Build: Change config_default to build minimum.

- disable all partitions
- default SPM backend is SFN
- set log level to silent
- adjust platform's CMake scripts
  - to include accelerator conditionally
  - enable partitions required for some platform

Signed-off-by: Anton Komlev <anton.komlev@arm.com>
Change-Id: Icc36078c396e3a94a91fdf93d7f1bd5a46dc0d69
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 417b7d7..380168b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -55,12 +55,6 @@
     set(TFM_INSTALL_PATH  ${CMAKE_INSTALL_PREFIX} CACHE PATH  "Path to which to install TF-M files" FORCE)
 endif()
 
-############################ Config Check ######################################
-
-include(${CMAKE_SOURCE_DIR}/config/check_config.cmake)
-
-################################################################################
-
 add_subdirectory(lib/ext)
 add_subdirectory(lib/fih)
 add_subdirectory(tools)
@@ -88,4 +82,10 @@
     add_subdirectory(platform/ext/accelerator)
 endif()
 
+############################ Config Check ######################################
+
+include(${CMAKE_SOURCE_DIR}/config/check_config.cmake)
+
+################################################################################
+
 include(cmake/install.cmake)
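Review bot: With `include(${CMAKE_SOURCE_DIR}/config/check_config.cmake)` moved below the `add_subdirectory()` calls, an invalid option combination is only rejected after the subdirectories have been configured, so a bad configuration may first surface as an unrelated error from one of them. If the late position is required (presumably because a subdirectory still finalises options the check reads), say so under the banner, e.g. `# Must run after all add_subdirectory() calls: they may still set options checked here`. Otherwise keeping the check before the first `add_subdirectory()` fails faster.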
diff --git a/config/config_default.cmake b/config/config_default.cmake
index 4cfd886..dd085d2 100755
--- a/config/config_default.cmake
+++ b/config/config_default.cmake
@@ -27,7 +27,13 @@
 set(TFM_PROFILE                         ""          CACHE STRING    "Profile to use")
 set(TFM_FIH_PROFILE                     OFF         CACHE STRING    "Fault injection hardening profile [OFF, LOW, MEDIUM, HIGH]")
 set(CONFIG_TFM_CONN_HANDLE_MAX_NUM      8           CACHE STRING    "The maximal number of secure services that are connected or requested at the same time")
+
+# If isolation level is overwritten in the command line
+if (TFM_ISOLATION_LEVEL EQUAL 1)
+set(CONFIG_TFM_SPM_BACKEND              "SFN"       CACHE STRING    "The SPM backend [IPC, SFN]")
+else()
 set(CONFIG_TFM_SPM_BACKEND              "IPC"       CACHE STRING    "The SPM backend [IPC, SFN]")
+endif()
 
 # An NSPE client_id is provided by the NSPE OS via the SPM or directly by the SPM.
 # When `TFM_NS_MANAGE_NSID` is `ON`, TF-M supports NSPE OS providing NSPE client_id.
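Review bot: The comment `# If isolation level is overwritten in the command line` does not describe the test below it: `if (TFM_ISOLATION_LEVEL EQUAL 1)` selects SFN for level 1 and IPC for everything else, including the case where `TFM_ISOLATION_LEVEL` is not yet defined at this point (its definition is not visible in this hunk). The commit message promises SFN as the default, which only holds if the level is already set to 1 earlier in the file. I would reword the comment to something like `# SFN is the default backend at isolation level 1; any other level falls back to IPC`, and indent the two `set()` calls inside the `if`/`else`.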
@@ -40,8 +46,8 @@
 set(TFM_EXTRA_GENERATED_FILE_LIST_PATH  ""          CACHE PATH      "Path to extra generated file list. Appended to stardard TFM generated file list.")
 set(TFM_EXTRA_PARTITION_PATHS           ""          CACHE PATH      "List of extra Secure Partitions directories. An extra Secure Parition folder contains source code, CMakeLists.txt and manifest files")
 
-set(TFM_SPM_LOG_LEVEL                   TFM_SPM_LOG_LEVEL_INFO          CACHE STRING    "Set default SPM log level as INFO level")
-set(TFM_PARTITION_LOG_LEVEL             TFM_PARTITION_LOG_LEVEL_INFO    CACHE STRING    "Set default Secure Partition log level as INFO level")
+set(TFM_SPM_LOG_LEVEL                   TFM_SPM_LOG_LEVEL_SILENCE       CACHE STRING    "Set default SPM log level as INFO level")
+set(TFM_PARTITION_LOG_LEVEL             TFM_PARTITION_LOG_LEVEL_SILENCE   CACHE STRING    "Set default Secure Partition log level as INFO level")
 
 set(TFM_CODE_SHARING                    OFF         CACHE PATH      "Enable code sharing between MCUboot and secure firmware")
 set(CONFIG_TFM_BOOT_STORE_MEASUREMENTS  ON          CACHE BOOL      "Store measurement values from all the boot stages. Used for initial attestation token.")
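Review bot: Both changed `set()` lines still carry the help strings `"Set default SPM log level as INFO level"` and `"Set default Secure Partition log level as INFO level"` although the value is now `..._SILENCE`, so the text shown in cmake-gui/ccmake contradicts the actual default. Change them to `"Set default SPM log level as SILENCE level"` and `"Set default Secure Partition log level as SILENCE level"`. Since a silent default also removes SPM and partition log output from builds that relied on it, a short comment above the two lines pointing at how to re-enable logging would help whoever has to debug a secure-side fault.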
@@ -103,7 +109,7 @@
 set(BL2_TRAILER_SIZE                    0x000       CACHE STRING    "BL2 Trailer size")
 
 ############################ Partitions ########################################
-set(TFM_PARTITION_PROTECTED_STORAGE     ON          CACHE BOOL      "Enable Protected Storage partition")
+set(TFM_PARTITION_PROTECTED_STORAGE     OFF          CACHE BOOL      "Enable Protected Storage partition")
 set(PS_CREATE_FLASH_LAYOUT              ON          CACHE BOOL      "Create flash FS if it doesn't exist for Protected Storage partition")
 set(PS_ENCRYPTION                       ON          CACHE BOOL      "Enable encryption for Protected Storage partition")
 set(PS_RAM_FS                           OFF         CACHE BOOL      "Enable emulated RAM FS for platforms that don't have flash for Protected Storage partition")
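Review bot: Flipping `TFM_PARTITION_PROTECTED_STORAGE` to `OFF` here, and likewise `TFM_PARTITION_INTERNAL_TRUSTED_STORAGE`, `TFM_PARTITION_CRYPTO`, `TFM_PARTITION_INITIAL_ATTESTATION` and `TFM_PARTITION_PLATFORM` in the following four hunks, means any platform or downstream build that relied on the old defaults now silently produces an image without storage, crypto and attestation services. Only a handful of platform configs are updated in this commit, so a comment under the `Partitions` banner is worth adding, for example `# All partitions are OFF by default; enable them in the platform config, a profile or on the command line`. The new values are also written with one space too many after `OFF`, which pushes `CACHE` one column out of line with the neighbouring entries.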
@@ -114,7 +120,7 @@
 set(PS_CRYPTO_AEAD_ALG                  PSA_ALG_GCM CACHE STRING    "The AEAD algorithm to use for authenticated encryption in Protected Storage")
 set(PS_STACK_SIZE                       "0x700"     CACHE STRING    "The stack size of the Protected Storage Secure Partition")
 
-set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE ON       CACHE BOOL      "Enable Internal Trusted Storage partition")
+set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE OFF       CACHE BOOL      "Enable Internal Trusted Storage partition")
 set(ITS_CREATE_FLASH_LAYOUT             ON          CACHE BOOL      "Create flash FS if it doesn't exist for Internal Trusted Storage partition")
 set(ITS_RAM_FS                          OFF         CACHE BOOL      "Enable emulated RAM FS for platforms that don't have flash for Internal Trusted Storage partition")
 set(ITS_VALIDATE_METADATA_FROM_FLASH    ON          CACHE BOOL      "Validate filesystem metadata every time it is read from flash")
@@ -123,7 +129,7 @@
 set(ITS_BUF_SIZE                        ""          CACHE STRING    "Size of the ITS internal data transfer buffer (defaults to ITS_MAX_ASSET_SIZE if not set)")
 set(ITS_STACK_SIZE                      "0x720"     CACHE STRING    "The stack size of the Internal Trusted Storage Secure Partition")
 
-set(TFM_PARTITION_CRYPTO                ON          CACHE BOOL      "Enable Crypto partition")
+set(TFM_PARTITION_CRYPTO                OFF          CACHE BOOL      "Enable Crypto partition")
 # CRYPTO_ENGINE_BUF_SIZE needs to be >8KB for EC signing by attest module.
 set(CRYPTO_ENGINE_BUF_SIZE              0x2080      CACHE STRING    "Heap size for the crypto backend")
 set(CRYPTO_CONC_OPER_NUM                8           CACHE STRING    "The max number of concurrent operations that can be active (allocated) at any time in Crypto")
@@ -142,7 +148,7 @@
 set(CRYPTO_TFM_BUILTIN_KEYS_DRIVER      ON          CACHE BOOL      "Whether to allow crypto service to store builtin keys. Without this, ALL builtin keys must be stored in a platform-specific location")
 set(CRYPTO_STACK_SIZE                   "0x1B00"    CACHE STRING    "The stack size of the Crypto Secure Partition")
 
-set(TFM_PARTITION_INITIAL_ATTESTATION   ON          CACHE BOOL      "Enable Initial Attestation partition")
+set(TFM_PARTITION_INITIAL_ATTESTATION   OFF          CACHE BOOL      "Enable Initial Attestation partition")
 set(SYMMETRIC_INITIAL_ATTESTATION       OFF         CACHE BOOL      "Use symmetric crypto for inital attestation")
 set(ATTEST_INCLUDE_OPTIONAL_CLAIMS      ON          CACHE BOOL      "Include optional claims in initial attestation token")
 set(ATTEST_INCLUDE_COSE_KEY_ID          OFF         CACHE BOOL      "Include COSE key-id in initial attestation token")
@@ -151,7 +157,7 @@
 set(ATTEST_INCLUDE_TEST_CODE            OFF         CACHE BOOL      "Include minimal development tests in the initial attestation regression test suite")
 set(ATTEST_KEY_BITS                     256         CACHE STRING    "The size of the initial attestation key in bits")
 
-set(TFM_PARTITION_PLATFORM              ON          CACHE BOOL      "Enable Platform partition")
+set(TFM_PARTITION_PLATFORM              OFF          CACHE BOOL      "Enable Platform partition")
 set(PLATFORM_SERVICE_INPUT_BUFFER_SIZE  64          CACHE STRING    "Size of input buffer in platform service.")
 set(PLATFORM_SERVICE_OUTPUT_BUFFER_SIZE 64          CACHE STRING    "Size of output buffer in platform service.")
 set(PLATFORM_SP_STACK_SIZE              "0x500"     CACHE STRING    "The stack size of the TF-M Platform Secure Partition")
diff --git a/config/profile/profile_large.cmake b/config/profile/profile_large.cmake
index 5801157..e5fb0d0 100644
--- a/config/profile/profile_large.cmake
+++ b/config/profile/profile_large.cmake
@@ -28,3 +28,5 @@
 
 set(TFM_MBEDCRYPTO_CONFIG_PATH              "${CMAKE_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h" CACHE PATH "Config to use for Mbed Crypto")
 set(TFM_MBEDCRYPTO_PSA_CRYPTO_CONFIG_PATH   "${CMAKE_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/crypto_config_profile_large.h" CACHE PATH "Config to use psa crypto setting for Mbed Crypto.")
+
+set(CONFIG_TFM_SPM_BACKEND          "IPC"       CACHE STRING    "The SPM backend [IPC, SFN]")
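Review bot: The added `set(CONFIG_TFM_SPM_BACKEND "IPC" ...)` has no comment saying why this profile pins IPC, and the same line is added to profile_medium.cmake. If these profiles select an isolation level above 1 (not visible in this hunk), the new `if (TFM_ISOLATION_LEVEL EQUAL 1)` / `else()` in config_default.cmake would already resolve to IPC and the line is redundant. If they do not, the reason deserves a line such as `# This profile requires the IPC backend; the common default may resolve to SFN`.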
diff --git a/config/profile/profile_medium.cmake b/config/profile/profile_medium.cmake
index 99687cc..26b1233 100644
--- a/config/profile/profile_medium.cmake
+++ b/config/profile/profile_medium.cmake
@@ -20,3 +20,5 @@
 
 set(TFM_MBEDCRYPTO_CONFIG_PATH              "${CMAKE_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h" CACHE PATH "Config to use for Mbed Crypto")
 set(TFM_MBEDCRYPTO_PSA_CRYPTO_CONFIG_PATH   "${CMAKE_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/crypto_config_profile_medium.h" CACHE PATH "Config to use psa crypto setting for Mbed Crypto.")
+
+set(CONFIG_TFM_SPM_BACKEND          "IPC"       CACHE STRING    "The SPM backend [IPC, SFN]")
diff --git a/config/set_config.cmake b/config/set_config.cmake
index 804dbff..e563ed8 100644
--- a/config/set_config.cmake
+++ b/config/set_config.cmake
@@ -60,13 +60,6 @@
 
 include(${CMAKE_SOURCE_DIR}/config/tfm_build_log_config.cmake)
 
-# Load TF-M model specific default config
-if (CONFIG_TFM_SPM_BACKEND STREQUAL "SFN")
-    include(config/tfm_sfn_config_default.cmake)
-else() #The default backend is IPC
-    include(config/tfm_ipc_config_default.cmake)
-endif()
-
 # Load bl1 config
 if (BL1 AND PLATFORM_DEFAULT_BL1)
     include(${CMAKE_SOURCE_DIR}/bl1/config/bl1_config_default.cmake)
@@ -86,6 +79,13 @@
 # Load defaults, setting options not already set
 include(config/config_default.cmake)
 
+# Load TF-M model specific default config
+if (CONFIG_TFM_SPM_BACKEND STREQUAL "SFN")
+    include(config/tfm_sfn_config_default.cmake)
+else() #The default backend is IPC
+    include(config/tfm_ipc_config_default.cmake)
+endif()
+
 # Fetch tf-m-tests repo during config, if NS or regression test is required.
 # Therefore tf-m-tests configs can be set with TF-M configs since their configs
 # are coupled.
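Review bot: Loading `tfm_sfn_config_default.cmake` / `tfm_ipc_config_default.cmake` after `config/config_default.cmake` reverses their precedence: `set(... CACHE ...)` without `FORCE` keeps the first value written, so any option defined in both places now takes the generic default instead of the backend-specific one. Whether such overlaps exist is not visible here, so please confirm and extend the comment, e.g. `# Loaded after config_default.cmake because CONFIG_TFM_SPM_BACKEND gets its default there; options already set above are not overridden`. Note also that the `else()` branch treats every value other than `"SFN"` as IPC, including a misspelt backend name.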
diff --git a/platform/CMakeLists.txt b/platform/CMakeLists.txt
index 0f0fc1c..db47177 100755
--- a/platform/CMakeLists.txt
+++ b/platform/CMakeLists.txt
@@ -103,8 +103,8 @@
     PRIVATE
         psa_interface
         tfm_partition_defs
-        platform_crypto_keys
         tfm_spm_defs # For tfm_spm_log.h
+        $<$<BOOL:${TFM_PARTITION_CRYPTO}>:platform_crypto_keys>
         $<$<BOOL:${PLATFORM_DEFAULT_ATTEST_HAL}>:tfm_sprt>
         $<$<BOOL:${TFM_PARTITION_CRYPTO}>:crypto_service_mbedcrypto>
         $<$<BOOL:${TFM_PARTITION_INITIAL_ATTESTATION}>:tfm_attestation_defs>
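Review bot: `$<$<BOOL:${TFM_PARTITION_CRYPTO}>:platform_crypto_keys>` is placed two entries above the existing `$<$<BOOL:${TFM_PARTITION_CRYPTO}>:crypto_service_mbedcrypto>`; keeping the two entries gated by the same option next to each other makes the dependency on the Crypto partition easier to see. The enclosing `target_link_libraries()` call starts and ends outside this hunk, so I cannot tell whether the platform sources that use the key-loading API are gated on the same option. If they are not, builds with Crypto disabled would fail at link time.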
diff --git a/platform/ext/target/arm/corstone1000/config.cmake b/platform/ext/target/arm/corstone1000/config.cmake
index c8af4ea..d7585ea 100644
--- a/platform/ext/target/arm/corstone1000/config.cmake
+++ b/platform/ext/target/arm/corstone1000/config.cmake
@@ -27,8 +27,12 @@
 set(CONFIG_TFM_USE_TRUSTZONE            OFF        CACHE BOOL     "Enable use of TrustZone to transition between NSPE and SPE")
 set(TFM_MULTI_CORE_TOPOLOGY             ON         CACHE BOOL     "Whether to build for a dual-cpu architecture")
 set(TFM_PLAT_SPECIFIC_MULTI_CORE_COMM   ON         CACHE BOOL     "Whether to use a platform specific inter core communication instead of mailbox in dual-cpu topology")
-set(CRYPTO_HW_ACCELERATOR               ON         CACHE BOOL     "Whether to enable the crypto hardware accelerator on supported platforms")
-set(CRYPTO_NV_SEED                      OFF        CACHE BOOL     "Use stored NV seed to provide entropy")
+
+if(TFM_PARTITION_CRYPTO)
+    set(CRYPTO_HW_ACCELERATOR           ON          CACHE BOOL      "Whether to enable the crypto hardware accelerator on supported platforms")
+    set(CRYPTO_NV_SEED                  OFF         CACHE BOOL      "Use stored NV seed to provide entropy")
+endif()
+
 set(TFM_CRYPTO_TEST_ALG_CFB             OFF        CACHE BOOL     "Test CFB cryptography mode")
 set(NS                                  FALSE      CACHE BOOL     "Whether to build NS app")
 set(EXTERNAL_SYSTEM_SUPPORT             OFF        CACHE BOOL     "Whether to include external system support.")
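Review bot: The new `if(TFM_PARTITION_CRYPTO)` guard is evaluated when this platform file is read, so it depends on `TFM_PARTITION_CRYPTO` already being defined at that moment. If the option is only set later (for example by a profile or by config_default.cmake, whose load order relative to this file is not visible here), the block is skipped and `CRYPTO_HW_ACCELERATOR` and `CRYPTO_NV_SEED` silently fall back to the generic defaults, which changes the crypto backend and the entropy source of the image. The same guard is added for musca_b1, musca_s1, nucleo_l552ze_q and stm32l562e_dk (the latter two also move `MBEDCRYPTO_BUILD_TYPE` under it). A comment such as `# TFM_PARTITION_CRYPTO must be set before this file is loaded (command line or earlier config)` would document the assumption.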
diff --git a/platform/ext/target/arm/musca_b1/config.cmake b/platform/ext/target/arm/musca_b1/config.cmake
index 9a25d15..6e747db 100644
--- a/platform/ext/target/arm/musca_b1/config.cmake
+++ b/platform/ext/target/arm/musca_b1/config.cmake
@@ -14,12 +14,15 @@
 set(CONFIG_TFM_USE_TRUSTZONE            ON          CACHE BOOL      "Enable use of TrustZone to transition between NSPE and SPE")
 set(TFM_MULTI_CORE_TOPOLOGY             OFF         CACHE BOOL      "Whether to build for a dual-cpu architecture")
 
-set(CRYPTO_HW_ACCELERATOR               ON          CACHE BOOL      "Whether to enable the crypto hardware accelerator on supported platforms")
-set(CRYPTO_NV_SEED                      OFF         CACHE BOOL      "Use stored NV seed to provide entropy")
 set(MCUBOOT_DATA_SHARING                ON         CACHE BOOL      "Add sharing of application specific data using the same shared data area as for the measured boot")
 set(PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT ON        CACHE BOOL      "Platform supports firmware update, such as network connectivities and bootloader support")
 set(TFM_PARTITION_FIRMWARE_UPDATE       ON         CACHE BOOL      "Enable firmware update partition")
 
+if(TFM_PARTITION_CRYPTO)
+    set(CRYPTO_HW_ACCELERATOR           ON          CACHE BOOL      "Whether to enable the crypto hardware accelerator on supported platforms")
+    set(CRYPTO_NV_SEED                  OFF         CACHE BOOL      "Use stored NV seed to provide entropy")
+endif()
+
 set(TFM_EXTRA_GENERATED_FILE_LIST_PATH  ${CMAKE_SOURCE_DIR}/platform/ext/target/arm/musca_b1/generated_file_list.yaml  CACHE PATH "Path to extra generated file list. Appended to stardard TFM generated file list." FORCE)
 
 set(PSA_API_TEST_TARGET                 "musca_b1"   CACHE STRING    "Target to use when building the PSA API tests")
diff --git a/platform/ext/target/arm/musca_s1/config.cmake b/platform/ext/target/arm/musca_s1/config.cmake
index 59d2715..d081f9c 100644
--- a/platform/ext/target/arm/musca_s1/config.cmake
+++ b/platform/ext/target/arm/musca_s1/config.cmake
@@ -7,8 +7,11 @@
 #
 #-------------------------------------------------------------------------------
 
-set(CRYPTO_HW_ACCELERATOR               ON          CACHE BOOL      "Whether to enable the crypto hardware accelerator on supported platforms")
-set(CRYPTO_NV_SEED                      OFF         CACHE BOOL      "Use stored NV seed to provide entropy")
+if(TFM_PARTITION_CRYPTO)
+    set(CRYPTO_HW_ACCELERATOR           ON          CACHE BOOL      "Whether to enable the crypto hardware accelerator on supported platforms")
+    set(CRYPTO_NV_SEED                  OFF         CACHE BOOL      "Use stored NV seed to provide entropy")
+endif()
+
 set(TFM_CRYPTO_TEST_ALG_CFB             OFF         CACHE BOOL      "Test CFB cryptography mode")
 set(PLATFORM_GPLED_ENABLED              OFF         CACHE BOOL      "Use the general purpose LEDs on the platform board")
 
diff --git a/platform/ext/target/cypress/psoc64/config.cmake b/platform/ext/target/cypress/psoc64/config.cmake
index a40661b..c2e28db 100644
--- a/platform/ext/target/cypress/psoc64/config.cmake
+++ b/platform/ext/target/cypress/psoc64/config.cmake
@@ -20,6 +20,10 @@
 set(NUM_MAILBOX_QUEUE_SLOT              4           CACHE BOOL      "Number of mailbox queue slots")
 set(PLATFORM_SLIH_IRQ_TEST_SUPPORT      ON          CACHE BOOL      "Platform supports SLIH IRQ tests")
 set(PLATFORM_FLIH_IRQ_TEST_SUPPORT      ON          CACHE BOOL      "Platform supports FLIH IRQ tests")
+set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE ON       CACHE BOOL      "Enable Internal Trusted Storage partition")
+set(TFM_PARTITION_PROTECTED_STORAGE     ON          CACHE BOOL      "Enable Protected Storage partition")
+set(TFM_PARTITION_PLATFORM              ON          CACHE BOOL      "Enable Platform partition")
+set(TFM_PARTITION_CRYPTO                ON          CACHE BOOL      "Enable Crypto partition")
 
 ################################## Dependencies ################################
 
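Review bot: The four added `TFM_PARTITION_*` lines carry no comment saying why this platform turns the partitions on, and the same applies to the two lines added in b_u585i_iot02a/config.cmake. Now that the common default is OFF, a reader cannot tell whether these are hard requirements of the platform code or just a preferred configuration, and as plain cache defaults they are still overridden by `-DTFM_PARTITION_CRYPTO=OFF` on the command line. If they are requirements, a line such as `# Required by the platform code; the common default is OFF` (or a check that rejects the OFF case) would make the intent explicit.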
diff --git a/platform/ext/target/stm/b_u585i_iot02a/config.cmake b/platform/ext/target/stm/b_u585i_iot02a/config.cmake
index 7b20320..7f770b3 100644
--- a/platform/ext/target/stm/b_u585i_iot02a/config.cmake
+++ b/platform/ext/target/stm/b_u585i_iot02a/config.cmake
@@ -22,6 +22,8 @@
 set(MCUBOOT_ENC_IMAGES                  ON          CACHE BOOL      "Enable encrypted image upgrade support")
 set(MCUBOOT_ENCRYPT_RSA                 ON          CACHE BOOL      "Use RSA for encrypted image upgrade support")
 ################################## Dependencies ################################
+set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE ON       CACHE BOOL      "Enable Internal Trusted Storage partition")
+set(TFM_PARTITION_CRYPTO                ON          CACHE BOOL      "Enable Crypto partition")
 set(CONFIG_TFM_USE_TRUSTZONE            ON          CACHE BOOL      "Enable use of TrustZone to transition between NSPE and SPE")
 set(TFM_MULTI_CORE_TOPOLOGY             OFF         CACHE BOOL      "Whether to build for a dual-cpu architecture")
 set(CRYPTO_HW_ACCELERATOR               ON          CACHE BOOL      "Whether to enable the crypto hardware accelerator on supported platforms")
diff --git a/platform/ext/target/stm/nucleo_l552ze_q/config.cmake b/platform/ext/target/stm/nucleo_l552ze_q/config.cmake
index dfe6e1f..2d41250 100644
--- a/platform/ext/target/stm/nucleo_l552ze_q/config.cmake
+++ b/platform/ext/target/stm/nucleo_l552ze_q/config.cmake
@@ -16,6 +16,8 @@
 ################################## Dependencies ################################
 set(CONFIG_TFM_USE_TRUSTZONE            ON          CACHE BOOL      "Enable use of TrustZone to transition between NSPE and SPE")
 set(TFM_MULTI_CORE_TOPOLOGY             OFF         CACHE BOOL      "Whether to build for a dual-cpu architecture")
-set(CRYPTO_HW_ACCELERATOR               ON          CACHE BOOL      "Whether to enable the crypto hardware accelerator on supported platforms")
-set(CRYPTO_NV_SEED                      OFF         CACHE BOOL      "Use stored NV seed to provide entropy")
-set(MBEDCRYPTO_BUILD_TYPE               minsizerel  CACHE STRING "Build type of Mbed Crypto library")
+if(TFM_PARTITION_CRYPTO)
+    set(CRYPTO_HW_ACCELERATOR           ON          CACHE BOOL      "Whether to enable the crypto hardware accelerator on supported platforms")
+    set(CRYPTO_NV_SEED                  OFF         CACHE BOOL      "Use stored NV seed to provide entropy")
+    set(MBEDCRYPTO_BUILD_TYPE           minsizerel  CACHE STRING "Build type of Mbed Crypto library")
+endif()
diff --git a/platform/ext/target/stm/stm32l562e_dk/config.cmake b/platform/ext/target/stm/stm32l562e_dk/config.cmake
index 85e68b6..2f91b5f 100644
--- a/platform/ext/target/stm/stm32l562e_dk/config.cmake
+++ b/platform/ext/target/stm/stm32l562e_dk/config.cmake
@@ -18,7 +18,10 @@
 ################################## Dependencies ################################
 set(CONFIG_TFM_USE_TRUSTZONE            ON          CACHE BOOL      "Enable use of TrustZone to transition between NSPE and SPE")
 set(TFM_MULTI_CORE_TOPOLOGY             OFF         CACHE BOOL      "Whether to build for a dual-cpu architecture")
-set(CRYPTO_HW_ACCELERATOR               ON          CACHE BOOL      "Whether to enable the crypto hardware accelerator on supported platforms")
-set(CRYPTO_NV_SEED                      OFF         CACHE BOOL      "Use stored NV seed to provide entropy")
-set(MBEDCRYPTO_BUILD_TYPE               minsizerel  CACHE STRING "Build type of Mbed Crypto library")
+
+if(TFM_PARTITION_CRYPTO)
+    set(CRYPTO_HW_ACCELERATOR           ON          CACHE BOOL      "Whether to enable the crypto hardware accelerator on supported platforms")
+    set(CRYPTO_NV_SEED                  OFF         CACHE BOOL      "Use stored NV seed to provide entropy")
+    set(MBEDCRYPTO_BUILD_TYPE           minsizerel  CACHE STRING "Build type of Mbed Crypto library")
+endif()
 set(TFM_EXTRA_GENERATED_FILE_LIST_PATH  ${CMAKE_CURRENT_SOURCE_DIR}/platform/ext/target/stm/common/generated_file_list.yaml  CACHE PATH "Path to extra generated file list. Appended to stardard TFM generated file list." FORCE)