feat(mbedtls): Add support for ECDSA signing with TEE secure storage

2025-08-30 22:05:21 +00:00 · 2025-02-13 14:22:30 +05:30
parent 1e8933d296
commit 3fd107aa04
8 changed files with 388 additions and 58 deletions
--- a/components/mbedtls/CMakeLists.txt
+++ b/components/mbedtls/CMakeLists.txt
@@ -294,27 +294,40 @@ if(CONFIG_MBEDTLS_HARDWARE_ECC)
                                       "${COMPONENT_DIR}/port/ecc/ecc_alt.c")
 endif()

-if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY)
-    target_sources(mbedcrypto PRIVATE  "${COMPONENT_DIR}/port/ecdsa/ecdsa_alt.c")
+if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY OR CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN)
+    target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/ecdsa/ecdsa_alt.c")

-    if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN)
-        target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=mbedtls_ecdsa_sign")
-        target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=mbedtls_ecdsa_sign_restartable")
-        target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=mbedtls_ecdsa_write_signature")
-        target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=mbedtls_ecdsa_write_signature_restartable")
+    set(WRAP_FUNCTIONS_SIGN
+        mbedtls_ecdsa_sign
+        mbedtls_ecdsa_sign_restartable
+        mbedtls_ecdsa_write_signature
+        mbedtls_ecdsa_write_signature_restartable)
+
+    set(WRAP_FUNCTIONS_VERIFY
+        mbedtls_ecdsa_verify
+        mbedtls_ecdsa_verify_restartable
+        mbedtls_ecdsa_read_signature
+        mbedtls_ecdsa_read_signature_restartable)
+
+    if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN)
+        foreach(wrap ${WRAP_FUNCTIONS_SIGN})
+            target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=${wrap}")
+        endforeach()

        if(CONFIG_SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE)
            target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=mbedtls_ecdsa_sign_det_ext")
            target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=mbedtls_ecdsa_sign_det_restartable")
        endif()
-
    endif()

    if(CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY)
-        target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=mbedtls_ecdsa_verify")
-        target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=mbedtls_ecdsa_verify_restartable")
-        target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=mbedtls_ecdsa_read_signature")
-        target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=mbedtls_ecdsa_read_signature_restartable")
+        foreach(wrap ${WRAP_FUNCTIONS_VERIFY})
+            target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=${wrap}")
+        endforeach()
+    endif()
+
+    if(CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN)
+        target_link_libraries(mbedcrypto PRIVATE idf::tee_sec_storage)
    endif()
 endif()