1# Copyright (c) 2017-2020 Linaro Limited
2# Copyright (c) 2020 Arm Limited
3#
4# SPDX-License-Identifier: Apache-2.0
5#
6
7mainmenu "MCUboot configuration"
8
9comment "MCUboot-specific configuration options"
10
11# Hidden option to mark a project as MCUboot
12config MCUBOOT
13	default y
14	bool
15	select MPU_ALLOW_FLASH_WRITE if ARM_MPU
16	select USE_DT_CODE_PARTITION if HAS_FLASH_LOAD_OFFSET
17	select MCUBOOT_BOOTUTIL_LIB
18
19config BOOT_USE_MBEDTLS
20	bool
21	# Hidden option
22	default n
23	help
24	  Use mbedTLS for crypto primitives.
25
26config BOOT_USE_TINYCRYPT
27	bool
28	# Hidden option
29	default n
30	# When building for ECDSA, we use our own copy of mbedTLS, so the
31	# Zephyr one must not be enabled or the MBEDTLS_CONFIG_FILE macros
32	# will collide.
33	help
34	  Use TinyCrypt for crypto primitives.
35
36config BOOT_USE_CC310
37	bool
38	# Hidden option
39	default n
40	# When building for ECDSA, we use our own copy of mbedTLS, so the
41	# Zephyr one must not be enabled or the MBEDTLS_CONFIG_FILE macros
42	# will collide.
43	help
44	  Use cc310 for crypto primitives.
45
46config BOOT_USE_NRF_CC310_BL
47	bool
48	default n
49
50config NRFXLIB_CRYPTO
51	bool
52	default n
53
54config NRF_CC310_BL
55	bool
56	default n
57
58menu "MCUBoot settings"
59
60config SINGLE_APPLICATION_SLOT
61	bool "Single slot bootloader"
62	default n
63	help
	  A single image area is used for the application, which means that
	  uploading a new application overwrites the one that previously
	  occupied the area.
67
68choice
69	prompt "Signature type"
70	default BOOT_SIGNATURE_TYPE_RSA
71
72config BOOT_SIGNATURE_TYPE_NONE
73	bool "No signature; use only hash check"
74	select BOOT_USE_TINYCRYPT
75
76config BOOT_SIGNATURE_TYPE_RSA
77	bool "RSA signatures"
78	select BOOT_USE_MBEDTLS
79	select MBEDTLS
80
81if BOOT_SIGNATURE_TYPE_RSA
82config BOOT_SIGNATURE_TYPE_RSA_LEN
83	int "RSA signature length"
84	range 2048 3072
85	default 2048
86endif
87
88config BOOT_SIGNATURE_TYPE_ECDSA_P256
89	bool "Elliptic curve digital signatures with curve P-256"
90
91if BOOT_SIGNATURE_TYPE_ECDSA_P256
92choice
93	prompt "Ecdsa implementation"
94	default BOOT_ECDSA_TINYCRYPT
95
96config BOOT_ECDSA_TINYCRYPT
97	bool "Use tinycrypt"
98	select BOOT_USE_TINYCRYPT
99
100config BOOT_ECDSA_CC310
101	bool "Use CC310"
102	depends on HAS_HW_NRF_CC310
103	select BOOT_USE_NRF_CC310_BL
104	select NRF_CC310_BL
105	select NRFXLIB_CRYPTO
106	select BOOT_USE_CC310
107endchoice # Ecdsa implementation
108endif
109
110config BOOT_SIGNATURE_TYPE_ED25519
111	bool "Edwards curve digital signatures using ed25519"
112
113if BOOT_SIGNATURE_TYPE_ED25519
114choice
	prompt "Ed25519 implementation"
116	default BOOT_ED25519_TINYCRYPT
117config BOOT_ED25519_TINYCRYPT
118	bool "Use tinycrypt"
119	select BOOT_USE_TINYCRYPT
120config BOOT_ED25519_MBEDTLS
121	bool "Use mbedTLS"
122	select BOOT_USE_MBEDTLS
123	select MBEDTLS
124endchoice
125endif
126
127endchoice
128
129config BOOT_SIGNATURE_KEY_FILE
130	string "PEM key file"
131	default "root-ec-p256.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256
132	default "root-ed25519.pem" if BOOT_SIGNATURE_TYPE_ED25519
133	default "root-rsa-3072.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=3072
134	default "root-rsa-2048.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=2048
135	default ""
136	help
	  Either an absolute or a relative path can be used.
	  If a relative path is used, the build system first resolves it
	  relative to the directory where the MCUboot Kconfig configuration
	  file is located. If the key file is not found there, the path is
	  resolved relative to the MCUboot repository root directory.
	  The key file will be parsed by imgtool's getpub command and a .c source
	  with the public key information will be written in a format expected by
	  MCUboot.
145
146config MCUBOOT_CLEANUP_ARM_CORE
	bool "Perform core cleanup before chain-loading the application"
148	depends on CPU_CORTEX_M
149	default y if !ARCH_SUPPORTS_ARCH_HW_INIT
150	help
	  This option instructs MCUboot to perform a clean-up of a set of
	  architecture core HW registers before jumping to the application
	  firmware. The clean-up sets these registers to their warm-reset
	  values as specified by the architecture.
155
156	  By default, this option is enabled only if the architecture does
157	  not have the functionality to perform such a register clean-up
158	  during application firmware boot.
159
160	  Zephyr applications on Cortex-M will perform this register clean-up
161	  by default, if they are chain-loadable by MCUboot, so MCUboot does
162	  not need to perform such a cleanup itself.
163
164config MBEDTLS_CFG_FILE
165	default "mcuboot-mbedtls-cfg.h"
166
167config BOOT_HW_KEY
168	bool "Use HW key for image verification"
169	default n
170	help
	  Use a HW-provisioned key for image verification instead of a public
	  key embedded in MCUboot. If enabled, the public key is appended to the
	  signed image, and the hash of that public key must be provisioned to
	  the device beforehand.
175
176config BOOT_VALIDATE_SLOT0
177	bool "Validate image in the primary slot on every boot"
178	default y
179	help
	  If y, the bootloader validates the signature of the image in the
	  primary slot on every boot. This adds the signature check time to
	  every boot, but can mitigate some tampering that modifies the
	  primary-slot image in place after it was installed.
184
185if !SINGLE_APPLICATION_SLOT
186choice
187	prompt "Image upgrade modes"
188	default BOOT_SWAP_USING_MOVE if SOC_FAMILY_NRF
189	default BOOT_SWAP_USING_SCRATCH
190
191config BOOT_SWAP_USING_SCRATCH
	bool "Swap mode that runs with the scratch partition"
193	help
194	  This is the most conservative swap mode but it can work even on
195	  devices with heterogeneous flash page layout.
196
197config BOOT_UPGRADE_ONLY
198	bool "Overwrite image updates instead of swapping"
199	help
	  If y, overwrite the primary slot with the upgrade image instead
	  of swapping them. This removes the ability to fall back to the
	  previous image, but uses a much simpler code path.
203
204config BOOT_SWAP_USING_MOVE
205	bool "Swap mode that can run without a scratch partition"
206	help
207	  If y, the swap upgrade is done in two steps, where first every
208	  sector of the primary slot is moved up one sector, then for
209	  each sector X in the secondary slot, it is moved to index X in
210	  the primary slot, then the sector at X+1 in the primary is
211	  moved to index X in the secondary.
212	  This allows a swap upgrade without using a scratch partition,
213	  but is currently limited to all sectors in both slots being of
214	  the same size.
215
216config BOOT_DIRECT_XIP
217	bool "Run the latest image directly from its slot"
218	help
219	  If y, mcuboot selects the newest valid image based on the image version
220	  numbers, thereafter the selected image can run directly from its slot
221	  without having to move/copy it into the primary slot. For this reason the
222	  images must be linked to be executed from the given image slot. Using this
223	  mode results in a simpler code path and smaller code size.
