1# 2# Copyright (c) 2025-2026, Arm Limited. All rights reserved. 3# 4# SPDX-License-Identifier: BSD-3-Clause 5# 6 7ifneq ($(AARCH32_INSTRUCTION_SET),$(filter $(AARCH32_INSTRUCTION_SET),A32 T32)) 8 $(error Error: Unknown AArch32 instruction set ${AARCH32_INSTRUCTION_SET}) 9endif 10 11# Make sure RME configuration is valid 12ifeq (${ENABLE_RME},1) 13 ifneq (${SEPARATE_CODE_AND_RODATA},1) 14 $(error ENABLE_RME requires SEPARATE_CODE_AND_RODATA) 15 endif 16 17 ifneq (${ARCH},aarch64) 18 $(error ENABLE_RME requires AArch64) 19 endif 20 21 ifeq ($(SPMC_AT_EL3),1) 22 $(error SPMC_AT_EL3 and ENABLE_RME cannot both be enabled.) 23 endif 24 25 ifneq (${SPD}, none) 26 ifneq (${SPD}, spmd) 27 $(error ENABLE_RME is incompatible with SPD=${SPD}. Use SPD=spmd) 28 endif 29 endif 30else 31 ifeq (${ENABLE_FEAT_RME_GDI},1) 32 $(error ENABLE_FEAT_RME_GDI requires ENABLE_RME) 33 endif 34endif 35 36ifeq (${CTX_INCLUDE_EL2_REGS}, 1) 37 ifeq (${SPD},none) 38 ifeq (${ENABLE_RME},0) 39 $(error CTX_INCLUDE_EL2_REGS is available only when SPD \ 40 or RME is enabled) 41 endif 42 endif 43endif 44 45################################################################################ 46# Verify FEAT_RME, FEAT_SCTLR2 and FEAT_TCR2 are enabled if FEAT_MEC is enabled. 47################################################################################ 48 49ifneq (${ENABLE_FEAT_MEC},0) 50 ifeq (${ENABLE_RME},0) 51 $(error FEAT_RME must be enabled when FEAT_MEC is enabled.) 52 endif 53 ifeq (${ENABLE_FEAT_TCR2},0) 54 $(error FEAT_TCR2 must be enabled when FEAT_MEC is enabled.) 55 endif 56 ifeq (${ENABLE_FEAT_SCTLR2},0) 57 $(error FEAT_SCTLR2 must be enabled when FEAT_MEC is enabled.) 58 endif 59endif 60 61# Handle all invalid build configurations with SPMD usage. 62ifeq (${ENABLE_SPMD_LP}, 1) 63ifneq (${SPD},spmd) 64 $(error Error: ENABLE_SPMD_LP requires SPD=spmd.) 65endif 66ifeq ($(SPMC_AT_EL3),1) 67 $(error SPMC at EL3 not supported when enabling SPMD Logical partitions.) 68endif 69endif 70 71ifneq (${SPD},none) 72ifeq (${ARCH},aarch32) 73 $(error "Error: SPD is incompatible with AArch32.") 74endif 75ifdef EL3_PAYLOAD_BASE 76 $(warning "SPD and EL3_PAYLOAD_BASE are incompatible build options.") 77 $(warning "The SPD and its BL32 companion will be present but ignored.") 78endif 79ifeq (${SPD},spmd) 80ifeq ($(SPMD_SPM_AT_SEL2),1) 81 ifeq ($(SPMC_AT_EL3),1) 82 $(error SPM cannot be enabled in both S-EL2 and EL3.) 83 endif 84 ifeq ($(CTX_INCLUDE_SVE_REGS),1) 85 $(error SVE context management not needed with Hafnium SPMC.) 86 endif 87endif 88 89ifeq ($(SPMC_AT_EL3_SEL0_SP),1) 90 ifneq ($(SPMC_AT_EL3),1) 91 $(error SEL0 SP cannot be enabled without SPMC at EL3) 92 endif 93endif 94endif #(SPD=spmd) 95endif #(SPD!