shahajas
diff --git a/‎modules/trusted-firmware-m/Kconfig
Lines changed: 4 additions & 385 deletions b/‎modules/trusted-firmware-m/Kconfig
Lines changed: 4 additions & 385 deletions
@@ -1,390 +1,9 @@
 # Configuration for the TF-M Module
 
 # Copyright (c) 2019, 2020 Linaro Limited
-# Copyright (c) 2020 Nordic Semiconductor ASA
+# Copyright (c) 2020, 2021 Nordic Semiconductor ASA
 # SPDX-License-Identifier: Apache-2.0
 
-config ZEPHYR_TRUSTED_FIRMWARE_M_MODULE
-	bool
-
-config TFM_BOARD
-	string
-	default "nordic_nrf/nrf9160dk_nrf9160" if BOARD_NRF9160DK_NRF9160NS
-	default "nordic_nrf/nrf5340dk_nrf5340_cpuapp" if BOARD_NRF5340DK_NRF5340_CPUAPPNS
-	default "nxp/lpcxpresso55s69" if BOARD_LPCXPRESSO55S69_CPU0
-	default "mps2/an521" if BOARD_MPS2_AN521
-	default "stm/nucleo_l552ze_q" if BOARD_NUCLEO_L552ZE_Q
-	default "stm/stm32l562e_dk" if BOARD_STM32L562E_DK
-	default "musca_b1/sse_200" if BOARD_MUSCA_B1
-	default "musca_s1" if BOARD_MUSCA_S1
-	default "lairdconnectivity/bl5340_dvk_cpuapp" if BOARD_BL5340_DVK_CPUAPPNS
-	help
-	  The board name used for building TFM. Building with TFM requires that
-	  TFM has been ported to the given board/SoC.
-
-menuconfig BUILD_WITH_TFM
-	bool "Build with TF-M as the Secure Execution Environment"
-	select CMSIS_RTOS_V2
-	imply POLL
-	imply THREAD_NAME
-	imply THREAD_STACK_INFO
-	imply INIT_STACKS
-	imply THREAD_MONITOR
-	depends on TRUSTED_EXECUTION_NONSECURE
-	depends on TFM_BOARD != ""
-	depends on ARM_TRUSTZONE_M
-	select BUILD_OUTPUT_HEX
-	imply INIT_ARCH_HW_AT_BOOT
-	imply ARM_NONSECURE_PREEMPTIBLE_SECURE_CALLS
-	help
-	  When enabled, this option instructs the Zephyr build process to
-	  additionaly generate a TF-M image for the Secure Execution
-	  environment, along with the Zephyr image. The Zephyr image
-	  itself is to be executed in the Non-Secure Processing Environment.
-	  The required dependency on TRUSTED_EXECUTION_NONSECURE
-	  ensures that the Zephyr image is built as a Non-Secure image. Both
-	  TF-M and Zephyr images, as well as the veneer object file that links
-	  them, are generated during the normal Zephyr build process.
-
-	  Notes:
-	    Building with the "_nonsecure" BOARD variant (e.g.
-	    "mps2_an521_nonsecure") ensures that
-	    CONFIG_TRUSTED_EXECUTION_NONSECURE ie enabled.
-
-	    By default we allow Zephyr preemptible threads be preempted
-	    while performing a secure function call.
-
-if BUILD_WITH_TFM
-
-config NUM_PREEMPT_PRIORITIES
-	int
-	default 56
-
-config TFM_KEY_FILE_S
-	string "Path to private key used to sign secure firmware images."
-	depends on BUILD_WITH_TFM
-	default "${ZEPHYR_BASE}/../modules/tee/tfm/trusted-firmware-m/bl2/ext/mcuboot/root-RSA-3072.pem"
-	help
-	  The path and filename for the .pem file containing the private key
-	  that should be used by the BL2 bootloader when signing secure
-	  firmware images.
-
-config TFM_KEY_FILE_NS
-	string "Path to private key used to sign non-secure firmware images."
-	depends on BUILD_WITH_TFM
-	default "${ZEPHYR_BASE}/../modules/tee/tfm/trusted-firmware-m/bl2/ext/mcuboot/root-RSA-3072_1.pem"
-	help
-	  The path and filename for the .pem file containing the private key
-	  that should be used by the BL2 bootloader when signing non-secure
-	  firmware images.
