Merge branch 'refactor/esp_tee_aes_gcm_port' into 'master'

refactor(esp_tee): Use the AES-GCM port layer for operations in the TEE

See merge request espressif/esp-idf!37650

components/bootloader_support/CMakeLists.txt

@@ -24,12 +24,11 @@ if(esp_tee_build)
                                  "src/secure_boot_v2/secure_boot.c"
                                  "src/${IDF_TARGET}/secure_boot_secure_features.c")
         endif()
-        list(APPEND priv_requires efuse)
     endif()
 
     idf_component_register(SRCS ${tee_srcs}
                            INCLUDE_DIRS ${tee_inc_dirs}
-                           PRIV_REQUIRES efuse)
+                           PRIV_REQUIRES efuse esp_app_format)
     return()
 endif()
 

components/esp_tee/subproject/CMakeLists.txt

@@ -24,6 +24,9 @@ list(APPEND EXTRA_COMPONENT_DIRS ${CUSTOM_SECURE_SERVICE_COMPONENT_DIR})
 set(ESP_TEE_BUILD 1)
 set(NON_OS_BUILD 1)
 
+# Additional components
+list(APPEND COMPONENTS bootloader_support efuse mbedtls)
+
 # TEE-specific components
 list(APPEND COMPONENTS tee_flash_mgr tee_ota_ops tee_sec_storage tee_attestation)
 
@@ -37,9 +40,6 @@ if(CONFIG_IDF_TARGET_ARCH_RISCV)
     list(APPEND common_req riscv)
 endif()
 
-# Included for `esp_app_desc` configuration structure
-list(APPEND common_req esp_app_format)
-
 idf_build_set_property(__COMPONENT_REQUIRES_COMMON "${common_req}")
 idf_build_set_property(__OUTPUT_SDKCONFIG 0)
 # NOTE: Helps to analyse the components built for the TEE binary by CMake Graphviz

components/esp_tee/subproject/main/CMakeLists.txt

@@ -1,12 +1,6 @@
 idf_build_get_property(target IDF_TARGET)
 idf_build_get_property(arch IDF_TARGET_ARCH)
-idf_build_get_property(idf_path IDF_PATH)
-
-idf_component_get_property(efuse_dir efuse COMPONENT_DIR)
-idf_component_get_property(esp_hw_support_dir esp_hw_support COMPONENT_DIR)
-idf_component_get_property(hal_dir hal COMPONENT_DIR)
 idf_component_get_property(heap_dir heap COMPONENT_DIR)
-idf_component_get_property(mbedtls_dir mbedtls COMPONENT_DIR)
 
 set(srcs)
 set(include)
@@ -45,31 +39,11 @@ list(APPEND include "include"
 # Heap
 list(APPEND srcs "common/multi_heap.c")
 
-# Sources and headers shared with IDF
-list(APPEND include "${efuse_dir}/private_include"
-                    "${efuse_dir}/${target}/private_include")
-
-list(APPEND srcs "${hal_dir}/apm_hal.c"
-                 "${hal_dir}/brownout_hal.c"
-                 "${hal_dir}/wdt_hal_iram.c")
-
-if(CONFIG_SECURE_TEE_EXT_FLASH_MEMPROT_SPI1)
-    list(APPEND srcs "${hal_dir}/spi_flash_hal.c")
-endif()
-
 # TLSF implementation for heap
-list(APPEND include "${heap_dir}/include"
+list(APPEND include "${heap_dir}/tlsf"
-                    "${heap_dir}/tlsf"
                     "${heap_dir}/tlsf/include")
-list(APPEND srcs "${heap_dir}/tlsf/tlsf.c")
 
-# Crypto
+list(APPEND srcs "${heap_dir}/tlsf/tlsf.c")
-# AES
-list(APPEND include "${mbedtls_dir}/port/include"
-                    "${mbedtls_dir}/port/aes/include"
-                    "${mbedtls_dir}/port/aes/dma/include")
-# SHA
-list(APPEND include "${mbedtls_dir}/port/sha/core/include")
 
