1# 2# Copyright (c) 2025-2026, Arm Limited. All rights reserved. 3# 4# SPDX-License-Identifier: BSD-3-Clause 5# 6 7ifneq ($(AARCH32_INSTRUCTION_SET),$(filter $(AARCH32_INSTRUCTION_SET),A32 T32)) 8 $(error Error: Unknown AArch32 instruction set ${AARCH32_INSTRUCTION_SET}) 9endif 10 11# Make sure RME configuration is valid 12ifeq (${ENABLE_RME},1) 13 ifneq (${SEPARATE_CODE_AND_RODATA},1) 14 $(error ENABLE_RME requires SEPARATE_CODE_AND_RODATA) 15 endif 16 17 ifneq (${ARCH},aarch64) 18 $(error ENABLE_RME requires AArch64) 19 endif 20 21 ifeq ($(SPMC_AT_EL3),1) 22 $(error SPMC_AT_EL3 and ENABLE_RME cannot both be enabled.) 23 endif 24 25 ifneq (${SPD}, none) 26 ifneq (${SPD}, spmd) 27 $(error ENABLE_RME is incompatible with SPD=${SPD}. Use SPD=spmd) 28 endif 29 endif 30else 31 ifeq (${ENABLE_FEAT_RME_GDI},1) 32 $(error ENABLE_FEAT_RME_GDI requires ENABLE_RME) 33 endif 34endif 35 36ifeq (${CTX_INCLUDE_EL2_REGS}, 1) 37 ifeq (${SPD},none) 38 ifeq (${ENABLE_RME},0) 39 $(error CTX_INCLUDE_EL2_REGS is available only when SPD \ 40 or RME is enabled) 41 endif 42 endif 43endif 44 45################################################################################ 46# Verify FEAT_RME, FEAT_SCTLR2 and FEAT_TCR2 are enabled if FEAT_MEC is enabled. 47################################################################################ 48 49ifneq (${ENABLE_FEAT_MEC},0) 50 ifeq (${ENABLE_RME},0) 51 $(error FEAT_RME must be enabled when FEAT_MEC is enabled.) 52 endif 53 ifeq (${ENABLE_FEAT_TCR2},0) 54 $(error FEAT_TCR2 must be enabled when FEAT_MEC is enabled.) 55 endif 56 ifeq (${ENABLE_FEAT_SCTLR2},0) 57 $(error FEAT_SCTLR2 must be enabled when FEAT_MEC is enabled.) 58 endif 59endif 60 61# Handle all invalid build configurations with SPMD usage. 62ifeq (${ENABLE_SPMD_LP}, 1) 63ifneq (${SPD},spmd) 64 $(error Error: ENABLE_SPMD_LP requires SPD=spmd.) 65endif 66 67ifeq ($(SPMC_AT_EL3),1) 68 $(error SPMC at EL3 not supported when enabling SPMD Logical partitions.) 69endif 70endif 71 72ifeq (${SUPPORT_SP_LIVE_ACTIVATION}, 1) 73ifeq (${LFA_SUPPORT}, 0) 74 $(error Error: SUPPORT_SP_LIVE_ACTIVATION requires LFA_SUPPORT=1) 75endif #(LFA_SUPPORT) 76ifeq (${ENABLE_SPMD_LP}, 0) 77 $(error Error: SUPPORT_SP_LIVE_ACTIVATION requires ENABLE_SPMD_LP=1) 78endif #(ENABLE_SPMD_LP) 79ifeq (${SPMD_SPM_AT_SEL2},0) 80 $(error Error: SUPPORT_SP_LIVE_ACTIVATION requires SPMD_SPM_AT_SEL2=1) 81endif #(SPMD_SPM_AT_SEL2) 82 $(warning SUPPORT_SP_LIVE_ACTIVATION is an experimental feature) 83endif #(SUPPORT_SP_LIVE_ACTIVATION) 84 85ifneq (${SPD},none) 86ifeq (${ARCH},aarch32) 87 $(error "Error: SPD is incompatible with AArch32.") 88endif 89ifdef EL3_PAYLOAD_BASE 90 $(warning "SPD and EL3_PAYLOAD_BASE are incompatible build options.") 91 $(warning "The SPD and its BL32 companion will be present but ignored.") 