.. toctree::
:maxdepth: 1
:glob:
build_configuration.rst
Component configuration <header_file_system>
Kconfig <kconfig_system>
Profiles <profiles/index>
test_configuration.rst
TF-M is highly configurable project with many configuration options to meet a user needs. A user can select the desired set of services and fine-tune them to their requirements. There are two types of configuration options
- Build configuration
- Specifies which file or component to include into compilation and build. These are options, usually used by a build system to enable/disable modules, specify location of external dependency or other selection, global to a project. These option set shall be considered while adopting TF-M to other build systems. In the :ref:`Base_configuration` table these options have Build type.
- Component configuration
- To adjust a particular parameter to a desired value. Those options are local to a component or externally referenced when components are coupled. Options are in C header file. The :ref:`Header_configuration` has more details about it. In the :ref:`Base_configuration` table these options have Component type.
Note
Originally, TF-M used CMake variables for both building and component tuning purposes. It was convenient to have a single system for both building and component's configurations. To simplify and improve configurability and better support build systems other than a CMake, TF-M introduced a :ref:`Header_configuration` and moved component options into a dedicated config headers.
TF-M Project provides a base build, defined in /config/config_base.cmake
and /config/config_base.h.
Starting from the base, users can enable required services and features using several
independent methods to configure TF-M.
- Use :ref:`tf-m_profiles`.
- There are 4 sets of predefined configurations for a elected use cases, called profiles. A user can select a profile by providing -DTFM_PROFILE=<profile file name>. Each profiles represented by a pair of configuration files for Building (CMake) options and Component options (.h file)
- Use a custom profile.
- Another method is to take existing TF-M profile and adjust the desired options manually editing CMake and config header files. This is for users familiar with TF-M.
- Use :ref:`Kconfig_system`.
- This method is recommended for beginners. Starting from the base configuration a user can enable necessary services and options. KConfig ensurers that all selected options are consistent and valid. This is new in v1.7.0 and it covers only SPM and PSA services. As an output KConfig produces a pair of configuration files, similar to a profile.
Note
In contrast, before TF-M v1.7.0, the default build includes all possible features. With growing functionality, such rich default build became unpractical by not fitting into every platform and confusing of big memory requirements.
A project configuration performed in multiple steps with priorities. The list below explains the process but for the details specific to :ref:`tfm_cmake_configuration` or :ref:`Header_configuration` please check the corresponded document.
- The base configuration with default values is used as a starting point
- A profile options applied on top of the base
- A platform can check the selected configuration and apply restrictions
- Finally, command line options can modify the composed set
Note
To ensure a clear intention and conscious choice, all options must be provided explicitly via a project configuration file. Default values on step 1 will generate warnings which expected to break a build.
The base configuration is the ground for configuring TF-M, provided defaults
are defined in /config/config_base.cmake and /config/config_base.h.
