# Configuration for the TF-M Module # Copyright (c) 2019, 2020 Linaro Limited # Copyright (c) 2020, 2021 Nordic Semiconductor ASA # SPDX-License-Identifier: Apache-2.0 config ZEPHYR_TRUSTED_FIRMWARE_M_MODULE bool config TFM_BOARD string default "nxp/lpcxpresso55s69" if BOARD_LPCXPRESSO55S69_CPU0 default "arm/mps2/an521" if BOARD_MPS2_AN521_CPU0_NS default "arm/mps3/an547" if BOARD_MPS3_AN547 default "stm/b_u585i_iot02a" if BOARD_B_U585I_IOT02A default "stm/nucleo_l552ze_q" if BOARD_NUCLEO_L552ZE_Q default "stm/stm32l562e_dk" if BOARD_STM32L562E_DK default "arm/musca_b1" if BOARD_MUSCA_B1 default "arm/musca_s1" if BOARD_MUSCA_S1 default "${ZEPHYR_BASE}/modules/trusted-firmware-m/nordic_nrf/nrf9160" if SOC_NRF9160 default "${ZEPHYR_BASE}/modules/trusted-firmware-m/nordic_nrf/nrf9120" if SOC_NRF9120 default "${ZEPHYR_BASE}/modules/trusted-firmware-m/nordic_nrf/nrf5340_cpuapp" if SOC_NRF5340_CPUAPP help The board name used for building TFM. Building with TFM requires that TFM has been ported to the given board/SoC. menuconfig BUILD_WITH_TFM bool "Build with TF-M as the Secure Execution Environment" depends on TRUSTED_EXECUTION_NONSECURE depends on TFM_BOARD != "" depends on ARM_TRUSTZONE_M select BUILD_OUTPUT_HEX imply INIT_ARCH_HW_AT_BOOT imply ARM_NONSECURE_PREEMPTIBLE_SECURE_CALLS help When enabled, this option instructs the Zephyr build process to additionally generate a TF-M image for the Secure Execution environment, along with the Zephyr image. The Zephyr image itself is to be executed in the Non-Secure Processing Environment. The required dependency on TRUSTED_EXECUTION_NONSECURE ensures that the Zephyr image is built as a Non-Secure image. Both TF-M and Zephyr images, as well as the veneer object file that links them, are generated during the normal Zephyr build process. Notes: Building with the "_ns" BOARD variant (e.g. "mps2_an521_ns") ensures that CONFIG_TRUSTED_EXECUTION_NONSECURE is enabled. By default we allow Zephyr preemptible threads be preempted while performing a secure function call. if BUILD_WITH_TFM config TFM_KEY_FILE_S string "Path to private key used to sign secure firmware images." depends on BUILD_WITH_TFM default "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/bl2/ext/mcuboot/root-RSA-3072.pem" help The path and filename for the .pem file containing the private key that should be used by the BL2 bootloader when signing secure firmware images. config TFM_KEY_FILE_NS string "Path to private key used to sign non-secure firmware images." depends on BUILD_WITH_TFM default "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/bl2/ext/mcuboot/root-RSA-3072_1.pem" help The path and filename for the .pem file containing the private key that should be used by the BL2 bootloader when signing non-secure firmware images. config TFM_PROFILE string depends on BUILD_WITH_TFM default "profile_small" if TFM_PROFILE_TYPE_SMALL default "profile_medium" if TFM_PROFILE_TYPE_MEDIUM default "profile_large" if TFM_PROFILE_TYPE_LARGE help Build profile used to build tfm_s image. The available values are profile_large, profile_medium and profile_small. The default profile does not need to have this configuration set. choice TFM_PROFILE_TYPE prompt "TF-M build profile" depends on BUILD_WITH_TFM default TFM_PROFILE_TYPE_NOT_SET help The TF-M build profile selection. Can be empty (not set), small, medium or large. Certain profile types enable other TF-M configuration options, namely, the IPC model and the isolation level. config TFM_PROFILE_TYPE_NOT_SET bool "TF-M build profile is not set" config TFM_PROFILE_TYPE_SMALL bool "TF-M build profile: small" config