Merge branch 'feature/secure_features_are_enabled_correctly' into 'master'

security: Adds new APIs to check that all eFuse security features are enabled correctly

Closes IDF-1814

See merge request espressif/esp-idf!19532

components/bootloader_support/include/esp_flash_encrypt.h

@@ -8,6 +8,7 @@
 #include <stdbool.h>
 #include "esp_attr.h"
 #include "esp_err.h"
+#include "soc/soc_caps.h"
 #ifndef BOOTLOADER_BUILD
 #include "spi_flash_mmap.h"
 #endif
@@ -184,6 +185,19 @@ void esp_flash_encryption_init_checks(void);
  */
 esp_err_t esp_flash_encryption_enable_secure_features(void);
 
+/** @brief Returns the verification status for all physical security features of flash encryption in release mode
+ *
+ * If the device has flash encryption feature configured in the release mode,
+ * then it is highly recommended to call this API in the application startup code.
+ * This API verifies the sanity of the eFuse configuration against
+ * the release (production) mode of the flash encryption feature.
+ *
+ * @return
+ *  - True - all eFuses are configured correctly
+ *  - False - not all eFuses are configured correctly.
+ */
+bool esp_flash_encryption_cfg_verify_release_mode(void);
+
 /** @brief Switches Flash Encryption from "Development" to "Release"
  *
  * If already in "Release" mode, the function will do nothing.

components/bootloader_support/include/esp_secure_boot.h

@@ -269,6 +269,19 @@ esp_err_t esp_secure_boot_get_signature_blocks_for_running_app(bool digest_publi
  */
 esp_err_t esp_secure_boot_enable_secure_features(void);
 
+/** @brief Returns the verification status for all physical security features of secure boot in release mode
+ *
+ * If the device has secure boot feature configured in the release mode,
+ * then it is highly recommended to call this API in the application startup code.
+ * This API verifies the sanity of the eFuse configuration against
+ * the release (production) mode of the secure boot feature.
+ *
+ * @return
+ *  - True - all eFuses are configured correctly
+ *  - False - not all eFuses are configured correctly.
+ */
+bool esp_secure_boot_cfg_verify_release_mode(void);
+
 #ifdef __cplusplus
 }
 #endif

components/bootloader_support/src/esp32c2/secure_boot_secure_features.c

@@ -45,5 +45,17 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
 
     esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN);
 
+#ifndef CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS
+    // Secure boot and Flash encryption share one eFuse key block so they can not be set separately.
+    // CONFIG_SECURE_BOOT_FLASH_ENC_KEYS_BURN_TOGETHER option is used to burn SB and FE at the same time.
+    // SB key is readable, the corresponding bit in RD_DIS is unset.
+    //   We set write-protection for RD_DIS to ensure that the SB key is always readable.
+    // FE key is read-protected, the corresponding bit in RD_DIS is set.
+    ESP_LOGI(TAG, "Prevent read disabling of additional efuses...");
+    esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
+#else
+    ESP_LOGW(TAG, "Allowing read disabling of additional efuses - SECURITY COMPROMISED");
+#endif
+
     return ESP_OK;
 }

