David Vincze | 03368b8 | 2020-04-01 12:53:53 +0200 | [diff] [blame] | 1 | # Copyright (c) 2017-2020 Linaro Limited |
David Vincze | c308413 | 2020-02-18 14:50:47 +0100 | [diff] [blame] | 2 | # Copyright (c) 2020 Arm Limited |
Andrzej Puzdrowski | 64ad092 | 2017-09-22 11:33:41 +0200 | [diff] [blame] | 3 | # |
| 4 | # SPDX-License-Identifier: Apache-2.0 |
| 5 | # |
| 6 | |
Marti Bolivar | 0e091c9 | 2018-04-12 11:23:16 -0400 | [diff] [blame] | 7 | mainmenu "MCUboot configuration" |
Andrzej Puzdrowski | 64ad092 | 2017-09-22 11:33:41 +0200 | [diff] [blame] | 8 | |
Marti Bolivar | 0e091c9 | 2018-04-12 11:23:16 -0400 | [diff] [blame] | 9 | comment "MCUboot-specific configuration options" |
Andrzej Puzdrowski | 64ad092 | 2017-09-22 11:33:41 +0200 | [diff] [blame] | 10 | |
Emanuele Di Santo | 865777d | 2018-11-08 11:28:15 +0100 | [diff] [blame] | 11 | # Hidden option to mark a project as MCUboot |
| 12 | config MCUBOOT |
| 13 | default y |
| 14 | bool |
Rajavardhan Gundi | 07ba28f | 2018-12-10 15:44:48 +0530 | [diff] [blame] | 15 | select MPU_ALLOW_FLASH_WRITE if ARM_MPU |
Marcin Niestroj | c6be76a | 2020-03-22 14:39:35 +0100 | [diff] [blame] | 16 | select USE_DT_CODE_PARTITION if HAS_FLASH_LOAD_OFFSET |
Andrzej Puzdrowski | f573b39 | 2020-11-10 14:35:15 +0100 | [diff] [blame] | 17 | select MCUBOOT_BOOTUTIL_LIB |
Emanuele Di Santo | 865777d | 2018-11-08 11:28:15 +0100 | [diff] [blame] | 18 | |
Marti Bolivar | bc2fa4e | 2018-04-12 12:18:32 -0400 | [diff] [blame] | 19 | config BOOT_USE_MBEDTLS |
| 20 | bool |
| 21 | # Hidden option |
| 22 | default n |
| 23 | help |
| 24 | Use mbedTLS for crypto primitives. |
| 25 | |
| 26 | config BOOT_USE_TINYCRYPT |
| 27 | bool |
| 28 | # Hidden option |
| 29 | default n |
Sebastian Bøe | 913a385 | 2019-01-22 13:53:12 +0100 | [diff] [blame] | 30 | # When building for ECDSA, we use our own copy of mbedTLS, so the |
| 31 | # Zephyr one must not be enabled or the MBEDTLS_CONFIG_FILE macros |
| 32 | # will collide. |
| 33 | depends on ! MBEDTLS |
Marti Bolivar | bc2fa4e | 2018-04-12 12:18:32 -0400 | [diff] [blame] | 34 | help |
| 35 | Use TinyCrypt for crypto primitives. |
| 36 | |
Sigvart Hovland | ebd0503 | 2019-03-21 10:47:32 +0100 | [diff] [blame] | 37 | config BOOT_USE_CC310 |
| 38 | bool |
| 39 | # Hidden option |
| 40 | default n |
| 41 | # When building for ECDSA, we use our own copy of mbedTLS, so the |
| 42 | # Zephyr one must not be enabled or the MBEDTLS_CONFIG_FILE macros |
| 43 | # will collide. |
| 44 | depends on ! MBEDTLS |
| 45 | help |
| 46 | Use cc310 for crypto primitives. |
| 47 | |
| 48 | config BOOT_USE_NRF_CC310_BL |
| 49 | bool |
| 50 | default n |
| 51 | |
| 52 | config NRFXLIB_CRYPTO |
| 53 | bool |
| 54 | default n |
| 55 | |
| 56 | config NRF_CC310_BL |
| 57 | bool |
| 58 | default n |
| 59 | |
Andrzej Puzdrowski | 9754328 | 2018-04-12 15:16:56 +0200 | [diff] [blame] | 60 | menu "MCUBoot settings" |
| 61 | |
Andrzej Puzdrowski | fdff3e1 | 2020-09-15 08:23:25 +0200 | [diff] [blame] | 62 | config SINGLE_APPLICATION_SLOT |
| 63 | bool "Single slot bootloader" |
Dominik Ermel | 4dc3f44 | 2020-05-26 08:45:14 +0000 | [diff] [blame] | 64 | default n |
| 65 | help |
| 66 | Single image area is used for application which means that |
| 67 | uploading a new application overwrites the one that previously |
| 68 | occupied the area. |
| 69 | |
Marti Bolivar | bc2fa4e | 2018-04-12 12:18:32 -0400 | [diff] [blame] | 70 | choice |
| 71 | prompt "Signature type" |
| 72 | default BOOT_SIGNATURE_TYPE_RSA |
| 73 | |
Arvin Farahmand | fb5ec18 | 2020-05-05 11:44:12 -0400 | [diff] [blame] | 74 | config BOOT_SIGNATURE_TYPE_NONE |
| 75 | bool "No signature; use only hash check" |
| 76 | select BOOT_USE_TINYCRYPT |
| 77 | |
Marti Bolivar | bc2fa4e | 2018-04-12 12:18:32 -0400 | [diff] [blame] | 78 | config BOOT_SIGNATURE_TYPE_RSA |
| 79 | bool "RSA signatures" |
| 80 | select BOOT_USE_MBEDTLS |
Marti Bolivar | a4818a5 | 2018-04-12 13:02:38 -0400 | [diff] [blame] | 81 | select MBEDTLS |
Marti Bolivar | bc2fa4e | 2018-04-12 12:18:32 -0400 | [diff] [blame] | 82 | |
Fabio Utzig | 105b59a | 2019-05-13 15:08:12 -0700 | [diff] [blame] | 83 | if BOOT_SIGNATURE_TYPE_RSA |
| 84 | config BOOT_SIGNATURE_TYPE_RSA_LEN |
| 85 | int "RSA signature length" |
| 86 | range 2048 3072 |
| 87 | default 2048 |
| 88 | endif |
| 89 | |
Marti Bolivar | bc2fa4e | 2018-04-12 12:18:32 -0400 | [diff] [blame] | 90 | config BOOT_SIGNATURE_TYPE_ECDSA_P256 |
| 91 | bool "Elliptic curve digital signatures with curve P-256" |
Marti Bolivar | bc2fa4e | 2018-04-12 12:18:32 -0400 | [diff] [blame] | 92 | |
