1# Copyright (c) 2017-2020 Linaro Limited
2# Copyright (c) 2020 Arm Limited
3# Copyright (c) 2023 Nordic Semiconductor ASA
4#
5# SPDX-License-Identifier: Apache-2.0
6#
7
8mainmenu "MCUboot configuration"
9
10comment "MCUboot-specific configuration options"
11
12# Hidden option to mark a project as MCUboot
13config MCUBOOT
14	default y
15	bool
16	select MPU_ALLOW_FLASH_WRITE if ARM_MPU
17	select USE_DT_CODE_PARTITION if HAS_FLASH_LOAD_OFFSET
18	select MCUBOOT_BOOTUTIL_LIB
19
20config BOOT_USE_MBEDTLS
21	bool
22	# Hidden option
23	default n
24	help
25	  Use mbedTLS for crypto primitives.
26
27config BOOT_USE_PSA_CRYPTO
28	bool
29	# Hidden option
30	help
31	  Hidden option set if using PSA Crypto for cryptography functionality
32
33config BOOT_USE_TINYCRYPT
34	bool
35	# Hidden option
36	default n
37	# When building for ECDSA, we use our own copy of mbedTLS, so the
38	# Zephyr one must not be enabled or the MBEDTLS_CONFIG_FILE macros
39	# will collide.
40	select MBEDTLS_PROMPTLESS if ZEPHYR_MBEDTLS_MODULE
41	help
42	  Use TinyCrypt for crypto primitives.
43
44config BOOT_USE_CC310
45	bool
46	# Hidden option
47	default n
48	# When building for ECDSA, we use our own copy of mbedTLS, so the
49	# Zephyr one must not be enabled or the MBEDTLS_CONFIG_FILE macros
50	# will collide.
51	help
52	  Use cc310 for crypto primitives.
53
54config BOOT_USE_NRF_CC310_BL
55	bool
56	default n
57
58config NRFXLIB_CRYPTO
59	bool
60	default n
61
62config NRF_CC310_BL
63	bool
64	default n
65
66menu "MCUBoot settings"
67
68config SINGLE_APPLICATION_SLOT
69	bool "Single slot bootloader"
70	default n
71	help
72	  Single image area is used for application which means that
73	  uploading a new application overwrites the one that previously
74	  occupied the area.
75
76config BOOT_IMG_HASH_ALG_SHA256_ALLOW
77	bool
78	help
79	  Hidden option set by configurations that allow SHA256
80
81config BOOT_IMG_HASH_ALG_SHA384_ALLOW
82	bool
83	help
84	  Hidden option set by configurations that allow SHA384
85
86config BOOT_IMG_HASH_ALG_SHA512_ALLOW
87	bool
88	help
89	  Hidden option set by configurations that allow SHA512
90
91choice BOOT_IMG_HASH_ALG
92	prompt "Selected image hash algorithm"
93	default BOOT_IMG_HASH_ALG_SHA256 if BOOT_IMG_HASH_ALG_SHA256_ALLOW
94	default BOOT_IMG_HASH_ALG_SHA384 if BOOT_IMG_HASH_ALG_SHA384_ALLOW
95	default BOOT_IMG_HASH_ALG_SHA512 if BOOT_IMG_HASH_ALG_SHA512_ALLOW
96	help
97	  Hash algorithm used for image verification. Selection
98	  here may be limited by other configurations, like for
99	  example selected cryptographic signature.
100
101config BOOT_IMG_HASH_ALG_SHA256
102	bool "SHA256"
103	depends on BOOT_IMG_HASH_ALG_SHA256_ALLOW
104	help
105	  SHA256 algorithm
106
107config BOOT_IMG_HASH_ALG_SHA384
108	bool "SHA384"
109	depends on BOOT_IMG_HASH_ALG_SHA384_ALLOW
110	help
111	  SHA384 algorithm
112
113config BOOT_IMG_HASH_ALG_SHA512
114	bool "SHA512"
115	depends on BOOT_IMG_HASH_ALG_SHA512_ALLOW
116	help
117	  SHA512 algorithm
118
119endchoice # BOOT_IMG_HASH_ALG
120
121choice BOOT_SIGNATURE_TYPE
122	prompt "Signature type"
123	default BOOT_SIGNATURE_TYPE_RSA
124
125config BOOT_SIGNATURE_TYPE_NONE
126	bool "No signature; use only hash check"
127	select BOOT_USE_TINYCRYPT
128	select BOOT_IMG_HASH_ALG_SHA256_ALLOW
129
130config BOOT_SIGNATURE_TYPE_RSA
131	bool "RSA signatures"
132	select BOOT_USE_MBEDTLS
133	select MBEDTLS
134	select BOOT_ENCRYPTION_SUPPORT
135	select BOOT_IMG_HASH_ALG_SHA256_ALLOW
136
137if BOOT_SIGNATURE_TYPE_RSA
138config BOOT_SIGNATURE_TYPE_RSA_LEN
139	int "RSA signature length"
140	range 2048 3072
141	default 2048
142endif
143
144config BOOT_SIGNATURE_TYPE_ECDSA_P256
145	bool "Elliptic curve digital signatures with curve P-256"
146	select BOOT_ENCRYPTION_SUPPORT
147	select BOOT_IMG_HASH_ALG_SHA256_ALLOW
148
149if BOOT_SIGNATURE_TYPE_ECDSA_P256
150choice BOOT_ECDSA_IMPLEMENTATION
151	prompt "Ecdsa implementation"
152	default BOOT_ECDSA_TINYCRYPT
153
154config BOOT_ECDSA_TINYCRYPT
155	bool "Use tinycrypt"
156	select BOOT_USE_TINYCRYPT
157
158config BOOT_ECDSA_CC310
159	bool "Use CC310"
160	depends on HAS_HW_NRF_CC310
161	select BOOT_USE_NRF_CC310_BL
162	select NRF_CC310_BL
163	select NRFXLIB_CRYPTO
164	select BOOT_USE_CC310
165endchoice # Ecdsa implementation
166endif
167
168config BOOT_SIGNATURE_TYPE_ED25519
169	bool "Edwards curve digital signatures using ed25519"
170	select BOOT_ENCRYPTION_SUPPORT
171	select BOOT_IMG_HASH_ALG_SHA256_ALLOW
172
173if BOOT_SIGNATURE_TYPE_ED25519
174choice BOOT_ED25519_IMPLEMENTATION
175	prompt "Ecdsa implementation"
176	default BOOT_ED25519_TINYCRYPT
177config BOOT_ED25519_TINYCRYPT
178	bool "Use tinycrypt"
179	select BOOT_USE_TINYCRYPT
180config BOOT_ED25519_MBEDTLS
181	bool "Use mbedTLS"
182	select BOOT_USE_MBEDTLS
183	select MBEDTLS
184endchoice
185endif
186
187endchoice
188
189config BOOT_SIGNATURE_KEY_FILE
190	string "PEM key file"
191	default "root-ec-p256.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256
192	default "root-ed25519.pem" if BOOT_SIGNATURE_TYPE_ED25519
193	default "root-rsa-3072.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=3072
194	default "root-rsa-2048.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=2048
195	default ""
196	help
197	  You can use either an absolute or a relative path. A relative path is
198	  first resolved against the directory that holds the MCUBoot KConfig
199	  configuration file; if the key file is not found there, it is resolved
200	  against the MCUBoot repository root directory.
201	  The key file is parsed by imgtool's getpub command, and a .c source with
202	  the public key information is written in a format expected by MCUboot.
203	  The default key files are the ones shipped in the MCUBoot repository and
204	  are publicly known; use your own key for anything but development.
205
206config MCUBOOT_CLEANUP_ARM_CORE
207	bool "Perform core cleanup before chain-load the application"
208	depends on CPU_CORTEX_M
209	default y
210	help
211	  This option instructs MCUboot to perform a clean-up of a set of
212	  architecture core HW registers before jumping to the application
213	  firmware. The clean-up sets these registers to their warm-reset
214	  values as specified by the architecture.
215
216	  This option is enabled by default to prevent possible problems when
217	  booting zephyr (or other) applications whereby e.g. a MPU stack guard
218	  may be initialised in RAM which is then used by the application
219	  start-up code which can cause a module fault and potentially make the
220	  module irrecoverable.
221
222config MBEDTLS_CFG_FILE
223	default "mcuboot-mbedtls-cfg.h"
224
225config BOOT_HW_KEY
226	bool "Use HW key for image verification"
227	default n
228	help
229	  Use HW key for image verification, otherwise the public key is embedded
230	  in MCUBoot. If enabled the public key is appended to the signed image
231	  and requires the hash of the public key to be provisioned to the device
232	  beforehand.
