chore: import upstream snapshot with attribution

This commit is contained in:
wehub-resource-sync
2026-07-13 13:04:25 +08:00
commit 548b49ebc0
20937 changed files with 5455372 additions and 0 deletions
@@ -0,0 +1,14 @@
cmake_minimum_required(VERSION 3.22)
idf_build_get_property(esp_tee_build ESP_TEE_BUILD)
set(srcs)
set(include_dirs include)
if(esp_tee_build)
list(APPEND srcs "example_service.c")
endif()
idf_component_register(SRCS ${srcs}
INCLUDE_DIRS ${include_dirs}
PRIV_REQUIRES main)
@@ -0,0 +1,125 @@
/*
* SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Unlicense OR CC0-1.0
*/
#include <string.h>
#include "esp_cpu.h"
#include "esp_err.h"
#include "esp_log.h"
#include "psa/crypto.h"
#include "esp_tee.h"
#include "secure_service_num.h"
#include "example_service.h"
#define AES256_KEY_LEN 32
#define AES256_KEY_BITS (AES256_KEY_LEN * 8)
#define AES256_NONCE_LEN 12
static const char *TAG = "tee_secure_service";
/* Fixed key (only for example purposes) */
static const uint8_t key[AES256_KEY_LEN] = {[0 ... AES256_KEY_LEN - 1] = 0xA5};
/* Fixed nonce (only for example purposes) */
static const uint8_t nonce[AES256_NONCE_LEN] = {[0 ... AES256_NONCE_LEN - 1] = 0x5A};
static esp_err_t aes_gcm_crypt_common(example_aes_gcm_ctx_t *ctx, uint8_t *tag, size_t tag_len,
uint8_t *output, bool is_encrypt)
{
if (esp_cpu_get_curr_privilege_level() != ESP_CPU_S_MODE) {
ESP_LOGE(TAG, "Operation executing from illegal privilege level!");
return ESP_ERR_INVALID_STATE;
}
if (ctx == NULL || ctx->input == NULL || output == NULL || tag == NULL) {
return ESP_ERR_INVALID_ARG;
}
if (ctx->input_len == 0 || tag_len == 0) {
return ESP_ERR_INVALID_ARG;
}
ESP_LOGI(TAG, "Secure service call: PROTECTED M-mode");
ESP_LOGI(TAG, "AES-256-GCM %s", is_encrypt ? "encryption" : "decryption");
esp_err_t err = ESP_FAIL;
psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
psa_status_t status;
psa_key_id_t key_id;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t alg = PSA_ALG_GCM;
psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
psa_set_key_algorithm(&key_attributes, alg);
psa_set_key_type(&key_attributes, PSA_KEY_TYPE_AES);
psa_set_key_bits(&key_attributes, AES256_KEY_BITS);
status = psa_import_key(&key_attributes, key, sizeof(key), &key_id);
psa_reset_key_attributes(&key_attributes);
if (status != PSA_SUCCESS) {
ESP_LOGE(TAG, "Error in importing key: %d", status);
return ESP_ERR_INVALID_STATE;
}
if (is_encrypt) {
status = psa_aead_encrypt_setup(&operation, key_id, alg);
} else {
status = psa_aead_decrypt_setup(&operation, key_id, alg);
}
if (status != PSA_SUCCESS) {
ESP_LOGE(TAG, "Error in AEAD setup: %d", status);
goto cleanup;
}
status = psa_aead_set_lengths(&operation, ctx->aad_len, ctx->input_len);
if (status != PSA_SUCCESS) {
ESP_LOGE(TAG, "Error in setting lengths: %d", status);
goto cleanup;
}
psa_aead_set_nonce(&operation, nonce, AES256_NONCE_LEN);
if (ctx->aad_len > 0) {
status = psa_aead_update_ad(&operation, ctx->aad, ctx->aad_len);
if (status != PSA_SUCCESS) {
ESP_LOGE(TAG, "Error in updating AAD: %d", status);
goto cleanup;
}
}
size_t output_len = 0;
status = psa_aead_update(&operation, ctx->input, ctx->input_len, output, ctx->input_len, &output_len);
if (status != PSA_SUCCESS) {
ESP_LOGE(TAG, "Error in updating aead: %d", status);
goto cleanup;
}
if (is_encrypt) {
size_t output_tag_len = 0;
status = psa_aead_finish(&operation, output + output_len, ctx->input_len + tag_len - output_len, &output_len, tag, tag_len, &output_tag_len);
if (status != PSA_SUCCESS) {
ESP_LOGE(TAG, "Error in finishing encryption: %d", status);
goto cleanup;
}
} else {
size_t plaintext_len = 0;
status = psa_aead_verify(&operation, output, ctx->input_len, &plaintext_len, tag, tag_len);
if (status != PSA_SUCCESS) {
ESP_LOGE(TAG, "Error in verifying decryption: %d", status);
goto cleanup;
}
}
err = ESP_OK;
cleanup:
psa_aead_abort(&operation);
psa_destroy_key(key_id);
return err;
}
esp_err_t _ss_example_sec_serv_aes_gcm_encrypt(example_aes_gcm_ctx_t *ctx, uint8_t *tag, size_t tag_len, uint8_t *output)
{
return aes_gcm_crypt_common(ctx, tag, tag_len, output, true);
}
esp_err_t _ss_example_sec_serv_aes_gcm_decrypt(example_aes_gcm_ctx_t *ctx, const uint8_t *tag, size_t tag_len, uint8_t *output)
{
return aes_gcm_crypt_common(ctx, (uint8_t *)tag, tag_len, output, false);
}
@@ -0,0 +1,18 @@
/*
* SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Unlicense OR CC0-1.0
*/
#include "esp_err.h"
typedef struct {
const uint8_t *aad; /*!< Additional authenticated data */
size_t aad_len; /*!< Length of additional authenticated data */
const uint8_t *input; /*!< Input data buffer */
size_t input_len; /*!< Length of input data */
} example_aes_gcm_ctx_t;
esp_err_t example_sec_serv_aes_gcm_encrypt(example_aes_gcm_ctx_t *ctx, uint8_t *tag, size_t tag_len, uint8_t *output);
esp_err_t example_sec_serv_aes_gcm_decrypt(example_aes_gcm_ctx_t *ctx, const uint8_t *tag, size_t tag_len, uint8_t *output);
@@ -0,0 +1,11 @@
secure_services:
- family: example
entries:
- id: 200
type: custom
function: example_sec_serv_aes_gcm_encrypt
args: 4
- id: 201
type: custom
function: example_sec_serv_aes_gcm_decrypt
args: 4
@@ -0,0 +1,15 @@
# This file must be manually included in the project's top level CMakeLists.txt before project()
# This ensures that the variables are set before TEE starts building
get_filename_component(directory "${CMAKE_CURRENT_LIST_DIR}/.." ABSOLUTE DIRECTORY)
get_filename_component(name ${CMAKE_CURRENT_LIST_DIR} NAME)
# Append secure service table consisting of secure services
idf_build_set_property(CUSTOM_SECURE_SERVICE_YAML ${CMAKE_CURRENT_LIST_DIR}/sec_srv_tbl_example.yml APPEND)
# Append the directory of this component which is used by esp_tee component as
# EXTRA_COMPONENT_DIRS
idf_build_set_property(CUSTOM_SECURE_SERVICE_COMPONENT_DIR ${directory} APPEND)
# Append the name of the component so that esp_tee can include it in its COMPONENTS list
idf_build_set_property(CUSTOM_SECURE_SERVICE_COMPONENT ${name} APPEND)