Lines Matching refs:to
5 otherwise, these options are expected to be specified at the build command
6 line and are not to be modified in any component makefiles. Note that the
17 compiler should use. Valid values are T32 and A32. It defaults to T32 due to
20 - ``AARCH32_SP`` : Choose the AArch32 Secure Payload component to be built as
21 as the BL32 image when ``ARCH=aarch32``. The value should be the path to the
22 directory containing the SP source, relative to the ``bl32/``; the directory
23 is expected to contain a makefile called ``<aarch32_sp-value>.mk``.
25 - ``AMU_RESTRICT_COUNTERS``: Register reads to the group 1 counters will return
31 ``aarch64`` or ``aarch32`` as values. By default, it is defined to
36 and defaults to ``none``. It translates into compiler option
40 - ``ARM_ARCH_MAJOR``: The major version of Arm Architecture to target when
41 compiling TF-A. Its value must be numeric, and defaults to 8 . See also,
45 - ``ARM_ARCH_MINOR``: The minor version of Arm Architecture to target when
46 compiling TF-A. Its value must be a numeric, and defaults to 0. See also,
49 - ``ARM_BL2_SP_LIST_DTS``: Path to DTS file snippet to override the hardcoded
52 - ``ARM_SPMC_MANIFEST_DTS`` : path to an alternate manifest file used as the
55 - ``BL2``: This is an optional build option which specifies the path to BL2
59 - ``BL2U``: This is an optional build option which specifies the path to
62 - ``RESET_TO_BL2``: Boolean option to enable BL2 entrypoint as the CPU reset
63 vector instead of the BL1 entrypoint. It can take the value 0 (CPU reset to BL1
64 entrypoint) or 1 (CPU reset to BL2 entrypoint).
67 - ``BL2_RUNS_AT_EL3``: This is an implicit flag to denote that BL2 runs at EL3.
68 While it is explicitly set to 1 when RESET_TO_BL2 is set to 1 it can also be
71 - ``BL2_ENABLE_SP_LOAD``: Boolean option to enable loading SP packages from the
75 (XIP) memory, like BL1. In these use-cases, it is necessary to initialize
78 when RESET_TO_BL2 is set to '1'.
80 - ``BL31``: This is an optional build option which specifies the path to
86 ``SAVE_KEYS=1``, only a file is accepted and it will be used to save the key.
88 - ``BL32``: This is an optional build option which specifies the path to
92 - ``BL32_EXTRA1``: This is an optional build option which specifies the path to
95 - ``BL32_EXTRA2``: This is an optional build option which specifies the path to
100 ``SAVE_KEYS=1``, only a file is accepted and it will be used to save the key.
103 It specifies the path to RMM binary for the ``fip`` target. If the RMM option
104 is not specified, TF-A builds the TRP to load and run at R-EL2.
106 - ``BL33``: Path to BL33 image in the host file system. This is mandatory for
111 ``SAVE_KEYS=1``, only a file is accepted and it will be used to save the key.
113 - ``BRANCH_PROTECTION``: Numeric value to enable ARMv8.3 Pointer Authentication
115 If enabled, it is needed to use a compiler that supports the option
118 emitted (HINT space or not). Selects the branch protection features to use:
121 - 2: Return address signing to its standard level
122 - 3: Extend the signing to include leaf functions
146 This option defaults to 0.
150 - ``BUILD_MESSAGE_TIMESTAMP``: String used to identify the time and date of the
151 compilation of each build. It must be set to a C string (including quotes
152 where applicable). Defaults to a string that contains the time and date of
156 build to be uniquely identified. Defaults to the current git commit id.
158 - ``BUILD_BASE``: Output directory for the build. Defaults to ``./build``
161 addition to the options set by the build system.
167 need to distinguish between primary and secondary CPUs and the boot path can
170 to be implemented in this case.
173 Defaults to ``tbbr``.
177 BL31. This option defaults to the value of ``DEBUG`` - i.e. by default
181 certificate generation tool to create new keys in case no valid keys are
184 - ``CTX_INCLUDE_AARCH32_REGS`` : Boolean option that, when set to 1, will cause
185 the AArch32 system registers to be included when saving and restoring the
186 CPU context. The option must be set to 0 for AArch64-only platforms (that
190 - ``CTX_INCLUDE_FPREGS``: Boolean option that, when set to 1, will cause the FP
191 registers to be included when saving and restoring the CPU context. Default
194 - ``CTX_INCLUDE_MPAM_REGS``: Boolean option that, when set to 1, will cause the
196 registers to be included when saving and restoring the CPU context.
200 registers to be saved/restored when entering/exiting an EL2 execution
201 context. This flag can take values 0 to 2, to align with the
204 - ``CTX_INCLUDE_PAUTH_REGS``: Numeric value to enable the Pointer
206 to be included when saving and restoring the CPU context as part of world
208 can take values 0 to 2, to align with ``ENABLE_FEAT`` mechanism. Default value
215 - ``CTX_INCLUDE_SVE_REGS``: Boolean option that, when set to 1, will cause the
216 SVE registers to be included when saving and restoring the CPU context. Note
217 that this build option requires ``ENABLE_SVE_FOR_SWD`` to be enabled. In
218 general, it is recommended to perform SVE context management in lower ELs
219 and skip in EL3 due to the additional cost of maintaining large data
220 structures to track the SVE state. Hence, the default value is 0.
