OrgZephyr/zephyr
OrgZephyr
/
zephyr
mirror of https://github.com/zephyrproject-rtos/zephyr.git
1
0
Fork 0
Code Issues Releases Wiki Activity
zephyr/modules/trusted-firmware-m/Kconfig

225 lines
8.0 KiB
Plaintext
Raw Blame History

# Configuration for the TF-M Module
# Copyright (c) 2019, 2020 Linaro Limited
# Copyright (c) 2020 Nordic Semiconductor ASA
# SPDX-License-Identifier: Apache-2.0
config ZEPHYR_TRUSTED_FIRMWARE_M_MODULE
bool
config TFM_BOARD
string
default "nordic_nrf/nrf9160dk_nrf9160" if BOARD_NRF9160DK_NRF9160NS
default "nordic_nrf/nrf5340dk_nrf5340_cpuapp" if BOARD_NRF5340DK_NRF5340_CPUAPPNS
default "nxp/lpcxpresso55s69" if BOARD_LPCXPRESSO55S69_CPU0
default "mps2/an521" if BOARD_MPS2_AN521
default "stm/nucleo_l552ze_q" if BOARD_NUCLEO_L552ZE_Q
default "stm/stm32l562e_dk" if BOARD_STM32L562E_DK
default "musca_b1/sse_200" if BOARD_MUSCA_B1
default "musca_s1" if BOARD_MUSCA_S1
help
The board name used for building TFM. Building with TFM requires that
TFM has been ported to the given board/SoC.
menuconfig BUILD_WITH_TFM
bool "Build with TF-M as the Secure Execution Environment"
depends on TRUSTED_EXECUTION_NONSECURE
depends on TFM_BOARD != ""
depends on ARM_TRUSTZONE_M
select BUILD_OUTPUT_HEX
imply INIT_ARCH_HW_AT_BOOT
help
When enabled, this option instructs the Zephyr build process to
additionaly generate a TF-M image for the Secure Execution
environment, along with the Zephyr image. The Zephyr image
itself is to be executed in the Non-Secure Processing Environment.
The required dependency on TRUSTED_EXECUTION_NONSECURE
ensures that the Zephyr image is built as a Non-Secure image. Both
TF-M and Zephyr images, as well as the veneer object file that links
them, are generated during the normal Zephyr build process.
Note:
Building with the "_nonsecure" BOARD variant (e.g.
"mps2_an521_nonsecure") ensures that
CONFIG_TRUSTED_EXECUTION_NONSECURE ie enabled.
if BUILD_WITH_TFM
config TFM_KEY_FILE_S
string "Path to private key used to sign secure firmware images."
depends on BUILD_WITH_TFM
default "${ZEPHYR_BASE}/../modules/tee/tfm/trusted-firmware-m/bl2/ext/mcuboot/root-RSA-3072.pem"
help
The path and filename for the .pem file containing the private key
that should be used by the BL2 bootloader when signing secure
firmware images.
config TFM_KEY_FILE_NS
string "Path to private key used to sign non-secure firmware images."
depends on BUILD_WITH_TFM
default "${ZEPHYR_BASE}/../modules/tee/tfm/trusted-firmware-m/bl2/ext/mcuboot/root-RSA-3072_1.pem"
help
The path and filename for the .pem file containing the private key
that should be used by the BL2 bootloader when signing non-secure
firmware images.
config TFM_PROFILE
string "The build profile used for TFM Secure image."
depends on BUILD_WITH_TFM
help
Build profile used to build tfm_s image. The available values are
profile_medium and profile_small. The default profile does not need
to have this configuration set.
choice TFM_CMAKE_BUILD_TYPE
prompt "The build type for TFM"
default TFM_CMAKE_BUILD_TYPE_RELEASE if SPEED_OPTIMIZATIONS && BUILD_OUTPUT_STRIPPED
default TFM_CMAKE_BUILD_TYPE_MINSIZEREL if SIZE_OPTIMIZATIONS
default TFM_CMAKE_BUILD_TYPE_DEBUG if DEBUG_OPTIMIZATIONS
default TFM_CMAKE_BUILD_TYPE_RELWITHDEBINFO
config TFM_CMAKE_BUILD_TYPE_RELEASE
bool "Release build"
config TFM_CMAKE_BUILD_TYPE_RELWITHDEBINFO
bool "Release build with Debug info"
config TFM_CMAKE_BUILD_TYPE_MINSIZEREL
bool "Release build, optimized for size"
config TFM_CMAKE_BUILD_TYPE_DEBUG
bool "Debug build"
endchoice
config TFM_ISOLATION_LEVEL
int "Isolation level setting."
range 1 3
depends on BUILD_WITH_TFM
help
Manually set the required TFM isolation level. Possible values are
1,2 or 3; the default is set by build configuration.
config TFM_BL2
bool "Add MCUboot to TFM"
default y
help
TFM is designed to run with MCUboot in a certain configuration.
