refactor(esp_tee): Revised the secure service ID numbering scheme

laukik-hase · laukik-hase · commit c4eec756f38d · 2025-01-23T12:39:19.000+05:30
Also:
- Split the secure service table into two parts: one DRAM-resident and the
  other DROM-resident. The former holds the services invoked when the cache is
  disabled or suspended while the latter holds rest of the services.
diff --git a/components/esp_hw_support/include/esp_cpu.h b/components/esp_hw_support/include/esp_cpu.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2020-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -22,6 +22,10 @@
 #include "esp_err.h"
 #include "esp_attr.h"
 
+#if CONFIG_SECURE_ENABLE_TEE && !NON_OS_BUILD
+#include "secure_service_num.h"
+#endif
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -452,9 +456,9 @@ FORCE_INLINE_ATTR void esp_cpu_intr_edge_ack(int intr_num)
 #ifdef __XTENSA__
     xthal_set_intclear((unsigned) (1 << intr_num));
 #else
-#if CONFIG_SECURE_ENABLE_TEE && !ESP_TEE_BUILD
+#if CONFIG_SECURE_ENABLE_TEE && !NON_OS_BUILD
     extern esprv_int_mgmt_t esp_tee_intr_sec_srv_cb;
-    esp_tee_intr_sec_srv_cb(2, TEE_INTR_EDGE_ACK_SRV_ID, intr_num);
+    esp_tee_intr_sec_srv_cb(2, SS_RV_UTILS_INTR_EDGE_ACK, intr_num);
 #else
     rv_utils_intr_edge_ack((unsigned) intr_num);
 #endif
diff --git a/components/esp_tee/CMakeLists.txt b/components/esp_tee/CMakeLists.txt
@@ -88,7 +88,7 @@ set(secure_service_tbl_parser_py
 
 set(secure_service_gen_headers
     ${CONFIG_DIR}/secure_service_num.h ${CONFIG_DIR}/secure_service_dec.h
-    ${CONFIG_DIR}/secure_service.h
+    ${CONFIG_DIR}/secure_service_int.h ${CONFIG_DIR}/secure_service_ext.h
 )
 
