examples/security/tee/tee_secure_storage/README.md

| Supported Targets | ESP32-C6 |
| ----------------- | -------- |

# TEE: Secure Storage example

## Overview

- This example demonstrates the ESP-TEE framework's Secure Storage with two workflows:
  - Signing and verification
    - Create and securely store an ECDSA `secp256r1` keypair in a protected memory space i.e. the secure storage partition
    - Sign a message in the TEE (given its digest) using the ECDSA keypair stored in the given slot ID
    - Retrieve the ECDSA public key associated with the private key for the given slot ID
    - Verify the generated signature in the REE
  - Encryption and decryption
    - Generate and securely store an AES-256 key in the secure storage partition
    - Encrypt a message in the TEE using the AES key stored in the given slot ID with the `aes-256-gcm` algorithm and generate an authentication tag
    - Decrypt the ciphertext using the same AES key and validate the authentication tag
    - Verify that the decrypted message matches the original

### Notes

- Secure Storage currently supports only the `ecdsa-secp256r1-sha256` algorithm for signing and the `aes-256-gcm` algorithm for encryption.

## How to use the example

### Hardware Required

This example can be executed on any development board with a Espressif SOC chip supporting the TEE framework (see Supported Targets table above).

### Configure the project

Before the project configuration and build, be sure to set the correct chip target using `idf.py set-target <chip_name>`.

Open the project configuration menu (`idf.py menuconfig`).

- Configure the secure storage slot ID for storing the ECDSA keypair at `Example Configuration → TEE: Secure Storage keypair slot ID`.

The TEE Secure Storage feature supports two modes for determining which eFuse block stores the encryption key:

- **Development** Mode: The encryption key is embedded (constant for all instances) in the ESP-TEE firmware.
- **Release** Mode: The encryption key is stored in eFuse BLK4 - BLK9, depending on the `SECURE_TEE_SEC_STG_KEY_EFUSE_BLK` Kconfig option.

#### Configure the eFuse Block ID for Encryption Key Storage

- Navigate to `Security features → Trusted Execution Environment → TEE: Secure Storage Mode` and enable the Release mode configuration.
- Set the eFuse block ID to store the encryption key in `Security features → Trusted Execution Environment → TEE: Secure Storage encryption key eFuse block`.

**Note:** Before running the example, users must program the encryption key into the configured eFuse block - refer to the snippet below. The TEE checks whether the specified eFuse block is empty or already programmed with a key. If the block is empty, an error will be returned; otherwise, the pre-programmed key will be used.

```shell
# Programming the user key (256-bit) in eFuse
# Here, BLOCK_KEYx is a free eFuse key-block between BLOCK_KEY0 and BLOCK_KEY5
espefuse.py -p PORT burn_key BLOCK_KEYx user_key.bin USER
```

### Build and Flash

Build the project and flash it to the board, then run the monitor tool to view the serial output:

```
idf.py -p PORT flash monitor
```

(To exit the serial monitor, type `Ctrl-]`.)

See the Getting Started Guide for full steps to configure and use ESP-IDF to build projects.

### Example Output

```log
I (321) main_task: Calling app_main()
I (321) example_tee_sec_stg: TEE Secure Storage
I (331) example_tee_sec_stg: Message-to-be-signed: Lorem ipsum dolor sit amet, consectetur adipiscing elit.
I (961) Signature: 21 68 98 44 68 04 f2 39 70 f6 dc 79 73 5e 88 80
I (961) Signature: 39 e8 88 4b 41 ea 6f 3c 63 6f 89 08 bf 8d b7 29
I (961) Signature: 97 2b 21 0e 6a 35 a9 86 ee b9 e5 97 e4 b5 3f 76
I (971) Signature: d8 b6 bc d0 7a a6 f9 76 ad 9f e4 6b 3c 50 be 5b
I (1001) example_tee_sec_stg: Signature verified successfully!
I (1001) Plaintext: 4c 6f 72 65 6d 20 69 70 73 75 6d 20 64 6f 6c 6f
I (1001) Plaintext: 72 20 73 69 74 20 61 6d 65 74 2c 20 63 6f 6e 73
I (1011) Plaintext: 65 63 74 65 74 75 72 20 61 64 69 70 69 73 63 69
I (1021) Plaintext: 6e 67 20 65 6c 69 74 2e
I (1111) Encrypted data: 18 85 a2 97 7d 20 be 53 47 b7 3f 6f 52 06 8a 44
I (1111) Encrypted data: 3b 7e 2e 25 7b 33 5d 4f 2a e5 17 5e bc d7 4e 23
I (1111) Encrypted data: 2a 8f 89 a1 80 9c 6c 6b 00 e6 c6 39 7b 3f 75 65
I (1121) Encrypted data: cd d5 f6 f6 3c 9a fb bb
I (1131) Tag: 6d 7f 1f 8e 1e a9 2c d9 d2 7f 9b db 16 cc 9b 68
I (1131) example_tee_sec_stg: Done with encryption/decryption!
I (1141) main_task: Returned from app_main()
```
feat(esp_tee): Added examples demonstrating the ESP-TEE framework 2024-11-12 17:03:54 +05:30			`\| Supported Targets \| ESP32-C6 \|`
			`\| ----------------- \| -------- \|`

