feat(esp_tee): Support for ESP-TEE - esptool_py, esp_rom & other components

components/esp_app_format/esp_app_desc.c

@@ -13,7 +13,7 @@
 #include "esp_log.h"
 
 // startup_internal.h is necessary for startup function definition, which does not exist on Linux (TODO: IDF-9950)
-#if !CONFIG_IDF_TARGET_LINUX
+#if !CONFIG_IDF_TARGET_LINUX && !ESP_TEE_BUILD
 #include "esp_private/startup_internal.h"
 
 static const char *TAG = "app_init";
@@ -118,7 +118,7 @@ int esp_app_get_elf_sha256(char* dst, size_t size)
 
 // startup function definition and execution does not exist on the Linux target
 // (TODO: IDF-9950)
-#if !CONFIG_IDF_TARGET_LINUX
+#if !CONFIG_IDF_TARGET_LINUX && !ESP_TEE_BUILD
 ESP_SYSTEM_INIT_FN(init_show_app_info, CORE, BIT(0), 20)
 {
     // Load the current ELF SHA256

components/esp_partition/include/esp_partition.h

@@ -95,6 +95,11 @@ typedef enum {
     ESP_PARTITION_SUBTYPE_APP_OTA_MAX = ESP_PARTITION_SUBTYPE_APP_OTA_MIN + 16,//!< Max subtype of OTA partition
     ESP_PARTITION_SUBTYPE_APP_TEST = 0x20,                                    //!< Test application partition
 
+    ESP_PARTITION_SUBTYPE_APP_TEE_MIN = 0x30,                                 //!< Base for TEE partition subtypes
+    ESP_PARTITION_SUBTYPE_APP_TEE_0 = ESP_PARTITION_SUBTYPE_APP_TEE_MIN + 0,  //!< TEE partition 0
+    ESP_PARTITION_SUBTYPE_APP_TEE_1 = ESP_PARTITION_SUBTYPE_APP_TEE_MIN + 1,  //!< TEE partition 1
+    ESP_PARTITION_SUBTYPE_APP_TEE_MAX = ESP_PARTITION_SUBTYPE_APP_TEE_1,      //!< Max subtype of TEE partition
+
     ESP_PARTITION_SUBTYPE_DATA_OTA = 0x00,                                    //!< OTA selection partition
     ESP_PARTITION_SUBTYPE_DATA_PHY = 0x01,                                    //!< PHY init data partition
     ESP_PARTITION_SUBTYPE_DATA_NVS = 0x02,                                    //!< NVS partition
@@ -108,6 +113,9 @@ typedef enum {
     ESP_PARTITION_SUBTYPE_DATA_SPIFFS = 0x82,                                 //!< SPIFFS partition
     ESP_PARTITION_SUBTYPE_DATA_LITTLEFS = 0x83,                               //!< LITTLEFS partition
 
+    ESP_PARTITION_SUBTYPE_DATA_TEE_OTA = 0x90,                                //!< TEE OTA selection partition
+    ESP_PARTITION_SUBTYPE_DATA_TEE_SEC_STORAGE= 0x91,                         //!< TEE secure storage partition
+
 #if __has_include("extra_partition_subtypes.inc")
     #include "extra_partition_subtypes.inc"
 #endif

components/esp_phy/src/phy_override.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -11,6 +11,7 @@
 #include "esp_private/sar_periph_ctrl.h"
 #include "freertos/FreeRTOS.h"
 
+#include "hal/efuse_hal.h"
 
