ci(flash_enc): Extend flash encryption and mbedtls test case to test PSRAM encryption

components/mbedtls/test_apps/.build-test-rules.yml

@@ -5,6 +5,10 @@ components/mbedtls/test_apps:
     - if: CONFIG_NAME == "psram" and SOC_SPIRAM_SUPPORTED != 1
     - if: CONFIG_NAME == "psram_all_ext" and SOC_SPIRAM_SUPPORTED != 1
     - if: CONFIG_NAME == "ecdsa_sign" and SOC_ECDSA_SUPPORTED != 1
+    - if: CONFIG_NAME == "psram_all_ext_flash_enc" and SOC_SPIRAM_SUPPORTED != 1
+  disable_test:
+    - if: CONFIG_NAME == "psram_all_ext_flash_enc" and IDF_TARGET not in ["esp32"]
+      reason: lack of runners
   depends_components:
     - efuse
     - mbedtls

components/mbedtls/test_apps/pytest_mbedtls_ut.py

@@ -51,6 +51,19 @@ def test_mbedtls_psram(dut: Dut) -> None:
     dut.run_all_single_board_cases()
 
 
+@pytest.mark.flash_encryption_psram
+@pytest.mark.parametrize(
+    'config',
+    [
+        'psram_all_ext_flash_enc',
+    ],
+    indirect=True,
+)
+@idf_parametrize('target', ['esp32'], indirect=['target'])
+def test_mbedtls_psram_all_ext_flash_enc(dut: Dut) -> None:
+    dut.run_all_single_board_cases()
+
+
 @pytest.mark.generic
 @pytest.mark.parametrize(
     'config',
@@ -62,6 +75,19 @@ def test_mbedtls_psram_esp32p4(dut: Dut) -> None:
     dut.run_all_single_board_cases()
 
 
+@pytest.mark.flash_encryption
+@pytest.mark.parametrize(
+    'config',
+    [
+        'psram_all_ext_flash_enc_esp32p4_200m',
+    ],
+    indirect=True,
+)
+@idf_parametrize('target', ['esp32p4'], indirect=['target'])
+def test_mbedtls_psram_all_ext_flash_enc_esp32p4_200m(dut: Dut) -> None:
+    dut.run_all_single_board_cases()
+
+
 @pytest.mark.ecdsa_efuse
 @pytest.mark.parametrize(
     'config',

components/mbedtls/test_apps/sdkconfig.ci.psram_all_ext_flash_enc

@@ -0,0 +1,17 @@
+CONFIG_SPIRAM=y
+CONFIG_ESP_INT_WDT_TIMEOUT_MS=800
+CONFIG_FREERTOS_TASK_CREATE_ALLOW_EXT_MEM=y
+CONFIG_SPIRAM_MALLOC_ALWAYSINTERNAL=0
+
+# Default settings for testing this example in CI.
+# This configuration is not secure, don't use it in production!
+# See Flash Encryption API Guide for more details.
+
+CONFIG_SECURE_FLASH_ENC_ENABLED=y
+CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y
+CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=y
+CONFIG_SECURE_BOOT_ALLOW_JTAG=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y
+CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y

components/mbedtls/test_apps/sdkconfig.ci.psram_all_ext_flash_enc_esp32p4_200m

@@ -0,0 +1,21 @@
+CONFIG_IDF_TARGET="esp32p4"
+CONFIG_SPIRAM=y
+CONFIG_ESP_INT_WDT_TIMEOUT_MS=800
+CONFIG_FREERTOS_TASK_CREATE_ALLOW_EXT_MEM=y
+CONFIG_SPIRAM_MALLOC_ALWAYSINTERNAL=0
+
+CONFIG_IDF_EXPERIMENTAL_FEATURES=y
+CONFIG_SPIRAM_SPEED_200M=y
+
+# Default settings for testing this example in CI.
+# This configuration is not secure, don't use it in production!
+# See Flash Encryption API Guide for more details.
+
+CONFIG_SECURE_FLASH_ENC_ENABLED=y
+CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y
+CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=y
+CONFIG_SECURE_BOOT_ALLOW_JTAG=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y
+CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y

examples/security/.build-test-rules.yml

@@ -1,8 +1,10 @@
 # Documentation: .gitlab/ci/README.md#manifest-file-to-control-the-buildtest-apps
 
