espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-08-07 22:54:33 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat(esp_tee): Make the attestation service configurable

Browse Source
This commit is contained in:
Laukik Hase
2024-12-19 17:42:22 +05:30
parent 4d9358703a
commit a91f89026c
17 changed files with 129 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
components/esp_tee/Kconfig.projbuild
View File

@@ -59,44 +59,56 @@ menu "ESP-TEE (Trusted Execution Environment)"
endmenu
choice SECURE_TEE_SEC_STG_MODE
prompt "Secure Storage: Mode"
menu "Secure Services"
depends on SECURE_ENABLE_TEE
default SECURE_TEE_SEC_STG_MODE_DEVELOPMENT
help
Select the TEE secure storage mode
config SECURE_TEE_SEC_STG_MODE_DEVELOPMENT
bool "Development"
choice SECURE_TEE_SEC_STG_MODE
prompt "Secure Storage: Mode"
depends on SECURE_ENABLE_TEE
default SECURE_TEE_SEC_STG_MODE_DEVELOPMENT
help
Secure storage will be encrypted by the data stored in eFuse BLK2
Select the TEE secure storage mode
config SECURE_TEE_SEC_STG_MODE_RELEASE
depends on IDF_TARGET_ESP32C6
bool "Release"
config SECURE_TEE_SEC_STG_MODE_DEVELOPMENT
bool "Development"
help
Secure storage will be encrypted by the data stored in eFuse BLK2
config SECURE_TEE_SEC_STG_MODE_RELEASE
depends on IDF_TARGET_ESP32C6
bool "Release"
help
Secure storage will be encrypted by the data stored in eFuse block
configured through the SECURE_TEE_SEC_STG_KEY_EFUSE_BLK option
endchoice
config SECURE_TEE_SEC_STG_KEY_EFUSE_BLK
int "Secure Storage: Encryption key eFuse block"
depends on SECURE_TEE_SEC_STG_MODE_RELEASE
range 4 10
default 10
help
Secure storage will be encrypted by the data stored in eFuse block
configured through the SECURE_TEE_SEC_STG_KEY_EFUSE_BLK option
eFuse block ID storing the TEE secure storage encryption key
endchoice
config SECURE_TEE_ATTESTATION
bool "Enable Attestation"
default y
help
This configuration enables the support for the Attestation service.
config SECURE_TEE_SEC_STG_KEY_EFUSE_BLK
int "Secure Storage: Encryption key eFuse block"
depends on SECURE_TEE_SEC_STG_MODE_RELEASE
range 4 10
default 10
help
eFuse block ID storing the TEE secure storage encryption key
config SECURE_TEE_ATT_KEY_SLOT_ID
depends on SECURE_ENABLE_TEE
int "Attestation: Secure Storage slot ID for EAT signing"
default 0
range 0 14
help
This configuration sets the slot ID from the TEE secure storage
storing the ECDSA keypair for executing sign/verify operations
from the TEE side (E.g. Attestation)
config SECURE_TEE_ATT_KEY_SLOT_ID
depends on SECURE_TEE_ATTESTATION
int "Attestation: Secure Storage slot ID for EAT signing"
default 0
range 0 14
help
This configuration sets the slot ID from the TEE secure storage
storing the ECDSA keypair for executing sign/verify operations
from the TEE side for attestation.
endmenu
config SECURE_TEE_DEBUG_MODE
bool "Enable Debug Mode"

1
components/esp_tee/scripts/esp32c6/secure_service.tbl
View File

@@ -43,4 +43,3 @@
41 custom esp_tee_sec_storage_decrypt 8
42 custom esp_tee_sec_storage_is_slot_empty 1
43 custom esp_tee_sec_storage_clear_slot 1
44 custom esp_tee_att_generate_token 6

2
components/esp_tee/subproject/CMakeLists.txt
View File

@@ -25,7 +25,7 @@ set(ESP_TEE_BUILD 1)
set(NON_OS_BUILD 1)
# TEE-specific components
list(APPEND COMPONENTS tee_flash_mgr tee_ota_ops tee_sec_storage attestation)
list(APPEND COMPONENTS tee_flash_mgr tee_ota_ops tee_sec_storage tee_attestation)
# Include sdkconfig.h derived from the parent build.
include_directories(${CONFIG_DIR})

