mirror of
https://github.com/espressif/esp-idf.git
synced 2025-10-03 03:58:12 +00:00
refactor(esp_tee): Revised the secure service ID numbering scheme
Also: - Split the secure service table into two parts: one DRAM-resident and the other DROM-resident. The former holds the services invoked when the cache is disabled or suspended while the latter holds rest of the services.
This commit is contained in:
Laukik Hase
@@ -1,45 +1,56 @@
|
||||
# SS no. API type Function Args
|
||||
0 custom invalid_secure_service 0
|
||||
1 IDF esp_rom_route_intr_matrix 3
|
||||
2 IDF rv_utils_intr_enable 1
|
||||
3 IDF rv_utils_intr_disable 1
|
||||
4 IDF rv_utils_intr_set_priority 2
|
||||
5 IDF rv_utils_intr_set_type 2
|
||||
6 IDF rv_utils_intr_set_threshold 1
|
||||
7 IDF rv_utils_intr_edge_ack 1
|
||||
8 IDF rv_utils_intr_global_enable 0
|
||||
9 IDF efuse_hal_chip_revision 0
|
||||
10 IDF efuse_hal_get_chip_ver_pkg 1
|
||||
11 IDF efuse_hal_get_disable_wafer_version_major 0
|
||||
12 IDF efuse_hal_get_mac 1
|
||||
13 IDF esp_efuse_check_secure_version 1
|
||||
14 IDF esp_efuse_read_field_blob 3
|
||||
15 IDF esp_flash_encryption_enabled 0
|
||||
16 IDF wdt_hal_init 4
|
||||
17 IDF wdt_hal_deinit 1
|
||||
18 IDF esp_aes_intr_alloc 0
|
||||
19 IDF esp_aes_crypt_cbc 6
|
||||
20 IDF esp_aes_crypt_cfb8 6
|
||||
21 IDF esp_aes_crypt_cfb128 7
|
||||
22 IDF esp_aes_crypt_ctr 7
|
||||
23 IDF esp_aes_crypt_ecb 4
|
||||
24 IDF esp_aes_crypt_ofb 6
|
||||
25 IDF esp_sha 4
|
||||
26 IDF esp_sha_dma 6
|
||||
27 IDF esp_sha_read_digest_state 2
|
||||
28 IDF esp_sha_write_digest_state 2
|
||||
29 IDF mmu_hal_map_region 6
|
||||
30 IDF mmu_hal_unmap_region 3
|
||||
31 IDF mmu_hal_vaddr_to_paddr 4
|
||||
32 IDF mmu_hal_paddr_to_vaddr 5
|
||||
33 custom esp_tee_ota_begin 0
|
||||
34 custom esp_tee_ota_write 3
|
||||
35 custom esp_tee_ota_end 0
|
||||
36 custom esp_tee_sec_storage_init 0
|
||||
37 custom esp_tee_sec_storage_gen_key 1
|
||||
38 custom esp_tee_sec_storage_get_signature 4
|
||||
39 custom esp_tee_sec_storage_get_pubkey 2
|
||||
40 custom esp_tee_sec_storage_encrypt 8
|
||||
41 custom esp_tee_sec_storage_decrypt 8
|
||||
42 custom esp_tee_sec_storage_is_slot_empty 1
|
||||
43 custom esp_tee_sec_storage_clear_slot 1
|
||||
# ID: 1-47 (47) - External memory (Flash) protection
|
||||
1 IDF mmu_hal_map_region 6
|
||||
2 IDF mmu_hal_unmap_region 3
|
||||
3 IDF mmu_hal_vaddr_to_paddr 4
|
||||
4 IDF mmu_hal_paddr_to_vaddr 5
|
||||
# Services before the ID 48 will be placed in the internal memory table,
|
||||
# while the rest will be placed in the external memory table.
|
||||
# ID: 48-71 (24) - Interrupt Handling
|
||||
48 IDF esp_rom_route_intr_matrix 3
|
||||
49 IDF rv_utils_intr_enable 1
|
||||
50 IDF rv_utils_intr_disable 1
|
||||
51 IDF rv_utils_intr_set_priority 2
|
||||
52 IDF rv_utils_intr_set_type 2
|
||||
53 IDF rv_utils_intr_set_threshold 1
|
||||
54 IDF rv_utils_intr_edge_ack 1
|
||||
55 IDF rv_utils_intr_global_enable 0
|
||||
# ID: 72-119 (48) - HAL
|
||||
72 IDF efuse_hal_chip_revision 0
|
||||
73 IDF efuse_hal_get_chip_ver_pkg 1
|
||||
74 IDF efuse_hal_get_disable_wafer_version_major 0
|
||||
75 IDF efuse_hal_get_mac 1
|
||||
76 IDF wdt_hal_init 4
|
||||
77 IDF wdt_hal_deinit 1
|
||||
# ID: 120-167 (48) - Crypto
|
||||
120 IDF esp_aes_intr_alloc 0
|
||||
121 IDF esp_aes_crypt_cbc 6
|
||||
122 IDF esp_aes_crypt_cfb8 6
|
||||
123 IDF esp_aes_crypt_cfb128 7
|
||||
124 IDF esp_aes_crypt_ctr 7
|
||||
125 IDF esp_aes_crypt_ecb 4
|
||||
126 IDF esp_aes_crypt_ofb 6
|
||||
127 IDF esp_sha 4
|
||||
128 IDF esp_sha_dma 6
|
||||
129 IDF esp_sha_read_digest_state 2
|
||||
130 IDF esp_sha_write_digest_state 2
|
||||
# ID: 168-183 (16) - eFuse
|
||||
168 IDF esp_efuse_check_secure_version 1
|
||||
169 IDF esp_efuse_read_field_blob 3
|
||||
170 IDF esp_flash_encryption_enabled 0
|
||||
# ID: 184-249 (66) - Reserved for future use
|
||||
# ID: 270-293 (24) - Secure Storage
|
||||
270 custom esp_tee_sec_storage_init 0
|
||||
271 custom esp_tee_sec_storage_gen_key 2
|
