feedc0de/esp-idf
1
0
Fork 0
forked from espressif/esp-idf
Code Pull Requests Activity

refactor(esp_tee): Migrate secure services list from TBL to YAML

Browse Source
This commit is contained in:
Laukik Hase
2025-01-28 17:57:03 +05:30
parent 8f117c7f4c
commit 37525c605d
19 changed files with 385 additions and 158 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
components/esp_tee/CMakeLists.txt
View File

@@ -1,5 +1,5 @@
idf_build_get_property(esp_tee_build ESP_TEE_BUILD) idf_build_get_property(esp_tee_build ESP_TEE_BUILD)
idf_build_get_property(custom_secure_service_tbl CUSTOM_SECURE_SERVICE_TBL) idf_build_get_property(custom_secure_service_yaml CUSTOM_SECURE_SERVICE_YAML)
idf_build_get_property(custom_secure_service_dir CUSTOM_SECURE_SERVICE_COMPONENT_DIR) idf_build_get_property(custom_secure_service_dir CUSTOM_SECURE_SERVICE_COMPONENT_DIR)
idf_build_get_property(custom_secure_service_component CUSTOM_SECURE_SERVICE_COMPONENT) idf_build_get_property(custom_secure_service_component CUSTOM_SECURE_SERVICE_COMPONENT)
idf_build_get_property(target IDF_TARGET) idf_build_get_property(target IDF_TARGET)
@@ -82,33 +82,33 @@ else()
endif() endif()
endif() endif()
set(secure_service_tbl_parser_py set(secure_service_yml
${COMPONENT_DIR}/scripts/secure_service_tbl_parser.py ${CMAKE_CURRENT_BINARY_DIR}/secure_service.tbl ${COMPONENT_DIR}/scripts/${IDF_TARGET}/sec_srv_tbl_default.yml ${custom_secure_service_yaml}
) )
set(secure_service_gen_headers set(secure_service_yml_parser_py
${CONFIG_DIR}/secure_service_num.h ${CONFIG_DIR}/secure_service_dec.h ${COMPONENT_DIR}/scripts/secure_service_yml_parser.py
${CONFIG_DIR}/secure_service_int.h ${CONFIG_DIR}/secure_service_ext.h
) )
if(CONFIG_SECURE_ENABLE_TEE AND NOT esp_tee_build) if(CONFIG_SECURE_ENABLE_TEE AND NOT esp_tee_build)
# Default secure service API families: flash_protection_spi0, flash_protection_spi1,
# interrupt_handling, hal, crypto, efuse, secure_storage, ota, attestation
set(exclude_srv)
if(NOT CONFIG_SECURE_TEE_ATTESTATION)
list(APPEND exclude_srv "attestation")
endif()
execute_process( execute_process(
COMMAND cat ${COMPONENT_DIR}/scripts/${target}/secure_service.tbl ${custom_secure_service_tbl} COMMAND python ${secure_service_yml_parser_py}
OUTPUT_FILE secure_service.tbl "--sec_srv" ${secure_service_yml}
WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} "--exclude" ${exclude_srv}
WORKING_DIRECTORY ${CONFIG_DIR}
) )
execute_process( execute_process(
COMMAND python ${secure_service_tbl_parser_py} ${secure_service_gen_headers} COMMAND python ${secure_service_yml_parser_py}
WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} "--sec_srv" ${secure_service_yml}
) "--exclude" ${exclude_srv} "--wrap"
set_property(DIRECTORY ${COMPONENT_DIR} APPEND PROPERTY
ADDITIONAL_MAKE_CLEAN_FILES ${secure_service_gen_headers}
)
execute_process(
COMMAND python ${secure_service_tbl_parser_py} "--wrap"
OUTPUT_VARIABLE wrap_list OUTPUT_VARIABLE wrap_list
WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
OUTPUT_STRIP_TRAILING_WHITESPACE OUTPUT_STRIP_TRAILING_WHITESPACE