2
components/esp_tee/subproject/components/attestation/private_include/esp_attestation_utils.h
View File

@@ -41,7 +41,7 @@ extern "C" {
#define ESP_ATT_TK_MIN_SIZE (ESP_ATT_HDR_JSON_MAX_SZ + ESP_ATT_EAT_JSON_MAX_SZ + ESP_ATT_PUBKEY_JSON_MAX_SZ + ESP_ATT_SIGN_JSON_MAX_SZ)
#if ESP_TEE_BUILD
#if ESP_TEE_BUILD && CONFIG_SECURE_TEE_ATTESTATION
#define ESP_ATT_TK_KEY_ID (CONFIG_SECURE_TEE_ATT_KEY_SLOT_ID)
#else
#define ESP_ATT_TK_KEY_ID (-1)

14
components/esp_tee/subproject/components/tee_attestation/CMakeLists.txt
View File

@@ -1,13 +1,17 @@
idf_build_get_property(esp_tee_build ESP_TEE_BUILD)
if(esp_tee_build)
return()
endif()
set(srcs "esp_tee_attestation.c")
set(srcs)
set(include_dirs ".")
set(priv_requires esp_tee)
if(esp_tee_build)
list(APPEND priv_requires attestation main)
endif()
if(CONFIG_SECURE_TEE_ATTESTATION)
list(APPEND srcs "esp_tee_attestation.c")
endif()
idf_component_register(SRCS ${srcs}
INCLUDE_DIRS ${include_dirs}
PRIV_REQUIRES ${priv_requires})

5
components/esp_tee/subproject/components/tee_attestation/esp_tee_att.cmake Normal file
View File

@@ -0,0 +1,5 @@
# This file must be manually included in the project's top level CMakeLists.txt before project()
# This ensures that the variables are set before TEE starts building
# Append secure service table consisting of secure services
idf_build_set_property(CUSTOM_SECURE_SERVICE_TBL ${CMAKE_CURRENT_LIST_DIR}/esp_tee_att.tbl APPEND)

2
components/esp_tee/subproject/components/tee_attestation/esp_tee_att.tbl Normal file
View File

@@ -0,0 +1,2 @@
# SS no. API type Function Args
101 custom esp_tee_att_generate_token 6

30
components/esp_tee/subproject/components/tee_attestation/esp_tee_attestation.c
View File

@@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@@ -12,6 +12,12 @@
#include "esp_log.h"
#include "esp_err.h"
#if ESP_TEE_BUILD
#include "esp_fault.h"
#include "esp_tee_memory_utils.h"
#include "esp_attestation.h"
#endif
#include "esp_tee.h"
#include "secure_service_num.h"
@@ -19,9 +25,31 @@
static __attribute__((unused)) const char *TAG = "esp_tee_att";
#if ESP_TEE_BUILD
esp_err_t _ss_esp_tee_att_generate_token(const uint32_t nonce, const uint32_t client_id, const char *psa_cert_ref,
uint8_t *token_buf, const size_t token_buf_size, uint32_t *token_len)
{
bool valid_addr = (esp_tee_ptr_in_ree((void *)psa_cert_ref) &&
esp_tee_ptr_in_ree((void *)token_buf) &&
esp_tee_ptr_in_ree((void *)token_len));
valid_addr &= (esp_tee_ptr_in_ree((void *)((char *)psa_cert_ref + 20)) &&
esp_tee_ptr_in_ree((void *)((char *)token_buf + token_buf_size)));
if (!valid_addr) {
return ESP_ERR_INVALID_ARG;
}
ESP_FAULT_ASSERT(valid_addr);
return esp_att_generate_token(nonce, client_id, psa_cert_ref, token_buf, token_buf_size, token_len);
}
#else
esp_err_t esp_tee_att_generate_token(const uint32_t nonce, const uint32_t client_id, const char *psa_cert_ref,
uint8_t *token_buf, const size_t token_buf_size, uint32_t *token_len)
{
return (esp_err_t)esp_tee_service_call_with_noniram_intr_disabled(7, SS_ESP_TEE_ATT_GENERATE_TOKEN, nonce, client_id,
psa_cert_ref, token_buf, token_buf_size, token_len);
}
#endif

