Lines Matching +full:builds +full:- +full:cache +full:-
1 # Default configuration values for OP-TEE core (all platforms).
3 # Platform-specific overrides are in core/arch/arm32/plat-*/conf.mk.
4 # Some subsystem-specific defaults are not here but rather in */sub.mk.
12 # 4. The platform-specific configuration file: core/arch/arm32/plat-*/conf.mk
14 # 6. Subsystem-specific makefiles (*/sub.mk)
16 # Actual values used during the build are output to $(out-dir)/conf.mk
19 # Cross-compiler prefix and suffix
21 CROSS_COMPILE ?= arm-linux-gnueabihf-
22 # Don't cross-compile if building on aarch64 natively
23 ifneq ($(shell uname -m),aarch64)
24 CROSS_COMPILE64 ?= aarch64-linux-gnu-
28 CROSS_COMPILE ?= riscv-linux-gnu-
29 CROSS_COMPILE64 ?= riscv64-linux-gnu-
50 # Define DEBUG=1 to compile without optimization (forces -O0)
58 # CFG_CC_OPT_LEVEL sets compiler optimization level passed with -O directive.
82 # If user-mode library libutils.a is built with CFG_TEE_TA_LOG_LEVEL=0,
98 # - To debug user-mode (TA) allocations: build OP-TEE *and* the TA with:
100 # - To debug TEE core allocations: build OP-TEE with:
119 CFG_TEE_API_VERSION ?= GPD-1.1-dev
121 # Implementation description (implementation-dependent)
137 TEE_IMPL_VERSION ?= $(shell git describe --always --dirty=-dev 2>/dev/null || \
164 # Enable roll-back protection of REE file system using RPMB.
165 # Roll-back protection only works if CFG_RPMB_FS = y.
167 $(eval $(call cfg-depends-all,CFG_REE_FS_INTEGRITY_RPMB,CFG_RPMB_FS))
170 # The exact meaning of this value is platform-dependent. On Linux, the
171 # tee-supplicant process will open /dev/mmcblk<id>rpmb
177 # - More memory required on heap. A single FAT entry currently has a size of
179 # - Potentially significant speed-ups for RPMB I/O. Depending on how many
180 # entries a function needs to traverse, the number of time-consuming RPMB
181 # read-in operations can be reduced.
182 # Choosing a proper value is both platform- (available memory) and use-case-
188 # When enabled, the cache stores the first 'CFG_RPMB_FS_CACHE_ENTRIES' FAT FS
189 # entries. The cache is populated when FAT FS entries are initially read in.
190 # When traversing the FAT FS entries, we read from the cache instead of reading
192 # written, the cache is updated. In scenarios where an estimate of the number
193 # of FAT FS entries can be made, the cache may be specifically tailored to
202 # depending on how many elements are in the cache, and additional temporary
204 # in case the cache is too small to hold all elements when traversing.
219 # Do *NOT* enable this in product builds, as doing so would allow the TEE to
222 # - Testing
223 # - RPMB key provisioning in a controlled environment (factory setup)
226 # For the kernel driver to enable in-kernel RPMB routing it must know in
227 # advance that OP-TEE supports it. Setting CFG_RPMB_ANNOUNCE_PROBE_CAP=y
228 # will announce OP-TEE's capability for RPMB probing to the kernel and it
229 # will use in-kernel RPMB routing, without it all RPMB commands will be
230 # routed to tee-supplicant. This option is intended to give some control over
234 _CFG_WITH_SECURE_STORAGE := $(call cfg-one-enabled,CFG_REE_FS CFG_RPMB_FS)
236 # Signing key for OP-TEE TA's
239 # TA_PUBLIC_KEY's public key will be embedded into OP-TEE OS.
247 # BINARY = <TA-uuid-string>
249 # TA_SUBKEY_ARGS = --subkey subkey.bin --name subkey_ta
257 # Include lib/libutils/compiler-rt in the build. Most platforms need this.
259 # may invoke to perform low-level operations such as long long division
261 # has libgcc, Clang has compiler-rt). OP-TEE often can't use them because
262 # they may be Linux-specific or bring unwanted dependencies. Therefore,
263 # this imports and builds only what's needed.
267 # ARM32: EABI defines both a soft-float ABI and a hard-float ABI,
268 # hard-float is basically a super set of soft-float. Hard-float
269 # requires all the support routines provided for soft-float, but the
271 # the floating-point registers instead.
