From b8c527a87c1930a2446a5148ec16892b14f99c8e Mon Sep 17 00:00:00 2001 From: Chen Jichang Date: Wed, 21 Jan 2026 15:11:59 +0800 Subject: [PATCH] refactor(flash_enc): move esp_flash_encryption_enabled() to efuse component --- components/app_update/esp_ota_ops.c | 7 ++- .../bootloader_flash/src/bootloader_flash.c | 4 +- .../include/esp_flash_encrypt.h | 5 +- .../src/bootloader_utility.c | 10 ++-- .../src/esp32/secure_boot_secure_features.c | 3 +- .../src/esp32c3/secure_boot_secure_features.c | 3 +- .../src/esp32c5/secure_boot_secure_features.c | 3 +- .../src/esp32c6/secure_boot_secure_features.c | 3 +- .../esp32c61/secure_boot_secure_features.c | 3 +- .../src/esp32h2/secure_boot_secure_features.c | 3 +- .../esp32h21/secure_boot_secure_features.c | 3 +- .../src/esp32p4/secure_boot_secure_features.c | 3 +- .../src/esp32s2/secure_boot_secure_features.c | 3 +- .../src/esp32s3/secure_boot_secure_features.c | 3 +- .../bootloader_support/src/flash_encrypt.c | 47 +++++-------------- .../src/flash_encryption/flash_encrypt.c | 4 +- .../src/secure_boot_v1/secure_boot.c | 3 +- components/efuse/include/esp_efuse.h | 9 +++- components/efuse/src/esp_efuse_fields.c | 25 +++++++++- components/esp_driver_dma/CMakeLists.txt | 2 +- components/esp_driver_dma/src/gdma.c | 2 +- components/esp_driver_dma/src/gdma_link.c | 6 +-- components/esp_driver_dma/src/gdma_priv.h | 2 +- .../test_apps/dma/main/CMakeLists.txt | 2 +- .../test_apps/dma/main/test_async_memcpy.c | 6 +-- .../test_apps/dma/main/test_dw_gdma.c | 4 +- .../test_apps/dma/main/test_gdma.c | 6 +-- components/esp_https_ota/CMakeLists.txt | 4 +- components/esp_https_ota/src/esp_https_ota.c | 4 +- components/esp_hw_support/CMakeLists.txt | 1 + .../heap_align_hw.c | 4 +- .../include/esp_private/heap_align_hw.h | 0 .../mipi_dsi_lcd/main/CMakeLists.txt | 2 +- .../mipi_dsi_lcd/main/test_mipi_dsi_panel.c | 4 +- components/esp_mm/CMakeLists.txt | 2 - components/esp_partition/CMakeLists.txt | 6 +-- components/esp_partition/partition.c | 4 +- components/espcoredump/CMakeLists.txt | 2 +- components/espcoredump/src/core_dump_elf.c | 4 +- components/espcoredump/src/core_dump_flash.c | 8 ++-- .../nvs_flash/test_apps/main/CMakeLists.txt | 2 +- .../nvs_flash/test_apps/main/test_nvs.c | 10 ++-- .../test_apps_bootloader/main/CMakeLists.txt | 2 +- .../main/test_encrypted_nvs_bootloader.c | 4 +- .../test_apps/flash_mmap/main/CMakeLists.txt | 2 +- .../flash_mmap/main/test_flash_mmap.c | 10 ++-- .../release-6.x/6.0/security.rst | 6 +++ docs/en/security/flash-encryption.rst | 2 +- .../release-6.x/6.0/security.rst | 6 +++ docs/zh_CN/security/flash-encryption.rst | 2 +- examples/system/efuse/main/efuse_main.c | 2 +- .../mock_build_test/main/mock_build_test.c | 2 +- .../g1_components/check_dependencies.py | 1 - 53 files changed, 139 insertions(+), 131 deletions(-) rename components/{esp_mm => esp_hw_support}/heap_align_hw.c (97%) rename components/{esp_mm => esp_hw_support}/include/esp_private/heap_align_hw.h (100%) diff --git a/components/app_update/esp_ota_ops.c b/components/app_update/esp_ota_ops.c index b43194301b..25dc90370e 100644 --- a/components/app_update/esp_ota_ops.c +++ b/components/app_update/esp_ota_ops.c @@ -16,7 +16,6 @@ #include "esp_partition.h" #include "esp_image_format.h" #include "esp_secure_boot.h" -#include "esp_flash_encrypt.h" #include "spi_flash_mmap.h" #include "sdkconfig.h" @@ -342,7 +341,7 @@ esp_err_t esp_ota_write(esp_ota_handle_t handle, const void *data, size_t size) } } - if (esp_flash_encryption_enabled()) { + if (esp_efuse_is_flash_encryption_enabled()) { /* Can only write 16 byte blocks to flash, so need to cache anything else */ size_t copy_len; @@ -407,7 +406,7 @@ esp_err_t esp_ota_write_with_offset(esp_ota_handle_t handle, const void *data, s /* esp_ota_write_with_offset is used to write data in non contiguous manner. * Hence, unaligned data(less than 16 bytes) cannot be cached if flash encryption is enabled. */ - if (esp_flash_encryption_enabled() && (size % 16)) { + if (esp_efuse_is_flash_encryption_enabled() && (size % 16)) { ESP_LOGE(TAG, "Size should be 16byte aligned for flash encryption case"); return ESP_ERR_INVALID_ARG; } @@ -880,7 +879,7 @@ esp_err_t esp_ota_get_bootloader_description(const esp_partition_t *bootloader_p esp_partition_t partition = { 0 }; if (bootloader_partition == NULL) { partition.flash_chip = esp_flash_default_chip; - partition.encrypted = esp_flash_encryption_enabled(); + partition.encrypted = esp_efuse_is_flash_encryption_enabled(); partition.address = CONFIG_BOOTLOADER_OFFSET_IN_FLASH; partition.size = CONFIG_PARTITION_TABLE_OFFSET - CONFIG_BOOTLOADER_OFFSET_IN_FLASH; } else { diff --git a/components/bootloader_support/bootloader_flash/src/bootloader_flash.c b/components/bootloader_support/bootloader_flash/src/bootloader_flash.c index d0b8aa449d..2e4182b263 100644 --- a/components/bootloader_support/bootloader_flash/src/bootloader_flash.c +++ b/components/bootloader_support/bootloader_flash/src/bootloader_flash.c @@ -7,7 +7,7 @@ #include #include -#include +#include "esp_efuse.h" #include "sdkconfig.h" #include "soc/soc_caps.h" #include "hal/efuse_ll.h" @@ -84,7 +84,7 @@ void bootloader_munmap(const void *mapping) esp_err_t bootloader_flash_read(size_t src, void *dest, size_t size, bool allow_decrypt) { - if (allow_decrypt && esp_flash_encryption_enabled()) { + if (allow_decrypt && esp_efuse_is_flash_encryption_enabled()) { return esp_flash_read_encrypted(NULL, src, dest, size); } else { return esp_flash_read(NULL, dest, src, size); diff --git a/components/bootloader_support/include/esp_flash_encrypt.h b/components/bootloader_support/include/esp_flash_encrypt.h index 0e502399eb..6fc517619e 100644 --- a/components/bootloader_support/include/esp_flash_encrypt.h +++ b/components/bootloader_support/include/esp_flash_encrypt.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -34,8 +34,11 @@ typedef enum { * * Flash encryption is enabled if the FLASH_CRYPT_CNT efuse has an odd number of bits set. * + * @deprecated This function is deprecated. Use esp_efuse_is_flash_encryption_enabled() instead. + * * @return true if flash encryption is enabled. */ +__attribute__((deprecated("Use esp_efuse_is_flash_encryption_enabled() instead"))) bool esp_flash_encryption_enabled(void); /* @brief Update on-device flash encryption diff --git a/components/bootloader_support/src/bootloader_utility.c b/components/bootloader_support/src/bootloader_utility.c index cce391e45a..0916ae9a3d 100644 --- a/components/bootloader_support/src/bootloader_utility.c +++ b/components/bootloader_support/src/bootloader_utility.