From 8b663ebe4d9daa3b3ef5bd0367c4c1c3886e3488 Mon Sep 17 00:00:00 2001
From: "harshal.patil"
Date: Fri, 19 Sep 2025 10:13:52 +0530
Subject: [PATCH] fix(esp_security): Configure the Key Manager to use XTS-AES efuse key by-default
---
 components/esp_security/src/init.c | 25 +++++++++++++------
 .../hal/esp32p4/include/hal/key_mgr_ll.h | 10 ++++++++
 2 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/components/esp_security/src/init.c b/components/esp_security/src/init.c
index 14ede2dc0d..772b2c4b74 100644
--- a/components/esp_security/src/init.c
+++ b/components/esp_security/src/init.c
@@ -20,6 +20,7 @@
 #if SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT
 #include "hal/key_mgr_ll.h"
+#include "hal/key_mgr_types.h"
 #endif /* SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT */
 __attribute__((unused)) static const char *TAG = "esp_security";
@@ -27,14 +28,24 @@ __attribute__((unused)) static const char *TAG = "esp_security";
 static void esp_key_mgr_init(void)
 {
 // The following code initializes the key manager.
+ // When Flash Encryption is already enabled, Key Manager is initialized by the
+ // ROM, and when Flash Encryption is enabled during boot up, Key Manager is
+ // initialized by the bootloader.
 #if SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT
- // Enable key manager clock
- // Using ll APIs which do not require critical section
- _key_mgr_ll_enable_bus_clock(true);
- _key_mgr_ll_enable_peripheral_clock(true);
- _key_mgr_ll_reset_register();
- while (key_mgr_ll_get_state() != ESP_KEY_MGR_STATE_IDLE) {
- };
+ if (!efuse_hal_flash_encryption_enabled()) {
+ // Enable key manager clock
+ key_mgr_ll_power_up();
+ // Using ll APIs which do not require critical section
+ _key_mgr_ll_enable_bus_clock(true);
+ _key_mgr_ll_enable_peripheral_clock(true);
+ _key_mgr_ll_reset_register();
+
+ while (key_mgr_ll_get_state() != ESP_KEY_MGR_STATE_IDLE) {
+ };
+
+ // Force Key Manager to use eFuse key by-default for an XTS-AES operation.
+ key_mgr_ll_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
+ }
 #endif /* SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT */
 }
diff --git a/components/hal/esp32p4/include/hal/key_mgr_ll.h b/components/hal/esp32p4/include/hal/key_mgr_ll.h
index 7e7be21d50..c418c30c5f 100644
--- a/components/hal/esp32p4/include/hal/key_mgr_ll.h
+++ b/components/hal/esp32p4/include/hal/key_mgr_ll.h
@@ -25,6 +25,16 @@
 extern "C" {
 #endif
+static inline void key_mgr_ll_power_up(void)
+{
+ // TODO: IDF-13524
+}
+
+static inline void key_mgr_ll_power_down(void)
+{
+ // TODO: IDF-13524
+}
+
 /**
 * @brief Enable the bus clock for Key Manager peripheral
 * Note: Please use key_mgr_ll_enable_bus_clock which requires the critical section
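Review bot: The wait `while (key_mgr_ll_get_state() != ESP_KEY_MGR_STATE_IDLE) { };` in esp_key_mgr_init has no bound, so if the Key Manager never reports idle after `_key_mgr_ll_reset_register()` the startup path spins here with nothing logged. That is easier to hit now that the sequence begins with `key_mgr_ll_power_up()`, which this same patch adds as an empty stub for esp32p4. Consider a bounded retry count that reports the failure through `TAG` before giving up. Separately, the eFuse key selection for `ESP_KEY_MGR_XTS_AES_128_KEY` is applied only when flash encryption is disabled; the added comment says ROM or the bootloader initializes the Key Manager otherwise, and it would help to state there whether they also leave the XTS-AES key usage on the eFuse key.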
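Review bot: `key_mgr_ll_power_up()` and `key_mgr_ll_power_down()` are empty and carry only `// TODO: IDF-13524`, so a caller reading this header cannot tell that the power-up step in the init sequence does nothing on this target. The function that follows them has a Doxygen block; add one to each stub, for example `/** @brief Power up the Key Manager peripheral. No-op on this target until IDF-13524 is resolved. */` and the matching text for power-down. `key_mgr_ll_power_down()` has no caller in the visible hunks, so it is worth confirming it is used elsewhere or noting that it is added for symmetry.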