272 # ARM64: EABI doesn't define a soft-float ABI, everything is hard-float (or
273 # nothing with ` -mgeneral-regs-only`)
281 # Note that 32-bit ARM code needs unwind tables for this to work, so enabling
282 # this option will increase the size of the 32-bit TEE binary by a few KB.
283 # Similarly, TAs have to be compiled with -funwind-tables (default when the
285 # Warning: since the unwind sequence for user-mode (TA) code is implemented in
286 # the privileged layer of OP-TEE, enabling this feature will weaken the
287 # user/kernel isolation. Therefore it should be disabled in release builds.
298 # Choosing the architecture(s) of user-mode libraries (used by TAs)
300 # Platforms may define a list of supported architectures for user-mode code
301 # by setting $(supported-ta-targets). Valid values are "ta_arm32", "ta_arm64",
303 # $(supported-ta-targets) defaults to "ta_arm32" when the TEE core is 32-bits,
304 # and "ta_arm32 ta_arm64" when it is 64-bits (that is, when CFG_ARM64_core=y).
305 # The first entry in $(supported-ta-targets) has a special role, see
306 # CFG_USER_TA_TARGET_<ta-name> below.
308 # CFG_USER_TA_TARGETS may be defined to restrict $(supported-ta-targets) or
311 # The list of TA architectures is ultimately stored in $(ta-targets).
313 # CFG_USER_TA_TARGET_<ta-name> (for example, CFG_USER_TA_TARGET_avb), if
314 # defined, selects the unique TA architecture mode for building the in-tree TA
315 # <ta-name>. Can be either ta_arm32 or ta_arm64.
316 # By default, in-tree TAs are built using the first architecture specified in
317 # $(ta-targets).
319 # Address Space Layout Randomization for user-mode Trusted Applications
341 # This flag enables the compiler stack protection mechanisms -fstack-protector.
345 # - A character array larger than 8 bytes.
346 # - An 8-bit integer array larger than 8 bytes.
347 # - A call to alloca() with either a variable size or a constant size bigger
350 # This enables the stack protector flag -fstack-protector-strong. Stack protector
352 # - An array of any size and type.
353 # - A call to alloca().
354 # - A local variable that has its address taken.
356 # This enables the stack protector flag -fstack-protector-all. Stack protector canary
364 _CFG_CORE_STACK_PROTECTOR := $(call cfg-one-enabled, CFG_CORE_STACK_PROTECTOR \
367 _CFG_TA_STACK_PROTECTOR := $(call cfg-one-enabled, CFG_TA_STACK_PROTECTOR \
371 # Load user TAs from the REE filesystem via tee-supplicant
374 # Pre-authentication of TA binaries loaded from the REE filesystem
376 # - If CFG_REE_FS_TA_BUFFERED=y: load TA binary into a temporary buffer in the
379 # - If disabled: hash the binaries as they are being processed and verify the
382 $(eval $(call cfg-depends-all,CFG_REE_FS_TA_BUFFERED,CFG_REE_FS_TA))
386 # anti-rollback errors. That is, rm /data/tee/dirf.db or rm -rf /data/tee (or
387 # whatever path is configured in tee-supplicant as CFG_TEE_FS_PARENT_PATH)
395 # Such TAs are available even before tee-supplicant is available (hence their
396 # name), but note that many services exported to TAs may need tee-supplicant,
401 # EARLY_TA_PATHS="path/to/8aaaf200-2450-11e4-abe2-0002a5d5c51b.stripped.elf \
402 # path/to/cb3e5ba0-adf1-11e0-998b-0002a5d5c51b.stripped.elf"
409 # $ make EARLY_TA_PATHS=<paths> # Build OP-TEE and embed the TA(s)
412 # in-tree TAs. CFG_IN_TREE_EARLY_TAS is formatted as:
413 # <name-of-ta>/<uuid>
414 # for instance avb/023f8f1a-292a-432b-8fc4-de8471358067
465 CFG_CORE_BGET_BESTFIT ?= $(call cfg-one-enabled, CFG_WITH_PAGER CFG_LOCKDEP)
477 ifeq (y-y,$(CFG_CORE_SANITIZE_KADDRESS)-$(CFG_CORE_ASLR))
512 # read-only section of the core.
