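#-------------------------------------------------------------------------------
# Copyright (c) 2020-2023, Arm Limited. All rights reserved.
# Copyright (c) 2022 Cypress Semiconductor Corporation (an Infineon company)
# or an affiliate of Cypress Semiconductor Corporation. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
#-------------------------------------------------------------------------------

# Base (default) values for the TF-M build configuration. Every option below is
# a cache entry created without FORCE, so a value that is already in the cache
# (for example one passed with -D on the command line) keeps its value.

####################################################################################################
# These configurations below are not included in Kconfig configuration system.

# Paths built from a variable are quoted so that the expansion always stays a
# single argument.
set(TFM_TOOLCHAIN_FILE "${CMAKE_SOURCE_DIR}/toolchain_GNUARM.cmake" CACHE FILEPATH "Path to TFM compiler toolchain file")
set(TFM_PLATFORM "" CACHE STRING "Platform to build TF-M for. Must be either a relative path from [TF-M]/platform/ext/target, or an absolute path.")
set(CROSS_COMPILE arm-none-eabi CACHE STRING "Cross-compilation triplet")

set(TFM_INSTALL_PATH "${CMAKE_BINARY_DIR}/install" CACHE PATH "Path to which to install TF-M files")

set(TFM_DEBUG_SYMBOLS ON CACHE BOOL "Add debug symbols. Note that setting CMAKE_BUILD_TYPE to Debug or RelWithDebInfo will also add debug symbols.")
set(TFM_CODE_COVERAGE OFF CACHE BOOL "Whether to build the binary for lcov tools")

set(PROJECT_CONFIG_HEADER_FILE "" CACHE FILEPATH "User defined header file for TF-M config")

# External libraries source and version
#
# Each *_PATH option defaults to "DOWNLOAD", i.e. the sources are fetched
# automatically instead of being taken from a local directory, so the matching
# *_VERSION value decides which third-party code enters the firmware build.
#
# NOTE(review): "mbedtls-3.4.0" appears to be a tag name, and the MCUboot and
# PSA arch tests versions are 7-character abbreviated hashes; only
# PLATFORM_PSA_ADAC_VERSION is a full 40-character commit id. A tag can be
# re-pointed upstream and an abbreviated hash can become ambiguous, so builds
# that need reproducible, auditable inputs should override these with full
# commit ids, or point the *_PATH options at a vetted local checkout.
set(MBEDCRYPTO_PATH "DOWNLOAD" CACHE PATH "Path to Mbed Crypto (or DOWNLOAD to fetch automatically")
set(MBEDCRYPTO_FORCE_PATCH OFF CACHE BOOL "Always apply MBed Crypto patches")
set(MBEDCRYPTO_VERSION "mbedtls-3.4.0" CACHE STRING "The version of Mbed Crypto to use")
# The remote may be a URL or a local path (see the help text); whoever controls
# this value controls the crypto library source that gets built.
set(MBEDCRYPTO_GIT_REMOTE "https://github.com/Mbed-TLS/mbedtls.git" CACHE STRING "The URL (or path) to retrieve MbedTLS from.")

set(MCUBOOT_PATH "DOWNLOAD" CACHE PATH "Path to MCUboot (or DOWNLOAD to fetch automatically")
set(MCUBOOT_VERSION "258a6c7" CACHE STRING "The version of MCUboot to use")

set(PSA_ARCH_TESTS_PATH "DOWNLOAD" CACHE PATH "Path to PSA arch tests (or DOWNLOAD to fetch automatically")
set(PSA_ARCH_TESTS_VERSION "cf8bd71" CACHE STRING "The version of PSA arch tests to use")
set(PSA_ARCH_TESTS_FORCE_PATCH OFF CACHE BOOL "Always apply PSA arch tests patches")

set(PLATFORM_PSA_ADAC_SECURE_DEBUG FALSE CACHE BOOL "Whether to use psa-adac secure debug.")
set(PLATFORM_PSA_ADAC_SOURCE_PATH "DOWNLOAD" CACHE PATH "Path to source dir of psa-adac.")
set(PLATFORM_PSA_ADAC_VERSION "4c35930fb6df95400ea4fe5722acaaa594ac3b8b" CACHE STRING "The version of psa-adac to use.")

set(PLATFORM_IS_FVP FALSE CACHE BOOL "Whether to enable FVP or FPGA build of the platform.")

####################################################################################################
# These configurations below are also referred by Kconfig configuration system,
# together with TF-M Header File Config System options.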
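set(BL1 OFF CACHE BOOL "Whether to build BL1")
set(BL2 ON CACHE BOOL "Whether to build BL2")
set(NS ON CACHE BOOL "Whether to build NS app")
set(NS_EVALUATION_APP_PATH "" CACHE PATH "Path to TFM NS Evaluation Application")

set(TEST_S OFF CACHE BOOL "Whether to build S regression tests")
set(TEST_NS OFF CACHE BOOL "Whether to build NS regression tests")
set(TEST_PSA_API "" CACHE STRING "Which (if any) of the PSA API tests should be compiled")
set(TEST_BL1_1 OFF CACHE BOOL "Whether to build BL1_1 tests")
set(TEST_BL1_2 OFF CACHE BOOL "Whether to build BL1_2 tests")

# Hardening-related defaults: isolation level 1 and fault injection hardening
# OFF. A product whose threat model includes partition compromise or physical
# fault injection should choose these values deliberately rather than inherit
# them from this file.
set(TFM_ISOLATION_LEVEL 1 CACHE STRING "Isolation level")
set(PSA_FRAMEWORK_HAS_MM_IOVEC OFF CACHE BOOL "Enable MM-IOVEC")
set(TFM_PROFILE "" CACHE STRING "Profile to use")
set(TFM_FIH_PROFILE OFF CACHE STRING "Fault injection hardening profile [OFF, LOW, MEDIUM, HIGH]")
set(CONFIG_TFM_SPM_BACKEND "SFN" CACHE STRING "The SPM backend [IPC, SFN]")

# An NSPE client_id is provided by the NSPE OS via the SPM or directly by the SPM.
# When `TFM_NS_MANAGE_NSID` is `ON`, TF-M supports NSPE OS providing NSPE client_id.
set(TFM_NS_MANAGE_NSID OFF CACHE BOOL "Support NSPE OS providing NSPE client_id")

set(TFM_EXTRA_CONFIG_PATH "" CACHE PATH "Path to extra cmake config file")

# The manifest lists and extra partition paths select which Secure Partition
# sources and manifests are pulled into the build, so they should only ever
# point at reviewed content.
set(TFM_MANIFEST_LIST "${CMAKE_SOURCE_DIR}/tools/tfm_manifest_list.yaml" CACHE FILEPATH "TF-M native Secure Partition manifests list file")
set(TFM_EXTRA_MANIFEST_LIST_FILES "" CACHE FILEPATH "Extra manifest list file(s), used to list extra Secure Partition manifests.")
set(TFM_EXTRA_GENERATED_FILE_LIST_PATH "" CACHE PATH "Path to extra generated file list. Appended to stardard TFM generated file list.")
set(TFM_EXTRA_PARTITION_PATHS "" CACHE PATH "List of extra Secure Partitions directories. An extra Secure Parition folder contains source code, CMakeLists.txt and manifest files")

# NOTE(review): TFM_CODE_SHARING is typed PATH although its default is OFF and
# the help text reads like an on/off switch - confirm the intended type against
# the code that consumes it before changing it.
set(TFM_CODE_SHARING OFF CACHE PATH "Enable code sharing between MCUboot and secure firmware")
set(CONFIG_TFM_BOOT_STORE_MEASUREMENTS ON CACHE BOOL "Store measurement values from all the boot stages. Used for initial attestation token.")
set(CONFIG_TFM_BOOT_STORE_ENCODED_MEASUREMENTS ON CACHE BOOL "Enable storing of encoded measurements in boot.")

set(TFM_PXN_ENABLE OFF CACHE BOOL "Use Privileged execute never (PXN)")

set(TFM_EXCEPTION_INFO_DUMP OFF CACHE BOOL "On fatal errors in the secure firmware, capture info about the exception. Print the info if the SPM log level is sufficient.")

set(CONFIG_TFM_HALT_ON_CORE_PANIC OFF CACHE BOOL "On fatal errors in the secure firmware, halt instead of rebooting.")

set(CONFIG_TFM_STACK_WATERMARKS OFF CACHE BOOL "Whether to pre-fill partition stacks with a set value to help determine stack usage")

############################ Platform ##########################################

# A slot count is a number, so the entry is typed STRING. With BOOL a cache
# editor presents it as a checkbox and can rewrite the count as ON/OFF.
set(NUM_MAILBOX_QUEUE_SLOT 1 CACHE STRING "Number of mailbox queue slots")
set(TFM_PLAT_SPECIFIC_MULTI_CORE_COMM OFF CACHE BOOL "Whether to use a platform specific inter-core communication instead of mailbox in dual-cpu topology")

# NOTE(review): CHIP_DEFAULT defers the debug authentication setting to the
# device; confirm what that resolves to on the target before shipping.
set(DEBUG_AUTHENTICATION CHIP_DEFAULT CACHE STRING "Debug authentication setting. [CHIP_DEFAULT, NONE, NS_ONLY, FULL")
set(SECURE_UART1 OFF CACHE BOOL "Enable secure UART1")

set(CRYPTO_HW_ACCELERATOR OFF CACHE BOOL "Whether to enable the crypto hardware accelerator on supported platforms")

set(OTP_NV_COUNTERS_RAM_EMULATION OFF CACHE BOOL "Enable OTP/NV_COUNTERS emulation in RAM. Has no effect on non-default implementations of the OTP and NV_COUNTERS")
set(TFM_NS_NV_COUNTER_AMOUNT 0 CACHE STRING "How many NS NV counters are enabled")

set(PLATFORM_DEFAULT_BL1 ON CACHE STRING "Whether to use default BL1 or platform-specific one")

# Development defaults: every PLATFORM_DEFAULT_* option below is ON, which
# selects the default implementation of that service.
# NOTE(review): PLATFORM_DEFAULT_ROTPK, PLATFORM_DEFAULT_IAK and
# PLATFORM_DEFAULT_CRYPTO_KEYS select default key material; presumably that
# material is the same for everyone who builds with the defaults - confirm, and
# replace it with product-specific keys before release.
set(PLATFORM_DEFAULT_ATTEST_HAL ON CACHE BOOL "Use default attest hal implementation.")
set(PLATFORM_DEFAULT_NV_COUNTERS ON CACHE BOOL "Use default nv counter implementation.")
set(PLATFORM_DEFAULT_CRYPTO_KEYS ON CACHE BOOL "Use default crypto keys implementation.")
set(PLATFORM_DEFAULT_ROTPK ON CACHE BOOL "Use default root of trust public key.")
set(PLATFORM_DEFAULT_IAK ON CACHE BOOL "Use default initial attestation_key.")
set(PLATFORM_DEFAULT_UART_STDOUT ON CACHE BOOL "Use default uart stdout implementation.")
set(PLATFORM_DEFAULT_NV_SEED ON CACHE BOOL "Use default NV seed implementation.")
set(PLATFORM_DEFAULT_OTP ON CACHE BOOL "Use trusted on-chip flash to implement OTP memory")
set(PLATFORM_DEFAULT_OTP_WRITEABLE ON CACHE BOOL "Use OTP memory with write support")
set(PLATFORM_DEFAULT_PROVISIONING ON CACHE BOOL "Use default provisioning implementation")
set(PLATFORM_DEFAULT_SYSTEM_RESET_HALT ON CACHE BOOL "Use default system reset/halt implementation")
set(PLATFORM_DEFAULT_IMAGE_SIGNING ON CACHE BOOL "Use default image signing implementation")

# Dummy provisioning defaults to ON and its own help text marks it as not for
# production, so a production configuration has to switch it OFF explicitly.
set(TFM_DUMMY_PROVISIONING ON CACHE BOOL "Provision with dummy values. NOT to be used in production")

set(BL1_HEADER_SIZE 0x000 CACHE STRING "BL1 Header size")
set(BL1_TRAILER_SIZE 0x000 CACHE STRING "BL1 Trailer size")

set(BL2_HEADER_SIZE 0x000 CACHE STRING "BL2 Header size")
set(BL2_TRAILER_SIZE 0x000 CACHE STRING "BL2 Trailer size")

############################ Partitions ########################################
set(TFM_PARTITION_PROTECTED_STORAGE OFF CACHE BOOL "Enable Protected Storage partition")
set(PS_ENCRYPTION ON CACHE BOOL "Enable encryption for Protected Storage partition")
set(PS_CRYPTO_AEAD_ALG PSA_ALG_GCM CACHE STRING "The AEAD algorithm to use for authenticated encryption in Protected Storage")

set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE OFF CACHE BOOL "Enable Internal Trusted Storage partition")

set(TFM_PARTITION_CRYPTO OFF CACHE BOOL "Enable Crypto partition")
set(CRYPTO_TFM_BUILTIN_KEYS_DRIVER ON CACHE BOOL "Whether to allow crypto service to store builtin keys. Without this, ALL builtin keys must be stored in a platform-specific location")

set(TFM_PARTITION_INITIAL_ATTESTATION OFF CACHE BOOL "Enable Initial Attestation partition")
set(SYMMETRIC_INITIAL_ATTESTATION OFF CACHE BOOL "Use symmetric crypto for inital attestation")
set(ATTEST_INCLUDE_TEST_CODE OFF CACHE BOOL "Include minimal development tests in the initial attestation regression test suite")
set(ATTEST_KEY_BITS 256 CACHE STRING "The size of the initial attestation key in bits")

set(TFM_PARTITION_PLATFORM OFF CACHE BOOL "Enable Platform partition")

############################ Mbedcrypto configurations #########################

# These headers configure the crypto library that is built into the secure
# image; the help text below explains how to point the option at a generated
# file by giving it the STRING type on the command line.
set(MBEDCRYPTO_BUILD_TYPE "${CMAKE_BUILD_TYPE}" CACHE STRING "Build type of Mbed Crypto library")
set(TFM_MBEDCRYPTO_CONFIG_PATH
    "${CMAKE_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h" CACHE PATH
    "Config to use for Mbed Crypto. For increased flexibility when pointing to a file, set the type \
of this setting to 'STRING' by passing the :<type> portion when specifying the setting value in \
the command line. E.g. '-DTFM_MBEDCRYPTO_CONFIG_PATH:STRING=some_file_which_is_generated.h' \
This can be useful if the config file is generated and placed inside a directory already added \
to the include path of mbedtls.")
set(TFM_MBEDCRYPTO_PSA_CRYPTO_CONFIG_PATH "${CMAKE_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/crypto_config_default.h" CACHE PATH "Config to use psa crypto setting for Mbed Crypto.")
set(TFM_MBEDCRYPTO_PLATFORM_EXTRA_CONFIG_PATH "" CACHE PATH "Config to append to standard Mbed Crypto config, used by platforms to cnfigure feature support")

################################################################################
################################################################################

# Specifying the accepted values for certain configuration options to facilitate
# their later validation.

########################## FIH #################################################

set_property(CACHE TFM_FIH_PROFILE PROPERTY STRINGS "OFF;LOW;MEDIUM;HIGH")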