ESP32-XX: fix hardware flash encryption issue when updating images

.github/workflows/espressif.yaml

@@ -18,7 +18,7 @@ jobs:
   environment:
     strategy:
       matrix:
-        targets: [esp32, esp32s2, esp32s3, esp32c3]
+        targets: [esp32, esp32s2, esp32s3, esp32c2, esp32c3, esp32c6, esp32h2]
         features:
         - "secureboot-sign-rsa2048,secureboot-sign-rsa3072,secureboot-sign-ec256,secureboot-sign-ed25519"
         - "serialrecovery"

boot/espressif/CMakeLists.txt

@@ -13,8 +13,9 @@ endif()
 
 add_definitions(-DMCUBOOT_TARGET=${MCUBOOT_TARGET})
 add_definitions(-D__ESPRESSIF__=1)
+add_definitions(-DCONFIG_MCUBOOT_ESPRESSIF=1)
 
-set(EXPECTED_IDF_HAL_VERSION "5.1.4")
+set(EXPECTED_IDF_HAL_VERSION "5.1.6")
 
 if ("${MCUBOOT_TARGET}" STREQUAL "esp32" OR
     "${MCUBOOT_TARGET}" STREQUAL "esp32s2" OR

boot/espressif/ci_configs/esp32-secureboot.conf

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# ATTENTION:
+# This configuration file targets the building for CI environment and contains
+# a set of definitions to resemble a bootloader image for RELEASE environment.
+# Running the generated firmware image may result in irreversible operations
+# to the chip!
+
+CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=1

boot/espressif/ci_configs/esp32c2-secureboot.conf

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# ATTENTION:
+# This configuration file targets the building for CI environment and contains
+# a set of definitions to resemble a bootloader image for RELEASE environment.
+# Running the generated firmware image may result in irreversible operations
+# to the chip!
+
+CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME=1

boot/espressif/ci_configs/esp32c3-secureboot.conf

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# ATTENTION:
+# This configuration file targets the building for CI environment and contains
+# a set of definitions to resemble a bootloader image for RELEASE environment.
+# Running the generated firmware image may result in irreversible operations
+# to the chip!
+
+CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=1

boot/espressif/ci_configs/esp32c6-secureboot.conf

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# ATTENTION:
+# This configuration file targets the building for CI environment and contains
+# a set of definitions to resemble a bootloader image for RELEASE environment.
+# Running the generated firmware image may result in irreversible operations
+# to the chip!
+
+CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=1

boot/espressif/ci_configs/esp32h2-secureboot.conf

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# ATTENTION:
+# This configuration file targets the building for CI environment and contains
+# a set of definitions to resemble a bootloader image for RELEASE environment.
+# Running the generated firmware image may result in irreversible operations
+# to the chip!
+
+CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH=1
+CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=1

boot/espressif/ci_configs/esp32s2-secureboot.conf

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# ATTENTION:
+# This configuration file targets the building for CI environment and contains
+# a set of definitions to resemble a bootloader image for RELEASE environment.
+# Running the generated firmware image may result in irreversible operations
+# to the chip!
+
+CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=1

boot/espressif/ci_configs/esp32s3-secureboot.conf

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# ATTENTION:
+# This configuration file targets the building for CI environment and contains
+# a set of definitions to resemble a bootloader image for RELEASE environment.
+# Running the generated firmware image may result in irreversible operations
+# to the chip!
+
+CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=1

boot/espressif/ci_configs/secureboot-sign-ec256.conf

@@ -9,7 +9,6 @@
 # to the chip!
 
 CONFIG_SECURE_SIGNED_ON_BOOT=1
-CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=1
 CONFIG_SECURE_BOOT=1
 CONFIG_SECURE_BOOT_V2_ENABLED=1
 CONFIG_SECURE_BOOT_SUPPORTS_RSA=1

boot/espressif/ci_configs/secureboot-sign-ed25519.conf

@@ -9,7 +9,6 @@
 # to the chip!
 
 CONFIG_SECURE_SIGNED_ON_BOOT=1
-CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=1
 CONFIG_SECURE_BOOT=1
 CONFIG_SECURE_BOOT_V2_ENABLED=1
 CONFIG_SECURE_BOOT_SUPPORTS_RSA=1

boot/espressif/ci_configs/secureboot-sign-rsa2048.conf

@@ -9,7 +9,6 @@
 # to the chip!
 
 CONFIG_SECURE_SIGNED_ON_BOOT=1
-CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=1
 CONFIG_SECURE_BOOT=1
 CONFIG_SECURE_BOOT_V2_ENABLED=1
 CONFIG_SECURE_BOOT_SUPPORTS_RSA=1

boot/espressif/ci_configs/secureboot-sign-rsa3072.conf

@@ -9,7 +9,6 @@
 # to the chip!
 
