feat(esp_tee): Protect the ECC peripheral from REE access

Author: laukik-hase

components/esp_system/port/soc/esp32c6/clk.c

@@ -297,8 +297,8 @@ __attribute__((weak)) void esp_perip_clk_init(void)
         periph_ll_disable_clk_set_rst(PERIPH_SHA_MODULE);
         periph_ll_disable_clk_set_rst(PERIPH_HMAC_MODULE);
         periph_ll_disable_clk_set_rst(PERIPH_DS_MODULE);
-#endif
         periph_ll_disable_clk_set_rst(PERIPH_ECC_MODULE);
+#endif
 
         // TODO: Replace with hal implementation
         REG_CLR_BIT(PCR_CTRL_TICK_CONF_REG, PCR_TICK_ENABLE);

components/esp_tee/scripts/esp32c6/sec_srv_tbl_default.yml

@@ -248,6 +248,14 @@ secure_services:
         type: IDF
         function: esp_crypto_mpi_enable_periph_clk
         args: 1
+      - id: 108
+        type: IDF
+        function: esp_ecc_point_multiply
+        args: 4
+      - id: 109
+        type: IDF
+        function: esp_ecc_point_verify
+        args: 1
   # ID: 134-149 (16) - eFuse
   - family: efuse
     entries:

components/esp_tee/src/esp_secure_service_wrapper.c

@@ -342,6 +342,33 @@ void __wrap_esp_crypto_mpi_enable_periph_clk(bool enable)
     esp_tee_service_call(2, SS_ESP_CRYPTO_MPI_ENABLE_PERIPH_CLK, enable);
 }
 
+/* ---------------------------------------------- ECC ------------------------------------------------- */
+
+#define P256_LEN        (256/8)
+#define P192_LEN        (192/8)
+
+typedef struct {
+    uint8_t x[P256_LEN]; /* Little endian order */
+    uint8_t y[P256_LEN]; /* Little endian order */
+    unsigned len;        /* P192_LEN or P256_LEN */
+} ecc_point_t;
+
+int __wrap_esp_ecc_point_multiply(const ecc_point_t *point, const uint8_t *scalar, ecc_point_t *result, bool verify_first)
+{
+    esp_crypto_ecc_lock_acquire();
+    esp_err_t err = esp_tee_service_call(5, SS_ESP_ECC_POINT_MULTIPLY, point, scalar, result, verify_first);
+    esp_crypto_ecc_lock_release();
+    return err;
+}
+
+int __wrap_esp_ecc_point_verify(const ecc_point_t *point)
+{
+    esp_crypto_ecc_lock_acquire();
+    esp_err_t err = esp_tee_service_call(2, SS_ESP_ECC_POINT_VERIFY, point);
+    esp_crypto_ecc_lock_release();
+    return err;
+}
+
 /* ---------------------------------------------- MMU HAL ------------------------------------------------- */
 
 void IRAM_ATTR __wrap_mmu_hal_map_region(uint32_t mmu_id, mmu_target_t mem_type, uint32_t vaddr, uint32_t paddr, uint32_t len, uint32_t *out_len)

components/esp_tee/subproject/main/core/esp_secure_services.c

@@ -29,6 +29,7 @@
 #include "esp_hmac.h"
 #include "esp_ds.h"
 #include "esp_crypto_periph_clk.h"
+#include "ecc_impl.h"
 
 #include "esp_tee.h"
 #include "esp_tee_memory_utils.h"
@@ -444,6 +445,26 @@ void _ss_esp_crypto_mpi_enable_periph_clk(bool enable)
     esp_crypto_mpi_enable_periph_clk(enable);
 }
 
