Merge branch 'change/remove_esp_security_dependency_from_esp_hw_support' into 'master'

Move security-related modules present in esp_hw_support component to esp_security

Closes IDF-10733

See merge request espressif/esp-idf!39490

components/bt/CMakeLists.txt

@@ -917,6 +917,7 @@ set(bt_priv_requires
     esp_driver_spi
     esp_driver_gpio
     esp_gdbstub
+    esp_security
 )
 
 idf_component_register(SRCS "${srcs}"

components/bt/Kconfig

@@ -78,7 +78,7 @@ menu "Bluetooth"
             a large free heap region when esp_bt_mem_release is called, total saving ~21kB or more of IRAM.
             ESP32-C2 only 3 configurable PMP entries available, rest of them are hard-coded.
             We cannot split the memory into 3 different regions (IRAM, BLE-IRAM, DRAM).
-            So this option will disable the PMP (ESP_SYSTEM_PMP_IDRAM_SPLIT)
+            So this option will disable the memory protection scheme (ESP_SYSTEM_MEMPROT)
 
     menu "Common Options"
         source "$IDF_PATH/components/bt/common/Kconfig.in"

components/bt/controller/esp32c2/bt.c

@@ -1156,15 +1156,15 @@ esp_err_t esp_bt_mem_release(esp_bt_mode_t mode)
 {
     esp_err_t ret = ESP_OK;
 
-#if CONFIG_BT_RELEASE_IRAM && CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT
+#if CONFIG_BT_RELEASE_IRAM && CONFIG_ESP_SYSTEM_MEMPROT
     /* Release Bluetooth text section and merge Bluetooth data, bss & text into a large free heap
      * region when esp_bt_mem_release is called, total saving ~21kB or more of IRAM. ESP32-C2 has
      * only 3 configurable PMP entries available, rest of them are hard-coded. We cannot split the
-     * memory into 3 different regions (IRAM, BLE-IRAM, DRAM). So `ESP_SYSTEM_PMP_IDRAM_SPLIT` needs
+     * memory into 3 different regions (IRAM, BLE-IRAM, DRAM). So `ESP_SYSTEM_MEMPROT` needs
      * to be disabled.
      */
-    #error "ESP_SYSTEM_PMP_IDRAM_SPLIT should be disabled to allow BT to be released"
+    #error "ESP_SYSTEM_MEMPROT should be disabled to allow BT to be released"
-#endif // CONFIG_BT_RELEASE_IRAM && CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT
+#endif // CONFIG_BT_RELEASE_IRAM && CONFIG_ESP_SYSTEM_MEMPROT
 
     if (ble_controller_status != ESP_BT_CONTROLLER_STATUS_IDLE) {
         return ESP_ERR_INVALID_STATE;

components/bt/test_apps/memory_release/sdkconfig.ci.iram

@@ -1,2 +1,2 @@
-CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT=n
+CONFIG_ESP_SYSTEM_MEMPROT=n
 CONFIG_BT_RELEASE_IRAM=y

components/esp_common/src/esp_err_to_name.c

@@ -816,7 +816,7 @@ static const esp_err_msg_t esp_err_msg_table[] = {
     ERR_TBL_IT(ESP_ERR_HW_CRYPTO_BASE),                         /* 49152 0xc000 Starting number of HW cryptography
                                                                                 module error codes */
 #   endif
-    // components/esp_hw_support/include/esp_ds_err.h
+    // components/esp_security/include/esp_ds_err.h
 #   ifdef      ESP_ERR_HW_CRYPTO_DS_HMAC_FAIL
     ERR_TBL_IT(ESP_ERR_HW_CRYPTO_DS_HMAC_FAIL),                 /* 49153 0xc001 HMAC peripheral problem */
 #   endif

components/esp_driver_ledc/test_apps/ledc/sdkconfig.defaults

@@ -1,6 +1,6 @@
 CONFIG_FREERTOS_HZ=1000
 CONFIG_ESP_TASK_WDT_INIT=n
 # Disable memory protection, because "LEDC continue work after software reset" test case requires a cpu reset
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=n
+CONFIG_ESP_SYSTEM_MEMPROT=n
 # primitives for checking sleep internal state
 CONFIG_ESP_SLEEP_DEBUG=y

components/esp_hw_support/CMakeLists.txt

@@ -11,8 +11,7 @@ endif()
 
 set(requires soc)
 # only esp_hw_support/adc_share_hw_ctrl.c requires efuse component
-# TODO: remove esp_security from REQUIRES in ESP-IDF v6.0 (see IDF-10733)
+set(priv_requires efuse spi_flash bootloader_support)
-set(priv_requires efuse spi_flash bootloader_support esp_security)
 
 if(${target} STREQUAL "esp32c6")
     list(APPEND priv_requires hal)

components/esp_hw_support/include/esp_memprot.h

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -12,7 +12,7 @@
 #pragma once
 
 #include "sdkconfig.h"
-#if CONFIG_ESP_SYSTEM_MEMPROT_FEATURE || CONFIG_ESP_SYSTEM_MEMPROT_TEST
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMS
 
 #include <stdbool.h>
 #include <stdint.h>
@@ -93,7 +93,7 @@ esp_err_t esp_mprot_get_active_intr(esp_memp_intr_source_t *active_memp_intr);
  * @brief Returns the address which caused the violation interrupt for given Memory type and CPU/Core ID.
  * This function is to be called after a basic resolving of (current) interrupt's parameters (ie corresponding
  * Memory type and CPU ID see esp_mprot_get_active_intr()). This is to minimize processing time of actual exception
- * as this API is typicaly used in a panic-handling code.
+ * as this API is typically used in a panic-handling code.
  * If there is no active interrupt available for the Memory type/CPU ID required, fault_addr is set to NULL.
  *
  * @param mem_type memory type
@@ -167,7 +167,7 @@ esp_err_t esp_mprot_get_violate_byte_enables(const esp_mprot_mem_t mem_type, uin
 /**
  * @brief Convenient routine for setting the PMS defaults
  *
- * Called on system startup, depending on ESP_SYSTEM_MEMPROT_FEATURE Kconfig value
+ * Called on system startup, depending on ESP_SYSTEM_MEMPROT Kconfig value
  *
  * @param memp_config pointer to Memprot configuration structure (esp_memp_config_t). The structure si chip-specific,
  * for details and defaults see appropriate [target-chip]/soc_memprot_types.h
@@ -197,4 +197,4 @@ esp_err_t esp_mprot_dump_configuration(char **dump_info_string);
 }
 #endif
 
-#endif //CONFIG_ESP_SYSTEM_MEMPROT_FEATURE || CONFIG_ESP_SYSTEM_MEMPROT_TEST
+#endif //CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMS

components/esp_hw_support/include/esp_private/esp_memprot_internal.h

@@ -13,7 +13,7 @@
 #include "hal/memprot_types.h"
 #include "esp_memprot_types.h"
 #include "sdkconfig.h"
-#if CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMS
 #include "soc_memprot_types.h"
 #endif
 

components/esp_hw_support/port/esp32c2/cpu_region_protect.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -10,7 +10,7 @@
 #include "esp_cpu.h"
 #include "esp_fault.h"
 
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
 extern int _iram_end;
 extern int _data_start;
 #define IRAM_END        (int)&_iram_end
@@ -64,12 +64,12 @@ void esp_cpu_configure_region_protection(void)
      *    - We cannot set the lock bit as we need to reconfigure it again for the application.
      *      We configure PMPADDR 0-1 to cover entire valid IRAM range and PMPADDR 2-3 to cover entire valid DRAM range.
      *
-     * 2. Application build with CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT enabled
+     * 2. Application build with CONFIG_ESP_SYSTEM_MEMPROT enabled
      *    - We split the SRAM into IRAM and DRAM such that IRAM region cannot be accessed via DBUS
      *      and DRAM region cannot be accessed via IBUS. We use _iram_end and _data_start markers to set the boundaries.
      *      We also lock these entries so the R/W/X permissions are enforced even for machine mode
      *
-     * 3. Application build with CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT disabled
+     * 3. Application build with CONFIG_ESP_SYSTEM_MEMPROT disabled
      *    - The IRAM-DRAM split is not enabled so we just need to ensure that access to only valid address ranges are successful
      *      so for that we set PMPADDR 0-1 to cover entire valid IRAM range and PMPADDR 2-3 to cover entire DRAM region.
      *      We also lock these entries so the R/W/X permissions are enforced even for machine mode
@@ -79,7 +79,7 @@ void esp_cpu_configure_region_protection(void)
      *      We set PMPADDR 0-1 to cover entire valid IRAM range and PMPADDR 2-3 to cover entire DRAM region.
      *      We also lock these entries so the R/W/X permissions are enforced even for machine mode
      *
-     *  PMPADDR 3-15 are hard-coded and are appicable to both, bootloader and application. So we configure and lock
+     *  PMPADDR 3-15 are hard-coded and are applicable to both, bootloader and application. So we configure and lock
      *  these during BOOTLOADER build itself. During application build, reconfiguration of these PMPADDR entries
      *  are silently ignored by the CPU
      */
@@ -99,7 +99,7 @@ void esp_cpu_configure_region_protection(void)
         // 1. IRAM
         PMP_ENTRY_SET(0, SOC_DIRAM_IRAM_LOW, CONDITIONAL_NONE);
 
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP
         PMP_ENTRY_SET(1, IRAM_END, PMP_TOR | CONDITIONAL_RX);
 #else
         PMP_ENTRY_SET(1, IRAM_END, PMP_TOR | CONDITIONAL_RWX);

components/esp_hw_support/port/esp32c3/CMakeLists.txt

@@ -12,7 +12,7 @@ if(NOT BOOTLOADER_BUILD)
     # init constructor for wifi
     list(APPEND srcs "adc2_init_cal.c")
 
-    if(CONFIG_ESP_SYSTEM_MEMPROT_FEATURE)
+    if(CONFIG_ESP_SYSTEM_MEMPROT AND CONFIG_ESP_SYSTEM_MEMPROT_PMS)
         list(APPEND srcs "esp_memprot.c" "../esp_memprot_conv.c")
     endif()
 

components/esp_hw_support/port/esp32c5/cpu_region_protect.c

@@ -100,12 +100,12 @@ void esp_cpu_configure_region_protection(void)
      *    - We cannot set the lock bit as we need to reconfigure it again for the application.
      *      We configure PMP to cover entire valid IRAM and DRAM range.
      *
-     * 2. Application build with CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT enabled
+     * 2. Application build with CONFIG_ESP_SYSTEM_MEMPROT enabled
      *    - We split the SRAM into IRAM and DRAM such that IRAM region cannot be written to
      *      and DRAM region cannot be executed. We use _iram_text_end and _data_start markers to set the boundaries.
      *      We also lock these entries so the R/W/X permissions are enforced even for machine mode
      *
-     * 3. Application build with CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT disabled
+     * 3. Application build with CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP disabled
      *    - The IRAM-DRAM split is not enabled so we just need to ensure that access to only valid address ranges are successful
      *      so for that we set PMP to cover entire valid IRAM and DRAM region.
      *      We also lock these entries so the R/W/X permissions are enforced even for machine mode
@@ -136,7 +136,7 @@ void esp_cpu_configure_region_protection(void)
     _Static_assert(SOC_CPU_SUBSYSTEM_LOW < SOC_CPU_SUBSYSTEM_HIGH, "Invalid CPU subsystem region");
 
