feat(mbedtls): Add support for ECDSA signing with TEE secure storage

components/mbedtls/port/include/ecdsa/ecdsa_alt.h

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -27,13 +27,20 @@ extern "C" {
  */
 typedef struct {
     mbedtls_ecp_group_id grp_id;            /*!< MbedTLS ECP group identifier */
-    uint8_t efuse_block;                    /*!< EFuse block id for ECDSA private key */
-#ifdef SOC_ECDSA_SUPPORT_EXPORT_PUBKEY
+    union {
+        uint8_t efuse_block;                /*!< EFuse block id for ECDSA private key */
+        uint8_t tee_slot_id;                /*!< TEE secure storage slot id for ECDSA private key */
+    };                                      /*!< Union to hold either EFuse block id or TEE secure storage slot id for ECDSA private key */
+#if SOC_ECDSA_SUPPORT_EXPORT_PUBKEY || CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN
     bool load_pubkey;                       /*!< Export ECDSA public key from the hardware */
 
 #endif
     bool use_km_key;                        /*!< Use key deployed in the key manager for ECDSA operation.
                                                  Note: The key must be already deployed by the application and it must be activated for the lifetime of this context */
+#if CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN
+    bool use_tee_sec_stg_key;               /*!< Use key deployed in the TEE secure storage for ECDSA operation.
+                                                 Note: The key must be already deployed by the application and it must be activated for the lifetime of this context */
+#endif
 } esp_ecdsa_pk_conf_t;  //TODO: IDF-9008 (Add a config to select the ecdsa key from the key manager peripheral)
 
 #if SOC_ECDSA_SUPPORT_EXPORT_PUBKEY || __DOXYGEN__
@@ -106,6 +113,38 @@ int esp_ecdsa_set_pk_context(mbedtls_pk_context *key_ctx, esp_ecdsa_pk_conf_t *c
 
 #endif // CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN || __DOXYGEN__
 
+#if CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN || __DOXYGEN__
+
+/**
+ * @brief Populate the public key buffer of the mbedtls_ecp_keypair context from
+ *        the TEE secure storage.
+ *
+ * @param keypair The mbedtls ECP key-pair structure
+ * @param slot_id The TEE secure storage slot id that holds the private key.
+ *
+ * @return - 0 if successful else MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+ */
+int esp_ecdsa_tee_load_pubkey(mbedtls_ecp_keypair *keypair, int slot_id);
+
+/**
+ * @brief Initialize PK context and fully populate the mbedtls_ecp_keypair context.
+ *        This function modifies the MPI struct used to represent the private key `d`
+ *        in the ECP keypair to differentiate between TEE secure storage keys and software keys.
+ *        It also populates the ECP group field in the mbedtls_ecp_keypair context.
+ *        Additionally, if the load_pubkey flag is set in the esp_ecdsa_pk_conf_t config argument,
+ *        the public key buffer of the mbedtls_ecp_keypair context will be populated.
+ *
+ * @param key_ctx The context in which this function stores the TEE secure storage context.
+ *                This must be uninitialized.
+ * @param conf ESP-ECDSA private key context initialization config structure.
+ *
+ * @return - 0 if successful
+ *         - -1 otherwise
+ */
+int esp_ecdsa_tee_set_pk_context(mbedtls_pk_context *key_ctx, esp_ecdsa_pk_conf_t *conf);
+
+#endif // CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN || __DOXYGEN__
+
 #ifdef __cplusplus
 }
 #endif