From 001cc2ef47f7ff4a20188871ad556dae342e88e7 Mon Sep 17 00:00:00 2001
From: Sebastien GANDON <sebastien.gandon@st.com>
Date: Thu, 30 Jun 2022 11:06:57 +0200
Subject: [PATCH] TF-A-STM32MP: v2.6-stm32mp-r2

Signed-off-by: Romuald JEANNE <romuald.jeanne@st.com>
Change-Id: I7374c3986e8b2faaf6407ad123d20039839d10c4
---
 classes/fip-utils-stm32mp.bbclass             |    1 +
 .../tf-a-stm32mp-archiver.inc                 |    2 +-
 .../tf-a-stm32mp-common.inc                   |  389 +-
 .../tf-a-stm32mp-config.inc                   |    4 +-
 .../trusted-firmware-a/tf-a-stm32mp.inc       |  374 ++
 .../tf-a-stm32mp/0002-v2.6-stm32mp-r2.patch   | 3630 +++++++++++++++++
 .../trusted-firmware-a/tf-a-stm32mp_2.6.bb    |   41 +-
 7 files changed, 4038 insertions(+), 403 deletions(-)
 create mode 100644 recipes-bsp/trusted-firmware-a/tf-a-stm32mp.inc
 create mode 100644 recipes-bsp/trusted-firmware-a/tf-a-stm32mp/0002-v2.6-stm32mp-r2.patch

diff --git a/classes/fip-utils-stm32mp.bbclass b/classes/fip-utils-stm32mp.bbclass
index 11fed29..abfeab1 100644
--- a/classes/fip-utils-stm32mp.bbclass
+++ b/classes/fip-utils-stm32mp.bbclass
@@ -252,6 +252,7 @@ do_deploy:append:class-target() {
                     --nt-fw-key-cert ${WORKDIR}/nt_fw_key.crt \
                     --tos-fw-cert ${WORKDIR}/tos_fw_content.crt \
                     --tos-fw-key-cert ${WORKDIR}/tos_fw_key.crt \
+                    --stm32mp-cfg-cert ${WORKDIR}/stm32mp_cfg_cert.crt \
                     "
                 # Need fake bl2 binary to generate certificates
                 touch ${WORKDIR}/bl2-fake.bin
diff --git a/recipes-bsp/trusted-firmware-a/tf-a-stm32mp-archiver.inc b/recipes-bsp/trusted-firmware-a/tf-a-stm32mp-archiver.inc
index d1579d8..155f84b 100644
--- a/recipes-bsp/trusted-firmware-a/tf-a-stm32mp-archiver.inc
+++ b/recipes-bsp/trusted-firmware-a/tf-a-stm32mp-archiver.inc
@@ -82,7 +82,7 @@ tf-\$(1)-\$(2): \$3
 				DTB_FILE_NAME=\$(dt).dtb \\
 				\$(if \$(TF_A_EXTRA_OPTFLAGS),\$(TF_A_EXTRA_OPTFLAGS),\$(TF_A_EXTRA_OPTFLAGS_\$(1))) \\
 				\$(if \$(TF_A_MAKE_TARGET),\$(TF_A_MAKE_TARGET),\$(TF_A_MAKE_TARGET_\$(1))) \\
-				\$(shell echo \$(2) | tr a-z A-Z)=1 ; \\
+				\$(shell echo \$(2) | tr a-z A-Z)=1 || exit 1; \\
 		,) \\
 	)
 endef
diff --git a/recipes-bsp/trusted-firmware-a/tf-a-stm32mp-common.inc b/recipes-bsp/trusted-firmware-a/tf-a-stm32mp-common.inc
index 565ac79..56d76fd 100644
--- a/recipes-bsp/trusted-firmware-a/tf-a-stm32mp-common.inc
+++ b/recipes-bsp/trusted-firmware-a/tf-a-stm32mp-common.inc
@@ -1,372 +1,41 @@
-PACKAGE_ARCH = "${MACHINE_ARCH}"
-
 FILESEXTRAPATHS:prepend := "${THISDIR}/tf-a-stm32mp:"
 
-inherit deploy
-inherit fip-utils-stm32mp
+SECTION = "bootloaders"
 
-# Include TF-A config definitions
-include tf-a-stm32mp-config.inc
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://license.rst;md5=1dd070c98a281d18d9eefd938729b031"
 
-# ------------------------------------
-# Set MBEDTLS support
-TFA_MBEDTLS_DIR ?= "mbedtls"
-# MBEDTLS v2.24.0
-SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;protocol=https;destsuffix=git/${TFA_MBEDTLS_DIR};branch=master;name=mbedtls"
-SRCREV_mbedtls = "523f0554b6cdc7ace5d360885c3f5bbcc73ec0e8"
-LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
-LICENSE_MBEDTLS = "Apache-2.0"
-# Add MBEDTLS to our sources
-SRC_URI:append = " ${@bb.utils.contains('TF_A_SIGN_ENABLE', '1', '${SRC_URI_MBEDTLS}', '', d)}"
-# Update license variables
-LICENSE:append = "${@bb.utils.contains('TF_A_SIGN_ENABLE', '1', ' & ${LICENSE_MBEDTLS}', '', d)}"
-LIC_FILES_CHKSUM:append = "${@bb.utils.contains('TF_A_SIGN_ENABLE', '1', ' ${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}"
-# Add mbed TLS to version
-SRCREV_FORMAT:append = "${@bb.utils.contains('TF_A_SIGN_ENABLE', '1', '_mbedtls', '', d)}"
-# ------------------------------------
+SRC_URI = "git://github.com/ARM-software/arm-trusted-firmware.git;protocol=https;branch=master"
+SRCREV = "a1f02f4f3daae7e21ee58b4c93ec3e46b8f28d15"
 
-B = "${WORKDIR}/build"
-# Configure build dir for externalsrc class usage through devtool
-EXTERNALSRC_BUILD:pn-${PN} = "${WORKDIR}/build"
+SRC_URI += " \
+    file://0001-v2.6-stm32mp-r1.patch \
+    file://0002-v2.6-stm32mp-r2.patch \
+    "
 
-DEPENDS += "dtc-native"
-DEPENDS:append = " ${@bb.utils.contains('TF_A_ENABLE_DEBUG_WRAPPER', '1', 'stm32wrapper4dbg-native', '', d)}"
+TF_A_VERSION = "v2.6"
+TF_A_SUBVERSION = "stm32mp"
+TF_A_RELEASE = "r2"
+PV = "${TF_A_VERSION}-${TF_A_SUBVERSION}-${TF_A_RELEASE}"
 
-# Default log level
-ST_TF_A_DEBUG ??= "1"
-ST_TF_A_LOG_LEVEL_RELEASE ??= "20"
-ST_TF_A_LOG_LEVEL_DEBUG ??= "40"
+ARCHIVER_ST_BRANCH = "${TF_A_VERSION}-${TF_A_SUBVERSION}"
+ARCHIVER_ST_REVISION = "${PV}"
+ARCHIVER_COMMUNITY_BRANCH = "master"
+ARCHIVER_COMMUNITY_REVISION = "${TF_A_VERSION}"
 
-# Configure make settings
-EXTRA_OEMAKE += 'PLAT=${TFA_PLATFORM}'
-EXTRA_OEMAKE += 'ARCH=${TFA_ARM_ARCH}'
-EXTRA_OEMAKE += 'ARM_ARCH_MAJOR=${TFA_ARM_MAJOR}'
-EXTRA_OEMAKE += 'CROSS_COMPILE=${TARGET_PREFIX}'
-# Debug support
-EXTRA_OEMAKE += "${@bb.utils.contains('ST_TF_A_DEBUG_TRACE', '1', 'DEBUG=${ST_TF_A_DEBUG}', '', d)}"
-EXTRA_OEMAKE += "${@bb.utils.contains('ST_TF_A_DEBUG_TRACE', '1', 'LOG_LEVEL=${ST_TF_A_LOG_LEVEL_DEBUG}', 'LOG_LEVEL=${ST_TF_A_LOG_LEVEL_RELEASE}', d)}"
+S = "${WORKDIR}/git"
 
-# Define default TF-A namings
-TF_A_BASENAME ?= "tf-a"
-TF_A_SUFFIX ?= "stm32"
+# ---------------------------------
+# Configure devupstream class usage
+# ---------------------------------
+BBCLASSEXTEND = "devupstream:target"
 
-# Output the ELF generated
-ELF_DEBUG_ENABLE ?= ""
-TF_A_ELF_SUFFIX = "elf"
+SRC_URI:class-devupstream = "git://github.com/STMicroelectronics/arm-trusted-firmware.git;protocol=https;branch=${ARCHIVER_ST_BRANCH}"
+SRCREV:class-devupstream = "4b6e8e9bf8fa676ff8d1358ea2cf2e44904c2473"
 
-BL1_NAME ?= "bl1/bl1"
-BL1_ELF = "${BL1_NAME}.${TF_A_ELF_SUFFIX}"
-BL1_BASENAME = "${@os.path.basename(d.getVar("BL1_NAME"))}"
-BL1_BASENAME_DEPLOY ?= "${@os.path.basename(d.getVar("BL1_NAME"))}"
+# ---------------------------------
+# Configure default preference to manage dynamic selection between tarball and github
+# ---------------------------------
+STM32MP_SOURCE_SELECTION ?= "tarball"
 
-BL2_NAME ?= "bl2/bl2"
-BL2_ELF = "${BL2_NAME}.${TF_A_ELF_SUFFIX}"
-BL2_BASENAME = "${@os.path.basename(d.getVar("BL2_NAME"))}"
-BL2_BASENAME_DEPLOY ?= "${@os.path.basename(d.getVar("BL2_NAME"))}"
-
-BL31_NAME ?= "bl31/bl31"
-BL31_ELF = "${BL31_NAME}.${TF_A_ELF_SUFFIX}"
-BL31_BASENAME = "${@os.path.basename(d.getVar("BL31_NAME"))}"
-BL31_BASENAME_DEPLOY ?= "${@os.path.basename(d.getVar("BL31_NAME"))}"
-BL31_SUFFIX ?= "bin"
-
-BL32_NAME ?= "bl32/bl32"
-BL32_ELF = "${BL32_NAME}.${TF_A_ELF_SUFFIX}"
-BL32_BASENAME = "${@os.path.basename(d.getVar("BL32_NAME"))}"
-BL32_BASENAME_DEPLOY ?= "${@os.path.basename(d.getVar("BL32_NAME"))}"
-BL32_SUFFIX ?= "bin"
-
-DT_SUFFIX ?= "dtb"
-FWCONFIG_NAME ?= "fw-config"
-
-# Set default TF-A config
-TF_A_CONFIG ?= ""
-
-# Enable the wrapper for debug
-TF_A_ENABLE_DEBUG_WRAPPER ??= "1"
-
-# Set default configuration to allow signing
-TF_A_SIGN_ENABLE ??= "0"
-TF_A_ENCRYPTED_ENABLE ??= "0"
-
-# Set metadata generation
-TF_A_ENABLE_METADATA ??= "${@bb.utils.contains('MACHINE_FEATURES', 'fw-update', '1', '0', 'd')}"
-TF_A_METADATA_NAME ?= "metadata"
-TF_A_METADATA_SUFFIX ?= "bin"
-TF_A_METADATA_BINARY ??= "${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}"
-
-TF_A_METADATA_TOOL ?= "tools/fwu_gen_metadata/fwumd_tool.py"
-TF_A_METADATA_JSON ?= "plat/st/stm32mp1/default_metadata.json"
-
-# Configure specific build flags
-EXTRA_OEMAKE += "${@bb.utils.contains('TF_A_SIGN_ENABLE', '1', 'TRUSTED_BOARD_BOOT=1', '', d)}"
-EXTRA_OEMAKE += "${@bb.utils.contains('TF_A_SIGN_ENABLE', '1', 'MBEDTLS_DIR=${TFA_MBEDTLS_DIR}', '', d)}"
-EXTRA_OEMAKE += "${@bb.utils.contains('TF_A_ENCRYPTED_ENABLE', '1', 'DECRYPTION_SUPPORT=aes_gcm ENCRYPT_BL32=1', '', d)}"
-
-# -----------------------------------------------
-# Handle TF-A config and set internal vars
-#   TF_A_DEVICETREE
-#   TF_A_EXTRA_OPTFLAGS
-python () {
-    import re
-
-    tfaconfigflags = d.getVarFlags('TF_A_CONFIG')
-    # The "doc" varflag is special, we don't want to see it here
-    tfaconfigflags.pop('doc', None)
-    tfaconfig = (d.getVar('TF_A_CONFIG') or "").split()
-    tfabasename = d.getVar('TF_A_BASENAME')
-
-    if not tfaconfig:
-        raise bb.parse.SkipRecipe("TF_A_CONFIG must be set in the %s machine configuration." % d.getVar("MACHINE"))
-    if (d.getVar('TF_A_DEVICETREE') or "").split():
-        raise bb.parse.SkipRecipe("You cannot use TF_A_DEVICETREE as it is internal to TF_A_CONFIG var expansion.")
-    if (d.getVar('TF_A_EXTRA_OPTFLAGS') or "").split():
-        raise bb.parse.SkipRecipe("You cannot use TF_A_EXTRA_OPTFLAGS as it is internal to TF_A_CONFIG var expansion.")
-    if (d.getVar('TF_A_BINARIES') or "").split():
-        raise bb.parse.SkipRecipe("You cannot use TF_A_BINARIES as it is internal to TF_A_CONFIG var expansion.")
-    if (d.getVar('TF_A_MAKE_TARGET') or "").split():
-        raise bb.parse.SkipRecipe("You cannot use TF_A_MAKE_TARGET as it is internal to TF_A_CONFIG var expansion.")
-    if (d.getVar('TF_A_FILES') or "").split():
-        raise bb.parse.SkipRecipe("You cannot use TF_A_FILES as it is internal to TF_A_CONFIG var expansion.")
-
-    if len(tfaconfig) > 0:
-        for config in tfaconfig:
-            for f, v in tfaconfigflags.items():
-                if config == f:
-                    # Make sure to get var flag properly expanded
-                    v = d.getVarFlag('TF_A_CONFIG', config)
-                    if not v.strip():
-                        bb.fatal('[TF_A_CONFIG] Missing configuration for %s config' % config)
-                    items = v.split(',')
-                    if items[0] and len(items) > 5:
-                        raise bb.parse.SkipRecipe('Only <DEVICETREE>,<EXTRA_OPTFLAGS>,<BINARY_BASENAME>,<MAKE_TARGET>,<FILES TYPE> can be specified!')
-                    # Set internal vars
-                    bb.debug(1, "Appending '%s' to TF_A_DEVICETREE" % items[0])
-                    d.appendVar('TF_A_DEVICETREE', items[0] + ',')
-                    if len(items) > 1 and items[1]:
-                        bb.debug(1, "Appending '%s' to TF_A_EXTRA_OPTFLAGS." % items[1])
-                        d.appendVar('TF_A_EXTRA_OPTFLAGS', items[1] + ',')
-                    else:
-                        d.appendVar('TF_A_EXTRA_OPTFLAGS', '' + ',')
-                    if len(items) > 2 and items[2]:
-                        bb.debug(1, "Appending '%s' to TF_A_BINARIES." % items[2])
-                        d.appendVar('TF_A_BINARIES', items[2] + ',')
-                    else:
-                        bb.debug(1, "Appending '%s' to TF_A_BINARIES." % tfabasename)
-                        d.appendVar('TF_A_BINARIES', tfabasename + ',')
-                    if len(items) > 3 and items[3]:
-                        bb.debug(1, "Appending '%s' to TF_A_MAKE_TARGET." % items[3])
-                        d.appendVar('TF_A_MAKE_TARGET', items[3] + ',')
-                    else:
-                        d.appendVar('TF_A_MAKE_TARGET', 'all' + ',')
-                    if len(items) > 4 and items[4]:
-                        bb.debug(1, "Appending '%s' to TF_A_FILES." % items[4])
-                        d.appendVar('TF_A_FILES', items[4] + ',')
-                    else:
-                        d.appendVar('TF_A_FILES', 'bl2' + ',')
-                    break
-
-    # Manage case of signature:
-    # If signature are activated, for winning space, the debug parameter will be remove and levele of trace decrease
-    signature_val = d.getVar('TF_A_SIGN_ENABLE')
-    if signature_val and signature_val == "1":
-        bb.warn("TF-A SIGNATURE: force to disable DEBUG and decrease log level")
-        # force no debug and log level to release
-        d.setVar('ST_TF_A_DEBUG_TRACE', "0")
-}
-
-# -----------------------------------------------
-# Enable use of work-shared folder
-TFA_SHARED_SOURCES ??= "1"
-STAGING_TFA_DIR = "${TMPDIR}/work-shared/${MACHINE}/tfa-source"
-# Make sure to move ${S} to STAGING_TFA_DIR. We can't just
-# create the symlink in advance as the git fetcher can't cope with
-# the symlink.
-do_unpack[cleandirs] += "${S}"
-do_unpack[cleandirs] += "${@bb.utils.contains('TFA_SHARED_SOURCES', '1', '${STAGING_TFA_DIR}', '', d)}"
-do_clean[cleandirs] += "${S}"
-do_clean[cleandirs] += "${@bb.utils.contains('TFA_SHARED_SOURCES', '1', '${STAGING_TFA_DIR}', '', d)}"
-base_do_unpack:append () {
-    # Specific part to update devtool-source class
-    if bb.data.inherits_class('devtool-source', d):
-        # We don't want to move the source to STAGING_TFA_DIR here
-        if d.getVar('STAGING_TFA_DIR', d):
-            d.setVar('STAGING_TFA_DIR', '${S}')
-
-    shared = d.getVar("TFA_SHARED_SOURCES")
-    if shared and oe.types.boolean(shared):
-        # Copy/Paste from kernel class with adaptation to TFA var
-        s = d.getVar("S")
-        if s[-1] == '/':
-            # drop trailing slash, so that os.symlink(tfasrc, s) doesn't use s as directory name and fail
-            s=s[:-1]
-        tfasrc = d.getVar("STAGING_TFA_DIR")
-        if s != tfasrc:
-            bb.utils.mkdirhier(tfasrc)
-            bb.utils.remove(tfasrc, recurse=True)
-            if d.getVar("EXTERNALSRC"):
-                # With EXTERNALSRC S will not be wiped so we can symlink to it
-                os.symlink(s, tfasrc)
-            else:
-                import shutil
-                shutil.move(s, tfasrc)
-                os.symlink(tfasrc, s)
-}
-
-do_compile() {
-    unset LDFLAGS
-    unset CFLAGS
-    unset CPPFLAGS
-
-    unset i
-    for config in ${TF_A_CONFIG}; do
-        i=$(expr $i + 1)
-        # Initialize devicetree list, extra make options and tf-a basename
-        dt_config=$(echo ${TF_A_DEVICETREE} | cut -d',' -f${i})
-        extra_opt=$(echo ${TF_A_EXTRA_OPTFLAGS} | cut -d',' -f${i})
-        tfa_basename=$(echo ${TF_A_BINARIES} | cut -d',' -f${i})
-        tf_a_make_target=$(echo ${TF_A_MAKE_TARGET} | cut -d',' -f${i})
-        for dt in ${dt_config}; do
-            # Init specific soc settings
-            soc_extra_opt=""
-            soc_suffix=""
-            if [ -n "${STM32MP_SOC_NAME}" ]; then
-                for soc in ${STM32MP_SOC_NAME}; do
-                    if [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ]; then
-                        soc_extra_opt="$(echo ${soc} | awk '{print toupper($0)}')=1"
-                        soc_suffix="-${soc}"
-                    fi
-                done
-            fi
-            mkdir -p ${B}/${config}${soc_suffix}
-            oe_runmake -C "${S}" BUILD_PLAT="${B}/${config}${soc_suffix}" DTB_FILE_NAME="${dt}.dtb" ${extra_opt} ${soc_extra_opt} ${tf_a_make_target}
-            # Copy TF-A binary with explicit devicetree filename
-            if [ -f "${B}/${config}${soc_suffix}/${tfa_basename}-${dt}.${TF_A_SUFFIX}" ]; then
-                cp "${B}/${config}${soc_suffix}/${tfa_basename}-${dt}.${TF_A_SUFFIX}" "${B}/${config}${soc_suffix}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}"
-                if [ "${TF_A_ENABLE_DEBUG_WRAPPER}" = "1" ]; then
-                    stm32wrapper4dbg -s "${B}/${config}${soc_suffix}/${tfa_basename}-${dt}.${TF_A_SUFFIX}" -d "${B}/${config}${soc_suffix}/debug-${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}"
-                fi
-            fi
-            # Specific for bl32 target
-            if [ "$(echo ${tf_a_make_target} | grep -cw 'bl32')" = "1" ]; then
-                # Move 'bl32.elf' file to explicit file name with 'soc_suffix' info (same file for all devicetree build)
-                # This avoid unexpected deployment for other config (cf. do_deploy task)
-                if [ -f "${B}/${config}${soc_suffix}/${BL32_ELF}" ]; then
-                    mv -f "${B}/${config}${soc_suffix}/${BL32_ELF}" "${B}/${config}${soc_suffix}/${TF_A_BASENAME}-${BL32_BASENAME}${soc_suffix}.${TF_A_ELF_SUFFIX}"
-                fi
-            fi
-        done
-    done
-
-    if [ "${TF_A_ENABLE_METADATA}" = "1" ]; then
-        ${S}/${TF_A_METADATA_TOOL} jsonparse "${S}/${TF_A_METADATA_JSON}" -b "${B}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}"
-    fi
-}
-
-do_deploy() {
-    install -d ${DEPLOYDIR}
-    install -d ${DEPLOYDIR}/arm-trusted-firmware
-
-    unset i
-    for config in ${TF_A_CONFIG}; do
-        i=$(expr $i + 1)
-        # Initialize devicetree list and tf-a basename
-        dt_config=$(echo ${TF_A_DEVICETREE} | cut -d',' -f${i})
-        tfa_basename=$(echo ${TF_A_BINARIES} | cut -d',' -f${i})
-        tfa_file_type=$(echo ${TF_A_FILES} | cut -d',' -f${i})
-        for dt in ${dt_config}; do
-            # Init soc suffix
-            soc_suffix=""
-            if [ -n "${STM32MP_SOC_NAME}" ]; then
-                for soc in ${STM32MP_SOC_NAME}; do
-                    [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && soc_suffix="-${soc}"
-                done
-            fi
-            for file_type in ${tfa_file_type}; do
-                case "${file_type}" in
-                bl2)
-                    # Install TF-A binary
-                    if [ -f "${B}/${config}${soc_suffix}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" ]; then
-                        install -m 644 "${B}/${config}${soc_suffix}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/"
-                        if [ "${TF_A_ENABLE_DEBUG_WRAPPER}" = "1" ]; then
-                            install -d "${DEPLOYDIR}/arm-trusted-firmware/debug"
-                            install -m 644 "${B}/${config}${soc_suffix}/debug-${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/debug/"
-                        fi
-                    fi
-                    if [ -n "${ELF_DEBUG_ENABLE}" ]; then
-                        install -d ${DEPLOYDIR}/arm-trusted-firmware/debug
-                        if [ -f "${B}/${config}${soc_suffix}/${BL2_ELF}" ]; then
-                            install -m 644 "${B}/${config}${soc_suffix}/${BL2_ELF}" "${DEPLOYDIR}/arm-trusted-firmware/debug/${tfa_basename}-${BL2_BASENAME_DEPLOY}-${config}.${TF_A_ELF_SUFFIX}"
-                        fi
-                    fi
-                    ;;
-                bl31)
-                    # Install BL31 files
-                    if [ -f "${B}/${config}${soc_suffix}/${BL31_BASENAME}.${BL31_SUFFIX}" ]; then
-                        install -d "${DEPLOYDIR}/arm-trusted-firmware/bl31"
-                        # Install BL31 binary
-                        install -m 644 "${B}/${config}${soc_suffix}/${BL31_BASENAME}.${BL31_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/bl31/${tfa_basename}-${BL31_BASENAME_DEPLOY}${soc_suffix}.${BL31_SUFFIX}"
-                        if [ -n "${ELF_DEBUG_ENABLE}" ]; then
-                            if [ -f "${B}/${config}${soc_suffix}/${tfa_basename}-${BL31_BASENAME}${soc_suffix}.${TF_A_ELF_SUFFIX}" ]; then
-                                install -d "${DEPLOYDIR}/arm-trusted-firmware/bl32/debug"
-                                install -m 644 "${B}/${config}${soc_suffix}/${tfa_basename}-${BL31_BASENAME}${soc_suffix}.${TF_A_ELF_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/bl31/debug/${tfa_basename}-${BL31_BASENAME_DEPLOY}${soc_suffix}.${TF_A_ELF_SUFFIX}"
-                            fi
-                        fi
-                    fi
-                    if [ -n "${ELF_DEBUG_ENABLE}" ]; then
-                        install -d "${DEPLOYDIR}/arm-trusted-firmware/debug"
-                        if [ -f "${B}/${config}${soc_suffix}/${BL31_ELF}" ]; then
-                            install -m 644 "${B}/${config}${soc_suffix}/${BL31_ELF}" "${DEPLOYDIR}/arm-trusted-firmware/debug/${tfa_basename}-${BL31_BASENAME_DEPLOY}-${config}.${TF_A_ELF_SUFFIX}"
-                        fi
-                    fi
-                    ;;
-                bl32)
-                    # Install BL32 files
-                    if [ -f "${B}/${config}${soc_suffix}/${BL32_BASENAME}.${BL32_SUFFIX}" ]; then
-                        install -d "${DEPLOYDIR}/arm-trusted-firmware/bl32"
-                        # Install BL32 binary
-                        install -m 644 "${B}/${config}${soc_suffix}/${BL32_BASENAME}.${BL32_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/bl32/${tfa_basename}-${BL32_BASENAME_DEPLOY}${soc_suffix}.${BL32_SUFFIX}"
-                        # Install BL32 devicetree
-                        if [ -f "${B}/${config}${soc_suffix}/fdts/${dt}-${BL32_BASENAME}.${DT_SUFFIX}" ]; then
-                            install -m 644 "${B}/${config}${soc_suffix}/fdts/${dt}-${BL32_BASENAME}.${DT_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/bl32/${dt}-${BL32_BASENAME}.${DT_SUFFIX}"
-                        fi
-                        if [ -n "${ELF_DEBUG_ENABLE}" ]; then
-                            if [ -f "${B}/${config}${soc_suffix}/${tfa_basename}-${BL32_BASENAME}${soc_suffix}.${TF_A_ELF_SUFFIX}" ]; then
-                                install -d "${DEPLOYDIR}/arm-trusted-firmware/bl32/debug"
-                                install -m 644 "${B}/${config}${soc_suffix}/${tfa_basename}-${BL32_BASENAME}${soc_suffix}.${TF_A_ELF_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/bl32/debug/${tfa_basename}-${BL32_BASENAME_DEPLOY}${soc_suffix}.${TF_A_ELF_SUFFIX}"
-                            fi
-                        fi
-                    fi
-                    if [ -n "${ELF_DEBUG_ENABLE}" ]; then
-                        install -d "${DEPLOYDIR}/arm-trusted-firmware/debug"
-                        if [ -f "${B}/${config}${soc_suffix}/${BL32_ELF}" ]; then
-                            install -m 644 "${B}/${config}${soc_suffix}/${BL32_ELF}" "${DEPLOYDIR}/arm-trusted-firmware/debug/${tfa_basename}-${BL32_BASENAME_DEPLOY}-${config}.${TF_A_ELF_SUFFIX}"
-                        fi
-                    fi
-                    ;;
-                fwconfig)
-                    # Install fwconfig
-                    if [ -f "${B}/${config}${soc_suffix}/fdts/${dt}-${FWCONFIG_NAME}.${DT_SUFFIX}" ]; then
-                        install -d "${DEPLOYDIR}/arm-trusted-firmware/fwconfig"
-                        install -m 644 "${B}/${config}${soc_suffix}/fdts/${dt}-${FWCONFIG_NAME}.${DT_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/fwconfig/${dt}-${FWCONFIG_NAME}-${config}.${DT_SUFFIX}"
-                    fi
-                    ;;
-                esac
-            done # for file_type in ${tfa_file_type}
-        done # for dt in ${dt_config}
-        if [ -n "${ELF_DEBUG_ENABLE}" ]; then
-            install -d "${DEPLOYDIR}/arm-trusted-firmware/debug"
-            if [ -f "${B}/${config}${soc_suffix}/${BL1_ELF}" ]; then
-                install -m 644 "${B}/${config}${soc_suffix}/${BL1_ELF}" "${DEPLOYDIR}/arm-trusted-firmware/debug/${tfa_basename}-${BL1_BASENAME_DEPLOY}-${config}.${TF_A_ELF_SUFFIX}"
-            fi
-        fi
-    done # for config in ${TF_A_CONFIG}
-
-    if [ "${TF_A_ENABLE_METADATA}" = "1" ]; then
-        install -d "${DEPLOYDIR}/arm-trusted-firmware"
-        if [ -f "${B}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}" ]; then
-            install -m 644 "${B}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/${TF_A_METADATA_BIN}"
-        fi
-    fi
-}
-addtask deploy before do_build after do_compile
+DEFAULT_PREFERENCE = "${@bb.utils.contains('STM32MP_SOURCE_SELECTION', 'github', '-1', '1', d)}"
diff --git a/recipes-bsp/trusted-firmware-a/tf-a-stm32mp-config.inc b/recipes-bsp/trusted-firmware-a/tf-a-stm32mp-config.inc
index 385cbec..d57d750 100644
--- a/recipes-bsp/trusted-firmware-a/tf-a-stm32mp-config.inc
+++ b/recipes-bsp/trusted-firmware-a/tf-a-stm32mp-config.inc
@@ -7,10 +7,10 @@ TF_A_CONFIG[trusted] ?= "${@' '.join(d for d in '${STM32MP_DEVICETREE}'.split()
 TF_A_CONFIG[serialboot] ?= "${STM32MP_DEVICETREE},AARCH32_SP=sp_min STM32MP_UART_PROGRAMMER=1 STM32MP_USB_PROGRAMMER=1 STM32MP_USE_STM32IMAGE=1"
 
