| # Copyright (c) 2017-2020 Linaro Limited |
| # Copyright (c) 2020 Arm Limited |
| # |
| # SPDX-License-Identifier: Apache-2.0 |
| # |
| |
| mainmenu "MCUboot configuration" |
| |
| comment "MCUboot-specific configuration options" |
| |
| # Hidden option to mark a project as MCUboot |
| config MCUBOOT |
| default y |
| bool |
| select MPU_ALLOW_FLASH_WRITE if ARM_MPU |
| select USE_DT_CODE_PARTITION if HAS_FLASH_LOAD_OFFSET |
| select MCUBOOT_BOOTUTIL_LIB |
| |
| config BOOT_USE_MBEDTLS |
| bool |
| # Hidden option |
| default n |
| help |
| Use mbedTLS for crypto primitives. |
| |
| config BOOT_USE_TINYCRYPT |
| bool |
| # Hidden option |
| default n |
| # When building for ECDSA, we use our own copy of mbedTLS, so the |
| # Zephyr one must not be enabled or the MBEDTLS_CONFIG_FILE macros |
| # will collide. |
| depends on ! MBEDTLS |
| help |
| Use TinyCrypt for crypto primitives. |
| |
| config BOOT_USE_CC310 |
| bool |
| # Hidden option |
| default n |
| # When building for ECDSA, we use our own copy of mbedTLS, so the |
| # Zephyr one must not be enabled or the MBEDTLS_CONFIG_FILE macros |
| # will collide. |
| depends on ! MBEDTLS |
| help |
| Use cc310 for crypto primitives. |
| |
| config BOOT_USE_NRF_CC310_BL |
| bool |
| default n |
| |
| config NRFXLIB_CRYPTO |
| bool |
| default n |
| |
| config NRF_CC310_BL |
| bool |
| default n |
| |
| menu "MCUBoot settings" |
| |
| config SINGLE_APPLICATION_SLOT |
| bool "Single slot bootloader" |
| default n |
| help |
| Single image area is used for application which means that |
| uploading a new application overwrites the one that previously |
| occupied the area. |
| |
| choice |
| prompt "Signature type" |
| default BOOT_SIGNATURE_TYPE_RSA |
| |
| config BOOT_SIGNATURE_TYPE_NONE |
| bool "No signature; use only hash check" |
| select BOOT_USE_TINYCRYPT |
| |
| config BOOT_SIGNATURE_TYPE_RSA |
| bool "RSA signatures" |
| select BOOT_USE_MBEDTLS |
| select MBEDTLS |
| |
| if BOOT_SIGNATURE_TYPE_RSA |
| config BOOT_SIGNATURE_TYPE_RSA_LEN |
| int "RSA signature length" |
| range 2048 3072 |
| default 2048 |
| endif |
| |
| config BOOT_SIGNATURE_TYPE_ECDSA_P256 |
| bool "Elliptic curve digital signatures with curve P-256" |
| |
| if BOOT_SIGNATURE_TYPE_ECDSA_P256 |
| choice |
| prompt "Ecdsa implementation" |
| default BOOT_ECDSA_TINYCRYPT |
| |
| config BOOT_ECDSA_TINYCRYPT |
| bool "Use tinycrypt" |
| select BOOT_USE_TINYCRYPT |
| |
| config BOOT_ECDSA_CC310 |
| bool "Use CC310" |
| depends on HAS_HW_NRF_CC310 |
| select BOOT_USE_NRF_CC310_BL |
| select NRF_CC310_BL |
| select NRFXLIB_CRYPTO |
| select BOOT_USE_CC310 |
| endchoice # Ecdsa implementation |
| endif |
| |
| config BOOT_SIGNATURE_TYPE_ED25519 |
| bool "Edwards curve digital signatures using ed25519" |
| |
| if BOOT_SIGNATURE_TYPE_ED25519 |
| choice |
| prompt "Ecdsa implementation" |
| default BOOT_ED25519_TINYCRYPT |
| config BOOT_ED25519_TINYCRYPT |
| bool "Use tinycrypt" |
| select BOOT_USE_TINYCRYPT |
| config BOOT_ED25519_MBEDTLS |
| bool "Use mbedTLS" |
| select BOOT_USE_MBEDTLS |
| select MBEDTLS |
| endchoice |
| endif |
| |
| endchoice |
| |
| config BOOT_SIGNATURE_KEY_FILE |
| string "PEM key file" |
| default "root-ec-p256.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256 |
| default "root-ed25519.pem" if BOOT_SIGNATURE_TYPE_ED25519 |
| default "root-rsa-3072.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=3072 |
| default "root-rsa-2048.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=2048 |
| default "" |
| help |
| You can use either absolute or relative path. |
| In case relative path is used, the build system assumes that it starts |
| from the directory where the MCUBoot KConfig configuration file is |
