feat(bootloader_support): Permanently enable pseudo rounds function for XTS-AES during start-up

components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c

@@ -4,15 +4,17 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
+#include <stdint.h>
 #include <strings.h>
 #include "esp_flash_encrypt.h"
 #include "esp_secure_boot.h"
 #include "esp_efuse.h"
 #include "esp_efuse_table.h"
 #include "esp_log.h"
-#include "sdkconfig.h"
 #include "hal/key_mgr_ll.h"
 #include "hal/mspi_timing_tuning_ll.h"
+#include "soc/soc_caps.h"
+#include "sdkconfig.h"
 
 static __attribute__((unused)) const char *TAG = "flash_encrypt";
 
@@ -42,6 +44,12 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 
     esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
 
+#if defined(CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE) && defined(SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND)
+    ESP_LOGI(TAG, "Enable XTS-AES pseudo rounds function...");
+    uint8_t xts_pseudo_level = CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH;
+    esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);
+#endif
+
 #if defined(CONFIG_SECURE_BOOT_V2_ENABLED) && !defined(CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS)
     // This bit is set when enabling Secure Boot V2, but we can't enable it until this later point in the first boot
     // otherwise the Flash Encryption key cannot be read protected