486 lines
16 KiB
Plaintext
486 lines
16 KiB
Plaintext
# Configuration for the TF-M Module
|
|
|
|
# Copyright (c) 2019, 2020 Linaro Limited
|
|
# Copyright (c) 2020, 2021 Nordic Semiconductor ASA
|
|
# Copyright 2024 Arm Limited and/or its affiliates <open-source-office@arm.com>
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
config ZEPHYR_TRUSTED_FIRMWARE_M_MODULE
|
|
bool
|
|
|
|
config TFM_BOARD
|
|
string
|
|
default "nxp/lpcxpresso55s69" if BOARD_LPCXPRESSO55S69_LPC55S69_CPU0_NS
|
|
default "arm/mps2/an521" if BOARD_MPS2_AN521_CPU0_NS
|
|
default "arm/mps3/corstone300/fvp" if BOARD_MPS3_CORSTONE300_FVP_NS
|
|
default "arm/mps3/corstone300/an547" if BOARD_MPS3_CORSTONE300_AN547_NS
|
|
default "arm/mps3/corstone300/an552" if BOARD_MPS3_CORSTONE300_AN552_NS
|
|
default "arm/mps3/corstone310/an555" if BOARD_MPS3_CORSTONE310_AN555_NS
|
|
default "arm/mps3/corstone310/fvp" if BOARD_MPS3_CORSTONE310_FVP_NS
|
|
default "stm/b_u585i_iot02a" if BOARD_B_U585I_IOT02A
|
|
default "stm/nucleo_l552ze_q" if BOARD_NUCLEO_L552ZE_Q
|
|
default "stm/stm32l562e_dk" if BOARD_STM32L562E_DK
|
|
default "arm/musca_b1" if BOARD_V2M_MUSCA_B1
|
|
default "arm/musca_s1" if BOARD_V2M_MUSCA_S1
|
|
default "${ZEPHYR_BASE}/modules/trusted-firmware-m/nordic/nrf9160" if SOC_NRF9160
|
|
default "${ZEPHYR_BASE}/modules/trusted-firmware-m/nordic/nrf9120" if SOC_NRF9120
|
|
default "${ZEPHYR_BASE}/modules/trusted-firmware-m/nordic/nrf5340_cpuapp" if SOC_NRF5340_CPUAPP
|
|
help
|
|
The board name used for building TFM. Building with TFM requires that
|
|
TFM has been ported to the given board/SoC.
|
|
|
|
menuconfig BUILD_WITH_TFM
|
|
bool "Build with TF-M as the Secure Execution Environment"
|
|
depends on TRUSTED_EXECUTION_NONSECURE
|
|
depends on TFM_BOARD != ""
|
|
depends on ARM_TRUSTZONE_M
|
|
select BUILD_OUTPUT_HEX
|
|
select PSA_CRYPTO_CLIENT
|
|
imply INIT_ARCH_HW_AT_BOOT
|
|
imply ARM_NONSECURE_PREEMPTIBLE_SECURE_CALLS
|
|
imply MBEDTLS
|
|
help
|
|
When enabled, this option instructs the Zephyr build process to
|
|
additionally generate a TF-M image for the Secure Execution
|
|
environment, along with the Zephyr image. The Zephyr image
|
|
itself is to be executed in the Non-Secure Processing Environment.
|
|
The required dependency on TRUSTED_EXECUTION_NONSECURE
|
|
ensures that the Zephyr image is built as a Non-Secure image. Both
|
|
TF-M and Zephyr images, as well as the veneer object file that links
|
|
them, are generated during the normal Zephyr build process.
|
|
|
|
Notes:
|
|
Building with the "/ns" BOARD variant (e.g. "mps2/an521/cpu0/ns")
|
|
ensures that CONFIG_TRUSTED_EXECUTION_NONSECURE is enabled.
|
|
|
|
By default we allow Zephyr preemptible threads be preempted
|
|
while performing a secure function call.
