security: write-protect DIS_ICAHE and DIS_DCACHE

Closes IDF-5177

components/bootloader_support/src/flash_encrypt.c

@@ -200,6 +200,14 @@ void esp_flash_encryption_set_release_mode(void)
 #endif // CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED
 #endif // !CONFIG_IDF_TARGET_ESP32
 
+#ifdef CONFIG_IDF_TARGET_ESP32
+    esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_CACHE);
+#else
+#if SOC_EFUSE_DIS_ICACHE
+    esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE);
+#endif
+#endif // !CONFIG_IDF_TARGET_ESP32
+
 #if CONFIG_SOC_SUPPORTS_SECURE_DL_MODE
     esp_efuse_enable_rom_secure_download_mode();
 #else
@@ -272,6 +280,12 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
         ESP_LOGW(TAG, "Not disabled ROM BASIC interpreter fallback (set CONSOLE_DEBUG_DISABLE->1)");
     }
 
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_DIS_CACHE);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not write-protected DIS_CACHE (set WR_DIS_DIS_CACHE->1)");
+    }
+
     secure = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK1);
     result &= secure;
     if (!secure) {
@@ -376,6 +390,14 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
     }
 #endif
 
+#if SOC_EFUSE_DIS_ICACHE
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not write-protected DIS_ICACHE (set WR_DIS_DIS_ICACHE->1)");
+    }
+#endif
+
     esp_efuse_purpose_t purposes[] = {
 #if SOC_FLASH_ENCRYPTION_XTS_AES_256
         ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1,