20
components/esp_tee/subproject/main/core/esp_secure_services.c
View File

@@ -434,26 +434,8 @@ esp_err_t _ss_esp_tee_sec_storage_clear_slot(uint16_t slot_id)
return esp_tee_sec_storage_clear_slot(slot_id);
}
/* ---------------------------------------------- Attestation ------------------------------------------------- */
esp_err_t _ss_esp_tee_att_generate_token(const uint32_t nonce, const uint32_t client_id, const char *psa_cert_ref,
uint8_t *token_buf, const size_t token_buf_size, uint32_t *token_len)
{
bool valid_addr = (is_valid_ree_address((void *)psa_cert_ref) && is_valid_ree_address((void *)token_buf) &&
is_valid_ree_address((void *)token_len));
valid_addr &= (is_valid_ree_address((void *)((char *)psa_cert_ref + 32)) && is_valid_ree_address((void *)((char *)token_buf + token_buf_size)));
if (!valid_addr) {
return ESP_ERR_INVALID_ARG;
}
ESP_FAULT_ASSERT(valid_addr);
return esp_att_generate_token(nonce, client_id, psa_cert_ref, token_buf, token_buf_size, token_len);
}
/* ---------------------------------------------- MMU HAL ------------------------------------------------- */
void _ss_mmu_hal_map_region(uint32_t mmu_id, mmu_target_t mem_type, uint32_t vaddr,
uint32_t paddr, uint32_t len, uint32_t *out_len)
{

4
components/esp_tee/test_apps/tee_cli_app/CMakeLists.txt
View File

@@ -13,4 +13,8 @@ list(APPEND EXTRA_COMPONENT_DIRS $ENV{IDF_PATH}/components/esp_tee/subproject/co
$ENV{IDF_PATH}/components/esp_tee/subproject/components/tee_sec_storage)
include($ENV{IDF_PATH}/tools/cmake/project.cmake)
# Including the attestation service calls
include($ENV{IDF_PATH}/components/esp_tee/subproject/components/tee_attestation/esp_tee_att.cmake)
project(tee_cli)

1
components/esp_tee/test_apps/tee_test_fw/CMakeLists.txt
View File

@@ -14,5 +14,6 @@ list(APPEND EXTRA_COMPONENT_DIRS $ENV{IDF_PATH}/tools/unit-test-app/components
include($ENV{IDF_PATH}/tools/cmake/project.cmake)
include(${CMAKE_CURRENT_LIST_DIR}/components/test_sec_srv/test_tee_project.cmake)
include($ENV{IDF_PATH}/components/esp_tee/subproject/components/tee_attestation/esp_tee_att.cmake)
project(esp_tee_test)

34
components/esp_tee/test_apps/tee_test_fw/components/test_sec_srv/test.tbl
View File

@@ -1,18 +1,18 @@
# SS no. API type Function Args
101 custom esp_tee_service_add 6
102 custom esp_tee_service_sub 6
103 custom esp_tee_service_mul 6
104 custom esp_tee_service_div 6
105 custom esp_tee_test_timer_init 6
106 custom esp_tee_secure_int_test 6
107 custom esp_tee_non_secure_int_test 6
108 custom esp_tee_test_int_count 6
109 custom esp_tee_test_resv_reg1_write_violation 0
110 custom esp_tee_test_resv_reg1_exec_violation 0
111 custom esp_tee_test_iram_reg1_write_violation 0
112 custom esp_tee_test_iram_reg2_write_violation 0
113 custom esp_tee_test_dram_reg1_exec_violation 0
114 custom esp_tee_test_dram_reg2_exec_violation 0
115 custom esp_tee_test_illegal_instruction 0
201 custom dummy_secure_service 6
202 custom add_in_loop 6
201 custom esp_tee_service_add 6
202 custom esp_tee_service_sub 6
203 custom esp_tee_service_mul 6
204 custom esp_tee_service_div 6
205 custom esp_tee_test_timer_init 6
206 custom esp_tee_secure_int_test 6
207 custom esp_tee_non_secure_int_test 6
208 custom esp_tee_test_int_count 6
209 custom esp_tee_test_resv_reg1_write_violation 0
210 custom esp_tee_test_resv_reg1_exec_violation 0
211 custom esp_tee_test_iram_reg1_write_violation 0
212 custom esp_tee_test_iram_reg2_write_violation 0
213 custom esp_tee_test_dram_reg1_exec_violation 0
214 custom esp_tee_test_dram_reg2_exec_violation 0
215 custom esp_tee_test_illegal_instruction 0
216 custom dummy_secure_service 6
217 custom add_in_loop 6

