fix(esp_tee): Protect the AES/SHA clock registers from REE access

Author: laukik-hase

components/esp_system/port/soc/esp32c6/clk.c

@@ -291,8 +291,11 @@ __attribute__((weak)) void esp_perip_clk_init(void)
         periph_ll_disable_clk_set_rst(PERIPH_ASSIST_DEBUG_MODULE);
 #endif
         periph_ll_disable_clk_set_rst(PERIPH_RSA_MODULE);
+#if !CONFIG_SECURE_ENABLE_TEE
+        // NOTE: [ESP-TEE] The TEE is responsible for the AES and SHA peripherals
         periph_ll_disable_clk_set_rst(PERIPH_AES_MODULE);
         periph_ll_disable_clk_set_rst(PERIPH_SHA_MODULE);
+#endif
         periph_ll_disable_clk_set_rst(PERIPH_ECC_MODULE);
         periph_ll_disable_clk_set_rst(PERIPH_HMAC_MODULE);
         periph_ll_disable_clk_set_rst(PERIPH_DS_MODULE);

components/esp_tee/scripts/esp32c6/sec_srv_tbl_default.yml

@@ -208,6 +208,10 @@ secure_services:
         type: IDF
         function: esp_sha_write_digest_state
         args: 2
+      - id: 132
+        type: IDF
+        function: esp_sha_enable_periph_clk
+        args: 1
   # ID: 134-149 (16) - eFuse
   - family: efuse
     entries:

components/esp_tee/src/esp_secure_service_wrapper.c

@@ -228,6 +228,11 @@ void __wrap_esp_sha_write_digest_state(esp_sha_type sha_type, void *digest_state
     esp_tee_service_call(3, SS_ESP_SHA_WRITE_DIGEST_STATE, sha_type, digest_state);
 }
 
+void __wrap_esp_sha_enable_periph_clk(bool enable)
+{
+    esp_tee_service_call(2, SS_ESP_SHA_ENABLE_PERIPH_CLK, enable);
+}
+
 /* ---------------------------------------------- MMU HAL ------------------------------------------------- */
 
 void IRAM_ATTR __wrap_mmu_hal_map_region(uint32_t mmu_id, mmu_target_t mem_type, uint32_t vaddr, uint32_t paddr, uint32_t len, uint32_t *out_len)

components/esp_tee/subproject/main/core/esp_secure_services.c

@@ -26,6 +26,7 @@
 #include "soc/soc_caps.h"
 #include "aes/esp_aes.h"
 #include "sha/sha_core.h"
+#include "esp_sha_internal.h"
 
 #include "esp_tee.h"
 #include "esp_tee_memory_utils.h"
@@ -325,6 +326,11 @@ void _ss_esp_sha_block(esp_sha_type sha_type, const void *data_block, bool is_fi
     esp_sha_block(sha_type, data_block, is_first_block);
 }
 
+void _ss_esp_sha_enable_periph_clk(bool enable)
+{
+    esp_sha_enable_periph_clk(enable);
+}
+
 /* ---------------------------------------------- OTA ------------------------------------------------- */
 
 int _ss_esp_tee_ota_begin(void)

components/esp_tee/subproject/main/soc/esp32c6/esp_tee_apm_prot_cfg.c

@@ -11,6 +11,7 @@
 #include "soc/soc.h"
 #include "soc/spi_mem_reg.h"
 #include "soc/efuse_reg.h"
+#include "soc/pcr_reg.h"
 
 extern void tee_apm_violation_isr(void *arg);
 