225 - ``DECRYPTION_SUPPORT``: This build flag enables the user to select the
226 authenticated decryption algorithm to be used to decrypt firmware/s during
228 this flag is ``none`` to disable firmware decryption which is an optional
231 - ``DISABLE_BIN_GENERATION``: Boolean option to disable the generation
232 of the binary image. If set to 1, then only the ELF image is built.
235 - ``DISABLE_MTPMU``: Numeric option to disable ``FEAT_MTPMU`` (Multi Threaded
237 This flag can take values 0 to 2, to align with the ``ENABLE_FEAT``
240 - ``DYN_DISABLE_AUTH``: Provides the capability to dynamically disable Trusted
241 Board Boot authentication at runtime. This option is meant to be enabled only
243 flag has to be enabled. 0 is the default.
245 - ``E``: Boolean option to make warnings into errors. Default is 1.
248 defaults to 0. This is done to encourage contributors to use them, as they
249 are expected to produce warnings that would otherwise fail the build. New
250 contributions are still expected to build with ``W=0`` and ``E=1`` (the
253 - ``EARLY_CONSOLE``: This option is used to enable early traces before default
256 otherwise. To use this feature, platforms will have to create the function
262 payload. Please refer to the "Booting an EL3 payload" section for more
269 - ``ENABLE_ASSERTIONS``: This option controls whether or not calls to ``assert()``
270 are compiled out. For debug builds, this option defaults to 1, and calls to
271 ``assert()`` are left in place. For release builds, this option defaults to 0
272 and calls to ``assert()`` function are compiled out. This option can be set
273 independently of ``DEBUG``. It can also be used to hide any auxiliary code
277 - ``ENABLE_BACKTRACE``: This option controls whether to enable backtrace
282 reason enabling this option in AArch32 will force the compiler to only
287 - ``ENABLE_FEAT_AMU``: Numeric value to enable Activity Monitor Unit
288 extensions. This flag can take the values 0 to 2, to align with the
291 and this option can be used to enable this feature on those systems as well.
292 This flag can take the values 0 to 2, the default is 0.
294 - ``ENABLE_FEAT_AMUv1p1``: Numeric value to enable the ``FEAT_AMUv1p1``
296 onwards. This flag can take the values 0 to 2, to align with the
299 - ``ENABLE_FEAT_CLRBHB``: Numeric value to enable the CLRBHB instruction.
300 Clear Branch History clears the branch history for the current context to
304 This flag can take the values of 0 to 2, to align with the ``ENABLE_FEAT`` mechanism.
307 - ``ENABLE_FEAT_CPA2``: Numeric value to enable the ``FEAT_CPA2`` extension.
310 an optional feature starting from Arm v9.4 and This flag can take values 0 to
311 2, to align with the ``ENABLE_FEAT`` mechanism. Default value is ``0``.
313 - ``ENABLE_FEAT_CSV2_2``: Numeric value to enable the ``FEAT_CSV2_2``
314 extension. It allows access to the SCXTNUM_EL2 (Software Context Number)
317 0 to 2, to align with the ``ENABLE_FEAT`` mechanism.
320 - ``ENABLE_FEAT_CSV2_3``: Numeric value to enable support for ``FEAT_CSV2_3``
324 The flag can take values 0 to 2, to align with the ``ENABLE_FEAT``
327 - ``ENABLE_FEAT_DEBUGV8P9``: Numeric value to enable ``FEAT_DEBUGV8P9``
328 extension which allows the ability to implement more than 16 breakpoints
330 from v8.8. This flag can take the values of 0 to 2, to align with the
333 - ``ENABLE_FEAT_DIT``: Numeric value to enable ``FEAT_DIT`` (Data Independent
336 and upwards. This flag can take the values 0 to 2, to align with the
339 - ``ENABLE_FEAT_ECV``: Numeric value to enable support for the Enhanced Counter
340 Virtualization feature, allowing for access to the CNTPOFF_EL2 (Counter-timer
341 Physical Offset register) during EL2 to EL3 context save/restore operations.
343 This flag can take the values 0 to 2, to align with the ``ENABLE_FEAT``
346 - ``ENABLE_FEAT_FPMR``: Numerical value to enable support for Floating Point
347 Mode Register feature, allowing access to the FPMR register. FPMR register
349 feature from v9.2 and upwards. This flag can take value of 0 to 2, to align
352 - ``ENABLE_FEAT_FGT``: Numeric value to enable support for FGT (Fine Grain Traps)
353 feature allowing for access to the HDFGRTR_EL2 (Hypervisor Debug Fine-Grained
354 Read Trap Register) during EL2 to EL3 context save/restore operations.
356 This flag can take the values 0 to 2, to align with the ``ENABLE_FEAT``
359 - ``ENABLE_FEAT_FGT2``: Numeric value to enable support for FGT2
360 (Fine Grain Traps 2) feature allowing for access to Fine-grained trap 2 registers
361 during EL2 to EL3 context save/restore operations.
