1# General configuration options
2
3# Copyright (c) 2014-2015 Wind River Systems, Inc.
4# Copyright (c) 2016 Intel Corporation
5# Copyright (c) 2023 Nordic Semiconductor ASA
6# SPDX-License-Identifier: Apache-2.0
7
8config MCUBOOT
9	bool
10	help
11	  Hidden option used to indicate that the current image is MCUBoot
12
13config BOOTLOADER_MCUBOOT
14	bool "MCUboot bootloader support"
15	select USE_DT_CODE_PARTITION if !MCUBOOT_BOOTLOADER_MODE_RAM_LOAD
16	imply INIT_ARCH_HW_AT_BOOT if ARCH_SUPPORTS_ARCH_HW_INIT
17	depends on !MCUBOOT
18	help
19	  This option signifies that the target uses MCUboot as a bootloader,
20	  or in other words that the image is to be chain-loaded by MCUboot.
21	  This sets several required build system and Device Tree options in
22	  order for the image generated to be bootable using the MCUboot open
23	  source bootloader. Currently this includes:
24
25	    * Setting ROM_START_OFFSET to a default value that allows space
26	      for the MCUboot image header
27	    * Activating SW_VECTOR_RELAY_CLIENT on Cortex-M0
28	      (or Armv8-M baseline) targets with no built-in vector relocation
29	      mechanisms
30
31	  By default, this option instructs Zephyr to initialize the core
32	  architecture HW registers during boot, when this is supported by
33	  the application. This removes the need for MCUboot to reset
34	  the core registers' state itself.
35
36if BOOTLOADER_MCUBOOT
37
38config MCUBOOT_SIGNATURE_KEY_FILE
39	string "Path to the mcuboot signing key file"
40	default ""
41	depends on !MCUBOOT_GENERATE_UNSIGNED_IMAGE
42	help
43	  The file contains a key pair whose public half is verified
44	  by your target's MCUboot image. The file is in PEM format.
45
46	  If set to a non-empty value, the build system tries to
47	  sign the final binaries using a 'west sign -t imgtool' command.
48	  The signed binaries are placed in the build directory
49	  at zephyr/zephyr.signed.bin and zephyr/zephyr.signed.hex.
50
51	  The file names can be customized with CONFIG_KERNEL_BIN_NAME.
52	  The existence of bin and hex files depends on CONFIG_BUILD_OUTPUT_BIN
53	  and CONFIG_BUILD_OUTPUT_HEX.
54
55	  This option should contain a path to the same file as the
56	  BOOT_SIGNATURE_KEY_FILE option in your MCUboot .config. The path
57	  may be absolute or relative to the west workspace topdir. (The MCUboot
58	  config option is used for the MCUboot bootloader image; this option is
59	  for your application which is to be loaded by MCUboot. The MCUboot
60	  config option can be a relative path from the MCUboot repository
61	  root.)
62
63	  If left empty, you must sign the Zephyr binaries manually.
64
65config MCUBOOT_ENCRYPTION_KEY_FILE
66	string "Path to the mcuboot encryption key file"
67	default ""
68	depends on MCUBOOT_SIGNATURE_KEY_FILE != ""
69	help
70	  The file contains the public key that is used to encrypt the
71	  ephemeral key that encrypts the image. The corresponding
72	  private key is hard coded in the MCUboot source code and is
73	  used to decrypt the ephemeral key that is embedded in the
74	  image. The file is in PEM format.
75
76	  If set to a non-empty value, the build system tries to
77	  sign and encrypt the final binaries using a 'west sign -t imgtool'
78	  command. The binaries are placed in the build directory at
79	  zephyr/zephyr.signed.encrypted.bin and
80	  zephyr/zephyr.signed.encrypted.hex.
81
82	  The file names can be customized with CONFIG_KERNEL_BIN_NAME.
83	  The existence of bin and hex files depends on CONFIG_BUILD_OUTPUT_BIN
84	  and CONFIG_BUILD_OUTPUT_HEX.
85
86	  This option should either be an absolute path or a path relative to
87	  the west workspace topdir. Example (MCUboot's published sample key,
88	  for development only): './bootloader/mcuboot/enc-rsa2048-pub.pem'
89
90	  If left empty, you must encrypt the Zephyr binaries manually.
91
92if MCUBOOT_ENCRYPTION_KEY_FILE != ""
93
94choice MCUBOOT_ENCRYPTION_ALG
95	prompt "Algorithm used for image encryption"
96	default MCUBOOT_ENCRYPTION_ALG_AES_128
97
98config MCUBOOT_ENCRYPTION_ALG_AES_128
99	bool "Use AES-128 for image encryption"
100
101config MCUBOOT_ENCRYPTION_ALG_AES_256
102	bool "Use AES-256 for image encryption"
103
104endchoice # MCUBOOT_ENCRYPTION_ALG
105
106endif # MCUBOOT_ENCRYPTION_KEY_FILE != ""
107
108config MCUBOOT_IMGTOOL_SIGN_VERSION
109	string "Version to pass to imgtool when signing"
110	default "$(APP_VERSION_TWEAK_STRING)" if "$(VERSION_MAJOR)" != ""
111	default "0.0.0+0"
112	help
113	  When signing with imgtool, this setting is passed as the version
114	  argument to the tool.