=none) 96 97# USE_DEBUGFS experimental feature recommended only in debug builds 98ifeq (${USE_DEBUGFS},1) 99 ifeq (${DEBUG},1) 100 $(warning DEBUGFS experimental feature is enabled.) 101 else 102 $(warning DEBUGFS experimental, recommended in DEBUG builds ONLY) 103 endif 104endif #(USE_DEBUGFS) 105 106# USE_SPINLOCK_CAS requires AArch64 build 107ifeq (${USE_SPINLOCK_CAS},1) 108 ifneq (${ARCH},aarch64) 109 $(error USE_SPINLOCK_CAS requires AArch64) 110 endif 111endif #(USE_SPINLOCK_CAS) 112 113ifdef EL3_PAYLOAD_BASE 114 ifdef PRELOADED_BL33_BASE 115 $(warning "PRELOADED_BL33_BASE and EL3_PAYLOAD_BASE are \ 116 incompatible build options. EL3_PAYLOAD_BASE has priority.") 117 endif 118 ifneq (${GENERATE_COT},0) 119 $(error "GENERATE_COT and EL3_PAYLOAD_BASE are incompatible \ 120 build options.") 121 endif 122 ifneq (${TRUSTED_BOARD_BOOT},0) 123 $(error "TRUSTED_BOARD_BOOT and EL3_PAYLOAD_BASE are \ 124 incompatible \ build options.") 125 endif 126endif #(EL3_PAYLOAD_BASE) 127 128ifeq (${NEED_BL33},yes) 129 ifdef EL3_PAYLOAD_BASE 130 $(warning "BL33 image is not needed when option \ 131 BL33_PAYLOAD_BASE is used and won't be added to the FIP file.") 132 endif 133 ifdef PRELOADED_BL33_BASE 134 $(warning "BL33 image is not needed when option \ 135 PRELOADED_BL33_BASE is used and won't be added to the FIP file.") 136 endif 137endif #(NEED_BL33) 138 139# When building for systems with hardware-assisted coherency, there's no need to 140# use USE_COHERENT_MEM. Require that USE_COHERENT_MEM must be set to 0 too. 141ifeq ($(HW_ASSISTED_COHERENCY)-$(USE_COHERENT_MEM),1-1) 142 $(error USE_COHERENT_MEM cannot be enabled with HW_ASSISTED_COHERENCY) 143endif 144 145#For now, BL2_IN_XIP_MEM is only supported when RESET_TO_BL2 is 1. 146ifeq ($(RESET_TO_BL2)-$(BL2_IN_XIP_MEM),0-1) 147 $(error "BL2_IN_XIP_MEM is only supported when RESET_TO_BL2 is enabled") 148endif 149 150# RAS_EXTENSION is deprecated, provide alternate build options 151ifeq ($(RAS_EXTENSION),1) 152 $(error "RAS_EXTENSION is now deprecated, please use ENABLE_FEAT_RAS \ 153 and HANDLE_EA_EL3_FIRST_NS instead") 154endif 155 156 157# When FAULT_INJECTION_SUPPORT is used, require that FEAT_RAS is enabled 158ifeq ($(FAULT_INJECTION_SUPPORT),1) 159 ifeq ($(ENABLE_FEAT_RAS),0) 160 $(error For FAULT_INJECTION_SUPPORT, ENABLE_FEAT_RAS must not be 0) 161 endif 162endif #(FAULT_INJECTION_SUPPORT) 163 164# DYN_DISABLE_AUTH can be set only when TRUSTED_BOARD_BOOT=1 165ifeq ($(DYN_DISABLE_AUTH), 1) 166 ifeq (${TRUSTED_BOARD_BOOT}, 0) 167 $(error "TRUSTED_BOARD_BOOT must be enabled for DYN_DISABLE_AUTH \ 168 to be set.") 169 endif 170endif #(DYN_DISABLE_AUTH) 171 172# SDEI_IN_FCONF is only supported when SDEI_SUPPORT is enabled. 