1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
|
#
# Copyright (c) 2016-2023, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
# Default, static values for build variables, listed in alphabetic order.
# Dependencies between build options, if any, are handled in the top-level
# Makefile, after this file is included. This ensures that the former is better
# poised to handle dependencies, as all build variables would have a default
# value by then.
# Use T32 by default
AARCH32_INSTRUCTION_SET := T32
# The AArch32 Secure Payload to be built as BL32 image
AARCH32_SP := none
# The Target build architecture. Supported values are: aarch64, aarch32.
ARCH := aarch64
# ARM Architecture feature modifiers: none by default
ARM_ARCH_FEATURE := none
# ARM Architecture major and minor versions: 8.0 by default.
ARM_ARCH_MAJOR := 8
ARM_ARCH_MINOR := 0
# Base commit to perform code check on
BASE_COMMIT := origin/master
# Execute BL2 at EL3
RESET_TO_BL2 := 0
# Only use SP packages if SP layout JSON is defined
BL2_ENABLE_SP_LOAD := 0
# BL2 image is stored in XIP memory, for now, this option is only supported
# when RESET_TO_BL2 is 1.
BL2_IN_XIP_MEM := 0
# Do dcache invalidate upon BL2 entry at EL3
BL2_INV_DCACHE := 1
# Select the branch protection features to use.
BRANCH_PROTECTION := 0
# By default, consider that the platform may release several CPUs out of reset.
# The platform Makefile is free to override this value.
COLD_BOOT_SINGLE_CPU := 0
# Flag to compile in coreboot support code. Exclude by default. The coreboot
# Makefile system will set this when compiling TF as part of a coreboot image.
COREBOOT := 0
# For Chain of Trust
CREATE_KEYS := 1
# Build flag to include AArch32 registers in cpu context save and restore during
# world switch. This flag must be set to 0 for AArch64-only platforms.
CTX_INCLUDE_AARCH32_REGS := 1
# Include FP registers in cpu context
CTX_INCLUDE_FPREGS := 0
# Include pointer authentication (ARMv8.3-PAuth) registers in cpu context. This
# must be set to 1 if the platform wants to use this feature in the Secure
# world. It is not needed to use it in the Non-secure world.
CTX_INCLUDE_PAUTH_REGS := 0
# Include Nested virtualization control (Armv8.4-NV) registers in cpu context.
# This must be set to 1 if architecture implements Nested Virtualization
# Extension and platform wants to use this feature in the Secure world
CTX_INCLUDE_NEVE_REGS := 0
# Debug build
DEBUG := 0
# By default disable authenticated decryption support.
DECRYPTION_SUPPORT := none
# Build platform
DEFAULT_PLAT := fvp
# Disable the generation of the binary image (ELF only).
DISABLE_BIN_GENERATION := 0
# Disable MTPMU if FEAT_MTPMU is supported. Default is 0 to keep backwards
# compatibility.
DISABLE_MTPMU := 0
# Enable capability to disable authentication dynamically. Only meant for
# development platforms.
DYN_DISABLE_AUTH := 0
# Build option to enable MPAM for lower ELs
ENABLE_MPAM_FOR_LOWER_ELS := 0
# Enable the Maximum Power Mitigation Mechanism on supporting cores.
ENABLE_MPMM := 0
# Enable MPMM configuration via FCONF.
ENABLE_MPMM_FCONF := 0
# Flag to Enable Position Independant support (PIE)
ENABLE_PIE := 0
# Flag to enable Performance Measurement Framework
ENABLE_PMF := 0
# Flag to enable PSCI STATs functionality
ENABLE_PSCI_STAT := 0
# Flag to enable Realm Management Extension (FEAT_RME)
ENABLE_RME := 0
# Flag to enable runtime instrumentation using PMF
ENABLE_RUNTIME_INSTRUMENTATION := 0
# Flag to enable stack corruption protection
ENABLE_STACK_PROTECTOR := 0
