#
# Copyright (c) 2018 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#

menu "Bootloader"

config BUILD_S1_VARIANT
	# This can not depend on BOOTLOADER_MCUBOOT, or SECURE_BOOT as this
	# option has to be set when building MCUBoot (or any other child image
	# which will be stored in S0 and S1) itself.
	bool "Build S1 variant of specified image"
	help
	  Build upgrade candidate of image for alternative slot S1.

config S1_VARIANT_IMAGE_NAME
	string
	default "mcuboot" if MCUBOOT || BOOTLOADER_MCUBOOT
	default "app" if !BOOTLOADER_MCUBOOT
	depends on BUILD_S1_VARIANT
	help
	  Which image should be linked against S1.

config SECURE_BOOT
	bool "Use Secure Bootloader"
	depends on !IS_SECURE_BOOTLOADER
	select FW_INFO
	select SW_VECTOR_RELAY if SOC_SERIES_NRF51X
	help
	  Set this option to enable the first stage bootloader which
	  verifies the signature of the app.

config BOOTLOADER_PROVISION_HEX
	bool
	default y if SECURE_BOOT
	default y if MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION
	help
	  Generate provision.hex if NSIB is enabled or if MCUboot hardware
	  counters are enabled.

if SECURE_BOOT

module=B0
source "${ZEPHYR_BASE}/../nrf/subsys/partition_manager/Kconfig.template.build_strategy"

config SB_PRIVATE_KEY_PROVIDED
	bool
	help
	  Hidden config specifying whether the build system has access to the
	  private key used for signing, and will use it to perform signing and
	  create the public key to be provisioned.

choice SB_SIGNING
	prompt "Firmware signing method"
	default SB_SIGNING_PYTHON
	config SB_SIGNING_PYTHON
		bool "Sign with Python ecdsa library"
		select SB_PRIVATE_KEY_PROVIDED

	config SB_SIGNING_OPENSSL
		bool "Sign with openssl command line tool"
		select SB_PRIVATE_KEY_PROVIDED

	config SB_SIGNING_CUSTOM
		bool "Sign with custom command"
endchoice

config SB_SIGNING_KEY_FILE
	string
	prompt "Private key PEM file" if SB_PRIVATE_KEY_PROVIDED
	default ""
	help
	  Absolute path to the private key PEM file.
	  Specifies the private key used for signing the firmware image.
	  The hash of the corresponding public key is stored as the first
	  entry in the list of public key hashes in the provision hex file.
	  This value can also be set by exporting an environment variable
	  named 'SB_SIGNING_KEY_FILE' or passing
	  '-DSB_SIGNING_KEY_FILE=/path/to/my/pem' when running cmake.
	  See also SB_PUBLIC_KEY_FILES.

config SB_SIGNING_COMMAND
	string
	prompt "Custom signing command" if !SB_PRIVATE_KEY_PROVIDED
	default ""
	help
	  This command will be called to produce a signature of the firmware.
	  It will be called as "${CONFIG_SB_SIGNING_COMMAND} <file>"
	  The command must calculate the signature over the contents
	  of the <file> and write the signature to stdout.
	  The signature must be on DER format.

config SB_SIGNING_PUBLIC_KEY
	string
	prompt "Public key PEM file" if !SB_PRIVATE_KEY_PROVIDED
	default ""
	help
	  Path to a PEM file.
	  When using a custom signing command, specify the corresponding public
	  key here. This public key is checked during building, and added as
	  the first entry in the provisioned data. See SB_PUBLIC_KEY_FILES.

config SB_PUBLIC_KEY_FILES
	string "Public Key PEM files"
	default ""
	help
	  Comma-separated list of absolute paths to public key pem files.
	  The provision hex file will contain a list of hashes of public keys.
	  The first public key hash is the one corresponding to the private
	  signing key used to sign the image. See SB_SIGNING_KEY_FILE.
	  The hashes of the public keys specified in this configuration will be
	  placed after the aforementioned public key hash, in the order
	  they appear in this config. The order is significant since if an image
	  is successfully validated against a public key in the list, all
	  public keys before it in the list will be invalidated.
	  Example value: ~/keys/pk1.pem,~/keys/pk2.pem,~/keys/pk3.pem
	  If config is the string "debug", 2 generated debug files will be used.
	  If config is an empty string then only the public key hash
	  corresponding to the private signing key used to sign the image is
	  included in provision.hex.

config SB_DEBUG_SIGNATURE_PUBLIC_KEY_LAST
	bool "[DEBUG] Place signing public key last"
	default n
	help
	  Place the public key used for signing last in the list instead of
	  first. This is meant to be used for testing looping through the
	  public keys.

config SB_DEBUG_NO_VERIFY_HASHES
	bool
	help
	  [DEBUG] Don't check public key hashes for applicability.
	  Use this only in (negative) tests!

config SB_MONOTONIC_COUNTER
	bool "Enable HW monotonic version counter"
	default y
	help
	  The counter stores the current firmware version in a way that ensures that the value
	  can only increase. This is used to prevent malicious rollback of the firmware.
	  An array of slots is used for the counter. One slot is used per
	  counter update, and each new slot must have a larger value than the
	  previous. Application versions are checked against the largest
	  counter value before being booted.