 TF_A_CONFIG[emmc]    ?= "${DEVICE_BOARD_ENABLE:EMMC},STM32MP_EMMC=1 ${@bb.utils.contains('MACHINE_FEATURES', 'fw-update', 'PSA_FWU_SUPPORT=1', '', d)}"
-TF_A_CONFIG[nand]    ?= "${DEVICE_BOARD_ENABLE:NAND},STM32MP_RAW_NAND=1 ${@'STM32MP_FORCE_MTD_START_OFFSET=${TF_A_MTD_START_OFFSET_NAND}' if ${TF_A_MTD_START_OFFSET_NAND} else ''}"
+TF_A_CONFIG[nand]    ?= "${DEVICE_BOARD_ENABLE:NAND},STM32MP_RAW_NAND=1 ${@bb.utils.contains('MACHINE_FEATURES', 'fw-update', 'PSA_FWU_SUPPORT=1', '', d)} ${@'STM32MP_FORCE_MTD_START_OFFSET=${TF_A_MTD_START_OFFSET_NAND}' if ${TF_A_MTD_START_OFFSET_NAND} else ''}"
 TF_A_CONFIG[nor]     ?= "${DEVICE_BOARD_ENABLE:NOR},STM32MP_SPI_NOR=1 ${@bb.utils.contains('MACHINE_FEATURES', 'fw-update', 'PSA_FWU_SUPPORT=1', '', d)} ${@'STM32MP_FORCE_MTD_START_OFFSET=${TF_A_MTD_START_OFFSET_NOR}' if ${TF_A_MTD_START_OFFSET_NOR} else ''}"
 TF_A_CONFIG[sdcard]  ?= "${DEVICE_BOARD_ENABLE:SDCARD},STM32MP_SDMMC=1 ${@bb.utils.contains('MACHINE_FEATURES', 'fw-update', 'PSA_FWU_SUPPORT=1', '', d)}"
-TF_A_CONFIG[spinand] ?= "${DEVICE_BOARD_ENABLE:SPINAND},STM32MP_SPI_NAND=1 ${@'STM32MP_FORCE_MTD_START_OFFSET=${TF_A_MTD_START_OFFSET_SPINAND}' if ${TF_A_MTD_START_OFFSET_SPINAND} else ''}"
+TF_A_CONFIG[spinand] ?= "${DEVICE_BOARD_ENABLE:SPINAND},STM32MP_SPI_NAND=1 ${@bb.utils.contains('MACHINE_FEATURES', 'fw-update', 'PSA_FWU_SUPPORT=1', '', d)} ${@'STM32MP_FORCE_MTD_START_OFFSET=${TF_A_MTD_START_OFFSET_SPINAND}' if ${TF_A_MTD_START_OFFSET_SPINAND} else ''}"
 TF_A_CONFIG[uart]    ?= "${STM32MP_DEVICETREE},STM32MP_UART_PROGRAMMER=1"
 TF_A_CONFIG[usb]     ?= "${STM32MP_DEVICETREE},STM32MP_USB_PROGRAMMER=1"
 