 CONFIG_SECURE_SIGNED_ON_BOOT=1
-CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=1
 CONFIG_SECURE_BOOT=1
 CONFIG_SECURE_BOOT_V2_ENABLED=1
 CONFIG_SECURE_BOOT_SUPPORTS_RSA=1

boot/espressif/hal/include/esp32c2/esp32c2.cmake

@@ -17,6 +17,7 @@ endif()
 
 list(APPEND LINKER_SCRIPTS
     -T${esp_hal_dir}/components/esp_rom/${MCUBOOT_TARGET}/ld/${MCUBOOT_TARGET}.rom.newlib.ld
+    -T${esp_hal_dir}/components/esp_rom/${MCUBOOT_TARGET}/ld/${MCUBOOT_TARGET}.rom.version.ld
 )
 
 set_source_files_properties(

boot/espressif/hal/include/esp32c3/esp32c3.cmake

@@ -17,4 +17,5 @@ endif()
 list(APPEND LINKER_SCRIPTS
     -T${esp_hal_dir}/components/esp_rom/${MCUBOOT_TARGET}/ld/${MCUBOOT_TARGET}.rom.newlib.ld
     -T${esp_hal_dir}/components/esp_rom/${MCUBOOT_TARGET}/ld/${MCUBOOT_TARGET}.rom.eco3.ld
+    -T${esp_hal_dir}/components/esp_rom/${MCUBOOT_TARGET}/ld/${MCUBOOT_TARGET}.rom.version.ld
 )

boot/espressif/hal/include/esp32c6/esp32c6.cmake

@@ -7,6 +7,7 @@ list(APPEND include_dirs
 )
 
 list(APPEND hal_srcs
+    ${esp_hal_dir}/components/bootloader_support/src/${MCUBOOT_TARGET}/bootloader_ecdsa.c
     ${esp_hal_dir}/components/hal/cache_hal.c
     ${esp_hal_dir}/components/hal/lp_timer_hal.c
     ${esp_hal_dir}/components/efuse/src/efuse_controller/keys/with_key_purposes/esp_efuse_api_key.c
@@ -22,6 +23,7 @@ endif()
 
 list(APPEND LINKER_SCRIPTS
     -T${esp_hal_dir}/components/esp_rom/${MCUBOOT_TARGET}/ld/${MCUBOOT_TARGET}.rom.newlib.ld
+    -T${esp_hal_dir}/components/esp_rom/${MCUBOOT_TARGET}/ld/${MCUBOOT_TARGET}.rom.version.ld
 )
 
 set_source_files_properties(

boot/espressif/hal/include/esp32h2/esp32h2.cmake

@@ -9,6 +9,7 @@ list(APPEND include_dirs
 list(APPEND hal_srcs
     ${esp_hal_dir}/components/hal/cache_hal.c
     ${esp_hal_dir}/components/hal/lp_timer_hal.c
+    ${esp_hal_dir}/components/efuse/${MCUBOOT_TARGET}/esp_efuse_table_v0.0_v1.1.c
     ${esp_hal_dir}/components/efuse/src/efuse_controller/keys/with_key_purposes/esp_efuse_api_key.c
     ${esp_hal_dir}/components/esp_rom/patches/esp_rom_regi2c_${MCUBOOT_TARGET}.c
     ${esp_hal_dir}/components/esp_hw_support/port/${MCUBOOT_TARGET}/pmu_param.c
@@ -22,6 +23,7 @@ endif()
 
 list(APPEND LINKER_SCRIPTS
     -T${esp_hal_dir}/components/esp_rom/${MCUBOOT_TARGET}/ld/${MCUBOOT_TARGET}.rom.newlib.ld
+    -T${esp_hal_dir}/components/esp_rom/${MCUBOOT_TARGET}/ld/${MCUBOOT_TARGET}.rom.version.ld
 )
 
 set_source_files_properties(

boot/espressif/hal/include/esp32s3/esp32s3.cmake

@@ -17,6 +17,7 @@ endif()
 
 list(APPEND LINKER_SCRIPTS
     -T${esp_hal_dir}/components/esp_rom/${MCUBOOT_TARGET}/ld/${MCUBOOT_TARGET}.rom.newlib.ld
+    -T${esp_hal_dir}/components/esp_rom/${MCUBOOT_TARGET}/ld/${MCUBOOT_TARGET}.rom.version.ld
     )
 
