TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / next / TF-M / trusted-firmware-m / 9ed8987a7c144823f4a4c9453671979da4c51519 / . / config / config_default.cmake
blob: fd0f415328db457a2427f8f79830278d7df1a0a0 [file] [log] [blame]
Raef Coles9ec67e62020-07-10 09:40:35 +0100[diff] [blame]1#-------------------------------------------------------------------------------
Raef Colesdfe519b2021-01-07 12:52:47 +0000[diff] [blame]2# Copyright (c) 2020-2021, Arm Limited. All rights reserved.
Raef Coles9ec67e62020-07-10 09:40:35 +0100[diff] [blame]3#
4# SPDX-License-Identifier: BSD-3-Clause
5#
6#-------------------------------------------------------------------------------
7
Raef Coles69817322020-10-19 14:14:14 +0100[diff] [blame]8set(TFM_TOOLCHAIN_FILE ${CMAKE_SOURCE_DIR}/toolchain_GNUARM.cmake CACHE FILEPATH "Path to TFM compiler toolchain file")
Øyvind Rønningstada9d5eac2021-01-22 14:21:25 +0100[diff] [blame]9set(TFM_PLATFORM "" CACHE STRING "Platform to build TF-M for. Must be either a relative path from [TF-M]/platform/ext/target, or an absolute path.")
Raef Coles69817322020-10-19 14:14:14 +0100[diff] [blame]10set(CROSS_COMPILE arm-none-eabi CACHE STRING "Cross-compilation triplet")
11
Raef Coles9ec67e62020-07-10 09:40:35 +0100[diff] [blame]12set(BL2 ON CACHE BOOL "Whether to build BL2")
13set(NS ON CACHE BOOL "Whether to build NS app")
14
15set(TEST_S OFF CACHE BOOL "Whether to build S regression tests")
16set(TEST_NS OFF CACHE BOOL "Whether to build NS regression tests")
17set(TEST_PSA_API "" CACHE STRING "Which (if any) of the PSA API tests should be compiled")
18
19set(TFM_PSA_API OFF CACHE BOOL "Use PSA api (IPC mode) instead of secure library mode")
20set(TFM_ISOLATION_LEVEL 1 CACHE STRING "Isolation level")
21set(TFM_PROFILE "" CACHE STRING "Profile to use")
Tamas Banb881bea2020-11-04 16:18:36 +0000[diff] [blame]22set(TFM_FIH_PROFILE OFF CACHE STRING "Fault injection hardening profile [OFF, LOW, MEDIUM, HIGH]")
Raef Coles9ec67e62020-07-10 09:40:35 +0100[diff] [blame]23
24set(TFM_NS_CLIENT_IDENTIFICATION OFF CACHE BOOL "Enable NS client identification")
25
26set(TFM_EXTRA_CONFIG_PATH "" CACHE PATH "Path to extra cmake config file")
27set(TFM_EXTRA_MANIFEST_LIST_PATH "" CACHE PATH "Path to extra manifest file, used to declare extra partitions. Appended to standard TFM manifest")
28set(TFM_EXTRA_GENERATED_FILE_LIST_PATH "" CACHE PATH "Path to extra generated file list. Appended to stardard TFM generated file list.")
