fix: add check to ensure OTA buffer size for 16-byte aligned

This commit added guide to, round off OTA written size to allowed
aignmnet when flash ecnryption enabled.

Author: nileshkale123

components/app_update/include/esp_ota_ops.h

@@ -89,6 +89,10 @@ esp_err_t esp_ota_begin(const esp_partition_t* partition, size_t image_size, esp
  * Unlike esp_ota_begin(), this function does not erase the partition which receives the OTA update, but rather expects that part of the image
  * has already been written correctly, and it resumes writing from the given offset.
  *
+ * @note When flash encryption is enabled, data writes must be 16-byte aligned.
+ *       Any leftover (non-aligned) data is temporarily cached and may be lost after reboot.
+ *       Therefore, during resumption, ensure that image offset is always 16-byte aligned.
+ *
  * @param partition Pointer to info for the partition which is receiving the OTA update. Required.
  * @param erase_size Specifies how much flash memory to erase before resuming OTA, depending on whether a sequential write or a bulk erase is being used.
  * @param image_offset Offset from where to resume the OTA process. Should be set to the number of bytes already written.

components/esp_https_ota/src/esp_https_ota.c

@@ -14,6 +14,7 @@
 #include <sys/param.h>
 #include <inttypes.h>
 #include "esp_check.h"
+#include "esp_flash_encrypt.h"
 #include "hal/efuse_hal.h"
 
 ESP_EVENT_DEFINE_BASE(ESP_HTTPS_OTA_EVENT);
@@ -528,6 +529,14 @@ esp_err_t esp_https_ota_begin(const esp_https_ota_config_t *ota_config, esp_http
     }
 
     const int alloc_size = MAX(ota_config->http_config->buffer_size, DEFAULT_OTA_BUF_SIZE);
+    if (ota_config->ota_resumption) {
+        if (esp_flash_encryption_enabled() && (alloc_size & 0xFU) != 0) {
+            // For FE case the flash is written in multiples of 16 bytes
+            ESP_LOGE(TAG, "Buffer size must be multiple of 16 bytes for FE and ota resumption case");
+            goto http_cleanup;
+        }
+    }
+
     if (ota_config->buffer_caps != 0) {
         https_ota_handle->ota_upgrade_buf = (char *)heap_caps_malloc(alloc_size, ota_config->buffer_caps);
     } else {