Merge branch 'feature/security_soc_capabilities' into 'master'

soc: add security features related capabilities

Closes IDF-4854

See merge request espressif/esp-idf!17632

components/bootloader/Kconfig.projbuild

@@ -437,15 +437,21 @@ menu "Security features"
         select MBEDTLS_ECDSA_C
         depends on SECURE_SIGNED_ON_BOOT || SECURE_SIGNED_ON_UPDATE
 
-    config SECURE_BOOT_SUPPORTS_RSA
+    config SECURE_BOOT_V2_RSA_SUPPORTED
         bool
         default y
-        depends on ESP32_REV_MIN_3 || IDF_TARGET_ESP32S2 || IDF_TARGET_ESP32C3 || IDF_TARGET_ESP32S3
+        # RSA secure boot is supported in ESP32 revision >= ECO3
+        depends on ESP32_REV_MIN >= 3 || SOC_SECURE_BOOT_V2_RSA
 
-    config SECURE_TARGET_HAS_SECURE_ROM_DL_MODE
+    config SECURE_BOOT_V1_SUPPORTED
         bool
         default y
-        depends on IDF_TARGET_ESP32S2 || IDF_TARGET_ESP32C3 || IDF_TARGET_ESP32S3
+        depends on SOC_SECURE_BOOT_V1
+
+    config SECURE_BOOT_V2_PREFERRED
+        bool
+        default y
+        depends on ESP32_REV_MIN >= 3
 
 
     config SECURE_SIGNED_APPS_NO_SECURE_BOOT
@@ -474,7 +480,7 @@ menu "Security features"
 
         config SECURE_SIGNED_APPS_ECDSA_SCHEME
             bool "ECDSA"
-            depends on IDF_TARGET_ESP32 && (SECURE_SIGNED_APPS_NO_SECURE_BOOT || SECURE_BOOT_V1_ENABLED)
+            depends on SECURE_BOOT_V1_SUPPORTED && (SECURE_SIGNED_APPS_NO_SECURE_BOOT || SECURE_BOOT_V1_ENABLED)
             help
                 Embeds the ECDSA public key in the bootloader and signs the application with an ECDSA key.
 
@@ -482,7 +488,7 @@ menu "Security features"
 
         config SECURE_SIGNED_APPS_RSA_SCHEME
             bool "RSA"
-            depends on SECURE_BOOT_SUPPORTS_RSA && (SECURE_SIGNED_APPS_NO_SECURE_BOOT || SECURE_BOOT_V2_ENABLED)
+            depends on SECURE_BOOT_V2_RSA_SUPPORTED && (SECURE_SIGNED_APPS_NO_SECURE_BOOT || SECURE_BOOT_V2_ENABLED)
             help
                 Appends the RSA-3072 based Signature block to the application.
                 Refer to <Secure Boot Version 2 documentation link> before enabling.
@@ -517,7 +523,8 @@ menu "Security features"
     config SECURE_BOOT
         bool "Enable hardware Secure Boot in bootloader (READ DOCS FIRST)"
         default n
-        depends on IDF_TARGET_ESP32 || IDF_TARGET_ESP32S2 || ESP32C3_REV_MIN >= 3 || IDF_TARGET_ESP32S3
+        # Secure boot is not supported for ESP32-C3 revision < ECO3
+        depends on SOC_SECURE_BOOT_SUPPORTED && !(IDF_TARGET_ESP32C3 && ESP32C3_REV_MIN < 3)
         select ESPTOOLPY_NO_STUB if !IDF_TARGET_ESP32 && !IDF_TARGET_ESP32S2
         help
             Build a bootloader which enables Secure Boot on first boot.
@@ -530,7 +537,7 @@ menu "Security features"
 
     choice SECURE_BOOT_VERSION
         bool "Select secure boot version"
-        default SECURE_BOOT_V2_ENABLED if ESP32_REV_MIN_3
+        default SECURE_BOOT_V2_ENABLED if SECURE_BOOT_V2_PREFERRED
         depends on SECURE_BOOT
         help
             Select the Secure Boot Version. Depends on the Chip Revision.
@@ -541,14 +548,14 @@ menu "Security features"
 
         config SECURE_BOOT_V1_ENABLED
             bool "Enable Secure Boot version 1"
-            depends on IDF_TARGET_ESP32
+            depends on SECURE_BOOT_V1_SUPPORTED
             help
                 Build a bootloader which enables secure boot version 1 on first boot.
                 Refer to the Secure Boot section of the ESP-IDF Programmer's Guide for this version before enabling.
 
         config SECURE_BOOT_V2_ENABLED
             bool "Enable Secure Boot version 2"
-            depends on SECURE_BOOT_SUPPORTS_RSA
+            depends on SECURE_BOOT_V2_RSA_SUPPORTED
             help
                 Build a bootloader which enables Secure Boot version 2 on first boot.
                 Refer to Secure Boot V2 section of the ESP-IDF Programmer's Guide for this version before enabling.
@@ -632,7 +639,7 @@ menu "Security features"
 
     config SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE
         bool "Enable Aggressive key revoke strategy"
-        depends on SECURE_BOOT && (IDF_TARGET_ESP32S2 || IDF_TARGET_ESP32C3 || IDF_TARGET_ESP32S3)
+        depends on SECURE_BOOT && SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
         default N
         help
             If this option is set, ROM bootloader will revoke the public key digest burned in efuse block
@@ -697,7 +704,7 @@ menu "Security features"
     choice SECURE_FLASH_ENCRYPTION_KEYSIZE
         bool "Size of generated AES-XTS key"
         default SECURE_FLASH_ENCRYPTION_AES128
-        depends on (IDF_TARGET_ESP32S2 || IDF_TARGET_ESP32S3 || IDF_TARGET_ESP32C2) && SECURE_FLASH_ENC_ENABLED
+        depends on SOC_FLASH_ENCRYPTION_XTS_AES_256 && SECURE_FLASH_ENC_ENABLED
         help
             Size of generated AES-XTS key.
 
@@ -709,11 +716,9 @@ menu "Security features"
 
         config SECURE_FLASH_ENCRYPTION_AES128
             bool "AES-128 (256-bit key)"
-            depends on !IDF_TARGET_ESP32C2 # TODO: IDF-3899
 
         config SECURE_FLASH_ENCRYPTION_AES256
             bool "AES-256 (512-bit key)"
-            depends on !IDF_TARGET_ESP32C2 # TODO: IDF-3899
     endchoice
 
     choice SECURE_FLASH_ENCRYPTION_MODE
@@ -813,7 +818,7 @@ menu "Security features"
 
         config SECURE_BOOT_ALLOW_UNUSED_DIGEST_SLOTS
             bool "Leave unused digest slots available (not revoke)"
-            depends on SECURE_BOOT_INSECURE && !IDF_TARGET_ESP32
+            depends on SECURE_BOOT_INSECURE && SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS
             default N
             help
                 If not set (default), during startup in the app all unused digest slots will be revoked.
@@ -882,7 +887,7 @@ menu "Security features"
 
     config SECURE_ROM_DL_MODE_ENABLED
         bool
-        default y if SECURE_TARGET_HAS_SECURE_ROM_DL_MODE && !SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+        default y if SOC_SUPPORTS_SECURE_DL_MODE && !SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
 
     choice SECURE_UART_ROM_DL_MODE
         bool "UART ROM download mode"
@@ -908,7 +913,7 @@ menu "Security features"
 
         config SECURE_ENABLE_SECURE_ROM_DL_MODE
             bool "UART ROM download mode (Permanently switch to Secure mode (recommended))"
-            depends on SECURE_TARGET_HAS_SECURE_ROM_DL_MODE
+            depends on SOC_SUPPORTS_SECURE_DL_MODE
             select ESPTOOLPY_NO_STUB
             help
                 If set, during startup the app will burn an eFuse bit to permanently switch the UART ROM

components/soc/esp32/include/soc/Kconfig.soc_caps.in

@@ -75,10 +75,6 @@ config SOC_CCOMP_TIMER_SUPPORTED
     bool
     default y
 
-config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS
-    bool
-    default y
-
 config SOC_RTC_FAST_MEM_SUPPORTED
     bool
     default y
@@ -115,6 +111,14 @@ config SOC_SHA_SUPPORTED
     bool
     default y
 
