1# Copyright (c) 2017-2020 Linaro Limited
2# Copyright (c) 2020 Arm Limited
3# Copyright (c) 2023 Nordic Semiconductor ASA
4#
5# SPDX-License-Identifier: Apache-2.0
6#
7
8mainmenu "MCUboot configuration"
9
10comment "MCUboot-specific configuration options"
11
12# Hidden option to mark a project as MCUboot
13config MCUBOOT
14	default y
15	bool
16	select MPU_ALLOW_FLASH_WRITE if ARM_MPU
17	select USE_DT_CODE_PARTITION if HAS_FLASH_LOAD_OFFSET
18	select MCUBOOT_BOOTUTIL_LIB
19
20config BOOT_USE_MBEDTLS
21	bool
22	# Hidden option
23	default n
24	help
25	  Use mbedTLS for crypto primitives.
26
27config BOOT_USE_PSA_CRYPTO
28	bool
29	# Hidden option
30	help
31	  Hidden option set if using PSA Crypto for cryptography functionality.
32
33config BOOT_USE_TINYCRYPT
34	bool
35	# Hidden option
36	default n
37	# When building for ECDSA, we use our own copy of mbedTLS, so the
38	# Zephyr one must not be enabled or the MBEDTLS_CONFIG_FILE macros
39	# will collide.
40	select MBEDTLS_PROMPTLESS if ZEPHYR_MBEDTLS_MODULE
41	help
42	  Use TinyCrypt for crypto primitives.
43
44config BOOT_USE_CC310
45	bool
46	# Hidden option
47	default n
48	# When building for ECDSA, we use our own copy of mbedTLS, so the
49	# Zephyr one must not be enabled or the MBEDTLS_CONFIG_FILE macros
50	# will collide.
51	help
52	  Use cc310 for crypto primitives.
53
54config BOOT_USE_NRF_CC310_BL
55	bool
56	default n
57
58config NRFXLIB_CRYPTO
59	bool
60	default n
61
62config NRF_CC310_BL
63	bool
64	default n
65
66if BOOT_USE_MBEDTLS && MBEDTLS_BUILTIN
67
68config BOOT_AES_MBEDTLS_DEPENDENCIES
69	bool
70	select MBEDTLS_CIPHER_AES_ENABLED
71	select MBEDTLS_CIPHER_MODE_CTR_ENABLED
72
73endif
74
75menu "MCUBoot settings"
76
77config SINGLE_APPLICATION_SLOT
78	bool "Single slot bootloader"
79	default n
80	help
81	  Single image area is used for application which means that
82	  uploading a new application overwrites the one that previously
83	  occupied the area.
84
85config BOOT_IMG_HASH_ALG_SHA256_ALLOW
86	bool
87	help
88	  Hidden option set by configurations that allow SHA256
89
90config BOOT_IMG_HASH_ALG_SHA384_ALLOW
91	bool
92	help
93	  Hidden option set by configurations that allow SHA384
94
95config BOOT_IMG_HASH_ALG_SHA512_ALLOW
96	bool
97	help
98	  Hidden option set by configurations that allow SHA512
99
100config BOOT_IMG_HASH_DIRECTLY_ON_STORAGE
101	bool "Hash calculation functions access storage through address space"
102	depends on !BOOT_ENCRYPT_IMAGE
103	help
104	  When the storage device can be mapped, at least for read operations,
105	  into the address space or a RAM area, enabling this option allows hash
106	  calculation functions to access the storage directly through that address
107	  space or using their own DMA. This reduces the flash read overhead incurred
108	  by MCUboot.
109	  Notes:
110	    - not supported when encrypted images are in use, because calculating
111	      SHA requires image to be decrypted first, which is done in RAM.
112	    - currently only supported on internal storage of devices; this
113	      option will not work with devices that use external storage for
114	      either of the image slots.
115
116choice BOOT_IMG_HASH_ALG
117	prompt "Selected image hash algorithm"
118	default BOOT_IMG_HASH_ALG_SHA256 if BOOT_IMG_HASH_ALG_SHA256_ALLOW
119	default BOOT_IMG_HASH_ALG_SHA384 if BOOT_IMG_HASH_ALG_SHA384_ALLOW
120	default BOOT_IMG_HASH_ALG_SHA512 if BOOT_IMG_HASH_ALG_SHA512_ALLOW
121	help
122	  Hash algorithm used for image verification. Selection
123	  here may be limited by other configurations, like for
124	  example selected cryptographic signature.
125
126config BOOT_IMG_HASH_ALG_SHA256
127	bool "SHA256"
128	depends on BOOT_IMG_HASH_ALG_SHA256_ALLOW
129	help
130	  SHA256 algorithm
131
132config BOOT_IMG_HASH_ALG_SHA384
133	bool "SHA384"
134	depends on BOOT_IMG_HASH_ALG_SHA384_ALLOW
135	help
136	  SHA384 algorithm
137
138config BOOT_IMG_HASH_ALG_SHA512
139	bool "SHA512"
140	depends on BOOT_IMG_HASH_ALG_SHA512_ALLOW
141	help
142	  SHA512 algorithm
143
144endchoice # BOOT_IMG_HASH_ALG
145
146config BOOT_SIGNATURE_TYPE_PURE_ALLOW
147	bool
148	help
149	  Hidden option set by configurations that allow the Pure variant,
150	  for example ed25519. The pure variant means that the image
151	  signature is calculated over the entire image instead of over the
152	  hash of the image.