     // 2. I/D-ROM
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
     const uint32_t drom_start = (uint32_t) (ets_rom_layout_p->drom_start);
     if ((drom_start & (SOC_CPU_PMP_REGION_GRANULARITY - 1)) == 0) {
         // We can skip configuring the PMP entry for the [SOC_IROM_MASK_LOW - drom_start]
@@ -162,7 +162,7 @@ void esp_cpu_configure_region_protection(void)
         PMP_ENTRY_SET(4, SOC_IRAM_HIGH, PMP_TOR | RWX);
         _Static_assert(SOC_IRAM_LOW < SOC_IRAM_HIGH, "Invalid RAM region");
     } else {
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
         extern int _iram_text_end;
         /* Reset the corresponding PMP config because PMP_ENTRY_SET only sets the given bits
          * Bootloader might have given extra permissions and those won't be cleared
@@ -181,7 +181,7 @@ void esp_cpu_configure_region_protection(void)
     }
 
     // 4. I_Cache / D_Cache (flash)
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
     extern int _instruction_reserved_end;
     extern int _rodata_reserved_end;
 
@@ -247,7 +247,7 @@ void esp_cpu_configure_region_protection(void)
 #endif
 
     // 5. LP memory
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
     extern int _rtc_text_start;
     extern int _rtc_text_end;
     /* Reset the corresponding PMP config because PMP_ENTRY_SET only sets the given bits
@@ -261,7 +261,7 @@ void esp_cpu_configure_region_protection(void)
     PMP_ENTRY_SET(11, SOC_RTC_IRAM_LOW, NONE);
 
     // First part of LP mem is reserved for ULP coprocessor
-#if CONFIG_ESP_SYSTEM_PMP_LP_CORE_RESERVE_MEM_EXECUTABLE
+#if CONFIG_ESP_SYSTEM_MEMPROT_PMP_LP_CORE_RESERVE_MEM_EXEC
     PMP_ENTRY_SET(12, (int)&_rtc_text_start, PMP_TOR | RWX);
 #else
     PMP_ENTRY_SET(12, (int)&_rtc_text_start, PMP_TOR | RW);

components/esp_hw_support/port/esp32c6/cpu_region_protect.c

@@ -90,12 +90,12 @@ void esp_cpu_configure_region_protection(void)
      *    - We cannot set the lock bit as we need to reconfigure it again for the application.
      *      We configure PMP to cover entire valid IRAM and DRAM range.
      *
-     * 2. Application build with CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT enabled
+     * 2. Application build with CONFIG_ESP_SYSTEM_MEMPROT enabled
      *    - We split the SRAM into IRAM and DRAM such that IRAM region cannot be written to
      *      and DRAM region cannot be executed. We use _iram_text_end and _data_start markers to set the boundaries.
      *      We also lock these entries so the R/W/X permissions are enforced even for machine mode
      *
-     * 3. Application build with CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT disabled
+     * 3. Application build with CONFIG_ESP_SYSTEM_MEMPROT disabled
      *    - The IRAM-DRAM split is not enabled so we just need to ensure that access to only valid address ranges are successful
      *      so for that we set PMP to cover entire valid IRAM and DRAM region.
      *      We also lock these entries so the R/W/X permissions are enforced even for machine mode
@@ -147,7 +147,7 @@ void esp_cpu_configure_region_protection(void)
         PMP_ENTRY_SET(3, pmpaddr3, PMP_NAPOT | RWX);
         _Static_assert(SOC_IRAM_LOW < SOC_IRAM_HIGH, "Invalid RAM region");
     } else {
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
         extern int _iram_text_end;
         // 3. IRAM and DRAM
         /* Reset the corresponding PMP config because PMP_ENTRY_SET only sets the given bits
@@ -167,7 +167,7 @@ void esp_cpu_configure_region_protection(void)
 #endif
     }
 
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
     extern int _instruction_reserved_end;
     extern int _rodata_reserved_end;
 
@@ -189,7 +189,7 @@ void esp_cpu_configure_region_protection(void)
 #endif
 
     // 5. LP memory
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
     extern int _rtc_text_start;
     extern int _rtc_text_end;
     /* Reset the corresponding PMP config because PMP_ENTRY_SET only sets the given bits
@@ -202,7 +202,7 @@ void esp_cpu_configure_region_protection(void)
     PMP_ENTRY_SET(9, SOC_RTC_IRAM_LOW, NONE);
 
     // First part of LP mem is reserved for ULP coprocessor
-#if CONFIG_ESP_SYSTEM_PMP_LP_CORE_RESERVE_MEM_EXECUTABLE
+#if CONFIG_ESP_SYSTEM_MEMPROT_PMP_LP_CORE_RESERVE_MEM_EXEC
     PMP_ENTRY_SET(10, (int)&_rtc_text_start, PMP_TOR | RWX);
 #else
     PMP_ENTRY_SET(10, (int)&_rtc_text_start, PMP_TOR | RW);

components/esp_hw_support/port/esp32c61/CMakeLists.txt

@@ -10,11 +10,6 @@ set(srcs "rtc_clk_init.c"
 
 if(NOT BOOTLOADER_BUILD)
     list(APPEND srcs "sar_periph_ctrl.c")
-
-    if(CONFIG_ESP_SYSTEM_MEMPROT_FEATURE)
-        list(APPEND srcs "esp_memprot.c" "../esp_memprot_conv.c")
-    endif()
-
 endif()
 
 add_prefix(srcs "${CMAKE_CURRENT_LIST_DIR}/" "${srcs}")

components/esp_hw_support/port/esp32c61/cpu_region_protect.c

@@ -98,12 +98,12 @@ void esp_cpu_configure_region_protection(void)
      *    - We cannot set the lock bit as we need to reconfigure it again for the application.
      *      We configure PMP to cover entire valid IRAM and DRAM range.
      *
-     * 2. Application build with CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT enabled
+     * 2. Application build with CONFIG_ESP_SYSTEM_MEMPROT enabled
      *    - We split the SRAM into IRAM and DRAM such that IRAM region cannot be written to
      *      and DRAM region cannot be executed. We use _iram_text_end and _data_start markers to set the boundaries.
      *      We also lock these entries so the R/W/X permissions are enforced even for machine mode
      *
-     * 3. Application build with CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT disabled
+     * 3. Application build with CONFIG_ESP_SYSTEM_MEMPROT disabled
      *    - The IRAM-DRAM split is not enabled so we just need to ensure that access to only valid address ranges are successful
      *      so for that we set PMP to cover entire valid IRAM and DRAM region.
      *      We also lock these entries so the R/W/X permissions are enforced even for machine mode
@@ -133,7 +133,7 @@ void esp_cpu_configure_region_protection(void)
     _Static_assert(SOC_CPU_SUBSYSTEM_LOW < SOC_CPU_SUBSYSTEM_HIGH, "Invalid CPU subsystem region");
 
     // 2. I/D-ROM
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
     const uint32_t drom_start = (uint32_t) (ets_rom_layout_p->drom_start);
     if ((drom_start & (SOC_CPU_PMP_REGION_GRANULARITY - 1)) == 0) {
         PMP_ENTRY_SET(1, SOC_IROM_MASK_LOW, NONE);
@@ -156,7 +156,7 @@ void esp_cpu_configure_region_protection(void)
         PMP_ENTRY_SET(5, SOC_IRAM_HIGH, PMP_TOR | RWX);
         _Static_assert(SOC_IRAM_LOW < SOC_IRAM_HIGH, "Invalid RAM region");
     } else {
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
         extern int _iram_text_end;
         /* Reset the corresponding PMP config because PMP_ENTRY_SET only sets the given bits
          * Bootloader might have given extra permissions and those won't be cleared
@@ -175,7 +175,7 @@ void esp_cpu_configure_region_protection(void)
     }
 
     // 4. I_Cache / D_Cache (flash)
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
     extern int _instruction_reserved_end;
     extern int _rodata_reserved_end;
 

components/esp_hw_support/port/esp32h2/cpu_region_protect.c

@@ -86,12 +86,12 @@ void esp_cpu_configure_region_protection(void)
      *    - We cannot set the lock bit as we need to reconfigure it again for the application.
      *      We configure PMP to cover entire valid IRAM and DRAM range.
      *
-     * 2. Application build with CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT enabled
+     * 2. Application build with CONFIG_ESP_SYSTEM_MEMPROT enabled
      *    - We split the SRAM into IRAM and DRAM such that IRAM region cannot be written to
      *      and DRAM region cannot be executed. We use _iram_text_end and _data_start markers to set the boundaries.
      *      We also lock these entries so the R/W/X permissions are enforced even for machine mode
      *
-     * 3. Application build with CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT disabled
+     * 3. Application build with CONFIG_ESP_SYSTEM_MEMPROT disabled
      *    - The IRAM-DRAM split is not enabled so we just need to ensure that access to only valid address ranges are successful
      *      so for that we set PMP to cover entire valid IRAM and DRAM region.
      *      We also lock these entries so the R/W/X permissions are enforced even for machine mode
@@ -143,7 +143,7 @@ void esp_cpu_configure_region_protection(void)
         PMP_ENTRY_SET(3, SOC_IRAM_HIGH, PMP_TOR | RWX);
         _Static_assert(SOC_IRAM_LOW < SOC_IRAM_HIGH, "Invalid RAM region");
     } else {
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
         extern int _iram_text_end;
         // 3. IRAM and DRAM
         /* Reset the corresponding PMP config because PMP_ENTRY_SET only sets the given bits
@@ -163,7 +163,7 @@ void esp_cpu_configure_region_protection(void)
 #endif
     }
 
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
     extern int _instruction_reserved_end;
     extern int _rodata_reserved_end;
 
@@ -185,7 +185,7 @@ void esp_cpu_configure_region_protection(void)
 #endif
 
     // 5. LP memory
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
     extern int _rtc_text_end;
     /* Reset the corresponding PMP config because PMP_ENTRY_SET only sets the given bits
      * Bootloader might have given extra permissions and those won't be cleared

components/esp_hw_support/port/esp32h21/cpu_region_protect.c

@@ -86,12 +86,12 @@ void esp_cpu_configure_region_protection(void)
      *    - We cannot set the lock bit as we need to reconfigure it again for the application.
      *      We configure PMP to cover entire valid IRAM and DRAM range.
      *
-     * 2. Application build with CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT enabled
+     * 2. Application build with CONFIG_ESP_SYSTEM_MEMPROT enabled
      *    - We split the SRAM into IRAM and DRAM such that IRAM region cannot be written to
      *      and DRAM region cannot be executed. We use _iram_text_end and _data_start markers to set the boundaries.
      *      We also lock these entries so the R/W/X permissions are enforced even for machine mode
      *
-     * 3. Application build with CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT disabled
+     * 3. Application build with CONFIG_ESP_SYSTEM_MEMPROT disabled
      *    - The IRAM-DRAM split is not enabled so we just need to ensure that access to only valid address ranges are successful
      *      so for that we set PMP to cover entire valid IRAM and DRAM region.
      *      We also lock these entries so the R/W/X permissions are enforced even for machine mode
@@ -135,7 +135,7 @@ void esp_cpu_configure_region_protection(void)
         PMP_ENTRY_SET(3, SOC_IRAM_HIGH, PMP_TOR | RWX);
         _Static_assert(SOC_IRAM_LOW < SOC_IRAM_HIGH, "Invalid RAM region");
     } else {
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
         extern int _iram_text_end;
         // 3. IRAM and DRAM
         /* Reset the corresponding PMP config because PMP_ENTRY_SET only sets the given bits
@@ -155,7 +155,7 @@ void esp_cpu_configure_region_protection(void)
 #endif
     }
 
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
     extern int _instruction_reserved_end;
     extern int _rodata_reserved_end;
 
