From 390a6a071974f9b29bc1e2a6652c7a056ea8b8af Mon Sep 17 00:00:00 2001
From: Aditya Patwardhan <aditya.patwardhan@espressif.com>
Date: Wed, 15 Jan 2025 12:15:44 +0530
Subject: [PATCH] feat(docs): Update minimizing binary size

        The ESP32-H2 software countermeasure may not be necessary
        for ESP32-H2 v1.2 and above, this commit updates
        the relevant documentation
---
 components/hal/Kconfig                  |  2 ++
 components/mbedtls/Kconfig              |  4 ++-
 docs/en/api-guides/performance/size.rst | 37 +++++++++++++------------
 3 files changed, 25 insertions(+), 18 deletions(-)

diff --git a/components/hal/Kconfig b/components/hal/Kconfig
index dcd91df039..2c8e44d657 100644
--- a/components/hal/Kconfig
+++ b/components/hal/Kconfig
@@ -111,5 +111,7 @@ menu "Hardware Abstraction Layer (HAL) and Low Level (LL)"
             Enable this option to apply the countermeasure for ECDSA signature operation
             This countermeasure masks the real ECDSA sign operation
             under dummy sign operations to add randomness in the generated power signature.
+            This countermeasure is only necessary for ESP32-H2 < v1.2.
+
 
 endmenu
diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig
index f376e351d9..fed9a21960 100644
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -555,13 +555,14 @@ menu "mbedTLS"
             select HAL_ECDSA_GEN_SIG_CM
             default y
             help
-                The ECDSA peripheral before ECO5 does not offer constant time ECDSA sign operation.
+                The ECDSA peripheral before ESP32-H2 v1.2 does not offer constant time ECDSA sign operation.
                 This time can be observed through power profiling of the device,
                 making the ECDSA private key vulnerable to side-channel timing attacks.
                 This countermeasure masks the real ECDSA sign operation
                 under dummy sign operations to add randomness in the generated power signature.
                 It is highly recommended to also enable Secure Boot for the device in addition to this countermeasure
                 so that only trusted software can execute on the device.
+                This countermeasure can be safely disabled for ESP32-H2 v1.2 and above.
 
         config MBEDTLS_HARDWARE_ECDSA_SIGN_CONSTANT_TIME_CM
             bool "Make ECDSA signature operation pseudo constant time for software"
@@ -574,6 +575,7 @@ menu "mbedTLS"
                 of an arbitrary message.
                 The signature time would appear to be constant to the external entity after enabling
                 this option.
+                This countermeasure can be safely disabled for ESP32-H2 v1.2 and above.
 
     endmenu
 
diff --git a/docs/en/api-guides/performance/size.rst b/docs/en/api-guides/performance/size.rst
index 6b499af0f9..460da4867d 100644
--- a/docs/en/api-guides/performance/size.rst
+++ b/docs/en/api-guides/performance/size.rst
@@ -401,23 +401,26 @@ Under *Component Config* -> *mbedTLS* there are multiple mbedTLS features which
 
 These include:
 
-- :ref:`CONFIG_MBEDTLS_HAVE_TIME`
-- :ref:`CONFIG_MBEDTLS_ECDSA_DETERMINISTIC`
-- :ref:`CONFIG_MBEDTLS_SHA512_C`
-- :ref:`CONFIG_MBEDTLS_SHA3_C`
-- :ref:`CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS`
-- :ref:`CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS`
-- :ref:`CONFIG_MBEDTLS_SSL_CONTEXT_SERIALIZATION`
-- :ref:`CONFIG_MBEDTLS_SSL_ALPN`
-- :ref:`CONFIG_MBEDTLS_SSL_RENEGOTIATION`
-- :ref:`CONFIG_MBEDTLS_CCM_C`
-- :ref:`CONFIG_MBEDTLS_GCM_C`
-- :ref:`CONFIG_MBEDTLS_ECP_C` (Alternatively: Leave this option enabled but disable some of the elliptic curves listed in the sub-menu.)
-- :ref:`CONFIG_MBEDTLS_ECP_NIST_OPTIM`
-- :ref:`CONFIG_MBEDTLS_ECP_FIXED_POINT_OPTIM`
-- Change :ref:`CONFIG_MBEDTLS_TLS_MODE` if both server & client functionalities are not needed
-- Consider disabling some ciphersuites listed in the "TLS Key Exchange Methods" sub-menu (i.e. :ref:`CONFIG_MBEDTLS_KEY_EXCHANGE_RSA`)
-- Consider disabling :ref:`CONFIG_MBEDTLS_ERROR_STRINGS` if the application is pulling in mbedTLS error strings because of :cpp:func:`mbedtls_strerror` usage
+.. list::
+
+    - :ref:`CONFIG_MBEDTLS_HAVE_TIME`
+    - :ref:`CONFIG_MBEDTLS_ECDSA_DETERMINISTIC`
+    - :ref:`CONFIG_MBEDTLS_SHA512_C`
+    - :ref:`CONFIG_MBEDTLS_SHA3_C`
+    - :ref:`CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS`
+    - :ref:`CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS`
+    - :ref:`CONFIG_MBEDTLS_SSL_CONTEXT_SERIALIZATION`
+    - :ref:`CONFIG_MBEDTLS_SSL_ALPN`
+    - :ref:`CONFIG_MBEDTLS_SSL_RENEGOTIATION`
+    - :ref:`CONFIG_MBEDTLS_CCM_C`
+    - :ref:`CONFIG_MBEDTLS_GCM_C`
+    - :ref:`CONFIG_MBEDTLS_ECP_C` (Alternatively: Leave this option enabled but disable some of the elliptic curves listed in the sub-menu.)
+    - :ref:`CONFIG_MBEDTLS_ECP_NIST_OPTIM`
+    - :ref:`CONFIG_MBEDTLS_ECP_FIXED_POINT_OPTIM`
+    - Change :ref:`CONFIG_MBEDTLS_TLS_MODE` if both server & client functionalities are not needed.
+    - Consider disabling some cipher suites listed in the ``TLS Key Exchange Methods`` sub-menu (i.e., :ref:`CONFIG_MBEDTLS_KEY_EXCHANGE_RSA`).
+    - Consider disabling :ref:`CONFIG_MBEDTLS_ERROR_STRINGS` if the application is already pulling in mbedTLS error strings through using :cpp:func:`mbedtls_strerror`.
+    :esp32h2: - For {IDF_TARGET_NAME} v1.2 and above, consider disabling :ref:`CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN_MASKING_CM` and :ref:`CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN_CONSTANT_TIME_CM` as the software countermeasures for the ECDSA sign operation are not required.
 
 The help text for each option has some more information.