+/* ---------------------------------------------- ECC ------------------------------------------------- */
+
+int _ss_esp_ecc_point_multiply(const ecc_point_t *point, const uint8_t *scalar, ecc_point_t *result, bool verify_first)
+{
+    bool valid_addr = (esp_tee_ptr_in_ree((void *)result)) &&
+                      esp_tee_ptr_in_ree((void *)((char *)result + sizeof(ecc_point_t)));
+
+    if (!valid_addr) {
+        return -1;
+    }
+    ESP_FAULT_ASSERT(valid_addr);
+
+    return esp_ecc_point_multiply(point, scalar, result, verify_first);
+}
+
+int _ss_esp_ecc_point_verify(const ecc_point_t *point)
+{
+    return esp_ecc_point_verify(point);
+}
+
 /* ---------------------------------------------- OTA ------------------------------------------------- */
 
 int _ss_esp_tee_ota_begin(void)

components/esp_tee/subproject/main/ld/esp32c6/esp_tee.ld.in

@@ -177,6 +177,7 @@ SECTIONS
  * | SHA       | text          | Flash  |
  * | HMAC      | text          | Flash  |
  * | DS        | text          | Flash  |
+ * | ECC       | text          | Flash  |
  * | BROWNOUT  | text          | Flash  |
  * | EFUSE     | text          | Flash  |
  * | LPTIMER   | text          | Flash  |
@@ -196,6 +197,7 @@ SECTIONS
     *libhal.a:sha_hal.c*(.literal .text .literal.* .text.*)
     *libhal.a:hmac_hal.c*(.literal .text .literal.* .text.*)
     *libhal.a:ds_hal.c*(.literal .text .literal.* .text.*)
+    *libhal.a:ecc_hal.c*(.literal .text .literal.* .text.*)
     *libhal.a:apm_hal.c*(.literal .text .literal.* .text.*)
     *libhal.a:brownout_hal.c*(.literal .text .literal.* .text.*)
     *libhal.a:spi_flash_hal.c*(.literal .text .literal.* .text.*)

components/esp_tee/subproject/main/soc/esp32c6/esp_tee_apm_prot_cfg.c

@@ -107,7 +107,7 @@ apm_ctrl_region_config_data_t hp_apm_pms_data[] = {
         .filter_enable   = 1,
     },
     /* Region 6/7: Peripherals [H/W Lock - HMAC] (RW) */
-    /* Protected: AES, SHA, DS, HMAC */
+    /* Protected: AES, SHA, ECC, DS, HMAC */
     {
         .regn_num = 6,
         .regn_start_addr = DR_REG_ATOMIC_BASE,
@@ -118,12 +118,12 @@ apm_ctrl_region_config_data_t hp_apm_pms_data[] = {
     {
         .regn_num = 7,
         .regn_start_addr = DR_REG_RSA_BASE,
-        .regn_end_addr   = (DR_REG_DS_BASE - 0x4),
+        .regn_end_addr   = (DR_REG_ECC_MULT_BASE - 0x4),
         .regn_pms        = 0x6,
         .filter_enable   = 1,
     },
-    /* Region 8/9/10: Peripherals [DS - TEE Controller & APM] (RW) */
-    /* Protected: AES, SHA, DS, HMAC PCR, APM, TEE Controller */
+    /* Region 8/9/10: Peripherals [IO_MUX - TEE Controller & APM] (RW) */
+    /* Protected: AES, SHA, ECC, DS and HMAC PCRs, APM, TEE Controller */
     {
         .regn_num = 8,
         .regn_start_addr = DR_REG_IO_MUX_BASE,
@@ -134,7 +134,7 @@ apm_ctrl_region_config_data_t hp_apm_pms_data[] = {
     {
         .regn_num = 9,
         .regn_start_addr = PCR_RSA_CONF_REG,
-        .regn_end_addr   = (PCR_DS_CONF_REG - 0x4),
+        .regn_end_addr   = (PCR_ECC_CONF_REG - 0x4),
         .regn_pms        = 0x6,
         .filter_enable   = 1,
     },

components/esp_tee/subproject/main/soc/esp32c6/esp_tee_secure_sys_cfg.c

@@ -16,6 +16,7 @@
 #include "hal/sha_ll.h"
 #include "hal/hmac_ll.h"
 #include "hal/ds_ll.h"
+#include "hal/ecc_ll.h"
 
 #include "esp_tee.h"
 #include "esp_tee_intr.h"
@@ -95,12 +96,14 @@ void esp_tee_soc_secure_sys_init(void)
     esp_tee_protect_intr_src(ETS_EFUSE_INTR_SOURCE);        // eFuse
     esp_tee_protect_intr_src(ETS_AES_INTR_SOURCE);          // AES
     esp_tee_protect_intr_src(ETS_SHA_INTR_SOURCE);          // SHA
+    esp_tee_protect_intr_src(ETS_ECC_INTR_SOURCE);          // ECC
 
