feat(security): Enable Flash encryption for ESP32P4

components/bootloader_support/src/flash_encrypt.c

@@ -137,16 +137,14 @@ esp_flash_enc_mode_t esp_get_flash_encryption_mode(void)
             }
 #else
             if (esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT)
-#if CONFIG_IDF_TARGET_ESP32P4
-                //TODO: IDF-7545
+#if SOC_EFUSE_DIS_DOWNLOAD_MSPI
                 && esp_efuse_read_field_bit(ESP_EFUSE_SPI_DOWNLOAD_MSPI_DIS)
-#else
+#endif
 #if SOC_EFUSE_DIS_DOWNLOAD_ICACHE
                 && esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE)
 #endif
 #if SOC_EFUSE_DIS_DOWNLOAD_DCACHE
                 && esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE)
-#endif
 #endif
                 ) {
                 mode = ESP_FLASH_ENC_MODE_RELEASE;
@@ -192,17 +190,15 @@ void esp_flash_encryption_set_release_mode(void)
     esp_efuse_write_field_bit(ESP_EFUSE_DISABLE_DL_DECRYPT);
 #else
     esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT);
-#if CONFIG_IDF_TARGET_ESP32P4
-    //TODO: IDF-7545
+#if SOC_EFUSE_DIS_DOWNLOAD_MSPI
     esp_efuse_write_field_bit(ESP_EFUSE_SPI_DOWNLOAD_MSPI_DIS);
-#else
+#endif
 #if SOC_EFUSE_DIS_DOWNLOAD_ICACHE
     esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE);
 #endif
 #if SOC_EFUSE_DIS_DOWNLOAD_DCACHE
     esp_efuse_write_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE);
 #endif
-#endif
 #ifdef CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED
     // For AES128_DERIVED, FE key is 16 bytes and XTS_KEY_LENGTH_256 is 0.
     // It is important to protect XTS_KEY_LENGTH_256 from further changing it to 1. Set write protection for this bit.
@@ -345,14 +341,13 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
     }
 #endif
 
-#if CONFIG_IDF_TARGET_ESP32P4
-    //TODO: IDF-7545
+#if SOC_EFUSE_DIS_DOWNLOAD_MSPI
     secure = esp_efuse_read_field_bit(ESP_EFUSE_SPI_DOWNLOAD_MSPI_DIS);
     result &= secure;
     if (!secure) {
         ESP_LOGW(TAG, "Not disabled UART bootloader download mspi (set DIS_DOWNLOAD_MSPI->1)");
     }
-#else
+#endif
 #if SOC_EFUSE_DIS_DOWNLOAD_ICACHE
     secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE);
     result &= secure;
@@ -360,7 +355,6 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
         ESP_LOGW(TAG, "Not disabled UART bootloader cache (set DIS_DOWNLOAD_ICACHE->1)");
     }
 #endif
-#endif
 
 #if SOC_EFUSE_DIS_PAD_JTAG
     secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG);

components/bootloader_support/src/flash_encryption/flash_encrypt.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -15,6 +15,11 @@
 #include "esp_efuse_table.h"
 #include "esp_log.h"
 #include "hal/wdt_hal.h"
+
+#if CONFIG_IDF_TARGET_ESP32P4 //TODO-IDF-7925
+#include "soc/keymng_reg.h"
+#endif
+
 #ifdef CONFIG_SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
 #include "soc/sensitive_reg.h"
 #endif
@@ -209,6 +214,12 @@ static esp_err_t check_and_generate_encryption_keys(void)
         }
         ESP_LOGI(TAG, "Using pre-loaded flash encryption key in efuse");
     }
+
+#if CONFIG_IDF_TARGET_ESP32P4 //TODO - IDF-7925
+    // Force Key Manager to use eFuse key for XTS-AES operation
+    REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 2);
+#endif
+
     return ESP_OK;
 }
 

components/esp_system/port/cpu_start.c

@@ -66,6 +66,7 @@
 #include "soc/hp_sys_clkrst_reg.h"
 #include "soc/interrupt_core0_reg.h"
 #include "soc/interrupt_core1_reg.h"
+#include "soc/keymng_reg.h"
 #endif
 
