1# Configuration for the TF-M Module 2 3# Copyright (c) 2019, 2020 Linaro Limited 4# Copyright (c) 2020, 2021 Nordic Semiconductor ASA 5# Copyright 2024 Arm Limited and/or its affiliates <open-source-office@arm.com> 6# SPDX-License-Identifier: Apache-2.0 7 8config ZEPHYR_TRUSTED_FIRMWARE_M_MODULE 9 bool 10 11config TFM_BOARD 12 string 13 default "nxp/lpcxpresso55s69" if BOARD_LPCXPRESSO55S69_LPC55S69_CPU0_NS 14 default "arm/mps2/an521" if BOARD_MPS2_AN521_CPU0_NS 15 default "arm/mps3/corstone300/fvp" if BOARD_MPS3_CORSTONE300_FVP_NS 16 default "arm/mps3/corstone300/an547" if BOARD_MPS3_CORSTONE300_AN547_NS 17 default "arm/mps3/corstone300/an552" if BOARD_MPS3_CORSTONE300_AN552_NS 18 default "arm/mps3/corstone310/an555" if BOARD_MPS3_CORSTONE310_AN555_NS 19 default "arm/mps3/corstone310/fvp" if BOARD_MPS3_CORSTONE310_FVP_NS 20 default "stm/b_u585i_iot02a" if BOARD_B_U585I_IOT02A 21 default "stm/nucleo_l552ze_q" if BOARD_NUCLEO_L552ZE_Q 22 default "stm/stm32l562e_dk" if BOARD_STM32L562E_DK 23 default "arm/musca_b1" if BOARD_V2M_MUSCA_B1 24 default "arm/musca_s1" if BOARD_V2M_MUSCA_S1 25 default "${ZEPHYR_BASE}/modules/trusted-firmware-m/nordic/nrf9160" if SOC_NRF9160 26 default "${ZEPHYR_BASE}/modules/trusted-firmware-m/nordic/nrf9120" if SOC_NRF9120 27 default "${ZEPHYR_BASE}/modules/trusted-firmware-m/nordic/nrf5340_cpuapp" if SOC_NRF5340_CPUAPP 28 help 29 The board name used for building TFM. Building with TFM requires that 30 TFM has been ported to the given board/SoC. 31 32menuconfig BUILD_WITH_TFM 33 bool "Build with TF-M as the Secure Execution Environment" 34 depends on TRUSTED_EXECUTION_NONSECURE 35 depends on TFM_BOARD != "" 36 depends on ARM_TRUSTZONE_M 37 select BUILD_OUTPUT_HEX 38 select PSA_CRYPTO_CLIENT 39 imply INIT_ARCH_HW_AT_BOOT 40 imply ARM_NONSECURE_PREEMPTIBLE_SECURE_CALLS 41 imply MBEDTLS 42 help 43 When enabled, this option instructs the Zephyr build process to 44 additionally generate a TF-M image for the Secure Execution 45 environment, along with the Zephyr image. The Zephyr image 46 itself is to be executed in the Non-Secure Processing Environment. 47 The required dependency on TRUSTED_EXECUTION_NONSECURE 48 ensures that the Zephyr image is built as a Non-Secure image. Both 49 TF-M and Zephyr images, as well as the veneer object file that links 50 them, are generated during the normal Zephyr build process. 51 52 Notes: 53 Building with the "/ns" BOARD variant (e.g. "mps2/an521/cpu0/ns") 54 ensures that CONFIG_TRUSTED_EXECUTION_NONSECURE is enabled. 55 56 By default we allow Zephyr preemptible threads be preempted 57 while performing a secure function call. 58 59if BUILD_WITH_TFM 60 61config TFM_PROFILE 62 string 63 default "profile_small" if TFM_PROFILE_TYPE_SMALL 64 default "profile_medium" if TFM_PROFILE_TYPE_MEDIUM 65 default "profile_medium_arotless" if TFM_PROFILE_TYPE_AROTLESS 66 default "profile_large" if TFM_PROFILE_TYPE_LARGE 67 help 68 Build profile used to build tfm_s image. The available values are 69 profile_large, profile_medium and profile_small. The default profile 70 does not need to have this configuration set. 71 72choice TFM_PROFILE_TYPE 73 prompt "TF-M build profile" 74 default TFM_PROFILE_TYPE_NOT_SET 75 help 76 The TF-M build profile selection. Can be empty (not set), 77 small, medium or large. Certain profile types enable other 78 TF-M configuration options, namely, the IPC model and the 79 isolation level. 