refactor(esp_tee): Component dependency cleanup for the TEE build

components/bootloader_support/CMakeLists.txt

@@ -24,12 +24,11 @@ if(esp_tee_build)
                                  "src/secure_boot_v2/secure_boot.c"
                                  "src/${IDF_TARGET}/secure_boot_secure_features.c")
         endif()
-        list(APPEND priv_requires efuse)
     endif()
 
     idf_component_register(SRCS ${tee_srcs}
                            INCLUDE_DIRS ${tee_inc_dirs}
-                           PRIV_REQUIRES efuse)
+                           PRIV_REQUIRES efuse esp_app_format)
     return()
 endif()
 

components/esp_tee/subproject/CMakeLists.txt

@@ -24,6 +24,9 @@ list(APPEND EXTRA_COMPONENT_DIRS ${CUSTOM_SECURE_SERVICE_COMPONENT_DIR})
 set(ESP_TEE_BUILD 1)
 set(NON_OS_BUILD 1)
 
+# Additional components
+list(APPEND COMPONENTS bootloader_support efuse mbedtls)
+
 # TEE-specific components
 list(APPEND COMPONENTS tee_flash_mgr tee_ota_ops tee_sec_storage tee_attestation)
 
@@ -37,9 +40,6 @@ if(CONFIG_IDF_TARGET_ARCH_RISCV)
     list(APPEND common_req riscv)
 endif()
 
-# Included for `esp_app_desc` configuration structure
-list(APPEND common_req esp_app_format)
-
 idf_build_set_property(__COMPONENT_REQUIRES_COMMON "${common_req}")
 idf_build_set_property(__OUTPUT_SDKCONFIG 0)
 # NOTE: Helps to analyse the components built for the TEE binary by CMake Graphviz

components/esp_tee/subproject/main/CMakeLists.txt

@@ -1,12 +1,6 @@
 idf_build_get_property(target IDF_TARGET)
 idf_build_get_property(arch IDF_TARGET_ARCH)
-idf_build_get_property(idf_path IDF_PATH)
-
-idf_component_get_property(efuse_dir efuse COMPONENT_DIR)
-idf_component_get_property(esp_hw_support_dir esp_hw_support COMPONENT_DIR)
-idf_component_get_property(hal_dir hal COMPONENT_DIR)
 idf_component_get_property(heap_dir heap COMPONENT_DIR)
-idf_component_get_property(mbedtls_dir mbedtls COMPONENT_DIR)
 
 set(srcs)
 set(include)
@@ -45,31 +39,11 @@ list(APPEND include "include"
 # Heap
 list(APPEND srcs "common/multi_heap.c")
 
-# Sources and headers shared with IDF
-list(APPEND include "${efuse_dir}/private_include"
-                    "${efuse_dir}/${target}/private_include")
-
-list(APPEND srcs "${hal_dir}/apm_hal.c"
-                 "${hal_dir}/brownout_hal.c"
-                 "${hal_dir}/wdt_hal_iram.c")
-
-if(CONFIG_SECURE_TEE_EXT_FLASH_MEMPROT_SPI1)
-    list(APPEND srcs "${hal_dir}/spi_flash_hal.c")
-endif()
-
 # TLSF implementation for heap
-list(APPEND include "${heap_dir}/include"
-                    "${heap_dir}/tlsf"
+list(APPEND include "${heap_dir}/tlsf"
                     "${heap_dir}/tlsf/include")
-list(APPEND srcs "${heap_dir}/tlsf/tlsf.c")
 
-# Crypto
-# AES
-list(APPEND include "${mbedtls_dir}/port/include"
-                    "${mbedtls_dir}/port/aes/include"
-                    "${mbedtls_dir}/port/aes/dma/include")
-# SHA
-list(APPEND include "${mbedtls_dir}/port/sha/core/include")
+list(APPEND srcs "${heap_dir}/tlsf/tlsf.c")
 
 # esp_app_desc_t configuration structure for TEE
 list(APPEND srcs "common/esp_app_desc_tee.c")

components/esp_tee/subproject/main/common/brownout.c

@@ -13,7 +13,6 @@
 #include "esp_cpu.h"
 #include "soc/soc.h"
 #include "esp_attr.h"
-#include "bootloader_flash.h"
 #include "hal/brownout_hal.h"
 #include "hal/brownout_ll.h"
 #include "esp_rom_sys.h"

components/esp_tee/subproject/main/ld/esp32c6/esp_tee.ld.in

@@ -102,12 +102,18 @@ SECTIONS
   .dram.tee.rodata :
   {
     _rodata_start = ABSOLUTE(.);
+    /* TEE flash manager */
     *libtee_flash_mgr.a:*(.rodata .srodata .rodata.* .srodata.*)
     *libbootloader_support.a:bootloader_flash.*(.rodata .srodata .rodata.* .srodata.*)
+    /* Secure services */
     *libmain.a:esp_secure_services.c.*(.rodata .srodata .rodata.* .srodata.*)
     *libmain.a:esp_secure_dispatcher.c.*(.rodata .srodata .rodata.* .srodata.*)
+    /* Panic handler */
     *libmain.a:panic_helper_riscv.*(.rodata .srodata .rodata.* .srodata.*)
     *libmain.a:esp_tee_apm_intr.c.*(.rodata .srodata .rodata.* .srodata.*)
+    /* HAL (noflash) */
+    *libhal.a:mmu_hal.c*(.rodata .srodata .rodata.* .srodata.*)
+    *libhal.a:cache_hal.c*(.rodata .srodata .rodata.* .srodata.*)
     _rodata_end = ABSOLUTE(.);
     _tee_dram_end = ABSOLUTE(.);
   } > dram_tee_seg
@@ -157,9 +163,41 @@ SECTIONS
     . = ALIGN(CONFIG_MMU_PAGE_SIZE) + 0x20;
   } > flash_text_seg
 
