Merge branch 'fix/esp_tee_aes_sha_prot' into 'master'

fix(esp_tee): Protect the AES/SHA clock registers from REE access

Closes IDF-8954 and IDF-7188

See merge request espressif/esp-idf!36783

Author: mahavirj

components/esp_system/port/soc/esp32c6/clk.c

@@ -291,8 +291,11 @@ __attribute__((weak)) void esp_perip_clk_init(void)
         periph_ll_disable_clk_set_rst(PERIPH_ASSIST_DEBUG_MODULE);
 #endif
         periph_ll_disable_clk_set_rst(PERIPH_RSA_MODULE);
+#if !CONFIG_SECURE_ENABLE_TEE
+        // NOTE: [ESP-TEE] The TEE is responsible for the AES and SHA peripherals
         periph_ll_disable_clk_set_rst(PERIPH_AES_MODULE);
         periph_ll_disable_clk_set_rst(PERIPH_SHA_MODULE);
+#endif
         periph_ll_disable_clk_set_rst(PERIPH_ECC_MODULE);
         periph_ll_disable_clk_set_rst(PERIPH_HMAC_MODULE);
         periph_ll_disable_clk_set_rst(PERIPH_DS_MODULE);

components/esp_tee/include/esp_tee.h

@@ -43,9 +43,8 @@ typedef struct {
     uint32_t magic_word;
     uint32_t api_major_version;
     uint32_t api_minor_version;
-    uint32_t reserved[2];
+    uint32_t reserved[3];
     /* TEE-related fields */
-    void *s_entry_addr;
     void *s_int_handler;
     /* REE-related fields */
     void *ns_entry_addr;
@@ -85,14 +84,12 @@ uint32_t esp_tee_service_call_with_noniram_intr_disabled(int argc, ...);
 
 #if !(__DOXYGEN__)
 /* Offsets of some values in esp_tee_config_t that are used by assembly code */
-#define ESP_TEE_CFG_OFFS_S_ENTRY_ADDR      0x14
 #define ESP_TEE_CFG_OFFS_S_INTR_HANDLER    0x18
 #define ESP_TEE_CFG_OFFS_NS_ENTRY_ADDR     0x1C
 #define ESP_TEE_CFG_OFFS_NS_INTR_HANDLER   0x20
 
 #if !defined(__ASSEMBLER__)
 /* Check the offsets are correct using the C compiler */
-ESP_STATIC_ASSERT(offsetof(esp_tee_config_t, s_entry_addr) == ESP_TEE_CFG_OFFS_S_ENTRY_ADDR, "offset macro is wrong");
 ESP_STATIC_ASSERT(offsetof(esp_tee_config_t, s_int_handler) == ESP_TEE_CFG_OFFS_S_INTR_HANDLER, "offset macro is wrong");
 ESP_STATIC_ASSERT(offsetof(esp_tee_config_t, ns_entry_addr) == ESP_TEE_CFG_OFFS_NS_ENTRY_ADDR, "offset macro is wrong");
 ESP_STATIC_ASSERT(offsetof(esp_tee_config_t, ns_int_handler) == ESP_TEE_CFG_OFFS_NS_INTR_HANDLER, "offset macro is wrong");

components/esp_tee/scripts/esp32c6/sec_srv_tbl_default.yml

@@ -208,6 +208,10 @@ secure_services:
         type: IDF
         function: esp_sha_write_digest_state
         args: 2
+      - id: 132
+        type: IDF
+        function: esp_sha_enable_periph_clk
+        args: 1
   # ID: 134-149 (16) - eFuse
   - family: efuse
     entries:

components/esp_tee/src/esp_secure_service_wrapper.c

@@ -228,6 +228,11 @@ void __wrap_esp_sha_write_digest_state(esp_sha_type sha_type, void *digest_state
     esp_tee_service_call(3, SS_ESP_SHA_WRITE_DIGEST_STATE, sha_type, digest_state);
 }
 
+void __wrap_esp_sha_enable_periph_clk(bool enable)
+{
+    esp_tee_service_call(2, SS_ESP_SHA_ENABLE_PERIPH_CLK, enable);
+}
+
 /* ---------------------------------------------- MMU HAL ------------------------------------------------- */
 
 void IRAM_ATTR __wrap_mmu_hal_map_region(uint32_t mmu_id, mmu_target_t mem_type, uint32_t vaddr, uint32_t paddr, uint32_t len, uint32_t *out_len)

components/esp_tee/src/esp_tee_config.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2021-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -25,9 +25,9 @@ esp_tee_config_t esp_tee_app_config __attribute__((section(".esp_tee_app_cfg")))
     .api_major_version = ESP_TEE_API_MAJOR_VER,
     .api_minor_version = ESP_TEE_API_MINOR_VER,
 
