786 lines
26 KiB
Plaintext
786 lines
26 KiB
Plaintext
# Copyright (c) 2017-2020 Linaro Limited
|
|
# Copyright (c) 2020 Arm Limited
|
|
# Copyright (c) 2023 Nordic Semiconductor ASA
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
#
|
|
|
|
mainmenu "MCUboot configuration"
|
|
|
|
comment "MCUboot-specific configuration options"
|
|
|
|
# Hidden option to mark a project as MCUboot
|
|
config MCUBOOT
|
|
default y
|
|
bool
|
|
select MPU_ALLOW_FLASH_WRITE if ARM_MPU
|
|
select USE_DT_CODE_PARTITION if HAS_FLASH_LOAD_OFFSET
|
|
select MCUBOOT_BOOTUTIL_LIB
|
|
|
|
config BOOT_USE_MBEDTLS
|
|
bool
|
|
# Hidden option
|
|
default n
|
|
help
|
|
Use mbedTLS for crypto primitives.
|
|
|
|
config BOOT_USE_TINYCRYPT
|
|
bool
|
|
# Hidden option
|
|
default n
|
|
# When building for ECDSA, we use our own copy of mbedTLS, so the
|
|
# Zephyr one must not be enabled or the MBEDTLS_CONFIG_FILE macros
|
|
# will collide.
|
|
select MBEDTLS_PROMPTLESS if ZEPHYR_MBEDTLS_MODULE
|
|
help
|
|
Use TinyCrypt for crypto primitives.
|
|
|
|
config BOOT_USE_CC310
|
|
bool
|
|
# Hidden option
|
|
default n
|
|
# When building for ECDSA, we use our own copy of mbedTLS, so the
|
|
# Zephyr one must not be enabled or the MBEDTLS_CONFIG_FILE macros
|
|
# will collide.
|
|
help
|
|
Use cc310 for crypto primitives.
|
|
|
|
config BOOT_USE_NRF_CC310_BL
|
|
bool
|
|
default n
|
|
|
|
config NRFXLIB_CRYPTO
|
|
bool
|
|
default n
|
|
|
|
config NRF_CC310_BL
|
|
bool
|
|
default n
|
|
|
|
menu "MCUBoot settings"
|
|
|
|
config SINGLE_APPLICATION_SLOT
|
|
bool "Single slot bootloader"
|
|
default n
|
|
help
|
|
Single image area is used for application which means that
|
|
uploading a new application overwrites the one that previously
|
|
occupied the area.
|
|
|
|
choice BOOT_SIGNATURE_TYPE
|
|
prompt "Signature type"
|
|
default BOOT_SIGNATURE_TYPE_RSA
|
|
|
|
config BOOT_SIGNATURE_TYPE_NONE
|
|
bool "No signature; use only hash check"
|
|
select BOOT_USE_TINYCRYPT
|
|
|
|
config BOOT_SIGNATURE_TYPE_RSA
|
|
bool "RSA signatures"
|
|
select BOOT_USE_MBEDTLS
|
|
select MBEDTLS
|
|
select BOOT_ENCRYPTION_SUPPORT
|
|
|
|
if BOOT_SIGNATURE_TYPE_RSA
|
|
config BOOT_SIGNATURE_TYPE_RSA_LEN
|
|
int "RSA signature length"
|
|
range 2048 3072
|
|
default 2048
|
|
endif
|
|
|
|
config BOOT_SIGNATURE_TYPE_ECDSA_P256
|
|
bool "Elliptic curve digital signatures with curve P-256"
|
|
select BOOT_ENCRYPTION_SUPPORT
|
|
|
|
if BOOT_SIGNATURE_TYPE_ECDSA_P256
|
|
choice BOOT_ECDSA_IMPLEMENTATION
|
|
prompt "Ecdsa implementation"
|
|
default BOOT_ECDSA_TINYCRYPT
|
|
|
|
config BOOT_ECDSA_TINYCRYPT
|
|
bool "Use tinycrypt"
|
|
select BOOT_USE_TINYCRYPT
|
|
|
|
config BOOT_ECDSA_CC310
|
|
bool "Use CC310"
|
|
depends on HAS_HW_NRF_CC310
|
|
select BOOT_USE_NRF_CC310_BL
|
|
select NRF_CC310_BL
|
|
select NRFXLIB_CRYPTO
|
|
select BOOT_USE_CC310
|
|
endchoice # Ecdsa implementation
|
|
endif
|
|
|
|
config BOOT_SIGNATURE_TYPE_ED25519
|
|
bool "Edwards curve digital signatures using ed25519"
|
|
select BOOT_ENCRYPTION_SUPPORT
|
|
|
|
if BOOT_SIGNATURE_TYPE_ED25519
|
|
choice BOOT_ED25519_IMPLEMENTATION
|
|
prompt "Ecdsa implementation"
|
|
default BOOT_ED25519_TINYCRYPT
|
|
config BOOT_ED25519_TINYCRYPT
|
|
bool "Use tinycrypt"
|
|
select BOOT_USE_TINYCRYPT
|
|
config BOOT_ED25519_MBEDTLS
|
|
bool "Use mbedTLS"
|
|
select BOOT_USE_MBEDTLS
|
|
select MBEDTLS
|
|
endchoice
|
|
endif
|
|
|
|
endchoice
|
|
|
|
