alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2025-11-04 06:11:06 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
3d45e8578e4d8632c9bb227e5895b71873170cb2
esp-idf/components/esp_tee/Kconfig.projbuild

189 lines
7.0 KiB
Plaintext
Raw Blame History

menu "ESP-TEE (Trusted Execution Environment)"
depends on IDF_TARGET_ESP32C6 || IDF_TARGET_ESP32H2
config SECURE_ENABLE_TEE
bool "Enable the ESP-TEE framework"
select ESP_SYSTEM_MEMPROT_FEATURE_VIA_TEE
help
This configuration enables the Trusted Execution Environment (TEE) feature.
menu "Memory Configuration"
depends on SECURE_ENABLE_TEE
config SECURE_TEE_IRAM_SIZE
hex "IRAM region size"
default 0x8000
range 0x7000 0xA000
help
This configuration sets the IRAM size for the TEE module.
This should be 256-byte (0x100) aligned.
config SECURE_TEE_DRAM_SIZE
hex "DRAM region size"
default 0x6000
range 0x5000 0x7000
help
This configuration sets the DRAM size for the TEE module.
This should be 256-byte (0x100) aligned.
config SECURE_TEE_STACK_SIZE
hex "Stack size"
default 0xc00
range 0x800 0x1000
help
This configuration sets the stack size for the TEE module.
The TEE stack will be allocated from the TEE DRAM region.
This should be 16-byte (0x10) aligned.
config SECURE_TEE_INTR_STACK_SIZE
hex "Interrupt Stack size"
default 0x400
range 0x400 0x800
help
This configuration sets the interrupt stack size for the TEE module.
The TEE interrupt stack will be allocated from the TEE DRAM region.
This should be 16-byte (0x10) aligned.
config SECURE_TEE_IROM_SIZE
hex
default 0x10000
help
This should be a multiple of MMU_PAGE_SIZE.
config SECURE_TEE_DROM_SIZE
hex
default 0x10000
help
This should be a multiple of MMU_PAGE_SIZE.
endmenu
menu "Secure Services"
depends on SECURE_ENABLE_TEE
choice SECURE_TEE_SEC_STG_MODE
prompt "Secure Storage: Mode"
depends on SECURE_ENABLE_TEE
default SECURE_TEE_SEC_STG_MODE_DEVELOPMENT
help
Select the TEE secure storage mode
config SECURE_TEE_SEC_STG_MODE_DEVELOPMENT
bool "Development"
help
Secure storage will be encrypted by a constant key embedded in the TEE firmware
config SECURE_TEE_SEC_STG_MODE_RELEASE
bool "Release"
help
Secure storage will be encrypted by the data stored in eFuse block
configured through the SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID option
endchoice
config SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID
int "Secure Storage: eFuse HMAC key ID"
depends on SECURE_TEE_SEC_STG_MODE_RELEASE
range -1 5
default -1
help
eFuse block key ID storing the HMAC key for deriving the TEE secure storage encryption keys
config SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN
bool "Secure Storage: Support signing with the ECDSA SECP192R1 curve"
default n
help
Enable ECDSA signing with the SECP192R1 curve using the TEE secure storage.
config SECURE_TEE_ATTESTATION
bool "Enable Attestation"
default y
help
This configuration enables the support for the Attestation service.
config SECURE_TEE_ATT_KEY_STR_ID
depends on SECURE_TEE_ATTESTATION
string "Attestation: Secure Storage key ID for EAT signing"
default "tee_att_key0"
help
This configuration sets the key ID from the TEE secure storage
storing the ECDSA keypair for executing sign/verify operations
from the TEE side for attestation.
endmenu
config SECURE_TEE_EXT_FLASH_MEMPROT_SPI1
bool "Memprot: Isolate TEE flash regions over SPI1"
depends on SECURE_ENABLE_TEE
default n
help
This configuration restricts access to TEE-reserved regions in external flash
by making them inaccessible to the REE via the SPI1 interface (physical addresses).
With this enabled, all SPI flash read, write, or erase operations over SPI1 will
be routed through service calls to the TEE, introducing additional performance
overhead.
When Flash Encryption (SECURE_FLASH_ENC_ENABLED) is enabled, the REE can still
access TEE-related flash partitions over SPI1, but read operations will return
encrypted data contents. This prevents attackers from inferring the TEE contents
with direct reads.
Additionally, with Secure Boot enabled (SECURE_BOOT_V2_ENABLED), any unauthorized
modifications to the TEE firmware will be detected during boot, causing signature
verification to fail. Thus, these options provide a level of protection suitable for
most applications. However, while the TEE firmware integrity is protected, other TEE
partitions (Secure Storage, TEE OTA data) can be manipulated through direct writes.
Enable this option only when complete isolation of all TEE flash regions is required,
even with the associated performance tradeoffs.
Note: All accesses to the TEE partitions over SPI0 (i.e. the MMU) are blocked
unconditionally.
config SECURE_TEE_DEBUG_MODE
bool "Enable Debug Mode"
default y
depends on SECURE_ENABLE_TEE
help
This configuration enables the logging from the TEE module.
choice SECURE_TEE_LOG_LEVEL
bool "Log verbosity"
default SECURE_TEE_LOG_LEVEL_WARN
depends on SECURE_TEE_DEBUG_MODE
help
Specify how much output to see in TEE logs.
config SECURE_TEE_LOG_LEVEL_NONE
bool "No output"
config SECURE_TEE_LOG_LEVEL_ERROR
bool "Error"
config SECURE_TEE_LOG_LEVEL_WARN
bool "Warning"
config SECURE_TEE_LOG_LEVEL_INFO
bool "Info"
config SECURE_TEE_LOG_LEVEL_DEBUG
bool "Debug"
config SECURE_TEE_LOG_LEVEL_VERBOSE
bool "Verbose"
endchoice
config SECURE_TEE_LOG_LEVEL
int
default 0 if SECURE_TEE_LOG_LEVEL_NONE || !SECURE_TEE_DEBUG_MODE
default 1 if SECURE_TEE_LOG_LEVEL_ERROR
default 2 if SECURE_TEE_LOG_LEVEL_WARN
default 3 if SECURE_TEE_LOG_LEVEL_INFO
default 4 if SECURE_TEE_LOG_LEVEL_DEBUG
default 5 if SECURE_TEE_LOG_LEVEL_VERBOSE
config SECURE_TEE_TEST_MODE
bool "Enable Test Mode"
depends on SECURE_ENABLE_TEE
help
This configuration sets up the TEE framework as required for executing the test suite.
endmenu
Reference in New Issue View Git Blame Copy Permalink