY_START_ADDR --#define NS_DATA_SIZE OPENAMP_SHARED_MEMORY_SIZE -+#define NS_DATA_START INTER_PROCESSOR_SE_SHARED_MEMORY_START_ADDR -+#define NS_DATA_SIZE INTER_PROCESSOR_SHARED_MEMORY_SIZE - - #define S_CODE_VECTOR_TABLE_SIZE (0xc0) - -diff --git a/platform/ext/target/arm/corstone1000/rse_comms/CMakeLists.txt b/platform/ext/target/arm/corstone1000/rse_comms/CMakeLists.txt -new file mode 100644 -index 000000000..7c4bc0fef ---- /dev/null -+++ b/platform/ext/target/arm/corstone1000/rse_comms/CMakeLists.txt -@@ -0,0 +1,34 @@ -+#------------------------------------------------------------------------------- -+# Copyright (c) 2022-2024, Arm Limited. All rights reserved. -+# -+# SPDX-License-Identifier: BSD-3-Clause -+# -+#------------------------------------------------------------------------------- -+ -+target_include_directories(platform_s -+ PUBLIC -+ . 
-+) -+ -+target_sources(platform_s -+ PRIVATE -+ rse_comms.c -+ rse_comms_hal.c -+ rse_comms_queue.c -+ rse_comms_protocol.c -+ rse_comms_protocol_embed.c -+) -+ -+target_compile_definitions(platform_s -+ PRIVATE -+ RSE_COMMS_MAX_CONCURRENT_REQ=1 -+ RSE_COMMS_PROTOCOL_EMBED_ENABLED -+ $<$<BOOL:${CONFIG_TFM_HALT_ON_CORE_PANIC}>:CONFIG_TFM_HALT_ON_CORE_PANIC> -+) -+ -+# For spm_log_msgval -+target_link_libraries(platform_s -+ PRIVATE -+ tfm_spm -+ tfm_sprt -+) -diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.c b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.c -new file mode 100644 -index 000000000..df2b6bffa ---- /dev/null -+++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.c -@@ -0,0 +1,176 @@ -+/* -+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved. -+ * Copyright (c) 2023 Cypress Semiconductor Corporation (an Infineon company) -+ * or an affiliate of Cypress Semiconductor Corporation. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ * -+ */ -+ -+#include "rse_comms.h" -+ -+#include <stddef.h> -+#include <stdint.h> -+ -+#include "rse_comms_hal.h" -+#include "rse_comms_queue.h" -+#include "tfm_rpc.h" -+#include "tfm_multi_core.h" -+#include "tfm_hal_multi_core.h" -+#include "tfm_psa_call_pack.h" -+#include "tfm_spm_log.h" -+#include "rse_comms_permissions_hal.h" -+ -+static struct client_request_t *req_to_process; -+ -+static psa_status_t message_dispatch(struct client_request_t *req) -+{ -+ int32_t client_id; -+ enum tfm_plat_err_t plat_err; -+ -+ /* Create the call parameters */ -+ struct client_params_t params = { -+ .p_invecs = req->in_vec, -+ .p_outvecs = req->out_vec, -+ }; -+ -+ SPMLOG_DBGMSG("[RSE-COMMS] Dispatching message\r\n"); -+ SPMLOG_DBGMSGVAL("handle=", req->handle); -+ SPMLOG_DBGMSGVAL("type=", req->type); -+ SPMLOG_DBGMSGVAL("in_len=", req->in_len); -+ SPMLOG_DBGMSGVAL("out_len=", req->out_len); -+ if (req->in_len > 0) { -+ SPMLOG_DBGMSGVAL("in_vec[0].len=", 
req->in_vec[0].len); -+ } -+ if (req->in_len > 1) { -+ SPMLOG_DBGMSGVAL("in_vec[1].len=", req->in_vec[1].len); -+ } -+ if (req->in_len > 2) { -+ SPMLOG_DBGMSGVAL("in_vec[2].len=", req->in_vec[2].len); -+ } -+ if (req->in_len > 3) { -+ SPMLOG_DBGMSGVAL("in_vec[3].len=", req->in_vec[3].len); -+ } -+ if (req->out_len > 0) { -+ SPMLOG_DBGMSGVAL("out_vec[0].len=", req->out_vec[0].len); -+ } -+ if (req->out_len > 1) { -+ SPMLOG_DBGMSGVAL("out_vec[1].len=", req->out_vec[1].len); -+ } -+ if (req->out_len > 2) { -+ SPMLOG_DBGMSGVAL("out_vec[2].len=", req->out_vec[2].len); -+ } -+ if (req->out_len > 3) { -+ SPMLOG_DBGMSGVAL("out_vec[3].len=", req->out_vec[3].len); -+ } -+ -+ plat_err = comms_permissions_service_check(req->handle, -+ req->in_vec, -+ req->in_len, -+ req->type); -+ if (plat_err != TFM_PLAT_ERR_SUCCESS) { -+ SPMLOG_ERRMSG("[RSE-COMMS] Call not permitted\r\n"); -+ return PSA_ERROR_NOT_PERMITTED; -+ } -+ -+ client_id = tfm_hal_client_id_translate(req->mhu_sender_dev, -+ (int32_t)(req->client_id)); -+ if (client_id >= 0) { -+ SPMLOG_ERRMSGVAL("[RSE-COMMS] Invalid client_id: ", -+ (uint32_t)(req->client_id)); -+ return PSA_ERROR_INVALID_ARGUMENT; -+ } -+ params.ns_client_id_stateless = client_id; -+ -+ return tfm_rpc_psa_call(req->handle, -+ PARAM_PACK(req->type, -+ req->in_len, -+ req->out_len), -+ ¶ms, -+ NULL); -+} -+ -+static void rse_comms_reply(const void *owner, int32_t ret) -+{ -+ struct client_request_t *req = (struct client_request_t *)owner; -+ -+ req->return_val = ret; -+ -+ SPMLOG_DBGMSG("[RSE-COMMS] Sending reply\r\n"); -+ SPMLOG_DBGMSGVAL("protocol_ver=", req->protocol_ver); -+ SPMLOG_DBGMSGVAL("seq_num=", req->seq_num); -+ SPMLOG_DBGMSGVAL("client_id=", req->client_id); -+ SPMLOG_DBGMSGVAL("return_val=", req->return_val); -+ SPMLOG_DBGMSGVAL("out_vec[0].len=", req->out_vec[0].len); -+ SPMLOG_DBGMSGVAL("out_vec[1].len=", req->out_vec[1].len); -+ SPMLOG_DBGMSGVAL("out_vec[2].len=", req->out_vec[2].len); -+ SPMLOG_DBGMSGVAL("out_vec[3].len=", 
req->out_vec[3].len); -+ -+ if (tfm_multi_core_hal_reply(req) != TFM_PLAT_ERR_SUCCESS) { -+ SPMLOG_DBGMSG("[RSE-COMMS] Sending reply failed!\r\n"); -+ } -+} -+ -+static void rse_comms_handle_req(void) -+{ -+ psa_status_t status; -+ void *queue_entry; -+ -+ /* FIXME: consider memory limitations that may prevent dispatching all -+ * messages in one go. -+ */ -+ while (queue_dequeue(&queue_entry) == 0) { -+ /* Deliver PSA Client call request to handler in SPM. */ -+ req_to_process = queue_entry; -+ status = message_dispatch(req_to_process); -+#if CONFIG_TFM_SPM_BACKEND_IPC == 1 -+ /* -+ * If status == PSA_SUCCESS, peer will be replied when mailbox agent -+ * partition receives a 'ASYNC_MSG_REPLY' signal from the requested -+ * service partition. -+ * If status != PSA_SUCCESS, the service call has been finished. -+ * Reply to the peer directly. -+ */ -+ if (status != PSA_SUCCESS) { -+ SPMLOG_DBGMSGVAL("[RSE-COMMS] Message dispatch failed: ", status); -+ rse_comms_reply(req_to_process, status); -+ } -+#else -+ /* In SFN model, the service call has been finished. Reply to the peer directly. 
*/ -+ rse_comms_reply(req_to_process, status); -+#endif -+ } -+} -+ -+static const void *rss_comms_get_caller_data(int32_t client_id) -+{ -+ (void)client_id; -+ -+ return req_to_process; -+} -+ -+static struct tfm_rpc_ops_t rpc_ops = { -+ .handle_req = rse_comms_handle_req, -+ .reply = rse_comms_reply, -+ .get_caller_data = rss_comms_get_caller_data, -+}; -+ -+int32_t tfm_inter_core_comm_init(void) -+{ -+ int32_t ret; -+ -+ /* Register RPC callbacks */ -+ ret = tfm_rpc_register_ops(&rpc_ops); -+ if (ret != TFM_RPC_SUCCESS) { -+ return ret; -+ } -+ -+ /* Platform specific initialization */ -+ ret = tfm_multi_core_hal_init(); -+ if (ret != TFM_PLAT_ERR_SUCCESS) { -+ tfm_rpc_unregister_ops(); -+ return ret; -+ } -+ -+ return TFM_RPC_SUCCESS; -+} -diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h -new file mode 100644 -index 000000000..6d79dd3bf ---- /dev/null -+++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h -@@ -0,0 +1,48 @@ -+/* -+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ * -+ */ -+ -+#ifndef __RSE_COMMS_H__ -+#define __RSE_COMMS_H__ -+ -+#include "psa/client.h" -+#include "cmsis_compiler.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+ /* size suits to fit the largest message too (EFI variables) */ -+#define RSE_COMMS_PAYLOAD_MAX_SIZE (0x2100) -+ -+/* -+ * Allocated for each client request. 
-+ * -+ * TODO: Sizing of payload_buf, this should be platform dependent: -+ * - sum in_vec size -+ * - sum out_vec size -+ */ -+struct client_request_t { -+ void *mhu_sender_dev; /* Pointer to MHU sender device to reply on */ -+ uint8_t protocol_ver; -+ uint8_t seq_num; -+ uint16_t client_id; -+ psa_handle_t handle; -+ int32_t type; -+ uint32_t in_len; -+ uint32_t out_len; -+ psa_invec in_vec[PSA_MAX_IOVEC]; -+ psa_outvec out_vec[PSA_MAX_IOVEC]; -+ int32_t return_val; -+ uint64_t out_vec_host_addr[PSA_MAX_IOVEC]; -+ uint8_t param_copy_buf[RSE_COMMS_PAYLOAD_MAX_SIZE]; -+}; -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* __RSE_COMMS_H__ */ -diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_hal.c b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_hal.c -new file mode 100644 -index 000000000..ef6fb9e02 ---- /dev/null -+++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_hal.c -@@ -0,0 +1,232 @@ -+/* -+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ * -+ */ -+ -+#include "rse_comms_hal.h" -+ -+#include "rse_comms.h" -+#include "rse_comms_queue.h" -+#include "mhu.h" -+#include "cmsis.h" -+#include "device_definition.h" -+#include "tfm_peripherals_def.h" -+#include "tfm_spm_log.h" -+#include "tfm_pools.h" -+#include "rse_comms_protocol.h" -+#include <string.h> -+ -+/* Declared statically to avoid using huge amounts of stack space. Maybe revisit -+ * if functions not being reentrant becomes a problem. -+ */ -+static __ALIGNED(4) struct serialized_psa_msg_t msg; -+static __ALIGNED(4) struct serialized_psa_reply_t reply; -+ -+/* The 32bit client ID is constructed as following: -+ * bit31: always 1 -+ * bit30~bit16: client source identifier. -+ 0x0000 First mailbox agent client(MHU) (by default) -+ 0x1000 Second mailbox agent client(MHU) -+ ... 
-+ * bit15~bit0: client input client ID -+ */ -+#define CLIENT_ID_USER_INPUT_OFFSET (0) -+#define CLIENT_ID_USER_INPUT_MASK (0xFFFFUL << CLIENT_ID_USER_INPUT_OFFSET) -+ -+#define CLIENT_ID_MHU_BASE_OFFSET (16) -+#define CLIENT_ID_MHU_BASE_MASK (0x7FFFUL << CLIENT_ID_MHU_BASE_OFFSET) -+ -+#define NS_CLIENT_ID_FLAG_OFFSET (31) -+#define NS_CLIENT_ID_FLAG_MASK (0x1UL << NS_CLIENT_ID_FLAG_OFFSET) -+ -+/* MHU for RSE <> AP_MONITOR communication */ -+#ifndef MHU0_CLIENT_ID_BASE -+#define MHU0_CLIENT_ID_BASE (0x0000UL << CLIENT_ID_MHU_BASE_OFFSET) -+#endif -+ -+#ifdef MHU_RSE_TO_AP_NS -+/* MHU for RSE <> AP_NS communication */ -+#ifndef MHU1_CLIENT_ID_BASE -+#define MHU1_CLIENT_ID_BASE (0x1000UL << CLIENT_ID_MHU_BASE_OFFSET) -+#endif -+#endif /* MHU_RSE_TO_AP_NS */ -+ -+TFM_POOL_DECLARE(req_pool, sizeof(struct client_request_t), -+ RSE_COMMS_MAX_CONCURRENT_REQ); -+ -+static enum tfm_plat_err_t initialize_mhu(void) -+{ -+ enum mhu_error_t err; -+ -+ err = mhu_init_sender(&MHU1_SE_TO_HOST_DEV); -+ if (err != MHU_ERR_NONE) { -+ SPMLOG_ERRMSGVAL("[COMMS] RSE to AP_MONITOR MHU driver init failed: ", -+ err); -+ return TFM_PLAT_ERR_SYSTEM_ERR; -+ } -+ -+ err = mhu_init_receiver(&MHU1_HOST_TO_SE_DEV); -+ if (err != MHU_ERR_NONE) { -+ SPMLOG_ERRMSGVAL("[COMMS] AP_MONITOR to RSE MHU driver init failed: ", -+ err); -+ return TFM_PLAT_ERR_SYSTEM_ERR; -+ } -+ -+#ifdef MHU_RSE_TO_AP_NS -+ err = mhu_init_sender(&MHU_RSE_TO_AP_NS_DEV); -+ if (err != MHU_ERR_NONE) { -+ SPMLOG_ERRMSGVAL("[COMMS] RSE to AP_NS MHU driver init failed: ", err); -+ return TFM_PLAT_ERR_SYSTEM_ERR; -+ } -+ -+ err = mhu_init_receiver(&MHU_AP_NS_TO_RSE_DEV); -+ if (err != MHU_ERR_NONE) { -+ SPMLOG_ERRMSGVAL("[COMMS] AP_NS to RSE MHU driver init failed: ", err); -+ return TFM_PLAT_ERR_SYSTEM_ERR; -+ } -+#endif /* MHU_RSE_TO_AP_NS */ -+ -+ SPMLOG_DBGMSG("[COMMS] MHU driver initialized successfully.\r\n"); -+ return TFM_PLAT_ERR_SUCCESS; -+} -+ -+enum tfm_plat_err_t tfm_multi_core_hal_receive(void *mhu_receiver_dev, 
-+ void *mhu_sender_dev, -+ uint32_t source) -+{ -+ enum mhu_error_t mhu_err; -+ enum tfm_plat_err_t err; -+ size_t msg_len = sizeof(msg); -+ size_t reply_size; -+ -+ memset(&msg, 0, sizeof(msg)); -+ memset(&reply, 0, sizeof(reply)); -+ -+ /* Receive complete message */ -+ mhu_err = mhu_receive_data(mhu_receiver_dev, (uint8_t *)&msg, &msg_len); -+ -+ /* Clear the pending interrupt for this MHU. This prevents the mailbox -+ * interrupt handler from being called without the next request arriving -+ * through the mailbox -+ */ -+ NVIC_ClearPendingIRQ(source); -+ -+ if (mhu_err != MHU_ERR_NONE) { -+ SPMLOG_DBGMSGVAL("[COMMS] MHU receive failed: ", mhu_err); -+ /* Can't respond, since we don't know anything about the message */ -+ return TFM_PLAT_ERR_SYSTEM_ERR; -+ } -+ -+ SPMLOG_DBGMSG("[COMMS] Received message\r\n"); -+ SPMLOG_DBGMSGVAL("[COMMS] size=", msg_len); -+ SPMLOG_DBGMSGVAL("[COMMS] seq_num=", msg.header.seq_num); -+ -+ struct client_request_t *req = tfm_pool_alloc(req_pool); -+ if (!req) { -+ /* No free capacity, drop message */ -+ err = TFM_PLAT_ERR_SYSTEM_ERR; -+ goto out_return_err; -+ } -+ memset(req, 0, sizeof(struct client_request_t)); -+ -+ /* Record the MHU sender device to be used for the reply */ -+ req->mhu_sender_dev = mhu_sender_dev; -+ -+ err = rse_protocol_deserialize_msg(req, &msg, msg_len); -+ if (err != TFM_PLAT_ERR_SUCCESS) { -+ /* Deserialisation failed, drop message */ -+ SPMLOG_DBGMSGVAL("[COMMS] Deserialize message failed: ", err); -+ goto out_return_err; -+ } -+ -+ if (queue_enqueue(req) != 0) { -+ /* No queue capacity, drop message */ -+ err = TFM_PLAT_ERR_SYSTEM_ERR; -+ goto out_return_err; -+ } -+ -+ /* Message successfully received */ -+ return TFM_PLAT_ERR_SUCCESS; -+ -+out_return_err: -+ /* Attempt to respond with a failure message */ -+ if (rse_protocol_serialize_error(req, &msg.header, -+ PSA_ERROR_CONNECTION_BUSY, -+ &reply, &reply_size) -+ == TFM_PLAT_ERR_SUCCESS) { -+ mhu_send_data(mhu_sender_dev, (uint8_t *)&reply, 
reply_size); -+ } -+ -+ if (req) { -+ tfm_pool_free(req_pool, req); -+ } -+ -+ return err; -+} -+ -+enum tfm_plat_err_t tfm_multi_core_hal_reply(struct client_request_t *req) -+{ -+ enum tfm_plat_err_t err; -+ enum mhu_error_t mhu_err; -+ size_t reply_size; -+ -+ /* This function is called by the mailbox partition with Thread priority, so -+ * MHU interrupts must be disabled to prevent concurrent accesses by -+ * tfm_multi_core_hal_receive(). -+ */ -+ NVIC_DisableIRQ(MAILBOX_IRQ); -+ -+ if (!is_valid_chunk_data_in_pool(req_pool, (uint8_t *)req)) { -+ err = TFM_PLAT_ERR_SYSTEM_ERR; -+ goto out; -+ } -+ -+ err = rse_protocol_serialize_reply(req, &reply, &reply_size); -+ if (err != TFM_PLAT_ERR_SUCCESS) { -+ SPMLOG_DBGMSGVAL("[COMMS] Serialize reply failed: ", err); -+ goto out_free_req; -+ } -+ -+ mhu_err = mhu_send_data(req->mhu_sender_dev, (uint8_t *)&reply, reply_size); -+ if (mhu_err != MHU_ERR_NONE) { -+ SPMLOG_DBGMSGVAL("[COMMS] MHU send failed: ", mhu_err); -+ err = TFM_PLAT_ERR_SYSTEM_ERR; -+ goto out_free_req; -+ } -+ -+ SPMLOG_DBGMSG("[COMMS] Sent reply\r\n"); -+ -+out_free_req: -+ tfm_pool_free(req_pool, req); -+out: -+ NVIC_EnableIRQ(MAILBOX_IRQ); -+ return err; -+} -+ -+enum tfm_plat_err_t tfm_multi_core_hal_init(void) -+{ -+ int32_t spm_err; -+ -+ spm_err = tfm_pool_init(req_pool, POOL_BUFFER_SIZE(req_pool), -+ sizeof(struct client_request_t), -+ RSE_COMMS_MAX_CONCURRENT_REQ); -+ if (spm_err) { -+ return TFM_PLAT_ERR_SYSTEM_ERR; -+ } -+ -+ return initialize_mhu(); -+} -+ -+int32_t tfm_hal_client_id_translate(void *owner, int32_t client_id_in) -+{ -+ if ((uintptr_t)owner == (uintptr_t)&MHU1_SE_TO_HOST_DEV) { -+ return ((client_id_in & CLIENT_ID_USER_INPUT_MASK) | -+ (MHU0_CLIENT_ID_BASE & CLIENT_ID_MHU_BASE_MASK) | -+ (NS_CLIENT_ID_FLAG_MASK)); -+ } else { -+ SPMLOG_DBGMSG("[COMMS] client_id translation failed: invalid owner\r\n"); -+ return 0; -+ } -+} -diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_hal.h 
b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_hal.h -new file mode 100644 -index 000000000..c4676cb2e ---- /dev/null -+++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_hal.h -@@ -0,0 +1,56 @@ -+/* -+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ * -+ */ -+ -+#ifndef __RSE_COMMS_HAL_H__ -+#define __RSE_COMMS_HAL_H__ -+ -+#include "rse_comms.h" -+#include "tfm_plat_defs.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/** -+ * \brief Platform specific initialization of SPE multi-core. -+ * -+ * \retval TFM_PLAT_ERR_SUCCESS Operation succeeded. -+ * \retval Other return code Operation failed with an error code. -+ */ -+enum tfm_plat_err_t tfm_multi_core_hal_init(void); -+ -+/** -+ * \brief Receive PSA client call request from NSPE. -+ * Implemented by platform specific inter-processor communication driver. -+ * -+ * \param[in] mhu_receiver_dev Pointer to MHU receiver device on which to read -+ * the message. -+ * \param[in] mhu_sender_dev Pointer to MHU sender device on which to write -+ * the reply. -+ * \param[in] source The number of the IRQ source for this MHU. -+ * -+ * \retval TFM_PLAT_ERR_SUCCESS Operation succeeded. -+ * \retval Other return code Operation failed with an error code. -+ */ -+enum tfm_plat_err_t tfm_multi_core_hal_receive(void *mhu_receiver_dev, -+ void *mhu_sender_dev, -+ uint32_t source); -+ -+/** -+ * \brief Notify NSPE that a PSA client call return result is replied. -+ * Implemented by platform specific inter-processor communication driver. -+ * -+ * \retval TFM_PLAT_ERR_SUCCESS The notification is successfully sent out. -+ * \retval Other return code Operation failed with an error code. 
-+ */ -+enum tfm_plat_err_t tfm_multi_core_hal_reply(struct client_request_t *req); -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* __RSE_COMMS_HAL_H__ */ -diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_permissions_hal.h b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_permissions_hal.h -new file mode 100644 -index 000000000..5bd0124a6 ---- /dev/null -+++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_permissions_hal.h -@@ -0,0 +1,58 @@ -+/* -+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ * -+ */ -+ -+#ifndef __RSE_COMMS_PERMISSIONS_HAL_H__ -+#define __RSE_COMMS_PERMISSIONS_HAL_H__ -+ -+#include "psa/client.h" -+#include "tfm_plat_defs.h" -+#include "stdbool.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/** -+ * \brief Check that RSE comms callers have permission to access a memory -+ * buffer. -+ * -+ * \param[in] owner The owner of host memory against which the -+ * memory access is checked (e.g. MHU device). -+ * \param[in] host_ptr Address of the memory region to be accessed. -+ * \param[in] size Size of the memory region to be accessed. -+ * \param[in] is_write True, if the memory access is a write -+ * operation, False otherwise. -+ * -+ * \retval TFM_PLAT_ERR_SUCCESS Caller has permission to access buffer. -+ * \retval Other return code Caller does not have permission, or an error -+ * occurred. -+ */ -+enum tfm_plat_err_t comms_permissions_memory_check(void *owner, -+ uint64_t host_ptr, -+ uint32_t size, -+ bool is_write); -+ -+/** -+ * \brief Check that RSE comms callers have permission to access a service. -+ * -+ * \note in_vec and in_len are passed in as the Crypto partition encodes which -+ * function is requested in the first in_vec. -+ * -+ * \retval TFM_PLAT_ERR_SUCCESS Caller has permission to access service. -+ * \retval Other return code Caller does not have permission, or an error -+ * occurred. 
-+ */ -+enum tfm_plat_err_t comms_permissions_service_check(psa_handle_t handle, -+ const psa_invec *in_vec, -+ size_t in_len, -+ int32_t type); -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* __RSE_COMMS_PERMISSIONS_HAL_H__ */ -diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol.c b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol.c -new file mode 100644 -index 000000000..94b7995b9 ---- /dev/null -+++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol.c -@@ -0,0 +1,120 @@ -+/* -+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ * -+ */ -+ -+#include "rse_comms_protocol.h" -+ -+#include "tfm_spm_log.h" -+#include <string.h> -+ -+enum tfm_plat_err_t rse_protocol_deserialize_msg( -+ struct client_request_t *req, struct serialized_psa_msg_t *msg, -+ size_t msg_len) -+{ -+ if (msg_len < sizeof(msg->header)) { -+ return TFM_PLAT_ERR_INVALID_INPUT; -+ } -+ -+ req->protocol_ver = msg->header.protocol_ver; -+ req->seq_num = msg->header.seq_num; -+ req->client_id = msg->header.client_id; -+ -+ switch (msg->header.protocol_ver) { -+#ifdef RSE_COMMS_PROTOCOL_EMBED_ENABLED -+ case RSE_COMMS_PROTOCOL_EMBED: -+ SPMLOG_DBGMSG("[COMMS] Deserializing as embed message\r\n"); -+ return rse_protocol_embed_deserialize_msg(req, &msg->msg.embed, -+ msg_len - sizeof(struct serialized_rse_comms_header_t)); -+#endif /* RSE_COMMS_PROTOCOL_EMBED_ENABLED */ -+#ifdef RSE_COMMS_PROTOCOL_POINTER_ACCESS_ENABLED -+ case RSE_COMMS_PROTOCOL_POINTER_ACCESS: -+ SPMLOG_DBGMSG("[COMMS] Deserializing as pointer_access message\r\n"); -+ return rse_protocol_pointer_access_deserialize_msg(req, &msg->msg.pointer_access, -+ msg_len - sizeof(struct serialized_rse_comms_header_t)); -+#endif -+ default: -+ return TFM_PLAT_ERR_UNSUPPORTED; -+ } -+} -+ -+enum tfm_plat_err_t rse_protocol_serialize_reply(struct client_request_t *req, -+ struct serialized_psa_reply_t *reply, size_t 
*reply_size) -+{ -+ enum tfm_plat_err_t err; -+ -+ memset(reply, 0, sizeof(struct serialized_psa_reply_t)); -+ -+ reply->header.protocol_ver = req->protocol_ver; -+ reply->header.seq_num = req->seq_num; -+ reply->header.client_id = req->client_id; -+ -+ switch (reply->header.protocol_ver) { -+#ifdef RSE_COMMS_PROTOCOL_EMBED_ENABLED -+ case RSE_COMMS_PROTOCOL_EMBED: -+ err = rse_protocol_embed_serialize_reply(req, &reply->reply.embed, -+ reply_size); -+ if (err != TFM_PLAT_ERR_SUCCESS) { -+ return err; -+ } -+ break; -+#endif /* RSE_COMMS_PROTOCOL_EMBED_ENABLED */ -+#ifdef RSE_COMMS_PROTOCOL_POINTER_ACCESS_ENABLED -+ case RSE_COMMS_PROTOCOL_POINTER_ACCESS: -+ err = rse_protocol_pointer_access_serialize_reply(req, -+ &reply->reply.pointer_access, reply_size); -+ if (err != TFM_PLAT_ERR_SUCCESS) { -+ return err; -+ } -+ break; -+#endif -+ default: -+ return TFM_PLAT_ERR_UNSUPPORTED; -+ } -+ -+ *reply_size += sizeof(struct serialized_rse_comms_header_t); -+ -+ return TFM_PLAT_ERR_SUCCESS; -+} -+ -+enum tfm_plat_err_t rse_protocol_serialize_error( -+ struct client_request_t *req, -+ struct serialized_rse_comms_header_t *header, psa_status_t error, -+ struct serialized_psa_reply_t *reply, size_t *reply_size) -+{ -+ enum tfm_plat_err_t err; -+ -+ memset(reply, 0, sizeof(struct serialized_psa_reply_t)); -+ memcpy(&reply->header, header, -+ sizeof(struct serialized_rse_comms_header_t)); -+ -+ switch (reply->header.protocol_ver) { -+#ifdef RSE_COMMS_PROTOCOL_EMBED_ENABLED -+ case RSE_COMMS_PROTOCOL_EMBED: -+ err = rse_protocol_embed_serialize_error(req, error, -+ &reply->reply.embed, -+ reply_size); -+ if (err != TFM_PLAT_ERR_SUCCESS) { -+ return err; -+ } -+ break; -+#endif /* RSE_COMMS_PROTOCOL_EMBED_ENABLED */ -+#ifdef RSE_COMMS_PROTOCOL_POINTER_ACCESS_ENABLED -+ case RSE_COMMS_PROTOCOL_POINTER_ACCESS: -+ err = rse_protocol_pointer_access_serialize_error(req, error, -+ &reply->reply.pointer_access, reply_size); -+ if (err != TFM_PLAT_ERR_SUCCESS) { -+ return err; -+ } -+ 
break; -+#endif -+ default: -+ return TFM_PLAT_ERR_UNSUPPORTED; -+ } -+ -+ *reply_size += sizeof(struct serialized_rse_comms_header_t); -+ -+ return TFM_PLAT_ERR_SUCCESS; -+} -diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol.h b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol.h -new file mode 100644 -index 000000000..c30825f4c ---- /dev/null -+++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol.h -@@ -0,0 +1,129 @@ -+/* -+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ * -+ */ -+ -+#ifndef __RSE_COMMS_PROTOCOL_H__ -+#define __RSE_COMMS_PROTOCOL_H__ -+ -+#include "psa/client.h" -+#include "cmsis_compiler.h" -+#include "rse_comms.h" -+#include "tfm_platform_system.h" -+ -+#ifdef RSE_COMMS_PROTOCOL_EMBED_ENABLED -+#include "rse_comms_protocol_embed.h" -+#endif /* RSE_COMMS_PROTOCOL_EMBED_ENABLED */ -+ -+#ifdef RSE_COMMS_PROTOCOL_POINTER_ACCESS_ENABLED -+#include "rse_comms_protocol_pointer_access.h" -+#endif /* RSE_MHU_PROTOCOL_V0_ENABLED */ -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+enum rse_comms_protocol_version_t { -+#ifdef RSE_COMMS_PROTOCOL_EMBED_ENABLED -+ RSE_COMMS_PROTOCOL_EMBED = 0, -+#endif /* RSE_COMMS_PROTOCOL_EMBED_ENABLED */ -+#ifdef RSE_COMMS_PROTOCOL_POINTER_ACCESS_ENABLED -+ RSE_COMMS_PROTOCOL_POINTER_ACCESS = 1, -+#endif /* RSE_COMMS_PROTOCOL_POINTER_ACCESS_ENABLED */ -+}; -+ -+ -+__PACKED_STRUCT serialized_rse_comms_header_t { -+ uint8_t protocol_ver; -+ uint8_t seq_num; -+ uint16_t client_id; -+}; -+ -+/* MHU message passed from NSPE to SPE to deliver a PSA client call */ -+__PACKED_STRUCT serialized_psa_msg_t { -+ struct serialized_rse_comms_header_t header; -+ __PACKED_UNION { -+#ifdef RSE_COMMS_PROTOCOL_EMBED_ENABLED -+ struct rse_embed_msg_t embed; -+#endif /* RSE_COMMS_PROTOCOL_EMBED_ENABLED */ -+#ifdef RSE_COMMS_PROTOCOL_POINTER_ACCESS_ENABLED -+ struct rse_pointer_access_msg_t pointer_access; -+#endif 
/* RSE_COMMS_PROTOCOL_POINTER_ACCESS_ENABLED */ -+ } msg; -+}; -+ -+/* MHU reply message to hold the PSA client call return result from SPE */ -+__PACKED_STRUCT serialized_psa_reply_t { -+ struct serialized_rse_comms_header_t header; -+ __PACKED_UNION { -+#ifdef RSE_COMMS_PROTOCOL_EMBED_ENABLED -+ struct rse_embed_reply_t embed; -+#endif /* RSE_COMMS_PROTOCOL_EMBED_ENABLED */ -+#ifdef RSE_COMMS_PROTOCOL_POINTER_ACCESS_ENABLED -+ struct rse_pointer_access_reply_t pointer_access; -+#endif /* RSE_COMMS_PROTOCOL_POINTER_ACCESS_ENABLED */ -+ } reply; -+}; -+ -+/** -+ * \brief Convert a serialized message to a client_request_t. -+ * -+ * \param[out] req The client_request_t to fill. -+ * \param[in] msg The serialized message to extract data from. -+ * \param[in] msg_len The size of the message. -+ * -+ * \note The sanitization of the client request structure is the -+ * responsibility of the caller. -+ * -+ * \retval TFM_PLAT_ERR_SUCCESS Operation succeeded. -+ * \retval Other return code Operation failed with an error code. -+ */ -+enum tfm_plat_err_t rse_protocol_deserialize_msg(struct client_request_t *req, -+ struct serialized_psa_msg_t *msg, size_t msg_len); -+ -+/** -+ * \brief Convert a a client_request_t to a serialized reply. -+ * -+ * \param[in] req The client_request_t to serialize data from. -+ * \param[out] reply The reply to fill. -+ * \param[out] reply_size The size of the reply that was filled. -+ * -+ * \retval TFM_PLAT_ERR_SUCCESS Operation succeeded. -+ * \retval Other return code Operation failed with an error code. -+ */ -+enum tfm_plat_err_t rse_protocol_serialize_reply(struct client_request_t *req, -+ struct serialized_psa_reply_t *reply, size_t *reply_size); -+ -+/** -+ * \brief Create a serialised error reply from a header and an error code. -+ * Intended to for the RSE to notify the AP of errors during the message -+ * deserialization phase. -+ * -+ * \param[in] req The client_request_t to serialize data from. 
If -+ * the error occured in allocation this pointer -+ * may be NULL. This may not contain message -+ * header information if the message -+ * deserialize failed. -+ * \param[in] header The header of the received -+ * serialized_psa_msg_t whose deserialization -+ * caused the error. -+ * \param[in] error The error code to be transmitted to the AP. -+ * \param[out] reply The reply to fill. -+ * \param[out] reply_size The size of the reply that was filled. -+ * -+ * \retval TFM_PLAT_ERR_SUCCESS Operation succeeded. -+ * \retval Other return code Operation failed with an error code. -+ */ -+enum tfm_plat_err_t rse_protocol_serialize_error( -+ struct client_request_t *req, -+ struct serialized_rse_comms_header_t *header, psa_status_t error, -+ struct serialized_psa_reply_t *reply, size_t *reply_size); -+ -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* __RSE_COMMS_PROTOCOL_H__ */ -diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol_embed.c b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol_embed.c -new file mode 100644 -index 000000000..5544f9fb8 ---- /dev/null -+++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol_embed.c -@@ -0,0 +1,105 @@ -+/* -+ * Copyright (c) 2022, Arm Limited. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ * -+ */ -+ -+#include "rse_comms_protocol_embed.h" -+ -+#include <string.h> -+ -+#include "tfm_psa_call_pack.h" -+ -+enum tfm_plat_err_t rse_protocol_embed_deserialize_msg( -+ struct client_request_t *req, struct rse_embed_msg_t *msg, -+ size_t msg_len) -+{ -+ uint32_t payload_size = 0; -+ uint32_t i; -+ -+ if (msg_len < (sizeof(*msg) - sizeof(msg->payload))) { -+ return TFM_PLAT_ERR_INVALID_INPUT; -+ } -+ -+ req->in_len = PARAM_UNPACK_IN_LEN(msg->ctrl_param); -+ req->out_len = PARAM_UNPACK_OUT_LEN(msg->ctrl_param); -+ req->type = PARAM_UNPACK_TYPE(msg->ctrl_param); -+ req->handle = msg->handle; -+ -+ /* Only support 4 iovecs */ -+ if (req->in_len + req->out_len > 4) { -+ return TFM_PLAT_ERR_UNSUPPORTED; -+ } -+ -+ /* Invecs */ -+ for (i = 0; i < req->in_len; ++i) { -+ req->in_vec[i].base = req->param_copy_buf + payload_size; -+ req->in_vec[i].len = msg->io_size[i]; -+ payload_size += msg->io_size[i]; -+ } -+ -+ /* Check payload is not too big */ -+ if (payload_size > sizeof(req->param_copy_buf) -+ || payload_size > sizeof(msg->payload) -+ || sizeof(*msg) - sizeof(msg->payload) + payload_size > msg_len ) { -+ return TFM_PLAT_ERR_INVALID_INPUT; -+ } -+ -+ /* Copy payload into the buffer */ -+ memcpy(req->param_copy_buf, msg->payload, payload_size); -+ -+ /* Outvecs */ -+ for (i = 0; i < req->out_len; ++i) { -+ req->out_vec[i].base = req->param_copy_buf + payload_size; -+ req->out_vec[i].len = msg->io_size[req->in_len + i]; -+ payload_size += msg->io_size[req->in_len + i]; -+ } -+ -+ /* Check payload is not too big */ -+ if (payload_size > sizeof(req->param_copy_buf)) { -+ return TFM_PLAT_ERR_INVALID_INPUT; -+ } -+ -+ return TFM_PLAT_ERR_SUCCESS; -+} -+ -+enum tfm_plat_err_t rse_protocol_embed_serialize_reply( -+ struct client_request_t *req, struct rse_embed_reply_t *reply, -+ size_t *reply_size) -+{ -+ size_t payload_size = 0; -+ size_t len; -+ uint32_t i; -+ -+ reply->return_val = req->return_val; -+ -+ /* Outvecs 
*/ -+ for (i = 0; i < req->out_len; ++i) { -+ len = req->out_vec[i].len; -+ -+ if (payload_size + len > sizeof(reply->payload)) { -+ return TFM_PLAT_ERR_UNSUPPORTED; -+ } -+ -+ memcpy(reply->payload + payload_size, req->out_vec[i].base, len); -+ reply->out_size[i] = len; -+ payload_size += len; -+ } -+ -+ *reply_size = sizeof(*reply) - sizeof(reply->payload) + payload_size; -+ -+ return TFM_PLAT_ERR_SUCCESS; -+} -+ -+enum tfm_plat_err_t rse_protocol_embed_serialize_error( -+ struct client_request_t *req, psa_status_t err, -+ struct rse_embed_reply_t *reply, size_t *reply_size) -+{ -+ reply->return_val = err; -+ -+ /* Return the minimum reply size, as the out_sizes are all zeroed */ -+ *reply_size = sizeof(*reply) - sizeof(reply->payload); -+ -+ return TFM_PLAT_ERR_SUCCESS; -+} -diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol_embed.h b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol_embed.h -new file mode 100644 -index 000000000..e1ca1d0c9 ---- /dev/null -+++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_protocol_embed.h -@@ -0,0 +1,50 @@ -+/* -+ * Copyright (c) 2022, Arm Limited. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ * -+ */ -+ -+#ifndef __RSE_COMMS_PROTOCOL_EMBED_H__ -+#define __RSE_COMMS_PROTOCOL_EMBED_H__ -+ -+#include "psa/client.h" -+#include "cmsis_compiler.h" -+#include "rse_comms.h" -+#include "tfm_platform_system.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+__PACKED_STRUCT rse_embed_msg_t { -+ psa_handle_t handle; -+ uint32_t ctrl_param; /* type, in_len, out_len */ -+ uint16_t io_size[PSA_MAX_IOVEC]; -+ uint8_t payload[RSE_COMMS_PAYLOAD_MAX_SIZE]; -+}; -+ -+__PACKED_STRUCT rse_embed_reply_t { -+ int32_t return_val; -+ uint16_t out_size[PSA_MAX_IOVEC]; -+ uint8_t payload[RSE_COMMS_PAYLOAD_MAX_SIZE]; -+}; -+ -+enum tfm_plat_err_t rse_protocol_embed_deserialize_msg( -+ struct client_request_t *req, struct rse_embed_msg_t *msg, -+ size_t msg_len); -+ -+enum tfm_plat_err_t rse_protocol_embed_serialize_reply( -+ struct client_request_t *req, struct rse_embed_reply_t *reply, -+ size_t *reply_size); -+ -+enum tfm_plat_err_t rse_protocol_embed_serialize_error( -+ struct client_request_t *req, psa_status_t err, -+ struct rse_embed_reply_t *reply, size_t *reply_size); -+ -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* __RSE_COMMS_PROTOCOL_EMBED_H__ */ -diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_queue.c b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_queue.c -new file mode 100644 -index 000000000..d7f244db6 ---- /dev/null -+++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_queue.c -@@ -0,0 +1,64 @@ -+/* -+ * Copyright (c) 2022, Arm Limited. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ * -+ */ -+ -+#include "rse_comms_queue.h" -+ -+#include <stdbool.h> -+#include <stddef.h> -+ -+#define QUEUE_SIZE (RSE_COMMS_MAX_CONCURRENT_REQ + 1) -+ -+struct queue_t { -+ void *buf[QUEUE_SIZE]; -+ size_t head; -+ size_t tail; -+}; -+ -+static struct queue_t queue; -+ -+/* Advance head or tail */ -+static size_t advance(size_t index) -+{ -+ if (++index == QUEUE_SIZE) { -+ index = 0; -+ } -+ return index; -+} -+ -+static inline bool is_empty(void) -+{ -+ return queue.head == queue.tail; -+} -+ -+static inline bool is_full(void) -+{ -+ return advance(queue.head) == queue.tail; -+} -+ -+int32_t queue_enqueue(void *entry) -+{ -+ if (is_full()) { -+ return -1; -+ } -+ -+ queue.buf[queue.head] = entry; -+ queue.head = advance(queue.head); -+ -+ return 0; -+} -+ -+int32_t queue_dequeue(void **entry) -+{ -+ if (is_empty()) { -+ return -1; -+ } -+ -+ *entry = queue.buf[queue.tail]; -+ queue.tail = advance(queue.tail); -+ -+ return 0; -+} -diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_queue.h b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_queue.h -new file mode 100644 -index 000000000..d3db1dd2e ---- /dev/null -+++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms_queue.h -@@ -0,0 +1,25 @@ -+/* -+ * Copyright (c) 2022, Arm Limited. All rights reserved. 
-+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ * -+ */ -+ -+#ifndef __RSE_COMMS_QUEUE_H__ -+#define __RSE_COMMS_QUEUE_H__ -+ -+#include <stdint.h> -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+int32_t queue_enqueue(void *entry); -+ -+int32_t queue_dequeue(void **entry); -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* __RSE_COMMS_QUEUE_H__ */ -diff --git a/platform/ext/target/arm/corstone1000/rse_comms_permissions_hal.c b/platform/ext/target/arm/corstone1000/rse_comms_permissions_hal.c -new file mode 100644 -index 000000000..59724bc94 ---- /dev/null -+++ b/platform/ext/target/arm/corstone1000/rse_comms_permissions_hal.c -@@ -0,0 +1,177 @@ -+/* -+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ * -+ */ -+ -+#include "rse_comms_permissions_hal.h" -+ -+#include "device_definition.h" -+#include "psa_manifest/sid.h" -+#include "region_defs.h" -+#include "tfm_hal_platform.h" -+ -+#ifdef TFM_PARTITION_INITIAL_ATTESTATION -+#include "tfm_attest_defs.h" -+#endif /* TFM_PARTITION_INITIAL_ATTESTATION */ -+#ifdef TFM_PARTITION_MEASURED_BOOT -+#include "measured_boot_defs.h" -+#endif /* TFM_PARTITION_MEASURED_BOOT */ -+#ifdef TFM_PARTITION_DELEGATED_ATTESTATION -+#include "tfm_delegated_attest_defs.h" -+#endif /* TFM_PARTITION_DELEGATED_ATTESTATION */ -+#ifdef TFM_PARTITION_CRYPTO -+#include "tfm_crypto_defs.h" -+#endif /*TFM_PARTITION_CRYPTO */ -+#ifdef TFM_PARTITION_PLATFORM -+#include "tfm_platform_api.h" -+#endif /* TFM_PARTITION_PLATFORM */ -+#ifdef TFM_PARTITION_PROTECTED_STORAGE -+#include "tfm_ps_defs.h" -+#endif /* TFM_PARTITION_PROTECTED_STORAGE */ -+#ifdef TFM_PARTITION_INTERNAL_TRUSTED_STORAGE -+#include "tfm_its_defs.h" -+#endif /* TFM_PARTITION_INTERNAL_TRUSTED_STORAGE */ -+ -+#define INVALID_REGION_COUNTER_MAX 128 -+#define INVALID_SERVICE_COUNTER_MAX 64 -+ -+static uint32_t invalid_region_counter = 0; -+static uint32_t invalid_service_counter = 0; -+ -+/* Check if the interface is 
getting a lot of invalid requests, and shutdown -+ * the system if it exceeds the threshold. This is intended to make fuzzing the -+ * interface difficult. -+ */ -+static void counter_check(void) { -+ if (invalid_region_counter > INVALID_REGION_COUNTER_MAX) { -+#ifdef CONFIG_TFM_HALT_ON_CORE_PANIC -+ tfm_hal_system_halt(); -+#else -+ tfm_hal_system_reset(); -+#endif /* CONFIG_TFM_HALT_ON_CORE_PANIC */ -+ } -+ -+ if (invalid_service_counter > INVALID_SERVICE_COUNTER_MAX) { -+#ifdef CONFIG_TFM_HALT_ON_CORE_PANIC -+ tfm_hal_system_halt(); -+#else -+ tfm_hal_system_reset(); -+#endif /* CONFIG_TFM_HALT_ON_CORE_PANIC */ -+ } -+ -+ return; -+} -+ -+enum tfm_plat_err_t comms_permissions_memory_check(void *owner, -+ uint64_t host_ptr, -+ uint32_t size, -+ bool is_write) -+{ -+ /* Is fully within the shared memory */ -+ if ((host_ptr >= INTER_PROCESSOR_HOST_SHARED_MEMORY_START_ADDR) && -+ ((host_ptr + size) < (INTER_PROCESSOR_HOST_SHARED_MEMORY_START_ADDR + -+ INTER_PROCESSOR_SHARED_MEMORY_SIZE))) { -+ return TFM_PLAT_ERR_SUCCESS; -+ } -+ -+ invalid_region_counter++; -+ counter_check(); -+ -+ return TFM_PLAT_ERR_UNSUPPORTED; -+} -+ -+enum tfm_plat_err_t comms_permissions_service_check(psa_handle_t handle, -+ const psa_invec *in_vec, -+ size_t in_len, -+ int32_t type) -+{ -+ switch(handle) { -+#ifdef TFM_PARTITION_PROTECTED_STORAGE -+ case TFM_PROTECTED_STORAGE_SERVICE_HANDLE: -+ switch(type) { -+ case TFM_PS_SET: -+ case TFM_PS_GET: -+ case TFM_PS_GET_INFO: -+ case TFM_PS_REMOVE: -+ case TFM_PS_GET_SUPPORT: -+ return TFM_PLAT_ERR_SUCCESS; -+ default: -+ goto out_err; -+ } -+#endif /* TFM_PARTITION_INTERNAL_TRUSTED_STORAGE */ -+ -+#ifdef TFM_PARTITION_INITIAL_ATTESTATION -+ case TFM_ATTESTATION_SERVICE_HANDLE: -+ switch(type) { -+ case TFM_ATTEST_GET_TOKEN: -+ case TFM_ATTEST_GET_TOKEN_SIZE: -+ return TFM_PLAT_ERR_SUCCESS; -+ default: -+ goto out_err; -+ } -+#endif /* TFM_PARTITION_INITIAL_ATTESTATION */ -+#ifdef TFM_PARTITION_DELEGATED_ATTESTATION -+ case 
TFM_DELEGATED_ATTESTATION_HANDLE: -+ switch(type) { -+ case DELEGATED_ATTEST_GET_DELEGATED_KEY: -+ case DELEGATED_ATTEST_GET_PLATFORM_TOKEN: -+ return TFM_PLAT_ERR_SUCCESS; -+ default: -+ goto out_err; -+ } -+#endif /* TFM_PARTITION_DELEGATED_ATTESTATION */ -+#ifdef TFM_PARTITION_MEASURED_BOOT -+ case TFM_MEASURED_BOOT_HANDLE: -+ switch(type) { -+ case TFM_MEASURED_BOOT_EXTEND: -+ case TFM_MEASURED_BOOT_READ: -+ return TFM_PLAT_ERR_SUCCESS; -+ default: -+ goto out_err; -+ } -+#endif /* TFM_PARTITION_MEASURED_BOOT */ -+#ifdef TFM_PARTITION_CRYPTO -+ case TFM_CRYPTO_HANDLE: -+ /* Every crypto operation is done by the SE */ -+ return TFM_PLAT_ERR_SUCCESS; -+#endif /* TFM_PARTITION_CRYPTO */ -+#ifdef TFM_PARTITION_PLATFORM -+ case TFM_PLATFORM_SERVICE_HANDLE: -+ switch(type) { -+ case TFM_PLATFORM_API_ID_NV_READ: -+ case TFM_PLATFORM_API_ID_NV_INCREMENT: -+ case TFM_PLATFORM_API_ID_SYSTEM_RESET: -+ case TFM_PLATFORM_API_ID_IOCTL: -+ return TFM_PLAT_ERR_SUCCESS; -+ default: -+ goto out_err; -+ } -+#endif /* TFM_PARTITION_PLATFORM */ -+#ifdef TFM_PARTITION_INTERNAL_TRUSTED_STORAGE -+ case TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_HANDLE: -+ switch(type) { -+ case TFM_ITS_SET: -+ case TFM_ITS_GET: -+ case TFM_ITS_GET_INFO: -+ case TFM_ITS_REMOVE: -+ return TFM_PLAT_ERR_SUCCESS; -+ default: -+ goto out_err; -+ } -+#endif /* TFM_PARTITION_INTERNAL_TRUSTED_STORAGE */ -+#ifdef TFM_PARTITION_DPE -+ case TFM_DPE_SERVICE_HANDLE: -+ return TFM_PLAT_ERR_SUCCESS; -+#endif /* TFM_PARTITION_DPE */ -+ default: -+ goto out_err; -+ } -+ -+out_err: -+ invalid_service_counter++; -+ counter_check(); -+ -+ return TFM_PLAT_ERR_UNSUPPORTED; -+} -diff --git a/platform/ext/target/arm/corstone1000/tfm_interrupts.c b/platform/ext/target/arm/corstone1000/tfm_interrupts.c -new file mode 100644 -index 000000000..47a6c9d7b ---- /dev/null -+++ b/platform/ext/target/arm/corstone1000/tfm_interrupts.c -@@ -0,0 +1,51 @@ -+/* -+ * Copyright (c) 2021-2023, Arm Limited. All rights reserved. 
-+ * Copyright (c) 2022 Cypress Semiconductor Corporation (an Infineon -+ * company) or an affiliate of Cypress Semiconductor Corporation. All rights -+ * reserved. -+ * -+ * SPDX-License-Identifier: BSD-3-Clause -+ * -+ */ -+ -+#include "cmsis.h" -+#include "device_definition.h" -+#include "spm.h" -+#include "tfm_hal_interrupt.h" -+#include "tfm_peripherals_def.h" -+#include "interrupt.h" -+#include "load/interrupt_defs.h" -+#include "platform_irq.h" -+#include "rse_comms_hal.h" -+ -+static struct irq_t mbox_irq_info = {0}; -+ -+/* Platform specific inter-processor communication interrupt handler. */ -+void HSE1_RECEIVER_COMBINED_IRQHandler(void) -+{ -+ (void)tfm_multi_core_hal_receive(&MHU1_HOST_TO_SE_DEV, -+ &MHU1_SE_TO_HOST_DEV, -+ mbox_irq_info.p_ildi->source); -+ -+ /* -+ * SPM will send a MAILBOX_SIGNAL to the corresponding partition -+ * indicating that a message has arrived and can be processed. -+ */ -+ spm_handle_interrupt(mbox_irq_info.p_pt, mbox_irq_info.p_ildi); -+} -+ -+enum tfm_hal_status_t mailbox_irq_init(void *p_pt, -+ const struct irq_load_info_t *p_ildi) -+{ -+ mbox_irq_info.p_pt = p_pt; -+ mbox_irq_info.p_ildi = p_ildi; -+ -+ /* Set MHU interrupt priority to the same as PendSV (the lowest) -+ * TODO: Consider advantages/disadvantages of setting it one higher -+ */ -+ NVIC_SetPriority(HSE1_RECEIVER_COMBINED_IRQn, NVIC_GetPriority(PendSV_IRQn)); -+ -+ NVIC_DisableIRQ(HSE1_RECEIVER_COMBINED_IRQn); -+ -+ return TFM_HAL_SUCCESS; -+} --- -2.25.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0012-corstone1000-Remove-reset-after-capsule-update.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0009-corstone1000-Remove-reset-after-capsule-update.patch index 8ffd567b66..e3333c5325 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0012-corstone1000-Remove-reset-after-capsule-update.patch 
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0009-corstone1000-Remove-reset-after-capsule-update.patch @@ -1,7 +1,7 @@ -From 78db43f80676f8038b35edd6674d22fb5ff85c12 Mon Sep 17 00:00:00 2001 +From 898d3c148521b331302c587e658d7e0a4f645c77 Mon Sep 17 00:00:00 2001 From: Bence Balogh <bence.balogh@arm.com> Date: Mon, 27 May 2024 17:11:31 +0200 -Subject: [PATCH] corstone1000: Remove reset after capsule update +Subject: [PATCH 09/10] corstone1000: Remove reset after capsule update Signed-off-by: Bence Balogh <bence.balogh@arm.com> Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/29065] diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0009-platform-corstone1000-Increase-RSE_COMMS-buffer-size.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0009-platform-corstone1000-Increase-RSE_COMMS-buffer-size.patch deleted file mode 100644 index 3269c0e045..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0009-platform-corstone1000-Increase-RSE_COMMS-buffer-size.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From 21b0c9f028b6b04fa2f027510ec90969735f4dd1 Mon Sep 17 00:00:00 2001 -From: Bence Balogh <bence.balogh@arm.com> -Date: Wed, 17 Apr 2024 19:31:03 +0200 -Subject: [PATCH] platform: corstone1000: Increase RSE_COMMS buffer size - -Signed-off-by: Bence Balogh <bence.balogh@arm.com> -Upstream-Status: Pending ---- - platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h -index 6d79dd3bf..f079f6504 100644 ---- a/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h -+++ b/platform/ext/target/arm/corstone1000/rse_comms/rse_comms.h -@@ -16,7 +16,7 @@ extern "C" { - #endif - - /* size suits to fit the largest message too (EFI variables) */ --#define RSE_COMMS_PAYLOAD_MAX_SIZE (0x2100) -+#define RSE_COMMS_PAYLOAD_MAX_SIZE (0x43C0) - - /* - * Allocated for each client request. --- -2.25.1 - - diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0013-platform-CS1000-Add-multicore-support-for-FVP.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0010-platform-CS1000-Add-multicore-support-for-FVP.patch index 9ede534119..28d81b8d2b 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0013-platform-CS1000-Add-multicore-support-for-FVP.patch +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0010-platform-CS1000-Add-multicore-support-for-FVP.patch @@ -1,7 +1,7 @@ -From 1120957e74a1a0727a215188813cab3e47602e71 Mon Sep 17 00:00:00 2001 +From 1eb9bc330bf387ff26a6df93d3b8c843174dc40b Mon Sep 17 00:00:00 2001 
From: Harsimran Singh Tungal <harsimransingh.tungal@arm.com> Date: Thu, 9 May 2024 13:20:57 +0000 -Subject: [PATCH] platform: CS1000: Add multicore support for FVP +Subject: [PATCH 10/10] platform: CS1000: Add multicore support for FVP This changeset adds the support to enable the secondary cores for the Corstone-1000 FVP @@ -15,10 +15,10 @@ Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com> 3 files changed, 48 insertions(+), 2 deletions(-) diff --git a/platform/ext/target/arm/corstone1000/CMakeLists.txt b/platform/ext/target/arm/corstone1000/CMakeLists.txt -index e2a7ac302..a269251aa 100644 +index 95e3f57b4f..e46123cc6f 100644 --- a/platform/ext/target/arm/corstone1000/CMakeLists.txt +++ b/platform/ext/target/arm/corstone1000/CMakeLists.txt -@@ -374,6 +374,12 @@ target_sources(tfm_psa_rot_partition_ns_agent_mailbox +@@ -381,6 +381,12 @@ target_sources(tfm_psa_rot_partition_ns_agent_mailbox tfm_hal_multi_core.c ) @@ -32,7 +32,7 @@ index e2a7ac302..a269251aa 100644 target_sources(tfm_spm diff --git a/platform/ext/target/arm/corstone1000/Device/Config/device_cfg.h b/platform/ext/target/arm/corstone1000/Device/Config/device_cfg.h -index 222905d3d..9d48f119e 100644 +index 222905d3dd..9d48f119ed 100644 --- a/platform/ext/target/arm/corstone1000/Device/Config/device_cfg.h +++ b/platform/ext/target/arm/corstone1000/Device/Config/device_cfg.h @@ -45,5 +45,11 @@ @@ -48,7 +48,7 @@ index 222905d3d..9d48f119e 100644 #endif /* __DEVICE_CFG_H__ */ diff --git a/platform/ext/target/arm/corstone1000/tfm_hal_multi_core.c b/platform/ext/target/arm/corstone1000/tfm_hal_multi_core.c -index f0e2bc333..ce72e50c9 100644 +index f0e2bc333a..ce72e50c9b 100644 --- a/platform/ext/target/arm/corstone1000/tfm_hal_multi_core.c +++ b/platform/ext/target/arm/corstone1000/tfm_hal_multi_core.c @@ -11,9 +11,14 @@ @@ -115,5 +115,5 @@ index f0e2bc333..ce72e50c9 100644 #ifdef EXTERNAL_SYSTEM_SUPPORT -- -2.34.1 +2.25.1 
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0011-Platform-CS1000-Fix-Bank-offsets.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0011-Platform-CS1000-Fix-Bank-offsets.patch new file mode 100644 index 0000000000..218dff385c --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0011-Platform-CS1000-Fix-Bank-offsets.patch @@ -0,0 +1,36 @@ +From 939a39a0705ed2571fe5b842a9d5f80036f71a12 Mon Sep 17 00:00:00 2001 +From: Bence Balogh <bence.balogh@arm.com> +Date: Fri, 2 Aug 2024 22:02:55 +0200 +Subject: [PATCH 9/9] Platform: CS1000: Fix Bank offsets + +The BANK_0_PARTITION_OFFSET and BANK_1_PARTITION_OFFSET are used for +erasing the banks during capsule update. The fwu_agent erases the flash +using them as starting addresses. The BL2 (MCUBoot) should also +be erased during capsule update. + +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +Upstream-Status: Backport [939a39a0705ed2571fe5b842a9d5f80036f71a12] +--- + .../ext/target/arm/corstone1000/partition/flash_layout.h | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/platform/ext/target/arm/corstone1000/partition/flash_layout.h b/platform/ext/target/arm/corstone1000/partition/flash_layout.h +index 07b4cdea7..f42dda809 100644 +--- a/platform/ext/target/arm/corstone1000/partition/flash_layout.h ++++ b/platform/ext/target/arm/corstone1000/partition/flash_layout.h +@@ -109,10 +109,8 @@ + #define FWU_PRIVATE_METADATA_REPLICA_2_OFFSET (FWU_PRIVATE_METADATA_REPLICA_1_OFFSET + \ + FWU_METADATA_FLASH_SECTOR_SIZE) + +-#define BANK_0_PARTITION_OFFSET (SE_BL2_BANK_0_OFFSET + \ +- SE_BL2_PARTITION_SIZE) +-#define BANK_1_PARTITION_OFFSET (SE_BL2_BANK_1_OFFSET + \ +- SE_BL2_PARTITION_SIZE) ++#define BANK_0_PARTITION_OFFSET (SE_BL2_BANK_0_OFFSET) ++#define BANK_1_PARTITION_OFFSET (SE_BL2_BANK_1_OFFSET) + + /* BL1: mcuboot flashmap configurations */ + #define FLASH_AREA_8_ID (1) +-- +2.25.1 + 
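Review bot: in the flash_layout.h hunk of 0011-Platform-CS1000-Fix-Bank-offsets.patch, BANK_0_PARTITION_OFFSET and BANK_1_PARTITION_OFFSET become plain aliases of SE_BL2_BANK_0_OFFSET and SE_BL2_BANK_1_OFFSET, but only the start address moves. The commit message says fwu_agent erases from these offsets; the erase length is not touched in this hunk, so confirm that the length the caller passes now also covers SE_BL2_PARTITION_SIZE, otherwise the erase starts earlier and stops short of the end of the bank. Any other user of these two macros that relied on them pointing past BL2 needs the same check. The subject line reads [PATCH 9/9] while the file is numbered 0011, which makes the series order harder to follow.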
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0011-Platform-corstone1000-Increase-buffers-for-EFI-vars.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0011-Platform-corstone1000-Increase-buffers-for-EFI-vars.patch deleted file mode 100644 index abf7038909..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0011-Platform-corstone1000-Increase-buffers-for-EFI-vars.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From d7725e629c9ba93523589cc9d8af3186db19d4e8 Mon Sep 17 00:00:00 2001 -From: Bence Balogh <bence.balogh@arm.com> -Date: Wed, 15 May 2024 22:37:51 +0200 -Subject: [PATCH] Platform: corstone1000: Increase buffers for EFI vars - -The UEFI variables are stored in the Protected Storage. The size of -the variables metadata have been increased so the related buffer sizes -have to be increased. - -Signed-off-by: Bence Balogh <bence.balogh@arm.com> -Upstream-Status: Pending ---- - .../ext/target/arm/corstone1000/config_tfm_target.h | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/platform/ext/target/arm/corstone1000/config_tfm_target.h b/platform/ext/target/arm/corstone1000/config_tfm_target.h -index 2eb0924770..6ee823a7dc 100644 ---- a/platform/ext/target/arm/corstone1000/config_tfm_target.h -+++ b/platform/ext/target/arm/corstone1000/config_tfm_target.h -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2022, Arm Limited. All rights reserved. -+ * Copyright (c) 2022-2024, Arm Limited. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - * -@@ -24,4 +24,15 @@ - #undef ITS_MAX_ASSET_SIZE - #define ITS_MAX_ASSET_SIZE 2048 - -+/* The maximum asset size to be stored in the Protected Storage */ -+#undef PS_MAX_ASSET_SIZE -+#define PS_MAX_ASSET_SIZE 2592 -+ -+/* This is needed to be able to process the EFI variables during PS writes. */ -+#undef CRYPTO_ENGINE_BUF_SIZE -+#define CRYPTO_ENGINE_BUF_SIZE 0x5000 -+ -+/* This is also has to be increased to fit the EFI variables into the iovecs. */ -+#undef CRYPTO_IOVEC_BUFFER_SIZE -+#define CRYPTO_IOVEC_BUFFER_SIZE 6000 - #endif /* __CONFIG_TFM_TARGET_H__ */ --- -2.25.1 - 
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0012-Platform-CS1000-Increase-BL2-partition-size.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0012-Platform-CS1000-Increase-BL2-partition-size.patch new file mode 100644 index 0000000000..7c2a6325e9 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0012-Platform-CS1000-Increase-BL2-partition-size.patch 
@@ -0,0 +1,111 @@ +From ddd4abdb3893e284a35303e4a5ac7b6ad2ed8320 Mon Sep 17 00:00:00 2001 +From: Bence Balogh <bence.balogh@arm.com> +Date: Tue, 16 Jul 2024 21:04:49 +0200 +Subject: [PATCH] Platform: CS1000: Increase BL2 partition size + +Enabling secure debug increases the BL2 code size considerably. This +patch increases the BL2 partition size to enable secure debug feature +on Corstone-1000. The TF-M partition size has to be decreased for this. +The RAM_MPU_REGION_BLOCK_1_SIZE had to be aligned with the changes to +fully cover the S_DATA. + +Signed-off-by: Emekcan Aras <emekcan.aras@arm.com> +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +Upstream-Status: Backport [https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/30406] +--- + .../ext/target/arm/corstone1000/CMakeLists.txt | 9 ++++++--- + .../target/arm/corstone1000/create-flash-image.sh | 14 ++++++++------ + .../arm/corstone1000/partition/flash_layout.h | 4 ++-- + 3 files changed, 16 insertions(+), 11 deletions(-) + +diff --git a/platform/ext/target/arm/corstone1000/CMakeLists.txt b/platform/ext/target/arm/corstone1000/CMakeLists.txt +index b13dc26c0e..3ba26e0de7 100644 +--- a/platform/ext/target/arm/corstone1000/CMakeLists.txt ++++ b/platform/ext/target/arm/corstone1000/CMakeLists.txt +@@ -44,10 +44,13 @@ target_compile_definitions(platform_region_defs + # The RAM MPU Region block sizes are calculated manually. The RAM has to be covered + # with the MPU regions. These regions also have to be the power of 2 and + # the start addresses have to be aligned to these sizes. The sizes can be calculated +- # from the S_DATA_START and S_DATA_SIZE defines. 
+- RAM_MPU_REGION_BLOCK_1_SIZE=0x4000 ++ # from the S_DATA_START and S_DATA_SIZE defines the following way: ++ # S_DATA_SIZE = RAM_MPU_REGION_BLOCK_1_SIZE + RAM_MPU_REGION_BLOCK_2_SIZE ++ # And the following constraints have to be taken: ++ # S_DATA_START % RAM_MPU_REGION_BLOCK_1_SIZE = 0 ++ # (S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE) % RAM_MPU_REGION_BLOCK_2_SIZE = 0 ++ RAM_MPU_REGION_BLOCK_1_SIZE=0x10000 + RAM_MPU_REGION_BLOCK_2_SIZE=0x20000 +- + ) + #========================= Platform common defs ===============================# + +diff --git a/platform/ext/target/arm/corstone1000/create-flash-image.sh b/platform/ext/target/arm/corstone1000/create-flash-image.sh +index a6be61384f..06f0d1ec9a 100755 +--- a/platform/ext/target/arm/corstone1000/create-flash-image.sh ++++ b/platform/ext/target/arm/corstone1000/create-flash-image.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + #------------------------------------------------------------------------------- +-# Copyright (c) 2023, Arm Limited. All rights reserved. ++# Copyright (c) 2023-2024, Arm Limited. All rights reserved. 
+ # + # SPDX-License-Identifier: BSD-3-Clause + # +@@ -65,6 +65,8 @@ FWU_METADATA_TYPE_UUID="8A7A84A0-8387-40F6-AB41-A8B9A5A60D23" + PRIVATE_METADATA_TYPE_UUID="ECB55DC3-8AB7-4A84-AB56-EB0A9974DB42" + SE_BL2_TYPE_UUID="64BD8ADB-02C0-4819-8688-03AB4CAB0ED9" + TFM_TYPE_UUID="D763C27F-07F6-4FF0-B2F3-060CB465CD4E" ++SE_BL2_PARTITION_SIZE="+144k" ++TFM_S_PARTITION_SIZE="+320K" + + # Create the image + rm -f $IMAGE +@@ -81,10 +83,10 @@ sgdisk --mbrtogpt \ + --new=3:48:+4K --typecode=3:$FWU_METADATA_TYPE_UUID --partition-guid=3:$(uuidgen) --change-name=3:'Bkup-FWU-Metadata' \ + --new=4:56:+4K --typecode=4:$PRIVATE_METADATA_TYPE_UUID --partition-guid=4:$(uuidgen) --change-name=4:'private_metadata_replica_1' \ + --new=5:64:+4k --typecode=5:$PRIVATE_METADATA_TYPE_UUID --partition-guid=5:$(uuidgen) --change-name=5:'private_metadata_replica_2' \ +- --new=6:72:+100k --typecode=6:$SE_BL2_TYPE_UUID --partition-guid=6:$(uuidgen) --change-name=6:'bl2_primary' \ +- --new=7:272:+368K --typecode=7:$TFM_TYPE_UUID --partition-guid=7:$(uuidgen) --change-name=7:'tfm_primary' \ +- --new=8:32784:+100k --typecode=8:$SE_BL2_TYPE_UUID --partition-guid=8:$(uuidgen) --change-name=8:'bl2_secondary' \ +- --new=9:32984:+368K --typecode=9:$TFM_TYPE_UUID --partition-guid=9:$(uuidgen) --change-name=9:'tfm_secondary' \ ++ --new=6:72:$SE_BL2_PARTITION_SIZE --typecode=6:$SE_BL2_TYPE_UUID --partition-guid=6:$(uuidgen) --change-name=6:'bl2_primary' \ ++ --new=7:360:$TFM_S_PARTITION_SIZE --typecode=7:$TFM_TYPE_UUID --partition-guid=7:$(uuidgen) --change-name=7:'tfm_primary' \ ++ --new=8:32784:$SE_BL2_PARTITION_SIZE --typecode=8:$SE_BL2_TYPE_UUID --partition-guid=8:$(uuidgen) --change-name=8:'bl2_secondary' \ ++ --new=9:33072:$TFM_S_PARTITION_SIZE --typecode=9:$TFM_TYPE_UUID --partition-guid=9:$(uuidgen) --change-name=9:'tfm_secondary' \ + --new=10:65496:65501 --partition-guid=10:$(uuidgen) --change-name=10:'reserved_2' \ + $IMAGE + +@@ -93,7 +95,7 @@ sgdisk --mbrtogpt \ + # Write partitions + # conv=notrunc 
avoids truncation to keep the geometry of the image. + dd if=$BIN_DIR/bl2_signed.bin of=${IMAGE} seek=72 conv=notrunc +-dd if=$BIN_DIR/tfm_s_signed.bin of=${IMAGE} seek=272 conv=notrunc ++dd if=$BIN_DIR/tfm_s_signed.bin of=${IMAGE} seek=360 conv=notrunc + + # Print the gpt table + sgdisk -p $IMAGE +diff --git a/platform/ext/target/arm/corstone1000/partition/flash_layout.h b/platform/ext/target/arm/corstone1000/partition/flash_layout.h +index 9fc1d9fa63..73c430ce57 100644 +--- a/platform/ext/target/arm/corstone1000/partition/flash_layout.h ++++ b/platform/ext/target/arm/corstone1000/partition/flash_layout.h +@@ -92,7 +92,7 @@ + #define FLASH_DEV_NAME_BL1 FLASH_DEV_NAME + + /* Static Configurations of the Flash */ +-#define SE_BL2_PARTITION_SIZE (0x18000) /* 96 KB */ ++#define SE_BL2_PARTITION_SIZE (0x24000) /* 144 KB */ + #define SE_BL2_BANK_0_OFFSET (0x9000) /* 72nd LBA */ + #define SE_BL2_BANK_1_OFFSET (0x1002000) /* 32784th LBA */ + +@@ -137,7 +137,7 @@ + + /* Bank configurations */ + #define BANK_PARTITION_SIZE (0xFE0000) /* 15.875 MB */ +-#define TFM_PARTITION_SIZE (0x5C000) /* 368 KB */ ++#define TFM_PARTITION_SIZE (0x50000) /* 320 KB */ + + /************************************************************/ + /* Bank : Images flash offsets are with respect to the bank */ +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0013-CC312-ADAC-Add-PSA_WANT_ALG_SHA_256-definition.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0013-CC312-ADAC-Add-PSA_WANT_ALG_SHA_256-definition.patch new file mode 100644 index 0000000000..b273700f9b --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0013-CC312-ADAC-Add-PSA_WANT_ALG_SHA_256-definition.patch 
@@ -0,0 +1,42 @@ +From 756cfad0cc05e7f4c02faa74aea14962aa54420c Mon Sep 17 00:00:00 2001 +From: Bence Balogh <bence.balogh@arm.com> +Date: Wed, 31 Jul 2024 13:38:09 +0200 +Subject: [PATCH 2/3] CC312: ADAC: Add PSA_WANT_ALG_SHA_256 definition + +The bl2_mbedcrypto_config is linked to the psa_adac_cc312 target so +the MCUBOOT_PSA_CRYPTO_CONFIG_FILEPATH and +MCUBOOT_MBEDCRYPTO_CONFIG_FILEPATH configs are used for the ADAC driver +too. The MCUBOOT_USE_PSA_CRYPTO is OFF by default, that means the +MCUBOOT_PSA_CRYPTO_CONFIG_FILEPATH is not included during the build so +the PSA_WANT_ALG_SHA_256 is not defined for the ADAC driver. Because +of this, the PSA_HASH_MAX_SIZE is not set correctly for the sources +of the psa_adac_cc312 target. This caused runtime issues. + +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/31131] +--- + platform/ext/accelerator/cc312/psa-adac/CMakeLists.txt | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/platform/ext/accelerator/cc312/psa-adac/CMakeLists.txt b/platform/ext/accelerator/cc312/psa-adac/CMakeLists.txt +index cb0553b40a..d7f5a54f3c 100644 +--- a/platform/ext/accelerator/cc312/psa-adac/CMakeLists.txt ++++ b/platform/ext/accelerator/cc312/psa-adac/CMakeLists.txt +@@ -1,5 +1,5 @@ + #------------------------------------------------------------------------------- +-# Copyright (c) 2020-2023, Arm Limited. All rights reserved. ++# Copyright (c) 2020-2024, Arm Limited. All rights reserved. + # + # SPDX-License-Identifier: BSD-3-Clause + # +@@ -32,6 +32,7 @@ target_compile_options(psa_adac_cc312 + -DCC_IOT + -DUSE_MBEDTLS_CRYPTOCELL + -D_INTERNAL_CC_NO_RSA_SCHEME_15_SUPPORT ++ -DPSA_WANT_ALG_SHA_256 + ) + + target_link_libraries(psa_adac_cc312 +-- +2.25.1 + 
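Review bot: In the target_compile_options(psa_adac_cc312 ...) hunk, -DPSA_WANT_ALG_SHA_256 is added unconditionally, although the commit message says the symbol is only missing because MCUBOOT_USE_PSA_CRYPTO is OFF and MCUBOOT_PSA_CRYPTO_CONFIG_FILEPATH is therefore not included. With MCUBOOT_USE_PSA_CRYPTO ON the macro would be supplied both on the command line and by the config file, so consider guarding the flag with a generator expression on that option and moving it to target_compile_definitions instead of the raw -D list. Because the failure described is a wrong PSA_HASH_MAX_SIZE that only surfaced at runtime, a compile-time check on PSA_HASH_MAX_SIZE in the ADAC sources would catch a regression earlier.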
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0014-Platform-CS1000-Add-crypto-configs-for-ADAC.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0014-Platform-CS1000-Add-crypto-configs-for-ADAC.patch new file mode 100644 index 0000000000..35ba5a305f --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0014-Platform-CS1000-Add-crypto-configs-for-ADAC.patch @@ -0,0 +1,41 @@ +From 8d6ed0ac3b1eee4b1e279993ec351e9bd80b68dc Mon Sep 17 00:00:00 2001 +From: Bence Balogh <bence.balogh@arm.com> +Date: Wed, 31 Jul 2024 13:38:27 +0200 +Subject: [PATCH] Platform: CS1000: Add crypto configs for ADAC + +The psa_adac_psa_crypto target needs the MBEDTLS_CONFIG_FILE and +MBEDTLS_PSA_CRYPTO_CONFIG_FILE defines in order to build correctly. +The default crypto config files are used here. + +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/31132] +--- + platform/ext/target/arm/corstone1000/CMakeLists.txt | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/platform/ext/target/arm/corstone1000/CMakeLists.txt b/platform/ext/target/arm/corstone1000/CMakeLists.txt +index 530c4059d..3709bf3ec 100644 +--- a/platform/ext/target/arm/corstone1000/CMakeLists.txt ++++ b/platform/ext/target/arm/corstone1000/CMakeLists.txt +@@ -412,6 +412,18 @@ if (${PLATFORM_PSA_ADAC_SECURE_DEBUG}) + PRIVATE + platform_bl2 + ) ++ ++ target_compile_definitions(psa_adac_psa_crypto ++ PRIVATE ++ MBEDTLS_CONFIG_FILE="${CMAKE_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h" ++ MBEDTLS_PSA_CRYPTO_CONFIG_FILE="${CMAKE_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/crypto_config_default.h" ++ ) ++ ++ target_link_libraries(psa_adac_psa_crypto ++ PRIVATE ++ psa_crypto_library_config ++ ) ++ + endif() + + find_package(Python3) +-- +2.25.1 + 
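Review bot: The added target_compile_definitions(psa_adac_psa_crypto ...) block hard-codes MBEDTLS_CONFIG_FILE and MBEDTLS_PSA_CRYPTO_CONFIG_FILE to tfm_mbedcrypto_config_default.h and crypto_config_default.h, while the previous patch in this series states that psa_adac_cc312 takes its crypto configuration from bl2_mbedcrypto_config. The two ADAC targets can then be compiled against different configurations, which is the same kind of mismatch that produced the PSA_HASH_MAX_SIZE problem fixed in that patch. Please reuse one set of config variables for both targets, or state in the commit message why the defaults are the right choice for psa_adac_psa_crypto.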
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0015-Platform-CS1000-Fix-platform-name-in-logs.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0015-Platform-CS1000-Fix-platform-name-in-logs.patch new file mode 100644 index 0000000000..96ba3c1ec7 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0015-Platform-CS1000-Fix-platform-name-in-logs.patch @@ -0,0 +1,27 @@ +From 8f0cd9710be508adab91d8b5ab5aa2d39e89c287 Mon Sep 17 00:00:00 2001 +From: Bence Balogh <bence.balogh@arm.com> +Date: Wed, 31 Jul 2024 19:57:33 +0200 +Subject: [PATCH] Platform: CS1000: Fix platform name in logs + +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +Upstream-Status: Backport [c3fa68995b247c802589890c6ea3e721127b0c78] +--- + platform/ext/target/arm/corstone1000/bl2/boot_hal_bl2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/platform/ext/target/arm/corstone1000/bl2/boot_hal_bl2.c b/platform/ext/target/arm/corstone1000/bl2/boot_hal_bl2.c +index 8aacd877e4..f5baf08cb4 100644 +--- a/platform/ext/target/arm/corstone1000/bl2/boot_hal_bl2.c ++++ b/platform/ext/target/arm/corstone1000/bl2/boot_hal_bl2.c +@@ -192,7 +192,7 @@ int32_t boot_platform_post_init(void) + } + + result = tfm_to_psa_adac_corstone1000_secure_debug(secure_debug_rotpk, 32); +- BOOT_LOG_INF("%s: dipda_secure_debug is a %s.\r\n", __func__, ++ BOOT_LOG_INF("%s: Corstone-1000 Secure Debug is a %s.\r\n", __func__, + (result == 0) ? "success" : "failure"); + + } +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0016-Platform-corstone1000-Fix-isolation-L2-memory-protection.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0016-Platform-corstone1000-Fix-isolation-L2-memory-protection.patch new file mode 100644 index 0000000000..267254c4c6 --- /dev/null 
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0016-Platform-corstone1000-Fix-isolation-L2-memory-protection.patch 
@@ -0,0 +1,88 @@ +From 4d3ebb03b89b122af490824ca73287954a35bd07 Mon Sep 17 00:00:00 2001 +From: Jamie Fox <jamie.fox@arm.com> +Date: Thu, 22 Aug 2024 16:54:45 +0100 +Subject: [PATCH] Platform: corstone1000: Fix isolation L2 memory protection + +The whole of the SRAM was configured unprivileged on this platform, so +the memory protection required for isolation level 2 was not present. + +This patch changes the S_DATA_START to S_DATA_LIMIT MPU region to be +configured for privileged access only. It also reorders the MPU regions +so that the App RoT sub-region overlapping S_DATA has a higher region +number and so takes priority in the operation of the Armv6-M MPU. + +Signed-off-by: Jamie Fox <jamie.fox@arm.com> +Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/30951] +--- + .../arm/corstone1000/tfm_hal_isolation.c | 43 +++++++++---------- + 1 file changed, 21 insertions(+), 22 deletions(-) + +diff --git a/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c b/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c +index 39b19c535..498f14ed2 100644 +--- a/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c ++++ b/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2020-2023, Arm Limited. All rights reserved. ++ * Copyright (c) 2020-2024, Arm Limited. All rights reserved. + * Copyright (c) 2022 Cypress Semiconductor Corporation (an Infineon + * company) or an affiliate of Cypress Semiconductor Corporation. All rights + * reserved. +@@ -99,6 +99,26 @@ enum tfm_hal_status_t tfm_hal_set_up_static_boundaries( + return ret; + } + ++ /* Set the RAM attributes. It is needed because the first region overlaps the whole ++ * SRAM and it has to be overridden. ++ * The RAM_MPU_REGION_BLOCK_1_SIZE and RAM_MPU_REGION_BLOCK_2_SIZE are calculated manually ++ * and added to the platform_region_defs compile definitions. 
++ */ ++ base = S_DATA_START; ++ limit = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE; ++ ret = configure_mpu(rnr++, base, limit, ++ XN_EXEC_NOT_OK, AP_RW_PRIV_ONLY); ++ if (ret != TFM_HAL_SUCCESS) { ++ return ret; ++ } ++ ++ base = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE; ++ limit = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE + RAM_MPU_REGION_BLOCK_2_SIZE; ++ ret = configure_mpu(rnr++, base, limit, ++ XN_EXEC_NOT_OK, AP_RW_PRIV_ONLY); ++ if (ret != TFM_HAL_SUCCESS) { ++ return ret; ++ } + + /* RW, ZI and stack as one region */ + base = (uint32_t)®ION_NAME(Image$$, TFM_APP_RW_STACK_START, $$Base); +@@ -133,27 +153,6 @@ enum tfm_hal_status_t tfm_hal_set_up_static_boundaries( + + #endif + +- /* Set the RAM attributes. It is needed because the first region overlaps the whole +- * SRAM and it has to be overridden. +- * The RAM_MPU_REGION_BLOCK_1_SIZE and RAM_MPU_REGION_BLOCK_2_SIZE are calculated manually +- * and added to the platform_region_defs compile definitions. +- */ +- base = S_DATA_START; +- limit = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE; +- ret = configure_mpu(rnr++, base, limit, +- XN_EXEC_NOT_OK, AP_RW_PRIV_UNPRIV); +- if (ret != TFM_HAL_SUCCESS) { +- return ret; +- } +- +- base = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE; +- limit = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE + RAM_MPU_REGION_BLOCK_2_SIZE; +- ret = configure_mpu(rnr++, base, limit, +- XN_EXEC_NOT_OK, AP_RW_PRIV_UNPRIV); +- if (ret != TFM_HAL_SUCCESS) { +- return ret; +- } +- + arm_mpu_enable(); + + #endif /* CONFIG_TFM_ENABLE_MEMORY_PROTECT */ +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0017-Platform-CS1000-Remove-unused-BL1-files.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0017-Platform-CS1000-Remove-unused-BL1-files.patch new file mode 100644 index 0000000000..35183c5f25 --- /dev/null 
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0017-Platform-CS1000-Remove-unused-BL1-files.patch 
@@ -0,0 +1,451 @@ +From 67e5aa83efce5f75df1c5d027e2d52f0da2eaba0 Mon Sep 17 00:00:00 2001 +From: Bence Balogh <bence.balogh@arm.com> +Date: Thu, 5 Sep 2024 17:21:50 +0200 +Subject: [PATCH 1/5] Platform: CS1000: Remove unused BL1 files + +These files are not referenced anywhere so removed them to prevent +confusion. +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +Upstream-Status: Pending [Not submitted to upstream yet] +--- + .../arm/corstone1000/bl1/CMakeLists.txt | 345 ------------------ + .../arm/corstone1000/bl1/bl1_security_cnt.c | 75 ---- + 2 files changed, 420 deletions(-) + delete mode 100644 platform/ext/target/arm/corstone1000/bl1/CMakeLists.txt + delete mode 100644 platform/ext/target/arm/corstone1000/bl1/bl1_security_cnt.c + +diff --git a/platform/ext/target/arm/corstone1000/bl1/CMakeLists.txt b/platform/ext/target/arm/corstone1000/bl1/CMakeLists.txt +deleted file mode 100644 +index 5e140eecf6..0000000000 +--- a/platform/ext/target/arm/corstone1000/bl1/CMakeLists.txt ++++ /dev/null +@@ -1,345 +0,0 @@ +-#------------------------------------------------------------------------------- +-# Copyright (c) 2020-2024, Arm Limited. All rights reserved. 
+-# +-# SPDX-License-Identifier: BSD-3-Clause +-# +-#------------------------------------------------------------------------------- +- +-cmake_minimum_required(VERSION 3.15) +-cmake_policy(SET CMP0079 NEW) +- +-project("BL1 Bootloader" VERSION 0.0.1 LANGUAGES C ASM) +- +-# BL1 only loads the BL2 image, image number always equals 1 +-set(BL1_IMAGE_NUMBER 1) +- +-# Version of BL2 image +-set(BL2_IMAGE_VERSION "0.1.0") +- +-add_executable(bl1) +- +-set_target_properties(bl1 +- PROPERTIES +- SUFFIX ".axf" +- RUNTIME_OUTPUT_DIRECTORY "${CMAKE_BINARY_DIR}/bin" +-) +- +-target_link_options(bl1 +- PRIVATE +- $<$<C_COMPILER_ID:GNU>:-Wl,-Map=${CMAKE_BINARY_DIR}/bin/bl1.map> +-) +- +-add_convert_to_bin_target(bl1) +- +-# bl2_mbedcrypto reused as it is, but it pulls the MCUBOOT_IMAGE_NUMBER=${MCUBOOT_IMAGE_NUMBER} +-# configuration, where image number is 3. (Coming from BL2 build). To not to collide with BL1's +-# build where image number is 1 mbedcrypto library is separated from the build of other source +-# files. +-target_link_libraries(bl1 +- PRIVATE +- bl1_main +- bl2_mbedcrypto +- cmsis_stack_override +- cmsis +-) +- +-# add_convert_to_bin_target(bl1) requires at least one source file added to bl1. This sources will +-# be built with wrong image number macro (value coming from BL2 config), so the start-up files +-# added here, as those not use this image number macro. +-target_sources(bl1 +- PRIVATE +- $<$<C_COMPILER_ID:GNU>:${CMAKE_CURRENT_SOURCE_DIR}/../Device/Source/startup_corstone1000.c> +-) +- +-# Needed for the GCC startup files +-target_include_directories(bl1 +- PRIVATE +- ${CMAKE_SOURCE_DIR}/platform/include +- ../Device/Include +-) +- +-# target_add_scatter_file(bl1) cannot be used as it would add the platform_region_defs dependency +-# to bl1, again pulling the image number property matching with BL2 build, so scatter setup done +-# here by hand. 
+-target_link_options(bl1 +- PRIVATE +- -T $<TARGET_OBJECTS:bl1_scatter> +-) +- +-add_library(bl1_scatter OBJECT) +- +-add_dependencies(bl1 +- bl1_scatter +- ) +- +-target_sources(bl1_scatter +- PRIVATE +- ../Device/Source/gcc/corstone1000_bl1.ld +-) +- +-set_source_files_properties(../Device/Source/gcc/corstone1000_bl1.ld +- PROPERTIES +- LANGUAGE C +-) +- +-target_compile_options(bl1_scatter +- PRIVATE +- -E +- -P +- -xc +-) +- +-target_compile_definitions(bl1_scatter +- PRIVATE +- MCUBOOT_IMAGE_NUMBER=${BL1_IMAGE_NUMBER} +- BL1 +-) +- +-target_include_directories(bl1_scatter +- PRIVATE +- ../partition +-) +- +-# Library to spearate build from bl2_mbedcrypto configurations +-add_library(bl1_main STATIC) +- +-target_compile_definitions(bl1_main +- PRIVATE +- MCUBOOT_IMAGE_NUMBER=${BL1_IMAGE_NUMBER} +- BL1 +- BL2 +- $<$<BOOL:${PLATFORM_IS_FVP}>:PLATFORM_IS_FVP> +-) +- +-# Configurations based on bl2/CMakeLists.txt +- +-# Many files are reused form TF-M's bl2 directory +-set(BL2_SOURCE ${CMAKE_SOURCE_DIR}/bl2) +- +-target_sources(bl1_main +- PRIVATE +- ${BL2_SOURCE}/src/flash_map.c +- ./provisioning.c +-) +- +-target_include_directories(bl1_main +- PRIVATE +- $<BUILD_INTERFACE:${BL2_SOURCE}/include> +-) +- +-# Include path needed for mbedcrypto headers +-target_include_directories(bl1_main +- PRIVATE +- $<BUILD_INTERFACE:${MBEDCRYPTO_PATH}/include> +-) +- +-# Configurations based on bl2/ext/mcuboot/CMakeLists.txt +-target_link_libraries(bl1_main +- PRIVATE +- mcuboot_config +- bl2_mbedcrypto_config +-) +- +-target_include_directories(bl1_main +- PRIVATE +- $<BUILD_INTERFACE:${BL2_SOURCE}/ext/mcuboot/include> +-) +- +-target_sources(bl1_main +- PRIVATE +- ${BL2_SOURCE}/ext/mcuboot/bl2_main.c +- ${BL2_SOURCE}/ext/mcuboot/keys.c +- ${BL2_SOURCE}/ext/mcuboot/flash_map_legacy.c +-) +- +-# Configurations based on ${MCUBOOT_PATH}/boot/bootutil/CMakeLists.txt +-# add_subdirectory("${MCUBOOT_PATH}/boot/bootutil" bootutil) cannot work as we want to define different hal +-# 
functions compared to BL2 +-target_sources(bl1_main +- PRIVATE +- ${MCUBOOT_PATH}/boot/bootutil/src/loader.c +- ${MCUBOOT_PATH}/boot/bootutil/src/bootutil_misc.c +- ${MCUBOOT_PATH}/boot/bootutil/src/bootutil_public.c +- ${MCUBOOT_PATH}/boot/bootutil/src/image_validate.c +- ${MCUBOOT_PATH}/boot/bootutil/src/image_rsa.c +- ${MCUBOOT_PATH}/boot/bootutil/src/tlv.c +- ${MCUBOOT_PATH}/boot/bootutil/src/boot_record.c +- ${MCUBOOT_PATH}/boot/bootutil/src/swap_scratch.c +- ${MCUBOOT_PATH}/boot/bootutil/src/swap_move.c +- ${MCUBOOT_PATH}/boot/bootutil/src/swap_misc.c +- ${MCUBOOT_PATH}/boot/bootutil/src/encrypted.c +- ${MCUBOOT_PATH}/boot/bootutil/src/fault_injection_hardening.c +- ${MCUBOOT_PATH}/boot/bootutil/src/fault_injection_hardening_delay_rng_mbedtls.c +-) +- +-target_include_directories(bl1_main +- PRIVATE +- $<BUILD_INTERFACE:${MCUBOOT_PATH}/boot/bootutil/include> +- $<BUILD_INTERFACE:${MCUBOOT_PATH}/boot/bootutil/src> +- $<BUILD_INTERFACE:${MCUBOOT_PATH}/boot> +-) +- +-# Configurations based on platform/CMakeLists.txt +-target_include_directories(bl1_main +- PRIVATE +- $<BUILD_INTERFACE:${CMAKE_SOURCE_DIR}/platform/include> +- $<BUILD_INTERFACE:${CMAKE_SOURCE_DIR}/platform/ext/driver> +- $<BUILD_INTERFACE:${CMAKE_SOURCE_DIR}/platform/ext/common> +- $<BUILD_INTERFACE:${CMAKE_SOURCE_DIR}/platform/ext> +- $<$<BOOL:${CRYPTO_HW_ACCELERATOR}>:${CMAKE_SOURCE_DIR}/platform/ext/accelerator/interface> +-) +- +-target_sources(bl1_main +- PRIVATE +- $<$<BOOL:${PLATFORM_DEFAULT_UART_STDOUT}>:${CMAKE_SOURCE_DIR}/platform/ext/common/uart_stdout.c> +- $<$<BOOL:${PLATFORM_DEFAULT_NV_COUNTERS}>:${CMAKE_SOURCE_DIR}/platform/ext/common/template/nv_counters.c> +- $<$<OR:$<BOOL:${PLATFORM_DEFAULT_NV_COUNTERS}>,$<BOOL:${PLATFORM_DEFAULT_OTP}>>:${CMAKE_SOURCE_DIR}/platform/ext/common/template/flash_otp_nv_counters_backend.c> +- $<$<BOOL:${PLATFORM_DEFAULT_OTP}>:${CMAKE_SOURCE_DIR}/platform/ext/common/template/otp_flash.c> +-) +- +-target_link_libraries(bl1_main +- PRIVATE +- bl2_hal +- 
cmsis +-) +- +-target_compile_definitions(bl1_main +- PRIVATE +- MCUBOOT_${MCUBOOT_UPGRADE_STRATEGY} +- $<$<BOOL:${SYMMETRIC_INITIAL_ATTESTATION}>:SYMMETRIC_INITIAL_ATTESTATION> +- $<$<BOOL:${PLATFORM_DEFAULT_NV_COUNTERS}>:PLATFORM_DEFAULT_NV_COUNTERS> +- $<$<BOOL:${MCUBOOT_HW_KEY}>:MCUBOOT_HW_KEY> +- MCUBOOT_FIH_PROFILE_${MCUBOOT_FIH_PROFILE} +- $<$<BOOL:${PLATFORM_DEFAULT_NV_COUNTERS}>:PLATFORM_DEFAULT_NV_COUNTERS> +- $<$<BOOL:${PLATFORM_DEFAULT_OTP}>:PLATFORM_DEFAULT_OTP> +- $<$<BOOL:${OTP_NV_COUNTERS_RAM_EMULATION}>:OTP_NV_COUNTERS_RAM_EMULATION=1> +- $<$<BOOL:${TFM_DUMMY_PROVISIONING}>:TFM_DUMMY_PROVISIONING> +- $<$<BOOL:${PLATFORM_DEFAULT_OTP_WRITEABLE}>:OTP_WRITEABLE> +-) +- +-# Configurations based on cc312 cmake files +-target_compile_definitions(bl1_main +- PRIVATE +- $<$<BOOL:${CRYPTO_HW_ACCELERATOR_OTP_STATE}>:CRYPTO_HW_ACCELERATOR_OTP_${CRYPTO_HW_ACCELERATOR_OTP_STATE}> +- $<$<BOOL:${CRYPTO_HW_ACCELERATOR}>:CRYPTO_HW_ACCELERATOR> +- $<$<BOOL:${ENABLE_FWU_AGENT_DEBUG_LOGS}>:ENABLE_FWU_AGENT_DEBUG_LOGS> +-) +- +-target_include_directories(bl1_main +- PRIVATE +- $<$<BOOL:${CRYPTO_HW_ACCELERATOR}>:${CMAKE_SOURCE_DIR}/platform/ext/accelerator/cc312> +- $<$<BOOL:${CRYPTO_HW_ACCELERATOR}>:${CMAKE_SOURCE_DIR}/lib/ext/cryptocell-312-runtime/shared/include/mbedtls> +- $<$<BOOL:${CRYPTO_HW_ACCELERATOR}>:${CMAKE_SOURCE_DIR}/lib/ext/cryptocell-312-runtime/shared/include/crypto_api/cc3x> +- ../soft_crc +-) +- +-# Configurations based on platform level cmake files +-target_sources(bl1_main +- PRIVATE +- ../CMSIS_Driver/Driver_Flash.c +- ../CMSIS_Driver/Driver_USART.c +- ../Device/Source/device_definition.c +- ../Device/Source/system_core_init.c +- ../Native_Driver/firewall.c +- ../Native_Driver/uart_pl011_drv.c +- ../fw_update_agent/fwu_agent.c +- ../soft_crc/soft_crc.c +- ../Native_Driver/arm_watchdog_drv.c +- ../Native_Driver/watchdog.c +- bl1_boot_hal.c +- bl1_flash_map.c +- bl1_security_cnt.c +- flash_map_extended.c +- bl1_rotpk.c +-) +- +-if (PLATFORM_IS_FVP) 
+-target_sources(bl1_main +- PRIVATE +- ${PLATFORM_DIR}/ext/target/arm/drivers/flash/strata/spi_strataflashj3_flash_lib.c +- ${PLATFORM_DIR}/ext/target/arm/drivers/flash/cfi/cfi_drv.c +-) +-else() +-target_sources(bl1_main +- PRIVATE +- ${PLATFORM_DIR}/ext/target/arm/drivers/qspi/xilinx_pg153_axi/xilinx_pg153_axi_qspi_controller_drv.c +- ${PLATFORM_DIR}/ext/target/arm/drivers/flash/n25q256a/spi_n25q256a_flash_lib.c +- ${PLATFORM_DIR}/ext/target/arm/drivers/flash/sst26vf064b/spi_sst26vf064b_flash_lib.c +-) +-endif() +- +-target_include_directories(bl1_main +- PRIVATE +- ../partition +- ../Device/Include +- ../. +- ../CMSIS_Driver/Config +- ../Device/Config +- ../Native_Driver +- ../fw_update_agent +- ${PLATFORM_DIR}/ext/target/arm/drivers/flash/common +- ${PLATFORM_DIR}/ext/target/arm/drivers/flash/cfi +- ${PLATFORM_DIR}/ext/target/arm/drivers/flash/strata +- ${PLATFORM_DIR}/ext/target/arm/drivers/qspi/xilinx_pg153_axi +- ${PLATFORM_DIR}/ext/target/arm/drivers/flash/n25q256a +- ${PLATFORM_DIR}/ext/target/arm/drivers/flash/sst26vf064b +- +-) +- +-############################### SIGNING BL2 image ################################## +- +-find_package(Python3) +- +-set(FLASH_AREA_NUM 8) +-configure_file(signing_layout.c.in ${CMAKE_CURRENT_BINARY_DIR}/signing_layout.c @ONLY) +-add_library(signing_layout_for_bl2 OBJECT ${CMAKE_CURRENT_BINARY_DIR}/signing_layout.c) +- +-target_compile_options(signing_layout_for_bl2 +- PRIVATE +- $<$<C_COMPILER_ID:GNU>:-E\;-xc> +- $<$<C_COMPILER_ID:ARMClang>:-E\;-xc> +- $<$<C_COMPILER_ID:IAR>:--preprocess=ns\;$<TARGET_OBJECTS:signing_layout_s>> +-) +-target_compile_definitions(signing_layout_for_bl2 +- PRIVATE +- MCUBOOT_IMAGE_NUMBER=${BL1_IMAGE_NUMBER} +- BL1 +-) +- +-target_include_directories(signing_layout_for_bl2 +- PRIVATE +- ../partition +-) +- +-if (CONFIG_TFM_BOOT_STORE_MEASUREMENTS AND CONFIG_TFM_BOOT_STORE_ENCODED_MEASUREMENTS) +- set(MCUBOOT_MEASURED_BOOT ON) +-endif() +- +-add_custom_target(bl2_signed_bin +- ALL +- SOURCES 
bl2_signed.bin +-) +-add_custom_command(OUTPUT bl2_signed.bin +- DEPENDS $<TARGET_FILE_DIR:bl2>/bl2.bin +- DEPENDS bl2_bin signing_layout_for_bl2 +- WORKING_DIRECTORY ${MCUBOOT_PATH}/scripts +- +- #Sign secure binary image with provided secret key +- COMMAND ${Python3_EXECUTABLE} ${BL2_SOURCE}/ext/mcuboot/scripts/wrapper/wrapper.py +- -v ${BL2_IMAGE_VERSION} +- --layout $<TARGET_OBJECTS:signing_layout_for_bl2> +- -k ${MCUBOOT_KEY_S} +- --public-key-format $<IF:$<BOOL:${MCUBOOT_HW_KEY}>,full,hash> +- --align 1 +- --pad +- --pad-header +- -H 0x400 +- -s ${MCUBOOT_SECURITY_COUNTER_S} +- -d \"\(0,${MCUBOOT_S_IMAGE_MIN_VER}\)\" +- $<$<STREQUAL:${MCUBOOT_UPGRADE_STRATEGY},OVERWRITE_ONLY>:--overwrite-only> +- $<$<BOOL:${MCUBOOT_ENC_IMAGES}>:-E${MCUBOOT_KEY_ENC}> +- $<$<BOOL:${MCUBOOT_MEASURED_BOOT}>:--measured-boot-record> +- $<TARGET_FILE_DIR:bl2>/bl2.bin +- ${CMAKE_CURRENT_BINARY_DIR}/bl2_signed.bin +- COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/bl2_signed.bin $<TARGET_FILE_DIR:bl2> +-) +diff --git a/platform/ext/target/arm/corstone1000/bl1/bl1_security_cnt.c b/platform/ext/target/arm/corstone1000/bl1/bl1_security_cnt.c +deleted file mode 100644 +index 32c1481cca..0000000000 +--- a/platform/ext/target/arm/corstone1000/bl1/bl1_security_cnt.c ++++ /dev/null +@@ -1,75 +0,0 @@ +-/* +- * Copyright (c) 2019-2021, Arm Limited. All rights reserved. 
+- * +- * SPDX-License-Identifier: BSD-3-Clause +- * +- */ +- +-#include "bootutil/security_cnt.h" +-#include "tfm_plat_nv_counters.h" +-#include "tfm_plat_defs.h" +-#include "bootutil/fault_injection_hardening.h" +-#include <stdint.h> +-#include "tfm_plat_provisioning.h" +-#include "fwu_agent.h" +- +-fih_ret boot_nv_security_counter_init(void) +-{ +- FIH_DECLARE(fih_rc, FIH_FAILURE); +- +- fih_rc = fih_ret_encode_zero_equality(tfm_plat_init_nv_counter()); +- +- FIH_RET(fih_rc); +-} +- +-fih_ret boot_nv_security_counter_get(uint32_t image_id, fih_int *security_cnt) +-{ +- FIH_DECLARE(fih_rc, FIH_FAILURE); +- uint32_t security_cnt_soft; +- +- /* Check if it's a null-pointer. */ +- if (!security_cnt) { +- FIH_RET(FIH_FAILURE); +- } +- +- if (image_id != 0) { +- FIH_RET(FIH_FAILURE); +- } +- +- fih_rc = fih_ret_encode_zero_equality( +- tfm_plat_read_nv_counter(PLAT_NV_COUNTER_BL1_0, +- sizeof(security_cnt_soft), +- (uint8_t *)&security_cnt_soft)); +- *security_cnt = fih_int_encode(security_cnt_soft); +- +- FIH_RET(fih_rc); +-} +- +-int32_t boot_nv_security_counter_update(uint32_t image_id, +- uint32_t img_security_cnt) +-{ +- enum tfm_plat_err_t err; +- enum fwu_agent_error_t fwu_err; +- +- if (image_id != 0) { +- return -1; +- } +- +- if (tfm_plat_provisioning_is_required()) { +- +- err = tfm_plat_set_nv_counter(PLAT_NV_COUNTER_BL1_0, img_security_cnt); +- if (err != TFM_PLAT_ERR_SUCCESS) { +- return -1; +- } +- +- } else { +- +- fwu_err = fwu_stage_nv_counter(FWU_BL2_NV_COUNTER, img_security_cnt); +- if (fwu_err != FWU_AGENT_SUCCESS) { +- return -1; +- } +- +- } +- +- return 0; +-} +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0018-Platform-CS1000-Remove-duplicated-metadata-write.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0018-Platform-CS1000-Remove-duplicated-metadata-write.patch new file mode 100644 index 0000000000..e468916ec4 --- /dev/null 
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0018-Platform-CS1000-Remove-duplicated-metadata-write.patch 
@@ -0,0 +1,61 @@ +From 60793058794f0ac8ea35a69b2dddf97ccba1acdb Mon Sep 17 00:00:00 2001 +From: Bence Balogh <bence.balogh@arm.com> +Date: Thu, 5 Sep 2024 21:29:07 +0200 +Subject: [PATCH 2/5] Platform: CS1000: Remove duplicated metadata write + +The metadata replica_2 was written twice which is not needed. +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +Upstream-Status: Pending [Not submitted to upstream yet] +--- + .../corstone1000/fw_update_agent/fwu_agent.c | 28 ------------------- + 1 file changed, 28 deletions(-) + +diff --git a/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c b/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c +index d0028a56d8..2b69447dc5 100644 +--- a/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c ++++ b/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c +@@ -499,20 +499,6 @@ static enum fwu_agent_error_t metadata_write( + return FWU_AGENT_ERROR; + } + +- FWU_LOG_MSG("%s: enter: flash addr = %u, size = %d\n\r", __func__, +- FWU_METADATA_REPLICA_2_OFFSET, sizeof(struct fwu_metadata)); +- +- ret = FWU_METADATA_FLASH_DEV.EraseSector(FWU_METADATA_REPLICA_2_OFFSET); +- if (ret != ARM_DRIVER_OK) { +- return FWU_AGENT_ERROR; +- } +- +- ret = FWU_METADATA_FLASH_DEV.ProgramData(FWU_METADATA_REPLICA_2_OFFSET, +- p_metadata, sizeof(struct fwu_metadata)); +- if (ret < 0 || ret != sizeof(struct fwu_metadata)) { +- return FWU_AGENT_ERROR; +- } +- + FWU_LOG_MSG("%s: success: active = %u, previous = %d\n\r", __func__, + p_metadata->active_index, p_metadata->previous_active_index); + return FWU_AGENT_SUCCESS; +@@ -569,20 +555,6 @@ static enum fwu_agent_error_t metadata_write( + return FWU_AGENT_ERROR; + } + +- FWU_LOG_MSG("%s: enter: flash addr = %u, size = %d\n\r", __func__, +- FWU_METADATA_REPLICA_2_OFFSET, sizeof(struct fwu_metadata)); +- +- ret = FWU_METADATA_FLASH_DEV.EraseSector(FWU_METADATA_REPLICA_2_OFFSET); +- if (ret != ARM_DRIVER_OK) { +- return FWU_AGENT_ERROR; +- } +- +- ret = 
FWU_METADATA_FLASH_DEV.ProgramData(FWU_METADATA_REPLICA_2_OFFSET, +- p_metadata, sizeof(struct fwu_metadata)); +- if (ret < 0 || ret != sizeof(struct fwu_metadata)) { +- return FWU_AGENT_ERROR; +- } +- + FWU_LOG_MSG("%s: success: active = %u, previous = %d\n\r", __func__, + p_metadata->active_index, p_metadata->previous_active_index); + return FWU_AGENT_SUCCESS; +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0019-Platform-CS1000-Fix-compiler-switch-in-BL1.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0019-Platform-CS1000-Fix-compiler-switch-in-BL1.patch new file mode 100644 index 0000000000..7ff3a86897 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0019-Platform-CS1000-Fix-compiler-switch-in-BL1.patch 
@@ -0,0 +1,193 @@ +From 09827a44518b05a2cc58602dda18474973abfb83 Mon Sep 17 00:00:00 2001 +From: Bence Balogh <bence.balogh@arm.com> +Date: Thu, 5 Sep 2024 17:28:56 +0200 +Subject: [PATCH 3/5] Platform: CS1000: Fix compiler switch in BL1 + +The fwu_agent.c used the "BL1" definition to check if the source file +is building for the BL1 or for the TFM_S target. +But the "BL1" definition is added to the build flags for every file +that links against platform_region_defs, see +tfm/cmake/spe-CMakeLists.cmake: + +target_compile_definitions(platform_region_defs + INTERFACE + $<$<BOOL:${BL1}>:BL1> + .... +) + +This means the "#if BL1" condition was true for both cases. + +This commit: +- Adds a new definition that is only added to the + platform_bl1_1 target. +- Fixes the #elif with no expression error that came up. +- Moves the partition table loading because previously it was not + loaded during the runtime TFM_S execution, only in BL2. + +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +Upstream-Status: Pending [Not submitted to upstream yet] +--- + .../target/arm/corstone1000/CMakeLists.txt | 7 ++++ + .../corstone1000/fw_update_agent/fwu_agent.c | 33 +++++++++---------- + 2 files changed, 23 insertions(+), 17 deletions(-) + +diff --git a/platform/ext/target/arm/corstone1000/CMakeLists.txt b/platform/ext/target/arm/corstone1000/CMakeLists.txt +index 89db1732a9..f6880cba3c 100644 +--- a/platform/ext/target/arm/corstone1000/CMakeLists.txt ++++ b/platform/ext/target/arm/corstone1000/CMakeLists.txt +@@ -144,6 +144,7 @@ target_sources(platform_s + partition/gpt.c + $<$<NOT:$<BOOL:${PLATFORM_DEFAULT_OTP}>>:${PLATFORM_DIR}/ext/accelerator/cc312/otp_cc312.c> + rse_comms_permissions_hal.c ++ platform.c + ) + + if (PLATFORM_IS_FVP) +@@ -213,6 +214,12 @@ target_compile_definitions(platform_bl1_1 + $<$<BOOL:${CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING}>:CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING> + 
MBEDTLS_CONFIG_FILE="${CMAKE_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h" + MBEDTLS_PSA_CRYPTO_CONFIG_FILE="${CMAKE_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/crypto_config_default.h" ++ ++ # This definition is only added to the bl1_main target. There are ++ # files that are shared between the BL1 and TFM_S targets. This flag ++ # can be used if the BL1 target needs different implementation than ++ # the TFM_S target. ++ BL1_BUILD + ) + + target_include_directories(platform_bl1_1_interface +diff --git a/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c b/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c +index 2b69447dc5..9890eeaf90 100644 +--- a/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c ++++ b/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c +@@ -21,7 +21,7 @@ + #include "uefi_fmp.h" + #include "uart_stdout.h" + #include "soft_crc.h" +-#if !BL1 ++#ifndef BL1_BUILD + #include "partition.h" + #include "platform.h" + #endif +@@ -197,7 +197,7 @@ extern ARM_DRIVER_FLASH FWU_METADATA_FLASH_DEV; + + #define HOST_ACK_TIMEOUT_SEC (6 * 60) /* ~seconds, not exact */ + +-#if BL1 ++#ifdef BL1_BUILD + static enum fwu_agent_error_t private_metadata_read( + struct fwu_private_metadata* p_metadata) + { +@@ -220,7 +220,7 @@ static enum fwu_agent_error_t private_metadata_read( + + return FWU_AGENT_SUCCESS; + } +-#elif ++#else + static enum fwu_agent_error_t private_metadata_read( + struct fwu_private_metadata* p_metadata) + { +@@ -253,7 +253,7 @@ static enum fwu_agent_error_t private_metadata_read( + } + #endif + +-#if BL1 ++#ifdef BL1_BUILD + static enum fwu_agent_error_t private_metadata_write( + struct fwu_private_metadata* p_metadata) + { +@@ -280,7 +280,7 @@ static enum fwu_agent_error_t private_metadata_write( + FWU_LOG_MSG("%s: success\n\r", __func__); + return FWU_AGENT_SUCCESS; + } +-#elif ++#else + static enum fwu_agent_error_t private_metadata_write( + struct 
fwu_private_metadata* p_metadata) + { +@@ -339,7 +339,7 @@ static enum fwu_agent_error_t metadata_validate(struct fwu_metadata *p_metadata) + return FWU_AGENT_SUCCESS; + } + +-#if BL1 ++#ifdef BL1_BUILD + static enum fwu_agent_error_t metadata_read_without_validation(struct fwu_metadata *p_metadata) + { + int ret; +@@ -362,7 +362,7 @@ static enum fwu_agent_error_t metadata_read_without_validation(struct fwu_metada + + return FWU_AGENT_SUCCESS; + } +-#elif ++#else + static enum fwu_agent_error_t metadata_read_without_validation(struct fwu_metadata *p_metadata) + { + uuid_t metadata_uuid = FWU_METADATA_TYPE_UUID; +@@ -396,7 +396,7 @@ static enum fwu_agent_error_t metadata_read_without_validation(struct fwu_metada + } + #endif + +-#if BL1 ++#ifdef BL1_BUILD + static enum fwu_agent_error_t metadata_read(struct fwu_metadata *p_metadata) + { + int ret; +@@ -423,7 +423,7 @@ static enum fwu_agent_error_t metadata_read(struct fwu_metadata *p_metadata) + + return FWU_AGENT_SUCCESS; + } +-#elif ++#else + static enum fwu_agent_error_t metadata_read(struct fwu_metadata *p_metadata) + { + uuid_t metadata_uuid = FWU_METADATA_TYPE_UUID; +@@ -461,7 +461,7 @@ static enum fwu_agent_error_t metadata_read(struct fwu_metadata *p_metadata) + #endif + + +-#if BL1 ++#ifdef BL1_BUILD + static enum fwu_agent_error_t metadata_write( + struct fwu_metadata *p_metadata) + { +@@ -503,7 +503,7 @@ static enum fwu_agent_error_t metadata_write( + p_metadata->active_index, p_metadata->previous_active_index); + return FWU_AGENT_SUCCESS; + } +-#elif ++#else + static enum fwu_agent_error_t metadata_write( + struct fwu_metadata *p_metadata) + { +@@ -567,11 +567,15 @@ enum fwu_agent_error_t fwu_metadata_init(void) + enum fwu_agent_error_t ret; + ARM_FLASH_INFO* flash_info; + +- + if (is_initialized) { + return FWU_AGENT_SUCCESS; + } + ++ #ifndef BL1_BUILD ++ plat_io_storage_init(); ++ partition_init(PLATFORM_GPT_IMAGE); ++ #endif ++ + /* Code assumes everything fits into a sector */ + if (sizeof(struct 
fwu_metadata) > FWU_METADATA_FLASH_SECTOR_SIZE) { + return FWU_AGENT_ERROR; +@@ -605,11 +609,6 @@ enum fwu_agent_error_t fwu_metadata_provision(void) + + FWU_LOG_MSG("%s: enter\n\r", __func__); + +-#if !BL1 +- plat_io_storage_init(); +- partition_init(PLATFORM_GPT_IMAGE); +-#endif +- + ret = fwu_metadata_init(); + if (ret) { + return ret; +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0020-Platform-CS1000-Validate-both-metadata-replicas.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0020-Platform-CS1000-Validate-both-metadata-replicas.patch new file mode 100644 index 0000000000..e38c865104 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0020-Platform-CS1000-Validate-both-metadata-replicas.patch 
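Review bot: In the CMakeLists.txt hunk of 0019-Platform-CS1000-Fix-compiler-switch-in-BL1.patch, the new comment says BL1_BUILD is "only added to the bl1_main target", but the definition sits inside target_compile_definitions(platform_bl1_1 ...) and the commit message also names platform_bl1_1; the comment should name the target that actually receives the flag. In the fwu_metadata_init() hunk, plat_io_storage_init() and partition_init(PLATFORM_GPT_IMAGE) are called with no result check, and this is now the only place the partition table is loaded for TFM_S, so if either call can report a failure it should be checked here and turned into FWU_AGENT_ERROR rather than surfacing later as a missing metadata partition. The preprocessor lines in that hunk are indented (" #ifndef BL1_BUILD"), unlike the column-0 directives in the rest of the file.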
@@ -0,0 +1,370 @@ +From 5fd2662e1f20b5c645ff0755e84424bae303fa45 Mon Sep 17 00:00:00 2001 +From: Bence Balogh <bence.balogh@arm.com> +Date: Mon, 9 Sep 2024 09:42:58 +0200 +Subject: [PATCH] Platform: CS1000: Validate both metadata replicas + +According to the [1] both metadata replica integrity should be checked +during the update agent initialization, and if one of the replica is +corrupted then it should be fixed by copying the other replica. + +This commit: +- Adds the integrity check and correction to the + corstone1000_fwu_host_ack() function. This function is called when + the Host core has booted. +- Updates the metadata_read() function so both replica can be read. +- Adds metadata_write_replica() function to write metadata replicas + separately. + +[1] https://developer.arm.com/documentation/den0118/a/?lang=en + +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +Upstream-Status: Pending [Not submitted to upstream yet] +--- + .../corstone1000/fw_update_agent/fwu_agent.c | 167 ++++++++++++------ + .../corstone1000/fw_update_agent/fwu_agent.h | 7 + + 2 files changed, 119 insertions(+), 55 deletions(-) + +diff --git a/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c b/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c +index 92b918c67..aad6208e0 100644 +--- a/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c ++++ b/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c +@@ -395,20 +395,33 @@ static enum fwu_agent_error_t metadata_read_without_validation(struct fwu_metada + #endif + + #ifdef BL1_BUILD +-static enum fwu_agent_error_t metadata_read(struct fwu_metadata *p_metadata) ++static enum fwu_agent_error_t metadata_read(struct fwu_metadata *p_metadata, uint8_t replica_num) + { + int ret; ++ uint32_t replica_offset = 0; + +- FWU_LOG_MSG("%s: enter: flash addr = %u, size = %d\n\r", __func__, +- FWU_METADATA_REPLICA_1_OFFSET, sizeof(struct fwu_metadata)); ++ FWU_LOG_MSG("%s: enter\n\r", __func__); + + if 
(!p_metadata) { + return FWU_AGENT_ERROR; + } + +- ret = FWU_METADATA_FLASH_DEV.ReadData(FWU_METADATA_REPLICA_1_OFFSET, +- p_metadata, sizeof(struct fwu_metadata)); +- if (ret < 0 || ret != sizeof(struct fwu_metadata)) { ++ if (replica_num == 1) { ++ replica_offset = FWU_METADATA_REPLICA_1_OFFSET; ++ } else if (replica_num == 2) { ++ replica_offset = FWU_METADATA_REPLICA_2_OFFSET; ++ } else { ++ FWU_LOG_MSG("%s: replica_num must be 1 or 2\n\r", __func__); ++ return FWU_AGENT_ERROR; ++ } ++ ++ FWU_LOG_MSG("%s: flash addr = %u, size = %d\n\r", __func__, ++ replica_offset, sizeof(*p_metadata)); ++ ++ ++ ret = FWU_METADATA_FLASH_DEV.ReadData(replica_offset, ++ p_metadata, sizeof(*p_metadata)); ++ if (ret < 0 || ret != sizeof(*p_metadata)) { + return FWU_AGENT_ERROR; + } + +@@ -422,17 +435,27 @@ static enum fwu_agent_error_t metadata_read(struct fwu_metadata *p_metadata) + return FWU_AGENT_SUCCESS; + } + #else +-static enum fwu_agent_error_t metadata_read(struct fwu_metadata *p_metadata) ++static enum fwu_agent_error_t metadata_read(struct fwu_metadata *p_metadata, uint8_t replica_num) + { + uuid_t metadata_uuid = FWU_METADATA_TYPE_UUID; + partition_entry_t *part; + int ret; + ++ FWU_LOG_MSG("%s: enter\n\r", __func__); ++ + if (!p_metadata) { + return FWU_AGENT_ERROR; + } + +- part = get_partition_entry_by_type(&metadata_uuid); ++ if (replica_num == 1) { ++ part = get_partition_entry_by_type(&metadata_uuid); ++ } else if (replica_num == 2) { ++ part = get_partition_replica_by_type(&metadata_uuid); ++ } else { ++ FWU_LOG_MSG("%s: replica_num must be 1 or 2\n\r", __func__); ++ return FWU_AGENT_ERROR; ++ } ++ + if (!part) { + FWU_LOG_MSG("%s: FWU metadata partition not found\n\r", __func__); + return FWU_AGENT_ERROR; +@@ -461,39 +484,38 @@ static enum fwu_agent_error_t metadata_read(struct fwu_metadata *p_metadata) + + #ifdef BL1_BUILD + static enum fwu_agent_error_t metadata_write( +- struct fwu_metadata *p_metadata) ++ struct fwu_metadata *p_metadata, uint8_t 
replica_num) + { + int ret; ++ uint32_t replica_offset = 0; + +- FWU_LOG_MSG("%s: enter: flash addr = %u, size = %d\n\r", __func__, +- FWU_METADATA_REPLICA_1_OFFSET, sizeof(struct fwu_metadata)); ++ FWU_LOG_MSG("%s: enter\n\r", __func__); + + if (!p_metadata) { + return FWU_AGENT_ERROR; + } + +- ret = FWU_METADATA_FLASH_DEV.EraseSector(FWU_METADATA_REPLICA_1_OFFSET); +- if (ret != ARM_DRIVER_OK) { +- return FWU_AGENT_ERROR; +- } +- +- ret = FWU_METADATA_FLASH_DEV.ProgramData(FWU_METADATA_REPLICA_1_OFFSET, +- p_metadata, sizeof(struct fwu_metadata)); +- if (ret < 0 || ret != sizeof(struct fwu_metadata)) { ++ if (replica_num == 1) { ++ replica_offset = FWU_METADATA_REPLICA_1_OFFSET; ++ } else if (replica_num == 2) { ++ replica_offset = FWU_METADATA_REPLICA_2_OFFSET; ++ } else { ++ FWU_LOG_MSG("%s: replica_num must be 1 or 2\n\r", __func__); + return FWU_AGENT_ERROR; + } + + FWU_LOG_MSG("%s: enter: flash addr = %u, size = %d\n\r", __func__, +- FWU_METADATA_REPLICA_2_OFFSET, sizeof(struct fwu_metadata)); ++ replica_offset, sizeof(*p_metadata)); + +- ret = FWU_METADATA_FLASH_DEV.EraseSector(FWU_METADATA_REPLICA_2_OFFSET); ++ ++ ret = FWU_METADATA_FLASH_DEV.EraseSector(replica_offset); + if (ret != ARM_DRIVER_OK) { + return FWU_AGENT_ERROR; + } + +- ret = FWU_METADATA_FLASH_DEV.ProgramData(FWU_METADATA_REPLICA_2_OFFSET, +- p_metadata, sizeof(struct fwu_metadata)); +- if (ret < 0 || ret != sizeof(struct fwu_metadata)) { ++ ret = FWU_METADATA_FLASH_DEV.ProgramData(replica_offset, ++ p_metadata, sizeof(*p_metadata)); ++ if (ret < 0 || ret != sizeof(*p_metadata)) { + return FWU_AGENT_ERROR; + } + +@@ -503,7 +525,7 @@ static enum fwu_agent_error_t metadata_write( + } + #else + static enum fwu_agent_error_t metadata_write( +- struct fwu_metadata *p_metadata) ++ struct fwu_metadata *p_metadata, uint8_t replica_num) + { + uuid_t metadata_uuid = FWU_METADATA_TYPE_UUID; + partition_entry_t *part; +@@ -513,7 +535,15 @@ static enum fwu_agent_error_t metadata_write( + return 
FWU_AGENT_ERROR; + } + +- part = get_partition_entry_by_type(&metadata_uuid); ++ if (replica_num == 1) { ++ part = get_partition_entry_by_type(&metadata_uuid); ++ } else if (replica_num == 2) { ++ part = get_partition_replica_by_type(&metadata_uuid); ++ } else { ++ FWU_LOG_MSG("%s: replica_num must be 1 or 2\n\r", __func__); ++ return FWU_AGENT_ERROR; ++ } ++ + if (!part) { + FWU_LOG_MSG("%s: FWU metadata partition not found\n\r", __func__); + return FWU_AGENT_ERROR; +@@ -533,32 +563,51 @@ static enum fwu_agent_error_t metadata_write( + return FWU_AGENT_ERROR; + } + +- part = get_partition_replica_by_type(&metadata_uuid); +- if (!part) { +- FWU_LOG_MSG("%s: FWU metadata replica partition not found\n\r", __func__); +- return FWU_AGENT_ERROR; +- } ++ FWU_LOG_MSG("%s: success: active = %u, previous = %d\n\r", __func__, ++ p_metadata->active_index, p_metadata->previous_active_index); ++ return FWU_AGENT_SUCCESS; ++} ++#endif + +- FWU_LOG_MSG("%s: enter: flash addr = %u, size = %d\n\r", __func__, +- part->start, sizeof(struct fwu_metadata)); ++static enum fwu_agent_error_t metadata_write_both_replica( ++ struct fwu_metadata *p_metadata) ++{ ++ enum fwu_agent_error_t ret = FWU_AGENT_ERROR; + +- ret = FWU_METADATA_FLASH_DEV.EraseSector(part->start); +- if (ret != ARM_DRIVER_OK) { +- return FWU_AGENT_ERROR; ++ ret = metadata_write(&_metadata, 1); ++ if (ret) { ++ return ret; + } + +- ret = FWU_METADATA_FLASH_DEV.ProgramData(part->start, +- p_metadata, sizeof(struct fwu_metadata)); +- if (ret < 0 || ret != sizeof(struct fwu_metadata)) { +- return FWU_AGENT_ERROR; ++ ret = metadata_write(&_metadata, 2); ++ if (ret) { ++ return ret; + } + +- FWU_LOG_MSG("%s: success: active = %u, previous = %d\n\r", __func__, +- p_metadata->active_index, p_metadata->previous_active_index); + return FWU_AGENT_SUCCESS; + } +-#endif + ++enum fwu_agent_error_t fwu_metadata_check_and_correct_integrity(void) ++{ ++ enum fwu_agent_error_t ret_replica_1 = FWU_AGENT_ERROR; ++ enum fwu_agent_error_t 
ret_replica_2 = FWU_AGENT_ERROR; ++ ++ /* Check integrity of both metadata replica */ ++ ret_replica_1 = metadata_read(&_metadata, 1); ++ ret_replica_2 = metadata_read(&_metadata, 2); ++ ++ if (ret_replica_1 != FWU_AGENT_SUCCESS && ret_replica_2 != FWU_AGENT_SUCCESS) { ++ return FWU_AGENT_ERROR; ++ } else if (ret_replica_1 == FWU_AGENT_SUCCESS && ret_replica_2 != FWU_AGENT_SUCCESS) { ++ metadata_read(&_metadata, 1); ++ metadata_write(&_metadata, 2); ++ } else if (ret_replica_1 != FWU_AGENT_SUCCESS && ret_replica_2 == FWU_AGENT_SUCCESS) { ++ metadata_read(&_metadata, 2); ++ metadata_write(&_metadata, 1); ++ } ++ ++ return FWU_AGENT_SUCCESS; ++} + + enum fwu_agent_error_t fwu_metadata_init(void) + { +@@ -617,8 +666,8 @@ enum fwu_agent_error_t fwu_metadata_provision(void) + * had a firmware data?. If yes, then don't initialize + * metadata + */ +- metadata_read(&_metadata); +- if(_metadata.active_index < 2 || _metadata.previous_active_index <2){ ++ metadata_read(&_metadata, 1); ++ if(_metadata.active_index < 2 || _metadata.previous_active_index < 2){ + if(_metadata.active_index ^ _metadata.previous_active_index) + return FWU_AGENT_SUCCESS; + } +@@ -652,13 +701,13 @@ enum fwu_agent_error_t fwu_metadata_provision(void) + _metadata.crc_32 = crc32((uint8_t *)&_metadata.version, + sizeof(struct fwu_metadata) - sizeof(uint32_t)); + +- ret = metadata_write(&_metadata); ++ ret = metadata_write_both_replica(&_metadata); + if (ret) { + return ret; + } + +- memset(&_metadata, 0, sizeof(struct fwu_metadata)); +- ret = metadata_read(&_metadata); ++ memset(&_metadata, 0, sizeof(_metadata)); ++ ret = metadata_read(&_metadata, 1); + if (ret) { + return ret; + } +@@ -825,7 +874,7 @@ static enum fwu_agent_error_t flash_full_capsule( + metadata->crc_32 = crc32((uint8_t *)&metadata->version, + sizeof(struct fwu_metadata) - sizeof(uint32_t)); + +- ret = metadata_write(metadata); ++ ret = metadata_write_both_replica(metadata); + if (ret) { + return ret; + } +@@ -852,7 +901,7 @@ enum 
fwu_agent_error_t corstone1000_fwu_flash_image(void) + + Select_Write_Mode_For_Shared_Flash(); + +- if (metadata_read(&_metadata)) { ++ if (metadata_read(&_metadata, 1)) { + ret = FWU_AGENT_ERROR; + goto out; + } +@@ -938,7 +987,7 @@ static enum fwu_agent_error_t accept_full_capsule( + metadata->crc_32 = crc32((uint8_t *)&metadata->version, + sizeof(struct fwu_metadata) - sizeof(uint32_t)); + +- ret = metadata_write(metadata); ++ ret = metadata_write_both_replica(metadata); + if (ret) { + return ret; + } +@@ -1034,7 +1083,7 @@ static enum fwu_agent_error_t fwu_select_previous( + metadata->crc_32 = crc32((uint8_t *)&metadata->version, + sizeof(struct fwu_metadata) - sizeof(uint32_t)); + +- ret = metadata_write(metadata); ++ ret = metadata_write_both_replica(metadata); + if (ret) { + return ret; + } +@@ -1064,7 +1113,7 @@ void bl1_get_active_bl2_image(uint32_t *offset) + FWU_ASSERT(0); + } + +- if (metadata_read(&_metadata)) { ++ if (metadata_read(&_metadata, 1)) { + FWU_ASSERT(0); + } + +@@ -1203,9 +1252,17 @@ enum fwu_agent_error_t corstone1000_fwu_host_ack(void) + return FWU_AGENT_ERROR; + } + ++ /* This cannot be added to the fwu_metadata_init() because that function is ++ * called before the logging is enabled by TF-M. 
*/ ++ ret = fwu_metadata_check_and_correct_integrity(); ++ if (ret = FWU_AGENT_SUCCESS) { ++ FWU_LOG_MSG("fwu_metadata_check_and_correct_integrity failed\r\n"); ++ return ret; ++ } ++ + Select_Write_Mode_For_Shared_Flash(); + +- if (metadata_read(&_metadata)) { ++ if (metadata_read(&_metadata, 1)) { + ret = FWU_AGENT_ERROR; + goto out; + } +@@ -1315,7 +1372,7 @@ void host_acknowledgement_timer_to_reset(void) + FWU_ASSERT(0); + } + +- if (metadata_read(&_metadata)) { ++ if (metadata_read(&_metadata, 1)) { + FWU_ASSERT(0); + } + +diff --git a/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.h b/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.h +index 701f20558..78e104277 100644 +--- a/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.h ++++ b/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.h +@@ -70,4 +70,11 @@ enum fwu_nv_counter_index_t { + enum fwu_agent_error_t fwu_stage_nv_counter(enum fwu_nv_counter_index_t index, + uint32_t img_security_cnt); + ++/* ++ * Check if both metadata replica is valid by calculating and comparing crc32. ++ * If one of the replica is corrupted then update it with the valid replica. ++ * If both of the replicas are corrupted then the correction is not possible. ++ */ ++enum fwu_agent_error_t fwu_metadata_check_and_correct_integrity(void); ++ + #endif /* FWU_AGENT_H */ +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0005-platform-corstone1000-add-unique-guid-for-mps3.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0021-platform-corstone1000-add-unique-guid-for-mps3.patch index 3711b8ce36..b153b8da56 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0005-platform-corstone1000-add-unique-guid-for-mps3.patch +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0021-platform-corstone1000-add-unique-guid-for-mps3.patch 
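Review bot: In the corstone1000_fwu_host_ack() hunk of 0020-Platform-CS1000-Validate-both-metadata-replicas.patch, "if (ret = FWU_AGENT_SUCCESS)" assigns instead of comparing, so the result of fwu_metadata_check_and_correct_integrity() is overwritten before it is tested. The other call sites in this file use "if (ret) { return ret; }", which indicates success is zero, so the failure branch never runs and a both-replicas-corrupt result is silently ignored; it should read "if (ret != FWU_AGENT_SUCCESS)". Two related points in the same patch: metadata_write_both_replica() takes p_metadata but passes &_metadata to both metadata_write() calls, so the argument given by flash_full_capsule(), accept_full_capsule() and fwu_select_previous() is ignored; and fwu_metadata_check_and_correct_integrity() discards the return values of the repair metadata_read()/metadata_write() calls and returns FWU_AGENT_SUCCESS even when the repair write fails. The commit message also names a metadata_write_replica() function, while the patch adds a replica_num parameter to metadata_write() and a metadata_write_both_replica() helper instead.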
@@ -1,7 +1,7 @@ -From 3d35eb08fe0cea5c4b882c448f44530bb45c05f0 Mon Sep 17 00:00:00 2001 +From a32e7195a4fc1c9d890f9e22a795443d01dc1e8f Mon Sep 17 00:00:00 2001 From: Anusmita Dutta Mazumder <anusmita.duttamazumder@arm.com> Date: Tue, 2 Apr 2024 13:04:56 +0000 -Subject: [PATCH] platform: corstone1000: add unique guid for mps3 +Subject: [PATCH 03/10] platform: corstone1000: add unique guid for mps3 This patch sets unique GUID for Corstone1000 FVP and MPS3 @@ -12,7 +12,7 @@ Signed-off-by: Anusmita Dutta Mazumder <anusmita.duttamazumder@arm.com> 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c b/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c -index 2e6cf80470..be04e0e5df 100644 +index 003ab9faf8..5768df19b8 100644 --- a/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c +++ b/platform/ext/target/arm/corstone1000/fw_update_agent/fwu_agent.c @@ -113,13 +113,19 @@ enum fwu_agent_state_t { @@ -37,5 +37,5 @@ index 2e6cf80470..be04e0e5df 100644 #define IMAGE_NOT_ACCEPTED (0) #define BANK_0 (0) -- -2.38.1 +2.25.1 diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0010-CC312-alignment-of-cc312-differences-between-fvp-and.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0022-CC312-alignment-of-cc312-differences.patch index 3d1b35e46b..45d7049c85 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0010-CC312-alignment-of-cc312-differences-between-fvp-and.patch +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0022-CC312-alignment-of-cc312-differences.patch @@ -1,22 +1,21 @@ -From a8aeaafd6c26d6bc3066164d12aabc5cb754fe1c Mon Sep 17 00:00:00 2001 +From 60ab8bbf85e9e84afd23948a71cf84c69f4aad7a Mon Sep 17 00:00:00 2001 
From: Ali Can Ozaslan <ali.oezaslan@arm.com> Date: Wed, 15 May 2024 12:12:15 +0000 -Subject: [PATCH] CC312: alignment of cc312 differences between fvp and mps3 - corstone1000 platforms +Subject: [PATCH 07/10] CC312: alignment of cc312 differences between fvp and + mps3 corstone1000 platforms -Configures CC312 mps3 model same as predefined cc312 FVP +Configures CC312 mps3 model same as predefined cc312 FVP configuration while keeping debug ports closed. Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com> Upstream-Status: Inappropriate [Requires an aligment cc3xx with mps3 hw and fvp sw models] - --- lib/ext/cryptocell-312-runtime/host/src/cc3x_lib/cc_lib.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/ext/cryptocell-312-runtime/host/src/cc3x_lib/cc_lib.c b/lib/ext/cryptocell-312-runtime/host/src/cc3x_lib/cc_lib.c -index 31e4332be..4d7e6fa61 100644 +index 31e4332bed..4b08c02526 100644 --- a/lib/ext/cryptocell-312-runtime/host/src/cc3x_lib/cc_lib.c +++ b/lib/ext/cryptocell-312-runtime/host/src/cc3x_lib/cc_lib.c @@ -207,6 +207,9 @@ CClibRetCode_t CC_LibInit(CCRndContext_t *rndContext_ptr, CCRndWorkBuff_t *rndW @@ -29,3 +28,6 @@ index 31e4332be..4d7e6fa61 100644 /* turn off the DFA since Cerberus doen't support it */ reg = CC_HAL_READ_REGISTER(CC_REG_OFFSET(HOST_RGF, HOST_AO_LOCK_BITS)); CC_REG_FLD_SET(0, HOST_AO_LOCK_BITS, HOST_FORCE_DFA_ENABLE, reg, 0x0); +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0001-PSA-revert-header-versions.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0001-PSA-revert-header-versions.patch new file mode 100644 index 0000000000..47db186621 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0001-PSA-revert-header-versions.patch 
@@ -0,0 +1,38 @@ +From 3a53a6ad7b91770a8514082e411e277c03764eb0 Mon Sep 17 00:00:00 2001 +From: Emekcan Aras <emekcan.aras@arm.com> +Date: Wed, 9 Aug 2023 17:16:03 +0100 +Subject: [PATCH] Revert ADAC cert and token version + +Align ADAC certificate versions with versions in secure-debug-manager +[1] repository. The versions of the certificate and token are checked +during the authentication process. The debugger connection is refused +if there is a mismatch between the sent certificate/token and expected +certificate/token versions. + +[1] https://github.com/ARM-software/secure-debug-manager/tree/master + +Signed-off-by: Emekcan Aras <emekcan.aras@arm.com> +Upstream-Status: Inappropriate [Add newer dummy token and cert] +--- + psa-adac/core/include/psa_adac.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/psa-adac/core/include/psa_adac.h b/psa-adac/core/include/psa_adac.h +index b190992..6c3feb2 100644 +--- a/psa-adac/core/include/psa_adac.h ++++ b/psa-adac/core/include/psa_adac.h +@@ -30,8 +30,8 @@ extern "C" { + * + * Current version numbers for certificate and token format. + */ +-#define ADAC_CERT_MAJOR 1u +-#define ADAC_CERT_MINOR 0u ++#define ADAC_CERT_MAJOR 0u ++#define ADAC_CERT_MINOR 1u + #define ADAC_TOKEN_MAJOR 1u + #define ADAC_TOKEN_MINOR 0u + +-- +2.25.1 + + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0002-ADAC-Link-psa_interface-instead-of-tfm_sprt.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0002-ADAC-Link-psa_interface-instead-of-tfm_sprt.patch new file mode 100644 index 0000000000..fcfe892e79 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0002-ADAC-Link-psa_interface-instead-of-tfm_sprt.patch 
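Review bot: The subject of psa-adac/0001-PSA-revert-header-versions.patch says "Revert ADAC cert and token version", but the psa_adac.h hunk only changes ADAC_CERT_MAJOR and ADAC_CERT_MINOR (1.0 to 0.1); ADAC_TOKEN_MAJOR and ADAC_TOKEN_MINOR remain 1u and 0u as context lines. Either the subject should say cert only, or the token macros are missing from the change. Because the message states that a version mismatch makes the target refuse the debugger connection, it would also help to record which secure-debug-manager revision these values were taken from, since reference [1] points at the moving master branch.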
@@ -0,0 +1,35 @@ +From af71103845498eef4f859deba4b904a195f2817f Mon Sep 17 00:00:00 2001 +From: Bence Balogh <bence.balogh@arm.com> +Date: Mon, 22 Jul 2024 17:33:23 +0200 +Subject: [PATCH] ADAC: Link psa_interface instead of tfm_sprt + +The tfm_sprt brings in other functionalities that are not needed for +the Secure Debug. + +The printf() override in tfm_sp_log_raw.c can cause problems because +it calls tfm_hal_output_sp_log() which triggers an SVC. The SVC calls +tfm_hal_output_spm_log which relies on an SPM, which might not be +initialized at that point. + +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +Upstream-Status: Pending [Not submitted to upstream yet] +--- + psa_crypto/CMakeLists.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/psa_crypto/CMakeLists.txt b/psa_crypto/CMakeLists.txt +index 3e70624..58d95f7 100644 +--- a/psa_crypto/CMakeLists.txt ++++ b/psa_crypto/CMakeLists.txt +@@ -18,7 +18,7 @@ target_sources(psa_adac_psa_crypto + target_link_libraries(psa_adac_psa_crypto + PRIVATE + psa_adac_config +- tfm_sprt ++ psa_interface + ) + + target_link_libraries(trusted-firmware-m-psa-adac +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0003-Fix-psa_key_handle_t-initialization.patch b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0003-Fix-psa_key_handle_t-initialization.patch new file mode 100644 index 0000000000..d620cc191a --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0003-Fix-psa_key_handle_t-initialization.patch 
@@ -0,0 +1,32 @@ +From 972bf711ad884607409c225f9338bf25206e29e8 Mon Sep 17 00:00:00 2001 +From: Bence Balogh <bence.balogh@arm.com> +Date: Wed, 31 Jul 2024 15:56:51 +0200 +Subject: [PATCH] Fix psa_key_handle_t initialization + +If the MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER macro is defined in the +mbedcrypto configuration header file then the psa_key_handle_t is a +struct. In this case, it is defined in the used configuration header +so the struct cannot be initialized with -1. + +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +Upstream-Status: Pending [Not submitted to upstream yet] +--- + psa_crypto/adac_crypto_psa_mac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/psa_crypto/adac_crypto_psa_mac.c b/psa_crypto/adac_crypto_psa_mac.c +index 046fef7..93ab8f9 100644 +--- a/psa_crypto/adac_crypto_psa_mac.c ++++ b/psa_crypto/adac_crypto_psa_mac.c +@@ -198,7 +198,7 @@ psa_status_t psa_adac_verify_mac(uint8_t key_type, + size_t mac_size) + { + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; +- psa_key_handle_t handle = -1; ++ psa_key_handle_t handle = {0}; + psa_status_t ret = PSA_ERROR_NOT_SUPPORTED; + psa_key_type_t type = 0; + size_t bits = 0; +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-2.0.0-src.inc b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-2.0.0-src.inc deleted file mode 100644 index 82543258d7..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-2.0.0-src.inc +++ /dev/null 
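Review bot: In the psa_adac_verify_mac() hunk of psa-adac/0003-Fix-psa_key_handle_t-initialization.patch, replacing "-1" with "{0}" changes the initial handle value from an invalid sentinel to zero in every configuration, not only when MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER makes psa_key_handle_t a struct. Mbed TLS provides PSA_KEY_HANDLE_INIT for this type, which expresses the intent without depending on the type's layout. It is also worth confirming that no later path in this function compares handle against -1 or releases a handle that was never imported, since only the declaration is visible in this hunk.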
@@ -1,46 +0,0 @@ -# Common src definitions for trusted-firmware-m and trusted-firmware-m-scripts - -LICENSE = "BSD-2-Clause & BSD-3-Clause & Apache-2.0" - -LIC_FILES_CHKSUM = "file://license.rst;md5=07f368487da347f3c7bd0fc3085f3afa \ - file://../tf-m-tests/license.rst;md5=4481bae2221b0cfca76a69fb3411f390 \ - file://../mbedtls/LICENSE;md5=379d5819937a6c2f1ef1630d341e026d \ - file://../mcuboot/LICENSE;md5=b6ee33f1d12a5e6ee3de1e82fb51eeb8" - -SRC_URI_TRUSTED_FIRMWARE_M ?= "git://git.trustedfirmware.org/TF-M/trusted-firmware-m.git;protocol=https" -SRC_URI_TRUSTED_FIRMWARE_M_EXTRAS ?= "git://git.trustedfirmware.org/TF-M/tf-m-extras.git;protocol=https" -SRC_URI_TRUSTED_FIRMWARE_M_TESTS ?= "git://git.trustedfirmware.org/TF-M/tf-m-tests.git;protocol=https" -SRC_URI_TRUSTED_FIRMWARE_M_MBEDTLS ?= "git://github.com/ARMmbed/mbedtls.git;protocol=https" -SRC_URI_TRUSTED_FIRMWARE_M_MCUBOOT ?= "git://github.com/mcu-tools/mcuboot.git;protocol=https" -SRC_URI_TRUSTED_FIRMWARE_M_QCBOR ?= "git://github.com/laurencelundblade/QCBOR.git;protocol=https" -SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_M};branch=${SRCBRANCH_tfm};name=tfm;destsuffix=git/tfm \ - ${SRC_URI_TRUSTED_FIRMWARE_M_EXTRAS};branch=${SRCBRANCH_tfm-extras};name=tfm-extras;destsuffix=git/tfm-extras \ - ${SRC_URI_TRUSTED_FIRMWARE_M_TESTS};branch=${SRCBRANCH_tfm-tests};name=tfm-tests;destsuffix=git/tf-m-tests \ - ${SRC_URI_TRUSTED_FIRMWARE_M_MBEDTLS};branch=${SRCBRANCH_mbedtls};name=mbedtls;destsuffix=git/mbedtls \ - ${SRC_URI_TRUSTED_FIRMWARE_M_MCUBOOT};branch=${SRCBRANCH_mcuboot};name=mcuboot;destsuffix=git/mcuboot \ - ${SRC_URI_TRUSTED_FIRMWARE_M_QCBOR};branch=${SRCBRANCH_qcbor};name=qcbor;destsuffix=git/qcbor \ - " - -# The required dependencies are documented in tf-m/config/config_default.cmake -# TF-Mv2.0.0 -SRCBRANCH_tfm ?= "release/2.0.x" -SRCREV_tfm = "9ca8a5eb3c85eecee1303dffa262800ea0385584" -# TF-Mv2.0.0 -SRCBRANCH_tfm-extras ?= "release/2.0.x" -SRCREV_tfm-extras = "676a1465f361439bc95f5a50ef71749f27caffc1" -# 
TF-Mv2.0.0 -SRCBRANCH_tfm-tests ?= "release/2.0.x" -SRCREV_tfm-tests = "69fbb233dc6e45f8306d98694ca5760559f9d2ef" -# mbedtls-3.5.1 -SRCBRANCH_mbedtls ?= "master" -SRCREV_mbedtls = "edb8fec9882084344a314368ac7fd957a187519c" -# mcuboot v2.0.0 -SRCBRANCH_mcuboot ?= "main" -SRCREV_mcuboot = "304fd41980ed929533b9f387dde1b463b0be5b90" -# QCBOR v1.2 -SRCBRANCH_qcbor ?= "master" -SRCREV_qcbor = "b0e7033268e88c9f27146fa9a1415ef4c19ebaff" - -SRCREV_FORMAT = "tfm" - -S = "${WORKDIR}/git/tfm" diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc index 4777251d6d..9c38d1ad5d 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc +++ b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc @@ -11,6 +11,8 @@ TFM_PLATFORM_IS_FVP ?= "FALSE" EXTRA_OECMAKE += "-DPLATFORM_IS_FVP=${TFM_PLATFORM_IS_FVP}" EXTRA_OECMAKE += "-DCC312_LEGACY_DRIVER_API_ENABLED=OFF" EXTRA_OECMAKE:append:corstone1000-fvp = " -DENABLE_MULTICORE=${@bb.utils.contains('MACHINE_FEATURES', 'corstone1000_fvp_smp', 'TRUE', 'FALSE', d)}" +EXTRA_OECMAKE:append:corstone1000-mps3 = " -DPLATFORM_PSA_ADAC_SECURE_DEBUG=${@bb.utils.contains('MACHINE_FEATURES', 'secure-debug', 'ON', 'OFF', d)}" +EXTRA_OECMAKE:append:corstone1000-mps3 = " -DPLATFORM_PSA_ADAC_SOURCE_PATH=${S}/../tfm-psa-adac -DPLATFORM_PSA_ADAC_BUILD_PATH=${B}/tfm-psa-adac-build" SRC_URI += " \ file://0001-arm-trusted-firmware-m-disable-address-warnings-into.patch \ 
@@ -18,19 +20,35 @@ SRC_URI += " \ FILESEXTRAPATHS:prepend := "${THISDIR}/files:" SRC_URI:append:corstone1000 = " \ - file://0001-platform-corstone1000-Update-MPU-configuration.patch \ - file://0002-platform-corstone1000-Cover-S_DATA-with-MPU.patch \ - file://0003-platform-corstone1000-align-capsule-update-structs.patch \ - file://0004-Platform-Corstone1000-skip-the-first-nv-counter.patch \ - file://0005-platform-corstone1000-add-unique-guid-for-mps3.patch \ - file://0006-Platform-Corstone1000-Enable-host-firewall-in-FVP.patch \ - file://0007-platform-corstone1000-Increase-ITS-max-asset-size.patch \ - file://0008-Platform-CS1000-Replace-OpenAMP-with-RSE_COMMS.patch \ - file://0009-platform-corstone1000-Increase-RSE_COMMS-buffer-size.patch \ - file://0010-CC312-alignment-of-cc312-differences-between-fvp-and.patch \ - file://0011-Platform-corstone1000-Increase-buffers-for-EFI-vars.patch \ - file://0012-corstone1000-Remove-reset-after-capsule-update.patch \ - file://0013-platform-CS1000-Add-multicore-support-for-FVP.patch \ + file://0001-Platform-Corstone1000-Align-capsule-UEFI-structs.patch \ + file://0002-Platform-Corstone1000-Fix-NV-counter-writing.patch \ + file://0003-Platform-Corstone1000-Enable-firewall-in-FVP.patch \ + file://0004-Platform-CS1000-Increase-ITS-max-asset-size.patch \ + file://0005-Platform-CS1000-Increase-RSE_COMMS-buffer-size.patch \ + file://0006-Platform-CS1000-Increase-buffers-for-EFI-vars.patch \ + file://0007-Plaform-Corstone1000-Switch-to-metadata-v2.patch \ + file://0008-Platform-CS1000-Increase-flash-PS-area-size.patch \ + file://0009-corstone1000-Remove-reset-after-capsule-update.patch \ + file://0010-platform-CS1000-Add-multicore-support-for-FVP.patch \ + file://0011-Platform-CS1000-Fix-Bank-offsets.patch \ + file://0012-Platform-CS1000-Increase-BL2-partition-size.patch \ + file://0013-CC312-ADAC-Add-PSA_WANT_ALG_SHA_256-definition.patch \ + file://0014-Platform-CS1000-Add-crypto-configs-for-ADAC.patch \ + 
file://0015-Platform-CS1000-Fix-platform-name-in-logs.patch \ + file://0016-Platform-corstone1000-Fix-isolation-L2-memory-protection.patch \ + file://0017-Platform-CS1000-Remove-unused-BL1-files.patch \ + file://0018-Platform-CS1000-Remove-duplicated-metadata-write.patch \ + file://0019-Platform-CS1000-Fix-compiler-switch-in-BL1.patch \ + file://0020-Platform-CS1000-Validate-both-metadata-replicas.patch \ + file://0021-platform-corstone1000-add-unique-guid-for-mps3.patch \ + file://0022-CC312-alignment-of-cc312-differences.patch \ + " + +FILESEXTRAPATHS:prepend:corstone1000-mps3 := "${THISDIR}/files/corstone1000/psa-adac:" +SRC_URI:append:corstone1000-mps3 = " \ + file://0001-PSA-revert-header-versions.patch;patchdir=../tfm-psa-adac \ + file://0002-ADAC-Link-psa_interface-instead-of-tfm_sprt.patch;patchdir=../tfm-psa-adac \ + file://0003-Fix-psa_key_handle_t-initialization.patch;patchdir=../tfm-psa-adac \ " # TF-M ships patches for external dependencies that needs to be applied diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-scripts-native_2.0.0.bb b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-scripts-native_2.0.0.bb deleted file mode 100644 index d50d886f60..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-scripts-native_2.0.0.bb +++ /dev/null @@ -1,2 +0,0 @@ -require recipes-bsp/trusted-firmware-m/trusted-firmware-m-${PV}-src.inc -require recipes-bsp/trusted-firmware-m/trusted-firmware-m-scripts-native.inc diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m_2.0.0.bb b/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m_2.0.0.bb deleted file mode 100644 index 3464f49dd9..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m_2.0.0.bb +++ /dev/null 
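Review bot: In the trusted-firmware-m-corstone1000.inc hunks, PLATFORM_PSA_ADAC_SECURE_DEBUG is gated on the 'secure-debug' machine feature, but PLATFORM_PSA_ADAC_SOURCE_PATH, PLATFORM_PSA_ADAC_BUILD_PATH and the three psa-adac patches with patchdir=../tfm-psa-adac are applied to every corstone1000-mps3 build. Nothing in the visible hunks fetches a tfm-psa-adac tree, so do_patch relies on another include always placing it at ${S}/../tfm-psa-adac; gating the SRC_URI entries on the same feature, or adding a comment saying where that source comes from, would make the dependency explicit. Minor: 0007-Plaform-Corstone1000-Switch-to-metadata-v2.patch has "Plaform" in its file name.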
@@ -1,2 +0,0 @@ -require recipes-bsp/trusted-firmware-m/trusted-firmware-m-${PV}-src.inc -require recipes-bsp/trusted-firmware-m/trusted-firmware-m.inc diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot-corstone1000.inc b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot-corstone1000.inc index 7d8155d4f7..2470db0285 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot-corstone1000.inc +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot-corstone1000.inc @@ -65,6 +65,9 @@ SRC_URI:append = " \ file://0047-corstone1000-dts-add-external-system-node.patch \ file://0048-corstone1000-Enable-UEFI-Secure-boot.patch \ file://0049-corstone1000-Add-secondary-cores-cpu-nodes-for-FVP.patch \ + file://0050-fwu-Use-metadata-v2.patch \ + ${@bb.utils.contains('MACHINE_FEATURES', 'corstone1000-extsys', \ + '', 'file://0051-corstone1000-purge-remoteproc-dts-node.patch' , d)} \ " do_configure:append() { diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot-fvp-base.inc b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot-fvp-base.inc index 9f8c178a29..1bde9c6494 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot-fvp-base.inc +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot-fvp-base.inc @@ -4,5 +4,6 @@ SRC_URI:append = " \ file://0001-vexpress64-Set-the-DM_RNG-property.patch \ file://0002-vexpress64-Select-PSCI-RESET-by-default.patch \ file://0003-vexpress64-Imply-CONFIG_ARM64_CRC32-by-default.patch \ - file://tick.patch \ + file://0004-arm-Move-sev-and-wfe-definitions-to-common-Arm-heade.patch \ + file://0005-armv8-generic_timer-Use-event-stream-for-udelay.patch \ " diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0019-arm-corstone1000-esrt-support.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0019-arm-corstone1000-esrt-support.patch index f8d4be8623..0781e37416 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0019-arm-corstone1000-esrt-support.patch 
+++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0019-arm-corstone1000-esrt-support.patch @@ -153,7 +153,7 @@ index c883e2ff0a..c6ab6e2182 100644 + return EFI_EXIT(ret); + + image_info_version_size_var -= image_info_name_size_var; -+ image_info->image_id_name = runner; ++ image_info->image_id_name = (u16*)runner; + runner += image_info_name_size_var; + + /* Consider changing the string modfication logic */ @@ -164,7 +164,7 @@ index c883e2ff0a..c6ab6e2182 100644 + if (ret != EFI_SUCCESS) + return EFI_EXIT(ret); + -+ image_info->version_name = runner; ++ image_info->version_name = (u16*)runner; + + *image_info_size = image_info_size_var; + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0050-fwu-Use-metadata-v2.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0050-fwu-Use-metadata-v2.patch new file mode 100644 index 0000000000..4388db443f --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0050-fwu-Use-metadata-v2.patch 
@@ -0,0 +1,105 @@ +From 54b407fc74c9989c72ab7a571395d8793b409514 Mon Sep 17 00:00:00 2001 +From: Bence Balogh <bence.balogh@arm.com> +Date: Wed, 3 Jul 2024 16:38:22 +0200 +Subject: [PATCH] fwu: Use metadata v2 + +The mdata structure was modified to use the v2 and did the minimal +necessarry changes to make it build without errors. This way the +U-Boot metadata is aligned with the TF-A and TF-M structs. + +Upstream-Status: Inappropriate +[This is done correctly upstream but using the upstream patches would +require too many backported patches. The merge commit of the upstream +changes is 7e52d6ccfb76e2afc2d183b357abe2a2e2f948cf.] +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +--- + cmd/fwu_mdata.c | 2 +- + include/fwu_mdata.h | 17 ++++++++++++++++- + lib/fwu_updates/fwu.c | 8 ++++---- + 3 files changed, 21 insertions(+), 6 deletions(-) + +diff --git a/cmd/fwu_mdata.c b/cmd/fwu_mdata.c +index f04af27de6..73374dca8b 100644 +--- a/cmd/fwu_mdata.c ++++ b/cmd/fwu_mdata.c +@@ -27,7 +27,7 @@ static void print_mdata(struct fwu_mdata *mdata) + + printf("\tImage Info\n"); + for (i = 0; i < CONFIG_FWU_NUM_IMAGES_PER_BANK; i++) { +- img_entry = &mdata->img_entry[i]; ++ img_entry = &mdata->fw_desc.img_entry[i]; + printf("\nImage Type Guid: %pUL\n", + &img_entry->image_type_uuid); + printf("Location Guid: %pUL\n", &img_entry->location_uuid); +diff --git a/include/fwu_mdata.h b/include/fwu_mdata.h +index c61221a917..6a0eb7dce9 100644 +--- a/include/fwu_mdata.h ++++ b/include/fwu_mdata.h +@@ -40,6 +40,16 @@ struct fwu_image_entry { + struct fwu_image_bank_info img_bank_info[CONFIG_FWU_NUM_BANKS]; + } __packed; + ++struct fwu_fw_store_desc { ++ uint8_t num_banks; ++ uint8_t reserved; ++ uint16_t num_images; ++ uint16_t img_entry_size; ++ uint16_t bank_info_entry_size; ++ ++ struct fwu_image_entry img_entry[CONFIG_FWU_NUM_IMAGES_PER_BANK]; ++} __packed; ++ + /** + * struct fwu_mdata - FWU metadata structure for multi-bank updates + * @crc32: crc32 value for the FWU metadata +@@ 
-60,8 +70,13 @@ struct fwu_mdata { + uint32_t version; + uint32_t active_index; + uint32_t previous_active_index; ++ uint32_t metadata_size; ++ uint16_t desc_offset; ++ uint16_t reserved1; ++ uint8_t bank_state[4]; ++ uint32_t reserved2; + +- struct fwu_image_entry img_entry[CONFIG_FWU_NUM_IMAGES_PER_BANK]; ++ struct fwu_fw_store_desc fw_desc; + } __packed; + + #endif /* _FWU_MDATA_H_ */ +diff --git a/lib/fwu_updates/fwu.c b/lib/fwu_updates/fwu.c +index 5313d07302..488c9cc661 100644 +--- a/lib/fwu_updates/fwu.c ++++ b/lib/fwu_updates/fwu.c +@@ -131,7 +131,7 @@ static int in_trial_state(struct fwu_mdata *mdata) + struct fwu_image_bank_info *img_bank_info; + + active_bank = mdata->active_index; +- img_entry = &mdata->img_entry[0]; ++ img_entry = &mdata->fw_desc.img_entry[0]; + for (i = 0; i < CONFIG_FWU_NUM_IMAGES_PER_BANK; i++) { + img_bank_info = &img_entry[i].img_bank_info[active_bank]; + if (!img_bank_info->accepted) { +@@ -418,8 +418,8 @@ int fwu_get_image_index(u8 *image_index) + */ + for (i = 0; i < CONFIG_FWU_NUM_IMAGES_PER_BANK; i++) { + if (!guidcmp(&image_type_id, +- &mdata.img_entry[i].image_type_uuid)) { +- img_entry = &mdata.img_entry[i]; ++ &mdata.fw_desc.img_entry[i].image_type_uuid)) { ++ img_entry = &mdata.fw_desc.img_entry[i]; + img_bank_info = &img_entry->img_bank_info[update_bank]; + image_guid = &img_bank_info->image_uuid; + ret = fwu_plat_get_alt_num(dev, image_guid, &alt_num); +@@ -512,7 +512,7 @@ static int fwu_clrset_image_accept(efi_guid_t *img_type_id, u32 bank, u8 action) + if (ret) + return ret; + +- img_entry = &mdata.img_entry[0]; ++ img_entry = &mdata.fw_desc.img_entry[0]; + for (i = 0; i < CONFIG_FWU_NUM_IMAGES_PER_BANK; i++) { + if (!guidcmp(&img_entry[i].image_type_uuid, img_type_id)) { + img_bank_info = &img_entry[i].img_bank_info[bank]; +-- +2.25.1 + 
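Review bot: The v2 fields added in include/fwu_mdata.h (metadata_size, desc_offset and bank_state in struct fwu_mdata; num_banks, num_images, img_entry_size and bank_info_entry_size in struct fwu_fw_store_desc) are neither read nor checked anywhere in this patch. The diffstat lists three files, and in cmd/fwu_mdata.c and lib/fwu_updates/fwu.c every loop still runs to CONFIG_FWU_NUM_IMAGES_PER_BANK and reaches the entries through the fixed member `fw_desc.img_entry[i]`. The commit message says the layout is shared with TF-A and TF-M, so metadata whose desc_offset, image count or entry sizes differ from the compile-time layout would be walked at the wrong offsets without any error. Suggest validating after load that metadata_size equals sizeof(struct fwu_mdata), that desc_offset equals offsetof(struct fwu_mdata, fw_desc), and that num_banks and num_images equal CONFIG_FWU_NUM_BANKS and CONFIG_FWU_NUM_IMAGES_PER_BANK, rejecting the metadata otherwise. Two smaller points: `bank_state[4]` is a literal while img_bank_info is sized by CONFIG_FWU_NUM_BANKS, so a build-time assert that CONFIG_FWU_NUM_BANKS does not exceed 4 would catch a mismatch; and in_trial_state() still decides from the per-image `accepted` flag only, with bank_state never consulted. The kernel-doc comment above struct fwu_mdata also gets no entries for the new members.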
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0051-corstone1000-purge-remoteproc-dts-node.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0051-corstone1000-purge-remoteproc-dts-node.patch new file mode 100644 index 0000000000..3b0430c827 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/corstone1000/0051-corstone1000-purge-remoteproc-dts-node.patch @@ -0,0 +1,34 @@ +From 4e0ab7af882fcf498fd8beb4024ea024e6464cef Mon Sep 17 00:00:00 2001 +From: Harsimran Singh Tungal <harsimransingh.tungal@arm.com> +Date: Wed, 14 Aug 2024 14:33:50 +0000 +Subject: [PATCH] corstone1000: purge remoteproc DTS node + +Purge remoteproc DTS node +This is done to remove the remote proc node from the DTS passed +to Linux from U-Boot because the device tree binding for remoteproc +has not been upstreamed yet. Existence of remoteproc DTS node in Linux +is causing dt-schema test for SystemReady-IR v2.0 certification to fail. + +Upstream-Status: Pending +Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com> +--- + board/armltd/corstone1000/corstone1000.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/board/armltd/corstone1000/corstone1000.c b/board/armltd/corstone1000/corstone1000.c +index ef74dc9032..d474fce1b2 100644 +--- a/board/armltd/corstone1000/corstone1000.c ++++ b/board/armltd/corstone1000/corstone1000.c +@@ -30,8 +30,7 @@ DT_NON_COMPLIANT_PURGE_LIST(foo) = { + { .node_path = "/soc/mhu@1b010000" }, + { .node_path = "/soc/mhu@1b020000" }, + { .node_path = "/soc/mhu@1b030000" }, +- { .node_path = "/soc/client" }, +- { .node_path = "/soc/extsys@1A010310" }, ++ { .node_path = "/soc/remoteproc@1a010310" }, + }; + + #define CORSTONE1000_KERNEL_PARTS 2 +-- +2.34.1 + 
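Review bot: The purge-list hunk in board/armltd/corstone1000/corstone1000.c drops `/soc/client` together with `/soc/extsys@1A010310`, but the commit message only explains purging the remoteproc node. If a `/soc/client` node is still present in the device tree it will now be handed to Linux, so either keep that entry or say in the message that the node no longer exists. The replacement entry `/soc/remoteproc@1a010310` uses a lower-case unit address where the old entry used `1A010310`; please confirm it matches the node name in the DTS exactly, since a path that does not match purges nothing. The recipe change earlier in this commit applies this patch only when `corstone1000-extsys` is absent from MACHINE_FEATURES, which is worth stating in the commit message so the condition is visible to anyone reading the patch on its own. The message body also repeats the subject line as its first sentence.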
diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/fvp-base/0004-arm-Move-sev-and-wfe-definitions-to-common-Arm-heade.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/fvp-base/0004-arm-Move-sev-and-wfe-definitions-to-common-Arm-heade.patch new file mode 100644 index 0000000000..088b4dccb5 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/fvp-base/0004-arm-Move-sev-and-wfe-definitions-to-common-Arm-heade.patch 
@@ -0,0 +1,84 @@ +From b18a3c183d20812933d192d4b0d622b11ef2bf29 Mon Sep 17 00:00:00 2001 +From: Peter Hoyes <Peter.Hoyes@arm.com> +Date: Wed, 1 May 2024 09:16:32 +0100 +Subject: [PATCH] arm: Move sev() and wfe() definitions to common Arm header + file + +The sev() and wfe() asm macros are currently defined only for +mach-exynos. As these are common Arm instructions, move them to the +common asm/system.h header file, for both Armv7 and Armv8, so they +can be used by other machines. + +wfe may theoretically trigger a context switch if an interrupt occurs +so add a memory barrier to this call. + +Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com> +Reviewed-by: Andre Przywara<andre.przywara@arm.com> + +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> +--- + arch/arm/include/asm/system.h | 9 +++++++++ + arch/arm/mach-exynos/include/mach/system.h | 19 ------------------- + 2 files changed, 9 insertions(+), 19 deletions(-) + +diff --git a/arch/arm/include/asm/system.h b/arch/arm/include/asm/system.h +index 43f7503571d7..51123c296843 100644 +--- a/arch/arm/include/asm/system.h ++++ b/arch/arm/include/asm/system.h +@@ -154,6 +154,13 @@ enum dcache_option { + "wfi" : : : "memory"); \ + }) + ++#define wfe() \ ++ ({asm volatile( \ ++ "wfe" : : : "memory"); \ ++ }) ++ ++#define sev() asm volatile("sev") ++ + static inline unsigned int current_el(void) + { + unsigned long el; +@@ -369,6 +376,8 @@ void switch_to_hypervisor_ret(void); + + #ifdef __ARM_ARCH_7A__ + #define wfi() __asm__ __volatile__ ("wfi" : : : "memory") ++#define wfe() __asm__ __volatile__ ("wfe" : : : "memory") ++#define sev() __asm__ __volatile__ ("sev") + #else + #define wfi() + #endif +diff --git a/arch/arm/mach-exynos/include/mach/system.h b/arch/arm/mach-exynos/include/mach/system.h +index 5d0bebac5733..0aed4c3e2bf6 100644 +--- a/arch/arm/mach-exynos/include/mach/system.h ++++ b/arch/arm/mach-exynos/include/mach/system.h +@@ -36,25 +36,6 @@ struct exynos5_sysreg { + + #define 
USB20_PHY_CFG_HOST_LINK_EN (1 << 0) + +-/* +- * This instruction causes an event to be signaled to all cores +- * within a multiprocessor system. If SEV is implemented, +- * WFE must also be implemented. +- */ +-#define sev() __asm__ __volatile__ ("sev\n\t" : : ); +-/* +- * If the Event Register is not set, WFE suspends execution until +- * one of the following events occurs: +- * - an IRQ interrupt, unless masked by the CPSR I-bit +- * - an FIQ interrupt, unless masked by the CPSR F-bit +- * - an Imprecise Data abort, unless masked by the CPSR A-bit +- * - a Debug Entry request, if Debug is enabled +- * - an Event signaled by another processor using the SEV instruction. +- * If the Event Register is set, WFE clears it and returns immediately. +- * If WFE is implemented, SEV must also be implemented. +- */ +-#define wfe() __asm__ __volatile__ ("wfe\n\t" : : ); +- + /* Move 0xd3 value to CPSR register to enable SVC mode */ + #define svc32_mode_en() __asm__ __volatile__ \ + ("@ I&F disable, Mode: 0x13 - SVC\n\t" \ +-- +2.30.2 + diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/tick.patch b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/fvp-base/0005-armv8-generic_timer-Use-event-stream-for-udelay.patch index 370bc27459..ac29b463cd 100644 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/tick.patch +++ b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/fvp-base/0005-armv8-generic_timer-Use-event-stream-for-udelay.patch 
@@ -1,92 +1,7 @@ -From b18a3c183d20812933d192d4b0d622b11ef2bf29 Mon Sep 17 00:00:00 2001 -From: Peter Hoyes <Peter.Hoyes@arm.com> -Date: Wed, 1 May 2024 09:16:32 +0100 -Subject: [PATCH 1/2] arm: Move sev() and wfe() definitions to common Arm - header file - -The sev() and wfe() asm macros are currently defined only for -mach-exynos. As these are common Arm instructions, move them to the -common asm/system.h header file, for both Armv7 and Armv8, so they -can be used by other machines. - -wfe may theoretically trigger a context switch if an interrupt occurs -so add a memory barrier to this call. - -Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com> -Reviewed-by: Andre Przywara<andre.przywara@arm.com> - -Upstream-Status: Backport -Signed-off-by: Ross Burton <ross.burton@arm.com> ---- - arch/arm/include/asm/system.h | 9 +++++++++ - arch/arm/mach-exynos/include/mach/system.h | 19 ------------------- - 2 files changed, 9 insertions(+), 19 deletions(-) - -diff --git a/arch/arm/include/asm/system.h b/arch/arm/include/asm/system.h -index 43f7503571..51123c2968 100644 ---- a/arch/arm/include/asm/system.h -+++ b/arch/arm/include/asm/system.h -@@ -154,6 +154,13 @@ enum dcache_option { - "wfi" : : : "memory"); \ - }) - -+#define wfe() \ -+ ({asm volatile( \ -+ "wfe" : : : "memory"); \ -+ }) -+ -+#define sev() asm volatile("sev") -+ - static inline unsigned int current_el(void) - { - unsigned long el; -@@ -369,6 +376,8 @@ void switch_to_hypervisor_ret(void); - - #ifdef __ARM_ARCH_7A__ - #define wfi() __asm__ __volatile__ ("wfi" : : : "memory") -+#define wfe() __asm__ __volatile__ ("wfe" : : : "memory") -+#define sev() __asm__ __volatile__ ("sev") - #else - #define wfi() - #endif -diff --git a/arch/arm/mach-exynos/include/mach/system.h b/arch/arm/mach-exynos/include/mach/system.h -index 5d0bebac57..0aed4c3e2b 100644 ---- a/arch/arm/mach-exynos/include/mach/system.h -+++ b/arch/arm/mach-exynos/include/mach/system.h -@@ -36,25 +36,6 @@ struct exynos5_sysreg { - - #define 
USB20_PHY_CFG_HOST_LINK_EN (1 << 0) - --/* -- * This instruction causes an event to be signaled to all cores -- * within a multiprocessor system. If SEV is implemented, -- * WFE must also be implemented. -- */ --#define sev() __asm__ __volatile__ ("sev\n\t" : : ); --/* -- * If the Event Register is not set, WFE suspends execution until -- * one of the following events occurs: -- * - an IRQ interrupt, unless masked by the CPSR I-bit -- * - an FIQ interrupt, unless masked by the CPSR F-bit -- * - an Imprecise Data abort, unless masked by the CPSR A-bit -- * - a Debug Entry request, if Debug is enabled -- * - an Event signaled by another processor using the SEV instruction. -- * If the Event Register is set, WFE clears it and returns immediately. -- * If WFE is implemented, SEV must also be implemented. -- */ --#define wfe() __asm__ __volatile__ ("wfe\n\t" : : ); -- - /* Move 0xd3 value to CPSR register to enable SVC mode */ - #define svc32_mode_en() __asm__ __volatile__ \ - ("@ I&F disable, Mode: 0x13 - SVC\n\t" \ --- -2.34.1 - - From ebc84d7b60c1ed3398e9f600fe3dc8406500bd35 Mon Sep 17 00:00:00 2001 From: Peter Hoyes <Peter.Hoyes@arm.com> Date: Wed, 1 May 2024 09:16:33 +0100 -Subject: [PATCH 2/2] armv8: generic_timer: Use event stream for udelay +Subject: [PATCH] armv8: generic_timer: Use event stream for udelay Polling cntpct_el0 in a tight loop for delays is inefficient. This is particularly apparent on Arm FVPs, which do not simulate @@ -105,6 +20,9 @@ board family. Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com> Reviewed-by: Andre Przywara <andre.przywara@arm.com> + +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> --- arch/arm/cpu/armv8/Kconfig | 8 ++++++++ arch/arm/cpu/armv8/generic_timer.c | 27 +++++++++++++++++++++++++++ @@ -112,7 +30,7 @@ Reviewed-by: Andre Przywara <andre.przywara@arm.com> 3 files changed, 39 insertions(+), 2 deletions(-) 
diff --git a/arch/arm/cpu/armv8/Kconfig b/arch/arm/cpu/armv8/Kconfig -index 9f0fb369f7..199335cd60 100644 +index 9f0fb369f773..199335cd6040 100644 --- a/arch/arm/cpu/armv8/Kconfig +++ b/arch/arm/cpu/armv8/Kconfig @@ -191,6 +191,14 @@ config ARMV8_EA_EL3_FIRST @@ -131,7 +49,7 @@ index 9f0fb369f7..199335cd60 100644 bool "ARM64 Accelerated Cryptographic Algorithms" diff --git a/arch/arm/cpu/armv8/generic_timer.c b/arch/arm/cpu/armv8/generic_timer.c -index e4aa5a4745..1de7ec596f 100644 +index e4aa5a474553..1de7ec596fc7 100644 --- a/arch/arm/cpu/armv8/generic_timer.c +++ b/arch/arm/cpu/armv8/generic_timer.c @@ -114,3 +114,30 @@ ulong timer_get_boot_us(void) @@ -166,7 +84,7 @@ index e4aa5a4745..1de7ec596f 100644 +} +#endif diff --git a/arch/arm/include/asm/system.h b/arch/arm/include/asm/system.h -index 51123c2968..7e30cac32a 100644 +index 51123c296843..7e30cac32a09 100644 --- a/arch/arm/include/asm/system.h +++ b/arch/arm/include/asm/system.h @@ -69,8 +69,10 @@ @@ -183,5 +101,5 @@ index 51123c2968..7e30cac32a 100644 /* * HCR_EL2 bits definitions -- -2.34.1 +2.30.2 diff --git a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/tc/bootargs.cfg b/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/tc/bootargs.cfg deleted file mode 100644 index 2bfd403f5b..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot/tc/bootargs.cfg +++ /dev/null @@ -1,3 +0,0 @@ -CONFIG_USE_BOOTARGS=y -CONFIG_BOOTARGS="console=ttyAMA0 debug earlycon=pl011,0x7ff80000" -CONFIG_BOOTDELAY=0 diff --git a/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/arm64.cfg b/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/arm64.cfg deleted file mode 100644 index 62c0238786..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/arm64.cfg +++ /dev/null 
@@ -1,17 +0,0 @@ -# SPDX-License-Identifier: MIT -# -# ARM64 -# -CONFIG_ARM64=y -CONFIG_64BIT=y -CONFIG_ARCH_VEXPRESS=y - -# -# Bus support -# -CONFIG_ARM_AMBA=y - -# -# Bus devices -# -CONFIG_VEXPRESS_CONFIG=y diff --git a/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/fvp-common-peripherals.cfg b/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/fvp-common-peripherals.cfg deleted file mode 100644 index ecb3cc9da4..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/fvp-common-peripherals.cfg +++ /dev/null @@ -1,8 +0,0 @@ -# SPDX-License-Identifier: MIT -CONFIG_SERIAL_AMBA_PL011=y -CONFIG_SERIAL_AMBA_PL011_CONSOLE=y - -CONFIG_ARM_SP805_WATCHDOG=y - -CONFIG_RTC_CLASS=y -CONFIG_RTC_DRV_PL031=y diff --git a/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/fvp/fvp-drm.cfg b/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/fvp/fvp-drm.cfg index 77133a9dfe..0a6e3f6739 100644 --- a/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/fvp/fvp-drm.cfg +++ b/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/fvp/fvp-drm.cfg @@ -2,4 +2,3 @@ CONFIG_DRM=y CONFIG_DRM_PL111=y CONFIG_FB=y -CONFIG_FB_ARMCLCD=y diff --git a/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/juno/juno-drm.cfg b/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/juno/juno-drm.cfg index 1216297943..7b22508307 100644 --- a/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/juno/juno-drm.cfg +++ b/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/juno/juno-drm.cfg @@ -1,5 +1,5 @@ CONFIG_DRM=y CONFIG_DRM_HDLCD=y +CONFIG_DRM_PL111=y CONFIG_DRM_I2C_NXP_TDA998X=y CONFIG_FB=y -CONFIG_FB_ARMCLCD=y 
diff --git a/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/juno/juno-fb.cfg b/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/juno/juno-fb.cfg index 59499fa649..ba143a0a45 100644 --- a/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/juno/juno-fb.cfg +++ b/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/juno/juno-fb.cfg @@ -1,4 +1,3 @@ CONFIG_FB=y -CONFIG_FB_ARMCLCD=y CONFIG_FRAMEBUFFER_CONSOLE=y # CONFIG_VGA_CONSOLE is not set diff --git a/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/juno/juno-thermal.cfg b/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/juno/juno-thermal.cfg index f4d220e0de..a5b0e69bd0 100644 --- a/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/juno/juno-thermal.cfg +++ b/meta-arm/meta-arm-bsp/recipes-kernel/linux/arm-platforms-kmeta/bsp/arm-platforms/juno/juno-thermal.cfg @@ -5,4 +5,3 @@ CONFIG_THERMAL_GOV_POWER_ALLOCATOR=y CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR=y CONFIG_THERMAL_GOV_USER_SPACE=y CONFIG_CPU_THERMAL=y -CONFIG_THERMAL_WRITABLE_TRIPS=y diff --git a/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-arm-platforms.inc b/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-arm-platforms.inc index ae22531f16..01803ba205 100644 --- a/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-arm-platforms.inc +++ b/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-arm-platforms.inc 
@@ -35,13 +35,21 @@ SRC_URI:append:corstone1000 = " ${@bb.utils.contains('MACHINE_FEATURES', \ 'file://corstone1000_kernel_debug.cfg', \ '', \ d)}" - SRC_URI:append:corstone1000 = " \ - file://extsys.cfg \ - file://0001-remoteproc-Add-Arm-remoteproc-driver.patch \ - file://0002-arm64-dts-Add-corstone1000-external-system-device-no.patch \ - file://0003-dt-bindings-remoteproc-Add-Arm-remoteproc.patch \ - " + ${@bb.utils.contains( \ + 'MACHINE_FEATURES', \ + 'corstone1000-extsys', \ + ' \ + file://extsys.cfg \ + file://0001-remoteproc-Add-Arm-remoteproc-driver.patch \ + file://0002-arm64-dts-Add-corstone1000-external-system-device-no.patch \ + file://0003-dt-bindings-remoteproc-Add-Arm-remoteproc.patch \ + ', \ + '', \ + d \ + ) \ + } \ +" # Default kernel features not needed for corstone1000 # otherwise the extra kernel modules will increase the rootfs size diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/files/optee-os/corstone1000/0002-increase-tzdram-size.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/files/optee-os/corstone1000/0002-increase-tzdram-size.patch index c499a163b1..0c89bd0e80 100644 --- a/meta-arm/meta-arm-bsp/recipes-security/optee/files/optee-os/corstone1000/0002-increase-tzdram-size.patch +++ b/meta-arm/meta-arm-bsp/recipes-security/optee/files/optee-os/corstone1000/0002-increase-tzdram-size.patch @@ -3,7 +3,7 @@ From: Emekcan Aras <Emekcan.Aras@arm.com> Date: Wed, 3 Apr 2024 16:05:07 +0100 Subject: [PATCH] increase tzdram size -Upstream-Status: Pending +Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/commit/258b72d242cd1a8ae56c87f9572a0624084785c7] Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com> Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com> --- diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os/0003-optee-enable-clang-support.patch b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os/0003-optee-enable-clang-support.patch deleted file mode 100644 index 3c13ce3f02..0000000000 
--- a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os/0003-optee-enable-clang-support.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 59d4c190eae11c93b26cca5a7b005a17dadc8248 Mon Sep 17 00:00:00 2001 -From: Brett Warren <brett.warren@arm.com> -Date: Wed, 23 Sep 2020 09:27:34 +0100 -Subject: [PATCH] optee: enable clang support - -When compiling with clang, the LIBGCC_LOCATE_CFLAG variable used -to provide a sysroot wasn't included, which results in not locating -compiler-rt. This is mitigated by including the variable as ammended. - -Upstream-Status: Pending -ChangeId: 8ba69a4b2eb8ebaa047cb266c9aa6c2c3da45701 -Signed-off-by: Brett Warren <brett.warren@arm.com> - ---- - mk/clang.mk | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/mk/clang.mk b/mk/clang.mk -index a045beee8..1ebe2f702 100644 ---- a/mk/clang.mk -+++ b/mk/clang.mk -@@ -30,7 +30,7 @@ comp-cflags-warns-clang := -Wno-language-extension-token \ - - # Note, use the compiler runtime library (libclang_rt.builtins.*.a) instead of - # libgcc for clang --libgcc$(sm) := $(shell $(CC$(sm)) $(CFLAGS$(arch-bits-$(sm))) \ -+libgcc$(sm) := $(shell $(CC$(sm)) $(LIBGCC_LOCATE_CFLAGS) $(CFLAGS$(arch-bits-$(sm))) \ - -rtlib=compiler-rt -print-libgcc-file-name 2> /dev/null) - - # Core ASLR relies on the executable being ready to run from its preferred load diff --git a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.1.0.bb b/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.1.0.bb deleted file mode 100644 index bfb61eb28b..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.1.0.bb +++ /dev/null @@ -1,10 +0,0 @@ -require recipes-security/optee/optee-os.inc - -DEPENDS += "dtc-native" - -FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" - -SRCREV = "18b424c23aa5a798dfe2e4d20b4bde3919dc4e99" -SRC_URI += " \ - file://0003-optee-enable-clang-support.patch \ - " 
diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-stub-capsule-update-service-components.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-stub-capsule-update-service-components.patch index 0f6fab819f..fa33f78c53 100644 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-stub-capsule-update-service-components.patch +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0001-Add-stub-capsule-update-service-components.patch @@ -8,7 +8,7 @@ stub components are added to provide a starting point for an implementation. The capsule update service provider is integrated into the se-proxy/common deployment. -Upstream-Status: Pending +Upstream-Status: Inappropriate [Trusted-Services Design needs to be followed] Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com> Signed-off-by: Julian Hall <julian.hall@arm.com> Change-Id: I0d4049bb4de5af7ca80806403301692507085d28 diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fix-in-AEAD-for-psa-arch-test-254.patch index 524d6f7af1..02c9c668a8 100644 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0002-Fix-in-AEAD-for-psa-arch-test-254.patch @@ -1,23 +1,29 @@ -From 1923e1f4dbd8f912701c2870822fa4b61eb6082d Mon Sep 17 00:00:00 2001 +From 834d5184902341414eb147204eeda8b0ff01f38c Mon Sep 17 00:00:00 2001 
From: Satish Kumar <satish.kumar01@arm.com> Date: Mon, 14 Feb 2022 08:22:25 +0000 -Subject: [PATCH 2/8] Fixes in AEAD for psa-arch test 54 and 58. +Subject: [PATCH 2/8] Fix in AEAD for psa-arch test 254 -Upstream-Status: Pending [Not submitted to upstream yet] +PSA crypto test 254 fails at checkpoint 6. +Fix output arguments in various crypto AEAD functions +to match crypto service implementation in TF-M. AEAD API's +in TF-M start expecting output size as an argument. + +Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/31176] Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com> Signed-off-by: Satish Kumar <satish.kumar01@arm.com> Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> +Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com> --- - .../crypto/client/caller/packed-c/crypto_caller_aead.h | 1 + - components/service/crypto/include/psa/crypto_sizes.h | 2 +- - .../crypto/provider/extension/aead/aead_provider.c | 8 ++++++-- - .../extension/aead/serializer/aead_provider_serializer.h | 1 + - .../packed-c/packedc_aead_provider_serializer.c | 2 ++ - protocols/service/crypto/packed-c/aead.h | 1 + - 6 files changed, 12 insertions(+), 3 deletions(-) + .../crypto/client/caller/packed-c/crypto_caller_aead.h | 1 + + components/service/crypto/include/psa/crypto_sizes.h | 2 +- + .../crypto/provider/extension/aead/aead_provider.c | 10 ++++++++-- + .../aead/serializer/aead_provider_serializer.h | 1 + + .../packed-c/packedc_aead_provider_serializer.c | 2 ++ + protocols/service/crypto/packed-c/aead.h | 1 + + 6 files changed, 14 insertions(+), 3 deletions(-) diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h -index bf39762b0..27ffbc66e 100644 +index 417189e..236d3e2 100644 --- a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h +++ b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h 
@@ -314,6 +314,7 @@ static inline psa_status_t crypto_caller_aead_update(struct service_client *cont @@ -29,7 +35,7 @@ index bf39762b0..27ffbc66e 100644 /* Mandatory input data parameter */ diff --git a/components/service/crypto/include/psa/crypto_sizes.h b/components/service/crypto/include/psa/crypto_sizes.h -index 30aa102da..130d27295 100644 +index 30aa102..130d272 100644 --- a/components/service/crypto/include/psa/crypto_sizes.h +++ b/components/service/crypto/include/psa/crypto_sizes.h @@ -351,7 +351,7 @@ @@ -42,7 +48,7 @@ index 30aa102da..130d27295 100644 /** A sufficient output buffer size for psa_aead_update(). * diff --git a/components/service/crypto/provider/extension/aead/aead_provider.c b/components/service/crypto/provider/extension/aead/aead_provider.c -index b73d88d32..6a0f96c3c 100644 +index b73d88d..510cffa 100644 --- a/components/service/crypto/provider/extension/aead/aead_provider.c +++ b/components/service/crypto/provider/extension/aead/aead_provider.c @@ -283,10 +283,11 @@ static rpc_status_t aead_update_handler(void *context, struct rpc_request *req) @@ -58,22 +64,24 @@ index b73d88d32..6a0f96c3c 100644 if (rpc_status == RPC_SUCCESS) { -@@ -300,9 +301,12 @@ static rpc_status_t aead_update_handler(void *context, struct rpc_request *req) +@@ -300,9 +301,14 @@ static rpc_status_t aead_update_handler(void *context, struct rpc_request *req) if (crypto_context) { size_t output_len = 0; - size_t output_size = PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(input_len); + size_t output_size = PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(24); ++ /* Always allocate maximum size to be more robust to implementations of psa_aead_update() */ uint8_t *output = malloc(output_size); + if (recv_output_size < output_size) { + output_size = recv_output_size; + } ++ if (output) { psa_status = psa_aead_update(&crypto_context->op.aead, 
diff --git a/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h b/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h -index be76d2bc6..590973048 100644 +index be76d2b..5909730 100644 --- a/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h +++ b/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h @@ -51,6 +51,7 @@ struct aead_provider_serializer { @@ -85,7 +93,7 @@ index be76d2bc6..590973048 100644 rpc_status_t (*serialize_aead_update_resp)(struct rpc_buffer *resp_buf, diff --git a/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c b/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c -index 8f8c3c7f2..922a7b651 100644 +index 8f8c3c7..922a7b6 100644 --- a/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c +++ b/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c @@ -192,6 +192,7 @@ static rpc_status_t deserialize_aead_update_ad_req(const struct rpc_buffer *req_ @@ -105,7 +113,7 @@ index 8f8c3c7f2..922a7b651 100644 tlv_const_iterator_begin(&req_iter, (uint8_t*)req_buf->data + expected_fixed_len, diff --git a/protocols/service/crypto/packed-c/aead.h b/protocols/service/crypto/packed-c/aead.h -index 0be266b52..435fd3b52 100644 +index 0be266b..435fd3b 100644 --- a/protocols/service/crypto/packed-c/aead.h +++ b/protocols/service/crypto/packed-c/aead.h @@ -98,6 +98,7 @@ enum diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-Fix-psa-api-crypto-test-no-243.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-Fix-psa-api-crypto-test-no-243.patch new file mode 100644 index 0000000000..bb30a7668e --- /dev/null 
+++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-Fix-psa-api-crypto-test-no-243.patch @@ -0,0 +1,31 @@ +From 372d6e9e5827486841ffe15a1b050569fff762b6 Mon Sep 17 00:00:00 2001 +From: Bence Balogh <bence.balogh@arm.com> +Date: Wed, 10 Apr 2024 09:17:39 +0200 +Subject: [PATCH 5/8] Fix psa-api-crypto-test no 243 + +Enable MbedTLS ECP DP SECP521R1 ECC algorithm to pass +PSA-API tests's `psa-api-crypto-test` number 243 as it is +required for Corstone-1000. + +Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/31177/1] +Signed-off-by: Emekcan Aras <emekcan.aras@arm.com> +Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com> +--- + platform/providers/arm/corstone1000/platform.cmake | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake +index d944acf..e811c25 100644 +--- a/platform/providers/arm/corstone1000/platform.cmake ++++ b/platform/providers/arm/corstone1000/platform.cmake +@@ -14,6 +14,7 @@ target_compile_definitions(${TGT} PRIVATE + SMM_VARIABLE_INDEX_STORAGE_UID=0x787 + PLAT_RSS_COMMS_PAYLOAD_MAX_SIZE=0x2080 + COMMS_MHU_MSG_SIZE=0x3500 ++ MBEDTLS_ECP_DP_SECP521R1_ENABLED + ) + + get_property(_platform_driver_dependencies TARGET ${TGT} +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch deleted file mode 100644 index e116690516..0000000000 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From a7818585e1113aabf310a94eea802ff79234b0db Mon Sep 17 00:00:00 2001 -From: Bence Balogh <bence.balogh@arm.com> -Date: Wed, 10 Apr 2024 09:17:39 +0200 -Subject: [PATCH 5/8] plat: corstone1000: add compile definitions for - ECP_DP_SECP512R1 - -Corstone1000 runs PSA-API tests which requires this ECC algorithm. -Without setting this, corstone1000 fails psa-api-crypto-test no 243. - -Signed-off-by: Emekcan Aras <emekcan.aras@arm.com> -Upstream-Status: Pending ---- - platform/providers/arm/corstone1000/platform.cmake | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake -index 663226740..83350f788 100644 ---- a/platform/providers/arm/corstone1000/platform.cmake -+++ b/platform/providers/arm/corstone1000/platform.cmake -@@ -26,3 +26,5 @@ get_property(_platform_driver_dependencies TARGET ${TGT} - if ("mhu" IN_LIST _platform_driver_dependencies) - include(${TS_ROOT}/platform/drivers/arm/mhu_driver/mhu_v2_x/driver.cmake) - endif() -+ -+add_compile_definitions(MBEDTLS_ECP_DP_SECP521R1_ENABLED) --- -2.25.1 - diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0018-Change-RSS_COMMS-cmake-variables-to-cahce-vars.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0018-Make-RSS-and-MHU-sizes-compile-time-definitions-user.patch index 76e78fa365..e503efe5ff 100644 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0018-Change-RSS_COMMS-cmake-variables-to-cahce-vars.patch +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0018-Make-RSS-and-MHU-sizes-compile-time-definitions-user.patch @@ -1,19 +1,22 @@ -From e8b577d02d1d4ed2492bb0b6c3a5bb7d2656f13a Mon Sep 17 00:00:00 2001 +From 6e7e3f2f1cb96eb1c895e8573fae8c141e9b64c8 Mon Sep 17 00:00:00 2001 
From: Bence Balogh <bence.balogh@arm.com> Date: Fri, 17 May 2024 13:21:07 +0200 -Subject: [PATCH] Change RSS_COMMS cmake variables to cahce vars +Subject: [PATCH] Make RSS and MHU sizes compile-time definitions + user-configurable -This way they can be set externally as well for the corstone1000 -platform. +Replace the hardcoded RSS and MHU compile definitions values with CMake +cache variables that users can configure to change the size of the RSS +communication payload and the MHU message. +Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/31178/1] Signed-off-by: Bence Balogh <bence.balogh@arm.com> -Upstream-Status: Pending +Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com> --- platform/providers/arm/corstone1000/platform.cmake | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake -index 16139c80e..82ac14f0b 100644 +index e811c25..8997155 100644 --- a/platform/providers/arm/corstone1000/platform.cmake +++ b/platform/providers/arm/corstone1000/platform.cmake @@ -9,11 +9,13 @@ @@ -29,9 +32,9 @@ index 16139c80e..82ac14f0b 100644 - COMMS_MHU_MSG_SIZE=0x3500 + PLAT_RSS_COMMS_PAYLOAD_MAX_SIZE=${PLAT_RSS_COMMS_PAYLOAD_MAX_SIZE} + COMMS_MHU_MSG_SIZE=${COMMS_MHU_MSG_SIZE} + MBEDTLS_ECP_DP_SECP521R1_ENABLED ) - get_property(_platform_driver_dependencies TARGET ${TGT} -- 2.25.1 diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0019-Align-PSA-Crypto-with-TF-Mv2.1.patch b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0019-Align-PSA-Crypto-with-TF-Mv2.1.patch new file mode 100644 index 0000000000..88413dd3f4 --- /dev/null +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/corstone1000/0019-Align-PSA-Crypto-with-TF-Mv2.1.patch 
@@ -0,0 +1,300 @@ +From 3bb579379bcfe32ae0b81f721b370afcb58e9693 Mon Sep 17 00:00:00 2001 +From: Bence Balogh <bence.balogh@arm.com> +Date: Wed, 10 Jul 2024 11:07:09 +0200 +Subject: [PATCH] Align PSA Crypto with TF-Mv2.1 + +Update following files using the TF-Mv2.1 release (0c4c99b) commit. + +* crypto_sid.h +This is derived from TF-M's tfm_crypto_defs.h file. The crypto function +ID definitions were reworked. This change had to be done on the TS +side too to keep the compatibility. + +* crypto_ipc_backend.h +This file is also derived from the tfm_crypto_defs.h file. The +tfm_crypto_pack_iovec struct changed in TF-M so the +psa_ipc_crypto_pack_iovec struct had to be updated in TS to +keep the compatibility. + +* crypto_client_struct.h +The psa_client_key_attributes_s struct had to be aligned with the +psa_key_attributes_s struct in TF-M. (psa_crypto.c) + +Signed-off-by: Bence Balogh <bence.balogh@arm.com> +Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TS/trusted-services/+/31179/1] +--- + .../service/common/include/psa/crypto_sid.h | 168 +++++------------- + .../backend/psa_ipc/crypto_ipc_backend.h | 9 +- + .../crypto/include/psa/crypto_client_struct.h | 4 +- + 3 files changed, 55 insertions(+), 126 deletions(-) + +diff --git a/components/service/common/include/psa/crypto_sid.h b/components/service/common/include/psa/crypto_sid.h +index 5b05f46d7..fe057ce40 100644 +--- a/components/service/common/include/psa/crypto_sid.h ++++ b/components/service/common/include/psa/crypto_sid.h +@@ -18,22 +18,24 @@ extern "C" { + * nine groups (Random, Key management, Hash, MAC, Cipher, AEAD, + * Asym sign, Asym encrypt, Key derivation). 
+ */ +-enum tfm_crypto_group_id { +- TFM_CRYPTO_GROUP_ID_RANDOM = 0x0, +- TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT, +- TFM_CRYPTO_GROUP_ID_HASH, +- TFM_CRYPTO_GROUP_ID_MAC, +- TFM_CRYPTO_GROUP_ID_CIPHER, +- TFM_CRYPTO_GROUP_ID_AEAD, +- TFM_CRYPTO_GROUP_ID_ASYM_SIGN, +- TFM_CRYPTO_GROUP_ID_ASYM_ENCRYPT, +- TFM_CRYPTO_GROUP_ID_KEY_DERIVATION, ++enum tfm_crypto_group_id_t { ++ TFM_CRYPTO_GROUP_ID_RANDOM = UINT8_C(1), ++ TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT = UINT8_C(2), ++ TFM_CRYPTO_GROUP_ID_HASH = UINT8_C(3), ++ TFM_CRYPTO_GROUP_ID_MAC = UINT8_C(4), ++ TFM_CRYPTO_GROUP_ID_CIPHER = UINT8_C(5), ++ TFM_CRYPTO_GROUP_ID_AEAD = UINT8_C(6), ++ TFM_CRYPTO_GROUP_ID_ASYM_SIGN = UINT8_C(7), ++ TFM_CRYPTO_GROUP_ID_ASYM_ENCRYPT = UINT8_C(8), ++ TFM_CRYPTO_GROUP_ID_KEY_DERIVATION = UINT8_C(9) + }; + +-/* X macro describing each of the available PSA Crypto APIs */ ++/* Set of X macros describing each of the available PSA Crypto APIs */ ++#define RANDOM_FUNCS \ ++ X(TFM_CRYPTO_GENERATE_RANDOM) ++ + #define KEY_MANAGEMENT_FUNCS \ + X(TFM_CRYPTO_GET_KEY_ATTRIBUTES) \ +- X(TFM_CRYPTO_RESET_KEY_ATTRIBUTES) \ + X(TFM_CRYPTO_OPEN_KEY) \ + X(TFM_CRYPTO_CLOSE_KEY) \ + X(TFM_CRYPTO_IMPORT_KEY) \ +@@ -89,13 +91,13 @@ enum tfm_crypto_group_id { + X(TFM_CRYPTO_AEAD_VERIFY) \ + X(TFM_CRYPTO_AEAD_ABORT) + +-#define ASYMMETRIC_SIGN_FUNCS \ ++#define ASYM_SIGN_FUNCS \ + X(TFM_CRYPTO_ASYMMETRIC_SIGN_MESSAGE) \ + X(TFM_CRYPTO_ASYMMETRIC_VERIFY_MESSAGE) \ + X(TFM_CRYPTO_ASYMMETRIC_SIGN_HASH) \ + X(TFM_CRYPTO_ASYMMETRIC_VERIFY_HASH) + +-#define AYSMMETRIC_ENCRYPT_FUNCS \ ++#define ASYM_ENCRYPT_FUNCS \ + X(TFM_CRYPTO_ASYMMETRIC_ENCRYPT) \ + X(TFM_CRYPTO_ASYMMETRIC_DECRYPT) + +@@ -106,133 +108,55 @@ enum tfm_crypto_group_id { + X(TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY) \ + X(TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES) \ + X(TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY) \ ++ X(TFM_CRYPTO_KEY_DERIVATION_INPUT_INTEGER) \ + X(TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT) \ + X(TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES) \ + 
X(TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY) \ + X(TFM_CRYPTO_KEY_DERIVATION_ABORT) + +-#define RANDOM_FUNCS \ +- X(TFM_CRYPTO_GENERATE_RANDOM) +- +-/* +- * Define function IDs in each group. The function ID will be encoded into +- * tfm_crypto_func_sid below. +- * Each group is defined as a dedicated enum in case the total number of +- * PSA Crypto APIs exceeds 256. +- */ +-#define X(func_id) func_id, +-enum tfm_crypto_key_management_func_id { +- KEY_MANAGEMENT_FUNCS +-}; +-enum tfm_crypto_hash_func_id { +- HASH_FUNCS +-}; +-enum tfm_crypto_mac_func_id { +- MAC_FUNCS +-}; +-enum tfm_crypto_cipher_func_id { +- CIPHER_FUNCS +-}; +-enum tfm_crypto_aead_func_id { +- AEAD_FUNCS +-}; +-enum tfm_crypto_asym_sign_func_id { +- ASYMMETRIC_SIGN_FUNCS +-}; +-enum tfm_crypto_asym_encrypt_func_id { +- AYSMMETRIC_ENCRYPT_FUNCS +-}; +-enum tfm_crypto_key_derivation_func_id { +- KEY_DERIVATION_FUNCS +-}; +-enum tfm_crypto_random_func_id { +- RANDOM_FUNCS +-}; +-#undef X +- +-#define FUNC_ID(func_id) (((func_id) & 0xFF) << 8) ++#define BASE__VALUE(x) ((uint16_t)((((uint16_t)(x)) << 8) & 0xFF00)) + +-/* +- * Numerical progressive value identifying a function API exposed through +- * the interfaces (S or NS). It's used to dispatch the requests from S/NS +- * to the corresponding API implementation in the Crypto service backend. ++/** ++ * \brief This type defines numerical progressive values identifying a function API ++ * exposed through the interfaces (S or NS). It's used to dispatch the requests ++ * from S/NS to the corresponding API implementation in the Crypto service backend. ++ * ++ * \note Each function SID is encoded as uint16_t. ++ * +------------+------------+ ++ * | Group ID | Func ID | ++ * +------------+------------+ ++ * (MSB)15 8 7 0(LSB) + * +- * Each function SID is encoded as uint16_t. +- * | Func ID | Group ID | +- * 15 8 7 0 +- * Func ID is defined in each group func_id enum above +- * Group ID is defined in tfm_crypto_group_id. 
+ */ +-enum tfm_crypto_func_sid { +- +-#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ +- (TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT & 0xFF)), +- ++enum tfm_crypto_func_sid_t { ++#define X(FUNCTION_NAME) FUNCTION_NAME ## _SID, ++ BASE__RANDOM = BASE__VALUE(TFM_CRYPTO_GROUP_ID_RANDOM) - 1, ++ RANDOM_FUNCS ++ BASE__KEY_MANAGEMENT = BASE__VALUE(TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT) - 1, + KEY_MANAGEMENT_FUNCS +- +-#undef X +-#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ +- (TFM_CRYPTO_GROUP_ID_HASH & 0xFF)), ++ BASE__HASH = BASE__VALUE(TFM_CRYPTO_GROUP_ID_HASH) - 1, + HASH_FUNCS +- +-#undef X +-#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ +- (TFM_CRYPTO_GROUP_ID_MAC & 0xFF)), ++ BASE__MAC = BASE__VALUE(TFM_CRYPTO_GROUP_ID_MAC) - 1, + MAC_FUNCS +- +-#undef X +-#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ +- (TFM_CRYPTO_GROUP_ID_CIPHER & 0xFF)), ++ BASE__CIPHER = BASE__VALUE(TFM_CRYPTO_GROUP_ID_CIPHER) - 1, + CIPHER_FUNCS +- +-#undef X +-#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ +- (TFM_CRYPTO_GROUP_ID_AEAD & 0xFF)), ++ BASE__AEAD = BASE__VALUE(TFM_CRYPTO_GROUP_ID_AEAD) - 1, + AEAD_FUNCS +- +-#undef X +-#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ +- (TFM_CRYPTO_GROUP_ID_ASYM_SIGN & 0xFF)), +- ASYMMETRIC_SIGN_FUNCS +- +-#undef X +-#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ +- (TFM_CRYPTO_GROUP_ID_ASYM_ENCRYPT & 0xFF)), +- AYSMMETRIC_ENCRYPT_FUNCS +- +-#undef X +-#define X(func_id) func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ +- (TFM_CRYPTO_GROUP_ID_KEY_DERIVATION & 0xFF)), ++ BASE__ASYM_SIGN = BASE__VALUE(TFM_CRYPTO_GROUP_ID_ASYM_SIGN) - 1, ++ ASYM_SIGN_FUNCS ++ BASE__ASYM_ENCRYPT = BASE__VALUE(TFM_CRYPTO_GROUP_ID_ASYM_ENCRYPT) - 1, ++ ASYM_ENCRYPT_FUNCS ++ BASE__KEY_DERIVATION = BASE__VALUE(TFM_CRYPTO_GROUP_ID_KEY_DERIVATION) - 1, + KEY_DERIVATION_FUNCS +- + #undef X +-#define X(func_id) 
func_id ## _SID = (uint16_t)((FUNC_ID(func_id)) | \ +- (TFM_CRYPTO_GROUP_ID_RANDOM & 0xFF)), +- RANDOM_FUNCS +- + }; +-#undef X + + /** +- * \brief Define an invalid value for an SID +- * ++ * \brief This macro is used to extract the group_id from an encoded function id ++ * by accessing the upper 8 bits. A \a _function_id is uint16_t type + */ +-#define TFM_CRYPTO_SID_INVALID (~0x0u) +- +-/** +- * \brief This value is used to mark an handle as invalid. +- * +- */ +-#define TFM_CRYPTO_INVALID_HANDLE (0x0u) +- +-/** +- * \brief Define miscellaneous literal constants that are used in the service +- * +- */ +-enum { +- TFM_CRYPTO_NOT_IN_USE = 0, +- TFM_CRYPTO_IN_USE = 1 +-}; ++#define TFM_CRYPTO_GET_GROUP_ID(_function_id) \ ++ ((enum tfm_crypto_group_id_t)(((uint16_t)(_function_id) >> 8) & 0xFF)) + + #ifdef __cplusplus + } +diff --git a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h +index 27ac59837..d7e733b89 100644 +--- a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h ++++ b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h +@@ -30,10 +30,9 @@ struct psa_ipc_crypto_aead_pack_input { + struct psa_ipc_crypto_pack_iovec { + psa_key_id_t key_id; /*!< Key id */ + psa_algorithm_t alg; /*!< Algorithm */ +- uint32_t op_handle; /*!< Frontend context handle associated to a ++ uint32_t op_handle; /*!< Client context handle associated to a + * multipart operation + */ +- uint32_t capacity; /*!< Key derivation capacity */ + uint32_t ad_length; /*!< Additional Data length for multipart AEAD */ + uint32_t plaintext_length; /*!< Plaintext length for multipart AEAD */ + +@@ -44,7 +43,11 @@ struct psa_ipc_crypto_pack_iovec { + * See tfm_crypto_func_sid for detail + */ + uint16_t step; /*!< Key derivation step */ +-}__packed; ++ union { ++ size_t capacity; /*!< Key derivation capacity */ ++ uint64_t value; /*!< Key derivation integer for update*/ ++ }; ++}; + + #define 
iov_size sizeof(struct psa_ipc_crypto_pack_iovec) + +diff --git a/components/service/crypto/include/psa/crypto_client_struct.h b/components/service/crypto/include/psa/crypto_client_struct.h +index 1f68aba21..ebc400811 100644 +--- a/components/service/crypto/include/psa/crypto_client_struct.h ++++ b/components/service/crypto/include/psa/crypto_client_struct.h +@@ -34,9 +34,11 @@ struct psa_client_key_attributes_s + uint16_t type; + uint16_t bits; + uint32_t lifetime; +- psa_key_id_t id; + uint32_t usage; + uint32_t alg; ++ uint32_t alg2; ++ uint32_t id; ++ int32_t owner_id; + }; + + #define PSA_CLIENT_KEY_ATTRIBUTES_INIT {0, 0, 0, 0, 0, 0} +-- +2.25.1 + diff --git a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc index 837f68718c..af313f4450 100644 --- a/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc +++ b/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-arm-platforms.inc @@ -3,10 +3,10 @@ FILESEXTRAPATHS:prepend:corstone1000 := "${THISDIR}/corstone1000:" COMPATIBLE_MACHINE:corstone1000 = "corstone1000" SRC_URI:append:corstone1000 = " \ file://0001-Add-stub-capsule-update-service-components.patch \ - file://0002-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch \ + file://0002-Fix-in-AEAD-for-psa-arch-test-254.patch \ file://0003-FMP-Support-in-Corstone1000.patch \ file://0004-smm_gateway-GetNextVariableName-Fix.patch \ - file://0005-plat-corstone1000-add-compile-definitions-for-ECP_DP.patch \ + file://0005-Fix-psa-api-crypto-test-no-243.patch \ file://0006-plat-corstone1000-Use-the-stateless-platform-service.patch \ file://0007-plat-corstone1000-Initialize-capsule-update-provider.patch \ file://0008-plat-corstone1000-add-client_id-for-FMP-service.patch \ 
@@ -19,8 +19,12 @@ SRC_URI:append:corstone1000 = " \ file://0015-Add-timestamp-validation-for-uefi-variables.patch \ file://0016-Isolate-common-uefi-variable-authentication-steps.patch \ file://0017-Implement-Private-Authenticated-Variable-verificatio.patch \ - file://0018-Change-RSS_COMMS-cmake-variables-to-cahce-vars.patch \ + file://0018-Make-RSS-and-MHU-sizes-compile-time-definitions-user.patch \ + file://0019-Align-PSA-Crypto-with-TF-Mv2.1.patch \ " +# The patches above introduce errors with GCC 14.1, silence them for now +CFLAGS:append:corstone1000 = " -Wno-int-conversion -Wno-implicit-function-declaration" + COMPATIBLE_MACHINE:fvp-base = "fvp-base" TS_PLATFORM:fvp-base = "arm/fvp/fvp_base_revc-2xaemv8a" diff --git a/meta-arm/meta-arm-bsp/wic/corstone1000-flash-firmware.wks.in b/meta-arm/meta-arm-bsp/wic/corstone1000-flash-firmware.wks.in index 6919afd0c4..6ab4f04857 100644 --- a/meta-arm/meta-arm-bsp/wic/corstone1000-flash-firmware.wks.in +++ b/meta-arm/meta-arm-bsp/wic/corstone1000-flash-firmware.wks.in 
@@ -15,9 +15,11 @@ part --source empty --size 4k --align 4 --offset 24k --part-name="Bkup-FWU-Metad part --source empty --size 4k --align 4 --offset 28k --part-name="private_metadata_replica_2" --uuid 3CC3B456-DEC8-4CE3-BC5C-965483CE4828 --part-type ECB55DC3-8AB7-4A84-AB56-EB0A9974DB42 part --source empty --size 4k --align 4 --offset 32k --part-name="private_metadata_replica_2" --uuid DCE9C503-8DFD-4DCB-8889-647E49641552 --part-type ECB55DC3-8AB7-4A84-AB56-EB0A9974DB42 -part --source rawcopy --size 100k --sourceparams="file=bl2_signed.bin" --offset 36k --align 4 --part-name="bl2_primary" --uuid 9A3A8FBF-55EF-439C-80C9-A3F728033929 --part-type 64BD8ADB-02C0-4819-8688-03AB4CAB0ED9 +# The size has to be aligned to TF-M's SE_BL2_PARTITION_SIZE (tfm/platform/ext/target/arm/corstone1000/partition/flash_layout.h) +part --source rawcopy --size 144k --sourceparams="file=bl2_signed.bin" --offset 36k --align 4 --part-name="bl2_primary" --uuid 9A3A8FBF-55EF-439C-80C9-A3F728033929 --part-type 64BD8ADB-02C0-4819-8688-03AB4CAB0ED9 -part --source rawcopy --size 368k --sourceparams="file=tfm_s_signed.bin" --align 4 --part-name="tfm_primary" --uuid 07F9616C-1233-439C-ACBA-72D75421BF70 --part-type D763C27F-07F6-4FF0-B2F3-060CB465CD4E +# The size has to be aligned to TF-M's TFM_PARTITION_SIZE (tfm/platform/ext/target/arm/corstone1000/partition/flash_layout.h) +part --source rawcopy --size 320k --sourceparams="file=tfm_s_signed.bin" --align 4 --part-name="tfm_primary" --uuid 07F9616C-1233-439C-ACBA-72D75421BF70 --part-type D763C27F-07F6-4FF0-B2F3-060CB465CD4E # Rawcopy of the FIP binary part --source rawcopy --size 2 --sourceparams="file=signed_fip-corstone1000.bin" --align 4 --part-name="FIP_A" --uuid B9C7AC9D-40FF-4675-956B-EEF4DE9DF1C5 --part-type B5EB19BD-CF56-45E8-ABA7-7ADB228FFEA7 
@@ -26,8 +28,9 @@ part --source rawcopy --size 2 --sourceparams="file=signed_fip-corstone1000.bin" part --source rawcopy --size 12 --sourceparams="file=Image.gz-initramfs-${MACHINE}.bin" --align 4 --part-name="kernel_primary" --uuid BF7A6142-0662-47FD-9434-6A8811980816 --part-type 8197561D-6124-46FC-921E-141CC5745B05 -part --source empty --size 100k --offset 16488k --align 4 --part-name="bl2_secondary" --uuid 3F0C49A4-48B7-4D1E-AF59-3E4A3CE1BA9F --part-type 64BD8ADB-02C0-4819-8688-03AB4CAB0ED9 -part --source empty --size 368k --align 4 --part-name="tfm_secondary" --uuid 009A6A12-64A6-4F0F-9882-57CD79A34A3D --part-type D763C27F-07F6-4FF0-B2F3-060CB465CD4E +# The offset has to be aligned to TF-M's SE_BL2_BANK_1_OFFSET define (tfm/platform/ext/target/arm/corstone1000/partition/flash_layout.h) +part --source empty --size 144k --offset 16392k --align 4 --part-name="bl2_secondary" --uuid 3F0C49A4-48B7-4D1E-AF59-3E4A3CE1BA9F --part-type 64BD8ADB-02C0-4819-8688-03AB4CAB0ED9 +part --source empty --size 320k --align 4 --part-name="tfm_secondary" --uuid 009A6A12-64A6-4F0F-9882-57CD79A34A3D --part-type D763C27F-07F6-4FF0-B2F3-060CB465CD4E part --source empty --size 2 --align 4 --part-name="FIP_B" --uuid 9424E370-7BC9-43BB-8C23-71EE645E1273 --part-type B5EB19BD-CF56-45E8-ABA7-7ADB228FFEA7 part --source empty --size 12 --align 4 --part-name="kernel_secondary" --uuid A2698A91-F9B1-4629-9188-94E4520808F8 --part-type 8197561D-6124-46FC-921E-141CC5745B05 diff --git a/meta-arm/meta-arm-systemready/README.md b/meta-arm/meta-arm-systemready/README.md index 49cfed6e33..73cd188dd6 100644 --- a/meta-arm/meta-arm-systemready/README.md +++ b/meta-arm/meta-arm-systemready/README.md 
@@ -83,18 +83,18 @@ Currently, this layer only supports To build the firmware for Arm SystemReady on the supported machines (take the `fvp-base` machine as an example): - kas build kas/fvp-base.yml:kas/arm-systemready-firmware.yml + ARM_FVP_EULA_ACCEPT=1 kas build kas/fvp-base.yml:kas/arm-systemready-firmware.yml To run the Arm SystemReady ACS tests on the supported machines (take running Arm SystemReady IR on the `fvp-base` machine as an example): - kas build kas/fvp-base.yml:kas/arm-systemready-ir-acs.yml + ARM_FVP_EULA_ACCEPT=1 kas build kas/fvp-base.yml:kas/arm-systemready-ir-acs.yml To run the Linux distributions installation on the supported machines (take installing openSUSE on the `fvp-base` machine as an example): - kas build kas/fvp-base.yml:kas/arm-systemready-linux-distros-opensuse.yml + ARM_FVP_EULA_ACCEPT=1 kas build kas/fvp-base.yml:kas/arm-systemready-linux-distros-opensuse.yml kas shell \ kas/fvp-base.yml:kas/arm-systemready-linux-distros-opensuse.yml \ diff --git a/meta-arm/meta-arm-systemready/classes/arm-systemready-acs.bbclass b/meta-arm/meta-arm-systemready/classes/arm-systemready-acs.bbclass index 9dc3635dcd..d817b69321 100644 --- a/meta-arm/meta-arm-systemready/classes/arm-systemready-acs.bbclass +++ b/meta-arm/meta-arm-systemready/classes/arm-systemready-acs.bbclass @@ -29,7 +29,7 @@ IMAGE_POSTPROCESS_COMMAND += "write_image_test_data; " python do_deploy() { deploydir = d.getVar('DEPLOYDIR') suffix = d.getVar('IMAGE_DEPLOY_SUFFIX') - imgfile = os.path.join(d.getVar('WORKDIR'), d.getVar('IMAGE_FILENAME')) + imgfile = os.path.join(d.getVar('UNPACKDIR'), d.getVar('IMAGE_FILENAME')) deployfile = os.path.join(deploydir, d.getVar('IMAGE_NAME') + suffix) linkfile = os.path.join(deploydir, d.getVar('IMAGE_LINK_NAME') + suffix) 
@@ -47,14 +47,14 @@ python do_deploy() { # Copy the report.txt to DEPLOYDIR # The machine-specific implementation can optionally put the report file in - # ${WORKDIR}/report.txt. If there is no such file present, use the template. - workdir = d.getVar('WORKDIR') - report_file = os.path.join(workdir, "report.txt") + # ${UNPACKDIR}/report.txt. If there is no such file present, use the template. + unpackdir = d.getVar('UNPACKDIR') + report_file = os.path.join(unpackdir, "report.txt") report_file_dest = os.path.join(deploydir, "report.txt") if os.path.exists(report_file): report_file_to_copy = report_file else: - report_file_to_copy = os.path.join(workdir, "systemready-ir-template", + report_file_to_copy = os.path.join(unpackdir, "systemready-ir-template", "report.txt") shutil.copyfile(report_file_to_copy, report_file_dest) diff --git a/meta-arm/meta-arm-systemready/classes/extra_imagedepends_only.bbclass b/meta-arm/meta-arm-systemready/classes/extra_imagedepends_only.bbclass index bf06a9f490..224b724e72 100644 --- a/meta-arm/meta-arm-systemready/classes/extra_imagedepends_only.bbclass +++ b/meta-arm/meta-arm-systemready/classes/extra_imagedepends_only.bbclass @@ -23,3 +23,5 @@ do_rootfs[noexec] = "1" do_image[noexec] = "1" do_image_complete[noexec] = "1" do_build[depends] = "" + +IMAGE_CLASSES:remove = "create-spdx-image-3.0" diff --git a/meta-arm/meta-arm-systemready/conf/layer.conf b/meta-arm/meta-arm-systemready/conf/layer.conf index 79ef3a1441..58f84fd9c8 100644 --- a/meta-arm/meta-arm-systemready/conf/layer.conf +++ b/meta-arm/meta-arm-systemready/conf/layer.conf @@ -8,7 +8,7 @@ BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \ BBFILE_COLLECTIONS += "meta-arm-systemready" BBFILE_PATTERN_meta-arm-systemready = "^${LAYERDIR}/" -LAYERSERIES_COMPAT_meta-arm-systemready = "nanbield scarthgap" +LAYERSERIES_COMPAT_meta-arm-systemready = "styhead" LAYERDEPENDS_meta-arm-systemready = "core" 
diff --git a/meta-arm/meta-arm-systemready/lib/oeqa/runtime/cases/arm_systemready_fedora_unattended.py b/meta-arm/meta-arm-systemready/lib/oeqa/runtime/cases/arm_systemready_fedora_unattended.py new file mode 100644 index 0000000000..f607fb1271 --- /dev/null +++ b/meta-arm/meta-arm-systemready/lib/oeqa/runtime/cases/arm_systemready_fedora_unattended.py @@ -0,0 +1,39 @@ +from oeqa.runtime.case import OERuntimeTestCase + + +class SystemReadyFedoraUnattendedTest(OERuntimeTestCase): + def setUp(self): + super().setUp() + self.console = self.target.DEFAULT_CONSOLE + + def test_fedora_unattended(self): + # Turn on the FVP. + self.target.transition('on') + + # Timeout value = elapsed time * 2; where elapsed time was collected + # from the elapsed time in the log.do_testimage for each function after + # the build is finished on the development machine. + self.target.expect(self.console, + ' Booting `Install Fedora 39\'', + timeout=(2 * 60)) + bb.plain('Installation status: Loading the installer, kernel and initrd...') + + self.target.expect(self.console, + 'Setting up the installation environment', + timeout=(2 * 60 * 60)) + bb.plain('Installation status: Setting up the installation environment...') + + self.target.expect(self.console, + 'Installing the software', + timeout=(30 * 60)) + bb.plain('Installation status: Installing the software packages...') + + # Waiting to respond to the boot loader prompt error message. + self.target.expect(self.console, + 'Please respond \'yes\' or \'no\': ', + timeout=(16 * 60 * 60)) + self.target.sendline(self.console, 'yes') + + # Waiting till the installation is finished. + self.target.expect(self.console, r'.*login: ', timeout=(5 * 60 * 60)) + bb.plain('Installation status: Fedora installation finished successfully.') 
diff --git a/meta-arm/meta-arm-systemready/lib/oeqa/runtime/cases/arm_systemready_opensuse_unattended.py b/meta-arm/meta-arm-systemready/lib/oeqa/runtime/cases/arm_systemready_opensuse_unattended.py new file mode 100644 index 0000000000..aea8df3e10 --- /dev/null +++ b/meta-arm/meta-arm-systemready/lib/oeqa/runtime/cases/arm_systemready_opensuse_unattended.py @@ -0,0 +1,42 @@ +from oeqa.runtime.case import OERuntimeTestCase + +class SystemReadyOpenSUSEUnattendedTest(OERuntimeTestCase): + def setUp(self): + super().setUp() + self.console = self.target.DEFAULT_CONSOLE + + def test_opensuse_unattended(self): + # Turn on the FVP. + self.target.transition('on') + + # Timeout value = elapsed time * 2; where elapsed time was collected + # from the elapsed time in the log.do_testimage for each function after + # the build is finished on the development machine. + self.target.expect(self.console, + 'Booting `Installation\'', + timeout=(2 * 60)) + bb.plain('Installation status: Loading the kernel, initrd and basic drivers...') + + self.target.expect(self.console, + 'Starting hardware detection...', + timeout=(40 * 60)) + bb.plain('Installation status: Starting hardware detection...') + + self.target.expect(self.console, + 'Loading Installation System', + timeout=(60 * 60)) + bb.plain('Installation status: Loading Installation System...') + + self.target.expect(self.console, + 'Starting Installer', + timeout=(40 * 60)) + bb.plain('Installation status: Performing Installation...') + + self.target.expect(self.console, + 'Finishing Configuration', + timeout=(15 * 60 * 60)) + bb.plain('Installation status: Finishing Configuration...') + + # Waiting till the installation is finished. + self.target.expect(self.console, r'.*login: ', timeout=(6 * 60 * 60)) + bb.plain('Installation status: openSUSE installation finished successfully.') 
diff --git a/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-acs/arm-systemready-ir-acs.bb b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-acs/arm-systemready-ir-acs.bb index 41ac2f7759..83257b3017 100644 --- a/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-acs/arm-systemready-ir-acs.bb +++ b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-acs/arm-systemready-ir-acs.bb @@ -39,7 +39,7 @@ file://${COMMON_LICENSE_DIR}/Unicode-DFS-2016;md5=907371994d651afe53e98adc278246 file://${COMMON_LICENSE_DIR}/Unicode-TOU;md5=666362dc5dba74f477af0f44fb85bd22 \ file://${COMMON_LICENSE_DIR}/Zlib;md5=87f239f408daca8a157858e192597633 \ " -IMAGE_CLASSES:remove = "license_image" +IMAGE_CLASSES:remove = "license_image create-spdx-image-3.0" COMPATIBLE_MACHINE = "(fvp-.+|.+-fvp)" @@ -58,4 +58,6 @@ SRC_URI[acs-img.sha256sum] = "ea52f84dab44bde97de3e2d2224d883acaae35724dd8e2bdfb # Revision pointing to v2023.04 tag SRCREV_sr-ir-template = "c714db178ddf72e5ae5017f15421095297d5bf0e" +S = "${WORKDIR}/sources-unpack" + inherit arm-systemready-acs diff --git a/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-fedora.bb b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-fedora.bb index 25990b3038..de4ea36dd0 100644 --- a/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-fedora.bb +++ b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-fedora.bb 
@@ -98,6 +98,22 @@ file://${COMMON_LICENSE_DIR}/OPUBL-1.0;md5=99367d4750dbf0ae6cc74209ddd52f6d \ ARM_SYSTEMREADY_LINUX_DISTRO_INSTALL_SIZE = "6144" +TEST_SUITES = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "arm_systemready_fedora_unattended", "", d)}" + +ISO_LABEL = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "Fedora-S-dvd-aarch64-39", "", d)}" +BOOT_CATALOG = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "boot.catalog", "", d)}" +BOOT_IMAGE = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "EFI/BOOT/BOOTAA64.EFI", "", d)}" +EFI_IMAGE = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "images/efiboot.img", "", d)}" + PV = "39.1.5" SRC_URI = "https://download.fedoraproject.org/pub/fedora/linux/releases/39/Server/aarch64/iso/Fedora-Server-dvd-aarch64-39-1.5.iso;unpack=0;downloadfilename=${ISO_IMAGE_NAME}.iso" SRC_URI[sha256sum] = "d19dc2a39758155fa53e6fd555d0d173ccc8175b55dea48002d499f39cb30ce0" + +modifyiso() { + UNATTENDED_CONF_DIR="${THISDIR}/unattended-boot-conf/Fedora" + + cp "${UNATTENDED_CONF_DIR}/ks.cfg" ${EXTRACTED_ISO_TEMP_DIR} + sed -i 's/set default="1"/set default="0"/g' "${EXTRACTED_ISO_TEMP_DIR}/EFI/BOOT/grub.cfg" + sed -i 's/set timeout=60/set timeout=0/g' "${EXTRACTED_ISO_TEMP_DIR}/EFI/BOOT/grub.cfg" + sed -i '0,/vmlinuz/s/vmlinuz/& inst.ks=hd:LABEL=Fedora-S-dvd-aarch64-39:\/ks.cfg/' "${EXTRACTED_ISO_TEMP_DIR}/EFI/BOOT/grub.cfg" +} diff --git a/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-opensuse.bb b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-opensuse.bb index 06135d1537..33f20587b4 100644 --- a/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-opensuse.bb +++ b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-opensuse.bb 
@@ -72,3 +72,18 @@ ISO_TYPE = "DVD" BUILD_NO = "491.1" SRC_URI = "https://download.opensuse.org/distribution/leap/${PV}/iso/openSUSE-Leap-${PV}-${ISO_TYPE}-aarch64-Build${BUILD_NO}-Media.iso;unpack=0;downloadfilename=${ISO_IMAGE_NAME}.iso" SRC_URI[sha256sum] = "456cc4f99b044429d8a89bd302c06e9e382d6ac4dc590139a7096ebb54f5357b" + +TEST_SUITES = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "arm_systemready_opensuse_unattended", "", d)}" + +ISO_LABEL = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "OEMDRV", "", d)}" +BOOT_CATALOG = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "boot.catalog", "", d)}" +BOOT_IMAGE = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "EFI/BOOT/bootaa64.efi", "", d)}" +EFI_IMAGE = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "boot/aarch64/efi", "", d)}" + +modifyiso() { + UNATTENDED_CONF_DIR="${THISDIR}/unattended-boot-conf/openSUSE" + + #create installation configuration files, remove grub timeout, setup network + cp "${UNATTENDED_CONF_DIR}/autoinst.xml" ${EXTRACTED_ISO_TEMP_DIR} + sed -i 's/timeout=60/timeout=0/g' "${EXTRACTED_ISO_TEMP_DIR}/EFI/BOOT/grub.cfg" +}
\ No newline at end of file diff --git a/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-unattended.inc b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-unattended.inc new file mode 100644 index 0000000000..75951b0e84 --- /dev/null +++ b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros-unattended.inc 
@@ -0,0 +1,45 @@ +SUMMARY = "Arm SystemReady Linux distros unattended requirements" +DESCRIPTION = "Arm SystemReady Linux distro unattended configurations \ + and ISO image modification" + +EXTRACTED_ISO_TEMP_DIR = "${WORKDIR}/extracted_iso_temp_dir" +NEW_ISO_TEMP_DIR = "${WORKDIR}/new_iso_temp_dir" + +# oeqa test case must be added to TEST_SUITES to acknowledge that the unattended +# installation was successful. +inherit testimage + +python () { + unattended_required_vars = ['ISO_LABEL', 'BOOT_CATALOG', 'BOOT_IMAGE', 'EFI_IMAGE'] + + for var in unattended_required_vars: + if not d.getVar(var): + raise bb.parse.SkipRecipe(f'{var} variable is not set') +} + +unpackiso() { + # Unpack the ISO image + bsdtar -xf ${UNPACKDIR}/${ISO_IMAGE_NAME}.iso -C ${EXTRACTED_ISO_TEMP_DIR} + chmod -R u+rw ${EXTRACTED_ISO_TEMP_DIR} +} + +modifyiso() { + +} + +repackiso() { + # Repack the ISO image + mkisofs -o ${NEW_ISO_TEMP_DIR}/${ISO_IMAGE_NAME}.iso -U -r -v -T -J -joliet-long -V ${ISO_LABEL} \ + -volset ${ISO_LABEL} -A ${ISO_LABEL} -b ${BOOT_IMAGE} -c ${BOOT_CATALOG} -no-emul-boot \ + -boot-load-size 4 -boot-info-table -J -R -V ${ISO_LABEL} -eltorito-alt-boot \ + -eltorito-boot ${EFI_IMAGE} -no-emul-boot ${EXTRACTED_ISO_TEMP_DIR} + + mv -f ${NEW_ISO_TEMP_DIR}/${ISO_IMAGE_NAME}.iso ${UNPACKDIR} +} + +# Write the test data in IMAGE_POSTPROCESS_COMMAND +IMAGE_POSTPROCESS_COMMAND += "write_image_test_data; " + +do_unpack[depends] += "cdrtools-native:do_populate_sysroot libarchive-native:do_populate_sysroot" +do_unpack[postfuncs] += "unpackiso modifyiso repackiso" +do_unpack[cleandirs] += "${EXTRACTED_ISO_TEMP_DIR} ${NEW_ISO_TEMP_DIR}"
\ No newline at end of file diff --git a/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros.inc b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros.inc index d80cf2373e..5e8a18e2f1 100644 --- a/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros.inc +++ b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/arm-systemready-linux-distros.inc @@ -2,7 +2,12 @@ SUMMARY = "Arm SystemReady Linux distros installation" DESCRIPTION = "Arm SystemReady Linux distro CD/DVD images and installation \ target disk image" -IMAGE_CLASSES:remove = "license_image testimage" +DISTRO_UNATTENDED_INST_TESTS ?= "0" + +require ${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "arm-systemready-linux-distros-unattended.inc", "", d)} + +IMAGE_CLASSES:remove = "license_image create-spdx-image-3.0" +IMAGE_CLASSES:remove = "${@oe.utils.vartrue("DISTRO_UNATTENDED_INST_TESTS", "", "testimage", d)}" BUILDHISTORY_FEATURES:remove = "image" INHIBIT_DEFAULT_DEPS = "1" @@ -15,13 +20,15 @@ do_configure[noexec] = "1" do_compile[noexec] = "1" ISO_IMAGE_NAME = "${PN}-${PV}" -IMAGE_LINK_NAME = "${PN}-${PV}-${MACHINE}" +IMAGE_LINK_NAME = "${PN}-${MACHINE}" ARM_SYSTEMREADY_LINUX_DISTRO_ISO_IMAGE = \ "${DEPLOY_DIR_IMAGE}/${ISO_IMAGE_NAME}.iso" # Size of installation disk in MB ARM_SYSTEMREADY_LINUX_DISTRO_INSTALL_SIZE ?= "4096" +S = "${WORKDIR}/sources-unpack" + do_image() { dd if=/dev/zero of=${WORKDIR}/${IMAGE_LINK_NAME}.wic \ bs=1M count=${ARM_SYSTEMREADY_LINUX_DISTRO_INSTALL_SIZE} status=none @@ -29,7 +36,7 @@ do_image() { do_deploy() { # Deploy the iso and installation target disk image to the deploy folder - install -m 644 ${WORKDIR}/${ISO_IMAGE_NAME}.iso ${DEPLOYDIR} + install -m 644 ${UNPACKDIR}/${ISO_IMAGE_NAME}.iso ${DEPLOYDIR} install -m 644 ${WORKDIR}/${IMAGE_LINK_NAME}.wic ${DEPLOYDIR} } 
@@ -44,7 +51,13 @@ python do_image_complete() { from oe.utils import execute_pre_post_process post_process_cmds = d.getVar("IMAGE_POSTPROCESS_COMMAND") execute_pre_post_process(d, post_process_cmds) + + if d.getVar('DISTRO_UNATTENDED_INST_TESTS') == "1": + # Ensure an empty rootfs manifest exists (required by testimage) + fname = os.path.join(d.getVar('IMGDEPLOYDIR'), d.getVar('IMAGE_LINK_NAME') + ".manifest") + open(fname, 'w').close() } + do_image_complete[nostamp] = "1" addtask image_complete after do_deploy before do_build diff --git a/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/unattended-boot-conf/Fedora/ks.cfg b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/unattended-boot-conf/Fedora/ks.cfg new file mode 100644 index 0000000000..f8ea3bc678 --- /dev/null +++ b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/unattended-boot-conf/Fedora/ks.cfg @@ -0,0 +1,39 @@ +# Generated by Anaconda 39.32.6 +# Generated by pykickstart v3.48 +#version=DEVEL +# Use text mode install +text + +# Keyboard layouts +keyboard --vckeymap=us --xlayouts='us' +# System language +lang en_GB.UTF-8 + +# Use CDROM installation media +cdrom + +%packages --excludedocs --ignoremissing +@core --nodefaults + +%end + +# Run the Setup Agent on first boot +firstboot --enable +# Do not configure the X Window System +skipx + +# System bootloader configuration +bootloader --location=mbr --boot-drive=vda +autopart +# Partition clearing information +clearpart --all --initlabel --drives=vda + +# System timezone +timezone Europe/London --utc + +# Root password +rootpw --lock +user --groups=wheel --name=user --password=unsafe --gecos="usr1" + +# Reboot after installation with an attempt to eject the installation media +reboot --eject 
diff --git a/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/unattended-boot-conf/openSUSE/autoinst.xml b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/unattended-boot-conf/openSUSE/autoinst.xml new file mode 100755 index 0000000000..8da6e1cbad --- /dev/null +++ b/meta-arm/meta-arm-systemready/recipes-test/arm-systemready-linux-distros/unattended-boot-conf/openSUSE/autoinst.xml 
@@ -0,0 +1,935 @@ +<?xml version="1.0"?> +<!DOCTYPE profile> +<profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns"> + <bootloader t="map"> + <global t="map"> + <append>splash=silent preempt=full mitigations=auto quiet security=apparmor</append> + <cpu_mitigations>auto</cpu_mitigations> + <gfxmode>auto</gfxmode> + <hiddenmenu>false</hiddenmenu> + <os_prober>true</os_prober> + <secure_boot>true</secure_boot> + <terminal>gfxterm</terminal> + <timeout t="integer">8</timeout> + <update_nvram>true</update_nvram> + </global> + <loader_type>grub2-efi</loader_type> + </bootloader> + <firewall t="map"> + <default_zone>public</default_zone> + <enable_firewall t="boolean">true</enable_firewall> + <log_denied_packets>off</log_denied_packets> + <start_firewall t="boolean">true</start_firewall> + <zones t="list"> + <zone t="map"> + <description>Unsolicited incoming network packets are rejected. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description> + <interfaces t="list"/> + <masquerade t="boolean">false</masquerade> + <name>block</name> + <ports t="list"/> + <protocols t="list"/> + <services t="list"/> + <short>Block</short> + <target>%%REJECT%%</target> + </zone> + <zone t="map"> + <description>For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. 
Only selected incoming connections are accepted.</description> + <interfaces t="list"/> + <masquerade t="boolean">false</masquerade> + <name>dmz</name> + <ports t="list"/> + <protocols t="list"/> + <services t="list"> + <service>ssh</service> + </services> + <short>DMZ</short> + <target>default</target> + </zone> + <zone t="map"> + <description>All network connections are accepted.</description> + <interfaces t="list"> + <interface>docker0</interface> + </interfaces> + <masquerade t="boolean">false</masquerade> + <name>docker</name> + <ports t="list"/> + <protocols t="list"/> + <services t="list"/> + <short>docker</short> + <target>ACCEPT</target> + </zone> + <zone t="map"> + <description>Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description> + <interfaces t="list"/> + <masquerade t="boolean">false</masquerade> + <name>drop</name> + <ports t="list"/> + <protocols t="list"/> + <services t="list"/> + <short>Drop</short> + <target>DROP</target> + </zone> + <zone t="map"> + <description>For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description> + <interfaces t="list"/> + <masquerade t="boolean">true</masquerade> + <name>external</name> + <ports t="list"/> + <protocols t="list"/> + <services t="list"> + <service>ssh</service> + </services> + <short>External</short> + <target>default</target> + </zone> + <zone t="map"> + <description>For use in home areas. You mostly trust the other computers on networks to not harm your computer. 
Only selected incoming connections are accepted.</description> + <interfaces t="list"/> + <masquerade t="boolean">false</masquerade> + <name>home</name> + <ports t="list"/> + <protocols t="list"/> + <services t="list"> + <service>dhcpv6-client</service> + <service>mdns</service> + <service>samba-client</service> + <service>ssh</service> + </services> + <short>Home</short> + <target>default</target> + </zone> + <zone t="map"> + <description>For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.</description> + <interfaces t="list"/> + <masquerade t="boolean">false</masquerade> + <name>internal</name> + <ports t="list"/> + <protocols t="list"/> + <services t="list"> + <service>dhcpv6-client</service> + <service>mdns</service> + <service>samba-client</service> + <service>ssh</service> + </services> + <short>Internal</short> + <target>default</target> + </zone> + <zone t="map"> + <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description> + <interfaces t="list"> + <interface>eth0</interface> + </interfaces> + <masquerade t="boolean">false</masquerade> + <name>public</name> + <ports t="list"/> + <protocols t="list"/> + <services t="list"> + <service>dhcpv6-client</service> + <service>ssh</service> + </services> + <short>Public</short> + <target>default</target> + </zone> + <zone t="map"> + <description>All network connections are accepted.</description> + <interfaces t="list"/> + <masquerade t="boolean">false</masquerade> + <name>trusted</name> + <ports t="list"/> + <protocols t="list"/> + <services t="list"/> + <short>Trusted</short> + <target>ACCEPT</target> + </zone> + <zone t="map"> + <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. 
Only selected incoming connections are accepted.</description> + <interfaces t="list"/> + <masquerade t="boolean">false</masquerade> + <name>work</name> + <ports t="list"/> + <protocols t="list"/> + <services t="list"> + <service>dhcpv6-client</service> + <service>ssh</service> + </services> + <short>Work</short> + <target>default</target> + </zone> + </zones> + </firewall> + <general t="map"> + <mode t="map"> + <confirm t="boolean">false</confirm> + </mode> + </general> + <groups t="list"> + <group t="map"> + <gid>100</gid> + <groupname>users</groupname> + <userlist/> + </group> + <group t="map"> + <gid>499</gid> + <groupname>messagebus</groupname> + <userlist/> + </group> + <group t="map"> + <gid>1</gid> + <groupname>bin</groupname> + <userlist>daemon</userlist> + </group> + <group t="map"> + <gid>488</gid> + <groupname>input</groupname> + <userlist/> + </group> + <group t="map"> + <gid>495</gid> + <groupname>kmem</groupname> + <userlist/> + </group> + <group t="map"> + <gid>493</gid> + <groupname>utmp</groupname> + <userlist/> + </group> + <group t="map"> + <gid>62</gid> + <groupname>man</groupname> + <userlist/> + </group> + <group t="map"> + <gid>477</gid> + <groupname>polkitd</groupname> + <userlist/> + </group> + <group t="map"> + <gid>479</gid> + <groupname>systemd-timesync</groupname> + <userlist/> + </group> + <group t="map"> + <gid>2</gid> + <groupname>daemon</groupname> + <userlist/> + </group> + <group t="map"> + <gid>480</gid> + <groupname>systemd-network</groupname> + <userlist/> + </group> + <group t="map"> + <gid>71</gid> + <groupname>ntadmin</groupname> + <userlist/> + </group> + <group t="map"> + <gid>490</gid> + <groupname>dialout</groupname> + <userlist/> + </group> + <group t="map"> + <gid>59</gid> + <groupname>maildrop</groupname> + <userlist>postfix</userlist> + </group> + <group t="map"> + <gid>478</gid> + <groupname>nscd</groupname> + <userlist/> + </group> + <group t="map"> + <gid>51</gid> + <groupname>postfix</groupname> + <userlist/> + 
</group> + <group t="map"> + <gid>485</gid> + <groupname>tape</groupname> + <userlist/> + </group> + <group t="map"> + <gid>487</gid> + <groupname>render</groupname> + <userlist/> + </group> + <group t="map"> + <gid>476</gid> + <groupname>sshd</groupname> + <userlist/> + </group> + <group t="map"> + <gid>491</gid> + <groupname>cdrom</groupname> + <userlist/> + </group> + <group t="map"> + <gid>486</gid> + <groupname>sgx</groupname> + <userlist/> + </group> + <group t="map"> + <gid>0</gid> + <groupname>root</groupname> + <userlist/> + </group> + <group t="map"> + <gid>489</gid> + <groupname>disk</groupname> + <userlist/> + </group> + <group t="map"> + <gid>15</gid> + <groupname>shadow</groupname> + <userlist/> + </group> + <group t="map"> + <gid>484</gid> + <groupname>video</groupname> + <userlist/> + </group> + <group t="map"> + <gid>496</gid> + <groupname>wheel</groupname> + <userlist/> + </group> + <group t="map"> + <gid>483</gid> + <groupname>audit</groupname> + <userlist/> + </group> + <group t="map"> + <gid>498</gid> + <groupname>mail</groupname> + <userlist>postfix</userlist> + </group> + <group t="map"> + <gid>5</gid> + <groupname>tty</groupname> + <userlist/> + </group> + <group t="map"> + <gid>65533</gid> + <groupname>nogroup</groupname> + <userlist/> + </group> + <group t="map"> + <gid>65534</gid> + <groupname>nobody</groupname> + <userlist/> + </group> + <group t="map"> + <gid>497</gid> + <groupname>lp</groupname> + <userlist/> + </group> + <group t="map"> + <gid>482</gid> + <groupname>chrony</groupname> + <userlist/> + </group> + <group t="map"> + <gid>492</gid> + <groupname>audio</groupname> + <userlist/> + </group> + <group t="map"> + <gid>494</gid> + <groupname>lock</groupname> + <userlist/> + </group> + <group t="map"> + <gid>36</gid> + <groupname>kvm</groupname> + <userlist/> + </group> + <group t="map"> + <gid>42</gid> + <groupname>trusted</groupname> + <userlist/> + </group> + <group t="map"> + <gid>481</gid> + 
<groupname>systemd-journal</groupname> + <userlist/> + </group> + </groups> + <host t="map"> + <hosts t="list"> + <hosts_entry t="map"> + <host_address>127.0.0.1</host_address> + <names t="list"> + <name>localhost</name> + </names> + </hosts_entry> + <hosts_entry t="map"> + <host_address>::1</host_address> + <names t="list"> + <name>localhost ipv6-localhost ipv6-loopback</name> + </names> + </hosts_entry> + <hosts_entry t="map"> + <host_address>fe00::0</host_address> + <names t="list"> + <name>ipv6-localnet</name> + </names> + </hosts_entry> + <hosts_entry t="map"> + <host_address>ff00::0</host_address> + <names t="list"> + <name>ipv6-mcastprefix</name> + </names> + </hosts_entry> + <hosts_entry t="map"> + <host_address>ff02::1</host_address> + <names t="list"> + <name>ipv6-allnodes</name> + </names> + </hosts_entry> + <hosts_entry t="map"> + <host_address>ff02::2</host_address> + <names t="list"> + <name>ipv6-allrouters</name> + </names> + </hosts_entry> + <hosts_entry t="map"> + <host_address>ff02::3</host_address> + <names t="list"> + <name>ipv6-allhosts</name> + </names> + </hosts_entry> + </hosts> + </host> + <language t="map"> + <language>en_GB</language> + <languages>en_GB</languages> + </language> + <networking t="map"> + <dhcp_options t="map"> + <dhclient_client_id/> + <dhclient_hostname_option>AUTO</dhclient_hostname_option> + </dhcp_options> + <dns t="map"> + <dhcp_hostname t="boolean">true</dhcp_hostname> + <hostname>localhost</hostname> + <resolv_conf_policy>auto</resolv_conf_policy> + </dns> + <interfaces t="list"> + <interface t="map"> + <bootproto>dhcp</bootproto> + <name>eth0</name> + <startmode>auto</startmode> + <zone>public</zone> + </interface> + </interfaces> + <ipv6 t="boolean">true</ipv6> + <keep_install_network t="boolean">true</keep_install_network> + <managed t="boolean">false</managed> + <routing t="map"> + <ipv4_forward t="boolean">false</ipv4_forward> + <ipv6_forward t="boolean">false</ipv6_forward> + </routing> + </networking> + 
<ntp-client t="map"> + <ntp_policy>auto</ntp_policy> + <ntp_servers t="list"/> + <ntp_sync>systemd</ntp_sync> + </ntp-client> + <partitioning t="list"> + <drive t="map"> + <device>/dev/vda</device> + <disklabel>gpt</disklabel> + <enable_snapshots t="boolean">false</enable_snapshots> + <partitions t="list"> + <partition t="map"> + <create t="boolean">true</create> + <filesystem t="symbol">vfat</filesystem> + <format t="boolean">true</format> + <fstopt>utf8</fstopt> + <mount>/boot/efi</mount> + <mountby t="symbol">uuid</mountby> + <partition_id t="integer">259</partition_id> + <partition_nr t="integer">1</partition_nr> + <resize t="boolean">false</resize> + <size>134217728</size> + </partition> + <partition t="map"> + <create t="boolean">true</create> + <create_subvolumes t="boolean">true</create_subvolumes> + <filesystem t="symbol">btrfs</filesystem> + <format t="boolean">true</format> + <mount>/</mount> + <mountby t="symbol">uuid</mountby> + <partition_id t="integer">131</partition_id> + <partition_nr t="integer">2</partition_nr> + <quotas t="boolean">false</quotas> + <resize t="boolean">false</resize> + <size>6307167744</size> + <subvolumes t="list"> + <subvolume t="map"> + <copy_on_write t="boolean">false</copy_on_write> + <path>var</path> + </subvolume> + <subvolume t="map"> + <copy_on_write t="boolean">true</copy_on_write> + <path>usr/local</path> + </subvolume> + <subvolume t="map"> + <copy_on_write t="boolean">true</copy_on_write> + <path>tmp</path> + </subvolume> + <subvolume t="map"> + <copy_on_write t="boolean">true</copy_on_write> + <path>srv</path> + </subvolume> + <subvolume t="map"> + <copy_on_write t="boolean">true</copy_on_write> + <path>root</path> + </subvolume> + <subvolume t="map"> + <copy_on_write t="boolean">true</copy_on_write> + <path>opt</path> + </subvolume> + <subvolume t="map"> + <copy_on_write t="boolean">true</copy_on_write> + <path>home</path> + </subvolume> + <subvolume t="map"> + <copy_on_write t="boolean">true</copy_on_write> + 
<path>boot/grub2/arm64-efi</path> + </subvolume> + </subvolumes> + <subvolumes_prefix>@</subvolumes_prefix> + </partition> + </partitions> + <type t="symbol">CT_DISK</type> + <use>all</use> + </drive> + </partitioning> + <proxy t="map"> + <enabled t="boolean">false</enabled> + </proxy> + <services-manager t="map"> + <default_target>multi-user</default_target> + <services t="map"> + <enable t="list"> + <service>YaST2-Firstboot</service> + <service>YaST2-Second-Stage</service> + <service>apparmor</service> + <service>auditd</service> + <service>klog</service> + <service>chronyd</service> + <service>cron</service> + <service>cups</service> + <service>firewalld</service> + <service>wickedd-auto4</service> + <service>wickedd-dhcp4</service> + <service>wickedd-dhcp6</service> + <service>wickedd-nanny</service> + <service>irqbalance</service> + <service>issue-generator</service> + <service>kbdsettings</service> + <service>wicked</service> + <service>nscd</service> + <service>postfix</service> + <service>purge-kernels</service> + <service>rsyslog</service> + <service>smartd</service> + <service>sshd</service> + <service>systemd-pstore</service> + <service>systemd-remount-fs</service> + </enable> + </services> + </services-manager> + <software t="map"> + <install_recommended t="boolean">true</install_recommended> + <instsource/> + <packages t="list"> + <package>wicked</package> + <package>shim</package> + <package>os-prober</package> + <package>openssh</package> + <package>openSUSE-release</package> + <package>mokutil</package> + <package>kexec-tools</package> + <package>grub2-arm64-efi</package> + <package>glibc</package> + <package>firewalld</package> + <package>e2fsprogs</package> + <package>dosfstools</package> + <package>chrony</package> + <package>btrfsprogs</package> + <package>autoyast2</package> + </packages> + <patterns t="list"> + <pattern>apparmor</pattern> + <pattern>base</pattern> + <pattern>documentation</pattern> + <pattern>enhanced_base</pattern> + 
<pattern>minimal_base</pattern> + <pattern>sw_management</pattern> + <pattern>yast2_basis</pattern> + </patterns> + <products t="list"> + <product>Leap</product> + </products> + </software> + <ssh_import t="map"> + <copy_config t="boolean">false</copy_config> + <import t="boolean">false</import> + </ssh_import> + <user_defaults t="map"> + <expire/> + <group>100</group> + <home>/home</home> + <inactive>-1</inactive> + <shell>/bin/bash</shell> + <umask>022</umask> + </user_defaults> + <users t="list"> + <user t="map"> + <authorized_keys t="list"/> + <encrypted t="boolean">true</encrypted> + <fullname>user</fullname> + <gid>100</gid> + <home>/home/user</home> + <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume> + <password_settings t="map"> + <expire/> + <flag/> + <inact/> + <max>99999</max> + <min>0</min> + <warn>7</warn> + </password_settings> + <shell>/bin/bash</shell> + <uid>1000</uid> + <user_password>$6$WV8CB/c6j0zhAi5S$4euhbt4alH7WNfaatS9IJgPiiKDJ48d5Ru1zCZCA0N9GiyOPuefN2PAUWlyYeTgqAInpyvPh1frdp4fFVjvEn0</user_password> + <username>user</username> + </user> + <user t="map"> + <encrypted t="boolean">true</encrypted> + <fullname>User for nscd</fullname> + <gid>478</gid> + <home>/run/nscd</home> + <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume> + <password_settings t="map"> + <expire/> + <flag/> + <inact/> + <max/> + <min/> + <warn/> + </password_settings> + <shell>/sbin/nologin</shell> + <uid>478</uid> + <user_password>!</user_password> + <username>nscd</username> + </user> + <user t="map"> + <encrypted t="boolean">true</encrypted> + <fullname>systemd Network Management</fullname> + <gid>480</gid> + <home>/</home> + <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume> + <password_settings t="map"> + <expire/> + <flag/> + <inact/> + <max/> + <min/> + <warn/> + </password_settings> + <shell>/usr/sbin/nologin</shell> + <uid>480</uid> + <user_password>!*</user_password> + <username>systemd-network</username> + </user> + <user 
t="map"> + <encrypted t="boolean">true</encrypted> + <fullname>Daemon</fullname> + <gid>2</gid> + <home>/sbin</home> + <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume> + <password_settings t="map"> + <expire/> + <flag/> + <inact/> + <max/> + <min/> + <warn/> + </password_settings> + <shell>/usr/sbin/nologin</shell> + <uid>2</uid> + <user_password>!</user_password> + <username>daemon</username> + </user> + <user t="map"> + <encrypted t="boolean">true</encrypted> + <fullname>systemd Time Synchronization</fullname> + <gid>479</gid> + <home>/</home> + <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume> + <password_settings t="map"> + <expire/> + <flag/> + <inact/> + <max/> + <min/> + <warn/> + </password_settings> + <shell>/usr/sbin/nologin</shell> + <uid>479</uid> + <user_password>!*</user_password> + <username>systemd-timesync</username> + </user> + <user t="map"> + <encrypted t="boolean">true</encrypted> + <fullname>user for rpcbind</fullname> + <gid>65534</gid> + <home>/var/lib/empty</home> + <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume> + <password_settings t="map"> + <expire/> + <flag/> + <inact/> + <max/> + <min/> + <warn/> + </password_settings> + <shell>/sbin/nologin</shell> + <uid>475</uid> + <user_password>!</user_password> + <username>rpc</username> + </user> + <user t="map"> + <encrypted t="boolean">true</encrypted> + <fullname>SSH daemon</fullname> + <gid>476</gid> + <home>/var/lib/sshd</home> + <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume> + <password_settings t="map"> + <expire/> + <flag/> + <inact/> + <max/> + <min/> + <warn/> + </password_settings> + <shell>/usr/sbin/nologin</shell> + <uid>476</uid> + <user_password>!</user_password> + <username>sshd</username> + </user> + <user t="map"> + <encrypted t="boolean">true</encrypted> + <fullname>Postfix Daemon</fullname> + <gid>51</gid> + <home>/var/spool/postfix</home> + <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume> + 
<password_settings t="map"> + <expire/> + <flag/> + <inact/> + <max/> + <min/> + <warn/> + </password_settings> + <shell>/usr/sbin/nologin</shell> + <uid>51</uid> + <user_password>!</user_password> + <username>postfix</username> + </user> + <user t="map"> + <encrypted t="boolean">true</encrypted> + <fullname>NFS statd daemon</fullname> + <gid>65533</gid> + <home>/var/lib/nfs</home> + <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume> + <password_settings t="map"> + <expire/> + <flag/> + <inact/> + <max/> + <min/> + <warn/> + </password_settings> + <shell>/sbin/nologin</shell> + <uid>474</uid> + <user_password>!</user_password> + <username>statd</username> + </user> + <user t="map"> + <encrypted t="boolean">true</encrypted> + <fullname>bin</fullname> + <gid>1</gid> + <home>/bin</home> + <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume> + <password_settings t="map"> + <expire/> + <flag/> + <inact/> + <max/> + <min/> + <warn/> + </password_settings> + <shell>/usr/sbin/nologin</shell> + <uid>1</uid> + <user_password>!</user_password> + <username>bin</username> + </user> + <user t="map"> + <authorized_keys t="list"/> + <encrypted t="boolean">true</encrypted> + <fullname>root</fullname> + <gid>0</gid> + <home>/root</home> + <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume> + <password_settings t="map"> + <expire/> + <flag/> + <inact/> + <max/> + <min/> + <warn/> + </password_settings> + <shell>/bin/bash</shell> + <uid>0</uid> + <user_password>$6$zAe5W7gw/kja9aKy$mM.BWtNyjalXrDNig4CUfN3bgfmehUIs8.zvBwWn1XroK104G.rY3lyup3OH8TujieUmgO4J74Df.LktV4A1K1</user_password> + <username>root</username> + </user> + <user t="map"> + <encrypted t="boolean">true</encrypted> + <fullname>User for D-Bus</fullname> + <gid>499</gid> + <home>/run/dbus</home> + <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume> + <password_settings t="map"> + <expire/> + <flag/> + <inact/> + <max/> + <min/> + <warn/> + </password_settings> + 
<shell>/usr/bin/false</shell> + <uid>499</uid> + <user_password>!</user_password> + <username>messagebus</username> + </user> + <user t="map"> + <encrypted t="boolean">true</encrypted> + <fullname>Manual pages viewer</fullname> + <gid>62</gid> + <home>/var/lib/empty</home> + <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume> + <password_settings t="map"> + <expire/> + <flag/> + <inact/> + <max/> + <min/> + <warn/> + </password_settings> + <shell>/usr/sbin/nologin</shell> + <uid>13</uid> + <user_password>!</user_password> + <username>man</username> + </user> + <user t="map"> + <encrypted t="boolean">true</encrypted> + <fullname>Printing daemon</fullname> + <gid>497</gid> + <home>/var/spool/lpd</home> + <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume> + <password_settings t="map"> + <expire/> + <flag/> + <inact/> + <max/> + <min/> + <warn/> + </password_settings> + <shell>/usr/sbin/nologin</shell> + <uid>497</uid> + <user_password>!</user_password> + <username>lp</username> + </user> + <user t="map"> + <encrypted t="boolean">true</encrypted> + <fullname>User for polkitd</fullname> + <gid>477</gid> + <home>/var/lib/polkit</home> + <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume> + <password_settings t="map"> + <expire/> + <flag/> + <inact/> + <max/> + <min/> + <warn/> + </password_settings> + <shell>/usr/sbin/nologin</shell> + <uid>477</uid> + <user_password>!</user_password> + <username>polkitd</username> + </user> + <user t="map"> + <encrypted t="boolean">true</encrypted> + <fullname>Chrony Daemon</fullname> + <gid>482</gid> + <home>/var/lib/chrony</home> + <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume> + <password_settings t="map"> + <expire/> + <flag/> + <inact/> + <max/> + <min/> + <warn/> + </password_settings> + <shell>/usr/sbin/nologin</shell> + <uid>496</uid> + <user_password>!</user_password> + <username>chrony</username> + </user> + <user t="map"> + <encrypted t="boolean">true</encrypted> + 
<fullname>nobody</fullname> + <gid>65534</gid> + <home>/var/lib/nobody</home> + <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume> + <password_settings t="map"> + <expire/> + <flag/> + <inact/> + <max/> + <min/> + <warn/> + </password_settings> + <shell>/bin/bash</shell> + <uid>65534</uid> + <user_password>!</user_password> + <username>nobody</username> + </user> + <user t="map"> + <encrypted t="boolean">true</encrypted> + <fullname>Mailer daemon</fullname> + <gid>498</gid> + <home>/var/spool/clientmqueue</home> + <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume> + <password_settings t="map"> + <expire/> + <flag/> + <inact/> + <max/> + <min/> + <warn/> + </password_settings> + <shell>/usr/sbin/nologin</shell> + <uid>498</uid> + <user_password>!</user_password> + <username>mail</username> + </user> + </users> +</profile> diff --git a/meta-arm/meta-arm-toolchain/conf/layer.conf b/meta-arm/meta-arm-toolchain/conf/layer.conf index 06494936ec..456dbe0d04 100644 --- a/meta-arm/meta-arm-toolchain/conf/layer.conf +++ b/meta-arm/meta-arm-toolchain/conf/layer.conf @@ -9,4 +9,4 @@ BBFILE_PATTERN_arm-toolchain := "^${LAYERDIR}/" BBFILE_PRIORITY_arm-toolchain = "5" LAYERDEPENDS_arm-toolchain = "core" -LAYERSERIES_COMPAT_arm-toolchain = "nanbield scarthgap" +LAYERSERIES_COMPAT_arm-toolchain = "styhead" diff --git a/meta-arm/meta-arm-toolchain/recipes-core/util-linux/util-linux_%.bbappend b/meta-arm/meta-arm-toolchain/recipes-core/util-linux/util-linux_%.bbappend new file mode 100644 index 0000000000..75227a5675 --- /dev/null +++ b/meta-arm/meta-arm-toolchain/recipes-core/util-linux/util-linux_%.bbappend @@ -0,0 +1 @@ +PACKAGECONFIG:remove = "${@bb.utils.contains('TCMODE', 'external-arm', 'libmount-mountfd-support', '' , d)}" 
diff --git a/meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/external-arm-toolchain.bb b/meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/external-arm-toolchain.bb index 49ad744270..1e8c1116e8 100644 --- a/meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/external-arm-toolchain.bb +++ b/meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/external-arm-toolchain.bb @@ -56,8 +56,16 @@ PV = "${EAT_VER_MAIN}" BINV = "${EAT_VER_GCC}" SRC_URI = "file://SUPPORTED" +S = "${WORKDIR}/sources" +UNPACKDIR = "${S}" do_install() { + # do_copy_locale expects SUPPORTED to be in WORKDIR, but recent + # changes have made it so that the source/unpack location is no + # longer WORKDIR and cannot be pointed to be such. So, do this + # copy manually here + install -m 0644 ${UNPACKDIR}/SUPPORTED ${WORKDIR}/SUPPORTED + # Add stubs for files OE-core expects install -d ${S}/nscd/ touch ${S}/nscd/nscd.init diff --git a/meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/gcc-aarch64-none-elf_13.2.Rel1.bb b/meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/gcc-aarch64-none-elf_13.3.rel1.bb index 6262e76cae..edb4ff6fcf 100644 --- a/meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/gcc-aarch64-none-elf_13.2.Rel1.bb +++ b/meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/gcc-aarch64-none-elf_13.3.rel1.bb 
@@ -12,8 +12,8 @@ LIC_FILES_CHKSUM:aarch64 = "file://share/doc/gcc/Copying.html;md5=402090210d41f0 LIC_FILES_CHKSUM:x86-64 = "file://share/doc/gcc/Copying.html;md5=2a62a4d37ddad55da732679acd9edf03" SRC_URI = "https://developer.arm.com/-/media/Files/downloads/gnu/${PV}/binrel/arm-gnu-toolchain-${PV}-${HOST_ARCH}-${BINNAME}.tar.xz;name=gcc-${HOST_ARCH}" -SRC_URI[gcc-aarch64.sha256sum] = "f3871c0d91a7375834eb43eb758f4df6d8dadf20ad9deca2eb569d5599d98e89" -SRC_URI[gcc-x86_64.sha256sum] = "7fe7b8548258f079d6ce9be9144d2a10bd2bf93b551dafbf20fe7f2e44e014b8" +SRC_URI[gcc-aarch64.sha256sum] = "fad7d567be5c095943d42f7078ea6f9a8452062dfe151152c2ec825814d254e0" +SRC_URI[gcc-x86_64.sha256sum] = "7fedf894040580b1db747d06ac5d4263c46e591ffe7695656d1da5accb00a159" S = "${WORKDIR}/arm-gnu-toolchain-${PV}-${HOST_ARCH}-${BINNAME}" diff --git a/meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/gcc-arm-none-eabi_13.2.Rel1.bb b/meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/gcc-arm-none-eabi_13.3.rel1.bb index 6569911df3..185ecfed4a 100644 --- a/meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/gcc-arm-none-eabi_13.2.Rel1.bb +++ b/meta-arm/meta-arm-toolchain/recipes-devtools/external-arm-toolchain/gcc-arm-none-eabi_13.3.rel1.bb 
@@ -12,8 +12,8 @@ LIC_FILES_CHKSUM:aarch64 = "file://share/doc/gcc/Copying.html;md5=402090210d41f0 LIC_FILES_CHKSUM:x86-64 = "file://share/doc/gcc/Copying.html;md5=2a62a4d37ddad55da732679acd9edf03" SRC_URI = "https://developer.arm.com/-/media/Files/downloads/gnu/${PV}/binrel/arm-gnu-toolchain-${PV}-${HOST_ARCH}-${BINNAME}.tar.xz;name=gcc-${HOST_ARCH}" -SRC_URI[gcc-aarch64.sha256sum] = "8fd8b4a0a8d44ab2e195ccfbeef42223dfb3ede29d80f14dcf2183c34b8d199a" -SRC_URI[gcc-x86_64.sha256sum] = "6cd1bbc1d9ae57312bcd169ae283153a9572bd6a8e4eeae2fedfbc33b115fdbb" +SRC_URI[gcc-aarch64.sha256sum] = "c8824bffd057afce2259f7618254e840715f33523a3d4e4294f471208f976764" +SRC_URI[gcc-x86_64.sha256sum] = "95c011cee430e64dd6087c75c800f04b9c49832cc1000127a92a97f9c8d83af4" S = "${WORKDIR}/arm-gnu-toolchain-${PV}-${HOST_ARCH}-${BINNAME}" diff --git a/meta-arm/meta-arm/classes/fvpboot.bbclass b/meta-arm/meta-arm/classes/fvpboot.bbclass index 3159cd43db..3d8536fc98 100644 --- a/meta-arm/meta-arm/classes/fvpboot.bbclass +++ b/meta-arm/meta-arm/classes/fvpboot.bbclass @@ -24,10 +24,8 @@ FVP_CONSOLES[default] ?= "${FVP_CONSOLE}" # Arbitrary extra arguments FVP_EXTRA_ARGS ?= "" # Bitbake variables to pass to the FVP environment -FVP_ENV_PASSTHROUGH ?= "FASTSIM_DISABLE_TA ARMLMD_LICENSE_FILE" +FVP_ENV_PASSTHROUGH ?= "ARMLMD_LICENSE_FILE" FVP_ENV_PASSTHROUGH[vardeps] = "${FVP_ENV_PASSTHROUGH}" -# Disable timing annotation by default -FASTSIM_DISABLE_TA ?= "1" EXTRA_IMAGEDEPENDS += "${FVP_PROVIDER}" diff --git a/meta-arm/meta-arm/classes/sbsign.bbclass b/meta-arm/meta-arm/classes/sbsign.bbclass new file mode 100644 index 0000000000..551b951dc2 --- /dev/null +++ b/meta-arm/meta-arm/classes/sbsign.bbclass 
@@ -0,0 +1,31 @@ +# Sign binaries for UEFI Secure Boot +# +# Usage in recipes: +# +# Set binary to sign per recipe: +# SBSIGN_TARGET_BINARY = "${B}/binary_to_sign" +# +# Then call do_sbsign() in correct stage of the build +# do_compile:append() { +# do_sbsign +# } + +DEPENDS += 'gen-sbkeys' +DEPENDS += "sbsigntool-native" + +SBSIGN_KEY = "${SBSIGN_KEYS_DIR}/db.key" +SBSIGN_CERT = "${SBSIGN_KEYS_DIR}/db.crt" +SBSIGN_TARGET_BINARY ?= "binary_to_sign" + +# Not adding as task since recipes may need to sign binaries at different +# stages. Instead they can call this function when needed by calling this function +do_sbsign() { + bbnote "Signing ${PN} binary ${SBSIGN_TARGET_BINARY} with ${SBSIGN_KEY} and ${SBSIGN_CERT}" + ${STAGING_BINDIR_NATIVE}/sbsign \ + --key "${SBSIGN_KEY}" \ + --cert "${SBSIGN_CERT}" \ + --output "${SBSIGN_TARGET_BINARY}.signed" \ + "${SBSIGN_TARGET_BINARY}" + cp "${SBSIGN_TARGET_BINARY}" "${SBSIGN_TARGET_BINARY}.unsigned" + cp "${SBSIGN_TARGET_BINARY}.signed" "${SBSIGN_TARGET_BINARY}" +} diff --git a/meta-arm/meta-arm/conf/layer.conf b/meta-arm/meta-arm/conf/layer.conf index 9e9c9dbda1..f2fb5c02b2 100644 --- a/meta-arm/meta-arm/conf/layer.conf +++ b/meta-arm/meta-arm/conf/layer.conf @@ -13,7 +13,7 @@ LAYERDEPENDS_meta-arm = " \ core \ arm-toolchain \ " -LAYERSERIES_COMPAT_meta-arm = "nanbield scarthgap" +LAYERSERIES_COMPAT_meta-arm = "styhead" # runfvp --console needs telnet, so pull this in for testimage. HOSTTOOLS_NONFATAL += "telnet" diff --git a/meta-arm/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/meta-arm/conf/machine/qemuarm64-secureboot.conf index 55c4cab457..78a39c03c1 100644 --- a/meta-arm/meta-arm/conf/machine/qemuarm64-secureboot.conf +++ b/meta-arm/meta-arm/conf/machine/qemuarm64-secureboot.conf 
@@ -7,8 +7,7 @@ KMACHINE = "qemuarm64" # secure=on can't ever use KVM, so force it off QEMU_USE_KVM = "" -QB_MACHINE = "-machine virt,secure=on" -QB_OPT_APPEND += "-no-acpi" +QB_MACHINE = "-machine virt,secure=on,acpi=off" QB_MEM = "-m 1024" QB_DEFAULT_FSTYPE = "wic.qcow2" QB_DEFAULT_BIOS = "flash.bin" diff --git a/meta-arm/meta-arm/lib/fvp/runner.py b/meta-arm/meta-arm/lib/fvp/runner.py index e7c1358553..4e414e995d 100644 --- a/meta-arm/meta-arm/lib/fvp/runner.py +++ b/meta-arm/meta-arm/lib/fvp/runner.py @@ -134,8 +134,14 @@ class FVPRunner: for console in self._pexpects: import pexpect # Ensure pexpect logs all remaining output to the logfile - console.expect(pexpect.EOF, timeout=5.0) - console.close() + try: + console.expect(pexpect.EOF, timeout=30.0) + except pexpect.TIMEOUT: + pexpect_logfile = "" + if console.logfile is not None: + pexpect_logfile = f" ({console.logfile})" + self._logger.debug(f"Unable to get EOF on pexpect spawn obj{pexpect_logfile}.") + console.close(force=True) if self._fvp_process and self._fvp_process.returncode and \ self._fvp_process.returncode > 0: diff --git a/meta-arm/meta-arm/lib/oeqa/controllers/fvp.py b/meta-arm/meta-arm/lib/oeqa/controllers/fvp.py index 80f72aab6b..dddc10ee3a 100644 --- a/meta-arm/meta-arm/lib/oeqa/controllers/fvp.py +++ b/meta-arm/meta-arm/lib/oeqa/controllers/fvp.py @@ -3,6 +3,7 @@ import enum import pathlib import pexpect import os +import time from oeqa.core.target.ssh import OESSHTarget from fvp import runner 
@@ -127,9 +128,19 @@ class OEFVPTarget(OESSHTarget): def call_pexpect(terminal, *args, **kwargs): attr = getattr(self.terminals[terminal], name) if callable(attr): - return attr(*args, **kwargs) + self.logger.debug(f"Calling {name} on {terminal} : with arguments -> {args} : {kwargs}") + start_time = time.monotonic() # Record the start time + + attr = getattr(self.terminals[terminal], name) + result = attr(*args, **kwargs) + + end_time = time.monotonic() # Record the end time + elapsed_time = end_time - start_time + self.logger.debug(f"Execution time for result: [ {result} ] - elapsed_time: {elapsed_time} seconds") else: - return attr + result = attr + + return result return call_pexpect diff --git a/meta-arm/meta-arm/lib/oeqa/runtime/cases/fvp_devices.py b/meta-arm/meta-arm/lib/oeqa/runtime/cases/fvp_devices.py index 0246e76a94..c9d08c0344 100644 --- a/meta-arm/meta-arm/lib/oeqa/runtime/cases/fvp_devices.py +++ b/meta-arm/meta-arm/lib/oeqa/runtime/cases/fvp_devices.py 
@@ -1,16 +1,29 @@ from oeqa.runtime.case import OERuntimeTestCase from oeqa.core.decorator.data import skipIfNotInDataVar from oeqa.core.decorator.depends import OETestDepends +from time import sleep class FvpDevicesTest(OERuntimeTestCase): - def run_cmd(self, cmd, check=True): + def run_cmd(self, cmd, check=True, retry=3): """ A wrapper around self.target.run, which: * Fails the test on command failure by default * Allows the "run" behavior to be overridden in sub-classes + * Has a retry mechanism when SSH returns 255 """ - (status, output) = self.target.run(cmd) + status = 255 + # The loop is retrying the self.target.run() which uses SSH only when + # the SSH return code is 255, which might be an issue with + # "Connection refused" because the port isn't open yet + while status == 255 and retry > 0: + (status, output) = self.target.run(cmd) + retry -= 1 + # In case the status is 255, delay the next retry to give time to + # the system to settle + if status == 255: + sleep(30) + if status and check: self.fail("Command '%s' returned non-zero exit " "status %d:\n%s" % (cmd, status, output)) diff --git a/meta-arm/meta-arm/lib/oeqa/runtime/cases/parselogs-ignores-qemuarm64-secureboot.txt b/meta-arm/meta-arm/lib/oeqa/runtime/cases/parselogs-ignores-qemuarm64-secureboot.txt new file mode 100644 index 0000000000..92de01b66a --- /dev/null +++ b/meta-arm/meta-arm/lib/oeqa/runtime/cases/parselogs-ignores-qemuarm64-secureboot.txt @@ -0,0 +1,3 @@ +optee: Failed to initialize async notifications: -95 +ARM FF-A: Failed to register driver sched callback -95 +ARM FF-A: Notification setup failed -95, not enabled diff --git a/meta-arm/meta-arm/lib/oeqa/runtime/cases/uefi_secureboot.py b/meta-arm/meta-arm/lib/oeqa/runtime/cases/uefi_secureboot.py new file mode 100644 index 0000000000..bdd97f5e2c --- /dev/null +++ b/meta-arm/meta-arm/lib/oeqa/runtime/cases/uefi_secureboot.py 
@@ -0,0 +1,29 @@ +# +# SPDX-License-Identifier: MIT +# + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.oetimeout import OETimeout + + +class UEFI_SB_TestSuite(OERuntimeTestCase): + """ + Validate Secure Boot is Enabled + """ + + @OETimeout(1300) + def test_uefi_secureboot(self): + # Validate Secure Boot is enabled by checking + # 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot. + # The GUID '8be4df61-93ca-11d2-aa0d-00e098032b8c' is a well-known + # identifier for the Secure Boot UEFI variable. By checking the value of + # this variable, specifically + # '8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot', we can determine + # whether Secure Boot is enabled or not. This variable is set by the + # UEFI firmware to indicate the current Secure Boot state. If the + # variable is set to a value of '0x1' (or '1'), it indicates that Secure + # Boot is enabled. If the variable is set to a value of '0x0' (or '0'), + # it indicates that Secure Boot is disabled. + cmd = "echo $( od -t u2 -A n -j 4 -N 4 /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c )" + status, output = self.target.run(cmd, timeout=120) + self.assertEqual(output, "1", msg="\n".join([cmd, output])) diff --git a/meta-arm/meta-arm/recipes-bsp/boot-wrapper-aarch64/boot-wrapper-aarch64_git.bb b/meta-arm/meta-arm/recipes-bsp/boot-wrapper-aarch64/boot-wrapper-aarch64_git.bb index d0605dd7a5..d0f7893d8c 100644 --- a/meta-arm/meta-arm/recipes-bsp/boot-wrapper-aarch64/boot-wrapper-aarch64_git.bb +++ b/meta-arm/meta-arm/recipes-bsp/boot-wrapper-aarch64/boot-wrapper-aarch64_git.bb 
@@ -4,7 +4,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=bb63326febfb5fb909226c8e7ebcef5c" SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/mark/boot-wrapper-aarch64.git;branch=master;protocol=https" -SRCREV = "d3b1a15d18542b2086e72bfdc3fc43f454772a3b" +SRCREV = "5e3760073454c72f3458805a1b7a89ecf80353cb" # boot-wrapper doesn't make releases UPSTREAM_CHECK_COMMITS = "1" diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-bl31_runtime-revert-usage-of-plat_ic_has_interrupt_t.patch b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-bl31_runtime-revert-usage-of-plat_ic_has_interrupt_t.patch deleted file mode 100644 index f6f054df5a..0000000000 --- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-bl31_runtime-revert-usage-of-plat_ic_has_interrupt_t.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From fd13a4d304da4233cb954329bf287ec9dfbb7367 Mon Sep 17 00:00:00 2001 -From: Jon Mason <jon.mason@arm.com> -Date: Mon, 4 Dec 2023 10:20:21 -0500 -Subject: [PATCH] bl31_runtime: revert usage of plat_ic_has_interrupt_type - -There is a regression caused by commit -1f6bb41dd951714b47bf07bb9a332346ca261033 for the trusted services tests. -This is due to the fact that the referenced commit changes the behavior -from checking for both INTR_TYPE_EL3 and INTR_TYPE_S_EL1, to referencing -an existing function that #if for _either_ INTR_TYPE_EL3 or -INTR_TYPE_S_EL1 (depending on the value of GICV2_G0_FOR_EL3). To work -around this issue, revert the check back to its original form. - -Signed-off-by: Jon Mason <jon.mason@arm.com> -Upstream-Status: Pending ---- - bl31/interrupt_mgmt.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/bl31/interrupt_mgmt.c b/bl31/interrupt_mgmt.c -index 68c7f10add21..8e888b676b35 100644 ---- a/bl31/interrupt_mgmt.c -+++ b/bl31/interrupt_mgmt.c -@@ -47,9 +47,9 @@ static intr_type_desc_t intr_type_descs[MAX_INTR_TYPES]; - ******************************************************************************/ - static int32_t validate_interrupt_type(uint32_t type) - { -- if (plat_ic_has_interrupt_type(type)) { -+ if ((type == INTR_TYPE_S_EL1) || (type == INTR_TYPE_NS) || -+ (type == INTR_TYPE_EL3)) - return 0; -- } - - return -EINVAL; - } --- -2.30.2 - diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-fix-zynqmp-handle-secure-SGI-at-EL1-for-OP-TEE.patch b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-fix-zynqmp-handle-secure-SGI-at-EL1-for-OP-TEE.patch new file mode 100644 index 0000000000..3dcc2de81c --- /dev/null +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-fix-zynqmp-handle-secure-SGI-at-EL1-for-OP-TEE.patch 
@@ -0,0 +1,33 @@ +From f5b2fa90e0c0324f31e72429e7a7382f49a25912 Mon Sep 17 00:00:00 2001 +From: Shen Jiamin <shen_jiamin@comp.nus.edu.sg> +Date: Wed, 24 Jul 2024 18:58:55 +0800 +Subject: [PATCH] fix(zynqmp): handle secure SGI at EL1 for OP-TEE + +OP-TEE requires SGIs to be handled at S-EL1. The +Makefile was not properly setting the flag +GICV2_G0_FOR_EL3 to 0 when the SPD is OP-TEE. + +Change-Id: I256afa37ddf4ad4a154c43d51807de670c3689bb +Signed-off-by: Shen Jiamin <shen_jiamin@comp.nus.edu.sg> +--- + plat/xilinx/zynqmp/platform.mk | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Upstream-Status: Backport + +diff --git a/plat/xilinx/zynqmp/platform.mk b/plat/xilinx/zynqmp/platform.mk +index c340009d0..22eceb621 100644 +--- a/plat/xilinx/zynqmp/platform.mk ++++ b/plat/xilinx/zynqmp/platform.mk +@@ -21,7 +21,7 @@ ENABLE_LTO := 1 + EL3_EXCEPTION_HANDLING := $(SDEI_SUPPORT) + + # pncd SPD requires secure SGI to be handled at EL1 +-ifeq (${SPD}, $(filter ${SPD},pncd tspd)) ++ifeq (${SPD}, $(filter ${SPD},pncd tspd opteed)) + ifeq (${ZYNQMP_WDT_RESTART},1) + $(error "Error: ZYNQMP_WDT_RESTART and SPD=pncd are incompatible") + endif +-- +2.34.1 + diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch index 2d189d8e8c..75103332e3 100644 --- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch @@ -1,4 +1,4 @@ -From 1d1425bde8435d6e2b3e4f2b7bcb2eb293ef9601 Mon Sep 17 00:00:00 2001 +From b91c651e6d596cfe27448b19c8fb2f1168493827 Mon Sep 17 00:00:00 2001 
From: Mikko Rapeli <mikko.rapeli@linaro.org> Date: Mon, 15 Jan 2024 09:26:56 +0000 Subject: [PATCH] qemu_measured_boot.c: ignore TPM error and continue with boot @@ -18,10 +18,10 @@ Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/plat/qemu/qemu/qemu_measured_boot.c b/plat/qemu/qemu/qemu_measured_boot.c -index 122bb23b14..731b081c47 100644 +index 76a4da17e6a9..ec7f44d3720d 100644 --- a/plat/qemu/qemu/qemu_measured_boot.c +++ b/plat/qemu/qemu/qemu_measured_boot.c -@@ -79,7 +79,8 @@ void bl2_plat_mboot_finish(void) +@@ -80,7 +80,8 @@ void bl2_plat_mboot_finish(void) * Note: In QEMU platform, OP-TEE uses nt_fw_config to get the * secure Event Log buffer address. */ @@ -31,6 +31,3 @@ index 122bb23b14..731b081c47 100644 } /* Copy Event Log to Non-secure memory */ --- -2.34.1 - diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc index 80d41f328a..f90b588444 100644 --- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc @@ -1,5 +1,5 @@ DESCRIPTION = "Trusted Firmware-A" -LICENSE = "BSD-3-Clause & MIT" +LICENSE = "BSD-2-Clause & BSD-3-Clause & MIT & Apache-2.0" PACKAGE_ARCH = "${MACHINE_ARCH}" diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend index 3d42a97c7b..d996d83beb 100644 --- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend 
@@ -9,7 +9,6 @@ TOOLCHAIN:qemuarm-secureboot = "gcc" FILESEXTRAPATHS:prepend:qemuarm64-secureboot := "${THISDIR}/files:" SRC_URI:append:qemuarm64-secureboot = " \ file://0001-Add-spmc_manifest-for-qemu.patch \ - file://0001-bl31_runtime-revert-usage-of-plat_ic_has_interrupt_t.patch \ " TFA_PLATFORM:qemuarm64-secureboot = "qemu" diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.4.bb b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.4.bb index f7da508252..8cdfda443c 100644 --- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.4.bb +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.4.bb @@ -16,4 +16,5 @@ LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc # continue to boot also without TPM SRC_URI += "\ file://0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch \ + file://0001-fix-zynqmp-handle-secure-SGI-at-EL1-for-OP-TEE.patch \ " diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.11.0.bb b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.11.0.bb index 27cdfc0953..cb73b48d8d 100644 --- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.11.0.bb +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.11.0.bb @@ -16,4 +16,5 @@ LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=379d5819937a6c2f1ef1630d3 # continue to boot also without TPM SRC_URI += "\ file://0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch \ + file://0001-fix-zynqmp-handle-secure-SGI-at-EL1-for-OP-TEE.patch \ " diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_git.bb b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_git.bb new file mode 100644 index 0000000000..91e0f86d2d --- /dev/null +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_git.bb 
@@ -0,0 +1,22 @@ +require recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc + +# TF-A master +SRCREV_tfa = "bcce173da397f776fc0ec14e9dac03c13ddeb722" +SRCBRANCH = "master" + +LIC_FILES_CHKSUM += "file://docs/license.rst;md5=83b7626b8c7a37263c6a58af8d19bee1" + +# in TF-A src, docs/getting_started/prerequisites.rst lists the expected version mbedtls +# mbedtls-3.6.1 +SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;destsuffix=git/mbedtls;branch=mbedtls-3.6" +SRCREV_mbedtls = "71c569d44bf3a8bd53d874c81ee8ac644dd6e9e3" + +LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=379d5819937a6c2f1ef1630d341e026d" + +# continue to boot also without TPM +SRC_URI += "\ + file://0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch \ +" + +# Not a release recipe, try our hardest to not pull this in implicitly +DEFAULT_PREFERENCE = "-1" diff --git a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m-2.1.0-src.inc b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m-2.1.0-src.inc index f804bf049f..fb4ddcb673 100644 --- a/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m-2.1.0-src.inc +++ b/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m-2.1.0-src.inc @@ -5,7 +5,8 @@ LICENSE = "BSD-2-Clause & BSD-3-Clause & Apache-2.0" LIC_FILES_CHKSUM = "file://license.rst;md5=07f368487da347f3c7bd0fc3085f3afa \ file://../tf-m-tests/license.rst;md5=4481bae2221b0cfca76a69fb3411f390 \ file://../mbedtls/LICENSE;md5=379d5819937a6c2f1ef1630d341e026d \ - file://../mcuboot/LICENSE;md5=b6ee33f1d12a5e6ee3de1e82fb51eeb8" + file://../mcuboot/LICENSE;md5=b6ee33f1d12a5e6ee3de1e82fb51eeb8 \ + file://../tfm-psa-adac/license.rst;md5=07f368487da347f3c7bd0fc3085f3afa" SRC_URI_TRUSTED_FIRMWARE_M ?= "git://git.trustedfirmware.org/TF-M/trusted-firmware-m.git;protocol=https" SRC_URI_TRUSTED_FIRMWARE_M_EXTRAS ?= "git://git.trustedfirmware.org/TF-M/tf-m-extras.git;protocol=https" 
@@ -14,6 +15,7 @@ SRC_URI_TRUSTED_FIRMWARE_M_CMSIS ?= "git://github.com/ARM-software/CMSIS_6.git;p SRC_URI_TRUSTED_FIRMWARE_M_MBEDTLS ?= "gitsm://github.com/ARMmbed/mbedtls.git;protocol=https" SRC_URI_TRUSTED_FIRMWARE_M_MCUBOOT ?= "git://github.com/mcu-tools/mcuboot.git;protocol=https" SRC_URI_TRUSTED_FIRMWARE_M_QCBOR ?= "git://github.com/laurencelundblade/QCBOR.git;protocol=https" +SRC_URI_TRUSTED_FIRMWARE_M_PSA_ADAC ?= "git://git.trustedfirmware.org/shared/psa-adac.git;protocol=https" SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_M};branch=${SRCBRANCH_tfm};name=tfm;destsuffix=git/tfm \ ${SRC_URI_TRUSTED_FIRMWARE_M_EXTRAS};branch=${SRCBRANCH_tfm-extras};name=tfm-extras;destsuffix=git/tfm-extras \ ${SRC_URI_TRUSTED_FIRMWARE_M_TESTS};branch=${SRCBRANCH_tfm-tests};name=tfm-tests;destsuffix=git/tf-m-tests \ @@ -21,6 +23,7 @@ SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_M};branch=${SRCBRANCH_tfm};name=tfm;dests ${SRC_URI_TRUSTED_FIRMWARE_M_MBEDTLS};branch=${SRCBRANCH_mbedtls};name=mbedtls;destsuffix=git/mbedtls \ ${SRC_URI_TRUSTED_FIRMWARE_M_MCUBOOT};branch=${SRCBRANCH_mcuboot};name=mcuboot;destsuffix=git/mcuboot \ ${SRC_URI_TRUSTED_FIRMWARE_M_QCBOR};branch=${SRCBRANCH_qcbor};name=qcbor;destsuffix=git/qcbor \ + ${SRC_URI_TRUSTED_FIRMWARE_M_PSA_ADAC};branch=${SRCBRANCH_tfm-psa-adac};name=tfm-psa-adac;destsuffix=git/tfm-psa-adac \ " # The required dependencies are documented in tf-m/config/config_base.cmake @@ -45,6 +48,9 @@ SRCREV_mcuboot = "9c99326b9756dbcc35b524636d99ed5f3e6cb29b" # QCBOR v1.2 SRCBRANCH_qcbor ?= "master" SRCREV_qcbor = "b0e7033268e88c9f27146fa9a1415ef4c19ebaff" +# PSA-ADAC (intermediate SHA, default value for PLATFORM_PSA_ADAC_VERSION in TF-M) +SRCBRANCH_tfm-psa-adac = "master" +SRCREV_tfm-psa-adac = "5f5490cebe66ae997f316f83c3fbf1f97deef625" SRCREV_FORMAT = "tfm" diff --git a/meta-arm/meta-arm/recipes-bsp/u-boot/u-boot-uefi-secureboot.inc b/meta-arm/meta-arm/recipes-bsp/u-boot/u-boot-uefi-secureboot.inc new file mode 100644 index 0000000000..e58035a9c2 
--- /dev/null +++ b/meta-arm/meta-arm/recipes-bsp/u-boot/u-boot-uefi-secureboot.inc @@ -0,0 +1,17 @@ +FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" + +SRC_URI += "file://uefi-secureboot.cfg" + +inherit sbsign + +DEPENDS += 'python3-pyopenssl-native' + +do_compile:prepend() { + export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 + + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk -d "${SBSIGN_KEYS_DIR}"/PK.esl -t file + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${SBSIGN_KEYS_DIR}"/KEK.esl -t file + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db -d "${SBSIGN_KEYS_DIR}"/db.esl -t file + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${SBSIGN_KEYS_DIR}"/dbx.esl -t file + "${S}"/tools/efivar.py print -i "${S}"/ubootefi.var +} diff --git a/meta-arm/meta-arm/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg b/meta-arm/meta-arm/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg new file mode 100644 index 0000000000..acdcfdddf3 --- /dev/null +++ b/meta-arm/meta-arm/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg @@ -0,0 +1,10 @@ +CONFIG_CMD_BOOTMENU=y +CONFIG_USE_BOOTCOMMAND=y +CONFIG_BOOTCOMMAND="bootmenu" +CONFIG_USE_PREBOOT=y +CONFIG_EFI_VAR_BUF_SIZE=65536 +CONFIG_FIT_SIGNATURE=y +CONFIG_EFI_SECURE_BOOT=y +CONFIG_EFI_VARIABLES_PRESEED=y +CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig" +CONFIG_PREBOOT_DEFINED=y diff --git a/meta-arm/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend index 0683a78389..8542ccfc90 100644 --- a/meta-arm/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend +++ b/meta-arm/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend 
@@ -2,3 +2,5 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" SRC_URI:append:qemuarm64-secureboot = " file://qemuarm64.cfg" SRC_URI:append:qemuarm-secureboot = " file://qemuarm.cfg" + +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-uefi-secureboot.inc', '', d)} diff --git a/meta-arm/meta-arm/recipes-bsp/uefi/edk2-firmware.inc b/meta-arm/meta-arm/recipes-bsp/uefi/edk2-firmware.inc index 274852e26d..42668d9d9c 100644 --- a/meta-arm/meta-arm/recipes-bsp/uefi/edk2-firmware.inc +++ b/meta-arm/meta-arm/recipes-bsp/uefi/edk2-firmware.inc @@ -3,6 +3,8 @@ DESCRIPTION = "UEFI EDK2 Firmware for Arm reference platforms" HOMEPAGE = "https://github.com/tianocore/edk2" LICENSE = "BSD-2-Clause-Patent" +CVE_PRODUCT = "tianocore:edk2" + PROVIDES = "virtual/bootloader" # EDK2 diff --git a/meta-arm/meta-arm/recipes-bsp/uefi/sbsa-acs/0001-Patch-in-the-paths-to-the-SBSA-test-suite.patch b/meta-arm/meta-arm/recipes-bsp/uefi/sbsa-acs/0001-Patch-in-the-paths-to-the-SBSA-test-suite.patch index 236245fe79..6d626be5b8 100644 --- a/meta-arm/meta-arm/recipes-bsp/uefi/sbsa-acs/0001-Patch-in-the-paths-to-the-SBSA-test-suite.patch +++ b/meta-arm/meta-arm/recipes-bsp/uefi/sbsa-acs/0001-Patch-in-the-paths-to-the-SBSA-test-suite.patch @@ -1,4 +1,4 @@ -From 3a164d9f17591a545d1eafa629b486d4a1563722 Mon Sep 17 00:00:00 2001 +From e7918dbd4a02be2a474534da3f1e565931a5e632 Mon Sep 17 00:00:00 2001 From: Ross Burton <ross.burton@arm.com> Date: Thu, 16 Feb 2023 21:53:25 +0000 Subject: [PATCH] Patch in the paths to the SBSA test suite @@ -10,7 +10,7 @@ Signed-off-by: Ross Burton <ross.burton@arm.com> 1 file changed, 3 insertions(+) diff --git a/ShellPkg/ShellPkg.dsc b/ShellPkg/ShellPkg.dsc -index dd0d88603f11..91710c0795dc 100644 +index 557b0ec0f3d6..85b3f4fc65d0 100644 --- a/ShellPkg/ShellPkg.dsc +++ b/ShellPkg/ShellPkg.dsc @@ -23,6 +23,8 @@ 
diff --git a/meta-arm/meta-arm/recipes-bsp/uefi/sbsa-acs/0002-Enforce-using-good-old-BFD-linker.patch b/meta-arm/meta-arm/recipes-bsp/uefi/sbsa-acs/0002-Enforce-using-good-old-BFD-linker.patch index 284191d30b..68a25c71c1 100644 --- a/meta-arm/meta-arm/recipes-bsp/uefi/sbsa-acs/0002-Enforce-using-good-old-BFD-linker.patch +++ b/meta-arm/meta-arm/recipes-bsp/uefi/sbsa-acs/0002-Enforce-using-good-old-BFD-linker.patch @@ -1,4 +1,4 @@ -From 6c403e3ccaae3bb3fd9d0ad220ed8ea98b2b1354 Mon Sep 17 00:00:00 2001 +From 365fb8ebbefaa3c642e18e3c3a16eeccfa0dcc82 Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Wed, 7 Apr 2021 00:16:07 -0700 Subject: [PATCH] Enforce using good old BFD linker @@ -17,7 +17,7 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com> 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/BaseTools/Conf/tools_def.template b/BaseTools/Conf/tools_def.template -index 1bf62362b611..2b41be8d5a44 100755 +index c34ecfd557c5..153d097a2688 100755 --- a/BaseTools/Conf/tools_def.template +++ b/BaseTools/Conf/tools_def.template @@ -747,7 +747,7 @@ DEFINE GCC_AARCH64_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -fno- diff --git a/meta-arm/meta-arm/recipes-core/musl/files/0001-Revert-ldso-fix-non-functional-fix-to-early-dynamic-.patch b/meta-arm/meta-arm/recipes-core/musl/files/0001-Revert-ldso-fix-non-functional-fix-to-early-dynamic-.patch new file mode 100644 index 0000000000..65d19da589 --- /dev/null +++ b/meta-arm/meta-arm/recipes-core/musl/files/0001-Revert-ldso-fix-non-functional-fix-to-early-dynamic-.patch 
@@ -0,0 +1,42 @@ +From b91e2227575744a70f05b8b12d2c78b0c651fb86 Mon Sep 17 00:00:00 2001 +From: Jon Mason <jdmason@kudzu.us> +Date: Wed, 4 Sep 2024 16:20:45 -0400 +Subject: [PATCH] Revert "ldso: fix non-functional fix to early dynamic + PAGE_SIZE access" + +This reverts commit 6f666231bf51703fadbef10460d462fb573548a1. + +Signed-off-by: Jon Mason <jon.mason@arm.com> +Upstream-Status: Inappropriate +--- + ldso/dynlink.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/ldso/dynlink.c b/ldso/dynlink.c +index 3b57c07fabcb..cc90efbd30bf 100644 +--- a/ldso/dynlink.c ++++ b/ldso/dynlink.c +@@ -21,17 +21,15 @@ + #include <sys/membarrier.h> + #include "pthread_impl.h" + #include "fork_impl.h" +-#include "libc.h" + #include "dynlink.h" + + static size_t ldso_page_size; +-/* libc.h may have defined a macro for dynamic PAGE_SIZE already, but +- * PAGESIZE is only defined if it's constant for the arch. */ +-#ifndef PAGESIZE +-#undef PAGE_SIZE ++#ifndef PAGE_SIZE + #define PAGE_SIZE ldso_page_size + #endif + ++#include "libc.h" ++ + #define malloc __libc_malloc + #define calloc __libc_calloc + #define realloc __libc_realloc +-- +2.39.2 + diff --git a/meta-arm/meta-arm/recipes-core/musl/musl_%.bbappend b/meta-arm/meta-arm/recipes-core/musl/musl_%.bbappend new file mode 100644 index 0000000000..3d1cc88b0b --- /dev/null +++ b/meta-arm/meta-arm/recipes-core/musl/musl_%.bbappend @@ -0,0 +1,2 @@ +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" +SRC_URI += "${@bb.utils.contains('MACHINE_FEATURES', 'ts-crypto', 'file://0001-Revert-ldso-fix-non-functional-fix-to-early-dynamic-.patch', '', d)}" diff --git a/meta-arm/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc b/meta-arm/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc new file mode 100644 index 0000000000..84196a681e --- /dev/null +++ b/meta-arm/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc 
@@ -0,0 +1,7 @@ +inherit sbsign + +SBSIGN_TARGET_BINARY = "${B}/src/boot/efi/systemd-boot${EFI_ARCH}.efi" + +do_compile:append() { + do_sbsign +} diff --git a/meta-arm/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend b/meta-arm/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend new file mode 100644 index 0000000000..9850bbf9a6 --- /dev/null +++ b/meta-arm/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend @@ -0,0 +1 @@ +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'systemd-boot-uefi-secureboot.inc', '', d)} diff --git a/meta-arm/meta-arm/recipes-core/systemd/systemd-efi.inc b/meta-arm/meta-arm/recipes-core/systemd/systemd-efi.inc new file mode 100644 index 0000000000..5572e51ae9 --- /dev/null +++ b/meta-arm/meta-arm/recipes-core/systemd/systemd-efi.inc @@ -0,0 +1 @@ +PACKAGECONFIG:append = " efi" diff --git a/meta-arm/meta-arm/recipes-core/systemd/systemd_%.bbappend b/meta-arm/meta-arm/recipes-core/systemd/systemd_%.bbappend new file mode 100644 index 0000000000..660358c29b --- /dev/null +++ b/meta-arm/meta-arm/recipes-core/systemd/systemd_%.bbappend @@ -0,0 +1 @@ +require ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'systemd-efi.inc', '', d)} diff --git a/meta-arm/meta-arm/recipes-devtools/fvp/fvp-base-a-aem_11.25.15.bb b/meta-arm/meta-arm/recipes-devtools/fvp/fvp-base-a-aem_11.26.11.bb index eab2255f6f..54c7e0fd05 100644 --- a/meta-arm/meta-arm/recipes-devtools/fvp/fvp-base-a-aem_11.25.15.bb +++ b/meta-arm/meta-arm/recipes-devtools/fvp/fvp-base-a-aem_11.26.11.bb 
@@ -2,11 +2,13 @@ require fvp-envelope.inc SUMMARY = "Arm Fixed Virtual Platform - Armv-A Base RevC Architecture Envelope Model FVP" LIC_FILES_CHKSUM = "file://license_terms/license_agreement.txt;md5=1a33828e132ba71861c11688dbb0bd16 \ - file://license_terms/third_party_licenses/third_party_licenses.txt;md5=b9005e55057311e41efe02ccfea8ea72 \ - file://license_terms/third_party_licenses/arm_license_management_utilities/third_party_licenses.txt;md5=c09526c02e631abb95ad61528892552d" + file://license_terms/third_party_licenses/third_party_licenses.txt;md5=58b552b918d097a8ba802168312d76b2 \ + file://license_terms/third_party_licenses/arm_license_management_utilities/third_party_licenses.txt;md5=abcaafefc7b7a0cdf6664c51f9075c5b" -SRC_URI[fvp-aarch64.sha256sum] = "22096fc2267ad776abe0ff32d0d3b870c9fae10036d9c16f4f0fe4a64487a11e" -SRC_URI[fvp-x86_64.sha256sum] = "5f33707a1bdaa96a933b89949f28643110ad80ac9835a75f139c200b64a394dc" + +SRC_URI = "https://developer.arm.com/-/cdn-downloads/permalink/Fixed-Virtual-Platforms/${PV_URL_SHORT}/${MODEL_CODE}_${PV_URL}_${FVP_ARCH}.tgz;subdir=${BP};name=fvp-${HOST_ARCH}" +SRC_URI[fvp-aarch64.sha256sum] = "0a262327073d410146a6689c068162f60e72f45845734650b08a1d45483853ca" +SRC_URI[fvp-x86_64.sha256sum] = "a314f0f8c55492b70ab469fbbe2bb71ab8bb7c7ae4608ed1c432d8de8f4edb27" # The CSS used in the FVP homepage make it too difficult to query with the tooling currently in Yocto UPSTREAM_VERSION_UNKNOWN = "1" diff --git a/meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc b/meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc index 29de89f222..477c45f411 100644 --- a/meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc +++ b/meta-arm/meta-arm/recipes-devtools/fvp/fvp-common.inc @@ -32,7 +32,7 @@ def get_real_pv(d): def get_fm_short_pv_url(d): # FVP versions are like 11.12_43 pv = d.getVar("PV") - return "FM_%s_%s" % tuple(pv.split("."))[:2] + return "FM-%s.%s" % tuple(pv.split("."))[:2] # If PV is 1.2.3, VERSION=1.2, BUILD=3, PV_URL=1.2_3. 
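Review bot: get_fm_short_pv_url() sits in the shared fvp-common.inc, so changing its result from "FM_%s_%s" to "FM-%s.%s" changes the value for every recipe that includes this file, while the visible change only gives fvp-base-a-aem a SRC_URI in the new permalink layout using ${PV_URL_SHORT}. Check that any other FVP recipe still building its download URL from that value resolves with the new form, or keep the old helper next to a new one. The comment above the return only shows the input shape (11.12_43); adding the produced value, for example FM-11.26 for PV 11.26.11, would make the intent checkable.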
diff --git a/meta-arm/meta-arm/recipes-devtools/gator-daemon/gator-daemon/0001-Include-missing-cstdint.patch b/meta-arm/meta-arm/recipes-devtools/gator-daemon/gator-daemon/0001-Include-missing-cstdint.patch index 294f804fb4..20e994e84e 100644 --- a/meta-arm/meta-arm/recipes-devtools/gator-daemon/gator-daemon/0001-Include-missing-cstdint.patch +++ b/meta-arm/meta-arm/recipes-devtools/gator-daemon/gator-daemon/0001-Include-missing-cstdint.patch @@ -1,4 +1,4 @@ -From 87745a6cad0f7819ac8f8d3826f5e228ebd843c5 Mon Sep 17 00:00:00 2001 +From 8fba2fe012648efb526d17688c8ed3e5e72f715c Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Thu, 2 Feb 2023 16:39:26 -0800 Subject: [PATCH] Include missing <cstdint> @@ -16,7 +16,7 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com> 1 file changed, 1 insertion(+) diff --git a/daemon/xml/CurrentConfigXML.h b/daemon/xml/CurrentConfigXML.h -index 0b239fd..d9047e3 100644 +index 0b239fdb1d70..d9047e3bc080 100644 --- a/daemon/xml/CurrentConfigXML.h +++ b/daemon/xml/CurrentConfigXML.h @@ -1,6 +1,7 @@ @@ -27,6 +27,3 @@ index 0b239fd..d9047e3 100644 #include <set> #include <string> --- -2.39.1 - diff --git a/meta-arm/meta-arm/recipes-devtools/gator-daemon/gator-daemon/0001-daemon-mxml-Define-_GNU_SOURCE.patch b/meta-arm/meta-arm/recipes-devtools/gator-daemon/gator-daemon/0001-daemon-mxml-Define-_GNU_SOURCE.patch index d2460434f0..0cab34aeaa 100644 --- a/meta-arm/meta-arm/recipes-devtools/gator-daemon/gator-daemon/0001-daemon-mxml-Define-_GNU_SOURCE.patch +++ b/meta-arm/meta-arm/recipes-devtools/gator-daemon/gator-daemon/0001-daemon-mxml-Define-_GNU_SOURCE.patch @@ -1,4 +1,4 @@ -From 04e2e924c3ab8da41343277746804dbcd7bf520d Mon Sep 17 00:00:00 2001 +From ab3b2c4a6f2ae839bf3bbcae97493ece574852a7 Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Sat, 13 Aug 2022 16:49:52 -0700 Subject: [PATCH] daemon/mxml: Define _GNU_SOURCE @@ -14,7 +14,7 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com> 1 file changed, 2 insertions(+) 
diff --git a/daemon/mxml/mxml-string.c b/daemon/mxml/mxml-string.c -index 678aeb9..c9cd153 100644 +index 678aeb9c7605..c9cd153030da 100644 --- a/daemon/mxml/mxml-string.c +++ b/daemon/mxml/mxml-string.c @@ -13,6 +13,8 @@ @@ -26,6 +26,3 @@ index 678aeb9..c9cd153 100644 #include "config.h" --- -2.37.2 - diff --git a/meta-arm/meta-arm/recipes-devtools/gn/gn_git.bb b/meta-arm/meta-arm/recipes-devtools/gn/gn_git.bb index 2bb29cc3bc..620f75643a 100644 --- a/meta-arm/meta-arm/recipes-devtools/gn/gn_git.bb +++ b/meta-arm/meta-arm/recipes-devtools/gn/gn_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=0fca02217a5d49a14dfe2d11837bb34d" UPSTREAM_CHECK_COMMITS = "1" SRC_URI = "git://gn.googlesource.com/gn;protocol=https;branch=main" -SRCREV = "f284b6b47039a2d7edfcbfc51f52664f82b5a789" +SRCREV = "b2afae122eeb6ce09c52d63f67dc53fc517dbdc8" PV = "0+git" S = "${WORKDIR}/git" diff --git a/meta-arm/meta-arm/recipes-devtools/opencsd/opencsd_1.5.2.bb b/meta-arm/meta-arm/recipes-devtools/opencsd/opencsd_1.5.3.bb index cc55a3633a..fdd0d636e9 100644 --- a/meta-arm/meta-arm/recipes-devtools/opencsd/opencsd_1.5.2.bb +++ b/meta-arm/meta-arm/recipes-devtools/opencsd/opencsd_1.5.3.bb @@ -4,7 +4,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=ad8cb685eb324d2fa2530b985a43f3e5" SRC_URI = "git://github.com/Linaro/OpenCSD;protocol=https;branch=master" -SRCREV = "5d86f27a8c0af16a473833da3a0936cd2a0999d3" +SRCREV = "adb97189b906d524d1c3008e67e4da34aaa0397d" S = "${WORKDIR}/git" diff --git a/meta-arm/meta-arm/recipes-kernel/arm-tstee/arm-tstee_2.0.0.bb b/meta-arm/meta-arm/recipes-kernel/arm-tstee/arm-tstee_2.0.0.bb deleted file mode 100644 index 34beac945f..0000000000 --- a/meta-arm/meta-arm/recipes-kernel/arm-tstee/arm-tstee_2.0.0.bb +++ /dev/null 
@@ -1,23 +0,0 @@ -SUMMARY = "A Linux kernel module providing user space access to Trusted Services" -DESCRIPTION = "${SUMMARY}" -LICENSE = "GPL-2.0-only" -LIC_FILES_CHKSUM = "file://COPYING;md5=05e355bbd617507216a836c56cf24983" - -inherit module - -SRC_URI = "git://gitlab.arm.com/linux-arm/linux-trusted-services;protocol=https;branch=main \ - file://Makefile;subdir=git \ - " -S = "${WORKDIR}/git" - -# Tag tee-v2.0.0 -SRCREV = "a2d7349a96c3b3afb44bf1555d53f1c46e45a23d" -UPSTREAM_CHECK_GITTAGREGEX = "^tee-v(?P<pver>\d+(\.\d+)+)$" - -COMPATIBLE_HOST = "(arm|aarch64).*-linux" -KERNEL_MODULE_AUTOLOAD += "arm-tstee" - -do_install:append() { - install -d ${D}${includedir} - install -m 0644 ${S}/uapi/arm_tstee.h ${D}${includedir}/ -} diff --git a/meta-arm/meta-arm/recipes-kernel/linux/files/arm-ffa-transport.cfg b/meta-arm/meta-arm/recipes-kernel/linux/files/arm-ffa-transport.cfg index 34de78e895..53f19610cc 100644 --- a/meta-arm/meta-arm/recipes-kernel/linux/files/arm-ffa-transport.cfg +++ b/meta-arm/meta-arm/recipes-kernel/linux/files/arm-ffa-transport.cfg @@ -1 +1,2 @@ CONFIG_ARM_FFA_TRANSPORT=y +CONFIG_ARM_TSTEE=y diff --git a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend index a287d0e181..71e643a954 100644 --- a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend +++ b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend @@ -25,3 +25,5 @@ SRC_URI:append:qemuarm = " \ FFA_TRANSPORT_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-transport.inc', '' , d)}" require ${FFA_TRANSPORT_INCLUDE} + +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'linux-yocto-uefi-secureboot.inc', '', d)} diff --git a/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc new file mode 100644 index 0000000000..5c1f4de7a0 --- /dev/null 
+++ b/meta-arm/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc @@ -0,0 +1,14 @@ +KERNEL_FEATURES += "cfg/efi-ext.scc" + +inherit sbsign + +# shell variable set inside do_compile task +SBSIGN_TARGET_BINARY = "$KERNEL_IMAGE" + +do_compile:append() { + KERNEL_IMAGE=$(find ${B} -name ${KERNEL_IMAGETYPE} -print -quit) + do_sbsign +} + +RRECOMMENDS:${PN} += "kernel-module-efivarfs" +RRECOMMENDS:${PN} += "kernel-module-efivars" diff --git a/meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch b/meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch index 7c61105b76..3506127cfd 100644 --- a/meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch +++ b/meta-arm/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch @@ -1,4 +1,4 @@ -From cd7b41b30cf157338cfd5cda3c0f6f33164ad16d Mon Sep 17 00:00:00 2001 +From 2bb67529a8b6096fadd3dd0cf740beded9a01432 Mon Sep 17 00:00:00 2001 From: Maxim Uvarov <maxim.uvarov@linaro.org> Date: Fri, 17 Apr 2020 12:05:53 +0100 Subject: [PATCH] add enum to ta flags @@ -13,7 +13,7 @@ Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org> 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h -index 92c33c1..e83619d 100644 +index 92c33c169320..e83619d55d3c 100644 --- a/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h +++ b/Samples/ARM32-FirmwareTPM/optee_ta/fTPM/user_ta_header_defines.h @@ -44,7 +44,7 @@ diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-client.inc b/meta-arm/meta-arm/recipes-security/optee/optee-client.inc index ddda2d1a3a..f387c80574 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-client.inc +++ b/meta-arm/meta-arm/recipes-security/optee/optee-client.inc 
@@ -5,12 +5,13 @@ HOMEPAGE = "https://www.op-tee.org/" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=69663ab153298557a59c67a60a743e5b" -inherit systemd update-rc.d cmake +inherit systemd update-rc.d cmake useradd SRC_URI = " \ git://github.com/OP-TEE/optee_client.git;branch=master;protocol=https \ file://tee-supplicant@.service \ file://tee-supplicant.sh \ + file://optee-udev.rules \ " UPSTREAM_CHECK_GITTAGREGEX = "^(?P<pver>\d+(\.\d+)+)$" @@ -26,6 +27,8 @@ EXTRA_OECMAKE:append:toolchain-clang = " -DCFG_WERROR=0" do_install:append() { install -D -p -m0644 ${UNPACKDIR}/tee-supplicant@.service ${D}${systemd_system_unitdir}/tee-supplicant@.service install -D -p -m0755 ${UNPACKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant + install -d ${D}${sysconfdir}/udev/rules.d + install -m 0644 ${UNPACKDIR}/optee-udev.rules ${D}${sysconfdir}/udev/rules.d/optee.rules sed -i -e s:@sysconfdir@:${sysconfdir}:g \ -e s:@sbindir@:${sbindir}:g \ @@ -38,3 +41,6 @@ SYSTEMD_SERVICE:${PN} = "tee-supplicant@.service" INITSCRIPT_PACKAGES = "${PN}" INITSCRIPT_NAME:${PN} = "tee-supplicant" INITSCRIPT_PARAMS:${PN} = "start 10 1 2 3 4 5 . stop 90 0 6 ." + +USERADD_PACKAGES = "${PN}" +GROUPADD_PARAM:${PN} = "--system teeclnt" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-client/optee-udev.rules b/meta-arm/meta-arm/recipes-security/optee/optee-client/optee-udev.rules new file mode 100644 index 0000000000..075f469c04 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-client/optee-udev.rules @@ -0,0 +1,6 @@ +KERNEL=="tee[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", TAG+="systemd" + +# If a /dev/teepriv[0-9]* device is detected, start an instance of +# tee-supplicant.service with the device name as parameter +KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", \ + TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service" 
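Review bot: In optee-udev.rules both the client nodes (tee[0-9]*) and the supplicant nodes (teepriv[0-9]*) get MODE="0660" with GROUP="teeclnt", so any account placed in teeclnt to call trusted applications can also open /dev/teepriv*, the interface meant for tee-supplicant. Give teepriv[0-9]* its own group, created through a further GROUPADD_PARAM entry in optee-client.inc, or leave it root-only, and add a comment in the rules file saying which group is for which kind of caller.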
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service b/meta-arm/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service index 72c0b9aa57..8325b6be51 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service +++ b/meta-arm/meta-arm/recipes-security/optee/optee-client/tee-supplicant@.service @@ -1,10 +1,12 @@ [Unit] Description=TEE Supplicant on %i +DefaultDependencies=no +After=dev-%i.device +Wants=dev-%i.device +Conflicts=shutdown.target +Before=tpm2.target sysinit.target shutdown.target [Service] -User=root EnvironmentFile=-@sysconfdir@/default/tee-supplicant ExecStart=@sbindir@/tee-supplicant $OPTARGS - -[Install] -WantedBy=basic.target +ExecStop=-/bin/sh -c "/sbin/modprobe -v -r tpm_ftpm_tee ; /bin/kill $MAINPID" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_4.2.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_4.2.0.bb index 961d525179..2e43254a04 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_4.2.0.bb +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os-tadevkit_4.2.0.bb @@ -20,9 +20,6 @@ do_deploy() { FILES:${PN} = "${includedir}/optee/" -# Build paths are currently embedded -INSANE_SKIP:${PN}-dev += "buildpaths" - # Include extra headers needed by SPMC tests to TA DEVKIT. # Supported after op-tee v3.20 EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'optee-spmc-test', \ diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os.inc b/meta-arm/meta-arm/recipes-security/optee/optee-os.inc index e9f252e36e..5a89e5baad 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-os.inc +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os.inc @@ -24,6 +24,7 @@ EXTRA_OEMAKE += " \ CFG_${OPTEE_CORE}_core=y \ CROSS_COMPILE_core=${HOST_PREFIX} \ CROSS_COMPILE_ta_${OPTEE_ARCH}=${HOST_PREFIX} \ + AFLAGS="${CFLAGS}" \ ta-targets=ta_${OPTEE_ARCH} \ O=${B} \ " 
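Review bot: In tee-supplicant@.service the new ExecStop line hard-codes /bin/sh, /sbin/modprobe and /bin/kill, while ExecStart and EnvironmentFile in the same unit use the @sbindir@ and @sysconfdir@ placeholders that do_install rewrites with sed. Use placeholders for these paths too and extend the sed expression in optee-client.inc, so the unit follows the image's directory layout. With [Install] removed, the unit is now started only through the SYSTEMD_WANTS entry in optee-udev.rules; a comment in the unit saying so would help whoever next looks for the missing WantedBy.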
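Review bot: The AFLAGS="${CFLAGS}" line added to EXTRA_OEMAKE in optee-os.inc has no comment saying why the assembler flags are set to the full C flag set. If the purpose is to give assembly sources the same path-mapping options now that the buildpaths INSANE_SKIP is dropped in the next hunk, state that above the assignment, since CFLAGS also carries optimisation options a later reader will not expect to find in AFLAGS.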
@@ -75,7 +76,5 @@ FILES:${PN}-ta = "${nonarch_base_libdir}/optee_armtz/*" # note: "textrel" is not triggered on all archs INSANE_SKIP:${PN} = "textrel" -# Build paths are currently embedded -INSANE_SKIP:${PN} += "buildpaths" INSANE_SKIP:${PN}-dev = "staticdev" INHIBIT_PACKAGE_STRIP = "1" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os/0001-arm64.h-fix-compile-error-with-Clang.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os/0001-arm64.h-fix-compile-error-with-Clang.patch new file mode 100644 index 0000000000..e4508b3435 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os/0001-arm64.h-fix-compile-error-with-Clang.patch 
@@ -0,0 +1,70 @@ +From dc9fd53be9d69c4a6bc67d9de951b8f2a92abade Mon Sep 17 00:00:00 2001 +From: Jerome Forissier <jerome.forissier@linaro.org> +Date: Fri, 14 Jun 2024 17:51:22 +0200 +Subject: [PATCH 1/2] arm64.h: fix compile error with Clang + +Clang 18.1.6 fails to compile OP-TEE OS with the following error: + + CC out/arm/core/arch/arm/kernel/vfp.o + In file included from core/arch/arm/kernel/vfp.c:6: + In file included from core/arch/arm/include/arm.h:137: + core/arch/arm/include/arm64.h:455:1: error: expected readable system register + 455 | DEFINE_U32_REG_READWRITE_FUNCS(fpcr) + | ^ + core/arch/arm/include/arm64.h:436:3: note: expanded from macro 'DEFINE_U32_REG_READWRITE_FUNCS' + 436 | DEFINE_U32_REG_READ_FUNC(reg) \ + | ^ + core/arch/arm/include/arm64.h:430:3: note: expanded from macro 'DEFINE_U32_REG_READ_FUNC' + 430 | DEFINE_REG_READ_FUNC_(reg, uint32_t, reg) + | ^ + core/arch/arm/include/arm64.h:417:15: note: expanded from macro 'DEFINE_REG_READ_FUNC_' + 417 | asm volatile("mrs %0, " #asmreg : "=r" (val64)); \ + | ^ + <inline asm>:1:10: note: instantiated into assembly here + 1 | mrs x8, fpcr + | ^ + +...and similar ones for fpcr write, as well as fpsr read and write. + +Clang 12.0.0 does not have any problem with this code which makes me +think that it's a Clang/LLVM issue. + +Work around the problem by using the coded system register identifiers +S3_3_c4_c4_0 and S3_3_c4_c4_1 instead of fpcr and fpsr, respectively. +The values 3-3-4-4-0 and 3-3-4-4-1 are taken from the Arm ARM sections +C.5.2.8 and C.5.2.9. 
+ +Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> +Acked-by: Joakim Bech <joakim.bech@linaro.org> +Acked-by: Jens Wiklander <jens.wiklander@linaro.org> + +Upstream-Status: Backport +Signed-off-by: Jon Mason <jon.mason@arm.com> + +--- + core/arch/arm/include/arm64.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/core/arch/arm/include/arm64.h b/core/arch/arm/include/arm64.h +index 28922631f637..c72b5cd7bbd3 100644 +--- a/core/arch/arm/include/arm64.h ++++ b/core/arch/arm/include/arm64.h +@@ -452,8 +452,15 @@ static inline __noprof void write_##reg(type val) \ + + DEFINE_U32_REG_READWRITE_FUNCS(cpacr_el1) + DEFINE_U32_REG_READWRITE_FUNCS(daif) ++#ifdef __clang__ ++DEFINE_REG_READ_FUNC_(fpcr, uint32_t, S3_3_c4_c4_0) ++DEFINE_REG_WRITE_FUNC_(fpcr, uint32_t, S3_3_c4_c4_0) ++DEFINE_REG_READ_FUNC_(fpsr, uint32_t, S3_3_c4_c4_1) ++DEFINE_REG_WRITE_FUNC_(fpsr, uint32_t, S3_3_c4_c4_1) ++#else + DEFINE_U32_REG_READWRITE_FUNCS(fpcr) + DEFINE_U32_REG_READWRITE_FUNCS(fpsr) ++#endif + + DEFINE_U32_REG_READ_FUNC(ctr_el0) + #define read_ctr() read_ctr_el0() +-- +2.39.5 + diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os/0001-checkconf.mk-do-not-use-full-path-to-generate-guard-.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os/0001-checkconf.mk-do-not-use-full-path-to-generate-guard-.patch new file mode 100644 index 0000000000..29719b4505 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os/0001-checkconf.mk-do-not-use-full-path-to-generate-guard-.patch 
@@ -0,0 +1,45 @@ +From c8a2a6529dc3ff609281ef4fe5c5bc949c805b5c Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes <rasmus.villemoes@prevas.dk> +Date: Thu, 6 Jun 2024 11:42:46 +0200 +Subject: [PATCH] checkconf.mk: do not use full path to generate guard symbol + in conf.h + +The combination of building with -g3 (which emits definitions of all +defined preprocessor macros to the debug info) and using a full path +to define the name of this preprocessor guard means that the output is +not binary reproducible across different build hosts. For example, in +my Yocto build, the string + + __home_ravi_yocto_tmp_glibc_work_stm32mp135fdk_oe_linux_gnueabi_optee_os_stm32mp_3_19_0_stm32mp_r1_1_build_stm32mp135f_dk_include_generated_conf_h_ + +appears in several build artifacts. Another developer or buildbot +would not build in some /home/ravi/... directory. + +In order to increase binary reproducibility, only use the path sans +the $(out-dir)/ prefix of the conf.h file. + +Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> +Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk> +--- + mk/checkconf.mk | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Upstream-Status: Backport [c8a2a6529dc3ff609281ef4fe5c5bc949c805b5c] + +diff --git a/mk/checkconf.mk b/mk/checkconf.mk +index 449b1c2b8..bb08d6b15 100644 +--- a/mk/checkconf.mk ++++ b/mk/checkconf.mk +@@ -17,7 +17,8 @@ define check-conf-h + cnf='$(strip $(foreach var, \ + $(call cfg-vars-by-prefix,$1), \ + $(call cfg-make-define,$(var))))'; \ +- guard="_`echo $@ | tr -- -/.+ _`_"; \ ++ guardpath="$(patsubst $(out-dir)/%,%,$@)" \ ++ guard="_`echo "$${guardpath}" | tr -- -/.+ _`_"; \ + mkdir -p $(dir $@); \ + echo "#ifndef $${guard}" >$@.tmp; \ + echo "#define $${guard}" >>$@.tmp; \ +-- +2.34.1 + 
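Review bot: In the mk/checkconf.mk hunk the new guardpath="$(patsubst $(out-dir)/%,%,$@)" line ends in a bare continuation with no ";", so it and the following guard= assignment form one shell command, and the command substitution in guard= reads guardpath set earlier in that same command. That depends on the shell performing the assignments left to right; ending the guardpath line with "; \" like the other lines of the recipe removes the dependence. Since this is a backport, the fix belongs upstream first.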
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os/0001-compile.mk-use-CFLAGS-from-environment.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os/0001-compile.mk-use-CFLAGS-from-environment.patch new file mode 100644 index 0000000000..6577dce38b --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os/0001-compile.mk-use-CFLAGS-from-environment.patch @@ -0,0 +1,43 @@ +From 978cc08a393b7d5d0043bf7f4d33f0e33b2b18d8 Mon Sep 17 00:00:00 2001 +From: Mikko Rapeli <mikko.rapeli@linaro.org> +Date: Thu, 1 Aug 2024 13:58:36 +0000 +Subject: [PATCH 1/3] compile.mk: use CFLAGS from environment + +Users can set CFLAGS just like AFLAGS, CC, +LD etc and expect them to be used. It's ok to amend +to them but overwriting should not be done. +Build environment like yocto expect that these +variables are used to call the compiler etc tools. +Linux distro build environments usually set +these variables. + +Helps to remove build time paths from generated binaries +since mappings to remove them can be set by the distro +build system in CFLAGS automatically for each SW component +in the build. + +Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> +Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> +--- + mk/compile.mk | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Upstream-Status: Backport + +diff --git a/mk/compile.mk b/mk/compile.mk +index b3d807ba4..0de7ea259 100644 +--- a/mk/compile.mk ++++ b/mk/compile.mk +@@ -80,7 +80,8 @@ comp-compiler-$2 := $$(CC$(sm)) + comp-flags-$2 = $$(filter-out $$(CFLAGS_REMOVE) $$(cflags-remove) \ + $$(cflags-remove-$$(comp-sm-$2)) \ + $$(cflags-remove-$2), \ +- $$(CFLAGS$$(arch-bits-$$(comp-sm-$2))) $$(CFLAGS_WARNS) \ ++ $$(CFLAGS$$(arch-bits-$$(comp-sm-$2))) $$(CFLAGS) \ ++ $$(CFLAGS_WARNS) \ + $$(comp-cflags$$(comp-sm-$2)) $$(cflags$$(comp-sm-$2)) \ + $$(cflags-lib$$(comp-lib-$2)) $$(cflags-$2)) + ifeq ($C,1) +-- +2.34.1 + 
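Review bot: The Upstream-Status: Backport tag in 0001-compile.mk-use-CFLAGS-from-environment.patch names no upstream commit, whereas 0001-checkconf.mk-do-not-use-full-path-to-generate-guard-.patch records it as Backport [c8a2a6529dc3ff609281ef4fe5c5bc949c805b5c]. Add the upstream hash in the same bracketed form (the From line carries 978cc08a393b7d5d0043bf7f4d33f0e33b2b18d8, if that is the upstream commit) so the patch can be matched and dropped at the next optee-os upgrade. The same applies to the other patches in this series that carry a bare Backport tag.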
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os/0001-mk-compile.mk-remove-absolute-build-time-paths.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os/0001-mk-compile.mk-remove-absolute-build-time-paths.patch new file mode 100644 index 0000000000..63fb63a251 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os/0001-mk-compile.mk-remove-absolute-build-time-paths.patch 
@@ -0,0 +1,53 @@ +From 29b84ae5b277b85cd7244acde077694e6643fcde Mon Sep 17 00:00:00 2001 +From: Mikko Rapeli <mikko.rapeli@linaro.org> +Date: Thu, 18 Jul 2024 07:54:18 +0000 +Subject: [PATCH] mk/compile.mk: remove absolute build time paths + +Some generated files get a __FILE_ID__ which include absolute +build time paths. Remove the paths and use plain file name. +Fixes yocto QA check. + +Problem/bug: + +$ strings ../image/lib/firmware/tee.elf | grep mikko +__FILE_ID__ +_home_mikko_build_core_ta_pub_key_c +__FILE_ID__ +_home_mikko_build_core_ldelf_hex_c +__FILE_ID__ +_home_mikko_build_core_early_ta_fd02c9da_306c_48c7_a49c_bbd827ae86ee_c + +With this patch: + +$ strings ../image/lib/firmware/tee.elf | grep mikko +$ strings ../image/lib/firmware/tee.elf | grep FILE_ID | egrep \ +"core_ta_pub_key_c|core_ldelf_hex_c|core_early_ta_fd02c9da_306c_4" +__FILE_ID__ core_ta_pub_key_c +__FILE_ID__ core_ldelf_hex_c +__FILE_ID__ core_early_ta_fd02c9da_306c_48c7_a49c_bbd827ae86ee_c + +Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> +Acked-by: Jerome Forissier <jerome.forissier@linaro.org> +Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> +--- + mk/compile.mk | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Upstream-Status: Backport + +diff --git a/mk/compile.mk b/mk/compile.mk +index b3d807ba4..338535bf3 100644 +--- a/mk/compile.mk ++++ b/mk/compile.mk +@@ -120,7 +120,7 @@ comp-cppflags-$2 = $$(filter-out $$(CPPFLAGS_REMOVE) $$(cppflags-remove) \ + $$(addprefix -I,$$(incdirs-$2)) \ + $$(cppflags$$(comp-sm-$2)) \ + $$(cppflags-lib$$(comp-lib-$2)) $$(cppflags-$2)) \ +- -D__FILE_ID__=$$(subst -,_,$$(subst /,_,$$(subst .,_,$1))) ++ -D__FILE_ID__=$$(subst -,_,$$(subst /,_,$$(subst .,_,$$(patsubst $$(out-dir)/%,%,$1)))) + + comp-flags-$2 += -MD -MF $$(comp-dep-$2) -MT $$@ + comp-flags-$2 += $$(comp-cppflags-$2) +-- +2.34.1 + 
diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os/0002-libutils-zlib-fix-Clang-warnings.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os/0002-libutils-zlib-fix-Clang-warnings.patch new file mode 100644 index 0000000000..fb50fecbd0 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os/0002-libutils-zlib-fix-Clang-warnings.patch 
@@ -0,0 +1,64 @@ +From 47d5e6cbd61a38d1c31538e6b1775b901273fdec Mon Sep 17 00:00:00 2001 +From: Jerome Forissier <jerome.forissier@linaro.org> +Date: Fri, 14 Jun 2024 18:40:53 +0200 +Subject: [PATCH 2/2] libutils, zlib: fix Clang warnings + +Clang 18.1.6 reports the following warnings: + + CC out/arm/ldelf-lib/libutils/isoc/bget_malloc.o + In file included from lib/libutils/isoc/bget_malloc.c:127: + lib/libutils/isoc/bget.c:607:7: warning: a function definition without a prototype is deprecated in all versions of C and is not supported in C23 [-Wdeprecated-non-prototype] + 607 | void *bget(requested_align, hdr_size, requested_size, poolset) + | ^ + +And same with lib/zlib/{adler32.c,inffast.c,inflate.c,zutil.c}. + +In addition, zutil.c causes: + + CC out/arm/core/lib/zlib/zutil.o +core/lib/zlib/zutil.c:28:33: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes] + 28 | const char * ZEXPORT zlibVersion() + | ^ + | void + +Add -Wno-deprecated-non-prototype to libutils' bget_malloc.c to silence +the first series, and simply remove -Wstrict-prototypes (added by +default by mk/compile.mk) when building zlib. 
+ +Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> +Acked-by: Joakim Bech <joakim.bech@linaro.org> +Acked-by: Jens Wiklander <jens.wiklander@linaro.org> + +Upstream-Status: Backport +Signed-off-by: Jon Mason <jon.mason@arm.com> + +--- + core/lib/zlib/sub.mk | 2 ++ + lib/libutils/isoc/sub.mk | 1 + + 2 files changed, 3 insertions(+) + +diff --git a/core/lib/zlib/sub.mk b/core/lib/zlib/sub.mk +index d4f225dfbfc4..399544d02e20 100644 +--- a/core/lib/zlib/sub.mk ++++ b/core/lib/zlib/sub.mk +@@ -6,3 +6,5 @@ srcs-y += inftrees.c + srcs-y += zutil.c + cflags-remove-y += -Wold-style-definition + cflags-remove-y += -Wswitch-default ++cflags-remove-y += -Wstrict-prototypes ++cflags-y += $(call cc-option,-Wno-deprecated-non-prototype) +diff --git a/lib/libutils/isoc/sub.mk b/lib/libutils/isoc/sub.mk +index ef1ca5da8cf0..705090211627 100644 +--- a/lib/libutils/isoc/sub.mk ++++ b/lib/libutils/isoc/sub.mk +@@ -3,6 +3,7 @@ global-incdirs-y += include + srcs-y += bget_malloc.c + cflags-remove-bget_malloc.c-y += -Wold-style-definition -Wredundant-decls + cflags-bget_malloc.c-y += -Wno-sign-compare -Wno-cast-align ++cflags-bget_malloc.c-y += $(call cc-option,-Wno-deprecated-non-prototype) + ifeq ($(sm),core) + cflags-remove-bget_malloc.c-y += $(cflags_kasan) + endif +-- +2.39.5 + diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os/0002-link.mk-use-CFLAGS-with-version.o.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os/0002-link.mk-use-CFLAGS-with-version.o.patch new file mode 100644 index 0000000000..08bc15d764 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os/0002-link.mk-use-CFLAGS-with-version.o.patch 
@@ -0,0 +1,45 @@ +From f9207376ed58836bf748cc4cea0fcbf46624a709 Mon Sep 17 00:00:00 2001 +From: Mikko Rapeli <mikko.rapeli@linaro.org> +Date: Thu, 1 Aug 2024 14:03:11 +0000 +Subject: [PATCH 2/3] link.mk: use CFLAGS with version.o + +Should be used by all compilations. + +Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> +Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> +--- + core/arch/arm/kernel/link.mk | 2 +- + core/arch/riscv/kernel/link.mk | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +Upstream-Status: Backport + +diff --git a/core/arch/arm/kernel/link.mk b/core/arch/arm/kernel/link.mk +index 49e9f4fa1..377a82b65 100644 +--- a/core/arch/arm/kernel/link.mk ++++ b/core/arch/arm/kernel/link.mk +@@ -151,7 +151,7 @@ define update-buildcount + endef + + # filter-out to workaround objdump warning +-version-o-cflags = $(filter-out -g3,$(core-platform-cflags) \ ++version-o-cflags = $(filter-out -g3,$(CFLAGS) $(core-platform-cflags) \ + $(platform-cflags) $(cflagscore)) + # SOURCE_DATE_EPOCH defined for reproducible builds + ifneq ($(SOURCE_DATE_EPOCH),) +diff --git a/core/arch/riscv/kernel/link.mk b/core/arch/riscv/kernel/link.mk +index 3d1000d15..1fff0a379 100644 +--- a/core/arch/riscv/kernel/link.mk ++++ b/core/arch/riscv/kernel/link.mk +@@ -62,7 +62,7 @@ define update-buildcount + endef + + # filter-out to workaround objdump warning +-version-o-cflags = $(filter-out -g3,$(core-platform-cflags) \ ++version-o-cflags = $(filter-out -g3,$(CFLAGS) $(core-platform-cflags) \ + $(platform-cflags) $(cflagscore)) + # SOURCE_DATE_EPOCH defined for reproducible builds + ifneq ($(SOURCE_DATE_EPOCH),) +-- +2.34.1 + diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os/0003-link.mk-generate-version.o-in-link-out-dir.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os/0003-link.mk-generate-version.o-in-link-out-dir.patch new file mode 100644 index 0000000000..0e559b2ee2 --- /dev/null 
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-os/0003-link.mk-generate-version.o-in-link-out-dir.patch 
@@ -0,0 +1,70 @@ +From 8f100f355e645376729086edbace8f01cf7aa3b4 Mon Sep 17 00:00:00 2001 +From: Mikko Rapeli <mikko.rapeli@linaro.org> +Date: Thu, 1 Aug 2024 14:04:55 +0000 +Subject: [PATCH 3/3] link.mk: generate version.o in link-out-dir + +When source code is piped to compiler, then the +current working directory is left into debug +data. If the working directory is not the output +directory, then mappings which strip absolute output +directory paths don't work. + +Removes absolute build time paths from version.o +debug info. + +Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> +Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> +--- + core/arch/arm/kernel/link.mk | 5 +++-- + core/arch/riscv/kernel/link.mk | 5 +++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +Upstream-Status: Backport + +diff --git a/core/arch/arm/kernel/link.mk b/core/arch/arm/kernel/link.mk +index 377a82b65..d1d527224 100644 +--- a/core/arch/arm/kernel/link.mk ++++ b/core/arch/arm/kernel/link.mk +@@ -163,14 +163,15 @@ CORE_CC_VERSION = `$(CCcore) -v 2>&1 | grep "version " | sed 's/ *$$//'` + define gen-version-o + $(call update-buildcount,$(link-out-dir)/.buildcount) + @$(cmd-echo-silent) ' GEN $(link-out-dir)/version.o' +- $(q)echo -e "const char core_v_str[] =" \ ++ $(q)cd $(link-out-dir) && \ ++ echo -e "const char core_v_str[] =" \ + "\"$(TEE_IMPL_VERSION) \"" \ + "\"($(CORE_CC_VERSION)) \"" \ + "\"#$(BUILD_COUNT_STR) \"" \ + "\"$(DATE_STR) \"" \ + "\"$(CFG_KERN_LINKER_ARCH)\";\n" \ + | $(CCcore) $(version-o-cflags) \ +- -xc - -c -o $(link-out-dir)/version.o ++ -xc - -c -o version.o + endef + $(link-out-dir)/version.o: + $(call gen-version-o) +diff --git a/core/arch/riscv/kernel/link.mk b/core/arch/riscv/kernel/link.mk +index 1fff0a379..6511586e2 100644 +--- a/core/arch/riscv/kernel/link.mk ++++ b/core/arch/riscv/kernel/link.mk +@@ -74,14 +74,15 @@ CORE_CC_VERSION = `$(CCcore) -v 2>&1 | grep "version " | sed 's/ *$$//'` + define gen-version-o + $(call 
update-buildcount,$(link-out-dir)/.buildcount) + @$(cmd-echo-silent) ' GEN $(link-out-dir)/version.o' +- $(q)echo -e "const char core_v_str[] =" \ ++ $(q)cd $(link-out-dir) && \ ++ echo -e "const char core_v_str[] =" \ + "\"$(TEE_IMPL_VERSION) \"" \ + "\"($(CORE_CC_VERSION)) \"" \ + "\"#$(BUILD_COUNT_STR) \"" \ + "\"$(DATE_STR) \"" \ + "\"$(CFG_KERN_LINKER_ARCH)\";\n" \ + | $(CCcore) $(version-o-cflags) \ +- -xc - -c -o $(link-out-dir)/version.o ++ -xc - -c -o version.o + endef + + $(link-out-dir)/version.o: +-- +2.34.1 + diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os/0003-optee-enable-clang-support.patch b/meta-arm/meta-arm/recipes-security/optee/optee-os/0003-optee-enable-clang-support.patch index 3c13ce3f02..253a01db2d 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-os/0003-optee-enable-clang-support.patch +++ b/meta-arm/meta-arm/recipes-security/optee/optee-os/0003-optee-enable-clang-support.patch @@ -1,4 +1,4 @@ -From 59d4c190eae11c93b26cca5a7b005a17dadc8248 Mon Sep 17 00:00:00 2001 +From 9cf8ac4e6fcecb33af377e1a322f4841ed4e30ce Mon Sep 17 00:00:00 2001 From: Brett Warren <brett.warren@arm.com> Date: Wed, 23 Sep 2020 09:27:34 +0100 Subject: [PATCH] optee: enable clang support @@ -10,13 +10,12 @@ compiler-rt. This is mitigated by including the variable as ammended. Upstream-Status: Pending ChangeId: 8ba69a4b2eb8ebaa047cb266c9aa6c2c3da45701 Signed-off-by: Brett Warren <brett.warren@arm.com> - --- mk/clang.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mk/clang.mk b/mk/clang.mk -index a045beee8..1ebe2f702 100644 +index a045beee8482..1ebe2f702dcd 100644 --- a/mk/clang.mk +++ b/mk/clang.mk @@ -30,7 +30,7 @@ comp-cflags-warns-clang := -Wno-language-extension-token \ diff --git a/meta-arm/meta-arm/recipes-security/optee/optee-os_4.2.0.bb b/meta-arm/meta-arm/recipes-security/optee/optee-os_4.2.0.bb index 8ae219f415..3f00c7b361 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee-os_4.2.0.bb 
+++ b/meta-arm/meta-arm/recipes-security/optee/optee-os_4.2.0.bb @@ -7,4 +7,11 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" SRCREV = "12d7c4ee4642d2d761e39fbcf21a06fb77141dea" SRC_URI += " \ file://0003-optee-enable-clang-support.patch \ - " + file://0001-checkconf.mk-do-not-use-full-path-to-generate-guard-.patch \ + file://0001-mk-compile.mk-remove-absolute-build-time-paths.patch \ + file://0001-compile.mk-use-CFLAGS-from-environment.patch \ + file://0002-link.mk-use-CFLAGS-with-version.o.patch \ + file://0003-link.mk-generate-version.o-in-link-out-dir.patch \ + file://0001-arm64.h-fix-compile-error-with-Clang.patch \ + file://0002-libutils-zlib-fix-Clang-warnings.patch \ +" diff --git a/meta-arm/meta-arm/recipes-security/optee/optee.inc b/meta-arm/meta-arm/recipes-security/optee/optee.inc index 37676f1496..c5514f5651 100644 --- a/meta-arm/meta-arm/recipes-security/optee/optee.inc +++ b/meta-arm/meta-arm/recipes-security/optee/optee.inc @@ -14,9 +14,6 @@ OPTEE_ARCH:arm = "arm32" OPTEE_ARCH:aarch64 = "arm64" OPTEE_CORE = "${@d.getVar('OPTEE_ARCH').upper()}" -# FIXME - breaks with Clang 18. See https://github.com/OP-TEE/optee_os/issues/6754 -TOOLCHAIN = "gcc" - OPTEE_TOOLCHAIN = "${@d.getVar('TOOLCHAIN') or 'gcc'}" OPTEE_COMPILER = "${@bb.utils.contains("BBFILE_COLLECTIONS", "clang-layer", "${OPTEE_TOOLCHAIN}", "gcc", d)}" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/libts/0001-Remove-TEE-driver-external-component.patch b/meta-arm/meta-arm/recipes-security/trusted-services/libts/0001-Remove-TEE-driver-external-component.patch new file mode 100644 index 0000000000..79a2022947 --- /dev/null +++ b/meta-arm/meta-arm/recipes-security/trusted-services/libts/0001-Remove-TEE-driver-external-component.patch 
@@ -0,0 +1,223 @@ +From cc9589c03cb0fcd9c3248b95f05cce1afaa37d0f Mon Sep 17 00:00:00 2001 +From: Balint Dobszay <balint.dobszay@arm.com> +Date: Thu, 19 Oct 2023 16:35:05 +0200 +Subject: [PATCH] Remove TEE driver external component + +The TSTEE driver has been merged to Linux kernel v6.10, which makes the +out-of-tree version deprecated. Remove the external component that was +downloading it. Also, the in-tree version doesn't have a module version +field defined, so the sanity check for reading the out-of-tree module's +version is removed too. + +Signed-off-by: Balint Dobszay <balint.dobszay@arm.com> +Change-Id: I57ee44293c5e940ee7fa944d1420ebcba624fc56 +Upstream-Status: Backport +--- + .../rpc/ts_rpc/caller/linux/component.cmake | 6 -- + .../ts_rpc/caller/linux/ts_rpc_caller_linux.c | 56 +++---------------- + .../spm/optee/userspace-programs-on-fvp.rst | 3 +- + docs/quickstart/optee-testing.rst | 1 - + .../LinuxFfaTeeDriver/LinuxFfaTeeDriver.cmake | 54 ------------------ + 5 files changed, 9 insertions(+), 111 deletions(-) + delete mode 100644 external/LinuxFfaTeeDriver/LinuxFfaTeeDriver.cmake + +diff --git a/components/rpc/ts_rpc/caller/linux/component.cmake b/components/rpc/ts_rpc/caller/linux/component.cmake +index c9f439e20da4..f8e4a52fb70c 100644 +--- a/components/rpc/ts_rpc/caller/linux/component.cmake ++++ b/components/rpc/ts_rpc/caller/linux/component.cmake +@@ -8,8 +8,6 @@ if (NOT DEFINED TGT) + message(FATAL_ERROR "mandatory parameter TGT is not defined.") + endif() + +-include(${TS_ROOT}/external/LinuxFfaTeeDriver/LinuxFfaTeeDriver.cmake) +- + set_property(TARGET ${TGT} APPEND PROPERTY PUBLIC_HEADER + "${CMAKE_CURRENT_LIST_DIR}/ts_rpc_caller_linux.h" + ) +@@ -17,7 +15,3 @@ set_property(TARGET ${TGT} APPEND PROPERTY PUBLIC_HEADER + target_sources(${TGT} PRIVATE + "${CMAKE_CURRENT_LIST_DIR}/ts_rpc_caller_linux.c" + ) +- +-target_include_directories(${TGT} PRIVATE +- "${LINUX_FFA_TEE_DRIVER_INCLUDE_DIR}" +- ) +diff --git 
a/components/rpc/ts_rpc/caller/linux/ts_rpc_caller_linux.c b/components/rpc/ts_rpc/caller/linux/ts_rpc_caller_linux.c +index 7c4606e56f09..3402a9f6ae2b 100644 +--- a/components/rpc/ts_rpc/caller/linux/ts_rpc_caller_linux.c ++++ b/components/rpc/ts_rpc/caller/linux/ts_rpc_caller_linux.c +@@ -6,7 +6,6 @@ + + #include "ts_rpc_caller_linux.h" + +-#include <arm_tstee.h> + #include <errno.h> + #include <fcntl.h> + #include <linux/tee.h> +@@ -24,11 +23,16 @@ + + #define INVALID_SESS_ID 0 + #define MAX_TEE_DEV_NUM 16 +-#define TS_TEE_DRV_REQ_VER_MAJOR 2 +-#define TS_TEE_DRV_REQ_VER_MINOR 0 +-#define TS_TEE_DRV_REQ_VER_PATCH 0 + #define TS_TEE_DRV_INVALID_SHM_ID (0) + ++/* ++ * This define is part of linux/tee.h starting from Linux v6.10 ++ * Let's keep a copy here in case the kernel headers come from an older version ++ */ ++#ifndef TEE_IMPL_ID_TSTEE ++#define TEE_IMPL_ID_TSTEE 3 ++#endif ++ + struct ts_tee_dev { + uint16_t endpoint_id; + char path[16]; +@@ -236,47 +240,6 @@ static rpc_status_t call(void *context, uint16_t opcode, + return RPC_SUCCESS; + } + +-static bool ts_tee_drv_check_version(void) +-{ +- unsigned int major = 0; +- unsigned int minor = 0; +- unsigned int patch = 0; +- FILE *f = NULL; +- int cnt = 0; +- +- f = fopen("/sys/module/arm_tstee/version", "r"); +- if (f) { +- cnt = fscanf(f, "%u.%u.%u", &major, &minor, &patch); +- fclose(f); +- +- if (cnt != 3) { +- printf("error: cannot read TS TEE driver version\n"); +- return false; +- } +- } else { +- printf("error: TS TEE driver not available\n"); +- return false; +- } +- +- if (major != TS_TEE_DRV_REQ_VER_MAJOR) +- goto err; +- +- if (minor < TS_TEE_DRV_REQ_VER_MINOR) +- goto err; +- +- if (minor == TS_TEE_DRV_REQ_VER_MINOR) +- if (patch < TS_TEE_DRV_REQ_VER_PATCH) +- goto err; +- +- return true; +- +-err: +- printf("error: TS TEE driver is v%u.%u.%u but required v%u.%u.%u\n", major, minor, patch, +- TS_TEE_DRV_REQ_VER_MAJOR, TS_TEE_DRV_REQ_VER_MINOR, TS_TEE_DRV_REQ_VER_PATCH); +- +- return false; +-} +- 
+ static void ts_tee_drv_discover(struct ts_tee_dev *ts_tee_devs, size_t count) + { + struct tee_ioctl_version_data vers = { 0 }; +@@ -314,9 +277,6 @@ rpc_status_t ts_rpc_caller_linux_init(struct rpc_caller_interface *rpc_caller) + if (!rpc_caller || rpc_caller->context) + return RPC_ERROR_INVALID_VALUE; + +- if (!ts_tee_drv_check_version()) +- return RPC_ERROR_INTERNAL; +- + context = (struct ts_rpc_caller_linux_context *)calloc( + 1, sizeof(struct ts_rpc_caller_linux_context)); + if (!context) +diff --git a/docs/environments/secure-partitions/spm/optee/userspace-programs-on-fvp.rst b/docs/environments/secure-partitions/spm/optee/userspace-programs-on-fvp.rst +index f81e1dff3264..aeb26fb3462a 100644 +--- a/docs/environments/secure-partitions/spm/optee/userspace-programs-on-fvp.rst ++++ b/docs/environments/secure-partitions/spm/optee/userspace-programs-on-fvp.rst +@@ -59,8 +59,7 @@ Once it boots to the login prompt, log in as root and from the FVP terminal, ent + # Install the shared library and executables + cp -vat /usr out/ts-install/arm-linux/lib out/ts-install/arm-linux/bin + +- # Load the kernel modules +- out/linux-arm-ffa-tee/load_module.sh ++ # Load the kernel module + out/linux-arm-ffa-user/load_module.sh + + # Run the test application +diff --git a/docs/quickstart/optee-testing.rst b/docs/quickstart/optee-testing.rst +index 7eccf7ab9031..9ff2421d5565 100644 +--- a/docs/quickstart/optee-testing.rst ++++ b/docs/quickstart/optee-testing.rst +@@ -47,7 +47,6 @@ Once it boots to the login prompt, log in as root and from the FVP terminal, ent + + cd /mnt/host + cp -vat /usr out/ts-install/arm-linux/lib out/ts-install/arm-linux/bin +- out/linux-arm-ffa-tee/load_module.sh + out/linux-arm-ffa-user/load_module.sh + ts-service-test -v + +diff --git a/external/LinuxFfaTeeDriver/LinuxFfaTeeDriver.cmake b/external/LinuxFfaTeeDriver/LinuxFfaTeeDriver.cmake +deleted file mode 100644 +index da0a5b3def7e..000000000000 +--- 
a/external/LinuxFfaTeeDriver/LinuxFfaTeeDriver.cmake ++++ /dev/null +@@ -1,54 +0,0 @@ +-#------------------------------------------------------------------------------- +-# Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved. +-# +-# SPDX-License-Identifier: BSD-3-Clause +-# +-#------------------------------------------------------------------------------- +- +-# If the driver is already installed, try to find that +-find_path(LINUX_FFA_TEE_DRIVER_INCLUDE_DIR +- NAMES arm_tstee.h +- DOC "Linux FF-A TEE driver include directory" +-) +- +-# If not found, download it +-if(NOT LINUX_FFA_TEE_DRIVER_INCLUDE_DIR) +- set(LINUX_FFA_TEE_DRIVER_URL "https://git.gitlab.arm.com/linux-arm/linux-trusted-services.git" +- CACHE STRING "Linux FF-A TEE driver repository URL") +- +- # Note: the aim of this external component is to make the header file defining the IOCTL API +- # available. Fetching a moving reference is ok as long as API compatibility is guaranteed. +- set(LINUX_FFA_TEE_DRIVER_REFSPEC "origin/tee-v2" +- CACHE STRING "Linux FF-A TEE driver git refspec") +- +- set(LINUX_FFA_TEE_DRIVER_SOURCE_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/linux_ffa_tee_driver-src" +- CACHE PATH "Location of Linux TEE driver source.") +- +- if (DEFINED ENV{LINUX_FFA_TEE_DRIVER_SOURCE_DIR}) +- set(LINUX_FFA_TEE_DRIVER_SOURCE_DIR $ENV{LINUX_FFA_TEE_DRIVER_SOURCE_DIR} +- CACHE PATH "Location of Linux TEE driver source." 
FORCE) +- endif() +- +- set(GIT_OPTIONS +- GIT_REPOSITORY ${LINUX_FFA_TEE_DRIVER_URL} +- GIT_TAG ${LINUX_FFA_TEE_DRIVER_REFSPEC} +- GIT_SHALLOW TRUE +- ) +- include(${TS_ROOT}/tools/cmake/common/LazyFetch.cmake REQUIRED) +- LazyFetch_MakeAvailable( +- DEP_NAME linux_ffa_tee_driver +- FETCH_OPTIONS "${GIT_OPTIONS}" +- SOURCE_DIR ${LINUX_FFA_TEE_DRIVER_SOURCE_DIR} +- ) +- +- find_path(LINUX_FFA_TEE_DRIVER_INCLUDE_DIR +- NAMES arm_tstee.h +- PATHS ${LINUX_FFA_TEE_DRIVER_SOURCE_DIR}/uapi +- NO_DEFAULT_PATH +- REQUIRED +- DOC "Linux FF-A TEE driver include directory" +- ) +-endif() +- +-set_property(DIRECTORY APPEND PROPERTY CMAKE_CONFIGURE_DEPENDS +- "${LINUX_FFA_TEE_DRIVER_INCLUDE_DIR}/arm_tstee.h") +-- +2.39.2 + diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/libts_git.bb b/meta-arm/meta-arm/recipes-security/trusted-services/libts_git.bb index dfcd4bde98..635e4769af 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/libts_git.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/libts_git.bb @@ -6,12 +6,12 @@ TS_ENV = "arm-linux" require trusted-services.inc SRC_URI += "file://tee-udev.rules \ + file://0001-Remove-TEE-driver-external-component.patch \ " OECMAKE_SOURCEPATH="${S}/deployments/libts/${TS_ENV}" -DEPENDS += "arm-tstee arm-ffa-user" -RRECOMMENDS:${PN} += "arm-tstee" +DEPENDS += "arm-ffa-user" # Unix group name for dev/tee* ownership. TEE_GROUP_NAME ?= "teeclnt" diff --git a/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb b/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb index 669e87aed1..1fda415ad1 100644 --- a/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb +++ b/meta-arm/meta-arm/recipes-security/trusted-services/ts-newlib_4.1.0.bb 
@@ -20,9 +20,18 @@ EXTRA_OECMAKE += '-DNEWLIB_SOURCE_DIR=${WORKDIR}/git/newlib \ OECMAKE_SOURCEPATH = "${S}/deployments/newlib/${TS_ENV}/" +# Silence compilation errors from GCC 14.1 due to stricter code validation +export NEWLIB_CFLAGS_TARGET = "-Wno-implicit-function-declaration -Wno-int-conversion" + # TS ships a patch that needs to be applied to newlib apply_ts_patch() { - ( cd ${WORKDIR}/git/newlib; git stash; git branch -f bf_am; git am ${S}/external/newlib/*.patch; git reset bf_am ) + set -ex + cd ${WORKDIR}/git/newlib + check_git_config + git stash + git branch -f bf_am + git am ${S}/external/newlib/*.patch + git reset bf_am } do_patch[postfuncs] += "apply_ts_patch" diff --git a/meta-arm/meta-arm/wic/efi-disk.wks.in b/meta-arm/meta-arm/wic/efi-disk.wks.in index 1f06830a5f..e1120da056 100644 --- a/meta-arm/meta-arm/wic/efi-disk.wks.in +++ b/meta-arm/meta-arm/wic/efi-disk.wks.in @@ -2,10 +2,10 @@ # long-description: Creates a partitioned EFI disk image that the user # can directly dd to boot media. -part /boot --source bootimg-efi --sourceparams="loader=${EFI_PROVIDER}" --label boot --active --align 1024 --use-uuid +part /boot --source bootimg-efi --sourceparams="loader=${EFI_PROVIDER},dtb=${KERNEL_DTB_NAME}" --label boot --active --align 1024 --use-uuid part / --source rootfs --fstype=ext4 --label root --align 1024 --use-uuid part swap --size 44 --label swap --fstype=swap --use-uuid -bootloader --ptable gpt --timeout=5 --append="rootwait rootfstype=ext4" +bootloader --ptable gpt --timeout=5 --append="rootwait rootfstype=ext4 console=${KERNEL_CONSOLE}" diff --git a/meta-arm/meta-arm/wic/qemu-efi-disk.wks.in b/meta-arm/meta-arm/wic/qemu-efi-disk.wks.in index 4f898efa51..100d0edbd6 100644 --- a/meta-arm/meta-arm/wic/qemu-efi-disk.wks.in +++ b/meta-arm/meta-arm/wic/qemu-efi-disk.wks.in 
@@ -8,4 +8,4 @@ part / --source rootfs --fstype=ext4 --label root --align 1024 --use-uuid part swap --size 44 --label swap --fstype=swap --use-uuid -bootloader --ptable gpt --timeout=5 --append="rootfstype=ext4 ip=dhcp" +bootloader --ptable gpt --timeout=5 --append="rootwait rootfstype=ext4 ip=dhcp" |
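Review bot: In gen-version-o in core/arch/arm/kernel/link.mk, the added `cd $(link-out-dir) &&` also changes the working directory for `$(CCcore) $(version-o-cflags)`, so any relative path carried in those variables (an include directory, a sysroot, a compiler wrapper) now resolves against link-out-dir instead of the directory make was started in. Confirm that they are always absolute, or say so in the commit message. Quoting the directory as `cd "$(link-out-dir)"` would also keep the recipe working for output paths that contain spaces. The identical hunk in core/arch/riscv/kernel/link.mk has the same exposure.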
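Review bot: The SRC_URI list in optee-os_4.2.0.bb now carries four 0001- entries, two 0002- entries and two 0003- entries, so the numeric prefixes no longer indicate apply order, yet 0003-link.mk-generate-version.o-in-link-out-dir.patch is marked PATCH 3/3 of a series and edits the same gen-version-o recipe that 0002-link.mk-use-CFLAGS-with-version.o.patch names. A short comment above the list grouping the reproducibility series and the Clang fixes, and stating that list order is the apply order, would keep a later reshuffle from breaking the build.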
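Review bot: Removing `TOOLCHAIN = "gcc"` from optee.inc lifts the pin for every recipe that includes this file, while the Clang fixes (0001-arm64.h-fix-compile-error-with-Clang.patch and 0002-libutils-zlib-fix-Clang-warnings.patch) are added only to optee-os_4.2.0.bb in this change. Check that the other recipes pulling in optee.inc either build with Clang unpatched or keep a gcc pin of their own, and state in the commit message whether the issue linked in the removed FIXME (OP-TEE/optee_os issue 6754) is what those two patches address.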
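Review bot: With the `ts_tee_drv_check_version()` call removed from ts_rpc_caller_linux_init() in ts_rpc_caller_linux.c, initialization no longer fails early with "TS TEE driver not available" when the driver is missing, and ts_tee_drv_discover() returns void, so nothing visible here reports an empty result. Confirm that the path which uses the discovered devices returns a clear RPC error and prints a comparable diagnostic when no device with TEE_IMPL_ID_TSTEE is found. Otherwise a missing or unloaded driver surfaces only as a later, less specific failure.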
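Review bot: Dropping arm-tstee from DEPENDS and deleting `RRECOMMENDS:${PN} += "arm-tstee"` in libts_git.bb is only correct when the target kernel is v6.10 or newer, which is the version the backported patch message gives for the in-tree TSTEE driver. The fallback `#define TEE_IMPL_ID_TSTEE 3` lets libts build against older headers, so on an older kernel the package will build and install and then find no driver at run time. Document the minimum kernel version in the recipe, or keep the recommendation conditional on the kernel in use.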
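Review bot: In ts-newlib_4.1.0.bb, `export NEWLIB_CFLAGS_TARGET = "-Wno-implicit-function-declaration -Wno-int-conversion"` switches off, for the whole newlib build, two diagnostics that GCC 14 treats as errors because they commonly hide truncated pointers and mismatched prototypes, and this library ends up inside secure partitions. Prefer fixing the offending declarations through the patches already applied by apply_ts_patch. If the flags have to stay for now, name the affected files in the comment and reference an upstream fix so the suppression can be removed later. Separately, apply_ts_patch now calls check_git_config, which this hunk does not define, so note where it comes from.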
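Review bot: The efi-disk.wks.in hunk now expands `dtb=${KERNEL_DTB_NAME}` in --sourceparams and `console=${KERNEL_CONSOLE}` in the kernel command line, but nothing in this change gives either variable a default. For a machine that sets neither, the image would be built with an empty dtb= parameter and an empty console= argument. Provide defaults where the template is consumed, or document both variables as required in the long-description comment at the top of the file.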