+config SOC_FLASH_ENC_SUPPORTED
+    bool
+    default y
+
+config SOC_SECURE_BOOT_SUPPORTED
+    bool
+    default y
+
 config SOC_ADC_RTC_CTRL_SUPPORTED
     bool
     default y
@@ -571,6 +575,14 @@ config SOC_AES_SUPPORT_AES_256
     bool
     default y
 
+config SOC_SECURE_BOOT_V1
+    bool
+    default y
+
+config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS
+    bool
+    default y
+
 config SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX
     int
     default 32

components/soc/esp32/include/soc/soc_caps.h

@@ -78,7 +78,6 @@
 #define SOC_CPU_CORES_NUM           2
 #define SOC_ULP_SUPPORTED           1
 #define SOC_CCOMP_TIMER_SUPPORTED   1
-#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 1
 #define SOC_RTC_FAST_MEM_SUPPORTED        1
 #define SOC_RTC_SLOW_MEM_SUPPORTED        1
 #define SOC_I2S_SUPPORTED           1
@@ -88,6 +87,8 @@
 #define SOC_AES_SUPPORTED           1
 #define SOC_MPI_SUPPORTED           1
 #define SOC_SHA_SUPPORTED           1
+#define SOC_FLASH_ENC_SUPPORTED     1
+#define SOC_SECURE_BOOT_SUPPORTED   1
 
 /*-------------------------- ADC CAPS ----------------------------------------*/
 /**
@@ -319,6 +320,15 @@
 #define SOC_AES_SUPPORT_AES_192 (1)
 #define SOC_AES_SUPPORT_AES_256 (1)
 
+/*-------------------------- Secure Boot CAPS----------------------------*/
+/*
+ * ESP32 ECO3 revision also supports `SOC_SECURE_BOOT_V2_RSA` but for that we will need selected ECO
+ * version from `Kconfig`, which is not possible while generating `Kconfig.soc_caps.in` from this header.
+ * Hence, for now we are handling this special capability in bootloader "security" configuration itself.
+ */
+#define SOC_SECURE_BOOT_V1                  1
+#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS   1
+
 /*-------------------------- Flash Encryption CAPS----------------------------*/
 #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX   (32)
 

components/soc/esp32c2/include/soc/Kconfig.soc_caps.in

@@ -35,14 +35,6 @@ config SOC_SUPPORTS_SECURE_DL_MODE
     bool
     default y
 
-config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS
-    bool
-    default y
-
-config SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS
-    bool
-    default n
-
 config SOC_EFUSE_KEY_PURPOSE_FIELD
     bool
     default n
@@ -59,19 +51,19 @@ config SOC_RTC_SLOW_MEM_SUPPORTED
     bool
     default n
 
-config SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
+config SOC_SHA_SUPPORTED
     bool
     default n
 
-config SOC_FLASH_ENCRYPTION_XTS_AES
+config SOC_ECC_SUPPORTED
     bool
     default y
 
-config SOC_SHA_SUPPORTED
+config SOC_FLASH_ENC_SUPPORTED
     bool
-    default n
+    default y
 
-config SOC_ECC_SUPPORTED
+config SOC_SECURE_BOOT_SUPPORTED
     bool
     default y
 