config BOOT_SIGNATURE_KEY_FILE
|
|
string "PEM key file"
|
|
default "root-ec-p256.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256
|
|
default "root-ed25519.pem" if BOOT_SIGNATURE_TYPE_ED25519
|
|
default "root-rsa-3072.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=3072
|
|
default "root-rsa-2048.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=2048
|
|
default ""
|
|
help
|
|
You can use either absolute or relative path.
|
|
In case relative path is used, the build system assumes that it starts
|
|
from the directory where the MCUBoot KConfig configuration file is
|
|
located. If the key file is not there, the build system uses relative
|
|
path that starts from the MCUBoot repository root directory.
|
|
The key file will be parsed by imgtool's getpub command and a .c source
|
|
with the public key information will be written in a format expected by
|
|
MCUboot.
|
|
|
|
config MCUBOOT_CLEANUP_ARM_CORE
|
|
bool "Perform core cleanup before chain-load the application"
|
|
depends on CPU_CORTEX_M
|
|
default y
|
|
help
|
|
This option instructs MCUboot to perform a clean-up of a set of
|
|
architecture core HW registers before jumping to the application
|
|
firmware. The clean-up sets these registers to their warm-reset
|
|
values as specified by the architecture.
|
|
|
|
This option is enabled by default to prevent possible problems when
|
|
booting zephyr (or other) applications whereby e.g. a MPU stack guard
|
|
may be initialised in RAM which is then used by the application
|
|
start-up code which can cause a module fault and potentially make the
|
|
module irrecoverable.
|
|
|
|
config MBEDTLS_CFG_FILE
|
|
default "mcuboot-mbedtls-cfg.h"
|
|
|
|
config BOOT_HW_KEY
|
|
bool "Use HW key for image verification"
|
|
default n
|
|
help
|
|
Use HW key for image verification, otherwise the public key is embedded
|
|
in MCUBoot. If enabled the public key is appended to the signed image
|
|
and requires the hash of the public key to be provisioned to the device
|
|
beforehand.
|
|
|
|
config BOOT_VALIDATE_SLOT0
|
|
bool "Validate image in the primary slot on every boot"
|
|
default y
|
|
help
|
|
If y, the bootloader attempts to validate the signature of the
|
|
primary slot every boot. This adds the signature check time to
|
|
every boot, but can mitigate against some changes that are
|
|
able to modify the flash image itself.
|
|
|
|
config BOOT_VALIDATE_SLOT0_ONCE
|
|
bool "Validate image in the primary slot just once after after upgrade"
|
|
depends on !BOOT_VALIDATE_SLOT0 && SINGLE_APPLICATION_SLOT
|
|
default n
|
|
help
|
|
If y, the bootloader attempts to validate the signature of the
|
|
primary slot only once after an upgrade of the main slot.
|
|
It caches the result in the magic area, which makes it an unsecure
|
|
method. This option is usefull for lowering the boot up time for
|
|
low end devices with as a compromise lowering the security level.
|
|
If unsure, leave at the default value.
|
|
|
|
config BOOT_PREFER_SWAP_MOVE
|
|
bool "Prefer the newer swap move algorithm"
|
|
default y if SOC_FAMILY_NORDIC_NRF
|
|
default y if !$(dt_nodelabel_enabled,scratch_partition)
|
|
help
|
|
If y, the BOOT_IMAGE_UPGRADE_MODE will default to using
|
|
"move" instead of "scratch". This is a separate bool config
|
|
option, because Kconfig doesn't allow defaults to be
|
|
overridden in choice options. Most devices should be using
|
|
swap move.
