zephyr/modules/Kconfig.tfm
Ioannis Glaropoulos 3758b3328c modules: tfm: make BL2 header in non-secure image configurable
When we build Zephyr for a Non-Secure image, using TFM
as the Secure counterpart, we may or may not use BL2 (e.g.
MCUboot in TFM). If we build with BL2 we need to account
for a ROM offset before the start of the non-secure image
where TFM BL2 expects the BL2 header. This offset is not
needed when TFM is built without BL2. We use the existing
Kconfig options to determine whether we need a ROM offset
or not. We use the value of 0x400 for the BL2 header,
which is the default value used in TFM, but the option is
non-hidden, allowing the user to overwrite the default
value if needed.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2020-09-22 19:38:51 +02:00


# TF-M/PSA Related

# Copyright (c) 2019, 2020 Linaro Limited
# SPDX-License-Identifier: Apache-2.0

menuconfig BUILD_WITH_TFM
	bool "Build with TF-M as the Secure Execution Environment"
	depends on TRUSTED_EXECUTION_NONSECURE
	help
	  When enabled, this option instructs the Zephyr build process to
	  additionally generate a TF-M image for the Secure Execution
	  environment, along with the Zephyr image. The Zephyr image
	  itself is to be executed in the Non-Secure Processing Environment.
	  The required dependency on TRUSTED_EXECUTION_NONSECURE
	  ensures that the Zephyr image is built as a Non-Secure image. Both
	  TF-M and Zephyr images, as well as the veneer object file that links
	  them, are generated during the normal Zephyr build process.

	  Note:
	    Building with the "_nonsecure" BOARD variant (e.g.
	    "mps2_an521_nonsecure") ensures that
	    CONFIG_TRUSTED_EXECUTION_NONSECURE is enabled.

if BUILD_WITH_TFM

config TFM_KEY_FILE_S
	string "Path to private key used to sign secure firmware images."
	depends on BUILD_WITH_TFM
	default "${ZEPHYR_BASE}/../modules/tee/tfm/trusted-firmware-m/bl2/ext/mcuboot/root-rsa-3072.pem"
	help
	  The path and filename for the .pem file containing the private key
	  that should be used by the BL2 bootloader when signing secure
	  firmware images.

config TFM_KEY_FILE_NS
	string "Path to private key used to sign non-secure firmware images."
	depends on BUILD_WITH_TFM
	default "${ZEPHYR_BASE}/../modules/tee/tfm/trusted-firmware-m/bl2/ext/mcuboot/root-rsa-3072_1.pem"
	help
	  The path and filename for the .pem file containing the private key
	  that should be used by the BL2 bootloader when signing non-secure
	  firmware images.

choice TFM_BL2
	prompt "BL2 configuration, should TFM build with MCUboot support"
	default TFM_BL2_CONFIG_FILE_DEFAULT

config TFM_BL2_CONFIG_FILE_DEFAULT
	bool "Use TFM BL2 setting from TFM configuration file"

config TFM_BL2_TRUE
	bool "TFM BL2 enabled"

config TFM_BL2_FALSE
	bool "TFM BL2 disabled"

endchoice

if !TFM_BL2_FALSE

config ROM_START_OFFSET
	hex "ROM Start Offset accounting for BL2 Header in the NS image"
	default 0x400
	help
	  By default BL2 header size in TF-M is 0x400. ROM_START_OFFSET
	  needs to be updated if TF-M switches to use a different header
	  size for BL2.

endif # !TFM_BL2_FALSE

endif # BUILD_WITH_TFM
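
A pre-release check over a generated .config, added here as an example and not part of the Zephyr or TF-M sources: it flags signing-key options that still point at the key files inside the TF-M source tree, and a zero ROM_START_OFFSET when BL2 is not disabled. The function names, the finding texts and the sample .config are assumptions constructed for illustration.

```python
import re

# Tails of the in-tree default key paths from the Kconfig defaults above.
IN_TREE_KEYS = (
    "bl2/ext/mcuboot/root-rsa-3072.pem",
    "bl2/ext/mcuboot/root-rsa-3072_1.pem",
)
KEY_SYMBOLS = ("TFM_KEY_FILE_S", "TFM_KEY_FILE_NS")
_ASSIGN = re.compile(r"^CONFIG_(\w+)=(.*)$")

# Constructed sample .config excerpt (not taken from a real build).
SAMPLE = """\
CONFIG_BUILD_WITH_TFM=y
CONFIG_TFM_KEY_FILE_S="${ZEPHYR_BASE}/../modules/tee/tfm/trusted-firmware-m/bl2/ext/mcuboot/root-rsa-3072.pem"
CONFIG_TFM_KEY_FILE_NS="/keys/ns-signing.pem"
CONFIG_TFM_BL2_TRUE=y
# CONFIG_TFM_BL2_FALSE is not set
CONFIG_ROM_START_OFFSET=0x0
"""


def parse_dotconfig(text):
    """Map symbol -> value; '# CONFIG_X is not set' lines are skipped."""
    syms = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line.strip())
        if m:
            syms[m.group(1)] = m.group(2).strip().strip('"')
    return syms


def audit_tfm_config(text):
    """Return findings for the options defined in Kconfig.tfm."""
    syms = parse_dotconfig(text)
    if syms.get("BUILD_WITH_TFM") != "y":
        return []
    findings = []
    for sym in KEY_SYMBOLS:
        if syms.get(sym, "").endswith(IN_TREE_KEYS):
            findings.append(f"{sym}: key file shipped in the TF-M source tree")
    # The Kconfig applies the offset whenever BL2 is not explicitly disabled.
    bl2_not_disabled = syms.get("TFM_BL2_FALSE") != "y"
    offset = int(syms.get("ROM_START_OFFSET", "0"), 16)
    if bl2_not_disabled and offset == 0:
        findings.append("ROM_START_OFFSET: 0 leaves no room for the BL2 header")
    return findings


if __name__ == "__main__":
    for finding in audit_tfm_config(SAMPLE):
        print(finding)
```

A key file that ships in the source tree is available to anyone who has the sources, so an image signed with it carries no proof of origin.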