Sigvart Hovland | ebd0503 | 2019-03-21 10:47:32 +0100 | [diff] [blame] | 93 | if BOOT_SIGNATURE_TYPE_ECDSA_P256 |
| 94 | choice |
| 95 | prompt "Ecdsa implementation" |
Fabio Utzig | 34e93a5 | 2020-02-03 09:59:53 -0300 | [diff] [blame] | 96 | default BOOT_ECDSA_TINYCRYPT |
Håkon Øye Amundsen | ee7282d | 2020-09-28 09:48:29 +0000 | [diff] [blame] | 97 | |
Fabio Utzig | 34e93a5 | 2020-02-03 09:59:53 -0300 | [diff] [blame] | 98 | config BOOT_ECDSA_TINYCRYPT |
Sigvart Hovland | ebd0503 | 2019-03-21 10:47:32 +0100 | [diff] [blame] | 99 | bool "Use tinycrypt" |
| 100 | select BOOT_USE_TINYCRYPT |
Håkon Øye Amundsen | ee7282d | 2020-09-28 09:48:29 +0000 | [diff] [blame] | 101 | |
| 102 | config BOOT_ECDSA_CC310 |
Sigvart Hovland | ebd0503 | 2019-03-21 10:47:32 +0100 | [diff] [blame] | 103 | bool "Use CC310" |
Håkon Øye Amundsen | ee7282d | 2020-09-28 09:48:29 +0000 | [diff] [blame] | 104 | depends on HAS_HW_NRF_CC310 |
| 105 | select BOOT_USE_NRF_CC310_BL |
| 106 | select NRF_CC310_BL |
| 107 | select NRFXLIB_CRYPTO |
Sigvart Hovland | ebd0503 | 2019-03-21 10:47:32 +0100 | [diff] [blame] | 108 | select BOOT_USE_CC310 |
Håkon Øye Amundsen | ee7282d | 2020-09-28 09:48:29 +0000 | [diff] [blame] | 109 | endchoice # Ecdsa implementation |
Sigvart Hovland | ebd0503 | 2019-03-21 10:47:32 +0100 | [diff] [blame] | 110 | endif |
Fabio Utzig | 34e93a5 | 2020-02-03 09:59:53 -0300 | [diff] [blame] | 111 | |
| 112 | config BOOT_SIGNATURE_TYPE_ED25519 |
| 113 | bool "Edwards curve digital signatures using ed25519" |
| 114 | |
| 115 | if BOOT_SIGNATURE_TYPE_ED25519 |
| 116 | choice |
| 117 | prompt "Ecdsa implementation" |
| 118 | default BOOT_ED25519_TINYCRYPT |
| 119 | config BOOT_ED25519_TINYCRYPT |
| 120 | bool "Use tinycrypt" |
| 121 | select BOOT_USE_TINYCRYPT |
| 122 | config BOOT_ED25519_MBEDTLS |
| 123 | bool "Use mbedTLS" |
| 124 | select BOOT_USE_MBEDTLS |
| 125 | select MBEDTLS |
| 126 | endchoice |
| 127 | endif |
| 128 | |
Marti Bolivar | bc2fa4e | 2018-04-12 12:18:32 -0400 | [diff] [blame] | 129 | endchoice |
| 130 | |
Fabio Utzig | c690c76 | 2018-04-26 10:51:09 -0300 | [diff] [blame] | 131 | config BOOT_SIGNATURE_KEY_FILE |
| 132 | string "PEM key file" |
Håkon Øye Amundsen | 705c6c2 | 2020-09-28 09:45:40 +0000 | [diff] [blame] | 133 | default "root-ec-p256.pem" if BOOT_SIGNATURE_TYPE_ECDSA_P256 |
| 134 | default "root-ed25519.pem" if BOOT_SIGNATURE_TYPE_ED25519 |
| 135 | default "root-rsa-3072.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=3072 |
| 136 | default "root-rsa-2048.pem" if BOOT_SIGNATURE_TYPE_RSA && BOOT_SIGNATURE_TYPE_RSA_LEN=2048 |
Fabio Utzig | c690c76 | 2018-04-26 10:51:09 -0300 | [diff] [blame] | 137 | default "" |
| 138 | help |
Marek Pieta | bdcfc85 | 2020-08-04 02:22:55 -0700 | [diff] [blame] | 139 | You can use either absolute or relative path. |
| 140 | In case relative path is used, the build system assumes that it starts |
| 141 | from the directory where the MCUBoot KConfig configuration file is |
| 142 | located. If the key file is not there, the build system uses relative |
| 143 | path that starts from the MCUBoot repository root directory. |
Fabio Utzig | c690c76 | 2018-04-26 10:51:09 -0300 | [diff] [blame] | 144 | The key file will be parsed by imgtool's getpub command and a .c source |
| 145 | with the public key information will be written in a format expected by |
| 146 | MCUboot. |
| 147 | |
Andrzej Puzdrowski | 9a605b6 | 2020-03-16 13:34:30 +0100 | [diff] [blame] | 148 | config MCUBOOT_CLEANUP_ARM_CORE |
| 149 | bool "Perform core cleanup before chain-load the application" |
| 150 | depends on CPU_CORTEX_M |
Ioannis Glaropoulos | 518d93a | 2020-10-22 14:22:14 +0200 | [diff] [blame] | 151 | default y if !ARCH_SUPPORTS_ARCH_HW_INIT |
| 152 | help |
| 153 | This option instructs MCUboot to perform a clean-up of a set of |
| 154 | architecture core HW registers before junping to the application |
| 155 | firmware. The clean-up sets these registers to their warm-reset |
| 156 | values as specified by the architecture. |
| 157 | |
| 158 | By default, this option is enabled only if the architecture does |
| 159 | not have the functionality to perform such a register clean-up |
| 160 | during application firmware boot. |
| 161 | |
| 162 | Zephyr applications on Cortex-M will perform this register clean-up |
| 163 | by default, if they are chain-loadable by MCUboot, so MCUboot does |
| 164 | not need to perform such a cleanup itself. |
Andrzej Puzdrowski | 9a605b6 | 2020-03-16 13:34:30 +0100 | [diff] [blame] | 165 | |
Marti Bolivar | a4818a5 | 2018-04-12 13:02:38 -0400 | [diff] [blame] | 166 | config MBEDTLS_CFG_FILE |