@@ -431,10 +423,26 @@ config SOC_TOUCH_SENSOR_NUM
     int
     default 0
 
+config SOC_SECURE_BOOT_V2_ECC
+    bool
+    default y
+
+config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS
+    bool
+    default y
+
 config SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX
     int
     default 32
 
+config SOC_FLASH_ENCRYPTION_XTS_AES
+    bool
+    default y
+
+config SOC_FLASH_ENCRYPTION_XTS_AES_128
+    bool
+    default n
+
 config SOC_UART_NUM
     int
     default 2

components/soc/esp32c2/include/soc/soc_caps.h

@@ -33,16 +33,15 @@
 #define SOC_WIFI_SUPPORTED              0 // Enable during bringup, IDF-3905
 #define SOC_ASYNC_MEMCPY_SUPPORTED      1
 #define SOC_SUPPORTS_SECURE_DL_MODE     1
-#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 1
-#define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS 0
 #define SOC_EFUSE_KEY_PURPOSE_FIELD     0
 #define SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK 1
 #define SOC_RTC_FAST_MEM_SUPPORTED      0
 #define SOC_RTC_SLOW_MEM_SUPPORTED      0
-#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY             0
-#define SOC_FLASH_ENCRYPTION_XTS_AES    1
+
 #define SOC_SHA_SUPPORTED               0 // This will be enabled with IDF-3830
 #define SOC_ECC_SUPPORTED               1
+#define SOC_FLASH_ENC_SUPPORTED         1
+#define SOC_SECURE_BOOT_SUPPORTED       1
 
 /*-------------------------- ADC CAPS -------------------------------*/
 /*!< SAR ADC Module*/
@@ -224,8 +223,14 @@
 /*-------------------------- TOUCH SENSOR CAPS -------------------------------*/
 #define SOC_TOUCH_SENSOR_NUM            (0U)    /*! No touch sensors on ESP32-C2 */
 
+/*-------------------------- Secure Boot CAPS----------------------------*/
+#define SOC_SECURE_BOOT_V2_ECC              1
+#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS   1
+
 /*-------------------------- Flash Encryption CAPS----------------------------*/
 #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX   (32)
+#define SOC_FLASH_ENCRYPTION_XTS_AES            1
+#define SOC_FLASH_ENCRYPTION_XTS_AES_128        0        // This will be enabled with IDF-3899
 
 /*-------------------------- UART CAPS ---------------------------------------*/
 // ESP32-C2 has 2 UARTs

components/soc/esp32c3/include/soc/Kconfig.soc_caps.in

@@ -43,10 +43,6 @@ config SOC_TEMP_SENSOR_SUPPORTED
     bool
     default y
 
-config SOC_FLASH_ENCRYPTION_XTS_AES
-    bool
-    default y
-
 config SOC_XT_WDT_SUPPORTED
     bool
     default y
@@ -59,14 +55,6 @@ config SOC_SUPPORTS_SECURE_DL_MODE
     bool
     default y
 
-config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS
-    int
-    default 3
-
-config SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS
-    bool
-    default y
-
 config SOC_EFUSE_KEY_PURPOSE_FIELD
     bool
     default y
@@ -79,10 +67,6 @@ config SOC_RTC_SLOW_MEM_SUPPORTED
     bool
     default n
 
-config SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
-    bool
-    default y
-
 config SOC_I2S_SUPPORTED
     bool
     default y
@@ -119,6 +103,14 @@ config SOC_DIG_SIGN_SUPPORTED
     bool
     default y
 
+config SOC_FLASH_ENC_SUPPORTED
+    bool
+    default y
+
+config SOC_SECURE_BOOT_SUPPORTED
+    bool
+    default y
+
 config SOC_AES_SUPPORT_DMA
     bool
     default y
@@ -607,10 +599,34 @@ config SOC_TWAI_SUPPORTS_RX_STATUS
     bool
     default y
 
+config SOC_SECURE_BOOT_V2_RSA
+    bool
+    default y
+
+config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS
+    int
+    default 3
+
+config SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS
+    bool
+    default y
+
+config SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
+    bool
+    default y
+
 config SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX
     int
     default 32
 