212
components/esp_tee/scripts/esp32c6/sec_srv_tbl_default.yml Normal file
View File

@@ -0,0 +1,212 @@
secure_services:
- family: misc
entries:
- id: 0
type: custom
function: invalid_secure_service
args: 0
# ID: 1-4 (4) - External memory (Flash) protection [SPI0]
- family: flash_protection_spi0
entries:
- id: 1
type: IDF
function: mmu_hal_map_region
args: 6
- id: 2
type: IDF
function: mmu_hal_unmap_region
args: 3
- id: 3
type: IDF
function: mmu_hal_vaddr_to_paddr
args: 4
- id: 4
type: IDF
function: mmu_hal_paddr_to_vaddr
args: 5
# ID: 30-53 (24) - Interrupt Handling
- family: interrupt_handling
entries:
- id: 30
type: IDF
function: esp_rom_route_intr_matrix
args: 3
- id: 31
type: IDF
function: rv_utils_intr_enable
args: 1
- id: 32
type: IDF
function: rv_utils_intr_disable
args: 1
- id: 33
type: IDF
function: rv_utils_intr_set_priority
args: 2
- id: 34
type: IDF
function: rv_utils_intr_set_type
args: 2
- id: 35
type: IDF
function: rv_utils_intr_set_threshold
args: 1
- id: 36
type: IDF
function: rv_utils_intr_edge_ack
args: 1
- id: 37
type: IDF
function: rv_utils_intr_global_enable
args: 0
# ID: 54-85 (32) - HAL
- family: hal
entries:
- id: 54
type: IDF
function: efuse_hal_chip_revision
args: 0
- id: 55
type: IDF
function: efuse_hal_get_chip_ver_pkg
args: 1
- id: 56
type: IDF
function: efuse_hal_get_disable_wafer_version_major
args: 0
- id: 57
type: IDF
function: efuse_hal_get_mac
args: 1
- id: 58
type: IDF
function: wdt_hal_init
args: 4
- id: 59
type: IDF
function: wdt_hal_deinit
args: 1
# ID: 86-133 (48) - Crypto
- family: crypto
entries:
- id: 86
type: IDF
function: esp_aes_intr_alloc
args: 0
- id: 87
type: IDF
function: esp_aes_crypt_cbc
args: 6
- id: 88
type: IDF
function: esp_aes_crypt_cfb8
args: 6
- id: 89
type: IDF
function: esp_aes_crypt_cfb128
args: 7
- id: 90
type: IDF
function: esp_aes_crypt_ctr
args: 7
- id: 91
type: IDF
function: esp_aes_crypt_ecb
args: 4
- id: 92
type: IDF
function: esp_aes_crypt_ofb
args: 6
- id: 93
type: IDF
function: esp_sha
args: 4
- id: 94
type: IDF
function: esp_sha_block
args: 3
- id: 95
type: IDF
function: esp_sha_dma
args: 6
- id: 96
type: IDF
function: esp_sha_read_digest_state
args: 2
- id: 97
type: IDF
function: esp_sha_write_digest_state
args: 2
# ID: 134-149 (16) - eFuse
- family: efuse
entries:
- id: 134
type: IDF
function: esp_efuse_check_secure_version
args: 1
- id: 135
type: IDF
function: esp_efuse_read_field_blob
args: 3
- id: 136
type: IDF
function: esp_flash_encryption_enabled
args: 0
# ID: 150-169 (20) - Reserved for future use
- family: attestation
entries:
- id: 170
type: custom
function: esp_tee_att_generate_token
args: 6
# ID: 175-194 (20) - Secure Storage
- family: secure_storage
entries:
- id: 175
type: custom
function: esp_tee_sec_storage_init
args: 0
- id: 176
type: custom
function: esp_tee_sec_storage_gen_key
args: 2
- id: 177
type: custom
function: esp_tee_sec_storage_get_signature
args: 4
- id: 178
type: custom
function: esp_tee_sec_storage_get_pubkey
args: 2
- id: 179
type: custom
function: esp_tee_sec_storage_encrypt
args: 8
- id: 180
type: custom
function: esp_tee_sec_storage_decrypt
args: 8
- id: 181
type: custom
function: esp_tee_sec_storage_is_slot_empty
args: 1
- id: 182
type: custom
function: esp_tee_sec_storage_clear_slot
args: 1
# ID: 195-199 (5) - OTA
- family: ota
entries:
- id: 195
type: custom
function: esp_tee_ota_begin
args: 0
- id: 196
type: custom
function: esp_tee_ota_write
args: 3
- id: 197
type: custom
function: esp_tee_ota_end
args: 0
# ID: 200+ - User-defined

57
components/esp_tee/scripts/esp32c6/secure_service.tbl
View File

@@ -1,57 +0,0 @@
# SS no. API type Function Args
0 custom invalid_secure_service 0
# ID: 1-47 (47) - External memory (Flash) protection
1 IDF mmu_hal_map_region 6
2 IDF mmu_hal_unmap_region 3
3 IDF mmu_hal_vaddr_to_paddr 4
4 IDF mmu_hal_paddr_to_vaddr 5
# Services before the ID 48 will be placed in the internal memory table,
# while the rest will be placed in the external memory table.
# ID: 48-71 (24) - Interrupt Handling
48 IDF esp_rom_route_intr_matrix 3
49 IDF rv_utils_intr_enable 1
50 IDF rv_utils_intr_disable 1
51 IDF rv_utils_intr_set_priority 2
52 IDF rv_utils_intr_set_type 2
53 IDF rv_utils_intr_set_threshold 1
54 IDF rv_utils_intr_edge_ack 1
55 IDF rv_utils_intr_global_enable 0
# ID: 72-119 (48) - HAL
72 IDF efuse_hal_chip_revision 0
73 IDF efuse_hal_get_chip_ver_pkg 1
74 IDF efuse_hal_get_disable_wafer_version_major 0
75 IDF efuse_hal_get_mac 1
76 IDF wdt_hal_init 4
77 IDF wdt_hal_deinit 1
# ID: 120-167 (48) - Crypto
120 IDF esp_aes_intr_alloc 0
121 IDF esp_aes_crypt_cbc 6
122 IDF esp_aes_crypt_cfb8 6
123 IDF esp_aes_crypt_cfb128 7
124 IDF esp_aes_crypt_ctr 7
125 IDF esp_aes_crypt_ecb 4
126 IDF esp_aes_crypt_ofb 6
127 IDF esp_sha 4
128 IDF esp_sha_dma 6
129 IDF esp_sha_read_digest_state 2
130 IDF esp_sha_write_digest_state 2
131 IDF esp_sha_block 3
# ID: 168-183 (16) - eFuse
168 IDF esp_efuse_check_secure_version 1
169 IDF esp_efuse_read_field_blob 3
170 IDF esp_flash_encryption_enabled 0
# ID: 184-249 (66) - Reserved for future use
# ID: 270-293 (24) - Secure Storage
270 custom esp_tee_sec_storage_init 0
271 custom esp_tee_sec_storage_gen_key 2
272 custom esp_tee_sec_storage_get_signature 4
273 custom esp_tee_sec_storage_get_pubkey 2
274 custom esp_tee_sec_storage_encrypt 8
275 custom esp_tee_sec_storage_decrypt 8
276 custom esp_tee_sec_storage_is_slot_empty 1
277 custom esp_tee_sec_storage_clear_slot 1
# ID: 294-299 (6) - OTA
294 custom esp_tee_ota_begin 0
295 custom esp_tee_ota_write 3
296 custom esp_tee_ota_end 0
# ID: 300+ - User-defined

