docs: Update CN translation for key manager related docs

docs/en/api-reference/peripherals/key_manager.rst

@@ -6,6 +6,7 @@ Key Manager
 :link_to_translation:`zh_CN:[中文]`
 
 The {IDF_TARGET_NAME}'s Key Manager peripheral provides hardware-assisted **key deployment and recovery** for cryptographic keys. It allows cryptographic keys to be provisioned and used without storing plaintext key material in flash, RAM, or eFuses.
+
 The Key Manager is intended for applications that require secure handling of long-term cryptographic keys.
 
 .. only:: esp32p4
@@ -28,7 +29,7 @@ Key Manager provides the following properties:
 
 - **No plaintext key storage**
 
-  Key material is never exposed in software accessible memory.
+  Key material is never exposed to software accessible memory.
 
 - **Flexible key lifecycle**
 
@@ -41,18 +42,18 @@ Key Manager provides the following properties:
 Hardware Unique Key (HUK)
 -------------------------
 
-The Hardware Unique Key (HUK) is a device-specific unique key generated entirely in hardware HUK peripheral. It is generated using SRAM Physical Unclonable Function (PUF) and is reconstructed using the HUK recovery info stored in the key recovery info of a Key Manager deployed key. See *{IDF_TARGET_NAME} Technical Reference Manual* > *Chapter Key Manager* [`PDF <{IDF_TARGET_TRM_EN_URL}>`__] > *HUK Generator* for more details about the HUK peripheral.
+The Hardware Unique Key (HUK) is a device-specific unique key generated entirely in hardware HUK peripheral. It is generated using SRAM Physical Unclonable Function (PUF) and is reconstructed using the HUK recovery info stored in the key recovery info of a Key Manager deployed key. See **{IDF_TARGET_NAME} Technical Reference Manual** > **Chapter Key Manager** [`PDF <{IDF_TARGET_TRM_EN_URL}>`__] > **HUK Generator** for more details about the HUK peripheral.
 
 The HUK acts as the root of trust for all keys deployed through the Key Manager.
 
-Key deployment and key recovery
+Key Deployment and Key Recovery
 -------------------------------
 
 The Key Manager operates in two distinct phases:
 
 - **Key deployment**
 
-  A cryptographic key is generated or securely introduced into the chip and it gets bound to the HUK. This step is usually performed during manufacturing, first boot up or when generating transient or persistent keys during the application runtime.
+  A cryptographic key is generated or securely introduced into the chip, and it gets bound to the HUK. This step is usually performed during manufacturing, first boot up or when generating transient or persistent keys during the application runtime.
 
 - **Key recovery**
 
@@ -60,7 +61,7 @@ The Key Manager operates in two distinct phases:
 
 During deployment, the Key Manager generates a data structure referred to as :cpp:type:`esp_key_mgr_key_recovery_info_t`. In case of persistent keys, the applications must store this data in non-volatile storage (for example, flash) in order to recover the key on later boots.
 
-Supported key types
+Supported Key Types
 -------------------
 
 The Key Manager can manage keys for the following key types:
@@ -68,14 +69,14 @@ The Key Manager can manage keys for the following key types:
 .. list::
 
     :SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY: - ECDSA
-    :SOC_KEY_MANAGER_FE_KEY_DEPLOY: - Flash encryption (XTS-AES)
+    :SOC_KEY_MANAGER_FE_KEY_DEPLOY: - Flash Encryption (XTS-AES)
     :SOC_KEY_MANAGER_HMAC_KEY_DEPLOY: - HMAC
-    :SOC_KEY_MANAGER_DS_KEY_DEPLOY: - Digital signature peripherals
-    :SOC_KEY_MANAGER_FE_KEY_DEPLOY: - PSRAM encryption
+    :SOC_KEY_MANAGER_DS_KEY_DEPLOY: - Digital Signature peripherals
+    :SOC_KEY_MANAGER_FE_KEY_DEPLOY: - PSRAM Encryption
 
 Each key is associated with a :cpp:type:`esp_key_mgr_key_purpose_t`, which defines how the key can be used by hardware peripherals.
 
-Key deployment modes
+Key Deployment Modes
 --------------------
 
 The Key Manager provides multiple key deployment modes to support different provisioning and security requirements.
@@ -85,29 +86,29 @@ Random Deploy Mode
 
 In this mode, the Key Manager generates a random private key internally.
 
-- The key value is never known to the application software
-- No external key material is required
-- Intended for use cases where the key does not need to be backed up or exported
+- The key value is never known to the application software.
+- No external key material is required.
+- Intended for use cases where the key does not need to be backed up or exported.
 
 AES Deploy Mode
 ^^^^^^^^^^^^^^^
 
 In this mode, a user-specified private key is securely deployed.
 
-- The key is encrypted before being transmitted to the chip
-- Auxiliary key material is used to protect the deployment process
-- Intended for factory provisioning scenarios where the key value must be predefined
+- The key is encrypted before being transmitted to the chip.
+- Auxiliary key material is used to protect the deployment process.
+- Intended for factory provisioning scenarios where the key value must be predefined.
 
 ECDH0 Deploy Mode
 ^^^^^^^^^^^^^^^^^
 
 In this mode, a private key is negotiated using Elliptic Curve Diffie-Hellman (ECDH).
 
-- The final private key is never transmitted
-- The deployment process can occur over an untrusted channel
-- Intended for high-security provisioning environments
+- The final private key is never transmitted.
+- The deployment process can occur over an untrusted channel.
+- Intended for high-security provisioning environments.
 
-For detailed information various deployment modes, see *{IDF_TARGET_NAME} Technical Reference Manual* > *Chapter Key Manager* [`PDF <{IDF_TARGET_TRM_EN_URL}>`__] > *Key Manager*.
+For detailed information various deployment modes, see **{IDF_TARGET_NAME} Technical Reference Manual** > **Chapter Key Manager** [`PDF <{IDF_TARGET_TRM_EN_URL}>`__] > **Section Key Manager**.
 
 .. ECDH1 Deploy Mode
 .. ~~~~~~~~~~~~~~~~~
@@ -118,7 +119,7 @@ For detailed information various deployment modes, see *{IDF_TARGET_NAME} Techni
 .. - Allows updating deployed keys by replacing auxiliary information
 .. - Intended for large-scale manufacturing with controlled trust assumptions
 
-Typical workflows
+Typical Workflows
 -----------------
 
 First Boot or Manufacturing
@@ -138,19 +139,19 @@ Normal Boot
 
 During a normal boot:
 
-1. The application provides the previously generated and stored ``key_recovery_info`` of a Key Manager-deployed key
-2. The HUK is reconstructed automatically by hardware
-3. The Key Manager recovers the deployed key internally
-4. Cryptographic peripherals can use the recovered key
+1. The application provides the previously generated and stored ``key_recovery_info`` of a Key Manager-deployed key.
+2. The HUK is reconstructed automatically by hardware.
+3. The Key Manager recovers the deployed key internally.
+4. Cryptographic peripherals can use the recovered key.
 
-Security considerations
+Security Considerations
 -----------------------
 
 Applications using the Key Manager should consider the following:
 
-- Protect the ``key_recovery_info`` of a Key Manager-deployed key against unauthorized modification or loss
-- Lock Key Manager's security-related eFuses after successful key deployment to prevent re-deployment of a key of the same type
-- Avoid deploying new XTS-AES keys when Flash Encryption is already enabled unless explicitly intended
+- Protect the ``key_recovery_info`` of a Key Manager-deployed key against unauthorized modification or loss.
+- Lock Key Manager's security-related eFuses after successful key deployment to prevent re-deployment of a key of the same type.
+- Avoid deploying new XTS-AES keys when Flash Encryption is already enabled unless explicitly intended.
 
 API Reference
 -------------
@@ -161,13 +162,10 @@ API Reference
 Examples
 --------
 
-An example demonstrating key deployment using the Key Manager and using the deployed key to perform signing operations is available at:
-
-See :example:`security/key_manager` for the example.
+See :example:`security/key_manager` for an example demonstrating key deployment using the Key Manager and using the deployed key to perform signing operations.
 
 This example shows how to:
 
 - Initialize the Key Manager
 - Deploy keys using the AES deployment mode
-- Uses the PSA interface to perform signing operations using the Key Manager deployed key
-
+- Use the PSA interface to perform signing operations using the Key Manager deployed key

docs/en/security/flash-encryption.rst

@@ -13,7 +13,7 @@ This is a quick start guide to {IDF_TARGET_NAME}'s flash encryption feature. Usi
 
 .. note::
 
-    In this guide, most used commands are in the form of ``idf.py secure-<command>``, which is a wrapper around corresponding ``espsecure <command>``. The ``idf.py`` based commands provides more user-friendly experience, although may lack some of the advanced functionality of their ``espsecure`` based counterparts.
+    In this guide, most used commands are in the form of ``idf.py secure-<command>``, which is a wrapper around corresponding ``espsecure <command>``. The ``idf.py`` based commands provide a more user-friendly experience, although may lack some of the advanced functionality of their ``espsecure`` based counterparts.
 
 Introduction
 ------------
@@ -26,7 +26,7 @@ Flash encryption is intended for encrypting the contents of the {IDF_TARGET_NAME
 
 .. important::
 
-   For production use, flash encryption should be enabled in the "Release" mode only.
+    For production use, flash encryption should be enabled in the release mode only.
 
 .. important::
 
@@ -73,7 +73,7 @@ The flash encryption operation is controlled by various eFuses available on {IDF
          - 2
        * - ``flash_encryption`` (block1)
          - AES key storage.
-         - 256 bit key block
+         - 256-bit key block
        * - ``FLASH_CRYPT_CONFIG``
          - Controls the AES encryption process.
          - 4
@@ -84,7 +84,7 @@ The flash encryption operation is controlled by various eFuses available on {IDF
          - If set, disables flash decryption while running in UART Firmware Download mode.
          - 1
        * - ``{IDF_TARGET_CRYPT_CNT}``
-         - A :math:`2^n` number that indicating whether the contents of flash have been encrypted.
+         - A :math:`2^n` number indicating whether the contents of flash have been encrypted.
 
            * If an odd number of bits are set (e.g., ``0b0000001`` or ``0b0000111``), this indicates the contents of flash are encrypted. The contents will need to be transparently decrypted when read.
            * If an even number of bits are set (e.g., ``0b0000000`` or ``0b0000011``), this indicates the contents of flash are unencrypted (i.e., plain text).
@@ -106,16 +106,16 @@ The flash encryption operation is controlled by various eFuses available on {IDF
          - AES key storage. N is between 0 and 5. When using a Key Manager-based key, this eFuse is not used.
          - One 256-bit key block for XTS_AES_128; two 256-bit key blocks for XTS_AES_256 (512-bit total).
        * - ``KEY_PURPOSE_N``
-         - Controls the purpose of eFuse block ``BLOCK_KEYN``, where N is between 0 and 5. Possible values: ``2`` for ``XTS_AES_256_KEY_1`` , ``3`` for ``XTS_AES_256_KEY_2``, and ``4`` for ``XTS_AES_128_KEY``. Final AES key is derived based on the value of one or two of these purpose eFuses. For a detailed description of the possible combinations, see *{IDF_TARGET_NAME} Technical Reference Manual* > *External Memory Encryption and Decryption (XTS_AES)* [`PDF <{IDF_TARGET_TRM_EN_URL}#extmemencr>`__]. When enabling Flash Encryption using a Key Manager-based key, this eFuse is not used.
+         - Controls the purpose of eFuse block ``BLOCK_KEYN``, where N is between 0 and 5. Possible values: ``2`` for ``XTS_AES_256_KEY_1``, ``3`` for ``XTS_AES_256_KEY_2``, and ``4`` for ``XTS_AES_128_KEY``. Final AES key is derived based on the value of one or two of these purpose eFuses. For a detailed description of the possible combinations, see **{IDF_TARGET_NAME} Technical Reference Manual** > **External Memory Encryption and Decryption (XTS_AES)** [`PDF <{IDF_TARGET_TRM_EN_URL}#extmemencr>`__]. When enabling Flash Encryption using a Key Manager-based key, this eFuse is not used.
          - 4
        * - ``KM_XTS_KEY_LENGTH_256``
-         - When enabling Flash Encryption using a Key Manager-based key, this eFuse is used to control the length of the XTS-AES key. Set this eFuse to 1 to use a 128-bit key, and to 0 to use a 256-bit key. This efuses field is unused when enabling Flash Encryption using a eFuses-based key.
+         - When enabling Flash Encryption using a Key Manager-based key, this eFuse is used to control the length of the XTS-AES key. Set this eFuse to 1 to use a 128-bit key, and to 0 to use a 256-bit key. This eFuse field is unused when enabling Flash Encryption using an eFuse-based key.
          - 1
        * - ``FORCE_USE_KEY_MANAGER_KEY``
-         - When enabling Flash Encryption using a Key Manager-based key, this eFuse is used to force the Key Manager to use the XTS-AES key. Set the bit 1 of this eFuse to use the Key Manager-based key. This efuses field is unused when enabling Flash Encryption using a eFuses-based key.
+         - When enabling Flash Encryption using a Key Manager-based key, this eFuse is used to force the Key Manager to use the XTS-AES key. Set the bit 1 of this eFuse to use the Key Manager-based key. This eFuse field is unused when enabling Flash Encryption using an eFuse-based key.
          - 1
        * - ``DIS_DOWNLOAD_MANUAL_ENCRYPT``
-         - If set, disables flash encryption when in download bootmodes.
+         - If set, disables Flash Encryption when in download bootmodes.
          - 1
        * - ``{IDF_TARGET_CRYPT_CNT}``
          - Enables encryption and decryption, when an SPI boot mode is set. Feature is enabled if 1 or 3 bits are set in the eFuse, disabled otherwise.
@@ -132,9 +132,9 @@ The flash encryption operation is controlled by various eFuses available on {IDF
          - **Bit Depth**
        * - ``BLOCK_KEYN``
          - AES key storage. N is between 0 and 5.
-         - One 256 bit key block for XTS_AES_128, Two 256 bit key blocks for XTS_AES_256 (512 bit total)
+         - One 256-bit key block for XTS_AES_128, Two 256-bit key blocks for XTS_AES_256 (512 bit total)
        * - ``KEY_PURPOSE_N``
-         - Controls the purpose of eFuse block ``BLOCK_KEYN``, where N is between 0 and 5. Possible values: ``2`` for ``XTS_AES_256_KEY_1`` , ``3`` for ``XTS_AES_256_KEY_2``, and ``4`` for ``XTS_AES_128_KEY``. Final AES key is derived based on the value of one or two of these purpose eFuses. For a detailed description of the possible combinations, see *{IDF_TARGET_NAME} Technical Reference Manual* > *External Memory Encryption and Decryption (XTS_AES)* [`PDF <{IDF_TARGET_TRM_EN_URL}#extmemencr>`__].
+         - Controls the purpose of eFuse block ``BLOCK_KEYN``, where N is between 0 and 5. Possible values: ``2`` for ``XTS_AES_256_KEY_1`` , ``3`` for ``XTS_AES_256_KEY_2``, and ``4`` for ``XTS_AES_128_KEY``. Final AES key is derived based on the value of one or two of these purpose eFuses. For a detailed description of the possible combinations, see **{IDF_TARGET_NAME} Technical Reference Manual** > **External Memory Encryption and Decryption (XTS_AES)** [`PDF <{IDF_TARGET_TRM_EN_URL}#extmemencr>`__].
          - 4
        * - ``DIS_DOWNLOAD_MANUAL_ENCRYPT``
          - If set, disables flash encryption when in download bootmodes.
@@ -154,15 +154,15 @@ The flash encryption operation is controlled by various eFuses available on {IDF
          - **Bit Depth**
        * - ``BLOCK_KEYN``
          - AES key storage. N is between 0 and 5. When using a Key Manager-based key, this eFuse is not used.
-         - 256 bit key block.
+         - 256-bit key block.
        * - ``KEY_PURPOSE_N``
          - Control the purpose of eFuse block ``BLOCK_KEYN``, where N is between 0 and 5. For flash encryption, the only valid value is ``4`` for ``XTS_AES_128_KEY``. When enabling Flash Encryption using a Key Manager-based key, this eFuse is not used.
          - 4
        * - ``KM_XTS_KEY_LENGTH_256``
-         - When enabling Flash Encryption using a Key Manager-based key, this eFuse is used to control the length of the XTS-AES key. Set this eFuse to 1 to use a 128-bit key, and to 0 to use a 256-bit key. This efuses field is unused when enabling Flash Encryption using a eFuses-based key.
+         - When enabling Flash Encryption using a Key Manager-based key, this eFuse is used to control the length of the XTS-AES key. Set this eFuse to 1 to use a 128-bit key, and to 0 to use a 256-bit key. This eFuse field is unused when enabling Flash Encryption using an eFuse-based key.
          - 1
        * - ``FORCE_USE_KEY_MANAGER_KEY``
-         - When enabling Flash Encryption using a Key Manager-based key, this eFuse is used to force the Key Manager to use the XTS-AES key. Set the bit 1 of this eFuse to use the Key Manager-based key. This efuses field is unused when enabling Flash Encryption using a eFuses-based key.
+         - When enabling Flash Encryption using a Key Manager-based key, this eFuse is used to force the Key Manager to use the XTS-AES key. Set the bit 1 of this eFuse to use the Key Manager-based key. This eFuse field is unused when enabling Flash Encryption using an eFuse-based key.
          - 1
        * - ``DIS_DOWNLOAD_MANUAL_ENCRYPT``
          - If set, disable flash encryption when in download bootmodes.
@@ -182,7 +182,7 @@ The flash encryption operation is controlled by various eFuses available on {IDF
          - **Bit Depth**
        * - ``BLOCK_KEYN``
          - AES key storage. N is between 0 and 5.
-         - 256 bit key block
+         - 256-bit key block
        * - ``KEY_PURPOSE_N``
          - Control the purpose of eFuse block ``BLOCK_KEYN``, where N is between 0 and 5. For flash encryption, the only valid value is ``4`` for ``XTS_AES_128_KEY``.
          - 4
@@ -237,7 +237,7 @@ Assuming that the eFuse values are in their default states and the second stage
 
   1. On the first power-on reset, all data in flash is un-encrypted (plaintext). The first stage (ROM) bootloader loads the second stage bootloader.
 
-  2. Second stage bootloader reads the ``{IDF_TARGET_CRYPT_CNT}`` eFuse value (``0b0000000``). Since the value is ``0`` (even number of bits set), it configures and enables the flash encryption block. It also sets the ``FLASH_CRYPT_CONFIG`` eFuse to 0xF. For more information on the flash encryption block, see *{IDF_TARGET_NAME} Technical Reference Manual* > *eFuse Controller (eFuse)* > *Flash Encryption Block* [`PDF <{IDF_TARGET_TRM_EN_URL}#efuse>`__].
+  2. Second stage bootloader reads the ``{IDF_TARGET_CRYPT_CNT}`` eFuse value (``0b0000000``). Since the value is ``0`` (even number of bits set), it configures and enables the flash encryption block. It also sets the ``FLASH_CRYPT_CONFIG`` eFuse to 0xF. For more information on the flash encryption block, see **{IDF_TARGET_NAME} Technical Reference Manual** > **eFuse Controller (eFuse)** > **Flash Encryption Block** [`PDF <{IDF_TARGET_TRM_EN_URL}#efuse>`__].
 
   3. Second stage bootloader first checks if a valid key is already present in the eFuse (e.g., burned using espefuse tool), then the process of key generation is skipped and the same key is used for flash encryption process. Otherwise, Second stage bootloader uses RNG (random) module to generate an AES-256 bit key and then writes it into the ``flash_encryption`` eFuse. The key cannot be accessed via software as the write and read protection bits for the ``flash_encryption`` eFuse are set. The flash encryption operations happen entirely by hardware, and the key cannot be accessed via software.
 
@@ -255,13 +255,18 @@ Assuming that the eFuse values are in their default states and the second stage
 
   1. On the first power-on reset, all data in flash is un-encrypted (plaintext). The first stage (ROM) bootloader loads the second stage bootloader.
 
-  2. Second stage bootloader reads the ``{IDF_TARGET_CRYPT_CNT}`` eFuse value (``0b000``). Since the value is ``0`` (even number of bits set), it configures and enables the flash encryption block. For more information on the flash encryption block, see *{IDF_TARGET_NAME} Technical Reference Manual* > *eFuse Controller (eFuse)* > *Manual Encryption Block* [`PDF <{IDF_TARGET_TRM_EN_URL}#efuse>`__].
+  2. Second stage bootloader reads the ``{IDF_TARGET_CRYPT_CNT}`` eFuse value (``0b000``). Since the value is ``0`` (even number of bits set), it configures and enables the flash encryption block. For more information on the flash encryption block, see **{IDF_TARGET_NAME} Technical Reference Manual** > **eFuse Controller (eFuse)** > **Manual Encryption Block** [`PDF <{IDF_TARGET_TRM_EN_URL}#efuse>`__].
 
-  3. Second stage bootloader first checks if a valid key is already present in the eFuse (e.g., burned using espefuse tool) (if Flash Encryption is intended to be enabled using a eFuses-based key), or checks if there exists a valid key recovery info in the flash memory at the addresses: 0x0 and 0x1000 (if Flash Encryption is intended to be enabled using a Key Manager-based key), then the process of key generation is skipped and the same key is used for flash encryption process.
+  3. Second stage bootloader first checks if a valid key already exists, to decide whether to skip the key generation step:
 
-  4. Otherwise, if using a efuses-based key second stage bootloader uses RNG (random) module to generate an 256 bit or 512 bit key, depending on the value of :ref:`Size of generated XTS-AES key <CONFIG_SECURE_FLASH_ENCRYPTION_KEYSIZE>`, and then writes it into respectively one or two `BLOCK_KEYN` eFuses. The software also updates the ``KEY_PURPOSE_N`` for the blocks where the keys were stored. The key cannot be accessed via software as the write and read protection bits for one or two `BLOCK_KEYN` eFuses are set. ``KEY_PURPOSE_N`` field is write-protected as well. Whereas if using a Key Manager-based key, second stage bootloader writes the key recovery info to the flash memory at the address 0x0, followed by programming the ``KM_XTS_KEY_LENGTH_256`` and the ``FORCE_USE_KEY_MANAGER_KEY`` eFuses. The flash encryption operations happen entirely by hardware, and the key cannot be accessed via software.
+    - If Flash Encryption is intended to be enabled using an eFuse-based key, it checks if a valid key is already present in the eFuse (e.g., burned using espefuse tool).
+    - If Flash Encryption is intended to be enabled using a Key Manager-based key, it checks if there exists a valid key recovery info in the flash memory at the addresses: 0x0 and 0x1000.
 
