Merge branch 'fix/migration_guide_secure_boot_192_curve_deprecation' into 'master'

fix(secure_boot): marks 192 bit support curve legacy

See merge request espressif/esp-idf!46255

components/bootloader/Kconfig.projbuild

@@ -563,7 +563,7 @@ menu "Security features"
         help
             Select the ECDSA key size. Three key sizes are supported depending upon on the target:
 
-            - 192 bit key using NISTP192 curve
+            - 192 bit key using NISTP192 curve (Legacy, not recommended)
             - 256 bit key using NISTP256 curve (Recommended)
             - 384 bit key using NISTP384 curve (Recommended)
 
@@ -572,8 +572,10 @@ menu "Security features"
             At present, both key sizes are practically implausible to bruteforce.
 
         config SECURE_BOOT_ECDSA_KEY_LEN_192_BITS
-            bool "Using ECC curve NISTP192"
+            bool "Using ECC curve NISTP192 (Legacy, not recommended)"
             depends on SECURE_SIGNED_APPS_ECDSA_V2_SCHEME
+            help
+                This legacy option is not recommended for new designs. Prefer NISTP256 or NISTP384.
 
         config SECURE_BOOT_ECDSA_KEY_LEN_256_BITS
             bool "Using ECC curve NISTP256 (Recommended)"

components/mbedtls/port/include/mbedtls/esp_config.h

@@ -539,6 +539,11 @@
 #undef MBEDTLS_ECP_DP_SECP384R1_ENABLED
 #undef PSA_WANT_ECC_SECP_R1_384
 #endif
+#ifdef CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_192_BITS
+#define PSA_WANT_ECC_SECP_R1_192 1
+#else
+#undef PSA_WANT_ECC_SECP_R1_192
+#endif
 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP521R1_ENABLED
 #else

docs/en/migration-guides/release-6.x/6.0/security.rst

@@ -146,6 +146,12 @@ The following function has been deprecated:
 
 - :cpp:func:`esp_flash_encryption_enabled` – Use :cpp:func:`esp_efuse_is_flash_encryption_enabled` instead. The component dependency has been changed from ``bootloader_support`` to ``efuse``.
 
+**Secure Boot ECDSA curve selection**
+
+- In ESP-IDF v6.0, secure boot ECDSA should use NISTP256/NISTP384.
+- Legacy NISTP192 support is deprecated and is only available when explicitly enabled via ``CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_192_BITS``.
+- Legacy NISTP192 support may be disabled in the next ESP-IDF release, so migration to NISTP256/NISTP384 is strongly recommended.
+
 **Removed Deprecated APIs**
 
 The following deprecated functions have been removed:

docs/zh_CN/migration-guides/release-6.x/6.0/security.rst

@@ -146,6 +146,12 @@ BluFi（基于 BLE 的 Wi-Fi 配网）功能受到 ESP-IDF v6.0 中 Mbed TLS v4.
 
 - :cpp:func:`esp_flash_encryption_enabled` 已被弃用。请使用 :cpp:func:`esp_efuse_is_flash_encryption_enabled` 代替。需要依赖的组件由 ``bootloader_support`` 替换为 ``efuse``。
 
+**安全启动中的 ECDSA 曲线选择**
+
+- 在 ESP-IDF v6.0 中，用于安全启动的 ECDSA 应为 NISTP256/NISTP384 曲线。
+- 对旧版 NISTP192 的支持已弃用，仅当通过 ``CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_192_BITS`` 显式启用时方可使用。
+- 对旧版 NISTP192 的支持可能会在下一个 ESP-IDF 版本中被移除，因此强烈建议迁移至 NISTP256/NISTP384。
+
 **已移除的废弃 API**
 
 以下废弃函数已被移除：