| 167 | default "mcuboot-mbedtls-cfg.h" |
| 168 | |
David Vincze | 03368b8 | 2020-04-01 12:53:53 +0200 | [diff] [blame] | 169 | config BOOT_HW_KEY |
| 170 | bool "Use HW key for image verification" |
| 171 | default n |
| 172 | help |
| 173 | Use HW key for image verification, otherwise the public key is embedded |
| 174 | in MCUBoot. If enabled the public key is appended to the signed image |
| 175 | and requires the hash of the public key to be provisioned to the device |
| 176 | beforehand. |
| 177 | |
Marti Bolivar | bc2fa4e | 2018-04-12 12:18:32 -0400 | [diff] [blame] | 178 | config BOOT_VALIDATE_SLOT0 |
David Vincze | 2d736ad | 2019-02-18 11:50:22 +0100 | [diff] [blame] | 179 | bool "Validate image in the primary slot on every boot" |
Marti Bolivar | bc2fa4e | 2018-04-12 12:18:32 -0400 | [diff] [blame] | 180 | default y |
| 181 | help |
David Vincze | 2d736ad | 2019-02-18 11:50:22 +0100 | [diff] [blame] | 182 | If y, the bootloader attempts to validate the signature of the |
| 183 | primary slot every boot. This adds the signature check time to |
Marti Bolivar | bc2fa4e | 2018-04-12 12:18:32 -0400 | [diff] [blame] | 184 | every boot, but can mitigate against some changes that are |
| 185 | able to modify the flash image itself. |
| 186 | |
Andrzej Puzdrowski | fdff3e1 | 2020-09-15 08:23:25 +0200 | [diff] [blame] | 187 | if !SINGLE_APPLICATION_SLOT |
David Vincze | 5a6e181 | 2020-06-29 13:34:42 +0200 | [diff] [blame] | 188 | choice |
| 189 | prompt "Image upgrade modes" |
| 190 | default BOOT_SWAP_USING_MOVE if SOC_FAMILY_NRF |
| 191 | default BOOT_SWAP_USING_SCRATCH |
| 192 | |
| 193 | config BOOT_SWAP_USING_SCRATCH |
| 194 | bool "Swap mode that run with the scratch partition" |
| 195 | help |
| 196 | This is the most conservative swap mode but it can work even on |
| 197 | devices with heterogeneous flash page layout. |
| 198 | |
Marti Bolivar | bc2fa4e | 2018-04-12 12:18:32 -0400 | [diff] [blame] | 199 | config BOOT_UPGRADE_ONLY |
| 200 | bool "Overwrite image updates instead of swapping" |
Marti Bolivar | bc2fa4e | 2018-04-12 12:18:32 -0400 | [diff] [blame] | 201 | help |
David Vincze | 2d736ad | 2019-02-18 11:50:22 +0100 | [diff] [blame] | 202 | If y, overwrite the primary slot with the upgrade image instead |
| 203 | of swapping them. This prevents the fallback recovery, but |
Marti Bolivar | bc2fa4e | 2018-04-12 12:18:32 -0400 | [diff] [blame] | 204 | uses a much simpler code path. |
| 205 | |
Fabio Utzig | c58842e | 2019-11-28 10:30:01 -0300 | [diff] [blame] | 206 | config BOOT_SWAP_USING_MOVE |
Fabio Utzig | dd2b680 | 2020-01-06 09:10:45 -0300 | [diff] [blame] | 207 | bool "Swap mode that can run without a scratch partition" |
Fabio Utzig | c58842e | 2019-11-28 10:30:01 -0300 | [diff] [blame] | 208 | help |
| 209 | If y, the swap upgrade is done in two steps, where first every |
| 210 | sector of the primary slot is moved up one sector, then for |
| 211 | each sector X in the secondary slot, it is moved to index X in |
| 212 | the primary slot, then the sector at X+1 in the primary is |
| 213 | moved to index X in the secondary. |
| 214 | This allows a swap upgrade without using a scratch partition, |
| 215 | but is currently limited to all sectors in both slots being of |
| 216 | the same size. |
David Vincze | 5a6e181 | 2020-06-29 13:34:42 +0200 | [diff] [blame] | 217 | |
| 218 | config BOOT_DIRECT_XIP |
| 219 | bool "Run the latest image directly from its slot" |
| 220 | help |
| 221 | If y, mcuboot selects the newest valid image based on the image version |
| 222 | numbers, thereafter the selected image can run directly from its slot |
| 223 | without having to move/copy it into the primary slot. For this reason the |
| 224 | images must be linked to be executed from the given image slot. Using this |
| 225 | mode results in a simpler code path and smaller code size. |
| 226 | |
| 227 | endchoice |
Fabio Utzig | c58842e | 2019-11-28 10:30:01 -0300 | [diff] [blame] | 228 | |
David Vincze | 505fba2 | 2020-10-22 13:53:29 +0200 | [diff] [blame] | 229 | config BOOT_DIRECT_XIP_REVERT |
| 230 | bool "Enable the revert mechanism in direct-xip mode" |
Andrzej Puzdrowski | 32342e7 | 2020-11-18 17:04:44 +0100 | [diff] [blame] | 231 | depends on BOOT_DIRECT_XIP |
David Vincze | 505fba2 | 2020-10-22 13:53:29 +0200 | [diff] [blame] | 232 | default n |
| 233 | help |
| 234 | If y, enables the revert mechanism in direct-xip similar to the one in |
| 235 | swap mode. It requires the trailer magic to be added to the signed image. |
| 236 | When a reboot happens without the image being confirmed at runtime, the |