-  5. Flash encryption block encrypts the flash contents - the second stage bootloader, applications and partitions marked as ``encrypted``. Encrypting in-place can take time, up to a minute for large partitions.
+    If the check passes, the process of key generation is skipped and the same key is used for the flash encryption process.
+
+  4. Otherwise, if using an eFuse-based key, second stage bootloader uses RNG (random) module to generate an 256-bit or 512-bit key, depending on the value of :ref:`Size of generated XTS-AES key <CONFIG_SECURE_FLASH_ENCRYPTION_KEYSIZE>`, and then writes it into respectively one or two ``BLOCK_KEYN`` eFuses. The software also updates the ``KEY_PURPOSE_N`` for the blocks where the keys were stored. The key cannot be accessed via software as the write and read protection bits for one or two ``BLOCK_KEYN`` eFuses are set. ``KEY_PURPOSE_N`` field is write-protected as well. Whereas if using a Key Manager-based key, second stage bootloader writes the key recovery info to the flash memory at the address 0x0, followed by programming the ``KM_XTS_KEY_LENGTH_256`` and the ``FORCE_USE_KEY_MANAGER_KEY`` eFuses. The flash encryption operations happen entirely by hardware, and the key cannot be accessed via software.
+
+  5. Flash encryption block encrypts the flash contents – the second stage bootloader, applications and partitions marked as ``encrypted``. Encrypting in-place can take time, up to a minute for large partitions.
 
   6. Second stage bootloader sets the first available bit in ``{IDF_TARGET_CRYPT_CNT}`` (0b001) to mark the flash contents as encrypted. Odd number of bits is set.
 
@@ -283,9 +288,9 @@ Assuming that the eFuse values are in their default states and the second stage
 
   1. On the first power-on reset, all data in flash is un-encrypted (plaintext). The first stage (ROM) bootloader loads the second stage bootloader.
 
-  2. Second stage bootloader reads the ``{IDF_TARGET_CRYPT_CNT}`` eFuse value (``0b000``). Since the value is ``0`` (even number of bits set), it configures and enables the flash encryption block. For more information on the flash encryption block, see *{IDF_TARGET_NAME} Technical Reference Manual* > *eFuse Controller (eFuse)* > *Auto Encryption Block* [`PDF <{IDF_TARGET_TRM_EN_URL}#efuse>`__].
+  2. Second stage bootloader reads the ``{IDF_TARGET_CRYPT_CNT}`` eFuse value (``0b000``). Since the value is ``0`` (even number of bits set), it configures and enables the flash encryption block. For more information on the flash encryption block, see **{IDF_TARGET_NAME} Technical Reference Manual** > **eFuse Controller (eFuse)** > **Auto Encryption Block** [`PDF <{IDF_TARGET_TRM_EN_URL}#efuse>`__].
 
-  3. Second stage bootloader first checks if a valid key is already present in the eFuse (e.g., burned using espefuse tool) then the process of key generation is skipped and the same key is used for flash encryption process. Otherwise, second stage bootloader uses RNG (random) module to generate an 256 bit or 512 bit key, depending on the value of :ref:`Size of generated XTS-AES key <CONFIG_SECURE_FLASH_ENCRYPTION_KEYSIZE>`, and then writes it into respectively one or two `BLOCK_KEYN` eFuses. The software also updates the ``KEY_PURPOSE_N`` for the blocks where the keys were stored. The key cannot be accessed via software as the write and read protection bits for one or two `BLOCK_KEYN` eFuses are set. ``KEY_PURPOSE_N`` field is write-protected as well. The flash encryption operations happen entirely by hardware, and the key cannot be accessed via software.
+  3. Second stage bootloader first checks if a valid key is already present in the eFuse (e.g., burned using espefuse tool) then the process of key generation is skipped and the same key is used for flash encryption process. Otherwise, second stage bootloader uses RNG (random) module to generate a 256-bit or 512-bit key, depending on the value of :ref:`Size of generated XTS-AES key <CONFIG_SECURE_FLASH_ENCRYPTION_KEYSIZE>`, and then writes it into respectively one or two ``BLOCK_KEYN`` eFuses. The software also updates the ``KEY_PURPOSE_N`` for the blocks where the keys were stored. The key cannot be accessed via software as the write and read protection bits for one or two `BLOCK_KEYN` eFuses are set. ``KEY_PURPOSE_N`` field is write-protected as well. The flash encryption operations happen entirely by hardware, and the key cannot be accessed via software.
 
   4. Flash encryption block encrypts the flash contents - the second stage bootloader, applications and partitions marked as ``encrypted``. Encrypting in-place can take time, up to a minute for large partitions.
 
@@ -311,9 +316,14 @@ Assuming that the eFuse values are in their default states and the second stage
 
   2. Second stage bootloader reads the ``{IDF_TARGET_CRYPT_CNT}`` eFuse value (``0b000``). Since the value is ``0`` (even number of bits set), it configures and enables the flash encryption block. For more information on the flash encryption block, see `{IDF_TARGET_NAME} Technical Reference Manual <{IDF_TARGET_TRM_EN_URL}>`_.
 
-  3. Second stage bootloader first checks if a valid key is already present in the eFuse (e.g., burned using espefuse tool) (if Flash Encryption is intended to be enabled using a eFuses-based key), or checks if there exists a valid key recovery info in the flash memory at the addresses: 0x0 and 0x1000 (if Flash Encryption is intended to be enabled using a Key Manager-based key), then the process of key generation is skipped and the same key is used for flash encryption process.
+  3. Second stage bootloader first checks if a valid key already exists, to decide whether to skip the key generation step:
 
-  4. Otherwise, if using a efuses-based key second stage bootloader uses RNG (random) module to generate an 256 bit key, and then writes it into respectively one `BLOCK_KEYN` eFuses. The software also updates the ``KEY_PURPOSE_N`` for the block where the key were stored. The key cannot be accessed via software as the write and read protection bits for the one `BLOCK_KEYN` eFuses is set. ``KEY_PURPOSE_N`` field is write-protected as well. Whereas if using a Key Manager-based key, second stage bootloader writes the key recovery info to the flash memory at the address 0x0, followed by programming the ``KM_XTS_KEY_LENGTH_256`` and the ``FORCE_USE_KEY_MANAGER_KEY`` eFuses. The flash encryption operations happen entirely by hardware, and the key cannot be accessed via software.
+    - If Flash Encryption is intended to be enabled using an eFuse-based key, it checks if a valid key is already present in the eFuse (e.g., burned using espefuse tool).
+    - If Flash Encryption is intended to be enabled using a Key Manager-based key, it checks if there exists a valid key recovery info in the flash memory at the addresses: 0x0 and 0x1000.
+
+    If the check passes, the process of key generation is skipped and the same key is used for the flash encryption process.
+
+  4. Otherwise, if using an eFuse-based key second stage bootloader uses RNG (random) module to generate a 256-bit key, and then writes it into respectively one ``BLOCK_KEYN`` eFuse block. The software also updates the ``KEY_PURPOSE_N`` for the block where the key were stored. The key cannot be accessed via software as the write and read protection bits for the ``BLOCK_KEYN`` eFuse block is set. ``KEY_PURPOSE_N`` field is write-protected as well. Whereas if using a Key Manager-based key, second stage bootloader writes the key recovery info to the flash memory at the address 0x0, followed by programming the ``KM_XTS_KEY_LENGTH_256`` and the ``FORCE_USE_KEY_MANAGER_KEY`` eFuses. The flash encryption operations happen entirely by hardware, and the key cannot be accessed via software.
 
   5. Flash encryption block encrypts the flash contents - the second stage bootloader, applications and partitions marked as ``encrypted``. Encrypting in-place can take time, up to a minute for large partitions.
 
@@ -333,7 +343,7 @@ Assuming that the eFuse values are in their default states and the second stage
 
   3. Second stage bootloader first checks if a valid key is already present in the eFuse (e.g., burned using espefuse tool), then the process of key generation is skipped and the same key is used for flash encryption process.
 
-  4. Otherwise, second stage bootloader uses RNG (random) module to generate an 256 bit key and then writes it into `BLOCK_KEYN` eFuse. The software also updates the ``KEY_PURPOSE_N`` for the block where the key is stored. The key cannot be accessed via software as the write and read protection bits for `BLOCK_KEYN` eFuse are set. ``KEY_PURPOSE_N`` field is write-protected as well. The flash encryption is completely conducted by hardware, and the key cannot be accessed via software.
+  4. Otherwise, second stage bootloader uses RNG (random) module to generate a 256-bit key and then writes it into ``BLOCK_KEYN`` eFuse. The software also updates the ``KEY_PURPOSE_N`` for the block where the key is stored. The key cannot be accessed via software as the write and read protection bits for ``BLOCK_KEYN`` eFuse are set. ``KEY_PURPOSE_N`` field is write-protected as well. The flash encryption is completely conducted by hardware, and the key cannot be accessed via software.
 
   5. Flash encryption block encrypts the flash contents - the second stage bootloader, applications and partitions marked as ``encrypted``. Encrypting in-place can take time, up to a minute for large partitions.
 
@@ -347,11 +357,11 @@ Assuming that the eFuse values are in their default states and the second stage
 
 .. only:: SOC_FLASH_ENCRYPTION_XTS_AES_128 and SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
 
-  1. On the first power-on reset, all data in flash is un-encrypted (plaintext). The first stage (ROM) bootloaders loads the second stage bootloader.
+  1. On the first power-on reset, all data in flash is un-encrypted (plaintext). The first stage (ROM) bootloader loads the second stage bootloader.
 
   2. The second stage bootloader reads the ``{IDF_TARGET_CRYPT_CNT}`` eFuse value (``0b000``). Since the value is ``0`` (even number of bits set), it configures and enables the flash encryption block. For more information on the flash encryption block, see `{IDF_TARGET_NAME} Technical Reference Manual <{IDF_TARGET_TRM_EN_URL}>`_.
 
-  3. The second stage bootloader uses RNG (random) module to generate an 256 or 128 bit key (depends on :ref:`Size of generated XTS-AES key <CONFIG_SECURE_FLASH_ENCRYPTION_KEYSIZE>`) and then writes it into `BLOCK_KEY0` eFuse. The software also updates the ``XTS_KEY_LENGTH_256`` according to the chosen option. The key cannot be accessed via software as the write and read protection bits for ``BLOCK_KEY0`` eFuse are set. The flash encryption operations happen entirely by hardware, and the key cannot be accessed via software. If 128-bit flash encryption key is used, then only the lower 128 bits of the eFuse key block are read-protected, the remaining 128 bits are readable, which is required for secure boot. The entire eFuse block is write-protected. If the FE key is 256 bits long, then ``XTS_KEY_LENGTH_256`` is 1, otherwise it is 0. To prevent this eFuse from being accidentally changed in the future (from 0 to 1), we set a write-protect bit for the RELEASE mode. If a valid key is already present in the eFuse (e.g., burned using espefuse tool) then the process of key generation is skipped and the same key is used for flash encryption process.
+  3. The second stage bootloader uses RNG (random) module to generate an 256 or 128 bit key (depends on :ref:`Size of generated XTS-AES key <CONFIG_SECURE_FLASH_ENCRYPTION_KEYSIZE>`) and then writes it into `BLOCK_KEY0` eFuse. The software also updates the ``XTS_KEY_LENGTH_256`` according to the chosen option. The key cannot be accessed via software as the write and read protection bits for ``BLOCK_KEY0`` eFuse are set. The flash encryption operations happen entirely by hardware, and the key cannot be accessed via software. If 128-bit flash encryption key is used, then only the lower 128 bits of the eFuse key block are read-protected, the remaining 128 bits are readable, which is required for secure boot. The entire eFuse block is write-protected. If the FE key is 256 bits long, then ``XTS_KEY_LENGTH_256`` is 1, otherwise it is 0. To prevent this eFuse from being accidentally changed in the future (from 0 to 1), we set a write-protect bit for the release mode. If a valid key is already present in the eFuse (e.g., burned using espefuse tool) then the process of key generation is skipped and the same key is used for flash encryption process.
 
   4. Flash encryption block encrypts the flash contents - the second stage bootloader, applications and partitions marked as ``encrypted``. Encrypting in-place can take time, up to a minute for large partitions.
 
@@ -403,15 +413,15 @@ To test flash encryption process, take the following steps:
   .. list::
 
     - :ref:`Enable flash encryption on boot <CONFIG_SECURE_FLASH_ENC_ENABLED>`.
-    - :ref:`Select encryption mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` (**Development mode** by default).
+    - :ref:`Select encryption mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` (**development mode** by default).
     :esp32: - :ref:`Select UART ROM download mode <CONFIG_SECURE_UART_ROM_DL_MODE>` (**enabled** by default). Note that for the ESP32 target, the choice is only available when :ref:`CONFIG_ESP32_REV_MIN` level is set to 3 (ESP32 V3).
     :not esp32: - :ref:`Select UART ROM download mode <CONFIG_SECURE_UART_ROM_DL_MODE>` (**enabled** by default).
     :SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS: - Set :ref:`Size of generated XTS-AES key <CONFIG_SECURE_FLASH_ENCRYPTION_KEYSIZE>`.
-    :SOC_KEY_MANAGER_SUPPORTED: - :ref:`Select the key source for the Flash Encryption Key <CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE>`.
+    :SOC_KEY_MANAGER_SUPPORTED: - :ref:`Select the key source for the Flash Encryption key <CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE>`.
     - :ref:`Select the appropriate bootloader log verbosity <CONFIG_BOOTLOADER_LOG_LEVEL>`.
     - Save the configuration and exit.
 
-Enabling flash encryption will increase the size of bootloader, which might require updating partition table offset. See :ref:`bootloader-size`.
+  Enabling flash encryption will increase the size of bootloader, which might require updating partition table offset. See :ref:`bootloader-size`.
 
 3. Run the command given below to build and flash the complete images.
 
@@ -433,19 +443,19 @@ Enabling flash encryption will increase the size of bootloader, which might requ
     :start-after: first_boot_enc_km
     :end-before: ------
 
-  A sample output of subsequent {IDF_TARGET_NAME} boot just mentions that flash encryption is already enabled (ESP-ROM log mentions that the Key Manager-based key is being used):
+  A sample output of subsequent {IDF_TARGET_NAME} boot mentions that Flash Encryption is already enabled (ESP-ROM log mentions that the Key Manager-based key is being used):
 
   .. include:: {IDF_TARGET_PATH_NAME}_log.inc
     :start-after: already_en_enc_km
     :end-before: ------
 
-A sample output of the first {IDF_TARGET_NAME} boot after enabling flash encryption using a eFuses-based key is given below:
+A sample output of the first {IDF_TARGET_NAME} boot after enabling flash encryption using an eFuse-based key is given below:
 
 .. include:: {IDF_TARGET_PATH_NAME}_log.inc
    :start-after: first_boot_enc
    :end-before: ------
 
-A sample output of subsequent {IDF_TARGET_NAME} boot just mentions that flash encryption is already enabled:
+A sample output of subsequent {IDF_TARGET_NAME} boot mentions that Flash Encryption is already enabled:
 
 .. include:: {IDF_TARGET_PATH_NAME}_log.inc
    :start-after: already_en_enc
@@ -542,13 +552,13 @@ To use a host generated key and program it into the eFuses of the device, take t
 
         idf.py --port PORT efuse-burn-key BLOCK my_flash_encryption_key.bin XTS_AES_128_KEY
 
-    For AES-256 (512-bit key) - ``XTS_AES_256_KEY_1`` and ``XTS_AES_256_KEY_2``. ``idf.py`` supports burning both these two key purposes together with a 512 bit key to two separate key blocks via the virtual key purpose ``XTS_AES_256_KEY``. When this is used ``idf.py`` will burn the first 256 bit of the key to the specified ``BLOCK`` and burn the corresponding block key purpose to ``XTS_AES_256_KEY_1``. The last 256 bit of the key will be burned to the first free key block after ``BLOCK`` and the corresponding block key purpose to ``XTS_AES_256_KEY_2``
+    For AES-256 (512-bit key) - ``XTS_AES_256_KEY_1`` and ``XTS_AES_256_KEY_2``. ``idf.py`` supports burning both these two key purposes together with a 512 bit key to two separate key blocks via the virtual key purpose ``XTS_AES_256_KEY``. When this is used ``idf.py`` will burn the first 256 bits of the key to the specified ``BLOCK`` and burn the corresponding block key purpose to ``XTS_AES_256_KEY_1``. The last 256 bits of the key will be burned to the first free key block after ``BLOCK`` and the corresponding block key purpose to ``XTS_AES_256_KEY_2``
 
     .. code-block:: bash
 
         idf.py --port PORT efuse-burn-key BLOCK my_flash_encryption_key.bin XTS_AES_256_KEY
 
-    If you wish to specify exactly which two blocks are used then it is possible to divide key into two 256 bit keys, and manually burn each half with ``XTS_AES_256_KEY_1`` and ``XTS_AES_256_KEY_2`` as key purposes:
+    If you wish to specify exactly which two blocks are used then it is possible to divide key into two 256-bit keys, and manually burn each half with ``XTS_AES_256_KEY_1`` and ``XTS_AES_256_KEY_2`` as key purposes:
 
     .. code-block:: bash
 
@@ -590,12 +600,12 @@ To use a host generated key and program it into the eFuses of the device, take t
 
 4. In :ref:`project-configuration-menu`, do the following:
 
-    - :ref:`Enable flash encryption on boot <CONFIG_SECURE_FLASH_ENC_ENABLED>`
-    - :ref:`Select encryption mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` (**Development mode** by default)
-    - :ref:`Select the appropriate bootloader log verbosity <CONFIG_BOOTLOADER_LOG_LEVEL>`
-    - Save the configuration and exit.
+   - :ref:`Enable flash encryption on boot <CONFIG_SECURE_FLASH_ENC_ENABLED>`
+   - :ref:`Select encryption mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` (**development mode** by default)
+   - :ref:`Select the appropriate bootloader log verbosity <CONFIG_BOOTLOADER_LOG_LEVEL>`
+   - Save the configuration and exit.
 
-Enabling flash encryption will increase the size of bootloader, which might require updating partition table offset. See :ref:`bootloader-size`.
+  Enabling flash encryption will increase the size of bootloader, which might require updating partition table offset. See :ref:`bootloader-size`.
 
 5. Run the command given below to build and flash the complete images.
 
@@ -641,9 +651,9 @@ Enabling flash encryption will increase the size of bootloader, which might requ
             idf.py secure-generate-flash-encryption-key my_flash_encryption_key.bin
 
 
-  3. **Before the first encrypted boot**, deploy the key into your device's Key Manager using the AES-deploy mode of the Key Manager using a init key and an auxiliary key.
+  3. **Before the first encrypted boot**, deploy the key into your device's Key Manager via its AES-deploy mode, using an init key and an auxiliary key.
 
-  4. The deployment process will generate a key recovery information for the deployed key. Store this information at the flash address 0x0 using the following command:
+  4. The deployment process will generate key recovery information for the deployed key. Store the information at the flash address 0x0 using the following command:
 
     .. code-block:: bash
 
@@ -653,23 +663,17 @@ Enabling flash encryption will increase the size of bootloader, which might requ
 
     .. note::
 
-        This command does not include any user files which should be written to the partitions on the flash memory. Please write them manually before running this command otherwise the files should be encrypted separately before writing.
+        This command does not include any user files which should be written to the partitions on the flash memory. Please write them manually before running this command. Otherwise, the files should be encrypted separately before writing.
 
-<<<<<<< HEAD
-=======
-    This command will write to flash memory unencrypted images: the second stage bootloader, the partition table and applications. Once the flashing is complete, {IDF_TARGET_NAME} will reset. On the next boot, the second stage bootloader encrypts: the second stage bootloader, application partitions and partitions marked as ``encrypted`` then resets. Encrypting in-place can take time, up to a minute for large partitions. After that, the application is decrypted at runtime and executed.
-
-
->>>>>>> 78b730138b6 (docs(key-manager): Add Key-Manager peripheral related documentation)
   5. In :ref:`project-configuration-menu`, do the following:
 
-      - :ref:`Enable flash encryption on boot <CONFIG_SECURE_FLASH_ENC_ENABLED>`
-      - :ref:`Select encryption mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` (**Development mode** by default)
-      - :ref:`Select flash encryption key source as the Key Manager<CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE>`
-      - :ref:`Select the appropriate bootloader log verbosity <CONFIG_BOOTLOADER_LOG_LEVEL>`
-      - Save the configuration and exit.
+     - :ref:`Enable Flash Encryption on boot <CONFIG_SECURE_FLASH_ENC_ENABLED>`
+     - :ref:`Select encryption mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` (**development mode** by default)
+     - :ref:`Select Flash Encryption key source as the Key Manager <CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE>`
+     - :ref:`Select the appropriate bootloader log verbosity <CONFIG_BOOTLOADER_LOG_LEVEL>`
+     - Save the configuration and exit.
 
-  Enabling flash encryption will increase the size of bootloader, which might require updating partition table offset. See :ref:`bootloader-size`.
+    Enabling flash encryption will increase the size of bootloader, which might require updating partition table offset. See :ref:`bootloader-size`.
 
   6. Run the command given below to build and flash the complete images.
 
@@ -679,11 +683,11 @@ Enabling flash encryption will increase the size of bootloader, which might requ
 
     .. note::
 
-        This command does not include any user files which should be written to the partitions on the flash memory. Please write them manually before running this command otherwise the files should be encrypted separately before writing.
+        This command does not include any user files which should be written to the partitions on the flash memory. Please write them manually before running this command. Otherwise, the files should be encrypted separately before writing.
 
-If using Development Mode, then the easiest way to update and re-flash binaries is :ref:`encrypt-partitions`.
+If using development mode, then the easiest way to update and re-flash binaries is :ref:`encrypt-partitions`.
 
-If using Release Mode, then it is possible to pre-encrypt the binaries on the host and then flash them as ciphertext. See :ref:`manual-encryption`.
+If using release mode, then it is possible to pre-encrypt the binaries on the host and then flash them as ciphertext. See :ref:`manual-encryption`.
 
 
 .. _encrypt-partitions:
@@ -697,7 +701,7 @@ If you update your application code (done in plaintext) and want to re-flash it,
 
     idf.py encrypted-app-flash monitor
 
-If all partitions needs to be updated in encrypted format, run:
+If all partitions need to be updated in encrypted format, run:
 
 .. code-block:: bash
 
@@ -712,7 +716,7 @@ If all partitions needs to be updated in encrypted format, run:
 Release Mode
 ^^^^^^^^^^^^
 
-In Release mode, UART bootloader cannot perform flash encryption operations. New plaintext images can ONLY be downloaded using the over-the-air (OTA) scheme which will encrypt the plaintext image before writing to flash.
+In release mode, UART bootloader cannot perform flash encryption operations. New plaintext images can ONLY be downloaded using the over-the-air (OTA) scheme which will encrypt the plaintext image before writing to flash.
 
 To use this mode, take the following steps:
 
@@ -724,16 +728,16 @@ To use this mode, take the following steps:
 
   .. list::
 
-    - :ref:`Enable flash encryption on boot <CONFIG_SECURE_FLASH_ENC_ENABLED>`.
-    :esp32: - :ref:`Select Release mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>`. (Note that once Release mode is selected, the ``DISABLE_DL_ENCRYPT`` and ``DISABLE_DL_DECRYPT`` eFuse bits will be burned to disable flash encryption hardware in ROM Download Mode.)
+    - :ref:`Enable Flash Encryption on boot <CONFIG_SECURE_FLASH_ENC_ENABLED>`.
+    :esp32: - :ref:`Select release mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>`. (Note that once release mode is selected, the ``DISABLE_DL_ENCRYPT`` and ``DISABLE_DL_DECRYPT`` eFuse bits will be burned to disable flash encryption hardware in ROM Download Mode.)
     :esp32: - :ref:`Select UART ROM download mode (Permanently disabled (recommended)) <CONFIG_SECURE_UART_ROM_DL_MODE>` (Note that this option is only available when :ref:`CONFIG_ESP32_REV_MIN` is set to 3 (ESP32 V3).) The default choice is to keep UART ROM download mode enabled, however it is recommended to permanently disable this mode to reduce the options available to an attacker.
-    :not esp32: - :ref:`Select Release mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>`. (Note that once Release mode is selected, the ``EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT`` eFuse bit will be burned to disable flash encryption hardware in ROM Download Mode.)
+    :not esp32: - :ref:`Select release mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>`. (Note that once release mode is selected, the ``EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT`` eFuse bit will be burned to disable flash encryption hardware in ROM Download Mode.)
     :not esp32: - :ref:`Select UART ROM download mode (Permanently switch to Secure mode (recommended)) <CONFIG_SECURE_UART_ROM_DL_MODE>`. This is the default option, and is recommended. It is also possible to change this configuration setting to permanently disable UART ROM download mode, if this mode is not needed.
     :SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND: - :ref:`Select enable XTS-AES's pseudo rounds function <CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC>`. This option is selected by default and its strength is configured to level low considering the performance impact on the flash encryption/decryption operations. Please refer to :ref:`xts-aes-pseudo-round-func` for more information regarding the performance impact per security level.
     - :ref:`Select the appropriate bootloader log verbosity <CONFIG_BOOTLOADER_LOG_LEVEL>`.
     - Save the configuration and exit.
 
-Enabling flash encryption will increase the size of bootloader, which might require updating partition table offset. See :ref:`bootloader-size`.
+    Enabling flash encryption will increase the size of bootloader, which might require updating partition table offset. See :ref:`bootloader-size`.
 
 3. Run the command given below to build and flash the complete images.
 
@@ -748,7 +752,7 @@ Enabling flash encryption will increase the size of bootloader, which might requ
 
   This command will write to flash memory unencrypted images: the second stage bootloader, the partition table and applications. Once the flashing is complete, {IDF_TARGET_NAME} will reset. On the next boot, the second stage bootloader encrypts: the second stage bootloader, application partitions and partitions marked as ``encrypted`` then resets. Encrypting in-place can take time, up to a minute for large partitions. After that, the application is decrypted at runtime and executed.
 
-Once the flash encryption is enabled in Release mode, the bootloader will write-protect the ``{IDF_TARGET_CRYPT_CNT}`` eFuse.
+Once the flash encryption is enabled in release mode, the bootloader will write-protect the ``{IDF_TARGET_CRYPT_CNT}`` eFuse.
 
 For subsequent plaintext field updates, use :ref:`OTA scheme <updating-encrypted-flash-ota>`.
 
@@ -767,7 +771,7 @@ When using Flash Encryption in production:
 
    - Do not reuse the same flash encryption key between multiple devices. This means that an attacker who copies encrypted data from one device cannot transfer it to a second device.
    :esp32: - When using ESP32 V3, if the UART ROM Download Mode is not needed for a production device then it should be disabled to provide an extra level of protection. Do this by calling :cpp:func:`esp_efuse_disable_rom_download_mode` during application startup. Alternatively, configure the project :ref:`CONFIG_ESP32_REV_MIN` level to 3 (targeting ESP32 V3 only) and select the :ref:`CONFIG_SECURE_UART_ROM_DL_MODE` to "Permanently disable ROM Download Mode (recommended)". The ability to disable ROM Download Mode is not available on earlier ESP32 versions.
-   :not esp32: - The UART ROM Download Mode should be disabled entirely if it is not needed, or permanently set to "Secure Download Mode" otherwise. Secure Download Mode permanently limits the available commands to updating SPI config, changing baud rate, basic flash write, and returning a summary of the currently enabled security features with the `get-security-info` command. The default behaviour is to set Secure Download Mode on first boot in Release mode. To disable Download Mode entirely, select :ref:`CONFIG_SECURE_UART_ROM_DL_MODE` to "Permanently disable ROM Download Mode (recommended)" or call :cpp:func:`esp_efuse_disable_rom_download_mode` at runtime.
+   :not esp32: - The UART ROM Download Mode should be disabled entirely if it is not needed, or permanently set to "Secure Download Mode" otherwise. Secure Download Mode permanently limits the available commands to updating SPI config, changing baud rate, basic flash write, and returning a summary of the currently enabled security features with the `get-security-info` command. The default behaviour is to set Secure Download Mode on first boot in release mode. To disable Download Mode entirely, select :ref:`CONFIG_SECURE_UART_ROM_DL_MODE` to "Permanently disable ROM Download Mode (recommended)" or call :cpp:func:`esp_efuse_disable_rom_download_mode` at runtime.
    - Enable :doc:`Secure Boot <secure-boot-v2>` as an extra layer of protection, and to prevent an attacker from selectively corrupting any part of the flash before boot.
 
 Enable Flash Encryption Externally
@@ -782,55 +786,55 @@ Once flash encryption is enabled, the ``{IDF_TARGET_CRYPT_CNT}`` eFuse value wil
 
 1. If the bootloader partition is re-flashed with a **plaintext second stage bootloader image**, the first stage (ROM) bootloader will fail to load the second stage bootloader resulting in the following failure:
 
-.. only:: esp32
+  .. only:: esp32
 
-  .. code-block:: bash
+    .. code-block:: bash
 
-      rst:0x3 (SW_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
-      flash read err, 1000
-      ets_main.c 371
-      ets Jun  8 2016 00:22:57
+        rst:0x3 (SW_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
+        flash read err, 1000
+        ets_main.c 371
+        ets Jun  8 2016 00:22:57
 
-      rst:0x7 (TG0WDT_SYS_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
-      flash read err, 1000
-      ets_main.c 371
-      ets Jun  8 2016 00:22:57
+        rst:0x7 (TG0WDT_SYS_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
+        flash read err, 1000
+        ets_main.c 371
+        ets Jun  8 2016 00:22:57
 
-      rst:0x7 (TG0WDT_SYS_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
-      flash read err, 1000
-      ets_main.c 371
-      ets Jun  8 2016 00:22:57
+        rst:0x7 (TG0WDT_SYS_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
+        flash read err, 1000
+        ets_main.c 371
+        ets Jun  8 2016 00:22:57
 
-      rst:0x7 (TG0WDT_SYS_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
-      flash read err, 1000
-      ets_main.c 371
-      ets Jun  8 2016 00:22:57
+        rst:0x7 (TG0WDT_SYS_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
+        flash read err, 1000
+        ets_main.c 371
+        ets Jun  8 2016 00:22:57
 
-      rst:0x7 (TG0WDT_SYS_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
-      flash read err, 1000
-      ets_main.c 371
-      ets Jun  8 2016 00:22:57
+        rst:0x7 (TG0WDT_SYS_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
+        flash read err, 1000
+        ets_main.c 371
+        ets Jun  8 2016 00:22:57
 
-.. only:: not esp32
+  .. only:: not esp32
 
-  .. code-block:: bash
+    .. code-block:: bash
 
-      rst:0x3 (SW_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
-      invalid header: 0xb414f76b
-      invalid header: 0xb414f76b
-      invalid header: 0xb414f76b
-      invalid header: 0xb414f76b
-      invalid header: 0xb414f76b
-      invalid header: 0xb414f76b
-      invalid header: 0xb414f76b
+        rst:0x3 (SW_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
+        invalid header: 0xb414f76b
+        invalid header: 0xb414f76b
+        invalid header: 0xb414f76b
+        invalid header: 0xb414f76b
+        invalid header: 0xb414f76b
+        invalid header: 0xb414f76b
+        invalid header: 0xb414f76b
 
-  .. note::
+    .. note::
 
-    The value of invalid header will be different for every application.
+      The value of invalid header will be different for every application.
 
-.. note::
+    .. note::
 
-    This error also appears if the flash contents are erased or corrupted.
+      This error also appears if the flash contents are erased or corrupted.
 
 2. If the second stage bootloader is encrypted, but the partition table is re-flashed with a **plaintext partition table image**, the bootloader will fail to read the partition table resulting in the following failure:
 
@@ -893,7 +897,7 @@ Once flash encryption is enabled, the ``{IDF_TARGET_CRYPT_CNT}`` eFuse value wil
 {IDF_TARGET_NAME} Flash Encryption Status
 -----------------------------------------
 
-1. Ensure that you have an {IDF_TARGET_NAME} device with default flash encryption eFuse settings as shown in :ref:`flash-encryption-efuse`.
+Ensure that you have an {IDF_TARGET_NAME} device with default flash encryption eFuse settings as shown in :ref:`flash-encryption-efuse`.
 
 To check if flash encryption on your {IDF_TARGET_NAME} device is enabled, do one of the following:
 
@@ -951,7 +955,7 @@ It is recommended to use the partition write function :cpp:func:`esp_partition_w
 
 You can also pre-encrypt and write data using the function :cpp:func:`esp_flash_write_encrypted`
 
-Also, the following ROM function exist but not supported in esp-idf applications:
+Also, the following ROM functions exist but are not supported in ESP-IDF applications:
 
 - ``esp_rom_spiflash_write_encrypted`` pre-encrypts and writes data to flash
 - ``SPIWrite`` writes unencrypted data to flash
@@ -983,9 +987,9 @@ Updating Encrypted Flash via Serial
 
 Flashing an encrypted device via serial bootloader requires that the serial bootloader download interface has not been permanently disabled via eFuse.
 
-In Development Mode, the recommended method is :ref:`encrypt-partitions`.
+In development mode, the recommended method is :ref:`encrypt-partitions`.
 
-In Release Mode, if a copy of the same key stored in eFuse is available on the host then it is possible to pre-encrypt files on the host and then flash them. See :ref:`manual-encryption`.
+In release mode, if a copy of the same key stored in eFuse is available on the host then it is possible to pre-encrypt files on the host and then flash them. See :ref:`manual-encryption`.
 
 Disabling Flash Encryption
 --------------------------
@@ -994,11 +998,11 @@ If flash encryption was enabled accidentally, flashing of plaintext data will so
 
 .. only:: esp32
 
-  For flash encryption in Development mode, encryption can be disabled by burning the ``{IDF_TARGET_CRYPT_CNT}`` eFuse. It can only be done three times per chip by taking the following steps:
+  For flash encryption in development mode, encryption can be disabled by burning the ``{IDF_TARGET_CRYPT_CNT}`` eFuse. It can only be done three times per chip by taking the following steps:
 
 .. only:: not esp32
 
-  For flash encryption in Development mode, encryption can be disabled by burning the ``{IDF_TARGET_CRYPT_CNT}`` eFuse. It can only be done one time per chip by taking the following steps:
+  For flash encryption in development mode, encryption can be disabled by burning the ``{IDF_TARGET_CRYPT_CNT}`` eFuse. It can only be done one time per chip by taking the following steps:
 
 #. In :ref:`project-configuration-menu`, disable :ref:`Enable flash encryption on boot <CONFIG_SECURE_FLASH_ENC_ENABLED>`, then save and exit.
 #. Open project configuration menu again and **double-check** that you have disabled this option! If this option is left enabled, the bootloader will immediately re-enable encryption when it boots.
@@ -1021,9 +1025,9 @@ Key Points About Flash Encryption
 
   :esp32: - The flash encryption algorithm is AES-256, where the key is "tweaked" with the offset address of each 32 byte block of flash. This means that every 32-byte block (two consecutive 16 byte AES blocks) is encrypted with a unique key derived from the flash encryption key.
 
-  :SOC_FLASH_ENCRYPTION_XTS_AES_256 and SOC_KEY_MANAGER_SUPPORTED: - Flash memory contents is encrypted using XTS-AES-128 or XTS-AES-256. The flash encryption key is 256 bits and 512 bits respectively and stored in one or two ``BLOCK_KEYN`` eFuses internal to the chip and, by default, is protected from software access.
+  :SOC_FLASH_ENCRYPTION_XTS_AES_256 and SOC_KEY_MANAGER_SUPPORTED: - Flash memory contents are encrypted using XTS-AES-128 or XTS-AES-256. The flash encryption key is 256 bits and 512 bits respectively and stored in one or two ``BLOCK_KEYN`` eFuses internal to the chip and, by default, is protected from software access.
 
-  :SOC_FLASH_ENCRYPTION_XTS_AES_256 and not SOC_KEY_MANAGER_SUPPORTED: - Flash memory contents is encrypted using XTS-AES-128 or XTS-AES-256. The flash encryption key is 256 bits and 512 bits respectively and stored in one or two ``BLOCK_KEYN`` eFuses internal to the chip if Flash Encryption is enabled using a eFuses-based key, whereas if Flash Encryption is enabled using a Key Manager-based key, the flash encryption key is stored in the Key Manager and, by default, is protected from software access.
+  :SOC_FLASH_ENCRYPTION_XTS_AES_256 and not SOC_KEY_MANAGER_SUPPORTED: - Flash memory contents are encrypted using XTS-AES-128 or XTS-AES-256, with respective key sizes of 256 or 512 bits. If using an eFuse-based key, the key is stored in one or two internal ``BLOCK_KEYN`` eFuses. However, if using a Key Manager-based key, the key is stored within the Key Manager itself. In either case, the key is protected from software access by default.
 
   :SOC_FLASH_ENCRYPTION_XTS_AES_128 and not SOC_FLASH_ENCRYPTION_XTS_AES_256 and not SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED: - Flash memory contents is encrypted using XTS-AES-128. The flash encryption key is 256 bits and stored in one ``BLOCK_KEYN`` eFuse internal to the chip and, by default, is protected from software access.
 
@@ -1039,9 +1043,9 @@ Key Points About Flash Encryption
 
 Enabling flash encryption will increase the size of bootloader, which might require updating partition table offset. See :ref:`bootloader-size`.
 
-    .. important::
+.. important::
 
-        Do not interrupt power to the {IDF_TARGET_NAME} while the first boot encryption pass is running. If power is interrupted, the flash contents will be corrupted and will require flashing with unencrypted data again. In this case, re-flashing will not count towards the flashing limit.
+    Do not interrupt power to the {IDF_TARGET_NAME} while the first boot encryption pass is running. If power is interrupted, the flash contents will be corrupted and will require flashing with unencrypted data again. In this case, re-flashing will not count towards the flashing limit.
 
 
 .. _flash-encryption-limitations:
@@ -1188,7 +1192,7 @@ However, before the first boot you can choose to keep any of these features enab
 JTAG Debugging
 ^^^^^^^^^^^^^^
 
-By default, when Flash Encryption is enabled (in either Development or Release mode) then JTAG debugging is disabled via eFuse. The bootloader does this on first boot, at the same time it enables flash encryption.
+By default, when Flash Encryption is enabled (in either development or release mode) then JTAG debugging is disabled via eFuse. The bootloader does this on first boot, at the same time it enables flash encryption.
 
 See :ref:`jtag-debugging-security-features` for more information about using JTAG Debugging with Flash Encryption.
 
@@ -1200,11 +1204,11 @@ Manually Encrypting Files
 
 .. only:: SOC_KEY_MANAGER_SUPPORTED
 
-  Manually encrypting or decrypting files requires the flash encryption key to be deployed in the Key Manager or pre-burned in eFuses (see :ref:`pregenerated-flash-encryption-key`) and a copy to be kept on the host. If the flash encryption is configured in Development Mode then it is not necessary to keep a copy of the key or follow these steps, the simpler :ref:`encrypt-partitions` steps can be used.
+  Manually encrypting or decrypting files require the flash encryption key to be deployed in the Key Manager or pre-burned in eFuses (see :ref:`pregenerated-flash-encryption-key`) and a copy to be kept on the host. If the flash encryption is configured in development mode, then it is not necessary to keep a copy of the key or follow these steps. The simpler :ref:`encrypt-partitions` steps can be used.
 
 .. only:: not SOC_KEY_MANAGER_SUPPORTED
 
-  Manually encrypting or decrypting files requires the flash encryption key to be pre-burned in eFuse (see :ref:`pregenerated-flash-encryption-key`) and a copy to be kept on the host. If the flash encryption is configured in Development Mode then it is not necessary to keep a copy of the key or follow these steps, the simpler :ref:`encrypt-partitions` steps can be used.
+  Manually encrypting or decrypting files require the flash encryption key to be pre-burned in eFuse (see :ref:`pregenerated-flash-encryption-key`) and a copy to be kept on the host. If the flash encryption is configured in development mode, then it is not necessary to keep a copy of the key or follow these steps. The simpler :ref:`encrypt-partitions` steps can be used.
 
 The key file should be a single raw binary file (example: ``key.bin``).
 
@@ -1226,11 +1230,11 @@ The file ``my-app-ciphertext.bin`` can then be flashed to offset 0x10000 using `
 
 .. note::
 
-   If the flashed ciphertext file is not recognized by the {IDF_TARGET_NAME} when it boots, check that the keys match and that the command line arguments match exactly, including the correct offset.
+  If the flashed ciphertext file is not recognized by the {IDF_TARGET_NAME} when it boots, check that the keys match and that the command line arguments match exactly, including the correct offset.
 
-   .. only:: esp32
+  .. only:: esp32
 
-       If your ESP32 uses non-default :ref:`FLASH_CRYPT_CONFIG value in eFuse <setting-flash-crypt-config>` then you will need to pass the ``--flash-crypt-conf`` argument to ``idf.py`` command to set the matching value. This will not happen if the device configured flash encryption by itself, but may happen if burning eFuses manually to enable flash encryption.
+    If your ESP32 uses non-default :ref:`FLASH_CRYPT_CONFIG value in eFuse <setting-flash-crypt-config>` then you will need to pass the ``--flash-crypt-conf`` argument to ``idf.py`` command to set the matching value. This will not happen if the device configured flash encryption by itself, but may happen if burning eFuses manually to enable flash encryption.
 
 The command ``idf.py decrypt-flash-data`` can be used with the same options (and different input/output files), to decrypt ciphertext flash contents or a previously encrypted file.
 
@@ -1299,13 +1303,13 @@ The following sections provide some reference information about the operation of
   Flash Encryption Algorithm
   ^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-  - {IDF_TARGET_NAME} use the XTS-AES block cipher mode with 256 bit or 512 bit key size for flash encryption.
+  - {IDF_TARGET_NAME} use the XTS-AES block cipher mode with 256-bit or 512-bit key size for flash encryption.
 
   - XTS-AES is a block cipher mode specifically designed for disc encryption and addresses the weaknesses other potential modes (e.g., AES-CTR) have for this use case. A detailed description of the XTS-AES algorithm can be found in `IEEE Std 1619-2007 <https://ieeexplore.ieee.org/document/4493450>`_.
 
   - The flash encryption key is stored in one or two ``BLOCK_KEYN`` eFuses and, by default, is protected from further writes or software readout.
 
-  - To see the full flash encryption algorithm implemented in Python, refer to the `_flash_encryption_operation()` function in the ``espsecure`` source code.
+  - To see the full flash encryption algorithm implemented in Python, refer to the ``_flash_encryption_operation()`` function in the ``espsecure`` source code.
 
 .. only:: SOC_FLASH_ENCRYPTION_XTS_AES_128 and not SOC_FLASH_ENCRYPTION_XTS_AES_256 and not SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
 
@@ -1315,7 +1319,7 @@ The following sections provide some reference information about the operation of
   Flash Encryption Algorithm
   ^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-  - {IDF_TARGET_NAME} use the XTS-AES block cipher mode with 256 bit size for flash encryption.
+  - {IDF_TARGET_NAME} use the XTS-AES block cipher mode with 256-bit size for flash encryption.
 
   - XTS-AES is a block cipher mode specifically designed for disc encryption and addresses the weaknesses other potential modes (e.g., AES-CTR) have for this use case. A detailed description of the XTS-AES algorithm can be found in `IEEE Std 1619-2007 <https://ieeexplore.ieee.org/document/4493450>`_.
 
@@ -1330,7 +1334,7 @@ The following sections provide some reference information about the operation of
   Flash Encryption Algorithm
   ^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-  - {IDF_TARGET_NAME} use the XTS-AES block cipher mode with 256 bit size for flash encryption. In case the 128-bit key is stored in the eFuse key block, the final 256-bit AES key is obtained as SHA256(EFUSE_KEY0_FE_128BIT).
+  - {IDF_TARGET_NAME} use the XTS-AES block cipher mode with 256-bit size for flash encryption. In case the 128-bit key is stored in the eFuse key block, the final 256-bit AES key is obtained as SHA256(EFUSE_KEY0_FE_128BIT).
 
   - XTS-AES is a block cipher mode specifically designed for disc encryption and addresses the weaknesses other potential modes (e.g., AES-CTR) have for this use case. A detailed description of the XTS-AES algorithm can be found in `IEEE Std 1619-2007 <https://ieeexplore.ieee.org/document/4493450>`_.
 

docs/en/security/security-features-enablement-workflows.rst

@@ -61,19 +61,19 @@ Enable Flash Encryption and Secure Boot v2 Externally
 
     It is recommended to enable both Flash Encryption and Secure Boot v2 for a production use case.
 
-When enabling the Flash Encryption and Secure Boot v2 together, they need to enable them in the following order:
+When enabling the Flash Encryption and Secure Boot v2 together, they must be enabled in the following order:
 
 #. Enable the Flash Encryption feature by following the steps listed in :ref:`enable-flash-encryption-externally`.
 #. Enable the Secure Boot v2 feature by following the steps listed in :ref:`enable-secure-boot-v2-externally`.
 
-The reason this particular ordering is that when enabling Secure Boot (SB) v2, it is necessary to keep the SB v2 key readable. To protect the key's readability, the write protection for ``RD_DIS`` (``ESP_EFUSE_WR_DIS_RD_DIS``) is applied. However, this action poses a challenge when attempting to enable Flash Encryption, as the Flash Encryption (FE) key needs to remain unreadable. This conflict arises because the ``RD_DIS`` is already write-protected, making it impossible to read protect the FE key.
+The reason for this particular ordering is that when enabling Secure Boot (SB) v2, it is necessary to keep the SB v2 key readable. To protect the key's readability, the write protection for ``RD_DIS`` (``ESP_EFUSE_WR_DIS_RD_DIS``) is applied. However, this action poses a challenge when attempting to enable Flash Encryption, as the Flash Encryption (FE) key needs to remain unreadable. This conflict arises because the ``RD_DIS`` is already write-protected, making it impossible to read protect the FE key.
 
 .. _enable-flash-encryption-externally:
 
 Enable Flash Encryption Externally
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-In this case all the eFuses related to Flash Encryption are written with help of the espefuse tool. More details about Flash Encryption can process can be found in :doc:`/security/flash-encryption`.
+In this case, all the eFuses related to Flash Encryption are written with help of the espefuse tool. More details about Flash Encryption process can be found in :doc:`/security/flash-encryption`.
 