@@ -91,34 +92,41 @@ apm_ctrl_region_config_data_t hp_apm_pms_data[] = {
         .regn_pms        = 0x6,
         .filter_enable   = 1,
     },
-    /* Region 5: Peripherals [RSA - TEE Controller & APM] (RW) */
-    /* Protected: APM, TEE Controller */
+    /* Region 5/6: Peripherals [RSA - TEE Controller & APM] (RW) */
+    /* Protected: AES + SHA PCR, APM, TEE Controller */
     {
         .regn_num = 5,
         .regn_start_addr = DR_REG_RSA_BASE,
-        .regn_end_addr   = (DR_REG_TEE_BASE - 0x4),
+        .regn_end_addr   = (PCR_AES_CONF_REG - 0x4),
         .regn_pms        = 0x6,
         .filter_enable   = 1,
     },
-    /* Region 6: Peripherals [Miscellaneous - PMU] (RW) */
     {
         .regn_num = 6,
+        .regn_start_addr = PCR_RSA_CONF_REG,
+        .regn_end_addr   = (DR_REG_TEE_BASE - 0x4),
+        .regn_pms        = 0x6,
+        .filter_enable   = 1,
+    },
+    /* Region 7: Peripherals [Miscellaneous - PMU] (RW) */
+    {
+        .regn_num = 7,
         .regn_start_addr = DR_REG_MISC_BASE,
         .regn_end_addr   = (DR_REG_PMU_BASE - 0x04),
         .regn_pms        = 0x6,
         .filter_enable   = 1,
     },
-    /* Region 7: Peripherals [DEBUG - PWDET] (RW) */
+    /* Region 8: Peripherals [DEBUG - PWDET] (RW) */
     {
-        .regn_num = 7,
+        .regn_num = 8,
         .regn_start_addr = DR_REG_OPT_DEBUG_BASE,
         .regn_end_addr   = 0x600D0000,
         .regn_pms        = 0x6,
         .filter_enable   = 1,
     },
-    /* Region 8: REE SRAM region (RW) */
+    /* Region 9: REE SRAM region (RW) */
     {
-        .regn_num = 8,
+        .regn_num = 9,
         .regn_start_addr = SOC_NS_IRAM_START,
         .regn_end_addr   = SOC_IRAM_HIGH,
         .regn_pms        = 0x6,
@@ -164,9 +172,9 @@ apm_ctrl_secure_mode_config_t hp_apm_sec_mode_data = {
 
 /* HP_APM: TEE mode accessible regions */
 apm_ctrl_region_config_data_t hp_apm_pms_data_tee[] = {
-    /* Region 9: Entire memory region (RWX)*/
+    /* Region 10: Entire memory region (RWX)*/
     {
-        .regn_num = 9,
+        .regn_num = 10,
         .regn_start_addr = 0x0,
         .regn_end_addr   = ~0x0,
         .regn_pms        = 0x7,
@@ -303,6 +311,9 @@ void esp_tee_configure_apm_protection(void)
     /* Disable all control filter first to have full access of address rage. */
     apm_hal_apm_ctrl_filter_enable_all(false);
 
+    /* Switch HP_CPU to TEE mode */
+    apm_tee_hal_set_master_secure_mode(HP_APM_CTRL, APM_LL_MASTER_HPCORE, APM_LL_SECURE_MODE_TEE);
+
     /* LP APM0 configuration. */
     lp_apm0_sec_mode_data.regn_count = sizeof(lp_apm0_pms_data) / sizeof(apm_ctrl_region_config_data_t);
     apm_hal_apm_ctrl_master_sec_mode_config(&lp_apm0_sec_mode_data);

components/esp_tee/subproject/main/soc/esp32c6/esp_tee_secure_sys_cfg.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -12,6 +12,7 @@
 #include "esp_cpu.h"
 #include "esp_log.h"
 #include "hal/apm_hal.h"
+#include "hal/clk_gate_ll.h"
 
 #include "esp_tee.h"
 #include "esp_tee_intr.h"
@@ -91,6 +92,10 @@ void esp_tee_soc_secure_sys_init(void)
     esp_tee_protect_intr_src(ETS_EFUSE_INTR_SOURCE);        // eFuse
     esp_tee_protect_intr_src(ETS_AES_INTR_SOURCE);          // AES
     esp_tee_protect_intr_src(ETS_SHA_INTR_SOURCE);          // SHA
+
+    /* Disable AES/SHA peripheral clocks; they will be toggled as needed when the peripheral is in use */
+    periph_ll_disable_clk_set_rst(PERIPH_AES_MODULE);
+    periph_ll_disable_clk_set_rst(PERIPH_SHA_MODULE);
 }
 
 IRAM_ATTR inline void esp_tee_switch_to_ree(uint32_t ree_entry_addr)

components/mbedtls/port/sha/core/include/esp_sha_internal.h

@@ -56,6 +56,13 @@ static inline esp_sha_mode sha_operation_mode(size_t length)
     return SHA_BLOCK_MODE;
 }
 