80 81config TFM_PROFILE_TYPE_NOT_SET 82 bool "TF-M build profile: not set (base)" 83 84config TFM_PROFILE_TYPE_SMALL 85 bool "TF-M build profile: small" 86 87config TFM_PROFILE_TYPE_MEDIUM 88 bool "TF-M build profile: medium" 89 90config TFM_PROFILE_TYPE_AROTLESS 91 bool "TF-M build profile: ARoT-less" 92 93config TFM_PROFILE_TYPE_LARGE 94 bool "TF-M build profile: large" 95 96endchoice 97 98choice TFM_CMAKE_BUILD_TYPE 99 prompt "The build type for TFM" 100 default TFM_CMAKE_BUILD_TYPE_RELEASE if SPEED_OPTIMIZATIONS && BUILD_OUTPUT_STRIPPED 101 default TFM_CMAKE_BUILD_TYPE_MINSIZEREL if SIZE_OPTIMIZATIONS || SIZE_OPTIMIZATIONS_AGGRESSIVE 102 default TFM_CMAKE_BUILD_TYPE_DEBUG if DEBUG_OPTIMIZATIONS 103 default TFM_CMAKE_BUILD_TYPE_RELWITHDEBINFO 104 105config TFM_CMAKE_BUILD_TYPE_RELEASE 106 bool "Release build" 107 108config TFM_CMAKE_BUILD_TYPE_RELWITHDEBINFO 109 bool "Release build with Debug info" 110 111config TFM_CMAKE_BUILD_TYPE_MINSIZEREL 112 bool "Release build, optimized for size" 113 114config TFM_CMAKE_BUILD_TYPE_DEBUG 115 bool "Debug build" 116 117endchoice 118 119config TFM_ISOLATION_LEVEL 120 int "Isolation level setting." if (TFM_PROFILE_TYPE_NOT_SET && TFM_IPC) 121 range 1 3 122 default 1 if TFM_PROFILE_TYPE_SMALL || !TFM_IPC 123 default 2 if TFM_PROFILE_TYPE_MEDIUM 124 default 3 if TFM_PROFILE_TYPE_LARGE 125 help 126 Manually set the required TFM isolation level. Possible values are 127 1,2 or 3; the default is set by build configuration. When TF-M 128 Profile option is supplied, do not allow manual setting of the 129 isolation level, as it is determined by the profile setting. 130 As isolation levels 2 and 3 require PSA_API (TFM_IPC) support, 131 force level 1 when TFM_IPC is not enabled. 132 133config TFM_ITS_NUM_ASSETS_OVERRIDE 134 bool "Override maximum number of Internal Trusted Storage assets" 135 help 136 Override the platform's default maximum number of assets to be stored in 137 Internal Trusted Storage (ITS) with TFM_ITS_NUM_ASSETS. 138 139config TFM_ITS_NUM_ASSETS 140 int "Maximum number of Internal Trusted Storage assets" 141 depends on TFM_ITS_NUM_ASSETS_OVERRIDE 142 default 0 143 help 144 Maximum number of assets to be stored in Internal Trusted Storage (ITS). 145 146config TFM_ITS_MAX_ASSET_SIZE_OVERRIDE 147 bool "Override maximum Internal Trusted Storage asset size" 148 help 149 Override the platform's default maximum size of a single asset to be 150 stored in Internal Trusted Storage (ITS) with TFM_ITS_MAX_ASSET_SIZE. 151 152config TFM_ITS_MAX_ASSET_SIZE 153 int "Maximum Internal Trusted Storage asset size" 154 depends on TFM_ITS_MAX_ASSET_SIZE_OVERRIDE 155 default 0 156 help 157 Maximum size (in bytes) of a single asset to be stored in Internal Trusted 158 Storage (ITS). 159 160config TFM_PARTITION_PLATFORM_CUSTOM_REBOOT 161 bool "Use custom reboot handler" 162 depends on TFM_PARTITION_PLATFORM 163 help 164 Do not include the default zephyr implementation of calling the TF-M 165 platform reset service. 166 Instead the application will have to override the weak ARM 167 implementation of sys_arch_reset(). 168 169config TFM_DUMMY_PROVISIONING 170 bool "Provision with dummy values. NOT to be used in production" 171 select TFM_INITIAL_ATTESTATION_KEY 172 default y 173 help 174 If this option is enabled (as it is by default), a set of dummy 175 keys / data will be provisioned. The dummy IAK matches the IAK tested 176 by the TF-M tests, and the dummy bl2 ROTPKs match the dummy bl2 keys 177 used by default. 178 This option MUST not be used in production hardware, as the keys are 179 insecure. 180 181config TFM_INITIAL_ATTESTATION_KEY 182 bool 183 help 184 Hidden option to mark that the TF-M platform has an initial 185 attestation key, which is a requirement for the Initial Attestation 186 partition. 187 188config TFM_BL2_NOT_SUPPORTED 189 bool 190 help 191 Hidden option to mark the BL2, the MCUBoot included in TF-M, as not supported. 192 Platforms that don't use BL2 should select this option. 193 194config TFM_IMAGE_VERSION_S 195 string "Version of the Secure Image" 196 default "$(APP_VERSION_TWEAK_STRING)" if "$(VERSION_MAJOR)" != "" && TFM_MCUBOOT_IMAGE_NUMBER = 1 197 default "0.0.0+0" 198 help 199 Version of the secure image. This version is also used for merged 200 secure + non-secure builds (TFM_MCUBOOT_IMAGE_NUMBER == 1). 201 202config TFM_IMAGE_VERSION_NS 203 string "Version of the Non-Secure Image" 204 default "$(APP_VERSION_TWEAK_STRING)" if "$(VERSION_MAJOR)" != "" && TFM_MCUBOOT_IMAGE_NUMBER = 2 205 default "0.0.0+0" 206 help 207 Version of the non-secure image. 208 209config TFM_BL2 210 bool "Add MCUboot to TFM" 211 depends on !TFM_BL2_NOT_SUPPORTED 212 default y 213 help 214 TFM is designed to run with MCUboot in a certain configuration. 215 This config adds MCUboot to the build - built via TFM's build system. 216 217config TFM_USE_NS_APP 218 bool "Use the TF-M Non-Secure application" 219 help 220 The TF-M build system can produce multiple executable files. 221 The main one is the TF-M secure firmware. Optionally the TF-M 222 non-secure application can be built. 223 Usually the TF-M non-secure application is not used since the 224 zephyr application is the non-secure application. 225 With this option enabled this is reversed and the TF-M non-secure 226 application is used instead of the Zephyr non-secure application. 227 228 This option is intended for testing purposes only, since this is the 229 easiest way to integrate and run the TF-M regression tests in the 230 zephyr build system. 231 232config TFM_CONNECTION_BASED_SERVICE_API 233 bool "TF-M use connection based service APIs" 234 help 235 The TF-M build system produces an interface source file for accessing 236 connection based services. 237 Select this option when TF-M service models requires this source file. 238 239 Note: This is an auto-generated configuration in the TF-M build 240 system. When this option is not enabled in the TF-M build system this 241 will result in compilation error. 242 243if TFM_BL2 244 245config TFM_IMAGE_SECURITY_COUNTER 246 int "Security counter value used for hardware rollback protection" 247 range 1 1024 248 default 1 249 help 250 By default, TFM enables hardware rollback protection, which requires a security counter 251 to be embedded in the image trailer. As per "Hardware-based downgrade prevention" in 252 mcuboot/docs/design.md, this does not need to be incremented on every firmware update, 253 but hardware rollback protection will only apply when this value is incremented. 254 255config TFM_MCUBOOT_SIGNATURE_TYPE 256 string "The signature type used to sign the secure and non-secure firmware images." 257 default "EC-P256" 258 help 259 Available types: RSA-2048, RSA-3072, EC-P256, EC-P384. 260 261config TFM_KEY_FILE_S 262 string "Path to private key used to sign secure firmware images." 263 default "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/bl2/ext/mcuboot/root-${CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE}.pem" 264 help 265 The path and filename for the .pem file containing the private key 266 that should be used by the BL2 bootloader when signing secure 267 firmware images. This key file is also used for merged secure + 268 non-secure builds (TFM_MCUBOOT_IMAGE_NUMBER == 1). 269 270config TFM_KEY_FILE_NS 271 string "Path to private key used to sign non-secure firmware images." 272 default "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/bl2/ext/mcuboot/root-${CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE}_1.pem" 273 help 274 The path and filename for the .pem file containing the private key 275 that should be used by the BL2 bootloader when signing non-secure 276 firmware images. 277 278config TFM_MCUBOOT_IMAGE_NUMBER 279 int "Granularity of FW updates of TFM and app" 280 range 1 2 281 default 2 282 help 283 How many images the bootloader sees when it looks at TFM and the app. 284 When this is 1, the S and NS are considered as 1 image and must be 285 updated in one atomic operation. When this is 2, they are split and 286 can be updated independently if dependency requirements are met. 287 288choice TFM_MCUBOOT_PATH 289 prompt "Path to MCUboot or DOWNLOAD to fetch automatically" 290 default TFM_MCUBOOT_PATH_LOCAL 291 help 292 Path to MCUboot for TF-M builds. The default option 293 is to use Zephyr's MCUboot module. As an alternative, 294 users may switch to the 'download' version; in that 295 case MCUboot will be fetched by the TF-M build during 296 build time. The default option ensures that Zephyr builds 297 with TF-M do not fetch external trees. 298 299config TFM_MCUBOOT_PATH_LOCAL 300 bool "TF-M to use Zephyr's MCUboot" 301 help 302 TF-M builds with BL2 will use the Zephyr's MCUboot version, 303 which is present in the MCUboot module. 304 305config TFM_MCUBOOT_PATH_DOWNLOAD 306 bool "TF-M to automatically download MCUboot during build" 307 help 308 TF-M builds with BL2 will let the TF-M build to automatically 309 fetch and check-out the MCUboot version to use in the build. 310 311endchoice 312 313config TFM_ETHOS_DRIVER_PATH_LOCAL 314 string "Path to a locally available Ethos-U driver or an empty string" 315 depends on SOC_SERIES_MPS3 316 default "${ZEPHYR_HAL_ETHOS_U_MODULE_DIR}" 317 help 318 Path to a locally available Ethos-U driver to be used for TF-M builds or 319 an empty string to allow TF-M to automatically fetch the Ethos-U 320 driver from an external repository at build time. 321 By default Zephyr's Ethos-U driver will be used. It is present in 322 the hal_ethos_u module. 323 Alternatively, applications can point to their own paths for Ethos-U driver. 324 325config TFM_QCBOR_PATH 326 string 327 prompt "Path to QCBOR or DOWNLOAD to fetch automatically" 328 default "" 329 help 330 Path to QCBOR for TF-M builds. Due to a license issue with this 331 library Zephyr does not ship with this library. 332 If the application wishes to still use this library they can point 333 to their own checkout of this library, or set to DOWNLOAD to allow 334 TF-M build system to automatically download this. 335 336config TFM_MCUBOOT_DATA_SHARING 337 bool "Share app-specific data between TF-M and MCUBoot" 338 help 339 Add sharing of application specific data using the same 340 shared data area as for the measured boot. 341 342endif # TFM_BL2 343 344choice TFM_MODEL 345 prompt "TF-M Firmware Framework model" 346 default TFM_SFN if TFM_PROFILE_TYPE_SMALL 347 default TFM_IPC 348 help 349 The Firmware Framework M (FF-M) provides different programming models 350 for Secure Partitions. 351 352config TFM_IPC 353 bool "IPC Model" 354 help 355 Use the IPC Model as the SPM backend for the PSA API. 356 The IPC model supports the IPC and SFN Partition models, and 357 isolation levels 1, 2 and 3. 358 359 In this model each Secure Partition processes signals in any order, 360 and can defer responding to a message while continuing to process 361 other signals. 362 363 The IPC model conforms to the PSA Firmware Framework for M (FF-M) 364 v1.1. 365 366config TFM_SFN 367 bool "SFN model" 368 help 369 Use the SFN Model as the SPM backend for the PSA API. 370 The SFN model supports the SFN Partition model, and isolation level 1. 371 372 In this model each Secure Partition is made up of a collection of 373 callback functions which implement secure services. 