 /*
  * This file is used to override the hooks provided by the PHY lib for some system features.
@@ -99,3 +100,20 @@ int16_t phy_get_tsens_value(void)
     return 0;
 #endif
 }
+
+/* NOTE:: With ESP-TEE enabled, we override certain functions from the libphy
+ * component archive which directly access the eFuse later (e.g. REG_READ)
+ * with the HAL APIs.
+ *
+ * In the future, ESP-TEE would need to protect the entire eFuse range through
+ * APM and expects users to use HAL APIs which would be redirected as service calls.
+ */
+void esp_phy_efuse_get_mac(uint8_t *mac)
+{
+    efuse_hal_get_mac(mac);
+}
+
+uint32_t esp_phy_efuse_get_chip_ver_pkg(void)
+{
+    return efuse_hal_get_chip_ver_pkg();
+}

components/esp_rom/CMakeLists.txt

@@ -126,6 +126,12 @@ if(CONFIG_ESP_ROM_HAS_VERSION)
     rom_linker_script("version")
 endif()
 
+if(ESP_TEE_BUILD)
+    if(target STREQUAL "esp32c6")
+        rom_linker_script("spiflash")
+    endif()
+endif()
+
 if(BOOTLOADER_BUILD)
     if(target STREQUAL "esp32")
         if(NOT CONFIG_SPI_FLASH_ROM_DRIVER_PATCH)

components/esp_rom/esp32c6/ld/esp32c6.rom.ld

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -259,11 +259,11 @@ gpio_bypass_matrix_in = 0x40000714;
  ***************************************/
 
 /* Functions */
-esprv_intc_int_set_priority = 0x40000718;
-esprv_intc_int_set_threshold = 0x4000071c;
-esprv_intc_int_enable = 0x40000720;
-esprv_intc_int_disable = 0x40000724;
-esprv_intc_int_set_type = 0x40000728;
+PROVIDE( esprv_intc_int_set_priority = 0x40000718 );
+PROVIDE( esprv_intc_int_set_threshold = 0x4000071c );
+PROVIDE( esprv_intc_int_enable = 0x40000720 );
+PROVIDE( esprv_intc_int_disable = 0x40000724 );
+PROVIDE( esprv_intc_int_set_type = 0x40000728 );
 PROVIDE( intr_handler_set = 0x4000072c );
 intr_matrix_set = 0x40000730;
 ets_intr_lock = 0x40000734;

components/esptool_py/CMakeLists.txt

@@ -1,9 +1,15 @@
 idf_build_get_property(target IDF_TARGET)
+idf_build_get_property(esp_tee_build ESP_TEE_BUILD)
 
 if(${target} STREQUAL "linux")
     return() # This component is not supported by the POSIX/Linux simulator
 endif()
 
+if(esp_tee_build)
+    idf_component_register()
+    return()
+endif()
+
 idf_component_register(REQUIRES bootloader PRIV_REQUIRES partition_table)
 
 if(NOT BOOTLOADER_BUILD)

components/esptool_py/project_include.cmake

@@ -112,7 +112,7 @@ idf_build_get_property(build_dir BUILD_DIR)
 idf_build_get_property(elf_name EXECUTABLE_NAME GENERATOR_EXPRESSION)
 idf_build_get_property(elf EXECUTABLE GENERATOR_EXPRESSION)
 
-if(CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES AND NOT BOOTLOADER_BUILD)
+if(CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES AND NOT non_os_build)
     set(unsigned_project_binary "${elf_name}-unsigned.bin")
 else()
     set(unsigned_project_binary "${elf_name}.bin")

components/log/include/esp_log.h

@@ -101,7 +101,7 @@ void esp_log_writev(esp_log_level_t level, const char* tag, const char* format,
             esp_rom_printf(LOG_FORMAT(log_tag_letter, format), esp_log_timestamp(), tag, ##__VA_ARGS__); \
         }} while(0)
 