224
225endchoice
226
227config BOOT_DIRECT_XIP_REVERT
228	bool "Enable the revert mechanism in direct-xip mode"
229	depends on BOOT_DIRECT_XIP
230	default n
231	help
232	  If y, enables the revert mechanism in direct-xip similar to the one in
233	  swap mode. It requires the trailer magic to be added to the signed image.
234	  When a reboot happens without the image being confirmed at runtime, the
235	  bootloader considers the image faulty and erases it. After this it will
236	  attempt to boot the previous image. The images can also be made permanent
237	  (marked as confirmed in advance) just like in swap mode.
238
239config BOOT_BOOTSTRAP
	bool "Bootstrap an erased primary slot from the secondary slot"
241	default n
242	help
	  If y, enables bootstrapping support. Bootstrapping allows an erased
	  primary slot to be initialized from a valid image in the secondary slot.
	  If unsure, leave at the default value.
246
247config BOOT_SWAP_SAVE_ENCTLV
248	bool "Save encrypted key TLVs instead of plaintext keys in swap metadata"
249	default n
250	help
	  If y, instead of saving the decrypted image keys in plaintext in the
	  swap resume metadata, save the encrypted image key TLVs. This should be
	  used when there is no security mechanism protecting the data in the
	  primary slot from being dumped. If n (default), the keys are written
	  in plaintext after being decrypted from the image TLVs and could be
	  read by an attacker with access to the flash contents of the primary
	  slot (e.g. via JTAG/SWD, or when the primary slot is in external flash).
	  If unsure, leave at the default value.
259
260config BOOT_ENCRYPT_RSA
261	bool "Support for encrypted upgrade images using RSA"
262	default n
263	help
264	  If y, images in the secondary slot can be encrypted and are decrypted
265	  on the fly when upgrading to the primary slot, as well as encrypted
266	  back when swapping from the primary slot to the secondary slot. The
267	  encryption mechanism used in this case is RSA-OAEP (2048 bits).
268
269config BOOT_ENCRYPT_EC256
270	bool "Support for encrypted upgrade images using ECIES-P256"
271	default n
272	help
273	  If y, images in the secondary slot can be encrypted and are decrypted
274	  on the fly when upgrading to the primary slot, as well as encrypted
275	  back when swapping from the primary slot to the secondary slot. The
276	  encryption mechanism used in this case is ECIES using primitives
277	  described under "ECIES-P256 encryption" in docs/encrypted_images.md.
278
279config BOOT_ENCRYPT_X25519
280	bool "Support for encrypted upgrade images using ECIES-X25519"
281	default n
282	help
283	  If y, images in the secondary slot can be encrypted and are decrypted
284	  on the fly when upgrading to the primary slot, as well as encrypted
285	  back when swapping from the primary slot to the secondary slot. The
286	  encryption mechanism used in this case is ECIES using primitives
287	  described under "ECIES-X25519 encryption" in docs/encrypted_images.md.
288endif # !SINGLE_APPLICATION_SLOT
289
290config BOOT_MAX_IMG_SECTORS
291	int "Maximum number of sectors per image slot"
292	default 128
293	help
294	  This option controls the maximum number of sectors that each of
295	  the two image areas can contain. Smaller values reduce MCUboot's
296	  memory usage; larger values allow it to support larger images.
297	  If unsure, leave at the default value.
298
299config BOOT_ERASE_PROGRESSIVELY
300	bool "Erase flash progressively when receiving new firmware"
301	default y if SOC_FAMILY_NRF
302	help
	  If enabled, flash is erased as necessary when receiving new firmware,
	  instead of erasing the whole image slot at once. This is necessary
	  on some hardware that has long erase times, to prevent long wait
	  times at the beginning of the DFU process.
307
308config MEASURED_BOOT
309	bool "Store the boot state/measurements in shared memory"
310	default n
311	help
312	  If enabled, the bootloader will store certain boot measurements such as
313	  the hash of the firmware image in a shared memory area. This data can
314	  be used later by runtime services (e.g. by a device attestation service).
