1# Configuration for the TF-M Module
2
3# Copyright (c) 2019, 2020 Linaro Limited
4# Copyright (c) 2020, 2021 Nordic Semiconductor ASA
5# SPDX-License-Identifier: Apache-2.0
6
7config ZEPHYR_TRUSTED_FIRMWARE_M_MODULE
8	bool
9
10config TFM_BOARD
11	string
12	default "nordic_nrf/nrf9160dk_nrf9160" if BOARD_NRF9160DK_NRF9160_NS
13	default "nordic_nrf/nrf5340dk_nrf5340_cpuapp" if BOARD_NRF5340DK_NRF5340_CPUAPP_NS
14	default "nxp/lpcxpresso55s69" if BOARD_LPCXPRESSO55S69_CPU0
15	default "arm/mps2/an521" if BOARD_MPS2_AN521_CPU0_NS
16	default "stm/nucleo_l552ze_q" if BOARD_NUCLEO_L552ZE_Q
17	default "stm/stm32l562e_dk" if BOARD_STM32L562E_DK
18	default "arm/musca_b1/sse_200" if BOARD_MUSCA_B1
19	default "arm/musca_s1" if BOARD_MUSCA_S1
20	default "lairdconnectivity/bl5340_dvk_cpuapp" if BOARD_BL5340_DVK_CPUAPP_NS
21	help
22	  The board name used for building TFM. Building with TFM requires that
23	  TFM has been ported to the given board/SoC.
24
25menuconfig BUILD_WITH_TFM
26	bool "Build with TF-M as the Secure Execution Environment"
27	depends on ZEPHYR_TRUSTED_FIRMWARE_M_MODULE
28	depends on TRUSTED_EXECUTION_NONSECURE
29	depends on TFM_BOARD != ""
30	depends on ARM_TRUSTZONE_M
31	select BUILD_OUTPUT_HEX
32	imply INIT_ARCH_HW_AT_BOOT
33	imply ARM_NONSECURE_PREEMPTIBLE_SECURE_CALLS
34	help
35	  When enabled, this option instructs the Zephyr build process to
36	  additionally generate a TF-M image for the Secure Execution
37	  environment, along with the Zephyr image. The Zephyr image
38	  itself is to be executed in the Non-Secure Processing Environment.
39	  The required dependency on TRUSTED_EXECUTION_NONSECURE
40	  ensures that the Zephyr image is built as a Non-Secure image. Both
41	  TF-M and Zephyr images, as well as the veneer object file that links
42	  them, are generated during the normal Zephyr build process.
43
44	  Notes:
45	    Building with the "_ns" BOARD variant (e.g. "mps2_an521_ns")
46		ensures that CONFIG_TRUSTED_EXECUTION_NONSECURE is enabled.
47
48	    By default we allow Zephyr preemptible threads be preempted
49	    while performing a secure function call.
50
51if BUILD_WITH_TFM
52
53config TFM_KEY_FILE_S
54	string "Path to private key used to sign secure firmware images."
55	depends on BUILD_WITH_TFM
56	default "${ZEPHYR_BASE}/../modules/tee/tfm/trusted-firmware-m/bl2/ext/mcuboot/root-RSA-3072.pem"
57	help
58	  The path and filename for the .pem file containing the private key
59	  that should be used by the BL2 bootloader when signing secure
60	  firmware images.
61
62config TFM_KEY_FILE_NS
63	string "Path to private key used to sign non-secure firmware images."
64	depends on BUILD_WITH_TFM
65	default "${ZEPHYR_BASE}/../modules/tee/tfm/trusted-firmware-m/bl2/ext/mcuboot/root-RSA-3072_1.pem"
66	help
67	  The path and filename for the .pem file containing the private key
68	  that should be used by the BL2 bootloader when signing non-secure
69	  firmware images.