 if(CONFIG_SECURE_ENABLE_TEE AND NOT esp_tee_build)
diff --git a/components/esp_tee/scripts/esp32c6/secure_service.tbl b/components/esp_tee/scripts/esp32c6/secure_service.tbl
@@ -1,45 +1,56 @@
 # SS no.    API type    Function                                      Args
 0           custom      invalid_secure_service                        0
-1           IDF         esp_rom_route_intr_matrix                     3
-2           IDF         rv_utils_intr_enable                          1
-3           IDF         rv_utils_intr_disable                         1
-4           IDF         rv_utils_intr_set_priority                    2
-5           IDF         rv_utils_intr_set_type                        2
-6           IDF         rv_utils_intr_set_threshold                   1
-7           IDF         rv_utils_intr_edge_ack                        1
-8           IDF         rv_utils_intr_global_enable                   0
-9           IDF         efuse_hal_chip_revision                       0
-10          IDF         efuse_hal_get_chip_ver_pkg                    1
-11          IDF         efuse_hal_get_disable_wafer_version_major     0
-12          IDF         efuse_hal_get_mac                             1
-13          IDF         esp_efuse_check_secure_version                1
-14          IDF         esp_efuse_read_field_blob                     3
-15          IDF         esp_flash_encryption_enabled                  0
-16          IDF         wdt_hal_init                                  4
-17          IDF         wdt_hal_deinit                                1
-18          IDF         esp_aes_intr_alloc                            0
-19          IDF         esp_aes_crypt_cbc                             6
-20          IDF         esp_aes_crypt_cfb8                            6
-21          IDF         esp_aes_crypt_cfb128                          7
-22          IDF         esp_aes_crypt_ctr                             7
-23          IDF         esp_aes_crypt_ecb                             4
-24          IDF         esp_aes_crypt_ofb                             6
-25          IDF         esp_sha                                       4
-26          IDF         esp_sha_dma                                   6
-27          IDF         esp_sha_read_digest_state                     2
-28          IDF         esp_sha_write_digest_state                    2
-29          IDF         mmu_hal_map_region                            6
-30          IDF         mmu_hal_unmap_region                          3
-31          IDF         mmu_hal_vaddr_to_paddr                        4
-32          IDF         mmu_hal_paddr_to_vaddr                        5
-33          custom      esp_tee_ota_begin                             0
-34          custom      esp_tee_ota_write                             3
-35          custom      esp_tee_ota_end                               0
-36          custom      esp_tee_sec_storage_init                      0
-37          custom      esp_tee_sec_storage_gen_key                   1
-38          custom      esp_tee_sec_storage_get_signature             4
-39          custom      esp_tee_sec_storage_get_pubkey                2
-40          custom      esp_tee_sec_storage_encrypt                   8
-41          custom      esp_tee_sec_storage_decrypt                   8
-42          custom      esp_tee_sec_storage_is_slot_empty             1
-43          custom      esp_tee_sec_storage_clear_slot                1
+# ID: 1-47 (47) - External memory (Flash) protection
+1           IDF         mmu_hal_map_region                            6
+2           IDF         mmu_hal_unmap_region                          3
+3           IDF         mmu_hal_vaddr_to_paddr                        4
+4           IDF         mmu_hal_paddr_to_vaddr                        5
+# Services before the ID 48 will be placed in the internal memory table,
+# while the rest will be placed in the external memory table.
+# ID: 48-71 (24) - Interrupt Handling
+48          IDF         esp_rom_route_intr_matrix                     3
+49          IDF         rv_utils_intr_enable                          1
+50          IDF         rv_utils_intr_disable                         1
+51          IDF         rv_utils_intr_set_priority                    2
+52          IDF         rv_utils_intr_set_type                        2
+53          IDF         rv_utils_intr_set_threshold                   1
+54          IDF         rv_utils_intr_edge_ack                        1
+55          IDF         rv_utils_intr_global_enable                   0
+# ID: 72-119 (48) - HAL
+72          IDF         efuse_hal_chip_revision                       0
+73          IDF         efuse_hal_get_chip_ver_pkg                    1
+74          IDF         efuse_hal_get_disable_wafer_version_major     0
+75          IDF         efuse_hal_get_mac                             1
+76          IDF         wdt_hal_init                                  4
+77          IDF         wdt_hal_deinit                                1
+# ID: 120-167 (48) - Crypto
+120         IDF         esp_aes_intr_alloc                            0
+121         IDF         esp_aes_crypt_cbc                             6
+122         IDF         esp_aes_crypt_cfb8                            6
+123         IDF         esp_aes_crypt_cfb128                          7
+124         IDF         esp_aes_crypt_ctr                             7
+125         IDF         esp_aes_crypt_ecb                             4
+126         IDF         esp_aes_crypt_ofb                             6
+127         IDF         esp_sha                                       4
+128         IDF         esp_sha_dma                                   6
+129         IDF         esp_sha_read_digest_state                     2
+130         IDF         esp_sha_write_digest_state                    2
+# ID: 168-183 (16) - eFuse
+168         IDF         esp_efuse_check_secure_version                1
+169         IDF         esp_efuse_read_field_blob                     3
+170         IDF         esp_flash_encryption_enabled                  0
+# ID: 184-249 (66) - Reserved for future use
+# ID: 270-293 (24) - Secure Storage
+270         custom      esp_tee_sec_storage_init                      0
+271         custom      esp_tee_sec_storage_gen_key                   2
+272         custom      esp_tee_sec_storage_get_signature             4
+273         custom      esp_tee_sec_storage_get_pubkey                2
+274         custom      esp_tee_sec_storage_encrypt                   8
+275         custom      esp_tee_sec_storage_decrypt                   8
+276         custom      esp_tee_sec_storage_is_slot_empty             1
+277         custom      esp_tee_sec_storage_clear_slot                1
+# ID: 294-299 (6) - OTA
+294         custom      esp_tee_ota_begin                             0
+295         custom      esp_tee_ota_write                             3
+296         custom      esp_tee_ota_end                               0
+# ID: 300+ - User-defined
diff --git a/components/esp_tee/scripts/secure_service_tbl_parser.py b/components/esp_tee/scripts/secure_service_tbl_parser.py
@@ -5,6 +5,8 @@
 from typing import List
 from typing import Tuple
 
+SEC_SRV_TABLE_SPLIT_ID = 48
+
 
 def parse_services(secure_service_tbl: str) -> List[Tuple[int, str, int]]:
     services, service_ids = [], set()
@@ -37,8 +39,9 @@ def generate_num_header(services: List[Tuple[int, str, int]], output_file: str)
     body = '\n'.join(f'#define SS_{name.upper()}\t{nr}' for nr, name, _ in services)
     footer = f'\n#define MAX_SECURE_SERVICES_ID\t{services[-1][0] + 1 if services else 0}\n'
     footer += f'#define SECURE_SERVICES_NUM\t{len(services)}\n\n'
+    footer += f'#define SECURE_SERVICES_SPLIT_ID\t{SEC_SRV_TABLE_SPLIT_ID}\n\n'
     footer += '''typedef void (*secure_service_t)(void);
-typedef struct { int id; secure_service_t func; int nargs; } secure_service_entry_t;
+typedef struct { secure_service_t func; int nargs; } secure_service_entry_t;
 '''
     footer += '\n#ifdef __cplusplus\n}\n#endif\n'
     with open(output_file, 'w') as f:
@@ -62,16 +65,22 @@ def generate_dec_header(services: List[Tuple[int, str, int]], output_file: str)
         f.write(header + body + footer)
 