64
components/esp_tee/scripts/secure_service_tbl_parser.py → components/esp_tee/scripts/secure_service_yml_parser.py
View File

@@ -1,25 +1,37 @@
# SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD # SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
import argparse import argparse
import re
from typing import List from typing import List
from typing import Set
from typing import Tuple from typing import Tuple
SEC_SRV_TABLE_SPLIT_ID = 48 import yaml
SEC_SRV_TABLE_SPLIT_ID = 30
OUTPUT_HEADERS = [
'secure_service_num.h',
'secure_service_dec.h',
'secure_service_int.h',
'secure_service_ext.h',
]
def parse_services(secure_service_tbl: str) -> List[Tuple[int, str, int]]: def parse_services(yml_files: List[str], excluded_fam: Set[str]) -> List[Tuple[int, str, int]]:
services, service_ids = [], set() services, service_ids = [], set()
pattern = re.compile(r'^([0-9A-Fa-fXx]+)\s+\S+\s+(\S+)\s+(\d+)')
with open(secure_service_tbl, 'r') as f: for yml_file in yml_files:
for line in f: with open(yml_file, 'r') as f:
if match := pattern.match(line): data = yaml.safe_load(f)
service_id = int(match.group(1), 0) for family in data.get('secure_services', []):
family_name = family.get('family', '')
if family_name in excluded_fam:
continue
for entry in family.get('entries', []):
service_id = entry['id']
if service_id in service_ids: if service_id in service_ids:
raise ValueError(f'Duplicate service call ID found: 0x{service_id:X}') raise ValueError(f'Duplicate service call ID found: 0x{service_id:X}')
service_ids.add(service_id) service_ids.add(service_id)
services.append((service_id, match.group(2), int(match.group(3)))) services.append((service_id, entry['function'], entry['args']))
return sorted(services, key=lambda x: x[0]) return sorted(services, key=lambda x: x[0])
@@ -83,30 +95,36 @@ def generate_table_split(services: List[Tuple[int, str, int]], output_file_1: st
f2.write(header + body_2) f2.write(header + body_2)
def generate_wrap_list(secure_service_tbl: str) -> None: def generate_wrap_list(yml_files: List[str], excluded_fam: Set[str]) -> None:
pattern = re.compile(r'^[0-9A-Fa-fXx]+\s+IDF\s+(\S+)\s+\d+') wrap_list: list[str] = []
with open(secure_service_tbl, 'r') as f: for yml_file in yml_files:
wrap_list = [f'-Wl,--wrap={match.group(1)}' for line in f if (match := pattern.match(line))] with open(yml_file, 'r') as f:
data = yaml.safe_load(f)
wrap_list.extend(
f'-Wl,--wrap={entry["function"]}'
for family in data.get('secure_services', [])
for entry in family.get('entries', [])
if entry['type'] == 'IDF' and family.get('family', '') not in excluded_fam
)
print(' '.join(wrap_list), end='') print(' '.join(wrap_list), end='')
def main() -> None: def main() -> None:
parser = argparse.ArgumentParser(description='Generate secure service outputs') parser = argparse.ArgumentParser(description='Generate secure service outputs from YAML table')
parser.add_argument('--wrap', action='store_true', help='Generate linker wrap options') parser.add_argument('--wrap', action='store_true', help='Generate linker wrap options')
parser.add_argument('secure_service_tbl', type=str, help='Path to secure service table file') parser.add_argument('-s', '--sec_srv', nargs='+', required=True, help='Secure service table(s) in YAML')
parser.add_argument('output_files', nargs='*', help='Output files: [secure_service_num.h, secure_service_dec.h, secure_service_1.h, secure_service_2.h]') parser.add_argument('--exclude', nargs='*', default=[], help='List of API families to exclude from the output')
args = parser.parse_args() args = parser.parse_args()
excluded_fam = set(args.exclude)
if args.wrap: if args.wrap:
generate_wrap_list(args.secure_service_tbl) generate_wrap_list(args.sec_srv, excluded_fam)
else: else:
if len(args.output_files) != 4: services = parse_services(args.sec_srv, excluded_fam)
parser.error('Missing output header files!') generate_num_header(services, OUTPUT_HEADERS[0])
services = parse_services(args.secure_service_tbl) generate_dec_header(services, OUTPUT_HEADERS[1])
generate_num_header(services, args.output_files[0]) generate_table_split(services, OUTPUT_HEADERS[2], OUTPUT_HEADERS[3])
generate_dec_header(services, args.output_files[1])
generate_table_split(services, args.output_files[2], args.output_files[3])
if __name__ == '__main__': if __name__ == '__main__':