233
234config BOOT_VALIDATE_SLOT0
235	bool "Validate image in the primary slot on every boot"
236	default y
237	help
238	  If y, the bootloader attempts to validate the signature of the
239	  primary slot every boot. This adds the signature check time to
240	  every boot, but can mitigate against some changes that are
241	  able to modify the flash image itself.
242
243config BOOT_VALIDATE_SLOT0_ONCE
244	bool "Validate image in the primary slot just once after after upgrade"
245	depends on !BOOT_VALIDATE_SLOT0 && SINGLE_APPLICATION_SLOT
246	default n
247	help
248	  If y, the bootloader attempts to validate the signature of the
249	  primary slot only once after an upgrade of the main slot.
250	  It caches the result in the magic area, which makes it an insecure
251	  method. This option is useful for lowering the boot-up time on
252	  low-end devices, at the cost of a lower security level.
253	  If unsure, leave at the default value.
254
255config BOOT_PREFER_SWAP_MOVE
256	bool "Prefer the newer swap move algorithm"
257	default y if SOC_FAMILY_NORDIC_NRF
258	default y if !$(dt_nodelabel_enabled,scratch_partition)
259	help
260	  If y, the BOOT_IMAGE_UPGRADE_MODE will default to using
261	  "move" instead of "scratch".  This is a separate bool config
262	  option, because Kconfig doesn't allow defaults to be
263	  overridden in choice options.  Most devices should be using
264	  swap move.
265
266if !SINGLE_APPLICATION_SLOT
267choice BOOT_IMAGE_UPGRADE_MODE
268	prompt "Image upgrade modes"
269	default BOOT_SWAP_USING_MOVE if BOOT_PREFER_SWAP_MOVE
270	default BOOT_SWAP_USING_SCRATCH
271
272config BOOT_SWAP_USING_SCRATCH
273	bool "Swap mode that run with the scratch partition"
274	help
275	  This is the most conservative swap mode but it can work even on
276	  devices with heterogeneous flash page layout.
277
278config BOOT_UPGRADE_ONLY
279	bool "Overwrite image updates instead of swapping"
280	help
281	  If y, overwrite the primary slot with the upgrade image instead
282	  of swapping them. This prevents the fallback recovery, but
283	  uses a much simpler code path.
284
285config BOOT_SWAP_USING_MOVE
286	bool "Swap mode that can run without a scratch partition"
287	help
288	  If y, the swap upgrade is done in two steps, where first every
289	  sector of the primary slot is moved up one sector, then for
290	  each sector X in the secondary slot, it is moved to index X in
291	  the primary slot, then the sector at X+1 in the primary is
292	  moved to index X in the secondary.
293	  This allows a swap upgrade without using a scratch partition,
294	  but is currently limited to all sectors in both slots being of
295	  the same size.
296
297config BOOT_DIRECT_XIP
298	bool "Run the latest image directly from its slot"
299	help
300	  If y, mcuboot selects the newest valid image based on the image version
301	  numbers, thereafter the selected image can run directly from its slot
302	  without having to move/copy it into the primary slot. For this reason the
303	  images must be linked to be executed from the given image slot. Using this
304	  mode results in a simpler code path and smaller code size.
305
306config BOOT_RAM_LOAD
307	bool "RAM load"
308	help
309	  If y, mcuboot selects the newest valid image based on the image version
310	  numbers, thereafter the selected image is copied to RAM and executed from
311	  there. For this reason, the image has to be linked to be executed from RAM.
312	  The address that the image is copied to is specified using the load-addr
313	  argument to the imgtool.py script which writes it to the image header.
314
315config BOOT_FIRMWARE_LOADER
316	bool "Firmware loader"
317	help
318	  If y, mcuboot will have a single application slot, and the secondary
319	  slot will be for a non-upgradeable firmware loaded image (e.g. for
320	  loading firmware via Bluetooth). The main application will boot by
321	  default unless there is an error with it or the boot mode has been
322	  forced to the firmware loader.
323
324	  Note: The firmware loader image must be signed with the same signing
325	  key as the primary image.
326
327endchoice
328
329# Workaround for not being able to have commas in macro arguments
330DT_CHOSEN_Z_SRAM := zephyr,sram
331
332if BOOT_RAM_LOAD
333config BOOT_IMAGE_EXECUTABLE_RAM_START
334	hex "Boot image executable ram start"
335	default $(dt_chosen_reg_addr_hex,$(DT_CHOSEN_Z_SRAM))
336
337config BOOT_IMAGE_EXECUTABLE_RAM_SIZE
338	int "Boot image executable base size"
339	default $(dt_chosen_reg_size_int,$(DT_CHOSEN_Z_SRAM),0)
340endif
341
342config BOOT_DIRECT_XIP_REVERT
343	bool "Enable the revert mechanism in direct-xip mode"
344	depends on BOOT_DIRECT_XIP
345	default n
346	help
347	  If y, enables the revert mechanism in direct-xip similar to the one in
348	  swap mode. It requires the trailer magic to be added to the signed image.
