- Also fixed an issue where NewLib ROM APIs, when called from TEE, were
using the syscall table located in the REE SRAM. This could be abused
as an attack vector to invoke illegal functions from the TEE.
To prevent this, the syscall table is now switched to the TEE-specific
copy during every M-U mode transition.
Currently, REE SPI flash HAL operations are routed as service calls to TEE,
but the TEE implementation incorrectly uses ROM APIs instead of HAL APIs.
This leads to issues and is not the recommended approach.
- Previously, only the U-mode interrupt threshold was raised in REE critical sections,
leaving M-mode at the lowest level.
- As a result, when a service call transitioned to M-mode, all interrupts were still
allowed to fire, including those that should have been masked.
- Remove GPTIMER and TIMG related definitions from soc_caps_full.h files
- Move timer peripheral definitions to appropriate HAL layer files
- Update references across components to use proper HAL abstractions
- Consolidate timer group and GPTIMER capabilities organization
- Ensure consistent timer configuration across all ESP32 variants
This refactoring improves the separation of concerns between SOC
capabilities and HAL implementations for timer-related functionality.
- Ensure bound checks correctly handle all scenarios, including
when a requested operation's (SPI0/1) range fully contains the
TEE-protected region.
- Disable delegation of INTWDT timeout and Cache error interrupts as they reset
the device after the panic handler
- Fix incorrect setting in the edge interrupt acknowledgement API
- Avoid executing the service call dispatcher in the U-mode ecall,
rather execute `mret` to jump it
- Avoid `t1` register corruption when processing `ecall`
- Switch back to the bootloader stack from TEE stack after the
execution of the entire TEE initialization routine
- Place the APM HAL into TEE IRAM when `CONFIG_SECURE_TEE_EXT_FLASH_MEMPROT_SPI1`
is enabled, as APM violations related to SPI1 can occur with the flash cache disabled.
- Also fix an issue where flash protection tests were passing due to incorrect checks
- Decreased from 32KB to 24KB, keeping in mind the current maximum TEE heap
usage and some overhead
- Make the TEE panic handler logs concise, saving some DRAM
- Remove `mret` for jumping to the service call dispatcher; instead, enable
interrupts and execute directly
- Fix potential corruption of the `t3` register when returning from a service
call
- Simplify the secure service dispatcher function
feat(esp_tee): Add support for flash memory isolation and protection (SPI1)
Closes IDF-10481, IDF-10083, and IDF-8915
See merge request espressif/esp-idf!36454
Also:
- Split the secure service table into two parts: one DRAM-resident and the
other DROM-resident. The former holds the services invoked when the cache is
disabled or suspended while the latter holds rest of the services.
Laukik Hase
Ashish Sharma
Alexey Lapshin
Mahavir Jain
morris
Aditya Patwardhan
harshal.patil