153
154choice BOOT_SIGNATURE_TYPE
155	prompt "Signature type"
156	default BOOT_SIGNATURE_TYPE_RSA
157
158config BOOT_SIGNATURE_TYPE_NONE
159	bool "No signature; use only hash check"
160	select BOOT_USE_TINYCRYPT
161	select BOOT_IMG_HASH_ALG_SHA256_ALLOW
162
163config BOOT_SIGNATURE_TYPE_RSA
164	bool "RSA signatures"
165	select BOOT_USE_MBEDTLS
166	select MBEDTLS
167	select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN
168	select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED if MBEDTLS_BUILTIN
169	select BOOT_ENCRYPTION_SUPPORT
170	select BOOT_IMG_HASH_ALG_SHA256_ALLOW
171	select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE
172
173if BOOT_SIGNATURE_TYPE_RSA
174config BOOT_SIGNATURE_TYPE_RSA_LEN
175	int "RSA signature length"
176	range 2048 3072
177	default 2048
178endif
179
180config BOOT_SIGNATURE_TYPE_ECDSA_P256
181	bool "Elliptic curve digital signatures with curve P-256"
182	select BOOT_ENCRYPTION_SUPPORT
183	select BOOT_IMG_HASH_ALG_SHA256_ALLOW
184
185if BOOT_SIGNATURE_TYPE_ECDSA_P256
186choice BOOT_ECDSA_IMPLEMENTATION
187	prompt "Ecdsa implementation"
188	default BOOT_ECDSA_TINYCRYPT
189
190config BOOT_ECDSA_TINYCRYPT
191	bool "Use tinycrypt"
192	select BOOT_USE_TINYCRYPT
193
194config BOOT_ECDSA_CC310
195	bool "Use CC310"
196	depends on HAS_HW_NRF_CC310
197	select BOOT_USE_NRF_CC310_BL
198	select NRF_CC310_BL
199	select NRFXLIB_CRYPTO
200	select BOOT_USE_CC310
201endchoice # Ecdsa implementation
202endif
203
204config BOOT_SIGNATURE_TYPE_ED25519
205	bool "Edwards curve digital signatures using ed25519"
206	select BOOT_ENCRYPTION_SUPPORT if !BOOT_SIGNATURE_TYPE_PURE
207	select BOOT_IMG_HASH_ALG_SHA256_ALLOW if !BOOT_SIGNATURE_TYPE_PURE
208	# The SHA is used only for key hashing, not for images.
209	select BOOT_SIGNATURE_TYPE_PURE_ALLOW
210	help
211	  This is an ed25519 signature calculated over the SHA512 of the SHA256 of
212	  the application image.
213	  To check the signature over the entire image directly, rather than over
214	  its hash, select BOOT_SIGNATURE_TYPE_PURE.
215
216if BOOT_SIGNATURE_TYPE_ED25519
217
218config BOOT_SIGNATURE_TYPE_PURE
219	bool "Use Pure signature of image"
220	depends on BOOT_SIGNATURE_TYPE_PURE_ALLOW
221	help
222	  The Pure signature is calculated directly over the image rather than
223	  over the hash of the image, as BOOT_SIGNATURE_TYPE_ED25519 does by
224	  default.
225	  The image to be verified needs to be accessible through a memory address
226	  space that the cryptography functions can access via pointers.
227
228choice BOOT_ED25519_IMPLEMENTATION
229	prompt "Ed25519 implementation"
230	default BOOT_ED25519_TINYCRYPT
231config BOOT_ED25519_TINYCRYPT
232	bool "Use tinycrypt"
233	select BOOT_USE_TINYCRYPT
234	select BOOT_IMG_HASH_ALG_SHA512_ALLOW
235config BOOT_ED25519_MBEDTLS
236	bool "Use mbedTLS"
237	select BOOT_USE_MBEDTLS
238	select MBEDTLS
239	select MBEDTLS_ASN1_PARSE_C if MBEDTLS_BUILTIN
240	select BOOT_AES_MBEDTLS_DEPENDENCIES if MBEDTLS_BUILTIN && BOOT_ENCRYPT_IMAGE
241
242endchoice
243endif
244
245endchoice
246
247config BOOT_SIGNATURE_KEY_FILE
248	string "PEM key file"
249	default "root-ec-p256.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256
250	default "root-ed25519.pem" if BOOT_SIGNATURE_TYPE_ED25519
251	default "root-rsa-3072.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=3072
252	default "root-rsa-2048.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=2048
253	default ""
254	help
255	  You can use either absolute or relative path.
256	  In case relative path is used, the build system assumes that it starts
257	  from the directory where the MCUBoot KConfig configuration file is
258	  located. If the key file is not there, the build system uses relative
259	  path that starts from the MCUBoot repository root directory.
