feat(esp_tee): Protect the ECC peripheral from REE access

components/esp_system/port/soc/esp32c6/clk.c

@@ -297,8 +297,8 @@ __attribute__((weak)) void esp_perip_clk_init(void)
         periph_ll_disable_clk_set_rst(PERIPH_SHA_MODULE);
         periph_ll_disable_clk_set_rst(PERIPH_HMAC_MODULE);
         periph_ll_disable_clk_set_rst(PERIPH_DS_MODULE);
-#endif
         periph_ll_disable_clk_set_rst(PERIPH_ECC_MODULE);
+#endif
 
         // TODO: Replace with hal implementation
         REG_CLR_BIT(PCR_CTRL_TICK_CONF_REG, PCR_TICK_ENABLE);

components/esp_tee/scripts/esp32c6/sec_srv_tbl_default.yml

@@ -248,6 +248,14 @@ secure_services:
         type: IDF
         function: esp_crypto_mpi_enable_periph_clk
         args: 1
+      - id: 108
+        type: IDF
+        function: esp_ecc_point_multiply
+        args: 4
+      - id: 109
+        type: IDF
+        function: esp_ecc_point_verify
+        args: 1
   # ID: 134-149 (16) - eFuse
   - family: efuse
     entries:

components/esp_tee/src/esp_secure_service_wrapper.c

@@ -342,6 +342,33 @@ void __wrap_esp_crypto_mpi_enable_periph_clk(bool enable)
     esp_tee_service_call(2, SS_ESP_CRYPTO_MPI_ENABLE_PERIPH_CLK, enable);
 }
 
+/* ---------------------------------------------- ECC ------------------------------------------------- */
+
+#define P256_LEN        (256/8)
+#define P192_LEN        (192/8)
+
+typedef struct {
+    uint8_t x[P256_LEN]; /* Little endian order */
+    uint8_t y[P256_LEN]; /* Little endian order */
+    unsigned len;        /* P192_LEN or P256_LEN */
+} ecc_point_t;
+
+int __wrap_esp_ecc_point_multiply(const ecc_point_t *point, const uint8_t *scalar, ecc_point_t *result, bool verify_first)
+{
+    esp_crypto_ecc_lock_acquire();
+    esp_err_t err = esp_tee_service_call(5, SS_ESP_ECC_POINT_MULTIPLY, point, scalar, result, verify_first);
+    esp_crypto_ecc_lock_release();
+    return err;
+}
+
+int __wrap_esp_ecc_point_verify(const ecc_point_t *point)
+{
+    esp_crypto_ecc_lock_acquire();
+    esp_err_t err = esp_tee_service_call(2, SS_ESP_ECC_POINT_VERIFY, point);
+    esp_crypto_ecc_lock_release();
+    return err;
+}
+
 /* ---------------------------------------------- MMU HAL ------------------------------------------------- */
 
 void IRAM_ATTR __wrap_mmu_hal_map_region(uint32_t mmu_id, mmu_target_t mem_type, uint32_t vaddr, uint32_t paddr, uint32_t len, uint32_t *out_len)

components/esp_tee/subproject/main/core/esp_secure_services.c

@@ -29,6 +29,7 @@
 #include "esp_hmac.h"
 #include "esp_ds.h"
 #include "esp_crypto_periph_clk.h"
+#include "ecc_impl.h"
 
 #include "esp_tee.h"
 #include "esp_tee_memory_utils.h"
@@ -444,6 +445,26 @@ void _ss_esp_crypto_mpi_enable_periph_clk(bool enable)
     esp_crypto_mpi_enable_periph_clk(enable);
 }
 
