OP-TEE configuration switches

Revision as of 17:43, 22 March 2024 by Registered User (→Cryptographic operation configuration: sort crypto algo switches)
Applicable for STM32MP13x lines, STM32MP15x lines, STM32MP25x lines


1. Purpose

This article describes the configuration switches used in OP-TEE OS component.

2. Overview

OP-TEE is presented in the OP-TEE overview and How to configure OP-TEE articles.

The OP-TEE OS build sequence is based on GNU Makefile files. The OP-TEE configuration is set directly from the OP-TEE build process and is based on shell environment variables, which are also used as Makefile variables, as shown in the build command lines below:

 make PLATFORM=stm32mp1-135F_DK
 make PLATFORM=stm32mp1-135F_DK CFG_TEE_CORE_DEBUG=y
 CFG_TEE_CORE_DEBUG=y make PLATFORM=stm32mp1-135F_DK

2.1. Main configuration switches

Some configuration switches are required to build OP-TEE OS: they define the target platform and the target board (that is, the device tree source file to use for that platform):

  • PLATFORM=<platform>
    • Ex: PLATFORM=stm32mp1 for STM32MP1 series
    • Ex: PLATFORM=stm32mp2 for STM32MP2 series
  • CFG_EMBED_DTB_SOURCE_FILE=<device-tree-source-file>: in-tree (core/arch/arm/dts/) device tree filename with its .dts extension.
    • Ex: CFG_EMBED_DTB_SOURCE_FILE=stm32mp157f-dk2.dts

Note that some platform/device-tree source file pairs are predefined in the OP-TEE OS source tree. They can be used as an alternative to CFG_EMBED_DTB_SOURCE_FILE, by giving the configuration switch PLATFORM a platform flavor suffix. For example:

  • PLATFORM=stm32mp1-157F_EV1
    is an equivalent for PLATFORM=stm32mp1 CFG_EMBED_DTB_SOURCE_FILE=stm32mp157f-ev1.dts.
  • PLATFORM=stm32mp1-135F_DK
    is an equivalent for PLATFORM=stm32mp1 CFG_EMBED_DTB_SOURCE_FILE=stm32mp135f-dk.dts.
  • PLATFORM=stm32mp2-257F_DK
    is an equivalent for PLATFORM=stm32mp2 CFG_EMBED_DTB_SOURCE_FILE=stm32mp257f-dk.dts.

The cross-compilation prefixes below are also worth mentioning, as alternatives to the generic CROSS_COMPILE:

  • CROSS_COMPILE32:
    CROSS_COMPILE64:
    The OP-TEE cross-compilation toolchain is set from CROSS_COMPILE. However, for 64-bit targets, OP-TEE can host both 32-bit and 64-bit Trusted Applications; to build the former, CROSS_COMPILE32 shall be set. CROSS_COMPILE64 is used for the 64-bit build; when it is unset, the build makefiles fall back to CROSS_COMPILE.

The STM32MP OP-TEE configuration provides 2 main configuration switches used to select either the resource management profile or the secure service profile. These profiles are described in the OP-TEE core configuration (FIXME: reference to check) article.

  • CFG_STM32_RESOURCE_MANAGEMENT_PROFILE=y
  • CFG_STM32_SECURE_SERVICE_PROFILE=y


2.2. OP-TEE core generic switches

Below are some commonly used OP-TEE generic optional directives, described in the OP-TEE OS mk/config.mk file:

  • CFG_CORE_HEAP_SIZE=<VALUE>: define the byte size of the OP-TEE core memory allocation pool
  • CFG_NUM_THREADS=<VALUE>: define the number of TEE threads provisioned in OP-TEE
  • CFG_REE_FS={n|y}: disable/enable the OP-TEE REE filesystem based secure storage area
  • CFG_RPMB_FS={n|y}: disable/enable the OP-TEE eMMC/RPMB based secure storage area
  • CFG_RPMB_FS_DEV_ID=<VALUE>: define the mmcblk block device used by the REE for eMMC/RPMB accesses
    (e.g. "1" on stm32mp157x-ev1 boards)
  • CFG_WITH_USER_TA={n|y}: disable/enable support for Trusted Applications in OP-TEE secure memory (default is y)
  • CFG_WITH_PAGER={n|y}: disable/enable the OP-TEE core "pager" mode, allowing OP-TEE to execute in a size-constrained internal RAM of a few hundred kBytes. The feature is used only on STM32MP15x lines when secure services are enabled.
  • CFG_PAGED_USER_TA={n|y}: disable/enable support for paged Trusted Applications when CFG_WITH_PAGER is enabled.



When CFG_STM32_SECURE_SERVICE_PROFILE is enabled, the above switches related to secure services are enabled by default. Conversely, when CFG_STM32_RESOURCE_MANAGEMENT_PROFILE is enabled, the above switches related to secure services are disabled.

2.3. Debug related configuration switches

Below are the commonly used OP-TEE generic optional debugging and test directives, described in the OP-TEE OS mk/config.mk file:

  • CFG_TEE_CORE_DEBUG={n|y}: disable/enable debug support
  • CFG_TEE_CORE_LOG_LEVEL={0|1|2|3|4}: define the OP-TEE core trace level (0: no trace, 4: very verbose) (default is 2: info)
  • CFG_TEE_CORE_TA_LEVEL={0|1|2|3|4}: define the OP-TEE Trusted Applications (TAs) trace level (default is 1: error)
  • CFG_TEE_CORE_TA_TRACE={n|y}: disable/enable TA trace messages at the OP-TEE core trace level (default is y)
  • CFG_STM32_EARLY_CONSOLE_UART={0|1|2|...}: define the USART instance used for early console trace messages (default is 4)
  • CFG_UNWIND={n|y}: disable/enable stack unwind debug trace messages
  • CFG_ENABLE_EMBEDDED_TESTS={n|y}: disable/enable embedded tests, used by the xtest tool (default is y)
  • CFG_WITH_STATS={n|y}: disable/enable retrieval of OP-TEE statistics through the Stats PTA service.
  • CFG_WERROR={n|y}: disable/enable treating build warnings as build errors.
  • CFG_TA_GPROF_SUPPORT={n|y}: disable/enable profiling of Trusted Application implementations based on the gprof standard tool
  • CFG_FTRACE_SUPPORT={n|y}: disable/enable function trace support in Trusted Applications based on the ftrace standard tool
  • CFG_SYSCALL_FTRACE={n|y}: disable/enable support for ftrace syscall graph generation


Information on the configuration switches CFG_TEE_CORE_DEBUG, CFG_TEE_CORE_LOG_LEVEL and CFG_UNWIND can be found in the How_to_debug_OP-TEE article.
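The debug switches listed above are exactly the ones a reviewer wants to see turned off before an OP-TEE image ships, since core debug support, verbose traces, embedded xtest hooks and stack unwinding all expose internal state that a release build should not. The POSIX shell script below is an added example, not part of this wiki page or of the OP-TEE project: it reads the CFG_XXX=value lines that the OP-TEE build writes into its conf.mk output file (the out/arm-plat-stm32mp1/conf.mk location is an assumption; the two files used here are constructed stand-ins) and counts the debug-related switches that are still enabled.

```shell
#!/bin/sh
# Added example (not from the STM32 wiki or the OP-TEE project): audit the
# debug and test switches of an OP-TEE build before it is used as a release
# image. The OP-TEE build writes its effective configuration as CFG_XXX=value
# lines into conf.mk in the build output directory (assumed location:
# out/arm-plat-stm32mp1/conf.mk); the two files below are constructed stand-ins.

# Constructed sample: a debug-oriented build (core debug, verbose traces,
# embedded xtest hooks and stack unwinding all enabled).
DEBUG_CONF=$(mktemp)
cat > "$DEBUG_CONF" <<'EOF'
PLATFORM=stm32mp1
PLATFORM_FLAVOR=135F_DK
CFG_EMBED_DTB_SOURCE_FILE=stm32mp135f-dk.dts
CFG_TEE_CORE_DEBUG=y
CFG_TEE_CORE_LOG_LEVEL=4
CFG_ENABLE_EMBEDDED_TESTS=y
CFG_WITH_STATS=n
CFG_UNWIND=y
CFG_WERROR=y
CFG_WITH_PAGER=n
EOF

# Constructed sample: the same board with the debug switches turned off.
RELEASE_CONF=$(mktemp)
cat > "$RELEASE_CONF" <<'EOF'
PLATFORM=stm32mp1
PLATFORM_FLAVOR=135F_DK
CFG_EMBED_DTB_SOURCE_FILE=stm32mp135f-dk.dts
CFG_TEE_CORE_DEBUG=n
CFG_TEE_CORE_LOG_LEVEL=2
CFG_ENABLE_EMBEDDED_TESTS=n
CFG_WITH_STATS=n
CFG_UNWIND=n
CFG_WERROR=y
EOF

# get_cfg FILE SWITCH: print the value of SWITCH (empty when it is not set)
get_cfg() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# audit_release_conf FILE: report each enabled debug/test switch on stderr
# and print the number of findings on stdout (0 means clean).
audit_release_conf() {
    conf_file=$1
    findings=0
    # Boolean switches that should read n in a release build
    for sw in CFG_TEE_CORE_DEBUG CFG_ENABLE_EMBEDDED_TESTS CFG_WITH_STATS CFG_UNWIND; do
        if [ "$(get_cfg "$conf_file" "$sw")" = "y" ]; then
            echo "finding: $sw=y (debug/test feature enabled)" >&2
            findings=$((findings + 1))
        fi
    done
    # A core trace level above the default (2: info) prints internal detail
    # on the console that a release image should not emit
    level=$(get_cfg "$conf_file" CFG_TEE_CORE_LOG_LEVEL)
    if [ -n "$level" ] && [ "$level" -gt 2 ]; then
        echo "finding: CFG_TEE_CORE_LOG_LEVEL=$level (above default 2)" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

echo "debug build findings:   $(audit_release_conf "$DEBUG_CONF")"
echo "release build findings: $(audit_release_conf "$RELEASE_CONF")"
```

Run against a real build, point the script at the conf.mk generated in the OP-TEE output directory instead of the constructed files; the debug sample yields 4 findings (CFG_TEE_CORE_DEBUG, CFG_ENABLE_EMBEDDED_TESTS, CFG_UNWIND and the trace level 4), the release sample yields none.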

2.4. Resource management service configuration switches

In both the Resource Management profile and the Secure Service profile, OP-TEE embeds resource management services that are enabled by default in the STM32MP software delivery. Each can be individually disabled using its related configuration switch, for example:

 $(call force,CFG_HWRNG_PTA,n)

2.5. STM32 driver configuration switches

  • CFG_STM32_CRYP=y|n:
  • CFG_STM32_HASH=y|n:
  • CFG_STM32_PKA=y|n:
  • CFG_STM32_SAES=y|n:

2.6. Cryptographic operation configuration

Main switches:

  • CFG_CRYPTOLIB_NAME=tomcrypt|mbedtls
    Target software crypto library embedded in the OP-TEE core. Default is libtomcrypt.
  • CFG_CRYPTO=y|n

Digest and hashing functions:

  • CFG_CRYPTO_MD5=y|n
  • CFG_CRYPTO_SHA1=y|n
  • CFG_CRYPTO_SHA224=y|n
  • CFG_CRYPTO_SHA256=y|n
  • CFG_CRYPTO_SHA384=y|n
  • CFG_CRYPTO_SHA3_224=y|n
  • CFG_CRYPTO_SHA3_256=y|n
  • CFG_CRYPTO_SHA3_384=y|n
  • CFG_CRYPTO_SHA3_512=y|n
  • CFG_CRYPTO_SHA512=y|n
  • CFG_CRYPTO_SHA512_256=y|n
  • CFG_CRYPTO_SHAKE128=y|n
  • CFG_CRYPTO_SHAKE256=y|n
  • CFG_CRYPTO_SM3=y|n

Symmetric cryptographic algorithms:

  • CFG_CRYPTO_AES=y|n
  • CFG_CRYPTO_AES_GCM_FROM_CRYPTOLIB=y|n
  • CFG_CRYPTO_CBC=y|n
  • CFG_CRYPTO_CBC_MAC=y|n
    • CFG_CRYPTO_CBC_MAC_BUNDLE_BLOCKS=64
  • CFG_CRYPTO_CCM=y|n
  • CFG_CRYPTO_CMAC=y|n
  • CFG_CRYPTO_CTR=y|n
  • CFG_CRYPTO_CTS=y|n
  • CFG_CRYPTO_DES=y|n
  • CFG_CRYPTO_ECB=y|n
  • CFG_CRYPTO_GCM=y|n
  • CFG_CRYPTO_XTS=y|n
  • CFG_CRYPTO_SM4=y|n

MAC and HMAC algorithms:

  • CFG_CRYPTO_HMAC=y|n

Key derivation support:

  • CFG_CRYPTO_HKDF=y|n
  • CFG_CRYPTO_PBKDF2=y|n
  • CFG_CRYPTO_CONCAT_KDF=y|n
  • CFG_CRYPTO_HW_PBKDF2=y|n

Asymmetric cryptographic algorithms:

  • CFG_CRYPTO_DH=y|n
  • CFG_CRYPTO_DSA=y|n
  • CFG_CRYPTO_ECC=y|n
  • CFG_CRYPTO_ED25519=y|n
  • CFG_CRYPTO_RSA=y|n
  • CFG_CRYPTO_RSASSA_NA1=y|n
  • CFG_CRYPTO_SM2_DSA=y|n
  • CFG_CRYPTO_SM2_KEP=y|n
  • CFG_CRYPTO_SM2_PKE=y|n
  • CFG_CRYPTO_X25519=y|n

Crypto driver and miscellaneous switches:

  • CFG_WITH_SOFTWARE_PRNG=y|n
  • CFG_CRYPTO_SIZE_OPTIMIZATION=y|n
  • CFG_CRYPTO_DRIVER=y|n
  • CFG_CRYPTO_DRIVER_DEBUG=0|...
  • CFG_CRYPTO_DRV_ACIPHER=y|n
  • CFG_CRYPTO_DRV_CIPHER=y|n
  • CFG_CRYPTO_DRV_ECC=y|n
  • CFG_CRYPTO_DRV_HASH=y|n
  • CFG_CRYPTO_DRV_MAC=y|n

3. References