TFM_PROFILE_TYPE_MEDIUM bool "TF-M build profile: medium" config TFM_PROFILE_TYPE_LARGE bool "TF-M build profile: large" endchoice choice TFM_CMAKE_BUILD_TYPE prompt "The build type for TFM" default TFM_CMAKE_BUILD_TYPE_RELEASE if SPEED_OPTIMIZATIONS && BUILD_OUTPUT_STRIPPED default TFM_CMAKE_BUILD_TYPE_MINSIZEREL if SIZE_OPTIMIZATIONS default TFM_CMAKE_BUILD_TYPE_DEBUG if DEBUG_OPTIMIZATIONS default TFM_CMAKE_BUILD_TYPE_RELWITHDEBINFO config TFM_CMAKE_BUILD_TYPE_RELEASE bool "Release build" config TFM_CMAKE_BUILD_TYPE_RELWITHDEBINFO bool "Release build with Debug info" config TFM_CMAKE_BUILD_TYPE_MINSIZEREL bool "Release build, optimized for size" config TFM_CMAKE_BUILD_TYPE_DEBUG bool "Debug build" endchoice config TFM_ISOLATION_LEVEL int "Isolation level setting." if (TFM_PROFILE_TYPE_NOT_SET && TFM_IPC) range 1 3 depends on BUILD_WITH_TFM default 1 if TFM_PROFILE_TYPE_SMALL || !TFM_IPC default 2 if TFM_PROFILE_TYPE_MEDIUM default 3 if TFM_PROFILE_TYPE_LARGE help Manually set the required TFM isolation level. Possible values are 1,2 or 3; the default is set by build configuration. When TF-M Profile option is supplied, do not allow manual setting of the isolation level, as it is determined by the profile setting. As isolation levels 2 and 3 require PSA_API (TFM_IPC) support, force level 1 when TFM_IPC is not enabled. config TFM_ITS_NUM_ASSETS_OVERRIDE bool "Override maximum number of Internal Trusted Storage assets" help Override the platform's default maximum number of assets to be stored in Internal Trusted Storage (ITS) with TFM_ITS_NUM_ASSETS. config TFM_ITS_NUM_ASSETS int "Maximum number of Internal Trusted Storage assets" depends on TFM_ITS_NUM_ASSETS_OVERRIDE default 0 help Maximum number of assets to be stored in Internal Trusted Storage (ITS). config TFM_ITS_MAX_ASSET_SIZE_OVERRIDE bool "Override maximum Internal Trusted Storage asset size" help Override the platform's default maximum size of a single asset to be stored in Internal Trusted Storage (ITS) with TFM_ITS_MAX_ASSET_SIZE. config TFM_ITS_MAX_ASSET_SIZE int "Maximum Internal Trusted Storage asset size" depends on TFM_ITS_MAX_ASSET_SIZE_OVERRIDE default 0 help Maximum size (in bytes) of a single asset to be stored in Internal Trusted Storage (ITS). config TFM_PARTITION_PLATFORM_CUSTOM_REBOOT bool "Use custom reboot handler" depends on TFM_PARTITION_PLATFORM help Do not include the default zephyr implementation of calling the TF-M platform reset service. Instead the application will have to override the weak ARM implementation of sys_arch_reset(). config TFM_BL2_NOT_SUPPORTED bool help Hidden option to mark the BL2, the MCUBoot included in TF-M, as not supported. Platforms that don't use BL2 should select this option. config TFM_IMAGE_VERSION_S string "Version of the Secure Image" default "0.0.0+0" help MCUBoot may be configured to prevent rollback prevention based on image versions of both the secure firmware and non-secure firmware. This sets the secure firmware's version for rollback prevention. config TFM_IMAGE_VERSION_NS string "Version of the Non-Secure Image" default "0.0.0+0" help MCUBoot may be configured to prevent rollback prevention based on image versions of both the secure firmware and non-secure firmware. This sets the non-secure firmware's version for rollback prevention. config TFM_BL2 bool "Add MCUboot to TFM" depends on !TFM_BL2_NOT_SUPPORTED default y help TFM is designed to run with MCUboot in a certain configuration. This config adds MCUboot to the build - built via TFM's build system. config TFM_BUILD_NS bool "Build the TF-M Non-Secure application and libraries" help