+/* ---------------------------------------------- ECC ------------------------------------------------- */
+
+int _ss_esp_ecc_point_multiply(const ecc_point_t *point, const uint8_t *scalar, ecc_point_t *result, bool verify_first)
+{
+    bool valid_addr = (esp_tee_ptr_in_ree((void *)result)) &&
+                      esp_tee_ptr_in_ree((void *)((char *)result + sizeof(ecc_point_t)));
+
+    if (!valid_addr) {
+        return -1;
+    }
+    ESP_FAULT_ASSERT(valid_addr);
+
+    return esp_ecc_point_multiply(point, scalar, result, verify_first);
+}
+
+int _ss_esp_ecc_point_verify(const ecc_point_t *point)
+{
+    return esp_ecc_point_verify(point);
+}
+
 /* ---------------------------------------------- OTA ------------------------------------------------- */
 
 int _ss_esp_tee_ota_begin(void)

components/esp_tee/subproject/main/ld/esp32c6/esp_tee.ld.in

@@ -177,6 +177,7 @@ SECTIONS
  * | SHA       | text          | Flash  |
  * | HMAC      | text          | Flash  |
  * | DS        | text          | Flash  |
+ * | ECC       | text          | Flash  |
  * | BROWNOUT  | text          | Flash  |
  * | EFUSE     | text          | Flash  |
  * | LPTIMER   | text          | Flash  |
@@ -196,6 +197,7 @@ SECTIONS
     *libhal.a:sha_hal.c*(.literal .text .literal.* .text.*)
     *libhal.a:hmac_hal.c*(.literal .text .literal.* .text.*)
     *libhal.a:ds_hal.c*(.literal .text .literal.* .text.*)
+    *libhal.a:ecc_hal.c*(.literal .text .literal.* .text.*)
     *libhal.a:apm_hal.c*(.literal .text .literal.* .text.*)
     *libhal.a:brownout_hal.c*(.literal .text .literal.* .text.*)
     *libhal.a:spi_flash_hal.c*(.literal .text .literal.* .text.*)

components/esp_tee/subproject/main/soc/esp32c6/esp_tee_apm_prot_cfg.c

@@ -107,7 +107,7 @@ apm_ctrl_region_config_data_t hp_apm_pms_data[] = {
         .filter_enable   = 1,
     },
     /* Region 6/7: Peripherals [H/W Lock - HMAC] (RW) */
-    /* Protected: AES, SHA, DS, HMAC */
+    /* Protected: AES, SHA, ECC, DS, HMAC */
     {
         .regn_num = 6,
         .regn_start_addr = DR_REG_ATOMIC_BASE,
@@ -118,12 +118,12 @@ apm_ctrl_region_config_data_t hp_apm_pms_data[] = {
     {
         .regn_num = 7,
         .regn_start_addr = DR_REG_RSA_BASE,
-        .regn_end_addr   = (DR_REG_DS_BASE - 0x4),
+        .regn_end_addr   = (DR_REG_ECC_MULT_BASE - 0x4),
         .regn_pms        = 0x6,
         .filter_enable   = 1,
     },
-    /* Region 8/9/10: Peripherals [DS - TEE Controller & APM] (RW) */
+    /* Region 8/9/10: Peripherals [IO_MUX - TEE Controller & APM] (RW) */
-    /* Protected: AES, SHA, DS, HMAC PCR, APM, TEE Controller */
+    /* Protected: AES, SHA, ECC, DS and HMAC PCRs, APM, TEE Controller */
     {
         .regn_num = 8,
         .regn_start_addr = DR_REG_IO_MUX_BASE,
@@ -134,7 +134,7 @@ apm_ctrl_region_config_data_t hp_apm_pms_data[] = {
     {
         .regn_num = 9,
         .regn_start_addr = PCR_RSA_CONF_REG,
-        .regn_end_addr   = (PCR_DS_CONF_REG - 0x4),
+        .regn_end_addr   = (PCR_ECC_CONF_REG - 0x4),
         .regn_pms        = 0x6,
         .filter_enable   = 1,
     },

components/esp_tee/subproject/main/soc/esp32c6/esp_tee_secure_sys_cfg.c

@@ -16,6 +16,7 @@
 #include "hal/sha_ll.h"
 #include "hal/hmac_ll.h"
 #include "hal/ds_ll.h"
+#include "hal/ecc_ll.h"
 