|
|
|
|
if !SINGLE_APPLICATION_SLOT
|
|
choice BOOT_IMAGE_UPGRADE_MODE
|
|
prompt "Image upgrade modes"
|
|
default BOOT_SWAP_USING_MOVE if BOOT_PREFER_SWAP_MOVE
|
|
default BOOT_SWAP_USING_SCRATCH
|
|
|
|
config BOOT_SWAP_USING_SCRATCH
|
|
bool "Swap mode that run with the scratch partition"
|
|
help
|
|
This is the most conservative swap mode but it can work even on
|
|
devices with heterogeneous flash page layout.
|
|
|
|
config BOOT_UPGRADE_ONLY
|
|
bool "Overwrite image updates instead of swapping"
|
|
help
|
|
If y, overwrite the primary slot with the upgrade image instead
|
|
of swapping them. This prevents the fallback recovery, but
|
|
uses a much simpler code path.
|
|
|
|
config BOOT_SWAP_USING_MOVE
|
|
bool "Swap mode that can run without a scratch partition"
|
|
help
|
|
If y, the swap upgrade is done in two steps, where first every
|
|
sector of the primary slot is moved up one sector, then for
|
|
each sector X in the secondary slot, it is moved to index X in
|
|
the primary slot, then the sector at X+1 in the primary is
|
|
moved to index X in the secondary.
|
|
This allows a swap upgrade without using a scratch partition,
|
|
but is currently limited to all sectors in both slots being of
|
|
the same size.
|
|
|
|
config BOOT_DIRECT_XIP
|
|
bool "Run the latest image directly from its slot"
|
|
help
|
|
If y, mcuboot selects the newest valid image based on the image version
|
|
numbers, thereafter the selected image can run directly from its slot
|
|
without having to move/copy it into the primary slot. For this reason the
|
|
images must be linked to be executed from the given image slot. Using this
|
|
mode results in a simpler code path and smaller code size.
|
|
|
|
config BOOT_RAM_LOAD
|
|
bool "RAM load"
|
|
help
|
|
If y, mcuboot selects the newest valid image based on the image version
|
|
numbers, thereafter the selected image is copied to RAM and executed from
|
|
there. For this reason, the image has to be linked to be executed from RAM.
|
|
The address that the image is copied to is specified using the load-addr
|
|
argument to the imgtool.py script which writes it to the image header.
|
|
|
|
config BOOT_FIRMWARE_LOADER
|
|
bool "Firmware loader"
|
|
help
|
|
If y, mcuboot will have a single application slot, and the secondary
|
|
slot will be for a non-upgradeable firmware loaded image (e.g. for
|
|
loading firmware via Bluetooth). The main application will boot by
|
|
default unless there is an error with it or the boot mode has been
|
|
forced to the firmware loader.
|
|
|
|
Note: The firmware loader image must be signed with the same signing
|
|
key as the primary image.
|
|
|
|
endchoice
|
|
|
|
# Workaround for not being able to have commas in macro arguments
|
|
DT_CHOSEN_Z_SRAM := zephyr,sram
|
|
|
|
if BOOT_RAM_LOAD
|
|
config BOOT_IMAGE_EXECUTABLE_RAM_START
|
|
hex "Boot image executable ram start"
|
|
default $(dt_chosen_reg_addr_hex,$(DT_CHOSEN_Z_SRAM))
|
|
|
|
config BOOT_IMAGE_EXECUTABLE_RAM_SIZE
|
|
int "Boot image executable base size"
|
|
default $(dt_chosen_reg_size_int,$(DT_CHOSEN_Z_SRAM),0)
|
|
endif
|
|
|
|
config BOOT_DIRECT_XIP_REVERT
|
|
bool "Enable the revert mechanism in direct-xip mode"
|
|
depends on BOOT_DIRECT_XIP
|
|
default n
|
|
help
|
|
If y, enables the revert mechanism in direct-xip similar to the one in
|
|
swap mode. It requires the trailer magic to be added to the signed image.
|
|
When a reboot happens without the image being confirmed at runtime, the
|
|
bootloader considers the image faulty and erases it. After this it will
|
|
attempt to boot the previous image. The images can also be made permanent
|
|
(marked as confirmed in advance) just like in swap mode.
