TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mcuboot / HEAD / . / boot / zephyr / Kconfig
blob: 932110debfd960008ec7a1dc137a830d381cea06 [file] [log] [blame]
# Copyright (c) 2017-2020 Linaro Limited
# Copyright (c) 2020 Arm Limited
#
# SPDX-License-Identifier: Apache-2.0
#
mainmenu "MCUboot configuration"
comment "MCUboot-specific configuration options"
# Hidden option to mark a project as MCUboot
config MCUBOOT
default y
bool
select MPU_ALLOW_FLASH_WRITE if ARM_MPU
select USE_DT_CODE_PARTITION if HAS_FLASH_LOAD_OFFSET
select MCUBOOT_BOOTUTIL_LIB
config BOOT_USE_MBEDTLS
bool
# Hidden option
default n
help
Use mbedTLS for crypto primitives.
config BOOT_USE_TINYCRYPT
bool
# Hidden option
default n
# When building for ECDSA, we use our own copy of mbedTLS, so the
# Zephyr one must not be enabled or the MBEDTLS_CONFIG_FILE macros
# will collide.
depends on ! MBEDTLS
help
Use TinyCrypt for crypto primitives.
config BOOT_USE_CC310
bool
# Hidden option
default n
# When building for ECDSA, we use our own copy of mbedTLS, so the
# Zephyr one must not be enabled or the MBEDTLS_CONFIG_FILE macros
# will collide.
depends on ! MBEDTLS
help
Use cc310 for crypto primitives.
config BOOT_USE_NRF_CC310_BL
bool
default n
config NRFXLIB_CRYPTO
bool
default n
config NRF_CC310_BL
bool
default n
menu "MCUBoot settings"
config SINGLE_APPLICATION_SLOT
bool "Single slot bootloader"
default n
help
Single image area is used for application which means that
uploading a new application overwrites the one that previously
occupied the area.
choice
prompt "Signature type"
default BOOT_SIGNATURE_TYPE_RSA
config BOOT_SIGNATURE_TYPE_NONE
bool "No signature; use only hash check"
select BOOT_USE_TINYCRYPT
config BOOT_SIGNATURE_TYPE_RSA
bool "RSA signatures"
select BOOT_USE_MBEDTLS
select MBEDTLS
if BOOT_SIGNATURE_TYPE_RSA
config BOOT_SIGNATURE_TYPE_RSA_LEN
int "RSA signature length"
range 2048 3072
default 2048
endif
config BOOT_SIGNATURE_TYPE_ECDSA_P256
bool "Elliptic curve digital signatures with curve P-256"
if BOOT_SIGNATURE_TYPE_ECDSA_P256
choice
prompt "Ecdsa implementation"
default BOOT_ECDSA_TINYCRYPT
config BOOT_ECDSA_TINYCRYPT
bool "Use tinycrypt"
select BOOT_USE_TINYCRYPT
config BOOT_ECDSA_CC310
bool "Use CC310"
depends on HAS_HW_NRF_CC310
select BOOT_USE_NRF_CC310_BL
select NRF_CC310_BL
select NRFXLIB_CRYPTO
select BOOT_USE_CC310
endchoice # Ecdsa implementation
endif
config BOOT_SIGNATURE_TYPE_ED25519
bool "Edwards curve digital signatures using ed25519"
if BOOT_SIGNATURE_TYPE_ED25519
choice
prompt "Ecdsa implementation"
default BOOT_ED25519_TINYCRYPT
config BOOT_ED25519_TINYCRYPT
bool "Use tinycrypt"
select BOOT_USE_TINYCRYPT
config BOOT_ED25519_MBEDTLS
bool "Use mbedTLS"
select BOOT_USE_MBEDTLS
select MBEDTLS
endchoice
endif
endchoice
config BOOT_SIGNATURE_KEY_FILE
string "PEM key file"
default "root-ec-p256.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256
default "root-ed25519.pem" if BOOT_SIGNATURE_TYPE_ED25519
default "root-rsa-3072.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=3072
default "root-rsa-2048.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=2048
default ""
help
You can use either absolute or relative path.
In case relative path is used, the build system assumes that it starts
from the directory where the MCUBoot KConfig configuration file is
located. If the key file is not there, the build system uses relative
path that starts from the MCUBoot repository root directory.
