aboutsummaryrefslogtreecommitdiff
path: root/docs/getting_started/user-guide.rst
diff options
context:
space:
mode:
Diffstat (limited to 'docs/getting_started/user-guide.rst')
-rw-r--r--docs/getting_started/user-guide.rst49
1 files changed, 44 insertions, 5 deletions
diff --git a/docs/getting_started/user-guide.rst b/docs/getting_started/user-guide.rst
index b447f14938..015de9a68a 100644
--- a/docs/getting_started/user-guide.rst
+++ b/docs/getting_started/user-guide.rst
@@ -287,6 +287,12 @@ Common build options
enable this use-case. For now, this option is only supported when BL2_AT_EL3
is set to '1'.
+- ``BL2_INV_DCACHE``: This is an optional build option which control dcache
+ invalidation upon BL2 entry. Some platform cannot handle cache operations
+ during entry as the coherency unit is not yet initialized. This may cause
+ crashing. Leaving this option to '1' (default) will allow the operation.
+ This option is only relevant when BL2_AT_EL3 is set to '1'.
+
- ``BL31``: This is an optional build option which specifies the path to
BL31 image for the ``fip`` target. In this case, the BL31 in TF-A will not
be built.
@@ -383,6 +389,13 @@ Common build options
registers to be included when saving and restoring the CPU context. Default
is 0.
+- ``CTX_INCLUDE_MTE_REGS``: Enables register saving/reloading support for
+ ARMv8.5 Memory Tagging Extension. A value of 0 will disable
+ saving/reloading and restrict the use of MTE to the normal world if the
+ CPU has support, while a value of 1 enables the saving/reloading, allowing
+ the use of MTE in both the secure and non-secure worlds. Default is 0
+ (disabled) and this feature is experimental.
+
- ``CTX_INCLUDE_PAUTH_REGS``: Boolean option that, when set to 1, enables
Pointer Authentication for Secure world. This will cause the ARMv8.3-PAuth
registers to be included when saving and restoring the CPU context as
@@ -581,10 +594,20 @@ Common build options
- ``KEY_ALG``: This build flag enables the user to select the algorithm to be
used for generating the PKCS keys and subsequent signing of the certificate.
- It accepts 3 values: ``rsa``, ``rsa_1_5`` and ``ecdsa``. The option
- ``rsa_1_5`` is the legacy PKCS#1 RSA 1.5 algorithm which is not TBBR
- compliant and is retained only for compatibility. The default value of this
- flag is ``rsa`` which is the TBBR compliant PKCS#1 RSA 2.1 scheme.
+ It accepts 2 values: ``rsa`` and ``ecdsa``. The default value of this flag
+ is ``rsa`` which is the TBBR compliant PKCS#1 RSA 2.1 scheme.
+
+- ``KEY_SIZE``: This build flag enables the user to select the key size for
+ the algorithm specified by ``KEY_ALG``. The valid values for ``KEY_SIZE``
+ depend on the chosen algorithm.
+
+ +-----------+------------------------------------+
+ | KEY_ALG | Possible key sizes |
+ +===========+====================================+
+ | rsa | 1024, 2048 (default), 3072, 4096 |
+ +-----------+------------------------------------+
+ | ecdsa | unavailable |
+ +-----------+------------------------------------+
- ``HASH_ALG``: This build flag enables the user to select the secure hash
algorithm. It accepts 3 values: ``sha256``, ``sha384`` and ``sha512``.
@@ -684,6 +707,21 @@ Common build options
file that contains the ROT private key in PEM format. If ``SAVE_KEYS=1``, this
file name will be used to save the key.
+- ``SANITIZE_UB``: This option enables the Undefined Behaviour sanitizer. It
+ can take 3 values: 'off' (default), 'on' and 'trap'. When using 'trap',
+ gcc and clang will insert calls to ``__builtin_trap`` on detected
+ undefined behaviour, which defaults to a ``brk`` instruction. When using
+ 'on', undefined behaviour is translated to a call to special handlers which
+ prints the exact location of the problem and its cause and then panics.
+
+ .. note::
+ Because of the space penalty of the Undefined Behaviour sanitizer,
+ this option will increase the size of the binary. Depending on the
+ memory constraints of the target platform, it may not be possible to
+ enable the sanitizer for all images (BL1 and BL2 are especially
+ likely to be memory constrained). We recommend that the
+ sanitizer is enabled only in debug builds.
+
- ``SAVE_KEYS``: This option is used when ``GENERATE_COT=1``. It tells the
certificate generation tool to save the keys used to establish the Chain of
Trust. Allowed options are '0' or '1'. Default is '0' (do not save).
@@ -798,6 +836,7 @@ Common build options
cluster platforms). If this option is enabled, then warm boot path
enables D-caches immediately after enabling MMU. This option defaults to 0.
+
Arm development platform specific build options
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -1154,7 +1193,7 @@ images with support for these features:
is important to use a version that is compatible with TF-A and fixes any
known security vulnerabilities. See `mbed TLS Security Center`_ for more
information. The latest version of TF-A is tested with tag
- ``mbedtls-2.16.0``.
+ ``mbedtls-2.16.2``.
The ``drivers/auth/mbedtls/mbedtls_*.mk`` files contain the list of mbed TLS
source files the modules depend upon.