349	  When a reboot happens without the image being confirmed at runtime, the
350	  bootloader considers the image faulty and erases it. After this it will
351	  attempt to boot the previous image. The images can also be made permanent
352	  (marked as confirmed in advance) just like in swap mode.
353
354config BOOT_BOOTSTRAP
355	bool "Bootstrap erased the primary slot from the secondary slot"
356	default n
357	help
358	  If y, enables bootstrapping support. Bootstrapping allows an erased
359	  primary slot to be initialized from a valid image in the secondary slot.
360	  If unsure, leave at the default value.
361
362config BOOT_SWAP_SAVE_ENCTLV
363	bool "Save encrypted key TLVs instead of plaintext keys in swap metadata"
364	default n
365	depends on BOOT_ENCRYPT_IMAGE
366	help
367	  If y, instead of saving the encrypted image keys in plaintext in the
368	  swap resume metadata, save the encrypted image TLVs. This should be used
369	  when there is no security mechanism protecting the data in the primary
370	  slot from being dumped. If n is selected (default), the keys are written
371	  after being decrypted from the image TLVs and could be read by an
372	  attacker who has access to the flash contents of the primary slot (eg
373	  JTAG/SWD or primary slot in external flash).
374	  If unsure, leave at the default value.
375
376endif # !SINGLE_APPLICATION_SLOT
377
378config BOOT_ENCRYPTION_SUPPORT
379	bool
380	help
381	  Hidden option used to check if image encryption is supported.
382
383config BOOT_ENCRYPT_IMAGE
384	bool "Support for encrypted image updates"
385	depends on BOOT_ENCRYPTION_SUPPORT
386	select BOOT_ENCRYPT_RSA if BOOT_SIGNATURE_TYPE_RSA
387	select BOOT_ENCRYPT_EC256 if BOOT_SIGNATURE_TYPE_ECDSA_P256
388	select BOOT_ENCRYPT_X25519 if BOOT_SIGNATURE_TYPE_ED25519
389	depends on !SINGLE_APPLICATION_SLOT || MCUBOOT_SERIAL
390	help
391	  If y, images in the secondary slot can be encrypted and are decrypted
392	  on the fly when upgrading to the primary slot, as well as encrypted
393	  back when swapping from the primary slot to the secondary slot. The
394	  encryption mechanism must match the same type as the signature type,
395	  supported types include:
396	   - RSA-OAEP (2048 bits).
397	   - ECIES using primitives described under "ECIES-P256 encryption" in
398	     docs/encrypted_images.md.
399	   - ECIES using primitives described under "ECIES-X25519 encryption"
400	     in docs/encrypted_images.md.
401
402	  Note that for single slot operation, this can still be used to allow
403	  loading encrypted images via serial recovery which are then
404	  decrypted on-the-fly without needing a second slot.
405
406config BOOT_ENCRYPT_RSA
407	bool
408	help
409	  Hidden option selecting RSA encryption.
410
411config BOOT_ENCRYPT_EC256
412	bool
413	help
414	  Hidden option selecting EC256 encryption.
415
416config BOOT_ENCRYPT_X25519
417	bool
418	help
419	  Hidden option selecting x25519 encryption.
420
421config BOOT_ENCRYPTION_KEY_FILE
422	string "Encryption key file"
423	depends on BOOT_ENCRYPT_IMAGE
424	default "enc-rsa2048-priv.pem" if BOOT_ENCRYPT_RSA
425	default "enc-ec256-priv.pem" if BOOT_ENCRYPT_EC256
426	default "enc-x25519-priv.pem" if BOOT_ENCRYPT_X25519
427	default ""
428	help
429	  You can use either an absolute or a relative path. A relative path is
430	  first resolved against the directory that holds the MCUBoot KConfig
431	  configuration file; if the key file is not found there, it is resolved
432	  against the MCUBoot repository root directory.
433	  The key file is parsed by imgtool's getpriv command, and a .c source with
434	  the private key information is written in a format expected by MCUboot.
435	  The default key files are the ones shipped in the MCUBoot repository and
436	  are publicly known; use your own key for anything but development.