|
|
|
|
config BOOT_BOOTSTRAP
|
|
bool "Bootstrap erased the primary slot from the secondary slot"
|
|
default n
|
|
help
|
|
If y, enables bootstraping support. Bootstrapping allows an erased
|
|
primary slot to be initialized from a valid image in the secondary slot.
|
|
If unsure, leave at the default value.
|
|
|
|
config BOOT_SWAP_SAVE_ENCTLV
|
|
bool "Save encrypted key TLVs instead of plaintext keys in swap metadata"
|
|
default n
|
|
depends on BOOT_ENCRYPT_IMAGE
|
|
help
|
|
If y, instead of saving the encrypted image keys in plaintext in the
|
|
swap resume metadata, save the encrypted image TLVs. This should be used
|
|
when there is no security mechanism protecting the data in the primary
|
|
slot from being dumped. If n is selected (default), the keys are written
|
|
after being decrypted from the image TLVs and could be read by an
|
|
attacker who has access to the flash contents of the primary slot (eg
|
|
JTAG/SWD or primary slot in external flash).
|
|
If unsure, leave at the default value.
|
|
|
|
endif # !SINGLE_APPLICATION_SLOT
|
|
|
|
config BOOT_ENCRYPTION_SUPPORT
|
|
bool
|
|
help
|
|
Hidden option used to check if image encryption is supported.
|
|
|
|
config BOOT_ENCRYPT_IMAGE
|
|
bool "Support for encrypted image updates"
|
|
depends on BOOT_ENCRYPTION_SUPPORT
|
|
select BOOT_ENCRYPT_RSA if BOOT_SIGNATURE_TYPE_RSA
|
|
select BOOT_ENCRYPT_EC256 if BOOT_SIGNATURE_TYPE_ECDSA_P256
|
|
select BOOT_ENCRYPT_X25519 if BOOT_SIGNATURE_TYPE_ED25519
|
|
depends on !SINGLE_APPLICATION_SLOT || MCUBOOT_SERIAL
|
|
help
|
|
If y, images in the secondary slot can be encrypted and are decrypted
|
|
on the fly when upgrading to the primary slot, as well as encrypted
|
|
back when swapping from the primary slot to the secondary slot. The
|
|
encryption mechanism must match the same type as the signature type,
|
|
supported types include:
|
|
- RSA-OAEP (2048 bits).
|
|
- ECIES using primitives described under "ECIES-P256 encryption" in
|
|
docs/encrypted_images.md.
|
|
- ECIES using primitives described under "ECIES-X25519 encryption"
|
|
in docs/encrypted_images.md.
|
|
|
|
Note that for single slot operation, this can still be used to allow
|
|
loading encrypted images via serial recovery which are then
|
|
decrypted on-the-fly without needing a second slot.
|
|
|
|
config BOOT_ENCRYPT_RSA
|
|
bool
|
|
help
|
|
Hidden option selecting RSA encryption.
|
|
|
|
config BOOT_ENCRYPT_EC256
|
|
bool
|
|
help
|
|
Hidden option selecting EC256 encryption.
|
|
|
|
config BOOT_ENCRYPT_X25519
|
|
bool
|
|
help
|
|
Hidden option selecting x25519 encryption.
|
|
|
|
config BOOT_ENCRYPTION_KEY_FILE
|
|
string "Encryption key file"
|
|
depends on BOOT_ENCRYPT_IMAGE
|
|
default "enc-rsa2048-priv.pem" if BOOT_ENCRYPT_RSA
|
|
default "enc-ec256-priv.pem" if BOOT_ENCRYPT_EC256
|
|
default "enc-x25519-priv.pem" if BOOT_ENCRYPT_X25519
|
|
default ""
|
|
help
|
|
You can use either absolute or relative path.
|
|
In case relative path is used, the build system assumes that it starts
|
|
from the directory where the MCUBoot KConfig configuration file is
|
|
located. If the key file is not there, the build system uses relative
|
|
path that starts from the MCUBoot repository root directory.
|
|
The key file will be parsed by imgtool's getpriv command and a .c source
|
|
with the public key information will be written in a format expected by
|
|
MCUboot.
|
|
|
|
config BOOT_MAX_IMG_SECTORS
|
|
int "Maximum number of sectors per image slot"
|
|
default 128
|
|
help
|
|
This option controls the maximum number of sectors that each of
|
|
the two image areas can contain. Smaller values reduce MCUboot's
|
|
memory usage; larger values allow it to support larger images.
|
|
If unsure, leave at the default value.