 1. Ensure that you have an {IDF_TARGET_NAME} device with default Flash Encryption eFuse settings as shown in :ref:`flash-encryption-efuse`
 
@@ -130,7 +130,7 @@ In this case all the eFuses related to Flash Encryption are written with help of
 
             espsecure generate-flash-encryption-key --keylen 128 my_flash_encryption_key.bin
 
-3. Programming the generated Flash Encryption key into the device
+3. Program the generated Flash Encryption key into the device
 
     .. only:: SOC_KEY_MANAGER_SUPPORTED
 
@@ -140,7 +140,7 @@ In this case all the eFuses related to Flash Encryption are written with help of
 
             esptool --port PORT write-flash 0x0 key_recovery_info.bin
 
-        Once the Key Recovery info is stored in the flash memory, you also need to program the ``KM_XTS_KEY_LENGTH_256`` and the ``FORCE_USE_KEY_MANAGER_KEY`` eFuses.
+        After storing the Key Recovery Information in flash memory, you also need to program the ``KM_XTS_KEY_LENGTH_256`` and the ``FORCE_USE_KEY_MANAGER_KEY`` eFuses.
 
         .. warning::
 
@@ -152,30 +152,25 @@ In this case all the eFuses related to Flash Encryption are written with help of
 
             espefuse --port PORT burn-efuse FORCE_USE_KEY_MANAGER_KEY 2
 
-        The ``KM_XTS_KEY_LENGTH_256`` eFuse is used to control the length of the Key-Manager based XTS-AES key. Set this eFuse to 1 to use a 128-bit key, and to 0 to use a 256-bit key.
+        The ``KM_XTS_KEY_LENGTH_256`` eFuse controls the length of the Key-Manager based XTS-AES key. Set this eFuse to 1 to use a 128-bit key, and to 0 to use a 256-bit key.
 
-        In case of using a 128-bit key, set the ``KM_XTS_KEY_LENGTH_256`` eFuse to 1.
+        To use a 128-bit key, set the ``KM_XTS_KEY_LENGTH_256`` eFuse to 1.
 
         .. code-block:: bash
 
             espefuse --port PORT burn-efuse KM_XTS_KEY_LENGTH_256 1
 
-        Otherwise in case of using a 256-bit key, set the ``KM_XTS_KEY_LENGTH_256`` eFuse to 0.
+        Otherwise, to use a 256-bit key, set the ``KM_XTS_KEY_LENGTH_256`` eFuse to 0.
 
         .. code-block:: bash
 
             espefuse --port PORT burn-efuse KM_XTS_KEY_LENGTH_256 0
 
-<<<<<<< HEAD
         b. To store the Flash Encryption key in the eFuses, run the following commands:
 
     .. only:: not SOC_KEY_MANAGER_SUPPORTED
 
         To store the Flash Encryption key in the eFuses, run the following commands:
-=======
-
-    To store the Flash Encryption key in the eFuses, run the following commands:
->>>>>>> 78b730138b6 (docs(key-manager): Add Key-Manager peripheral related documentation)
 
     .. warning::
 
@@ -226,13 +221,13 @@ In this case all the eFuses related to Flash Encryption are written with help of
 
     .. only:: SOC_FLASH_ENCRYPTION_XTS_AES_128 and SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
 
-        For AES-128 (256-bit key) - ``XTS_AES_128_KEY`` (the ``XTS_KEY_LENGTH_256`` eFuse will be burn to 1):
+        For AES-128 (256-bit key) - ``XTS_AES_128_KEY`` (the ``XTS_KEY_LENGTH_256`` eFuse will be burned to 1):
 
         .. code-block:: bash
 
             espefuse --port PORT burn-key BLOCK_KEY0 flash_encryption_key256.bin XTS_AES_128_KEY
 
-        For AES-128 key derived from SHA256(128 eFuse bits) - ``XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS``. The FE key will be written in the lower part of eFuse BLOCK_KEY0. The upper 128 bits are not used and will remain available for reading by software. Using the special mode of the espefuse tool, shown in the ``For burning both keys together`` section below, the user can write their data to it using any espefuse commands.
+        For AES-128 key derived from SHA256 (128 eFuse bits) - ``XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS``. The FE key will be written in the lower part of eFuse BLOCK_KEY0. The upper 128 bits are not used and will remain available for reading by software. Using the special mode of the espefuse tool, shown in the ``For burning both keys together`` section below, the user can write their data to it using any espefuse commands.
 
         .. code-block:: bash
 
@@ -287,7 +282,7 @@ In this case all the eFuses related to Flash Encryption are written with help of
         :SOC_EFUSE_DIS_DOWNLOAD_ICACHE: - ``DIS_DOWNLOAD_ICACHE``: Disable UART cache
         :SOC_EFUSE_DIS_DOWNLOAD_DCACHE: - ``DIS_DOWNLOAD_DCACHE``: Disable UART cache
         :SOC_EFUSE_HARD_DIS_JTAG: - ``HARD_DIS_JTAG``: Hard disable JTAG peripheral
-        :SOC_EFUSE_DIS_DIRECT_BOOT:- ``DIS_DIRECT_BOOT``: Disable direct boot (legacy SPI boot mode)
+        :SOC_EFUSE_DIS_DIRECT_BOOT: - ``DIS_DIRECT_BOOT``: Disable direct boot (legacy SPI boot mode)
         :SOC_EFUSE_DIS_LEGACY_SPI_BOOT: - ``DIS_LEGACY_SPI_BOOT``: Disable legacy SPI boot mode
         :SOC_EFUSE_DIS_USB_JTAG: - ``DIS_USB_JTAG``: Disable USB switch to JTAG
         :SOC_EFUSE_DIS_PAD_JTAG: - ``DIS_PAD_JTAG``: Disable JTAG permanently
@@ -309,7 +304,7 @@ In this case all the eFuses related to Flash Encryption are written with help of
 
         B) Write protect security eFuses
 
-        After burning the respective eFuses we need to write_protect the security configurations. It can be done by burning following eFuse:
+        After burning the respective eFuses we need to write-protect the security configurations. It can be done by burning following eFuse:
 
         .. code:: bash
 
@@ -542,12 +537,12 @@ In this workflow we shall use ``espsecure`` tool to generate signing keys and us
         :SOC_EFUSE_DIS_BOOT_REMAP: - ``DIS_BOOT_REMAP``: Disable capability to remap ROM to RAM address space.
         :SOC_EFUSE_HARD_DIS_JTAG: - ``HARD_DIS_JTAG``: Hard disable JTAG peripheral.
         :SOC_EFUSE_SOFT_DIS_JTAG: - ``SOFT_DIS_JTAG``: Disable software access to JTAG peripheral.
-        :SOC_EFUSE_DIS_DIRECT_BOOT:- ``DIS_DIRECT_BOOT``: Disable direct boot (legacy SPI boot mode).
+        :SOC_EFUSE_DIS_DIRECT_BOOT: - ``DIS_DIRECT_BOOT``: Disable direct boot (legacy SPI boot mode).
         :SOC_EFUSE_DIS_LEGACY_SPI_BOOT: - ``DIS_LEGACY_SPI_BOOT``: Disable legacy SPI boot mode.
         :SOC_EFUSE_DIS_USB_JTAG: - ``DIS_USB_JTAG``: Disable USB switch to JTAG.
         :SOC_EFUSE_DIS_PAD_JTAG: - ``DIS_PAD_JTAG``: Disable JTAG permanently.
         :SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS: - ``SECURE_BOOT_AGGRESSIVE_REVOKE``: Aggressive revocation of key digests, see :ref:`secure-boot-v2-aggressive-key-revocation` for more details.
-        :SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED: - ``WR_DIS_ECDSA_CURVE_MODE``: Disable writing to the ECDSA curve mode eFuse bit. As this write protection bit is shared with ``ECC_FORCE_CONST_TIME``, it is recommended to write protect this bit only after configuring the ``ECC_FORCE_CONST_TIME`` eFuse.
+        :SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED: - ``WR_DIS_ECDSA_CURVE_MODE``: Disable writing to the ECDSA curve mode eFuse bit. As this write protection bit is shared with ``ECC_FORCE_CONST_TIME``, it is recommended to write-protect this bit only after configuring the ``ECC_FORCE_CONST_TIME`` eFuse.
         :SOC_ECDSA_SUPPORT_CURVE_P384: - ``WR_DIS_SECURE_BOOT_SHA384_EN``: Disable writing to the SHA-384 Secure Boot eFuse bit. As this write protection bit is shared with ``XTS_DPA_PSEUDO_LEVEL`` and ``ECC_FORCE_CONST_TIME``, it is recommended to write protect this bit only after configuring all the other shared eFuses.
 
     The respective eFuses can be burned by running:

docs/en/security/security.rst

@@ -11,7 +11,7 @@ This guide provides an overview of the overall security features available in va
 
 .. note::
 
-    In this guide, most used commands are in the form of ``idf.py secure-<command>``, which is a wrapper around corresponding ``espsecure <command>``. The ``idf.py`` based commands provides more user-friendly experience, although may lack some of the advanced functionality of their ``espsecure`` based counterparts.
+    In this guide, most used commands are in the form of ``idf.py secure-<command>``, which is a wrapper around corresponding ``espsecure <command>``. The ``idf.py`` based commands provides a more user-friendly experience, although may lack some of the advanced functionality of their ``espsecure`` based counterparts.
 
 .. only:: TARGET_SUPPORT_QEMU
 
@@ -70,7 +70,7 @@ Please refer to :doc:`flash-encryption` for detailed information about this feat
 
 .. only:: SOC_SPIRAM_SUPPORTED and not esp32
 
-    If {IDF_TARGET_NAME} is connected to an external SPI RAM, the contents written to or read from the SPI RAM will also be encrypted and decrypted respectively (via the MMU's flash cache, provided that FLash Encryption is enabled). This provides an additional safety layer for the data stored in SPI RAM, hence configurations like ``CONFIG_MBEDTLS_EXTERNAL_MEM_ALLOC`` can be safely enabled in this case.
+    If {IDF_TARGET_NAME} is connected to an external SPI RAM, the contents written to or read from the SPI RAM will also be encrypted and decrypted respectively (via the MMU's flash cache, provided that Flash Encryption is enabled). This provides an additional safety layer for the data stored in SPI RAM, hence configurations like ``CONFIG_MBEDTLS_EXTERNAL_MEM_ALLOC`` can be safely enabled in this case.
 
 Flash Encryption Best Practices
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -106,7 +106,7 @@ Flash Encryption Best Practices
     Key Manager
     ~~~~~~~~~~~
 
-    The Key Manager peripheral in {IDF_TARGET_NAME} provides hardware-assisted **key deployment and recovery** for cryptographic keys. Keys are cryptographically bound to a Hardware Unique Key (HUK) that is unique to each chip, ensuring that key material is never exposed in software-accessible memory.
+    The Key Manager peripheral in {IDF_TARGET_NAME} provides hardware-assisted **key deployment and recovery** for cryptographic keys. Keys are cryptographically bound to a Hardware Unique Key (HUK) that is unique to each chip, ensuring that key material is never exposed to software-accessible memory.
 
     The Key Manager supports key management for the following cryptographic peripherals: :doc:`ECDSA <../api-reference/peripherals/ecdsa>`, :doc:`HMAC <../api-reference/peripherals/hmac>`, :doc:`Digital Signature (DS) <../api-reference/peripherals/ds>`, and Flash Encryption.
 
@@ -142,7 +142,7 @@ Flash Encryption Best Practices
         DPA (Differential Power Analysis) Protection
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-        {IDF_TARGET_NAME} has support for protection mechanisms against the Differential Power Analysis related security attacks. DPA protection dynamically adjusts the clock frequency of the crypto peripherals, thereby blurring the power consumption trajectory during its operation. Based on the configured DPA security level, the clock variation range changes. Please refer to the *{IDF_TARGET_NAME} Technical Reference Manual* [`PDF <{IDF_TARGET_TRM_EN_URL}>`__]. for more details on this topic.
+        {IDF_TARGET_NAME} has support for protection mechanisms against the Differential Power Analysis related security attacks. DPA protection dynamically adjusts the clock frequency of the crypto peripherals, thereby blurring the power consumption trajectory during its operation. Based on the configured DPA security level, the clock variation range changes. Please refer to the **{IDF_TARGET_NAME} Technical Reference Manual** [`PDF <{IDF_TARGET_TRM_EN_URL}>`__] for more details on this topic.
 
         :ref:`CONFIG_ESP_CRYPTO_DPA_PROTECTION_LEVEL` can help to select the DPA level. Higher level means better security, but it can also have an associated performance impact. By default, the lowest DPA level is kept enabled but it can be modified based on the security requirement.
 
@@ -158,7 +158,7 @@ Flash Encryption Best Practices
         {IDF_TARGET_NAME} incorporates a pseudo-round function in the AES peripheral, thus enabling the peripheral to randomly insert pseudo-rounds before and after the original operation rounds and also generate a pseudo key to perform these dummy operations.
         These operations do not alter the original result, but they increase the complexity to perform side channel analysis attacks by randomizing the power profile.
 
-        :ref:`CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH` can be used to select the strength of the pseudo-round function. Increasing the strength improves the security provided, but would slow down the encrryption/decryption operations.
+        :ref:`CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH` can be used to select the strength of the pseudo-round function. Increasing the strength improves the security provided, but would slow down the encryption/decryption operations.
 
 
         .. list-table:: Performance impact on AES operations per strength level

docs/zh_CN/api-reference/peripherals/ds.rst

@@ -3,7 +3,7 @@
 
 :link_to_translation:`en:[English]`
 
-数字签名 (DS) 模块利用 RSA 硬件加速器为信息签名。HMAC 作为密钥派生函数，使用 eFuse 作为输入密钥，输出一组加密参数。随后，数字签名模块利用这组预加密的参数，计算出签名。
+数字签名 (DS) 模块提供基于 RSA 的消息签名硬件加速，并使用预加密参数来计算签名。这些参数通过 HMAC 作为密钥派生函数进行加密，而 HMAC 则以 eFuse 作为输入密钥。
 
 .. only:: SOC_KEY_MANAGER_SUPPORTED
 

docs/zh_CN/api-reference/peripherals/ecdsa.rst

@@ -84,7 +84,7 @@ ECDSA 密钥可以通过 ``idf.py`` 脚本在外部编程。以下是关于编
 
     ECDSA 私钥可以存储在密钥管理器中，详情请参阅 :ref:`key-manager`。
 
-    将 ECDSA 密钥部署到密钥管理器中，对于持久化密钥，需将生成的密钥恢复信息存储在 flash 中。
+    将 ECDSA 密钥部署到密钥管理器中。对于持久密钥，需将生成的密钥恢复信息存储在 flash 中。
 
 另外，ECDSA 密钥也可以通过在目标上运行的应用程序进行编程。
 

docs/zh_CN/api-reference/peripherals/hmac.rst

@@ -26,7 +26,7 @@
 {IDF_TARGET_NAME} 上的 HMAC
 -----------------------------
 
-在 {IDF_TARGET_NAME} HMAC 模块的 eFuse 中会烧录一个密钥。
+在 {IDF_TARGET_NAME} 上，HMAC 模块会使用烧录到 eFuse 中的密钥。
 
 .. only:: SOC_KEY_MANAGER_SUPPORTED
 

docs/zh_CN/api-reference/peripherals/index.rst

@@ -11,6 +11,7 @@
     :SOC_GDMA_SUPPORT_CRC: async_crc
     :SOC_ASYNC_MEMCPY_SUPPORTED: async_memcpy
     :SOC_BITSCRAMBLER_SUPPORTED: bitscrambler
+    :SOC_MIPI_CSI_SUPPORTED: camera_driver
     :SOC_CLK_TREE_SUPPORTED: clk_tree
     :SOC_CORDIC_SUPPORTED: cordic
     :SOC_DAC_SUPPORTED: dac
@@ -25,11 +26,11 @@
     :SOC_I2S_SUPPORTED: i2s
     :SOC_I3C_MASTER_SUPPORTED: i3c_master
     :SOC_ISP_SUPPORTED: isp
+    :SOC_JPEG_CODEC_SUPPORTED: jpeg
     :SOC_KEY_MANAGER_SUPPORTED: key_manager
     lcd/index
     :SOC_GP_LDO_SUPPORTED: ldo_regulator
     ledc
-    :SOC_MIPI_CSI_SUPPORTED: camera_driver
     :SOC_MCPWM_SUPPORTED: mcpwm
     :SOC_PARLIO_SUPPORTED: parlio/index
     :SOC_PCNT_SUPPORTED: pcnt
@@ -46,7 +47,6 @@
     :SOC_SPI_SUPPORT_SLAVE_HD_VER2: spi_slave_hd
     :SOC_LP_I2S_SUPPORTED: lp_i2s
     :SOC_LP_VAD_SUPPORTED: vad
-    :SOC_JPEG_CODEC_SUPPORTED: jpeg
     :SOC_TEMP_SENSOR_SUPPORTED: temp_sensor
     :SOC_TOUCH_SENSOR_SUPPORTED: cap_touch_sens
     :SOC_TWAI_SUPPORTED: twai

docs/zh_CN/api-reference/peripherals/key_manager.rst

@@ -5,7 +5,9 @@
 
 :link_to_translation:`en:[English]`
 
-{IDF_TARGET_NAME} 的密钥管理器外设为密码密钥提供了硬件辅助的 **密钥部署和密钥恢复** 功能。它允许对密码密钥进行配置和使用，而无需将明文密钥材料存储在 flash、RAM 或 eFuse 中。密钥管理器适用于需要安全处理长期密码密钥的应用程序。
+{IDF_TARGET_NAME} 中的密钥管理器外设为加密密钥提供了硬件辅助的 **密钥部署和密钥恢复** 功能，用于配置和使用加密密钥，而无需将明文密钥内容存储在 flash、RAM 或 eFuse 中。
+
+密钥管理器适用于需要安全处理常驻加密密钥的应用程序。
 
 .. only:: esp32p4
 
@@ -23,7 +25,7 @@
 
 - **设备唯一性**
 
-  密钥通过加密手段绑定到硬件唯一密钥 (HUK)，而 HUK 对每个芯片都是唯一的。
+  密钥通过每块芯片独有的硬件唯一密钥 (HUK) 进行加密绑定。
 
 - **无明文密钥存储**
 
@@ -40,24 +42,24 @@
 硬件唯一密钥 (HUK)
 -------------------
 
-硬件唯一密钥 (HUK) 是完全由硬件 HUK 外设生成的设备专属唯一密钥。它通过 SRAM 物理不可克隆函数 (PUF) 生成，并使用存储在密钥管理器已部署密钥的密钥恢复信息中的 HUK 恢复信息进行重建。有关 HUK 外设的更多详情，请参阅 *{IDF_TARGET_NAME} 技术参考手册* > *密钥管理器章节* [`PDF <{IDF_TARGET_TRM_EN_URL}>`__] > *HUK Generator*。
+硬件唯一密钥 (HUK) 是完全由硬件 HUK 外设生成的设备专属密钥，源自 SRAM 物理不可克隆函数 (PUF)。重建 HUK 时，需要用到 HUK 恢复信息，该信息包含在密钥管理器为已部署密钥生成的密钥恢复信息中。有关 HUK 外设的更多信息，请参阅 **《{IDF_TARGET_NAME} 技术参考手册》** > **密钥管理器章节** [`PDF <{IDF_TARGET_TRM_CN_URL}>`__] > **HUK 生成器**。
 
 HUK 是所有通过密钥管理器部署的密钥的信任根。
 
-密钥部署与密钥恢复
-------------------
+密钥部署与恢复
+--------------
 
-密钥管理器在两个不同阶段中工作：
+密钥管理器分为两个不同的阶段运行：
 
 - **密钥部署**
 
-  密码密钥在芯片内部生成或被安全导入，并与 HUK 绑定。此步骤通常在生产阶段、首次启动时，或在应用程序运行时生成瞬态或持久密钥时执行。
+  加密密钥在芯片内部生成或被安全导入，并与 HUK 绑定。此步骤通常在生产阶段、首次启动时，或在应用程序运行并生成临时/持久密钥时执行。
 
 - **密钥恢复**
 
-  在后续启动过程中，密钥管理器部署的持久密钥使用之前生成的密钥恢复信息进行还原，而不会暴露密钥值。
+  在后续启动过程中，密钥管理器部署的持久密钥会使用先前生成的密钥恢复信息进行还原，而不会暴露密钥值。
 
-在部署过程中，密钥管理器生成一个称为 :cpp:type:`esp_key_mgr_key_recovery_info_t` 的数据结构。对于持久密钥，应用程序必须将此数据存储在非易失性存储器（例如 flash）中，以便在后续启动时恢复密钥。
+在部署过程中，密钥管理器生成 :cpp:type:`esp_key_mgr_key_recovery_info_t` 数据结构。对于持久密钥，应用程序必须将此数据保存在非易失性存储器（例如 flash）中，以便在后续启动时恢复密钥。
 
 支持的密钥类型
 --------------
@@ -67,12 +69,12 @@ HUK 是所有通过密钥管理器部署的密钥的信任根。
 .. list::
 
     :SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY: - ECDSA
-    :SOC_KEY_MANAGER_FE_KEY_DEPLOY: - Flash 加密 (XTS-AES)
+    :SOC_KEY_MANAGER_FE_KEY_DEPLOY: - flash 加密 (XTS-AES)
     :SOC_KEY_MANAGER_HMAC_KEY_DEPLOY: - HMAC
     :SOC_KEY_MANAGER_DS_KEY_DEPLOY: - 数字签名外设
     :SOC_KEY_MANAGER_FE_KEY_DEPLOY: - PSRAM 加密
 
-每个密钥都与一个 :cpp:type:`esp_key_mgr_key_purpose_t` 相关联，它定义了密钥如何被硬件外设使用。
+每个密钥都与一个 :cpp:type:`esp_key_mgr_key_purpose_t` 相关联，该类型定义了硬件外设如何使用密钥。
 
 密钥部署模式
 ------------
@@ -84,29 +86,29 @@ HUK 是所有通过密钥管理器部署的密钥的信任根。
 
 在此模式下，密钥管理器在内部生成一个随机私钥。
 
-- 应用程序软件不知道密钥值
-- 不需要外部密钥材料
-- 适用于不需要备份或导出密钥的场景
+- 应用程序软件无法获取密钥值。
+- 不需要外部密钥材料。
+- 适用于不需要备份或导出密钥的场景。
 
 AES 部署模式
 ^^^^^^^^^^^^
 
-在此模式下，用户指定的私钥被安全部署。
+在此模式下，可以安全部署用户指定的私钥。
 
-- 密钥在传输到芯片之前进行加密
-- 使用辅助密钥材料保护部署过程
-- 适用于需要预定义密钥值的工厂配置场景
+- 密钥在传输到芯片之前进行加密。
+- 使用辅助密钥材料保护部署过程。
+- 适用于需要预定义密钥值的出厂配置场景。
 
 ECDH0 部署模式
 ^^^^^^^^^^^^^^
 
 在此模式下，私钥通过椭圆曲线 Diffie-Hellman (ECDH) 协商生成。
 
-- 最终私钥不会被传输
-- 部署过程可以通过不受信任的信道进行
-- 适用于高安全性的配置环境
+- 最终私钥不会被传输。
+- 部署过程可以通过不受信任的信道进行。
+- 适用于高安全性的配置环境。
 