|
|
|
|
if BUILD_WITH_TFM
|
|
|
|
config TFM_PROFILE
|
|
string
|
|
default "profile_small" if TFM_PROFILE_TYPE_SMALL
|
|
default "profile_medium" if TFM_PROFILE_TYPE_MEDIUM
|
|
default "profile_medium_arotless" if TFM_PROFILE_TYPE_AROTLESS
|
|
default "profile_large" if TFM_PROFILE_TYPE_LARGE
|
|
help
|
|
Build profile used to build tfm_s image. The available values are
|
|
profile_large, profile_medium and profile_small. The default profile
|
|
does not need to have this configuration set.
|
|
|
|
choice TFM_PROFILE_TYPE
|
|
prompt "TF-M build profile"
|
|
default TFM_PROFILE_TYPE_NOT_SET
|
|
help
|
|
The TF-M build profile selection. Can be empty (not set),
|
|
small, medium or large. Certain profile types enable other
|
|
TF-M configuration options, namely, the IPC model and the
|
|
isolation level.
|
|
|
|
config TFM_PROFILE_TYPE_NOT_SET
|
|
bool "TF-M build profile: not set (base)"
|
|
|
|
config TFM_PROFILE_TYPE_SMALL
|
|
bool "TF-M build profile: small"
|
|
|
|
config TFM_PROFILE_TYPE_MEDIUM
|
|
bool "TF-M build profile: medium"
|
|
|
|
config TFM_PROFILE_TYPE_AROTLESS
|
|
bool "TF-M build profile: ARoT-less"
|
|
|
|
config TFM_PROFILE_TYPE_LARGE
|
|
bool "TF-M build profile: large"
|
|
|
|
endchoice
|
|
|
|
choice TFM_CMAKE_BUILD_TYPE
|
|
prompt "The build type for TFM"
|
|
default TFM_CMAKE_BUILD_TYPE_RELEASE if SPEED_OPTIMIZATIONS && BUILD_OUTPUT_STRIPPED
|
|
default TFM_CMAKE_BUILD_TYPE_MINSIZEREL if SIZE_OPTIMIZATIONS || SIZE_OPTIMIZATIONS_AGGRESSIVE
|
|
default TFM_CMAKE_BUILD_TYPE_DEBUG if DEBUG_OPTIMIZATIONS
|
|
default TFM_CMAKE_BUILD_TYPE_RELWITHDEBINFO
|
|
|
|
config TFM_CMAKE_BUILD_TYPE_RELEASE
|
|
bool "Release build"
|
|
|
|
config TFM_CMAKE_BUILD_TYPE_RELWITHDEBINFO
|
|
bool "Release build with Debug info"
|
|
|
|
config TFM_CMAKE_BUILD_TYPE_MINSIZEREL
|
|
bool "Release build, optimized for size"
|
|
|
|
config TFM_CMAKE_BUILD_TYPE_DEBUG
|
|
bool "Debug build"
|
|
|
|
endchoice
|
|
|
|
config TFM_ISOLATION_LEVEL
|
|
int "Isolation level setting." if (TFM_PROFILE_TYPE_NOT_SET && TFM_IPC)
|
|
range 1 3
|
|
default 1 if TFM_PROFILE_TYPE_SMALL || !TFM_IPC
|
|
default 2 if TFM_PROFILE_TYPE_MEDIUM
|
|
default 3 if TFM_PROFILE_TYPE_LARGE
|
|
help
|
|
Manually set the required TFM isolation level. Possible values are
|
|
1,2 or 3; the default is set by build configuration. When TF-M
|
|
Profile option is supplied, do not allow manual setting of the
|
|
isolation level, as it is determined by the profile setting.
|
|
As isolation levels 2 and 3 require PSA_API (TFM_IPC) support,
|
|
force level 1 when TFM_IPC is not enabled.
