Build: Refine Kconfig system
- Set SFN model as default.
- Turn off all secure partitions and refine dependencies.
- Make regression tests imply secure partitions.
- Check platform path and refine python execution path.
- Other minor refinements about Kconfig options.
Signed-off-by: Jianliang Shen <jianliang.shen@arm.com>
Change-Id: I8074d02088cfe0cd93a4a1d81e12b071c26c287e
diff --git a/Kconfig b/Kconfig
index 2aecc9d..007be2d 100644
--- a/Kconfig
+++ b/Kconfig
@@ -14,18 +14,19 @@
config TFM_ISOLATION_LEVEL
int "Isolation level"
default 1
+ range 1 1 if TFM_SPM_BACKEND_SFN
range 1 3 if PLATFORM_HAS_ISOLATION_L3_SUPPORT
range 1 2
choice
prompt "SPM Backend"
-
- config TFM_SPM_BACKEND_IPC
- bool "IPC Backend"
+ default TFM_SPM_BACKEND_SFN
config TFM_SPM_BACKEND_SFN
bool "SFN Backend"
+ config TFM_SPM_BACKEND_IPC
+ bool "IPC Backend"
endchoice
config CONFIG_TFM_SPM_BACKEND
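Review bot: The new `range 1 1 if TFM_SPM_BACKEND_SFN` line, combined with `default TFM_SPM_BACKEND_SFN` in the choice, pins the isolation level to 1 for any configuration that does not pick the IPC backend explicitly. Kconfig uses the first range whose condition holds, so a defconfig that sets TFM_ISOLATION_LEVEL to 2 or 3 without also selecting TFM_SPM_BACKEND_IPC would, as far as I can tell, come out at level 1 with at most a warning. Since this lowers isolation, it should be visible in the menu, for example with `comment "Isolation level 2 and 3 require the IPC backend"` followed by `depends on TFM_SPM_BACKEND_SFN`, the pattern secure_fw/partitions/Kconfig already uses. Platform defconfigs that rely on level 2 or 3 are worth checking for an explicit backend selection.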
@@ -72,12 +73,6 @@
rsource "platform/Kconfig"
-################################# NS ###########################################
-
-config NS
- bool "NS app"
- default y
-
################################# TEST #########################################
menu "TF-M tests"
@@ -87,9 +82,9 @@
################################# Component ####################################
-# These configs in this menu are are local to a component or externally
-# referenced when components are coupled. Usually, such options are located in
-# C header file. The Header File Config System has more details about it.
+# These configs in this menu are local to a component or externally referenced
+# when components are coupled. Usually, such options are located in C header
+# file. The Header File Config System has more details about it.
# Other configs above which are not in component menu are TF-M build options to
# select which file or component to include into compilation. These are options,
diff --git a/config/tests/regression_config.cmake b/config/tests/regression_config.cmake
index 0033146..3f80f5d 100755
--- a/config/tests/regression_config.cmake
+++ b/config/tests/regression_config.cmake
@@ -28,6 +28,7 @@
set(TFM_PARTITION_PROTECTED_STORAGE ON CACHE BOOL "Enable Protected Storage partition")
set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE ON CACHE BOOL "Enable Internal Trusted Storage partition")
set(TFM_PARTITION_CRYPTO ON CACHE BOOL "Enable Crypto partition")
+ set(TFM_PARTITION_PLATFORM ON CACHE BOOL "Enable Platform partition")
endif()
if(TEST_S_ATTESTATION OR TEST_NS_ATTESTATION)
diff --git a/lib/ext/psa_arch_tests/Kconfig b/lib/ext/psa_arch_tests/Kconfig
index 9ff7ee0..a4e3c69 100644
--- a/lib/ext/psa_arch_tests/Kconfig
+++ b/lib/ext/psa_arch_tests/Kconfig
@@ -8,8 +8,7 @@
menu "PSA Arch Test"
choice
- prompt "Which (if any) of the PSA API tests should be compiled"
- depends on !(TFM_S_REG_TEST || TFM_NS_REG_TEST)
+ prompt "PSA API Test Suite"
config TEST_PSA_API_NONE
bool "None"
@@ -19,29 +18,39 @@
config TEST_PSA_API_CRYPTO
bool "Crypto"
- depends on TFM_PARTITION_CRYPTO
+ imply TFM_PARTITION_CRYPTO
+ imply TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
+ imply TFM_PARTITION_PLATFORM
config TEST_PSA_API_INITIAL_ATTESTATION
bool "Initial attestation"
- depends on TFM_PARTITION_INITIAL_ATTESTATION
+ imply TFM_PARTITION_INITIAL_ATTESTATION
+ imply TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
+ imply TFM_PARTITION_CRYPTO
+ imply TFM_PARTITION_PLATFORM
config TEST_PSA_API_INTERNAL_TRUSTED_STORAGE
bool "Internal trusted storage"
- depends on TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
+ imply TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
config TEST_PSA_API_PROTECTED_STORAGE
bool "Protected storage"
- depends on TFM_PARTITION_PROTECTED_STORAGE
+ imply TFM_PARTITION_PROTECTED_STORAGE
+ imply TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
+ imply TFM_PARTITION_CRYPTO
+ imply TFM_PARTITION_PLATFORM
config TEST_PSA_API_STORAGE
bool "Storage(ITS+PS)"
- depends on TFM_PARTITION_INTERNAL_TRUSTED_STORAGE && TFM_PARTITION_PROTECTED_STORAGE
+ imply TFM_PARTITION_PROTECTED_STORAGE
+ imply TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
+ imply TFM_PARTITION_CRYPTO
+ imply TFM_PARTITION_PLATFORM
endchoice
config TEST_PSA_API
string
- depends on !(TFM_S_REG_TEST || TFM_NS_REG_TEST)
default "" if TEST_PSA_API_NONE
default "IPC" if TEST_PSA_API_IPC
default "CRYPTO" if TEST_PSA_API_CRYPTO
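Review bot: Replacing `depends on` with `imply` in the TEST_PSA_API_* entries removes the guarantee that a selected suite has its partition. `imply` is a weak reverse dependency: the partition stays off when a defconfig or the user sets it to n, or when its own `depends on` is unmet. Nothing visible in this file rejects that combination, so it would presumably surface later as a build or run-time failure rather than a configuration error. I would document it above the choice, for example `# imply is weak: a partition explicitly set to n stays off, so the build must reject a suite whose partition is missing`, and add a matching check on the build side. The same applies to the TEST_S_* and TEST_NS_* entries in lib/ext/tf-m-tests/Kconfig.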
diff --git a/lib/ext/tf-m-tests/Kconfig b/lib/ext/tf-m-tests/Kconfig
index 4c894cc..30408e9 100644
--- a/lib/ext/tf-m-tests/Kconfig
+++ b/lib/ext/tf-m-tests/Kconfig
@@ -20,7 +20,6 @@
config TEST_NS
bool "Enable default non-secure test cases"
- depends on NS
default n
imply TEST_NS_ATTESTATION
imply TEST_NS_T_COSE
@@ -41,27 +40,40 @@
config TEST_S_ATTESTATION
bool "Attestation"
- depends on TFM_PARTITION_INITIAL_ATTESTATION
+ default n
+ imply TFM_PARTITION_INITIAL_ATTESTATION
+ imply TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
+ imply TFM_PARTITION_CRYPTO
config TEST_S_CRYPTO
bool "Crypto"
- depends on TFM_PARTITION_CRYPTO
+ default n
+ imply TFM_PARTITION_CRYPTO
+ imply TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
config TEST_S_ITS
bool "ITS"
- depends on TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
+ default n
+ imply TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
config TEST_S_PS
bool "PS"
- depends on TFM_PARTITION_PROTECTED_STORAGE
+ default n
+ imply TFM_PARTITION_PROTECTED_STORAGE
+ imply TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
+ imply TFM_PARTITION_CRYPTO
+ imply TFM_PARTITION_PLATFORM
+
config TEST_S_PLATFORM
bool "Platform"
- depends on TFM_PARTITION_PLATFORM
+ default n
+ imply TFM_PARTITION_PLATFORM
config TEST_S_FWU
bool "FWU"
- depends on TFM_PARTITION_FIRMWARE_UPDATE
+ default n
+ imply TFM_PARTITION_FIRMWARE_UPDATE
config TEST_S_IPC
bool "IPC"
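Review bot: TEST_S_FWU implies only TFM_PARTITION_FIRMWARE_UPDATE, but that partition now depends on TFM_PARTITION_PLATFORM, TFM_PARTITION_CRYPTO and PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT (see secure_fw/partitions/Kconfig in this commit). With every partition defaulting to off, selecting the test alone leaves the FWU partition disabled. Since `imply` cannot satisfy a promptless platform capability, the test should carry `depends on PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT` and imply the Platform, Crypto and ITS partitions as well, the way TEST_S_PS lists its whole chain. TEST_NS_FWU in the next hunk has the same gap.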
@@ -79,42 +91,53 @@
################################# Non-secure test ##############################
menu "Non-Secure regression tests"
- depends on NS
config TEST_NS_ATTESTATION
bool "Attestation"
- depends on TFM_PARTITION_INITIAL_ATTESTATION
+ default n
+ imply TFM_PARTITION_INITIAL_ATTESTATION
+ imply TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
+ imply TFM_PARTITION_CRYPTO
config TEST_NS_T_COSE
bool "t_cose"
- depends on TFM_PARTITION_INITIAL_ATTESTATION && !SYMMETRIC_INITIAL_ATTESTATION
+ default n
+ imply TFM_PARTITION_INITIAL_ATTESTATION
config TEST_NS_QCBOR
bool "QCBOR"
- depends on TFM_PARTITION_INITIAL_ATTESTATION
+ default n
+ imply TFM_PARTITION_INITIAL_ATTESTATION
config TEST_NS_CRYPTO
bool "Crypto"
- depends on TFM_PARTITION_CRYPTO
-
-comment "PS NS test depends on partition ITS and PS, and NS ITS test"
- depends on !(TFM_PARTITION_PROTECTED_STORAGE && TEST_NS_ITS)
+ default n
+ imply TFM_PARTITION_CRYPTO
+ imply TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
config TEST_NS_PS
bool "PS"
- depends on TFM_PARTITION_PROTECTED_STORAGE && TEST_NS_ITS
+ default n
+ imply TFM_PARTITION_PROTECTED_STORAGE
+ imply TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
+ imply TFM_PARTITION_CRYPTO
+ imply TFM_PARTITION_PLATFORM
+ imply TEST_NS_ITS
config TEST_NS_ITS
bool "ITS"
- depends on TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
+ default n
+ imply TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
config TEST_NS_PLATFORM
bool "Platform"
- depends on TFM_PARTITION_PLATFORM
+ default n
+ imply TFM_PARTITION_PLATFORM
config TEST_NS_FWU
bool "FWU"
- depends on TFM_PARTITION_FIRMWARE_UPDATE
+ default n
+ imply TFM_PARTITION_FIRMWARE_UPDATE
config TEST_NS_MULTI_CORE
bool "Multi-core"
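Review bot: TEST_NS_T_COSE lost its `!SYMMETRIC_INITIAL_ATTESTATION` condition when `depends on` was replaced by `imply`, so the t_cose test can now be enabled together with symmetric attestation. If that exclusion is still needed, keep it as `depends on !SYMMETRIC_INITIAL_ATTESTATION` next to the new `imply` line. TEST_NS_T_COSE and TEST_NS_QCBOR also imply only TFM_PARTITION_INITIAL_ATTESTATION, which depends on Crypto (and Crypto on ITS). Unlike TEST_NS_ATTESTATION, they will not bring the attestation partition up on their own; adding `imply TFM_PARTITION_CRYPTO` and `imply TFM_PARTITION_INTERNAL_TRUSTED_STORAGE` would make them consistent.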
@@ -131,7 +154,6 @@
config TEST_NS_NONE_IRQ
bool "None IRQ test"
- # Make FLIH IRQ test as the default IRQ test
config TEST_NS_FLIH_IRQ
bool "First-Level Interrupt Handling"
@@ -146,11 +168,11 @@
config TEST_NS_IPC
bool "IPC"
- depends on CONFIG_TFM_SPM_BACKEND_IPC
+ depends on TFM_SPM_BACKEND_IPC
config TEST_NS_SFN_BACKEND
bool "SFN backend"
- depends on CONFIG_TFM_SPM_BACKEND_SFN
+ depends on TFM_SPM_BACKEND_SFN
endmenu
diff --git a/platform/Kconfig b/platform/Kconfig
index 0f8b3b2..1f38cdf 100644
--- a/platform/Kconfig
+++ b/platform/Kconfig
@@ -56,4 +56,7 @@
bool "Use default system reset/halt implementation"
default y
+config PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT
+ bool
+ default n
endmenu
diff --git a/secure_fw/partitions/Kconfig b/secure_fw/partitions/Kconfig
index e7e1014..df68df3 100644
--- a/secure_fw/partitions/Kconfig
+++ b/secure_fw/partitions/Kconfig
@@ -6,53 +6,52 @@
#-------------------------------------------------------------------------------
menu "Secure partitions"
+
+################################# Crypto #######################################
+
+comment "Crypto depends on ITS"
+ depends on !TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
+
config TFM_PARTITION_CRYPTO
bool "Crypto"
- default y
+ depends on TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
-if TFM_PARTITION_CRYPTO
+################################# Attestation ##################################
- config CRYPTO_HW_ACCELERATOR
- bool "Enable the crypto hardware accelerator"
- default n
-
- config CRYPTO_TFM_BUILTIN_KEYS_DRIVER
- bool "Allow crypto service to store builtin keys"
- default y
- help
- Whether to allow crypto service to store builtin keys. Without this,
- all builtin keys must be stored in a platform-specific location.
-endif
+comment "Initial attestation depends on Crypto"
+ depends on !TFM_PARTITION_CRYPTO
config TFM_PARTITION_INITIAL_ATTESTATION
bool "Initial attestation"
- default y
+ depends on TFM_PARTITION_CRYPTO
+
+################################# ITS ##########################################
config TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
bool "Internal Trusted Storage"
- default y
+ default n
+
+################################# Platform #####################################
config TFM_PARTITION_PLATFORM
bool "Platform"
- default y
+ default n
-comment "Firmware update depends on partition Platform"
- depends on !TFM_PARTITION_PLATFORM
+################################# FWU ##########################################
+
+comment "Firmware update depends on Crypto and Platform, and FWU support"
+ depends on !(TFM_PARTITION_PLATFORM && TFM_PARTITION_CRYPTO && PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT)
config TFM_PARTITION_FIRMWARE_UPDATE
bool "Firmware update"
- default n
- depends on TFM_PARTITION_PLATFORM
+ depends on TFM_PARTITION_PLATFORM && TFM_PARTITION_CRYPTO && PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT
-comment "Protected Storage depends on partition ITS and Platform"
- depends on !(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE && TFM_PARTITION_PLATFORM)
+################################# PS ###########################################
+
+comment "Protected Storage depends on Crypto, ITS and Platform"
+ depends on !(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE && TFM_PARTITION_PLATFORM && TFM_PARTITION_CRYPTO)
config TFM_PARTITION_PROTECTED_STORAGE
bool "Protected Storage"
- default y
- depends on TFM_PARTITION_INTERNAL_TRUSTED_STORAGE && TFM_PARTITION_PLATFORM
- help
- PS only uses the platform partition when PS_ROLLBACK_PROTECTION is ON,
- but the dependency in the manifest file means the dependency is
- unconditional.
+ depends on TFM_PARTITION_INTERNAL_TRUSTED_STORAGE && TFM_PARTITION_PLATFORM && TFM_PARTITION_CRYPTO
endmenu
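Review bot: The help text on TFM_PARTITION_PROTECTED_STORAGE is deleted although the unconditional Platform dependency it explained is still there, and the newly added Crypto dependency is not explained at all. I would keep a `help` entry such as `PS depends on ITS, Crypto and Platform. Platform is only used when PS_ROLLBACK_PROTECTION is ON, but the manifest makes the dependency unconditional.` This hunk also drops CRYPTO_HW_ACCELERATOR and CRYPTO_TFM_BUILTIN_KEYS_DRIVER. If they are not re-declared in a Kconfig file outside this diff, existing defconfig values for them would be ignored and the header defaults would apply, which matters for where builtin keys are stored.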
diff --git a/secure_fw/partitions/platform/Kconfig b/secure_fw/partitions/platform/Kconfig
index f133b24..24d574f 100644
--- a/secure_fw/partitions/platform/Kconfig
+++ b/secure_fw/partitions/platform/Kconfig
@@ -20,4 +20,8 @@
hex "Stack size"
default 0x500
+config PLATFORM_NV_COUNTER_MODULE_DISABLED
+ bool "Disable Non-volatile counter module"
+ default n
+
endmenu
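Review bot: PLATFORM_NV_COUNTER_MODULE_DISABLED is added without a `help` entry, and it is a negative-logic switch whose effect on other services is not obvious from the prompt. Non-volatile counters are normally what rollback protection is built on, so turning the module off presumably affects Protected Storage when PS_ROLLBACK_PROTECTION is on; this is inferred, not shown in the hunk. I would add `help` with text such as `Disables the non-volatile counter module of the Platform partition. Do not set this while a service that relies on NV counters, e.g. PS rollback protection, is enabled.` A `depends on` that blocks the combination would be stronger if the relationship is confirmed.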
diff --git a/secure_fw/spm/Kconfig b/secure_fw/spm/Kconfig
index bb992a7..164af37 100644
--- a/secure_fw/spm/Kconfig
+++ b/secure_fw/spm/Kconfig
@@ -16,6 +16,6 @@
config CONFIG_TFM_DOORBELL_API
bool "Enable the doorbell APIs"
- default n if CONFIG_TFM_SPM_BACKEND_SFN
+ depends on TFM_SPM_BACKEND_IPC
default y
endmenu
diff --git a/secure_fw/spm/include/config_spm.h b/secure_fw/spm/include/config_spm.h
index 6d7172d..215947b 100644
--- a/secure_fw/spm/include/config_spm.h
+++ b/secure_fw/spm/include/config_spm.h
@@ -19,13 +19,10 @@
/* Set the doorbell APIs */
#ifndef CONFIG_TFM_DOORBELL_API
-#if CONFIG_TFM_SPM_BACKEND_SFN == 1
-#pragma message("CONFIG_TFM_DOORBELL_API is defaulted to 0 for SFN backend. Please check and set it explicitly.")
-#define CONFIG_TFM_DOORBELL_API 0
-#else /* CONFIG_TFM_SPM_BACKEND_SFN == 1 */
+#if CONFIG_TFM_SPM_BACKEND_IPC == 1
#pragma message("CONFIG_TFM_DOORBELL_API is defaulted to 1 for IPC backend. Please check and set it explicitly.")
#define CONFIG_TFM_DOORBELL_API 1
-#endif /* CONFIG_TFM_SPM_BACKEND_SFN == 1 */
+#endif /* CONFIG_TFM_SPM_BACKEND_IPC == 1 */
#endif /* !CONFIG_TFM_DOORBELL_API */
/* Check invalid configs */
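Review bot: With the SFN backend, CONFIG_TFM_DOORBELL_API is now left undefined after this block, where the old code defined it to 0. A later `#if CONFIG_TFM_DOORBELL_API` still evaluates as 0 but warns under -Wundef, and any `#ifdef` or `defined()` test behaves differently from before. The "Check invalid configs" section that follows is outside the hunk, so I cannot tell which form it uses. Keeping an explicit fallback avoids the ambiguity: add `#else` and `#define CONFIG_TFM_DOORBELL_API 0` before the `#endif /* CONFIG_TFM_SPM_BACKEND_IPC == 1 */` line.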
diff --git a/tools/kconfig/tfm_kconfig.py b/tools/kconfig/tfm_kconfig.py
index 3c4b953..c18acc3 100755
--- a/tools/kconfig/tfm_kconfig.py
+++ b/tools/kconfig/tfm_kconfig.py
@@ -8,7 +8,6 @@
import logging
import os
import re
-import hashlib
from kconfiglib import Kconfig
import menuconfig
@@ -50,8 +49,7 @@
'-p', '--platform-path',
dest = 'platform_path',
required = False,
- help = 'The platform path which contains specific Kconfig and defconfig\
- files'
+ help = 'The platform path which contains specific Kconfig and defconfig files'
)
args = parser.parse_args()
@@ -75,7 +73,7 @@
The regular expression is used to parse the text like:
- CONFIG_FOO=val
- # CONFIG_FOO is not set
- The 'FOO" will be saved into the name part of groupdict, and the 'val' will
+ The 'FOO' will be saved into the name part of groupdict, and the 'val' will
be saved into the 'val' part of groupdict.
'''
pattern_set = re.compile('CONFIG_(?P<name>[A-Za-z|_|0-9]*)=(?P<val>\S+)')
@@ -181,23 +179,23 @@
def_config = ''
mtime_prv = 0
- if not os.path.exists(args.output_path):
- os.mkdir(args.output_path)
-
- if args.platform_path:
+ if args.platform_path and os.path.exists(args.platform_path):
platform_abs_path = os.path.abspath(args.platform_path)
+ def_config = os.path.join(platform_abs_path, 'defconfig')
# Pass environment variable to Kconfig to load extra Kconfig file.
os.environ['PLATFORM_PATH'] = platform_abs_path
- def_config = os.path.join(platform_abs_path, 'defconfig')
- else:
- os.environ['PLATFORM_PATH'] = ''
-
# Load Kconfig file. kconfig_file is the root Kconfig file. The path is
# input by users from the command.
tfm_kconfig = Kconfig(args.kconfig_file)
+ if not os.path.exists(args.output_path):
+ os.mkdir(args.output_path)
+
+ # Change program execution path to the output folder path.
+ os.chdir(args.output_path)
+
if os.path.exists(dot_config):
# Load .config which contains the previous configurations.
mtime_prv = os.stat(dot_config).st_mtime
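Review bot: A `--platform-path` that does not exist is now silently ignored by `if args.platform_path and os.path.exists(args.platform_path):`, so a typo yields a configuration built without the platform's Kconfig and defconfig. With this commit turning every secure partition off by default, that failure should be loud. The removed `else` branch also no longer resets PLATFORM_PATH, so a value inherited from the calling environment would presumably reach `Kconfig(args.kconfig_file)` when the option is omitted. I would fail on a bad path and clear the variable otherwise, as below. The enclosing function starts and ends outside the hunk.

```python
    if args.platform_path:
        if not os.path.isdir(args.platform_path):
            raise SystemExit(
                'Platform path \'{}\' does not exist'.format(args.platform_path))
        platform_abs_path = os.path.abspath(args.platform_path)
        def_config = os.path.join(platform_abs_path, 'defconfig')
        # Pass environment variable to Kconfig to load extra Kconfig file.
        os.environ['PLATFORM_PATH'] = platform_abs_path
    else:
        # Do not let a PLATFORM_PATH inherited from the caller leak into Kconfig.
        os.environ.pop('PLATFORM_PATH', None)

    # ... unchanged: Kconfig load, output directory creation, chdir ...
```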
@@ -208,9 +206,6 @@
tfm_kconfig.load_config(def_config)
logging.info('Load configs from \'{}\''.format(def_config))
- # Change program execution path to the output folder path.
- os.chdir(args.output_path)
-
# UI options
if args.ui == 'tui':
menuconfig.menuconfig(tfm_kconfig)