Build: Move MCUboot configs to bl2 specific config file
Move MCUboot configurations to bl2 path to clean config_default.
Signed-off-by: Jianliang Shen <jianliang.shen@arm.com>
Change-Id: I09ffbb800d6e5957032b04e6f6034c897160f6af
diff --git a/bl2/ext/mcuboot/mcuboot_default_config.cmake b/bl2/ext/mcuboot/mcuboot_default_config.cmake
new file mode 100644
index 0000000..08a5df6
--- /dev/null
+++ b/bl2/ext/mcuboot/mcuboot_default_config.cmake
@@ -0,0 +1,47 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+
+########################## MCUBoot #############################################
+
+set(DEFAULT_MCUBOOT_SECURITY_COUNTERS ON CACHE BOOL "Whether to use the default security counter configuration defined by TF-M project")
+set(DEFAULT_MCUBOOT_FLASH_MAP ON CACHE BOOL "Whether to use the default flash map defined by TF-M project")
+
+set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "Whether to combine S and NS into either 1 image, or sign each seperately")
+set(MCUBOOT_EXECUTION_SLOT 1 CACHE STRING "Slot from which to execute the image, used for XIP mode")
+set(MCUBOOT_LOG_LEVEL "INFO" CACHE STRING "Level of logging to use for MCUboot [OFF, ERROR, WARNING, INFO, DEBUG]")
+set(MCUBOOT_HW_KEY ON CACHE BOOL "Whether to embed the entire public key in the image metadata instead of the hash only")
+set(MCUBOOT_UPGRADE_STRATEGY "OVERWRITE_ONLY" CACHE STRING "Upgrade strategy for images")
+
+# Specifying a scope of the accepted values of MCUBOOT_UPGRADE_STRATEGY for
+# platforms to choose a specific upgrade strategy for images. These certain
+# configurations will be used to facilitate the later validation.
+set_property(CACHE MCUBOOT_UPGRADE_STRATEGY PROPERTY STRINGS "OVERWRITE_ONLY;SWAP;DIRECT_XIP;RAM_LOAD")
+
+set(MCUBOOT_DIRECT_XIP_REVERT ON CACHE BOOL "Enable the revert mechanism in direct-xip mode")
+set(MCUBOOT_MEASURED_BOOT ON CACHE BOOL "Add boot measurement values to boot status. Used for initial attestation token")
+set(MCUBOOT_HW_ROLLBACK_PROT ON CACHE BOOL "Enable security counter validation against non-volatile HW counters")
+set(MCUBOOT_ENC_IMAGES OFF CACHE BOOL "Enable encrypted image upgrade support")
+set(MCUBOOT_ENCRYPT_RSA OFF CACHE BOOL "Use RSA for encrypted image upgrade support")
+set(MCUBOOT_FIH_PROFILE OFF CACHE STRING "Fault injection hardening profile [OFF, LOW, MEDIUM, HIGH]")
+
+# Note - If either SIGNATURE_TYPE or KEY_LEN are changed, the entries for KEY_S
+# and KEY_NS will either have to be updated manually or removed from the cache.
+# `cmake .. -UMCUBOOT_KEY_S -UMCUBOOT_KEY_NS`. Once removed from the cache it
+# will be set to default again.