92endif 93ifeq (${SPD},spmd) 94ifeq ($(SPMD_SPM_AT_SEL2),1) 95 ifeq ($(SPMC_AT_EL3),1) 96 $(error SPM cannot be enabled in both S-EL2 and EL3.) 97 endif 98 ifeq ($(CTX_INCLUDE_SVE_REGS),1) 99 $(error SVE context management not needed with Hafnium SPMC.) 100 endif 101endif 102 103ifeq ($(SPMC_AT_EL3_SEL0_SP),1) 104 ifneq ($(SPMC_AT_EL3),1) 105 $(error SEL0 SP cannot be enabled without SPMC at EL3) 106 endif 107endif 108endif #(SPD=spmd) 109endif #(SPD!=none) 110 111# USE_DEBUGFS experimental feature recommended only in debug builds 112ifeq (${USE_DEBUGFS},1) 113 ifeq (${DEBUG},1) 114 $(warning DEBUGFS experimental feature is enabled.) 115 else 116 $(warning DEBUGFS experimental, recommended in DEBUG builds ONLY) 117 endif 118endif #(USE_DEBUGFS) 119 120# USE_SPINLOCK_CAS requires AArch64 build 121ifeq (${USE_SPINLOCK_CAS},1) 122 ifneq (${ARCH},aarch64) 123 $(error USE_SPINLOCK_CAS requires AArch64) 124 endif 125endif #(USE_SPINLOCK_CAS) 126 127ifdef EL3_PAYLOAD_BASE 128 ifdef PRELOADED_BL33_BASE 129 $(warning "PRELOADED_BL33_BASE and EL3_PAYLOAD_BASE are \ 130 incompatible build options. EL3_PAYLOAD_BASE has priority.") 131 endif 132 ifneq (${GENERATE_COT},0) 133 $(error "GENERATE_COT and EL3_PAYLOAD_BASE are incompatible \ 134 build options.") 135 endif 136 ifneq (${TRUSTED_BOARD_BOOT},0) 137 $(error "TRUSTED_BOARD_BOOT and EL3_PAYLOAD_BASE are \ 138 incompatible \ build options.") 139 endif 140endif #(EL3_PAYLOAD_BASE) 141 142ifeq (${NEED_BL33},yes) 143 ifdef EL3_PAYLOAD_BASE 144 $(warning "BL33 image is not needed when option \ 145 BL33_PAYLOAD_BASE is used and won't be added to the FIP file.") 146 endif 147 ifdef PRELOADED_BL33_BASE 148 $(warning "BL33 image is not needed when option \ 149 PRELOADED_BL33_BASE is used and won't be added to the FIP file.") 150 endif 151endif #(NEED_BL33) 152 153# When building for systems with hardware-assisted coherency, there's no need to 154# use USE_COHERENT_MEM. Require that USE_COHERENT_MEM must be set to 0 too. 155ifeq ($(HW_ASSISTED_COHERENCY)-$(USE_COHERENT_MEM),1-1) 156 $(error USE_COHERENT_MEM cannot be enabled with HW_ASSISTED_COHERENCY) 157endif 158 159#For now, BL2_IN_XIP_MEM is only supported when RESET_TO_BL2 is 1. 160ifeq ($(RESET_TO_BL2)-$(BL2_IN_XIP_MEM),0-1) 161 $(error "BL2_IN_XIP_MEM is only supported when RESET_TO_BL2 is enabled") 162endif 163 164# RAS_EXTENSION is deprecated, provide alternate build options 165ifeq ($(RAS_EXTENSION),1) 166 $(error "RAS_EXTENSION is now deprecated, please use ENABLE_FEAT_RAS \ 167 and HANDLE_EA_EL3_FIRST_NS instead") 168endif 169 170 171# When FAULT_INJECTION_SUPPORT is used, require that FEAT_RAS is enabled 172ifeq ($(FAULT_INJECTION_SUPPORT),1) 173 ifeq ($(ENABLE_FEAT_RAS),0) 174 $(error For FAULT_INJECTION_SUPPORT, ENABLE_FEAT_RAS must not be 0) 175 endif 176endif #(FAULT_INJECTION_SUPPORT) 177 178# DYN_DISABLE_AUTH can be set only when TRUSTED_BOARD_BOOT=1 179ifeq ($(DYN_DISABLE_AUTH), 1) 180 ifeq (${TRUSTED_BOARD_BOOT}, 0) 181 $(error "TRUSTED_BOARD_BOOT must be enabled for DYN_DISABLE_AUTH \ 182 to be set.") 183 endif 184endif #(DYN_DISABLE_AUTH) 185 186# SDEI_IN_FCONF is only supported when SDEI_SUPPORT is enabled. 