The key file will be parsed by imgtool's getpub command and a .c source
with the public key information will be written in a format expected by
MCUboot.
config MCUBOOT_CLEANUP_ARM_CORE
bool "Perform core cleanup before chain-load the application"
depends on CPU_CORTEX_M
default y if !ARCH_SUPPORTS_ARCH_HW_INIT
help
This option instructs MCUboot to perform a clean-up of a set of
architecture core HW registers before junping to the application
firmware. The clean-up sets these registers to their warm-reset
values as specified by the architecture.
By default, this option is enabled only if the architecture does
not have the functionality to perform such a register clean-up
during application firmware boot.
Zephyr applications on Cortex-M will perform this register clean-up
by default, if they are chain-loadable by MCUboot, so MCUboot does
not need to perform such a cleanup itself.
config MBEDTLS_CFG_FILE
default "mcuboot-mbedtls-cfg.h"
config BOOT_HW_KEY
bool "Use HW key for image verification"
default n
help
Use HW key for image verification, otherwise the public key is embedded
in MCUBoot. If enabled the public key is appended to the signed image
and requires the hash of the public key to be provisioned to the device
beforehand.
config BOOT_VALIDATE_SLOT0
bool "Validate image in the primary slot on every boot"
default y
help
If y, the bootloader attempts to validate the signature of the
primary slot every boot. This adds the signature check time to
every boot, but can mitigate against some changes that are
able to modify the flash image itself.
if !SINGLE_APPLICATION_SLOT
choice
prompt "Image upgrade modes"
default BOOT_SWAP_USING_MOVE if SOC_FAMILY_NRF
default BOOT_SWAP_USING_SCRATCH
config BOOT_SWAP_USING_SCRATCH
bool "Swap mode that run with the scratch partition"
help
This is the most conservative swap mode but it can work even on
devices with heterogeneous flash page layout.
config BOOT_UPGRADE_ONLY
bool "Overwrite image updates instead of swapping"
help
If y, overwrite the primary slot with the upgrade image instead
of swapping them. This prevents the fallback recovery, but
uses a much simpler code path.
config BOOT_SWAP_USING_MOVE
bool "Swap mode that can run without a scratch partition"
help
If y, the swap upgrade is done in two steps, where first every
sector of the primary slot is moved up one sector, then for
each sector X in the secondary slot, it is moved to index X in
the primary slot, then the sector at X+1 in the primary is
moved to index X in the secondary.
This allows a swap upgrade without using a scratch partition,
but is currently limited to all sectors in both slots being of
the same size.
config BOOT_DIRECT_XIP
bool "Run the latest image directly from its slot"
help
If y, mcuboot selects the newest valid image based on the image version
numbers, thereafter the selected image can run directly from its slot
without having to move/copy it into the primary slot. For this reason the
images must be linked to be executed from the given image slot. Using this
mode results in a simpler code path and smaller code size.
endchoice
config BOOT_DIRECT_XIP_REVERT
bool "Enable the revert mechanism in direct-xip mode"
depends on BOOT_DIRECT_XIP
default n
help
If y, enables the revert mechanism in direct-xip similar to the one in
swap mode. It requires the trailer magic to be added to the signed image.
When a reboot happens without the image being confirmed at runtime, the
bootloader considers the image faulty and erases it. After this it will
attempt to boot the previous image. The images can also be made permanent
(marked as confirmed in advance) just like in swap mode.
config BOOT_BOOTSTRAP
bool "Bootstrap erased the primary slot from the secondary slot"
default n
help
If y, enables bootstraping support. Bootstrapping allows an erased
primary slot to be initialized from a valid image in the secondary slot.
If unsure, leave at the default value.
config BOOT_SWAP_SAVE_ENCTLV
bool "Save encrypted key TLVs instead of plaintext keys in swap metadata"
default n
help
If y, instead of saving the encrypted image keys in plaintext in the
swap resume metadata, save the encrypted image TLVs. This should be used
when there is no security mechanism protecting the data in the primary
slot from being dumped. If n is selected (default), the keys are written
after being decrypted from the image TLVs and could be read by an
attacker who has access to the flash contents of the primary slot (eg
JTAG/SWD or primary slot in external flash).
