Merge branch 'bugfix/external_mem_enc_docs_v6.0' into 'release/v6.0'

docs: update PSRAM and flash encryption docs with per-page and separate key capabilities (v6.0)

See merge request espressif/esp-idf!46955

components/soc/esp32c5/include/soc/Kconfig.soc_caps.in

@@ -1255,10 +1255,22 @@ config SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
     bool
     default y
 
+config SOC_FLASH_ENCRYPTION_PAGE_CONFIGURABLE
+    bool
+    default y
+
 config SOC_PSRAM_ENCRYPTION_XTS_AES_128
     bool
     default y
 
+config SOC_PSRAM_ENCRYPTION_SEPARATE_KEY
+    bool
+    default y
+
+config SOC_PSRAM_ENCRYPTION_PAGE_CONFIGURABLE
+    bool
+    default y
+
 config SOC_RECOVERY_BOOTLOADER_SUPPORTED
     bool
     default y

components/soc/esp32c5/include/soc/soc_caps.h

@@ -508,9 +508,12 @@
 #define SOC_FLASH_ENCRYPTION_XTS_AES_128        1  /* SOC_EFUSE_XTS_AES_KEY_128 (1) || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 (1) */
 #define SOC_FLASH_ENCRYPTION_XTS_AES_256        1  /* SOC_EFUSE_XTS_AES_KEY_256 (0) || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 (1) */
 #define SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND  1
+#define SOC_FLASH_ENCRYPTION_PAGE_CONFIGURABLE  1  /* Flash encryption can be configured on a MMU page basis */
 
 /*-------------------------- PSRAM Encryption CAPS----------------------------*/
-#define SOC_PSRAM_ENCRYPTION_XTS_AES_128    (1)
+#define SOC_PSRAM_ENCRYPTION_XTS_AES_128        1
+#define SOC_PSRAM_ENCRYPTION_SEPARATE_KEY       1  /* PSRAM encryption can use independent key */
+#define SOC_PSRAM_ENCRYPTION_PAGE_CONFIGURABLE  1  /* PSRAM encryption can be configured on a MMU page basis */
 
 /*------------------------Bootloader CAPS---------------------------------*/
 /* Support Recovery Bootloader */

components/soc/esp32c6/include/soc/Kconfig.soc_caps.in

@@ -1051,6 +1051,10 @@ config SOC_FLASH_ENCRYPTION_XTS_AES_128
     bool
     default y
 
+config SOC_FLASH_ENCRYPTION_PAGE_CONFIGURABLE
+    bool
+    default y
+
 config SOC_APM_CTRL_FILTER_SUPPORTED
     bool
     default y

components/soc/esp32c6/include/soc/soc_caps.h

@@ -437,6 +437,7 @@
 #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX   (64)
 #define SOC_FLASH_ENCRYPTION_XTS_AES        1
 #define SOC_FLASH_ENCRYPTION_XTS_AES_128    1
+#define SOC_FLASH_ENCRYPTION_PAGE_CONFIGURABLE  1  /* Flash encryption can be configured on a MMU page basis */
 
 /*-------------------------- APM CAPS ----------------------------------------*/
 #define SOC_APM_CTRL_FILTER_SUPPORTED         1 /*!< Support for APM control filter */

components/soc/esp32c61/include/soc/Kconfig.soc_caps.in

@@ -939,6 +939,14 @@ config SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
     bool
     default y
 
+config SOC_FLASH_ENCRYPTION_PAGE_CONFIGURABLE
+    bool
+    default y
+
+config SOC_PSRAM_ENCRYPTION_PAGE_CONFIGURABLE
+    bool
+    default y
+
 config SOC_RECOVERY_BOOTLOADER_SUPPORTED
     bool
     default y

components/soc/esp32c61/include/soc/soc_caps.h

@@ -390,6 +390,10 @@
 #define SOC_FLASH_ENCRYPTION_XTS_AES        1
 #define SOC_FLASH_ENCRYPTION_XTS_AES_128    1
 #define SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND  1
+#define SOC_FLASH_ENCRYPTION_PAGE_CONFIGURABLE  1  /* Flash encryption can be configured on a MMU page basis */
+
+/*-------------------------- PSRAM Encryption CAPS----------------------------*/
+#define SOC_PSRAM_ENCRYPTION_PAGE_CONFIGURABLE  1  /* PSRAM encryption can be configured on a MMU page basis */
 
