TEE secure-service handlers had two bugs letting REE bypass
pointer-region validation:

1. `valid_addr =` instead of `valid_addr &=` in AEAD encrypt/decrypt
   and DS sign handlers, clobbering prior failed checks.
   Impact: REE writes to TEE DRAM via DS signature output, or reads
   TEE DRAM via AEAD output.
2. `data->rsa_length` dereferenced before `data` is validated in DS sign
   and DS start_sign handlers.

Fix: use `&=` for subsequent checks, add early return after initial
data pointer check in DS handlers.
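
The first bug in the commit message above, reduced to a host-runnable sketch (an added example, not code from ESP-IDF). The memory map values, `aead_req_t`, `ree_range_ok()` and both validators are hypothetical names constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed memory map for illustration; not a real SoC layout. */
#define TEE_DRAM_BASE 0x1000u
#define REE_BASE      0x8000u
#define REE_END       0xC000u

/* Hypothetical request: addresses the REE hands to a secure service. */
typedef struct {
    uintptr_t in, out, tag;
    size_t in_len, out_len, tag_len;
} aead_req_t;

/* True only if [addr, addr + len) lies wholly inside REE memory.
 * Written so that addr + len can never wrap around. */
static bool ree_range_ok(uintptr_t addr, size_t len)
{
    return addr >= REE_BASE && addr <= REE_END && len <= REE_END - addr;
}

/* Buggy pattern: the plain '=' on the last check discards earlier failures. */
bool validate_buggy(const aead_req_t *r)
{
    bool valid_addr = ree_range_ok(r->in, r->in_len);
    valid_addr &= ree_range_ok(r->out, r->out_len);
    valid_addr = ree_range_ok(r->tag, r->tag_len);
    return valid_addr;
}

/* Fixed pattern: every check after the first accumulates with '&='. */
bool validate_fixed(const aead_req_t *r)
{
    bool valid_addr = ree_range_ok(r->in, r->in_len);
    valid_addr &= ree_range_ok(r->out, r->out_len);
    valid_addr &= ree_range_ok(r->tag, r->tag_len);
    return valid_addr;
}

int main(void)
{
    /* Constructed request: output buffer aimed at TEE DRAM, the rest in REE. */
    aead_req_t r = { REE_BASE, TEE_DRAM_BASE, REE_BASE + 0x200, 0x100, 0x100, 16 };
    printf("buggy=%d fixed=%d\n", validate_buggy(&r), validate_fixed(&r));
    return 0;
}
```
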
- Using PMA, the TEE IRAM is marked as R/X while TEE DRAM is marked as R/W.
Moving the internal memory secure service call table from DRAM to IRAM
makes it immutable.
- Fix intermittent TEE stack underflow test failures
- Fix out-of-bounds access Coverity report from the attestation
component
- Add appropriate checks and asserts for TEE flash memory regions'
sizes
This commit reorganizes SPI flash header files to better reflect their
visibility and intended usage:

1. Rename `esp_flash_port/` to `esp_flash_chips/`:
   - Better reflects that these headers are for chip driver implementations
   - All chip driver headers moved to `esp_flash_chips/` directory
   - Added README.md explaining semi-public nature of these headers
2. Move internal headers to `esp_private/`:
   - `esp_flash_internal.h` -> `esp_private/esp_flash_internal.h`
   - `memspi_host_driver.h` -> `esp_private/memspi_host_driver.h`
3. Move chip driver related headers to `esp_flash_chips/`:
   - `esp_private/esp_flash_types.h` -> `esp_flash_chips/esp_flash_types.h`
   - `spi_flash/spi_flash_defs.h` -> `esp_flash_chips/spi_flash_defs.h`
   - `spi_flash_override.h` -> `esp_flash_chips/spi_flash_override.h`
   - All `spi_flash_chip_*.h` headers moved to `esp_flash_chips/`
4. Code improvements:
   - Remove unused includes (e.g., `spi_flash_override.h` from `cache_utils.c`)
   - Use public API `esp_flash_get_size()` instead of direct member access
   - Add `esp_flash_is_quad_mode` to linker.lf for IRAM placement
5. Documentation updates:
   - Add README.md in `esp_flash_chips/` explaining semi-public headers
   - Update programming guide with warnings about internal headers
   - Update both English and Chinese documentation
6. Update all references across the codebase:
   - Update includes in `spi_flash` component
   - Update `bootloader_support`, `app_update`, `esp_tee`, `espcoredump`
   - Update example projects

Breaking changes:
- Headers moved to new locations require include path updates
- `custom_flash_driver` example temporarily disabled until external
  components are updated
- Increased the TEE stack when secure boot is enabled
- Also, generate a build error when the generated TEE binary image size is
greater than the TEE partition size
remove the configurable constraint for sleep memory usage optimization option
Closes IDFGH-16634 and IDF-13780
See merge request espressif/esp-idf!42882
- Also set the RX burst size correctly for AES/SHA DMA operations
with ESP-TEE
- Fix the compile-time minimum chip revision check for patching
the `ets_delay_us` API
- Also fixed an issue where NewLib ROM APIs, when called from TEE, were
using the syscall table located in the REE SRAM. This could be abused
as an attack vector to invoke illegal functions from the TEE.
To prevent this, the syscall table is now switched to the TEE-specific
copy during every M-U mode transition.