espressif
diff --git a/‎components/esp_hw_support/include/esp_cpu.h‎
Lines changed: 7 additions & 3 deletions b/‎components/esp_hw_support/include/esp_cpu.h‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎components/esp_tee/CMakeLists.txt‎
Lines changed: 26 additions & 45 deletions b/‎components/esp_tee/CMakeLists.txt‎
Lines changed: 26 additions & 45 deletions
diff --git a/‎components/esp_tee/Kconfig.projbuild‎
Lines changed: 42 additions & 30 deletions b/‎components/esp_tee/Kconfig.projbuild‎
Lines changed: 42 additions & 30 deletions
diff --git a/‎components/esp_tee/scripts/esp32c6/secure_service.tbl‎
Lines changed: 54 additions & 44 deletions b/‎components/esp_tee/scripts/esp32c6/secure_service.tbl‎
Lines changed: 54 additions & 44 deletions
diff --git a/‎components/esp_tee/scripts/secure_service_hdr.py‎
Lines changed: 0 additions & 76 deletions b/‎components/esp_tee/scripts/secure_service_hdr.py‎
Lines changed: 0 additions & 76 deletions
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2020-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -22,6 +22,10 @@
 #include "esp_err.h"
 #include "esp_attr.h"
 
+#if CONFIG_SECURE_ENABLE_TEE && !NON_OS_BUILD
+#include "secure_service_num.h"
+#endif
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -452,9 +456,9 @@ FORCE_INLINE_ATTR void esp_cpu_intr_edge_ack(int intr_num)
 #ifdef __XTENSA__
     xthal_set_intclear((unsigned) (1 << intr_num));
 #else
-#if CONFIG_SECURE_ENABLE_TEE && !ESP_TEE_BUILD
+#if CONFIG_SECURE_ENABLE_TEE && !NON_OS_BUILD
     extern esprv_int_mgmt_t esp_tee_intr_sec_srv_cb;
-    esp_tee_intr_sec_srv_cb(2, TEE_INTR_EDGE_ACK_SRV_ID, intr_num);
+    esp_tee_intr_sec_srv_cb(2, SS_RV_UTILS_INTR_EDGE_ACK, intr_num);
 #else
     rv_utils_intr_edge_ack((unsigned) intr_num);
 #endif
 
@@ -82,57 +82,38 @@ else()
     endif()
 endif()
 
-set(secure_service_hdr_py
-    ${COMPONENT_DIR}/scripts/secure_service_hdr.py ${CMAKE_CURRENT_BINARY_DIR}/secure_service.tbl
-    )
-
-set(secure_service_tbl_py
-    ${COMPONENT_DIR}/scripts/secure_service_tbl.py ${CMAKE_CURRENT_BINARY_DIR}/secure_service.tbl
-    )
-
-set(secure_service_wrap_py
-    ${COMPONENT_DIR}/scripts/secure_service_wrap.py ${CMAKE_CURRENT_BINARY_DIR}/secure_service.tbl
+set(secure_service_tbl_parser_py
+    ${COMPONENT_DIR}/scripts/secure_service_tbl_parser.py ${CMAKE_CURRENT_BINARY_DIR}/secure_service.tbl
+)
+
+set(secure_service_gen_headers
+    ${CONFIG_DIR}/secure_service_num.h ${CONFIG_DIR}/secure_service_dec.h
+    ${CONFIG_DIR}/secure_service_int.h ${CONFIG_DIR}/secure_service_ext.h
+)
+
+if(CONFIG_SECURE_ENABLE_TEE AND NOT esp_tee_build)
+    execute_process(
+        COMMAND cat ${COMPONENT_DIR}/scripts/${target}/secure_service.tbl ${custom_secure_service_tbl}
+        OUTPUT_FILE secure_service.tbl
+        WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
     )
 
