Merge branch 'feat/support_key_manager_esp32c5' into 'master'

Support key manager esp32c5 Closes IDF-12626, IDF-12628, IDF-12629, IDF-8621, IDF-9007, IDF-12855, IDF-9070, IDF-7902, and IDF-7548 See merge request espressif/esp-idf!38894
2025-08-23 17:24:44 +00:00 · 2025-07-01 11:36:19 +05:30
parent 5aff8a9d11 bba1448128
commit 78faa2535c
62 changed files with 3397 additions and 2869 deletions
--- a/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -71,12 +71,9 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 esp_err_t esp_flash_encryption_enable_key_mgr(void)
 {
-    // Enable and reset key manager
+    _key_mgr_ll_enable_bus_clock(true);
-    // To suppress build errors about spinlock's __DECLARE_RCC_ATOMIC_ENV
+    _key_mgr_ll_enable_peripheral_clock(true);
-    int __DECLARE_RCC_ATOMIC_ENV __attribute__ ((unused));
+    _key_mgr_ll_reset_register();
    key_mgr_ll_enable_bus_clock(true);
    key_mgr_ll_enable_peripheral_clock(true);
    key_mgr_ll_reset_register();
    while (key_mgr_ll_get_state() != ESP_KEY_MGR_STATE_IDLE) {
    };
--- a/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -53,12 +53,9 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 esp_err_t esp_flash_encryption_enable_key_mgr(void)
 {
-    // Enable and reset key manager
+    _key_mgr_ll_enable_bus_clock(true);
-    // To suppress build errors about spinlock's __DECLARE_RCC_ATOMIC_ENV
+    _key_mgr_ll_enable_peripheral_clock(true);
-    int __DECLARE_RCC_ATOMIC_ENV __attribute__ ((unused));
+    _key_mgr_ll_reset_register();
    key_mgr_ll_enable_bus_clock(true);
    key_mgr_ll_enable_peripheral_clock(true);
    key_mgr_ll_reset_register();
    while (key_mgr_ll_get_state() != ESP_KEY_MGR_STATE_IDLE) {
    };
--- a/components/esp_hw_support/include/esp_crypto_lock.h
+++ b/components/esp_hw_support/include/esp_crypto_lock.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
--- a/components/esp_hw_support/include/esp_hmac.h
+++ b/components/esp_hw_support/include/esp_hmac.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -9,6 +9,7 @@
 #include <stdbool.h>
 #include "esp_err.h"
 #include "soc/soc_caps.h"
 #include "hal/hmac_types.h"
 #if !SOC_HMAC_SUPPORTED && !CI_HEADER_CHECK
 #error "HMAC peripheral is not supported for the selected target"
@@ -18,19 +19,6 @@
 extern "C" {
 #endif
 /**
 * The possible efuse keys for the HMAC peripheral
 */
 typedef enum {
    HMAC_KEY0 = 0,
    HMAC_KEY1,
    HMAC_KEY2,
    HMAC_KEY3,
    HMAC_KEY4,
    HMAC_KEY5,
    HMAC_KEY_MAX
 } hmac_key_id_t;
 /**
 * @brief
 * Calculate the HMAC of a given message.
--- a/components/esp_rom/esp32c5/include/esp32c5/rom/key_mgr.h
+++ b/components/esp_rom/esp32c5/include/esp32c5/rom/key_mgr.h
@@ -0,0 +1,115 @@
 /*
 * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
 #pragma once
 #include "soc/soc_caps.h"
 #if SOC_KEY_MANAGER_SUPPORTED
 #include "rom/ets_sys.h"
 #include "esp_attr.h"
 #include <stdint.h>
 #include "rom/km.h"
 #if __cplusplus
 extern "C" {
 #endif
 // store huk info, occupy 96 words
 struct huk_info {
 // store huk info, occupy 165 words
 #define HUK_INFO_LEN 660
    uint8_t info[HUK_INFO_LEN];
    uint32_t crc;
 } PACKED_ATTR;
 // store key info, occupy 512 bits
 struct key_info {
 #define KEY_INFO_LEN 64
    uint8_t info[KEY_INFO_LEN];
    uint32_t crc;
 } PACKED_ATTR;
 struct huk_key_block {
 #define KEY_HUK_SECTOR_MAGIC 0xDEA5CE5A
    uint32_t magic;
    uint32_t version; // for backward compatibility
    uint8_t reserved[16];
    struct huk_info huk_info;
    struct key_info key_info[2]; // at most 2 key info (XTS-512_1 and XTS-512_2), at least use 1
 } WORD_ALIGNED_ATTR PACKED_ATTR;
 /*
 * We define two info sectors "active" and "backup" here
 * Most rom code would rely only on the "active" sector for the key information
 *
 * But there could be a situation where the huk and key information must be regenerated
 * based on ageing and other factors. For that scenario, we need a "backup" sector
 */
 #define KEY_HUK_SECTOR_OFFSET(i) ((i)*0x1000)
 #define ACTIVE_SECTOR_OFFSET     KEY_HUK_SECTOR_OFFSET(0)
 #define BACKUP_SECTOR_OFFSET     KEY_HUK_SECTOR_OFFSET(1)
 #define KM_PERI_ECDSA (BIT(0))
 #define KM_PERI_XTS   (BIT(1))
 struct km_deploy_ops {
 #define KM_KEY_PURPOSE_ECDSA_KEY_192   1
 #define KM_KEY_PURPOSE_ECDSA_KEY_256   2
 #define KM_KEY_PURPOSE_FLASH_XTS_256_1 3
 #define KM_KEY_PURPOSE_FLASH_XTS_256_2 4
 #define KM_KEY_PURPOSE_FLASH_XTS_128   5
 #define KM_KEY_PURPOSE_HMAC            6
 #define KM_KEY_PURPOSE_DS              7
 #define KM_KEY_PURPOSE_PSRAM_XTS_256_1 8
 #define KM_KEY_PURPOSE_PSRAM_XTS_256_2 9
 #define KM_KEY_PURPOSE_PSRAM_XTS_128   10
 #define KM_KEY_PURPOSE_ECDSA_KEY_384_L 11
 #define KM_KEY_PURPOSE_ECDSA_KEY_384_H 12
    int km_key_purpose;
 #define KM_DEPLOY_MODE_RANDOM  0
 #define KM_DEPLOY_MODE_AES     1
 #define KM_DEPLOY_MODE_ECDH0   2
 #define KM_DEPLOY_MODE_ECDH1   3
 #define KM_DEPLOY_MODE_RECOVER 4
 #define KM_DEPLOY_MODE_EXPORT  5
    int deploy_mode;
    uint8_t *init_key; // 256 bits, only used in aes and ecdh1 deploy mode
    int deploy_only_once;
    int force_use_km_key;
    int km_use_efuse_key;
    uint32_t efuse_km_rnd_switch_cycle; // 0 means use default
    uint32_t km_rnd_switch_cycle;       // 0 means use default
    int km_use_sw_init_key;
    struct huk_info *huk_info;
    struct key_info *key_info;
 };
 /* state of km */
 #define KM_STATE_IDLE    0
 #define KM_STATE_LOAD    1
 #define KM_STATE_GAIN    2
 #define KM_STATE_BUSY    3
 #define KM_STATE_INVALID 4
 /* state of huk generator
 * values defined same as km
 */
 #define HUK_STATE_IDLE 0
 #define HUK_STATE_LOAD 1
 #define HUK_STATE_GAIN 2
 #define HUK_STATE_BUSY 3
 #define HUK_NOT_GENERATED 0
 #define HUK_GEN_VALID     1
 #define HUK_GEN_INVALID   2
 #if __cplusplus
 }
 #endif
 #endif
--- a/components/esp_security/include/esp_key_mgr.h
+++ b/components/esp_security/include/esp_key_mgr.h
@@ -22,7 +22,7 @@ extern "C" {
 #define KEY_MGR_ASSIST_INFO_SIZE         64
 #define KEY_MGR_KEY_RECOVERY_INFO_SIZE   64
-#define KEY_MGR_HUK_INFO_SIZE            HUK_INFO_SIZE
+#define KEY_MGR_HUK_INFO_SIZE            HUK_INFO_LEN
 #define KEY_MGR_HUK_RISK_ALERT_LEVEL     HUK_RISK_ALERT_LEVEL
 /* AES deploy mode */
--- a/components/esp_security/src/esp_crypto_periph_clk.c
+++ b/components/esp_security/src/esp_crypto_periph_clk.c
@@ -80,7 +80,10 @@ void esp_crypto_mpi_enable_periph_clk(bool enable)
    MPI_RCC_ATOMIC() {
        mpi_ll_enable_bus_clock(enable);
        if (enable) {
            mpi_ll_power_up();
            mpi_ll_reset_register();
        } else {
            mpi_ll_power_down();
        }
    }
 }
@@ -141,9 +144,12 @@ void esp_crypto_ecdsa_enable_periph_clk(bool enable)
 void esp_crypto_key_mgr_enable_periph_clk(bool enable)
 {
    KEY_MANAGER_RCC_ATOMIC() {
        key_mgr_ll_power_up();
        key_mgr_ll_enable_bus_clock(enable);
        key_mgr_ll_enable_peripheral_clock(enable);
-        key_mgr_ll_reset_register();
+        if (enable) {
            key_mgr_ll_reset_register();
        }
    }
 }
 #endif
--- a/components/esp_security/src/esp_ds.c
+++ b/components/esp_security/src/esp_ds.c
@@ -17,6 +17,7 @@
 #include "esp_cpu.h"
 #endif
 #include "soc/soc_caps.h"
 #include "esp_ds.h"
 #include "esp_crypto_lock.h"
 #include "esp_crypto_periph_clk.h"
@@ -37,6 +38,10 @@
 #include "hal/sha_ll.h"
 #endif /* !CONFIG_IDF_TARGET_ESP32S2 */
 #ifdef SOC_KEY_MANAGER_DS_KEY_DEPLOY
 #include "hal/key_mgr_hal.h"
 #endif
 /**
 * The vtask delay \c esp_ds_sign() is using while waiting for completion of the signing operation.
 */
@@ -247,22 +252,16 @@ static void ds_acquire_enable(void)
    // We also enable SHA and HMAC here. SHA is used by HMAC, HMAC is used by DS.
    esp_crypto_hmac_enable_periph_clk(true);
    esp_crypto_sha_enable_periph_clk(true);
-
+    esp_crypto_mpi_enable_periph_clk(true);
    esp_crypto_ds_enable_periph_clk(true);
    hmac_hal_start();
 }
 static void ds_disable_release(void)
 {
    ds_hal_finish();
    esp_crypto_ds_enable_periph_clk(false);
-
+    esp_crypto_mpi_enable_periph_clk(false);
    esp_crypto_sha_enable_periph_clk(false);
    esp_crypto_hmac_enable_periph_clk(false);
    esp_crypto_ds_lock_release();
@@ -326,12 +325,24 @@ esp_err_t esp_ds_start_sign(const void *message,
    ds_acquire_enable();
-    // initiate hmac
+#if SOC_KEY_MANAGER_DS_KEY_DEPLOY
-    uint32_t conf_error = hmac_hal_configure(HMAC_OUTPUT_DS, key_id);
+    if (key_id == HMAC_KEY_KM) {
-    if (conf_error) {
+        key_mgr_hal_set_key_usage(ESP_KEY_MGR_DS_KEY, ESP_KEY_MGR_USE_OWN_KEY);
-        ds_disable_release();
+        ds_hal_set_key_source(DS_KEY_SOURCE_KEY_MGR);
-        return ESP_ERR_HW_CRYPTO_DS_HMAC_FAIL;
+    } else {
        key_mgr_hal_set_key_usage(ESP_KEY_MGR_DS_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
        ds_hal_set_key_source(DS_KEY_SOURCE_EFUSE);
 #endif
        // initiate hmac
        hmac_hal_start();
        uint32_t conf_error = hmac_hal_configure(HMAC_OUTPUT_DS, key_id);
        if (conf_error) {
            ds_disable_release();
            return ESP_ERR_HW_CRYPTO_DS_HMAC_FAIL;
        }
 #if SOC_KEY_MANAGER_DS_KEY_DEPLOY
    }
 #endif
    ds_hal_start();
@@ -339,6 +350,7 @@ esp_err_t esp_ds_start_sign(const void *message,
    int64_t start_time = get_time_us();
    while (ds_ll_busy() != 0) {
        if ((get_time_us() - start_time) > SOC_DS_KEY_CHECK_MAX_WAIT_US) {
            ds_hal_finish();
            ds_disable_release();
            return ESP_ERR_HW_CRYPTO_DS_INVALID_KEY;
        }
@@ -348,6 +360,7 @@ esp_err_t esp_ds_start_sign(const void *message,
    *esp_ds_ctx = malloc(sizeof(esp_ds_context_t));
 #endif
    if (!*esp_ds_ctx) {
        ds_hal_finish();
        ds_disable_release();
        return ESP_ERR_NO_MEM;
    }
@@ -398,6 +411,7 @@ esp_err_t esp_ds_finish_sign(void *signature, esp_ds_context_t *esp_ds_ctx)
 #endif
    hmac_hal_clean();
    ds_hal_finish();
    ds_disable_release();
--- a/components/esp_security/src/esp_key_mgr.c
+++ b/components/esp_security/src/esp_key_mgr.c
@@ -4,53 +4,60 @@
 * SPDX-License-Identifier: Apache-2.0
 */
 // The Hardware Support layer for Key manager
 #include <assert.h>
 #include <string.h>
 #include <sys/lock.h>
 #include "assert.h"
 #include "esp_key_mgr.h"
 #include "esp_crypto_periph_clk.h"
 #include "esp_crypto_lock.h"
 #include "esp_log.h"
 #include "esp_err.h"
 #include "esp_random.h"
 #include "esp_heap_caps.h"
 #include "esp_rom_crc.h"
 #include "esp_efuse.h"
 #include "freertos/FreeRTOS.h"
 #include "freertos/semphr.h"
 #include "hal/key_mgr_types.h"
 #include "hal/key_mgr_hal.h"
 #include "hal/key_mgr_ll.h"
 #include "hal/huk_types.h"
 #include "hal/huk_hal.h"
 #include "rom/key_mgr.h"
 #if CONFIG_LOG_DEFAULT_LEVEL_VERBOSE
 #include "soc/huk_reg.h"
 #include "soc/keymng_reg.h"
 #endif
 static const char *TAG = "esp_key_mgr";
 static _lock_t s_key_mgr_ecdsa_key_lock;
 static _lock_t s_key_mgr_xts_aes_key_lock;
 static _lock_t s_key_mgr_hmac_key_lock;
 static _lock_t s_key_mgr_ds_key_lock;
 static _lock_t s_key_mgr_psram_key_lock;
 ESP_STATIC_ASSERT(sizeof(esp_key_mgr_key_recovery_info_t) == sizeof(struct huk_key_block), "Size of esp_key_mgr_key_recovery_info_t should match huk_key_block (from ROM)");
 ESP_STATIC_ASSERT(sizeof(esp_key_mgr_key_info_t) == sizeof(struct key_info), "Size of esp_key_mgr_key_info_t should match key_info (from ROM)");
 ESP_STATIC_ASSERT(sizeof(esp_key_mgr_huk_info_t) == sizeof(struct huk_info), "Size of esp_key_mgr_huk_info_t should match huk_info (from ROM)");
 static void esp_key_mgr_acquire_key_lock(esp_key_mgr_key_type_t key_type)
 {
    switch (key_type) {
-    case ESP_KEY_MGR_ECDSA_KEY:
+    case ESP_KEY_MGR_ECDSA_192_KEY:
    case ESP_KEY_MGR_ECDSA_256_KEY:
    case ESP_KEY_MGR_ECDSA_384_KEY:
        _lock_acquire(&s_key_mgr_ecdsa_key_lock);
        break;
    case ESP_KEY_MGR_XTS_AES_128_KEY:
    case ESP_KEY_MGR_XTS_AES_256_KEY:
        _lock_acquire(&s_key_mgr_xts_aes_key_lock);
        break;
    case ESP_KEY_MGR_HMAC_KEY:
        _lock_acquire(&s_key_mgr_hmac_key_lock);
        break;
    case ESP_KEY_MGR_DS_KEY:
        _lock_acquire(&s_key_mgr_ds_key_lock);
        break;
    case ESP_KEY_MGR_PSRAM_128_KEY:
    case ESP_KEY_MGR_PSRAM_256_KEY:
        _lock_acquire(&s_key_mgr_psram_key_lock);
        break;
    default:
        ESP_LOGE(TAG, "Invalid key type");
        break;
    }
    ESP_LOGV(TAG, "Key lock acquired for key type %d", key_type);
 }
@@ -58,13 +65,28 @@ static void esp_key_mgr_acquire_key_lock(esp_key_mgr_key_type_t key_type)
 static void esp_key_mgr_release_key_lock(esp_key_mgr_key_type_t key_type)
 {
    switch (key_type) {
-    case ESP_KEY_MGR_ECDSA_KEY:
+    case ESP_KEY_MGR_ECDSA_192_KEY:
    case ESP_KEY_MGR_ECDSA_256_KEY:
    case ESP_KEY_MGR_ECDSA_384_KEY:
        _lock_release(&s_key_mgr_ecdsa_key_lock);
        break;
    case ESP_KEY_MGR_XTS_AES_128_KEY:
    case ESP_KEY_MGR_XTS_AES_256_KEY:
        _lock_release(&s_key_mgr_xts_aes_key_lock);
        break;
    case ESP_KEY_MGR_HMAC_KEY:
        _lock_release(&s_key_mgr_hmac_key_lock);
        break;
    case ESP_KEY_MGR_DS_KEY:
        _lock_release(&s_key_mgr_ds_key_lock);
        break;
    case ESP_KEY_MGR_PSRAM_128_KEY:
    case ESP_KEY_MGR_PSRAM_256_KEY:
        _lock_release(&s_key_mgr_psram_key_lock);
        break;
    default:
        ESP_LOGE(TAG, "Invalid key type");
        break;
    }
    ESP_LOGV(TAG, "Key lock released for key type %d", key_type);
 }
@@ -116,7 +138,7 @@ static void check_huk_risk_level(void)
                 "It is recommended to immediately regenerate HUK in order"
                 "to avoid permanently losing the deployed keys", huk_risk_level);
    } else {
-        ESP_LOGI(TAG, "HUK Risk level - %" PRId8 " within acceptable limit (%" PRIu32 ")", huk_risk_level, (uint32_t)KEY_MGR_HUK_RISK_ALERT_LEVEL);
+        ESP_LOGD(TAG, "HUK Risk level - %" PRId8 " within acceptable limit (%" PRIu32 ")", huk_risk_level, (uint32_t)KEY_MGR_HUK_RISK_ALERT_LEVEL);
    }
 }
@@ -147,6 +169,30 @@ typedef struct {
    esp_key_mgr_huk_info_t *huk_recovery_info;
 } huk_deploy_config_t;
 static esp_err_t configure_huk(esp_huk_mode_t huk_mode, uint8_t *huk_info)
 {
    esp_err_t ret = huk_hal_configure(huk_mode, huk_info);
    if (ret != ESP_OK) {
        return ret;
    }
 #if SOC_HUK_MEM_NEEDS_RECHARGE
    if (!key_mgr_hal_is_huk_valid()) {
        huk_hal_recharge_huk_memory();
        ret = huk_hal_configure(huk_mode, huk_info);
        if (ret != ESP_OK) {
            return ret;
        }
    }
 #endif
    if (!key_mgr_hal_is_huk_valid()) {
        return ESP_FAIL;
    }
    return ESP_OK;
 }
 static esp_err_t deploy_huk(huk_deploy_config_t *config)
 {
    esp_err_t esp_ret = ESP_FAIL;
@@ -157,41 +203,41 @@ static esp_err_t deploy_huk(huk_deploy_config_t *config)
    if (config->use_pre_generated_huk_info) {
        // If HUK info is provided then recover the HUK from given info
        check_huk_risk_level();
        if (!check_huk_info_validity(config->pre_generated_huk_info)) {
            ESP_LOGE(TAG, "HUK info is not valid");
            heap_caps_free(huk_recovery_info);
            return ESP_ERR_INVALID_ARG;
        }
        memcpy(huk_recovery_info, config->pre_generated_huk_info->info, KEY_MGR_HUK_INFO_SIZE);
-        ESP_LOGI(TAG, "Recovering HUK from given HUK recovery info");
+        ESP_LOGD(TAG, "Recovering HUK from given HUK recovery info");
-        esp_ret = huk_hal_configure(ESP_HUK_MODE_RECOVERY, huk_recovery_info);
+
        esp_ret = configure_huk(ESP_HUK_MODE_RECOVERY, huk_recovery_info);
        if (esp_ret != ESP_OK) {
            ESP_LOGE(TAG, "Failed to recover HUK");
            heap_caps_free(huk_recovery_info);
            return esp_ret;
        }
        // Copy the pre generated huk info in the output key recovery info
        memcpy(config->huk_recovery_info->info, huk_recovery_info, KEY_MGR_HUK_INFO_SIZE);
        config->huk_recovery_info->crc = config->pre_generated_huk_info->crc;
    } else {
        // Generate new HUK and corresponding HUK info
-        ESP_LOGI(TAG, "Generating new HUK");
+        ESP_LOGD(TAG, "Generating new HUK");
-        esp_ret = huk_hal_configure(ESP_HUK_MODE_GENERATION, huk_recovery_info);
+
        esp_ret = configure_huk(ESP_HUK_MODE_GENERATION, huk_recovery_info);
        if (esp_ret != ESP_OK) {
            ESP_LOGE(TAG, "Failed to generate HUK");
            heap_caps_free(huk_recovery_info);
            return esp_ret;
        }
        memcpy(config->huk_recovery_info->info, huk_recovery_info, KEY_MGR_HUK_INFO_SIZE);
        config->huk_recovery_info->crc = esp_rom_crc32_le(0,  huk_recovery_info, KEY_MGR_HUK_INFO_SIZE);
    }
    if (!key_mgr_hal_is_huk_valid()) {
        ESP_LOGE(TAG, "HUK is invalid");
        heap_caps_free(huk_recovery_info);
        return ESP_FAIL;
    }
    ESP_LOG_BUFFER_HEX_LEVEL("HUK INFO", huk_recovery_info, KEY_MGR_HUK_INFO_SIZE, ESP_LOG_DEBUG);
    // Free the local buffer for huk recovery info
    heap_caps_free(huk_recovery_info);
@@ -202,8 +248,9 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config)
 {
    esp_err_t esp_ret = ESP_FAIL;
    key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
    if ((!key_mgr_hal_is_huk_valid()) || (!config->huk_deployed)) {
-        // For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 this part shall be already executed
+        // For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 or ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2 this part shall be already executed
        huk_deploy_config_t huk_deploy_config = {};
        huk_deploy_config.use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info;
        huk_deploy_config.pre_generated_huk_info = &config->key_config->huk_info;
@@ -212,7 +259,7 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config)
        if (esp_ret != ESP_OK) {
            return esp_ret;
        }
-        ESP_LOGI(TAG, "HUK deployed successfully");
+        ESP_LOGD(TAG, "HUK deployed successfully");
    }
    // STEP 1: Init Step
@@ -223,61 +270,69 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config)
    if (!key_recovery_info) {
        return ESP_ERR_NO_MEM;
    }
-    // Set key purpose (XTS/ECDSA)
+
    // Set key purpose
    ESP_LOGD(TAG, "Key purpose = %d", config->key_purpose);
    key_mgr_hal_set_key_purpose(config->key_purpose);
    // Set key length for XTS-AES key
    esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) config->key_config->key_type;
-    if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) {
+    if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY || key_type == ESP_KEY_MGR_PSRAM_128_KEY) {
-        key_mgr_hal_set_xts_aes_key_len(ESP_KEY_MGR_XTS_AES_LEN_256);
+        key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_256);
-    } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
+    } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) {
-        key_mgr_hal_set_xts_aes_key_len(ESP_KEY_MGR_XTS_AES_LEN_512);
+        key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_512);
    }
    if (config->key_config->use_pre_generated_sw_init_key) {
        key_mgr_hal_use_sw_init_key();
-    } else {
+    } else if (!esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_KM_INIT_KEY, NULL)) {
-        if (!esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_KM_INIT_KEY, NULL)) {
+        ESP_LOGE(TAG, "Could not find key with purpose KM_INIT_KEY");
-            ESP_LOGE(TAG, "Could not find key with purpose KM_INIT_KEY");
+        heap_caps_free(key_recovery_info);
-            heap_caps_free(key_recovery_info);
+        return ESP_FAIL;
            return ESP_FAIL;
        }
    }
    key_mgr_hal_start();
    key_mgr_hal_continue();
    // Step 2: Load phase
    key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD);
    if (config->key_config->use_pre_generated_sw_init_key) {
        key_mgr_hal_write_sw_init_key(config->key_config->sw_init_key, KEY_MGR_SW_INIT_KEY_SIZE);
        ESP_LOG_BUFFER_HEX_LEVEL("SW_INIT_KEY", config->key_config->sw_init_key, KEY_MGR_SW_INIT_KEY_SIZE, ESP_LOG_DEBUG);
    }
    ESP_LOG_BUFFER_HEX_LEVEL("SW_INIT_KEY", config->key_config->sw_init_key, KEY_MGR_SW_INIT_KEY_SIZE, ESP_LOG_DEBUG);
    ESP_LOGD(TAG, "Writing Information into Key Manager Registers");
    key_mgr_hal_write_assist_info(config->key_config->k2_info, KEY_MGR_K2_INFO_SIZE);
    ESP_LOG_BUFFER_HEX_LEVEL("K2_INFO", config->key_config->k2_info, KEY_MGR_K2_INFO_SIZE, ESP_LOG_DEBUG);
    key_mgr_hal_write_public_info(config->k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE);
    ESP_LOG_BUFFER_HEX_LEVEL("K1_ENCRYPTED", config->k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE, ESP_LOG_DEBUG);
    key_mgr_hal_continue();
    // Step 3: Gain phase
    key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN);
    key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
    ESP_LOG_BUFFER_HEX_LEVEL("KEY_RECOVERY_INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG);
-    if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1) {
+    if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 || config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) {
        if (!key_mgr_hal_is_key_deployment_valid(config->key_config->key_type)) {
            ESP_LOGE(TAG, "Key deployment is not valid");
            heap_caps_free(key_recovery_info);
            return ESP_FAIL;
        }
-        ESP_LOGI(TAG, "Key deployment valid");
+        ESP_LOGD(TAG, "Key deployment valid");
    }
    // Wait till Key Manager deployment is complete
    key_mgr_hal_continue();
    key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
-    if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2) {
+
    if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) {
        memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
        config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
@@ -285,6 +340,7 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config)
        memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
        config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
    }
    heap_caps_free(key_recovery_info);
    config->key_info->key_type = config->key_config->key_type;
    config->key_info->magic = KEY_HUK_SECTOR_MAGIC;
@@ -298,7 +354,7 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t
        return ESP_ERR_INVALID_ARG;
    }
-    ESP_LOGI(TAG, "Key deployment in AES mode");
+    ESP_LOGD(TAG, "Key deployment in AES mode");
    aes_deploy_config_t aes_deploy_config = {};
    aes_deploy_config.key_config = key_config;
@@ -306,13 +362,32 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t
    aes_deploy_config.k1_encrypted = key_config->k1_encrypted[0];
    esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type;
-    if (key_type == ESP_KEY_MGR_ECDSA_KEY) {
+    switch (key_type) {
-        aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA;
+    case ESP_KEY_MGR_ECDSA_192_KEY:
-    } else if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) {
+        aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192;
        break;
    case ESP_KEY_MGR_ECDSA_256_KEY:
        aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256;
        break;
    case ESP_KEY_MGR_XTS_AES_128_KEY:
        aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128;
-    } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
+        break;
    case ESP_KEY_MGR_XTS_AES_256_KEY:
        aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1;
-    } else {
+        break;
    case ESP_KEY_MGR_HMAC_KEY:
        aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC;
        break;
    case ESP_KEY_MGR_DS_KEY:
        aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS;
        break;
    case ESP_KEY_MGR_PSRAM_128_KEY:
        aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_128;
        break;
    case ESP_KEY_MGR_PSRAM_256_KEY:
        aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1;
        break;
    default:
        ESP_LOGE(TAG, "Invalid key type");
        return ESP_ERR_INVALID_ARG;
    }
@@ -322,21 +397,25 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t
    esp_err_t esp_ret = key_mgr_deploy_key_aes_mode(&aes_deploy_config);
    if (esp_ret != ESP_OK) {
        ESP_LOGE(TAG, "Key deployment in AES mode failed");
        goto cleanup;
    }
    aes_deploy_config.huk_deployed = true;
-    if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
+    if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) {
-        aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2;
+        aes_deploy_config.key_purpose = key_type == ESP_KEY_MGR_XTS_AES_256_KEY ? ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2;
        aes_deploy_config.k1_encrypted = key_config->k1_encrypted[1];
        esp_ret = key_mgr_deploy_key_aes_mode(&aes_deploy_config);
        if (esp_ret != ESP_OK) {
            ESP_LOGE(TAG, "Key deployment in AES mode failed");
            goto cleanup;
        }
    }
    // Set the Key Manager Static Register to use own key for the respective key type
    key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY);
 cleanup:
    esp_key_mgr_release_hardware(true);
    return esp_ret;
 }
@@ -358,17 +437,13 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config)
    if ((!key_mgr_hal_is_huk_valid()) || (!config->huk_recovered)) {
        check_huk_risk_level();
-        esp_err_t esp_ret = huk_hal_configure(ESP_HUK_MODE_RECOVERY, config->key_recovery_info->huk_info.info);
+        esp_err_t esp_ret = configure_huk(ESP_HUK_MODE_RECOVERY, config->key_recovery_info->huk_info.info);
        if (esp_ret != ESP_OK) {
            ESP_LOGE(TAG, "Failed to recover HUK");
-            return ESP_FAIL;
+            return esp_ret;
        }
-        if (!key_mgr_hal_is_huk_valid()) {
+
-            ESP_LOGE(TAG, "HUK is invalid");
+        ESP_LOGD(TAG, "HUK recovered successfully");
            // TODO - define error code
            return ESP_FAIL;
        }
        ESP_LOGI(TAG, "HUK recovered successfully");
        ESP_LOG_BUFFER_HEX_LEVEL("HUK INFO", config->key_recovery_info->huk_info.info, KEY_MGR_HUK_INFO_SIZE, ESP_LOG_DEBUG);
        config->huk_recovered = true;
    }
@@ -377,17 +452,18 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config)
    // Set AES-XTS key len
    esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) config->key_recovery_info->key_type;
-    if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) {
+    if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY || key_type == ESP_KEY_MGR_PSRAM_128_KEY) {
-        key_mgr_hal_set_xts_aes_key_len(ESP_KEY_MGR_XTS_AES_LEN_256);
+        key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_256);
-    } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
+    } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) {
-        key_mgr_hal_set_xts_aes_key_len(ESP_KEY_MGR_XTS_AES_LEN_512);
+        key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_512);
    }
    key_mgr_hal_set_key_purpose(config->key_purpose);
    key_mgr_hal_start();
    key_mgr_hal_continue();
    key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD);
-    if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2) {
+
    if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) {
        if (!check_key_info_validity(&config->key_recovery_info->key_info[1])) {
            ESP_LOGE(TAG, "Key info not valid");
            return ESP_FAIL;
@@ -405,6 +481,7 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config)
    key_mgr_hal_continue();
    key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN);
    if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1) {
        if (!key_mgr_hal_is_key_deployment_valid(config->key_recovery_info->key_type)) {
            ESP_LOGD(TAG, "Key deployment is not valid");
@@ -412,6 +489,7 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config)
        }
        ESP_LOGD(TAG, "Key Recovery valid");
    }
    key_mgr_hal_continue();
    key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
    return ESP_OK;
@@ -423,60 +501,85 @@ esp_err_t esp_key_mgr_activate_key(esp_key_mgr_key_recovery_info_t *key_recovery
        return ESP_ERR_INVALID_ARG;
    }
    esp_key_mgr_key_purpose_t key_purpose;
    ESP_LOGD(TAG, "Activating key of type %d", key_recovery_info->key_type);
    esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_recovery_info->key_type;
-    if (key_type == ESP_KEY_MGR_ECDSA_KEY) {
+    esp_key_mgr_key_purpose_t key_purpose;
-        key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA;
+
-    } else if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) {
+    switch (key_type) {
    case ESP_KEY_MGR_ECDSA_192_KEY:
        key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192;
        break;
    case ESP_KEY_MGR_ECDSA_256_KEY:
        key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256;
        break;
    case ESP_KEY_MGR_XTS_AES_128_KEY:
        key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128;
-    } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
+        break;
    case ESP_KEY_MGR_XTS_AES_256_KEY:
        key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1;
-    } else {
+        break;
    case ESP_KEY_MGR_HMAC_KEY:
        key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC;
        break;
    case ESP_KEY_MGR_DS_KEY:
        key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS;
        break;
    case ESP_KEY_MGR_PSRAM_128_KEY:
        key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_128;
        break;
    case ESP_KEY_MGR_PSRAM_256_KEY:
        key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1;
        break;
    default:
        ESP_LOGE(TAG, "Invalid key type");
        return ESP_ERR_INVALID_ARG;
    }
    esp_err_t esp_ret = ESP_FAIL;
    esp_key_mgr_acquire_key_lock(key_type);
-    key_recovery_config_t key_recovery_config = {};
+    key_recovery_config_t key_recovery_config = {
-    key_recovery_config.key_recovery_info = key_recovery_info;
+        .key_recovery_info = key_recovery_info,
-    key_recovery_config.key_purpose = key_purpose;
+        .key_purpose = key_purpose,
    };
    esp_key_mgr_acquire_hardware(false);
    esp_ret = key_mgr_recover_key(&key_recovery_config);
    if (esp_ret != ESP_OK) {
        ESP_LOGE(TAG, "Failed to recover key");
        esp_key_mgr_release_key_lock(key_type);
        goto cleanup;
    }
-    if (key_recovery_info->key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
+    if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) {
-        key_recovery_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2;
+        key_recovery_config.key_purpose = key_type == ESP_KEY_MGR_XTS_AES_256_KEY ? ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2;
        esp_ret = key_mgr_recover_key(&key_recovery_config);
        if (esp_ret != ESP_OK) {
            ESP_LOGE(TAG, "Failed to recover key");
            esp_key_mgr_release_key_lock(key_type);
            goto cleanup;
        }
    }
    // Set the Key Manager Static Register to use own key for the respective key type
-    key_mgr_hal_set_key_usage(key_recovery_info->key_type, ESP_KEY_MGR_USE_OWN_KEY);
+    key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY);
-    ESP_LOGI(TAG, "Key activation for type %d successful", key_recovery_info->key_type);
+    esp_key_mgr_release_key_lock(key_type);
    ESP_LOGD(TAG, "Key activation for type %d successful", key_type);
    return ESP_OK;
 cleanup:
-    ESP_LOGI(TAG, "Key activation failed");
+    ESP_LOGE(TAG, "Key activation failed");
    esp_key_mgr_release_hardware(false);
    return esp_ret;
 }
 esp_err_t esp_key_mgr_deactivate_key(esp_key_mgr_key_type_t key_type)
 {
    ESP_LOGD(TAG, "Deactivating key of type %d", key_type);
    esp_key_mgr_release_key_lock(key_type);
    esp_key_mgr_release_hardware(false);
-    ESP_LOGI(TAG, "Key deactivation successful");
+    ESP_LOGD(TAG, "Key deactivation successful for type %d", key_type);
    return ESP_OK;
 }
@@ -495,7 +598,7 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config)
    key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
    if ((!key_mgr_hal_is_huk_valid()) || (!config->huk_deployed)) {
-        // For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 this part shall be already executed
+        // For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 or ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2 this part shall be already executed
        huk_deploy_config_t huk_deploy_config;
        huk_deploy_config.use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info;
        huk_deploy_config.pre_generated_huk_info = &config->key_config->huk_info;
@@ -504,7 +607,7 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config)
        if (esp_ret != ESP_OK) {
            return esp_ret;
        }
-        ESP_LOGI(TAG, "HUK deployed successfully");
+        ESP_LOGD(TAG, "HUK deployed successfully");
    }
    uint8_t *key_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_KEY_RECOVERY_INFO_SIZE, MALLOC_CAP_INTERNAL);
@@ -518,46 +621,50 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config)
    // Set AES-XTS key len
    esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) config->key_config->key_type;
-    if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) {
+    if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY || key_type == ESP_KEY_MGR_PSRAM_128_KEY) {
-        key_mgr_hal_set_xts_aes_key_len(ESP_KEY_MGR_XTS_AES_LEN_256);
+        key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_256);
-    } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
+    } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) {
-        key_mgr_hal_set_xts_aes_key_len(ESP_KEY_MGR_XTS_AES_LEN_512);
+        key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_512);
    }
-    // Set key purpose (XTS/ECDSA)
+    // Set key purpose
    key_mgr_hal_set_key_purpose(config->key_purpose);
    key_mgr_hal_start();
    key_mgr_hal_continue();
    // Step 2: Load phase
    key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD);
    ESP_LOGD(TAG, "Writing Information into Key Manager Registers");
    key_mgr_hal_write_public_info(config->k1_G, KEY_MGR_ECDH0_INFO_SIZE);
    key_mgr_hal_continue();
    // Step 3: Gain phase
    key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN);
    key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
    key_mgr_hal_read_assist_info(config->ecdh0_key_info);
    ESP_LOG_BUFFER_HEX_LEVEL("KEY_MGR KEY INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG);
-    ESP_LOGI(TAG, "HUK deplpoyed is Valid");
+    ESP_LOGD(TAG, "HUK deployed is valid");
-    if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1) {
+    if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 || config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) {
        if (!key_mgr_hal_is_key_deployment_valid(config->key_config->key_type)) {
            ESP_LOGE(TAG, "Key deployment is not valid");
            heap_caps_free(key_recovery_info);
            return ESP_FAIL;
        }
-        ESP_LOGI(TAG, "Key deployment valid");
+        ESP_LOGD(TAG, "Key deployment valid");
    }
    // Wait till Key Manager deployment is complete
    key_mgr_hal_continue();
    key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
-    if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2) {
+
    if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) {
        memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
        config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
    } else {
        memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
        config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
