Skip to main content
Configuring Qualcomm TEE is essential for maintaining the security, compliance, performance, and flexibility of devices that manage sensitive data and run trusted applications. Qualcomm TEE configurations can be adjusted using the device configuration (devcfg) framework, which provides a centralized way to manage and adjust device-specific settings.

Prerequisites

Compile devcfg image from TrustZone

  1. Select the configuration options that TrustZone offers through the built in devcfg.mbn XML files. For example: trustzone_images/ssg/securemsm/trustzone/qsee/mink/oem/config/<chipset>/oem_config.xml.
  2. Use the command to compile the devcfg image from TZ.XF.5.29.1.
    cd trustzone_images/build/ms
    python3 build_all.py -b TZ.XF.5.0 CHIPSET=<chipset> <devcfg> --cfg=build_config_deploy_<chipset>.xml
    
    This steps generates the devcfg.mbn images at trustzone_images/build/ms/bin/<build_flavor>. Use the following build flavors and commands.
Build flavors
EACAANAA
Build commands:
python3 trustzone_images/build/ms/build_all.py CHIPSET=kodiak devcfg
Use the following devcfg files:<devcfg> is
  • devcfg for QCS6490
  • devcfg_iot for IQ-9100

Customize device using configuration parameters

Use the configuration parameters listed in the following table to customize the device as needed.
Configuration parametersDescription
OEM_pil_secure_app_load_region_sizeCustomizes the TA size.
OEM_pil_subsys_load_region_startCustomizes the PIL load start address when there is any change from the default memory map.
OEM_pil_subsys_load_region_sizeCustomizes the PIL size when there is any change from the default memory map.
OEM_enable_app_fatal_errForces a TrustZone system to fatal error when a specific TA crashes. Use with OEM_crash_ta_name.
OEM_crash_ta_nameReplaces the entry with the TA name that crashed and the TA on which the secure kernel is expected to crash.
OEM_sec_wdog_bark_timeChanges the default configuration of the device for secure watchdog bark time.
OEM_sec_wdog_bite_timeChanges the default configuration of the device for secure watchdog bite time.
OEM_tz_log_levelSets the TrustZone log level:
  • Fatal: 0
  • Error: 1
  • Debug: 2

Enable RPMB-based SFS anti-rollback protection

To enable or disable the RPMB-based SFS anti-rollback protection, use the following configuration parameter and the XML file.

Configuration parameter

cmnlib_gppo_rpmb_enablement, can be set to Enabled or Disabled, where the default value is Enabled and must be changed only when required.

XML file location

trustzone_images/ssg/securemsm/trustzone/qsee/mink/oem/config/common/cmnlib_oem_config.xml

Next steps

  • To enable secure boot and to ensure only trusted applications runs on the device, see Enable secure boot.
  • To enable secure boot, QFPROM fuses must be blown. This is a one-time, irreversible process that permanently sets these values. For more information, see Set the QFPROM fuses.