@@ -177,7 +177,7 @@ void esp_cpu_configure_region_protection(void)
 #endif
 
     // 5. LP memory
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
     extern int _rtc_text_end;
     /* Reset the corresponding PMP config because PMP_ENTRY_SET only sets the given bits
      * Bootloader might have given extra permissions and those won't be cleared

components/esp_hw_support/port/esp32h4/CMakeLists.txt

@@ -14,11 +14,6 @@ endif()
 
 if(NOT BOOTLOADER_BUILD)
     # list(APPEND srcs "sar_periph_ctrl.c") // TODO: [ESP32H4] IDF-12368
-
-    if(CONFIG_ESP_SYSTEM_MEMPROT_FEATURE)
-        list(APPEND srcs "esp_memprot.c" "../esp_memprot_conv.c")
-    endif()
-
 endif()
 
 add_prefix(srcs "${CMAKE_CURRENT_LIST_DIR}/" "${srcs}")

components/esp_hw_support/port/esp32h4/cpu_region_protect.c

@@ -56,12 +56,12 @@ void esp_cpu_configure_region_protection(void)
      *    - We cannot set the lock bit as we need to reconfigure it again for the application.
      *      We configure PMP to cover entire valid IRAM and DRAM range.
      *
-     * 2. Application build with CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT enabled
+     * 2. Application build with CONFIG_ESP_SYSTEM_MEMPROT enabled
      *    - We split the SRAM into IRAM and DRAM such that IRAM region cannot be written to
      *      and DRAM region cannot be executed. We use _iram_end and _data_start markers to set the boundaries.
      *      We also lock these entries so the R/W/X permissions are enforced even for machine mode
      *
-     * 3. Application build with CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT disabled
+     * 3. Application build with CONFIG_ESP_SYSTEM_MEMPROT disabled
      *    - The IRAM-DRAM split is not enabled so we just need to ensure that access to only valid address ranges are successful
      *      so for that we set PMP to cover entire valid IRAM and DRAM region.
      *      We also lock these entries so the R/W/X permissions are enforced even for machine mode
@@ -113,7 +113,7 @@ void esp_cpu_configure_region_protection(void)
         PMP_ENTRY_SET(6, SOC_IRAM_HIGH, PMP_TOR | RWX);
         _Static_assert(SOC_IRAM_LOW < SOC_IRAM_HIGH, "Invalid RAM region");
     } else {
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
         extern int _iram_end;
         // 5. IRAM and DRAM
         /* Reset the corresponding PMP config because PMP_ENTRY_SET only sets the given bits
@@ -147,7 +147,7 @@ void esp_cpu_configure_region_protection(void)
     _Static_assert(SOC_DROM_LOW < SOC_DROM_HIGH, "Invalid D_Cache region");
 
     // 6. LP memory
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
     extern int _rtc_text_end;
     /* Reset the corresponding PMP config because PMP_ENTRY_SET only sets the given bits
      * Bootloader might have given extra permissions and those won't be cleared

components/esp_hw_support/port/esp32p4/cpu_region_protect.c

@@ -117,12 +117,12 @@ void esp_cpu_configure_region_protection(void)
      *    - We cannot set the lock bit as we need to reconfigure it again for the application.
      *      We configure PMP to cover entire valid IRAM and DRAM range.
      *
-     * 2. Application build with CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT enabled
+     * 2. Application build with CONFIG_ESP_SYSTEM_MEMPROT enabled
      *    - We split the SRAM into IRAM and DRAM such that IRAM region cannot be written to
      *      and DRAM region cannot be executed. We use _iram_text_end and _data_start markers to set the boundaries.
      *      We also lock these entries so the R/W/X permissions are enforced even for machine mode
      *
-     * 3. Application build with CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT disabled
+     * 3. Application build with CONFIG_ESP_SYSTEM_MEMPROT disabled
      *    - The IRAM-DRAM split is not enabled so we just need to ensure that access to only valid address ranges are successful
      *      so for that we set PMP to cover entire valid IRAM and DRAM region.
      *      We also lock these entries so the R/W/X permissions are enforced even for machine mode
@@ -171,7 +171,7 @@ void esp_cpu_configure_region_protection(void)
         PMP_ENTRY_SET(4, SOC_IRAM_HIGH, PMP_TOR | RWX);
         _Static_assert(SOC_IRAM_LOW < SOC_IRAM_HIGH, "Invalid RAM region");
     } else {
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
         extern int _iram_text_end;
         // 4. IRAM and DRAM
         /* Reset the corresponding PMP config because PMP_ENTRY_SET only sets the given bits
@@ -191,7 +191,7 @@ void esp_cpu_configure_region_protection(void)
 #endif
     }
 
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
     extern int _instruction_reserved_end;
     extern int _rodata_reserved_end;
 
@@ -231,7 +231,7 @@ void esp_cpu_configure_region_protection(void)
 #endif
 
     // 6. LP memory
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT && !BOOTLOADER_BUILD
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMP && !BOOTLOADER_BUILD
     extern int _rtc_text_start;
     extern int _rtc_text_end;
     /* Reset the corresponding PMP config because PMP_ENTRY_SET only sets the given bits
@@ -244,7 +244,7 @@ void esp_cpu_configure_region_protection(void)
     PMP_ENTRY_SET(11, SOC_RTC_IRAM_LOW, NONE);
     // First part of LP mem is reserved for RTC reserved mem (shared between bootloader and app)
     // as well as memory for ULP coprocessor
-#if CONFIG_ESP_SYSTEM_PMP_LP_CORE_RESERVE_MEM_EXECUTABLE
+#if CONFIG_ESP_SYSTEM_MEMPROT_PMP_LP_CORE_RESERVE_MEM_EXEC
     PMP_ENTRY_SET(12, (int)&_rtc_text_start, PMP_TOR | RWX);
 #else
     PMP_ENTRY_SET(12, (int)&_rtc_text_start, PMP_TOR | RW);

components/esp_hw_support/port/esp32s3/CMakeLists.txt

@@ -12,7 +12,7 @@ set(srcs
 if(NOT BOOTLOADER_BUILD)
     list(APPEND srcs "sar_periph_ctrl.c")
 
-    if(CONFIG_ESP_SYSTEM_MEMPROT_FEATURE)
+    if(CONFIG_ESP_SYSTEM_MEMPROT AND CONFIG_ESP_SYSTEM_MEMPROT_PMS)
         list(APPEND srcs "esp_memprot.c" "../esp_memprot_conv.c")
     endif()
 endif()

components/esp_security/CMakeLists.txt

@@ -30,12 +30,11 @@ if(NOT non_os_build)
     endif()
 
     list(APPEND srcs "src/esp_crypto_lock.c" "src/esp_crypto_periph_clk.c")
-    list(APPEND priv_requires efuse esp_hw_support esp_system esp_timer)
+    list(APPEND priv_requires efuse esp_system esp_timer)
 elseif(esp_tee_build)
     list(APPEND srcs "src/esp_crypto_lock.c" "src/esp_crypto_periph_clk.c"
                      "src/esp_hmac.c" "src/esp_ds.c")
     list(APPEND includes "src/${IDF_TARGET}")
-    list(APPEND priv_requires esp_hw_support)
 endif()
 
 idf_component_register(SRCS ${srcs}

components/esp_system/Kconfig

@@ -157,59 +157,65 @@ menu "ESP System Settings"
 
     endchoice
 
-    menu "Memory protection"
+    config ESP_SYSTEM_MEMPROT
-
+        bool "Enable memory protection"
-        config ESP_SYSTEM_PMP_IDRAM_SPLIT
+        default y
-            bool "Enable IRAM/DRAM split protection"
+        depends on SOC_CPU_IDRAM_SPLIT_USING_PMP || SECURE_ENABLE_TEE || SOC_MEMPROT_SUPPORTED
-            depends on SOC_CPU_IDRAM_SPLIT_USING_PMP && !SECURE_ENABLE_TEE
-            default "y"
         help
-                If enabled, the CPU watches all the memory access and raises an exception in case
+            This option enables memory protection for the valid memory regions.
-                of any memory violation. This feature automatically splits
+            This feature also automatically splits the ROM, RAM and flash memory into data and
-                the SRAM memory, using PMP, into data and instruction segments and sets Read/Execute permissions
+            instruction segments and sets Read/Execute permissions for the instruction part
-                for the instruction part (below given splitting address) and Read/Write permissions
+            (below given splitting address) and Read/Write permissions for the data part
-                for the data part (above the splitting address). The memory protection is effective
+            (above the splitting address). The memory protection is effective on all access
-                on all access through the IRAM0 and DRAM0 buses.
+            through the IRAM0 and DRAM0 buses.
 
-        config ESP_SYSTEM_PMP_LP_CORE_RESERVE_MEM_EXECUTABLE
+    choice ESP_SYSTEM_MEMPROT_MODE
+        prompt "Memory Protection configurations"
+        depends on ESP_SYSTEM_MEMPROT
+        default ESP_SYSTEM_MEMPROT_TEE if SECURE_ENABLE_TEE
+        default ESP_SYSTEM_MEMPROT_PMP if SOC_CPU_IDRAM_SPLIT_USING_PMP && !SECURE_ENABLE_TEE
+        default ESP_SYSTEM_MEMPROT_PMS if SOC_MEMPROT_SUPPORTED
+
+        config ESP_SYSTEM_MEMPROT_PMS
+            bool "Enable Permission Control Module (PMS) configurations"
+            depends on SOC_MEMPROT_SUPPORTED
+            help
+                    This option enables memory protection using the Permission Control Module (PMS).
+
+        config ESP_SYSTEM_MEMPROT_PMP
+            bool "Enable CPU's Physical Memory Protection (PMP) configurations"
+            depends on SOC_CPU_IDRAM_SPLIT_USING_PMP && !SECURE_ENABLE_TEE
+            help
+                    This option enables memory protection using CPU PMP.
+
+        config ESP_SYSTEM_MEMPROT_TEE
+            bool "Enable Trusted Execution Environment (TEE) configurations"
+            depends on SECURE_ENABLE_TEE
+            help
+                    This option enables the default memory protection provided by TEE.
+
+    endchoice
+
+
+    config ESP_SYSTEM_MEMPROT_PMS_LOCK
+        bool "Lock memory protection settings"
+        depends on ESP_SYSTEM_MEMPROT && ESP_SYSTEM_MEMPROT_PMS
+        default y
+        help
+                Once locked, memory protection settings cannot be changed anymore.
+                The lock is reset only on the chip startup.
+
+
+    config ESP_SYSTEM_MEMPROT_PMP_LP_CORE_RESERVE_MEM_EXEC
         bool "Make LP core reserved memory executable from HP core"
-            depends on IDF_TARGET_ARCH_RISCV && SOC_LP_CORE_SUPPORTED && ESP_SYSTEM_PMP_IDRAM_SPLIT
+        depends on ESP_SYSTEM_MEMPROT&& IDF_TARGET_ARCH_RISCV && SOC_LP_CORE_SUPPORTED && ESP_SYSTEM_MEMPROT_PMP
-            default "n"
+        default n
         help
                 If enabled, user can run code available in LP Core image.
 
                 Warning: on ESP32-P4 this will also mark the memory area used for BOOTLOADER_RESERVE_RTC_MEM
                 as executable. If you consider this a security risk then do not activate this option.
 