363 This flag can take the values 0 to 2, to align with the ``ENABLE_FEAT``
366 - ``ENABLE_FEAT_FGWTE3``: Numeric value to enable support for
367 Fine Grained Write Trap EL3 (FEAT_FGWTE3), a feature that allows EL3 to
370 system registers that are not expected to be overwritten after boot.
372 Armv9.4 onwards. This flag can take values from 0 to 2, aligning with
376 This feature currently traps access to all EL3 registers in
380 If additional traps need to be disabled for specific platforms,
383 - ``ENABLE_FEAT_HCX``: Numeric value to set the bit SCR_EL3.HXEn in EL3 to
384 allow access to HCRX_EL2 (extended hypervisor control register) from EL2 as
385 well as adding HCRX_EL2 to the EL2 context save/restore operations. Its a
387 flag can take the values 0 to 2, to align with the ``ENABLE_FEAT``
390 - ``ENABLE_FEAT_IDTE3``: Numeric value to set SCR_EL3.TID3/TID5 bits which
391 enables trapping of ID register reads by lower ELs to EL3. This allows EL3
392 to control the feature visibility to lower ELs by returning a sanitized value
393 based on current feature enablement status. Hypervisors are expected to
395 values 0 to 2, to align with the ``ENABLE_FEAT`` mechanism.
399 This feature traps all lower EL accesses to Group 3 and Group 5
400 ID registers to EL3. This can incur a performance impact and platforms
403 - ``ENABLE_FEAT_MOPS``: Numeric value to enable FEAT_MOPS (Standardization
408 we expect EL2 to be present. But in case of INIT_UNUSED_NS_EL2=1 ,
410 can take values 0 to 2, to align with the ``ENABLE_FEAT`` mechanism.
413 - ``ENABLE_FEAT_MTE2``: Numeric value to enable Memory Tagging Extension2
414 if the platform wants to use this feature and MTE2 is enabled at ELX.
415 This flag can take values 0 to 2, to align with the ``ENABLE_FEAT``
418 - ``ENABLE_FEAT_PAN``: Numeric value to enable the ``FEAT_PAN`` (Privileged
419 Access Never) extension. ``FEAT_PAN`` adds a bit to PSTATE, generating a
420 permission fault for any privileged data access from EL1/EL2 to virtual
423 flag can take values 0 to 2, to align with the ``ENABLE_FEAT``
426 - ``ENABLE_FEAT_PAUTH_LR``: Numeric value to enable the ``FEAT_PAUTH_LR``
428 onwards. This feature requires PAUTH to be enabled via the
429 ``BRANCH_PROTECTION`` flag. This flag can take the values 0 to 2, to align
432 - ``ENABLE_FEAT_RNG``: Numeric value to enable the ``FEAT_RNG`` extension.
434 flag can take the values 0 to 2, to align with the ``ENABLE_FEAT``
437 - ``ENABLE_FEAT_RNG_TRAP``: Numeric value to enable the ``FEAT_RNG_TRAP``
439 take values 0 to 2, to align with the ``ENABLE_FEAT`` mechanism.
443 - ``ENABLE_FEAT_SB``: Boolean option to let the TF-A code use the ``FEAT_SB``
445 defaults to ``0`` for pre-Armv8.5 CPUs, but is mandatory for Armv8.5 or
449 - ``ENABLE_FEAT_SEL2``: Numeric value to enable the ``FEAT_SEL2`` (Secure EL2)
451 This flag can take values 0 to 2, to align with the ``ENABLE_FEAT``
454 - ``ENABLE_FEAT_TWED``: Numeric value to enable the ``FEAT_TWED`` (Delayed
456 available on Arm v8.6. This flag can take values 0 to 2, to align with the
459 When ``ENABLE_FEAT_TWED`` is set to ``1``, WFE instruction trapping gets
462 - ``ENABLE_FEAT_VHE``: Numeric value to enable the ``FEAT_VHE`` (Virtualization
463 Host Extensions) extension. It allows access to CONTEXTIDR_EL2 register
466 values 0 to 2, to align with the ``ENABLE_FEAT`` mechanism.
469 - ``ENABLE_FEAT_TCR2``: Numeric value to set the bit SCR_EL3.ENTCR2 in EL3 to
470 allow access to TCR2_EL2 (extended translation control) from EL2 as
471 well as adding TCR2_EL2 to the EL2 context save/restore operations. Its a
473 flag can take the values 0 to 2, to align with the ``ENABLE_FEAT``
476 - ``ENABLE_FEAT_S2PIE``: Numeric value to enable support for FEAT_S2PIE
478 can take the values 0 to 2, to align with the ``ENABLE_FEAT``
481 - ``ENABLE_FEAT_S1PIE``: Numeric value to enable support for FEAT_S1PIE
483 can take the values 0 to 2, to align with the ``ENABLE_FEAT``
486 - ``ENABLE_FEAT_S2POE``: Numeric value to enable support for FEAT_S2POE
488 can take the values 0 to 2, to align with the ``ENABLE_FEAT``
491 - ``ENABLE_FEAT_S1POE``: Numeric value to enable support for FEAT_S1POE
493 can take the values 0 to 2, to align with the ``ENABLE_FEAT``
496 - ``ENABLE_FEAT_GCS``: Numeric value to set the bit SCR_EL3.GCSEn in EL3 to
498 registers to the EL2 context save/restore operations. This flag can take
499 the values 0 to 2, to align with the ``ENABLE_FEAT`` mechanism.
