docs(esp_tee): Added documentation for the ESP-TEE framework

- Co-authored-by: Shen Meng Jing <[email protected]>

Author: laukik-hase

docs/_static/esp_tee/esp32c6/esp_tee_arch.png

@@ -12,3 +12,7 @@ components/ulp/lp_core/lp_core/include/ulp_lp_core_spi.h
 components/driver/test_apps/components/esp_serial_slave_link/include/esp_serial_slave_link/essl_sdio.h
 components/driver/test_apps/components/esp_serial_slave_link/include/esp_serial_slave_link/essl_spi.h
 components/driver/test_apps/components/esp_serial_slave_link/include/esp_serial_slave_link/essl.h
+# ESP-TEE header files
+components/esp_tee/subproject/components/tee_sec_storage/include/esp_tee_sec_storage.h
+components/esp_tee/subproject/components/tee_attestation/esp_tee_attestation.h
+components/esp_tee/subproject/components/tee_ota_ops/include/esp_tee_ota_ops.h

docs/_static/esp_tee/esp32c6/esp_tee_flash_layout.png

@@ -199,6 +199,13 @@
 
 QEMU_DOCS = ['api-guides/tools/qemu.rst']
 
+ESP_TEE_DOCS = ['security/tee/index.rst',
+                'security/tee/tee.rst',
+                'security/tee/tee-advanced.rst',
+                'security/tee/tee-attestation.rst',
+                'security/tee/tee-ota.rst',
+                'security/tee/tee-sec-storage.rst']
+
 ESP32_DOCS = ['api-reference/system/himem.rst',
               'api-guides/romconsole.rst',
               'api-reference/system/ipc.rst',
@@ -242,7 +249,7 @@
 
 ESP32C6_DOCS = ['api-guides/RF_calibration.rst',
                 'api-reference/peripherals/sd_pullup_requirements.rst',
-                'api-guides/phy.rst']
+                'api-guides/phy.rst'] + ESP_TEE_DOCS
 
 ESP32H2_DOCS = ['api-guides/RF_calibration.rst',
                 'api-guides/phy.rst']

docs/_static/esp_tee/esp32c6/esp_tee_intr_handling.png

@@ -15,3 +15,7 @@ INPUT += \
     $(PROJECT_PATH)/components/ulp/ulp_common/include/ulp_common.h \
     $(PROJECT_PATH)/components/esp_wifi/include/esp_wifi_he_types.h \
     $(PROJECT_PATH)/components/esp_wifi/include/esp_wifi_he.h \
+    $(PROJECT_PATH)/components/esp_tee/include/esp_tee.h \
+    $(PROJECT_PATH)/components/esp_tee/subproject/components/tee_sec_storage/include/esp_tee_sec_storage.h \
+    $(PROJECT_PATH)/components/esp_tee/subproject/components/tee_attestation/esp_tee_attestation.h \
+    $(PROJECT_PATH)/components/esp_tee/subproject/components/tee_ota_ops/include/esp_tee_ota_ops.h \

docs/_static/esp_tee/esp32c6/esp_tee_memory_layout.png

@@ -123,7 +123,13 @@ The 8-bit SubType field is specific to a given partition type. ESP-IDF currently
 
 See enum :cpp:type:`esp_partition_subtype_t` for the full list of subtypes defined by ESP-IDF, including the following:
 
-* When type is ``app``, the SubType field can be specified as ``factory`` (0x00), ``ota_0`` (0x10) ... ``ota_15`` (0x1F) or ``test`` (0x20).
+.. only:: not esp32c6
+
+  * When type is ``app``, the SubType field can be specified as ``factory`` (0x00), ``ota_0`` (0x10) ... ``ota_15`` (0x1F) or ``test`` (0x20).
+
+.. only:: esp32c6
+
+  * When type is ``app``, the SubType field can be specified as ``factory`` (0x00), ``ota_0`` (0x10) through ``ota_15`` (0x1F), or ``test`` (0x20). Additionally, if :doc:`ESP-TEE <../security/tee/tee>` functionality is enabled, two TEE-specific subtypes become available: ``tee_0`` (0x30) and ``tee_1`` (0x31).
 
     - ``factory`` (0x00) is the default app partition. The bootloader will execute the factory app unless there it sees a partition of type data/ota, in which case it reads this partition to determine which OTA image to boot.
 
