diff --git a/components/bootloader_support/CMakeLists.txt b/components/bootloader_support/CMakeLists.txt index 7099727b41..1f10d80e8b 100644 --- a/components/bootloader_support/CMakeLists.txt +++ b/components/bootloader_support/CMakeLists.txt @@ -24,12 +24,11 @@ if(esp_tee_build) "src/secure_boot_v2/secure_boot.c" "src/${IDF_TARGET}/secure_boot_secure_features.c") endif() - list(APPEND priv_requires efuse) endif() idf_component_register(SRCS ${tee_srcs} INCLUDE_DIRS ${tee_inc_dirs} - PRIV_REQUIRES efuse) + PRIV_REQUIRES efuse esp_app_format) return() endif() diff --git a/components/esp_tee/subproject/CMakeLists.txt b/components/esp_tee/subproject/CMakeLists.txt index 07c0feb5ab..e346447c96 100644 --- a/components/esp_tee/subproject/CMakeLists.txt +++ b/components/esp_tee/subproject/CMakeLists.txt @@ -24,6 +24,9 @@ list(APPEND EXTRA_COMPONENT_DIRS ${CUSTOM_SECURE_SERVICE_COMPONENT_DIR}) set(ESP_TEE_BUILD 1) set(NON_OS_BUILD 1) +# Additional components +list(APPEND COMPONENTS bootloader_support efuse mbedtls) + # TEE-specific components list(APPEND COMPONENTS tee_flash_mgr tee_ota_ops tee_sec_storage tee_attestation) @@ -37,9 +40,6 @@ if(CONFIG_IDF_TARGET_ARCH_RISCV) list(APPEND common_req riscv) endif() -# Included for `esp_app_desc` configuration structure -list(APPEND common_req esp_app_format) - idf_build_set_property(__COMPONENT_REQUIRES_COMMON "${common_req}") idf_build_set_property(__OUTPUT_SDKCONFIG 0) # NOTE: Helps to analyse the components built for the TEE binary by CMake Graphviz diff --git a/components/esp_tee/subproject/main/CMakeLists.txt b/components/esp_tee/subproject/main/CMakeLists.txt index 9dfeb7e527..a2cb8059df 100644 --- a/components/esp_tee/subproject/main/CMakeLists.txt +++ b/components/esp_tee/subproject/main/CMakeLists.txt @@ -1,12 +1,6 @@ idf_build_get_property(target IDF_TARGET) idf_build_get_property(arch IDF_TARGET_ARCH) -idf_build_get_property(idf_path IDF_PATH) - -idf_component_get_property(efuse_dir efuse COMPONENT_DIR) -idf_component_get_property(esp_hw_support_dir esp_hw_support COMPONENT_DIR) -idf_component_get_property(hal_dir hal COMPONENT_DIR) idf_component_get_property(heap_dir heap COMPONENT_DIR) -idf_component_get_property(mbedtls_dir mbedtls COMPONENT_DIR) set(srcs) set(include) @@ -45,31 +39,11 @@ list(APPEND include "include" # Heap list(APPEND srcs "common/multi_heap.c") -# Sources and headers shared with IDF -list(APPEND include "${efuse_dir}/private_include" - "${efuse_dir}/${target}/private_include") - -list(APPEND srcs "${hal_dir}/apm_hal.c" - "${hal_dir}/brownout_hal.c" - "${hal_dir}/wdt_hal_iram.c") - -if(CONFIG_SECURE_TEE_EXT_FLASH_MEMPROT_SPI1) - list(APPEND srcs "${hal_dir}/spi_flash_hal.c") -endif() - # TLSF implementation for heap -list(APPEND include "${heap_dir}/include" - "${heap_dir}/tlsf" +list(APPEND include "${heap_dir}/tlsf" "${heap_dir}/tlsf/include") -list(APPEND srcs "${heap_dir}/tlsf/tlsf.c") -# Crypto -# AES -list(APPEND include "${mbedtls_dir}/port/include" - "${mbedtls_dir}/port/aes/include" - "${mbedtls_dir}/port/aes/dma/include") -# SHA -list(APPEND include "${mbedtls_dir}/port/sha/core/include") +list(APPEND srcs "${heap_dir}/tlsf/tlsf.c") # esp_app_desc_t configuration structure for TEE list(APPEND srcs "common/esp_app_desc_tee.c") diff --git a/components/esp_tee/subproject/main/common/brownout.c b/components/esp_tee/subproject/main/common/brownout.c index e0038abeb3..ca09abb76e 100644 --- a/components/esp_tee/subproject/main/common/brownout.c +++ b/components/esp_tee/subproject/main/common/brownout.c @@ -13,7 +13,6 @@ #include "esp_cpu.h" #include "soc/soc.h" #include "esp_attr.h" -#include "bootloader_flash.h" #include "hal/brownout_hal.h" #include "hal/brownout_ll.h" #include "esp_rom_sys.h" diff --git a/components/esp_tee/subproject/main/ld/esp32c6/esp_tee.ld.in b/components/esp_tee/subproject/main/ld/esp32c6/esp_tee.ld.in index b0e259c1e3..b9cfadaa1b 100644 --- a/components/esp_tee/subproject/main/ld/esp32c6/esp_tee.ld.in +++ b/components/esp_tee/subproject/main/ld/esp32c6/esp_tee.ld.in @@ -102,12 +102,18 @@ SECTIONS .dram.tee.rodata : { _rodata_start = ABSOLUTE(.); + /* TEE flash manager */ *libtee_flash_mgr.a:*(.rodata .srodata .rodata.