 /*------------------------Bootloader CAPS---------------------------------*/
 /* Support Recovery Bootloader */

components/soc/esp32h2/include/soc/Kconfig.soc_caps.in

@@ -1063,6 +1063,10 @@ config SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
     bool
     default y
 
+config SOC_FLASH_ENCRYPTION_PAGE_CONFIGURABLE
+    bool
+    default y
+
 config SOC_APM_CTRL_FILTER_SUPPORTED
     bool
     default y

components/soc/esp32h2/include/soc/soc_caps.h

@@ -457,6 +457,7 @@
 #define SOC_FLASH_ENCRYPTION_XTS_AES        1
 #define SOC_FLASH_ENCRYPTION_XTS_AES_128    1
 #define SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND  1 /*!< Only avliable in chip version above 1.2*/
+#define SOC_FLASH_ENCRYPTION_PAGE_CONFIGURABLE  1  /* Flash encryption can be configured on a MMU page basis */
 
 /*-------------------------- APM CAPS ----------------------------------------*/
 #define SOC_APM_CTRL_FILTER_SUPPORTED   1 /*!< Support for APM control filter */

components/soc/esp32p4/include/soc/Kconfig.soc_caps.in

@@ -1663,6 +1663,18 @@ config SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
     bool
     default y
 
+config SOC_FLASH_ENCRYPTION_PAGE_CONFIGURABLE
+    bool
+    default y
+
+config SOC_PSRAM_ENCRYPTION_SEPARATE_KEY
+    bool
+    default y
+
+config SOC_PSRAM_ENCRYPTION_PAGE_CONFIGURABLE
+    bool
+    default y
+
 config SOC_UART_NUM
     int
     default 6

components/soc/esp32p4/include/soc/soc_caps.h

@@ -634,6 +634,11 @@
 #define SOC_FLASH_ENCRYPTION_XTS_AES_128    1  /* SOC_EFUSE_XTS_AES_KEY_128 (1) || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 (1) */
 #define SOC_FLASH_ENCRYPTION_XTS_AES_256    1  /* SOC_EFUSE_XTS_AES_KEY_256 (1) || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 (1) */
 #define SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND  1 /*!< Only available in chip version above 3.0 */
+#define SOC_FLASH_ENCRYPTION_PAGE_CONFIGURABLE  1  /* Flash encryption can be configured on a MMU page basis */
+
+/*-------------------------- PSRAM Encryption CAPS----------------------------*/
+#define SOC_PSRAM_ENCRYPTION_SEPARATE_KEY       1  /* PSRAM encryption can use independent key */
+#define SOC_PSRAM_ENCRYPTION_PAGE_CONFIGURABLE  1  /* PSRAM encryption can be configured on a MMU page basis */
 
 /*-------------------------- MEMPROT CAPS ------------------------------------*/
 

docs/en/api-guides/external-ram.rst

@@ -243,6 +243,13 @@ By default, failure to initialize external RAM will cause the ESP-IDF startup to
 
     This feature is enabled whenever flash encryption is enabled. For more information on how to enable and how it works see :doc:`Flash Encryption </security/flash-encryption>`.
 
+    .. only:: SOC_PSRAM_ENCRYPTION_PAGE_CONFIGURABLE
+
+        On {IDF_TARGET_NAME}, PSRAM encryption can be controlled on a per-MMU-page basis, allowing individual PSRAM pages to be selectively encrypted or left unencrypted. However, in the default configuration, all PSRAM pages are encrypted when flash encryption is enabled.
+
+    .. only:: SOC_PSRAM_ENCRYPTION_SEPARATE_KEY
+
+        On {IDF_TARGET_NAME}, PSRAM encryption can use an independent encryption key. If the PSRAM encryption key is not programmed, the flash encryption key will be used as the PSRAM encryption key.
 