 #include "esp_tee.h"
 #include "esp_tee_intr.h"
@@ -95,12 +96,14 @@ void esp_tee_soc_secure_sys_init(void)
     esp_tee_protect_intr_src(ETS_EFUSE_INTR_SOURCE);        // eFuse
     esp_tee_protect_intr_src(ETS_AES_INTR_SOURCE);          // AES
     esp_tee_protect_intr_src(ETS_SHA_INTR_SOURCE);          // SHA
+    esp_tee_protect_intr_src(ETS_ECC_INTR_SOURCE);          // ECC
 
     /* Disable protected crypto peripheral clocks; they will be toggled as needed when the peripheral is in use */
     aes_ll_enable_bus_clock(false);
     sha_ll_enable_bus_clock(false);
     hmac_ll_enable_bus_clock(false);
     ds_ll_enable_bus_clock(false);
+    ecc_ll_enable_bus_clock(false);
 }
 
 IRAM_ATTR inline void esp_tee_switch_to_ree(uint32_t ree_entry_addr)

components/esp_tee/test_apps/tee_test_fw/main/CMakeLists.txt

@@ -32,6 +32,10 @@ list(APPEND srcs "${mbedtls_test_srcs_dir}/test_mbedtls_sha.c"
 
 # Mixed
 list(APPEND srcs "${mbedtls_test_srcs_dir}/test_aes_sha_parallel.c")
+
+# ECC
+list(APPEND srcs "${mbedtls_test_srcs_dir}/test_ecp.c")
+
 # Utility
 list(APPEND srcs "${mbedtls_test_srcs_dir}/test_apb_dport_access.c"
                  "${mbedtls_test_srcs_dir}/test_mbedtls_utils.c")

components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_att.c

@@ -256,7 +256,6 @@ TEST_CASE("Test TEE Attestation - Generate and verify the EAT", "[attestation]")
     uint8_t *token_buf = heap_caps_calloc(ESP_ATT_TK_BUF_SIZE, sizeof(uint8_t), MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
     TEST_ASSERT_NOT_NULL(token_buf);
 
-    ESP_LOGI(TAG, "Generating EAT for all active firmwares (Bootloader, TEE and non-secure app)...");
     // Generating the attestation token
     uint32_t token_len = 0;
     TEST_ESP_OK(esp_tee_att_generate_token(0xA1B2C3D4, 0x0FACADE0, (const char *)ESP_ATT_TK_PSA_CERT_REF,
@@ -275,7 +274,6 @@ TEST_CASE("Test TEE Attestation - Generate and verify the EAT", "[attestation]")
     esp_tee_sec_storage_sign_t sign_ctx = {};
     fetch_signature((const char *)token_buf, &sign_ctx);
 
-    ESP_LOGI(TAG, "Verifying the generated EAT...");
     // Verifying the generated token
     TEST_ASSERT_EQUAL(0, verify_ecdsa_sign(digest, sizeof(digest), &pubkey_ctx, &sign_ctx, false));
     free(token_buf);

components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_panic.c

@@ -63,7 +63,8 @@ TEST_CASE("Test APM violation interrupt: AES", "[apm_violation]")
 TEST_CASE("Test APM violation interrupt: HMAC", "[apm_violation]")
 {
     uint32_t val = UINT32_MAX;
-    REG_WRITE(HMAC_SET_PARA_KEY_REG, val);
+    val = REG_READ(HMAC_SET_PARA_KEY_REG);
+    TEST_ASSERT_EQUAL(0, val);
     TEST_FAIL_MESSAGE("APM violation interrupt should have been generated");
 }
 
@@ -77,16 +78,15 @@ TEST_CASE("Test APM violation interrupt: DS", "[apm_violation]")
 