+set(MCUBOOT_SIGNATURE_TYPE "RSA" CACHE STRING "Algorithm to use for signature validation")
+set(MCUBOOT_SIGNATURE_KEY_LEN 3072 CACHE STRING "Key length to use for signature validation")
+set(MCUBOOT_KEY_S "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}-${MCUBOOT_SIGNATURE_KEY_LEN}.pem" CACHE FILEPATH "Path to key with which to sign secure binary")
+set(MCUBOOT_KEY_NS "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}-${MCUBOOT_SIGNATURE_KEY_LEN}_1.pem" CACHE FILEPATH "Path to key with which to sign non-secure binary")
+
+set(MCUBOOT_IMAGE_VERSION_S ${TFM_VERSION} CACHE STRING "Version number of S image")
+set(MCUBOOT_IMAGE_VERSION_NS 0.0.0 CACHE STRING "Version number of NS image")
+set(MCUBOOT_SECURITY_COUNTER_S "auto" CACHE STRING "Security counter for S image. auto sets it to IMAGE_VERSION_S")
+set(MCUBOOT_SECURITY_COUNTER_NS "auto" CACHE STRING "Security counter for NS image. auto sets it to IMAGE_VERSION_NS")
+set(MCUBOOT_S_IMAGE_MIN_VER 0.0.0+0 CACHE STRING "Minimum version of secure image required by the non-secure image for upgrade to this non-secure image. If MCUBOOT_IMAGE_NUMBER == 1 this option has no effect")
+set(MCUBOOT_NS_IMAGE_MIN_VER 0.0.0+0 CACHE STRING "Minimum version of non-secure image required by the secure image for upgrade to this secure image. If MCUBOOT_IMAGE_NUMBER == 1 this option has no effect")
+
+set(MCUBOOT_MBEDCRYPTO_CONFIG_FILEPATH "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/config/mcuboot-mbedtls-cfg.h" CACHE FILEPATH "Mbedtls config file to use with MCUboot")
diff --git a/config/check_config.cmake b/config/check_config.cmake
index 4204200..2ac6380 100644
--- a/config/check_config.cmake
+++ b/config/check_config.cmake
@@ -52,7 +52,7 @@
########################## BL2 #################################################
get_property(MCUBOOT_STRATEGY_LIST CACHE MCUBOOT_UPGRADE_STRATEGY PROPERTY STRINGS)
-tfm_invalid_config(NOT MCUBOOT_UPGRADE_STRATEGY IN_LIST MCUBOOT_STRATEGY_LIST)
+tfm_invalid_config(BL2 AND (NOT MCUBOOT_UPGRADE_STRATEGY IN_LIST MCUBOOT_STRATEGY_LIST))
####################### Code sharing ###########################################
diff --git a/config/config_default.cmake b/config/config_default.cmake
index b21f938..09db32e 100644
--- a/config/config_default.cmake
+++ b/config/config_default.cmake
@@ -46,41 +46,6 @@
set(TFM_EXCEPTION_INFO_DUMP OFF CACHE BOOL "On fatal errors in the secure firmware, capture info about the exception. Print the info if the SPM log level is sufficient.")
-########################## BL2 #################################################
-
-set(DEFAULT_MCUBOOT_SECURITY_COUNTERS ON CACHE BOOL "Whether to use the default security counter configuration defined by TF-M project")
-set(DEFAULT_MCUBOOT_FLASH_MAP ON CACHE BOOL "Whether to use the default flash map defined by TF-M project")
-
-set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "Whether to combine S and NS into either 1 image, or sign each seperately")
-set(MCUBOOT_EXECUTION_SLOT 1 CACHE STRING "Slot from which to execute the image, used for XIP mode")
-set(MCUBOOT_LOG_LEVEL "INFO" CACHE STRING "Level of logging to use for MCUboot [OFF, ERROR, WARNING, INFO, DEBUG]")
-set(MCUBOOT_HW_KEY ON CACHE BOOL "Whether to embed the entire public key in the image metadata instead of the hash only")
-set(MCUBOOT_UPGRADE_STRATEGY "OVERWRITE_ONLY" CACHE STRING "Upgrade strategy for images")
-set(MCUBOOT_DIRECT_XIP_REVERT ON CACHE BOOL "Enable the revert mechanism in direct-xip mode")
-set(MCUBOOT_MEASURED_BOOT ON CACHE BOOL "Add boot measurement values to boot status. Used for initial attestation token")
-set(MCUBOOT_HW_ROLLBACK_PROT ON CACHE BOOL "Enable security counter validation against non-volatile HW counters")
-set(MCUBOOT_ENC_IMAGES OFF CACHE BOOL "Enable encrypted image upgrade support")
-set(MCUBOOT_ENCRYPT_RSA OFF CACHE BOOL "Use RSA for encrypted image upgrade support")
-set(MCUBOOT_FIH_PROFILE OFF CACHE STRING "Fault injection hardening profile [OFF, LOW, MEDIUM, HIGH]")
-
-# Note - If either SIGNATURE_TYPE or KEY_LEN are changed, the entries for KEY_S
-# and KEY_NS will either have to be updated manually or removed from the cache.
