diff --git a/docs/_static/esp_tee/esp32c6/esp_tee_arch.png b/docs/_static/esp_tee/esp_tee_arch.png similarity index 100% rename from docs/_static/esp_tee/esp32c6/esp_tee_arch.png rename to docs/_static/esp_tee/esp_tee_arch.png diff --git a/docs/_static/esp_tee/esp32c6/esp_tee_flash_layout.png b/docs/_static/esp_tee/esp_tee_flash_layout.png similarity index 100% rename from docs/_static/esp_tee/esp32c6/esp_tee_flash_layout.png rename to docs/_static/esp_tee/esp_tee_flash_layout.png diff --git a/docs/_static/esp_tee/esp32c6/esp_tee_intr_handling.png b/docs/_static/esp_tee/esp_tee_intr_handling.png similarity index 100% rename from docs/_static/esp_tee/esp32c6/esp_tee_intr_handling.png rename to docs/_static/esp_tee/esp_tee_intr_handling.png diff --git a/docs/_static/esp_tee/esp32c6/esp_tee_memory_layout.png b/docs/_static/esp_tee/esp_tee_memory_layout.png similarity index 100% rename from docs/_static/esp_tee/esp32c6/esp_tee_memory_layout.png rename to docs/_static/esp_tee/esp_tee_memory_layout.png diff --git a/docs/_static/esp_tee/esp32c6/esp_tee_ota_flash_partitions.png b/docs/_static/esp_tee/esp_tee_ota_flash_partitions.png similarity index 100% rename from docs/_static/esp_tee/esp32c6/esp_tee_ota_flash_partitions.png rename to docs/_static/esp_tee/esp_tee_ota_flash_partitions.png diff --git a/docs/conf_common.py b/docs/conf_common.py index 33c14f2f3b..3a0b3e7046 100644 --- a/docs/conf_common.py +++ b/docs/conf_common.py @@ -299,7 +299,7 @@ ESP32C5_DOCS = [ 'api-guides/phy.rst', 'api-reference/peripherals/sd_pullup_requirements.rst', 'api-guides/RF_calibration.rst', -] +] + ESP_TEE_DOCS ESP32C61_DOCS = [ 'api-guides/phy.rst', diff --git a/docs/doxygen/Doxyfile_esp32c5 b/docs/doxygen/Doxyfile_esp32c5 index 6a5f12226d..e8aa39b2aa 100644 --- a/docs/doxygen/Doxyfile_esp32c5 +++ b/docs/doxygen/Doxyfile_esp32c5 @@ -19,3 +19,7 @@ INPUT += \ $(PROJECT_PATH)/components/bt/include/$(IDF_TARGET)/include/esp_bt_vs.h \ $(PROJECT_PATH)/components/esp_phy/include/esp_phy_init.h \ $(PROJECT_PATH)/components/esp_phy/include/esp_phy_cert_test.h \ + $(PROJECT_PATH)/components/esp_tee/include/esp_tee.h \ + $(PROJECT_PATH)/components/esp_tee/subproject/components/tee_sec_storage/include/esp_tee_sec_storage.h \ + $(PROJECT_PATH)/components/esp_tee/subproject/components/tee_attestation/esp_tee_attestation.h \ + $(PROJECT_PATH)/components/esp_tee/subproject/components/tee_ota_ops/include/esp_tee_ota_ops.h \ diff --git a/docs/en/security/index.rst b/docs/en/security/index.rst index 6ff97c213c..9a108e9302 100644 --- a/docs/en/security/index.rst +++ b/docs/en/security/index.rst @@ -10,6 +10,6 @@ Security Guides flash-encryption :esp32: secure-boot-v1 secure-boot-v2 - :esp32c6: tee/index + :esp32c6 or esp32c5: tee/index security-features-enablement-workflows vulnerabilities diff --git a/docs/en/security/tee/tee-advanced.rst b/docs/en/security/tee/tee-advanced.rst index 5ba828552c..2ee59f643c 100644 --- a/docs/en/security/tee/tee-advanced.rst +++ b/docs/en/security/tee/tee-advanced.rst @@ -20,7 +20,7 @@ The ESP-TEE framework on {IDF_TARGET_NAME} utilizes the inherent features of the Together, these components enable the {IDF_TARGET_NAME} SoC to allocate the chip's hardware resources (internal memory, external memory, and peripherals) and software resources into two modes - Machine (M) mode and User (U) mode. The CPU can switch between these modes, with the TEE running in the higher privilege M-mode and the REE running in the lower privilege U-mode. - .. figure:: ../../../_static/esp_tee/{IDF_TARGET_PATH_NAME}/esp_tee_arch.png + .. figure:: ../../../_static/esp_tee/esp_tee_arch.png :align: center :scale: 90% :alt: ESP TEE Architecture for {IDF_TARGET_NAME} @@ -87,7 +87,7 @@ A region at the top of the HP SRAM is reserved for the TEE, allocated for TEE co The REE memory is partitioned into IRAM (text: Read/Execute) and DRAM (data: Read/Write) sections, with the division controlled by the PMP. However, the TEE memory is divided into IRAM and DRAM sections, with division enforced by the PMA. - .. figure:: ../../../_static/esp_tee/{IDF_TARGET_PATH_NAME}/esp_tee_memory_layout.png + .. figure:: ../../../_static/esp_tee/esp_tee_memory_layout.png :align: center :scale: 80% :alt: ESP TEE Memory Map for {IDF_TARGET_NAME} @@ -100,7 +100,7 @@ External Memory (Flash) Designated partitions in the external flash are reserved for the TEE, serving various purposes, including TEE code execution via XIP, secure storage, and OTA data. The PMS safeguards these partitions from unauthorized access, with the APM module protecting the MMU and SPI1 controller registers, and the PMP securing the cache. -.. figure:: ../../../_static/esp_tee/{IDF_TARGET_PATH_NAME}/esp_tee_flash_layout.png +.. figure:: ../../../_static/esp_tee/esp_tee_flash_layout.png :align: center :scale: 80% :alt: ESP TEE Flash Memory Map for {IDF_TARGET_NAME} @@ -163,20 +163,24 @@ The following peripherals are protected using the APM module and accessible only .. list:: - Access Permission Management (APM) peripheral - - AES, SHA accelerators - - ECC accelerator - - Hash-Based Message Authentication Code (HMAC) module - - Digital Signature module - - eFuse Controller - Interrupt Controller + - eFuse Controller - Brownout Detector - Super Watchdog Timer (SWDT) + :SOC_AES_SUPPORTED: - AES accelerator + :SOC_SHA_SUPPORTED: - SHA accelerator + :SOC_ECC_SUPPORTED: - ECC accelerator + :SOC_HMAC_SUPPORTED: - Hash-Based Message Authentication Code (HMAC) module + :SOC_DIG_SIGN_SUPPORTED: - Digital Signature module .. note:: - - The following peripherals will be secured in future releases - + The following peripherals will be secured in future releases: - - MPI accelerator (RSA) + .. list:: + + :SOC_MPI_SUPPORTED: - MPI accelerator (RSA) + :SOC_ECDSA_SUPPORTED: - ECDSA accelerator Firmware ^^^^^^^^ @@ -245,7 +249,7 @@ Once the interrupt is handled in the other execution environment, execution retu } -.. figure:: ../../../_static/esp_tee/{IDF_TARGET_PATH_NAME}/esp_tee_intr_handling.png +.. figure:: ../../../_static/esp_tee/esp_tee_intr_handling.png :align: center :alt: ESP-TEE: Interrupt Handling :figclass: align-center diff --git a/docs/en/security/tee/tee-ota.rst b/docs/en/security/tee/tee-ota.rst index 264b9c4be2..5b3adc33be 100644 --- a/docs/en/security/tee/tee-ota.rst +++ b/docs/en/security/tee/tee-ota.rst @@ -8,7 +8,7 @@ The OTA update mechanism allows a device to update itself based on data received TEE OTA requires configuring the partition table of the device with at least two TEE OTA app slot partitions (i.e., ``tee_0`` and ``tee_1``) and a TEE OTA Data Partition (type ``data`` and subtype ``tee_ota``). - .. figure:: ../../../_static/esp_tee/{IDF_TARGET_PATH_NAME}/esp_tee_ota_flash_partitions.png + .. figure:: ../../../_static/esp_tee/esp_tee_ota_flash_partitions.png :align: center :scale: 75% :alt: ESP TEE OTA Flash Partition diff --git a/docs/zh_CN/security/index.rst b/docs/zh_CN/security/index.rst index 5bbc61841e..da5da3dd41 100644 --- a/docs/zh_CN/security/index.rst +++ b/docs/zh_CN/security/index.rst @@ -10,6 +10,6 @@ flash-encryption :esp32: secure-boot-v1 secure-boot-v2 - :esp32c6: tee/index + :esp32c6 or esp32c5: tee/index security-features-enablement-workflows vulnerabilities