528 # This option enables OP-TEE to support boot arguments handover via Transfer
545 $(eval $(call cfg-depends-all,CFG_DT_CACHED_NODE_INFO,CFG_EMBED_DTB))
562 ifeq (y-y,$(CFG_EXTERNAL_DTB_OVERLAY)-$(CFG_GENERATE_DTB_OVERLAY))
565 _CFG_USE_DTB_OVERLAY := $(call cfg-one-enabled,CFG_EXTERNAL_DTB_OVERLAY \
575 CFG_TRANSFER_LIST_TEST ?= $(call cfg-all-enabled,CFG_TRANSFER_LIST \
594 # CFG_WITH_STATS when enabled embeds PTA statistics service to allow non-secure
603 # This option enables OP-TEE to respond to SMP boot request: the Rich OS
604 # issues this to request OP-TEE to release secondary cores out of reset,
605 # with specific core number and non-secure entry address.
616 # When this option is enabled, OP-TEE can execute Trusted Applications
617 # instrumented with GCC's -pg flag and will output profiling information
618 # in gmon.out format to /tmp/gmon-<ta_uuid>.out (path is defined in
619 # tee-supplicant)
628 # When this option is enabled, OP-TEE can execute Trusted Applications
629 # instrumented with GCC's -pg flag and will output function tracing
630 # information for all functions compiled with -pg to
631 # /tmp/ftrace-<ta_uuid>.out (path is defined in tee-supplicant).
635 # When this option is enabled, OP-TEE core is instrumented with GCC's
636 # -pg flag and will output syscall function graph in user TA ftrace
639 $(call cfg-depends-all,CFG_SYSCALL_FTRACE,CFG_FTRACE_SUPPORT)
641 # Enable to compile user TA libraries with profiling (-pg).
654 # - Static libraries are still generated when this is enabled, but TAs will use
655 # the shared libraries unless explicitly linked with the -static flag.
656 # - Shared libraries are made of two files: for example, libutee is
657 # libutee.so and 527f1a47-b92c-4a74-95bd-72f19f4a6f74.ta. The '.so' file
663 ifeq (y-y,$(CFG_TA_GPROF_SUPPORT)-$(CFG_ULIBS_SHARED))
671 # Enable Secure Data Path support in OP-TEE core (TA may be invoked with
678 CFG_SECSTOR_TA ?= $(call cfg-all-enabled,CFG_REE_FS CFG_WITH_USER_TA)
679 $(eval $(call cfg-depends-all,CFG_SECSTOR_TA,CFG_REE_FS CFG_WITH_USER_TA))
682 CFG_SECSTOR_TA_MGMT_PTA ?= $(call cfg-all-enabled,CFG_SECSTOR_TA)
683 $(eval $(call cfg-depends-all,CFG_SECSTOR_TA_MGMT_PTA,CFG_SECSTOR_TA))
686 # GlobalPlatform TEE Internal Core API (for example, re-seeding RNG entropy
689 $(eval $(call cfg-depends-all,CFG_SYSTEM_PTA,CFG_WITH_USER_TA))
698 $(eval $(call cfg-depends-all,CFG_ATTESTATION_PTA,_CFG_WITH_SECURE_STORAGE))
701 # other algorithm parameters (RSA PSS with SHA-256 and 32-byte salt), but
703 # See https://tools.ietf.org/html/rfc8017#section-8.1.1 and
704 # https://tools.ietf.org/html/rfc8017#section-9.1.1
706 # emLen = ceil((modBits - 1) / 8) => emLen is the key size in bytes
722 # non-secure memory).
730 # paddr_t as a 64-bit type.
764 # the non-secure world. OP-TEE will not work without a compatible hypervisor
765 # in the non-secure world if this option is enabled.
799 # to a TA or FF-A SP, so a TPM Service could use it to extend any measurement
827 $(eval $(call cfg-depends-all,CFG_SCMI_MSG_SMT_FASTCALL_ENTRY,CFG_SCMI_MSG_SMT))
828 $(eval $(call cfg-depends-all,CFG_SCMI_MSG_SMT_INTERRUPT_ENTRY,CFG_SCMI_MSG_SMT))
829 $(eval $(call cfg-depends-one,CFG_SCMI_MSG_SMT_THREAD_ENTRY,CFG_SCMI_MSG_SMT CFG_SCMI_MSG_SHM_MSG))
839 # from SCP-firmware package as a built-in SCMI stack in core. This
841 # CFG_SCMI_SCPFW_PRODUCT and the SCP-firmware source tree path with
856 # in SCP-firmware that will retrieve resources in "scmi" fdt node.
