fix(security): Update key manager specific initializations for esp32c5

components/bootloader_support/include/esp_flash_encrypt.h

@@ -184,12 +184,14 @@ void esp_flash_encryption_init_checks(void);
  */
 esp_err_t esp_flash_encryption_enable_secure_features(void);
 
+#if CONFIG_SOC_KEY_MANAGER_FE_KEY_DEPLOY
 /** @brief Enable the key manager for flash encryption
  *
  * @return
  *  - ESP_OK - On success
  */
 esp_err_t esp_flash_encryption_enable_key_mgr(void);
+#endif // CONFIG_SOC_KEY_MANAGER_FE_KEY_DEPLOY
 
 #endif /* BOOTLOADER_BUILD && CONFIG_SECURE_FLASH_ENC_ENABLED */
 

components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c

@@ -11,9 +11,8 @@
 #include "esp_efuse_table.h"
 #include "esp_log.h"
 #include "sdkconfig.h"
-#include "soc/keymng_reg.h"
+#include "hal/key_mgr_ll.h"
-#include "soc/pcr_reg.h"
+#include "hal/mspi_timing_tuning_ll.h"
-#include "soc/pcr_struct.h"
 
 static __attribute__((unused)) const char *TAG = "flash_encrypt";
 
@@ -62,30 +61,21 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
     return ESP_OK;
 }
 
-// TODO: Update to use LL APIs once key manager support added in IDF-8621
 esp_err_t esp_flash_encryption_enable_key_mgr(void)
 {
-    // Set the force power down bit to 0 to enable key manager
+    // Enable and reset key manager
-    PCR.km_pd_ctrl.km_mem_force_pd = 0;
+    // To suppress build errors about spinlock's __DECLARE_RCC_ATOMIC_ENV
-    // Reset the key manager
+    int __DECLARE_RCC_ATOMIC_ENV __attribute__ ((unused));
-    PCR.km_conf.km_clk_en = 1;
+    key_mgr_ll_enable_bus_clock(true);
-    PCR.km_conf.km_rst_en = 1;
+    key_mgr_ll_enable_peripheral_clock(true);
-    PCR.km_conf.km_rst_en = 0;
+    key_mgr_ll_reset_register();
 
-    // Wait for key manager to be ready
+    while (key_mgr_ll_get_state() != ESP_KEY_MGR_STATE_IDLE) {
-    while (!PCR.km_conf.km_ready) {
     };
 
-    // Wait for key manager state machine to be idle
+    // Force Key Manager to use eFuse key for XTS-AES operation
-    while (REG_READ(KEYMNG_STATE_REG) != 0) {
+    key_mgr_ll_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
-    };
+    _mspi_timing_ll_reset_mspi();
-
-    // Set the key manager to use efuse key
-    REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 2);
-
-    // Reset MSPI to re-load the flash encryption key
-    REG_SET_BIT(PCR_MSPI_CLK_CONF_REG, PCR_MSPI_AXI_RST_EN);
-    REG_CLR_BIT(PCR_MSPI_CLK_CONF_REG, PCR_MSPI_AXI_RST_EN);
 
     return ESP_OK;
 }

components/bootloader_support/src/flash_encryption/flash_encrypt.c

@@ -258,8 +258,7 @@ esp_err_t esp_flash_encrypt_contents(void)
     REG_WRITE(SENSITIVE_XTS_AES_KEY_UPDATE_REG, 1);
 #endif
 
-// TODO: Remove C5 target config after key manager LL support- see IDF-8621
+#if CONFIG_SOC_KEY_MANAGER_FE_KEY_DEPLOY
-#if CONFIG_SOC_KEY_MANAGER_FE_KEY_DEPLOY || CONFIG_IDF_TARGET_ESP32C5
     esp_flash_encryption_enable_key_mgr();
 #endif
 

components/esp_security/src/init.c

@@ -20,23 +20,15 @@ __attribute__((unused)) static const char *TAG = "esp_security";
 
 static void esp_key_mgr_init(void)
 {
-    // The following operation makes the Key Manager to use eFuse key for ECDSA and XTS-AES operation by default
+    // The following code initializes the key manager.
-    // This is to keep the default behavior same as the other chips
-    // If the Key Manager configuration is already locked then following operation does not have any effect
 #if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY || SOC_KEY_MANAGER_FE_KEY_DEPLOY
     // Enable key manager clock
     // Using ll APIs which do not require critical section
     _key_mgr_ll_enable_bus_clock(true);
     _key_mgr_ll_enable_peripheral_clock(true);
-
+    _key_mgr_ll_reset_register();
     while (key_mgr_ll_get_state() != ESP_KEY_MGR_STATE_IDLE) {
     };
-#if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY
-    key_mgr_ll_set_key_usage(ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
-#endif
-#if SOC_KEY_MANAGER_FE_KEY_DEPLOY
-    key_mgr_ll_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
-#endif
 #endif /* SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY || SOC_KEY_MANAGER_FE_KEY_DEPLOY */
 }
 

components/hal/ecdsa_hal.c

@@ -14,13 +14,8 @@
 #include "esp_random.h"
 #endif
 
-// Need to remove in IDF-8621
-#if CONFIG_IDF_TARGET_ESP32C5
-#include "soc/keymng_reg.h"
-#endif
-
 #ifdef SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY
-#include "hal/key_mgr_hal.h"
+#include "hal/key_mgr_ll.h"
 #endif
 
 #define ECDSA_HAL_P192_COMPONENT_LEN        24
@@ -32,11 +27,6 @@ static void configure_ecdsa_periph(ecdsa_hal_config_t *conf)
     if (conf->use_km_key == 0) {
         efuse_hal_set_ecdsa_key(conf->efuse_key_blk);
 
-// Need to remove in IDF-8621
-#if CONFIG_IDF_TARGET_ESP32C5
-        REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 1);
-#endif
-
 #if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY
         // Force Key Manager to use eFuse key for XTS-AES operation
         key_mgr_ll_set_key_usage(ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);

components/hal/esp32c5/include/hal/key_mgr_ll.h

@@ -67,7 +67,10 @@ static inline void _key_mgr_ll_enable_peripheral_clock(bool enable)
 #define key_mgr_ll_enable_peripheral_clock(...) (void)__DECLARE_RCC_ATOMIC_ENV; _key_mgr_ll_enable_peripheral_clock(__VA_ARGS__)
 
 /**
- * @brief Reset the Key Manager peripheral */
+ * @brief Reset the Key Manager peripheral
+ * Note: Please use key_mgr_ll_reset_register which requires the critical section
+ *       and do not use _key_mgr_ll_reset_register
+ */
 static inline void _key_mgr_ll_reset_register(void)
 {
     PCR.km_conf.km_rst_en = 1;

components/hal/esp32c5/include/hal/mspi_timing_tuning_ll.h

@@ -68,8 +68,11 @@ static inline __attribute__((always_inline)) void mspi_ll_enable_bus_clock(bool
  */
 static inline __attribute__((always_inline)) void _mspi_timing_ll_reset_mspi(void)
 {
-    PCR.mspi_conf.mspi_rst_en = 1;
+    PCR.mspi_clk_conf.mspi_axi_rst_en = 1;
-    PCR.mspi_conf.mspi_rst_en = 0;
+    PCR.mspi_clk_conf.mspi_axi_rst_en = 0;
+    // Wait for mspi to be ready
+    while (!PCR.mspi_conf.mspi_ready) {
+    };
 }
 
 #ifdef __cplusplus