# Enable device configuration (Devcfg) from Qualcomm TEE

Configuring Qualcomm TEE is essential for maintaining the security, compliance, performance, and flexibility of devices that manage sensitive data and run trusted applications. Qualcomm TEE configurations can be adjusted using the device configuration (devcfg) framework, which provides a centralized way to manage and adjust device-specific settings.

Note

- Run all the SSH commands with SELinux in Permissive mode. Enforcing mode will be supported in the future.
- For instructions on how to connect to the device, see [Qualcomm Linux Build Guide ➝ How to ➝ Sign in using SSH](https://docs.qualcomm.com/bundle/publicresource/topics/80-70017-254/how_to.html#use-ssh).

## Compile devcfg image from TrustZone

1. Select the configuration options that TrustZone offers through the built-in `devcfg.mbn` XML files. For example: `trustzone_images/ssg/securemsm/trustzone/qsee/mink/oem/config/<chipset>/oem_config.xml`.
2. Use the following command to compile the devcfg image from TZ.XF.5.29.1:

    ```shell
    cd trustzone_images/build/ms
    python3 build_all.py -b TZ.XF.5.0 CHIPSET=<chipset> <devcfg> --cfg=build_config_deploy_<chipset>.xml
    ```

    This step generates the devcfg.mbn image at the following location: `trustzone_images/build/ms/bin/<build_flavor>`.

Note

Use the devcfg target that matches your chipset. `<devcfg>` is:

- `devcfg` for QCS6490
- `devcfg_iot` for QCS9100

Important

> The devcfg\_iot.mbn file isn't generated by default. Apply the following change to build devcfg\_iot.mbn:
>
> > `trustzone_images/build/ms/build_config_deploy_lemans.xml`
> >
> >     @@ -60,9 +60,12 @@
> >     <alias build-once="false" disable="false" internal-test="false" recompile="true" strip="false" name="devcfg_auto_sgvm">
> >     <artifact name="devcfg_auto_sgvm"/>
> >     </alias>
> >     +  <alias build-once="false" disable="false" internal-test="false" recompile="true" strip="false" name="devcfg_iot">
> >     +  <artifact name="devcfg_iot"/>
> >     +  </alias>
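
Review bot: the added `devcfg_iot` alias only references an artifact by name and this hunk defines no `devcfg_iot` artifact, so verify that artifact is produced elsewhere in the build configuration or the alias will not resolve; also confirm that the attribute values copied verbatim from the `devcfg_auto_sgvm` alias directly above it (`build-once="false"`, `recompile="true"`, `strip="false"`) are the ones intended for the IoT image rather than inherited by copy-paste.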

The issue is expected to be resolved in the next release.
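As an added example (not Qualcomm's tooling), the pre-build check a practitioner would run for the QCS9100 case above: it parses a build_config_deploy XML, reports whether the `devcfg_iot` alias is present and, if it is missing, inserts it after the `devcfg_auto_sgvm` alias with the same attributes, which is the change the Important note describes. The XML excerpt and the `ensure_devcfg_alias` helper are constructed here; point it at the real `build_config_deploy_lemans.xml` path given above when using it.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed excerpt modelled on build_config_deploy_lemans.xml (the real
# file defines many more aliases). As shipped, only devcfg_auto_sgvm is
# aliased, so a build would never produce devcfg_iot.mbn.
SAMPLE_BUILD_CONFIG = """<build>
  <alias build-once="false" disable="false" internal-test="false" recompile="true" strip="false" name="devcfg_auto_sgvm">
    <artifact name="devcfg_auto_sgvm"/>
  </alias>
</build>
"""


def alias_names(xml_text):
    """List the name attribute of every <alias> in document order."""
    return [a.get("name") for a in ET.fromstring(xml_text).iter("alias")]


def ensure_devcfg_alias(xml_text, target="devcfg_iot", reference="devcfg_auto_sgvm"):
    """Return (xml_text, added): add <alias name=target> after the reference alias if missing.

    The new alias copies the reference alias's attributes and points its
    <artifact> at `target`, mirroring the documented change; calling it on an
    already-patched file changes nothing (idempotent).
    """
    root = ET.fromstring(xml_text)
    if any(a.get("name") == target for a in root.iter("alias")):
        return xml_text, False
    parent_map = {child: parent for parent in root.iter() for child in parent}
    ref = next((a for a in root.iter("alias") if a.get("name") == reference), None)
    if ref is None:
        raise ValueError(f"reference alias {reference!r} not found; cannot derive {target!r}")
    new_alias = copy.deepcopy(ref)          # same build-once/recompile/strip flags
    new_alias.set("name", target)
    for artifact in new_alias.iter("artifact"):
        artifact.set("name", target)        # alias must reference the matching artifact
    parent = parent_map[ref]
    parent.insert(list(parent).index(ref) + 1, new_alias)
    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    patched, added = ensure_devcfg_alias(SAMPLE_BUILD_CONFIG)
    print("alias added" if added else "alias already present")
    print(patched)
```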

For instructions on building and compiling, see [Qualcomm Linux Build Guide ➝ GitHub workflow (firmware and extras)](https://docs.qualcomm.com/bundle/publicresource/topics/80-70017-254/build_addn_info.html).

## Customize device using configuration parameters

Use the configuration parameters listed in the following table to customize the device as needed.

| Configuration parameter | Description |
| --- | --- |
| `OEM_pil_secure_app_load_region_size` | Customizes the size of the TA load region. |
| `OEM_pil_subsys_load_region_start` | Customizes the PIL load start address when the default memory map has changed. |
| `OEM_pil_subsys_load_region_size` | Customizes the PIL load region size when the default memory map has changed. |
| `OEM_enable_app_fatal_err` | Forces a TrustZone system fatal error when the specified TA crashes. Use with `OEM_crash_ta_name`. |
| `OEM_crash_ta_name` | Set to the name of the TA whose crash should cause the secure kernel to fatal-error (used with `OEM_enable_app_fatal_err`). |
| `OEM_sec_wdog_bark_time` | Changes the default secure watchdog bark time for the device. |
| `OEM_sec_wdog_bite_time` | Changes the default secure watchdog bite time for the device. |
| `OEM_tz_log_level` | Sets the TrustZone log level: Fatal = 0, Error = 1, Debug = 2. |

## Enable RPMB-based SFS anti-rollback protection

To enable or disable the RPMB-based SFS anti-rollback protection, use the following configuration parameter and the XML file.

**Configuration parameter**

`cmnlib_gppo_rpmb_enablement` can be set to Enabled or Disabled. The default value is Enabled and must be changed only when required.

**XML file location**

`trustzone_images/ssg/securemsm/trustzone/qsee/mink/oem/config/common/cmnlib_oem_config.xml`

## Next steps

- To enable secure boot and to ensure that only trusted applications run on the device, see [Enable secure boot](https://docs.qualcomm.com/doc/80-70018-11/topic/enable-secure-boot.html#enable-secure-boot).
- To enable secure boot, QFPROM fuses must be blown. This is a one-time, irreversible process that permanently sets these values. For more information, see [QFPROM fuses](https://docs.qualcomm.com/doc/80-70018-11/topic/appendix-fuse-configurations.html#appendix-fuse-configurations).

Last Published: Apr 10, 2025