858 $(eval $(call cfg-depends-all,CFG_SCMI_SCPFW_FROM_DT,CFG_SCMI_SCPFW CFG_EMBED_DTB))
860 ifeq ($(CFG_SCMI_MSG_DRIVERS)-$(CFG_SCMI_SCPFW),y-y)
868 $(eval $(call cfg-depends-all,CFG_SCMI_MSG_USE_CLK,CFG_DRIVERS_CLK CFG_SCMI_MSG_DRIVERS))
889 # the API. For example preventing buffers in non-secure shared memory when
900 # Pseudo-TA to export hardware RNG output to Normal World
904 # Output rate of hw_get_random_bytes() in bytes per second, 0: not rate-limited
920 # When enabled, CFG_DRIVERS_CLK embeds a clock framework in OP-TEE core.
924 # CFG_DRIVERS_CLK_FIXED add support for "fixed-clock" compatible clocks
927 # state on OP-TEE core console with the info trace level.
929 CFG_DRIVERS_CLK_DT ?= $(call cfg-all-enabled,CFG_DRIVERS_CLK CFG_DT)
934 $(eval $(call cfg-depends-all,CFG_DRIVERS_CLK_DT,CFG_DRIVERS_CLK CFG_DT))
935 $(eval $(call cfg-depends-all,CFG_DRIVERS_CLK_FIXED,CFG_DRIVERS_CLK_DT))
938 # OP-TEE core to provide reset controls on subsystems of the devices.
942 # OP-TEE core to provide GPIO support for drivers.
953 # OP-TEE core to provide drivers a way to apply pin muxing configurations based
954 # on device-tree.
958 # OP-TEE core to provide drivers a common regulator interface and describe
962 # DT compatible "regulator-fixed" devices.
965 # DT compatible "regulator-gpio" devices.
968 # regulator tree state on OP-TEE core console with the info trace level.
974 $(eval $(call cfg-enable-all-depends,CFG_REGULATOR_FIXED, \
976 $(eval $(call cfg-enable-all-depends,CFG_REGULATOR_GPIO, \
979 # When enabled, CFG_INSECURE permits insecure configuration of OP-TEE core
984 # is that the one making products based on OP-TEE should override this flag in
985 # plat-xxx/conf.mk for the platform they're basing their products on after
986 # they've finalized implementing stubbed functionality (see OP-TEE
1013 # --enable-standard-branch-protection is needed to use this option.
1016 $(eval $(call cfg-depends-all,CFG_CORE_BTI,CFG_ARM64_core))
1022 $(eval $(call cfg-depends-all,CFG_TA_BTI,CFG_ARM64_core))
1024 ifeq (y-y,$(CFG_NS_VIRTUALIZATION)-$(call cfg-one-enabled, CFG_TA_BTI CFG_CORE_BTI))
1028 ifeq (y-y,$(CFG_PAGED_USER_TA)-$(CFG_TA_BTI))
1034 # CFG_CORE_SANITIZE_KADDRESS which covers both S-EL1 and S-EL0.
1037 $(eval $(call cfg-depends-all,CFG_MEMTAG,CFG_ARM64_core))
1038 ifeq (y-y,$(CFG_CORE_SANITIZE_KADDRESS)-$(CFG_MEMTAG))
1041 ifeq (y-y,$(CFG_WITH_PAGER)-$(CFG_MEMTAG))
1047 # For RISC-V architecture, CSR {m|s}status.SUM bit is used to implement PAN.
