flash encryption: Ensure flash encryption can't be disabled if Secure Boot is on

components/bootloader_support/include/esp_flash_encrypt.h

@@ -133,6 +133,21 @@ void esp_flash_write_protect_crypt_cnt();
  */
 esp_flash_enc_mode_t esp_get_flash_encryption_mode();
 
+
+/** @brief Check the flash encryption mode during startup
+ *
+ * @note This function is called automatically during app startup,
+ * it doesn't need to be called from the app.
+ *
+ * Verifies the flash encryption config during startup:
+ *
+ * - Correct any insecure flash encryption settings if hardware
+ *   Secure Boot is enabled.
+ * - Log warnings if the efuse config doesn't match the project
+ *  config in any way
+ */
+void esp_flash_encryption_init_checks(void);
+
 #ifdef __cplusplus
 }
 #endif

components/bootloader_support/src/flash_encrypt.c

@@ -13,9 +13,51 @@
 // limitations under the License.
 
 #include <strings.h>
+#include "sdkconfig.h"
+#include "esp_log.h"
 #include "esp_efuse.h"
 #include "esp_efuse_table.h"
 #include "esp_flash_encrypt.h"
+#include "esp_secure_boot.h"
+
+#ifndef BOOTLOADER_BUILD
+static const char *TAG = "flash_encrypt";
+
+void esp_flash_encryption_init_checks()
+{
+    esp_flash_enc_mode_t mode;
+
+    // First check is: if Release mode flash encryption & secure boot are enabled then
+    // FLASH_CRYPT_CNT *must* be write protected. This will have happened automatically
+    // if bootloader is IDF V4.0 or newer but may not have happened for previous ESP-IDF bootloaders.
+#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+#ifdef CONFIG_SECURE_BOOT_ENABLED
+    if (esp_secure_boot_enabled() && esp_flash_encryption_enabled()) {
+        uint8_t flash_crypt_cnt_wr_dis = 0;
+        esp_efuse_read_field_blob(ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT, &flash_crypt_cnt_wr_dis, 1);
+        if (!flash_crypt_cnt_wr_dis) {
+            ESP_EARLY_LOGE(TAG, "Flash encryption & Secure Boot together requires FLASH_CRYPT_CNT efuse to be write protected. Fixing now...");
+            esp_flash_write_protect_crypt_cnt();
+        }
+    }
+#endif // CONFIG_SECURE_BOOT_ENABLED
+#endif // CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+
+    // Second check is to print a warning or error if the current running flash encryption mode
+    // doesn't match the expectation from project config (due to mismatched bootloader and app, probably)
+    mode = esp_get_flash_encryption_mode();
+    if (mode == ESP_FLASH_ENC_MODE_DEVELOPMENT) {
+#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+        ESP_EARLY_LOGE(TAG, "Flash encryption settings error: app is configured for RELEASE but efuses are set for DEVELOPMENT");
+        ESP_EARLY_LOGE(TAG, "Mismatch found in security options in bootloader menuconfig and efuse settings. Device is not secure.");
+#else
+        ESP_EARLY_LOGW(TAG, "Flash encryption mode is DEVELOPMENT (not secure)");
+#endif
+    } else if (mode == ESP_FLASH_ENC_MODE_RELEASE) {
+        ESP_EARLY_LOGI(TAG, "Flash encryption mode is RELEASE");
+    }
+}
+#endif
 
 void esp_flash_write_protect_crypt_cnt()
 {

components/esp32/cpu_start.c

@@ -205,18 +205,9 @@ void IRAM_ATTR call_start_cpu0()
     }
     ESP_EARLY_LOGI(TAG, "Starting app cpu, entry point is %p", call_start_cpu1);
 
-    esp_flash_enc_mode_t mode;
-    mode = esp_get_flash_encryption_mode();
-    if (mode == ESP_FLASH_ENC_MODE_DEVELOPMENT) {
-#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
-        ESP_EARLY_LOGE(TAG, "Flash encryption settings error: mode should be RELEASE but is actually DEVELOPMENT");
-        ESP_EARLY_LOGE(TAG, "Mismatch found in security options in menuconfig and efuse settings");
-#else
-        ESP_EARLY_LOGW(TAG, "Flash encryption mode is DEVELOPMENT");
+#ifdef CONFIG_SECURE_FLASH_ENC_ENABLED
+    esp_flash_encryption_init_checks();
 #endif
-    } else if (mode == ESP_FLASH_ENC_MODE_RELEASE) {
-        ESP_EARLY_LOGI(TAG, "Flash encryption mode is RELEASE");
-    }
 
     //Flush and enable icache for APP CPU
     Cache_Flush(1);