| located. If the key file is not there, the build system uses relative |
| path that starts from the MCUBoot repository root directory. |
| The key file will be parsed by imgtool's getpub command and a .c source |
| with the public key information will be written in a format expected by |
| MCUboot. |
| |
| config MCUBOOT_CLEANUP_ARM_CORE |
| bool "Perform core cleanup before chain-load the application" |
| depends on CPU_CORTEX_M |
| default y if !ARCH_SUPPORTS_ARCH_HW_INIT |
| help |
| This option instructs MCUboot to perform a clean-up of a set of |
| architecture core HW registers before junping to the application |
| firmware. The clean-up sets these registers to their warm-reset |
| values as specified by the architecture. |
| |
| By default, this option is enabled only if the architecture does |
| not have the functionality to perform such a register clean-up |
| during application firmware boot. |
| |
| Zephyr applications on Cortex-M will perform this register clean-up |
| by default, if they are chain-loadable by MCUboot, so MCUboot does |
| not need to perform such a cleanup itself. |
| |
| config MBEDTLS_CFG_FILE |
| default "mcuboot-mbedtls-cfg.h" |
| |
| config BOOT_HW_KEY |
| bool "Use HW key for image verification" |
| default n |
| help |
| Use HW key for image verification, otherwise the public key is embedded |
| in MCUBoot. If enabled the public key is appended to the signed image |
| and requires the hash of the public key to be provisioned to the device |
| beforehand. |
| |
| config BOOT_VALIDATE_SLOT0 |
| bool "Validate image in the primary slot on every boot" |
| default y |
| help |
| If y, the bootloader attempts to validate the signature of the |
| primary slot every boot. This adds the signature check time to |
| every boot, but can mitigate against some changes that are |
| able to modify the flash image itself. |
| |
| if !SINGLE_APPLICATION_SLOT |
| choice |
| prompt "Image upgrade modes" |
| default BOOT_SWAP_USING_MOVE if SOC_FAMILY_NRF |
| default BOOT_SWAP_USING_SCRATCH |
| |
| config BOOT_SWAP_USING_SCRATCH |
| bool "Swap mode that run with the scratch partition" |
| help |
| This is the most conservative swap mode but it can work even on |
| devices with heterogeneous flash page layout. |
| |
| config BOOT_UPGRADE_ONLY |
| bool "Overwrite image updates instead of swapping" |
| help |
| If y, overwrite the primary slot with the upgrade image instead |
| of swapping them. This prevents the fallback recovery, but |
| uses a much simpler code path. |
| |
| config BOOT_SWAP_USING_MOVE |
| bool "Swap mode that can run without a scratch partition" |
| help |
| If y, the swap upgrade is done in two steps, where first every |
| sector of the primary slot is moved up one sector, then for |
| each sector X in the secondary slot, it is moved to index X in |
| the primary slot, then the sector at X+1 in the primary is |
| moved to index X in the secondary. |
| This allows a swap upgrade without using a scratch partition, |
| but is currently limited to all sectors in both slots being of |
| the same size. |
| |
| config BOOT_DIRECT_XIP |
| bool "Run the latest image directly from its slot" |
| help |
| If y, mcuboot selects the newest valid image based on the image version |
| numbers, thereafter the selected image can run directly from its slot |
| without having to move/copy it into the primary slot. For this reason the |
| images must be linked to be executed from the given image slot. Using this |
| mode results in a simpler code path and smaller code size. |
| |
| endchoice |
| |
| config BOOT_DIRECT_XIP_REVERT |
| bool "Enable the revert mechanism in direct-xip mode" |
| depends on BOOT_DIRECT_XIP |
| default n |
| help |