config SB_NUM_VER_COUNTER_SLOTS
	int "Number of monotonic counter slots used for the firmware version"
	default 20 if BOOTLOADER_MCUBOOT || MCUBOOT
	default 240
	range 2 300 if SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X
	range 2 1800 if SOC_SERIES_NRF52X
	range 2 400 if SOC_SERIES_NRF51X
	depends on SB_MONOTONIC_COUNTER
	help
	  The number of monotonic counter slots available for the counter,
	  i.e., the number of times the counter can be updated.
	  The slots are 16 bits each. The number of slots must be an even
	  number to ensure that the total size of header and slots is aligned on a 32-bit word.
	  Rationale for the default number (240): Assume one update a month for
	  10 years, then double that value just in case. This default fits
	  comfortably within the OTP region of UICR.
	  When a second stage bootloader is enabled, such as MCUboot, this counter is used
	  for the updates of the second stage bootloader and not of the application image. Thus
	  the default when MCUboot is enabled is 20, to allow two updates a year for 10 years.
	  Regarding ranges: The actual maximum depends on the number of
	  provisioned public keys, since they share the space. The same is true if
	  other data is stored in the "OTP" region (on for example nRF91 and nRF53).
	  This configuration should not be used in code. Instead, the header before the
	  slots should be read at run-time.

endif # SECURE_BOOT

config PM_PARTITION_SIZE_PROVISION
	hex
	default 0x280 if SOC_SERIES_NRF91X || SOC_NRF5340_CPUAPP # Stored in OTP region
	default 0x280 if SOC_NRF5340_CPUNET # Second instance stored in internal flash of NET
	default FPROTECT_BLOCK_SIZE
	prompt "Flash space reserved for PROVISION" if !(SOC_NRF9160 || SOC_NRF5340_CPUAPP)
	help
	  Flash space set aside for the PROVISION partition.

config B0_MIN_PARTITION_SIZE
	bool "Use minimimum partition size"

config PM_PARTITION_SIZE_B0_IMAGE
	hex "Flash space reserved for B0_IMAGE"
	default 0x8000 if !B0_MIN_PARTITION_SIZE && (SOC_SERIES_NRF91X || SOC_NRF5340_CPUAPP || SOC_NRF52840)
	default 0x7800 if !B0_MIN_PARTITION_SIZE && (SOC_NRF5340_CPUNET)
	default FPROTECT_BLOCK_SIZE if SOC_SERIES_NRF91X || SOC_NRF5340_CPUAPP
	default 0x3800 if SOC_NRF5340_CPUNET
	default 0x7000 if !B0_MIN_PARTITION_SIZE
	default 0x4000
	help
	  Flash space set aside for the B0_IMAGE partition.

menuconfig IS_SECURE_BOOTLOADER
	bool "Current app is bootloader"
	select SECURE_BOOT_VALIDATION
	select SECURE_BOOT_STORAGE
	select SW_VECTOR_RELAY if SOC_SERIES_NRF51X
	select NRFX_NVMC
	help
	  This option is set by the first stage bootloader app to include all
	  files and set all the options required.

if IS_SECURE_BOOTLOADER

menuconfig SECURE_BOOT_DEBUG
	bool "Printing"
	select NCS_BOOT_BANNER
	select PRINTK
	select CONSOLE
	select SERIAL

if SECURE_BOOT_DEBUG
choice SECURE_BOOT_DEBUG_BACKEND
	prompt "Where to print to"
	default SECURE_BOOT_DEBUG_UART

config SECURE_BOOT_DEBUG_UART
	bool "Print to UART"
	select UART_NRFX
	select UART_CONSOLE

config SECURE_BOOT_DEBUG_RTT
	bool "Print to RTT"
	select RTT_CONSOLE
	select USE_SEGGER_RTT
endchoice

config SB_BPROT_IN_DEBUG
	bool "Enable block protect in debug"
	default y
	depends on (HAS_HW_NRF_BPROT || HAS_HW_NRF_MPU)

endif # SECURE_BOOT_DEBUG
endif # IS_SECURE_BOOTLOADER

config IS_BOOTLOADER_IMG
	bool
	default y if IS_SECURE_BOOTLOADER || MCUBOOT
	help
	  Helper symbol which is set when the current image is a bootloader. This includes mcuboot
	  and the secure bootloader.

config NRF53_UPGRADE_NETWORK_CORE
	bool "Support updating nRF53 Network Core application"
	default y
	depends on SOC_NRF5340_CPUAPP
	depends on BOOTLOADER_MCUBOOT
	help
	  Enables support for updating the application on the nRF53 Network
	  core.

config NRF53_ENFORCE_IMAGE_VERSION_EQUALITY
	bool "Enforce the equality between APP and NET core image versions"
	depends on NRF53_UPGRADE_NETWORK_CORE
	help
	  When enabled, MCUboot proceeds with the image swapping only if both the application core and
	  the network core updates have been downloaded and they have the same version.

rsource "bl_crypto/Kconfig"
rsource "bl_validation/Kconfig"
rsource "bl_storage/Kconfig"

endmenu