diff --git a/recipes-bsp/trusted-firmware-a/tf-a-stm32mp.inc b/recipes-bsp/trusted-firmware-a/tf-a-stm32mp.inc
new file mode 100644
index 0000000..c968d62
--- /dev/null
+++ b/recipes-bsp/trusted-firmware-a/tf-a-stm32mp.inc
@@ -0,0 +1,374 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/tf-a-stm32mp:"
+
+PROVIDES += "virtual/trusted-firmware-a"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+inherit deploy
+inherit fip-utils-stm32mp
+
+# Include TF-A config definitions
+require tf-a-stm32mp-config.inc
+
+# ------------------------------------
+# Set MBEDTLS support
+TFA_MBEDTLS_DIR ?= "mbedtls"
+# MBEDTLS v2.24.0
+SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;protocol=https;destsuffix=git/${TFA_MBEDTLS_DIR};branch=master;name=mbedtls"
+SRCREV_mbedtls = "523f0554b6cdc7ace5d360885c3f5bbcc73ec0e8"
+LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+LICENSE_MBEDTLS = "Apache-2.0"
+# Add MBEDTLS to our sources
+SRC_URI:append = " ${@bb.utils.contains('TF_A_SIGN_ENABLE', '1', '${SRC_URI_MBEDTLS}', '', d)}"
+# Update license variables
+LICENSE:append = "${@bb.utils.contains('TF_A_SIGN_ENABLE', '1', ' & ${LICENSE_MBEDTLS}', '', d)}"
+LIC_FILES_CHKSUM:append = "${@bb.utils.contains('TF_A_SIGN_ENABLE', '1', ' ${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}"
+# Add mbed TLS to version
+SRCREV_FORMAT:append = "${@bb.utils.contains('TF_A_SIGN_ENABLE', '1', '_mbedtls', '', d)}"
+# ------------------------------------
+
+B = "${WORKDIR}/build"
+# Configure build dir for externalsrc class usage through devtool
+EXTERNALSRC_BUILD:pn-${PN} = "${WORKDIR}/build"
+
+DEPENDS += "dtc-native openssl-native"
+DEPENDS:append = " ${@bb.utils.contains('TF_A_ENABLE_DEBUG_WRAPPER', '1', 'stm32wrapper4dbg-native', '', d)}"
+
+# Default log level
+ST_TF_A_DEBUG ??= "1"
+ST_TF_A_LOG_LEVEL_RELEASE ??= "20"
+ST_TF_A_LOG_LEVEL_DEBUG ??= "40"
+
+# Configure make settings
+EXTRA_OEMAKE += 'PLAT=${TFA_PLATFORM}'
+EXTRA_OEMAKE += 'ARCH=${TFA_ARM_ARCH}'
+EXTRA_OEMAKE += 'ARM_ARCH_MAJOR=${TFA_ARM_MAJOR}'
+EXTRA_OEMAKE += 'CROSS_COMPILE=${TARGET_PREFIX}'
+# Debug support
+EXTRA_OEMAKE += "${@bb.utils.contains('ST_TF_A_DEBUG_TRACE', '1', 'DEBUG=${ST_TF_A_DEBUG}', '', d)}"
+EXTRA_OEMAKE += "${@bb.utils.contains('ST_TF_A_DEBUG_TRACE', '1', 'LOG_LEVEL=${ST_TF_A_LOG_LEVEL_DEBUG}', 'LOG_LEVEL=${ST_TF_A_LOG_LEVEL_RELEASE}', d)}"
+
+# Define default TF-A namings
+TF_A_BASENAME ?= "tf-a"
+TF_A_SUFFIX ?= "stm32"
+
+# Output the ELF generated
+ELF_DEBUG_ENABLE ?= ""
+TF_A_ELF_SUFFIX = "elf"
+
+BL1_NAME ?= "bl1/bl1"
+BL1_ELF = "${BL1_NAME}.${TF_A_ELF_SUFFIX}"
+BL1_BASENAME = "${@os.path.basename(d.getVar("BL1_NAME"))}"
+BL1_BASENAME_DEPLOY ?= "${@os.path.basename(d.getVar("BL1_NAME"))}"
+
+BL2_NAME ?= "bl2/bl2"
+BL2_ELF = "${BL2_NAME}.${TF_A_ELF_SUFFIX}"
+BL2_BASENAME = "${@os.path.basename(d.getVar("BL2_NAME"))}"
+BL2_BASENAME_DEPLOY ?= "${@os.path.basename(d.getVar("BL2_NAME"))}"
+
+BL31_NAME ?= "bl31/bl31"
+BL31_ELF = "${BL31_NAME}.${TF_A_ELF_SUFFIX}"
+BL31_BASENAME = "${@os.path.basename(d.getVar("BL31_NAME"))}"
+BL31_BASENAME_DEPLOY ?= "${@os.path.basename(d.getVar("BL31_NAME"))}"
+BL31_SUFFIX ?= "bin"
+
+BL32_NAME ?= "bl32/bl32"
+BL32_ELF = "${BL32_NAME}.${TF_A_ELF_SUFFIX}"
+BL32_BASENAME = "${@os.path.basename(d.getVar("BL32_NAME"))}"
+BL32_BASENAME_DEPLOY ?= "${@os.path.basename(d.getVar("BL32_NAME"))}"
+BL32_SUFFIX ?= "bin"
+
+DT_SUFFIX ?= "dtb"
+FWCONFIG_NAME ?= "fw-config"
+
+# Set default TF-A config
+TF_A_CONFIG ?= ""
+
+# Enable the wrapper for debug
+TF_A_ENABLE_DEBUG_WRAPPER ??= "1"
+
+# Set default configuration to allow signing
+TF_A_SIGN_ENABLE ??= "0"
+TF_A_ENCRYPTED_ENABLE ??= "0"
+
+# Set metadata generation
+TF_A_ENABLE_METADATA ??= "${@bb.utils.contains('MACHINE_FEATURES', 'fw-update', '1', '0', 'd')}"
+TF_A_METADATA_NAME ?= "metadata"
+TF_A_METADATA_SUFFIX ?= "bin"
+TF_A_METADATA_BINARY ??= "${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}"
+
+TF_A_METADATA_TOOL ?= "tools/fwu_gen_metadata/fwumd_tool.py"
+TF_A_METADATA_JSON ?= "plat/st/stm32mp1/default_metadata.json"
+
+# Configure specific build flags
+EXTRA_OEMAKE += "${@bb.utils.contains('TF_A_SIGN_ENABLE', '1', 'TRUSTED_BOARD_BOOT=1', '', d)}"
+EXTRA_OEMAKE += "${@bb.utils.contains('TF_A_SIGN_ENABLE', '1', 'MBEDTLS_DIR=${TFA_MBEDTLS_DIR}', '', d)}"
+EXTRA_OEMAKE += "${@bb.utils.contains('TF_A_ENCRYPTED_ENABLE', '1', 'DECRYPTION_SUPPORT=aes_gcm ENCRYPT_BL32=1', '', d)}"
+
+# -----------------------------------------------
+# Handle TF-A config and set internal vars
+#   TF_A_DEVICETREE
+#   TF_A_EXTRA_OPTFLAGS
+python () {
+    import re
+
+    tfaconfigflags = d.getVarFlags('TF_A_CONFIG')
+    # The "doc" varflag is special, we don't want to see it here
+    tfaconfigflags.pop('doc', None)
+    tfaconfig = (d.getVar('TF_A_CONFIG') or "").split()
+    tfabasename = d.getVar('TF_A_BASENAME')
+
+    if not tfaconfig:
+        raise bb.parse.SkipRecipe("TF_A_CONFIG must be set in the %s machine configuration." % d.getVar("MACHINE"))
+    if (d.getVar('TF_A_DEVICETREE') or "").split():
+        raise bb.parse.SkipRecipe("You cannot use TF_A_DEVICETREE as it is internal to TF_A_CONFIG var expansion.")
+    if (d.getVar('TF_A_EXTRA_OPTFLAGS') or "").split():
+        raise bb.parse.SkipRecipe("You cannot use TF_A_EXTRA_OPTFLAGS as it is internal to TF_A_CONFIG var expansion.")
+    if (d.getVar('TF_A_BINARIES') or "").split():
+        raise bb.parse.SkipRecipe("You cannot use TF_A_BINARIES as it is internal to TF_A_CONFIG var expansion.")
+    if (d.getVar('TF_A_MAKE_TARGET') or "").split():
+        raise bb.parse.SkipRecipe("You cannot use TF_A_MAKE_TARGET as it is internal to TF_A_CONFIG var expansion.")
+    if (d.getVar('TF_A_FILES') or "").split():
+        raise bb.parse.SkipRecipe("You cannot use TF_A_FILES as it is internal to TF_A_CONFIG var expansion.")
+
+    if len(tfaconfig) > 0:
+        for config in tfaconfig:
+            for f, v in tfaconfigflags.items():
+                if config == f:
+                    # Make sure to get var flag properly expanded
+                    v = d.getVarFlag('TF_A_CONFIG', config)
+                    if not v.strip():
+                        bb.fatal('[TF_A_CONFIG] Missing configuration for %s config' % config)
+                    items = v.split(',')
+                    if items[0] and len(items) > 5:
+                        raise bb.parse.SkipRecipe('Only <DEVICETREE>,<EXTRA_OPTFLAGS>,<BINARY_BASENAME>,<MAKE_TARGET>,<FILES TYPE> can be specified!')
+                    # Set internal vars
+                    bb.debug(1, "Appending '%s' to TF_A_DEVICETREE" % items[0])
+                    d.appendVar('TF_A_DEVICETREE', items[0] + ',')
+                    if len(items) > 1 and items[1]:
+                        bb.debug(1, "Appending '%s' to TF_A_EXTRA_OPTFLAGS." % items[1])
+                        d.appendVar('TF_A_EXTRA_OPTFLAGS', items[1] + ',')
+                    else:
+                        d.appendVar('TF_A_EXTRA_OPTFLAGS', '' + ',')
+                    if len(items) > 2 and items[2]:
+                        bb.debug(1, "Appending '%s' to TF_A_BINARIES." % items[2])
+                        d.appendVar('TF_A_BINARIES', items[2] + ',')
+                    else:
+                        bb.debug(1, "Appending '%s' to TF_A_BINARIES." % tfabasename)
+                        d.appendVar('TF_A_BINARIES', tfabasename + ',')
+                    if len(items) > 3 and items[3]:
+                        bb.debug(1, "Appending '%s' to TF_A_MAKE_TARGET." % items[3])
+                        d.appendVar('TF_A_MAKE_TARGET', items[3] + ',')
+                    else:
+                        d.appendVar('TF_A_MAKE_TARGET', 'all' + ',')
+                    if len(items) > 4 and items[4]:
+                        bb.debug(1, "Appending '%s' to TF_A_FILES." % items[4])
+                        d.appendVar('TF_A_FILES', items[4] + ',')
+                    else:
+                        d.appendVar('TF_A_FILES', 'bl2' + ',')
+                    break
+
+    # Manage case of signature:
+    # If signature are activated, for winning space, the debug parameter will be remove and level of trace decrease
+    signature_val = d.getVar('TF_A_SIGN_ENABLE')
+    if signature_val and signature_val == "1":
+        bb.warn("TF-A SIGNATURE: force to disable DEBUG and decrease log level")
+        # force no debug and log level to release
+        d.setVar('ST_TF_A_DEBUG_TRACE', "0")
+}
+
+# -----------------------------------------------
+# Enable use of work-shared folder
+TFA_SHARED_SOURCES ??= "1"
+STAGING_TFA_DIR = "${TMPDIR}/work-shared/${MACHINE}/tfa-source"
+# Make sure to move ${S} to STAGING_TFA_DIR. We can't just
+# create the symlink in advance as the git fetcher can't cope with
+# the symlink.
+do_unpack[cleandirs] += "${S}"
+do_unpack[cleandirs] += "${@bb.utils.contains('TFA_SHARED_SOURCES', '1', '${STAGING_TFA_DIR}', '', d)}"
+do_clean[cleandirs] += "${S}"
+do_clean[cleandirs] += "${@bb.utils.contains('TFA_SHARED_SOURCES', '1', '${STAGING_TFA_DIR}', '', d)}"
+base_do_unpack:append () {
+    # Specific part to update devtool-source class
+    if bb.data.inherits_class('devtool-source', d):
+        # We don't want to move the source to STAGING_TFA_DIR here
+        if d.getVar('STAGING_TFA_DIR', d):
+            d.setVar('STAGING_TFA_DIR', '${S}')
+
+    shared = d.getVar("TFA_SHARED_SOURCES")
+    if shared and oe.types.boolean(shared):
+        # Copy/Paste from kernel class with adaptation to TFA var
+        s = d.getVar("S")
+        if s[-1] == '/':
+            # drop trailing slash, so that os.symlink(tfasrc, s) doesn't use s as directory name and fail
+            s=s[:-1]
+        tfasrc = d.getVar("STAGING_TFA_DIR")
+        if s != tfasrc:
+            bb.utils.mkdirhier(tfasrc)
+            bb.utils.remove(tfasrc, recurse=True)
+            if d.getVar("EXTERNALSRC"):
+                # With EXTERNALSRC S will not be wiped so we can symlink to it
+                os.symlink(s, tfasrc)
+            else:
+                import shutil
+                shutil.move(s, tfasrc)
+                os.symlink(tfasrc, s)
+}
+
+do_compile() {
+    unset LDFLAGS
+    unset CFLAGS
+    unset CPPFLAGS
+
+    unset i
+    for config in ${TF_A_CONFIG}; do
+        i=$(expr $i + 1)
+        # Initialize devicetree list, extra make options and tf-a basename
+        dt_config=$(echo ${TF_A_DEVICETREE} | cut -d',' -f${i})
+        extra_opt=$(echo ${TF_A_EXTRA_OPTFLAGS} | cut -d',' -f${i})
+        tfa_basename=$(echo ${TF_A_BINARIES} | cut -d',' -f${i})
+        tf_a_make_target=$(echo ${TF_A_MAKE_TARGET} | cut -d',' -f${i})
+        for dt in ${dt_config}; do
+            # Init specific soc settings
+            soc_extra_opt=""
+            soc_suffix=""
+            if [ -n "${STM32MP_SOC_NAME}" ]; then
+                for soc in ${STM32MP_SOC_NAME}; do
+                    if [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ]; then
+                        soc_extra_opt="$(echo ${soc} | awk '{print toupper($0)}')=1"
+                        soc_suffix="-${soc}"
+                    fi
+                done
+            fi
+            mkdir -p ${B}/${config}${soc_suffix}
+            oe_runmake -C "${S}" BUILD_PLAT="${B}/${config}${soc_suffix}" DTB_FILE_NAME="${dt}.dtb" ${extra_opt} ${soc_extra_opt} ${tf_a_make_target}
+            # Copy TF-A binary with explicit devicetree filename
+            if [ -f "${B}/${config}${soc_suffix}/${tfa_basename}-${dt}.${TF_A_SUFFIX}" ]; then
+                cp "${B}/${config}${soc_suffix}/${tfa_basename}-${dt}.${TF_A_SUFFIX}" "${B}/${config}${soc_suffix}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}"
+                if [ "${TF_A_ENABLE_DEBUG_WRAPPER}" = "1" ]; then
+                    stm32wrapper4dbg -s "${B}/${config}${soc_suffix}/${tfa_basename}-${dt}.${TF_A_SUFFIX}" -d "${B}/${config}${soc_suffix}/debug-${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}"
+                fi
+            fi
+            # Specific for bl32 target
+            if [ "$(echo ${tf_a_make_target} | grep -cw 'bl32')" = "1" ]; then
+                # Move 'bl32.elf' file to explicit file name with 'soc_suffix' info (same file for all devicetree build)
+                # This avoid unexpected deployment for other config (cf. do_deploy task)
+                if [ -f "${B}/${config}${soc_suffix}/${BL32_ELF}" ]; then
+                    mv -f "${B}/${config}${soc_suffix}/${BL32_ELF}" "${B}/${config}${soc_suffix}/${TF_A_BASENAME}-${BL32_BASENAME}${soc_suffix}.${TF_A_ELF_SUFFIX}"
+                fi
+            fi
+        done
+    done
+
+    if [ "${TF_A_ENABLE_METADATA}" = "1" ]; then
+        ${S}/${TF_A_METADATA_TOOL} jsonparse "${S}/${TF_A_METADATA_JSON}" -b "${B}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}"
+    fi
+}
+
+do_deploy() {
+    install -d ${DEPLOYDIR}
+    install -d ${DEPLOYDIR}/arm-trusted-firmware
+
+    unset i
+    for config in ${TF_A_CONFIG}; do
+        i=$(expr $i + 1)
+        # Initialize devicetree list and tf-a basename
+        dt_config=$(echo ${TF_A_DEVICETREE} | cut -d',' -f${i})
+        tfa_basename=$(echo ${TF_A_BINARIES} | cut -d',' -f${i})
+        tfa_file_type=$(echo ${TF_A_FILES} | cut -d',' -f${i})
+        for dt in ${dt_config}; do
+            # Init soc suffix
+            soc_suffix=""
+            if [ -n "${STM32MP_SOC_NAME}" ]; then
+                for soc in ${STM32MP_SOC_NAME}; do
+                    [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && soc_suffix="-${soc}"
+                done
+            fi
+            for file_type in ${tfa_file_type}; do
+                case "${file_type}" in
+                bl2)
+                    # Install TF-A binary
+                    if [ -f "${B}/${config}${soc_suffix}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" ]; then
+                        install -m 644 "${B}/${config}${soc_suffix}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/"
+                        if [ "${TF_A_ENABLE_DEBUG_WRAPPER}" = "1" ]; then
+                            install -d "${DEPLOYDIR}/arm-trusted-firmware/debug"
+                            install -m 644 "${B}/${config}${soc_suffix}/debug-${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/debug/"
+                        fi
+                    fi
+                    if [ -n "${ELF_DEBUG_ENABLE}" ]; then
+                        install -d ${DEPLOYDIR}/arm-trusted-firmware/debug
+                        if [ -f "${B}/${config}${soc_suffix}/${BL2_ELF}" ]; then
+                            install -m 644 "${B}/${config}${soc_suffix}/${BL2_ELF}" "${DEPLOYDIR}/arm-trusted-firmware/debug/${tfa_basename}-${BL2_BASENAME_DEPLOY}-${config}.${TF_A_ELF_SUFFIX}"
+                        fi
+                    fi
+                    ;;
+                bl31)
+                    # Install BL31 files
+                    if [ -f "${B}/${config}${soc_suffix}/${BL31_BASENAME}.${BL31_SUFFIX}" ]; then
+                        install -d "${DEPLOYDIR}/arm-trusted-firmware/bl31"
+                        # Install BL31 binary
+                        install -m 644 "${B}/${config}${soc_suffix}/${BL31_BASENAME}.${BL31_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/bl31/${tfa_basename}-${BL31_BASENAME_DEPLOY}${soc_suffix}.${BL31_SUFFIX}"
+                        if [ -n "${ELF_DEBUG_ENABLE}" ]; then
+                            if [ -f "${B}/${config}${soc_suffix}/${tfa_basename}-${BL31_BASENAME}${soc_suffix}.${TF_A_ELF_SUFFIX}" ]; then
+                                install -d "${DEPLOYDIR}/arm-trusted-firmware/bl32/debug"
+                                install -m 644 "${B}/${config}${soc_suffix}/${tfa_basename}-${BL31_BASENAME}${soc_suffix}.${TF_A_ELF_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/bl31/debug/${tfa_basename}-${BL31_BASENAME_DEPLOY}${soc_suffix}.${TF_A_ELF_SUFFIX}"
+                            fi
+                        fi
+                    fi
+                    if [ -n "${ELF_DEBUG_ENABLE}" ]; then
+                        install -d "${DEPLOYDIR}/arm-trusted-firmware/debug"
+                        if [ -f "${B}/${config}${soc_suffix}/${BL31_ELF}" ]; then
+                            install -m 644 "${B}/${config}${soc_suffix}/${BL31_ELF}" "${DEPLOYDIR}/arm-trusted-firmware/debug/${tfa_basename}-${BL31_BASENAME_DEPLOY}-${config}.${TF_A_ELF_SUFFIX}"
+                        fi
+                    fi
+                    ;;
+                bl32)
+                    # Install BL32 files
+                    if [ -f "${B}/${config}${soc_suffix}/${BL32_BASENAME}.${BL32_SUFFIX}" ]; then
+                        install -d "${DEPLOYDIR}/arm-trusted-firmware/bl32"
+                        # Install BL32 binary
+                        install -m 644 "${B}/${config}${soc_suffix}/${BL32_BASENAME}.${BL32_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/bl32/${tfa_basename}-${BL32_BASENAME_DEPLOY}${soc_suffix}.${BL32_SUFFIX}"
+                        # Install BL32 devicetree
+                        if [ -f "${B}/${config}${soc_suffix}/fdts/${dt}-${BL32_BASENAME}.${DT_SUFFIX}" ]; then
+                            install -m 644 "${B}/${config}${soc_suffix}/fdts/${dt}-${BL32_BASENAME}.${DT_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/bl32/${dt}-${BL32_BASENAME}.${DT_SUFFIX}"
+                        fi
+                        if [ -n "${ELF_DEBUG_ENABLE}" ]; then
+                            if [ -f "${B}/${config}${soc_suffix}/${tfa_basename}-${BL32_BASENAME}${soc_suffix}.${TF_A_ELF_SUFFIX}" ]; then
+                                install -d "${DEPLOYDIR}/arm-trusted-firmware/bl32/debug"
+                                install -m 644 "${B}/${config}${soc_suffix}/${tfa_basename}-${BL32_BASENAME}${soc_suffix}.${TF_A_ELF_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/bl32/debug/${tfa_basename}-${BL32_BASENAME_DEPLOY}${soc_suffix}.${TF_A_ELF_SUFFIX}"
+                            fi
+                        fi
+                    fi
+                    if [ -n "${ELF_DEBUG_ENABLE}" ]; then
+                        install -d "${DEPLOYDIR}/arm-trusted-firmware/debug"
+                        if [ -f "${B}/${config}${soc_suffix}/${BL32_ELF}" ]; then
+                            install -m 644 "${B}/${config}${soc_suffix}/${BL32_ELF}" "${DEPLOYDIR}/arm-trusted-firmware/debug/${tfa_basename}-${BL32_BASENAME_DEPLOY}-${config}.${TF_A_ELF_SUFFIX}"
+                        fi
+                    fi
+                    ;;
+                fwconfig)
+                    # Install fwconfig
+                    if [ -f "${B}/${config}${soc_suffix}/fdts/${dt}-${FWCONFIG_NAME}.${DT_SUFFIX}" ]; then
+                        install -d "${DEPLOYDIR}/arm-trusted-firmware/fwconfig"
+                        install -m 644 "${B}/${config}${soc_suffix}/fdts/${dt}-${FWCONFIG_NAME}.${DT_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/fwconfig/${dt}-${FWCONFIG_NAME}-${config}.${DT_SUFFIX}"
+                    fi
+                    ;;
+                esac
+            done # for file_type in ${tfa_file_type}
+        done # for dt in ${dt_config}
+        if [ -n "${ELF_DEBUG_ENABLE}" ]; then
+            install -d "${DEPLOYDIR}/arm-trusted-firmware/debug"
+            if [ -f "${B}/${config}${soc_suffix}/${BL1_ELF}" ]; then
+                install -m 644 "${B}/${config}${soc_suffix}/${BL1_ELF}" "${DEPLOYDIR}/arm-trusted-firmware/debug/${tfa_basename}-${BL1_BASENAME_DEPLOY}-${config}.${TF_A_ELF_SUFFIX}"
+            fi
+        fi
+    done # for config in ${TF_A_CONFIG}
+
+    if [ "${TF_A_ENABLE_METADATA}" = "1" ]; then
+        install -d "${DEPLOYDIR}/arm-trusted-firmware"
+        if [ -f "${B}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}" ]; then
+            install -m 644 "${B}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/${TF_A_METADATA_BIN}"
+        fi
+    fi
+}
+addtask deploy before do_build after do_compile
diff --git a/recipes-bsp/trusted-firmware-a/tf-a-stm32mp/0002-v2.6-stm32mp-r2.patch b/recipes-bsp/trusted-firmware-a/tf-a-stm32mp/0002-v2.6-stm32mp-r2.patch
new file mode 100644
index 0000000..3d31f3e
--- /dev/null
+++ b/recipes-bsp/trusted-firmware-a/tf-a-stm32mp/0002-v2.6-stm32mp-r2.patch
@@ -0,0 +1,3630 @@
+From 0d04beecba631bf4f890f21e7f934ad9d01e00c4 Mon Sep 17 00:00:00 2001
+From: Romuald JEANNE <romuald.jeanne@st.com>
+Date: Fri, 15 Jul 2022 15:16:36 +0200
+Subject: [PATCH] v2.6-stm32mp-r2
+
+Signed-off-by: Romuald JEANNE <romuald.jeanne@st.com>
+---
+ Makefile                                      |   4 +-
+ bl2/bl2_main.c                                |   6 +-
+ common/bl_common.c                            |  10 +-
+ docs/getting_started/porting-guide.rst        |  14 +-
+ docs/plat/stm32mp1.rst                        |   9 +-
+ drivers/auth/tbbr/tbbr_cot_bl1.c              |  15 +
+ drivers/auth/tbbr/tbbr_cot_bl2.c              |   1 -
+ drivers/auth/tbbr/tbbr_cot_common.c           |  15 -
+ drivers/regulator/regulator_core.c            |  10 +-
+ drivers/st/clk/clk-stm32-core.c               |  28 +-
+ drivers/st/clk/clk-stm32-core.h               |  12 -
+ drivers/st/clk/clk-stm32mp13.c                |   2 -
+ drivers/st/ddr/stm32mp1_ddr.c                 |   8 +-
+ drivers/st/ddr/stm32mp1_ddr_helpers.c         |  12 +-
+ drivers/st/ddr/stm32mp1_ram.c                 |   5 +-
+ drivers/st/ddr/stm32mp_ddr.c                  |  49 ++-
+ drivers/st/gpio/stm32_gpio.c                  |  73 ++++
+ drivers/st/mce/stm32_mce.c                    |  34 +-
+ drivers/st/mmc/stm32_sdmmc2.c                 |  26 +-
+ drivers/st/regulator/regulator_fixed.c        |   8 +-
+ drivers/st/regulator/regulator_gpio.c         | 166 +++++++++
+ drivers/st/uart/aarch32/stm32_console.S       |   6 +
+ fdts/stm32mp1-cot-descriptors.dtsi            | 158 +++++++++
+ fdts/stm32mp13-bl2.dtsi                       |   7 +-
+ fdts/stm32mp13-ssp-bl2.dtsi                   |   2 +-
+ fdts/stm32mp131.dtsi                          |   2 +-
+ fdts/stm32mp135d-dk-fw-config.dts             |   7 -
+ fdts/stm32mp135d-dk.dts                       | 320 ------------------
+ fdts/stm32mp135f-dk.dts                       |   4 +-
+ fdts/stm32mp15-bl2.dtsi                       |  17 +-
+ fdts/stm32mp15-bl32.dtsi                      |   2 +-
+ fdts/stm32mp15-ssp-bl2.dtsi                   |   2 +-
+ fdts/stm32mp151.dtsi                          |   4 +-
+ fdts/stm32mp157a-avenger96.dts                |   4 +-
+ fdts/stm32mp157c-odyssey-som.dtsi             |   4 +-
+ fdts/stm32mp15xx-osd32.dtsi                   |   4 +-
+ include/drivers/auth/tbbr_cot_common.h        |   1 -
+ include/drivers/st/regulator_gpio.h           |  12 +
+ include/drivers/st/stm32_gpio.h               |  12 +-
+ include/drivers/st/stm32_mce.h                |  14 +-
+ include/drivers/st/stm32mp_ddr.h              |   8 +-
+ include/dt-bindings/gpio/stm32-gpio.h         |  41 +++
+ include/plat/common/platform.h                |   6 +-
+ lib/optee/optee_utils.c                       |  21 +-
+ plat/arm/common/arm_io_storage.c              |   7 +-
+ plat/common/plat_bl_common.c                  |  10 +-
+ plat/st/common/bl2_io_storage.c               |  65 +++-
+ plat/st/common/include/stm32mp_common.h       |   4 +-
+ plat/st/common/stm32cubeprogrammer_usb.c      |   3 +-
+ plat/st/common/stm32mp_common.c               |   3 +
+ plat/st/common/stm32mp_crypto_lib.c           |  18 +-
+ plat/st/common/stm32mp_fconf_io.c             |   9 +-
+ plat/st/stm32mp1/bl2_plat_setup.c             |  74 ++--
+ plat/st/stm32mp1/cert_create_tbbr.mk          |  19 ++
+ plat/st/stm32mp1/include/plat_def_fip_uuid.h  |  14 +
+ plat/st/stm32mp1/include/plat_tbbr_img_def.h  |  40 +++
+ plat/st/stm32mp1/include/stm32mp1_context.h   |   5 +-
+ .../stm32mp1/include/tbbr/stm32mp1_tbb_cert.h |  19 ++
+ plat/st/stm32mp1/plat_bl2_mem_params_desc.c   |   4 +-
+ plat/st/stm32mp1/plat_def_uuid_config.c       |  18 +
+ plat/st/stm32mp1/plat_fiptool.mk              |  25 ++
+ plat/st/stm32mp1/platform.mk                  |  33 +-
+ plat/st/stm32mp1/services/bsec_svc.c          |  65 +---
+ plat/st/stm32mp1/sp_min/sp_min_setup.c        |   2 +-
+ plat/st/stm32mp1/stm32mp1_context.c           | 108 +++++-
+ plat/st/stm32mp1/stm32mp1_def.h               |  35 +-
+ plat/st/stm32mp1/stm32mp1_fconf_firewall.c    |  13 +-
+ plat/st/stm32mp1/stm32mp1_fip_def.h           |  15 +-
+ plat/st/stm32mp1/stm32mp1_private.c           |  36 +-
+ plat/st/stm32mp1/stm32mp1_ssp.c               |  51 ++-
+ plat/st/stm32mp1/stm32mp1_tbb_cert.c          |  36 ++
+ 71 files changed, 1257 insertions(+), 639 deletions(-)
+ create mode 100644 drivers/st/regulator/regulator_gpio.c
+ create mode 100644 fdts/stm32mp1-cot-descriptors.dtsi
+ delete mode 100644 fdts/stm32mp135d-dk-fw-config.dts
+ delete mode 100644 fdts/stm32mp135d-dk.dts
+ create mode 100644 include/drivers/st/regulator_gpio.h
+ create mode 100644 include/dt-bindings/gpio/stm32-gpio.h
+ create mode 100644 plat/st/stm32mp1/cert_create_tbbr.mk
+ create mode 100644 plat/st/stm32mp1/include/plat_def_fip_uuid.h
+ create mode 100644 plat/st/stm32mp1/include/plat_tbbr_img_def.h
+ create mode 100644 plat/st/stm32mp1/include/tbbr/stm32mp1_tbb_cert.h
+ create mode 100644 plat/st/stm32mp1/plat_def_uuid_config.c
+ create mode 100644 plat/st/stm32mp1/plat_fiptool.mk
+ create mode 100644 plat/st/stm32mp1/stm32mp1_tbb_cert.c
+
+diff --git a/Makefile b/Makefile
+index 35644b8329..77b9dd76cc 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1393,7 +1393,7 @@ checkpatch:		locate-checkpatch
+ certtool: ${CRTTOOL}
+ 
+ ${CRTTOOL}: FORCE
+-	${Q}${MAKE} PLAT=${PLAT} USE_TBBR_DEFS=${USE_TBBR_DEFS} COT=${COT} CRTTOOL=${CRTTOOL} --no-print-directory -C ${CRTTOOLPATH}
++	${Q}${MAKE} PLAT=${PLAT} USE_TBBR_DEFS=${USE_TBBR_DEFS} COT=${COT} CRTTOOL=${CRTTOOL} --no-print-directory -C ${CRTTOOLPATH} all
+ 	@${ECHO_BLANK_LINE}
+ 	@echo "Built $@ successfully"
+ 	@${ECHO_BLANK_LINE}
+@@ -1438,7 +1438,7 @@ fwu_fip: ${BUILD_PLAT}/${FWU_FIP_NAME}
+ 
+ ${FIPTOOL}: FORCE
+ ifdef UNIX_MK
+-	${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} --no-print-directory -C ${FIPTOOLPATH}
++	${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} --no-print-directory -C ${FIPTOOLPATH} all
+ else
+ # Clear the MAKEFLAGS as we do not want
+ # to pass the gnumake flags to nmake.
+diff --git a/bl2/bl2_main.c b/bl2/bl2_main.c
+index 90fe39bc2f..072b5647b6 100644
+--- a/bl2/bl2_main.c
++++ b/bl2/bl2_main.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2013-2021, ARM Limited and Contributors. All rights reserved.
++ * Copyright (c) 2013-2022, ARM Limited and Contributors. All rights reserved.
+  *
+  * SPDX-License-Identifier: BSD-3-Clause
+  */
+@@ -86,7 +86,9 @@ void bl2_main(void)
+ 	bl2_arch_setup();
+ 
+ #if PSA_FWU_SUPPORT
+-	fwu_init();
++	if (plat_fwu_is_enabled()) {
++		fwu_init();
++	}
+ #endif /* PSA_FWU_SUPPORT */
+ 
+ #if TRUSTED_BOARD_BOOT
+diff --git a/common/bl_common.c b/common/bl_common.c