| If y, enables the revert mechanism in direct-xip similar to the one in |
| swap mode. It requires the trailer magic to be added to the signed image. |
| When a reboot happens without the image being confirmed at runtime, the |
| bootloader considers the image faulty and erases it. After this it will |
| attempt to boot the previous image. The images can also be made permanent |
| (marked as confirmed in advance) just like in swap mode. |
| |
| config BOOT_BOOTSTRAP |
| bool "Bootstrap erased the primary slot from the secondary slot" |
| default n |
| help |
| If y, enables bootstraping support. Bootstrapping allows an erased |
| primary slot to be initialized from a valid image in the secondary slot. |
| If unsure, leave at the default value. |
| |
| config BOOT_SWAP_SAVE_ENCTLV |
| bool "Save encrypted key TLVs instead of plaintext keys in swap metadata" |
| default n |
| help |
| If y, instead of saving the encrypted image keys in plaintext in the |
| swap resume metadata, save the encrypted image TLVs. This should be used |
| when there is no security mechanism protecting the data in the primary |
| slot from being dumped. If n is selected (default), the keys are written |
| after being decrypted from the image TLVs and could be read by an |
| attacker who has access to the flash contents of the primary slot (eg |
| JTAG/SWD or primary slot in external flash). |
| If unsure, leave at the default value. |
| |
| config BOOT_ENCRYPT_RSA |
| bool "Support for encrypted upgrade images using RSA" |
| default n |
| help |
| If y, images in the secondary slot can be encrypted and are decrypted |
| on the fly when upgrading to the primary slot, as well as encrypted |
| back when swapping from the primary slot to the secondary slot. The |
| encryption mechanism used in this case is RSA-OAEP (2048 bits). |
| |
| config BOOT_ENCRYPT_EC256 |
| bool "Support for encrypted upgrade images using ECIES-P256" |
| default n |
| help |
| If y, images in the secondary slot can be encrypted and are decrypted |
| on the fly when upgrading to the primary slot, as well as encrypted |
| back when swapping from the primary slot to the secondary slot. The |
| encryption mechanism used in this case is ECIES using primitives |
| described under "ECIES-P256 encryption" in docs/encrypted_images.md. |
| |
| config BOOT_ENCRYPT_X25519 |
| bool "Support for encrypted upgrade images using ECIES-X25519" |
| default n |
| help |
| If y, images in the secondary slot can be encrypted and are decrypted |
| on the fly when upgrading to the primary slot, as well as encrypted |
| back when swapping from the primary slot to the secondary slot. The |
| encryption mechanism used in this case is ECIES using primitives |
| described under "ECIES-X25519 encryption" in docs/encrypted_images.md. |
| endif # !SINGLE_APPLICATION_SLOT |
| |
| config BOOT_MAX_IMG_SECTORS |
| int "Maximum number of sectors per image slot" |
| default 128 |
| help |
| This option controls the maximum number of sectors that each of |
| the two image areas can contain. Smaller values reduce MCUboot's |
| memory usage; larger values allow it to support larger images. |
| If unsure, leave at the default value. |
| |
| config BOOT_ERASE_PROGRESSIVELY |
| bool "Erase flash progressively when receiving new firmware" |
| default y if SOC_FAMILY_NRF |
| help |
| If enabled, flash is erased as necessary when receiving new firmware, |
| instead of erasing the whole image slot at once. This is necessary |
| on some hardware that has long erase times, to prevent long wait |
| times at the beginning of the DFU process. |
| |
| config MEASURED_BOOT |
| bool "Store the boot state/measurements in shared memory" |
| default n |
| help |