-set(secure_service_num_h
-    ${CONFIG_DIR}/secure_service_num.h
+    execute_process(
+        COMMAND python ${secure_service_tbl_parser_py} ${secure_service_gen_headers}
+        WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
     )
-set(secure_service_dec_h
-    ${CONFIG_DIR}/secure_service_dec.h)
 
-set(secure_service_h
-    ${CONFIG_DIR}/secure_service.h
+    set_property(DIRECTORY ${COMPONENT_DIR} APPEND PROPERTY
+        ADDITIONAL_MAKE_CLEAN_FILES ${secure_service_gen_headers}
     )
 
-if(CONFIG_SECURE_ENABLE_TEE)
-    execute_process(COMMAND cat ${COMPONENT_DIR}/scripts/${target}/secure_service.tbl ${custom_secure_service_tbl}
-        OUTPUT_FILE secure_service.tbl
+    execute_process(
+        COMMAND python ${secure_service_tbl_parser_py} "--wrap"
+        OUTPUT_VARIABLE wrap_list
         WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
-        )
-
-    execute_process(COMMAND python ${secure_service_hdr_py} ${secure_service_num_h} ${secure_service_dec_h}
-        WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
-        )
-
-    execute_process(COMMAND python ${secure_service_tbl_py} ${secure_service_h}
-        WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
-        )
-
-    set_property(DIRECTORY "${COMPONENT_DIR}" APPEND PROPERTY
-        ADDITIONAL_MAKE_CLEAN_FILES ${secure_service_num_h} ${secure_service_dec_h} ${secure_service_h})
-
-    # For TEE implementation, we don't wrap the APIs since the TEE would also internally use the same API and
-    # it shouldn't route to secure service API.
-    # Instead of wrapping, we append _ss_* to the API name and then it must be defined in esp_secure_services.c
-    if(NOT esp_tee_build)
-        execute_process(COMMAND python ${secure_service_wrap_py}
-            OUTPUT_VARIABLE wrap_list
-            WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
-            OUTPUT_STRIP_TRAILING_WHITESPACE
-            )
-
-        string(STRIP ${wrap_list} wrap_list)
+        OUTPUT_STRIP_TRAILING_WHITESPACE
+    )
 
-        target_link_libraries(${COMPONENT_LIB} INTERFACE "${wrap_list}")
-    endif()
+    string(STRIP "${wrap_list}" wrap_list)
+    target_link_libraries(${COMPONENT_LIB} INTERFACE "${wrap_list}")
 endif()
@@ -59,44 +59,56 @@ menu "ESP-TEE (Trusted Execution Environment)"
 
     endmenu
 
-    choice SECURE_TEE_SEC_STG_MODE
-        prompt "Secure Storage: Mode"
+    menu "Secure Services"
         depends on SECURE_ENABLE_TEE
-        default SECURE_TEE_SEC_STG_MODE_DEVELOPMENT
-        help
-            Select the TEE secure storage mode
 
-        config SECURE_TEE_SEC_STG_MODE_DEVELOPMENT
-            bool "Development"
+        choice SECURE_TEE_SEC_STG_MODE
+            prompt "Secure Storage: Mode"
+            depends on SECURE_ENABLE_TEE
+            default SECURE_TEE_SEC_STG_MODE_DEVELOPMENT
+            help
+                Select the TEE secure storage mode
+
+            config SECURE_TEE_SEC_STG_MODE_DEVELOPMENT
+                bool "Development"
+                help
+                    Secure storage will be encrypted by the data stored in eFuse BLK2
+
+            config SECURE_TEE_SEC_STG_MODE_RELEASE
+                depends on IDF_TARGET_ESP32C6
+                bool "Release"
+                help
+                    Secure storage will be encrypted by the data stored in eFuse block
+                    configured through the SECURE_TEE_SEC_STG_KEY_EFUSE_BLK option
+
+        endchoice
+
+        config SECURE_TEE_SEC_STG_KEY_EFUSE_BLK
+            int "Secure Storage: Encryption key eFuse block"
+            depends on SECURE_TEE_SEC_STG_MODE_RELEASE
+            range 4 10
+            default 10
             help
-                Secure storage will be encrypted by the data stored in eFuse BLK2
+                eFuse block ID storing the TEE secure storage encryption key
 
