| # Configuration for the TF-M Module |
| |
| # Copyright (c) 2019, 2020 Linaro Limited |
| # Copyright (c) 2020, 2021 Nordic Semiconductor ASA |
| # Copyright 2024 Arm Limited and/or its affiliates <open-source-office@arm.com> |
| # SPDX-License-Identifier: Apache-2.0 |
| |
| config ZEPHYR_TRUSTED_FIRMWARE_M_MODULE |
| bool |
| |
| config TFM_BOARD |
| string |
| default "nxp/lpcxpresso55s69" if BOARD_LPCXPRESSO55S69_LPC55S69_CPU0_NS |
| default "arm/mps2/an521" if BOARD_MPS2_AN521_CPU0_NS |
| default "arm/mps3/corstone300/fvp" if BOARD_MPS3_CORSTONE300_FVP_NS |
| default "arm/mps3/corstone300/an547" if BOARD_MPS3_CORSTONE300_AN547_NS |
| default "arm/mps3/corstone300/an552" if BOARD_MPS3_CORSTONE300_AN552_NS |
| default "arm/mps3/corstone310/an555" if BOARD_MPS3_CORSTONE310_AN555_NS |
| default "arm/mps3/corstone310/fvp" if BOARD_MPS3_CORSTONE310_FVP_NS |
| default "stm/b_u585i_iot02a" if BOARD_B_U585I_IOT02A |
| default "stm/nucleo_l552ze_q" if BOARD_NUCLEO_L552ZE_Q |
| default "stm/stm32l562e_dk" if BOARD_STM32L562E_DK |
| default "arm/musca_b1" if BOARD_V2M_MUSCA_B1 |
| default "arm/musca_s1" if BOARD_V2M_MUSCA_S1 |
| default "${ZEPHYR_BASE}/modules/trusted-firmware-m/nordic/nrf9160" if SOC_NRF9160 |
| default "${ZEPHYR_BASE}/modules/trusted-firmware-m/nordic/nrf9120" if SOC_NRF9120 |
| default "${ZEPHYR_BASE}/modules/trusted-firmware-m/nordic/nrf5340_cpuapp" if SOC_NRF5340_CPUAPP |
| help |
| The board name used for building TFM. Building with TFM requires that |
| TFM has been ported to the given board/SoC. |
| |
| menuconfig BUILD_WITH_TFM |
| bool "Build with TF-M as the Secure Execution Environment" |
| depends on TRUSTED_EXECUTION_NONSECURE |
| depends on TFM_BOARD != "" |
| depends on ARM_TRUSTZONE_M |
| select BUILD_OUTPUT_HEX |
| select PSA_CRYPTO_CLIENT |
| imply INIT_ARCH_HW_AT_BOOT |
| imply ARM_NONSECURE_PREEMPTIBLE_SECURE_CALLS |
| imply MBEDTLS |
| help |
| When enabled, this option instructs the Zephyr build process to |
| additionally generate a TF-M image for the Secure Execution |
| environment, along with the Zephyr image. The Zephyr image |
| itself is to be executed in the Non-Secure Processing Environment. |
| The required dependency on TRUSTED_EXECUTION_NONSECURE |
| ensures that the Zephyr image is built as a Non-Secure image. Both |
| TF-M and Zephyr images, as well as the veneer object file that links |
| them, are generated during the normal Zephyr build process. |
| |
| Notes: |
| Building with the "/ns" BOARD variant (e.g. "mps2/an521/cpu0/ns") |
| ensures that CONFIG_TRUSTED_EXECUTION_NONSECURE is enabled. |
| |
| By default we allow Zephyr preemptible threads be preempted |
| while performing a secure function call. |
| |
| if BUILD_WITH_TFM |
| |
| config TFM_PROFILE |
| string |
| default "profile_small" if TFM_PROFILE_TYPE_SMALL |
| default "profile_medium" if TFM_PROFILE_TYPE_MEDIUM |
| default "profile_medium_arotless" if TFM_PROFILE_TYPE_AROTLESS |
| default "profile_large" if TFM_PROFILE_TYPE_LARGE |
| help |
| Build profile used to build tfm_s image. The available values are |
| profile_large, profile_medium and profile_small. The default profile |
| does not need to have this configuration set. |
| |
| choice TFM_PROFILE_TYPE |
| prompt "TF-M build profile" |
| default TFM_PROFILE_TYPE_NOT_SET |
| help |
| The TF-M build profile selection. Can be empty (not set), |
| small, medium or large. Certain profile types enable other |
| TF-M configuration options, namely, the IPC model and the |
| isolation level. |
| |
| config TFM_PROFILE_TYPE_NOT_SET |
| bool "TF-M build profile: not set (base)" |
| |