187ifeq ($(SDEI_SUPPORT)-$(SDEI_IN_FCONF),0-1) 188 $(error "SDEI_IN_FCONF is only supported when SDEI_SUPPORT is enabled") 189endif 190 191# If pointer authentication is used in the firmware, make sure that all the 192# registers associated to it are also saved and restored. 193# Not doing it would leak the value of the keys used by EL3 to EL1 and S-EL1. 194ifneq ($(ENABLE_PAUTH),0) 195 ifeq ($(CTX_INCLUDE_PAUTH_REGS),0) 196 $(error Pointer Authentication requires CTX_INCLUDE_PAUTH_REGS to be enabled) 197 endif 198endif #(ENABLE_PAUTH) 199 200ifneq ($(CTX_INCLUDE_PAUTH_REGS),0) 201 ifneq (${ARCH},aarch64) 202 $(error CTX_INCLUDE_PAUTH_REGS requires AArch64) 203 endif 204endif #(CTX_INCLUDE_PAUTH_REGS) 205 206# Check ENABLE_FEAT_PAUTH_LR 207ifneq (${ENABLE_FEAT_PAUTH_LR},0) 208 209# Make sure PAUTH is enabled 210ifeq (${ENABLE_PAUTH},0) 211 $(error Error: PAUTH_LR cannot be used without PAUTH (see BRANCH_PROTECTION)) 212endif 213 214# Make sure SCTLR2 is enabled 215ifeq (${ENABLE_FEAT_SCTLR2},0) 216 $(error Error: PAUTH_LR cannot be used without ENABLE_FEAT_SCTLR2) 217endif 218 219ifneq (${ENABLE_FEAT_HACDBS},0) 220 ifeq (${ENABLE_FEAT_HDBSS},0) 221 $(error ENABLE_FEAT_HACDBS requires ENABLE_FEAT_HDBSS) 222 endif 223endif 224 225# FEAT_PAUTH_LR is only supported in aarch64 state 226ifneq (${ARCH},aarch64) 227 $(error ENABLE_FEAT_PAUTH_LR requires AArch64) 228endif 229 230endif # ${ENABLE_FEAT_PAUTH_LR} 231 232ifeq ($(FEATURE_DETECTION),1) 233 $(info FEATURE_DETECTION is an experimental feature) 234endif #(FEATURE_DETECTION) 235 236ifneq ($(ENABLE_SME2_FOR_NS), 0) 237 ifeq (${ENABLE_SME_FOR_NS}, 0) 238 $(warning "ENABLE_SME2_FOR_NS requires ENABLE_SME_FOR_NS also \ 239 to be set") 240 $(warning "Forced ENABLE_SME_FOR_NS=1") 241 override ENABLE_SME_FOR_NS := 1 242 endif 243endif #(ENABLE_SME2_FOR_NS) 244 245ifeq (${ARM_XLAT_TABLES_LIB_V1}, 1) 246 ifeq (${ALLOW_RO_XLAT_TABLES}, 1) 247 $(error "ALLOW_RO_XLAT_TABLES requires translation tables \ 248 library v2") 249 endif 250endif #(ARM_XLAT_TABLES_LIB_V1) 251 252ifneq (${DECRYPTION_SUPPORT},none) 253 ifeq (${TRUSTED_BOARD_BOOT}, 0) 254 $(error TRUSTED_BOARD_BOOT must be enabled for DECRYPTION_SUPPORT \ 255 to be set) 256 endif 257endif #(DECRYPTION_SUPPORT) 258 259# Ensure that no Aarch64-only features are enabled in Aarch32 build 260ifeq (${ARCH},aarch32) 261 ifneq (${ENABLE_LTO},0) 262 $(error "ENABLE_LTO is not supported with