|
|
|
|
config TFM_ITS_NUM_ASSETS_OVERRIDE
|
|
bool "Override maximum number of Internal Trusted Storage assets"
|
|
help
|
|
Override the platform's default maximum number of assets to be stored in
|
|
Internal Trusted Storage (ITS) with TFM_ITS_NUM_ASSETS.
|
|
|
|
config TFM_ITS_NUM_ASSETS
|
|
int "Maximum number of Internal Trusted Storage assets"
|
|
depends on TFM_ITS_NUM_ASSETS_OVERRIDE
|
|
default 0
|
|
help
|
|
Maximum number of assets to be stored in Internal Trusted Storage (ITS).
|
|
|
|
config TFM_ITS_MAX_ASSET_SIZE_OVERRIDE
|
|
bool "Override maximum Internal Trusted Storage asset size"
|
|
help
|
|
Override the platform's default maximum size of a single asset to be
|
|
stored in Internal Trusted Storage (ITS) with TFM_ITS_MAX_ASSET_SIZE.
|
|
|
|
config TFM_ITS_MAX_ASSET_SIZE
|
|
int "Maximum Internal Trusted Storage asset size"
|
|
depends on TFM_ITS_MAX_ASSET_SIZE_OVERRIDE
|
|
default 0
|
|
help
|
|
Maximum size (in bytes) of a single asset to be stored in Internal Trusted
|
|
Storage (ITS).
|
|
|
|
config TFM_PARTITION_PLATFORM_CUSTOM_REBOOT
|
|
bool "Use custom reboot handler"
|
|
depends on TFM_PARTITION_PLATFORM
|
|
help
|
|
Do not include the default zephyr implementation of calling the TF-M
|
|
platform reset service.
|
|
Instead the application will have to override the weak ARM
|
|
implementation of sys_arch_reset().
|
|
|
|
config TFM_DUMMY_PROVISIONING
|
|
bool "Provision with dummy values. NOT to be used in production"
|
|
select TFM_INITIAL_ATTESTATION_KEY
|
|
default y
|
|
help
|
|
If this option is enabled (as it is by default), a set of dummy
|
|
keys / data will be provisioned. The dummy IAK matches the IAK tested
|
|
by the TF-M tests, and the dummy bl2 ROTPKs match the dummy bl2 keys
|
|
used by default.
|
|
This option MUST not be used in production hardware, as the keys are
|
|
insecure.
|
|
|
|
config TFM_INITIAL_ATTESTATION_KEY
|
|
bool
|
|
help
|
|
Hidden option to mark that the TF-M platform has an initial
|
|
attestation key, which is a requirement for the Initial Attestation
|
|
partition.
|
|
|
|
config TFM_BL2_NOT_SUPPORTED
|
|
bool
|
|
help
|
|
Hidden option to mark the BL2, the MCUBoot included in TF-M, as not supported.
|
|
Platforms that don't use BL2 should select this option.
|
|
|
|
config TFM_IMAGE_VERSION_S
|
|
string "Version of the Secure Image"
|
|
default "$(APP_VERSION_TWEAK_STRING)" if "$(VERSION_MAJOR)" != "" && TFM_MCUBOOT_IMAGE_NUMBER = 1
|
|
default "0.0.0+0"
|
|
help
|
|
Version of the secure image. This version is also used for merged
|
|
secure + non-secure builds (TFM_MCUBOOT_IMAGE_NUMBER == 1).
|
|
|
|
config TFM_IMAGE_VERSION_NS
|
|
string "Version of the Non-Secure Image"
|
|
default "$(APP_VERSION_TWEAK_STRING)" if "$(VERSION_MAJOR)" != "" && TFM_MCUBOOT_IMAGE_NUMBER = 2
|
|
default "0.0.0+0"
|
|
help
|
|
Version of the non-secure image.
|
|
|
|
config TFM_BL2
|
|
bool "Add MCUboot to TFM"
|
|
depends on !TFM_BL2_NOT_SUPPORTED
|
|
default y
|
|
help
|
|
TFM is designed to run with MCUboot in a certain configuration.
