mirror of
https://github.com/zephyrproject-rtos/zephyr
synced 2025-08-04 09:05:20 +00:00
Make it easier to add TF-M in an app by selecting and implying the necessary configs so the app doesn't have to specify the configs itself. Remove unneeded configs from the prj.conf files in the tfm samples. Also, fix case in key file name. Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
# TF-M/PSA Related
# Copyright (c) 2019, 2020 Linaro Limited
# SPDX-License-Identifier: Apache-2.0
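# Top-level switch for building TF-M alongside Zephyr.
# CMSIS_RTOS_V2 is forced on via 'select'. The 'imply' options are only
# switched on by default, so an application can still disable them in its
# prj.conf.
menuconfig BUILD_WITH_TFM
	bool "Build with TF-M as the Secure Execution Environment"
	select CMSIS_RTOS_V2
	imply POLL
	imply THREAD_NAME
	imply THREAD_STACK_INFO
	imply INIT_STACKS
	imply THREAD_MONITOR
	depends on TRUSTED_EXECUTION_NONSECURE
	help
	  When enabled, this option instructs the Zephyr build process to
	  additionally generate a TF-M image for the Secure Execution
	  environment, along with the Zephyr image. The Zephyr image
	  itself is to be executed in the Non-Secure Processing Environment.
	  The required dependency on TRUSTED_EXECUTION_NONSECURE
	  ensures that the Zephyr image is built as a Non-Secure image. Both
	  TF-M and Zephyr images, as well as the veneer object file that links
	  them, are generated during the normal Zephyr build process.

	  Note:
	    Building with the "_nonsecure" BOARD variant (e.g.
	    "mps2_an521_nonsecure") ensures that
	    CONFIG_TRUSTED_EXECUTION_NONSECURE is enabled.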
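# Options that only apply when TF-M is part of the build.
if BUILD_WITH_TFM

# Promptless default override, so it cannot be changed from menuconfig.
# NOTE(review): presumably 56 satisfies the priority-count requirement of
# CMSIS_RTOS_V2, which BUILD_WITH_TFM selects -- confirm.
config NUM_PREEMPT_PRIORITIES
	int
	default 56

# Signing keys. Both defaults point at .pem files that ship inside the TF-M
# module source tree, not at keys private to the project being built.
config TFM_KEY_FILE_S
	string "Path to private key used to sign secure firmware images."
	depends on BUILD_WITH_TFM
	default "${ZEPHYR_BASE}/../modules/tee/tfm/trusted-firmware-m/bl2/ext/mcuboot/root-RSA-3072.pem"
	help
	  The path and filename for the .pem file containing the private key
	  that should be used by the BL2 bootloader when signing secure
	  firmware images.

	  The default is the sample key distributed with the TF-M sources.
	  That key is publicly available, so a signature made with it does
	  not prove where an image came from. Use it for development and
	  testing only; for production builds, set this to a private key
	  that is generated and stored outside the source tree.

config TFM_KEY_FILE_NS
	string "Path to private key used to sign non-secure firmware images."
	depends on BUILD_WITH_TFM
	default "${ZEPHYR_BASE}/../modules/tee/tfm/trusted-firmware-m/bl2/ext/mcuboot/root-RSA-3072_1.pem"
	help
	  The path and filename for the .pem file containing the private key
	  that should be used by the BL2 bootloader when signing non-secure
	  firmware images.

	  The default is the sample key distributed with the TF-M sources.
	  That key is publicly available, so a signature made with it does
	  not prove where an image came from. Use it for development and
	  testing only; for production builds, set this to a private key
	  that is generated and stored outside the source tree.

# NOTE(review): with TFM_BL2_FALSE the key file settings above presumably
# have no effect and no bootloader-level signature check is performed --
# confirm against the TF-M build before shipping such a configuration.
choice TFM_BL2
	prompt "BL2 configuration, should TFM build with MCUboot support"
	default TFM_BL2_CONFIG_FILE_DEFAULT

config TFM_BL2_CONFIG_FILE_DEFAULT
	bool "Use TFM BL2 setting from TFM configuration file"

config TFM_BL2_TRUE
	bool "TFM BL2 enabled"

config TFM_BL2_FALSE
	bool "TFM BL2 disabled"

endchoice

# The offset is only given a value when BL2 is not explicitly disabled.
if !TFM_BL2_FALSE

config ROM_START_OFFSET
	hex "ROM Start Offset accounting for BL2 Header in the NS image"
	default 0x400
	help
	  By default BL2 header size in TF-M is 0x400. ROM_START_OFFSET
	  needs to be updated if TF-M switches to use a different header
	  size for BL2.

endif # !TFM_BL2_FALSE

endif # BUILD_WITH_TFM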