TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TF-M / trusted-firmware-m / refs/heads/main / . / docs / configuration / index.rst
blob: 3fa2eedd6ffa2b2e1be519112b4fd7f77f9fcfab [file] [log] [blame]
Anton Komlev2cd91532022-11-17 13:36:55 +0000[diff] [blame]1.. _tf-m_configuration:
2
Anton Komlevaffe14f2022-11-01 00:07:41 +0000[diff] [blame]3#############
4Configuration
5#############
6
Anton Komlevaffe14f2022-11-01 00:07:41 +0000[diff] [blame]7.. toctree::
8 :maxdepth: 1
9 :glob:
10
Anton Komlev2cd91532022-11-17 13:36:55 +0000[diff] [blame]11 build_configuration.rst
Kevin Peng75b0b762022-10-25 18:00:27 +0800[diff] [blame]12 Component configuration <header_file_system>
13 Kconfig <kconfig_system>
Anton Komlev2cd91532022-11-17 13:36:55 +0000[diff] [blame]14 Profiles <profiles/index>
15 test_configuration.rst
Anton Komlevaffe14f2022-11-01 00:07:41 +0000[diff] [blame]16
Anton Komlev2cd91532022-11-17 13:36:55 +0000[diff] [blame]17TF-M is highly configurable project with many configuration options to meet
Nicola Mazzucatoafd24bb2024-02-14 17:27:27 +0000[diff] [blame]18a user's needs. A user can select the desired set of services and fine-tune
Anton Komlev2cd91532022-11-17 13:36:55 +0000[diff] [blame]19them to their requirements. There are two types of configuration options
Anton Komlevaffe14f2022-11-01 00:07:41 +0000[diff] [blame]20
Anton Komlev5bc799f2022-11-10 18:22:48 +0000[diff] [blame]21Build configuration
22 Specifies which file or component to include into compilation and build.
23 These are options, usually used by a build system to enable/disable
24 modules, specify location of external dependency or other selection,
25 global to a project. These option set shall be considered while adopting TF-M
26 to other build systems.
Chris Brand80326b72023-03-15 13:07:49 -0700[diff] [blame]27 In the :ref:`Base_configuration` table these options have *Build* type.
Anton Komlevaffe14f2022-11-01 00:07:41 +0000[diff] [blame]28
Anton Komlev5bc799f2022-11-10 18:22:48 +0000[diff] [blame]29Component configuration
Anton Komlev2cd91532022-11-17 13:36:55 +0000[diff] [blame]30 To adjust a particular parameter to a desired value. Those options are
31 local to a component or externally referenced when components are coupled.
Kevin Peng75b0b762022-10-25 18:00:27 +0800[diff] [blame]32 Options are in C header file. The :ref:`Header_configuration` has more
33 details about it.
Georgios Vasilakis11b48702023-05-04 13:36:28 +0200[diff] [blame]34 In the :ref:`Base_configuration` table these options have *Component* type.
Anton Komlevaffe14f2022-11-01 00:07:41 +0000[diff] [blame]35
36.. Note::
Anton Komlev2cd91532022-11-17 13:36:55 +0000[diff] [blame]37 Originally, TF-M used CMake variables for both building and component tuning
38 purposes. It was convenient to have a single system for both building and
39 component's configurations. To simplify and improve configurability and
40 better support build systems other than a CMake, TF-M introduced a
Kevin Peng75b0b762022-10-25 18:00:27 +0800[diff] [blame]41 :ref:`Header_configuration` and moved component options into a dedicated
Anton Komlev2cd91532022-11-17 13:36:55 +0000[diff] [blame]42 config headers.
Anton Komlevaffe14f2022-11-01 00:07:41 +0000[diff] [blame]43
44****************
45How to configure
46****************
47
Anton Komlev5bc799f2022-11-10 18:22:48 +0000[diff] [blame]48TF-M Project provides a base build, defined in ``/config/config_base.cmake``
David Hu64961832023-02-21 23:03:01 +0800[diff] [blame]49and ``/config/config_base.h``.
Anton Komlev5bc799f2022-11-10 18:22:48 +0000[diff] [blame]50Starting from the base, users can enable required services and features using several
51independent methods to configure TF-M.