502 - ``ENABLE_FEAT_GCIE``: Boolean value to enable support for the GICv5 CPU
507 - ``ENABLE_FEAT_THE``: Numeric value to enable support for FEAT_THE
509 SCR_EL3.RCWMASKEn in EL3 to allow access to RCWMASK_EL1 and RCWSMASK_EL1
512 This flag can take the values 0 to 2, to align with the ``ENABLE_FEAT``
515 - ``ENABLE_FEAT_SCTLR2``: Numeric value to enable support for FEAT_SCTLR2
516 (Extension to SCTLR_ELx) at EL2 and below, setting the bit
517 SCR_EL3.SCTLR2En in EL3 to allow access to SCTLR2_ELx registers and
520 This flag can take the values 0 to 2, to align with the ``ENABLE_FEAT``
523 - ``ENABLE_FEAT_D128``: Numeric value to enable support for FEAT_D128
524 at EL2 and below, setting the bit SCT_EL3.D128En in EL3 to allow access to
529 This flag can take the values 0 to 2, to align with the ``ENABLE_FEAT``
532 - ``ENABLE_FEAT_UINJ``: Numerical value to enable FEAT_UINJ support which
534 The objective of this feature is to provide higher privilege software with a
535 future proofed mechanism to inject an Undefined Instruction exception into
537 and mandatory from v9.6. This flag can take value of 0 to 2,
538 to align with the ``FEATURE_DETECTION`` mechanism. Default value is ``0``.
540 - ``ENABLE_LTO``: Boolean option to enable Link Time Optimization (LTO)
542 applies to TF-A proper, and not its libraries. If LTO on libraries (except
547 - ``ENABLE_FEAT_MPAM``: Numeric value to enable lower ELs to use MPAM
549 system components and resources to define partitions; software running at
550 various ELs can assign themselves to desired partition to control their
553 This flag can take values 0 to 2, to align with the ``ENABLE_FEAT``
554 mechanism. When this option is set to ``1`` or ``2``, EL3 allows lower ELs to
558 defaults to ``2`` since MPAM is enabled by default for NS world only.
563 PE-side bandwidth controls and disables traps to EL3/EL2 (when
564 ``INIT_UNUSED_NS_EL2`` = 1). The flag accepts values from 0 to 2, in
565 line with the ``ENABLE_FEAT`` mechanism, and defaults to ``0``.
567 - ``ENABLE_FEAT_LS64_ACCDATA``: Numeric value to enable access and save and
569 take the values 0 to 2, to align with the ``ENABLE_FEAT`` mechanism.
572 - ``ENABLE_FEAT_AIE``: Numeric value to enable access to the (A)MAIR2 system
573 registers from non-secure world. This flag can take the values 0 to 2, to
577 - ``ENABLE_FEAT_PFAR``: Numeric value to enable access to the PFAR system
578 registers from non-secure world. This flag can take the values 0 to 2, to
582 - ``ENABLE_MPMM``: Boolean option to enable support for the Maximum Power
584 firmware to detect and limit high activity events to assist in SoC processor
586 (i.e. clock chopping) responses to overcurrent conditions. Defaults to ``0``.
588 - ``ENABLE_PIE``: Boolean option to enable Position Independent Executable(PIE)
593 - ``ENABLE_PMF``: Boolean option to enable support for optional Performance
596 - ``ENABLE_PSCI_STAT``: Boolean option to enable support for optional PSCI
602 - ``ENABLE_RUNTIME_INSTRUMENTATION``: Boolean option to enable runtime
603 instrumentation which injects timestamp collection points into TF-A to
604 allow runtime performance to be measured. Currently, only PSCI is
608 - ``ENABLE_SPE_FOR_NS`` : Numeric value to enable Statistical Profiling
610 This flag can take the values 0 to 2, to align with the ``ENABLE_FEAT``
614 - ``ENABLE_SVE_FOR_NS``: Numeric value to enable Scalable Vector Extension
616 for AArch64. This flag can take the values 0 to 2, to align with the
621 to SVE, SIMD and floating-point functionality from the Secure world is
623 ``CTX_INCLUDE_FPREGS`` and ``ENABLE_SVE_FOR_NS`` together, it is mandatory to
624 enable ``CTX_INCLUDE_SVE_REGS``. This is to avoid corruption of the Non-secure
627 - ``ENABLE_SVE_FOR_SWD``: Boolean option to enable SVE and FPU/SIMD functionality
633 This build flag requires ``ENABLE_SVE_FOR_NS`` to be enabled. When enabling
637 - ``ENABLE_STACK_PROTECTOR``: String option to enable the stack protection
639 default value is set to "none". "strong" is the recommended stack protection
642 platform hook needs to be implemented. The value is passed as the last
646 option to enable the workarounds for all errata that TF-A implements. Normally
648 recommended for release builds. This option is default set to 0.