 
-def generate_table(services: List[Tuple[int, str, int]], output_file: str) -> None:
+def generate_table_split(services: List[Tuple[int, str, int]], output_file_1: str, output_file_2: str) -> None:
     header = '''/**
   * THIS FILE WAS AUTOMATICALLY GENERATED. DO NOT EDIT!
   */
 
 #pragma once
 '''
-    body = '\n'.join(f'__SECURE_SERVICE({nr}, {name}, {nargs})' for nr, name, nargs in services)
-    with open(output_file, 'w') as f:
-        f.write(header + body)
+    services_1 = [service for service in services if service[0] < SEC_SRV_TABLE_SPLIT_ID]
+    services_2 = [service for service in services if service[0] >= SEC_SRV_TABLE_SPLIT_ID]
+
+    body_1 = '\n'.join(f'__SECURE_SERVICE({nr}, {name}, {nargs})' for nr, name, nargs in services_1)
+    body_2 = '\n'.join(f'__SECURE_SERVICE({nr}, {name}, {nargs})' for nr, name, nargs in services_2)
+
+    with open(output_file_1, 'w') as f1, open(output_file_2, 'w') as f2:
+        f1.write(header + body_1)
+        f2.write(header + body_2)
 
 
 def generate_wrap_list(secure_service_tbl: str) -> None:
@@ -85,19 +94,19 @@ def main() -> None:
     parser = argparse.ArgumentParser(description='Generate secure service outputs')
     parser.add_argument('--wrap', action='store_true', help='Generate linker wrap options')
     parser.add_argument('secure_service_tbl', type=str, help='Path to secure service table file')
-    parser.add_argument('output_files', nargs='*', help='Output files: [secure_service_num.h, secure_service_dec.h, secure_service.h]')
+    parser.add_argument('output_files', nargs='*', help='Output files: [secure_service_num.h, secure_service_dec.h, secure_service_1.h, secure_service_2.h]')
 
     args = parser.parse_args()
 
     if args.wrap:
         generate_wrap_list(args.secure_service_tbl)
     else:
-        if len(args.output_files) != 3:
+        if len(args.output_files) != 4:
             parser.error('Missing output header files!')
         services = parse_services(args.secure_service_tbl)
         generate_num_header(services, args.output_files[0])
         generate_dec_header(services, args.output_files[1])
-        generate_table(services, args.output_files[2])
+        generate_table_split(services, args.output_files[2], args.output_files[3])
 
 
 if __name__ == '__main__':
diff --git a/components/esp_tee/subproject/components/tee_attestation/esp_tee_att.tbl b/components/esp_tee/subproject/components/tee_attestation/esp_tee_att.tbl
@@ -1,2 +1,2 @@
 # SS no.    API type    Function                                    Args
-101         custom      esp_tee_att_generate_token                  6
+250         custom      esp_tee_att_generate_token                  6
diff --git a/components/esp_tee/subproject/main/core/esp_secure_dispatcher.c b/components/esp_tee/subproject/main/core/esp_secure_dispatcher.c
@@ -13,29 +13,21 @@
 
 static const char *TAG = "esp_tee_sec_disp";
 
-extern const secure_service_entry_t tee_secure_service_table[];
+extern const secure_service_entry_t tee_sec_srv_tbl_int_mem[];
+extern const secure_service_entry_t tee_sec_srv_tbl_ext_mem[];
 
 /* ---------------------------------------------- Secure Service Dispatcher ------------------------------------------------- */
 
-const secure_service_entry_t *find_service_by_id(uint32_t id)
+static const secure_service_entry_t *find_service_by_id(uint32_t id)
 {
     if (id >= MAX_SECURE_SERVICES_ID) {
         return NULL;
     }
 
-    size_t left = 0;
-    size_t right = SECURE_SERVICES_NUM;
-
-    while (left < right) {
-        size_t mid = left + (right - left) / 2;
-
-        if (tee_secure_service_table[mid].id == id) {
-            return &tee_secure_service_table[mid];
-        } else if (tee_secure_service_table[mid].id < id) {
-            left = mid + 1;
-        } else {
-            right = mid;
-        }
+    if (id < SECURE_SERVICES_SPLIT_ID) {
+        return &tee_sec_srv_tbl_int_mem[id];
+    } else {
+        return &tee_sec_srv_tbl_ext_mem[id];
     }
 
     return NULL;
diff --git a/components/esp_tee/subproject/main/core/esp_secure_service_table.c b/components/esp_tee/subproject/main/core/esp_secure_service_table.c
@@ -13,10 +13,20 @@
 #pragma GCC diagnostic ignored "-Woverride-init"
 #endif
 