-#ifndef NON_OS_BUILD
+#if !NON_OS_BUILD
 #if defined(__cplusplus) && (__cplusplus >  201703L)
 #define ESP_LOGE( tag, format, ... ) ESP_LOG_LEVEL_LOCAL(ESP_LOG_ERROR,   tag, format __VA_OPT__(,) __VA_ARGS__)
 #define ESP_LOGW( tag, format, ... ) ESP_LOG_LEVEL_LOCAL(ESP_LOG_WARN,    tag, format __VA_OPT__(,) __VA_ARGS__)

components/log/include/esp_log_level.h

@@ -32,12 +32,14 @@ typedef enum {
 #ifndef LOG_LOCAL_LEVEL
 #if BOOTLOADER_BUILD
 #define LOG_LOCAL_LEVEL  CONFIG_BOOTLOADER_LOG_LEVEL
-#else // !BOOTLOADER_BUILD
+#elif ESP_TEE_BUILD
+#define LOG_LOCAL_LEVEL  CONFIG_SECURE_TEE_LOG_LEVEL
+#else
 #define LOG_LOCAL_LEVEL  CONFIG_LOG_MAXIMUM_LEVEL
-#endif // !BOOTLOADER_BUILD
+#endif
 #endif // LOG_LOCAL_LEVEL
 
-#ifdef NON_OS_BUILD
+#if NON_OS_BUILD
 
 #define _ESP_LOG_ENABLED(log_level) (LOG_LOCAL_LEVEL >= (log_level))
 #define _ESP_LOG_EARLY_ENABLED(log_level) _ESP_LOG_ENABLED(log_level)

components/log/src/log_timestamp_common.c

@@ -12,7 +12,7 @@
 #include "esp_private/log_timestamp.h"
 #include "sdkconfig.h"
 
-#ifndef NON_OS_BUILD
+#if !NON_OS_BUILD
 #include <sys/lock.h>
 #include "freertos/FreeRTOS.h"
 #include "freertos/task.h"

components/partition_table/Kconfig.projbuild

@@ -100,6 +100,30 @@ menu "Partition Table"
                 The corresponding CSV file in the IDF directory is
                 components/partition_table/partitions_two_ota_encr_nvs.csv
 
+        config PARTITION_TABLE_SINGLE_APP_TEE
+            bool "Single factory app, no OTA, TEE"
+            depends on SECURE_ENABLE_TEE
+            help
+                This is a variation of the default "Single factory app, no OTA" partition table
+                that supports the ESP-TEE framework. See the Trusted Execution Environment (TEE) section
+                in the ESP-IDF Programmers Guide for more information.
+
+                The corresponding CSV file in the IDF directory is
+                components/partition_table/partitions_singleapp_tee.csv
+
+        config PARTITION_TABLE_TWO_OTA_TEE
+            bool "Two OTA definitions, TEE"
+            depends on SECURE_ENABLE_TEE
+            help
+                This is a basic OTA-enabled partition table with two OTA app partitions each
+                for the TEE and the user (REE) application. The user app partition sizes are 1536K,
+                so this partition table requires 4MB or larger flash size. See the
+                Trusted Execution Environment (TEE) section in the ESP-IDF Programmers Guide
+                for more information.
+
+                The corresponding CSV file in the IDF directory is
+                components/partition_table/partitions_two_ota_tee.csv
+
     endchoice
 
     config PARTITION_TABLE_CUSTOM_FILENAME
@@ -122,6 +146,8 @@ menu "Partition Table"
         default "partitions_two_ota_coredump.csv" if PARTITION_TABLE_TWO_OTA && ESP_COREDUMP_ENABLE_TO_FLASH
         default "partitions_two_ota_encr_nvs.csv" if PARTITION_TABLE_TWO_OTA_ENCRYPTED_NVS
         default "partitions_two_ota_large.csv" if PARTITION_TABLE_TWO_OTA_LARGE && !ESP_COREDUMP_ENABLE_TO_FLASH
+        default "partitions_singleapp_tee.csv" if PARTITION_TABLE_SINGLE_APP_TEE
+        default "partitions_two_ota_tee.csv" if PARTITION_TABLE_TWO_OTA_TEE
         default PARTITION_TABLE_CUSTOM_FILENAME if PARTITION_TABLE_CUSTOM
 
     config PARTITION_TABLE_OFFSET

components/partition_table/gen_esp32part.py

@@ -24,6 +24,8 @@ PARTITION_TABLE_SIZE  = 0x1000  # Size of partition table
 
 MIN_PARTITION_SUBTYPE_APP_OTA = 0x10
 NUM_PARTITION_SUBTYPE_APP_OTA = 16
+MIN_PARTITION_SUBTYPE_APP_TEE = 0x30
+NUM_PARTITION_SUBTYPE_APP_TEE = 2
 
