diff --git a/components/esp_app_format/esp_app_desc.c b/components/esp_app_format/esp_app_desc.c index 302250b179..6b68b618d0 100644 --- a/components/esp_app_format/esp_app_desc.c +++ b/components/esp_app_format/esp_app_desc.c @@ -13,7 +13,7 @@ #include "esp_log.h" // startup_internal.h is necessary for startup function definition, which does not exist on Linux (TODO: IDF-9950) -#if !CONFIG_IDF_TARGET_LINUX +#if !CONFIG_IDF_TARGET_LINUX && !ESP_TEE_BUILD #include "esp_private/startup_internal.h" static const char *TAG = "app_init"; @@ -118,7 +118,7 @@ int esp_app_get_elf_sha256(char* dst, size_t size) // startup function definition and execution does not exist on the Linux target // (TODO: IDF-9950) -#if !CONFIG_IDF_TARGET_LINUX +#if !CONFIG_IDF_TARGET_LINUX && !ESP_TEE_BUILD ESP_SYSTEM_INIT_FN(init_show_app_info, CORE, BIT(0), 20) { // Load the current ELF SHA256 diff --git a/components/esp_partition/include/esp_partition.h b/components/esp_partition/include/esp_partition.h index d53d0cbaac..2636bf3106 100644 --- a/components/esp_partition/include/esp_partition.h +++ b/components/esp_partition/include/esp_partition.h @@ -95,6 +95,11 @@ typedef enum { ESP_PARTITION_SUBTYPE_APP_OTA_MAX = ESP_PARTITION_SUBTYPE_APP_OTA_MIN + 16,//!< Max subtype of OTA partition ESP_PARTITION_SUBTYPE_APP_TEST = 0x20, //!< Test application partition + ESP_PARTITION_SUBTYPE_APP_TEE_MIN = 0x30, //!< Base for TEE partition subtypes + ESP_PARTITION_SUBTYPE_APP_TEE_0 = ESP_PARTITION_SUBTYPE_APP_TEE_MIN + 0, //!< TEE partition 0 + ESP_PARTITION_SUBTYPE_APP_TEE_1 = ESP_PARTITION_SUBTYPE_APP_TEE_MIN + 1, //!< TEE partition 1 + ESP_PARTITION_SUBTYPE_APP_TEE_MAX = ESP_PARTITION_SUBTYPE_APP_TEE_1, //!< Max subtype of TEE partition + ESP_PARTITION_SUBTYPE_DATA_OTA = 0x00, //!< OTA selection partition ESP_PARTITION_SUBTYPE_DATA_PHY = 0x01, //!< PHY init data partition ESP_PARTITION_SUBTYPE_DATA_NVS = 0x02, //!< NVS partition 
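Review bot: The comments above both changed guards in esp_app_desc.c still give only the Linux target as the reason, while the new condition `#if !CONFIG_IDF_TARGET_LINUX && !ESP_TEE_BUILD` also removes the startup include and `init_show_app_info` from TEE builds. Extending each comment, for example `// ... does not exist on Linux (TODO: IDF-9950) or in the ESP-TEE image`, would keep the reason next to the guard. This applies to the hunk at line 13 and the one at line 118. Why the TEE image has no startup function is not visible in this diff, so the author should confirm the wording.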
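Review bot: `ESP_PARTITION_SUBTYPE_APP_TEE_MAX` is set to the last valid subtype (`ESP_PARTITION_SUBTYPE_APP_TEE_1`), whereas the context line above defines `ESP_PARTITION_SUBTYPE_APP_OTA_MAX` as `ESP_PARTITION_SUBTYPE_APP_OTA_MIN + 16`, which is one past the last OTA slot (gen_esp32part.py in this commit generates ota_0 to ota_15). A range check copied from the OTA pattern, `subtype < ..._MAX`, would therefore reject TEE partition 1. Either define it as `ESP_PARTITION_SUBTYPE_APP_TEE_MIN + 2` to match, or state the inclusive bound in the doc comment: `//!< Last TEE partition subtype (inclusive)`. The enum continues outside the hunk.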
@@ -108,6 +113,9 @@ typedef enum { ESP_PARTITION_SUBTYPE_DATA_SPIFFS = 0x82, //!< SPIFFS partition ESP_PARTITION_SUBTYPE_DATA_LITTLEFS = 0x83, //!< LITTLEFS partition + ESP_PARTITION_SUBTYPE_DATA_TEE_OTA = 0x90, //!< TEE OTA selection partition + ESP_PARTITION_SUBTYPE_DATA_TEE_SEC_STORAGE= 0x91, //!< TEE secure storage partition + #if __has_include("extra_partition_subtypes.inc") #include "extra_partition_subtypes.inc" #endif diff --git a/components/esp_phy/src/phy_override.c b/components/esp_phy/src/phy_override.c index 2406e81dc3..4fc5857806 100644 --- a/components/esp_phy/src/phy_override.c +++ b/components/esp_phy/src/phy_override.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -11,6 +11,7 @@ #include "esp_private/sar_periph_ctrl.h" #include "freertos/FreeRTOS.h" +#include "hal/efuse_hal.h" /* * This file is used to override the hooks provided by the PHY lib for some system features. @@ -99,3 +100,20 @@ int16_t phy_get_tsens_value(void) return 0; #endif } + +/* NOTE:: With ESP-TEE enabled, we override certain functions from the libphy + * component archive which directly access the eFuse later (e.g. REG_READ) + * with the HAL APIs. + * + * In the future, ESP-TEE would need to protect the entire eFuse range through + * APM and expects users to use HAL APIs which would be redirected as service calls. + */ +void esp_phy_efuse_get_mac(uint8_t *mac) +{ + efuse_hal_get_mac(mac); +} + +uint32_t esp_phy_efuse_get_chip_ver_pkg(void) +{ + return efuse_hal_get_chip_ver_pkg(); +} diff --git a/components/esp_rom/CMakeLists.txt b/components/esp_rom/CMakeLists.txt index 3a09baf959..647da65396 100644 --- a/components/esp_rom/CMakeLists.txt +++ b/components/esp_rom/CMakeLists.txt 
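Review bot: `esp_phy_efuse_get_mac` and `esp_phy_efuse_get_chip_ver_pkg` at the end of phy_override.c are defined unconditionally, while the comment above them says the libphy versions are overridden "With ESP-TEE enabled". As written, every image that links this file routes these two reads through `efuse_hal_get_mac` and `efuse_hal_get_chip_ver_pkg`; if that is intended the comment should say so, otherwise wrap the definitions in `#if CONFIG_SECURE_ENABLE_TEE` (the option name is taken from the Kconfig hunk in this commit). The comment also has "eFuse later" where "eFuse layer" seems meant. `esp_phy_efuse_get_mac` takes no length, so its comment should state how many bytes `mac` must hold.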
@@ -126,6 +126,12 @@ if(CONFIG_ESP_ROM_HAS_VERSION) rom_linker_script("version") endif() +if(ESP_TEE_BUILD) + if(target STREQUAL "esp32c6") + rom_linker_script("spiflash") + endif() +endif() + if(BOOTLOADER_BUILD) if(target STREQUAL "esp32") if(NOT CONFIG_SPI_FLASH_ROM_DRIVER_PATCH) diff --git a/components/esp_rom/esp32c6/ld/esp32c6.rom.ld b/components/esp_rom/esp32c6/ld/esp32c6.rom.ld index 2af963d508..79737553fe 100644 --- a/components/esp_rom/esp32c6/ld/esp32c6.rom.ld +++ b/components/esp_rom/esp32c6/ld/esp32c6.rom.ld @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -259,11 +259,11 @@ gpio_bypass_matrix_in = 0x40000714; ***************************************/ /* Functions */ -esprv_intc_int_set_priority = 0x40000718; -esprv_intc_int_set_threshold = 0x4000071c; -esprv_intc_int_enable = 0x40000720; -esprv_intc_int_disable = 0x40000724; -esprv_intc_int_set_type = 0x40000728; +PROVIDE( esprv_intc_int_set_priority = 0x40000718 ); +PROVIDE( esprv_intc_int_set_threshold = 0x4000071c ); +PROVIDE( esprv_intc_int_enable = 0x40000720 ); +PROVIDE( esprv_intc_int_disable = 0x40000724 ); +PROVIDE( esprv_intc_int_set_type = 0x40000728 ); PROVIDE( intr_handler_set = 0x4000072c ); intr_matrix_set = 0x40000730; ets_intr_lock = 0x40000734; diff --git a/components/esptool_py/CMakeLists.txt b/components/esptool_py/CMakeLists.txt index 66778dc019..955c63a0fa 100644 --- a/components/esptool_py/CMakeLists.txt +++ b/components/esptool_py/CMakeLists.txt 
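Review bot: Wrapping the five `esprv_intc_int_*` ROM addresses in `PROVIDE()` lets any object that defines one of these names replace the ROM routine for every caller, in all images that link esp32c6.rom.ld and not only in the TEE build. Nothing in the file records why these entries now differ from neighbours such as `intr_matrix_set`, which stays a plain assignment. A comment above the group, for example `/* PROVIDE: may be overridden when ESP-TEE handles interrupt configuration */`, would document the intent; that wording is an assumption, since the overriding definitions are not in this diff.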
@@ -1,9 +1,15 @@ idf_build_get_property(target IDF_TARGET) +idf_build_get_property(esp_tee_build ESP_TEE_BUILD) if(${target} STREQUAL "linux") return() # This component is not supported by the POSIX/Linux simulator endif() +if(esp_tee_build) + idf_component_register() + return() +endif() + idf_component_register(REQUIRES bootloader PRIV_REQUIRES partition_table) if(NOT BOOTLOADER_BUILD) diff --git a/components/esptool_py/project_include.cmake b/components/esptool_py/project_include.cmake index de0efe407c..89547014ed 100644 --- a/components/esptool_py/project_include.cmake +++ b/components/esptool_py/project_include.cmake @@ -112,7 +112,7 @@ idf_build_get_property(build_dir BUILD_DIR) idf_build_get_property(elf_name EXECUTABLE_NAME GENERATOR_EXPRESSION) idf_build_get_property(elf EXECUTABLE GENERATOR_EXPRESSION) -if(CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES AND NOT BOOTLOADER_BUILD) +if(CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES AND NOT non_os_build) set(unsigned_project_binary "${elf_name}-unsigned.bin") else() set(unsigned_project_binary "${elf_name}.bin") diff --git a/components/log/include/esp_log.h b/components/log/include/esp_log.h index e2cb068f43..0886504627 100644 --- a/components/log/include/esp_log.h +++ b/components/log/include/esp_log.h @@ -101,7 +101,7 @@ void esp_log_writev(esp_log_level_t level, const char* tag, const char* format, esp_rom_printf(LOG_FORMAT(log_tag_letter, format), esp_log_timestamp(), tag, ##__VA_ARGS__); \ }} while(0) -#ifndef NON_OS_BUILD +#if !NON_OS_BUILD #if defined(__cplusplus) && (__cplusplus > 201703L) #define ESP_LOGE( tag, format, ... ) ESP_LOG_LEVEL_LOCAL(ESP_LOG_ERROR, tag, format __VA_OPT__(,) __VA_ARGS__) #define ESP_LOGW( tag, format, ... ) ESP_LOG_LEVEL_LOCAL(ESP_LOG_WARN, tag, format __VA_OPT__(,) __VA_ARGS__) diff --git a/components/log/include/esp_log_level.h b/components/log/include/esp_log_level.h index 1f10660b99..bfd390ab9e 100644 --- a/components/log/include/esp_log_level.h 
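Review bot: `non_os_build` is not set anywhere in the project_include.cmake hunk, and an unset CMake variable makes `NOT non_os_build` true, which would give bootloader and TEE builds the `-unsigned.bin` name that the old `NOT BOOTLOADER_BUILD` test kept away from the bootloader. The CMakeLists.txt change in the same component fetches its flag explicitly with `idf_build_get_property(esp_tee_build ESP_TEE_BUILD)`; the equivalent lookup for `non_os_build` should be confirmed above line 112, outside the hunk. Because `unsigned_project_binary` appears to name the artifact used when secure-boot signing is enabled, a wrong value here would be a silent mis-selection rather than a build error.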
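Review bot: Replacing `#ifndef NON_OS_BUILD` with `#if !NON_OS_BUILD` in esp_log.h changes what the guard tests, from "is defined" to "expands to non-zero". A translation unit where the macro is defined empty now fails to preprocess, and one where it is undefined relies on the implicit 0 and warns under `-Wundef`. The same switch is made in esp_log_level.h (`#if NON_OS_BUILD`) and in log_timestamp_common.c, so bootloader and TEE images must be built with a numeric `NON_OS_BUILD`; where that is defined is not part of this diff. If the build system always passes the macro as 0 or 1, a one-line comment at the first use, `// NON_OS_BUILD is defined to 0 or 1 by the build system`, would record the contract.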
+++ b/components/log/include/esp_log_level.h @@ -32,12 +32,14 @@ typedef enum { #ifndef LOG_LOCAL_LEVEL #if BOOTLOADER_BUILD #define LOG_LOCAL_LEVEL CONFIG_BOOTLOADER_LOG_LEVEL -#else // !BOOTLOADER_BUILD +#elif ESP_TEE_BUILD +#define LOG_LOCAL_LEVEL CONFIG_SECURE_TEE_LOG_LEVEL +#else #define LOG_LOCAL_LEVEL CONFIG_LOG_MAXIMUM_LEVEL -#endif // !BOOTLOADER_BUILD +#endif #endif // LOG_LOCAL_LEVEL -#ifdef NON_OS_BUILD +#if NON_OS_BUILD #define _ESP_LOG_ENABLED(log_level) (LOG_LOCAL_LEVEL >= (log_level)) #define _ESP_LOG_EARLY_ENABLED(log_level) _ESP_LOG_ENABLED(log_level) diff --git a/components/log/src/log_timestamp_common.c b/components/log/src/log_timestamp_common.c index 7905899da5..40aaab6c2e 100644 --- a/components/log/src/log_timestamp_common.c +++ b/components/log/src/log_timestamp_common.c @@ -12,7 +12,7 @@ #include "esp_private/log_timestamp.h" #include "sdkconfig.h" -#ifndef NON_OS_BUILD +#if !NON_OS_BUILD #include #include "freertos/FreeRTOS.h" #include "freertos/task.h" diff --git a/components/partition_table/Kconfig.projbuild b/components/partition_table/Kconfig.projbuild index e3740d9dad..c7ef8b073f 100644 --- a/components/partition_table/Kconfig.projbuild +++ b/components/partition_table/Kconfig.projbuild 
@@ -100,6 +100,30 @@ menu "Partition Table" The corresponding CSV file in the IDF directory is components/partition_table/partitions_two_ota_encr_nvs.csv + config PARTITION_TABLE_SINGLE_APP_TEE + bool "Single factory app, no OTA, TEE" + depends on SECURE_ENABLE_TEE + help + This is a variation of the default "Single factory app, no OTA" partition table + that supports the ESP-TEE framework. See the Trusted Execution Environment (TEE) section + in the ESP-IDF Programmers Guide for more information. + + The corresponding CSV file in the IDF directory is + components/partition_table/partitions_singleapp_tee.csv + + config PARTITION_TABLE_TWO_OTA_TEE + bool "Two OTA definitions, TEE" + depends on SECURE_ENABLE_TEE + help + This is a basic OTA-enabled partition table with two OTA app partitions each + for the TEE and the user (REE) application. The user app partition sizes are 1536K, + so this partition table requires 4MB or larger flash size. See the + Trusted Execution Environment (TEE) section in the ESP-IDF Programmers Guide + for more information. + + The corresponding CSV file in the IDF directory is + components/partition_table/partitions_two_ota_tee.csv + endchoice config PARTITION_TABLE_CUSTOM_FILENAME @@ -122,6 +146,8 @@ menu "Partition Table" default "partitions_two_ota_coredump.csv" if PARTITION_TABLE_TWO_OTA && ESP_COREDUMP_ENABLE_TO_FLASH default "partitions_two_ota_encr_nvs.csv" if PARTITION_TABLE_TWO_OTA_ENCRYPTED_NVS default "partitions_two_ota_large.csv" if PARTITION_TABLE_TWO_OTA_LARGE && !ESP_COREDUMP_ENABLE_TO_FLASH + default "partitions_singleapp_tee.csv" if PARTITION_TABLE_SINGLE_APP_TEE + default "partitions_two_ota_tee.csv" if PARTITION_TABLE_TWO_OTA_TEE default PARTITION_TABLE_CUSTOM_FILENAME if PARTITION_TABLE_CUSTOM config PARTITION_TABLE_OFFSET diff --git a/components/partition_table/gen_esp32part.py b/components/partition_table/gen_esp32part.py index d8d19d6e7e..029ac4104e 100755 --- a/components/partition_table/gen_esp32part.py 
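Review bot: Both new choices are gated by `depends on SECURE_ENABLE_TEE`, but nothing in the hunk stops a TEE-enabled project from keeping one of the existing tables, none of which can contain a `tee_0` or `tee_sec_stg` partition because those subtypes are introduced by this commit. Unless the choice default (outside this hunk) is updated or the build checks for a TEE partition, that misconfiguration would presumably surface only at boot. Consider adding `default PARTITION_TABLE_SINGLE_APP_TEE if SECURE_ENABLE_TEE` to the choice. The help text of PARTITION_TABLE_TWO_OTA_TEE could also state the 192K TEE slot size next to the 1536K app size.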
+++ b/components/partition_table/gen_esp32part.py @@ -24,6 +24,8 @@ PARTITION_TABLE_SIZE = 0x1000 # Size of partition table MIN_PARTITION_SUBTYPE_APP_OTA = 0x10 NUM_PARTITION_SUBTYPE_APP_OTA = 16 +MIN_PARTITION_SUBTYPE_APP_TEE = 0x30 +NUM_PARTITION_SUBTYPE_APP_TEE = 2 SECURE_NONE = None SECURE_V1 = 'v1' @@ -82,6 +84,8 @@ SUBTYPES = { 'fat': 0x81, 'spiffs': 0x82, 'littlefs': 0x83, + 'tee_ota': 0x90, + 'tee_sec_stg': 0x91, }, } @@ -308,6 +312,18 @@ class PartitionTable(list): critical('%s' % (p.to_csv())) raise InputError('otadata partition must have size = 0x2000') + # Above checks but for TEE otadata + otadata_duplicates = [p for p in self if p.type == TYPES['data'] and p.subtype == SUBTYPES[DATA_TYPE]['tee_ota']] + if len(otadata_duplicates) > 1: + for p in otadata_duplicates: + critical('%s' % (p.to_csv())) + raise InputError('Found multiple TEE otadata partitions. Only one partition can be defined with type="data"(1) and subtype="tee_ota"(0x90).') + + if len(otadata_duplicates) == 1 and otadata_duplicates[0].size != 0x2000: + p = otadata_duplicates[0] + critical('%s' % (p.to_csv())) + raise InputError('TEE otadata partition must have size = 0x2000') + def flash_size(self): """ Return the size that partitions will occupy in flash (ie the offset the last partition ends at) @@ -379,6 +395,10 @@ class PartitionDefinition(object): for ota_slot in range(NUM_PARTITION_SUBTYPE_APP_OTA): SUBTYPES[TYPES['app']]['ota_%d' % ota_slot] = MIN_PARTITION_SUBTYPE_APP_OTA + ota_slot + # add subtypes for the 2 TEE OTA slot values ("tee_XX, etc.") + for tee_slot in range(NUM_PARTITION_SUBTYPE_APP_TEE): + SUBTYPES[TYPES['app']]['tee_%d' % tee_slot] = MIN_PARTITION_SUBTYPE_APP_TEE + tee_slot + def __init__(self): self.name = '' self.type = None diff --git a/components/partition_table/partitions_singleapp_tee.csv b/components/partition_table/partitions_singleapp_tee.csv new file mode 100644 index 0000000000..aefbee66f6 --- /dev/null 
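Review bot: The TEE otadata check in the hunk at line 308 reuses the name `otadata_duplicates`, overwriting the list built by the regular otadata check just above; a distinct name such as `tee_otadata = [p for p in self if ...]` keeps the two results separate for any later code in the method, which continues outside the hunk. The validation added here covers only `tee_ota`: a table with two `tee_sec_stg` partitions, or with `tee_0` and `tee_1` but no `tee_ota`, passes these lines. If the TEE boot path requires exactly one secure-storage partition, the same duplicate test belongs here. The comment `# Above checks but for TEE otadata` would read better as `# Same uniqueness and size checks for the TEE otadata partition`.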
+++ b/components/partition_table/partitions_singleapp_tee.csv
@@ -0,0 +1,7 @@
+# Name, Type, SubType, Offset, Size, Flags
+# Note: if you have increased the bootloader size, make sure to update the offsets to avoid overlap
+tee, app, tee_0, , 192K,
+secure_storage, data, tee_sec_stg, , 64K,
+factory, app, factory, , 1536K,
+nvs, data, nvs, , 24K,
+phy_init, data, phy, , 4K,
diff --git a/components/partition_table/partitions_two_ota_tee.csv b/components/partition_table/partitions_two_ota_tee.csv
new file mode 100644
index 0000000000..98ee581e0e
--- /dev/null
+++ b/components/partition_table/partitions_two_ota_tee.csv
@@ -0,0 +1,11 @@
+# Name, Type, SubType, Offset, Size, Flags
+# Note: if you have increased the bootloader size, make sure to update the offsets to avoid overlap
+tee_0, app, tee_0, , 192K,
+tee_1, app, tee_1, , 192K,
+tee_otadata, data, tee_ota, , 8K,
+secure_storage, data, tee_sec_stg, , 56K,
+ota_0, app, ota_0, , 1536K,
+ota_1, app, ota_1, , 1536K,
+otadata, data, ota, , 8K,
+nvs, data, nvs, , 24K,
+phy_init, data, phy, , 4K,
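Review bot: The `secure_storage` row (subtype `tee_sec_stg`) leaves the Flags column empty in both new tables, so the partition is not marked `encrypted`. If its confidentiality is meant to come from flash encryption rather than from encryption performed inside the TEE, the flag should be set; if the TEE encrypts the contents itself, a comment line such as `# secure_storage is encrypted by the TEE, not by flash encryption` would record that. Which of the two applies is not visible in this diff.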