5
components/esp_tee/subproject/components/tee_attestation/esp_tee_att.cmake
View File

@@ -1,5 +0,0 @@
# This file must be manually included in the project's top level CMakeLists.txt before project()
# This ensures that the variables are set before TEE starts building
# Append secure service table consisting of secure services
idf_build_set_property(CUSTOM_SECURE_SERVICE_TBL ${CMAKE_CURRENT_LIST_DIR}/esp_tee_att.tbl APPEND)

2
components/esp_tee/subproject/components/tee_attestation/esp_tee_att.tbl
View File

@@ -1,2 +0,0 @@
# SS no. API type Function Args
250 custom esp_tee_att_generate_token 6

3
components/esp_tee/test_apps/tee_cli_app/CMakeLists.txt
View File

@@ -4,7 +4,4 @@ cmake_minimum_required(VERSION 3.16)
include($ENV{IDF_PATH}/tools/cmake/project.cmake) include($ENV{IDF_PATH}/tools/cmake/project.cmake)
# For registering the attestation secure service
include($ENV{IDF_PATH}/components/esp_tee/subproject/components/tee_attestation/esp_tee_att.cmake)
project(tee_cli) project(tee_cli)

1
components/esp_tee/test_apps/tee_test_fw/CMakeLists.txt
View File

@@ -5,6 +5,5 @@ include($ENV{IDF_PATH}/tools/cmake/project.cmake)
# For registering the test-specific and attestation secure services # For registering the test-specific and attestation secure services
include(${CMAKE_CURRENT_LIST_DIR}/components/test_sec_srv/test_tee_project.cmake) include(${CMAKE_CURRENT_LIST_DIR}/components/test_sec_srv/test_tee_project.cmake)
include($ENV{IDF_PATH}/components/esp_tee/subproject/components/tee_attestation/esp_tee_att.cmake)
project(esp_tee_test) project(esp_tee_test)

71
components/esp_tee/test_apps/tee_test_fw/components/test_sec_srv/sec_srv_tbl_test.yml Normal file
View File

@@ -0,0 +1,71 @@
secure_services:
- family: test
entries:
- id: 200
type: custom
function: esp_tee_service_add
args: 2
- id: 201
type: custom
function: esp_tee_service_sub
args: 2
- id: 202
type: custom
function: esp_tee_service_mul
args: 2
- id: 203
type: custom
function: esp_tee_service_div
args: 2
- id: 204
type: custom
function: esp_tee_test_timer_init
args: 1
- id: 205
type: custom
function: esp_tee_secure_int_test
args: 0
- id: 206
type: custom
function: esp_tee_non_secure_int_test
args: 1
- id: 207
type: custom
function: esp_tee_test_int_count
args: 1
- id: 208
type: custom
function: esp_tee_test_resv_reg1_write_violation
args: 0
- id: 209
type: custom
function: esp_tee_test_resv_reg1_exec_violation
args: 0
- id: 210
type: custom
function: esp_tee_test_iram_reg1_write_violation
args: 0
- id: 211
type: custom
function: esp_tee_test_iram_reg2_write_violation
args: 0
- id: 212
type: custom
function: esp_tee_test_dram_reg1_exec_violation
args: 0
- id: 213
type: custom
function: esp_tee_test_dram_reg2_exec_violation
args: 0
- id: 214
type: custom
function: esp_tee_test_illegal_instruction
args: 0
- id: 215
type: custom
function: dummy_secure_service
args: 0
- id: 216
type: custom
function: add_in_loop
args: 3

