feat(esp_tee): Protect the HMAC and DS peripherals from REE access

Author: laukik-hase

components/esp_hw_support/include/esp_ds.h

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2020-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -14,6 +14,8 @@
 
 #ifdef SOC_DIG_SIGN_SUPPORTED
 
+#include "rom/digital_signature.h"
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -38,7 +40,15 @@ extern "C" {
         + ESP_DS_SIGNATURE_L_BIT_LEN   \
         + ESP_DS_SIGNATURE_PADDING_BIT_LEN) / 8))
 
-typedef struct esp_ds_context esp_ds_context_t;
+/**
+ * @brief Context object used for non-blocking digital signature operations
+ *
+ * This object is allocated by \c esp_ds_start_sign() and must be passed to
+ * \c esp_ds_finish_sign() to complete the digital signature operation.
+ */
+typedef struct esp_ds_context {
+    const ets_ds_data_t *data;  /*!< Pointer to the encrypted private key data */
+} esp_ds_context_t;
 
 typedef enum {
     ESP_DS_RSA_1024 = (1024 / 32) - 1,

components/esp_security/CMakeLists.txt

@@ -32,7 +32,8 @@ if(NOT non_os_build)
     list(APPEND srcs "src/esp_crypto_lock.c" "src/esp_crypto_periph_clk.c")
     list(APPEND priv_requires efuse esp_hw_support esp_system esp_timer)
 elseif(esp_tee_build)
-    list(APPEND srcs "src/esp_crypto_lock.c" "src/esp_crypto_periph_clk.c")
+    list(APPEND srcs "src/esp_crypto_lock.c" "src/esp_crypto_periph_clk.c"
+                     "src/esp_hmac.c" "src/esp_ds.c")
     list(APPEND includes "src/${IDF_TARGET}")
     list(APPEND priv_requires esp_hw_support)
 endif()
@@ -44,4 +45,6 @@ idf_component_register(SRCS ${srcs}
 
 if(NOT non_os_build)
     target_link_libraries(${COMPONENT_LIB} PRIVATE "-u esp_security_init_include_impl")
+elseif(esp_tee_build)
+    target_link_libraries(${COMPONENT_LIB} PRIVATE idf::efuse)
 endif()

components/esp_security/src/esp_ds.c

@@ -8,10 +8,15 @@
 #include <string.h>
 #include <assert.h>
 
+#if !ESP_TEE_BUILD
 #include "freertos/FreeRTOS.h"
 #include "freertos/task.h"
-
 #include "esp_timer.h"
+#else
+#include "esp_rom_sys.h"
+#include "esp_cpu.h"
+#endif
+
 #include "esp_ds.h"
 #include "esp_crypto_lock.h"
 #include "esp_crypto_periph_clk.h"
@@ -32,42 +37,6 @@
 #include "hal/sha_ll.h"
 #endif /* !CONFIG_IDF_TARGET_ESP32S2 */
 
-#if CONFIG_IDF_TARGET_ESP32S2
-#include "esp32s2/rom/digital_signature.h"
-#endif
-
-#if CONFIG_IDF_TARGET_ESP32S3
-#include "esp32s3/rom/digital_signature.h"
-#endif
-
-#if CONFIG_IDF_TARGET_ESP32C3
-#include "esp32c3/rom/digital_signature.h"
-#endif
-
-#if CONFIG_IDF_TARGET_ESP32C6
-#include "esp32c6/rom/digital_signature.h"
-#endif
-
-#if CONFIG_IDF_TARGET_ESP32C5
-#include "esp32c5/rom/digital_signature.h"
-#endif
-
-#if CONFIG_IDF_TARGET_ESP32H2
-#include "esp32h2/rom/digital_signature.h"
-#endif
-
-#if CONFIG_IDF_TARGET_ESP32H21
-#include "esp32h21/rom/digital_signature.h"
-#endif
-
-#if CONFIG_IDF_TARGET_ESP32P4
-#include "esp32p4/rom/digital_signature.h"
-#endif
-
-struct esp_ds_context {
-    const ets_ds_data_t *data;
-};
-
 /**
  * The vtask delay \c esp_ds_sign() is using while waiting for completion of the signing operation.
  */
@@ -263,6 +232,15 @@ esp_err_t esp_ds_encrypt_params(esp_ds_data_t *data,
 
 #else /* !CONFIG_IDF_TARGET_ESP32S2 (targets other than esp32s2) */
 
+static inline int64_t get_time_us(void)
+{
+#if !ESP_TEE_BUILD
+    return esp_timer_get_time();
+#else
+    return (int64_t)esp_cpu_get_cycle_count() / (int64_t)esp_rom_get_cpu_ticks_per_us();
+#endif
+}
+
 static void ds_acquire_enable(void)
 {
     esp_crypto_ds_lock_acquire();
@@ -301,14 +279,23 @@ esp_err_t esp_ds_sign(const void *message,
         return ESP_ERR_INVALID_ARG;
     }
 
