From 1db26df63d49e497139cb53822599026e736e682 Mon Sep 17 00:00:00 2001
From: "harshal.patil"
Date: Tue, 24 Mar 2026 14:32:44 +0530
Subject: [PATCH] fix(esp_security): Fixes incorrect key manager configuration for ESP32-P4 rev < 3
---
 components/esp_hal_security/ecdsa_hal.c | 1 -
 .../test_apps/crypto/main/ds/test_ds.c | 9 +++++++--
 components/esp_security/src/esp_ds.c | 12 +++++++-----
 3 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/components/esp_hal_security/ecdsa_hal.c b/components/esp_hal_security/ecdsa_hal.c
index 0b027be1b7..5356e4e2cc 100644
--- a/components/esp_hal_security/ecdsa_hal.c
+++ b/components/esp_hal_security/ecdsa_hal.c
@@ -45,7 +45,6 @@ static void configure_ecdsa_periph(ecdsa_hal_config_t *conf)
 ecdsa_hal_set_efuse_key(conf->curve, conf->efuse_key_blk);
 #if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY
- // Force Key Manager to use eFuse key for ECDSA operation
 key_mgr_hal_set_key_usage(ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
 #endif
diff --git a/components/esp_hal_security/test_apps/crypto/main/ds/test_ds.c b/components/esp_hal_security/test_apps/crypto/main/ds/test_ds.c
index 0269309924..504bcfb2fd 100644
--- a/components/esp_hal_security/test_apps/crypto/main/ds/test_ds.c
+++ b/components/esp_hal_security/test_apps/crypto/main/ds/test_ds.c
@@ -24,6 +24,7 @@ ESP_LOG_ATTR_TAG(TAG, "test_ds");
 #include "rom/hmac.h"
 #if SOC_KEY_MANAGER_DS_KEY_DEPLOY
+#include "hal/key_mgr_hal.h"
 #include "hal/key_mgr_ll.h"
 #endif
@@ -92,11 +93,15 @@ static esp_err_t esp_ds_start_sign(const void *message, const esp_ds_data_t *dat
 #if SOC_KEY_MANAGER_DS_KEY_DEPLOY
 if (key_id == HMAC_KEY_KM) {
 if (!key_mgr_ll_is_supported()) {
- HAL_ASSERT(false && "Key manager is not supported");
+ ds_disable_release();
+ assert(false && "Key manager is not supported");
 }
-
+ key_mgr_hal_set_key_usage(ESP_KEY_MGR_DS_KEY, ESP_KEY_MGR_USE_OWN_KEY);
 ds_hal_set_key_source(DS_KEY_SOURCE_KEY_MGR);
 } else {
+ if (key_mgr_ll_is_supported()) {
+ key_mgr_hal_set_key_usage(ESP_KEY_MGR_DS_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
+ }
 ds_hal_set_key_source(DS_KEY_SOURCE_EFUSE);
 #endif
 hmac_hal_start();
diff --git a/components/esp_security/src/esp_ds.c b/components/esp_security/src/esp_ds.c
index 621f54242f..bf1e1fb024 100644
--- a/components/esp_security/src/esp_ds.c
+++ b/components/esp_security/src/esp_ds.c
@@ -332,15 +332,17 @@ esp_err_t esp_ds_start_sign(const void *message,
 ds_acquire_enable();
 #if SOC_KEY_MANAGER_DS_KEY_DEPLOY
- if (!key_mgr_ll_is_supported()) {
- assert(false && "Key manager is not supported");
- }
-
 if (key_id == HMAC_KEY_KM) {
+ if (!key_mgr_ll_is_supported()) {
+ ds_disable_release();
+ assert(false && "Key manager is not supported");
+ }
 key_mgr_hal_set_key_usage(ESP_KEY_MGR_DS_KEY, ESP_KEY_MGR_USE_OWN_KEY);
 ds_hal_set_key_source(DS_KEY_SOURCE_KEY_MGR);
 } else {
- key_mgr_hal_set_key_usage(ESP_KEY_MGR_DS_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
+ if (key_mgr_ll_is_supported()) {
+ key_mgr_hal_set_key_usage(ESP_KEY_MGR_DS_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
+ }
 ds_hal_set_key_source(DS_KEY_SOURCE_EFUSE);
 #endif
 // initiate hmac
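Review bot: When `key_id == HMAC_KEY_KM` and the key manager is unsupported, the added `ds_disable_release();` is followed only by `assert(false && "Key manager is not supported")`, which compiles to nothing in builds with assertions disabled (NDEBUG). In that configuration control falls through to `key_mgr_hal_set_key_usage(ESP_KEY_MGR_DS_KEY, ESP_KEY_MGR_USE_OWN_KEY)` and `hmac_hal_start()` after the DS peripheral has presumably been disabled and its lock released, so the signing path would touch hardware it no longer holds. Since the function returns `esp_err_t`, an explicit failure is safer: `ds_disable_release(); return ESP_ERR_NOT_SUPPORTED;`. The same pattern is added in the esp_ds.c hunk of this commit, where it matters more because that is the production path; both function bodies start and continue outside the hunks shown.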
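Review bot: The new `if (key_mgr_ll_is_supported())` guard in the `else` branch of esp_ds.c carries no comment saying why the eFuse path may skip the key-usage write; only the commit subject ties it to ESP32-P4 rev < 3. A one-line comment above the guard would keep it from being removed later as redundant, e.g. `// Key Manager may be absent on this chip revision; select eFuse key usage only when it exists`. The context of the ecdsa_hal.c hunk still shows `key_mgr_hal_set_key_usage(ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_USE_EFUSE_KEY)` with no such guard visible, so if nothing outside that hunk checks for support, the ECDSA path likely needs the same treatment.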