-
-config TFM_PROFILE
-	string
-	depends on BUILD_WITH_TFM
-	default "profile_small" if TFM_PROFILE_TYPE_SMALL
-	default "profile_medium" if TFM_PROFILE_TYPE_MEDIUM
-	default "profile_large" if TFM_PROFILE_TYPE_LARGE
-	help
-	  Build profile used to build tfm_s image. The available values are
-	  profile_large, profile_medium and profile_small. The default profile
-	  does not need to have this configuration set.
-
-choice TFM_PROFILE_TYPE
-	prompt "TF-M build profile"
-	depends on BUILD_WITH_TFM
-	default TFM_PROFILE_TYPE_NOT_SET
-	help
-	  The TF-M build profile selection. Can be empty (not set),
-	  small, medium or large. Certain profile types enable other
-	  TF-M configuration options, namely, the IPC model and the
-	  isolation level.
-
-config TFM_PROFILE_TYPE_NOT_SET
-	bool "TF-M build profile is not set"
-
-config TFM_PROFILE_TYPE_SMALL
-	bool "TF-M build profile: small"
-
-config TFM_PROFILE_TYPE_MEDIUM
-	bool "TF-M build profile: medium"
-
-config TFM_PROFILE_TYPE_LARGE
-	bool "TF-M build profile: large"
-
-endchoice
-
-choice TFM_CMAKE_BUILD_TYPE
-	prompt "The build type for TFM"
-	default TFM_CMAKE_BUILD_TYPE_RELEASE if SPEED_OPTIMIZATIONS && BUILD_OUTPUT_STRIPPED
-	default TFM_CMAKE_BUILD_TYPE_MINSIZEREL if SIZE_OPTIMIZATIONS
-	default TFM_CMAKE_BUILD_TYPE_DEBUG if DEBUG_OPTIMIZATIONS
-	default TFM_CMAKE_BUILD_TYPE_RELWITHDEBINFO
-
-config TFM_CMAKE_BUILD_TYPE_RELEASE
-	bool "Release build"
-
-config TFM_CMAKE_BUILD_TYPE_RELWITHDEBINFO
-	bool "Release build with Debug info"
-
-config TFM_CMAKE_BUILD_TYPE_MINSIZEREL
-	bool "Release build, optimized for size"
-
-config TFM_CMAKE_BUILD_TYPE_DEBUG
-	bool "Debug build"
-
-endchoice
-
-config TFM_ISOLATION_LEVEL
-	int "Isolation level setting." if (TFM_PROFILE_TYPE_NOT_SET && TFM_IPC)
-	range 1 3
-	depends on BUILD_WITH_TFM
-	default 1 if TFM_PROFILE_TYPE_SMALL || !TFM_IPC
-	default 2 if TFM_PROFILE_TYPE_MEDIUM
-	default 3 if TFM_PROFILE_TYPE_LARGE
-	help
-	  Manually set the required TFM isolation level. Possible values are
-	  1,2 or 3; the default is set by build configuration. When TF-M
-	  Profile option is supplied, do not allow manual setting of the
-	  isolation level, as it is determined by the profile setting.
-	  As isolation levels 2 and 3 require PSA_API (TFM_IPC) support,
-	  force level 1 when TFM_IPC is not enabled.
-
-config TFM_BL2
-	bool "Add MCUboot to TFM"
-	default y
-	depends on !NORDIC_SECURITY_BACKEND
-	help
-	  TFM is designed to run with MCUboot in a certain configuration.
-	  This config adds MCUboot to the build - built via TFM's build system.
-	  We currently do not support builds with MCUboot and TF-M if the
-	  Nordic Security backend is used.
-
-config TFM_MCUBOOT_IMAGE_NUMBER
-	int "Granularity of FW updates of TFM and app"
-	range 1 2
-	default 2
-	help
-	  How many images the bootloader sees when it looks at TFM and the app.
-	  When this is 1, the S and NS are considered as 1 image and must be
-	  updated in one atomic operation. When this is 2, they are split and
-	  can be updated independently if dependency requirements are met.
-
-config TFM_PARTITION_PROTECTED_STORAGE
-	bool "Enable secure partition 'Protected Storage'"
-	default y
-	help
-	  Setting this option will cause '-DTFM_PARTITION_PROTECTED_STORAGE'
-	  to be passed to the TF-M build system. Look at 'config_default.cmake'
-	  in the trusted-firmware-m repository for details regarding this
-	  parameter. Any dependencies between the various TFM_PARTITION_*
-	  options are handled by the build system in the trusted-firmware-m
-	  repository.
