refactor(esp_tee): Update TEE attestation tests and examples to use the PSA interface

examples/security/tee/tee_attestation/README.md

@@ -26,7 +26,7 @@
     "key_id": "tee_att_key0",
   },
   "eat": {
-    "nonce": -1582119980,
+    "auth_challenge": "dcb9b53143ad6b081dad1a05c7ebda4e314d388762215799cf24ed52e9387678",
     "client_id": 262974944,
     "device_ver": 1,
     "device_id": "e8cddb2a7f9a5a7c61735d6dda26e4bd153c6d772a9be6f26bd321dfe25e0ac8",

examples/security/tee/tee_attestation/main/CMakeLists.txt

@@ -1,2 +1,3 @@
 idf_component_register(SRCS "app_main.c"
-                       INCLUDE_DIRS ".")
+                       INCLUDE_DIRS "."
+                       PRIV_REQUIRES esp_tee mbedtls)

examples/security/tee/tee_attestation/main/app_main.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Unlicense OR CC0-1.0
  */
@@ -9,43 +9,54 @@
 
 #include "esp_system.h"
 #include "esp_log.h"
+#include "esp_random.h"
 
 #include "freertos/FreeRTOS.h"
 #include "freertos/task.h"
 
-#include "esp_tee_attestation.h"
+#include "psa/crypto.h"
+#include "psa/initial_attestation.h"
 
 static const char *TAG = "example_tee_attest";
 
-#define ESP_ATT_TK_NONCE         (0xA1B2C3D4)
-#define ESP_ATT_TK_CLIENT_ID     (0x0FACADE0)
-
-#define ESP_ATT_TK_BUF_SIZE      (1792)
-#define ESP_ATT_TK_PSA_CERT_REF  ("0716053550477-10100")
-
-static uint8_t token_buf[ESP_ATT_TK_BUF_SIZE] = {0};
-
 void app_main(void)
 {
     ESP_LOGI(TAG, "TEE Attestation Service");
 
-    uint32_t token_len = 0;
+    // Prepare authentication challenge for freshness
+    uint8_t auth_challenge[PSA_INITIAL_ATTEST_CHALLENGE_SIZE_32];
+    size_t challenge_size = sizeof(auth_challenge);
+    esp_fill_random(auth_challenge, challenge_size);
 
-    /* Generate entity attestation token using the following parameters
-     * and return the token length in token_len:
-     * - Nonce value for freshness
-     * - Client ID to identify requester
-     * - PSA certification ID reference string
-     * - Buffer to store the generated token
+    // Get the required token buffer size
+    size_t token_buf_size = 0;
+    psa_status_t status = psa_initial_attest_get_token_size(challenge_size, &token_buf_size);
+    if (status != PSA_SUCCESS) {
+        ESP_LOGE(TAG, "Failed to get token size: %x", status);
+        abort();
+    }
+
+    // Allocate buffer based on the required size
+    uint8_t *token_buf = calloc(token_buf_size, sizeof(uint8_t));
+    if (token_buf == NULL) {
+        abort();
+    }
+
+    /* Generate entity attestation token using PSA interface
+     * - Authentication challenge for freshness
+     * - Dynamic buffer allocation based on required size
      */
-    esp_err_t err = esp_tee_att_generate_token(ESP_ATT_TK_NONCE, ESP_ATT_TK_CLIENT_ID, (const char *)ESP_ATT_TK_PSA_CERT_REF,
-                                               token_buf, sizeof(token_buf), &token_len);
-    if (err != ESP_OK) {
-        ESP_LOGE(TAG, "Failed to generate entity attestation token!");
+    size_t token_len = 0;
+    status = psa_initial_attest_get_token(auth_challenge, challenge_size, token_buf, token_buf_size, &token_len);
+    if (status != PSA_SUCCESS) {
+        ESP_LOGE(TAG, "Failed to generate entity attestation token: %x (PSA status)", status);
+        free(token_buf);
         abort();
     }
 
     /* Print the generated token details - length and contents */
-    ESP_LOGI(TAG, "Attestation token - Length: %lu", token_len);
+    ESP_LOGI(TAG, "Attestation token - Length: %zu", token_len);
     ESP_LOGI(TAG, "Attestation token - Data:\n'%.*s'", (int)token_len, token_buf);
+
+    free(token_buf);
 }

examples/security/tee/tee_attestation/main/idf_component.yml

@@ -1,3 +0,0 @@
-dependencies:
-  tee_attestation:
-    path: ${IDF_PATH}/components/esp_tee/subproject/components/tee_attestation