If unsure, leave at the default value.
config BOOT_ENCRYPT_RSA
bool "Support for encrypted upgrade images using RSA"
default n
help
If y, images in the secondary slot can be encrypted and are decrypted
on the fly when upgrading to the primary slot, as well as encrypted
back when swapping from the primary slot to the secondary slot. The
encryption mechanism used in this case is RSA-OAEP (2048 bits).
config BOOT_ENCRYPT_EC256
bool "Support for encrypted upgrade images using ECIES-P256"
default n
help
If y, images in the secondary slot can be encrypted and are decrypted
on the fly when upgrading to the primary slot, as well as encrypted
back when swapping from the primary slot to the secondary slot. The
encryption mechanism used in this case is ECIES using primitives
described under "ECIES-P256 encryption" in docs/encrypted_images.md.
config BOOT_ENCRYPT_X25519
bool "Support for encrypted upgrade images using ECIES-X25519"
default n
help
If y, images in the secondary slot can be encrypted and are decrypted
on the fly when upgrading to the primary slot, as well as encrypted
back when swapping from the primary slot to the secondary slot. The
encryption mechanism used in this case is ECIES using primitives
described under "ECIES-X25519 encryption" in docs/encrypted_images.md.
endif # !SINGLE_APPLICATION_SLOT
config BOOT_MAX_IMG_SECTORS
int "Maximum number of sectors per image slot"
default 128
help
This option controls the maximum number of sectors that each of
the two image areas can contain. Smaller values reduce MCUboot's
memory usage; larger values allow it to support larger images.
If unsure, leave at the default value.
config BOOT_ERASE_PROGRESSIVELY
bool "Erase flash progressively when receiving new firmware"
default y if SOC_FAMILY_NRF
help
If enabled, flash is erased as necessary when receiving new firmware,
instead of erasing the whole image slot at once. This is necessary
on some hardware that has long erase times, to prevent long wait
times at the beginning of the DFU process.
config MEASURED_BOOT
bool "Store the boot state/measurements in shared memory"
default n
help
If enabled, the bootloader will store certain boot measurements such as
the hash of the firmware image in a shared memory area. This data can
be used later by runtime services (e.g. by a device attestation service).
config BOOT_SHARE_DATA
bool "Save application specific data in shared memory area"
default n
choice
prompt "Fault injection hardening profile"
default BOOT_FIH_PROFILE_OFF
config BOOT_FIH_PROFILE_OFF
bool "No hardening against hardware level fault injection"
help
No hardening in SW against hardware level fault injection: power or
clock glitching, etc.
config BOOT_FIH_PROFILE_LOW
bool "Moderate level hardening against hardware level fault injection"
help
Moderate level hardening: Long global fail loop to avoid break out,
control flow integrity check to discover discrepancy in expected code
flow.
config BOOT_FIH_PROFILE_MEDIUM
bool "Medium level hardening against hardware level fault injection"
help
Medium level hardening: Long global fail loop to avoid break out,
control flow integrity check to discover discrepancy in expected code
flow, double variables to discover register or memory corruption.
config BOOT_FIH_PROFILE_HIGH
bool "Maximum level hardening against hardware level fault injection"
select MBEDTLS
help
Maximum level hardening: Long global fail loop to avoid break out,
control flow integrity check to discover discrepancy in expected code
flow, double variables to discover register or memory corruption, random
delays to make code execution less predictable. Random delays requires an
entropy source.
endchoice
choice BOOT_USB_DFU
prompt "USB DFU"
default BOOT_USB_DFU_NO
config BOOT_USB_DFU_NO
prompt "Disabled"
config BOOT_USB_DFU_WAIT
bool "Wait for a prescribed duration to see if USB DFU is invoked"
select USB
select USB_DFU_CLASS
select IMG_MANAGER
help
If y, MCUboot waits for a prescribed duration of time to allow
for USB DFU to be invoked. Please note DFU always updates the
slot1 image.
config BOOT_USB_DFU_GPIO
bool "Use GPIO to detect whether to trigger DFU mode"
select USB
select USB_DFU_CLASS
select IMG_MANAGER
help
If y, MCUboot uses GPIO to detect whether to invoke USB DFU.
endchoice
config BOOT_USB_DFU_WAIT_DELAY_MS
int "USB DFU wait duration"
depends on BOOT_USB_DFU_WAIT
default 12000
help
Milliseconds to wait for USB DFU to be invoked.
if BOOT_USB_DFU_GPIO
config BOOT_USB_DFU_DETECT_PORT
string "GPIO device to trigger USB DFU mode"
default GPIO_0 if SOC_FAMILY_NRF
help
Zephyr GPIO device that contains the pin used to trigger
USB DFU.
