1#-------------------------------------------------------------------------------
2# Copyright (c) 2022-2024, Arm Limited. All rights reserved.
3#
4# SPDX-License-Identifier: BSD-3-Clause
5#
6#-------------------------------------------------------------------------------
7
8set(RSE_XIP                             OFF        CACHE BOOL     "Whether to run runtime firmware XIP via the SIC")
9
10if (RSE_XIP)
11    set(PLATFORM_DEFAULT_IMAGE_SIGNING      OFF        CACHE BOOL     "Use default image signing implementation")
12
13    set(MCUBOOT_S_IMAGE_FLASH_AREA_NUM      10         CACHE STRING   "ID of the flash area containing the primary Secure image")
14    set(MCUBOOT_NS_IMAGE_FLASH_AREA_NUM     11         CACHE STRING   "ID of the flash area containing the primary Non-Secure image")
15endif()
16
17set(RSE_USE_HOST_UART                   ON         CACHE BOOL     "Whether RSE should setup to use the UART from the host system")
18set(RSE_HAS_EXPANSION_PERIPHERALS       OFF        CACHE BOOL     "Whether RSE has sub-platform specific peripherals in the expansion layer")
19
20set(CRYPTO_HW_ACCELERATOR               ON         CACHE BOOL     "Whether to enable the crypto hardware accelerator on supported platforms")
21set(PLATFORM_DEFAULT_OTP                OFF        CACHE BOOL     "Use trusted on-chip flash to implement OTP memory")
22set(PLATFORM_DEFAULT_CRYPTO_KEYS        OFF        CACHE BOOL     "Use default crypto keys implementation.")
23set(PLATFORM_DEFAULT_PROVISIONING       OFF        CACHE BOOL     "Use default provisioning implementation")
24set(TFM_BL1_DEFAULT_PROVISIONING        OFF        CACHE BOOL     "Whether BL1_1 will use default provisioning")
25set(PLATFORM_DEFAULT_NV_SEED            OFF        CACHE BOOL     "Use default NV seed implementation.")
26set(PLATFORM_DEFAULT_NV_COUNTERS        OFF        CACHE BOOL     "Use default nv counter implementation.")
27set(PLATFORM_DEFAULT_ATTEST_HAL         OFF        CACHE BOOL     "Use default attest hal implementation.")
28set(PLATFORM_DEFAULT_SYSTEM_RESET_HALT  OFF        CACHE BOOL     "Use default system reset/halt implementation")
29set(PLATFORM_HAS_BOOT_DMA               ON         CACHE BOOL     "Enable dma support for memory transactions for bootloader")
30set(PLATFORM_BOOT_DMA_MIN_SIZE_REQ      0x40       CACHE STRING   "Minimum transaction size (in bytes) required to enable dma support for bootloader")
31set(PLATFORM_SVC_HANDLERS               ON         CACHE BOOL     "Platform supports custom SVC handlers")
32
33set(BL1                                 ON         CACHE BOOL     "Whether to build BL1")
34set(PLATFORM_DEFAULT_BL1                ON         CACHE STRING   "Whether to use default BL1 or platform-specific one")
35set(TFM_BL1_SOFTWARE_CRYPTO             OFF        CACHE BOOL     "Whether BL1_1 will use software crypto")
36set(TFM_BL1_MEMORY_MAPPED_FLASH         ON         CACHE BOOL     "Whether BL1 can directly access flash content")
37set(TFM_BL1_PQ_CRYPTO                   ON         CACHE BOOL     "Enable LMS PQ crypto for BL2 verification. This is experimental and should not yet be used in production")
38set(TFM_BL1_DUMMY_TRNG                  OFF        CACHE BOOL     "Whether BL1_1 will use dummy TRNG")
39if (RSE_BRINGUP_OTP_EMULATION)
40    set(TFM_BL1_2_IN_OTP                FALSE      CACHE BOOL      "Whether BL1_2 is stored in OTP")
41endif()
42
43set(BL2                                 ON         CACHE BOOL     "Whether to build BL2")
44set(MCUBOOT_UPGRADE_STRATEGY            "RAM_LOAD" CACHE STRING   "Upgrade strategy when multiple boot images are loaded [OVERWRITE_ONLY, SWAP, DIRECT_XIP, RAM_LOAD]")
45set(MCUBOOT_IMAGE_NUMBER                4          CACHE STRING   "Number of images supported by MCUBoot")
46set(DEFAULT_MCUBOOT_FLASH_MAP           OFF        CACHE BOOL     "Whether to use the default flash map defined by TF-M project")
47set(MCUBOOT_S_IMAGE_FLASH_AREA_NUM      2          CACHE STRING   "ID of the flash area containing the primary Secure image")
48set(MCUBOOT_NS_IMAGE_FLASH_AREA_NUM     3          CACHE STRING   "ID of the flash area containing the primary Non-Secure image")
49set(RSE_USE_HOST_FLASH                  ON         CACHE BOOL     "Enable RSE using the host flash.")