ARCH=aarch32") 263 endif 264 ifneq (${EL3_EXCEPTION_HANDLING},0) 265 $(error "EL3_EXCEPTION_HANDLING is not supported outside BL31") 266 endif 267 268 ifeq (${CRASH_REPORTING},1) 269 $(error "CRASH_REPORTING is not supported with ARCH=aarch32") 270 endif 271 272 # SME/SVE only supported on AArch64 273 ifneq (${ENABLE_SME_FOR_NS},0) 274 $(error "ENABLE_SME_FOR_NS cannot be used with ARCH=aarch32") 275 endif 276 277 ifneq (${ENABLE_SVE_FOR_NS},0) 278 $(error "ENABLE_SVE_FOR_NS cannot be used with ARCH=aarch32") 279 endif 280 281 ifneq (${ENABLE_SPE_FOR_NS},0) 282 $(error "ENABLE_SPE_FOR_NS cannot be used with ARCH=aarch32") 283 endif 284 285 # BRBE is not supported in AArch32 286 ifneq (${ENABLE_BRBE_FOR_NS},0) 287 $(error "ENABLE_BRBE_FOR_NS cannot be used with ARCH=aarch32") 288 endif 289 290 # FEAT_RNG_TRAP is not supported in AArch32 291 ifneq (${ENABLE_FEAT_RNG_TRAP},0) 292 $(error "ENABLE_FEAT_RNG_TRAP cannot be used with ARCH=aarch32") 293 endif 294 295 ifneq (${ENABLE_FEAT_FPMR},0) 296 $(error "ENABLE_FEAT_FPMR cannot be used with ARCH=aarch32") 297 endif 298 299 ifeq (${ARCH_FEATURE_AVAILABILITY},1) 300 $(error "ARCH_FEATURE_AVAILABILITY cannot be used with ARCH=aarch32") 301 endif 302 # FEAT_MOPS is only supported on AArch64 303 ifneq (${ENABLE_FEAT_MOPS},0) 304 $(error "ENABLE_FEAT_MOPS cannot be used with ARCH=aarch32") 305 endif 306 ifneq (${ENABLE_FEAT_GCIE},0) 307 $(error "ENABLE_FEAT_GCIE cannot be used with ARCH=aarch32") 308 endif 309 ifneq (${ENABLE_FEAT_CPA2},0) 310 $(error "ENABLE_FEAT_CPA2 cannot be used with ARCH=aarch32") 311 endif 312 ifneq (${USE_SPINLOCK_CAS},0) 313 $(error "USE_SPINLOCK_CAS is not supported with ARCH=aarch32") 314 endif 315 ifneq (${PLATFORM_NODE_COUNT},1) 316 $(error "NUMA AWARE PER CPU is not supported with ARCH=aarch32") 317 endif 318 ifeq (${ENABLE_FEAT_CRYPTO},1) 319 $(error "ENABLE_FEAT_CRYPTO cannot be used with ARCH=aarch32") 320 endif 321 ifeq (${ENABLE_FEAT_CRYPTO_SHA3},1) 322 $(error "ENABLE_FEAT_CRYPTO_SHA3 cannot be used with ARCH=aarch32") 323 endif 324 ifneq (${ENABLE_FEAT_MPAM},0) 325 $(error "ENABLE_FEAT_MPAM cannot be used with ARCH=aarch32") 326 endif 327 ifneq (${ENABLE_FEAT_UINJ},0) 328 $(error "ENABLE_FEAT_UINJ cannot be used with ARCH=aarch32") 329 endif 330 ifneq (${ENABLE_FEAT_STEP2},0) 331 $(error "ENABLE_FEAT_STEP2 cannot be used with ARCH=aarch32") 332 endif 333 ifneq (${ENABLE_FEAT_HDBSS},0) 334 $(error "ENABLE_FEAT_HDBSS cannot be used with ARCH=aarch32") 335 endif 336 ifneq (${ENABLE_FEAT_HACDBS},0) 337 $(error "ENABLE_FEAT_HACDBS cannot be used with ARCH=aarch32") 338 endif 339endif #(ARCH=aarch32) 340 341ifneq (${ENABLE_FEAT_FPMR},0) 342 ifeq (${ENABLE_FEAT_FGT},0) 343 $(error "ENABLE_FEAT_FPMR requires ENABLE_FEAT_FGT") 344 endif 345 ifeq (${ENABLE_FEAT_HCX},0) 346 $(error "ENABLE_FEAT_FPMR requires ENABLE_FEAT_HCX") 347 endif 348endif #(ENABLE_FEAT_FPMR) 349 350ifneq (${ENABLE_FEAT_CPA2},0) 351 ifeq (${ENABLE_FEAT_SCTLR2},0) 352 $(error "Error: ENABLE_FEAT_CPA2 cannot be used without ENABLE_FEAT_SCTLR2") 353 endif 354endif #${ENABLE_FEAT_CPA2} 355 356ifneq (${ENABLE_SME_FOR_NS},0) 357 ifeq (${ENABLE_SVE_FOR_NS},0) 358 $(error "ENABLE_SME_FOR_NS requires ENABLE_SVE_FOR_NS") 359 endif 360endif #(ENABLE_SME_FOR_NS) 361 362# Secure SME/SVE requires the non-secure component as well 363ifeq (${ENABLE_SME_FOR_SWD},1) 364 ifeq (${ENABLE_SME_FOR_NS},0) 365 $(error "ENABLE_SME_FOR_SWD requires ENABLE_SME_FOR_NS") 366 endif 367 ifeq (${ENABLE_SVE_FOR_SWD},0) 368 $(error "ENABLE_SME_FOR_SWD requires ENABLE_SVE_FOR_SWD") 369 endif 370endif #(ENABLE_SME_FOR_SWD) 371 372# Enabling SVE for SWD requires enabling SVE for NWD due to ENABLE_FEAT 373# mechanism. 374ifeq (${ENABLE_SVE_FOR_SWD},1) 375 ifeq (${ENABLE_SVE_FOR_NS},0) 376 $(error "ENABLE_SVE_FOR_SWD requires ENABLE_SVE_FOR_NS") 377 endif 378endif 379 380# Enabling FEAT_MOPS requires access to hcrx_el2 registers which is 381# available only when FEAT_HCX is enabled. 382ifneq (${ENABLE_FEAT_MOPS},0) 383 ifeq (${ENABLE_FEAT_HCX},0) 384 $(error "ENABLE_FEAT_MOPS requires ENABLE_FEAT_HCX") 385 endif 386endif 387 388# Enabling SVE for both the worlds typically requires the context 389# management of SVE registers. The only exception being SPMC at S-EL2. 390ifeq (${ENABLE_SVE_FOR_SWD}, 1) 391 ifneq (${ENABLE_SVE_FOR_NS}, 0) 392 ifeq (${CTX_INCLUDE_SVE_REGS}-$(SPMD_SPM_AT_SEL2),0-0) 393 $(warning "ENABLE_SVE_FOR_SWD and ENABLE_SVE_FOR_NS together require CTX_INCLUDE_SVE_REGS") 394 endif 395 endif 396endif 397 398# Enabling SHA3 requires regular Crypto extension to be enabled 399ifeq (${ENABLE_FEAT_CRYPTO_SHA3}, 1) 400 ifeq (${ENABLE_FEAT_CRYPTO}, 0) 401 $(error "ENABLE_FEAT_CRYPTO_SHA3 requires ENABLE_FEAT_CRYPTO") 402 endif 403endif 404 405ifeq (${ENABLE_FEAT_CRYPTO_SHA3}, 2) 406 $(warning "ENABLE_FEAT_CRYPTO_SHA3 does not have any effect when set to 2") 407endif 408 409ifeq (${ENABLE_FEAT_CRYPTO}, 2) 410 $(warning "ENABLE_FEAT_CRYPTO does not have any effect when set to 2") 411endif 412 413# Enabling SVE in either world while enabling CTX_INCLUDE_FPREGS requires 414# CTX_INCLUDE_SVE_REGS to be enabled due to architectural dependency between FP 415# and SVE registers. 416ifeq (${CTX_INCLUDE_FPREGS}, 1) 417 ifneq (${ENABLE_SVE_FOR_NS},0) 418 ifeq (${CTX_INCLUDE_SVE_REGS},0) 419 # Warning instead of error due to CI dependency on this 420 $(warning "CTX_INCLUDE_FPREGS and ENABLE_SVE_FOR_NS together require CTX_INCLUDE_SVE_REGS") 421 $(warning "Forced ENABLE_SVE_FOR_NS=0") 422 override ENABLE_SVE_FOR_NS := 0 423 endif 424 endif 425endif #(CTX_INCLUDE_FPREGS) 426 427# SVE context management is only required if secure world has access to SVE/FP 428# functionality. 