#-------------------------------------------------------------------------------
# Copyright (c) 2021-2024, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
#-------------------------------------------------------------------------------

########################## MCUBoot #############################################
# --- General MCUboot (BL2) build options --------------------------------------
# Every entry below is a cache default: set(... CACHE ...) without FORCE does
# not overwrite a value that is already in the cache (for example one passed
# as -D<NAME>=<value>), so platforms and users can override any of them.

set(TEST_BL2 OFF CACHE BOOL "Whether to build bl2 tests")

# ON selects the security-counter configuration and the flash map supplied by
# the TF-M project (per the option text).
set(DEFAULT_MCUBOOT_SECURITY_COUNTERS ON CACHE BOOL
    "Whether to use the default security counter configuration defined by TF-M project")
set(DEFAULT_MCUBOOT_FLASH_MAP ON CACHE BOOL
    "Whether to use the default flash map defined by TF-M project")

# Flash area IDs of the primary Secure / Non-Secure image slots.
set(MCUBOOT_S_IMAGE_FLASH_AREA_NUM 0 CACHE STRING
    "ID of the flash area containing the primary Secure image")
set(MCUBOOT_NS_IMAGE_FLASH_AREA_NUM 1 CACHE STRING
    "ID of the flash area containing the primary Non-Secure image")

# 1 = S and NS combined into a single image, 2 = each signed on its own.
set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING
    "Whether to combine S and NS into either 1 image, or sign each seperately")
set(MCUBOOT_EXECUTION_SLOT 1 CACHE STRING
    "Slot from which to execute the image, used for XIP mode")
set(MCUBOOT_LOG_LEVEL "INFO" CACHE STRING
    "Level of logging to use for MCUboot [OFF, ERROR, WARNING, INFO, DEBUG]")

# How the bootloader obtains the public key used for signature validation.
# ON puts the whole public key into the image metadata, OFF only its hash
# (per the option text).
# NOTE(review): in either mode the trust anchor has to come from the device
# and not from the image being verified; confirm how the platform provisions it.
set(MCUBOOT_HW_KEY ON CACHE BOOL
    "Whether to embed the entire public key in the image metadata instead of the hash only")
# NOTE(review): reads as an alternative to MCUBOOT_HW_KEY; nothing in this file
# stops both from being switched on together, so the consistency check must
# live elsewhere. Verify.
set(MCUBOOT_BUILTIN_KEY OFF CACHE BOOL
    "Use builtin key(s) for validation, no public key data is embedded into the image metadata")

set(MCUBOOT_UPGRADE_STRATEGY "OVERWRITE_ONLY" CACHE STRING "Upgrade strategy for images")

# Sizes of the image header and trailer, and the alignment value handed to both
# MCUboot and imgtool.
set(BL2_HEADER_SIZE 0x400 CACHE STRING "Header size")
set(BL2_TRAILER_SIZE 0x400 CACHE STRING "Trailer size")
set(MCUBOOT_ALIGN_VAL 1 CACHE STRING
    "align option for mcuboot and build image with imgtool [1, 2, 4, 8, 16, 32]")
set(MCUBOOT_CONFIRM_IMAGE OFF CACHE BOOL
    "Whether to confirm the image if REVERT is supported in MCUboot")
# Record the accepted values of MCUBOOT_UPGRADE_STRATEGY so that a platform can
# pick one specific upgrade strategy and later validation can compare against
# this list.
# CMake does not reject a cache value that is missing from a STRINGS list; the
# property only records the set (and drives GUI drop-downs), so the actual
# rejection has to be done by validation code that reads the property.
set_property(CACHE MCUBOOT_UPGRADE_STRATEGY PROPERTY STRINGS
    OVERWRITE_ONLY
    SWAP_USING_SCRATCH
    SWAP_USING_MOVE
    DIRECT_XIP
    RAM_LOAD)

# Accepted values of MCUBOOT_ALIGN_VAL, for platforms that require a specific
# flash alignment.
set_property(CACHE MCUBOOT_ALIGN_VAL PROPERTY STRINGS 1 2 4 8 16 32)
# --- Boot-time protection features --------------------------------------------
# These defaults decide which hardening the bootloader is built with, so review
# them against the product's threat model rather than taking them as given.

set(MCUBOOT_DIRECT_XIP_REVERT OFF CACHE BOOL
    "Enable the revert mechanism in direct-xip mode")

# Rollback protection: the image security counter is validated against
# non-volatile hardware counters. Switching this OFF removes that check, which
# means an older, validly signed image is no longer refused on counter grounds.
set(MCUBOOT_HW_ROLLBACK_PROT ON CACHE BOOL
    "Enable security counter validation against non-volatile HW counters")

# Encrypted upgrade images are disabled by default, so upgrade images are
# handled in plaintext unless this is enabled.
set(MCUBOOT_ENC_IMAGES OFF CACHE BOOL "Enable encrypted image upgrade support")
set(MCUBOOT_BOOTSTRAP OFF CACHE BOOL
    "Support initial state with empty primary slot and images installed from secondary slots")
set(MCUBOOT_ENCRYPT_RSA OFF CACHE BOOL "Use RSA for encrypted image upgrade support")

