#-------------------------------------------------------------------------------
# Copyright (c) 2023, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
#-------------------------------------------------------------------------------

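# Top-level switch for the BL2 bootloader stage. Every option below is only
# visible while BL2 is enabled (see the matching "endif" at the end of the file).
menuconfig BL2
    bool "BL2"
    default y
    help
      Include the BL2 bootloader stage. The options in this menu configure
      MCUboot as used for BL2.

if BL2
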
# Project-provided defaults. Both are enabled unless overridden.

config DEFAULT_MCUBOOT_SECURITY_COUNTERS
    bool "Use the default security counter configuration"
    default y
    help
      Use the default security counter configuration defined by TF-M project

config DEFAULT_MCUBOOT_FLASH_MAP
    bool "Use the default flash map"
    default y
    help
      Whether to use the default flash map defined by TF-M project

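# Flash area IDs for the primary slots, and how the Secure (S) and
# Non-Secure (NS) binaries are packaged into images.

config MCUBOOT_S_IMAGE_FLASH_AREA_NUM
    int "ID of the flash area containing the primary Secure image"
    default 0
    help
      ID of the flash area containing the primary Secure image

config MCUBOOT_NS_IMAGE_FLASH_AREA_NUM
    int "ID of the flash area containing the primary Non-Secure image"
    default 1
    help
      ID of the flash area containing the primary Non-Secure image

config MCUBOOT_IMAGE_NUMBER
    int "Whether to combine S and NS into either 1 image, or sign each seperately"
    default 2
    range 1 4
    help
      Number of separately signed images. With 1, the S and NS binaries are
      combined into a single image; with 2 (the default), each is signed on
      its own. The accepted range is 1 to 4.

config MCUBOOT_EXECUTION_SLOT
    int "Slot from which to execute the image, used for XIP mode"
    default 1
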
# Chooses what the image metadata carries: the whole public key (y) or only
# its hash (n).
# NOTE(review): with the whole key carried in the image, the bootloader
# presumably checks it against a key hash provisioned on the device. Confirm
# against the platform's provisioning flow.
config MCUBOOT_HW_KEY
    bool "Embed the entire public key"
    default y
    help
      Whether to embed the entire public key in the image metadata instead of
      the hash only

# Exactly one upgrade strategy is selected here. The string symbol that
# follows the choice turns the selection into the strategy name.
choice
    prompt "Upgrade strategy for images"
    default MCUBOOT_UPGRADE_STRATEGY_OVERWRITE_ONLY

    config MCUBOOT_UPGRADE_STRATEGY_OVERWRITE_ONLY
        bool "Overwrite only"

    config MCUBOOT_UPGRADE_STRATEGY_SWAP_USING_SCRATCH
        bool "Swap using scratch"

    config MCUBOOT_UPGRADE_STRATEGY_SWAP_USING_MOVE
        bool "Swap using move"

    # The two strategies below cannot be selected while
    # TFM_PARTITION_FIRMWARE_UPDATE is enabled.
    config MCUBOOT_UPGRADE_STRATEGY_DIRECT_XIP
        bool "Direct xip"
        depends on !TFM_PARTITION_FIRMWARE_UPDATE

    config MCUBOOT_UPGRADE_STRATEGY_RAM_LOAD
        bool "Ram load"
        depends on !TFM_PARTITION_FIRMWARE_UPDATE
endchoice

# Strategy name derived from the choice above.
config MCUBOOT_UPGRADE_STRATEGY
    string "Upgrade strategy for images"
    default "OVERWRITE_ONLY" if MCUBOOT_UPGRADE_STRATEGY_OVERWRITE_ONLY
    default "SWAP_USING_SCRATCH" if MCUBOOT_UPGRADE_STRATEGY_SWAP_USING_SCRATCH
    default "SWAP_USING_MOVE" if MCUBOOT_UPGRADE_STRATEGY_SWAP_USING_MOVE
    default "DIRECT_XIP" if MCUBOOT_UPGRADE_STRATEGY_DIRECT_XIP
    default "RAM_LOAD" if MCUBOOT_UPGRADE_STRATEGY_RAM_LOAD

# Sizes of the BL2 header and trailer; both default to 0x400.

config BL2_HEADER_SIZE
    hex "BL2 Header size"
    default 0x400

config BL2_TRAILER_SIZE
    hex "BL2 Trailer size"
    default 0x400

# Alignment used by MCUboot and by imgtool when building the image.
# The choice declares no explicit default.
choice
    prompt "Align option for mcuboot and build image with imgtool"

    config MCUBOOT_ALIGN_VAL_1
        bool "1"

    config MCUBOOT_ALIGN_VAL_2
        bool "2"

    config MCUBOOT_ALIGN_VAL_4
        bool "4"

    config MCUBOOT_ALIGN_VAL_8
        bool "8"

    config MCUBOOT_ALIGN_VAL_16
        bool "16"

    config MCUBOOT_ALIGN_VAL_32
        bool "32"
endchoice

# Integer alignment value derived from the choice above (no prompt of its own).
config MCUBOOT_ALIGN_VAL
    int
    default 1 if MCUBOOT_ALIGN_VAL_1
    default 2 if MCUBOOT_ALIGN_VAL_2
    default 4 if MCUBOOT_ALIGN_VAL_4
    default 8 if MCUBOOT_ALIGN_VAL_8
    default 16 if MCUBOOT_ALIGN_VAL_16
    default 32 if MCUBOOT_ALIGN_VAL_32

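# Boot-time behaviour switches: image confirmation and revert, rollback
# protection, encrypted upgrades and bootstrap from the secondary slot.

config MCUBOOT_CONFIRM_IMAGE
    bool "Whether to confirm the image if REVERT is supported in MCUboot"
    default n

config MCUBOOT_DIRECT_XIP_REVERT
    bool "Enable the revert mechanism in direct-xip mode"
    default y

config MCUBOOT_HW_ROLLBACK_PROT
    bool "Enable security counter validation against non-volatile HW counters"
    default y
    help
      When enabled, the security counter of an image is validated against a
      counter held in non-volatile hardware storage, so that an image
      carrying a lower counter is not accepted. Disabling this option
      removes that downgrade check; keep it enabled unless the platform
      cannot provide the counters.

config MCUBOOT_ENC_IMAGES
    bool "Enable encrypted image upgrade support"
    default n

config MCUBOOT_BOOTSTRAP
    bool "Support initial state with empty primary slot and images installed from secondary slots"
    default n

config MCUBOOT_ENCRYPT_RSA
    bool "Use RSA for encrypted image upgrade support"
    default n
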
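# Fault injection hardening (FIH) profile. The default is OFF.
choice
    prompt "Fault injection hardening profile"
    default MCUBOOT_FIH_PROFILE_OFF
    help
      Selects how much software hardening against fault injection (for
      example voltage or clock glitching) is built into the bootloader.
      OFF, the default, adds none. Higher profiles add more checks and
      are expected to cost code size and boot time. Choose a profile other
      than OFF when physical attacks are part of the product's threat model.

    config MCUBOOT_FIH_PROFILE_OFF
        bool "OFF"

    config MCUBOOT_FIH_PROFILE_LOW
        bool "LOW"

    config MCUBOOT_FIH_PROFILE_MEDIUM
        bool "MEDIUM"

    config MCUBOOT_FIH_PROFILE_HIGH
        bool "HIGH"
endchoice

# Profile name derived from the choice above (no prompt of its own).
config MCUBOOT_FIH_PROFILE
    string
    default "OFF" if MCUBOOT_FIH_PROFILE_OFF
    default "LOW" if MCUBOOT_FIH_PROFILE_LOW
    default "MEDIUM" if MCUBOOT_FIH_PROFILE_MEDIUM
    default "HIGH" if MCUBOOT_FIH_PROFILE_HIGH
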
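# Image signing: algorithm, key length, and the key files used to sign the
# secure and non-secure binaries. The default key paths are built from the
# signature type and key length.

config MCUBOOT_SIGNATURE_TYPE
    string "Algorithm to use for signature validation"
    default "RSA"
    help
      Note - If either SIGNATURE_TYPE or KEY_LEN are changed, the entries for KEY_S
      and KEY_NS will either have to be updated manually or removed from the cache.
      `cmake .. -UMCUBOOT_KEY_S -UMCUBOOT_KEY_NS`. Once removed from the cache it
      will be set to default again.

config MCUBOOT_SIGNATURE_KEY_LEN
    int "Key length to use for signature validation"
    default 3072
    help
      Length, in bits, of the key used for signature validation. The value
      is part of the default key file names below, so changing it also
      changes which default key file is looked up.

config MCUBOOT_KEY_S
    string "Path to key with which to sign secure binary"
    default "$(TFM_SOURCE_DIR)/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}-${MCUBOOT_SIGNATURE_KEY_LEN}.pem"
    help
      The default points at a key file inside the TF-M source tree. A key
      that ships with the sources is available to anyone who has the
      repository, so it is only suitable for development and testing. Set
      this to a privately held key for images that will be deployed.

config MCUBOOT_KEY_NS
    string "Path to key with which to sign non-secure binary"
    default "$(TFM_SOURCE_DIR)/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}-${MCUBOOT_SIGNATURE_KEY_LEN}_1.pem"
    help
      The default points at a key file inside the TF-M source tree. A key
      that ships with the sources is available to anyone who has the
      repository, so it is only suitable for development and testing. Set
      this to a privately held key for images that will be deployed.
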
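# Image versions, security counters and inter-image minimum versions.

config MCUBOOT_IMAGE_VERSION_S
    string "Version number of S image"
    default "$(TFM_VERSION)"

config MCUBOOT_IMAGE_VERSION_NS
    string "Version number of NS image"
    default "0.0.0"

# NOTE(review): the two prompts below mention "auto", but an int symbol cannot
# hold that value. Confirm how "auto" is meant to be selected from Kconfig.
config MCUBOOT_SECURITY_COUNTER_S
    int "Security counter for S image. auto sets it to IMAGE_VERSION_S"
    default 1
    help
      Security counter written into the S image. It is the value checked
      when MCUBOOT_HW_ROLLBACK_PROT is enabled, so it should not be lowered
      between releases of an image.

config MCUBOOT_SECURITY_COUNTER_NS
    int "Security counter for NS image. auto sets it to IMAGE_VERSION_NS"
    default 1
    help
      Security counter written into the NS image. It is the value checked
      when MCUBOOT_HW_ROLLBACK_PROT is enabled, so it should not be lowered
      between releases of an image.

config MCUBOOT_S_IMAGE_MIN_VER
    string "Minimum version of secure image"
    default "0.0.0+0"
    help
      Minimum version of secure image required by the non-secure image for
      upgrade to this non-secure image. If MCUBOOT_IMAGE_NUMBER == 1 this
      option has no effect

config MCUBOOT_NS_IMAGE_MIN_VER
    string "Minimum version of non-secure image"
    default "0.0.0+0"
    help
      Minimum version of non-secure image required by the secure image for
      upgrade to this secure image. If MCUBOOT_IMAGE_NUMBER == 1 this option
      has no effect
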
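# Image encryption key length and the Mbed TLS configuration header that
# MCUboot is built with.

config MCUBOOT_ENC_KEY_LEN
    int "Length of the AES key for encrypting images"
    default 128
    help
      Length, in bits, of the AES key used for encrypting images.

config MCUBOOT_MBEDCRYPTO_CONFIG_FILEPATH
    string "Mbedtls config file to use with MCUboot"
    default "$(TFM_SOURCE_DIR)/bl2/ext/mcuboot/config/mcuboot-mbedtls-cfg.h"
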
# MCUboot log verbosity. The default is Info.
choice
    prompt "MCUBoot Log Level"
    default MCUBOOT_LOG_LEVEL_INFO

    config MCUBOOT_LOG_LEVEL_DEBUG
        bool "Debug"

    config MCUBOOT_LOG_LEVEL_INFO
        bool "Info"

    config MCUBOOT_LOG_LEVEL_WARNING
        bool "Warning"

    config MCUBOOT_LOG_LEVEL_ERROR
        bool "Error"

    config MCUBOOT_LOG_LEVEL_OFF
        bool "Off"
endchoice

# Log level name derived from the choice above (no prompt of its own).
config MCUBOOT_LOG_LEVEL
    string
    default "DEBUG" if MCUBOOT_LOG_LEVEL_DEBUG
    default "INFO" if MCUBOOT_LOG_LEVEL_INFO
    default "WARNING" if MCUBOOT_LOG_LEVEL_WARNING
    default "ERROR" if MCUBOOT_LOG_LEVEL_ERROR
    default "OFF" if MCUBOOT_LOG_LEVEL_OFF

# Closes "if BL2".
endif