115	  The format is major.minor.revision+build.
116
117config MCUBOOT_IMGTOOL_OVERWRITE_ONLY
118	bool "Use overwrite-only instead of swap upgrades"
119	help
120	  If enabled, the --overwrite-only option is passed to imgtool to avoid
121	  adding the swap status area size when calculating overflow.
122
123config MCUBOOT_EXTRA_IMGTOOL_ARGS
124	string "Extra arguments to pass to imgtool when signing"
125	default ""
126	help
127	  When signing (CONFIG_MCUBOOT_SIGNATURE_KEY_FILE is a non-empty
128	  string) you can use this option to pass extra options to
129	  imgtool. For example, you could set this to "--version 1.2".
130
131config MCUBOOT_GENERATE_UNSIGNED_IMAGE
132	bool "Generate unsigned binary image bootable with MCUboot"
133	help
134	  Enabling this option generates an unsigned binary image automatically when
135	  no MCUboot signing key is provided, i.e., MCUBOOT_SIGNATURE_KEY_FILE is left
136	  empty. Such an image carries no signature for MCUboot to verify.
137
138config MCUBOOT_GENERATE_CONFIRMED_IMAGE
139	bool "Also generate a padded, confirmed image"
140	help
141	  The signed, padded, and confirmed binaries are placed in the build
142	  directory at zephyr/zephyr.signed.confirmed.bin and
143	  zephyr/zephyr.signed.confirmed.hex.
144
145	  The file names can be customized with CONFIG_KERNEL_BIN_NAME.
146	  The existence of bin and hex files depends on CONFIG_BUILD_OUTPUT_BIN
147	  and CONFIG_BUILD_OUTPUT_HEX.
148
149menu "On board MCUboot operation mode"
150
151choice MCUBOOT_BOOTLOADER_MODE
152	prompt "Application assumed MCUboot mode of operation"
153	# Should be removed if board dts is updated
154	default MCUBOOT_BOOTLOADER_MODE_SWAP_USING_MOVE if SOC_FAMILY_STM32
155	default MCUBOOT_BOOTLOADER_MODE_SWAP_USING_OFFSET
156	help
157	  Informs the application build of the assumed MCUboot mode of operation.
158	  This is important for validating the application against the DT configuration,
159	  which is done by west sign.
160
161config MCUBOOT_BOOTLOADER_MODE_SINGLE_APP
162	bool "MCUboot has been configured for single slot execution"
163	select MCUBOOT_IMGTOOL_OVERWRITE_ONLY
164	help
165	  MCUboot will only boot the application placed in slot0_partition and
166	  does not care about other slots. In this mode the application is not able
167	  to DFU its own update to a secondary slot, and all updates need to
168	  be performed using MCUboot serial recovery.
169
170config MCUBOOT_BOOTLOADER_MODE_SWAP_USING_OFFSET
171	bool "MCUboot has been configured for swap using offset operation"
172	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
173	help
174	  MCUboot expects slot0_partition and slot1_partition to be present
175	  in DT and application will boot from slot0_partition.
176	  MCUBOOT_BOOTLOADER_NO_DOWNGRADE should also be selected
177	  if MCUboot has been built with MCUBOOT_DOWNGRADE_PREVENTION.
178
179config MCUBOOT_BOOTLOADER_MODE_SWAP_USING_MOVE
180	bool "MCUboot has been configured for swap using move operation"
181	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
182	help
183	  MCUboot expects slot0_partition and slot1_partition to be present
184	  in DT and application will boot from slot0_partition.
185	  MCUBOOT_BOOTLOADER_NO_DOWNGRADE should also be selected
186	  if MCUboot has been built with MCUBOOT_DOWNGRADE_PREVENTION.
187
188config MCUBOOT_BOOTLOADER_MODE_SWAP_WITHOUT_SCRATCH
189	bool "MCUboot has been configured for swap without scratch operation [DEPRECATED]"
190	select DEPRECATED
191	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
192	help
193	  This Kconfig is deprecated, use MCUBOOT_BOOTLOADER_MODE_SWAP_USING_MOVE instead.
194
195config MCUBOOT_BOOTLOADER_MODE_SWAP_SCRATCH
196	bool "MCUboot has been configured for swap using scratch operation"
197	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
198	help
199	  MCUboot expects slot0_partition, slot1_partition and scratch_partition
200	  to be present in DT, and application will boot from slot0_partition.