-        config ESP_SYSTEM_MEMPROT_FEATURE_VIA_TEE
-            bool "Enable memory protection (via TEE)"
-            depends on SECURE_ENABLE_TEE
-            default "y"
-            help
-                This option enables the default memory protection provided by TEE.
-
-        config ESP_SYSTEM_MEMPROT_FEATURE
-            bool "Enable memory protection"
-            depends on SOC_MEMPROT_SUPPORTED
-            default "y"
-            help
-                If enabled, the permission control module watches all the memory access and fires the panic handler
-                if a permission violation is detected. This feature automatically splits
-                the SRAM memory into data and instruction segments and sets Read/Execute permissions
-                for the instruction part (below given splitting address) and Read/Write permissions
-                for the data part (above the splitting address). The memory protection is effective
-                on all access through the IRAM0 and DRAM0 buses.
-
-        config ESP_SYSTEM_MEMPROT_FEATURE_LOCK
-            depends on ESP_SYSTEM_MEMPROT_FEATURE
-            bool "Lock memory protection settings"
-            default "y"
-            help
-                Once locked, memory protection settings cannot be changed anymore.
-                The lock is reset only on the chip startup.
-
-    endmenu  # Memory protection
-
     config ESP_SYSTEM_EVENT_QUEUE_SIZE
         int "System event queue size"
         default 32

components/esp_system/esp_system.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -8,13 +8,6 @@
 #include "esp_private/system_internal.h"
 #include "freertos/FreeRTOS.h"
 #include "freertos/task.h"
-#if CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
-#if CONFIG_IDF_TARGET_ESP32S2
-#include "esp32s2/memprot.h"
-#else
-#include "esp_memprot.h"
-#endif
-#endif
 
 #define SHUTDOWN_HANDLERS_NO 5
 

components/esp_system/port/arch/riscv/panic_arch.c

@@ -14,7 +14,7 @@
 #include "esp_private/cache_err_int.h"
 #include "soc/timer_periph.h"
 
-#if CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMS
 #include "esp_private/esp_memprot_internal.h"
 #include "esp_memprot.h"
 #endif
@@ -88,7 +88,7 @@ static inline void print_assist_debug_details(const void *frame)
  * Function called when a memory protection error occurs (PMS). It prints details such as the
  * explanation of why the panic occurred.
  */
-#if CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMS
 
 static esp_memp_intr_source_t s_memp_intr = {MEMPROT_TYPE_INVALID, -1};
 
@@ -151,7 +151,7 @@ static inline void print_memprot_err_details(const void *frame __attribute__((un
 
     panic_print_str("\r\n");
 }
-#endif
+#endif //CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMS
 
 static void panic_print_register_array(const char* names[], const uint32_t* regs, int size)
 {
@@ -256,13 +256,13 @@ void panic_soc_fill_info(void *f, panic_info_t *info)
         info->details = print_assist_debug_details;
     }
 #endif
-#if CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMS
     else if (frame->mcause == ETS_MEMPROT_ERR_INUM) {
         info->reason = "Memory protection fault";
         info->details = print_memprot_err_details;
         info->core = esp_mprot_get_active_intr(&s_memp_intr) == ESP_OK ? s_memp_intr.core : -1;
     }
-#endif
+#endif //CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMS
 }
 
 void panic_arch_fill_info(void *frame, panic_info_t *info)

components/esp_system/port/arch/xtensa/panic_arch.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -20,7 +20,7 @@
 
 #if !CONFIG_IDF_TARGET_ESP32
 #include "soc/rtc_cntl_reg.h"
-#if CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMS
 #ifdef CONFIG_IDF_TARGET_ESP32S2
 #include "esp32s2/memprot.h"
 #else
@@ -165,7 +165,7 @@ static void print_debug_exception_details(const void *f)
     }
 }
 
-#if CONFIG_IDF_TARGET_ESP32S2 && CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
+#if CONFIG_IDF_TARGET_ESP32S2 && CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMS
 #define MEMPROT_OP_INVALID 0xFFFFFFFF
 static inline void print_memprot_err_details(const void *f)
 {
@@ -198,7 +198,7 @@ static inline void print_memprot_err_details(const void *f)
     panic_print_str(esp_memprot_type_to_str(mem_type));
     panic_print_str(")\r\n");
 }
-#endif
+#endif //CONFIG_IDF_TARGET_ESP32S2 && CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMS
 
 static inline void print_cache_err_details(const void *f)
 {
@@ -304,7 +304,7 @@ void panic_soc_fill_info(void *f, panic_info_t *info)
 
     //MV note: ESP32S3 PMS handling?
     if (frame->exccause == PANIC_RSN_CACHEERR) {
-#if CONFIG_ESP_SYSTEM_MEMPROT_FEATURE && CONFIG_IDF_TARGET_ESP32S2
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMS && CONFIG_IDF_TARGET_ESP32S2
         if (esp_memprot_is_intr_ena_any()) {
             info->details = print_memprot_err_details;
             info->reason = "Memory protection fault";

components/esp_system/port/cpu_start.c

@@ -782,7 +782,7 @@ NOINLINE_ATTR static void system_early_init(const soc_reset_reason_t *rst_reas)
     esp_cache_err_int_init();
 #endif
 
-#if CONFIG_ESP_SYSTEM_MEMPROT_FEATURE && !CONFIG_ESP_SYSTEM_MEMPROT_TEST
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMS && !CONFIG_ESP_SYSTEM_MEMPROT_PMS_TEST
     // Memprot cannot be locked during OS startup as the lock-on prevents any PMS changes until a next reboot
     // If such a situation appears, it is likely an malicious attempt to bypass the system safety setup -> print error & reset
 
@@ -799,14 +799,14 @@ NOINLINE_ATTR static void system_early_init(const soc_reset_reason_t *rst_reas)
     //default configuration of PMS Memprot
     esp_err_t memp_err = ESP_OK;
 #if CONFIG_IDF_TARGET_ESP32S2 //specific for ESP32S2 unless IDF-3024 is merged
-#if CONFIG_ESP_SYSTEM_MEMPROT_FEATURE_LOCK
+#if CONFIG_ESP_SYSTEM_MEMPROT_PMS_LOCK
     memp_err = esp_memprot_set_prot(PANIC_HNDL_ON, MEMPROT_LOCK, NULL);
 #else
     memp_err = esp_memprot_set_prot(PANIC_HNDL_ON, MEMPROT_UNLOCK, NULL);
 #endif
 #else //CONFIG_IDF_TARGET_ESP32S2 specific end
     esp_memp_config_t memp_cfg = ESP_MEMPROT_DEFAULT_CONFIG();
-#if !CONFIG_ESP_SYSTEM_MEMPROT_FEATURE_LOCK
+#if !CONFIG_ESP_SYSTEM_MEMPROT_PMS_LOCK
     memp_cfg.lock_feature = false;
 #endif
     memp_err = esp_mprot_set_prot(&memp_cfg);
@@ -816,7 +816,7 @@ NOINLINE_ATTR static void system_early_init(const soc_reset_reason_t *rst_reas)
         ESP_EARLY_LOGE(TAG, "Failed to set Memprot feature (0x%08X: %s), rebooting.", memp_err, esp_err_to_name(memp_err));
         esp_restart_noos();
     }
-#endif //CONFIG_ESP_SYSTEM_MEMPROT_FEATURE && !CONFIG_ESP_SYSTEM_MEMPROT_TEST
+#endif //CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMS && !CONFIG_ESP_SYSTEM_MEMPROT_PMS_TEST
 
 #if !CONFIG_APP_BUILD_TYPE_PURE_RAM_APP
     // External devices (including SPI0/1, cache) should be initialized

components/esp_system/port/panic_handler.c

@@ -24,14 +24,6 @@
 #include "sdkconfig.h"
 #include "esp_rom_sys.h"
 
-#if CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
-#ifdef CONFIG_IDF_TARGET_ESP32S2
-#include "esp32s2/memprot.h"
-#else
-#include "esp_memprot.h"
-#endif
-#endif
-
 #include "esp_private/panic_internal.h"
 #include "esp_private/panic_reason.h"
 

components/esp_system/sdkconfig.rename

@@ -40,3 +40,9 @@ CONFIG_BROWNOUT_DET_LVL_SEL_5                           CONFIG_ESP_BROWNOUT_DET_
 CONFIG_BROWNOUT_DET_LVL_SEL_6                           CONFIG_ESP_BROWNOUT_DET_LVL_SEL_6
 CONFIG_BROWNOUT_DET_LVL_SEL_7                           CONFIG_ESP_BROWNOUT_DET_LVL_SEL_7
 CONFIG_BROWNOUT_DET_LVL                                 CONFIG_ESP_BROWNOUT_DET_LVL
+
+CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT                       CONFIG_ESP_SYSTEM_MEMPROT
+CONFIG_ESP_SYSTEM_PMP_LP_CORE_RESERVE_MEM_EXECUTABLE    CONFIG_ESP_SYSTEM_MEMPROT_PMP_LP_CORE_RESERVE_MEM_EXEC
+CONFIG_ESP_SYSTEM_MEMPROT_FEATURE_VIA_TEE               CONFIG_ESP_SYSTEM_MEMPROT
+CONFIG_ESP_SYSTEM_MEMPROT_FEATURE                       CONFIG_ESP_SYSTEM_MEMPROT
+CONFIG_ESP_SYSTEM_MEMPROT_FEATURE_LOCK                  CONFIG_ESP_SYSTEM_MEMPROT_PMS_LOCK

components/esp_system/sdkconfig.rename.esp32c3

@@ -1,8 +1,8 @@
 # sdkconfig replacement configurations for deprecated options formatted as
 # CONFIG_DEPRECATED_OPTION CONFIG_NEW_OPTION
 
-CONFIG_ESP32C3_MEMPROT_FEATURE                          CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
+CONFIG_ESP32C3_MEMPROT_FEATURE                          CONFIG_ESP_SYSTEM_MEMPROT
-CONFIG_ESP32C3_MEMPROT_FEATURE_LOCK                     CONFIG_ESP_SYSTEM_MEMPROT_FEATURE_LOCK
+CONFIG_ESP32C3_MEMPROT_FEATURE_LOCK                     CONFIG_ESP_SYSTEM_MEMPROT_PMS_LOCK
 CONFIG_ESP32C3_DEBUG_OCDAWARE                           CONFIG_ESP_DEBUG_OCDAWARE
 
 CONFIG_ESP32C3_BROWNOUT_DET                             CONFIG_ESP_BROWNOUT_DET

components/esp_system/sdkconfig.rename.esp32s2

@@ -6,8 +6,8 @@ CONFIG_ESP32S2_PANIC_PRINT_HALT                         CONFIG_ESP_SYSTEM_PANIC_
 CONFIG_ESP32S2_PANIC_PRINT_REBOOT                       CONFIG_ESP_SYSTEM_PANIC_PRINT_REBOOT
 CONFIG_ESP32S2_PANIC_SILENT_REBOOT                      CONFIG_ESP_SYSTEM_PANIC_SILENT_REBOOT
 CONFIG_ESP32S2_PANIC_GDBSTUB                            CONFIG_ESP_SYSTEM_PANIC_GDBSTUB
-CONFIG_ESP32S2_MEMPROT_FEATURE                          CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
+CONFIG_ESP32S2_MEMPROT_FEATURE                          CONFIG_ESP_SYSTEM_MEMPROT
-CONFIG_ESP32S2_MEMPROT_FEATURE_LOCK                     CONFIG_ESP_SYSTEM_MEMPROT_FEATURE_LOCK
+CONFIG_ESP32S2_MEMPROT_FEATURE_LOCK                     CONFIG_ESP_SYSTEM_MEMPROT_PMS_LOCK
 CONFIG_ESP32S2_ALLOW_RTC_FAST_MEM_AS_HEAP               CONFIG_ESP_SYSTEM_ALLOW_RTC_FAST_MEM_AS_HEAP
 CONFIG_ESP32S2_DEBUG_OCDAWARE                           CONFIG_ESP_DEBUG_OCDAWARE
 CONFIG_ESP32S2_NO_BLOBS                                 CONFIG_APP_NO_BLOBS

components/esp_tee/Kconfig.projbuild

@@ -3,7 +3,6 @@ menu "ESP-TEE (Trusted Execution Environment)"
 
     config SECURE_ENABLE_TEE
         bool "Enable the ESP-TEE framework"
-        select ESP_SYSTEM_MEMPROT_FEATURE_VIA_TEE
         help
             This configuration enables the Trusted Execution Environment (TEE) feature.
 

