fix(bootloader_support): Reorder write disabling ECDSA_CURVE_MODE

components/bootloader_support/src/esp32h2/secure_boot_secure_features.c

@@ -37,12 +37,6 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
     ESP_LOGW(TAG, "UART ROM Download mode kept enabled - SECURITY COMPROMISED");
 #endif
 
-#ifdef SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED
-    if (ecdsa_ll_is_configurable_curve_supported()) {
-        esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_ECDSA_CURVE_MODE);
-    }
-#endif
-
 #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG
     ESP_LOGI(TAG, "Disable hardware & software JTAG...");
     esp_efuse_write_field_bit(ESP_EFUSE_DIS_PAD_JTAG);

components/bootloader_support/src/esp32h21/secure_boot_secure_features.c

@@ -36,10 +36,6 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
     ESP_LOGW(TAG, "UART ROM Download mode kept enabled - SECURITY COMPROMISED");
 #endif
 
-#ifdef SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED
-    esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_ECDSA_CURVE_MODE);
-#endif
-
 #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG
     ESP_LOGI(TAG, "Disable hardware & software JTAG...");
     esp_efuse_write_field_bit(ESP_EFUSE_DIS_PAD_JTAG);

components/esp_security/src/init.c

@@ -22,6 +22,10 @@
 #include "hal/key_mgr_ll.h"
 #endif /* SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT */
 
+#if SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED
+#include "hal/ecdsa_ll.h"
+#endif /* SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED */
+
 __attribute__((unused)) static const char *TAG = "esp_security";
 
 static void esp_key_mgr_init(void)
@@ -73,6 +77,18 @@ ESP_SYSTEM_INIT_FN(esp_security_init, SECONDARY, BIT(0), 103)
 #endif
 
 #if CONFIG_SECURE_BOOT_V2_ENABLED
+// H2, H21
+#if SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED
+    // Also write protects the ECDSA_CURVE_MODE efuse bit.
+    if (ecdsa_ll_is_configurable_curve_supported()) {
+        err = esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_ECDSA_CURVE_MODE);
+        if (err != ESP_OK) {
+            ESP_LOGE(TAG, "Failed to write protect the ECDSA_CURVE_MODE efuse bit.");
+            return err;
+        }
+    }
+#endif
+
 #if !CONFIG_SECURE_BOOT_SKIP_WRITE_PROTECTION_SCA
 // C5
 #if SOC_ECDSA_SUPPORT_CURVE_P384 && !CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_384_BITS

docs/en/security/security-features-enablement-workflows.rst

@@ -500,6 +500,7 @@ In this workflow we shall use ``espsecure`` tool to generate signing keys and us
         :SOC_EFUSE_DIS_USB_JTAG: - ``DIS_USB_JTAG``: Disable USB switch to JTAG.
         :SOC_EFUSE_DIS_PAD_JTAG: - ``DIS_PAD_JTAG``: Disable JTAG permanently.
         :SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS: - ``SECURE_BOOT_AGGRESSIVE_REVOKE``: Aggressive revocation of key digests, see :ref:`secure-boot-v2-aggressive-key-revocation` for more details.
+        :SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED: - ``WR_DIS_ECDSA_CURVE_MODE``: Disable writing to the ECDSA curve mode eFuse bit (As this write protection bit is shared with ECC_FORCE_CONST_TIME, it is recommended to write protect this bit only after configuring the ECC_FORCE_CONST_TIME efuse).
         :SOC_ECDSA_SUPPORT_CURVE_P384: - ``WR_DIS_SECURE_BOOT_SHA384_EN``: Disable writing to the SHA-384 secure boot eFuse bit (As this write protection bit is shared with XTS_DPA_PSEUDO_LEVEL and ECC_FORCE_CONST_TIME, it is recommended to write protect this bit only after configuring all the other shared efuses).
 
     The respective eFuses can be burned by running: