Merge branch 'feature/esp_tee' into 'master'

feat(security): Support for ESP-TEE

Closes IDF-6902, IDF-8268, IDF-9389, IDF-10479, IDF-10480, IDF-10482, IDF-10755, and IDF-11438

See merge request espressif/esp-idf!32050

.gitlab/CODEOWNERS

@@ -111,6 +111,7 @@
 /components/esp_rom/                  @esp-idf-codeowners/system @esp-idf-codeowners/bluetooth @esp-idf-codeowners/wifi
 /components/esp_security/             @esp-idf-codeowners/security
 /components/esp_system/               @esp-idf-codeowners/system
+/components/esp_tee/                  @esp-idf-codeowners/security
 /components/esp_timer/                @esp-idf-codeowners/system
 /components/esp-tls/                  @esp-idf-codeowners/app-utilities
 /components/esp_vfs_*/                @esp-idf-codeowners/storage

CMakeLists.txt

@@ -13,9 +13,9 @@ endif()
 # Add the following build specifications here, since these seem to be dependent
 # on config values on the root Kconfig.
 
-if(NOT BOOTLOADER_BUILD)
+if(BOOTLOADER_BUILD)
 
-    if(CONFIG_COMPILER_OPTIMIZATION_SIZE)
+    if(CONFIG_BOOTLOADER_COMPILER_OPTIMIZATION_SIZE)
         if(CMAKE_C_COMPILER_ID MATCHES "Clang")
             list(APPEND compile_options "-Oz")
         else()
@@ -24,20 +24,29 @@ if(NOT BOOTLOADER_BUILD)
         if(CMAKE_C_COMPILER_ID MATCHES "GNU")
             list(APPEND compile_options "-freorder-blocks")
         endif()
-    elseif(CONFIG_COMPILER_OPTIMIZATION_DEBUG)
+    elseif(CONFIG_BOOTLOADER_COMPILER_OPTIMIZATION_DEBUG)
         list(APPEND compile_options "-Og")
         if(CMAKE_C_COMPILER_ID MATCHES "GNU" AND NOT CONFIG_IDF_TARGET_LINUX)
             list(APPEND compile_options "-fno-shrink-wrap")  # Disable shrink-wrapping to reduce binary size
         endif()
-    elseif(CONFIG_COMPILER_OPTIMIZATION_NONE)
+    elseif(CONFIG_BOOTLOADER_COMPILER_OPTIMIZATION_NONE)
         list(APPEND compile_options "-O0")
-    elseif(CONFIG_COMPILER_OPTIMIZATION_PERF)
+    elseif(CONFIG_BOOTLOADER_COMPILER_OPTIMIZATION_PERF)
         list(APPEND compile_options "-O2")
     endif()
 
-else()  # BOOTLOADER_BUILD
+elseif(ESP_TEE_BUILD)
 
-    if(CONFIG_BOOTLOADER_COMPILER_OPTIMIZATION_SIZE)
+    if(CMAKE_C_COMPILER_ID MATCHES "Clang")
+        list(APPEND compile_options "-Oz")
+    else()
+        list(APPEND compile_options "-Os")
+        list(APPEND compile_options "-freorder-blocks")
+    endif()
+
+else()
+
+    if(CONFIG_COMPILER_OPTIMIZATION_SIZE)
         if(CMAKE_C_COMPILER_ID MATCHES "Clang")
             list(APPEND compile_options "-Oz")
         else()
@@ -46,14 +55,14 @@ else()  # BOOTLOADER_BUILD
         if(CMAKE_C_COMPILER_ID MATCHES "GNU")
             list(APPEND compile_options "-freorder-blocks")
         endif()
-    elseif(CONFIG_BOOTLOADER_COMPILER_OPTIMIZATION_DEBUG)
+    elseif(CONFIG_COMPILER_OPTIMIZATION_DEBUG)
         list(APPEND compile_options "-Og")
         if(CMAKE_C_COMPILER_ID MATCHES "GNU" AND NOT CONFIG_IDF_TARGET_LINUX)
             list(APPEND compile_options "-fno-shrink-wrap")  # Disable shrink-wrapping to reduce binary size
         endif()
-    elseif(CONFIG_BOOTLOADER_COMPILER_OPTIMIZATION_NONE)
+    elseif(CONFIG_COMPILER_OPTIMIZATION_NONE)
         list(APPEND compile_options "-O0")
-    elseif(CONFIG_BOOTLOADER_COMPILER_OPTIMIZATION_PERF)
+    elseif(CONFIG_COMPILER_OPTIMIZATION_PERF)
         list(APPEND compile_options "-O2")
     endif()
 

components/bootloader/CMakeLists.txt

@@ -1,4 +1,5 @@
 idf_build_get_property(target IDF_TARGET)
+idf_build_get_property(esp_tee_build ESP_TEE_BUILD)
 
 if(${target} STREQUAL "linux")
     return() # This component is not supported by the POSIX/Linux simulator
@@ -7,7 +8,9 @@ endif()
 idf_component_register(PRIV_REQUIRES partition_table esptool_py)
 
