1# Copyright (c) 2017-2020 Linaro Limited
2# Copyright (c) 2020 Arm Limited
3# Copyright (c) 2023 Nordic Semiconductor ASA
4#
5# SPDX-License-Identifier: Apache-2.0
6#
7
8mainmenu "MCUboot configuration"
9
10comment "MCUboot-specific configuration options"
11
12# Hidden option to mark a project as MCUboot
13config MCUBOOT
14	default y
15	bool
16	select MPU_ALLOW_FLASH_WRITE if ARM_MPU
17	select USE_DT_CODE_PARTITION if HAS_FLASH_LOAD_OFFSET
18	select MCUBOOT_BOOTUTIL_LIB
19
20config BOOT_USE_MBEDTLS
21	bool
22	# Hidden option
23	default n
24	help
25	  Use mbedTLS for crypto primitives.
26
27config BOOT_USE_TINYCRYPT
28	bool
29	# Hidden option
30	default n
31	# When building for ECDSA, we use our own copy of mbedTLS, so the
32	# Zephyr one must not be enabled or the MBEDTLS_CONFIG_FILE macros
33	# will collide.
34	select MBEDTLS_PROMPTLESS if ZEPHYR_MBEDTLS_MODULE
35	help
36	  Use TinyCrypt for crypto primitives.
37
38config BOOT_USE_CC310
39	bool
40	# Hidden option
41	default n
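	# When building for ECDSA, we use our own copy of mbedTLS, so the
	# Zephyr one must not be enabled or the MBEDTLS_CONFIG_FILE macros
	# will collide.
	# NOTE(review): unlike BOOT_USE_TINYCRYPT, no
	# "select MBEDTLS_PROMPTLESS" follows this comment here; confirm
	# whether the select was left out on purpose.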
45	help
46	  Use cc310 for crypto primitives.
47
48config BOOT_USE_NRF_CC310_BL
49	bool
50	default n
51
52config NRFXLIB_CRYPTO
53	bool
54	default n
55
56config NRF_CC310_BL
57	bool
58	default n
59
60menu "MCUBoot settings"
61
62config SINGLE_APPLICATION_SLOT
63	bool "Single slot bootloader"
64	default n
65	help
66	  Single image area is used for application which means that
67	  uploading a new application overwrites the one that previously
68	  occupied the area.
69
70choice BOOT_SIGNATURE_TYPE
71	prompt "Signature type"
72	default BOOT_SIGNATURE_TYPE_RSA
73
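config BOOT_SIGNATURE_TYPE_NONE
	bool "No signature; use only hash check"
	select BOOT_USE_TINYCRYPT
	help
	  Images are checked against their hash only. The hash detects
	  accidental corruption but is not keyed, so it does not authenticate
	  the image: anyone able to write an image slot can install firmware
	  that passes this check. Intended for development and bring-up;
	  select one of the signature types for deployed devices.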
77
78config BOOT_SIGNATURE_TYPE_RSA
79	bool "RSA signatures"
80	select BOOT_USE_MBEDTLS
81	select MBEDTLS
82	select BOOT_ENCRYPTION_SUPPORT
83
84if BOOT_SIGNATURE_TYPE_RSA
85config BOOT_SIGNATURE_TYPE_RSA_LEN
86	int "RSA signature length"
87	range 2048 3072
88	default 2048
89endif
90
91config BOOT_SIGNATURE_TYPE_ECDSA_P256
92	bool "Elliptic curve digital signatures with curve P-256"
93	select BOOT_ENCRYPTION_SUPPORT
94
95if BOOT_SIGNATURE_TYPE_ECDSA_P256
96choice BOOT_ECDSA_IMPLEMENTATION
97	prompt "Ecdsa implementation"
98	default BOOT_ECDSA_TINYCRYPT
99
100config BOOT_ECDSA_TINYCRYPT
101	bool "Use tinycrypt"
102	select BOOT_USE_TINYCRYPT
103
104config BOOT_ECDSA_CC310
105	bool "Use CC310"
106	depends on HAS_HW_NRF_CC310
107	select BOOT_USE_NRF_CC310_BL
108	select NRF_CC310_BL
109	select NRFXLIB_CRYPTO
110	select BOOT_USE_CC310
111endchoice # Ecdsa implementation
112endif
113
114config BOOT_SIGNATURE_TYPE_ED25519
115	bool "Edwards curve digital signatures using ed25519"
116	select BOOT_ENCRYPTION_SUPPORT
117
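if BOOT_SIGNATURE_TYPE_ED25519
# Crypto library that provides the primitives for Ed25519 verification.
choice BOOT_ED25519_IMPLEMENTATION
	prompt "Ed25519 implementation"
	default BOOT_ED25519_TINYCRYPT

config BOOT_ED25519_TINYCRYPT
	bool "Use tinycrypt"
	select BOOT_USE_TINYCRYPT

config BOOT_ED25519_MBEDTLS
	bool "Use mbedTLS"
	select BOOT_USE_MBEDTLS
	select MBEDTLS

endchoice # Ed25519 implementation
endif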
131
132endchoice
133
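config BOOT_SIGNATURE_KEY_FILE
	string "PEM key file"
	default "root-ec-p256.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256
	default "root-ed25519.pem" if BOOT_SIGNATURE_TYPE_ED25519
	default "root-rsa-3072.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=3072
	default "root-rsa-2048.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=2048
	default ""
	help
	  You can use either absolute or relative path.
	  In case relative path is used, the build system assumes that it starts
	  from the directory where the MCUBoot KConfig configuration file is
	  located. If the key file is not there, the build system uses relative
	  path that starts from the MCUBoot repository root directory.
	  The key file will be parsed by imgtool's getpub command and a .c source
	  with the public key information will be written in a format expected by
	  MCUboot.

	  The default file names refer to the sample keys kept in the MCUboot
	  repository. Their private halves are published together with the
	  source, so a bootloader built with them accepts images that anyone
	  can sign. Point this option at a key generated and stored for the
	  product before building for production.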
150
151config MCUBOOT_CLEANUP_ARM_CORE
152	bool "Perform core cleanup before chain-load the application"
153	depends on CPU_CORTEX_M
154	default y
155	help
156	  This option instructs MCUboot to perform a clean-up of a set of
157	  architecture core HW registers before jumping to the application
158	  firmware. The clean-up sets these registers to their warm-reset
159	  values as specified by the architecture.
160
161	  This option is enabled by default to prevent possible problems when
162	  booting zephyr (or other) applications whereby e.g. a MPU stack guard
163	  may be initialised in RAM which is then used by the application
164	  start-up code which can cause a module fault and potentially make the
165	  module irrecoverable.
166
167config MBEDTLS_CFG_FILE
168	default "mcuboot-mbedtls-cfg.h"
169
170config BOOT_HW_KEY
171	bool "Use HW key for image verification"
172	default n
173	help
174	  Use HW key for image verification, otherwise the public key is embedded
175	  in MCUBoot. If enabled the public key is appended to the signed image
176	  and requires the hash of the public key to be provisioned to the device
177	  beforehand.
178
179config BOOT_VALIDATE_SLOT0
180	bool "Validate image in the primary slot on every boot"
181	default y
182	help
183	  If y, the bootloader attempts to validate the signature of the
184	  primary slot every boot. This adds the signature check time to
185	  every boot, but can mitigate against some changes that are
186	  able to modify the flash image itself.
187
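config BOOT_VALIDATE_SLOT0_ONCE
	bool "Validate image in the primary slot just once after upgrade"
	depends on !BOOT_VALIDATE_SLOT0 && SINGLE_APPLICATION_SLOT
	default n
	help
	  If y, the bootloader attempts to validate the signature of the
	  primary slot only once after an upgrade of the main slot.
	  It caches the result in the magic area, which makes it an insecure
	  method: on later boots the cached result is trusted and the image
	  itself is not verified again. This option is useful for lowering
	  the boot time on low-end devices, at the cost of a lower security
	  level.
	  If unsure, leave at the default value.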
199
200config BOOT_PREFER_SWAP_MOVE
201	bool "Prefer the newer swap move algorithm"
202	default y if SOC_FAMILY_NORDIC_NRF
203	default y if !$(dt_nodelabel_enabled,scratch_partition)
204	help
205	  If y, the BOOT_IMAGE_UPGRADE_MODE will default to using
206	  "move" instead of "scratch".  This is a separate bool config
207	  option, because Kconfig doesn't allow defaults to be
208	  overridden in choice options.  Most devices should be using
209	  swap move.
210
211if !SINGLE_APPLICATION_SLOT
212choice BOOT_IMAGE_UPGRADE_MODE
213	prompt "Image upgrade modes"
214	default BOOT_SWAP_USING_MOVE if BOOT_PREFER_SWAP_MOVE
215	default BOOT_SWAP_USING_SCRATCH
216
217config BOOT_SWAP_USING_SCRATCH
218	bool "Swap mode that run with the scratch partition"
219	help
220	  This is the most conservative swap mode but it can work even on
221	  devices with heterogeneous flash page layout.
222
223config BOOT_UPGRADE_ONLY
224	bool "Overwrite image updates instead of swapping"
225	help
226	  If y, overwrite the primary slot with the upgrade image instead
227	  of swapping them. This prevents the fallback recovery, but
228	  uses a much simpler code path.
229
230config BOOT_SWAP_USING_MOVE
231	bool "Swap mode that can run without a scratch partition"
232	help
233	  If y, the swap upgrade is done in two steps, where first every
234	  sector of the primary slot is moved up one sector, then for
235	  each sector X in the secondary slot, it is moved to index X in
236	  the primary slot, then the sector at X+1 in the primary is
237	  moved to index X in the secondary.
238	  This allows a swap upgrade without using a scratch partition,
239	  but is currently limited to all sectors in both slots being of
240	  the same size.
241
242config BOOT_DIRECT_XIP
243	bool "Run the latest image directly from its slot"
244	help
245	  If y, mcuboot selects the newest valid image based on the image version
246	  numbers, thereafter the selected image can run directly from its slot
247	  without having to move/copy it into the primary slot. For this reason the
248	  images must be linked to be executed from the given image slot. Using this
249	  mode results in a simpler code path and smaller code size.
250
251config BOOT_RAM_LOAD
252	bool "RAM load"
253	help
254	  If y, mcuboot selects the newest valid image based on the image version
255	  numbers, thereafter the selected image is copied to RAM and executed from
256	  there. For this reason, the image has to be linked to be executed from RAM.
257	  The address that the image is copied to is specified using the load-addr
258	  argument to the imgtool.py script which writes it to the image header.
259
260config BOOT_FIRMWARE_LOADER
261	bool "Firmware loader"
262	help
263	  If y, mcuboot will have a single application slot, and the secondary
264	  slot will be for a non-upgradeable firmware loaded image (e.g. for
265	  loading firmware via Bluetooth). The main application will boot by
266	  default unless there is an error with it or the boot mode has been
267	  forced to the firmware loader.
268
269	  Note: The firmware loader image must be signed with the same signing
270	  key as the primary image.
271
272endchoice
273
274# Workaround for not being able to have commas in macro arguments
275DT_CHOSEN_Z_SRAM := zephyr,sram
276
277if BOOT_RAM_LOAD
278config BOOT_IMAGE_EXECUTABLE_RAM_START
279	hex "Boot image executable ram start"
280	default $(dt_chosen_reg_addr_hex,$(DT_CHOSEN_Z_SRAM))
281
282config BOOT_IMAGE_EXECUTABLE_RAM_SIZE
283	int "Boot image executable base size"
284	default $(dt_chosen_reg_size_int,$(DT_CHOSEN_Z_SRAM),0)
285endif
286
287config BOOT_DIRECT_XIP_REVERT
288	bool "Enable the revert mechanism in direct-xip mode"
289	depends on BOOT_DIRECT_XIP
290	default n
291	help
292	  If y, enables the revert mechanism in direct-xip similar to the one in
293	  swap mode. It requires the trailer magic to be added to the signed image.
294	  When a reboot happens without the image being confirmed at runtime, the
295	  bootloader considers the image faulty and erases it. After this it will
296	  attempt to boot the previous image. The images can also be made permanent
297	  (marked as confirmed in advance) just like in swap mode.
298
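config BOOT_BOOTSTRAP
	bool "Bootstrap an erased primary slot from the secondary slot"
	default n
	help
	  If y, enables bootstrapping support. Bootstrapping allows an erased
	  primary slot to be initialized from a valid image in the secondary slot.
	  If unsure, leave at the default value.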
306
307config BOOT_SWAP_SAVE_ENCTLV
308	bool "Save encrypted key TLVs instead of plaintext keys in swap metadata"
309	default n
310	depends on BOOT_ENCRYPT_IMAGE
311	help
312	  If y, instead of saving the encrypted image keys in plaintext in the
313	  swap resume metadata, save the encrypted image TLVs. This should be used
314	  when there is no security mechanism protecting the data in the primary
315	  slot from being dumped. If n is selected (default), the keys are written
316	  after being decrypted from the image TLVs and could be read by an
317	  attacker who has access to the flash contents of the primary slot (eg
318	  JTAG/SWD or primary slot in external flash).
319	  If unsure, leave at the default value.
320
321endif # !SINGLE_APPLICATION_SLOT
322
323config BOOT_ENCRYPTION_SUPPORT
324	bool
325	help
326	  Hidden option used to check if image encryption is supported.
327
328config BOOT_ENCRYPT_IMAGE
329	bool "Support for encrypted image updates"
330	depends on BOOT_ENCRYPTION_SUPPORT
331	select BOOT_ENCRYPT_RSA if BOOT_SIGNATURE_TYPE_RSA
332	select BOOT_ENCRYPT_EC256 if BOOT_SIGNATURE_TYPE_ECDSA_P256
333	select BOOT_ENCRYPT_X25519 if BOOT_SIGNATURE_TYPE_ED25519
334	depends on !SINGLE_APPLICATION_SLOT || MCUBOOT_SERIAL
335	help
336	  If y, images in the secondary slot can be encrypted and are decrypted
337	  on the fly when upgrading to the primary slot, as well as encrypted
338	  back when swapping from the primary slot to the secondary slot. The
339	  encryption mechanism must match the same type as the signature type,
340	  supported types include:
341	   - RSA-OAEP (2048 bits).
342	   - ECIES using primitives described under "ECIES-P256 encryption" in
343	     docs/encrypted_images.md.
344	   - ECIES using primitives described under "ECIES-X25519 encryption"
345	     in docs/encrypted_images.md.
346
347	  Note that for single slot operation, this can still be used to allow
348	  loading encrypted images via serial recovery which are then
349	  decrypted on-the-fly without needing a second slot.
350
351config BOOT_ENCRYPT_RSA
352	bool
353	help
354	  Hidden option selecting RSA encryption.
355
356config BOOT_ENCRYPT_EC256
357	bool
358	help
359	  Hidden option selecting EC256 encryption.
360
361config BOOT_ENCRYPT_X25519
362	bool
363	help
364	  Hidden option selecting x25519 encryption.
365
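config BOOT_ENCRYPTION_KEY_FILE
	string "Encryption key file"
	depends on BOOT_ENCRYPT_IMAGE
	default "enc-rsa2048-priv.pem" if BOOT_ENCRYPT_RSA
	default "enc-ec256-priv.pem" if BOOT_ENCRYPT_EC256
	default "enc-x25519-priv.pem" if BOOT_ENCRYPT_X25519
	default ""
	help
	  You can use either absolute or relative path.
	  In case relative path is used, the build system assumes that it starts
	  from the directory where the MCUBoot KConfig configuration file is
	  located. If the key file is not there, the build system uses relative
	  path that starts from the MCUBoot repository root directory.
	  The key file will be parsed by imgtool's getpriv command and a .c source
	  with the private key information will be written in a format expected by
	  MCUboot.

	  The private key is therefore compiled into the bootloader: protect the
	  bootloader binary and the flash it is stored in against read-out, or
	  the image encryption can be undone by whoever obtains it. The default
	  file names refer to the sample keys kept in the MCUboot repository,
	  which are public; use a key generated for the product in production
	  builds.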
382
383config BOOT_MAX_IMG_SECTORS
384	int "Maximum number of sectors per image slot"
385	default 128
386	help
387	  This option controls the maximum number of sectors that each of
388	  the two image areas can contain. Smaller values reduce MCUboot's
389	  memory usage; larger values allow it to support larger images.
390	  If unsure, leave at the default value.
391
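# Selected by the members of the BOOT_SHARE_BACKEND choice that provide a
# backend; BOOT_SHARE_DATA and MEASURED_BOOT depend on it.
config BOOT_SHARE_BACKEND_AVAILABLE
	bool
	default n
	help
	  Hidden option which indicates if there is a sharing backend available.

# Workaround for not being able to have commas in macro arguments
DT_CHOSEN_BOOTLOADER_INFO := zephyr,bootloader-info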
406
407choice BOOT_SHARE_BACKEND
408	prompt "Shared data backend"
409	default BOOT_SHARE_BACKEND_DISABLED
410
411config BOOT_SHARE_BACKEND_DISABLED
412	bool "Disabled"
413	help
414	  No data sharing support.
415
416config BOOT_SHARE_BACKEND_RETENTION
417	bool "Retention"
418	depends on RETENTION
419	depends on $(dt_chosen_enabled,$(DT_CHOSEN_BOOTLOADER_INFO))
420	select BOOT_SHARE_BACKEND_AVAILABLE
421	help
422	  Use retention to share data with application. Requires:
423	    - Retained memory area
424	    - Retention partition of retained memory area
425	    - Chosen node "zephyr,bootloader-info" to be set to the retention
426	      partition
427
428config BOOT_SHARE_BACKEND_EXTERNAL
429	bool "External (user-provided code)"
430	select BOOT_SHARE_BACKEND_AVAILABLE
431	help
432	  Use a custom user-specified storage.
433
434endchoice
435
436menuconfig BOOT_SHARE_DATA
437	bool "Save application specific data"
438	default n
439	depends on BOOT_SHARE_BACKEND_AVAILABLE
440	help
	  This will allow data to be shared between MCUboot and an application,
	  it does not include any information by default.
443
444	  Note: This requires a backend to function, see
445	  BOOT_SHARE_BACKEND_RETENTION for details on using the retention
446	  subsystem as a backend.
447
448config BOOT_SHARE_DATA_BOOTINFO
449	bool "Save boot information data"
450	default n
451	depends on BOOT_SHARE_DATA
452	help
453	  This will place information about the MCUboot configuration and
454	  running application into a shared memory area.
455
456menuconfig MEASURED_BOOT
457	bool "Store the boot state/measurements in shared memory area"
458	default n
459	depends on BOOT_SHARE_BACKEND_AVAILABLE
460	help
461	  If enabled, the bootloader will store certain boot measurements such as
462	  the hash of the firmware image in a shared memory area. This data can
463	  be used later by runtime services (e.g. by a device attestation service).
464
465	  Note: This requires a backend to function, see
466	  BOOT_SHARE_BACKEND_RETENTION for details on using the retention
467	  subsystem as a backend.
468
469config MEASURED_BOOT_MAX_CBOR_SIZE
470	int "Maximum CBOR size of boot state/measurements"
471	default 64
472	range 0 256
473	depends on MEASURED_BOOT
474	help
475	  The maximum size of the CBOR message which stores boot
476	  state/measurements.
477
478choice BOOT_FAULT_INJECTION_HARDENING_PROFILE
479	prompt "Fault injection hardening profile"
480	default BOOT_FIH_PROFILE_OFF
481
482config BOOT_FIH_PROFILE_OFF
483	bool "No hardening against hardware level fault injection"
484	help
485	  No hardening in SW against hardware level fault injection: power or
486	  clock glitching, etc.
487
488config BOOT_FIH_PROFILE_LOW
489	bool "Moderate level hardening against hardware level fault injection"
490	help
491	  Moderate level hardening: Long global fail loop to avoid break out,
492	  control flow integrity check to discover discrepancy in expected code
493	  flow.
494
495config BOOT_FIH_PROFILE_MEDIUM
496	bool "Medium level hardening against hardware level fault injection"
497	help
498	  Medium level hardening: Long global fail loop to avoid break out,
499	  control flow integrity check to discover discrepancy in expected code
500	  flow, double variables to discover register or memory corruption.
501
502config BOOT_FIH_PROFILE_HIGH
503	bool "Maximum level hardening against hardware level fault injection"
504	select MBEDTLS
505	help
506	  Maximum level hardening: Long global fail loop to avoid break out,
507	  control flow integrity check to discover discrepancy in expected code
508	  flow, double variables to discover register or memory corruption, random
509	  delays to make code execution less predictable. Random delays requires an
510	  entropy source.
511
512endchoice
513
514choice BOOT_USB_DFU
515	prompt "USB DFU"
516	default BOOT_USB_DFU_NO
517
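config BOOT_USB_DFU_NO
	# Typed explicitly, like the other members of this choice.
	bool "Disabled"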
520
521config BOOT_USB_DFU_WAIT
522	bool "Wait for a prescribed duration to see if USB DFU is invoked"
523	select USB_DEVICE_STACK
524	select USB_DFU_CLASS
525	select IMG_MANAGER
526	select STREAM_FLASH
527	select MULTITHREADING
528	help
529	  If y, MCUboot waits for a prescribed duration of time to allow
530	  for USB DFU to be invoked. Please note DFU always updates the
531	  slot1 image.
532
533config BOOT_USB_DFU_GPIO
534	bool "Use GPIO to detect whether to trigger DFU mode"
535	select USB_DEVICE_STACK
536	select USB_DFU_CLASS
537	select IMG_MANAGER
538	select STREAM_FLASH
539	select MULTITHREADING
540	help
541	  If y, MCUboot uses GPIO to detect whether to invoke USB DFU.
542
543endchoice
544
545config BOOT_USB_DFU_WAIT_DELAY_MS
546	int "USB DFU wait duration"
547	depends on BOOT_USB_DFU_WAIT
548	default 12000
549	help
550	  Milliseconds to wait for USB DFU to be invoked.
551
552if BOOT_USB_DFU_GPIO
553
554config BOOT_USB_DFU_DETECT_DELAY
555	int "Serial detect pin detection delay time [ms]"
556	default 0
557	help
558	  Used to prevent the bootloader from loading on button press.
559	  Useful for powering on when using the same button as
560	  the one used to place the device in bootloader mode.
561
562endif # BOOT_USB_DFU_GPIO
563
564config BOOT_USE_BENCH
565        bool "Enable benchmark code"
566        default n
567        help
568          If y, adds support for simple benchmarking that can record
569          time intervals between two calls.  The time printed depends
570          on the particular Zephyr target, and is generally ticks of a
571          specific board-specific timer.
572
573module = MCUBOOT
574module-str = MCUBoot bootloader
575source "subsys/logging/Kconfig.template.log_config"
576
577config MCUBOOT_LOG_THREAD_STACK_SIZE
578	int "Stack size for the MCUBoot log processing thread"
579	depends on LOG && !LOG_IMMEDIATE
580	default 2048 if COVERAGE_GCOV
581	default 1024 if NO_OPTIMIZATIONS
582	default 1024 if XTENSA
583	default 4096 if (X86 && X86_64)
584	default 4096 if ARM64
585	default 768
586	help
587	  Set the internal stack size for MCUBoot log processing thread.
588
589config MCUBOOT_INDICATION_LED
590	bool "Turns on LED indication when device is in DFU"
591	select GPIO
592	help
	  Device activates the LED while in bootloader mode.
594	  mcuboot-led0 alias must be set in the device's .dts
595	  definitions for this to work.
596
597rsource "Kconfig.serial_recovery"
598
599rsource "Kconfig.firmware_loader"
600
601config BOOT_INTR_VEC_RELOC
602	bool "Relocate the interrupt vector to the application"
603	default n
604	depends on SW_VECTOR_RELAY || CPU_CORTEX_M_HAS_VTOR
605	help
606	  Relocate the interrupt vector to the application before it is started.
607	  Select this option if application requires vector relocation,
608	  but it doesn't relocate vector in its reset handler.
609
610config UPDATEABLE_IMAGE_NUMBER
611	int "Number of updateable images"
612	default 1
613	range 1 1 if SINGLE_APPLICATION_SLOT
614	help
615	  Enables support of multi image update.
616
617config BOOT_VERSION_CMP_USE_BUILD_NUMBER
618	bool "Use build number while comparing image version"
619	depends on (UPDATEABLE_IMAGE_NUMBER > 1) || BOOT_DIRECT_XIP || \
620		   BOOT_RAM_LOAD || MCUBOOT_DOWNGRADE_PREVENTION
621	help
622	  By default, the image version comparison relies only on version major,
623	  minor and revision. Enable this option to take into account the build
624	  number as well.
625
626choice BOOT_DOWNGRADE_PREVENTION_CHOICE
627	prompt "Downgrade prevention"
628	optional
629
630config MCUBOOT_DOWNGRADE_PREVENTION
631	bool "SW based downgrade prevention"
632	depends on !BOOT_DIRECT_XIP
633	help
	  Prevent downgrades by enforcing incrementing version numbers.
	  When this option is set, any upgrade must have greater major version
	  or greater minor version with equal major version. This mechanism
	  only protects against some version downgrade attacks: it does not,
	  for example, stop an older version from being written directly with
	  JTAG.
639
640config MCUBOOT_DOWNGRADE_PREVENTION_SECURITY_COUNTER
641	bool "Use image security counter instead of version number"
642	depends on MCUBOOT_DOWNGRADE_PREVENTION
643	depends on (BOOT_SWAP_USING_MOVE || BOOT_SWAP_USING_SCRATCH)
644	help
645       Security counter is used for version eligibility check instead of pure
646       version.  When this option is set, any upgrade must have greater or
647       equal security counter value.
648       Because of the acceptance of equal values it allows for software
649       downgrades to some extent.
650
651config MCUBOOT_HW_DOWNGRADE_PREVENTION
652	bool "HW based downgrade prevention"
653	help
654	  Prevent undesirable/malicious software downgrades. When this option is
655	  set, any upgrade must have greater or equal security counter value.
656	  Because of the acceptance of equal values it allows for software
657	  downgrade to some extent.
658
659endchoice
660
661config BOOT_WATCHDOG_FEED
662	bool "Feed the watchdog while doing swap"
663	default y if WATCHDOG
664	default y if SOC_FAMILY_NORDIC_NRF
665	# for nRF nrfx based implementation is available
666	imply NRFX_WDT if SOC_FAMILY_NORDIC_NRF
667	imply NRFX_WDT0 if SOC_FAMILY_NORDIC_NRF
668	imply NRFX_WDT1 if SOC_FAMILY_NORDIC_NRF
669	imply NRFX_WDT30 if SOC_FAMILY_NORDIC_NRF
670	imply NRFX_WDT31 if SOC_FAMILY_NORDIC_NRF
671	help
672	  Enables implementation of MCUBOOT_WATCHDOG_FEED() macro which is
673	  used to feed watchdog while doing time consuming operations.
674
675config BOOT_IMAGE_ACCESS_HOOKS
676	bool "Enable hooks for overriding MCUboot's native routines"
677	help
	  Allows the project to provide procedures that override or extend
	  MCUboot's native routines for accessing the image data and for the
	  image update. It is up to the project customization to add required
	  source files to the build.
682
683config MCUBOOT_ACTION_HOOKS
684	bool "Enable hooks for responding to MCUboot status changes"
685	help
686	  This will call a handler when the MCUboot status changes which allows
687	  for some level of user feedback, for instance to change LED status to
688	  indicate a failure, using the callback:
689	  'void mcuboot_status_change(mcuboot_status_type_t status)' where
690	  'mcuboot_status_type_t' is listed in
691	  boot/bootutil/include/bootutil/mcuboot_status.h
692
693config BOOT_DISABLE_CACHES
694	bool "Disable I/D caches before chain-loading application"
695	depends on CPU_HAS_ICACHE || CPU_HAS_DCACHE
696	default y
697	help
698	  Will flush and disable the instruction and data caches on the CPU prior to
699	  booting an application, this is required on some ARM Cortex devices and
700	  increases protection against data leakage from MCUboot to applications via
701	  these caches.
702
703config MCUBOOT_BOOT_BANNER
704	bool "Use MCUboot boot banner"
705	depends on BOOT_BANNER
706	depends on "$(APP_VERSION_EXTENDED_STRING)" != ""
707	default y
708	help
709	  Uses a MCUboot boot banner instead of the default zephyr one, which will output the
710	  MCUboot name and version, followed by the zephyr name and version.
711
712	  For example:
713
714	    *** Booting MCUboot v2.0.0-72-g8c0e36c88663 ***
715	    *** Using Zephyr OS build v3.6.0-2607-gd0be2010c31f ***
716
717config BOOT_BANNER_STRING
718        default "Using Zephyr OS build" if MCUBOOT_BOOT_BANNER
719
720endmenu
721
722config MCUBOOT_DEVICE_SETTINGS
723	# Hidden selector for device-specific settings
724	bool
725	default y
726        # CPU options
727	select MCUBOOT_DEVICE_CPU_CORTEX_M0 if CPU_CORTEX_M0
728        # Enable flash page layout if available
729	select FLASH_PAGE_LAYOUT if FLASH_HAS_PAGE_LAYOUT
730	# Enable flash_map module as flash I/O back-end
731	select FLASH_MAP
732
733config MCUBOOT_DEVICE_CPU_CORTEX_M0
734	# Hidden selector for Cortex-M0 settings
735	bool
736	default n
737	select SW_VECTOR_RELAY if !CPU_CORTEX_M0_HAS_VECTOR_TABLE_REMAP
738
739comment "Zephyr configuration options"
740
741# Disabling MULTITHREADING provides a code size advantage, but
742# it requires peripheral drivers (particularly a flash driver)
743# that works properly with the option enabled.
744#
745# If you know for sure that your hardware will work, you can default
746# it to n here. Otherwise, having it on by default makes the most
747# hardware work.
748config MULTITHREADING
749	default y if BOOT_SERIAL_CDC_ACM #usb driver requires MULTITHREADING
750	default y if BOOT_USB_DFU_GPIO || BOOT_USB_DFU_WAIT
751	default n if SOC_FAMILY_NORDIC_NRF
752	default n if SOC_FAMILY_ESPRESSIF_ESP32 && MCUBOOT
753	default y
754
755config LOG_PROCESS_THREAD
756	default n # mcuboot has its own log processing thread
757
758# override USB device name
759config USB_DEVICE_PRODUCT
760	default "MCUBOOT"
761
762# use MCUboot's own log configuration
763config MCUBOOT_BOOTUTIL_LIB_OWN_LOG
764	bool
765	default n
766
767config MCUBOOT_VERIFY_IMG_ADDRESS
768	bool "Verify reset address of image in secondary slot"
769	depends on UPDATEABLE_IMAGE_NUMBER > 1
770	depends on !BOOT_ENCRYPT_IMAGE
771	depends on ARM
772	default y if BOOT_UPGRADE_ONLY
773	help
774	  Verify that the reset address in the image located in the secondary slot
775	  is contained within the corresponding primary slot. This is recommended
776	  if swapping is not used (that is, BOOT_UPGRADE_ONLY is set). If a user
777	  incorrectly uploads an update for image 1 to image 0's secondary slot
778	  MCUboot will overwrite image 0's primary slot with this image even
779	  though it will not boot. If swapping is enabled this will be handled
780	  since the image will not confirm itself. If, however, swapping is not
781	  enabled then the only mitigation is serial recovery. This feature can
782	  also be useful when BOOT_DIRECT_XIP is enabled, to ensure that the image
783	  linked at the correct address is loaded.
784
785source "Kconfig.zephyr"
786