components/hal/test_apps/tee/sdkconfig.defaults

@@ -3,4 +3,4 @@ CONFIG_FREERTOS_HZ=1000
 CONFIG_ESP_INT_WDT=n
 CONFIG_ESP_TASK_WDT_INIT=n
 CONFIG_BOOTLOADER_LOG_LEVEL_WARN=y
-CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT=n
+CONFIG_ESP_SYSTEM_MEMPROT=n

components/heap/port/esp32c2/memory_layout.c

@@ -32,7 +32,7 @@ enum {
     SOC_MEMORY_TYPE_NUM,
 };
 
-#ifdef CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT
+#ifdef CONFIG_ESP_SYSTEM_MEMPROT
 #define ESP32C2_MEM_COMMON_CAPS (MALLOC_CAP_DEFAULT | MALLOC_CAP_DMA | MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL | MALLOC_CAP_32BIT)
 #else
 #define ESP32C2_MEM_COMMON_CAPS (MALLOC_CAP_DEFAULT | MALLOC_CAP_DMA | MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL | MALLOC_CAP_32BIT | MALLOC_CAP_EXEC)

components/heap/port/esp32c3/memory_layout.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2020-2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -34,7 +34,7 @@ enum {
 };
 
 /* COMMON_CAPS is the set of attributes common to all types of memory on this chip */
-#ifdef CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
+#ifdef CONFIG_ESP_SYSTEM_MEMPROT
 #define ESP32C3_MEM_COMMON_CAPS (MALLOC_CAP_DEFAULT | MALLOC_CAP_INTERNAL | MALLOC_CAP_32BIT | MALLOC_CAP_8BIT)
 #else
 #define ESP32C3_MEM_COMMON_CAPS (MALLOC_CAP_DEFAULT | MALLOC_CAP_INTERNAL | MALLOC_CAP_32BIT | MALLOC_CAP_8BIT | MALLOC_CAP_EXEC)
@@ -43,11 +43,11 @@ enum {
 /**
  * Defined the attributes and allocation priority of each memory on the chip,
  * The heap allocator will traverse all types of memory types in column High Priority Matching and match the specified caps at first,
- * if no memory caps matched or the allocation is failed, it will go to columns Medium Priorty Matching and Low Priority Matching
+ * if no memory caps matched or the allocation is failed, it will go to columns Medium Priority Matching and Low Priority Matching
  * in turn to continue matching.
  */
 const soc_memory_type_desc_t soc_memory_types[SOC_MEMORY_TYPE_NUM] = {
-    /*                                   Mem Type Name   | High Priority Matching                  | Medium Priorty Matching                 | Low Priority Matching */
+    /*                                   Mem Type Name   | High Priority Matching                  | Medium Priority Matching                 | Low Priority Matching */
     [SOC_MEMORY_TYPE_RAM]           = { "RAM",           { ESP32C3_MEM_COMMON_CAPS | MALLOC_CAP_DMA, 0 ,                                       0}},
     [SOC_MEMORY_TYPE_RETENTION_RAM] = { "Retention RAM", { MALLOC_CAP_RETENTION,                     ESP32C3_MEM_COMMON_CAPS | MALLOC_CAP_DMA, 0}},
     [SOC_MEMORY_TYPE_RTCRAM]        = { "RTCRAM",        { MALLOC_CAP_RTCRAM,                        0,                                        ESP32C3_MEM_COMMON_CAPS }},

components/heap/port/esp32c5/memory_layout.c

@@ -34,7 +34,7 @@ enum {
 };
 
 /* COMMON_CAPS is the set of attributes common to all types of memory on this chip */
-#ifdef CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT
+#ifdef CONFIG_ESP_SYSTEM_MEMPROT
 #define ESP32C5_MEM_COMMON_CAPS (MALLOC_CAP_DEFAULT | MALLOC_CAP_INTERNAL | MALLOC_CAP_32BIT | MALLOC_CAP_8BIT)
 #else
 #define ESP32C5_MEM_COMMON_CAPS (MALLOC_CAP_DEFAULT | MALLOC_CAP_INTERNAL | MALLOC_CAP_32BIT | MALLOC_CAP_8BIT | MALLOC_CAP_EXEC)

components/heap/port/esp32c6/memory_layout.c

@@ -38,7 +38,7 @@ enum {
 };
 
 /* COMMON_CAPS is the set of attributes common to all types of memory on this chip */
-#ifdef CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT
+#ifdef CONFIG_ESP_SYSTEM_MEMPROT
 #define ESP32C6_MEM_COMMON_CAPS (MALLOC_CAP_DEFAULT | MALLOC_CAP_INTERNAL | MALLOC_CAP_32BIT | MALLOC_CAP_8BIT)
 #else
 #define ESP32C6_MEM_COMMON_CAPS (MALLOC_CAP_DEFAULT | MALLOC_CAP_INTERNAL | MALLOC_CAP_32BIT | MALLOC_CAP_8BIT | MALLOC_CAP_EXEC)

components/heap/port/esp32c61/memory_layout.c

@@ -36,7 +36,7 @@ enum {
 };
 
 /* COMMON_CAPS is the set of attributes common to all types of memory on this chip */
-#ifdef CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT
+#ifdef CONFIG_ESP_SYSTEM_MEMPROT
 #define ESP32C61_MEM_COMMON_CAPS (MALLOC_CAP_DEFAULT | MALLOC_CAP_INTERNAL | MALLOC_CAP_32BIT | MALLOC_CAP_8BIT)
 #else
 #define ESP32C61_MEM_COMMON_CAPS (MALLOC_CAP_DEFAULT | MALLOC_CAP_INTERNAL | MALLOC_CAP_32BIT | MALLOC_CAP_8BIT | MALLOC_CAP_EXEC)

components/heap/port/esp32h2/memory_layout.c

@@ -36,7 +36,7 @@ enum {
 };
 
 /* COMMON_CAPS is the set of attributes common to all types of memory on this chip */
-#ifdef CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT
+#ifdef CONFIG_ESP_SYSTEM_MEMPROT
 #define ESP32H2_MEM_COMMON_CAPS (MALLOC_CAP_DEFAULT | MALLOC_CAP_INTERNAL | MALLOC_CAP_32BIT | MALLOC_CAP_8BIT)
 #else
 #define ESP32H2_MEM_COMMON_CAPS (MALLOC_CAP_DEFAULT | MALLOC_CAP_INTERNAL | MALLOC_CAP_32BIT | MALLOC_CAP_8BIT | MALLOC_CAP_EXEC)

components/heap/port/esp32h21/memory_layout.c

@@ -32,7 +32,7 @@ enum {
 };
 
 /* COMMON_CAPS is the set of attributes common to all types of memory on this chip */
-#ifdef CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT
+#ifdef CONFIG_ESP_SYSTEM_MEMPROT
 #define ESP32H21_MEM_COMMON_CAPS (MALLOC_CAP_DEFAULT | MALLOC_CAP_INTERNAL | MALLOC_CAP_32BIT | MALLOC_CAP_8BIT)
 #else
 #define ESP32H21_MEM_COMMON_CAPS (MALLOC_CAP_DEFAULT | MALLOC_CAP_INTERNAL | MALLOC_CAP_32BIT | MALLOC_CAP_8BIT | MALLOC_CAP_EXEC)

components/heap/port/esp32h4/memory_layout.c

@@ -36,7 +36,7 @@ enum {
 };
 
 /* COMMON_CAPS is the set of attributes common to all types of memory on this chip */
-#ifdef CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT
+#ifdef CONFIG_ESP_SYSTEM_MEMPROT
 #define ESP32H4_MEM_COMMON_CAPS (MALLOC_CAP_DEFAULT | MALLOC_CAP_INTERNAL | MALLOC_CAP_32BIT | MALLOC_CAP_8BIT)
 #else
 #define ESP32H4_MEM_COMMON_CAPS (MALLOC_CAP_DEFAULT | MALLOC_CAP_INTERNAL | MALLOC_CAP_32BIT | MALLOC_CAP_8BIT | MALLOC_CAP_EXEC)

components/heap/port/esp32p4/memory_layout.c

@@ -36,7 +36,7 @@ enum {
 /* COMMON_CAPS is the set of attributes common to all types of memory on this chip */
 #define ESP32P4_MEM_COMMON_CAPS (MALLOC_CAP_DEFAULT | MALLOC_CAP_32BIT | MALLOC_CAP_8BIT)
 
-#ifdef CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT
+#ifdef CONFIG_ESP_SYSTEM_MEMPROT
 #define MALLOC_L2MEM_BASE_CAPS      ESP32P4_MEM_COMMON_CAPS | MALLOC_CAP_INTERNAL | MALLOC_CAP_DMA
 #define MALLOC_RTCRAM_BASE_CAPS     ESP32P4_MEM_COMMON_CAPS | MALLOC_CAP_INTERNAL
 #else

components/heap/port/esp32s2/memory_layout.c

@@ -40,7 +40,7 @@ enum {
 /* COMMON_CAPS is the set of attributes common to all types of memory on this chip */
 #define ESP32S2_MEM_COMMON_CAPS (MALLOC_CAP_DEFAULT | MALLOC_CAP_32BIT | MALLOC_CAP_8BIT)
 
-#ifdef CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
+#ifdef CONFIG_ESP_SYSTEM_MEMPROT
 #define MALLOC_DIRAM_BASE_CAPS    ESP32S2_MEM_COMMON_CAPS | MALLOC_CAP_INTERNAL | MALLOC_CAP_DMA
 #define MALLOC_RTCRAM_BASE_CAPS   ESP32S2_MEM_COMMON_CAPS | MALLOC_CAP_INTERNAL
 #else

components/heap/port/esp32s3/memory_layout.c

@@ -41,7 +41,7 @@ enum {
 #define ESP32S3_MEM_COMMON_CAPS (MALLOC_CAP_DEFAULT | MALLOC_CAP_32BIT | MALLOC_CAP_8BIT)
 
