
Merge branch 'feature/adds_check_in_app_that_flash_enc_is_on' into 'master'

bootloader: Adds a check that app is run under FE

Closes IDF-640

See merge request espressif/esp-idf!12368
Angus Gratton пре 4 година
родитељ
комит
cbc58b85e2

+ 11 - 0
components/bootloader/Kconfig.projbuild

@@ -804,5 +804,16 @@ menu "Security features"
             It is also possible to enable secure download mode at runtime by calling
             esp_efuse_enable_rom_secure_download_mode()
 
+    config SECURE_FLASH_CHECK_ENC_EN_IN_APP
+        bool "Check Flash Encryption enabled on app startup"
+        depends on SECURE_FLASH_ENC_ENABLED
+        default y
+        help
+            If set (default), in an app during startup code,
+            there is a check of the flash encryption eFuse bit is on
+            (as the bootloader should already have set it).
+            The app requires this bit is on to continue work otherwise abort.
+
+            If not set, the app does not care if the flash encryption eFuse bit is set or not.
 
 endmenu  # Security features
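Review bot: The help text for SECURE_FLASH_CHECK_ENC_EN_IN_APP does not say what is given up when the option is switched off, so a reader cannot tell that `n` removes a fail-closed startup guard. I would reword the first paragraph to `If set (default), the app checks during startup that the flash encryption eFuse bit is set (the bootloader should already have set it) and aborts if it is not.`, which also fixes the grammar of "there is a check of the ... bit is on". The last paragraph could then read `If not set, the app starts even when the flash encryption eFuse bit is clear; no error is reported in that case.` If disabling is intended only for development or test setups, the help text should say so.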

+ 8 - 7
components/bootloader_support/src/flash_encrypt.c

@@ -23,13 +23,7 @@
 #if CONFIG_IDF_TARGET_ESP32
 #define CRYPT_CNT ESP_EFUSE_FLASH_CRYPT_CNT
 #define WR_DIS_CRYPT_CNT ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT
-#elif CONFIG_IDF_TARGET_ESP32S2
-#define CRYPT_CNT ESP_EFUSE_SPI_BOOT_CRYPT_CNT
-#define WR_DIS_CRYPT_CNT ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT
-#elif CONFIG_IDF_TARGET_ESP32S3
-#define CRYPT_CNT ESP_EFUSE_SPI_BOOT_CRYPT_CNT
-#define WR_DIS_CRYPT_CNT ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT
-#elif CONFIG_IDF_TARGET_ESP32C3
+#else
 #define CRYPT_CNT ESP_EFUSE_SPI_BOOT_CRYPT_CNT
 #define WR_DIS_CRYPT_CNT ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT
 #endif
@@ -41,6 +35,13 @@ void esp_flash_encryption_init_checks()
 {
     esp_flash_enc_mode_t mode;
 
+#ifdef CONFIG_SECURE_FLASH_CHECK_ENC_EN_IN_APP
+    if (!esp_flash_encryption_enabled()) {
+        ESP_LOGE(TAG, "Flash encryption eFuse bit was not enabled in bootloader but CONFIG_SECURE_FLASH_ENC_ENABLED is on");
+        abort();
+    }
+#endif
+
     // First check is: if Release mode flash encryption & secure boot are enabled then
     // FLASH_CRYPT_CNT *must* be write protected. This will have happened automatically
     // if bootloader is IDF V4.0 or newer but may not have happened for previous ESP-IDF bootloaders.
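Review bot: The new guard at the top of esp_flash_encryption_init_checks() has no comment, and the existing comment directly below it still opens with "First check is:", which is no longer accurate now that this block runs ahead of it. I would add `// Fail closed: an app built for flash encryption must not keep running if the eFuse bit was never set by the bootloader.` above the `#ifdef`, and reword the following comment to start with "Next check is:". The ESP_LOGE text names only CONFIG_SECURE_FLASH_ENC_ENABLED; mentioning CONFIG_SECURE_FLASH_CHECK_ENC_EN_IN_APP as well would tell whoever reads the abort log which option produced it. The function body continues outside the hunk, so any interaction with the later release-mode checks cannot be judged from here.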