|
|
This config adds MCUboot to the build - built via TFM's build system.
|
|
|
|
config TFM_USE_NS_APP
|
|
bool "Use the TF-M Non-Secure application"
|
|
help
|
|
The TF-M build system can produce multiple executable files.
|
|
The main one is the TF-M secure firmware. Optionally the TF-M
|
|
non-secure application can be built.
|
|
Usually the TF-M non-secure application is not used since the
|
|
zephyr application is the non-secure application.
|
|
With this option enabled this is reversed and the TF-M non-secure
|
|
application is used instead of the Zephyr non-secure application.
|
|
|
|
This option is intended for testing purposes only, since this is the
|
|
easiest way to integrate and run the TF-M regression tests in the
|
|
zephyr build system.
|
|
|
|
config TFM_CONNECTION_BASED_SERVICE_API
|
|
bool "TF-M use connection based service APIs"
|
|
help
|
|
The TF-M build system produces an interface source file for accessing
|
|
connection based services.
|
|
Select this option when TF-M service models requires this source file.
|
|
|
|
Note: This is an auto-generated configuration in the TF-M build
|
|
system. When this option is not enabled in the TF-M build system this
|
|
will result in compilation error.
|
|
|
|
if TFM_BL2
|
|
|
|
config TFM_IMAGE_SECURITY_COUNTER
|
|
int "Security counter value used for hardware rollback protection"
|
|
range 1 1024
|
|
default 1
|
|
help
|
|
By default, TFM enables hardware rollback protection, which requires a security counter
|
|
to be embedded in the image trailer. As per "Hardware-based downgrade prevention" in
|
|
mcuboot/docs/design.md, this does not need to be incremented on every firmware update,
|
|
but hardware rollback protection will only apply when this value is incremented.
|
|
|
|
config TFM_MCUBOOT_SIGNATURE_TYPE
|
|
string "The signature type used to sign the secure and non-secure firmware images."
|
|
default "EC-P256"
|
|
help
|
|
Available types: RSA-2048, RSA-3072, EC-P256, EC-P384.
|
|
|
|
config TFM_KEY_FILE_S
|
|
string "Path to private key used to sign secure firmware images."
|
|
default "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/bl2/ext/mcuboot/root-${CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE}.pem"
|
|
help
|
|
The path and filename for the .pem file containing the private key
|
|
that should be used by the BL2 bootloader when signing secure
|
|
firmware images. This key file is also used for merged secure +
|
|
non-secure builds (TFM_MCUBOOT_IMAGE_NUMBER == 1).
|
|
|
|
config TFM_KEY_FILE_NS
|
|
string "Path to private key used to sign non-secure firmware images."
|
|
default "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/bl2/ext/mcuboot/root-${CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE}_1.pem"
|
|
help
|
|
The path and filename for the .pem file containing the private key
|
|
that should be used by the BL2 bootloader when signing non-secure
|
|
firmware images.
|
|
|
|
config TFM_MCUBOOT_IMAGE_NUMBER
|
|
int "Granularity of FW updates of TFM and app"
|
|
range 1 2
|
|
default 2
|
|
help
|
|
How many images the bootloader sees when it looks at TFM and the app.
|
|
When this is 1, the S and NS are considered as 1 image and must be
|
|
updated in one atomic operation. When this is 2, they are split and
|
|
can be updated independently if dependency requirements are met.
|
|
|
|
choice TFM_MCUBOOT_PATH
|
|
prompt "Path to MCUboot or DOWNLOAD to fetch automatically"
|
|
default TFM_MCUBOOT_PATH_LOCAL
|
|
help
|
|
Path to MCUboot for TF-M builds. The default option
|
|
is to use Zephyr's MCUboot module. As an alternative,
|
|
users may switch to the 'download' version; in that
|
|
case MCUboot will be fetched by the TF-M build during
|
|
build time. The default option ensures that Zephyr builds
|
|
with TF-M do not fetch external trees.