Anton Komlevaffe14f2022-11-01 00:07:41 +0000[diff] [blame]52
Kevin Peng75b0b762022-10-25 18:00:27 +0800[diff] [blame]53Use :ref:`tf-m_profiles`.
54 There are 4 sets of predefined configurations for a elected
Anton Komlevaffe14f2022-11-01 00:07:41 +0000[diff] [blame]55 use cases, called profiles. A user can select a profile by providing
56 -DTFM_PROFILE=<profile file name>.
57 Each profiles represented by a pair of configuration files for
58 Building (CMake) options and Component options (.h file)
59
Anton Komlev2cd91532022-11-17 13:36:55 +0000[diff] [blame]60Use a custom profile.
Nicola Mazzucatoafd24bb2024-02-14 17:27:27 +0000[diff] [blame]61 Another method is to take an existing TF-M profile and adjust the desired
Anton Komlev2cd91532022-11-17 13:36:55 +0000[diff] [blame]62 options manually editing CMake and config header files. This is for users
63 familiar with TF-M.
Anton Komlevaffe14f2022-11-01 00:07:41 +0000[diff] [blame]64
Kevin Peng75b0b762022-10-25 18:00:27 +0800[diff] [blame]65Use :ref:`Kconfig_system`.
Anton Komlev2cd91532022-11-17 13:36:55 +0000[diff] [blame]66 This method is recommended for beginners. Starting from the
Kevin Peng75b0b762022-10-25 18:00:27 +0800[diff] [blame]67 *base configuration* a user can enable necessary services and options.
Anton Komlev2cd91532022-11-17 13:36:55 +0000[diff] [blame]68 KConfig ensurers that all selected options are consistent and valid.
Kevin Peng75b0b762022-10-25 18:00:27 +0800[diff] [blame]69 This is new in v1.7.0 and it covers only SPM and PSA services. As an output
Anton Komlevaffe14f2022-11-01 00:07:41 +0000[diff] [blame]70 KConfig produces a pair of configuration files, similar to a profile.
71
72.. Note::
73 In contrast, before TF-M v1.7.0, the default build includes all possible
74 features. With growing functionality, such rich default build became
75 unpractical by not fitting into every platform and confusing of big
76 memory requirements.
77
78**********
79Priorities
80**********
Anton Komlevaffe14f2022-11-01 00:07:41 +0000[diff] [blame]81
Georgios Vasilakis11b48702023-05-04 13:36:28 +0200[diff] [blame]82A project configuration performed in multiple steps with priorities.
Anton Komlev2cd91532022-11-17 13:36:55 +0000[diff] [blame]83The list below explains the process but for the details specific to
Kevin Peng75b0b762022-10-25 18:00:27 +0800[diff] [blame]84:ref:`tfm_cmake_configuration` or :ref:`Header_configuration` please
Anton Komlev2cd91532022-11-17 13:36:55 +0000[diff] [blame]85check the corresponded document.
Anton Komlevaffe14f2022-11-01 00:07:41 +0000[diff] [blame]86
Anton Komlev2cd91532022-11-17 13:36:55 +0000[diff] [blame]87#. The base configuration with default values is used as a starting point
88#. A profile options applied on top of the base
89#. A platform can check the selected configuration and apply restrictions
90#. Finally, command line options can modify the composed set
91
92.. Note::
93 To ensure a clear intention and conscious choice, all options must be
Georgios Vasilakis11b48702023-05-04 13:36:28 +0200[diff] [blame]94 provided explicitly via a project configuration file. Default values
Nicola Mazzucatoafd24bb2024-02-14 17:27:27 +0000[diff] [blame]95 on step 1 will generate warnings which are expected to break a build.
Anton Komlevaffe14f2022-11-01 00:07:41 +0000[diff] [blame]96
Anton Komlev5bc799f2022-11-10 18:22:48 +0000[diff] [blame]97.. _Base_configuration:
98
99******************
100Base Configuration
101******************
102
Georgios Vasilakis11b48702023-05-04 13:36:28 +0200[diff] [blame]103The base configuration is the ground for configuring TF-M, provided defaults
104are defined in ``/config/config_base.cmake`` and ``/config/config_base.h``.
Anton Komlev5bc799f2022-11-10 18:22:48 +0000[diff] [blame]105The base build includes SPM and platform code only.
106
107This table lists the config option categorizations of the SPM and Secure
108Partitions.
