fix(cpu_region_protect): set DROM mask PMP entry to read-only

PMP entry 3 (SOC_DROM_MASK_HIGH, TOR mode) in the memprot path
was incorrectly granted RW permission on esp32h21 and esp32c61.
The mask ROM data region is inherently read-only; remove the W bit.

Also added necessary tests to check voilations and re-enabled
tests for ESP32P4

tools/test_apps/system/panic/main/include/test_memprot.h

@@ -63,6 +63,12 @@ void test_spiram_xip_irom_alignment_reg_execute_violation(void);
 
 void test_spiram_xip_drom_alignment_reg_execute_violation(void);
 
+void test_irom_mask_reg_write_violation(void);
+
+#ifdef SOC_DROM_MASK_HIGH
+void test_drom_mask_reg_write_violation(void);
+#endif
+
 void test_drom_reg_write_violation(void);
 
 void test_drom_reg_execute_violation(void);

tools/test_apps/system/panic/main/test_app_main.c

@@ -188,6 +188,10 @@ void app_main(void)
 
 #if CONFIG_ESP_SYSTEM_MEMPROT
     HANDLE_TEST(test_name, test_irom_reg_write_violation);
+    HANDLE_TEST(test_name, test_irom_mask_reg_write_violation);
+#ifdef SOC_DROM_MASK_HIGH
+    HANDLE_TEST(test_name, test_drom_mask_reg_write_violation);
+#endif
     HANDLE_TEST(test_name, test_drom_reg_write_violation);
     HANDLE_TEST(test_name, test_drom_reg_execute_violation);
 

tools/test_apps/system/panic/main/test_memprot.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2021-2026 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -299,6 +299,23 @@ void test_irom_reg_write_violation(void)
     *test_addr = RND_VAL;
 }
 
+void test_irom_mask_reg_write_violation(void)
+{
+    uint32_t *test_addr = (uint32_t *)(SOC_IROM_MASK_LOW + 0x04);
+    printf("ROM (IROM Mask): Write operation | Address: %p\n", test_addr);
+    *test_addr = RND_VAL;
+}
+
+#ifdef SOC_DROM_MASK_HIGH
+void test_drom_mask_reg_write_violation(void)
+{
+    uint32_t *test_addr = (uint32_t *)(SOC_DROM_MASK_HIGH - 0x04);
+    printf("ROM (DROM Mask): Write operation | Address: %p\n", test_addr);
+    *test_addr = RND_VAL;
+}
+
+#endif
+
 void test_drom_reg_write_violation(void)
 {
     uint32_t *test_addr = (uint32_t *)((uint32_t)(foo_buf));

tools/test_apps/system/panic/pytest_panic.py

@@ -1121,6 +1121,34 @@ def test_non_cache_irom_reg_write_violation(dut: PanicTestDut, test_func_name: s
         irom_reg_write_violation(dut, test_func_name)
 
 
+def irom_mask_reg_write_violation(dut: PanicTestDut, test_func_name: str) -> None:
+    dut.run_test_func(test_func_name)
+    dut.expect_gme('Store access fault')
+    dut.expect_reg_dump(0)
+    dut.expect_cpu_reset()
+
+
+@pytest.mark.generic
+@pytest.mark.temp_skip_ci(targets=['esp32h21'], reason='lack of runners')
+@idf_parametrize('config, target', CONFIGS_MEMPROT_FLASH_IDROM, indirect=['config', 'target'])
+def test_irom_mask_reg_write_violation(dut: PanicTestDut, test_func_name: str) -> None:
+    irom_mask_reg_write_violation(dut, test_func_name)
+
+
+def drom_mask_reg_write_violation(dut: PanicTestDut, test_func_name: str) -> None:
+    dut.run_test_func(test_func_name)
+    dut.expect_gme('Store access fault')
+    dut.expect_reg_dump(0)
+    dut.expect_cpu_reset()
+
+
+@pytest.mark.generic
+@pytest.mark.temp_skip_ci(targets=['esp32h21'], reason='lack of runners')
+@idf_parametrize('config, target', CONFIGS_MEMPROT_FLASH_IDROM, indirect=['config', 'target'])
+def test_drom_mask_reg_write_violation(dut: PanicTestDut, test_func_name: str) -> None:
+    drom_mask_reg_write_violation(dut, test_func_name)
+
+
 def drom_reg_write_violation(dut: PanicTestDut, test_func_name: str) -> None:
     dut.run_test_func(test_func_name)
     dut.expect_gme('Store access fault')