1# General configuration options
2
3# Copyright (c) 2014-2015 Wind River Systems, Inc.
4# Copyright (c) 2016 Intel Corporation
5# Copyright (c) 2023 Nordic Semiconductor ASA
6# SPDX-License-Identifier: Apache-2.0
7
8config MCUBOOT
9	bool
10	help
11	  Hidden option used to indicate that the current image is MCUBoot
12
13config BOOTLOADER_MCUBOOT
14	bool "MCUboot bootloader support"
15	select USE_DT_CODE_PARTITION if !MCUBOOT_BOOTLOADER_MODE_RAM_LOAD
16	imply INIT_ARCH_HW_AT_BOOT if ARCH_SUPPORTS_ARCH_HW_INIT
17	depends on !MCUBOOT
18	help
19	  This option signifies that the target uses MCUboot as a bootloader,
20	  or in other words that the image is to be chain-loaded by MCUboot.
21	  This sets several required build system and Device Tree options in
22	  order for the image generated to be bootable using the MCUboot open
23	  source bootloader. Currently this includes:
24
25	    * Setting ROM_START_OFFSET to a default value that allows space
26	      for the MCUboot image header
27	    * Activating SW_VECTOR_RELAY_CLIENT on Cortex-M0
28	      (or Armv8-M baseline) targets with no built-in vector relocation
29	      mechanisms
30
31	  By default, this option instructs Zephyr to initialize the core
32	  architecture HW registers during boot, when this is supported by
33	  the application. This removes the need by MCUboot to reset
34	  the core registers' state itself.
35
36if BOOTLOADER_MCUBOOT
37
38config MCUBOOT_SIGNATURE_KEY_FILE
39	string "Path to the mcuboot signing key file"
40	default ""
41	depends on !MCUBOOT_GENERATE_UNSIGNED_IMAGE
42	help
43	  The file contains a key pair; your target's MCUboot image uses the public half to
44	  verify image signatures. The file is in PEM format and holds the private key, so keep it secret.
45
46	  If set to a non-empty value, the build system tries to
47	  sign the final binaries using a 'west sign -t imgtool' command.
48	  The signed binaries are placed in the build directory
49	  at zephyr/zephyr.signed.bin and zephyr/zephyr.signed.hex.
50
51	  The file names can be customized with CONFIG_KERNEL_BIN_NAME.
52	  The existence of bin and hex files depends on CONFIG_BUILD_OUTPUT_BIN
53	  and CONFIG_BUILD_OUTPUT_HEX.
54
55	  This option should contain a path to the same file as the
56	  BOOT_SIGNATURE_KEY_FILE option in your MCUboot .config. The path
57	  may be absolute or relative to the west workspace topdir. (The MCUboot
58	  config option is used for the MCUboot bootloader image; this option is
59	  for your application which is to be loaded by MCUboot. The MCUboot
60	  config option can be a relative path from the MCUboot repository
61	  root.)
62
63	  If left empty and MCUBOOT_GENERATE_UNSIGNED_IMAGE is not set, you
64	  must sign and prepare the Zephyr binaries manually to be bootable
65	  from MCUboot.
66
67config MCUBOOT_ENCRYPTION_KEY_FILE
68	string "Path to the mcuboot encryption key file"
69	default ""
70	depends on MCUBOOT_SIGNATURE_KEY_FILE != ""
71	help
72	  The file contains the public key that is used to encrypt the
73	  ephemeral key that encrypts the image. The corresponding
74	  private key is hard coded in the MCUboot source code and is
75	  used to decrypt the ephemeral key that is embedded in the
76	  image. The file is in PEM format.
77
78	  If set to a non-empty value, the build system tries to
79	  sign and encrypt the final binaries using a 'west sign -t imgtool'
80	  command. The binaries are placed in the build directory at
81	  zephyr/zephyr.signed.encrypted.bin and
82	  zephyr/zephyr.signed.encrypted.hex.
83
84	  The file names can be customized with CONFIG_KERNEL_BIN_NAME.
85	  The existence of bin and hex files depends on CONFIG_BUILD_OUTPUT_BIN
86	  and CONFIG_BUILD_OUTPUT_HEX.
87
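88	  This option should either be an absolute path or a path relative to
89	  the west workspace topdir. Example: './bootloader/mcuboot/enc-rsa2048-pub.pem'
90	  (a sample key from the MCUboot repository; its private half is published there, so use it for testing only).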
91
92	  If left empty, you must encrypt the Zephyr binaries manually.
93
94if MCUBOOT_ENCRYPTION_KEY_FILE != ""
95
96choice MCUBOOT_ENCRYPTION_ALG
97	prompt "Algorithm used for image encryption"
98	default MCUBOOT_ENCRYPTION_ALG_AES_128
99
100config MCUBOOT_ENCRYPTION_ALG_AES_128
101	bool "Use AES-128 for image encryption"
102
103config MCUBOOT_ENCRYPTION_ALG_AES_256
104	bool "Use AES-256 for image encryption"
105
106endchoice # MCUBOOT_ENCRYPTION_ALG
107
108endif # MCUBOOT_ENCRYPTION_KEY_FILE != ""
109
110config MCUBOOT_IMGTOOL_SIGN_VERSION
111	string "Version to pass to imgtool when signing"
112	default "$(APP_VERSION_TWEAK_STRING)" if "$(VERSION_MAJOR)" != ""
113	default "0.0.0+0"
114	help
115	  When signing with imgtool, this setting is passed to the tool as the
116	  version argument.
117	  The format is major.minor.revision+build.
118
119config MCUBOOT_IMGTOOL_OVERWRITE_ONLY
120	bool "Use overwrite-only instead of swap upgrades"
121	help
122	  If enabled, the --overwrite-only option is passed to imgtool so that
123	  the swap status area size is not added when calculating overflow.
124
125config MCUBOOT_IMGTOOL_UUID_VID
126	bool "Append vendor unique identifier TLV"
127	help
128	  If enabled, the --vid option is passed to imgtool with the value set by
129	  the MCUBOOT_IMGTOOL_UUID_VID_NAME option.
130
131config MCUBOOT_IMGTOOL_UUID_VID_NAME
132	string "Vendor UUID"
133	depends on MCUBOOT_IMGTOOL_UUID_VID
134	help
135	  The vendor unique identifier.
136	  The following formats are supported:
137	   - Domain name (e.g. acme.corp)
138	   - Raw UUID (e.g. 12345678-1234-5678-1234-567812345678)
139	   - Raw HEX UUID (e.g. 12345678123456781234567812345678)
140
141config MCUBOOT_IMGTOOL_UUID_CID
142	bool "Append image class unique identifier TLV"
143	help
144	  If enabled, the --cid option is passed to imgtool with the value set by
145	  the MCUBOOT_IMGTOOL_UUID_CID_NAME option.
146
147config MCUBOOT_IMGTOOL_UUID_CID_NAME
148	string "Image class UUID"
149	depends on MCUBOOT_IMGTOOL_UUID_CID
150	help
151	  The image class unique identifier.
152	  The following formats are supported:
153	   - Image class name (e.g. nRF5340_door_lock_btperipheral).
154	     This format requires MCUBOOT_IMGTOOL_UUID_VID_NAME to be defined,
155	     as the VID UUID is used as the namespace for the image class UUID.
156	   - Raw UUID (e.g. 12345678-1234-5678-1234-567812345678)
157	   - Raw HEX UUID (e.g. 12345678123456781234567812345678)
158
159config MCUBOOT_EXTRA_IMGTOOL_ARGS
160	string "Extra arguments to pass to imgtool when signing"
161	default ""
162	help
163	  When signing (CONFIG_MCUBOOT_SIGNATURE_KEY_FILE is a non-empty
164	  string) you can use this option to pass extra options to
165	  imgtool. For example, you could set this to "--version 1.2".
166
167config MCUBOOT_GENERATE_UNSIGNED_IMAGE
168	bool "Generate unsigned binary image bootable with MCUboot"
169	help
170	  Enabling this option allows an unsigned binary image to be generated
171	  automatically when no MCUboot signing key is provided, i.e., when
172	  MCUBOOT_SIGNATURE_KEY_FILE is left empty. A hash of the image is
173	  generated and included in the image instead of a signature; a hash
174	  detects corruption but does not authenticate the image's origin.
175
176config MCUBOOT_GENERATE_CONFIRMED_IMAGE
177	bool "Also generate a padded, confirmed image"
178	help
179	  The signed, padded, and confirmed binaries are placed in the build
180	  directory at zephyr/zephyr.signed.confirmed.bin and
181	  zephyr/zephyr.signed.confirmed.hex.
182
183	  The file names can be customized with CONFIG_KERNEL_BIN_NAME.
184	  The existence of bin and hex files depends on CONFIG_BUILD_OUTPUT_BIN
185	  and CONFIG_BUILD_OUTPUT_HEX.
186
187menu "On board MCUboot operation mode"
188
189choice MCUBOOT_BOOTLOADER_MODE
190	prompt "Application assumed MCUboot mode of operation"
191	# Should be removed if board dts is updated
192	default MCUBOOT_BOOTLOADER_MODE_SWAP_USING_MOVE if SOC_FAMILY_ESPRESSIF_ESP32
193	default MCUBOOT_BOOTLOADER_MODE_SWAP_USING_OFFSET
194	help
195	  Informs the application build of the assumed MCUboot mode of operation.
196	  This is important for validating the application against the DT
197	  configuration, which is done by west sign.
198
199config MCUBOOT_BOOTLOADER_MODE_SINGLE_APP
200	bool "MCUboot has been configured for single slot execution"
201	select MCUBOOT_IMGTOOL_OVERWRITE_ONLY
202	help
203	  MCUboot will only boot slot0_partition placed application and does
204	  not care about other slots. In this mode application is not able
205	  to DFU its own update to secondary slot and all updates need to
206	  be performed using MCUboot serial recovery.
207
208config MCUBOOT_BOOTLOADER_MODE_SWAP_USING_OFFSET
209	bool "MCUboot has been configured for swap using offset operation"
210	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
211	help
212	  MCUboot expects slot0_partition and slot1_partition to be present
213	  in DT and application will boot from slot0_partition.
214	  MCUBOOT_BOOTLOADER_NO_DOWNGRADE should also be selected
215	  if MCUboot has been built with MCUBOOT_DOWNGRADE_PREVENTION.
216
217config MCUBOOT_BOOTLOADER_MODE_SWAP_USING_MOVE
218	bool "MCUboot has been configured for swap using move operation"
219	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
220	help
221	  MCUboot expects slot0_partition and slot1_partition to be present
222	  in DT and application will boot from slot0_partition.
223	  MCUBOOT_BOOTLOADER_NO_DOWNGRADE should also be selected
224	  if MCUboot has been built with MCUBOOT_DOWNGRADE_PREVENTION.
225
226config MCUBOOT_BOOTLOADER_MODE_SWAP_WITHOUT_SCRATCH
227	bool "MCUboot has been configured for swap without scratch operation [DEPRECATED]"
228	select DEPRECATED
229	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
230	help
231	  This Kconfig is deprecated, use MCUBOOT_BOOTLOADER_MODE_SWAP_USING_MOVE instead.
232
233config MCUBOOT_BOOTLOADER_MODE_SWAP_SCRATCH
234	bool "MCUboot has been configured for swap using scratch operation"
235	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
236	help
237	  MCUboot expects slot0_partition, slot1_partition and scratch_partition
238	  to be present in DT, and application will boot from slot0_partition.
239	  In this mode scratch_partition is used as temporary storage when
240	  MCUboot swaps application from the secondary slot to the primary
241	  slot.
242	  MCUBOOT_BOOTLOADER_NO_DOWNGRADE should also be selected
243	  if MCUboot has been built with MCUBOOT_DOWNGRADE_PREVENTION.
244
245config MCUBOOT_BOOTLOADER_MODE_OVERWRITE_ONLY
246	bool "MCUboot has been configured to just overwrite primary slot"
247	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
248	select MCUBOOT_IMGTOOL_OVERWRITE_ONLY
249	help
250	  MCUboot will take contents of secondary slot of an image and will
251	  overwrite primary slot with it.
252	  In this mode it is not possible to revert back to previous version
253	  as it is not stored in the secondary slot.
254	  This mode supports MCUBOOT_BOOTLOADER_NO_DOWNGRADE which means
255	  that the overwrite will not happen unless the version of secondary
256	  slot is higher than the version in primary slot.
257
258config MCUBOOT_BOOTLOADER_MODE_RAM_LOAD
259	bool "MCUboot has been configured for RAM LOAD operation"
260	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
261	select MCUBOOT_BOOTLOADER_NO_DOWNGRADE
262	help
263	  MCUboot expects slot0_partition and slot1_partition to exist in DT. In this mode, MCUboot
264	  will select the image with the higher version number, copy it to RAM and begin execution
265	  from there. The image must be linked to execute from RAM, the address that it is copied
266	  to is specified using the load-addr argument when running imgtool.
267	  This option automatically selects MCUBOOT_BOOTLOADER_NO_DOWNGRADE as it is not possible
268	  to swap back to older version of the application.
269
270config MCUBOOT_BOOTLOADER_MODE_RAM_LOAD_WITH_REVERT
271	bool "MCUboot has been configured for RAM LOAD with revert"
272	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
273	select MCUBOOT_BOOTLOADER_NO_DOWNGRADE
274	help
275	  MCUboot expects slot0_partition and slot1_partition to exist in DT. In this mode, MCUboot
276	  will select the image with the higher version number, copy it to RAM and begin execution
277	  from there. The image must be linked to execute from RAM, the address that it is copied
278	  to is specified using the load-addr argument when running imgtool.
279	  This option automatically selects MCUBOOT_BOOTLOADER_NO_DOWNGRADE as
280	  MCUboot will automatically select the highest revision of the application
281	  to boot. Note, however, that MCUboot will select an older revision of
282	  the application if the booted revision does not mark itself as confirmed.
283	  In this mode MCUboot will boot the application with the higher
284	  version from either slot, as long as it has been marked to be booted
285	  next time, either for test or permanently. If the application is marked
286	  for test, it needs to confirm itself on the first boot, or it will be
287	  removed and MCUboot will revert to booting the previously approved
288	  application. Note that in this mode MCUboot will not boot an
289	  application if it does not have an image header, so if an application
290	  is flashed manually it should be marked as confirmed.
291
292config MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP
293	bool "MCUboot has been configured for DirectXIP operation"
294	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
295	select MCUBOOT_BOOTLOADER_NO_DOWNGRADE
296	help
297	  MCUboot expects slot0_partition and slot1_partition to exist in DT.
298	  In this mode MCUboot can boot from either partition and will
299	  select the one with the higher application image version, which usually
300	  means the major.minor.patch triple, unless BOOT_VERSION_CMP_USE_BUILD_NUMBER
301	  is also selected, which enables comparison of the build number.
302	  This option automatically selects
303	  MCUBOOT_BOOTLOADER_NO_DOWNGRADE as it is not possible
304	  to swap back to older version of application.
305
306config MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP_WITH_REVERT
307	bool "MCUboot has been configured for DirectXIP with revert"
308	select MCUBOOT_BOOTUTIL_LIB
309	select MCUBOOT_BOOTUTIL_LIB_FOR_DIRECT_XIP
310	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
311	select MCUBOOT_BOOTLOADER_NO_DOWNGRADE
312	imply MCUBOOT_GENERATE_CONFIRMED_IMAGE
313	help
314	  MCUboot expects slot0_partition and slot1_partition to exist in DT.
315	  In this mode MCUboot will boot the application with the higher version
316	  from either slot, as long as it has been marked to be booted
317	  next time, either for test or permanently. If the application is marked
318	  for test, it needs to confirm itself on the first boot, or it will
319	  be removed and MCUboot will revert to booting the previously approved
320	  application.
321	  This mode does not allow freely switching between application
322	  versions, as, once higher version application is approved, it is
323	  not possible to select lower version for boot.
324	  This mode selects MCUBOOT_BOOTLOADER_NO_DOWNGRADE as it is not possible
325	  to downgrade running application, but note that MCUboot may do that
326	  if application with higher version will not get confirmed.
327
328config MCUBOOT_BOOTLOADER_MODE_FIRMWARE_UPDATER
329	bool "MCUboot has been configured in firmware updater mode"
330	select MCUBOOT_IMGTOOL_OVERWRITE_ONLY
331	help
332	  MCUboot will only boot slot0_partition for the main application but has
333	  an entrance mechanism defined for entering the slot1_partition which is
334	  a dedicated firmware updater application used to update the slot0_partition
335	  application.
336
337config MCUBOOT_BOOTLOADER_MODE_SINGLE_APP_RAM_LOAD
338	bool "MCUboot has been configured in single app RAM load mode"
339	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
340	select MCUBOOT_BOOTLOADER_NO_DOWNGRADE
341	help
342	  MCUboot can load the image to RAM from an arbitrary location. In this mode,
343	  MCUboot will copy the image to RAM and begin execution from there. The image
344	  must be linked to execute from RAM, the address that it is copied to is
345	  specified using the load-addr argument when running imgtool.
346	  Note that while not used directly, a slot0_partition must be defined in the
347	  DT, as it is used to get information about size of the image to be loaded.
348	  This option automatically selects MCUBOOT_BOOTLOADER_NO_DOWNGRADE as it is
349	  not possible to swap back to older version of the application. In fact, none
350	  of the swap operations are supported in this mode.
351
352endchoice # MCUBOOT_BOOTLOADER_MODE
353
354config MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
355	bool
356	help
357	  Selected mode supports downgrade prevention, where you cannot switch to
358	  an application with lower version than the currently running application.
359
360if MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
361config MCUBOOT_BOOTLOADER_NO_DOWNGRADE
362	bool "MCUboot mode has downgrade prevention enabled"
363	help
364	  The selected MCUboot mode has downgrade prevention enabled, so you cannot
365	  change back to an image with a lower version number. This option only
366	  informs the application build; select it when MCUboot itself has been
367	  built with the MCUBOOT_DOWNGRADE_PREVENTION option enabled.
368endif
369
370config MCUBOOT_BOOTLOADER_USES_SHA512
371	bool "MCUboot uses SHA512 for image hash"
372	help
373	  MCUboot has been compiled to verify images using SHA512.
374
375config MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE
376	bool "Signature is verified over an image rather than sha of an image"
377	help
378	  MCUboot has been compiled to verify images using pure signature
379	  verification, i.e., the signature is verified over the image rather
380	  than the SHA of the image.
381
382config MCUBOOT_APPLICATION_FIRMWARE_UPDATER
383	bool "Application is firmware updater image"
384	depends on MCUBOOT_BOOTLOADER_MODE_FIRMWARE_UPDATER
385	help
386	  Select this if the current image is the firmware updater image. This will use slot 1
387	  information when signing the image.
388
389	  Note that the zephyr chosen node ``zephyr,code-partition`` should be set to
390	  ``slot1_partition`` for this image.
391
392endmenu # On board MCUboot operation mode
393
394endif # BOOTLOADER_MCUBOOT
395
396menuconfig MCUBOOT_BOOTUTIL_LIB
397	bool "MCUboot utility library"
398	help
399	  Enable MCUboot utility library which implements functions
400	  required by the chain-loaded application and the MCUboot.
401
402if MCUBOOT_BOOTUTIL_LIB
403
404# hidden option for disabling module-own log configuration
405# while building MCUboot bootloader
406config MCUBOOT_BOOTUTIL_LIB_OWN_LOG
407	bool
408	default y
409
410if MCUBOOT_BOOTUTIL_LIB_OWN_LOG
411module = MCUBOOT_UTIL
412module-str = MCUboot bootutil
413source "subsys/logging/Kconfig.template.log_config"
414endif
415
416config BOOT_IMAGE_ACCESS_HOOKS
417	bool "Hooks for overriding MCUboot's bootutil native routines"
418	help
419	  Allows providing procedures that override or extend MCUboot's native
420	  routines required for accessing the image data.
421	  It is up to the application project to add the source file that
422	  implements the hooks to the build.
423
424if MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP_WITH_REVERT
425
426config MCUBOOT_BOOTUTIL_LIB_FOR_DIRECT_XIP
427	bool
428	help
429	  Adds support for marking images for test and confirming them
430	  when the bootloader is in DirectXIP-revert mode.
431endif
432
433DT_CHOSEN_ZEPHYR_FLASH := zephyr,flash
434DT_CHOSEN_ZEPHYR_FLASH_NODE := $(dt_chosen_path,$(DT_CHOSEN_ZEPHYR_FLASH))
435
436config MCUBOOT_BOOT_MAX_ALIGN
437	int "Override programmable flash block alignment"
438	default $(dt_node_int_prop_int,$(DT_CHOSEN_ZEPHYR_FLASH_NODE),write-block-size)
439	help
440	  Allow to override the programmable flash block alignment size.
441	  By default it's set to the maximum of the write block size of
442	  the chosen zephyr,flash node and 8.
443
444endif # MCUBOOT_BOOTUTIL_LIB
445