Critical severity9.3NVD Advisory· Published Jun 10, 2026
CVE-2026-45328
CVE-2026-45328
Description
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.4 and 6.0, the esp_tee component exposes secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c that bridge calls from the user application (i.e. the REE) to TEE-protected hardware peripherals (AES, SHA, ECC, HMAC, SPI, MMU, WDT) and to the security feature like attestation, OTA updates, secure storage. This issue has been patched in versions 5.5.5 and 6.0.1.
Affected products
2Patches
6764626a1b7c8change(esp_tee): Move the internal memory secure service call table to IRAM
1 file changed · +1 −1
components/esp_tee/subproject/main/core/esp_secure_service_table.c+1 −1 modified@@ -13,7 +13,7 @@ #pragma GCC diagnostic ignored "-Woverride-init" #endif -const DRAM_ATTR secure_service_entry_t tee_sec_srv_tbl_int_mem[] = { +const IRAM_ATTR secure_service_entry_t tee_sec_srv_tbl_int_mem[] = { [0 ... SECURE_SERVICES_SPLIT_ID - 1] = { .func = NULL, .nargs = 0 }, #define __SECURE_SERVICE(NR, SYM, ARGC) [NR] = { .func = _ss_##SYM, .nargs = ARGC }, #include "secure_service_int.h"
afd14ab113acchange(esp_tee): Move the internal memory secure service call table to IRAM
1 file changed · +1 −1
components/esp_tee/subproject/main/core/esp_secure_service_table.c+1 −1 modified@@ -13,7 +13,7 @@ #pragma GCC diagnostic ignored "-Woverride-init" #endif -const DRAM_ATTR secure_service_entry_t tee_sec_srv_tbl_int_mem[] = { +const IRAM_ATTR secure_service_entry_t tee_sec_srv_tbl_int_mem[] = { [0 ... SECURE_SERVICES_SPLIT_ID - 1] = { .func = NULL, .nargs = 0 }, #define __SECURE_SERVICE(NR, SYM, ARGC) [NR] = { .func = _ss_##SYM, .nargs = ARGC }, #include "secure_service_int.h"
440a5d190650change(esp_tee): Move the internal memory secure service call table to IRAM
2 files changed · +3 −3
components/esp_tee/subproject/main/core/esp_secure_service_table.c+1 −1 modified@@ -13,7 +13,7 @@ #pragma GCC diagnostic ignored "-Woverride-init" #endif -const DRAM_ATTR secure_service_entry_t tee_sec_srv_tbl_int_mem[] = { +const IRAM_ATTR secure_service_entry_t tee_sec_srv_tbl_int_mem[] = { [0 ... SECURE_SERVICES_SPLIT_ID - 1] = { .func = NULL, .nargs = 0 }, #define __SECURE_SERVICE(NR, SYM, ARGC) [NR] = { .func = _ss_##SYM, .nargs = ARGC }, #include "secure_service_int.h"
components/esp_tee/test_apps/tee_cli_app/sdkconfig.ci.release+2 −2 modified@@ -1,6 +1,6 @@ # Reducing TEE IRAM size -# 29KB -CONFIG_SECURE_TEE_IRAM_SIZE=0x7400 +# 30KB +CONFIG_SECURE_TEE_IRAM_SIZE=0x7800 # TEE Secure Storage: Release mode CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE=y
eebabaff2fdcfix(esp_tee): Add missing input validation checks for TEE service calls
12 files changed · +412 −141
components/esp_tee/subproject/components/tee_ota_ops/esp_tee_ota_ops.c+1 −1 modified@@ -108,7 +108,7 @@ esp_err_t esp_tee_ota_write(uint32_t rel_offset, const void *data, size_t size) return ESP_ERR_INVALID_STATE; } - if (rel_offset + size > ota_handle.tee_next.pos.size) { + if (size > ota_handle.tee_next.pos.size || rel_offset > ota_handle.tee_next.pos.size - size) { ESP_LOGE(TAG, "Out of region write not allowed!"); return ESP_FAIL; }
components/esp_tee/subproject/main/common/multi_heap.c+5 −2 modified@@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2024-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -19,7 +19,10 @@ inline static void multi_heap_assert(bool condition, const char *format, int lin /* Can't use libc assert() here as it calls printf() which can cause another malloc() for a newlib lock. Also, it's useful to be able to print the memory address where corruption was detected. */ - (void) condition; + if (!condition) { + esp_rom_printf(format, line, address); + abort(); + } } #define MULTI_HEAP_ASSERT(CONDITION, ADDRESS) \
components/esp_tee/subproject/main/core/esp_secure_services.c+167 −39 modified@@ -44,8 +44,10 @@ int _ss_esp_aes_crypt_cbc(esp_aes_context *ctx, const unsigned char *input, unsigned char *output) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + length)) && esp_tee_ptr_in_ree((void *)(output + length)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_aes_context)) && + esp_tee_buf_in_ree(iv, 16) && + esp_tee_buf_in_ree(input, length) && + esp_tee_buf_in_ree(output, length)); if (!valid_addr) { return -1; @@ -63,8 +65,11 @@ int _ss_esp_aes_crypt_cfb128(esp_aes_context *ctx, const unsigned char *input, unsigned char *output) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + length)) && esp_tee_ptr_in_ree((void *)(output + length)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_aes_context)) && + esp_tee_buf_in_ree(iv_off, sizeof(size_t)) && + esp_tee_buf_in_ree(iv, 16) && + esp_tee_buf_in_ree(input, length) && + esp_tee_buf_in_ree(output, length)); if (!valid_addr) { return -1; @@ -81,8 +86,10 @@ int _ss_esp_aes_crypt_cfb8(esp_aes_context *ctx, const unsigned char *input, unsigned char *output) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + length)) && esp_tee_ptr_in_ree((void *)(output + length)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_aes_context)) && + esp_tee_buf_in_ree(iv, 16) && + esp_tee_buf_in_ree(input, length) && + esp_tee_buf_in_ree(output, length)); if (!valid_addr) { return -1; @@ -100,8 +107,12 @@ int _ss_esp_aes_crypt_ctr(esp_aes_context *ctx, const unsigned char *input, unsigned char *output) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + length)) && esp_tee_ptr_in_ree((void *)(output + length)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_aes_context)) && + esp_tee_buf_in_ree(nc_off, sizeof(size_t)) && + esp_tee_buf_in_ree(nonce_counter, 16) && + esp_tee_buf_in_ree(stream_block, 16) && + esp_tee_buf_in_ree(input, length) && + esp_tee_buf_in_ree(output, length)); if (!valid_addr) { return -1; @@ -116,8 +127,9 @@ int _ss_esp_aes_crypt_ecb(esp_aes_context *ctx, const unsigned char input[16], unsigned char output[16]) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + 16)) && esp_tee_ptr_in_ree((void *)(output + 16)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_aes_context)) && + esp_tee_buf_in_ree(input, 16) && + esp_tee_buf_in_ree(output, 16)); if (!valid_addr) { return -1; @@ -134,8 +146,11 @@ int _ss_esp_aes_crypt_ofb(esp_aes_context *ctx, const unsigned char *input, unsigned char *output) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + length)) && esp_tee_ptr_in_ree((void *)(output + length)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_aes_context)) && + esp_tee_buf_in_ree(iv_off, sizeof(size_t)) && + esp_tee_buf_in_ree(iv, 16) && + esp_tee_buf_in_ree(input, length) && + esp_tee_buf_in_ree(output, length)); if (!valid_addr) { return -1; @@ -147,10 +162,63 @@ int _ss_esp_aes_crypt_ofb(esp_aes_context *ctx, /* ---------------------------------------------- SHA ------------------------------------------------- */ +static size_t get_sha_digest_size(esp_sha_type sha_type) +{ + switch (sha_type) { + case SHA1: return 20; + case SHA2_224: return 28; + case SHA2_256: return 32; +#if SOC_SHA_SUPPORT_SHA384 + case SHA2_384: return 48; +#endif +#if SOC_SHA_SUPPORT_SHA512 + case SHA2_512: return 64; +#endif + default: return 0; + } +} + +static size_t get_sha_state_size(esp_sha_type sha_type) +{ + switch (sha_type) { + case SHA1: return 20; + case SHA2_224: + case SHA2_256: return 32; +#if SOC_SHA_SUPPORT_SHA384 + case SHA2_384: return 64; +#endif +#if SOC_SHA_SUPPORT_SHA512 + case SHA2_512: return 64; +#endif + default: return 0; + } +} + +static size_t get_sha_block_size(esp_sha_type sha_type) +{ + switch (sha_type) { + case SHA1: + case SHA2_224: + case SHA2_256: return 64; +#if SOC_SHA_SUPPORT_SHA384 + case SHA2_384: return 128; +#endif +#if SOC_SHA_SUPPORT_SHA512 + case SHA2_512: return 128; +#endif + default: return 0; + } +} + void _ss_esp_sha(esp_sha_type sha_type, const unsigned char *input, size_t ilen, unsigned char *output) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + ilen)))); + size_t digest_size = get_sha_digest_size(sha_type); + if (digest_size == 0) { + return; + } + + bool valid_addr = (esp_tee_buf_in_ree(input, ilen) && + esp_tee_buf_in_ree(output, digest_size)); if (!valid_addr) { return; @@ -163,11 +231,9 @@ void _ss_esp_sha(esp_sha_type sha_type, const unsigned char *input, size_t ilen, int _ss_esp_sha_dma(esp_sha_type sha_type, const void *input, uint32_t ilen, const void *buf, uint32_t buf_len, bool is_first_block) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)input) && - esp_tee_ptr_in_ree((void *)((char *)input + ilen))); + bool valid_addr = esp_tee_buf_in_ree(input, ilen); if (buf_len) { - valid_addr &= (esp_tee_ptr_in_ree((void *)buf) && - esp_tee_ptr_in_ree((void *)((char *)buf + buf_len))); + valid_addr &= esp_tee_buf_in_ree(buf, buf_len); } if (!valid_addr) { @@ -180,16 +246,52 @@ int _ss_esp_sha_dma(esp_sha_type sha_type, const void *input, uint32_t ilen, void _ss_esp_sha_read_digest_state(esp_sha_type sha_type, void *digest_state) { + size_t state_sz = get_sha_state_size(sha_type); + if (state_sz == 0) { + return; + } + + bool valid_addr = esp_tee_buf_in_ree(digest_state, state_sz); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + sha_hal_read_digest(sha_type, digest_state); } void _ss_esp_sha_write_digest_state(esp_sha_type sha_type, void *digest_state) { + size_t state_sz = get_sha_state_size(sha_type); + if (state_sz == 0) { + return; + } + + bool valid_addr = esp_tee_buf_in_ree(digest_state, state_sz); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + sha_hal_write_digest(sha_type, digest_state); } void _ss_esp_sha_block(esp_sha_type sha_type, const void *data_block, bool is_first_block) { + size_t block_sz = get_sha_block_size(sha_type); + if (block_sz == 0) { + return; + } + + bool valid_addr = esp_tee_buf_in_ree(data_block, block_sz); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + esp_sha_block(sha_type, data_block, is_first_block); } @@ -214,8 +316,8 @@ int _ss_esp_sha_512_t_init_hash(uint16_t t) esp_err_t _ss_esp_hmac_calculate(hmac_key_id_t key_id, const void *message, size_t message_len, uint8_t *hmac) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)message) && esp_tee_ptr_in_ree((void *)hmac)) && - esp_tee_ptr_in_ree((void *)((char *)message + message_len))); + bool valid_addr = (esp_tee_buf_in_ree(message, message_len) && + esp_tee_buf_in_ree(hmac, 32)); #if CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE valid_addr &= (key_id != (hmac_key_id_t)CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID); @@ -232,7 +334,7 @@ esp_err_t _ss_esp_hmac_calculate(hmac_key_id_t key_id, const void *message, size esp_err_t _ss_esp_hmac_jtag_enable(hmac_key_id_t key_id, const uint8_t *token) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)token)); + bool valid_addr = esp_tee_buf_in_ree((void *)token, 32); #if CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE valid_addr &= (key_id != (hmac_key_id_t)CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID); @@ -252,14 +354,25 @@ esp_err_t _ss_esp_hmac_jtag_disable(void) return esp_hmac_jtag_disable(); } +#define ESP_DS_DATA_KEY_SIZE 32 + +static size_t get_ds_msg_sign_len(esp_digital_signature_length_t rsa_length) +{ + if (rsa_length != ESP_DS_RSA_1024 && rsa_length != ESP_DS_RSA_2048 && + rsa_length != ESP_DS_RSA_3072 && rsa_length != ESP_DS_RSA_4096) { + return 0; + } + return (size_t)(rsa_length + 1) * 4; +} + esp_err_t _ss_esp_ds_sign(const void *message, const esp_ds_data_t *data, hmac_key_id_t key_id, void *signature) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)message) && - esp_tee_ptr_in_ree((void *)data) && - esp_tee_ptr_in_ree((void *)signature)); + bool valid_addr = esp_tee_buf_in_ree(data, sizeof(esp_ds_data_t)); + size_t n = get_ds_msg_sign_len(data->rsa_length); + valid_addr = (n > 0) && esp_tee_buf_in_ree(message, n) && esp_tee_buf_in_ree(signature, n); #if CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE valid_addr &= (key_id != (hmac_key_id_t)CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID); @@ -279,9 +392,10 @@ esp_err_t _ss_esp_ds_start_sign(const void *message, hmac_key_id_t key_id, esp_ds_context_t **esp_ds_ctx) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)message) && - esp_tee_ptr_in_ree((void *)data) && - esp_tee_ptr_in_ree((void *)esp_ds_ctx)); + bool valid_addr = (esp_tee_buf_in_ree(esp_ds_ctx, sizeof(esp_ds_context_t *)) && + esp_tee_buf_in_ree(data, sizeof(esp_ds_data_t))); + size_t n = get_ds_msg_sign_len(data->rsa_length); + valid_addr = (n > 0) && esp_tee_buf_in_ree(message, n); #if CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE valid_addr &= (key_id != (hmac_key_id_t)CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID); @@ -303,10 +417,8 @@ bool _ss_esp_ds_is_busy(void) esp_err_t _ss_esp_ds_finish_sign(void *signature, esp_ds_context_t *esp_ds_ctx) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)signature) && - esp_tee_ptr_in_ree((void *)esp_ds_ctx)); - - valid_addr &= esp_tee_ptr_in_ree((void *)((char *)esp_ds_ctx + sizeof(esp_ds_data_t))); + const size_t max_sign = get_ds_msg_sign_len(ESP_DS_RSA_4096); + bool valid_addr = esp_tee_buf_in_ree(signature, max_sign); if (!valid_addr) { return ESP_ERR_INVALID_ARG; @@ -321,10 +433,10 @@ esp_err_t _ss_esp_ds_encrypt_params(esp_ds_data_t *data, const esp_ds_p_data_t *p_data, const void *key) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)data) && esp_tee_ptr_in_ree((void *)p_data)) && - (esp_tee_ptr_in_ree((void *)iv) && esp_tee_ptr_in_ree((void *)key))); - - valid_addr &= esp_tee_ptr_in_ree((void *)((char *)data + sizeof(esp_ds_data_t))); + bool valid_addr = (esp_tee_buf_in_ree(data, sizeof(esp_ds_data_t)) && + esp_tee_buf_in_ree(iv, ESP_DS_IV_LEN) && + esp_tee_buf_in_ree(p_data, sizeof(esp_ds_p_data_t)) && + esp_tee_buf_in_ree(key, ESP_DS_DATA_KEY_SIZE)); if (!valid_addr) { return ESP_ERR_INVALID_ARG; @@ -345,8 +457,11 @@ void _ss_esp_crypto_mpi_enable_periph_clk(bool enable) int _ss_esp_ecc_point_multiply(const ecc_point_t *point, const uint8_t *scalar, ecc_point_t *result, bool verify_first) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)result)) && - esp_tee_ptr_in_ree((void *)((char *)result + sizeof(ecc_point_t))); + bool valid_addr = (esp_tee_buf_in_ree(point, sizeof(ecc_point_t)) && + esp_tee_buf_in_ree(result, sizeof(ecc_point_t))); + if (valid_addr) { + valid_addr = esp_tee_buf_in_ree(scalar, MAX_SIZE); + } if (!valid_addr) { return -1; @@ -358,6 +473,13 @@ int _ss_esp_ecc_point_multiply(const ecc_point_t *point, const uint8_t *scalar, int _ss_esp_ecc_point_verify(const ecc_point_t *point) { + bool valid_addr = esp_tee_buf_in_ree(point, sizeof(ecc_point_t)); + + if (!valid_addr) { + return -1; + } + ESP_FAULT_ASSERT(valid_addr); + return esp_ecc_point_verify(point); } @@ -375,8 +497,7 @@ int _ss_esp_tee_ota_begin(void) int _ss_esp_tee_ota_write(uint32_t rel_offset, void *data, size_t size) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)data)) && - (esp_tee_ptr_in_ree((void *)((char *)data + size)))); + bool valid_addr = esp_tee_buf_in_ree(data, size); if (!valid_addr) { return -1; @@ -400,5 +521,12 @@ esp_err_t _ss_esp_tee_sec_storage_clear_key(const char *key_id) esp_err_t _ss_esp_tee_sec_storage_gen_key(const esp_tee_sec_storage_key_cfg_t *cfg) { + bool valid_addr = esp_tee_buf_in_ree(cfg, sizeof(esp_tee_sec_storage_key_cfg_t)); + + if (!valid_addr) { + return ESP_ERR_INVALID_ARG; + } + ESP_FAULT_ASSERT(valid_addr); + return esp_tee_sec_storage_gen_key(cfg); }
components/esp_tee/subproject/main/core/esp_secure_services_iram.c+195 −81 modified@@ -27,6 +27,7 @@ #include "esp_tee_intr.h" #include "esp_tee_rv_utils.h" +#include "nvs.h" #include "esp_tee_flash.h" #include "esp_tee_sec_storage.h" @@ -114,21 +115,35 @@ void _ss_esprv_int_set_vectored(int rv_int_num, bool vectored) void _ss_wdt_hal_init(wdt_hal_context_t *hal, wdt_inst_t wdt_inst, uint32_t prescaler, bool enable_intr) { + bool valid_addr = esp_tee_buf_in_ree(hal, sizeof(wdt_hal_context_t)); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + wdt_hal_init(hal, wdt_inst, prescaler, enable_intr); } void _ss_wdt_hal_deinit(wdt_hal_context_t *hal) { + bool valid_addr = esp_tee_buf_in_ree(hal, sizeof(wdt_hal_context_t)); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + wdt_hal_deinit(hal); } /* ---------------------------------------------- Secure Storage ------------------------------------------------- */ esp_err_t _ss_esp_tee_sec_storage_ecdsa_sign(const esp_tee_sec_storage_key_cfg_t *cfg, const uint8_t *hash, size_t hlen, esp_tee_sec_storage_ecdsa_sign_t *out_sign) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)hash) && esp_tee_ptr_in_ree((void *)out_sign)) && - (esp_tee_ptr_in_ree((void *)(hash + hlen)) && - esp_tee_ptr_in_ree((void *)((char *)out_sign + sizeof(esp_tee_sec_storage_ecdsa_sign_t))))); + bool valid_addr = (esp_tee_buf_in_ree(cfg, sizeof(esp_tee_sec_storage_key_cfg_t)) && + esp_tee_buf_in_ree(hash, hlen) && + esp_tee_buf_in_ree(out_sign, sizeof(esp_tee_sec_storage_ecdsa_sign_t))); if (!valid_addr) { return ESP_ERR_INVALID_ARG; @@ -140,8 +155,8 @@ esp_err_t _ss_esp_tee_sec_storage_ecdsa_sign(const esp_tee_sec_storage_key_cfg_t esp_err_t _ss_esp_tee_sec_storage_ecdsa_get_pubkey(const esp_tee_sec_storage_key_cfg_t *cfg, esp_tee_sec_storage_ecdsa_pubkey_t *out_pubkey) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)out_pubkey)) && - (esp_tee_ptr_in_ree((void *)((char *)out_pubkey + sizeof(esp_tee_sec_storage_ecdsa_pubkey_t))))); + bool valid_addr = (esp_tee_buf_in_ree(cfg, sizeof(esp_tee_sec_storage_key_cfg_t)) && + esp_tee_buf_in_ree(out_pubkey, sizeof(esp_tee_sec_storage_ecdsa_pubkey_t))); if (!valid_addr) { return ESP_ERR_INVALID_ARG; @@ -153,18 +168,14 @@ esp_err_t _ss_esp_tee_sec_storage_ecdsa_get_pubkey(const esp_tee_sec_storage_key esp_err_t _ss_esp_tee_sec_storage_aead_encrypt(esp_tee_sec_storage_aead_ctx_t *ctx, uint8_t *tag, size_t tag_len, uint8_t *output) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)ctx->input) && - esp_tee_ptr_in_ree((void *)ctx->iv) && - esp_tee_ptr_in_ree((void *)tag) && - esp_tee_ptr_in_ree((void *)output)); - - valid_addr &= (esp_tee_ptr_in_ree((void *)(ctx->input + ctx->input_len)) && - esp_tee_ptr_in_ree((void *)(ctx->iv + AES_GCM_SUPPORTED_IV_LEN)) && - esp_tee_ptr_in_ree((void *)(tag + tag_len)) && - esp_tee_ptr_in_ree((void *)(output + ctx->input_len))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_tee_sec_storage_aead_ctx_t)) && + esp_tee_buf_in_ree(ctx->input, ctx->input_len) && + esp_tee_buf_in_ree(ctx->iv, AES_GCM_SUPPORTED_IV_LEN) && + esp_tee_buf_in_ree(tag, tag_len) && + esp_tee_buf_in_ree(output, ctx->input_len)); - if (ctx->aad) { - valid_addr &= (esp_tee_ptr_in_ree((void *)ctx->aad) && esp_tee_ptr_in_ree((void *)(ctx->aad + ctx->aad_len))); + if (ctx->aad_len != 0) { + valid_addr = esp_tee_buf_in_ree(ctx->aad, ctx->aad_len); } if (!valid_addr) { @@ -177,18 +188,14 @@ esp_err_t _ss_esp_tee_sec_storage_aead_encrypt(esp_tee_sec_storage_aead_ctx_t *c esp_err_t _ss_esp_tee_sec_storage_aead_decrypt(const esp_tee_sec_storage_aead_ctx_t *ctx, const uint8_t *tag, size_t tag_len, uint8_t *output) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)ctx->input) && - esp_tee_ptr_in_ree((void *)ctx->iv) && - esp_tee_ptr_in_ree((void *)tag) && - esp_tee_ptr_in_ree((void *)output)); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_tee_sec_storage_aead_ctx_t)) && + esp_tee_buf_in_ree(ctx->input, ctx->input_len) && + esp_tee_buf_in_ree(ctx->iv, AES_GCM_SUPPORTED_IV_LEN) && + esp_tee_buf_in_ree(tag, tag_len) && + esp_tee_buf_in_ree(output, ctx->input_len)); - valid_addr &= (esp_tee_ptr_in_ree((void *)(ctx->input + ctx->input_len)) && - esp_tee_ptr_in_ree((void *)(ctx->iv + AES_GCM_SUPPORTED_IV_LEN)) && - esp_tee_ptr_in_ree((void *)(tag + tag_len)) && - esp_tee_ptr_in_ree((void *)(output + ctx->input_len))); - - if (ctx->aad) { - valid_addr &= (esp_tee_ptr_in_ree((void *)ctx->aad) && esp_tee_ptr_in_ree((void *)(ctx->aad + ctx->aad_len))); + if (ctx->aad_len != 0) { + valid_addr = esp_tee_buf_in_ree(ctx->aad, ctx->aad_len); } if (!valid_addr) { @@ -201,15 +208,11 @@ esp_err_t _ss_esp_tee_sec_storage_aead_decrypt(const esp_tee_sec_storage_aead_ct esp_err_t _ss_esp_tee_sec_storage_ecdsa_sign_pbkdf2(const esp_tee_sec_storage_pbkdf2_ctx_t *ctx, const uint8_t *hash, size_t hlen, esp_tee_sec_storage_ecdsa_sign_t *out_sign, esp_tee_sec_storage_ecdsa_pubkey_t *out_pubkey) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)ctx) && - esp_tee_ptr_in_ree((void *)hash) && - esp_tee_ptr_in_ree((void *)out_sign) && - esp_tee_ptr_in_ree((void *)out_pubkey)); - - valid_addr &= (esp_tee_ptr_in_ree((void *)((char *)ctx + sizeof(esp_tee_sec_storage_pbkdf2_ctx_t))) && - esp_tee_ptr_in_ree((void *)(hash + hlen)) && - esp_tee_ptr_in_ree((void *)((char *)out_sign + sizeof(esp_tee_sec_storage_ecdsa_sign_t))) && - esp_tee_ptr_in_ree((void *)((char *)out_pubkey + sizeof(esp_tee_sec_storage_ecdsa_pubkey_t)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_tee_sec_storage_pbkdf2_ctx_t)) && + esp_tee_buf_in_ree(hash, hlen) && + esp_tee_buf_in_ree(out_sign, sizeof(esp_tee_sec_storage_ecdsa_sign_t)) && + esp_tee_buf_in_ree(out_pubkey, sizeof(esp_tee_sec_storage_ecdsa_pubkey_t)) && + esp_tee_buf_in_ree(ctx->salt, ctx->salt_len)); if (!valid_addr) { return ESP_ERR_INVALID_ARG; @@ -224,20 +227,23 @@ esp_err_t _ss_esp_tee_sec_storage_ecdsa_sign_pbkdf2(const esp_tee_sec_storage_pb void _ss_mmu_hal_map_region(uint32_t mmu_id, mmu_target_t mem_type, uint32_t vaddr, uint32_t paddr, uint32_t len, uint32_t *out_len) { - bool vaddr_chk = esp_tee_flash_check_vrange_in_tee_region(vaddr, len); - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(paddr, len); - if (vaddr_chk || paddr_chk) { + bool valid_addr = (!esp_tee_flash_check_vrange_in_tee_region(vaddr, len) && + !esp_tee_flash_check_prange_in_tee_region(paddr, len) && + esp_tee_buf_in_ree(out_len, sizeof(uint32_t))); + + if (!valid_addr) { ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x | 0x%08x", __func__, vaddr, paddr); return; } - ESP_FAULT_ASSERT(!vaddr_chk && !paddr_chk); + ESP_FAULT_ASSERT(valid_addr); mmu_hal_map_region(mmu_id, mem_type, vaddr, paddr, len, out_len); } void _ss_mmu_hal_unmap_region(uint32_t mmu_id, uint32_t vaddr, uint32_t len) { bool vaddr_chk = esp_tee_flash_check_vrange_in_tee_region(vaddr, len); + if (vaddr_chk) { ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, vaddr); return; @@ -249,21 +255,28 @@ void _ss_mmu_hal_unmap_region(uint32_t mmu_id, uint32_t vaddr, uint32_t len) bool _ss_mmu_hal_vaddr_to_paddr(uint32_t mmu_id, uint32_t vaddr, uint32_t *out_paddr, mmu_target_t *out_target) { - bool vaddr_chk = esp_tee_flash_check_vaddr_in_tee_region(vaddr); - if (vaddr_chk) { + bool valid_addr = (!esp_tee_flash_check_vaddr_in_tee_region(vaddr) && + esp_tee_buf_in_ree(out_paddr, sizeof(uint32_t)) && + esp_tee_buf_in_ree(out_target, sizeof(mmu_target_t))); + + if (!valid_addr) { return false; } - ESP_FAULT_ASSERT(!vaddr_chk); + ESP_FAULT_ASSERT(valid_addr); + return mmu_hal_vaddr_to_paddr(mmu_id, vaddr, out_paddr, out_target); } bool _ss_mmu_hal_paddr_to_vaddr(uint32_t mmu_id, uint32_t paddr, mmu_target_t target, mmu_vaddr_t type, uint32_t *out_vaddr) { - bool paddr_chk = esp_tee_flash_check_paddr_in_tee_region(paddr); - if (paddr_chk) { + bool valid_addr = (!esp_tee_flash_check_paddr_in_tee_region(paddr) && + esp_tee_buf_in_ree(out_vaddr, sizeof(uint32_t))); + + if (!valid_addr) { return false; } - ESP_FAULT_ASSERT(!paddr_chk); + ESP_FAULT_ASSERT(valid_addr); + return mmu_hal_paddr_to_vaddr(mmu_id, paddr, target, type, out_vaddr); } @@ -277,110 +290,192 @@ void _ss_Cache_Set_IDROM_MMU_Size(uint32_t irom_size, uint32_t drom_size) #if CONFIG_SECURE_TEE_EXT_FLASH_MEMPROT_SPI1 /* ---------------------------------------------- SPI Flash HAL ------------------------------------------------- */ +static bool is_spi_host_in_ree(spi_flash_host_inst_t *host) +{ + return esp_tee_buf_in_ree(host, sizeof(spi_flash_host_inst_t)); +} + +static bool is_spi_trans_valid(spi_flash_host_inst_t *host, spi_flash_trans_t *trans) +{ + bool valid_addr = (is_spi_host_in_ree(host) && + esp_tee_buf_in_ree(trans, sizeof(spi_flash_trans_t))); + + if (trans->mosi_len != 0) { + valid_addr &= esp_tee_buf_in_ree(trans->mosi_data, trans->mosi_len); + } + if (trans->miso_len != 0) { + valid_addr &= esp_tee_buf_in_ree(trans->miso_data, trans->miso_len); + } + return valid_addr; +} + uint32_t _ss_spi_flash_hal_check_status(spi_flash_host_inst_t *host) { + bool valid_addr = is_spi_host_in_ree(host); + + if (!valid_addr) { + return 0; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_check_status(host); } esp_err_t _ss_spi_flash_hal_common_command(spi_flash_host_inst_t *host, spi_flash_trans_t *trans) { - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(trans->address, trans->mosi_len); - paddr_chk |= esp_tee_flash_check_prange_in_tee_region(trans->address, trans->miso_len); - if (paddr_chk) { + bool valid_addr = (is_spi_trans_valid(host, trans) && + !esp_tee_flash_check_prange_in_tee_region(trans->address, trans->mosi_len) && + !esp_tee_flash_check_prange_in_tee_region(trans->address, trans->miso_len)); + + if (!valid_addr) { ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, trans->address); - return ESP_FAIL; + return ESP_ERR_INVALID_ARG; } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_common_command(host, trans); } esp_err_t _ss_spi_flash_hal_device_config(spi_flash_host_inst_t *host) { + bool valid_addr = is_spi_host_in_ree(host); + + if (!valid_addr) { + return ESP_ERR_INVALID_ARG; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_device_config(host); } void _ss_spi_flash_hal_erase_block(spi_flash_host_inst_t *host, uint32_t start_address) { - bool paddr_chk = esp_tee_flash_check_paddr_in_tee_region(start_address); - if (paddr_chk) { + bool valid_addr = (is_spi_host_in_ree(host) && + !esp_tee_flash_check_paddr_in_tee_region(start_address)); + + if (!valid_addr) { ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, start_address); return; } - ESP_FAULT_ASSERT(!paddr_chk); + ESP_FAULT_ASSERT(valid_addr); + spi_flash_hal_erase_block(host, start_address); } void _ss_spi_flash_hal_erase_sector(spi_flash_host_inst_t *host, uint32_t start_address) { - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(start_address, FLASH_SECTOR_SIZE); - if (paddr_chk) { + bool valid_addr = (is_spi_host_in_ree(host) && + !esp_tee_flash_check_prange_in_tee_region(start_address, FLASH_SECTOR_SIZE)); + + if (!valid_addr) { ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, start_address); return; } - ESP_FAULT_ASSERT(!paddr_chk); + ESP_FAULT_ASSERT(valid_addr); + spi_flash_hal_erase_sector(host, start_address); } void _ss_spi_flash_hal_program_page(spi_flash_host_inst_t *host, const void *buffer, uint32_t address, uint32_t length) { - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(address, length); - if (paddr_chk) { - ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, address); - return; - } + bool valid_addr = (is_spi_host_in_ree(host) && + !esp_tee_flash_check_prange_in_tee_region(address, length) && + esp_tee_buf_in_ree(buffer, length)); - bool buf_addr_chk = ((esp_tee_ptr_in_ree((void *)buffer) && esp_tee_ptr_in_ree((void *)(buffer + length)))); - if (!buf_addr_chk) { + if (!valid_addr) { + ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, address); return; } + ESP_FAULT_ASSERT(valid_addr); - ESP_FAULT_ASSERT(!paddr_chk && buf_addr_chk); spi_flash_hal_program_page(host, buffer, address, length); } esp_err_t _ss_spi_flash_hal_read(spi_flash_host_inst_t *host, void *buffer, uint32_t address, uint32_t read_len) { - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(address, read_len); - if (paddr_chk) { - ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, address); - return ESP_FAIL; - } + bool valid_addr = (is_spi_host_in_ree(host) && + !esp_tee_flash_check_prange_in_tee_region(address, read_len) && + esp_tee_buf_in_ree(buffer, read_len)); - bool buf_addr_chk = ((esp_tee_ptr_in_ree((void *)buffer) && esp_tee_ptr_in_ree((void *)(buffer + read_len)))); - if (!buf_addr_chk) { - return ESP_FAIL; + if (!valid_addr) { + ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, address); + return