650 - ``ENCRYPT_BL31``: Binary flag to enable encryption of BL31 firmware. This
653 - ``ENCRYPT_BL32``: Binary flag to enable encryption of Secure BL32 payload.
664 - ``ERROR_DEPRECATED``: This option decides whether to treat the usage of
669 - ``ETHOSN_NPU_DRIVER``: boolean option to enable a SiP service that can
675 - ``ETHOSN_NPU_TZMP1``: boolean option to enable TZMP1 support for the
677 ``TRUSTED_BOARD_BOOT`` to be enabled.
683 - ``EL3_EXCEPTION_HANDLING``: When set to ``1``, enable handling of exceptions
685 handled at EL3, and a panic will result. The exception to this rule is when
686 ``SPMD_SPM_AT_SEL2`` is set to ``1``, in which case, only exceptions
687 occuring during normal world execution, are trapped to EL3. Any exception
688 trapped during secure world execution are trapped to the SPMC. This is
692 injection from lower ELs, and this build option enables lower ELs to use
693 Error Records accessed via System Registers to inject faults. This is
694 applicable only to AArch64 builds.
696 This feature is intended for testing purposes only, and is advisable to keep
716 - ``GENERATE_COT``: Boolean flag used to build and execute the ``cert_create``
717 tool to create certificates as per the Chain of Trust described in
718 :ref:`Trusted Board Boot`. The build system then calls ``fiptool`` to
721 Specify both ``TRUSTED_BOARD_BOOT=1`` and ``GENERATE_COT=1`` to include support
722 for the Trusted Board Boot feature in the BL1 and BL2 images, to generate
723 the corresponding certificates, and to include those certificates in the
728 include the corresponding certificates. This FIP can be used to verify the
737 to ``1`` assumes GICv2 *Group 0* interrupts are expected to target EL3, both
740 This allows GICv2 platforms to enable features requiring EL3 interrupt type.
741 This also means that all GICv2 Group 0 interrupts are delivered to EL3, and
742 the Secure Payload interrupts needs to be synchronously handed over to Secure
744 Group 0 interrupts are assumed to be handled by Secure EL1.
746 - ``HANDLE_EA_EL3_FIRST_NS``: When set to ``1``, External Aborts and SError
748 EL3 i.e. in BL31 at runtime. When set to ``0`` (default), these exceptions
752 - ``HW_ASSISTED_COHERENCY``: On most Arm systems to-date, platform-specific
753 software operations are required for CPUs to enter and exit coherency.
754 However, newer systems exist where CPUs' entry to and exit from coherency
755 is managed in hardware. Such systems require software to only initiate these
757 management. In such systems, this boolean option enables TF-A to carry out
759 This option defaults to 0 and if it is enabled, then it implies
774 - ``IMPDEF_SYSREG_TRAP``: Numeric value to enable the handling traps for
779 bottom, higher addresses at the top. This build flag can be set to '1' to
784 safely in scenario where NS-EL2 is present but unused. This flag is set to 0
787 - ``KEY_ALG``: This build flag enables the user to select the algorithm to be
795 - ``KEY_SIZE``: This build flag enables the user to select the key size for
811 - ``HASH_ALG``: This build flag enables the user to select the secure hash
818 - ``LDFLAGS``: Extra user options appended to the linkers' command line in
819 addition to the one set by the build system.
833 All log output up to and including the selected log level is compiled into
836 - ``MEASURED_BOOT``: Boolean flag to include support for the Measured Boot
837 feature. This flag can be enabled with ``TRUSTED_BOARD_BOOT`` in order to
841 This option defaults to 0.
843 - ``DISCRETE_TPM``: Boolean flag to include support for a Discrete TPM.
845 This option defaults to 0.
847 - ``TPM_INTERFACE``: When ``DISCRETE_TPM=1``, this is a required flag to
854 - ``MBOOT_TPM_HASH_ALG``: Build flag to select the TPM hash algorithm used during
857 - ``MARCH_DIRECTIVE``: used to pass a -march option from the platform build
858 options to the compiler. An example usage:
864 - ``HARDEN_SLS``: used to pass -mharden-sls=all from the TF-A build
865 options to the compiler currently supporting only of the options.
875 This option defaults to 0.
880 will be used to save the key.
882 - ``NS_BL2U``: Path to NS_BL2U image in the host file system. This image is
884 is required in order to build the ``fwu_fip`` target.