@@ -133,6 +139,10 @@ See enum :cpp:type:`esp_partition_subtype_t` for the full list of subtypes defin
     - ``ota_0`` (0x10) ... ``ota_15`` (0x1F) are the OTA app slots. When :doc:`OTA <../api-reference/system/ota>` is in use, the OTA data partition configures which app slot the bootloader should boot. When using OTA, an application should have at least two OTA application slots (``ota_0`` & ``ota_1``). Refer to the :doc:`OTA documentation <../api-reference/system/ota>` for more details.
     - ``test`` (0x20) is a reserved subtype for factory test procedures. It will be used as the fallback boot partition if no other valid app partition is found. It is also possible to configure the bootloader to read a GPIO input during each boot, and boot this partition if the GPIO is held low, see :ref:`bootloader_boot_from_test_firmware`.
 
+    .. only:: esp32c6
+
+      - ``tee_0`` (0x30) and ``tee_1`` (0x31) are the TEE app slots. When :doc:`TEE OTA <../security/tee/tee-ota>` is in use, the TEE OTA data partition configures which TEE app slot the bootloader should boot. When using TEE OTA, the partition table should have these two TEE app slots. Refer to the :doc:`TEE OTA documentation <../security/tee/tee-ota>` for more details.
+
 * When type is ``bootloader``, the SubType field can be specified as:
 
     - ``primary`` (0x00). This is the 2nd stage bootloader, located at the {IDF_TARGET_CONFIG_BOOTLOADER_OFFSET_IN_FLASH} address in flash memory. The tool automatically determines the appropriate size and offset for this subtype, so any size or offset specified for this subtype will be ignored. You can either leave these fields blank or use ``N/A`` as a placeholder.
@@ -171,6 +181,11 @@ See enum :cpp:type:`esp_partition_subtype_t` for the full list of subtypes defin
         - It is used to store NVS encryption keys when `NVS Encryption` feature is enabled.
         - The size of this partition should be 4096 bytes (minimum partition size).
 
+    .. only:: esp32c6
+
+            - ``tee_ota`` (0x90) is the :ref:`TEE OTA data partition <tee-ota-data-partition>` which stores information about the currently selected TEE OTA app slot. This partition should be 0x2000 bytes in size. Refer to the :doc:`TEE OTA documentation <../security/tee/tee-ota>` for more details.
+            - ``tee_sec_stg`` (0x91) is the TEE secure storage partition which stores encrypted data that can only be accessed by the TEE application. This partition is used by the :doc:`TEE Secure Storage <../security/tee/tee-sec-storage>` to store sensitive data like cryptographic keys. The size of this partition depends on the application requirements.
+
     - There are other predefined data subtypes for data storage supported by ESP-IDF. These include:
 
         - ``coredump`` (0x03) is for storing core dumps while using a custom partition table CSV file. See :doc:`/api-guides/core_dump` for more details.

docs/_static/esp_tee/esp32c6/esp_tee_ota_flash_partitions.png

@@ -481,6 +481,8 @@ In CI, all generated target test jobs are named according to the pattern "<targe
 
 The binaries in the target test jobs are downloaded from our internal MinIO servers. For most of the test cases, only the files that are required by flash (like .bin files, flash_args files, etc) would be downloaded. For some test cases, like jtag test cases, .elf files are also downloaded.
 
+.. _run_the_tests_locally:
+
 Running Tests Locally
 =====================
 

docs/_static/esp_tee/esp_tee_boot_seq.png

@@ -18,6 +18,7 @@ Features
    flash-encryption
    :esp32: secure-boot-v1
    secure-boot-v2
+   :esp32c6: tee/index
 
 Workflows
 ---------

docs/_static/esp_tee/esp_tee_ota_flow.png

@@ -0,0 +1,24 @@
+###################################
+Trusted Execution Environment (TEE)
+###################################
+
+*********************
+The ESP-TEE Framework
+*********************
+
+.. toctree::
+   :maxdepth: 1
+
+   tee
+   tee-advanced
+
+****************
+Salient Features
+****************
+
+.. toctree::
+   :maxdepth: 1
+
+   tee-sec-storage
+   tee-ota
+   tee-attestation