# Configure

Source: [https://docs.qualcomm.com/doc/80-70015-11/topic/configure.html](https://docs.qualcomm.com/doc/80-70015-11/topic/configure.html)

Qualcomm TEE configurations can be adjusted via the device configuration (devcfg) framework.

Note: Remember to run all the SSH commands in the SELinux Permissive mode. The Enforcing mode will be supported in the future. For instructions on how to connect to the device, see [Qualcomm Linux Build Guide ➝ How to ➝ Use SSH](https://docs.qualcomm.com/bundle/publicresource/topics/80-70015-254/how_to.html#use-ssh).

TrustZone offers configuration options through XML files such as the `trustzone_images/ssg/securemsm/trustzone/qsee/mink/oem/config/<chipset>/oem_config.xml` file.

The XML configuration files are built into `devcfg.mbn`. The following command is used to compile the devcfg image from TZ.XF.5.0:

    cd trustzone_images/build/ms
    python3 build_all.py -b TZ.XF.5.0 CHIPSET=<chipset> devcfg

The `devcfg.mbn` image is generated under `trustzone_images/build/ms/bin/<build_flavor>`.

For instructions on building and compiling, see [Qualcomm Linux Build Guide ➝ GitHub workflow (firmware and extras)](https://docs.qualcomm.com/bundle/publicresource/topics/80-70015-254/build_addn_info.html).

## Device configuration

| Property | Description |
| --- | --- |
| `OEM_pil_secure_app_load_region_size` | Configuration to customize the TA size. |
| `OEM_pil_subsys_load_region_start` | Configuration to customize the PIL load start address when there is any change from the default memory map. |
| `OEM_pil_subsys_load_region_size` | Configuration to customize the PIL size when there is any change from the default memory map. |
| `OEM_enable_app_fatal_err` | This property can be used to force a TrustZone system fatal error when a specific TA crashes. Used with `OEM_crash_ta_name`. |
| `OEM_crash_ta_name` | Replace the entry with the name of the TA whose crash should cause the secure kernel to crash. |
| `OEM_sec_wdog_bark_time` | Changes the default configuration of the device for the secure watchdog bark time. |
| `OEM_sec_wdog_bite_time` | Changes the default configuration of the device for the secure watchdog bite time. |
| `OEM_tz_log_level` | Sets the TrustZone log level: Fatal = 0, Error = 1, Debug = 2. |

## RPMB-based SFS anti-rollback protection

The RPMB-based SFS anti-rollback protection can be enabled or disabled in the XML configuration file at `trustzone_images/ssg/securemsm/trustzone/qsee/mink/oem/config/common/cmnlib_oem_config.xml`.

| Property | Values |
| --- | --- |
| `cmnlib_gppo_rpmb_enablement` | Enabled (default value; change only when required) or Disabled |
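As an added example (not Qualcomm's code, and using an assumed `<prop name="..." value="..."/>` element layout rather than the real `oem_config.xml` schema), a small Python audit that reads the properties listed in the two tables above and flags settings a production `devcfg.mbn` should not ship with:

```python
import xml.etree.ElementTree as ET

# Constructed sample config. The <prop name=... value=.../> layout is an
# assumption for illustration, not Qualcomm's actual oem_config.xml schema;
# the property names are the ones documented on this page.
SAMPLE_XML = """<?xml version="1.0"?>
<oem_config>
  <prop name="OEM_tz_log_level" value="2"/>
  <prop name="OEM_sec_wdog_bark_time" value="5000"/>
  <prop name="OEM_sec_wdog_bite_time" value="4000"/>
  <prop name="OEM_enable_app_fatal_err" value="1"/>
  <prop name="cmnlib_gppo_rpmb_enablement" value="Disabled"/>
</oem_config>
"""

LOG_LEVELS = {0: "Fatal", 1: "Error", 2: "Debug"}


def load_props(xml_text):
    """Return {property name: value} for every <prop> element."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value") for p in root.iter("prop")}


def audit(props, production=True):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    lvl = props.get("OEM_tz_log_level")
    if lvl is not None:
        if not lvl.isdigit() or int(lvl) not in LOG_LEVELS:
            findings.append("OEM_tz_log_level: %r is not one of 0/1/2" % lvl)
        elif production and int(lvl) == 2:
            findings.append("OEM_tz_log_level: Debug (2) left on a production build")
    bark = props.get("OEM_sec_wdog_bark_time")
    bite = props.get("OEM_sec_wdog_bite_time")
    # A bark that fires after the bite is never observed; bark must come first.
    if bark and bite and int(bark) >= int(bite):
        findings.append("secure watchdog: bark_time %s is not before bite_time %s" % (bark, bite))
    if props.get("OEM_enable_app_fatal_err") == "1" and not props.get("OEM_crash_ta_name"):
        findings.append("OEM_enable_app_fatal_err is set but OEM_crash_ta_name is empty")
    # RPMB-based SFS anti-rollback defaults to Enabled; flag any opt-out.
    if props.get("cmnlib_gppo_rpmb_enablement", "Enabled") != "Enabled":
        findings.append("cmnlib_gppo_rpmb_enablement: SFS anti-rollback disabled")
    return findings


if __name__ == "__main__":
    for line in audit(load_props(SAMPLE_XML)):
        print("FINDING:", line)
```

Run it against the real config before invoking `build_all.py`, and adapt `load_props` to the actual element layout of your tree.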

## SELinux configuration

If SELinux is enabled, you may not be allowed to update the anti-rollback protection flag.

To check the current SELinux configuration of the device (Enforcing or Permissive mode):

    getenforce

If it is set to Enforcing mode, run the `setenforce` command to change the mode.

1. Connect to the device via SSH.
2. Change the SELinux mode by using the following commands.

    - To switch the device to Enforcing mode:

            setenforce 1

    - To switch the device to Permissive mode:

            setenforce 0

    - To recheck the current configuration of the device (Enforcing or Permissive mode):

            getenforce

- **[Enable secure boot](https://docs.qualcomm.com/doc/80-70015-11/topic/enable-secure-boot.html)**  
  Secure boot is enabled by blowing a set of hardware fuses that are part of QFPROM. The hash of the root certificate is blown into the hardware fuse, which serves as the primary RoT.
- **[Enable SELinux](https://docs.qualcomm.com/doc/80-70015-11/topic/enable-selinux.html)**  
  When SELinux is enabled, all system objects, including files, directories, processes, sockets, drivers, and more, are labeled with a security context.
- **[Enable UEFI secure boot](https://docs.qualcomm.com/doc/80-70015-11/topic/enable-uefi-secure-boot.html)**  
  You can set up an initial UEFI secure boot configuration, and convert keys and certificates into a format that UEFI can understand.
- **[Sample OpenSSL configuration](https://docs.qualcomm.com/doc/80-70015-11/topic/appendix-openssl-configuration.html)**  
  The sample shows the configuration file used to generate keys and certificate requests.
- **[Install or upgrade QCS5430 SoftSKU feature packs](https://docs.qualcomm.com/doc/80-70015-11/topic/upgrade-qualcomm-wes-feature-pack.html)**  
  You can upgrade the QCS5430 soft stock keeping unit (SKU) feature packs using the Qualcomm® wireless edge services (WES) license.

Last Published: Oct 14, 2024