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2018-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2018-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -393,7 +393,7 @@ int bootloader_utility_get_selected_boot_partition(const bootloader_state_t *bs) ESP_LOGD(TAG, "otadata[1]: sequence values 0x%08"PRIx32, otadata[1].ota_seq); #ifdef CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE - bool write_encrypted = esp_flash_encryption_enabled(); + bool write_encrypted = esp_efuse_is_flash_encryption_enabled(); for (int i = 0; i < 2; ++i) { if (otadata[i].ota_state == ESP_OTA_IMG_PENDING_VERIFY) { ESP_LOGD(TAG, "otadata[%d] is marking as ABORTED", i); @@ -496,7 +496,7 @@ static void set_actual_ota_seq(const bootloader_state_t *bs, int index) otadata.ota_state = ESP_OTA_IMG_VALID; otadata.crc = bootloader_common_ota_select_crc(&otadata); - bool write_encrypted = esp_flash_encryption_enabled(); + bool write_encrypted = esp_efuse_is_flash_encryption_enabled(); write_otadata(&otadata, bs->ota_info.offset + FLASH_SECTOR_SIZE * 0, write_encrypted); ESP_LOGI(TAG, "Set actual ota_seq=%"PRIu32" in otadata[0]", otadata.ota_seq); #ifdef CONFIG_BOOTLOADER_APP_ANTI_ROLLBACK @@ -684,7 +684,7 @@ static void load_image(const esp_image_metadata_t *image_data) return; } - if (!esp_secure_boot_enabled() || !esp_flash_encryption_enabled()) { + if (!esp_secure_boot_enabled() || !esp_efuse_is_flash_encryption_enabled()) { esp_efuse_batch_write_begin(); } #endif // CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER @@ -777,7 +777,7 @@ static void load_image(const esp_image_metadata_t *image_data) #endif #ifdef CONFIG_SECURE_FLASH_ENC_ENABLED - if (!flash_encryption_enabled && esp_flash_encryption_enabled()) { + if (!flash_encryption_enabled && esp_efuse_is_flash_encryption_enabled()) { /* Flash encryption was just enabled for the first time, so issue a system reset to ensure flash encryption cache resets properly */ diff --git a/components/bootloader_support/src/esp32/secure_boot_secure_features.c b/components/bootloader_support/src/esp32/secure_boot_secure_features.c index 6eaa426181..04ea77213b 100644 --- a/components/bootloader_support/src/esp32/secure_boot_secure_features.c +++ b/components/bootloader_support/src/esp32/secure_boot_secure_features.c @@ -5,7 +5,6 @@ */ #include -#include "esp_flash_encrypt.h" #include "esp_secure_boot.h" #include "esp_efuse.h" #include "esp_efuse_table.h" @@ -87,7 +86,7 @@ esp_err_t esp_secure_boot_enable_secure_features(void) #ifdef CONFIG_SECURE_FLASH_ENC_ENABLED /* If flash encryption is not enabled yet then don't read-disable efuses yet, do it later in the boot when Flash Encryption is being enabled */ - rd_dis_now = esp_flash_encryption_enabled(); + rd_dis_now = esp_efuse_is_flash_encryption_enabled(); #endif if (rd_dis_now) { ESP_LOGI(TAG, "Prevent read disabling of additional efuses..."); diff --git a/components/bootloader_support/src/esp32c3/secure_boot_secure_features.c b/components/bootloader_support/src/esp32c3/secure_boot_secure_features.c index 1e662ad8e8..6ea9fdc825 100644 --- a/components/bootloader_support/src/esp32c3/secure_boot_secure_features.c +++ b/components/bootloader_support/src/esp32c3/secure_boot_secure_features.c @@ -5,7 +5,6 @@ */ #include -#include "esp_flash_encrypt.h" #include "esp_secure_boot.h" #include "esp_efuse.h" #include "esp_efuse_table.h" @@ -56,7 +55,7 @@ esp_err_t esp_secure_boot_enable_secure_features(void) #ifdef CONFIG_SECURE_FLASH_ENC_ENABLED /* If flash encryption is not enabled yet then don't read-disable efuses yet, do it later in the boot when Flash Encryption is being enabled */ - rd_dis_now = esp_flash_encryption_enabled(); + rd_dis_now = esp_efuse_is_flash_encryption_enabled(); #endif if (rd_dis_now) { ESP_LOGI(TAG, "Prevent read disabling of additional efuses..."); diff --git a/components/bootloader_support/src/esp32c5/secure_boot_secure_features.c b/components/bootloader_support/src/esp32c5/secure_boot_secure_features.c index cc9f57b766..49255d08d0 100644 --- a/components/bootloader_support/src/esp32c5/secure_boot_secure_features.c +++ b/components/bootloader_support/src/esp32c5/secure_boot_secure_features.c @@ -5,7 +5,6 @@ */ #include -#include "esp_flash_encrypt.h" #include "esp_secure_boot.h" #include "esp_efuse.h" #include "esp_efuse_table.h" @@ -60,7 +59,7 @@ esp_err_t esp_secure_boot_enable_secure_features(void) #ifdef CONFIG_SECURE_FLASH_ENC_ENABLED /* If flash encryption is not enabled yet then don't read-disable efuses yet, do it later in the boot when Flash Encryption is being enabled */ - rd_dis_now = esp_flash_encryption_enabled(); + rd_dis_now = esp_efuse_is_flash_encryption_enabled(); #endif if (rd_dis_now) { ESP_LOGI(TAG, "Prevent read disabling of additional efuses..."); diff --git a/components/bootloader_support/src/esp32c6/secure_boot_secure_features.c b/components/bootloader_support/src/esp32c6/secure_boot_secure_features.c index dd2b72cc70..3d440ae7c6 100644 --- a/components/bootloader_support/src/esp32c6/secure_boot_secure_features.c +++ b/components/bootloader_support/src/esp32c6/secure_boot_secure_features.c @@ -5,7 +5,6 @@ */ #include -#include "esp_flash_encrypt.h" #include "esp_secure_boot.h" #include "esp_efuse.h" #include "esp_efuse_table.h" @@ -56,7 +55,7 @@ esp_err_t esp_secure_boot_enable_secure_features(void) #ifdef CONFIG_SECURE_FLASH_ENC_ENABLED /* If flash encryption is not enabled yet then don't read-disable efuses yet, do it later in the boot when Flash Encryption is being enabled */ - rd_dis_now = esp_flash_encryption_enabled(); + rd_dis_now = esp_efuse_is_flash_encryption_enabled(); #endif if (rd_dis_now) { ESP_LOGI(TAG, "Prevent read disabling of additional efuses..."); diff --git a/components/bootloader_support/src/esp32c61/secure_boot_secure_features.c b/components/bootloader_support/src/esp32c61/secure_boot_secure_features.c index 27f9bcc741..464802dfb8 100644 --- a/components/bootloader_support/src/esp32c61/secure_boot_secure_features.c +++ b/components/bootloader_support/src/esp32c61/secure_boot_secure_features.c @@ -5,7 +5,6 @@ */ #include -#include "esp_flash_encrypt.h" #include "esp_secure_boot.h" #include "esp_efuse.h" #include "esp_efuse_table.h" @@ -55,7 +54,7 @@ esp_err_t esp_secure_boot_enable_secure_features(void) #ifdef CONFIG_SECURE_FLASH_ENC_ENABLED /* If flash encryption is not enabled yet then don't read-disable efuses yet, do it later in the boot when Flash Encryption is being enabled */ - rd_dis_now = esp_flash_encryption_enabled(); + rd_dis_now = esp_efuse_is_flash_encryption_enabled(); #endif if (rd_dis_now) { ESP_LOGI(TAG, "Prevent read disabling of additional efuses..."); diff --git a/components/bootloader_support/src/esp32h2/secure_boot_secure_features.c b/components/bootloader_support/src/esp32h2/secure_boot_secure_features.c index 9798c7e73b..c9843cd943 100644 --- a/components/bootloader_support/src/esp32h2/secure_boot_secure_features.c +++ b/components/bootloader_support/src/esp32h2/secure_boot_secure_features.c @@ -6,7 +6,6 @@ #include #include "hal/ecdsa_ll.h" -#include "esp_flash_encrypt.h" #include "esp_secure_boot.h" #include "esp_efuse.h" #include "esp_efuse_table.h" @@ -57,7 +56,7 @@ esp_err_t esp_secure_boot_enable_secure_features(void) #ifdef CONFIG_SECURE_FLASH_ENC_ENABLED /* If flash encryption is not enabled yet then don't read-disable efuses yet, do it later in the boot when Flash Encryption is being enabled */ - rd_dis_now = esp_flash_encryption_enabled(); + rd_dis_now = esp_efuse_is_flash_encryption_enabled(); #endif if (rd_dis_now) { ESP_LOGI(TAG, "Prevent read disabling of additional efuses..."); diff --git a/components/bootloader_support/src/esp32h21/secure_boot_secure_features.c b/components/bootloader_support/src/esp32h21/secure_boot_secure_features.c index a63f05d6c6..29bcbd8f35 100644 --- a/components/bootloader_support/src/esp32h21/secure_boot_secure_features.c +++ b/components/bootloader_support/src/esp32h21/secure_boot_secure_features.c @@ -5,7 +5,6 @@ */ #include -#include "esp_flash_encrypt.h" #include "esp_secure_boot.h" #include "esp_efuse.h" #include "esp_efuse_table.h" @@ -56,7 +55,7 @@ esp_err_t esp_secure_boot_enable_secure_features(void) #ifdef CONFIG_SECURE_FLASH_ENC_ENABLED /* If flash encryption is not enabled yet then don't read-disable efuses yet, do it later in the boot when Flash Encryption is being enabled */ - rd_dis_now = esp_flash_encryption_enabled(); + rd_dis_now = esp_efuse_is_flash_encryption_enabled(); #endif if (rd_dis_now) { ESP_LOGI(TAG, "Prevent read disabling of additional efuses..."); diff --git a/components/bootloader_support/src/esp32p4/secure_boot_secure_features.c b/components/bootloader_support/src/esp32p4/secure_boot_secure_features.c index a3232f4a5d..d98664dc39 100644 --- a/components/bootloader_support/src/esp32p4/secure_boot_secure_features.c +++ b/components/bootloader_support/src/esp32p4/secure_boot_secure_features.c @@ -5,7 +5,6 @@ */ #include -#include "esp_flash_encrypt.h" #include "esp_secure_boot.h" #include "esp_efuse.h" #include "esp_efuse_table.h" @@ -56,7 +55,7 @@ esp_err_t esp_secure_boot_enable_secure_features(void) #ifdef CONFIG_SECURE_FLASH_ENC_ENABLED /* If flash encryption is not enabled yet then don't read-disable efuses yet, do it later in the boot when Flash Encryption is being enabled */ - rd_dis_now = esp_flash_encryption_enabled(); + rd_dis_now = esp_efuse_is_flash_encryption_enabled(); #endif if (rd_dis_now) { ESP_LOGI(TAG, "Prevent read disabling of additional efuses..."); diff --git a/components/bootloader_support/src/esp32s2/secure_boot_secure_features.c b/components/bootloader_support/src/esp32s2/secure_boot_secure_features.c index 830843b00c..7d87588b3c 100644 --- a/components/bootloader_support/src/esp32s2/secure_boot_secure_features.c +++ b/components/bootloader_support/src/esp32s2/secure_boot_secure_features.c @@ -5,7 +5,6 @@ */ #include -#include "esp_flash_encrypt.h" #include "esp_secure_boot.h" #include "esp_efuse.h" #include "esp_efuse_table.h" @@ -56,7 +55,7 @@ esp_err_t esp_secure_boot_enable_secure_features(void) #ifdef CONFIG_SECURE_FLASH_ENC_ENABLED /* If flash encryption is not enabled yet then don't read-disable efuses yet, do it later in the boot when Flash Encryption is being enabled */ - rd_dis_now = esp_flash_encryption_enabled(); + rd_dis_now = esp_efuse_is_flash_encryption_enabled(); #endif if (rd_dis_now) { ESP_LOGI(TAG, "Prevent read disabling of additional efuses..."); diff --git a/components/bootloader_support/src/esp32s3/secure_boot_secure_features.c b/components/bootloader_support/src/esp32s3/secure_boot_secure_features.c index ad72623248..ee5c80b731 100644 --- a/components/bootloader_support/src/esp32s3/secure_boot_secure_features.c +++ b/components/bootloader_support/src/esp32s3/secure_boot_secure_features.c @@ -5,7 +5,6 @@ */ #include -#include "esp_flash_encrypt.h" #include "esp_secure_boot.h" #include "esp_efuse.h" #include "esp_efuse_table.h" @@ -56,7 +55,7 @@ esp_err_t esp_secure_boot_enable_secure_features(void) #ifdef CONFIG_SECURE_FLASH_ENC_ENABLED /* If flash encryption is not enabled yet then don't read-disable efuses yet, do it later in the boot when Flash Encryption is being enabled */ - rd_dis_now = esp_flash_encryption_enabled(); + rd_dis_now = esp_efuse_is_flash_encryption_enabled(); #endif if (rd_dis_now) { ESP_LOGI(TAG, "Prevent read disabling of additional efuses..."); diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c index 4ba4a0a3b9..e3c52b4305 100644 --- a/components/bootloader_support/src/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encrypt.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -36,7 +36,7 @@ void esp_flash_encryption_init_checks() esp_flash_enc_mode_t mode; #ifdef CONFIG_SECURE_FLASH_CHECK_ENC_EN_IN_APP - if (!esp_flash_encryption_enabled()) { + if (!esp_efuse_is_flash_encryption_enabled()) { ESP_LOGE(TAG, "Flash encryption eFuse bit was not enabled in bootloader but CONFIG_SECURE_FLASH_ENC_ENABLED is on"); abort(); } @@ -47,7 +47,7 @@ void esp_flash_encryption_init_checks() // if bootloader is IDF V4.0 or newer but may not have happened for previous ESP-IDF bootloaders. #ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE #ifdef CONFIG_SECURE_BOOT - if (esp_secure_boot_enabled() && esp_flash_encryption_enabled()) { + if (esp_secure_boot_enabled() && esp_efuse_is_flash_encryption_enabled()) { bool flash_crypt_cnt_wr_dis = esp_efuse_read_field_bit(WR_DIS_CRYPT_CNT); if (!flash_crypt_cnt_wr_dis) { uint8_t flash_crypt_cnt = 0; @@ -80,35 +80,6 @@ void esp_flash_encryption_init_checks() } #endif // BOOTLOADER_BUILD -/** - * This former inlined function must not be defined in the header file anymore. - * As it depends on efuse component, any use of it outside of `bootloader_support`, - * would require the caller component to include `efuse` as part of its `REQUIRES` or - * `PRIV_REQUIRES` entries. - * Attribute IRAM_ATTR must be specified for the app build. - */ -bool IRAM_ATTR esp_flash_encryption_enabled(void) -{ -#ifndef CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH - return efuse_hal_flash_encryption_enabled(); -#else - uint32_t flash_crypt_cnt = 0; -#if CONFIG_IDF_TARGET_ESP32 - esp_efuse_read_field_blob(ESP_EFUSE_FLASH_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count); -#else - esp_efuse_read_field_blob(ESP_EFUSE_SPI_BOOT_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count); -#endif - /* __builtin_parity is in flash, so we calculate parity inline */ - bool enabled = false; - while (flash_crypt_cnt) { - if (flash_crypt_cnt & 1) { - enabled = !enabled; - } - flash_crypt_cnt >>= 1; - } - return enabled; -#endif // CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH -} void esp_flash_write_protect_crypt_cnt(void) { @@ -120,7 +91,7 @@ esp_flash_enc_mode_t esp_get_flash_encryption_mode(void) bool flash_crypt_cnt_wr_dis = false; esp_flash_enc_mode_t mode = ESP_FLASH_ENC_MODE_DEVELOPMENT; - if (esp_flash_encryption_enabled()) { + if (esp_efuse_is_flash_encryption_enabled()) { /* Check if FLASH CRYPT CNT is write protected */ flash_crypt_cnt_wr_dis = esp_efuse_read_field_bit(WR_DIS_CRYPT_CNT); @@ -253,7 +224,7 @@ bool esp_flash_encryption_cfg_verify_release_mode(void) bool result = false; bool secure; - secure = esp_flash_encryption_enabled(); + secure = esp_efuse_is_flash_encryption_enabled(); result = secure; if (!secure) { ESP_LOGW(TAG, "Not enabled Flash Encryption (FLASH_CRYPT_CNT->1 or max)"); @@ -330,7 +301,7 @@ bool esp_flash_encryption_cfg_verify_release_mode(void) bool result = false; bool secure; - secure = esp_flash_encryption_enabled(); + secure = esp_efuse_is_flash_encryption_enabled(); result = secure; if (!secure) { ESP_LOGW(TAG, "Not enabled Flash Encryption (SPI_BOOT_CRYPT_CNT->1 or max)"); @@ -517,3 +488,9 @@ bool esp_flash_encryption_cfg_verify_release_mode(void) return result; } #endif // not CONFIG_IDF_TARGET_ESP32 + +// Deprecated function +bool IRAM_ATTR esp_flash_encryption_enabled(void) +{ + return esp_efuse_is_flash_encryption_enabled(); +} diff --git a/components/bootloader_support/src/flash_encryption/flash_encrypt.c b/components/bootloader_support/src/flash_encryption/flash_encrypt.c index 7da8a6957d..a5cb61609d 100644 --- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c @@ -406,7 +406,7 @@ static esp_err_t check_and_generate_encryption_keys(void) esp_err_t esp_flash_encrypt_init(void) { - if (esp_flash_encryption_enabled()) { + if (esp_efuse_is_flash_encryption_enabled()) { return ESP_OK; } @@ -503,7 +503,7 @@ esp_err_t esp_flash_encrypt_contents(void) esp_err_t esp_flash_encrypt_enable(void) { esp_err_t err = ESP_OK; - if (!esp_flash_encryption_enabled()) { + if (!esp_efuse_is_flash_encryption_enabled()) { if (esp_flash_encrypt_is_write_protected(true)) { return ESP_FAIL; diff --git a/components/bootloader_support/src/secure_boot_v1/secure_boot.c b/components/bootloader_support/src/secure_boot_v1/secure_boot.c index fa22af115a..3297c93f26 100644 --- a/components/bootloader_support/src/secure_boot_v1/secure_boot.c +++ b/components/bootloader_support/src/secure_boot_v1/secure_boot.c @@ -22,7 +22,6 @@ #include "bootloader_random.h" #include "esp_image_format.h" #include "esp_secure_boot.h" -#include "esp_flash_encrypt.h" #include "esp_efuse.h" #include "esp_efuse_table.h" @@ -77,7 +76,7 @@ static bool secure_boot_generate(uint32_t image_len){ ESP_LOGD(TAG, "write iv+digest to flash"); err = bootloader_flash_write(FLASH_OFFS_SECURE_BOOT_IV_DIGEST, &digest, - sizeof(digest), esp_flash_encryption_enabled()); + sizeof(digest), esp_efuse_is_flash_encryption_enabled()); if (err != ESP_OK) { ESP_LOGE(TAG, "SPI write failed: 0x%x", err); return false; diff --git a/components/efuse/include/esp_efuse.h b/components/efuse/include/esp_efuse.h index fb027ca2a9..d12d20f67c 100644 --- a/components/efuse/include/esp_efuse.h +++ b/components/efuse/include/esp_efuse.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2017-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2017-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -823,6 +823,13 @@ esp_err_t esp_efuse_check_errors(void); */ esp_err_t esp_efuse_destroy_block(esp_efuse_block_t block); +/** + * @brief Checks if flash encryption is enabled. + * + * This function checks if the current eFuse configuration supports flash encryption. +*/ +bool esp_efuse_is_flash_encryption_enabled(void); + #if SOC_ECDSA_SUPPORTED /** * @brief Checks if 192-bit ECDSA curve operations are supported. diff --git a/components/efuse/src/esp_efuse_fields.c b/components/efuse/src/esp_efuse_fields.c index 3ac433e62f..5410ffb4fd 100644 --- a/components/efuse/src/esp_efuse_fields.c +++ b/components/efuse/src/esp_efuse_fields.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2017-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2017-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -187,3 +187,26 @@ esp_err_t esp_efuse_set_recovery_bootloader_offset(const uint32_t offset) return ESP_OK; } #endif // SOC_RECOVERY_BOOTLOADER_SUPPORTED + +bool IRAM_ATTR esp_efuse_is_flash_encryption_enabled(void) +{ +#ifndef CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH + return efuse_hal_flash_encryption_enabled(); +#else + uint32_t flash_crypt_cnt = 0; +#if CONFIG_IDF_TARGET_ESP32 + esp_efuse_read_field_blob(ESP_EFUSE_FLASH_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count); +#else + esp_efuse_read_field_blob(ESP_EFUSE_SPI_BOOT_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count); +#endif + /* __builtin_parity is in flash, so we calculate parity inline */ + bool enabled = false; + while (flash_crypt_cnt) { + if (flash_crypt_cnt & 1) { + enabled = !enabled; + } + flash_crypt_cnt >>= 1; + } + return enabled; +#endif // CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH +} diff --git a/components/esp_driver_dma/CMakeLists.txt b/components/esp_driver_dma/CMakeLists.txt index 40671b0359..667e50ea95 100644 --- a/components/esp_driver_dma/CMakeLists.txt +++ b/components/esp_driver_dma/CMakeLists.txt @@ -41,7 +41,7 @@ endif() idf_component_register(SRCS ${srcs} INCLUDE_DIRS ${public_include} REQUIRES ${requires} - PRIV_REQUIRES esp_mm + PRIV_REQUIRES esp_mm efuse LDFRAGMENTS "linker.lf" ) diff --git a/components/esp_driver_dma/src/gdma.c b/components/esp_driver_dma/src/gdma.c index 930a799b44..98c24bccd9 100644 --- a/components/esp_driver_dma/src/gdma.c +++ b/components/esp_driver_dma/src/gdma.c @@ -436,7 +436,7 @@ esp_err_t gdma_config_transfer(gdma_channel_handle_t dma_chan, const gdma_transf // While, for AHB GDMA version 2 and AXI GDMA, we need to ensure the alignment by software #if (SOC_PSRAM_DMA_CAPABLE || SOC_DMA_CAN_ACCESS_FLASH) && SOC_AHB_GDMA_VERSION != 1 // if MSPI encryption is enabled, and DMA wants to read/write external memory - if (esp_flash_encryption_enabled() && config->access_ext_mem) { + if (esp_efuse_is_flash_encryption_enabled() && config->access_ext_mem) { uint32_t enc_mem_alignment = GDMA_LL_GET(ACCESS_ENCRYPTION_MEM_ALIGNMENT); // when DMA access the encrypted external memory, extra alignment is needed for external memory ext_mem_alignment = MAX(ext_mem_alignment, enc_mem_alignment); diff --git a/components/esp_driver_dma/src/gdma_link.c b/components/esp_driver_dma/src/gdma_link.c index ffaaabad41..27e48d7ea7 100644 --- a/components/esp_driver_dma/src/gdma_link.c +++ b/components/esp_driver_dma/src/gdma_link.c @@ -19,7 +19,7 @@ #include "hal/efuse_hal.h" #include "hal/cache_ll.h" #include "esp_cache.h" -#include "esp_flash_encrypt.h" +#include "esp_efuse.h" ESP_LOG_ATTR_TAG(TAG, "gdma-link"); @@ -78,7 +78,7 @@ esp_err_t gdma_new_link_list(const gdma_link_list_config_t *config, gdma_link_li bool items_in_ext_mem = config->flags.items_in_ext_mem; uint32_t list_items_mem_caps = MALLOC_CAP_8BIT | MALLOC_CAP_DMA; if (items_in_ext_mem) { - if (esp_flash_encryption_enabled()) { + if (esp_efuse_is_flash_encryption_enabled()) { items_in_ext_mem = false; list_items_mem_caps |= MALLOC_CAP_INTERNAL; ESP_LOGW(TAG, "DMA linked list items cannot be placed in PSRAM when external memory encryption is enabled, using internal memory instead"); @@ -195,7 +195,7 @@ esp_err_t gdma_link_mount_buffers(gdma_link_list_handle_t list, int start_item_i size_t max_buffer_mount_length = ALIGN_DOWN(GDMA_MAX_BUFFER_SIZE_PER_LINK_ITEM, buffer_alignment); if (!config->flags.bypass_buffer_align_check) { ESP_RETURN_ON_FALSE_ISR(((uintptr_t)buf & (buffer_alignment - 1)) == 0, ESP_ERR_INVALID_ARG, TAG, "buf misalign idx=%"PRIu32" align=%"PRIu32, bi, buffer_alignment); - if (esp_flash_encryption_enabled()) { + if (esp_efuse_is_flash_encryption_enabled()) { // buffer size must be aligned to the encryption alignment which should be provided by the upper buffer_alignment ESP_RETURN_ON_FALSE_ISR((len & (buffer_alignment - 1)) == 0, ESP_ERR_INVALID_ARG, TAG, "buf len misalign idx=%"PRIu32" len=%"PRIu32" align=%"PRIu32"", bi, len, buffer_alignment); } diff --git a/components/esp_driver_dma/src/gdma_priv.h b/components/esp_driver_dma/src/gdma_priv.h index 940289d923..b008a95b45 100644 --- a/components/esp_driver_dma/src/gdma_priv.h +++ b/components/esp_driver_dma/src/gdma_priv.h @@ -36,7 +36,7 @@ #include "esp_private/periph_ctrl.h" #include "esp_private/critical_section.h" #include "esp_private/sleep_retention.h" -#include "esp_flash_encrypt.h" +#include "esp_efuse.h" #if CONFIG_GDMA_OBJ_DRAM_SAFE #define GDMA_MEM_ALLOC_CAPS (MALLOC_CAP_INTERNAL | MALLOC_CAP_8BIT) diff --git a/components/esp_driver_dma/test_apps/dma/main/CMakeLists.txt b/components/esp_driver_dma/test_apps/dma/main/CMakeLists.txt index 560a51409b..a2c1e51c94 100644 --- a/components/esp_driver_dma/test_apps/dma/main/CMakeLists.txt +++ b/components/esp_driver_dma/test_apps/dma/main/CMakeLists.txt @@ -23,7 +23,7 @@ endif() # In order for the cases defined by `TEST_CASE` to be linked into the final elf, # the component can be registered as WHOLE_ARCHIVE idf_component_register(SRCS ${srcs} - PRIV_REQUIRES unity esp_mm esp_driver_gpio esp_psram esp_driver_dma + PRIV_REQUIRES unity esp_mm esp_driver_gpio esp_psram esp_driver_dma efuse WHOLE_ARCHIVE) idf_component_get_property(lib_name esp_hal_dma COMPONENT_LIB) diff --git a/components/esp_driver_dma/test_apps/dma/main/test_async_memcpy.c b/components/esp_driver_dma/test_apps/dma/main/test_async_memcpy.c index 2f4d85f7e1..810cdb4ba0 100644 --- a/components/esp_driver_dma/test_apps/dma/main/test_async_memcpy.c +++ b/components/esp_driver_dma/test_apps/dma/main/test_async_memcpy.c @@ -17,7 +17,7 @@ #include "ccomp_timer.h" #include "esp_async_memcpy.h" #include "hal/efuse_hal.h" -#include "esp_flash_encrypt.h" +#include "esp_efuse.h" #if SOC_GDMA_SUPPORTED #include "hal/gdma_ll.h" @@ -171,7 +171,7 @@ static void test_memory_copy_blocking(async_memcpy_handle_t driver) for (int off = 0; off < 4; off++) { test_context.buffer_size = test_buffer_size[i]; test_context.seed = i; - if (!esp_flash_encryption_enabled()) { + if (!esp_efuse_is_flash_encryption_enabled()) { test_context.src_offset = off; test_context.dst_offset = off; } @@ -258,7 +258,7 @@ TEST_CASE("memory copy with dest address unaligned", "[async mcp]") }; [[maybe_unused]] async_memcpy_handle_t driver = NULL; - if (esp_flash_encryption_enabled()) { + if (esp_efuse_is_flash_encryption_enabled()) { TEST_PASS_MESSAGE("Flash encryption is enabled, skip this test"); } diff --git a/components/esp_driver_dma/test_apps/dma/main/test_dw_gdma.c b/components/esp_driver_dma/test_apps/dma/main/test_dw_gdma.c index 2d4591cb25..e1c01944a5 100644 --- a/components/esp_driver_dma/test_apps/dma/main/test_dw_gdma.c +++ b/components/esp_driver_dma/test_apps/dma/main/test_dw_gdma.c @@ -14,7 +14,7 @@ #include "hal/efuse_hal.h" #include "esp_cache.h" #include "esp_private/esp_cache_private.h" -#include "esp_flash_encrypt.h" +#include "esp_efuse.h" TEST_CASE("DW_GDMA channel allocation", "[DW_GDMA]") { @@ -542,7 +542,7 @@ TEST_CASE("DW_GDMA M2M Test: memory set with fixed address", "[DW_GDMA]") size_t int_mem_alignment = 0; TEST_ESP_OK(esp_cache_get_alignment(MALLOC_CAP_SPIRAM, &ext_mem_alignment)); TEST_ESP_OK(esp_cache_get_alignment(0, &int_mem_alignment)); - if (esp_flash_encryption_enabled()) { + if (esp_efuse_is_flash_encryption_enabled()) { TEST_PASS_MESSAGE("Flash encryption is enabled, skip this test"); } uint8_t *src_buf = heap_caps_aligned_calloc(ext_mem_alignment, 1, 256, MALLOC_CAP_SPIRAM | MALLOC_CAP_8BIT); diff --git a/components/esp_driver_dma/test_apps/dma/main/test_gdma.c b/components/esp_driver_dma/test_apps/dma/main/test_gdma.c index acefae7a5d..953120f6b7 100644 --- a/components/esp_driver_dma/test_apps/dma/main/test_gdma.c +++ b/components/esp_driver_dma/test_apps/dma/main/test_gdma.c @@ -24,7 +24,7 @@ #include "esp_cache.h" #include "esp_memory_utils.h" #include "gdma_test_utils.h" -#include "esp_flash_encrypt.h" +#include "esp_efuse.h" #define ALIGN_UP(num, align) (((num) + ((align) - 1)) & ~((align) - 1)) #define ALIGN_DOWN(num, align) ((num) & ~((align) - 1)) @@ -277,7 +277,7 @@ static void test_gdma_m2m_transaction(gdma_channel_handle_t tx_chan, gdma_channe TEST_ASSERT_NOT_NULL(done_sem); TEST_ESP_OK(gdma_register_rx_event_callbacks(rx_chan, &rx_cbs, done_sem)); - if (esp_flash_encryption_enabled()) { + if (esp_efuse_is_flash_encryption_enabled()) { dma_link_in_ext_mem = false; } @@ -539,7 +539,7 @@ static void test_gdma_m2m_unaligned_buffer_test(uint8_t *dst_data, uint8_t *src_ TEST_CASE("GDMA M2M Unaligned RX Buffer Test", "[GDMA][M2M]") { - if (esp_flash_encryption_enabled()) { + if (esp_efuse_is_flash_encryption_enabled()) { TEST_PASS_MESSAGE("Flash encryption is enabled, skip this test"); } diff --git a/components/esp_https_ota/CMakeLists.txt b/components/esp_https_ota/CMakeLists.txt index 1fa2418108..95b5bbbde1 100644 --- a/components/esp_https_ota/CMakeLists.txt +++ b/components/esp_https_ota/CMakeLists.txt @@ -6,6 +6,6 @@ endif() idf_component_register(SRCS "src/esp_https_ota.c" INCLUDE_DIRS "include" - REQUIRES esp_http_client bootloader_support esp_bootloader_format esp_app_format + REQUIRES esp_http_client esp_bootloader_format esp_app_format esp_event esp_partition - PRIV_REQUIRES log app_update) + PRIV_REQUIRES log app_update efuse) diff --git a/components/esp_https_ota/src/esp_https_ota.c b/components/esp_https_ota/src/esp_https_ota.c index 7a5ee46bb0..2a750fbb6a 100644 --- a/components/esp_https_ota/src/esp_https_ota.c +++ b/components/esp_https_ota/src/esp_https_ota.c @@ -14,7 +14,7 @@ #include #include #include "esp_check.h" -#include "esp_flash_encrypt.h" +#include "esp_efuse.h" #include "hal/efuse_hal.h" ESP_EVENT_DEFINE_BASE(ESP_HTTPS_OTA_EVENT); @@ -350,7 +350,7 @@ esp_err_t esp_https_ota_begin(const esp_https_ota_config_t *ota_config, esp_http // We allow resumption only if