+config SOC_FLASH_ENCRYPTION_XTS_AES
+    bool
+    default y
+
+config SOC_FLASH_ENCRYPTION_XTS_AES_128
+    bool
+    default y
+
 config SOC_UART_NUM
     int
     default 2

components/soc/esp32c3/include/soc/soc_caps.h

@@ -35,16 +35,12 @@
 #define SOC_ASYNC_MEMCPY_SUPPORTED      1
 #define SOC_USB_SERIAL_JTAG_SUPPORTED   1
 #define SOC_TEMP_SENSOR_SUPPORTED       1
-#define SOC_FLASH_ENCRYPTION_XTS_AES    1
 #define SOC_XT_WDT_SUPPORTED            1
 #define SOC_WIFI_SUPPORTED              1
 #define SOC_SUPPORTS_SECURE_DL_MODE     1
-#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS   3
-#define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS   1
 #define SOC_EFUSE_KEY_PURPOSE_FIELD         1
 #define SOC_RTC_FAST_MEM_SUPPORTED        1
 #define SOC_RTC_SLOW_MEM_SUPPORTED        0
-#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY               1
 #define SOC_I2S_SUPPORTED               1
 #define SOC_RMT_SUPPORTED               1
 #define SOC_SIGMADELTA_SUPPORTED        1
@@ -54,6 +50,11 @@
 #define SOC_SHA_SUPPORTED               1
 #define SOC_HMAC_SUPPORTED              1
 #define SOC_DIG_SIGN_SUPPORTED          1
+#define SOC_FLASH_ENC_SUPPORTED         1
+/* Secure boot is only supported in ESP32-C3 revision > ECO3. We check ECO revision in
+ * bootloader "security" configuration and accordingly prevent its usage for ECO2 and
+ * earlier revisions */
+#define SOC_SECURE_BOOT_SUPPORTED       1
 
 /*-------------------------- AES CAPS -----------------------------------------*/
 #define SOC_AES_SUPPORT_DMA     (1)
@@ -291,8 +292,16 @@
 #define SOC_TWAI_BRP_MAX                16384
 #define SOC_TWAI_SUPPORTS_RX_STATUS     1
 
+/*-------------------------- Secure Boot CAPS----------------------------*/
+#define SOC_SECURE_BOOT_V2_RSA              1
+#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS   3
+#define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS   1
+#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY  1
+
 /*-------------------------- Flash Encryption CAPS----------------------------*/
 #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX   (32)
+#define SOC_FLASH_ENCRYPTION_XTS_AES        1
+#define SOC_FLASH_ENCRYPTION_XTS_AES_128    1
 
 /*-------------------------- UART CAPS ---------------------------------------*/
 // ESP32-C3 has 2 UARTs

components/soc/esp32h2/include/soc/Kconfig.soc_caps.in

@@ -47,10 +47,6 @@ config SOC_SUPPORTS_SECURE_DL_MODE
     bool
     default y
 
-config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS
-    int
-    default 3
-
 config SOC_EFUSE_KEY_PURPOSE_FIELD
     bool
     default y
@@ -67,10 +63,6 @@ config SOC_RTC_SLOW_MEM_SUPPORTED
     bool
     default n
 
-config SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
-    bool
-    default y
-
 config SOC_I2S_SUPPORTED
     bool
     default y
@@ -107,6 +99,14 @@ config SOC_ECC_SUPPORTED
     bool
     default n
 
+config SOC_FLASH_ENC_SUPPORTED
+    bool
+    default y
+
+config SOC_SECURE_BOOT_SUPPORTED
+    bool
+    default y
+
 config SOC_AES_SUPPORT_DMA
     bool
     default y
@@ -591,10 +591,34 @@ config SOC_TWAI_SUPPORTS_RX_STATUS
     bool
     default y
 