+index 7b6d89887a..ae7bca2c7f 100644
+--- a/common/bl_common.c
++++ b/common/bl_common.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2013-2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2013-2022, Arm Limited and Contributors. All rights reserved.
+  *
+  * SPDX-License-Identifier: BSD-3-Clause
+  */
+@@ -259,11 +259,15 @@ int load_auth_image(unsigned int image_id, image_info_t *image_data)
+  * when PSA FWU is enabled.
+  */
+ #if PSA_FWU_SUPPORT
+-	err = load_auth_image_internal(image_id, image_data);
++	do {
++		err = load_auth_image_internal(image_id, image_data);
++	} while ((err != 0) && (plat_try_backup_partitions(image_id) != 0));
+ #else
+ 	do {
+ 		err = load_auth_image_internal(image_id, image_data);
+-	} while ((err != 0) && (plat_try_next_boot_source(image_id) != 0));
++	} while (((err != 0) && ((plat_try_next_boot_source() != 0) ||
++				 (plat_try_backup_partitions(image_id) != 0))));
++
+ #endif /* PSA_FWU_SUPPORT */
+ 
+ 	return err;
+diff --git a/docs/getting_started/porting-guide.rst b/docs/getting_started/porting-guide.rst
+index 27bcca094c..775b8cd0e1 100644
+--- a/docs/getting_started/porting-guide.rst
++++ b/docs/getting_started/porting-guide.rst
+@@ -976,6 +976,18 @@ resets while booting from the active bank, the platform can then switch to boot
+ from a different bank. This function then returns the bank that the platform
+ should boot its images from.
+ 
++Function : plat_fwu_is_enabled() [when PSA_FWU_SUPPORT == 1]
++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++
++::
++
++    Argument : void
++    Return   : bool
++
++This function is mandatory when PSA_FWU_SUPPORT is enabled. It checks at
++platform level that all conditions are met to initialize FWU process.
++
++
+ Common optional modifications
+ -----------------------------
+ 
+@@ -3161,7 +3173,7 @@ amount of open resources per driver.
+ 
+ --------------
+ 
+-*Copyright (c) 2013-2021, Arm Limited and Contributors. All rights reserved.*
++*Copyright (c) 2013-2022, Arm Limited and Contributors. All rights reserved.*
+ 
+ .. _PSCI: http://infocenter.arm.com/help/topic/com.arm.doc.den0022c/DEN0022C_Power_State_Coordination_Interface.pdf
+ .. _Arm Generic Interrupt Controller version 2.0 (GICv2): http://infocenter.arm.com/help/topic/com.arm.doc.ihi0048b/index.html
+diff --git a/docs/plat/stm32mp1.rst b/docs/plat/stm32mp1.rst
+index 2403b275a6..3575b1547b 100644
+--- a/docs/plat/stm32mp1.rst
++++ b/docs/plat/stm32mp1.rst
+@@ -137,6 +137,8 @@ Other configuration flags:
+   | Default: stm32mp157c-ev1.dtb
+ - | ``STM32MP_EARLY_CONSOLE``: to enable early traces before clock driver is setup.
+   | Default: 0 (disabled)
++- | ``STM32MP_RECONFIGURE_CONSOLE``: to re-configure crash console (especially after BL2).
++  | Default: 0 (disabled)
+ - | ``STM32MP_UART_BAUDRATE``: to select UART baud rate.
+   | Default: 115200
+ - | ``STM32_TF_VERSION``: to manage BL2 monotonic counter.
+@@ -245,19 +247,20 @@ __________________
+         --nt-fw-cert build/stm32mp1/cert_images/u-boot.bin.crt \
+         --nt-fw-key-cert build/stm32mp1/cert_images/u-boot.bin.key-crt \
+         --hw-config <u-boot_directory>/u-boot.dtb \
+-        --fw-config build/stm32mp1/debug/fdts/fw-config.dtb
++        --fw-config build/stm32mp1/debug/fdts/fw-config.dtb \
++        --stm32mp-cfg-cert build/stm32mp1/cert_images/stm32mp_cfg_cert.crt
+ 
+     tools/fiptool/fiptool create --tos-fw <optee_directory>/tee-header_v2.bin \
+         --tos-fw-extra1 <optee_directory>/tee-pager_v2.bin \
+         --tos-fw-extra2 <optee_directory>/tee-pageable_v2.bin \
+         --nt-fw <u-boot_directory>/u-boot-nodtb.bin \
+         --hw-config <u-boot_directory>/u-boot.dtb \
++        --fw-config build/stm32mp1/debug/fdts/fw-config.dtb \
+         --tos-fw-cert build/stm32mp1/cert_images/tee-header_v2.bin.crt \
+         --tos-fw-key-cert build/stm32mp1/cert_images/tee-header_v2.bin.key-crt \
+         --nt-fw-cert build/stm32mp1/cert_images/u-boot.bin.crt \
+         --nt-fw-key-cert build/stm32mp1/cert_images/u-boot.bin.key-crt \
+-        --trusted-key-cert build/stm32mp1/cert_images/trusted-key-cert.key-crt \
+-        --tb-fw-cert build/stm32mp1/cert_images/trusted-boot-fw.key-crt stm32mp1.fip
++        --stm32mp-cfg-cert build/stm32mp1/stm32mp_cfg_cert.crt stm32mp1.fip
+ 
+ 
+ 
+diff --git a/drivers/auth/tbbr/tbbr_cot_bl1.c b/drivers/auth/tbbr/tbbr_cot_bl1.c
+index 15a35431d6..e4c92213ae 100644
+--- a/drivers/auth/tbbr/tbbr_cot_bl1.c
++++ b/drivers/auth/tbbr/tbbr_cot_bl1.c
+@@ -150,6 +150,21 @@ static const auth_img_desc_t tb_fw_config = {
+ 	}
+ };
+ 
++static const auth_img_desc_t fw_config = {
++	.img_id = FW_CONFIG_ID,
++	.img_type = IMG_RAW,
++	.parent = &trusted_boot_fw_cert,
++	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
++		[0] = {
++			.type = AUTH_METHOD_HASH,
++			.param.hash = {
++				.data = &raw_data,
++				.hash = &fw_config_hash
++			}
++		}
++	}
++};
++
+ /*
+  * TBBR Chain of trust definition
+  */
+diff --git a/drivers/auth/tbbr/tbbr_cot_bl2.c b/drivers/auth/tbbr/tbbr_cot_bl2.c
+index de7ad8f902..65a0478abf 100644
+--- a/drivers/auth/tbbr/tbbr_cot_bl2.c
++++ b/drivers/auth/tbbr/tbbr_cot_bl2.c
+@@ -671,7 +671,6 @@ static const auth_img_desc_t * const cot_desc[] = {
+ 	[NON_TRUSTED_FW_CONTENT_CERT_ID]	=	&non_trusted_fw_content_cert,
+ 	[BL33_IMAGE_ID]				=	&bl33_image,
+ 	[NT_FW_CONFIG_ID]			=	&nt_fw_config,
+-	[FW_CONFIG_ID]				=	&fw_config,
+ #if defined(SPD_spmd)
+ 	[SIP_SP_CONTENT_CERT_ID]		=	&sip_sp_content_cert,
+ 	[SP_PKG1_ID]				=	&sp_pkg1,
+diff --git a/drivers/auth/tbbr/tbbr_cot_common.c b/drivers/auth/tbbr/tbbr_cot_common.c
+index 279f30e2e2..ff3f22de15 100644
+--- a/drivers/auth/tbbr/tbbr_cot_common.c
++++ b/drivers/auth/tbbr/tbbr_cot_common.c
+@@ -124,18 +124,3 @@ const auth_img_desc_t hw_config = {
+ 		}
+ 	}
+ };
+-
+-const auth_img_desc_t fw_config = {
+-	.img_id = FW_CONFIG_ID,
+-	.img_type = IMG_RAW,
+-	.parent = &trusted_boot_fw_cert,
+-	.img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
+-		[0] = {
+-			.type = AUTH_METHOD_HASH,
+-			.param.hash = {
+-				.data = &raw_data,
+-				.hash = &fw_config_hash
+-			}
+-		}
+-	}
+-};
+diff --git a/drivers/regulator/regulator_core.c b/drivers/regulator/regulator_core.c
+index 05a1b45110..de915a4a69 100644
+--- a/drivers/regulator/regulator_core.c
++++ b/drivers/regulator/regulator_core.c
+@@ -688,6 +688,7 @@ static void parse_low_power_modes(const void *fdt, struct rdev *rdev, int node)
+ #else
+ static int parse_properties(const void *fdt, struct rdev *rdev, int node)
+ {
++	const fdt32_t *cuint;
+ 	int ret;
+ 
+ 	if (fdt_getprop(fdt, node, "regulator-always-on", NULL) != NULL) {
+@@ -698,6 +699,13 @@ static int parse_properties(const void *fdt, struct rdev *rdev, int node)
+ 		}
+ 	}
+ 
++	cuint = fdt_getprop(fdt, node, "regulator-enable-ramp-delay", NULL);
++	if (cuint != NULL) {
++		rdev->enable_ramp_delay = fdt32_to_cpu(*cuint);
++		VERBOSE("%s: enable_ramp_delay=%u\n", rdev->desc->node_name,
++			rdev->enable_ramp_delay);
++	}
++
+ 	return 0;
+ }
+ #endif
+@@ -803,7 +811,7 @@ int regulator_register(const struct regul_description *desc, int node)
+ 	}
+ 
+ 	if (rdev == rdev_array + PLAT_NB_RDEVS) {
+-		WARN("out of memory\n");
++		WARN("Not enough place for regulators, PLAT_NB_RDEVS should be increased.\n");
+ 		return -ENOMEM;
+ 	}
+ 
+diff --git a/drivers/st/clk/clk-stm32-core.c b/drivers/st/clk/clk-stm32-core.c
+index 16a1c78b1a..ff90e8af90 100644
+--- a/drivers/st/clk/clk-stm32-core.c
++++ b/drivers/st/clk/clk-stm32-core.c
+@@ -144,7 +144,7 @@ int clk_oscillator_wait_ready(struct stm32_clk_priv *priv, int id, bool ready_on
+ {
+ 	struct clk_oscillator_data *osc_data = clk_oscillator_get_data(priv, id);
+ 
+-	return _clk_stm32_gate_wait_ready(priv, osc_data->gate_id, ready_on);
++	return _clk_stm32_gate_wait_ready(priv, osc_data->gate_rdy_id, ready_on);
+ }
+ 
+ int clk_oscillator_wait_ready_on(struct stm32_clk_priv *priv, int id)
+@@ -216,24 +216,6 @@ int _clk_stm32_gate_enable(struct stm32_clk_priv *priv, uint16_t gate_id)
+ 	return 0;
+ }
+ 
+-const char *_clk_stm32_get_name(struct stm32_clk_priv *priv, int id)
+-{
+-	return priv->clks[id].name;
+-}
+-
+-const char *clk_stm32_get_name(struct stm32_clk_priv *priv,
+-			       unsigned long binding_id)
+-{
+-	int id;
+-
+-	id = clk_get_index(priv, binding_id);
+-	if (id == -EINVAL) {
+-		return NULL;
+-	}
+-
+-	return _clk_stm32_get_name(priv, id);
+-}
+-
+ const struct clk_stm32 *_clk_get(struct stm32_clk_priv *priv, int id)
+ {
+ 	if ((unsigned int)id < priv->num) {
+@@ -984,6 +966,10 @@ int clk_stm32_osc_gate_enable(struct stm32_clk_priv *priv, int id)
+ {
+ 	struct clk_oscillator_data *osc_data = clk_oscillator_get_data(priv, id);
+ 
++	if (osc_data->frequency == 0UL) {
++		return 0;
++	}
++
+ 	_clk_stm32_gate_enable(priv, osc_data->gate_id);
+ 
+ 	if (_clk_stm32_gate_wait_ready(priv, osc_data->gate_rdy_id, true) != 0U) {
+@@ -998,6 +984,10 @@ void clk_stm32_osc_gate_disable(struct stm32_clk_priv *priv, int id)
+ {
+ 	struct clk_oscillator_data *osc_data = clk_oscillator_get_data(priv, id);
+ 
++	if (osc_data->frequency == 0UL) {
++		return;
++	}
++
+ 	_clk_stm32_gate_disable(priv, osc_data->gate_id);
+ 
+ 	if (_clk_stm32_gate_wait_ready(priv, osc_data->gate_rdy_id, false) != 0U) {
+diff --git a/drivers/st/clk/clk-stm32-core.h b/drivers/st/clk/clk-stm32-core.h
+index c771c6fbfe..280141badf 100644
+--- a/drivers/st/clk/clk-stm32-core.h
++++ b/drivers/st/clk/clk-stm32-core.h
+@@ -54,7 +54,6 @@ struct stm32_clk_ops {
+ };
+ 
+ struct clk_stm32 {
+-	const char *name;
+ 	uint16_t binding;
+ 	uint16_t parent;
+ 	uint8_t flags;
+@@ -163,8 +162,6 @@ int clk_oscillator_wait_ready(struct stm32_clk_priv *priv, int id, bool ready_on
+ int clk_oscillator_wait_ready_on(struct stm32_clk_priv *priv, int id);
+ int clk_oscillator_wait_ready_off(struct stm32_clk_priv *priv, int id);
+ 
+-const char *_clk_stm32_get_name(struct stm32_clk_priv *priv, int id);
+-const char *clk_stm32_get_name(struct stm32_clk_priv *priv, unsigned long binding_id);
+ int clk_stm32_get_counter(unsigned long binding_id);
+ 
+ void _clk_stm32_gate_disable(struct stm32_clk_priv *priv, uint16_t gate_id);
+@@ -226,7 +223,6 @@ struct clk_stm32_div_cfg {
+ 
+ #define STM32_DIV(idx, _binding, _parent, _flags, _div_id) \
+ 	[(idx)] = (struct clk_stm32){ \
+-		.name		= #idx,\
+ 		.binding	= (_binding),\
+ 		.parent		=  (_parent),\
+ 		.flags		= (_flags),\
+@@ -242,7 +238,6 @@ struct clk_stm32_gate_cfg {
+ 
+ #define STM32_GATE(idx, _binding, _parent, _flags, _gate_id) \
+ 	[(idx)] = (struct clk_stm32){ \
+-		.name		= #idx,\
+ 		.binding	= (_binding),\
+ 		.parent		=  (_parent),\
+ 		.flags		= (_flags),\
+@@ -262,7 +257,6 @@ unsigned long fixed_factor_recalc_rate(struct stm32_clk_priv *priv,
+ 
+ #define FIXED_FACTOR(idx, _idx, _parent, _mult, _div) \
+ 	[(idx)] = (struct clk_stm32){ \
+-		.name		= #idx,\
+ 		.binding	= (_idx),\
+ 		.parent		= (_parent),\
+ 		.clock_cfg	= &(struct fixed_factor_cfg){\
+@@ -274,7 +268,6 @@ unsigned long fixed_factor_recalc_rate(struct stm32_clk_priv *priv,
+ 
+ #define GATE(idx, _binding, _parent, _flags, _offset, _bit_idx) \
+ 	[(idx)] = (struct clk_stm32){ \
+-		.name		= #idx,\
+ 		.binding	= (_binding),\
+ 		.parent		=  (_parent),\
+ 		.flags		= (_flags),\
+@@ -287,7 +280,6 @@ unsigned long fixed_factor_recalc_rate(struct stm32_clk_priv *priv,
+ 
+ #define STM32_MUX(idx, _binding, _mux_id, _flags) \
+ 	[(idx)] = (struct clk_stm32){ \
+-		.name		= #idx,\
+ 		.binding	= (_binding),\
+ 		.parent		= (MUX(_mux_id)),\
+ 		.flags		= (_flags),\
+@@ -302,7 +294,6 @@ struct clk_timer_cfg {
+ 
+ #define CK_TIMER(idx, _idx, _parent, _flags, _apbdiv, _timpre) \
+ 	[(idx)] = (struct clk_stm32){ \
+-		.name		= #idx,\
+ 		.binding	= (_idx),\
+ 		.parent		= (_parent),\
+ 		.flags		= (CLK_SET_RATE_PARENT | (_flags)),\
+@@ -319,7 +310,6 @@ struct clk_stm32_fixed_rate_cfg {
+ 
+ #define CLK_FIXED_RATE(idx, _binding, _rate) \
+ 	[(idx)] = (struct clk_stm32){ \
+-		.name		= #idx,\
+ 		.binding	= (_binding),\
+ 		.parent		= (CLK_IS_ROOT),\
+ 		.clock_cfg	= &(struct clk_stm32_fixed_rate_cfg){\
+@@ -370,7 +360,6 @@ struct stm32_osc_cfg {
+ 
+ #define CLK_OSC(idx, _idx, _parent, _osc_id) \
+ 	[(idx)] = (struct clk_stm32){ \
+-		.name		= #idx,\
+ 		.binding	= (_idx),\
+ 		.parent		= (_parent),\
+ 		.flags		= CLK_IS_CRITICAL,\
+@@ -382,7 +371,6 @@ struct stm32_osc_cfg {
+ 
+ #define CLK_OSC_FIXED(idx, _idx, _parent, _osc_id) \
+ 	[(idx)] = (struct clk_stm32){ \
+-		.name		= #idx,\
+ 		.binding	= (_idx),\
+ 		.parent		= (_parent),\
+ 		.flags		= CLK_IS_CRITICAL,\
+diff --git a/drivers/st/clk/clk-stm32mp13.c b/drivers/st/clk/clk-stm32mp13.c
+index 19613d021d..321b1fdc9a 100644
+--- a/drivers/st/clk/clk-stm32mp13.c
++++ b/drivers/st/clk/clk-stm32mp13.c
+@@ -1751,7 +1751,6 @@ const struct stm32_clk_ops clk_stm32_pll_ops = {
+ };
+ 
+ #define CLK_PLL(idx, _idx, _parent, _gate, _pll_id, _flags)[idx] = {\
+-	.name = #idx,\
+ 	.binding = _idx,\
+ 	.parent = _parent,\
+ 	.flags = (_flags),\
+@@ -1808,7 +1807,6 @@ const struct stm32_clk_ops clk_stm32_composite_ops = {
+ 
+ #define STM32_COMPOSITE(idx, _binding, _parent, _flags, _gate_id,\
+ 			_div_id)[idx] = {\
+-	.name = #idx,\
+ 	.binding = (_binding),\
+ 	.parent =  (_parent),\
+ 	.flags = (_flags),\
+diff --git a/drivers/st/ddr/stm32mp1_ddr.c b/drivers/st/ddr/stm32mp1_ddr.c
+index befdfacbf0..4376f5dce2 100644
+--- a/drivers/st/ddr/stm32mp1_ddr.c
++++ b/drivers/st/ddr/stm32mp1_ddr.c
+@@ -217,7 +217,7 @@ static void stm32mp1_ddrphy_idone_wait(struct stm32mp_ddrphy *phy)
+ {
+ 	uint32_t pgsr;
+ 	int error = 0;
+-	uint64_t timeout = timeout_init_us(TIMEOUT_US_1S);
++	uint64_t timeout = timeout_init_us(DDR_TIMEOUT_US_1S);
+ 
+ 	do {
+ 		pgsr = mmio_read_32((uintptr_t)&phy->pgsr);
+@@ -268,7 +268,7 @@ static void stm32mp1_ddrphy_init(struct stm32mp_ddrphy *phy, uint32_t pir)
+ 		mmio_read_32((uintptr_t)&phy->pir));
+ 
+ 	/* Need to wait 10 configuration clock before start polling */
+-	udelay(10);
++	udelay(DDR_DELAY_10US);
+ 
+ 	/* Wait DRAM initialization and Gate Training Evaluation complete */
+ 	stm32mp1_ddrphy_idone_wait(phy);
+@@ -281,7 +281,7 @@ static void stm32mp1_wait_operating_mode(struct stm32mp_ddr_priv *priv, uint32_t
+ 	uint32_t stat;
+ 	int break_loop = 0;
+ 
+-	timeout = timeout_init_us(TIMEOUT_US_1S);
++	timeout = timeout_init_us(DDR_TIMEOUT_US_1S);
+ 	for ( ; ; ) {
+ 		uint32_t operating_mode;
+ 		uint32_t selref_type;
+@@ -734,7 +734,7 @@ void stm32mp1_ddr_init(struct stm32mp_ddr_priv *priv,
+ 	mmio_clrbits_32(priv->rcc + RCC_DDRITFCR, RCC_DDRITFCR_DDRCAPBRST);
+ 
+ 	/* 1.4. wait 128 cycles to permit initialization of end logic */
+-	udelay(2);
++	udelay(DDR_DELAY_2US);
+ 	/* For PCLK = 133MHz => 1 us is enough, 2 to allow lower frequency */
+ 
+ 	/* 1.5. initialize registers ddr_umctl2 */
+diff --git a/drivers/st/ddr/stm32mp1_ddr_helpers.c b/drivers/st/ddr/stm32mp1_ddr_helpers.c
+index 49f9c3d097..facac102be 100644
+--- a/drivers/st/ddr/stm32mp1_ddr_helpers.c
++++ b/drivers/st/ddr/stm32mp1_ddr_helpers.c
+@@ -96,7 +96,7 @@ static int ddr_sw_self_refresh_in(void)
+ 	mmio_clrbits_32(ddrphyc_base + DDRPHYC_DSGCR, DDRPHYC_DSGCR_CKOE);
+ 
+ 	/* Additional delay to avoid early latch */
+-	udelay(10);
++	udelay(DDR_DELAY_10US);
+ 
+ 	/* Activate sw retention in PWRCTRL */
+ 	stm32mp_pwr_regs_lock();
+@@ -201,7 +201,7 @@ int ddr_sw_self_refresh_exit(void)
+ #endif
+ 
+ 	/* Additional delay to avoid early DLL clock switch */
+-	udelay(50);
++	udelay(DDR_DELAY_50US);
+ 
+ 	/* Switch controller clocks (uMCTL2/PUBL) to DLL ref clock */
+ 	stm32mp1_clk_rcc_regs_lock();
+@@ -211,7 +211,7 @@ int ddr_sw_self_refresh_exit(void)
+ 	mmio_clrbits_32(ddrphyc_base + DDRPHYC_ACDLLCR,
+ 			DDRPHYC_ACDLLCR_DLLSRST);
+ 
+-	udelay(10);
++	udelay(DDR_DELAY_10US);
+ 
+ 	mmio_setbits_32(ddrphyc_base + DDRPHYC_ACDLLCR,
+ 			DDRPHYC_ACDLLCR_DLLSRST);
+@@ -222,10 +222,10 @@ int ddr_sw_self_refresh_exit(void)
+ 		      DDRPHYC_PIR_ITMSRST | DDRPHYC_PIR_INIT);
+ 
+ 	/* Need to wait at least 10 clock cycles before accessing PGSR */
+-	udelay(1);
++	udelay(DDR_DELAY_1US);
+ 
+ 	/* Pool end of init */
+-	timeout = timeout_init_us(TIMEOUT_500US);
++	timeout = timeout_init_us(DDR_TIMEOUT_500US);
+ 
+ 	while ((mmio_read_32(ddrphyc_base + DDRPHYC_PGSR) &
+ 		DDRPHYC_PGSR_IDONE) == 0U) {
+@@ -285,7 +285,7 @@ int ddr_sw_self_refresh_exit(void)
+ 	stm32mp_ddr_sw_selfref_exit((struct stm32mp_ddrctl *)ddrctrl_base);
+ 
+ 	/* Wait operating_mode == normal */
+-	timeout = timeout_init_us(TIMEOUT_500US);
++	timeout = timeout_init_us(DDR_TIMEOUT_500US);
+ 	while ((mmio_read_32(ddrctrl_base + DDRCTRL_STAT) &
+ 		DDRCTRL_STAT_OPERATING_MODE_MASK) !=
+ 	       DDRCTRL_STAT_OPERATING_MODE_NORMAL) {
+diff --git a/drivers/st/ddr/stm32mp1_ram.c b/drivers/st/ddr/stm32mp1_ram.c
+index 615fa2862d..48b287d5b7 100644
+--- a/drivers/st/ddr/stm32mp1_ram.c
++++ b/drivers/st/ddr/stm32mp1_ram.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2018-2021, STMicroelectronics - All Rights Reserved
++ * Copyright (C) 2018-2022, STMicroelectronics - All Rights Reserved
+  *
+  * SPDX-License-Identifier: GPL-2.0+ OR BSD-3-Clause
+  */
+@@ -161,6 +161,9 @@ static int stm32mp1_ddr_setup(void)
+ 	/* Save DDR self_refresh state */
+ 	ddr_self_refresh = config.self_refresh;
+ 
++	/* Flush the value that will be used during MMU OFF sequence */
++	flush_dcache_range((uintptr_t)&ddr_self_refresh, sizeof(ddr_self_refresh));
++
+ 	return 0;
+ }
+ 
+diff --git a/drivers/st/ddr/stm32mp_ddr.c b/drivers/st/ddr/stm32mp_ddr.c
+index d162c75d1a..6e261ba697 100644
+--- a/drivers/st/ddr/stm32mp_ddr.c
++++ b/drivers/st/ddr/stm32mp_ddr.c
+@@ -14,6 +14,9 @@
+ 
+ #define INVALID_OFFSET	0xFFU
+ 
++static bool axi_port_reenable_request;
++static bool host_interface_reenable_request;
++
+ static uintptr_t get_base_addr(const struct stm32mp_ddr_priv *priv, enum stm32mp_ddr_base_type base)
+ {
+ 	if (base == DDRPHY_BASE) {
+@@ -65,7 +68,7 @@ void stm32mp_ddr_wait_sw_done_ack(struct stm32mp_ddrctl *ctl)
+ 	VERBOSE("[0x%lx] swctl = 0x%x\n",
+ 		(uintptr_t)&ctl->swctl, mmio_read_32((uintptr_t)&ctl->swctl));
+ 
+-	timeout = timeout_init_us(TIMEOUT_US_1S);
++	timeout = timeout_init_us(DDR_TIMEOUT_US_1S);
+ 	do {
+ 		swstat = mmio_read_32((uintptr_t)&ctl->swstat);
+ 		VERBOSE("[0x%lx] swstat = 0x%x ",
+@@ -116,7 +119,7 @@ int stm32mp_ddr_disable_axi_port(struct stm32mp_ddrctl *ctl)
+ 	 * Poll PSTAT.rd_port_busy_n = 0
+ 	 * Poll PSTAT.wr_port_busy_n = 0
+ 	 */
+-	timeout = timeout_init_us(TIMEOUT_US_1S);
++	timeout = timeout_init_us(DDR_TIMEOUT_US_1S);
+ 	do {
+ 		pstat = mmio_read_32((uintptr_t)&ctl->pstat);
+ 		VERBOSE("[0x%lx] pstat = 0x%x ",
+@@ -129,6 +132,11 @@ int stm32mp_ddr_disable_axi_port(struct stm32mp_ddrctl *ctl)
+ 	return 0;
+ }
+ 
++static bool ddr_is_axi_port_enabled(struct stm32mp_ddrctl *ctl)
++{
++	return (mmio_read_32((uintptr_t)&ctl->pctrl_0) & DDRCTRL_PCTRL_N_PORT_EN) != 0U;
++}
++
+ void stm32mp_ddr_enable_host_interface(struct stm32mp_ddrctl *ctl)
+ {
+ 	mmio_clrbits_32((uintptr_t)&ctl->dbg1, DDRCTRL_DBG1_DIS_HIF);
+@@ -158,7 +166,7 @@ void stm32mp_ddr_disable_host_interface(struct stm32mp_ddrctl *ctl)
+ 	 * data_pipeline fields must be polled twice to ensure
+ 	 * value propoagation, so count is added to loop condition.
+ 	 */
+-	timeout = timeout_init_us(TIMEOUT_US_1S);
++	timeout = timeout_init_us(DDR_TIMEOUT_US_1S);
+ 	do {
+ 		dbgcam = mmio_read_32((uintptr_t)&ctl->dbgcam);
+ 		VERBOSE("[0x%lx] dbgcam = 0x%x ",
+@@ -171,6 +179,11 @@ void stm32mp_ddr_disable_host_interface(struct stm32mp_ddrctl *ctl)
+ 		  DDRCTRL_DBG_Q_AND_DATA_PIPELINE_EMPTY) || (count < 2));
+ }
+ 
++static bool ddr_is_host_interface_enabled(struct stm32mp_ddrctl *ctl)
++{
++	return (mmio_read_32((uintptr_t)&ctl->dbg1) & DDRCTRL_DBG1_DIS_HIF) == 0U;
++}
++
+ int stm32mp_ddr_sw_selfref_entry(struct stm32mp_ddrctl *ctl)
+ {
+ 	uint64_t timeout;
+@@ -189,7 +202,7 @@ int stm32mp_ddr_sw_selfref_entry(struct stm32mp_ddrctl *ctl)
+ 	 * Ensure transition to self-refresh was due to software
+ 	 * by checking also that STAT.selfref_type[1:0]=2.
+ 	 */
+-	timeout = timeout_init_us(TIMEOUT_500US);
++	timeout = timeout_init_us(DDR_TIMEOUT_500US);
+ 	while (!timeout_elapsed(timeout)) {
+ 		stat = mmio_read_32((uintptr_t)&ctl->stat);
+ 		operating_mode = stat & DDRCTRL_STAT_OPERATING_MODE_MASK;
+@@ -214,18 +227,34 @@ void stm32mp_ddr_sw_selfref_exit(struct stm32mp_ddrctl *ctl)
+ 
+ void stm32mp_ddr_set_qd3_update_conditions(struct stm32mp_ddrctl *ctl)
+ {
+-	if (stm32mp_ddr_disable_axi_port(ctl) != 0) {
+-		panic();
++	if (ddr_is_axi_port_enabled(ctl)) {
++		if (stm32mp_ddr_disable_axi_port(ctl) != 0) {
++			panic();
++		}
++		axi_port_reenable_request = true;
++	}
++
++	if (ddr_is_host_interface_enabled(ctl)) {
++		stm32mp_ddr_disable_host_interface(ctl);
++		host_interface_reenable_request = true;
+ 	}
+-	stm32mp_ddr_disable_host_interface(ctl);
++
+ 	stm32mp_ddr_start_sw_done(ctl);
+ }
+ 
+ void stm32mp_ddr_unset_qd3_update_conditions(struct stm32mp_ddrctl *ctl)
+ {
+ 	stm32mp_ddr_wait_sw_done_ack(ctl);
+-	stm32mp_ddr_enable_host_interface(ctl);
+-	stm32mp_ddr_enable_axi_port(ctl);
++
++	if (host_interface_reenable_request) {
++		stm32mp_ddr_enable_host_interface(ctl);
++		host_interface_reenable_request = false;
++	}
++
++	if (axi_port_reenable_request) {
++		stm32mp_ddr_enable_axi_port(ctl);
++		axi_port_reenable_request = false;
++	}
+ }
+ 
+ void stm32mp_ddr_wait_refresh_update_done_ack(struct stm32mp_ddrctl *ctl)
+@@ -246,7 +275,7 @@ void stm32mp_ddr_wait_refresh_update_done_ack(struct stm32mp_ddrctl *ctl)
+ 	VERBOSE("[0x%lx] rfshctl3 = 0x%x\n",
+ 		(uintptr_t)&ctl->rfshctl3, mmio_read_32((uintptr_t)&ctl->rfshctl3));
+ 
+-	timeout = timeout_init_us(TIMEOUT_US_1S);
++	timeout = timeout_init_us(DDR_TIMEOUT_US_1S);
+ 	do {
+ 		rfshctl3 = mmio_read_32((uintptr_t)&ctl->rfshctl3);
+ 		VERBOSE("[0x%lx] rfshctl3 = 0x%x ", (uintptr_t)&ctl->rfshctl3, rfshctl3);
+diff --git a/drivers/st/gpio/stm32_gpio.c b/drivers/st/gpio/stm32_gpio.c
+index dbd11ccddf..259445866c 100644
+--- a/drivers/st/gpio/stm32_gpio.c
++++ b/drivers/st/gpio/stm32_gpio.c
+@@ -14,9 +14,11 @@
+ 
+ #include <common/bl_common.h>
+ #include <common/debug.h>
++#include <common/fdt_wrappers.h>
+ #include <drivers/clk.h>
+ #include <drivers/st/stm32_gpio.h>
+ #include <drivers/st/stm32mp_clkfunc.h>
++#include <dt-bindings/gpio/stm32-gpio.h>
+ #include <lib/mmio.h>
+ #include <lib/utils_def.h>
+ 
+@@ -321,3 +323,74 @@ void set_gpio_reset_cfg(uint32_t bank, uint32_t pin)
+ 		 GPIO_SPEED_LOW, GPIO_NO_PULL, 0U, GPIO_ALTERNATE_(0), DT_DISABLED);
+ 	set_gpio_secure_cfg(bank, pin, stm32_gpio_is_secure_at_reset(bank));
+ }
++
++void set_gpio_level(uint32_t bank, uint32_t pin, enum gpio_level level)
++{
++	uintptr_t base = stm32_get_gpio_bank_base(bank);
++	unsigned long clock = stm32_get_gpio_bank_clock(bank);
++
++	assert(pin <= GPIO_PIN_MAX);
++
++	clk_enable(clock);
++
++	if (level == GPIO_LEVEL_HIGH) {
++		mmio_write_32(base + GPIO_BSRR_OFFSET, BIT(pin));
++	} else {
++		mmio_write_32(base + GPIO_BSRR_OFFSET, BIT(pin + 16U));
++	}
++
++	VERBOSE("GPIO %u level set to 0x%x\n", bank,
++		mmio_read_32(base + GPIO_IDR_OFFSET));
++
++	clk_disable(clock);
++}
++
++enum gpio_level get_gpio_level(uint32_t bank, uint32_t pin)
++{
++	uintptr_t base = stm32_get_gpio_bank_base(bank);
++	unsigned long clock = stm32_get_gpio_bank_clock(bank);
++	enum gpio_level level = GPIO_LEVEL_LOW;
++
++	assert(pin <= GPIO_PIN_MAX);
++
++	clk_enable(clock);
++
++	if (mmio_read_32(base + GPIO_IDR_OFFSET) & BIT(pin)) {
++		level = GPIO_LEVEL_HIGH;
++	}
++
++	VERBOSE("GPIO %u get level 0x%x\n", bank,
++		mmio_read_32(base + GPIO_IDR_OFFSET));
++
++	clk_disable(clock);
++
++	return level;
++}
++
++void set_gpio_config(uint32_t bank, uint32_t pin, uint32_t config, uint8_t status)
++{
++	uint32_t mode = GPIO_MODE_OUTPUT;
++	uint32_t od = 0U;
++	uint32_t pull = GPIO_NO_PULL;
++
++	VERBOSE("GPIO %u:%u set config to 0x%x\n", bank, pin, config);
++
++	if (config & GPIOF_DIR_IN) {
++		mode = GPIO_MODE_INPUT;
++	}
++
++	if (config & GPIOF_OUT_INIT_HIGH) {
++		od = 1U;
++	}
++
++	if (config & GPIOF_PULL_UP) {
++		pull |= GPIO_PULL_UP;
++	}
++
++	if (config & GPIOF_PULL_DOWN) {
++		pull |= GPIO_PULL_DOWN;
++	}
++
++	set_gpio(bank, pin, mode, GPIO_TYPE_PUSH_PULL, GPIO_SPEED_LOW,
++		 pull, od, GPIO_ALTERNATE_(0), status);
++}
+diff --git a/drivers/st/mce/stm32_mce.c b/drivers/st/mce/stm32_mce.c
+index 114bec6bc5..9ceb58c128 100644
+--- a/drivers/st/mce/stm32_mce.c
++++ b/drivers/st/mce/stm32_mce.c
+@@ -82,16 +82,6 @@ struct mce_dt_id_attr {
+ 	fdt32_t id_attr[MCE_IP_MAX_REGION_NB];
+ };
+ 
+-struct stm32_mce_region_s {
+-	uint32_t encrypt_mode;	/*
+-				 * Specifies the region encryption mode.
+-				 * This parameter can be a value of
+-				 * @ref MCE_*_MODE (in driver header file).
+-				 */
+-	uint32_t start_address;	/* Specifies the region start address */
+-	uint32_t end_address;	/* Specifies the region end address */
+-};
+-
+ /*
+  * @brief  Configure privileged access to the MCE registers.
+  * @param  privilege: Only privileged (true) or all (false) access are granted.
+@@ -358,6 +348,28 @@ int stm32_mce_get_address_encryption_state(uint32_t address, uint32_t *state)
+ 	return 0;
+ }
+ 
++void stm32_mce_reload_configuration(void)
++{
++	uint32_t idx;
++
++	for (idx = 0U; idx < MCE_IP_MAX_REGION_NB; idx++) {
++		struct stm32_mce_region_s region;
++
++		stm32mp1_pm_get_mce_region(idx, &region);
++
++		if (region.end_address == 0U) {
++			break;
++		}
++
++		VERBOSE("%s: mce cell found with value = 0x%x 0x%x 0x%x\n", __func__,
++			region.start_address, region.end_address, region.encrypt_mode);
++
++		if (stm32_mce_configure_region(idx, &region) != 0) {
++			panic();
++		}
++	}
++}
++
+ static int fconf_populate_mce(uintptr_t config)
+ {
+ 	int node, len;
+@@ -403,6 +415,8 @@ static int fconf_populate_mce(uintptr_t config)
+ 		if (stm32_mce_configure_region(i, &region) != 0) {
+ 			panic();
+ 		}
++
++		stm32mp1_pm_save_mce_region(i, &region);
+ 	}
+ 
+ 	return 0;
+diff --git a/drivers/st/mmc/stm32_sdmmc2.c b/drivers/st/mmc/stm32_sdmmc2.c
+index 66c7a2271b..d226003b74 100644
+--- a/drivers/st/mmc/stm32_sdmmc2.c
++++ b/drivers/st/mmc/stm32_sdmmc2.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2018-2021, STMicroelectronics - All Rights Reserved
++ * Copyright (c) 2018-2022, STMicroelectronics - All Rights Reserved
+  *
+  * SPDX-License-Identifier: BSD-3-Clause
+  */
+@@ -748,8 +748,6 @@ unsigned long long stm32_sdmmc2_mmc_get_device_size(void)
+ 
+ int stm32_sdmmc2_mmc_init(struct stm32_sdmmc2_params *params)
+ {
+-	int rc;
+-
+ 	assert((params != NULL) &&
+ 	       ((params->reg_base & MMC_BLOCK_MASK) == 0U) &&
+ 	       ((params->bus_width == MMC_BUS_WIDTH_1) ||
+@@ -767,16 +765,20 @@ int stm32_sdmmc2_mmc_init(struct stm32_sdmmc2_params *params)
+ 
+ 	clk_enable(sdmmc2_params.clock_id);
+ 
+-	rc = stm32mp_reset_assert(sdmmc2_params.reset_id, TIMEOUT_US_1_MS);
+-	if (rc != 0) {
+-		panic();
+-	}
+-	udelay(2);