Instruct the TF-M build system to build the TF-M Non-Secure application and libraries. This option is intended for testing purposes only, since this is the easiest way to build the TF-M regression tests application and test support libraries in the zephyr build system. config TFM_USE_NS_APP bool "Use the TF-M Non-Secure application" depends on TFM_BUILD_NS help The TF-M build system can produce multiple executable files. The main one is the TF-M secure firmware. Optionally the TF-M non-secure application can be built. Usually the TF-M non-secure application is not used since the zephyr application is the non-secure application. With this option enabled this is reversed and the TF-M non-secure application is used instead of the Zephyr non-secure application. This option is intended for testing purposes only, since this is the easiest way to integrate and run the TF-M regression tests in the zephyr build system. config TFM_CONNECTION_BASED_SERVICE_API bool "TF-M use connection based service APIs" help The TF-M build system produces an interface source file for accessing connection based services. Select this option when TF-M service models requires this source file. Note: This is an auto-generated configuration in the TF-M build system. When this option is not enabled in the TF-M build system this will result in compilation error. if TFM_BL2 config TFM_MCUBOOT_IMAGE_NUMBER int "Granularity of FW updates of TFM and app" range 1 2 default 2 help How many images the bootloader sees when it looks at TFM and the app. When this is 1, the S and NS are considered as 1 image and must be updated in one atomic operation. When this is 2, they are split and can be updated independently if dependency requirements are met. choice TFM_MCUBOOT_PATH prompt "Path to MCUboot or DOWNLOAD to fetch automatically" default TFM_MCUBOOT_PATH_LOCAL help Path to MCUboot for TF-M builds. The default option is to use Zephyr's MCUboot module. As an alternative, users may switch to the 'download' version; in that case MCUboot will be fetched by the TF-M build during build time. The default option ensures that Zephyr builds with TF-M do not fetch external trees. config TFM_MCUBOOT_PATH_LOCAL bool "TF-M to use Zephyr's MCUboot" help TF-M builds with BL2 will use the Zephyr's MCUboot version, which is present in the MCUboot module. config TFM_MCUBOOT_PATH_DOWNLOAD bool "TF-M to automatically download MCUboot during build" help TF-M builds with BL2 will let the TF-M build to automatically fetch and check-out the MCUboot version to use in the build. endchoice config TFM_QCBOR_PATH string prompt "Path to QCBOR or DOWNLOAD to fetch automatically" default "" help Path to QCBOR for TF-M builds. Due to a license issue with this library Zephyr does not ship with this library. If the application wishes to still use this library they can point to their own checkout of this library, or set to DOWNLOAD to allow TF-M build system to automatically download this. config TFM_MCUBOOT_DATA_SHARING bool "Share app-specific data between TF-M and MCUBoot" help Add sharing of application specific data using the same shared data area as for the measured boot. endif # TFM_BL2 choice TFM_MODEL prompt "TF-M Firmware Framework model" default TFM_SFN if TFM_PROFILE_TYPE_SMALL default TFM_IPC help The Firmware Framework M (FF-M) provides different programming models for Secure Partitions. config TFM_IPC bool "IPC Model" help Use the IPC Model as the SPM backend for the PSA API. The IPC model supports the IPC and SFN Partition models, and isolation levels 1, 2 and 3. In this model each Secure Partition processes signals in any