# Enable device configurations from Qualcomm TEE

Configuring Qualcomm TEE is essential for maintaining the security, compliance, performance, and flexibility of devices that manage sensitive data and run trusted applications. Qualcomm TEE configurations can be adjusted using the device configuration (devcfg) framework, which provides a centralized way to manage and adjust device-specific settings.

**Prerequisites**

- [Build and compile the software on the device](https://docs.qualcomm.com/bundle/publicresource/topics/80-70020-254/build_addn_info.html).
- [Enable the secure shell (SSH) in permissive mode to securely access your host device](https://docs.qualcomm.com/bundle/publicresource/topics/80-70020-254/how_to.html#use-ssh).

## Compile devcfg image from TrustZone

1. Select the configuration options that TrustZone offers through the built-in `devcfg.mbn` XML files. For example: `trustzone_images/ssg/securemsm/trustzone/qsee/mink/oem/config/<chipset>/oem_config.xml`.
2. Use the following commands to compile the devcfg image from TZ.XF.5.29.1.

    ```
    cd trustzone_images/build/ms
    python3 build_all.py -b TZ.XF.5.0 CHIPSET=<chipset> <devcfg> --cfg=build_config_deploy_<chipset>.xml
    ```

    This step generates the `devcfg.mbn` images at `trustzone_images/build/ms/bin/<build_flavor>`. Use the following build flavors and commands.

| Chipset | Build flavor | Build command |
| --- | --- | --- |
| QCS5430/QCS6490 | `EACAANAA` | `python3 trustzone_images/build/ms/build_all.py CHIPSET=kodiak devcfg` |
| IQ-9075/IQ-9100 | `MAKAANAA` | `python3 trustzone_images/build/ms/build_all.py CHIPSET=lemans devcfg` |
| IQ-8275/IQ-8300 | `FAQAANAA` | `python3 trustzone_images/build/ms/build_all.py CHIPSET=monaco devcfg` |
| IQ-615 | `GABAANAA` | `python3 trustzone_images/build/ms/build_all.py CHIPSET=talos devcfg` |

**Note**

Use the following devcfg files, where `<devcfg>` is:

- `devcfg` for QCS6490
- `devcfg_iot` for IQ-9100

**Important**

The `devcfg_iot.mbn` file isn't generated by default. Apply the following changes to build `devcfg_iot.mbn`.

> 
> 
> trustzone_images/build/ms/build_config_deploy_lemans.xml
>     @@ -60,9 +60,12 @@
>     <alias build-once="false" disable="false" internal-test="false" recompile="true" strip="false" name="devcfg_auto_sgvm">
>     <artifact name="devcfg_auto_sgvm"/>
>     </alias>
>     +  <alias build-once="false" disable="false" internal-test="false" recompile="true" strip="false" name="devcfg_iot">
>     +  <artifact name="devcfg_iot"/>
>     +  </alias>
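
Review bot: the hunk header (`-60,9 +60,12`) declares nine old and twelve new lines, but only three context lines and the three `+` lines are shown, and there are no `---`/`+++` file headers, so this excerpt will not apply with `git apply` or `patch` as written. Add the three `+` lines by hand directly after the closing `</alias>` of `devcfg_auto_sgvm` in `build_config_deploy_lemans.xml`, and keep the alias `name` identical to its `<artifact name>`, as the existing `devcfg_auto_sgvm` entry does.
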

## Customize device using configuration parameters

Use the configuration parameters listed in the following table to customize the device as needed.

| Configuration parameters | Description |
| --- | --- |
| `OEM_pil_secure_app_load_region_size` | Customizes the TA size. |
| `OEM_pil_subsys_load_region_start` | Customizes the PIL load start address when there is any change from the default memory map. |
| `OEM_pil_subsys_load_region_size` | Customizes the PIL size when there is any change from the default memory map. |
| `OEM_enable_app_fatal_err` | Forces the TrustZone system into a fatal error when a specific TA crashes. Use with `OEM_crash_ta_name`. |
| `OEM_crash_ta_name` | Replace the entry with the name of the TA that crashed, which is the TA on whose crash the secure kernel is expected to crash. |
| `OEM_sec_wdog_bark_time` | Changes the default configuration of the device for secure watchdog bark time. |
| `OEM_sec_wdog_bite_time` | Changes the default configuration of the device for secure watchdog bite time. |
| `OEM_tz_log_level` | Sets the TrustZone log level:<br>Fatal: 0<br>Error: 1<br>Debug: 2 |

## Enable RPMB-based SFS anti-rollback protection

To enable or disable the RPMB-based SFS anti-rollback protection, use the following configuration parameter and the XML file.

**Configuration parameter**

`cmnlib_gppo_rpmb_enablement` can be set to Enabled or Disabled. The default value is Enabled; change it only when required.

**XML file location**

`trustzone_images/ssg/securemsm/trustzone/qsee/mink/oem/config/common/cmnlib_oem_config.xml`
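
A pre-build check over the parameters in the table above and the RPMB setting, added here as an example; it is not Qualcomm's code. It assumes each parameter appears as a `<props name="...">value</props>` element and that a non-zero `OEM_enable_app_fatal_err` means enabled (neither is shown on this page); `parse_props`, `as_int` and `audit` are hypothetical names.

```python
import re
# Assumed layout (not shown on the page): every parameter is a
# <props name="...">value</props> element. Adjust PROP_RE if your files differ.
PROP_RE = re.compile(r'<props\b[^>]*\bname\s*=\s*"([^"]+)"[^>]*>(.*?)</props>', re.S)

def parse_props(xml_text):
    """Map parameter name -> value text, skipping commented-out entries."""
    active = re.sub(r"<!--.*?-->", "", xml_text, flags=re.S)
    return {n: v.strip().strip('"') for n, v in PROP_RE.findall(active)}

def as_int(props, name):
    """Integer value of a parameter (decimal or 0x...), or None if unset/invalid."""
    try:
        return int(props[name], 0)
    except (KeyError, ValueError):
        return None

def audit(props):
    """Return findings for settings that weaken or contradict the page's guidance."""
    findings = []
    # The documented default is Enabled, so only an explicit other value is reported.
    rpmb = props.get("cmnlib_gppo_rpmb_enablement", "Enabled")
    if rpmb.lower() != "enabled":
        findings.append(f"RPMB-based SFS anti-rollback is {rpmb}")
    # Documented as used together. Assumption: a non-zero value means enabled.
    if as_int(props, "OEM_enable_app_fatal_err") and not props.get("OEM_crash_ta_name"):
        findings.append("OEM_enable_app_fatal_err set without OEM_crash_ta_name")
    # Documented levels: 0 Fatal, 1 Error, 2 Debug.
    if "OEM_tz_log_level" in props and as_int(props, "OEM_tz_log_level") not in (0, 1, 2):
        findings.append("OEM_tz_log_level is not 0, 1 or 2")
    # A watchdog barks (warning) before it bites (reset).
    bark, bite = (as_int(props, f"OEM_sec_wdog_{k}_time") for k in ("bark", "bite"))
    if bark is not None and bite is not None and bark >= bite:
        findings.append(f"secure watchdog bark time {bark} >= bite time {bite}")
    return findings

# Constructed sample input, not taken from a real oem_config.xml.
SAMPLE = """
<!-- <props name="cmnlib_gppo_rpmb_enablement">Enabled</props> -->
<props name="cmnlib_gppo_rpmb_enablement">Disabled</props>
<props name="OEM_enable_app_fatal_err">1</props>
<props name="OEM_crash_ta_name">""</props>
<props name="OEM_tz_log_level">2</props>
<props name="OEM_sec_wdog_bark_time">6000</props>
<props name="OEM_sec_wdog_bite_time">5000</props>
"""

if __name__ == "__main__":
    print("\n".join(audit(parse_props(SAMPLE))))
```

Run it over the concatenated contents of `oem_config.xml` and `cmnlib_oem_config.xml` before building `devcfg.mbn`, and fail the build when the returned list is not empty.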

## Next steps

- To enable secure boot and to ensure only trusted applications run on the device, see [Enable secure boot](https://docs.qualcomm.com/doc/80-70020-11/topic/enable-secure-boot.html#enable-secure-boot).
- To enable secure boot, QFPROM fuses must be blown. This is a one-time, irreversible process that permanently sets these values. For more information, see [Set the QFPROM fuses](https://docs.qualcomm.com/doc/80-70020-11/topic/appendix-fuse-configurations.html#appendix-fuse-configurations).

Last Published: Apr 14, 2026