+-	rc = stm32mp_reset_deassert(sdmmc2_params.reset_id, TIMEOUT_US_1_MS);
+-	if (rc != 0) {
+-		panic();
++	if ((int)sdmmc2_params.reset_id >= 0) {
++		int rc;
++
++		rc = stm32mp_reset_assert(sdmmc2_params.reset_id, TIMEOUT_US_1_MS);
++		if (rc != 0) {
++			panic();
++		}
++		udelay(2);
++		rc = stm32mp_reset_deassert(sdmmc2_params.reset_id, TIMEOUT_US_1_MS);
++		if (rc != 0) {
++			panic();
++		}
++		mdelay(1);
+ 	}
+-	mdelay(1);
+ 
+ 	sdmmc2_params.clk_rate = clk_get_rate(sdmmc2_params.clock_id);
+ 	sdmmc2_params.device_info->ocr_voltage = OCR_3_2_3_3 | OCR_3_3_3_4;
+diff --git a/drivers/st/regulator/regulator_fixed.c b/drivers/st/regulator/regulator_fixed.c
+index 56593717f6..3001b362e0 100644
+--- a/drivers/st/regulator/regulator_fixed.c
++++ b/drivers/st/regulator/regulator_fixed.c
+@@ -12,8 +12,8 @@
+ #include <drivers/regulator.h>
+ #include <drivers/st/regulator_fixed.h>
+ 
+-#ifndef PLAT_NB_FIXED_REGS
+-#error "Missing PLAT_NB_FIXED_REGS"
++#ifndef PLAT_NB_FIXED_REGUS
++#error "Missing PLAT_NB_FIXED_REGUS"
+ #endif
+ 
+ #define FIXED_NAME_LEN 32U
+@@ -24,7 +24,7 @@ struct fixed_data {
+ 	struct regul_description desc;
+ };
+ 
+-static struct fixed_data data[PLAT_NB_FIXED_REGS];
++static struct fixed_data data[PLAT_NB_FIXED_REGUS];
+ 
+ static int fixed_set_state(const struct regul_description *desc, bool state)
+ {
+@@ -83,7 +83,7 @@ int fixed_regulator_register(void)
+ 		}
+ 
+ 		count++;
+-		assert(count <= PLAT_NB_FIXED_REGS);
++		assert(count <= PLAT_NB_FIXED_REGUS);
+ 
+ 	} while (node > 0);
+ 
+diff --git a/drivers/st/regulator/regulator_gpio.c b/drivers/st/regulator/regulator_gpio.c
+new file mode 100644
+index 0000000000..36311e9df1
+--- /dev/null
++++ b/drivers/st/regulator/regulator_gpio.c
+@@ -0,0 +1,166 @@
++/*
++ * Copyright (c) 2022, STMicroelectronics
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ */
++
++#include <assert.h>
++#include <errno.h>
++
++#include <common/debug.h>
++#include <common/fdt_wrappers.h>
++#include <drivers/regulator.h>
++#include <drivers/st/regulator_gpio.h>
++#include <drivers/st/stm32_gpio.h>
++#include <libfdt.h>
++
++#ifndef PLAT_NB_GPIO_REGUS
++#error "Missing PLAT_NB_GPIO_REGUS"
++#endif
++
++#define MAX_NAME_LEN 32
++
++#define REGU_DISABLED 0
++#define REGU_ENABLED 1
++
++#define GPIO_DESC_SIZE 3U
++
++struct gpio_config {
++	uint32_t bank;
++	uint32_t pin;
++	uint32_t config;
++	uint8_t status;
++};
++
++struct gpio_regu_data {
++	char name[MAX_NAME_LEN];
++	struct regul_description desc;
++	struct gpio_config en_gpio;
++	bool active_high;
++};
++
++static struct gpio_regu_data data[PLAT_NB_GPIO_REGUS];
++
++static int gpio_set_state(const struct regul_description *desc, bool state)
++{
++	struct gpio_regu_data *d = (struct gpio_regu_data *)desc->driver_data;
++	enum gpio_level level = GPIO_LEVEL_LOW;
++
++	VERBOSE("regul %s set state=%d\n", d->name, state);
++
++	if ((d->active_high && state) || (!d->active_high && !state)) {
++		level = GPIO_LEVEL_HIGH;
++	}
++
++	set_gpio_level(d->en_gpio.bank, d->en_gpio.pin, level);
++
++	return 0;
++}
++
++static int gpio_get_state(const struct regul_description *desc)
++{
++	struct gpio_regu_data *d = (struct gpio_regu_data *)desc->driver_data;
++	enum gpio_level level = get_gpio_level(d->en_gpio.bank, d->en_gpio.pin);
++
++	if ((d->active_high && level == GPIO_LEVEL_HIGH) ||
++	    (!d->active_high && level == GPIO_LEVEL_LOW)) {
++		return REGU_ENABLED;
++	}
++
++	return REGU_DISABLED;
++}
++
++static struct regul_ops gpio_regu_ops = {
++	.set_state = gpio_set_state,
++	.get_state = gpio_get_state,
++};
++
++static int read_gpio_config_from_dt(const void *fdt, int node, char *name,
++				    struct gpio_config *gpio)
++{
++	uint32_t utable[GPIO_DESC_SIZE];
++	int ret;
++
++	gpio->status = fdt_get_status(node);
++	if (gpio->status == DT_DISABLED) {
++		return -FDT_ERR_NOTFOUND;
++	}
++
++	ret = fdt_read_uint32_array(fdt, node, name, GPIO_DESC_SIZE, utable);
++	if (ret != 0) {
++		ERROR("Missing gpio description\n");
++		return ret;
++	}
++
++	gpio->bank = utable[0];
++	gpio->pin = utable[1];
++	gpio->config = utable[2];
++
++	return 0;
++}
++
++int gpio_regulator_register(void)
++{
++	uint32_t count = 0U;
++	void *fdt;
++	int node = 0;
++
++	VERBOSE("gpio_regu reg init\n");
++
++	if (fdt_get_address(&fdt) == 0) {
++		return -FDT_ERR_NOTFOUND;
++	}
++
++	do {
++		int len __unused;
++		int ret;
++		struct gpio_regu_data *d = &data[count];
++		const char *reg_name;
++
++		node = fdt_node_offset_by_compatible(fdt, node, "st,stm32-regulator-gpio");
++		if (node < 0) {
++			break;
++		}
++
++		reg_name = fdt_get_name(fdt, node, NULL);
++
++		VERBOSE("register gpio_regu reg %s\n", reg_name);
++
++		if (count == PLAT_NB_GPIO_REGUS) {
++			WARN("Not enough place for regulators, PLAT_NB_GPIO_REGUS should be increased.\n");
++			return -ENOMEM;
++		}
++
++		len = snprintf(d->name, MAX_NAME_LEN - 1, "%s", reg_name);
++		assert((len > 0) && (len < (MAX_NAME_LEN - 1)));
++
++		d->desc.node_name = d->name;
++		d->desc.driver_data = d;
++		d->desc.ops = &gpio_regu_ops;
++
++		ret = read_gpio_config_from_dt(fdt, node, "st,enable-gpios", &d->en_gpio);
++		if (ret != 0) {
++			ERROR("Incorrect gpio regul description\n");
++			return ret;
++		}
++
++		VERBOSE("%s: en_gpio bank=%u pin=%u cfg=%x\n", d->name,
++			d->en_gpio.bank, d->en_gpio.pin, d->en_gpio.config);
++
++		set_gpio_config(d->en_gpio.bank, d->en_gpio.pin, d->en_gpio.config,
++				d->en_gpio.status);
++
++		if (fdt_getprop(fdt, node, "enable-active-high", NULL))
++			d->active_high = true;
++
++		ret = regulator_register(&d->desc, node);
++		if (ret != 0) {
++			WARN("Failed to register %s\n", reg_name);
++			return ret;
++		}
++
++		count++;
++	} while (node > 0);
++
++	return 0;
++}
+diff --git a/drivers/st/uart/aarch32/stm32_console.S b/drivers/st/uart/aarch32/stm32_console.S
+index ab1c3bdccc..abe47b53fa 100644
+--- a/drivers/st/uart/aarch32/stm32_console.S
++++ b/drivers/st/uart/aarch32/stm32_console.S
+@@ -46,10 +46,16 @@ func console_stm32_core_init
+ 	cmp	r0, #0
+ 	beq	core_init_fail
+ #if !defined(IMAGE_BL2)
++#if STM32MP_RECONFIGURE_CONSOLE
++	/* UART clock rate is set to 0 in BL32, skip init in that case */
++	cmp	r1, #0
++	beq	1f
++#else /* STM32MP_RECONFIGURE_CONSOLE */
+ 	/* Skip UART initialization if it is already enabled */
+ 	ldr	r3, [r0, #USART_CR1]
+ 	ands	r3, r3, #USART_CR1_UE
+ 	bne	1f
++#endif /* STM32MP_RECONFIGURE_CONSOLE */
+ #endif /* IMAGE_BL2 */
+ 	/* Check baud rate and uart clock for sanity */
+ 	cmp	r1, #0
+diff --git a/fdts/stm32mp1-cot-descriptors.dtsi b/fdts/stm32mp1-cot-descriptors.dtsi
+new file mode 100644
+index 0000000000..c47b2e7376
+--- /dev/null
++++ b/fdts/stm32mp1-cot-descriptors.dtsi
+@@ -0,0 +1,158 @@
++/*
++ * Copyright (c) 2020-2022, ARM Limited. All rights reserved.
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ */
++
++#include <tools_share/tbbr_oid.h>
++#include <common/tbbr/tbbr_img_def.h>
++#include <common/nv_cntr_ids.h>
++
++cot {
++	manifests {
++		compatible = "arm, cert-descs";
++
++		stm32mp_cfg_cert: stm32mp_cfg_cert {
++			root-certificate;
++			image-id = <STM32MP_CONFIG_CERT_ID>;
++			antirollback-counter = <&trusted_nv_counter>;
++
++			hw_config_hash: hw_config_hash {
++				oid = HW_CONFIG_HASH_OID;
++			};
++
++			fw_config_hash: fw_config_hash {
++				oid = FW_CONFIG_HASH_OID;
++			};
++		};
++
++		trusted_key_cert: trusted_key_cert {
++			root-certificate;
++			image-id = <TRUSTED_KEY_CERT_ID>;
++			antirollback-counter = <&trusted_nv_counter>;
++
++			trusted_world_pk: trusted_world_pk {
++				oid = TRUSTED_WORLD_PK_OID;
++			};
++			non_trusted_world_pk: non_trusted_world_pk {
++				oid = NON_TRUSTED_WORLD_PK_OID;
++			};
++		};
++
++		trusted_os_fw_key_cert: trusted_os_fw_key_cert {
++			image-id = <TRUSTED_OS_FW_KEY_CERT_ID>;
++			parent = <&trusted_key_cert>;
++			signing-key = <&trusted_world_pk>;
++			antirollback-counter = <&trusted_nv_counter>;
++
++			tos_fw_content_pk: tos_fw_content_pk {
++				oid = TRUSTED_OS_FW_CONTENT_CERT_PK_OID;
++			};
++		};
++
++		trusted_os_fw_content_cert: trusted_os_fw_content_cert {
++			image-id = <TRUSTED_OS_FW_CONTENT_CERT_ID>;
++			parent = <&trusted_os_fw_key_cert>;
++			signing-key = <&tos_fw_content_pk>;
++			antirollback-counter = <&trusted_nv_counter>;
++
++			tos_fw_hash: tos_fw_hash {
++				oid = TRUSTED_OS_FW_HASH_OID;
++			};
++			tos_fw_extra1_hash: tos_fw_extra1_hash {
++				oid = TRUSTED_OS_FW_EXTRA1_HASH_OID;
++			};
++			tos_fw_extra2_hash: tos_fw_extra2_hash {
++				oid = TRUSTED_OS_FW_EXTRA2_HASH_OID;
++			};
++			tos_fw_config_hash: tos_fw_config_hash {
++				oid = TRUSTED_OS_FW_CONFIG_HASH_OID;
++			};
++		};
++
++		non_trusted_fw_key_cert: non_trusted_fw_key_cert {
++			image-id = <NON_TRUSTED_FW_KEY_CERT_ID>;
++			parent = <&trusted_key_cert>;
++			signing-key = <&non_trusted_world_pk>;
++			antirollback-counter = <&non_trusted_nv_counter>;
++
++			nt_fw_content_pk: nt_fw_content_pk {
++				oid = NON_TRUSTED_FW_CONTENT_CERT_PK_OID;
++			};
++		};
++
++		non_trusted_fw_content_cert: non_trusted_fw_content_cert {
++			image-id = <NON_TRUSTED_FW_CONTENT_CERT_ID>;
++			parent = <&non_trusted_fw_key_cert>;
++			signing-key = <&nt_fw_content_pk>;
++			antirollback-counter = <&non_trusted_nv_counter>;
++
++			nt_world_bl_hash: nt_world_bl_hash {
++				oid = NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID;
++			};
++		};
++	};
++
++	images {
++		compatible = "arm, img-descs";
++
++		hw_config {
++			image-id = <HW_CONFIG_ID>;
++			parent = <&stm32mp_cfg_cert>;
++			hash = <&hw_config_hash>;
++		};
++
++		fw_config {
++			image-id = <FW_CONFIG_ID>;
++			parent = <&stm32mp_cfg_cert>;
++			hash = <&fw_config_hash>;
++		};
++
++		bl32_image {
++			image-id = <BL32_IMAGE_ID>;
++			parent = <&trusted_os_fw_content_cert>;
++			hash = <&tos_fw_hash>;
++		};
++
++		bl32_extra1_image {
++			image-id = <BL32_EXTRA1_IMAGE_ID>;
++			parent = <&trusted_os_fw_content_cert>;
++			hash = <&tos_fw_extra1_hash>;
++		};
++
++		bl32_extra2_image {
++			image-id = <BL32_EXTRA2_IMAGE_ID>;
++			parent = <&trusted_os_fw_content_cert>;
++			hash = <&tos_fw_extra2_hash>;
++		};
++
++		tos_fw_config {
++			image-id = <TOS_FW_CONFIG_ID>;
++			parent = <&trusted_os_fw_content_cert>;
++			hash = <&tos_fw_config_hash>;
++		};
++
++		bl33_image {
++			image-id = <BL33_IMAGE_ID>;
++			parent = <&non_trusted_fw_content_cert>;
++			hash = <&nt_world_bl_hash>;
++		};
++	};
++};
++
++non_volatile_counters: non_volatile_counters {
++	compatible = "arm, non-volatile-counter";
++
++	#address-cells = <1>;
++	#size-cells = <0>;
++
++	trusted_nv_counter: trusted_nv_counter {
++		id  = <TRUSTED_NV_CTR_ID>;
++		oid = TRUSTED_FW_NVCOUNTER_OID;
++	};
++
++	non_trusted_nv_counter: non_trusted_nv_counter {
++		id  = <NON_TRUSTED_NV_CTR_ID>;
++		oid = NON_TRUSTED_FW_NVCOUNTER_OID;
++	};
++};
+diff --git a/fdts/stm32mp13-bl2.dtsi b/fdts/stm32mp13-bl2.dtsi
+index 5eca49c672..983d66b660 100644
+--- a/fdts/stm32mp13-bl2.dtsi
++++ b/fdts/stm32mp13-bl2.dtsi
+@@ -32,7 +32,7 @@
+ 		/delete-node/ usbphyc@5a006000;
+ #endif
+ 
+-		pin-controller@50002000 {
++		pinctrl@50002000 {
+ #if !STM32MP_EMMC && !STM32MP_SDMMC
+ 			/delete-node/ sdmmc1-b4-0;
+ 			/delete-node/ sdmmc2-b4-0;
+@@ -55,10 +55,9 @@
+ 			bl33_uuid = "d6d0eea7-fcea-d54b-9782-9934f234b6e4";
+ 			hw_cfg_uuid = "08b8f1d9-c9cf-9349-a962-6fbc6b7265cc";
+ 			tos_fw_cfg_uuid = "26257c1a-dbc6-7f47-8d96-c4c4b0248021";
+-			nt_fw_cfg_uuid = "28da9815-93e8-7e44-ac66-1aaf801550f9";
+ #if TRUSTED_BOARD_BOOT
++			stm32mp_cfg_cert_uuid = "501d8dd2-8bce-49a5-84eb-559a9f2eaeaf";
+ 			t_key_cert_uuid = "827ee890-f860-e411-a1b4-777a21b4f94c";
+-			t_boot_fw_cert_uuid = "d6e269ea-5d63-e411-8d8c-9fbabe9956a5";
+ 			tos_fw_key_cert_uuid = "9477d603-fb60-e411-85dd-b7105b8cee04";
+ 			nt_fw_key_cert_uuid = "8ad5832a-fb60-e411-8aaf-df30bbc49859";
+ 			tos_fw_content_cert_uuid = "a49f4411-5e63-e411-8728-3f05722af33d";
+@@ -82,7 +81,7 @@
+ 		mbedtls_heap_size = <0x2000>; /* SRAM2_SIZE */
+ 	};
+ 
+-#include "cot_descriptors.dtsi"
++#include "stm32mp1-cot-descriptors.dtsi"
+ #endif
+ 
+ };
+diff --git a/fdts/stm32mp13-ssp-bl2.dtsi b/fdts/stm32mp13-ssp-bl2.dtsi
+index 7de2d743c5..8f5fc5b45c 100644
+--- a/fdts/stm32mp13-ssp-bl2.dtsi
++++ b/fdts/stm32mp13-ssp-bl2.dtsi
+@@ -44,7 +44,7 @@
+ 		/delete-node/ usbphyc@5a006000;
+ #endif
+ 
+-		pin-controller@50002000 {
++		pinctrl@50002000 {
+ 			/delete-node/ sdmmc1-b4-0;
+ 			/delete-node/ sdmmc2-b4-0;
+ 		};
+diff --git a/fdts/stm32mp131.dtsi b/fdts/stm32mp131.dtsi
+index bc91c8370b..18a813474d 100644
+--- a/fdts/stm32mp131.dtsi
++++ b/fdts/stm32mp131.dtsi
+@@ -458,7 +458,7 @@
+ 		 * Break node order to solve dependency probe issue between
+ 		 * pinctrl and exti.
+ 		 */
+-		pinctrl: pin-controller@50002000 {
++		pinctrl: pinctrl@50002000 {
+ 			#address-cells = <1>;
+ 			#size-cells = <1>;
+ 			compatible = "st,stm32mp135-pinctrl";
+diff --git a/fdts/stm32mp135d-dk-fw-config.dts b/fdts/stm32mp135d-dk-fw-config.dts
+deleted file mode 100644
+index 21f82422b3..0000000000
+--- a/fdts/stm32mp135d-dk-fw-config.dts
++++ /dev/null
+@@ -1,7 +0,0 @@
+-// SPDX-License-Identifier: (GPL-2.0+ OR BSD-3-Clause)
+-/*
+- * Copyright (c) 2022, STMicroelectronics - All Rights Reserved
+- */
+-
+-#define DDR_SIZE	0x20000000 /* 512MB */
+-#include "stm32mp13-fw-config.dtsi"
+diff --git a/fdts/stm32mp135d-dk.dts b/fdts/stm32mp135d-dk.dts
+deleted file mode 100644
+index debf5cf0a6..0000000000
+--- a/fdts/stm32mp135d-dk.dts
++++ /dev/null
+@@ -1,320 +0,0 @@
+-// SPDX-License-Identifier: (GPL-2.0+ OR BSD-3-Clause)
+-/*
+- * Copyright (C) STMicroelectronics 2022 - All Rights Reserved
+- * Author: Alexandre Torgue <alexandre.torgue@st.com> for STMicroelectronics.
+- */
+-
+-/dts-v1/;
+-
+-#include <dt-bindings/clock/stm32mp13-clksrc.h>
+-#include "stm32mp135.dtsi"
+-#include "stm32mp13xd.dtsi"
+-#include "stm32mp13-ddr3-1x4Gb-1066-binF.dtsi"
+-#include "stm32mp13-pinctrl.dtsi"
+-
+-/ {
+-	model = "STMicroelectronics STM32MP135D-DK Discovery Board";
+-	compatible = "st,stm32mp135d-dk", "st,stm32mp135";
+-
+-	aliases {
+-		serial0 = &uart4;
+-		serial1 = &usart1;
+-		serial2 = &uart8;
+-		serial3 = &usart2;
+-	};
+-
+-	chosen {
+-		stdout-path = "serial0:115200n8";
+-	};
+-
+-	memory@c0000000 {
+-		device_type = "memory";
+-		reg = <0xc0000000 0x20000000>;
+-	};
+-
+-	vin: vin {
+-		compatible = "regulator-fixed";
+-		regulator-name = "vin";
+-		regulator-min-microvolt = <5000000>;
+-		regulator-max-microvolt = <5000000>;
+-		regulator-always-on;
+-	};
+-
+-	v3v3_ao: v3v3_ao {
+-		compatible = "regulator-fixed";
+-		regulator-name = "v3v3_ao";
+-		regulator-min-microvolt = <3300000>;
+-		regulator-max-microvolt = <3300000>;
+-		regulator-always-on;
+-	};
+-};
+-
+-&bsec {
+-	board_id: board_id@f0 {
+-		reg = <0xf0 0x4>;
+-		st,non-secure-otp;
+-	};
+-};
+-
+-&cpu0 {
+-	cpu-supply = <&vddcpu>;
+-};
+-
+-&hash {
+-	status = "okay";
+-};
+-
+-&i2c4 {
+-	pinctrl-names = "default";
+-	pinctrl-0 = <&i2c4_pins_a>;
+-	i2c-scl-rising-time-ns = <185>;
+-	i2c-scl-falling-time-ns = <20>;
+-	clock-frequency = <400000>;
+-	status = "okay";
+-
+-	pmic: stpmic@33 {
+-		compatible = "st,stpmic1";
+-		reg = <0x33>;
+-
+-		status = "okay";
+-
+-		regulators {
+-			compatible = "st,stpmic1-regulators";
+-			buck1-supply = <&vin>;
+-			buck2-supply = <&vin>;
+-			buck3-supply = <&vin>;
+-			buck4-supply = <&vin>;
+-			ldo1-supply = <&vin>;
+-			ldo4-supply = <&vin>;
+-			ldo5-supply = <&vin>;
+-			ldo6-supply = <&vin>;
+-			vref_ddr-supply = <&vin>;
+-			pwr_sw1-supply = <&bst_out>;
+-			pwr_sw2-supply = <&v3v3_ao>;
+-
+-			vddcpu: buck1 {
+-				regulator-name = "vddcpu";
+-				regulator-min-microvolt = <1250000>;
+-				regulator-max-microvolt = <1250000>;
+-				regulator-always-on;
+-				regulator-over-current-protection;
+-			};
+-
+-			vdd_ddr: buck2 {
+-				regulator-name = "vdd_ddr";
+-				regulator-min-microvolt = <1350000>;
+-				regulator-max-microvolt = <1350000>;
+-				regulator-always-on;
+-				regulator-over-current-protection;
+-			};
+-
+-			vdd: buck3 {
+-				regulator-name = "vdd";
+-				regulator-min-microvolt = <3300000>;
+-				regulator-max-microvolt = <3300000>;
+-				regulator-always-on;
+-				st,mask-reset;
+-				regulator-over-current-protection;
+-			};
+-
+-			vddcore: buck4 {
+-				regulator-name = "vddcore";
+-				regulator-min-microvolt = <1250000>;
+-				regulator-max-microvolt = <1250000>;
+-				regulator-always-on;
+-				regulator-over-current-protection;
+-			};
+-
+-			vdd_adc: ldo1 {
+-				regulator-name = "vdd_adc";
+-				regulator-min-microvolt = <3300000>;
+-				regulator-max-microvolt = <3300000>;
+-			};
+-
+-			vdd_usb: ldo4 {
+-				regulator-name = "vdd_usb";
+-				regulator-min-microvolt = <3300000>;
+-				regulator-max-microvolt = <3300000>;
+-			};
+-
+-			vdd_sd: ldo5 {
+-				regulator-name = "vdd_sd";
+-				regulator-min-microvolt = <3300000>;
+-				regulator-max-microvolt = <3300000>;
+-				regulator-boot-on;
+-			};
+-
+-			v1v8_periph: ldo6 {
+-				regulator-name = "v1v8_periph";
+-				regulator-min-microvolt = <1800000>;
+-				regulator-max-microvolt = <1800000>;
+-			};
+-
+-			vref_ddr: vref_ddr {
+-				regulator-name = "vref_ddr";
+-				regulator-always-on;
+-			};
+-
+-			bst_out: boost {
+-				regulator-name = "bst_out";
+-			};
+-
+-			v3v3_sw: pwr_sw2 {
+-				regulator-name = "v3v3_sw";
+-				regulator-active-discharge = <1>;
+-				regulator-always-on;
+-			};
+-		};
+-	};
+-};
+-
+-&iwdg2 {
+-	timeout-sec = <32>;
+-	status = "okay";
+-};
+-
+-&pwr_regulators {
+-	vdd-supply = <&vdd>;
+-	vdd_3v3_usbfs-supply = <&vdd_usb>;
+-};
+-
+-&rcc {
+-	st,clksrc = <
+-		CLK_MPU_PLL1P
+-		CLK_AXI_PLL2P
+-		CLK_MLAHBS_PLL3
+-		CLK_CKPER_HSE
+-		CLK_RTC_LSE
+-		CLK_SDMMC1_PLL4P
+-		CLK_SDMMC2_PLL4P
+-		CLK_STGEN_HSE
+-		CLK_USBPHY_HSE
+-		CLK_I2C4_HSI
+-		CLK_USBO_USBPHY
+-		CLK_I2C12_HSI
+-		CLK_UART2_HSI
+-		CLK_UART4_HSI
+-	>;
+-
+-	st,clkdiv = <
+-		DIV(DIV_AXI, 0)
+-		DIV(DIV_MLAHB, 0)
+-		DIV(DIV_APB1, 1)
+-		DIV(DIV_APB2, 1)
+-		DIV(DIV_APB3, 1)
+-		DIV(DIV_APB4, 1)
+-		DIV(DIV_APB5, 2)
+-		DIV(DIV_APB6, 1)
+-		DIV(DIV_RTC, 0)
+-	>;
+-
+-	st,pll_vco {
+-		pll1_vco_1300Mhz: pll1-vco-1300Mhz {
+-			src = < CLK_PLL12_HSE >;
+-			divmn = < 2 80 >;
+-			frac = < 0x800 >;
+-		};
+-
+-		pll2_vco_1066Mhz: pll2-vco-1066Mhz {
+-			src = < CLK_PLL12_HSE >;
+-			divmn = < 2 65 >;
+-			frac = < 0x1400 >;
+-		};
+-
+-		pll3_vco_417_8Mhz: pll2-vco-417_8Mhz {
+-			src = < CLK_PLL3_HSE >;
+-			divmn = < 1 33 >;
+-			frac = < 0x1a04 >;
+-		};
+-
+-		pll4_vco_600Mhz: pll2-vco-600Mhz {
+-			src = < CLK_PLL4_HSE >;
+-			divmn = < 1 49 >;
+-		};
+-	};
+-
+-	/* VCO = 1300.0 MHz => P = 650 (CPU) */
+-	pll1:st,pll@0 {
+-		compatible = "st,stm32mp1-pll";
+-		reg = <0>;
+-
+-		st,pll = < &pll1_cfg1 >;
+-
+-		pll1_cfg1: pll1_cfg1 {
+-			st,pll_vco = < &pll1_vco_1300Mhz >;
+-			st,pll_div_pqr = < 0 1 1 >;
+-		};
+-	};
+-
+-	/* VCO = 1066.0 MHz => P = 266 (AXI), Q = 266, R = 533 (DDR) */
+-	pll2:st,pll@1 {
+-		compatible = "st,stm32mp1-pll";
+-		reg = <1>;
+-
+-		st,pll = < &pll2_cfg1 >;
+-
+-		pll2_cfg1: pll2_cfg1 {
+-			st,pll_vco = < &pll2_vco_1066Mhz >;
+-			st,pll_div_pqr = < 1 1 0 >;
+-		};
+-	};
+-
+-	/* VCO = 417.8 MHz => P = 209, Q = 24, R = 209 */
+-	pll3:st,pll@2 {
+-		compatible = "st,stm32mp1-pll";
+-		reg = <2>;
+-
+-		st,pll = < &pll3_cfg1 >;
+-
+-		pll3_cfg1: pll3_cfg1 {
+-			st,pll_vco = < &pll3_vco_417_8Mhz >;
+-			st,pll_div_pqr = < 1 16 1 >;
+-		};
+-	};
+-
+-	/* VCO = 600.0 MHz => P = 50, Q = 10, R = 100 */
+-	pll4:st,pll@3 {
+-		compatible = "st,stm32mp1-pll";
+-		reg = <3>;
+-
+-		st,pll = < &pll4_cfg1 >;
+-
+-		pll4_cfg1: pll4_cfg1 {
+-			st,pll_vco = < &pll4_vco_600Mhz >;
+-			st,pll_div_pqr = < 11 59 5 >;
+-		};
+-	};
+-};
+-
+-&rng {
+-	status = "okay";
+-};
+-
+-&sdmmc1 {
+-	pinctrl-names = "default";
+-	pinctrl-0 = <&sdmmc1_b4_pins_a &sdmmc1_clk_pins_a>;
+-	disable-wp;
+-	st,neg-edge;
+-	bus-width = <4>;
+-	vmmc-supply = <&vdd_sd>;
+-	status = "okay";
+-};
+-
+-&uart4 {
+-	pinctrl-names = "default";
+-	pinctrl-0 = <&uart4_pins_a>;
+-	status = "okay";
+-};
+-
+-&uart8 {
+-	pinctrl-names = "default";
+-	pinctrl-0 = <&uart8_pins_a>;
+-	status = "disabled";
+-};
+-
+-&usart1 {
+-	pinctrl-names = "default";
+-	pinctrl-0 = <&usart1_pins_a>;
+-	uart-has-rtscts;
+-	status = "disabled";
+-};
+diff --git a/fdts/stm32mp135f-dk.dts b/fdts/stm32mp135f-dk.dts
+index 9dce65f0d9..a6a8648865 100644
+--- a/fdts/stm32mp135f-dk.dts
++++ b/fdts/stm32mp135f-dk.dts
+@@ -226,13 +226,13 @@
+ 			frac = < 0x1400 >;
+ 		};
+ 
+-		pll3_vco_417_8Mhz: pll2-vco-417_8Mhz {
++		pll3_vco_417_8Mhz: pll3-vco-417_8Mhz {
+ 			src = < CLK_PLL3_HSE >;
+ 			divmn = < 1 33 >;
+ 			frac = < 0x1a04 >;
+ 		};
+ 
+-		pll4_vco_600Mhz: pll2-vco-600Mhz {
++		pll4_vco_600Mhz: pll4-vco-600Mhz {
+ 			src = < CLK_PLL4_HSE >;
+ 			divmn = < 1 49 >;
+ 		};
+diff --git a/fdts/stm32mp15-bl2.dtsi b/fdts/stm32mp15-bl2.dtsi
+index 66067a40ae..6938d9e3f1 100644
+--- a/fdts/stm32mp15-bl2.dtsi
++++ b/fdts/stm32mp15-bl2.dtsi
+@@ -45,7 +45,7 @@
+ 		/delete-node/ i2c@5c009000;
+ 		/delete-node/ tamp@5c00a000;
+ 
+-		pin-controller@50002000 {
++		pinctrl@50002000 {
+ #if !STM32MP_RAW_NAND
+ 			/delete-node/ fmc-0;
+ #endif
+@@ -83,10 +83,9 @@
+ 			bl33_uuid = "d6d0eea7-fcea-d54b-9782-9934f234b6e4";
+ 			hw_cfg_uuid = "08b8f1d9-c9cf-9349-a962-6fbc6b7265cc";
+ 			tos_fw_cfg_uuid = "26257c1a-dbc6-7f47-8d96-c4c4b0248021";
+-			nt_fw_cfg_uuid = "28da9815-93e8-7e44-ac66-1aaf801550f9";
+ #if TRUSTED_BOARD_BOOT
++			stm32mp_cfg_cert_uuid = "501d8dd2-8bce-49a5-84eb-559a9f2eaeaf";
+ 			t_key_cert_uuid = "827ee890-f860-e411-a1b4-777a21b4f94c";
+-			t_boot_fw_cert_uuid = "d6e269ea-5d63-e411-8d8c-9fbabe9956a5";
+ 			tos_fw_key_cert_uuid = "9477d603-fb60-e411-85dd-b7105b8cee04";
+ 			nt_fw_key_cert_uuid = "8ad5832a-fb60-e411-8aaf-df30bbc49859";
+ 			tos_fw_content_cert_uuid = "a49f4411-5e63-e411-8728-3f05722af33d";
+@@ -110,16 +109,6 @@
+ 		mbedtls_heap_size = <0x0>;
+ 	};
+ 
+-#include "cot_descriptors.dtsi"
++#include "stm32mp1-cot-descriptors.dtsi"
+ #endif
+ };
+-
+-&rcc {
+-	/* VCO = 1300.0 MHz => P = 650 (CPU) */
+-	pll1: st,pll@0 {
+-		compatible = "st,stm32mp1-pll";
+-		reg = <0>;
+-		cfg = <2 80 0 0 0 PQR(1,0,0)>;
+-		frac = <0x800>;
+-	};
+-};
+diff --git a/fdts/stm32mp15-bl32.dtsi b/fdts/stm32mp15-bl32.dtsi
+index 0e198f0db6..264aaf0984 100644
+--- a/fdts/stm32mp15-bl32.dtsi
++++ b/fdts/stm32mp15-bl32.dtsi
+@@ -26,7 +26,7 @@
+ 		/delete-node/ stgen@5c008000;
+ 		/delete-node/ i2c@5c009000;
+ 
+-		pin-controller@50002000 {
++		pinctrl@50002000 {
+ 			/delete-node/ fmc-0;
+ 			/delete-node/ qspi-clk-0;
+ 			/delete-node/ qspi-bk1-0;
+diff --git a/fdts/stm32mp15-ssp-bl2.dtsi b/fdts/stm32mp15-ssp-bl2.dtsi
+index eac8036bb2..b8c75c0733 100644
+--- a/fdts/stm32mp15-ssp-bl2.dtsi
++++ b/fdts/stm32mp15-ssp-bl2.dtsi
+@@ -72,7 +72,7 @@
+ 		/delete-node/ i2c@5c009000;
+ 		/delete-node/ tamp@5c00a000;
+ 
+-		pin-controller@50002000 {
++		pinctrl@50002000 {
+ 			/delete-node/ fmc-0;
+ 			/delete-node/ qspi-clk-0;
+ 			/delete-node/ qspi-bk1-0;
+diff --git a/fdts/stm32mp151.dtsi b/fdts/stm32mp151.dtsi
+index b2fd7f875f..6e8a3a2161 100644
+--- a/fdts/stm32mp151.dtsi
++++ b/fdts/stm32mp151.dtsi
+@@ -543,7 +543,7 @@
+ 		 * Break node order to solve dependency probe issue between
+ 		 * pinctrl and exti.
+ 		 */
+-		pinctrl: pin-controller@50002000 {
++		pinctrl: pinctrl@50002000 {
+ 			#address-cells = <1>;
+ 			#size-cells = <1>;
+ 			compatible = "st,stm32mp157-pinctrl";
+@@ -674,7 +674,7 @@
+ 			};
+ 		};
+ 
+-		pinctrl_z: pin-controller-z@54004000 {
++		pinctrl_z: pinctrl@54004000 {
+ 			#address-cells = <1>;
+ 			#size-cells = <1>;
+ 			compatible = "st,stm32mp157-z-pinctrl";
+diff --git a/fdts/stm32mp157a-avenger96.dts b/fdts/stm32mp157a-avenger96.dts
+index 5ebc1a998e..5d8f01c1fd 100644
+--- a/fdts/stm32mp157a-avenger96.dts
++++ b/fdts/stm32mp157a-avenger96.dts
+@@ -133,10 +133,9 @@
+ 
+ 			vtt_ddr: ldo3 {
+ 				regulator-name = "vtt_ddr";
+-				regulator-min-microvolt = <500000>;
+-				regulator-max-microvolt = <750000>;
+ 				regulator-always-on;
+ 				regulator-over-current-protection;
++				st,regulator-sink-source;
+ 			};
+ 
+ 			vdd_usb: ldo4 {
+@@ -161,7 +160,6 @@
+ 			vref_ddr: vref_ddr {
+ 				regulator-name = "vref_ddr";
+ 				regulator-always-on;
+-				regulator-over-current-protection;
+ 			};
+ 
+ 			bst_out: boost {
+diff --git a/fdts/stm32mp157c-odyssey-som.dtsi b/fdts/stm32mp157c-odyssey-som.dtsi
+index 2fede62766..b7250f7590 100644
+--- a/fdts/stm32mp157c-odyssey-som.dtsi
++++ b/fdts/stm32mp157c-odyssey-som.dtsi
+@@ -140,10 +140,9 @@
+ 
+ 			vtt_ddr: ldo3 {
+ 				regulator-name = "vtt_ddr";
+-				regulator-min-microvolt = <500000>;
+-				regulator-max-microvolt = <750000>;
+ 				regulator-always-on;
+ 				regulator-over-current-protection;
++				st,regulator-sink-source;
+ 			};
+ 
+ 			vdd_usb: ldo4 {
+@@ -170,7 +169,6 @@
+ 			vref_ddr: vref_ddr {
+ 				regulator-name = "vref_ddr";
+ 				regulator-always-on;
+-				regulator-over-current-protection;
+ 			};
+ 
+ 			bst_out: boost {
+diff --git a/fdts/stm32mp15xx-osd32.dtsi b/fdts/stm32mp15xx-osd32.dtsi
+index 29cf83afeb..18ebd61ae2 100644
+--- a/fdts/stm32mp15xx-osd32.dtsi
++++ b/fdts/stm32mp15xx-osd32.dtsi
+@@ -81,10 +81,9 @@
+ 
+ 			vtt_ddr: ldo3 {
+ 				regulator-name = "vtt_ddr";
+-				regulator-min-microvolt = <500000>;
+-				regulator-max-microvolt = <750000>;
+ 				regulator-always-on;
+ 				regulator-over-current-protection;
++				st,regulator-sink-source;
+ 			};
+ 
+ 			vdd_usb: ldo4 {
+@@ -110,7 +109,6 @@
+ 			vref_ddr: vref_ddr {
+ 				regulator-name = "vref_ddr";
+ 				regulator-always-on;
+-				regulator-over-current-protection;
+ 			};
+ 
+ 			bst_out: boost {
+diff --git a/include/drivers/auth/tbbr_cot_common.h b/include/drivers/auth/tbbr_cot_common.h
+index 21bcd520a4..a51faee1aa 100644
+--- a/include/drivers/auth/tbbr_cot_common.h
++++ b/include/drivers/auth/tbbr_cot_common.h
+@@ -25,6 +25,5 @@ extern auth_param_type_desc_t fw_config_hash;
+ 
+ extern const auth_img_desc_t trusted_boot_fw_cert;
+ extern const auth_img_desc_t hw_config;
+-extern const auth_img_desc_t fw_config;
+ 
+ #endif /* TBBR_COT_COMMON_H */
+diff --git a/include/drivers/st/regulator_gpio.h b/include/drivers/st/regulator_gpio.h
+new file mode 100644
+index 0000000000..3362f7e248
+--- /dev/null
++++ b/include/drivers/st/regulator_gpio.h
+@@ -0,0 +1,12 @@
++/*
++ * Copyright (c) 2022, STMicroelectronics - All Rights Reserved
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ */
++
++#ifndef REGULATOR_GPIO_H
++#define REGULATOR_GPIO_H
++
++int gpio_regulator_register(void);
++
++#endif /* REGULATOR_GPIO_H */
+diff --git a/include/drivers/st/stm32_gpio.h b/include/drivers/st/stm32_gpio.h
+index 84ef3b8beb..4ed1e39473 100644
+--- a/include/drivers/st/stm32_gpio.h
++++ b/include/drivers/st/stm32_gpio.h
+@@ -13,6 +13,7 @@
+ #define GPIO_TYPE_OFFSET	U(0x04)
+ #define GPIO_SPEED_OFFSET	U(0x08)
+ #define GPIO_PUPD_OFFSET	U(0x0C)
++#define GPIO_IDR_OFFSET		U(0x10)
+ #define GPIO_OD_OFFSET		U(0x14)