437
438config BOOT_MAX_IMG_SECTORS_AUTO
439	bool "Calculate maximum sectors automatically"
440	default y
441	help
442	  If this option is enabled then the maximum number of supported sectors per image will
443	  be calculated automatically from the flash erase sizes and size of each partition for
444	  the first image.
445
446	  If this information is not available, or multiple images are used, then this option
447	  should be disabled and BOOT_MAX_IMG_SECTORS should be set instead
448
449config BOOT_MAX_IMG_SECTORS
450	int "Maximum number of sectors per image slot"
451	default 128
452	depends on !BOOT_MAX_IMG_SECTORS_AUTO
453	help
454	  This option controls the maximum number of sectors that each of
455	  the two image areas can contain. Smaller values reduce MCUboot's
456	  memory usage; larger values allow it to support larger images.
457	  If unsure, leave at the default value.
458
459config BOOT_SHARE_BACKEND_AVAILABLE
460	bool
461	default n
462	help
463	  Hidden option which indicates if there is a sharing backend available.
464
465# Workaround for not being able to have commas in macro arguments
466DT_CHOSEN_BOOTLOADER_INFO := zephyr,bootloader-info
467
468config BOOT_SHARE_BACKEND_AVAILABLE
469	bool
470	default n
471	help
472	  Hidden option which indicates if there is a sharing backend available.
473
474choice BOOT_SHARE_BACKEND
475	prompt "Shared data backend"
476	default BOOT_SHARE_BACKEND_DISABLED
477
478config BOOT_SHARE_BACKEND_DISABLED
479	bool "Disabled"
480	help
481	  No data sharing support.
482
483config BOOT_SHARE_BACKEND_RETENTION
484	bool "Retention"
485	depends on RETENTION
486	depends on $(dt_chosen_enabled,$(DT_CHOSEN_BOOTLOADER_INFO))
487	select BOOT_SHARE_BACKEND_AVAILABLE
488	help
489	  Use retention to share data with application. Requires:
490	    - Retained memory area
491	    - Retention partition of retained memory area
492	    - Chosen node "zephyr,bootloader-info" to be set to the retention
493	      partition
494
495config BOOT_SHARE_BACKEND_EXTERNAL
496	bool "External (user-provided code)"
497	select BOOT_SHARE_BACKEND_AVAILABLE
498	help
499	  Use a custom user-specified storage.
500
501endchoice
502
503menuconfig BOOT_SHARE_DATA
504	bool "Save application specific data"
505	default n
506	depends on BOOT_SHARE_BACKEND_AVAILABLE
507	help
508	  This will allow data to be shared between MCUboot and an application,
509	  it does not include any information by default.
510
511	  Note: This requires a backend to function, see
512	  BOOT_SHARE_BACKEND_RETENTION for details on using the retention
513	  subsystem as a backend.
514
515config BOOT_SHARE_DATA_BOOTINFO
516	bool "Save boot information data"
517	default n
518	depends on BOOT_SHARE_DATA
519	help
520	  This will place information about the MCUboot configuration and
521	  running application into a shared memory area.
522
523menuconfig MEASURED_BOOT
524	bool "Store the boot state/measurements in shared memory area"
525	default n
526	depends on BOOT_SHARE_BACKEND_AVAILABLE
527	help
528	  If enabled, the bootloader will store certain boot measurements such as
529	  the hash of the firmware image in a shared memory area. This data can
530	  be used later by runtime services (e.g. by a device attestation service).
531
532	  Note: This requires a backend to function, see
533	  BOOT_SHARE_BACKEND_RETENTION for details on using the retention
534	  subsystem as a backend.
535
536config MEASURED_BOOT_MAX_CBOR_SIZE
537	int "Maximum CBOR size of boot state/measurements"
538	default 64
539	range 0 256
540	depends on MEASURED_BOOT
541	help
542	  The maximum size of the CBOR message which stores boot
543	  state/measurements.
544
545choice BOOT_FAULT_INJECTION_HARDENING_PROFILE
546	prompt "Fault injection hardening profile"
547	default BOOT_FIH_PROFILE_OFF
548
549config BOOT_FIH_PROFILE_OFF
550	bool "No hardening against hardware level fault injection"
551	help
552	  No hardening in SW against hardware level fault injection: power or
553	  clock glitching, etc.
554
555config BOOT_FIH_PROFILE_LOW
556	bool "Moderate level hardening against hardware level fault injection"
557	help
558	  Moderate level hardening: Long global fail loop to avoid break out,
559	  control flow integrity check to discover discrepancy in expected code
560	  flow.
