From 26fa7109f357f36ecfb56218464624338fa65abc Mon Sep 17 00:00:00 2001
From: Laukik Hase
Date: Thu, 6 Feb 2025 17:33:51 +0530
Subject: [PATCH] fix(esp_tee): Protect the AES/SHA clock registers from REE access

---
 components/esp_system/port/soc/esp32c6/clk.c | 3 ++
 .../scripts/esp32c6/sec_srv_tbl_default.yml | 4 +++
 .../esp_tee/src/esp_secure_service_wrapper.c | 5 +++
 .../main/core/esp_secure_services.c | 6 ++++
 .../main/soc/esp32c6/esp_tee_apm_prot_cfg.c | 31 ++++++++++------
 .../main/soc/esp32c6/esp_tee_secure_sys_cfg.c | 7 +++-
 .../port/sha/core/include/esp_sha_internal.h | 7 ++++
 components/mbedtls/port/sha/core/sha.c | 36 ++++++++-----------
 components/mbedtls/port/sha/esp_sha.c | 24 +++++++++++++
 9 files changed, 90 insertions(+), 33 deletions(-)

diff --git a/components/esp_system/port/soc/esp32c6/clk.c b/components/esp_system/port/soc/esp32c6/clk.c
index 15c8dfd70b..6b8355392a 100644
--- a/components/esp_system/port/soc/esp32c6/clk.c
+++ b/components/esp_system/port/soc/esp32c6/clk.c
@@ -291,8 +291,11 @@ __attribute__((weak)) void esp_perip_clk_init(void)
     periph_ll_disable_clk_set_rst(PERIPH_ASSIST_DEBUG_MODULE);
 #endif
     periph_ll_disable_clk_set_rst(PERIPH_RSA_MODULE);
+#if !CONFIG_SECURE_ENABLE_TEE
+    // NOTE: [ESP-TEE] The TEE is responsible for the AES and SHA peripherals
     periph_ll_disable_clk_set_rst(PERIPH_AES_MODULE);
     periph_ll_disable_clk_set_rst(PERIPH_SHA_MODULE);
+#endif
     periph_ll_disable_clk_set_rst(PERIPH_ECC_MODULE);
     periph_ll_disable_clk_set_rst(PERIPH_HMAC_MODULE);
     periph_ll_disable_clk_set_rst(PERIPH_DS_MODULE);
diff --git a/components/esp_tee/scripts/esp32c6/sec_srv_tbl_default.yml b/components/esp_tee/scripts/esp32c6/sec_srv_tbl_default.yml
index 45a0837722..53349f4d0e 100644
--- a/components/esp_tee/scripts/esp32c6/sec_srv_tbl_default.yml
+++ b/components/esp_tee/scripts/esp32c6/sec_srv_tbl_default.yml
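Review bot: The new comment in the clk.c hunk says the TEE is responsible for these peripherals but not why the REE must not touch them: with CONFIG_SECURE_ENABLE_TEE the AES/SHA clock (PCR) registers are placed outside every REE-accessible APM region by this same commit, so a later cleanup that drops this `#if` would make the REE fault in esp_perip_clk_init() at boot rather than merely duplicate work. Suggest `// NOTE: [ESP-TEE] AES/SHA clock (PCR) registers are TEE-only; the TEE gates these clocks itself in esp_tee_soc_secure_sys_init()`. esp_perip_clk_init() continues outside the hunk.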
@@ -208,6 +208,10 @@ secure_services:
         type: IDF
         function: esp_sha_write_digest_state
         args: 2
+      - id: 132
+        type: IDF
+        function: esp_sha_enable_periph_clk
+        args: 1
   # ID: 134-149 (16) - eFuse
   - family: efuse
     entries:
diff --git a/components/esp_tee/src/esp_secure_service_wrapper.c b/components/esp_tee/src/esp_secure_service_wrapper.c
index 5c3e3232f8..692bceb92c 100644
--- a/components/esp_tee/src/esp_secure_service_wrapper.c
+++ b/components/esp_tee/src/esp_secure_service_wrapper.c
@@ -228,6 +228,11 @@ void __wrap_esp_sha_write_digest_state(esp_sha_type sha_type, void *digest_state
     esp_tee_service_call(3, SS_ESP_SHA_WRITE_DIGEST_STATE, sha_type, digest_state);
 }
 
+void __wrap_esp_sha_enable_periph_clk(bool enable)
+{
+    esp_tee_service_call(2, SS_ESP_SHA_ENABLE_PERIPH_CLK, enable);
+}
+
 /* ---------------------------------------------- MMU HAL ------------------------------------------------- */
 
 void IRAM_ATTR __wrap_mmu_hal_map_region(uint32_t mmu_id, mmu_target_t mem_type, uint32_t vaddr, uint32_t paddr, uint32_t len, uint32_t *out_len)
diff --git a/components/esp_tee/subproject/main/core/esp_secure_services.c b/components/esp_tee/subproject/main/core/esp_secure_services.c
index 6c5fb5dc9b..0961a304a3 100644
--- a/components/esp_tee/subproject/main/core/esp_secure_services.c
+++ b/components/esp_tee/subproject/main/core/esp_secure_services.c
@@ -26,6 +26,7 @@
 #include "soc/soc_caps.h"
 #include "aes/esp_aes.h"
 #include "sha/sha_core.h"
+#include "esp_sha_internal.h"
 #include "esp_tee.h"
 #include "esp_tee_memory_utils.h"
 
@@ -325,6 +326,11 @@ void _ss_esp_sha_block(esp_sha_type sha_type, const void *data_block, bool is_fi
     esp_sha_block(sha_type, data_block, is_first_block);
 }
 
+void _ss_esp_sha_enable_periph_clk(bool enable)
+{
+    esp_sha_enable_periph_clk(enable);
+}
+
 /* ---------------------------------------------- OTA ------------------------------------------------- */
 
 int _ss_esp_tee_ota_begin(void)
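Review bot: `__wrap_esp_sha_enable_periph_clk` discards the result of `esp_tee_service_call`, as its neighbours do, but for this service a silently failed call has a worse outcome than for the others: the REE's esp_sha_acquire_hardware() then drives a clock-gated SHA block and returns a wrong digest with no error. If esp_tee_service_call reports failure through its return value (not visible here; presumably an int status), consider checking it in this wrapper, e.g. `if (esp_tee_service_call(2, SS_ESP_SHA_ENABLE_PERIPH_CLK, enable) != 0) { /* log or abort */ }` — confirm the status convention first. The service side `_ss_esp_sha_enable_periph_clk` would also benefit from a one-line comment stating that it is a plain clock gate with no ownership or reference counting, and that serialisation against other REE users relies on the lock taken in esp_sha_acquire_hardware().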
diff --git a/components/esp_tee/subproject/main/soc/esp32c6/esp_tee_apm_prot_cfg.c b/components/esp_tee/subproject/main/soc/esp32c6/esp_tee_apm_prot_cfg.c
index 3c027c0693..da17b38773 100644
--- a/components/esp_tee/subproject/main/soc/esp32c6/esp_tee_apm_prot_cfg.c
+++ b/components/esp_tee/subproject/main/soc/esp32c6/esp_tee_apm_prot_cfg.c
@@ -11,6 +11,7 @@
 #include "soc/soc.h"
 #include "soc/spi_mem_reg.h"
 #include "soc/efuse_reg.h"
+#include "soc/pcr_reg.h"
 
 extern void tee_apm_violation_isr(void *arg);
 
@@ -91,34 +92,41 @@ apm_ctrl_region_config_data_t hp_apm_pms_data[] = {
         .regn_pms = 0x6,
         .filter_enable = 1,
     },
-    /* Region 5: Peripherals [RSA - TEE Controller & APM] (RW) */
-    /* Protected: APM, TEE Controller */
+    /* Region 5/6: Peripherals [RSA - TEE Controller & APM] (RW) */
+    /* Protected: AES + SHA PCR, APM, TEE Controller */
     {
         .regn_num = 5,
         .regn_start_addr = DR_REG_RSA_BASE,
+        .regn_end_addr = (PCR_AES_CONF_REG - 0x4),
+        .regn_pms = 0x6,
+        .filter_enable = 1,
+    },
+    {
+        .regn_num = 6,
+        .regn_start_addr = PCR_RSA_CONF_REG,
         .regn_end_addr = (DR_REG_TEE_BASE - 0x4),
         .regn_pms = 0x6,
         .filter_enable = 1,
     },
-    /* Region 6: Peripherals [Miscellaneous - PMU] (RW) */
+    /* Region 7: Peripherals [Miscellaneous - PMU] (RW) */
     {
-        .regn_num = 6,
+        .regn_num = 7,
         .regn_start_addr = DR_REG_MISC_BASE,
         .regn_end_addr = (DR_REG_PMU_BASE - 0x04),
         .regn_pms = 0x6,
         .filter_enable = 1,
     },
-    /* Region 7: Peripherals [DEBUG - PWDET] (RW) */
+    /* Region 8: Peripherals [DEBUG - PWDET] (RW) */
     {
-        .regn_num = 7,
+        .regn_num = 8,
         .regn_start_addr = DR_REG_OPT_DEBUG_BASE,
         .regn_end_addr = 0x600D0000,
         .regn_pms = 0x6,
         .filter_enable = 1,
     },
-    /* Region 8: REE SRAM region (RW) */
+    /* Region 9: REE SRAM region (RW) */
     {
-        .regn_num = 8,
+        .regn_num = 9,
         .regn_start_addr = SOC_NS_IRAM_START,
         .regn_end_addr = SOC_IRAM_HIGH,
         .regn_pms = 0x6,
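Review bot: Region 5 now ends at `PCR_AES_CONF_REG - 0x4` and region 6 starts at `PCR_RSA_CONF_REG`, so the hole left outside REE reach is exactly the registers between those two addresses; the comment calls that hole "AES + SHA PCR", which only holds if the SHA clock register is the sole register between them. That adjacency is a property of soc/pcr_reg.h, not of this table, so it should be pinned at compile time next to the table: `_Static_assert(PCR_SHA_CONF_REG == PCR_AES_CONF_REG + 0x4 && PCR_RSA_CONF_REG == PCR_SHA_CONF_REG + 0x4, "AES/SHA PCR hole must cover exactly the AES and SHA clock registers");`. Without it, a register-map change in a future chip revision or header update could silently re-expose one of the clock registers to the REE, or take the RSA clock register away from it, and nothing in the build would notice.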
@@ -164,9 +172,9 @@ apm_ctrl_secure_mode_config_t hp_apm_sec_mode_data = {
 
 /* HP_APM: TEE mode accessible regions */
 apm_ctrl_region_config_data_t hp_apm_pms_data_tee[] = {
-    /* Region 9: Entire memory region (RWX)*/
+    /* Region 10: Entire memory region (RWX)*/
     {
-        .regn_num = 9,
+        .regn_num = 10,
         .regn_start_addr = 0x0,
         .regn_end_addr = ~0x0,
         .regn_pms = 0x7,
@@ -303,6 +311,9 @@ void esp_tee_configure_apm_protection(void)
     /* Disable all control filter first to have full access of address rage. */
     apm_hal_apm_ctrl_filter_enable_all(false);
 
+    /* Switch HP_CPU to TEE mode */
+    apm_tee_hal_set_master_secure_mode(HP_APM_CTRL, APM_LL_MASTER_HPCORE, APM_LL_SECURE_MODE_TEE);
+
     /* LP APM0 configuration. */
     lp_apm0_sec_mode_data.regn_count = sizeof(lp_apm0_pms_data) / sizeof(apm_ctrl_region_config_data_t);
     apm_hal_apm_ctrl_master_sec_mode_config(&lp_apm0_sec_mode_data);
diff --git a/components/esp_tee/subproject/main/soc/esp32c6/esp_tee_secure_sys_cfg.c b/components/esp_tee/subproject/main/soc/esp32c6/esp_tee_secure_sys_cfg.c
index 9b558054cc..f02e17a48d 100644
--- a/components/esp_tee/subproject/main/soc/esp32c6/esp_tee_secure_sys_cfg.c
+++ b/components/esp_tee/subproject/main/soc/esp32c6/esp_tee_secure_sys_cfg.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -12,6 +12,7 @@
 #include "esp_cpu.h"
 #include "esp_log.h"
 #include "hal/apm_hal.h"
+#include "hal/clk_gate_ll.h"
 #include "esp_tee.h"
 #include "esp_tee_intr.h"
 
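Review bot: `.regn_num = 10` in hp_apm_pms_data_tee is bumped by hand to stay clear of the REE table, which now ends at region 9; nothing ties the two arrays together, so the next region added to hp_apm_pms_data would reuse slot 10 and, if both tables program the same HP_APM region slots (as the shared numbering suggests), one configuration would overwrite the other — in the worst case leaving the REE mode with the all-memory RWX region meant for the TEE. Suggest at least a comment on this entry, `/* Region 10: must stay above every regn_num in hp_apm_pms_data (currently 0-9) */`, or deriving the index from the REE table so the two cannot collide. The added `apm_tee_hal_set_master_secure_mode(...)` call in esp_tee_configure_apm_protection also deserves a why-comment: the function's body continues outside the hunk, and the reason for switching HP_CPU to TEE mode right after the filters are disabled and before the regions are programmed is not stated.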
@@ -91,6 +92,10 @@ void esp_tee_soc_secure_sys_init(void)
     esp_tee_protect_intr_src(ETS_EFUSE_INTR_SOURCE); // eFuse
     esp_tee_protect_intr_src(ETS_AES_INTR_SOURCE); // AES
     esp_tee_protect_intr_src(ETS_SHA_INTR_SOURCE); // SHA
+
+    /* Disable AES/SHA peripheral clocks; they will be toggled as needed when the peripheral is in use */
+    periph_ll_disable_clk_set_rst(PERIPH_AES_MODULE);
+    periph_ll_disable_clk_set_rst(PERIPH_SHA_MODULE);
 }
 
 IRAM_ATTR inline void esp_tee_switch_to_ree(uint32_t ree_entry_addr)
diff --git a/components/mbedtls/port/sha/core/include/esp_sha_internal.h b/components/mbedtls/port/sha/core/include/esp_sha_internal.h
index 55e667774e..76fcf5f7db 100644
--- a/components/mbedtls/port/sha/core/include/esp_sha_internal.h
+++ b/components/mbedtls/port/sha/core/include/esp_sha_internal.h
@@ -56,6 +56,13 @@ static inline esp_sha_mode sha_operation_mode(size_t length)
     return SHA_BLOCK_MODE;
 }
 
+/**
+ * @brief Enable or disable the SHA peripheral clock
+ *
+ * @param enable true to enable, false to disable
+ */
+void esp_sha_enable_periph_clk(bool enable);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/components/mbedtls/port/sha/core/sha.c b/components/mbedtls/port/sha/core/sha.c
index 84e11396af..fe3731196a 100644
--- a/components/mbedtls/port/sha/core/sha.c
+++ b/components/mbedtls/port/sha/core/sha.c
@@ -16,6 +16,7 @@
 #include "esp_private/esp_crypto_lock_internal.h"
 #include "esp_log.h"
 #include "sha/sha_core.h"
+#include "esp_sha_internal.h"
 #include "hal/sha_hal.h"
 #include "hal/sha_ll.h"
 #include "soc/soc_caps.h"
@@ -51,6 +52,15 @@
 #endif
 #endif /* SOC_SHA_SUPPORT_DMA */
 
+#if !ESP_TEE_BUILD
+#define SHA_LOCK() esp_crypto_sha_aes_lock_acquire()
+#define SHA_RELEASE() esp_crypto_sha_aes_lock_release()
+#else
+#define SHA_RCC_ATOMIC()
+#define SHA_LOCK()
+#define SHA_RELEASE()
+#endif
+
 void esp_sha_write_digest_state(esp_sha_type sha_type, void *digest_state)
 {
     sha_hal_write_digest(sha_type, digest_state);
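Review bot: The `#else` branch of the new macro block in sha.c defines `SHA_RCC_ATOMIC()` as empty for the TEE build, but after this commit sha.c itself no longer uses SHA_RCC_ATOMIC in anything visible here — the only remaining use is the new esp_sha_enable_periph_clk() in esp_sha.c (hunk @@ -20,10 +21,33 @@), which must get the macro from esp_private/esp_crypto_lock_internal.h instead. If that header already defines SHA_RCC_ATOMIC for the TEE build, the sha.c define is a dead redefinition; if it does not, esp_sha.c will not compile for the TEE while sha.c's define helps nobody. Either move the TEE-build definition next to its use in esp_sha.c, or explain the split with a comment such as `/* TEE build: no lock; SHA_RCC_ATOMIC for esp_sha.c comes from esp_crypto_lock_internal.h */`. I cannot see the rest of sha.c, so a use of SHA_RCC_ATOMIC outside the shown hunks would change this.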
@@ -89,34 +99,16 @@ inline static size_t block_length(esp_sha_type type)
 /* Enable SHA peripheral and then lock it */
 void esp_sha_acquire_hardware(void)
 {
-#if !ESP_TEE_BUILD
     /* Released when releasing hw with esp_sha_release_hardware() */
-    esp_crypto_sha_aes_lock_acquire();
-#endif
-
-    SHA_RCC_ATOMIC() {
-        sha_ll_enable_bus_clock(true);
-        sha_ll_reset_register();
-#if SOC_AES_CRYPTO_DMA
-        crypto_dma_ll_enable_bus_clock(true);
-        crypto_dma_ll_reset_register();
-#endif
-    }
+    SHA_LOCK();
+    esp_sha_enable_periph_clk(true);
 }
 
 /* Disable SHA peripheral block and then release it */
 void esp_sha_release_hardware(void)
 {
-    SHA_RCC_ATOMIC() {
-        sha_ll_enable_bus_clock(false);
-#if SOC_AES_CRYPTO_DMA
-        crypto_dma_ll_enable_bus_clock(false);
-#endif
-    }
-
-#if !ESP_TEE_BUILD
-    esp_crypto_sha_aes_lock_release();
-#endif
+    esp_sha_enable_periph_clk(false);
+    SHA_RELEASE();
 }
 
 void esp_sha_block(esp_sha_type sha_type, const void *data_block, bool is_first_block)
diff --git a/components/mbedtls/port/sha/esp_sha.c b/components/mbedtls/port/sha/esp_sha.c
index e0882987d5..30185ff620 100644
--- a/components/mbedtls/port/sha/esp_sha.c
+++ b/components/mbedtls/port/sha/esp_sha.c
@@ -7,6 +7,7 @@
 #include
 #include
 #include
+#include "hal/sha_ll.h"
 #include "hal/sha_hal.h"
 #include "hal/sha_types.h"
 #include "soc/soc_caps.h"
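Review bot: The header comments `/* Enable SHA peripheral and then lock it */` and `/* Disable SHA peripheral block and then release it */` now describe the reverse of the new order (lock, then enable the clock; disable the clock, then release), and the surviving `/* Released when releasing hw ... */` comment sits above `SHA_LOCK();`, which expands to nothing in the TEE build. Suggest `/* Take the SHA/AES lock (REE builds only), then enable the SHA clock */` on esp_sha_acquire_hardware and `/* Disable the SHA clock, then drop the lock (REE builds only) */` on esp_sha_release_hardware. It is also worth stating in the first comment that, in a TEE-enabled REE build, esp_sha_enable_periph_clk() is routed through a TEE service call while the lock is held — inferred from the `__wrap_` in esp_secure_service_wrapper.c, so confirm that is the intended contract.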
@@ -20,10 +21,33 @@
 #include "sha/sha_parallel_engine.h"
 #else
 #include "sha/sha_core.h"
+#include "esp_sha_internal.h"
+#include "esp_private/esp_crypto_lock_internal.h"
+#if SOC_SHA_CRYPTO_DMA
+#include "hal/crypto_dma_ll.h"
+#endif
 #endif
 
 static const char *TAG = "esp_sha";
 
+#if !SOC_SHA_SUPPORT_PARALLEL_ENG
+void esp_sha_enable_periph_clk(bool enable)
+{
+    SHA_RCC_ATOMIC() {
+        sha_ll_enable_bus_clock(enable);
+        if (enable) {
+            sha_ll_reset_register();
+        }
+#if SOC_SHA_CRYPTO_DMA
+        crypto_dma_ll_enable_bus_clock(enable);
+        if (enable) {
+            crypto_dma_ll_reset_register();
+        }
+#endif
+    }
+}
+#endif
+
 void esp_sha(esp_sha_type sha_type, const unsigned char *input, size_t ilen, unsigned char *output)
 {
     union {
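Review bot: The crypto-DMA clock handling in esp_sha_enable_periph_clk() is guarded by `SOC_SHA_CRYPTO_DMA`, whereas the code it replaces in sha.c (hunk @@ -89,34 +99,16 @@) was guarded by `SOC_AES_CRYPTO_DMA`; if any target defines one of these capabilities but not the other, SHA would now run with the DMA clock gated, or reset, under a different condition than before the commit. Please confirm both macros are set identically in soc_caps.h for every target that reaches this non-parallel-engine path, or keep the original guard so the move is behaviour-neutral. The function also lacks a header comment; suggest `/* Gate the SHA (and, where present, crypto DMA) bus clock; the blocks are reset on enable only. Called by esp_sha_acquire_hardware()/esp_sha_release_hardware(), and exposed to the REE as a TEE secure service. */`, since the enable-only reset and the service exposure are what callers on both sides now depend on.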