we have minimum buffer size already written to flash if (ota_config->ota_image_bytes_written >= DEFAULT_OTA_BUF_SIZE) { // For FE case the flash is written in multiples of 16 bytes. So, we need to align the offset to 16 bytes. - https_ota_handle->binary_file_len = esp_flash_encryption_enabled() ? (ota_config->ota_image_bytes_written & ~0xF) : ota_config->ota_image_bytes_written; + https_ota_handle->binary_file_len = esp_efuse_is_flash_encryption_enabled() ? (ota_config->ota_image_bytes_written & ~0xF) : ota_config->ota_image_bytes_written; ESP_LOGD(TAG, "Resuming OTA from offset: %d", https_ota_handle->binary_file_len); } } diff --git a/components/esp_hw_support/CMakeLists.txt b/components/esp_hw_support/CMakeLists.txt index 81b0c77229..1ad9c0f801 100644 --- a/components/esp_hw_support/CMakeLists.txt +++ b/components/esp_hw_support/CMakeLists.txt @@ -30,6 +30,7 @@ if(NOT non_os_build) "port/${target}/io_mux.c" "port/${target}/esp_clk_tree.c" "spi_bus_lock.c" + "heap_align_hw.c" "clk_utils.c") if(CONFIG_SOC_USB_OTG_SUPPORTED) list(APPEND srcs "usb_phy/usb_phy.c") diff --git a/components/esp_mm/heap_align_hw.c b/components/esp_hw_support/heap_align_hw.c similarity index 97% rename from components/esp_mm/heap_align_hw.c rename to components/esp_hw_support/heap_align_hw.c index 4aa9c46cb0..d786b3705b 100644 --- a/components/esp_mm/heap_align_hw.c +++ b/components/esp_hw_support/heap_align_hw.c @@ -13,7 +13,7 @@ #if SOC_HAS(GDMA) #include "hal/gdma_ll.h" #include "hal/efuse_hal.h" -#include "esp_flash_encrypt.h" +#include "esp_efuse.h" #endif #if CONFIG_HEAP_PLACE_FUNCTION_INTO_FLASH @@ -83,7 +83,7 @@ HEAP_IRAM_ATTR void esp_heap_adjust_alignment_to_hw(size_t *p_alignment, size_t #endif #if SOC_HAS(GDMA) && (SOC_PSRAM_DMA_CAPABLE || SOC_DMA_CAN_ACCESS_FLASH) - if ((caps & MALLOC_CAP_DMA) && esp_flash_encryption_enabled()) { + if ((caps & MALLOC_CAP_DMA) && esp_efuse_is_flash_encryption_enabled()) { alignment = (alignment > GDMA_LL_GET(ACCESS_ENCRYPTION_MEM_ALIGNMENT)) ? alignment : GDMA_LL_GET(ACCESS_ENCRYPTION_MEM_ALIGNMENT); } #endif diff --git a/components/esp_mm/include/esp_private/heap_align_hw.h b/components/esp_hw_support/include/esp_private/heap_align_hw.h similarity index 100% rename from components/esp_mm/include/esp_private/heap_align_hw.h rename to components/esp_hw_support/include/esp_private/heap_align_hw.h diff --git a/components/esp_lcd/test_apps/mipi_dsi_lcd/main/CMakeLists.txt b/components/esp_lcd/test_apps/mipi_dsi_lcd/main/CMakeLists.txt index 43a25613de..3c3cb8e6b6 100644 --- a/components/esp_lcd/test_apps/mipi_dsi_lcd/main/CMakeLists.txt +++ b/components/esp_lcd/test_apps/mipi_dsi_lcd/main/CMakeLists.txt @@ -9,5 +9,5 @@ endif() # In order for the cases defined by `TEST_CASE` to be linked into the final elf, # the component can be registered as WHOLE_ARCHIVE idf_component_register(SRCS ${srcs} - PRIV_REQUIRES esp_lcd unity esp_driver_ppa bootloader_support + PRIV_REQUIRES esp_lcd unity esp_driver_ppa efuse WHOLE_ARCHIVE) diff --git a/components/esp_lcd/test_apps/mipi_dsi_lcd/main/test_mipi_dsi_panel.c b/components/esp_lcd/test_apps/mipi_dsi_lcd/main/test_mipi_dsi_panel.c index 1d925d8730..8b5488b299 100644 --- a/components/esp_lcd/test_apps/mipi_dsi_lcd/main/test_mipi_dsi_panel.c +++ b/components/esp_lcd/test_apps/mipi_dsi_lcd/main/test_mipi_dsi_panel.c @@ -17,7 +17,7 @@ #include "test_mipi_dsi_board.h" #include "esp_lcd_ek79007.h" #include "driver/ppa.h" -#include "esp_flash_encrypt.h" +#include "esp_efuse.h" #define ALIGN_UP(num, align) (((num) + ((align) - 1)) & ~((align) - 1)) #define ALIGN_DOWN(num, align) ((num) & ~((align) - 1)) @@ -250,7 +250,7 @@ TEST_CASE("MIPI DSI use DMA2D (EK79007)", "[mipi_dsi]") size_t src_x_start = 50; size_t src_y_start = 50; // If flash encryption is enabled, the buffer address and size must be aligned to SOC_GDMA_EXT_MEM_ENC_ALIGNMENT. - if (esp_flash_encryption_enabled()) { + if (esp_efuse_is_flash_encryption_enabled()) { test_block_size = ALIGN_DOWN(test_block_size, SOC_GDMA_EXT_MEM_ENC_ALIGNMENT); start_alignment = SOC_GDMA_EXT_MEM_ENC_ALIGNMENT; src_x_start = ALIGN_DOWN(src_x_start, SOC_GDMA_EXT_MEM_ENC_ALIGNMENT); diff --git a/components/esp_mm/CMakeLists.txt b/components/esp_mm/CMakeLists.txt index 7fed361905..b79155fc70 100644 --- a/components/esp_mm/CMakeLists.txt +++ b/components/esp_mm/CMakeLists.txt @@ -26,8 +26,6 @@ else() endif() endif() -list(APPEND srcs "heap_align_hw.c") - idf_component_register(SRCS ${srcs} INCLUDE_DIRS ${includes} PRIV_REQUIRES ${priv_requires} diff --git a/components/esp_partition/CMakeLists.txt b/components/esp_partition/CMakeLists.txt index 5dc13db76f..3bd605b3ca 100644 --- a/components/esp_partition/CMakeLists.txt +++ b/components/esp_partition/CMakeLists.txt @@ -6,7 +6,7 @@ set(reqs esp_blockdev) if(BOOTLOADER_BUILD) set(srcs "partition_bootloader.c") list(APPEND reqs spi_flash) - set(priv_reqs "bootloader_support") + set(priv_reqs "bootloader_support" "efuse") idf_component_register(SRCS "${srcs}" INCLUDE_DIRS "include" @@ -18,7 +18,7 @@ if(BOOTLOADER_BUILD) elseif(esp_tee_build) set(srcs "partition_tee.c") list(APPEND reqs spi_flash) - set(priv_reqs "tee_flash_mgr") + set(priv_reqs "tee_flash_mgr" "efuse") idf_component_register(SRCS "${srcs}" INCLUDE_DIRS "include" @@ -29,7 +29,7 @@ elseif(esp_tee_build) # regular, OS build else() set(srcs "partition.c") - set(priv_reqs esp_system spi_flash partition_table) + set(priv_reqs esp_system spi_flash partition_table efuse) set(reqs esp_blockdev) set(private_include_dirs) diff --git a/components/esp_partition/partition.c b/components/esp_partition/partition.c index bbed812d6c..f5034fe840 100644 --- a/components/esp_partition/partition.c +++ b/components/esp_partition/partition.c @@ -26,7 +26,7 @@ #include "esp_partition.h" #include "esp_flash.h" #if !CONFIG_IDF_TARGET_LINUX -#include "esp_flash_encrypt.h" +#include "esp_efuse.h" #endif #include "spi_flash_mmap.h" #include "esp_log.h" @@ -80,7 +80,7 @@ static bool is_partition_encrypted(bool encryption_config, esp_partition_type_t return false; #else bool ret_encrypted = encryption_config; - if (!esp_flash_encryption_enabled()) { + if (!esp_efuse_is_flash_encryption_enabled()) { /* If flash encryption is not turned on, no partitions should be treated as encrypted */ ret_encrypted = false; } else if (type == ESP_PARTITION_TYPE_APP diff --git a/components/espcoredump/CMakeLists.txt b/components/espcoredump/CMakeLists.txt index b0329d71b6..a6805a8b27 100644 --- a/components/espcoredump/CMakeLists.txt +++ b/components/espcoredump/CMakeLists.txt @@ -9,7 +9,7 @@ set(includes "") set(priv_includes "") set(priv_requires esp_partition spi_flash bootloader_support mbedtls esp_rom soc esp_system esp_driver_gpio esp_app_format - esp_hal_security) + esp_hal_security efuse) if(CONFIG_ESP_COREDUMP_ENABLE) list(APPEND srcs "src/core_dump_init.c" diff --git