561
562config BOOT_FIH_PROFILE_MEDIUM
563	bool "Medium level hardening against hardware level fault injection"
564	help
565	  Medium level hardening: Long global fail loop to avoid break out,
566	  control flow integrity check to discover discrepancy in expected code
567	  flow, double variables to discover register or memory corruption.
568
569config BOOT_FIH_PROFILE_HIGH
570	bool "Maximum level hardening against hardware level fault injection"
571	select MBEDTLS
572	help
573	  Maximum level hardening: Long global fail loop to avoid break out,
574	  control flow integrity check to discover discrepancy in expected code
575	  flow, double variables to discover register or memory corruption, random
576	  delays to make code execution less predictable. Random delays require an
577	  entropy source.
578
579endchoice
580
581choice BOOT_USB_DFU
582	prompt "USB DFU"
583	default BOOT_USB_DFU_NO
584
585config BOOT_USB_DFU_NO
586	prompt "Disabled"
587
588config BOOT_USB_DFU_WAIT
589	bool "Wait for a prescribed duration to see if USB DFU is invoked"
590	select USB_DEVICE_STACK
591	select USB_DFU_CLASS
592	select IMG_MANAGER
593	select STREAM_FLASH
594	select MULTITHREADING
595	help
596	  If y, MCUboot waits for a prescribed duration of time to allow
597	  for USB DFU to be invoked. Please note DFU always updates the
598	  slot1 image.
599
600config BOOT_USB_DFU_GPIO
601	bool "Use GPIO to detect whether to trigger DFU mode"
602	select USB_DEVICE_STACK
603	select USB_DFU_CLASS
604	select IMG_MANAGER
605	select STREAM_FLASH
606	select MULTITHREADING
607	help
608	  If y, MCUboot uses GPIO to detect whether to invoke USB DFU.
609
610endchoice
611
612config BOOT_USB_DFU_WAIT_DELAY_MS
613	int "USB DFU wait duration"
614	depends on BOOT_USB_DFU_WAIT
615	default 12000
616	help
617	  Milliseconds to wait for USB DFU to be invoked.
618
619if BOOT_USB_DFU_GPIO
620
621config BOOT_USB_DFU_DETECT_DELAY
622	int "Serial detect pin detection delay time [ms]"
623	default 0
624	help
625	  Used to prevent the bootloader from loading on button press.
626	  Useful for powering on when using the same button as
627	  the one used to place the device in bootloader mode.
628
629endif # BOOT_USB_DFU_GPIO
630
631config BOOT_USB_DFU_NO_APPLICATION
632	bool "Stay in bootloader if no application"
633	help
634	  Allows for entering USB DFU recovery mode if there is no bootable
635	  application that the bootloader can jump to.
636
637config BOOT_USE_BENCH
638        bool "Enable benchmark code"
639        default n
640        help
641          If y, adds support for simple benchmarking that can record
642          time intervals between two calls.  The time printed depends
643          on the particular Zephyr target, and is generally ticks of a
644          specific board-specific timer.
645
646module = MCUBOOT
647module-str = MCUBoot bootloader
648source "subsys/logging/Kconfig.template.log_config"
649
650config MCUBOOT_LOG_THREAD_STACK_SIZE
651	int "Stack size for the MCUBoot log processing thread"
652	depends on LOG && !LOG_IMMEDIATE
653	default 2048 if COVERAGE_GCOV
654	default 1024 if NO_OPTIMIZATIONS
655	default 1024 if XTENSA
656	default 4096 if (X86 && X86_64)
657	default 4096 if ARM64
658	default 768
659	help
660	  Set the internal stack size for MCUBoot log processing thread.
661
662config MCUBOOT_INDICATION_LED
663	bool "Turns on LED indication when device is in DFU"
664	select GPIO
665	help
666	  The device activates the LED while in bootloader mode.
667	  mcuboot-led0 alias must be set in the device's .dts
668	  definitions for this to work.
669
670rsource "Kconfig.serial_recovery"
671
672rsource "Kconfig.firmware_loader"
673
674config BOOT_INTR_VEC_RELOC
675	bool "Relocate the interrupt vector to the application"
676	default n
677	depends on SW_VECTOR_RELAY || CPU_CORTEX_M_HAS_VTOR
678	help
679	  Relocate the interrupt vector to the application before it is started.
680	  Select this option if application requires vector relocation,
681	  but it doesn't relocate vector in its reset handler.
