From 18c042abf16e6919174634b1d87d2bba992adff9 Mon Sep 17 00:00:00 2001 From: "harshal.patil" Date: Fri, 19 Sep 2025 12:51:50 +0530 Subject: [PATCH] fix(bootloader_support): Allow pre-programmed XTS-AES psuedo round level efuses - The API esp_flash_encryption_set_release_mode() by defualt programs the XTS-AES pseudo round level efuse to level low but did not considered any existing value that would have been programmed in the efuse bit. --- .../bootloader_support/include/esp_flash_encrypt.h | 4 ++++ .../src/esp32h2/flash_encryption_secure_features.c | 2 +- components/bootloader_support/src/flash_encrypt.c | 12 ++++++++++++ 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/components/bootloader_support/include/esp_flash_encrypt.h b/components/bootloader_support/include/esp_flash_encrypt.h index d6b0a54c5a..8c0142c60d 100644 --- a/components/bootloader_support/include/esp_flash_encrypt.h +++ b/components/bootloader_support/include/esp_flash_encrypt.h @@ -205,6 +205,10 @@ bool esp_flash_encryption_cfg_verify_release_mode(void); * It burns: * - "disable encrypt in dl mode" * - set FLASH_CRYPT_CNT efuse to max + * + * In case of the targets that support the XTS-AES peripheral's pseudo rounds function, + * this API would configure the pseudo rounds level efuse bit to level low if the efuse bit + * is not set already. */ void esp_flash_encryption_set_release_mode(void); diff --git a/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c index bb3517616e..23f3c915dd 100644 --- a/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c @@ -36,7 +36,7 @@ esp_err_t esp_flash_encryption_enable_secure_features(void) esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT); -#if defined(CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC) +#if CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) { ESP_LOGI(TAG, "Enable XTS-AES pseudo rounds function..."); uint8_t xts_pseudo_level = CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH; diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c index 8405637328..df8928b959 100644 --- a/components/bootloader_support/src/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encrypt.c @@ -204,6 +204,18 @@ void esp_flash_encryption_set_release_mode(void) #endif // CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED #endif // !CONFIG_IDF_TARGET_ESP32 +#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND + if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) { + uint8_t xts_pseudo_level = 0; + esp_efuse_read_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count); + + if (xts_pseudo_level == ESP_XTS_AES_PSEUDO_ROUNDS_DISABLE) { + xts_pseudo_level = ESP_XTS_AES_PSEUDO_ROUNDS_LOW; + esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count); + } + } +#endif + #ifdef CONFIG_IDF_TARGET_ESP32 esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_CACHE); #else