-有关各种部署模式的详细信息，请参阅 *{IDF_TARGET_NAME} 技术参考手册* > *密钥管理器章节* [`PDF <{IDF_TARGET_TRM_EN_URL}>`__] > *Key Manager*。
+有关各种部署模式的详细信息，请参阅 **《{IDF_TARGET_NAME} 技术参考手册》** > **密钥管理器章节** [`PDF <{IDF_TARGET_TRM_EN_URL}>`__] > **密钥管理器小节**。
 
 .. ECDH1 Deploy Mode
 .. ~~~~~~~~~~~~~~~~~
@@ -126,8 +128,8 @@ ECDH0 部署模式
 典型的配置流程包括：
 
 1. 生成硬件唯一密钥 (HUK)
-2. 使用适当的部署模式部署所需的密码密钥
-3. 将生成的 ``key_recovery_info`` 存储到非易失性存储器中
+2. 使用恰当的部署模式部署所需的加密密钥
+3. 将生成的 ``key_recovery_info`` 保存至非易失性存储器中
 4. 如有需要，锁定相关安全配置 eFuse
 
 此过程通常每台设备仅执行一次。
@@ -137,19 +139,19 @@ ECDH0 部署模式
 
 在正常启动过程中：
 
-1. 应用程序提供之前生成并存储的密钥管理器已部署密钥的 ``key_recovery_info``
+1. 应用程序提供先前由密钥管理器部署的密钥所生成的 ``key_recovery_info``
 2. HUK 由硬件自动重建
 3. 密钥管理器在内部恢复已部署的密钥
-4. 密码外设可以使用恢复的密钥
+4. 密码外设可以使用已恢复的密钥
 
 安全注意事项
 ------------
 
 使用密钥管理器的应用程序应注意以下事项：
 
-- 保护密钥管理器已部署密钥的 ``key_recovery_info``，防止未经授权的修改或丢失
-- 密钥部署成功后，锁定密钥管理器的安全相关 eFuse，以防止同类型密钥被重新部署
-- 除非有明确意图，否则在 Flash 加密已启用时，应避免部署新的 XTS-AES 密钥
+- 防止密钥管理器部署密钥的 ``key_recovery_info`` 遭受未授权的修改或丢失。
+- 密钥部署成功后，锁定密钥管理器安全相关的 eFuse，防止重新部署同类型密钥。
+- 除非明确需要，否则在已启用 flash 加密时，应避免部署新的 XTS-AES 密钥。
 
 API 参考
 --------
@@ -160,12 +162,10 @@ API 参考
 应用示例
 --------
 
-以下示例演示了如何使用密钥管理器进行密钥部署，以及如何使用已部署的密钥执行签名操作：
-
-请参阅 :example:`security/key_manager` 查看该示例。
+:example:`security/key_manager` 演示了如何使用密钥管理器进行密钥部署，以及如何使用已部署的密钥执行签名操作。
 
 该示例展示了如何：
 
 - 初始化密钥管理器
 - 使用 AES 部署模式部署密钥
-- 使用 PSA 接口通过密钥管理器已部署的密钥执行签名操作
+- 使用 PSA 接口通过密钥管理器部署的密钥执行签名操作

docs/zh_CN/security/flash-encryption.rst

@@ -26,7 +26,7 @@ flash 加密功能用于加密与 {IDF_TARGET_NAME} 搭载使用的片外 flash
 
 .. important::
 
-    对于生产用途，flash 加密仅应在“发布”模式下启用。
+    对于生产用途，flash 加密仅应在量产模式下启用。
 
 .. important::
 
@@ -52,8 +52,8 @@ flash 加密功能用于加密与 {IDF_TARGET_NAME} 搭载使用的片外 flash
 
 .. _flash-encryption-efuse:
 
-相关 eFuses
-------------------------------
+相关 eFuse
+----------
 
 flash 加密操作由 {IDF_TARGET_NAME} 上的多个 eFuse 控制，具体 eFuse 名称及其描述请参见下表。``espefuse`` 工具和基于 ``idf.py`` 的 eFuse 指令也会使用下表中的 eFuse 名。为了能在 eFuse API 中使用，请在名称前加上 ``ESP_EFUSE_``，如：esp_efuse_read_field_bit (ESP_EFUSE_DISABLE_DL_ENCRYPT)。
 
@@ -61,7 +61,7 @@ flash 加密操作由 {IDF_TARGET_NAME} 上的多个 eFuse 控制，具体 eFuse
 
 .. only:: not SOC_FLASH_ENCRYPTION_XTS_AES
 
-    .. list-table:: flash 加密过程中使用的 eFuses
+    .. list-table:: 用于 flash 加密的 eFuse
        :widths: 25 40 10
        :header-rows: 0
 
@@ -69,7 +69,7 @@ flash 加密操作由 {IDF_TARGET_NAME} 上的多个 eFuse 控制，具体 eFuse
          - **描述**
          - **位深**
        * - ``CODING_SCHEME``
-         - 控制用于产生最终 256 位 AES 密钥的 block1 的实际位数。可能的值：``0`` 代表 256 位，``1`` 代表 192 位，``2`` 代表 128 位。最终的 AES 密钥根据 ``FLASH_CRYPT_CONFIG`` 值得出。
+         - 控制用于产生最终 256 位 AES 密钥的 block1 的实际位数。可选值：``0`` 代表 256 位，``1`` 代表 192 位，``2`` 代表 128 位。最终的 AES 密钥根据 ``FLASH_CRYPT_CONFIG`` 值得出。
          - 2
        * - ``flash_encryption`` (block1)
          - AES 密钥存储。
@@ -86,16 +86,16 @@ flash 加密操作由 {IDF_TARGET_NAME} 上的多个 eFuse 控制，具体 eFuse
        * - ``{IDF_TARGET_CRYPT_CNT}``
          - 通过 :math:`2^n` 数字来表示 flash 的内容是否已被加密.
 
-           * 如果设置了奇数个比特位（例如 ``0b0000001`` 或 ``0b0000111``）, 表示 flash 的内容已加密。读取时，内容需要进行透明解密。
-           * 如果设置了偶数个比特位（例如 ``0b0000000`` 或 ``0b0000011``）, 表示 flash 的内容未被加密 (即明文)。
+           * 如果设置了奇数个比特位（例如 ``0b0000001`` 或 ``0b0000111``），表示 flash 的内容已加密。读取时，内容需要进行透明解密。
+           * 如果设置了偶数个比特位（例如 ``0b0000000`` 或 ``0b0000011``），表示 flash 的内容未被加密（即明文）。
 
-           随着每次连续的 flash 未加密（例如烧录一个新的未加密二进制文件）与进行 flash 加密（通过 :ref:`启动时启用 flash 加密功能 <CONFIG_SECURE_FLASH_ENC_ENABLED>` 选项）, ``{IDF_TARGET_CRYPT_CNT}`` 的下一个的最高有效位 (MSB) 会被设置。
+           每次进行未加密的 flash 更新（例如烧录新的未加密二进制文件），并通过 :ref:`启动时启用 flash 加密功能 <CONFIG_SECURE_FLASH_ENC_ENABLED>` 选项对 flash 进行加密后，``{IDF_TARGET_CRYPT_CNT}`` 的下一个最高有效位 (MSB) 会被置为 1。
          - 7
 
 
 .. only:: SOC_FLASH_ENCRYPTION_XTS_AES_256 and SOC_KEY_MANAGER_SUPPORTED
 
-    .. list-table:: flash 加密过程中使用的 eFuses
+    .. list-table:: 用于 flash 加密的 eFuse
        :widths: 25 40 10
        :header-rows: 0
 
@@ -103,27 +103,27 @@ flash 加密操作由 {IDF_TARGET_NAME} 上的多个 eFuse 控制，具体 eFuse
          - **描述**
          - **位深**
        * - ``BLOCK_KEYN``
-         - AES 密钥存储，N 在 0-5 之间。当使用基于密钥管理器的密钥时，此 eFuse 不被使用。
+         - AES 密钥存储，其中 N 在 0~5 之间。使用基于密钥管理器的密钥时，不会使用此 eFuse。
          - XTS_AES_128 有一个 256 位密钥块，XTS_AES_256 有两个 256 位密钥块（共 512 位）。
        * - ``KEY_PURPOSE_N``
-         - 控制 eFuse 块 ``BLOCK_KEYN`` 的目的，其中 N 在 0-5 之间。可能的值：``2`` 代表 ``XTS_AES_256_KEY_1``，``3`` 代表 ``XTS_AES_256_KEY_2``，``4`` 代表 ``XTS_AES_128_KEY``。最终 AES 密钥是基于其中一个或两个目的 eFuses 值推导。有关各种可能的组合，请参阅 *{IDF_TARGET_NAME} 技术参考手册* > *外部内存加密和解密（XTS_AES)* [`PDF <{IDF_TARGET_TRM_CN_URL}#extmemencr>`__]。使用基于密钥管理器的密钥启用 flash 加密时，此 eFuse 不被使用。
+         - 控制 eFuse 块 ``BLOCK_KEYN`` 的用途，其中 N 在 0~5 之间。可选值：``2`` 代表 ``XTS_AES_256_KEY_1``；``3`` 代表 ``XTS_AES_256_KEY_2``；``4`` 代表 ``XTS_AES_128_KEY``。最终 AES 密钥通过其中一个或两个用于指定密钥用途的 eFuse 字段值推导得出。有关各种可能的组合，请参阅 **《{IDF_TARGET_NAME} 技术参考手册》** > **片外存储器加密与解密 (XTS_AES)** [`PDF <{IDF_TARGET_TRM_CN_URL}#extmemencr>`__]。若使用基于密钥管理器的密钥启用 flash 加密，则不会使用此 eFuse 字段。
          - 4
        * - ``KM_XTS_KEY_LENGTH_256``
-         - 使用基于密钥管理器的密钥启用 flash 加密时，此 eFuse 用于控制 XTS-AES 密钥的长度。将此 eFuse 设置为 1 表示使用 128 位密钥，设置为 0 表示使用 256 位密钥。使用基于 eFuse 的密钥启用 flash 加密时，此 eFuse 字段不被使用。
+         - 使用基于密钥管理器的密钥启用 flash 加密时，此 eFuse 字段用于控制 XTS-AES 密钥的长度。将此 eFuse 字段设置为 1 表示使用 128 位密钥，设置为 0 表示使用 256 位密钥。若使用基于 eFuse 的密钥启用 flash 加密，则不会使用此 eFuse 字段。
          - 1
        * - ``FORCE_USE_KEY_MANAGER_KEY``
-         - 使用基于密钥管理器的密钥启用 flash 加密时，此 eFuse 用于强制密钥管理器使用 XTS-AES 密钥。将此 eFuse 的第 1 位设置为 1 以使用基于密钥管理器的密钥。使用基于 eFuse 的密钥启用 flash 加密时，此 eFuse 字段不被使用。
+         - 使用基于密钥管理器的密钥启用 flash 加密时，此 eFuse 用于强制密钥管理器使用 XTS-AES 密钥。将此 eFuse 的位 1 置为 1 以使用基于密钥管理器的密钥。若使用基于 eFuse 的密钥启用 flash 加密，则不会使用此 eFuse 字段。
          - 1
        * - ``DIS_DOWNLOAD_MANUAL_ENCRYPT``
          - 设置后，在下载启动模式下禁用 flash 加密。
          - 1
        * - ``{IDF_TARGET_CRYPT_CNT}``
-         - 设置 SPI 启动模式后，可启用加密和解密。如果在 eFuse 中设置了 1 或 3 个比特位，则启用该功能，否则将禁用。
+         - 设置 SPI 启动模式后，可启用加密和解密。如果在 eFuse 中设置了一个或三个位，则启用此功能，否则将禁用。
          - 3
 
 .. only:: SOC_FLASH_ENCRYPTION_XTS_AES_256 and not SOC_KEY_MANAGER_SUPPORTED
 
-    .. list-table:: flash 加密过程中使用的 eFuses
+    .. list-table:: 用于 flash 加密的 eFuse
        :widths: 25 40 10
        :header-rows: 0
 
@@ -131,21 +131,21 @@ flash 加密操作由 {IDF_TARGET_NAME} 上的多个 eFuse 控制，具体 eFuse
          - **描述**
          - **位深**
        * - ``BLOCK_KEYN``
-         - AES 密钥存储，N 在 0-5 之间。
+         - AES 密钥存储，其中 N 在 0~5 之间。
          - XTS_AES_128 有一个 256 位密钥块，XTS_AES_256 有两个 256 位密钥块（共 512 位）。
        * - ``KEY_PURPOSE_N``
-         - 控制 eFuse 块 ``BLOCK_KEYN`` 的目的，其中 N 在 0-5 之间。可能的值：``2`` 代表 ``XTS_AES_256_KEY_1``，``3`` 代表 ``XTS_AES_256_KEY_2``，``4`` 代表 ``XTS_AES_128_KEY``。最终 AES 密钥是基于其中一个或两个目的 eFuses 值推导。有关各种可能的组合，请参阅 *{IDF_TARGET_NAME} 技术参考手册* > *外部内存加密和解密（XTS_AES)* [`PDF <{IDF_TARGET_TRM_CN_URL}#extmemencr>`__]。
+         - 控制 eFuse 块 ``BLOCK_KEYN`` 的用途，其中 N 在 0~5 之间。可选值：``2`` 代表 ``XTS_AES_256_KEY_1``；``3`` 代表 ``XTS_AES_256_KEY_2``；``4`` 代表 ``XTS_AES_128_KEY``。最终 AES 密钥通过其中一个或两个用于指定密钥用途的 eFuse 字段值推导得出。有关各种可能的组合，请参阅 **《{IDF_TARGET_NAME} 技术参考手册》** > **片外存储器加密与解密 (XTS_AES)** [`PDF <{IDF_TARGET_TRM_CN_URL}#extmemencr>`__]。
          - 4
        * - ``DIS_DOWNLOAD_MANUAL_ENCRYPT``
          - 设置后，在下载启动模式下禁用 flash 加密。
          - 1
        * - ``{IDF_TARGET_CRYPT_CNT}``
-         - 设置 SPI 启动模式后，可启用加密和解密。如果在 eFuse 中设置了 1 或 3 个比特位，则启用该功能，否则将禁用。
+         - 设置 SPI 启动模式后，可启用加密和解密。如果在 eFuse 中设置了一个或三个位，则启用此功能，否则将禁用。
          - 3
 
 .. only:: SOC_FLASH_ENCRYPTION_XTS_AES_128 and not SOC_FLASH_ENCRYPTION_XTS_AES_256 and not SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK and SOC_KEY_MANAGER_SUPPORTED
 
-    .. list-table:: flash 加密过程中使用的 eFuses
+    .. list-table:: 用于 flash 加密的 eFuse
        :widths: 25 40 10
        :header-rows: 0
 
@@ -153,27 +153,27 @@ flash 加密操作由 {IDF_TARGET_NAME} 上的多个 eFuse 控制，具体 eFuse
          - **描述**
          - **位深**
        * - ``BLOCK_KEYN``
-         - AES 密钥存储，N 在 0-5 之间。当使用基于密钥管理器的密钥时，此 eFuse 不被使用。
+         - AES 密钥存储，其中 N 在 0~5 之间。使用基于密钥管理器的密钥时，不会使用此 eFuse。
          - 256 位密钥块。
        * - ``KEY_PURPOSE_N``
-         - 控制 eFuse 块 ``BLOCK_KEYN`` 的目的，其中 N 在 0 到 5 之间。对于 flash 加密，唯一的有效值是 4，代表 ``XTS_AES_128_KEY``。使用基于密钥管理器的密钥启用 flash 加密时，此 eFuse 不被使用。
+         - 控制 eFuse 块 ``BLOCK_KEYN`` 的用途，其中 N 在 0~5 之间。对于 flash 加密，唯一的有效值是 ``4``，代表 ``XTS_AES_128_KEY``。若使用基于密钥管理器的密钥启用 flash 加密，则不会使用此 eFuse 字段。
          - 4
        * - ``KM_XTS_KEY_LENGTH_256``
-         - 使用基于密钥管理器的密钥启用 flash 加密时，此 eFuse 用于控制 XTS-AES 密钥的长度。将此 eFuse 设置为 1 表示使用 128 位密钥，设置为 0 表示使用 256 位密钥。使用基于 eFuse 的密钥启用 flash 加密时，此 eFuse 字段不被使用。
+         - 使用基于密钥管理器的密钥启用 flash 加密时，此 eFuse 字段用于控制 XTS-AES 密钥的长度。将此 eFuse 字段设置为 1 表示使用 128 位密钥，设置为 0 表示使用 256 位密钥。若使用基于 eFuse 的密钥启用 flash 加密，则不会使用此 eFuse 字段。
          - 1
        * - ``FORCE_USE_KEY_MANAGER_KEY``
-         - 使用基于密钥管理器的密钥启用 flash 加密时，此 eFuse 用于强制密钥管理器使用 XTS-AES 密钥。将此 eFuse 的第 1 位设置为 1 以使用基于密钥管理器的密钥。使用基于 eFuse 的密钥启用 flash 加密时，此 eFuse 字段不被使用。
+         - 使用基于密钥管理器的密钥启用 flash 加密时，此 eFuse 用于强制密钥管理器使用 XTS-AES 密钥。将此 eFuse 的位 1 置为 1 以使用基于密钥管理器的密钥。若使用基于 eFuse 的密钥启用 flash 加密，则不会使用此 eFuse 字段。
          - 1
        * - ``DIS_DOWNLOAD_MANUAL_ENCRYPT``
-         - 设置后，则在下载引导模式时禁用 flash 加密。
+         - 设置后，在下载启动模式下禁用 flash 加密。
          - 1
        * - ``{IDF_TARGET_CRYPT_CNT}``
-         - 设置 SPI 启动模式后，可启用加密和解密。如果在 eFuse 中设置 1 或 3 个比特位，则启用该功能，否则将禁用。
+         - 设置 SPI 启动模式后，可启用加密和解密。如果在 eFuse 中设置了一个或三个位，则启用此功能，否则将禁用。
          - 3
 
 .. only:: SOC_FLASH_ENCRYPTION_XTS_AES_128 and not SOC_FLASH_ENCRYPTION_XTS_AES_256 and not SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK and not SOC_KEY_MANAGER_SUPPORTED
 
-    .. list-table:: flash 加密过程中使用的 eFuses
+    .. list-table:: 用于 flash 加密的 eFuse
        :widths: 25 40 10
        :header-rows: 0
 
@@ -181,21 +181,21 @@ flash 加密操作由 {IDF_TARGET_NAME} 上的多个 eFuse 控制，具体 eFuse
          - **描述**
          - **位深**
        * - ``BLOCK_KEYN``
-         - AES 密钥存储，N 在 0-5 之间。
+         - AES 密钥存储，N 在 0~5 之间。
          - 256 位密钥块
        * - ``KEY_PURPOSE_N``
-         - 控制 eFuse 块 ``BLOCK_KEYN`` 的目的，其中 N 在 0 到 5 之间。对于 flash 加密，唯一的有效值是 4，代表 ``XTS_AES_128_KEY``。
+         - 控制 eFuse 块 ``BLOCK_KEYN`` 的用途，其中 N 在 0~5 之间。对于 flash 加密，唯一的有效值是 ``4``，代表 ``XTS_AES_128_KEY``。
          - 4
        * - ``DIS_DOWNLOAD_MANUAL_ENCRYPT``
-         - 设置后，则在下载引导模式时禁用 flash 加密。
+         - 设置后，在下载引导模式时禁用 flash 加密。
          - 1
        * - ``{IDF_TARGET_CRYPT_CNT}``
-         - 设置 SPI 启动模式后，可启用加密和解密。如果在 eFuse 中设置 1 或 3 个比特位，则启用该功能，否则将禁用。
+         - 设置 SPI 启动模式后，可启用加密和解密。如果在 eFuse 中设置了一个或三个位，则启用此功能，否则将禁用。
          - 3
 
 .. only:: SOC_FLASH_ENCRYPTION_XTS_AES_128 and SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
 
-    .. list-table:: flash 加密过程中使用的 eFuses
+    .. list-table:: 用于 flash 加密的 eFuse
        :widths: 25 40 10
        :header-rows: 0
 
@@ -203,16 +203,16 @@ flash 加密操作由 {IDF_TARGET_NAME} 上的多个 eFuse 控制，具体 eFuse
          - **描述**
          - **位深**
        * - ``XTS_KEY_LENGTH_256``
-         - 控制用于得出最终 256 位 AES 密钥的 eFuse 比特的实际数量。可能的值：``1`` 使用 eFuse 块的全部 256 位作为密钥，``0`` 使用 eFuse 块的低 128 位作为密钥（高 128 位保留给安全启动密钥）。对于 128 位选项，最终的 AES 密钥会以 SHA256 (EFUSE_KEY0_FE_128BIT) 的形式得出。
+         - 控制用于产生最终 256 位 AES 密钥的 eFuse 位的实际数量。可选值：``1`` 使用 eFuse 块的全部 256 位作为密钥，``0`` 使用 eFuse 块的低 128 位作为密钥（高 128 位保留给安全启动密钥）。对于 128 位选项，最终的 AES 密钥会以 SHA256 (EFUSE_KEY0_FE_128BIT) 的形式得出。
          - 1
        * - ``BLOCK_KEY0``
          - AES 密钥存储
          - 256 位或 128 位密钥块
        * - ``DIS_DOWNLOAD_MANUAL_ENCRYPT``
-         - 设置后，则在下载引导模式时禁用 flash 加密。
+         - 设置后，在下载引导模式时禁用 flash 加密。
          - 1
        * - ``{IDF_TARGET_CRYPT_CNT}``
-         - 设置 SPI 启动模式后，可启用加密和解密。如果在 eFuse 中设置 1 或 3 个比特位，则启用该功能，否则将禁用。
+         - 设置 SPI 启动模式后，可启用加密和解密。如果在 eFuse 中设置了一个或三个位，则启用此功能，否则将禁用。
          - 3
 
 .. note::
@@ -237,11 +237,11 @@ flash 的加密过程
 
   1. 第一次开机复位时，flash 中的所有数据都是未加密的（明文）。一级 (ROM) 引导加载程序加载二级引导加载程序。
 
-  2. 二级引导加载程序将读取 ``{IDF_TARGET_CRYPT_CNT}`` eFuse 值 (``0b0000000``)。因为该值为 0（偶数位），二级引导加载程序将配置并启用 flash 加密块，同时将 ``FLASH_CRYPT_CONFIG`` eFuse 的值编程为 0xF。关于 flash 加密块的更多信息，请参考 *{IDF_TARGET_NAME} 技术参考手册* > *eFuse 控制器 (eFuse)* > *flash 加密块* [`PDF <{IDF_TARGET_TRM_CN_URL}#efuse>`__]。
+  2. 二级引导加载程序将读取 ``{IDF_TARGET_CRYPT_CNT}`` eFuse 值 (``0b0000000``)。因为该值为 0（偶数位），二级引导加载程序将配置并启用 flash 加密块，同时将 ``FLASH_CRYPT_CONFIG`` eFuse 的值编程为 0xF。关于 flash 加密块的更多信息，请参考 **《{IDF_TARGET_NAME} 技术参考手册》** > **eFuse 控制器 (eFuse)** > **flash 加密块** [`PDF <{IDF_TARGET_TRM_CN_URL}#efuse>`__]。
 