18
components/esp_tee/test_apps/tee_test_fw/components/test_sec_srv/test.tbl
View File

@@ -1,18 +0,0 @@
# SS no. API type Function Args
300 custom esp_tee_service_add 2
301 custom esp_tee_service_sub 2
302 custom esp_tee_service_mul 2
303 custom esp_tee_service_div 2
304 custom esp_tee_test_timer_init 1
305 custom esp_tee_secure_int_test 0
306 custom esp_tee_non_secure_int_test 1
307 custom esp_tee_test_int_count 1
308 custom esp_tee_test_resv_reg1_write_violation 0
309 custom esp_tee_test_resv_reg1_exec_violation 0
310 custom esp_tee_test_iram_reg1_write_violation 0
311 custom esp_tee_test_iram_reg2_write_violation 0
312 custom esp_tee_test_dram_reg1_exec_violation 0
313 custom esp_tee_test_dram_reg2_exec_violation 0
314 custom esp_tee_test_illegal_instruction 0
315 custom dummy_secure_service 0
316 custom add_in_loop 3

2
components/esp_tee/test_apps/tee_test_fw/components/test_sec_srv/test_tee_project.cmake
View File

@@ -5,7 +5,7 @@ get_filename_component(directory "${CMAKE_CURRENT_LIST_DIR}/.." ABSOLUTE DIRECTO
get_filename_component(name ${CMAKE_CURRENT_LIST_DIR} NAME) get_filename_component(name ${CMAKE_CURRENT_LIST_DIR} NAME)
# Append secure service table consisting of secure services # Append secure service table consisting of secure services
idf_build_set_property(CUSTOM_SECURE_SERVICE_TBL ${CMAKE_CURRENT_LIST_DIR}/test.tbl APPEND) idf_build_set_property(CUSTOM_SECURE_SERVICE_YAML ${CMAKE_CURRENT_LIST_DIR}/sec_srv_tbl_test.yml APPEND)
# Append the directory of this component which is used by esp_tee component as # Append the directory of this component which is used by esp_tee component as
# EXTRA_COMPONENT_DIRS # EXTRA_COMPONENT_DIRS

