1# Configuration for the TF-M Module
2
3# Copyright (c) 2019, 2020 Linaro Limited
4# Copyright (c) 2020, 2021 Nordic Semiconductor ASA
5# Copyright 2024 Arm Limited and/or its affiliates <open-source-office@arm.com>
6# SPDX-License-Identifier: Apache-2.0
7
8config ZEPHYR_TRUSTED_FIRMWARE_M_MODULE
9	bool
10
11config TFM_BOARD
12	string
13	default "nxp/lpcxpresso55s69" if BOARD_LPCXPRESSO55S69_LPC55S69_CPU0_NS
14	default "arm/mps2/an521" if BOARD_MPS2_AN521_CPU0_NS
15	default "arm/mps3/corstone300/fvp"   if BOARD_MPS3_CORSTONE300_FVP_NS
16	default "arm/mps3/corstone300/an547" if BOARD_MPS3_CORSTONE300_AN547_NS
17	default "arm/mps3/corstone300/an552" if BOARD_MPS3_CORSTONE300_AN552_NS
18	default "arm/mps3/corstone310/an555" if BOARD_MPS3_CORSTONE310_AN555_NS
19	default "arm/mps3/corstone310/fvp"   if BOARD_MPS3_CORSTONE310_FVP_NS
20	default "stm/b_u585i_iot02a" if BOARD_B_U585I_IOT02A
21	default "stm/nucleo_l552ze_q" if BOARD_NUCLEO_L552ZE_Q
22	default "stm/stm32l562e_dk" if BOARD_STM32L562E_DK
23	default "arm/musca_b1" if BOARD_V2M_MUSCA_B1
24	default "arm/musca_s1" if BOARD_V2M_MUSCA_S1
25	default "${ZEPHYR_BASE}/modules/trusted-firmware-m/nordic/nrf9160" if SOC_NRF9160
26	default "${ZEPHYR_BASE}/modules/trusted-firmware-m/nordic/nrf9120" if SOC_NRF9120
27	default "${ZEPHYR_BASE}/modules/trusted-firmware-m/nordic/nrf5340_cpuapp" if SOC_NRF5340_CPUAPP
28	help
29	  The board name used for building TFM. Building with TFM requires that
30	  TFM has been ported to the given board/SoC.
31
32menuconfig BUILD_WITH_TFM
33	bool "Build with TF-M as the Secure Execution Environment"
34	depends on TRUSTED_EXECUTION_NONSECURE
35	depends on TFM_BOARD != ""
36	depends on ARM_TRUSTZONE_M
37	select BUILD_OUTPUT_HEX
38	select PSA_CRYPTO_CLIENT
39	imply INIT_ARCH_HW_AT_BOOT
40	imply ARM_NONSECURE_PREEMPTIBLE_SECURE_CALLS
41	imply MBEDTLS
42	help
43	  When enabled, this option instructs the Zephyr build process to
44	  additionally generate a TF-M image for the Secure Execution
45	  environment, along with the Zephyr image. The Zephyr image
46	  itself is to be executed in the Non-Secure Processing Environment.
47	  The required dependency on TRUSTED_EXECUTION_NONSECURE
48	  ensures that the Zephyr image is built as a Non-Secure image. Both
49	  TF-M and Zephyr images, as well as the veneer object file that links
50	  them, are generated during the normal Zephyr build process.
51
52	  Notes:
53	    Building with the "/ns" BOARD variant (e.g. "mps2/an521/cpu0/ns")
54	    ensures that CONFIG_TRUSTED_EXECUTION_NONSECURE is enabled.
55
56	    By default we allow Zephyr preemptible threads be preempted
57	    while performing a secure function call.
58
59if BUILD_WITH_TFM
60
61config TFM_PROFILE
62	string
63	default "profile_small" if TFM_PROFILE_TYPE_SMALL
64	default "profile_medium" if TFM_PROFILE_TYPE_MEDIUM
65	default "profile_medium_arotless" if TFM_PROFILE_TYPE_AROTLESS
66	default "profile_large" if TFM_PROFILE_TYPE_LARGE
67	help
68	  Build profile used to build tfm_s image. The available values are
69	  profile_large, profile_medium and profile_small. The default profile
70	  does not need to have this configuration set.