889 this to 1 if it wants the timer registers to be saved and restored. This
892 - ``OVERRIDE_LIBC``: This option allows platforms to override the default libc
896 - ``PL011_GENERIC_UART``: Boolean option to indicate the PL011 driver that
902 - ``PLAT``: Choose a platform to build TF-A for. The chosen platform name
904 platform makefile named ``platform.mk``. For example, to build TF-A for the
912 - ``PLAT_EXTRA_LD_SCRIPT``: Allows the platform to include a custom LD script
914 to 0.
922 - ``PRESERVE_DSU_PMU_REGS``: This options when enabled allows the platform to
925 default and platforms that require this feature have to enable them.
932 case, there is no need to identify the entrypoint on boot and the boot path
934 does not need to be implemented in this case.
938 formats. This flag if set to 1, configures the generic PSCI layer to use the
943 enabled on Arm platforms, the option ``ARM_RECOM_STATE_ID_ENC`` needs to be
944 set to 1 as well.
946 - ``PSCI_OS_INIT_MODE``: Boolean flag to enable support for optional PSCI
947 OS-initiated mode. This option defaults to 0.
949 - ``ARCH_FEATURE_AVAILABILITY``: Boolean flag to enable support for the
952 defaults to 0.
954 - ``ENABLE_FEAT_RAS``: Boolean flag to enable Armv8.2 RAS features. RAS features
957 NOTE: This flag enables use of IESB capability to reduce entry latency into
959 flag is recommended to be turned on Armv8.2 and later CPUs.
962 of the BL1 entrypoint. It can take the value 0 (CPU reset to BL1
963 entrypoint) or 1 (CPU reset to BL31 entrypoint).
968 instead of the BL1 entrypoint. It can take the value 0 (CPU reset to BL1
969 entrypoint) or 1 (CPU reset to SP_MIN entrypoint). The default value is 0.
976 - from 0 to 512 and must be a power of 2. The value of 0 is special and
978 - value is 1 which corresponds to block size of 512MB per bit of bitlock
981 - ``RME_GPT_MAX_BLOCK``: Numeric value in MB to define the maximum size of
983 values 0, 2, 32 and 512. Setting this value to 0 disables use of Contigious
989 accepted and it will be used to save the key.
992 certificate generation tool to save the keys used to establish the Chain of
995 - ``SCP_BL2``: Path to SCP_BL2 image in the host file system. This image is optional.
1001 If ``SAVE_KEYS=1``, only a file is accepted and it will be used to save the key.
1003 - ``SCP_BL2U``: Path to SCP_BL2U image in the host file system. This image is
1005 is required in order to build the ``fwu_fip`` target.
1007 - ``SDEI_SUPPORT``: Setting this to ``1`` enables support for Software
1008 Delegated Exception Interface to BL31 image. This defaults to ``0``.
1010 When set to ``1``, the build option ``EL3_EXCEPTION_HANDLING`` must also be
1011 set to ``1``.
1019 - ``SEPARATE_NOBITS_REGION``: Setting this option to ``1`` allows the NOBITS
1020 sections of BL31 (.bss, stacks, page tables, and coherent memory) to be
1022 platform is expected to provide definitions for ``BL31_NOBITS_BASE`` and
1026 - ``SEPARATE_BL2_NOLOAD_REGION``: Setting this option to ``1`` allows the
1027 NOLOAD sections of BL2 (.bss, stacks, page tables) to be allocated in RAM
1028 discontiguous from loaded firmware images. When set, the platform need to
1037 - ``SEPARATE_SIMD_SECTION``: Setting this option to ``1`` allows the SIMD context
1038 data structures to be put in a dedicated memory region as decided by platform
1042 - ``SMC_PCI_SUPPORT``: This option allows platforms to handle PCI configuration
1047 - ``SPD``: Choose a Secure Payload Dispatcher component to be built into TF-A.
1049 the path to the directory containing the SPD source, relative to
1050 ``services/spd/``; the directory is expected to contain a makefile called
1057 execution in BL1 just before handing over to BL31. At this point, all
1059 turned off. Refer to the "Debugging options" section for more details.
1067 - ``SPMC_AT_EL3_SEL0_SP`` : Boolean option to enable SEL0 SP load support when
1072 Dispatcher option (``SPD=spmd``) and with ``SPMD_SPM_AT_SEL2=0`` to
1085 - ``SPM_MM`` : Boolean option to enable the Management Mode (MM)-based Secure
1090 - ``SP_LAYOUT_FILE``: Platform provided path to JSON file containing the
1095 - ``SP_MIN_WITH_SECURE_FIQ``: Boolean flag to indicate the SP_MIN handles
1097 this directive if they need to handle such interruption. When enabled,
1099 to mask these events. Platforms that enable FIQ handling in SP_MIN shall
1102 - ``SVE_VECTOR_LEN``: SVE vector length to configure in ZCR_EL3.
1103 Platforms can configure this if they need to lower the hardware
1104 limit, for example due to asymmetric configuration or limitations of
1107 hardware will limit the effective VL to the maximum physically supported
1110 - ``TRNG_SUPPORT``: Setting this to ``1`` enables support for True
1111 Random Number Generator Interface to BL31 image. This defaults to ``0``.
1113 - ``TRUSTED_BOARD_BOOT``: Boolean flag to include support for the Trusted Board
1114 Boot feature. When set to '1', BL1 and BL2 images include support to load
1121 This option depends on ``CREATE_KEYS`` to be enabled. If the keys
1127 it will be used to save the key.
