Merge branch 'refactor/esp_tee_aes_gcm_port' into 'master'

refactor(esp_tee): Use the AES-GCM port layer for operations in the TEE

See merge request espressif/esp-idf!37650
Mahavir Jain
2025-03-20 16:11:38 +08:00
9 changed files with 86 additions and 61 deletions


@@ -24,12 +24,11 @@ if(esp_tee_build)
"src/secure_boot_v2/secure_boot.c"
"src/${IDF_TARGET}/secure_boot_secure_features.c")
endif()
list(APPEND priv_requires efuse)
endif()
idf_component_register(SRCS ${tee_srcs}
INCLUDE_DIRS ${tee_inc_dirs}
PRIV_REQUIRES efuse)
PRIV_REQUIRES efuse esp_app_format)
return()
endif()


@@ -24,6 +24,9 @@ list(APPEND EXTRA_COMPONENT_DIRS ${CUSTOM_SECURE_SERVICE_COMPONENT_DIR})
set(ESP_TEE_BUILD 1)
set(NON_OS_BUILD 1)
# Additional components
list(APPEND COMPONENTS bootloader_support efuse mbedtls)
# TEE-specific components
list(APPEND COMPONENTS tee_flash_mgr tee_ota_ops tee_sec_storage tee_attestation)
@@ -37,9 +40,6 @@ if(CONFIG_IDF_TARGET_ARCH_RISCV)
list(APPEND common_req riscv)
endif()
# Included for `esp_app_desc` configuration structure
list(APPEND common_req esp_app_format)
idf_build_set_property(__COMPONENT_REQUIRES_COMMON "${common_req}")
idf_build_set_property(__OUTPUT_SDKCONFIG 0)
# NOTE: Helps to analyse the components built for the TEE binary by CMake Graphviz


@@ -1,12 +1,6 @@
idf_build_get_property(target IDF_TARGET)
idf_build_get_property(arch IDF_TARGET_ARCH)
idf_build_get_property(idf_path IDF_PATH)
idf_component_get_property(efuse_dir efuse COMPONENT_DIR)
idf_component_get_property(esp_hw_support_dir esp_hw_support COMPONENT_DIR)
idf_component_get_property(hal_dir hal COMPONENT_DIR)
idf_component_get_property(heap_dir heap COMPONENT_DIR)
idf_component_get_property(mbedtls_dir mbedtls COMPONENT_DIR)
set(srcs)
set(include)
@@ -45,31 +39,11 @@ list(APPEND include "include"
# Heap
list(APPEND srcs "common/multi_heap.c")
# Sources and headers shared with IDF
list(APPEND include "${efuse_dir}/private_include"
"${efuse_dir}/${target}/private_include")
list(APPEND srcs "${hal_dir}/apm_hal.c"
"${hal_dir}/brownout_hal.c"
"${hal_dir}/wdt_hal_iram.c")
if(CONFIG_SECURE_TEE_EXT_FLASH_MEMPROT_SPI1)
list(APPEND srcs "${hal_dir}/spi_flash_hal.c")
endif()
# TLSF implementation for heap
list(APPEND include "${heap_dir}/include"
"${heap_dir}/tlsf"
list(APPEND include "${heap_dir}/tlsf"
"${heap_dir}/tlsf/include")
list(APPEND srcs "${heap_dir}/tlsf/tlsf.c")
# Crypto
# AES
list(APPEND include "${mbedtls_dir}/port/include"
"${mbedtls_dir}/port/aes/include"
"${mbedtls_dir}/port/aes/dma/include")
# SHA
list(APPEND include "${mbedtls_dir}/port/sha/core/include")
list(APPEND srcs "${heap_dir}/tlsf/tlsf.c")
# esp_app_desc_t configuration structure for TEE
list(APPEND srcs "common/esp_app_desc_tee.c")


@@ -13,7 +13,6 @@
#include "esp_cpu.h"
#include "soc/soc.h"
#include "esp_attr.h"
#include "bootloader_flash.h"
#include "hal/brownout_hal.h"
#include "hal/brownout_ll.h"
#include "esp_rom_sys.h"


@@ -102,12 +102,18 @@ SECTIONS
.dram.tee.rodata :
{
_rodata_start = ABSOLUTE(.);
/* TEE flash manager */
*libtee_flash_mgr.a:*(.rodata .srodata .rodata.* .srodata.*)
*libbootloader_support.a:bootloader_flash.*(.rodata .srodata .rodata.* .srodata.*)
/* Secure services */
*libmain.a:esp_secure_services.c.*(.rodata .srodata .rodata.* .srodata.*)
*libmain.a:esp_secure_dispatcher.c.*(.rodata .srodata .rodata.* .srodata.*)
/* Panic handler */
*libmain.a:panic_helper_riscv.*(.rodata .srodata .rodata.* .srodata.*)
*libmain.a:esp_tee_apm_intr.c.*(.rodata .srodata .rodata.* .srodata.*)
/* HAL (noflash) */
*libhal.a:mmu_hal.c*(.rodata .srodata .rodata.* .srodata.*)
*libhal.a:cache_hal.c*(.rodata .srodata .rodata.* .srodata.*)
_rodata_end = ABSOLUTE(.);
_tee_dram_end = ABSOLUTE(.);
} > dram_tee_seg
@@ -157,9 +163,41 @@ SECTIONS
. = ALIGN(CONFIG_MMU_PAGE_SIZE) + 0x20;
} > flash_text_seg
/* HAL modules and their memory placement:
*
* +-----------+---------------+--------+
* | Module | Section | Memory |
* +-----------+---------------+--------+
* | MMU | text+rodata | SRAM |
* | CACHE | text+rodata | SRAM |
* | WDT | text | SRAM |
* | APM | text | Flash |
* | AES | text | Flash |
* | SHA | text | Flash |
* | BROWNOUT | text | Flash |
* | EFUSE | text | Flash |
* | LPTIMER | text | Flash |
* | SPI_FLASH | text | Flash |
* +-----------+---------------+--------+
*
* By default, for ESP-TEE, text sections are placed in SRAM while rodata sections go to the flash.
* Therefore, only HAL modules that require SRAM placement for proper functionality are located there,
* while the remaining modules are placed in flash memory.
*/
.flash.text :
{
_tee_xip_text_start = ABSOLUTE(.);
/* HAL */
*libhal.a:aes_hal.c*(.literal .text .literal.* .text.*)
*libhal.a:sha_hal.c*(.literal .text .literal.* .text.*)
*libhal.a:apm_hal.c*(.literal .text .literal.* .text.*)
*libhal.a:brownout_hal.c*(.literal .text .literal.* .text.*)
*libhal.a:spi_flash_hal.c*(.literal .text .literal.* .text.*)
/* These HAL modules have functions marked with the IRAM_ATTR attribute which get placed in the SRAM */
*libhal.a:efuse_hal.c*(.literal .text .literal.* .text.*)
*libhal.a:lp_timer_hal.c*(.literal .text .literal.* .text.*)
/* Mbedtls for TEE */
*libmbedtls.a:*(.literal .text .literal.* .text.*)
*libmbedcrypto.a:*(.literal .text .literal.* .text.*)
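Review bot: The comment above the `efuse_hal.c` and `lp_timer_hal.c` rules in `.flash.text` reads as if those rules place the modules in SRAM, while the rules themselves send their `.literal`/`.text` sections to flash and the table lists both as Flash. Presumably the IRAM_ATTR functions sit in separately named sections that these patterns do not match; saying so would remove the ambiguity, e.g. `/* Only the non-IRAM_ATTR code of these modules goes to flash; their IRAM_ATTR functions remain in SRAM */`. Because this placement decides which TEE code is reachable while flash is not mapped or the cache is disabled, the table comment could also state that the AES and SHA HAL must not be called from such a context. The `.flash.text` output section continues past the end of the hunk.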


@@ -45,7 +45,17 @@ if(NOT CONFIG_APP_BUILD_TYPE_PURE_RAM_APP)
endif()
endif()
if(NOT BOOTLOADER_BUILD AND NOT esp_tee_build)
if(esp_tee_build)
list(APPEND srcs "apm_hal.c"
"brownout_hal.c"
"wdt_hal_iram.c"
"aes_hal.c"
"sha_hal.c")
if(CONFIG_SECURE_TEE_EXT_FLASH_MEMPROT_SPI1)
list(APPEND srcs "spi_flash_hal.c")
endif()
elseif(NOT BOOTLOADER_BUILD)
list(APPEND srcs "color_hal.c")
if(NOT CONFIG_APP_BUILD_TYPE_PURE_RAM_APP)
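Review bot: In the new `if(esp_tee_build)` branch, `aes_hal.c` and `sha_hal.c` are appended unconditionally, while `spi_flash_hal.c` just below is gated on its Kconfig option. If a TEE target without one of these peripherals is ever enabled, the sources would still be compiled (inferred; the capability checks used elsewhere in this file are outside the hunk). Consider wrapping the two entries in `if(CONFIG_SOC_AES_SUPPORTED)` and `if(CONFIG_SOC_SHA_SUPPORTED)`, or add a comment such as `# Every ESP-TEE target is expected to provide the AES and SHA peripherals`. The `elseif(NOT BOOTLOADER_BUILD)` block continues outside the hunk.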


@@ -1,35 +1,34 @@
idf_component_get_property(hal_dir hal COMPONENT_DIR)
idf_component_get_property(heap_dir heap COMPONENT_DIR)
set(priv_requires soc esp_hw_support)
set(priv_requires esp_hw_support hal soc)
set(include_dirs "${COMPONENT_DIR}/port/include"
"${COMPONENT_DIR}/mbedtls/include"
"${COMPONENT_DIR}/mbedtls/library")
# Supporting headers
list(APPEND include_dirs "${heap_dir}/include")
# Shared GDMA layer for TEE
set(srcs "${COMPONENT_DIR}/esp_tee/esp_tee_crypto_shared_gdma.c")
# HAL for the AES/SHA peripherals
list(APPEND srcs "${hal_dir}/aes_hal.c"
"${hal_dir}/sha_hal.c")
# AES-SHA implementation
list(APPEND srcs "${COMPONENT_DIR}/port/aes/dma/esp_aes.c"
"${COMPONENT_DIR}/port/aes/dma/esp_aes_dma_core.c")
list(APPEND srcs "${COMPONENT_DIR}/port/aes/esp_aes_common.c"
"${COMPONENT_DIR}/port/aes/esp_aes_gcm.c")
list(APPEND srcs "${COMPONENT_DIR}/port/sha/core/sha.c"
"${COMPONENT_DIR}/port/sha/esp_sha.c")
list(APPEND include_dirs "${COMPONENT_DIR}/port/aes/include"
"${COMPONENT_DIR}/port/aes/dma/include"
"${COMPONENT_DIR}/port/sha/core/include")
list(APPEND srcs "${COMPONENT_DIR}/port/aes/esp_aes_common.c"
"${COMPONENT_DIR}/port/aes/dma/esp_aes.c"
"${COMPONENT_DIR}/port/aes/dma/esp_aes_dma_core.c")
list(APPEND srcs "${COMPONENT_DIR}/port/sha/core/sha.c"
"${COMPONENT_DIR}/port/sha/esp_sha.c")
# Supporting headers
list(APPEND include_dirs "${heap_dir}/include")
idf_component_register(INCLUDE_DIRS "${include_dirs}"
PRIV_REQUIRES "${priv_requires}"
SRCS "${srcs}")
idf_component_register(SRCS "${srcs}"
INCLUDE_DIRS "${include_dirs}"
PRIV_REQUIRES "${priv_requires}")
# Only build mbedtls libraries
set(ENABLE_TESTING CACHE BOOL OFF)
@@ -53,9 +52,6 @@ endforeach()
target_link_libraries(${COMPONENT_LIB} INTERFACE ${mbedtls_targets})
if(CONFIG_MBEDTLS_HARDWARE_SHA)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/core/esp_sha1.c"
"${COMPONENT_DIR}/port/sha/core/esp_sha256.c"
"${COMPONENT_DIR}/port/sha/core/esp_sha512.c"
)
endif()
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/core/esp_sha1.c"
"${COMPONENT_DIR}/port/sha/core/esp_sha256.c"
"${COMPONENT_DIR}/port/sha/core/esp_sha512.c")
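Review bot: The `esp_sha1.c`, `esp_sha256.c` and `esp_sha512.c` port sources at the end of this section appear to be added to `mbedcrypto` without the earlier `if(CONFIG_MBEDTLS_HARDWARE_SHA)` guard (the page has lost its +/- markers, so this is read from the hunk's line counts). With the guard gone, the build file no longer shows whether the TEE uses the hardware SHA port or the software implementation. That now depends on the `MBEDTLS_SHA*_ALT` defines in the TEE mbedtls config, which are not visible in this section. A comment above the call would record the intent, e.g. `# TEE always builds the SHA port; the matching MBEDTLS_SHA*_ALT macros must be defined in the TEE mbedtls config`. The same pairing applies to `esp_aes_gcm.c` in the source list and `MBEDTLS_GCM_ALT` in the config header.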


@@ -34,6 +34,7 @@
#define MBEDTLS_CIPHER_C
#define MBEDTLS_AES_C
#define MBEDTLS_GCM_C
#define MBEDTLS_GCM_ALT
#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_ASN1_PARSE_C


@@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@@ -100,9 +100,11 @@ static IRAM_ATTR void esp_aes_complete_isr(void *arg)
portYIELD_FROM_ISR();
}
}
#endif
void esp_aes_intr_alloc(void)
{
#if !ESP_TEE_BUILD
if (op_complete_sem == NULL) {
const int isr_flags = esp_intr_level_to_flags(CONFIG_MBEDTLS_AES_INTERRUPT_LEVEL);
@@ -120,8 +122,14 @@ void esp_aes_intr_alloc(void)
// Static semaphore creation is unlikely to fail but still basic sanity
assert(op_complete_sem != NULL);
}
}
#else
// NOTE: Need to extern since the mbedtls component does not depend on
// the esp_tee (main) component
extern void esp_tee_aes_intr_alloc(void);
esp_tee_aes_intr_alloc();
#endif
}
static esp_err_t esp_aes_isr_initialise( void )
{
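Review bot: The TEE branch of `esp_aes_intr_alloc()` declares `esp_tee_aes_intr_alloc` with a block-scope `extern`, so the compiler never checks this prototype against the real definition in the esp_tee component. A later change to that function's signature would still compile and link here, and the call would then have undefined behaviour. A declaration in a header that both sides include would let the compiler catch the mismatch. If the component dependency rules out a shared header, move it to file scope as `#if ESP_TEE_BUILD` / `extern void esp_tee_aes_intr_alloc(void);` / `#endif` and name the defining file in the comment. The link-time dependency of mbedtls on a symbol from the TEE main component is also not expressed in any CMake requirement visible on this page.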