315
316config BOOT_SHARE_DATA
317	bool "Save application specific data in shared memory area"
318	default n
319
320choice
321	prompt "Fault injection hardening profile"
322	default BOOT_FIH_PROFILE_OFF
323
324config BOOT_FIH_PROFILE_OFF
325	bool "No hardening against hardware level fault injection"
326	help
327	  No hardening in SW against hardware level fault injection: power or
328	  clock glitching, etc.
329
330config BOOT_FIH_PROFILE_LOW
331	bool "Moderate level hardening against hardware level fault injection"
332	help
333	  Moderate level hardening: Long global fail loop to avoid break out,
334	  control flow integrity check to discover discrepancy in expected code
335	  flow.
336
337config BOOT_FIH_PROFILE_MEDIUM
338	bool "Medium level hardening against hardware level fault injection"
339	help
340	  Medium level hardening: Long global fail loop to avoid break out,
341	  control flow integrity check to discover discrepancy in expected code
342	  flow, double variables to discover register or memory corruption.
343
344config BOOT_FIH_PROFILE_HIGH
345	bool "Maximum level hardening against hardware level fault injection"
346	select MBEDTLS
347	help
348	  Maximum level hardening: Long global fail loop to avoid break out,
349	  control flow integrity check to discover discrepancy in expected code
350	  flow, double variables to discover register or memory corruption, random
351	  delays to make code execution less predictable. Random delays requires an
352	  entropy source.
353
354endchoice
355
356choice BOOT_USB_DFU
357	prompt "USB DFU"
358	default BOOT_USB_DFU_NO
359
360config BOOT_USB_DFU_NO
	bool "Disabled"
362
363config BOOT_USB_DFU_WAIT
364	bool "Wait for a prescribed duration to see if USB DFU is invoked"
365	select USB_DEVICE_STACK
366	select USB_DFU_CLASS
367	select IMG_MANAGER
368	help
369	  If y, MCUboot waits for a prescribed duration of time to allow
370	  for USB DFU to be invoked. Please note DFU always updates the
371	  slot1 image.
372
373config BOOT_USB_DFU_GPIO
374	bool "Use GPIO to detect whether to trigger DFU mode"
375	select USB_DEVICE_STACK
376	select USB_DFU_CLASS
377	select IMG_MANAGER
378	help
379	  If y, MCUboot uses GPIO to detect whether to invoke USB DFU.
380
381endchoice
382
383config BOOT_USB_DFU_WAIT_DELAY_MS
384	int "USB DFU wait duration"
385	depends on BOOT_USB_DFU_WAIT
386	default 12000
387	help
388	  Milliseconds to wait for USB DFU to be invoked.
389
390if BOOT_USB_DFU_GPIO
391
392config BOOT_USB_DFU_DETECT_PORT
393	string "GPIO device to trigger USB DFU mode"
394	default GPIO_0 if SOC_FAMILY_NRF
395	help
396	  Zephyr GPIO device that contains the pin used to trigger
397	  USB DFU.
398
399config BOOT_USB_DFU_DETECT_PIN
400	int "Pin to trigger USB DFU mode"
401	default 6 if BOARD_NRF9160DK_NRF9160
402	default 11 if BOARD_NRF52840DK_NRF52840
403	default 13 if BOARD_NRF52DK_NRF52832
404	default 23 if BOARD_NRF5340_DK_NRF5340_CPUAPP || BOARD_NRF5340_DK_NRF5340_CPUAPP_NS
405	default 43 if BOARD_BL5340_DVK_CPUAPP || BOARD_BL5340_DVK_CPUAPP_NS
406	help
407	  Pin on the DFU detect port that triggers DFU mode.
408
409config BOOT_USB_DFU_DETECT_PIN_VAL
410	int "USB DFU detect pin trigger value"
411	default 0
412	range 0 1
413	help
414	  Logic value of the detect pin that triggers USB DFU mode.
415
416config BOOT_USB_DFU_DETECT_DELAY
	int "USB DFU detect pin detection delay time [ms]"
418	default 0
419	help
	  Delay before the detect pin is evaluated, used to prevent the
	  bootloader from being entered on a short button press. Useful when
	  the same button is used both for powering on and for placing the
	  device in bootloader mode.