   3. 二级引导加载程序首先检查 eFuse 中是否已经存在有效密钥（例如用 espefuse 工具烧写的密钥），如果存在，则会跳过密钥生成，并将该密钥用于 flash 加密过程。否则，二级引导加载程序会使用 RNG（随机数发生器）模块生成一个 AES-256 位密钥，并将其写入 ``flash_encryption`` eFuse 中。由于已设置了 ``flash_encryption`` eFuse 的读保护位和写保护位，因此无法通过软件访问密钥。flash 加密操作完全在硬件中完成，无法通过软件访问密钥。
 
-  4. flash 加密块将加密 flash 的内容（二级引导加载程序、应用程序、以及标有 ``加密`` 标志的分区）。就地加密可能会耗些时间（对于大分区最多需要一分钟）。
+  4. flash 加密块会加密 flash 中的内容，包括二级引导加载程序、应用程序、以及带有 ``encrypted`` 标志的分区。就地加密需要一定时间，对于大分区来说最多需要一分钟。
 
   5. 二级引导加载程序将在 ``{IDF_TARGET_CRYPT_CNT}`` (0b0000001) 中设置第一个可用位来对已加密的 flash 内容进行标记。设置奇数个比特位。
 
@@ -255,15 +255,20 @@ flash 的加密过程
 
   1. 第一次开机复位时，flash 中的所有数据都是未加密的（明文）。一级 (ROM) 引导加载程序加载二级引导加载程序。
 
-  2. 二级引导加载程序将读取 ``{IDF_TARGET_CRYPT_CNT}`` eFuse 值 (``0b000``)。因为该值为 0（偶数位），二级引导加载程序将配置并启用 flash 加密块。关于 flash 加密块的更多信息，请参考 *{IDF_TARGET_NAME} 技术参考手册* > *eFuse 控制器 (eFuse)* > *手动加密块* [`PDF <{IDF_TARGET_TRM_CN_URL}#efuse>`__]。
+  2. 二级引导加载程序将读取 ``{IDF_TARGET_CRYPT_CNT}`` eFuse 值 (``0b000``)。因为该值为 0（偶数位），二级引导加载程序将配置并启用 flash 加密块。关于 flash 加密块的更多信息，请参阅 **《{IDF_TARGET_NAME} 技术参考手册》** > **eFuse 控制器 (eFuse)** > **手动加密块** [`PDF <{IDF_TARGET_TRM_CN_URL}#efuse>`__]。
 
-  3. 二级引导加载程序首先检查 eFuse 中是否已经存在有效密钥（例如用 espefuse 工具烧写的密钥）（若打算使用基于 eFuse 的密钥启用 flash 加密），或者检查 flash 内存地址 0x0 和 0x1000 处是否存在有效的密钥恢复信息（若打算使用基于密钥管理器的密钥启用 flash 加密），若存在则跳过密钥生成步骤，并将该密钥用于 flash 加密过程。
+  3. 第二阶段引导加载程序会先判断是否已存在可用的密钥，从而决定是否跳过密钥生成步骤：
 
-  4. 否则，如果使用基于 eFuse 的密钥，二级引导加载程序将使用 RNG（随机数发生器）模块生成 256 位或 512 位的密钥（具体位数取决于 :ref:`生成的 XTS-AES 密钥的大小 <CONFIG_SECURE_FLASH_ENCRYPTION_KEYSIZE>`），然后将其分别写入一个或两个 `BLOCK_KEYN` eFuse 中。软件也为存储密钥的块更新了 ``KEY_PURPOSE_N``。由于上述一个或两个 ``BLOCK_KEYN`` eFuse 已设置了读保护和写保护位，因此无法通过软件访问密钥。``KEY_PURPOSE_N`` 字段也受写保护。如果使用基于密钥管理器的密钥，二级引导加载程序则将密钥恢复信息写入 flash 内存地址 0x0，随后对 ``KM_XTS_KEY_LENGTH_256`` 和 ``FORCE_USE_KEY_MANAGER_KEY`` eFuse 进行编程。flash 加密操作完全在硬件中完成，无法通过软件访问密钥。
+    - 若使用基于 eFuse 的密钥启用 flash 加密，则检查 eFuse 中是否已存在有效密钥（例如通过 espefuse 工具烧录的密钥）。
+    - 若使用基于密钥管理器的密钥启用 flash 加密，则检查 flash 存储器的地址 0x0 和 0x1000 处是否存在有效的密钥恢复信息。
 
-  5. flash 加密块将加密 flash 的内容（二级引导加载程序、应用程序、以及标有”加密”标志的分区）。就地加密可能会耗些时间（对于大分区最多需要一分钟）。
+    检查通过，则跳过密钥生成过程，直接使用现有密钥进行 flash 加密。
 
-  6. 二级引导加载程序将在 ``{IDF_TARGET_CRYPT_CNT}`` (0b001) 中设置第一个可用位来对已加密的 flash 内容进行标记。设置奇数位。
+  4. 如果使用基于 eFuse 的密钥，二级引导加载程序将使用 RNG（随机数发生器）模块生成 256 位或 512 位的密钥（具体位数取决于 :ref:`生成的 XTS-AES 密钥的大小 <CONFIG_SECURE_FLASH_ENCRYPTION_KEYSIZE>`），然后将其分别写入一个或两个 ``BLOCK_KEYN`` eFuse 块中。软件也为存储密钥的块更新了 ``KEY_PURPOSE_N``。由于上述一个或两个 ``BLOCK_KEYN`` eFuse 块已设置了读写保护位，因此无法通过软件访问密钥。``KEY_PURPOSE_N`` 字段也受写保护。如果使用基于密钥管理器的密钥，二级引导加载程序则将密钥恢复信息写入 flash 内存地址 0x0，随后烧录 ``KM_XTS_KEY_LENGTH_256`` 和 ``FORCE_USE_KEY_MANAGER_KEY`` eFuse 字段。flash 加密操作全部在硬件中完成，因此无法通过软件访问密钥。
+
+  5. flash 加密块会加密 flash 中的内容，包括二级引导加载程序、应用程序、以及带有 ``encrypted`` 标志的分区。就地加密需要一定时间，对于大分区来说最多需要一分钟。
+
+  6. 二级引导加载程序将 ``{IDF_TARGET_CRYPT_CNT}`` (0b001) 中的第一个可用位设置为 1，以标记 flash 内容为加密状态，此时位数为奇数。
 
   7. 对于 :ref:`flash-enc-development-mode`，二级引导加载程序允许 UART 引导加载程序重新烧录加密后的二进制文件。同时，``{IDF_TARGET_CRYPT_CNT}`` eFuse 位不受写入保护。此外，二级引导加载程序默认置位以下 eFuse 位：
 
@@ -275,15 +280,15 @@ flash 的加密过程
       - ``HARD_DIS_JTAG``
       - ``DIS_LEGACY_SPI_BOOT``
 
-  8. 对于 :ref:`flash-enc-release-mode`，二级引导加载程序设置所有在开发模式下设置的 eFuse 位以及 ``DIS_DOWNLOAD_MANUAL_ENCRYPT``。它还写保护 ``{IDF_TARGET_CRYPT_CNT}`` eFuse 位。要修改此行为，请参阅 :ref:`uart-bootloader-encryption`。
+  8. 对于 :ref:`flash-enc-release-mode`，二级引导加载程序设置所有在开发模式下设置的 eFuse 位以及 ``DIS_DOWNLOAD_MANUAL_ENCRYPT``，同时写保护 ``{IDF_TARGET_CRYPT_CNT}`` eFuse 位。若要修改此行为，请参阅 :ref:`uart-bootloader-encryption`。
 
-  9. 重新启动设备以开始执行加密镜像。二级引导加载程序调用 flash 解密块来解密 flash 内容，然后将解密的内容加载到 IRAM 中。
+  9. 重新启动设备以开始执行加密镜像。二级引导加载程序调用 flash 解密块来解密 flash 内容，然后将解密后的内容加载到 IRAM 中。
 
 .. only:: SOC_FLASH_ENCRYPTION_XTS_AES_256 and not SOC_KEY_MANAGER_SUPPORTED
 
   1. 第一次开机复位时，flash 中的所有数据都是未加密的（明文）。一级 (ROM) 引导加载程序加载二级引导加载程序。
 
-  2. 二级引导加载程序将读取 ``{IDF_TARGET_CRYPT_CNT}`` eFuse 值 (``0b000``)。因为该值为 0（偶数位），二级引导加载程序将配置并启用 flash 加密块。关于 flash 加密块的更多信息，请参考 *{IDF_TARGET_NAME} 技术参考手册* > *eFuse 控制器 (eFuse)* > *自动加密块* [`PDF <{IDF_TARGET_TRM_CN_URL}#efuse>`__]。
+  2. 二级引导加载程序将读取 ``{IDF_TARGET_CRYPT_CNT}`` eFuse 值 (``0b000``)。因为该值为 0（偶数位），二级引导加载程序将配置并启用 flash 加密块。关于 flash 加密块的更多信息，请参考 **《{IDF_TARGET_NAME} 技术参考手册》** > **eFuse 控制器 (eFuse)** > **自动加密块** [`PDF <{IDF_TARGET_TRM_CN_URL}#efuse>`__]。
 
   3. 二级引导加载程序首先检查 eFuse 中是否已经存在有效密钥（例如用 espefuse 工具烧写的密钥），如果存在，则会跳过密钥生成，并将该密钥用于 flash 加密过程。否则，二级引导加载程序使用 RNG（随机数发生器）模块生成一个 256 位或 512 位的密钥，具体位数取决于 :ref:`生成的 XTS-AES 密钥的大小 <CONFIG_SECURE_FLASH_ENCRYPTION_KEYSIZE>`，然后将其分别写入一个或两个 `BLOCK_KEYN` eFuse 中。软件也为存储密钥的块更新了 ``KEY_PURPOSE_N``。由于上述一个或两个 ``BLOCK_KEYN`` eFuse 已设置了读保护和写保护位，因此无法通过软件访问密钥。``KEY_PURPOSE_N`` 字段也受写保护。flash 加密操作完全在硬件中完成，无法通过软件访问密钥。
 
@@ -309,41 +314,46 @@ flash 的加密过程
 
   1. 第一次开机复位时，flash 中的所有数据都是未加密的（明文）。一级 (ROM) 引导加载程序加载二级引导加载程序。
 
-  2. 二级引导加载程序将读取 ``{IDF_TARGET_CRYPT_CNT}`` eFuse 值 (``0b000``)。因为该值为 0（偶数位），二级引导加载程序将配置并启用 flash 加密块。关于 flash 加密块的更多信息，请参考 `{IDF_TARGET_NAME} 技术参考手册 <{IDF_TARGET_TRM_CN_URL}>`_。
+  2. 二级引导加载程序将读取 ``{IDF_TARGET_CRYPT_CNT}`` eFuse 值 (``0b000``)。因为该值为 0（偶数位），二级引导加载程序将配置并启用 flash 加密块。关于 flash 加密块的更多信息，请参阅 `{IDF_TARGET_NAME} 技术参考手册 <{IDF_TARGET_TRM_CN_URL}>`_。
 
-  3. 二级引导加载程序首先检查 eFuse 中是否已经存在有效密钥（例如用 espefuse 工具烧写的密钥）（若打算使用基于 eFuse 的密钥启用 flash 加密），或者检查 flash 内存地址 0x0 和 0x1000 处是否存在有效的密钥恢复信息（若打算使用基于密钥管理器的密钥启用 flash 加密），若存在则跳过密钥生成步骤，并将该密钥用于 flash 加密过程。
+  3. 第二阶段引导加载程序会先判断是否已存在可用的密钥，从而决定是否跳过密钥生成步骤：
 
-  4. 否则，如果使用基于 eFuse 的密钥，二级引导加载程序将使用 RNG（随机数发生器）模块生成一个 256 位密钥，然后将其写入一个 `BLOCK_KEYN` eFuse。软件也为存储密钥的块更新了 ``KEY_PURPOSE_N``。由于该 ``BLOCK_KEYN`` eFuse 已设置了读保护和写保护位，因此无法通过软件访问密钥。``KEY_PURPOSE_N`` 字段也受写保护。如果使用基于密钥管理器的密钥，二级引导加载程序则将密钥恢复信息写入 flash 内存地址 0x0，随后对 ``KM_XTS_KEY_LENGTH_256`` 和 ``FORCE_USE_KEY_MANAGER_KEY`` eFuse 进行编程。flash 加密操作完全在硬件中完成，无法通过软件访问密钥。
+    - 若使用基于 eFuse 的密钥启用 flash 加密，则检查 eFuse 中是否已存在有效密钥（例如通过 espefuse 工具烧录的密钥）。
+    - 若使用基于密钥管理器的密钥启用 flash 加密，则检查 flash 存储器的地址 0x0 和 0x1000 处是否存在有效的密钥恢复信息。
 
-  5. flash 加密块将加密 flash 的内容（二级引导加载程序、应用程序、以及标有”加密”标志的分区）。就地加密可能会耗些时间（对于大分区最多需要一分钟）。
+    检查通过，则跳过密钥生成过程，直接使用现有密钥进行 flash 加密。
 
-  6. 二级引导加载程序将在 ``{IDF_TARGET_CRYPT_CNT}`` (0b001) 中设置第一个可用位来对已加密的 flash 内容进行标记。设置奇数位。
+  4. 如果使用基于 eFuse 的密钥，二级引导加载程序将使用 RNG（随机数发生器）模块生成一个 256 位密钥，然后将其写入 ``BLOCK_KEYN`` eFuse 块。软件也为存储密钥的块更新了 ``KEY_PURPOSE_N``。该 ``BLOCK_KEYN`` eFuse 已设置了读写保护位，因此无法通过软件访问密钥。``KEY_PURPOSE_N`` 字段也受写保护。如果使用基于密钥管理器的密钥，二级引导加载程序则将密钥恢复信息写入 flash 内存地址 0x0，随后烧录 ``KM_XTS_KEY_LENGTH_256`` 和 ``FORCE_USE_KEY_MANAGER_KEY`` eFuse 字段。flash 加密操作全部在硬件中完成，因此无法通过软件访问密钥。
 
-  7. 对于 :ref:`flash-enc-development-mode`，二级引导加载程序允许 UART 引导加载程序重新烧录加密后的二进制文件。同时，``{IDF_TARGET_CRYPT_CNT}`` eFuse 位不受写入保护。此外，默认情况下，二级引导加载程序设置 ``DIS_DOWNLOAD_ICACHE``、 ``DIS_PAD_JTAG``、 ``DIS_USB_JTAG`` 和 ``DIS_LEGACY_SPI_BOOT`` eFuse 位。
+  5. flash 加密块会加密 flash 中的内容，包括二级引导加载程序、应用程序、以及带有 ``encrypted`` 标志的分区。就地加密需要一定时间，对于大分区来说最多需要一分钟。
 
-  8. 对于 :ref:`flash-enc-release-mode`，二级引导加载程序设置所有在开发模式下设置的 eFuse 位以及 ``DIS_DOWNLOAD_MANUAL_ENCRYPT``。它还写保护 ``{IDF_TARGET_CRYPT_CNT}`` eFuse 位。要修改此行为，请参阅 :ref:`uart-bootloader-encryption`。
+  6. 二级引导加载程序将 ``{IDF_TARGET_CRYPT_CNT}`` (0b001) 中的第一个可用位设置为 1，以标记 flash 内容为加密状态，此时位数为奇数。
 
-  9. 重新启动设备以开始执行加密镜像。二级引导加载程序调用 flash 解密块来解密 flash 内容，然后将解密的内容加载到 IRAM 中。
+  7. 对于 :ref:`flash-enc-development-mode`，二级引导加载程序允许 UART 引导加载程序重新烧录加密后的二进制文件。同时，``{IDF_TARGET_CRYPT_CNT}`` eFuse 位不受写入保护。此外，二级引导加载程序默认置位 ``DIS_DOWNLOAD_ICACHE``、 ``DIS_PAD_JTAG``、 ``DIS_USB_JTAG`` 和 ``DIS_LEGACY_SPI_BOOT``。
+
+  8. 对于 :ref:`flash-enc-release-mode`，二级引导加载程序设置所有在开发模式下设置的 eFuse 位以及 ``DIS_DOWNLOAD_MANUAL_ENCRYPT``，同时写保护 ``{IDF_TARGET_CRYPT_CNT}`` eFuse 位。要修改此行为，请参阅 :ref:`uart-bootloader-encryption`。
+
+  9. 重新启动设备以开始执行加密镜像。二级引导加载程序调用 flash 解密块来解密 flash 内容，然后将解密后的内容加载到 IRAM 中。
 
 .. only:: SOC_FLASH_ENCRYPTION_XTS_AES_128 and not SOC_FLASH_ENCRYPTION_XTS_AES_256 and not SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
 
   1. 第一次开机复位时，flash 中的所有数据都是未加密的（明文）。一级 (ROM) 引导加载程序加载二级引导加载程序。
 
-  2. 二级引导加载程序将读取 ``{IDF_TARGET_CRYPT_CNT}`` eFuse 值 (``0b000``)。因为该值为 0（偶数位），二级引导加载程序将配置并启用 flash 加密块。关于 flash 加密块的更多信息，请参考 `{IDF_TARGET_NAME} 技术参考手册 <{IDF_TARGET_TRM_CN_URL}>`_。
+  2. 二级引导加载程序将读取 ``{IDF_TARGET_CRYPT_CNT}`` eFuse 值 (``0b000``)。因为该值为 0（偶数位），二级引导加载程序将配置并启用 flash 加密块。关于 flash 加密块的更多信息，请参阅 `{IDF_TARGET_NAME} 技术参考手册 <{IDF_TARGET_TRM_CN_URL}>`_。
 
-  3. 二级引导加载程序首先检查 eFuse 中是否已经存在有效密钥（例如用 espefuse 工具烧写的密钥），如果存在，则会跳过密钥生成，并将该密钥用于 flash 加密过程。
+  3. 二级引导加载程序会先判断 eFuse 中是否已经存在有效密钥（例如用 espefuse 工具烧录的密钥），如果存在，则会跳过密钥生成，直接使用现有密钥进行 flash 加密。
 
-  4. 否则，二级引导加载程序使用 RNG（随机数发生器）模块生成 256 位密钥，然后将其写入 `BLOCK_KEYN` eFuse。软件也为存储密钥的块更新了 ``KEY_PURPOSE_N``。由于 ``BLOCK_KEYN`` eFuse 已设置了读保护和写保护位，因此无法通过软件访问密钥。``KEY_PURPOSE_N`` 字段也受写保护。flash 加密操作完全在硬件中完成，无法通过软件访问密钥。
+  4. 如果 eFuse 中不存在可用密钥，则二级引导加载程序使用 RNG（随机数发生器）模块生成 256 位密钥，然后将其写入 ``BLOCK_KEYN`` eFuse。软件也为存储密钥的块更新了 ``KEY_PURPOSE_N``。``BLOCK_KEYN`` eFuse 已设置了读写保护位，因此无法通过软件访问密钥。``KEY_PURPOSE_N`` 字段也受写保护。flash 加密操作全部在硬件中完成，因此无法通过软件访问密钥。
 
-  5. flash 加密块将加密 flash 的内容（二级引导加载程序、应用程序、以及标有”加密”标志的分区）。就地加密可能会耗些时间（对于大分区最多需要一分钟）。
+  5. flash 加密块会加密 flash 中的内容，包括二级引导加载程序、应用程序、以及带有 ``encrypted`` 标志的分区。就地加密需要一定时间，对于大分区来说最多需要一分钟。
 
-  6. 二级引导加载程序将在 ``{IDF_TARGET_CRYPT_CNT}`` (0b001) 中设置第一个可用位来对已加密的 flash 内容进行标记。设置奇数位。
+  6. 二级引导加载程序将 ``{IDF_TARGET_CRYPT_CNT}`` (0b001) 中的第一个可用位设置为 1，以标记 flash 内容为加密状态，此时位数为奇数。
 
-  7. 对于 :ref:`flash-enc-development-mode`，二级引导加载程序允许 UART 引导加载程序重新烧录加密后的二进制文件。同时，``{IDF_TARGET_CRYPT_CNT}`` eFuse 位不受写入保护。此外，默认情况下，二级引导加载程序设置 ``DIS_DOWNLOAD_ICACHE``、 ``DIS_PAD_JTAG``、 ``DIS_USB_JTAG`` 和 ``DIS_LEGACY_SPI_BOOT`` eFuse 位。
+  7. 对于 :ref:`flash-enc-development-mode`，二级引导加载程序允许 UART 引导加载程序重新烧录加密后的二进制文件。同时，``{IDF_TARGET_CRYPT_CNT}`` eFuse 位不受写入保护。此外，二级引导加载程序默认置位 ``DIS_DOWNLOAD_ICACHE``、 ``DIS_PAD_JTAG``、 ``DIS_USB_JTAG`` 和 ``DIS_LEGACY_SPI_BOOT``。
 
-  8. 对于 :ref:`flash-enc-release-mode`，二级引导加载程序设置所有在开发模式下设置的 eFuse 位以及 ``DIS_DOWNLOAD_MANUAL_ENCRYPT``。它还写保护 ``{IDF_TARGET_CRYPT_CNT}`` eFuse 位。要修改此行为，请参阅 :ref:`uart-bootloader-encryption`。
+  8. 对于 :ref:`flash-enc-release-mode`，二级引导加载程序设置所有在开发模式下设置的 eFuse 位以及 ``DIS_DOWNLOAD_MANUAL_ENCRYPT``，同时写保护 ``{IDF_TARGET_CRYPT_CNT}`` eFuse 位。要修改此行为，请参阅 :ref:`uart-bootloader-encryption`。
 
-  9. 重新启动设备以开始执行加密镜像。二级引导加载程序调用 flash 解密块来解密 flash 内容，然后将解密的内容加载到 IRAM 中。
+  9. 重新启动设备以开始执行加密镜像。二级引导加载程序调用 flash 解密块来解密 flash 内容，然后将解密后的内容加载到 IRAM 中。
 
 .. only:: SOC_FLASH_ENCRYPTION_XTS_AES_128 and SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
 
@@ -407,11 +417,11 @@ flash 加密设置
     :esp32: - :ref:`选择 UART ROM 下载模式 <CONFIG_SECURE_UART_ROM_DL_MODE>` （默认是 **启用**）。请注意，对于 ESP32 芯片，该选项仅在 :ref:`CONFIG_ESP32_REV_MIN` 级别设置为 3 时 (ESP32 V3) 可用。
     :not esp32: - :ref:`选择 UART ROM 下载模式 <CONFIG_SECURE_UART_ROM_DL_MODE>` （默认是 **启用**）。
     :SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS: - 设置 :ref:`生成的 XTS-AES 密钥大小 <CONFIG_SECURE_FLASH_ENCRYPTION_KEYSIZE>`。
-    :SOC_KEY_MANAGER_SUPPORTED: - :ref:`选择 Flash 加密密钥的密钥来源 <CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE>`。
+    :SOC_KEY_MANAGER_SUPPORTED: - :ref:`选择 flash 加密密钥的来源 <CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE>`。
     - :ref:`选择适当详细程度的引导加载程序日志 <CONFIG_BOOTLOADER_LOG_LEVEL>`。
     - 保存配置并退出。
 