260	  The key file will be parsed by imgtool's getpub command and a .c source
261	  with the public key information will be written in a format expected by
262	  MCUboot.
263
264config MCUBOOT_CLEANUP_ARM_CORE
265	bool "Perform core cleanup before chain-load the application"
266	depends on CPU_CORTEX_M
267	default y
268	help
269	  This option instructs MCUboot to perform a clean-up of a set of
270	  architecture core HW registers before jumping to the application
271	  firmware. The clean-up sets these registers to their warm-reset
272	  values as specified by the architecture.
273
274	  This option is enabled by default to prevent possible problems when
275	  booting zephyr (or other) applications whereby e.g. an MPU stack guard
276	  may be initialised in RAM which is then used by the application
277	  start-up code which can cause a module fault and potentially make the
278	  module irrecoverable.
279
280config MCUBOOT_CLEANUP_RAM
281	bool "Perform RAM cleanup"
282	depends on CPU_CORTEX_M4 || CPU_CORTEX_M33
283	help
284	  Sets contents of memory to 0 before jumping to application.
285
286if MBEDTLS
287
288config MBEDTLS_CFG_FILE
289	default "config-tls-generic.h" if MBEDTLS_BUILTIN
290	default "mcuboot-mbedtls-cfg.h" if BOOT_USE_MBEDTLS
291
292endif
293
294config BOOT_HW_KEY
295	bool "Use HW key for image verification"
296	default n
297	help
298	  Use HW key for image verification, otherwise the public key is embedded
299	  in MCUBoot. If enabled the public key is appended to the signed image
300	  and requires the hash of the public key to be provisioned to the device
301	  beforehand.
302
303config BOOT_VALIDATE_SLOT0
304	bool "Validate image in the primary slot on every boot"
305	default y
306	help
307	  If y, the bootloader attempts to validate the signature of the
308	  primary slot on every boot. This adds the signature check time to
309	  every boot, but can mitigate some changes that are able to modify
310	  the flash image itself.
311
312config BOOT_VALIDATE_SLOT0_ONCE
313	bool "Validate image in the primary slot just once after upgrade"
314	depends on !BOOT_VALIDATE_SLOT0 && SINGLE_APPLICATION_SLOT
315	default n
316	help
317	  If y, the bootloader attempts to validate the signature of the
318	  primary slot only once after an upgrade of the main slot.
319	  It caches the result in the magic area, which makes this an insecure
320	  method. This option is useful for lowering the boot-up time of
321	  low-end devices, at the cost of a lower security level.
322	  If unsure, leave at the default value.
323
324config BOOT_PREFER_SWAP_OFFSET
325	bool "Prefer the newer swap offset algorithm"
326	help
327	  If y, the BOOT_IMAGE_UPGRADE_MODE will default to using "offset" instead of "scratch".
328	  This is a separate bool config option, because Kconfig doesn't allow defaults to be
329	  overridden in choice options. Most devices should be using swap using offset mode.
330
331config BOOT_PREFER_SWAP_MOVE
332	bool "Prefer the newer swap move algorithm"
333	default y if SOC_FAMILY_NORDIC_NRF
334	default y if !$(dt_nodelabel_enabled,scratch_partition)
335	help
336	  If y, the BOOT_IMAGE_UPGRADE_MODE will default to using
337	  "move" instead of "scratch".  This is a separate bool config
338	  option, because Kconfig doesn't allow defaults to be
339	  overridden in choice options. This mode has been superseded
340	  by swap using offset, but is kept to allow existing projects
341	  to make use of it.
342
343if !SINGLE_APPLICATION_SLOT
344choice BOOT_IMAGE_UPGRADE_MODE
345	prompt "Image upgrade modes"
346	default BOOT_SWAP_USING_OFFSET if BOOT_PREFER_SWAP_OFFSET
347	default BOOT_SWAP_USING_MOVE if BOOT_PREFER_SWAP_MOVE
348	default BOOT_SWAP_USING_SCRATCH
349
350config BOOT_SWAP_USING_SCRATCH
351	bool "Swap mode that runs with the scratch partition"
352	help
353	  This is the most conservative swap mode but it can work even on
354	  devices with heterogeneous flash page layout.
355
356config BOOT_UPGRADE_ONLY
357	bool "Overwrite image updates instead of swapping"
358	help
359	  If y, overwrite the primary slot with the upgrade image instead
360	  of swapping them. This prevents the fallback recovery, but
361	  uses a much simpler code path.
362
363config BOOT_SWAP_USING_OFFSET
364	bool "Swap using offset mode without scratch partition"
365	help
366	  If y, the swap upgrade is done by moving each sector X+1 in the secondary slot to
367	  index X in the primary slot, then moving the sector at X+1 in the primary slot to
368	  index X in the secondary slot.
369	  This allows a swap upgrade without using a scratch partition, but is currently limited
370	  to all sectors in both slots being of the same size. This mode offers faster swap times
371	  with less flash endurance usage than swap using move; firmware updates must be placed at
372	  the second sector of the secondary slot instead of the first.
373
374config BOOT_SWAP_USING_MOVE
375	bool "Swap using move mode without scratch partition"
376	help
377	  If y, the swap upgrade is done in two steps, where first every
378	  sector of the primary slot is moved up one sector, then for
379	  each sector X in the secondary slot, it is moved to index X in
380	  the primary slot, then the sector at X+1 in the primary is
381	  moved to index X in the secondary.
