flash encryption: add option to require flash encryption to be enabled

In testing environment, to avoid accidentally enabling flash
encryption on a device, CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED
can be set. If set, the bootloader will refuse to boot if flash
encryption is not enabled, instead of enabling it.

components/bootloader/Kconfig.projbuild

@@ -515,6 +515,20 @@ menu "Security features"
 
                 Only set this option in testing environments.
 
+        config SECURE_FLASH_REQUIRE_ALREADY_ENABLED
+            bool "Require flash encryption to be already enabled"
+            depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+            default N
+            help
+                If not set (default), and flash encryption is not yet enabled in eFuses, the 2nd stage bootloader
+                will enable flash encryption: generate the flash encryption key and program eFuses.
+                If this option is set, and flash encryption is not yet enabled, the bootloader will error out and
+                reboot.
+                If flash encryption is enabled in eFuses, this option does not change the bootloader behavior.
+
+                Only use this option in testing environments, to avoid accidentally enabling flash encryption on
+                the wrong device. The device needs to have flash encryption already enabled using espefuse.py.
+
     endmenu  # Potentially Insecure
 endmenu  # Security features