-        config SECURE_TEE_SEC_STG_MODE_RELEASE
-            depends on IDF_TARGET_ESP32C6
-            bool "Release"
+        config SECURE_TEE_ATTESTATION
+            bool "Enable Attestation"
+            default y
             help
-                Secure storage will be encrypted by the data stored in eFuse block
-                configured through the SECURE_TEE_SEC_STG_KEY_EFUSE_BLK option
+                This configuration enables the support for the Attestation service.
 
-    endchoice
 
-    config SECURE_TEE_SEC_STG_KEY_EFUSE_BLK
-        int "Secure Storage: Encryption key eFuse block"
-        depends on SECURE_TEE_SEC_STG_MODE_RELEASE
-        range 4 10
-        default 10
-        help
-            eFuse block ID storing the TEE secure storage encryption key
+        config SECURE_TEE_ATT_KEY_SLOT_ID
+            depends on SECURE_TEE_ATTESTATION
+            int "Attestation: Secure Storage slot ID for EAT signing"
+            default 0
+            range 0 14
+            help
+                This configuration sets the slot ID from the TEE secure storage
+                storing the ECDSA keypair for executing sign/verify operations
+                from the TEE side for attestation.
 
-    config SECURE_TEE_ATT_KEY_SLOT_ID
-        depends on SECURE_ENABLE_TEE
-        int "Attestation: Secure Storage slot ID for EAT signing"
-        default 0
-        range 0 14
-        help
-            This configuration sets the slot ID from the TEE secure storage
-            storing the ECDSA keypair for executing sign/verify operations
-            from the TEE side (E.g. Attestation)
+    endmenu
 
     config SECURE_TEE_DEBUG_MODE
         bool "Enable Debug Mode"
 