 #include "esp_private/esp_mmu_map_private.h"
@@ -299,6 +300,11 @@ static void start_other_core(void)
     if(REG_GET_BIT(HP_SYS_CLKRST_HP_RST_EN0_REG, HP_SYS_CLKRST_REG_RST_EN_CORE1_GLOBAL)){
         REG_CLR_BIT(HP_SYS_CLKRST_HP_RST_EN0_REG, HP_SYS_CLKRST_REG_RST_EN_CORE1_GLOBAL);
     }
+    // The following operation makes the Key Manager to use eFuse key for ECDSA and XTS-AES operation by default
+    // This is to keep the default behavior same as the other chips
+    // If the Key Manager configuration is already locked then following operation does not have any effect
+    // TODO-IDF 7925 (Move this under SOC_KEY_MANAGER_SUPPORTED)
+    REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 3);
 #endif
     ets_set_appcpu_boot_addr((uint32_t)call_start_cpu1);
 

components/spi_flash/test_apps/.build-test-rules.yml

@@ -17,13 +17,10 @@ components/spi_flash/test_apps/esp_flash:
 
 components/spi_flash/test_apps/flash_encryption:
   disable_test:
-    - if: IDF_TARGET in ["esp32c2", "esp32s2", "esp32c6", "esp32h2"]
+    - if: IDF_TARGET in ["esp32c2", "esp32s2", "esp32c6", "esp32h2", "esp32p4"]
       temporary: true
       reason: No runners # IDF-5634
-  disable:
-    - if: IDF_TARGET == "esp32p4"
-      temporary: true
-      reason: target esp32p4 is not supported yet # TODO: IDF-7545
+
   depends_components:
     - esp_mm
     - spi_flash

components/spi_flash/test_apps/flash_encryption/README.md

@@ -1,5 +1,5 @@
-| Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C6 | ESP32-H2 | ESP32-S2 | ESP32-S3 |
-| ----------------- | ----- | -------- | -------- | -------- | -------- | -------- | -------- |
+| Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C6 | ESP32-H2 | ESP32-P4 | ESP32-S2 | ESP32-S3 |
+| ----------------- | ----- | -------- | -------- | -------- | -------- | -------- | -------- | -------- |
 
 ## Prepare runner
 

docs/en/security/flash-encryption.rst

@@ -929,6 +929,7 @@ On the first boot, the flash encryption process burns by default the following e
     :SOC_EFUSE_DIS_PAD_JTAG and SOC_EFUSE_DIS_USB_JTAG: - ``DIS_PAD_JTAG`` and ``DIS_USB_JTAG`` which disables JTAG.
     :SOC_EFUSE_HARD_DIS_JTAG and SOC_EFUSE_DIS_USB_JTAG: - ``HARD_DIS_JTAG`` and ``DIS_USB_JTAG`` which disables JTAG.
     - ``DIS_DIRECT_BOOT`` (old name ``DIS_LEGACY_SPI_BOOT``)  which disables direct boot mode
+    :SOC_EFUSE_DIS_DOWNLOAD_MSPI: - ``DIS_DOWNLOAD_MSPI`` which disables the MSPI access in download mode.
 
 However, before the first boot you can choose to keep any of these features enabled by burning only selected eFuses and write-protect the rest of eFuses with unset value 0. For example:
 

docs/en/security/host-based-security-workflows.rst

@@ -290,6 +290,7 @@ In this case, all the eFuses related to flash encryption are written with help o
         :SOC_EFUSE_DIS_USB_JTAG: - ``DIS_USB_JTAG``: Disable USB switch to JTAG
         :SOC_EFUSE_DIS_PAD_JTAG: - ``DIS_PAD_JTAG``: Disable JTAG permanently
         :not esp32: - ``DIS_DOWNLOAD_MANUAL_ENCRYPT``: Disable UART bootloader encryption access
+        :SOC_EFUSE_DIS_DOWNLOAD_MSPI: - ``DIS_DOWNLOAD_MSPI``: Disable the MSPI access in download mode
   
     The respective eFuses can be burned by running:
   

examples/security/.build-test-rules.yml

@@ -2,7 +2,7 @@
 
 examples/security/flash_encryption:
   disable_test:
-    - if: IDF_TARGET in ["esp32s2", "esp32s3", "esp32c6", "esp32h2", "esp32c2"]
+    - if: IDF_TARGET in ["esp32s2", "esp32s3", "esp32c6", "esp32h2", "esp32c2", "esp32p4"]
       temporary: true
       reason: lack of runners
 

examples/system/efuse/sdkconfig.ci.virt_sb_v2_and_fe.esp32p4

@@ -0,0 +1,18 @@
+# FLASH_ENCRYPTION & SECURE_BOOT_V2 with EFUSE_VIRTUAL_KEEP_IN_FLASH
+
+CONFIG_IDF_TARGET="esp32p4"
+
+CONFIG_PARTITION_TABLE_OFFSET=0xD000
+CONFIG_PARTITION_TABLE_CUSTOM=y
+CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="test/partitions_efuse_emul.csv"
+
+CONFIG_SECURE_BOOT=y
+CONFIG_SECURE_BOOT_V2_ENABLED=y
+CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key.pem"
+CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y
+
+CONFIG_SECURE_FLASH_ENC_ENABLED=y
+
+# IMPORTANT: ONLY VIRTUAL eFuse MODE!
+CONFIG_EFUSE_VIRTUAL=y
+CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH=y