components/bootloader_support/src/flash_encrypt.c

@@ -218,3 +218,206 @@ void esp_flash_encryption_set_release_mode(void)
     }
     ESP_LOGI(TAG, "Flash encryption mode is RELEASE");
 }
+
+#ifdef CONFIG_IDF_TARGET_ESP32
+bool esp_flash_encryption_cfg_verify_release_mode(void)
+{
+    bool result = false;
+    bool secure;
+
+    secure = esp_flash_encryption_enabled();
+    result = secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not enabled Flash Encryption (FLASH_CRYPT_CNT->1 or max)");
+    }
+
+    uint8_t crypt_config = 0;
+    esp_efuse_read_field_blob(ESP_EFUSE_ENCRYPT_CONFIG, &crypt_config, 4);
+    if (crypt_config != EFUSE_FLASH_CRYPT_CONFIG) {
+        result &= false;
+        ESP_LOGW(TAG, "ENCRYPT_CONFIG must be set 0xF (set ENCRYPT_CONFIG->0xF)");
+    }
+
+    uint8_t flash_crypt_cnt = 0;
+    esp_efuse_read_field_blob(ESP_EFUSE_FLASH_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count);
+    if (flash_crypt_cnt != (1 << (ESP_EFUSE_FLASH_CRYPT_CNT[0]->bit_count)) - 1) {
+        if (!esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT)) {
+            result &= false;
+            ESP_LOGW(TAG, "Not release mode of Flash Encryption (set FLASH_CRYPT_CNT->max or WR_DIS_FLASH_CRYPT_CNT->1)");
+        }
+    }
+
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_ENCRYPT);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled UART bootloader encryption (set DISABLE_DL_ENCRYPT->1)");
+    }
+
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_DECRYPT);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled UART bootloader decryption (set DISABLE_DL_DECRYPT->1)");
+    }
+
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_DL_CACHE);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled UART bootloader MMU cache (set DISABLE_DL_CACHE->1)");
+    }
+
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_JTAG);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled JTAG (set DISABLE_JTAG->1)");
+    }
+
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled ROM BASIC interpreter fallback (set CONSOLE_DEBUG_DISABLE->1)");
+    }
+
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK1);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not read-protected flash ecnryption key (set RD_DIS_BLK1->1)");
+    }
+
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_BLK1);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not write-protected flash ecnryption key (set WR_DIS_BLK1->1)");
+    }
+    return result;
+}
+#else // not CONFIG_IDF_TARGET_ESP32
+bool esp_flash_encryption_cfg_verify_release_mode(void)
+{
+    bool result = false;
+    bool secure;
+
+    secure = esp_flash_encryption_enabled();
+    result = secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not enabled Flash Encryption (SPI_BOOT_CRYPT_CNT->1 or max)");
+    }
+
+    uint8_t flash_crypt_cnt = 0;
+    esp_efuse_read_field_blob(ESP_EFUSE_SPI_BOOT_CRYPT_CNT, &flash_crypt_cnt, ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count);
+    if (flash_crypt_cnt != (1 << (ESP_EFUSE_SPI_BOOT_CRYPT_CNT[0]->bit_count)) - 1) {
+        if (!esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT)) {
+            result &= false;
+            ESP_LOGW(TAG, "Not release mode of Flash Encryption (set SPI_BOOT_CRYPT_CNT->max or WR_DIS_SPI_BOOT_CRYPT_CNT->1)");
+        }
+    }
+
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled UART bootloader encryption (set DIS_DOWNLOAD_MANUAL_ENCRYPT->1)");
+    }
+
+#if SOC_EFUSE_DIS_DOWNLOAD_DCACHE
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_DCACHE);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled UART bootloader Dcache (set DIS_DOWNLOAD_DCACHE->1)");
+    }
+#endif
+
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_ICACHE);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled UART bootloader cache (set DIS_DOWNLOAD_ICACHE->1)");
+    }
+
+#if SOC_EFUSE_DIS_PAD_JTAG
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)");
+    }
+#endif
+
+#if SOC_EFUSE_DIS_USB_JTAG
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)");
+    }
+#endif
+
+#if SOC_EFUSE_DIS_DIRECT_BOOT
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled direct boot mode (set DIS_DIRECT_BOOT->1)");
+    }
+#endif
+
+#if SOC_EFUSE_HARD_DIS_JTAG
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)");
+    }
+#endif
+
+#if SOC_EFUSE_DIS_BOOT_REMAP
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_BOOT_REMAP);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled boot from RAM (set DIS_BOOT_REMAP->1)");
+    }
+#endif
+
+#if SOC_EFUSE_DIS_LEGACY_SPI_BOOT
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled Legcy SPI boot (set DIS_LEGACY_SPI_BOOT->1)");
+    }
+#endif
+
+    esp_efuse_purpose_t purposes[] = {
+#if SOC_FLASH_ENCRYPTION_XTS_AES_256
+        ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1,
+        ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2,
+#endif
+#if SOC_FLASH_ENCRYPTION_XTS_AES_128
+        ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY,
+#endif
+    };
+    // S2 and S3 chips have both XTS_AES_128_KEY and XTS_AES_256_KEY_1/2.
+    // The check below does not take into account that XTS_AES_128_KEY and XTS_AES_256_KEY_1/2
+    // are mutually exclusive because this will make the chip not functional.
+    // Only one type key must be configured in eFuses.
+    secure = false;
+    for (unsigned i = 0; i < sizeof(purposes) / sizeof(esp_efuse_purpose_t); i++) {
+        esp_efuse_block_t block;
+        if (esp_efuse_find_purpose(purposes[i], &block)) {
+            secure = esp_efuse_get_key_dis_read(block);
+            result &= secure;
+            if (!secure) {
+                ESP_LOGW(TAG, "Not read-protected Flash encryption key in BLOCK%d (set RD_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0);
+            }
+            secure = esp_efuse_get_key_dis_write(block);
+            result &= secure;
+            if (!secure) {
+                ESP_LOGW(TAG, "Not write-protected Flash encryption key in BLOCK%d (set WR_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0);
+            }
+
+#if SOC_EFUSE_KEY_PURPOSE_FIELD
+            secure = esp_efuse_get_keypurpose_dis_write(block);
+            result &= secure;
+            if (!secure) {
+                ESP_LOGW(TAG, "Not write-protected KEY_PURPOSE for BLOCK%d (set WR_DIS_KEY_PURPOSE%d->1)", block, block - EFUSE_BLK_KEY0);
+            }
+#endif
+        }
+    }
+    result &= secure;
+
+    return result;
+}
+#endif // not CONFIG_IDF_TARGET_ESP32