 TEST_CASE("Test APM violation interrupt: SHA PCR", "[apm_violation]")
 {
-    uint32_t val = UINT32_MAX;
+    uint32_t val = 0;
-    val = REG_READ(PCR_SHA_CONF_REG);
+    REG_WRITE(PCR_SHA_CONF_REG, val);
-    TEST_ASSERT_EQUAL(0, val);
     TEST_FAIL_MESSAGE("APM violation interrupt should have been generated");
 }
 
-TEST_CASE("Test APM violation interrupt: DS PCR", "[apm_violation]")
+TEST_CASE("Test APM violation interrupt: ECC PCR", "[apm_violation]")
 {
-    uint32_t val = UINT32_MAX;
+    uint32_t val = 0;
-    REG_WRITE(PCR_DS_CONF_REG, val);
+    REG_WRITE(PCR_ECC_CONF_REG, val);
     TEST_FAIL_MESSAGE("APM violation interrupt should have been generated");
 }
 

components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_sec_stg.c

@@ -88,7 +88,6 @@ TEST_CASE("Test TEE Secure Storage - Sign-verify (ecdsa_secp256r1) with all key-
     TEST_ESP_OK(esp_tee_sec_storage_init());
 
     for (uint16_t slot_id = 0; slot_id <= MAX_SEC_STG_SLOT_ID; slot_id++) {
-        ESP_LOGI(TAG, "Slot ID: %u", slot_id);
         TEST_ESP_OK(esp_tee_sec_storage_clear_slot(slot_id));
         TEST_ESP_OK(esp_tee_sec_storage_gen_key(slot_id, ESP_SEC_STG_KEY_ECDSA_SECP256R1));
 
@@ -98,7 +97,6 @@ TEST_CASE("Test TEE Secure Storage - Sign-verify (ecdsa_secp256r1) with all key-
         esp_tee_sec_storage_pubkey_t pubkey = {};
         TEST_ESP_OK(esp_tee_sec_storage_get_pubkey(slot_id, ESP_SEC_STG_KEY_ECDSA_SECP256R1, &pubkey));
 
-        ESP_LOGI(TAG, "Verifying generated signature...");
         TEST_ESP_OK(verify_ecdsa_sign(msg_digest, sizeof(msg_digest), &pubkey, &sign, false));
 
         TEST_ESP_OK(esp_tee_sec_storage_clear_slot(slot_id));
@@ -122,7 +120,6 @@ TEST_CASE("Test TEE Secure Storage - Sign-verify (ecdsa_secp192r1) with all key-
     TEST_ESP_OK(esp_tee_sec_storage_init());
 
     for (uint16_t slot_id = 0; slot_id <= MAX_SEC_STG_SLOT_ID; slot_id++) {
-        ESP_LOGI(TAG, "Slot ID: %u", slot_id);
         TEST_ESP_OK(esp_tee_sec_storage_clear_slot(slot_id));
         TEST_ESP_OK(esp_tee_sec_storage_gen_key(slot_id, ESP_SEC_STG_KEY_ECDSA_SECP192R1));
 
@@ -132,7 +129,6 @@ TEST_CASE("Test TEE Secure Storage - Sign-verify (ecdsa_secp192r1) with all key-
         esp_tee_sec_storage_pubkey_t pubkey = {};
         TEST_ESP_OK(esp_tee_sec_storage_get_pubkey(slot_id, ESP_SEC_STG_KEY_ECDSA_SECP192R1, &pubkey));
 
-        ESP_LOGI(TAG, "Verifying generated signature...");
         TEST_ESP_OK(verify_ecdsa_sign(msg_digest, sizeof(msg_digest), &pubkey, &sign, true));
 