@@ -576,25 +683,51 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi
    if (key_config == NULL || key_info == NULL || ecdh0_key_info == NULL) {
        return ESP_ERR_INVALID_ARG;
    }
-    ESP_LOGI(TAG, "Key Deployment in ECDH0 mode");
+
-    esp_key_mgr_key_purpose_t key_purpose;
+    ESP_LOGD(TAG, "Key Deployment in ECDH0 mode");
    esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type;
-    ecdh0_deploy_config_t ecdh0_deploy_config = {};
+    ecdh0_deploy_config_t ecdh0_deploy_config = {
-    ecdh0_deploy_config.key_config = key_config;
+        .key_config = key_config,
-    ecdh0_deploy_config.key_info = key_info;
+        .key_info = key_info,
-    ecdh0_deploy_config.k1_G = key_config->k1_G[0];
+        .k1_G = key_config->k1_G[0],
    };
-    if (key_type == ESP_KEY_MGR_ECDSA_KEY) {
+    switch (key_type) {
-        ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA;
+    case ESP_KEY_MGR_ECDSA_192_KEY:
        ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192;
        ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
-    } else if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) {
+        break;
    case ESP_KEY_MGR_ECDSA_256_KEY:
        ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256;
        ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
        break;
    case ESP_KEY_MGR_XTS_AES_128_KEY:
        ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128;
        ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
-    } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
+        break;
    case ESP_KEY_MGR_XTS_AES_256_KEY:
        ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1;
        ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
-    } else {
+        break;
    case ESP_KEY_MGR_HMAC_KEY:
        ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC;
        ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
        break;
    case ESP_KEY_MGR_DS_KEY:
        ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS;
        ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
        break;
    case ESP_KEY_MGR_PSRAM_128_KEY:
        ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_128;
        ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
        break;
    case ESP_KEY_MGR_PSRAM_256_KEY:
        ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1;
        ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
        break;
    default:
        ESP_LOGE(TAG, "Invalid key type");
        return ESP_ERR_INVALID_ARG;
    }
@@ -605,13 +738,12 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi
    if (esp_ret != ESP_OK) {
        ESP_LOGE(TAG, "Failed to deploy key in ECDH0 mode");
    }
    ecdh0_deploy_config.huk_deployed = true;
-    if (key_config->key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
+    if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) {
-        key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2;
+        ecdh0_deploy_config.key_purpose = key_type == ESP_KEY_MGR_XTS_AES_256_KEY ? ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2;
        ecdh0_deploy_config.key_purpose = key_purpose;
        ecdh0_deploy_config.k1_G = key_config->k1_G[1];
        ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[1];
        esp_ret = key_mgr_deploy_key_ecdh0_mode(&ecdh0_deploy_config);
        if (esp_ret != ESP_OK) {
@@ -637,17 +769,20 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config)
 {
    esp_err_t esp_ret = ESP_FAIL;
    key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
    if ((!key_mgr_hal_is_huk_valid()) || (!config->huk_deployed)) {
-        // For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 this part shall be already executed
+        // For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 or ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2 this part shall be already executed
-        huk_deploy_config_t huk_deploy_config = {};
+        huk_deploy_config_t huk_deploy_config = {
-        huk_deploy_config.use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info;
+            .use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info,
-        huk_deploy_config.pre_generated_huk_info = &config->key_config->huk_info;
+            .pre_generated_huk_info = &config->key_config->huk_info,
-        huk_deploy_config.huk_recovery_info = &config->key_info->huk_info;
+            .huk_recovery_info = &config->key_info->huk_info,
        };
        esp_ret = deploy_huk(&huk_deploy_config);
        if (esp_ret != ESP_OK) {
            return esp_ret;
        }
-        ESP_LOGI(TAG, "HUK deployed successfully");
+        ESP_LOGD(TAG, "HUK deployed successfully");
    }
    // Configure deployment mode to RANDOM
@@ -655,10 +790,10 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config)
    // Set AES-XTS key len
    esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) config->key_config->key_type;
-    if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) {
+    if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY || key_type == ESP_KEY_MGR_PSRAM_128_KEY) {
-        key_mgr_hal_set_xts_aes_key_len(ESP_KEY_MGR_XTS_AES_LEN_256);
+        key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_256);
-    } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
+    } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) {
-        key_mgr_hal_set_xts_aes_key_len(ESP_KEY_MGR_XTS_AES_LEN_512);
+        key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_512);
    }
    uint8_t *key_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_KEY_RECOVERY_INFO_SIZE, MALLOC_CAP_INTERNAL);
@@ -673,35 +808,37 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config)
    key_mgr_hal_continue();
    key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD);
    key_mgr_hal_continue();
    // No configuration for Random deploy mode
    key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN);
    key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
    ESP_LOG_BUFFER_HEX_LEVEL("KEY_MGR KEY INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG);
-    if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1) {
+    if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 || config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) {
        if (!key_mgr_hal_is_key_deployment_valid(config->key_config->key_type)) {
            ESP_LOGE(TAG, "Key deployment is not valid");
            heap_caps_free(key_recovery_info);
            return ESP_FAIL;
        }
-        ESP_LOGI(TAG, "Key deployment valid");
+        ESP_LOGD(TAG, "Key deployment valid");
    }
    // Wait till Key Manager deployment is complete
    key_mgr_hal_continue();
    key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
-    if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2) {
+
    if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) {
        memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
        config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
    } else {
        memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
        config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
    }
    heap_caps_free(key_recovery_info);
    config->key_info->key_type = config->key_config->key_type;
    config->key_info->magic = KEY_HUK_SECTOR_MAGIC;
    return ESP_OK;
 }
@@ -711,20 +848,41 @@ esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_con
        return ESP_ERR_INVALID_ARG;
    }
-    ESP_LOGI(TAG, "Key deployment in Random mode");
+    ESP_LOGD(TAG, "Key deployment in Random mode");
    random_deploy_config_t random_deploy_config = {
        .key_config = key_config,
        .key_info = key_recovery_info,
    };
    random_deploy_config_t random_deploy_config = {};
    random_deploy_config.key_config = key_config;
    random_deploy_config.key_info = key_recovery_info;
    esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type;
-    if (key_type == ESP_KEY_MGR_ECDSA_KEY) {
+    switch (key_type) {
-        random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA;
+    case ESP_KEY_MGR_ECDSA_192_KEY:
-    } else if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) {
+        random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192;
        break;
    case ESP_KEY_MGR_ECDSA_256_KEY:
        random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256;
        break;
    case ESP_KEY_MGR_XTS_AES_128_KEY:
        random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128;
-    } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
+        break;
    case ESP_KEY_MGR_XTS_AES_256_KEY:
        random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1;
-    } else {
+        break;
    case ESP_KEY_MGR_HMAC_KEY:
        random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC;
        break;
    case ESP_KEY_MGR_DS_KEY:
        random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS;
        break;
    case ESP_KEY_MGR_PSRAM_128_KEY:
        random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_128;
        break;
    case ESP_KEY_MGR_PSRAM_256_KEY:
        random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1;
        break;
    default:
        ESP_LOGE(TAG, "Invalid key type");
        return ESP_ERR_INVALID_ARG;
    }
@@ -736,10 +894,11 @@ esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_con
        ESP_LOGE(TAG, "Key deployment in Random mode failed");
        return ESP_FAIL;
    }
    random_deploy_config.huk_deployed = true;
-    if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
+    if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) {
-        random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2;
+        random_deploy_config.key_purpose = key_type == ESP_KEY_MGR_XTS_AES_256_KEY ? ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2;
        esp_ret = key_mgr_deploy_key_random_mode(&random_deploy_config);
        if (esp_ret != ESP_OK) {
            ESP_LOGE(TAG, "Key deployment in Random mode failed");
@@ -748,8 +907,9 @@ esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_con
    }
    // Set the Key Manager Static Register to use own key for the respective key type
-    key_mgr_hal_set_key_usage(key_config->key_type, ESP_KEY_MGR_USE_OWN_KEY);
+    key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY);
    esp_key_mgr_release_hardware(true);
    return esp_ret;
 }
--- a/components/esp_security/src/init.c
+++ b/components/esp_security/src/init.c
@@ -14,16 +14,20 @@
 #include "esp_err.h"
 #include "hal/efuse_hal.h"
-#if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY || SOC_KEY_MANAGER_FE_KEY_DEPLOY
+#if SOC_HUK_MEM_NEEDS_RECHARGE
-#include "hal/key_mgr_ll.h"
+#include "hal/huk_hal.h"
 #endif
 #if SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT
 #include "hal/key_mgr_ll.h"
 #endif /* SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT */
 __attribute__((unused)) static const char *TAG = "esp_security";
 static void esp_key_mgr_init(void)
 {
    // The following code initializes the key manager.
-#if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY || SOC_KEY_MANAGER_FE_KEY_DEPLOY
+#if SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT
    // Enable key manager clock
    // Using ll APIs which do not require critical section
    _key_mgr_ll_enable_bus_clock(true);
@@ -31,7 +35,7 @@ static void esp_key_mgr_init(void)
    _key_mgr_ll_reset_register();
    while (key_mgr_ll_get_state() != ESP_KEY_MGR_STATE_IDLE) {
    };
-#endif /* SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY || SOC_KEY_MANAGER_FE_KEY_DEPLOY */
+#endif /* SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT */
 }
 ESP_SYSTEM_INIT_FN(esp_security_init, SECONDARY, BIT(0), 103)
--- a/components/esp_security/test_apps/crypto_drivers/main/hmac_key.bin
+++ b/components/esp_security/test_apps/crypto_drivers/main/hmac_key.bin
@@ -0,0 +1,2 @@
--- a/components/esp_security/test_apps/crypto_drivers/main/hmac_test_cases.h
+++ b/components/esp_security/test_apps/crypto_drivers/main/hmac_test_cases.h
--- a/components/esp_security/test_apps/crypto_drivers/main/test_ds.c
+++ b/components/esp_security/test_apps/crypto_drivers/main/test_ds.c
@@ -184,7 +184,7 @@ TEST_CASE("Digital Signature start HMAC key out of range", "[hw_crypto] [ds]")
    esp_ds_context_t *ctx;
    const char *message = "test";
-    TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_start_sign(message, &ds_data, HMAC_KEY5 + 1, &ctx));
+    TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_start_sign(message, &ds_data, HMAC_KEY_MAX, &ctx));
    TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_start_sign(message, &ds_data, HMAC_KEY0 - 1, &ctx));
 }
@@ -255,7 +255,7 @@ TEST_CASE("Digital Signature Blocking HMAC key out of range", "[hw_crypto] [ds]"
    const char *message = "test";
    uint8_t signature_data [128 * 4];
-    TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_sign(message, &ds_data, HMAC_KEY5 + 1, signature_data));
+    TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_sign(message, &ds_data, HMAC_KEY_MAX, signature_data));
    TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, esp_ds_sign(message, &ds_data, HMAC_KEY0 - 1, signature_data));
 }
--- a/components/esp_security/test_apps/crypto_drivers/main/test_hmac.c
+++ b/components/esp_security/test_apps/crypto_drivers/main/test_hmac.c
--- a/components/esp_security/test_apps/crypto_drivers/main/test_key_mgr.c
+++ b/components/esp_security/test_apps/crypto_drivers/main/test_key_mgr.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Unlicense OR CC0-1.0
 */
@@ -18,6 +18,31 @@
 #include "esp_key_mgr.h"
 #include "esp_system.h"
 #include "unity_test_utils_memory.h"
 #if SOC_KEY_MANAGER_HMAC_KEY_DEPLOY
 #include "esp_hmac.h"
 #include "hmac_test_cases.h"
 #endif /* SOC_KEY_MANAGER_HMAC_KEY_DEPLOY */
 #if SOC_KEY_MANAGER_DS_KEY_DEPLOY
 #include "esp_ds.h"
 #define NUM_RESULTS 10
 typedef struct {
    uint8_t iv[ESP_DS_IV_LEN];
    esp_ds_p_data_t p_data;
    uint8_t expected_c[ESP_DS_C_LEN];
    uint8_t hmac_key_idx;
    uint32_t expected_results[NUM_RESULTS][SOC_RSA_MAX_BIT_LEN / 32];
 } encrypt_testcase_t;
 #if SOC_RSA_MAX_BIT_LEN == 4096
 #include "digital_signature_test_cases_4096.h"
 #elif SOC_RSA_MAX_BIT_LEN == 3072
 #include "digital_signature_test_cases_3072.h"
 #endif
 #endif /* SOC_KEY_MANAGER_DS_KEY_DEPLOY */
 static const char *TAG = "key_mgr_test";
 #define ENCRYPTED_DATA_SIZE 128
@@ -33,41 +58,55 @@ static const uint8_t plaintext_data[ENCRYPTED_DATA_SIZE] = {
 };
 static const uint8_t expected_ciphertext[ENCRYPTED_DATA_SIZE] = {
-    0x1f, 0x41, 0xa4, 0xec, 0x0f, 0xd3, 0xaf, 0xe1, 0xb5, 0xc0, 0x56, 0x41, 0xcb, 0x28, 0x97, 0x1c,
+    0xf9, 0xb6, 0x08, 0x0f, 0xfb, 0x37, 0x46, 0xe4, 0x99, 0x3c, 0xf9, 0x29, 0xab, 0x90, 0xd5, 0x3f,
-    0x45, 0x02, 0x23, 0xcd, 0x45, 0x06, 0x19, 0xd8, 0xf9, 0x40, 0x8d, 0xdf, 0xb8, 0x71, 0xa7, 0x79,
+    0xc8, 0x70, 0x45, 0xae, 0x28, 0x16, 0xbd, 0x83, 0x66, 0x16, 0x83, 0x86, 0x01, 0xc9, 0xa2, 0x97,
-    0xdf, 0xbb, 0x2d, 0x6a, 0xdd, 0x16, 0x18, 0x32, 0xe4, 0xa6, 0xfe, 0x23, 0xc9, 0x70, 0xa0, 0xfa,
+    0xa4, 0xf6, 0xf0, 0x40, 0xb5, 0xfd, 0xb7, 0x13, 0x60, 0xc3, 0x39, 0xf2, 0x32, 0x5a, 0xa3, 0x89,
-    0xec, 0x74, 0xf4, 0x62, 0xea, 0x31, 0xc7, 0x1e, 0xfe, 0x94, 0xda, 0xe1, 0x70, 0xf8, 0x9f, 0xa3,
+    0xfd, 0x77, 0x9c, 0x6b, 0x0e, 0x98, 0xdf, 0x8f, 0xf7, 0xcc, 0x2a, 0x1e, 0xce, 0xdc, 0xef, 0x41,
-    0x03, 0xdf, 0x89, 0x77, 0x0a, 0x41, 0x7d, 0xc5, 0xe6, 0xc8, 0xb1, 0x10, 0xc8, 0x12, 0xa6, 0x3f,
+    0xac, 0x0f, 0x48, 0x97, 0xa1, 0x1a, 0xc0, 0x82, 0x42, 0x7e, 0x1a, 0x35, 0xcd, 0xcb, 0x2b, 0x1d,
-    0xea, 0xf0, 0xfa, 0x7a, 0x5d, 0x33, 0xb3, 0xe6, 0xc2, 0x27, 0x07, 0x1e, 0x71, 0x22, 0x87, 0x73,
+    0x72, 0xc6, 0x78, 0xab, 0x35, 0x58, 0xd1, 0xe3, 0xb1, 0x61, 0x8d, 0x11, 0x70, 0x91, 0x62, 0xb4,
-    0xc4, 0x2a, 0xbd, 0x59, 0x8f, 0xc6, 0xfb, 0x28, 0x2e, 0xec, 0xa2, 0x1f, 0x42, 0x7c, 0x54, 0xec,
+    0x5f, 0xdd, 0x75, 0x2f, 0x78, 0xc4, 0x95, 0x67, 0x3a, 0xd3, 0x87, 0x02, 0x35, 0x78, 0x48, 0xef,
-    0x1e, 0x0f, 0x9f, 0xf2, 0x6e, 0x3f, 0xb8, 0x7d, 0xbf, 0xee, 0xf9, 0x7c, 0x93, 0xb2, 0x79, 0x98
+    0xf2, 0xde, 0xdb, 0x59, 0xda, 0x33, 0xa6, 0x27, 0xdd, 0x33, 0x18, 0x0c, 0x57, 0x24, 0x95, 0x38,
 };
 /* Big endian */
-uint8_t init_key[] = {
+static const uint8_t init_key[] = {
-    0x4d, 0x21, 0x64, 0x21, 0x8f, 0xa2, 0xe3, 0xa0, 0xab, 0x74, 0xb5, 0xab, 0x17, 0x9a, 0x5d, 0x08,
+    0xee, 0x89, 0x95, 0xda, 0x3c, 0x8a, 0x43, 0x83, 0xa9, 0x4b, 0x25, 0x5b, 0x04, 0x7e, 0xf1, 0x57,
-    0x58, 0xf4, 0x22, 0x03, 0xbd, 0x52, 0xe7, 0x88, 0x3c, 0x22, 0x0f, 0x95, 0x89, 0x70, 0xe1, 0x93
+    0xb8, 0xe8, 0x06, 0x45, 0x87, 0x76, 0xee, 0x1b, 0x4e, 0x2e, 0x55, 0xa7, 0x1f, 0x25, 0xe1, 0x94,
 };
 /* Big endian */
-uint8_t k2_info[] = {
+static const uint8_t k2_info[] = {
-    0xd8, 0xcd, 0x04, 0x45, 0xb4, 0x45, 0xc4, 0x15, 0xf6, 0x40, 0x1c, 0x7d, 0x90, 0x1b, 0x99, 0xa4,
+    0x8f, 0x96, 0x33, 0x47, 0xe1, 0xa5, 0x57, 0xe9, 0x2a, 0x51, 0xa9, 0xbe, 0x48, 0x84, 0x25, 0x4e,
-    0x79, 0x6b, 0xfb, 0x5b, 0x2a, 0x40, 0x60, 0xe1, 0xc1, 0xe1, 0x48, 0xcd, 0x46, 0x6b, 0x9b, 0x48,
+    0x6f, 0x50, 0x1c, 0x45, 0xdb, 0xb6, 0xfa, 0xeb, 0x35, 0xd2, 0x27, 0x91, 0x3f, 0x67, 0x57, 0xd9,
-    0xda, 0x7a, 0x70, 0x0a, 0x78, 0x0b, 0x9d, 0xf9, 0x0e, 0xed, 0x91, 0xfc, 0xa5, 0xc2, 0x96, 0x05,
+    0xcb, 0x55, 0xe4, 0x2b, 0x18, 0x16, 0xe7, 0xce, 0x6c, 0xf2, 0x58, 0x71, 0x17, 0x76, 0x2a, 0x86,
-    0x91, 0x76, 0xdb, 0x68, 0x84, 0x5d, 0x5e, 0x5b, 0xa6, 0xe9, 0x6b, 0x3b, 0x12, 0x50, 0x05, 0xc3
+    0x05, 0xe7, 0x37, 0x45, 0x71, 0x34, 0xca, 0xaf, 0x60, 0x07, 0xdf, 0xf4, 0xd2, 0xee, 0x3d, 0x4b,
 };
 /* Big endian */
-uint8_t k1_ecdsa_encrypt[] = {
+static const uint8_t k1_encrypt[] = {
-    0xeb, 0x83, 0x24, 0x7d, 0xf8, 0x40, 0xc9, 0x88, 0x5f, 0x5e, 0x58, 0x57, 0x25, 0xa9, 0x23, 0x4a,
+    0xe0, 0xe8, 0x41, 0xe3, 0xd0, 0x92, 0x71, 0x84, 0x4b, 0x02, 0x1e, 0xec, 0x14, 0xdd, 0xaf, 0xf8,
-    0xa4, 0xc4, 0x12, 0x17, 0xf3, 0x9e, 0x1f, 0xa0, 0xa0, 0xfa, 0xd5, 0xbf, 0xb6, 0x6c, 0xb5, 0x48
+    0x39, 0xf9, 0x6a, 0x8d, 0x1b, 0xd7, 0x64, 0x3b, 0x7b, 0xa6, 0x05, 0x42, 0x01, 0xfb, 0xab, 0xe1,
 };
-uint8_t k1_xts_encrypt[] = {
+static const uint8_t k1_hmac_encrypt[] = {
-    0xeb, 0x83, 0x24, 0x7d, 0xf8, 0x40, 0xc9, 0x88, 0x5f, 0x5e, 0x58, 0x57, 0x25, 0xa9, 0x23, 0x4a,
+    0x9e, 0xd8, 0x62, 0x4f, 0x27, 0xe1, 0x13, 0xfc, 0x50, 0x4b, 0x7f, 0x68, 0x70, 0x7b, 0xa1, 0xb2,
-    0xa4, 0xc4, 0x12, 0x17, 0xf3, 0x9e, 0x1f, 0xa0, 0xa0, 0xfa, 0xd5, 0xbf, 0xb6, 0x6c, 0xb5, 0x48
+    0xb1, 0x75, 0x21, 0x43, 0x88, 0x7d, 0xed, 0x4b, 0x58, 0x27, 0xb4, 0x15, 0x57, 0xc2, 0x46, 0x78,
 };
 // Note: generated using the hmac_key_idx = 0 of digital_signature_test_cases_3072
 static const uint8_t k1_ds_encrypt[] = {
    0xa9, 0xf7, 0xd1, 0xd9, 0xaa, 0x80, 0xfa, 0x6f, 0xfa, 0x34, 0xf6, 0x66, 0xbf, 0xba, 0x7b, 0xc9,
    0xa9, 0xf4, 0xeb, 0xba, 0x43, 0x61, 0x59, 0x32, 0x5d, 0xa0, 0xda, 0xd9, 0x0d, 0xc7, 0xde, 0xb2,
 };
 static const uint8_t k1_G[] = {
    0x25, 0x8c, 0x48, 0x4d, 0x0b, 0x4d, 0x3f, 0xbf, 0xde, 0xcf, 0x00, 0xc9, 0x4b, 0x0b, 0xf1, 0x14,
    0xb4, 0x31, 0x97, 0x79, 0x5a, 0xd3, 0x48, 0x72, 0x44, 0x2d, 0xab, 0x76, 0x29, 0xb9, 0x8b, 0x05,
    0xf5, 0x6b, 0xfb, 0xb4, 0xe4, 0xde, 0x81, 0x83, 0xa7, 0x0a, 0x90, 0xe4, 0x33, 0x41, 0x92, 0xaa,
    0xc5, 0xed, 0x93, 0xe0, 0x76, 0x2b, 0xe2, 0x4b, 0xdd, 0xa2, 0x8e, 0xe1, 0xc9, 0xe2, 0x94, 0x50,
 };
 #if SOC_KEY_MANAGER_FE_KEY_DEPLOY
 const esp_partition_t *get_test_storage_partition(void)
 {
    /* This finds "storage" partition defined partition table */
@@ -81,7 +120,7 @@ const esp_partition_t *get_test_storage_partition(void)
    return result;
 }
-static esp_err_t test_xts_aes_key(void)
+static esp_err_t test_xts_aes_key(bool verify)
 {
    const esp_partition_t *partition = get_test_storage_partition();
    ESP_ERROR_CHECK(esp_partition_erase_range(partition, 0, partition->size));
@@ -90,55 +129,268 @@ static esp_err_t test_xts_aes_key(void)
    ESP_ERROR_CHECK(esp_flash_write_encrypted(NULL, address, plaintext_data, sizeof(plaintext_data)));
    uint8_t read_data[ENCRYPTED_DATA_SIZE];
    ESP_ERROR_CHECK(esp_flash_read(NULL, read_data, address, sizeof(read_data)));
-    if (memcmp(read_data, expected_ciphertext, sizeof(expected_ciphertext)) != 0) {
+    if (verify) {
-        ESP_LOGE(TAG, "Encrypted data does not match expected data");
+        TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_ciphertext, read_data, sizeof(expected_ciphertext));
        return ESP_FAIL;
    }
    return ESP_OK;
 }
-extern void set_leak_threshold(int threshold);
+TEST_CASE("Key Manager AES mode: XTS-AES-128 key deployment", "[hw_crypto] [key_mgr]")
 TEST_CASE("Key Manager AES mode: XTS-AES key deployment", "[hw_crypto] [key_mgr]")
 {
-    static esp_key_mgr_aes_key_config_t key_config;
+    esp_key_mgr_aes_key_config_t *key_config = calloc(1, sizeof(esp_key_mgr_aes_key_config_t));
-    memcpy(key_config.k2_info, (uint8_t*) k2_info, KEY_MGR_K2_INFO_SIZE);
+    TEST_ASSERT_NOT_NULL(key_config);
    memcpy(key_config.k1_encrypted, (uint8_t*) k1_xts_encrypt, KEY_MGR_K1_ENCRYPTED_SIZE);
    memcpy(key_config.sw_init_key, (uint8_t*) init_key, KEY_MGR_SW_INIT_KEY_SIZE);
    key_config.use_pre_generated_sw_init_key = 1;
    key_config.key_type = ESP_KEY_MGR_XTS_AES_128_KEY;
-    static esp_key_mgr_key_recovery_info_t key_info;
+    memcpy(key_config->k2_info, (uint8_t*) k2_info, KEY_MGR_K2_INFO_SIZE);
-    esp_err_t esp_ret = ESP_FAIL;
+    memcpy(key_config->k1_encrypted, (uint8_t*) k1_encrypt, KEY_MGR_K1_ENCRYPTED_SIZE);
-    esp_ret = esp_key_mgr_deploy_key_in_aes_mode(&key_config, &key_info);
+    memcpy(key_config->sw_init_key, (uint8_t*) init_key, KEY_MGR_SW_INIT_KEY_SIZE);
-    TEST_ASSERT_EQUAL(ESP_OK, esp_ret);
+    key_config->use_pre_generated_sw_init_key = 1;
-    esp_ret = esp_key_mgr_activate_key(&key_info);
+    key_config->key_type = ESP_KEY_MGR_XTS_AES_128_KEY;
-    TEST_ASSERT_EQUAL(ESP_OK, esp_ret);
+
-    esp_ret = test_xts_aes_key();
+    esp_key_mgr_key_recovery_info_t *key_recovery_info = calloc(1, sizeof(esp_key_mgr_key_recovery_info_t));
-    TEST_ASSERT_EQUAL(ESP_OK, esp_ret);
+    TEST_ASSERT_NOT_NULL(key_recovery_info);
-    esp_ret = esp_key_mgr_deactivate_key(key_info.key_type);
+
-    TEST_ASSERT_EQUAL(ESP_OK, esp_ret);
+    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_aes_mode(key_config, key_recovery_info));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(key_recovery_info));
    TEST_ASSERT_EQUAL(ESP_OK, test_xts_aes_key(true));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info->key_type));
    free(key_config);
    free(key_recovery_info);
 }
-TEST_CASE("Key Manager random mode: XTS_AES_128 key deployment", "[hw_crypto] [key_mgr]")
+TEST_CASE("Key Manager ECDH0 mode: XTS-AES-128 key deployment", "[hw_crypto] [key_mgr]")
 {
-    ESP_LOGI(TAG, "Key Manager Example Start");
+    esp_key_mgr_ecdh0_key_config_t *key_config = calloc(1, sizeof(esp_key_mgr_ecdh0_key_config_t));
-    static esp_key_mgr_random_key_config_t key_config;
+    TEST_ASSERT_NOT_NULL(key_config);
-    key_config.key_type = ESP_KEY_MGR_XTS_AES_128_KEY;
+    memcpy(key_config->k1_G, (uint8_t*) k1_G, KEY_MGR_ECDH0_INFO_SIZE);
    key_config->key_type = ESP_KEY_MGR_XTS_AES_128_KEY;
-    static esp_key_mgr_key_recovery_info_t key_info;
+    esp_key_mgr_key_recovery_info_t *key_recovery_info = calloc(1, sizeof(esp_key_mgr_key_recovery_info_t));
-    esp_err_t esp_ret = ESP_FAIL;
+    TEST_ASSERT_NOT_NULL(key_recovery_info);
    esp_ret = esp_key_mgr_deploy_key_in_random_mode(&key_config, &key_info);
    TEST_ASSERT_EQUAL(ESP_OK, esp_ret);
    esp_key_mgr_ecdh0_info_t *ecdh0_info = calloc(1, sizeof(esp_key_mgr_ecdh0_info_t));
    TEST_ASSERT_NOT_NULL(ecdh0_info);
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_ecdh0_mode(key_config, key_recovery_info, ecdh0_info));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(key_recovery_info));
    TEST_ASSERT_EQUAL(ESP_OK, test_xts_aes_key(false));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info->key_type));
    free(key_config);
    free(key_recovery_info);
    free(ecdh0_info);
 }
 TEST_CASE("Key Manager Random mode: XTS-AES-128 key deployment", "[hw_crypto] [key_mgr]")
 {
    esp_key_mgr_random_key_config_t *key_config = calloc(1, sizeof(esp_key_mgr_random_key_config_t));
    TEST_ASSERT_NOT_NULL(key_config);
    key_config->key_type = ESP_KEY_MGR_XTS_AES_128_KEY;
    esp_key_mgr_key_recovery_info_t *key_recovery_info = calloc(1, sizeof(esp_key_mgr_key_recovery_info_t));
    TEST_ASSERT_NOT_NULL(key_recovery_info);
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_random_mode(key_config, key_recovery_info));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(key_recovery_info));
    TEST_ASSERT_EQUAL(ESP_OK, test_xts_aes_key(false));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info->key_type));
    free(key_config);
    free(key_recovery_info);
 }
 #endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY */
 #if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY
 TEST_CASE("Key Manager random mode: ECDSA key deployment", "[hw_crypto] [key_mgr]")
 {
-    static esp_key_mgr_random_key_config_t key_config;
+    esp_key_mgr_random_key_config_t *key_config = calloc(1, sizeof(esp_key_mgr_random_key_config_t));
-    static esp_key_mgr_key_recovery_info_t key_info;
+    TEST_ASSERT_NOT_NULL(key_config);
-    esp_err_t esp_ret = ESP_FAIL;
+
-    key_config.key_type = ESP_KEY_MGR_ECDSA_KEY;
+    key_config->key_type = ESP_KEY_MGR_ECDSA_256_KEY;
-    esp_ret = esp_key_mgr_deploy_key_in_random_mode(&key_config, &key_info);
+
-    TEST_ASSERT_EQUAL(ESP_OK, esp_ret);
+    esp_key_mgr_key_recovery_info_t *key_recovery_info = calloc(1, sizeof(esp_key_mgr_key_recovery_info_t));
    TEST_ASSERT_NOT_NULL(key_recovery_info);
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_random_mode(key_config, key_recovery_info));
    free(key_config);
    free(key_recovery_info);
 }
 #endif /* SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY */
 #if SOC_KEY_MANAGER_HMAC_KEY_DEPLOY
 static esp_err_t test_hmac_key(bool verify)
 {
    uint8_t hmac[32];
    for (int i = 0; i < sizeof(results) / sizeof(hmac_result); i++) {
        TEST_ESP_OK(esp_hmac_calculate(HMAC_KEY_KM, message, results[i].msglen, hmac));
        if (verify) {
            TEST_ASSERT_EQUAL_HEX8_ARRAY(results[i].result, hmac, sizeof(hmac));
        }
    }
    return ESP_OK;
 }
 TEST_CASE("Key Manager AES mode: HMAC key deployment", "[hw_crypto] [key_mgr]")
 {
    esp_key_mgr_aes_key_config_t *key_config = calloc(1, sizeof(esp_key_mgr_aes_key_config_t));
    TEST_ASSERT_NOT_NULL(key_config);
    memcpy(key_config->k2_info, (uint8_t*) k2_info, KEY_MGR_K2_INFO_SIZE);
    memcpy(key_config->k1_encrypted, (uint8_t*) k1_hmac_encrypt, KEY_MGR_K1_ENCRYPTED_SIZE);
    memcpy(key_config->sw_init_key, (uint8_t*) init_key, KEY_MGR_SW_INIT_KEY_SIZE);
    key_config->use_pre_generated_sw_init_key = 1;
    key_config->key_type = ESP_KEY_MGR_HMAC_KEY;
    esp_key_mgr_key_recovery_info_t *key_recovery_info = calloc(1, sizeof(esp_key_mgr_key_recovery_info_t));
    TEST_ASSERT_NOT_NULL(key_recovery_info);
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_aes_mode(key_config, key_recovery_info));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(key_recovery_info));
    TEST_ASSERT_EQUAL(ESP_OK, test_hmac_key(true));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info->key_type));
    free(key_config);
    free(key_recovery_info);
 }
 TEST_CASE("Key Manager ECDH0 mode: HMAC key deployment", "[hw_crypto] [key_mgr]")
 {
    esp_key_mgr_ecdh0_key_config_t *key_config = calloc(1, sizeof(esp_key_mgr_ecdh0_key_config_t));
    TEST_ASSERT_NOT_NULL(key_config);
    memcpy(key_config->k1_G, (uint8_t*) k1_G, KEY_MGR_ECDH0_INFO_SIZE);
    key_config->key_type = ESP_KEY_MGR_HMAC_KEY;
    esp_key_mgr_key_recovery_info_t *key_recovery_info = calloc(1, sizeof(esp_key_mgr_key_recovery_info_t));
    TEST_ASSERT_NOT_NULL(key_recovery_info);
    esp_key_mgr_ecdh0_info_t *ecdh0_info = calloc(1, sizeof(esp_key_mgr_ecdh0_info_t));
    TEST_ASSERT_NOT_NULL(ecdh0_info);
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_ecdh0_mode(key_config, key_recovery_info, ecdh0_info));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(key_recovery_info));
    TEST_ASSERT_EQUAL(ESP_OK, test_hmac_key(false));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info->key_type));
    free(key_config);
    free(key_recovery_info);
    free(ecdh0_info);
 }
 TEST_CASE("Key Manager random mode: HMAC key deployment", "[hw_crypto] [key_mgr]")
 {
    esp_key_mgr_random_key_config_t *key_config = calloc(1, sizeof(esp_key_mgr_random_key_config_t));
    TEST_ASSERT_NOT_NULL(key_config);
    key_config->key_type = ESP_KEY_MGR_HMAC_KEY;
    esp_key_mgr_key_recovery_info_t *key_recovery_info = calloc(1, sizeof(esp_key_mgr_key_recovery_info_t));
    TEST_ASSERT_NOT_NULL(key_recovery_info);
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_random_mode(key_config, key_recovery_info));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(key_recovery_info));
    TEST_ASSERT_EQUAL(ESP_OK, test_hmac_key(false));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info->key_type));
    free(key_config);
    free(key_recovery_info);
 }
 #endif /* SOC_KEY_MANAGER_HMAC_KEY_DEPLOY */
 #if SOC_KEY_MANAGER_DS_KEY_DEPLOY
 static esp_err_t test_ds_key(void)
 {
    esp_ds_data_t ds_data = { };
    uint8_t signature[ESP_DS_SIGNATURE_MAX_BIT_LEN / 8] = { 0 };
    esp_err_t ds_r = ESP_FAIL;
    for (int i = 0; i < NUM_MESSAGES; i++) {
        printf("Running test case %d...\n", i);
        const encrypt_testcase_t *t = &test_cases[0];
        assert(t->hmac_key_idx == 0); // as the key deployed using Key Manager is the HMAC key ID 0
        // copy encrypt parameter test case into ds_data structure
        memcpy(ds_data.iv, t->iv, ESP_DS_IV_LEN);
        memcpy(ds_data.c, t->expected_c, ESP_DS_C_LEN);
        ds_data.rsa_length = t->p_data.length;
        ds_r = esp_ds_sign(test_messages[i],
                           &ds_data,
                           HMAC_KEY_KM,
                           signature);
        TEST_ASSERT_EQUAL(ESP_OK, ds_r);
        TEST_ASSERT_EQUAL_HEX8_ARRAY(t->expected_results[i], signature, sizeof(signature));
    }
    return ESP_OK;
 }
 TEST_CASE("Key Manager AES mode: DS key deployment", "[hw_crypto] [key_mgr]")
 {
    esp_key_mgr_aes_key_config_t *key_config = calloc(1, sizeof(esp_key_mgr_aes_key_config_t));
    TEST_ASSERT_NOT_NULL(key_config);
    memcpy(key_config->k2_info, (uint8_t*) k2_info, KEY_MGR_K2_INFO_SIZE);
    memcpy(key_config->k1_encrypted, (uint8_t*) k1_ds_encrypt, KEY_MGR_K1_ENCRYPTED_SIZE);
    memcpy(key_config->sw_init_key, (uint8_t*) init_key, KEY_MGR_SW_INIT_KEY_SIZE);
    key_config->use_pre_generated_sw_init_key = 1;
    key_config->key_type = ESP_KEY_MGR_DS_KEY;
    esp_key_mgr_key_recovery_info_t *key_recovery_info = calloc(1, sizeof(esp_key_mgr_key_recovery_info_t));
    TEST_ASSERT_NOT_NULL(key_recovery_info);
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_aes_mode(key_config, key_recovery_info));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(key_recovery_info));
    TEST_ASSERT_EQUAL(ESP_OK, test_ds_key());
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info->key_type));
    free(key_config);
    free(key_recovery_info);
 }
 TEST_CASE("Key Manager ECDH0 mode: DS key deployment", "[hw_crypto] [key_mgr]")
 {
    esp_key_mgr_ecdh0_key_config_t *key_config = calloc(1, sizeof(esp_key_mgr_ecdh0_key_config_t));
    TEST_ASSERT_NOT_NULL(key_config);
    memcpy(key_config->k1_G, (uint8_t*) k1_G, KEY_MGR_ECDH0_INFO_SIZE);
    key_config->key_type = ESP_KEY_MGR_DS_KEY;
    esp_key_mgr_key_recovery_info_t *key_recovery_info = calloc(1, sizeof(esp_key_mgr_key_recovery_info_t));
    TEST_ASSERT_NOT_NULL(key_recovery_info);
    esp_key_mgr_ecdh0_info_t *ecdh0_info = calloc(1, sizeof(esp_key_mgr_ecdh0_info_t));
    TEST_ASSERT_NOT_NULL(ecdh0_info);
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_ecdh0_mode(key_config, key_recovery_info, ecdh0_info));
    // Generate the deployed DS key and use ds_encrypt_params to generate encrypted input params
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(key_recovery_info));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info->key_type));
    free(key_config);
    free(key_recovery_info);
    free(ecdh0_info);
 }
 TEST_CASE("Key Manager random mode: DS key deployment", "[hw_crypto] [key_mgr]")
 {
    esp_key_mgr_random_key_config_t *key_config = calloc(1, sizeof(esp_key_mgr_random_key_config_t));
    TEST_ASSERT_NOT_NULL(key_config);
    key_config->key_type = ESP_KEY_MGR_DS_KEY;
    esp_key_mgr_key_recovery_info_t *key_recovery_info = calloc(1, sizeof(esp_key_mgr_key_recovery_info_t));
    TEST_ASSERT_NOT_NULL(key_recovery_info);
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_random_mode(key_config, key_recovery_info));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(key_recovery_info));
    // No way to generate encrypted input params when DS key deployed in random mode
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info->key_type));
    free(key_config);
    free(key_recovery_info);
 }
 #endif /* SOC_KEY_MANAGER_DS_KEY_DEPLOY */
--- a/components/esp_security/test_apps/crypto_drivers/sdkconfig.defaults.esp32c5
+++ b/components/esp_security/test_apps/crypto_drivers/sdkconfig.defaults.esp32c5
@@ -0,0 +1,3 @@
 CONFIG_PARTITION_TABLE_CUSTOM=y
 CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions.csv"
 CONFIG_PARTITION_TABLE_FILENAME="partitions.csv"
--- a/components/hal/ds_hal.c
+++ b/components/hal/ds_hal.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -7,6 +7,7 @@
 #include "hal/systimer_hal.h"
 #include "hal/ds_hal.h"
 #include "hal/ds_ll.h"
 #include "soc/soc_caps.h"
 void ds_hal_start(void)
 {
@@ -23,6 +24,13 @@ void ds_hal_configure_iv(const uint32_t *iv)
    ds_ll_configure_iv(iv);
 }
 #if SOC_KEY_MANAGER_DS_KEY_DEPLOY
 void ds_hal_set_key_source(ds_key_source_t key_source)
 {
    ds_ll_set_key_source(key_source);
 }
 #endif
 void ds_hal_write_message(const uint8_t *msg, size_t size)
 {
    ds_ll_write_message(msg, size);
--- a/components/hal/ecdsa_hal.c
+++ b/components/hal/ecdsa_hal.c
@@ -16,7 +16,7 @@
 #endif
 #ifdef SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY
-#include "hal/key_mgr_ll.h"
+#include "hal/key_mgr_hal.h"
 #endif
 #define ECDSA_HAL_P192_COMPONENT_LEN        24
@@ -30,12 +30,20 @@ static void configure_ecdsa_periph(ecdsa_hal_config_t *conf)
 #if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY
        // Force Key Manager to use eFuse key for XTS-AES operation
-        key_mgr_ll_set_key_usage(ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
+        if (conf->curve == ECDSA_CURVE_SECP192R1) {
            key_mgr_hal_set_key_usage(ESP_KEY_MGR_ECDSA_192_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
        } else {
            key_mgr_hal_set_key_usage(ESP_KEY_MGR_ECDSA_256_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
        }
 #endif
    }
 #if SOC_KEY_MANAGER_SUPPORTED
    else {
-        key_mgr_ll_set_key_usage(ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_USE_OWN_KEY);
+        if (conf->curve == ECDSA_CURVE_SECP192R1) {
            key_mgr_hal_set_key_usage(ESP_KEY_MGR_ECDSA_192_KEY, ESP_KEY_MGR_USE_OWN_KEY);
        } else {
            key_mgr_hal_set_key_usage(ESP_KEY_MGR_ECDSA_256_KEY, ESP_KEY_MGR_USE_OWN_KEY);
        }
    }
 #endif
--- a/components/hal/esp32c5/include/hal/ds_ll.h
+++ b/components/hal/esp32c5/include/hal/ds_ll.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -78,6 +78,14 @@ static inline ds_key_check_t ds_ll_key_error_source(void)
    }
 }
 /**
 * @brief Set the DS key source.
