From 1c4969bc476c41462f182b75fbddf643fe8f3b04 Mon Sep 17 00:00:00 2001 From: Laukik Hase Date: Thu, 10 Apr 2025 11:42:11 +0530 Subject: [PATCH] feat(esp_security): Add a TEE-specific crypto lock layer with stub implementations --- components/esp_security/CMakeLists.txt | 2 +- components/esp_security/src/esp_crypto_lock.c | 52 ++++++++++++++++++- components/mbedtls/port/aes/dma/esp_aes.c | 5 -- components/mbedtls/port/sha/core/sha.c | 12 +---- 4 files changed, 54 insertions(+), 17 deletions(-) diff --git a/components/esp_security/CMakeLists.txt b/components/esp_security/CMakeLists.txt index af523cc28a..39004e9bb8 100644 --- a/components/esp_security/CMakeLists.txt +++ b/components/esp_security/CMakeLists.txt @@ -32,7 +32,7 @@ if(NOT non_os_build) list(APPEND srcs "src/esp_crypto_lock.c" "src/esp_crypto_periph_clk.c") list(APPEND priv_requires efuse esp_hw_support esp_system esp_timer) elseif(esp_tee_build) - list(APPEND srcs "src/esp_crypto_periph_clk.c") + list(APPEND srcs "src/esp_crypto_lock.c" "src/esp_crypto_periph_clk.c") list(APPEND includes "src/${IDF_TARGET}") list(APPEND priv_requires esp_hw_support) endif() diff --git a/components/esp_security/src/esp_crypto_lock.c b/components/esp_security/src/esp_crypto_lock.c index 0712c1acbb..0d3050910a 100644 --- a/components/esp_security/src/esp_crypto_lock.c +++ b/components/esp_security/src/esp_crypto_lock.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -18,6 +18,7 @@ DS: needs HMAC (which needs SHA), AES and MPI ECDSA: needs ECC and MPI */ +#if !NON_OS_BUILD #ifdef SOC_DIG_SIGN_SUPPORTED /* Lock for DS peripheral */ static _lock_t s_crypto_ds_lock; @@ -162,3 +163,52 @@ void esp_crypto_key_manager_lock_release(void) _lock_release(&s_crypto_key_manager_lock); } #endif /* SOC_KEY_MANAGER_SUPPORTED */ +#else /* NON_OS_BUILD */ +#ifdef SOC_HMAC_SUPPORTED +void esp_crypto_hmac_lock_acquire(void) {} + +void esp_crypto_hmac_lock_release(void) {} +#endif /* SOC_HMAC_SUPPORTED */ + +#ifdef SOC_DIG_SIGN_SUPPORTED +void esp_crypto_ds_lock_acquire(void) {} + +void esp_crypto_ds_lock_release(void) {} +#endif /* SOC_DIG_SIGN_SUPPORTED */ + +#if defined(SOC_SHA_SUPPORTED) || defined(SOC_AES_SUPPORTED) +void esp_crypto_sha_aes_lock_acquire(void) {} + +void esp_crypto_sha_aes_lock_release(void) {} +#endif /* defined(SOC_SHA_SUPPORTED) || defined(SOC_AES_SUPPORTED) */ + +#if defined(SOC_SHA_CRYPTO_DMA) || defined(SOC_AES_CRYPTO_DMA) +void esp_crypto_dma_lock_acquire(void) {} + +void esp_crypto_dma_lock_release(void) {} +#endif /* defined(SOC_SHA_CRYPTO_DMA) || defined(SOC_AES_CRYPTO_DMA) */ + +#ifdef SOC_MPI_SUPPORTED +void esp_crypto_mpi_lock_acquire(void) {} + +void esp_crypto_mpi_lock_release(void) {} +#endif /* SOC_MPI_SUPPORTED */ + +#ifdef SOC_ECC_SUPPORTED +void esp_crypto_ecc_lock_acquire(void) {} + +void esp_crypto_ecc_lock_release(void) {} +#endif /* SOC_ECC_SUPPORTED */ + +#ifdef SOC_ECDSA_SUPPORTED +void esp_crypto_ecdsa_lock_acquire(void) {} + +void esp_crypto_ecdsa_lock_release(void) {} +#endif /* SOC_ECDSA_SUPPORTED */ + +#ifdef SOC_KEY_MANAGER_SUPPORTED +void esp_crypto_key_manager_lock_acquire(void) {} + +void esp_crypto_key_manager_lock_release(void) {} +#endif /* SOC_KEY_MANAGER_SUPPORTED */ +#endif /* !NON_OS_BUILD */ diff --git a/components/mbedtls/port/aes/dma/esp_aes.c b/components/mbedtls/port/aes/dma/esp_aes.c index e6b6f69d1b..696168a9c3 100644 --- a/components/mbedtls/port/aes/dma/esp_aes.c +++ b/components/mbedtls/port/aes/dma/esp_aes.c @@ -35,13 +35,8 @@ #include "esp_crypto_periph_clk.h" #if SOC_AES_GDMA -#if !ESP_TEE_BUILD #define AES_LOCK() esp_crypto_sha_aes_lock_acquire() #define AES_RELEASE() esp_crypto_sha_aes_lock_release() -#else -#define AES_LOCK() -#define AES_RELEASE() -#endif #elif SOC_AES_CRYPTO_DMA #define AES_LOCK() esp_crypto_dma_lock_acquire() #define AES_RELEASE() esp_crypto_dma_lock_release() diff --git a/components/mbedtls/port/sha/core/sha.c b/components/mbedtls/port/sha/core/sha.c index 369e39b745..a573a79d3a 100644 --- a/components/mbedtls/port/sha/core/sha.c +++ b/components/mbedtls/port/sha/core/sha.c @@ -52,14 +52,6 @@ #endif #endif /* SOC_SHA_SUPPORT_DMA */ -#if !ESP_TEE_BUILD -#define SHA_LOCK() esp_crypto_sha_aes_lock_acquire() -#define SHA_RELEASE() esp_crypto_sha_aes_lock_release() -#else -#define SHA_LOCK() -#define SHA_RELEASE() -#endif - void esp_sha_write_digest_state(esp_sha_type sha_type, void *digest_state) { sha_hal_write_digest(sha_type, digest_state); @@ -99,7 +91,7 @@ inline static size_t block_length(esp_sha_type type) void esp_sha_acquire_hardware(void) { /* Released when releasing hw with esp_sha_release_hardware() */ - SHA_LOCK(); + esp_crypto_sha_aes_lock_acquire(); esp_crypto_sha_enable_periph_clk(true); } @@ -107,7 +99,7 @@ void esp_sha_acquire_hardware(void) void esp_sha_release_hardware(void) { esp_crypto_sha_enable_periph_clk(false); - SHA_RELEASE(); + esp_crypto_sha_aes_lock_release(); } void esp_sha_block(esp_sha_type sha_type, const void *data_block, bool is_first_block)