 set_source_files_properties(

boot/espressif/hal/src/flash_encrypt.c

@@ -423,7 +423,7 @@ static esp_err_t encrypt_primary_slot(void)
      * MCUboot header
      */
     err = bootloader_flash_read(CONFIG_ESP_IMAGE0_PRIMARY_START_ADDRESS + 0x20,
-                                &img_header, sizeof(esp_image_load_header_t), true);
+                                &img_header, sizeof(esp_image_load_header_t), false);
     if (err != ESP_OK) {
         ESP_LOGE(TAG, "Failed to read slot img header");
         return err;
@@ -464,7 +464,7 @@ esp_err_t esp_flash_encrypt_region(uint32_t src_addr, size_t data_length)
         wdt_hal_feed(&rtc_wdt_ctx);
         wdt_hal_write_protect_enable(&rtc_wdt_ctx);
         uint32_t sec_start = i + src_addr;
-        err = bootloader_flash_read(sec_start, buf, FLASH_SECTOR_SIZE, true);
+        err = bootloader_flash_read(sec_start, buf, FLASH_SECTOR_SIZE, false);
         if (err != ESP_OK) {
             goto flash_failed;
         }

boot/espressif/port/esp32/ld/bootloader.ld

@@ -33,10 +33,59 @@ SECTIONS
     _loader_text_start = ABSOLUTE(.);
     *(.stub .gnu.warning .gnu.linkonce.literal.* .gnu.linkonce.t.*.literal .gnu.linkonce.t.*)
     *(.iram1 .iram1.*) /* catch stray IRAM_ATTR */
-    *libhal.a:*.*(.literal .text .literal.* .text.*)
     *esp_mcuboot.*(.literal .text .literal.* .text.*)
     *esp_loader.*(.literal .text .literal.* .text.*)
     *main.*(.literal .text .literal.* .text.*)
+
+    /* iram_loader section must not be overlapped by application IRAM/DRAM
+     * mapping, therefore the following were added based on the dependencies
+     * from esp_loader as its from where the application RAM parts will be
+     * loaded into memory and ultimately boot. The cross reference table
+     * were used to map the reachable dependencies
+     */
+    *libhal.a:app_cpu_start.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_banner.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_clock_init.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_clock_loader.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_common.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_common_loader.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_console.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_console_loader.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_efuse.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_esp32.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_flash.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_flash_config_esp32.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_init.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_mem.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_panic.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_random.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_random_esp32.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_sha.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_soc.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_utility.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_wdt.*(.literal .text .literal.* .text.*)
+    *libhal.a:cpu.*(.literal .text .literal.* .text.*)
+    *libhal.a:efuse_hal.*(.literal .text .literal.* .text.*)
+    *libhal.a:esp_efuse_api.*(.literal .text .literal.* .text.*)
+    *libhal.a:esp_efuse_api_key.*(.literal .text .literal.* .text.*)
+    *libhal.a:esp_efuse_table.*(.literal .text .literal.* .text.*)
+    *libhal.a:esp_efuse_utility.*(.literal .text .literal.* .text.*)
+    *libhal.a:esp_image_format.*(.literal .text .literal.* .text.*)
+    *libhal.a:esp_rom_spiflash.*(.literal .text .literal.* .text.*)
+    *libhal.a:esp_rom_sys.*(.literal .text .literal.* .text.*)
+    *libhal.a:esp_rom_uart.*(.literal .text .literal.* .text.*)
+    *libhal.a:flash_encrypt.*(.literal .text .literal.* .text.*)
+    *libhal.a:flash_encryption_secure_features.*(.literal .text .literal.* .text.*)
+    *libhal.a:gpio_periph.*(.literal .text .literal.* .text.*)
+    *libhal.a:log_noos.*(.literal .text .literal.* .text.*)
+    *libhal.a:mmu_hal.*(.literal .text .literal.* .text.*)
+    *libhal.a:rtc_clk.*(.literal .text .literal.* .text.*)
+    *libhal.a:rtc_clk_init.*(.literal .text .literal.* .text.*)
+    *libhal.a:rtc_time.*(.literal .text .literal.* .text.*)
+    *libhal.a:secure_boot_signatures_bootloader.*(.literal .text .literal.* .text.*)
+    *libhal.a:wdt_hal_iram.*(.literal .text .literal.* .text.*)
+    *libgcc.a:*.*(.literal .text .literal.* .text.*)
+
     *(.fini.literal)
     *(.fini)
     *(.gnu.version)