components/bootloader_support/src/secure_boot.c

@@ -10,6 +10,7 @@
 #include "esp_efuse.h"
 #include "esp_efuse_table.h"
 #include "esp_secure_boot.h"
+#include "hal/efuse_hal.h"
 
 #ifndef BOOTLOADER_BUILD
 static __attribute__((unused)) const char *TAG = "secure_boot";
@@ -188,4 +189,220 @@ void esp_secure_boot_init_checks(void)
 #endif // CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME && CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT
 
 }
+
+#ifdef CONFIG_IDF_TARGET_ESP32
+bool esp_secure_boot_cfg_verify_release_mode(void)
+{
+    bool result = false;
+    bool secure;
+
+    bool secure_boot_v1 = esp_efuse_read_field_bit(ESP_EFUSE_ABS_DONE_0);
+    bool chip_supports_sbv2 = efuse_hal_chip_revision() >= 300;
+    bool secure_boot_v2 = (chip_supports_sbv2) ? esp_efuse_read_field_bit(ESP_EFUSE_ABS_DONE_1) : false;
+    result = secure_boot_v1 || secure_boot_v2;
+    if (secure_boot_v1 && secure_boot_v2) {
+        ESP_LOGI(TAG, "ABS_DONE_0=1 (V1) and ABS_DONE_1=1 (V2)");
+        ESP_LOGI(TAG, "Secure boot V2 shall take the precedence");
+    } else if (!secure_boot_v1 && !secure_boot_v2) {
+        result = false;
+        ESP_LOGE(TAG, "Not enabled Secure Boot V1 (set ABS_DONE_0->1)");
+        if (chip_supports_sbv2) {
+            ESP_LOGE(TAG, "Not enabled Secure Boot V2 (set ABS_DONE_1->1)");
+        }
+    }
+
+    if (secure_boot_v1 && !secure_boot_v2) {
+        secure = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK2);
+        result &= secure;
+        if (!secure) {
+            ESP_LOGW(TAG, "Not read-protected secure boot key (set RD_DIS_BLK2->1)");
+        }
+    }
+
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_BLK2);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not write-protected secure boot key (set WR_DIS_BLK2->1)");
+    }
+
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_DISABLE_JTAG);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled JTAG (set DISABLE_JTAG->1)");
+    }
+
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_CONSOLE_DEBUG_DISABLE);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled ROM BASIC interpreter fallback (set CONSOLE_DEBUG_DISABLE->1)");
+    }
+
+    if (secure_boot_v2) {
+        secure = esp_efuse_read_field_bit(ESP_EFUSE_UART_DOWNLOAD_DIS);
+        result &= secure;
+        if (!secure) {
+            ESP_LOGW(TAG, "Not disabled UART ROM Download mode (set UART_DOWNLOAD_DIS->1)");
+        }
+
+        secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE);
+        result &= secure;
+        if (!secure) {
+            ESP_LOGW(TAG, "Not disabled write-protection for read-protection (set WR_DIS_EFUSE_RD_DISABLE->1)");
+        }
+    }
+
+    return result;
+}
+#else // not CONFIG_IDF_TARGET_ESP32
+bool esp_secure_boot_cfg_verify_release_mode(void)
+{
+    bool result = false;
+    bool secure;
+
+    secure = esp_secure_boot_enabled();
+    result = secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not enabled Secure Boot (SECURE_BOOT_EN->1)");
+    }
+
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DOWNLOAD_MODE);
+    bool en_secure_download = esp_efuse_read_field_bit(ESP_EFUSE_ENABLE_SECURITY_DOWNLOAD);
+    if (!secure && !en_secure_download) {
+        result &= false;
+        ESP_LOGW(TAG, "Download mode has not been changed, disable it or set security mode:");
+        ESP_LOGW(TAG, "Not disabled ROM Download mode (DIS_DOWNLOAD_MODE->1)");
+        ESP_LOGW(TAG, "Not enabled Security download mode (ENABLE_SECURITY_DOWNLOAD->1)");
+    }
+
+#if SOC_EFUSE_DIS_BOOT_REMAP
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_BOOT_REMAP);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled boot from RAM (set DIS_BOOT_REMAP->1)");
+    }
+#endif
+
+#if SOC_EFUSE_DIS_LEGACY_SPI_BOOT
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled Legcy SPI boot (set DIS_LEGACY_SPI_BOOT->1)");
+    }
+#endif
+
