refactor(esp_tee): Update TEE secure storage interface APIs

Author: laukik-hase

components/esp_tee/Kconfig.projbuild

@@ -72,24 +72,24 @@ menu "ESP-TEE (Trusted Execution Environment)"
             config SECURE_TEE_SEC_STG_MODE_DEVELOPMENT
                 bool "Development"
                 help
-                    Secure storage will be encrypted by the data stored in eFuse BLK2
+                    Secure storage will be encrypted by a constant key embedded in the TEE firmware
 
             config SECURE_TEE_SEC_STG_MODE_RELEASE
                 depends on IDF_TARGET_ESP32C6
                 bool "Release"
                 help
                     Secure storage will be encrypted by the data stored in eFuse block
-                    configured through the SECURE_TEE_SEC_STG_KEY_EFUSE_BLK option
+                    configured through the SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID option
 
         endchoice
 
-        config SECURE_TEE_SEC_STG_KEY_EFUSE_BLK
-            int "Secure Storage: Encryption key eFuse block"
+        config SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID
+            int "Secure Storage: eFuse HMAC key ID"
             depends on SECURE_TEE_SEC_STG_MODE_RELEASE
-            range 4 10
-            default 10
+            range -1 5
+            default -1
             help
-                eFuse block ID storing the TEE secure storage encryption key
+                eFuse block key ID storing the HMAC key for deriving the TEE secure storage encryption keys
 
         config SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN
             bool "Secure Storage: Support signing with the ECDSA SECP192R1 curve"
@@ -104,13 +104,12 @@ menu "ESP-TEE (Trusted Execution Environment)"
                 This configuration enables the support for the Attestation service.
 
 
-        config SECURE_TEE_ATT_KEY_SLOT_ID
+        config SECURE_TEE_ATT_KEY_STR_ID
             depends on SECURE_TEE_ATTESTATION
-            int "Attestation: Secure Storage slot ID for EAT signing"
-            default 0
-            range 0 14
+            string "Attestation: Secure Storage key ID for EAT signing"
+            default "tee_att_key0"
             help
-                This configuration sets the slot ID from the TEE secure storage
+                This configuration sets the key ID from the TEE secure storage
                 storing the ECDSA keypair for executing sign/verify operations
                 from the TEE side for attestation.
 

components/esp_tee/scripts/esp32c6/sec_srv_tbl_default.yml

@@ -252,36 +252,28 @@ secure_services:
     entries:
       - id: 175
         type: custom
-        function: esp_tee_sec_storage_init
-        args: 0
+        function: esp_tee_sec_storage_clear_key
+        args: 1
       - id: 176
         type: custom
         function: esp_tee_sec_storage_gen_key
-        args: 2
+        args: 1
       - id: 177
         type: custom
-        function: esp_tee_sec_storage_get_signature
-        args: 5
+        function: esp_tee_sec_storage_ecdsa_sign
+        args: 4
       - id: 178
         type: custom
-        function: esp_tee_sec_storage_get_pubkey
-        args: 3
+        function: esp_tee_sec_storage_ecdsa_get_pubkey
+        args: 2
       - id: 179
         type: custom
-        function: esp_tee_sec_storage_encrypt
-        args: 8
+        function: esp_tee_sec_storage_aead_encrypt
+        args: 4
       - id: 180
         type: custom
-        function: esp_tee_sec_storage_decrypt
-        args: 8
-      - id: 181
-        type: custom
-        function: esp_tee_sec_storage_is_slot_empty
-        args: 1
-      - id: 182
-        type: custom
-        function: esp_tee_sec_storage_clear_slot
-        args: 1
+        function: esp_tee_sec_storage_aead_decrypt
+        args: 4
   # ID: 195-199 (5) - OTA
   - family: ota
     entries:

components/esp_tee/subproject/components/attestation/esp_att_utils_crypto.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -41,26 +41,23 @@ static esp_err_t gen_ecdsa_keypair_secp256r1(esp_att_ecdsa_keypair_t *keypair)
     if (keypair == NULL) {
         return ESP_ERR_INVALID_ARG;
     }
-
     memset(keypair, 0x00, sizeof(esp_att_ecdsa_keypair_t));
 
-    uint16_t slot_id = ESP_ATT_TK_KEY_ID;
-    esp_tee_sec_storage_pubkey_t pubkey = {0};
+    esp_tee_sec_storage_key_cfg_t key_cfg = {
+        .id = (const char *)(ESP_ATT_TK_KEY_ID),
+        .type = ESP_SEC_STG_KEY_ECDSA_SECP256R1,
+    };
 