|
|
|
|
config BOOT_SHARE_BACKEND_AVAILABLE
|
|
bool
|
|
default n
|
|
help
|
|
Hidden open which indicates if there is a sharing backend available.
|
|
|
|
# Workaround for not being able to have commas in macro arguments
|
|
DT_CHOSEN_BOOTLOADER_INFO := zephyr,bootloader-info
|
|
|
|
config BOOT_SHARE_BACKEND_AVAILABLE
|
|
bool
|
|
default n
|
|
help
|
|
Hidden open which indicates if there is a sharing backend available.
|
|
|
|
choice BOOT_SHARE_BACKEND
|
|
prompt "Shared data backend"
|
|
default BOOT_SHARE_BACKEND_DISABLED
|
|
|
|
config BOOT_SHARE_BACKEND_DISABLED
|
|
bool "Disabled"
|
|
help
|
|
No data sharing support.
|
|
|
|
config BOOT_SHARE_BACKEND_RETENTION
|
|
bool "Retention"
|
|
depends on RETENTION
|
|
depends on $(dt_chosen_enabled,$(DT_CHOSEN_BOOTLOADER_INFO))
|
|
select BOOT_SHARE_BACKEND_AVAILABLE
|
|
help
|
|
Use retention to share data with application. Requires:
|
|
- Retained memory area
|
|
- Retention partition of retained memory area
|
|
- Chosen node "zephyr,bootloader-info" to be set to the retention
|
|
partition
|
|
|
|
config BOOT_SHARE_BACKEND_EXTERNAL
|
|
bool "External (user-provided code)"
|
|
select BOOT_SHARE_BACKEND_AVAILABLE
|
|
help
|
|
Use a custom user-specified storage.
|
|
|
|
endchoice
|
|
|
|
menuconfig BOOT_SHARE_DATA
|
|
bool "Save application specific data"
|
|
default n
|
|
depends on BOOT_SHARE_BACKEND_AVAILABLE
|
|
help
|
|
This will allow data to be shared between MCUboot and an application,
|
|
it does not include any informatiom by default.
|
|
|
|
Note: This requires a backend to function, see
|
|
BOOT_SHARE_BACKEND_RETENTION for details on using the retention
|
|
subsystem as a backend.
|
|
|
|
config BOOT_SHARE_DATA_BOOTINFO
|
|
bool "Save boot information data"
|
|
default n
|
|
depends on BOOT_SHARE_DATA
|
|
help
|
|
This will place information about the MCUboot configuration and
|
|
running application into a shared memory area.
|
|
|
|
menuconfig MEASURED_BOOT
|
|
bool "Store the boot state/measurements in shared memory area"
|
|
default n
|
|
depends on BOOT_SHARE_BACKEND_AVAILABLE
|
|
help
|
|
If enabled, the bootloader will store certain boot measurements such as
|
|
the hash of the firmware image in a shared memory area. This data can
|
|
be used later by runtime services (e.g. by a device attestation service).
|
|
|
|
Note: This requires a backend to function, see
|
|
BOOT_SHARE_BACKEND_RETENTION for details on using the retention
|
|
subsystem as a backend.
|
|
|
|
config MEASURED_BOOT_MAX_CBOR_SIZE
|
|
int "Maximum CBOR size of boot state/measurements"
|
|
default 64
|
|
range 0 256
|
|
depends on MEASURED_BOOT
|
|
help
|
|
The maximum size of the CBOR message which stores boot
|
|
state/measurements.
|
|
|
|
choice BOOT_FAULT_INJECTION_HARDENING_PROFILE
|
|
prompt "Fault injection hardening profile"
|
|
default BOOT_FIH_PROFILE_OFF
|
|
|
|
config BOOT_FIH_PROFILE_OFF
|
|
bool "No hardening against hardware level fault injection"
|
|
help
|
|
No hardening in SW against hardware level fault injection: power or
|
|
clock glitching, etc.
|
|
|
|
config BOOT_FIH_PROFILE_LOW
|
|
bool "Moderate level hardening against hardware level fault injection"
|
|
help
|
|
Moderate level hardening: Long global fail loop to avoid break out,
|
|
control flow integrity check to discover discrepancy in expected code
|
|
flow.
|
|
|
|
config BOOT_FIH_PROFILE_MEDIUM
|
|
bool "Medium level hardening against hardware level fault injection"
|
|
help
|
|
Medium level hardening: Long global fail loop to avoid break out,
|
|
control flow integrity check to discover discrepancy in expected code
|
|
flow, double variables to discover register or memory corruption.