+#if SOC_EFUSE_DIS_DIRECT_BOOT
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled direct boot mode (set DIS_DIRECT_BOOT->1)");
+    }
+#endif
+
+#if SOC_EFUSE_HARD_DIS_JTAG
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled JTAG (set HARD_DIS_JTAG->1)");
+    }
+#endif
+
+#if SOC_EFUSE_SOFT_DIS_JTAG
+    size_t soft_dis_jtag_cnt_val = 0;
+    esp_efuse_read_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, &soft_dis_jtag_cnt_val);
+    if (soft_dis_jtag_cnt_val != ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count) {
+        result &= secure;
+        ESP_LOGW(TAG, "Not disabled JTAG in the soft way (set SOFT_DIS_JTAG->max)");
+    }
+#endif
+
+#if SOC_EFUSE_DIS_PAD_JTAG
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_PAD_JTAG);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled JTAG PADs (set DIS_PAD_JTAG->1)");
+    }
+#endif
+
+#if SOC_EFUSE_DIS_USB_JTAG
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_DIS_USB_JTAG);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled USB JTAG (set DIS_USB_JTAG->1)");
+    }
+#endif
+
+#ifdef CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_SECURE_BOOT_AGGRESSIVE_REVOKE);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not enabled AGGRESSIVE KEY REVOKE (set SECURE_BOOT_AGGRESSIVE_REVOKE->1)");
+    }
+#endif
+
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not disabled write-protection for read-protection (set WR_DIS_RD_DIS->1)");
+    }
+
+#if SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS == 1
+    unsigned purpose = ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_V2;
+#else
+    unsigned purpose = ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST0; // DIGEST0, DIGEST1 and DIGEST2
+#endif
+    secure = false;
+    unsigned num_keys = 0;
+    for (unsigned i = 0; i < SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS; ++i) {
+        esp_efuse_block_t block;
+        if (esp_efuse_find_purpose(purpose + i, &block)) {
+            // if chip has a few secure boot slots then we check all
+#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
+            bool revoke = esp_efuse_get_digest_revoke(i);
+            if (revoke) {
+                continue;
+            }
+#endif
+            ++num_keys;
+            secure = !esp_efuse_get_key_dis_read(block);
+            result &= secure;
+            if (!secure) {
+                ESP_LOGE(TAG, "Secure boot key in BLOCK%d must NOT be read-protected (can not be used)", block);
+#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
+                ESP_LOGE(TAG, "Revoke this secure boot key (set SECURE_BOOT_KEY_REVOKE%d->1)", i);
+#endif
+            }
+            secure = !esp_efuse_block_is_empty(block);
+            result &= secure;
+            if (!secure) {
+                ESP_LOGE(TAG, "Secure boot key in BLOCK%d must NOT be empty (can not be used)", block);
+#if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY
+                ESP_LOGE(TAG, "Revoke this secure boot key (set SECURE_BOOT_KEY_REVOKE%d->1)", i);
+#endif
+            }
+            secure = esp_efuse_get_key_dis_write(block);
+            result &= secure;
+            if (!secure) {
+                ESP_LOGW(TAG, "Not write-protected secure boot key in BLOCK%d (set WR_DIS_KEY%d->1)", block, block - EFUSE_BLK_KEY0);
+            }
+#if SOC_EFUSE_KEY_PURPOSE_FIELD
+            secure = esp_efuse_get_keypurpose_dis_write(block);
+            result &= secure;
+            if (!secure) {
+                ESP_LOGW(TAG, "Not write-protected KEY_PURPOSE for BLOCK%d (set WR_DIS_KEY_PURPOSE%d->1)", block, block - EFUSE_BLK_KEY0);
+            }
+#endif
+        }
+    }
+    result &= secure;
+
+    secure = (num_keys != 0);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGE(TAG, "No secure boot key found");
+    }
+
+    return result;
+}
+#endif // not CONFIG_IDF_TARGET_ESP32
+
 #endif // not BOOTLOADER_BUILD