+/**
+ * @brief Enable or disable the SHA peripheral clock
+ *
+ * @param enable true to enable, false to disable
+ */
+void esp_sha_enable_periph_clk(bool enable);
+
 #ifdef __cplusplus
 }
 #endif

components/mbedtls/port/sha/core/sha.c

@@ -16,6 +16,7 @@
 #include "esp_private/esp_crypto_lock_internal.h"
 #include "esp_log.h"
 #include "sha/sha_core.h"
+#include "esp_sha_internal.h"
 #include "hal/sha_hal.h"
 #include "hal/sha_ll.h"
 #include "soc/soc_caps.h"
@@ -51,6 +52,15 @@
 #endif
 #endif /* SOC_SHA_SUPPORT_DMA */
 
+#if !ESP_TEE_BUILD
+#define SHA_LOCK()    esp_crypto_sha_aes_lock_acquire()
+#define SHA_RELEASE() esp_crypto_sha_aes_lock_release()
+#else
+#define SHA_RCC_ATOMIC()
+#define SHA_LOCK()
+#define SHA_RELEASE()
+#endif
+
 void esp_sha_write_digest_state(esp_sha_type sha_type, void *digest_state)
 {
     sha_hal_write_digest(sha_type, digest_state);
@@ -89,34 +99,16 @@ inline static size_t block_length(esp_sha_type type)
 /* Enable SHA peripheral and then lock it */
 void esp_sha_acquire_hardware(void)
 {
-#if !ESP_TEE_BUILD
     /* Released when releasing hw with esp_sha_release_hardware() */
-    esp_crypto_sha_aes_lock_acquire();
-#endif
-
-    SHA_RCC_ATOMIC() {
-        sha_ll_enable_bus_clock(true);
-        sha_ll_reset_register();
-#if SOC_AES_CRYPTO_DMA
-        crypto_dma_ll_enable_bus_clock(true);
-        crypto_dma_ll_reset_register();
-#endif
-    }
+    SHA_LOCK();
+    esp_sha_enable_periph_clk(true);
 }
 
 /* Disable SHA peripheral block and then release it */
 void esp_sha_release_hardware(void)
 {
-    SHA_RCC_ATOMIC() {
-        sha_ll_enable_bus_clock(false);
-#if SOC_AES_CRYPTO_DMA
-        crypto_dma_ll_enable_bus_clock(false);
-#endif
-    }
-
-#if !ESP_TEE_BUILD
-    esp_crypto_sha_aes_lock_release();
-#endif
+    esp_sha_enable_periph_clk(false);
+    SHA_RELEASE();
 }
 
 void esp_sha_block(esp_sha_type sha_type, const void *data_block, bool is_first_block)

components/mbedtls/port/sha/esp_sha.c

@@ -7,6 +7,7 @@
 #include <string.h>
 #include <stdio.h>
 #include <assert.h>
+#include "hal/sha_ll.h"
 #include "hal/sha_hal.h"
 #include "hal/sha_types.h"
 #include "soc/soc_caps.h"
@@ -20,10 +21,33 @@
 #include "sha/sha_parallel_engine.h"
 #else
 #include "sha/sha_core.h"
+#include "esp_sha_internal.h"
+#include "esp_private/esp_crypto_lock_internal.h"
+#if SOC_SHA_CRYPTO_DMA
+#include "hal/crypto_dma_ll.h"
+#endif
 #endif
 
 static const char *TAG = "esp_sha";
 
+#if !SOC_SHA_SUPPORT_PARALLEL_ENG
+void esp_sha_enable_periph_clk(bool enable)
+{
+    SHA_RCC_ATOMIC() {
+        sha_ll_enable_bus_clock(enable);
+        if (enable) {
+            sha_ll_reset_register();
+        }
+#if SOC_SHA_CRYPTO_DMA
+        crypto_dma_ll_enable_bus_clock(enable);
+        if (enable) {
+            crypto_dma_ll_reset_register();
+        }
+#endif
+    }
+}
+#endif
+
 void esp_sha(esp_sha_type sha_type, const unsigned char *input, size_t ilen, unsigned char *output)
 {
     union {