@@ -1,46 +1,56 @@
 # SS no.    API type    Function                                      Args
 0           custom      invalid_secure_service                        0
-1           IDF         esp_rom_route_intr_matrix                     3
-2           IDF         rv_utils_intr_enable                          1
-3           IDF         rv_utils_intr_disable                         1
-4           IDF         rv_utils_intr_set_priority                    2
-5           IDF         rv_utils_intr_set_type                        2
-6           IDF         rv_utils_intr_set_threshold                   1
-7           IDF         rv_utils_intr_edge_ack                        1
-8           IDF         rv_utils_intr_global_enable                   0
-9           IDF         efuse_hal_chip_revision                       0
-10          IDF         efuse_hal_get_chip_ver_pkg                    1
-11          IDF         efuse_hal_get_disable_wafer_version_major     0
-12          IDF         efuse_hal_get_mac                             1
-13          IDF         esp_efuse_check_secure_version                1
-14          IDF         esp_efuse_read_field_blob                     3
-15          IDF         esp_flash_encryption_enabled                  0
-16          IDF         wdt_hal_init                                  4
-17          IDF         wdt_hal_deinit                                1
-18          IDF         esp_aes_intr_alloc                            0
-19          IDF         esp_aes_crypt_cbc                             6
-20          IDF         esp_aes_crypt_cfb8                            6
-21          IDF         esp_aes_crypt_cfb128                          7
-22          IDF         esp_aes_crypt_ctr                             7
-23          IDF         esp_aes_crypt_ecb                             4
-24          IDF         esp_aes_crypt_ofb                             6
-25          IDF         esp_sha                                       4
-26          IDF         esp_sha_dma                                   6
-27          IDF         esp_sha_read_digest_state                     2
-28          IDF         esp_sha_write_digest_state                    2
-29          IDF         mmu_hal_map_region                            6
-30          IDF         mmu_hal_unmap_region                          3
-31          IDF         mmu_hal_vaddr_to_paddr                        4
-32          IDF         mmu_hal_paddr_to_vaddr                        5
-33          custom      esp_tee_ota_begin                             0
-34          custom      esp_tee_ota_write                             3
-35          custom      esp_tee_ota_end                               0
-36          custom      esp_tee_sec_storage_init                      0
-37          custom      esp_tee_sec_storage_gen_key                   1
-38          custom      esp_tee_sec_storage_get_signature             4
-39          custom      esp_tee_sec_storage_get_pubkey                2
-40          custom      esp_tee_sec_storage_encrypt                   8
-41          custom      esp_tee_sec_storage_decrypt                   8
-42          custom      esp_tee_sec_storage_is_slot_empty             1
-43          custom      esp_tee_sec_storage_clear_slot                1
-44          custom      esp_tee_att_generate_token                    6
+# ID: 1-47 (47) - External memory (Flash) protection
+1           IDF         mmu_hal_map_region                            6
+2           IDF         mmu_hal_unmap_region                          3
+3           IDF         mmu_hal_vaddr_to_paddr                        4
+4           IDF         mmu_hal_paddr_to_vaddr                        5
+# Services before the ID 48 will be placed in the internal memory table,
+# while the rest will be placed in the external memory table.
+# ID: 48-71 (24) - Interrupt Handling
+48          IDF         esp_rom_route_intr_matrix                     3
+49          IDF         rv_utils_intr_enable                          1
+50          IDF         rv_utils_intr_disable                         1
+51          IDF         rv_utils_intr_set_priority                    2
+52          IDF         rv_utils_intr_set_type                        2
+53          IDF         rv_utils_intr_set_threshold                   1
+54          IDF         rv_utils_intr_edge_ack                        1
+55          IDF         rv_utils_intr_global_enable                   0
+# ID: 72-119 (48) - HAL
+72          IDF         efuse_hal_chip_revision                       0
+73          IDF         efuse_hal_get_chip_ver_pkg                    1
+74          IDF         efuse_hal_get_disable_wafer_version_major     0
+75          IDF         efuse_hal_get_mac                             1
+76          IDF         wdt_hal_init                                  4
+77          IDF         wdt_hal_deinit                                1
+# ID: 120-167 (48) - Crypto
+120         IDF         esp_aes_intr_alloc                            0
+121         IDF         esp_aes_crypt_cbc                             6
+122         IDF         esp_aes_crypt_cfb8                            6
+123         IDF         esp_aes_crypt_cfb128                          7
+124         IDF         esp_aes_crypt_ctr                             7
+125         IDF         esp_aes_crypt_ecb                             4
+126         IDF         esp_aes_crypt_ofb                             6
+127         IDF         esp_sha                                       4
+128         IDF         esp_sha_dma                                   6
+129         IDF         esp_sha_read_digest_state                     2
+130         IDF         esp_sha_write_digest_state                    2
+# ID: 168-183 (16) - eFuse
+168         IDF         esp_efuse_check_secure_version                1
+169         IDF         esp_efuse_read_field_blob                     3
+170         IDF         esp_flash_encryption_enabled                  0
+# ID: 184-249 (66) - Reserved for future use
+# ID: 270-293 (24) - Secure Storage
+270         custom      esp_tee_sec_storage_init                      0
+271         custom      esp_tee_sec_storage_gen_key                   2
+272         custom      esp_tee_sec_storage_get_signature             4
+273         custom      esp_tee_sec_storage_get_pubkey                2
+274         custom      esp_tee_sec_storage_encrypt                   8
+275         custom      esp_tee_sec_storage_decrypt                   8
+276         custom      esp_tee_sec_storage_is_slot_empty             1
+277         custom      esp_tee_sec_storage_clear_slot                1
+# ID: 294-299 (6) - OTA
+294         custom      esp_tee_ota_begin                             0
+295         custom      esp_tee_ota_write                             3
+296         custom      esp_tee_ota_end                               0
+# ID: 300+ - User-defined