-const DRAM_ATTR secure_service_entry_t tee_secure_service_table[] = {
-#define __SECURE_SERVICE(NR, SYM, ARGC) { .id = NR, .func = _ss_##SYM, .nargs = ARGC },
-#include "secure_service.h"
+const DRAM_ATTR secure_service_entry_t tee_sec_srv_tbl_int_mem[] = {
+    [0 ... SECURE_SERVICES_SPLIT_ID - 1] = { .func = NULL, .nargs = 0 },
+#define __SECURE_SERVICE(NR, SYM, ARGC)  [NR] = { .func = _ss_##SYM, .nargs = ARGC },
+#include "secure_service_int.h"
+#undef __SECURE_SERVICE
 };
+
+const secure_service_entry_t tee_sec_srv_tbl_ext_mem[] = {
+    [0 ... MAX_SECURE_SERVICES_ID] = { .func = NULL, .nargs = 0 },
+#define __SECURE_SERVICE(NR, SYM, ARGC)  [NR] = { .func = _ss_##SYM, .nargs = ARGC },
+#include "secure_service_ext.h"
+#undef __SECURE_SERVICE
+};
+
 #ifdef __GNUC__
 #pragma GCC diagnostic pop
 #endif
diff --git a/components/esp_tee/test_apps/tee_test_fw/components/test_sec_srv/test.tbl b/components/esp_tee/test_apps/tee_test_fw/components/test_sec_srv/test.tbl
@@ -1,18 +1,18 @@
 # SS no.    API type    Function                                    Args
-201         custom      esp_tee_service_add                         6
-202         custom      esp_tee_service_sub                         6
-203         custom      esp_tee_service_mul                         6
-204         custom      esp_tee_service_div                         6
-205         custom      esp_tee_test_timer_init                     6
-206         custom      esp_tee_secure_int_test                     6
-207         custom      esp_tee_non_secure_int_test                 6
-208         custom      esp_tee_test_int_count                      6
-209         custom      esp_tee_test_resv_reg1_write_violation      0
-210         custom      esp_tee_test_resv_reg1_exec_violation       0
-211         custom      esp_tee_test_iram_reg1_write_violation      0
-212         custom      esp_tee_test_iram_reg2_write_violation      0
-213         custom      esp_tee_test_dram_reg1_exec_violation       0
-214         custom      esp_tee_test_dram_reg2_exec_violation       0
-215         custom      esp_tee_test_illegal_instruction            0
-216         custom      dummy_secure_service                        6
-217         custom      add_in_loop                                 6
+300         custom      esp_tee_service_add                         2
+301         custom      esp_tee_service_sub                         2
+302         custom      esp_tee_service_mul                         2
+303         custom      esp_tee_service_div                         2
+304         custom      esp_tee_test_timer_init                     1
+305         custom      esp_tee_secure_int_test                     0
+306         custom      esp_tee_non_secure_int_test                 1
+307         custom      esp_tee_test_int_count                      1
+308         custom      esp_tee_test_resv_reg1_write_violation      0
+309         custom      esp_tee_test_resv_reg1_exec_violation       0
+310         custom      esp_tee_test_iram_reg1_write_violation      0
+311         custom      esp_tee_test_iram_reg2_write_violation      0
+312         custom      esp_tee_test_dram_reg1_exec_violation       0
+313         custom      esp_tee_test_dram_reg2_exec_violation       0
+314         custom      esp_tee_test_illegal_instruction            0
+315         custom      dummy_secure_service                        0
+316         custom      add_in_loop                                 3
diff --git a/components/riscv/include/riscv/rv_utils.h b/components/riscv/include/riscv/rv_utils.h
diff --git a/components/riscv/interrupt_plic.c b/components/riscv/interrupt_plic.c
diff --git a/examples/security/tee/tee_basic/components/example_secure_service/example.tbl b/examples/security/tee/tee_basic/components/example_secure_service/example.tbl

Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,7 @@ set(secure_service_tbl_parser_py`
`88`	`88`
`89`	`89`	`set(secure_service_gen_headers`
`90`	`90`	`${CONFIG_DIR}/secure_service_num.h ${CONFIG_DIR}/secure_service_dec.h`
`91`		`- ${CONFIG_DIR}/secure_service.h`
	`91`	`+ ${CONFIG_DIR}/secure_service_int.h ${CONFIG_DIR}/secure_service_ext.h`
`92`	`92`	`)`
`93`	`93`
`94`	`94`	`if(CONFIG_SECURE_ENABLE_TEE AND NOT esp_tee_build)`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`# SS no. API type Function Args`
`2`		`-101 custom esp_tee_att_generate_token 6`
	`2`	`+250 custom esp_tee_att_generate_token 6`