diff --git a/components/esp_tee/CMakeLists.txt b/components/esp_tee/CMakeLists.txt
index 96e92e3567..ef69044eb7 100644
--- a/components/esp_tee/CMakeLists.txt
+++ b/components/esp_tee/CMakeLists.txt
@@ -1,5 +1,5 @@
 idf_build_get_property(esp_tee_build ESP_TEE_BUILD)
-idf_build_get_property(custom_secure_service_tbl CUSTOM_SECURE_SERVICE_TBL)
+idf_build_get_property(custom_secure_service_yaml CUSTOM_SECURE_SERVICE_YAML)
 idf_build_get_property(custom_secure_service_dir CUSTOM_SECURE_SERVICE_COMPONENT_DIR)
 idf_build_get_property(custom_secure_service_component CUSTOM_SECURE_SERVICE_COMPONENT)
 idf_build_get_property(target IDF_TARGET)
@@ -82,33 +82,33 @@ else()
 endif()
 endif()
-set(secure_service_tbl_parser_py
- ${COMPONENT_DIR}/scripts/secure_service_tbl_parser.py ${CMAKE_CURRENT_BINARY_DIR}/secure_service.tbl
+set(secure_service_yml
+ ${COMPONENT_DIR}/scripts/${IDF_TARGET}/sec_srv_tbl_default.yml ${custom_secure_service_yaml}
 )
-set(secure_service_gen_headers
- ${CONFIG_DIR}/secure_service_num.h ${CONFIG_DIR}/secure_service_dec.h
- ${CONFIG_DIR}/secure_service_int.h ${CONFIG_DIR}/secure_service_ext.h
+set(secure_service_yml_parser_py
+ ${COMPONENT_DIR}/scripts/secure_service_yml_parser.py
 )
 if(CONFIG_SECURE_ENABLE_TEE AND NOT esp_tee_build)
+ # Default secure service API families: flash_protection_spi0, flash_protection_spi1,
+ # interrupt_handling, hal, crypto, efuse, secure_storage, ota, attestation
+ set(exclude_srv)
+ if(NOT CONFIG_SECURE_TEE_ATTESTATION)
+ list(APPEND exclude_srv "attestation")
+ endif()
+
 execute_process(
- COMMAND cat ${COMPONENT_DIR}/scripts/${target}/secure_service.tbl ${custom_secure_service_tbl}
- OUTPUT_FILE secure_service.tbl
- WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+ COMMAND python ${secure_service_yml_parser_py}
+ "--sec_srv" ${secure_service_yml}
+ "--exclude" ${exclude_srv}
+ WORKING_DIRECTORY ${CONFIG_DIR}
 )
 execute_process(
- COMMAND python ${secure_service_tbl_parser_py} ${secure_service_gen_headers}
- WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
- )
-
- set_property(DIRECTORY ${COMPONENT_DIR} APPEND PROPERTY
- ADDITIONAL_MAKE_CLEAN_FILES ${secure_service_gen_headers}
- )
-
- execute_process(
- COMMAND python ${secure_service_tbl_parser_py} "--wrap"
+ COMMAND python ${secure_service_yml_parser_py}
+ "--sec_srv" ${secure_service_yml}
+ "--exclude" ${exclude_srv} "--wrap"
 OUTPUT_VARIABLE wrap_list
 WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
 OUTPUT_STRIP_TRAILING_WHITESPACE
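Review bot: Both `execute_process` calls added inside `if(CONFIG_SECURE_ENABLE_TEE AND NOT esp_tee_build)` drop the parser's exit status (no `RESULT_VARIABLE`), so the one safety check the parser performs — the `ValueError` raised when a custom table reuses a default service ID — cannot stop the configure step, and the build carries on with whatever headers and `wrap_list` it got. An empty `wrap_list` is the worst case: none of the `IDF`-typed functions receive `-Wl,--wrap=`, REE code links against the real implementations instead of the TEE dispatch stubs, and nothing flags it at build time. The bare `python` on `COMMAND` also picks whichever interpreter is first on PATH rather than the one the IDF build records (the `PYTHON` build property, if this tree exposes it via `idf_build_get_property` as it does for `IDF_TARGET` above — confirm), which for a step that generates the secure-service dispatch table should be pinned. The enclosing `if()` block continues past the end of the hunk.

```cmake
if(CONFIG_SECURE_ENABLE_TEE AND NOT esp_tee_build)
    # … unchanged: exclude_srv setup …
    idf_build_get_property(python PYTHON)
    execute_process(
        COMMAND ${python} ${secure_service_yml_parser_py}
        "--sec_srv" ${secure_service_yml}
        "--exclude" ${exclude_srv}
        WORKING_DIRECTORY ${CONFIG_DIR}
        RESULT_VARIABLE sec_srv_gen_result
    )
    if(NOT sec_srv_gen_result EQUAL 0)
        message(FATAL_ERROR "Failed to generate secure service headers from: ${secure_service_yml}")
    endif()
    execute_process(
        COMMAND ${python} ${secure_service_yml_parser_py}
        "--sec_srv" ${secure_service_yml}
        "--exclude" ${exclude_srv} "--wrap"
        OUTPUT_VARIABLE wrap_list
        WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
        OUTPUT_STRIP_TRAILING_WHITESPACE
        RESULT_VARIABLE sec_srv_wrap_result
    )
    if(NOT sec_srv_wrap_result EQUAL 0)
        message(FATAL_ERROR "Failed to generate secure service linker wrap list")
    endif()
```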
diff --git a/components/esp_tee/scripts/esp32c6/sec_srv_tbl_default.yml b/components/esp_tee/scripts/esp32c6/sec_srv_tbl_default.yml
new file mode 100644
index 0000000000..d15d125f3a
--- /dev/null
+++ b/components/esp_tee/scripts/esp32c6/sec_srv_tbl_default.yml
@@ -0,0 +1,212 @@ +secure_services: + - family: misc + entries: + - id: 0 + type: custom + function: invalid_secure_service + args: 0 + # ID: 1-4 (4) - External memory (Flash) protection [SPI0] + - family: flash_protection_spi0 + entries: + - id: 1 + type: IDF + function: mmu_hal_map_region + args: 6 + - id: 2 + type: IDF + function: mmu_hal_unmap_region + args: 3 + - id: 3 + type: IDF + function: mmu_hal_vaddr_to_paddr + args: 4 + - id: 4 + type: IDF + function: mmu_hal_paddr_to_vaddr + args: 5 + # ID: 30-53 (24) - Interrupt Handling + - family: interrupt_handling + entries: + - id: 30 + type: IDF + function: esp_rom_route_intr_matrix + args: 3 + - id: 31 + type: IDF + function: rv_utils_intr_enable + args: 1 + - id: 32 + type: IDF + function: rv_utils_intr_disable + args: 1 + - id: 33 + type: IDF + function: rv_utils_intr_set_priority + args: 2 + - id: 34 + type: IDF + function: rv_utils_intr_set_type + args: 2 + - id: 35 + type: IDF + function: rv_utils_intr_set_threshold + args: 1 + - id: 36 + type: IDF + function: rv_utils_intr_edge_ack + args: 1 + - id: 37 + type: IDF + function: rv_utils_intr_global_enable + args: 0 + # ID: 54-85 (32) - HAL + - family: hal + entries: + - id: 54 + type: IDF + function: efuse_hal_chip_revision + args: 0 + - id: 55 + type: IDF + function: efuse_hal_get_chip_ver_pkg + args: 1 + - id: 56 + type: IDF + function: efuse_hal_get_disable_wafer_version_major + args: 0 + - id: 57 + type: IDF + function: efuse_hal_get_mac + args: 1 + - id: 58 + type: IDF + function: wdt_hal_init + args: 4 + - id: 59 + type: IDF + function: wdt_hal_deinit + args: 1 + # ID: 86-133 (48) - Crypto + - family: crypto + entries: + - id: 86 + type: IDF + function: esp_aes_intr_alloc + args: 0 + - id: 87 + type: IDF + function: esp_aes_crypt_cbc + args: 6 + - id: 88 + type: IDF + function: esp_aes_crypt_cfb8 + args: 6 + - id: 89 + type: IDF + function: esp_aes_crypt_cfb128 + args: 7 + - id: 90 + type: IDF + function: esp_aes_crypt_ctr + args: 7 + - id: 91 + type: 
IDF + function: esp_aes_crypt_ecb + args: 4 + - id: 92 + type: IDF + function: esp_aes_crypt_ofb + args: 6 + - id: 93 + type: IDF + function: esp_sha + args: 4 + - id: 94 + type: IDF + function: esp_sha_block + args: 3 + - id: 95 + type: IDF + function: esp_sha_dma + args: 6 + - id: 96 + type: IDF + function: esp_sha_read_digest_state + args: 2 + - id: 97 + type: IDF + function: esp_sha_write_digest_state + args: 2 + # ID: 134-149 (16) - eFuse + - family: efuse + entries: + - id: 134 + type: IDF + function: esp_efuse_check_secure_version + args: 1 + - id: 135 + type: IDF + function: esp_efuse_read_field_blob + args: 3 + - id: 136 + type: IDF + function: esp_flash_encryption_enabled + args: 0 + # ID: 150-169 (20) - Reserved for future use + - family: attestation + entries: + - id: 170 + type: custom + function: esp_tee_att_generate_token + args: 6 + # ID: 175-194 (20) - Secure Storage + - family: secure_storage + entries: + - id: 175 + type: custom + function: esp_tee_sec_storage_init + args: 0 + - id: 176 + type: custom + function: esp_tee_sec_storage_gen_key + args: 2 + - id: 177 + type: custom + function: esp_tee_sec_storage_get_signature + args: 4 + - id: 178 + type: custom + function: esp_tee_sec_storage_get_pubkey + args: 2 + - id: 179 + type: custom + function: esp_tee_sec_storage_encrypt + args: 8 + - id: 180 + type: custom + function: esp_tee_sec_storage_decrypt + args: 8 + - id: 181 + type: custom + function: esp_tee_sec_storage_is_slot_empty + args: 1 + - id: 182 + type: custom + function: esp_tee_sec_storage_clear_slot + args: 1 + # ID: 195-199 (5) - OTA + - family: ota + entries: + - id: 195 + type: custom + function: esp_tee_ota_begin + args: 0 + - id: 196 + type: custom + function: esp_tee_ota_write + args: 3 + - id: 197 + type: custom + function: esp_tee_ota_end + args: 0 + # ID: 200+ - User-defined 
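Review bot: This table no longer states the placement rule the deleted `secure_service.tbl` carried in a comment — IDs below the split value go into the internal-memory service table, the rest into the external-memory table — and this commit also moves that value from 48 to 30 (`SEC_SRV_TABLE_SPLIT_ID` in `secure_service_yml_parser.py`), so a reader of this file cannot tell that the `flash_protection_spi0` entries at IDs 1-4 must stay below 30 or that the gap between 4 and 30 is deliberate; presumably these MMU services have to be reachable while external flash is unmapped, which is why the split exists — confirm. A header comment would restore it: `# IDs below SEC_SRV_TABLE_SPLIT_ID (30, see scripts/secure_service_yml_parser.py) are placed in the internal memory table; all others in the external memory table`. The `attestation` family is also the only one without a range comment, and the surrounding comments leave 170-174 unaccounted for between "150-169 Reserved" and "175-194 Secure Storage", so `# ID: 170-174 (5) - Attestation` above `- family: attestation` would make the allocation explicit. Separately, the CMakeLists comment in this commit lists `flash_protection_spi1` as a default family, but no such family exists here; if that is intentionally target-specific, a one-line note saying so would save the next reader a search.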
diff --git a/components/esp_tee/scripts/esp32c6/secure_service.tbl b/components/esp_tee/scripts/esp32c6/secure_service.tbl
deleted file mode 100644
index 51cd652035..0000000000
--- a/components/esp_tee/scripts/esp32c6/secure_service.tbl
+++ /dev/null
@@ -1,57 +0,0 @@ -# SS no. API type Function Args -0 custom invalid_secure_service 0 -# ID: 1-47 (47) - External memory (Flash) protection -1 IDF mmu_hal_map_region 6 -2 IDF mmu_hal_unmap_region 3 -3 IDF mmu_hal_vaddr_to_paddr 4 -4 IDF mmu_hal_paddr_to_vaddr 5 -# Services before the ID 48 will be placed in the internal memory table, -# while the rest will be placed in the external memory table. -# ID: 48-71 (24) - Interrupt Handling -48 IDF esp_rom_route_intr_matrix 3 -49 IDF rv_utils_intr_enable 1 -50 IDF rv_utils_intr_disable 1 -51 IDF rv_utils_intr_set_priority 2 -52 IDF rv_utils_intr_set_type 2 -53 IDF rv_utils_intr_set_threshold 1 -54 IDF rv_utils_intr_edge_ack 1 -55 IDF rv_utils_intr_global_enable 0 -# ID: 72-119 (48) - HAL -72 IDF efuse_hal_chip_revision 0 -73 IDF efuse_hal_get_chip_ver_pkg 1 -74 IDF efuse_hal_get_disable_wafer_version_major 0 -75 IDF efuse_hal_get_mac 1 -76 IDF wdt_hal_init 4 -77 IDF wdt_hal_deinit 1 -# ID: 120-167 (48) - Crypto -120 IDF esp_aes_intr_alloc 0 -121 IDF esp_aes_crypt_cbc 6 -122 IDF esp_aes_crypt_cfb8 6 -123 IDF esp_aes_crypt_cfb128 7 -124 IDF esp_aes_crypt_ctr 7 -125 IDF esp_aes_crypt_ecb 4 -126 IDF esp_aes_crypt_ofb 6 -127 IDF esp_sha 4 -128 IDF esp_sha_dma 6 -129 IDF esp_sha_read_digest_state 2 -130 IDF esp_sha_write_digest_state 2 -131 IDF esp_sha_block 3 -# ID: 168-183 (16) - eFuse -168 IDF esp_efuse_check_secure_version 1 -169 IDF esp_efuse_read_field_blob 3 -170 IDF esp_flash_encryption_enabled 0 -# ID: 184-249 (66) - Reserved for future use -# ID: 270-293 (24) - Secure Storage -270 custom esp_tee_sec_storage_init 0 -271 custom esp_tee_sec_storage_gen_key 2 -272 custom esp_tee_sec_storage_get_signature 4 -273 custom esp_tee_sec_storage_get_pubkey 2 -274 custom esp_tee_sec_storage_encrypt 8 -275 custom esp_tee_sec_storage_decrypt 8 -276 custom esp_tee_sec_storage_is_slot_empty 1 -277 custom esp_tee_sec_storage_clear_slot 1 -# ID: 294-299 (6) - OTA -294 custom esp_tee_ota_begin 0 -295 custom esp_tee_ota_write 3 -296 custom 
esp_tee_ota_end 0 -# ID: 300+ - User-defined diff --git a/components/esp_tee/scripts/secure_service_tbl_parser.py b/components/esp_tee/scripts/secure_service_yml_parser.py similarity index 55% rename from components/esp_tee/scripts/secure_service_tbl_parser.py rename to components/esp_tee/scripts/secure_service_yml_parser.py index 94cb3f9c2c..8dc18e8aca 100644 --- a/components/esp_tee/scripts/secure_service_tbl_parser.py +++ b/components/esp_tee/scripts/secure_service_yml_parser.py 
@@ -1,25 +1,37 @@
 # SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
 # SPDX-License-Identifier: Apache-2.0
 import argparse
-import re
 from typing import List
+from typing import Set
 from typing import Tuple
-SEC_SRV_TABLE_SPLIT_ID = 48
+import yaml
+
+SEC_SRV_TABLE_SPLIT_ID = 30
+OUTPUT_HEADERS = [
+ 'secure_service_num.h',
+ 'secure_service_dec.h',
+ 'secure_service_int.h',
+ 'secure_service_ext.h',
+]
-def parse_services(secure_service_tbl: str) -> List[Tuple[int, str, int]]:
+def parse_services(yml_files: List[str], excluded_fam: Set[str]) -> List[Tuple[int, str, int]]:
 services, service_ids = [], set()
- pattern = re.compile(r'^([0-9A-Fa-fXx]+)\s+\S+\s+(\S+)\s+(\d+)')
- with open(secure_service_tbl, 'r') as f:
- for line in f:
- if match := pattern.match(line):
- service_id = int(match.group(1), 0)
- if service_id in service_ids:
- raise ValueError(f'Duplicate service call ID found: 0x{service_id:X}')
- service_ids.add(service_id)
- services.append((service_id, match.group(2), int(match.group(3))))
+ for yml_file in yml_files:
+ with open(yml_file, 'r') as f:
+ data = yaml.safe_load(f)
+ for family in data.get('secure_services', []):
+ family_name = family.get('family', '')
+ if family_name in excluded_fam:
+ continue
+ for entry in family.get('entries', []):
+ service_id = entry['id']
+ if service_id in service_ids:
+ raise ValueError(f'Duplicate service call ID found: 0x{service_id:X}')
+ service_ids.add(service_id)
+ services.append((service_id, entry['function'], entry['args']))
 return sorted(services, key=lambda x: x[0])
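Review bot: `parse_services` takes `entry['id']`, `entry['function']` and `entry['args']` straight from the YAML with no type or range check, so a custom table can put an entry at any ID — below `SEC_SRV_TABLE_SPLIT_ID`, inside the 150-169 range the default table marks reserved, or as a non-integer — and it flows into the generated dispatch headers unchallenged; a string id such as `'0x10'` is not even seen as a duplicate of the integer 16, and the only place it would blow up is the `0x{service_id:X}` format, which runs solely on a collision. Since these values become the index the REE presents to the TEE dispatcher and the argument count it copies, I would validate each entry here: `id` and `args` non-negative `int`s (the default table tops out at `args: 8`; whatever the dispatcher's real ceiling is should be enforced too), `function` an identifier-like string, and `type` one of `IDF`/`custom`. An empty YAML file also breaks the loop, because `yaml.safe_load` returns `None` and `data.get` raises `AttributeError`; `data = yaml.safe_load(f) or {}` covers that. `yaml.safe_load` is the right loader for build input and should stay.

```python
def parse_services(yml_files: List[str], excluded_fam: Set[str]) -> List[Tuple[int, str, int]]:
    services, service_ids = [], set()
    for yml_file in yml_files:
        with open(yml_file, 'r') as f:
            data = yaml.safe_load(f) or {}
        for family in data.get('secure_services', []):
            if family.get('family', '') in excluded_fam:
                continue
            for entry in family.get('entries', []):
                service_id, func, args, srv_type = entry['id'], entry['function'], entry['args'], entry['type']
                if not isinstance(service_id, int) or service_id < 0:
                    raise ValueError(f'{yml_file}: invalid service ID {service_id!r} for {func!r}')
                if not isinstance(args, int) or args < 0:
                    raise ValueError(f'{yml_file}: invalid argument count {args!r} for {func!r}')
                if not isinstance(func, str) or not func.isidentifier():
                    raise ValueError(f'{yml_file}: invalid function name {func!r}')
                if srv_type not in ('IDF', 'custom'):
                    raise ValueError(f'{yml_file}: unknown service type {srv_type!r} for {func!r}')
                if service_id in service_ids:
                    raise ValueError(f'Duplicate service call ID found: 0x{service_id:X}')
                service_ids.add(service_id)
                services.append((service_id, func, args))
    return sorted(services, key=lambda x: x[0])
```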
@@ -83,30 +95,36 @@ def generate_table_split(services: List[Tuple[int, str, int]], output_file_1: st
 f2.write(header + body_2)
-def generate_wrap_list(secure_service_tbl: str) -> None:
- pattern = re.compile(r'^[0-9A-Fa-fXx]+\s+IDF\s+(\S+)\s+\d+')
- with open(secure_service_tbl, 'r') as f:
- wrap_list = [f'-Wl,--wrap={match.group(1)}' for line in f if (match := pattern.match(line))]
+def generate_wrap_list(yml_files: List[str], excluded_fam: Set[str]) -> None:
+ wrap_list: list[str] = []
+ for yml_file in yml_files:
+ with open(yml_file, 'r') as f:
+ data = yaml.safe_load(f)
+ wrap_list.extend(
+ f'-Wl,--wrap={entry["function"]}'
+ for family in data.get('secure_services', [])
+ for entry in family.get('entries', [])
+ if entry['type'] == 'IDF' and family.get('family', '') not in excluded_fam
+ )
 print(' '.join(wrap_list), end='')
 def main() -> None:
- parser = argparse.ArgumentParser(description='Generate secure service outputs')
+ parser = argparse.ArgumentParser(description='Generate secure service outputs from YAML table')
 parser.add_argument('--wrap', action='store_true', help='Generate linker wrap options')
- parser.add_argument('secure_service_tbl', type=str, help='Path to secure service table file')
- parser.add_argument('output_files', nargs='*', help='Output files: [secure_service_num.h, secure_service_dec.h, secure_service_1.h, secure_service_2.h]')
+ parser.add_argument('-s', '--sec_srv', nargs='+', required=True, help='Secure service table(s) in YAML')
+ parser.add_argument('--exclude', nargs='*', default=[], help='List of API families to exclude from the output')
 args = parser.parse_args()
+ excluded_fam = set(args.exclude)
 if args.wrap:
- generate_wrap_list(args.secure_service_tbl)
+ generate_wrap_list(args.sec_srv, excluded_fam)
 else:
- if len(args.output_files) != 4:
- parser.error('Missing output header files!')
- services = parse_services(args.secure_service_tbl)
- generate_num_header(services, args.output_files[0])
- generate_dec_header(services, args.output_files[1])
- generate_table_split(services, args.output_files[2], args.output_files[3])
+ services = parse_services(args.sec_srv, excluded_fam)
+ generate_num_header(services, OUTPUT_HEADERS[0])
+ generate_dec_header(services, OUTPUT_HEADERS[1])
+ generate_table_split(services, OUTPUT_HEADERS[2], OUTPUT_HEADERS[3])
 if __name__ == '__main__':
diff --git a/components/esp_tee/subproject/components/tee_attestation/esp_tee_att.cmake b/components/esp_tee/subproject/components/tee_attestation/esp_tee_att.cmake
deleted file mode 100644
index b99f4aaf7f..0000000000
--- a/components/esp_tee/subproject/components/tee_attestation/esp_tee_att.cmake
+++ /dev/null
@@ -1,5 +0,0 @@
-# This file must be manually included in the project's top level CMakeLists.txt before project()
-# This ensures that the variables are set before TEE starts building
-
-# Append secure service table consisting of secure services
-idf_build_set_property(CUSTOM_SECURE_SERVICE_TBL ${CMAKE_CURRENT_LIST_DIR}/esp_tee_att.tbl APPEND)
diff --git a/components/esp_tee/subproject/components/tee_attestation/esp_tee_att.tbl b/components/esp_tee/subproject/components/tee_attestation/esp_tee_att.tbl
deleted file mode 100644
index 5541be8625..0000000000
--- a/components/esp_tee/subproject/components/tee_attestation/esp_tee_att.tbl
+++ /dev/null
@@ -1,2 +0,0 @@
-# SS no. API type Function Args
-250 custom esp_tee_att_generate_token 6
diff --git a/components/esp_tee/test_apps/tee_cli_app/CMakeLists.txt b/components/esp_tee/test_apps/tee_cli_app/CMakeLists.txt
index 25d05f1b65..721b1cfd91 100644
--- a/components/esp_tee/test_apps/tee_cli_app/CMakeLists.txt
+++ b/components/esp_tee/test_apps/tee_cli_app/CMakeLists.txt
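Review bot: `generate_wrap_list` picks symbols to wrap with the exact, case-sensitive test `entry['type'] == 'IDF'` and silently skips everything else, so an entry typed `idf` or `Idf` in a custom table still gets a dispatch slot from `parse_services` but no `-Wl,--wrap=` option — the REE then links straight to the real function instead of the TEE service, with no build error to show for it. The `--wrap` pass also re-reads the YAML independently of `parse_services`, so it bypasses the duplicate-ID check and any validation that pass does; either have `parse_services` return `type` alongside id/function/args and derive the wrap list from that single validated result, or at minimum reject unknown `type` values here as well so the two outputs cannot drift. The `-s`/`--sec_srv` help could also say how several tables combine, e.g. `help='Secure service table(s) in YAML; entries from all files are merged and sorted by ID'`. `main()` continues in `if __name__ == '__main__':` past the end of the hunk.

```python
def generate_wrap_list(yml_files: List[str], excluded_fam: Set[str]) -> None:
    wrap_list: list[str] = []
    for yml_file in yml_files:
        with open(yml_file, 'r') as f:
            data = yaml.safe_load(f) or {}
        for family in data.get('secure_services', []):
            if family.get('family', '') in excluded_fam:
                continue
            for entry in family.get('entries', []):
                srv_type = entry['type']
                if srv_type not in ('IDF', 'custom'):
                    raise ValueError(f'{yml_file}: unknown service type {srv_type!r} for {entry["function"]!r}')
                if srv_type == 'IDF':
                    wrap_list.append(f'-Wl,--wrap={entry["function"]}')
    print(' '.join(wrap_list), end='')
```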
@@ -4,7 +4,4 @@ cmake_minimum_required(VERSION 3.16)
 include($ENV{IDF_PATH}/tools/cmake/project.cmake)
-# For registering the attestation secure service
-include($ENV{IDF_PATH}/components/esp_tee/subproject/components/tee_attestation/esp_tee_att.cmake)
-
 project(tee_cli)
diff --git a/components/esp_tee/test_apps/tee_test_fw/CMakeLists.txt b/components/esp_tee/test_apps/tee_test_fw/CMakeLists.txt
index 2a92d2d729..0269fa8801 100644
--- a/components/esp_tee/test_apps/tee_test_fw/CMakeLists.txt
+++ b/components/esp_tee/test_apps/tee_test_fw/CMakeLists.txt
@@ -5,6 +5,5 @@ include($ENV{IDF_PATH}/tools/cmake/project.cmake)
 # For registering the test-specific and attestation secure services
 include(${CMAKE_CURRENT_LIST_DIR}/components/test_sec_srv/test_tee_project.cmake)
-include($ENV{IDF_PATH}/components/esp_tee/subproject/components/tee_attestation/esp_tee_att.cmake)
 project(esp_tee_test)
diff --git a/components/esp_tee/test_apps/tee_test_fw/components/test_sec_srv/sec_srv_tbl_test.yml b/components/esp_tee/test_apps/tee_test_fw/components/test_sec_srv/sec_srv_tbl_test.yml
new file mode 100644
index 0000000000..76ba15c605
--- /dev/null
+++ b/components/esp_tee/test_apps/tee_test_fw/components/test_sec_srv/sec_srv_tbl_test.yml
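Review bot: In the tee_test_fw hunk the surviving comment `# For registering the test-specific and attestation secure services` is now stale: the include it described for attestation is the line removed directly beneath it, and only `test_tee_project.cmake` is still included, so it should read `# For registering the test-specific secure services`. If the test firmware still relies on the attestation service being present, that is now decided by `CONFIG_SECURE_TEE_ATTESTATION` in the esp_tee CMakeLists rather than by an include here, which is worth stating in the same comment so nobody re-adds the include.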
@@ -0,0 +1,71 @@ +secure_services: + - family: test + entries: + - id: 200 + type: custom + function: esp_tee_service_add + args: 2 + - id: 201 + type: custom + function: esp_tee_service_sub + args: 2 + - id: 202 + type: custom + function: esp_tee_service_mul + args: 2 + - id: 203 + type: custom + function: esp_tee_service_div + args: 2 + - id: 204 + type: custom + function: esp_tee_test_timer_init + args: 1 + - id: 205 + type: custom + function: esp_tee_secure_int_test + args: 0 + - id: 206 + type: custom + function: esp_tee_non_secure_int_test + args: 1 + - id: 207 + type: custom + function: esp_tee_test_int_count + args: 1 + - id: 208 + type: custom + function: esp_tee_test_resv_reg1_write_violation + args: 0 + - id: 209 + type: custom + function: esp_tee_test_resv_reg1_exec_violation + args: 0 + - id: 210 + type: custom + function: esp_tee_test_iram_reg1_write_violation + args: 0 + - id: 211 + type: custom + function: esp_tee_test_iram_reg2_write_violation + args: 0 + - id: 212 + type: custom + function: esp_tee_test_dram_reg1_exec_violation + args: 0 + - id: 213 + type: custom + function: esp_tee_test_dram_reg2_exec_violation + args: 0 + - id: 214 + type: custom + function: esp_tee_test_illegal_instruction + args: 0 + - id: 215 + type: custom + function: dummy_secure_service + args: 0 + - id: 216 + type: custom + function: add_in_loop + args: 3 diff --git a/components/esp_tee/test_apps/tee_test_fw/components/test_sec_srv/test.tbl b/components/esp_tee/test_apps/tee_test_fw/components/test_sec_srv/test.tbl deleted file mode 100644 index b93f500728..0000000000 --- a/components/esp_tee/test_apps/tee_test_fw/components/test_sec_srv/test.tbl +++ /dev/null 
@@ -1,18 +0,0 @@ -# SS no. API type Function Args -300 custom esp_tee_service_add 2 -301 custom esp_tee_service_sub 2 -302 custom esp_tee_service_mul 2 -303 custom esp_tee_service_div 2 -304 custom esp_tee_test_timer_init 1 -305 custom esp_tee_secure_int_test 0 -306 custom esp_tee_non_secure_int_test 1 -307 custom esp_tee_test_int_count 1 -308 custom esp_tee_test_resv_reg1_write_violation 0 -309 custom esp_tee_test_resv_reg1_exec_violation 0 -310 custom esp_tee_test_iram_reg1_write_violation 0 -311 custom esp_tee_test_iram_reg2_write_violation 0 -312 custom esp_tee_test_dram_reg1_exec_violation 0 -313 custom esp_tee_test_dram_reg2_exec_violation 0 -314 custom esp_tee_test_illegal_instruction 0 -315 custom dummy_secure_service 0 -316 custom add_in_loop 3 diff --git a/components/esp_tee/test_apps/tee_test_fw/components/test_sec_srv/test_tee_project.cmake b/components/esp_tee/test_apps/tee_test_fw/components/test_sec_srv/test_tee_project.cmake index d4a389ad76..29e6e3290c 100644 --- a/components/esp_tee/test_apps/tee_test_fw/components/test_sec_srv/test_tee_project.cmake +++ b/components/esp_tee/test_apps/tee_test_fw/components/test_sec_srv/test_tee_project.cmake @@ -5,7 +5,7 @@ get_filename_component(directory "${CMAKE_CURRENT_LIST_DIR}/.." ABSOLUTE DIRECTO get_filename_component(name ${CMAKE_CURRENT_LIST_DIR} NAME) # Append secure service table consisting of secure services -idf_build_set_property(CUSTOM_SECURE_SERVICE_TBL ${CMAKE_CURRENT_LIST_DIR}/test.tbl APPEND) +idf_build_set_property(CUSTOM_SECURE_SERVICE_YAML ${CMAKE_CURRENT_LIST_DIR}/sec_srv_tbl_test.yml APPEND) # Append the directory of this component which is used by esp_tee component as # EXTRA_COMPONENT_DIRS diff --git a/docs/en/security/tee/tee-advanced.rst b/docs/en/security/tee/tee-advanced.rst index c539e59389..24ca16191f 100644 --- a/docs/en/security/tee/tee-advanced.rst +++ b/docs/en/security/tee/tee-advanced.rst 
@@ -286,31 +286,43 @@ To extend the ESP-TEE framework with custom service calls, follow the steps outl 1. Create a Custom Service Call Table ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Define a component for defining custom service calls and create a ``.tbl`` file within the component. +Define a component for defining custom service calls and create a ``.yml`` file within the component. .. code-block:: bash - touch /custom_srvcall.tbl + touch /custom_srvcall.yml -Add your custom service call entries to the ``.tbl`` file in the following format: +Add your custom service call entries to the ``.yml`` file in the following format: -.. code-block:: none +.. code-block:: yaml - custom + secure_services: + - family: + entries: + - id: + type: custom + function: + args: **Example Entry** -.. code-block:: none +.. code-block:: yaml - # SS no. API type Function Args - 201 custom custom_sec_srv_op 1 + secure_services: + - family: example + entries: + - id: 300 + type: custom + function: example_sec_serv_aes_op + args: 5 -- ``201``: Unique service call number + +- ``300``: Unique service call number - ``custom``: Custom service call type -- ``custom_sec_srv_op``: Function name -- ``1``: Number of arguments +- ``example_sec_serv_aes_op``: Function name +- ``5``: Number of arguments -Ensure that the custom service call numbers does not conflict with the :component_file:`default service call table`. The ESP-TEE framework parses the custom service call table along with the default table to generate relevant header files used in applications. +Ensure that the custom service call numbers does not conflict with the :component_file:`default service call table`. The ESP-TEE framework parses the custom service call table along with the default table to generate relevant header files used in applications. 2. Define the Service Call Implementation ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -327,7 +339,7 @@ Define the function corresponding to the custom service call in the TEE. This fu return 0; } -The function name should have the prefix ``_ss_`` before the name and must match the name specified in the ``.tbl`` file. +The function name should have the prefix ``_ss_`` before the name and must match the name specified in the ``.yml`` file. For reference, all default service call functions are defined in the :component_file:`file`. @@ -342,7 +354,7 @@ Define a CMake file (e.g., ``custom_sec_srv.cmake``) in the component that defin .. code-block:: cmake - idf_build_set_property(CUSTOM_SECURE_SERVICE_TBL ${CMAKE_CURRENT_LIST_DIR}/custom_srvcall.tbl APPEND) + idf_build_set_property(CUSTOM_SECURE_SERVICE_YAML ${CMAKE_CURRENT_LIST_DIR}/custom_srvcall.yml APPEND) #. Set the custom component directory and name so that the ``esp_tee`` subproject can use it diff --git a/docs/en/security/tee/tee-attestation.rst b/docs/en/security/tee/tee-attestation.rst index c57eec865d..780229f606 100644 --- a/docs/en/security/tee/tee-attestation.rst +++ b/docs/en/security/tee/tee-attestation.rst @@ -255,8 +255,6 @@ API Reference .. note:: - - To use the TEE Attestation APIs in your project, ensure that the :component:`tee_attestation ` component is listed as a local dependency in the component manager manifest file `idf_component.yml `_. Refer to the :example:`tee_attestation ` example for guidance. - - - Additionally, the component-specific :component_file:`CMake ` file needs to be included in the top-level ``CMakeLists.txt`` of your project before calling the ``project()`` command to integrate the corresponding service calls into the project. + To use the TEE Attestation APIs in your project, ensure that the :component:`tee_attestation ` component is listed as a local dependency in the component manager manifest file `idf_component.yml `_. Refer to the :example:`tee_attestation ` example for guidance. .. include-build-file:: inc/esp_tee_attestation.inc 
diff --git a/docs/en/security/tee/tee.rst b/docs/en/security/tee/tee.rst index d1c578f1b0..b8ea2ab93f 100644 --- a/docs/en/security/tee/tee.rst +++ b/docs/en/security/tee/tee.rst @@ -120,7 +120,7 @@ All features that the TEE exposes to the REE are implemented as secure services. Since multitasking is not currently supported in the TEE, secure service calls are serialized, and subsequent calls remain pending until the current service completes. -For {IDF_TARGET_NAME}, a list of secure services can be found at this :component_file:`table`. Following are the types of secure services. +For {IDF_TARGET_NAME}, a list of secure services can be found at this :component_file:`table`. Following are the types of secure services. - **Core secure services**: Built-in services within the TEE firmware that provide routine functionalities to the REE, such as interrupt configuration and eFuse access. diff --git a/examples/security/tee/tee_attestation/CMakeLists.txt b/examples/security/tee/tee_attestation/CMakeLists.txt index 115dffc941..f2683dfc68 100644 --- a/examples/security/tee/tee_attestation/CMakeLists.txt +++ b/examples/security/tee/tee_attestation/CMakeLists.txt @@ -4,9 +4,6 @@ cmake_minimum_required(VERSION 3.16) include($ENV{IDF_PATH}/tools/cmake/project.cmake) -# For registering the attestation secure service -include($ENV{IDF_PATH}/components/esp_tee/subproject/components/tee_attestation/esp_tee_att.cmake) - # "Trim" the build. Include the minimal set of components, main, and anything it depends on. idf_build_set_property(MINIMAL_BUILD ON) project(tee_attestation) diff --git a/examples/security/tee/tee_basic/README.md b/examples/security/tee/tee_basic/README.md index e3bd576494..894ba5e4fc 100644 --- a/examples/security/tee/tee_basic/README.md +++ b/examples/security/tee/tee_basic/README.md 
@@ -13,7 +13,7 @@ └── example_secure_service # Component parent directory ├── CMakeLists.txt ├── example_service.c # Custom secure service APIs - ├── example.tbl # Custom secure service table, which is appended to the default one provided by TEE + ├── sec_srv_tbl_example.yml # Custom secure service table, which is parsed alongwith the default one provided by TEE ├── include │   └── example_service.h └── tee_project.cmake # To be manually included in the project's top level CMakeLists.txt before project(...) diff --git a/examples/security/tee/tee_basic/components/example_secure_service/example.tbl b/examples/security/tee/tee_basic/components/example_secure_service/example.tbl deleted file mode 100644 index e801439ed5..0000000000 --- a/examples/security/tee/tee_basic/components/example_secure_service/example.tbl +++ /dev/null @@ -1,2 +0,0 @@ -# SS no. API type Function Args -300 custom example_sec_serv_aes_op 5 diff --git a/examples/security/tee/tee_basic/components/example_secure_service/sec_srv_tbl_example.yml b/examples/security/tee/tee_basic/components/example_secure_service/sec_srv_tbl_example.yml new file mode 100644 index 0000000000..8b55150673 --- /dev/null +++ b/examples/security/tee/tee_basic/components/example_secure_service/sec_srv_tbl_example.yml @@ -0,0 +1,7 @@ +secure_services: + - family: example + entries: + - id: 200 + type: custom + function: example_sec_serv_aes_op + args: 5 diff --git a/examples/security/tee/tee_basic/components/example_secure_service/tee_project.cmake b/examples/security/tee/tee_basic/components/example_secure_service/tee_project.cmake index 28ffbc57ec..f0340c19e1 100644 --- a/examples/security/tee/tee_basic/components/example_secure_service/tee_project.cmake +++ b/examples/security/tee/tee_basic/components/example_secure_service/tee_project.cmake 
@@ -1,11 +1,11 @@ -# tee_project.cmake file must be manually included in the project's top level CMakeLists.txt before project() +# This file must be manually included in the project's top level CMakeLists.txt before project() # This ensures that the variables are set before TEE starts building get_filename_component(directory "${CMAKE_CURRENT_LIST_DIR}/.." ABSOLUTE DIRECTORY) get_filename_component(name ${CMAKE_CURRENT_LIST_DIR} NAME) # Append secure service table consisting of secure services -idf_build_set_property(CUSTOM_SECURE_SERVICE_TBL ${CMAKE_CURRENT_LIST_DIR}/example.tbl APPEND) +idf_build_set_property(CUSTOM_SECURE_SERVICE_YAML ${CMAKE_CURRENT_LIST_DIR}/sec_srv_tbl_example.yml APPEND) # Append the directory of this component which is used by esp_tee component as # EXTRA_COMPONENT_DIRS