 
-#ifdef CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
+#ifdef CONFIG_ESP_SYSTEM_MEMPROT
 #define MALLOC_DIRAM_BASE_CAPS      ESP32S3_MEM_COMMON_CAPS | MALLOC_CAP_INTERNAL | MALLOC_CAP_DMA | MALLOC_CAP_RETENTION
 #define MALLOC_RTCRAM_BASE_CAPS     ESP32S3_MEM_COMMON_CAPS | MALLOC_CAP_INTERNAL
 #else
@@ -82,7 +82,7 @@ const size_t soc_memory_type_count = sizeof(soc_memory_types) / sizeof(soc_memor
 #define APP_USABLE_DRAM_END           (SOC_ROM_STACK_START - SOC_ROM_STACK_SIZE)
 
 const soc_memory_region_t soc_memory_regions[] = {
-#if CONFIG_ESP32S3_INSTRUCTION_CACHE_16KB && !defined(CONFIG_ESP_SYSTEM_MEMPROT_FEATURE)
+#if CONFIG_ESP32S3_INSTRUCTION_CACHE_16KB && !defined(CONFIG_ESP_SYSTEM_MEMPROT)
     { 0x40374000,           0x4000,                                     SOC_MEMORY_TYPE_IRAM,   0,                                      false}, //Level 1, IRAM
 #endif
     { 0x3FC88000,           0x8000,                                     SOC_MEMORY_TYPE_DIRAM,  0x40378000,                             false}, //Level 2, IDRAM, can be used as trace memory

components/heap/test_apps/heap_tests/main/test_diram.c

@@ -15,7 +15,7 @@
 
 #define ALLOC_SZ 1024
 
-#if  !(CONFIG_ESP_SYSTEM_MEMPROT_FEATURE || CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT)
+#if !CONFIG_ESP_SYSTEM_MEMPROT
 static void *malloc_block_diram(uint32_t caps)
 {
     void *attempts[256] = { 0 }; // Allocate up to 256 ALLOC_SZ blocks to exhaust all non-D/IRAM memory temporarily
@@ -78,4 +78,4 @@ TEST_CASE("Allocate D/IRAM as IRAM", "[heap][qemu-ignore]")
 
     free(iram);
 }
-#endif // !(CONFIG_ESP_SYSTEM_MEMPROT_FEATURE || CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT)
+#endif // !CONFIG_ESP_SYSTEM_MEMPROT

components/heap/test_apps/heap_tests/main/test_malloc_caps.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Unlicense OR CC0-1.0
  */
@@ -18,7 +18,7 @@
 #include <stdlib.h>
 #include <sys/param.h>
 
-#if  !(CONFIG_ESP_SYSTEM_MEMPROT_FEATURE || CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT) && !(CONFIG_HEAP_TASK_TRACKING)
+#if !CONFIG_ESP_SYSTEM_MEMPROT && !CONFIG_HEAP_TASK_TRACKING
 TEST_CASE("Capabilities allocator test", "[heap]")
 {
     char *m1, *m2[10];
@@ -108,7 +108,7 @@ TEST_CASE("Capabilities allocator test", "[heap]")
     free(m1);
     printf("Done.\n");
 }
-#endif // !(CONFIG_ESP_SYSTEM_MEMPROT_FEATURE || CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT) && !(CONFIG_HEAP_TASK_TRACKING)
+#endif // !CONFIG_ESP_SYSTEM_MEMPROT && !CONFIG_HEAP_TASK_TRACKING
 
 #ifdef CONFIG_ESP32_IRAM_AS_8BIT_ACCESSIBLE_MEMORY
 TEST_CASE("IRAM_8BIT capability test", "[heap]")
@@ -230,7 +230,7 @@ TEST_CASE("heap caps minimum free bytes fault cases", "[heap]")
 /* Small function runs from IRAM to check that malloc/free/realloc
    all work OK when cache is disabled...
 */
-#if !(CONFIG_ESP_SYSTEM_MEMPROT_FEATURE || CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT) && !CONFIG_HEAP_PLACE_FUNCTION_INTO_FLASH && !CONFIG_HEAP_TASK_TRACKING
+#if !CONFIG_ESP_SYSTEM_MEMPROT && !CONFIG_HEAP_PLACE_FUNCTION_INTO_FLASH && !CONFIG_HEAP_TASK_TRACKING
 static IRAM_ATTR __attribute__((noinline)) bool iram_malloc_test(void)
 {
     spi_flash_guard_get()->start(); // Disables flash cache
@@ -252,7 +252,7 @@ TEST_CASE("heap_caps_xxx functions work with flash cache disabled", "[heap]")
 {
     TEST_ASSERT( iram_malloc_test() );
 }
-#endif // !(CONFIG_ESP_SYSTEM_MEMPROT_FEATURE || CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT) && !CONFIG_HEAP_PLACE_FUNCTION_INTO_FLASH && !CONFIG_HEAP_TASK_TRACKING
+#endif // !CONFIG_ESP_SYSTEM_MEMPROT && !CONFIG_HEAP_PLACE_FUNCTION_INTO_FLASH && !CONFIG_HEAP_TASK_TRACKING
 
 #ifdef CONFIG_HEAP_ABORT_WHEN_ALLOCATION_FAILS
 TEST_CASE("When enabled, allocation operation failure generates an abort", "[heap][reset=abort,SW_CPU_RESET]")
@@ -342,7 +342,7 @@ TEST_CASE("test memory protection features", "[heap][mem_prot]")
     // no memory is being allocated
     uint32_t *iram_ptr = heap_caps_malloc(4, MALLOC_CAP_EXEC);
 
-#if !(CONFIG_ESP_SYSTEM_MEMPROT_FEATURE || CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT)
+#if !CONFIG_ESP_SYSTEM_MEMPROT
     // System memory protection not active, check that iram_ptr is not null
     // Check that iram_ptr is in IRAM
     TEST_ASSERT_NOT_NULL(iram_ptr);
@@ -353,5 +353,5 @@ TEST_CASE("test memory protection features", "[heap][mem_prot]")
 #else
     // System memory protection is active, DIRAM seen as DRAM, iram_ptr should be null
     TEST_ASSERT_NULL(iram_ptr);
-#endif // !(CONFIG_ESP_SYSTEM_MEMPROT_FEATURE || CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT)
+#endif // !CONFIG_ESP_SYSTEM_MEMPROT
 }

components/heap/test_apps/heap_tests/main/test_realloc.c

@@ -29,7 +29,7 @@ TEST_CASE("realloc shrink buffer in place", "[heap]")
 
 #endif
 
-#if !(CONFIG_ESP_SYSTEM_MEMPROT_FEATURE || CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT)
+#if !CONFIG_ESP_SYSTEM_MEMPROT
 TEST_CASE("realloc shrink buffer with EXEC CAPS", "[heap]")
 {
     const size_t buffer_size = 64;
@@ -68,4 +68,4 @@ TEST_CASE("realloc move data to a new heap type", "[heap]")
 
     free(c);
 }
-#endif // !(CONFIG_ESP_SYSTEM_MEMPROT_FEATURE || CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT)
+#endif // !CONFIG_ESP_SYSTEM_MEMPROT

components/heap/test_apps/heap_tests/sdkconfig.ci.mem_prot

@@ -1 +1 @@
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=y
+CONFIG_ESP_SYSTEM_MEMPROT=y

components/heap/test_apps/heap_tests/sdkconfig.defaults

@@ -1,7 +1,6 @@
 CONFIG_COMPILER_DUMP_RTL_FILES=y
 CONFIG_ESP_TASK_WDT_CHECK_IDLE_TASK_CPU0=n
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=n # memory protection needs to be disabled for certain tests
+CONFIG_ESP_SYSTEM_MEMPROT=n # for c2 and c6 this config must be disabled for certain tests
-CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT=n # for c2 and c6 this config must be disabled for certain tests
 
 CONFIG_COMPILER_STACK_CHECK_MODE_ALL=y
 CONFIG_COMPILER_STACK_CHECK=y

components/mbedtls/CMakeLists.txt

@@ -23,6 +23,7 @@ if(NOT ${IDF_TARGET} STREQUAL "linux")
     set(priv_requires soc esp_hw_support)
     if(NOT BOOTLOADER_BUILD)
         list(APPEND priv_requires esp_pm)
+        set(requires esp_security)
     endif()
 endif()
 
@@ -41,6 +42,7 @@ endif()
 idf_component_register(SRCS "${mbedtls_srcs}"
     INCLUDE_DIRS "${mbedtls_include_dirs}"
     PRIV_REQUIRES "${priv_requires}"
+    REQUIRES "${requires}"
     )
 
 # Determine the type of mbedtls component library

components/mbedtls/test_apps/sdkconfig.defaults.esp32c2

@@ -1,2 +1,2 @@
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=n
+CONFIG_ESP_SYSTEM_MEMPROT=n
 CONFIG_ESPTOOLPY_FLASHSIZE_2MB=y

components/mbedtls/test_apps/sdkconfig.defaults.esp32c3

@@ -1 +1 @@
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=n
+CONFIG_ESP_SYSTEM_MEMPROT=n

components/mbedtls/test_apps/sdkconfig.defaults.esp32s2

@@ -1,2 +1,2 @@
 CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_240=y
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=n
+CONFIG_ESP_SYSTEM_MEMPROT=n

components/mbedtls/test_apps/sdkconfig.defaults.esp32s3

@@ -1,2 +1,2 @@
 CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_240=y
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=n
+CONFIG_ESP_SYSTEM_MEMPROT=n

components/nvs_sec_provider/CMakeLists.txt

@@ -12,7 +12,8 @@ endif()
 
 idf_component_register(SRCS ${srcs}
                        INCLUDE_DIRS include
-                       PRIV_REQUIRES bootloader_support efuse esp_partition nvs_flash)
+                       PRIV_REQUIRES bootloader_support efuse esp_partition nvs_flash
+                       REQUIRES esp_security)
 
 # NOTE: In a case where only the default NVS partition is to be encrypted
 # and no custom NVS partitions exist, `nvs_flash_init` is the only API that

components/riscv/vectors_clic.S

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -8,11 +8,7 @@
 
 /* If memory protection interrupts are meant to trigger a panic, attach them to panic handler,
  * else, attach them to the interrupt handler. */
-#if CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
+#define MEMPROT_ISR _interrupt_handler
-    #define MEMPROT_ISR _panic_handler
-#else
-    #define MEMPROT_ISR _interrupt_handler
-#endif // CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
 
 #if CONFIG_ESP_SYSTEM_HW_STACK_GUARD
     #define ASTDBG_ISR _panic_handler

components/riscv/vectors_intc.S

@@ -12,11 +12,11 @@
 
 /* If memory protection interrupts are meant to trigger a panic, attach them to panic handler,
  * else, attach them to the interrupt handler. */
-#if CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
+#if CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMS
     #define MEMPROT_ISR _panic_handler
 #else
     #define MEMPROT_ISR _interrupt_handler
-#endif // CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
+#endif // CONFIG_ESP_SYSTEM_MEMPROT && CONFIG_ESP_SYSTEM_MEMPROT_PMS
 
 /* Same goes for the assist debug interrupt */
 #if CONFIG_ESP_SYSTEM_HW_STACK_GUARD

components/spi_flash/CMakeLists.txt

@@ -53,6 +53,10 @@ else()
 
     list(APPEND srcs ${cache_srcs})
     set(priv_requires bootloader_support soc esp_mm)
+
+    if(${target} STREQUAL "esp32s2")
+        list(APPEND priv_requires esp_security)
+    endif()
 endif()
 
 idf_component_register(SRCS "${srcs}"

components/spi_flash/test_apps/esp_flash/sdkconfig.ci.special

@@ -2,6 +2,6 @@
 CONFIG_ESP_TASK_WDT_EN=n
 CONFIG_PARTITION_TABLE_CUSTOM=y
 CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions.csv"
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=n
+CONFIG_ESP_SYSTEM_MEMPROT=n
 CONFIG_FREERTOS_PLACE_FUNCTIONS_INTO_FLASH=y
 CONFIG_COMPILER_OPTIMIZATION_NONE=y

components/spi_flash/test_apps/mspi_test/sdkconfig.ci.psram

@@ -8,4 +8,4 @@ CONFIG_SPIRAM_USE_CAPS_ALLOC=y
 CONFIG_SPIRAM_FETCH_INSTRUCTIONS=y
 CONFIG_SPIRAM_RODATA=y
 CONFIG_SPIRAM_ALLOW_BSS_SEG_EXTERNAL_MEMORY=y
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=n
+CONFIG_ESP_SYSTEM_MEMPROT=n

components/spi_flash/test_apps/mspi_test/sdkconfig.ci.release

@@ -3,4 +3,4 @@ CONFIG_COMPILER_OPTIMIZATION_SIZE=y
 CONFIG_BOOTLOADER_COMPILER_OPTIMIZATION_SIZE=y
 CONFIG_COMPILER_OPTIMIZATION_ASSERTIONS_SILENT=y
 CONFIG_SPI_FLASH_ENABLE_COUNTERS=y
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=n
+CONFIG_ESP_SYSTEM_MEMPROT=n