| If enabled, the bootloader will store certain boot measurements such as |
| the hash of the firmware image in a shared memory area. This data can |
| be used later by runtime services (e.g. by a device attestation service). |
| |
| config BOOT_SHARE_DATA |
| bool "Save application specific data in shared memory area" |
| default n |
| |
| choice |
| prompt "Fault injection hardening profile" |
| default BOOT_FIH_PROFILE_OFF |
| |
| config BOOT_FIH_PROFILE_OFF |
| bool "No hardening against hardware level fault injection" |
| help |
| No hardening in SW against hardware level fault injection: power or |
| clock glitching, etc. |
| |
| config BOOT_FIH_PROFILE_LOW |
| bool "Moderate level hardening against hardware level fault injection" |
| help |
| Moderate level hardening: Long global fail loop to avoid break out, |
| control flow integrity check to discover discrepancy in expected code |
| flow. |
| |
| config BOOT_FIH_PROFILE_MEDIUM |
| bool "Medium level hardening against hardware level fault injection" |
| help |
| Medium level hardening: Long global fail loop to avoid break out, |
| control flow integrity check to discover discrepancy in expected code |
| flow, double variables to discover register or memory corruption. |
| |
| config BOOT_FIH_PROFILE_HIGH |
| bool "Maximum level hardening against hardware level fault injection" |
| select MBEDTLS |
| help |
| Maximum level hardening: Long global fail loop to avoid break out, |
| control flow integrity check to discover discrepancy in expected code |
| flow, double variables to discover register or memory corruption, random |
| delays to make code execution less predictable. Random delays requires an |
| entropy source. |
| |
| endchoice |
| |
| choice BOOT_USB_DFU |
| prompt "USB DFU" |
| default BOOT_USB_DFU_NO |
| |
| config BOOT_USB_DFU_NO |
| prompt "Disabled" |
| |
| config BOOT_USB_DFU_WAIT |
| bool "Wait for a prescribed duration to see if USB DFU is invoked" |
| select USB |
| select USB_DFU_CLASS |
| select IMG_MANAGER |
| help |
| If y, MCUboot waits for a prescribed duration of time to allow |
| for USB DFU to be invoked. Please note DFU always updates the |
| slot1 image. |
| |
| config BOOT_USB_DFU_GPIO |
| bool "Use GPIO to detect whether to trigger DFU mode" |
| select USB |
| select USB_DFU_CLASS |
| select IMG_MANAGER |
| help |
| If y, MCUboot uses GPIO to detect whether to invoke USB DFU. |
| |
| endchoice |
| |
| config BOOT_USB_DFU_WAIT_DELAY_MS |
| int "USB DFU wait duration" |
| depends on BOOT_USB_DFU_WAIT |
| default 12000 |
| help |
| Milliseconds to wait for USB DFU to be invoked. |
| |
| if BOOT_USB_DFU_GPIO |
| |
| config BOOT_USB_DFU_DETECT_PORT |
| string "GPIO device to trigger USB DFU mode" |
| default GPIO_0 if SOC_FAMILY_NRF |
| help |
| Zephyr GPIO device that contains the pin used to trigger |
| USB DFU. |
| |
| config BOOT_USB_DFU_DETECT_PIN |
| int "Pin to trigger USB DFU mode" |
| default 6 if BOARD_NRF9160DK_NRF9160 |
| default 11 if BOARD_NRF52840DK_NRF52840 |
| default 13 if BOARD_NRF52DK_NRF52832 |
| default 23 if BOARD_NRF5340_DK_NRF5340_CPUAPP || BOARD_NRF5340_DK_NRF5340_CPUAPPNS |
| default 43 if BOARD_BL5340_DVK_CPUAPP || BOARD_BL5340_DVK_CPUAPPNS |
| help |
| Pin on the DFU detect port that triggers DFU mode. |
| |
| config BOOT_USB_DFU_DETECT_PIN_VAL |
| int "USB DFU detect pin trigger value" |
| default 0 |
| range 0 1 |
| help |
| Logic value of the detect pin that triggers USB DFU mode. |
| |
| config BOOT_USB_DFU_DETECT_DELAY |
| int "Serial detect pin detection delay time [ms]" |
| default 0 |
| help |
| Used to prevent the bootloader from loading on button press. |
| Useful for powering on when using the same button as |
| the one used to place the device in bootloader mode. |
