diff --git a/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c index f1a6d2aef9..d4b063a4d6 100644 --- a/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c @@ -1,15 +1,18 @@ /* - * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ +#include #include #include "esp_flash_encrypt.h" #include "esp_secure_boot.h" #include "esp_efuse.h" #include "esp_efuse_table.h" #include "esp_log.h" +#include "hal/spi_flash_encrypted_ll.h" +#include "soc/soc_caps.h" #include "sdkconfig.h" static __attribute__((unused)) const char *TAG = "flash_encrypt"; @@ -33,6 +36,14 @@ esp_err_t esp_flash_encryption_enable_secure_features(void) esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT); +#if defined(CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE) && defined(SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND) + if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) { + ESP_LOGI(TAG, "Enable XTS-AES pseudo rounds function..."); + uint8_t xts_pseudo_level = CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH; + esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count); + } +#endif + #if defined(CONFIG_SECURE_BOOT_V2_ENABLED) && !defined(CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS) // This bit is set when enabling Secure Boot V2, but we can't enable it until this later point in the first boot // otherwise the Flash Encryption key cannot be read protected diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c index 4bfa33e87d..381f17ed40 100644 --- a/components/bootloader_support/src/flash_encrypt.c 
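Review bot: The result of `esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, ...)` is discarded in the block added to `esp_flash_encryption_enable_secure_features()` (esp32h2/flash_encryption_secure_features.c), so a failed write of the pseudo-round level looks like success even though "Enable XTS-AES pseudo rounds function..." was already logged. The neighbouring `esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);` is also unchecked, so this may be deliberate if the caller batches and commits the eFuse writes; that is not visible here, as the function starts and ends outside the hunk. If it is not deliberate, capture and report the result with `esp_err_t err = esp_efuse_write_field_blob(...);` followed by `if (err != ESP_OK) { ESP_LOGE(TAG, "Failed to set XTS_DPA_PSEUDO_LEVEL (0x%x)", err); return err; }`. The same unchecked write is in the `esp_flash_encryption_set_release_mode()` hunk of flash_encrypt.c. It would also help to add a comment that `CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH` is narrowed to `uint8_t` and must fit in the field's `bit_count` bits, since eFuse writes cannot be undone.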
+++ b/components/bootloader_support/src/flash_encrypt.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -12,6 +12,7 @@ #include "esp_flash_encrypt.h" #include "esp_secure_boot.h" #include "hal/efuse_hal.h" +#include "hal/spi_flash_encrypted_ll.h" #include "hal/spi_flash_encrypt_hal.h" #include "soc/soc_caps.h" @@ -210,8 +211,10 @@ void esp_flash_encryption_set_release_mode(void) #endif // !CONFIG_IDF_TARGET_ESP32 #ifdef SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND - uint8_t xts_pseudo_level = ESP_XTS_AES_PSEUDO_ROUNDS_LOW; - esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count); + if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) { + uint8_t xts_pseudo_level = ESP_XTS_AES_PSEUDO_ROUNDS_LOW; + esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count); + } #endif #ifdef CONFIG_IDF_TARGET_ESP32 @@ -476,11 +479,13 @@ bool esp_flash_encryption_cfg_verify_release_mode(void) result &= secure; #if SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND - uint8_t xts_pseudo_level = 0; - esp_efuse_read_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count); - if (!xts_pseudo_level) { - result &= false; - ESP_LOGW(TAG, "Not enabled XTS-AES pseudo rounds function (set XTS_DPA_PSEUDO_LEVEL->1 or more)"); + if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) { + uint8_t xts_pseudo_level = 0; + esp_efuse_read_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count); + if (!xts_pseudo_level) { + result &= false; + ESP_LOGW(TAG, "Not enabled XTS-AES pseudo rounds function (set XTS_DPA_PSEUDO_LEVEL->1 or more)"); + } } #endif 
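Review bot: In the `esp_flash_encryption_set_release_mode()` hunk the value written to `ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL` stays hard-coded to `ESP_XTS_AES_PSEUDO_ROUNDS_LOW`, while the esp32h2 bootloader path in this same commit writes `CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH`. A device switched to release mode through this API would therefore get the lowest strength regardless of the project's configured level. If that Kconfig symbol is defined for builds that reach this function (not visible in the hunk), use it here with `uint8_t xts_pseudo_level = CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH;`. Otherwise document the choice with a comment such as `// Runtime switch to release mode always programs the lowest pseudo-round level`. The function body continues outside the hunk.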
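Review bot: When `spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()` returns false, the new guard in `esp_flash_encryption_cfg_verify_release_mode()` skips the `XTS_DPA_PSEUDO_LEVEL` check with no output. A passing release-mode verification then reads the same on a chip with the countermeasure enabled and on one that lacks it. An `else` branch that logs the skip keeps the verification log usable for audit, for example `} else { ESP_LOGI(TAG, "XTS-AES pseudo rounds function not supported on this chip, check skipped"); }`. The helper's definition is not among the visible hunks, so what it actually tests (presumably the chip revision) should be documented where it is declared. The enclosing function begins and ends outside this hunk.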
diff --git a/components/hal/esp32/include/hal/spi_flash_encrypted_ll.h b/components/hal/esp32/include/hal/spi_flash_encrypted_ll.h index 682be30815..7827c5cab9 100644 --- a/components/hal/esp32/include/hal/spi_flash_encrypted_ll.h +++ b/components/hal/esp32/include/hal/spi_flash_encrypted_ll.h @@ -11,6 +11,7 @@ ******************************************************************************/ // The Lowlevel layer for SPI Flash Encryption. +#pragma once #include "soc/dport_reg.h" #include "soc/flash_encryption_reg.h" diff --git a/components/hal/esp32c2/include/hal/spi_flash_encrypted_ll.h b/components/hal/esp32c2/include/hal/spi_flash_encrypted_ll.h index 8d59c99148..7c8b10376e 100644 --- a/components/hal/esp32c2/include/hal/spi_flash_encrypted_ll.h +++ b/components/hal/esp32c2/include/hal/spi_flash_encrypted_ll.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -11,6 +11,7 @@ ******************************************************************************/ // The Lowlevel layer for SPI Flash Encryption. +#pragma once #include #include @@ -24,7 +25,7 @@ extern "C" { #endif -/// Choose type of chip you want to encrypt manully +/// Choose type of chip you want to encrypt manually typedef enum { FLASH_ENCRYPTION_MANU = 0, ///!< Manually encrypt the flash chip. @@ -51,7 +52,7 @@ static inline void spi_flash_encrypt_ll_disable(void) } /** - * Choose type of chip you want to encrypt manully + * Choose type of chip you want to encrypt manually * * @param type The type of chip to be encrypted * diff --git a/components/hal/esp32c3/include/hal/spi_flash_encrypted_ll.h b/components/hal/esp32c3/include/hal/spi_flash_encrypted_ll.h index 8857e1f915..7c8b10376e 100644 --- a/components/hal/esp32c3/include/hal/spi_flash_encrypted_ll.h +++ b/components/hal/esp32c3/include/hal/spi_flash_encrypted_ll.h 
@@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -11,6 +11,7 @@ ******************************************************************************/ // The Lowlevel layer for SPI Flash Encryption. +#pragma once #include #include @@ -24,7 +25,7 @@ extern "C" { #endif -/// Choose type of chip you want to encrypt manully +/// Choose type of chip you want to encrypt manually typedef enum { FLASH_ENCRYPTION_MANU = 0, ///!< Manually encrypt the flash chip. @@ -51,7 +52,7 @@ static inline void spi_flash_encrypt_ll_disable(void) } /** - * Choose type of chip you want to encrypt manully + * Choose type of chip you want to encrypt manually * * @param type The type of chip to be encrypted * diff --git a/components/hal/esp32c5/include/hal/spi_flash_encrypted_ll.h b/components/hal/esp32c5/include/hal/spi_flash_encrypted_ll.h index 59b66cecda..4c5ed687af 100644 --- a/components/hal/esp32c5/include/hal/spi_flash_encrypted_ll.h +++ b/components/hal/esp32c5/include/hal/spi_flash_encrypted_ll.h @@ -11,6 +11,7 @@ ******************************************************************************/ // The Lowlevel layer for SPI Flash Encryption. +#pragma once #include #include diff --git a/components/hal/esp32c6/include/hal/spi_flash_encrypted_ll.h b/components/hal/esp32c6/include/hal/spi_flash_encrypted_ll.h index 20c303344a..debef0835f 100644 --- a/components/hal/esp32c6/include/hal/spi_flash_encrypted_ll.h +++ b/components/hal/esp32c6/include/hal/spi_flash_encrypted_ll.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ 
@@ -11,6 +11,7 @@ ******************************************************************************/ // The Lowlevel layer for SPI Flash Encryption. +#pragma once #include #include @@ -24,7 +25,7 @@ extern "C" { #endif -/// Choose type of chip you want to encrypt manully +/// Choose type of chip you want to encrypt manually typedef enum { FLASH_ENCRYPTION_MANU = 0, ///!< Manually encrypt the flash chip. @@ -51,7 +52,7 @@ static inline void spi_flash_encrypt_ll_disable(void) } /** - * Choose type of chip you want to encrypt manully + * Choose type of chip you want to encrypt manually * * @param type The type of chip to be encrypted * diff --git a/components/hal/esp32c61/include/hal/spi_flash_encrypted_ll.h b/components/hal/esp32c61/include/hal/spi_flash_encrypted_ll.h index 88fdee0486..3a7f63b56f 100644 --- a/components/hal/esp32c61/include/hal/spi_flash_encrypted_ll.h +++ b/components/hal/esp32c61/include/hal/spi_flash_encrypted_ll.h @@ -11,6 +11,7 @@ ******************************************************************************/ // The Lowlevel layer for SPI Flash Encryption. +#pragma once #include #include diff --git a/components/hal/esp32h2/include/hal/spi_flash_encrypted_ll.h b/components/hal/esp32h2/include/hal/spi_flash_encrypted_ll.h index 93a707e76c..eefe8b30ab 100644 --- a/components/hal/esp32h2/include/hal/spi_flash_encrypted_ll.h +++ b/components/hal/esp32h2/include/hal/spi_flash_encrypted_ll.h @@ -11,6 +11,7 @@ ******************************************************************************/ // The Lowlevel layer for SPI Flash Encryption. +#pragma once #include #include diff --git a/components/hal/esp32h21/include/hal/spi_flash_encrypted_ll.h b/components/hal/esp32h21/include/hal/spi_flash_encrypted_ll.h index 24df42b49f..340363bcde 100644 --- a/components/hal/esp32h21/include/hal/spi_flash_encrypted_ll.h +++ b/components/hal/esp32h21/include/hal/spi_flash_encrypted_ll.h 
@@ -11,6 +11,7 @@ ******************************************************************************/ // The Lowlevel layer for SPI Flash Encryption. +#pragma once #include #include diff --git a/components/hal/esp32p4/include/hal/spi_flash_encrypted_ll.h b/components/hal/esp32p4/include/hal/spi_flash_encrypted_ll.h index 9c3304832b..948e964db3 100644 --- a/components/hal/esp32p4/include/hal/spi_flash_encrypted_ll.h +++ b/components/hal/esp32p4/include/hal/spi_flash_encrypted_ll.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -11,6 +11,7 @@ ******************************************************************************/ // The Lowlevel layer for SPI Flash Encryption. +#pragma once #include #include @@ -24,7 +25,7 @@ extern "C" { #endif -/// Choose type of chip you want to encrypt manully +/// Choose type of chip you want to encrypt manually typedef enum { FLASH_ENCRYPTION_MANU = 0, ///!< Manually encrypt the flash chip. @@ -51,7 +52,7 @@ static inline void spi_flash_encrypt_ll_disable(void) } /** - * Choose type of chip you want to encrypt manully + * Choose type of chip you want to encrypt manually * * @param type The type of chip to be encrypted * diff --git a/components/hal/esp32s2/include/hal/spi_flash_encrypted_ll.h b/components/hal/esp32s2/include/hal/spi_flash_encrypted_ll.h index 529fb99007..93e369d2fd 100644 --- a/components/hal/esp32s2/include/hal/spi_flash_encrypted_ll.h +++ b/components/hal/esp32s2/include/hal/spi_flash_encrypted_ll.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ 
@@ -11,6 +11,7 @@ ******************************************************************************/ // The Lowlevel layer for SPI Flash Encryption. +#pragma once #include #include @@ -24,7 +25,7 @@ extern "C" { #endif -/// Choose type of chip you want to encrypt manully +/// Choose type of chip you want to encrypt manually typedef enum { FLASH_ENCRYPTION_MANU = 0, ///!< Manually encrypt the flash chip. @@ -61,7 +62,7 @@ static inline void spi_flash_encrypt_ll_disable(void) } /** - * Choose type of chip you want to encrypt manully + * Choose type of chip you want to encrypt manually * * @param type The type of chip to be encrypted * diff --git a/components/hal/esp32s3/include/hal/spi_flash_encrypted_ll.h b/components/hal/esp32s3/include/hal/spi_flash_encrypted_ll.h index dae3528dd9..d5b168c55e 100644 --- a/components/hal/esp32s3/include/hal/spi_flash_encrypted_ll.h +++ b/components/hal/esp32s3/include/hal/spi_flash_encrypted_ll.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -11,6 +11,7 @@ ******************************************************************************/ // The Lowlevel layer for SPI Flash Encryption. +#pragma once #include #include @@ -24,7 +25,7 @@ extern "C" { #endif -/// Choose type of chip you want to encrypt manully +/// Choose type of chip you want to encrypt manually typedef enum { FLASH_ENCRYPTION_MANU = 0, ///!< Manually encrypt the flash chip. @@ -51,7 +52,7 @@ static inline void spi_flash_encrypt_ll_disable(void) } /** - * Choose type of chip you want to encrypt manully + * Choose type of chip you want to encrypt manually * * @param type The type of chip to be encrypted *