 */
 static inline void ds_ll_set_key_source(ds_key_source_t key_source)
 {
    REG_WRITE(DS_KEY_SOURCE_REG, key_source);
 }
 /**
 * @brief Write the initialization vector to the corresponding register field.
 */
--- a/components/hal/esp32c5/include/hal/huk_ll.h
+++ b/components/hal/esp32c5/include/hal/huk_ll.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -22,6 +22,8 @@
 #include "hal/huk_types.h"
 #include "soc/huk_reg.h"
 #include "soc/soc_caps.h"
 #include "soc/lp_aon_reg.h"
 #include "esp_rom_sys.h"    // HUK memory recharge workaround
 #ifdef __cplusplus
 extern "C" {
@@ -103,6 +105,20 @@ static inline esp_huk_gen_status_t huk_ll_get_gen_status(void)
    return (esp_huk_gen_status_t) REG_GET_FIELD(HUK_STATUS_REG, HUK_STATUS);
 }
 static inline void __attribute__((always_inline)) huk_ll_recharge_huk_memory(void)
 {
    REG_CLR_BIT(LP_AON_MEM_CTRL_REG, LP_AON_HUK_MEM_FORCE_PD);
    REG_CLR_BIT(LP_AON_PUF_MEM_SW_REG, LP_AON_PUF_MEM_SW);
    REG_SET_BIT(LP_AON_PUF_MEM_DISCHARGE_REG, LP_AON_PUF_MEM_DISCHARGE);
    esp_rom_delay_us(100000);
    REG_CLR_BIT(LP_AON_PUF_MEM_DISCHARGE_REG, LP_AON_PUF_MEM_DISCHARGE);
    REG_SET_BIT(LP_AON_PUF_MEM_SW_REG, LP_AON_PUF_MEM_SW);
    esp_rom_delay_us(100000);
 }
 /**
 * @brief Read the HUK date information
 */
--- a/components/hal/esp32c5/include/hal/key_mgr_ll.h
+++ b/components/hal/esp32c5/include/hal/key_mgr_ll.h
@@ -19,6 +19,7 @@
 #include "hal/key_mgr_types.h"
 #include "soc/keymng_reg.h"
 #include "soc/pcr_struct.h"
 #include "soc/pcr_reg.h"
 #ifdef __cplusplus
 extern "C" {
@@ -34,32 +35,38 @@ static inline esp_key_mgr_state_t key_mgr_ll_get_state(void)
    return (esp_key_mgr_state_t) REG_GET_FIELD(KEYMNG_STATE_REG, KEYMNG_STATE);
 }
 static inline void key_mgr_ll_power_up(void)
 {
    /* Power up the Key Manager peripheral (default state is power-down) */
    REG_CLR_BIT(PCR_KM_PD_CTRL_REG, PCR_KM_MEM_FORCE_PD);
    REG_SET_BIT(PCR_KM_PD_CTRL_REG, PCR_KM_MEM_FORCE_PU);
 }
 #define key_mgr_ll_enable_bus_clock(...) do { \
        _key_mgr_ll_enable_bus_clock(__VA_ARGS__); \
    } while(0)
 static inline void key_mgr_ll_power_down(void)
 {
    /* Power down the Key Manager peripheral */
    REG_CLR_BIT(PCR_KM_PD_CTRL_REG, PCR_KM_MEM_FORCE_PU);
    REG_SET_BIT(PCR_KM_PD_CTRL_REG, PCR_KM_MEM_FORCE_PD);
 }
 /**
 * @brief Enable the bus clock for Key Manager peripheral
- * Note: Please use key_mgr_ll_enable_bus_clock which requires the critical section
+ *
 *       and do not use _key_mgr_ll_enable_bus_clock
 * @param true to enable, false to disable
 */
 static inline void _key_mgr_ll_enable_bus_clock(bool enable)
 {
    // Set the force power down bit to 0 to enable key manager
    PCR.km_pd_ctrl.km_mem_force_pd = 0;
    // Enable key manager clock
-    PCR.km_conf.km_clk_en = 1;
+    PCR.km_conf.km_clk_en = enable;
 }
 /// use a macro to wrap the function, force the caller to use it in a critical section
 /// the critical section needs to declare the __DECLARE_RCC_ATOMIC_ENV variable in advance
 #define key_mgr_ll_enable_bus_clock(...) do { \
        (void)__DECLARE_RCC_ATOMIC_ENV; \
        _key_mgr_ll_enable_bus_clock(__VA_ARGS__); \
    } while(0)
 /**
 * @brief Enable the peripheral clock for Key Manager
 *
 * Note: Please use key_mgr_ll_enable_peripheral_clock which requires the critical section
 *       and do not use _key_mgr_ll_enable_peripheral_clock
 * @param true to enable, false to disable
 */
 static inline void _key_mgr_ll_enable_peripheral_clock(bool enable)
@@ -68,14 +75,12 @@ static inline void _key_mgr_ll_enable_peripheral_clock(bool enable)
 }
 #define key_mgr_ll_enable_peripheral_clock(...) do { \
        (void)__DECLARE_RCC_ATOMIC_ENV; \
        _key_mgr_ll_enable_peripheral_clock(__VA_ARGS__); \
    } while(0)
 /**
 * @brief Reset the Key Manager peripheral
- * Note: Please use key_mgr_ll_reset_register which requires the critical section
+ *
 *       and do not use _key_mgr_ll_reset_register
 */
 static inline void _key_mgr_ll_reset_register(void)
 {
@@ -90,10 +95,7 @@ static inline void _key_mgr_ll_reset_register(void)
 }
 /// use a macro to wrap the function, force the caller to use it in a critical section
 /// the critical section needs to declare the __DECLARE_RCC_ATOMIC_ENV variable in advance
 #define key_mgr_ll_reset_register(...) do { \
        (void)__DECLARE_RCC_ATOMIC_ENV; \
        _key_mgr_ll_reset_register(__VA_ARGS__); \
    } while(0)
@@ -160,13 +162,16 @@ static inline void key_mgr_ll_use_sw_init_key(void)
 static inline void key_mgr_ll_set_key_usage(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_key_usage_t key_usage)
 {
    switch (key_type) {
-        case ESP_KEY_MGR_ECDSA_KEY:
+        case ESP_KEY_MGR_ECDSA_192_KEY:
        case ESP_KEY_MGR_ECDSA_256_KEY:
        case ESP_KEY_MGR_ECDSA_384_KEY:
            if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) {
                REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_ECDSA);
            } else {
                REG_CLR_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_ECDSA);
            }
            break;
        case ESP_KEY_MGR_XTS_AES_128_KEY:
        case ESP_KEY_MGR_XTS_AES_256_KEY:
            if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) {
@@ -176,6 +181,30 @@ static inline void key_mgr_ll_set_key_usage(const esp_key_mgr_key_type_t key_typ
            }
            break;
        case ESP_KEY_MGR_HMAC_KEY:
            if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) {
                REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_HMAC);
            } else {
                REG_CLR_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_HMAC);
            }
            break;
        case ESP_KEY_MGR_DS_KEY:
            if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) {
                REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_DS);
            } else {
                REG_CLR_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_DS);
            }
            break;
        case ESP_KEY_MGR_PSRAM_128_KEY:
        case ESP_KEY_MGR_PSRAM_256_KEY:
            if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) {
                REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_PSRAM);
            } else {
                REG_CLR_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_PSRAM);
            }
            break;
        default:
            HAL_ASSERT(false && "Unsupported mode");
            return;
@@ -185,7 +214,9 @@ static inline void key_mgr_ll_set_key_usage(const esp_key_mgr_key_type_t key_typ
 static inline esp_key_mgr_key_usage_t key_mgr_ll_get_key_usage(esp_key_mgr_key_type_t key_type)
 {
    switch (key_type) {
-        case ESP_KEY_MGR_ECDSA_KEY:
+        case ESP_KEY_MGR_ECDSA_192_KEY:
        case ESP_KEY_MGR_ECDSA_256_KEY:
        case ESP_KEY_MGR_ECDSA_384_KEY:
            return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_ECDSA));
            break;
@@ -194,6 +225,19 @@ static inline esp_key_mgr_key_usage_t key_mgr_ll_get_key_usage(esp_key_mgr_key_t
            return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_FLASH));
            break;
        case ESP_KEY_MGR_HMAC_KEY:
            return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_HMAC));
            break;
        case ESP_KEY_MGR_DS_KEY:
            return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_DS));
            break;
        case ESP_KEY_MGR_PSRAM_128_KEY:
        case ESP_KEY_MGR_PSRAM_256_KEY:
            return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_PSRAM));
            break;
        default:
            HAL_ASSERT(false && "Unsupported mode");
            return ESP_KEY_MGR_USAGE_INVALID;
@@ -219,13 +263,30 @@ static inline void key_mgr_ll_lock_use_sw_init_key_reg(void)
 static inline void key_mgr_ll_lock_use_efuse_key_reg(esp_key_mgr_key_type_t key_type)
 {
    switch(key_type) {
-        case ESP_KEY_MGR_ECDSA_KEY:
+        case ESP_KEY_MGR_ECDSA_192_KEY:
        case ESP_KEY_MGR_ECDSA_256_KEY:
        case ESP_KEY_MGR_ECDSA_384_KEY:
            REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA);
            break;
        case ESP_KEY_MGR_XTS_AES_128_KEY:
        case ESP_KEY_MGR_XTS_AES_256_KEY:
            REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_FLASH);
            break;
        case ESP_KEY_MGR_HMAC_KEY:
            REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_HMAC);
            break;
        case ESP_KEY_MGR_DS_KEY:
            REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_DS);
            break;
        case ESP_KEY_MGR_PSRAM_128_KEY:
        case ESP_KEY_MGR_PSRAM_256_KEY:
            REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_PSRAM);
            break;
        default:
            HAL_ASSERT(false && "Unsupported mode");
            return;
@@ -264,9 +325,12 @@ static inline bool key_mgr_ll_is_result_success(void)
 static inline bool key_mgr_ll_is_key_deployment_valid(const esp_key_mgr_key_type_t key_type)
 {
    switch (key_type) {
-
+        case ESP_KEY_MGR_ECDSA_192_KEY:
-        case ESP_KEY_MGR_ECDSA_KEY:
+            return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_192_VLD);
-            return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_VLD);
+        case ESP_KEY_MGR_ECDSA_256_KEY:
            return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_256_VLD);
        case ESP_KEY_MGR_ECDSA_384_KEY:
            return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_384_VLD);
            break;
        case ESP_KEY_MGR_XTS_AES_128_KEY:
@@ -274,6 +338,19 @@ static inline bool key_mgr_ll_is_key_deployment_valid(const esp_key_mgr_key_type
            return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_FLASH_VLD);
            break;
        case ESP_KEY_MGR_HMAC_KEY:
            return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_HMAC_VLD);
            break;
        case ESP_KEY_MGR_DS_KEY:
            return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_DS_VLD);
            break;
        case ESP_KEY_MGR_PSRAM_128_KEY:
        case ESP_KEY_MGR_PSRAM_256_KEY:
            return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_PSRAM_VLD);
            break;
        default:
            HAL_ASSERT(false && "Unsupported mode");
            return 0;
@@ -343,15 +420,23 @@ static inline bool key_mgr_ll_is_huk_valid(void)
 }
 /* @brief Set the XTS-AES (Flash Encryption) key length for the Key Manager */
-static inline void key_mgr_ll_set_xts_aes_key_len(const esp_key_mgr_xts_aes_key_len_t key_len)
+static inline void key_mgr_ll_set_xts_aes_key_len(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_xts_aes_key_len_t key_len)
 {
-    REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_FLASH_KEY_LEN, key_len);
+    if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY || key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
        REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_FLASH_KEY_LEN, key_len);
    } else if (key_type == ESP_KEY_MGR_PSRAM_128_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) {
        REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_PSRAM_KEY_LEN, key_len);
    }
 }
 /* @brief Get the XTS-AES (Flash Encryption) key length for the Key Manager */
-static inline esp_key_mgr_xts_aes_key_len_t key_mgr_ll_get_xts_aes_key_len(void)
+static inline esp_key_mgr_xts_aes_key_len_t key_mgr_ll_get_xts_aes_key_len(const esp_key_mgr_key_type_t key_type)
 {
-    return (esp_key_mgr_xts_aes_key_len_t) REG_GET_FIELD(KEYMNG_STATIC_REG, KEYMNG_FLASH_KEY_LEN);
+    if (key_type == ESP_KEY_MGR_PSRAM_128_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) {
        return (esp_key_mgr_xts_aes_key_len_t) REG_GET_FIELD(KEYMNG_STATIC_REG, KEYMNG_PSRAM_KEY_LEN);
    } else {
        return (esp_key_mgr_xts_aes_key_len_t) REG_GET_FIELD(KEYMNG_STATIC_REG, KEYMNG_FLASH_KEY_LEN);
    }
 }
 /**
--- a/components/hal/esp32p4/include/hal/key_mgr_ll.h
+++ b/components/hal/esp32p4/include/hal/key_mgr_ll.h
@@ -19,6 +19,7 @@
 #include "hal/key_mgr_types.h"
 #include "soc/keymng_reg.h"
 #include "soc/hp_sys_clkrst_struct.h"
 #include "esp_private/esp_crypto_lock_internal.h"
 #ifdef __cplusplus
 extern "C" {
@@ -158,7 +159,8 @@ static inline void key_mgr_ll_use_sw_init_key(void)
 static inline void key_mgr_ll_set_key_usage(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_key_usage_t key_usage)
 {
    switch (key_type) {
-        case ESP_KEY_MGR_ECDSA_KEY:
+        case ESP_KEY_MGR_ECDSA_192_KEY:
        case ESP_KEY_MGR_ECDSA_256_KEY:
            if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) {
                REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_ECDSA);
            } else {
@@ -182,7 +184,8 @@ static inline void key_mgr_ll_set_key_usage(const esp_key_mgr_key_type_t key_typ
 static inline esp_key_mgr_key_usage_t key_mgr_ll_get_key_usage(esp_key_mgr_key_type_t key_type)
 {
    switch (key_type) {
-        case ESP_KEY_MGR_ECDSA_KEY:
+        case ESP_KEY_MGR_ECDSA_192_KEY:
        case ESP_KEY_MGR_ECDSA_256_KEY:
            return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_ECDSA));
            break;
@@ -216,20 +219,38 @@ static inline void key_mgr_ll_lock_use_sw_init_key_reg(void)
 static inline void key_mgr_ll_lock_use_efuse_key_reg(esp_key_mgr_key_type_t key_type)
 {
    switch(key_type) {
-        case ESP_KEY_MGR_ECDSA_KEY:
+        case ESP_KEY_MGR_ECDSA_192_KEY:
        case ESP_KEY_MGR_ECDSA_256_KEY:
            REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA);
            break;
        case ESP_KEY_MGR_XTS_AES_128_KEY:
        case ESP_KEY_MGR_XTS_AES_256_KEY:
            REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_XTS);
            break;
        default:
            HAL_ASSERT(false && "Unsupported key type");
            return;
    }
 }
 /* @brief Configure the key purpose to be used by the Key Manager for key generator operation */
 static inline void key_mgr_ll_set_key_purpose(const esp_key_mgr_key_purpose_t key_purpose)
 {
-    REG_SET_FIELD(KEYMNG_CONF_REG, KEYMNG_KEY_PURPOSE, key_purpose);
+    switch(key_purpose) {
        case ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192:
        case ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256:
            REG_SET_FIELD(KEYMNG_CONF_REG, KEYMNG_KEY_PURPOSE, KEYMNG_KEY_PURPOSE_ECDSA);
            break;
        case ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1:
            REG_SET_FIELD(KEYMNG_CONF_REG, KEYMNG_KEY_PURPOSE, KEYMNG_KEY_PURPOSE_XTS_AES_256_1);
            break;
        case ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2:
            REG_SET_FIELD(KEYMNG_CONF_REG, KEYMNG_KEY_PURPOSE, KEYMNG_KEY_PURPOSE_XTS_AES_256_2);
            break;
        default:
            HAL_ASSERT(false && "Unsupported mode");
            return;
    }
 }
 /**
@@ -259,7 +280,8 @@ static inline bool key_mgr_ll_is_key_deployment_valid(const esp_key_mgr_key_type
 {
    switch (key_type) {
-        case ESP_KEY_MGR_ECDSA_KEY:
+        case ESP_KEY_MGR_ECDSA_192_KEY:
        case ESP_KEY_MGR_ECDSA_256_KEY:
            return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_VLD);
            break;
--- a/components/hal/hmac_hal.c
+++ b/components/hal/hmac_hal.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -7,6 +7,11 @@
 #include "stdio.h"
 #include "hal/hmac_hal.h"
 #include "hal/hmac_ll.h"
 #include "soc/soc_caps.h"
 #if SOC_KEY_MANAGER_HMAC_KEY_DEPLOY
 #include "hal/key_mgr_hal.h"
 #endif
 void hmac_hal_start(void)
 {
@@ -18,6 +23,20 @@ uint32_t hmac_hal_configure(hmac_hal_output_t config, uint32_t key_id)
 {
    hmac_ll_wait_idle();
    hmac_ll_config_output(config);
 #if SOC_KEY_MANAGER_HMAC_KEY_DEPLOY
    if (key_id == HMAC_KEY_KM) {
        if (config == HMAC_OUTPUT_USER) {
            key_mgr_hal_set_key_usage(ESP_KEY_MGR_HMAC_KEY, ESP_KEY_MGR_USE_OWN_KEY);
        } else {
            // No other HMAC output type is allowed when using key manager
            return 1;
        }
    } else {
        key_mgr_hal_set_key_usage(ESP_KEY_MGR_HMAC_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
    }
 #endif
    hmac_ll_config_hw_key_id(key_id);
    hmac_ll_config_finish();
    hmac_ll_wait_idle();
--- a/components/hal/huk_hal.c
+++ b/components/hal/huk_hal.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -13,6 +13,7 @@
 #include "hal/log.h"
 #include "rom/km.h"
 #include "esp_err.h"
 #include "soc/soc_caps.h"
 esp_huk_state_t huk_hal_get_state(void)
 {
@@ -28,11 +29,11 @@ static void inline huk_hal_wait_for_state(esp_huk_state_t state)
 esp_err_t huk_hal_configure(const esp_huk_mode_t huk_mode, uint8_t *huk_info_buf)
 {
-    if (esp_rom_km_huk_conf(huk_mode, huk_info_buf) == ETS_OK) {
+    if (esp_rom_km_huk_conf(huk_mode, huk_info_buf) != ETS_OK) {
        return ESP_OK;
    } else {
        return ESP_FAIL;
    }
    return ESP_OK;
 }
 uint8_t huk_hal_get_risk_level(void)
@@ -44,3 +45,10 @@ uint32_t huk_hal_get_date_info(void)
 {
    return huk_ll_get_date_info();
 }
 #if SOC_HUK_MEM_NEEDS_RECHARGE
 void huk_hal_recharge_huk_memory(void)
 {
    huk_ll_recharge_huk_memory();
 }
 #endif
--- a/components/hal/include/hal/ds_hal.h
+++ b/components/hal/include/hal/ds_hal.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2020-2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -15,6 +15,7 @@
 #include <stdint.h>
 #include <stddef.h>
 #include <stdbool.h>
 #include "soc/soc_caps.h"
 #include "hal/ds_types.h"
 #ifdef __cplusplus
@@ -38,6 +39,13 @@ void ds_hal_finish(void);
 */
 void ds_hal_configure_iv(const uint32_t *iv);
 #if SOC_KEY_MANAGER_DS_KEY_DEPLOY
 /**
 * @brief Set the DS key source.
 */
 void ds_hal_set_key_source(ds_key_source_t key_source);
 #endif
 /**
 * @brief Write the message which should be signed.
 *
--- a/components/hal/include/hal/ds_types.h
+++ b/components/hal/include/hal/ds_types.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -9,6 +9,8 @@
 extern "C" {
 #endif
 #include "soc/soc_caps.h"
 /**
 * The result when checking whether the key to decrypt the RSA parameters is ready.
 */
@@ -25,6 +27,13 @@ typedef enum {
    DS_SIGNATURE_PADDING_AND_MD_FAIL = 3,   /**< Both padding and MD check failed. */
 } ds_signature_check_t;
 #if SOC_KEY_MANAGER_DS_KEY_DEPLOY
 typedef enum {
    DS_KEY_SOURCE_EFUSE = 0,
    DS_KEY_SOURCE_KEY_MGR = 1,
 } ds_key_source_t;
 #endif
 #ifdef __cplusplus
 }
 #endif
--- a/components/hal/include/hal/hmac_types.h
+++ b/components/hal/include/hal/hmac_types.h
@@ -1,14 +1,31 @@
 /*
- * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
 #pragma once
 #include "soc/soc_caps.h"
 #ifdef __cplusplus
 extern "C" {
 #endif
 /**
 * The possible efuse keys for the HMAC peripheral
 */
 typedef enum {
    HMAC_KEY0 = 0,
    HMAC_KEY1,
    HMAC_KEY2,
    HMAC_KEY3,
    HMAC_KEY4,
    HMAC_KEY5,
 #if SOC_KEY_MANAGER_HMAC_KEY_DEPLOY
    HMAC_KEY_KM = 7,
 #endif
    HMAC_KEY_MAX = 8,
 } hmac_key_id_t;
 /**
 * The HMAC peripheral can be configured to deliver its output to the user directly, or to deliver
 * the output directly to another peripheral instead, e.g. the Digital Signature peripheral.
