modules-tfm: Configure image versions with KConfig

theotherjimmy · mbolivar-nordic · commit 0dcd6bd58a49 · 2022-04-08T15:52:01.000-07:00
Previously, you were required to set the image versions through the
CMake variables TFM_IMAGE_VERSION_{S,NS}. For better integration with
the rest of the zephyr build system, these are now KConfig variables
with the same name.

Signed-off-by: Jimmy Brisson &lt;jimmy.brisson@linaro.org&gt;
diff --git a/modules/trusted-firmware-m/CMakeLists.txt b/modules/trusted-firmware-m/CMakeLists.txt
@@ -347,15 +347,6 @@ if (CONFIG_BUILD_WITH_TFM)
   # To ensure that generated include files are created before they are used.
   add_dependencies(zephyr_interface tfm)
 
-  # Set default image versions if not defined elsewhere
-  if (NOT DEFINED TFM_IMAGE_VERSION_S)
-    set(TFM_IMAGE_VERSION_S 0.0.0+0)
-  endif()
-
-  if (NOT DEFINED TFM_IMAGE_VERSION_NS)
-    set(TFM_IMAGE_VERSION_NS 0.0.0+0)
-  endif()
-
   if (CONFIG_TFM_BL2)
     set(PREPROCESSED_FILE_S "${TFM_BINARY_DIR}/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
     set(PREPROCESSED_FILE_NS "${TFM_BINARY_DIR}/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
@@ -390,7 +381,7 @@ if (CONFIG_BUILD_WITH_TFM)
       -k ${CONFIG_TFM_KEY_FILE_${SUFFIX}}
       --public-key-format ${TFM_PUBLIC_KEY_FORMAT}
       --align 1
-      -v ${TFM_IMAGE_VERSION_${SUFFIX}}
+      -v ${CONFIG_TFM_IMAGE_VERSION_${SUFFIX}}
       ${pad_args}
       ${HEX_ADDR_ARGS_${SUFFIX}}
       ${ADD_${SUFFIX}_IMAGE_MIN_VER}
diff --git a/modules/trusted-firmware-m/Kconfig.tfm b/modules/trusted-firmware-m/Kconfig.tfm
@@ -173,6 +173,22 @@ config TFM_BL2_NOT_SUPPORTED
 	  Hidden option to mark the BL2, the MCUBoot included in TF-M, as not supported.
 	  Platforms that don't use BL2 should select this option.
 
+config TFM_IMAGE_VERSION_S
+	string "Version of the Secure Image"
+	default "0.0.0+0"
+	help
+	  MCUBoot may be configured to prevent rollback prevention based on image
+	  versions of both the secure firmware and non-secure firmware. This sets
+	  the secure firmware's version for rollback prevention.
+
+config TFM_IMAGE_VERSION_NS
+	string "Version of the Non-Secure Image"
+	default "0.0.0+0"
+	help
+	  MCUBoot may be configured to prevent rollback prevention based on image
+	  versions of both the secure firmware and non-secure firmware. This sets
+	  the non-secure firmware's version for rollback prevention.
+
 config TFM_BL2
 	bool "Add MCUboot to TFM"
 	depends on !TFM_BL2_NOT_SUPPORTED
diff --git a/samples/tfm_integration/psa_firmware/CMakeLists.txt b/samples/tfm_integration/psa_firmware/CMakeLists.txt
@@ -2,10 +2,6 @@
 
 cmake_minimum_required(VERSION 3.13.1)
 
-if (NOT TFM_IMAGE_VERSION_NS)
-   set(TFM_IMAGE_VERSION_NS 0.0.1+0)
-endif()
-
 find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
 
 project(tfm_psa_firmware)
diff --git a/samples/tfm_integration/psa_firmware/prj.conf b/samples/tfm_integration/psa_firmware/prj.conf
@@ -8,6 +8,8 @@ CONFIG_BUILD_WITH_TFM=y
 CONFIG_TFM_BL2=y
 CONFIG_TFM_IPC=y
 CONFIG_TFM_PARTITION_FIRMWARE_UPDATE=y
+CONFIG_TFM_IMAGE_VERSION_S="0.0.3"
+CONFIG_TFM_IMAGE_VERSION_NS="0.0.1"
 
 # The Zephyr CMSIS emulation assumes that ticks are ms, currently
 CONFIG_SYS_CLOCK_TICKS_PER_SEC=1000
