CONFIG_BUILD_WITH_TFM

Build with TF-M as the Secure Execution Environment

Build with TF-M as the Secure Execution Environment

Type: bool

Help

When enabled, this option instructs the Zephyr build process to
additionally generate a TF-M image for the Secure Execution
environment, along with the Zephyr image. The Zephyr image
itself is to be executed in the Non-Secure Processing Environment.
The required dependency on TRUSTED_EXECUTION_NONSECURE
ensures that the Zephyr image is built as a Non-Secure image. Both
TF-M and Zephyr images, as well as the veneer object file that links
them, are generated during the normal Zephyr build process.

Notes:
  Building with the "_ns" BOARD variant (e.g. "mps2_an521_ns")
      ensures that CONFIG_TRUSTED_EXECUTION_NONSECURE is enabled.

  By default we allow Zephyr preemptible threads be preempted
  while performing a secure function call.

Help

When enabled, this option instructs the Zephyr build process to
additionally generate a TF-M image for the Secure Execution
environment, along with the Zephyr image. The Zephyr image
itself is to be executed in the Non-Secure Processing Environment.
The required dependency on TRUSTED_EXECUTION_NONSECURE
ensures that the Zephyr image is built as a Non-Secure image. Both
TF-M and Zephyr images, as well as the veneer object file that links
them, are generated during the normal Zephyr build process.

Notes:
  Building with the "_ns" BOARD variant (e.g. "mps2_an521_ns")
      ensures that CONFIG_TRUSTED_EXECUTION_NONSECURE is enabled.

  By default we allow Zephyr preemptible threads be preempted
  while performing a secure function call.

Direct dependencies

BOARD_BL5340_DVK_CPUAPP || BOARD_BL5340_DVK_CPUAPP_NS || BOARD_MPS2_AN521_CPU0 || BOARD_MPS2_AN521_CPU0_NS || BOARD_MPS2_AN521_CPU1 || BOARD_NRF5340DK_NRF5340_CPUAPP || BOARD_NRF5340DK_NRF5340_CPUAPP_NS || NET_L2_OPENTHREAD || (TRUSTED_EXECUTION_NONSECURE && TFM_BOARD != “” && ARM_TRUSTZONE_M) || (TRUSTED_EXECUTION_NONSECURE && TFM_BOARD != “” && ARM_TRUSTZONE_M && 0) || SOC_FAMILY_NRF || SOC_FAMILY_NRF

(Includes any dependencies from ifs and menus.)

Defaults

• y if BOARD_BL5340_DVK_CPUAPP_NS

• y if TRUSTED_EXECUTION_NONSECURE

• n

Symbols selected by this symbol

• EXPERIMENTAL

• BUILD_OUTPUT_HEX

• BUILD_OUTPUT_HEX

• NRF_ENABLE_CACHE if SOC_NRF5340_CPUAPP

• NRF_ENABLE_CACHE if SOC_NRF5340_CPUAPP

Symbols implied by this symbol

• INIT_ARCH_HW_AT_BOOT

• ARM_NONSECURE_PREEMPTIBLE_SECURE_CALLS

• INIT_ARCH_HW_AT_BOOT

• ARM_NONSECURE_PREEMPTIBLE_SECURE_CALLS

Kconfig definitions

At <Zephyr>/boards/arm/bl5340_dvk/Kconfig.defconfig:41

Included via <Zephyr>/Kconfig:8 → <Zephyr>/Kconfig.zephyr:22

Menu path: (Top)

config BUILD_WITH_TFM
    bool
    default y if BOARD_BL5340_DVK_CPUAPP_NS
    depends on BOARD_BL5340_DVK_CPUAPP || BOARD_BL5340_DVK_CPUAPP_NS

---

At <Zephyr>/boards/arm/mps2_an521/Kconfig.defconfig:21

Included via <Zephyr>/Kconfig:8 → <Zephyr>/Kconfig.zephyr:22

Menu path: (Top)

config BUILD_WITH_TFM
    bool
    default y if TRUSTED_EXECUTION_NONSECURE
    depends on BOARD_MPS2_AN521_CPU0 || BOARD_MPS2_AN521_CPU0_NS || BOARD_MPS2_AN521_CPU1

---

At <Zephyr>/boards/arm/nrf5340dk_nrf5340/Kconfig.defconfig:14

Included via <Zephyr>/Kconfig:8 → <Zephyr>/Kconfig.zephyr:22

Menu path: (Top)

config BUILD_WITH_TFM
    bool
    default n
    depends on BOARD_NRF5340DK_NRF5340_CPUAPP || BOARD_NRF5340DK_NRF5340_CPUAPP_NS

---

At <nRF>/subsys/net/openthread/Kconfig:67

Included via <Zephyr>/Kconfig:8 → <Zephyr>/Kconfig.zephyr:33 → <Zephyr>/modules/Kconfig:6 → <nRF>/doc/_build/kconfig/Kconfig.modules:2 → <nRF>/Kconfig.nrf:92 → <nRF>/subsys/Kconfig:20 → <nRF>/subsys/net/Kconfig:9