|
|
|
|
config BOOT_FIH_PROFILE_HIGH
|
|
bool "Maximum level hardening against hardware level fault injection"
|
|
select MBEDTLS
|
|
help
|
|
Maximum level hardening: Long global fail loop to avoid break out,
|
|
control flow integrity check to discover discrepancy in expected code
|
|
flow, double variables to discover register or memory corruption, random
|
|
delays to make code execution less predictable. Random delays requires an
|
|
entropy source.
|
|
|
|
endchoice
|
|
|
|
choice BOOT_USB_DFU
|
|
prompt "USB DFU"
|
|
default BOOT_USB_DFU_NO
|
|
|
|
config BOOT_USB_DFU_NO
|
|
prompt "Disabled"
|
|
|
|
config BOOT_USB_DFU_WAIT
|
|
bool "Wait for a prescribed duration to see if USB DFU is invoked"
|
|
select USB_DEVICE_STACK
|
|
select USB_DFU_CLASS
|
|
select IMG_MANAGER
|
|
select STREAM_FLASH
|
|
select MULTITHREADING
|
|
help
|
|
If y, MCUboot waits for a prescribed duration of time to allow
|
|
for USB DFU to be invoked. Please note DFU always updates the
|
|
slot1 image.
|
|
|
|
config BOOT_USB_DFU_GPIO
|
|
bool "Use GPIO to detect whether to trigger DFU mode"
|
|
select USB_DEVICE_STACK
|
|
select USB_DFU_CLASS
|
|
select IMG_MANAGER
|
|
select STREAM_FLASH
|
|
select MULTITHREADING
|
|
help
|
|
If y, MCUboot uses GPIO to detect whether to invoke USB DFU.
|
|
|
|
endchoice
|
|
|
|
config BOOT_USB_DFU_WAIT_DELAY_MS
|
|
int "USB DFU wait duration"
|
|
depends on BOOT_USB_DFU_WAIT
|
|
default 12000
|
|
help
|
|
Milliseconds to wait for USB DFU to be invoked.
|
|
|
|
if BOOT_USB_DFU_GPIO
|
|
|
|
config BOOT_USB_DFU_DETECT_DELAY
|
|
int "Serial detect pin detection delay time [ms]"
|
|
default 0
|
|
help
|
|
Used to prevent the bootloader from loading on button press.
|
|
Useful for powering on when using the same button as
|
|
the one used to place the device in bootloader mode.
|
|
|
|
endif # BOOT_USB_DFU_GPIO
|
|
|
|
config BOOT_USE_BENCH
|
|
bool "Enable benchmark code"
|
|
default n
|
|
help
|
|
If y, adds support for simple benchmarking that can record
|
|
time intervals between two calls. The time printed depends
|
|
on the particular Zephyr target, and is generally ticks of a
|
|
specific board-specific timer.
|
|
|
|
module = MCUBOOT
|
|
module-str = MCUBoot bootloader
|
|
source "subsys/logging/Kconfig.template.log_config"
|
|
|
|
config MCUBOOT_LOG_THREAD_STACK_SIZE
|
|
int "Stack size for the MCUBoot log processing thread"
|
|
depends on LOG && !LOG_IMMEDIATE
|
|
default 2048 if COVERAGE_GCOV
|
|
default 1024 if NO_OPTIMIZATIONS
|
|
default 1024 if XTENSA
|
|
default 4096 if (X86 && X86_64)
|
|
default 4096 if ARM64
|
|
default 768
|
|
help
|
|
Set the internal stack size for MCUBoot log processing thread.
|
|
|
|
config MCUBOOT_INDICATION_LED
|
|
bool "Turns on LED indication when device is in DFU"
|
|
select GPIO
|
|
help
|
|
Device device activates the LED while in bootloader mode.
|
|
mcuboot-led0 alias must be set in the device's .dts
|
|
definitions for this to work.
|
|
|
|
rsource "Kconfig.serial_recovery"
|
|
|
|
rsource "Kconfig.firmware_loader"
|
|
|
|
config BOOT_INTR_VEC_RELOC
|
|
bool "Relocate the interrupt vector to the application"
|
|
default n
|
|
depends on SW_VECTOR_RELAY || CPU_CORTEX_M_HAS_VTOR
|
|
help
|
|
Relocate the interrupt vector to the application before it is started.