| |
| endif # BOOT_USB_DFU_GPIO |
| |
| config ZEPHYR_TRY_MASS_ERASE |
| bool "Try to mass erase flash when flashing MCUboot image" |
| default y |
| help |
| If y, attempt to configure the Zephyr build system's "flash" |
| target to mass-erase the flash device before flashing the |
| MCUboot image. This ensures the scratch and other partitions |
| are in a consistent state. |
| |
| This is not available for all targets. |
| |
| config BOOT_USE_BENCH |
| bool "Enable benchmark code" |
| default n |
| help |
| If y, adds support for simple benchmarking that can record |
| time intervals between two calls. The time printed depends |
| on the particular Zephyr target, and is generally ticks of a |
| specific board-specific timer. |
| |
| module = MCUBOOT |
| module-str = MCUBoot bootloader |
| source "subsys/logging/Kconfig.template.log_config" |
| |
| config MCUBOOT_LOG_THREAD_STACK_SIZE |
| int "Stack size for the MCUBoot log processing thread" |
| depends on LOG && !LOG_IMMEDIATE |
| default 2048 if COVERAGE_GCOV |
| default 1024 if NO_OPTIMIZATIONS |
| default 1024 if XTENSA |
| default 4096 if (X86 && X86_64) |
| default 4096 if ARM64 |
| default 768 |
| help |
| Set the internal stack size for MCUBoot log processing thread. |
| |
| menuconfig MCUBOOT_SERIAL |
| bool "MCUboot serial recovery" |
| default n |
| select REBOOT |
| select GPIO |
| select SERIAL |
| select UART_INTERRUPT_DRIVEN |
| select BASE64 |
| select TINYCBOR |
| help |
| If y, enables a serial-port based update mode. This allows |
| MCUboot itself to load update images into flash over a UART. |
| If unsure, leave at the default value. |
| |
| if MCUBOOT_SERIAL |
| |
| choice |
| prompt "Serial device" |
| default BOOT_SERIAL_UART if !BOARD_NRF52840DONGLE_NRF52840 |
| default BOOT_SERIAL_CDC_ACM if BOARD_NRF52840DONGLE_NRF52840 |
| |
| config BOOT_SERIAL_UART |
| bool "UART" |
| # SERIAL and UART_INTERRUPT_DRIVEN already selected |
| |
| config BOOT_SERIAL_CDC_ACM |
| bool "CDC ACM" |
| select USB |
| select USB_DEVICE_STACK |
| select USB_CDC_ACM |
| |
| endchoice |
| |
| config MCUBOOT_INDICATION_LED |
| bool "Turns on LED indication when device is in DFU" |
| default n |
| help |
| Device device activates the LED while in bootloader mode. |
| bootloader-led0 alias must be set in the device's .dts |
| definitions for this to work. |
| |
| config BOOT_MAX_LINE_INPUT_LEN |
| int "Maximum command line length" |
| default 512 |
| help |
| Maximum length of commands transported over the serial port. |
| |
| config BOOT_SERIAL_DETECT_PORT |
| string "GPIO device to trigger serial recovery mode" |
| default GPIO_0 if SOC_FAMILY_NRF |
| help |
| Zephyr GPIO device that contains the pin used to trigger |
| serial recovery mode. |
| |
| config BOOT_SERIAL_DETECT_PIN |
| int "Pin to trigger serial recovery mode" |
| default 6 if BOARD_NRF9160DK_NRF9160 |
| default 11 if BOARD_NRF52840DK_NRF52840 |
| default 13 if BOARD_NRF52DK_NRF52832 |
| default 23 if BOARD_NRF5340PDK_NRF5340_CPUAPP || BOARD_NRF5340PDK_NRF5340_CPUAPPNS || \ |
| BOARD_NRF5340DK_NRF5340_CPUAPP || BOARD_NRF5340DK_NRF5340_CPUAPPNS |
| help |
| Pin on the serial detect port that triggers serial recovery mode. |
| |
| config BOOT_SERIAL_DETECT_PIN_VAL |
| int "Serial detect pin trigger value" |
| default 0 |
| range 0 1 |
| help |
| Logic value of the detect pin that triggers serial recovery |
| mode. |
| |
| config BOOT_SERIAL_DETECT_DELAY |
| int "Serial detect pin detection delay time [ms]" |
| default 0 |
| help |
| Used to prevent the bootloader from loading on button press. |
| Useful for powering on when using the same button as |
| the one used to place the device in bootloader mode. |
| |