| 237 | bootloader considers the image faulty and erases it. After this it will |
| 238 | attempt to boot the previous image. The images can also be made permanent |
| 239 | (marked as confirmed in advance) just like in swap mode. |
| 240 | |
Fabio Utzig | d0533ed | 2018-12-19 07:56:33 -0200 | [diff] [blame] | 241 | config BOOT_BOOTSTRAP |
Sam Bristow | d0ca0ff | 2019-10-30 20:51:35 +1300 | [diff] [blame] | 242 | bool "Bootstrap erased the primary slot from the secondary slot" |
Fabio Utzig | d0533ed | 2018-12-19 07:56:33 -0200 | [diff] [blame] | 243 | default n |
| 244 | help |
| 245 | If y, enables bootstraping support. Bootstrapping allows an erased |
David Vincze | 2d736ad | 2019-02-18 11:50:22 +0100 | [diff] [blame] | 246 | primary slot to be initialized from a valid image in the secondary slot. |
Fabio Utzig | d0533ed | 2018-12-19 07:56:33 -0200 | [diff] [blame] | 247 | If unsure, leave at the default value. |
| 248 | |
Fabio Utzig | ca8ead2 | 2019-12-20 07:06:04 -0300 | [diff] [blame] | 249 | config BOOT_SWAP_SAVE_ENCTLV |
| 250 | bool "Save encrypted key TLVs instead of plaintext keys in swap metadata" |
| 251 | default n |
| 252 | help |
| 253 | If y, instead of saving the encrypted image keys in plaintext in the |
| 254 | swap resume metadata, save the encrypted image TLVs. This should be used |
| 255 | when there is no security mechanism protecting the data in the primary |
| 256 | slot from being dumped. If n is selected (default), the keys are written |
| 257 | after being decrypted from the image TLVs and could be read by an |
| 258 | attacker who has access to the flash contents of the primary slot (eg |
| 259 | JTAG/SWD or primary slot in external flash). |
| 260 | If unsure, leave at the default value. |
| 261 | |
Fabio Utzig | 5fe874c | 2018-08-31 07:41:50 -0300 | [diff] [blame] | 262 | config BOOT_ENCRYPT_RSA |
Fabio Utzig | 42cc29a | 2019-11-05 07:54:41 -0300 | [diff] [blame] | 263 | bool "Support for encrypted upgrade images using RSA" |
Fabio Utzig | 5fe874c | 2018-08-31 07:41:50 -0300 | [diff] [blame] | 264 | default n |
| 265 | help |
David Vincze | 2d736ad | 2019-02-18 11:50:22 +0100 | [diff] [blame] | 266 | If y, images in the secondary slot can be encrypted and are decrypted |
| 267 | on the fly when upgrading to the primary slot, as well as encrypted |
Fabio Utzig | 42cc29a | 2019-11-05 07:54:41 -0300 | [diff] [blame] | 268 | back when swapping from the primary slot to the secondary slot. The |
| 269 | encryption mechanism used in this case is RSA-OAEP (2048 bits). |
| 270 | |
| 271 | config BOOT_ENCRYPT_EC256 |
| 272 | bool "Support for encrypted upgrade images using ECIES-P256" |
| 273 | default n |
| 274 | help |
| 275 | If y, images in the secondary slot can be encrypted and are decrypted |
| 276 | on the fly when upgrading to the primary slot, as well as encrypted |
| 277 | back when swapping from the primary slot to the secondary slot. The |
| 278 | encryption mechanism used in this case is ECIES using primitives |
| 279 | described under "ECIES-P256 encryption" in docs/encrypted_images.md. |
Fabio Utzig | 5fe874c | 2018-08-31 07:41:50 -0300 | [diff] [blame] | 280 | |
Fabio Utzig | b6f014c | 2020-04-02 13:25:01 -0300 | [diff] [blame] | 281 | config BOOT_ENCRYPT_X25519 |
| 282 | bool "Support for encrypted upgrade images using ECIES-X25519" |
| 283 | default n |
| 284 | help |
| 285 | If y, images in the secondary slot can be encrypted and are decrypted |
| 286 | on the fly when upgrading to the primary slot, as well as encrypted |
| 287 | back when swapping from the primary slot to the secondary slot. The |
| 288 | encryption mechanism used in this case is ECIES using primitives |
| 289 | described under "ECIES-X25519 encryption" in docs/encrypted_images.md. |
David Vincze | 505fba2 | 2020-10-22 13:53:29 +0200 | [diff] [blame] | 290 | endif # !SINGLE_APPLICATION_SLOT |
Fabio Utzig | b6f014c | 2020-04-02 13:25:01 -0300 | [diff] [blame] | 291 | |
Marti Bolivar | 0e091c9 | 2018-04-12 11:23:16 -0400 | [diff] [blame] | 292 | config BOOT_MAX_IMG_SECTORS |
| 293 | int "Maximum number of sectors per image slot" |
| 294 | default 128 |
| 295 | help |
| 296 | This option controls the maximum number of sectors that each of |
| 297 | the two image areas can contain. Smaller values reduce MCUboot's |
| 298 | memory usage; larger values allow it to support larger images. |
| 299 | If unsure, leave at the default value. |
| 300 | |
Emanuele Di Santo | 205c8c6 | 2018-07-20 11:42:31 +0200 | [diff] [blame] | 301 | config BOOT_ERASE_PROGRESSIVELY |