boot/espressif/port/esp32c2/ld/bootloader.ld

@@ -62,10 +62,44 @@ SECTIONS
     _loader_text_start = ABSOLUTE(.);
     *(.stub .gnu.warning .gnu.linkonce.literal.* .gnu.linkonce.t.*.literal .gnu.linkonce.t.*)
     *(.iram1 .iram1.*) /* catch stray IRAM_ATTR */
-    *libhal.a:*.*(.literal .text .literal.* .text.*)
     *esp_mcuboot.*(.literal .text .literal.* .text.*)
     *esp_loader.*(.literal .text .literal.* .text.*)
     *main.*(.literal .text .literal.* .text.*)
+
+    /* iram_loader section must not be overlapped by application IRAM/DRAM
+     * mapping, therefore the following were added based on the dependencies
+     * from esp_loader as its from where the application RAM parts will be
+     * loaded into memory and ultimately boot. The cross reference table
+     * were used to map the reachable dependencies */
+    *libhal.a:bootloader_banner.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_common_loader.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_console_loader.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_flash.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_flash_config_esp32c2.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_init.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_panic.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_random.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_random_esp32c2.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_sha.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_soc.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_utility.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_wdt.*(.literal .text .literal.* .text.*)
+    *libhal.a:cache_hal.*(.literal .text .literal.* .text.*)
+    *libhal.a:efuse_hal.*(.literal .text .literal.* .text.*)
+    *libhal.a:esp_efuse_api.*(.literal .text .literal.* .text.*)
+    *libhal.a:esp_efuse_api_key.*(.literal .text .literal.* .text.*)
+    *libhal.a:esp_efuse_table.*(.literal .text .literal.* .text.*)
+    *libhal.a:esp_efuse_utility.*(.literal .text .literal.* .text.*)
+    *libhal.a:esp_image_format.*(.literal .text .literal.* .text.*)
+    *libhal.a:flash_encrypt.*(.literal .text .literal.* .text.*)
+    *libhal.a:flash_encryption_secure_features.*(.literal .text .literal.* .text.*)
+    *libhal.a:mmu_hal.*(.literal .text .literal.* .text.*)
+    *libhal.a:rtc_clk.*(.literal .text .literal.* .text.*)
+    *libhal.a:rtc_clk_init.*(.literal .text .literal.* .text.*)
+    *libhal.a:secure_boot_signatures_bootloader.*(.literal .text .literal.* .text.*)
+    *libhal.a:wdt_hal_iram.*(.literal .text .literal.* .text.*)
+    *libgcc.a:*.*(.literal .text .literal.* .text.*)
+
     *(.fini.literal)
     *(.fini)
     *(.gnu.version)

boot/espressif/port/esp32c3/ld/bootloader.ld

@@ -28,10 +28,43 @@ SECTIONS
     _loader_text_start = ABSOLUTE(.);
     *(.stub .gnu.warning .gnu.linkonce.literal.* .gnu.linkonce.t.*.literal .gnu.linkonce.t.*)
     *(.iram1 .iram1.*) /* catch stray IRAM_ATTR */
-    *libhal.a:*.*(.literal .text .literal.* .text.*)
     *esp_mcuboot.*(.literal .text .literal.* .text.*)
     *esp_loader.*(.literal .text .literal.* .text.*)
     *main.*(.literal .text .literal.* .text.*)
+
+    /* iram_loader section must not be overlapped by application IRAM/DRAM
+     * mapping, therefore the following were added based on the dependencies
+     * from esp_loader as its from where the application RAM parts will be
+     * loaded into memory and ultimately boot. The cross reference table
+     * were used to map the reachable dependencies
+     */
+    *libhal.a:bootloader_common_loader.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_console_loader.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_flash.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_flash_config_esp32c3.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_init.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_panic.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_random.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_random_esp32c3.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_sha.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_soc.*(.literal .text .literal.* .text.*)
+    *libhal.a:bootloader_utility.*(.literal .text .literal.* .text.*)
+    *libhal.a:cache_hal.*(.literal .text .literal.* .text.*)
+    *libhal.a:efuse_hal.*(.literal .text .literal.* .text.*)
+    *libhal.a:esp_efuse_api.*(.literal .text .literal.* .text.*)
+    *libhal.a:esp_efuse_api_key.*(.literal .text .literal.* .text.*)
+    *libhal.a:esp_efuse_table.*(.literal .text .literal.* .text.*)
+    *libhal.a:esp_efuse_utility.*(.literal .text .literal.* .text.*)
+    *libhal.a:esp_image_format.*(.literal .text .literal.* .text.*)
+    *libhal.a:flash_encrypt.*(.literal .text .literal.* .text.*)
+    *libhal.a:flash_encryption_secure_features.*(.literal .text .literal.* .text.*)
+    *libhal.a:mmu_hal.*(.literal .text .literal.* .text.*)
+    *libhal.a:rtc_clk.*(.literal .text .literal.* .text.*)
+    *libhal.a:rtc_clk_init.*(.literal .text .literal.* .text.*)
+    *libhal.a:secure_boot_signatures_bootloader.*(.literal .text .literal.* .text.*)
+    *libhal.a:wdt_hal_iram.*(.literal .text .literal.* .text.*)
+    *libgcc.a:*.*(.literal .text .literal.* .text.*)
+
     *(.fini.literal)
     *(.fini)
     *(.gnu.version)