201	  In this mode scratch_partition is used as temporary storage when
202	  MCUboot swaps application from the secondary slot to the primary
203	  slot.
204	  MCUBOOT_BOOTLOADER_NO_DOWNGRADE should also be selected
205	  if MCUboot has been built with MCUBOOT_DOWNGRADE_PREVENTION.
206
207config MCUBOOT_BOOTLOADER_MODE_OVERWRITE_ONLY
208	bool "MCUboot has been configured to just overwrite primary slot"
209	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
210	select MCUBOOT_IMGTOOL_OVERWRITE_ONLY
211	help
212	  MCUboot will take contents of secondary slot of an image and will
213	  overwrite primary slot with it.
214	  In this mode it is not possible to revert back to previous version
215	  as it is not stored in the secondary slot.
216	  This mode supports MCUBOOT_BOOTLOADER_NO_DOWNGRADE which means
217	  that the overwrite will not happen unless the version of secondary
218	  slot is higher than the version in primary slot.
219
220config MCUBOOT_BOOTLOADER_MODE_RAM_LOAD
221	bool "MCUboot has been configured for RAM LOAD operation"
222	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
223	select MCUBOOT_BOOTLOADER_NO_DOWNGRADE
224	help
225	  MCUboot expects slot0_partition and slot1_partition to exist in DT. In this mode, MCUboot
226	  will select the image with the higher version number, copy it to RAM and begin execution
227	  from there. The image must be linked to execute from RAM, the address that it is copied
228	  to is specified using the load-addr argument when running imgtool.
229	  This option automatically selects MCUBOOT_BOOTLOADER_NO_DOWNGRADE as it is not possible
230	  to swap back to older version of the application.
231
232config MCUBOOT_BOOTLOADER_MODE_RAM_LOAD_WITH_REVERT
233	bool "MCUboot has been configured for RAM LOAD with revert"
234	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
235	select MCUBOOT_BOOTLOADER_NO_DOWNGRADE
236	help
237	  MCUboot expects slot0_partition and slot1_partition to exist in DT. In this mode, MCUboot
238	  will select the image with the higher version number, copy it to RAM and begin execution
239	  from there. The image must be linked to execute from RAM, the address that it is copied
240	  to is specified using the load-addr argument when running imgtool.
241	  This option automatically selects MCUBOOT_BOOTLOADER_NO_DOWNGRADE as
242	  MCUboot will automatically select the highest revision of the application
243	  to boot. Note however that MCUboot will select an older revision of
244	  the application if the booted revision does not mark itself as confirmed.
245	  In this mode MCUboot will boot the application with the higher
246	  version from either slot, as long as it has been marked to be booted
247	  next time, either for test or permanently. When an application is marked
248	  for test, it needs to confirm itself on the first boot, or it will be
249	  removed and MCUboot will revert to booting the previously approved
250	  application. Note that in this mode MCUboot will not boot an
251	  application if it does not have an image header, so if an application
252	  is flashed manually it should be marked as confirmed.
253
254config MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP
255	bool "MCUboot has been configured for DirectXIP operation"
256	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
257	select MCUBOOT_BOOTLOADER_NO_DOWNGRADE
258	help
259	  MCUboot expects slot0_partition and slot1_partition to exist in DT.
260	  In this mode MCUboot can boot from either partition and will
261	  select one with higher application image version, which usually
262	  means major.minor.patch triple, unless BOOT_VERSION_CMP_USE_BUILD_NUMBER
263	  is also selected that enables comparison of build number.
264	  This option automatically selects
265	  MCUBOOT_BOOTLOADER_NO_DOWNGRADE as it is not possible
266	  to swap back to older version of application.
267
268config MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP_WITH_REVERT
269	bool "MCUboot has been configured for DirectXIP with revert"
270	select MCUBOOT_BOOTUTIL_LIB
271	select MCUBOOT_BOOTUTIL_LIB_FOR_DIRECT_XIP
272	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
273	select MCUBOOT_BOOTLOADER_NO_DOWNGRADE
274	imply MCUBOOT_GENERATE_CONFIRMED_IMAGE
275	help
276	  MCUboot expects slot0_partition and slot1_partition to exist in DT.
277	  In this mode MCUboot will boot the application with the higher version
278	  from either slot, as long as it has been marked to be booted
279	  next time, either for test or permanently. When an application is marked
280	  for test, it needs to confirm itself on the first boot, or it will
281	  be removed and MCUboot will revert to booting the previously approved
282	  application.