29
Shawn Shanfffd7ee2020-11-23 18:07:54 +0800[diff] [blame]30set(TFM_SPM_LOG_LEVEL TFM_SPM_LOG_LEVEL_INFO CACHE STRING "Set default SPM log level as INFO level")
Shawn Shan9ea2f802020-11-19 11:04:39 +0800[diff] [blame]31set(TFM_PARTITION_LOG_LEVEL TFM_PARTITION_LOG_LEVEL_INFO CACHE STRING "Set default Secure Partition log level as INFO level")
Shawn Shan6f33aad2020-10-16 15:30:17 +0800[diff] [blame]32
Tamas Banf8b0b2d2020-10-26 13:03:13 +0000[diff] [blame]33set(TFM_CODE_SHARING OFF CACHE PATH "Enable code sharing between MCUboot and secure firmware")
34set(TFM_CODE_SHARING_PATH "" CACHE PATH "Path to repo which shares code with secure firmware")
35
Raef Colesa198a442020-11-24 11:42:53 +0000[diff] [blame]36set(TFM_INSTALL_PATH ${CMAKE_BINARY_DIR}/install CACHE PATH "Path to which to install TF-M files")
37
Karl Zhangf897e9e2021-01-08 17:52:53 +0800[diff] [blame]38set(TFM_CODE_COVERAGE OFF CACHE BOOL "Whether to build the binary for lcov tools by adding -g")
39
Summer Qin2cd2ab72020-04-22 14:55:00 +0800[diff] [blame]40set(TFM_SP_META_PTR_ENABLE OFF CACHE BOOL "Use Partition Metadata Pointer")
41
Summer Qind8395932021-02-25 14:56:49 +0800[diff] [blame]42set(TFM_PXN_ENABLE OFF CACHE BOOL "Use Privileged execute never (PXN)")
43
Raef Coles9ec67e62020-07-10 09:40:35 +0100[diff] [blame]44########################## BL2 #################################################
45
46set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "Whether to combine S and NS into either 1 image, or sign each seperately")
47set(MCUBOOT_EXECUTION_SLOT 1 CACHE STRING "Slot from which to execute the image, used for XIP mode")
48set(MCUBOOT_LOG_LEVEL "INFO" CACHE STRING "Level of logging to use for MCUboot [OFF, ERROR, WARNING, INFO, DEBUG]")
49set(MCUBOOT_HW_KEY ON CACHE BOOL "Whether to embed the entire public key in the image metadata instead of the hash only")
David Vincze0c515de2020-11-25 19:02:57 +0100[diff] [blame]50set(MCUBOOT_UPGRADE_STRATEGY "OVERWRITE_ONLY" CACHE STRING "Upgrade strategy for images")
Raef Coles9ec67e62020-07-10 09:40:35 +0100[diff] [blame]51set(MCUBOOT_MEASURED_BOOT ON CACHE BOOL "Add boot measurement values to boot status. Used for initial attestation token")
52set(MCUBOOT_HW_ROLLBACK_PROT ON CACHE BOOL "Enable security counter validation against non-volatile HW counters")
53set(MCUBOOT_ENC_IMAGES OFF CACHE BOOL "Enable encrypted image upgrade support")
54set(MCUBOOT_ENCRYPT_RSA OFF CACHE BOOL "Use RSA for encrypted image upgrade support")
Tamas Ban1bfc9da2020-07-09 13:55:38 +0100[diff] [blame]55set(MCUBOOT_FIH_PROFILE OFF CACHE STRING "Fault injection hardening profile [OFF, LOW, MEDIUM, HIGH]")
Raef Coles9ec67e62020-07-10 09:40:35 +0100[diff] [blame]56
57# Note - If either SIGNATURE_TYPE or KEY_LEN are changed, the entries for KEY_S
58# and KEY_NS will either have to be updated manually or removed from the cache.
59# `cmake .. -UMCUBOOT_KEY_S -UMCUBOOT_KEY_NS`. Once removed from the cache it
60# will be set to default again.
61set(MCUBOOT_SIGNATURE_TYPE "RSA" CACHE STRING "Algorithm to use for signature validation")
62set(MCUBOOT_SIGNATURE_KEY_LEN 3072 CACHE STRING "Key length to use for signature validation")
63set(MCUBOOT_KEY_S "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}-${MCUBOOT_SIGNATURE_KEY_LEN}.pem" CACHE FILEPATH "Path to key with which to sign secure binary")
64set(MCUBOOT_KEY_NS "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}-${MCUBOOT_SIGNATURE_KEY_LEN}_1.pem" CACHE FILEPATH "Path to key with which to sign non-secure binary")
65
66set(MCUBOOT_IMAGE_VERSION_S ${TFM_VERSION} CACHE STRING "Version number of S image")
67set(MCUBOOT_IMAGE_VERSION_NS 0.0.0 CACHE STRING "Version number of NS image")
68set(MCUBOOT_SECURITY_COUNTER_S "auto" CACHE STRING "Security counter for S image. auto sets it to IMAGE_VERSION_S")
69set(MCUBOOT_SECURITY_COUNTER_NS "auto" CACHE STRING "Security counter for NS image. auto sets it to IMAGE_VERSION_NS")
70set(MCUBOOT_S_IMAGE_MIN_VER 0.0.0+0 CACHE STRING "Minimum version for upgrade of secure image")
71set(MCUBOOT_NS_IMAGE_MIN_VER 0.0.0+0 CACHE STRING "Minimum version for upgrade of non-secure image")
72
73############################ Platform ##########################################
74
75set(TFM_MULTI_CORE_TOPOLOGY OFF CACHE BOOL "Whether to build for a dual-cpu architecture")
David Hu8b526d42020-11-27 20:59:52 +0800[diff] [blame]76set(NUM_MAILBOX_QUEUE_SLOT 1 CACHE BOOL "Number of mailbox queue slots")
David Hu60863942020-10-14 14:49:19 +0800[diff] [blame]77
Raef Coles9ec67e62020-07-10 09:40:35 +0100[diff] [blame]78set(DEBUG_AUTHENTICATION CHIP_DEFAULT CACHE STRING "Debug authentication setting. [CHIP_DEFAULT, NONE, NS_ONLY, FULL")
79set(SECURE_UART1 OFF CACHE BOOL "Enable secure UART1")
80
81set(CRYPTO_HW_ACCELERATOR OFF CACHE BOOL "Whether to enable the crypto hardware accelerator on supported platforms")
82set(CRYPTO_HW_ACCELERATOR_OTP_STATE OFF CACHE STRING "Whether to enable the crypto hardware accelerator OTP memory on supported platforms (Set to PROVISIONING to enable OTP provisioning)")
83
84set(PLATFORM_DUMMY_ATTEST_HAL TRUE CACHE BOOL "Use dummy attest hal implementation. Should not be used in production.")
85set(PLATFORM_DUMMY_NV_COUNTERS TRUE CACHE BOOL "Use dummy nv counter implementation. Should not be used in production.")
86set(PLATFORM_DUMMY_CRYPTO_KEYS TRUE CACHE BOOL "Use dummy crypto keys. Should not be used in production.")
87set(PLATFORM_DUMMY_ROTPK TRUE CACHE BOOL "Use dummy root of trust public key. Dummy key is the public key for the default keys in bl2. Should not be used in production.")
88set(PLATFORM_DUMMY_IAK TRUE CACHE BOOL "Use dummy initial attestation_key. Should not be used in production.")
Gabor Abonyi931622b2020-10-19 15:08:40 +0200[diff] [blame]89set(PLATFORM_DEFAULT_UART_STDOUT TRUE CACHE BOOL "Use default uart stdout implementation.")
Raef Coles9ec67e62020-07-10 09:40:35 +0100[diff] [blame]90
91############################ Partitions ########################################
92
93set(TFM_PARTITION_PROTECTED_STORAGE ON CACHE BOOL "Enable Protected Storage partition")
Jamie Fox865778b2020-10-23 19:52:51 +0100[diff] [blame]94set(PS_CREATE_FLASH_LAYOUT ON CACHE BOOL "Create flash FS if it doesn't exist for Protected Storage partition")
Raef Coles9ec67e62020-07-10 09:40:35 +0100[diff] [blame]95set(PS_ENCRYPTION ON CACHE BOOL "Enable encryption for Protected Storage partition")
96set(PS_RAM_FS OFF CACHE BOOL "Enable emulated RAM FS for platforms that don't have flash for Protected Storage partition")
97set(PS_ROLLBACK_PROTECTION ON CACHE BOOL "Enable rollback protection for Protected Storage partition")
Jamie Fox34a7a232020-10-20 16:19:09 +0100[diff] [blame]98set(PS_VALIDATE_METADATA_FROM_FLASH ON CACHE BOOL "Validate filesystem metadata every time it is read from flash")
Jamie Fox865778b2020-10-23 19:52:51 +0100[diff] [blame]99set(PS_MAX_ASSET_SIZE "2048" CACHE STRING "The maximum asset size to be stored in the Protected Storage area")
100set(PS_NUM_ASSETS "10" CACHE STRING "The maximum number of assets to be stored in the Protected Storage area")
101set(PS_CRYPTO_AEAD_ALG PSA_ALG_GCM CACHE STRING "The AEAD algorithm to use for authenticated encryption in Protected Storage")
Raef Coles9ec67e62020-07-10 09:40:35 +0100[diff] [blame]102
103set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE ON CACHE BOOL "Enable Internal Trusted Storage partition")
Jamie Fox865778b2020-10-23 19:52:51 +0100[diff] [blame]104set(ITS_CREATE_FLASH_LAYOUT ON CACHE BOOL "Create flash FS if it doesn't exist for Internal Trusted Storage partition")
105set(ITS_RAM_FS OFF CACHE BOOL "Enable emulated RAM FS for platforms that don't have flash for Internal Trusted Storage partition")
Jamie Fox34a7a232020-10-20 16:19:09 +0100[diff] [blame]106set(ITS_VALIDATE_METADATA_FROM_FLASH ON CACHE BOOL "Validate filesystem metadata every time it is read from flash")
Jamie Fox865778b2020-10-23 19:52:51 +0100[diff] [blame]107set(ITS_MAX_ASSET_SIZE "512" CACHE STRING "The maximum asset size to be stored in the Internal Trusted Storage area")
108set(ITS_NUM_ASSETS "10" CACHE STRING "The maximum number of assets to be stored in the Internal Trusted Storage area")
Raef Coles9ec67e62020-07-10 09:40:35 +0100[diff] [blame]109set(ITS_BUF_SIZE "" CACHE STRING "Size of the ITS internal data transfer buffer (defaults to ITS_MAX_ASSET_SIZE if not set)")
110
111set(TFM_PARTITION_CRYPTO ON CACHE BOOL "Enable Crypto partition")
Soby Mathew4739c732020-10-07 12:11:05 +0100[diff] [blame]112# CRYPTO_ENGINE_BUF_SIZE needs to be >8KB for EC signing by attest module.
Summer Qine8412b42020-10-15 14:20:21 +0800[diff] [blame]113set(CRYPTO_ENGINE_BUF_SIZE 0x2080 CACHE STRING "Heap size for the crypto backend")
Soby Mathew4739c732020-10-07 12:11:05 +0100[diff] [blame]114set(CRYPTO_CONC_OPER_NUM 8 CACHE STRING "The max number of concurrent operations that can be active (allocated) at any time in Crypto")
115set(CRYPTO_KEY_MODULE_DISABLED FALSE CACHE BOOL "Disable PSA Crypto Key module")
116set(CRYPTO_AEAD_MODULE_DISABLED FALSE CACHE BOOL "Disable PSA Crypto AEAD module")
