forked from nrfconnect/sdk-nrf
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Kconfig.secureboot
126 lines (108 loc) · 4.39 KB
/
Kconfig.secureboot
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
# Copyright (c) 2023 Nordic Semiconductor
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
menuconfig SECURE_BOOT
bool "Secure Bootloader"
help
Set this option to enable the first stage bootloader which
verifies the signature of the app.
if SECURE_BOOT
config SECURE_BOOT_APPCORE
bool "Appcore"
help
Locate first stage bootloader on application core.
config SECURE_BOOT_NETCORE
bool "Netcore"
depends on SUPPORT_NETCORE
help
Locate first stage bootloader on network core.
config SECURE_BOOT_NETWORK_BOARD
string
default "nrf5340dk_nrf5340_cpunet" if SECURE_BOOT_NETCORE && ($(BOARD) = "nrf5340dk_nrf5340_cpuapp" || $(BOARD) = "nrf5340dk_nrf5340_cpuapp_ns")
default "thingy53_nrf5340_cpunet" if SECURE_BOOT_NETCORE && ($(BOARD) = "thingy53_nrf5340_cpuapp" || $(BOARD) = "thingy53_nrf5340_cpuapp_ns")
default "nrf7002dk_nrf5340_cpunet" if SECURE_BOOT_NETCORE && ($(BOARD) = "nrf7002dk_nrf5340_cpuapp" || $(BOARD) = "nrf7002dk_nrf5340_cpuapp")
depends on SECURE_BOOT_NETCORE
help
Remote board when building this sample.
If not set, the board given to sysbuild is used.
config SECURE_BOOT_BUILD_S1_VARIANT_IMAGE
bool
default y
depends on SECURE_BOOT_APPCORE
help
Will build an S1 variant image for the second slot.
choice SECURE_BOOT_SIGNING
prompt "Firmware signing method"
default SECURE_BOOT_SIGNING_PYTHON
config SECURE_BOOT_SIGNING_PYTHON
bool "Sign with Python ecdsa library"
select SECURE_BOOT_PRIVATE_KEY_PROVIDED
config SECURE_BOOT_SIGNING_OPENSSL
bool "Sign with openssl command line tool"
select SECURE_BOOT_PRIVATE_KEY_PROVIDED
config SECURE_BOOT_SIGNING_CUSTOM
bool "Sign with custom command"
endchoice
config SECURE_BOOT_SIGNING_KEY_FILE
string
prompt "Private key PEM file" if !SECURE_BOOT_SIGNING_CUSTOM
default ""
help
Absolute path to the private key PEM file.
Specifies the private key used for signing the firmware image.
The hash of the corresponding public key is stored as the first
entry in the list of public key hashes in the provision hex file.
This value can also be set by exporting an environment variable
named 'SECURE_BOOT_SIGNING_KEY_FILE' or passing
'-DSECURE_BOOT_SIGNING_KEY_FILE=/path/to/my/pem' when running cmake.
See also SECURE_BOOT_PUBLIC_KEY_FILES.
config SECURE_BOOT_SIGNING_COMMAND
string
prompt "Custom signing command" if SECURE_BOOT_SIGNING_CUSTOM
default ""
help
This command will be called to produce a signature of the firmware.
It will be called as "${CONFIG_SECURE_BOOT_SIGNING_COMMAND} <file>"
The command must calculate the signature over the contents
of the <file> and write the signature to stdout.
The signature must be on DER format.
config SECURE_BOOT_SIGNING_PUBLIC_KEY
string
prompt "Public key PEM file" if SECURE_BOOT_SIGNING_CUSTOM
default ""
help
Path to a PEM file.
When using a custom signing command, specify the corresponding public
key here. This public key is checked during building, and added as
the first entry in the provisioned data. See SECURE_BOOT_PUBLIC_KEY_FILES.
config SECURE_BOOT_PUBLIC_KEY_FILES
string "Public Key PEM files"
default ""
help
Comma-separated list of absolute paths to public key pem files.
The provision hex file will contain a list of hashes of public keys.
The first public key hash is the one corresponding to the private
signing key used to sign the image. See SECURE_BOOT_SIGNING_KEY_FILE.
The hashes of the public keys specified in this configuration will be
placed after the aforementioned public key hash, in the order
they appear in this config. The order is significant since if an image
is successfully validated against a public key in the list, all
public keys before it in the list will be invalidated.
Example value: ~/keys/pk1.pem,~/keys/pk2.pem,~/keys/pk3.pem
If config is the string "debug", 2 generated debug files will be used.
If config is an empty string then only the public key hash
corresponding to the private signing key used to sign the image is
included in provision.hex.
config SECURE_BOOT_DEBUG_SIGNATURE_PUBLIC_KEY_LAST
bool "[DEBUG] Place signing public key last"
default n
help
Place the public key used for signing last in the list instead of
first. This is meant to be used for testing looping through the
public keys.
config SECURE_BOOT_DEBUG_NO_VERIFY_HASHES
bool
help
[DEBUG] Don't check public key hashes for applicability.
Use this only in (negative) tests!
endif