feat(esp_security): Add a TEE-specific crypto lock layer with stub implementations

laukik-hase · laukik-hase · commit 1c4969bc476c · 2025-04-16T19:19:03.000+05:30
diff --git a/components/esp_security/CMakeLists.txt b/components/esp_security/CMakeLists.txt
@@ -32,7 +32,7 @@ if(NOT non_os_build)
     list(APPEND srcs "src/esp_crypto_lock.c" "src/esp_crypto_periph_clk.c")
     list(APPEND priv_requires efuse esp_hw_support esp_system esp_timer)
 elseif(esp_tee_build)
-    list(APPEND srcs "src/esp_crypto_periph_clk.c")
+    list(APPEND srcs "src/esp_crypto_lock.c" "src/esp_crypto_periph_clk.c")
     list(APPEND includes "src/${IDF_TARGET}")
     list(APPEND priv_requires esp_hw_support)
 endif()
diff --git a/components/esp_security/src/esp_crypto_lock.c b/components/esp_security/src/esp_crypto_lock.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -18,6 +18,7 @@ DS: needs HMAC (which needs SHA), AES and MPI
 ECDSA: needs ECC and MPI
 */
 
+#if !NON_OS_BUILD
 #ifdef SOC_DIG_SIGN_SUPPORTED
 /* Lock for DS peripheral */
 static _lock_t s_crypto_ds_lock;
@@ -162,3 +163,52 @@ void esp_crypto_key_manager_lock_release(void)
     _lock_release(&s_crypto_key_manager_lock);
 }
 #endif /* SOC_KEY_MANAGER_SUPPORTED */
+#else /* NON_OS_BUILD */
+#ifdef SOC_HMAC_SUPPORTED
+void esp_crypto_hmac_lock_acquire(void) {}
+
+void esp_crypto_hmac_lock_release(void) {}
+#endif /* SOC_HMAC_SUPPORTED */
+
+#ifdef SOC_DIG_SIGN_SUPPORTED
+void esp_crypto_ds_lock_acquire(void) {}
+
+void esp_crypto_ds_lock_release(void) {}
+#endif /* SOC_DIG_SIGN_SUPPORTED */
+
+#if defined(SOC_SHA_SUPPORTED) || defined(SOC_AES_SUPPORTED)
+void esp_crypto_sha_aes_lock_acquire(void) {}
+
+void esp_crypto_sha_aes_lock_release(void) {}
+#endif /* defined(SOC_SHA_SUPPORTED) || defined(SOC_AES_SUPPORTED) */
+
+#if defined(SOC_SHA_CRYPTO_DMA) || defined(SOC_AES_CRYPTO_DMA)
+void esp_crypto_dma_lock_acquire(void) {}
+
+void esp_crypto_dma_lock_release(void) {}
+#endif /* defined(SOC_SHA_CRYPTO_DMA) || defined(SOC_AES_CRYPTO_DMA) */
+
+#ifdef SOC_MPI_SUPPORTED
+void esp_crypto_mpi_lock_acquire(void) {}
+
+void esp_crypto_mpi_lock_release(void) {}
+#endif /* SOC_MPI_SUPPORTED */
+
+#ifdef SOC_ECC_SUPPORTED
+void esp_crypto_ecc_lock_acquire(void) {}
+
+void esp_crypto_ecc_lock_release(void) {}
+#endif /* SOC_ECC_SUPPORTED */
+
+#ifdef SOC_ECDSA_SUPPORTED
+void esp_crypto_ecdsa_lock_acquire(void) {}
+
+void esp_crypto_ecdsa_lock_release(void) {}
+#endif /* SOC_ECDSA_SUPPORTED */
+
+#ifdef SOC_KEY_MANAGER_SUPPORTED
+void esp_crypto_key_manager_lock_acquire(void) {}
+
+void esp_crypto_key_manager_lock_release(void) {}
+#endif /* SOC_KEY_MANAGER_SUPPORTED */
+#endif /* !NON_OS_BUILD */
diff --git a/components/mbedtls/port/aes/dma/esp_aes.c b/components/mbedtls/port/aes/dma/esp_aes.c
@@ -35,13 +35,8 @@
 #include "esp_crypto_periph_clk.h"
 
