[PATCH v3 11/14] security: optee: add optee_handoff_overlay helper

Marco Felsch m.felsch at pengutronix.de
Wed Feb 11 14:41:22 PST 2026 

Add a helper to pass the OP-TEE provided overlay to barebox via the
handoff mechanism. This can be useful to generalize the reserved-memory
node handling since OP-TEE can provide this information via the overlay
if configured in OP-TEE.

While on it sort the include headers in alphabetical order.

Reviewed-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
Signed-off-by: Marco Felsch <m.felsch at pengutronix.de>
---
 include/tee/optee.h |  5 +++++
 security/Kconfig    |  9 +++++++++
 security/optee.c    | 15 ++++++++++++++-
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/include/tee/optee.h b/include/tee/optee.h
index 10e829c04f8832c4c04771800f1963e25f425482..ba3de3e410c84619cd2baea27fc89e2901df6ecf 100644
--- a/include/tee/optee.h
+++ b/include/tee/optee.h
@@ -37,6 +37,7 @@ int optee_verify_header (const struct optee_header *hdr);
 
 void optee_set_membase(const struct optee_header *hdr);
 int optee_get_membase(u64 *membase);
+void optee_handoff_overlay(void *ovl, unsigned int ovl_sz);
 
 #else
 
@@ -49,6 +50,10 @@ static inline int optee_get_membase(u64 *membase)
 	return -ENOSYS;
 }
 
+static inline void optee_handoff_overlay(void *ovl, unsigned int ovl_sz)
+{
+}
+
 #endif /* CONFIG_HAVE_OPTEE */
 
 #ifdef __PBL__
diff --git a/security/Kconfig b/security/Kconfig
index 338bc1e5a72d91bc1617865cacd9d2d8941ca8f5..c90f2bbacf266ee0dcb7f494279843be65f5fec1 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -117,6 +117,15 @@ config HAVE_OPTEE
 	  bidirectional communication with OP-TEE is enabled via
 	  CONFIG_OPTEE.
 
+config OPTEE_APPLY_OVERLAY
+	bool "Apply OP-TEE DTBO to barebox and kernel DT"
+	depends on HAVE_OPTEE
+	help
+	  Apply the OP-TEE provided device-tree overlay to internal barebox DT
+	  and the kernel DT if this option is enabled. This requires barebox
+	  machine support and the board lowlevel code to pass the barebox
+	  internal DT to OP-TEE while booting.
+
 config OPTEE_SIZE
 	hex
 	default 0x02000000
diff --git a/security/optee.c b/security/optee.c
index 422bc1c90924ba8ab266b1aa8d06e52c819d2010..d2cda9d77b85947ff222390177666e75e54f9adb 100644
--- a/security/optee.c
+++ b/security/optee.c
@@ -2,10 +2,12 @@
 
 #define pr_fmt(fmt) "optee: " fmt
 
-#include <tee/optee.h>
+#include <compressed-dtb.h>
 #include <linux/printk.h>
 #include <linux/errno.h>
 #include <linux/limits.h>
+#include <pbl/handoff-data.h>
+#include <tee/optee.h>
 
 static u64 optee_membase = U64_MAX;
 
@@ -60,3 +62,14 @@ void optee_set_membase(const struct optee_header *hdr)
 	optee_membase = (u64)hdr->init_load_addr_hi << 32;
 	optee_membase |= hdr->init_load_addr_lo;
 }
+
+void optee_handoff_overlay(void *ovl, unsigned int ovl_sz)
+{
+	if (!IS_ENABLED(CONFIG_OPTEE_APPLY_OVERLAY))
+		return;
+
+	if (!blob_is_fdt(ovl))
+		return;
+
+	handoff_data_add(HANDOFF_DATA_TEE_DT_OVL, ovl, ovl_sz);
+}

-- 
2.47.3

More information about the barebox mailing list