mirror of
https://github.com/espressif/esp-idf
synced 2025-03-09 09:09:10 -04:00
186 lines
6.7 KiB
Plaintext
186 lines
6.7 KiB
Plaintext
menu "ESP-TEE (Trusted Execution Environment)"
|
|
depends on IDF_TARGET_ESP32C6
|
|
|
|
config SECURE_ENABLE_TEE
|
|
bool "Enable the ESP-TEE framework"
|
|
depends on IDF_TARGET_ESP32C6
|
|
select ESP_SYSTEM_MEMPROT_FEATURE_VIA_TEE
|
|
help
|
|
This configuration enables the Trusted Execution Environment (TEE) feature.
|
|
|
|
menu "Memory Configuration"
|
|
depends on SECURE_ENABLE_TEE
|
|
|
|
config SECURE_TEE_IRAM_SIZE
|
|
hex "IRAM region size"
|
|
default 0x8000
|
|
range 0x8000 0x10000
|
|
help
|
|
This configuration sets the IRAM size for the TEE module.
|
|
This should be a multiple of 0x1000.
|
|
|
|
config SECURE_TEE_DRAM_SIZE
|
|
hex "DRAM region size"
|
|
default 0x8000
|
|
range 0x8000 0x10000
|
|
help
|
|
This configuration sets the DRAM size for the TEE module.
|
|
This should be a multiple of 0x1000.
|
|
|
|
config SECURE_TEE_STACK_SIZE
|
|
hex "Stack size"
|
|
default 0xc00
|
|
range 0x800 0x1000
|
|
help
|
|
This configuration sets the stack size for the TEE module.
|
|
The TEE stack will be allocated from the TEE DRAM region.
|
|
This should be a multiple of 0x100.
|
|
|
|
config SECURE_TEE_INTR_STACK_SIZE
|
|
hex "Interrupt Stack size"
|
|
default 0x400
|
|
range 0x400 0x800
|
|
help
|
|
This configuration sets the interrupt stack size for the TEE module.
|
|
The TEE interrupt stack will be allocated from the TEE DRAM region.
|
|
This should be a multiple of 0x100.
|
|
|
|
config SECURE_TEE_IROM_SIZE
|
|
hex
|
|
default 0x10000
|
|
help
|
|
This should be a multiple of MMU_PAGE_SIZE.
|
|
|
|
config SECURE_TEE_DROM_SIZE
|
|
hex
|
|
default 0x10000
|
|
help
|
|
This should be a multiple of MMU_PAGE_SIZE.
|
|
|
|
endmenu
|
|
|
|
menu "Secure Services"
|
|
depends on SECURE_ENABLE_TEE
|
|
|
|
choice SECURE_TEE_SEC_STG_MODE
|
|
prompt "Secure Storage: Mode"
|
|
depends on SECURE_ENABLE_TEE
|
|
default SECURE_TEE_SEC_STG_MODE_DEVELOPMENT
|
|
help
|
|
Select the TEE secure storage mode
|
|
|
|
config SECURE_TEE_SEC_STG_MODE_DEVELOPMENT
|
|
bool "Development"
|
|
help
|
|
Secure storage will be encrypted by the data stored in eFuse BLK2
|
|
|
|
config SECURE_TEE_SEC_STG_MODE_RELEASE
|
|
depends on IDF_TARGET_ESP32C6
|
|
bool "Release"
|
|
help
|
|
Secure storage will be encrypted by the data stored in eFuse block
|
|
configured through the SECURE_TEE_SEC_STG_KEY_EFUSE_BLK option
|
|
|
|
endchoice
|
|
|
|
config SECURE_TEE_SEC_STG_KEY_EFUSE_BLK
|
|
int "Secure Storage: Encryption key eFuse block"
|
|
depends on SECURE_TEE_SEC_STG_MODE_RELEASE
|
|
range 4 10
|
|
default 10
|
|
help
|
|
eFuse block ID storing the TEE secure storage encryption key
|
|
|
|
config SECURE_TEE_ATTESTATION
|
|
bool "Enable Attestation"
|
|
default y
|
|
help
|
|
This configuration enables the support for the Attestation service.
