From 6ea63548d4f2ff4b9df040c7bee3b67a2e8b747f Mon Sep 17 00:00:00 2001
From: "harshal.patil"
Date: Sun, 26 Oct 2025 15:27:52 +0530
Subject: [PATCH] fix(esp_security): Set WR_DIS_SECURE_BOOT_SHA384_EN by default when Flash Encryption Release mode is enabled and Secure Boot P384 scheme not is enabled.
---
 components/bootloader/Kconfig.projbuild | 2 +-
 components/esp_security/src/init.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index e648a39a9a..d0fed3bf6f 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -967,7 +967,7 @@ menu "Security features"
 config SECURE_BOOT_SKIP_WRITE_PROTECTION_SCA
 bool "Skip write-protection of SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH"
- default y if SECURE_FLASH_PSEUDO_ROUND_FUNC
+ default y if SECURE_FLASH_PSEUDO_ROUND_FUNC && !SECURE_FLASH_ENCRYPTION_MODE_RELEASE
 default n
 depends on SOC_ECDSA_SUPPORT_CURVE_P384 && SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
 help
diff --git a/components/esp_security/src/init.c b/components/esp_security/src/init.c
index 8413e5b351..16ef897bad 100644
--- a/components/esp_security/src/init.c
+++ b/components/esp_security/src/init.c
@@ -90,7 +90,7 @@ ESP_SYSTEM_INIT_FN(esp_security_init, SECONDARY, BIT(0), 103)
 #if CONFIG_SECURE_BOOT_V2_ENABLED
 // H2, H21
 #if SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED
- // Also write protects the ECDSA_CURVE_MODE efuse bit.
+ // Also write protects the ECC_FORCE_CONST_TIME efuse bit.
 if (ecdsa_ll_is_configurable_curve_supported()) {
 err = esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_ECDSA_CURVE_MODE);
 if (err != ESP_OK) {
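Review bot: The new `&& !SECURE_FLASH_ENCRYPTION_MODE_RELEASE` condition on the `default y` line changes a security default — with Release-mode flash encryption the option now falls through to `default n`, so write-protection of SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH is no longer skipped — but the `help` text, which begins at the hunk's last line and continues outside it, is not updated to say so. The commit subject speaks of WR_DIS_SECURE_BOOT_SHA384_EN, which this hunk does not reference, so a reader of the Kconfig alone cannot see why Release mode flips this default. Suggest adding to the help text a sentence such as `When Flash Encryption is in Release mode this option defaults to n, so SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH is write-protected and can no longer be changed on a production device.` That the field "can no longer be changed" once write-protected is inferred from the option's title; confirm the wording against the efuse documentation before committing it.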
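Review bot: The rewritten comment names ECC_FORCE_CONST_TIME while the call two lines below writes ESP_EFUSE_WR_DIS_ECDSA_CURVE_MODE, so the relationship the word "Also" implies — that the two fields are covered by one write-disable bit — is not visible from the code and will read as a mismatch to the next maintainer. Suggest spelling it out: `// WR_DIS_ECDSA_CURVE_MODE shares its write-disable bit with ECC_FORCE_CONST_TIME, so setting it also write-protects that field.` The shared-bit relationship is inferred from the comment's wording; confirm it against the efuse table for the targets (H2, H21) this branch covers. The enclosing ESP_SYSTEM_INIT_FN body starts and ends outside the hunk.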