# Configuration for the TF-M Module # Copyright (c) 2019, 2020 Linaro Limited # Copyright (c) 2020 Nordic Semiconductor ASA # SPDX-License-Identifier: Apache-2.0 config ZEPHYR_TRUSTED_FIRMWARE_M_MODULE bool config TFM_BOARD string default "nordic_nrf/nrf9160dk_nrf9160" if BOARD_NRF9160DK_NRF9160NS default "nordic_nrf/nrf5340dk_nrf5340_cpuapp" if BOARD_NRF5340DK_NRF5340_CPUAPPNS default "nxp/lpcxpresso55s69" if BOARD_LPCXPRESSO55S69_CPU0 default "mps2/an521" if BOARD_MPS2_AN521 default "stm/nucleo_l552ze_q" if BOARD_NUCLEO_L552ZE_Q default "stm/stm32l562e_dk" if BOARD_STM32L562E_DK default "musca_b1/sse_200" if BOARD_MUSCA_B1 default "musca_s1" if BOARD_MUSCA_S1 help The board name used for building TFM. Building with TFM requires that TFM has been ported to the given board/SoC. menuconfig BUILD_WITH_TFM bool "Build with TF-M as the Secure Execution Environment" depends on TRUSTED_EXECUTION_NONSECURE depends on TFM_BOARD != "" depends on ARM_TRUSTZONE_M select BUILD_OUTPUT_HEX imply INIT_ARCH_HW_AT_BOOT help When enabled, this option instructs the Zephyr build process to additionaly generate a TF-M image for the Secure Execution environment, along with the Zephyr image. The Zephyr image itself is to be executed in the Non-Secure Processing Environment. The required dependency on TRUSTED_EXECUTION_NONSECURE ensures that the Zephyr image is built as a Non-Secure image. Both TF-M and Zephyr images, as well as the veneer object file that links them, are generated during the normal Zephyr build process. Note: Building with the "_nonsecure" BOARD variant (e.g. "mps2_an521_nonsecure") ensures that CONFIG_TRUSTED_EXECUTION_NONSECURE ie enabled. if BUILD_WITH_TFM config TFM_KEY_FILE_S string "Path to private key used to sign secure firmware images." depends on BUILD_WITH_TFM default "${ZEPHYR_BASE}/../modules/tee/tfm/trusted-firmware-m/bl2/ext/mcuboot/root-RSA-3072.pem" help The path and filename for the .pem file containing the private key that should be used by the BL2 bootloader when signing secure firmware images. config TFM_KEY_FILE_NS string "Path to private key used to sign non-secure firmware images." depends on BUILD_WITH_TFM default "${ZEPHYR_BASE}/../modules/tee/tfm/trusted-firmware-m/bl2/ext/mcuboot/root-RSA-3072_1.pem" help The path and filename for the .pem file containing the private key that should be used by the BL2 bootloader when signing non-secure firmware images. config TFM_PROFILE string "The build profile used for TFM Secure image." depends on BUILD_WITH_TFM help Build profile used to build tfm_s image. The available values are profile_medium and profile_small. The default profile does not need to have this configuration set. choice TFM_CMAKE_BUILD_TYPE prompt "The build type for TFM" default TFM_CMAKE_BUILD_TYPE_RELEASE if SPEED_OPTIMIZATIONS && BUILD_OUTPUT_STRIPPED default TFM_CMAKE_BUILD_TYPE_MINSIZEREL if SIZE_OPTIMIZATIONS default TFM_CMAKE_BUILD_TYPE_DEBUG if DEBUG_OPTIMIZATIONS default TFM_CMAKE_BUILD_TYPE_RELWITHDEBINFO config TFM_CMAKE_BUILD_TYPE_RELEASE bool "Release build" config TFM_CMAKE_BUILD_TYPE_RELWITHDEBINFO bool "Release build with Debug info" config TFM_CMAKE_BUILD_TYPE_MINSIZEREL bool "Release build, optimized for size" config TFM_CMAKE_BUILD_TYPE_DEBUG bool "Debug build" endchoice config TFM_ISOLATION_LEVEL int "Isolation level setting." range 1 3 depends on BUILD_WITH_TFM help Manually set the required TFM isolation level. Possible values are 1,2 or 3; the default is set by build configuration. config TFM_BL2 bool "Add MCUboot to TFM" default y help TFM is designed to run with MCUboot in a certain configuration. This config adds MCUboot to the build - built via TFM's build system. config TFM_MCUBOOT_IMAGE_NUMBER int "Granularity of FW updates of TFM and app" range 1 2 default 2 help How many images the bootloader sees when it looks at TFM and the app. When this is 1, the S and NS are considered as 1 image and must be updated