 # esp_app_desc_t configuration structure for TEE
 list(APPEND srcs "common/esp_app_desc_tee.c")

components/esp_tee/subproject/main/common/brownout.c

@@ -13,7 +13,6 @@
 #include "esp_cpu.h"
 #include "soc/soc.h"
 #include "esp_attr.h"
-#include "bootloader_flash.h"
 #include "hal/brownout_hal.h"
 #include "hal/brownout_ll.h"
 #include "esp_rom_sys.h"

components/esp_tee/subproject/main/ld/esp32c6/esp_tee.ld.in

@@ -102,12 +102,18 @@ SECTIONS
   .dram.tee.rodata :
   {
     _rodata_start = ABSOLUTE(.);
+    /* TEE flash manager */
     *libtee_flash_mgr.a:*(.rodata .srodata .rodata.* .srodata.*)
     *libbootloader_support.a:bootloader_flash.*(.rodata .srodata .rodata.* .srodata.*)
+    /* Secure services */
     *libmain.a:esp_secure_services.c.*(.rodata .srodata .rodata.* .srodata.*)
     *libmain.a:esp_secure_dispatcher.c.*(.rodata .srodata .rodata.* .srodata.*)
+    /* Panic handler */
     *libmain.a:panic_helper_riscv.*(.rodata .srodata .rodata.* .srodata.*)
     *libmain.a:esp_tee_apm_intr.c.*(.rodata .srodata .rodata.* .srodata.*)
+    /* HAL (noflash) */
+    *libhal.a:mmu_hal.c*(.rodata .srodata .rodata.* .srodata.*)
+    *libhal.a:cache_hal.c*(.rodata .srodata .rodata.* .srodata.*)
     _rodata_end = ABSOLUTE(.);
     _tee_dram_end = ABSOLUTE(.);
   } > dram_tee_seg
@@ -157,9 +163,41 @@ SECTIONS
     . = ALIGN(CONFIG_MMU_PAGE_SIZE) + 0x20;
   } > flash_text_seg
 
+
+/* HAL modules and their memory placement:
+ *
+ * +-----------+---------------+--------+
+ * | Module    | Section       | Memory |
+ * +-----------+---------------+--------+
+ * | MMU       | text+rodata   | SRAM   |
+ * | CACHE     | text+rodata   | SRAM   |
+ * | WDT       | text          | SRAM   |
+ * | APM       | text          | Flash  |
+ * | AES       | text          | Flash  |
+ * | SHA       | text          | Flash  |
+ * | BROWNOUT  | text          | Flash  |
+ * | EFUSE     | text          | Flash  |
+ * | LPTIMER   | text          | Flash  |
+ * | SPI_FLASH | text          | Flash  |
+ * +-----------+---------------+--------+
+ *
+ * By default, for ESP-TEE, text sections are placed in SRAM while rodata sections go to the flash.
+ * Therefore, only HAL modules that require SRAM placement for proper functionality are located there,
+ * while the remaining modules are placed in flash memory.
+ */
+
   .flash.text :
   {
     _tee_xip_text_start = ABSOLUTE(.);
+    /* HAL */
+    *libhal.a:aes_hal.c*(.literal .text .literal.* .text.*)
+    *libhal.a:sha_hal.c*(.literal .text .literal.* .text.*)
+    *libhal.a:apm_hal.c*(.literal .text .literal.* .text.*)
+    *libhal.a:brownout_hal.c*(.literal .text .literal.* .text.*)
+    *libhal.a:spi_flash_hal.c*(.literal .text .literal.* .text.*)
+    /* These HAL modules have functions marked with the IRAM_ATTR attribute which get placed in the SRAM */
+    *libhal.a:efuse_hal.c*(.literal .text .literal.* .text.*)
+    *libhal.a:lp_timer_hal.c*(.literal .text .literal.* .text.*)
     /* Mbedtls for TEE */
     *libmbedtls.a:*(.literal .text .literal.* .text.*)
     *libmbedcrypto.a:*(.literal .text .literal.* .text.*)

components/hal/CMakeLists.txt

@@ -45,7 +45,17 @@ if(NOT CONFIG_APP_BUILD_TYPE_PURE_RAM_APP)
     endif()
 endif()
 
-if(NOT BOOTLOADER_BUILD AND NOT esp_tee_build)
+if(esp_tee_build)
+    list(APPEND srcs "apm_hal.c"
+                     "brownout_hal.c"
+                     "wdt_hal_iram.c"
+                     "aes_hal.c"
+                     "sha_hal.c")
+
+    if(CONFIG_SECURE_TEE_EXT_FLASH_MEMPROT_SPI1)
+        list(APPEND srcs "spi_flash_hal.c")
+    endif()
+elseif(NOT BOOTLOADER_BUILD)
     list(APPEND srcs "color_hal.c")
 
     if(NOT CONFIG_APP_BUILD_TYPE_PURE_RAM_APP)

components/mbedtls/esp_tee/esp_tee_mbedtls.cmake

@@ -1,35 +1,34 @@
-idf_component_get_property(hal_dir hal COMPONENT_DIR)
 idf_component_get_property(heap_dir heap COMPONENT_DIR)
 