 # Do not generate flash file when building bootloader or is in early expansion of the build
-if(BOOTLOADER_BUILD OR NOT CONFIG_APP_BUILD_BOOTLOADER)
+# This also applies to the ESP-TEE build, as the esp_tee component only requires the
+# Kconfig options from the bootloader
+if(BOOTLOADER_BUILD OR esp_tee_build OR NOT CONFIG_APP_BUILD_BOOTLOADER)
     return()
 endif()
 

components/bootloader/project_include.cmake

@@ -1,7 +1,9 @@
+idf_build_get_property(esp_tee_build ESP_TEE_BUILD)
+
 set(BOOTLOADER_OFFSET ${CONFIG_BOOTLOADER_OFFSET_IN_FLASH})
 
 # Do not generate flash file when building bootloader
-if(BOOTLOADER_BUILD OR NOT CONFIG_APP_BUILD_BOOTLOADER)
+if(BOOTLOADER_BUILD OR esp_tee_build OR NOT CONFIG_APP_BUILD_BOOTLOADER)
     return()
 endif()
 

components/bootloader/subproject/CMakeLists.txt

@@ -32,7 +32,8 @@ set(COMPONENTS
     main
     efuse
     esp_system
-    newlib)
+    newlib
+    esp_tee)
 
 # EXTRA_COMPONENT_DIRS can be populated with directories containing one or several components.
 # Make sure this variable contains `bootloader_components` directory of the project being compiled.

components/bootloader/subproject/main/bootloader_start.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -53,6 +53,11 @@ void __attribute__((noreturn)) call_start_cpu0(void)
         bootloader_reset();
     }
 
+    // 2.1 Load the TEE image
+#if CONFIG_SECURE_ENABLE_TEE
+    bootloader_utility_load_tee_image(&bs);
+#endif
+
     // 3. Load the app image for booting
     bootloader_utility_load_boot_image(&bs, boot_index);
 }

components/bootloader/subproject/main/ld/esp32c6/bootloader.ld

@@ -71,6 +71,7 @@ SECTIONS
     *libbootloader_support.a:bootloader_random*.*(.literal.bootloader_random_enable .text.bootloader_random_enable)
     *libbootloader_support.a:bootloader_efuse.*(.literal .text .literal.* .text.*)
     *libbootloader_support.a:bootloader_utility.*(.literal .text .literal.* .text.*)
+    *libbootloader_support.a:bootloader_utility_tee.*(.literal .text .literal.* .text.*)
     *libbootloader_support.a:bootloader_sha.*(.literal .text .literal.* .text.*)
     *libbootloader_support.a:bootloader_console_loader.*(.literal .text .literal.* .text.*)
     *libbootloader_support.a:bootloader_panic.*(.literal .text .literal.* .text.*)

components/bootloader_support/CMakeLists.txt

@@ -1,9 +1,38 @@
 idf_build_get_property(target IDF_TARGET)
+idf_build_get_property(esp_tee_build ESP_TEE_BUILD)
 
 if(${target} STREQUAL "linux")
     return() # This component is not supported by the POSIX/Linux simulator
 endif()
 
+if(esp_tee_build)
+    set(tee_inc_dirs "include"
+                     "private_include"
+                     "bootloader_flash/include")
+
+    set(tee_srcs "src/flash_partitions.c"
+                 "src/${IDF_TARGET}/bootloader_sha.c"
+                 "src/bootloader_common_loader.c"
+                 "src/esp_image_format.c"
+                 "src/bootloader_utility.c"
+                 "src/bootloader_utility_tee.c"
+                 "bootloader_flash/src/bootloader_flash.c")
+
+    if(CONFIG_SECURE_BOOT_V2_ENABLED)
+        if(CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME OR CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME)
+            list(APPEND tee_srcs "src/secure_boot_v2/secure_boot_signatures_bootloader.c"
+                                 "src/secure_boot_v2/secure_boot.c"
+                                 "src/${IDF_TARGET}/secure_boot_secure_features.c")
+        endif()
+        list(APPEND priv_requires efuse)
+    endif()
+
+    idf_component_register(SRCS ${tee_srcs}
+                           INCLUDE_DIRS ${tee_inc_dirs}
+                           PRIV_REQUIRES efuse)
+    return()
+endif()
+
 set(srcs
     "src/bootloader_common.c"
     "src/bootloader_common_loader.c"
@@ -49,6 +78,9 @@ if(BOOTLOADER_BUILD OR CONFIG_APP_BUILD_TYPE_RAM)
     "src/${IDF_TARGET}/bootloader_soc.c"
     "src/${IDF_TARGET}/bootloader_${IDF_TARGET}.c"
     )
+    if(CONFIG_SECURE_ENABLE_TEE)
+        list(APPEND srcs "src/bootloader_utility_tee.c")
+    endif()
     list(APPEND priv_requires hal)
     if(CONFIG_ESP_ROM_REV0_HAS_NO_ECDSA_INTERFACE)
         list(APPEND srcs