| config TFM_PROFILE_TYPE_SMALL |
| bool "TF-M build profile: small" |
| |
| config TFM_PROFILE_TYPE_MEDIUM |
| bool "TF-M build profile: medium" |
| |
| config TFM_PROFILE_TYPE_AROTLESS |
| bool "TF-M build profile: ARoT-less" |
| |
| config TFM_PROFILE_TYPE_LARGE |
| bool "TF-M build profile: large" |
| |
| endchoice |
| |
| choice TFM_CMAKE_BUILD_TYPE |
| prompt "The build type for TFM" |
| default TFM_CMAKE_BUILD_TYPE_RELEASE if SPEED_OPTIMIZATIONS && BUILD_OUTPUT_STRIPPED |
| default TFM_CMAKE_BUILD_TYPE_MINSIZEREL if SIZE_OPTIMIZATIONS || SIZE_OPTIMIZATIONS_AGGRESSIVE |
| default TFM_CMAKE_BUILD_TYPE_DEBUG if DEBUG_OPTIMIZATIONS |
| default TFM_CMAKE_BUILD_TYPE_RELWITHDEBINFO |
| |
| config TFM_CMAKE_BUILD_TYPE_RELEASE |
| bool "Release build" |
| |
| config TFM_CMAKE_BUILD_TYPE_RELWITHDEBINFO |
| bool "Release build with Debug info" |
| |
| config TFM_CMAKE_BUILD_TYPE_MINSIZEREL |
| bool "Release build, optimized for size" |
| |
| config TFM_CMAKE_BUILD_TYPE_DEBUG |
| bool "Debug build" |
| |
| endchoice |
| |
| config TFM_ISOLATION_LEVEL |
| int "Isolation level setting." if (TFM_PROFILE_TYPE_NOT_SET && TFM_IPC) |
| range 1 3 |
| default 1 if TFM_PROFILE_TYPE_SMALL || !TFM_IPC |
| default 2 if TFM_PROFILE_TYPE_MEDIUM |
| default 3 if TFM_PROFILE_TYPE_LARGE |
| help |
| Manually set the required TFM isolation level. Possible values are |
| 1,2 or 3; the default is set by build configuration. When TF-M |
| Profile option is supplied, do not allow manual setting of the |
| isolation level, as it is determined by the profile setting. |
| As isolation levels 2 and 3 require PSA_API (TFM_IPC) support, |
| force level 1 when TFM_IPC is not enabled. |
| |
| config TFM_ITS_NUM_ASSETS_OVERRIDE |
| bool "Override maximum number of Internal Trusted Storage assets" |
| help |
| Override the platform's default maximum number of assets to be stored in |
| Internal Trusted Storage (ITS) with TFM_ITS_NUM_ASSETS. |
| |
| config TFM_ITS_NUM_ASSETS |
| int "Maximum number of Internal Trusted Storage assets" |
| depends on TFM_ITS_NUM_ASSETS_OVERRIDE |
| default 0 |
| help |
| Maximum number of assets to be stored in Internal Trusted Storage (ITS). |
| |
| config TFM_ITS_MAX_ASSET_SIZE_OVERRIDE |
| bool "Override maximum Internal Trusted Storage asset size" |
| help |
| Override the platform's default maximum size of a single asset to be |
| stored in Internal Trusted Storage (ITS) with TFM_ITS_MAX_ASSET_SIZE. |
| |
| config TFM_ITS_MAX_ASSET_SIZE |
| int "Maximum Internal Trusted Storage asset size" |
| depends on TFM_ITS_MAX_ASSET_SIZE_OVERRIDE |
| default 0 |
| help |
| Maximum size (in bytes) of a single asset to be stored in Internal Trusted |
| Storage (ITS). |
| |
| config TFM_PARTITION_PLATFORM_CUSTOM_REBOOT |
| bool "Use custom reboot handler" |
| depends on TFM_PARTITION_PLATFORM |
| help |
| Do not include the default zephyr implementation of calling the TF-M |
| platform reset service. |
| Instead the application will have to override the weak ARM |
| implementation of sys_arch_reset(). |
| |
| config TFM_DUMMY_PROVISIONING |
| bool "Provision with dummy values. NOT to be used in production" |
| select TFM_INITIAL_ATTESTATION_KEY |
| default y |
| help |
| If this option is enabled (as it is by default), a set of dummy |
| keys / data will be provisioned. The dummy IAK matches the IAK tested |
| by the TF-M tests, and the dummy bl2 ROTPKs match the dummy bl2 keys |
| used by default. |
| This option MUST not be used in production hardware, as the keys are |
| insecure. |
| |
| config TFM_INITIAL_ATTESTATION_KEY |
| bool |
| help |
| Hidden option to mark that the TF-M platform has an initial |
| attestation key, which is a requirement for the Initial Attestation |
| partition. |
| |
| config TFM_BL2_NOT_SUPPORTED |
| bool |
| help |
| Hidden option to mark the BL2, the MCUBoot included in TF-M, as not supported. |
| Platforms that don't use BL2 should select this option. |
| |
| config TFM_IMAGE_VERSION_S |
| string "Version of the Secure Image" |
| default "$(APP_VERSION_TWEAK_STRING)" if "$(VERSION_MAJOR)" != "" && TFM_MCUBOOT_IMAGE_NUMBER = 1 |
| default "0.0.0+0" |
| help |
| Version of the secure image. This version is also used for merged |
| secure + non-secure builds (TFM_MCUBOOT_IMAGE_NUMBER == 1). |
| |
| config TFM_IMAGE_VERSION_NS |
| string "Version of the Non-Secure Image" |
| default "$(APP_VERSION_TWEAK_STRING)" if "$(VERSION_MAJOR)" != "" && TFM_MCUBOOT_IMAGE_NUMBER = 2 |
| default "0.0.0+0" |
| help |
| Version of the non-secure image. |
| |
| config TFM_BL2 |
| bool "Add MCUboot to TFM" |
| depends on !TFM_BL2_NOT_SUPPORTED |
| default y |
| help |
| TFM is designed to run with MCUboot in a certain configuration. |
| This config adds MCUboot to the build - built via TFM's build system. |
| |
| config TFM_USE_NS_APP |
| bool "Use the TF-M Non-Secure application" |
| help |
| The TF-M build system can produce multiple executable files. |
| The main one is the TF-M secure firmware. Optionally the TF-M |
| non-secure application can be built. |
| Usually the TF-M non-secure application is not used since the |
| zephyr application is the non-secure application. |
| With this option enabled this is reversed and the TF-M non-secure |
| application is used instead of the Zephyr non-secure application. |
| |
| This option is intended for testing purposes only, since this is the |
| easiest way to integrate and run the TF-M regression tests in the |
| zephyr build system. |
| |
| config TFM_CONNECTION_BASED_SERVICE_API |
| bool "TF-M use connection based service APIs" |
| help |
| The TF-M build system produces an interface source file for accessing |
| connection based services. |
| Select this option when TF-M service models requires this source file. |
| |
| Note: This is an auto-generated configuration in the TF-M build |
| system. When this option is not enabled in the TF-M build system this |
| will result in compilation error. |
| |
| if TFM_BL2 |
| |
| config TFM_IMAGE_SECURITY_COUNTER |
| int "Security counter value used for hardware rollback protection" |
| range 1 1024 |
| default 1 |
| help |
| By default, TFM enables hardware rollback protection, which requires a security counter |
| to be embedded in the image trailer. As per "Hardware-based downgrade prevention" in |
| mcuboot/docs/design.md, this does not need to be incremented on every firmware update, |
| but hardware rollback protection will only apply when this value is incremented. |
| |
| config TFM_MCUBOOT_SIGNATURE_TYPE |
| string "The signature type used to sign the secure and non-secure firmware images." |
| default "EC-P256" |
| help |
| Available types: RSA-2048, RSA-3072, EC-P256, EC-P384. |
| |
| config TFM_KEY_FILE_S |
| string "Path to private key used to sign secure firmware images." |
| default "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/bl2/ext/mcuboot/root-${CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE}.pem" |
| help |
| The path and filename for the .pem file containing the private key |
| that should be used by the BL2 bootloader when signing secure |
| firmware images. This key file is also used for merged secure + |
| non-secure builds (TFM_MCUBOOT_IMAGE_NUMBER == 1). |
| |
| config TFM_KEY_FILE_NS |
| string "Path to private key used to sign non-secure firmware images." |
| default "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/bl2/ext/mcuboot/root-${CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE}_1.pem" |
| help |
| The path and filename for the .pem file containing the private key |
| that should be used by the BL2 bootloader when signing non-secure |
| firmware images. |
| |
| config TFM_MCUBOOT_IMAGE_NUMBER |
| int "Granularity of FW updates of TFM and app" |
| range 1 2 |
| default 2 |
| help |
| How many images the bootloader sees when it looks at TFM and the app. |
| When this is 1, the S and NS are considered as 1 image and must be |
| updated in one atomic operation. When this is 2, they are split and |
| can be updated independently if dependency requirements are met. |
| |
| choice TFM_MCUBOOT_PATH |
| prompt "Path to MCUboot or DOWNLOAD to fetch automatically" |
| default TFM_MCUBOOT_PATH_LOCAL |
| help |
| Path to MCUboot for TF-M builds. The default option |
| is to use Zephyr's MCUboot module. As an alternative, |
| users may switch to the 'download' version; in that |
| case MCUboot will be fetched by the TF-M build during |
| build time. The default option ensures that Zephyr builds |
| with TF-M do not fetch external trees. |
| |
| config TFM_MCUBOOT_PATH_LOCAL |
| bool "TF-M to use Zephyr's MCUboot" |
| help |
| TF-M builds with BL2 will use the Zephyr's MCUboot version, |
| which is present in the MCUboot module. |
| |
| config TFM_MCUBOOT_PATH_DOWNLOAD |
| bool "TF-M to automatically download MCUboot during build" |
| help |
| TF-M builds with BL2 will let the TF-M build to automatically |
| fetch and check-out the MCUboot version to use in the build. |
| |
| endchoice |
| |
| config TFM_QCBOR_PATH |
| string |
| prompt "Path to QCBOR or DOWNLOAD to fetch automatically" |
| default "" |
| help |
| Path to QCBOR for TF-M builds. Due to a license issue with this |
| library Zephyr does not ship with this library. |
| If the application wishes to still use this library they can point |
| to their own checkout of this library, or set to DOWNLOAD to allow |
| TF-M build system to automatically download this. |
| |
| config TFM_MCUBOOT_DATA_SHARING |
| bool "Share app-specific data between TF-M and MCUBoot" |
| help |
| Add sharing of application specific data using the same |
| shared data area as for the measured boot. |
| |
| endif # TFM_BL2 |
| |
| choice TFM_MODEL |
| prompt "TF-M Firmware Framework model" |
| default TFM_SFN if TFM_PROFILE_TYPE_SMALL |
| default TFM_IPC |
| help |
| The Firmware Framework M (FF-M) provides different programming models |
| for Secure Partitions. |
| |
| config TFM_IPC |
| bool "IPC Model" |
| help |
| Use the IPC Model as the SPM backend for the PSA API. |
| The IPC model supports the IPC and SFN Partition models, and |
| isolation levels 1, 2 and 3. |
| |
| In this model each Secure Partition processes signals in any order, |
| and can defer responding to a message while continuing to process |
| other signals. |
| |
| The IPC model conforms to the PSA Firmware Framework for M (FF-M) |
| v1.1. |
| |
| config TFM_SFN |
| bool "SFN model" |
| help |
| Use the SFN Model as the SPM backend for the PSA API. |
| The SFN model supports the SFN Partition model, and isolation level 1. |
| |
| In this model each Secure Partition is made up of a collection of |
| callback functions which implement secure services. |
| |
| The SFN model conforms to the PSA Firmware Framework for M (FF-M) |
| v1.1. |
| |
| endchoice # TFM_MODEL |
| |