50set(RSE_LOAD_NS_IMAGE                   ON         CACHE BOOL     "Whether to load an RSE NSPE image")
51
52set(TFM_PARTITION_CRYPTO                ON         CACHE BOOL     "Enable Crypto partition")
53set(TFM_PARTITION_PROTECTED_STORAGE     OFF        CACHE BOOL     "Enable Protected Storage partition")
54set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE OFF     CACHE BOOL     "Enable Internal Trusted Storage partition")
55set(TFM_PARTITION_PLATFORM              ON         CACHE BOOL     "Enable Platform partition")
56set(MEASURED_BOOT_HASH_ALG              PSA_ALG_SHA_256 CACHE STRING "Hash algorithm used by Measured boot services")
57set(TFM_MBEDCRYPTO_PLATFORM_EXTRA_CONFIG_PATH ${CMAKE_CURRENT_LIST_DIR}/mbedtls_extra_config.h CACHE PATH "Config to append to standard Mbed Crypto config, used by platforms to cnfigure feature support")
58
59set(TFM_ATTESTATION_SCHEME              "PSA"      CACHE STRING   "Attestation scheme to use [OFF, PSA, CCA, DPE]")
60
61set(TFM_EXTRAS_REPO_PATH                "DOWNLOAD" CACHE PATH    "Path to tf-m-extras repo (or DOWNLOAD to fetch automatically")
62set(TFM_EXTRAS_REPO_VERSION             "4b8a6d6"  CACHE STRING  "The version of tf-m-extras to use")
63set(TFM_EXTRAS_REPO_EXTRA_PARTITIONS    "measured_boot;delegated_attestation;dice_protection_environment" CACHE STRING "List of extra secure partition directory name(s)")
64# Below TFM_EXTRAS_REPO_EXTRA_MANIFEST_LIST path is relative to tf-m-extras repo
65set(TFM_EXTRAS_REPO_EXTRA_MANIFEST_LIST "partitions/measured_boot/measured_boot_manifest_list.yaml;partitions/delegated_attestation/delegated_attestation_manifest_list.yaml;partitions/dice_protection_environment/dpe_manifest_list.yaml" CACHE STRING "List of extra secure partition manifests")
66
67set(ATTEST_KEY_BITS                     384        CACHE STRING   "The size of the initial attestation key in bits")
68set(PSA_INITIAL_ATTEST_MAX_TOKEN_SIZE   0x800      CACHE STRING    "The maximum possible size of a token")
69
70set(TFM_NS_NV_COUNTER_AMOUNT            3          CACHE STRING   "How many NS NV counters are enabled")
71
72set(TFM_PLAT_SPECIFIC_MULTI_CORE_COMM   ON         CACHE BOOL     "Whether to use a platform specific inter-core communication instead of mailbox in dual-cpu topology")
73
74set(TFM_ISOLATION_LEVEL                 2          CACHE STRING   "Isolation level")
75set(TFM_PXN_ENABLE                      ON         CACHE BOOL     "Use Privileged execute never (PXN)")
76
77set(TFM_MANIFEST_LIST                   "${CMAKE_CURRENT_LIST_DIR}/manifest/tfm_manifest_list.yaml" CACHE PATH "Platform specific Secure Partition manifests file")
78
79# Platform-specific configurations
80if (RSE_LOAD_NS_IMAGE)
81    set(CONFIG_TFM_USE_TRUSTZONE            ON)
82else()
83    set(CONFIG_TFM_USE_TRUSTZONE            OFF)
84endif()
85
86if (TFM_ATTESTATION_SCHEME      STREQUAL "PSA")
87    set(TFM_PARTITION_INITIAL_ATTESTATION   ON      CACHE BOOL  "Enable Initial Attestation partition")
88    set(TFM_PARTITION_DELEGATED_ATTESTATION OFF     CACHE BOOL  "Enable Delegated Attestation partition")
89    set(TFM_PARTITION_DPE                   OFF     CACHE BOOL  "Enable DICE Protection Environment partition")
90    set(TFM_PARTITION_MEASURED_BOOT         OFF     CACHE BOOL  "Enable Measured Boot partition")
91elseif (TFM_ATTESTATION_SCHEME  STREQUAL "CCA")
92    set(TFM_PARTITION_INITIAL_ATTESTATION   ON      CACHE BOOL  "Enable Initial Attestation partition")
93    set(TFM_PARTITION_DELEGATED_ATTESTATION ON      CACHE BOOL  "Enable Delegated Attestation partition")
94    set(TFM_PARTITION_DPE                   OFF     CACHE BOOL  "Enable DICE Protection Environment partition")
95    set(TFM_PARTITION_MEASURED_BOOT         ON      CACHE BOOL  "Enable Measured Boot partition")
96elseif (TFM_ATTESTATION_SCHEME  STREQUAL "DPE")
97    set(TFM_PARTITION_INITIAL_ATTESTATION   OFF     CACHE BOOL  "Enable Initial Attestation partition")
98    set(TFM_PARTITION_DELEGATED_ATTESTATION OFF     CACHE BOOL  "Enable Delegated Attestation partition")
99    set(TFM_PARTITION_DPE                   ON      CACHE BOOL  "Enable DICE Protection Environment partition")
100    set(TFM_PARTITION_MEASURED_BOOT         OFF     CACHE BOOL  "Enable Measured Boot partition")
101    set(RSE_USE_SDS_LIB                     ON)
102    # Temporarily only 256-bit IAK is allowed when DPE is enabled
103    set(ATTEST_KEY_BITS                     256     CACHE STRING    "The size of the initial attestation key in bits" FORCE)
104else()
105    # Disable attestation
106    set(TFM_PARTITION_INITIAL_ATTESTATION   OFF     CACHE BOOL  "Enable Initial Attestation partition")
107    set(TFM_PARTITION_DELEGATED_ATTESTATION OFF     CACHE BOOL  "Enable Delegated Attestation partition")
108    set(TFM_PARTITION_DPE                   OFF     CACHE BOOL  "Enable DICE Protection Environment partition")
109    set(TFM_PARTITION_MEASURED_BOOT         OFF     CACHE BOOL  "Enable Measured Boot partition")
110    set(CONFIG_TFM_BOOT_STORE_MEASUREMENTS  OFF     CACHE BOOL  "Store measurement values from all the boot stages. Used for initial attestation token.")
