forked from siemens/meta-iot2050
Kconfig
#
# Copyright (c) Siemens AG, 2021-2023
#
# Authors:
#  Jan Kiszka <[email protected]>
#
# This file is subject to the terms and conditions of the MIT License. See
# COPYING.MIT file in the top-level directory.
#

mainmenu "IOT2050 Image Configuration"

config KAS_BUILD_SYSTEM
	string
	default "isar"

choice
	prompt "Image type"
	default IMAGE_EXAMPLE

config IMAGE_EXAMPLE
	bool "Example image"
	help
	  This is the official example image with several tools as well as
	  Node-RED preinstalled. It comes without a graphical user interface.

config IMAGE_SWUPDATE
	bool "Example image with SWUpdate support"
	help
	  Based on the example image, this adds SWUpdate and changes the
	  partition layout to an A/B rootfs.

config IMAGE_BOOT_PG1
	bool "Firmware image for PG1 devices"
	help
	  Build the firmware image that is responsible for booting Product
	  Generation 1 (PG1) devices.

	  WARNING: Do not flash this image onto your device unless you know
	  that it fits AND you have an external flash programmer at hand that
	  allows recovery. Otherwise you risk BRICKING THE IOT2050!

config IMAGE_BOOT_PG2
	bool "Firmware image for PG2 and M.2 devices"
	help
	  Build the firmware image that is responsible for booting Product
	  Generation 2 (PG2) devices, including its M.2 variant.

	  WARNING: Do not flash this image onto your device unless you know
	  that it fits AND you have an external flash programmer at hand that
	  allows recovery. Otherwise you risk BRICKING THE IOT2050!

endchoice
config KAS_INCLUDE_MAIN
	string
	default "kas-iot2050-example.yml" if IMAGE_EXAMPLE
	default "kas-iot2050-swupdate.yml" if IMAGE_SWUPDATE
	default "kas-iot2050-boot-pg1.yml" if IMAGE_BOOT_PG1
	default "kas-iot2050-boot-pg2.yml" if IMAGE_BOOT_PG2

comment "Image features"

if IMAGE_EXAMPLE || IMAGE_SWUPDATE

config PREEMPT_RT
	bool "Preempt-RT kernel"
	help
	  Build the image with a Preempt-RT kernel, rather than the default
	  non-preemptive one. This can help achieve better real-time
	  latencies with the device.

config KAS_INCLUDE_RT
	string
	default "kas/opt/preempt-rt.yml"
	depends on PREEMPT_RT

config DOCKER
	bool "Docker support"
	default n
	help
	  Build the image with Docker support.

config KAS_INCLUDE_DOCKER
	string
	default "kas/opt/docker.yml"
	depends on DOCKER

config LXDE
	bool "LXDE graphical user interface"
	help
	  This adds an LXDE-based graphical user interface.

config KAS_INCLUDE_LXDE
	string
	default "kas/opt/lxde.yml"
	depends on LXDE

endif
# Provide two entries so that the help text can be adjusted to the image.
config SECURE_BOOT
	bool "Secure boot & Data encryption"
	depends on IMAGE_SWUPDATE
	help
	  Enable signing of boot artifacts (boot loader, unified kernel image).
	  Furthermore activate dm-verity integrity protection for the read-only
	  root filesystem.

	  This uses the public custMpk.key and certificate by default. Do not
	  use this key in production, it is for demonstration purposes only.

	  The writable persistent /var and /home partitions are encrypted as
	  LUKS2 partitions.

	  Data encryption is coupled with secure boot so that the integrity
	  chain is rooted in hardware (OTP, RPMB, etc.).

config SECURE_BOOT
	bool "Secure boot"
	depends on IMAGE_BOOT_PG2
	help
	  Enable signing of all customizable firmware artifacts, enforce UEFI
	  Secure Boot mode, protect sensitive U-Boot environment variables and
	  prevent interactive access to U-Boot during boot and also on boot
	  failures.

	  This uses the public custMpk.key and certificate by default. Do not
	  use this key in production, it is for demonstration purposes only.

config OTP_PROVISIONING
	bool "OTP Provisioning"
	depends on IMAGE_BOOT_PG2
	help
	  Integrate OTP provisioning data into the firmware artifacts. Various
	  options are available. By default, this will integrate the OTP command
	  data for provisioning two public key hashes and enabling secure boot in
	  OTP.

	  WARNING: This uses the dummy keys by default. Do not use these keys
	  in production, they are for demonstration purposes only.

config RPMB_SETUP
	bool "OPTEE RPMB setup for OTP key write"
	depends on IMAGE_BOOT_PG2 && !SECURE_BOOT
	help
	  Enable one-time pairing between processor and secure storage
	  (RPMB on eMMC). Do not sign and distribute this version. Run it
	  only in a secure environment on the target device, then replace it
	  with signed production firmware and enable secure boot.

config KAS_INCLUDE_SECURE_BOOT
	string
	default "kas/opt/secure-boot.yml"
	depends on SECURE_BOOT

config KAS_INCLUDE_OTP_PROVISIONING
	string
	default "kas/opt/otpcmd/key-provision.yml" if OTP_PROVISIONING_2KEYS_ENABLE
	default "kas/opt/otpcmd/key-provision-keys-only.yml" if OTP_PROVISIONING_2KEYS
	default "kas/opt/otpcmd/key-provision-3keys.yml" if OTP_PROVISIONING_3KEYS_ENABLE
	default "kas/opt/otpcmd/key-provision-enabling-only.yml" if OTP_PROVISIONING_ENABLING_ONLY
	default "kas/opt/otpcmd/key-switch.yml" if OTP_PROVISIONING_KEY_SWITCHING_1TO2
	default "kas/opt/otpcmd/key-switch-2to3.yml" if OTP_PROVISIONING_KEY_SWITCHING_2TO3
	depends on OTP_PROVISIONING

config KAS_INCLUDE_RPMB_SETUP
	string
	default "kas/opt/rpmb-setup.yml"
	depends on RPMB_SETUP
comment "Build options"

config SDK
	bool "Build SDK"
	depends on IMAGE_EXAMPLE || IMAGE_SWUPDATE
	help
	  Generate an SDK consisting of a cross-compiler and library headers
	  needed to build applications for the device.

	  Note: This will not generate the image for the device itself.

config KAS_INCLUDE_SDK
	string
	default "kas/opt/sdk.yml"
	depends on SDK

config PACKAGE_LOCK
	bool "Use Debian packages from release"
	help
	  Use the same Debian packages that were selected for building the
	  released image or firmware version.

config KAS_INCLUDE_PACKAGE_LOCK
	string
	default "kas/opt/package-lock.yml"
	depends on PACKAGE_LOCK

config DEBIAN_MIRROR
	bool "Use specific Debian mirror"
	depends on !PACKAGE_LOCK
	help
	  Rather than relying on deb.debian.org to select the best local
	  mirror, use the one specified below.

config DEBIAN_MIRROR_URL
	string "URL of Debian mirror"
	default "http://ftp.de.debian.org"
	depends on DEBIAN_MIRROR

config KAS_INCLUDE_DEBIAN_MIRROR
	string
	default "kas/opt/debian-mirror.yml"
	depends on DEBIAN_MIRROR

config FIRMWARE_SECURE_VER
	string "Use specific firmware secure version"
	default "0"
	depends on SECURE_BOOT && IMAGE_BOOT_PG2
	help
	  Use a specific anti-rollback secure version rather than the default 0.
	  Range: 0 - 127.

choice
	prompt "*** OTP provisioning command type ***"
	depends on OTP_PROVISIONING
	default OTP_PROVISIONING_2KEYS_ENABLE

config OTP_PROVISIONING_2KEYS_ENABLE
	bool "2 keys & enabling secure boot"
	help
	  OTP provisioning command data contains the public key hashes of
	  the keys below and enables secure boot:
	  * recipes-bsp/secure-boot-otp-provisioning/files/keys/custMpk.pem
	  * recipes-bsp/secure-boot-otp-provisioning/files/keys/custSmpk.pem

config OTP_PROVISIONING_2KEYS
	bool "2 keys only"
	help
	  OTP provisioning command data contains the public key hashes of
	  the keys below but does not enable secure boot:
	  * recipes-bsp/secure-boot-otp-provisioning/files/keys/custMpk.pem
	  * recipes-bsp/secure-boot-otp-provisioning/files/keys/custSmpk.pem

config OTP_PROVISIONING_3KEYS_ENABLE
	bool "3 keys & enabling secure boot"
	help
	  OTP provisioning command data contains the public key hashes of
	  the keys below and enables secure boot:
	  * recipes-bsp/secure-boot-otp-provisioning/files/keys/custMpk.pem
	  * recipes-bsp/secure-boot-otp-provisioning/files/keys/custSmpk.pem
	  * recipes-bsp/secure-boot-otp-provisioning/files/keys/custBmpk.pem

config OTP_PROVISIONING_ENABLING_ONLY
	bool "Enabling secure boot only"
	help
	  OTP provisioning command data only enables secure boot.

config OTP_PROVISIONING_KEY_SWITCHING_1TO2
	bool "Key switching from key 1 to key 2"
	help
	  OTP provisioning command data switches from key 1 to key 2.

config OTP_PROVISIONING_KEY_SWITCHING_2TO3
	bool "Key switching from key 2 to key 3"
	help
	  OTP provisioning command data switches from key 2 to key 3.

endchoice
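A pre-build check over a saved configuration from this menu, added here as an example and not code from meta-iot2050 or kas: it assumes the kconfiglib `CONFIG_<SYMBOL>=<value>` line format, lists the KAS_INCLUDE_* files the selected options pull in, and flags the caveats the help texts above raise (FIRMWARE_SECURE_VER range, RPMB_SETUP firmware handling, demo keys). The sample .config is constructed.

```python
"""Pre-build sanity check for a .config saved from the IOT2050 Kconfig menu.

Added example, not code from meta-iot2050 or kas. Assumes the kconfiglib
`CONFIG_<SYMBOL>=<value>` line format; the sample .config below is constructed.
"""
import re

# Constructed sample: PG2 firmware with secure boot, OTP provisioning and an
# out-of-range anti-rollback version (Kconfig strings are not range-checked).
SAMPLE_CONFIG = """\
CONFIG_KAS_BUILD_SYSTEM="isar"
CONFIG_IMAGE_BOOT_PG2=y
CONFIG_KAS_INCLUDE_MAIN="kas-iot2050-boot-pg2.yml"
CONFIG_SECURE_BOOT=y
CONFIG_KAS_INCLUDE_SECURE_BOOT="kas/opt/secure-boot.yml"
CONFIG_OTP_PROVISIONING=y
CONFIG_OTP_PROVISIONING_2KEYS_ENABLE=y
CONFIG_KAS_INCLUDE_OTP_PROVISIONING="kas/opt/otpcmd/key-provision.yml"
CONFIG_FIRMWARE_SECURE_VER="200"
"""

LINE = re.compile(r'^CONFIG_([A-Z0-9_]+)=(y|"(.*)")$')


def parse_config(text):
    """Map symbol name -> True for enabled bools, str for string values."""
    symbols = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            symbols[m.group(1)] = True if m.group(2) == "y" else m.group(3)
    return symbols


def kas_includes(symbols):
    """kas include files the build pulls in: every set KAS_INCLUDE_* string."""
    return [v for k, v in sorted(symbols.items())
            if k.startswith("KAS_INCLUDE_") and isinstance(v, str)]


def audit(symbols):
    """Caveats from the Kconfig help texts to clear before a release build."""
    findings = []
    ver = symbols.get("FIRMWARE_SECURE_VER")
    if ver is not None and not (ver.isdigit() and int(ver) <= 127):
        findings.append("FIRMWARE_SECURE_VER must be in range 0-127")
    if symbols.get("RPMB_SETUP"):
        findings.append("RPMB_SETUP firmware: run only in a secure environment, never sign or distribute it")
    if symbols.get("OTP_PROVISIONING"):
        findings.append("OTP_PROVISIONING defaults to dummy keys; OTP writes are irreversible")
    if symbols.get("SECURE_BOOT"):
        findings.append("SECURE_BOOT defaults to the public demo custMpk.key; replace it for production")
    return findings
```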