|
|
Select this option if application requires vector relocation,
|
|
but it doesn't relocate vector in its reset handler.
|
|
|
|
config UPDATEABLE_IMAGE_NUMBER
|
|
int "Number of updateable images"
|
|
default 1
|
|
range 1 1 if SINGLE_APPLICATION_SLOT
|
|
help
|
|
Enables support of multi image update.
|
|
|
|
config BOOT_VERSION_CMP_USE_BUILD_NUMBER
|
|
bool "Use build number while comparing image version"
|
|
depends on (UPDATEABLE_IMAGE_NUMBER > 1) || BOOT_DIRECT_XIP || \
|
|
BOOT_RAM_LOAD || MCUBOOT_DOWNGRADE_PREVENTION
|
|
help
|
|
By default, the image version comparison relies only on version major,
|
|
minor and revision. Enable this option to take into account the build
|
|
number as well.
|
|
|
|
choice BOOT_DOWNGRADE_PREVENTION_CHOICE
|
|
prompt "Downgrade prevention"
|
|
optional
|
|
|
|
config MCUBOOT_DOWNGRADE_PREVENTION
|
|
bool "SW based downgrade prevention"
|
|
depends on !BOOT_DIRECT_XIP
|
|
help
|
|
Prevent downgrades by enforcing incrementing version numbers.
|
|
When this option is set, any upgrade must have greater major version
|
|
or greater minor version with equal major version. This mechanism
|
|
only protects against some attacks against version downgrades (for
|
|
example, a JTAG could be used to write an older version).
|
|
|
|
config MCUBOOT_DOWNGRADE_PREVENTION_SECURITY_COUNTER
|
|
bool "Use image security counter instead of version number"
|
|
depends on MCUBOOT_DOWNGRADE_PREVENTION
|
|
depends on (BOOT_SWAP_USING_MOVE || BOOT_SWAP_USING_SCRATCH)
|
|
help
|
|
Security counter is used for version eligibility check instead of pure
|
|
version. When this option is set, any upgrade must have greater or
|
|
equal security counter value.
|
|
Because of the acceptance of equal values it allows for software
|
|
downgrades to some extent.
|
|
|
|
config MCUBOOT_HW_DOWNGRADE_PREVENTION
|
|
bool "HW based downgrade prevention"
|
|
help
|
|
Prevent undesirable/malicious software downgrades. When this option is
|
|
set, any upgrade must have greater or equal security counter value.
|
|
Because of the acceptance of equal values it allows for software
|
|
downgrade to some extent.
|
|
|
|
endchoice
|
|
|
|
config BOOT_WATCHDOG_FEED
|
|
bool "Feed the watchdog while doing swap"
|
|
default y if WATCHDOG
|
|
default y if SOC_FAMILY_NORDIC_NRF
|
|
# for nRF nrfx based implementation is available
|
|
imply NRFX_WDT if SOC_FAMILY_NORDIC_NRF
|
|
imply NRFX_WDT0 if SOC_FAMILY_NORDIC_NRF
|
|
imply NRFX_WDT1 if SOC_FAMILY_NORDIC_NRF
|
|
imply NRFX_WDT30 if SOC_FAMILY_NORDIC_NRF
|
|
imply NRFX_WDT31 if SOC_FAMILY_NORDIC_NRF
|
|
help
|
|
Enables implementation of MCUBOOT_WATCHDOG_FEED() macro which is
|
|
used to feed watchdog while doing time consuming operations.
|
|
|
|
config BOOT_IMAGE_ACCESS_HOOKS
|
|
bool "Enable hooks for overriding MCUboot's native routines"
|
|
help
|
|
Allow to provide procedures for override or extend native
|
|
MCUboot's routines required for access the image data and the image
|
|
update. It is up to the project customization to add required source
|
|
files to the build.
|
|
|
|
config MCUBOOT_ACTION_HOOKS
|
|
bool "Enable hooks for responding to MCUboot status changes"
|
|
help
|
|
This will call a handler when the MCUboot status changes which allows
|
|
for some level of user feedback, for instance to change LED status to
|
|
indicate a failure, using the callback:
|
|
'void mcuboot_status_change(mcuboot_status_type_t status)' where
|
|
'mcuboot_status_type_t' is listed in
|
|
boot/bootutil/include/bootutil/mcuboot_status.h
|
|
|
|
config BOOT_DISABLE_CACHES
|
|
bool "Disable I/D caches before chain-loading application"
|
|
depends on CPU_HAS_ICACHE || CPU_HAS_DCACHE
|
|
default y
|
|
help
|
|
Will flush and disable the instruction and data caches on the CPU prior to
|
|
booting an application, this is required on some ARM Cortex devices and
|
|
increases protection against data leakage from MCUboot to applications via
|
|
these caches.