|
|
|
|
config TFM_MCUBOOT_PATH_LOCAL
|
|
bool "TF-M to use Zephyr's MCUboot"
|
|
help
|
|
TF-M builds with BL2 will use the Zephyr's MCUboot version,
|
|
which is present in the MCUboot module.
|
|
|
|
config TFM_MCUBOOT_PATH_DOWNLOAD
|
|
bool "TF-M to automatically download MCUboot during build"
|
|
help
|
|
TF-M builds with BL2 will let the TF-M build to automatically
|
|
fetch and check-out the MCUboot version to use in the build.
|
|
|
|
endchoice
|
|
|
|
config TFM_QCBOR_PATH
|
|
string
|
|
prompt "Path to QCBOR or DOWNLOAD to fetch automatically"
|
|
default ""
|
|
help
|
|
Path to QCBOR for TF-M builds. Due to a license issue with this
|
|
library Zephyr does not ship with this library.
|
|
If the application wishes to still use this library they can point
|
|
to their own checkout of this library, or set to DOWNLOAD to allow
|
|
TF-M build system to automatically download this.
|
|
|
|
config TFM_MCUBOOT_DATA_SHARING
|
|
bool "Share app-specific data between TF-M and MCUBoot"
|
|
help
|
|
Add sharing of application specific data using the same
|
|
shared data area as for the measured boot.
|
|
|
|
endif # TFM_BL2
|
|
|
|
choice TFM_MODEL
|
|
prompt "TF-M Firmware Framework model"
|
|
default TFM_SFN if TFM_PROFILE_TYPE_SMALL
|
|
default TFM_IPC
|
|
help
|
|
The Firmware Framework M (FF-M) provides different programming models
|
|
for Secure Partitions.
|
|
|
|
config TFM_IPC
|
|
bool "IPC Model"
|
|
help
|
|
Use the IPC Model as the SPM backend for the PSA API.
|
|
The IPC model supports the IPC and SFN Partition models, and
|
|
isolation levels 1, 2 and 3.
|
|
|
|
In this model each Secure Partition processes signals in any order,
|
|
and can defer responding to a message while continuing to process
|
|
other signals.
|
|
|
|
The IPC model conforms to the PSA Firmware Framework for M (FF-M)
|
|
v1.1.
|
|
|
|
config TFM_SFN
|
|
bool "SFN model"
|
|
help
|
|
Use the SFN Model as the SPM backend for the PSA API.
|
|
The SFN model supports the SFN Partition model, and isolation level 1.
|
|
|
|
In this model each Secure Partition is made up of a collection of
|
|
callback functions which implement secure services.
|
|
|
|
The SFN model conforms to the PSA Firmware Framework for M (FF-M)
|
|
v1.1.
|
|
|
|
endchoice # TFM_MODEL
|
|
|
|
config TFM_REGRESSION_S
|
|
bool "TF-M Secure Regression tests"
|
|
help
|
|
When enabled, this option signifies that the TF-M build includes
|
|
the Secure domain regression tests.
|
|
The regression tests will be included in the TF-M secure firmware.
|
|
|
|
config TFM_REGRESSION_NS
|
|
bool "TF-M Non-Secure Regression tests"
|
|
help
|
|
When enabled, this option signifies that the TF-M build includes
|
|
the Non-Secure domain regression tests.
|
|
The regression tests will be included in the TF-M non-secure
|
|
application.
|
|
|
|
choice TFM_PSA_TEST
|
|
prompt "Enable a PSA test suite"
|
|
default TFM_PSA_TEST_NONE
|
|
|
|
config TFM_PSA_TEST_CRYPTO
|
|
bool "Crypto tests"
|
|
depends on MAIN_STACK_SIZE >= 4096
|
|
help
|
|
Enable the PSA Crypto test suite.
|
|
|
|
config TFM_PSA_TEST_PROTECTED_STORAGE
|
|
bool "Storage tests"
|
|
help
|
|
Enable the PSA Protected Storage test suite.