71
72choice TFM_PROFILE_TYPE
73	prompt "TF-M build profile"
74	default TFM_PROFILE_TYPE_NOT_SET
75	help
76	  The TF-M build profile selection. Can be empty (not set),
77	  small, medium or large. Certain profile types enable other
78	  TF-M configuration options, namely, the IPC model and the
79	  isolation level.
80
81config TFM_PROFILE_TYPE_NOT_SET
82	bool "TF-M build profile: not set (base)"
83
84config TFM_PROFILE_TYPE_SMALL
85	bool "TF-M build profile: small"
86
87config TFM_PROFILE_TYPE_MEDIUM
88	bool "TF-M build profile: medium"
89
90config TFM_PROFILE_TYPE_AROTLESS
91	bool "TF-M build profile: ARoT-less"
92
93config TFM_PROFILE_TYPE_LARGE
94	bool "TF-M build profile: large"
95
96endchoice
97
98choice TFM_CMAKE_BUILD_TYPE
99	prompt "The build type for TFM"
100	default TFM_CMAKE_BUILD_TYPE_RELEASE if SPEED_OPTIMIZATIONS && BUILD_OUTPUT_STRIPPED
101	default TFM_CMAKE_BUILD_TYPE_MINSIZEREL if SIZE_OPTIMIZATIONS || SIZE_OPTIMIZATIONS_AGGRESSIVE
102	default TFM_CMAKE_BUILD_TYPE_DEBUG if DEBUG_OPTIMIZATIONS
103	default TFM_CMAKE_BUILD_TYPE_RELWITHDEBINFO
104
105config TFM_CMAKE_BUILD_TYPE_RELEASE
106	bool "Release build"
107
108config TFM_CMAKE_BUILD_TYPE_RELWITHDEBINFO
109	bool "Release build with Debug info"
110
111config TFM_CMAKE_BUILD_TYPE_MINSIZEREL
112	bool "Release build, optimized for size"
113
114config TFM_CMAKE_BUILD_TYPE_DEBUG
115	bool "Debug build"
116
117endchoice
118
119config TFM_ISOLATION_LEVEL
120	int "Isolation level setting." if (TFM_PROFILE_TYPE_NOT_SET && TFM_IPC)
121	range 1 3
122	default 1 if TFM_PROFILE_TYPE_SMALL || !TFM_IPC
123	default 2 if TFM_PROFILE_TYPE_MEDIUM
124	default 3 if TFM_PROFILE_TYPE_LARGE
125	help
126	  Manually set the required TFM isolation level. Possible values are
127	  1,2 or 3; the default is set by build configuration. When TF-M
128	  Profile option is supplied, do not allow manual setting of the
129	  isolation level, as it is determined by the profile setting.
130	  As isolation levels 2 and 3 require PSA_API (TFM_IPC) support,
131	  force level 1 when TFM_IPC is not enabled.
132
133config TFM_ITS_NUM_ASSETS_OVERRIDE
134	bool "Override maximum number of Internal Trusted Storage assets"
135	help
136	  Override the platform's default maximum number of assets to be stored in
137	  Internal Trusted Storage (ITS) with TFM_ITS_NUM_ASSETS.
138
139config TFM_ITS_NUM_ASSETS
140	int "Maximum number of Internal Trusted Storage assets"
141	depends on TFM_ITS_NUM_ASSETS_OVERRIDE
142	default 0
143	help
144	  Maximum number of assets to be stored in Internal Trusted Storage (ITS).
145
146config TFM_ITS_MAX_ASSET_SIZE_OVERRIDE
147	bool "Override maximum Internal Trusted Storage asset size"
148	help
149	  Override the platform's default maximum size of a single asset to be
150	  stored in Internal Trusted Storage (ITS) with TFM_ITS_MAX_ASSET_SIZE.
151
152config TFM_ITS_MAX_ASSET_SIZE
153	int "Maximum Internal Trusted Storage asset size"
154	depends on TFM_ITS_MAX_ASSET_SIZE_OVERRIDE
155	default 0
156	help
157	  Maximum size (in bytes) of a single asset to be stored in Internal Trusted
158	  Storage (ITS).
159
160config TFM_PARTITION_PLATFORM_CUSTOM_REBOOT
161	bool "Use custom reboot handler"
162	depends on TFM_PARTITION_PLATFORM
163	help
164	  Do not include the default zephyr implementation of calling the TF-M
165	  platform reset service.