|
|
|
|
config MCUBOOT_BOOT_BANNER
|
|
bool "Use MCUboot boot banner"
|
|
depends on BOOT_BANNER
|
|
depends on "$(APP_VERSION_EXTENDED_STRING)" != ""
|
|
default y
|
|
help
|
|
Uses a MCUboot boot banner instead of the default zephyr one, which will output the
|
|
MCUboot name and version, followed by the zephyr name and version.
|
|
|
|
For example:
|
|
|
|
*** Booting MCUboot v2.0.0-72-g8c0e36c88663 ***
|
|
*** Using Zephyr OS build v3.6.0-2607-gd0be2010c31f ***
|
|
|
|
config BOOT_BANNER_STRING
|
|
default "Using Zephyr OS build" if MCUBOOT_BOOT_BANNER
|
|
|
|
endmenu
|
|
|
|
config MCUBOOT_DEVICE_SETTINGS
|
|
# Hidden selector for device-specific settings
|
|
bool
|
|
default y
|
|
# CPU options
|
|
select MCUBOOT_DEVICE_CPU_CORTEX_M0 if CPU_CORTEX_M0
|
|
# Enable flash page layout if available
|
|
select FLASH_PAGE_LAYOUT if FLASH_HAS_PAGE_LAYOUT
|
|
# Enable flash_map module as flash I/O back-end
|
|
select FLASH_MAP
|
|
|
|
config MCUBOOT_DEVICE_CPU_CORTEX_M0
|
|
# Hidden selector for Cortex-M0 settings
|
|
bool
|
|
default n
|
|
select SW_VECTOR_RELAY if !CPU_CORTEX_M0_HAS_VECTOR_TABLE_REMAP
|
|
|
|
comment "Zephyr configuration options"
|
|
|
|
# Disabling MULTITHREADING provides a code size advantage, but
|
|
# it requires peripheral drivers (particularly a flash driver)
|
|
# that works properly with the option enabled.
|
|
#
|
|
# If you know for sure that your hardware will work, you can default
|
|
# it to n here. Otherwise, having it on by default makes the most
|
|
# hardware work.
|
|
config MULTITHREADING
|
|
default y if BOOT_SERIAL_CDC_ACM #usb driver requires MULTITHREADING
|
|
default y if BOOT_USB_DFU_GPIO || BOOT_USB_DFU_WAIT
|
|
default n if SOC_FAMILY_NORDIC_NRF
|
|
default n if SOC_FAMILY_ESPRESSIF_ESP32 && MCUBOOT
|
|
default y
|
|
|
|
config LOG_PROCESS_THREAD
|
|
default n # mcuboot has its own log processing thread
|
|
|
|
# override USB device name
|
|
config USB_DEVICE_PRODUCT
|
|
default "MCUBOOT"
|
|
|
|
# use MCUboot's own log configuration
|
|
config MCUBOOT_BOOTUTIL_LIB_OWN_LOG
|
|
bool
|
|
default n
|
|
|
|
config MCUBOOT_VERIFY_IMG_ADDRESS
|
|
bool "Verify reset address of image in secondary slot"
|
|
depends on UPDATEABLE_IMAGE_NUMBER > 1
|
|
depends on !BOOT_ENCRYPT_IMAGE
|
|
depends on ARM
|
|
default y if BOOT_UPGRADE_ONLY
|
|
help
|
|
Verify that the reset address in the image located in the secondary slot
|
|
is contained within the corresponding primary slot. This is recommended
|
|
if swapping is not used (that is, BOOT_UPGRADE_ONLY is set). If a user
|
|
incorrectly uploads an update for image 1 to image 0's secondary slot
|
|
MCUboot will overwrite image 0's primary slot with this image even
|
|
though it will not boot. If swapping is enabled this will be handled
|
|
since the image will not confirm itself. If, however, swapping is not
|
|
enabled then the only mitigation is serial recovery. This feature can
|
|
also be useful when BOOT_DIRECT_XIP is enabled, to ensure that the image
|
|
linked at the correct address is loaded.
|
|
|
|
source "Kconfig.zephyr"
|