+ #define GPIO_BSRR_OFFSET	U(0x18)
+ #define GPIO_AFRL_OFFSET	U(0x20)
+@@ -52,10 +53,19 @@
+ 
+ #ifndef __ASSEMBLER__
+ #include <stdint.h>
+-
+ int dt_set_pinctrl_config(int node);
+ void set_gpio_secure_cfg(uint32_t bank, uint32_t pin, bool secure);
+ void set_gpio_reset_cfg(uint32_t bank, uint32_t pin);
++
++enum gpio_level {
++	GPIO_LEVEL_LOW,
++	GPIO_LEVEL_HIGH
++};
++
++void set_gpio_level(uint32_t bank, uint32_t pin, enum gpio_level level);
++enum gpio_level get_gpio_level(uint32_t bank, uint32_t pin);
++
++void set_gpio_config(uint32_t bank, uint32_t pin, uint32_t config, uint8_t status);
+ #endif /*__ASSEMBLER__*/
+ 
+ #endif /* STM32_GPIO_H */
+diff --git a/include/drivers/st/stm32_mce.h b/include/drivers/st/stm32_mce.h
+index e796ecb316..81c4d20d73 100644
+--- a/include/drivers/st/stm32_mce.h
++++ b/include/drivers/st/stm32_mce.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2020, STMicroelectronics - All Rights Reserved
++ * Copyright (c) 2020-2022, STMicroelectronics - All Rights Reserved
+  *
+  * SPDX-License-Identifier: BSD-3-Clause
+  */
+@@ -20,6 +20,16 @@
+ /* IP configuration */
+ #define MCE_IP_MAX_REGION_NB		1U
+ 
++struct stm32_mce_region_s {
++	uint32_t encrypt_mode;	/*
++				 * Specifies the region encryption mode.
++				 * This parameter can be a value of
++				 * @ref MCE_*_MODE (in driver header file).
++				 */
++	uint32_t start_address;	/* Specifies the region start address */
++	uint32_t end_address;	/* Specifies the region end address */
++};
++
+ void stm32_mce_init(void);
+ 
+ int stm32_mce_write_master_key(uint8_t *mkey);
+@@ -31,4 +41,6 @@ bool stm32_mce_is_globally_locked(void);
+ bool stm32_mce_is_hw_encryption_functional(void);
+ 
+ int stm32_mce_get_address_encryption_state(uint32_t address, uint32_t *state);
++
++void stm32_mce_reload_configuration(void);
+ #endif /* STM32_MCE_H */
+diff --git a/include/drivers/st/stm32mp_ddr.h b/include/drivers/st/stm32mp_ddr.h
+index 7f0f7cab98..23ef80c899 100644
+--- a/include/drivers/st/stm32mp_ddr.h
++++ b/include/drivers/st/stm32mp_ddr.h
+@@ -57,8 +57,12 @@ struct stm32mp_ddr_info {
+ 	uint32_t size;  /* Memory size in byte = col * row * width */
+ };
+ 
+-#define TIMEOUT_US_1S	1000000U
+-#define TIMEOUT_500US	500U
++#define DDR_DELAY_1US		1U
++#define DDR_DELAY_2US		2U
++#define DDR_DELAY_10US		10U
++#define DDR_DELAY_50US		50U
++#define DDR_TIMEOUT_500US	500U
++#define DDR_TIMEOUT_US_1S	1000000U
+ 
+ void stm32mp_ddr_set_reg(const struct stm32mp_ddr_priv *priv, enum stm32mp_ddr_reg_type type,
+ 			 const void *param, const struct stm32mp_ddr_reg_info *ddr_registers);
+diff --git a/include/dt-bindings/gpio/stm32-gpio.h b/include/dt-bindings/gpio/stm32-gpio.h
+new file mode 100644
+index 0000000000..3820bd1fb3
+--- /dev/null
++++ b/include/dt-bindings/gpio/stm32-gpio.h
+@@ -0,0 +1,41 @@
++/* SPDX-License-Identifier: (GPL-2.0+ OR BSD-3-Clause) */
++/*
++ * Copyright (C) STMicroelectronics 2022 - All Rights Reserved
++ * Author: Paillet Pascal <p.paillet@foss.st.com> for STMicroelectronics.
++ */
++
++#ifndef _DT_BINDINGS_STM32_GPIO_H
++#define _DT_BINDINGS_STM32_GPIO_H
++
++/* Bank IDs used in GPIO driver API */
++#define GPIO_BANK_A			0U
++#define GPIO_BANK_B			1U
++#define GPIO_BANK_C			2U
++#define GPIO_BANK_D			3U
++#define GPIO_BANK_E			4U
++#define GPIO_BANK_F			5U
++#define GPIO_BANK_G			6U
++#define GPIO_BANK_H			7U
++#define GPIO_BANK_I			8U
++#define GPIO_BANK_J			9U
++#define GPIO_BANK_K			10U
++#define GPIO_BANK_Z			25U
++
++/* Bit 0 is used to set GPIO in input mode */
++#define GPIOF_DIR_OUT			0x0
++#define GPIOF_DIR_IN			0x1
++
++/* Bit 1 is used to set GPIO high level during init */
++#define GPIOF_INIT_LOW			0x0
++#define GPIOF_INIT_HIGH			0x2
++
++#define GPIOF_IN			(GPIOF_DIR_IN)
++#define GPIOF_OUT_INIT_LOW		(GPIOF_DIR_OUT | GPIOF_INIT_LOW)
++#define GPIOF_OUT_INIT_HIGH		(GPIOF_DIR_OUT | GPIOF_INIT_HIGH)
++
++/* Bit 2 is used to set GPIO pull up */
++#define GPIOF_PULL_UP			0x4
++/* Bit 3 is used to set GPIO pull down */
++#define GPIOF_PULL_DOWN			0x8
++
++#endif /* _DT_BINDINGS_STM32_GPIO_H */
+diff --git a/include/plat/common/platform.h b/include/plat/common/platform.h
+index 1a9b9b5d20..60d43d7022 100644
+--- a/include/plat/common/platform.h
++++ b/include/plat/common/platform.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2013-2021, ARM Limited and Contributors. All rights reserved.
++ * Copyright (c) 2013-2022, ARM Limited and Contributors. All rights reserved.
+  *
+  * SPDX-License-Identifier: BSD-3-Clause
+  */
+@@ -125,7 +125,8 @@ void plat_error_handler(int err) __dead2;
+ void plat_panic_handler(void) __dead2;
+ const char *plat_log_get_prefix(unsigned int log_level);
+ void bl2_plat_preload_setup(void);
+-int plat_try_next_boot_source(unsigned int image_id);
++int plat_try_next_boot_source(void);
++int plat_try_backup_partitions(unsigned int image_id);
+ 
+ #if MEASURED_BOOT
+ int plat_mboot_measure_image(unsigned int image_id, image_info_t *image_data);
+@@ -388,5 +389,6 @@ int plat_fwu_set_metadata_image_source(unsigned int image_id,
+ 				       uintptr_t *image_spec);
+ void plat_fwu_set_images_source(const struct fwu_metadata *metadata);
+ uint32_t plat_fwu_get_boot_idx(void);
++bool plat_fwu_is_enabled(void);
+ 
+ #endif /* PLATFORM_H */
+diff --git a/lib/optee/optee_utils.c b/lib/optee/optee_utils.c
+index 72979cd9de..d30248fa29 100644
+--- a/lib/optee/optee_utils.c
++++ b/lib/optee/optee_utils.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2017-2021, ARM Limited and Contributors. All rights reserved.
++ * Copyright (c) 2017-2022, ARM Limited and Contributors. All rights reserved.
+  *
+  * SPDX-License-Identifier: BSD-3-Clause
+  */
+@@ -192,8 +192,17 @@ int parse_optee_header(entry_point_info_t *header_ep,
+ 				&header->optee_image_list[num]);
+ 		} else if (header->optee_image_list[num].image_id ==
+ 				OPTEE_PAGED_IMAGE_ID) {
+-			ret = parse_optee_image(paged_image_info,
+-				&header->optee_image_list[num]);
++			if (paged_image_info == NULL) {
++				if (header->optee_image_list[num].size != 0U) {
++					ERROR("Paged image is not supported\n");
++					return -1;
++				}
++
++				continue;
++			} else {
++				ret = parse_optee_image(paged_image_info,
++							&header->optee_image_list[num]);
++			}
+ 		} else {
+ 			ERROR("Parse optee image failed.\n");
+ 			return -1;
+@@ -215,8 +224,10 @@ int parse_optee_header(entry_point_info_t *header_ep,
+ 	 * header image arguments so that can be read by the
+ 	 * BL32 SPD.
+ 	 */
+-	header_ep->args.arg1 = paged_image_info->image_base;
+-	header_ep->args.arg2 = paged_image_info->image_size;
++	if (paged_image_info != NULL) {
++		header_ep->args.arg1 = paged_image_info->image_base;
++		header_ep->args.arg2 = paged_image_info->image_size;
++	}
+ 
+ 	/* Set OPTEE runtime arch - aarch32/aarch64 */
+ 	if (header->arch == 0) {
+diff --git a/plat/arm/common/arm_io_storage.c b/plat/arm/common/arm_io_storage.c
+index 19ee1b0b05..aa44903ff1 100644
+--- a/plat/arm/common/arm_io_storage.c
++++ b/plat/arm/common/arm_io_storage.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2015-2021, ARM Limited. All rights reserved.
++ * Copyright (c) 2015-2022, ARM Limited. All rights reserved.
+  *
+  * SPDX-License-Identifier: BSD-3-Clause
+  */
+@@ -247,4 +247,9 @@ int plat_fwu_set_metadata_image_source(unsigned int image_id,
+ 
+ 	return result;
+ }
++
++bool plat_fwu_is_enabled(void)
++{
++	return true;
++}
+ #endif /* PSA_FWU_SUPPORT */
+diff --git a/plat/common/plat_bl_common.c b/plat/common/plat_bl_common.c
+index 5bbd73bd94..cdf5a26d02 100644
+--- a/plat/common/plat_bl_common.c
++++ b/plat/common/plat_bl_common.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2018-2020, ARM Limited and Contributors. All rights reserved.
++ * Copyright (c) 2018-2022, ARM Limited and Contributors. All rights reserved.
+  *
+  * SPDX-License-Identifier: BSD-3-Clause
+  */
+@@ -25,6 +25,7 @@
+ #pragma weak bl2_plat_handle_pre_image_load
+ #pragma weak bl2_plat_handle_post_image_load
+ #pragma weak plat_try_next_boot_source
++#pragma weak plat_try_backup_partitions
+ #pragma weak plat_get_enc_key_info
+ #pragma weak plat_is_smccc_feature_available
+ #pragma weak plat_get_soc_version
+@@ -69,7 +70,12 @@ int bl2_plat_handle_post_image_load(unsigned int image_id)
+ 	return 0;
+ }
+ 
+-int plat_try_next_boot_source(unsigned int image_id)
++int plat_try_next_boot_source(void)
++{
++	return 0;
++}
++
++int plat_try_backup_partitions(unsigned int image_id)
+ {
+ 	return 0;
+ }
+diff --git a/plat/st/common/bl2_io_storage.c b/plat/st/common/bl2_io_storage.c
+index 2d2150cf43..27ac563018 100644
+--- a/plat/st/common/bl2_io_storage.c
++++ b/plat/st/common/bl2_io_storage.c
+@@ -48,7 +48,7 @@ uintptr_t fip_dev_handle;
+ uintptr_t storage_dev_handle;
+ 
+ static const io_dev_connector_t *fip_dev_con;
+-static uint32_t nand_bkp_offset;
++static uint32_t nand_block_sz;
+ 
+ #ifndef DECRYPTION_SUPPORT_none
+ static const io_dev_connector_t *enc_dev_con;
+@@ -278,7 +278,7 @@ static void boot_fmc2_nand(boot_api_context_t *boot_context)
+ 				&storage_dev_handle);
+ 	assert(io_result == 0);
+ 
+-	nand_bkp_offset = nand_dev_spec.erase_size;
++	nand_block_sz = nand_dev_spec.erase_size;
+ }
+ #endif /* STM32MP_RAW_NAND */
+ 
+@@ -299,7 +299,7 @@ static void boot_spi_nand(boot_api_context_t *boot_context)
+ 				&storage_dev_handle);
+ 	assert(io_result == 0);
+ 
+-	nand_bkp_offset = spi_nand_dev_spec.erase_size;
++	nand_block_sz = spi_nand_dev_spec.erase_size;
+ }
+ #endif /* STM32MP_SPI_NAND */
+ 
+@@ -431,6 +431,10 @@ int bl2_plat_handle_pre_image_load(unsigned int image_id)
+ 	static bool gpt_init_done __unused;
+ 	uint16_t boot_itf = stm32mp_get_boot_itf_selected();
+ 
++	if (stm32mp_skip_boot_device_after_standby()) {
++		return 0;
++	}
++
+ 	switch (boot_itf) {
+ #if STM32MP_SDMMC || STM32MP_EMMC
+ 	case BOOT_API_CTX_BOOT_INTERFACE_SEL_FLASH_SD:
+@@ -480,7 +484,14 @@ int bl2_plat_handle_pre_image_load(unsigned int image_id)
+ #if STM32MP_SPI_NAND
+ 	case BOOT_API_CTX_BOOT_INTERFACE_SEL_FLASH_NAND_QSPI:
+ #endif
++/*
++ * With FWU Multi Bank feature enabled, the selection of
++ * the image to boot will be done by fwu_init calling the
++ * platform hook, plat_fwu_set_images_source.
++ */
++#if !PSA_FWU_SUPPORT
+ 		image_block_spec.offset = STM32MP_NAND_FIP_OFFSET;
++#endif
+ 		break;
+ #endif
+ 
+@@ -550,28 +561,34 @@ int plat_get_image_source(unsigned int image_id, uintptr_t *dev_handle,
+  * This function shall return 0 if it cannot find an alternate
+  * image to be loaded or it returns 1 otherwise.
+  */
+-int plat_try_next_boot_source(unsigned int image_id)
++int plat_try_backup_partitions(unsigned int image_id)
+ {
+ 	static unsigned int backup_id;
+-	static unsigned int backup_nb;
++	static unsigned int backup_block_nb;
+ 
+-	/* No backup available */
+-	if (nand_bkp_offset == 0U) {
++	/* Check if NAND storage used */
++	if (nand_block_sz == 0U) {
+ 		return 0;
+ 	}
+ 
+ 	if (backup_id != image_id) {
+-		backup_nb = 0;
++		backup_block_nb = PLATFORM_MTD_MAX_PART_SIZE / nand_block_sz;
+ 		backup_id = image_id;
+ 	}
+ 
+-	backup_nb++;
++	if (backup_block_nb-- == 0U) {
++		return 0;
++	}
+ 
+-	if (backup_nb >= PLATFORM_MTD_BACKUP_BLOCKS) {
++#if PSA_FWU_SUPPORT
++	if (((image_block_spec.offset < STM32MP_NAND_FIP_B_OFFSET) &&
++	     ((image_block_spec.offset + nand_block_sz) >= STM32MP_NAND_FIP_B_OFFSET)) ||
++	    (image_block_spec.offset + nand_block_sz >= STM32MP_NAND_FIP_B_MAX_OFFSET)) {
+ 		return 0;
+ 	}
++#endif
+ 
+-	image_block_spec.offset += nand_bkp_offset;
++	image_block_spec.offset += nand_block_sz;
+ 
+ 	return 1;
+ }
+@@ -675,8 +692,14 @@ void plat_fwu_set_images_source(const struct fwu_metadata *metadata)
+ 		}
+ #endif
+ #if (STM32MP_SPI_NAND || STM32MP_RAW_NAND)
+-#error "FWU NAND not yet implemented"
+-		panic();
++		if (guidcmp(img_uuid, &STM32MP_NAND_FIP_A_GUID) == 0) {
++			image_spec->offset = STM32MP_NAND_FIP_A_OFFSET;
++		} else if (guidcmp(img_uuid, &STM32MP_NAND_FIP_B_GUID) == 0) {
++			image_spec->offset = STM32MP_NAND_FIP_B_OFFSET;
++		} else {
++			ERROR("Invalid uuid mentioned in metadata\n");
++			panic();
++		}
+ #endif
+ 	}
+ }
+@@ -719,6 +742,17 @@ static int plat_set_image_source(unsigned int image_id,
+ 
+ 	spec->length = sizeof(struct fwu_metadata);
+ #endif
++
++#if (STM32MP_SPI_NAND || STM32MP_RAW_NAND)
++	if (image_id == FWU_METADATA_IMAGE_ID) {
++		spec->offset = STM32MP_NAND_METADATA1_OFFSET;
++	} else {
++		spec->offset = STM32MP_NAND_METADATA2_OFFSET;
++	}
++
++	spec->length = sizeof(struct fwu_metadata);
++#endif
++
+ 	*image_spec = policy->image_spec;
+ 	*handle = *policy->dev_handle;
+ 
+@@ -734,4 +768,9 @@ int plat_fwu_set_metadata_image_source(unsigned int image_id,
+ 
+ 	return plat_set_image_source(image_id, handle, image_spec);
+ }
++
++bool plat_fwu_is_enabled(void)
++{
++	return !stm32mp_skip_boot_device_after_standby();
++}
+ #endif /* PSA_FWU_SUPPORT */
+diff --git a/plat/st/common/include/stm32mp_common.h b/plat/st/common/include/stm32mp_common.h
+index ab8130fb20..f3c0ca1177 100644
+--- a/plat/st/common/include/stm32mp_common.h
++++ b/plat/st/common/include/stm32mp_common.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2018-2021, STMicroelectronics - All Rights Reserved
++ * Copyright (C) 2018-2022, STMicroelectronics - All Rights Reserved
+  *
+  * SPDX-License-Identifier: BSD-3-Clause
+  */
+@@ -81,6 +81,8 @@ static inline void stm32mp_setup_early_console(void)
+ 
+ void stm32mp_set_console_after_standby(void);
+ 
++bool stm32mp_skip_boot_device_after_standby(void);
++
+ /*
+  * Platform util functions for the GPIO driver
+  * @bank: Target GPIO bank ID as per DT bindings
+diff --git a/plat/st/common/stm32cubeprogrammer_usb.c b/plat/st/common/stm32cubeprogrammer_usb.c
+index 962ffd403f..28e41c1f81 100644
+--- a/plat/st/common/stm32cubeprogrammer_usb.c
++++ b/plat/st/common/stm32cubeprogrammer_usb.c
+@@ -1,11 +1,12 @@
+ /*
+- * Copyright (c) 2021, STMicroelectronics - All Rights Reserved
++ * Copyright (c) 2021-2022, STMicroelectronics - All Rights Reserved
+  *
+  * SPDX-License-Identifier: BSD-3-Clause
+  */
+ 
+ #include <assert.h>
+ #include <errno.h>
++#include <string.h>
+ 
+ #include <tools_share/firmware_image_package.h>
+ 
+diff --git a/plat/st/common/stm32mp_common.c b/plat/st/common/stm32mp_common.c
+index 2b9f74eca0..8119ffe694 100644
+--- a/plat/st/common/stm32mp_common.c
++++ b/plat/st/common/stm32mp_common.c
+@@ -260,8 +260,11 @@ int stm32mp_uart_console_setup(void)
+ #if STM32MP_EARLY_CONSOLE
+ void stm32mp_setup_early_console(void)
+ {
++#if defined(IMAGE_BL2) || STM32MP_RECONFIGURE_CONSOLE
+ 	plat_crash_console_init();
++#endif
+ 	set_console(STM32MP_DEBUG_USART_BASE, STM32MP_DEBUG_USART_CLK_FRQ);
++	NOTICE("Early console setup\n");
+ }
+ #endif /* STM32MP_EARLY_CONSOLE */
+ 
+diff --git a/plat/st/common/stm32mp_crypto_lib.c b/plat/st/common/stm32mp_crypto_lib.c
+index ccba38b119..606e011443 100644
+--- a/plat/st/common/stm32mp_crypto_lib.c
++++ b/plat/st/common/stm32mp_crypto_lib.c
+@@ -54,6 +54,14 @@ static void crypto_lib_init(void)
+ 
+ 	int ret;
+ 
++	NOTICE("TRUSTED_BOARD_BOOT support enabled\n");
++
++	ret = stm32_hash_register();
++	if (ret != 0) {
++		ERROR("HASH init (%d)\n", ret);
++		panic();
++	}
++
+ 	if (!stm32mp_is_closed_device() && !stm32mp_is_auth_supported()) {
+ 		return;
+ 	}
+@@ -76,12 +84,6 @@ static void crypto_lib_init(void)
+ 	auth_ops.verify_signature =
+ 		boot_context->bootrom_ecdsa_verify_signature;
+ #endif
+-
+-	ret = stm32_hash_register();
+-	if (ret != 0) {
+-		ERROR("HASH init (%d)\n", ret);
+-		panic();
+-	}
+ }
+ 
+ int get_plain_pk_from_asn1(void *pk_ptr, unsigned int pk_len, void **plain_pk,
+@@ -313,6 +315,10 @@ static int crypto_verify_signature(void *data_ptr, unsigned int data_len,
+ 	size_t bignum_len = sizeof(sig) / 2U;
+ 	unsigned int seq_num = 0U;
+ 
++	if (!stm32mp_is_closed_device() && !stm32mp_is_auth_supported()) {
++		return CRYPTO_SUCCESS;
++	}
++
+ 	/* Get pointers to signature OID and parameters */
+ 	p = (unsigned char *)sig_alg;
+ 	end = (unsigned char *)(p + sig_alg_len);
+diff --git a/plat/st/common/stm32mp_fconf_io.c b/plat/st/common/stm32mp_fconf_io.c
+index 8c52a131bf..be73e5dee4 100644
+--- a/plat/st/common/stm32mp_fconf_io.c
++++ b/plat/st/common/stm32mp_fconf_io.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2021, STMicroelectronics - All Rights Reserved
++ * Copyright (c) 2021-2022, STMicroelectronics - All Rights Reserved
+  *
+  * SPDX-License-Identifier: BSD-3-Clause
+  */
+@@ -27,7 +27,7 @@ static io_block_spec_t gpt_block_spec = {
+ };
+ #endif
+ 
+-#if (STM32MP_SDMMC || STM32MP_EMMC || STM32MP_SPI_NOR) && PSA_FWU_SUPPORT
++#if PSA_FWU_SUPPORT
+ io_block_spec_t metadata_block_spec = {
+ 	.offset = 0,    /* To be filled at runtime */
+ 	.length = 0,    /* To be filled at runtime */
+@@ -74,7 +74,7 @@ struct plat_io_policy policies[MAX_NUMBER_IDS] = {
+ #endif /* PSA_FWU_SUPPORT */
+ };
+ 
+-#define DEFAULT_UUID_NUMBER	U(8)
++#define DEFAULT_UUID_NUMBER	U(7)
+ 
+ #if TRUSTED_BOARD_BOOT
+ #define TBBR_UUID_NUMBER	U(6)
+@@ -102,9 +102,8 @@ static const struct policies_load_info load_info[FCONF_ST_IO_UUID_NUMBER] = {
+ 	{BL33_IMAGE_ID, "bl33_uuid"},
+ 	{HW_CONFIG_ID, "hw_cfg_uuid"},
+ 	{TOS_FW_CONFIG_ID, "tos_fw_cfg_uuid"},
+-	{NT_FW_CONFIG_ID, "nt_fw_cfg_uuid"},
+ #if TRUSTED_BOARD_BOOT
+-	{TRUSTED_BOOT_FW_CERT_ID, "t_boot_fw_cert_uuid"},
++	{STM32MP_CONFIG_CERT_ID, "stm32mp_cfg_cert_uuid"},
+ 	{TRUSTED_KEY_CERT_ID, "t_key_cert_uuid"},
+ 	{TRUSTED_OS_FW_KEY_CERT_ID, "tos_fw_key_cert_uuid"},
+ 	{NON_TRUSTED_FW_KEY_CERT_ID, "nt_fw_key_cert_uuid"},
+diff --git a/plat/st/stm32mp1/bl2_plat_setup.c b/plat/st/stm32mp1/bl2_plat_setup.c
+index 6232d7b3c8..61e9eff328 100644
+--- a/plat/st/stm32mp1/bl2_plat_setup.c
++++ b/plat/st/stm32mp1/bl2_plat_setup.c
+@@ -19,6 +19,7 @@
+ #include <drivers/mmc.h>
+ #include <drivers/st/bsec.h>
+ #include <drivers/st/regulator_fixed.h>
++#include <drivers/st/regulator_gpio.h>
+ #include <drivers/st/stm32_iwdg.h>
+ #if STM32MP13
+ #include <drivers/st/stm32_mce.h>
+@@ -352,6 +353,12 @@ skip_console_init:
+ 		panic();
+ 	}
+ 
++#if (PLAT_NB_GPIO_REGUS > 0)
++	if (gpio_regulator_register() != 0) {
++		panic();
++	}
++#endif
++
+ 	if (dt_pmic_status() > 0) {
+ 		initialize_pmic();
+ 		if (!stm32mp1_is_wakeup_from_standby() &&
+@@ -394,7 +401,15 @@ skip_console_init:
+ 
+ 	fconf_populate("TB_FW", STM32MP_DTB_BASE);
+ 
+-	stm32mp_io_setup();
++	if (stm32mp_skip_boot_device_after_standby()) {
++		bl_mem_params_node_t *bl_mem_params = get_bl_mem_params_node(FW_CONFIG_ID);
++
++		assert(bl_mem_params != NULL);
++
++		bl_mem_params->image_info.h.attr |= IMAGE_ATTRIB_SKIP_LOADING;
++	} else {
++		stm32mp_io_setup();
++	}
+ }
+ 
+ #if STM32MP13
+@@ -406,6 +421,7 @@ static void prepare_encryption(void)
+ 
+ 	if (stm32mp1_is_wakeup_from_standby()) {
+ 		stm32mp1_pm_get_mce_mkey_from_context(mkey);
++		stm32_mce_reload_configuration();
+ 	} else {
+ 		/* Generate MCE master key from RNG */
+ 		if (stm32_rng_read(mkey, MCE_KEY_SIZE_IN_BYTES) != 0) {
+@@ -456,6 +472,10 @@ int bl2_plat_handle_post_image_load(unsigned int image_id)
+ 			prepare_encryption();
+ 		}
+ #endif
++		if (stm32mp_skip_boot_device_after_standby()) {
++			return 0;
++		}
++
+ 		/* Set global DTB info for fixed fw_config information */
+ 		set_config_info(STM32MP_FW_CONFIG_BASE, STM32MP_FW_CONFIG_MAX_SIZE, FW_CONFIG_ID);
+ 		fconf_populate("FW_CONFIG", STM32MP_FW_CONFIG_BASE);
+@@ -499,9 +519,12 @@ int bl2_plat_handle_post_image_load(unsigned int image_id)
+ 
+ 				/* Init base and size for pager if exist */
+ 				paged_mem_params = get_bl_mem_params_node(BL32_EXTRA2_IMAGE_ID);
+-				paged_mem_params->image_info.image_base = STM32MP_DDR_BASE +
+-					(dt_get_ddr_size() - STM32MP_DDR_S_SIZE);
+-				paged_mem_params->image_info.image_max_size = STM32MP_DDR_S_SIZE;
++				if (paged_mem_params != NULL) {
++					paged_mem_params->image_info.image_base = STM32MP_DDR_BASE +
++						(dt_get_ddr_size() - STM32MP_DDR_S_SIZE);
++					paged_mem_params->image_info.image_max_size =
++						STM32MP_DDR_S_SIZE;
++				}
+ 				break;
+ 
+ 			case BL33_IMAGE_ID:
+@@ -527,39 +550,46 @@ int bl2_plat_handle_post_image_load(unsigned int image_id)
+ 		break;
+ 
+ 	case BL32_IMAGE_ID:
+-#if STM32MP13
+-		if (wakeup_ddr_sr) {
++		if (wakeup_ddr_sr && stm32mp_skip_boot_device_after_standby()) {
+ 			bl_mem_params->ep_info.pc = stm32_pm_get_optee_ep();
++			if (stm32mp1_addr_inside_backupsram(bl_mem_params->ep_info.pc)) {
++				clk_enable(BKPSRAM);
++			}
+ 			break;
+ 		}
+-#endif
++
+ 		if (optee_header_is_valid(bl_mem_params->image_info.image_base)) {
++			image_info_t *paged_image_info = NULL;
++
+ 			/* BL32 is OP-TEE header */
+ 			bl_mem_params->ep_info.pc = bl_mem_params->image_info.image_base;
+-			if (wakeup_ddr_sr) {
+-				bl_mem_params->ep_info.pc = stm32_pm_get_optee_ep();
+-				if (stm32mp1_addr_inside_backupsram(bl_mem_params->ep_info.pc)) {
+-					clk_enable(BKPSRAM);
+-				}
+ 
+-				break;
+-			}
+ 			pager_mem_params = get_bl_mem_params_node(BL32_EXTRA1_IMAGE_ID);
++			assert(pager_mem_params != NULL);
++
+ 			paged_mem_params = get_bl_mem_params_node(BL32_EXTRA2_IMAGE_ID);
+-			assert((pager_mem_params != NULL) && (paged_mem_params != NULL));
++			if (paged_mem_params != NULL) {
++				paged_image_info = &paged_mem_params->image_info;
++			}
+ 
+ 			err = parse_optee_header(&bl_mem_params->ep_info,
+ 						 &pager_mem_params->image_info,
+-						 &paged_mem_params->image_info);
+-			if (err) {
++						 paged_image_info);
++			if (err != 0) {
+ 				ERROR("OPTEE header parse error.\n");
+ 				panic();
+ 			}
+ 
+ 			/* Set optee boot info from parsed header data */
+-			bl_mem_params->ep_info.args.arg0 = paged_mem_params->image_info.image_base;
+-			bl_mem_params->ep_info.args.arg1 = 0; /* Unused */
+-			bl_mem_params->ep_info.args.arg2 = 0; /* No DT supported */
++			if (paged_mem_params != NULL) {
++				bl_mem_params->ep_info.args.arg0 =
++					paged_mem_params->image_info.image_base;
++			} else {
++				bl_mem_params->ep_info.args.arg0 = 0U;
++			}
++
++			bl_mem_params->ep_info.args.arg1 = 0U; /* Unused */
++			bl_mem_params->ep_info.args.arg2 = 0U; /* No DT supported */
+ 		} else {
+ 			bl_mem_params->ep_info.pc = bl_mem_params->image_info.image_base;
+ 			tos_fw_mem_params = get_bl_mem_params_node(TOS_FW_CONFIG_ID);
+@@ -578,7 +608,9 @@ int bl2_plat_handle_post_image_load(unsigned int image_id)
+ 		assert(bl32_mem_params != NULL);
+ 		bl32_mem_params->ep_info.lr_svc = bl_mem_params->ep_info.pc;
+ #if PSA_FWU_SUPPORT
+-		stm32mp1_fwu_set_boot_idx();
++		if (plat_fwu_is_enabled()) {
++			stm32mp1_fwu_set_boot_idx();
++		}
+ #endif /* PSA_FWU_SUPPORT */
+ 		break;
+ 
+diff --git a/plat/st/stm32mp1/cert_create_tbbr.mk b/plat/st/stm32mp1/cert_create_tbbr.mk
+new file mode 100644
+index 0000000000..d5a9c84616
+--- /dev/null
++++ b/plat/st/stm32mp1/cert_create_tbbr.mk
+@@ -0,0 +1,19 @@
++#
++# Copyright (c) 2022, STMicroelectronics - All Rights Reserved
++#
++# SPDX-License-Identifier: BSD-3-Clause
++#
++
++# Override TBBR Cert to update generic certificate
++
++$(eval $(call add_define,PDEF_CERTS))
++
++PLAT_INCLUDE	+= -I${PLAT_DIR}include \
++
++src/stm32mp1_tbb_cert.o: ${PLAT_DIR}stm32mp1_tbb_cert.c
++	${Q}${HOSTCC} -c ${HOSTCCFLAGS} ${INC_DIR} $< -o $@
++
++PLAT_OBJECTS	= src/stm32mp1_tbb_cert.o
++
++OBJECTS		+= $(PLAT_OBJECTS)
++
+diff --git a/plat/st/stm32mp1/include/plat_def_fip_uuid.h b/plat/st/stm32mp1/include/plat_def_fip_uuid.h
+new file mode 100644
+index 0000000000..e5fbc2dfc5
+--- /dev/null
++++ b/plat/st/stm32mp1/include/plat_def_fip_uuid.h
+@@ -0,0 +1,14 @@
++/*
++ * Copyright (c) 2021-2022, STMicroelectronics - All Rights Reserved
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ */
++
++#ifndef PLAT_DEF_FIP_UUID_H
++#define PLAT_DEF_FIP_UUID_H
++
++#define UUID_STM32MP_CONFIG_CERT \
++	{{0x50, 0x1d, 0x8d, 0xd2}, {0x8b, 0xce}, {0x49, 0xa5}, 0x84, 0xeb, \
++	 {0x55, 0x9a, 0x9f, 0x2e, 0xae, 0xaf} }
++#endif /* PLAT_DEF_FIP_UUID_H */
++
+diff --git a/plat/st/stm32mp1/include/plat_tbbr_img_def.h b/plat/st/stm32mp1/include/plat_tbbr_img_def.h
+new file mode 100644
+index 0000000000..984aae85b2
+--- /dev/null
++++ b/plat/st/stm32mp1/include/plat_tbbr_img_def.h
+@@ -0,0 +1,40 @@
++/*
++ * Copyright (c) 2022, STMicroelectronics - All Rights Reserved
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ *
++ */
++
++#ifndef STM32MP1_IMG_DEF_H
++#define STM32MP1_IMG_DEF_H
++
++#include <export/common/tbbr/tbbr_img_def_exp.h>
++
++/* Undef the existing values */
++#undef BL32_EXTRA1_IMAGE_ID
++#undef BL32_EXTRA2_IMAGE_ID
++#undef TOS_FW_CONFIG_ID
++#undef TRUSTED_BOOT_FW_CERT_ID
++#undef FWU_METADATA_IMAGE_ID
++#undef BKUP_FWU_METADATA_IMAGE_ID
++#undef FW_CONFIG_ID
++#undef HW_CONFIG_ID
++#undef GPT_IMAGE_ID
++#undef ENC_IMAGE_ID
++
++/* Define the STM32MP1 used ID */
++#define FW_CONFIG_ID			U(1)
++#define HW_CONFIG_ID			U(2)
++#define GPT_IMAGE_ID			U(3)
++#define ENC_IMAGE_ID			U(6)
++#define BL32_EXTRA1_IMAGE_ID		U(8)
++#define BL32_EXTRA2_IMAGE_ID		U(9)
++#define FWU_METADATA_IMAGE_ID		U(12)
++#define BKUP_FWU_METADATA_IMAGE_ID	U(13)
++#define TOS_FW_CONFIG_ID		U(16)
++#define STM32MP_CONFIG_CERT_ID		U(17)
++
++/* Increase the MAX_NUMBER_IDS to match the authentication pool required */
++#define MAX_NUMBER_IDS			U(19)
++
++#endif	/* STM32MP1_IMG_DEF_H */
+diff --git a/plat/st/stm32mp1/include/stm32mp1_context.h b/plat/st/stm32mp1/include/stm32mp1_context.h
+index 703fdce370..c89c213b3e 100644
+--- a/plat/st/stm32mp1/include/stm32mp1_context.h
++++ b/plat/st/stm32mp1/include/stm32mp1_context.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2017-2021, ARM Limited and Contributors. All rights reserved.
++ * Copyright (c) 2017-2022, ARM Limited and Contributors. All rights reserved.
+  *
+  * SPDX-License-Identifier: BSD-3-Clause
+  */
+@@ -10,6 +10,7 @@
+ #include <stdbool.h>
+ #include <stdint.h>
+ 
++#include <drivers/st/stm32_mce.h>
+ #include <drivers/st/stm32_rtc.h>
+ 
+ void stm32_clean_context(void);
+@@ -32,6 +33,8 @@ uint32_t stm32_pm_get_optee_ep(void);
+ #if STM32MP13
+ void stm32mp1_pm_save_mce_mkey_in_context(uint8_t *data);
+ void stm32mp1_pm_get_mce_mkey_from_context(uint8_t *data);
++void stm32mp1_pm_save_mce_region(uint32_t index, struct stm32_mce_region_s *config);
++void stm32mp1_pm_get_mce_region(uint32_t index, struct stm32_mce_region_s *config);
+ #endif
+ 
+ void stm32mp1_pm_save_clock_cfg(size_t offset, uint8_t *data, size_t size);
+diff --git a/plat/st/stm32mp1/include/tbbr/stm32mp1_tbb_cert.h b/plat/st/stm32mp1/include/tbbr/stm32mp1_tbb_cert.h
+new file mode 100644
+index 0000000000..2cc1e19e49
+--- /dev/null
++++ b/plat/st/stm32mp1/include/tbbr/stm32mp1_tbb_cert.h
+@@ -0,0 +1,19 @@
++/*
++ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ */
++
++#ifndef STM32MP1_TBB_CERT_H
++#define STM32MP1_TBB_CERT_H
++
++#include <tbbr/tbb_cert.h>
++
++/*
++ * Enumerate the certificates that are used to establish the chain of trust
++ */
++enum {
++	STM32MP_CONFIG_CERT = FWU_CERT + 1
++};
++