109
110Crypto
111======
112+-------------------------------------+-----------+------------+
113| Options | Type | Base Value |
114+=====================================+===========+============+
115|TFM_PARTITION_CRYPTO | Build | OFF |
116+-------------------------------------+-----------+------------+
117|CRYPTO_TFM_BUILTIN_KEYS_DRIVER | Build | ON |
118+-------------------------------------+-----------+------------+
119|CRYPTO_NV_SEED | Component | ON |
120+-------------------------------------+-----------+------------+
121|CRYPTO_ENGINE_BUF_SIZE | Component | 0x2080 |
122+-------------------------------------+-----------+------------+
123|CRYPTO_IOVEC_BUFFER_SIZE | Component | 5120 |
124+-------------------------------------+-----------+------------+
125|CRYPTO_STACK_SIZE | Component | 0x1B00 |
126+-------------------------------------+-----------+------------+
127|CRYPTO_CONC_OPER_NUM | Component | 8 |
128+-------------------------------------+-----------+------------+
129|CRYPTO_RNG_MODULE_ENABLED | Component | 1 |
130+-------------------------------------+-----------+------------+
131|CRYPTO_KEY_MODULE_ENABLED | Component | 1 |
132+-------------------------------------+-----------+------------+
133|CRYPTO_AEAD_MODULE_ENABLED | Component | 1 |
134+-------------------------------------+-----------+------------+
135|CRYPTO_MAC_MODULE_ENABLED | Component | 1 |
136+-------------------------------------+-----------+------------+
137|CRYPTO_HASH_MODULE_ENABLED | Component | 1 |
138+-------------------------------------+-----------+------------+
139|CRYPTO_CIPHER_MODULE_ENABLED | Component | 1 |
140+-------------------------------------+-----------+------------+
141|CRYPTO_ASYM_SIGN_MODULE_ENABLED | Component | 1 |
142+-------------------------------------+-----------+------------+
143|CRYPTO_ASYM_ENCRYPT_MODULE_ENABLED | Component | 1 |
144+-------------------------------------+-----------+------------+
145|CRYPTO_KEY_DERIVATION_MODULE_ENABLED | Component | 1 |
146+-------------------------------------+-----------+------------+
147|CRYPTO_SINGLE_PART_FUNCS_ENABLED | Component | 1 |
148+-------------------------------------+-----------+------------+
149
150Initial Attestation
151===================
152+-------------------------------------+-----------+-------------+
153| Options | Type | Base Value |
154+=====================================+===========+=============+
155|TFM_PARTITION_INITIAL_ATTESTATION | Build | OFF |
156+-------------------------------------+-----------+-------------+
157|SYMMETRIC_INITIAL_ATTESTATION | Build | OFF |
158+-------------------------------------+-----------+-------------+
Anton Komlev5bc799f2022-11-10 18:22:48 +0000[diff] [blame]159|ATTEST_KEY_BITS | Build | 256 |
160+-------------------------------------+-----------+-------------+
161|ATTEST_TOKEN_PROFILE | Component | "PSA_IOT_1" |
162+-------------------------------------+-----------+-------------+
163|ATTEST_INCLUDE_OPTIONAL_CLAIMS | Component | 1 |
164+-------------------------------------+-----------+-------------+
165|ATTEST_INCLUDE_COSE_KEY_ID | Component | 0 |
166+-------------------------------------+-----------+-------------+
Tamas Ban6bff4682024-09-25 15:15:26 +0200[diff] [blame]167|ATTEST_STACK_SIZE | Component | 0x800 |
Anton Komlev5bc799f2022-11-10 18:22:48 +0000[diff] [blame]168+-------------------------------------+-----------+-------------+
169
170Internal Trusted Storage
171========================
172+---------------------------------------+-----------+------------------------+
173| Options | Type | Base Value |
174+=======================================+===========+========================+
175|TFM_PARTITION_INTERNAL_TRUSTED_STORAGE | Build | OFF |
176+---------------------------------------+-----------+------------------------+
177|ITS_CREATE_FLASH_LAYOUT | Component | 1 |
178+---------------------------------------+-----------+------------------------+
179|ITS_RAM_FS | Component | 0 |
180+---------------------------------------+-----------+------------------------+