a/components/espcoredump/src/core_dump_elf.c b/components/espcoredump/src/core_dump_elf.c index 422d016057..18e24f1094 100644 --- a/components/espcoredump/src/core_dump_elf.c +++ b/components/espcoredump/src/core_dump_elf.c @@ -8,7 +8,7 @@ #include #include "esp_attr.h" #include "esp_partition.h" -#include "esp_flash_encrypt.h" +#include "esp_efuse.h" #include "core_dump_checksum.h" #include "esp_core_dump_port.h" #include "esp_core_dump_common.h" @@ -901,7 +901,7 @@ static esp_err_t elf_core_dump_image_mmap(esp_partition_mmap_handle_t* core_data /* Data read from the mmapped core dump partition will be garbage if flash * encryption is enabled in hardware and core dump partition is not encrypted */ - if (esp_flash_encryption_enabled() && !core_part->encrypted) { + if (esp_efuse_is_flash_encryption_enabled() && !core_part->encrypted) { ESP_COREDUMP_LOGE("Flash encryption enabled in hardware and core dump partition is not encrypted!"); return ESP_ERR_NOT_SUPPORTED; } diff --git a/components/espcoredump/src/core_dump_flash.c b/components/espcoredump/src/core_dump_flash.c index 95e6e26a4c..eff2abd616 100644 --- a/components/espcoredump/src/core_dump_flash.c +++ b/components/espcoredump/src/core_dump_flash.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -11,7 +11,7 @@ #include "esp_core_dump_types.h" #include "core_dump_checksum.h" #include "esp_private/esp_flash_internal.h" -#include "esp_flash_encrypt.h" +#include "esp_efuse.h" #include "esp_rom_crc.h" #include "esp_private/spi_flash_os.h" #include "spi_flash_mmap.h" @@ -72,7 +72,7 @@ static esp_err_t esp_core_dump_flash_custom_write(uint32_t address, const void * { esp_err_t err = ESP_OK; - if (esp_flash_encryption_enabled() && s_core_flash_config.partition.encrypted) { + if (esp_efuse_is_flash_encryption_enabled() && s_core_flash_config.partition.encrypted) { err = ESP_COREDUMP_FLASH_WRITE_ENCRYPTED(address, buffer, length); } else { err = ESP_COREDUMP_FLASH_WRITE(address, buffer, length); @@ -143,7 +143,7 @@ static void esp_core_dump_partition_init(void) s_core_flash_config.partition_config_crc = esp_core_dump_calc_flash_config_crc(); - if (esp_flash_encryption_enabled() && !core_part->encrypted) { + if (esp_efuse_is_flash_encryption_enabled() && !core_part->encrypted) { ESP_COREDUMP_LOGW("core dump partition is plain text, consider enabling `encrypted` flag"); } } diff --git a/components/nvs_flash/test_apps/main/CMakeLists.txt b/components/nvs_flash/test_apps/main/CMakeLists.txt index 59b17ad7f1..27385e8056 100644 --- a/components/nvs_flash/test_apps/main/CMakeLists.txt +++ b/components/nvs_flash/test_apps/main/CMakeLists.txt @@ -1,6 +1,6 @@ idf_component_register(SRC_DIRS "." PRIV_REQUIRES cmock test_utils nvs_flash nvs_sec_provider - bootloader_support esp_psram + esp_psram efuse EMBED_TXTFILES encryption_keys.bin partition_encrypted.bin partition_encrypted_hmac.bin sample.bin WHOLE_ARCHIVE) diff --git a/components/nvs_flash/test_apps/main/test_nvs.c b/components/nvs_flash/test_apps/main/test_nvs.c index e4d1dfc5ca..a36861d816 100644 --- a/components/nvs_flash/test_apps/main/test_nvs.c +++ b/components/nvs_flash/test_apps/main/test_nvs.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2016-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2016-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Unlicense OR CC0-1.0 */ @@ -13,7 +13,7 @@ #include #include -#include "esp_flash_encrypt.h" +#include "esp_efuse.h" #include "esp_log.h" #include "esp_partition.h" #include "esp_system.h" @@ -502,7 +502,7 @@ TEST_CASE("Check nvs key partition APIs (read and generate keys)", "[nvs]") { nvs_sec_cfg_t cfg, cfg2; #if CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC - if (!esp_flash_encryption_enabled()) { + if (!esp_efuse_is_flash_encryption_enabled()) { TEST_IGNORE_MESSAGE("flash encryption disabled, skipping nvs_key partition related tests"); } @@ -529,7 +529,7 @@ TEST_CASE("Check nvs key partition APIs (read and generate keys)", "[nvs]") TEST_CASE("test nvs apis with encryption enabled", "[nvs]") { #if CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC - if (!esp_flash_encryption_enabled()) { + if (!esp_efuse_is_flash_encryption_enabled()) { TEST_IGNORE_MESSAGE("flash encryption disabled, skipping nvs_api tests with encryption enabled"); } const esp_partition_t* key_part = esp_partition_find_first( @@ -653,7 +653,7 @@ TEST_CASE("test nvs apis for nvs partition generator utility with encryption ena extern const char sample_bin_start[] asm("_binary_sample_bin_start"); #if CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC - if (!esp_flash_encryption_enabled()) { + if (!esp_efuse_is_flash_encryption_enabled()) { TEST_IGNORE_MESSAGE("flash encryption disabled, skipping nvs_api tests with encryption enabled"); } diff --git a/components/nvs_flash/test_apps_bootloader/main/CMakeLists.txt b/components/nvs_flash/test_apps_bootloader/main/CMakeLists.txt index 18179a483d..a62d701910 100644 --- a/components/nvs_flash/test_apps_bootloader/main/CMakeLists.txt +++ b/components/nvs_flash/test_apps_bootloader/main/CMakeLists.txt @@ -12,7 +12,7 @@ endif() idf_component_register(SRCS "${srcs}" INCLUDE_DIRS "." - REQUIRES unity nvs_flash nvs_sec_provider bootloader_support + REQUIRES unity nvs_flash nvs_sec_provider efuse EMBED_TXTFILES "${embed_txtfiles}" WHOLE_ARCHIVE ) diff --git a/components/nvs_flash/test_apps_bootloader/main/test_encrypted_nvs_bootloader.c b/components/nvs_flash/test_apps_bootloader/main/test_encrypted_nvs_bootloader.c index 10c3acaa47..9d571da858 100644 --- a/components/nvs_flash/test_apps_bootloader/main/test_encrypted_nvs_bootloader.c +++ b/components/nvs_flash/test_apps_bootloader/main/test_encrypted_nvs_bootloader.c @@ -9,7 +9,7 @@ #include #include "esp_err.h" -#include "esp_flash_encrypt.h" +#include "esp_efuse.h" #include "esp_partition.h" #include "nvs_sec_provider.h" #include "unity.h" @@ -24,7 +24,7 @@ static esp_err_t configure_nvs_sec_cfg(nvs_sec_cfg_t *cfg, nvs_sec_scheme_t **se ESP_ERROR_CHECK(esp_partition_erase_range(nvs_part, 0, nvs_part->size)); #if CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC - if (!esp_flash_encryption_enabled()) { + if (!esp_efuse_is_flash_encryption_enabled()) { TEST_IGNORE_MESSAGE("flash encryption disabled, skipping nvs_api tests with encryption enabled"); } diff --git a/components/spi_flash/test_apps/flash_mmap/main/CMakeLists.txt b/components/spi_flash/test_apps/flash_mmap/main/CMakeLists.txt index 903367c6e1..1c3c3a14e0 100644 --- a/components/spi_flash/test_apps/flash_mmap/main/CMakeLists.txt +++ b/components/spi_flash/test_apps/flash_mmap/main/CMakeLists.txt @@ -4,5 +4,5 @@ set(srcs "test_app_main.c" # In order for the cases defined by `TEST_CASE` to be linked into the final elf, # the component can be registered as WHOLE_ARCHIVE idf_component_register(SRCS ${srcs} - PRIV_REQUIRES unity test_utils spi_flash bootloader_support esp_partition + PRIV_REQUIRES unity test_utils spi_flash esp_partition efuse WHOLE_ARCHIVE) diff --git a/components/spi_flash/test_apps/flash_mmap/main/test_flash_mmap.c b/components/spi_flash/test_apps/flash_mmap/main/test_flash_mmap.c index 42c1b0c550..9115ea6c29 100644 --- a/components/spi_flash/test_apps/flash_mmap/main/test_flash_mmap.c +++ b/components/spi_flash/test_apps/flash_mmap/main/test_flash_mmap.