1137 to EL3 causing immediate preemption of TSP. The EL3 is responsible
1139 default routing model (when the value is 0) is to route non-secure
1140 interrupts to TSP allowing it to save its context and hand over
1141 synchronously to EL3 via an SMC.
1145 must also be set to ``1``.
1147 - ``TS_SP_FW_CONFIG``: DTC build flag to include Trusted Services (Crypto and
1150 - ``TWED_DELAY``: Numeric value to be set in order to delay the trapping of
1151 WFE instruction. ``ENABLE_FEAT_TWED`` build option must be enabled to set
1154 Platforms need to explicitly update this value based on their requirements.
1156 - ``USE_ARM_LINK``: This flag determines whether to enable support for ARM
1157 linker. When the ``LINKER`` build variable points to the armlink linker,
1159 will have to provide a scatter file for the BL image. Currently, Tegra
1160 platforms use the armlink support to compile BL3-1 images.
1162 - ``USE_COHERENT_MEM``: This flag determines whether to include the coherent
1169 device tree is passed to BL33 using register x0, aligning with the expectations
1173 is set), and it will be removed once all platforms have transitioned to that
1178 ``PRESERVE_DSU_PMU_REGS`` build option, provides access to PMU registers at
1179 EL1 and allows platforms to configure powerdown and power settings of DSU.
1181 - ``ARM_IO_IN_DTB``: This flag determines whether to use IO based on the
1185 - ``COT_DESC_IN_DTB``: This flag determines whether to create COT descriptors
1188 and properties. Currently, COT descriptors used by BL2 are moved to the
1192 - ``SDEI_IN_FCONF``: This flag determines whether to configure SDEI setup in
1198 - ``SEC_INT_DESC_IN_FCONF``: This flag determines whether to configure Group 0
1205 This feature creates a library of functions to be placed in ROM and thus
1206 reduces SRAM usage. Refer to :ref:`Library at ROM` for further details. Default
1213 Defaults to a string formed by concatenating the version number, build type
1217 regrouped and put in the root Makefile. This flag can take the values 0 to 3,
1220 This option is closely related to the ``E`` option, which enables
1226 ``-Wextra``, as well as various bad practices and things that are likely to
1232 Enables warnings we want the generic build to include but are too time
1233 consuming to fix at the moment. It re-enables warnings taken out for
1235 to eventually be merged into ``W=0``. Some warnings are expected on some
1240 Enables warnings we want the generic build to include but cannot be enabled
1241 due to external libraries. This level is expected to eventually be merged
1254 refer to the `GCC`_ or `Clang`_ documentation for more information on the
1257 - ``WARMBOOT_ENABLE_DCACHE_EARLY`` : Boolean option to enable D-cache early on
1259 require interconnect programming to enable cache coherency (eg: single
1261 enables D-caches immediately after enabling MMU. This option defaults to 0.
1263 - ``ERRATA_SPECULATIVE_AT``: This flag determines whether to enable ``AT``
1293 implement this workaround due to the behaviour of the errata mentioned
1296 - ``ERRATA_SME_POWER_DOWN``: Boolean option to disable SME (PSTATE.{ZA,SM}=0)
1297 before power down and downgrade a suspend to power down request to a normal
1300 connected to it will reject its power down request. The default value is 0.
1303 bit, to trap access to the RAS ERR and RAS ERX registers from lower ELs.
1306 - ``OPENSSL_DIR``: This option is used to provide the path to a directory on the
1308 to build the certificate generation, firmware encryption and FIP tools. If
1315 - ``ENABLE_BRBE_FOR_NS``: Numeric value to enable access to the branch record
1318 0 to 2, to align with the ``ENABLE_FEAT`` mechanism. The default is 0
1321 - ``ENABLE_TRBE_FOR_NS``: Numeric value to enable access of trace buffer
1324 feature for AArch64. This flag can take the values 0 to 2, to align with the
1328 - ``USE_SPINLOCK_CAS``: Numeric value to use FEAT_LSE atomics instead of
1330 feature from v8.1, however it is only architecturally guaranteed to work on
1331 "conventional memory" which may not apply to tightly coupled memory (eg. SRAM,
1333 by atomics before enabling this feature. Expected to increase performance on
1334 systems with many cores. This flag can take the values 0 to 2, to align with
1337 - ``ENABLE_SYS_REG_TRACE_FOR_NS``: Numeric value to enable trace system
1341 0 to 2, to align with the ``ENABLE_FEAT`` mechanism. The default is 0.