173ifeq ($(SDEI_SUPPORT)-$(SDEI_IN_FCONF),0-1) 174 $(error "SDEI_IN_FCONF is only supported when SDEI_SUPPORT is enabled") 175endif 176 177# If pointer authentication is used in the firmware, make sure that all the 178# registers associated to it are also saved and restored. 179# Not doing it would leak the value of the keys used by EL3 to EL1 and S-EL1. 180ifneq ($(ENABLE_PAUTH),0) 181 ifeq ($(CTX_INCLUDE_PAUTH_REGS),0) 182 $(error Pointer Authentication requires CTX_INCLUDE_PAUTH_REGS to be enabled) 183 endif 184endif #(ENABLE_PAUTH) 185 186ifneq ($(CTX_INCLUDE_PAUTH_REGS),0) 187 ifneq (${ARCH},aarch64) 188 $(error CTX_INCLUDE_PAUTH_REGS requires AArch64) 189 endif 190endif #(CTX_INCLUDE_PAUTH_REGS) 191 192# Check ENABLE_FEAT_PAUTH_LR 193ifneq (${ENABLE_FEAT_PAUTH_LR},0) 194 195# Make sure PAUTH is enabled 196ifeq (${ENABLE_PAUTH},0) 197 $(error Error: PAUTH_LR cannot be used without PAUTH (see BRANCH_PROTECTION)) 198endif 199 200# Make sure SCTLR2 is enabled 201ifeq (${ENABLE_FEAT_SCTLR2},0) 202 $(error Error: PAUTH_LR cannot be used without ENABLE_FEAT_SCTLR2) 203endif 204 205ifneq (${ENABLE_FEAT_HACDBS},0) 206 ifeq (${ENABLE_FEAT_HDBSS},0) 207 $(error ENABLE_FEAT_HACDBS requires ENABLE_FEAT_HDBSS) 208 endif 209endif 210 211# FEAT_PAUTH_LR is only supported in aarch64 state 212ifneq (${ARCH},aarch64) 213 $(error ENABLE_FEAT_PAUTH_LR requires AArch64) 214endif 215 216endif # ${ENABLE_FEAT_PAUTH_LR} 217 218ifeq ($(FEATURE_DETECTION),1) 219 $(info FEATURE_DETECTION is an experimental feature) 220endif #(FEATURE_DETECTION) 221 222ifneq ($(ENABLE_SME2_FOR_NS), 0) 223 ifeq (${ENABLE_SME_FOR_NS}, 0) 224 $(warning "ENABLE_SME2_FOR_NS requires ENABLE_SME_FOR_NS also \ 225 to be set") 226 $(warning "Forced ENABLE_SME_FOR_NS=1") 227 override ENABLE_SME_FOR_NS := 1 228 endif 229endif #(ENABLE_SME2_FOR_NS) 230 231ifeq (${ARM_XLAT_TABLES_LIB_V1}, 1) 232 ifeq (${ALLOW_RO_XLAT_TABLES}, 1) 233 $(error "ALLOW_RO_XLAT_TABLES requires translation tables \ 234 library v2") 235 endif 236endif #(ARM_XLAT_TABLES_LIB_V1) 237 238ifneq (${DECRYPTION_SUPPORT},none) 239 ifeq (${TRUSTED_BOARD_BOOT}, 0) 240 $(error TRUSTED_BOARD_BOOT must be enabled for DECRYPTION_SUPPORT \ 241 to be set) 242 endif 243endif #(DECRYPTION_SUPPORT) 244 245# Ensure that no Aarch64-only features are enabled in Aarch32 build 246ifeq (${ARCH},aarch32) 247 ifneq (${ENABLE_LTO},0) 248 $(error "ENABLE_LTO is not supported with ARCH=aarch32") 249 endif 250 ifneq (${EL3_EXCEPTION_HANDLING},0) 251 $(error "EL3_EXCEPTION_HANDLING is not supported outside BL31") 252 endif 253 254 ifeq (${CRASH_REPORTING},1) 255 $(error "CRASH_REPORTING is not supported with ARCH=aarch32") 256 endif 257 258 # SME/SVE