diff --git a/components/bootloader_support/src/bootloader_mem.c b/components/bootloader_support/src/bootloader_mem.c
index 2c428b7b0f..b8dbd700d6 100644
--- a/components/bootloader_support/src/bootloader_mem.c
+++ b/components/bootloader_support/src/bootloader_mem.c
@@ -27,7 +27,15 @@ void bootloader_init_mem(void)
 */
 #ifdef SOC_APM_CTRL_FILTER_SUPPORTED
 apm_hal_apm_ctrl_filter_enable_all(false);
-#endif
+ /* [APM] On power-up, only the HP CPU starts in TEE mode; others default to REE2.
+ * APM blocks REE0–REE2 access by default. C5 ECO2 adds per-peripheral control
+ * (default REEx blocking), but config support is pending. As a workaround,
+ * all masters are set to TEE mode.
+ */
+#if SOC_APM_SUPPORT_TEE_PERI_ACCESS_CTRL
+ apm_tee_hal_set_master_secure_mode_all(APM_LL_SECURE_MODE_TEE);
+#endif // SOC_APM_SUPPORT_TEE_PERI_ACCESS_CTRL
+#endif // SOC_APM_CTRL_FILTER_SUPPORTED
 #endif
 #ifdef CONFIG_BOOTLOADER_REGION_PROTECTION_ENABLE
diff --git a/components/hal/apm_hal.c b/components/hal/apm_hal.c
index 75f8a48d4d..e82f491f5e 100644
--- a/components/hal/apm_hal.c
+++ b/components/hal/apm_hal.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -58,6 +58,16 @@ void apm_tee_hal_set_master_secure_mode(apm_ll_apm_ctrl_t apm_ctrl, apm_ll_maste
 apm_tee_ll_set_master_secure_mode(apm_ctrl, master_id, sec_mode);
 }
+void apm_tee_hal_set_master_secure_mode_all(apm_ll_secure_mode_t sec_mode)
+{
+ for (int i = 0; i < APM_LL_MASTER_MAX; i++) {
+ apm_tee_hal_set_master_secure_mode(HP_APM_CTRL, i, sec_mode);
+ }
+#if SOC_LP_CORE_SUPPORTED
+ apm_tee_hal_set_master_secure_mode(LP_APM_CTRL, APM_LL_MASTER_LPCORE, sec_mode);
+#endif
+}
+
 void apm_tee_hal_clk_gating_enable(bool enable)
 {
 apm_tee_ll_clk_gating_enable(enable);
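Review bot: The added `apm_tee_hal_set_master_secure_mode_all(APM_LL_SECURE_MODE_TEE)` call in bootloader_init_mem puts every bus master in TEE mode, so from this point the APM no longer separates trusted from untrusted masters, and only the prose comment marks this as temporary. The comment should carry a tracking marker and state whether later TEE initialisation is expected to move masters back out of TEE mode, for example `/* TODO(<tracking-id>): remove once per-peripheral TEE access config is supported; master modes must be re-assigned before the APM filters are enabled */`. The comment describes only the guarded call, so it would sit better inside the `#if SOC_APM_SUPPORT_TEE_PERI_ACCESS_CTRL` block. The function starts and ends outside the hunk.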
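Review bot: The loop in apm_tee_hal_set_master_secure_mode_all passes a plain `int` as the master id and writes a mode for every value below APM_LL_MASTER_MAX. That assumes the master-id enum is dense and that each value names a real master on HP_APM_CTRL; the enum is not visible in this diff, so this should be confirmed. An explicit cast makes the conversion intentional: `apm_tee_hal_set_master_secure_mode(HP_APM_CTRL, (apm_ll_master_id_t)i, sec_mode);`. On LP_APM_CTRL only APM_LL_MASTER_LPCORE is written, so a short comment above that call should say why the other ids are skipped there.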
diff --git a/components/hal/include/hal/apm_hal.h b/components/hal/include/hal/apm_hal.h
index 23714f3f62..6f95b26af4 100644
--- a/components/hal/include/hal/apm_hal.h
+++ b/components/hal/include/hal/apm_hal.h
@@ -136,6 +136,13 @@ typedef struct {
 void apm_tee_hal_set_master_secure_mode(apm_ll_apm_ctrl_t apm_ctrl, apm_ll_master_id_t master_id, apm_ll_secure_mode_t sec_mode);
+/**
+ * @brief Set all masters to a given secure mode
+ *
+ * @param sec_mode Secure mode
+ */
+void apm_tee_hal_set_master_secure_mode_all(apm_ll_secure_mode_t sec_mode);
+
 /**
 * @brief TEE controller clock auto gating enable
 *
diff --git a/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in
index e2377f087e..7fde2d8c23 100644
--- a/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in
+++ b/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in
@@ -1427,6 +1427,10 @@ config SOC_APM_LP_APM0_SUPPORTED
 bool
 default y
+config SOC_APM_SUPPORT_TEE_PERI_ACCESS_CTRL
+ bool
+ default y
+
 config SOC_CRYPTO_DPA_PROTECTION_SUPPORTED
 bool
 default y
diff --git a/components/soc/esp32c5/include/soc/soc_caps.h b/components/soc/esp32c5/include/soc/soc_caps.h
index 5688d39afc..42dcfd3488 100644
--- a/components/soc/esp32c5/include/soc/soc_caps.h
+++ b/components/soc/esp32c5/include/soc/soc_caps.h
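Review bot: The doc comment on apm_tee_hal_set_master_secure_mode_all in apm_hal.h says "all masters" but does not say which controllers are covered or that modes set earlier are overwritten, which a caller needs to know for a function that changes bus-master privilege. Going by the implementation in this commit, add `@note Overwrites the mode of every master id on HP_APM_CTRL and, when the LP core is supported, of APM_LL_MASTER_LPCORE on LP_APM_CTRL`. The parameter line could also be made specific: `@param sec_mode Secure mode applied to every master`.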
@@ -558,8 +558,9 @@
 #define SOC_BOOTLOADER_ANTI_ROLLBACK_SUPPORTED (0)
 /*-------------------------- APM CAPS-----------------------------------------*/
-#define SOC_APM_CTRL_FILTER_SUPPORTED 1 /*!< Support for APM control filter */
-#define SOC_APM_LP_APM0_SUPPORTED 1 /*!< Support for LP APM0 control filter */
+#define SOC_APM_CTRL_FILTER_SUPPORTED 1 /*!< Support for APM control filter */
+#define SOC_APM_LP_APM0_SUPPORTED 1 /*!< Support for LP APM0 control filter */
+#define SOC_APM_SUPPORT_TEE_PERI_ACCESS_CTRL 1 /*!< Support for TEE controller per-peripheral access control */
 /*------------------------ Anti DPA (Security) CAPS --------------------------*/
 #define SOC_CRYPTO_DPA_PROTECTION_SUPPORTED 1
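Review bot: SOC_APM_SUPPORT_TEE_PERI_ACCESS_CTRL is defined as 1 for every ESP32-C5 build, while the bootloader comment added in this commit ties per-peripheral control to C5 ECO2. If earlier revisions do not have this control, the all-masters-to-TEE workaround appears to run on them as well with nothing to compensate for. Either the comment on the define should name the revision, for example `/*!< Support for TEE controller per-peripheral access control (C5 ECO2 onwards) */`, or the bootloader call should be conditioned on the chip revision. This is inferred from the comment text only and should be checked against the revision data.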