feat(esp_security): Add a TEE-specific crypto lock layer with stub implementations

components/esp_security/CMakeLists.txt

@@ -32,7 +32,7 @@ if(NOT non_os_build)
     list(APPEND srcs "src/esp_crypto_lock.c" "src/esp_crypto_periph_clk.c")
     list(APPEND priv_requires efuse esp_hw_support esp_system esp_timer)
 elseif(esp_tee_build)
-    list(APPEND srcs "src/esp_crypto_periph_clk.c")
+    list(APPEND srcs "src/esp_crypto_lock.c" "src/esp_crypto_periph_clk.c")
     list(APPEND includes "src/${IDF_TARGET}")
     list(APPEND priv_requires esp_hw_support)
 endif()

components/esp_security/src/esp_crypto_lock.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -18,6 +18,7 @@ DS: needs HMAC (which needs SHA), AES and MPI
 ECDSA: needs ECC and MPI
 */
 
+#if !NON_OS_BUILD
 #ifdef SOC_DIG_SIGN_SUPPORTED
 /* Lock for DS peripheral */
 static _lock_t s_crypto_ds_lock;
@@ -162,3 +163,52 @@ void esp_crypto_key_manager_lock_release(void)
     _lock_release(&s_crypto_key_manager_lock);
 }
 #endif /* SOC_KEY_MANAGER_SUPPORTED */
+#else /* NON_OS_BUILD */
+#ifdef SOC_HMAC_SUPPORTED
+void esp_crypto_hmac_lock_acquire(void) {}
+
+void esp_crypto_hmac_lock_release(void) {}
+#endif /* SOC_HMAC_SUPPORTED */
+
+#ifdef SOC_DIG_SIGN_SUPPORTED
+void esp_crypto_ds_lock_acquire(void) {}
+
+void esp_crypto_ds_lock_release(void) {}
+#endif /* SOC_DIG_SIGN_SUPPORTED */
+
+#if defined(SOC_SHA_SUPPORTED) || defined(SOC_AES_SUPPORTED)
+void esp_crypto_sha_aes_lock_acquire(void) {}
+
+void esp_crypto_sha_aes_lock_release(void) {}
+#endif /* defined(SOC_SHA_SUPPORTED) || defined(SOC_AES_SUPPORTED) */
+
+#if defined(SOC_SHA_CRYPTO_DMA) || defined(SOC_AES_CRYPTO_DMA)
+void esp_crypto_dma_lock_acquire(void) {}
+
+void esp_crypto_dma_lock_release(void) {}
+#endif /* defined(SOC_SHA_CRYPTO_DMA) || defined(SOC_AES_CRYPTO_DMA) */
+
+#ifdef SOC_MPI_SUPPORTED
+void esp_crypto_mpi_lock_acquire(void) {}
+
+void esp_crypto_mpi_lock_release(void) {}
+#endif /* SOC_MPI_SUPPORTED */
+
+#ifdef SOC_ECC_SUPPORTED
+void esp_crypto_ecc_lock_acquire(void) {}
+
+void esp_crypto_ecc_lock_release(void) {}
+#endif /* SOC_ECC_SUPPORTED */
+
+#ifdef SOC_ECDSA_SUPPORTED
+void esp_crypto_ecdsa_lock_acquire(void) {}
+
+void esp_crypto_ecdsa_lock_release(void) {}
+#endif /* SOC_ECDSA_SUPPORTED */
+
+#ifdef SOC_KEY_MANAGER_SUPPORTED
+void esp_crypto_key_manager_lock_acquire(void) {}
+
+void esp_crypto_key_manager_lock_release(void) {}
+#endif /* SOC_KEY_MANAGER_SUPPORTED */
+#endif /* !NON_OS_BUILD */

components/mbedtls/port/aes/dma/esp_aes.c

@@ -35,13 +35,8 @@
 #include "esp_crypto_periph_clk.h"
 
 #if SOC_AES_GDMA
-#if !ESP_TEE_BUILD
 #define AES_LOCK() esp_crypto_sha_aes_lock_acquire()
 #define AES_RELEASE() esp_crypto_sha_aes_lock_release()
-#else
-#define AES_LOCK()
-#define AES_RELEASE()
-#endif
 #elif SOC_AES_CRYPTO_DMA
 #define AES_LOCK() esp_crypto_dma_lock_acquire()
 #define AES_RELEASE() esp_crypto_dma_lock_release()

components/mbedtls/port/sha/core/sha.c

@@ -52,14 +52,6 @@
 #endif
 #endif /* SOC_SHA_SUPPORT_DMA */
 
-#if !ESP_TEE_BUILD
-#define SHA_LOCK()    esp_crypto_sha_aes_lock_acquire()
-#define SHA_RELEASE() esp_crypto_sha_aes_lock_release()
-#else
-#define SHA_LOCK()
-#define SHA_RELEASE()
-#endif
-
 void esp_sha_write_digest_state(esp_sha_type sha_type, void *digest_state)
 {
     sha_hal_write_digest(sha_type, digest_state);
@@ -99,7 +91,7 @@ inline static size_t block_length(esp_sha_type type)
 void esp_sha_acquire_hardware(void)
 {
     /* Released when releasing hw with esp_sha_release_hardware() */
-    SHA_LOCK();
+    esp_crypto_sha_aes_lock_acquire();
     esp_crypto_sha_enable_periph_clk(true);
 }
 
@@ -107,7 +99,7 @@ void esp_sha_acquire_hardware(void)
 void esp_sha_release_hardware(void)
 {
     esp_crypto_sha_enable_periph_clk(false);
-    SHA_RELEASE();
+    esp_crypto_sha_aes_lock_release();
 }
 
 void esp_sha_block(esp_sha_type sha_type, const void *data_block, bool is_first_block)