1050 $(eval $(call cfg-depends-one,CFG_PAN,CFG_ARM64_core CFG_RV64_core CFG_RV32_core))
1054 # FF-A case, handled via the FF-A ABI
1067 # Callout by default disabled for SPMC at S-EL2 since Hafnium may crash,
1076 CFG_NOTIF_TEST_WD ?= $(call cfg-all-enabled,CFG_ENABLE_EMBEDDED_TESTS \
1078 $(eval $(call cfg-depends-all,CFG_NOTIF_TEST_WD,CFG_CALLOUT \
1081 $(eval $(call cfg-enable-all-depends,CFG_MEMPOOL_REPORT_LAST_OFFSET, \
1099 $(eval $(call cfg-depends-all,CFG_CORE_PAUTH,CFG_ARM64_core))
1100 $(eval $(call cfg-depends-all,CFG_TA_PAUTH,CFG_ARM64_core))
1102 ifeq (y-y,$(CFG_NS_VIRTUALIZATION)-$(CFG_CORE_PAUTH))
1105 ifeq (y-y,$(CFG_NS_VIRTUALIZATION)-$(CFG_TA_PAUTH))
1109 ifeq (y-y,$(CFG_TA_GPROF_SUPPORT)-$(CFG_TA_PAUTH))
1113 ifeq (y-y,$(CFG_FTRACE_SUPPORT)-$(CFG_TA_PAUTH))
1118 # This watchdog will then be usable by non-secure world through SMC calls.
1121 # Enable watchdog SMC handling compatible with arm-smc-wdt Linux driver
1124 $(eval $(call cfg-enable-all-depends,CFG_WDT_SM_HANDLER,CFG_WDT))
1127 # arm-smc-wdt service. Platform can also override this ID with a platform
1128 # specific SMC function ID to access arm-smc-wdt service thanks to
1140 # Enable PTA for RTC access from non-secure world
1143 # Enable the FF-A SPMC tests in xtests
1146 # Allocate the translation tables needed to map the S-EL0 application
1149 ifeq (y-y,$(CFG_CORE_PREALLOC_EL0_TBLS)-$(CFG_WITH_PAGER))
1154 # mapping page table cache used for Trusted Application mapping.
1174 # When this option is enabled, OP-TEE provides a debug method for
1184 # Enables TEE Internal Core API v1.1 compatibility for in-tree TAs. Note
1186 # this set that are affected. Each out-of-tree must set this to enable
1188 # preserved in the TA dev-kit.
1195 # Testcases: - PerInstance/SigningOperationsTest#
1196 # - PerInstance/NewKeyGenerationTest#
1197 # - PerInstance/ImportKeyTest#
1198 # - PerInstance/EncryptionOperationsTest#
1199 # - PerInstance/AttestationTest#
1207 # Testcases: - PerInstance/EncryptionOperationsTest.RsaNoPaddingSuccess
1209 # to NIST SP800-56B recommendation and be in the range 65537 <= e < 2^256.
1215 $(eval $(call cfg-depends-all,CFG_CRYPTO_HW_PBKDF2,CFG_CRYPTO_PBKDF2))
1223 $(eval $(call cfg-depends-all,CFG_MULTI_CORE_HALTING,CFG_GIC))
1229 $(eval $(call cfg-depends-all,CFG_HALT_CORES_ON_PANIC,CFG_MULTI_CORE_HALTING))
1246 # DTB as OP-TEE HUK.
1248 $(eval $(call cfg-depends-all,CFG_WIDEVINE_HUK,CFG_DT))
1251 # DT node "/options/op-tee/widevine" to some specific TAs.
1253 $(eval $(call cfg-depends-all,CFG_WIDEVINE_PTA,CFG_DT CFG_WIDEVINE_HUK))
1272 # When CFG_SEMIHOSTING_CONSOLE_FILE=NULL, OP-TEE console reads/writes
1274 # When CFG_SEMIHOSTING_CONSOLE_FILE="{your_log_file}", OP-TEE console
1290 # CFG_FFA_CONSOLE, when enabled, embeds a FFA console driver. OP-TEE console
1296 # value set by CFG_CONSOLE_RUNTIME_LOG_LEVEL after OP-TEE has finished booting.
1303 # timing attacks, 'safe' one is designed to take constant-time that is
1320 # CFG_EXTERNAL_ABORT_PLAT_HANDLER is used to implement platform-specific
# NOTE(review): the other cfg-depends-all calls in this listing pass their
# dependencies as one space-separated second argument (for example
# "CFG_REE_FS CFG_WITH_USER_TA"). Here CFG_SECURE_DATA_PATH follows a comma, so
# it is passed as a separate third argument -- confirm against the
# cfg-depends-all definition that it is actually checked, otherwise
# CFG_CORE_DYN_PROTMEM would only be validated against CFG_CORE_DYN_SHM.
1333 $(eval $(call cfg-depends-all,CFG_CORE_DYN_PROTMEM,CFG_CORE_DYN_SHM,CFG_SECURE_DATA_PATH))