117set(CRYPTO_MAC_MODULE_DISABLED FALSE CACHE BOOL "Disable PSA Crypto MAC module")
118set(CRYPTO_HASH_MODULE_DISABLED FALSE CACHE BOOL "Disable PSA Crypto Hash module")
119set(CRYPTO_CIPHER_MODULE_DISABLED FALSE CACHE BOOL "Disable PSA Crypto Cipher module")
120set(CRYPTO_GENERATOR_MODULE_DISABLED FALSE CACHE BOOL "Disable PSA Crypto Key Derivation module")
121set(CRYPTO_ASYMMETRIC_MODULE_DISABLED FALSE CACHE BOOL "Disable PSA Crypto Asymmetric key module")
Håkon Øye Amundsen112e48d2021-01-19 15:41:10 +0100[diff] [blame]122set(CRYPTO_KEY_DERIVATION_MODULE_DISABLED FALSE CACHE BOOL "Disable PSA Crypto key derivation module")
Soby Mathew4739c732020-10-07 12:11:05 +0100[diff] [blame]123set(CRYPTO_IOVEC_BUFFER_SIZE 5120 CACHE STRING "Default size of the internal scratch buffer used for PSA FF IOVec allocations")
Raef Coles9ec67e62020-07-10 09:40:35 +0100[diff] [blame]124
125set(TFM_PARTITION_INITIAL_ATTESTATION ON CACHE BOOL "Enable Initial Attestation partition")
126set(SYMMETRIC_INITIAL_ATTESTATION OFF CACHE BOOL "Use symmetric crypto for inital attestation")
127set(ATTEST_INCLUDE_OPTIONAL_CLAIMS ON CACHE BOOL "Include optional claims in initial attestation token")
128set(ATTEST_INCLUDE_COSE_KEY_ID OFF CACHE BOOL "Include COSE key-id in initial attestation token")
129
130set(TFM_PARTITION_PLATFORM ON CACHE BOOL "Enable Platform partition")
131
132set(TFM_PARTITION_AUDIT_LOG ON CACHE BOOL "Enable Audit Log partition")
133
Mark Horvathb9ac0d52020-09-09 10:48:22 +0200[diff] [blame]134set(FORWARD_PROT_MSG OFF CACHE BOOL "Whether to forward all PSA RoT messages to a Secure Enclave")
Sherry Zhang07b42412021-01-07 14:19:41 +0800[diff] [blame]135set(TFM_PARTITION_FIRMWARE_UPDATE OFF CACHE BOOL "Enable firmware update partition")
136set(TFM_FWU_BOOTLOADER_LIB ${CMAKE_SOURCE_DIR}/secure_fw/partitions/firmware_update/bootloader/mcuboot/mcuboot_utilities.cmake CACHE FILEPATH "Bootloader configure file for Firmware Update partition")
Mark Horvathb9ac0d52020-09-09 10:48:22 +0200[diff] [blame]137
Raef Coles9ec67e62020-07-10 09:40:35 +0100[diff] [blame]138################################## Tests #######################################
139
Raef Colesabe4f2c2020-10-02 10:32:35 +0100[diff] [blame]140set(TFM_INTERACTIVE_TEST OFF CACHE BOOL "Enable interactive tests")
Raef Colesc342d5c2020-10-12 10:08:38 +0100[diff] [blame]141set(TFM_IRQ_TEST OFF CACHE BOOL "Enable IRQ tests")
142set(TFM_PERIPH_ACCESS_TEST OFF CACHE BOOL "Enable peripheral access tests")
Raef Colesabe4f2c2020-10-02 10:32:35 +0100[diff] [blame]143
Kevin Peng95b55062020-11-09 11:27:25 +0800[diff] [blame]144set(PS_TEST_NV_COUNTERS ON CACHE BOOL "Use the test NV counters to test Protected Storage rollback scenarios")
Jamie Fox87014842020-10-22 23:28:10 +0100[diff] [blame]145
Raef Coles9ec67e62020-07-10 09:40:35 +0100[diff] [blame]146set(TFM_CRYPTO_TEST_ALG_CBC ON CACHE BOOL "Test CBC cryptography mode")
147set(TFM_CRYPTO_TEST_ALG_CCM ON CACHE BOOL "Test CCM cryptography mode")
148set(TFM_CRYPTO_TEST_ALG_CFB ON CACHE BOOL "Test CFB cryptography mode")
149set(TFM_CRYPTO_TEST_ALG_CTR ON CACHE BOOL "Test CTR cryptography mode")
150set(TFM_CRYPTO_TEST_ALG_GCM ON CACHE BOOL "Test GCM cryptography mode")
151set(TFM_CRYPTO_TEST_ALG_SHA_512 ON CACHE BOOL "Test SHA-512 cryptography algorithm")
