feat(esp_tee): Miscellaneous fixes and updates

- Rename `tee_test_fw` app configs for better CI tracking
- Decrease the lower bound of TEE I/DRAM config options
- Trim the TEE test-apps build
- Improve the TEE/REE OTA pytest script with additional checks
- Fix build issues when `tee_sec_storage`/`tee_ota_ops` are a
  a part of the project build but ESP-TEE is disabled

Author: laukik-hase

components/esp_tee/Kconfig.projbuild

@@ -13,15 +13,15 @@ menu "ESP-TEE (Trusted Execution Environment)"
         config SECURE_TEE_IRAM_SIZE
             hex "IRAM region size"
             default 0x8000
-            range 0x7000 0xA000
+            range 0x5000 0xA000
             help
                 This configuration sets the IRAM size for the TEE module.
                 This should be 256-byte (0x100) aligned.
 
         config SECURE_TEE_DRAM_SIZE
             hex "DRAM region size"
-            default 0x6000
-            range 0x5000 0x7000
+            default 0x5000
+            range 0x4000 0x7000
             help
                 This configuration sets the DRAM size for the TEE module.
                 This should be 256-byte (0x100) aligned.

components/esp_tee/subproject/components/tee_ota_ops/CMakeLists.txt

@@ -1,15 +1,16 @@
 idf_build_get_property(esp_tee_build ESP_TEE_BUILD)
 
 set(srcs)
-set(priv_requires)
+set(priv_requires esp_tee)
 set(include_dirs  "include")
 
 if(esp_tee_build)
     list(APPEND srcs "esp_tee_ota_ops.c")
-    list(APPEND priv_requires bootloader_support esp_tee log spi_flash tee_flash_mgr)
+    list(APPEND priv_requires bootloader_support log spi_flash tee_flash_mgr)
 else()
-    list(APPEND srcs "esp_tee_ota_ops_wrapper.c")
-    list(APPEND priv_requires esp_tee)
+    if(CONFIG_SECURE_ENABLE_TEE)
+        list(APPEND srcs "esp_tee_ota_ops_wrapper.c")
+    endif()
 endif()
 
 idf_component_register(SRCS ${srcs}

components/esp_tee/subproject/components/tee_sec_storage/CMakeLists.txt

@@ -7,7 +7,9 @@ if(esp_tee_build)
     list(APPEND srcs "tee_sec_storage.c")
     list(APPEND priv_requires efuse esp_partition log mbedtls nvs_flash spi_flash tee_flash_mgr)
 else()
-    list(APPEND srcs "tee_sec_storage_wrapper.c")
+    if(CONFIG_SECURE_ENABLE_TEE)
+        list(APPEND srcs "tee_sec_storage_wrapper.c")
+    endif()
 endif()
 
 idf_component_register(SRCS ${srcs}

components/esp_tee/test_apps/tee_cli_app/CMakeLists.txt

@@ -4,4 +4,7 @@ cmake_minimum_required(VERSION 3.16)
 
 include($ENV{IDF_PATH}/tools/cmake/project.cmake)
 
+# "Trim" the build. Include the minimal set of components, main, and anything it depends on.
+idf_build_set_property(MINIMAL_BUILD ON)
+
 project(tee_cli)

components/esp_tee/test_apps/tee_cli_app/main/CMakeLists.txt

@@ -8,4 +8,6 @@ if(CONFIG_SECURE_TEE_ATTESTATION)
 endif()
 
 idf_component_register(SRCS ${srcs}
-                       INCLUDE_DIRS ".")
+                       INCLUDE_DIRS "."
+                       PRIV_REQUIRES app_update console esp_event esp_http_client
+                                     esp_https_ota esp_wifi mbedtls nvs_flash)

components/esp_tee/test_apps/tee_cli_app/pytest_tee_cli.py

@@ -176,6 +176,13 @@ def test_tee_cli_secure_ota_wifi(dut: Dut) -> None:
     server_port = 8001
     tee_bin = 'esp_tee/esp_tee.bin'
     user_bin = 'tee_cli.bin'
+    prev_tee_offs = None
+    prev_app_offs = None
+
+    # Fetch Wi-Fi credentials
+    env_name = 'wifi_high_traffic'
+    ap_ssid = get_env_config_variable(env_name, 'ap_ssid')
+    ap_password = get_env_config_variable(env_name, 'ap_password')
 
     # Start server
     thread1 = multiprocessing.Process(target=start_https_server, args=(dut.app.binary_path, '0.0.0.0', server_port))
@@ -187,17 +194,26 @@ def test_tee_cli_secure_ota_wifi(dut: Dut) -> None:
         # start test
         for i in range(iterations):
             # Boot up sequence checks
-            dut.expect('Loaded TEE app from partition at offset', timeout=30)
-            dut.expect('Loaded app from partition at offset', timeout=30)
+            curr_tee_offs = (
+                dut.expect(r'Loaded TEE app from partition at offset (0x[0-9a-fA-F]+)', timeout=30).group(1).decode()
+            )
+            curr_app_offs = (
+                dut.expect(r'Loaded app from partition at offset (0x[0-9a-fA-F]+)', timeout=30).group(1).decode()
+            )
+
+            # Check for offset change across iterations
+            if prev_tee_offs is not None and curr_tee_offs == prev_tee_offs:
+                raise ValueError('Updated TEE app is not running')
+
+            prev_tee_offs = curr_tee_offs
+            if prev_app_offs is None:
+                prev_app_offs = curr_app_offs
 
             # Starting the test
             dut.expect('ESP-TEE: Secure services demonstration', timeout=30)
             time.sleep(2)
 
             # Connecting to Wi-Fi
-            env_name = 'wifi_high_traffic'
-            ap_ssid = get_env_config_variable(env_name, 'ap_ssid')
-            ap_password = get_env_config_variable(env_name, 'ap_password')
             dut.write(f'wifi_connect {ap_ssid} {ap_password}')
 
             # Fetch the DUT IP address
@@ -213,6 +229,11 @@ def test_tee_cli_secure_ota_wifi(dut: Dut) -> None:
             if i == (iterations - 1):
                 dut.write(f'user_ota https://{host_ip}:{str(server_port)}/{user_bin}')
                 dut.expect('OTA Succeed, Rebooting', timeout=150)
+                curr_app_offs = (
+                    dut.expect(r'Loaded app from partition at offset (0x[0-9a-fA-F]+)', timeout=30).group(1).decode()
+                )
+                if curr_app_offs == prev_app_offs:
+                    raise ValueError('Updated user app is not running')
             else:
                 dut.write(f'tee_ota https://{host_ip}:{str(server_port)}/{tee_bin}')
                 dut.expect('esp_tee_ota_end succeeded', timeout=150)

components/esp_tee/test_apps/tee_test_fw/CMakeLists.txt

@@ -6,4 +6,7 @@ include($ENV{IDF_PATH}/tools/cmake/project.cmake)
 # For registering the test-specific and attestation secure services
 include(${CMAKE_CURRENT_LIST_DIR}/components/test_sec_srv/test_tee_project.cmake)
 
+# "Trim" the build. Include the minimal set of components, main, and anything it depends on.
+idf_build_set_property(MINIMAL_BUILD ON)
+
 project(esp_tee_test)

components/esp_tee/test_apps/tee_test_fw/main/CMakeLists.txt

@@ -1,8 +1,8 @@
 idf_build_get_property(idf_path IDF_PATH)
 
-set(priv_requires bootloader_support driver esp_tee esp_timer mbedtls spi_flash)
+set(priv_requires bootloader_support esp_driver_gptimer esp_tee esp_timer mbedtls spi_flash)
 # Test FW related
-list(APPEND priv_requires cmock json nvs_flash test_utils unity)
+list(APPEND priv_requires json nvs_flash test_utils unity)
 # TEE related
 list(APPEND priv_requires tee_sec_storage tee_attestation tee_ota_ops test_sec_srv)
 

components/esp_tee/test_apps/tee_test_fw/pytest_esp_tee_ut.py

@@ -14,20 +14,20 @@
 
 CONFIG_DEFAULT = [
     # 'config, target, markers',
-    ('default', target, (pytest.mark.generic,))
+    ('tee_default', target, (pytest.mark.generic,))
     for target in SUPPORTED_TARGETS
 ]
 
 CONFIG_OTA = [
     # 'config, target, skip_autoflash, markers',
-    ('ota', target, 'y', (pytest.mark.generic,))
+    ('tee_ota', target, 'y', (pytest.mark.generic,))
     for target in SUPPORTED_TARGETS
 ]
 
 CONFIG_ALL = [
     # 'config, target, markers',
     (config, target, (pytest.mark.generic,))
-    for config in ['default', 'ota']
+    for config in ['tee_default', 'tee_ota']
     for target in SUPPORTED_TARGETS
 ]
 