-    /* .s_entry_addr and .s_intr_handler are NULL in the
-       app binary, but will be written by the TEE before it loads the binary
-    */
+    /* s_intr_handler is NULL in the REE image, but will be written by
+     * the TEE before it loads the binary
+     */
 
     .ns_int_handler = &_tee_interrupt_handler,
     .ns_entry_addr = &_u2m_switch,

components/esp_tee/subproject/main/CMakeLists.txt

@@ -20,8 +20,7 @@ set(srcs "core/esp_tee_init.c"
 
 # Arch specific implementation for TEE
 list(APPEND srcs "arch/${arch}/esp_tee_vectors.S"
-                 "arch/${arch}/esp_tee_vector_table.S"
-                 "arch/${arch}/esp_tee_secure_entry.S")
+                 "arch/${arch}/esp_tee_vector_table.S")
 
 # SoC specific implementation for TEE
 list(APPEND srcs "soc/${target}/esp_tee_secure_sys_cfg.c"
@@ -78,7 +77,9 @@ list(APPEND srcs "common/esp_app_desc_tee.c")
 idf_component_register(SRCS ${srcs}
                        INCLUDE_DIRS ${include})
 
-set_source_files_properties("core/esp_secure_services.c" PROPERTIES COMPILE_FLAGS -Wno-deprecated)
+# TODO: Currently only -Og optimization level works correctly at runtime
+set_source_files_properties("core/esp_secure_dispatcher.c" PROPERTIES COMPILE_FLAGS "-Og")
+
 include(${CMAKE_CURRENT_LIST_DIR}/ld/esp_tee_ld.cmake)
 
 # esp_app_desc_t configuration structure for TEE: Linking symbol and trimming project version and name

components/esp_tee/subproject/main/arch/riscv/esp_tee_secure_entry.S

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -12,6 +12,7 @@
 
 #include "riscv/encoding.h"
 #include "riscv/rvruntime-frames.h"
+#include "esp_private/vectors_const.h"
 
 #include "esp_tee.h"
 #include "sdkconfig.h"
@@ -25,9 +26,12 @@
     .equ ECALL_U_MODE, 0x8
     .equ ECALL_M_MODE, 0xb
     .equ TEE_APM_INTR_MASK_0, 0x00300000
-    .equ TEE_APM_INTR_MASK_1, 0x000000F8
+    .equ TEE_APM_INTR_MASK_1, 0x000000f8
+    .equ TEE_INTR_DELEG_MASK, 0xffffbfff
 
     .global esp_tee_global_interrupt_handler
+    .global   esp_tee_service_dispatcher
+
 
     .section .data
     .align 4
@@ -177,15 +181,18 @@ _panic_handler:
     addi    sp, sp, -16
     sw      t0, 0(sp)
 
-    /* Check whether the exception is an M-mode ecall */
+    /* Read mcause */
     csrr    t0, mcause
-    xori    t0, t0, ECALL_M_MODE
-    beqz    t0, _machine_ecall
+    li      t1, VECTORS_MCAUSE_INTBIT_MASK | VECTORS_MCAUSE_REASON_MASK
+    and     t0, t0, t1
+
+    /* Check whether the exception is an M-mode ecall */
+    li      t1, ECALL_M_MODE
+    beq     t0, t1, _machine_ecall
 
     /* Check whether the exception is an U-mode ecall */
-    csrr    t0, mcause
-    xori    t0, t0, ECALL_U_MODE
-    beqz    t0, _user_ecall
+    li      t1, ECALL_U_MODE
+    beq     t0, t1, _user_ecall
 
     /* Restore t0 from the stack */
     lw      t0, 0(sp)
@@ -250,6 +257,10 @@ _return_from_exception:
 _ecall_handler:
     /* M-mode ecall handler */
 _machine_ecall:
+    /* Set the privilege mode to transition to after mret to U-mode  */
+    li      t0, MSTATUS_MPP
+    csrc    mstatus, t0
+
     /* Check whether this is the first M-mode ecall (see esp_tee_init) and skip context restoration */
     lui     t0, ESP_TEE_M2U_SWITCH_MAGIC
     beq     a1, t0, _skip_ctx_restore
@@ -267,15 +278,10 @@ _machine_ecall:
     restore_general_regs RV_STK_FRMSZ
     csrrw   a0, mscratch, zero
 
-    /* This point is reached only after the first M-mode ecall, never again (see esp_tee_init) */
 _skip_ctx_restore:
     /* Copy the ra register to mepc which contains the user app entry point (i.e. call_start_cpu0) */
     csrw    mepc, ra
 
-    /* Set the privilege mode to transition to after mret to U-mode  */
-    li      t3, MSTATUS_MPP
-    csrc    mstatus, t3
-
     /* Jump to the REE */
     mret
 
@@ -291,28 +297,34 @@ _user_ecall:
     lw      t0, 0(sp)
     addi    sp, sp, 16
 