-启用 flash 加密将增大引导加载程序，因而可能需更新分区表偏移量。请参考 :ref:`引导加载程序大小 <bootloader-size>`。
+  启用 flash 加密将增大引导加载程序，因而可能需更新分区表偏移量。请参考 :ref:`引导加载程序大小 <bootloader-size>`。
 
 3. 运行以下命令来构建和烧录完整的镜像。
 
@@ -423,29 +433,29 @@ flash 加密设置
 
        这个命令不包括任何应该写入 flash 分区的用户文件。请在运行此命令前手动写入这些文件，否则在写入前应单独对这些文件进行加密。
 
-该命令将向 flash 写入未加密的镜像：二级引导加载程序、分区表和应用程序。烧录完成后，{IDF_TARGET_NAME} 将复位。在下一次启动时，二级引导加载程序会加密：二级引导加载程序、应用程序分区和标记为”加密”的分区，然后复位。就地加密可能需要时间，对于大分区最多需要一分钟。之后，应用程序在运行时解密并执行命令。
+  该命令将向 flash 写入未加密的镜像：二级引导加载程序、分区表和应用程序。烧录完成后，{IDF_TARGET_NAME} 将复位。在下一次启动时，二级引导加载程序会加密：二级引导加载程序、应用程序分区和标记为 ``encrypted`` 分区，然后复位。就地加密可能需要时间，对于大分区最多需要一分钟。之后，应用程序在运行时解密并执行。
 
 .. only:: SOC_KEY_MANAGER_SUPPORTED
 
-  下面是使用基于密钥管理器的密钥启用 flash 加密后 {IDF_TARGET_NAME} 首次启动时的样例输出：
+  下面是使用基于密钥管理器的密钥启用 flash 加密后，{IDF_TARGET_NAME} 首次启动时的样例输出：
 
   .. include:: {IDF_TARGET_PATH_NAME}_log.inc
     :start-after: first_boot_enc_km
     :end-before: ------
 
-  下面是 {IDF_TARGET_NAME} 后续启动时的样例输出，仅说明 flash 加密已启用（ESP-ROM 日志会提示正在使用基于密钥管理器的密钥）：
+  下面是 {IDF_TARGET_NAME} 后续启动时的样例输出，说明 flash 加密已启用（ESP-ROM 日志会提示正在使用基于密钥管理器的密钥）：
 
   .. include:: {IDF_TARGET_PATH_NAME}_log.inc
     :start-after: already_en_enc_km
     :end-before: ------
 
-下面是使用基于 eFuse 的密钥启用 flash 加密后 {IDF_TARGET_NAME} 首次启动时的样例输出：
+下面是使用基于 eFuse 的密钥启用 flash 加密后，{IDF_TARGET_NAME} 首次启动时的样例输出：
 
 .. include:: {IDF_TARGET_PATH_NAME}_log.inc
    :start-after: first_boot_enc
    :end-before: ------
 
-启用 flash 加密后，在下次启动时输出将显示已启用 flash 加密，样例输出如下：
+下面是 {IDF_TARGET_NAME} 后续启动时的样例输出，说明 flash 加密已启用
 
 .. include:: {IDF_TARGET_PATH_NAME}_log.inc
    :start-after: already_en_enc
@@ -459,7 +469,7 @@ flash 加密设置
 使用主机生成的密钥
 """"""""""""""""""""""""
 
-可在主机中预生成 flash 加密密钥，并将其编程到设备中。这样，无需明文 flash 更新便可以在主机上预加密数据并将其烧录。该功能可在 :ref:`flash-enc-development-mode` 和 :ref:`flash-enc-release-mode` 两模式下使用。如果没有预生成的密钥，数据将以明文形式烧录，然后 {IDF_TARGET_NAME} 对数据进行就地加密。
+可在主机中预生成 flash 加密密钥，并将其烧录到设备中。这样，无需明文 flash 更新便可以在主机上预加密数据并将其烧录。该功能可在 :ref:`flash-enc-development-mode` 和 :ref:`flash-enc-release-mode` 两模式下使用。如果没有预生成的密钥，数据将以明文形式烧录，然后 {IDF_TARGET_NAME} 对数据进行就地加密。
 
 .. note::
 
@@ -471,7 +481,7 @@ flash 加密设置
 
        请注意， {IDF_TARGET_NAME} 只有一个 eFuse 密钥块，同时用于安全启动和 flash 加密密钥。因此，如果使用了安全启动密钥，则主机生成的 flash 加密密钥必须与安全启动密钥一起写入，否则将无法使用安全启动。
 
-使用主机生成的密钥需完成以下步骤：
+如需使用主机生成的密钥并将其烧录至设备的 eFuse 中，请完成以下步骤：
 
 1. 确保你的 {IDF_TARGET_NAME} 设备有 :ref:`flash-encryption-efuse` 中所示的 flash 加密 eFuse 的默认设置。
 
@@ -590,12 +600,12 @@ flash 加密设置
 
 4. 在 :ref:`项目配置菜单 <project-configuration-menu>` 中进行如下设置：
 
-    - :ref:`启动时启用 flash 加密功能 <CONFIG_SECURE_FLASH_ENC_ENABLED>`
-    - :ref:`选择加密模式 <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` （默认为 **开发模式**）
-    - :ref:`选择适当详细程度的引导加载程序日志 <CONFIG_BOOTLOADER_LOG_LEVEL>`
-    - 保存配置并退出
+   - :ref:`启动时启用 flash 加密功能 <CONFIG_SECURE_FLASH_ENC_ENABLED>`
+   - :ref:`选择加密模式 <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` （默认为 **开发模式**）
+   - :ref:`选择适当详细程度的引导加载程序日志 <CONFIG_BOOTLOADER_LOG_LEVEL>`
+   - 保存配置并退出
 
-启用 flash 加密将增大引导加载程序，因而可能需更新分区表偏移量。请参考 :ref:`引导加载程序大小 <bootloader-size>`。
+  启用 flash 加密将增大引导加载程序，因而可能需更新分区表偏移量。请参考 :ref:`引导加载程序大小 <bootloader-size>`。
 
 5. 运行以下命令来构建并烧录完整的镜像：
 
@@ -607,7 +617,73 @@ flash 加密设置
 
       这个命令不包括任何应该被写入 flash 上的分区的用户文件。请在运行此命令前手动写入这些文件，否则在写入前应单独对这些文件进行加密。
 
-  该命令将向 flash 写入未加密的镜像：二级引导加载程序、分区表和应用程序。烧录完成后，{IDF_TARGET_NAME} 将复位。在下一次启动时，二级引导加载程序会加密：二级引导加载程序、应用程序分区和标记为 ``加密`` 的分区，然后复位。就地加密可能需要时间，对于大的分区来说可能耗时一分钟。之后，应用程序在运行时被解密并执行。
+  该命令将向 flash 写入未加密的镜像：二级引导加载程序、分区表和应用程序。烧录完成后，{IDF_TARGET_NAME} 将复位。在下一次启动时，二级引导加载程序会加密：二级引导加载程序、应用程序分区和标记为 ``encrypted`` 的分区，然后复位。就地加密可能需要时间，对于大的分区来说可能耗时一分钟。之后，应用程序在运行时被解密并执行。
+
+.. only:: SOC_KEY_MANAGER_SUPPORTED
+
+  如需使用主机生成的密钥并将其部署至设备的密钥管理器，请完成以下步骤：
+
+  1. 确保你的 {IDF_TARGET_NAME} 设备有 :ref:`flash-encryption-efuse` 中所示的 flash 加密 eFuse 的默认设置。
+
+    请参考如何检查 :ref:`flash-encryption-status`。
+
+  2. 通过运行以下命令生成一个随机密钥：
+
+    .. only:: SOC_FLASH_ENCRYPTION_XTS_AES_256
+
+        如果 :ref:`生成的 XTS-AES 密钥大小 <CONFIG_SECURE_FLASH_ENCRYPTION_KEYSIZE>` 是 AES-128（256 位密钥）：
+
+        .. code-block:: bash
+
+            idf.py secure-generate-flash-encryption-key my_flash_encryption_key.bin
+
+        如果 :ref:`生成的 XTS-AES 密钥大小 <CONFIG_SECURE_FLASH_ENCRYPTION_KEYSIZE>` 是 AES-256（512 位密钥）：
+
+        .. code-block:: bash
+
+            idf.py secure-generate-flash-encryption-key --keylen 512 my_flash_encryption_key.bin
+
+
+    .. only:: SOC_FLASH_ENCRYPTION_XTS_AES_128 and not SOC_FLASH_ENCRYPTION_XTS_AES_256 and not SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
+
+        .. code-block:: bash
+
+            idf.py secure-generate-flash-encryption-key my_flash_encryption_key.bin
+
+
+  3. **在首次加密启动前**，使用密钥管理器的 AES 部署模式，通过初始化密钥和辅助密钥将密钥部署到设备的密钥管理器中。
+
+  4. 部署过程将为已部署的密钥生成密钥恢复信息。使用以下命令将该信息存储到 flash 地址 0x0 处：
+
+    .. code-block:: bash
+
+        esptool --port PORT --baud BAUD write-flash 0x0 key_recovery_info.bin
+
+    如果未部署密钥就在启用 flash 加密后启动设备，{IDF_TARGET_NAME} 将生成并部署一个软件无法访问或修改的随机密钥。
+
+    .. note::
+
+        上述命令不包括任何应该被写入 flash 分区的用户文件。请在运行此命令前手动写入这些文件，或者在写入前单独对这些文件进行加密。
+
+  5. 在 :ref:`project-configuration-menu` 中进行如下设置：
+
+     - :ref:`启动时启用 flash 加密功能 <CONFIG_SECURE_FLASH_ENC_ENABLED>`
+     - :ref:`选择加密模式 <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` （默认为 **开发模式**）
+     - :ref:`选择 flash 加密密钥来源为密钥管理器 <CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE>`
+     - :ref:`选择适当详细程度的引导加载程序日志 <CONFIG_BOOTLOADER_LOG_LEVEL>`
+     - 保存配置并退出。
+
+    启用 flash 加密将增大引导加载程序，因而可能需更新分区表偏移量。详情请参阅 :ref:`bootloader-size`。
+
+  6. 运行以下命令来构建并烧录完整的镜像：
+
+    .. code-block:: bash
+
+        idf.py flash monitor
+
+    .. note::
+
+        上述命令不包括任何应该被写入 flash 分区的用户文件。请在运行此命令前手动写入这些文件，或者在写入前单独对这些文件进行加密。
 
 如果使用开发模式，那么更新和重新烧录二进制文件最简单的方法是 :ref:`encrypt-partitions`。
 
@@ -661,7 +737,7 @@ flash 加密设置
     - :ref:`选择适当详细程度的引导加载程序日志级别 <CONFIG_BOOTLOADER_LOG_LEVEL>`。
     - 保存配置并退出。
 
-启用 flash 加密将增大引导加载程序，因而可能需更新分区表偏移量。请参考 :ref:`引导加载程序大小 <bootloader-size>`。
+    启用 flash 加密将增大引导加载程序，因而可能需更新分区表偏移量。请参考 :ref:`引导加载程序大小 <bootloader-size>`。
 
 3. 运行以下命令来构建并烧录完整的镜像：
 
@@ -674,73 +750,7 @@ flash 加密设置
 
       这个命令不包括任何应该被写入 flash 分区的用户文件。请在运行此命令前手动写入这些文件，否则在写入前应单独对这些文件进行加密。
 
-  该命令将向 flash 写入未加密的镜像：二级引导加载程序、分区表和应用程序。烧录完成后，{IDF_TARGET_NAME} 将复位。在下一次启动时，二级引导加载程序会加密：二级引导加载程序、应用程序分区和标记为 ``加密`` 的分区，然后复位。就地加密可能需要时间，对于大的分区来说可能耗时一分钟。之后，应用程序在运行时被解密并执行。
-
-.. only:: SOC_KEY_MANAGER_SUPPORTED
-
-  如需使用主机生成的密钥并将其部署到设备的密钥管理器，请完成以下步骤：
-
-  1. 确保你的 {IDF_TARGET_NAME} 设备有 :ref:`flash-encryption-efuse` 中所示的 flash 加密 eFuse 的默认设置。
-
-    请参考如何检查 :ref:`flash-encryption-status`。
-
-  2. 通过运行以下命令生成一个随机密钥：
-
-    .. only:: SOC_FLASH_ENCRYPTION_XTS_AES_256
-
-        如果 :ref:`生成的 XTS-AES 密钥大小 <CONFIG_SECURE_FLASH_ENCRYPTION_KEYSIZE>` 是 AES-128（256 位密钥）：
-
-        .. code-block:: bash
-
-            idf.py secure-generate-flash-encryption-key my_flash_encryption_key.bin
-
-        否则如果 :ref:`生成的 XTS-AES 密钥大小 <CONFIG_SECURE_FLASH_ENCRYPTION_KEYSIZE>` 是 AES-256（512 位密钥）：
-
-        .. code-block:: bash
-
-            idf.py secure-generate-flash-encryption-key --keylen 512 my_flash_encryption_key.bin
-
-
-    .. only:: SOC_FLASH_ENCRYPTION_XTS_AES_128 and not SOC_FLASH_ENCRYPTION_XTS_AES_256 and not SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
-
-        .. code-block:: bash
-
-            idf.py secure-generate-flash-encryption-key my_flash_encryption_key.bin
-
-
-  3. **在第一次加密启动前**，使用密钥管理器的 AES 部署模式，通过初始化密钥和辅助密钥将密钥部署到设备的密钥管理器中。
-
-  4. 部署过程将为已部署的密钥生成密钥恢复信息。使用以下命令将该信息存储到 flash 地址 0x0：
-
-    .. code-block:: bash
-
-        esptool --port PORT --baud BAUD write-flash 0x0 key_recovery_info.bin
-
-    如果未部署密钥就在启用 flash 加密后启动设备，{IDF_TARGET_NAME} 将生成并部署一个软件无法访问或修改的随机密钥。
-
-    .. note::
-
-        这个命令不包括任何应该被写入 flash 上的分区的用户文件。请在运行此命令前手动写入这些文件，否则在写入前应单独对这些文件进行加密。
-
-  5. 在 :ref:`项目配置菜单 <project-configuration-menu>` 中进行如下设置：
-
-      - :ref:`启动时启用 flash 加密功能 <CONFIG_SECURE_FLASH_ENC_ENABLED>`
-      - :ref:`选择加密模式 <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` （默认为 **开发模式**）
-      - :ref:`选择 flash 加密密钥来源为密钥管理器 <CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE>`
-      - :ref:`选择适当详细程度的引导加载程序日志 <CONFIG_BOOTLOADER_LOG_LEVEL>`
-      - 保存配置并退出。
-
-  启用 flash 加密将增大引导加载程序，因而可能需更新分区表偏移量。请参考 :ref:`引导加载程序大小 <bootloader-size>`。
-
-  6. 运行以下命令来构建并烧录完整的镜像：
-
-    .. code-block:: bash
-
-        idf.py flash monitor
-
-    .. note::
-
-        这个命令不包括任何应该被写入 flash 上的分区的用户文件。请在运行此命令前手动写入这些文件，否则在写入前应单独对这些文件进行加密。
+  该命令将向 flash 写入未加密的镜像：二级引导加载程序、分区表和应用程序。烧录完成后，{IDF_TARGET_NAME} 将复位。在下一次启动时，二级引导加载程序会加密：二级引导加载程序、应用程序分区和标记为 ``encrypted`` 的分区，然后复位。就地加密可能需要时间，对于大的分区来说可能耗时一分钟。之后，应用程序在运行时被解密并执行。
 
 一旦在量产模式下启用 flash 加密，引导加载程序将写保护 ``{IDF_TARGET_CRYPT_CNT}`` eFuse。
 
@@ -776,55 +786,55 @@ flash 加密设置
 
 1. 如果通过 **明文二级引导加载程序镜像** 重新烧录了引导加载程序分区，则 ROM 加载器将无法加载二级引导加载程序，并会显示以下错误类型：
 
-.. only:: esp32
+  .. only:: esp32
 
-  .. code-block:: bash
+    .. code-block:: bash
 
-      rst:0x3 (SW_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
-      flash read err, 1000
-      ets_main.c 371
-      ets Jun  8 2016 00:22:57
+        rst:0x3 (SW_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
+        flash read err, 1000
+        ets_main.c 371
+        ets Jun  8 2016 00:22:57
 
-      rst:0x7 (TG0WDT_SYS_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
-      flash read err, 1000
-      ets_main.c 371
-      ets Jun  8 2016 00:22:57
+        rst:0x7 (TG0WDT_SYS_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
+        flash read err, 1000
+        ets_main.c 371
+        ets Jun  8 2016 00:22:57
 
-      rst:0x7 (TG0WDT_SYS_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
-      flash read err, 1000
-      ets_main.c 371
-      ets Jun  8 2016 00:22:57
+        rst:0x7 (TG0WDT_SYS_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
+        flash read err, 1000
+        ets_main.c 371
+        ets Jun  8 2016 00:22:57
 
-      rst:0x7 (TG0WDT_SYS_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
-      flash read err, 1000
-      ets_main.c 371
-      ets Jun  8 2016 00:22:57
+        rst:0x7 (TG0WDT_SYS_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
+        flash read err, 1000
+        ets_main.c 371
+        ets Jun  8 2016 00:22:57
 
-      rst:0x7 (TG0WDT_SYS_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
-      flash read err, 1000
-      ets_main.c 371
-      ets Jun  8 2016 00:22:57
+        rst:0x7 (TG0WDT_SYS_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
+        flash read err, 1000
+        ets_main.c 371
+        ets Jun  8 2016 00:22:57
 
-.. only:: not esp32
+  .. only:: not esp32
 
-  .. code-block:: bash
+    .. code-block:: bash
 
-      rst:0x3 (SW_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
-      invalid header: 0xb414f76b
-      invalid header: 0xb414f76b
-      invalid header: 0xb414f76b
-      invalid header: 0xb414f76b
-      invalid header: 0xb414f76b
-      invalid header: 0xb414f76b
-      invalid header: 0xb414f76b
+        rst:0x3 (SW_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
+        invalid header: 0xb414f76b
+        invalid header: 0xb414f76b
+        invalid header: 0xb414f76b
+        invalid header: 0xb414f76b
+        invalid header: 0xb414f76b
+        invalid header: 0xb414f76b
+        invalid header: 0xb414f76b
 
-  .. note::
+    .. note::
 
-    不同应用程序中无效头文件的值不同。
+      不同应用程序中无效头文件的值不同。
 
-.. note::
+    .. note::
 
-    如果 flash 内容被擦除或损坏，也会出现这个错误。
+      如果 flash 内容被擦除或损坏，也会出现这个错误。
 
 2. 如果二级引导加载程序已加密，但通过 **明文分区表镜像** 重新烧录了分区表，引导加载程序将无法读取分区表，从而出现以下错误：
 
@@ -887,7 +897,7 @@ flash 加密设置
 {IDF_TARGET_NAME} flash 加密状态
 -----------------------------------------
 
-1. 确保你的 {IDF_TARGET_NAME} 设备有 :ref:`flash-encryption-efuse` 中所示的 flash 加密 eFuse 的默认设置。
+确保你的 {IDF_TARGET_NAME} 设备有 :ref:`flash-encryption-efuse` 中所示的 flash 加密 eFuse 的默认设置。
 
 要检查你的 {IDF_TARGET_NAME} 设备上是否启用了 flash 加密，请执行以下操作之一：
 
@@ -945,7 +955,7 @@ flash 加密范围
 
 也可以使用函数 :cpp:func:`esp_flash_write_encrypted` 预加密和写入数据。
 
-此外，esp-idf 应用程序中存在但不支持以下 ROM 函数：
+此外，ESP-IDF 应用程序中存在但不支持以下 ROM 函数：
 
 - ``esp_rom_spiflash_write_encrypted`` 预加密并将数据写入 flash
 - ``SPIWrite`` 将未加密的数据写入 flash
@@ -1015,13 +1025,13 @@ flash 加密的要点
 
   :esp32: - flash 加密算法采用的是 AES-256，其中密钥随着 flash 的每个 32 字节块的偏移地址“调整”。这意味着，每个 32 字节块（2 个连续的 16 字节 AES 块）使用从 flash 加密密钥中产生的一个特殊密钥进行加密。
 
-  :SOC_FLASH_ENCRYPTION_XTS_AES_256 and SOC_KEY_MANAGER_SUPPORTED: - 使用 XTS-AES-128 或 XTS-AES-256 加密 flash。flash 加密密钥分别为 256 位和 512 位，若 flash 加密使用基于 eFuse 的密钥启用，则存储于芯片内部一个或两个 ``BLOCK_KEYN`` eFuse 中；若 flash 加密使用基于密钥管理器的密钥启用，则 flash 加密密钥存储于密钥管理器中，并（默认）受保护，防止软件访问。
+  :SOC_FLASH_ENCRYPTION_XTS_AES_256 and not SOC_KEY_MANAGER_SUPPORTED: - 使用 XTS-AES-128 或 XTS-AES-256 加密 flash。flash 加密密钥分别为 256 位和 512 位，存储于芯片内部的一个或两个 ``BLOCK_KEYN`` eFuse 块中。默认情况下，这些密钥受硬件保护，软件无法访问。
 
-  :SOC_FLASH_ENCRYPTION_XTS_AES_256 and not SOC_KEY_MANAGER_SUPPORTED: - 使用 XTS-AES-128 或 XTS-AES-256 加密 flash。flash 加密密钥分别为 256 位和 512 位，存储于芯片内部一个或两个 ``BLOCK_KEYN`` eFuse 中，并（默认）受保护，防止软件访问。
+  :SOC_FLASH_ENCRYPTION_XTS_AES_256 and SOC_KEY_MANAGER_SUPPORTED: - 使用 XTS-AES-128 或 XTS-AES-256 加密 flash。flash 加密密钥分别为 256 位和 512 位。若 flash 加密使用基于 eFuse 的密钥启用，则密钥存储于芯片内部的一个或两个 ``BLOCK_KEYN`` eFuse 块中；若 flash 加密使用基于密钥管理器的密钥启用，则 flash 加密密钥存储于密钥管理器中。默认情况下，这些密钥受硬件保护，软件无法访问。
 
-  :esp32c3: - 使用 XTS-AES-128 加密 flash。 flash 加密密钥为 256 位，存储于芯片内部的 ``BLOCK_KEYN`` eFuse 中，并（默认）受保护，防止软件访问。
+  :SOC_FLASH_ENCRYPTION_XTS_AES_128 and not SOC_FLASH_ENCRYPTION_XTS_AES_256 and not SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED: - 使用 XTS-AES-128 加密 flash。flash 加密密钥为 256 位，存储于芯片内部的 ``BLOCK_KEYN`` eFuse 块中。默认情况下，该密钥受硬件保护，软件无法访问。
 