| 302 | bool "Erase flash progressively when receiving new firmware" |
Bernt Johan Damslora | a2fad12 | 2019-09-20 18:25:34 +0200 | [diff] [blame] | 303 | default y if SOC_FAMILY_NRF |
Emanuele Di Santo | 205c8c6 | 2018-07-20 11:42:31 +0200 | [diff] [blame] | 304 | help |
| 305 | If enabled, flash is erased as necessary when receiving new firmware, |
| 306 | instead of erasing the whole image slot at once. This is necessary |
| 307 | on some hardware that has long erase times, to prevent long wait |
| 308 | times at the beginning of the DFU process. |
| 309 | |
David Vincze | 1cf11b5 | 2020-03-24 07:51:09 +0100 | [diff] [blame] | 310 | config MEASURED_BOOT |
| 311 | bool "Store the boot state/measurements in shared memory" |
| 312 | default n |
| 313 | help |
| 314 | If enabled, the bootloader will store certain boot measurements such as |
| 315 | the hash of the firmware image in a shared memory area. This data can |
| 316 | be used later by runtime services (e.g. by a device attestation service). |
| 317 | |
| 318 | config BOOT_SHARE_DATA |
| 319 | bool "Save application specific data in shared memory area" |
| 320 | default n |
| 321 | |
Tamas Ban | fce8733 | 2020-07-10 12:40:11 +0100 | [diff] [blame] | 322 | choice |
| 323 | prompt "Fault injection hardening profile" |
| 324 | default BOOT_FIH_PROFILE_OFF |
| 325 | |
| 326 | config BOOT_FIH_PROFILE_OFF |
| 327 | bool "No hardening against hardware level fault injection" |
| 328 | help |
| 329 | No hardening in SW against hardware level fault injection: power or |
| 330 | clock glitching, etc. |
| 331 | |
| 332 | config BOOT_FIH_PROFILE_LOW |
| 333 | bool "Moderate level hardening against hardware level fault injection" |
| 334 | help |
| 335 | Moderate level hardening: Long global fail loop to avoid break out, |
| 336 | control flow integrity check to discover discrepancy in expected code |
| 337 | flow. |
| 338 | |
| 339 | config BOOT_FIH_PROFILE_MEDIUM |
| 340 | bool "Medium level hardening against hardware level fault injection" |
| 341 | help |
| 342 | Medium level hardening: Long global fail loop to avoid break out, |
| 343 | control flow integrity check to discover discrepancy in expected code |
| 344 | flow, double variables to discover register or memory corruption. |
| 345 | |
| 346 | config BOOT_FIH_PROFILE_HIGH |
| 347 | bool "Maximum level hardening against hardware level fault injection" |
| 348 | select MBEDTLS |
| 349 | help |
| 350 | Maximum level hardening: Long global fail loop to avoid break out, |
| 351 | control flow integrity check to discover discrepancy in expected code |
| 352 | flow, double variables to discover register or memory corruption, random |
| 353 | delays to make code execution less predictable. Random delays requires an |
| 354 | entropy source. |
| 355 | |
| 356 | endchoice |
| 357 | |
Josh Gao | 837cf88 | 2020-11-13 18:51:27 -0800 | [diff] [blame] | 358 | choice BOOT_USB_DFU |
| 359 | prompt "USB DFU" |
| 360 | default BOOT_USB_DFU_NO |
| 361 | |
| 362 | config BOOT_USB_DFU_NO |
| 363 | prompt "Disabled" |
| 364 | |
| 365 | config BOOT_USB_DFU_WAIT |
Rajavardhan Gundi | 51c9d70 | 2019-02-20 14:08:52 +0530 | [diff] [blame] | 366 | bool "Wait for a prescribed duration to see if USB DFU is invoked" |
Rajavardhan Gundi | 51c9d70 | 2019-02-20 14:08:52 +0530 | [diff] [blame] | 367 | select USB |
| 368 | select USB_DFU_CLASS |
| 369 | select IMG_MANAGER |
| 370 | help |
| 371 | If y, MCUboot waits for a prescribed duration of time to allow |
| 372 | for USB DFU to be invoked. Please note DFU always updates the |
| 373 | slot1 image. |
| 374 | |
Josh Gao | 837cf88 | 2020-11-13 18:51:27 -0800 | [diff] [blame] | 375 | config BOOT_USB_DFU_GPIO |
| 376 | bool "Use GPIO to detect whether to trigger DFU mode" |
| 377 | select USB |
| 378 | select USB_DFU_CLASS |
| 379 | select IMG_MANAGER |
| 380 | help |
| 381 | If y, MCUboot uses GPIO to detect whether to invoke USB DFU. |
| 382 | |
| 383 | endchoice |
| 384 | |
| 385 | config BOOT_USB_DFU_WAIT_DELAY_MS |
| 386 | int "USB DFU wait duration" |
| 387 | depends on BOOT_USB_DFU_WAIT |
| 388 | default 12000 |
| 389 | help |
| 390 | Milliseconds to wait for USB DFU to be invoked. |
| 391 | |
| 392 | if BOOT_USB_DFU_GPIO |
| 393 | |
| 394 | config BOOT_USB_DFU_DETECT_PORT |
| 395 | string "GPIO device to trigger USB DFU mode" |
| 396 | default GPIO_0 if SOC_FAMILY_NRF |
| 397 | help |
| 398 | Zephyr GPIO device that contains the pin used to trigger |
| 399 | USB DFU. |
| 400 | |
| 401 | config BOOT_USB_DFU_DETECT_PIN |
| 402 | int "Pin to trigger USB DFU mode" |
| 403 | default 6 if BOARD_NRF9160DK_NRF9160 |
