fix(security): Fixed flash encryption for esp32p4

The flash encryption on esp32p4 was broken due to some code related to key manager not being executed when key manager support was disabled on esp32p4 target. This commit fixes that behaviour Additionally, the atomic env enablement for key_mgr_ll_enable_peripheral_clock was fixed.
2025-08-14 22:16:46 +00:00 · 2024-08-22 16:12:33 +05:30
parent 53b7d63ba5
commit d1c47835a2
7 changed files with 57 additions and 37 deletions
--- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c
@@ -17,16 +17,15 @@
 #include "hal/wdt_hal.h"

 // Need to remove check and merge accordingly for ESP32C5 once key manager support added in IDF-8621
-#if SOC_KEY_MANAGER_SUPPORTED || CONFIG_IDF_TARGET_ESP32C5
+#if SOC_KEY_MANAGER_FE_KEY_DEPLOY || CONFIG_IDF_TARGET_ESP32C5
 #if CONFIG_IDF_TARGET_ESP32C5
 #include "soc/keymng_reg.h"
-#include "hal/key_mgr_types.h"
 #include "soc/pcr_reg.h"
-#else
-#include "hal/key_mgr_hal.h"
+#else /* CONFIG_IDF_TARGET_ESP32C5 */
+#include "hal/key_mgr_ll.h"
 #include "hal/mspi_timing_tuning_ll.h"
-#endif /* CONFIG_IDF_TARGET_ESP32C5 */
-#endif
+#endif /* !CONFIG_IDF_TARGET_ESP32C5 */
+#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY */

 #ifdef CONFIG_SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
 #include "soc/sensitive_reg.h"
@@ -223,17 +222,25 @@ static esp_err_t check_and_generate_encryption_keys(void)
        ESP_LOGI(TAG, "Using pre-loaded flash encryption key in efuse");
    }
 // Need to remove check for ESP32C5 and merge accordingly once key manager support added in IDF-8621
-#if SOC_KEY_MANAGER_SUPPORTED || CONFIG_IDF_TARGET_ESP32C5
+#if SOC_KEY_MANAGER_FE_KEY_DEPLOY || CONFIG_IDF_TARGET_ESP32C5
 #if CONFIG_IDF_TARGET_ESP32C5
    REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 2);
    REG_SET_BIT(PCR_MSPI_CLK_CONF_REG, PCR_MSPI_AXI_RST_EN);
    REG_CLR_BIT(PCR_MSPI_CLK_CONF_REG, PCR_MSPI_AXI_RST_EN);
-#else
+#else /* CONFIG_IDF_TARGET_ESP32C5 */
+    // Enable and reset key manager
+    // To suppress build errors about spinlock's __DECLARE_RCC_ATOMIC_ENV
+    int __DECLARE_RCC_ATOMIC_ENV __attribute__ ((unused));
+    key_mgr_ll_enable_bus_clock(true);
+    key_mgr_ll_enable_peripheral_clock(true);
+    key_mgr_ll_reset_register();
+    while (key_mgr_ll_get_state() != ESP_KEY_MGR_STATE_IDLE) {
+    };
    // Force Key Manager to use eFuse key for XTS-AES operation
-    key_mgr_hal_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
+    key_mgr_ll_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
    _mspi_timing_ll_reset_mspi();
-#endif /* CONFIG_IDF_TARGET_ESP32C5 */
-#endif
+#endif /* !CONFIG_IDF_TARGET_ESP32C5 */
+#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY */

    return ESP_OK;
 }