1. Purpose
This article describes the configuration switches used by the OP-TEE OS component.
2. Overview
OP-TEE is presented in the OP-TEE overview and How to configure OP-TEE articles.
The OP-TEE OS build sequence is based on GNU Makefile files. OP-TEE configuration is set directly from the OP-TEE build process and is based on shell environment variables, which are also used as Makefile variables, as shown in the build command lines below:
make PLATFORM=stm32mp1-135F_DK
make PLATFORM=stm32mp1-135F_DK CFG_TEE_CORE_DEBUG=y
CFG_TEE_CORE_DEBUG=y make PLATFORM=stm32mp1-135F_DK
2.1. Main configuration switches
Some configuration switches are required to build OP-TEE OS: they define the target platform and the target board (that is, the device tree source file to use for that platform):
- PLATFORM=<platform>
- Ex: PLATFORM=stm32mp1 for STM32MP1 series
- Ex: PLATFORM=stm32mp2 for STM32MP2 series
- CFG_EMBED_DTB_SOURCE_FILE=<device-tree-source-file>: in-tree (core/arch/arm/dts/) device tree file name, with its .dts extension.
- Ex: CFG_EMBED_DTB_SOURCE_FILE=stm32mp157f-dk2.dts
Note that some platform/device-tree source file pairs are predefined in the OP-TEE OS source tree. They can be used as an alternative to CFG_EMBED_DTB_SOURCE_FILE, by using the PLATFORM configuration switch with a platform flavor suffix. For example:
- PLATFORM=stm32mp1-157F_EV1 is equivalent to PLATFORM=stm32mp1 CFG_EMBED_DTB_SOURCE_FILE=stm32mp157f-ev1.dts.
- PLATFORM=stm32mp1-135F_DK is equivalent to PLATFORM=stm32mp1 CFG_EMBED_DTB_SOURCE_FILE=stm32mp135f-dk.dts.
- PLATFORM=stm32mp2-257F_DK is equivalent to PLATFORM=stm32mp2 CFG_EMBED_DTB_SOURCE_FILE=stm32mp257f-dk.dts.
The cross-compilation prefixes are also mentioned here, as alternatives to the generic CROSS_COMPILE:
- CROSS_COMPILE32
- CROSS_COMPILE64
The OP-TEE cross-compilation toolchain is set from CROSS_COMPILE. However, for 64-bit targets, OP-TEE can host both 32-bit and 64-bit Trusted Applications. To build the former, CROSS_COMPILE32 shall be set. CROSS_COMPILE64 is used for the 64-bit build; when it is not set, the build makefiles fall back to CROSS_COMPILE.
The STM32MP OP-TEE configuration provides two main configuration switches used to select either the resource management profile or the secure service profile. These profiles are described in the OP-TEE core configuration (FIXME: reference to check) article.
- CFG_STM32_RESOURCE_MANAGEMENT_PROFILE=y
- CFG_STM32_SECURE_SERVICE_PROFILE=y
2.2. OP-TEE core generic switches
Below are some commonly used OP-TEE generic optional directives, described in the OP-TEE OS mk/config.mk file:
- CFG_CORE_HEAP_SIZE=<VALUE>: define the byte size of the OP-TEE core memory allocation pool
- CFG_NUM_THREADS=<VALUE>: define the number of TEE threads provisioned in OP-TEE
- CFG_REE_FS={n|y}: disable/enable the OP-TEE REE filesystem based secure storage area
- CFG_RPMB_FS={n|y}: disable/enable OP-TEE eMMC/RPMB based secure storage area
- CFG_RPMB_FS_DEV_ID=<VALUE>: define the mmcblk block device used by the REE for eMMC/RPMB accesses (e.g. "1" on stm32mp157x-ev1 boards)
- CFG_WITH_USER_TA={n|y}: disable/enable support for Trusted Applications in OP-TEE secure memory (default is y)
- CFG_WITH_PAGER={n|y}: disable/enable the OP-TEE core "pager" mode, allowing OP-TEE to execute from a size-constrained internal RAM of a few hundred kBytes. The feature is used only on STM32MP15x lines when secure services are enabled.
- CFG_PAGED_USER_TA={n|y}: disable/enable support for paged Trusted Applications when CFG_WITH_PAGER is enabled.
When CFG_STM32_SECURE_SERVICE_PROFILE is enabled, the above switches related to secure services are enabled by default. Alternatively, when CFG_STM32_RESOURCE_MANAGEMENT_PROFILE is enabled, the above switches related to secure services are disabled.
2.3. OP-TEE core debug and test switches
Below are some commonly used OP-TEE generic optional debugging and test directives, described in the OP-TEE OS mk/config.mk file:
- CFG_TEE_CORE_DEBUG={n|y}: disable/enable debug support
- CFG_TEE_CORE_LOG_LEVEL={0|1|2|3|4}: define OP-TEE core trace level (0: no trace, 4: overflow of traces) (default is 2: info)
- CFG_TEE_CORE_TA_LEVEL={0|1|2|3|4}: define OP-TEE Trusted Applications (TAs) trace level (default is 1: error)
- CFG_TEE_CORE_TA_TRACE={n|y}: disable/enable TA trace messages at the defined OP-TEE core trace level (default is y)
- CFG_STM32_EARLY_CONSOLE_UART={0|1|2|...}: define the USART instance used for early console trace messages (default is 4)
- CFG_UNWIND={n|y}: disable/enable stack unwind debug trace messages
- CFG_ENABLE_EMBEDDED_TESTS={n|y}: disable/enable embedded tests, used by the xtest tool (default is y)
- CFG_WITH_STATS={n|y}: disable/enable retrieval of OP-TEE statistics through the Stats PTA service.
- CFG_WERROR={n|y}: disable/enable build error trigger on OP-TEE build warning occurrences.
- CFG_TA_GPROF_SUPPORT={n|y}: disable/enable profiling of Trusted Application implementations based on the standard gprof tool
- CFG_FTRACE_SUPPORT={n|y}: disable/enable function trace support in Trusted Applications based on the standard ftrace tool
- CFG_SYSCALL_FTRACE={n|y}: disable/enable support for ftrace syscall graph generation
Information on the configuration switches CFG_TEE_CORE_DEBUG, CFG_TEE_CORE_LOG_LEVEL and CFG_UNWIND can be found in the How_to_debug_OP-TEE article.
2.4. Resource management service configuration switches
In both the Resource Management profile and the Secure Service profile, OP-TEE embeds resource management services that are enabled by default in the STM32MP software delivery. Each can be individually disabled using its related configuration switch:
$(call force,CFG_HWRNG_PTA,n)
2.5. STM32 driver configuration switches
- CFG_STM32_CRYP=y|n:
- CFG_STM32_HASH=y|n:
- CFG_STM32_PKA=y|n:
- CFG_STM32_SAES=y|n:
2.6. Cryptographic operation configuration
Main switches:
- CFG_CRYPTOLIB_NAME=tomcrypt|mbedtls: target software crypto library embedded in OP-TEE core. Default is libtomcrypt.
- CFG_CRYPTO=y|n
Digest and hashing functions:
- CFG_CRYPTO_MD5=y|n
- CFG_CRYPTO_SHA1=y|n
- CFG_CRYPTO_SHA224=y|n
- CFG_CRYPTO_SHA256=y|n
- CFG_CRYPTO_SHA384=y|n
- CFG_CRYPTO_SHA3_224=y|n
- CFG_CRYPTO_SHA3_256=y|n
- CFG_CRYPTO_SHA3_384=y|n
- CFG_CRYPTO_SHA3_512=y|n
- CFG_CRYPTO_SHA512=y|n
- CFG_CRYPTO_SHA512_256=y|n
- CFG_CRYPTO_SHAKE128=y|n
- CFG_CRYPTO_SHAKE256=y|n
- CFG_CRYPTO_SM3=y|n
Symmetric cryptographic algorithms:
- CFG_CRYPTO_AES=y|n
- CFG_CRYPTO_AES_GCM_FROM_CRYPTOLIB=y|n
- CFG_CRYPTO_CBC=y|n
- CFG_CRYPTO_CBC_MAC=y|n
- CFG_CRYPTO_CBC_MAC_BUNDLE_BLOCKS=64
- CFG_CRYPTO_CCM=y|n
- CFG_CRYPTO_CMAC=y|n
- CFG_CRYPTO_CTR=y|n
- CFG_CRYPTO_CTS=y|n
- CFG_CRYPTO_DES=y|n
- CFG_CRYPTO_ECB=y|n
- CFG_CRYPTO_GCM=y|n
- CFG_CRYPTO_XTS=y|n
- CFG_CRYPTO_SM4=y|n
MAC and HMAC algorithms:
- CFG_CRYPTO_HMAC=y|n
Key derivation support:
- CFG_CRYPTO_HKDF=y|n
- CFG_CRYPTO_PBKDF2=y|n
- CFG_CRYPTO_CONCAT_KDF=y|n
- CFG_CRYPTO_HW_PBKDF2=y|n
Asymmetric cryptographic algorithms:
- CFG_CRYPTO_DH=y|n
- CFG_CRYPTO_DSA=y|n
- CFG_CRYPTO_ECC=y|n
- CFG_CRYPTO_ED25519=y|n
- CFG_CRYPTO_RSA=y|n
- CFG_CRYPTO_RSASSA_NA1=y|n
- CFG_CRYPTO_SM2_DSA=y|n
- CFG_CRYPTO_SM2_KEP=y|n
- CFG_CRYPTO_SM2_PKE=y|n
- CFG_CRYPTO_X25519=y|n
- CFG_WITH_SOFTWARE_PRNG=y|n
- CFG_CRYPTO_SIZE_OPTIMIZATION=y|n
- CFG_CRYPTO_DRIVER=y|n
- CFG_CRYPTO_DRIVER_DEBUG=0|...
- CFG_CRYPTO_DRV_ACIPHER=y|n
- CFG_CRYPTO_DRV_CIPHER=y|n
- CFG_CRYPTO_DRV_ECC=y|n
- CFG_CRYPTO_DRV_HASH=y|n
- CFG_CRYPTO_DRV_MAC=y|n
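A release-build check over the debug and test switches of section 2.3 and the cryptographic switches of section 2.6, written as an added example (it is not code from this page or from the OP-TEE project): given the KEY=VALUE pairs as typed on the make command line, it reports every switch whose value is unsuitable for a production TEE image. The defaults applied when a switch is absent are the ones this page states; the policy table and the names cfg_get and optee_release_lint are assumptions of this example.

```shell
# Added example, not from this page or the OP-TEE project: lint the make
# switches of a release build (debug/test switches of 2.3, crypto switches of
# 2.6). Defaults used when a switch is absent are the ones this page states;
# the policy table and the function names are assumptions of this example.

# Value of KEY in the "KEY=VALUE ..." argument list, or DEFAULT when absent.
cfg_get() {
    key=$1; default=$2; shift 2
    for kv in "$@"; do
        case $kv in "$key="*) printf '%s\n' "${kv#*=}"; return 0 ;; esac
    done
    printf '%s\n' "$default"
}

# Rows: SWITCH RELEASE_VALUE PAGE_DEFAULT ("-" when the page states none) WHY
OPTEE_LINT_POLICY='
CFG_TEE_CORE_DEBUG n - debug support compiled into the core
CFG_UNWIND n - stack unwind traces reveal core addresses
CFG_ENABLE_EMBEDDED_TESTS n y embedded xtest self-tests stay in the image
CFG_WITH_STATS n - core statistics exposed through the Stats PTA
CFG_TA_GPROF_SUPPORT n - gprof instrumentation of TAs
CFG_FTRACE_SUPPORT n - ftrace instrumentation of TAs
CFG_SYSCALL_FTRACE n - syscall graph tracing
CFG_WERROR y - warnings must break the build
CFG_CRYPTO_MD5 n - legacy digest offered to TAs
CFG_CRYPTO_SHA1 n - legacy digest offered to TAs
CFG_CRYPTO_DES n - legacy cipher offered to TAs
CFG_WITH_SOFTWARE_PRNG n - software PRNG instead of the hardware RNG
CFG_CRYPTO_DRIVER_DEBUG 0 - crypto driver debug traces
'

# Print one finding per line; return the number of findings (0 = clean).
optee_release_lint() {
    n=0
    while read -r sw want def why; do
        [ -n "$sw" ] || continue
        v=$(cfg_get "$sw" "$def" "$@")
        [ "$v" = "$want" ] && continue
        if [ "$v" = - ]; then echo "$sw unset, no page default: check mk/config.mk ($why)"
        else echo "$sw=$v: $why (release value: $want)"; fi
        n=$((n + 1))
    done <<EOF
$OPTEE_LINT_POLICY
EOF
    # Core trace level: page default is 2 (info); keep it at error-only or silent.
    lvl=$(cfg_get CFG_TEE_CORE_LOG_LEVEL 2 "$@")
    case $lvl in 0|1) ;; *) echo "CFG_TEE_CORE_LOG_LEVEL=$lvl: verbose core traces"; n=$((n + 1)) ;; esac
    return "$n"
}
```

Run it as `optee_release_lint PLATFORM=stm32mp1-135F_DK CFG_TEE_CORE_DEBUG=y ...` with the same arguments that are handed to make; a non-zero return value is the number of findings.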
3. References