| 404 | default 11 if BOARD_NRF52840DK_NRF52840 |
| 405 | default 13 if BOARD_NRF52DK_NRF52832 |
| 406 | default 23 if BOARD_NRF5340_DK_NRF5340_CPUAPP || BOARD_NRF5340_DK_NRF5340_CPUAPPNS |
Jamie McCrae | 10a8112 | 2021-05-04 10:52:17 +0100 | [diff] [blame] | 407 | default 43 if BOARD_BL5340_DVK_CPUAPP || BOARD_BL5340_DVK_CPUAPPNS |
Josh Gao | 837cf88 | 2020-11-13 18:51:27 -0800 | [diff] [blame] | 408 | help |
| 409 | Pin on the DFU detect port that triggers DFU mode. |
| 410 | |
| 411 | config BOOT_USB_DFU_DETECT_PIN_VAL |
| 412 | int "USB DFU detect pin trigger value" |
| 413 | default 0 |
| 414 | range 0 1 |
| 415 | help |
| 416 | Logic value of the detect pin that triggers USB DFU mode. |
| 417 | |
| 418 | config BOOT_USB_DFU_DETECT_DELAY |
| 419 | int "Serial detect pin detection delay time [ms]" |
| 420 | default 0 |
| 421 | help |
| 422 | Used to prevent the bootloader from loading on button press. |
| 423 | Useful for powering on when using the same button as |
| 424 | the one used to place the device in bootloader mode. |
| 425 | |
| 426 | endif # BOOT_USB_DFU_GPIO |
| 427 | |
Marti Bolivar | bc2fa4e | 2018-04-12 12:18:32 -0400 | [diff] [blame] | 428 | config ZEPHYR_TRY_MASS_ERASE |
| 429 | bool "Try to mass erase flash when flashing MCUboot image" |
| 430 | default y |
| 431 | help |
| 432 | If y, attempt to configure the Zephyr build system's "flash" |
| 433 | target to mass-erase the flash device before flashing the |
| 434 | MCUboot image. This ensures the scratch and other partitions |
| 435 | are in a consistent state. |
| 436 | |
| 437 | This is not available for all targets. |
| 438 | |
David Brown | f6d14c2 | 2019-12-10 15:36:36 -0700 | [diff] [blame] | 439 | config BOOT_USE_BENCH |
| 440 | bool "Enable benchmark code" |
| 441 | default n |
| 442 | help |
| 443 | If y, adds support for simple benchmarking that can record |
| 444 | time intervals between two calls. The time printed depends |
| 445 | on the particular Zephyr target, and is generally ticks of a |
| 446 | specific board-specific timer. |
| 447 | |
Michael Scott | 74ceae5 | 2019-02-01 14:01:09 -0800 | [diff] [blame] | 448 | module = MCUBOOT |
Piotr Mienkowski | 15aa6ef | 2019-04-08 22:48:15 +0200 | [diff] [blame] | 449 | module-str = MCUBoot bootloader |
Michael Scott | 74ceae5 | 2019-02-01 14:01:09 -0800 | [diff] [blame] | 450 | source "subsys/logging/Kconfig.template.log_config" |
Michael Scott | 74ceae5 | 2019-02-01 14:01:09 -0800 | [diff] [blame] | 451 | |
Andrzej Puzdrowski | af14853 | 2020-02-25 12:51:26 +0100 | [diff] [blame] | 452 | config MCUBOOT_LOG_THREAD_STACK_SIZE |
| 453 | int "Stack size for the MCUBoot log processing thread" |
| 454 | depends on LOG && !LOG_IMMEDIATE |
| 455 | default 2048 if COVERAGE_GCOV |
| 456 | default 1024 if NO_OPTIMIZATIONS |
| 457 | default 1024 if XTENSA |
| 458 | default 4096 if (X86 && X86_64) |
| 459 | default 4096 if ARM64 |
| 460 | default 768 |
| 461 | help |
| 462 | Set the internal stack size for MCUBoot log processing thread. |
| 463 | |
Marti Bolivar | 0e091c9 | 2018-04-12 11:23:16 -0400 | [diff] [blame] | 464 | menuconfig MCUBOOT_SERIAL |
| 465 | bool "MCUboot serial recovery" |
| 466 | default n |
| 467 | select REBOOT |
Emanuele Di Santo | 30a9265 | 2019-01-16 14:01:08 +0100 | [diff] [blame] | 468 | select GPIO |
Marti Bolivar | 0e091c9 | 2018-04-12 11:23:16 -0400 | [diff] [blame] | 469 | select SERIAL |
Emanuele Di Santo | 30a9265 | 2019-01-16 14:01:08 +0100 | [diff] [blame] | 470 | select UART_INTERRUPT_DRIVEN |
Marti Bolivar | 0e091c9 | 2018-04-12 11:23:16 -0400 | [diff] [blame] | 471 | select BASE64 |
| 472 | select TINYCBOR |
| 473 | help |
| 474 | If y, enables a serial-port based update mode. This allows |
| 475 | MCUboot itself to load update images into flash over a UART. |
| 476 | If unsure, leave at the default value. |
| 477 | |
| 478 | if MCUBOOT_SERIAL |
| 479 | |
Emanuele Di Santo | c4bf780 | 2018-07-20 11:39:57 +0200 | [diff] [blame] | 480 | choice |
| 481 | prompt "Serial device" |
Andrzej Puzdrowski | f4a9a9d | 2020-04-24 12:31:51 +0200 | [diff] [blame] | 482 | default BOOT_SERIAL_UART if !BOARD_NRF52840DONGLE_NRF52840 |
| 483 | default BOOT_SERIAL_CDC_ACM if BOARD_NRF52840DONGLE_NRF52840 |
Emanuele Di Santo | c4bf780 | 2018-07-20 11:39:57 +0200 | [diff] [blame] | 484 | |
| 485 | config BOOT_SERIAL_UART |
| 486 | bool "UART" |
| 487 | # SERIAL and UART_INTERRUPT_DRIVEN already selected |
| 488 | |
| 489 | config BOOT_SERIAL_CDC_ACM |
| 490 | bool "CDC ACM" |
| 491 | select USB |
| 492 | select USB_DEVICE_STACK |
| 493 | select USB_CDC_ACM |
| 494 | |