| # Workaround for not being able to have commas in macro arguments |
| DT_CHOSEN_Z_CONSOLE := zephyr,console |
| |
| config RECOVERY_UART_DEV_NAME |
| string "UART Device Name for Recovery UART" |
| default "$(dt_chosen_label,$(DT_CHOSEN_Z_CONSOLE))" if HAS_DTS |
| default "UART_0" |
| depends on BOOT_SERIAL_UART |
| help |
| This option specifies the name of UART device to be used for |
| serial recovery. |
| |
| endif # MCUBOOT_SERIAL |
| |
| config BOOT_INTR_VEC_RELOC |
| bool "Relocate the interrupt vector to the application" |
| default n |
| depends on SW_VECTOR_RELAY || CPU_CORTEX_M_HAS_VTOR |
| help |
| Relocate the interrupt vector to the application before it is started. |
| Select this option if application requires vector relocation, |
| but it doesn't relocate vector in its reset handler. |
| |
| config UPDATEABLE_IMAGE_NUMBER |
| int "Number of updateable images" |
| default 1 |
| range 1 1 if SINGLE_APPLICATION_SLOT |
| help |
| Enables support of multi image update. |
| |
| choice |
| prompt "Downgrade prevention" |
| optional |
| |
| config MCUBOOT_DOWNGRADE_PREVENTION |
| bool "SW based downgrade prevention" |
| depends on BOOT_UPGRADE_ONLY |
| help |
| Prevent downgrades by enforcing incrementing version numbers. |
| When this option is set, any upgrade must have greater major version |
| or greater minor version with equal major version. This mechanism |
| only protects against some attacks against version downgrades (for |
| example, a JTAG could be used to write an older version). |
| |
| config MCUBOOT_HW_DOWNGRADE_PREVENTION |
| bool "HW based downgrade prevention" |
| help |
| Prevent undesirable/malicious software downgrades. When this option is |
| set, any upgrade must have greater or equal security counter value. |
| Because of the acceptance of equal values it allows for software |
| downgrade to some extent. |
| |
| endchoice |
| |
| config BOOT_WATCHDOG_FEED |
| bool "Feed the watchdog while doing swap" |
| default y if SOC_FAMILY_NRF |
| imply NRFX_WDT |
| imply NRFX_WDT0 |
| imply NRFX_WDT1 |
| help |
| Enables implementation of MCUBOOT_WATCHDOG_FEED() macro which is |
| used to feed watchdog while doing time consuming operations. |
| |
| endmenu |
| |
| config MCUBOOT_DEVICE_SETTINGS |
| # Hidden selector for device-specific settings |
| bool |
| default y |
| # CPU options |
| select MCUBOOT_DEVICE_CPU_CORTEX_M0 if CPU_CORTEX_M0 |
| # Enable flash page layout if available |
| select FLASH_PAGE_LAYOUT if FLASH_HAS_PAGE_LAYOUT |
| # Enable flash_map module as flash I/O back-end |
| select FLASH_MAP |
| |
| config MCUBOOT_DEVICE_CPU_CORTEX_M0 |
| # Hidden selector for Cortex-M0 settings |
| bool |
| default n |
| select SW_VECTOR_RELAY if !CPU_CORTEX_M0_HAS_VECTOR_TABLE_REMAP |
| |
| comment "Zephyr configuration options" |
| |
| # Disabling MULTITHREADING provides a code size advantage, but |
| # it requires peripheral drivers (particularly a flash driver) |
| # that works properly with the option enabled. |
| # |
| # If you know for sure that your hardware will work, you can default |
| # it to n here. Otherwise, having it on by default makes the most |
| # hardware work. |
| config MULTITHREADING |
| default y if BOOT_SERIAL_CDC_ACM #usb driver requires MULTITHREADING |
| default y if BOOT_USB_DFU_GPIO || BOOT_USB_DFU_WAIT |
| default n if SOC_FAMILY_NRF |
| default y |
| |
| config LOG_IMMEDIATE |
| default n if MULTITHREADING |
| default y |
| |
| config LOG_PROCESS_THREAD |
| default n # mcuboot has its own log processing thread |
| |
| # override USB device name |
| config USB_DEVICE_PRODUCT |
| default "MCUBOOT" |
| |
| # use MCUboot's own log configuration |
| config MCUBOOT_BOOTUTIL_LIB_OWN_LOG |
| bool |
| default n |
| |
| source "Kconfig.zephyr" |