     /* Disable protected crypto peripheral clocks; they will be toggled as needed when the peripheral is in use */
     aes_ll_enable_bus_clock(false);
     sha_ll_enable_bus_clock(false);
     hmac_ll_enable_bus_clock(false);
     ds_ll_enable_bus_clock(false);
+    ecc_ll_enable_bus_clock(false);
 }
 
 IRAM_ATTR inline void esp_tee_switch_to_ree(uint32_t ree_entry_addr)

components/esp_tee/test_apps/tee_test_fw/main/CMakeLists.txt

@@ -32,6 +32,10 @@ list(APPEND srcs "${mbedtls_test_srcs_dir}/test_mbedtls_sha.c"
 
 # Mixed
 list(APPEND srcs "${mbedtls_test_srcs_dir}/test_aes_sha_parallel.c")
+
+# ECC
+list(APPEND srcs "${mbedtls_test_srcs_dir}/test_ecp.c")
+
 # Utility
 list(APPEND srcs "${mbedtls_test_srcs_dir}/test_apb_dport_access.c"
                  "${mbedtls_test_srcs_dir}/test_mbedtls_utils.c")

components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_att.c

@@ -256,7 +256,6 @@ TEST_CASE("Test TEE Attestation - Generate and verify the EAT", "[attestation]")
     uint8_t *token_buf = heap_caps_calloc(ESP_ATT_TK_BUF_SIZE, sizeof(uint8_t), MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
     TEST_ASSERT_NOT_NULL(token_buf);
 
-    ESP_LOGI(TAG, "Generating EAT for all active firmwares (Bootloader, TEE and non-secure app)...");
     // Generating the attestation token
     uint32_t token_len = 0;
     TEST_ESP_OK(esp_tee_att_generate_token(0xA1B2C3D4, 0x0FACADE0, (const char *)ESP_ATT_TK_PSA_CERT_REF,
@@ -275,7 +274,6 @@ TEST_CASE("Test TEE Attestation - Generate and verify the EAT", "[attestation]")
     esp_tee_sec_storage_sign_t sign_ctx = {};
     fetch_signature((const char *)token_buf, &sign_ctx);
 
-    ESP_LOGI(TAG, "Verifying the generated EAT...");
     // Verifying the generated token
     TEST_ASSERT_EQUAL(0, verify_ecdsa_sign(digest, sizeof(digest), &pubkey_ctx, &sign_ctx, false));
     free(token_buf);

components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_panic.c

@@ -63,7 +63,8 @@ TEST_CASE("Test APM violation interrupt: AES", "[apm_violation]")
 TEST_CASE("Test APM violation interrupt: HMAC", "[apm_violation]")
 {
     uint32_t val = UINT32_MAX;
-    REG_WRITE(HMAC_SET_PARA_KEY_REG, val);
+    val = REG_READ(HMAC_SET_PARA_KEY_REG);
+    TEST_ASSERT_EQUAL(0, val);
     TEST_FAIL_MESSAGE("APM violation interrupt should have been generated");
 }
 
@@ -77,16 +78,15 @@ TEST_CASE("Test APM violation interrupt: DS", "[apm_violation]")
 
 TEST_CASE("Test APM violation interrupt: SHA PCR", "[apm_violation]")
 {
-    uint32_t val = UINT32_MAX;
-    val = REG_READ(PCR_SHA_CONF_REG);
-    TEST_ASSERT_EQUAL(0, val);
+    uint32_t val = 0;
+    REG_WRITE(PCR_SHA_CONF_REG, val);
     TEST_FAIL_MESSAGE("APM violation interrupt should have been generated");
 }
 
-TEST_CASE("Test APM violation interrupt: DS PCR", "[apm_violation]")
+TEST_CASE("Test APM violation interrupt: ECC PCR", "[apm_violation]")
 {
-    uint32_t val = UINT32_MAX;
-    REG_WRITE(PCR_DS_CONF_REG, val);
+    uint32_t val = 0;
+    REG_WRITE(PCR_ECC_CONF_REG, val);
     TEST_FAIL_MESSAGE("APM violation interrupt should have been generated");
 }