|
|
|
|
|
|
config SECURE_TEE_ATT_KEY_SLOT_ID
|
|
depends on SECURE_TEE_ATTESTATION
|
|
int "Attestation: Secure Storage slot ID for EAT signing"
|
|
default 0
|
|
range 0 14
|
|
help
|
|
This configuration sets the slot ID from the TEE secure storage
|
|
storing the ECDSA keypair for executing sign/verify operations
|
|
from the TEE side for attestation.
|
|
|
|
endmenu
|
|
|
|
config SECURE_TEE_EXT_FLASH_MEMPROT_SPI1
|
|
bool "Memprot: Isolate TEE flash regions over SPI1"
|
|
depends on SECURE_ENABLE_TEE
|
|
default n
|
|
help
|
|
This configuration restricts access to TEE-reserved regions in external flash
|
|
by making them inaccessible to the REE via the SPI1 interface (physical addresses).
|
|
|
|
With this enabled, all SPI flash read, write, or erase operations over SPI1 will
|
|
be routed through service calls to the TEE, introducing additional performance
|
|
overhead.
|
|
|
|
When Flash Encryption (SECURE_FLASH_ENC_ENABLED) is enabled, the REE can still
|
|
access TEE-related flash partitions over SPI1, but read operations will return
|
|
encrypted data contents. This prevents attackers from inferring the TEE contents
|
|
with direct reads.
|
|
|
|
Additionally, with Secure Boot enabled (SECURE_BOOT_V2_ENABLED), any unauthorized
|
|
modifications to the TEE firmware will be detected during boot, causing signature
|
|
verification to fail. Thus, these options provide a level of protection suitable for
|
|
most applications. However, while the TEE firmware integrity is protected, other TEE
|
|
partitions (Secure Storage, TEE OTA data) can be manipulated through direct writes.
|
|
|
|
Enable this option only when complete isolation of all TEE flash regions is required,
|
|
even with the associated performance tradeoffs.
|
|
|
|
Note: All accesses to the TEE partitions over SPI0 (i.e. the MMU) are blocked
|
|
unconditionally.
|
|
|
|
config SECURE_TEE_DEBUG_MODE
|
|
bool "Enable Debug Mode"
|
|
default y
|
|
depends on SECURE_ENABLE_TEE
|
|
help
|
|
This configuration enables the logging from the TEE module.
|
|
|
|
choice SECURE_TEE_LOG_LEVEL
|
|
bool "Log verbosity"
|
|
default SECURE_TEE_LOG_LEVEL_WARN
|
|
depends on SECURE_TEE_DEBUG_MODE
|
|
help
|
|
Specify how much output to see in TEE logs.
|
|
|
|
config SECURE_TEE_LOG_LEVEL_NONE
|
|
bool "No output"
|
|
config SECURE_TEE_LOG_LEVEL_ERROR
|
|
bool "Error"
|
|
config SECURE_TEE_LOG_LEVEL_WARN
|
|
bool "Warning"
|
|
config SECURE_TEE_LOG_LEVEL_INFO
|
|
bool "Info"
|
|
config SECURE_TEE_LOG_LEVEL_DEBUG
|
|
bool "Debug"
|
|
config SECURE_TEE_LOG_LEVEL_VERBOSE
|
|
bool "Verbose"
|
|
endchoice
|
|
|
|
config SECURE_TEE_LOG_LEVEL
|
|
int
|
|
default 0 if SECURE_TEE_LOG_LEVEL_NONE || !SECURE_TEE_DEBUG_MODE
|
|
default 1 if SECURE_TEE_LOG_LEVEL_ERROR
|
|
default 2 if SECURE_TEE_LOG_LEVEL_WARN
|
|
default 3 if SECURE_TEE_LOG_LEVEL_INFO
|
|
default 4 if SECURE_TEE_LOG_LEVEL_DEBUG
|
|
default 5 if SECURE_TEE_LOG_LEVEL_VERBOSE
|
|
|
|
config SECURE_TEE_TEST_MODE
|
|
bool "Enable Test Mode"
|
|
depends on SECURE_ENABLE_TEE
|
|
help
|
|
This configuration sets up the TEE framework as required for executing the test suite.
|
|
|
|
endmenu
|