-set(priv_requires soc esp_hw_support)
+set(priv_requires esp_hw_support hal soc)
+
 set(include_dirs "${COMPONENT_DIR}/port/include"
                  "${COMPONENT_DIR}/mbedtls/include"
                  "${COMPONENT_DIR}/mbedtls/library")
 
+# Supporting headers
+list(APPEND include_dirs "${heap_dir}/include")
+
 # Shared GDMA layer for TEE
 set(srcs "${COMPONENT_DIR}/esp_tee/esp_tee_crypto_shared_gdma.c")
 
-# HAL for the AES/SHA peripherals
+# AES-SHA implementation
-list(APPEND srcs "${hal_dir}/aes_hal.c"
+list(APPEND srcs "${COMPONENT_DIR}/port/aes/dma/esp_aes.c"
-                 "${hal_dir}/sha_hal.c")
+                 "${COMPONENT_DIR}/port/aes/dma/esp_aes_dma_core.c")
+
+list(APPEND srcs "${COMPONENT_DIR}/port/aes/esp_aes_common.c"
+                 "${COMPONENT_DIR}/port/aes/esp_aes_gcm.c")
+
+list(APPEND srcs "${COMPONENT_DIR}/port/sha/core/sha.c"
+                 "${COMPONENT_DIR}/port/sha/esp_sha.c")
 
 list(APPEND include_dirs "${COMPONENT_DIR}/port/aes/include"
                          "${COMPONENT_DIR}/port/aes/dma/include"
                          "${COMPONENT_DIR}/port/sha/core/include")
 
-list(APPEND srcs "${COMPONENT_DIR}/port/aes/esp_aes_common.c"
+idf_component_register(SRCS "${srcs}"
-                 "${COMPONENT_DIR}/port/aes/dma/esp_aes.c"
+                       INCLUDE_DIRS "${include_dirs}"
-                 "${COMPONENT_DIR}/port/aes/dma/esp_aes_dma_core.c")
+                       PRIV_REQUIRES "${priv_requires}")
-
-list(APPEND srcs "${COMPONENT_DIR}/port/sha/core/sha.c"
-                 "${COMPONENT_DIR}/port/sha/esp_sha.c")
-
-# Supporting headers
-list(APPEND include_dirs "${heap_dir}/include")
-
-idf_component_register(INCLUDE_DIRS "${include_dirs}"
-                       PRIV_REQUIRES "${priv_requires}"
-                       SRCS "${srcs}")
 
 # Only build mbedtls libraries
 set(ENABLE_TESTING CACHE BOOL OFF)
@@ -53,9 +52,6 @@ endforeach()
 
 target_link_libraries(${COMPONENT_LIB} INTERFACE ${mbedtls_targets})
 
-if(CONFIG_MBEDTLS_HARDWARE_SHA)
+target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/core/esp_sha1.c"
-    target_sources(mbedcrypto PRIVATE  "${COMPONENT_DIR}/port/sha/core/esp_sha1.c"
+                                  "${COMPONENT_DIR}/port/sha/core/esp_sha256.c"
-                                       "${COMPONENT_DIR}/port/sha/core/esp_sha256.c"
+                                  "${COMPONENT_DIR}/port/sha/core/esp_sha512.c")
-                                       "${COMPONENT_DIR}/port/sha/core/esp_sha512.c"
-    )
-endif()

components/mbedtls/esp_tee/esp_tee_mbedtls_config.h

@@ -34,6 +34,7 @@
 #define MBEDTLS_CIPHER_C
 #define MBEDTLS_AES_C
 #define MBEDTLS_GCM_C
+#define MBEDTLS_GCM_ALT
 
 #define MBEDTLS_ASN1_WRITE_C
 #define MBEDTLS_ASN1_PARSE_C

components/mbedtls/port/aes/dma/esp_aes_dma_core.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -100,9 +100,11 @@ static IRAM_ATTR void esp_aes_complete_isr(void *arg)
         portYIELD_FROM_ISR();
     }
 }
+#endif
 
 void esp_aes_intr_alloc(void)
 {
+#if !ESP_TEE_BUILD
     if (op_complete_sem == NULL) {
         const int isr_flags = esp_intr_level_to_flags(CONFIG_MBEDTLS_AES_INTERRUPT_LEVEL);
 
@@ -120,8 +122,14 @@ void esp_aes_intr_alloc(void)
         // Static semaphore creation is unlikely to fail but still basic sanity
         assert(op_complete_sem != NULL);
     }
-}
+#else
+    // NOTE: Need to extern since the mbedtls component does not depend on
+    // the esp_tee (main) component
+    extern void esp_tee_aes_intr_alloc(void);
+    esp_tee_aes_intr_alloc();
 #endif
+}
+
 
 static esp_err_t esp_aes_isr_initialise( void )
 {