# Flag to enable exception handling in EL3
EL3_EXCEPTION_HANDLING := 0
# Flag to enable Branch Target Identification.
# Internal flag not meant for direct setting.
# Use BRANCH_PROTECTION to enable BTI.
ENABLE_BTI := 0
# Flag to enable Pointer Authentication.
# Internal flag not meant for direct setting.
# Use BRANCH_PROTECTION to enable PAUTH.
ENABLE_PAUTH := 0
# Flag to enable AMUv1p1 extension.
ENABLE_FEAT_AMUv1p1 := 0
# Flag to enable CSV2_2 extension.
ENABLE_FEAT_CSV2_2 := 0
# Flag to enable access to the HCRX_EL2 register by setting SCR_EL3.HXEn.
ENABLE_FEAT_HCX := 0
# Flag to enable access to the HDFGRTR_EL2 register
ENABLE_FEAT_FGT := 0
# Flag to enable access to the CNTPOFF_EL2 register
ENABLE_FEAT_ECV := 0
# Flag to enable use of the DIT feature.
ENABLE_FEAT_DIT := 0
# Flag to enable access to Privileged Access Never bit of PSTATE.
ENABLE_FEAT_PAN := 0
# Flag to enable access to the Random Number Generator registers
ENABLE_FEAT_RNG := 0
# Flag to enable support for EL3 trapping of reads of the RNDR and RNDRRS
# registers, by setting SCR_EL3.TRNDR.
ENABLE_FEAT_RNG_TRAP := 0
# Flag to enable Speculation Barrier Instruction
ENABLE_FEAT_SB := 0
# Flag to enable Secure EL-2 feature.
ENABLE_FEAT_SEL2 := 0
# Flag to enable Virtualization Host Extensions
ENABLE_FEAT_VHE := 0
# Flag to enable delayed trapping of WFE instruction (FEAT_TWED)
ENABLE_FEAT_TWED := 0
# Flag to enable access to TCR2 (FEAT_TCR2)
ENABLE_FEAT_TCR2 := 0
# Flag to enable access to Stage 2 Permission Indirection (FEAT_S2PIE)
ENABLE_FEAT_S2PIE := 0
# Flag to enable access to Stage 1 Permission Indirection (FEAT_S1PIE)
ENABLE_FEAT_S1PIE := 0
# Flag to enable access to Stage 2 Permission Overlay (FEAT_S2POE)
ENABLE_FEAT_S2POE := 0
# Flag to enable access to Stage 1 Permission Overlay (FEAT_S1POE)
ENABLE_FEAT_S1POE := 0
# Flag to enable access to Guarded Control Stack (FEAT_GCS)
ENABLE_FEAT_GCS := 0
# By default BL31 encryption disabled
ENCRYPT_BL31 := 0
# By default BL32 encryption disabled
ENCRYPT_BL32 := 0
# Default dummy firmware encryption key
ENC_KEY := 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
# Default dummy nonce for firmware encryption
ENC_NONCE := 1234567890abcdef12345678
# Build flag to treat usage of deprecated platform and framework APIs as error.
ERROR_DEPRECATED := 0
# Fault injection support
FAULT_INJECTION_SUPPORT := 0
# Flag to enable architectural features detection mechanism
FEATURE_DETECTION := 0
# Byte alignment that each component in FIP is aligned to
FIP_ALIGN := 0
# Default FIP file name
FIP_NAME := fip.bin
# Default FWU_FIP file name
FWU_FIP_NAME := fwu_fip.bin
# By default firmware encryption with SSK
FW_ENC_STATUS := 0
# For Chain of Trust
GENERATE_COT := 0
# Hint platform interrupt control layer that Group 0 interrupts are for EL3. By
# default, they are for Secure EL1.
GICV2_G0_FOR_EL3 := 0
# Route NS External Aborts to EL3. Disabled by default; External Aborts are handled
# by lower ELs.
HANDLE_EA_EL3_FIRST_NS := 0
# Secure hash algorithm flag, accepts 3 values: sha256, sha384 and sha512.
# The default value is sha256.
HASH_ALG := sha256
# Whether system coherency is managed in hardware, without explicit software
# operations.
HW_ASSISTED_COHERENCY := 0
# Flag to enable trapping of implementation defined sytem registers
IMPDEF_SYSREG_TRAP := 0
# Set the default algorithm for the generation of Trusted Board Boot keys
KEY_ALG := rsa
# Set the default key size in case KEY_ALG is rsa
ifeq ($(KEY_ALG),rsa)