| 495 | endchoice |
| 496 | |
Jared Wolff | 8e4d791 | 2021-01-21 19:34:05 -0500 | [diff] [blame] | 497 | config MCUBOOT_INDICATION_LED |
| 498 | bool "Turns on LED indication when device is in DFU" |
| 499 | default n |
| 500 | help |
| 501 | Device device activates the LED while in bootloader mode. |
| 502 | bootloader-led0 alias must be set in the device's .dts |
| 503 | definitions for this to work. |
| 504 | |
Marti Bolivar | 0e091c9 | 2018-04-12 11:23:16 -0400 | [diff] [blame] | 505 | config BOOT_MAX_LINE_INPUT_LEN |
| 506 | int "Maximum command line length" |
| 507 | default 512 |
| 508 | help |
| 509 | Maximum length of commands transported over the serial port. |
| 510 | |
| 511 | config BOOT_SERIAL_DETECT_PORT |
| 512 | string "GPIO device to trigger serial recovery mode" |
| 513 | default GPIO_0 if SOC_FAMILY_NRF |
| 514 | help |
Josh Gao | 837cf88 | 2020-11-13 18:51:27 -0800 | [diff] [blame] | 515 | Zephyr GPIO device that contains the pin used to trigger |
Marti Bolivar | 0e091c9 | 2018-04-12 11:23:16 -0400 | [diff] [blame] | 516 | serial recovery mode. |
| 517 | |
| 518 | config BOOT_SERIAL_DETECT_PIN |
| 519 | int "Pin to trigger serial recovery mode" |
Andrzej Puzdrowski | f4a9a9d | 2020-04-24 12:31:51 +0200 | [diff] [blame] | 520 | default 6 if BOARD_NRF9160DK_NRF9160 |
Andrzej Puzdrowski | fefdea2 | 2020-03-27 09:41:14 +0100 | [diff] [blame] | 521 | default 11 if BOARD_NRF52840DK_NRF52840 |
Andrzej Puzdrowski | f4a9a9d | 2020-04-24 12:31:51 +0200 | [diff] [blame] | 522 | default 13 if BOARD_NRF52DK_NRF52832 |
Ole Sæther | 83ec842 | 2020-11-25 13:26:21 +0100 | [diff] [blame] | 523 | default 23 if BOARD_NRF5340PDK_NRF5340_CPUAPP || BOARD_NRF5340PDK_NRF5340_CPUAPPNS || \ |
| 524 | BOARD_NRF5340DK_NRF5340_CPUAPP || BOARD_NRF5340DK_NRF5340_CPUAPPNS |
Marti Bolivar | 0e091c9 | 2018-04-12 11:23:16 -0400 | [diff] [blame] | 525 | help |
Josh Gao | 837cf88 | 2020-11-13 18:51:27 -0800 | [diff] [blame] | 526 | Pin on the serial detect port that triggers serial recovery mode. |
Marti Bolivar | 0e091c9 | 2018-04-12 11:23:16 -0400 | [diff] [blame] | 527 | |
| 528 | config BOOT_SERIAL_DETECT_PIN_VAL |
| 529 | int "Serial detect pin trigger value" |
| 530 | default 0 |
| 531 | range 0 1 |
| 532 | help |
Josh Gao | 837cf88 | 2020-11-13 18:51:27 -0800 | [diff] [blame] | 533 | Logic value of the detect pin that triggers serial recovery |
Marti Bolivar | 0e091c9 | 2018-04-12 11:23:16 -0400 | [diff] [blame] | 534 | mode. |
| 535 | |
Jared Wolff | 8e4d791 | 2021-01-21 19:34:05 -0500 | [diff] [blame] | 536 | config BOOT_SERIAL_DETECT_DELAY |
Jared Wolff | df8e974 | 2021-02-04 11:17:00 -0500 | [diff] [blame] | 537 | int "Serial detect pin detection delay time [ms]" |
Jared Wolff | 8e4d791 | 2021-01-21 19:34:05 -0500 | [diff] [blame] | 538 | default 0 |
| 539 | help |
| 540 | Used to prevent the bootloader from loading on button press. |
| 541 | Useful for powering on when using the same button as |
| 542 | the one used to place the device in bootloader mode. |
| 543 | |
Andrzej Puzdrowski | f000480 | 2019-10-01 14:13:35 +0200 | [diff] [blame] | 544 | # Workaround for not being able to have commas in macro arguments |
| 545 | DT_CHOSEN_Z_CONSOLE := zephyr,console |
| 546 | |
| 547 | config RECOVERY_UART_DEV_NAME |
| 548 | string "UART Device Name for Recovery UART" |
| 549 | default "$(dt_chosen_label,$(DT_CHOSEN_Z_CONSOLE))" if HAS_DTS |
| 550 | default "UART_0" |
| 551 | depends on BOOT_SERIAL_UART |
| 552 | help |
| 553 | This option specifies the name of UART device to be used for |
| 554 | serial recovery. |
| 555 | |
Marti Bolivar | 0e091c9 | 2018-04-12 11:23:16 -0400 | [diff] [blame] | 556 | endif # MCUBOOT_SERIAL |
Andrzej Puzdrowski | 64ad092 | 2017-09-22 11:33:41 +0200 | [diff] [blame] | 557 | |
Rafał Kuźnia | d854bb6 | 2020-06-17 15:06:47 +0200 | [diff] [blame] | 558 | config BOOT_INTR_VEC_RELOC |
| 559 | bool "Relocate the interrupt vector to the application" |
| 560 | default n |
| 561 | depends on SW_VECTOR_RELAY || CPU_CORTEX_M_HAS_VTOR |
| 562 | help |
| 563 | Relocate the interrupt vector to the application before it is started. |
| 564 | Select this option if application requires vector relocation, |
| 565 | but it doesn't relocate vector in its reset handler. |
| 566 | |
Andrzej Puzdrowski | 16b6d15 | 2020-06-01 14:16:54 +0200 | [diff] [blame] | 567 | config UPDATEABLE_IMAGE_NUMBER |
| 568 | int "Number of updateable images" |
| 569 | default 1 |
Andrzej Puzdrowski | fdff3e1 | 2020-09-15 08:23:25 +0200 | [diff] [blame] | 570 | range 1 1 if SINGLE_APPLICATION_SLOT |