The base build includes SPM and platform code only.
This table lists the config option categorizations of the SPM and Secure Partitions.
| Options | Type | Base Value |
|---|---|---|
| TFM_PARTITION_CRYPTO | Build | OFF |
| CRYPTO_TFM_BUILTIN_KEYS_DRIVER | Build | ON |
| CRYPTO_NV_SEED | Component | ON |
| CRYPTO_ENGINE_BUF_SIZE | Component | 0x2080 |
| CRYPTO_IOVEC_BUFFER_SIZE | Component | 5120 |
| CRYPTO_STACK_SIZE | Component | 0x1B00 |
| CRYPTO_CONC_OPER_NUM | Component | 8 |
| CRYPTO_RNG_MODULE_ENABLED | Component | 1 |
| CRYPTO_KEY_MODULE_ENABLED | Component | 1 |
| CRYPTO_AEAD_MODULE_ENABLED | Component | 1 |
| CRYPTO_MAC_MODULE_ENABLED | Component | 1 |
| CRYPTO_HASH_MODULE_ENABLED | Component | 1 |
| CRYPTO_CIPHER_MODULE_ENABLED | Component | 1 |
| CRYPTO_ASYM_SIGN_MODULE_ENABLED | Component | 1 |
| CRYPTO_ASYM_ENCRYPT_MODULE_ENABLED | Component | 1 |
| CRYPTO_KEY_DERIVATION_MODULE_ENABLED | Component | 1 |
| CRYPTO_SINGLE_PART_FUNCS_ENABLED | Component | 1 |
| Options | Type | Base Value |
|---|---|---|
| TFM_PARTITION_INITIAL_ATTESTATION | Build | OFF |
| SYMMETRIC_INITIAL_ATTESTATION | Build | OFF |
| ATTEST_INCLUDE_TEST_CODE | Build | OFF |
| ATTEST_KEY_BITS | Build | 256 |
| ATTEST_TOKEN_PROFILE | Component | "PSA_IOT_1" |
| ATTEST_INCLUDE_OPTIONAL_CLAIMS | Component | 1 |
| ATTEST_INCLUDE_COSE_KEY_ID | Component | 0 |
| ATTEST_STACK_SIZE | Component | 0x700 |
| Options | Type | Base Value |
|---|---|---|
| TFM_PARTITION_INTERNAL_TRUSTED_STORAGE | Build | OFF |
| ITS_CREATE_FLASH_LAYOUT | Component | 1 |
| ITS_RAM_FS | Component | 0 |
| ITS_VALIDATE_METADATA_FROM_FLASH | Component | 1 |
| ITS_MAX_ASSET_SIZE | Component | 512 |
| ITS_NUM_ASSETS | Component | 10 |
| ITS_BUF_SIZE | Component | ITS_MAX_ASSET_SIZE |
| ITS_STACK_SIZE | Component | 0x720 |
| Options | Type | Base Value |
|---|---|---|
| TFM_PARTITION_PROTECTED_STORAGE | Build | OFF |
| PS_ENCRYPTION | Build | ON |
| PS_CRYPTO_AEAD_ALG | Build | PSA_ALG_GCM |
| PS_CREATE_FLASH_LAYOUT | Component | 1 |
| PS_RAM_FS | Component | 0 |
| PS_VALIDATE_METADATA_FROM_FLASH | Component | 1 |
| PS_MAX_ASSET_SIZE | Component | 2048 |
| PS_NUM_ASSETS | Component | 10 |
| PS_ROLLBACK_PROTECTION | Component | 1 |
| PS_STACK_SIZE | Component | 0x700 |
| Options | Type | Base Value |
|---|---|---|
| PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT | Build | OFF |
| TFM_PARTITION_FIRMWARE_UPDATE | Build | OFF |
| TFM_CONFIG_FWU_MAX_WRITE_SIZE | Build | 1024 |
| TFM_CONFIG_FWU_MAX_MANIFEST_SIZE | Build | 0 |
| FWU_DEVICE_CONFIG_FILE | Build | "" |
| FWU_SUPPORT_TRIAL_STATE | Build | Depends on MCUBOOT_UPGRADE_STRATEGY |
| TFM_FWU_BOOTLOADER_LIB | Build | "mcuboot" |
| TFM_FWU_BUF_SIZE | Component | PSA_FWU_MAX_BLOCK_SIZE |
| FWU_STACK_SIZE | Component | 0x600 |
| Options | Type | Base Value |
|---|---|---|
| TFM_PARTITION_PLATFORM | Build | OFF |
| PLATFORM_SERVICE_INPUT_BUFFER_SIZE | Component | 64 |
| PLATFORM_SERVICE_OUTPUT_BUFFER_SIZE | Component | 64 |
| PLATFORM_SP_STACK_SIZE | Component | 0x500 |
| PLATFORM_NV_COUNTER_MODULE_DISABLED | Component | 0 |
| Options | Type | Base Value |
|---|---|---|
| NS_AGENT_MAILBOX_STACK_SIZE | Component | 0x800 |
| Options | Type | Base Values |
|---|---|---|
| TFM_ISOLATION_LEVEL | Build | 1 |
| PSA_FRAMEWORK_HAS_MM_IOVEC | Build | OFF |
| CONFIG_TFM_SPM_BACKEND | Build | "SFN" |
| TFM_SPM_LOG_LEVEL | Build | 1 |
| CONFIG_TFM_CONN_HANDLE_MAX_NUM | Component | 8 |
| CONFIG_TFM_DOORBELL_API | Component | 0 |
| CONFIG_TFM_SCHEDULE_WHEN_NS_INTERRUPTED | Component | 0 |
Copyright (c) 2022, Arm Limited. All rights reserved. Copyright (c) 2023 Cypress Semiconductor Corporation (an Infineon company) or an affiliate of Cypress Semiconductor Corporation. All rights reserved.