only supported on AArch64 259 ifneq (${ENABLE_SME_FOR_NS},0) 260 $(error "ENABLE_SME_FOR_NS cannot be used with ARCH=aarch32") 261 endif 262 263 ifneq (${ENABLE_SVE_FOR_NS},0) 264 $(error "ENABLE_SVE_FOR_NS cannot be used with ARCH=aarch32") 265 endif 266 267 ifneq (${ENABLE_SPE_FOR_NS},0) 268 $(error "ENABLE_SPE_FOR_NS cannot be used with ARCH=aarch32") 269 endif 270 271 # BRBE is not supported in AArch32 272 ifneq (${ENABLE_BRBE_FOR_NS},0) 273 $(error "ENABLE_BRBE_FOR_NS cannot be used with ARCH=aarch32") 274 endif 275 276 # FEAT_RNG_TRAP is not supported in AArch32 277 ifneq (${ENABLE_FEAT_RNG_TRAP},0) 278 $(error "ENABLE_FEAT_RNG_TRAP cannot be used with ARCH=aarch32") 279 endif 280 281 ifneq (${ENABLE_FEAT_FPMR},0) 282 $(error "ENABLE_FEAT_FPMR cannot be used with ARCH=aarch32") 283 endif 284 285 ifeq (${ARCH_FEATURE_AVAILABILITY},1) 286 $(error "ARCH_FEATURE_AVAILABILITY cannot be used with ARCH=aarch32") 287 endif 288 # FEAT_MOPS is only supported on AArch64 289 ifneq (${ENABLE_FEAT_MOPS},0) 290 $(error "ENABLE_FEAT_MOPS cannot be used with ARCH=aarch32") 291 endif 292 ifneq (${ENABLE_FEAT_GCIE},0) 293 $(error "ENABLE_FEAT_GCIE cannot be used with ARCH=aarch32") 294 endif 295 ifneq (${ENABLE_FEAT_CPA2},0) 296 $(error "ENABLE_FEAT_CPA2 cannot be used with ARCH=aarch32") 297 endif 298 ifneq (${USE_SPINLOCK_CAS},0) 299 $(error "USE_SPINLOCK_CAS is not supported with ARCH=aarch32") 300 endif 301 ifneq (${PLATFORM_NODE_COUNT},1) 302 $(error "NUMA AWARE PER CPU is not supported with ARCH=aarch32") 303 endif 304 ifeq (${ENABLE_FEAT_CRYPTO},1) 305 $(error "ENABLE_FEAT_CRYPTO cannot be used with ARCH=aarch32") 306 endif 307 ifeq (${ENABLE_FEAT_CRYPTO_SHA3},1) 308 $(error "ENABLE_FEAT_CRYPTO_SHA3 cannot be used with ARCH=aarch32") 309 endif 310 ifneq (${ENABLE_FEAT_MPAM},0) 311 $(error "ENABLE_FEAT_MPAM cannot be used with ARCH=aarch32") 312 endif 313 ifneq (${ENABLE_FEAT_UINJ},0) 314 $(error "ENABLE_FEAT_UINJ cannot be used with ARCH=aarch32") 315 endif 316 ifneq (${ENABLE_FEAT_STEP2},0) 317 $(error "ENABLE_FEAT_STEP2 cannot be used with ARCH=aarch32") 318 endif 319 ifneq (${ENABLE_FEAT_HDBSS},0) 320 $(error "ENABLE_FEAT_HDBSS cannot be used with ARCH=aarch32") 321 endif 322 ifneq (${ENABLE_FEAT_HACDBS},0) 323 $(error "ENABLE_FEAT_HACDBS cannot be used with ARCH=aarch32") 324 endif 325endif #(ARCH=aarch32) 326 327ifneq (${ENABLE_FEAT_FPMR},0) 328 ifeq (${ENABLE_FEAT_FGT},0) 329 $(error "ENABLE_FEAT_FPMR requires ENABLE_FEAT_FGT") 330 endif 331 ifeq (${ENABLE_FEAT_HCX},0) 332 $(error "ENABLE_FEAT_FPMR requires ENABLE_FEAT_HCX") 333 endif 334endif #(ENABLE_FEAT_FPMR) 335 336ifneq (${ENABLE_FEAT_CPA2},0) 337 ifeq (${ENABLE_FEAT_SCTLR2},0) 338 $(error "Error: ENABLE_FEAT_CPA2 cannot be used without ENABLE_FEAT_SCTLR2") 339 endif 340endif #${ENABLE_FEAT_CPA2} 341 342ifneq (${ENABLE_SME_FOR_NS},0) 343 ifeq (${ENABLE_SVE_FOR_NS},0) 344 $(error "ENABLE_SME_FOR_NS requires ENABLE_SVE_FOR_NS") 345 endif 346endif #(ENABLE_SME_FOR_NS) 347 348# Secure SME/SVE requires the non-secure component as well 349ifeq (${ENABLE_SME_FOR_SWD},1) 350 ifeq (${ENABLE_SME_FOR_NS},0) 351 $(error "ENABLE_SME_FOR_SWD requires ENABLE_SME_FOR_NS") 352 endif 353 ifeq (${ENABLE_SVE_FOR_SWD},0) 354 $(error "ENABLE_SME_FOR_SWD requires ENABLE_SVE_FOR_SWD") 355 endif 356endif #(ENABLE_SME_FOR_SWD) 357 358# Enabling SVE for SWD requires enabling SVE for NWD due to ENABLE_FEAT 359# mechanism. 360ifeq (${ENABLE_SVE_FOR_SWD},1) 361 ifeq (${ENABLE_SVE_FOR_NS},0) 362 $(error "ENABLE_SVE_FOR_SWD requires ENABLE_SVE_FOR_NS") 363 endif 364endif 365 366# Enabling FEAT_MOPS requires access to hcrx_el2 registers which is 367# available only when FEAT_HCX is enabled. 368ifneq (${ENABLE_FEAT_MOPS},0) 369 ifeq (${ENABLE_FEAT_HCX},0) 370 $(error "ENABLE_FEAT_MOPS requires ENABLE_FEAT_HCX") 371 endif 372endif 373 374# Enabling SVE for both the worlds typically requires the context 375# management of SVE registers. The only exception being SPMC at S-EL2. 376ifeq (${ENABLE_SVE_FOR_SWD}, 1) 377 ifneq (${ENABLE_SVE_FOR_NS}, 0) 378 ifeq (${CTX_INCLUDE_SVE_REGS}-$(SPMD_SPM_AT_SEL2),0-0) 379 $(warning "ENABLE_SVE_FOR_SWD and ENABLE_SVE_FOR_NS together require CTX_INCLUDE_SVE_REGS") 380 endif 381 endif 382endif 383 384# Enabling SHA3 requires regular Crypto extension to be enabled 385ifeq (${ENABLE_FEAT_CRYPTO_SHA3}, 1) 386 ifeq (${ENABLE_FEAT_CRYPTO}, 0) 387 $(error "ENABLE_FEAT_CRYPTO_SHA3 requires ENABLE_FEAT_CRYPTO") 388 endif 389endif 390 391ifeq (${ENABLE_FEAT_CRYPTO_SHA3}, 2) 392 $(warning "ENABLE_FEAT_CRYPTO_SHA3 does not have any effect when set to 2") 393endif 394 395ifeq (${ENABLE_FEAT_CRYPTO}, 2) 396 $(warning "ENABLE_FEAT_CRYPTO does not have any effect when set to 2") 397endif 398 399# Enabling SVE in either world while enabling CTX_INCLUDE_FPREGS requires 400# CTX_INCLUDE_SVE_REGS to be enabled due to architectural dependency between FP 401# and SVE registers. 402ifeq (${CTX_INCLUDE_FPREGS}, 1) 403 ifneq (${ENABLE_SVE_FOR_NS},0) 404 ifeq (${CTX_INCLUDE_SVE_REGS},0) 405 # Warning instead of error due to CI dependency on this 406 $(warning "CTX_INCLUDE_FPREGS and ENABLE_SVE_FOR_NS together require CTX_INCLUDE_SVE_REGS") 407 $(warning "Forced ENABLE_SVE_FOR_NS=0") 408 override ENABLE_SVE_FOR_NS := 0 409 endif 410 endif 411endif #(CTX_INCLUDE_FPREGS) 412 413# SVE context management is only required if secure world has access to SVE/FP 414# functionality. 