ESP_ERR_INVALID_ARG; } + ESP_FAULT_ASSERT(valid_addr); - ESP_FAULT_ASSERT(!paddr_chk && buf_addr_chk); return spi_flash_hal_read(host, buffer, address, read_len); } void _ss_spi_flash_hal_resume(spi_flash_host_inst_t *host) { + bool valid_addr = is_spi_host_in_ree(host); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + spi_flash_hal_resume(host); } esp_err_t _ss_spi_flash_hal_set_write_protect(spi_flash_host_inst_t *host, bool wp) { + bool valid_addr = is_spi_host_in_ree(host); + + if (!valid_addr) { + return ESP_ERR_INVALID_ARG; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_set_write_protect(host, wp); } esp_err_t _ss_spi_flash_hal_setup_read_suspend(spi_flash_host_inst_t *host, const spi_flash_sus_cmd_conf *sus_conf) { + bool valid_addr = (is_spi_host_in_ree(host) && + esp_tee_buf_in_ree(sus_conf, sizeof(spi_flash_sus_cmd_conf))); + + if (!valid_addr) { + return ESP_ERR_INVALID_ARG; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_setup_read_suspend(host, sus_conf); } bool _ss_spi_flash_hal_supports_direct_read(spi_flash_host_inst_t *host, const void *p) { + bool valid_addr = (is_spi_host_in_ree(host) && esp_tee_ptr_in_ree(p)); + + if (!valid_addr) { + return false; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_supports_direct_read(host, p); } bool _ss_spi_flash_hal_supports_direct_write(spi_flash_host_inst_t *host, const void *p) { + bool valid_addr = (is_spi_host_in_ree(host) && esp_tee_ptr_in_ree(p)); + + if (!valid_addr) { + return false; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_supports_direct_write(host, p); } void _ss_spi_flash_hal_suspend(spi_flash_host_inst_t *host) { + bool valid_addr = is_spi_host_in_ree(host); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + spi_flash_hal_suspend(host); } @@ -397,29 +492,41 @@ uint32_t _ss_bootloader_flash_execute_command_common( uint8_t mosi_len, uint32_t mosi_data, uint8_t miso_len) { - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(address, mosi_len); - paddr_chk |= esp_tee_flash_check_prange_in_tee_region(address, miso_len); - if (paddr_chk) { + bool valid_addr = (!esp_tee_flash_check_prange_in_tee_region(address, mosi_len) && + !esp_tee_flash_check_prange_in_tee_region(address, miso_len)); + + if (!valid_addr) { ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, address); return 0; } - ESP_FAULT_ASSERT(!paddr_chk); + ESP_FAULT_ASSERT(valid_addr); + return bootloader_flash_execute_command_common(command, addr_len, address, dummy_len, mosi_len, mosi_data, miso_len); } esp_err_t _ss_memspi_host_flush_cache(spi_flash_host_inst_t *host, uint32_t addr, uint32_t size) { - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(addr, size); - if (paddr_chk) { - return ESP_FAIL; + bool valid_addr = (is_spi_host_in_ree(host) && + !esp_tee_flash_check_prange_in_tee_region(addr, size)); + + if (!valid_addr) { + return ESP_ERR_INVALID_ARG; } - ESP_FAULT_ASSERT(!paddr_chk); + ESP_FAULT_ASSERT(valid_addr); + return memspi_host_flush_cache(host, addr, size); } esp_err_t _ss_spi_flash_chip_generic_config_host_io_mode(esp_flash_t *chip, uint32_t flags) { + bool valid_addr = esp_tee_buf_in_ree(chip, sizeof(struct esp_flash_t)); + + if (!valid_addr) { + return ESP_ERR_INVALID_ARG; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_chip_generic_config_host_io_mode(chip, flags); } @@ -451,6 +558,13 @@ void _ss_mspi_timing_change_speed_mode_cache_safe(bool switch_down) void _ss_spi_timing_get_flash_timing_param(spi_flash_hal_timing_config_t *out_timing_config) { + bool valid_addr = esp_tee_buf_in_ree(out_timing_config, sizeof(spi_flash_hal_timing_config_t)); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + spi_timing_get_flash_timing_param(out_timing_config); } #endif
components/esp_tee/subproject/main/include/esp_tee_memory_utils.h+25 −4 modified@@ -1,10 +1,12 @@ /* - * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ #pragma once +#include <stddef.h> +#include <stdint.h> #include "esp_attr.h" #include "soc/soc.h" #include "soc/ext_mem_defs.h" @@ -16,9 +18,28 @@ extern "C" { FORCE_INLINE_ATTR bool esp_tee_ptr_in_ree(const void *p) { - return (((intptr_t)p >= SOC_NS_IDRAM_START && (intptr_t)p < SOC_NS_IDRAM_END) || - ((intptr_t)p >= (size_t)esp_tee_app_config.ns_drom_start && (intptr_t)p < SOC_S_MMU_MMAP_RESV_START_VADDR) || - ((intptr_t)p >= SOC_RTC_DATA_LOW && (intptr_t)p < SOC_RTC_DATA_HIGH)); + uintptr_t addr = (uintptr_t)p; + return ( + (addr >= SOC_NS_IDRAM_START && addr < SOC_NS_IDRAM_END) || + (addr >= (uintptr_t)esp_tee_app_config.ns_drom_start && + addr < SOC_S_MMU_MMAP_RESV_START_VADDR) +#if SOC_RTC_MEM_SUPPORTED + || (addr >= SOC_RTC_DATA_LOW && addr < SOC_RTC_DATA_HIGH) +#endif + ); +} + +FORCE_INLINE_ATTR bool esp_tee_buf_in_ree(const void *p, size_t len) +{ + uintptr_t start = (uintptr_t)p; + + /* Reject zero-length and overflow */ + if (len == 0 || len > (SIZE_MAX - start)) { + return false; + } + + return esp_tee_ptr_in_ree(p) && + esp_tee_ptr_in_ree((const char *)p + len - 1); } #ifdef __cplusplus
components/esp_tee/test_apps/tee_cli_app/sdkconfig.ci.default+3 −0 modified@@ -0,0 +1,3 @@ +# Increasing TEE DRAM size +# 17.5KB +CONFIG_SECURE_TEE_DRAM_SIZE=0x4600
components/esp_tee/test_apps/tee_cli_app/sdkconfig.ci.minimal_tee+2 −2 modified@@ -5,8 +5,8 @@ CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID=5 # Reducing TEE I/DRAM sizes # 24KB CONFIG_SECURE_TEE_IRAM_SIZE=0x6000 -# 12KB -CONFIG_SECURE_TEE_DRAM_SIZE=0x3000 +# 13KB +CONFIG_SECURE_TEE_DRAM_SIZE=0x3400 # Disable TEE logs (also disable all panic logs) CONFIG_SECURE_TEE_DEBUG_MODE=n
components/esp_tee/test_apps/tee_cli_app/sdkconfig.ci.release+3 −3 modified@@ -1,6 +1,6 @@ -# Reducing TEE I/DRAM sizes -# 28KB -CONFIG_SECURE_TEE_IRAM_SIZE=0x7000 +# Reducing TEE IRAM size +# 29.5KB +CONFIG_SECURE_TEE_IRAM_SIZE=0x7600 # TEE Secure Storage: Release mode CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE=y
components/esp_tee/test_apps/tee_cli_app/sdkconfig.ci.sb_fe+3 −1 modified@@ -14,6 +14,8 @@ CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE=y CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID=5 -# Increasing TEE DRAM size +# Increasing TEE I/DRAM size +# 34KB +CONFIG_SECURE_TEE_IRAM_SIZE=0x8800 # 18KB CONFIG_SECURE_TEE_DRAM_SIZE=0x4800
components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_sec_stg.c+4 −4 modified@@ -296,9 +296,9 @@ TEST_CASE("Test TEE Secure Storage - Null Pointer and Zero Length", "[sec_storag }; TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_encrypt(&aead_ctx, NULL, sizeof(tag), data)); - TEST_ESP_ERR(ESP_ERR_INVALID_SIZE, esp_tee_sec_storage_aead_encrypt(&aead_ctx, tag, 0, data)); + TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_encrypt(&aead_ctx, tag, 0, data)); TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_decrypt(&aead_ctx, NULL, sizeof(tag), data)); - TEST_ESP_ERR(ESP_ERR_INVALID_SIZE, esp_tee_sec_storage_aead_decrypt(&aead_ctx, tag, 0, data)); + TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_decrypt(&aead_ctx, tag, 0, data)); aead_ctx.input = NULL; aead_ctx.input_len = sizeof(data); @@ -307,8 +307,8 @@ TEST_CASE("Test TEE Secure Storage - Null Pointer and Zero Length", "[sec_storag aead_ctx.input = data; aead_ctx.input_len = 0; - TEST_ESP_ERR(ESP_ERR_INVALID_SIZE, esp_tee_sec_storage_aead_encrypt(&aead_ctx, tag, sizeof(tag), data)); - TEST_ESP_ERR(ESP_ERR_INVALID_SIZE, esp_tee_sec_storage_aead_decrypt(&aead_ctx, tag, sizeof(tag), data)); + TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_encrypt(&aead_ctx, tag, sizeof(tag), data)); + TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_decrypt(&aead_ctx, tag, sizeof(tag), data)); TEST_ESP_OK(esp_tee_sec_storage_clear_key(key_id));
components/esp_tee/test_apps/tee_test_fw/sdkconfig.ci.tee_ota+0 −4 modified@@ -15,7 +15,3 @@ CONFIG_SECURE_TEE_ATT_KEY_STR_ID="tee_att_keyN" # Enabling flash protection over SPI1 CONFIG_SECURE_TEE_EXT_FLASH_MEMPROT_SPI1=y - -# Increasing TEE DRAM size -# 19KB -CONFIG_SECURE_TEE_DRAM_SIZE=0x4c00
components/esp_tee/test_apps/tee_test_fw/sdkconfig.defaults+4 −0 modified@@ -13,3 +13,7 @@ CONFIG_SECURE_TEE_TEST_MODE=y # Setting partition table CONFIG_PARTITION_TABLE_SINGLE_APP_TEE=y CONFIG_PARTITION_TABLE_OFFSET=0xF000 + +# Increasing TEE I/DRAM size +CONFIG_SECURE_TEE_IRAM_SIZE=0x8800 +CONFIG_SECURE_TEE_DRAM_SIZE=0x4c00
145ba4c42dc8fix(esp_tee): Add missing input validation checks for TEE service calls
10 files changed · +416 −154
components/esp_tee/subproject/components/tee_ota_ops/esp_tee_ota_ops.c+1 −1 modified@@ -108,7 +108,7 @@ esp_err_t esp_tee_ota_write(uint32_t rel_offset, const void *data, size_t size) return ESP_ERR_INVALID_STATE; } - if (rel_offset + size > ota_handle.tee_next.pos.size) { + if (size > ota_handle.tee_next.pos.size || rel_offset > ota_handle.tee_next.pos.size - size) { ESP_LOGE(TAG, "Out of region write not allowed!"); return ESP_FAIL; }
components/esp_tee/subproject/main/common/multi_heap.c+5 −2 modified@@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2024-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -19,7 +19,10 @@ inline static void multi_heap_assert(bool condition, const char *format, int lin /* Can't use libc assert() here as it calls printf() which can cause another malloc() for a newlib lock. Also, it's useful to be able to print the memory address where corruption was detected. */ - (void) condition; + if (!condition) { + esp_rom_printf(format, line, address); + abort(); + } } #define MULTI_HEAP_ASSERT(CONDITION, ADDRESS) \
components/esp_tee/subproject/main/core/esp_secure_services.c+180 −52 modified@@ -27,6 +27,7 @@ #endif #include "psa/initial_attestation.h" #include "esp_crypto_periph_clk.h" +#include "nvs.h" #include "esp_tee.h" #include "esp_tee_memory_utils.h" @@ -60,8 +61,10 @@ int _ss_esp_aes_crypt_cbc(esp_aes_context *ctx, const unsigned char *input, unsigned char *output) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + length)) && esp_tee_ptr_in_ree((void *)(output + length)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_aes_context)) && + esp_tee_buf_in_ree(iv, 16) && + esp_tee_buf_in_ree(input, length) && + esp_tee_buf_in_ree(output, length)); if (!valid_addr) { return -1; @@ -79,8 +82,11 @@ int _ss_esp_aes_crypt_cfb128(esp_aes_context *ctx, const unsigned char *input, unsigned char *output) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + length)) && esp_tee_ptr_in_ree((void *)(output + length)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_aes_context)) && + esp_tee_buf_in_ree(iv_off, sizeof(size_t)) && + esp_tee_buf_in_ree(iv, 16) && + esp_tee_buf_in_ree(input, length) && + esp_tee_buf_in_ree(output, length)); if (!valid_addr) { return -1; @@ -97,8 +103,10 @@ int _ss_esp_aes_crypt_cfb8(esp_aes_context *ctx, const unsigned char *input, unsigned char *output) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + length)) && esp_tee_ptr_in_ree((void *)(output + length)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_aes_context)) && + esp_tee_buf_in_ree(iv, 16) && + esp_tee_buf_in_ree(input, length) && + esp_tee_buf_in_ree(output, length)); if (!valid_addr) { return -1; @@ -116,8 +124,12 @@ int _ss_esp_aes_crypt_ctr(esp_aes_context *ctx, const unsigned char *input, unsigned char *output) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + length)) && esp_tee_ptr_in_ree((void *)(output + length)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_aes_context)) && + esp_tee_buf_in_ree(nc_off, sizeof(size_t)) && + esp_tee_buf_in_ree(nonce_counter, 16) && + esp_tee_buf_in_ree(stream_block, 16) && + esp_tee_buf_in_ree(input, length) && + esp_tee_buf_in_ree(output, length)); if (!valid_addr) { return -1; @@ -132,8 +144,9 @@ int _ss_esp_aes_crypt_ecb(esp_aes_context *ctx, const unsigned char input[16], unsigned char output[16]) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + 16)) && esp_tee_ptr_in_ree((void *)(output + 16)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_aes_context)) && + esp_tee_buf_in_ree(input, 16) && + esp_tee_buf_in_ree(output, 16)); if (!valid_addr) { return -1; @@ -150,8 +163,11 @@ int _ss_esp_aes_crypt_ofb(esp_aes_context *ctx, const unsigned char *input, unsigned char *output) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + length)) && esp_tee_ptr_in_ree((void *)(output + length)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_aes_context)) && + esp_tee_buf_in_ree(iv_off, sizeof(size_t)) && + esp_tee_buf_in_ree(iv, 16) && + esp_tee_buf_in_ree(input, length) && + esp_tee_buf_in_ree(output, length)); if (!valid_addr) { return -1; @@ -165,10 +181,63 @@ int _ss_esp_aes_crypt_ofb(esp_aes_context *ctx, /* ---------------------------------------------- SHA ------------------------------------------------- */ #if SOC_SHA_SUPPORTED +static size_t get_sha_digest_size(esp_sha_type sha_type) +{ + switch (sha_type) { + case SHA1: return 20; + case SHA2_224: return 28; + case SHA2_256: return 32; +#if SOC_SHA_SUPPORT_SHA384 + case SHA2_384: return 48; +#endif +#if SOC_SHA_SUPPORT_SHA512 + case SHA2_512: return 64; +#endif + default: return 0; + } +} + +static size_t get_sha_state_size(esp_sha_type sha_type) +{ + switch (sha_type) { + case SHA1: return 20; + case SHA2_224: + case SHA2_256: return 32; +#if SOC_SHA_SUPPORT_SHA384 + case SHA2_384: return 64; +#endif +#if SOC_SHA_SUPPORT_SHA512 + case SHA2_512: return 64; +#endif + default: return 0; + } +} + +static size_t get_sha_block_size(esp_sha_type sha_type) +{ + switch (sha_type) { + case SHA1: + case SHA2_224: + case SHA2_256: return 64; +#if SOC_SHA_SUPPORT_SHA384 + case SHA2_384: return 128; +#endif +#if SOC_SHA_SUPPORT_SHA512 + case SHA2_512: return 128; +#endif + default: return 0; + } +} + void _ss_esp_sha(esp_sha_type sha_type, const unsigned char *input, size_t ilen, unsigned char *output) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + ilen)))); + size_t digest_size = get_sha_digest_size(sha_type); + if (digest_size == 0) { + return; + } + + bool valid_addr = (esp_tee_buf_in_ree(input, ilen) && + esp_tee_buf_in_ree(output, digest_size)); if (!valid_addr) { return; @@ -181,11 +250,9 @@ void _ss_esp_sha(esp_sha_type sha_type, const unsigned char *input, size_t ilen, int _ss_esp_sha_dma(esp_sha_type sha_type, const void *input, uint32_t ilen, const void *buf, uint32_t buf_len, bool is_first_block) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)input) && - esp_tee_ptr_in_ree((void *)((char *)input + ilen))); + bool valid_addr = esp_tee_buf_in_ree(input, ilen); if (buf_len) { - valid_addr &= (esp_tee_ptr_in_ree((void *)buf) && - esp_tee_ptr_in_ree((void *)((char *)buf + buf_len))); + valid_addr &= esp_tee_buf_in_ree(buf, buf_len); } if (!valid_addr) { @@ -198,16 +265,52 @@ int _ss_esp_sha_dma(esp_sha_type sha_type, const void *input, uint32_t ilen, void _ss_esp_sha_read_digest_state(esp_sha_type sha_type, void *digest_state) { + size_t state_sz = get_sha_state_size(sha_type); + if (state_sz == 0) { + return; + } + + bool valid_addr = esp_tee_buf_in_ree(digest_state, state_sz); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + sha_hal_read_digest(sha_type, digest_state); } void _ss_esp_sha_write_digest_state(esp_sha_type sha_type, void *digest_state) { + size_t state_sz = get_sha_state_size(sha_type); + if (state_sz == 0) { + return; + } + + bool valid_addr = esp_tee_buf_in_ree(digest_state, state_sz); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + sha_hal_write_digest(sha_type, digest_state); } void _ss_esp_sha_block(esp_sha_type sha_type, const void *data_block, bool is_first_block) { + size_t block_sz = get_sha_block_size(sha_type); + if (block_sz == 0) { + return; + } + + bool valid_addr = esp_tee_buf_in_ree(data_block, block_sz); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + esp_sha_block(sha_type, data_block, is_first_block); } @@ -234,8 +337,8 @@ int _ss_esp_sha_512_t_init_hash(uint16_t t) #if SOC_HMAC_SUPPORTED esp_err_t _ss_esp_hmac_calculate(hmac_key_id_t key_id, const void *message, size_t message_len, uint8_t *hmac) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)message) && esp_tee_ptr_in_ree((void *)hmac)) && - esp_tee_ptr_in_ree((void *)((char *)message + message_len))); + bool valid_addr = (esp_tee_buf_in_ree(message, message_len) && + esp_tee_buf_in_ree(hmac, 32)); #if CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE valid_addr &= (key_id != (hmac_key_id_t)CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID); @@ -252,7 +355,7 @@ esp_err_t _ss_esp_hmac_calculate(hmac_key_id_t key_id, const void *message, size esp_err_t _ss_esp_hmac_jtag_enable(hmac_key_id_t key_id, const uint8_t *token) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)token)); + bool valid_addr = esp_tee_buf_in_ree((void *)token, 32); #if CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE valid_addr &= (key_id != (hmac_key_id_t)CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID); @@ -274,14 +377,23 @@ esp_err_t _ss_esp_hmac_jtag_disable(void) #endif #if SOC_DIG_SIGN_SUPPORTED +static size_t get_ds_msg_sign_len(esp_digital_signature_length_t rsa_length) +{ + if (rsa_length != ESP_DS_RSA_1024 && rsa_length != ESP_DS_RSA_2048 && + rsa_length != ESP_DS_RSA_3072 && rsa_length != ESP_DS_RSA_4096) { + return 0; + } + return (size_t)(rsa_length + 1) * 4; +} + esp_err_t _ss_esp_ds_sign(const void *message, const esp_ds_data_t *data, hmac_key_id_t key_id, void *signature) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)message) && - esp_tee_ptr_in_ree((void *)data) && - esp_tee_ptr_in_ree((void *)signature)); + bool valid_addr = esp_tee_buf_in_ree(data, sizeof(esp_ds_data_t)); + size_t n = get_ds_msg_sign_len(data->rsa_length); + valid_addr = (n > 0) && esp_tee_buf_in_ree(message, n) && esp_tee_buf_in_ree(signature, n); #if CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE valid_addr &= (key_id != (hmac_key_id_t)CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID); @@ -301,9 +413,10 @@ esp_err_t _ss_esp_ds_start_sign(const void *message, hmac_key_id_t key_id, esp_ds_context_t **esp_ds_ctx) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)message) && - esp_tee_ptr_in_ree((void *)data) && - esp_tee_ptr_in_ree((void *)esp_ds_ctx)); + bool valid_addr = (esp_tee_buf_in_ree(esp_ds_ctx, sizeof(esp_ds_context_t *)) && + esp_tee_buf_in_ree(data, sizeof(esp_ds_data_t))); + size_t n = get_ds_msg_sign_len(data->rsa_length); + valid_addr = (n > 0) && esp_tee_buf_in_ree(message, n); #if CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE valid_addr &= (key_id != (hmac_key_id_t)CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID); @@ -325,10 +438,8 @@ bool _ss_esp_ds_is_busy(void) esp_err_t _ss_esp_ds_finish_sign(void *signature, esp_ds_context_t *esp_ds_ctx) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)signature) && - esp_tee_ptr_in_ree((void *)esp_ds_ctx)); - - valid_addr &= esp_tee_ptr_in_ree((void *)((char *)esp_ds_ctx + sizeof(esp_ds_data_t))); + const size_t max_sign = get_ds_msg_sign_len(ESP_DS_RSA_4096); + bool valid_addr = esp_tee_buf_in_ree(signature, max_sign); if (!valid_addr) { return ESP_ERR_INVALID_ARG; @@ -343,12 +454,10 @@ esp_err_t _ss_esp_ds_encrypt_params(esp_ds_data_t *data, const esp_ds_p_data_t *p_data, const void *key) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)data) && esp_tee_ptr_in_ree((void *)p_data)) && - (esp_tee_ptr_in_ree((void *)iv) && esp_tee_ptr_in_ree((void *)key))); - - valid_addr &= esp_tee_ptr_in_ree((void *)((char *)data + sizeof(esp_ds_data_t))); - valid_addr &= esp_tee_ptr_in_ree((void *)((char *)p_data + sizeof(esp_ds_p_data_t))); - valid_addr &= esp_tee_ptr_in_ree((void *)((char *)key + ESP_DS_DATA_KEY_SIZE)); + bool valid_addr = (esp_tee_buf_in_ree(data, sizeof(esp_ds_data_t)) && + esp_tee_buf_in_ree(iv, ESP_DS_IV_LEN) && + esp_tee_buf_in_ree(p_data, sizeof(esp_ds_p_data_t)) && + esp_tee_buf_in_ree(key, ESP_DS_DATA_KEY_SIZE)); if (!valid_addr) { return ESP_ERR_INVALID_ARG; @@ -364,12 +473,10 @@ esp_err_t _ss_esp_ds_encrypt_params_using_key_type(esp_ds_data_t *data, const void *key, esp_ds_key_type_t key_type) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)data) && esp_tee_ptr_in_ree((void *)p_data)) && - (esp_tee_ptr_in_ree((void *)iv) && esp_tee_ptr_in_ree((void *)key))); - - valid_addr &= esp_tee_ptr_in_ree((void *)((char *)data + sizeof(esp_ds_data_t))); - valid_addr &= esp_tee_ptr_in_ree((void *)((char *)p_data + sizeof(esp_ds_p_data_t))); - valid_addr &= esp_tee_ptr_in_ree((void *)((char *)key + ESP_DS_DATA_KEY_SIZE)); + bool valid_addr = (esp_tee_buf_in_ree(data, sizeof(esp_ds_data_t)) && + esp_tee_buf_in_ree(iv, ESP_DS_IV_LEN) && + esp_tee_buf_in_ree(p_data, sizeof(esp_ds_p_data_t)) && + esp_tee_buf_in_ree(key, ESP_DS_DATA_KEY_SIZE)); if (!valid_addr) { return ESP_ERR_INVALID_ARG; @@ -394,8 +501,11 @@ void _ss_esp_crypto_mpi_enable_periph_clk(bool enable) #if SOC_ECC_SUPPORTED int _ss_esp_ecc_point_multiply(const ecc_point_t *point, const uint8_t *scalar, ecc_point_t *result, bool verify_first) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)result)) && - esp_tee_ptr_in_ree((void *)((char *)result + sizeof(ecc_point_t))); + bool valid_addr = (esp_tee_buf_in_ree(point, sizeof(ecc_point_t)) && + esp_tee_buf_in_ree(result, sizeof(ecc_point_t))); + if (valid_addr) { + valid_addr = esp_tee_buf_in_ree(scalar, MAX_SIZE); + } if (!valid_addr) { return -1; @@ -407,6 +517,13 @@ int _ss_esp_ecc_point_multiply(const ecc_point_t *point, const uint8_t *scalar, int _ss_esp_ecc_point_verify(const ecc_point_t *point) { + bool valid_addr = esp_tee_buf_in_ree(point, sizeof(ecc_point_t)); + + if (!valid_addr) { + return -1; + } + ESP_FAULT_ASSERT(valid_addr); + return esp_ecc_point_verify(point); } #endif @@ -427,8 +544,7 @@ int _ss_esp_tee_ota_begin(void) int _ss_esp_tee_ota_write(uint32_t rel_offset, void *data, size_t size) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)data)) && - (esp_tee_ptr_in_ree((void *)((char *)data + size)))); + bool valid_addr = esp_tee_buf_in_ree(data, size); if (!valid_addr) { return -1; @@ -452,6 +568,13 @@ esp_err_t _ss_esp_tee_sec_storage_clear_key(const char *key_id) esp_err_t _ss_esp_tee_sec_storage_gen_key(const esp_tee_sec_storage_key_cfg_t *cfg) { + bool valid_addr = esp_tee_buf_in_ree(cfg, sizeof(esp_tee_sec_storage_key_cfg_t)); + + if (!valid_addr) { + return ESP_ERR_INVALID_ARG; + } + ESP_FAULT_ASSERT(valid_addr); + return esp_tee_sec_storage_gen_key(cfg); } @@ -475,11 +598,9 @@ psa_status_t _ss_psa_initial_attest_get_token(const uint8_t *auth_challenge, siz uint8_t *token_buf, size_t token_buf_size, size_t *token_size) { #if CONFIG_SECURE_TEE_ATTESTATION - bool valid_addr = (esp_tee_ptr_in_ree((void *)auth_challenge) && - esp_tee_ptr_in_ree((void *)token_buf) && - esp_tee_ptr_in_ree((void *)token_size)); - valid_addr &= (esp_tee_ptr_in_ree((void *)((uint8_t *)auth_challenge + challenge_size)) && - esp_tee_ptr_in_ree((void *)((uint8_t *)token_buf + token_buf_size))); + bool valid_addr = (esp_tee_buf_in_ree(auth_challenge, challenge_size) && + esp_tee_buf_in_ree(token_buf, token_buf_size) && + esp_tee_buf_in_ree(token_size, sizeof(size_t))); if (!valid_addr) { return PSA_ERROR_INVALID_ARGUMENT; @@ -495,6 +616,13 @@ psa_status_t _ss_psa_initial_attest_get_token(const uint8_t *auth_challenge, siz psa_status_t _ss_psa_initial_attest_get_token_size(size_t challenge_size, size_t *token_size) { #if CONFIG_SECURE_TEE_ATTESTATION + bool valid_addr = esp_tee_buf_in_ree(token_size, sizeof(size_t)); + + if (!valid_addr) { + return PSA_ERROR_INVALID_ARGUMENT; + } + ESP_FAULT_ASSERT(valid_addr); + return esp_err_to_psa_status(esp_att_get_token_size(challenge_size, token_size)); #else return PSA_ERROR_NOT_SUPPORTED;
components/esp_tee/subproject/main/core/esp_secure_services_iram.c+196 −81 modified@@ -20,13 +20,15 @@ #include "esp_private/memspi_host_driver.h" #include "esp_private/mspi_timing_tuning.h" #include "esp_flash.h" +#include "esp_flash_chips/esp_flash_types.h" #include "riscv/rv_utils.h" #include "esp_tee.h" #include "esp_tee_memory_utils.h" #include "esp_tee_intr.h" #include "esp_tee_rv_utils.h" +#include "nvs.h" #include "esp_tee_flash.h" #include "esp_tee_sec_storage.h" @@ -114,21 +116,35 @@ void _ss_esprv_int_set_vectored(int rv_int_num, bool vectored) void _ss_wdt_hal_init(wdt_hal_context_t *hal, wdt_inst_t wdt_inst, uint32_t prescaler, bool enable_intr) { + bool valid_addr = esp_tee_buf_in_ree(hal, sizeof(wdt_hal_context_t)); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + wdt_hal_init(hal, wdt_inst, prescaler, enable_intr); } void _ss_wdt_hal_deinit(wdt_hal_context_t *hal) { + bool valid_addr = esp_tee_buf_in_ree(hal, sizeof(wdt_hal_context_t)); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + wdt_hal_deinit(hal); } /* ---------------------------------------------- Secure Storage ------------------------------------------------- */ esp_err_t _ss_esp_tee_sec_storage_ecdsa_sign(const esp_tee_sec_storage_key_cfg_t *cfg, const uint8_t *hash, size_t hlen, esp_tee_sec_storage_ecdsa_sign_t *out_sign) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)hash) && esp_tee_ptr_in_ree((void *)out_sign)) && - (esp_tee_ptr_in_ree((void *)(hash + hlen)) && - esp_tee_ptr_in_ree((void *)((char *)out_sign + sizeof(esp_tee_sec_storage_ecdsa_sign_t))))); + bool valid_addr = (esp_tee_buf_in_ree(cfg, sizeof(esp_tee_sec_storage_key_cfg_t)) && + esp_tee_buf_in_ree(hash, hlen) && + esp_tee_buf_in_ree(out_sign, sizeof(esp_tee_sec_storage_ecdsa_sign_t))); if (!valid_addr) { return ESP_ERR_INVALID_ARG; @@ -140,8 +156,8 @@ esp_err_t _ss_esp_tee_sec_storage_ecdsa_sign(const esp_tee_sec_storage_key_cfg_t esp_err_t _ss_esp_tee_sec_storage_ecdsa_get_pubkey(const esp_tee_sec_storage_key_cfg_t *cfg, esp_tee_sec_storage_ecdsa_pubkey_t *out_pubkey) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)out_pubkey)) && - (esp_tee_ptr_in_ree((void *)((char *)out_pubkey + sizeof(esp_tee_sec_storage_ecdsa_pubkey_t))))); + bool valid_addr = (esp_tee_buf_in_ree(cfg, sizeof(esp_tee_sec_storage_key_cfg_t)) && + esp_tee_buf_in_ree(out_pubkey, sizeof(esp_tee_sec_storage_ecdsa_pubkey_t))); if (!valid_addr) { return ESP_ERR_INVALID_ARG; @@ -153,18 +169,14 @@ esp_err_t _ss_esp_tee_sec_storage_ecdsa_get_pubkey(const esp_tee_sec_storage_key esp_err_t _ss_esp_tee_sec_storage_aead_encrypt(const esp_tee_sec_storage_aead_ctx_t *ctx, uint8_t *iv, size_t iv_len, uint8_t *tag, size_t tag_len, uint8_t *output) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)ctx->input) && - esp_tee_ptr_in_ree((void *)iv) && - esp_tee_ptr_in_ree((void *)tag) && - esp_tee_ptr_in_ree((void *)output)); - - valid_addr &= (esp_tee_ptr_in_ree((void *)(ctx->input + ctx->input_len)) && - esp_tee_ptr_in_ree((void *)(iv + iv_len)) && - esp_tee_ptr_in_ree((void *)(tag + tag_len)) && - esp_tee_ptr_in_ree((void *)(output + ctx->input_len))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_tee_sec_storage_aead_ctx_t)) && + esp_tee_buf_in_ree(ctx->input, ctx->input_len) && + esp_tee_buf_in_ree(iv, iv_len) && + esp_tee_buf_in_ree(tag, tag_len) && + esp_tee_buf_in_ree(output, ctx->input_len)); - if (ctx->aad) { - valid_addr &= (esp_tee_ptr_in_ree((void *)ctx->aad) && esp_tee_ptr_in_ree((void *)(ctx->aad + ctx->aad_len))); + if (ctx->aad_len != 0) { + valid_addr = esp_tee_buf_in_ree(ctx->aad, ctx->aad_len); } if (!valid_addr) { @@ -177,18 +189,14 @@ esp_err_t _ss_esp_tee_sec_storage_aead_encrypt(const esp_tee_sec_storage_aead_ct esp_err_t _ss_esp_tee_sec_storage_aead_decrypt(const esp_tee_sec_storage_aead_ctx_t *ctx, const uint8_t *iv, size_t iv_len, const uint8_t *tag, size_t tag_len, uint8_t *output) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)ctx->input) && - esp_tee_ptr_in_ree((void *)iv) && - esp_tee_ptr_in_ree((void *)tag) && - esp_tee_ptr_in_ree((void *)output)); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_tee_sec_storage_aead_ctx_t)) && + esp_tee_buf_in_ree(ctx->input, ctx->input_len) && + esp_tee_buf_in_ree(iv, iv_len) && + esp_tee_buf_in_ree(tag, tag_len) && + esp_tee_buf_in_ree(output, ctx->input_len)); - valid_addr &= (esp_tee_ptr_in_ree((void *)(ctx->input + ctx->input_len)) && - esp_tee_ptr_in_ree((void *)(iv + iv_len)) && - esp_tee_ptr_in_ree((void *)(tag + tag_len)) && - esp_tee_ptr_in_ree((void *)(output + ctx->input_len))); - - if (ctx->aad) { - valid_addr &= (esp_tee_ptr_in_ree((void *)ctx->aad) && esp_tee_ptr_in_ree((void *)(ctx->aad + ctx->aad_len))); + if (ctx->aad_len != 0) { + valid_addr = esp_tee_buf_in_ree(ctx->aad, ctx->aad_len); } if (!valid_addr) { @@ -201,15 +209,11 @@ esp_err_t _ss_esp_tee_sec_storage_aead_decrypt(const esp_tee_sec_storage_aead_ct esp_err_t _ss_esp_tee_sec_storage_ecdsa_sign_pbkdf2(const esp_tee_sec_storage_pbkdf2_ctx_t *ctx, const uint8_t *hash, size_t hlen, esp_tee_sec_storage_ecdsa_sign_t *out_sign, esp_tee_sec_storage_ecdsa_pubkey_t *out_pubkey) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)ctx) && - esp_tee_ptr_in_ree((void *)hash) && - esp_tee_ptr_in_ree((void *)out_sign) && - esp_tee_ptr_in_ree((void *)out_pubkey)); - - valid_addr &= (esp_tee_ptr_in_ree((void *)((char *)ctx + sizeof(esp_tee_sec_storage_pbkdf2_ctx_t))) && - esp_tee_ptr_in_ree((void *)(hash + hlen)) && - esp_tee_ptr_in_ree((void *)((char *)out_sign + sizeof(esp_tee_sec_storage_ecdsa_sign_t))) && - esp_tee_ptr_in_ree((void *)((char *)out_pubkey + sizeof(esp_tee_sec_storage_ecdsa_pubkey_t)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_tee_sec_storage_pbkdf2_ctx_t)) && + esp_tee_buf_in_ree(hash, hlen) && + esp_tee_buf_in_ree(out_sign, sizeof(esp_tee_sec_storage_ecdsa_sign_t)) && + esp_tee_buf_in_ree(out_pubkey, sizeof(esp_tee_sec_storage_ecdsa_pubkey_t)) && + esp_tee_buf_in_ree(ctx->salt, ctx->salt_len)); if (!valid_addr) { return ESP_ERR_INVALID_ARG; @@ -224,20 +228,23 @@ esp_err_t _ss_esp_tee_sec_storage_ecdsa_sign_pbkdf2(const esp_tee_sec_storage_pb void _ss_mmu_hal_map_region(uint32_t mmu_id, mmu_target_t mem_type, uint32_t vaddr, uint32_t paddr, uint32_t len, uint32_t *out_len) { - bool vaddr_chk = esp_tee_flash_check_vrange_in_tee_region(vaddr, len); - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(paddr, len); - if (vaddr_chk || paddr_chk) { + bool valid_addr = (!esp_tee_flash_check_vrange_in_tee_region(vaddr, len) && + !esp_tee_flash_check_prange_in_tee_region(paddr, len) && + esp_tee_buf_in_ree(out_len, sizeof(uint32_t))); + + if (!valid_addr) { ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x | 0x%08x", __func__, vaddr, paddr); return; } - ESP_FAULT_ASSERT(!vaddr_chk && !paddr_chk); + ESP_FAULT_ASSERT(valid_addr); mmu_hal_map_region(mmu_id, mem_type, vaddr, paddr, len, out_len); } void _ss_mmu_hal_unmap_region(uint32_t mmu_id, uint32_t vaddr, uint32_t len) { bool vaddr_chk = esp_tee_flash_check_vrange_in_tee_region(vaddr, len); + if (vaddr_chk) { ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, vaddr); return; @@ -249,21 +256,28 @@ void _ss_mmu_hal_unmap_region(uint32_t mmu_id, uint32_t vaddr, uint32_t len) bool _ss_mmu_hal_vaddr_to_paddr(uint32_t mmu_id, uint32_t vaddr, uint32_t *out_paddr, mmu_target_t *out_target) { - bool vaddr_chk = esp_tee_flash_check_vaddr_in_tee_region(vaddr); - if (vaddr_chk) { + bool valid_addr = (!esp_tee_flash_check_vaddr_in_tee_region(vaddr) && + esp_tee_buf_in_ree(out_paddr, sizeof(uint32_t)) && + esp_tee_buf_in_ree(out_target, sizeof(mmu_target_t))); + + if (!valid_addr) { return false; } - ESP_FAULT_ASSERT(!vaddr_chk); + ESP_FAULT_ASSERT(valid_addr); + return mmu_hal_vaddr_to_paddr(mmu_id, vaddr, out_paddr, out_target); } bool _ss_mmu_hal_paddr_to_vaddr(uint32_t mmu_id, uint32_t paddr, mmu_target_t target, mmu_vaddr_t type, uint32_t *out_vaddr) { - bool paddr_chk = esp_tee_flash_check_paddr_in_tee_region(paddr); - if (paddr_chk) { + bool valid_addr = (!esp_tee_flash_check_paddr_in_tee_region(paddr) && + esp_tee_buf_in_ree(out_vaddr, sizeof(uint32_t))); + + if (!valid_addr) { return false; } - ESP_FAULT_ASSERT(!paddr_chk); + ESP_FAULT_ASSERT(valid_addr); + return mmu_hal_paddr_to_vaddr(mmu_id, paddr, target, type, out_vaddr); } @@ -277,110 +291,192 @@ void _ss_Cache_Set_IDROM_MMU_Size(uint32_t irom_size, uint32_t drom_size) #if CONFIG_SECURE_TEE_EXT_FLASH_MEMPROT_SPI1 /* ---------------------------------------------- SPI Flash HAL ------------------------------------------------- */ +static bool is_spi_host_in_ree(spi_flash_host_inst_t *host) +{ + return esp_tee_buf_in_ree(host, sizeof(spi_flash_host_inst_t)); +} + +static bool is_spi_trans_valid(spi_flash_host_inst_t *host, spi_flash_trans_t *trans) +{ + bool valid_addr = (is_spi_host_in_ree(host) && + esp_tee_buf_in_ree(trans, sizeof(spi_flash_trans_t))); + + if (trans->mosi_len != 0) { + valid_addr &= esp_tee_buf_in_ree(trans->mosi_data, trans->mosi_len); + } + if (trans->miso_len != 0) { + valid_addr &= esp_tee_buf_in_ree(trans->miso_data, trans->miso_len); + } + return valid_addr; +} + uint32_t _ss_spi_flash_hal_check_status(spi_flash_host_inst_t *host) { + bool valid_addr = is_spi_host_in_ree(host); + + if (!valid_addr) { + return 0; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_check_status(host); } esp_err_t _ss_spi_flash_hal_common_command(spi_flash_host_inst_t *host, spi_flash_trans_t *trans) { - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(trans->address, trans->mosi_len); - paddr_chk |= esp_tee_flash_check_prange_in_tee_region(trans->address, trans->miso_len); - if (paddr_chk) { + bool valid_addr = (is_spi_trans_valid(host, trans) && + !esp_tee_flash_check_prange_in_tee_region(trans->address, trans->mosi_len) && + !esp_tee_flash_check_prange_in_tee_region(trans->address, trans->miso_len)); + + if (!valid_addr) { ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, trans->address); - return ESP_FAIL; + return ESP_ERR_INVALID_ARG; } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_common_command(host, trans); } esp_err_t _ss_spi_flash_hal_device_config(spi_flash_host_inst_t *host) { + bool valid_addr = is_spi_host_in_ree(host); + + if (!valid_addr) { + return ESP_ERR_INVALID_ARG; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_device_config(host); } void _ss_spi_flash_hal_erase_block(spi_flash_host_inst_t *host, uint32_t start_address) { - bool paddr_chk = esp_tee_flash_check_paddr_in_tee_region(start_address); - if (paddr_chk) { + bool valid_addr = (is_spi_host_in_ree(host) && + !esp_tee_flash_check_paddr_in_tee_region(start_address)); + + if (!valid_addr) { ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, start_address); return; } - ESP_FAULT_ASSERT(!paddr_chk); + ESP_FAULT_ASSERT(valid_addr); + spi_flash_hal_erase_block(host, start_address); } void _ss_spi_flash_hal_erase_sector(spi_flash_host_inst_t *host, uint32_t start_address) { - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(start_address, FLASH_SECTOR_SIZE); - if (paddr_chk) { + bool valid_addr = (is_spi_host_in_ree(host) && + !esp_tee_flash_check_prange_in_tee_region(start_address, FLASH_SECTOR_SIZE)); + + if (!valid_addr) { ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, start_address); return; } - ESP_FAULT_ASSERT(!paddr_chk); + ESP_FAULT_ASSERT(valid_addr); + spi_flash_hal_erase_sector(host, start_address); } void _ss_spi_flash_hal_program_page(spi_flash_host_inst_t *host, const void *buffer, uint32_t address, uint32_t length) { - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(address, length); - if (paddr_chk) { - ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, address); - return; - } + bool valid_addr = (is_spi_host_in_ree(host) && + !esp_tee_flash_check_prange_in_tee_region(address, length) && + esp_tee_buf_in_ree(buffer, length)); - bool buf_addr_chk = ((esp_tee_ptr_in_ree((void *)buffer) && esp_tee_ptr_in_ree((void *)(buffer + length)))); - if (!buf_addr_chk) { + if (!valid_addr) { + ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, address); return; } + ESP_FAULT_ASSERT(valid_addr); - ESP_FAULT_ASSERT(!paddr_chk && buf_addr_chk); spi_flash_hal_program_page(host, buffer, address, length); } esp_err_t _ss_spi_flash_hal_read(spi_flash_host_inst_t *host, void *buffer, uint32_t address, uint32_t read_len) { - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(address, read_len); - if (paddr_chk) { - ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, address); - return ESP_FAIL; - } + bool valid_addr = (is_spi_host_in_ree(host) && + !esp_tee_flash_check_prange_in_tee_region(address, read_len) && + esp_tee_buf_in_ree(buffer, read_len)); - bool buf_addr_chk = ((esp_tee_ptr_in_ree((void *)buffer) && esp_tee_ptr_in_ree((void *)(buffer + read_len)))); - if (!buf_addr_chk) { - return ESP_FAIL; + if (!valid_addr) { + ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, address); + return ESP_ERR_INVALID_ARG; } + ESP_FAULT_ASSERT(valid_addr); - ESP_FAULT_ASSERT(!paddr_chk && buf_addr_chk); return spi_flash_hal_read(host, buffer, address, read_len); } void _ss_spi_flash_hal_resume(spi_flash_host_inst_t *host) { + bool valid_addr = is_spi_host_in_ree(host); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + spi_flash_hal_resume(host); } esp_err_t _ss_spi_flash_hal_set_write_protect(spi_flash_host_inst_t *host, bool wp) { + bool valid_addr = is_spi_host_in_ree(host); + + if (!valid_addr) { + return ESP_ERR_INVALID_ARG; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_set_write_protect(host, wp); } esp_err_t _ss_spi_flash_hal_setup_read_suspend(spi_flash_host_inst_t *host, const spi_flash_sus_cmd_conf *sus_conf) { + bool valid_addr = (is_spi_host_in_ree(host) && + esp_tee_buf_in_ree(sus_conf, sizeof(spi_flash_sus_cmd_conf))); + + if (!valid_addr) { + return ESP_ERR_INVALID_ARG; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_setup_read_suspend(host, sus_conf); } bool _ss_spi_flash_hal_supports_direct_read(spi_flash_host_inst_t *host, const void *p) { + bool valid_addr = (is_spi_host_in_ree(host) && esp_tee_ptr_in_ree(p)); + + if (!valid_addr) { + return false; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_supports_direct_read(host, p); } bool _ss_spi_flash_hal_supports_direct_write(spi_flash_host_inst_t *host, const void *p) { + bool valid_addr = (is_spi_host_in_ree(host) && esp_tee_ptr_in_ree(p)); + + if (!valid_addr) { + return false; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_supports_direct_write(host, p); } void _ss_spi_flash_hal_suspend(spi_flash_host_inst_t *host) { + bool valid_addr = is_spi_host_in_ree(host); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + spi_flash_hal_suspend(host); } @@ -397,29 +493,41 @@ uint32_t _ss_bootloader_flash_execute_command_common( uint8_t mosi_len, uint32_t mosi_data, uint8_t miso_len) { - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(address, mosi_len); - paddr_chk |= esp_tee_flash_check_prange_in_tee_region(address, miso_len); - if (paddr_chk) { + bool valid_addr = (!esp_tee_flash_check_prange_in_tee_region(address, mosi_len) && + !esp_tee_flash_check_prange_in_tee_region(address, miso_len)); + + if (!valid_addr) { ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, address); return 0; } - ESP_FAULT_ASSERT(!paddr_chk); + ESP_FAULT_ASSERT(valid_addr); + return bootloader_flash_execute_command_common(command, addr_len, address, dummy_len, mosi_len, mosi_data, miso_len); } esp_err_t _ss_memspi_host_flush_cache(spi_flash_host_inst_t *host, uint32_t addr, uint32_t size) { - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(addr, size); - if (paddr_chk) { - return ESP_FAIL; + bool valid_addr = (is_spi_host_in_ree(host) && + !esp_tee_flash_check_prange_in_tee_region(addr, size)); + + if (!valid_addr) { + return ESP_ERR_INVALID_ARG; } - ESP_FAULT_ASSERT(!paddr_chk); + ESP_FAULT_ASSERT(valid_addr); + return memspi_host_flush_cache(host, addr, size); } esp_err_t _ss_spi_flash_chip_generic_config_host_io_mode(esp_flash_t *chip, uint32_t flags) { + bool valid_addr = esp_tee_buf_in_ree(chip, sizeof(struct esp_flash_t)); + + if (!valid_addr) { + return ESP_ERR_INVALID_ARG; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_chip_generic_config_host_io_mode(chip, flags); } @@ -451,6 +559,13 @@ void _ss_mspi_timing_change_speed_mode_cache_safe(bool switch_down) void _ss_spi_timing_get_flash_timing_param(spi_flash_hal_timing_config_t *out_timing_config) { + bool valid_addr = esp_tee_buf_in_ree(out_timing_config, sizeof(spi_flash_hal_timing_config_t)); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + spi_timing_get_flash_timing_param(out_timing_config); } #endif
components/esp_tee/subproject/main/include/esp_tee_memory_utils.h+18 −3 modified@@ -1,10 +1,12 @@ /* - * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ #pragma once +#include <stddef.h> +#include <stdint.h> #include "esp_attr.h" #include "soc/soc.h" #include "soc/ext_mem_defs.h" @@ -16,17 +18,30 @@ extern "C" { FORCE_INLINE_ATTR bool esp_tee_ptr_in_ree(const void *p) { - intptr_t addr = (intptr_t)p; + uintptr_t addr = (uintptr_t)p; return ( (addr >= SOC_NS_IDRAM_START && addr < SOC_NS_IDRAM_END) || - (addr >= (intptr_t)esp_tee_app_config.ns_drom_start && + (addr >= (uintptr_t)esp_tee_app_config.ns_drom_start && addr < SOC_S_MMU_MMAP_RESV_START_VADDR) #if SOC_RTC_MEM_SUPPORTED || (addr >= SOC_RTC_DATA_LOW && addr < SOC_RTC_DATA_HIGH) #endif ); } +FORCE_INLINE_ATTR bool esp_tee_buf_in_ree(const void *p, size_t len) +{ + uintptr_t start = (uintptr_t)p; + + /* Reject zero-length and overflow */ + if (len == 0 || len > (SIZE_MAX - start)) { + return false; + } + + return esp_tee_ptr_in_ree(p) && + esp_tee_ptr_in_ree((const char *)p + len - 1); +} + #ifdef __cplusplus } #endif
components/esp_tee/test_apps/tee_cli_app/sdkconfig.ci.release+1 −3 modified@@ -1,8 +1,6 @@ -# Reducing TEE I/DRAM sizes +# Reducing TEE IRAM size # 29KB CONFIG_SECURE_TEE_IRAM_SIZE=0x7400 -# 20KB -CONFIG_SECURE_TEE_DRAM_SIZE=0x5000 # TEE Secure Storage: Release mode CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE=y
components/esp_tee/test_apps/tee_cli_app/sdkconfig.ci.sb_fe+6 −0 modified@@ -1,3 +1,9 @@ +# Increasing TEE I/DRAM sizes +# 34KB +CONFIG_SECURE_TEE_IRAM_SIZE=0x8800 +# 22KB +CONFIG_SECURE_TEE_DRAM_SIZE=0x5800 + # Security features - build-only configuration CONFIG_PARTITION_TABLE_OFFSET=0xf000
