From 07cc2c7d3bbe4ce4db07927fb07cfe9ff64e358a Mon Sep 17 00:00:00 2001
From: Xiao Xufeng
Date: Wed, 24 Dec 2025 02:21:34 +0800
Subject: [PATCH] fix(esp_system): limit CPU clock to 160MHz in ESP32-C5 for flash encryption

This reverts commit 7145fc9558752a6532072bb272e94389807eda51.
---
 components/esp_security/src/init.c | 10 ++++++++++
 components/esp_system/port/soc/esp32c5/Kconfig.cpu | 8 +++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/components/esp_security/src/init.c b/components/esp_security/src/init.c
index 16ef897bad..86cc0a6fd2 100644
--- a/components/esp_security/src/init.c
+++ b/components/esp_security/src/init.c
@@ -55,6 +55,16 @@ static void esp_key_mgr_init(void)
 
 ESP_SYSTEM_INIT_FN(esp_security_init, SECONDARY, BIT(0), 103)
 {
+#if CONFIG_IDF_TARGET_ESP32C5
+ // Check for unsupported configuration: flash encryption with CPU frequency > 160MHz
+ // Manual encrypted flash writes are not stable at higher CPU clock.
+ // Please refer to the ESP32-C5 SoC Errata document for more details.
+ if (efuse_hal_flash_encryption_enabled() && CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ > 160) {
+ ESP_EARLY_LOGE(TAG, "Flash encryption with CPU frequency > 160MHz is not supported. Please reconfigure the CPU frequency.");
+ return ESP_ERR_NOT_SUPPORTED;
+ }
+#endif
+
 esp_crypto_clk_init();
 esp_key_mgr_init();
 #if CONFIG_ESP_CRYPTO_DPA_PROTECTION_AT_STARTUP
diff --git a/components/esp_system/port/soc/esp32c5/Kconfig.cpu b/components/esp_system/port/soc/esp32c5/Kconfig.cpu
index a9fd58e28f..95c3b92cbc 100644
--- a/components/esp_system/port/soc/esp32c5/Kconfig.cpu
+++ b/components/esp_system/port/soc/esp32c5/Kconfig.cpu
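Review bot: In components/esp_security/src/init.c the new early `return ESP_ERR_NOT_SUPPORTED;` sits above `esp_crypto_clk_init()`, `esp_key_mgr_init()` and the DPA-protection block, so none of the security initialisation runs on this path. That is only safe if startup halts when an init function returns non-OK; the caller is outside the hunk, so this should be confirmed and recorded next to the check, e.g. `// Relies on startup aborting when an init function fails; the crypto/key-manager init below is skipped on this path.` The condition also compares only the build-time `CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ`, so whether a later runtime frequency change (for example through power management) can exceed 160 MHz on an encrypted device is not visible here and is worth checking. The body of esp_security_init continues past the end of the hunk.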
@@ -1,9 +1,12 @@
 choice ESP_DEFAULT_CPU_FREQ_MHZ
 prompt "CPU frequency"
 default ESP_DEFAULT_CPU_FREQ_MHZ_40 if IDF_ENV_FPGA
+ default ESP_DEFAULT_CPU_FREQ_MHZ_160 if SECURE_FLASH_ENC_ENABLED
 default ESP_DEFAULT_CPU_FREQ_MHZ_240
 help
- CPU frequency to be set on application startup.
+ CPU frequency to be set on application startup. For flash encryption enabled case,
+ the default CPU frequency is 160MHz as the encrypted flash writes are not stable at
+ higher CPU clock. Please see SoC Errata document for details.
 
 config ESP_DEFAULT_CPU_FREQ_MHZ_40
 bool "40 MHz"
@@ -13,6 +16,9 @@ choice ESP_DEFAULT_CPU_FREQ_MHZ
 config ESP_DEFAULT_CPU_FREQ_MHZ_160
 bool "160 MHz"
 config ESP_DEFAULT_CPU_FREQ_MHZ_240
+ # Encrypted flash writes aren't supported at 240 MHz.
+ # Please see SoC Errata document for details.
+ depends on !SECURE_FLASH_ENC_ENABLED
 bool "240 MHz"
 help
 When 240MHz is selected, esp_flash_write_encrypted() will automatically limit CPU frequency during
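Review bot: The new help text in the first Kconfig.cpu hunk describes only the build-time case, yet the check added in init.c keys on the eFuse state rather than on `SECURE_FLASH_ENC_ENABLED`. An application built without that option still defaults to 240 MHz and would be rejected at boot on a device whose flash encryption is already enabled. The help should say so, for instance by adding `Applications that run on a device with flash encryption already enabled must also select 160 MHz or lower.` The opening of the added sentence would also read better as `When flash encryption is enabled, the default CPU frequency is 160MHz because encrypted flash writes are not stable at a higher CPU clock.`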
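Review bot: In the second Kconfig.cpu hunk the retained help under `ESP_DEFAULT_CPU_FREQ_MHZ_240` still says esp_flash_write_encrypted() will automatically limit the CPU frequency, while the lines added just above it state that encrypted flash writes aren't supported at 240 MHz and hide the option when `SECURE_FLASH_ENC_ENABLED` is set. A reader cannot tell which statement holds after this change; the help continues outside the hunk, so it may already qualify this, but it should be checked and either removed or reworded to name the case it still covers. As a style point, the `#` comment and `depends on` are placed before `bool "240 MHz"`; putting the type and prompt line first matches the other entries in this choice.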