181|ITS_VALIDATE_METADATA_FROM_FLASH | Component | 1 |
182+---------------------------------------+-----------+------------------------+
183|ITS_MAX_ASSET_SIZE | Component | 512 |
184+---------------------------------------+-----------+------------------------+
185|ITS_NUM_ASSETS | Component | 10 |
186+---------------------------------------+-----------+------------------------+
187|ITS_BUF_SIZE | Component | ITS_MAX_ASSET_SIZE |
188+---------------------------------------+-----------+------------------------+
189|ITS_STACK_SIZE | Component | 0x720 |
190+---------------------------------------+-----------+------------------------+
191
192Protected Storage
193=================
194+---------------------------------------+-----------+-----------------+
195| Options | Type | Base Value |
196+=======================================+===========+=================+
197|TFM_PARTITION_PROTECTED_STORAGE | Build | OFF |
198+---------------------------------------+-----------+-----------------+
199|PS_ENCRYPTION | Build | ON |
200+---------------------------------------+-----------+-----------------+
Chris Brande8d48d72024-07-24 12:19:07 -0700[diff] [blame]201|PS_SUPPORT_FORMAT_TRANSITION | Build | OFF |
202+---------------------------------------+-----------+-----------------+
Anton Komlev5bc799f2022-11-10 18:22:48 +0000[diff] [blame]203|PS_CRYPTO_AEAD_ALG | Build | PSA_ALG_GCM |
204+---------------------------------------+-----------+-----------------+
Chris Brand934761b2024-07-19 12:03:44 -0700[diff] [blame]205|PS_AES_KEY_USAGE_LIMIT | Build | 0 |
206+---------------------------------------+-----------+-----------------+
Anton Komlev5bc799f2022-11-10 18:22:48 +0000[diff] [blame]207|PS_CREATE_FLASH_LAYOUT | Component | 1 |
208+---------------------------------------+-----------+-----------------+
209|PS_RAM_FS | Component | 0 |
210+---------------------------------------+-----------+-----------------+
211|PS_VALIDATE_METADATA_FROM_FLASH | Component | 1 |
212+---------------------------------------+-----------+-----------------+
213|PS_MAX_ASSET_SIZE | Component | 2048 |
214+---------------------------------------+-----------+-----------------+
215|PS_NUM_ASSETS | Component | 10 |
216+---------------------------------------+-----------+-----------------+
217|PS_ROLLBACK_PROTECTION | Component | 1 |
218+---------------------------------------+-----------+-----------------+
219|PS_STACK_SIZE | Component | 0x700 |
220+---------------------------------------+-----------+-----------------+
221
222Firmware Update
223===============
224+-------------------------------------+-----------+-------------------------------------+
225| Options | Type | Base Value |
226+=====================================+===========+=====================================+
227|PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT | Build | OFF |
228+-------------------------------------+-----------+-------------------------------------+
229|TFM_PARTITION_FIRMWARE_UPDATE | Build | OFF |
230+-------------------------------------+-----------+-------------------------------------+
231|TFM_CONFIG_FWU_MAX_WRITE_SIZE | Build | 1024 |
232+-------------------------------------+-----------+-------------------------------------+
233|TFM_CONFIG_FWU_MAX_MANIFEST_SIZE | Build | 0 |
234+-------------------------------------+-----------+-------------------------------------+
235|FWU_DEVICE_CONFIG_FILE | Build | "" |
236+-------------------------------------+-----------+-------------------------------------+
237|FWU_SUPPORT_TRIAL_STATE | Build | Depends on MCUBOOT_UPGRADE_STRATEGY |
238+-------------------------------------+-----------+-------------------------------------+
239|TFM_FWU_BOOTLOADER_LIB | Build | "mcuboot" |
240+-------------------------------------+-----------+-------------------------------------+
241|TFM_FWU_BUF_SIZE | Component | PSA_FWU_MAX_BLOCK_SIZE |
242+-------------------------------------+-----------+-------------------------------------+
243|FWU_STACK_SIZE | Component | 0x600 |
