# Configure

Qualcomm TEE configurations can be adjusted using the device configuration (devcfg) framework.

Note

Remember to run all the SSH commands in the SELinux Permissive mode. The Enforcing mode will be supported in the future. For instructions on how to connect to the device, see [Qualcomm Linux Build Guide ➝ How to ➝ Log in using SSH](https://docs.qualcomm.com/bundle/publicresource/topics/80-70017-254/how_to.html#use-ssh).

TrustZone offers configuration options through XML files such as the `trustzone_images/ssg/securemsm/trustzone/qsee/mink/oem/config/<chipset>/oem_config.xml` file.

The XML configuration files are built into `devcfg.mbn`. The following commands compile the devcfg image from the TZ.XF.5.0 build:

```shell
cd trustzone_images/build/ms
python3 build_all.py -b TZ.XF.5.0 CHIPSET=<chipset> devcfg
```

The devcfg.mbn image is generated in the `trustzone_images/build/ms/bin/<build_flavor>` location.

Note

Use `devcfg.mbn` for QCS6490 and `devcfg_iot.mbn` for QCS9100.

For instructions on building and compiling, see [Qualcomm Linux Build Guide ➝ GitHub workflow (firmware and extras)](https://docs.qualcomm.com/bundle/publicresource/topics/80-70017-254/build_addn_info.html).

**Device configuration**

| Property | Description |
| --- | --- |
| `OEM_pil_secure_app_load_region_size` | Configuration to customize TA size. |
| `OEM_pil_subsys_load_region_start` | Configuration to customize the PIL load start address when there is any change from the default memory map. |
| `OEM_pil_subsys_load_region_size` | Configuration to customize the PIL size when there is any change from the default memory map. |
| `OEM_enable_app_fatal_err` | This property can be used to force a TrustZone system to fatal error when a specific TA crashes. Used with `OEM_crash_ta_name`. |
| `OEM_crash_ta_name` | Replaces the entry with the TA name that crashed and the TA on which the secure kernel is expected to crash. |
| `OEM_sec_wdog_bark_time` | Changes the default configuration of the device for secure watchdog bark time. |
| `OEM_sec_wdog_bite_time` | Changes the default configuration of the device for secure watchdog bite time. |
| `OEM_tz_log_level` | Sets the TrustZone log level: 0 = Fatal, 1 = Error, 2 = Debug. |
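The properties above interact (the watchdog bark time only makes sense before the bite time, `OEM_enable_app_fatal_err` needs `OEM_crash_ta_name` to name the TA, and the log level has exactly three documented values), and a typo in an `OEM_*` name is easy to miss before a build. The following checker is an added example and not Qualcomm's code: because the XML layout of `oem_config.xml` is not shown on this page, it takes the properties as a plain dict of name to value (whatever parser you use to pull them out of the XML), and every rule it applies is an assumption drawn from the property descriptions in the table, not from the TZ sources.

```python
"""Sanity-check Qualcomm TEE devcfg OEM_* properties before building devcfg.mbn.

Added example, not Qualcomm's code. The XML layout of oem_config.xml is not
shown on the page, so the checker takes a dict of name -> value (strings as
they would appear in the XML, or ints). All rules are assumptions drawn from
the documented property descriptions.
"""
from typing import Any, Dict, List

# Properties documented in the device configuration table.
KNOWN_PROPERTIES = {
    "OEM_pil_secure_app_load_region_size",
    "OEM_pil_subsys_load_region_start",
    "OEM_pil_subsys_load_region_size",
    "OEM_enable_app_fatal_err",
    "OEM_crash_ta_name",
    "OEM_sec_wdog_bark_time",
    "OEM_sec_wdog_bite_time",
    "OEM_tz_log_level",
}

# Documented log levels.
VALID_LOG_LEVELS = {0: "Fatal", 1: "Error", 2: "Debug"}


def _as_int(value: Any) -> int:
    """Parse an int or a decimal/hex string ("15", "0x1000"); raises ValueError."""
    if isinstance(value, bool):
        return int(value)
    if isinstance(value, int):
        return value
    return int(str(value).strip(), 0)


def _int_prop(props: Dict[str, Any], name: str, findings: List[str]):
    """Return props[name] as an int, or None if absent or not an integer (recorded as ERROR)."""
    if name not in props:
        return None
    try:
        return _as_int(props[name])
    except ValueError:
        findings.append(f"ERROR: {name}={props[name]!r} is not an integer")
        return None


def check_devcfg(props: Dict[str, Any]) -> List[str]:
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means the set looks consistent."""
    findings: List[str] = []

    # A misspelled OEM_* name is not in the documented set and will not do what was intended.
    for name in props:
        if name.startswith("OEM_") and name not in KNOWN_PROPERTIES:
            findings.append(f"WARN: unknown property {name!r} (not in the documented set; typo?)")

    # Log level must be one of the documented values; Debug (2) is the most verbose.
    level = _int_prop(props, "OEM_tz_log_level", findings)
    if level is not None:
        if level not in VALID_LOG_LEVELS:
            findings.append(f"ERROR: OEM_tz_log_level={level} is outside the documented range 0..2")
        elif level == 2:
            findings.append("WARN: OEM_tz_log_level=2 (Debug) is the most verbose level; confirm it is intended for this build")

    # Secure watchdog: the bark (warning) has to fire before the bite (reset). Assumption.
    if ("OEM_sec_wdog_bark_time" in props) != ("OEM_sec_wdog_bite_time" in props):
        findings.append("WARN: only one of OEM_sec_wdog_bark_time/OEM_sec_wdog_bite_time is overridden; the other keeps its default")
    bark = _int_prop(props, "OEM_sec_wdog_bark_time", findings)
    bite = _int_prop(props, "OEM_sec_wdog_bite_time", findings)
    if bark is not None and bite is not None:
        if bark <= 0 or bite <= 0:
            findings.append("ERROR: secure watchdog bark/bite times must be positive")
        elif bark >= bite:
            findings.append(f"ERROR: OEM_sec_wdog_bark_time ({bark}) must be less than OEM_sec_wdog_bite_time ({bite})")

    # Forcing a TZ fatal error on a TA crash only works with a TA name to match against.
    fatal = _int_prop(props, "OEM_enable_app_fatal_err", findings)
    ta_name = str(props.get("OEM_crash_ta_name") or "").strip()
    if fatal and not ta_name:
        findings.append("ERROR: OEM_enable_app_fatal_err is set but OEM_crash_ta_name is empty")
    if ta_name and not fatal:
        findings.append(f"WARN: OEM_crash_ta_name={ta_name!r} is set but OEM_enable_app_fatal_err is not enabled")

    # Load regions: sizes must be positive; start and size normally change together with the memory map.
    for name in ("OEM_pil_secure_app_load_region_size", "OEM_pil_subsys_load_region_size"):
        size = _int_prop(props, name, findings)
        if size is not None and size <= 0:
            findings.append(f"ERROR: {name} must be a positive size")
    if ("OEM_pil_subsys_load_region_start" in props) != ("OEM_pil_subsys_load_region_size" in props):
        findings.append("WARN: only one of OEM_pil_subsys_load_region_start/_size is overridden; confirm the other default still fits the new memory map")

    return findings


def has_errors(findings: List[str]) -> bool:
    """True if any finding would block the build."""
    return any(f.startswith("ERROR:") for f in findings)


# Constructed sample inputs (not taken from any real device or config file).
SAMPLE_OK = {
    "OEM_pil_secure_app_load_region_size": "0x1000000",
    "OEM_enable_app_fatal_err": "1",
    "OEM_crash_ta_name": "example_ta",
    "OEM_sec_wdog_bark_time": "10",
    "OEM_sec_wdog_bite_time": "15",
    "OEM_tz_log_level": "1",
}
SAMPLE_BAD = {
    "OEM_sec_wdog_bark_time": "20",      # bark after bite
    "OEM_sec_wdog_bite_time": "15",
    "OEM_tz_log_level": 5,               # undocumented level
    "OEM_enable_app_fatal_err": "1",     # enabled with no TA name
    "OEM_tz_loglevel": "1",              # typo in property name
}

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_devcfg(sample) or ["clean"])
```

Run it against the dict you extract from your edited `oem_config.xml` before invoking `build_all.py`; treat any `ERROR:` finding as a reason not to build, and review `WARN:` findings (especially a Debug log level) against what the build flavor is for.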

**RPMB-based SFS anti-rollback protection**

The RPMB-based SFS anti-rollback protection can be enabled or disabled in the XML configuration file at `trustzone_images/ssg/securemsm/trustzone/qsee/mink/oem/config/common/cmnlib_oem_config.xml`.

| Property | Values |
| --- | --- |
| `cmnlib_gppo_rpmb_enablement` | Enabled (default value; change only when required) or Disabled |

**SELinux configuration**

If SELinux is enabled, you may not be allowed to update the
anti-rollback protection flag.

To check the current SELinux configuration of the device (Enforcing or Permissive mode):

```shell
getenforce
```

If it is set to Enforcing mode, run the `setenforce` command to change
the mode.

1. Connect to the device using SSH.
2. Change the SELinux mode by using the following commands.

    - To switch the device to Enforcing mode:

      ```shell
      setenforce 1
      ```

    - To switch the device to Permissive mode:

      ```shell
      setenforce 0
      ```

    - To recheck the current configuration of the device (Enforcing or Permissive mode):

      ```shell
      getenforce
      ```

- [Enable secure boot](https://docs.qualcomm.com/doc/80-70017-11/topic/enable-secure-boot.html)
Secure boot is enabled by blowing a set of hardware fuses that are part
of QFPROM. The hash of the root certificate is blown into the hardware
fuse, which serves as the primary RoT.
- [Enable SELinux](https://docs.qualcomm.com/doc/80-70017-11/topic/enable-selinux.html)
When SELinux is enabled, all system objects, including files,
directories, processes, sockets, drivers, and more, are labeled with a
security context.
- [Enable UEFI secure boot](https://docs.qualcomm.com/doc/80-70017-11/topic/enable-uefi-secure-boot.html)
You can setup an initial UEFI secure boot configuration, and convert
keys and certificates into a format that UEFI can understand.
- [Sample OpenSSL configuration](https://docs.qualcomm.com/doc/80-70017-11/topic/appendix-openssl-configuration.html)
The sample shows the configuration file used to generate keys and
certificate requests.
- [Install or upgrade QCS5430 SoftSKU feature packs](https://docs.qualcomm.com/doc/80-70017-11/topic/upgrade-qualcomm-wes-feature-pack.html)

Last Published: Jan 30, 2025