374 375 The SFN model conforms to the PSA Firmware Framework for M (FF-M) 376 v1.1. 377 378endchoice # TFM_MODEL 379 380config TFM_REGRESSION_S 381 bool "TF-M Secure Regression tests" 382 help 383 When enabled, this option signifies that the TF-M build includes 384 the Secure domain regression tests. 385 The regression tests will be included in the TF-M secure firmware. 386 387config TFM_REGRESSION_NS 388 bool "TF-M Non-Secure Regression tests" 389 help 390 When enabled, this option signifies that the TF-M build includes 391 the Non-Secure domain regression tests. 392 The regression tests will be included in the TF-M non-secure 393 application. 394 395choice TFM_PSA_TEST 396 prompt "Enable a PSA test suite" 397 default TFM_PSA_TEST_NONE 398 399config TFM_PSA_TEST_CRYPTO 400 bool "Crypto tests" 401 depends on MAIN_STACK_SIZE >= 4096 402 help 403 Enable the PSA Crypto test suite. 404 405config TFM_PSA_TEST_PROTECTED_STORAGE 406 bool "Storage tests" 407 help 408 Enable the PSA Protected Storage test suite. 409 410config TFM_PSA_TEST_INTERNAL_TRUSTED_STORAGE 411 bool "Internal Trusted Storage tests" 412 help 413 Enable the PSA Internal Trusted Storage test suite. 414 415config TFM_PSA_TEST_STORAGE 416 bool "Storage tests" 417 help 418 Enable the PSA Storage test suite. This is a combination of the 419 protected storage and internal trusted storage tests. 420 421config TFM_PSA_TEST_INITIAL_ATTESTATION 422 bool "Initial attestation tests" 423 depends on MAIN_STACK_SIZE >= 4096 424 select TFM_PARTITION_INITIAL_ATTESTATION 425 help 426 Enable the PSA Initial Attestation test suite. 427 428config TFM_PSA_TEST_NONE 429 bool "No PSA test suite" 430 431endchoice 432 433if TFM_BL2 434 435config ROM_START_OFFSET 436 hex "ROM Start Offset accounting for BL2 Header in the NS image" 437 default 0x400 438 help 439 By default BL2 header size in TF-M is 0x400. ROM_START_OFFSET 440 needs to be updated if TF-M switches to use a different header 441 size for BL2. 442 443choice TFM_BL2_LOG_LEVEL 444 prompt "BL2 Log Level" if !TFM_LOG_LEVEL_SILENCE 445 default TFM_BL2_LOG_LEVEL_INFO 446 config TFM_BL2_LOG_LEVEL_DEBUG 447 bool "Debug" 448 config TFM_BL2_LOG_LEVEL_INFO 449 bool "Info" 450 config TFM_BL2_LOG_LEVEL_WARNING 451 bool "Warning" 452 config TFM_BL2_LOG_LEVEL_ERROR 453 bool "Error" 454 config TFM_BL2_LOG_LEVEL_OFF 455 bool "Off" 456endchoice 457 458endif # !TFM_BL2 459 460# Option to instruct flashing a merged binary consisting of BL2 (optionally), 461# TF-M (Secure), and application (Non-Secure). 462config TFM_FLASH_MERGED_BINARY 463 bool 464 help 465 This option instructs west flash to program the combined (merged) 466 binary consisting of the TF-M Secure firmware image, optionally, the 467 BL2 image (if building with TFM_BL2 is enabled), and the Non-Secure 468 application firmware. 469 470config TFM_LOG_LEVEL_SILENCE 471 bool "TF-M Disable secure logging" 472 help 473 Set the log level to silence for all TF-M modules (SPM, partition, etc.). 474 On some platforms this will release the UART from 475 the secure domain and reduce the uart driver's flash usage. 476 477choice TFM_SPM_LOG_LEVEL 478 prompt "TF-M SPM Log Level" if !TFM_LOG_LEVEL_SILENCE 479 default TFM_SPM_LOG_LEVEL_INFO 480config TFM_SPM_LOG_LEVEL_DEBUG 481 bool "Debug" 482config TFM_SPM_LOG_LEVEL_INFO 483 bool "Info" 484config TFM_SPM_LOG_LEVEL_ERROR 485 bool "Error" 486config TFM_SPM_LOG_LEVEL_SILENCE 487 bool "Off" 488endchoice 489 490config TFM_EXCEPTION_INFO_DUMP 491 bool "TF-M exception info dump" 492 default y 493 help 494 On fatal errors in the secure firmware, capture info about the exception. 495 Print the info if the SPM log level is sufficient. 496 497endif # BUILD_WITH_TFM 498
