From 26e24fe3a6610b46e32cb5c3f1ac8c8f9ea56160 Mon Sep 17 00:00:00 2001
From: "harshal.patil"
Date: Fri, 19 Sep 2025 12:02:35 +0530
Subject: [PATCH] fix(bootloader_support): Reorder write protection bits of some shared security efuses
---
 components/bootloader/Kconfig.projbuild | 5 +++--
 .../src/esp32h2/flash_encryption_secure_features.c | 2 +-
 components/bootloader_support/src/flash_encrypt.c | 7 -------
 components/esp_system/startup.c | 2 +-
 4 files changed, 5 insertions(+), 11 deletions(-)
diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index fc79d7dcfc..4f7bf2a253 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -1082,8 +1082,9 @@ menu "Security features"
 config SECURE_FLASH_PSEUDO_ROUND_FUNC
 bool "Permanently enable XTS-AES's pseudo rounds function"
- default y
- depends on SECURE_FLASH_ENCRYPTION_MODE_RELEASE && SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
+ default y if SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+ default n
+ depends on SECURE_FLASH_ENC_ENABLED && SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
 help
 If set (default), the bootloader will permanently enable the XTS-AES peripheral's pseudo rounds function. Note: Enabling this config would burn an efuse.
diff --git a/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c
index d4b063a4d6..bb3517616e 100644
--- a/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c
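Review bot: In components/bootloader/Kconfig.projbuild the help text kept as context still reads "If set (default)", but after this hunk SECURE_FLASH_PSEUDO_ROUND_FUNC defaults to `y` only under SECURE_FLASH_ENCRYPTION_MODE_RELEASE and to `n` otherwise. Because the option now depends on SECURE_FLASH_ENC_ENABLED rather than on release mode, it presumably becomes selectable in development mode, where the eFuse burn is just as permanent. I would reword the help to `If set (default in release mode), the bootloader will permanently enable ...` and extend the note to `Note: Enabling this config burns an efuse, in development mode as well.` The help text may continue beyond the end of the hunk.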
@@ -36,7 +36,7 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
-#if defined(CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE) && defined(SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND)
+#if defined(CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC)
 if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) {
 ESP_LOGI(TAG, "Enable XTS-AES pseudo rounds function...");
 uint8_t xts_pseudo_level = CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH;
diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c
index 5120dab27e..8405637328 100644
--- a/components/bootloader_support/src/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encrypt.c
@@ -204,13 +204,6 @@ void esp_flash_encryption_set_release_mode(void)
 #endif // CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED
 #endif // !CONFIG_IDF_TARGET_ESP32
-#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
- if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) {
- uint8_t xts_pseudo_level = ESP_XTS_AES_PSEUDO_ROUNDS_LOW;
- esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);
- }
-#endif
-
 #ifdef CONFIG_IDF_TARGET_ESP32
 esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_CACHE);
 #else
diff --git a/components/esp_system/startup.c b/components/esp_system/startup.c
index 0c19da28db..9a94182cb1 100644
--- a/components/esp_system/startup.c
+++ b/components/esp_system/startup.c
@@ -405,7 +405,7 @@ static void do_core_init(void)
 #endif
 if (!esp_efuse_read_field_bit(ESP_EFUSE_ECC_FORCE_CONST_TIME) && force_constant_time) {
 ESP_EARLY_LOGD(TAG, "Forcefully enabling ECC constant time operations");
- esp_err_t err = esp_efuse_write_field_bit(ESP_EFUSE_ECC_FORCE_CONST_TIME);
+ err = esp_efuse_write_field_bit(ESP_EFUSE_ECC_FORCE_CONST_TIME);
 assert(err == ESP_OK && "Failed to enable ECC constant time operations");
 }
 #endif
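Review bot: In esp32h2/flash_encryption_secure_features.c the `#if defined(CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC)` block is now the only place these hunks show the XTS-AES pseudo-round level being burned, because the same commit deletes the `ESP_XTS_AES_PSEUDO_ROUNDS_LOW` write from esp_flash_encryption_set_release_mode() in flash_encrypt.c. A device first encrypted in development mode with the option at its new default of `n`, and later switched with esp_flash_encryption_set_release_mode(), would as far as these hunks show reach release mode without that DPA countermeasure. I would say so above the guard, e.g. `/* Sole place the pseudo-round level is burned; esp_flash_encryption_set_release_mode() no longer sets it */`, and consider an `#else` branch with `ESP_LOGW(TAG, "XTS-AES pseudo rounds function not enabled");`. The guarded block continues past the end of the hunk, so its tail is not visible here.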
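Review bot: In startup.c the result of `esp_efuse_write_field_bit(ESP_EFUSE_ECC_FORCE_CONST_TIME)` in do_core_init() is checked only by `assert`, so in a build with assertions disabled a failed write would go unnoticed and the ECC constant-time eFuse would stay unset. An explicit check keeps the failure visible in every build: `if (err != ESP_OK) { ESP_EARLY_LOGE(TAG, "Failed to enable ECC constant time operations"); abort(); }`. The declaration of `err` that the new line relies on, and both ends of do_core_init(), lie outside the hunk.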