 SECURE_NONE = None
 SECURE_V1 = 'v1'
@@ -82,6 +84,8 @@ SUBTYPES = {
         'fat': 0x81,
         'spiffs': 0x82,
         'littlefs': 0x83,
+        'tee_ota': 0x90,
+        'tee_sec_stg': 0x91,
     },
 }
 
@@ -308,6 +312,18 @@ class PartitionTable(list):
             critical('%s' % (p.to_csv()))
             raise InputError('otadata partition must have size = 0x2000')
 
+        # Above checks but for TEE otadata
+        otadata_duplicates = [p for p in self if p.type == TYPES['data'] and p.subtype == SUBTYPES[DATA_TYPE]['tee_ota']]
+        if len(otadata_duplicates) > 1:
+            for p in otadata_duplicates:
+                critical('%s' % (p.to_csv()))
+            raise InputError('Found multiple TEE otadata partitions. Only one partition can be defined with type="data"(1) and subtype="tee_ota"(0x90).')
+
+        if len(otadata_duplicates) == 1 and otadata_duplicates[0].size != 0x2000:
+            p = otadata_duplicates[0]
+            critical('%s' % (p.to_csv()))
+            raise InputError('TEE otadata partition must have size = 0x2000')
+
     def flash_size(self):
         """ Return the size that partitions will occupy in flash
             (ie the offset the last partition ends at)
@@ -379,6 +395,10 @@ class PartitionDefinition(object):
     for ota_slot in range(NUM_PARTITION_SUBTYPE_APP_OTA):
         SUBTYPES[TYPES['app']]['ota_%d' % ota_slot] = MIN_PARTITION_SUBTYPE_APP_OTA + ota_slot
 
+    # add subtypes for the 2 TEE OTA slot values ("tee_XX, etc.")
+    for tee_slot in range(NUM_PARTITION_SUBTYPE_APP_TEE):
+        SUBTYPES[TYPES['app']]['tee_%d' % tee_slot] = MIN_PARTITION_SUBTYPE_APP_TEE + tee_slot
+
     def __init__(self):
         self.name = ''
         self.type = None

components/partition_table/partitions_singleapp_tee.csv

@@ -0,0 +1,7 @@
+# Name,   Type, SubType, Offset,  Size, Flags
+# Note: if you have increased the bootloader size, make sure to update the offsets to avoid overlap
+tee,            app,   tee_0,       , 192K,
+secure_storage, data,  tee_sec_stg, , 64K,
+factory,        app,   factory,     , 1536K,
+nvs,            data,  nvs,         , 24K,
+phy_init,       data,  phy,         , 4K,

components/partition_table/partitions_two_ota_tee.csv

@@ -0,0 +1,11 @@
+# Name,   Type, SubType, Offset,  Size, Flags
+# Note: if you have increased the bootloader size, make sure to update the offsets to avoid overlap
+tee_0,          app,   tee_0,       , 192K,
+tee_1,          app,   tee_1,       , 192K,
+tee_otadata,    data,  tee_ota,     , 8K,
+secure_storage, data,  tee_sec_stg, , 56K,
+ota_0,          app,   ota_0,       , 1536K,
+ota_1,          app,   ota_1,       , 1536K,
+otadata,        data,  ota,         , 8K,
+nvs,            data,  nvs,         , 24K,
+phy_init,       data,  phy,         , 4K,