* .srodata.*) *libbootloader_support.a:bootloader_flash.*(.rodata .srodata .rodata.* .srodata.*) + /* Secure services */ *libmain.a:esp_secure_services.c.*(.rodata .srodata .rodata.* .srodata.*) *libmain.a:esp_secure_dispatcher.c.*(.rodata .srodata .rodata.* .srodata.*) + /* Panic handler */ *libmain.a:panic_helper_riscv.*(.rodata .srodata .rodata.* .srodata.*) *libmain.a:esp_tee_apm_intr.c.*(.rodata .srodata .rodata.* .srodata.*) + /* HAL (noflash) */ + *libhal.a:mmu_hal.c*(.rodata .srodata .rodata.* .srodata.*) + *libhal.a:cache_hal.c*(.rodata .srodata .rodata.* .srodata.*) _rodata_end = ABSOLUTE(.); _tee_dram_end = ABSOLUTE(.); } > dram_tee_seg @@ -157,9 +163,41 @@ SECTIONS . = ALIGN(CONFIG_MMU_PAGE_SIZE) + 0x20; } > flash_text_seg + +/* HAL modules and their memory placement: + * + * +-----------+---------------+--------+ + * | Module | Section | Memory | + * +-----------+---------------+--------+ + * | MMU | text+rodata | SRAM | + * | CACHE | text+rodata | SRAM | + * | WDT | text | SRAM | + * | APM | text | Flash | + * | AES | text | Flash | + * | SHA | text | Flash | + * | BROWNOUT | text | Flash | + * | EFUSE | text | Flash | + * | LPTIMER | text | Flash | + * | SPI_FLASH | text | Flash | + * +-----------+---------------+--------+ + * + * By default, for ESP-TEE, text sections are placed in SRAM while rodata sections go to the flash. + * Therefore, only HAL modules that require SRAM placement for proper functionality are located there, + * while the remaining modules are placed in flash memory. + */ + .flash.text : { _tee_xip_text_start = ABSOLUTE(.); + /* HAL */ + *libhal.a:aes_hal.c*(.literal .text .literal.* .text.*) + *libhal.a:sha_hal.c*(.literal .text .literal.* .text.*) + *libhal.a:apm_hal.c*(.literal .text .literal.* .text.*) + *libhal.a:brownout_hal.c*(.literal .text .literal.* .text.*) + *libhal.a:spi_flash_hal.c*(.literal .text .literal.* .text.*) + /* These HAL modules have functions marked with the IRAM_ATTR attribute which get placed in the SRAM */ + *libhal.a:efuse_hal.c*(.literal .text .literal.* .text.*) + *libhal.a:lp_timer_hal.c*(.literal .text .literal.* .text.*) /* Mbedtls for TEE */ *libmbedtls.a:*(.literal .text .literal.* .text.*) *libmbedcrypto.a:*(.literal .text .literal.* .text.*) diff --git a/components/hal/CMakeLists.txt b/components/hal/CMakeLists.txt index 674f3cfa1a..c30987b9bf 100644 --- a/components/hal/CMakeLists.txt +++ b/components/hal/CMakeLists.txt @@ -45,7 +45,17 @@ if(NOT CONFIG_APP_BUILD_TYPE_PURE_RAM_APP) endif() endif() -if(NOT BOOTLOADER_BUILD AND NOT esp_tee_build) +if(esp_tee_build) + list(APPEND srcs "apm_hal.c" + "brownout_hal.c" + "wdt_hal_iram.c" + "aes_hal.c" + "sha_hal.c") + + if(CONFIG_SECURE_TEE_EXT_FLASH_MEMPROT_SPI1) + list(APPEND srcs "spi_flash_hal.c") + endif() +elseif(NOT BOOTLOADER_BUILD) list(APPEND srcs "color_hal.c") if(NOT CONFIG_APP_BUILD_TYPE_PURE_RAM_APP) diff --git a/components/mbedtls/esp_tee/esp_tee_mbedtls.cmake b/components/mbedtls/esp_tee/esp_tee_mbedtls.cmake index 7d33abf0a2..9072a91c6c 100644 --- a/components/mbedtls/esp_tee/esp_tee_mbedtls.cmake +++ b/components/mbedtls/esp_tee/esp_tee_mbedtls.cmake @@ -1,35 +1,34 @@ -idf_component_get_property(hal_dir hal COMPONENT_DIR) idf_component_get_property(heap_dir heap COMPONENT_DIR) -set(priv_requires soc esp_hw_support) +set(priv_requires esp_hw_support hal soc) + set(include_dirs "${COMPONENT_DIR}/port/include" "${COMPONENT_DIR}/mbedtls/include" "${COMPONENT_DIR}/mbedtls/library") +# Supporting headers +list(APPEND include_dirs "${heap_dir}/include") + # Shared GDMA layer for TEE set(srcs "${COMPONENT_DIR}/esp_tee/esp_tee_crypto_shared_gdma.c") -# HAL for the AES/SHA peripherals -list(APPEND srcs "${hal_dir}/aes_hal.c" - "${hal_dir}/sha_hal.c") +# AES-SHA implementation +list(APPEND srcs "${COMPONENT_DIR}/port/aes/dma/esp_aes.c" + "${COMPONENT_DIR}/port/aes/dma/esp_aes_dma_core.c") + +list(APPEND srcs "${COMPONENT_DIR}/port/aes/esp_aes_common.c" + "${COMPONENT_DIR}/port/aes/esp_aes_gcm.c") + +list(APPEND srcs "${COMPONENT_DIR}/port/sha/core/sha.c" + "${COMPONENT_DIR}/port/sha/esp_sha.c") list(APPEND include_dirs "${COMPONENT_DIR}/port/aes/include" "${COMPONENT_DIR}/port/aes/dma/include" "${COMPONENT_DIR}/port/sha/core/include") -list(APPEND srcs "${COMPONENT_DIR}/port/aes/esp_aes_common.c" - "${COMPONENT_DIR}/port/aes/dma/esp_aes.c" - "${COMPONENT_DIR}/port/aes/dma/esp_aes_dma_core.c") - -list(APPEND srcs "${COMPONENT_DIR}/port/sha/core/sha.c" - "${COMPONENT_DIR}/port/sha/esp_sha.c") - -# Supporting headers -list(APPEND include_dirs "${heap_dir}/include") - -idf_component_register(INCLUDE_DIRS "${include_dirs}" - PRIV_REQUIRES "${priv_requires}" - SRCS "${srcs}") +idf_component_register(SRCS "${srcs}" + INCLUDE_DIRS "${include_dirs}" + PRIV_REQUIRES "${priv_requires}") # Only build mbedtls libraries set(ENABLE_TESTING CACHE BOOL OFF) @@ -53,9 +52,6 @@ endforeach() target_link_libraries(${COMPONENT_LIB} INTERFACE ${mbedtls_targets}) -if(CONFIG_MBEDTLS_HARDWARE_SHA) - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/core/esp_sha1.c" - "${COMPONENT_DIR}/port/sha/core/esp_sha256.c" - "${COMPONENT_DIR}/port/sha/core/esp_sha512.c" - ) -endif() +target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/core/esp_sha1.c" + "${COMPONENT_DIR}/port/sha/core/esp_sha256.c" + "${COMPONENT_DIR}/port/sha/core/esp_sha512.c") diff --git a/components/mbedtls/esp_tee/esp_tee_mbedtls_config.h b/components/mbedtls/esp_tee/esp_tee_mbedtls_config.h index 665a009e1c..a676cd20a9 100644 --- a/components/mbedtls/esp_tee/esp_tee_mbedtls_config.h +++ b/components/mbedtls/esp_tee/esp_tee_mbedtls_config.h @@ -34,6 +34,7 @@ #define MBEDTLS_CIPHER_C #define MBEDTLS_AES_C #define MBEDTLS_GCM_C +#define MBEDTLS_GCM_ALT #define MBEDTLS_ASN1_WRITE_C #define MBEDTLS_ASN1_PARSE_C diff --git a/components/mbedtls/port/aes/dma/esp_aes_dma_core.c b/components/mbedtls/port/aes/dma/esp_aes_dma_core.c index 34152306d8..a4a3d7c43b 100644 --- a/components/mbedtls/port/aes/dma/esp_aes_dma_core.c +++ b/components/mbedtls/port/aes/dma/esp_aes_dma_core.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -100,9 +100,11 @@ static IRAM_ATTR void esp_aes_complete_isr(void *arg) portYIELD_FROM_ISR(); } } +#endif void esp_aes_intr_alloc(void) { +#if !ESP_TEE_BUILD if (op_complete_sem == NULL) { const int isr_flags = esp_intr_level_to_flags(CONFIG_MBEDTLS_AES_INTERRUPT_LEVEL); @@ -120,8 +122,14 @@ void esp_aes_intr_alloc(void) // Static semaphore creation is unlikely to fail but still basic sanity assert(op_complete_sem != NULL); } -} +#else + // NOTE: Need to extern since the mbedtls component does not depend on + // the esp_tee (main) component + extern void esp_tee_aes_intr_alloc(void); + esp_tee_aes_intr_alloc(); #endif +} + static esp_err_t esp_aes_isr_initialise( void ) {