40
docs/en/security/tee/tee-advanced.rst
View File

@@ -286,31 +286,43 @@ To extend the ESP-TEE framework with custom service calls, follow the steps outl
1. Create a Custom Service Call Table 1. Create a Custom Service Call Table
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Define a component for defining custom service calls and create a ``.tbl`` file within the component. Define a component for defining custom service calls and create a ``.yml`` file within the component.
.. code-block:: bash .. code-block:: bash
touch <path/to/tbl/file>/custom_srvcall.tbl touch <path/to/yml/file>/custom_srvcall.yml
Add your custom service call entries to the ``.tbl`` file in the following format: Add your custom service call entries to the ``.yml`` file in the following format:
.. code-block:: none .. code-block:: yaml
<service_call_number> custom <function_name> <arguments_count> secure_services:
- family: <api_family>
entries:
- id: <service_call_number>
type: custom
function: <function_name>
args: <arguments_count>
**Example Entry** **Example Entry**
.. code-block:: none .. code-block:: yaml
# SS no. API type Function Args secure_services:
201 custom custom_sec_srv_op 1 - family: example
entries:
- id: 300
type: custom
function: example_sec_serv_aes_op
args: 5
- ``201``: Unique service call number
- ``300``: Unique service call number
- ``custom``: Custom service call type - ``custom``: Custom service call type
- ``custom_sec_srv_op``: Function name - ``example_sec_serv_aes_op``: Function name
- ``1``: Number of arguments - ``5``: Number of arguments
Ensure that the custom service call numbers does not conflict with the :component_file:`default service call table<esp_tee/scripts/{IDF_TARGET_PATH_NAME}/secure_service.tbl>`. The ESP-TEE framework parses the custom service call table along with the default table to generate relevant header files used in applications. Ensure that the custom service call numbers does not conflict with the :component_file:`default service call table<esp_tee/scripts/{IDF_TARGET_PATH_NAME}/sec_srv_tbl_default.yml>`. The ESP-TEE framework parses the custom service call table along with the default table to generate relevant header files used in applications.
2. Define the Service Call Implementation 2. Define the Service Call Implementation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -327,7 +339,7 @@ Define the function corresponding to the custom service call in the TEE. This fu
return 0; return 0;
} }
The function name should have the prefix ``_ss_`` before the name and must match the name specified in the ``.tbl`` file. The function name should have the prefix ``_ss_`` before the name and must match the name specified in the ``.yml`` file.
For reference, all default service call functions are defined in the :component_file:`file<esp_tee/subproject/main/core/esp_secure_services.c>`. For reference, all default service call functions are defined in the :component_file:`file<esp_tee/subproject/main/core/esp_secure_services.c>`.
@@ -342,7 +354,7 @@ Define a CMake file (e.g., ``custom_sec_srv.cmake``) in the component that defin
.. code-block:: cmake .. code-block:: cmake
idf_build_set_property(CUSTOM_SECURE_SERVICE_TBL ${CMAKE_CURRENT_LIST_DIR}/custom_srvcall.tbl APPEND) idf_build_set_property(CUSTOM_SECURE_SERVICE_YAML ${CMAKE_CURRENT_LIST_DIR}/custom_srvcall.yml APPEND)
#. Set the custom component directory and name so that the ``esp_tee`` subproject can use it #. Set the custom component directory and name so that the ``esp_tee`` subproject can use it

4
docs/en/security/tee/tee-attestation.rst
View File

@@ -255,8 +255,6 @@ API Reference
.. note:: .. note::
- To use the TEE Attestation APIs in your project, ensure that the :component:`tee_attestation <esp_tee/subproject/components/tee_attestation>` component is listed as a local dependency in the component manager manifest file `idf_component.yml <https://docs.espressif.com/projects/idf-component-manager/en/latest/reference/manifest_file.html>`_. Refer to the :example:`tee_attestation <security/tee/tee_attestation>` example for guidance. To use the TEE Attestation APIs in your project, ensure that the :component:`tee_attestation <esp_tee/subproject/components/tee_attestation>` component is listed as a local dependency in the component manager manifest file `idf_component.yml <https://docs.espressif.com/projects/idf-component-manager/en/latest/reference/manifest_file.html>`_. Refer to the :example:`tee_attestation <security/tee/tee_attestation>` example for guidance.
- Additionally, the component-specific :component_file:`CMake <esp_tee/subproject/components/tee_attestation/esp_tee_att.cmake>` file needs to be included in the top-level ``CMakeLists.txt`` of your project before calling the ``project()`` command to integrate the corresponding service calls into the project.
.. include-build-file:: inc/esp_tee_attestation.inc .. include-build-file:: inc/esp_tee_attestation.inc

2
docs/en/security/tee/tee.rst
View File

@@ -120,7 +120,7 @@ All features that the TEE exposes to the REE are implemented as secure services.
Since multitasking is not currently supported in the TEE, secure service calls are serialized, and subsequent calls remain pending until the current service completes. Since multitasking is not currently supported in the TEE, secure service calls are serialized, and subsequent calls remain pending until the current service completes.
For {IDF_TARGET_NAME}, a list of secure services can be found at this :component_file:`table<esp_tee/scripts/{IDF_TARGET_PATH_NAME}/secure_service.tbl>`. Following are the types of secure services. For {IDF_TARGET_NAME}, a list of secure services can be found at this :component_file:`table<esp_tee/scripts/{IDF_TARGET_PATH_NAME}/sec_srv_tbl_default.yml>`. Following are the types of secure services.
- **Core secure services**: Built-in services within the TEE firmware that provide routine functionalities to the REE, such as interrupt configuration and eFuse access. - **Core secure services**: Built-in services within the TEE firmware that provide routine functionalities to the REE, such as interrupt configuration and eFuse access.