||||
272 custom esp_tee_sec_storage_get_signature 4
|
||||
273 custom esp_tee_sec_storage_get_pubkey 2
|
||||
274 custom esp_tee_sec_storage_encrypt 8
|
||||
275 custom esp_tee_sec_storage_decrypt 8
|
||||
276 custom esp_tee_sec_storage_is_slot_empty 1
|
||||
277 custom esp_tee_sec_storage_clear_slot 1
|
||||
# ID: 294-299 (6) - OTA
|
||||
294 custom esp_tee_ota_begin 0
|
||||
295 custom esp_tee_ota_write 3
|
||||
296 custom esp_tee_ota_end 0
|
||||
# ID: 300+ - User-defined
|
||||
|
||||
@@ -5,6 +5,8 @@ import re
|
||||
from typing import List
|
||||
from typing import Tuple
|
||||
|
||||
SEC_SRV_TABLE_SPLIT_ID = 48
|
||||
|
||||
|
||||
def parse_services(secure_service_tbl: str) -> List[Tuple[int, str, int]]:
|
||||
services, service_ids = [], set()
|
||||
@@ -37,8 +39,9 @@ extern "C" {
|
||||
body = '\n'.join(f'#define SS_{name.upper()}\t{nr}' for nr, name, _ in services)
|
||||
footer = f'\n#define MAX_SECURE_SERVICES_ID\t{services[-1][0] + 1 if services else 0}\n'
|
||||
footer += f'#define SECURE_SERVICES_NUM\t{len(services)}\n\n'
|
||||
footer += f'#define SECURE_SERVICES_SPLIT_ID\t{SEC_SRV_TABLE_SPLIT_ID}\n\n'
|
||||
footer += '''typedef void (*secure_service_t)(void);
|
||||
typedef struct { int id; secure_service_t func; int nargs; } secure_service_entry_t;
|
||||
typedef struct { secure_service_t func; int nargs; } secure_service_entry_t;
|
||||
'''
|
||||
footer += '\n#ifdef __cplusplus\n}\n#endif\n'
|
||||
with open(output_file, 'w') as f:
|
||||
@@ -62,16 +65,22 @@ extern "C" {
|
||||
f.write(header + body + footer)
|
||||
|
||||
|
||||
def generate_table(services: List[Tuple[int, str, int]], output_file: str) -> None:
|
||||
def generate_table_split(services: List[Tuple[int, str, int]], output_file_1: str, output_file_2: str) -> None:
|
||||
header = '''/**
|
||||
* THIS FILE WAS AUTOMATICALLY GENERATED. DO NOT EDIT!
|
||||
*/
|
||||
|
||||
#pragma once
|
||||
'''
|
||||
body = '\n'.join(f'__SECURE_SERVICE({nr}, {name}, {nargs})' for nr, name, nargs in services)
|
||||
with open(output_file, 'w') as f:
|
||||
f.write(header + body)
|
||||
services_1 = [service for service in services if service[0] < SEC_SRV_TABLE_SPLIT_ID]
|
||||
services_2 = [service for service in services if service[0] >= SEC_SRV_TABLE_SPLIT_ID]
|
||||
|
||||
body_1 = '\n'.join(f'__SECURE_SERVICE({nr}, {name}, {nargs})' for nr, name, nargs in services_1)
|
||||
body_2 = '\n'.join(f'__SECURE_SERVICE({nr}, {name}, {nargs})' for nr, name, nargs in services_2)
|
||||
|
||||
with open(output_file_1, 'w') as f1, open(output_file_2, 'w') as f2:
|
||||
f1.write(header + body_1)
|
||||
f2.write(header + body_2)
|
||||
|
||||
|
||||
def generate_wrap_list(secure_service_tbl: str) -> None:
|
||||
@@ -85,19 +94,19 @@ def main() -> None:
|
||||
parser = argparse.ArgumentParser(description='Generate secure service outputs')
|
||||
parser.add_argument('--wrap', action='store_true', help='Generate linker wrap options')
|
||||
parser.add_argument('secure_service_tbl', type=str, help='Path to secure service table file')
|
||||
parser.add_argument('output_files', nargs='*', help='Output files: [secure_service_num.h, secure_service_dec.h, secure_service.h]')
|
||||
parser.add_argument('output_files', nargs='*', help='Output files: [secure_service_num.h, secure_service_dec.h, secure_service_1.h, secure_service_2.h]')
|
||||
|
||||
args = parser.parse_args()
|
||||
|
||||
if args.wrap:
|
||||
generate_wrap_list(args.secure_service_tbl)
|
||||
else:
|
||||
if len(args.output_files) != 3:
|
||||
if len(args.output_files) != 4:
|
||||
parser.error('Missing output header files!')
|
||||
services = parse_services(args.secure_service_tbl)
|
||||
generate_num_header(services, args.output_files[0])
|
||||
generate_dec_header(services, args.output_files[1])
|
||||
generate_table(services, args.output_files[2])
|
||||
generate_table_split(services, args.output_files[2], args.output_files[3])
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
|
||||
Reference in New Issue
Block a user