111    set(CONFIG_TFM_BOOT_STORE_ENCODED_MEASUREMENTS  OFF CACHE BOOL  "Enable storing of encoded measurements in boot.")
112endif()
113
114if (TFM_PARTITION_MEASURED_BOOT OR TFM_PARTITION_DPE)
115    set(CONFIG_TFM_BOOT_STORE_ENCODED_MEASUREMENTS  OFF CACHE BOOL  "Enable storing of encoded measurements in boot.")
116    set(MCUBOOT_DATA_SHARING                        ON)
117endif()
118
119set(TFM_MULTI_CORE_TOPOLOGY             ON)
120
121set(PLAT_MHU_VERSION                    2          CACHE STRING  "Supported MHU version by platform")
122
123set(RSE_AMOUNT                          1          CACHE STRING  "Amount of RSEes in the system")
124
125set(BL1_SHARED_SYMBOLS_PATH             ${CMAKE_CURRENT_LIST_DIR}/bl1/bl1_1_shared_symbols.txt CACHE FILEPATH "Path to list of symbols that BL1_1 that can be referenced from BL1_2")
126set(RSE_TP_MODE                         TCI        CACHE STRING "Whether system is in Test or Production mode")
127
128if (RSE_TP_MODE STREQUAL "TCI")
129    set(RSE_RTL_KEY_PATH                ${CMAKE_CURRENT_LIST_DIR}/provisioning/tci_krtl.bin CACHE FILEPATH "Path to binary RTL key for encrypting provisioning bundles")
130elseif(RSE_TP_MODE STREQUAL "PCI")
131    set(RSE_RTL_KEY_PATH                ${CMAKE_CURRENT_LIST_DIR}/provisioning/pci_krtl_dummy.bin CACHE FILEPATH "Path to binary RTL key for encrypting provisioning bundles")
132else()
133    message(FATAL_ERROR "Invalid TP mode ${RSE_TP_MODE}")
134endif()
135
136set(RSE_ENCRYPTED_OTP_KEYS              ON         CACHE BOOL "Whether keys in OTP are encrypted")
137set(RSE_ENABLE_TRAM                     OFF        CACHE BOOL "Whether TRAM encryption is enabled")
138
139set(RSE_BIT_PROGRAMMABLE_OTP            ON         CACHE BOOL "Whether RSE OTP words can be programmed bit by bit, or whole words must be programmed at once")
140
141if (RSE_USE_ROM_LIB_FROM_SRAM)
142    set(CODE_SHARING_OUTPUT_FILE_SUFFIX     "_shared_symbols.axf" CACHE STRING "Suffix to use for code-sharing output files")
143    set(CODE_SHARING_INPUT_FILE_SUFFIX      "_shared_symbols_in_sram.axf" CACHE STRING "Suffix to use for code-sharing input files")
144endif()
145
146set(RSE_SUPPORT_ROM_LIB_RELOCATION      OFF        CACHE BOOL "Whether shared ROM code supports being copied to SRAM and then executed")
147set(RSE_USE_ROM_LIB_FROM_SRAM           OFF        CACHE BOOL "Whether shared ROM code will be used XIP from ROM or copied to SRAM and then executed")
148
149set(RSE_HAS_MANUFACTURING_DATA          OFF        CACHE BOOL "Whether manufacturing data is provisioned into RSE OTP")
150
151################################################################################
152
153# Specifying the accepted values for certain configuration options to facilitate
154# their later validation.
155
156########################## Attestation #########################################
157
158set_property(CACHE TFM_ATTESTATION_SCHEME PROPERTY STRINGS "OFF;PSA;CCA;DPE")
159