From 7b57a1cd16fbc4bcaa88d4ec80f45226b2f7792d Mon Sep 17 00:00:00 2001
From: "harshal.patil"
Date: Tue, 4 Nov 2025 15:05:30 +0530
Subject: [PATCH 1/2] fix(esp_security): Fix undefined efuse build failure in case of ESP32-P4
- The `wr_dis` efuse bit corresponding to `SECURE_BOOT_SHA384_EN` is absent in P4
---
 components/esp_security/src/init.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/components/esp_security/src/init.c b/components/esp_security/src/init.c
index 237bb03753..8413e5b351 100644
--- a/components/esp_security/src/init.c
+++ b/components/esp_security/src/init.c
@@ -102,10 +102,13 @@ ESP_SYSTEM_INIT_FN(esp_security_init, SECONDARY, BIT(0), 103)
 #if !CONFIG_SECURE_BOOT_SKIP_WRITE_PROTECTION_SCA
 // C5
-#if SOC_ECDSA_SUPPORT_CURVE_P384 && !CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_384_BITS
+#if SOC_ECDSA_SUPPORT_CURVE_P384 && !CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_384_BITS && !CONFIG_IDF_TARGET_ESP32P4
 // Since SECURE_BOOT_SHA384_EN, XTS_DPA_PSEUDO_LEVEL, and ECC_FORCE_CONST_TIME share the
 // same write-protection bit, these efuses should only be write-protected after all of
 // them have been programmed.
+ // Note: ESP32-P4 lacks WR_DIS_SECURE_BOOT_SHA384_EN bit, so it relies on software protection
+ // in the efuse write APIs (see esp_efuse_api.c) to prevent unauthorized programming of
+ // SECURE_BOOT_SHA384_EN when Secure Boot using SHA-256 is enabled.
 err = esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_SECURE_BOOT_SHA384_EN);
 if (err != ESP_OK) {
 ESP_LOGE(TAG, "Failed to write protect the SECURE_BOOT_SHA384_EN efuse bit.");
From 6ea63548d4f2ff4b9df040c7bee3b67a2e8b747f Mon Sep 17 00:00:00 2001
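Review bot: The added note under the `#if SOC_ECDSA_SUPPORT_CURVE_P384 && ... && !CONFIG_IDF_TARGET_ESP32P4` guard says ESP32-P4 relies on a software check in the efuse write APIs, but nothing in this hunk shows or enforces that check, and a software guard is weaker than a burned write-disable bit because any write path that does not go through those APIs is presumably not covered. I would state that limit in the comment, e.g. `// Software-only guard: it does not cover writes that bypass the esp_efuse API.`, and confirm that the P4 path in esp_efuse_api.c ships together with this change. Keying the exclusion on a target name rather than a SoC capability also means the next chip without this `wr_dis` field would hit the same build failure. The body of `ESP_SYSTEM_INIT_FN(esp_security_init, ...)` starts and ends outside the hunk.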
From: "harshal.patil"
Date: Sun, 26 Oct 2025 15:27:52 +0530
Subject: [PATCH 2/2] fix(esp_security): Set WR_DIS_SECURE_BOOT_SHA384_EN by default when Flash Encryption Release mode is enabled and Secure Boot P384 scheme not is enabled.
---
 components/bootloader/Kconfig.projbuild | 2 +-
 components/esp_security/src/init.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index e648a39a9a..d0fed3bf6f 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -967,7 +967,7 @@ menu "Security features"
 config SECURE_BOOT_SKIP_WRITE_PROTECTION_SCA
 bool "Skip write-protection of SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH"
- default y if SECURE_FLASH_PSEUDO_ROUND_FUNC
+ default y if SECURE_FLASH_PSEUDO_ROUND_FUNC && !SECURE_FLASH_ENCRYPTION_MODE_RELEASE
 default n
 depends on SOC_ECDSA_SUPPORT_CURVE_P384 && SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
 help
diff --git a/components/esp_security/src/init.c b/components/esp_security/src/init.c
index 8413e5b351..16ef897bad 100644
--- a/components/esp_security/src/init.c
+++ b/components/esp_security/src/init.c
@@ -90,7 +90,7 @@ ESP_SYSTEM_INIT_FN(esp_security_init, SECONDARY, BIT(0), 103)
 #if CONFIG_SECURE_BOOT_V2_ENABLED
 // H2, H21
 #if SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED
- // Also write protects the ECDSA_CURVE_MODE efuse bit.
+ // Also write protects the ECC_FORCE_CONST_TIME efuse bit.
 if (ecdsa_ll_is_configurable_curve_supported()) {
 err = esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_ECDSA_CURVE_MODE);
 if (err != ESP_OK) {
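Review bot: The new `default y if SECURE_FLASH_PSEUDO_ROUND_FUNC && !SECURE_FLASH_ENCRYPTION_MODE_RELEASE` only changes what a fresh configuration gets: `SECURE_BOOT_SKIP_WRITE_PROTECTION_SCA` stays selectable in Release mode, and a project whose sdkconfig already stores the option as `y` will presumably keep skipping the write-protection after updating. According to the comment in init.c, the skipped bit also covers SECURE_BOOT_SHA384_EN and ECC_FORCE_CONST_TIME, which the prompt string `"Skip write-protection of SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH"` does not mention. I would name all affected efuses in the prompt or help text and add a help line such as `Not recommended in Flash Encryption Release mode: the shared write-protection bit stays unprogrammed.`. The help body lies outside this hunk, so it may already say some of this.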