682
683config UPDATEABLE_IMAGE_NUMBER
684	int "Number of updateable images"
685	default 1
686	range 1 1 if SINGLE_APPLICATION_SLOT
687	help
688	  Enables support of multi image update.
689
690config BOOT_VERSION_CMP_USE_BUILD_NUMBER
691	bool "Use build number while comparing image version"
692	depends on (UPDATEABLE_IMAGE_NUMBER > 1) || BOOT_DIRECT_XIP || \
693		   BOOT_RAM_LOAD || MCUBOOT_DOWNGRADE_PREVENTION
694	help
695	  By default, the image version comparison relies only on version major,
696	  minor and revision. Enable this option to take into account the build
697	  number as well.
698
699choice BOOT_DOWNGRADE_PREVENTION_CHOICE
700	prompt "Downgrade prevention"
701	optional
702
703config MCUBOOT_DOWNGRADE_PREVENTION
704	bool "SW based downgrade prevention"
705	depends on !BOOT_DIRECT_XIP
706	help
707	  Prevent downgrades by enforcing incrementing version numbers.
708	  When this option is set, any upgrade must have greater major version
709	  or greater minor version with equal major version. This mechanism
710	  only protects against some version downgrade attacks; it does not, for
711	  example, stop an older version from being written directly over JTAG.
712
713config MCUBOOT_DOWNGRADE_PREVENTION_SECURITY_COUNTER
714	bool "Use image security counter instead of version number"
715	depends on MCUBOOT_DOWNGRADE_PREVENTION
716	depends on (BOOT_SWAP_USING_MOVE || BOOT_SWAP_USING_SCRATCH)
717	help
718       Security counter is used for version eligibility check instead of pure
719       version.  When this option is set, any upgrade must have greater or
720       equal security counter value.
721       Because of the acceptance of equal values it allows for software
722       downgrades to some extent.
723
724config MCUBOOT_HW_DOWNGRADE_PREVENTION
725	bool "HW based downgrade prevention"
726	help
727	  Prevent undesirable/malicious software downgrades. When this option is
728	  set, any upgrade must have greater or equal security counter value.
729	  Because of the acceptance of equal values it allows for software
730	  downgrade to some extent.
731
732endchoice
733
734config BOOT_WATCHDOG_FEED
735	bool "Feed the watchdog while doing swap"
736	default y if WATCHDOG
737	default y if SOC_FAMILY_NORDIC_NRF
738	imply BOOT_WATCHDOG_FEED_NRFX_WDT if SOC_FAMILY_NORDIC_NRF
739	help
740	  Enables implementation of MCUBOOT_WATCHDOG_FEED() macro which is
741	  used to feed watchdog while doing time consuming operations.
742
743config BOOT_WATCHDOG_FEED_NRFX_WDT
744	bool "Feed the watchdog using NRFX WDT directly"
745	depends on SOC_FAMILY_NORDIC_NRF
746	# for nRF nrfx based implementation is available
747	imply NRFX_WDT
748	imply NRFX_WDT0
749	imply NRFX_WDT1
750	imply NRFX_WDT30
751	imply NRFX_WDT31
752
753config BOOT_IMAGE_ACCESS_HOOKS
754	bool "Enable hooks for overriding MCUboot's native routines"
755	help
756	  Allows a project to provide procedures that override or extend
757	  MCUboot's native routines for accessing the image data and performing
758	  the image update. It is up to the project customization to add the
759	  required source files to the build.
760
761config MCUBOOT_ACTION_HOOKS
762	bool "Enable hooks for responding to MCUboot status changes"
763	help
764	  This will call a handler when the MCUboot status changes which allows
765	  for some level of user feedback, for instance to change LED status to
766	  indicate a failure, using the callback:
767	  'void mcuboot_status_change(mcuboot_status_type_t status)' where
768	  'mcuboot_status_type_t' is listed in
769	  boot/bootutil/include/bootutil/mcuboot_status.h
770
771config BOOT_DISABLE_CACHES
772	bool "Disable I/D caches before chain-loading application"
773	depends on CPU_HAS_ICACHE || CPU_HAS_DCACHE
774	default y
775	help
776	  Will flush and disable the instruction and data caches on the CPU prior to
777	  booting an application, this is required on some ARM Cortex devices and
778	  increases protection against data leakage from MCUboot to applications via
779	  these caches.
