diff --git a/components/esp_tee/subproject/main/core/esp_secure_services_iram.c b/components/esp_tee/subproject/main/core/esp_secure_services_iram.c
index ffa5110662..17b2bc2e61 100644
--- a/components/esp_tee/subproject/main/core/esp_secure_services_iram.c
+++ b/components/esp_tee/subproject/main/core/esp_secure_services_iram.c
@@ -212,6 +212,11 @@ uint32_t _ss_spi_flash_hal_check_status(spi_flash_host_inst_t *host)
 esp_err_t _ss_spi_flash_hal_common_command(spi_flash_host_inst_t *host, spi_flash_trans_t *trans)
 {
+ bool paddr_chk = esp_tee_flash_check_paddr_in_tee_region(trans->address);
+ if (paddr_chk) {
+ ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, trans->address);
+ return ESP_FAIL;
+ }
 return spi_flash_hal_common_command(host, trans);
 }
diff --git a/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_flash_prot.c b/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_flash_prot.c
index c6172ea3e0..7c5d3cb9b9 100644
--- a/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_flash_prot.c
+++ b/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_flash_prot.c
@@ -125,13 +125,13 @@ static void test_esp_partition_api_w(const esp_partition_t *part)
 TEST_ASSERT_NOT_NULL(part);
 uint8_t buf_w[128];
 memset(buf_w, 0xA5, sizeof(buf_w));
- TEST_ESP_OK(esp_partition_write(part, 0x00, buf_w, sizeof(buf_w)));
+ TEST_ESP_ERR(ESP_FAIL, esp_partition_write(part, 0x00, buf_w, sizeof(buf_w)));
 }
 static void test_esp_partition_api_e(const esp_partition_t *part)
 {
 TEST_ASSERT_NOT_NULL(part);
- TEST_ESP_OK(esp_partition_erase_range(part, 0x00, SPI_FLASH_SEC_SIZE));
+ TEST_ESP_ERR(ESP_FAIL, esp_partition_erase_range(part, 0x00, SPI_FLASH_SEC_SIZE));
 }
 static void test_esp_partition_api(void)
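Review bot: In `_ss_spi_flash_hal_common_command`, `trans->address` is read for the region check and the same `trans` pointer is then handed to `spi_flash_hal_common_command`, which presumably reads the address again. If `trans` points at memory the caller can still modify while the service runs (not visible in this hunk), the value checked and the value used can differ, so the check is safer on a TEE-local copy: `spi_flash_trans_t t = *trans;`, test `t.address`, then `return spi_flash_hal_common_command(host, &t);`, provided the HAL does not write back into the struct. The check also looks only at the start address of the transaction; a one-line comment saying why a single-address check is sufficient for the commands routed through this service would help the next reviewer.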
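Review bot: `TEST_ESP_ERR(ESP_FAIL, ...)` in `test_esp_partition_api_w` and `test_esp_partition_api_e` accepts any generic failure, so on the device side these cases cannot tell a TEE rejection from an unrelated write or erase error; the same holds for `test_esp_flash_api_w` and `test_esp_flash_api_e` in the `-229` hunk. If the distinction rests on the host script matching the "Illegal flash access" log line, say so next to the assertion, e.g. `/* ESP_FAIL: rejected by the TEE flash service; the host test matches the log line */`. The opening brace of `test_esp_partition_api_w` is outside the hunk.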
@@ -229,12 +229,12 @@ static void test_esp_flash_api_w(uint32_t paddr)
 {
 uint8_t buf_w[128];
 memset(buf_w, 0xA5, sizeof(buf_w));
- TEST_ESP_OK(esp_flash_write(NULL, buf_w, paddr, sizeof(buf_w)));
+ TEST_ESP_ERR(ESP_FAIL, esp_flash_write(NULL, buf_w, paddr, sizeof(buf_w)));
 }
 static void test_esp_flash_api_e(uint32_t paddr)
 {
- TEST_ESP_OK(esp_flash_erase_region(NULL, paddr, SPI_FLASH_SEC_SIZE));
+ TEST_ESP_ERR(ESP_FAIL, esp_flash_erase_region(NULL, paddr, SPI_FLASH_SEC_SIZE));
 }
 static void test_esp_flash_api(void)
diff --git a/components/esp_tee/test_apps/tee_test_fw/pytest_esp_tee_ut.py b/components/esp_tee/test_apps/tee_test_fw/pytest_esp_tee_ut.py
index 6b4654e79e..958a9ff053 100644
--- a/components/esp_tee/test_apps/tee_test_fw/pytest_esp_tee_ut.py
+++ b/components/esp_tee/test_apps/tee_test_fw/pytest_esp_tee_ut.py
@@ -1,5 +1,6 @@
 # SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
 # SPDX-License-Identifier: Apache-2.0
+import re
 from enum import Enum
 from typing import Dict
 from typing import Tuple
@@ -20,7 +21,7 @@ CONFIG_DEFAULT = [
 CONFIG_OTA = [
 # 'config, target, skip_autoflash, markers',
- ('ota', target, 'y', (pytest.mark.generic,))
+ ('ota', target, 'y', (pytest.mark.host_test,))
 for target in SUPPORTED_TARGETS
 ]
@@ -198,8 +199,18 @@ def expect_panic_rsn(dut: IdfDut, expected_rsn: str) -> None:
 def run_multiple_stages(dut: IdfDut, test_case_num: int, stages: int, api: TeeFlashAccessApi) -> None:
 expected_ops = {
- TeeFlashAccessApi.ESP_PARTITION: ['read', 'program_page', 'program_page', 'erase_sector'],
- TeeFlashAccessApi.ESP_FLASH: ['program_page', 'read', 'erase_sector', 'program_page'],
+ TeeFlashAccessApi.ESP_PARTITION: [
+ 'read',
+ 'program_page|common_command',
+ 'program_page|common_command',
+ 'erase_sector|common_command',
+ ],
+ TeeFlashAccessApi.ESP_FLASH: [
+ 'program_page|common_command',
+ 'read',
+ 'erase_sector|common_command',
+ 'program_page|common_command',
+ ],
 }
 flash_enc_enabled = dut.app.sdkconfig.get('SECURE_FLASH_ENC_ENABLED', True)
@@ -225,7 +236,7 @@ def run_multiple_stages(dut: IdfDut, test_case_num: int, stages: int, api: TeeFl
 r'\[_ss_spi_flash_hal_(\w+)\] Illegal flash access at \s*(0x[0-9a-fA-F]+)', timeout=10
 )
 actual_op = match.group(1).decode()
- if actual_op != curr_op:
+ if not re.fullmatch(curr_op, actual_op):
 raise RuntimeError(f'Unexpected flash operation: {actual_op} (expected: {curr_op})')
 elif api == TeeFlashAccessApi.ESP_ROM_SPIFLASH:
 expect_panic_rsn(dut, 'APM - Authority exception')
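Review bot: The `expected_ops` entries are now regular expressions passed to `re.fullmatch(curr_op, actual_op)`, but nothing in `run_multiple_stages` says so, and the alternation lets either the dedicated name or `common_command` pass at every write and erase stage, so the test no longer shows which service rejected the access. A comment above the dict such as `# each entry is a regex; a write or erase may be rejected in its own service or in common_command` would record the intent, and if the rejecting path is known per configuration (for instance from `flash_enc_enabled`, read just below) the expected name could be selected exactly instead. Storing the alternatives as a tuple and testing `if actual_op not in curr_op:` would avoid treating test data as patterns. The body of `run_multiple_stages` continues outside both hunks.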