--- a/components/hal/include/hal/huk_hal.h
+++ b/components/hal/include/hal/huk_hal.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -9,7 +9,7 @@
 #include "soc/soc_caps.h"
-#if SOC_KEY_MANAGER_SUPPORTED
+#if SOC_HUK_SUPPORTED
 #include "hal/huk_types.h"
 #include <stdint.h>
 #include "esp_err.h"
@@ -51,6 +51,13 @@ uint8_t huk_hal_get_risk_level(void);
 */
 uint32_t huk_hal_get_date_info(void);
 #if SOC_HUK_MEM_NEEDS_RECHARGE
 /**
 * @brief Recharge HUK memory
 */
 void huk_hal_recharge_huk_memory(void);
 #endif
 #ifdef __cplusplus
 }
 #endif
--- a/components/hal/include/hal/huk_types.h
+++ b/components/hal/include/hal/huk_types.h
@@ -11,12 +11,12 @@
 #include "esp_assert.h"
 #include "rom/km.h"
 #include "rom/key_mgr.h"
 #ifdef __cplusplus
 extern "C" {
 #endif
 #define HUK_INFO_SIZE           384
 #define HUK_RISK_ALERT_LEVEL    4
 /**
@@ -35,7 +35,7 @@ ESP_STATIC_ASSERT(sizeof(esp_huk_mode_t) == sizeof(huk_mode_t), "Size of esp_huk
 */
 typedef enum {
    ESP_HUK_STATE_IDLE = 0, /* Key Manager is idle */
-    ESP_HUK_STATE_LOAD,     /* Key Manager is read to recieve input */
+    ESP_HUK_STATE_LOAD,     /* Key Manager is read to receive input */
    ESP_HUK_STATE_GAIN,     /* Key Manager is ready to provide output */
    ESP_HUK_STATE_BUSY      /* Key Manager is busy */
 } esp_huk_state_t;
--- a/components/hal/include/hal/key_mgr_hal.h
+++ b/components/hal/include/hal/key_mgr_hal.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -111,11 +111,11 @@ void key_mgr_hal_write_public_info(const uint8_t *public_info_buf, const size_t
 */
 void key_mgr_hal_read_public_info(uint8_t *public_info_buf, const size_t read_len);
-/* @brief Set the AES-XTS key length for the Key Manager */
+/* @brief Set the XTS-AES key length for the Key Manager */
-void key_mgr_hal_set_xts_aes_key_len(const esp_key_mgr_xts_aes_key_len_t key_len);
+void key_mgr_hal_set_xts_aes_key_len(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_xts_aes_key_len_t key_len);
-/* @brief Get the AES-XTS key length for the Key Manager */
+/* @brief Get the XTS-AES key length for the Key Manager */
-esp_key_mgr_xts_aes_key_len_t key_mgr_hal_get_aes_xts_key_len(void);
+esp_key_mgr_xts_aes_key_len_t key_mgr_hal_get_xts_aes_key_len(const esp_key_mgr_key_type_t key_type);
 /**
 * @brief Read state of Key Manager
--- a/components/hal/include/hal/key_mgr_types.h
+++ b/components/hal/include/hal/key_mgr_types.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -30,17 +30,31 @@ typedef enum {
 * @brief Length of the XTS AES key
 */
 typedef enum {
-    ESP_KEY_MGR_XTS_AES_LEN_256 = 0,     /* xts-aes key is 256 bit, please note that xts-aes algorithm is XTS_AES_128*/
+    ESP_KEY_MGR_XTS_AES_LEN_256 = 0,     /* xts-aes key is 256 bit, please note that xts-aes algorithm is XTS_AES_128 */
-    ESP_KEY_MGR_XTS_AES_LEN_512, /* xts-aes key is 512 bit, please note that xts-aes algorithm is XTS_AES_256  */
+    ESP_KEY_MGR_XTS_AES_LEN_512,         /* xts-aes key is 512 bit, please note that xts-aes algorithm is XTS_AES_256  */
 } esp_key_mgr_xts_aes_key_len_t;
 /**
 * @brief Length of the PSRAM key
 */
 typedef enum {
    ESP_KEY_MGR_PSRAM_LEN_256 = 0,     /* psram key is 256 bit, please note that xts-aes algorithm is XTS_AES_128 */
    ESP_KEY_MGR_PSRAM_LEN_512,         /* psram key is 512 bit, please note that xts-aes algorithm is XTS_AES_256 */
 } esp_key_mgr_psram_key_len_t;
 /**
 * @brief Type of the key: ECDSA, XTS
 */
 typedef enum {
-    ESP_KEY_MGR_ECDSA_KEY = 0,          /* ECDSA key */
+    ESP_KEY_MGR_XTS_AES_128_KEY,        /* XTS-AES 128-bit key */
-    ESP_KEY_MGR_XTS_AES_128_KEY,        /* XTS-AES 128 key */
+    ESP_KEY_MGR_XTS_AES_256_KEY,        /* XTS-AES 256-bit key */
-    ESP_KEY_MGR_XTS_AES_256_KEY,        /* XTS-AES 256 key */
+    ESP_KEY_MGR_ECDSA_192_KEY,          /* ECDSA 192-bit key */
    ESP_KEY_MGR_ECDSA_256_KEY,          /* ECDSA 256-bit key */
    ESP_KEY_MGR_ECDSA_384_KEY,          /* ECDSA 384-bit key */
    ESP_KEY_MGR_HMAC_KEY,               /* HMAC key */
    ESP_KEY_MGR_DS_KEY,                 /* Digital signature key */
    ESP_KEY_MGR_PSRAM_128_KEY,          /* PSRAM 128-bit key */
    ESP_KEY_MGR_PSRAM_256_KEY,          /* PSRAM 256-bit key */
 } esp_key_mgr_key_type_t;
 /*
@@ -48,7 +62,7 @@ typedef enum {
 */
 typedef enum {
    ESP_KEY_MGR_USE_OWN_KEY = 0, /* Use key from the key manager */
-    ESP_KEY_MGR_USE_EFUSE_KEY, /* Use key from the eFuse */
+    ESP_KEY_MGR_USE_EFUSE_KEY,   /* Use key from the eFuse */
    ESP_KEY_MGR_USAGE_INVALID,
 } esp_key_mgr_key_usage_t;
@@ -56,10 +70,21 @@ typedef enum {
 * @brief Key Purpose to be set for a particular key in the Key Manager
 */
 typedef enum {
-    ESP_KEY_MGR_KEY_PURPOSE_ECDSA = 1,
+    ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192 = 1,      /* ECDSA 192-bit key */
-    ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 = 2, /* First half of the XTS AES 256 bit key */
+    ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256 = 2,      /* ECDSA 256-bit key */
-    ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 = 3, /* Second half of the XTS AES 256 bit key */
+    ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 = 3,    /* First half of flash 256-bit key */
-    ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128 = 4,    /* XTS AES 128 bit key */
+    ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 = ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1,
    ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 = 4,    /* Second half of flash 256-bit key */
    ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 = ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2,
    ESP_KEY_MGR_KEY_PURPOSE_FLASH_128 = 5,      /* Flash 128-bit key */
    ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128 = ESP_KEY_MGR_KEY_PURPOSE_FLASH_128,
    ESP_KEY_MGR_KEY_PURPOSE_HMAC = 6,           /* HMAC key */
    ESP_KEY_MGR_KEY_PURPOSE_DS = 7,             /* Digital signature key */
    ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1 = 8,    /* First half of PSRAM 256-bit key */
    ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2 = 9,    /* Second half of PSRAM 256-bit key */
    ESP_KEY_MGR_KEY_PURPOSE_PSRAM_128 = 10,     /* PSRAM 128-bit key */
    ESP_KEY_MGR_KEY_PURPOSE_ECDSA_384_L = 11,   /* Lower half of ECDSA 384-bit key */
    ESP_KEY_MGR_KEY_PURPOSE_ECDSA_384_H = 12,   /* Higher half of ECDSA 384-bit key */
 } esp_key_mgr_key_purpose_t;
 /**
@@ -86,7 +111,7 @@ typedef enum {
 // store huk info, occupy 96 words
 typedef struct PACKED_ATTR {
-#define HUK_INFO_LEN 384
+#define HUK_INFO_LEN 660
    uint8_t info[HUK_INFO_LEN];
    uint32_t crc;
 } esp_key_mgr_huk_info_t;
--- a/components/hal/key_mgr_hal.c
+++ b/components/hal/key_mgr_hal.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -79,14 +79,14 @@ bool key_mgr_hal_is_huk_valid(void)
    return key_mgr_ll_is_huk_valid();
 }
-void key_mgr_hal_set_xts_aes_key_len(const esp_key_mgr_xts_aes_key_len_t key_len)
+void key_mgr_hal_set_xts_aes_key_len(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_xts_aes_key_len_t key_len)
 {
-    key_mgr_ll_set_xts_aes_key_len(key_len);
+    key_mgr_ll_set_xts_aes_key_len(key_type, key_len);
 }
-esp_key_mgr_xts_aes_key_len_t key_mgr_hal_get_xts_aes_key_len(void)
+esp_key_mgr_xts_aes_key_len_t key_mgr_hal_get_xts_aes_key_len(const esp_key_mgr_key_type_t key_type)
 {
-    return key_mgr_ll_get_xts_aes_key_len();
+    return key_mgr_ll_get_xts_aes_key_len(key_type);
 }
 void key_mgr_hal_continue(void)
--- a/components/hal/mpi_hal.c
+++ b/components/hal/mpi_hal.c
@@ -15,7 +15,6 @@ size_t mpi_hal_calc_hardware_words(size_t words)
 void mpi_hal_enable_hardware_hw_op(void)
 {
    mpi_ll_power_up();
    while (mpi_ll_check_memory_init_complete()) {
    }
    // Note: from enabling RSA clock to here takes about 1.3us
@@ -27,7 +26,7 @@ void mpi_hal_enable_hardware_hw_op(void)
 void mpi_hal_disable_hardware_hw_op(void)
 {
-    mpi_ll_power_down();
+
 }
 void mpi_hal_interrupt_enable(bool enable)
--- a/components/hal/test_apps/crypto/main/aes/aes_block.c
+++ b/components/hal/test_apps/crypto/main/aes/aes_block.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: CC0-1.0
 */
@@ -8,7 +8,7 @@
 #include <stdlib.h>
 #include <string.h>
-#include "esp_private/esp_crypto_lock_internal.h"
+#include "esp_crypto_periph_clk.h"
 #include "hal/aes_types.h"
 #include "hal/aes_hal.h"
 #include "hal/aes_ll.h"
@@ -30,10 +30,7 @@ void aes_crypt_cbc_block(int mode,
    uint32_t *iv_words = (uint32_t *)iv;
    unsigned char temp[16];
-    AES_RCC_ATOMIC() {
+    esp_crypto_aes_enable_periph_clk(true);
        aes_ll_enable_bus_clock(true);
        aes_ll_reset_register();
    }
    /* Sets the key used for AES encryption/decryption */
    aes_hal_setkey(key, key_bytes, mode);
@@ -71,9 +68,7 @@ void aes_crypt_cbc_block(int mode,
        }
    }
-    AES_RCC_ATOMIC() {
+    esp_crypto_aes_enable_periph_clk(false);
        aes_ll_enable_bus_clock(false);
    }
 }
@@ -89,10 +84,7 @@ void aes_crypt_ctr_block(uint8_t key_bytes,
    int c, i;
    size_t n = *nc_off;
-    AES_RCC_ATOMIC() {
+    esp_crypto_aes_enable_periph_clk(true);
        aes_ll_enable_bus_clock(true);
        aes_ll_reset_register();
    }
    /* Sets the key used for AES encryption/decryption */
    aes_hal_setkey(key, key_bytes, ESP_AES_ENCRYPT);
@@ -113,9 +105,7 @@ void aes_crypt_ctr_block(uint8_t key_bytes,
    *nc_off = n;
-    AES_RCC_ATOMIC() {
+    esp_crypto_aes_enable_periph_clk(false);
        aes_ll_enable_bus_clock(false);
    }
 }
 #endif
--- a/components/hal/test_apps/crypto/main/ds/ds_types.h
+++ b/components/hal/test_apps/crypto/main/ds/ds_types.h
@@ -0,0 +1,47 @@
 /*
 * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Unlicense OR CC0-1.0
 */
 #include <stdint.h>
 #include "soc/soc_caps.h"
 #define ESP_ERR_HW_CRYPTO_DS_HMAC_FAIL           (0x1) /*!< HMAC peripheral problem */
 #define ESP_ERR_HW_CRYPTO_DS_INVALID_KEY         (0x2) /*!< given HMAC key isn't correct, HMAC peripheral problem */
 #define ESP_ERR_HW_CRYPTO_DS_INVALID_DIGEST      (0x4) /*!< message digest check failed, result is invalid */
 #define ESP_ERR_HW_CRYPTO_DS_INVALID_PADDING     (0x5) /*!< padding check failed, but result is produced anyway and can be read*/
 #define ESP_DS_IV_BIT_LEN 128
 #define ESP_DS_IV_LEN (ESP_DS_IV_BIT_LEN / 8)
 #define ESP_DS_SIGNATURE_MAX_BIT_LEN SOC_RSA_MAX_BIT_LEN
 #define ESP_DS_SIGNATURE_MD_BIT_LEN 256
 #define ESP_DS_SIGNATURE_M_PRIME_BIT_LEN 32
 #define ESP_DS_SIGNATURE_L_BIT_LEN 32
 #define ESP_DS_SIGNATURE_PADDING_BIT_LEN 64
 #define ESP_DS_C_LEN (((ESP_DS_SIGNATURE_MAX_BIT_LEN * 3 \
        + ESP_DS_SIGNATURE_MD_BIT_LEN   \
        + ESP_DS_SIGNATURE_M_PRIME_BIT_LEN   \
        + ESP_DS_SIGNATURE_L_BIT_LEN   \
        + ESP_DS_SIGNATURE_PADDING_BIT_LEN) / 8))
 typedef enum {
    ESP_DS_RSA_1024 = (1024 / 32) - 1,
    ESP_DS_RSA_2048 = (2048 / 32) - 1,
    ESP_DS_RSA_3072 = (3072 / 32) - 1,
    ESP_DS_RSA_4096 = (4096 / 32) - 1
 } esp_digital_signature_length_t;
 typedef struct esp_digital_signature_data {
    esp_digital_signature_length_t rsa_length;
    uint32_t iv[ESP_DS_IV_BIT_LEN / 32];
    uint8_t c[ESP_DS_C_LEN];
 } esp_ds_data_t;
 typedef struct {
    uint32_t  Y[ESP_DS_SIGNATURE_MAX_BIT_LEN / 32];
    uint32_t  M[ESP_DS_SIGNATURE_MAX_BIT_LEN / 32];
    uint32_t Rb[ESP_DS_SIGNATURE_MAX_BIT_LEN / 32];
    uint32_t M_prime;
    uint32_t length;
 } esp_ds_p_data_t;
--- a/components/hal/test_apps/crypto/main/ds/test_ds.c
+++ b/components/hal/test_apps/crypto/main/ds/test_ds.c
@@ -13,84 +13,23 @@
 #include "soc/soc_caps.h"
 #include "esp_log.h"
 #include "ds_types.h"
 const static char *TAG = "test_ds";
 #include "rom/efuse.h"
-#if CONFIG_IDF_TARGET_ESP32S2
+#include "rom/sha.h"
-#include "esp32s2/rom/digital_signature.h"
+#include "rom/digital_signature.h"
-#include "esp32s2/rom/aes.h"
+#include "rom/aes.h"
-#include "esp32s2/rom/sha.h"
+#include "rom/hmac.h"
-#include "esp32s2/rom/hmac.h"
+
-#include "soc/soc_memory_layout.h"
+#if SOC_KEY_MANAGER_DS_KEY_DEPLOY
-#elif CONFIG_IDF_TARGET_ESP32C3
+#include "hal/key_mgr_ll.h"
 #include "esp32c3/rom/digital_signature.h"
 #include "esp32c3/rom/hmac.h"
 #elif CONFIG_IDF_TARGET_ESP32S3
 #include "esp32s3/rom/digital_signature.h"
 #include "esp32s3/rom/aes.h"
 #include "esp32s3/rom/sha.h"
 #elif CONFIG_IDF_TARGET_ESP32C6
 #include "esp32c6/rom/digital_signature.h"
 #include "esp32c6/rom/aes.h"
 #include "esp32c6/rom/sha.h"
 #elif CONFIG_IDF_TARGET_ESP32H2
 #include "esp32h2/rom/digital_signature.h"
 #include "esp32h2/rom/aes.h"
 #include "esp32h2/rom/sha.h"
 #elif CONFIG_IDF_TARGET_ESP32P4
 #include "esp32p4/rom/digital_signature.h"
 #include "esp32p4/rom/aes.h"
 #include "esp32p4/rom/sha.h"
 #elif CONFIG_IDF_TARGET_ESP32C5
 #include "esp32c5/rom/digital_signature.h"
 #include "esp32c5/rom/aes.h"
 #include "esp32c5/rom/sha.h"
 #elif CONFIG_IDF_TARGET_ESP32H21
 #include "esp32h21/rom/digital_signature.h"
 #include "esp32h21/rom/aes.h"
 #include "esp32h21/rom/sha.h"
 #endif
-#define ESP_ERR_HW_CRYPTO_DS_HMAC_FAIL           (0x1) /*!< HMAC peripheral problem */
+#if CONFIG_IDF_TARGET_ESP32S2
-#define ESP_ERR_HW_CRYPTO_DS_INVALID_KEY         (0x2) /*!< given HMAC key isn't correct, HMAC peripheral problem */
+#include "soc/soc_memory_layout.h"
-#define ESP_ERR_HW_CRYPTO_DS_INVALID_DIGEST      (0x4) /*!< message digest check failed, result is invalid */
+#endif
 #define ESP_ERR_HW_CRYPTO_DS_INVALID_PADDING     (0x5) /*!< padding check failed, but result is produced anyway and can be read*/
 #define ESP_DS_IV_BIT_LEN 128
 #define ESP_DS_IV_LEN (ESP_DS_IV_BIT_LEN / 8)
 #define ESP_DS_SIGNATURE_MAX_BIT_LEN SOC_RSA_MAX_BIT_LEN
 #define ESP_DS_SIGNATURE_MD_BIT_LEN 256
 #define ESP_DS_SIGNATURE_M_PRIME_BIT_LEN 32
 #define ESP_DS_SIGNATURE_L_BIT_LEN 32
 #define ESP_DS_SIGNATURE_PADDING_BIT_LEN 64
 #define ESP_DS_C_LEN (((ESP_DS_SIGNATURE_MAX_BIT_LEN * 3 \
        + ESP_DS_SIGNATURE_MD_BIT_LEN   \
        + ESP_DS_SIGNATURE_M_PRIME_BIT_LEN   \
        + ESP_DS_SIGNATURE_L_BIT_LEN   \
        + ESP_DS_SIGNATURE_PADDING_BIT_LEN) / 8))
 typedef enum {
    ESP_DS_RSA_1024 = (1024 / 32) - 1,
    ESP_DS_RSA_2048 = (2048 / 32) - 1,
    ESP_DS_RSA_3072 = (3072 / 32) - 1,
    ESP_DS_RSA_4096 = (4096 / 32) - 1
 } esp_digital_signature_length_t;
 typedef struct esp_digital_signature_data {
    esp_digital_signature_length_t rsa_length;
    uint32_t iv[ESP_DS_IV_BIT_LEN / 32];
    uint8_t c[ESP_DS_C_LEN];
 } esp_ds_data_t;
 typedef struct {
    uint32_t  Y[ESP_DS_SIGNATURE_MAX_BIT_LEN / 32];
    uint32_t  M[ESP_DS_SIGNATURE_MAX_BIT_LEN / 32];
    uint32_t Rb[ESP_DS_SIGNATURE_MAX_BIT_LEN / 32];
    uint32_t M_prime;
    uint32_t length;
 } esp_ds_p_data_t;
 #define NUM_RESULTS 10
@@ -128,43 +67,23 @@ _Static_assert(NUM_RESULTS == NUM_MESSAGES, "expected_results size should be the
 #include "hal/hmac_hal.h"
 #include "hal/hmac_ll.h"
 #include "hal/sha_ll.h"
-
+#include "esp_crypto_periph_clk.h"
 static void ds_acquire_enable(void)
 {
-    HMAC_RCC_ATOMIC() {
+    // We also enable SHA and HMAC here. SHA is used by HMAC, HMAC is used by DS.
-        hmac_ll_enable_bus_clock(true);
+    esp_crypto_hmac_enable_periph_clk(true);
-        hmac_ll_reset_register();
+    esp_crypto_sha_enable_periph_clk(true);
-    }
+    esp_crypto_mpi_enable_periph_clk(true);
-
+    esp_crypto_ds_enable_periph_clk(true);
    SHA_RCC_ATOMIC() {
        sha_ll_enable_bus_clock(true);
        sha_ll_reset_register();
    }
    DS_RCC_ATOMIC() {
        ds_ll_enable_bus_clock(true);
        ds_ll_reset_register();
    }
    hmac_hal_start();
 }
 static void ds_disable_release(void)
 {
-    ds_hal_finish();
+    esp_crypto_mpi_enable_periph_clk(false);
-
+    esp_crypto_sha_enable_periph_clk(false);
-    DS_RCC_ATOMIC() {
+    esp_crypto_hmac_enable_periph_clk(false);
-        ds_ll_enable_bus_clock(false);
+    esp_crypto_ds_enable_periph_clk(false);
    }
    SHA_RCC_ATOMIC() {
        sha_ll_enable_bus_clock(false);
    }
    HMAC_RCC_ATOMIC() {
        hmac_ll_enable_bus_clock(false);
    }
 }
@@ -172,11 +91,22 @@ static esp_err_t esp_ds_start_sign(const void *message, const esp_ds_data_t *dat
 {
    ds_acquire_enable();
-    uint32_t conf_error = hmac_hal_configure(HMAC_OUTPUT_DS, key_id);
+#if SOC_KEY_MANAGER_DS_KEY_DEPLOY
-    if (conf_error) {
+    if (key_id == HMAC_KEY_KM) {
-        ds_disable_release();
+        ds_hal_set_key_source(DS_KEY_SOURCE_KEY_MGR);
-        return ESP_ERR_HW_CRYPTO_DS_HMAC_FAIL;
+    } else {
        ds_hal_set_key_source(DS_KEY_SOURCE_EFUSE);
 #endif
        hmac_hal_start();
        uint32_t conf_error = hmac_hal_configure(HMAC_OUTPUT_DS, key_id);
        if (conf_error) {
            ds_disable_release();
            ESP_LOGE(TAG, "HMAC configure failed");
            return ESP_ERR_HW_CRYPTO_DS_HMAC_FAIL;
        }
 #if SOC_KEY_MANAGER_DS_KEY_DEPLOY
    }
 #endif
    ds_hal_start();
@@ -211,13 +141,13 @@ static esp_err_t esp_ds_finish_sign(void *signature, const esp_ds_data_t *data)
    }
    hmac_hal_clean();
-
+    ds_hal_finish();
    ds_disable_release();
    return return_value;
 }
-static esp_err_t esp_ds_sign(const void *message,
+esp_err_t esp_ds_sign(const void *message,
                      const esp_ds_data_t *data,
                      uint32_t key_id,
                      void *signature)
@@ -287,8 +217,8 @@ static void ds_disable_release(void)
 }
 static esp_err_t esp_ds_start_sign(const void *message,
-                            const esp_ds_data_t *data,
+                                const esp_ds_data_t *data,
-                            uint32_t key_id)
+                                uint32_t key_id)
 {
    ds_acquire_enable();
--- a/components/hal/test_apps/crypto/main/ecc/test_ecc.c
+++ b/components/hal/test_apps/crypto/main/ecc/test_ecc.c
@@ -9,7 +9,7 @@
 #include <string.h>
 #include <sys/param.h>
 #include "sdkconfig.h"
-#include "esp_private/esp_crypto_lock_internal.h"
+#include "esp_crypto_periph_clk.h"
 #include "esp_log.h"
 #include "ecc_params.h"
 #include "soc/soc_caps.h"
@@ -43,24 +43,6 @@ static void ecc_be_to_le(const uint8_t* be_point, uint8_t *le_point, uint8_t len
    }
 }
 static void ecc_enable_and_reset(void)
 {
    ECC_RCC_ATOMIC() {
        ecc_ll_enable_bus_clock(true);
        ecc_ll_power_up();
        ecc_ll_reset_register();
    }
 }
 static void ecc_disable(void)
 {
    ECC_RCC_ATOMIC() {
        ecc_ll_enable_bus_clock(false);
        ecc_ll_power_down();
    }
 }
 TEST_GROUP(ecc);
 TEST_SETUP(ecc)
@@ -79,7 +61,7 @@ TEST_TEAR_DOWN(ecc)
 static void ecc_point_mul(const uint8_t *k_le, const uint8_t *x_le, const uint8_t *y_le, uint8_t len, bool verify_first,
                          uint8_t *res_x_le, uint8_t *res_y_le)
 {
-    ecc_enable_and_reset();
+    esp_crypto_ecc_enable_periph_clk(true);
    ecc_hal_write_mul_param(k_le, x_le, y_le, len);
    if (verify_first) {
@@ -95,7 +77,7 @@ static void ecc_point_mul(const uint8_t *k_le, const uint8_t *x_le, const uint8_
    }
    ecc_hal_read_mul_result(res_x_le, res_y_le, len);
-    ecc_disable();
+    esp_crypto_ecc_enable_periph_clk(false);
 }
 static void test_ecc_point_mul_inner(bool verify_first)
@@ -161,7 +143,7 @@ TEST(ecc, ecc_point_multiplication_on_SECP192R1_and_SECP256R1)
 #if SOC_ECC_CONSTANT_TIME_POINT_MUL
-#define CONST_TIME_DEVIATION_PERCENT 0.002
+#define CONST_TIME_DEVIATION_PERCENT 0.0025
 static void test_ecc_point_mul_inner_constant_time(void)
 {
@@ -237,7 +219,7 @@ TEST(ecc, ecc_point_multiplication_const_time_check_on_SECP192R1_and_SECP256R1)
 #if SOC_ECC_SUPPORT_POINT_VERIFY && !defined(SOC_ECC_SUPPORT_POINT_VERIFY_QUIRK)
 static int ecc_point_verify(const uint8_t *x_le, const uint8_t *y_le, uint8_t len)
 {
-    ecc_enable_and_reset();
+    esp_crypto_ecc_enable_periph_clk(true);
    ecc_hal_write_verify_param(x_le, y_le, len);
    ecc_hal_set_mode(ECC_MODE_VERIFY);
@@ -248,7 +230,7 @@ static int ecc_point_verify(const uint8_t *x_le, const uint8_t *y_le, uint8_t le
    }
    int ret = ecc_hal_read_verify_result();
-    ecc_disable();
+    esp_crypto_ecc_enable_periph_clk(false);
    return ret;
 }
@@ -297,7 +279,7 @@ TEST(ecc, ecc_point_verification_and_multiplication_on_SECP192R1_and_SECP256R1)
 #if SOC_ECC_SUPPORT_POINT_DIVISION
 static void ecc_point_inv_mul(const uint8_t *num_le, const uint8_t *deno_le, uint8_t len, uint8_t *res_le)
 {
-    ecc_enable_and_reset();
+    esp_crypto_ecc_enable_periph_clk(true);
    uint8_t zero[32] = {0};
    ecc_hal_write_mul_param(zero, num_le, deno_le, len);
@@ -311,7 +293,7 @@ static void ecc_point_inv_mul(const uint8_t *num_le, const uint8_t *deno_le, uin
    }
    ecc_hal_read_mul_result(zero, res_le, len);
-    ecc_disable();
+    esp_crypto_ecc_enable_periph_clk(false);
 }
 TEST(ecc, ecc_inverse_multiplication_or_mod_division_using_SECP192R1_and_SECP256R1_order_of_curve)
@@ -329,7 +311,7 @@ TEST(ecc, ecc_inverse_multiplication_or_mod_division_using_SECP192R1_and_SECP256
 static void ecc_jacob_mul(uint8_t *k_le, uint8_t *x_le, uint8_t *y_le, uint8_t len, bool verify_first,
                          uint8_t *res_x_le, uint8_t *res_y_le, uint8_t *res_z_le)
 {
-    ecc_enable_and_reset();
+    esp_crypto_ecc_enable_periph_clk(true);
    ecc_hal_write_mul_param(k_le, x_le, y_le, len);
    if (verify_first) {
@@ -344,7 +326,7 @@ static void ecc_jacob_mul(uint8_t *k_le, uint8_t *x_le, uint8_t *y_le, uint8_t l
    }
    ecc_hal_read_jacob_mul_result(res_x_le, res_y_le, res_z_le, len);
-    ecc_disable();
+    esp_crypto_ecc_enable_periph_clk(false);
 }
 static void test_ecc_jacob_mul_inner(bool verify_first)
@@ -393,7 +375,7 @@ TEST(ecc, ecc_jacobian_point_multiplication_on_SECP192R1_and_SECP256R1)
 #if SOC_ECC_SUPPORT_JACOB_POINT_VERIFY
 static int ecc_jacob_verify(const uint8_t *x_le, const uint8_t *y_le, const uint8_t *z_le, uint8_t len)
 {
-    ecc_enable_and_reset();
+    esp_crypto_ecc_enable_periph_clk(true);
    ecc_hal_write_jacob_verify_param(x_le, y_le, z_le, len);
@@ -406,7 +388,7 @@ static int ecc_jacob_verify(const uint8_t *x_le, const uint8_t *y_le, const uint
    }
    int ret = ecc_hal_read_verify_result();
-    ecc_disable();
+    esp_crypto_ecc_enable_periph_clk(false);
    return ret;
 }
@@ -436,7 +418,7 @@ static void ecc_point_addition(uint8_t *px_le, uint8_t *py_le, uint8_t *qx_le, u
                               uint8_t len, bool jacob_output,
                               uint8_t *x_res_le, uint8_t *y_res_le, uint8_t *z_res_le)
 {
-    ecc_enable_and_reset();
+    esp_crypto_ecc_enable_periph_clk(true);
    ecc_hal_write_point_add_param(px_le, py_le, qx_le, qy_le, qz_le, len);
@@ -449,7 +431,7 @@ static void ecc_point_addition(uint8_t *px_le, uint8_t *py_le, uint8_t *qx_le, u
    }
    ecc_hal_read_point_add_result(x_res_le, y_res_le, z_res_le, len, jacob_output);
-    ecc_disable();
+    esp_crypto_ecc_enable_periph_clk(false);
 }
 TEST(ecc, ecc_point_addition_on_SECP192R1_and_SECP256R1)
@@ -508,7 +490,7 @@ TEST(ecc, ecc_point_addition_on_SECP192R1_and_SECP256R1)
 #if SOC_ECC_SUPPORT_MOD_ADD || SOC_ECC_SUPPORT_MOD_SUB || SOC_ECC_SUPPORT_MOD_MUL
 static void ecc_mod_op(ecc_mode_t mode, const uint8_t *a, const uint8_t *b, uint8_t len, uint8_t *res_le)
 {
-    ecc_enable_and_reset();
+    esp_crypto_ecc_enable_periph_clk(true);
    ecc_hal_write_mod_op_param(a, b, len);
@@ -521,7 +503,7 @@ static void ecc_mod_op(ecc_mode_t mode, const uint8_t *a, const uint8_t *b, uint
    }
    ecc_hal_read_mod_op_result(res_le, len);
-    ecc_disable();
+    esp_crypto_ecc_enable_periph_clk(false);
 }
 #endif
--- a/components/hal/test_apps/crypto/main/ecdsa/test_ecdsa.c
+++ b/components/hal/test_apps/crypto/main/ecdsa/test_ecdsa.c
@@ -10,7 +10,7 @@
 #include "esp_crypto_lock.h"
 #include "esp_efuse_chip.h"
-#include "esp_private/esp_crypto_lock_internal.h"
+#include "esp_crypto_periph_clk.h"
 #include "esp_random.h"
 #include "esp_err.h"
 #include "esp_efuse.h"
@@ -35,41 +35,20 @@ __attribute__((unused)) static const char * TAG = "crypto_test";
 static void ecdsa_enable_and_reset(void)
 {
-    ECDSA_RCC_ATOMIC() {
+    esp_crypto_ecdsa_enable_periph_clk(true);
-        ecdsa_ll_enable_bus_clock(true);
+    esp_crypto_ecc_enable_periph_clk(true);
        ecdsa_ll_reset_register();
    }
    ECC_RCC_ATOMIC() {
        ecc_ll_enable_bus_clock(true);
        ecc_ll_power_up();
        ecc_ll_reset_register();
    }
 #ifdef SOC_ECDSA_USES_MPI
-    MPI_RCC_ATOMIC() {
+    esp_crypto_mpi_enable_periph_clk(true);
        mpi_ll_enable_bus_clock(true);
        mpi_ll_reset_register();
    }
 #endif
 }
 static void ecdsa_disable(void)
 {
 #ifdef SOC_ECDSA_USES_MPI
-    MPI_RCC_ATOMIC() {
+    esp_crypto_mpi_enable_periph_clk(false);
        mpi_ll_enable_bus_clock(false);
    }
 #endif
-
+    esp_crypto_ecc_enable_periph_clk(false);
-    ECC_RCC_ATOMIC() {
+    esp_crypto_ecdsa_enable_periph_clk(false);
        ecc_ll_enable_bus_clock(false);
        ecc_ll_power_down();
    }
    ECDSA_RCC_ATOMIC() {
        ecdsa_ll_enable_bus_clock(false);
    }
 }
 static void ecc_be_to_le(const uint8_t* be_point, uint8_t *le_point, uint8_t len)
--- a/components/hal/test_apps/crypto/main/hmac/test_hmac.c
+++ b/components/hal/test_apps/crypto/main/hmac/test_hmac.c
@@ -1,11 +1,11 @@
 /*
- * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
 #include <string.h>
-#include "esp_private/esp_crypto_lock_internal.h"
+#include "esp_crypto_periph_clk.h"
 #include "esp_log.h"
 #include "memory_checks.h"
 #include "unity_fixture.h"
@@ -61,24 +61,13 @@ static void write_and_padd(uint8_t *block, const uint8_t *data, uint16_t data_le
    bzero(block + data_len + 1, SHA256_BLOCK_SZ - data_len - 1);
 }
-static esp_err_t hmac_calculate(uint32_t key_id, const void *message, size_t message_len, uint8_t *hmac)
+esp_err_t hmac_calculate(uint32_t key_id, const void *message, size_t message_len, uint8_t *hmac)
 {
    const uint8_t *message_bytes = (const uint8_t *)message;
-    HMAC_RCC_ATOMIC() {
+    esp_crypto_hmac_enable_periph_clk(true);
-        hmac_ll_enable_bus_clock(true);
+    esp_crypto_sha_enable_periph_clk(true);
-        hmac_ll_reset_register();
+    esp_crypto_ds_enable_periph_clk(true);
    }
    SHA_RCC_ATOMIC() {
        sha_ll_enable_bus_clock(true);
        sha_ll_reset_register();
    }
    DS_RCC_ATOMIC() {
        ds_ll_enable_bus_clock(true);
        ds_ll_reset_register();
    }
    hmac_hal_start();
@@ -130,17 +119,9 @@ static esp_err_t hmac_calculate(uint32_t key_id, const void *message, size_t mes
    hmac_hal_read_result_256(hmac);
-    DS_RCC_ATOMIC() {
+    esp_crypto_hmac_enable_periph_clk(false);
-        ds_ll_enable_bus_clock(false);
+    esp_crypto_sha_enable_periph_clk(false);
-    }
+    esp_crypto_ds_enable_periph_clk(false);
    SHA_RCC_ATOMIC() {
        sha_ll_enable_bus_clock(false);
    }
    HMAC_RCC_ATOMIC() {
        hmac_ll_enable_bus_clock(false);
    }
    return ESP_OK;
 }
--- a/components/hal/test_apps/crypto/main/key_manager/ecdsa_256_key.pem
+++ b/components/hal/test_apps/crypto/main/key_manager/ecdsa_256_key.pem
@@ -0,0 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
 MHcCAQEEICySt/VCEPFi962COuQDE+cXD3Bz8XjZy2O5SM1LsHsGoAoGCCqGSM49
 AwEHoUQDQgAEBYu5KXarLURySNNaeZcxtBTxC0vJAM/evz9NC01IjCVQlOLJ4Y6i
 3UviK3bgk+3FqpJBM+SQCqeDgd7ktPtr9Q==
 -----END EC PRIVATE KEY-----
--- a/components/hal/test_apps/crypto/main/key_manager/gen_key_manager_test_cases.py
+++ b/components/hal/test_apps/crypto/main/key_manager/gen_key_manager_test_cases.py
@@ -1,19 +1,29 @@
-# SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
+# SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
 # SPDX-License-Identifier: Unlicense OR CC0-1.0
 import argparse
 import hashlib
 import hmac
 import os
 import random
 import struct
 from typing import Any
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import ec
-from cryptography.hazmat.primitives.ciphers import algorithms
+from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives.ciphers import Cipher
 from cryptography.hazmat.primitives.ciphers import algorithms
 from cryptography.hazmat.primitives.ciphers import modes
 from cryptography.utils import int_to_bytes
 from ecdsa.curves import NIST256p
 supported_targets = {'esp32p4', 'esp32c5'}
 supported_ds_key_size = {'esp32p4': [4096, 3072, 2048, 1024], 'esp32c5': [3072, 2048, 1024]}
 # Constants
 TEST_COUNT = 5
 STORAGE_PARTITION_OFFSET = 0x160000
 # Helper functions
@@ -45,7 +55,9 @@ def calculate_aes_cipher(data: bytes, key: bytes) -> Any:
    return encryptor.update(data) + encryptor.finalize()
-def _flash_encryption_operation_aes_xts(input_data: bytes, flash_address: int, key: bytes, do_decrypt: bool = False) -> bytes:
+def _flash_encryption_operation_aes_xts(
    input_data: bytes, flash_address: int, key: bytes, do_decrypt: bool = False
 ) -> bytes:
    backend = default_backend()
    indata = input_data
@@ -54,9 +66,9 @@ def _flash_encryption_operation_aes_xts(input_data: bytes, flash_address: int, k
    indata = (b'\x00' * pad_left) + indata
    pad_right = (0x80 - (len(indata) % 0x80)) % 0x80
-    indata += (b'\x00' * pad_right)
+    indata += b'\x00' * pad_right
-    inblocks = [indata[i:i + 0x80] for i in range(0, len(indata), 0x80)]
+    inblocks = [indata[i : i + 0x80] for i in range(0, len(indata), 0x80)]
    output = b''
    for inblock in inblocks:
@@ -68,17 +80,17 @@ def _flash_encryption_operation_aes_xts(input_data: bytes, flash_address: int, k
        outblock = encryptor.update(inblock[::-1])
        output += outblock[::-1]
-    return output[pad_left:len(output) - pad_right]
+    return output[pad_left : len(output) - pad_right]
-def generate_xts_test_data(key: bytes, base_flash_address: int = 0x120000) -> list:
+def generate_xts_test_data(key: bytes, base_flash_address: int = STORAGE_PARTITION_OFFSET) -> list:
    xts_test_data = []
    plaintext_data = bytes(range(1, 129))
    data_size = 16
    flash_address = base_flash_address
    for i in range(TEST_COUNT):
        data_size = (data_size * 2) % 256
-        if (data_size < 16):
+        if data_size < 16:
            data_size = 16
        input_data = plaintext_data[:data_size]
        flash_address = base_flash_address + (i * 0x100)
@@ -96,7 +108,7 @@ def generate_ecdsa_256_key_and_pub_key(filename: str) -> tuple:
    pem = private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
-        encryption_algorithm=serialization.NoEncryption()
+        encryption_algorithm=serialization.NoEncryption(),
    )
    with open('ecdsa_256_key.pem', 'wb') as pem_file:
@@ -134,10 +146,120 @@ def generate_k1_G(key_file_path: str) -> tuple:
    return k1_G, k1_G
-def write_to_c_header(init_key: bytes, k1: bytes, k2_info: bytes, k1_encrypted_32: list,
+def generate_hmac_test_data(key: bytes) -> tuple:
-                      test_data_xts_aes_128: list, k1_encrypted_64: list,
+    hmac_message = (
-                      xts_test_data_xts_aes_256: list, pubx: bytes,
+        'Deleniti voluptas explicabo et assumenda. Sed et aliquid minus quis. '
-                      puby: bytes, k1_G_0: bytes, k1_G_1: bytes) -> None:
+        'Praesentium cupiditate quia nemo est. Laboriosam pariatur ut distinctio tenetur. '
        'Sunt architecto iure aspernatur soluta ut recusandae. '
        'Ut quibusdam occaecati ut qui sit dignissimos eaque..'