components/efuse/esp32c2/esp_efuse_table.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -9,7 +9,7 @@
 #include <assert.h>
 #include "esp_efuse_table.h"
 
-// md5_digest_table ceedae45d1a885ced865a05eeca7d7ee
+// md5_digest_table 2216d0ff3e0f4e8803f85711b5cc2829
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -19,8 +19,8 @@ static const esp_efuse_desc_t WR_DIS[] = {
     {EFUSE_BLK0, 0, 8}, 	 // Write protection,
 };
 
-static const esp_efuse_desc_t WR_DIS_KEY0_RD_DIS[] = {
-    {EFUSE_BLK0, 0, 1}, 	 // Write protection for KEY0_RD_DIS,
+static const esp_efuse_desc_t WR_DIS_RD_DIS[] = {
+    {EFUSE_BLK0, 0, 1}, 	 // Write protection for RD_DIS,
 };
 
 static const esp_efuse_desc_t WR_DIS_GROUP_1[] = {
@@ -265,8 +265,8 @@ const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[] = {
     NULL
 };
 
-const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_KEY0_RD_DIS[] = {
-    &WR_DIS_KEY0_RD_DIS[0],    		// Write protection for KEY0_RD_DIS
+const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[] = {
+    &WR_DIS_RD_DIS[0],    		// Write protection for RD_DIS
     NULL
 };
 

components/efuse/esp32c2/esp_efuse_table.csv

@@ -12,7 +12,7 @@
 ##############################
     # EFUSE_RD_WR_DIS_REG #
         WR_DIS,                           EFUSE_BLK0,    0,    8,      Write protection
-            WR_DIS.KEY0_RD_DIS,           EFUSE_BLK0,    0,    1,      Write protection for KEY0_RD_DIS
+            WR_DIS.RD_DIS,                EFUSE_BLK0,    0,    1,      Write protection for RD_DIS
             WR_DIS.GROUP_1,               EFUSE_BLK0,    1,    1,      Write protection for WDT_DELAY DIS_PAD_JTAG DIS_DOWNLOAD_ICACHE
             WR_DIS.GROUP_2,               EFUSE_BLK0,    2,    1,      Write protection for DOWNLOAD_DIS_MANUAL_ENCRYPT SPI_BOOT_CRYPT_CNT XTS_KEY_LENGTH_256 SECURE_BOOT_EN
             WR_DIS.SPI_BOOT_CRYPT_CNT,    EFUSE_BLK0,    2,    1,      Write protection for DOWNLOAD_DIS_MANUAL_ENCRYPT [SPI_BOOT_CRYPT_CNT] XTS_KEY_LENGTH_256 SECURE_BOOT_EN

components/efuse/esp32c2/include/esp_efuse_table.h

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -10,7 +10,7 @@ extern "C" {
 
 #include "esp_efuse.h"
 
-// md5_digest_table ceedae45d1a885ced865a05eeca7d7ee
+// md5_digest_table 2216d0ff3e0f4e8803f85711b5cc2829
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -18,7 +18,7 @@ extern "C" {
 
 
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[];
-extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_KEY0_RD_DIS[];
+extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_1[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_2[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_SPI_BOOT_CRYPT_CNT[];

components/soc/esp32c2/include/soc/Kconfig.soc_caps.in

@@ -495,6 +495,14 @@ config SOC_TIMER_GROUP_TOTAL_TIMERS
     int
     default 1
 
+config SOC_EFUSE_DIS_PAD_JTAG
+    bool
+    default y
+
+config SOC_EFUSE_DIS_DIRECT_BOOT
+    bool
+    default y
+
 config SOC_SECURE_BOOT_V2_ECC
     bool
     default y

components/soc/esp32c2/include/soc/soc_caps.h

@@ -241,6 +241,10 @@
 #define SOC_TIMER_GROUP_SUPPORT_PLL_F40M  (1)
 #define SOC_TIMER_GROUP_TOTAL_TIMERS      (1U)
 
+/*-------------------------- eFuse CAPS----------------------------*/
+#define SOC_EFUSE_DIS_PAD_JTAG 1
+#define SOC_EFUSE_DIS_DIRECT_BOOT 1
+
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_ECC              1
 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS   (1U)

components/soc/esp32c3/include/soc/Kconfig.soc_caps.in

@@ -731,6 +731,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS
     bool
     default y
 
+config SOC_EFUSE_DIS_PAD_JTAG
+    bool
+    default y
+
+config SOC_EFUSE_DIS_USB_JTAG
+    bool
+    default y
+
+config SOC_EFUSE_DIS_DIRECT_BOOT
+    bool
+    default y
+
+config SOC_EFUSE_SOFT_DIS_JTAG
+    bool
+    default y
+
 config SOC_SECURE_BOOT_V2_RSA
     bool
     default y

components/soc/esp32c3/include/soc/soc_caps.h

@@ -329,6 +329,12 @@
 #define SOC_TWAI_BRP_MAX                16384
 #define SOC_TWAI_SUPPORTS_RX_STATUS     1
 
+/*-------------------------- eFuse CAPS----------------------------*/
+#define SOC_EFUSE_DIS_PAD_JTAG 1
+#define SOC_EFUSE_DIS_USB_JTAG 1
+#define SOC_EFUSE_DIS_DIRECT_BOOT 1
+#define SOC_EFUSE_SOFT_DIS_JTAG 1
+
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_RSA              1
 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS   3

components/soc/esp32c6/include/soc/Kconfig.soc_caps.in

@@ -867,6 +867,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS
     bool
     default y
 
+config SOC_EFUSE_DIS_PAD_JTAG
+    bool
+    default y
+
+config SOC_EFUSE_DIS_USB_JTAG
+    bool
+    default y
+
+config SOC_EFUSE_DIS_DIRECT_BOOT
+    bool
+    default y
+
+config SOC_EFUSE_SOFT_DIS_JTAG
+    bool
+    default y
+
 config SOC_SECURE_BOOT_V2_RSA
     bool
     default y

components/soc/esp32c6/include/soc/soc_caps.h

@@ -381,6 +381,12 @@
 #define SOC_TWAI_BRP_MAX                32768
 #define SOC_TWAI_SUPPORTS_RX_STATUS     1
 
+/*-------------------------- eFuse CAPS----------------------------*/
+#define SOC_EFUSE_DIS_PAD_JTAG 1
+#define SOC_EFUSE_DIS_USB_JTAG 1
+#define SOC_EFUSE_DIS_DIRECT_BOOT 1
+#define SOC_EFUSE_SOFT_DIS_JTAG 1
+
 // TODO: IDF-5357 (Copy from esp32c3, need check)
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_RSA              1

components/soc/esp32h2/include/soc/Kconfig.soc_caps.in

@@ -687,6 +687,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS
     bool
     default y
 
+config SOC_EFUSE_DIS_PAD_JTAG
+    bool
+    default y
+
+config SOC_EFUSE_DIS_USB_JTAG
+    bool
+    default y
+
+config SOC_EFUSE_DIS_DIRECT_BOOT
+    bool
+    default y
+
+config SOC_EFUSE_SOFT_DIS_JTAG
+    bool
+    default y
+
 config SOC_SECURE_BOOT_V2_RSA
     bool
     default y

components/soc/esp32h2/include/soc/soc_caps.h

@@ -361,6 +361,12 @@
 #define SOC_TWAI_BRP_MAX                32768
 #define SOC_TWAI_SUPPORTS_RX_STATUS     1
 
