#-------------------------------------------------------------------------------
# Copyright (c) 2021-2022, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
#-------------------------------------------------------------------------------

########################## MCUBoot #############################################
| 9 | |
# BL2 test build switch. Off by default, so a default configuration does not
# build the bootloader tests.
set(TEST_BL2
    OFF
    CACHE BOOL "Whether to build bl2 tests"
)
| 11 | |
# Use the security counter configuration that the TF-M project defines, rather
# than one supplied elsewhere. The counters feed rollback protection (see
# MCUBOOT_HW_ROLLBACK_PROT), so turning this off means an alternative
# implementation has to be provided.
set(DEFAULT_MCUBOOT_SECURITY_COUNTERS
    ON
    CACHE BOOL "Whether to use the default security counter configuration defined by TF-M project"
)

# Use the flash map that the TF-M project defines.
set(DEFAULT_MCUBOOT_FLASH_MAP
    ON
    CACHE BOOL "Whether to use the default flash map defined by TF-M project"
)
| 14 | |
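# Image layout: per the docstring, 1 combines the secure (S) and non-secure
# (NS) binaries into a single image and 2 signs each of them separately.
set(MCUBOOT_IMAGE_NUMBER
    2
    CACHE STRING "Whether to combine S and NS into either 1 image, or sign each seperately"
)

# Slot the image is executed from; only relevant for XIP mode.
set(MCUBOOT_EXECUTION_SLOT
    1
    CACHE STRING "Slot from which to execute the image, used for XIP mode"
)

# Bootloader log verbosity.
set(MCUBOOT_LOG_LEVEL
    "INFO"
    CACHE STRING "Level of logging to use for MCUboot [OFF, ERROR, WARNING, INFO, DEBUG]"
)
# Advertise the values named in the docstring, the same way this file does for
# MCUBOOT_UPGRADE_STRATEGY. The STRINGS property only drives the selection list
# in cmake-gui/ccmake; it does not reject other values by itself.
set_property(
    CACHE MCUBOOT_LOG_LEVEL
    PROPERTY STRINGS
        OFF
        ERROR
        WARNING
        INFO
        DEBUG
)

# ON embeds the complete public key in the image metadata; OFF embeds only its
# hash (per the docstring).
set(MCUBOOT_HW_KEY
    ON
    CACHE BOOL "Whether to embed the entire public key in the image metadata instead of the hash only"
)

# Image upgrade strategy.
set(MCUBOOT_UPGRADE_STRATEGY
    "OVERWRITE_ONLY"
    CACHE STRING "Upgrade strategy for images"
)

# Sizes reserved for the image header and trailer.
set(BL2_HEADER_SIZE
    0x400
    CACHE STRING "Header size"
)
set(BL2_TRAILER_SIZE
    0x400
    CACHE STRING "Trailer size"
)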
shejia01 | 8444011 | 2021-07-07 10:49:09 +0800 | [diff] [blame] | 22 | |
# Enumerate the values accepted for MCUBOOT_UPGRADE_STRATEGY so that platforms
# pick one of these upgrade strategies for images. The list is recorded on the
# cache entry so that later validation can check the chosen value against it.
set_property(
    CACHE MCUBOOT_UPGRADE_STRATEGY
    PROPERTY STRINGS
        OVERWRITE_ONLY
        SWAP_USING_SCRATCH
        SWAP_USING_MOVE
        DIRECT_XIP
        RAM_LOAD
)
shejia01 | 8444011 | 2021-07-07 10:49:09 +0800 | [diff] [blame] | 27 | |
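# Revert mechanism for direct-xip mode.
set(MCUBOOT_DIRECT_XIP_REVERT
    ON
    CACHE BOOL "Enable the revert mechanism in direct-xip mode"
)

# Record boot measurements in the boot status; per the docstring these are
# consumed by the initial attestation token.
set(MCUBOOT_MEASURED_BOOT
    ON
    CACHE BOOL "Add boot measurement values to boot status. Used for initial attestation token"
)

# Rollback protection: validate the image security counter against
# non-volatile hardware counters. Turning this off removes that check, so
# review any platform override that sets it to OFF.
set(MCUBOOT_HW_ROLLBACK_PROT
    ON
    CACHE BOOL "Enable security counter validation against non-volatile HW counters"
)

# Encrypted image upgrade support is off by default.
set(MCUBOOT_ENC_IMAGES
    OFF
    CACHE BOOL "Enable encrypted image upgrade support"
)
set(MCUBOOT_ENCRYPT_RSA
    OFF
    CACHE BOOL "Use RSA for encrypted image upgrade support"
)

# Fault injection hardening is disabled by default; a platform that needs it
# has to select LOW, MEDIUM or HIGH explicitly.
set(MCUBOOT_FIH_PROFILE
    OFF
    CACHE STRING "Fault injection hardening profile [OFF, LOW, MEDIUM, HIGH]"
)
# Advertise the profiles named in the docstring, the same way this file does
# for MCUBOOT_UPGRADE_STRATEGY. The STRINGS property only drives the selection
# list in cmake-gui/ccmake; it does not reject a mistyped profile by itself.
set_property(
    CACHE MCUBOOT_FIH_PROFILE
    PROPERTY STRINGS
        OFF
        LOW
        MEDIUM
        HIGH
)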
| 34 | |
# Signature algorithm and key length used to validate images.
set(MCUBOOT_SIGNATURE_TYPE
    "RSA"
    CACHE STRING "Algorithm to use for signature validation"
)
set(MCUBOOT_SIGNATURE_KEY_LEN
    3072
    CACHE STRING "Key length to use for signature validation"
)

# The default key paths below are derived from MCUBOOT_SIGNATURE_TYPE and
# MCUBOOT_SIGNATURE_KEY_LEN, but a cached value is not recomputed. After
# changing either of them, update MCUBOOT_KEY_S / MCUBOOT_KEY_NS by hand or
# drop them from the cache so the defaults are evaluated again:
#   cmake .. -UMCUBOOT_KEY_S -UMCUBOOT_KEY_NS
# Otherwise the build keeps signing with the key that matched the old settings.
#
# NOTE(review): both defaults point at .pem files inside the source tree, so
# anyone with access to the repository holds the same signing keys. They look
# like development keys; confirm that production builds override
# MCUBOOT_KEY_S and MCUBOOT_KEY_NS with keys kept outside the repository.
set(MCUBOOT_KEY_S
    "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}-${MCUBOOT_SIGNATURE_KEY_LEN}.pem"
    CACHE FILEPATH "Path to key with which to sign secure binary"
)
set(MCUBOOT_KEY_NS
    "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/root-${MCUBOOT_SIGNATURE_TYPE}-${MCUBOOT_SIGNATURE_KEY_LEN}_1.pem"
    CACHE FILEPATH "Path to key with which to sign non-secure binary"
)
| 43 | |
# Image version numbers. The secure image follows TFM_VERSION, which is not
# set in this part of the file.
set(MCUBOOT_IMAGE_VERSION_S
    ${TFM_VERSION}
    CACHE STRING "Version number of S image"
)
set(MCUBOOT_IMAGE_VERSION_NS
    0.0.0
    CACHE STRING "Version number of NS image"
)

# Security counters for the two images. Per the docstrings, the value "auto"
# derives the counter from the matching image version instead of a fixed
# number. The counters are what MCUBOOT_HW_ROLLBACK_PROT validates, so a
# release that must not be downgraded needs a higher counter than the images
# it replaces.
set(MCUBOOT_SECURITY_COUNTER_S
    1
    CACHE STRING "Security counter for S image. auto sets it to IMAGE_VERSION_S"
)
set(MCUBOOT_SECURITY_COUNTER_NS
    1
    CACHE STRING "Security counter for NS image. auto sets it to IMAGE_VERSION_NS"
)

# Cross-image dependencies: the minimum version of the other image that each
# image requires before it can be upgraded to. Ignored when
# MCUBOOT_IMAGE_NUMBER is 1.
set(MCUBOOT_S_IMAGE_MIN_VER
    0.0.0+0
    CACHE STRING "Minimum version of secure image required by the non-secure image for upgrade to this non-secure image. If MCUBOOT_IMAGE_NUMBER == 1 this option has no effect"
)
set(MCUBOOT_NS_IMAGE_MIN_VER
    0.0.0+0
    CACHE STRING "Minimum version of non-secure image required by the secure image for upgrade to this secure image. If MCUBOOT_IMAGE_NUMBER == 1 this option has no effect"
)

# AES key lengths used when images are encrypted (see MCUBOOT_ENC_IMAGES).
set(MCUBOOT_ENC_KEY_LEN_S
    128
    CACHE STRING "Length of the AES key for encrypt S image"
)
set(MCUBOOT_ENC_KEY_LEN_NS
    128
    CACHE STRING "Length of the AES key for encrypt NS image"
)

# Mbed TLS configuration header that MCUboot is built against.
set(MCUBOOT_MBEDCRYPTO_CONFIG_FILEPATH
    "${CMAKE_SOURCE_DIR}/bl2/ext/mcuboot/config/mcuboot-mbedtls-cfg.h"
    CACHE FILEPATH "Mbedtls config file to use with MCUboot"
)