@@ -97,12 +97,7 @@ def test_esp_tee_crypto_sha(dut: IdfDut) -> None:
 def test_esp_tee_aes_perf(dut: IdfDut) -> None:
     # start test
     for i in range(24):
-        if not i:
-            dut.expect_exact('Press ENTER to see the list of tests')
-        else:
-            dut.expect_exact("Enter next test, or 'enter' to see menu")
-        dut.write('"mbedtls AES performance"')
-        dut.expect_unity_test_output(timeout=60)
+        dut.run_all_single_board_cases(name=['mbedtls AES performance'])
 
 
 # ---------------- TEE Exceptions generation Tests ----------------
@@ -263,7 +258,7 @@ def test_esp_tee_flash_prot_esp_partition_mmap(dut: IdfDut) -> None:
     dut.serial.custom_flash()
 
     # start test
-    extra_data = dut.parse_test_menu()
+    extra_data = dut._parse_test_menu()
     for test_case in extra_data:
         if test_case.name == 'Test REE-TEE isolation: Flash - SPI0 (esp_partition_mmap)':
             run_multiple_stages(dut, test_case.index, len(test_case.subcases), TeeFlashAccessApi.ESP_PARTITION_MMAP)
@@ -281,7 +276,7 @@ def test_esp_tee_flash_prot_spi_flash_mmap(dut: IdfDut) -> None:
     dut.serial.custom_flash()
 
     # start test
-    extra_data = dut.parse_test_menu()
+    extra_data = dut._parse_test_menu()
     for test_case in extra_data:
         if test_case.name == 'Test REE-TEE isolation: Flash - SPI0 (spi_flash_mmap)':
             run_multiple_stages(dut, test_case.index, len(test_case.subcases), TeeFlashAccessApi.SPI_FLASH_MMAP)
@@ -299,7 +294,7 @@ def test_esp_tee_flash_prot_esp_rom_spiflash(dut: IdfDut) -> None:
     dut.serial.custom_flash()
 
     # start test
-    extra_data = dut.parse_test_menu()
+    extra_data = dut._parse_test_menu()
     for test_case in extra_data:
         if test_case.name == 'Test REE-TEE isolation: Flash - SPI1 (esp_rom_spiflash)':
             run_multiple_stages(dut, test_case.index, len(test_case.subcases), TeeFlashAccessApi.ESP_ROM_SPIFLASH)
@@ -317,7 +312,7 @@ def test_esp_tee_flash_prot_esp_partition(dut: IdfDut) -> None:
     dut.serial.custom_flash()
 
     # start test
-    extra_data = dut.parse_test_menu()
+    extra_data = dut._parse_test_menu()
     for test_case in extra_data:
         if test_case.name == 'Test REE-TEE isolation: Flash - SPI1 (esp_partition)':
             run_multiple_stages(dut, test_case.index, len(test_case.subcases), TeeFlashAccessApi.ESP_PARTITION)
@@ -335,7 +330,7 @@ def test_esp_tee_flash_prot_esp_flash(dut: IdfDut) -> None:
     dut.serial.custom_flash()
 
     # start test
-    extra_data = dut.parse_test_menu()
+    extra_data = dut._parse_test_menu()
     for test_case in extra_data:
         if test_case.name == 'Test REE-TEE isolation: Flash - SPI1 (esp_flash)':
             run_multiple_stages(dut, test_case.index, len(test_case.subcases), TeeFlashAccessApi.ESP_FLASH)
@@ -347,13 +342,11 @@ def test_esp_tee_flash_prot_esp_flash(dut: IdfDut) -> None:
 
 
 @pytest.mark.generic
-@idf_parametrize('config', ['ota'], indirect=['config'])
+@idf_parametrize('config', ['tee_ota'], indirect=['config'])
 @idf_parametrize('target', SUPPORTED_TARGETS, indirect=['target'])
 def test_esp_tee_ota_negative(dut: IdfDut) -> None:
     # start test
-    dut.expect_exact('Press ENTER to see the list of tests')
-    dut.write('[ota_neg_1]')
-    dut.expect_unity_test_output(timeout=120)
+    dut.run_all_single_board_cases(group='ota_neg_1', timeout=30)
 
     # erasing TEE otadata
     dut.serial.erase_partition('tee_otadata')
@@ -369,9 +362,7 @@ def test_esp_tee_ota_corrupted_img(dut: IdfDut) -> None:
     dut.serial.custom_flash_w_test_tee_img_gen()
 
     # start test
-    dut.expect_exact('Press ENTER to see the list of tests')
-    dut.write('"Test TEE OTA - Corrupted image"')
-    dut.expect_unity_test_output(timeout=120)
+    dut.run_all_single_board_cases(name=['Test TEE OTA - Corrupted image'], timeout=30)
 
     # erasing TEE otadata
     dut.serial.erase_partition('tee_otadata')