-  :esp32c2: - 使用 XTS-AES-128 加密 flash。 flash 加密密钥为 128 位或 256 位，存储于芯片内部的 ``BLOCK_KEY0`` eFuse 中，并（默认）受保护，防止软件访问。
+  :SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED: - 使用 XTS-AES-128 加密 flash。 flash 加密密钥为 128 位或 256 位，存储于芯片内部的 ``BLOCK_KEY0`` eFuse 块中。默认情况下，该密钥受硬件保护，软件无法访问。
 
   - 通过 {IDF_TARGET_NAME} 的 flash 缓存映射功能，flash 可支持透明访问——任何映射到地址空间的 flash 区域在读取时都将被透明地解密。
 
@@ -1031,11 +1041,11 @@ flash 加密的要点
 
   - 如果已启用安全启动，重新烧录加密设备的引导加载程序则需要“可重新烧录”的安全启动摘要（可参考 :ref:`flash-encryption-and-secure-boot`）。
 
-  启用 flash 加密将增大引导加载程序，因此可能需更新分区表偏移量。请参考 :ref:`引导加载程序大小 <bootloader-size>`。
+启用 flash 加密将增大引导加载程序，因此可能需更新分区表偏移量。请参考 :ref:`引导加载程序大小 <bootloader-size>`。
 
-    .. important::
+.. important::
 
-        在首次启动加密过程中，请勿切断 {IDF_TARGET_NAME} 的电源。如果电源被切断，flash 的内容将受到破坏，并需要重新烧录未加密数据。而这类重新烧录将不计入烧录限制次数。
+    在首次启动加密过程中，请勿切断 {IDF_TARGET_NAME} 的电源。如果电源被切断，flash 的内容将受到破坏，并需要重新烧录未加密数据。而这类重新烧录将不计入烧录限制次数。
 
 
 .. _flash-encryption-limitations:
@@ -1072,7 +1082,7 @@ flash 加密与安全启动
 
   - 在启用 flash 加密量产模式时，建议在首次启动时就设置 :ref:`xts-aes-pseudo-round-func` 所需的强度。如果你的工作流程需要在首次启动后更新该函数的强度，则应启用 :ref:`CONFIG_SECURE_BOOT_SKIP_WRITE_PROTECTION_SCA`，避免在启动过程中对该位进行写保护。
 
-.. _flash-encryption-without-secure-boot:
+.. _flash-encryption-advanced-features:
 
 flash 加密的高级功能
 --------------------------------
@@ -1123,11 +1133,11 @@ flash 加密的高级功能
   .. list::
 
     - ``DIS_DOWNLOAD_MANUAL_ENCRYPT`` 在 UART 引导加载程序启动模式下运行时，禁止 flash 加密操作。
-    :esp32s2 or esp32s3: - ``DIS_DOWNLOAD_ICACHE`` 和 ``DIS_DOWNLOAD_DCACHE`` 在 UART 引导加载程序模式下运行时禁止整个 MMU flash 缓存。
-    :esp32c3 or esp32c2: - ``DIS_DOWNLOAD_ICACHE`` 在 UART 引导加载程序模式下运行时禁止整个 MMU flash 缓存。
+    :SOC_EFUSE_DIS_DOWNLOAD_ICACHE and SOC_EFUSE_DIS_DOWNLOAD_DCACHE: - ``DIS_DOWNLOAD_ICACHE`` 和 ``DIS_DOWNLOAD_DCACHE`` 在 UART 引导加载程序模式下运行时禁止整个 MMU flash 缓存。
+    :SOC_EFUSE_DIS_DOWNLOAD_ICACHE and not SOC_EFUSE_DIS_DOWNLOAD_DCACHE: - ``DIS_DOWNLOAD_ICACHE`` 在 UART 引导加载程序模式下运行时禁止整个 MMU flash 缓存。
     :esp32s2: - ``HARD_DIS_JTAG`` 禁用 JTAG。
-    :esp32c3: - ``DIS_PAD_JTAG`` 和 ``DIS_USB_JTAG`` 禁用 JTAG。
-    :esp32s3: - ``HARD_DIS_JTAG`` 和 ``DIS_USB_JTAG`` 禁用 JTAG。
+    :SOC_EFUSE_DIS_PAD_JTAG and SOC_EFUSE_DIS_USB_JTAG: - ``DIS_PAD_JTAG`` 和 ``DIS_USB_JTAG`` 禁用 JTAG。
+    :SOC_EFUSE_HARD_DIS_JTAG and SOC_EFUSE_DIS_USB_JTAG: - ``HARD_DIS_JTAG`` 和 ``DIS_USB_JTAG`` 禁用 JTAG。
     - ``DIS_DIRECT_BOOT``（即之前的 ``DIS_LEGACY_SPI_BOOT``）禁用传统的 SPI 启动模式。
     :SOC_EFUSE_DIS_DOWNLOAD_MSPI: - ``DIS_DOWNLOAD_MSPI`` 在下载模式下禁用 MSPI 访问
 
@@ -1194,11 +1204,11 @@ JTAG 调试
 
 .. only:: SOC_KEY_MANAGER_SUPPORTED
 
-  手动加密或解密文件需要将 flash 加密密钥部署到密钥管理器或在 eFuse 中预烧录（请参阅 :ref:`pregenerated-flash-encryption-key`）并在主机上保留一份副本。如果 flash 加密配置在开发模式下，那么则不需要保留密钥的副本或遵循这些步骤，可以使用更简单的 :ref:`encrypt-partitions` 步骤。
+  手动加密或解密文件需要将 flash 加密密钥部署到密钥管理器或在 eFuse 中预烧录（请参阅 :ref:`pregenerated-flash-encryption-key`）并在主机上保留一份副本。如果 flash 加密配置在开发模式下，则不需要保留密钥的副本或遵循以下步骤，可以使用更简单的 :ref:`encrypt-partitions` 步骤。
 
 .. only:: not SOC_KEY_MANAGER_SUPPORTED
 
-  手动加密或解密文件需要在 eFuse 中预烧录 flash 加密密钥（请参阅 :ref:`pregenerated-flash-encryption-key`）并在主机上保留一份副本。 如果 flash 加密配置在开发模式下，那么则不需要保留密钥的副本或遵循这些步骤，可以使用更简单的 :ref:`encrypt-partitions` 步骤。
+  手动加密或解密文件需要在 eFuse 中预烧录 flash 加密密钥（请参阅 :ref:`pregenerated-flash-encryption-key`）并在主机上保留一份副本。如果 flash 加密配置在开发模式下，则不需要保留密钥的副本或遵循以下步骤，可以使用更简单的 :ref:`encrypt-partitions` 步骤。
 
 密钥文件应该是单个原始二进制文件（例如：``key.bin``）。
 
@@ -1220,7 +1230,7 @@ JTAG 调试
 
 .. note::
 
-    如果 {IDF_TARGET_NAME} 在启动时无法识别烧录进去的密文文件，请检查密钥是否匹配以及命令行参数是否完全匹配，包括偏移量是否正确。
+  如果 {IDF_TARGET_NAME} 在启动时无法识别烧录进去的密文文件，请检查密钥是否匹配以及命令行参数是否完全匹配，包括偏移量是否正确。
 
   .. only:: esp32
 

docs/zh_CN/security/security-features-enablement-workflows.rst

@@ -118,7 +118,7 @@
 
     .. only:: SOC_FLASH_ENCRYPTION_XTS_AES_128 and SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
 
-        如果 :ref:` 生成的 AES-XTS 密钥的大小 <CONFIG_SECURE_FLASH_ENCRYPTION_KEYSIZE>` 为 AES-128（256 位密钥）：
+        如果 :ref:`生成的 AES-XTS 密钥的大小 <CONFIG_SECURE_FLASH_ENCRYPTION_KEYSIZE>` 为 AES-128（256 位密钥）：
 
         .. code-block:: bash
 
@@ -130,57 +130,57 @@
 
             espsecure generate-flash-encryption-key --keylen 128 my_flash_encryption_key.bin
 
-3. 将生成的 Flash 加密密钥编程到设备中
+3. 将生成的 flash 加密密钥烧录到设备中
 
     .. only:: SOC_KEY_MANAGER_SUPPORTED
 
-        a. 如果打算使用 Key Manager 存储 Flash 加密密钥，请使用脚本 `generate_km_test_cases.py` 生成密钥部署参数，并使用该参数将密钥部署到 Key Manager 中。密钥部署到 Key Manager 后，使用以下命令将生成的密钥恢复信息存储到 flash 存储器地址 0x0 处：
+        a. 若使用密钥管理器存储 flash 加密密钥，请为 flash 加密密钥生成密钥恢复信息，并使用以下命令将其保存至 flash 地址 0x0 处：
 
         .. code-block:: bash
 
             esptool --port PORT write-flash 0x0 key_recovery_info.bin
 
-        将密钥恢复信息存储到 flash 存储器后，还需要编程 ``KM_XTS_KEY_LENGTH_256`` 和 ``FORCE_USE_KEY_MANAGER_KEY`` eFuse。
+        将密钥恢复信息存储至 flash 后，还需要烧录 ``KM_XTS_KEY_LENGTH_256`` 和 ``FORCE_USE_KEY_MANAGER_KEY`` eFuse。
 
         .. warning::
 
-            这个操作 **无法回退**。
+            此操作 **无法回退**。
 
-        ``FORCE_USE_KEY_MANAGER_KEY`` eFuse 的第 1 位用于强制使用基于 Key Manager 的 XTS-AES 密钥。
+        ``FORCE_USE_KEY_MANAGER_KEY`` eFuse 的第 1 位用于强制使用基于密钥管理器的 XTS-AES 密钥。
 
         .. code-block:: bash
 
             espefuse --port PORT burn-efuse FORCE_USE_KEY_MANAGER_KEY 2
 
-        ``KM_XTS_KEY_LENGTH_256`` eFuse 用于控制基于 Key Manager 的 XTS-AES 密钥的长度。将该 eFuse 设置为 1 表示使用 128 位密钥，设置为 0 表示使用 256 位密钥。
+        ``KM_XTS_KEY_LENGTH_256`` eFuse 用于控制基于密钥管理器的 XTS-AES 密钥长度。将该 eFuse 设置为 1 表示使用 128 位密钥，设置为 0 表示使用 256 位密钥。
 
-        如果使用 128 位密钥，将 ``KM_XTS_KEY_LENGTH_256`` eFuse 设置为 1。
+        若使用 128 位密钥，请将 ``KM_XTS_KEY_LENGTH_256`` eFuse 设置为 1。
 
         .. code-block:: bash
 
             espefuse --port PORT burn-efuse KM_XTS_KEY_LENGTH_256 1
 
-        如果使用 256 位密钥，将 ``KM_XTS_KEY_LENGTH_256`` eFuse 设置为 0。
+        若使用 256 位密钥，请将 ``KM_XTS_KEY_LENGTH_256`` eFuse 设置为 0。
 
         .. code-block:: bash
 
             espefuse --port PORT burn-efuse KM_XTS_KEY_LENGTH_256 0
 
-        b. 如需将 Flash 加密密钥存储在 eFuse 中，请运行以下命令：
+        b. 如需将 flash 加密密钥存储至 eFuse 中，请运行以下命令：
 
     .. only:: not SOC_KEY_MANAGER_SUPPORTED
 
-        如需将 Flash 加密密钥存储在 eFuse 中，请运行以下命令：
+        如需将 flash 加密密钥存储在 eFuse 中，请运行以下命令：
 
     .. warning::
 
-        这个操作 **无法回退**。
+        此操作 **无法回退**。
 
     .. only:: not SOC_FLASH_ENCRYPTION_XTS_AES
 
         .. code-block:: bash
 
-            espefuse --port PORT burn-key flash-encryption my_flash_encryption_key.bin
+            espefuse --port PORT burn-key flash_encryption my_flash_encryption_key.bin
 
     .. only:: SOC_FLASH_ENCRYPTION_XTS_AES_256
 
@@ -188,7 +188,7 @@
 
             espefuse --port PORT burn-key BLOCK my_flash_encryption_key.bin KEYPURPOSE
 
-        其中， ``BLOCK`` 是位于 ``BLOCK_KEY0`` 和 ``BLOCK_KEY5`` 之间的空闲密钥块， ``KEYPURPOSE`` 是 ``XTS_AES_256_KEY_1``， ``XTS_AES_256_KEY_2`` 或 ``XTS_AES_128_KEY``。有关密钥用途的说明，请参阅 `{IDF_TARGET_NAME} 技术参考手册 <{IDF_TARGET_TRM_EN_URL}>`__。
+        其中， ``BLOCK`` 是位于 ``BLOCK_KEY0`` 和 ``BLOCK_KEY5`` 之间的空闲密钥块， ``KEYPURPOSE`` 是 ``XTS_AES_256_KEY_1``， ``XTS_AES_256_KEY_2`` 或 ``XTS_AES_128_KEY``。有关密钥用途的说明，请参阅 `{IDF_TARGET_NAME} 技术参考手册 <{IDF_TARGET_TRM_CN_URL}>`__。
 
         对于 AES-128（256 位密钥）- ``XTS_AES_128_KEY``：
 
@@ -227,7 +227,7 @@
 
             espefuse --port PORT burn-key BLOCK_KEY0 flash_encryption_key256.bin XTS_AES_128_KEY
 
-        对于从 SHA256（128 eFuse 位）派生的 AES-128 密钥 - ``XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS``。FE 密钥会被写入 eFuse BLOCK_KEY0 的后半部分。前 128 位不会被使用，并保持可供软件读取状态。使用 espefuse 工具的特殊模式，可以用任何 espefuse 命令将数据写入其中，可参考下文 ``同时烧录两个密钥``。
+        对于从 SHA256（128 eFuse 位）派生的 AES-128 密钥 - ``XTS_AES_128_KEY_DERIVED_FROM_128_EFUSE_BITS``。FE 密钥会被写入 eFuse BLOCK_KEY0 低位部分。高 128 位不会被使用，并保持可供软件读取状态。使用 espefuse 工具的特殊模式，可以用任何 espefuse 命令将数据写入其中，可参考下文 ``同时烧录两个密钥``。
 
         .. code-block:: bash
 
@@ -438,7 +438,7 @@ flash 加密指南
 
         .. code:: bash
 
-            espsecure generate-signing-key --version 2 --scheme rsa3072 secure_boot_signinig_key.pem
+            espsecure generate-signing-key --version 2 --scheme rsa3072 secure_boot_signing_key.pem
 
     .. only:: SOC_SECURE_BOOT_V2_ECC
 
@@ -537,12 +537,12 @@ flash 加密指南
         :SOC_EFUSE_DIS_BOOT_REMAP: - ``DIS_BOOT_REMAP``：禁用将 ROM 重新映射到 RAM 地址空间的功能。
         :SOC_EFUSE_HARD_DIS_JTAG: - ``HARD_DIS_JTAG``：硬禁用 JTAG 外设。
         :SOC_EFUSE_SOFT_DIS_JTAG: - ``SOFT_DIS_JTAG``：禁止软件对 JTAG 外设的访问。
-        :SOC_EFUSE_DIS_DIRECT_BOOT:- ``DIS_DIRECT_BOOT``: 禁用直接引导（旧版 SPI 引导模式）。
+        :SOC_EFUSE_DIS_DIRECT_BOOT: - ``DIS_DIRECT_BOOT``: 禁用直接引导（旧版 SPI 引导模式）。
         :SOC_EFUSE_DIS_LEGACY_SPI_BOOT: - ``DIS_LEGACY_SPI_BOOT``：禁用旧版 SPI 引导模式。
         :SOC_EFUSE_DIS_USB_JTAG: - ``DIS_USB_JTAG``：禁止从 USB 切换到 JTAG。
         :SOC_EFUSE_DIS_PAD_JTAG: - ``DIS_PAD_JTAG``：永久禁用 JTAG。
         :SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS: - ``SECURE_BOOT_AGGRESSIVE_REVOKE``：主动吊销密钥摘要。详请请参阅 :ref:`secure-boot-v2-aggressive-key-revocation`。
-        :SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED: - ``WR_DIS_ECDSA_CURVE_MODE``：禁止写入 ECDSA 曲线模式的 eFuse 位。由于此写保护位与 ``ECC_FORCE_CONST_TIME`` 共享，建议先配置好 ``ECC_FORCE_CONST_TIME`` eFuse 字段后，再设置此写保护位）。
+        :SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED: - ``WR_DIS_ECDSA_CURVE_MODE``：禁止写入 ECDSA 曲线模式的 eFuse 位。由于此写保护位与 ``ECC_FORCE_CONST_TIME`` 共享，建议配置好 ``ECC_FORCE_CONST_TIME`` eFuse 字段后，再设置此写保护位。
         :SOC_ECDSA_SUPPORT_CURVE_P384: - ``WR_DIS_SECURE_BOOT_SHA384_EN``：禁止写入 SHA-384 Secure Boot 的 eFuse 位。由于此写保护位与 ``XTS_DPA_PSEUDO_LEVEL`` 和 ``ECC_FORCE_CONST_TIME`` 共享，建议先配置好这两个 eFuse，再设置此写保护位。
 
     运行以下命令烧录相应的 eFuse：
@@ -715,7 +715,7 @@ Secure Boot v2 指南
 
     3. 生成加密的 NVS 分区
 
-        主机上将会生成加密 NVS 分区。有关生成加密 NVS 分区的详细信息，请参阅读 :ref:`generate-encrypted-nvs-partition`。为此，CSV 文件中应该包含 NVS 文件的全部内容。详情请参阅 :ref:`nvs-csv-file-format`。
+        主机上将会生成加密 NVS 分区。有关生成加密 NVS 分区的详细信息，请参阅 :ref:`generate-encrypted-nvs-partition`。为此，CSV 文件中应该包含 NVS 文件的全部内容。详情请参阅 :ref:`nvs-csv-file-format`。
 
         使用以下命令，可以生成加密的 NVS 分区：
 
@@ -774,7 +774,7 @@ Secure Boot v2 指南
 
     下文解释了上述命令中的一些参数：
 
-    * CSV 文件名 - 上述命名中的 `sample_singlepage_blob.csv` 是指包含 NVS 数据的 CSV 文件，请将其替换为所选文件。
+    * CSV 文件名 - 上述命令中的 `sample_singlepage_blob.csv` 是指包含 NVS 数据的 CSV 文件，请将其替换为所选文件。
 
     * NVS 分区大小 - 这是 NVS 分区的大小（以字节为单位）。请将上述命令中的示例值 ``0x3000`` 更新为你实际 NVS 分区的正确大小。
 

docs/zh_CN/security/security.rst

@@ -3,7 +3,7 @@
 
 {IDF_TARGET_CIPHER_SCHEME:default="RSA", esp32h2="RSA 或 ECDSA", esp32p4="RSA 或 ECDSA", esp32c5="RSA 或 ECDSA", esp32c61="ECDSA", esp32h21="RSA 或 ECDSA"}
 
-{IDF_TARGET_SIG_PERI:default="DS", esp32h2="DS 或 ECDSA", esp32p4="DS 或 ECDSA", esp32c5="DS 或 ECDSA", esp32c61="ECDSA"}
+{IDF_TARGET_SIG_PERI:default="DS", esp32h2="DS 或 ECDSA", esp32p4="DS 或 ECDSA", esp32c5="DS 或 ECDSA"}
 
 :link_to_translation:`en:[English]`
 
@@ -106,7 +106,7 @@ flash 加密最佳实践
     密钥管理器
     ~~~~~~~~~~
 
-    {IDF_TARGET_NAME} 中的密钥管理器外设提供硬件辅助的 **密钥部署和恢复** 功能，适用于加密密钥。密钥通过硬件唯一密钥 (HUK) 与芯片绑定，该密钥对每块芯片唯一，从而确保密钥内容不会暴露在软件可访问的内存中。
+    {IDF_TARGET_NAME} 中的密钥管理器外设提供硬件辅助的 **密钥部署和恢复** 功能，适用于加密密钥。密钥通过每块芯片独有的硬件唯一密钥 (HUK) 进行加密绑定，确保密钥内容不会暴露给软件可访问的内存。
 
     密钥管理器支持以下加密外设的密钥管理：:doc:`ECDSA <../api-reference/peripherals/ecdsa>`、:doc:`HMAC <../api-reference/peripherals/hmac>`、:doc:`数字签名 (DS) <../api-reference/peripherals/ds>` 以及 flash 加密。
 
@@ -116,9 +116,8 @@ flash 加密最佳实践
     ^^^^^^^^^^^^^^^^^^
 
     * 防止密钥管理器部署密钥的 ``key_recovery_info`` 遭受未授权修改或丢失。
-    * 在成功部署密钥后，锁定密钥管理器相关的安全 eFuse，以防止重新部署同类型密钥。
-    * 除非明确需要，否则在 flash 加密已启用的情况下，避免部署新的 XTS-AES 密钥。
-
+    * 在成功部署密钥后，锁定密钥管理器相关的安全 eFuse，防止重新部署同类型密钥。
+    * 除非明确需要，否则在已启用 flash 加密的情况下，避免部署新的 XTS-AES 密钥。
 
 .. only:: SOC_MEMPROT_SUPPORTED or SOC_CPU_IDRAM_SPLIT_USING_PMP
 
@@ -143,7 +142,7 @@ flash 加密最佳实践
         差分功耗分析 (DPA) 保护
         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-        {IDF_TARGET_NAME} 支持针对 DPA 相关安全攻击的保护机制。DPA 保护通过动态调整加密外设的时钟频率，在其运行期间模糊了功耗轨迹。时钟变化范围会根据配置的 DPA 安全级别改变。更多详情请参阅 *{IDF_TARGET_NAME} 技术参考手册* > [`PDF <{IDF_TARGET_TRM_CN_URL}>`__]。
+        {IDF_TARGET_NAME} 支持针对 DPA 相关安全攻击的保护机制。DPA 保护通过动态调整加密外设的时钟频率，在其运行期间模糊了功耗轨迹。时钟变化范围会根据配置的 DPA 安全级别改变。详情请参阅 **《{IDF_TARGET_NAME} 技术参考手册》** [`PDF <{IDF_TARGET_TRM_CN_URL}>`__]。
 
         通过 :ref:`CONFIG_ESP_CRYPTO_DPA_PROTECTION_LEVEL` 可以调整 DPA 级别。级别越高安全性越强，但也可能会影响性能。默认启用最低级别 DPA 保护，可以根据安全需求修改。
 
@@ -159,7 +158,7 @@ flash 加密最佳实践
         {IDF_TARGET_NAME} 在 AES 外设中集成了伪轮次功能，使该外设能够在原始操作轮次前后随机插入伪轮次，并生成一个伪密钥来执行这些虚拟操作。
         这些操作不会改变原始结果，但能够通过随机化功耗特征，提高实施侧信道分析攻击的复杂性。
 
-        可以使用 :ref:`CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH` 选择伪轮次功能的强度。提高强度会增强该功能所提供的安全性，但会加密/解密操作的速度。
+        可以使用 :ref:`CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH` 选择伪轮次功能的强度。提高强度会增强该功能所提供的安全性，但会减缓加密/解密操作的速度。
 
 
         .. list-table:: 伪轮次功能的不同强度对 AES 操作性能的影响