+config SOC_SECURE_BOOT_V2_RSA
+    bool
+    default y
+
+config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS
+    int
+    default 3
+
+config SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS
+    bool
+    default y
+
+config SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
+    bool
+    default y
+
 config SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX
     int
     default 32
 
+config SOC_FLASH_ENCRYPTION_XTS_AES
+    bool
+    default y
+
+config SOC_FLASH_ENCRYPTION_XTS_AES_128
+    bool
+    default y
+
 config SOC_UART_NUM
     int
     default 2

components/soc/esp32h2/include/soc/soc_caps.h

@@ -44,12 +44,10 @@
 #define SOC_ASYNC_MEMCPY_SUPPORTED      1
 #define SOC_USB_SERIAL_JTAG_SUPPORTED   1
 #define SOC_SUPPORTS_SECURE_DL_MODE         1
-#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS   3
 #define SOC_EFUSE_KEY_PURPOSE_FIELD         1
 #define SOC_TEMP_SENSOR_SUPPORTED           1
 #define SOC_RTC_FAST_MEM_SUPPORTED          1
 #define SOC_RTC_SLOW_MEM_SUPPORTED          0
-#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY                 1
 #define SOC_I2S_SUPPORTED               1
 #define SOC_RMT_SUPPORTED               1
 #define SOC_SIGMADELTA_SUPPORTED        1
@@ -59,6 +57,9 @@
 #define SOC_HMAC_SUPPORTED              1
 #define SOC_DIG_SIGN_SUPPORTED          1
 #define SOC_ECC_SUPPORTED               0 // This will be enabled with IDF-3397
+#define SOC_FLASH_ENC_SUPPORTED         1
+#define SOC_SECURE_BOOT_SUPPORTED       1
+
 
 /*-------------------------- AES CAPS -----------------------------------------*/
 #define SOC_AES_SUPPORT_DMA     (1)
@@ -302,8 +303,16 @@
 #define SOC_TWAI_BRP_MAX                16384
 #define SOC_TWAI_SUPPORTS_RX_STATUS     1
 
+/*-------------------------- Secure Boot CAPS----------------------------*/
+#define SOC_SECURE_BOOT_V2_RSA              1
+#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS   3
+#define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS   1
+#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY  1
+
 /*-------------------------- Flash Encryption CAPS----------------------------*/
 #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX   (32)
+#define SOC_FLASH_ENCRYPTION_XTS_AES        1
+#define SOC_FLASH_ENCRYPTION_XTS_AES_128    1
 
 /*-------------------------- UART CAPS ---------------------------------------*/
 // ESP32-H2 has 2 UARTs

components/soc/esp32s2/include/soc/Kconfig.soc_caps.in

@@ -59,14 +59,6 @@ config SOC_ASYNC_MEMCPY_SUPPORTED
     bool
     default y
 
-config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS
-    int
-    default 3
-
-config SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS
-    bool
-    default y
-
 config SOC_EFUSE_KEY_PURPOSE_FIELD
     bool
     default y
@@ -79,14 +71,6 @@ config SOC_CACHE_SUPPORT_WRAP
     bool
     default y
 
-config SOC_FLASH_ENCRYPTION_XTS_AES
-    bool
-    default y
-
-config SOC_FLASH_ENCRYPTION_XTS_AES_256
-    bool
-    default y
-
 config SOC_RTC_FAST_MEM_SUPPORTED
     bool
     default y
@@ -103,10 +87,6 @@ config SOC_XT_WDT_SUPPORTED
     bool
     default y
 
-config SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
-    bool
-    default y
-
 config SOC_I2S_SUPPORTED
     bool
     default y
@@ -143,6 +123,14 @@ config SOC_DIG_SIGN_SUPPORTED
     bool
     default y
 