-    /* This point is reached after a secure service call is issued from the REE */
-    /* Save register context and the mepc */
+    /* This point is reached when a secure service call is issued from the REE */
+    /* Save register context and mepc */
     save_general_regs RV_STK_FRMSZ
     save_mepc
 
-    /* Saving the U-mode (i.e. REE) stack pointer */
+    /* Save the U-mode (i.e. REE) stack pointer */
     la      t0, _ns_sp
     sw      sp, 0(t0)
 
-    /* Switching to the M-mode (i.e. TEE) stack */
+    /* Switch to the M-mode (i.e. TEE) stack */
     la      sp, _tee_stack
 
-    /* Load the TEE entry point (see sec_world_entry) in the mepc */
-    la      t2, esp_tee_app_config
-    lw      t2, ESP_TEE_CFG_OFFS_S_ENTRY_ADDR(t2)
-    csrw    mepc, t2
+    /* Disable the U-mode delegation of all interrupts */
+    csrwi   mideleg, 0
 
-    /* Set the privilege mode to transition to after mret to M-mode  */
-    li      t3, MSTATUS_MPP
-    csrs    mstatus, t3
+    /* Enable interrupts */
+    csrsi   mstatus, MSTATUS_MIE
 
-    mret
+    /* Jump to the secure service dispatcher */
+    jal     esp_tee_service_dispatcher
+
+    /* Enable the U-mode delegation of all interrupts (except the TEE secure interrupt) */
+    li      t0, TEE_INTR_DELEG_MASK
+    csrs    mideleg, t0
+
+    /* Fire an M-ecall */
+    mv      a1, zero
+    ecall
 
     /* This point is reached after servicing a U-mode interrupt occurred
      * while executing a secure service */
@@ -333,7 +345,7 @@ _rtn_from_ns_int:
 
     /* Restore register context and resume the secure service */
     restore_mepc
-    restore_general_regs
+    restore_general_regs RV_STK_FRMSZ
 
     mret
 
@@ -347,7 +359,7 @@ _rtn_from_ns_int:
 _tee_ns_intr_handler:
     /* Start by saving the general purpose registers and the PC value before
      * the interrupt happened. */
-    save_general_regs
+    save_general_regs RV_STK_FRMSZ
     save_mepc
 
     /* Though it is not necessary we save GP and SP here.
@@ -357,7 +369,7 @@ _tee_ns_intr_handler:
     /* As gp register is not saved by the macro, save it here */
     sw      gp, RV_STK_GP(sp)
     /* Same goes for the SP value before trapping */
-    addi    t0, sp, CONTEXT_SIZE /* restore sp with the value when interrupt happened */
+    addi    t0, sp, RV_STK_FRMSZ /* restore sp with the value when interrupt happened */
     /* Save SP */
     sw      t0, RV_STK_SP(sp)
 
@@ -395,8 +407,8 @@ _tee_ns_intr_handler:
     csrw    mscratch, t0
 
     /* Enable the U-mode interrupt delegation (except for the TEE secure interrupt) */
-    li      t0, 0xffffbfff
-    csrw    mideleg, t0
+    li      t0, TEE_INTR_DELEG_MASK
+    csrs    mideleg, t0
 
     /* Place magic bytes in all the general registers */
     store_magic_general_regs
@@ -413,7 +425,7 @@ _tee_ns_intr_handler:
 _tee_s_intr_handler:
     /* Start by saving the general purpose registers and the PC value before
      * the interrupt happened. */
-    save_general_regs
+    save_general_regs RV_STK_FRMSZ
     save_mepc
 
     /* Though it is not necessary we save GP and SP here.
@@ -423,7 +435,7 @@ _tee_s_intr_handler:
     /* As gp register is not saved by the macro, save it here */
     sw      gp, RV_STK_GP(sp)
     /* Same goes for the SP value before trapping */
-    addi    t0, sp, CONTEXT_SIZE /* restore sp with the value when interrupt happened */
+    addi    t0, sp, RV_STK_FRMSZ /* restore sp with the value when interrupt happened */
     /* Save SP */
     sw      t0, RV_STK_SP(sp)
 
@@ -457,7 +469,7 @@ _save_reg_ctx:
 _continue:
     /* Before doing anything preserve the stack pointer */
     mv      s11, sp
-    /* Switching to the TEE interrupt stack */
+    /* Switch to the TEE interrupt stack */
     la      sp, _tee_intr_stack
     /* If this is a non-nested interrupt, SP now points to the interrupt stack */
 
@@ -527,7 +539,7 @@ _intr_hdlr_exec:
     mv      sp, s11
 
     restore_mepc
-    restore_general_regs
+    restore_general_regs RV_STK_FRMSZ
     /* exit, this will also re-enable the interrupts */
     mret