166	  Instead the application will have to override the weak ARM
167	  implementation of sys_arch_reset().
168
169config TFM_DUMMY_PROVISIONING
170	bool "Provision with dummy values. NOT to be used in production"
171	select TFM_INITIAL_ATTESTATION_KEY
172	default y
173	help
174	  If this option is enabled (as it is by default), a set of dummy
175	  keys / data will be provisioned. The dummy IAK matches the IAK tested
176	  by the TF-M tests, and the dummy bl2 ROTPKs match the dummy bl2 keys
177	  used by default.
178	  This option MUST not be used in production hardware, as the keys are
179	  insecure.
180
181config TFM_INITIAL_ATTESTATION_KEY
182	bool
183	help
184	  Hidden option to mark that the TF-M platform has an initial
185	  attestation key, which is a requirement for the Initial Attestation
186	  partition.
187
188config TFM_BL2_NOT_SUPPORTED
189	bool
190	help
191	  Hidden option to mark the BL2, the MCUBoot included in TF-M, as not supported.
192	  Platforms that don't use BL2 should select this option.
193
194config TFM_IMAGE_VERSION_S
195	string "Version of the Secure Image"
196	default "$(APP_VERSION_TWEAK_STRING)" if "$(VERSION_MAJOR)" != "" && TFM_MCUBOOT_IMAGE_NUMBER = 1
197	default "0.0.0+0"
198	help
199	  Version of the secure image. This version is also used for merged
200	  secure + non-secure builds (TFM_MCUBOOT_IMAGE_NUMBER == 1).
201
202config TFM_IMAGE_VERSION_NS
203	string "Version of the Non-Secure Image"
204	default "$(APP_VERSION_TWEAK_STRING)" if "$(VERSION_MAJOR)" != "" && TFM_MCUBOOT_IMAGE_NUMBER = 2
205	default "0.0.0+0"
206	help
207	  Version of the non-secure image.
208
209config TFM_BL2
210	bool "Add MCUboot to TFM"
211	depends on !TFM_BL2_NOT_SUPPORTED
212	default y
213	help
214	  TFM is designed to run with MCUboot in a certain configuration.
215	  This config adds MCUboot to the build - built via TFM's build system.
216
217config TFM_USE_NS_APP
218	bool "Use the TF-M Non-Secure application"
219	help
220	  The TF-M build system can produce multiple executable files.
221	  The main one is the TF-M secure firmware. Optionally the TF-M
222	  non-secure application can be built.
223	  Usually the TF-M non-secure application is not used since the
224	  zephyr application is the non-secure application.
225	  With this option enabled this is reversed and the TF-M non-secure
226	  application is used instead of the Zephyr non-secure application.
227
228	  This option is intended for testing purposes only, since this is the
229	  easiest way to integrate and run the TF-M regression tests in the
230	  zephyr build system.
231
232config TFM_CONNECTION_BASED_SERVICE_API
233	bool "TF-M use connection based service APIs"
234	help
235	  The TF-M build system produces an interface source file for accessing
236	  connection based services.
237	  Select this option when TF-M service models requires this source file.
238
239	  Note: This is an auto-generated configuration in the TF-M build
240	  system. When this option is not enabled in the TF-M build system this
241	  will result in compilation error.
242
243if TFM_BL2
244
245config TFM_IMAGE_SECURITY_COUNTER
246	int "Security counter value used for hardware rollback protection"
247	range 1 1024
248	default 1
249	help
250	  By default, TFM enables hardware rollback protection, which requires a security counter
251	  to be embedded in the image trailer. As per "Hardware-based downgrade prevention" in
252	  mcuboot/docs/design.md, this does not need to be incremented on every firmware update,
253	  but hardware rollback protection will only apply when this value is incremented.
254
255config TFM_MCUBOOT_SIGNATURE_TYPE
256	string "The signature type used to sign the secure and non-secure firmware images."
257	default "EC-P256"
258	help
259	  Available types: RSA-2048, RSA-3072, EC-P256, EC-P384.
260
261config TFM_KEY_FILE_S
262	string "Path to private key used to sign secure firmware images."