components/spi_flash/test_apps/mspi_test/sdkconfig.ci.special

@@ -1,5 +1,5 @@
 # This config lists merged freertos_flash no_optimization in UT all together.
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=n
+CONFIG_ESP_SYSTEM_MEMPROT=n
 CONFIG_FREERTOS_PLACE_FUNCTIONS_INTO_FLASH=y
 CONFIG_COMPILER_OPTIMIZATION_NONE=y
 CONFIG_COMPILER_OPTIMIZATION_ASSERTIONS_SILENT=y

components/spi_flash/test_apps/mspi_test/sdkconfig.defaults

@@ -1,4 +1,4 @@
 CONFIG_ESP_TASK_WDT_EN=n
 CONFIG_PARTITION_TABLE_CUSTOM=y
 CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions.csv"
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=n
+CONFIG_ESP_SYSTEM_MEMPROT=n

docs/doxygen/Doxyfile

@@ -171,8 +171,6 @@ INPUT = \
     $(PROJECT_PATH)/components/esp_hw_support/include/esp_cpu.h \
     $(PROJECT_PATH)/components/esp_hw_support/include/esp_crc.h \
     $(PROJECT_PATH)/components/esp_hw_support/include/esp_etm.h \
-    $(PROJECT_PATH)/components/esp_hw_support/include/esp_ds.h \
-    $(PROJECT_PATH)/components/esp_hw_support/include/esp_hmac.h \
     $(PROJECT_PATH)/components/esp_hw_support/include/esp_intr_alloc.h \
     $(PROJECT_PATH)/components/esp_hw_support/include/esp_intr_types.h \
     $(PROJECT_PATH)/components/esp_hw_support/include/esp_mac.h \
@@ -204,6 +202,8 @@ INPUT = \
     $(PROJECT_PATH)/components/esp_pm/include/esp_pm.h \
     $(PROJECT_PATH)/components/esp_ringbuf/include/freertos/ringbuf.h \
     $(PROJECT_PATH)/components/esp_rom/include/esp_rom_sys.h \
+    $(PROJECT_PATH)/components/esp_security/include/esp_ds.h \
+    $(PROJECT_PATH)/components/esp_security/include/esp_hmac.h \
     $(PROJECT_PATH)/components/esp_system/include/esp_expression_with_stack.h \
     $(PROJECT_PATH)/components/esp_system/include/esp_freertos_hooks.h \
     $(PROJECT_PATH)/components/esp_system/include/esp_ipc_isr.h \

docs/en/api-guides/fatal-errors.rst

@@ -423,7 +423,7 @@ In some situations, ESP-IDF will temporarily disable access to external SPI flas
     * writing to instruction RAM after the program is loaded
     * executing code from data RAM (areas used for heap and static .data and .bss)
 
-    Such operations are not necessary for most programs. Prohibiting such operations typically makes software vulnerabilities harder to exploit. Applications which rely on dynamic loading or self-modifying code may disable this protection using :ref:`CONFIG_ESP_SYSTEM_MEMPROT_FEATURE` Kconfig option.
+    Such operations are not necessary for most programs. Prohibiting such operations typically makes software vulnerabilities harder to exploit. Applications which rely on dynamic loading or self-modifying code may disable this protection using :ref:`CONFIG_ESP_SYSTEM_MEMPROT` Kconfig option.
 
     When the fault occurs, the panic handler reports the address of the fault and the type of memory access that caused it.
 

docs/en/security/security.rst

@@ -108,7 +108,7 @@ Flash Encryption Best Practices
 
     {IDF_TARGET_NAME} supports the **Memory Protection** scheme, either through architecture or special peripheral like PMS, which provides an ability to enforce and monitor permission attributes to memory and, in some cases, peripherals. ESP-IDF application startup code configures the permissions attributes like Read/Write access on data memories and Read/Execute access on instruction memories using the relevant peripheral. If there is any attempt made that breaks these permission attributes, e.g., a write operation to instruction memory region, then a violation interrupt is raised, and it results in system panic.
 
-    This feature depends on the config option :ref:`CONFIG_ESP_SYSTEM_MEMPROT_FEATURE` and it is kept enabled by default. Please note that the API for this feature is **private** and used exclusively by ESP-IDF code only.
+    This feature depends on the config option :ref:`CONFIG_ESP_SYSTEM_MEMPROT` and it is kept enabled by default. Please note that the API for this feature is **private** and used exclusively by ESP-IDF code only.
 
     .. note::
 

docs/zh_CN/api-guides/fatal-errors.rst

@@ -423,7 +423,7 @@ Interrupt wdt timeout on CPU0/CPU1
     * 程序加载后向指令 RAM 写入代码
     * 从数据 RAM（用于堆、静态 .data 和 .bss 区域）执行代码
 
-    该类操作对于大多数程序来说并不必要，禁止此类操作往往使软件漏洞更难被利用。依赖动态加载或自修改代码的应用程序可以使用 :ref:`CONFIG_ESP_SYSTEM_MEMPROT_FEATURE` 选项来禁用此项保护。
+    该类操作对于大多数程序来说并不必要，禁止此类操作往往使软件漏洞更难被利用。依赖动态加载或自修改代码的应用程序可以使用 :ref:`CONFIG_ESP_SYSTEM_MEMPROT` 选项来禁用此项保护。
 
     发生故障时，紧急处理程序会报告故障的地址和引起故障的内存访问的类型。
 

docs/zh_CN/security/security.rst

@@ -108,7 +108,7 @@ flash 加密最佳实践
 
     {IDF_TARGET_NAME} 可以通过架构或 PMS 等特定外设实现 **内存保护**，强制执行和监控内存以及某些外设的权限属性。使用相应外设，ESP-IDF 应用程序启动代码可以配置数据内存的读取/写入权限以及指令内存的读取/执行权限。如有任何操作尝试违反这些权限属性，如写入指令内存区域，将触发违规中断，导致系统 panic。
 
-    使用该功能需启用配置选项 :ref:`CONFIG_ESP_SYSTEM_MEMPROT_FEATURE`，该选项默认启用。请注意，该功能的 API 是 **私有** 的，仅供 ESP-IDF 代码使用。
+    使用该功能需启用配置选项 :ref:`CONFIG_ESP_SYSTEM_MEMPROT`，该选项默认启用。请注意，该功能的 API 是 **私有** 的，仅供 ESP-IDF 代码使用。
 
     .. note::
 

examples/security/hmac_soft_jtag/main/CMakeLists.txt

@@ -1,3 +1,3 @@
 idf_component_register(SRCS "example_main.c" "jtag_commands.c"
-                       PRIV_REQUIRES console efuse mbedtls nvs_flash
+                       PRIV_REQUIRES console efuse mbedtls nvs_flash esp_security
                        PRIV_INCLUDE_DIRS ".")

examples/security/nvs_encryption_hmac/main/CMakeLists.txt

@@ -1,3 +1,3 @@
 idf_component_register(SRCS "main.c"
-                       PRIV_REQUIRES nvs_flash spi_flash nvs_sec_provider
+                       PRIV_REQUIRES nvs_flash spi_flash nvs_sec_provider esp_security
                        INCLUDE_DIRS ".")

tools/test_apps/system/g1_components/CMakeLists.txt

@@ -66,12 +66,12 @@ set(extra_components_which_shouldnt_be_included
     # IDF-10415
     esp_pm
 
-    # esp_timer is a dependency of esp_pm, esp_system and esp_hw_support
+    # esp_timer is a dependency of esp_pm, esp_system, esp_security, esp_hw_support
     # esp_pm should be removed from G1 build
     # esp_system's dependency is due to usb_console (used for timeout functionality)
     # and task_wdt timer implementation on C2, we could possibly place this implementation in esp_timer instead
-    # esp_hw_support uses it for esp_ds (used for timeout functionality)
+    # esp_security uses it for esp_ds (used for timeout functionality)
-    # and for componensating time after sleep (dependency could be reversed) IDF-10416
+    # esp_hw_support uses it for componensating time after sleep (dependency could be reversed) IDF-10416
     esp_timer
 
     # esptool_py is a dependency of bootloader, app_update, partition_table, all of which
@@ -92,9 +92,7 @@ set(extra_components_which_shouldnt_be_included
     # pthread is required by cxx. See [refactor-todo] about cxx, can it work without pthread?
     pthread
 
-    # esp_security is a private dependency of the following G1 components:
+    # esp_security is required by mbedtls and spi_flash
-    #    esp_hw_support
-    #    TODO: will be removed in IDF 6.x (see IDF-10733)
     esp_security
 )
 
@@ -117,10 +115,13 @@ if(NOT "${expected_components}" STREQUAL "${build_components}")
 endif()
 
 set(comp_deps_dot "${CMAKE_BINARY_DIR}/component_deps.dot")
+idf_build_get_property(target IDF_TARGET)
 
 execute_process(
     COMMAND ${CMAKE_COMMAND} -E echo "Checking dependency violations"
-    COMMAND python "${CMAKE_SOURCE_DIR}/check_dependencies.py" --component_deps_file ${comp_deps_dot}
+    COMMAND python "${CMAKE_SOURCE_DIR}/check_dependencies.py"
+            --component_deps_file ${comp_deps_dot}
+            --target ${IDF_TARGET}
     RESULT_VARIABLE result
 )
 

tools/test_apps/system/g1_components/check_dependencies.py

@@ -4,6 +4,7 @@ import argparse
 import logging
 from typing import Dict
 from typing import List
+from typing import Optional
 from typing import Tuple
 
 g1_g0_components = [
@@ -24,17 +25,62 @@ g1_g0_components = [
     'esp_mm',
 ]
 
+# Global expected dependency violations that apply to all targets
 expected_dep_violations = {
     'esp_system': ['esp_timer', 'bootloader_support', 'esp_pm'],
     'spi_flash': ['bootloader_support'],
-    'esp_hw_support': ['efuse', 'bootloader_support', 'esp_driver_gpio', 'esp_timer', 'esp_pm', 'esp_security'],
+    'esp_hw_support': ['efuse', 'bootloader_support', 'esp_driver_gpio', 'esp_timer', 'esp_pm'],
     'cxx': ['pthread'],
 }
 
+# Target-specific expected dependency violations
+target_specific_expected_dep_violations = {
+    # 'target': {
+    # Add target-specific violations for target here
+    # 'component_name': ['dependency1', 'dependency2'],
+    # },
+    'esp32s2': {
+        # ESP32-S2 uses the crypto DMA lock for encrypted writes, thus, spi_flash needs to depend on esp_security
+        'spi_flash': ['esp_security'],
+    },
+}
 
-def parse_dependencies(file_path: str) -> Tuple[Dict[str, List[str]], List[str]]:
+
+def merge_expected_violations(target: Optional[str] = None) -> Dict[str, List[str]]:
+    """
+    Merge global and target-specific expected dependency violations.
+
+    Args:
+        target: The target target name (e.g., 'esp32', 'esp32s3', etc.)
+
+    Returns:
+        Merged dictionary of expected dependency violations
+    """
+    # Start with a deep copy of global violations
+    merged_violations = {}
+    for component, deps in expected_dep_violations.items():
+        merged_violations[component] = deps.copy()
+
+    # Add target-specific violations if target is specified
+    if target and target in target_specific_expected_dep_violations:
+        target_violations = target_specific_expected_dep_violations[target]
+        for component, deps in target_violations.items():
+            if component in merged_violations:
+                # Extend existing list with target-specific dependencies
+                merged_violations[component].extend(deps)
+            else:
+                # Add new component with its dependencies
+                merged_violations[component] = deps.copy()
+
+    return merged_violations
+
+
+def parse_dependencies(file_path: str, target: Optional[str] = None) -> Tuple[Dict[str, List[str]], List[str]]:
     new_dependency_errors = []
 
