# Configuration for the TF-M Module
# Copyright (c) 2019, 2020 Linaro Limited
# Copyright (c) 2020, 2021 Nordic Semiconductor ASA
# Copyright 2024 Arm Limited and/or its affiliates <open-source-office@arm.com>
# SPDX-License-Identifier: Apache-2.0
config ZEPHYR_TRUSTED_FIRMWARE_M_MODULE
bool
config TFM_BOARD
string
default "nxp/lpcxpresso55s69" if BOARD_LPCXPRESSO55S69_LPC55S69_CPU0_NS
default "arm/mps2/an521" if BOARD_MPS2_AN521_CPU0_NS
default "arm/mps3/corstone300/fvp" if BOARD_MPS3_CORSTONE300_FVP_NS
default "arm/mps3/corstone300/an547" if BOARD_MPS3_CORSTONE300_AN547_NS
default "arm/mps3/corstone300/an552" if BOARD_MPS3_CORSTONE300_AN552_NS
default "arm/mps3/corstone310/an555" if BOARD_MPS3_CORSTONE310_AN555_NS
default "arm/mps3/corstone310/fvp" if BOARD_MPS3_CORSTONE310_FVP_NS
default "stm/b_u585i_iot02a" if BOARD_B_U585I_IOT02A
default "stm/nucleo_l552ze_q" if BOARD_NUCLEO_L552ZE_Q
default "stm/stm32l562e_dk" if BOARD_STM32L562E_DK
default "arm/musca_b1" if BOARD_V2M_MUSCA_B1
default "arm/musca_s1" if BOARD_V2M_MUSCA_S1
default "${ZEPHYR_BASE}/modules/trusted-firmware-m/nordic/nrf9160" if SOC_NRF9160
default "${ZEPHYR_BASE}/modules/trusted-firmware-m/nordic/nrf9120" if SOC_NRF9120
default "${ZEPHYR_BASE}/modules/trusted-firmware-m/nordic/nrf5340_cpuapp" if SOC_NRF5340_CPUAPP
help
The board name used for building TFM. Building with TFM requires that
TFM has been ported to the given board/SoC.
menuconfig BUILD_WITH_TFM
bool "Build with TF-M as the Secure Execution Environment"
depends on TRUSTED_EXECUTION_NONSECURE
depends on TFM_BOARD != ""
depends on ARM_TRUSTZONE_M
select BUILD_OUTPUT_HEX
select PSA_CRYPTO_CLIENT
imply INIT_ARCH_HW_AT_BOOT
imply ARM_NONSECURE_PREEMPTIBLE_SECURE_CALLS
imply MBEDTLS
help
When enabled, this option instructs the Zephyr build process to
additionally generate a TF-M image for the Secure Execution
environment, along with the Zephyr image. The Zephyr image
itself is to be executed in the Non-Secure Processing Environment.
The required dependency on TRUSTED_EXECUTION_NONSECURE
ensures that the Zephyr image is built as a Non-Secure image. Both
TF-M and Zephyr images, as well as the veneer object file that links
them, are generated during the normal Zephyr build process.
Notes:
Building with the "/ns" BOARD variant (e.g. "mps2/an521/cpu0/ns")
ensures that CONFIG_TRUSTED_EXECUTION_NONSECURE is enabled.
By default we allow Zephyr preemptible threads to be preempted
while performing a secure function call.
if BUILD_WITH_TFM
config TFM_PROFILE
string
default "profile_small" if TFM_PROFILE_TYPE_SMALL
default "profile_medium" if TFM_PROFILE_TYPE_MEDIUM
default "profile_medium_arotless" if TFM_PROFILE_TYPE_AROTLESS
default "profile_large" if TFM_PROFILE_TYPE_LARGE
help
Build profile used to build the tfm_s image. The available values are
profile_large, profile_medium, profile_medium_arotless and
profile_small. The default profile does not need to have this
configuration set.
choice TFM_PROFILE_TYPE
prompt "TF-M build profile"
default TFM_PROFILE_TYPE_NOT_SET
help
The TF-M build profile selection. Can be empty (not set),
small, medium, ARoT-less or large. Certain profile types enable
other TF-M configuration options, namely, the IPC model and the
isolation level.
config TFM_PROFILE_TYPE_NOT_SET
bool "TF-M build profile: not set (base)"
config TFM_PROFILE_TYPE_SMALL
bool "TF-M build profile: small"
config TFM_PROFILE_TYPE_MEDIUM
bool "TF-M build profile: medium"
config TFM_PROFILE_TYPE_AROTLESS
bool "TF-M build profile: ARoT-less"
config TFM_PROFILE_TYPE_LARGE
bool "TF-M build profile: large"
endchoice
choice TFM_CMAKE_BUILD_TYPE
prompt "The build type for TFM"
default TFM_CMAKE_BUILD_TYPE_RELEASE if SPEED_OPTIMIZATIONS && BUILD_OUTPUT_STRIPPED
default TFM_CMAKE_BUILD_TYPE_MINSIZEREL if SIZE_OPTIMIZATIONS || SIZE_OPTIMIZATIONS_AGGRESSIVE
default TFM_CMAKE_BUILD_TYPE_DEBUG if DEBUG_OPTIMIZATIONS
default TFM_CMAKE_BUILD_TYPE_RELWITHDEBINFO
config TFM_CMAKE_BUILD_TYPE_RELEASE
bool "Release build"
config TFM_CMAKE_BUILD_TYPE_RELWITHDEBINFO
bool "Release build with Debug info"
config TFM_CMAKE_BUILD_TYPE_MINSIZEREL
bool "Release build, optimized for size"
config TFM_CMAKE_BUILD_TYPE_DEBUG
bool "Debug build"
endchoice
config TFM_ISOLATION_LEVEL
int "Isolation level setting." if (TFM_PROFILE_TYPE_NOT_SET && TFM_IPC)
range 1 3
default 1 if TFM_PROFILE_TYPE_SMALL || !TFM_IPC
default 2 if TFM_PROFILE_TYPE_MEDIUM
default 3 if TFM_PROFILE_TYPE_LARGE
help
Manually set the required TF-M isolation level. Possible values are
1, 2 or 3; the default is set by the build configuration. When a TF-M
profile is selected, manual setting of the isolation level is not
allowed, as it is determined by the profile setting.
As isolation levels 2 and 3 require PSA_API (TFM_IPC) support,
level 1 is forced when TFM_IPC is not enabled.
Level 1 isolates the Secure Processing Environment from the
Non-Secure Processing Environment only; levels 2 and 3 add isolation
inside the secure side.
config TFM_ITS_NUM_ASSETS_OVERRIDE
bool "Override maximum number of Internal Trusted Storage assets"
help
Override the platform's default maximum number of assets to be stored in
Internal Trusted Storage (ITS) with TFM_ITS_NUM_ASSETS.
config TFM_ITS_NUM_ASSETS
int "Maximum number of Internal Trusted Storage assets"
depends on TFM_ITS_NUM_ASSETS_OVERRIDE
default 0
help
Maximum number of assets to be stored in Internal Trusted Storage (ITS).
config TFM_ITS_MAX_ASSET_SIZE_OVERRIDE
bool "Override maximum Internal Trusted Storage asset size"
help
Override the platform's default maximum size of a single asset to be
stored in Internal Trusted Storage (ITS) with TFM_ITS_MAX_ASSET_SIZE.
config TFM_ITS_MAX_ASSET_SIZE
int "Maximum Internal Trusted Storage asset size"
depends on TFM_ITS_MAX_ASSET_SIZE_OVERRIDE
default 0
help
Maximum size (in bytes) of a single asset to be stored in Internal Trusted
Storage (ITS).
config TFM_PARTITION_PLATFORM_CUSTOM_REBOOT
bool "Use custom reboot handler"
depends on TFM_PARTITION_PLATFORM
help
Do not include the default Zephyr implementation that calls the TF-M
platform reset service.
Instead, the application must override the weak ARM
implementation of sys_arch_reset().
config TFM_DUMMY_PROVISIONING
bool "Provision with dummy values. NOT to be used in production"
select TFM_INITIAL_ATTESTATION_KEY
default y
help
If this option is enabled (as it is by default), a set of dummy
keys / data will be provisioned. The dummy IAK matches the IAK tested
by the TF-M tests, and the dummy bl2 ROTPKs match the dummy bl2 keys
used by default.
This option MUST NOT be used on production hardware, as the dummy keys
are publicly available and therefore insecure. Because the option
defaults to y, production builds must disable it explicitly.
config TFM_INITIAL_ATTESTATION_KEY
bool
help
Hidden option to mark that the TF-M platform has an initial
attestation key, which is a requirement for the Initial Attestation
partition.
config TFM_BL2_NOT_SUPPORTED
bool
help
Hidden option to mark the BL2, the MCUBoot included in TF-M, as not supported.
Platforms that don't use BL2 should select this option.
config TFM_IMAGE_VERSION_S
string "Version of the Secure Image"
default "$(APP_VERSION_TWEAK_STRING)" if "$(VERSION_MAJOR)" != "" && TFM_MCUBOOT_IMAGE_NUMBER = 1
default "0.0.0+0"
help
Version of the secure image. This version is also used for merged
secure + non-secure builds (TFM_MCUBOOT_IMAGE_NUMBER == 1).
config TFM_IMAGE_VERSION_NS
string "Version of the Non-Secure Image"
default "$(APP_VERSION_TWEAK_STRING)" if "$(VERSION_MAJOR)" != "" && TFM_MCUBOOT_IMAGE_NUMBER = 2
default "0.0.0+0"
help
Version of the non-secure image.
config TFM_BL2
bool "Add MCUboot to TFM"
depends on !TFM_BL2_NOT_SUPPORTED
default y
help
TFM is designed to run with MCUboot in a certain configuration.
This config adds MCUboot to the build - built via TFM's build system.
config TFM_USE_NS_APP
bool "Use the TF-M Non-Secure application"
help
The TF-M build system can produce multiple executable files.
The main one is the TF-M secure firmware. Optionally the TF-M
non-secure application can be built.
Usually the TF-M non-secure application is not used since the
zephyr application is the non-secure application.
With this option enabled this is reversed and the TF-M non-secure
application is used instead of the Zephyr non-secure application.
This option is intended for testing purposes only, since this is the
easiest way to integrate and run the TF-M regression tests in the
zephyr build system.
config TFM_CONNECTION_BASED_SERVICE_API
bool "TF-M use connection based service APIs"
help
The TF-M build system produces an interface source file for accessing
connection based services.
Select this option when the TF-M service model requires this source file.
Note: This is an auto-generated configuration in the TF-M build
system. When this option is not enabled in the TF-M build system this
will result in a compilation error.
if TFM_BL2
config TFM_IMAGE_SECURITY_COUNTER
int "Security counter value used for hardware rollback protection"
range 1 1024
default 1
help
By default, TFM enables hardware rollback protection, which requires a security counter
to be embedded in the image trailer. As per "Hardware-based downgrade prevention" in
mcuboot/docs/design.md, this does not need to be incremented on every firmware update,
but hardware rollback protection will only apply when this value is incremented.
config TFM_MCUBOOT_SIGNATURE_TYPE
string "The signature type used to sign the secure and non-secure firmware images."
default "EC-P256"
help
Available types: RSA-2048, RSA-3072, EC-P256, EC-P384.
config TFM_KEY_FILE_S
string "Path to private key used to sign secure firmware images."
default "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/bl2/ext/mcuboot/root-${CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE}.pem"
help
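The path and filename for the .pem file containing the private key
that is used to sign secure firmware images, which the BL2 bootloader
then verifies. This key file is also used for merged secure +
non-secure builds (TFM_MCUBOOT_IMAGE_NUMBER == 1).
The default points to a key shipped in the TF-M source tree, which is
public; use a privately generated key for production images.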
config TFM_KEY_FILE_NS
string "Path to private key used to sign non-secure firmware images."
default "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/bl2/ext/mcuboot/root-${CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE}_1.pem"
help
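The path and filename for the .pem file containing the private key
that is used to sign non-secure firmware images, which the BL2
bootloader then verifies.
The default points to a key shipped in the TF-M source tree, which is
public; use a privately generated key for production images.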
config TFM_MCUBOOT_IMAGE_NUMBER
int "Granularity of FW updates of TFM and app"
range 1 2
default 2
help
How many images the bootloader sees when it looks at TFM and the app.
When this is 1, the S and NS are considered as 1 image and must be
updated in one atomic operation. When this is 2, they are split and
can be updated independently if dependency requirements are met.
choice TFM_MCUBOOT_PATH
prompt "Path to MCUboot or DOWNLOAD to fetch automatically"
default TFM_MCUBOOT_PATH_LOCAL
help
Path to MCUboot for TF-M builds. The default option
is to use Zephyr's MCUboot module. As an alternative,
users may switch to the 'download' version; in that
case MCUboot will be fetched by the TF-M build during
build time. The default option ensures that Zephyr builds
with TF-M do not fetch external trees.
config TFM_MCUBOOT_PATH_LOCAL
bool "TF-M to use Zephyr's MCUboot"
help
TF-M builds with BL2 will use the Zephyr's MCUboot version,
which is present in the MCUboot module.
config TFM_MCUBOOT_PATH_DOWNLOAD
bool "TF-M to automatically download MCUboot during build"
help
TF-M builds with BL2 will let the TF-M build system automatically
fetch and check out the MCUboot version to use in the build.
endchoice
config TFM_QCBOR_PATH
string
prompt "Path to QCBOR or DOWNLOAD to fetch automatically"
default ""
help
Path to QCBOR for TF-M builds. Due to a license issue, Zephyr does
not ship with this library.
If the application still wishes to use it, this option can point
to a local checkout of the library, or be set to DOWNLOAD to allow
the TF-M build system to download it automatically.
config TFM_MCUBOOT_DATA_SHARING
bool "Share app-specific data between TF-M and MCUBoot"
help
Add sharing of application specific data using the same
shared data area as for the measured boot.
endif # TFM_BL2
choice TFM_MODEL
prompt "TF-M Firmware Framework model"
default TFM_SFN if TFM_PROFILE_TYPE_SMALL
default TFM_IPC
help
The Firmware Framework M (FF-M) provides different programming models
for Secure Partitions.
config TFM_IPC
bool "IPC Model"
help
Use the IPC Model as the SPM backend for the PSA API.
The IPC model supports the IPC and SFN Partition models, and
isolation levels 1, 2 and 3.
In this model each Secure Partition processes signals in any order,
and can defer responding to a message while continuing to process
other signals.
The IPC model conforms to the PSA Firmware Framework for M (FF-M)
v1.1.
config TFM_SFN
bool "SFN model"
help
Use the SFN Model as the SPM backend for the PSA API.
The SFN model supports the SFN Partition model, and isolation level 1.
In this model each Secure Partition is made up of a collection of
callback functions which implement secure services.
The SFN model conforms to the PSA Firmware Framework for M (FF-M)
v1.1.
endchoice # TFM_MODEL
config TFM_REGRESSION_S
bool "TF-M Secure Regression tests"
help
When enabled, this option signifies that the TF-M build includes
the Secure domain regression tests.
The regression tests will be included in the TF-M secure firmware.
config TFM_REGRESSION_NS
bool "TF-M Non-Secure Regression tests"
help
When enabled, this option signifies that the TF-M build includes
the Non-Secure domain regression tests.
The regression tests will be included in the TF-M non-secure
application.
choice TFM_PSA_TEST
prompt "Enable a PSA test suite"
default TFM_PSA_TEST_NONE
config TFM_PSA_TEST_CRYPTO
bool "Crypto tests"
depends on MAIN_STACK_SIZE >= 4096
help
Enable the PSA Crypto test suite.
config TFM_PSA_TEST_PROTECTED_STORAGE
bool "Protected Storage tests"
help
Enable the PSA Protected Storage test suite.
config TFM_PSA_TEST_INTERNAL_TRUSTED_STORAGE
bool "Internal Trusted Storage tests"
help
Enable the PSA Internal Trusted Storage test suite.
config TFM_PSA_TEST_STORAGE
bool "Storage tests"
help
Enable the PSA Storage test suite. This is a combination of the
protected storage and internal trusted storage tests.
config TFM_PSA_TEST_INITIAL_ATTESTATION
bool "Initial attestation tests"
depends on MAIN_STACK_SIZE >= 4096
select TFM_PARTITION_INITIAL_ATTESTATION
help
Enable the PSA Initial Attestation test suite.
config TFM_PSA_TEST_NONE
bool "No PSA test suite"
endchoice
if TFM_BL2
config ROM_START_OFFSET
hex "ROM Start Offset accounting for BL2 Header in the NS image"
default 0x400
help
By default BL2 header size in TF-M is 0x400. ROM_START_OFFSET
needs to be updated if TF-M switches to use a different header
size for BL2.
choice TFM_BL2_LOG_LEVEL
prompt "BL2 Log Level" if !TFM_LOG_LEVEL_SILENCE
default TFM_BL2_LOG_LEVEL_INFO
config TFM_BL2_LOG_LEVEL_DEBUG
bool "Debug"
config TFM_BL2_LOG_LEVEL_INFO
bool "Info"
config TFM_BL2_LOG_LEVEL_WARNING
bool "Warning"
config TFM_BL2_LOG_LEVEL_ERROR
bool "Error"
config TFM_BL2_LOG_LEVEL_OFF
bool "Off"
endchoice
endif # TFM_BL2
# Option to instruct flashing a merged binary consisting of BL2 (optionally),
# TF-M (Secure), and application (Non-Secure).
config TFM_FLASH_MERGED_BINARY
bool
help
This option instructs west flash to program the combined (merged)
binary consisting of the TF-M Secure firmware image, optionally, the
BL2 image (if building with TFM_BL2 is enabled), and the Non-Secure
application firmware.
config TFM_LOG_LEVEL_SILENCE
bool "TF-M Disable secure logging"
help
Set the log level to silence for all TF-M modules (SPM, partition, etc.).
On some platforms this will release the UART from
the secure domain and reduce the UART driver's flash usage.
choice TFM_SPM_LOG_LEVEL
prompt "TF-M SPM Log Level" if !TFM_LOG_LEVEL_SILENCE
default TFM_SPM_LOG_LEVEL_INFO
config TFM_SPM_LOG_LEVEL_DEBUG
bool "Debug"
config TFM_SPM_LOG_LEVEL_INFO
bool "Info"
config TFM_SPM_LOG_LEVEL_ERROR
bool "Error"
config TFM_SPM_LOG_LEVEL_SILENCE
bool "Off"
endchoice
config TFM_EXCEPTION_INFO_DUMP
bool "TF-M exception info dump"
default y
help
On fatal errors in the secure firmware, capture info about the exception.
Print the info if the SPM log level is sufficient.
endif # BUILD_WITH_TFM