382	  This allows a swap upgrade without using a scratch partition,
383	  but is currently limited to all sectors in both slots being of
384	  the same size.
385
386config BOOT_DIRECT_XIP
387	bool "Run the latest image directly from its slot"
388	help
389	  If y, mcuboot selects the newest valid image based on the image version
390	  numbers, thereafter the selected image can run directly from its slot
391	  without having to move/copy it into the primary slot. For this reason the
392	  images must be linked to be executed from the given image slot. Using this
393	  mode results in a simpler code path and smaller code size.
394
395config BOOT_RAM_LOAD
396	bool "RAM load"
397	help
398	  If y, mcuboot selects the newest valid image based on the image version
399	  numbers, thereafter the selected image is copied to RAM and executed from
400	  there. For this reason, the image has to be linked to be executed from RAM.
401	  The address that the image is copied to is specified using the load-addr
402	  argument to the imgtool.py script which writes it to the image header.
403
404config BOOT_FIRMWARE_LOADER
405	bool "Firmware loader"
406	help
407	  If y, mcuboot will have a single application slot, and the secondary
408	  slot will be for a non-upgradeable firmware loaded image (e.g. for
409	  loading firmware via Bluetooth). The main application will boot by
410	  default unless there is an error with it or the boot mode has been
411	  forced to the firmware loader.
412
413	  Note: The firmware loader image must be signed with the same signing
414	  key as the primary image.
415
416endchoice
417
418config BOOT_DIRECT_XIP_REVERT
419	bool "Enable the revert mechanism in direct-xip mode"
420	depends on BOOT_DIRECT_XIP
421	default n
422	help
423	  If y, enables the revert mechanism in direct-xip similar to the one in
424	  swap mode. It requires the trailer magic to be added to the signed image.
425	  When a reboot happens without the image being confirmed at runtime, the
426	  bootloader considers the image faulty and erases it. After this it will
427	  attempt to boot the previous image. The images can also be made permanent
428	  (marked as confirmed in advance) just like in swap mode.
429
430config BOOT_BOOTSTRAP
431	bool "Bootstrap an erased primary slot from the secondary slot"
432	default n
433	help
434	  If y, enables bootstrapping support. Bootstrapping allows an erased
435	  primary slot to be initialized from a valid image in the secondary slot.
436	  If unsure, leave at the default value.
437
438config BOOT_SWAP_SAVE_ENCTLV
439	bool "Save encrypted key TLVs instead of plaintext keys in swap metadata"
440	default n
441	depends on BOOT_ENCRYPT_IMAGE
442	help
443	  If y, instead of saving the encrypted image keys in plaintext in the
444	  swap resume metadata, save the encrypted image TLVs. This should be used
445	  when there is no security mechanism protecting the data in the primary
446	  slot from being dumped. If n is selected (default), the keys are written
447	  after being decrypted from the image TLVs and could be read by an
448	  attacker who has access to the flash contents of the primary slot (e.g.
449	  JTAG/SWD or primary slot in external flash).
450	  If unsure, leave at the default value.
451
452endif # !SINGLE_APPLICATION_SLOT
453
454config SINGLE_APPLICATION_SLOT_RAM_LOAD
455	bool "RAM load for single application slot"
456	help
457	  If y, the image is loaded to RAM and executed from there. For this reason,
458	  the image has to be linked to be executed from RAM. The address that the
459	  image is copied to is specified using the load-addr argument to the
460	  imgtool.py script which writes it to the image header.
461
462# Workaround for not being able to have commas in macro arguments
463DT_CHOSEN_Z_SRAM := zephyr,sram
464
465if BOOT_RAM_LOAD || SINGLE_APPLICATION_SLOT_RAM_LOAD
466config BOOT_IMAGE_EXECUTABLE_RAM_START
467	hex "Boot image executable ram start"
468	default $(dt_chosen_reg_addr_hex,$(DT_CHOSEN_Z_SRAM))
469
470config BOOT_IMAGE_EXECUTABLE_RAM_SIZE
471	int "Boot image executable base size"
472	default $(dt_chosen_reg_size_int,$(DT_CHOSEN_Z_SRAM),0)
473endif
474
475config FLASH_RUNTIME_SOURCES
476	bool "Images are read from flash partitions defined at runtime"
477	depends on SINGLE_APPLICATION_SLOT
478	help
479	  Instead of using information on the flash slots to decide which images
480	  to load/update, the application provides at runtime the information
481	  about which flash slot to load from. This is useful when the application
482	  reads the state of hardware straps or other sources to decide which
483	  image to load. Usually, the application will provide a boot_go_hook() to
484	  decide which image to load.
485
486config BOOT_ENCRYPTION_SUPPORT
487	bool
488	help
489	  Hidden option used to check if image encryption is supported.
490
491config BOOT_ENCRYPT_IMAGE
492	bool "Support for encrypted image updates"
493	depends on BOOT_ENCRYPTION_SUPPORT
494	select BOOT_ENCRYPT_RSA if BOOT_SIGNATURE_TYPE_RSA
495	select BOOT_ENCRYPT_EC256 if BOOT_SIGNATURE_TYPE_ECDSA_P256
496	select BOOT_ENCRYPT_X25519 if BOOT_SIGNATURE_TYPE_ED25519
497	depends on !SINGLE_APPLICATION_SLOT || MCUBOOT_SERIAL
498	help
499	  If y, images in the secondary slot can be encrypted and are decrypted
500	  on the fly when upgrading to the primary slot, as well as encrypted
501	  back when swapping from the primary slot to the secondary slot. The
502	  encryption mechanism must match the same type as the signature type,
503	  supported types include:
504	   - RSA-OAEP (2048 bits).
505	   - ECIES using primitives described under "ECIES-P256 encryption" in
506	     docs/encrypted_images.md.
507	   - ECIES using primitives described under "ECIES-X25519 encryption"
508	     in docs/encrypted_images.md.
509
510	  Note that for single slot operation, this can still be used to allow
511	  loading encrypted images via serial recovery which are then
512	  decrypted on-the-fly without needing a second slot.
513
514config BOOT_ENCRYPT_RSA
515	bool
516	help
517	  Hidden option selecting RSA encryption.
518
519config BOOT_ENCRYPT_EC256
520	bool
521	help
522	  Hidden option selecting EC256 encryption.
523
524config BOOT_ENCRYPT_X25519
525	bool
526	help
527	  Hidden option selecting x25519 encryption.
528
529config BOOT_ENCRYPTION_KEY_FILE
530	string "Encryption key file"
531	depends on BOOT_ENCRYPT_IMAGE
532	default "enc-rsa2048-priv.pem" if BOOT_ENCRYPT_RSA
533	default "enc-ec256-priv.pem" if BOOT_ENCRYPT_EC256
534	default "enc-x25519-priv.pem" if BOOT_ENCRYPT_X25519
535	default ""
536	help
537	  You can use either absolute or relative path.
538	  In case relative path is used, the build system assumes that it starts
539	  from the directory where the MCUBoot KConfig configuration file is
540	  located. If the key file is not there, the build system uses relative
541	  path that starts from the MCUBoot repository root directory.
542	  The key file will be parsed by imgtool's getpriv command and a .c source
543	  with the private key information will be written in a format expected by
544	  MCUboot.
545
546config BOOT_MAX_IMG_SECTORS_AUTO
547	bool "Calculate maximum sectors automatically"
548	default y
549	help
550	  If this option is enabled then the maximum number of supported sectors per image will
551	  be calculated automatically from the flash erase sizes and size of each partition for
552	  the first image.
553
554	  If this information is not available, or multiple images are used, then this option
555	  should be disabled and BOOT_MAX_IMG_SECTORS should be set instead.
556
557config BOOT_MAX_IMG_SECTORS
558	int "Maximum number of sectors per image slot"
559	default 128
560	depends on !BOOT_MAX_IMG_SECTORS_AUTO
561	help
562	  This option controls the maximum number of sectors that each of
563	  the two image areas can contain. Smaller values reduce MCUboot's
564	  memory usage; larger values allow it to support larger images.
565	  If unsure, leave at the default value.
566
567config BOOT_SHARE_BACKEND_AVAILABLE
568	bool
569	default n
570	help
571	  Hidden option which indicates if there is a sharing backend available.
572
573# Workaround for not being able to have commas in macro arguments
574DT_CHOSEN_BOOTLOADER_INFO := zephyr,bootloader-info
575
576config BOOT_SHARE_BACKEND_AVAILABLE
577	bool
578	default n
579	help
580	  Hidden option which indicates if there is a sharing backend available.
581
582choice BOOT_SHARE_BACKEND
583	prompt "Shared data backend"
584	default BOOT_SHARE_BACKEND_DISABLED
585
586config BOOT_SHARE_BACKEND_DISABLED
587	bool "Disabled"
588	help
589	  No data sharing support.
590
591config BOOT_SHARE_BACKEND_RETENTION
592	bool "Retention"
593	depends on RETENTION
594	depends on $(dt_chosen_enabled,$(DT_CHOSEN_BOOTLOADER_INFO))
595	select BOOT_SHARE_BACKEND_AVAILABLE
596	help
597	  Use retention to share data with application. Requires:
598	    - Retained memory area
599	    - Retention partition of retained memory area
600	    - Chosen node "zephyr,bootloader-info" to be set to the retention
601	      partition
602
603config BOOT_SHARE_BACKEND_EXTERNAL
604	bool "External (user-provided code)"
605	select BOOT_SHARE_BACKEND_AVAILABLE
606	help
607	  Use a custom user-specified storage.
608
609endchoice
610
611menuconfig BOOT_SHARE_DATA
612	bool "Save application specific data"
613	default n
614	depends on BOOT_SHARE_BACKEND_AVAILABLE
615	help
616	  This will allow data to be shared between MCUboot and an application,
617	  it does not include any information by default.
618
619	  Note: This requires a backend to function, see
620	  BOOT_SHARE_BACKEND_RETENTION for details on using the retention
621	  subsystem as a backend.
622
623config BOOT_SHARE_DATA_BOOTINFO
624	bool "Save boot information data"
625	default n
626	depends on BOOT_SHARE_DATA
627	help
628	  This will place information about the MCUboot configuration and
629	  running application into a shared memory area.
630
631menuconfig MEASURED_BOOT
632	bool "Store the boot state/measurements in shared memory area"
633	default n
634	depends on BOOT_SHARE_BACKEND_AVAILABLE
635	help
636	  If enabled, the bootloader will store certain boot measurements such as
637	  the hash of the firmware image in a shared memory area. This data can
638	  be used later by runtime services (e.g. by a device attestation service).
639
640	  Note: This requires a backend to function, see
641	  BOOT_SHARE_BACKEND_RETENTION for details on using the retention
642	  subsystem as a backend.
643
644config MEASURED_BOOT_MAX_CBOR_SIZE
645	int "Maximum CBOR size of boot state/measurements"
646	default 64
647	range 0 256
648	depends on MEASURED_BOOT
649	help
650	  The maximum size of the CBOR message which stores boot
651	  state/measurements.
652
653choice BOOT_FAULT_INJECTION_HARDENING_PROFILE
654	prompt "Fault injection hardening profile"
655	default BOOT_FIH_PROFILE_OFF
656
657config BOOT_FIH_PROFILE_OFF
658	bool "No hardening against hardware level fault injection"
659	help
660	  No hardening in SW against hardware level fault injection: power or
661	  clock glitching, etc.
662
663config BOOT_FIH_PROFILE_LOW
664	bool "Moderate level hardening against hardware level fault injection"
665	help
666	  Moderate level hardening: Long global fail loop to avoid break out,
667	  control flow integrity check to discover discrepancy in expected code
668	  flow.
669
670config BOOT_FIH_PROFILE_MEDIUM
671	bool "Medium level hardening against hardware level fault injection"
672	help
673	  Medium level hardening: Long global fail loop to avoid break out,
674	  control flow integrity check to discover discrepancy in expected code
675	  flow, double variables to discover register or memory corruption.
676
677config BOOT_FIH_PROFILE_HIGH
678	bool "Maximum level hardening against hardware level fault injection"
679	select MBEDTLS
680	help
681	  Maximum level hardening: Long global fail loop to avoid break out,
682	  control flow integrity check to discover discrepancy in expected code
683	  flow, double variables to discover register or memory corruption, random
684	  delays to make code execution less predictable. Random delays requires an
685	  entropy source.
686
687endchoice
688
689choice BOOT_USB_DFU
690	prompt "USB DFU"
691	default BOOT_USB_DFU_NO
692
693config BOOT_USB_DFU_NO
694	prompt "Disabled"
695
696config BOOT_USB_DFU_WAIT
697	bool "Wait for a prescribed duration to see if USB DFU is invoked"
698	select USB_DEVICE_STACK
699	select USB_DFU_CLASS
700	select IMG_MANAGER
701	select STREAM_FLASH
702	select MULTITHREADING
703	help
704	  If y, MCUboot waits for a prescribed duration of time to allow
705	  for USB DFU to be invoked. Please note DFU always updates the
706	  slot1 image.
707
708config BOOT_USB_DFU_GPIO
709	bool "Use GPIO to detect whether to trigger DFU mode"
710	select USB_DEVICE_STACK
711	select USB_DFU_CLASS
712	select IMG_MANAGER
713	select STREAM_FLASH
714	select MULTITHREADING
715	help
716	  If y, MCUboot uses GPIO to detect whether to invoke USB DFU.
717
718endchoice
719
720config BOOT_USB_DFU_WAIT_DELAY_MS
721	int "USB DFU wait duration"
722	depends on BOOT_USB_DFU_WAIT
723	default 12000
724	help
725	  Milliseconds to wait for USB DFU to be invoked.
726
727if BOOT_USB_DFU_GPIO
728
729config BOOT_USB_DFU_DETECT_DELAY
730	int "Serial detect pin detection delay time [ms]"
731	default 0
732	help
733	  Used to prevent the bootloader from loading on button press.
734	  Useful for powering on when using the same button as
735	  the one used to place the device in bootloader mode.
736
737endif # BOOT_USB_DFU_GPIO
738
739config BOOT_USB_DFU_NO_APPLICATION
740	bool "Stay in bootloader if no application"
741	help
742	  Allows for entering USB DFU recovery mode if there is no bootable
743	  application that the bootloader can jump to.
744
745config BOOT_USE_BENCH
746        bool "Enable benchmark code"
747        default n
748        help
749          If y, adds support for simple benchmarking that can record
750          time intervals between two calls.  The time printed depends
751          on the particular Zephyr target, and is generally ticks of a
752          specific board-specific timer.
753
754module = MCUBOOT
755module-str = MCUBoot bootloader
756source "subsys/logging/Kconfig.template.log_config"
757
758config MCUBOOT_LOG_THREAD_STACK_SIZE
759	int "Stack size for the MCUBoot log processing thread"
760	depends on LOG && !LOG_IMMEDIATE
761	default 2048 if COVERAGE_GCOV
762	default 1024 if NO_OPTIMIZATIONS
763	default 1024 if XTENSA
764	default 4096 if (X86 && X86_64)
765	default 4096 if ARM64
766	default 768
767	help
768	  Set the internal stack size for MCUBoot log processing thread.
769
770config MCUBOOT_INDICATION_LED
771	bool "Turns on LED indication when device is in DFU"
772	select GPIO
773	help
774	  The device activates the LED while in bootloader mode.
775	  The mcuboot-led0 alias must be set in the device's .dts
776	  definitions for this to work.
