fix(bootloader_support): Reorder write protection bits of some shared security efuses

2026-04-27 19:13:21 +00:00 · 2025-09-19 12:02:35 +05:30
parent 7e6e0d0be9
commit 26e24fe3a6
4 changed files with 5 additions and 11 deletions
@@ -1082,8 +1082,9 @@ menu "Security features"

    config SECURE_FLASH_PSEUDO_ROUND_FUNC
        bool "Permanently enable XTS-AES's pseudo rounds function"
-        default y
-        depends on SECURE_FLASH_ENCRYPTION_MODE_RELEASE && SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
+        default y if SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+        default n
+        depends on SECURE_FLASH_ENC_ENABLED && SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
        help
            If set (default), the bootloader will permanently enable the XTS-AES peripheral's pseudo rounds function.
            Note: Enabling this config would burn an efuse.
@@ -36,7 +36,7 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)

    esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);

-#if defined(CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE) && defined(SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND)
+#if defined(CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC)
    if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) {
        ESP_LOGI(TAG, "Enable XTS-AES pseudo rounds function...");
        uint8_t xts_pseudo_level = CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH;
@@ -204,13 +204,6 @@ void esp_flash_encryption_set_release_mode(void)
 #endif // CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED
 #endif // !CONFIG_IDF_TARGET_ESP32

-#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
-    if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) {
-        uint8_t xts_pseudo_level = ESP_XTS_AES_PSEUDO_ROUNDS_LOW;
-        esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);
-    }
-#endif
-
 #ifdef CONFIG_IDF_TARGET_ESP32
    esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_CACHE);
 #else
@@ -405,7 +405,7 @@ static void do_core_init(void)
 #endif
    if (!esp_efuse_read_field_bit(ESP_EFUSE_ECC_FORCE_CONST_TIME) && force_constant_time) {
        ESP_EARLY_LOGD(TAG, "Forcefully enabling ECC constant time operations");
-        esp_err_t err = esp_efuse_write_field_bit(ESP_EFUSE_ECC_FORCE_CONST_TIME);
+        err = esp_efuse_write_field_bit(ESP_EFUSE_ECC_FORCE_CONST_TIME);
        assert(err == ESP_OK && "Failed to enable ECC constant time operations");
    }
 #endif