Andrzej Puzdrowski | 16b6d15 | 2020-06-01 14:16:54 +0200 | [diff] [blame] | 571 | help |
| 572 | Enables support of multi image update. |
| 573 | |
| 574 | choice |
| 575 | prompt "Downgrade prevention" |
| 576 | optional |
| 577 | |
| 578 | config MCUBOOT_DOWNGRADE_PREVENTION |
| 579 | bool "SW based downgrade prevention" |
| 580 | depends on BOOT_UPGRADE_ONLY |
| 581 | help |
| 582 | Prevent downgrades by enforcing incrementing version numbers. |
| 583 | When this option is set, any upgrade must have greater major version |
| 584 | or greater minor version with equal major version. This mechanism |
| 585 | only protects against some attacks against version downgrades (for |
| 586 | example, a JTAG could be used to write an older version). |
| 587 | |
| 588 | config MCUBOOT_HW_DOWNGRADE_PREVENTION |
| 589 | bool "HW based downgrade prevention" |
| 590 | help |
| 591 | Prevent undesirable/malicious software downgrades. When this option is |
| 592 | set, any upgrade must have greater or equal security counter value. |
| 593 | Because of the acceptance of equal values it allows for software |
| 594 | downgrade to some extent. |
| 595 | |
| 596 | endchoice |
| 597 | |
Andrzej Puzdrowski | d21442a | 2020-10-12 16:47:28 +0200 | [diff] [blame] | 598 | config BOOT_WATCHDOG_FEED |
| 599 | bool "Feed the watchdog while doing swap" |
| 600 | default y if SOC_FAMILY_NRF |
| 601 | imply NRFX_WDT |
| 602 | imply NRFX_WDT0 |
| 603 | imply NRFX_WDT1 |
| 604 | help |
| 605 | Enables implementation of MCUBOOT_WATCHDOG_FEED() macro which is |
| 606 | used to feed watchdog while doing time consuming operations. |
| 607 | |
Andrzej Puzdrowski | 9754328 | 2018-04-12 15:16:56 +0200 | [diff] [blame] | 608 | endmenu |
| 609 | |
Carles Cufi | 84ede58 | 2018-01-29 15:12:00 +0100 | [diff] [blame] | 610 | config MCUBOOT_DEVICE_SETTINGS |
| 611 | # Hidden selector for device-specific settings |
| 612 | bool |
| 613 | default y |
| 614 | # CPU options |
| 615 | select MCUBOOT_DEVICE_CPU_CORTEX_M0 if CPU_CORTEX_M0 |
Carles Cufi | 67c792e | 2018-01-29 15:14:31 +0100 | [diff] [blame] | 616 | # Enable flash page layout if available |
| 617 | select FLASH_PAGE_LAYOUT if FLASH_HAS_PAGE_LAYOUT |
Andrzej Puzdrowski | b788c71 | 2018-04-12 12:42:49 +0200 | [diff] [blame] | 618 | # Enable flash_map module as flash I/O back-end |
| 619 | select FLASH_MAP |
Carles Cufi | 84ede58 | 2018-01-29 15:12:00 +0100 | [diff] [blame] | 620 | |
| 621 | config MCUBOOT_DEVICE_CPU_CORTEX_M0 |
| 622 | # Hidden selector for Cortex-M0 settings |
| 623 | bool |
| 624 | default n |
| 625 | select SW_VECTOR_RELAY if !CPU_CORTEX_M0_HAS_VECTOR_TABLE_REMAP |
| 626 | |
Marti Bolivar | 0e091c9 | 2018-04-12 11:23:16 -0400 | [diff] [blame] | 627 | comment "Zephyr configuration options" |
Andrzej Puzdrowski | 64ad092 | 2017-09-22 11:33:41 +0200 | [diff] [blame] | 628 | |
Marti Bolivar | f84cc4b | 2019-08-20 16:06:56 -0700 | [diff] [blame] | 629 | # Disabling MULTITHREADING provides a code size advantage, but |
| 630 | # it requires peripheral drivers (particularly a flash driver) |
| 631 | # that works properly with the option enabled. |
| 632 | # |
| 633 | # If you know for sure that your hardware will work, you can default |
| 634 | # it to n here. Otherwise, having it on by default makes the most |
| 635 | # hardware work. |
| 636 | config MULTITHREADING |
Andrzej Puzdrowski | 9a4946c | 2020-02-20 12:39:12 +0100 | [diff] [blame] | 637 | default y if BOOT_SERIAL_CDC_ACM #usb driver requires MULTITHREADING |
Josh Gao | 837cf88 | 2020-11-13 18:51:27 -0800 | [diff] [blame] | 638 | default y if BOOT_USB_DFU_GPIO || BOOT_USB_DFU_WAIT |
Marti Bolivar | f84cc4b | 2019-08-20 16:06:56 -0700 | [diff] [blame] | 639 | default n if SOC_FAMILY_NRF |
| 640 | default y |
| 641 | |
Andrzej Puzdrowski | 9a4946c | 2020-02-20 12:39:12 +0100 | [diff] [blame] | 642 | config LOG_IMMEDIATE |
| 643 | default n if MULTITHREADING |
Andrzej Puzdrowski | 3f092bd | 2020-02-17 13:25:32 +0100 | [diff] [blame] | 644 | default y |
| 645 | |
| 646 | config LOG_PROCESS_THREAD |
| 647 | default n # mcuboot has its own log processing thread |
| 648 | |
| 649 | # override USB device name |
| 650 | config USB_DEVICE_PRODUCT |
| 651 | default "MCUBOOT" |
Andrzej Puzdrowski | 9a4946c | 2020-02-20 12:39:12 +0100 | [diff] [blame] | 652 | |
Andrzej Puzdrowski | f573b39 | 2020-11-10 14:35:15 +0100 | [diff] [blame] | 653 | # use MCUboot's own log configuration |
| 654 | config MCUBOOT_BOOTUTIL_LIB_OWN_LOG |
| 655 | bool |
| 656 | default n |
| 657 | |
Robert Lubos | 1b19d2a | 2020-01-31 14:05:35 +0100 | [diff] [blame] | 658 | source "Kconfig.zephyr" |