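# Configuration for the TF-M Module

# Copyright (c) 2019, 2020 Linaro Limited
# Copyright (c) 2020 Nordic Semiconductor ASA
# SPDX-License-Identifier: Apache-2.0

# Maps the Zephyr board being built to the TF-M platform name. The symbol has
# no prompt, so it is only ever set through the defaults below; boards without
# a matching default leave it empty, which keeps BUILD_WITH_TFM unavailable.
config TFM_BOARD
	string
	default "nordic_nrf/nrf9160dk_nrf9160" if BOARD_NRF9160DK_NRF9160NS
	default "nordic_nrf/nrf5340dk_nrf5340_cpuapp" if BOARD_NRF5340DK_NRF5340_CPUAPPNS
	default "nordic_nrf/nrf5340pdk_nrf5340_cpuapp" if BOARD_NRF5340PDK_NRF5340_CPUAPPNS
	default "nxp/lpcxpresso55s69" if BOARD_LPCXPRESSO55S69_CPU0
	default "mps2/an521" if BOARD_MPS2_AN521
	default "stm/nucleo_l552ze_q" if BOARD_NUCLEO_L552ZE_Q
	default "musca_b1" if BOARD_MUSCA_B1
	default "musca_s1" if BOARD_MUSCA_S1
	help
	  The board name used for building TFM. Building with TFM requires that
	  TFM has been ported to the given board/SoC.

menuconfig BUILD_WITH_TFM
	bool "Build with TF-M as the Secure Execution Environment"
	depends on TRUSTED_EXECUTION_NONSECURE
	depends on TFM_BOARD != ""
	depends on ARM_TRUSTZONE_M
	imply INIT_ARCH_HW_AT_BOOT
	help
	  When enabled, this option instructs the Zephyr build process to
	  additionally generate a TF-M image for the Secure Execution
	  environment, along with the Zephyr image. The Zephyr image
	  itself is to be executed in the Non-Secure Processing Environment.
	  The required dependency on TRUSTED_EXECUTION_NONSECURE
	  ensures that the Zephyr image is built as a Non-Secure image. Both
	  TF-M and Zephyr images, as well as the veneer object file that links
	  them, are generated during the normal Zephyr build process.

	  Note:
	    Building with the "_nonsecure" BOARD variant (e.g.
	    "mps2_an521_nonsecure") ensures that
	    CONFIG_TRUSTED_EXECUTION_NONSECURE is enabled.

if BUILD_WITH_TFM

# The two key-file defaults point into the TF-M module source tree, i.e. at
# key pairs that are distributed with the TF-M sources. Treat them as
# development keys and override both options for any image that ships.
config TFM_KEY_FILE_S
	string "Path to private key used to sign secure firmware images."
	depends on BUILD_WITH_TFM
	default "${ZEPHYR_BASE}/../modules/tee/tfm/trusted-firmware-m/bl2/ext/mcuboot/root-RSA-3072.pem"
	help
	  The path and filename for the .pem file containing the private key
	  that is used to sign secure firmware images so that the BL2
	  bootloader can verify them.

	  The default is the key shipped in the TF-M source tree. Because that
	  private key is publicly available, images signed with it are only
	  suitable for development and testing. Set this option to a key that
	  is generated and stored outside the source tree for production
	  builds.

config TFM_KEY_FILE_NS
	string "Path to private key used to sign non-secure firmware images."
	depends on BUILD_WITH_TFM
	default "${ZEPHYR_BASE}/../modules/tee/tfm/trusted-firmware-m/bl2/ext/mcuboot/root-RSA-3072_1.pem"
	help
	  The path and filename for the .pem file containing the private key
	  that is used to sign non-secure firmware images so that the BL2
	  bootloader can verify them.

	  The default is the key shipped in the TF-M source tree. Because that
	  private key is publicly available, images signed with it are only
	  suitable for development and testing. Set this option to a key that
	  is generated and stored outside the source tree for production
	  builds.

config TFM_PROFILE
	string "The build profile used for TFM Secure image."
	depends on BUILD_WITH_TFM
	help
	  Build profile used to build tfm_s image. The available values are
	  profile_medium and profile_small. The default profile does not
	  need to have this configuration set.

# No default is given here, so an unset value leaves the choice to the TF-M
# build configuration. Higher levels add isolation boundaries on the secure
# side; NOTE(review): not every TF-M platform is expected to support every
# level, confirm against the platform port before raising it.
config TFM_ISOLATION_LEVEL
	int "Isolation level setting."
	range 1 3
	depends on BUILD_WITH_TFM
	help
	  Manually set the required TFM isolation level. Possible values are
	  1, 2 or 3; the default is set by build configuration.

choice TFM_BL2
	prompt "BL2 configuration, should TFM build with MCUboot support"
	default TFM_BL2_CONFIG_FILE_DEFAULT

config TFM_BL2_CONFIG_FILE_DEFAULT
	bool "Use TFM BL2 setting from TFM configuration file"
	help
	  This option does not set -DBL2 in TFM, which means the TF-M
	  platform's default is used. Currently all TF-M platforms have
	  BL2=ON as default.

config TFM_BL2_TRUE
	bool "TFM BL2 enabled"

# With BL2 disabled the build has no MCUboot stage, so the signature check
# that BL2 would perform on the images at boot is not part of the boot chain.
config TFM_BL2_FALSE
	bool "TFM BL2 disabled"

endchoice

config TFM_IPC
	bool "IPC"
	help
	  When enabled, this option signifies that the TF-M build supports
	  the PSA API (IPC mode) instead of the secure library mode.

config TFM_REGRESSION
	bool "Regression tests"
	help
	  When enabled, this option signifies that the TF-M build includes
	  the Secure and the Non-Secure regression tests.

if !TFM_BL2_FALSE

# Must stay in step with the BL2 image header size used by TF-M; the
# non-secure image starts after that header.
config ROM_START_OFFSET
	hex "ROM Start Offset accounting for BL2 Header in the NS image"
	default 0x400
	help
	  By default BL2 header size in TF-M is 0x400. ROM_START_OFFSET
	  needs to be updated if TF-M switches to use a different header
	  size for BL2.

endif # !TFM_BL2_FALSE

endif # BUILD_WITH_TFM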