-    esp_err_t err = esp_tee_sec_storage_init();
-    if (err != ESP_OK) {
+    esp_err_t err = esp_tee_sec_storage_gen_key(&key_cfg);
+    if (err == ESP_ERR_INVALID_STATE) {
+        ESP_LOGW(TAG, "Using pre-existing key...");
+    } else if (err != ESP_OK) {
+        ESP_LOGE(TAG, "Failed to generate ECDSA keypair (%d)", err);
         return err;
     }
 
-    if (esp_tee_sec_storage_is_slot_empty(slot_id)) {
-        err = esp_tee_sec_storage_gen_key(slot_id, ESP_SEC_STG_KEY_ECDSA_SECP256R1);
-        if (err != ESP_OK) {
-            ESP_LOGE(TAG, "Failed to generate ECDSA keypair (%d)", err);
-            return err;
-        }
-    }
-
-    err = esp_tee_sec_storage_get_pubkey(slot_id, ESP_SEC_STG_KEY_ECDSA_SECP256R1, &pubkey);
+    esp_tee_sec_storage_ecdsa_pubkey_t pubkey = {};
+    err = esp_tee_sec_storage_ecdsa_get_pubkey(&key_cfg, &pubkey);
     if (err != ESP_OK) {
         ESP_LOGE(TAG, "Failed to fetch ECDSA pubkey (%d)", err);
         return err;
@@ -83,8 +80,13 @@ static esp_err_t get_ecdsa_sign_secp256r1(const esp_att_ecdsa_keypair_t *keypair
         return ESP_ERR_INVALID_SIZE;
     }
 
-    esp_tee_sec_storage_sign_t sign = {};
-    esp_err_t err = esp_tee_sec_storage_get_signature(ESP_ATT_TK_KEY_ID, ESP_SEC_STG_KEY_ECDSA_SECP256R1, (uint8_t *)digest, len, &sign);
+    esp_tee_sec_storage_key_cfg_t key_cfg = {
+        .id = (const char *)(ESP_ATT_TK_KEY_ID),
+        .type = ESP_SEC_STG_KEY_ECDSA_SECP256R1,
+    };
+
+    esp_tee_sec_storage_ecdsa_sign_t sign = {};
+    esp_err_t err = esp_tee_sec_storage_ecdsa_sign(&key_cfg, (uint8_t *)digest, len, &sign);
     if (err != ESP_OK) {
         return err;
     }

components/esp_tee/subproject/components/attestation/esp_att_utils_json.c

@@ -126,7 +126,7 @@ esp_err_t esp_att_utils_header_to_json(const esp_att_token_hdr_t *tk_hdr, char *
     json_gen_obj_set_string(&json_gen, "encr_alg", NULL);
     json_gen_obj_set_string(&json_gen, "sign_alg", ESP_ATT_TK_SIGN_ALG);
 
-    json_gen_obj_set_int(&json_gen, "key_id", ESP_ATT_TK_KEY_ID);
+    json_gen_obj_set_string(&json_gen, "key_id", ESP_ATT_TK_KEY_ID);
 
     // End the top-level JSON object
     json_gen_end_object(&json_gen);

components/esp_tee/subproject/components/attestation/private_include/esp_attestation_utils.h

@@ -42,9 +42,9 @@ extern "C" {
 #define ESP_ATT_TK_MIN_SIZE         (ESP_ATT_HDR_JSON_MAX_SZ + ESP_ATT_EAT_JSON_MAX_SZ + ESP_ATT_PUBKEY_JSON_MAX_SZ + ESP_ATT_SIGN_JSON_MAX_SZ)
 
 #if ESP_TEE_BUILD && CONFIG_SECURE_TEE_ATTESTATION
-#define ESP_ATT_TK_KEY_ID  (CONFIG_SECURE_TEE_ATT_KEY_SLOT_ID)
+#define ESP_ATT_TK_KEY_ID  (CONFIG_SECURE_TEE_ATT_KEY_STR_ID)
 #else
-#define ESP_ATT_TK_KEY_ID  (-1)
+#define ESP_ATT_TK_KEY_ID  ("NULL")
 #endif
 
 /**

components/esp_tee/subproject/components/tee_sec_storage/CMakeLists.txt

@@ -5,7 +5,7 @@ set(priv_requires efuse mbedtls spi_flash)
 
 if(esp_tee_build)
     list(APPEND srcs "tee_sec_storage.c")
-    list(APPEND priv_requires log tee_flash_mgr)
+    list(APPEND priv_requires esp_partition log nvs_flash tee_flash_mgr)
 else()
     list(APPEND srcs "tee_sec_storage_wrapper.c")
     set(priv_requires esp_tee)