KEY_SIZE := 2048
endif
# Option to build TF with Measured Boot support
MEASURED_BOOT := 0
# NS timer register save and restore
NS_TIMER_SWITCH := 0
# Include lib/libc in the final image
OVERRIDE_LIBC := 0
# Build PL011 UART driver in minimal generic UART mode
PL011_GENERIC_UART := 0
# By default, consider that the platform's reset address is not programmable.
# The platform Makefile is free to override this value.
PROGRAMMABLE_RESET_ADDRESS := 0
# Flag used to choose the power state format: Extended State-ID or Original
PSCI_EXTENDED_STATE_ID := 0
# Enable PSCI OS-initiated mode support
PSCI_OS_INIT_MODE := 0
# Enable RAS Support
ENABLE_FEAT_RAS := 0
RAS_FFH_SUPPORT := 0
# By default, BL1 acts as the reset handler, not BL31
RESET_TO_BL31 := 0
# For Chain of Trust
SAVE_KEYS := 0
# Software Delegated Exception support
SDEI_SUPPORT := 0
# True Random Number firmware Interface support
TRNG_SUPPORT := 0
# Check to see if Errata ABI is supported
ERRATA_ABI_SUPPORT := 0
# Check to enable Errata ABI for platforms with non-arm interconnect
ERRATA_NON_ARM_INTERCONNECT := 0
# SMCCC PCI support
SMC_PCI_SUPPORT := 0
# Whether code and read-only data should be put on separate memory pages. The
# platform Makefile is free to override this value.
SEPARATE_CODE_AND_RODATA := 0
# Put NOBITS sections (.bss, stacks, page tables, and coherent memory) in a
# separate memory region, which may be discontiguous from the rest of BL31.
SEPARATE_NOBITS_REGION := 0
# Put BL2 NOLOAD sections (.bss, stacks, page tables) in a separate memory
# region, platform Makefile is free to override this value.
SEPARATE_BL2_NOLOAD_REGION := 0
# If the BL31 image initialisation code is recalimed after use for the secondary
# cores stack
RECLAIM_INIT_CODE := 0
# SPD choice
SPD := none
# Enable the Management Mode (MM)-based Secure Partition Manager implementation
SPM_MM := 0
# Use the FF-A SPMC implementation in EL3.
SPMC_AT_EL3 := 0
# Use SPM at S-EL2 as a default config for SPMD
SPMD_SPM_AT_SEL2 := 1
# Flag to introduce an infinite loop in BL1 just before it exits into the next
# image. This is meant to help debugging the post-BL2 phase.
SPIN_ON_BL1_EXIT := 0
# Flags to build TF with Trusted Boot support
TRUSTED_BOARD_BOOT := 0
# Build option to choose whether Trusted Firmware uses Coherent memory or not.
USE_COHERENT_MEM := 1
# Build option to add debugfs support
USE_DEBUGFS := 0
# Build option to fconf based io
ARM_IO_IN_DTB := 0
# Build option to support SDEI through fconf
SDEI_IN_FCONF := 0
# Build option to support Secure Interrupt descriptors through fconf
SEC_INT_DESC_IN_FCONF := 0
# Build option to choose whether Trusted Firmware uses library at ROM
USE_ROMLIB := 0
# Build option to choose whether the xlat tables of BL images can be read-only.
# Note that this only serves as a higher level option to PLAT_RO_XLAT_TABLES,
# which is the per BL-image option that actually enables the read-only tables
# API. The reason for having this additional option is to have a common high
# level makefile where we can check for incompatible features/build options.
ALLOW_RO_XLAT_TABLES := 0
# Chain of trust.
COT := tbbr
# Use tbbr_oid.h instead of platform_oid.h
USE_TBBR_DEFS := 1
# Build verbosity
V := 0
# Whether to enable D-Cache early during warm boot. This is usually
# applicable for platforms wherein interconnect programming is not
# required to enable cache coherency after warm reset (eg: single cluster
# platforms).
WARMBOOT_ENABLE_DCACHE_EARLY := 0
# Build option to enable/disable the Statistical Profiling Extensions
ENABLE_SPE_FOR_NS := 2
# SPE is only supported on AArch64 so disable it on AArch32.
ifeq (${ARCH},aarch32)