++#endif /* STM32MP1_TBB_CERT_H */
+diff --git a/plat/st/stm32mp1/plat_bl2_mem_params_desc.c b/plat/st/stm32mp1/plat_bl2_mem_params_desc.c
+index 6fe13391c6..9f1a3e588f 100644
+--- a/plat/st/stm32mp1/plat_bl2_mem_params_desc.c
++++ b/plat/st/stm32mp1/plat_bl2_mem_params_desc.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2016-2021, ARM Limited and Contributors. All rights reserved.
++ * Copyright (c) 2016-2022, ARM Limited and Contributors. All rights reserved.
+  *
+  * SPDX-License-Identifier: BSD-3-Clause
+  */
+@@ -68,6 +68,7 @@ static bl_mem_params_node_t bl2_mem_params_descs[] = {
+ 
+ 		.next_handoff_image_id = INVALID_IMAGE_ID,
+ 	},
++#if STM32MP15
+ 	/* Fill BL32 external 2 image related information */
+ 	{
+ 		.image_id = BL32_EXTRA2_IMAGE_ID,
+@@ -82,6 +83,7 @@ static bl_mem_params_node_t bl2_mem_params_descs[] = {
+ 
+ 		.next_handoff_image_id = INVALID_IMAGE_ID,
+ 	},
++#endif
+ 
+ 	/* Fill HW_CONFIG related information if it exists */
+ 	{
+diff --git a/plat/st/stm32mp1/plat_def_uuid_config.c b/plat/st/stm32mp1/plat_def_uuid_config.c
+new file mode 100644
+index 0000000000..efaf567014
+--- /dev/null
++++ b/plat/st/stm32mp1/plat_def_uuid_config.c
+@@ -0,0 +1,18 @@
++/*
++ * Copyright (c) 2022, STMicroelectronics - All Rights Reserved
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ */
++
++#include <firmware_image_package.h>
++
++#include "tbbr_config.h"
++
++toc_entry_t plat_def_toc_entries[] = {
++	{
++		.name = "STM32MP CONFIG CERT",
++		.uuid = UUID_STM32MP_CONFIG_CERT,
++		.cmdline_name = "stm32mp-cfg-cert"
++	}
++};
++
+diff --git a/plat/st/stm32mp1/plat_fiptool.mk b/plat/st/stm32mp1/plat_fiptool.mk
+new file mode 100644
+index 0000000000..00570c2b3f
+--- /dev/null
++++ b/plat/st/stm32mp1/plat_fiptool.mk
+@@ -0,0 +1,25 @@
++#
++# Copyright (c) 2021-2022, STMicroelectronics - All Rights Reserved
++#
++# SPDX-License-Identifier: BSD-3-Clause
++#
++
++# Name of the platform defined source file name,
++# which contains platform defined UUID entries populated
++# in the plat_def_toc_entries[].
++PLAT_DEF_UUID_FILE_NAME	:= plat_def_uuid_config
++
++INCLUDE_PATHS		+= -I${PLAT_DIR}/include -I./
++
++PLAT_DEF_UUID		:= yes
++
++ifeq (${PLAT_DEF_UUID},yes)
++HOSTCCFLAGS += -DPLAT_DEF_FIP_UUID
++
++${PLAT_DEF_UUID_FILE_NAME}.o: ${PLAT_DIR}${PLAT_DEF_UUID_FILE_NAME}.c
++	${HOSTCC} -c ${CPPFLAGS} ${HOSTCCFLAGS} ${INCLUDE_PATHS} $< -o $@
++
++PLAT_OBJECTS += ${PLAT_DEF_UUID_FILE_NAME}.o
++endif
++
++OBJECTS += ${PLAT_OBJECTS}
+diff --git a/plat/st/stm32mp1/platform.mk b/plat/st/stm32mp1/platform.mk
+index b2ffe5a223..9a4122184b 100644
+--- a/plat/st/stm32mp1/platform.mk
++++ b/plat/st/stm32mp1/platform.mk
+@@ -10,11 +10,13 @@ BL2_AT_EL3		:=	1
+ USE_COHERENT_MEM	:=	0
+ 
+ STM32MP_EARLY_CONSOLE	?=	0
++STM32MP_RECONFIGURE_CONSOLE ?=	0
+ STM32MP_UART_BAUDRATE	?=	115200
+ 
+ # Add specific ST version
+-ST_VERSION 		:=	r1.0
+-VERSION_STRING		:=	v${VERSION_MAJOR}.${VERSION_MINOR}-${PLAT}-${ST_VERSION}(${BUILD_TYPE}):${BUILD_STRING}
++ST_VERSION 		:=	r2.0
++ST_GIT_SHA1		:=	$(shell git rev-parse --short=8 HEAD 2>/dev/null)
++VERSION_STRING		:=	v${VERSION_MAJOR}.${VERSION_MINOR}-${PLAT}-${ST_VERSION}(${BUILD_TYPE}):${BUILD_STRING}(${ST_GIT_SHA1})
+ 
+ TRUSTED_BOARD_BOOT	?=	0
+ STM32MP_USE_EXTERNAL_HEAP ?=	0
+@@ -187,11 +189,11 @@ endif
+ $(eval $(call TOOL_ADD_PAYLOAD,${STM32MP_FW_CONFIG},--fw-config))
+ # Add the HW_CONFIG to FIP and specify the same to certtool
+ $(eval $(call TOOL_ADD_PAYLOAD,${STM32MP_HW_CONFIG},--hw-config))
+-ifeq (${GENERATE_COT},1)
+-$(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/tb_fw.crt,--tb-fw-cert))
++ifeq ($(GENERATE_COT),1)
++STM32MP_CFG_CERT	:=	$(BUILD_PLAT)/stm32mp_cfg_cert.crt
++# Add the STM32MP_CFG_CERT to FIP and specify the same to certtool
++$(eval $(call TOOL_ADD_PAYLOAD,${STM32MP_CFG_CERT},--stm32mp-cfg-cert))
+ endif
+-$(eval $(call CERT_ADD_CMD_OPT,${BUILD_PLAT}/bl2.bin,--tb-fw))
+-CRT_DEPS+=${BUILD_PLAT}/bl2.bin
+ ifeq ($(AARCH32_SP),sp_min)
+ STM32MP_TOS_FW_CONFIG	:= $(addprefix ${BUILD_PLAT}/fdts/, $(patsubst %.dtb,%-bl32.dtb,$(DTB_FILE_NAME)))
+ $(eval $(call TOOL_ADD_PAYLOAD,${STM32MP_TOS_FW_CONFIG},--tos-fw-config))
+@@ -212,6 +214,7 @@ $(eval $(call assert_booleans,\
+ 		BL33_HYP \
+ 		PKA_USE_BRAINPOOL_P256T1 \
+ 		PKA_USE_NIST_P256 \
++		PLAT_TBBR_IMG_DEF \
+ 		PLAT_XLAT_TABLES_DYNAMIC \
+ 		STM32MP_DDR_32BIT_INTERFACE \
+ 		STM32MP_DDR_DUAL_AXI_PORT \
+@@ -219,6 +222,7 @@ $(eval $(call assert_booleans,\
+ 		STM32MP_EMMC \
+ 		STM32MP_EMMC_BOOT \
+ 		STM32MP_RAW_NAND \
++		STM32MP_RECONFIGURE_CONSOLE \
+ 		STM32MP_SDMMC \
+ 		STM32MP_SPI_NAND \
+ 		STM32MP_SPI_NOR \
+@@ -245,6 +249,7 @@ $(eval $(call add_defines,\
+ 		PKA_USE_BRAINPOOL_P256T1 \
+ 		PKA_USE_NIST_P256 \
+ 		PLAT_PARTITION_MAX_ENTRIES \
++		PLAT_TBBR_IMG_DEF \
+ 		PLAT_XLAT_TABLES_DYNAMIC \
+ 		STM32_TF_A_COPIES \
+ 		STM32_TF_VERSION \
+@@ -254,6 +259,7 @@ $(eval $(call add_defines,\
+ 		STM32MP_EMMC \
+ 		STM32MP_EMMC_BOOT \
+ 		STM32MP_RAW_NAND \
++		STM32MP_RECONFIGURE_CONSOLE \
+ 		STM32MP_SDMMC \
+ 		STM32MP_SPI_NAND \
+ 		STM32MP_SPI_NOR \
+@@ -303,6 +309,7 @@ PLAT_BL_COMMON_SOURCES	+=	drivers/arm/tzc/tzc400.c				\
+ 				drivers/st/pmic/stm32mp_pmic.c				\
+ 				drivers/st/pmic/stpmic1.c				\
+ 				drivers/st/regulator/regulator_fixed.c			\
++				drivers/st/regulator/regulator_gpio.c			\
+ 				drivers/st/reset/stm32mp1_reset.c			\
+ 				plat/st/common/stm32mp_dt.c				\
+ 				plat/st/common/stm32mp_shres_helpers.c			\
+@@ -359,14 +366,22 @@ NTFW_NVCTR_VAL		:=	0
+ KEY_SIZE		:=
+ KEY_ALG			:=	ecdsa
+ HASH_ALG		:=	sha256
++
++ifeq (${SAVE_KEYS},1)
++TRUSTED_WORLD_KEY	?=	${BUILD_PLAT}/trusted.pem
++NON_TRUSTED_WORLD_KEY	?=	${BUILD_PLAT}/non-trusted.pem
++BL32_KEY		?=	${BUILD_PLAT}/trusted_os.pem
++BL33_KEY		?=	${BUILD_PLAT}/non-trusted_os.pem
++endif
++
+ endif
+ TF_MBEDTLS_KEY_ALG 	:=	ecdsa
+ MBEDTLS_CONFIG_FILE	?=	"<stm32mp15_mbedtls_config.h>"
+ 
+ include drivers/auth/mbedtls/mbedtls_x509.mk
+ 
+-
+-AUTH_SOURCES		+=	drivers/auth/tbbr/tbbr_cot_common.c			\
++COT_DESC_IN_DTB		:=	1
++AUTH_SOURCES		+=	lib/fconf/fconf_cot_getter.c				\
+ 				lib/fconf/fconf_tbbr_getter.c				\
+ 				plat/st/common/stm32mp_crypto_lib.c
+ 
+@@ -375,8 +390,6 @@ AUTH_SOURCES		+=	drivers/st/crypto/stm32_pka.c
+ AUTH_SOURCES		+=	drivers/st/crypto/stm32_saes.c
+ endif
+ 
+-BL2_SOURCES		+=	drivers/auth/tbbr/tbbr_cot_bl2.c
+-
+ BL2_SOURCES		+=	$(AUTH_SOURCES)						\
+ 				plat/st/common/stm32mp_trusted_boot.c
+ endif
+diff --git a/plat/st/stm32mp1/services/bsec_svc.c b/plat/st/stm32mp1/services/bsec_svc.c
+index eb9c4fe748..9b00324776 100644
+--- a/plat/st/stm32mp1/services/bsec_svc.c
++++ b/plat/st/stm32mp1/services/bsec_svc.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2016-2021, STMicroelectronics - All Rights Reserved
++ * Copyright (c) 2016-2022, STMicroelectronics - All Rights Reserved
+  *
+  * SPDX-License-Identifier: BSD-3-Clause
+  */
+@@ -34,12 +34,6 @@
+  */
+ #define BSEC_SERVICE_VERSION		0x02U
+ 
+-enum bsec_ssp_status {
+-	BSEC_NO_SSP = 0,
+-	BSEC_SSP_SET,
+-	BSEC_SSP_ERROR
+-};
+-
+ /* Global status bitfield */
+ #define BSEC_STATE_SEC_OPEN	U(0x0)
+ #define BSEC_STATE_SEC_CLOSED	U(0x1)
+@@ -67,51 +61,6 @@ struct otp_exchange {
+ 	struct otp_state otp[STM32MP1_OTP_MAX_ID];
+ };
+ 
+-static enum bsec_ssp_status bsec_check_ssp(uint32_t otp, uint32_t update)
+-{
+-	boot_api_context_t *boot_context =
+-		(boot_api_context_t *)BOOT_PARAM_ADDR;
+-
+-	/* No SSP update or SSP already done*/
+-	if ((((otp & SSP_OTP_MASK) == 0U) && ((update & SSP_OTP_MASK) == 0U)) ||
+-	    (((otp & SSP_OTP_MASK) == SSP_OTP_MASK) &&
+-	     ((update & SSP_OTP_MASK) == SSP_OTP_MASK))) {
+-		return BSEC_NO_SSP;
+-	}
+-
+-	/* SSP update */
+-	if ((update & SSP_OTP_MASK) != 0U) {
+-		if ((update & SSP_OTP_SUCCESS) != 0U) {
+-			return BSEC_SSP_ERROR;
+-		}
+-
+-		/* SSP boot process */
+-		boot_context->p_ssp_config->ssp_cmd =
+-			BOOT_API_CTX_SSP_CMD_CALC_CHIP_PUBK;
+-#ifndef DCACHE_OFF
+-		flush_dcache_range((uintptr_t)boot_context->p_ssp_config,
+-				   sizeof(boot_api_ssp_config_t));
+-#endif
+-		if (dt_pmic_status() > 0) {
+-			struct rdev *regul;
+-
+-			initialize_pmic();
+-
+-			regul = dt_get_cpu_regulator();
+-			if (regul == NULL) {
+-				return BSEC_SSP_ERROR;
+-			}
+-
+-			if (regulator_set_flag(regul, REGUL_MASK_RESET) < 0) {
+-				return BSEC_SSP_ERROR;
+-			}
+-		}
+-
+-		return BSEC_SSP_SET;
+-	}
+-	return BSEC_NO_SSP;
+-}
+-
+ static uint32_t bsec_read_all_bsec(struct otp_exchange *exchange)
+ {
+ 	uint32_t i;
+@@ -306,18 +255,6 @@ uint32_t bsec_main(uint32_t x1, uint32_t x2, uint32_t x3,
+ 		break;
+ 	case STM32_SMC_PROG_OTP:
+ 		*ret_otp_value = 0U;
+-		if (x2 == BOOT_API_OTP_SSP_WORD_NB) {
+-			result = bsec_read_otp(&tmp_data, x2);
+-			if (result != BSEC_OK) {
+-				break;
+-			}
+-
+-			*ret_otp_value = (uint32_t)bsec_check_ssp(tmp_data, x3);
+-			if (*ret_otp_value == (uint32_t)BSEC_SSP_ERROR) {
+-				result = BSEC_OK;
+-				break;
+-			}
+-		}
+ 		result = bsec_program_otp(x3, x2);
+ 		break;
+ 	case STM32_SMC_WRITE_SHADOW:
+diff --git a/plat/st/stm32mp1/sp_min/sp_min_setup.c b/plat/st/stm32mp1/sp_min/sp_min_setup.c
+index 7044d9a479..d30608ed52 100644
+--- a/plat/st/stm32mp1/sp_min/sp_min_setup.c
++++ b/plat/st/stm32mp1/sp_min/sp_min_setup.c
+@@ -477,7 +477,7 @@ void sp_min_early_platform_setup2(u_register_t arg0, u_register_t arg1,
+ 		panic();
+ 	}
+ 
+-	if (bl33_image_ep_info.args.arg2 != 0U) {
++	if ((bl33_image_ep_info.pc != 0U) && (bl33_image_ep_info.args.arg2 != 0U)) {
+ 		populate_ns_dt(bl33_image_ep_info.args.arg2);
+ 	}
+ 
+diff --git a/plat/st/stm32mp1/stm32mp1_context.c b/plat/st/stm32mp1/stm32mp1_context.c
+index 7cf0c0fd78..4ed88e6c42 100644
+--- a/plat/st/stm32mp1/stm32mp1_context.c
++++ b/plat/st/stm32mp1/stm32mp1_context.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2017-2021, ARM Limited and Contributors. All rights reserved.
++ * Copyright (c) 2017-2022, ARM Limited and Contributors. All rights reserved.
+  *
+  * SPDX-License-Identifier: BSD-3-Clause
+  */
+@@ -9,6 +9,7 @@
+ 
+ #include <arch_helpers.h>
+ #include <context.h>
++#include <drivers/arm/tzc400.h>
+ #include <drivers/clk.h>
+ #include <drivers/regulator.h>
+ #include <drivers/st/stm32_rtc.h>
+@@ -80,10 +81,28 @@ struct backup_data_s {
+ 	uint32_t bl2_end;
+ #if STM32MP13
+ 	uint8_t mce_mkey[MCE_KEY_SIZE_IN_BYTES];
++	struct stm32_mce_region_s mce_regions[MCE_IP_MAX_REGION_NB];
+ #endif
+ };
+ 
+ #if defined(IMAGE_BL32)
++#define STM32MP1_TZC_REGION_OFFSET(num_region)		(U(0x20) * ((num_region) - U(1)))
++#define STM32MP1_TZC_REGION_LOW(num_region)		(U(0x120) + \
++							 STM32MP1_TZC_REGION_OFFSET(num_region))
++#define STM32MP1_TZC_REGION_TOP(num_region)		(U(0x128) + \
++							 STM32MP1_TZC_REGION_OFFSET(num_region))
++#define STM32MP1_TZC_REGION_ATTRIBUTE(num_region)	(U(0x130) + \
++							 STM32MP1_TZC_REGION_OFFSET(num_region))
++#define STM32MP1_TZC_REGION_ACCESS(num_region)		(U(0x134) + \
++							 STM32MP1_TZC_REGION_OFFSET(num_region))
++
++struct tzc_regions {
++	uint32_t low;
++	uint32_t top;
++	uint32_t attribute;
++	uint32_t access;
++};
++
+ struct backup_bl32_data_s {
+ 	uint32_t canary_id;
+ 	smc_ctx_t saved_smc_context[PLATFORM_CORE_COUNT];
+@@ -93,6 +112,7 @@ struct backup_bl32_data_s {
+ 	uint8_t clock_cfg[CLOCK_CONTEXT_SIZE];
+ 	uint8_t scmi_context[SCMI_CONTEXT_SIZE];
+ 	uint8_t regul_context[PLAT_BACKUP_REGULATOR_SIZE];
++	struct tzc_regions tzc_backup_context[STM32MP1_TZC_MAX_REGIONS];
+ };
+ 
+ static struct backup_bl32_data_s *get_bl32_backup_data(void)
+@@ -179,6 +199,55 @@ void stm32mp1_pm_restore_clock_cfg(size_t offset, uint8_t *data, size_t size)
+ 	clk_disable(BKPSRAM);
+ }
+ 
++static void tzc_backup_context_save(struct tzc_regions *regions)
++{
++	unsigned int i;
++
++	assert(regions != NULL);
++
++	zeromem(regions, sizeof(struct tzc_regions) * STM32MP1_TZC_MAX_REGIONS);
++
++	tzc400_init(STM32MP1_TZC_BASE);
++
++	for (i = 0U; i < STM32MP1_TZC_MAX_REGIONS; i++) {
++		unsigned int reg_num = i + 1U;
++
++		regions[i].low = mmio_read_32(STM32MP1_TZC_BASE +
++					      STM32MP1_TZC_REGION_LOW(reg_num));
++		regions[i].top = mmio_read_32(STM32MP1_TZC_BASE +
++					      STM32MP1_TZC_REGION_TOP(reg_num));
++		regions[i].attribute = mmio_read_32(STM32MP1_TZC_BASE +
++						    STM32MP1_TZC_REGION_ATTRIBUTE(reg_num));
++		regions[i].access = mmio_read_32(STM32MP1_TZC_BASE +
++						 STM32MP1_TZC_REGION_ACCESS(reg_num));
++	}
++}
++
++static void tzc_backup_context_restore(struct tzc_regions *regions)
++{
++	unsigned int i;
++
++	assert(regions != NULL);
++
++	tzc400_init(STM32MP1_TZC_BASE);
++
++	for (i = 0U; i < STM32MP1_TZC_MAX_REGIONS; i++) {
++		unsigned int reg_num = i + 1U;
++
++		mmio_write_32(STM32MP1_TZC_BASE + STM32MP1_TZC_REGION_LOW(reg_num),
++			      regions[i].low);
++		mmio_write_32(STM32MP1_TZC_BASE + STM32MP1_TZC_REGION_TOP(reg_num),
++			      regions[i].top);
++		mmio_write_32(STM32MP1_TZC_BASE + STM32MP1_TZC_REGION_ATTRIBUTE(reg_num),
++			      regions[i].attribute);
++		mmio_write_32(STM32MP1_TZC_BASE + STM32MP1_TZC_REGION_ACCESS(reg_num),
++			      regions[i].access);
++	}
++
++	/* Disable Region 0 access */
++	tzc400_configure_region0(TZC_REGION_S_NONE, 0);
++}
++
+ int stm32_save_context(uint32_t zq0cr0_zdata,
+ 		       struct stm32_rtc_calendar *rtc_time,
+ 		       unsigned long long stgen_cnt)
+@@ -231,6 +300,8 @@ int stm32_save_context(uint32_t zq0cr0_zdata,
+ 	regulator_core_backup_context(backup_bl32_data->regul_context,
+ 				      sizeof(backup_bl32_data->regul_context));
+ 
++	tzc_backup_context_save(backup_bl32_data->tzc_backup_context);
++
+ 	clk_disable(BKPSRAM);
+ 
+ 	return 0;
+@@ -268,6 +339,8 @@ int stm32_restore_context(void)
+ 
+ 	restore_clock_pm_context();
+ 
++	tzc_backup_context_restore(backup_bl32_data->tzc_backup_context);
++
+ 	stm32mp1_pm_restore_scmi_state(backup_bl32_data->scmi_context,
+ 				       sizeof(backup_bl32_data->scmi_context));
+ 
+@@ -525,4 +598,37 @@ void stm32mp1_pm_get_mce_mkey_from_context(uint8_t *data)
+ 	clk_disable(BKPSRAM);
+ }
+ 
++void stm32mp1_pm_save_mce_region(uint32_t index, struct stm32_mce_region_s *config)
++{
++	struct backup_data_s *backup_data;
++
++	if (index >= MCE_IP_MAX_REGION_NB) {
++		panic();
++	}
++
++	backup_data = (struct backup_data_s *)STM32MP_BACKUP_RAM_BASE;
++
++	clk_enable(BKPSRAM);
++
++	memcpy(&backup_data->mce_regions[index], config, sizeof(struct stm32_mce_region_s));
++
++	clk_disable(BKPSRAM);
++}
++
++void stm32mp1_pm_get_mce_region(uint32_t index, struct stm32_mce_region_s *config)
++{
++	struct backup_data_s *backup_data;
++
++	if (index >= MCE_IP_MAX_REGION_NB) {
++		panic();
++	}
++
++	backup_data = (struct backup_data_s *)STM32MP_BACKUP_RAM_BASE;
++
++	clk_enable(BKPSRAM);
++
++	memcpy(config, &backup_data->mce_regions[index], sizeof(struct stm32_mce_region_s));
++
++	clk_disable(BKPSRAM);
++}
+ #endif
+diff --git a/plat/st/stm32mp1/stm32mp1_def.h b/plat/st/stm32mp1/stm32mp1_def.h
+index d95945c228..ba92bd3213 100644
+--- a/plat/st/stm32mp1/stm32mp1_def.h
++++ b/plat/st/stm32mp1/stm32mp1_def.h
+@@ -10,6 +10,7 @@
+ #include <common/tbbr/tbbr_img_def.h>
+ #include <drivers/st/stm32mp1_rcc.h>
+ #include <dt-bindings/clock/stm32mp1-clks.h>
++#include <dt-bindings/gpio/stm32-gpio.h>
+ #include <dt-bindings/reset/stm32mp1-resets.h>
+ #include <dt-bindings/soc/st,stm32-etzpc.h>
+ #include <lib/utils_def.h>
+@@ -89,11 +90,6 @@
+ #define PKG_AD_TFBGA257		U(1)
+ #endif
+ 
+-/*******************************************************************************
+- * BOOT PARAM
+- ******************************************************************************/
+-#define BOOT_PARAM_ADDR			U(0x2FFC0078)
+-
+ /*******************************************************************************
+  * STM32MP1 memory map related constants
+  ******************************************************************************/
+@@ -219,9 +215,9 @@ enum ddr_type {
+ #endif
+ /*
+  * Only used for MTD devices that need some backup blocks.
+- * Must define a number of reserved blocks (depends on devices).
++ * Must define a maximum size for a partition.
+  */
+-#define PLATFORM_MTD_BACKUP_BLOCKS	U(20)	/* (20 * MTD block size) */
++#define PLATFORM_MTD_MAX_PART_SIZE	U(0x00400000)
+ 
+ /*******************************************************************************
+  * STM32MP1 device/io map related constants (used for MMU)
+@@ -277,29 +273,21 @@ enum ddr_type {
+ #endif
+ #define GPIO_BANK_OFFSET		U(0x1000)
+ 
+-/* Bank IDs used in GPIO driver API */
+-#define GPIO_BANK_A			U(0)
+-#define GPIO_BANK_B			U(1)
+-#define GPIO_BANK_C			U(2)
+-#define GPIO_BANK_D			U(3)
+-#define GPIO_BANK_E			U(4)
+-#define GPIO_BANK_F			U(5)
+-#define GPIO_BANK_G			U(6)
+-#define GPIO_BANK_H			U(7)
+-#define GPIO_BANK_I			U(8)
+ #if STM32MP15
+-#define GPIO_BANK_J			U(9)
+-#define GPIO_BANK_K			U(10)
+-#define GPIO_BANK_Z			U(25)
+-
+ #define STM32MP_GPIOZ_PIN_MAX_COUNT	8
+ #endif
+ 
+ /*******************************************************************************
+  * STM32MP1 UART
+  ******************************************************************************/
++#if STM32MP13
++#define USART1_BASE			U(0x4C000000)
++#define USART2_BASE			U(0x4C001000)
++#endif
++#if STM32MP15
+ #define USART1_BASE			U(0x5C000000)
+ #define USART2_BASE			U(0x4000E000)
++#endif
+ #define USART3_BASE			U(0x4000F000)
+ #define UART4_BASE			U(0x40010000)
+ #define UART5_BASE			U(0x40011000)
+@@ -351,6 +339,7 @@ enum ddr_type {
+  * STM32MP1 TZC (TZ400)
+  ******************************************************************************/
+ #define STM32MP1_TZC_BASE		U(0x5C006000)
++#define STM32MP1_TZC_MAX_REGIONS	U(8)
+ 
+ #if STM32MP13
+ #define STM32MP1_FILTER_BIT_ALL		TZC_400_REGION_ATTR_FILTER_BIT(0)
+@@ -648,7 +637,9 @@ static inline uintptr_t tamp_bkpr(uint32_t idx)
+ /* 3 PWR + 1 VREFBUF + 14 PMIC regulators + 1 FIXED */
+ #define PLAT_NB_RDEVS			U(19)
+ /* 2 FIXED */
+-#define PLAT_NB_FIXED_REGS		U(2)
++#define PLAT_NB_FIXED_REGUS		U(2)
++/* No GPIO regu */
++#define PLAT_NB_GPIO_REGUS		U(0)
+ /* Number of low power modes defined in the device tree */
+ #define PLAT_NB_SUSPEND_MODES		7
+ 
+diff --git a/plat/st/stm32mp1/stm32mp1_fconf_firewall.c b/plat/st/stm32mp1/stm32mp1_fconf_firewall.c
+index aa65ed036b..2697e0d1f8 100644
+--- a/plat/st/stm32mp1/stm32mp1_fconf_firewall.c
++++ b/plat/st/stm32mp1/stm32mp1_fconf_firewall.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2021, STMicroelectronics - All Rights Reserved
++ * Copyright (c) 2021-2022, STMicroelectronics - All Rights Reserved
+  *
+  * SPDX-License-Identifier: BSD-3-Clause
+  */
+@@ -10,6 +10,7 @@
+ #include <common/fdt_wrappers.h>
+ #include <drivers/arm/tzc400.h>
+ #include <drivers/clk.h>
++#include <drivers/st/stm32mp1_ram.h>
+ #include <dt-bindings/clock/stm32mp1-clks.h>
+ #include <lib/fconf/fconf.h>
+ #include <lib/object_pool.h>
+@@ -56,6 +57,11 @@ void stm32mp1_security_setup(void)
+ {
+ 	uint8_t i;
+ 
++	/* DDR content will be restored, do not change the firewall protection */
++	if (stm32mp1_ddr_is_restored()) {
++		return;
++	}
++
+ 	assert(nb_regions > 0U);
+ 
+ 	tzc400_init(STM32MP1_TZC_BASE);
+@@ -85,6 +91,11 @@ static int fconf_populate_stm32mp1_firewall(uintptr_t config)
+ 	/* Assert the node offset point to "st,mem-firewall" compatible property */
+ 	const char *compatible_str = "st,mem-firewall";
+ 
++	/* DDR content will be restored, do not change the firewall protection */
++	if (stm32mp1_ddr_is_restored()) {
++		return 0;
++	}
++
+ 	node = fdt_node_offset_by_compatible(dtb, -1, compatible_str);
+ 	if (node < 0) {
+ 		ERROR("FCONF: Can't find %s compatible in dtb\n", compatible_str);
+diff --git a/plat/st/stm32mp1/stm32mp1_fip_def.h b/plat/st/stm32mp1/stm32mp1_fip_def.h
+index d9a9e7a39d..5a673a038e 100644
+--- a/plat/st/stm32mp1/stm32mp1_fip_def.h
++++ b/plat/st/stm32mp1/stm32mp1_fip_def.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2021, STMicroelectronics - All Rights Reserved
++ * Copyright (C) 2021-2022, STMicroelectronics - All Rights Reserved
+  *
+  * SPDX-License-Identifier: BSD-3-Clause
+  */
+@@ -159,6 +159,19 @@
+ 					0xd5bf, 0x45af, 0xac, 0xee, 0x33, 0x53, 0x03,\
+ 					0x76, 0x6f, 0xb3)
+ 
++#define STM32MP_NAND_METADATA1_OFFSET	U(0x00100000)
++#define STM32MP_NAND_METADATA2_OFFSET	U(0x00180000)
++#define STM32MP_NAND_FIP_A_OFFSET	U(0x00200000)
++#define STM32MP_NAND_FIP_A_GUID		(const struct efi_guid)EFI_GUID(0x4fd84c93,  \
++					0x54ef, 0x463f, 0xa7, 0xef, 0xae, 0x25, 0xff,\
++					0x88, 0x70, 0x87)
++
++#define STM32MP_NAND_FIP_B_OFFSET	U(0x00A00000)
++#define STM32MP_NAND_FIP_B_GUID		(const struct efi_guid)EFI_GUID(0x09c54952,  \
++					0xd5bf, 0x45af, 0xac, 0xee, 0x33, 0x53, 0x03,\
++					0x76, 0x6f, 0xb3)
++
++#define STM32MP_NAND_FIP_B_MAX_OFFSET	U(0x01200000)
+ #else /* PSA_FWU_SUPPORT */
+ #ifndef STM32MP_NOR_FIP_OFFSET
+ #define STM32MP_NOR_FIP_OFFSET		U(0x00080000)
+diff --git a/plat/st/stm32mp1/stm32mp1_private.c b/plat/st/stm32mp1/stm32mp1_private.c
+index cff66ec20c..7e2c0ed4e3 100644
+--- a/plat/st/stm32mp1/stm32mp1_private.c
++++ b/plat/st/stm32mp1/stm32mp1_private.c
+@@ -239,6 +239,8 @@ unsigned long stm32_get_gpio_bank_clock(unsigned int bank)
+ 
+ int stm32_get_gpio_bank_pinctrl_node(void *fdt, unsigned int bank)
+ {
++	const char *node_compatible = NULL;
++
+ 	switch (bank) {
+ 	case GPIO_BANK_A:
+ 	case GPIO_BANK_B:
+@@ -249,18 +251,24 @@ int stm32_get_gpio_bank_pinctrl_node(void *fdt, unsigned int bank)
+ 	case GPIO_BANK_G:
+ 	case GPIO_BANK_H:
+ 	case GPIO_BANK_I:
++#if STM32MP13
++		node_compatible = "st,stm32mp135-pinctrl";
++		break;
++#endif
+ #if STM32MP15
+ 	case GPIO_BANK_J:
+ 	case GPIO_BANK_K:
+-#endif
+-		return fdt_path_offset(fdt, "/soc/pin-controller");
+-#if STM32MP15
++		node_compatible = "st,stm32mp157-pinctrl";
++		break;
+ 	case GPIO_BANK_Z:
+-		return fdt_path_offset(fdt, "/soc/pin-controller-z");
++		node_compatible = "st,stm32mp157-z-pinctrl";
++		break;
+ #endif
+ 	default:
+ 		panic();
+ 	}
++
++	return fdt_node_offset_by_compatible(fdt, -1, node_compatible);
+ }
+ 
+ #if STM32MP_UART_PROGRAMMER || !defined(IMAGE_BL2)
+@@ -822,6 +830,26 @@ bool stm32mp1_is_wakeup_from_standby(void)
+ 	return stm32_pm_context_is_valid();
+ }
+ 
++bool stm32mp_skip_boot_device_after_standby(void)
++{
++	static int skip = -1;
++
++	if (skip == -1) {
++		if (stm32mp1_is_wakeup_from_standby()) {
++			skip = 1;
++#if STM32MP15
++			if (stm32_pm_get_optee_ep() == 0U) {
++				skip = 0;
++			}
++#endif
++		} else {
++			skip = 0;
++		}
++	}
++
++	return skip == 1;
++}
++
+ void stm32_save_boot_interface(uint32_t interface, uint32_t instance)
+ {
+ 	uintptr_t bkpr_itf_idx = tamp_bkpr(TAMP_BOOT_ITF_BACKUP_REG_ID);
+diff --git a/plat/st/stm32mp1/stm32mp1_ssp.c b/plat/st/stm32mp1/stm32mp1_ssp.c
+index 14ce023814..ed1fd8ec04 100644
+--- a/plat/st/stm32mp1/stm32mp1_ssp.c
++++ b/plat/st/stm32mp1/stm32mp1_ssp.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2017-2021, STMicroelectronics - All Rights Reserved
++ * Copyright (c) 2017-2022, STMicroelectronics - All Rights Reserved
+  *
+  * SPDX-License-Identifier: BSD-3-Clause
+  */
+@@ -208,6 +208,7 @@ static int ssp_secrets_check(boot_api_context_t *boot_ctx)
+ 	uint32_t check_val;
+ 	uint32_t otp_bytes = boot_ctx->p_ssp_config->p_blob_payload->oem_secret_size_bytes;
+ 	uint32_t otp_decrypted;
++	uint32_t *val;
+ 
+ 	if (otp_bytes == 0U) {
+ 		return -EINVAL;
+@@ -241,8 +242,16 @@ static int ssp_secrets_check(boot_api_context_t *boot_ctx)
+ 		return -EINVAL;
+ 	}
+ 
++	val = (uint32_t *)boot_ctx->p_ssp_config->p_ssp_oem_secrets_decrypted;
++
+ 	/* Check all OTP available */
+ 	for (i = SSP_OTP_SECRET_BASE; i < SSP_OTP_SECRET_BASE + otp_decrypted - 1U; i++) {
++		val++;
++
++		if (*val == 0U) {
++			continue;
++		}
++
+ 		if (stm32_get_otp_value_from_idx(i, &check_val) != 0) {
+ 			return -EINVAL;
+ 		}
+@@ -263,6 +272,7 @@ static int ssp_secrets_flash(boot_api_context_t *boot_ctx)
+ {
+ 	uint32_t i;
+ 	uint32_t *val;
++	uint32_t otp_val;
+ 	uint32_t otp_bytes =
+ 		boot_ctx->p_ssp_config->p_blob_payload->oem_secret_size_bytes;
+ 	uint32_t otp_decrypted;
+@@ -287,6 +297,20 @@ static int ssp_secrets_flash(boot_api_context_t *boot_ctx)
+ 		return -EINVAL;
+ 	}
+ 
++	if (bsec_shadow_read_otp(&otp_val, otp_rma.idx) != BSEC_OK) {
++		return -EINVAL;
++	}
++
++	if ((otp_val & RMA_OTP_MASK) != (*val & RMA_OTP_MASK)) {
++		WARN("RMA programming failed\n");
++		return -EINVAL;
++	}
++
++	if (bsec_permanent_lock_otp(otp_rma.idx) != BSEC_OK) {
++		WARN("Error locking RMA OTP\n");
++		return -EINVAL;
++	}
++
+ 	val++;
+ 	otp_decrypted--;
+ 	for (i = SSP_OTP_SECRET_BASE; i < (SSP_OTP_SECRET_BASE + otp_decrypted - 1U); i++) {
+@@ -461,6 +485,29 @@ static int prepare_certificate(uint8_t *cert, const uint8_t *pubkey)
+ 	return 0;
+ }
+ 
++/*
++ * Clean OTP value that might be still in shadow registers
++ */
++static void cleanup_otp_value(void)
++{
++	unsigned int i;
++
++	/* RMA clear and lock */
++	if (bsec_write_otp(0U, otp_rma.idx) != BSEC_OK) {
++		return;
++	}
++
++	if (bsec_set_sr_lock(otp_rma.idx) != BSEC_OK) {
++		return;
++	}
++
++	for (i = SSP_OTP_SECRET_BASE; i < SSP_OTP_SECRET_END + 1U; i++) {
++		if (bsec_write_otp(0U, otp_rma.idx) != BSEC_OK) {
++			return;
++		}
++	}
++}
++
+ /*
+  * Clean external data and bootrom context secret values.
+  */
+@@ -638,6 +685,8 @@ static int ssp_secret_programming(boot_api_context_t *boot_context)
+ 	}
+ 
+ clean:
++	cleanup_otp_value();
++
+ 	ssp_cleanup(boot_context);
+ 
+ 	if (result != 0) {
+diff --git a/plat/st/stm32mp1/stm32mp1_tbb_cert.c b/plat/st/stm32mp1/stm32mp1_tbb_cert.c
+new file mode 100644
+index 0000000000..3d46b0d162
+--- /dev/null
++++ b/plat/st/stm32mp1/stm32mp1_tbb_cert.c
+@@ -0,0 +1,36 @@
++/*
++ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
++ *
++ * SPDX-License-Identifier: BSD-3-Clause
++ */
++
++#include "tbbr/stm32mp1_tbb_cert.h"
++#include "tbbr/tbb_ext.h"
++#include "tbbr/tbb_key.h"
++
++/*
++ * Certificates used in the chain of trust
++ *
++ * The order of the certificates must follow the enumeration specified in
++ * stm32mp1_tbb_cert.h. All certificates are self-signed, so the issuer certificate
++ * field points to itself.
++ */
++static cert_t stm32mp1_tbb_certs[] = {
++	[0] = {
++		.id = STM32MP_CONFIG_CERT,
++		.opt = "stm32mp-cfg-cert",
++		.help_msg = "STM32MP Config Certificate (output file)",
++		.fn = NULL,
++		.cn = "STM32MP config FW Certificate",
++		.key = ROT_KEY,
++		.issuer = STM32MP_CONFIG_CERT,
++		.ext = {
++			TRUSTED_FW_NVCOUNTER_EXT,
++			HW_CONFIG_HASH_EXT,
++			FW_CONFIG_HASH_EXT
++		},
++		.num_ext = 3
++	},
++};
++
++PLAT_REGISTER_COT(stm32mp1_tbb_certs);
+-- 
+2.17.1
+
diff --git a/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.6.bb b/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.6.bb
index 34fcdb8..490a6f7 100644
--- a/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.6.bb
+++ b/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.6.bb
@@ -1,32 +1,8 @@
 require tf-a-stm32mp-common.inc
+require tf-a-stm32mp.inc
 