 #if SOC_AES_GDMA
-#if !ESP_TEE_BUILD
 #define AES_LOCK() esp_crypto_sha_aes_lock_acquire()
 #define AES_RELEASE() esp_crypto_sha_aes_lock_release()
-#else
-#define AES_LOCK()
-#define AES_RELEASE()
-#endif
 #elif SOC_AES_CRYPTO_DMA
 #define AES_LOCK() esp_crypto_dma_lock_acquire()
 #define AES_RELEASE() esp_crypto_dma_lock_release()
diff --git a/components/mbedtls/port/sha/core/sha.c b/components/mbedtls/port/sha/core/sha.c
@@ -52,14 +52,6 @@
 #endif
 #endif /* SOC_SHA_SUPPORT_DMA */
 
-#if !ESP_TEE_BUILD
-#define SHA_LOCK()    esp_crypto_sha_aes_lock_acquire()
-#define SHA_RELEASE() esp_crypto_sha_aes_lock_release()
-#else
-#define SHA_LOCK()
-#define SHA_RELEASE()
-#endif
-
 void esp_sha_write_digest_state(esp_sha_type sha_type, void *digest_state)
 {
     sha_hal_write_digest(sha_type, digest_state);
@@ -99,15 +91,15 @@ inline static size_t block_length(esp_sha_type type)
 void esp_sha_acquire_hardware(void)
 {
     /* Released when releasing hw with esp_sha_release_hardware() */
-    SHA_LOCK();
+    esp_crypto_sha_aes_lock_acquire();
     esp_crypto_sha_enable_periph_clk(true);
 }
 
 /* Disable SHA peripheral block and then release it */
 void esp_sha_release_hardware(void)
 {
     esp_crypto_sha_enable_periph_clk(false);
-    SHA_RELEASE();
+    esp_crypto_sha_aes_lock_release();
 }
 
 void esp_sha_block(esp_sha_type sha_type, const void *data_block, bool is_first_block)

Original file line number	Diff line number	Diff line change
`@@ -52,14 +52,6 @@`
`52`	`52`	`#endif`
`53`	`53`	`#endif /* SOC_SHA_SUPPORT_DMA */`
`54`	`54`
`55`		`-#if !ESP_TEE_BUILD`
`56`		`-#define SHA_LOCK() esp_crypto_sha_aes_lock_acquire()`
`57`		`-#define SHA_RELEASE() esp_crypto_sha_aes_lock_release()`
`58`		`-#else`
`59`		`-#define SHA_LOCK()`
`60`		`-#define SHA_RELEASE()`
`61`		`-#endif`
`62`		`-`
`63`	`55`	`void esp_sha_write_digest_state(esp_sha_type sha_type, void *digest_state)`
`64`	`56`	`{`
`65`	`57`	`sha_hal_write_digest(sha_type, digest_state);`
`@@ -99,15 +91,15 @@ inline static size_t block_length(esp_sha_type type)`
`99`	`91`	`void esp_sha_acquire_hardware(void)`
`100`	`92`	`{`
`101`	`93`	`/* Released when releasing hw with esp_sha_release_hardware() */`
`102`		`- SHA_LOCK();`
	`94`	`+ esp_crypto_sha_aes_lock_acquire();`
`103`	`95`	`esp_crypto_sha_enable_periph_clk(true);`
`104`	`96`	`}`
`105`	`97`
`106`	`98`	`/* Disable SHA peripheral block and then release it */`
`107`	`99`	`void esp_sha_release_hardware(void)`
`108`	`100`	`{`
`109`	`101`	`esp_crypto_sha_enable_periph_clk(false);`
`110`		`- SHA_RELEASE();`
	`102`	`+ esp_crypto_sha_aes_lock_release();`
`111`	`103`	`}`
`112`	`104`
`113`	`105`	`void esp_sha_block(esp_sha_type sha_type, const void *data_block, bool is_first_block)`