-# `cmake .. -UMCUBOOT_KEY_S -UMCUBOOT_KEY_NS`. Once removed from the cache it
-# will be set to default again.
-set(MCUBOOT_SIGNATURE_TYPE "RSA" CACHE STRING "Algorithm to use for signature validation")
-set(MCUBOOT_SIGNATURE_KEY_LEN 3072 CACHE STRING "Key length to use for signature validation")
-set(MCUBOOT_KEY_S "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}-${MCUBOOT_SIGNATURE_KEY_LEN}.pem" CACHE FILEPATH "Path to key with which to sign secure binary")
-set(MCUBOOT_KEY_NS "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}-${MCUBOOT_SIGNATURE_KEY_LEN}_1.pem" CACHE FILEPATH "Path to key with which to sign non-secure binary")
-
-set(MCUBOOT_IMAGE_VERSION_S ${TFM_VERSION} CACHE STRING "Version number of S image")
-set(MCUBOOT_IMAGE_VERSION_NS 0.0.0 CACHE STRING "Version number of NS image")
-set(MCUBOOT_SECURITY_COUNTER_S "auto" CACHE STRING "Security counter for S image. auto sets it to IMAGE_VERSION_S")
-set(MCUBOOT_SECURITY_COUNTER_NS "auto" CACHE STRING "Security counter for NS image. auto sets it to IMAGE_VERSION_NS")
-set(MCUBOOT_S_IMAGE_MIN_VER 0.0.0+0 CACHE STRING "Minimum version of secure image required by the non-secure image for upgrade to this non-secure image. If MCUBOOT_IMAGE_NUMBER == 1 this option has no effect")
-set(MCUBOOT_NS_IMAGE_MIN_VER 0.0.0+0 CACHE STRING "Minimum version of non-secure image required by the secure image for upgrade to this secure image. If MCUBOOT_IMAGE_NUMBER == 1 this option has no effect")
-
-set(MCUBOOT_MBEDCRYPTO_CONFIG_FILEPATH "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/config/mcuboot-mbedtls-cfg.h" CACHE FILEPATH "Mbedtls config file to use with MCUboot")
-
############################ Platform ##########################################
set(TFM_MULTI_CORE_TOPOLOGY OFF CACHE BOOL "Whether to build for a dual-cpu architecture")
@@ -170,10 +135,6 @@
# Specifying the accepted values for certain configuration options to facilitate
# their later validation.
-########################## BL2 #################################################
-
-set_property(CACHE MCUBOOT_UPGRADE_STRATEGY PROPERTY STRINGS "OVERWRITE_ONLY;SWAP;DIRECT_XIP;RAM_LOAD")
-
########################## FIH #################################################
set_property(CACHE TFM_FIH_PROFILE PROPERTY STRINGS "OFF;LOW;MEDIUM;HIGH")
diff --git a/config/set_config.cmake b/config/set_config.cmake
index 63a7bc7..9cb3cff 100644
--- a/config/set_config.cmake
+++ b/config/set_config.cmake
@@ -50,6 +50,11 @@
# Load defaults, setting options not already set
include(config/config_default.cmake)
+# Load MCUboot specific default.cmake
+if (BL2)
+ include(${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/mcuboot_default_config.cmake)
+endif()
+
# Fetch tf-m-tests repo during config, if NS or regression test is required.
# Therefore tf-m-tests configs can be set with TF-M configs since their configs
# are coupled.