    ).encode('utf-8')
    hmac_result = hmac.HMAC(key, hmac_message, hashlib.sha256).digest()
    return hmac_message, hmac_result
 def number_as_bytes(number, pad_bits=0):  # type: (int, int) -> bytes
    """
    Given a number, format as a little endian array of bytes
    """
    result = int_to_bytes(number)[::-1]  # type: bytes
    while pad_bits != 0 and len(result) < (pad_bits // 8):
        result += b'\x00'
    return result
 def number_as_bignum_words(number):  # type: (int) -> str
    """
    Given a number, format result as a C array of words
    (little-endian, same as ESP32 RSA peripheral or mbedTLS)
    """
    result = []
    while number != 0:
        result.append('0x%08x' % (number & 0xFFFFFFFF))
        number >>= 32
    return '{ ' + ', '.join(result) + ' }'
 def generate_ds_encrypted_input_params(aes_key: bytes, target: str) -> tuple:
    iv = os.urandom(16)
    max_key_size = max(supported_ds_key_size[target])
    key_size = max_key_size
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=key_size, backend=default_backend())
    priv_numbers = private_key.private_numbers()
    pub_numbers = private_key.public_key().public_numbers()
    Y = priv_numbers.d
    M = pub_numbers.n
    rr = 1 << (key_size * 2)
    rinv = rr % pub_numbers.n
    mprime = -rsa._modinv(M, 1 << 32)
    mprime &= 0xFFFFFFFF
    length = key_size // 32 - 1
    # calculate MD from preceding values and IV
    # Y_max_key_size || M_max_key_size || Rb_max_key_size || M_prime32 || LENGTH32 || IV128
    md_in = (
        number_as_bytes(Y, max_key_size)
        + number_as_bytes(M, max_key_size)
        + number_as_bytes(rinv, max_key_size)
        + struct.pack('<II', mprime, length)
        + iv
    )
    md = hashlib.sha256(md_in).digest()
    # generate expected C value from P bitstring
    #
    # Y_max_key_size || M_max_key_size || Rb_max_key_size || M_prime32 || LENGTH32 ||  0x08*8
    # E.g. for C3: Y3072 || M3072 || Rb3072 || M_prime32 || LENGTH32 || MD256 || 0x08*8
    p = (
        number_as_bytes(Y, max_key_size)
        + number_as_bytes(M, max_key_size)
        + number_as_bytes(rinv, max_key_size)
        + md
        + struct.pack('<II', mprime, length)
        + b'\x08' * 8
    )
    # expected_len = max_len_Y + max_len_M + max_len_rinv + md (32 bytes)
    #               + (mprime + length packed (8bytes)) + padding (8 bytes)
    expected_len = (max_key_size / 8) * 3 + 32 + 8 + 8
    assert len(p) == expected_len
    cipher = Cipher(algorithms.AES(aes_key), modes.CBC(iv), backend=default_backend())
    encryptor = cipher.encryptor()
    ds_encrypted_input_params = encryptor.update(p) + encryptor.finalize()
    mask = (1 << key_size) - 1  # truncate messages if needed
    ds_message = random.randrange(0, 1 << max_key_size)
    ds_result = number_as_bytes(pow(ds_message & mask, Y, M))
    return number_as_bytes(ds_message), ds_encrypted_input_params, iv, key_size, ds_result
 def write_to_c_header(
    init_key: bytes,
    k1: bytes,
    k2_info: bytes,
    k1_encrypted_32: list,
    k1_encrypted_32_reversed: list,
    test_data_xts_aes_128: list,
    k1_encrypted_64: list,
    k1_encrypted_64_reversed: list,
    xts_test_data_xts_aes_256: list,
    pubx: bytes,
    puby: bytes,
    k1_G_0: bytes,
    k1_G_1: bytes,
    hmac_message: bytes,
    hmac_result: bytes,
    ds_message: bytes,
    ds_encrypted_input_params: bytes,
    ds_encrypted_input_params_iv: bytes,
    ds_key_size: int,
    ds_result: bytes,
 ) -> None:
    with open('key_manager_test_cases.h', 'w', encoding='utf-8') as file:
        header_content = """#include <stdint.h>
@@ -154,13 +276,30 @@ typedef struct test_ecdsa_data {
    uint8_t puby[32];
 } test_ecdsa_data_t;
 typedef struct test_hmac_data {
    uint8_t message[%d];
    uint8_t hmac_result[32];
 } test_hmac_data_t;
 typedef struct test_ds_data {
    uint8_t ds_message[%d / 8];
    uint8_t ds_encrypted_input_params[%d];
    uint8_t ds_encrypted_input_params_iv[16];
    size_t ds_key_size;
    uint8_t ds_result[%d];
 } test_ds_data_t;
 typedef struct test_data {
    uint8_t init_key[32];
    uint8_t k2_info[64];
    uint8_t k1_encrypted[2][32];  // For both 256-bit and 512-bit keys
    uint8_t plaintext_data[128];
-    test_xts_data_t xts_test_data[TEST_COUNT];
+    union {
-    test_ecdsa_data_t ecdsa_test_data;
+        test_xts_data_t xts_test_data[TEST_COUNT];
        test_ecdsa_data_t ecdsa_test_data;
        test_hmac_data_t hmac_test_data;
        test_ds_data_t ds_test_data;
    };
 } test_data_aes_mode_t;
 typedef struct test_data_ecdh0 {
@@ -176,10 +315,23 @@ test_data_aes_mode_t test_data_xts_aes_128 = {
    .k1_encrypted = { { %s }, {  } },
    .plaintext_data = { %s },
    .xts_test_data = {
-""" % (key_to_c_format(init_key), key_to_c_format(k2_info), key_to_c_format(k1_encrypted_32[0]), key_to_c_format(bytes(range(1, 129))))
+""" % (
            len(hmac_message),
            ds_key_size,
            len(ds_encrypted_input_params),
            len(ds_result),
            key_to_c_format(init_key),
            key_to_c_format(k2_info),
            key_to_c_format(k1_encrypted_32_reversed[0]),
            key_to_c_format(bytes(range(1, 129))),
        )
        for data_size, flash_address, ciphertext in test_data_xts_aes_128:
-            header_content += f'\t\t{{.data_size = {data_size}, .data_offset = 0x{flash_address:x}, .ciphertext = {{{key_to_c_format(ciphertext)}}}}},\n'
+            header_content += (
                f'\t\t{{.data_size = {data_size}, '
                f'.data_offset = 0x{flash_address:x}, '
                f'.ciphertext = {{{key_to_c_format(ciphertext)}}}}},\n'
            )
        header_content += '\t}\n};\n\n'
        # For 64-byte k1 key
@@ -187,14 +339,22 @@ test_data_aes_mode_t test_data_xts_aes_128 = {
        header_content += 'test_data_aes_mode_t test_data_xts_aes_256 = {\n'
        header_content += f'\t.init_key = {{{key_to_c_format(init_key)}}},\n'
        header_content += f'\t.k2_info = {{{key_to_c_format(k2_info)}}},\n'
-        header_content += f'\t.k1_encrypted = {{{{{key_to_c_format(k1_encrypted_64[0])}}}, {{{key_to_c_format(k1_encrypted_64[1])}}}}},\n'
+        header_content += (
            f'\t.k1_encrypted = {{{{{key_to_c_format(k1_encrypted_64_reversed[0])}}}, '
            f'{{{key_to_c_format(k1_encrypted_64_reversed[1])}}}}},\n'
        )
        header_content += f'\t.plaintext_data = {{{key_to_c_format(bytes(range(1, 129)))}}},\n'
        header_content += '    .xts_test_data = {\n'
        for data_size, flash_address, ciphertext in xts_test_data_xts_aes_256:
-            header_content += f'        {{.data_size = {data_size}, .data_offset = 0x{flash_address:x}, .ciphertext = {{{key_to_c_format(ciphertext)}}}}},\n'
+            header_content += (
-        header_content += '    }\n};\n'
+                f'\t\t{{.data_size = {data_size}, '
-        header_content += '''
+                f'.data_offset = 0x{flash_address:x}, '
                f'.ciphertext = {{{key_to_c_format(ciphertext)}}}}},\n'
            )
        header_content += '\t}\n};\n'
        header_content += """
 test_data_aes_mode_t test_data_ecdsa = {
    .init_key = { %s },
    .k2_info = { %s },
@@ -204,8 +364,15 @@ test_data_aes_mode_t test_data_ecdsa = {
        .puby = { %s }
    }
 };\n
-''' % (key_to_c_format(init_key), key_to_c_format(k2_info), key_to_c_format(k1_encrypted_32[0]), key_to_c_format(pubx),key_to_c_format(puby))
+""" % (
-        header_content += '''
+            key_to_c_format(init_key),
            key_to_c_format(k2_info),
            key_to_c_format(k1_encrypted_32_reversed[0]),
            key_to_c_format(pubx),
            key_to_c_format(puby),
        )
        header_content += """
 test_data_ecdh0_mode_t test_data_ecdh0 = {
    .plaintext_data = { %s },
    .k1 = {
@@ -217,41 +384,132 @@ test_data_ecdh0_mode_t test_data_ecdh0 = {
        { %s },
    }
 };\n
 """ % (
            key_to_c_format(bytes(range(1, 129))),
            key_to_c_format(k1),
            key_to_c_format(k1),
            key_to_c_format(k1_G_0),
            key_to_c_format(k1_G_1),
        )
-''' % (key_to_c_format(bytes(range(1, 129))), key_to_c_format(k1), key_to_c_format(k1), key_to_c_format(k1_G_0), key_to_c_format(k1_G_1))
+        header_content += """
 test_data_aes_mode_t test_data_hmac = {
    .init_key = { %s },
    .k2_info = { %s },
    .k1_encrypted = { { %s }, {  } },
    .hmac_test_data = {
        .message = { %s },
        .hmac_result = { %s }
    }
 };\n
 """ % (
            key_to_c_format(init_key),
            key_to_c_format(k2_info),
            key_to_c_format(k1_encrypted_32[0]),
            key_to_c_format(hmac_message),
            key_to_c_format(hmac_result),
        )
        header_content += """
 test_data_aes_mode_t test_data_ds = {
    .init_key = { %s },
    .k2_info = { %s },
    .k1_encrypted = { { %s }, {  } },
    .ds_test_data = {
        .ds_message = { %s },
        .ds_encrypted_input_params = { %s },
        .ds_encrypted_input_params_iv = { %s },
        .ds_key_size = %d,
        .ds_result = { %s }
    }
 };\n
 """ % (
            key_to_c_format(init_key),
            key_to_c_format(k2_info),
            key_to_c_format(k1_encrypted_32_reversed[0]),
            key_to_c_format(ds_message),
            key_to_c_format(ds_encrypted_input_params),
            key_to_c_format(ds_encrypted_input_params_iv),
            ds_key_size,
            key_to_c_format(ds_result),
        )
        file.write(header_content)
-# Main script logic follows as per your provided structure
+def generate_tests_cases(target: str) -> None:
-init_key = key_from_file_or_generate('init_key.bin', 32)
+    # Main script logic follows as per your provided structure
-k2 = key_from_file_or_generate('k2.bin', 32)
+    init_key = key_from_file_or_generate('init_key.bin', 32)
-rand_num = key_from_file_or_generate('rand_num.bin', 32)
+    k2 = key_from_file_or_generate('k2.bin', 32)
    rand_num = key_from_file_or_generate('rand_num.bin', 32)
-temp_result_inner = calculate_aes_cipher(k2, rand_num)
+    temp_result_inner = calculate_aes_cipher(k2, rand_num)
-temp_result_outer = calculate_aes_cipher(temp_result_inner + rand_num, init_key)
+    temp_result_outer = calculate_aes_cipher(temp_result_inner + rand_num, init_key)
-k2_info = temp_result_outer
+    k2_info = temp_result_outer
-k1_32 = key_from_file_or_generate('k1.bin', 32)
+    k1_32 = key_from_file_or_generate('k1.bin', 32)
-k1_64 = key_from_file_or_generate('k1_64.bin', 64)
+    k1_64 = key_from_file_or_generate('k1_64.bin', 64)
-k1_32_reversed = k1_32[::-1]
+    k1_32_reversed = k1_32[::-1]
-k1_64_reversed = k1_64[::-1]
+    k1_64_1 = k1_64[:32]
    k1_64_1_reversed = k1_64_1[::-1]
    k1_64_2 = k1_64[32:]
    k1_64_2_reversed = k1_64_2[::-1]
-k1_64_1 = k1_64[:32]
+    k1_encrypted_32 = [calculate_aes_cipher(k1_32, k2)]
-k1_64_1_reversed = k1_64_1[::-1]
+    k1_encrypted_64 = [calculate_aes_cipher(k1_64_1, k2), calculate_aes_cipher(k1_64_2, k2)]
 k1_64_2 = k1_64[32:]
 k1_64_2_reversed = k1_64_2[::-1]
-k1_encrypted_32 = [calculate_aes_cipher(k1_32_reversed, k2)]
+    k1_encrypted_32_reversed = [calculate_aes_cipher(k1_32_reversed, k2)]
-k1_encrypted_64 = [calculate_aes_cipher(k1_64_1_reversed, k2), calculate_aes_cipher(k1_64_2_reversed, k2)]
+    k1_encrypted_64_reversed = [calculate_aes_cipher(k1_64_1_reversed, k2), calculate_aes_cipher(k1_64_2_reversed, k2)]
-test_data_xts_aes_128 = generate_xts_test_data(k1_32)
+    test_data_xts_aes_128 = generate_xts_test_data(k1_32)
-xts_test_data_xts_aes_256 = generate_xts_test_data(k1_64)
+    xts_test_data_xts_aes_256 = generate_xts_test_data(k1_64)
-pubx, puby = generate_ecdsa_256_key_and_pub_key('k1.bin')
+    pubx, puby = generate_ecdsa_256_key_and_pub_key('k1.bin')
-k1_G_0, k1_G_1 = generate_k1_G('k1.bin')
+    k1_G_0, k1_G_1 = generate_k1_G('k1.bin')
-write_to_c_header(init_key, k1_32, k2_info, k1_encrypted_32, test_data_xts_aes_128, k1_encrypted_64, xts_test_data_xts_aes_256, pubx, puby, k1_G_0, k1_G_1)
+    hmac_message, hmac_result = generate_hmac_test_data(k1_32)
    ds_message, ds_encrypted_input_params, ds_encrypted_input_params_iv, ds_key_size, ds_result = (
        generate_ds_encrypted_input_params(k1_32, target)
    )
    write_to_c_header(
        init_key,
        k1_32,
        k2_info,
        k1_encrypted_32,
        k1_encrypted_32_reversed,
        test_data_xts_aes_128,
        k1_encrypted_64,
        k1_encrypted_64_reversed,
        xts_test_data_xts_aes_256,
        pubx,
        puby,
        k1_G_0,
        k1_G_1,
        hmac_message,
        hmac_result,
        ds_message,
        ds_encrypted_input_params,
        ds_encrypted_input_params_iv,
        ds_key_size,
        ds_result,
    )
 if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="""Generates Digital Signature Test Cases""")
    parser.add_argument(
        '--target',
        required=True,
        choices=supported_targets,
        help='Target to generate test cases for, different targets support different max key length',
    )
    args = parser.parse_args()
    generate_tests_cases(args.target)
--- a/components/hal/test_apps/crypto/main/key_manager/init_key.bin
+++ b/components/hal/test_apps/crypto/main/key_manager/init_key.bin
@@ -0,0 +1 @@
 <EFBFBD><<3C>C<EFBFBD><43>K%[~<7E>W<EFBFBD><57>E<>v<EFBFBD>N.U<>%<25><>
--- a/components/hal/test_apps/crypto/main/key_manager/k1.bin
+++ b/components/hal/test_apps/crypto/main/key_manager/k1.bin
@@ -0,0 +1 @@
 ,<2C><><EFBFBD>B<10>b<EFBFBD><62><EFBFBD>:<3A><13>ps<70>x<EFBFBD><78>c<EFBFBD>H<EFBFBD>K<EFBFBD>{
--- a/components/hal/test_apps/crypto/main/key_manager/k1_64.bin
+++ b/components/hal/test_apps/crypto/main/key_manager/k1_64.bin
--- a/components/hal/test_apps/crypto/main/key_manager/k2.bin
+++ b/components/hal/test_apps/crypto/main/key_manager/k2.bin
@@ -0,0 +1 @@
 !<21>V1,J<>8~f<>*<2A>D<EFBFBD>_<EFBFBD>*<2A>B+<2B>(7<><16>X(<28>
--- a/components/hal/test_apps/crypto/main/key_manager/key_manager_test_cases.h
+++ b/components/hal/test_apps/crypto/main/key_manager/key_manager_test_cases.h
--- a/components/hal/test_apps/crypto/main/key_manager/rand_num.bin
+++ b/components/hal/test_apps/crypto/main/key_manager/rand_num.bin
@@ -0,0 +1 @@
 <EFBFBD>y/<2F>A╙<08>fI<0E>B<EFBFBD>XR<10>Fn&<26>S&6l<36><6C>V
--- a/components/hal/test_apps/crypto/main/key_manager/test_key_manager.c
+++ b/components/hal/test_apps/crypto/main/key_manager/test_key_manager.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Unlicense OR CC0-1.0
 */
@@ -25,9 +25,17 @@
 #include "key_manager_test_cases.h"
 #include "esp_log.h"
-// For ECDSA tests
+#if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY
-#include "hal/ecdsa_hal.h"
+#include "hal/ecdsa_types.h"
 #endif
 #if SOC_KEY_MANAGER_HMAC_KEY_DEPLOY
 #include "hal/hmac_types.h"
 #endif
 #if SOC_KEY_MANAGER_DS_KEY_DEPLOY
 #include "ds/ds_types.h"
 #endif
 #if SOC_KEY_MANAGER_FE_KEY_DEPLOY
 const esp_partition_t *get_test_storage_partition(void)
 {
    /* This finds "storage" partition defined partition table */
@@ -35,32 +43,26 @@ const esp_partition_t *get_test_storage_partition(void)
                                                             ESP_PARTITION_SUBTYPE_ANY, "storage");
    if (!result) {
        /* means partition table set wrong */
-        printf("ERROR in obtaining storage partition");
+        ESP_LOGE("", "ERROR in obtaining storage partition");
        return NULL;
    }
    return result;
 }
 static void print_data_in_hex(const uint8_t *data, int size, const char *info_str)
 {
    printf("%s: 0x", info_str);
    for(int i = 0 ; i < size; i++) {
        printf("%02x", data[i]);
    }
    printf("\n");
 }
 static void test_xts_aes_key_aes_mode(test_data_aes_mode_t *test_data)
 {
    const esp_partition_t *partition = get_test_storage_partition();
    ESP_ERROR_CHECK(esp_partition_erase_range(partition, 0, partition->size));
    uint8_t read_data[128];
    for (int i = 0; i < TEST_COUNT; i++) {
        memset(read_data, 0, sizeof(read_data));
        uint32_t address = test_data->xts_test_data[i].data_offset;
        uint32_t data_size = test_data->xts_test_data[i].data_size;
        ESP_ERROR_CHECK(esp_flash_write_encrypted(NULL, address, test_data->plaintext_data, data_size));
        static uint8_t read_data[128];
        ESP_ERROR_CHECK(esp_flash_read(NULL, read_data, address, data_size));
        TEST_ASSERT_EQUAL_HEX8_ARRAY(test_data->xts_test_data[i].ciphertext, read_data, data_size);
    }
 }
@@ -70,18 +72,20 @@ static void test_xts_aes_key_ecdh0_mode(test_data_ecdh0_mode_t *test_data)
    const esp_partition_t *partition = get_test_storage_partition();
    ESP_ERROR_CHECK(esp_partition_erase_range(partition, 0, partition->size));
    uint8_t read_data[128] = { 0 };
    uint32_t address = partition->address;
    uint32_t data_size = 32;
-    print_data_in_hex(test_data->plaintext_data, data_size, "Plaintext data");
+    ESP_LOG_BUFFER_HEXDUMP("Plaintext data", test_data->plaintext_data, data_size, ESP_LOG_DEBUG);
    ESP_ERROR_CHECK(esp_flash_write_encrypted(NULL, address, test_data->plaintext_data, data_size));
    static uint8_t read_data[128];
    ESP_ERROR_CHECK(esp_flash_read(NULL, read_data, address, data_size));
-    print_data_in_hex(read_data, data_size, "Encrypted data");
+
    ESP_LOG_BUFFER_HEXDUMP("Encrypted data", read_data, data_size, ESP_LOG_DEBUG);
 }
-static void key_mgr_test_xts_aes_128(void)
+#if SOC_FLASH_ENCRYPTION_XTS_AES_128
 static void key_mgr_test_xts_aes_128_aes_mode(void)
 {
    static esp_key_mgr_aes_key_config_t key_config;
    memcpy(key_config.k2_info, (uint8_t*) test_data_xts_aes_128.k2_info, KEY_MGR_K2_INFO_SIZE);
@@ -95,9 +99,27 @@ static void key_mgr_test_xts_aes_128(void)
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info));
    test_xts_aes_key_aes_mode(&test_data_xts_aes_128);
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
 }
 static void key_mgr_test_xts_aes_128_ecdh0_mode(void)
 {
    static esp_key_mgr_ecdh0_key_config_t key_config;
    memcpy(key_config.k1_G[0], (uint8_t*) test_data_ecdh0.k1_G[0], KEY_MGR_ECDH0_INFO_SIZE);
    key_config.key_type = ESP_KEY_MGR_XTS_AES_128_KEY;
    static esp_key_mgr_key_recovery_info_t key_recovery_info;
    static esp_key_mgr_ecdh0_info_t ecdh0_info;
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_ecdh0_mode(&key_config, &key_recovery_info, &ecdh0_info));
    ESP_LOG_BUFFER_HEXDUMP("K2_G", ecdh0_info.k2_G[0], KEY_MGR_ECDH0_INFO_SIZE, ESP_LOG_DEBUG);
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info));
    test_xts_aes_key_ecdh0_mode(&test_data_ecdh0);
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
 }
 #endif /* SOC_FLASH_ENCRYPTION_XTS_AES_128 */
 #if SOC_FLASH_ENCRYPTION_XTS_AES_256
 static void key_mgr_test_xts_aes_256_aes_mode(void)
 {
    static esp_key_mgr_aes_key_config_t key_config;
@@ -115,11 +137,80 @@ static void key_mgr_test_xts_aes_256_aes_mode(void)
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
 }
-#ifdef SOC_ECDSA_SUPPORT_EXPORT_PUBKEY
+static void key_mgr_test_xts_aes_256_ecdh0_mode(void)
 {
    static esp_key_mgr_ecdh0_key_config_t key_config;
    memcpy(key_config.k1_G[0], (uint8_t*) test_data_ecdh0.k1_G[0], KEY_MGR_ECDH0_INFO_SIZE);
    memcpy(key_config.k1_G[1], (uint8_t*) test_data_ecdh0.k1_G[1], KEY_MGR_ECDH0_INFO_SIZE);
    key_config.key_type = ESP_KEY_MGR_XTS_AES_256_KEY;
    static esp_key_mgr_key_recovery_info_t key_recovery_info;
    static esp_key_mgr_ecdh0_info_t ecdh0_info;
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_ecdh0_mode(&key_config, &key_recovery_info, &ecdh0_info));
    ESP_LOG_BUFFER_HEXDUMP("K2_G_0", ecdh0_info.k2_G[0], KEY_MGR_ECDH0_INFO_SIZE, ESP_LOG_DEBUG);
    ESP_LOG_BUFFER_HEXDUMP("K2_G_1", ecdh0_info.k2_G[1], KEY_MGR_ECDH0_INFO_SIZE, ESP_LOG_DEBUG);
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info));
    test_xts_aes_key_ecdh0_mode(&test_data_ecdh0);
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
 }
 #endif /* SOC_FLASH_ENCRYPTION_XTS_AES_256 */
 #if CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS
 static void test_xts_aes_key_random_mode(void)
 {
    const esp_partition_t *partition = get_test_storage_partition();
    ESP_ERROR_CHECK(esp_partition_erase_range(partition, 0, partition->size));
    uint8_t plaintext_data[1024] = {[0 ... 1023] = 0xBE};
    const int write_size = 16;
    for (int i = 0; i < sizeof(plaintext_data) / write_size; i++) {
        ESP_LOGI("", " i = %d", i);
        ESP_ERROR_CHECK(esp_flash_write_encrypted(NULL, partition->address + (i * write_size), plaintext_data, write_size));
        static uint8_t read_data[128];
        ESP_ERROR_CHECK(esp_partition_read(partition, write_size * i, read_data, write_size));
        TEST_ASSERT_EQUAL_HEX8_ARRAY(plaintext_data + (i * write_size), read_data, write_size);
    }
 }
 #if SOC_FLASH_ENCRYPTION_XTS_AES_128
 static void key_mgr_test_xts_aes_128_random_mode(void)
 {
    static esp_key_mgr_random_key_config_t key_config;
    key_config.key_type = ESP_KEY_MGR_XTS_AES_128_KEY;
    static esp_key_mgr_key_recovery_info_t key_recovery_info;
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_random_mode(&key_config, &key_recovery_info));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info));
    test_xts_aes_key_random_mode();
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
 }
 #endif /* SOC_FLASH_ENCRYPTION_XTS_AES_128 */
 #if SOC_FLASH_ENCRYPTION_XTS_AES_256
 static void key_mgr_test_xts_aes_256_random_mode(void)
 {
    static esp_key_mgr_random_key_config_t key_config;
    key_config.key_type = ESP_KEY_MGR_XTS_AES_256_KEY;
    static esp_key_mgr_key_recovery_info_t key_recovery_info;
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_random_mode(&key_config, &key_recovery_info));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info));
    test_xts_aes_key_random_mode();
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
 }
 #endif /* SOC_FLASH_ENCRYPTION_XTS_AES_256 */
 #endif /* CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS */
 #endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY */
 #if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY
 #if SOC_ECDSA_SUPPORT_EXPORT_PUBKEY
 extern void test_ecdsa_export_pubkey(bool is_p256, uint8_t *ecdsa_pub_x, uint8_t *ecdsa_pub_y, bool use_km_key);
 extern void test_ecdsa_export_pubkey_inner(bool is_p256, uint8_t *exported_pub_x, uint8_t *exported_pub_y, bool use_km_key, uint16_t *len);
 #endif
 extern void test_ecdsa_sign(bool is_p256, uint8_t* sha, uint8_t* r_le, uint8_t* s_le, bool use_km_key, ecdsa_sign_type_t k_type);
 extern int test_ecdsa_verify(bool is_p256, uint8_t* sha, uint8_t* r_le, uint8_t* s_le, uint8_t *pub_x, uint8_t *pub_y);
 extern void test_ecdsa_sign_and_verify(bool is_p256, uint8_t* sha, uint8_t* pub_x, uint8_t* pub_y, bool use_km_key, ecdsa_sign_type_t k_type);
 /*
@@ -137,11 +228,6 @@ void test_ecdsa_key_aes_mode(test_data_aes_mode_t *ecdsa_test_data, ecdsa_sign_t
 #endif
 }
 extern void test_ecdsa_sign(bool is_p256, uint8_t* sha, uint8_t* r_le, uint8_t* s_le, bool use_km_key, ecdsa_sign_type_t k_type);
 extern int test_ecdsa_verify(bool is_p256, uint8_t* sha, uint8_t* r_le, uint8_t* s_le, uint8_t *pub_x, uint8_t *pub_y);
 void key_mgr_test_ecdsa_key(bool is_p256, ecdsa_sign_type_t k_type)
 {
    uint8_t pub_x[32] = {};
@@ -151,18 +237,17 @@ void key_mgr_test_ecdsa_key(bool is_p256, ecdsa_sign_type_t k_type)
    test_ecdsa_sign(is_p256, sha256_digest, r_le, s_le, 1, k_type);
-    print_data_in_hex(sha256_digest, sizeof(sha256_digest), "ECDSA message sha256 digest");
+    ESP_LOG_BUFFER_HEXDUMP("ECDSA message sha256 digest", sha256_digest, sizeof(sha256_digest), ESP_LOG_DEBUG);
-    print_data_in_hex(r_le, sizeof(r_le), "ECDSA signature r_le");
+    ESP_LOG_BUFFER_HEXDUMP("ECDSA signature r_le", r_le, sizeof(r_le), ESP_LOG_DEBUG);
-    print_data_in_hex(s_le, sizeof(s_le), "ECDSA signature s_le");
+    ESP_LOG_BUFFER_HEXDUMP("ECDSA signature s_le", s_le, sizeof(s_le), ESP_LOG_DEBUG);
    // Export the pubkey from ECDSA peripheral
    uint16_t pubkey_len = 0;
    test_ecdsa_export_pubkey_inner(is_p256, pub_x, pub_y, 1, &pubkey_len);
-    print_data_in_hex(pub_x, pubkey_len, "ECDSA key pubx");
+    ESP_LOG_BUFFER_HEXDUMP("ECDSA key pubx", pub_x, pubkey_len, ESP_LOG_DEBUG);
-    print_data_in_hex(pub_y, pubkey_len, "ECDSA key puby");
+    ESP_LOG_BUFFER_HEXDUMP("ECDSA key puby", pub_y, pubkey_len, ESP_LOG_DEBUG);
    TEST_ASSERT_EQUAL(0, test_ecdsa_verify(is_p256, sha256_digest, r_le, s_le, pub_x, pub_y));
 }
 static void key_mgr_test_ecdsa_p256_aes_mode(void)
@@ -172,7 +257,7 @@ static void key_mgr_test_ecdsa_p256_aes_mode(void)
    memcpy(key_config.k1_encrypted, (uint8_t*) test_data_ecdsa.k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE);
    memcpy(key_config.sw_init_key, (uint8_t*) test_data_ecdsa.init_key, KEY_MGR_SW_INIT_KEY_SIZE);
    key_config.use_pre_generated_sw_init_key = 1;
-    key_config.key_type = ESP_KEY_MGR_ECDSA_KEY;
+    key_config.key_type = ESP_KEY_MGR_ECDSA_256_KEY;
    static esp_key_mgr_key_recovery_info_t key_recovery_info;
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_aes_mode(&key_config, &key_recovery_info));
@@ -185,56 +270,16 @@ static void key_mgr_test_ecdsa_p256_aes_mode(void)
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
 }
 static void key_mgr_test_xts_aes_128_ecdh0_mode(void)
 {
    printf("\nKey Manager ECDH0 deployment: XTS_AES_128 key\n");
    static esp_key_mgr_ecdh0_key_config_t key_config;
    memcpy(key_config.k1_G[0], (uint8_t*) test_data_ecdh0.k1_G[0], KEY_MGR_ECDH0_INFO_SIZE);
    key_config.key_type = ESP_KEY_MGR_XTS_AES_128_KEY;
    static esp_key_mgr_key_recovery_info_t key_recovery_info;
    static esp_key_mgr_ecdh0_info_t ecdh0_info;
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_ecdh0_mode(&key_config, &key_recovery_info, &ecdh0_info));
    print_data_in_hex(ecdh0_info.k2_G[0], KEY_MGR_ECDH0_INFO_SIZE, "K2_G");
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info));
    test_xts_aes_key_ecdh0_mode(&test_data_ecdh0);
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
 }
 static void key_mgr_test_xts_aes_256_ecdh0_mode(void)
 {
    printf("\nKey Manager ECDH0 deployment: XTS_AES_256 key\n");
    static esp_key_mgr_ecdh0_key_config_t key_config;
    memcpy(key_config.k1_G[0], (uint8_t*) test_data_ecdh0.k1_G[0], KEY_MGR_ECDH0_INFO_SIZE);
    memcpy(key_config.k1_G[1], (uint8_t*) test_data_ecdh0.k1_G[1], KEY_MGR_ECDH0_INFO_SIZE);
    key_config.key_type = ESP_KEY_MGR_XTS_AES_256_KEY;
    static esp_key_mgr_key_recovery_info_t key_recovery_info;
    static esp_key_mgr_ecdh0_info_t ecdh0_info;
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_ecdh0_mode(&key_config, &key_recovery_info, &ecdh0_info));
    print_data_in_hex(ecdh0_info.k2_G[0], KEY_MGR_ECDH0_INFO_SIZE, "K2_G_0");
    print_data_in_hex(ecdh0_info.k2_G[1], KEY_MGR_ECDH0_INFO_SIZE, "K2_G_1");
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info));
    test_xts_aes_key_ecdh0_mode(&test_data_ecdh0);
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
 }
 static void key_mgr_test_ecdsa_ecdh0_mode(void)
 {
    printf("\nKey Manager ECDH0 deployment: ECDSA_256 key\n");
    static esp_key_mgr_ecdh0_key_config_t key_config;
    memcpy(key_config.k1_G[0], (uint8_t*) test_data_ecdh0.k1_G[0], KEY_MGR_ECDH0_INFO_SIZE);
-    key_config.key_type = ESP_KEY_MGR_ECDSA_KEY;
+    key_config.key_type = ESP_KEY_MGR_ECDSA_256_KEY;
    static esp_key_mgr_key_recovery_info_t key_recovery_info;
    static esp_key_mgr_ecdh0_info_t ecdh0_info;
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_ecdh0_mode(&key_config, &key_recovery_info, &ecdh0_info));
-
+    ESP_LOG_BUFFER_HEXDUMP("K2_G", ecdh0_info.k2_G[0], KEY_MGR_ECDH0_INFO_SIZE, ESP_LOG_DEBUG);
    print_data_in_hex(ecdh0_info.k2_G[0], KEY_MGR_ECDH0_INFO_SIZE, "K2_G");
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info));
 #ifdef SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE
@@ -246,72 +291,142 @@ static void key_mgr_test_ecdsa_ecdh0_mode(void)
 static void key_mgr_test_ecdsa_random_mode(void)
 {
    printf("\nKey Manager Random deployment: ECDSA_256 key\n");
    static esp_key_mgr_random_key_config_t key_config;
-    key_config.key_type = ESP_KEY_MGR_ECDSA_KEY;
+    key_config.key_type = ESP_KEY_MGR_ECDSA_256_KEY;
    static esp_key_mgr_key_recovery_info_t key_recovery_info;
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_random_mode(&key_config, &key_recovery_info));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info));
 #ifdef SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE
    key_mgr_test_ecdsa_key(1, ECDSA_K_TYPE_DETERMINISITIC);
 #endif
    key_mgr_test_ecdsa_key(1, ECDSA_K_TYPE_TRNG);
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
 }
 #endif /* SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY */
-#if CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS
+#if SOC_KEY_MANAGER_HMAC_KEY_DEPLOY
 extern esp_err_t hmac_calculate(uint32_t key_id, const void *message, size_t message_len, uint8_t *hmac);
-static void test_xts_aes_key_random_mode(void)
+static void key_mgr_test_hmac_key_aes_mode(test_data_aes_mode_t *test_data)
 {
-    const esp_partition_t *partition = get_test_storage_partition();
+    uint8_t hmac[32] = {0};
-    ESP_ERROR_CHECK(esp_partition_erase_range(partition, 0, partition->size));
+    TEST_ASSERT_EQUAL(ESP_OK, hmac_calculate(HMAC_KEY_KM, test_data->hmac_test_data.message, sizeof(test_data->hmac_test_data.message), hmac));
-    uint8_t plaintext_data[1024] = {[0 ... 1023] = 0xBE};
+    TEST_ASSERT_EQUAL_HEX8_ARRAY(test_data->hmac_test_data.hmac_result, hmac, sizeof(test_data->hmac_test_data.hmac_result));
-    const int write_size = 16;
+}
-    for (int i = 0; i < sizeof(plaintext_data) / write_size; i++) {
+
-        printf("\n i = %d\n", i);
+static void key_mgr_test_hmac_key_ecdh0_mode(const uint8_t *message, size_t message_len)
-        ESP_ERROR_CHECK(esp_flash_write_encrypted(NULL, partition->address + (i * write_size), plaintext_data, write_size));
+{
-        static uint8_t read_data[128];
+    uint8_t hmac[32] = {0};
-        ESP_ERROR_CHECK(esp_partition_read(partition, write_size * i, read_data, write_size));
+    TEST_ASSERT_EQUAL(ESP_OK, hmac_calculate(HMAC_KEY_KM, message, message_len, hmac));
-        TEST_ASSERT_EQUAL_HEX8_ARRAY(plaintext_data + (i * write_size), read_data, write_size);
+    // We cannot verify the result here as the HMAC key deployed is unknown.
-    }
+}
 static void key_mgr_test_hmac_key_aes_random_mode(const uint8_t *message, size_t message_len)
 {
    uint8_t hmac[32] = {0};
    TEST_ASSERT_EQUAL(ESP_OK, hmac_calculate(HMAC_KEY_KM, message, message_len, hmac));
    // We cannot verify the result here as the HMAC key deployed is unknown.
 }
-static void key_mgr_test_xts_aes_128_random_mode(void)
+static void key_mgr_test_hmac_aes_mode(void)
 {
-    static esp_key_mgr_random_key_config_t key_config;
+    static esp_key_mgr_aes_key_config_t key_config;
-    key_config.key_type = ESP_KEY_MGR_XTS_AES_128_KEY;
+    memcpy(key_config.k2_info, (uint8_t*) test_data_hmac.k2_info, KEY_MGR_K2_INFO_SIZE);
    memcpy(key_config.k1_encrypted, (uint8_t*) test_data_hmac.k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE);
    memcpy(key_config.sw_init_key, (uint8_t*) test_data_hmac.init_key, KEY_MGR_SW_INIT_KEY_SIZE);
    key_config.use_pre_generated_sw_init_key = 1;
    key_config.key_type = ESP_KEY_MGR_HMAC_KEY;
    static esp_key_mgr_key_recovery_info_t key_recovery_info;
-    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_random_mode(&key_config, &key_recovery_info));
+    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_aes_mode(&key_config, &key_recovery_info));
-    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info));
+    ESP_LOG_BUFFER_HEXDUMP("key_info", key_recovery_info.key_info, sizeof(esp_key_mgr_key_info_t), ESP_LOG_DEBUG);
    test_xts_aes_key_random_mode();
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info));
    key_mgr_test_hmac_key_aes_mode(&test_data_hmac);
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
 }
-static void key_mgr_test_xts_aes_256_random_mode(void)
+static void key_mgr_test_hmac_ecdh0_mode(void)
 {
    static esp_key_mgr_ecdh0_key_config_t key_config;
    memcpy(key_config.k1_G[0], (uint8_t*) test_data_ecdh0.k1_G[0], KEY_MGR_ECDH0_INFO_SIZE);
    key_config.key_type = ESP_KEY_MGR_HMAC_KEY;
    static esp_key_mgr_key_recovery_info_t key_recovery_info;
    static esp_key_mgr_ecdh0_info_t ecdh0_info;
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_ecdh0_mode(&key_config, &key_recovery_info, &ecdh0_info));
    ESP_LOG_BUFFER_HEXDUMP("K2_G", ecdh0_info.k2_G[0], KEY_MGR_ECDH0_INFO_SIZE, ESP_LOG_DEBUG);
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info));
    key_mgr_test_hmac_key_ecdh0_mode(test_data_hmac.hmac_test_data.message, sizeof(test_data_hmac.hmac_test_data.message));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
 }
 static void key_mgr_test_hmac_random_mode(void)
 {
    static esp_key_mgr_random_key_config_t key_config;
-    key_config.key_type = ESP_KEY_MGR_XTS_AES_256_KEY;
+    key_config.key_type = ESP_KEY_MGR_HMAC_KEY;
    static esp_key_mgr_key_recovery_info_t key_recovery_info;
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_random_mode(&key_config, &key_recovery_info));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info));
-    test_xts_aes_key_random_mode();
+    key_mgr_test_hmac_key_aes_random_mode(test_data_hmac.hmac_test_data.message, sizeof(test_data_hmac.hmac_test_data.message));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
 }
-#endif
+#endif /* SOC_KEY_MANAGER_HMAC_KEY_DEPLOY */
 #if SOC_KEY_MANAGER_DS_KEY_DEPLOY
 extern esp_err_t esp_ds_sign(const void *message,
                            const esp_ds_data_t *data,
                            uint32_t key_id,
                            void *signature);
 static void key_mgr_test_ds_key_aes_mode(test_data_aes_mode_t *test_data)
 {
    esp_ds_data_t esp_ds_data = {0};
    esp_ds_data.rsa_length = test_data->ds_test_data.ds_key_size / 32 - 1;
    memcpy(esp_ds_data.iv, test_data->ds_test_data.ds_encrypted_input_params_iv, sizeof(esp_ds_data.iv));
    memcpy(esp_ds_data.c, test_data->ds_test_data.ds_encrypted_input_params, sizeof(esp_ds_data.c));
    uint8_t signature[4096 / 8] = {0}; // Max possible RSA signature size
    esp_err_t ds_r = esp_ds_sign(test_data->ds_test_data.ds_message,
                                 &esp_ds_data,
                                 HMAC_KEY_KM,
                                 signature);
    TEST_ASSERT_EQUAL(ESP_OK, ds_r);
    TEST_ASSERT_EQUAL_HEX8_ARRAY(test_data->ds_test_data.ds_result, signature, sizeof(test_data->ds_test_data.ds_result));
 }
 static void key_mgr_test_ds_aes_mode(void)
 {
    static esp_key_mgr_aes_key_config_t key_config;
    memcpy(key_config.k2_info, (uint8_t*) test_data_ds.k2_info, KEY_MGR_K2_INFO_SIZE);
    memcpy(key_config.k1_encrypted, (uint8_t*) test_data_ds.k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE);
    memcpy(key_config.sw_init_key, (uint8_t*) test_data_ds.init_key, KEY_MGR_SW_INIT_KEY_SIZE);
    key_config.use_pre_generated_sw_init_key = 1;
    key_config.key_type = ESP_KEY_MGR_DS_KEY;
    static esp_key_mgr_key_recovery_info_t key_recovery_info;
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_aes_mode(&key_config, &key_recovery_info));
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info));
    key_mgr_test_ds_key_aes_mode(&test_data_ds);
    TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
 }
 #endif /* SOC_KEY_MANAGER_DS_KEY_DEPLOY */
 TEST_GROUP(key_manager);
 TEST_SETUP(key_manager)
 {
    test_utils_record_free_mem();
-    TEST_ESP_OK(test_utils_set_leak_level(700, ESP_LEAK_TYPE_CRITICAL, ESP_COMP_LEAK_GENERAL));
+    TEST_ESP_OK(test_utils_set_leak_level(800, ESP_LEAK_TYPE_CRITICAL, ESP_COMP_LEAK_GENERAL));
 }
 TEST_TEAR_DOWN(key_manager)
@@ -320,55 +435,124 @@ TEST_TEAR_DOWN(key_manager)
                                         test_utils_get_leak_level(ESP_LEAK_TYPE_CRITICAL, ESP_COMP_LEAK_ALL));
 }
 #if SOC_KEY_MANAGER_FE_KEY_DEPLOY
 #if SOC_FLASH_ENCRYPTION_XTS_AES_128
 TEST(key_manager, xts_aes_128_key_aes_deployment)
 {
-    key_mgr_test_xts_aes_128();
+    key_mgr_test_xts_aes_128_aes_mode();
 }
 TEST(key_manager, xts_key_128_ecdh0_deployment)
 {
    key_mgr_test_xts_aes_128_ecdh0_mode();
 }
 #if CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS
 TEST(key_manager, xts_key_128_random_deployment)
 {
    key_mgr_test_xts_aes_128_random_mode();
 }
 #endif /* CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS */
 #endif /* SOC_FLASH_ENCRYPTION_XTS_AES_128 */
 #if SOC_FLASH_ENCRYPTION_XTS_AES_256
 TEST(key_manager, xts_aes_256_key_aes_deployment)
 {
    key_mgr_test_xts_aes_256_aes_mode();
 }
-TEST(key_manager, ecdsa_key_aes_deployment)
+TEST(key_manager, xts_key_256_ecdh0_deployment)
 {
    key_mgr_test_xts_aes_256_ecdh0_mode();
 }
 #if CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS
 TEST(key_manager, xts_key_256_random_deployment)
 {
    key_mgr_test_xts_aes_256_random_mode();
 }
 #endif /* CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS */
 #endif /* SOC_FLASH_ENCRYPTION_XTS_AES_256 */
 #endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY */
 #if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY
 TEST(key_manager, ecdsa_p256_key_aes_deployment)
 {
    key_mgr_test_ecdsa_p256_aes_mode();
 }
-TEST(key_manager, xts_key_ecdh0_deployment)
+TEST(key_manager, ecdsa_p256_key_ecdh0_deployment)
 {
    key_mgr_test_xts_aes_128_ecdh0_mode();
    key_mgr_test_xts_aes_256_ecdh0_mode();
 }
 TEST(key_manager, ecdsa_key_ecdh0_deployment)
 {
    key_mgr_test_ecdsa_ecdh0_mode();
 }
-TEST(key_manager, ecdsa_key_random_deployment)
+TEST(key_manager, ecdsa_p256_key_random_deployment)
 {
    key_mgr_test_ecdsa_random_mode();
 }
 #endif /* SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY */
-#if CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS
+#if SOC_KEY_MANAGER_HMAC_KEY_DEPLOY
-TEST(key_manager, xts_key_random_deployment)
+TEST(key_manager, hmac_key_aes_deployment)
 {
-    key_mgr_test_xts_aes_128_random_mode();
+    key_mgr_test_hmac_aes_mode();
    key_mgr_test_xts_aes_256_random_mode();
 }
-#endif
+
 TEST(key_manager, hmac_key_ecdh0_deployment)
 {
    key_mgr_test_hmac_ecdh0_mode();
 }
 TEST(key_manager, hmac_key_random_deployment)
 {
    key_mgr_test_hmac_random_mode();
 }
 #endif /* SOC_KEY_MANAGER_HMAC_KEY_DEPLOY */
 #if SOC_KEY_MANAGER_DS_KEY_DEPLOY
 TEST(key_manager, ds_key_aes_deployment)
 {
    key_mgr_test_ds_aes_mode();
 }
 #endif /* SOC_KEY_MANAGER_DS_KEY_DEPLOY */
 TEST_GROUP_RUNNER(key_manager)
 {
 #if SOC_KEY_MANAGER_FE_KEY_DEPLOY
 #if SOC_FLASH_ENCRYPTION_XTS_AES_128
    RUN_TEST_CASE(key_manager, xts_aes_128_key_aes_deployment);
-    RUN_TEST_CASE(key_manager, xts_aes_256_key_aes_deployment);
+    RUN_TEST_CASE(key_manager, xts_key_128_ecdh0_deployment);
    RUN_TEST_CASE(key_manager, ecdsa_key_aes_deployment);
    RUN_TEST_CASE(key_manager, xts_key_ecdh0_deployment);
    RUN_TEST_CASE(key_manager, ecdsa_key_ecdh0_deployment);
    RUN_TEST_CASE(key_manager, ecdsa_key_random_deployment);
 #if CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS
-    RUN_TEST_CASE(key_manager, xts_key_random_deployment);
+    // This tests expects Flash encryption to be enabled as the test compares the decrypted flash data with the plaintext data
-#endif
+    RUN_TEST_CASE(key_manager, xts_key_128_random_deployment);
 #endif /* CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS */
 #endif /* SOC_FLASH_ENCRYPTION_XTS_AES_128 */
 #if SOC_FLASH_ENCRYPTION_XTS_AES_256
    RUN_TEST_CASE(key_manager, xts_aes_256_key_aes_deployment);
    RUN_TEST_CASE(key_manager, xts_key_256_ecdh0_deployment);
 #if CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS
    RUN_TEST_CASE(key_manager, xts_key_256_random_deployment);
 #endif /* CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS */
 #endif /* SOC_FLASH_ENCRYPTION_XTS_AES_256 */
 #endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY */
 #if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY
    RUN_TEST_CASE(key_manager, ecdsa_p256_key_aes_deployment);
    RUN_TEST_CASE(key_manager, ecdsa_p256_key_ecdh0_deployment);
    RUN_TEST_CASE(key_manager, ecdsa_p256_key_random_deployment);
 #endif /* SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY */
 #if SOC_KEY_MANAGER_HMAC_KEY_DEPLOY
    RUN_TEST_CASE(key_manager, hmac_key_aes_deployment);
    RUN_TEST_CASE(key_manager, hmac_key_ecdh0_deployment);
    RUN_TEST_CASE(key_manager, hmac_key_random_deployment);
 #endif /* SOC_KEY_MANAGER_HMAC_KEY_DEPLOY */
 #if SOC_KEY_MANAGER_DS_KEY_DEPLOY
    RUN_TEST_CASE(key_manager, ds_key_aes_deployment);
    // Verifying deployment of a DS key using the ECDH0 and Random mode of the Key Manager
    // is not possible as the deployed DS key is not known to user in these modes to
    // pre-generate the ciphertext input data.
 #endif /* SOC_KEY_MANAGER_DS_KEY_DEPLOY */
 }
--- a/components/hal/test_apps/crypto/main/mpi/test_mpi.c
+++ b/components/hal/test_apps/crypto/main/mpi/test_mpi.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Unlicense OR CC0-1.0
 */
@@ -19,17 +19,13 @@
 #include "hal/mpi_hal.h"
 #include "hal/mpi_ll.h"
 #include "mpi_params.h"
 #include "esp_crypto_periph_clk.h"
 #define _DEBUG_ 0
 static void esp_mpi_enable_hardware_hw_op( void )
 {
-    /* Enable RSA hardware */
+    esp_crypto_mpi_enable_periph_clk(true);
    MPI_RCC_ATOMIC() {
        mpi_ll_enable_bus_clock(true);
        mpi_ll_reset_register();
    }
    mpi_hal_enable_hardware_hw_op();
 }
@@ -37,11 +33,7 @@ static void esp_mpi_enable_hardware_hw_op( void )
 static void esp_mpi_disable_hardware_hw_op( void )
 {
    mpi_hal_disable_hardware_hw_op();
-
+    esp_crypto_mpi_enable_periph_clk(false);
    /* Disable RSA hardware */
    MPI_RCC_ATOMIC() {
        mpi_ll_enable_bus_clock(false);
    }
 }
--- a/components/hal/test_apps/crypto/main/sha/sha_block.c
+++ b/components/hal/test_apps/crypto/main/sha/sha_block.c
@@ -12,7 +12,7 @@
 #include "soc/periph_defs.h"
 #include "esp_private/periph_ctrl.h"
-#include "esp_private/esp_crypto_lock_internal.h"
+#include "esp_crypto_periph_clk.h"
 #include "hal/sha_hal.h"
 #include "hal/sha_ll.h"
 #include "sha_block.h"
@@ -68,10 +68,7 @@ static void sha1_update_block(sha1_ctx* ctx, esp_sha_type sha_type, const unsign
    if ( (ilen >= 64) || local_len) {
        /* Enable peripheral module */
-        SHA_RCC_ATOMIC() {
+        esp_crypto_sha_enable_periph_clk(true);
            sha_ll_enable_bus_clock(true);
            sha_ll_reset_register();
        }
        sha_hal_wait_idle();
        sha_hal_set_mode(sha_type);
@@ -103,9 +100,7 @@ static void sha1_update_block(sha1_ctx* ctx, esp_sha_type sha_type, const unsign
        sha_hal_read_digest(sha_type, ctx->state);
        /* Disable peripheral module */
-        SHA_RCC_ATOMIC() {
+        esp_crypto_sha_enable_periph_clk(false);
            sha_ll_enable_bus_clock(false);
        }
    }
    if ( ilen > 0 ) {
@@ -172,10 +167,7 @@ static void sha256_update_block(sha256_ctx* ctx, esp_sha_type sha_type, const un
    if ( (ilen >= 64) || local_len) {
        /* Enable peripheral module */
-        SHA_RCC_ATOMIC() {
+        esp_crypto_sha_enable_periph_clk(true);
            sha_ll_enable_bus_clock(true);
            sha_ll_reset_register();
        }
        sha_hal_wait_idle();
        sha_hal_set_mode(sha_type);
@@ -207,9 +199,7 @@ static void sha256_update_block(sha256_ctx* ctx, esp_sha_type sha_type, const un
        sha_hal_read_digest(sha_type, ctx->state);
        /* Disable peripheral module */
-        SHA_RCC_ATOMIC() {
+        esp_crypto_sha_enable_periph_clk(false);
            sha_ll_enable_bus_clock(false);
        }
    }
    if ( ilen > 0 ) {
@@ -321,10 +311,7 @@ static void sha512_update_block(sha512_ctx* ctx, esp_sha_type sha_type, const un
    if ( (ilen >= 128) || local_len) {
        /* Enable peripheral module */
-        SHA_RCC_ATOMIC() {
+        esp_crypto_sha_enable_periph_clk(true);
            sha_ll_enable_bus_clock(true);
            sha_ll_reset_register();
        }
        sha_hal_wait_idle();
        sha_hal_set_mode(sha_type);
@@ -360,9 +347,7 @@ static void sha512_update_block(sha512_ctx* ctx, esp_sha_type sha_type, const un
        sha_hal_read_digest(sha_type, ctx->state);
        /* Disable peripheral module */
-        SHA_RCC_ATOMIC() {
+        esp_crypto_sha_enable_periph_clk(false);
            sha_ll_enable_bus_clock(false);
        }
    }
    if ( ilen > 0 ) {
--- a/components/mbedtls/port/bignum/bignum_alt.c
+++ b/components/mbedtls/port/bignum/bignum_alt.c
@@ -24,8 +24,6 @@ void esp_mpi_enable_hardware_hw_op( void )
 void esp_mpi_disable_hardware_hw_op( void )
 {
    mpi_hal_disable_hardware_hw_op();
    /* Disable RSA hardware */
    esp_crypto_mpi_enable_periph_clk(false);
--- a/components/mbedtls/test_apps/main/CMakeLists.txt
+++ b/components/mbedtls/test_apps/main/CMakeLists.txt
@@ -7,7 +7,7 @@ set(TEST_CRTS "crts/server_cert_chain.pem"
 idf_component_register(SRC_DIRS "."
                    PRIV_INCLUDE_DIRS "."
-                    PRIV_REQUIRES efuse cmock test_utils mbedtls esp_timer unity spi_flash esp_psram
+                    PRIV_REQUIRES efuse cmock test_utils mbedtls esp_timer unity spi_flash esp_psram esp_security
                    EMBED_TXTFILES ${TEST_CRTS}
                    WHOLE_ARCHIVE)
--- a/components/mbedtls/test_apps/main/test_mbedtls_ecdsa.c
+++ b/components/mbedtls/test_apps/main/test_mbedtls_ecdsa.c
@@ -205,20 +205,20 @@ const uint8_t ecdsa192_sign_pub_y[] = {
 /* Big endian */
 const uint8_t init_key[] = {
-    0x4d, 0x21, 0x64, 0x21, 0x8f, 0xa2, 0xe3, 0xa0, 0xab, 0x74, 0xb5, 0xab, 0x17, 0x9a, 0x5d, 0x08, 0x58, 0xf4, 0x22, 0x03, 0xbd, 0x52, 0xe7, 0x88, 0x3c, 0x22, 0x0f, 0x95, 0x89, 0x70, 0xe1, 0x93
+    0xee, 0x89, 0x95, 0xda, 0x3c, 0x8a, 0x43, 0x83, 0xa9, 0x4b, 0x25, 0x5b, 0x04, 0x7e, 0xf1, 0x57, 0xb8, 0xe8, 0x06, 0x45, 0x87, 0x76, 0xee, 0x1b, 0x4e, 0x2e, 0x55, 0xa7, 0x1f, 0x25, 0xe1, 0x94,
 };
 /* Big endian */
 const uint8_t k2_info[] = {
-    0xd8, 0xcd, 0x04, 0x45, 0xb4, 0x45, 0xc4, 0x15, 0xf6, 0x40, 0x1c, 0x7d, 0x90, 0x1b, 0x99, 0xa4, 0x79, 0x6b, 0xfb, 0x5b, 0x2a, 0x40, 0x60, 0xe1, 0xc1, 0xe1, 0x48, 0xcd, 0x46, 0x6b, 0x9b, 0x48, 0xda, 0x7a, 0x70, 0x0a, 0x78, 0x0b, 0x9d, 0xf9, 0x0e, 0xed, 0x91, 0xfc, 0xa5, 0xc2, 0x96, 0x05, 0x91, 0x76, 0xdb, 0x68, 0x84, 0x5d, 0x5e, 0x5b, 0xa6, 0xe9, 0x6b, 0x3b, 0x12, 0x50, 0x05, 0xc3
+    0x8f, 0x96, 0x33, 0x47, 0xe1, 0xa5, 0x57, 0xe9, 0x2a, 0x51, 0xa9, 0xbe, 0x48, 0x84, 0x25, 0x4e, 0x6f, 0x50, 0x1c, 0x45, 0xdb, 0xb6, 0xfa, 0xeb, 0x35, 0xd2, 0x27, 0x91, 0x3f, 0x67, 0x57, 0xd9, 0xcb, 0x55, 0xe4, 0x2b, 0x18, 0x16, 0xe7, 0xce, 0x6c, 0xf2, 0x58, 0x71, 0x17, 0x76, 0x2a, 0x86, 0x05, 0xe7, 0x37, 0x45, 0x71, 0x34, 0xca, 0xaf, 0x60, 0x07, 0xdf, 0xf4, 0xd2, 0xee, 0x3d, 0x4b,
 };
-const uint8_t k1_ecdsa256_xts_encrypt[] = {
+const uint8_t k1_ecdsa256_encrypt[] = {
-    0x9f, 0x64, 0x80, 0x16, 0xa3, 0xab, 0x26, 0x64, 0x9b, 0xe6, 0x86, 0xcd, 0xf5, 0x14, 0x11, 0xb9, 0xb0, 0xe9, 0x87, 0xf6, 0xfe, 0x1b, 0x98, 0x0f, 0x9c, 0x3e, 0x21, 0xa7, 0xfa, 0x53, 0x47, 0x60
+    0xcb, 0x8b, 0x74, 0xfb, 0xdf, 0x8f, 0x52, 0x0a, 0xff, 0x00, 0xf2, 0x83, 0xfa, 0xdb, 0x34, 0x18, 0xbe, 0xae, 0xe2, 0x58, 0x75, 0x94, 0x69, 0x89, 0xdd, 0x72, 0xdb, 0x04, 0x2c, 0xad, 0x4e, 0x3a,
 };
-const uint8_t k1_ecdsa192_xts_encrypt[] = {
+const uint8_t k1_ecdsa192_encrypt[] = {
-   0x54, 0xf5, 0x97, 0xb8, 0xff, 0x1d, 0x34, 0x85, 0x8d, 0xf1, 0x43, 0xaa, 0xc0, 0x0f, 0xe2, 0x4d, 0x0b, 0xee, 0xdd, 0x89, 0x31, 0x39, 0x1b, 0xbe, 0x9b, 0x55, 0x53, 0xe0, 0xc7, 0xd9, 0x79, 0xaf
+   0xde, 0xe9, 0x9c, 0x89, 0xf2, 0x3b, 0x29, 0xb7, 0x9e, 0x33, 0xec, 0x76, 0x75, 0x2f, 0x3e, 0xab, 0x61, 0x06, 0x4d, 0xea, 0x05, 0x2c, 0xc3, 0x29, 0x1c, 0x7f, 0xb7, 0x3d, 0xb8, 0x1c, 0xb2, 0x17,
 };
 void test_ecdsa_sign(mbedtls_ecp_group_id id, const uint8_t *hash, const uint8_t *pub_x, const uint8_t *pub_y, bool is_deterministic, int efuse_key_block)
@@ -273,8 +273,47 @@ TEST_CASE("mbedtls ECDSA signature generation on SECP256R1", "[mbedtls][efuse_ke
    test_ecdsa_sign(MBEDTLS_ECP_DP_SECP256R1, sha, ecdsa256_sign_pub_x, ecdsa256_sign_pub_y, false, SECP256R1_EFUSE_BLOCK);
 }
-#ifdef SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE
+#if SOC_KEY_MANAGER_SUPPORTED
 static void deploy_key_in_key_manager(const uint8_t *k1_encrypted, esp_key_mgr_key_type_t key_type) {
    esp_key_mgr_aes_key_config_t *key_config = NULL;
    key_config = heap_caps_calloc(1, sizeof(esp_key_mgr_aes_key_config_t), MALLOC_CAP_INTERNAL);
    TEST_ASSERT_NOT_NULL(key_config);
    key_config->key_type = key_type;
    key_config->use_pre_generated_sw_init_key = 1;
    memcpy(key_config->k2_info, (uint8_t*) k2_info, KEY_MGR_K2_INFO_SIZE);
    memcpy(key_config->k1_encrypted[0], (uint8_t*) k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE);
    memcpy(key_config->sw_init_key, (uint8_t*) init_key, KEY_MGR_SW_INIT_KEY_SIZE);
    esp_key_mgr_key_recovery_info_t *key_info = NULL;
    key_info = heap_caps_calloc(1, sizeof(esp_key_mgr_key_recovery_info_t), MALLOC_CAP_INTERNAL);
    TEST_ASSERT_NOT_NULL(key_info);
    esp_key_mgr_deploy_key_in_aes_mode(key_config, key_info);
    ESP_LOGI(TAG, "Key deployed successfully");
    esp_key_mgr_activate_key(key_info);
    free(key_info);
    free(key_config);
 }
 TEST_CASE("mbedtls ECDSA signature generation on SECP192R1", "[mbedtls][key_manager_key]")
 {
    deploy_key_in_key_manager(k1_ecdsa192_encrypt, ESP_KEY_MGR_ECDSA_192_KEY);
    test_ecdsa_sign(MBEDTLS_ECP_DP_SECP192R1, sha, ecdsa192_sign_pub_x, ecdsa192_sign_pub_y, false, USE_ECDSA_KEY_FROM_KEY_MANAGER);
    esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_192_KEY);
 }
 TEST_CASE("mbedtls ECDSA signature generation on SECP256R1", "[mbedtls][key_manager_key]")
 {
    deploy_key_in_key_manager(k1_ecdsa256_encrypt, ESP_KEY_MGR_ECDSA_256_KEY);
    test_ecdsa_sign(MBEDTLS_ECP_DP_SECP256R1, sha, ecdsa256_sign_pub_x, ecdsa256_sign_pub_y, false, USE_ECDSA_KEY_FROM_KEY_MANAGER);
    esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_256_KEY);
 }
 #endif /* SOC_KEY_MANAGER_SUPPORTED */
 #ifdef SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE
 TEST_CASE("mbedtls ECDSA deterministic signature generation on SECP192R1", "[mbedtls][efuse_key]")
 {
    if (!ecdsa_ll_is_deterministic_mode_supported()) {
@@ -293,48 +332,32 @@ TEST_CASE("mbedtls ECDSA deterministic signature generation on SECP256R1", "[mbe
    }
 }
 #if SOC_KEY_MANAGER_SUPPORTED
 TEST_CASE("mbedtls ECDSA deterministic signature generation on SECP192R1", "[mbedtls][key_manager_key]")
 {
    if (!ecdsa_ll_is_deterministic_mode_supported()) {
        ESP_LOGI(TAG, "Skipping test because ECDSA deterministic mode is not supported.");
    } else {
        deploy_key_in_key_manager(k1_ecdsa192_encrypt, ESP_KEY_MGR_ECDSA_192_KEY);
        test_ecdsa_sign(MBEDTLS_ECP_DP_SECP192R1, sha, ecdsa192_sign_pub_x, ecdsa192_sign_pub_y, true, USE_ECDSA_KEY_FROM_KEY_MANAGER);
        esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_192_KEY);
    }
 }
 TEST_CASE("mbedtls ECDSA deterministic signature generation on SECP256R1", "[mbedtls][key_manager_key]")
 {
    if (!ecdsa_ll_is_deterministic_mode_supported()) {
        ESP_LOGI(TAG, "Skipping test because ECDSA deterministic mode is not supported.");
    } else {
        deploy_key_in_key_manager(k1_ecdsa256_encrypt, ESP_KEY_MGR_ECDSA_256_KEY);
        test_ecdsa_sign(MBEDTLS_ECP_DP_SECP256R1, sha, ecdsa256_sign_pub_x, ecdsa256_sign_pub_y, true, USE_ECDSA_KEY_FROM_KEY_MANAGER);
        esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_256_KEY);
    }
 }
 #endif /* SOC_KEY_MANAGER_SUPPORTED */
 #endif /* SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE */
 #if SOC_KEY_MANAGER_SUPPORTED
 void deploy_key_in_key_manager(const uint8_t *k1_encrypted) {
    esp_key_mgr_aes_key_config_t *key_config;
    key_config = heap_caps_calloc(1, sizeof(esp_key_mgr_aes_key_config_t), MALLOC_CAP_INTERNAL);
    TEST_ASSERT_NOT_NULL(key_config);
    memcpy(key_config->k2_info, (uint8_t*) k2_info, KEY_MGR_K2_INFO_SIZE);
    memcpy(key_config->k1_encrypted[0], (uint8_t*) k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE);
    memcpy(key_config->sw_init_key, (uint8_t*) init_key, KEY_MGR_SW_INIT_KEY_SIZE);
    key_config->use_pre_generated_sw_init_key = 1;
    key_config->key_type = ESP_KEY_MGR_ECDSA_KEY;
    esp_key_mgr_key_recovery_info_t *key_info;
    key_info = heap_caps_calloc(1, sizeof(esp_key_mgr_key_recovery_info_t), MALLOC_CAP_INTERNAL);
    TEST_ASSERT_NOT_NULL(key_config);
    esp_key_mgr_deploy_key_in_aes_mode(key_config, key_info);
    printf("\nkey deployed successfully\n");
    esp_key_mgr_activate_key(key_info);
    free(key_info);
    free(key_config);
 }
 TEST_CASE("mbedtls ECDSA signature generation on SECP192R1", "[mbedtls][key_manager_key]")
 {
    deploy_key_in_key_manager(k1_ecdsa192_xts_encrypt);
    test_ecdsa_sign(MBEDTLS_ECP_DP_SECP192R1, sha, ecdsa192_sign_pub_x, ecdsa192_sign_pub_y, false, USE_ECDSA_KEY_FROM_KEY_MANAGER);
    esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_KEY);
 }
 TEST_CASE("mbedtls ECDSA signature generation on SECP256R1", "[mbedtls][key_manager_key]")
 {
    deploy_key_in_key_manager(k1_ecdsa256_xts_encrypt);
    test_ecdsa_sign(MBEDTLS_ECP_DP_SECP256R1, sha, ecdsa256_sign_pub_x, ecdsa256_sign_pub_y, false, USE_ECDSA_KEY_FROM_KEY_MANAGER);
    esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_KEY);
 }
 #endif
 #ifdef SOC_ECDSA_SUPPORT_EXPORT_PUBKEY
 void test_ecdsa_export_pubkey(mbedtls_ecp_group_id id, const uint8_t *pub_x, const uint8_t *pub_y, int efuse_key_block)
 {
    uint8_t export_pub_x[32] = {0};
@@ -344,9 +367,14 @@ void test_ecdsa_export_pubkey(mbedtls_ecp_group_id id, const uint8_t *pub_x, con
    esp_ecdsa_pk_conf_t pk_conf = {
        .grp_id = id,
        .load_pubkey = true,
        .efuse_block = efuse_key_block,
    };
    if (efuse_key_block == USE_ECDSA_KEY_FROM_KEY_MANAGER) {
        pk_conf.use_km_key = true;
    } else {
        pk_conf.efuse_block = efuse_key_block;
    }
    if (id == MBEDTLS_ECP_DP_SECP192R1) {
        len = 24;
    } else if (id == MBEDTLS_ECP_DP_SECP256R1) {
@@ -382,18 +410,17 @@ TEST_CASE("mbedtls ECDSA export public key on SECP256R1", "[mbedtls][efuse_key]"
 #if SOC_KEY_MANAGER_SUPPORTED
 TEST_CASE("mbedtls ECDSA export public key on SECP192R1", "[mbedtls][key_manager_key]")
 {
-    deploy_key_in_key_manager(k1_ecdsa192_xts_encrypt);
+    deploy_key_in_key_manager(k1_ecdsa192_encrypt, ESP_KEY_MGR_ECDSA_192_KEY);
    test_ecdsa_export_pubkey(MBEDTLS_ECP_DP_SECP192R1, ecdsa192_sign_pub_x, ecdsa192_sign_pub_y, USE_ECDSA_KEY_FROM_KEY_MANAGER);
-    esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_KEY);
+    esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_192_KEY);
 }
 TEST_CASE("mbedtls ECDSA export public key on SECP256R1", "[mbedtls][key_manager_key]")
 {
-    deploy_key_in_key_manager(k1_ecdsa256_xts_encrypt);
+    deploy_key_in_key_manager(k1_ecdsa256_encrypt, ESP_KEY_MGR_ECDSA_256_KEY);
    test_ecdsa_export_pubkey(MBEDTLS_ECP_DP_SECP256R1, ecdsa256_sign_pub_x, ecdsa256_sign_pub_y,  USE_ECDSA_KEY_FROM_KEY_MANAGER);
-    esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_KEY);
+    esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_256_KEY);
 }
 #endif
 #endif /* SOC_ECDSA_SUPPORT_EXPORT_PUBKEY */
 #endif /* CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN */
--- a/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in
+++ b/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in
@@ -239,6 +239,14 @@ config SOC_RNG_SUPPORTED
    bool
    default y
 config SOC_KEY_MANAGER_SUPPORTED
    bool
    default y
 config SOC_HUK_SUPPORTED
    bool
    default y
 config SOC_MODEM_CLOCK_SUPPORTED
    bool
    default y
@@ -1399,6 +1407,14 @@ config SOC_EFUSE_ECDSA_KEY_P384
    bool
    default y
 config SOC_HUK_MEM_NEEDS_RECHARGE
    bool
    default y
 config SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT
    bool
    default y
 config SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY
    bool
    default y
@@ -1407,6 +1423,14 @@ config SOC_KEY_MANAGER_FE_KEY_DEPLOY
    bool
    default y
 config SOC_KEY_MANAGER_HMAC_KEY_DEPLOY
    bool
    default y
 config SOC_KEY_MANAGER_DS_KEY_DEPLOY
    bool
    default y
 config SOC_SECURE_BOOT_V2_RSA
    bool
    default y
--- a/components/soc/esp32c5/include/soc/soc_caps.h
+++ b/components/soc/esp32c5/include/soc/soc_caps.h
@@ -76,8 +76,8 @@
 #define SOC_SPI_FLASH_SUPPORTED         1     // TODO: [ESP32C5] IDF-8715
 #define SOC_ECDSA_SUPPORTED             1
 #define SOC_RNG_SUPPORTED               1
-// #define SOC_KEY_MANAGER_SUPPORTED       1  // TODO: [ESP32C5] IDF-8621
+#define SOC_KEY_MANAGER_SUPPORTED       1
-// #define SOC_HUK_SUPPORTED               1  // TODO: [ESP32C5] IDF-8617
+#define SOC_HUK_SUPPORTED               1
 #define SOC_MODEM_CLOCK_SUPPORTED       1
 #define SOC_LIGHT_SLEEP_SUPPORTED       1
 #define SOC_DEEP_SLEEP_SUPPORTED        1
@@ -540,9 +540,15 @@
 #define SOC_EFUSE_ECDSA_KEY_P192 1
 #define SOC_EFUSE_ECDSA_KEY_P384 1
 /*-------------------------- HUK CAPS----------------------------*/
 #define SOC_HUK_MEM_NEEDS_RECHARGE 1
 /*-------------------------- Key Manager CAPS----------------------------*/
-#define SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY    1 /*!< Key manager responsible to deploy ECDSA key */
+#define SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT  1 /*!< Key manager supports key deployment */
-#define SOC_KEY_MANAGER_FE_KEY_DEPLOY       1 /*!< Key manager responsible to deploy Flash Encryption key */
+#define SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY        1 /*!< Key manager responsible to deploy ECDSA key */
 #define SOC_KEY_MANAGER_FE_KEY_DEPLOY           1 /*!< Key manager responsible to deploy Flash Encryption key */
 #define SOC_KEY_MANAGER_HMAC_KEY_DEPLOY         1 /*!< Key manager responsible to deploy HMAC key */
 #define SOC_KEY_MANAGER_DS_KEY_DEPLOY           1 /*!< Key manager responsible to deploy DS key */
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_RSA              1
--- a/components/soc/esp32c5/register/soc/keymng_reg.h
+++ b/components/soc/esp32c5/register/soc/keymng_reg.h
@@ -1,5 +1,5 @@
 /**
- * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
 *
 *  SPDX-License-Identifier: Apache-2.0
 */
@@ -148,20 +148,45 @@ extern "C" {
 #define KEYMNG_USE_EFUSE_KEY_V  0x0000001FU
 #define KEYMNG_USE_EFUSE_KEY_S  0
-/* KEYMNG_USE_EFUSE_KEY_ECDSA : R/W ;bitpos:[0] ;default: 1'd0 ; */
+/** KEYMNG_USE_EFUSE_KEY_ECDSA : R/W; bitpos:[0]; default: 0;
-/*description: Set this bit to choose efuse key instead of key manager deployed key for ecdsa.*/
+ *  Set this bit to choose efuse key instead of key manager deployed key for ecdsa.