70
71config TFM_PROFILE
72	string
73	depends on BUILD_WITH_TFM
74	default "profile_small" if TFM_PROFILE_TYPE_SMALL
75	default "profile_medium" if TFM_PROFILE_TYPE_MEDIUM
76	default "profile_large" if TFM_PROFILE_TYPE_LARGE
77	help
78	  Build profile used to build tfm_s image. The available values are
79	  profile_large, profile_medium and profile_small. The default profile
80	  does not need to have this configuration set.
81
82choice TFM_PROFILE_TYPE
83	prompt "TF-M build profile"
84	depends on BUILD_WITH_TFM
85	default TFM_PROFILE_TYPE_NOT_SET
86	help
87	  The TF-M build profile selection. Can be empty (not set),
88	  small, medium or large. Certain profile types enable other
89	  TF-M configuration options, namely, the IPC model and the
90	  isolation level.
91
92config TFM_PROFILE_TYPE_NOT_SET
93	bool "TF-M build profile is not set"
94
95config TFM_PROFILE_TYPE_SMALL
96	bool "TF-M build profile: small"
97
98config TFM_PROFILE_TYPE_MEDIUM
99	bool "TF-M build profile: medium"
100
101config TFM_PROFILE_TYPE_LARGE
102	bool "TF-M build profile: large"
103
104endchoice
105
106choice TFM_CMAKE_BUILD_TYPE
107	prompt "The build type for TFM"
108	default TFM_CMAKE_BUILD_TYPE_RELEASE if SPEED_OPTIMIZATIONS && BUILD_OUTPUT_STRIPPED
109	default TFM_CMAKE_BUILD_TYPE_MINSIZEREL if SIZE_OPTIMIZATIONS
110	default TFM_CMAKE_BUILD_TYPE_DEBUG if DEBUG_OPTIMIZATIONS
111	default TFM_CMAKE_BUILD_TYPE_RELWITHDEBINFO
112
113config TFM_CMAKE_BUILD_TYPE_RELEASE
114	bool "Release build"
115
116config TFM_CMAKE_BUILD_TYPE_RELWITHDEBINFO
117	bool "Release build with Debug info"
118
119config TFM_CMAKE_BUILD_TYPE_MINSIZEREL
120	bool "Release build, optimized for size"
121
122config TFM_CMAKE_BUILD_TYPE_DEBUG
123	bool "Debug build"
124
125endchoice
126
127config TFM_ISOLATION_LEVEL
128	int "Isolation level setting." if (TFM_PROFILE_TYPE_NOT_SET && TFM_IPC)
129	range 1 3
130	depends on BUILD_WITH_TFM
131	default 1 if TFM_PROFILE_TYPE_SMALL || !TFM_IPC
132	default 2 if TFM_PROFILE_TYPE_MEDIUM
133	default 3 if TFM_PROFILE_TYPE_LARGE
134	help
135	  Manually set the required TFM isolation level. Possible values are
136	  1,2 or 3; the default is set by build configuration. When TF-M
137	  Profile option is supplied, do not allow manual setting of the
138	  isolation level, as it is determined by the profile setting.
139	  As isolation levels 2 and 3 require PSA_API (TFM_IPC) support,
140	  force level 1 when TFM_IPC is not enabled.
141
142config TFM_BL2
143	bool "Add MCUboot to TFM"
144	default y
145	help
146	  TFM is designed to run with MCUboot in a certain configuration.
147	  This config adds MCUboot to the build - built via TFM's build system.
148
149if TFM_BL2
150
151config TFM_MCUBOOT_IMAGE_NUMBER
152	int "Granularity of FW updates of TFM and app"
153	range 1 2
154	default 2
155	help
156	  How many images the bootloader sees when it looks at TFM and the app.
157	  When this is 1, the S and NS are considered as 1 image and must be
158	  updated in one atomic operation. When this is 2, they are split and
159	  can be updated independently if dependency requirements are met.
160
161choice TFM_MCUBOOT_PATH
162	prompt "Path to MCUboot or DOWNLOAD to fetch automatically"
163	default TFM_MCUBOOT_PATH_LOCAL
164	help
165	   Path to MCUboot for TF-M builds. The default option
166	   is to use Zephyr's MCUboot module. As an alternative,
167	   users may switch to the 'download' version; in that
168	   case MCUboot will be fetched by the TF-M build during
169	   build time. The default option ensures that Zephyr builds
170	   with TF-M do not fetch external trees.
171
172config TFM_MCUBOOT_PATH_LOCAL
173	bool "TF-M to use Zephyr's MCUboot"
174	help
175	  TF-M builds with BL2 will use the Zephyr's MCUboot version,
176	  which is present in the MCUboot module.
177
178config TFM_MCUBOOT_PATH_DOWNLOAD
179	bool "TF-M to automatically download MCUboot during build"
180	help
181	  TF-M bulds with BL2 will let the TF-M build to automatically
182	  fetch and check-out the MCUboot version to use in the build.
183
184endchoice
185
186endif # TFM_BL2
187
188config TFM_IPC
189	bool "IPC" if TFM_PROFILE_TYPE_NOT_SET
190	default y if (TFM_PROFILE_TYPE_MEDIUM || TFM_PROFILE_TYPE_LARGE)
191	help
192	  When enabled, this option signifies that the TF-M build supports
193	  the PSA API (IPC mode) instead of the secure library mode. When
194	  TF-M Profile option is supplied, do not allow manual setting of
195	  the IPC mode, as it is determined by the profile setting.
196
197config TFM_REGRESSION_S
198	bool "TF-M Secure Regression tests"
199	help
200	  When enabled, this option signifies that the TF-M build includes
201	  the Secure domain regression tests.
202
203config TFM_REGRESSION_NS
204	bool "Use the TF-M Non-Secure Regression test application"
205	help
206	  When this is enabled, the Zephyr application as a whole will be
207	  replaced with the TF-M Non-Secure Regression test application.
208
209choice TFM_PSA_TEST
210	prompt "Enable a PSA test suite"
211	default TFM_PSA_TEST_NONE
212
213config TFM_PSA_TEST_CRYPTO
214	bool "Crypto tests"
215	depends on MAIN_STACK_SIZE >= 4096
216	help
217	  Enable the PSA Crypto test suite.
218
219config TFM_PSA_TEST_PROTECTED_STORAGE
220	bool "Storage tests"
221	help
222	  Enable the PSA Protected Storage test suite.
223
224config TFM_PSA_TEST_INTERNAL_TRUSTED_STORAGE
225	bool "Internal Trusted Storage tests"
226	help
227	  Enable the PSA Internal Trusted Storage test suite.
228
229config TFM_PSA_TEST_STORAGE
230	bool "Storage tests"
231	help
232	  Enable the PSA Storage test suite. This is a combination of the
233	  protected storage and internal trusted storage tests.
234
235config TFM_PSA_TEST_INITIAL_ATTESTATION
236	bool "Initial attestation tests"
237	depends on MAIN_STACK_SIZE >= 4096
238	help
239	  Enable the PSA Initial Attestation test suite.
240
241config TFM_PSA_TEST_NONE
242	bool "No PSA test suite"
243
244endchoice
245
246if TFM_BL2
247
248config ROM_START_OFFSET
249	hex "ROM Start Offset accounting for BL2 Header in the NS image"
250	default 0x400
251	help
252	  By default BL2 header size in TF-M is 0x400. ROM_START_OFFSET
253	  needs to be updated if TF-M switches to use a different header
254	  size for BL2.
255
256endif # !TFM_BL2
257
258# Option to instruct flashing a merged binary consisting of BL2 (optionally),
259# TF-M (Secure), and application (Non-Secure).
260config TFM_FLASH_MERGED_BINARY
261	bool
262	help
263		This option instructs west flash to program the
264		combined (merged) binary consisting of the TF-M
265		Secure firmware image, optionally, the BL2 image
266		(if building with TFM_BL2 is enabled), and the
267		Non-Secure application firmware.
268
269endif # BUILD_WITH_TFM
270