777
778rsource "Kconfig.serial_recovery"
779
780rsource "Kconfig.firmware_loader"
781
782config BOOT_INTR_VEC_RELOC
783	bool "Relocate the interrupt vector to the application"
784	default n
785	depends on SW_VECTOR_RELAY || CPU_CORTEX_M_HAS_VTOR
786	help
787	  Relocate the interrupt vector to the application before it is started.
788	  Select this option if the application requires vector relocation
789	  but does not relocate the vector in its reset handler.
790
791config UPDATEABLE_IMAGE_NUMBER
792	int "Number of updateable images"
793	default 1
794	range 1 1 if SINGLE_APPLICATION_SLOT || SINGLE_APPLICATION_SLOT_RAM_LOAD
795	help
796	  Enables support for multi-image updates.
797
798config BOOT_VERSION_CMP_USE_BUILD_NUMBER
799	bool "Use build number while comparing image version"
800	depends on (UPDATEABLE_IMAGE_NUMBER > 1) || BOOT_DIRECT_XIP || \
801		   BOOT_RAM_LOAD || MCUBOOT_DOWNGRADE_PREVENTION
802	help
803	  By default, the image version comparison relies only on version major,
804	  minor and revision. Enable this option to take into account the build
805	  number as well.
806
807choice BOOT_DOWNGRADE_PREVENTION_CHOICE
808	prompt "Downgrade prevention"
809	optional
810
811config MCUBOOT_DOWNGRADE_PREVENTION
812	bool "SW based downgrade prevention"
813	depends on !BOOT_DIRECT_XIP
814	help
815	  Prevent downgrades by enforcing incrementing version numbers.
816	  When this option is set, any upgrade must have greater major version
817	  or greater minor version with equal major version. This mechanism
818	  only protects against some attacks against version downgrades (for
819	  example, a JTAG could be used to write an older version).
820
821config MCUBOOT_DOWNGRADE_PREVENTION_SECURITY_COUNTER
822	bool "Use image security counter instead of version number"
823	depends on MCUBOOT_DOWNGRADE_PREVENTION
824	depends on (BOOT_SWAP_USING_MOVE || BOOT_SWAP_USING_SCRATCH || BOOT_SWAP_USING_OFFSET)
825	help
826       Security counter is used for the version eligibility check instead of the
827       version itself.  When this option is set, any upgrade must have a greater or
828       equal security counter value.
829       Because equal values are accepted, this still allows software
830       downgrades to some extent.
831
832config MCUBOOT_HW_DOWNGRADE_PREVENTION
833	bool "HW based downgrade prevention"
834	help
835	  Prevent undesirable/malicious software downgrades. When this option is
836	  set, any upgrade must have greater or equal security counter value.
837	  Because of the acceptance of equal values it allows for software
838	  downgrade to some extent.
839
840endchoice
841
842config BOOT_WATCHDOG_FEED
843	bool "Feed the watchdog while doing swap"
844	default y if WATCHDOG
845	default y if SOC_FAMILY_NORDIC_NRF
846	imply BOOT_WATCHDOG_FEED_NRFX_WDT if SOC_FAMILY_NORDIC_NRF
847	help
848	  Enables implementation of MCUBOOT_WATCHDOG_FEED() macro which is
849	  used to feed watchdog while doing time consuming operations.
850
851config BOOT_WATCHDOG_FEED_NRFX_WDT
852	bool "Feed the watchdog using NRFX WDT directly"
853	depends on SOC_FAMILY_NORDIC_NRF
854	# for nRF nrfx based implementation is available
855	imply NRFX_WDT
856	imply NRFX_WDT0
857	imply NRFX_WDT1
858	imply NRFX_WDT30
859	imply NRFX_WDT31
860
861config BOOT_IMAGE_ACCESS_HOOKS
862	bool "Enable hooks for overriding MCUboot's native routines"
863	help
864	  Allows providing procedures to override or extend MCUboot's native
865	  routines required for accessing the image data and performing the image
866	  update. It is up to the project customization to add the required source
867	  files to the build.
868
869config BOOT_GO_HOOKS
870	bool "Enable hooks for overriding MCUBOOT's boot_go routine"
871	help
	  Allow providing procedures that override or extend MCUboot's native
	  boot_go routine. It is up to the project customization to add the
	  required source files to the build.
875
876config BOOT_FLASH_AREA_HOOKS
877	bool "Enable hooks for overriding MCUboot's flash area routines"
878	help
	  Allow providing procedures that override or extend MCUboot's native
	  flash area routines. It is up to the project customization to add the
	  required source files to the build.