415# Enabling CTX_INCLUDE_SVE_REGS requires CTX_INCLUDE_FPREGS to be enabled due 416# to architectural dependency between FP and SVE registers. 417ifeq (${CTX_INCLUDE_SVE_REGS},1) 418 ifeq (${ENABLE_SVE_FOR_SWD},0) 419 $(error "CTX_INCLUDE_SVE_REGS requires ENABLE_SVE_FOR_SWD to also be enabled") 420 endif 421 ifeq (${CTX_INCLUDE_FPREGS},0) 422 $(error "CTX_INCLUDE_SVE_REGS requires CTX_INCLUDE_FPREGS to also be enabled") 423 endif #(CTX_INCLUDE_FPREGS) 424endif #(CTX_INCLUDE_SVE_REGS) 425 426# SME cannot be used with CTX_INCLUDE_FPREGS since SPM does its own context 427# management including FPU registers. 428ifeq (${CTX_INCLUDE_FPREGS},1) 429 ifneq (${ENABLE_SME_FOR_NS},0) 430 $(error "ENABLE_SME_FOR_NS cannot be used with CTX_INCLUDE_FPREGS") 431 endif 432endif #(CTX_INCLUDE_FPREGS) 433 434ifeq ($(DRTM_SUPPORT),1) 435 $(info DRTM_SUPPORT is an experimental feature) 436endif 437 438ifeq (${HOB_LIST},1) 439 $(warning HOB_LIST is an experimental feature) 440endif 441 442ifeq (${TRANSFER_LIST},1) 443 $(info TRANSFER_LIST is an experimental feature) 444endif 445 446ifeq ($(PSA_CRYPTO),1) 447 $(info PSA_CRYPTO is an experimental feature) 448endif 449 450ifeq ($(DICE_PROTECTION_ENVIRONMENT),1) 451 $(info DICE_PROTECTION_ENVIRONMENT is an experimental feature) 452endif 453 454ifeq (${LFA_SUPPORT},1) 455 $(warning LFA_SUPPORT is an experimental feature) 456endif #(LFA_SUPPORT) 457 458ifneq (${ENABLE_FEAT_MPAM_PE_BW_CTRL},0) 459 ifeq (${ENABLE_FEAT_MPAM},0) 460 $(error "ENABLE_FEAT_MPAM_PW_BW_CTRL requires ENABLE_FEAT_MPAM") 461 endif 462endif #(ENABLE_FEAT_MPAM_PE_BW_CTRL) 463 464ifneq (${DYNAMIC_WORKAROUND_CVE_2018_3639},0) 465 ifeq (${WORKAROUND_CVE_2018_3639},0) 466 $(error Error: WORKAROUND_CVE_2018_3639 must be 1 if DYNAMIC_WORKAROUND_CVE_2018_3639 is 1) 467 endif 468endif 469 470ifeq (${WORKAROUND_CVE_2025_0647},1) 471ifeq "8.5" "$(word 1, $(sort 8.5 $(ARM_ARCH_MAJOR).$(ARM_ARCH_MINOR)))" 472else 473 $(error Error: WORKAROUND_CVE_2025_0647 can only be used with Arm Arch v8.5+, set ARM_ARCH_MAJOR and ARM_ARCH_MINOR appropriately.) 474endif 475endif 476 477ifneq ($(ENABLE_FEAT_MORELLO),0) 478 ifneq ($($(ARCH)-cc-id),llvm-clang) 479 $(error ENABLE_FEAT_MORELLO requires Clang toolchain) 480 endif 481 $(warning Morello capability is an experimental feature) 482endif 483 484# Handle all deprecated build options. 485ifeq (${ERROR_DEPRECATED}, 1) 486 ifneq (${NS_TIMER_SWITCH},0) 487 $(error "NS_TIMER_SWITCH breaks Linux preemption model, hence deprecated") 488 endif 489 ifneq (${SPM_MM},0) 490 $(error "SPM_MM build option is deprecated") 491 endif 492endif 493 494ifneq (${ENABLE_FEAT_IDTE3},0) 495 $(info FEAT_IDTE3 is an experimental feature) 496endif #(ENABLE_FEAT_IDTE3) 497