+/*-------------------------- eFuse CAPS----------------------------*/
+#define SOC_EFUSE_DIS_PAD_JTAG 1
+#define SOC_EFUSE_DIS_USB_JTAG 1
+#define SOC_EFUSE_DIS_DIRECT_BOOT 1
+#define SOC_EFUSE_SOFT_DIS_JTAG 1
+
 // TODO: IDF-6281 (Copy from esp32c6, need check)
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_RSA              1

components/soc/esp32h4/include/soc/Kconfig.soc_caps.in

@@ -707,6 +707,22 @@ config SOC_TWAI_SUPPORTS_RX_STATUS
     bool
     default y
 
+config SOC_EFUSE_DIS_PAD_JTAG
+    bool
+    default y
+
+config SOC_EFUSE_DIS_USB_JTAG
+    bool
+    default y
+
+config SOC_EFUSE_DIS_DIRECT_BOOT
+    bool
+    default y
+
+config SOC_EFUSE_SOFT_DIS_JTAG
+    bool
+    default y
+
 config SOC_SECURE_BOOT_V2_RSA
     bool
     default y

components/soc/esp32h4/include/soc/soc_caps.h

@@ -336,6 +336,12 @@
 #define SOC_TWAI_BRP_MAX                16384
 #define SOC_TWAI_SUPPORTS_RX_STATUS     1
 
+/*-------------------------- eFuse CAPS----------------------------*/
+#define SOC_EFUSE_DIS_PAD_JTAG 1
+#define SOC_EFUSE_DIS_USB_JTAG 1
+#define SOC_EFUSE_DIS_DIRECT_BOOT 1
+#define SOC_EFUSE_SOFT_DIS_JTAG 1
+
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_RSA              1
 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS   3

components/soc/esp32s2/include/soc/Kconfig.soc_caps.in

@@ -815,6 +815,26 @@ config SOC_AES_SUPPORT_GCM
     bool
     default y
 
+config SOC_EFUSE_DIS_DOWNLOAD_DCACHE
+    bool
+    default y
+
+config SOC_EFUSE_HARD_DIS_JTAG
+    bool
+    default y
+
+config SOC_EFUSE_SOFT_DIS_JTAG
+    bool
+    default y
+
+config SOC_EFUSE_DIS_BOOT_REMAP
+    bool
+    default y
+
+config SOC_EFUSE_DIS_LEGACY_SPI_BOOT
+    bool
+    default y
+
 config SOC_SECURE_BOOT_V2_RSA
     bool
     default y

components/soc/esp32s2/include/soc/soc_caps.h

@@ -362,6 +362,13 @@
 #define SOC_AES_SUPPORT_DMA     (1)
 #define SOC_AES_SUPPORT_GCM     (1)
 
+/*-------------------------- eFuse CAPS----------------------------*/
+#define SOC_EFUSE_DIS_DOWNLOAD_DCACHE 1
+#define SOC_EFUSE_HARD_DIS_JTAG 1
+#define SOC_EFUSE_SOFT_DIS_JTAG 1
+#define SOC_EFUSE_DIS_BOOT_REMAP 1
+#define SOC_EFUSE_DIS_LEGACY_SPI_BOOT 1
+
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_RSA              1
 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS   3

components/soc/esp32s3/include/soc/Kconfig.soc_caps.in

@@ -1011,6 +1011,26 @@ config SOC_CLK_RC_FAST_SUPPORT_CALIBRATION
     bool
     default y
 
+config SOC_EFUSE_DIS_DOWNLOAD_DCACHE
+    bool
+    default y
+
+config SOC_EFUSE_HARD_DIS_JTAG
+    bool
+    default y
+
+config SOC_EFUSE_DIS_USB_JTAG
+    bool
+    default y
+
+config SOC_EFUSE_SOFT_DIS_JTAG
+    bool
+    default y
+
+config SOC_EFUSE_DIS_DIRECT_BOOT
+    bool
+    default y
+
 config SOC_SECURE_BOOT_V2_RSA
     bool
     default y

components/soc/esp32s3/include/soc/soc_caps.h

@@ -417,6 +417,13 @@
 #define SOC_RTC_SLOW_CLK_SUPPORT_RC_FAST_D256     (1)
 #define SOC_CLK_RC_FAST_SUPPORT_CALIBRATION       (1)
 
+/*-------------------------- eFuse CAPS----------------------------*/
+#define SOC_EFUSE_DIS_DOWNLOAD_DCACHE 1
+#define SOC_EFUSE_HARD_DIS_JTAG 1
+#define SOC_EFUSE_DIS_USB_JTAG 1
+#define SOC_EFUSE_SOFT_DIS_JTAG 1
+#define SOC_EFUSE_DIS_DIRECT_BOOT 1
+
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_RSA              1
 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS   3

docs/en/api-reference/peripherals/hmac.rst

@@ -106,6 +106,14 @@ Setup
 
     .. note:: The API *esp_efuse_write_field_cnt(ESP_EFUSE_SOFT_DIS_JTAG, ESP_EFUSE_SOFT_DIS_JTAG[0]->bit_count)* can be used to burn "soft JTAG disable" bits on {IDF_TARGET_NAME}.
 