components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_sec_stg.c+6 −6 modified@@ -329,13 +329,13 @@ TEST_CASE("Test TEE Secure Storage - Null Pointer and Zero Length", "[sec_storag }; TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_encrypt(&aead_ctx, iv, sizeof(iv), NULL, sizeof(tag), data)); - TEST_ESP_ERR(ESP_ERR_INVALID_SIZE, esp_tee_sec_storage_aead_encrypt(&aead_ctx, iv, sizeof(iv), tag, 0, data)); + TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_encrypt(&aead_ctx, iv, sizeof(iv), tag, 0, data)); TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_encrypt(&aead_ctx, NULL, sizeof(iv), tag, sizeof(tag), data)); - TEST_ESP_ERR(ESP_ERR_INVALID_SIZE, esp_tee_sec_storage_aead_encrypt(&aead_ctx, iv, 0, tag, sizeof(tag), data)); + TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_encrypt(&aead_ctx, iv, 0, tag, sizeof(tag), data)); TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_decrypt(&aead_ctx, iv, sizeof(iv), NULL, sizeof(tag), data)); - TEST_ESP_ERR(ESP_ERR_INVALID_SIZE, esp_tee_sec_storage_aead_decrypt(&aead_ctx, iv, sizeof(iv), tag, 0, data)); + TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_decrypt(&aead_ctx, iv, sizeof(iv), tag, 0, data)); TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_decrypt(&aead_ctx, NULL, sizeof(iv), tag, sizeof(tag), data)); - TEST_ESP_ERR(ESP_ERR_INVALID_SIZE, esp_tee_sec_storage_aead_decrypt(&aead_ctx, iv, 0, tag, sizeof(tag), data)); + TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_decrypt(&aead_ctx, iv, 0, tag, sizeof(tag), data)); aead_ctx.input = NULL; aead_ctx.input_len = sizeof(data); @@ -344,8 +344,8 @@ TEST_CASE("Test TEE Secure Storage - Null Pointer and Zero Length", "[sec_storag aead_ctx.input = data; aead_ctx.input_len = 0; - TEST_ESP_ERR(ESP_ERR_INVALID_SIZE, esp_tee_sec_storage_aead_encrypt(&aead_ctx, iv, sizeof(iv), tag, sizeof(tag), data)); - TEST_ESP_ERR(ESP_ERR_INVALID_SIZE, esp_tee_sec_storage_aead_decrypt(&aead_ctx, iv, sizeof(iv), tag, sizeof(tag), data)); + TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_encrypt(&aead_ctx, iv, sizeof(iv), tag, sizeof(tag), data)); + TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_decrypt(&aead_ctx, iv, sizeof(iv), tag, sizeof(tag), data)); TEST_ESP_OK(esp_tee_sec_storage_clear_key(key_id));
components/esp_tee/test_apps/tee_test_fw/sdkconfig.ci.tee_ota+0 −4 modified@@ -16,7 +16,3 @@ CONFIG_SECURE_TEE_ATT_KEY_STR_ID="tee_att_keyN" # Enabling flash protection over SPI1 CONFIG_SECURE_TEE_EXT_FLASH_MEMPROT_SPI1=y - -# Increasing TEE DRAM size -# 20KB -CONFIG_SECURE_TEE_DRAM_SIZE=0x5000
components/esp_tee/test_apps/tee_test_fw/sdkconfig.defaults+3 −2 modified@@ -12,8 +12,9 @@ CONFIG_SECURE_TEE_TEST_MODE=y CONFIG_PARTITION_TABLE_SINGLE_APP_TEE=y CONFIG_PARTITION_TABLE_OFFSET=0xF000 -# TEE IRAM size -CONFIG_SECURE_TEE_IRAM_SIZE=0xC400 +# Increasing TEE I/DRAM size +CONFIG_SECURE_TEE_IRAM_SIZE=0x8800 +CONFIG_SECURE_TEE_DRAM_SIZE=0x5800 # Takes effect only when Secure boot is enabled CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT=y
7867f4a57560fix(esp_tee): Add missing input validation checks for TEE service calls
10 files changed · +416 −154
components/esp_tee/subproject/components/tee_ota_ops/esp_tee_ota_ops.c+1 −1 modified@@ -108,7 +108,7 @@ esp_err_t esp_tee_ota_write(uint32_t rel_offset, const void *data, size_t size) return ESP_ERR_INVALID_STATE; } - if (rel_offset + size > ota_handle.tee_next.pos.size) { + if (size > ota_handle.tee_next.pos.size || rel_offset > ota_handle.tee_next.pos.size - size) { ESP_LOGE(TAG, "Out of region write not allowed!"); return ESP_FAIL; }
components/esp_tee/subproject/main/common/multi_heap.c+5 −2 modified@@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2024-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -19,7 +19,10 @@ inline static void multi_heap_assert(bool condition, const char *format, int lin /* Can't use libc assert() here as it calls printf() which can cause another malloc() for a newlib lock. Also, it's useful to be able to print the memory address where corruption was detected. */ - (void) condition; + if (!condition) { + esp_rom_printf(format, line, address); + abort(); + } } #define MULTI_HEAP_ASSERT(CONDITION, ADDRESS) \
components/esp_tee/subproject/main/core/esp_secure_services.c+180 −52 modified@@ -27,6 +27,7 @@ #endif #include "psa/initial_attestation.h" #include "esp_crypto_periph_clk.h" +#include "nvs.h" #include "esp_tee.h" #include "esp_tee_memory_utils.h" @@ -60,8 +61,10 @@ int _ss_esp_aes_crypt_cbc(esp_aes_context *ctx, const unsigned char *input, unsigned char *output) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + length)) && esp_tee_ptr_in_ree((void *)(output + length)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_aes_context)) && + esp_tee_buf_in_ree(iv, 16) && + esp_tee_buf_in_ree(input, length) && + esp_tee_buf_in_ree(output, length)); if (!valid_addr) { return -1; @@ -79,8 +82,11 @@ int _ss_esp_aes_crypt_cfb128(esp_aes_context *ctx, const unsigned char *input, unsigned char *output) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + length)) && esp_tee_ptr_in_ree((void *)(output + length)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_aes_context)) && + esp_tee_buf_in_ree(iv_off, sizeof(size_t)) && + esp_tee_buf_in_ree(iv, 16) && + esp_tee_buf_in_ree(input, length) && + esp_tee_buf_in_ree(output, length)); if (!valid_addr) { return -1; @@ -97,8 +103,10 @@ int _ss_esp_aes_crypt_cfb8(esp_aes_context *ctx, const unsigned char *input, unsigned char *output) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + length)) && esp_tee_ptr_in_ree((void *)(output + length)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_aes_context)) && + esp_tee_buf_in_ree(iv, 16) && + esp_tee_buf_in_ree(input, length) && + esp_tee_buf_in_ree(output, length)); if (!valid_addr) { return -1; @@ -116,8 +124,12 @@ int _ss_esp_aes_crypt_ctr(esp_aes_context *ctx, const unsigned char *input, unsigned char *output) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + length)) && esp_tee_ptr_in_ree((void *)(output + length)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_aes_context)) && + esp_tee_buf_in_ree(nc_off, sizeof(size_t)) && + esp_tee_buf_in_ree(nonce_counter, 16) && + esp_tee_buf_in_ree(stream_block, 16) && + esp_tee_buf_in_ree(input, length) && + esp_tee_buf_in_ree(output, length)); if (!valid_addr) { return -1; @@ -132,8 +144,9 @@ int _ss_esp_aes_crypt_ecb(esp_aes_context *ctx, const unsigned char input[16], unsigned char output[16]) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + 16)) && esp_tee_ptr_in_ree((void *)(output + 16)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_aes_context)) && + esp_tee_buf_in_ree(input, 16) && + esp_tee_buf_in_ree(output, 16)); if (!valid_addr) { return -1; @@ -150,8 +163,11 @@ int _ss_esp_aes_crypt_ofb(esp_aes_context *ctx, const unsigned char *input, unsigned char *output) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + length)) && esp_tee_ptr_in_ree((void *)(output + length)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_aes_context)) && + esp_tee_buf_in_ree(iv_off, sizeof(size_t)) && + esp_tee_buf_in_ree(iv, 16) && + esp_tee_buf_in_ree(input, length) && + esp_tee_buf_in_ree(output, length)); if (!valid_addr) { return -1; @@ -165,10 +181,63 @@ int _ss_esp_aes_crypt_ofb(esp_aes_context *ctx, /* ---------------------------------------------- SHA ------------------------------------------------- */ #if SOC_SHA_SUPPORTED +static size_t get_sha_digest_size(esp_sha_type sha_type) +{ + switch (sha_type) { + case SHA1: return 20; + case SHA2_224: return 28; + case SHA2_256: return 32; +#if SOC_SHA_SUPPORT_SHA384 + case SHA2_384: return 48; +#endif +#if SOC_SHA_SUPPORT_SHA512 + case SHA2_512: return 64; +#endif + default: return 0; + } +} + +static size_t get_sha_state_size(esp_sha_type sha_type) +{ + switch (sha_type) { + case SHA1: return 20; + case SHA2_224: + case SHA2_256: return 32; +#if SOC_SHA_SUPPORT_SHA384 + case SHA2_384: return 64; +#endif +#if SOC_SHA_SUPPORT_SHA512 + case SHA2_512: return 64; +#endif + default: return 0; + } +} + +static size_t get_sha_block_size(esp_sha_type sha_type) +{ + switch (sha_type) { + case SHA1: + case SHA2_224: + case SHA2_256: return 64; +#if SOC_SHA_SUPPORT_SHA384 + case SHA2_384: return 128; +#endif +#if SOC_SHA_SUPPORT_SHA512 + case SHA2_512: return 128; +#endif + default: return 0; + } +} + void _ss_esp_sha(esp_sha_type sha_type, const unsigned char *input, size_t ilen, unsigned char *output) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)input) && esp_tee_ptr_in_ree((void *)output)) && - (esp_tee_ptr_in_ree((void *)(input + ilen)))); + size_t digest_size = get_sha_digest_size(sha_type); + if (digest_size == 0) { + return; + } + + bool valid_addr = (esp_tee_buf_in_ree(input, ilen) && + esp_tee_buf_in_ree(output, digest_size)); if (!valid_addr) { return; @@ -181,11 +250,9 @@ void _ss_esp_sha(esp_sha_type sha_type, const unsigned char *input, size_t ilen, int _ss_esp_sha_dma(esp_sha_type sha_type, const void *input, uint32_t ilen, const void *buf, uint32_t buf_len, bool is_first_block) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)input) && - esp_tee_ptr_in_ree((void *)((char *)input + ilen))); + bool valid_addr = esp_tee_buf_in_ree(input, ilen); if (buf_len) { - valid_addr &= (esp_tee_ptr_in_ree((void *)buf) && - esp_tee_ptr_in_ree((void *)((char *)buf + buf_len))); + valid_addr &= esp_tee_buf_in_ree(buf, buf_len); } if (!valid_addr) { @@ -198,16 +265,52 @@ int _ss_esp_sha_dma(esp_sha_type sha_type, const void *input, uint32_t ilen, void _ss_esp_sha_read_digest_state(esp_sha_type sha_type, void *digest_state) { + size_t state_sz = get_sha_state_size(sha_type); + if (state_sz == 0) { + return; + } + + bool valid_addr = esp_tee_buf_in_ree(digest_state, state_sz); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + sha_hal_read_digest(sha_type, digest_state); } void _ss_esp_sha_write_digest_state(esp_sha_type sha_type, void *digest_state) { + size_t state_sz = get_sha_state_size(sha_type); + if (state_sz == 0) { + return; + } + + bool valid_addr = esp_tee_buf_in_ree(digest_state, state_sz); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + sha_hal_write_digest(sha_type, digest_state); } void _ss_esp_sha_block(esp_sha_type sha_type, const void *data_block, bool is_first_block) { + size_t block_sz = get_sha_block_size(sha_type); + if (block_sz == 0) { + return; + } + + bool valid_addr = esp_tee_buf_in_ree(data_block, block_sz); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + esp_sha_block(sha_type, data_block, is_first_block); } @@ -234,8 +337,8 @@ int _ss_esp_sha_512_t_init_hash(uint16_t t) #if SOC_HMAC_SUPPORTED esp_err_t _ss_esp_hmac_calculate(hmac_key_id_t key_id, const void *message, size_t message_len, uint8_t *hmac) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)message) && esp_tee_ptr_in_ree((void *)hmac)) && - esp_tee_ptr_in_ree((void *)((char *)message + message_len))); + bool valid_addr = (esp_tee_buf_in_ree(message, message_len) && + esp_tee_buf_in_ree(hmac, 32)); #if CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE valid_addr &= (key_id != (hmac_key_id_t)CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID); @@ -252,7 +355,7 @@ esp_err_t _ss_esp_hmac_calculate(hmac_key_id_t key_id, const void *message, size esp_err_t _ss_esp_hmac_jtag_enable(hmac_key_id_t key_id, const uint8_t *token) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)token)); + bool valid_addr = esp_tee_buf_in_ree((void *)token, 32); #if CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE valid_addr &= (key_id != (hmac_key_id_t)CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID); @@ -274,14 +377,23 @@ esp_err_t _ss_esp_hmac_jtag_disable(void) #endif #if SOC_DIG_SIGN_SUPPORTED +static size_t get_ds_msg_sign_len(esp_digital_signature_length_t rsa_length) +{ + if (rsa_length != ESP_DS_RSA_1024 && rsa_length != ESP_DS_RSA_2048 && + rsa_length != ESP_DS_RSA_3072 && rsa_length != ESP_DS_RSA_4096) { + return 0; + } + return (size_t)(rsa_length + 1) * 4; +} + esp_err_t _ss_esp_ds_sign(const void *message, const esp_ds_data_t *data, hmac_key_id_t key_id, void *signature) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)message) && - esp_tee_ptr_in_ree((void *)data) && - esp_tee_ptr_in_ree((void *)signature)); + bool valid_addr = esp_tee_buf_in_ree(data, sizeof(esp_ds_data_t)); + size_t n = get_ds_msg_sign_len(data->rsa_length); + valid_addr = (n > 0) && esp_tee_buf_in_ree(message, n) && esp_tee_buf_in_ree(signature, n); #if CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE valid_addr &= (key_id != (hmac_key_id_t)CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID); @@ -301,9 +413,10 @@ esp_err_t _ss_esp_ds_start_sign(const void *message, hmac_key_id_t key_id, esp_ds_context_t **esp_ds_ctx) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)message) && - esp_tee_ptr_in_ree((void *)data) && - esp_tee_ptr_in_ree((void *)esp_ds_ctx)); + bool valid_addr = (esp_tee_buf_in_ree(esp_ds_ctx, sizeof(esp_ds_context_t *)) && + esp_tee_buf_in_ree(data, sizeof(esp_ds_data_t))); + size_t n = get_ds_msg_sign_len(data->rsa_length); + valid_addr = (n > 0) && esp_tee_buf_in_ree(message, n); #if CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE valid_addr &= (key_id != (hmac_key_id_t)CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID); @@ -325,10 +438,8 @@ bool _ss_esp_ds_is_busy(void) esp_err_t _ss_esp_ds_finish_sign(void *signature, esp_ds_context_t *esp_ds_ctx) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)signature) && - esp_tee_ptr_in_ree((void *)esp_ds_ctx)); - - valid_addr &= esp_tee_ptr_in_ree((void *)((char *)esp_ds_ctx + sizeof(esp_ds_data_t))); + const size_t max_sign = get_ds_msg_sign_len(ESP_DS_RSA_4096); + bool valid_addr = esp_tee_buf_in_ree(signature, max_sign); if (!valid_addr) { return ESP_ERR_INVALID_ARG; @@ -343,12 +454,10 @@ esp_err_t _ss_esp_ds_encrypt_params(esp_ds_data_t *data, const esp_ds_p_data_t *p_data, const void *key) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)data) && esp_tee_ptr_in_ree((void *)p_data)) && - (esp_tee_ptr_in_ree((void *)iv) && esp_tee_ptr_in_ree((void *)key))); - - valid_addr &= esp_tee_ptr_in_ree((void *)((char *)data + sizeof(esp_ds_data_t))); - valid_addr &= esp_tee_ptr_in_ree((void *)((char *)p_data + sizeof(esp_ds_p_data_t))); - valid_addr &= esp_tee_ptr_in_ree((void *)((char *)key + ESP_DS_DATA_KEY_SIZE)); + bool valid_addr = (esp_tee_buf_in_ree(data, sizeof(esp_ds_data_t)) && + esp_tee_buf_in_ree(iv, ESP_DS_IV_LEN) && + esp_tee_buf_in_ree(p_data, sizeof(esp_ds_p_data_t)) && + esp_tee_buf_in_ree(key, ESP_DS_DATA_KEY_SIZE)); if (!valid_addr) { return ESP_ERR_INVALID_ARG; @@ -364,12 +473,10 @@ esp_err_t _ss_esp_ds_encrypt_params_using_key_type(esp_ds_data_t *data, const void *key, esp_ds_key_type_t key_type) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)data) && esp_tee_ptr_in_ree((void *)p_data)) && - (esp_tee_ptr_in_ree((void *)iv) && esp_tee_ptr_in_ree((void *)key))); - - valid_addr &= esp_tee_ptr_in_ree((void *)((char *)data + sizeof(esp_ds_data_t))); - valid_addr &= esp_tee_ptr_in_ree((void *)((char *)p_data + sizeof(esp_ds_p_data_t))); - valid_addr &= esp_tee_ptr_in_ree((void *)((char *)key + ESP_DS_DATA_KEY_SIZE)); + bool valid_addr = (esp_tee_buf_in_ree(data, sizeof(esp_ds_data_t)) && + esp_tee_buf_in_ree(iv, ESP_DS_IV_LEN) && + esp_tee_buf_in_ree(p_data, sizeof(esp_ds_p_data_t)) && + esp_tee_buf_in_ree(key, ESP_DS_DATA_KEY_SIZE)); if (!valid_addr) { return ESP_ERR_INVALID_ARG; @@ -394,8 +501,11 @@ void _ss_esp_crypto_mpi_enable_periph_clk(bool enable) #if SOC_ECC_SUPPORTED int _ss_esp_ecc_point_multiply(const ecc_point_t *point, const uint8_t *scalar, ecc_point_t *result, bool verify_first) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)result)) && - esp_tee_ptr_in_ree((void *)((char *)result + sizeof(ecc_point_t))); + bool valid_addr = (esp_tee_buf_in_ree(point, sizeof(ecc_point_t)) && + esp_tee_buf_in_ree(result, sizeof(ecc_point_t))); + if (valid_addr) { + valid_addr = esp_tee_buf_in_ree(scalar, MAX_SIZE); + } if (!valid_addr) { return -1; @@ -407,6 +517,13 @@ int _ss_esp_ecc_point_multiply(const ecc_point_t *point, const uint8_t *scalar, int _ss_esp_ecc_point_verify(const ecc_point_t *point) { + bool valid_addr = esp_tee_buf_in_ree(point, sizeof(ecc_point_t)); + + if (!valid_addr) { + return -1; + } + ESP_FAULT_ASSERT(valid_addr); + return esp_ecc_point_verify(point); } #endif @@ -427,8 +544,7 @@ int _ss_esp_tee_ota_begin(void) int _ss_esp_tee_ota_write(uint32_t rel_offset, void *data, size_t size) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)data)) && - (esp_tee_ptr_in_ree((void *)((char *)data + size)))); + bool valid_addr = esp_tee_buf_in_ree(data, size); if (!valid_addr) { return -1; @@ -452,6 +568,13 @@ esp_err_t _ss_esp_tee_sec_storage_clear_key(const char *key_id) esp_err_t _ss_esp_tee_sec_storage_gen_key(const esp_tee_sec_storage_key_cfg_t *cfg) { + bool valid_addr = esp_tee_buf_in_ree(cfg, sizeof(esp_tee_sec_storage_key_cfg_t)); + + if (!valid_addr) { + return ESP_ERR_INVALID_ARG; + } + ESP_FAULT_ASSERT(valid_addr); + return esp_tee_sec_storage_gen_key(cfg); } @@ -475,11 +598,9 @@ psa_status_t _ss_psa_initial_attest_get_token(const uint8_t *auth_challenge, siz uint8_t *token_buf, size_t token_buf_size, size_t *token_size) { #if CONFIG_SECURE_TEE_ATTESTATION - bool valid_addr = (esp_tee_ptr_in_ree((void *)auth_challenge) && - esp_tee_ptr_in_ree((void *)token_buf) && - esp_tee_ptr_in_ree((void *)token_size)); - valid_addr &= (esp_tee_ptr_in_ree((void *)((uint8_t *)auth_challenge + challenge_size)) && - esp_tee_ptr_in_ree((void *)((uint8_t *)token_buf + token_buf_size))); + bool valid_addr = (esp_tee_buf_in_ree(auth_challenge, challenge_size) && + esp_tee_buf_in_ree(token_buf, token_buf_size) && + esp_tee_buf_in_ree(token_size, sizeof(size_t))); if (!valid_addr) { return PSA_ERROR_INVALID_ARGUMENT; @@ -495,6 +616,13 @@ psa_status_t _ss_psa_initial_attest_get_token(const uint8_t *auth_challenge, siz psa_status_t _ss_psa_initial_attest_get_token_size(size_t challenge_size, size_t *token_size) { #if CONFIG_SECURE_TEE_ATTESTATION + bool valid_addr = esp_tee_buf_in_ree(token_size, sizeof(size_t)); + + if (!valid_addr) { + return PSA_ERROR_INVALID_ARGUMENT; + } + ESP_FAULT_ASSERT(valid_addr); + return esp_err_to_psa_status(esp_att_get_token_size(challenge_size, token_size)); #else return PSA_ERROR_NOT_SUPPORTED;
components/esp_tee/subproject/main/core/esp_secure_services_iram.c+196 −81 modified@@ -20,13 +20,15 @@ #include "esp_private/memspi_host_driver.h" #include "esp_private/mspi_timing_tuning.h" #include "esp_flash.h" +#include "esp_flash_chips/esp_flash_types.h" #include "riscv/rv_utils.h" #include "esp_tee.h" #include "esp_tee_memory_utils.h" #include "esp_tee_intr.h" #include "esp_tee_rv_utils.h" +#include "nvs.h" #include "esp_tee_flash.h" #include "esp_tee_sec_storage.h" @@ -114,21 +116,35 @@ void _ss_esprv_int_set_vectored(int rv_int_num, bool vectored) void _ss_wdt_hal_init(wdt_hal_context_t *hal, wdt_inst_t wdt_inst, uint32_t prescaler, bool enable_intr) { + bool valid_addr = esp_tee_buf_in_ree(hal, sizeof(wdt_hal_context_t)); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + wdt_hal_init(hal, wdt_inst, prescaler, enable_intr); } void _ss_wdt_hal_deinit(wdt_hal_context_t *hal) { + bool valid_addr = esp_tee_buf_in_ree(hal, sizeof(wdt_hal_context_t)); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + wdt_hal_deinit(hal); } /* ---------------------------------------------- Secure Storage ------------------------------------------------- */ esp_err_t _ss_esp_tee_sec_storage_ecdsa_sign(const esp_tee_sec_storage_key_cfg_t *cfg, const uint8_t *hash, size_t hlen, esp_tee_sec_storage_ecdsa_sign_t *out_sign) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)hash) && esp_tee_ptr_in_ree((void *)out_sign)) && - (esp_tee_ptr_in_ree((void *)(hash + hlen)) && - esp_tee_ptr_in_ree((void *)((char *)out_sign + sizeof(esp_tee_sec_storage_ecdsa_sign_t))))); + bool valid_addr = (esp_tee_buf_in_ree(cfg, sizeof(esp_tee_sec_storage_key_cfg_t)) && + esp_tee_buf_in_ree(hash, hlen) && + esp_tee_buf_in_ree(out_sign, sizeof(esp_tee_sec_storage_ecdsa_sign_t))); if (!valid_addr) { return ESP_ERR_INVALID_ARG; @@ -140,8 +156,8 @@ esp_err_t _ss_esp_tee_sec_storage_ecdsa_sign(const esp_tee_sec_storage_key_cfg_t esp_err_t _ss_esp_tee_sec_storage_ecdsa_get_pubkey(const esp_tee_sec_storage_key_cfg_t *cfg, esp_tee_sec_storage_ecdsa_pubkey_t *out_pubkey) { - bool valid_addr = ((esp_tee_ptr_in_ree((void *)out_pubkey)) && - (esp_tee_ptr_in_ree((void *)((char *)out_pubkey + sizeof(esp_tee_sec_storage_ecdsa_pubkey_t))))); + bool valid_addr = (esp_tee_buf_in_ree(cfg, sizeof(esp_tee_sec_storage_key_cfg_t)) && + esp_tee_buf_in_ree(out_pubkey, sizeof(esp_tee_sec_storage_ecdsa_pubkey_t))); if (!valid_addr) { return ESP_ERR_INVALID_ARG; @@ -153,18 +169,14 @@ esp_err_t _ss_esp_tee_sec_storage_ecdsa_get_pubkey(const esp_tee_sec_storage_key esp_err_t _ss_esp_tee_sec_storage_aead_encrypt(const esp_tee_sec_storage_aead_ctx_t *ctx, uint8_t *iv, size_t iv_len, uint8_t *tag, size_t tag_len, uint8_t *output) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)ctx->input) && - esp_tee_ptr_in_ree((void *)iv) && - esp_tee_ptr_in_ree((void *)tag) && - esp_tee_ptr_in_ree((void *)output)); - - valid_addr &= (esp_tee_ptr_in_ree((void *)(ctx->input + ctx->input_len)) && - esp_tee_ptr_in_ree((void *)(iv + iv_len)) && - esp_tee_ptr_in_ree((void *)(tag + tag_len)) && - esp_tee_ptr_in_ree((void *)(output + ctx->input_len))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_tee_sec_storage_aead_ctx_t)) && + esp_tee_buf_in_ree(ctx->input, ctx->input_len) && + esp_tee_buf_in_ree(iv, iv_len) && + esp_tee_buf_in_ree(tag, tag_len) && + esp_tee_buf_in_ree(output, ctx->input_len)); - if (ctx->aad) { - valid_addr &= (esp_tee_ptr_in_ree((void *)ctx->aad) && esp_tee_ptr_in_ree((void *)(ctx->aad + ctx->aad_len))); + if (ctx->aad_len != 0) { + valid_addr = esp_tee_buf_in_ree(ctx->aad, ctx->aad_len); } if (!valid_addr) { @@ -177,18 +189,14 @@ esp_err_t _ss_esp_tee_sec_storage_aead_encrypt(const esp_tee_sec_storage_aead_ct esp_err_t _ss_esp_tee_sec_storage_aead_decrypt(const esp_tee_sec_storage_aead_ctx_t *ctx, const uint8_t *iv, size_t iv_len, const uint8_t *tag, size_t tag_len, uint8_t *output) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)ctx->input) && - esp_tee_ptr_in_ree((void *)iv) && - esp_tee_ptr_in_ree((void *)tag) && - esp_tee_ptr_in_ree((void *)output)); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_tee_sec_storage_aead_ctx_t)) && + esp_tee_buf_in_ree(ctx->input, ctx->input_len) && + esp_tee_buf_in_ree(iv, iv_len) && + esp_tee_buf_in_ree(tag, tag_len) && + esp_tee_buf_in_ree(output, ctx->input_len)); - valid_addr &= (esp_tee_ptr_in_ree((void *)(ctx->input + ctx->input_len)) && - esp_tee_ptr_in_ree((void *)(iv + iv_len)) && - esp_tee_ptr_in_ree((void *)(tag + tag_len)) && - esp_tee_ptr_in_ree((void *)(output + ctx->input_len))); - - if (ctx->aad) { - valid_addr &= (esp_tee_ptr_in_ree((void *)ctx->aad) && esp_tee_ptr_in_ree((void *)(ctx->aad + ctx->aad_len))); + if (ctx->aad_len != 0) { + valid_addr = esp_tee_buf_in_ree(ctx->aad, ctx->aad_len); } if (!valid_addr) { @@ -201,15 +209,11 @@ esp_err_t _ss_esp_tee_sec_storage_aead_decrypt(const esp_tee_sec_storage_aead_ct esp_err_t _ss_esp_tee_sec_storage_ecdsa_sign_pbkdf2(const esp_tee_sec_storage_pbkdf2_ctx_t *ctx, const uint8_t *hash, size_t hlen, esp_tee_sec_storage_ecdsa_sign_t *out_sign, esp_tee_sec_storage_ecdsa_pubkey_t *out_pubkey) { - bool valid_addr = (esp_tee_ptr_in_ree((void *)ctx) && - esp_tee_ptr_in_ree((void *)hash) && - esp_tee_ptr_in_ree((void *)out_sign) && - esp_tee_ptr_in_ree((void *)out_pubkey)); - - valid_addr &= (esp_tee_ptr_in_ree((void *)((char *)ctx + sizeof(esp_tee_sec_storage_pbkdf2_ctx_t))) && - esp_tee_ptr_in_ree((void *)(hash + hlen)) && - esp_tee_ptr_in_ree((void *)((char *)out_sign + sizeof(esp_tee_sec_storage_ecdsa_sign_t))) && - esp_tee_ptr_in_ree((void *)((char *)out_pubkey + sizeof(esp_tee_sec_storage_ecdsa_pubkey_t)))); + bool valid_addr = (esp_tee_buf_in_ree(ctx, sizeof(esp_tee_sec_storage_pbkdf2_ctx_t)) && + esp_tee_buf_in_ree(hash, hlen) && + esp_tee_buf_in_ree(out_sign, sizeof(esp_tee_sec_storage_ecdsa_sign_t)) && + esp_tee_buf_in_ree(out_pubkey, sizeof(esp_tee_sec_storage_ecdsa_pubkey_t)) && + esp_tee_buf_in_ree(ctx->salt, ctx->salt_len)); if (!valid_addr) { return ESP_ERR_INVALID_ARG; @@ -224,20 +228,23 @@ esp_err_t _ss_esp_tee_sec_storage_ecdsa_sign_pbkdf2(const esp_tee_sec_storage_pb void _ss_mmu_hal_map_region(uint32_t mmu_id, mmu_target_t mem_type, uint32_t vaddr, uint32_t paddr, uint32_t len, uint32_t *out_len) { - bool vaddr_chk = esp_tee_flash_check_vrange_in_tee_region(vaddr, len); - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(paddr, len); - if (vaddr_chk || paddr_chk) { + bool valid_addr = (!esp_tee_flash_check_vrange_in_tee_region(vaddr, len) && + !esp_tee_flash_check_prange_in_tee_region(paddr, len) && + esp_tee_buf_in_ree(out_len, sizeof(uint32_t))); + + if (!valid_addr) { ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x | 0x%08x", __func__, vaddr, paddr); return; } - ESP_FAULT_ASSERT(!vaddr_chk && !paddr_chk); + ESP_FAULT_ASSERT(valid_addr); mmu_hal_map_region(mmu_id, mem_type, vaddr, paddr, len, out_len); } void _ss_mmu_hal_unmap_region(uint32_t mmu_id, uint32_t vaddr, uint32_t len) { bool vaddr_chk = esp_tee_flash_check_vrange_in_tee_region(vaddr, len); + if (vaddr_chk) { ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, vaddr); return; @@ -249,21 +256,28 @@ void _ss_mmu_hal_unmap_region(uint32_t mmu_id, uint32_t vaddr, uint32_t len) bool _ss_mmu_hal_vaddr_to_paddr(uint32_t mmu_id, uint32_t vaddr, uint32_t *out_paddr, mmu_target_t *out_target) { - bool vaddr_chk = esp_tee_flash_check_vaddr_in_tee_region(vaddr); - if (vaddr_chk) { + bool valid_addr = (!esp_tee_flash_check_vaddr_in_tee_region(vaddr) && + esp_tee_buf_in_ree(out_paddr, sizeof(uint32_t)) && + esp_tee_buf_in_ree(out_target, sizeof(mmu_target_t))); + + if (!valid_addr) { return false; } - ESP_FAULT_ASSERT(!vaddr_chk); + ESP_FAULT_ASSERT(valid_addr); + return mmu_hal_vaddr_to_paddr(mmu_id, vaddr, out_paddr, out_target); } bool _ss_mmu_hal_paddr_to_vaddr(uint32_t mmu_id, uint32_t paddr, mmu_target_t target, mmu_vaddr_t type, uint32_t *out_vaddr) { - bool paddr_chk = esp_tee_flash_check_paddr_in_tee_region(paddr); - if (paddr_chk) { + bool valid_addr = (!esp_tee_flash_check_paddr_in_tee_region(paddr) && + esp_tee_buf_in_ree(out_vaddr, sizeof(uint32_t))); + + if (!valid_addr) { return false; } - ESP_FAULT_ASSERT(!paddr_chk); + ESP_FAULT_ASSERT(valid_addr); + return mmu_hal_paddr_to_vaddr(mmu_id, paddr, target, type, out_vaddr); } @@ -277,110 +291,192 @@ void _ss_Cache_Set_IDROM_MMU_Size(uint32_t irom_size, uint32_t drom_size) #if CONFIG_SECURE_TEE_EXT_FLASH_MEMPROT_SPI1 /* ---------------------------------------------- SPI Flash HAL ------------------------------------------------- */ +static bool is_spi_host_in_ree(spi_flash_host_inst_t *host) +{ + return esp_tee_buf_in_ree(host, sizeof(spi_flash_host_inst_t)); +} + +static bool is_spi_trans_valid(spi_flash_host_inst_t *host, spi_flash_trans_t *trans) +{ + bool valid_addr = (is_spi_host_in_ree(host) && + esp_tee_buf_in_ree(trans, sizeof(spi_flash_trans_t))); + + if (trans->mosi_len != 0) { + valid_addr &= esp_tee_buf_in_ree(trans->mosi_data, trans->mosi_len); + } + if (trans->miso_len != 0) { + valid_addr &= esp_tee_buf_in_ree(trans->miso_data, trans->miso_len); + } + return valid_addr; +} + uint32_t _ss_spi_flash_hal_check_status(spi_flash_host_inst_t *host) { + bool valid_addr = is_spi_host_in_ree(host); + + if (!valid_addr) { + return 0; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_check_status(host); } esp_err_t _ss_spi_flash_hal_common_command(spi_flash_host_inst_t *host, spi_flash_trans_t *trans) { - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(trans->address, trans->mosi_len); - paddr_chk |= esp_tee_flash_check_prange_in_tee_region(trans->address, trans->miso_len); - if (paddr_chk) { + bool valid_addr = (is_spi_trans_valid(host, trans) && + !esp_tee_flash_check_prange_in_tee_region(trans->address, trans->mosi_len) && + !esp_tee_flash_check_prange_in_tee_region(trans->address, trans->miso_len)); + + if (!valid_addr) { ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, trans->address); - return ESP_FAIL; + return ESP_ERR_INVALID_ARG; } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_common_command(host, trans); } esp_err_t _ss_spi_flash_hal_device_config(spi_flash_host_inst_t *host) { + bool valid_addr = is_spi_host_in_ree(host); + + if (!valid_addr) { + return ESP_ERR_INVALID_ARG; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_device_config(host); } void _ss_spi_flash_hal_erase_block(spi_flash_host_inst_t *host, uint32_t start_address) { - bool paddr_chk = esp_tee_flash_check_paddr_in_tee_region(start_address); - if (paddr_chk) { + bool valid_addr = (is_spi_host_in_ree(host) && + !esp_tee_flash_check_paddr_in_tee_region(start_address)); + + if (!valid_addr) { ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, start_address); return; } - ESP_FAULT_ASSERT(!paddr_chk); + ESP_FAULT_ASSERT(valid_addr); + spi_flash_hal_erase_block(host, start_address); } void _ss_spi_flash_hal_erase_sector(spi_flash_host_inst_t *host, uint32_t start_address) { - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(start_address, FLASH_SECTOR_SIZE); - if (paddr_chk) { + bool valid_addr = (is_spi_host_in_ree(host) && + !esp_tee_flash_check_prange_in_tee_region(start_address, FLASH_SECTOR_SIZE)); + + if (!valid_addr) { ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, start_address); return; } - ESP_FAULT_ASSERT(!paddr_chk); + ESP_FAULT_ASSERT(valid_addr); + spi_flash_hal_erase_sector(host, start_address); } void _ss_spi_flash_hal_program_page(spi_flash_host_inst_t *host, const void *buffer, uint32_t address, uint32_t length) { - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(address, length); - if (paddr_chk) { - ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, address); - return; - } + bool valid_addr = (is_spi_host_in_ree(host) && + !esp_tee_flash_check_prange_in_tee_region(address, length) && + esp_tee_buf_in_ree(buffer, length)); - bool buf_addr_chk = ((esp_tee_ptr_in_ree((void *)buffer) && esp_tee_ptr_in_ree((void *)(buffer + length)))); - if (!buf_addr_chk) { + if (!valid_addr) { + ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, address); return; } + ESP_FAULT_ASSERT(valid_addr); - ESP_FAULT_ASSERT(!paddr_chk && buf_addr_chk); spi_flash_hal_program_page(host, buffer, address, length); } esp_err_t _ss_spi_flash_hal_read(spi_flash_host_inst_t *host, void *buffer, uint32_t address, uint32_t read_len) { - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(address, read_len); - if (paddr_chk) { - ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, address); - return ESP_FAIL; - } + bool valid_addr = (is_spi_host_in_ree(host) && + !esp_tee_flash_check_prange_in_tee_region(address, read_len) && + esp_tee_buf_in_ree(buffer, read_len)); - bool buf_addr_chk = ((esp_tee_ptr_in_ree((void *)buffer) && esp_tee_ptr_in_ree((void *)(buffer + read_len)))); - if (!buf_addr_chk) { - return ESP_FAIL; + if (!valid_addr) { + ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, address); + return ESP_ERR_INVALID_ARG; } + ESP_FAULT_ASSERT(valid_addr); - ESP_FAULT_ASSERT(!paddr_chk && buf_addr_chk); return spi_flash_hal_read(host, buffer, address, read_len); } void _ss_spi_flash_hal_resume(spi_flash_host_inst_t *host) { + bool valid_addr = is_spi_host_in_ree(host); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + spi_flash_hal_resume(host); } esp_err_t _ss_spi_flash_hal_set_write_protect(spi_flash_host_inst_t *host, bool wp) { + bool valid_addr = is_spi_host_in_ree(host); + + if (!valid_addr) { + return ESP_ERR_INVALID_ARG; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_set_write_protect(host, wp); } esp_err_t _ss_spi_flash_hal_setup_read_suspend(spi_flash_host_inst_t *host, const spi_flash_sus_cmd_conf *sus_conf) { + bool valid_addr = (is_spi_host_in_ree(host) && + esp_tee_buf_in_ree(sus_conf, sizeof(spi_flash_sus_cmd_conf))); + + if (!valid_addr) { + return ESP_ERR_INVALID_ARG; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_setup_read_suspend(host, sus_conf); } bool _ss_spi_flash_hal_supports_direct_read(spi_flash_host_inst_t *host, const void *p) { + bool valid_addr = (is_spi_host_in_ree(host) && esp_tee_ptr_in_ree(p)); + + if (!valid_addr) { + return false; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_supports_direct_read(host, p); } bool _ss_spi_flash_hal_supports_direct_write(spi_flash_host_inst_t *host, const void *p) { + bool valid_addr = (is_spi_host_in_ree(host) && esp_tee_ptr_in_ree(p)); + + if (!valid_addr) { + return false; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_hal_supports_direct_write(host, p); } void _ss_spi_flash_hal_suspend(spi_flash_host_inst_t *host) { + bool valid_addr = is_spi_host_in_ree(host); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + spi_flash_hal_suspend(host); } @@ -397,29 +493,41 @@ uint32_t _ss_bootloader_flash_execute_command_common( uint8_t mosi_len, uint32_t mosi_data, uint8_t miso_len) { - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(address, mosi_len); - paddr_chk |= esp_tee_flash_check_prange_in_tee_region(address, miso_len); - if (paddr_chk) { + bool valid_addr = (!esp_tee_flash_check_prange_in_tee_region(address, mosi_len) && + !esp_tee_flash_check_prange_in_tee_region(address, miso_len)); + + if (!valid_addr) { ESP_LOGD(TAG, "[%s] Illegal flash access at 0x%08x", __func__, address); return 0; } - ESP_FAULT_ASSERT(!paddr_chk); + ESP_FAULT_ASSERT(valid_addr); + return bootloader_flash_execute_command_common(command, addr_len, address, dummy_len, mosi_len, mosi_data, miso_len); } esp_err_t _ss_memspi_host_flush_cache(spi_flash_host_inst_t *host, uint32_t addr, uint32_t size) { - bool paddr_chk = esp_tee_flash_check_prange_in_tee_region(addr, size); - if (paddr_chk) { - return ESP_FAIL; + bool valid_addr = (is_spi_host_in_ree(host) && + !esp_tee_flash_check_prange_in_tee_region(addr, size)); + + if (!valid_addr) { + return ESP_ERR_INVALID_ARG; } - ESP_FAULT_ASSERT(!paddr_chk); + ESP_FAULT_ASSERT(valid_addr); + return memspi_host_flush_cache(host, addr, size); } esp_err_t _ss_spi_flash_chip_generic_config_host_io_mode(esp_flash_t *chip, uint32_t flags) { + bool valid_addr = esp_tee_buf_in_ree(chip, sizeof(struct esp_flash_t)); + + if (!valid_addr) { + return ESP_ERR_INVALID_ARG; + } + ESP_FAULT_ASSERT(valid_addr); + return spi_flash_chip_generic_config_host_io_mode(chip, flags); } @@ -451,6 +559,13 @@ void _ss_mspi_timing_change_speed_mode_cache_safe(bool switch_down) void _ss_spi_timing_get_flash_timing_param(spi_flash_hal_timing_config_t *out_timing_config) { + bool valid_addr = esp_tee_buf_in_ree(out_timing_config, sizeof(spi_flash_hal_timing_config_t)); + + if (!valid_addr) { + return; + } + ESP_FAULT_ASSERT(valid_addr); + spi_timing_get_flash_timing_param(out_timing_config); } #endif
components/esp_tee/subproject/main/include/esp_tee_memory_utils.h+18 −3 modified@@ -1,10 +1,12 @@ /* - * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ #pragma once +#include <stddef.h> +#include <stdint.h> #include "esp_attr.h" #include "soc/soc.h" #include "soc/ext_mem_defs.h" @@ -16,17 +18,30 @@ extern "C" { FORCE_INLINE_ATTR bool esp_tee_ptr_in_ree(const void *p) { - intptr_t addr = (intptr_t)p; + uintptr_t addr = (uintptr_t)p; return ( (addr >= SOC_NS_IDRAM_START && addr < SOC_NS_IDRAM_END) || - (addr >= (intptr_t)esp_tee_app_config.ns_drom_start && + (addr >= (uintptr_t)esp_tee_app_config.ns_drom_start && addr < SOC_S_MMU_MMAP_RESV_START_VADDR) #if SOC_RTC_MEM_SUPPORTED || (addr >= SOC_RTC_DATA_LOW && addr < SOC_RTC_DATA_HIGH) #endif ); } +FORCE_INLINE_ATTR bool esp_tee_buf_in_ree(const void *p, size_t len) +{ + uintptr_t start = (uintptr_t)p; + + /* Reject zero-length and overflow */ + if (len == 0 || len > (SIZE_MAX - start)) { + return false; + } + + return esp_tee_ptr_in_ree(p) && + esp_tee_ptr_in_ree((const char *)p + len - 1); +} + #ifdef __cplusplus } #endif
components/esp_tee/test_apps/tee_cli_app/sdkconfig.ci.release+1 −3 modified@@ -1,8 +1,6 @@ -# Reducing TEE I/DRAM sizes +# Reducing TEE IRAM size # 29KB CONFIG_SECURE_TEE_IRAM_SIZE=0x7400 -# 20KB -CONFIG_SECURE_TEE_DRAM_SIZE=0x5000 # TEE Secure Storage: Release mode CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE=y
components/esp_tee/test_apps/tee_cli_app/sdkconfig.ci.sb_fe+6 −0 modified@@ -1,3 +1,9 @@ +# Increasing TEE I/DRAM sizes +# 34KB +CONFIG_SECURE_TEE_IRAM_SIZE=0x8800 +# 22KB +CONFIG_SECURE_TEE_DRAM_SIZE=0x5800 + # Security features - build-only configuration CONFIG_PARTITION_TABLE_OFFSET=0xf000
components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_sec_stg.c+6 −6 modified@@ -329,13 +329,13 @@ TEST_CASE("Test TEE Secure Storage - Null Pointer and Zero Length", "[sec_storag }; TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_encrypt(&aead_ctx, iv, sizeof(iv), NULL, sizeof(tag), data)); - TEST_ESP_ERR(ESP_ERR_INVALID_SIZE, esp_tee_sec_storage_aead_encrypt(&aead_ctx, iv, sizeof(iv), tag, 0, data)); + TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_encrypt(&aead_ctx, iv, sizeof(iv), tag, 0, data)); TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_encrypt(&aead_ctx, NULL, sizeof(iv), tag, sizeof(tag), data)); - TEST_ESP_ERR(ESP_ERR_INVALID_SIZE, esp_tee_sec_storage_aead_encrypt(&aead_ctx, iv, 0, tag, sizeof(tag), data)); + TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_encrypt(&aead_ctx, iv, 0, tag, sizeof(tag), data)); TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_decrypt(&aead_ctx, iv, sizeof(iv), NULL, sizeof(tag), data)); - TEST_ESP_ERR(ESP_ERR_INVALID_SIZE, esp_tee_sec_storage_aead_decrypt(&aead_ctx, iv, sizeof(iv), tag, 0, data)); + TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_decrypt(&aead_ctx, iv, sizeof(iv), tag, 0, data)); TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_decrypt(&aead_ctx, NULL, sizeof(iv), tag, sizeof(tag), data)); - TEST_ESP_ERR(ESP_ERR_INVALID_SIZE, esp_tee_sec_storage_aead_decrypt(&aead_ctx, iv, 0, tag, sizeof(tag), data)); + TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_decrypt(&aead_ctx, iv, 0, tag, sizeof(tag), data)); aead_ctx.input = NULL; aead_ctx.input_len = sizeof(data); @@ -344,8 +344,8 @@ TEST_CASE("Test TEE Secure Storage - Null Pointer and Zero Length", "[sec_storag aead_ctx.input = data; aead_ctx.input_len = 0; - TEST_ESP_ERR(ESP_ERR_INVALID_SIZE, esp_tee_sec_storage_aead_encrypt(&aead_ctx, iv, sizeof(iv), tag, sizeof(tag), data)); - TEST_ESP_ERR(ESP_ERR_INVALID_SIZE, esp_tee_sec_storage_aead_decrypt(&aead_ctx, iv, sizeof(iv), tag, sizeof(tag), data)); + TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_encrypt(&aead_ctx, iv, sizeof(iv), tag, sizeof(tag), data)); + TEST_ESP_ERR(ESP_ERR_INVALID_ARG, esp_tee_sec_storage_aead_decrypt(&aead_ctx, iv, sizeof(iv), tag, sizeof(tag), data)); TEST_ESP_OK(esp_tee_sec_storage_clear_key(key_id));
components/esp_tee/test_apps/tee_test_fw/sdkconfig.ci.tee_ota+0 −4 modified@@ -16,7 +16,3 @@ CONFIG_SECURE_TEE_ATT_KEY_STR_ID="tee_att_keyN" # Enabling flash protection over SPI1 CONFIG_SECURE_TEE_EXT_FLASH_MEMPROT_SPI1=y - -# Increasing TEE DRAM size -# 20KB -CONFIG_SECURE_TEE_DRAM_SIZE=0x5000
components/esp_tee/test_apps/tee_test_fw/sdkconfig.defaults+3 −2 modified@@ -12,5 +12,6 @@ CONFIG_SECURE_TEE_TEST_MODE=y CONFIG_PARTITION_TABLE_SINGLE_APP_TEE=y CONFIG_PARTITION_TABLE_OFFSET=0xF000 -# TEE IRAM size -CONFIG_SECURE_TEE_IRAM_SIZE=0xC400 +# Increasing TEE I/DRAM size +CONFIG_SECURE_TEE_IRAM_SIZE=0x8800 +CONFIG_SECURE_TEE_DRAM_SIZE=0x5800
Vulnerability mechanics
Root cause
"The esp_tee component lacked sufficient input validation for calls bridging the REE to TEE-protected hardware peripherals and security features."
Attack vector
An attacker with local access to the device can trigger this vulnerability by making calls to the esp_tee component. These calls are intended to bridge user applications in the REE to TEE-protected hardware and security features. The lack of proper input validation allows for malformed or unexpected data to be passed to these sensitive operations, potentially leading to unintended consequences. The vulnerability affects the esp_tee component within versions 5.5.4 and 6.0 of the Espressif IoT Development Framework [ref_id=1].
Affected code
The vulnerability resides within the esp_tee component, specifically in files like `esp_secure_services.c` and `esp_secure_services_iram.c`. The patches address issues in functions related to AES encryption/decryption (e.g., `_ss_esp_aes_crypt_cbc`), SHA hashing (e.g., `_ss_esp_sha`), HMAC calculations (e.g., `_ss_esp_hmac_calculate`), and digital signature operations (e.g., `_ss_esp_ds_sign`) [ref_id=1].
What the fix does
The patches introduce more robust input validation checks for various TEE service calls, specifically within the AES, SHA, and Digital Signature functions. For example, the AES functions now use `esp_tee_buf_in_ree` to verify buffer boundaries, and SHA functions have added checks for digest, state, and block sizes using helper functions like `get_sha_digest_size` [ref_id=1]. These additions ensure that only valid memory regions and sizes are processed, preventing potential memory corruption or unauthorized access that could arise from malformed inputs.
Preconditions
- inputThe device must be running a vulnerable version of the Espressif IoT Development Framework (versions 5.5.4 and 6.0).
- inputThe attacker must have local access to the device to trigger the vulnerable TEE service calls.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/espressif/esp-idf/commit/145ba4c42dc8283054cfde9a1c3470db7399192fnvd
- github.com/espressif/esp-idf/commit/440a5d1906502023f2a0fb0aecbdf0602d14acbfnvd
- github.com/espressif/esp-idf/commit/764626a1b7c85b943d207da08a2f8f7d7f3def4dnvd
- github.com/espressif/esp-idf/commit/7867f4a57560bf9fc4a931e37ba02b7a3e9f406bnvd
- github.com/espressif/esp-idf/commit/afd14ab113acd0ca369965404c99ac42e74d4fcdnvd
- github.com/espressif/esp-idf/commit/eebabaff2fdc273b1530fe66e55fb3bcd181dfd6nvd
- github.com/espressif/esp-idf/security/advisories/GHSA-mmgp-73p4-92xpnvd
News mentions
0No linked articles in our index yet.