refactor(esp_system): Place all memory protection options under one option

components/esp_system/Kconfig

@@ -157,59 +157,65 @@ menu "ESP System Settings"
 
     endchoice
 
-    menu "Memory protection"
+    config ESP_SYSTEM_MEMPROT
-
+        bool "Enable memory protection"
-        config ESP_SYSTEM_PMP_IDRAM_SPLIT
+        default y
-            bool "Enable IRAM/DRAM split protection"
+        depends on SOC_CPU_IDRAM_SPLIT_USING_PMP || SECURE_ENABLE_TEE || SOC_MEMPROT_SUPPORTED
-            depends on SOC_CPU_IDRAM_SPLIT_USING_PMP && !SECURE_ENABLE_TEE
-            default "y"
         help
-                If enabled, the CPU watches all the memory access and raises an exception in case
+            This option enables memory protection for the valid memory regions.
-                of any memory violation. This feature automatically splits
+            This feature also automatically splits the ROM, RAM and flash memory into data and
-                the SRAM memory, using PMP, into data and instruction segments and sets Read/Execute permissions
+            instruction segments and sets Read/Execute permissions for the instruction part
-                for the instruction part (below given splitting address) and Read/Write permissions
+            (below given splitting address) and Read/Write permissions for the data part
-                for the data part (above the splitting address). The memory protection is effective
+            (above the splitting address). The memory protection is effective on all access
-                on all access through the IRAM0 and DRAM0 buses.
+            through the IRAM0 and DRAM0 buses.
 
-        config ESP_SYSTEM_PMP_LP_CORE_RESERVE_MEM_EXECUTABLE
+    choice ESP_SYSTEM_MEMPROT_MODE
+        prompt "Memory Protection configurations"
+        depends on ESP_SYSTEM_MEMPROT
+        default ESP_SYSTEM_MEMPROT_TEE if SECURE_ENABLE_TEE
+        default ESP_SYSTEM_MEMPROT_PMP if SOC_CPU_IDRAM_SPLIT_USING_PMP && !SECURE_ENABLE_TEE
+        default ESP_SYSTEM_MEMPROT_PMS if SOC_MEMPROT_SUPPORTED
+
+        config ESP_SYSTEM_MEMPROT_PMS
+            bool "Enable Permission Control Module (PMS) configurations"
+            depends on SOC_MEMPROT_SUPPORTED
+            help
+                    This option enables memory protection using the Permission Control Module (PMS).
+
+        config ESP_SYSTEM_MEMPROT_PMP
+            bool "Enable CPU's Physical Memory Protection (PMP) configurations"
+            depends on SOC_CPU_IDRAM_SPLIT_USING_PMP && !SECURE_ENABLE_TEE
+            help
+                    This option enables memory protection using CPU PMP.
+
+        config ESP_SYSTEM_MEMPROT_TEE
+            bool "Enable Trusted Execution Environment (TEE) configurations"
+            depends on SECURE_ENABLE_TEE
+            help
+                    This option enables the default memory protection provided by TEE.
+
+    endchoice
+
+
+    config ESP_SYSTEM_MEMPROT_PMS_LOCK
+        bool "Lock memory protection settings"
+        depends on ESP_SYSTEM_MEMPROT && ESP_SYSTEM_MEMPROT_PMS
+        default y
+        help
+                Once locked, memory protection settings cannot be changed anymore.
+                The lock is reset only on the chip startup.
+
+
+    config ESP_SYSTEM_MEMPROT_PMP_LP_CORE_RESERVE_MEM_EXEC
         bool "Make LP core reserved memory executable from HP core"
-            depends on IDF_TARGET_ARCH_RISCV && SOC_LP_CORE_SUPPORTED && ESP_SYSTEM_PMP_IDRAM_SPLIT
+        depends on ESP_SYSTEM_MEMPROT&& IDF_TARGET_ARCH_RISCV && SOC_LP_CORE_SUPPORTED && ESP_SYSTEM_MEMPROT_PMP
-            default "n"
+        default n
         help
                 If enabled, user can run code available in LP Core image.
 
                 Warning: on ESP32-P4 this will also mark the memory area used for BOOTLOADER_RESERVE_RTC_MEM
                 as executable. If you consider this a security risk then do not activate this option.
 
-        config ESP_SYSTEM_MEMPROT_FEATURE_VIA_TEE
-            bool "Enable memory protection (via TEE)"
-            depends on SECURE_ENABLE_TEE
-            default "y"
-            help
-                This option enables the default memory protection provided by TEE.
-
-        config ESP_SYSTEM_MEMPROT_FEATURE
-            bool "Enable memory protection"
-            depends on SOC_MEMPROT_SUPPORTED
-            default "y"
-            help
-                If enabled, the permission control module watches all the memory access and fires the panic handler
-                if a permission violation is detected. This feature automatically splits
-                the SRAM memory into data and instruction segments and sets Read/Execute permissions
-                for the instruction part (below given splitting address) and Read/Write permissions
-                for the data part (above the splitting address). The memory protection is effective
-                on all access through the IRAM0 and DRAM0 buses.
-
-        config ESP_SYSTEM_MEMPROT_FEATURE_LOCK
-            depends on ESP_SYSTEM_MEMPROT_FEATURE
-            bool "Lock memory protection settings"
-            default "y"
-            help
-                Once locked, memory protection settings cannot be changed anymore.
-                The lock is reset only on the chip startup.
-
-    endmenu  # Memory protection
-
     config ESP_SYSTEM_EVENT_QUEUE_SIZE
         int "System event queue size"
         default 32

components/esp_system/sdkconfig.rename

@@ -40,3 +40,9 @@ CONFIG_BROWNOUT_DET_LVL_SEL_5                           CONFIG_ESP_BROWNOUT_DET_
 CONFIG_BROWNOUT_DET_LVL_SEL_6                           CONFIG_ESP_BROWNOUT_DET_LVL_SEL_6
 CONFIG_BROWNOUT_DET_LVL_SEL_7                           CONFIG_ESP_BROWNOUT_DET_LVL_SEL_7
 CONFIG_BROWNOUT_DET_LVL                                 CONFIG_ESP_BROWNOUT_DET_LVL
+
+CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT                       CONFIG_ESP_SYSTEM_MEMPROT
+CONFIG_ESP_SYSTEM_PMP_LP_CORE_RESERVE_MEM_EXECUTABLE    CONFIG_ESP_SYSTEM_MEMPROT_PMP_LP_CORE_RESERVE_MEM_EXEC
+CONFIG_ESP_SYSTEM_MEMPROT_FEATURE_VIA_TEE               CONFIG_ESP_SYSTEM_MEMPROT
+CONFIG_ESP_SYSTEM_MEMPROT_FEATURE                       CONFIG_ESP_SYSTEM_MEMPROT
+CONFIG_ESP_SYSTEM_MEMPROT_FEATURE_LOCK                  CONFIG_ESP_SYSTEM_MEMPROT_PMS_LOCK

components/esp_system/sdkconfig.rename.esp32c3

@@ -1,8 +1,8 @@
 # sdkconfig replacement configurations for deprecated options formatted as
 # CONFIG_DEPRECATED_OPTION CONFIG_NEW_OPTION
 
-CONFIG_ESP32C3_MEMPROT_FEATURE                          CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
+CONFIG_ESP32C3_MEMPROT_FEATURE                          CONFIG_ESP_SYSTEM_MEMPROT
-CONFIG_ESP32C3_MEMPROT_FEATURE_LOCK                     CONFIG_ESP_SYSTEM_MEMPROT_FEATURE_LOCK
+CONFIG_ESP32C3_MEMPROT_FEATURE_LOCK                     CONFIG_ESP_SYSTEM_MEMPROT_PMS_LOCK
 CONFIG_ESP32C3_DEBUG_OCDAWARE                           CONFIG_ESP_DEBUG_OCDAWARE
 
 CONFIG_ESP32C3_BROWNOUT_DET                             CONFIG_ESP_BROWNOUT_DET

components/esp_system/sdkconfig.rename.esp32s2

@@ -6,8 +6,8 @@ CONFIG_ESP32S2_PANIC_PRINT_HALT                         CONFIG_ESP_SYSTEM_PANIC_
 CONFIG_ESP32S2_PANIC_PRINT_REBOOT                       CONFIG_ESP_SYSTEM_PANIC_PRINT_REBOOT
 CONFIG_ESP32S2_PANIC_SILENT_REBOOT                      CONFIG_ESP_SYSTEM_PANIC_SILENT_REBOOT
 CONFIG_ESP32S2_PANIC_GDBSTUB                            CONFIG_ESP_SYSTEM_PANIC_GDBSTUB
-CONFIG_ESP32S2_MEMPROT_FEATURE                          CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
+CONFIG_ESP32S2_MEMPROT_FEATURE                          CONFIG_ESP_SYSTEM_MEMPROT
-CONFIG_ESP32S2_MEMPROT_FEATURE_LOCK                     CONFIG_ESP_SYSTEM_MEMPROT_FEATURE_LOCK
+CONFIG_ESP32S2_MEMPROT_FEATURE_LOCK                     CONFIG_ESP_SYSTEM_MEMPROT_PMS_LOCK
 CONFIG_ESP32S2_ALLOW_RTC_FAST_MEM_AS_HEAP               CONFIG_ESP_SYSTEM_ALLOW_RTC_FAST_MEM_AS_HEAP
 CONFIG_ESP32S2_DEBUG_OCDAWARE                           CONFIG_ESP_DEBUG_OCDAWARE
 CONFIG_ESP32S2_NO_BLOBS                                 CONFIG_APP_NO_BLOBS

components/esp_tee/Kconfig.projbuild

@@ -3,7 +3,6 @@ menu "ESP-TEE (Trusted Execution Environment)"
 
     config SECURE_ENABLE_TEE
         bool "Enable the ESP-TEE framework"
-        select ESP_SYSTEM_MEMPROT_FEATURE_VIA_TEE
         help
             This configuration enables the Trusted Execution Environment (TEE) feature.