+.. only:: esp32s2 or esp32s3
+
+    .. note:: If ``HARD_DIS_JTAG`` eFuse is set, then ``SOFT_DIS_JTAG`` functionality does not work because JTAG is permanently disabled.
+
+.. only:: not esp32s2 and not esp32s3
+
+    .. note:: If ``DIS_PAD_JTAG`` eFuse is set, then ``SOFT_DIS_JTAG`` functionality does not work because JTAG is permanently disabled.
+
 JTAG enable
 
 1. The key to re-enable JTAG is the output of the HMAC-SHA256 function using the secret key in eFuse and 32 0x00 bytes as the message.

examples/system/efuse/main/efuse_main.c

@@ -15,10 +15,8 @@
 #include "esp_efuse.h"
 #include "esp_efuse_table.h"
 #include "esp_efuse_custom_table.h"
-#if CONFIG_IDF_TARGET_ESP32C2
 #include "esp_secure_boot.h"
 #include "esp_flash_encrypt.h"
-#endif
 #include "sdkconfig.h"
 
 static const char* TAG = "example";
@@ -135,6 +133,21 @@ void app_main(void)
 {
     ESP_LOGI(TAG, "Start eFuse example");
 
+#ifdef CONFIG_SECURE_FLASH_ENC_ENABLED
+    if (esp_flash_encryption_cfg_verify_release_mode()) {
+        ESP_LOGI(TAG, "Flash Encryption is in RELEASE mode");
+    } else {
+        ESP_LOGW(TAG, "Flash Encryption is NOT in RELEASE mode");
+    }
+#endif
+#ifdef CONFIG_SECURE_BOOT
+    if (esp_secure_boot_cfg_verify_release_mode()) {
+        ESP_LOGI(TAG, "Secure Boot is in RELEASE mode");
+    } else {
+        ESP_LOGW(TAG, "Secure Boot is NOT in RELEASE mode");
+    }
+#endif
+
     esp_efuse_coding_scheme_t coding_scheme = get_coding_scheme();
     (void) coding_scheme;
 

examples/system/efuse/pytest_system_efuse_example.py

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD
+# SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
 # SPDX-License-Identifier: Unlicense OR CC0-1.0
 from __future__ import unicode_literals
 
@@ -248,6 +248,7 @@ def test_examples_efuse_with_virt_flash_enc_release(dut: Dut) -> None:
     dut.expect_exact('flash encryption is enabled (0 plaintext flashes left)', timeout=5)
     dut.expect('Flash encryption mode is RELEASE')
     dut.expect('Start eFuse example')
+    dut.expect('Flash Encryption is in RELEASE mode')
     dut.expect('example: Done')
 
 
@@ -772,6 +773,8 @@ def test_examples_efuse_with_virt_sb_v1_and_fe(dut: Dut) -> None:
     dut.expect_exact('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)')
     dut.expect('main_task: Calling app_main()')
     dut.expect('Start eFuse example')
+    dut.expect('example: Flash Encryption is NOT in RELEASE mode')
+    dut.expect('example: Secure Boot is in RELEASE mode')
     dut.expect('example: Done')
 
 
@@ -851,6 +854,8 @@ def test_examples_efuse_with_virt_sb_v2_and_fe(dut: Dut) -> None:
     dut.expect_exact('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)')
     dut.expect('main_task: Calling app_main()')
     dut.expect('Start eFuse example')
+    dut.expect('example: Flash Encryption is NOT in RELEASE mode')
+    dut.expect('example: Secure Boot is in RELEASE mode')
     dut.expect('example: Done')
 
 
@@ -938,6 +943,8 @@ def test_examples_efuse_with_virt_sb_v2_and_fe_esp32xx(dut: Dut) -> None:
     dut.expect_exact('flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)')
     dut.expect('main_task: Calling app_main()')
     dut.expect('Start eFuse example')
+    dut.expect('example: Flash Encryption is NOT in RELEASE mode')
+    dut.expect('example: Secure Boot is in RELEASE mode')
     dut.expect('example: Done')