-    esp_ds_context_t *context;
+    esp_ds_context_t *context = NULL;
+#if ESP_TEE_BUILD
+    esp_ds_context_t ctx;
+    context = &ctx;
+#endif
+
     esp_err_t result = esp_ds_start_sign(message, data, key_id, &context);
     if (result != ESP_OK) {
         return result;
     }
 
     while (esp_ds_is_busy()) {
+#if !ESP_TEE_BUILD
         vTaskDelay(ESP_DS_SIGN_TASK_DELAY_MS / portTICK_PERIOD_MS);
+#else
+        esp_rom_delay_us(1);
+#endif
     }
 
     return esp_ds_finish_sign(signature, context);
@@ -349,16 +336,18 @@ esp_err_t esp_ds_start_sign(const void *message,
     ds_hal_start();
 
     // check encryption key from HMAC
-    int64_t start_time = esp_timer_get_time();
+    int64_t start_time = get_time_us();
     while (ds_ll_busy() != 0) {
-        if ((esp_timer_get_time() - start_time) > SOC_DS_KEY_CHECK_MAX_WAIT_US) {
+        if ((get_time_us() - start_time) > SOC_DS_KEY_CHECK_MAX_WAIT_US) {
             ds_disable_release();
             return ESP_ERR_HW_CRYPTO_DS_INVALID_KEY;
         }
     }
 
-    esp_ds_context_t *context = malloc(sizeof(esp_ds_context_t));
-    if (!context) {
+#if !ESP_TEE_BUILD
+    *esp_ds_ctx = malloc(sizeof(esp_ds_context_t));
+#endif
+    if (!*esp_ds_ctx) {
         ds_disable_release();
         return ESP_ERR_NO_MEM;
     }
@@ -371,8 +360,7 @@ esp_err_t esp_ds_start_sign(const void *message,
     // initiate signing
     ds_hal_start_sign();
 
-    context->data = (const ets_ds_data_t *)data;
-    *esp_ds_ctx = context;
+    (*esp_ds_ctx)->data = (const ets_ds_data_t *)data;
 
     return ESP_OK;
 }
@@ -405,7 +393,9 @@ esp_err_t esp_ds_finish_sign(void *signature, esp_ds_context_t *esp_ds_ctx)
         return_value = ESP_ERR_HW_CRYPTO_DS_INVALID_PADDING;
     }
 
+#if !ESP_TEE_BUILD
     free(esp_ds_ctx);
+#endif
 
     hmac_hal_clean();
 

components/esp_system/port/soc/esp32c6/clk.c

@@ -295,10 +295,10 @@ __attribute__((weak)) void esp_perip_clk_init(void)
         // NOTE: [ESP-TEE] The TEE is responsible for the AES and SHA peripherals
         periph_ll_disable_clk_set_rst(PERIPH_AES_MODULE);
         periph_ll_disable_clk_set_rst(PERIPH_SHA_MODULE);
-#endif
-        periph_ll_disable_clk_set_rst(PERIPH_ECC_MODULE);
         periph_ll_disable_clk_set_rst(PERIPH_HMAC_MODULE);
         periph_ll_disable_clk_set_rst(PERIPH_DS_MODULE);
+#endif
+        periph_ll_disable_clk_set_rst(PERIPH_ECC_MODULE);
 
         // TODO: Replace with hal implementation
         REG_CLR_BIT(PCR_CTRL_TICK_CONF_REG, PCR_TICK_ENABLE);

components/esp_tee/CMakeLists.txt

@@ -73,7 +73,7 @@ else()
 
     idf_component_register(INCLUDE_DIRS include
                            SRCS ${srcs}
-                           PRIV_REQUIRES efuse esp_system spi_flash)
+                           PRIV_REQUIRES efuse esp_security esp_system spi_flash)
 
     if(CONFIG_SECURE_ENABLE_TEE)
         set(EXTRA_LINK_FLAGS)

components/esp_tee/scripts/esp32c6/sec_srv_tbl_default.yml

@@ -212,6 +212,42 @@ secure_services:
         type: IDF
         function: esp_crypto_sha_enable_periph_clk
         args: 1
+      - id: 99
+        type: IDF
+        function: esp_hmac_calculate
+        args: 4
+      - id: 100
+        type: IDF
+        function: esp_hmac_jtag_enable
+        args: 2
+      - id: 101
+        type: IDF
+        function: esp_hmac_jtag_disable
+        args: 0
+      - id: 102
+        type: IDF
+        function: esp_ds_sign
+        args: 4
+      - id: 103
+        type: IDF
+        function: esp_ds_start_sign
+        args: 4
+      - id: 104
+        type: IDF
+        function: esp_ds_is_busy
+        args: 0
+      - id: 105
+        type: IDF
+        function: esp_ds_finish_sign
+        args: 2
+      - id: 106
+        type: IDF
+        function: esp_ds_encrypt_params
+        args: 4
+      - id: 107
+        type: IDF
+        function: esp_crypto_mpi_enable_periph_clk
+        args: 1
   # ID: 134-149 (16) - eFuse
   - family: efuse
     entries: