bootloader_support(esp32c2): Fix WR_DIS_RD_DIS burn for secure boot key

SB key is left readable, the corresponding bit in RD_DIS is unset.
We set write-protection for RD_DIS to ensure that the SB key is always readable.

components/bootloader_support/src/esp32c2/secure_boot_secure_features.c

@@ -45,5 +45,17 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
 
     esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN);
 
+#ifndef CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS
+    // Secure boot and Flash encryption share one eFuse key block so they can not be set separately.
+    // CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER option is used to burn SB and FE at the same time.
+    // SB key is readable, the corresponding bit in RD_DIS is unset.
+    //   We set write-protection for RD_DIS to ensure that the SB key is always readable.
+    // FE key is read-protected, the corresponding bit in RD_DIS is set.
+    ESP_LOGI(TAG, "Prevent read disabling of additional efuses...");
+    esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
+#else
+    ESP_LOGW(TAG, "Allowing read disabling of additional efuses - SECURITY COMPROMISED");
+#endif
+
     return ESP_OK;
 }