# Declared as STRING, not BOOL, because it takes one of four levels. The default
# leaves fault injection hardening off; devices exposed to physical attack
# (glitching) should select LOW, MEDIUM or HIGH explicitly.
set(MCUBOOT_FIH_PROFILE OFF CACHE STRING
    "Fault injection hardening profile [OFF, LOW, MEDIUM, HIGH]")

set(MCUBOOT_USE_PSA_CRYPTO OFF CACHE BOOL
    "Enable the cryptographic abstraction layer to use PSA Crypto APIs")
# --- Image signing ------------------------------------------------------------
# The default key paths below embed MCUBOOT_SIGNATURE_TYPE, and that expansion
# happens only when the cache entries are first created. After changing the
# signature type, MCUBOOT_KEY_S and MCUBOOT_KEY_NS therefore still point at the
# key files of the previous algorithm until they are updated by hand or dropped
# from the cache:
#   cmake .. -UMCUBOOT_KEY_S -UMCUBOOT_KEY_NS
# Once removed from the cache they are set to their defaults again.
set(MCUBOOT_SIGNATURE_TYPE "RSA-3072" CACHE STRING
    "Algorithm to use for signature validation [RSA-2048, RSA-3072, EC-P256, EC-P384]")

# NOTE(review): where the generated private key is written and how it is
# protected is not visible in this file; check before relying on it for
# anything beyond local builds.
set(MCUBOOT_GENERATE_SIGNING_KEYPAIR OFF CACHE BOOL
    "Generate new keypair for signing and use that instead of MCUBOOT_KEY_S and MCUBOOT_KEY_NS")

# Both defaults resolve to .pem files inside the source tree. A signing key that
# is distributed with the sources is available to everyone who has the sources,
# so images signed with these defaults prove nothing about their origin.
# Production builds should set MCUBOOT_KEY_S / MCUBOOT_KEY_NS to keys that are
# kept outside the repository under access control.
set(MCUBOOT_KEY_S
    "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}.pem"
    CACHE FILEPATH "Path to key with which to sign secure binary")
set(MCUBOOT_KEY_NS
    "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}_1.pem"
    CACHE FILEPATH "Path to key with which to sign non-secure binary")
# --- Image versions, security counters and crypto configuration ---------------

# The S image version defaults to TFM_VERSION, which is defined outside this
# file; the NS image version defaults to 0.0.0.
set(MCUBOOT_IMAGE_VERSION_S ${TFM_VERSION} CACHE STRING "Version number of S image")
set(MCUBOOT_IMAGE_VERSION_NS 0.0.0 CACHE STRING "Version number of NS image")

# Per the option text, the value "auto" derives the counter from the image
# version. With the fixed default of 1 the counter stays the same from one
# release to the next unless the release process raises it.
# NOTE(review): confirm that production builds advance the counter; otherwise
# counter validation (MCUBOOT_HW_ROLLBACK_PROT) presumably cannot tell an older
# image from a newer one.
set(MCUBOOT_SECURITY_COUNTER_S 1 CACHE STRING
    "Security counter for S image. auto sets it to IMAGE_VERSION_S")
set(MCUBOOT_SECURITY_COUNTER_NS 1 CACHE STRING
    "Security counter for NS image. auto sets it to IMAGE_VERSION_NS")

# Cross-image version dependencies; without effect when MCUBOOT_IMAGE_NUMBER
# is 1.
set(MCUBOOT_S_IMAGE_MIN_VER 0.0.0+0 CACHE STRING
    "Minimum version of secure image required by the non-secure image for upgrade to this non-secure image. If MCUBOOT_IMAGE_NUMBER == 1 this option has no effect")
set(MCUBOOT_NS_IMAGE_MIN_VER 0.0.0+0 CACHE STRING
    "Minimum version of non-secure image required by the secure image for upgrade to this secure image. If MCUBOOT_IMAGE_NUMBER == 1 this option has no effect")

# AES key length for image encryption.
# NOTE(review): presumably in bits and only relevant when MCUBOOT_ENC_IMAGES
# is ON. Confirm.
set(MCUBOOT_ENC_KEY_LEN 128 CACHE STRING "Length of the AES key for encrypting images")

# Crypto library configuration headers used to build MCUboot. They decide which
# algorithms are compiled into the bootloader, so a replacement file must still
# provide what the selected signature type and encryption options need.
set(MCUBOOT_MBEDCRYPTO_CONFIG_FILEPATH
    "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/config/mcuboot-mbedtls-cfg.h"
    CACHE FILEPATH "Mbed TLS config file to use with MCUboot")
set(MCUBOOT_PSA_CRYPTO_CONFIG_FILEPATH
    "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/config/mcuboot_crypto_config.h"
    CACHE FILEPATH "Mbed TLS PSA Crypto config file to use with MCUboot")