244+-------------------------------------+-----------+-------------------------------------+
245
246Platform Secure Partition
247=========================
248+-------------------------------------+-----------+------------+
249| Options | Type | Base Value |
250+=====================================+===========+============+
251|TFM_PARTITION_PLATFORM | Build | OFF |
252+-------------------------------------+-----------+------------+
253|PLATFORM_SERVICE_INPUT_BUFFER_SIZE | Component | 64 |
254+-------------------------------------+-----------+------------+
255|PLATFORM_SERVICE_OUTPUT_BUFFER_SIZE | Component | 64 |
256+-------------------------------------+-----------+------------+
257|PLATFORM_SP_STACK_SIZE | Component | 0x500 |
258+-------------------------------------+-----------+------------+
259|PLATFORM_NV_COUNTER_MODULE_DISABLED | Component | 0 |
260+-------------------------------------+-----------+------------+
261
Sherry Zhang415d7132023-08-09 16:26:56 +0800[diff] [blame]262NS Agent Mailbox Secure Partition
263=================================
264+-------------------------------------+-----------+------------+
265| Options | Type | Base Value |
266+=====================================+===========+============+
267|NS_AGENT_MAILBOX_STACK_SIZE | Component | 0x800 |
268+-------------------------------------+-----------+------------+
Chris Brandda938d82024-08-01 12:42:10 -0700[diff] [blame]269|MAILBOX_IS_UNCACHED_S | Component | 1 |
270+-------------------------------------+-----------+------------+
271|MAILBOX_IS_UNCACHED_NS | Component | 1 |
272+-------------------------------------+-----------+------------+
Sherry Zhang415d7132023-08-09 16:26:56 +0800[diff] [blame]273
274
Anton Komlev5bc799f2022-11-10 18:22:48 +0000[diff] [blame]275Secure Partition Manager
276========================
Chris Brand80326b72023-03-15 13:07:49 -0700[diff] [blame]277+----------------------------------------+-----------+-------------+
278| Options | Type | Base Values |
279+========================================+===========+=============+
280|TFM_ISOLATION_LEVEL | Build | 1 |
281+----------------------------------------+-----------+-------------+
282|PSA_FRAMEWORK_HAS_MM_IOVEC | Build | OFF |
283+----------------------------------------+-----------+-------------+
284|CONFIG_TFM_SPM_BACKEND | Build | "SFN" |
285+----------------------------------------+-----------+-------------+
286|TFM_SPM_LOG_LEVEL | Build | 1 |
287+----------------------------------------+-----------+-------------+
Chris Brandcba6a092024-04-10 11:36:59 -0700[diff] [blame]288|CONFIG_TFM_STACK_WATERMARKS | Build | OFF |
289+----------------------------------------+-----------+-------------+
Chris Brand80326b72023-03-15 13:07:49 -0700[diff] [blame]290|CONFIG_TFM_CONN_HANDLE_MAX_NUM | Component | 8 |
291+----------------------------------------+-----------+-------------+
292|CONFIG_TFM_DOORBELL_API | Component | 0 |
293+----------------------------------------+-----------+-------------+
Chris Brand3b44fe92023-03-30 15:53:49 -0700[diff] [blame]294|CONFIG_TFM_SCHEDULE_WHEN_NS_INTERRUPTED | Component | 0 |
Chris Brand80326b72023-03-15 13:07:49 -0700[diff] [blame]295+----------------------------------------+-----------+-------------+
Nicola Mazzucatob369b332025-01-02 09:11:57 +0000[diff] [blame]296|CONFIG_TFM_HYBRID_PLAT_SCHED_TYPE | Component | 0 |
297+----------------------------------------+-----------+-------------+
Anton Komlev5bc799f2022-11-10 18:22:48 +0000[diff] [blame]298
Anton Komlevaffe14f2022-11-01 00:07:41 +0000[diff] [blame]299--------------
300
David Vincze30087aa2025-02-20 12:54:14 +0000[diff] [blame]301*SPDX-FileCopyrightText: Copyright The TrustedFirmware-M Contributors*
302
Chris Brandda938d82024-08-01 12:42:10 -0700[diff] [blame]303*Copyright (c) 2023-2024 Cypress Semiconductor Corporation (an Infineon company)
Chris Brand80326b72023-03-15 13:07:49 -0700[diff] [blame]304or an affiliate of Cypress Semiconductor Corporation. All rights reserved.*
David Vincze30087aa2025-02-20 12:54:14 +0000[diff] [blame]305
306*SPDX-License-Identifier: BSD-3-Clause*