5
components/esp_tee/test_apps/tee_test_fw/main/CMakeLists.txt
View File

@@ -13,9 +13,12 @@ list(APPEND srcs "test_esp_tee_ctx_switch.c"
"test_esp_tee_panic.c"
"test_esp_tee_sec_stg.c"
"test_esp_tee_ota.c"
"test_esp_tee_att.c"
"test_esp_tee_flash_prot.c")
if(CONFIG_SECURE_TEE_ATTESTATION)
list(APPEND srcs "test_esp_tee_att.c")
endif()
set(mbedtls_test_srcs_dir "${idf_path}/components/mbedtls/test_apps/main")
# AES

8
docs/en/security/tee/tee-attestation.rst
View File

@@ -10,6 +10,10 @@ Thus, the attestation service is employed by the device to communicate evidence
To ensure security, the EAT is cryptographically protected. The remote relying party can then verify the authenticity of the EAT and make decisions about engaging with the device based on its contents.
.. note::
- Support for Attestation can be toggled using the option :ref:`CONFIG_SECURE_TEE_ATTESTATION` (enabled by default).
Attestation Flow
----------------
@@ -251,6 +255,8 @@ API Reference
.. note::
To use the TEE Attestation APIs into your project, ensure the :component:`tee_attestation <esp_tee/subproject/components/tee_attestation>` component is included by setting ``EXTRA_COMPONENT_DIRS`` in your project's ``CMakeLists.txt`` file, as shown in the :example:`tee_attestation <security/tee/tee_attestation>` example. For more information, refer to the :ref:`optional_project_variable` section from the :doc:`Build System </api-guides/build-system>` documentation.
- To use the TEE Attestation APIs into your project, ensure the :component:`tee_attestation <esp_tee/subproject/components/tee_attestation>` component is included by setting ``EXTRA_COMPONENT_DIRS`` in your project's ``CMakeLists.txt`` file, as shown in the :example:`tee_attestation <security/tee/tee_attestation>` example. For more information, refer to the :ref:`optional_project_variable` section from the :doc:`Build System </api-guides/build-system>` documentation.
- Additionally, the component-specific :component_file:`CMake <esp_tee/subproject/components/tee_attestation/esp_tee_att.cmake>` file needs to be included in the top-level ``CMakeLists.txt`` of your project before calling the ``project()`` command to integrate the corresponding service calls into the project.
.. include-build-file:: inc/esp_tee_attestation.inc

4
examples/security/tee/tee_attestation/CMakeLists.txt
View File

@@ -8,4 +8,8 @@ cmake_minimum_required(VERSION 3.16)
list(APPEND EXTRA_COMPONENT_DIRS $ENV{IDF_PATH}/components/esp_tee/subproject/components/tee_attestation)
include($ENV{IDF_PATH}/tools/cmake/project.cmake)
# Including the attestation service calls
include($ENV{IDF_PATH}/components/esp_tee/subproject/components/tee_attestation/esp_tee_att.cmake)
project(tee_attestation)

1
examples/security/tee/tee_basic/CMakeLists.txt
View File

@@ -4,6 +4,7 @@ cmake_minimum_required(VERSION 3.16)
include($ENV{IDF_PATH}/tools/cmake/project.cmake)
# Including the example service calls
include(${CMAKE_CURRENT_LIST_DIR}/components/example_secure_service/tee_project.cmake)
project(tee_basic)

1
examples/security/tee/tee_basic/sdkconfig.defaults
View File

@@ -1,3 +1,4 @@
# Enabling TEE
CONFIG_SECURE_ENABLE_TEE=y
CONFIG_PARTITION_TABLE_SINGLE_APP_TEE=y
CONFIG_SECURE_TEE_ATTESTATION=n