| config TFM_REGRESSION_S |
| bool "TF-M Secure Regression tests" |
| help |
| When enabled, this option signifies that the TF-M build includes |
| the Secure domain regression tests. |
| The regression tests will be included in the TF-M secure firmware. |
| |
| config TFM_REGRESSION_NS |
| bool "TF-M Non-Secure Regression tests" |
| help |
| When enabled, this option signifies that the TF-M build includes |
| the Non-Secure domain regression tests. |
| The regression tests will be included in the TF-M non-secure |
| application. |
| |
| choice TFM_PSA_TEST |
| prompt "Enable a PSA test suite" |
| default TFM_PSA_TEST_NONE |
| |
| config TFM_PSA_TEST_CRYPTO |
| bool "Crypto tests" |
| depends on MAIN_STACK_SIZE >= 4096 |
| help |
| Enable the PSA Crypto test suite. |
| |
| config TFM_PSA_TEST_PROTECTED_STORAGE |
| bool "Storage tests" |
| help |
| Enable the PSA Protected Storage test suite. |
| |
| config TFM_PSA_TEST_INTERNAL_TRUSTED_STORAGE |
| bool "Internal Trusted Storage tests" |
| help |
| Enable the PSA Internal Trusted Storage test suite. |
| |
| config TFM_PSA_TEST_STORAGE |
| bool "Storage tests" |
| help |
| Enable the PSA Storage test suite. This is a combination of the |
| protected storage and internal trusted storage tests. |
| |
| config TFM_PSA_TEST_INITIAL_ATTESTATION |
| bool "Initial attestation tests" |
| depends on MAIN_STACK_SIZE >= 4096 |
| select TFM_PARTITION_INITIAL_ATTESTATION |
| help |
| Enable the PSA Initial Attestation test suite. |
| |
| config TFM_PSA_TEST_NONE |
| bool "No PSA test suite" |
| |
| endchoice |
| |
| if TFM_BL2 |
| |
| config ROM_START_OFFSET |
| hex "ROM Start Offset accounting for BL2 Header in the NS image" |
| default 0x400 |
| help |
| By default BL2 header size in TF-M is 0x400. ROM_START_OFFSET |
| needs to be updated if TF-M switches to use a different header |
| size for BL2. |
| |
| choice TFM_BL2_LOG_LEVEL |
| prompt "BL2 Log Level" if !TFM_LOG_LEVEL_SILENCE |
| default TFM_BL2_LOG_LEVEL_INFO |
| config TFM_BL2_LOG_LEVEL_DEBUG |
| bool "Debug" |
| config TFM_BL2_LOG_LEVEL_INFO |
| bool "Info" |
| config TFM_BL2_LOG_LEVEL_WARNING |
| bool "Warning" |
| config TFM_BL2_LOG_LEVEL_ERROR |
| bool "Error" |
| config TFM_BL2_LOG_LEVEL_OFF |
| bool "Off" |
| endchoice |
| |
| endif # !TFM_BL2 |
| |
| # Option to instruct flashing a merged binary consisting of BL2 (optionally), |
| # TF-M (Secure), and application (Non-Secure). |
| config TFM_FLASH_MERGED_BINARY |
| bool |
| help |
| This option instructs west flash to program the combined (merged) |
| binary consisting of the TF-M Secure firmware image, optionally, the |
| BL2 image (if building with TFM_BL2 is enabled), and the Non-Secure |
| application firmware. |
| |
| config TFM_LOG_LEVEL_SILENCE |
| bool "TF-M Disable secure logging" |
| help |
| Set the log level to silence for all TF-M modules (SPM, partition, etc.). |
| On some platforms this will release the UART from |
| the secure domain and reduce the uart driver's flash usage. |
| |
| choice TFM_SPM_LOG_LEVEL |
| prompt "TF-M SPM Log Level" if !TFM_LOG_LEVEL_SILENCE |
| default TFM_SPM_LOG_LEVEL_INFO |
| config TFM_SPM_LOG_LEVEL_DEBUG |
| bool "Debug" |
| config TFM_SPM_LOG_LEVEL_INFO |
| bool "Info" |
| config TFM_SPM_LOG_LEVEL_ERROR |
| bool "Error" |
| config TFM_SPM_LOG_LEVEL_SILENCE |
| bool "Off" |
| endchoice |
| |
| config TFM_EXCEPTION_INFO_DUMP |
| bool "TF-M exception info dump" |
| default y |
| help |
| On fatal errors in the secure firmware, capture info about the exception. |
| Print the info if the SPM log level is sufficient. |
| |
| endif # BUILD_WITH_TFM |