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2022-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Unlicense OR CC0-1.0 */ @@ -16,7 +16,7 @@ #include #include #include -#include +#include "esp_efuse.h" #include "esp_flash.h" #include "test_utils.h" @@ -32,7 +32,7 @@ static spi_flash_mmap_handle_t handle1, handle2, handle3; static esp_err_t spi_flash_read_maybe_encrypted(size_t src_addr, void *des_addr, size_t size) { - if (!esp_flash_encryption_enabled()) { + if (!esp_efuse_is_flash_encryption_enabled()) { return esp_flash_read(NULL, des_addr, src_addr, size); } else { return esp_flash_read_encrypted(NULL, src_addr, des_addr, size); @@ -41,7 +41,7 @@ static esp_err_t spi_flash_read_maybe_encrypted(size_t src_addr, void *des_addr, static esp_err_t spi_flash_write_maybe_encrypted(size_t des_addr, const void *src_addr, size_t size) { - if (!esp_flash_encryption_enabled()) { + if (!esp_efuse_is_flash_encryption_enabled()) { return esp_flash_write(NULL, src_addr, des_addr, size); } else { return esp_flash_write_encrypted(NULL, des_addr, src_addr, size); @@ -293,7 +293,7 @@ TEST_CASE("flash_mmap invalidates just-written data", "[spi_flash][mmap]") setup_mmap_tests(); - if (esp_flash_encryption_enabled()) { + if (esp_efuse_is_flash_encryption_enabled()) { TEST_IGNORE_MESSAGE("flash encryption enabled, spi_flash_write_encrypted() test won't pass as-is"); } diff --git a/docs/en/migration-guides/release-6.x/6.0/security.rst b/docs/en/migration-guides/release-6.x/6.0/security.rst index 7d98a63265..9003389391 100644 --- a/docs/en/migration-guides/release-6.x/6.0/security.rst +++ b/docs/en/migration-guides/release-6.x/6.0/security.rst @@ -115,6 +115,12 @@ BluFi (Wi-Fi provisioning over BLE) is affected by the Mbed TLS v4.x / PSA Crypt Bootloader Support ------------------ +**Deprecated APIs** + +The following function has been deprecated: + +- :cpp:func:`esp_flash_encryption_enabled` – Use :cpp:func:`esp_efuse_is_flash_encryption_enabled` instead. The component dependency has been changed from ``bootloader_support`` to ``efuse``. + **Removed Deprecated APIs** The following deprecated functions have been removed: diff --git a/docs/en/security/flash-encryption.rst b/docs/en/security/flash-encryption.rst index 030bfef78b..7609919bd4 100644 --- a/docs/en/security/flash-encryption.rst +++ b/docs/en/security/flash-encryption.rst @@ -718,7 +718,7 @@ To check if flash encryption on your {IDF_TARGET_NAME} device is enabled, do one Reading and Writing Data in Encrypted Flash ------------------------------------------- -{IDF_TARGET_NAME} application code can check if flash encryption is currently enabled by calling :cpp:func:`esp_flash_encryption_enabled`. Also, a device can identify the flash encryption mode by calling :cpp:func:`esp_get_flash_encryption_mode`. +{IDF_TARGET_NAME} application code can check if flash encryption is currently enabled by calling :cpp:func:`esp_efuse_is_flash_encryption_enabled`. Also, a device can identify the flash encryption mode by calling :cpp:func:`esp_get_flash_encryption_mode`. Once flash encryption is enabled, be more careful with accessing flash contents from code. diff --git a/docs/zh_CN/migration-guides/release-6.x/6.0/security.rst b/docs/zh_CN/migration-guides/release-6.x/6.0/security.rst index 2f67c3efcb..34d58df42c 100644 --- a/docs/zh_CN/migration-guides/release-6.x/6.0/security.rst +++ b/docs/zh_CN/migration-guides/release-6.x/6.0/security.rst @@ -115,6 +115,12 @@ BluFi(基于 BLE 的 Wi-Fi 配网)功能受到 ESP-IDF v6.0 中 Mbed TLS v4. 引导加载程序支持 ---------------- +**已弃用的 API** + +以下函数已被弃用: + +- :cpp:func:`esp_flash_encryption_enabled` 已被弃用。请使用 :cpp:func:`esp_efuse_is_flash_encryption_enabled` 代替。需要依赖的组件由 ``bootloader_support`` 替换为 ``efuse``。 + **已移除的废弃 API** 以下废弃函数已被移除: diff --git a/docs/zh_CN/security/flash-encryption.rst b/docs/zh_CN/security/flash-encryption.rst index 14cafd3dd6..39a14a2b0c 100644 --- a/docs/zh_CN/security/flash-encryption.rst +++ b/docs/zh_CN/security/flash-encryption.rst @@ -718,7 +718,7 @@ flash 加密设置 在加密的 flash 中读写数据 ------------------------------------- -{IDF_TARGET_NAME} 应用程序代码可以通过调用函数 :cpp:func:`esp_flash_encryption_enabled` 来检查当前是否启用了 flash 加密。此外,设备可以通过调用函数 :cpp:func:`esp_get_flash_encryption_mode` 来识别 flash 加密模式。 +{IDF_TARGET_NAME} 应用程序代码可以通过调用函数 :cpp:func:`esp_efuse_is_flash_encryption_enabled` 来检查当前是否启用了 flash 加密。此外,设备可以通过调用函数 :cpp:func:`esp_get_flash_encryption_mode` 来识别 flash 加密模式。 一旦启用 flash 加密,使用代码访问 flash 内容时要更加小心。 diff --git a/examples/system/efuse/main/efuse_main.c b/examples/system/efuse/main/efuse_main.c index 73bec51072..253da4f772 100644 --- a/examples/system/efuse/main/efuse_main.c +++ b/examples/system/efuse/main/efuse_main.c @@ -166,7 +166,7 @@ void app_main(void) #if CONFIG_IDF_TARGET_ESP32C2 - if (esp_secure_boot_enabled() || esp_flash_encryption_enabled()) { + if (esp_secure_boot_enabled() || esp_efuse_is_flash_encryption_enabled()) { ESP_LOGW(TAG, "BLOCK3 is used for secure boot or/and flash encryption"); ESP_LOGW(TAG, "eFuses from the custom eFuse table can not be used as they are placed in BLOCK3"); ESP_LOGI(TAG, "Done"); diff --git a/tools/test_apps/linux_compatible/mock_build_test/main/mock_build_test.c b/tools/test_apps/linux_compatible/mock_build_test/main/mock_build_test.c index 60383e51fa..d3a22fe3bb 100644 --- a/tools/test_apps/linux_compatible/mock_build_test/main/mock_build_test.c +++ b/tools/test_apps/linux_compatible/mock_build_test/main/mock_build_test.c @@ -151,7 +151,7 @@ void app_main(void) bootloader_random_enable(); esp_flash_encryption_enabled_IgnoreAndReturn(true); - bool flash_encrypted = esp_flash_encryption_enabled(); + bool flash_encrypted = esp_efuse_is_flash_encryption_enabled(); (void)flash_encrypted; esp_partition_main_flash_region_safe_IgnoreAndReturn(true); diff --git a/tools/test_apps/system/g1_components/check_dependencies.py b/tools/test_apps/system/g1_components/check_dependencies.py index fb75ebc794..482af9cd04 100644 --- a/tools/test_apps/system/g1_components/check_dependencies.py +++ b/tools/test_apps/system/g1_components/check_dependencies.py @@ -56,7 +56,6 @@ expected_dep_violations = { 'esp_system': ['esp_timer', 'bootloader_support', 'esp_pm', 'esp_usb_cdc_rom_console'], 'spi_flash': ['bootloader_support', 'esp_blockdev', 'esp_driver_gpio'], 'esp_hw_support': ['efuse', 'bootloader_support', 'esp_driver_gpio', 'esp_timer', 'esp_pm'], - 'esp_mm': ['bootloader_support'], 'cxx': ['pthread'], }