263	default "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/bl2/ext/mcuboot/root-${CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE}.pem"
264	help
265	  The path and filename for the .pem file containing the private key
266	  that should be used by the BL2 bootloader when signing secure
267	  firmware images. This key file is also used for merged secure +
268	  non-secure builds (TFM_MCUBOOT_IMAGE_NUMBER == 1).
269
270config TFM_KEY_FILE_NS
271	string "Path to private key used to sign non-secure firmware images."
272	default "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/bl2/ext/mcuboot/root-${CONFIG_TFM_MCUBOOT_SIGNATURE_TYPE}_1.pem"
273	help
274	  The path and filename for the .pem file containing the private key
275	  that should be used by the BL2 bootloader when signing non-secure
276	  firmware images.
277
278config TFM_MCUBOOT_IMAGE_NUMBER
279	int "Granularity of FW updates of TFM and app"
280	range 1 2
281	default 2
282	help
283	  How many images the bootloader sees when it looks at TFM and the app.
284	  When this is 1, the S and NS are considered as 1 image and must be
285	  updated in one atomic operation. When this is 2, they are split and
286	  can be updated independently if dependency requirements are met.
287
288choice TFM_MCUBOOT_PATH
289	prompt "Path to MCUboot or DOWNLOAD to fetch automatically"
290	default TFM_MCUBOOT_PATH_LOCAL
291	help
292	   Path to MCUboot for TF-M builds. The default option
293	   is to use Zephyr's MCUboot module. As an alternative,
294	   users may switch to the 'download' version; in that
295	   case MCUboot will be fetched by the TF-M build during
296	   build time. The default option ensures that Zephyr builds
297	   with TF-M do not fetch external trees.
298
299config TFM_MCUBOOT_PATH_LOCAL
300	bool "TF-M to use Zephyr's MCUboot"
301	help
302	  TF-M builds with BL2 will use the Zephyr's MCUboot version,
303	  which is present in the MCUboot module.
304
305config TFM_MCUBOOT_PATH_DOWNLOAD
306	bool "TF-M to automatically download MCUboot during build"
307	help
308	  TF-M builds with BL2 will let the TF-M build to automatically
309	  fetch and check-out the MCUboot version to use in the build.
310
311endchoice
312
313config TFM_QCBOR_PATH
314	string
315	prompt "Path to QCBOR or DOWNLOAD to fetch automatically"
316	default ""
317	help
318	  Path to QCBOR for TF-M builds. Due to a license issue with this
319	  library Zephyr does not ship with this library.
320	  If the application wishes to still use this library they can point
321	  to their own checkout of this library, or set to DOWNLOAD to allow
322	  TF-M build system to automatically download this.
323
324config TFM_MCUBOOT_DATA_SHARING
325	bool "Share app-specific data between TF-M and MCUBoot"
326	help
327	  Add sharing of application specific data using the same
328	  shared data area as for the measured boot.
329
330endif # TFM_BL2
331
332choice TFM_MODEL
333	prompt "TF-M Firmware Framework model"
334	default TFM_SFN if TFM_PROFILE_TYPE_SMALL
335	default TFM_IPC
336	help
337	  The Firmware Framework M (FF-M) provides different programming models
338	  for Secure Partitions.
339
340config TFM_IPC
341	bool "IPC Model"
342	help
343	  Use the IPC Model as the SPM backend for the PSA API.
344	  The IPC model supports the IPC and SFN Partition models, and
345	  isolation levels 1, 2 and 3.
346
347	  In this model each Secure Partition processes signals in any order,
348	  and can defer responding to a message while continuing to process
349	  other signals.
350
351	  The IPC model conforms to the PSA Firmware Framework for M (FF-M)
352	  v1.1.
353
354config TFM_SFN
355	bool "SFN model"
356	help
357	  Use the SFN Model as the SPM backend for the PSA API.
358	  The SFN model supports the SFN Partition model, and isolation level 1.
359
360	  In this model each Secure Partition is made up of a collection of
361	  callback functions which implement secure services.
362
363	  The SFN model conforms to the PSA Firmware Framework for M (FF-M)
364	  v1.1.
365
366endchoice # TFM_MODEL
367
368config TFM_REGRESSION_S
369	bool "TF-M Secure Regression tests"
370	help
371	  When enabled, this option signifies that the TF-M build includes
372	  the Secure domain regression tests.
373	  The regression tests will be included in the TF-M secure firmware.
374
375config TFM_REGRESSION_NS
376	bool "TF-M Non-Secure Regression tests"
377	help
378	  When enabled, this option signifies that the TF-M build includes
379	  the Non-Secure domain regression tests.
380	  The regression tests will be included in the TF-M non-secure
381	  application.
382
383choice TFM_PSA_TEST
384	prompt "Enable a PSA test suite"
385	default TFM_PSA_TEST_NONE
386
387config TFM_PSA_TEST_CRYPTO
388	bool "Crypto tests"
389	depends on MAIN_STACK_SIZE >= 4096
390	help
391	  Enable the PSA Crypto test suite.
392
393config TFM_PSA_TEST_PROTECTED_STORAGE
394	bool "Storage tests"
395	help
396	  Enable the PSA Protected Storage test suite.
397
398config TFM_PSA_TEST_INTERNAL_TRUSTED_STORAGE
399	bool "Internal Trusted Storage tests"
400	help
401	  Enable the PSA Internal Trusted Storage test suite.
402
403config TFM_PSA_TEST_STORAGE
404	bool "Storage tests"
405	help
406	  Enable the PSA Storage test suite. This is a combination of the
407	  protected storage and internal trusted storage tests.
408
409config TFM_PSA_TEST_INITIAL_ATTESTATION
410	bool "Initial attestation tests"
411	depends on MAIN_STACK_SIZE >= 4096
412	select TFM_PARTITION_INITIAL_ATTESTATION
413	help
414	  Enable the PSA Initial Attestation test suite.
415
416config TFM_PSA_TEST_NONE
417	bool "No PSA test suite"
418
419endchoice
420
421if TFM_BL2
422
423config ROM_START_OFFSET
424	hex "ROM Start Offset accounting for BL2 Header in the NS image"
425	default 0x400
426	help
427	  By default BL2 header size in TF-M is 0x400. ROM_START_OFFSET
428	  needs to be updated if TF-M switches to use a different header
429	  size for BL2.
430
431choice TFM_BL2_LOG_LEVEL
432	prompt "BL2 Log Level" if !TFM_LOG_LEVEL_SILENCE
433	default TFM_BL2_LOG_LEVEL_INFO
434	config TFM_BL2_LOG_LEVEL_DEBUG
435		bool "Debug"
436	config TFM_BL2_LOG_LEVEL_INFO
437		bool "Info"
438	config TFM_BL2_LOG_LEVEL_WARNING
439		bool "Warning"
440	config TFM_BL2_LOG_LEVEL_ERROR
441		bool "Error"
442	config TFM_BL2_LOG_LEVEL_OFF
443		bool "Off"
444endchoice
445
446endif # !TFM_BL2
447
448# Option to instruct flashing a merged binary consisting of BL2 (optionally),
449# TF-M (Secure), and application (Non-Secure).
450config TFM_FLASH_MERGED_BINARY
451	bool
452	help
453	  This option instructs west flash to program the combined (merged)
454	  binary consisting of the TF-M Secure firmware image, optionally, the
455	  BL2 image (if building with TFM_BL2 is enabled), and the Non-Secure
456	  application firmware.
457
458config TFM_LOG_LEVEL_SILENCE
459	bool "TF-M Disable secure logging"
460	help
461	  Set the log level to silence for all TF-M modules (SPM, partition, etc.).
462	  On some platforms this will release the UART from
463	  the secure domain and reduce the uart driver's flash usage.
464
465choice TFM_SPM_LOG_LEVEL
466	prompt "TF-M SPM Log Level" if !TFM_LOG_LEVEL_SILENCE
467	default TFM_SPM_LOG_LEVEL_INFO
468config TFM_SPM_LOG_LEVEL_DEBUG
469	bool "Debug"
470config TFM_SPM_LOG_LEVEL_INFO
471	bool "Info"
472config TFM_SPM_LOG_LEVEL_ERROR
473	bool "Error"
474config TFM_SPM_LOG_LEVEL_SILENCE
475	bool "Off"
476endchoice
477
478config TFM_EXCEPTION_INFO_DUMP
479	bool "TF-M exception info dump"
480	default y
481	help
482	  On fatal errors in the secure firmware, capture info about the exception.
483	  Print the info if the SPM log level is sufficient.
484
485endif # BUILD_WITH_TFM
486