Prerequisites
Compile devcfg image from TrustZone
- Select the configuration options that TrustZone offers through the built in
devcfg.mbnXML files. For example:trustzone_images/ssg/securemsm/trustzone/qsee/mink/oem/config/<chipset>/oem_config.xml. - Use the command to compile the devcfg image from TZ.XF.5.29.1.
This steps generates the
devcfg.mbnimages attrustzone_images/build/ms/bin/<build_flavor>. Use the following build flavors and commands.
- QCS5430/QCS6490
- IQ-9075/IQ-9100
- IQ-8275/IQ-8300
- IQ-615
- QCS5430/QCS6490
- IQ-9075/IQ-9100
- IQ-8275/IQ-8300
- IQ-615
Use the following devcfg files:<devcfg> is
devcfgfor QCS6490devcfg_iotfor IQ-9100
Customize device using configuration parameters
Use the configuration parameters listed in the following table to customize the device as needed.| Configuration parameters | Description |
|---|---|
OEM_pil_secure_app_load_region_size | Customizes the TA size. |
OEM_pil_subsys_load_region_start | Customizes the PIL load start address when there is any change from the default memory map. |
OEM_pil_subsys_load_region_size | Customizes the PIL size when there is any change from the default memory map. |
OEM_enable_app_fatal_err | Forces a TrustZone system to fatal error when a specific TA crashes. Use with OEM_crash_ta_name. |
OEM_crash_ta_name | Replaces the entry with the TA name that crashed and the TA on which the secure kernel is expected to crash. |
OEM_sec_wdog_bark_time | Changes the default configuration of the device for secure watchdog bark time. |
OEM_sec_wdog_bite_time | Changes the default configuration of the device for secure watchdog bite time. |
OEM_tz_log_level | Sets the TrustZone log level:
|
Enable RPMB-based SFS anti-rollback protection
To enable or disable the RPMB-based SFS anti-rollback protection, use the following configuration parameter and the XML file.Configuration parameter
cmnlib_gppo_rpmb_enablement, can be set to Enabled or Disabled, where the default value is Enabled and must be changed only when required.
XML file location
trustzone_images/ssg/securemsm/trustzone/qsee/mink/oem/config/common/cmnlib_oem_config.xml
Next steps
- To enable secure boot and to ensure only trusted applications runs on the device, see Enable secure boot.
- To enable secure boot, QFPROM fuses must be blown. This is a one-time, irreversible process that permanently sets these values. For more information, see Set the QFPROM fuses.