			`# TEE: Secure Storage example`

			`## Overview`

			`- This example demonstrates the ESP-TEE framework's Secure Storage with two workflows:`
			`- Signing and verification`
			- Create and securely store an ECDSA `secp256r1` keypair in a protected memory space i.e. the secure storage partition
			`- Sign a message in the TEE (given its digest) using the ECDSA keypair stored in the given slot ID`
			`- Retrieve the ECDSA public key associated with the private key for the given slot ID`
			`- Verify the generated signature in the REE`
			`- Encryption and decryption`
			`- Generate and securely store an AES-256 key in the secure storage partition`
			- Encrypt a message in the TEE using the AES key stored in the given slot ID with the `aes-256-gcm` algorithm and generate an authentication tag
			`- Decrypt the ciphertext using the same AES key and validate the authentication tag`
			`- Verify that the decrypted message matches the original`

			`### Notes`

			- Secure Storage currently supports only the `ecdsa-secp256r1-sha256` algorithm for signing and the `aes-256-gcm` algorithm for encryption.

			`## How to use the example`

			`### Hardware Required`

			`This example can be executed on any development board with a Espressif SOC chip supporting the TEE framework (see Supported Targets table above).`

			`### Configure the project`

			Before the project configuration and build, be sure to set the correct chip target using `idf.py set-target <chip_name>`.

			Open the project configuration menu (`idf.py menuconfig`).

			- Configure the secure storage slot ID for storing the ECDSA keypair at `Example Configuration → TEE: Secure Storage keypair slot ID`.

			`The TEE Secure Storage feature supports two modes for determining which eFuse block stores the encryption key:`

			`- Development Mode: The encryption key is embedded (constant for all instances) in the ESP-TEE firmware.`
			- Release Mode: The encryption key is stored in eFuse BLK4 - BLK9, depending on the `SECURE_TEE_SEC_STG_KEY_EFUSE_BLK` Kconfig option.

			`#### Configure the eFuse Block ID for Encryption Key Storage`

			- Navigate to `Security features → Trusted Execution Environment → TEE: Secure Storage Mode` and enable the Release mode configuration.
			- Set the eFuse block ID to store the encryption key in `Security features → Trusted Execution Environment → TEE: Secure Storage encryption key eFuse block`.

			`Note: Before running the example, users must program the encryption key into the configured eFuse block - refer to the snippet below. The TEE checks whether the specified eFuse block is empty or already programmed with a key. If the block is empty, an error will be returned; otherwise, the pre-programmed key will be used.`

			```shell
			`# Programming the user key (256-bit) in eFuse`
			`# Here, BLOCK_KEYx is a free eFuse key-block between BLOCK_KEY0 and BLOCK_KEY5`
			`espefuse.py -p PORT burn_key BLOCK_KEYx user_key.bin USER`
			```

			`### Build and Flash`

			`Build the project and flash it to the board, then run the monitor tool to view the serial output:`

			```
			`idf.py -p PORT flash monitor`
			```

			(To exit the serial monitor, type `Ctrl-]`.)

			`See the Getting Started Guide for full steps to configure and use ESP-IDF to build projects.`

			`### Example Output`

			```log
			`I (321) main_task: Calling app_main()`
			`I (321) example_tee_sec_stg: TEE Secure Storage`
			`I (331) example_tee_sec_stg: Message-to-be-signed: Lorem ipsum dolor sit amet, consectetur adipiscing elit.`
			`I (961) Signature: 21 68 98 44 68 04 f2 39 70 f6 dc 79 73 5e 88 80`
			`I (961) Signature: 39 e8 88 4b 41 ea 6f 3c 63 6f 89 08 bf 8d b7 29`
			`I (961) Signature: 97 2b 21 0e 6a 35 a9 86 ee b9 e5 97 e4 b5 3f 76`
			`I (971) Signature: d8 b6 bc d0 7a a6 f9 76 ad 9f e4 6b 3c 50 be 5b`
			`I (1001) example_tee_sec_stg: Signature verified successfully!`
			`I (1001) Plaintext: 4c 6f 72 65 6d 20 69 70 73 75 6d 20 64 6f 6c 6f`
			`I (1001) Plaintext: 72 20 73 69 74 20 61 6d 65 74 2c 20 63 6f 6e 73`
			`I (1011) Plaintext: 65 63 74 65 74 75 72 20 61 64 69 70 69 73 63 69`
			`I (1021) Plaintext: 6e 67 20 65 6c 69 74 2e`
			`I (1111) Encrypted data: 18 85 a2 97 7d 20 be 53 47 b7 3f 6f 52 06 8a 44`
			`I (1111) Encrypted data: 3b 7e 2e 25 7b 33 5d 4f 2a e5 17 5e bc d7 4e 23`
			`I (1111) Encrypted data: 2a 8f 89 a1 80 9c 6c 6b 00 e6 c6 39 7b 3f 75 65`
			`I (1121) Encrypted data: cd d5 f6 f6 3c 9a fb bb`
			`I (1131) Tag: 6d 7f 1f 8e 1e a9 2c d9 d2 7f 9b db 16 cc 9b 68`
			`I (1131) example_tee_sec_stg: Done with encryption/decryption!`
			`I (1141) main_task: Returned from app_main()`
			```