|
|
|
|
config TFM_PSA_TEST_INTERNAL_TRUSTED_STORAGE
|
|
bool "Internal Trusted Storage tests"
|
|
help
|
|
Enable the PSA Internal Trusted Storage test suite.
|
|
|
|
config TFM_PSA_TEST_STORAGE
|
|
bool "Storage tests"
|
|
help
|
|
Enable the PSA Storage test suite. This is a combination of the
|
|
protected storage and internal trusted storage tests.
|
|
|
|
config TFM_PSA_TEST_INITIAL_ATTESTATION
|
|
bool "Initial attestation tests"
|
|
depends on MAIN_STACK_SIZE >= 4096
|
|
select TFM_PARTITION_INITIAL_ATTESTATION
|
|
help
|
|
Enable the PSA Initial Attestation test suite.
|
|
|
|
config TFM_PSA_TEST_NONE
|
|
bool "No PSA test suite"
|
|
|
|
endchoice
|
|
|
|
if TFM_BL2
|
|
|
|
config ROM_START_OFFSET
|
|
hex "ROM Start Offset accounting for BL2 Header in the NS image"
|
|
default 0x400
|
|
help
|
|
By default BL2 header size in TF-M is 0x400. ROM_START_OFFSET
|
|
needs to be updated if TF-M switches to use a different header
|
|
size for BL2.
|
|
|
|
choice TFM_BL2_LOG_LEVEL
|
|
prompt "BL2 Log Level" if !TFM_LOG_LEVEL_SILENCE
|
|
default TFM_BL2_LOG_LEVEL_INFO
|
|
config TFM_BL2_LOG_LEVEL_DEBUG
|
|
bool "Debug"
|
|
config TFM_BL2_LOG_LEVEL_INFO
|
|
bool "Info"
|
|
config TFM_BL2_LOG_LEVEL_WARNING
|
|
bool "Warning"
|
|
config TFM_BL2_LOG_LEVEL_ERROR
|
|
bool "Error"
|
|
config TFM_BL2_LOG_LEVEL_OFF
|
|
bool "Off"
|
|
endchoice
|
|
|
|
endif # !TFM_BL2
|
|
|
|
# Option to instruct flashing a merged binary consisting of BL2 (optionally),
|
|
# TF-M (Secure), and application (Non-Secure).
|
|
config TFM_FLASH_MERGED_BINARY
|
|
bool
|
|
help
|
|
This option instructs west flash to program the combined (merged)
|
|
binary consisting of the TF-M Secure firmware image, optionally, the
|
|
BL2 image (if building with TFM_BL2 is enabled), and the Non-Secure
|
|
application firmware.
|
|
|
|
config TFM_LOG_LEVEL_SILENCE
|
|
bool "TF-M Disable secure logging"
|
|
help
|
|
Set the log level to silence for all TF-M modules (SPM, partition, etc.).
|
|
On some platforms this will release the UART from
|
|
the secure domain and reduce the uart driver's flash usage.
|
|
|
|
choice TFM_SPM_LOG_LEVEL
|
|
prompt "TF-M SPM Log Level" if !TFM_LOG_LEVEL_SILENCE
|
|
default TFM_SPM_LOG_LEVEL_INFO
|
|
config TFM_SPM_LOG_LEVEL_DEBUG
|
|
bool "Debug"
|
|
config TFM_SPM_LOG_LEVEL_INFO
|
|
bool "Info"
|
|
config TFM_SPM_LOG_LEVEL_ERROR
|
|
bool "Error"
|
|
config TFM_SPM_LOG_LEVEL_SILENCE
|
|
bool "Off"
|
|
endchoice
|
|
|
|
config TFM_EXCEPTION_INFO_DUMP
|
|
bool "TF-M exception info dump"
|
|
default y
|
|
help
|
|
On fatal errors in the secure firmware, capture info about the exception.
|
|
Print the info if the SPM log level is sufficient.
|
|
|
|
endif # BUILD_WITH_TFM
|