283	  This mode does not allow freely switching between application
284	  versions, as, once higher version application is approved, it is
285	  not possible to select lower version for boot.
286	  This mode selects MCUBOOT_BOOTLOADER_NO_DOWNGRADE as it is not possible
287	  to downgrade the running application, but note that MCUboot may revert to
288	  the lower version if the higher-version application does not get confirmed.
289
290config MCUBOOT_BOOTLOADER_MODE_FIRMWARE_UPDATER
291	bool "MCUboot has been configured in firmware updater mode"
292	select MCUBOOT_IMGTOOL_OVERWRITE_ONLY
293	help
294	  MCUboot will only boot slot0_partition for the main application but has
295	  an entrance mechanism defined for entering the slot1_partition which is
296	  a dedicated firmware updater application used to update the slot0_partition
297	  application.
298
299config MCUBOOT_BOOTLOADER_MODE_SINGLE_APP_RAM_LOAD
300	bool "MCUboot has been configured in single app RAM load mode"
301	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
302	select MCUBOOT_BOOTLOADER_NO_DOWNGRADE
303	help
304	  MCUboot can load the image to RAM from an arbitrary location. In this mode,
305	  MCUboot will copy the image to RAM and begin execution from there. The image
306	  must be linked to execute from RAM, the address that it is copied to is
307	  specified using the load-addr argument when running imgtool.
308	  Note that while not used directly, a slot0_partition must be defined in the
309	  DT, as it is used to get information about size of the image to be loaded.
310	  This option automatically selects MCUBOOT_BOOTLOADER_NO_DOWNGRADE as it is
311	  not possible to swap back to older version of the application. In fact, none
312	  of the swap operations are supported in this mode.
313
314endchoice # MCUBOOT_BOOTLOADER_MODE
315
316config MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
317	bool
318	help
319	  Selected mode supports downgrade prevention, where you cannot switch to
320	  an application with lower version than the currently running application.
321
322if MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
323config MCUBOOT_BOOTLOADER_NO_DOWNGRADE
324	bool "MCUboot mode has downgrade prevention enabled"
325	help
326	  The selected MCUboot mode has downgrade prevention enabled, so you are not
327	  able to change back to an image with a lower version number.
328	  This option should be selected when MCUboot has been built with the
329	  MCUBOOT_DOWNGRADE_PREVENTION option enabled.
330endif
331
332config MCUBOOT_BOOTLOADER_USES_SHA512
333	bool "MCUboot uses SHA512 for image hash"
334	help
335	  MCUboot has been compiled to verify images using SHA512.
336
337config MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE
338	bool "Signature is verified over an image rather than sha of an image"
339	help
340	  MCUboot has been compiled to verify images using pure signature
341	  verification, i.e., the signature is verified over the image rather
342	  than the SHA of the image.
343
344config MCUBOOT_APPLICATION_FIRMWARE_UPDATER
345	bool "Application is firmware updater image"
346	depends on MCUBOOT_BOOTLOADER_MODE_FIRMWARE_UPDATER
347	help
348	  Select this if the current image is the firmware updater image. This will use slot 1
349	  information when signing the image.
350
351	  Note that the zephyr chosen node ``zephyr,code-partition`` should be set to
352	  ``slot1_partition`` for this image.
353
354endmenu # On board MCUboot operation mode
355
356endif # BOOTLOADER_MCUBOOT
357
358menuconfig MCUBOOT_BOOTUTIL_LIB
359	bool "MCUboot utility library"
360	help
361	  Enable MCUboot utility library which implements functions
362	  required by the chain-loaded application and the MCUboot.
363
364if MCUBOOT_BOOTUTIL_LIB
365
366# hidden option for disabling module-own log configuration
367# while building MCUboot bootloader
368config MCUBOOT_BOOTUTIL_LIB_OWN_LOG
369	bool
370	default y
371
372if MCUBOOT_BOOTUTIL_LIB_OWN_LOG
373module = MCUBOOT_UTIL
374module-str = MCUboot bootutil
375source "subsys/logging/Kconfig.template.log_config"
376endif
377
378config BOOT_IMAGE_ACCESS_HOOKS
379	bool "Hooks for overriding MCUboot's bootutil native routines"
380	help
381	  Allows providing procedures that override or extend MCUboot's native
382	  routines required for accessing the image data.
383	  It is up to the application project to add the source file which
384	  implements the hooks to the build.
385
386if MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP_WITH_REVERT
387
388config MCUBOOT_BOOTUTIL_LIB_FOR_DIRECT_XIP
389	bool
390	help
391	  Adds support for marking images for test and confirming them
392	  when the bootloader is in DirectXIP-revert mode.
393endif
394
395endif # MCUBOOT_BOOTUTIL_LIB
396