152set(TFM_CRYPTO_TEST_HKDF ON CACHE BOOL "Test SHA-512 cryptography algorithm")
153
Sherry Zhang4c697c62021-03-09 16:07:16 +0800[diff] [blame]154set(TFM_FWU_TEST_REQUEST_REBOOT OFF CACHE BOOL "Test psa_fwu_request_reboot")
155set(TFM_FWU_TEST_WRITE_WITH_NULL OFF CACHE BOOL "Test psa_fwu_write with data block NULL")
156set(TFM_FWU_TEST_QUERY_WITH_NULL OFF CACHE BOOL "Test psa_fwu_query with info NULL")
157
Raef Coles9ec67e62020-07-10 09:40:35 +0100[diff] [blame]158################################## Dependencies ################################
159
160set(MBEDCRYPTO_PATH "DOWNLOAD" CACHE PATH "Path to Mbed Crypto (or DOWNLOAD to fetch automatically")
Maulik Patel28659c42021-01-06 14:09:22 +0000[diff] [blame]161set(MBEDCRYPTO_VERSION "mbedtls-2.25.0" CACHE STRING "The version of Mbed Crypto to use")
Øyvind Rønningstad6d3f3df2021-02-10 18:25:56 +0100[diff] [blame]162set(MBEDCRYPTO_GIT_REMOTE "https://github.com/ARMmbed/mbedtls.git" CACHE STRING "The URL (or path) to retrieve MbedTLS from.")
Raef Coles9ec67e62020-07-10 09:40:35 +0100[diff] [blame]163set(MBEDCRYPTO_BUILD_TYPE "${CMAKE_BUILD_TYPE}" CACHE STRING "Build type of Mbed Crypto library")
164set(TFM_MBEDCRYPTO_CONFIG_PATH "${CMAKE_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h" CACHE PATH "Config to use for Mbed Crypto")
165set(TFM_MBEDCRYPTO_PLATFORM_EXTRA_CONFIG_PATH "" CACHE PATH "Config to append to standard Mbed Crypto config, used by platforms to cnfigure feature support")
166
167set(TFM_TEST_REPO_PATH "DOWNLOAD" CACHE PATH "Path to TFM-TEST repo (or DOWNLOAD to fetch automatically")
David Hu9f2c91f2021-02-05 11:33:49 +0800[diff] [blame]168set(TFM_TEST_REPO_VERSION "98adf32d" CACHE STRING "The version of tf-m-tests to use")
Raef Coles9ec67e62020-07-10 09:40:35 +0100[diff] [blame]169set(CMSIS_5_PATH "DOWNLOAD" CACHE PATH "Path to CMSIS_5 (or DOWNLOAD to fetch automatically")
170
171set(MCUBOOT_PATH "DOWNLOAD" CACHE PATH "Path to MCUboot (or DOWNLOAD to fetch automatically")
Sherry Zhang70c865b2021-03-16 18:24:19 +0800[diff] [blame]172set(MCUBOOT_VERSION "v1.7.2" CACHE STRING "The version of MCUboot to use")
Raef Coles9ec67e62020-07-10 09:40:35 +0100[diff] [blame]173
174set(PSA_ARCH_TESTS_PATH "DOWNLOAD" CACHE PATH "Path to PSA arch tests (or DOWNLOAD to fetch automatically")
Salome Thirotd85023f2021-02-04 15:38:27 +0000[diff] [blame]175set(PSA_ARCH_TESTS_VERSION "8644bd0" CACHE STRING "The version of PSA arch tests to use")
David Vincze0c515de2020-11-25 19:02:57 +0100[diff] [blame]176
177################################################################################
178################################################################################
179
180# Specifying the accepted values for certain configuration options to facilitate
181# their later validation.
182
183########################## BL2 #################################################
184
185set_property(CACHE MCUBOOT_UPGRADE_STRATEGY PROPERTY STRINGS "OVERWRITE_ONLY;SWAP;DIRECT_XIP;RAM_LOAD")
Tamas Banb881bea2020-11-04 16:18:36 +0000[diff] [blame]186
187########################## FIH #################################################
188
189set_property(CACHE TFM_FIH_PROFILE PROPERTY STRINGS "OFF;LOW;MEDIUM;HIGH")