override ENABLE_SPE_FOR_NS := 0
endif
# Include Memory Tagging Extension registers in cpu context. This must be set
# to 1 if the platform wants to use this feature in the Secure world and MTE is
# enabled at ELX.
CTX_INCLUDE_MTE_REGS := 0
ENABLE_FEAT_AMU := 0
ENABLE_AMU_AUXILIARY_COUNTERS := 0
ENABLE_AMU_FCONF := 0
AMU_RESTRICT_COUNTERS := 0
# Enable SVE for non-secure world by default
ENABLE_SVE_FOR_NS := 2
# SVE is only supported on AArch64 so disable it on AArch32.
ifeq (${ARCH},aarch32)
override ENABLE_SVE_FOR_NS := 0
endif
ENABLE_SVE_FOR_SWD := 0
# Default SVE vector length to maximum architected value
SVE_VECTOR_LEN := 2048
# SME defaults to disabled
ENABLE_SME_FOR_NS := 0
ENABLE_SME_FOR_SWD := 0
ENABLE_SME2_FOR_NS := 0
SANITIZE_UB := off
# For ARMv8.1 (AArch64) platforms, enabling this option selects the spinlock
# implementation variant using the ARMv8.1-LSE compare-and-swap instruction.
# Default: disabled
USE_SPINLOCK_CAS := 0
# Enable Link Time Optimization
ENABLE_LTO := 0
# This option will include EL2 registers in cpu context save and restore during
# EL2 firmware entry/exit. Internal flag not meant for direct setting.
# Use SPD=spmd and SPMD_SPM_AT_SEL2=1 or ENABLE_RME=1 to enable
# CTX_INCLUDE_EL2_REGS.
CTX_INCLUDE_EL2_REGS := 0
# Enable Memory tag extension which is supported for architecture greater
# than Armv8.5-A
# By default it is set to "no"
SUPPORT_STACK_MEMTAG := no
# Select workaround for AT speculative behaviour.
ERRATA_SPECULATIVE_AT := 0
# Trap RAS error record access from Non secure
RAS_TRAP_NS_ERR_REC_ACCESS := 0
# Build option to create cot descriptors using fconf
COT_DESC_IN_DTB := 0
# Build option to provide OpenSSL directory path
OPENSSL_DIR := /usr
# Select the openssl binary provided in OPENSSL_DIR variable
ifeq ("$(wildcard ${OPENSSL_DIR}/bin)", "")
OPENSSL_BIN_PATH = ${OPENSSL_DIR}/apps
else
OPENSSL_BIN_PATH = ${OPENSSL_DIR}/bin
endif
# Build option to use the SP804 timer instead of the generic one
USE_SP804_TIMER := 0
# Build option to define number of firmware banks, used in firmware update
# metadata structure.
NR_OF_FW_BANKS := 2
# Build option to define number of images in firmware bank, used in firmware
# update metadata structure.
NR_OF_IMAGES_IN_FW_BANK := 1
# Disable Firmware update support by default
PSA_FWU_SUPPORT := 0
# By default, disable access of trace buffer control registers from NS
# lower ELs i.e. NS-EL2, or NS-EL1 if NS-EL2 implemented but unused
# if FEAT_TRBE is implemented.
# Note FEAT_TRBE is only supported on AArch64 - therefore do not enable in
# AArch32.
ifneq (${ARCH},aarch32)
ENABLE_TRBE_FOR_NS := 0
else
override ENABLE_TRBE_FOR_NS := 0
endif
# By default, disable access to branch record buffer control registers from NS
# lower ELs i.e. NS-EL2, or NS-EL1 if NS-EL2 implemented but unused
# if FEAT_BRBE is implemented.
ENABLE_BRBE_FOR_NS := 0
# By default, disable access of trace system registers from NS lower
# ELs i.e. NS-EL2, or NS-EL1 if NS-EL2 implemented but unused if
# system register trace is implemented.
ENABLE_SYS_REG_TRACE_FOR_NS := 0
# By default, disable trace filter control registers access to NS
# lower ELs, i.e. NS-EL2, or NS-EL1 if NS-EL2 implemented but unused
# if FEAT_TRF is implemented.
ENABLE_TRF_FOR_NS := 0
# In v8.6+ platforms with delayed trapping of WFE being supported
# via FEAT_TWED, this flag takes the delay value to be set in the
# SCR_EL3.TWEDEL(4bit) field, when FEAT_TWED is implemented.
# By default it takes 0, and need to be updated by the platforms.
TWED_DELAY := 0
# By default, disable the mocking of RSS provided services
PLAT_RSS_NOT_SUPPORTED := 0
# Dynamic Root of Trust for Measurement support
DRTM_SUPPORT := 0
# Check platform if cache management operations should be performed.
# Disabled by default.
CONDITIONAL_CMO := 0
|
