diff --git a/components/bootloader_support/include/esp_flash_encrypt.h b/components/bootloader_support/include/esp_flash_encrypt.h
index fc00cbf36b..0e502399eb 100644
--- a/components/bootloader_support/include/esp_flash_encrypt.h
+++ b/components/bootloader_support/include/esp_flash_encrypt.h
@@ -189,7 +189,7 @@ esp_err_t esp_flash_encryption_enable_secure_features(void);
 * @return
 * - ESP_OK - On success
 */
-esp_err_t esp_flash_encryption_enable_key_mgr(void);
+esp_err_t esp_flash_encryption_use_efuse_key(void);
 #endif // SOC_KEY_MANAGER_FE_KEY_DEPLOY
 #endif /* BOOTLOADER_BUILD && CONFIG_SECURE_FLASH_ENC_ENABLED */
diff --git a/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c
index a1804969bf..54a14dcfdb 100644
--- a/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c
@@ -17,7 +17,7 @@
 #include "hal/mspi_ll.h"
 #include "soc/soc_caps.h"
 #include "sdkconfig.h"
-#include "esp_crypto_periph_clk.h"
+#include "hal/key_mgr_ll.h"
 ESP_LOG_ATTR_TAG(TAG, "flash_encrypt");
@@ -72,13 +72,14 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 return ESP_OK;
 }
-esp_err_t esp_flash_encryption_enable_key_mgr(void)
+esp_err_t esp_flash_encryption_use_efuse_key(void)
 {
 esp_crypto_key_mgr_enable_periph_clk(true);
 // Force Key Manager to use eFuse key for XTS-AES operation
 key_mgr_hal_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
+ // TODO: Check if this is necessary else remove it
 // In case Flash Encryption is enabled by a key deployed using the Key Manager,
 // we just need to reset the SPI flash to ensure the key is used.
 // Enabling Key Manager and forcing it to use its OWN key is handled in the
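Review bot: In the esp32c5 include hunk (`@@ -17,7 +17,7 @@`), `#include "esp_crypto_periph_clk.h"` is removed although `esp_flash_encryption_use_efuse_key()` in the same file still calls `esp_crypto_key_mgr_enable_periph_clk(true)`, and the header added is `hal/key_mgr_ll.h` even though the function calls `key_mgr_hal_set_key_usage()`. Unless both declarations are already included above line 17, which is not visible here, the code that selects the flash-encryption key source compiles only through transitive includes. I would keep the removed include and add `#include "hal/key_mgr_hal.h"`, which is what the esp32p4 file includes in this same commit.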
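Review bot: The `+` line `// TODO: Check if this is necessary else remove it` in the esp32c5 `esp_flash_encryption_use_efuse_key()` (`@@ -72,13 +72,14 @@`) leaves an open question in the bootloader's flash-encryption path, with no owner or tracking reference. The comment beneath it describes the case of a key deployed through the Key Manager, while this function forces `ESP_KEY_MGR_USE_EFUSE_KEY`, so the text no longer matches the function it sits in. I would settle the question before merge and replace both comments with one that gives the reason for the reset, for example `// Reset MSPI so XTS-AES uses the eFuse key source selected above`, or drop the step if testing shows it is not needed. The function body continues past the end of the hunk, so the reset the comment refers to is not visible here.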
diff --git a/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c
index c111cbf665..907626ce32 100644
--- a/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c
@@ -12,6 +12,8 @@
 #include "esp_log.h"
 #include "sdkconfig.h"
 #include "esp_crypto_periph_clk.h"
+#include "esp_key_mgr.h"
+#include "hal/key_mgr_hal.h"
 #include "hal/key_mgr_ll.h"
 #include "hal/mspi_ll.h"
@@ -52,12 +54,13 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 return ESP_OK;
 }
-esp_err_t esp_flash_encryption_enable_key_mgr(void)
+esp_err_t esp_flash_encryption_use_efuse_key(void)
 {
 esp_crypto_key_mgr_enable_periph_clk(true);
 // Force Key Manager to use eFuse key for XTS-AES operation
- key_mgr_ll_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
+ key_mgr_hal_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
+ _mspi_timing_ll_reset_mspi();
 return ESP_OK;
diff --git a/components/bootloader_support/src/flash_encryption/flash_encrypt.c b/components/bootloader_support/src/flash_encryption/flash_encrypt.c
index 64c5afff42..766183b176 100644
--- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c
@@ -364,6 +364,11 @@ static esp_err_t check_and_generate_encryption_keys(void)
 }
 ESP_LOGI(TAG, "Using pre-loaded flash encryption key in efuse");
 }
+
+#if SOC_KEY_MANAGER_FE_KEY_DEPLOY
+ // In the case of Key Manager supported targets, the default XTS-AES key source is set to Key Manager.
+ esp_flash_encryption_use_efuse_key();
+#endif
 #elif CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR
 esp_err_t err = key_manager_check_and_generate_key();
 if (err != ESP_OK) {
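Review bot: The new call `esp_flash_encryption_use_efuse_key();` in `check_and_generate_encryption_keys()` (flash_encrypt.c, `@@ -364,6 +364,11 @@`) discards its `esp_err_t` result, whereas the Key Manager branch directly below checks `err != ESP_OK`. Both implementations touched by this commit return `ESP_OK` unconditionally as far as the hunks show. If one later gains a failure path, the bootloader could carry on with the XTS-AES key source still at its Key Manager default rather than the eFuse key that was just checked or generated. I would propagate the result with `esp_err_t err = esp_flash_encryption_use_efuse_key();` followed by `if (err != ESP_OK) { return err; }`, reusing an existing `err` if this branch already declares one. The function starts above the hunk, so that declaration is not visible here.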