423
424endif # BOOT_USB_DFU_GPIO
425
426config ZEPHYR_TRY_MASS_ERASE
427	bool "Try to mass erase flash when flashing MCUboot image"
428	default y
429	help
430	  If y, attempt to configure the Zephyr build system's "flash"
431	  target to mass-erase the flash device before flashing the
432	  MCUboot image. This ensures the scratch and other partitions
433	  are in a consistent state.
434
435	  This is not available for all targets.
436
437config BOOT_USE_BENCH
438        bool "Enable benchmark code"
439        default n
440        help
441          If y, adds support for simple benchmarking that can record
442          time intervals between two calls.  The time printed depends
443          on the particular Zephyr target, and is generally ticks of a
444          specific board-specific timer.
445
446module = MCUBOOT
447module-str = MCUBoot bootloader
448source "subsys/logging/Kconfig.template.log_config"
449
450config MCUBOOT_LOG_THREAD_STACK_SIZE
451	int "Stack size for the MCUBoot log processing thread"
452	depends on LOG && !LOG_IMMEDIATE
453	default 2048 if COVERAGE_GCOV
454	default 1024 if NO_OPTIMIZATIONS
455	default 1024 if XTENSA
456	default 4096 if (X86 && X86_64)
457	default 4096 if ARM64
458	default 768
459	help
460	  Set the internal stack size for MCUBoot log processing thread.
461
462menuconfig MCUBOOT_SERIAL
463	bool "MCUboot serial recovery"
464	default n
465	select REBOOT
466	select GPIO
467	select SERIAL
468	select UART_INTERRUPT_DRIVEN
469	select BASE64
470	help
471	  If y, enables a serial-port based update mode. This allows
472	  MCUboot itself to load update images into flash over a UART.
473	  If unsure, leave at the default value.
474
475if MCUBOOT_SERIAL
476
477choice
478	prompt "Serial device"
479	default BOOT_SERIAL_UART if !BOARD_NRF52840DONGLE_NRF52840
480	default BOOT_SERIAL_CDC_ACM if BOARD_NRF52840DONGLE_NRF52840
481
482config BOOT_SERIAL_UART
483	bool "UART"
484	# SERIAL and UART_INTERRUPT_DRIVEN already selected
485
486config BOOT_SERIAL_CDC_ACM
487	bool "CDC ACM"
488	select USB_DEVICE_STACK
489
490endchoice
491
492config MCUBOOT_INDICATION_LED
493	bool "Turns on LED indication when device is in DFU"
494	default n
495	help
	  The device activates the LED while in bootloader mode.
	  The bootloader-led0 alias must be set in the device's .dts
	  definitions for this to work.
499
500config BOOT_MAX_LINE_INPUT_LEN
501	int "Maximum command line length"
502	default 512
503	help
504	  Maximum length of commands transported over the serial port.
505
506config BOOT_SERIAL_DETECT_PORT
507	string "GPIO device to trigger serial recovery mode"
508	default GPIO_0 if SOC_FAMILY_NRF
509	help
510	  Zephyr GPIO device that contains the pin used to trigger
511	  serial recovery mode.
512
513config BOOT_SERIAL_DETECT_PIN
514	int "Pin to trigger serial recovery mode"
515	default 6 if BOARD_NRF9160DK_NRF9160
516	default 11 if BOARD_NRF52840DK_NRF52840
517	default 13 if BOARD_NRF52DK_NRF52832 || BOARD_NRF52833DK_NRF52833
518	default 23 if BOARD_NRF5340PDK_NRF5340_CPUAPP || BOARD_NRF5340PDK_NRF5340_CPUAPP_NS || \
519		BOARD_NRF5340DK_NRF5340_CPUAPP || BOARD_NRF5340DK_NRF5340_CPUAPP_NS
520	help
521	  Pin on the serial detect port that triggers serial recovery mode.
522
523config BOOT_SERIAL_DETECT_PIN_VAL
524	int "Serial detect pin trigger value"
525	default 0
526	range 0 1
527	help
528	  Logic value of the detect pin that triggers serial recovery
529	  mode.
530
531config BOOT_SERIAL_DETECT_DELAY
532	int "Serial detect pin detection delay time [ms]"
533	default 0
534	help
	  Delay before the detect pin is evaluated, used to prevent the
	  bootloader from being entered on a short button press. Useful when
	  the same button is used both for powering on and for placing the
	  device in bootloader mode.
538
539endif # MCUBOOT_SERIAL
540
541config BOOT_INTR_VEC_RELOC
542	bool "Relocate the interrupt vector to the application"
543	default n
544	depends on SW_VECTOR_RELAY || CPU_CORTEX_M_HAS_VTOR
545	help
	  Relocate the interrupt vector to the application before it is started.
	  Select this option if the application requires vector relocation but
	  does not relocate the vector table in its own reset handler.
549
550config UPDATEABLE_IMAGE_NUMBER
551	int "Number of updateable images"
552	default 1
553	range 1 1 if SINGLE_APPLICATION_SLOT
554	help
555	  Enables support of multi image update.
556
557choice
558	prompt "Downgrade prevention"
559	optional
560
561config MCUBOOT_DOWNGRADE_PREVENTION
562	bool "SW based downgrade prevention"
563	depends on BOOT_UPGRADE_ONLY
564	help
	  Prevent downgrades by enforcing incrementing version numbers.
	  When this option is set, any upgrade must have a greater major version,
	  or a greater minor version with an equal major version. This mechanism
	  only protects against some downgrade attacks; it does not help when
	  an attacker has direct flash access (for example, a JTAG debugger could
	  be used to write an older version).
570
571config MCUBOOT_HW_DOWNGRADE_PREVENTION
572	bool "HW based downgrade prevention"
573	help
	  Prevent undesirable/malicious software downgrades. When this option is
	  set, any upgrade must have a security counter value greater than or
	  equal to the one currently stored. Because equal values are accepted,
	  downgrades between versions sharing the same security counter remain
	  possible.
578
579endchoice
580
581config BOOT_WATCHDOG_FEED
582	bool "Feed the watchdog while doing swap"
583	default y if SOC_FAMILY_NRF
584	imply NRFX_WDT
585	imply NRFX_WDT0
586	imply NRFX_WDT1
587	help
588	  Enables implementation of MCUBOOT_WATCHDOG_FEED() macro which is
589	  used to feed watchdog while doing time consuming operations.
590
591endmenu
592
593config MCUBOOT_DEVICE_SETTINGS
594	# Hidden selector for device-specific settings
595	bool
596	default y
597        # CPU options
598	select MCUBOOT_DEVICE_CPU_CORTEX_M0 if CPU_CORTEX_M0
599        # Enable flash page layout if available
600	select FLASH_PAGE_LAYOUT if FLASH_HAS_PAGE_LAYOUT
601	# Enable flash_map module as flash I/O back-end
602	select FLASH_MAP
603
604config MCUBOOT_DEVICE_CPU_CORTEX_M0
605	# Hidden selector for Cortex-M0 settings
606	bool
607	default n
608	select SW_VECTOR_RELAY if !CPU_CORTEX_M0_HAS_VECTOR_TABLE_REMAP
609
610comment "Zephyr configuration options"
611
# Disabling MULTITHREADING provides a code size advantage, but
# it requires peripheral drivers (particularly a flash driver)
# that work properly with the option enabled.
615#
616# If you know for sure that your hardware will work, you can default
617# it to n here. Otherwise, having it on by default makes the most
618# hardware work.
619config MULTITHREADING
620	default y if BOOT_SERIAL_CDC_ACM #usb driver requires MULTITHREADING
621	default y if BOOT_USB_DFU_GPIO || BOOT_USB_DFU_WAIT
622	default n if SOC_FAMILY_NRF
623	default y
624
625config LOG_PROCESS_THREAD
626	default n # mcuboot has its own log processing thread
627
628# override USB device name
629config USB_DEVICE_PRODUCT
630	default "MCUBOOT"
631
632# use MCUboot's own log configuration
633config MCUBOOT_BOOTUTIL_LIB_OWN_LOG
634	bool
635	default n
636
637source "Kconfig.zephyr"
638