+config SOC_FLASH_ENC_SUPPORTED
+    bool
+    default y
+
+config SOC_SECURE_BOOT_SUPPORTED
+    bool
+    default y
+
 config SOC_ADC_RTC_CTRL_SUPPORTED
     bool
     default y
@@ -707,10 +695,38 @@ config SOC_AES_SUPPORT_GCM
     bool
     default y
 
+config SOC_SECURE_BOOT_V2_RSA
+    bool
+    default y
+
+config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS
+    int
+    default 3
+
+config SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS
+    bool
+    default y
+
+config SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
+    bool
+    default y
+
 config SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX
     int
     default 64
 
+config SOC_FLASH_ENCRYPTION_XTS_AES
+    bool
+    default y
+
+config SOC_FLASH_ENCRYPTION_XTS_AES_128
+    bool
+    default y
+
+config SOC_FLASH_ENCRYPTION_XTS_AES_256
+    bool
+    default y
+
 config SOC_AES_CRYPTO_DMA
     bool
     default y

components/soc/esp32s2/include/soc/soc_caps.h

@@ -53,18 +53,13 @@
 #define SOC_ULP_SUPPORTED               1
 #define SOC_CCOMP_TIMER_SUPPORTED       1
 #define SOC_ASYNC_MEMCPY_SUPPORTED      1
-#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS   3
-#define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS   1
 #define SOC_EFUSE_KEY_PURPOSE_FIELD         1
 #define SOC_TEMP_SENSOR_SUPPORTED           1
 #define SOC_CACHE_SUPPORT_WRAP              1
-#define SOC_FLASH_ENCRYPTION_XTS_AES        1
-#define SOC_FLASH_ENCRYPTION_XTS_AES_256    1
 #define SOC_RTC_FAST_MEM_SUPPORTED      1
 #define SOC_RTC_SLOW_MEM_SUPPORTED      1
 #define SOC_PSRAM_DMA_CAPABLE               1
 #define SOC_XT_WDT_SUPPORTED                1
-#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY             1
 #define SOC_I2S_SUPPORTED               1
 #define SOC_RMT_SUPPORTED               1
 #define SOC_SIGMADELTA_SUPPORTED        1
@@ -74,6 +69,8 @@
 #define SOC_SHA_SUPPORTED               1
 #define SOC_HMAC_SUPPORTED              1
 #define SOC_DIG_SIGN_SUPPORTED          1
+#define SOC_FLASH_ENC_SUPPORTED         1
+#define SOC_SECURE_BOOT_SUPPORTED       1
 
 
 /*-------------------------- ADC CAPS ----------------------------------------*/
@@ -332,8 +329,17 @@
 #define SOC_AES_SUPPORT_DMA     (1)
 #define SOC_AES_SUPPORT_GCM     (1)
 
+/*-------------------------- Secure Boot CAPS----------------------------*/
+#define SOC_SECURE_BOOT_V2_RSA              1
+#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS   3
+#define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS   1
+#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY  1
+
 /*-------------------------- Flash Encryption CAPS----------------------------*/
 #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX   (64)
+#define SOC_FLASH_ENCRYPTION_XTS_AES        1
+#define SOC_FLASH_ENCRYPTION_XTS_AES_128    1
+#define SOC_FLASH_ENCRYPTION_XTS_AES_256    1
 
 /* Has "crypto DMA", which is shared with SHA */
 #define SOC_AES_CRYPTO_DMA      (1)

components/soc/esp32s3/include/soc/Kconfig.soc_caps.in

@@ -135,14 +135,6 @@ config SOC_SUPPORTS_SECURE_DL_MODE
     bool
     default y
 
-config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS
-    int
-    default 3
-
-config SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS
-    bool
-    default y
-
 config SOC_EFUSE_KEY_PURPOSE_FIELD
     bool
     default y
@@ -151,10 +143,6 @@ config SOC_SDMMC_HOST_SUPPORTED
     bool
     default y
 
