test(examples/security): Extend the flash enc example to flash enc enabled using KM targets

examples/security/.build-test-rules.yml

@@ -3,10 +3,14 @@
 examples/security/flash_encryption:
   disable:
     - if: CONFIG_NAME == "psram" and SOC_SPIRAM_SUPPORTED != 1
+    - if: CONFIG_NAME == "key_mgr" and SOC_KEY_MANAGER_SUPPORTED != 1
     - if: IDF_TARGET in ["esp32s31"]
       temporary: true
       reason: not support yet # TODO: [ESP32S31] IDF-14628
   disable_test:
+    - if: CONFIG_NAME == "key_mgr"
+      temporary: true
+      reason: lack of runners
     - if: IDF_TARGET in ["esp32s2", "esp32s3", "esp32c6", "esp32h2", "esp32c2", "esp32c5", "esp32c61"]
       temporary: true
       reason: lack of runners

examples/security/flash_encryption/README.md

@@ -14,6 +14,7 @@ The example also demonstrates:
 2. Initialization of FATFS, formatting, writing and reading file. Both encrypted as well as non-encrypted.
 3. Initialization of encrypted NVS partition. Both auto-generated as well as pre-generated NVS key scenarios are presented.
 4. Flashing the example in Development as well as Release mode.
+5. Using the Key Manager peripheral as the Flash Encryption key source (on targets with the Key Manager peripheral).
 
 ### NVS example
 The example demonstrates default and custom NVS partition initialisation when the flash encryption is enabled. From the code perspective the use of NVS API is transparent regardless of the flash encryption mode.
@@ -36,6 +37,10 @@ idf.py menuconfig
 #### Flash encryption configuration
 Enable the flash encryption mode (Development or Release) under (`menuconfig -> Security Features`). Default usage mode is Development (recommended during test and development phase).
 
+On targets that support the Key Manager peripheral (ESP32-C5, ESP32-P4), the flash encryption key source can be configured under (`menuconfig -> Security features -> Flash Encryption -> Flash Encryption key source`):
+- **eFuse-based key** (default): The key is generated by the bootloader and stored in a `BLOCK_KEYN` eFuse.
+- **Key Manager-based key**: The key is deployed into and managed by the Key Manager peripheral. See [Using Key Manager as Flash Encryption Key Source](#using-key-manager-as-flash-encryption-key-source) below.
+
 Note: After enabling flash encryption, the bootloader size increases, which means that default offset of the partition table (`menuconfig -> Partition Table -> Offset of partition table`) has to be increased from default value of 0x8000 to prevent the bootloader from overlapping with the partition table. In this example, the offset of the partition table is incereased to 0xD000.
 
 If you chose the Release mode, for better security, you can also disable UART ROM download mode using (`menuconfig -> Security features -> UART ROM download mode -> Permanently disabled`)
@@ -62,6 +67,35 @@ For convenience, file `sample_encryption_keys.bin` with a sample of pre-generate
 #### Configuration for FATFS encryption
 FATFS encryption example uses two additional partitions in the partition table. Both partitions are of type `data` and subtype `fat`. The first partition `fat_encrypted` has the encrypted flag set, the second partition `fat_not_encr` has the encryption flag off. Both partitions are defined in the partition configuration file `partitions_example.csv`
 
+### Using Key Manager as Flash Encryption Key Source
+
+> **Note:** This feature is only available on targets with the Key Manager peripheral: **ESP32-C5** and **ESP32-P4**.
+
+On supported targets, the Flash Encryption key can be deployed into and managed by the [Key Manager](https://docs.espressif.com/projects/esp-idf/en/latest/esp32c5/api-reference/peripherals/key_manager.html) peripheral instead of an eFuse block. This means the plaintext key material is never stored in eFuses, RAM, or flash - it is bound to the device's Hardware Unique Key (HUK) and accessible only to hardware peripherals.
+
+For the full workflow (key deployment, eFuse programming, and boot sequence), refer to the [Flash Encryption documentation](https://docs.espressif.com/projects/esp-idf/en/latest/esp32c5/security/flash-encryption.html).
+
+#### Configuration
+
+Enable Key Manager as the Flash Encryption key source in `menuconfig`:
+
+```
+menuconfig -> Security features -> Flash Encryption -> Flash Encryption key source -> Key Manager
+```
+
+This sets `CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR=y`. The CI configuration for this mode is provided in `sdkconfig.ci.key_mgr`. The following snippet shows only the **Key Manager–specific** Flash Encryption configurations; other configurations (e.g., NVS encryption scheme) must be set separately as needed:
+
+```
+CONFIG_SECURE_FLASH_ENC_ENABLED=y
+CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y
+CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR=y
+CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y
+```
+
+> **Note on `CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED`:** This option is set in the CI configuration to prevent flash encryption from being accidentally enabled on clean CI runners. When this option is enabled, the bootloader refuses to boot unless flash encryption is already active on the device. **For local development**, you should **disable** this option (set `CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=n`) so that the bootloader can enable flash encryption on the first boot.
+
+When using the Key Manager, the flash encryption key is deployed via the Key Manager peripheral. If no key recovery info is found in flash, the bootloader will generate a random key and deploy it through the Key Manager. The key recovery info is stored in flash at address `0x0`.
+
 ### Building
 
 ```

examples/security/flash_encryption/sdkconfig.ci.key_mgr

@@ -0,0 +1,12 @@
+# Configurations for flash encryption.
+CONFIG_SECURE_FLASH_ENC_ENABLED=y
+CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y
+CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=y
+CONFIG_SECURE_BOOT_ALLOW_JTAG=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y
+CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y
+CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y
+
+CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR=y