429# Enabling CTX_INCLUDE_SVE_REGS requires CTX_INCLUDE_FPREGS to be enabled due 430# to architectural dependency between FP and SVE registers. 431ifeq (${CTX_INCLUDE_SVE_REGS},1) 432 ifeq (${ENABLE_SVE_FOR_SWD},0) 433 $(error "CTX_INCLUDE_SVE_REGS requires ENABLE_SVE_FOR_SWD to also be enabled") 434 endif 435 ifeq (${CTX_INCLUDE_FPREGS},0) 436 $(error "CTX_INCLUDE_SVE_REGS requires CTX_INCLUDE_FPREGS to also be enabled") 437 endif #(CTX_INCLUDE_FPREGS) 438endif #(CTX_INCLUDE_SVE_REGS) 439 440# SME cannot be used with CTX_INCLUDE_FPREGS since SPM does its own context 441# management including FPU registers. 442ifeq (${CTX_INCLUDE_FPREGS},1) 443 ifneq (${ENABLE_SME_FOR_NS},0) 444 $(error "ENABLE_SME_FOR_NS cannot be used with CTX_INCLUDE_FPREGS") 445 endif 446endif #(CTX_INCLUDE_FPREGS) 447 448ifeq ($(DRTM_SUPPORT),1) 449 $(info DRTM_SUPPORT is an experimental feature) 450endif 451 452ifeq (${HOB_LIST},1) 453 $(warning HOB_LIST is an experimental feature) 454endif 455 456ifeq (${TRANSFER_LIST},1) 457 $(info TRANSFER_LIST is an experimental feature) 458endif 459 460ifeq ($(PSA_CRYPTO),1) 461 $(info PSA_CRYPTO is an experimental feature) 462endif 463 464ifeq ($(DICE_PROTECTION_ENVIRONMENT),1) 465 $(info DICE_PROTECTION_ENVIRONMENT is an experimental feature) 466endif 467 468ifeq (${LFA_SUPPORT},1) 469 $(warning LFA_SUPPORT is an experimental feature) 470endif #(LFA_SUPPORT) 471 472ifneq (${ENABLE_FEAT_MPAM_PE_BW_CTRL},0) 473 ifeq (${ENABLE_FEAT_MPAM},0) 474 $(error "ENABLE_FEAT_MPAM_PW_BW_CTRL requires ENABLE_FEAT_MPAM") 475 endif 476endif #(ENABLE_FEAT_MPAM_PE_BW_CTRL) 477 478ifneq (${DYNAMIC_WORKAROUND_CVE_2018_3639},0) 479 ifeq (${WORKAROUND_CVE_2018_3639},0) 480 $(error Error: WORKAROUND_CVE_2018_3639 must be 1 if DYNAMIC_WORKAROUND_CVE_2018_3639 is 1) 481 endif 482endif 483 484ifeq (${WORKAROUND_CVE_2025_0647},1) 485ifeq "8.5" "$(word 1, $(sort 8.5 $(ARM_ARCH_MAJOR).$(ARM_ARCH_MINOR)))" 486else 487 $(error Error: WORKAROUND_CVE_2025_0647 can only be used with Arm Arch v8.5+, set ARM_ARCH_MAJOR and ARM_ARCH_MINOR appropriately.) 488endif 489endif 490 491ifneq ($(ENABLE_FEAT_MORELLO),0) 492 ifneq ($($(ARCH)-cc-id),llvm-clang) 493 $(error ENABLE_FEAT_MORELLO requires Clang toolchain) 494 endif 495 $(warning Morello capability is an experimental feature) 496endif 497 498# Handle all deprecated build options. 499ifeq (${ERROR_DEPRECATED}, 1) 500 ifneq (${NS_TIMER_SWITCH},0) 501 $(error "NS_TIMER_SWITCH breaks Linux preemption model, hence deprecated") 502 endif 503 ifneq (${SPM_MM},0) 504 $(error "SPM_MM build option is deprecated") 505 endif 506endif 507 508ifneq (${ENABLE_FEAT_IDTE3},0) 509 $(info FEAT_IDTE3 is an experimental feature) 510endif #(ENABLE_FEAT_IDTE3) 511