+    # Get merged expected violations for the specified target
+    merged_expected_violations = merge_expected_violations(target)
+
     with open(file_path, 'r') as file:
         for line in file:
             line = line.strip(' ;')
@@ -43,22 +89,28 @@ def parse_dependencies(file_path: str) -> Tuple[Dict[str, List[str]], List[str]]
                 parts = line.split(' -> ')
 
                 if len(parts) >= 2:
-                    source = parts[0]
+                    source_component = parts[0]
-                    target = parts[1].split()[0]  # Extracting the target component
+                    target_component = parts[1].split()[0]  # Extracting the target component
-                    logging.debug(f'Parsed dependency: {source} -> {target}')
+                    logging.debug(f'Parsed dependency: {source_component} -> {target_component}')
 
                     # Check that g1/g0 dependencies are either on the list of expected violations
                     # or dependencies to other g1/g0 components
-                    if source in g1_g0_components and target not in g1_g0_components:
+                    if source_component in g1_g0_components and target_component not in g1_g0_components:
-                        if target in expected_dep_violations[source]:
+                        if (
-                            logging.debug(f'Removing dependency {target} from {source} in list of expected violations')
+                            source_component in merged_expected_violations
-                            expected_dep_violations[source].remove(target)
+                            and target_component in merged_expected_violations[source_component]
+                        ):
+                            logging.debug(
+                                f'Removing dependency {target_component} from {source_component} '
+                                f'in list of expected violations'
+                            )
+                            merged_expected_violations[source_component].remove(target_component)
                         else:
-                            new_dependency_errors.append(f'{source} -> {target}')
+                            new_dependency_errors.append(f'{source_component} -> {target_component}')
 
-    # Any leftover dependencies in the expected_dep_violations are no longer true dependencies and
+    # Any leftover dependencies in the merged_expected_violations are no longer true dependencies and
     # can be removed from the list
-    false_dependencies = {k: v for k, v in expected_dep_violations.items() if len(v) > 0}
+    false_dependencies = {k: v for k, v in merged_expected_violations.items() if len(v) > 0}
 
     return (false_dependencies, new_dependency_errors)
 
@@ -68,10 +120,11 @@ if __name__ == '__main__':
     parser.add_argument(
         '--component_deps_file', required=True, type=str, help='The path to the component_deps.dot file'
     )
+    parser.add_argument('--target', type=str, help='The target name (e.g., esp32, esp32s3, esp32c6, etc.)')
 
     args = parser.parse_args()
 
-    (false_dependencies, new_dependency_errors) = parse_dependencies(args.component_deps_file)
+    (false_dependencies, new_dependency_errors) = parse_dependencies(args.component_deps_file, args.target)
 
     if new_dependency_errors:
         print('Found the following new dependency violations:')

tools/test_apps/system/memprot/main/Kconfig.projbuild

@@ -1,3 +1,3 @@
-config ESP_SYSTEM_MEMPROT_TEST
+config ESP_SYSTEM_MEMPROT_PMS_TEST
     bool
     default y

tools/test_apps/system/memprot/sdkconfig.defaults

@@ -1,3 +1,3 @@
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=y
+CONFIG_ESP_SYSTEM_MEMPROT=y
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE_LOCK=n
+CONFIG_ESP_SYSTEM_MEMPROT_PMS_LOCK=n
-CONFIG_ESP_SYSTEM_MEMPROT_TEST=y
+CONFIG_ESP_SYSTEM_MEMPROT_PMS_TEST=y

tools/test_apps/system/panic/main/test_app_main.c

@@ -171,7 +171,7 @@ void app_main(void)
     HANDLE_TEST(test_name, test_rtc_slow_reg2_execute_violation);
 #endif
 
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT
+#if CONFIG_ESP_SYSTEM_MEMPROT
     HANDLE_TEST(test_name, test_irom_reg_write_violation);
     HANDLE_TEST(test_name, test_drom_reg_write_violation);
     HANDLE_TEST(test_name, test_drom_reg_execute_violation);

tools/test_apps/system/panic/main/test_memprot.c

@@ -223,7 +223,7 @@ static void __attribute__((constructor)) test_print_rtc_var_func(void)
 
 /* ---------------------------------------------------- I/D Cache (Flash) Violation Checks ---------------------------------------------------- */
 
-#if CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT
+#if CONFIG_ESP_SYSTEM_MEMPROT
 static const uint16_t foo_buf[8] = {
     0x0001, 0x0001, 0x0001, 0x0001,
     0x0001, 0x0001, 0x0001, 0x0001,

tools/test_apps/system/panic/sdkconfig.ci.memprot_esp32c2

@@ -2,7 +2,7 @@
 CONFIG_IDF_TARGET="esp32c2"
 
 # Enabling memory protection
-CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT=y
+CONFIG_ESP_SYSTEM_MEMPROT=y
 
 # Enable memprot test
 CONFIG_TEST_MEMPROT=y

tools/test_apps/system/panic/sdkconfig.ci.memprot_esp32c3

@@ -2,8 +2,8 @@
 CONFIG_IDF_TARGET="esp32c3"
 
 # Enabling memory protection
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=y
+CONFIG_ESP_SYSTEM_MEMPROT=y
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE_LOCK=y
+CONFIG_ESP_SYSTEM_MEMPROT_PMS_LOCK=y
 
 # Enable memprot test
 CONFIG_TEST_MEMPROT=y

tools/test_apps/system/panic/sdkconfig.ci.memprot_esp32c5

@@ -2,7 +2,7 @@
 CONFIG_IDF_TARGET="esp32c5"
 
 # Enabling memory protection
-CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT=y
+CONFIG_ESP_SYSTEM_MEMPROT=y
 
 # Enable memprot test
 CONFIG_TEST_MEMPROT=y

tools/test_apps/system/panic/sdkconfig.ci.memprot_esp32c6

@@ -2,7 +2,7 @@
 CONFIG_IDF_TARGET="esp32c6"
 
 # Enabling memory protection
-CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT=y
+CONFIG_ESP_SYSTEM_MEMPROT=y
 
 # Enable memprot test
 CONFIG_TEST_MEMPROT=y

tools/test_apps/system/panic/sdkconfig.ci.memprot_esp32c61

@@ -2,7 +2,7 @@
 CONFIG_IDF_TARGET="esp32c61"
 
 # Enabling memory protection
-CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT=y
+CONFIG_ESP_SYSTEM_MEMPROT=y
 
 # Enable memprot test
 CONFIG_TEST_MEMPROT=y

tools/test_apps/system/panic/sdkconfig.ci.memprot_esp32h2

@@ -2,7 +2,7 @@
 CONFIG_IDF_TARGET="esp32h2"
 
 # Enabling memory protection
-CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT=y
+CONFIG_ESP_SYSTEM_MEMPROT=y
 
 # Enable memprot test
 CONFIG_TEST_MEMPROT=y

tools/test_apps/system/panic/sdkconfig.ci.memprot_esp32h21

@@ -2,7 +2,7 @@
 CONFIG_IDF_TARGET="esp32h21"
 
 # Enabling memory protection
-CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT=y
+CONFIG_ESP_SYSTEM_MEMPROT=y
 
 # Enable memprot test
 CONFIG_TEST_MEMPROT=y

tools/test_apps/system/panic/sdkconfig.ci.memprot_esp32p4

@@ -2,7 +2,7 @@
 CONFIG_IDF_TARGET="esp32p4"
 
 # Enabling memory protection
-CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT=y
+CONFIG_ESP_SYSTEM_MEMPROT=y
 
 # Enable memprot test
 CONFIG_TEST_MEMPROT=y

tools/test_apps/system/panic/sdkconfig.ci.memprot_esp32s2

@@ -2,8 +2,8 @@
 CONFIG_IDF_TARGET="esp32s2"
 
 # Enabling memory protection
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=y
+CONFIG_ESP_SYSTEM_MEMPROT=y
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE_LOCK=y
+CONFIG_ESP_SYSTEM_MEMPROT_PMS_LOCK=y
 
 # Enabling DCACHE
 CONFIG_ESP32S2_DATA_CACHE_8KB=y

tools/test_apps/system/panic/sdkconfig.ci.memprot_esp32s3

@@ -2,8 +2,8 @@
 CONFIG_IDF_TARGET="esp32s3"
 
 # Enabling memory protection
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=y
+CONFIG_ESP_SYSTEM_MEMPROT=y
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE_LOCK=y
+CONFIG_ESP_SYSTEM_MEMPROT_PMS_LOCK=y
 
 # Enabling DCACHE
 CONFIG_ESP32S3_DATA_CACHE_16KB=y

tools/test_apps/system/panic/sdkconfig.ci.memprot_spiram_xip_esp32c5

@@ -2,7 +2,7 @@
 CONFIG_IDF_TARGET="esp32c5"
 
 # Enabling memory protection
-CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT=y
+CONFIG_ESP_SYSTEM_MEMPROT=y
 
 # Enable memprot test
 CONFIG_TEST_MEMPROT=y

tools/test_apps/system/panic/sdkconfig.ci.memprot_spiram_xip_esp32c61

@@ -2,7 +2,7 @@
 CONFIG_IDF_TARGET="esp32c61"
 
 # Enabling memory protection
-CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT=y
+CONFIG_ESP_SYSTEM_MEMPROT=y
 
 # Enable memprot test
 CONFIG_TEST_MEMPROT=y

tools/test_apps/system/panic/sdkconfig.ci.memprot_spiram_xip_esp32p4

@@ -2,7 +2,7 @@
 CONFIG_IDF_TARGET="esp32p4"
 
 # Enabling memory protection
-CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT=y
+CONFIG_ESP_SYSTEM_MEMPROT=y
 
 # Enable memprot test
 CONFIG_TEST_MEMPROT=y

tools/test_apps/system/panic/sdkconfig.ci.memprot_spiram_xip_esp32s3

@@ -2,8 +2,8 @@
 CONFIG_IDF_TARGET="esp32s3"
 
 # Enabling memory protection
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=y
+CONFIG_ESP_SYSTEM_MEMPROT=y
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE_LOCK=y
+CONFIG_ESP_SYSTEM_MEMPROT_PMS_LOCK=y
 
 # Enabling DCACHE
 CONFIG_ESP32S3_DATA_CACHE_16KB=y

tools/unit-test-app/sdkconfig.defaults.esp32c2

@@ -1,4 +1,4 @@
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=n
+CONFIG_ESP_SYSTEM_MEMPROT=n
 CONFIG_ESPTOOLPY_FLASHSIZE_2MB=y
 CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partition_table_unit_test_app_2m.csv"
 CONFIG_PARTITION_TABLE_FILENAME="partition_table_unit_test_app_2m.csv"

tools/unit-test-app/sdkconfig.defaults.esp32c3

@@ -1 +1 @@
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=n
+CONFIG_ESP_SYSTEM_MEMPROT=n

tools/unit-test-app/sdkconfig.defaults.esp32s2

@@ -1,2 +1,2 @@
 CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_240=y
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=n
+CONFIG_ESP_SYSTEM_MEMPROT=n

tools/unit-test-app/sdkconfig.defaults.esp32s3

@@ -1,2 +1,2 @@
 CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_240=y
-CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=n
+CONFIG_ESP_SYSTEM_MEMPROT=n