bootloader_support(esp32c2): Fix WR_DIS_RD_DIS burn for secure boot key

SB key is left readable, the corresponding bit in RD_DIS is unset.
We set write-protection for RD_DIS to ensure that the SB key is always readable.

components/bootloader_support/src/esp32c2/secure_boot_secure_features.c

@@ -45,5 +45,17 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
 
     esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN);
 
+#ifndef CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS
+    // Secure boot and Flash encryption share one eFuse key block so they can not be set separately.
+    // CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER option is used to burn SB and FE at the same time.
+    // SB key is readable, the corresponding bit in RD_DIS is unset.
+    //   We set write-protection for RD_DIS to ensure that the SB key is always readable.
+    // FE key is read-protected, the corresponding bit in RD_DIS is set.
+    ESP_LOGI(TAG, "Prevent read disabling of additional efuses...");
+    esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
+#else
+    ESP_LOGW(TAG, "Allowing read disabling of additional efuses - SECURITY COMPROMISED");
+#endif
+
     return ESP_OK;
 }

components/efuse/esp32c2/esp_efuse_table.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -9,7 +9,7 @@
 #include <assert.h>
 #include "esp_efuse_table.h"
 
-// md5_digest_table ceedae45d1a885ced865a05eeca7d7ee
+// md5_digest_table 2216d0ff3e0f4e8803f85711b5cc2829
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -19,8 +19,8 @@ static const esp_efuse_desc_t WR_DIS[] = {
     {EFUSE_BLK0, 0, 8}, 	 // Write protection,
 };
 
-static const esp_efuse_desc_t WR_DIS_KEY0_RD_DIS[] = {
-    {EFUSE_BLK0, 0, 1}, 	 // Write protection for KEY0_RD_DIS,
+static const esp_efuse_desc_t WR_DIS_RD_DIS[] = {
+    {EFUSE_BLK0, 0, 1}, 	 // Write protection for RD_DIS,
 };
 
 static const esp_efuse_desc_t WR_DIS_GROUP_1[] = {
@@ -265,8 +265,8 @@ const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[] = {
     NULL
 };
 
-const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_KEY0_RD_DIS[] = {
-    &WR_DIS_KEY0_RD_DIS[0],    		// Write protection for KEY0_RD_DIS
+const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[] = {
+    &WR_DIS_RD_DIS[0],    		// Write protection for RD_DIS
     NULL
 };
 

components/efuse/esp32c2/esp_efuse_table.csv

@@ -12,7 +12,7 @@
 ##############################
     # EFUSE_RD_WR_DIS_REG #
         WR_DIS,                           EFUSE_BLK0,    0,    8,      Write protection
-            WR_DIS.KEY0_RD_DIS,           EFUSE_BLK0,    0,    1,      Write protection for KEY0_RD_DIS
+            WR_DIS.RD_DIS,                EFUSE_BLK0,    0,    1,      Write protection for RD_DIS
             WR_DIS.GROUP_1,               EFUSE_BLK0,    1,    1,      Write protection for WDT_DELAY DIS_PAD_JTAG DIS_DOWNLOAD_ICACHE
             WR_DIS.GROUP_2,               EFUSE_BLK0,    2,    1,      Write protection for DOWNLOAD_DIS_MANUAL_ENCRYPT SPI_BOOT_CRYPT_CNT XTS_KEY_LENGTH_256 SECURE_BOOT_EN
             WR_DIS.SPI_BOOT_CRYPT_CNT,    EFUSE_BLK0,    2,    1,      Write protection for DOWNLOAD_DIS_MANUAL_ENCRYPT [SPI_BOOT_CRYPT_CNT] XTS_KEY_LENGTH_256 SECURE_BOOT_EN

components/efuse/esp32c2/include/esp_efuse_table.h

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -10,7 +10,7 @@ extern "C" {
 
 #include "esp_efuse.h"
 
-// md5_digest_table ceedae45d1a885ced865a05eeca7d7ee
+// md5_digest_table 2216d0ff3e0f4e8803f85711b5cc2829
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -18,7 +18,7 @@ extern "C" {
 
 
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[];
-extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_KEY0_RD_DIS[];
+extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_1[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_2[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT[];