-
-config TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
-	bool "Enable secure partition 'Internal Trusted Storage'"
-	default y
-	help
-	  Setting this option will cause '-DTFM_PARTITION_INTERNAL_TRUSTED_STORAGE'
-	  to be passed to the TF-M build system. Look at 'config_default.cmake'
-	  in the trusted-firmware-m repository for details regarding this
-	  parameter. Any dependencies between the various TFM_PARTITION_*
-	  options are handled by the build system in the trusted-firmware-m
-	  repository.
-
-menuconfig TFM_PARTITION_CRYPTO
-	bool "Enable secure partition 'Crypto'"
-	default y
-	help
-	  Setting this option will cause '-DTFM_PARTITION_CRYPTO'
-	  to be passed to the TF-M build system. Look at 'config_default.cmake'
-	  in the trusted-firmware-m repository for details regarding this
-	  parameter. Any dependencies between the various TFM_PARTITION_*
-	  options are handled by the build system in the trusted-firmware-m
-	  repository.
-
-if TFM_PARTITION_CRYPTO
-
-config TFM_CRYPTO_KEY_MODULE_ENABLED
-	bool "Enable KEY crypto module"
-	default y
-	help
-	  Enables the KEY crypto module within the crypto partition.
-	  Unset this option if the functionality provided by 'crypto_key.c'
-	  is not used.
-
-config TFM_CRYPTO_AEAD_MODULE_ENABLED
-	bool "Enable AEAD crypto module"
-	default y
-	help
-	  Enables the AEAD crypto module within the crypto partition.
-	  Unset this option if the functionality provided by 'crypto_aead.c'
-	  is not used.
-
-config TFM_CRYPTO_MAC_MODULE_ENABLED
-	bool "Enable MAC crypto module"
-	default y
-	help
-	  Enables the MAC crypto module within the crypto partition.
-	  Unset this option if the functionality provided by 'crypto_mac.c'
-	  is not used.
-
-config TFM_CRYPTO_HASH_MODULE_ENABLED
-	bool "Enable HASH crypto module"
-	default y
-	help
-	  Enables the HASH crypto module within the crypto partition.
-	  Unset this option if the functionality provided by 'crypto_hash.c'
-	  is not used.
-
-config TFM_CRYPTO_CIPHER_MODULE_ENABLED
-	bool "Enable CIPHER crypto module"
-	default y
-	help
-	  Enables the CIPHER crypto module within the crypto partition.
-	  Unset this option if the functionality provided by 'crypto_cipher.c'
-	  is not used.
-
-config TFM_CRYPTO_GENERATOR_MODULE_ENABLED
-	bool "Enable GENERATOR crypto module"
-	default y
-	help
-	  Enables the GENERATOR crypto module within the crypto partition.
-	  Unset this option if the key generation, generate, raw key and
-	  key derivation features from 'tfm_crypto_secure_api.c' is not used.
-
-config TFM_CRYPTO_ASYMMETRIC_MODULE_ENABLED
-	bool "Enable ASYMMETRIC crypto module"
-	default y
-	help
-	  Enables the ASYMMETRIC crypto module within the crypto partition.
-	  Unset this option if the functionality provided by 'crypto_asymmetric.c'
-	  is not used.
-
-config TFM_CRYPTO_KEY_DERIVATION_MODULE_ENABLED
-	bool "Enable KEY DERIVATION crypto module"
-	default y
-	help
-	  Enables the KEY_DERIVATION crypto module within the crypto partition.
-	  Unset this option if the functionality provided by 'crypto_key_derivation.c'
-	  is not used.
-
-endif # TFM_PARTITION_CRYPTO
-
-config TFM_PARTITION_INITIAL_ATTESTATION
-	bool "Enable secure partition 'Initial Attestation'"
-	default y
-	help
-	  Setting this option will cause '-DTFM_PARTITION_INITIAL_ATTESTATION'
-	  to be passed to the TF-M build system. Look at 'config_default.cmake'
-	  in the trusted-firmware-m repository for details regarding this
-	  parameter. Any dependencies between the various TFM_PARTITION_*
-	  options are handled by the build system in the trusted-firmware-m
-	  repository.
