Merge branch 'feature/esp_tee_flash_prot_spi1' into 'master'

feat(esp_tee): Add support for flash memory isolation and protection (SPI1)

Closes IDF-10481, IDF-10083, and IDF-8915

See merge request espressif/esp-idf!36454

Author: mahavirj

components/bootloader_support/bootloader_flash/src/bootloader_flash.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -752,6 +752,15 @@ esp_err_t IRAM_ATTR bootloader_flash_unlock_default(void)
 
 esp_err_t __attribute__((weak, alias("bootloader_flash_unlock_default"))) bootloader_flash_unlock(void);
 
+
+#if CONFIG_SECURE_TEE_EXT_FLASH_MEMPROT_SPI1 && !NON_OS_BUILD
+extern uint32_t bootloader_flash_execute_command_common(
+    uint8_t command,
+    uint32_t addr_len, uint32_t address,
+    uint8_t dummy_len,
+    uint8_t mosi_len, uint32_t mosi_data,
+    uint8_t miso_len);
+#else
 IRAM_ATTR uint32_t bootloader_flash_execute_command_common(
     uint8_t command,
     uint32_t addr_len, uint32_t address,
@@ -804,6 +813,7 @@ IRAM_ATTR uint32_t bootloader_flash_execute_command_common(
     }
     return ret;
 }
+#endif
 
 uint32_t IRAM_ATTR bootloader_execute_flash_command(uint8_t command, uint32_t mosi_data, uint8_t mosi_len, uint8_t miso_len)
 {

components/esp_tee/CMakeLists.txt

@@ -1,5 +1,5 @@
 idf_build_get_property(esp_tee_build ESP_TEE_BUILD)
-idf_build_get_property(custom_secure_service_tbl CUSTOM_SECURE_SERVICE_TBL)
+idf_build_get_property(custom_secure_service_yaml CUSTOM_SECURE_SERVICE_YAML)
 idf_build_get_property(custom_secure_service_dir CUSTOM_SECURE_SERVICE_COMPONENT_DIR)
 idf_build_get_property(custom_secure_service_component CUSTOM_SECURE_SERVICE_COMPONENT)
 idf_build_get_property(target IDF_TARGET)
@@ -82,33 +82,37 @@ else()
     endif()
 endif()
 
-set(secure_service_tbl_parser_py
-    ${COMPONENT_DIR}/scripts/secure_service_tbl_parser.py ${CMAKE_CURRENT_BINARY_DIR}/secure_service.tbl
+set(secure_service_yml
+    ${COMPONENT_DIR}/scripts/${IDF_TARGET}/sec_srv_tbl_default.yml ${custom_secure_service_yaml}
 )
 
-set(secure_service_gen_headers
-    ${CONFIG_DIR}/secure_service_num.h ${CONFIG_DIR}/secure_service_dec.h
-    ${CONFIG_DIR}/secure_service_int.h ${CONFIG_DIR}/secure_service_ext.h
+set(secure_service_yml_parser_py
+    ${COMPONENT_DIR}/scripts/secure_service_yml_parser.py
 )
 
 if(CONFIG_SECURE_ENABLE_TEE AND NOT esp_tee_build)
-    execute_process(
-        COMMAND cat ${COMPONENT_DIR}/scripts/${target}/secure_service.tbl ${custom_secure_service_tbl}
-        OUTPUT_FILE secure_service.tbl
-        WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
-    )
+    # Default secure service API families: flash_protection_spi0, flash_protection_spi1,
+    # interrupt_handling, hal, crypto, efuse, secure_storage, ota, attestation
+    set(exclude_srv)
+    if(NOT CONFIG_SECURE_TEE_EXT_FLASH_MEMPROT_SPI1)
+        list(APPEND exclude_srv "flash_protection_spi1")
+    endif()
 
-    execute_process(
-        COMMAND python ${secure_service_tbl_parser_py} ${secure_service_gen_headers}
-        WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
-    )
+    if(NOT CONFIG_SECURE_TEE_ATTESTATION)
+        list(APPEND exclude_srv "attestation")
+    endif()
 
-    set_property(DIRECTORY ${COMPONENT_DIR} APPEND PROPERTY
-        ADDITIONAL_MAKE_CLEAN_FILES ${secure_service_gen_headers}
+    execute_process(
+        COMMAND python ${secure_service_yml_parser_py}
+        "--sec_srv" ${secure_service_yml}
+        "--exclude" ${exclude_srv}
+        WORKING_DIRECTORY ${CONFIG_DIR}
     )
 
     execute_process(
-        COMMAND python ${secure_service_tbl_parser_py} "--wrap"
+        COMMAND python ${secure_service_yml_parser_py}
+        "--sec_srv" ${secure_service_yml}
+        "--exclude" ${exclude_srv} "--wrap"
         OUTPUT_VARIABLE wrap_list
         WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
         OUTPUT_STRIP_TRAILING_WHITESPACE

components/esp_tee/Kconfig.projbuild

@@ -110,6 +110,35 @@ menu "ESP-TEE (Trusted Execution Environment)"
 
     endmenu
 
+    config SECURE_TEE_EXT_FLASH_MEMPROT_SPI1
+        bool "Memprot: Isolate TEE flash regions over SPI1"
+        depends on SECURE_ENABLE_TEE
+        default n
+        help
+            This configuration restricts access to TEE-reserved regions in external flash
+            by making them inaccessible to the REE via the SPI1 interface (physical addresses).
+
+            With this enabled, all SPI flash read, write, or erase operations over SPI1 will
+            be routed through service calls to the TEE, introducing additional performance
+            overhead.
+
+            When Flash Encryption (SECURE_FLASH_ENC_ENABLED) is enabled, the REE can still
+            access TEE-related flash partitions over SPI1, but read operations will return
+            encrypted data contents. This prevents attackers from inferring the TEE contents
+            with direct reads.
+
+            Additionally, with Secure Boot enabled (SECURE_BOOT_V2_ENABLED), any unauthorized
+            modifications to the TEE firmware will be detected during boot, causing signature
+            verification to fail. Thus, these options provide a level of protection suitable for
+            most applications. However, while the TEE firmware integrity is protected, other TEE
+            partitions (Secure Storage, TEE OTA data) can be manipulated through direct writes.
+
+            Enable this option only when complete isolation of all TEE flash regions is required,
+            even with the associated performance tradeoffs.
+
+            Note: All accesses to the TEE partitions over SPI0 (i.e. the MMU) are blocked
+            unconditionally.
+
     config SECURE_TEE_DEBUG_MODE
         bool "Enable Debug Mode"
         default y