882
883config MCUBOOT_ACTION_HOOKS
884	bool "Enable hooks for responding to MCUboot status changes"
885	help
	  This will call a handler when the MCUboot status changes, which allows
	  for some level of user feedback, for instance changing an LED status to
	  indicate a failure, using the callback
	  'void mcuboot_status_change(mcuboot_status_type_t status)', where
	  'mcuboot_status_type_t' is defined in
	  boot/bootutil/include/bootutil/mcuboot_status.h
892
893config BOOT_DISABLE_CACHES
894	bool "Disable I/D caches before chain-loading application"
895	depends on CPU_HAS_ICACHE || CPU_HAS_DCACHE
896	default y
897	help
	  Flushes and disables the instruction and data caches on the CPU prior to
	  booting an application. This is required on some ARM Cortex devices and
	  increases protection against data leakage from MCUboot to applications via
	  these caches.
902
903config MCUBOOT_BOOT_BANNER
904	bool "Use MCUboot boot banner"
905	depends on BOOT_BANNER
906	depends on "$(APP_VERSION_EXTENDED_STRING)" != ""
907	default y
908	help
	  Uses an MCUboot boot banner instead of the default Zephyr one; it outputs the
	  MCUboot name and version, followed by the Zephyr name and version.
911
912	  For example:
913
914	    *** Booting MCUboot v2.0.0-72-g8c0e36c88663 ***
915	    *** Using Zephyr OS build v3.6.0-2607-gd0be2010c31f ***
916
917config BOOT_BANNER_STRING
918        default "Using Zephyr OS build" if MCUBOOT_BOOT_BANNER
919
920config BOOT_DECOMPRESSION_SUPPORT
921	bool
922	help
	  Hidden symbol which should be selected if the system provides decompression support.
924
925if BOOT_DECOMPRESSION_SUPPORT
926
927menuconfig BOOT_DECOMPRESSION
928	bool "Decompression"
929	help
	  If enabled, includes support for compressed images that are loaded into the secondary
	  slot and then decompressed into the primary slot. This mode allows the secondary slot
	  to be smaller than the primary slot, which otherwise would not be allowed.
933
934if BOOT_DECOMPRESSION
935
936config BOOT_DECOMPRESSION_BUFFER_SIZE
937	int "Write buffer size"
938	range 16 16384
939	default 4096
940	help
941	  The size of a secondary buffer used for writing decompressed data to the storage device.
942
943endif # BOOT_DECOMPRESSION
944
945endif # BOOT_DECOMPRESSION_SUPPORT
946
947endmenu
948
949config MCUBOOT_DEVICE_SETTINGS
950	# Hidden selector for device-specific settings
951	bool
952	default y
953        # CPU options
954	select MCUBOOT_DEVICE_CPU_CORTEX_M0 if CPU_CORTEX_M0
955        # Enable flash page layout if available
956	select FLASH_PAGE_LAYOUT if FLASH_HAS_PAGE_LAYOUT
957	# Enable flash_map module as flash I/O back-end
958	select FLASH_MAP
959
960config MCUBOOT_DEVICE_CPU_CORTEX_M0
961	# Hidden selector for Cortex-M0 settings
962	bool
963	default n
964	select SW_VECTOR_RELAY if !CPU_CORTEX_M0_HAS_VECTOR_TABLE_REMAP
965
966comment "Zephyr configuration options"
967
# Disabling MULTITHREADING provides a code size advantage, but
# it requires peripheral drivers (particularly a flash driver)
# that work properly with the option enabled.
#
# If you know for sure that your hardware will work, you can default
# it to n here. Otherwise, having it on by default makes the most
# hardware work.
975config MULTITHREADING
976	default y if BOOT_SERIAL_CDC_ACM #usb driver requires MULTITHREADING
977	default y if BOOT_USB_DFU_GPIO || BOOT_USB_DFU_WAIT
978	default n if SOC_FAMILY_NORDIC_NRF
979	default n if SOC_FAMILY_ESPRESSIF_ESP32 && MCUBOOT
980	default y
981
982config LOG_PROCESS_THREAD
983	default n # mcuboot has its own log processing thread
984
985# override USB device name
986config USB_DEVICE_PRODUCT
987	default "MCUBOOT"
988
989# use MCUboot's own log configuration
990config MCUBOOT_BOOTUTIL_LIB_OWN_LOG
991	bool
992	default n
993
994config MCUBOOT_VERIFY_IMG_ADDRESS
995	bool "Verify reset address of image in secondary slot"
996	depends on UPDATEABLE_IMAGE_NUMBER > 1
997	depends on !BOOT_ENCRYPT_IMAGE
998	depends on ARM
999	default y if BOOT_UPGRADE_ONLY
1000	help
	  Verify that the reset address in the image located in the secondary slot
	  is contained within the corresponding primary slot. This is recommended
	  if swapping is not used (that is, BOOT_UPGRADE_ONLY is set). If a user
	  incorrectly uploads an update for image 1 to image 0's secondary slot,
	  MCUboot will overwrite image 0's primary slot with this image even
	  though it will not boot. If swapping is enabled this will be handled,
	  since the image will not confirm itself. If, however, swapping is not
	  enabled, then the only mitigation is serial recovery. This feature can
	  also be useful when BOOT_DIRECT_XIP is enabled, to ensure that the image
	  linked at the correct address is loaded.
1011
1012source "Kconfig.zephyr"
1013