-
-config TFM_PARTITION_PLATFORM
-	bool "Enable secure partition 'Platform'"
-	default y
-	help
-	  Setting this option will cause '-DTFM_PARTITION_PLATFORM'
-	  to be passed to the TF-M build system. Look at 'config_default.cmake'
-	  in the trusted-firmware-m repository for details regarding this
-	  parameter. Any dependencies between the various TFM_PARTITION_*
-	  options are handled by the build system in the trusted-firmware-m
-	  repository.
-
-config TFM_PARTITION_AUDIT_LOG
-	bool "Enable secure partition 'Audit Log'" if !TFM_IPC
-	depends on !TFM_IPC
-	default y
-	help
-	  Setting this option will cause '-DTFM_PARTITION_AUDIT_LOG'
-	  to be passed to the TF-M build system. Look at 'config_default.cmake'
-	  in the trusted-firmware-m repository for details regarding this
-	  parameter. Any dependencies between the various TFM_PARTITION_*
-	  options are handled by the build system in the trusted-firmware-m
-	  repository.
-	  Note: the Audit Log service does not implement the IPC model
-	  interface so it may not be enabled together with IPC option.
-
-config TFM_IPC
-	bool "IPC" if TFM_PROFILE_TYPE_NOT_SET
-	default y if (TFM_PROFILE_TYPE_MEDIUM || TFM_PROFILE_TYPE_LARGE)
-	help
-	  When enabled, this option signifies that the TF-M build supports
-	  the PSA API (IPC mode) instead of the secure library mode. When
-	  TF-M Profile option is supplied, do not allow manual setting of
-	  the IPC mode, as it is determined by the profile setting.
-
-config TFM_REGRESSION_S
-	bool "TF-M Secure Regression tests"
-	help
-	  When enabled, this option signifies that the TF-M build includes
-	  the Secure domain regression tests.
-
-config TFM_REGRESSION_NS
-	bool "Use the TF-M Non-Secure Regression test application"
-	help
-	  When this is enabled, the Zephyr application as a whole will be
-	  replaced with the TF-M Non-Secure Regression test application.
-
-choice TFM_PSA_TEST
-	prompt "Enable a PSA test suite"
-	default TFM_PSA_TEST_NONE
-
-config TFM_PSA_TEST_CRYPTO
-	bool "Crypto tests"
-	depends on MAIN_STACK_SIZE >= 4096
-	help
-	  Enable the PSA Crypto test suite.
-
-config TFM_PSA_TEST_PROTECTED_STORAGE
-	bool "Storage tests"
-	help
-	  Enable the PSA Protected Storage test suite.
-
-config TFM_PSA_TEST_INTERNAL_TRUSTED_STORAGE
-	bool "Internal Trusted Storage tests"
-	help
-	  Enable the PSA Internal Trusted Storage test suite.
-
-config TFM_PSA_TEST_STORAGE
-	bool "Storage tests"
-	help
-	  Enable the PSA Storage test suite. This is a combination of the
-	  protected storage and internal trusted storage tests.
-
-config TFM_PSA_TEST_INITIAL_ATTESTATION
-	bool "Initial attestation tests"
-	depends on MAIN_STACK_SIZE >= 4096
-	help
-	  Enable the PSA Initial Attestation test suite.
-
-config TFM_PSA_TEST_NONE
-	bool "No PSA test suite"
-
-endchoice
-
-if TFM_BL2
-
-config ROM_START_OFFSET
-	hex "ROM Start Offset accounting for BL2 Header in the NS image"
-	default 0x400
-	help
-	  By default BL2 header size in TF-M is 0x400. ROM_START_OFFSET
-	  needs to be updated if TF-M switches to use a different header
-	  size for BL2.
-
-endif # !TFM_BL2
-
-# Option to instruct flashing a merged binary consisting of BL2 (optionally),
-# TF-M (Secure), and application (Non-Secure).
-config TFM_FLASH_MERGED_BINARY
-	bool
-	help
-		This option instructs west flash to program the
-		combined (merged) binary consisting of the TF-M
-		Secure firmware image, optionally, the BL2 image
-		(if building with TFM_BL2 is enabled), and the
-		Non-Secure application firmware.
-
-endif # BUILD_WITH_TFM
+rsource "Kconfig.tfm"
+rsource "Kconfig.tfm.partitions"
+rsource "Kconfig.tfm.crypto_modules"