 .. only:: esp32
 

docs/en/security/flash-encryption.rst

@@ -1244,8 +1244,17 @@ The command ``idf.py decrypt-flash-data`` can be used with the same options (and
   External RAM
   ------------
 
-  When Flash Encryption is enabled any data read from and written to external SPI RAM through the cache will also be encrypted/decrypted. This happens the same way and with the same key as for Flash Encryption. If Flash Encryption is enabled then encryption for external SPI RAM is also always enabled, it is not possible to separately control this functionality.
+  .. only:: SOC_PSRAM_ENCRYPTION_PAGE_CONFIGURABLE
 
+    When Flash Encryption is enabled any data read from and written to external SPI RAM through the cache can also be encrypted/decrypted. On {IDF_TARGET_NAME}, PSRAM encryption can be controlled on a per-MMU-page basis, allowing individual PSRAM pages to be selectively encrypted or left unencrypted. However, in the default configuration, all PSRAM pages are encrypted when flash encryption is enabled.
+
+  .. only:: not SOC_PSRAM_ENCRYPTION_PAGE_CONFIGURABLE
+
+    When Flash Encryption is enabled any data read from and written to external SPI RAM through the cache will also be encrypted/decrypted. If Flash Encryption is enabled then encryption for external SPI RAM is also automatically enabled.
+
+  .. only:: SOC_PSRAM_ENCRYPTION_SEPARATE_KEY
+
+    On {IDF_TARGET_NAME}, PSRAM encryption can use an independent encryption key. If the PSRAM encryption key is not programmed, the flash encryption key will be used as the PSRAM encryption key.
 
 Technical Details
 -----------------

docs/zh_CN/api-guides/external-ram.rst

@@ -243,6 +243,14 @@ ESP-IDF 启动过程中，片外 RAM 被映射到数据虚拟地址空间，该
 
     只要启用了 flash 加密功能，就会启用这个功能。关于如何启用 flash 加密以及其工作原理，请参考 :doc:`/security/flash-encryption`。
 
+    .. only:: SOC_PSRAM_ENCRYPTION_PAGE_CONFIGURABLE
+
+        在 {IDF_TARGET_NAME} 上，PSRAM 加密可以按 MMU 页面粒度进行控制，允许对单个 PSRAM 页面选择性地加密或不加密。但在默认配置下，启用 flash 加密时所有 PSRAM 页面都会被加密。
+
+    .. only:: SOC_PSRAM_ENCRYPTION_SEPARATE_KEY
+
+        在 {IDF_TARGET_NAME} 上，PSRAM 加密可以使用独立的加密密钥。如果未烧录 PSRAM 加密密钥，则会使用 flash 加密密钥作为 PSRAM 加密密钥。
+
 
 .. only:: esp32
 

docs/zh_CN/security/flash-encryption.rst

@@ -1244,7 +1244,17 @@ JTAG 调试
     片外 RAM
     ------------
 
-    启用 flash 加密后，任何通过缓存从片外 SPI RAM 读取和写入的数据也将被加密/解密。这个实现的方式以及使用的密钥与 flash 加密相同。如果启用 flash 加密，则片外 SPI RAM 的加密也会被启用，无法单独控制此功能。
+    .. only:: SOC_PSRAM_ENCRYPTION_PAGE_CONFIGURABLE
+
+      启用 flash 加密后，任何通过缓存从片外 SPI RAM 读取和写入的数据也可以被加密/解密。在 {IDF_TARGET_NAME} 上，PSRAM 加密可以按 MMU 页面粒度进行控制，允许对单个 PSRAM 页面选择性地加密或不加密。但在默认配置下，启用 flash 加密时所有 PSRAM 页面都会被加密。
+
+    .. only:: not SOC_PSRAM_ENCRYPTION_PAGE_CONFIGURABLE
+
+      启用 flash 加密后，任何通过缓存从片外 SPI RAM 读取和写入的数据也将被加密/解密。如果启用 flash 加密，则片外 SPI RAM 的加密也会自动启用。
+
+    .. only:: SOC_PSRAM_ENCRYPTION_SEPARATE_KEY
+
+      在 {IDF_TARGET_NAME} 上，PSRAM 加密可以使用独立的加密密钥。如果未烧录 PSRAM 加密密钥，则会使用 flash 加密密钥作为 PSRAM 加密密钥。
 
 
 技术细节