# Configuration for the TF-M Module

# Copyright (c) 2019, 2020 Linaro Limited
# Copyright (c) 2020 Nordic Semiconductor ASA
# SPDX-License-Identifier: Apache-2.0


config TFM_BOARD
	string
	default "nordic_nrf/nrf9160dk_nrf9160" if BOARD_NRF9160DK_NRF9160NS
	default "nordic_nrf/nrf5340dk_nrf5340_cpuapp" if BOARD_NRF5340DK_NRF5340_CPUAPPNS
	default "nordic_nrf/nrf5340pdk_nrf5340_cpuapp" if BOARD_NRF5340PDK_NRF5340_CPUAPPNS
	default "nxp/lpcxpresso55s69" if BOARD_LPCXPRESSO55S69_CPU0
	default "mps2/an521" if BOARD_MPS2_AN521
	default "stm/nucleo_l552ze_q" if BOARD_NUCLEO_L552ZE_Q
	default "musca_b1" if BOARD_MUSCA_B1
	help
	  The board name used for building TFM. Building with TFM requires that
	  TFM has been ported to the given board/SoC.

menuconfig BUILD_WITH_TFM
	bool "Build with TF-M as the Secure Execution Environment"
	select CMSIS_RTOS_V2
	imply POLL
	imply THREAD_NAME
	imply THREAD_STACK_INFO
	imply INIT_STACKS
	imply THREAD_MONITOR
	depends on TRUSTED_EXECUTION_NONSECURE
	depends on TFM_BOARD != ""
	help
	  When enabled, this option instructs the Zephyr build process to
	  additionaly generate a TF-M image for the Secure Execution
	  environment, along with the Zephyr image. The Zephyr image
	  itself is to be executed in the Non-Secure Processing Environment.
	  The required dependency on TRUSTED_EXECUTION_NONSECURE
	  ensures that the Zephyr image is built as a Non-Secure image. Both
	  TF-M and Zephyr images, as well as the veneer object file that links
	  them, are generated during the normal Zephyr build process.

	  Note:
	    Building with the "_nonsecure" BOARD variant (e.g.
	    "mps2_an521_nonsecure") ensures that
	    CONFIG_TRUSTED_EXECUTION_NONSECURE ie enabled.

if BUILD_WITH_TFM

config NUM_PREEMPT_PRIORITIES
	int
	default 56

config TFM_KEY_FILE_S
	string "Path to private key used to sign secure firmware images."
	depends on BUILD_WITH_TFM
	default "${ZEPHYR_BASE}/../modules/tee/tfm/trusted-firmware-m/bl2/ext/mcuboot/root-RSA-3072.pem"
	help
	  The path and filename for the .pem file containing the private key
	  that should be used by the BL2 bootloader when signing secure
	  firmware images.

config TFM_KEY_FILE_NS
	string "Path to private key used to sign non-secure firmware images."
	depends on BUILD_WITH_TFM
	default "${ZEPHYR_BASE}/../modules/tee/tfm/trusted-firmware-m/bl2/ext/mcuboot/root-RSA-3072_1.pem"
	help
	  The path and filename for the .pem file containing the private key
	  that should be used by the BL2 bootloader when signing non-secure
	  firmware images.

choice TFM_BL2
        prompt "BL2 configuration, should TFM build with MCUboot support"
        default TFM_BL2_CONFIG_FILE_DEFAULT

config TFM_BL2_CONFIG_FILE_DEFAULT
        bool "Use TFM BL2 setting from TFM configuration file"

config TFM_BL2_TRUE
        bool "TFM BL2 enabled"

config TFM_BL2_FALSE
        bool "TFM BL2 disabled"

endchoice

config TFM_IPC
	bool "IPC"
	help
	  When enabled, this option signifies that the TF-M build supports
	  the PSA API (IPC mode) instead of the secure library mode.

config TFM_REGRESSION
	bool "Regression tests"
	help
	  When enabled, this option signifies that the TF-M build includes
	  the Secure and the Non-Secure regression tests.


if !TFM_BL2_FALSE

config ROM_START_OFFSET
	hex "ROM Start Offset accounting for BL2 Header in the NS image"
	default 0x400
	help
	  By default BL2 header size in TF-M is 0x400. ROM_START_OFFSET
	  needs to be updated if TF-M switches to use a different header
	  size for BL2.

endif # !TFM_BL2_FALSE

endif # BUILD_WITH_TFM