Menu path: (Top) → Modules → nrf (/home/runner/work/sdk-nrf/sdk-nrf/ncs/nrf) → Nordic nRF Connect → Networking → OpenThread

config BUILD_WITH_TFM
    bool
    select EXPERIMENTAL
    depends on NET_L2_OPENTHREAD

---

At <Zephyr>/modules/trusted-firmware-m/Kconfig.tfm:26

Included via <Zephyr>/Kconfig:8 → <Zephyr>/Kconfig.zephyr:33 → <Zephyr>/modules/Kconfig:6 → <nRF>/doc/_build/kconfig/Kconfig.modules:20 → <nRF>/modules/trusted-firmware-m/Kconfig:44

Menu path: (Top) → Modules → trusted-firmware-m (/home/runner/work/sdk-nrf/sdk-nrf/ncs/modules/tee/tf-m/trusted-firmware-m)

menuconfig BUILD_WITH_TFM
    bool "Build with TF-M as the Secure Execution Environment"
    select BUILD_OUTPUT_HEX
    imply INIT_ARCH_HW_AT_BOOT
    imply ARM_NONSECURE_PREEMPTIBLE_SECURE_CALLS
    depends on TRUSTED_EXECUTION_NONSECURE && TFM_BOARD != "" && ARM_TRUSTZONE_M
    help
      When enabled, this option instructs the Zephyr build process to
      additionally generate a TF-M image for the Secure Execution
      environment, along with the Zephyr image. The Zephyr image
      itself is to be executed in the Non-Secure Processing Environment.
      The required dependency on TRUSTED_EXECUTION_NONSECURE
      ensures that the Zephyr image is built as a Non-Secure image. Both
      TF-M and Zephyr images, as well as the veneer object file that links
      them, are generated during the normal Zephyr build process.

      Notes:
        Building with the "_ns" BOARD variant (e.g. "mps2_an521_ns")
            ensures that CONFIG_TRUSTED_EXECUTION_NONSECURE is enabled.

        By default we allow Zephyr preemptible threads be preempted
        while performing a secure function call.

---

At <Zephyr>/modules/trusted-firmware-m/Kconfig.tfm:26

Included via <Zephyr>/Kconfig:8 → <Zephyr>/Kconfig.zephyr:33 → <Zephyr>/modules/Kconfig:80 → <Zephyr>/modules/trusted-firmware-m/Kconfig:7

Menu path: (Top) → Modules

menuconfig BUILD_WITH_TFM
    bool "Build with TF-M as the Secure Execution Environment"
    select BUILD_OUTPUT_HEX
    imply INIT_ARCH_HW_AT_BOOT
    imply ARM_NONSECURE_PREEMPTIBLE_SECURE_CALLS
    depends on TRUSTED_EXECUTION_NONSECURE && TFM_BOARD != "" && ARM_TRUSTZONE_M && 0
    help
      When enabled, this option instructs the Zephyr build process to
      additionally generate a TF-M image for the Secure Execution
      environment, along with the Zephyr image. The Zephyr image
      itself is to be executed in the Non-Secure Processing Environment.
      The required dependency on TRUSTED_EXECUTION_NONSECURE
      ensures that the Zephyr image is built as a Non-Secure image. Both
      TF-M and Zephyr images, as well as the veneer object file that links
      them, are generated during the normal Zephyr build process.

      Notes:
        Building with the "_ns" BOARD variant (e.g. "mps2_an521_ns")
            ensures that CONFIG_TRUSTED_EXECUTION_NONSECURE is enabled.

        By default we allow Zephyr preemptible threads be preempted
        while performing a secure function call.

---

At <Zephyr>/soc/arm/nordic_nrf/nrf53/Kconfig.soc:228

Included via <Zephyr>/Kconfig:8 → <Zephyr>/Kconfig.zephyr:38 → <Zephyr>/soc/Kconfig:15 → <nRF>/doc/_build/kconfig/Kconfig.soc.arch:2 → <Zephyr>/soc/arm/nordic_nrf/Kconfig:17

Menu path: (Top) → Hardware Configuration

config BUILD_WITH_TFM
    bool
    select NRF_ENABLE_CACHE if SOC_NRF5340_CPUAPP
    depends on SOC_FAMILY_NRF

---

At <Zephyr>/soc/arm/nordic_nrf/nrf53/Kconfig.soc:228

Included via <Zephyr>/Kconfig:8 → <Zephyr>/Kconfig.zephyr:38 → <Zephyr>/soc/Kconfig:18 → <Zephyr>/soc/arm/nordic_nrf/Kconfig:17

Menu path: (Top) → Hardware Configuration

config BUILD_WITH_TFM
    bool
    select NRF_ENABLE_CACHE if SOC_NRF5340_CPUAPP
    depends on SOC_FAMILY_NRF

(The ‘depends on’ condition includes propagated dependencies from ifs and menus.)