+
+/* HAL modules and their memory placement:
+ *
+ * +-----------+---------------+--------+
+ * | Module    | Section       | Memory |
+ * +-----------+---------------+--------+
+ * | MMU       | text+rodata   | SRAM   |
+ * | CACHE     | text+rodata   | SRAM   |
+ * | WDT       | text          | SRAM   |
+ * | APM       | text          | Flash  |
+ * | AES       | text          | Flash  |
+ * | SHA       | text          | Flash  |
+ * | BROWNOUT  | text          | Flash  |
+ * | EFUSE     | text          | Flash  |
+ * | LPTIMER   | text          | Flash  |
+ * | SPI_FLASH | text          | Flash  |
+ * +-----------+---------------+--------+
+ *
+ * By default, for ESP-TEE, text sections are placed in SRAM while rodata sections go to the flash.
+ * Therefore, only HAL modules that require SRAM placement for proper functionality are located there,
+ * while the remaining modules are placed in flash memory.
+ */
+
   .flash.text :
   {
     _tee_xip_text_start = ABSOLUTE(.);
+    /* HAL */
+    *libhal.a:aes_hal.c*(.literal .text .literal.* .text.*)
+    *libhal.a:sha_hal.c*(.literal .text .literal.* .text.*)
+    *libhal.a:apm_hal.c*(.literal .text .literal.* .text.*)
+    *libhal.a:brownout_hal.c*(.literal .text .literal.* .text.*)
+    *libhal.a:spi_flash_hal.c*(.literal .text .literal.* .text.*)
+    /* These HAL modules have functions marked with the IRAM_ATTR attribute which get placed in the SRAM */
+    *libhal.a:efuse_hal.c*(.literal .text .literal.* .text.*)
+    *libhal.a:lp_timer_hal.c*(.literal .text .literal.* .text.*)
     /* Mbedtls for TEE */
     *libmbedtls.a:*(.literal .text .literal.* .text.*)
     *libmbedcrypto.a:*(.literal .text .literal.* .text.*)

components/hal/CMakeLists.txt

@@ -45,7 +45,17 @@ if(NOT CONFIG_APP_BUILD_TYPE_PURE_RAM_APP)
     endif()
 endif()
 
-if(NOT BOOTLOADER_BUILD AND NOT esp_tee_build)
+if(esp_tee_build)
+    list(APPEND srcs "apm_hal.c"
+                     "brownout_hal.c"
+                     "wdt_hal_iram.c"
+                     "aes_hal.c"
+                     "sha_hal.c")
+
+    if(CONFIG_SECURE_TEE_EXT_FLASH_MEMPROT_SPI1)
+        list(APPEND srcs "spi_flash_hal.c")
+    endif()
+elseif(NOT BOOTLOADER_BUILD)
     list(APPEND srcs "color_hal.c")
 
     if(NOT CONFIG_APP_BUILD_TYPE_PURE_RAM_APP)

components/mbedtls/esp_tee/esp_tee_mbedtls.cmake

@@ -1,18 +1,18 @@
-idf_component_get_property(hal_dir hal COMPONENT_DIR)
 idf_component_get_property(heap_dir heap COMPONENT_DIR)
 
-set(priv_requires soc esp_hw_support)
+set(priv_requires esp_hw_support hal soc)
+
 set(include_dirs "${COMPONENT_DIR}/port/include"
                  "${COMPONENT_DIR}/mbedtls/include"
                  "${COMPONENT_DIR}/mbedtls/library")
 
+# Supporting headers
+list(APPEND include_dirs "${heap_dir}/include")
+
 # Shared GDMA layer for TEE
 set(srcs "${COMPONENT_DIR}/esp_tee/esp_tee_crypto_shared_gdma.c")
 
-# HAL for the AES/SHA peripherals
-list(APPEND srcs "${hal_dir}/aes_hal.c"
-                 "${hal_dir}/sha_hal.c")
-
+# AES-SHA implementation
 list(APPEND include_dirs "${COMPONENT_DIR}/port/aes/include"
                          "${COMPONENT_DIR}/port/aes/dma/include"
                          "${COMPONENT_DIR}/port/sha/core/include")
@@ -24,9 +24,6 @@ list(APPEND srcs "${COMPONENT_DIR}/port/aes/esp_aes_common.c"
 list(APPEND srcs "${COMPONENT_DIR}/port/sha/core/sha.c"
                  "${COMPONENT_DIR}/port/sha/esp_sha.c")
 
-# Supporting headers
-list(APPEND include_dirs "${heap_dir}/include")
-
 idf_component_register(INCLUDE_DIRS "${include_dirs}"
                        PRIV_REQUIRES "${priv_requires}"
                        SRCS "${srcs}")