780
781config MCUBOOT_BOOT_BANNER
782	bool "Use MCUboot boot banner"
783	depends on BOOT_BANNER
784	depends on "$(APP_VERSION_EXTENDED_STRING)" != ""
785	default y
786	help
787	  Uses a MCUboot boot banner instead of the default zephyr one, which will output the
788	  MCUboot name and version, followed by the zephyr name and version.
789
790	  For example:
791
792	    *** Booting MCUboot v2.0.0-72-g8c0e36c88663 ***
793	    *** Using Zephyr OS build v3.6.0-2607-gd0be2010c31f ***
794
795config BOOT_BANNER_STRING
796        default "Using Zephyr OS build" if MCUBOOT_BOOT_BANNER
797
798config BOOT_DECOMPRESSION_SUPPORT
799	bool
800	help
801	  Hidden symbol which should be selected if a system provides decompression support.
802
803if BOOT_DECOMPRESSION_SUPPORT
804
805menuconfig BOOT_DECOMPRESSION
806	bool "Decompression"
807	help
808	  If enabled, will include support for compressed images being loaded to the secondary slot
809	  which then get decompressed into the primary slot. This mode allows the secondary slot to
810	  be smaller than primary slot which otherwise would not be allowed.
811
812if BOOT_DECOMPRESSION
813
814config BOOT_DECOMPRESSION_BUFFER_SIZE
815	int "Write buffer size"
816	range 16 16384
817	default 4096
818	help
819	  The size of a secondary buffer used for writing decompressed data to the storage device.
820
821endif # BOOT_DECOMPRESSION
822
823endif # BOOT_DECOMPRESSION_SUPPORT
824
825endmenu
826
827config MCUBOOT_DEVICE_SETTINGS
828	# Hidden selector for device-specific settings
829	bool
830	default y
831        # CPU options
832	select MCUBOOT_DEVICE_CPU_CORTEX_M0 if CPU_CORTEX_M0
833        # Enable flash page layout if available
834	select FLASH_PAGE_LAYOUT if FLASH_HAS_PAGE_LAYOUT
835	# Enable flash_map module as flash I/O back-end
836	select FLASH_MAP
837
838config MCUBOOT_DEVICE_CPU_CORTEX_M0
839	# Hidden selector for Cortex-M0 settings
840	bool
841	default n
842	select SW_VECTOR_RELAY if !CPU_CORTEX_M0_HAS_VECTOR_TABLE_REMAP
843
844comment "Zephyr configuration options"
845
846# Disabling MULTITHREADING provides a code size advantage, but
847# it requires peripheral drivers (particularly a flash driver)
848# that works properly with the option enabled.
849#
850# If you know for sure that your hardware will work, you can default
851# it to n here. Otherwise, having it on by default makes the most
852# hardware work.
853config MULTITHREADING
854	default y if BOOT_SERIAL_CDC_ACM #usb driver requires MULTITHREADING
855	default y if BOOT_USB_DFU_GPIO || BOOT_USB_DFU_WAIT
856	default n if SOC_FAMILY_NORDIC_NRF
857	default n if SOC_FAMILY_ESPRESSIF_ESP32 && MCUBOOT
858	default y
859
860config LOG_PROCESS_THREAD
861	default n # mcuboot has its own log processing thread
862
863# override USB device name
864config USB_DEVICE_PRODUCT
865	default "MCUBOOT"
866
867# use MCUboot's own log configuration
868config MCUBOOT_BOOTUTIL_LIB_OWN_LOG
869	bool
870	default n
871
872config MCUBOOT_VERIFY_IMG_ADDRESS
873	bool "Verify reset address of image in secondary slot"
874	depends on UPDATEABLE_IMAGE_NUMBER > 1
875	depends on !BOOT_ENCRYPT_IMAGE
876	depends on ARM
877	default y if BOOT_UPGRADE_ONLY
878	help
879	  Verify that the reset address in the image located in the secondary slot
880	  is contained within the corresponding primary slot. This is recommended
881	  if swapping is not used (that is, BOOT_UPGRADE_ONLY is set). If a user
882	  incorrectly uploads an update for image 1 to image 0's secondary slot
883	  MCUboot will overwrite image 0's primary slot with this image even
884	  though it will not boot. If swapping is enabled this will be handled
885	  since the image will not confirm itself. If, however, swapping is not
886	  enabled then the only mitigation is serial recovery. This feature can
887	  also be useful when BOOT_DIRECT_XIP is enabled, to ensure that the image
888	  linked at the correct address is loaded.
889
890source "Kconfig.zephyr"
891