 */
 #define KEYMNG_USE_EFUSE_KEY_ECDSA    (BIT(0))
-#define KEYMNG_USE_EFUSE_KEY_ECDSA_M  ((KEYMNG_USE_EFUSE_KEY_ECDSA_V)<<(KEYMNG_USE_EFUSE_KEY_ECDSA_S))
+#define KEYMNG_USE_EFUSE_KEY_ECDSA_M  (KEYMNG_USE_EFUSE_KEY_ECDSA_V << KEYMNG_USE_EFUSE_KEY_ECDSA_S)
-#define KEYMNG_USE_EFUSE_KEY_ECDSA_V  0x1
+#define KEYMNG_USE_EFUSE_KEY_ECDSA_V  0x00000001U
 #define KEYMNG_USE_EFUSE_KEY_ECDSA_S  0
-/* KEYMNG_USE_EFUSE_KEY_FLASH : R/W ;bitpos:[1] ;default: 1'd0 ; */
+/** KEYMNG_USE_EFUSE_KEY_FLASH : R/W; bitpos:[1]; default: 0;
-/*description: Set this bit to choose efuse key instead of key manager deployed key for flash.*/
+ *  Set this bit to choose efuse key instead of key manager deployed key for flash.
 */
 #define KEYMNG_USE_EFUSE_KEY_FLASH    (BIT(1))
-#define KEYMNG_USE_EFUSE_KEY_FLASH_M  ((KEYMNG_USE_EFUSE_KEY_FLASH_V)<<(KEYMNG_USE_EFUSE_KEY_FLASH_S))
+#define KEYMNG_USE_EFUSE_KEY_FLASH_M  (KEYMNG_USE_EFUSE_KEY_FLASH_V << KEYMNG_USE_EFUSE_KEY_FLASH_S)
-#define KEYMNG_USE_EFUSE_KEY_FLASH_V  0x1
+#define KEYMNG_USE_EFUSE_KEY_FLASH_V  0x00000001U
 #define KEYMNG_USE_EFUSE_KEY_FLASH_S  1
 /** KEYMNG_USE_EFUSE_KEY_HMAC : R/W; bitpos:[0]; default: 0;
 *  Set this bit to choose efuse key instead of key manager deployed key for hmac.
 */
 #define KEYMNG_USE_EFUSE_KEY_HMAC    (BIT(2))
 #define KEYMNG_USE_EFUSE_KEY_HMAC_M  (KEYMNG_USE_EFUSE_KEY_HMAC_V << KEYMNG_USE_EFUSE_KEY_HMAC_S)
 #define KEYMNG_USE_EFUSE_KEY_HMAC_V  0x00000001U
 #define KEYMNG_USE_EFUSE_KEY_HMAC_S  2
 /** KEYMNG_USE_EFUSE_KEY_DS : R/W; bitpos:[1]; default: 0;
 *  Set this bit to choose efuse key instead of key manager deployed key for ds.
 */
 #define KEYMNG_USE_EFUSE_KEY_DS    (BIT(3))
 #define KEYMNG_USE_EFUSE_KEY_DS_M  (KEYMNG_USE_EFUSE_KEY_DS_V << KEYMNG_USE_EFUSE_KEY_DS_S)
 #define KEYMNG_USE_EFUSE_KEY_DS_V  0x00000001U
 #define KEYMNG_USE_EFUSE_KEY_DS_S  3
 /** KEYMNG_USE_EFUSE_KEY_PSRAM : R/W; bitpos:[1]; default: 0;
 *  Set this bit to choose efuse key instead of key manager deployed key for psram.
 */
 #define KEYMNG_USE_EFUSE_KEY_PSRAM    (BIT(4))
 #define KEYMNG_USE_EFUSE_KEY_PSRAM_M  (KEYMNG_USE_EFUSE_KEY_PSRAM_V << KEYMNG_USE_EFUSE_KEY_PSRAM_S)
 #define KEYMNG_USE_EFUSE_KEY_PSRAM_V  0x00000001U
 #define KEYMNG_USE_EFUSE_KEY_PSRAM_S  4
 /** KEYMNG_RND_SWITCH_CYCLE : R/W; bitpos: [9:5]; default: 15;
 *  The core clock cycle number to sample one rng input data. Please set it bigger than
@@ -208,21 +233,41 @@ extern "C" {
 #define KEYMNG_USE_EFUSE_KEY_LOCK_V  0x0000001FU
 #define KEYMNG_USE_EFUSE_KEY_LOCK_S  0
-/* KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA : R/W1 ;bitpos:[0] ;default: 1'd0 ; */
+/** KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA : R/W1 ;bitpos:[0]; default: 0;
-/*description: Write 1 to lock reg_use_efuse_key for esdsa*/
+ * Write 1 to lock reg_use_efuse_key for esdsa
-
+ */
 #define KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA    (BIT(0))
-#define KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA_M  ((KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA_V)<<(KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA_S))
+#define KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA_M  (KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA_V << KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA_S)
-#define KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA_V  0x1
+#define KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA_V  0x00000001U
 #define KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA_S  0
-
+/** KEYMNG_USE_EFUSE_KEY_LOCK_FLASH : R/W1 ;bitpos:[1]; default: 0;
-/* KEYMNG_USE_EFUSE_KEY_LOCK_FLASH : R/W1 ;bitpos:[1] ;default: 1'd0 ; */
+ * Write 1 to lock reg_use_efuse_key for FLASH
-/*description: Write 1 to lock reg_use_efuse_key for FLASH*/
+ */
 #define KEYMNG_USE_EFUSE_KEY_LOCK_FLASH    (BIT(1))
-#define KEYMNG_USE_EFUSE_KEY_LOCK_FLASH_M  ((KEYMNG_USE_EFUSE_KEY_LOCK_FLASH_V)<<(KEYMNG_USE_EFUSE_KEY_LOCK_FLASH_S))
+#define KEYMNG_USE_EFUSE_KEY_LOCK_FLASH_M  (KEYMNG_USE_EFUSE_KEY_LOCK_FLASH_V << KEYMNG_USE_EFUSE_KEY_LOCK_FLASH_S)
-#define KEYMNG_USE_EFUSE_KEY_LOCK_FLASH_V  0x1
+#define KEYMNG_USE_EFUSE_KEY_LOCK_FLASH_V  0x00000001U
 #define KEYMNG_USE_EFUSE_KEY_LOCK_FLASH_S  1
 /** KEYMNG_USE_EFUSE_KEY_LOCK_HMAC : R/W1 ;bitpos:[0]; default: 0;
 * Write 1 to lock reg_use_efuse_key for hmac
 */
 #define KEYMNG_USE_EFUSE_KEY_LOCK_HMAC    (BIT(2))
 #define KEYMNG_USE_EFUSE_KEY_LOCK_HMAC_M  (KEYMNG_USE_EFUSE_KEY_LOCK_HMAC_V << KEYMNG_USE_EFUSE_KEY_LOCK_HMAC_S)
 #define KEYMNG_USE_EFUSE_KEY_LOCK_HMAC_V  0x00000001U
 #define KEYMNG_USE_EFUSE_KEY_LOCK_HMAC_S  2
 /** KEYMNG_USE_EFUSE_KEY_LOCK_DS : R/W1 ;bitpos:[1]; default: 0;
 * Write 1 to lock reg_use_efuse_key for ds
 */
 #define KEYMNG_USE_EFUSE_KEY_LOCK_DS    (BIT(3))
 #define KEYMNG_USE_EFUSE_KEY_LOCK_DS_M  (KEYMNG_USE_EFUSE_KEY_LOCK_DS_V << KEYMNG_USE_EFUSE_KEY_LOCK_DS_S)
 #define KEYMNG_USE_EFUSE_KEY_LOCK_DS_V  0x00000001U
 #define KEYMNG_USE_EFUSE_KEY_LOCK_DS_S  3
 /** KEYMNG_USE_EFUSE_KEY_LOCK_PSRAM : R/W1 ;bitpos:[1]; default: 0;
 * Write 1 to lock reg_use_efuse_key for PSRAM
 */
 #define KEYMNG_USE_EFUSE_KEY_LOCK_PSRAM    (BIT(4))
 #define KEYMNG_USE_EFUSE_KEY_LOCK_PSRAM_M  (KEYMNG_USE_EFUSE_KEY_LOCK_PSRAM_V << KEYMNG_USE_EFUSE_KEY_LOCK_PSRAM_S)
 #define KEYMNG_USE_EFUSE_KEY_LOCK_PSRAM_V  0x00000001U
 #define KEYMNG_USE_EFUSE_KEY_LOCK_PSRAM_S  4
 /** KEYMNG_RND_SWITCH_CYCLE_LOCK : R/W1; bitpos: [5]; default: 0;
 *  Write 1 to lock reg_rnd_switch_cycle.
@@ -266,9 +311,10 @@ extern "C" {
 #define KEYMNG_KGEN_MODE_V  0x00000007U
 #define KEYMNG_KGEN_MODE_S  0
 /** KEYMNG_KEY_PURPOSE : R/W; bitpos: [6:3]; default: 0;
- *  Set this field to choose the key purpose. 1: ecdsa_key 2: flash_256_1_key. 3:
+ *  Set this field to choose the key purpose. 1: ecdsa_key_192. 2: ecdsa_key_256. 3:
- *  flash_256_2_key. 4: flash_128_key. 6: hmac_key. 7: ds_key. 8: psram_256_1_key. 9:
+ *  flash_256_1_key. 4: flash_256_2_key. 5: flash_128_key. 6: hmac_key. 7: ds_key. 8:
- *  psram_256_2_key. 10: psram_128_key. Others: reserved.
+ *  psram_256_1_key. 9: psram_256_2_key. 10: psram_128_key. 11: ecdsa_key_384_l. 12:
 *  ecdsa_key_384_h. Others: reserved.
 */
 #define KEYMNG_KEY_PURPOSE    0x0000000FU
 #define KEYMNG_KEY_PURPOSE_M  (KEYMNG_KEY_PURPOSE_V << KEYMNG_KEY_PURPOSE_S)
@@ -323,46 +369,62 @@ extern "C" {
 *  Key Manager key status register
 */
 #define KEYMNG_KEY_VLD_REG (DR_REG_KEYMNG_BASE + 0x30)
-/** KEYMNG_KEY_ECDSA_VLD : RO; bitpos: [0]; default: 0;
+/** KEYMNG_KEY_ECDSA_192_VLD : RO; bitpos: [0]; default: 0;
- *  The status bit for key_ecdsa.   1: The key has been deployed correctly. 0: The key
+ *  The status bit for key_ecdsa_192.   1: The key has been deployed correctly. 0: The
- *  has not been deployed yet.
+ *  key has not been deployed yet.
 */
-#define KEYMNG_KEY_ECDSA_VLD    (BIT(0))
+#define KEYMNG_KEY_ECDSA_192_VLD    (BIT(0))
-#define KEYMNG_KEY_ECDSA_VLD_M  (KEYMNG_KEY_ECDSA_VLD_V << KEYMNG_KEY_ECDSA_VLD_S)
+#define KEYMNG_KEY_ECDSA_192_VLD_M  (KEYMNG_KEY_ECDSA_192_VLD_V << KEYMNG_KEY_ECDSA_192_VLD_S)
-#define KEYMNG_KEY_ECDSA_VLD_V  0x00000001U
+#define KEYMNG_KEY_ECDSA_192_VLD_V  0x00000001U
-#define KEYMNG_KEY_ECDSA_VLD_S  0
+#define KEYMNG_KEY_ECDSA_192_VLD_S  0
-/** KEYMNG_KEY_FLASH_VLD : RO; bitpos: [1]; default: 0;
+/** KEYMNG_KEY_ECDSA_256_VLD : RO; bitpos: [1]; default: 0;
 *  The status bit for key_ecdsa_256.   1: The key has been deployed correctly. 0: The
 *  key has not been deployed yet.
 */
 #define KEYMNG_KEY_ECDSA_256_VLD    (BIT(1))
 #define KEYMNG_KEY_ECDSA_256_VLD_M  (KEYMNG_KEY_ECDSA_256_VLD_V << KEYMNG_KEY_ECDSA_256_VLD_S)
 #define KEYMNG_KEY_ECDSA_256_VLD_V  0x00000001U
 #define KEYMNG_KEY_ECDSA_256_VLD_S  1
 /** KEYMNG_KEY_FLASH_VLD : RO; bitpos: [2]; default: 0;
 *  The status bit for key_flash.     1: The key has been deployed correctly. 0: The
 *  key has not been deployed yet.
 */
-#define KEYMNG_KEY_FLASH_VLD    (BIT(1))
+#define KEYMNG_KEY_FLASH_VLD    (BIT(2))
 #define KEYMNG_KEY_FLASH_VLD_M  (KEYMNG_KEY_FLASH_VLD_V << KEYMNG_KEY_FLASH_VLD_S)
 #define KEYMNG_KEY_FLASH_VLD_V  0x00000001U
-#define KEYMNG_KEY_FLASH_VLD_S  1
+#define KEYMNG_KEY_FLASH_VLD_S  2
-/** KEYMNG_KEY_HMAC_VLD : RO; bitpos: [2]; default: 0;
+/** KEYMNG_KEY_HMAC_VLD : RO; bitpos: [3]; default: 0;
 *  The status bit for key_hmac.    1: The key has been deployed correctly. 0: The key
 *  has not been deployed yet.
 */
-#define KEYMNG_KEY_HMAC_VLD    (BIT(2))
+#define KEYMNG_KEY_HMAC_VLD    (BIT(3))
 #define KEYMNG_KEY_HMAC_VLD_M  (KEYMNG_KEY_HMAC_VLD_V << KEYMNG_KEY_HMAC_VLD_S)
 #define KEYMNG_KEY_HMAC_VLD_V  0x00000001U
-#define KEYMNG_KEY_HMAC_VLD_S  2
+#define KEYMNG_KEY_HMAC_VLD_S  3
-/** KEYMNG_KEY_DS_VLD : RO; bitpos: [3]; default: 0;
+/** KEYMNG_KEY_DS_VLD : RO; bitpos: [4]; default: 0;
 *  The status bit for key_ds.         1: The key has been deployed correctly. 0: The
 *  key has not been deployed yet.
 */
-#define KEYMNG_KEY_DS_VLD    (BIT(3))
+#define KEYMNG_KEY_DS_VLD    (BIT(4))
 #define KEYMNG_KEY_DS_VLD_M  (KEYMNG_KEY_DS_VLD_V << KEYMNG_KEY_DS_VLD_S)
 #define KEYMNG_KEY_DS_VLD_V  0x00000001U
-#define KEYMNG_KEY_DS_VLD_S  3
+#define KEYMNG_KEY_DS_VLD_S  4
-/** KEYMNG_KEY_PSRAM_VLD : RO; bitpos: [4]; default: 0;
+/** KEYMNG_KEY_PSRAM_VLD : RO; bitpos: [5]; default: 0;
 *  The status bit for key_psram.   1: The key has been deployed correctly. 0: The key
 *  has not been deployed yet.
 */
-#define KEYMNG_KEY_PSRAM_VLD    (BIT(4))
+#define KEYMNG_KEY_PSRAM_VLD    (BIT(5))
 #define KEYMNG_KEY_PSRAM_VLD_M  (KEYMNG_KEY_PSRAM_VLD_V << KEYMNG_KEY_PSRAM_VLD_S)
 #define KEYMNG_KEY_PSRAM_VLD_V  0x00000001U
-#define KEYMNG_KEY_PSRAM_VLD_S  4
+#define KEYMNG_KEY_PSRAM_VLD_S  5
 /** KEYMNG_KEY_ECDSA_384_VLD : RO; bitpos: [6]; default: 0;
 *  The status bit for key_ecdsa_384.   1: The key has been deployed correctly. 0: The
 *  key has not been deployed yet.
 */
 #define KEYMNG_KEY_ECDSA_384_VLD    (BIT(6))
 #define KEYMNG_KEY_ECDSA_384_VLD_M  (KEYMNG_KEY_ECDSA_384_VLD_V << KEYMNG_KEY_ECDSA_384_VLD_S)
 #define KEYMNG_KEY_ECDSA_384_VLD_V  0x00000001U
 #define KEYMNG_KEY_ECDSA_384_VLD_S  6
 /** KEYMNG_HUK_VLD_REG register
 *  Key Manager HUK status register
@@ -380,7 +442,7 @@ extern "C" {
 *  Version control register
 */
 #define KEYMNG_DATE_REG (DR_REG_KEYMNG_BASE + 0xfc)
-/** KEYMNG_DATE : R/W; bitpos: [27:0]; default: 36774224;
+/** KEYMNG_DATE : R/W; bitpos: [27:0]; default: 37781824;
 *  Key Manager version control register.
 */
 #define KEYMNG_DATE    0x0FFFFFFFU
--- a/components/soc/esp32c5/register/soc/keymng_reg_eco2.h
+++ b/components/soc/esp32c5/register/soc/keymng_reg_eco2.h
@@ -1,395 +0,0 @@
 /**
 * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
 *
 *  SPDX-License-Identifier: Apache-2.0
 */
 #pragma once
 #include <stdint.h>
 #include "soc/soc.h"
 #ifdef __cplusplus
 extern "C" {
 #endif
 /** KEYMNG_CLK_REG register
 *  Key Manager clock gate control register
 */
 #define KEYMNG_CLK_REG (DR_REG_KEYMNG_BASE + 0x4)
 /** KEYMNG_REG_CG_FORCE_ON : R/W; bitpos: [0]; default: 1;
 *  Write 1 to force on register clock gate.
 */
 #define KEYMNG_REG_CG_FORCE_ON    (BIT(0))
 #define KEYMNG_REG_CG_FORCE_ON_M  (KEYMNG_REG_CG_FORCE_ON_V << KEYMNG_REG_CG_FORCE_ON_S)
 #define KEYMNG_REG_CG_FORCE_ON_V  0x00000001U
 #define KEYMNG_REG_CG_FORCE_ON_S  0
 /** KEYMNG_MEM_CG_FORCE_ON : R/W; bitpos: [1]; default: 0;
 *  Write 1 to force on memory clock gate.
 */
 #define KEYMNG_MEM_CG_FORCE_ON    (BIT(1))
 #define KEYMNG_MEM_CG_FORCE_ON_M  (KEYMNG_MEM_CG_FORCE_ON_V << KEYMNG_MEM_CG_FORCE_ON_S)
 #define KEYMNG_MEM_CG_FORCE_ON_V  0x00000001U
 #define KEYMNG_MEM_CG_FORCE_ON_S  1
 /** KEYMNG_INT_RAW_REG register
 *  Key Manager interrupt raw register, valid in level.
 */
 #define KEYMNG_INT_RAW_REG (DR_REG_KEYMNG_BASE + 0x8)
 /** KEYMNG_PREP_DONE_INT_RAW : RO/WTC/SS; bitpos: [0]; default: 0;
 *  The raw interrupt status bit  for the km_prep_done_int interrupt
 */
 #define KEYMNG_PREP_DONE_INT_RAW    (BIT(0))
 #define KEYMNG_PREP_DONE_INT_RAW_M  (KEYMNG_PREP_DONE_INT_RAW_V << KEYMNG_PREP_DONE_INT_RAW_S)
 #define KEYMNG_PREP_DONE_INT_RAW_V  0x00000001U
 #define KEYMNG_PREP_DONE_INT_RAW_S  0
 /** KEYMNG_PROC_DONE_INT_RAW : RO/WTC/SS; bitpos: [1]; default: 0;
 *  The raw interrupt status bit  for the km_proc_done_int interrupt
 */
 #define KEYMNG_PROC_DONE_INT_RAW    (BIT(1))
 #define KEYMNG_PROC_DONE_INT_RAW_M  (KEYMNG_PROC_DONE_INT_RAW_V << KEYMNG_PROC_DONE_INT_RAW_S)
 #define KEYMNG_PROC_DONE_INT_RAW_V  0x00000001U
 #define KEYMNG_PROC_DONE_INT_RAW_S  1
 /** KEYMNG_POST_DONE_INT_RAW : RO/WTC/SS; bitpos: [2]; default: 0;
 *  The raw interrupt status bit  for the km_post_done_int interrupt
 */
 #define KEYMNG_POST_DONE_INT_RAW    (BIT(2))
 #define KEYMNG_POST_DONE_INT_RAW_M  (KEYMNG_POST_DONE_INT_RAW_V << KEYMNG_POST_DONE_INT_RAW_S)
 #define KEYMNG_POST_DONE_INT_RAW_V  0x00000001U
 #define KEYMNG_POST_DONE_INT_RAW_S  2
 /** KEYMNG_INT_ST_REG register
 *  Key Manager interrupt status register.
 */
 #define KEYMNG_INT_ST_REG (DR_REG_KEYMNG_BASE + 0xc)
 /** KEYMNG_PREP_DONE_INT_ST : RO; bitpos: [0]; default: 0;
 *  The masked interrupt status bit  for the km_prep_done_int interrupt
 */
 #define KEYMNG_PREP_DONE_INT_ST    (BIT(0))
 #define KEYMNG_PREP_DONE_INT_ST_M  (KEYMNG_PREP_DONE_INT_ST_V << KEYMNG_PREP_DONE_INT_ST_S)
 #define KEYMNG_PREP_DONE_INT_ST_V  0x00000001U
 #define KEYMNG_PREP_DONE_INT_ST_S  0
 /** KEYMNG_PROC_DONE_INT_ST : RO; bitpos: [1]; default: 0;
 *  The masked interrupt status bit  for the km_proc_done_int interrupt
 */
 #define KEYMNG_PROC_DONE_INT_ST    (BIT(1))
 #define KEYMNG_PROC_DONE_INT_ST_M  (KEYMNG_PROC_DONE_INT_ST_V << KEYMNG_PROC_DONE_INT_ST_S)
 #define KEYMNG_PROC_DONE_INT_ST_V  0x00000001U
 #define KEYMNG_PROC_DONE_INT_ST_S  1
 /** KEYMNG_POST_DONE_INT_ST : RO; bitpos: [2]; default: 0;
 *  The masked interrupt status bit  for the km_post_done_int interrupt
 */
 #define KEYMNG_POST_DONE_INT_ST    (BIT(2))
 #define KEYMNG_POST_DONE_INT_ST_M  (KEYMNG_POST_DONE_INT_ST_V << KEYMNG_POST_DONE_INT_ST_S)
 #define KEYMNG_POST_DONE_INT_ST_V  0x00000001U
 #define KEYMNG_POST_DONE_INT_ST_S  2
 /** KEYMNG_INT_ENA_REG register
 *  Key Manager interrupt enable register.
 */
 #define KEYMNG_INT_ENA_REG (DR_REG_KEYMNG_BASE + 0x10)
 /** KEYMNG_PREP_DONE_INT_ENA : R/W; bitpos: [0]; default: 0;
 *  The interrupt enable bit  for the km_prep_done_int interrupt
 */
 #define KEYMNG_PREP_DONE_INT_ENA    (BIT(0))
 #define KEYMNG_PREP_DONE_INT_ENA_M  (KEYMNG_PREP_DONE_INT_ENA_V << KEYMNG_PREP_DONE_INT_ENA_S)
 #define KEYMNG_PREP_DONE_INT_ENA_V  0x00000001U
 #define KEYMNG_PREP_DONE_INT_ENA_S  0
 /** KEYMNG_PROC_DONE_INT_ENA : R/W; bitpos: [1]; default: 0;
 *  The interrupt enable bit  for the km_proc_done_int interrupt
 */
 #define KEYMNG_PROC_DONE_INT_ENA    (BIT(1))
 #define KEYMNG_PROC_DONE_INT_ENA_M  (KEYMNG_PROC_DONE_INT_ENA_V << KEYMNG_PROC_DONE_INT_ENA_S)
 #define KEYMNG_PROC_DONE_INT_ENA_V  0x00000001U
 #define KEYMNG_PROC_DONE_INT_ENA_S  1
 /** KEYMNG_POST_DONE_INT_ENA : R/W; bitpos: [2]; default: 0;
 *  The interrupt enable bit  for the km_post_done_int interrupt
 */
 #define KEYMNG_POST_DONE_INT_ENA    (BIT(2))
 #define KEYMNG_POST_DONE_INT_ENA_M  (KEYMNG_POST_DONE_INT_ENA_V << KEYMNG_POST_DONE_INT_ENA_S)
 #define KEYMNG_POST_DONE_INT_ENA_V  0x00000001U
 #define KEYMNG_POST_DONE_INT_ENA_S  2
 /** KEYMNG_INT_CLR_REG register
 *  Key Manager interrupt clear register.
 */
 #define KEYMNG_INT_CLR_REG (DR_REG_KEYMNG_BASE + 0x14)
 /** KEYMNG_PREP_DONE_INT_CLR : WT; bitpos: [0]; default: 0;
 *  Set this bit to clear the km_prep_done_int interrupt
 */
 #define KEYMNG_PREP_DONE_INT_CLR    (BIT(0))
 #define KEYMNG_PREP_DONE_INT_CLR_M  (KEYMNG_PREP_DONE_INT_CLR_V << KEYMNG_PREP_DONE_INT_CLR_S)
 #define KEYMNG_PREP_DONE_INT_CLR_V  0x00000001U
 #define KEYMNG_PREP_DONE_INT_CLR_S  0
 /** KEYMNG_PROC_DONE_INT_CLR : WT; bitpos: [1]; default: 0;
 *  Set this bit to clear the km_proc_done_int interrupt
 */
 #define KEYMNG_PROC_DONE_INT_CLR    (BIT(1))
 #define KEYMNG_PROC_DONE_INT_CLR_M  (KEYMNG_PROC_DONE_INT_CLR_V << KEYMNG_PROC_DONE_INT_CLR_S)
 #define KEYMNG_PROC_DONE_INT_CLR_V  0x00000001U
 #define KEYMNG_PROC_DONE_INT_CLR_S  1
 /** KEYMNG_POST_DONE_INT_CLR : WT; bitpos: [2]; default: 0;
 *  Set this bit to clear the km_post_done_int interrupt
 */
 #define KEYMNG_POST_DONE_INT_CLR    (BIT(2))
 #define KEYMNG_POST_DONE_INT_CLR_M  (KEYMNG_POST_DONE_INT_CLR_V << KEYMNG_POST_DONE_INT_CLR_S)
 #define KEYMNG_POST_DONE_INT_CLR_V  0x00000001U
 #define KEYMNG_POST_DONE_INT_CLR_S  2
 /** KEYMNG_STATIC_REG register
 *  Key Manager static configuration register
 */
 #define KEYMNG_STATIC_REG (DR_REG_KEYMNG_BASE + 0x18)
 /** KEYMNG_USE_EFUSE_KEY : R/W; bitpos: [4:0]; default: 0;
 *  Set each bit to choose efuse key instead of key manager deployed key. Each bit
 *  stands for a key type:bit 4 for psram_key; bit 3 for ds_key; bit 2 for hmac_key;
 *  bit 1 for flash_key; bit 0 for ecdsa_key
 */
 #define KEYMNG_USE_EFUSE_KEY    0x0000001FU
 #define KEYMNG_USE_EFUSE_KEY_M  (KEYMNG_USE_EFUSE_KEY_V << KEYMNG_USE_EFUSE_KEY_S)
 #define KEYMNG_USE_EFUSE_KEY_V  0x0000001FU
 #define KEYMNG_USE_EFUSE_KEY_S  0
 /** KEYMNG_RND_SWITCH_CYCLE : R/W; bitpos: [9:5]; default: 15;
 *  The core clock cycle number to sample one rng input data. Please set it bigger than
 *  the clock cycle ratio: T_rng/T_km
 */
 #define KEYMNG_RND_SWITCH_CYCLE    0x0000001FU
 #define KEYMNG_RND_SWITCH_CYCLE_M  (KEYMNG_RND_SWITCH_CYCLE_V << KEYMNG_RND_SWITCH_CYCLE_S)
 #define KEYMNG_RND_SWITCH_CYCLE_V  0x0000001FU
 #define KEYMNG_RND_SWITCH_CYCLE_S  5
 /** KEYMNG_USE_SW_INIT_KEY : R/W; bitpos: [10]; default: 0;
 *  Set this bit to use software written init key instead of efuse_init_key.
 */
 #define KEYMNG_USE_SW_INIT_KEY    (BIT(10))
 #define KEYMNG_USE_SW_INIT_KEY_M  (KEYMNG_USE_SW_INIT_KEY_V << KEYMNG_USE_SW_INIT_KEY_S)
 #define KEYMNG_USE_SW_INIT_KEY_V  0x00000001U
 #define KEYMNG_USE_SW_INIT_KEY_S  10
 /** KEYMNG_FLASH_KEY_LEN : R/W; bitpos: [11]; default: 0;
 *  Set this bit to choose flash crypt using xts-aes-256 or xts-aes-128. 1: use
 *  xts-aes-256. 0: use xts-aes-128.
 */
 #define KEYMNG_FLASH_KEY_LEN    (BIT(11))
 #define KEYMNG_FLASH_KEY_LEN_M  (KEYMNG_FLASH_KEY_LEN_V << KEYMNG_FLASH_KEY_LEN_S)
 #define KEYMNG_FLASH_KEY_LEN_V  0x00000001U
 #define KEYMNG_FLASH_KEY_LEN_S  11
 /** KEYMNG_PSRAM_KEY_LEN : R/W; bitpos: [12]; default: 0;
 *  Set this bit to choose psram crypt using xts-aes-256 or xts-aes-128. 1: use
 *  xts-aes-256. 0: use xts-aes-128.
 */
 #define KEYMNG_PSRAM_KEY_LEN    (BIT(12))
 #define KEYMNG_PSRAM_KEY_LEN_M  (KEYMNG_PSRAM_KEY_LEN_V << KEYMNG_PSRAM_KEY_LEN_S)
 #define KEYMNG_PSRAM_KEY_LEN_V  0x00000001U
 #define KEYMNG_PSRAM_KEY_LEN_S  12
 /** KEYMNG_LOCK_REG register
 *  Key Manager static configuration locker register
 */
 #define KEYMNG_LOCK_REG (DR_REG_KEYMNG_BASE + 0x1c)
 /** KEYMNG_USE_EFUSE_KEY_LOCK : R/W1; bitpos: [4:0]; default: 0;
 *  Write 1 to lock reg_use_efuse_key. Each bit locks the corresponding bit of
 *  reg_use_efuse_key.
 */
 #define KEYMNG_USE_EFUSE_KEY_LOCK    0x0000001FU
 #define KEYMNG_USE_EFUSE_KEY_LOCK_M  (KEYMNG_USE_EFUSE_KEY_LOCK_V << KEYMNG_USE_EFUSE_KEY_LOCK_S)
 #define KEYMNG_USE_EFUSE_KEY_LOCK_V  0x0000001FU
 #define KEYMNG_USE_EFUSE_KEY_LOCK_S  0
 /** KEYMNG_RND_SWITCH_CYCLE_LOCK : R/W1; bitpos: [5]; default: 0;
 *  Write 1 to lock reg_rnd_switch_cycle.
 */
 #define KEYMNG_RND_SWITCH_CYCLE_LOCK    (BIT(5))
 #define KEYMNG_RND_SWITCH_CYCLE_LOCK_M  (KEYMNG_RND_SWITCH_CYCLE_LOCK_V << KEYMNG_RND_SWITCH_CYCLE_LOCK_S)
 #define KEYMNG_RND_SWITCH_CYCLE_LOCK_V  0x00000001U
 #define KEYMNG_RND_SWITCH_CYCLE_LOCK_S  5
 /** KEYMNG_USE_SW_INIT_KEY_LOCK : R/W1; bitpos: [6]; default: 0;
 *  Write 1 to lock reg_use_sw_init_key.
 */
 #define KEYMNG_USE_SW_INIT_KEY_LOCK    (BIT(6))
 #define KEYMNG_USE_SW_INIT_KEY_LOCK_M  (KEYMNG_USE_SW_INIT_KEY_LOCK_V << KEYMNG_USE_SW_INIT_KEY_LOCK_S)
 #define KEYMNG_USE_SW_INIT_KEY_LOCK_V  0x00000001U
 #define KEYMNG_USE_SW_INIT_KEY_LOCK_S  6
 /** KEYMNG_FLASH_KEY_LEN_LOCK : R/W1; bitpos: [7]; default: 0;
 *  Write 1 to lock reg_flash_key_len.
 */
 #define KEYMNG_FLASH_KEY_LEN_LOCK    (BIT(7))
 #define KEYMNG_FLASH_KEY_LEN_LOCK_M  (KEYMNG_FLASH_KEY_LEN_LOCK_V << KEYMNG_FLASH_KEY_LEN_LOCK_S)
 #define KEYMNG_FLASH_KEY_LEN_LOCK_V  0x00000001U
 #define KEYMNG_FLASH_KEY_LEN_LOCK_S  7
 /** KEYMNG_PSRAM_KEY_LEN_LOCK : R/W1; bitpos: [8]; default: 0;
 *  Write 1 to lock reg_psram_key_len.
 */
 #define KEYMNG_PSRAM_KEY_LEN_LOCK    (BIT(8))
 #define KEYMNG_PSRAM_KEY_LEN_LOCK_M  (KEYMNG_PSRAM_KEY_LEN_LOCK_V << KEYMNG_PSRAM_KEY_LEN_LOCK_S)
 #define KEYMNG_PSRAM_KEY_LEN_LOCK_V  0x00000001U
 #define KEYMNG_PSRAM_KEY_LEN_LOCK_S  8
 /** KEYMNG_CONF_REG register
 *  Key Manager configuration register
 */
 #define KEYMNG_CONF_REG (DR_REG_KEYMNG_BASE + 0x20)
 /** KEYMNG_KGEN_MODE : R/W; bitpos: [2:0]; default: 0;
 *  Set this field to choose the key generator deployment mode. 0: random mode. 1: AES
 *  mode. 2: ECDH0 mode. 3: ECDH1 mode. 4: recover mode. 5: export mode. 6-7: reserved.
 */
 #define KEYMNG_KGEN_MODE    0x00000007U
 #define KEYMNG_KGEN_MODE_M  (KEYMNG_KGEN_MODE_V << KEYMNG_KGEN_MODE_S)
 #define KEYMNG_KGEN_MODE_V  0x00000007U
 #define KEYMNG_KGEN_MODE_S  0
 /** KEYMNG_KEY_PURPOSE : R/W; bitpos: [6:3]; default: 0;
 *  Set this field to choose the key purpose. 1: ecdsa_key_192. 2: ecdsa_key_256. 3:
 *  flash_256_1_key. 4: flash_256_2_key. 5: flash_128_key. 6: hmac_key. 7: ds_key. 8:
 *  psram_256_1_key. 9: psram_256_2_key. 10: psram_128_key. 11: ecdsa_key_384_l. 12:
 *  ecdsa_key_384_h. Others: reserved.
 */
 #define KEYMNG_KEY_PURPOSE    0x0000000FU
 #define KEYMNG_KEY_PURPOSE_M  (KEYMNG_KEY_PURPOSE_V << KEYMNG_KEY_PURPOSE_S)
 #define KEYMNG_KEY_PURPOSE_V  0x0000000FU
 #define KEYMNG_KEY_PURPOSE_S  3
 /** KEYMNG_START_REG register
 *  Key Manager control register
 */
 #define KEYMNG_START_REG (DR_REG_KEYMNG_BASE + 0x24)
 /** KEYMNG_START : WT; bitpos: [0]; default: 0;
 *  Write 1 to continue Key Manager operation at LOAD/GAIN state.
 */
 #define KEYMNG_START    (BIT(0))
 #define KEYMNG_START_M  (KEYMNG_START_V << KEYMNG_START_S)
 #define KEYMNG_START_V  0x00000001U
 #define KEYMNG_START_S  0
 /** KEYMNG_CONTINUE : WT; bitpos: [1]; default: 0;
 *  Write 1 to start Key Manager at IDLE state.
 */
 #define KEYMNG_CONTINUE    (BIT(1))
 #define KEYMNG_CONTINUE_M  (KEYMNG_CONTINUE_V << KEYMNG_CONTINUE_S)
 #define KEYMNG_CONTINUE_V  0x00000001U
 #define KEYMNG_CONTINUE_S  1
 /** KEYMNG_STATE_REG register
 *  Key Manager state register
 */
 #define KEYMNG_STATE_REG (DR_REG_KEYMNG_BASE + 0x28)
 /** KEYMNG_STATE : RO; bitpos: [1:0]; default: 0;
 *  The state of Key Manager. 0: IDLE. 1: LOAD. 2: GAIN. 3: BUSY.
 */
 #define KEYMNG_STATE    0x00000003U
 #define KEYMNG_STATE_M  (KEYMNG_STATE_V << KEYMNG_STATE_S)
 #define KEYMNG_STATE_V  0x00000003U
 #define KEYMNG_STATE_S  0
 /** KEYMNG_RESULT_REG register
 *  Key Manager operation result register
 */
 #define KEYMNG_RESULT_REG (DR_REG_KEYMNG_BASE + 0x2c)
 /** KEYMNG_PROC_RESULT : RO/SS; bitpos: [0]; default: 0;
 *  The procedure result bit of Key Manager, only valid when Key Manager procedure is
 *  done. 1: Key Manager procedure succeeded. 0: Key Manager procedure failed.
 */
 #define KEYMNG_PROC_RESULT    (BIT(0))
 #define KEYMNG_PROC_RESULT_M  (KEYMNG_PROC_RESULT_V << KEYMNG_PROC_RESULT_S)
 #define KEYMNG_PROC_RESULT_V  0x00000001U
 #define KEYMNG_PROC_RESULT_S  0
 /** KEYMNG_KEY_VLD_REG register
 *  Key Manager key status register
 */
 #define KEYMNG_KEY_VLD_REG (DR_REG_KEYMNG_BASE + 0x30)
 /** KEYMNG_KEY_ECDSA_192_VLD : RO; bitpos: [0]; default: 0;
 *  The status bit for key_ecdsa_192.   1: The key has been deployed correctly. 0: The
 *  key has not been deployed yet.
 */
 #define KEYMNG_KEY_ECDSA_192_VLD    (BIT(0))
 #define KEYMNG_KEY_ECDSA_192_VLD_M  (KEYMNG_KEY_ECDSA_192_VLD_V << KEYMNG_KEY_ECDSA_192_VLD_S)
 #define KEYMNG_KEY_ECDSA_192_VLD_V  0x00000001U
 #define KEYMNG_KEY_ECDSA_192_VLD_S  0
 /** KEYMNG_KEY_ECDSA_256_VLD : RO; bitpos: [1]; default: 0;
 *  The status bit for key_ecdsa_256.   1: The key has been deployed correctly. 0: The
 *  key has not been deployed yet.
 */
 #define KEYMNG_KEY_ECDSA_256_VLD    (BIT(1))
 #define KEYMNG_KEY_ECDSA_256_VLD_M  (KEYMNG_KEY_ECDSA_256_VLD_V << KEYMNG_KEY_ECDSA_256_VLD_S)
 #define KEYMNG_KEY_ECDSA_256_VLD_V  0x00000001U
 #define KEYMNG_KEY_ECDSA_256_VLD_S  1
 /** KEYMNG_KEY_FLASH_VLD : RO; bitpos: [2]; default: 0;
 *  The status bit for key_flash.     1: The key has been deployed correctly. 0: The
 *  key has not been deployed yet.
 */
 #define KEYMNG_KEY_FLASH_VLD    (BIT(2))
 #define KEYMNG_KEY_FLASH_VLD_M  (KEYMNG_KEY_FLASH_VLD_V << KEYMNG_KEY_FLASH_VLD_S)
 #define KEYMNG_KEY_FLASH_VLD_V  0x00000001U
 #define KEYMNG_KEY_FLASH_VLD_S  2
 /** KEYMNG_KEY_HMAC_VLD : RO; bitpos: [3]; default: 0;
 *  The status bit for key_hmac.    1: The key has been deployed correctly. 0: The key
 *  has not been deployed yet.
 */
 #define KEYMNG_KEY_HMAC_VLD    (BIT(3))
 #define KEYMNG_KEY_HMAC_VLD_M  (KEYMNG_KEY_HMAC_VLD_V << KEYMNG_KEY_HMAC_VLD_S)
 #define KEYMNG_KEY_HMAC_VLD_V  0x00000001U
 #define KEYMNG_KEY_HMAC_VLD_S  3
 /** KEYMNG_KEY_DS_VLD : RO; bitpos: [4]; default: 0;
 *  The status bit for key_ds.         1: The key has been deployed correctly. 0: The
 *  key has not been deployed yet.
 */
 #define KEYMNG_KEY_DS_VLD    (BIT(4))
 #define KEYMNG_KEY_DS_VLD_M  (KEYMNG_KEY_DS_VLD_V << KEYMNG_KEY_DS_VLD_S)
 #define KEYMNG_KEY_DS_VLD_V  0x00000001U
 #define KEYMNG_KEY_DS_VLD_S  4
 /** KEYMNG_KEY_PSRAM_VLD : RO; bitpos: [5]; default: 0;
 *  The status bit for key_psram.   1: The key has been deployed correctly. 0: The key
 *  has not been deployed yet.
 */
 #define KEYMNG_KEY_PSRAM_VLD    (BIT(5))
 #define KEYMNG_KEY_PSRAM_VLD_M  (KEYMNG_KEY_PSRAM_VLD_V << KEYMNG_KEY_PSRAM_VLD_S)
 #define KEYMNG_KEY_PSRAM_VLD_V  0x00000001U
 #define KEYMNG_KEY_PSRAM_VLD_S  5
 /** KEYMNG_KEY_ECDSA_384_VLD : RO; bitpos: [6]; default: 0;
 *  The status bit for key_ecdsa_384.   1: The key has been deployed correctly. 0: The
 *  key has not been deployed yet.
 */
 #define KEYMNG_KEY_ECDSA_384_VLD    (BIT(6))
 #define KEYMNG_KEY_ECDSA_384_VLD_M  (KEYMNG_KEY_ECDSA_384_VLD_V << KEYMNG_KEY_ECDSA_384_VLD_S)
 #define KEYMNG_KEY_ECDSA_384_VLD_V  0x00000001U
 #define KEYMNG_KEY_ECDSA_384_VLD_S  6
 /** KEYMNG_HUK_VLD_REG register
 *  Key Manager HUK status register
 */
 #define KEYMNG_HUK_VLD_REG (DR_REG_KEYMNG_BASE + 0x34)
 /** KEYMNG_HUK_VALID : RO; bitpos: [0]; default: 0;
 *  The HUK status. 0: HUK is not valid. 1: HUK is valid.
 */
 #define KEYMNG_HUK_VALID    (BIT(0))
 #define KEYMNG_HUK_VALID_M  (KEYMNG_HUK_VALID_V << KEYMNG_HUK_VALID_S)
 #define KEYMNG_HUK_VALID_V  0x00000001U
 #define KEYMNG_HUK_VALID_S  0
 /** KEYMNG_DATE_REG register
 *  Version control register
 */
 #define KEYMNG_DATE_REG (DR_REG_KEYMNG_BASE + 0xfc)
 /** KEYMNG_DATE : R/W; bitpos: [27:0]; default: 37781824;
 *  Key Manager version control register.
 */
 #define KEYMNG_DATE    0x0FFFFFFFU
 #define KEYMNG_DATE_M  (KEYMNG_DATE_V << KEYMNG_DATE_S)
 #define KEYMNG_DATE_V  0x0FFFFFFFU
 #define KEYMNG_DATE_S  0
 /** KEYMNG_ASSIST_INFO_MEM register
 *  The memory that stores assist key info.
 */
 #define KEYMNG_ASSIST_INFO_MEM (DR_REG_KEYMNG_BASE + 0x100)
 #define KEYMNG_ASSIST_INFO_MEM_SIZE_BYTES 64
 /** KEYMNG_PUBLIC_INFO_MEM register
 *  The memory that stores public key info.
 */
 #define KEYMNG_PUBLIC_INFO_MEM (DR_REG_KEYMNG_BASE + 0x140)
 #define KEYMNG_PUBLIC_INFO_MEM_SIZE_BYTES 64
 /** KEYMNG_SW_INIT_KEY_MEM register
 *  The memory that stores software written init key.
 */
 #define KEYMNG_SW_INIT_KEY_MEM (DR_REG_KEYMNG_BASE + 0x180)
 #define KEYMNG_SW_INIT_KEY_MEM_SIZE_BYTES 32
 #ifdef __cplusplus
 }
 #endif
--- a/components/soc/esp32c5/register/soc/keymng_struct.h
+++ b/components/soc/esp32c5/register/soc/keymng_struct.h
@@ -1,5 +1,5 @@
 /**
- * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
 *
 *  SPDX-License-Identifier: Apache-2.0
 */
@@ -202,9 +202,10 @@ typedef union {
         */
        uint32_t kgen_mode:3;
        /** key_purpose : R/W; bitpos: [6:3]; default: 0;
-         *  Set this field to choose the key purpose. 1: ecdsa_key 2: flash_256_1_key. 3:
+         *  Set this field to choose the key purpose. 1: ecdsa_key_192. 2: ecdsa_key_256. 3:
-         *  flash_256_2_key. 4: flash_128_key. 6: hmac_key. 7: ds_key. 8: psram_256_1_key. 9:
+         *  flash_256_1_key. 4: flash_256_2_key. 5: flash_128_key. 6: hmac_key. 7: ds_key. 8:
-         *  psram_256_2_key. 10: psram_128_key. Others: reserved.
+         *  psram_256_1_key. 9: psram_256_2_key. 10: psram_128_key. 11: ecdsa_key_384_l. 12:
         *  ecdsa_key_384_h. Others: reserved.
         */
        uint32_t key_purpose:4;
        uint32_t reserved_7:25;
@@ -270,32 +271,42 @@ typedef union {
 */
 typedef union {
    struct {
-        /** key_ecdsa_vld : RO; bitpos: [0]; default: 0;
+        /** key_ecdsa_192_vld : RO; bitpos: [0]; default: 0;
-         *  The status bit for key_ecdsa.   1: The key has been deployed correctly. 0: The key
+         *  The status bit for key_ecdsa_192.   1: The key has been deployed correctly. 0: The
-         *  has not been deployed yet.
+         *  key has not been deployed yet.
         */
-        uint32_t key_ecdsa_vld:1;
+        uint32_t key_ecdsa_192_vld:1;
-        /** key_flash_vld : RO; bitpos: [1]; default: 0;
+        /** key_ecdsa_256_vld : RO; bitpos: [1]; default: 0;
         *  The status bit for key_ecdsa_256.   1: The key has been deployed correctly. 0: The
         *  key has not been deployed yet.
         */
        uint32_t key_ecdsa_256_vld:1;
        /** key_flash_vld : RO; bitpos: [2]; default: 0;
         *  The status bit for key_flash.     1: The key has been deployed correctly. 0: The
         *  key has not been deployed yet.
         */
        uint32_t key_flash_vld:1;
-        /** key_hmac_vld : RO; bitpos: [2]; default: 0;
+        /** key_hmac_vld : RO; bitpos: [3]; default: 0;
         *  The status bit for key_hmac.    1: The key has been deployed correctly. 0: The key
         *  has not been deployed yet.
         */
        uint32_t key_hmac_vld:1;
-        /** key_ds_vld : RO; bitpos: [3]; default: 0;
+        /** key_ds_vld : RO; bitpos: [4]; default: 0;
         *  The status bit for key_ds.         1: The key has been deployed correctly. 0: The
         *  key has not been deployed yet.
         */
        uint32_t key_ds_vld:1;
-        /** key_psram_vld : RO; bitpos: [4]; default: 0;
+        /** key_psram_vld : RO; bitpos: [5]; default: 0;
         *  The status bit for key_psram.   1: The key has been deployed correctly. 0: The key
         *  has not been deployed yet.
         */
        uint32_t key_psram_vld:1;
-        uint32_t reserved_5:27;
+        /** key_ecdsa_384_vld : RO; bitpos: [6]; default: 0;
         *  The status bit for key_ecdsa_384.   1: The key has been deployed correctly. 0: The
         *  key has not been deployed yet.
         */
        uint32_t key_ecdsa_384_vld:1;
        uint32_t reserved_7:25;
    };
    uint32_t val;
 } keymng_key_vld_reg_t;
@@ -321,7 +332,7 @@ typedef union {
 */
 typedef union {
    struct {
-        /** date : R/W; bitpos: [27:0]; default: 36774224;
+        /** date : R/W; bitpos: [27:0]; default: 37781824;
         *  Key Manager version control register.
         */
        uint32_t date:28;
@@ -338,7 +349,7 @@ typedef struct {
    volatile keymng_int_st_reg_t int_st;
    volatile keymng_int_ena_reg_t int_ena;
    volatile keymng_int_clr_reg_t int_clr;
-    volatile keymng_static_reg_t static_cfg;
+    volatile keymng_static_reg_t static_conf;
    volatile keymng_lock_reg_t lock;
    volatile keymng_conf_reg_t conf;
    volatile keymng_start_reg_t start;
--- a/components/soc/esp32c5/register/soc/keymng_struct_eco2.h
+++ b/components/soc/esp32c5/register/soc/keymng_struct_eco2.h
@@ -1,375 +0,0 @@
 /**
 * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
 *
 *  SPDX-License-Identifier: Apache-2.0
 */
 #pragma once
 #include <stdint.h>
 #ifdef __cplusplus
 extern "C" {
 #endif
 /** Group: Memory data */
 /** Group: Clock gate register */
 /** Type of clk register
 *  Key Manager clock gate control register
 */
 typedef union {
    struct {
        /** reg_cg_force_on : R/W; bitpos: [0]; default: 1;
         *  Write 1 to force on register clock gate.
         */
        uint32_t reg_cg_force_on:1;
        /** mem_cg_force_on : R/W; bitpos: [1]; default: 0;
         *  Write 1 to force on memory clock gate.
         */
        uint32_t mem_cg_force_on:1;
        uint32_t reserved_2:30;
    };
    uint32_t val;
 } keymng_clk_reg_t;
 /** Group: Interrupt registers */
 /** Type of int_raw register
 *  Key Manager interrupt raw register, valid in level.
 */
 typedef union {
    struct {
        /** prep_done_int_raw : RO/WTC/SS; bitpos: [0]; default: 0;
         *  The raw interrupt status bit  for the km_prep_done_int interrupt
         */
        uint32_t prep_done_int_raw:1;
        /** proc_done_int_raw : RO/WTC/SS; bitpos: [1]; default: 0;
         *  The raw interrupt status bit  for the km_proc_done_int interrupt
         */
        uint32_t proc_done_int_raw:1;
        /** post_done_int_raw : RO/WTC/SS; bitpos: [2]; default: 0;
         *  The raw interrupt status bit  for the km_post_done_int interrupt
         */
        uint32_t post_done_int_raw:1;
        uint32_t reserved_3:29;
    };
    uint32_t val;
 } keymng_int_raw_reg_t;
 /** Type of int_st register
 *  Key Manager interrupt status register.
 */
 typedef union {
    struct {
        /** prep_done_int_st : RO; bitpos: [0]; default: 0;
         *  The masked interrupt status bit  for the km_prep_done_int interrupt
         */
        uint32_t prep_done_int_st:1;
        /** proc_done_int_st : RO; bitpos: [1]; default: 0;
         *  The masked interrupt status bit  for the km_proc_done_int interrupt
         */
        uint32_t proc_done_int_st:1;
        /** post_done_int_st : RO; bitpos: [2]; default: 0;
         *  The masked interrupt status bit  for the km_post_done_int interrupt
         */
        uint32_t post_done_int_st:1;
        uint32_t reserved_3:29;
    };
    uint32_t val;
 } keymng_int_st_reg_t;
 /** Type of int_ena register
 *  Key Manager interrupt enable register.
 */
 typedef union {
    struct {
        /** prep_done_int_ena : R/W; bitpos: [0]; default: 0;
         *  The interrupt enable bit  for the km_prep_done_int interrupt
         */
        uint32_t prep_done_int_ena:1;
        /** proc_done_int_ena : R/W; bitpos: [1]; default: 0;
         *  The interrupt enable bit  for the km_proc_done_int interrupt
         */
        uint32_t proc_done_int_ena:1;
        /** post_done_int_ena : R/W; bitpos: [2]; default: 0;
         *  The interrupt enable bit  for the km_post_done_int interrupt
         */
        uint32_t post_done_int_ena:1;
        uint32_t reserved_3:29;
    };
    uint32_t val;
 } keymng_int_ena_reg_t;
 /** Type of int_clr register
 *  Key Manager interrupt clear register.
 */
 typedef union {
    struct {
        /** prep_done_int_clr : WT; bitpos: [0]; default: 0;
         *  Set this bit to clear the km_prep_done_int interrupt
         */
        uint32_t prep_done_int_clr:1;
        /** proc_done_int_clr : WT; bitpos: [1]; default: 0;
         *  Set this bit to clear the km_proc_done_int interrupt
         */
        uint32_t proc_done_int_clr:1;
        /** post_done_int_clr : WT; bitpos: [2]; default: 0;
         *  Set this bit to clear the km_post_done_int interrupt
         */
        uint32_t post_done_int_clr:1;
        uint32_t reserved_3:29;
    };
    uint32_t val;
 } keymng_int_clr_reg_t;
 /** Group: Static configuration registers */
 /** Type of static register
 *  Key Manager static configuration register
 */
 typedef union {
    struct {
        /** use_efuse_key : R/W; bitpos: [4:0]; default: 0;
         *  Set each bit to choose efuse key instead of key manager deployed key. Each bit
         *  stands for a key type:bit 4 for psram_key; bit 3 for ds_key; bit 2 for hmac_key;
         *  bit 1 for flash_key; bit 0 for ecdsa_key
         */
        uint32_t use_efuse_key:5;
        /** rnd_switch_cycle : R/W; bitpos: [9:5]; default: 15;
         *  The core clock cycle number to sample one rng input data. Please set it bigger than
         *  the clock cycle ratio: T_rng/T_km
         */
        uint32_t rnd_switch_cycle:5;
        /** use_sw_init_key : R/W; bitpos: [10]; default: 0;
         *  Set this bit to use software written init key instead of efuse_init_key.
         */
        uint32_t use_sw_init_key:1;
        /** flash_key_len : R/W; bitpos: [11]; default: 0;
         *  Set this bit to choose flash crypt using xts-aes-256 or xts-aes-128. 1: use
         *  xts-aes-256. 0: use xts-aes-128.
         */
        uint32_t flash_key_len:1;
        /** psram_key_len : R/W; bitpos: [12]; default: 0;
         *  Set this bit to choose psram crypt using xts-aes-256 or xts-aes-128. 1: use
         *  xts-aes-256. 0: use xts-aes-128.
         */
        uint32_t psram_key_len:1;
        uint32_t reserved_13:19;
    };
    uint32_t val;
 } keymng_static_reg_t;
 /** Type of lock register
 *  Key Manager static configuration locker register
 */
 typedef union {
    struct {
        /** use_efuse_key_lock : R/W1; bitpos: [4:0]; default: 0;
         *  Write 1 to lock reg_use_efuse_key. Each bit locks the corresponding bit of
         *  reg_use_efuse_key.
         */
        uint32_t use_efuse_key_lock:5;
        /** rnd_switch_cycle_lock : R/W1; bitpos: [5]; default: 0;
         *  Write 1 to lock reg_rnd_switch_cycle.
         */
        uint32_t rnd_switch_cycle_lock:1;
        /** use_sw_init_key_lock : R/W1; bitpos: [6]; default: 0;
         *  Write 1 to lock reg_use_sw_init_key.
         */
        uint32_t use_sw_init_key_lock:1;
        /** flash_key_len_lock : R/W1; bitpos: [7]; default: 0;
         *  Write 1 to lock reg_flash_key_len.
         */
        uint32_t flash_key_len_lock:1;
        /** psram_key_len_lock : R/W1; bitpos: [8]; default: 0;
         *  Write 1 to lock reg_psram_key_len.
         */
        uint32_t psram_key_len_lock:1;
        uint32_t reserved_9:23;
    };
    uint32_t val;
 } keymng_lock_reg_t;
 /** Group: Configuration registers */
 /** Type of conf register
 *  Key Manager configuration register
 */
 typedef union {
    struct {
        /** kgen_mode : R/W; bitpos: [2:0]; default: 0;
         *  Set this field to choose the key generator deployment mode. 0: random mode. 1: AES
         *  mode. 2: ECDH0 mode. 3: ECDH1 mode. 4: recover mode. 5: export mode. 6-7: reserved.
         */
        uint32_t kgen_mode:3;
        /** key_purpose : R/W; bitpos: [6:3]; default: 0;
         *  Set this field to choose the key purpose. 1: ecdsa_key_192. 2: ecdsa_key_256. 3:
         *  flash_256_1_key. 4: flash_256_2_key. 5: flash_128_key. 6: hmac_key. 7: ds_key. 8:
         *  psram_256_1_key. 9: psram_256_2_key. 10: psram_128_key. 11: ecdsa_key_384_l. 12:
         *  ecdsa_key_384_h. Others: reserved.
         */
        uint32_t key_purpose:4;
        uint32_t reserved_7:25;
    };
    uint32_t val;
 } keymng_conf_reg_t;
 /** Group: Control registers */
 /** Type of start register
 *  Key Manager control register
 */
 typedef union {
    struct {
        /** start : WT; bitpos: [0]; default: 0;
         *  Write 1 to conti Key Manager operation at LOAD/GAIN state.
         */
        uint32_t start:1;
        /** conti : WT; bitpos: [1]; default: 0;
         *  Write 1 to start Key Manager at IDLE state.
         */
        uint32_t conti:1;
        uint32_t reserved_2:30;
    };
    uint32_t val;
 } keymng_start_reg_t;
 /** Group: State registers */
 /** Type of state register
 *  Key Manager state register
 */
 typedef union {
    struct {
        /** state : RO; bitpos: [1:0]; default: 0;
         *  The state of Key Manager. 0: IDLE. 1: LOAD. 2: GAIN. 3: BUSY.
         */
        uint32_t state:2;
        uint32_t reserved_2:30;
    };
    uint32_t val;
 } keymng_state_reg_t;
 /** Group: Result registers */
 /** Type of result register
 *  Key Manager operation result register
 */
 typedef union {
    struct {
        /** proc_result : RO/SS; bitpos: [0]; default: 0;
         *  The procedure result bit of Key Manager, only valid when Key Manager procedure is
         *  done. 1: Key Manager procedure succeeded. 0: Key Manager procedure failed.
         */
        uint32_t proc_result:1;
        uint32_t reserved_1:31;
    };
    uint32_t val;
 } keymng_result_reg_t;
 /** Type of key_vld register
 *  Key Manager key status register
 */
 typedef union {
    struct {
        /** key_ecdsa_192_vld : RO; bitpos: [0]; default: 0;
         *  The status bit for key_ecdsa_192.   1: The key has been deployed correctly. 0: The
         *  key has not been deployed yet.
         */
        uint32_t key_ecdsa_192_vld:1;
        /** key_ecdsa_256_vld : RO; bitpos: [1]; default: 0;
         *  The status bit for key_ecdsa_256.   1: The key has been deployed correctly. 0: The
         *  key has not been deployed yet.
         */
        uint32_t key_ecdsa_256_vld:1;
        /** key_flash_vld : RO; bitpos: [2]; default: 0;
         *  The status bit for key_flash.     1: The key has been deployed correctly. 0: The
         *  key has not been deployed yet.
         */
        uint32_t key_flash_vld:1;
        /** key_hmac_vld : RO; bitpos: [3]; default: 0;
         *  The status bit for key_hmac.    1: The key has been deployed correctly. 0: The key
         *  has not been deployed yet.
         */
        uint32_t key_hmac_vld:1;
        /** key_ds_vld : RO; bitpos: [4]; default: 0;
         *  The status bit for key_ds.         1: The key has been deployed correctly. 0: The
         *  key has not been deployed yet.
         */
        uint32_t key_ds_vld:1;
        /** key_psram_vld : RO; bitpos: [5]; default: 0;
         *  The status bit for key_psram.   1: The key has been deployed correctly. 0: The key
         *  has not been deployed yet.
         */
        uint32_t key_psram_vld:1;
        /** key_ecdsa_384_vld : RO; bitpos: [6]; default: 0;
         *  The status bit for key_ecdsa_384.   1: The key has been deployed correctly. 0: The
         *  key has not been deployed yet.
         */
        uint32_t key_ecdsa_384_vld:1;
        uint32_t reserved_7:25;
    };
    uint32_t val;
 } keymng_key_vld_reg_t;
 /** Type of huk_vld register
 *  Key Manager HUK status register
 */
 typedef union {
    struct {
        /** huk_valid : RO; bitpos: [0]; default: 0;
         *  The HUK status. 0: HUK is not valid. 1: HUK is valid.
         */
        uint32_t huk_valid:1;
        uint32_t reserved_1:31;
    };
    uint32_t val;
 } keymng_huk_vld_reg_t;
 /** Group: Version register */
 /** Type of date register
 *  Version control register
 */
 typedef union {
    struct {
        /** date : R/W; bitpos: [27:0]; default: 37781824;
         *  Key Manager version control register.
         */
        uint32_t date:28;
        uint32_t reserved_28:4;
    };
    uint32_t val;
 } keymng_date_reg_t;
 typedef struct {
    uint32_t reserved_000;
    volatile keymng_clk_reg_t clk;
    volatile keymng_int_raw_reg_t int_raw;
    volatile keymng_int_st_reg_t int_st;
    volatile keymng_int_ena_reg_t int_ena;
    volatile keymng_int_clr_reg_t int_clr;
    volatile keymng_static_reg_t static_conf;
    volatile keymng_lock_reg_t lock;
    volatile keymng_conf_reg_t conf;
    volatile keymng_start_reg_t start;
    volatile keymng_state_reg_t state;
    volatile keymng_result_reg_t result;
    volatile keymng_key_vld_reg_t key_vld;
    volatile keymng_huk_vld_reg_t huk_vld;
    uint32_t reserved_038[49];
    volatile keymng_date_reg_t date;
    volatile uint32_t assist_info[16];
    volatile uint32_t public_info[16];
    volatile uint32_t sw_init_key[8];
 } keymng_dev_t;
 extern keymng_dev_t KEYMNG;
 #ifndef __cplusplus
 _Static_assert(sizeof(keymng_dev_t) == 0x1a0, "Invalid size of keymng_dev_t structure");
 #endif
 #ifdef __cplusplus
 }
 #endif
--- a/components/soc/esp32p4/include/soc/Kconfig.soc_caps.in
+++ b/components/soc/esp32p4/include/soc/Kconfig.soc_caps.in
@@ -1839,6 +1839,10 @@ config SOC_EFUSE_ECDSA_KEY
    bool
    default y
 config SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT
    bool
    default y
 config SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY
    bool
    default y
--- a/components/soc/esp32p4/include/soc/soc_caps.h
+++ b/components/soc/esp32p4/include/soc/soc_caps.h
@@ -673,8 +673,10 @@
 #define SOC_EFUSE_ECDSA_KEY 1
 /*-------------------------- Key Manager CAPS----------------------------*/
-#define SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY    1 /*!< Key manager responsible to deploy ECDSA key */
+#define SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT  1 /*!< Key manager supports key deployment */
-#define SOC_KEY_MANAGER_FE_KEY_DEPLOY       1 /*!< Key manager responsible to deploy Flash Encryption key */
+#define SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY        1 /*!< Key manager responsible to deploy ECDSA key */
 #define SOC_KEY_MANAGER_FE_KEY_DEPLOY           1 /*!< Key manager responsible to deploy Flash Encryption key */
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_RSA              1
 #define SOC_SECURE_BOOT_V2_ECC              1
--- a/components/soc/esp32p4/register/soc/keymng_reg.h
+++ b/components/soc/esp32p4/register/soc/keymng_reg.h
@@ -1,5 +1,5 @@
 /**
- * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
 *
 *  SPDX-License-Identifier: Apache-2.0
 */
@@ -239,6 +239,21 @@ extern "C" {
 #define KEYMNG_KEY_PURPOSE_V  0x0000000FU
 #define KEYMNG_KEY_PURPOSE_S  3
 #define KEYMNG_KEY_PURPOSE_ECDSA    (BIT(0))
 #define KEYMNG_KEY_PURPOSE_ECDSA_M  (KEYMNG_KEY_PURPOSE_ECDSA_V << KEYMNG_KEY_PURPOSE_ECDSA_S)
 #define KEYMNG_KEY_PURPOSE_ECDSA_V  0x00000001U
 #define KEYMNG_KEY_PURPOSE_ECDSA_S  0
 #define KEYMNG_KEY_PURPOSE_XTS_AES_256_1    (BIT(1))
 #define KEYMNG_KEY_PURPOSE_XTS_AES_256_1_M  (KEYMNG_KEY_PURPOSE_XTS_AES_256_1_V << KEYMNG_KEY_PURPOSE_XTS_AES_256_1_S)
 #define KEYMNG_KEY_PURPOSE_XTS_AES_256_1_V  0x00000001U
 #define KEYMNG_KEY_PURPOSE_XTS_AES_256_1_S  1
 #define KEYMNG_KEY_PURPOSE_XTS_AES_256_2    (BIT(2))
 #define KEYMNG_KEY_PURPOSE_XTS_AES_256_2_M  (KEYMNG_KEY_PURPOSE_XTS_AES_256_2_V << KEYMNG_KEY_PURPOSE_XTS_AES_256_2_S)
 #define KEYMNG_KEY_PURPOSE_XTS_AES_256_2_V  0x00000001U
 #define KEYMNG_KEY_PURPOSE_XTS_AES_256_2_S  2
 /** KEYMNG_START_REG register
 *  Key Manager control register
 */
		`@@ -0,0 +1 @@`
							`<EFBFBD><<3C>C<EFBFBD><43>K%[~<7E>W<EFBFBD><57>E<>v<EFBFBD>N.U<>%<25><>`
		`@@ -0,0 +1 @@`
							`,<2C><><EFBFBD>B<10>b<EFBFBD><62><EFBFBD>:<3A><13>ps<70>x<EFBFBD><78>c<EFBFBD>H<EFBFBD>K<EFBFBD>{`
		`@@ -0,0 +1 @@`
							`!<21>V1,J<>8~f<><2A>D<EFBFBD>_<EFBFBD><2A>B+<2B>(7<><16>X(<28>`
		`@@ -0,0 +1 @@`
							`<EFBFBD>y/<2F>A╙<08>fI<0E>B<EFBFBD>XR<10>Fn&<26>S&6l<36><6C>V`