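# Copyright (c) 2017-2020 Linaro Limited
# Copyright (c) 2020 Arm Limited
# Copyright (c) 2023 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: Apache-2.0
#

mainmenu "MCUboot configuration"

comment "MCUboot-specific configuration options"

# Hidden option to mark a project as MCUboot
config MCUBOOT
	default y
	bool
	# The bootloader programs flash during upgrades, so flash writes must
	# be permitted through the MPU when one is in use.
	select MPU_ALLOW_FLASH_WRITE if ARM_MPU
	select USE_DT_CODE_PARTITION if HAS_FLASH_LOAD_OFFSET
	select MCUBOOT_BOOTUTIL_LIB

config BOOT_USE_MBEDTLS
	bool
	# Hidden option
	default n
	help
	  Use mbedTLS for crypto primitives.

config BOOT_USE_PSA_CRYPTO
	bool
	# Hidden option
	help
	  Hidden option set if PSA Crypto is used for cryptographic
	  functionality.

config BOOT_USE_TINYCRYPT
	bool
	# Hidden option
	default n
	# When building for ECDSA, we use our own copy of mbedTLS, so the
	# Zephyr one must not be enabled or the MBEDTLS_CONFIG_FILE macros
	# will collide.
	select MBEDTLS_PROMPTLESS if ZEPHYR_MBEDTLS_MODULE
	help
	  Use TinyCrypt for crypto primitives.

config BOOT_USE_CC310
	bool
	# Hidden option
	default n
	# When building for ECDSA, we use our own copy of mbedTLS, so the
	# Zephyr one must not be enabled or the MBEDTLS_CONFIG_FILE macros
	# will collide.
	# NOTE(review): unlike BOOT_USE_TINYCRYPT, nothing here selects
	# MBEDTLS_PROMPTLESS; confirm whether the note above still applies.
	help
	  Use cc310 for crypto primitives.

config BOOT_USE_NRF_CC310_BL
	bool
	default n

config NRFXLIB_CRYPTO
	bool
	default n

config NRF_CC310_BL
	bool
	default n

if BOOT_USE_MBEDTLS && MBEDTLS_BUILTIN

# AES in CTR mode is what the mbedTLS-based signature types pull in when
# BOOT_ENCRYPT_IMAGE is enabled (see the "select ... if ... BOOT_ENCRYPT_IMAGE"
# lines on those options).
config BOOT_AES_MBEDTLS_DEPENDENCIES
	bool
	select MBEDTLS_CIPHER_AES_ENABLED
	select MBEDTLS_CIPHER_MODE_CTR_ENABLED

endif

menu "MCUBoot settings"

config SINGLE_APPLICATION_SLOT
	bool "Single slot bootloader"
	default n
	help
	  A single image area is used for the application, which means that
	  uploading a new application overwrites the one that previously
	  occupied the area. There is no second slot to swap with, so no
	  revert to the previous image is possible.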
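
config BOOT_IMG_HASH_ALG_SHA256_ALLOW
	bool
	help
	  Hidden option set by configurations that allow SHA256.

config BOOT_IMG_HASH_ALG_SHA384_ALLOW
	bool
	help
	  Hidden option set by configurations that allow SHA384.

config BOOT_IMG_HASH_ALG_SHA512_ALLOW
	bool
	help
	  Hidden option set by configurations that allow SHA512.

config BOOT_IMG_HASH_DIRECTLY_ON_STORAGE
	bool "Hash calculation functions access storage through address space"
	depends on !BOOT_ENCRYPT_IMAGE
	help
	  When the storage device can be mapped, at least for read operations,
	  into the address space or a RAM area, enabling this option allows
	  the hash calculation functions to access the storage directly
	  through that address space or using their own DMA. This reduces the
	  flash read overhead done by MCUboot.
	  Notes:
	  - not supported when encrypted images are in use, because
	    calculating the SHA requires the image to be decrypted first,
	    which is done in RAM.
	  - currently only supported on internal storage of devices; this
	    option will not work with devices that use external storage for
	    either of the image slots.

choice BOOT_IMG_HASH_ALG
	prompt "Selected image hash algorithm"
	default BOOT_IMG_HASH_ALG_SHA256 if BOOT_IMG_HASH_ALG_SHA256_ALLOW
	default BOOT_IMG_HASH_ALG_SHA384 if BOOT_IMG_HASH_ALG_SHA384_ALLOW
	default BOOT_IMG_HASH_ALG_SHA512 if BOOT_IMG_HASH_ALG_SHA512_ALLOW
	help
	  Hash algorithm used for image verification. The selection
	  here may be limited by other configurations, for example
	  the selected cryptographic signature type.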
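
config BOOT_IMG_HASH_ALG_SHA256
	bool "SHA256"
	depends on BOOT_IMG_HASH_ALG_SHA256_ALLOW
	help
	  SHA256 algorithm

config BOOT_IMG_HASH_ALG_SHA384
	bool "SHA384"
	depends on BOOT_IMG_HASH_ALG_SHA384_ALLOW
	help
	  SHA384 algorithm

config BOOT_IMG_HASH_ALG_SHA512
	bool "SHA512"
	depends on BOOT_IMG_HASH_ALG_SHA512_ALLOW
	help
	  SHA512 algorithm

endchoice # BOOT_IMG_HASH_ALG

config BOOT_SIGNATURE_TYPE_PURE_ALLOW
	bool
	help
	  Hidden option set by configurations that allow the Pure variant,
	  for example ed25519. The Pure variant means that the image
	  signature is calculated over the entire image instead of over
	  a hash of the image.

choice BOOT_SIGNATURE_TYPE
	prompt "Signature type"
	default BOOT_SIGNATURE_TYPE_RSA

config BOOT_SIGNATURE_TYPE_NONE
	bool "No signature; use only hash check"
	select BOOT_USE_TINYCRYPT
	select BOOT_IMG_HASH_ALG_SHA256_ALLOW
	help
	  Images are only checked for integrity against their hash; their
	  origin is not authenticated. Anyone able to write an image into a
	  slot (for example via serial recovery, USB DFU or a debugger) can
	  therefore get it booted. Not suitable for production firmware.

config BOOT_SIGNATURE_TYPE_RSA
	bool "RSA signatures"
	select BOOT_USE_MBEDTLS
	select MBEDTLS
	select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN
	select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED if MBEDTLS_BUILTIN
	select BOOT_ENCRYPTION_SUPPORT
	select BOOT_IMG_HASH_ALG_SHA256_ALLOW
	select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE

if BOOT_SIGNATURE_TYPE_RSA
config BOOT_SIGNATURE_TYPE_RSA_LEN
	int "RSA signature length"
	# NOTE(review): the range admits any value between 2048 and 3072, but
	# the BOOT_SIGNATURE_KEY_FILE defaults only cover exactly 2048 and 3072.
	range 2048 3072
	default 2048
endif

config BOOT_SIGNATURE_TYPE_ECDSA_P256
	bool "Elliptic curve digital signatures with curve P-256"
	select BOOT_ENCRYPTION_SUPPORT
	select BOOT_IMG_HASH_ALG_SHA256_ALLOW

if BOOT_SIGNATURE_TYPE_ECDSA_P256
choice BOOT_ECDSA_IMPLEMENTATION
	prompt "ECDSA implementation"
	default BOOT_ECDSA_TINYCRYPT

config BOOT_ECDSA_TINYCRYPT
	bool "Use tinycrypt"
	select BOOT_USE_TINYCRYPT

config BOOT_ECDSA_CC310
	bool "Use CC310"
	depends on HAS_HW_NRF_CC310
	select BOOT_USE_NRF_CC310_BL
	select NRF_CC310_BL
	select NRFXLIB_CRYPTO
	select BOOT_USE_CC310
endchoice # ECDSA implementation
endif

config BOOT_SIGNATURE_TYPE_ED25519
	bool "Edwards curve digital signatures using ed25519"
	select BOOT_ENCRYPTION_SUPPORT if !BOOT_SIGNATURE_TYPE_PURE
	select BOOT_IMG_HASH_ALG_SHA256_ALLOW if !BOOT_SIGNATURE_TYPE_PURE
	# The SHA is used only for key hashing, not for images.
	select BOOT_SIGNATURE_TYPE_PURE_ALLOW
	help
	  This is an ed25519 signature calculated over the SHA512 of the
	  SHA256 of the application image.
	  To check the signature over the entire image directly, rather than
	  over its hash, select BOOT_SIGNATURE_TYPE_PURE.

if BOOT_SIGNATURE_TYPE_ED25519

config BOOT_SIGNATURE_TYPE_PURE
	bool "Use Pure signature of image"
	depends on BOOT_SIGNATURE_TYPE_PURE_ALLOW
	help
	  The Pure signature is calculated directly over the image rather
	  than over a hash of the image, as BOOT_SIGNATURE_TYPE_ED25519 does
	  by default.
	  The image to be verified needs to be accessible through a memory
	  address space that the cryptography functions can access via
	  pointers.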
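
choice BOOT_ED25519_IMPLEMENTATION
	prompt "ed25519 implementation"
	default BOOT_ED25519_TINYCRYPT
config BOOT_ED25519_TINYCRYPT
	bool "Use tinycrypt"
	select BOOT_USE_TINYCRYPT
	select BOOT_IMG_HASH_ALG_SHA512_ALLOW
config BOOT_ED25519_MBEDTLS
	bool "Use mbedTLS"
	select BOOT_USE_MBEDTLS
	select MBEDTLS
	select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN
	select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE
	# NOTE(review): unlike BOOT_ED25519_TINYCRYPT this does not select
	# BOOT_IMG_HASH_ALG_SHA512_ALLOW; confirm whether that is intended.

endchoice
endif

endchoice

config BOOT_SIGNATURE_KEY_FILE
	string "PEM key file"
	default "root-ec-p256.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256
	default "root-ed25519.pem" if BOOT_SIGNATURE_TYPE_ED25519
	default "root-rsa-3072.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=3072
	default "root-rsa-2048.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=2048
	default ""
	help
	  You can use either an absolute or a relative path.
	  If a relative path is used, the build system assumes that it starts
	  from the directory where the MCUboot Kconfig configuration file is
	  located. If the key file is not there, the build system uses a
	  relative path that starts from the MCUboot repository root
	  directory.
	  The key file will be parsed by imgtool's getpub command and a .c
	  source with the public key information will be written in a format
	  expected by MCUboot.

	  The default file names above are resolved from the MCUboot
	  repository root and are publicly available development keys:
	  anyone holding them can sign an image this bootloader accepts.
	  Production builds must point this option at a key that is kept
	  private.

config MCUBOOT_CLEANUP_ARM_CORE
	bool "Perform core cleanup before chain-load the application"
	depends on CPU_CORTEX_M
	default y
	help
	  This option instructs MCUboot to perform a clean-up of a set of
	  architecture core HW registers before jumping to the application
	  firmware. The clean-up sets these registers to their warm-reset
	  values as specified by the architecture.

	  This option is enabled by default to prevent possible problems when
	  booting zephyr (or other) applications whereby e.g. an MPU stack
	  guard may be initialised in RAM which is then used by the
	  application start-up code, which can cause a fault and potentially
	  make the device irrecoverable.

config MCUBOOT_CLEANUP_RAM
	bool "Perform RAM cleanup"
	depends on CPU_CORTEX_M4 || CPU_CORTEX_M33
	help
	  Sets the contents of memory to 0 before jumping to the application,
	  so that data left behind by the bootloader is not readable by the
	  application.

if MBEDTLS

config MBEDTLS_CFG_FILE
	default "config-tls-generic.h" if MBEDTLS_BUILTIN
	default "mcuboot-mbedtls-cfg.h" if BOOT_USE_MBEDTLS

endif

config BOOT_HW_KEY
	bool "Use HW key for image verification"
	default n
	help
	  Use a HW key for image verification; otherwise the public key is
	  embedded in MCUboot. If enabled, the public key is appended to the
	  signed image and the hash of the public key must be provisioned to
	  the device beforehand, so that the appended key can be checked
	  against the provisioned hash.

config BOOT_VALIDATE_SLOT0
	bool "Validate image in the primary slot on every boot"
	default y
	help
	  If y, the bootloader attempts to validate the signature of the
	  primary slot on every boot. This adds the signature check time to
	  every boot, but can mitigate against changes that modify the
	  primary-slot image in flash after it was installed (e.g. through a
	  debugger or direct flash writes).

config BOOT_VALIDATE_SLOT0_ONCE
	bool "Validate image in the primary slot just once after upgrade"
	depends on !BOOT_VALIDATE_SLOT0 && SINGLE_APPLICATION_SLOT
	default n
	help
	  If y, the bootloader attempts to validate the signature of the
	  primary slot only once after an upgrade of the main slot.
	  It caches the result in the magic area, which makes it an insecure
	  method: anyone able to write the flash can alter the image and the
	  cached validation state together. This option is useful for
	  lowering the boot-up time of low-end devices, at the cost of a
	  lower security level.
	  If unsure, leave at the default value.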
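
config BOOT_PREFER_SWAP_OFFSET
	bool "Prefer the newer swap offset algorithm"
	help
	  If y, BOOT_IMAGE_UPGRADE_MODE will default to "offset" instead of
	  "scratch". This is a separate bool config option because Kconfig
	  doesn't allow defaults to be overridden in choice options. Most
	  devices should be using swap using offset mode.

config BOOT_PREFER_SWAP_MOVE
	bool "Prefer the newer swap move algorithm"
	default y if SOC_FAMILY_NORDIC_NRF
	default y if !$(dt_nodelabel_enabled,scratch_partition)
	help
	  If y, BOOT_IMAGE_UPGRADE_MODE will default to "move" instead of
	  "scratch". This is a separate bool config option because Kconfig
	  doesn't allow defaults to be overridden in choice options. This
	  mode has been superseded by swap using offset, but is kept to
	  allow existing projects to make use of it.

if !SINGLE_APPLICATION_SLOT
choice BOOT_IMAGE_UPGRADE_MODE
	prompt "Image upgrade modes"
	default BOOT_SWAP_USING_OFFSET if BOOT_PREFER_SWAP_OFFSET
	default BOOT_SWAP_USING_MOVE if BOOT_PREFER_SWAP_MOVE
	default BOOT_SWAP_USING_SCRATCH

config BOOT_SWAP_USING_SCRATCH
	bool "Swap mode that runs with the scratch partition"
	help
	  This is the most conservative swap mode, but it can work even on
	  devices with a heterogeneous flash page layout.

config BOOT_UPGRADE_ONLY
	bool "Overwrite image updates instead of swapping"
	help
	  If y, overwrite the primary slot with the upgrade image instead
	  of swapping them. This removes the ability to revert to the
	  previous image if the new one fails, but uses a much simpler code
	  path.

config BOOT_SWAP_USING_OFFSET
	bool "Swap using offset mode without scratch partition"
	help
	  If y, the swap upgrade is done by moving each sector X+1 of the
	  secondary slot to index X in the primary slot, then moving the
	  sector at X+1 in the primary slot to index X in the secondary slot.
	  This allows a swap upgrade without using a scratch partition, but
	  is currently limited to all sectors in both slots being of the same
	  size. This mode offers faster swap times with less flash endurance
	  usage than swap using move; firmware updates must be placed at the
	  second sector of the secondary slot instead of the first.

config BOOT_SWAP_USING_MOVE
	bool "Swap using move mode without scratch partition"
	help
	  If y, the swap upgrade is done in two steps, where first every
	  sector of the primary slot is moved up one sector, then for
	  each sector X in the secondary slot, it is moved to index X in
	  the primary slot, then the sector at X+1 in the primary is
	  moved to index X in the secondary.
	  This allows a swap upgrade without using a scratch partition,
	  but is currently limited to all sectors in both slots being of
	  the same size.

config BOOT_DIRECT_XIP
	bool "Run the latest image directly from its slot"
	help
	  If y, mcuboot selects the newest valid image based on the image
	  version numbers; thereafter the selected image can run directly
	  from its slot without having to move/copy it into the primary slot.
	  For this reason the images must be linked to be executed from the
	  given image slot. Using this mode results in a simpler code path
	  and smaller code size.

config BOOT_RAM_LOAD
	bool "RAM load"
	help
	  If y, mcuboot selects the newest valid image based on the image
	  version numbers; thereafter the selected image is copied to RAM and
	  executed from there. For this reason, the image has to be linked to
	  be executed from RAM. The address that the image is copied to is
	  specified using the load-addr argument to the imgtool.py script,
	  which writes it to the image header.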
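
config BOOT_FIRMWARE_LOADER
	bool "Firmware loader"
	help
	  If y, mcuboot will have a single application slot, and the secondary
	  slot will be for a non-upgradeable firmware loader image (e.g. for
	  loading firmware via Bluetooth). The main application will boot by
	  default unless there is an error with it or the boot mode has been
	  forced to the firmware loader.

	  Note: The firmware loader image must be signed with the same signing
	  key as the primary image.

endchoice

config BOOT_DIRECT_XIP_REVERT
	bool "Enable the revert mechanism in direct-xip mode"
	depends on BOOT_DIRECT_XIP
	default n
	help
	  If y, enables a revert mechanism in direct-xip similar to the one
	  in swap mode. It requires the trailer magic to be added to the
	  signed image. When a reboot happens without the image having been
	  confirmed at runtime, the bootloader considers the image faulty and
	  erases it. After this it will attempt to boot the previous image.
	  The images can also be made permanent (marked as confirmed in
	  advance) just like in swap mode.

config BOOT_BOOTSTRAP
	bool "Bootstrap an erased primary slot from the secondary slot"
	default n
	help
	  If y, enables bootstrapping support. Bootstrapping allows an erased
	  primary slot to be initialized from a valid image in the secondary
	  slot.
	  If unsure, leave at the default value.

config BOOT_SWAP_SAVE_ENCTLV
	bool "Save encrypted key TLVs instead of plaintext keys in swap metadata"
	default n
	depends on BOOT_ENCRYPT_IMAGE
	help
	  If y, instead of saving the image encryption keys in plaintext in
	  the swap resume metadata, save the encrypted key TLVs. This should
	  be used when there is no security mechanism protecting the data in
	  the primary slot from being dumped. If n is selected (default), the
	  keys are written after being decrypted from the image TLVs and
	  could be read by an attacker who has access to the flash contents
	  of the primary slot (e.g. via JTAG/SWD, or when the primary slot is
	  in external flash).
	  If unsure, leave at the default value.

endif # !SINGLE_APPLICATION_SLOT

config SINGLE_APPLICATION_SLOT_RAM_LOAD
	bool "RAM load for single application slot"
	help
	  If y, the image is loaded to RAM and executed from there. For this
	  reason, the image has to be linked to be executed from RAM. The
	  address that the image is copied to is specified using the
	  load-addr argument to the imgtool.py script, which writes it to the
	  image header.

# Workaround for not being able to have commas in macro arguments
DT_CHOSEN_Z_SRAM := zephyr,sram

if BOOT_RAM_LOAD || SINGLE_APPLICATION_SLOT_RAM_LOAD
config BOOT_IMAGE_EXECUTABLE_RAM_START
	hex "Boot image executable ram start"
	default $(dt_chosen_reg_addr_hex,$(DT_CHOSEN_Z_SRAM))

config BOOT_IMAGE_EXECUTABLE_RAM_SIZE
	int "Boot image executable base size"
	default $(dt_chosen_reg_size_int,$(DT_CHOSEN_Z_SRAM),0)
endif

config FLASH_RUNTIME_SOURCES
	bool "Images are read from flash partitions defined at runtime"
	depends on SINGLE_APPLICATION_SLOT
	help
	  Instead of using information on the flash slots to decide which
	  images to load/update, the application provides at runtime the
	  information on which flash slot to load from. This is useful when
	  the application reads the state of hardware straps or other sources
	  to decide which image to load. Usually the application will provide
	  a boot_go_hook() to decide which image to load.

config BOOT_ENCRYPTION_SUPPORT
	bool
	help
	  Hidden option used to check if image encryption is supported.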
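
config BOOT_ENCRYPT_IMAGE
	bool "Support for encrypted image updates"
	depends on BOOT_ENCRYPTION_SUPPORT
	select BOOT_ENCRYPT_RSA if BOOT_SIGNATURE_TYPE_RSA
	select BOOT_ENCRYPT_EC256 if BOOT_SIGNATURE_TYPE_ECDSA_P256
	select BOOT_ENCRYPT_X25519 if BOOT_SIGNATURE_TYPE_ED25519
	depends on !SINGLE_APPLICATION_SLOT || MCUBOOT_SERIAL
	help
	  If y, images in the secondary slot can be encrypted and are
	  decrypted on the fly when upgrading to the primary slot, as well as
	  encrypted back when swapping from the primary slot to the secondary
	  slot. The encryption mechanism must match the selected signature
	  type; supported types include:
	  - RSA-OAEP (2048 bits).
	  - ECIES using primitives described under "ECIES-P256 encryption" in
	    docs/encrypted_images.md.
	  - ECIES using primitives described under "ECIES-X25519 encryption"
	    in docs/encrypted_images.md.

	  Note that for single slot operation, this can still be used to
	  allow loading encrypted images via serial recovery, which are then
	  decrypted on-the-fly without needing a second slot.

config BOOT_ENCRYPT_RSA
	bool
	help
	  Hidden option selecting RSA encryption.

config BOOT_ENCRYPT_EC256
	bool
	help
	  Hidden option selecting EC256 encryption.

config BOOT_ENCRYPT_X25519
	bool
	help
	  Hidden option selecting x25519 encryption.

config BOOT_ENCRYPTION_KEY_FILE
	string "Encryption key file"
	depends on BOOT_ENCRYPT_IMAGE
	default "enc-rsa2048-priv.pem" if BOOT_ENCRYPT_RSA
	default "enc-ec256-priv.pem" if BOOT_ENCRYPT_EC256
	default "enc-x25519-priv.pem" if BOOT_ENCRYPT_X25519
	default ""
	help
	  You can use either an absolute or a relative path.
	  If a relative path is used, the build system assumes that it starts
	  from the directory where the MCUboot Kconfig configuration file is
	  located. If the key file is not there, the build system uses a
	  relative path that starts from the MCUboot repository root
	  directory.
	  The key file will be parsed by imgtool's getpriv command and a .c
	  source with the private key information will be written in a format
	  expected by MCUboot. This private key is thus embedded in the
	  bootloader binary; anyone who can read the bootloader's flash can
	  decrypt update images. The default enc-*-priv.pem files are
	  resolved from the MCUboot repository root and are publicly
	  available development keys; production builds must use their own.

config BOOT_MAX_IMG_SECTORS_AUTO
	bool "Calculate maximum sectors automatically"
	default y
	help
	  If this option is enabled then the maximum number of supported
	  sectors per image will be calculated automatically from the flash
	  erase sizes and the size of each partition for the first image.

	  If this information is not available, or multiple images are used,
	  then this option should be disabled and BOOT_MAX_IMG_SECTORS should
	  be set instead.

config BOOT_MAX_IMG_SECTORS
	int "Maximum number of sectors per image slot"
	default 128
	depends on !BOOT_MAX_IMG_SECTORS_AUTO
	help
	  This option controls the maximum number of sectors that each of
	  the two image areas can contain. Smaller values reduce MCUboot's
	  memory usage; larger values allow it to support larger images.
	  If unsure, leave at the default value.

# Defined once; the file previously carried an identical duplicate of this
# symbol after DT_CHOSEN_BOOTLOADER_INFO.
config BOOT_SHARE_BACKEND_AVAILABLE
	bool
	default n
	help
	  Hidden option which indicates if there is a sharing backend
	  available.

# Workaround for not being able to have commas in macro arguments
DT_CHOSEN_BOOTLOADER_INFO := zephyr,bootloader-info

choice BOOT_SHARE_BACKEND
	prompt "Shared data backend"
	default BOOT_SHARE_BACKEND_DISABLED

config BOOT_SHARE_BACKEND_DISABLED
	bool "Disabled"
	help
	  No data sharing support.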
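
config BOOT_SHARE_BACKEND_RETENTION
	bool "Retention"
	depends on RETENTION
	depends on $(dt_chosen_enabled,$(DT_CHOSEN_BOOTLOADER_INFO))
	select BOOT_SHARE_BACKEND_AVAILABLE
	help
	  Use retention to share data with the application. Requires:
	  - Retained memory area
	  - Retention partition of retained memory area
	  - Chosen node "zephyr,bootloader-info" to be set to the retention
	    partition

config BOOT_SHARE_BACKEND_EXTERNAL
	bool "External (user-provided code)"
	select BOOT_SHARE_BACKEND_AVAILABLE
	help
	  Use a custom user-specified storage.

endchoice

menuconfig BOOT_SHARE_DATA
	bool "Save application specific data"
	default n
	depends on BOOT_SHARE_BACKEND_AVAILABLE
	help
	  This will allow data to be shared between MCUboot and an
	  application; it does not include any information by default.

	  Note: This requires a backend to function, see
	  BOOT_SHARE_BACKEND_RETENTION for details on using the retention
	  subsystem as a backend.

config BOOT_SHARE_DATA_BOOTINFO
	bool "Save boot information data"
	default n
	depends on BOOT_SHARE_DATA
	help
	  This will place information about the MCUboot configuration and
	  the running application into a shared memory area.

# NOTE(review): the stored measurements are only as trustworthy as the
# shared area's protection against later modification by the application;
# confirm this for the chosen backend before relying on them for attestation.
menuconfig MEASURED_BOOT
	bool "Store the boot state/measurements in shared memory area"
	default n
	depends on BOOT_SHARE_BACKEND_AVAILABLE
	help
	  If enabled, the bootloader will store certain boot measurements,
	  such as the hash of the firmware image, in a shared memory area.
	  This data can be used later by runtime services (e.g. by a device
	  attestation service).

	  Note: This requires a backend to function, see
	  BOOT_SHARE_BACKEND_RETENTION for details on using the retention
	  subsystem as a backend.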
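
config MEASURED_BOOT_MAX_CBOR_SIZE
	int "Maximum CBOR size of boot state/measurements"
	default 64
	range 0 256
	depends on MEASURED_BOOT
	help
	  The maximum size of the CBOR message which stores the boot
	  state/measurements.

choice BOOT_FAULT_INJECTION_HARDENING_PROFILE
	prompt "Fault injection hardening profile"
	default BOOT_FIH_PROFILE_OFF

config BOOT_FIH_PROFILE_OFF
	bool "No hardening against hardware level fault injection"
	help
	  No hardening in SW against hardware level fault injection: power or
	  clock glitching, etc.

config BOOT_FIH_PROFILE_LOW
	bool "Moderate level hardening against hardware level fault injection"
	help
	  Moderate level hardening: long global fail loop to avoid break-out,
	  control flow integrity check to discover discrepancies in the
	  expected code flow.

config BOOT_FIH_PROFILE_MEDIUM
	bool "Medium level hardening against hardware level fault injection"
	help
	  Medium level hardening: long global fail loop to avoid break-out,
	  control flow integrity check to discover discrepancies in the
	  expected code flow, double variables to discover register or
	  memory corruption.

config BOOT_FIH_PROFILE_HIGH
	bool "Maximum level hardening against hardware level fault injection"
	select MBEDTLS
	help
	  Maximum level hardening: long global fail loop to avoid break-out,
	  control flow integrity check to discover discrepancies in the
	  expected code flow, double variables to discover register or memory
	  corruption, random delays to make code execution less predictable.
	  The random delays require an entropy source.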
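
endchoice

choice BOOT_USB_DFU
	prompt "USB DFU"
	default BOOT_USB_DFU_NO

config BOOT_USB_DFU_NO
	bool "Disabled"

config BOOT_USB_DFU_WAIT
	bool "Wait for a prescribed duration to see if USB DFU is invoked"
	select USB_DEVICE_STACK
	select USB_DFU_CLASS
	select IMG_MANAGER
	select STREAM_FLASH
	select MULTITHREADING
	help
	  If y, MCUboot waits for a prescribed duration of time to allow
	  for USB DFU to be invoked. Please note that DFU always updates the
	  slot1 (secondary slot) image; the uploaded image is still subject
	  to the configured signature check before it is used.

config BOOT_USB_DFU_GPIO
	bool "Use GPIO to detect whether to trigger DFU mode"
	select USB_DEVICE_STACK
	select USB_DFU_CLASS
	select IMG_MANAGER
	select STREAM_FLASH
	select MULTITHREADING
	help
	  If y, MCUboot uses a GPIO to detect whether to invoke USB DFU.

endchoice

config BOOT_USB_DFU_WAIT_DELAY_MS
	int "USB DFU wait duration"
	depends on BOOT_USB_DFU_WAIT
	default 12000
	help
	  Milliseconds to wait for USB DFU to be invoked.

if BOOT_USB_DFU_GPIO

config BOOT_USB_DFU_DETECT_DELAY
	int "Serial detect pin detection delay time [ms]"
	default 0
	help
	  Delay before the DFU detect pin is sampled, used to prevent the
	  bootloader from entering DFU mode on a brief button press.
	  Useful when the same button is used both to power the device on
	  and to place it in bootloader mode.

endif # BOOT_USB_DFU_GPIO

config BOOT_USB_DFU_NO_APPLICATION
	bool "Stay in bootloader if no application"
	help
	  Allows entering USB DFU recovery mode if there is no bootable
	  application that the bootloader can jump to.

config BOOT_USE_BENCH
	bool "Enable benchmark code"
	default n
	help
	  If y, adds support for simple benchmarking that can record
	  time intervals between two calls. The time printed depends
	  on the particular Zephyr target, and is generally ticks of a
	  specific board-specific timer.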
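
module = MCUBOOT
module-str = MCUBoot bootloader
source "subsys/logging/Kconfig.template.log_config"

config MCUBOOT_LOG_THREAD_STACK_SIZE
	int "Stack size for the MCUBoot log processing thread"
	depends on LOG && !LOG_IMMEDIATE
	default 2048 if COVERAGE_GCOV
	default 1024 if NO_OPTIMIZATIONS
	default 1024 if XTENSA
	default 4096 if (X86 && X86_64)
	default 4096 if ARM64
	default 768
	help
	  Set the internal stack size for the MCUBoot log processing thread.

config MCUBOOT_INDICATION_LED
	bool "Turns on LED indication when device is in DFU"
	select GPIO
	help
	  The device activates the LED while in bootloader mode.
	  The mcuboot-led0 alias must be set in the device's .dts
	  definitions for this to work.

rsource "Kconfig.serial_recovery"

rsource "Kconfig.firmware_loader"

config BOOT_INTR_VEC_RELOC
	bool "Relocate the interrupt vector to the application"
	default n
	depends on SW_VECTOR_RELAY || CPU_CORTEX_M_HAS_VTOR
	help
	  Relocate the interrupt vector to the application before it is
	  started. Select this option if the application requires vector
	  relocation but does not relocate the vector in its own reset
	  handler.

config UPDATEABLE_IMAGE_NUMBER
	int "Number of updateable images"
	default 1
	range 1 1 if SINGLE_APPLICATION_SLOT || SINGLE_APPLICATION_SLOT_RAM_LOAD
	help
	  Number of images that MCUboot manages; values greater than 1
	  enable support for multi-image updates.

config BOOT_VERSION_CMP_USE_BUILD_NUMBER
	bool "Use build number while comparing image version"
	depends on (UPDATEABLE_IMAGE_NUMBER > 1) || BOOT_DIRECT_XIP || \
		   BOOT_RAM_LOAD || MCUBOOT_DOWNGRADE_PREVENTION
	help
	  By default, the image version comparison relies only on the version
	  major, minor and revision. Enable this option to take the build
	  number into account as well.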
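
choice BOOT_DOWNGRADE_PREVENTION_CHOICE
	prompt "Downgrade prevention"
	optional

config MCUBOOT_DOWNGRADE_PREVENTION
	bool "SW based downgrade prevention"
	depends on !BOOT_DIRECT_XIP
	help
	  Prevent downgrades by enforcing incrementing version numbers.
	  When this option is set, any upgrade must have a greater major
	  version, or a greater minor version with an equal major version.
	  This mechanism only protects against some downgrade attacks: it
	  is enforced on the upgrade path only, so anyone with direct flash
	  write access (for example via JTAG) can still install an older
	  version.

config MCUBOOT_DOWNGRADE_PREVENTION_SECURITY_COUNTER
	bool "Use image security counter instead of version number"
	depends on MCUBOOT_DOWNGRADE_PREVENTION
	depends on (BOOT_SWAP_USING_MOVE || BOOT_SWAP_USING_SCRATCH || BOOT_SWAP_USING_OFFSET)
	help
	  The security counter is used for the version eligibility check
	  instead of the pure version. When this option is set, any upgrade
	  must have a greater or equal security counter value.
	  Because equal values are accepted, this still allows software
	  downgrades to some extent (between images sharing a counter value).

config MCUBOOT_HW_DOWNGRADE_PREVENTION
	bool "HW based downgrade prevention"
	help
	  Prevent undesirable/malicious software downgrades using a
	  hardware-backed security counter. When this option is set, any
	  upgrade must have a greater or equal security counter value.
	  Because equal values are accepted, this still allows software
	  downgrades to some extent (between images sharing a counter value).

endchoice

config BOOT_WATCHDOG_FEED
	bool "Feed the watchdog while doing swap"
	default y if WATCHDOG
	default y if SOC_FAMILY_NORDIC_NRF
	imply BOOT_WATCHDOG_FEED_NRFX_WDT if SOC_FAMILY_NORDIC_NRF
	help
	  Enables the implementation of the MCUBOOT_WATCHDOG_FEED() macro,
	  which is used to feed the watchdog while doing time-consuming
	  operations.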
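
config BOOT_WATCHDOG_FEED_NRFX_WDT
	bool "Feed the watchdog using NRFX WDT directly"
	depends on SOC_FAMILY_NORDIC_NRF
	# for nRF an nrfx based implementation is available
	imply NRFX_WDT
	imply NRFX_WDT0
	imply NRFX_WDT1
	imply NRFX_WDT30
	imply NRFX_WDT31

config BOOT_IMAGE_ACCESS_HOOKS
	bool "Enable hooks for overriding MCUboot's native routines"
	help
	  Allows providing procedures that override or extend MCUboot's
	  native routines for accessing the image data and performing the
	  image update. It is up to the project customization to add the
	  required source files to the build. Code supplied through these
	  hooks replaces bootloader logic and is therefore part of the
	  bootloader's trust boundary.

config BOOT_GO_HOOKS
	bool "Enable hooks for overriding MCUBOOT's boot_go routine"
	help
	  Allows providing procedures that override or extend MCUboot's
	  native boot_go routine. It is up to the project customization to
	  add the required source files to the build. Code supplied through
	  these hooks replaces bootloader logic and is therefore part of the
	  bootloader's trust boundary.

config BOOT_FLASH_AREA_HOOKS
	bool "Enable hooks for overriding MCUboot's flash area routines"
	help
	  Allows providing procedures that override or extend MCUboot's
	  native flash area routines. It is up to the project customization
	  to add the required source files to the build. Code supplied
	  through these hooks replaces bootloader logic and is therefore
	  part of the bootloader's trust boundary.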
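
config MCUBOOT_ACTION_HOOKS
	bool "Enable hooks for responding to MCUboot status changes"
	help
	  This will call a handler when the MCUboot status changes, which
	  allows for some level of user feedback, for instance changing an
	  LED status to indicate a failure, using the callback:
	  'void mcuboot_status_change(mcuboot_status_type_t status)' where
	  'mcuboot_status_type_t' is listed in
	  boot/bootutil/include/bootutil/mcuboot_status.h

config BOOT_DISABLE_CACHES
	bool "Disable I/D caches before chain-loading application"
	depends on CPU_HAS_ICACHE || CPU_HAS_DCACHE
	default y
	help
	  Flushes and disables the instruction and data caches on the CPU
	  prior to booting an application. This is required on some ARM
	  Cortex devices and increases protection against data leakage from
	  MCUboot to applications via these caches.

config MCUBOOT_BOOT_BANNER
	bool "Use MCUboot boot banner"
	depends on BOOT_BANNER
	depends on "$(APP_VERSION_EXTENDED_STRING)" != ""
	default y
	help
	  Uses an MCUboot boot banner instead of the default Zephyr one,
	  which will output the MCUboot name and version, followed by the
	  Zephyr name and version.

	  For example:

	  *** Booting MCUboot v2.0.0-72-g8c0e36c88663 ***
	  *** Using Zephyr OS build v3.6.0-2607-gd0be2010c31f ***

config BOOT_BANNER_STRING
	default "Using Zephyr OS build" if MCUBOOT_BOOT_BANNER

config BOOT_DECOMPRESSION_SUPPORT
	bool
	help
	  Hidden symbol which should be selected if the system provides
	  decompression support.

if BOOT_DECOMPRESSION_SUPPORT

menuconfig BOOT_DECOMPRESSION
	bool "Decompression"
	help
	  If enabled, includes support for compressed images being loaded to
	  the secondary slot, which then get decompressed into the primary
	  slot. This mode allows the secondary slot to be smaller than the
	  primary slot, which otherwise would not be allowed.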
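if BOOT_DECOMPRESSION

config BOOT_DECOMPRESSION_BUFFER_SIZE
	int "Write buffer size"
	# Bounded on both sides so a stray value cannot produce a zero-length or
	# oversized RAM buffer.
	range 16 16384
	default 4096
	help
	  The size of a secondary buffer used for writing decompressed data to the storage device.

endif # BOOT_DECOMPRESSION

endif # BOOT_DECOMPRESSION_SUPPORT

endmenu

config MCUBOOT_DEVICE_SETTINGS
	# Hidden selector for device-specific settings
	bool
	default y
	# CPU options
	select MCUBOOT_DEVICE_CPU_CORTEX_M0 if CPU_CORTEX_M0
	# Enable flash page layout if available
	select FLASH_PAGE_LAYOUT if FLASH_HAS_PAGE_LAYOUT
	# Enable flash_map module as flash I/O back-end
	select FLASH_MAP

config MCUBOOT_DEVICE_CPU_CORTEX_M0
	# Hidden selector for Cortex-M0 settings
	bool
	default n
	# Cortex-M0 cores without hardware vector table remap get the software
	# vector relay instead.
	select SW_VECTOR_RELAY if !CPU_CORTEX_M0_HAS_VECTOR_TABLE_REMAP

comment "Zephyr configuration options"

# Disabling MULTITHREADING provides a code size advantage, but
# it requires peripheral drivers (particularly a flash driver)
# that work properly without multithreading.
#
# If you know for sure that your hardware will work, you can default
# it to n here. Otherwise, having it on by default makes the most
# hardware work.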
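# The first matching default wins, so the USB-dependent cases come before
# the per-SoC "n" defaults.
config MULTITHREADING
	default y if BOOT_SERIAL_CDC_ACM # usb driver requires MULTITHREADING
	default y if BOOT_USB_DFU_GPIO || BOOT_USB_DFU_WAIT
	default n if SOC_FAMILY_NORDIC_NRF
	default n if SOC_FAMILY_ESPRESSIF_ESP32 && MCUBOOT
	default y

config LOG_PROCESS_THREAD
	default n # mcuboot has its own log processing thread

# override USB device name
config USB_DEVICE_PRODUCT
	default "MCUBOOT"

# use MCUboot's own log configuration
config MCUBOOT_BOOTUTIL_LIB_OWN_LOG
	bool
	default n

config MCUBOOT_VERIFY_IMG_ADDRESS
	bool "Verify reset address of image in secondary slot"
	depends on UPDATEABLE_IMAGE_NUMBER > 1
	depends on !BOOT_ENCRYPT_IMAGE
	depends on ARM
	# Defaulted on only for the no-swap case, which the help text identifies
	# as the one with no other way to recover from a mis-targeted update.
	default y if BOOT_UPGRADE_ONLY
	help
	  Verify that the reset address in the image located in the secondary slot
	  is contained within the corresponding primary slot. This is recommended
	  if swapping is not used (that is, BOOT_UPGRADE_ONLY is set). If a user
	  incorrectly uploads an update for image 1 to image 0's secondary slot,
	  MCUboot will overwrite image 0's primary slot with this image even
	  though it will not boot. If swapping is enabled this will be handled,
	  since the image will not confirm itself. If, however, swapping is not
	  enabled then the only mitigation is serial recovery. This feature can
	  also be useful when BOOT_DIRECT_XIP is enabled, to ensure that the image
	  linked at the correct address is loaded.

source "Kconfig.zephyr"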