3
examples/security/tee/tee_attestation/CMakeLists.txt
View File

@@ -4,9 +4,6 @@ cmake_minimum_required(VERSION 3.16)
include($ENV{IDF_PATH}/tools/cmake/project.cmake) include($ENV{IDF_PATH}/tools/cmake/project.cmake)
# For registering the attestation secure service
include($ENV{IDF_PATH}/components/esp_tee/subproject/components/tee_attestation/esp_tee_att.cmake)
# "Trim" the build. Include the minimal set of components, main, and anything it depends on. # "Trim" the build. Include the minimal set of components, main, and anything it depends on.
idf_build_set_property(MINIMAL_BUILD ON) idf_build_set_property(MINIMAL_BUILD ON)
project(tee_attestation) project(tee_attestation)

2
examples/security/tee/tee_basic/README.md
View File

@@ -13,7 +13,7 @@
└── example_secure_service # Component parent directory └── example_secure_service # Component parent directory
├── CMakeLists.txt ├── CMakeLists.txt
├── example_service.c # Custom secure service APIs ├── example_service.c # Custom secure service APIs
├── example.tbl # Custom secure service table, which is appended to the default one provided by TEE ├── sec_srv_tbl_example.yml # Custom secure service table, which is parsed alongwith the default one provided by TEE
├── include ├── include
│   └── example_service.h │   └── example_service.h
└── tee_project.cmake # To be manually included in the project's top level CMakeLists.txt before project(...) └── tee_project.cmake # To be manually included in the project's top level CMakeLists.txt before project(...)

2
examples/security/tee/tee_basic/components/example_secure_service/example.tbl
View File

@@ -1,2 +0,0 @@
# SS no. API type Function Args
300 custom example_sec_serv_aes_op 5

7
examples/security/tee/tee_basic/components/example_secure_service/sec_srv_tbl_example.yml Normal file
View File

@@ -0,0 +1,7 @@
secure_services:
- family: example
entries:
- id: 200
type: custom
function: example_sec_serv_aes_op
args: 5

4
examples/security/tee/tee_basic/components/example_secure_service/tee_project.cmake
View File

@@ -1,11 +1,11 @@
# tee_project.cmake file must be manually included in the project's top level CMakeLists.txt before project() # This file must be manually included in the project's top level CMakeLists.txt before project()
# This ensures that the variables are set before TEE starts building # This ensures that the variables are set before TEE starts building
get_filename_component(directory "${CMAKE_CURRENT_LIST_DIR}/.." ABSOLUTE DIRECTORY) get_filename_component(directory "${CMAKE_CURRENT_LIST_DIR}/.." ABSOLUTE DIRECTORY)
get_filename_component(name ${CMAKE_CURRENT_LIST_DIR} NAME) get_filename_component(name ${CMAKE_CURRENT_LIST_DIR} NAME)
# Append secure service table consisting of secure services # Append secure service table consisting of secure services
idf_build_set_property(CUSTOM_SECURE_SERVICE_TBL ${CMAKE_CURRENT_LIST_DIR}/example.tbl APPEND) idf_build_set_property(CUSTOM_SECURE_SERVICE_YAML ${CMAKE_CURRENT_LIST_DIR}/sec_srv_tbl_example.yml APPEND)
# Append the directory of this component which is used by esp_tee component as # Append the directory of this component which is used by esp_tee component as
# EXTRA_COMPONENT_DIRS # EXTRA_COMPONENT_DIRS