This config adds MCUboot to the build - built via TFM's build system.
config TFM_MCUBOOT_IMAGE_NUMBER
int "Granularity of FW updates of TFM and app"
range 1 2
default 2
help
How many images the bootloader sees when it looks at TFM and the app.
When this is 1, the S and NS are considered as 1 image and must be
updated in one atomic operation. When this is 2, they are split and
can be updated independently if dependency requirements are met.
config TFM_PARTITION_PROTECTED_STORAGE
bool "Enable secure partition 'Protected Storage'"
default y
help
Setting this option will cause '-DTFM_PARTITION_PROTECTED_STORAGE'
to be passed to the TF-M build system. Look at 'config_default.cmake'
in the trusted-firmware-m repository for details regarding this
parameter. Any dependencies between the various TFM_PARTITION_*
options are handled by the build system in the trusted-firmware-m
repository.
config TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
bool "Enable secure partition 'Internal Trusted Storage'"
default y
help
Setting this option will cause '-DTFM_PARTITION_INTERNAL_TRUSTED_STORAGE'
to be passed to the TF-M build system. Look at 'config_default.cmake'
in the trusted-firmware-m repository for details regarding this
parameter. Any dependencies between the various TFM_PARTITION_*
options are handled by the build system in the trusted-firmware-m
repository.
config TFM_PARTITION_CRYPTO
bool "Enable secure partition 'Crypto'"
default y
help
Setting this option will cause '-DTFM_PARTITION_CRYPTO'
to be passed to the TF-M build system. Look at 'config_default.cmake'
in the trusted-firmware-m repository for details regarding this
parameter. Any dependencies between the various TFM_PARTITION_*
options are handled by the build system in the trusted-firmware-m
repository.
config TFM_PARTITION_INITIAL_ATTESTATION
bool "Enable secure partition 'Initial Attestation'"
default y
help
Setting this option will cause '-DTFM_PARTITION_INITIAL_ATTESTATION'
to be passed to the TF-M build system. Look at 'config_default.cmake'
in the trusted-firmware-m repository for details regarding this
parameter. Any dependencies between the various TFM_PARTITION_*
options are handled by the build system in the trusted-firmware-m
repository.
config TFM_PARTITION_PLATFORM
bool "Enable secure partition 'Platform'"
default y
help
Setting this option will cause '-DTFM_PARTITION_PLATFORM'
to be passed to the TF-M build system. Look at 'config_default.cmake'
in the trusted-firmware-m repository for details regarding this
parameter. Any dependencies between the various TFM_PARTITION_*
options are handled by the build system in the trusted-firmware-m
repository.
# Audit Log partition build fails for profile_medium, so disable
# the combination for now.
config TFM_PARTITION_AUDIT_LOG
bool "Enable secure partition 'Audit Log'" if (TFM_PROFILE != "profile_medium")
default y if (TFM_PROFILE != "profile_medium")
help
Setting this option will cause '-DTFM_PARTITION_AUDIT_LOG'
to be passed to the TF-M build system. Look at 'config_default.cmake'
in the trusted-firmware-m repository for details regarding this
parameter. Any dependencies between the various TFM_PARTITION_*
options are handled by the build system in the trusted-firmware-m
repository.
config TFM_IPC
bool "IPC"
help
When enabled, this option signifies that the TF-M build supports
the PSA API (IPC mode) instead of the secure library mode.
config TFM_REGRESSION
bool "Regression tests"
help
When enabled, this option signifies that the TF-M build includes
the Secure and the Non-Secure regression tests.
if TFM_BL2
config ROM_START_OFFSET
hex "ROM Start Offset accounting for BL2 Header in the NS image"
default 0x400
help
By default BL2 header size in TF-M is 0x400. ROM_START_OFFSET
needs to be updated if TF-M switches to use a different header
size for BL2.
endif # !TFM_BL2
# Option to instruct flashing a merged binary consisting of BL2 (optionally),
# TF-M (Secure), and application (Non-Secure).
config TFM_FLASH_MERGED_BINARY
bool
help
This option instructs west flash to program the
combined (merged) binary consisting of the TF-M
Secure firmware image, optionally, the BL2 image
(if building with TFM_BL2 is enabled), and the
Non-Secure application firmware.
endif # BUILD_WITH_TFM
Reference in New Issue View Git Blame Copy Permalink