1343 - ``ENABLE_TRF_FOR_NS``: Numeric value to enable trace filter control registers
1345 if FEAT_TRF is implemented. This flag can take the values 0 to 2, to align
1348 - ``CONDITIONAL_CMO``: Boolean option to enable call to platform-defined routine
1354 - ``ERRATA_ABI_SUPPORT``: Boolean option to enable support for Errata management
1357 - ``ERRATA_NON_ARM_INTERCONNECT``: Boolean option to enable support for the
1361 - ``ENABLE_CONSOLE_GETC``: Boolean option to enable `getc()` feature in console
1363 vector into TF-A by potentially allowing an attacker to inject arbitrary data.
1377 or function definitions. It is then the platform's responsibility to provide
1384 - ``3``: use the GICv3 driver. See the next section on how to further configure
1390 For GIC driver versions other than ``1``, deciding when to save and restore GIC
1393 provides implementations of all necessary subroutines, they only need to be
1408 GIC-600, so is safe to select even for a GIC500 implementation.
1409 This option defaults to 0.
1412 for GIC-600 AE. Enabling this option will introduce support to initialize
1413 the FMU. Platforms should call the init function during boot to enable the
1414 FMU and its safety mechanisms. This option defaults to 0.
1417 functionality. This option defaults to 0
1421 functions. This is required for FVP platform which need to simulate GIC save
1425 This option defaults to 0.
1427 - ``GIC_EXT_INTID``: When set to ``1``, GICv3 driver will support extended
1428 PPI (1056-1119) and SPI (4096-5119) range. This option defaults to 0.
1441 DWARF symbols to be emitted by GCC. This can be achieved by using the
1442 ``-gdwarf-<version>`` flag, with the version being set to 2, 3, 4 or 5. Setting
1443 the version to 4 is recommended for Arm-DS.
1445 When debugging logic problems it might also be useful to disable all compiler
1449 Using ``-O0`` could cause output images to be larger and base addresses
1450 might need to be recalculated (see the **Memory layout on Arm development
1453 Extra debug options can be passed to the build system by setting ``CFLAGS`` or
1464 It is also possible to introduce an infinite loop to help in debugging the
1466 ``SPIN_ON_BL1_EXIT=1`` build flag. Refer to the :ref:`build_options_common`
1494 - ``DICE_PROTECTION_ENVIRONMENT``: Boolean flag to specify the measured boot
1496 set to ``1`` then measurements and additional metadata collected during the
1497 measured boot process are sent to the DICE Protection Environment for storage
1501 - ``DRTM_SUPPORT``: Boolean flag to enable support for Dynamic Root of Trust
1504 platforms which use BL2 to load/authenticate BL31 ``TRUSTED_BOARD_BOOT`` can
1506 should have mechanism to authenticate BL31. This option defaults to 0.
1508 - ``ENABLE_RME``: Numeric value to enable support for the ARMv9 Realm
1509 Management Extension. This flag can take the values 0 to 2, to align with
1512 - ``ENABLE_FEAT_MEC``: Numeric value to enable support for the ARMv9.2 Memory
1513 Encryption Contexts (MEC). This flag can take the values 0 to 2, to align
1518 - ``RMMD_ENABLE_EL3_TOKEN_SIGN``: Numeric value to enable support for singing
1520 values 0 and 1. The default value is ``0``. When set to ``1``, this option
1521 enables additional RMMD SMCs to push and pop requests for signing to
1522 EL3 along with platform hooks that must be implemented to service those
1525 - ``ENABLE_SME_FOR_NS``: Numeric value to enable Scalable Matrix Extension
1529 world to trap to EL3. Requires ``ENABLE_SVE_FOR_NS`` to be set as SME is a
1532 SPD=spmd/SPM_MM and atempting to build with this option will fail.
1533 This flag can take the values 0 to 2, to align with the ``ENABLE_FEAT``
1536 - ``ENABLE_SME2_FOR_NS``: Numeric value to enable Scalable Matrix Extension
1540 accesses will still be trapped. This flag can take the values 0 to 2, to
1543 - ``ENABLE_SME_FOR_SWD``: Boolean option to enable the Scalable Matrix
1545 ENABLE_SME_FOR_NS and ENABLE_SVE_FOR_SWD must also be set to use this.
1554 - ``FEATURE_DETECTION``: Boolean option to enable the architectural features
1562 software emulators, or for hardware platforms at bringup time, to verify
1572 - ``LFA_SUPPORT``: Boolean flag to enable support for Live Firmware
1573 activation as per the specification. This option defaults to 0.
1575 - ``TRANSFER_LIST``: Setting this to ``1`` enables support for Firmware
1577 This defaults to ``0``. Current implementation follows the Firmware Handoff
1580 - ``USE_DEBUGFS``: When set to 1 this option exposes a virtual filesystem
1584 - ``HOB_LIST``: Setting this to ``1`` enables support for passing boot
1586 This defaults to ``0``.
1588 - ``ENABLE_ACS_SMC``: When set to ``1``, this enables support for ACS SMC
1589 handler code to handle SMC calls from the Architecture Compliance Suite. The
1590 handler is intentionally empty to reserve the SMC section and allow
1600 - BL2 is not part of the protocol-updatable images. If BL2 needs to
1608 set to '2'.
1614 flag is by default set to '1'.
1620 structure where a platform can choose to not include the firmware