 SUMMARY = "Trusted Firmware-A for STM32MP1"
-SECTION = "bootloaders"
 LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://license.rst;md5=1dd070c98a281d18d9eefd938729b031"
-
-PROVIDES += "virtual/trusted-firmware-a"
-
-FILESEXTRAPATHS:prepend:stm32mpcommon := "${THISDIR}/tf-a-stm32mp:"
-
-SRC_URI = "git://github.com/ARM-software/arm-trusted-firmware.git;protocol=https;nobranch=1"
-SRCREV = "a1f02f4f3daae7e21ee58b4c93ec3e46b8f28d15"
-
-SRC_URI += " \
-     file://0001-v2.6-stm32mp-r1.patch \
-     "
-
-TF_A_VERSION = "v2.6"
-TF_A_SUBVERSION = "stm32mp"
-TF_A_RELEASE = "r1"
-PV = "${TF_A_VERSION}-${TF_A_SUBVERSION}-${TF_A_RELEASE}"
-
-ARCHIVER_ST_BRANCH = "${TF_A_VERSION}-${TF_A_SUBVERSION}"
-ARCHIVER_ST_REVISION = "${PV}"
-ARCHIVER_COMMUNITY_BRANCH = "master"
-ARCHIVER_COMMUNITY_REVISION = "${TF_A_VERSION}"
-
-S = "${WORKDIR}/git"
 
 # Configure settings
 TFA_PLATFORM  = "stm32mp1"
@@ -40,18 +16,3 @@ TF_A_ENABLE_DEBUG_WRAPPER ?= "1"
 # Configure archiver use
 # ---------------------------------
 include ${@oe.utils.ifelse(d.getVar('ST_ARCHIVER_ENABLE') == '1', 'tf-a-stm32mp-archiver.inc','')}
-
-# ---------------------------------
-# Configure devupstream class usage
-# ---------------------------------
-BBCLASSEXTEND = "devupstream:target"
-
-SRC_URI:class-devupstream = "git://github.com/STMicroelectronics/arm-trusted-firmware.git;protocol=https;branch=${ARCHIVER_ST_BRANCH}"
-SRCREV:class-devupstream = "c6da17964e4260944af2a703171a3c36b9e3edf8"
-
-# ---------------------------------
-# Configure default preference to manage dynamic selection between tarball and github
-# ---------------------------------
-STM32MP_SOURCE_SELECTION ?= "tarball"
-
-DEFAULT_PREFERENCE = "${@bb.utils.contains('STM32MP_SOURCE_SELECTION', 'github', '-1', '1', d)}"