OP-TEE configuration switches

Revision as of 17:59, 5 June 2024 by Registered User (→‎Overview)
Applicable for STM32MP13x lines, STM32MP15x lines, STM32MP25x lines


1. Purpose

This article describes the configuration switches used in the OP-TEE OS component.
It is recommended to first read the OP-TEE overview article for a presentation of OP-TEE.

2. Overview

OP-TEE is presented in OP-TEE overview and STM32MPU OP-TEE Profiles articles.

The OP-TEE OS build sequence is based on GNU Makefile files. OP-TEE configuration is set straight from the OP-TEE build process and is based on shell environment variables, also used as Makefile variables, as shown in the build command lines below:

 make PLATFORM=stm32mp1-135F_DK
 make PLATFORM=stm32mp1-135F_DK CFG_TEE_CORE_DEBUG=y
 CFG_TEE_CORE_DEBUG=y make PLATFORM=stm32mp1-135F_DK




 make PLATFORM=stm32mp1 CFG_EMBED_DTB_SOURCE_FILE=stm32mp135f-dk.dts CFG_STM32MP_PROFILE=secure_and_system_services

The above make command lines should be enough to build your target boot firmware images.

This article presents many of the OP-TEE configuration switches that can be tuned for a given target. This article does not present all OP-TEE configuration switches. Almost all OP-TEE configuration switches are prefixed CFG_.

Usually the first OP-TEE configuration switches one tunes are debug mode (CFG_TEE_CORE_DEBUG=y|n), log trace level (CFG_TEE_CORE_LOG_LEVEL=[0|1|2|3|4]) and the selection of the STM32MPU OP-TEE profile (CFG_STM32MP_PROFILE={system_services|secure_and_system_services}). Each platform has a preset of default configuration switch values.


It is also possible to pass a config makefile to the make sequence. The OP-TEE OS configuration file shall set PLATFORM and the other expected configuration variables.

 make CFG_OPTEE_CONFIG=/path/to/conf-OP-TEE-CUSTOM.mk

3. Main configuration switches

The minimal configuration directives required to build OP-TEE OS are the identification of the target (product line + embedded Device Tree) and the cross compilation toolchain.

3.1. Target platform definition

OP-TEE OS configuration must define the target product line and the Device Tree source file to be embedded on OP-TEE firmware:

  • PLATFORM=<platform>
    • Ex: PLATFORM=stm32mp1 for STM32MP1 series
    • Ex: PLATFORM=stm32mp2 for STM32MP2 series
  • One of the following exclusive configuration switches must be enabled:
    • CFG_STM32MP13=y when targeting an STM32MP13x lines platform
    • CFG_STM32MP15=y when targeting an STM32MP15x lines platform
    • CFG_STM32MP25=y when targeting an STM32MP25x lines platform
  • CFG_EMBED_DTB_SOURCE_FILE=<device-tree-source-file>: in-tree (core/arch/arm/dts/ ) device tree filename with its .dts extension.
    • Ex: CFG_EMBED_DTB_SOURCE_FILE=stm32mp157f-dk2.dts

OP-TEE OS may guess the target product line (CFG_STM32MPxx=y) based on CFG_EMBED_DTB_SOURCE_FILE value.

Some platform/device tree source file pairs are predefined in the OP-TEE OS source tree. They can be used as an alternative to CFG_EMBED_DTB_SOURCE_FILE, using the configuration switch PLATFORM with a platform flavor suffix. For example:

  • PLATFORM=stm32mp1-157F_EV1
    is an equivalent for PLATFORM=stm32mp1 CFG_STM32MP15=y CFG_EMBED_DTB_SOURCE_FILE=stm32mp157f-ev1.dts.
  • PLATFORM=stm32mp1-135F_DK
    is an equivalent for PLATFORM=stm32mp1 CFG_STM32MP13=y CFG_EMBED_DTB_SOURCE_FILE=stm32mp135f-dk.dts.
  • PLATFORM=stm32mp2-257F_DK
    is an equivalent for PLATFORM=stm32mp2 CFG_STM32MP25=y CFG_EMBED_DTB_SOURCE_FILE=stm32mp257f-dk.dts.

3.2. STM32MPU OP-TEE profile

STM32MPU OP-TEE proposes configuration profiles to ease defining the services to embed in OP-TEE. The profiles are described in STM32MPU OP-TEE Profiles article. The configuration switch supported values are:

  • CFG_STM32MP_PROFILE=system_services
  • CFG_STM32MP_PROFILE=secure_and_system_services

On STM32MPU platforms, the default selected profile depends on the target; refer to the Platform default configuration article.

3.3. Cross-compilation directives

The cross-compilation prefixes below are alternatives to the generic CROSS_COMPILE:

  • CROSS_COMPILE32:
    CROSS_COMPILE64:
    The OP-TEE cross-compilation toolchain is set from CROSS_COMPILE; however, for 64bit targets, OP-TEE can host both 32bit and 64bit Trusted Applications. To build the former, CROSS_COMPILE32 shall be set. CROSS_COMPILE64 is used for 64bit builds; if it is not set, the build makefiles fall back to CROSS_COMPILE.

4. OP-TEE core generic switches

Below are some OP-TEE generic optional directives commonly used, described in OP-TEE OS mk/config.mk file:

  • CFG_CORE_HEAP_SIZE=<VALUE>: Byte size of OP-TEE core memory allocation pool
    STM32MP13x lines, STM32MP15x lines without pager and STM32MP25x lines use the OP-TEE native default heap size of 64kBytes. STM32MP15x lines with pager enabled and security services use a default heap of 48kBytes. The value can be tuned if needed. See also xtest --stats --alloc for information on OP-TEE core heap allocation pool (see CFG_WITH_STATS).
  • CFG_NUM_THREADS=<VALUE>: Number of concurrent TEE thread contexts provisioned in OP-TEE.
    OP-TEE native default value is 2 but STM32MP platforms use other default values: 3 for STM32MP13x lines, 10 for STM32MP15x lines with pager and 5 for STM32MP25x lines. The value can be tuned if needed.


  • CFG_WITH_PAGER={n|y}: disable/enable OP-TEE core "pager" mode, allowing OP-TEE to execute in a size-constrained internal RAM of a few hundred kBytes.
    The feature is used only on STM32MP15x lines when secure services are enabled. Note that the TF-A configuration for STM32MP15x lines depends on whether OP-TEE is booted in secure internal RAM (with pager enabled) or in external RAM. Refer to the STM32MP15 pager impact on TF-A article.


On Armv8-A platforms, OP-TEE can be built in 64bit (CFG_ARM64_core=y) or in 32bit mode (CFG_ARM32_core=y).

5. Resource management service configuration switches

In both Resource Management profile and Secure Service profile, OP-TEE embeds resource management services that are default enabled in STM32MP software delivery. Each can be individually disabled using their related configuration switch:

  • CFG_DEVICE_ENUM_PTA={y|n}: Default enabled. Enumeration of registered embedded services to non-secure world.
    This is used by U-Boot and the Linux kernel to bind driver instances (SCMI, HWRNG, ...).



  • CFG_HWRNG_PTA={y|n}: Default enabled. Interface for Linux/U-Boot to request TRNG random numbers.
    The switch is default enabled, and a true random number generator device needs to register to the crypto API so that the HWRNG PTA exposes it and enumerates it (see CFG_DEVICE_ENUM_PTA).



  • CFG_RTC_PTA={y|n}: Default disabled. Interface for Linux/U-Boot to access RTC service.
    STM32MP configuration does not yet expose RTC service when STM32 RTC device is assigned to OP-TEE. This is expected in a future service.
  • CFG_SCMI_PTA={y|n}: Default enabled on STM32MPU OpenSTLinux platforms to manage clock, reset, power and voltage domains, and more.

6. Secure services related configuration switches

The configuration switches listed in this section all require the STM32MPU OP-TEE secure services to be enabled with CFG_STM32MP_PROFILE=secure_and_system_services.

6.1. Generic switches for secure services

Secure storage:

  • CFG_REE_FS={n|y}: disable/enable OP-TEE secure storage area based on a non-secure filesystem
  • CFG_RPMB_FS={n|y}: disable/enable OP-TEE secure storage area based on eMMC/RPMB resource
  • CFG_RPMB_FS_DEV_ID=<VALUE>: define the mmcblk block device used by REE for eMMC/RPMB accesses
    (e.g. "'1'" on stm32mp157x-ev1 boards)

Hardware Unique Key (HUK) and HUK derivation: OP-TEE generates several keys by derivation from the device hardware unique key. On STM32MP13x lines and STM32MP25x lines with crypto support, the HUK derivation service is provided by the STM32 SAES driver, when SAES is assigned to OP-TEE. These platforms do not expose the HUK. STM32MP15x lines platforms require CFG_STM32MP15_HUK=y and its sub-configuration switches to implement HUK derivation requirements.

  • CFG_STM32MP15_HUK={y|n}: embeds, or not, STM32MP15x lines HUK support, which uses a key read from OTP fuses in various ways.
    • CFG_STM32_HUK_FROM_DT={y|n} Default enabled. When enabled, the HUK location in BSEC words is found from the OP-TEE device tree, from the NVMEM node named "huk-otp".
    • CFG_STM32MP15_HUK_BSEC_KEY={y|n} Default enabled. When enabled, the HUK is the key read from BSEC OTPs.
    • CFG_STM32MP15_HUK_BSEC_DERIVE_UID={y|n} is default disabled. When enabled and CFG_STM32MP15_HUK_BSEC_KEY=n, the key read from BSEC OTPs is derived with the die ID, also read from the BSEC interface.
    • CFG_STM32_HUK_TESTKEY={y|n} Default disabled. When enabled, embeds a test key as HUK, refer to source file implementation.
    • CFG_STM32MP15_HUK_OTP_BASE=VALUE is an alternative when CFG_STM32_HUK_FROM_DT=n, to set the BSEC word base index from where HUK bytes shall be read over 4 words.
      • CFG_STM32MP15_HUK_BSEC_KEY_<0|1|2|3>=VALUE is another alternative when CFG_STM32_HUK_FROM_DT=n, to set each index of the 4 BSEC words that constitute the HUK.

6.2. Trusted applications

  • CFG_WITH_USER_TA={n|y}: disable/enable support for Trusted Applications in OP-TEE secure memory
  • CFG_PAGED_USER_TA={n|y}: disable/enable support for paged Trusted Applications when CFG_WITH_PAGER is enabled.
  • CFG_USER_TA_TARGETS=ta_arm64\ ta_arm32
    CFG_USER_TA_TARGETS=ta_arm64
    CFG_USER_TA_TARGETS=ta_arm32
    Defines whether a 64bit core supports 32bit and/or 64bit Trusted Applications.

6.3. BSEC secure fuse

  • CFG_STM32_BSEC=y|n: STM32 BSEC2 OTP access interface driver.
    CFG_STM32_BSEC3=y|n: STM32 BSEC3 OTP access interface driver.
    The below config switches require that one of CFG_STM32_BSEC and CFG_STM32_BSEC3 is enabled and its driver probed.
    • CFG_STM32_BSEC_WRITE=y|n: Allow burning OTP fuses.
    • CFG_STM32MP_PROVISIONING=y|n: Load BSEC shadow memory from values read from OP-TEE core secure Device Tree.
    • CFG_BSEC_PTA=y|n: STM32 BSEC secure words access services. Access rights are assigned from OP-TEE core Device Tree.


6.4. Other secure services

  • CFG_STM32MP_REMOTEPROC=y: Secure service for attesting secure loading and boot of the Cortex-M remote processor, if available.
    When enabled, it enforces CFG_REMOTEPROC_PTA=y.
  • CFG_ATTESTATION_PTA={y|n} Default disabled. Can be used to ask OP-TEE to certify the Trusted Application state.
    • CFG_ATTESTATION_PTA_KEY_SIZE=<VALUE>: RSA key size used for the attestation, default value is 3072.
  • CFG_SECSTOR_TA_MGMT_PTA={y|n}: Default enabled to allow installation of TA images in the OP-TEE secure persistent storage.
  • CFG_SYSTEM_PTA={y|n}. Default enabled for TAs to interact with OP-TEE core.
  • CFG_PKCS11_TA=y|n This switch does not change OP-TEE OS but is exported to OP-TEE Test for regression test support.

7. STM32 drivers configuration switches

STM32MPU variants: inherited from the Device Tree File name, or set by build environment.
The following switches are exclusive: only one can be enabled:

  • CFG_STM32MP13=y|n
  • CFG_STM32MP15=y|n
  • CFG_STM32MP25=y|n

Clocks, reset controllers, voltage regulators, pin muxing and GPIOs based on STM32 interfaces:

  • CFG_STM32MP{15|13|25}_CLK=y|n: Clock drivers. Required enabled for related STM32MPU variant.
    RCC device shall have a node in OP-TEE device tree, see clock device tree configuration article.
  • CFG_STM32MP{15|13|25}_RSTCTRL=y|n: Reset controller drivers. Required enabled for related STM32MPU variant.
    RCC device shall have a node in OP-TEE device tree, see reset device tree configuration article.
  • CFG_STM32_UART=y: Enabled for OP-TEE output console trace messages.
    See also the USART and serial TTY device tree configuration articles. STM32MP OP-TEE proposes an early trace message configuration switch, defining which UART instance of the STM32MPU device is to be used, see CFG_STM32_EARLY_CONSOLE_UART.
  • CFG_STM32_LPTIMER=y|n: Required by STM32MP1 series for clock calibration service (CFG_STM32_CLKCALIB). See also LPTIM and LPTIM device tree configuration articles.
  • CFG_STM32_I2C=y|n: STM32 I2C bus interface driver. Required when using an STPMIC control chip.
    STM32 I2C driver is initialized upon a compatible node in OP-TEE device tree. Refer also to I2C device tree configuration article.
  • CFG_STM32_RNG=y|n: High quality hardware Random Number Generator STM32 RNG.
    When enabled and CFG_WITH_SOFTWARE_PRNG=n (aka CFG_WITH_TRNG=y), STM32 RNG is used as an RNG source by OP-TEE core.
    When enabled and CFG_WITH_SOFTWARE_PRNG=y, OP-TEE PRNG is seeded by STM32 RNG before non-secure world boots. This can be used for platforms willing to drive STM32 RNG from the non-secure world (U-Boot, Linux). STM32 RNG driver is initialized upon a compatible node in OP-TEE device tree. Refer also to RNG device tree configuration article.

STM32MP resource access firewalls support:

  • CFG_STM32_FIREWALL=y : STM32MP firewall drivers framework
  • CFG_STM32_ETZPC=y: Firewall enforced enabled in MP13 and MP15 for the Secure Services profile. See also ETZPC interface and ETZPC device tree configuration articles.
  • CFG_STM32_{RIF|RIFSC|RISAB|RISAF}=y: Firewall drivers enforced enabled in MP25 for the Secure Services profile. See also the relevant articles on RIFSC, RISAF, RISAB and their device tree articles (RIFSC configuration, RISAF configuration and RISAB configuration).
  • CFG_STM32_IAC=y, CFG_STM32_SERC=y|n: Invalid resource access monitoring on STM32MP25x lines.
    • CFG_STM32_PANIC_ON_IAC_EVENT=y|n: Panic, possibly with a debug trace message, on IAC violation.
      Default y when CFG_TEE_CORE_DEBUG=y.
    • CFG_STM32_PANIC_ON_SERC_EVENT=y|n: Panic, possibly with a debug trace message, on SERC events.
      Default y when CFG_TEE_CORE_DEBUG=y.

OTP fuses service:

STM32MP cryptographic hardware assistance:

Power and low power modes resources:

  • Voltage regulators:
    • CFG_STM32_VREFBUF=y: STM32MPU internal VREFBUF voltage regulator driver.
    • CFG_STM32_PWR=y: PWR internal peripheral driver.
    • CFG_STPMIC1=y|n, CFG_STPMIC2=y|n: PMIC companion chip, refer to PMIC article.
    • CFG_STM32MP13_REGULATOR_IOD=y: IO drive level driver for STM32MP13x lines.
  • Generic voltage regulator drivers:
    • CFG_REGULATOR_FIXED=y: Use device tree to define fixed level regulators that may be gated through an output GPIO signal.
    • CFG_REGULATOR_GPIO=y: Use device tree to define 2-level voltage regulators, gated and leveled through output GPIO signals.
  • Low power resources:
    • CFG_STM32_EXTI=y|n: Driver for wake up pin management.
    • CFG_STM32_CPU_OPP=y|n: Driver for CPU dynamic voltage and frequency scaling.
    • CFG_SYSCFG=y|n: Driver for STM32MP1 series IO compensation, High speed/Low voltage mode interfaces.
    • CFG_STM32_PWR_IRQ=y|n: Driver for PWR internal peripheral interrupts, likely used for PMIC interrupt signals.

Other STM32MPU drivers:

  • CFG_STM32_OMM=y, CFG_STM32_FMC=y, CFG_STM32_HPDMA=y
    These configurations apply to STM32MP25x lines. OMM, FMC and HPDMA drivers need to be embedded in OP-TEE to configure their security firewalls and to handle low power states.


  • Remote processor management:
    CFG_STM32_HSEM=y|n, CFG_STM32_IPCC=y|n.
  • Tampering and monitoring
    CFG_STM32_TAMP=y|n, CFG_STM32_TAMP_NVRAM=y|n, CFG_STM32_HSE_MONITORING=y|n.
  • Real Time measurement with CFG_STM32_RTC=y|n: Default enabled. Persistent real time.
    See also STM32 RTC and RTC device tree configuration articles.


Debugging the traces:

  • CFG_STM32_EARLY_CONSOLE_UART={0|1|..} : OP-TEE core early trace UART instance. When 0, early traces (e.g. before MMU is enabled) are disabled. When 1, or more, this is the UART/USART instance used, likely already setup by some previous boot stage.
  • CFG_STM32_CLK_DEBUG=y|n: Print clocks state at run time from STM32 clock drivers.

8. Cryptographic operation configuration

Main switches:

  • CFG_CRYPTO=y|n
  • CFG_CRYPTOLIB_NAME=tomcrypt, alternatively CFG_CRYPTOLIB_NAME=mbedtls
    CFG_CRYPTOLIB_DIR=core/lib/libtomcrypt (resp. CFG_CRYPTOLIB_DIR=lib/mbedtls)
    Target software cryptographic library embedded in OP-TEE core. Default is libtomcrypt and its internal path.

Among the cryptographic algorithms listed below, those that are enabled but do not have hardware assistance are processed by the software cryptography library of OP-TEE, either the TomCrypt library [1] or the MbedTLS library [2].

Digest and hashing functions:
Note: CFG_STM32_HASH selects MD5, SHA*, SHA3_*, and SHAKE*.

  • CFG_CRYPTO_[MD5|SHA1|SHA224|SHA256|SHA384]=y|n
  • CFG_CRYPTO_SHA3_[224|384|512]=y|n
  • CFG_CRYPTO_[SHA512|SHA512_256]=y|n
  • CFG_CRYPTO_SHAKE[128|256]=y|n
  • CFG_CRYPTO_SM3=y|n

Symmetric cryptographic algorithms:
Note: CFG_STM32_CRYP enforces support for AES ECB/CBC/CTR/GCM/CCM and DES/TDES ECB/CBC.
CFG_STM32_SAES enforces support for AES ECB/CBC/CTR/GCM/CCM.

  • CFG_CRYPTO_AES=y|n
  • CFG_CRYPTO_AES_GCM_FROM_CRYPTOLIB=y|n
  • CFG_CRYPTO_DES=y|n
  • CFG_CRYPTO_SM4=y|n
  • CFG_CRYPTO_HMAC=y|n

and their related modes (when applicable):

  • CFG_CRYPTO_ECB=y|n
  • CFG_CRYPTO_CBC=y|n
  • CFG_CRYPTO_CBC_MAC=y|n
    • CFG_CRYPTO_CBC_MAC_BUNDLE_BLOCKS=64
  • CFG_CRYPTO_[CCM|CMAC|CTR|CTS|GCM|XTS]=y|n

Key derivation support:

  • CFG_CRYPTO_HKDF=y|n
  • CFG_CRYPTO_PBKDF2=y|n
  • CFG_CRYPTO_CONCAT_KDF=y|n
  • CFG_CRYPTO_HW_PBKDF2=y|n

Asymmetric cryptographic algorithms:
CFG_STM32_PKA=y enables ECC operations.

  • CFG_CRYPTO_[DH|DSA|RSA|RSASSA_NA1]=y|n
  • CFG_CRYPTO_[ECC|ED25519|X25519]=y|n
  • CFG_CRYPTO_SM2_[DSA|KEP|PKE]=y|n

Generic cryptographic processing framework configuration switches:

  • CFG_WITH_SOFTWARE_PRNG={y|n}
    CFG_WITH_TRNG=n|y
    These two switches are exclusive: only one can be enabled.
    When CFG_WITH_SOFTWARE_PRNG=y: Random bytes are generated by a software implementation (Fortuna algorithm [3]).
    When CFG_WITH_SOFTWARE_PRNG=n: Random bytes can be generated from a hardware source with CFG_WITH_TRNG=y. TRNG devices are registered at boot time in OP-TEE core.


  • CFG_CRYPTO_SIZE_OPTIMIZATION=y|n: Defines memory size footprint optimization of the cryptographic software libraries.

9. Debug related configuration switches

OP-TEE generic optional debugging and test directives commonly used, described in OP-TEE OS mk/config.mk file:

  • CFG_TEE_CORE_DEBUG=n|y: disable/enable debug support (including support for assert() through NDEBUG)
  • CFG_TEE_CORE_LOG_LEVEL={0|1|2|3|4}: define OP-TEE core trace level (0: no trace, 4: overflow of traces) (default is 2: info)
  • CFG_TEE_CORE_TA_LEVEL={0|1|2|3|4}: define OP-TEE Trusted Applications (TAs) trace level (default is 1: error)
  • CFG_TEE_CORE_TA_TRACE=n|y: disable/enable TA trace messages at OP-TEE core level (default is y)
  • CFG_TEE_CORE_MALLOC_DEBUG=n|y: disable/enable debug support for heap allocations in OP-TEE core
  • CFG_TEE_TA_MALLOC_DEBUG=n|y: disable/enable debug support for heap allocations in Trusted Applications (TAs)
  • CFG_CC_OPT_LEVEL=[s|0|1|2] sets GCC/Clang optimization level "-O0", "-O1", "-O2" or "-Os". Default is s for size.
  • CFG_UNWIND=n|y: disable/enable stack unwind debug trace messages
  • CFG_ENABLE_EMBEDDED_TESTS=n|y: disable/enable embedded tests, used by the xtest tool (default is y)
  • CFG_WITH_STATS=n|y: disable/enable OP-TEE statistics retrieval through OP-TEE Statistics PTA service interface.
  • CFG_WERROR=n|y: disable/enable build error trigger on OP-TEE build warning occurrences.
  • CFG_TA_GPROF_SUPPORT=n|y: disable/enable profiling of Trusted Application implementation based on gprof standard tool
  • CFG_FTRACE_SUPPORT=n|y: disable/enable function trace support in Trusted Applications based on ftrace standard tool
  • CFG_SYSCALL_FTRACE=n|y: disable/enable support for ftrace syscall graph generation
  • CFG_CORE_DEBUG_CHECK_STACKS=n|y: disable/enable compiler instrumentation for stack overflow protection
  • CFG_WITH_STACK_CANARIES=n|y: (default enabled) disable/enable canaries value at stack limits
  • CFG_DEBUG_INFO=n|y: (default enabled) disable/enable embedding implementation debug information in OP-TEE core image


Information on configuration switches CFG_TEE_CORE_DEBUG, CFG_TEE_CORE_LOG_LEVEL and CFG_UNWIND can be found in the How_to_debug_OP-TEE article.

STM32MP has a few platform-specific configuration switches related to development and debug support:

  • CFG_STM32_EARLY_CONSOLE_UART={0|1|2|...}: define the USART instance used for early console trace messages (default is 4)
  • CFG_STM32MP_PROVISIONING=n|y is a development and debugging feature that is not intended for product release.
    When enabled, the OP-TEE initialization sequence looks up its device tree for a node with compatible = st,provisioning, and loads into the BSEC shadow registers the values read from the device tree. This can help testing fuses without burning them, as for watchdog freeze during suspend or for product below 2.5V support.
  • The CFG_TEE_CORE_DEBUG generic switch is presented above but also has an impact on some STM32MP platform support:
    • On STM32MP1 series devices that are in open state (refer to device life cycle article), all JTAG debug controls are enabled when CFG_TEE_CORE_DEBUG=y, and only internal software debug accesses are enabled when CFG_TEE_CORE_DEBUG=n. For devices in closed state, refer to the device reference manual.
    • On STM32MP2 series devices, hardware debug support is not related to CFG_TEE_CORE_DEBUG. All JTAG debug controls are enabled on devices in open state. For devices in closed state, refer to the device reference manual. Refer to device life cycle article for information on device open and closed states.
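
A release-gate check built from the switches described on this page, given as an added example (not code from the OP-TEE project or from ST): it flags the development switches listed in this section, the exclusive switch groups, and secure-service switches set while the profile is explicitly system_services. The function names, finding labels and the sample configuration are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the OP-TEE tree): pre-release audit of an OP-TEE
# config makefile such as the one passed with CFG_OPTEE_CONFIG. Assumption:
# plain "NAME = value" lines (=, := or ?=); conditionals/includes are ignored.

# cfg_get FILE NAME: print the last value assigned to NAME, empty if unset.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[:?]\{0,1\}=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" |
        tail -n 1
}

# count_y FILE NAME...: print how many of the named switches are set to y.
count_y() {
    cy_file=$1; shift; cy_n=0
    for cy_name in "$@"; do
        if [ "$(cfg_get "$cy_file" "$cy_name")" = y ]; then cy_n=$((cy_n + 1)); fi
    done
    echo "$cy_n"
}

# audit_release FILE: print one finding per line; return 1 if any was found.
audit_release() {
    ar_conf=$1; ar_bad=0
    # Development and debug switches described on this page.
    for ar_rule in \
        "CFG_STM32MP_PROVISIONING:BSEC shadow memory loaded from the device tree" \
        "CFG_STM32_HUK_TESTKEY:test key embedded as HUK" \
        "CFG_TEE_CORE_DEBUG:debug build, all JTAG debug controls on open STM32MP1 devices"
    do
        ar_name=${ar_rule%%:*}
        if [ "$(cfg_get "$ar_conf" "$ar_name")" = y ]; then
            echo "DEV-SWITCH $ar_name=y (${ar_rule#*:})"; ar_bad=1
        fi
    done
    # Exclusive switch groups: at most one member may be y.
    if [ "$(count_y "$ar_conf" CFG_STM32MP13 CFG_STM32MP15 CFG_STM32MP25)" -gt 1 ]; then
        echo "EXCLUSIVE more than one of CFG_STM32MP13/15/25 is y"; ar_bad=1
    fi
    if [ "$(count_y "$ar_conf" CFG_WITH_SOFTWARE_PRNG CFG_WITH_TRNG)" -gt 1 ]; then
        echo "EXCLUSIVE CFG_WITH_SOFTWARE_PRNG and CFG_WITH_TRNG are both y"; ar_bad=1
    fi
    # Secure services switches set while the profile is explicitly system_services.
    if [ "$(cfg_get "$ar_conf" CFG_STM32MP_PROFILE)" = system_services ]; then
        for ar_name in CFG_STM32MP15_HUK CFG_BSEC_PTA CFG_ATTESTATION_PTA; do
            if [ "$(cfg_get "$ar_conf" "$ar_name")" = y ]; then
                echo "PROFILE $ar_name=y needs the secure_and_system_services profile"; ar_bad=1
            fi
        done
    fi
    return "$ar_bad"
}

# Constructed sample config (not a file shipped by ST), with deliberate problems.
sample_conf() {
    cat <<'EOF'
PLATFORM = stm32mp1
CFG_STM32MP15 = y
CFG_EMBED_DTB_SOURCE_FILE = stm32mp157f-dk2.dts
CFG_STM32MP_PROFILE = system_services
CFG_TEE_CORE_DEBUG ?= y
CFG_STM32MP_PROVISIONING := y   # left over from bring-up
CFG_STM32_HUK_TESTKEY = n
CFG_STM32MP15_HUK = y
CFG_WITH_SOFTWARE_PRNG = y
EOF
}

[ $# -eq 0 ] || audit_release "$1"   # stand-alone: sh audit.sh conf.mk
```

Switches passed on the make command line or through the environment override the file, so the same check has to be applied to the effective build configuration as well.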

10. Constraints with OP-TEE Pager

This section details the constraints related to enabling the OP-TEE pager, as specifically needed with STM32MP15x lines when enabling the secure services. These constraints are all related to the size of the internal secure memory assigned to OP-TEE OS. Details on the secure internal memory that can be assigned to OP-TEE can be found in the STM32MP15x lines platform constraints article.

TO BE FILLED with information on OP-TEE performance impact related to the internal secure memory size and its use.

TO BE FILLED with specific info on CFG_TEE_CORE_LOG_LEVEL, CFG_TEE_CORE_DEBUG CFG_CORE_HEAP_SIZE and CFG_NUM_THREADS impact on pager resident memory


11. References