 examples/security/flash_encryption:
+  disable:
+    - if: CONFIG_NAME == "psram" and SOC_SPIRAM_SUPPORTED != 1
   disable_test:
-    - if: IDF_TARGET in ["esp32s2", "esp32s3", "esp32c6", "esp32h2", "esp32c2", "esp32p4", "esp32c5", "esp32c61"]
+    - if: IDF_TARGET in ["esp32s2", "esp32s3", "esp32c6", "esp32h2", "esp32c2", "esp32c5", "esp32c61"]
       temporary: true
       reason: lack of runners
 

examples/security/flash_encryption/main/CMakeLists.txt

@@ -1,5 +1,5 @@
 idf_component_register(SRCS "flash_encrypt_main.c"
                             "flash_encrypt_fatfs.c"
                        PRIV_REQUIRES vfs nvs_flash spi_flash efuse bootloader_support
-                                     fatfs espcoredump nvs_sec_provider
+                                     fatfs espcoredump nvs_sec_provider esp_psram
                        INCLUDE_DIRS ".")

examples/security/flash_encryption/pytest_flash_encryption.py

@@ -8,6 +8,7 @@ import espsecure
 import pytest
 from pytest_embedded import Dut
 from pytest_embedded_idf.utils import idf_parametrize
+
 # To prepare a test runner for this example:
 # 1. Generate zero flash encryption key:
 #   dd if=/dev/zero of=key.bin bs=1 count=32
@@ -75,7 +76,7 @@ def _test_flash_encryption(dut: Dut) -> None:
 
 
 @pytest.mark.flash_encryption
-@idf_parametrize('target', ['esp32', 'esp32c3'], indirect=['target'])
+@idf_parametrize('target', ['esp32', 'esp32c3', 'esp32p4'], indirect=['target'])
 def test_examples_security_flash_encryption(dut: Dut) -> None:
     _test_flash_encryption(dut)
 
@@ -91,3 +92,29 @@ def test_examples_security_flash_encryption(dut: Dut) -> None:
 @idf_parametrize('target', ['esp32c3'], indirect=['target'])
 def test_examples_security_flash_encryption_rom_impl(dut: Dut) -> None:
     _test_flash_encryption(dut)
+
+
+@pytest.mark.flash_encryption_psram
+@pytest.mark.parametrize(
+    'config',
+    [
+        'psram',
+    ],
+    indirect=True,
+)
+@idf_parametrize('target', ['esp32'], indirect=['target'])
+def test_examples_security_flash_encryption_psram_esp32(dut: Dut) -> None:
+    _test_flash_encryption(dut)
+
+
+@pytest.mark.flash_encryption
+@pytest.mark.parametrize(
+    'config',
+    [
+        'psram',
+    ],
+    indirect=True,
+)
+@idf_parametrize('target', ['esp32p4'], indirect=['target'])
+def test_examples_security_flash_encryption_psram(dut: Dut) -> None:
+    _test_flash_encryption(dut)

examples/security/flash_encryption/sdkconfig.ci.psram

@@ -0,0 +1,16 @@
+# Configurations for flash encryption.
+CONFIG_SECURE_FLASH_ENC_ENABLED=y
+CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y
+CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=y
+CONFIG_SECURE_BOOT_ALLOW_JTAG=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y
+CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y
+
+CONFIG_SPIRAM=y
+CONFIG_SPIRAM_BOOT_INIT=y
+
+# Enabling PSRAM MEMTEST to verify the PSRAM encryption
+# case when flash encryption is enabled
+CONFIG_SPIRAM_MEMTEST=y

pytest.ini

@@ -64,6 +64,7 @@ env_markers =
     flash_encryption_f4r8: Flash Encryption runners with 4-line flash and 8-line psram
     flash_encryption_f8r8: Flash Encryption runners with 8-line flash and 8-line psram
     flash_encryption_ota: Flash Encryption runners with ethernet OTA support with 4mb flash size
+    flash_encryption_psram: ESP32 Flash Encryption runners with psram
     flash_multi: Multiple flash chips tests
     psram: Chip has 4-line psram
     ir_transceiver: runners with a pair of IR transmitter and receiver