in one atomic operation. When this is 2, they are split and can be updated independently if dependency requirements are met. config TFM_PARTITION_PROTECTED_STORAGE bool "Enable secure partition 'Protected Storage'" default y help Setting this option will cause '-DTFM_PARTITION_PROTECTED_STORAGE' to be passed to the TF-M build system. Look at 'config_default.cmake' in the trusted-firmware-m repository for details regarding this parameter. Any dependencies between the various TFM_PARTITION_* options are handled by the build system in the trusted-firmware-m repository. config TFM_PARTITION_INTERNAL_TRUSTED_STORAGE bool "Enable secure partition 'Internal Trusted Storage'" default y help Setting this option will cause '-DTFM_PARTITION_INTERNAL_TRUSTED_STORAGE' to be passed to the TF-M build system. Look at 'config_default.cmake' in the trusted-firmware-m repository for details regarding this parameter. Any dependencies between the various TFM_PARTITION_* options are handled by the build system in the trusted-firmware-m repository. config TFM_PARTITION_CRYPTO bool "Enable secure partition 'Crypto'" default y help Setting this option will cause '-DTFM_PARTITION_CRYPTO' to be passed to the TF-M build system. Look at 'config_default.cmake' in the trusted-firmware-m repository for details regarding this parameter. Any dependencies between the various TFM_PARTITION_* options are handled by the build system in the trusted-firmware-m repository. config TFM_PARTITION_INITIAL_ATTESTATION bool "Enable secure partition 'Initial Attestation'" default y help Setting this option will cause '-DTFM_PARTITION_INITIAL_ATTESTATION' to be passed to the TF-M build system. Look at 'config_default.cmake' in the trusted-firmware-m repository for details regarding this parameter. Any dependencies between the various TFM_PARTITION_* options are handled by the build system in the trusted-firmware-m repository. config TFM_PARTITION_PLATFORM bool "Enable secure partition 'Platform'" default y help Setting this option will cause '-DTFM_PARTITION_PLATFORM' to be passed to the TF-M build system. Look at 'config_default.cmake' in the trusted-firmware-m repository for details regarding this parameter. Any dependencies between the various TFM_PARTITION_* options are handled by the build system in the trusted-firmware-m repository. # Audit Log partition build fails for profile_medium, so disable # the combination for now. config TFM_PARTITION_AUDIT_LOG bool "Enable secure partition 'Audit Log'" if (TFM_PROFILE != "profile_medium") default y if (TFM_PROFILE != "profile_medium") help Setting this option will cause '-DTFM_PARTITION_AUDIT_LOG' to be passed to the TF-M build system. Look at 'config_default.cmake' in the trusted-firmware-m repository for details regarding this parameter. Any dependencies between the various TFM_PARTITION_* options are handled by the build system in the trusted-firmware-m repository. config TFM_IPC bool "IPC" help When enabled, this option signifies that the TF-M build supports the PSA API (IPC mode) instead of the secure library mode. config TFM_REGRESSION bool "Regression tests" help When enabled, this option signifies that the TF-M build includes the Secure and the Non-Secure regression tests. if TFM_BL2 config ROM_START_OFFSET hex "ROM Start Offset accounting for BL2 Header in the NS image" default 0x400 help By default BL2 header size in TF-M is 0x400. ROM_START_OFFSET needs to be updated if TF-M switches to use a different header size for BL2. endif # !TFM_BL2 # Option to instruct flashing a merged binary consisting of BL2 (optionally), # TF-M (Secure), and application (Non-Secure). config TFM_FLASH_MERGED_BINARY bool help This option instructs west flash to program the combined (merged) binary consisting of the TF-M Secure firmware image, optionally, the BL2 image (if building with TFM_BL2 is enabled), and the Non-Secure application firmware. endif # BUILD_WITH_TFM