order, and can defer responding to a message while continuing to process other signals. The IPC model conforms to the PSA Firmware Framework for M (FF-M) v1.1. config TFM_SFN bool "SFN model" help Use the SFN Model as the SPM backend for the PSA API. The SFN model supports the SFN Partition model, and isolation level 1. In this model each Secure Partition is made up of a collection of callback functions which implement secure services. The SFN model conforms to the PSA Firmware Framework for M (FF-M) v1.1. endchoice # TFM_MODEL config TFM_REGRESSION_S bool "TF-M Secure Regression tests" help When enabled, this option signifies that the TF-M build includes the Secure domain regression tests. The regression tests will be included in the TF-M secure firmware. config TFM_REGRESSION_NS bool "TF-M Non-Secure Regression tests" help When enabled, this option signifies that the TF-M build includes the Non-Secure domain regression tests. The regression tests will be included in the TF-M non-secure application. choice TFM_PSA_TEST prompt "Enable a PSA test suite" default TFM_PSA_TEST_NONE config TFM_PSA_TEST_CRYPTO bool "Crypto tests" depends on MAIN_STACK_SIZE >= 4096 help Enable the PSA Crypto test suite. config TFM_PSA_TEST_PROTECTED_STORAGE bool "Storage tests" help Enable the PSA Protected Storage test suite. config TFM_PSA_TEST_INTERNAL_TRUSTED_STORAGE bool "Internal Trusted Storage tests" help Enable the PSA Internal Trusted Storage test suite. config TFM_PSA_TEST_STORAGE bool "Storage tests" help Enable the PSA Storage test suite. This is a combination of the protected storage and internal trusted storage tests. config TFM_PSA_TEST_INITIAL_ATTESTATION bool "Initial attestation tests" depends on MAIN_STACK_SIZE >= 4096 help Enable the PSA Initial Attestation test suite. config TFM_PSA_TEST_NONE bool "No PSA test suite" endchoice if TFM_BL2 config ROM_START_OFFSET hex "ROM Start Offset accounting for BL2 Header in the NS image" default 0x400 help By default BL2 header size in TF-M is 0x400. ROM_START_OFFSET needs to be updated if TF-M switches to use a different header size for BL2. choice TFM_BL2_LOG_LEVEL prompt "BL2 Log Level" if !TFM_LOG_LEVEL_SILENCE default TFM_BL2_LOG_LEVEL_INFO config TFM_BL2_LOG_LEVEL_DEBUG bool "Debug" config TFM_BL2_LOG_LEVEL_INFO bool "Info" config TFM_BL2_LOG_LEVEL_WARNING bool "Warning" config TFM_BL2_LOG_LEVEL_ERROR bool "Error" config TFM_BL2_LOG_LEVEL_OFF bool "Off" endchoice endif # !TFM_BL2 # Option to instruct flashing a merged binary consisting of BL2 (optionally), # TF-M (Secure), and application (Non-Secure). config TFM_FLASH_MERGED_BINARY bool help This option instructs west flash to program the combined (merged) binary consisting of the TF-M Secure firmware image, optionally, the BL2 image (if building with TFM_BL2 is enabled), and the Non-Secure application firmware. config TFM_LOG_LEVEL_SILENCE bool "TF-M Disable secure logging" help Set the log level to silence for all TF-M modules (SPM, partition, etc.). On some platforms this will release the UART from the secure domain and reduce the uart driver's flash usage. choice TFM_SPM_LOG_LEVEL prompt "TF-M SPM Log Level" if !TFM_LOG_LEVEL_SILENCE default TFM_SPM_LOG_LEVEL_INFO config TFM_SPM_LOG_LEVEL_DEBUG bool "Debug" config TFM_SPM_LOG_LEVEL_INFO bool "Info" config TFM_SPM_LOG_LEVEL_ERROR bool "Error" config TFM_SPM_LOG_LEVEL_SILENCE bool "Off" endchoice config TFM_EXCEPTION_INFO_DUMP bool "TF-M exception info dump" default y help On fatal errors in the secure firmware, capture info about the exception. Print the info if the SPM log level is sufficient. endif # BUILD_WITH_TFM