# Enable device configurations from Qualcomm TEE

Configuring Qualcomm TEE is essential for maintaining the security, compliance, performance, and flexibility of devices that manage sensitive data and run trusted applications. Qualcomm TEE configurations can be adjusted using the device configuration (devcfg) framework, which provides a centralized way to manage and adjust device-specific settings.

## **Prerequisites**

> * [Build and compile the software on the device](https://dragonwingdocs.qualcomm.com/Key-Documents/Firmware-Guide/build-firmware).
> * [Enable the secure shell (SSH) in permissive mode to securely access your host device](https://docs.qualcomm.com/bundle/publicresource/topics/80-80021-254/how_to.html#use-ssh).

## **Compile devcfg image from TrustZone**

1. Select the configuration options that TrustZone offers through the built-in `devcfg.mbn` XML files. For example: `trustzone_images/ssg/securemsm/trustzone/qsee/mink/oem/config/<chipset>/oem_config.xml`.
2. Use the following command to compile the devcfg image from TZ.XF.5.29.1.
   ```text theme={null}
   cd trustzone_images/build/ms
   python3 build_all.py -b TZ.XF.5.0 CHIPSET=<chipset> <devcfg> --cfg=build_config_deploy_<chipset>.xml
   ```
   This step generates the `devcfg.mbn` images at `trustzone_images/build/ms/bin/<build_flavor>`. Use the following build flavors and commands.

Build flavors:

<Tabs>
  <Tab title="QCS5430/QCS6490">
    ```text theme={null}
    EACAANAA
    ```
  </Tab>

  <Tab title="IQ-9075/IQ-9100">
    ```text theme={null}
    MAKAANAA
    ```
  </Tab>

  <Tab title="IQ-8275/IQ-8300">
    ```text theme={null}
    FAQAANAA
    ```
  </Tab>

  <Tab title="IQ-615">
    ```text theme={null}
    GABAANAA
    ```
  </Tab>
</Tabs>

Build commands:

<Tabs>
  <Tab title="QCS5430/QCS6490">
    ```text theme={null}
    python3 trustzone_images/build/ms/build_all.py CHIPSET=kodiak devcfg
    ```
  </Tab>

  <Tab title="IQ-9075/IQ-9100">
    ```text theme={null}
    python3 trustzone_images/build/ms/build_all.py CHIPSET=lemans devcfg
    ```
  </Tab>

  <Tab title="IQ-8275/IQ-8300">
    ```text theme={null}
    python3 trustzone_images/build/ms/build_all.py CHIPSET=monaco devcfg
    ```
  </Tab>

  <Tab title="IQ-615">
    ```text theme={null}
    python3 trustzone_images/build/ms/build_all.py CHIPSET=talos devcfg
    ```
  </Tab>
</Tabs>

<Note>
  Use the following devcfg files:

  `<devcfg>` is:

  > * `devcfg` for QCS6490
  > * `devcfg_iot` for IQ-9100
</Note>

## **Customize device using configuration parameters**

Use the configuration parameters listed in the following table to customize the device as needed.

|      **Configuration parameters**     |                                                **Description**                                               |
| :-----------------------------------: | :----------------------------------------------------------------------------------------------------------: |
| `OEM_pil_secure_app_load_region_size` |                                            Customizes the TA size.                                           |
|   `OEM_pil_subsys_load_region_start`  |          Customizes the PIL load start address when there is any change from the default memory map.         |
|   `OEM_pil_subsys_load_region_size`   |                 Customizes the PIL size when there is any change from the default memory map.                |
|       `OEM_enable_app_fatal_err`      |      Forces a TrustZone system to fatal error when a specific TA crashes. Use with `OEM_crash_ta_name`.      |
|          `OEM_crash_ta_name`          | Replace the entry with the name of the TA that crashed, that is, the TA on which the secure kernel is expected to crash. |
|        `OEM_sec_wdog_bark_time`       |                Changes the default configuration of the device for secure watchdog bark time.                |
|        `OEM_sec_wdog_bite_time`       |                Changes the default configuration of the device for secure watchdog bite time.                |
|           `OEM_tz_log_level`          |          Sets the TrustZone log level: <ul><li>Fatal: 0</li><li>Error: 1</li><li>Debug: 2</li></ul>          |

## **Enable RPMB-based SFS anti-rollback protection**

To enable or disable the RPMB-based SFS anti-rollback protection, use the following configuration parameter and the XML file.

### **Configuration parameter**

`cmnlib_gppo_rpmb_enablement` can be set to Enabled or Disabled. The default value is Enabled, and it must be changed only when required.

### **XML file location**

`trustzone_images/ssg/securemsm/trustzone/qsee/mink/oem/config/common/cmnlib_oem_config.xml`
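
A review check for edits to the devcfg XML files, covering the parameters in the table above and `cmnlib_gppo_rpmb_enablement`. This is an added example, not Qualcomm's code: the `<props name="...">value</props>` layout, the sample XML, and the function names are assumptions, so adapt the pattern to the files in your tree.

```python
import re

# Parameter names are taken from this page; everything else is an assumption.
WATCHED = (
    "OEM_pil_secure_app_load_region_size", "OEM_pil_subsys_load_region_start",
    "OEM_pil_subsys_load_region_size", "OEM_enable_app_fatal_err",
    "OEM_crash_ta_name", "OEM_sec_wdog_bark_time", "OEM_sec_wdog_bite_time",
    "OEM_tz_log_level", "cmnlib_gppo_rpmb_enablement",
)

# Assumed layout: <props name="PARAM" ...>VALUE</props>. Matching is textual
# so the check still works if the files are not strict XML.
_PROP = re.compile(r'<props\b[^>]*\bname\s*=\s*"([^"]+)"[^>]*>(.*?)</props>', re.S)
_COMMENT = re.compile(r"<!--.*?-->", re.S)

def extract_params(text):
    """Return {name: value} for watched parameters, skipping commented-out XML."""
    found = {}
    for name, value in _PROP.findall(_COMMENT.sub("", text)):
        if name in WATCHED:
            found[name] = " ".join(value.split())  # collapse whitespace
    return found

def review_items(baseline_text, edited_text):
    """List findings a reviewer should sign off before the devcfg image is built."""
    old, new = extract_params(baseline_text), extract_params(edited_text)
    items = []
    for name in WATCHED:
        if old.get(name) != new.get(name):
            items.append(f"{name}: {old.get(name)!r} -> {new.get(name)!r}")
    rpmb = new.get("cmnlib_gppo_rpmb_enablement")
    # The page states the default is Enabled and is changed only when required.
    if rpmb is not None and rpmb.lower() != "enabled":
        items.append("RPMB-based SFS anti-rollback protection is not enabled")
    return items

# Constructed sample input, not copied from a Qualcomm tree.
BASELINE = """
<device id="oem">
  <props name="OEM_tz_log_level">1</props>
  <!-- <props name="OEM_sec_wdog_bite_time">9999</props> -->
  <props name="cmnlib_gppo_rpmb_enablement">Enabled</props>
</device>
"""
EDITED = BASELINE.replace(">1<", ">2<").replace(">Enabled<", ">Disabled<")

if __name__ == "__main__":
    for item in review_items(BASELINE, EDITED):
        print("REVIEW:", item)
```

Run it with the last released copy of each XML file as the baseline and the edited copy as the second argument, so that a disabled anti-rollback setting or a changed watchdog or log-level value is seen before `devcfg.mbn` is rebuilt.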

## **Next steps**

* To enable secure boot and to ensure that only trusted applications run on the device, see [Enable secure boot](./enable-secure-boot).
* To enable secure boot, QFPROM fuses must be blown. This is a one-time, irreversible process that permanently sets these values. For more information, see [Set the QFPROM fuses](./set-the-qfprom-fuses).