config BOOT_USB_DFU_DETECT_PIN
int "Pin to trigger USB DFU mode"
default 6 if BOARD_NRF9160DK_NRF9160
default 11 if BOARD_NRF52840DK_NRF52840
default 13 if BOARD_NRF52DK_NRF52832
default 23 if BOARD_NRF5340_DK_NRF5340_CPUAPP || BOARD_NRF5340_DK_NRF5340_CPUAPPNS
default 43 if BOARD_BL5340_DVK_CPUAPP || BOARD_BL5340_DVK_CPUAPPNS
help
Pin on the DFU detect port that triggers DFU mode.
config BOOT_USB_DFU_DETECT_PIN_VAL
int "USB DFU detect pin trigger value"
default 0
range 0 1
help
Logic value of the detect pin that triggers USB DFU mode.
config BOOT_USB_DFU_DETECT_DELAY
int "Serial detect pin detection delay time [ms]"
default 0
help
Used to prevent the bootloader from loading on button press.
Useful for powering on when using the same button as
the one used to place the device in bootloader mode.
endif # BOOT_USB_DFU_GPIO
config ZEPHYR_TRY_MASS_ERASE
bool "Try to mass erase flash when flashing MCUboot image"
default y
help
If y, attempt to configure the Zephyr build system's "flash"
target to mass-erase the flash device before flashing the
MCUboot image. This ensures the scratch and other partitions
are in a consistent state.
This is not available for all targets.
config BOOT_USE_BENCH
bool "Enable benchmark code"
default n
help
If y, adds support for simple benchmarking that can record
time intervals between two calls. The time printed depends
on the particular Zephyr target, and is generally ticks of a
specific board-specific timer.
module = MCUBOOT
module-str = MCUBoot bootloader
source "subsys/logging/Kconfig.template.log_config"
config MCUBOOT_LOG_THREAD_STACK_SIZE
int "Stack size for the MCUBoot log processing thread"
depends on LOG && !LOG_IMMEDIATE
default 2048 if COVERAGE_GCOV
default 1024 if NO_OPTIMIZATIONS
default 1024 if XTENSA
default 4096 if (X86 && X86_64)
default 4096 if ARM64
default 768
help
Set the internal stack size for MCUBoot log processing thread.
menuconfig MCUBOOT_SERIAL
bool "MCUboot serial recovery"
default n
select REBOOT
select GPIO
select SERIAL
select UART_INTERRUPT_DRIVEN
select BASE64
select TINYCBOR
help
If y, enables a serial-port based update mode. This allows
MCUboot itself to load update images into flash over a UART.
If unsure, leave at the default value.
if MCUBOOT_SERIAL
choice
prompt "Serial device"
default BOOT_SERIAL_UART if !BOARD_NRF52840DONGLE_NRF52840
default BOOT_SERIAL_CDC_ACM if BOARD_NRF52840DONGLE_NRF52840
config BOOT_SERIAL_UART
bool "UART"
# SERIAL and UART_INTERRUPT_DRIVEN already selected
config BOOT_SERIAL_CDC_ACM
bool "CDC ACM"
select USB
select USB_DEVICE_STACK
select USB_CDC_ACM
endchoice
config MCUBOOT_INDICATION_LED
bool "Turns on LED indication when device is in DFU"
default n
help
Device device activates the LED while in bootloader mode.
bootloader-led0 alias must be set in the device's .dts
definitions for this to work.
config BOOT_MAX_LINE_INPUT_LEN
int "Maximum command line length"
default 512
help
Maximum length of commands transported over the serial port.
config BOOT_SERIAL_DETECT_PORT
string "GPIO device to trigger serial recovery mode"
default GPIO_0 if SOC_FAMILY_NRF
help
Zephyr GPIO device that contains the pin used to trigger
serial recovery mode.
config BOOT_SERIAL_DETECT_PIN
int "Pin to trigger serial recovery mode"
default 6 if BOARD_NRF9160DK_NRF9160
default 11 if BOARD_NRF52840DK_NRF52840
default 13 if BOARD_NRF52DK_NRF52832
default 23 if BOARD_NRF5340PDK_NRF5340_CPUAPP || BOARD_NRF5340PDK_NRF5340_CPUAPPNS || \
BOARD_NRF5340DK_NRF5340_CPUAPP || BOARD_NRF5340DK_NRF5340_CPUAPPNS
help
Pin on the serial detect port that triggers serial recovery mode.
config BOOT_SERIAL_DETECT_PIN_VAL
int "Serial detect pin trigger value"
default 0
range 0 1
help
Logic value of the detect pin that triggers serial recovery
mode.
config BOOT_SERIAL_DETECT_DELAY
int "Serial detect pin detection delay time [ms]"
default 0
help
Used to prevent the bootloader from loading on button press.