-config SOC_FLASH_ENCRYPTION_XTS_AES
-    bool
-    default y
-
 config SOC_RTC_FAST_MEM_SUPPORTED
     bool
     default y
@@ -163,14 +151,6 @@ config SOC_RTC_SLOW_MEM_SUPPORTED
     bool
     default y
 
-config SOC_FLASH_ENCRYPTION_XTS_AES_256
-    bool
-    default y
-
-config SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
-    bool
-    default y
-
 config SOC_PSRAM_DMA_CAPABLE
     bool
     default y
@@ -219,6 +199,14 @@ config SOC_DIG_SIGN_SUPPORTED
     bool
     default y
 
+config SOC_FLASH_ENC_SUPPORTED
+    bool
+    default y
+
+config SOC_SECURE_BOOT_SUPPORTED
+    bool
+    default y
+
 config SOC_APPCPU_HAS_CLOCK_GATING_BUG
     bool
     default y
@@ -839,10 +827,38 @@ config SOC_PM_SUPPORT_DEEPSLEEP_CHECK_STUB_ONLY
     bool
     default y
 
+config SOC_SECURE_BOOT_V2_RSA
+    bool
+    default y
+
+config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS
+    int
+    default 3
+
+config SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS
+    bool
+    default y
+
+config SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
+    bool
+    default y
+
 config SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX
     int
     default 64
 
+config SOC_FLASH_ENCRYPTION_XTS_AES
+    bool
+    default y
+
+config SOC_FLASH_ENCRYPTION_XTS_AES_128
+    bool
+    default y
+
+config SOC_FLASH_ENCRYPTION_XTS_AES_256
+    bool
+    default y
+
 config SOC_WIFI_HW_TSF
     bool
     default y

components/soc/esp32s3/include/soc/soc_caps.h

@@ -44,15 +44,10 @@
 #define SOC_CCOMP_TIMER_SUPPORTED       1
 #define SOC_ASYNC_MEMCPY_SUPPORTED      1
 #define SOC_SUPPORTS_SECURE_DL_MODE     1
-#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3
-#define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS 1
 #define SOC_EFUSE_KEY_PURPOSE_FIELD       1
 #define SOC_SDMMC_HOST_SUPPORTED          1
-#define SOC_FLASH_ENCRYPTION_XTS_AES      1
 #define SOC_RTC_FAST_MEM_SUPPORTED        1
 #define SOC_RTC_SLOW_MEM_SUPPORTED        1
-#define SOC_FLASH_ENCRYPTION_XTS_AES_256  1
-#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY             1
 #define SOC_PSRAM_DMA_CAPABLE             1
 #define SOC_XT_WDT_SUPPORTED              1
 #define SOC_I2S_SUPPORTED               1
@@ -65,6 +60,8 @@
 #define SOC_SHA_SUPPORTED               1
 #define SOC_HMAC_SUPPORTED              1
 #define SOC_DIG_SIGN_SUPPORTED          1
+#define SOC_FLASH_ENC_SUPPORTED         1
+#define SOC_SECURE_BOOT_SUPPORTED       1
 
 
 /*-------------------------- SOC CAPS ----------------------------------------*/
@@ -364,10 +361,17 @@
 
 #define SOC_PM_SUPPORT_DEEPSLEEP_CHECK_STUB_ONLY   (1)
 
+/*-------------------------- Secure Boot CAPS----------------------------*/
+#define SOC_SECURE_BOOT_V2_RSA              1
+#define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS   3
+#define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS   1
+#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY  1
 
 /*-------------------------- Flash Encryption CAPS----------------------------*/
 #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX   (64)
-
+#define SOC_FLASH_ENCRYPTION_XTS_AES        1
+#define SOC_FLASH_ENCRYPTION_XTS_AES_128    1
+#define SOC_FLASH_ENCRYPTION_XTS_AES_256    1
 
 /*-------------------------- WI-FI HARDWARE TSF CAPS -------------------------------*/
 #define SOC_WIFI_HW_TSF                 (1)