         TEST_ESP_OK(esp_tee_sec_storage_clear_slot(slot_id));
@@ -161,7 +157,6 @@ TEST_CASE("Test TEE Secure Storage - Encrypt-decrypt (aes256_gcm) with all key-s
     TEST_ESP_OK(esp_tee_sec_storage_init());
 
     for (uint16_t slot_id = 0; slot_id <= MAX_SEC_STG_SLOT_ID; slot_id++) {
-        ESP_LOGI(TAG, "Slot ID: %u", slot_id);
         TEST_ESP_OK(esp_tee_sec_storage_clear_slot(slot_id));
         TEST_ESP_OK(esp_tee_sec_storage_gen_key(slot_id, ESP_SEC_STG_KEY_AES256));
 
@@ -380,7 +375,6 @@ static void test_ecdsa_sign(mbedtls_ecp_group_id gid, const uint8_t *hash, int s
     TEST_ASSERT_MBEDTLS_OK(mbedtls_mpi_write_binary(&r, sign.sign_r, key_len));
     TEST_ASSERT_MBEDTLS_OK(mbedtls_mpi_write_binary(&s, sign.sign_s, key_len));
 
-    ESP_LOGI(TAG, "Verifying generated signature...");
     TEST_ESP_OK(verify_ecdsa_sign(sha, sizeof(sha), &pubkey, &sign, is_crv_p192));
 
     mbedtls_pk_free(&key_ctx);

components/esp_tee/test_apps/tee_test_fw/pytest_esp_tee_ut.py

@@ -39,7 +39,7 @@ REE_ISOLATION_TEST_EXC_RSN: Dict[str, Any] = {
     }
 }
 
-TEE_APM_VIOLATION_EXC_CHK = ['eFuse', 'MMU', 'AES', 'HMAC', 'DS', 'SHA PCR', 'DS PCR']
+TEE_APM_VIOLATION_EXC_CHK = ['eFuse', 'MMU', 'AES', 'HMAC', 'DS', 'SHA PCR', 'ECC PCR']
 
 # ---------------- TEE default tests ----------------
 

components/hal/CMakeLists.txt

@@ -52,7 +52,8 @@ if(esp_tee_build)
                      "aes_hal.c"
                      "sha_hal.c"
                      "hmac_hal.c"
-                     "ds_hal.c")
+                     "ds_hal.c"
+                     "ecc_hal.c")
 
     if(CONFIG_SECURE_TEE_EXT_FLASH_MEMPROT_SPI1)
         list(APPEND srcs "spi_flash_hal.c")

components/mbedtls/esp_tee/esp_tee_mbedtls.cmake

@@ -61,3 +61,6 @@ target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/core/esp_sha1.c"
 
 target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/core/sha.c"
                                   "${COMPONENT_DIR}/port/sha/esp_sha.c")
+
+target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/ecc/esp_ecc.c"
+                                  "${COMPONENT_DIR}/port/ecc/ecc_alt.c")

components/mbedtls/esp_tee/esp_tee_mbedtls_config.h

@@ -57,6 +57,11 @@
 #define MBEDTLS_SHA256_ALT
 #endif
 
+#ifdef CONFIG_MBEDTLS_HARDWARE_ECC
+#define MBEDTLS_ECP_MUL_ALT
+#define MBEDTLS_ECP_VERIFY_ALT
+#endif
+
 #define MBEDTLS_ENTROPY_C
 
 #endif /* ESP_TEE_MBEDTLS_CONFIG_H */

docs/en/security/tee/tee-advanced.rst

@@ -164,6 +164,7 @@ The following peripherals are protected using the APM module and accessible only
 
     - Access Permission Management (APM) peripheral
     - AES, SHA accelerators
+    - ECC accelerator
     - Hash-Based Message Authentication Code (HMAC) module
     - Digital Signature module
     - eFuse Controller
@@ -176,7 +177,6 @@ The following peripherals are protected using the APM module and accessible only
   -  The following peripherals will be secured in future releases -
 
      - MPI accelerator (RSA)
-     - ECC accelerator
 
 Firmware
 ^^^^^^^^