Useful for powering on when using the same button as
the one used to place the device in bootloader mode.
# Workaround for not being able to have commas in macro arguments
DT_CHOSEN_Z_CONSOLE := zephyr,console
config RECOVERY_UART_DEV_NAME
string "UART Device Name for Recovery UART"
default "$(dt_chosen_label,$(DT_CHOSEN_Z_CONSOLE))" if HAS_DTS
default "UART_0"
depends on BOOT_SERIAL_UART
help
This option specifies the name of UART device to be used for
serial recovery.
endif # MCUBOOT_SERIAL
config BOOT_INTR_VEC_RELOC
bool "Relocate the interrupt vector to the application"
default n
depends on SW_VECTOR_RELAY || CPU_CORTEX_M_HAS_VTOR
help
Relocate the interrupt vector to the application before it is started.
Select this option if application requires vector relocation,
but it doesn't relocate vector in its reset handler.
config UPDATEABLE_IMAGE_NUMBER
int "Number of updateable images"
default 1
range 1 1 if SINGLE_APPLICATION_SLOT
help
Enables support of multi image update.
choice
prompt "Downgrade prevention"
optional
config MCUBOOT_DOWNGRADE_PREVENTION
bool "SW based downgrade prevention"
depends on BOOT_UPGRADE_ONLY
help
Prevent downgrades by enforcing incrementing version numbers.
When this option is set, any upgrade must have greater major version
or greater minor version with equal major version. This mechanism
only protects against some attacks against version downgrades (for
example, a JTAG could be used to write an older version).
config MCUBOOT_HW_DOWNGRADE_PREVENTION
bool "HW based downgrade prevention"
help
Prevent undesirable/malicious software downgrades. When this option is
set, any upgrade must have greater or equal security counter value.
Because of the acceptance of equal values it allows for software
downgrade to some extent.
endchoice
config BOOT_WATCHDOG_FEED
bool "Feed the watchdog while doing swap"
default y if SOC_FAMILY_NRF
imply NRFX_WDT
imply NRFX_WDT0
imply NRFX_WDT1
help
Enables implementation of MCUBOOT_WATCHDOG_FEED() macro which is
used to feed watchdog while doing time consuming operations.
endmenu
config MCUBOOT_DEVICE_SETTINGS
# Hidden selector for device-specific settings
bool
default y
# CPU options
select MCUBOOT_DEVICE_CPU_CORTEX_M0 if CPU_CORTEX_M0
# Enable flash page layout if available
select FLASH_PAGE_LAYOUT if FLASH_HAS_PAGE_LAYOUT
# Enable flash_map module as flash I/O back-end
select FLASH_MAP
config MCUBOOT_DEVICE_CPU_CORTEX_M0
# Hidden selector for Cortex-M0 settings
bool
default n
select SW_VECTOR_RELAY if !CPU_CORTEX_M0_HAS_VECTOR_TABLE_REMAP
comment "Zephyr configuration options"
# Disabling MULTITHREADING provides a code size advantage, but
# it requires peripheral drivers (particularly a flash driver)
# that works properly with the option enabled.
#
# If you know for sure that your hardware will work, you can default
# it to n here. Otherwise, having it on by default makes the most
# hardware work.
config MULTITHREADING
default y if BOOT_SERIAL_CDC_ACM #usb driver requires MULTITHREADING
default y if BOOT_USB_DFU_GPIO || BOOT_USB_DFU_WAIT
default n if SOC_FAMILY_NRF
default y
config LOG_IMMEDIATE
default n if MULTITHREADING
default y
config LOG_PROCESS_THREAD
default n # mcuboot has its own log processing thread
# override USB device name
config USB_DEVICE_PRODUCT
default "MCUBOOT"
# use MCUboot's own log configuration
config MCUBOOT_BOOTUTIL_LIB_OWN_LOG
bool
default n
source "Kconfig.zephyr"