Merge pull request #67 from espressif/get_flash_encryption

erhankur · web-flow · commit 1c7e7505e365 · 2026-02-19T22:35:05.000+01:00
feat(security): add api to check flash is encrypted
diff --git a/example/stub_main.c b/example/stub_main.c
@@ -46,6 +46,9 @@ static void example_mem_utils(void)
 
 static void example_security(void)
 {
+    bool encryption_enabled = stub_lib_security_flash_is_encrypted();
+    STUB_LOGI("Flash encryption enabled: %d\n", encryption_enabled);
+
     uint32_t size = stub_lib_security_info_size();
     STUB_LOGI("Security info size: %u bytes\n", size);
 
diff --git a/include/esp-stub-lib/security.h b/include/esp-stub-lib/security.h
@@ -1,11 +1,12 @@
 /*
- * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0 OR MIT
  */
 
 #pragma once
 
+#include <stdbool.h>
 #include <stdint.h>
 
 #ifdef __cplusplus
@@ -36,6 +37,13 @@ uint32_t stub_lib_security_info_size(void);
  */
 int stub_lib_get_security_info(uint8_t *buffer, uint32_t buffer_size);
 
+/**
+ * @brief Check whether flash encryption is enabled.
+ *
+ * @return true if flash encryption is enabled, false otherwise.
+ */
+bool stub_lib_security_flash_is_encrypted(void);
+
 #ifdef __cplusplus
 }
 #endif // __cplusplus
diff --git a/src/security.c b/src/security.c
@@ -1,10 +1,11 @@
 /*
- * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0 OR MIT
  */
 
 #include <stddef.h>
+#include <stdbool.h>
 #include <esp-stub-lib/security.h>
 #include <esp-stub-lib/err.h>
 #include <target/security.h>
@@ -18,3 +19,8 @@ int stub_lib_get_security_info(uint8_t *buffer, uint32_t buffer_size)
 {
     return stub_target_get_security_info(buffer, buffer_size);
 }
+
+bool stub_lib_security_flash_is_encrypted(void)
+{
+    return stub_target_security_flash_is_encrypted();
+}
diff --git a/src/target/base/include/target/security.h b/src/target/base/include/target/security.h
@@ -1,11 +1,12 @@
 /*
- * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0 OR MIT
  */
 
 #pragma once
 
+#include <stdbool.h>
 #include <stdint.h>
 
 /**
@@ -31,3 +32,10 @@ uint32_t stub_target_security_info_size(void);
  * - STUB_LIB_FAIL if the operation failed
  */
 int stub_target_get_security_info(uint8_t *buffer, uint32_t buffer_size);
+
+/**
+ * @brief Check whether flash encryption is enabled.
+ *
+ * @return true if flash encryption is enabled, false otherwise.
+ */
+bool stub_target_security_flash_is_encrypted(void);
diff --git a/src/target/common/src/security.c b/src/target/common/src/security.c
@@ -1,16 +1,18 @@
 /*
- * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0 OR MIT
  */
 
 #include <stddef.h>
+#include <stdbool.h>
 #include <stdint.h>
 #include <target/security.h>
 #include <err.h>
 
 /* GetSecurityInfoProc function from ROM */
 extern uint32_t GetSecurityInfoProc(int *pMsg, int *pnErr, uint8_t *buf);
+extern bool esp_rom_efuse_flash_encryption_enabled(void);
 
 #define SECURITY_INFO_BYTES_DEFAULT 20
 
@@ -37,3 +39,8 @@ int __attribute__((weak)) stub_target_get_security_info(uint8_t *buffer, uint32_
 
     return STUB_LIB_FAIL;
 }
+
+bool __attribute__((weak)) stub_target_security_flash_is_encrypted(void)
+{
+    return esp_rom_efuse_flash_encryption_enabled();
+}
diff --git a/src/target/esp32/src/security.c b/src/target/esp32/src/security.c
@@ -1,13 +1,20 @@
 /*
- * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0 OR MIT
  */
 
 #include <stddef.h>
+#include <stdbool.h>
 #include <stdint.h>
 #include <target/security.h>
 #include <err.h>
+#include <esp-stub-lib/soc_utils.h>
+#include <soc/reg_base.h>
+
+#define EFUSE_BLK0_RDATA0_REG      (DR_REG_EFUSE_BASE + 0x0)
+#define EFUSE_RD_FLASH_CRYPT_CNT_V 0x0000007FU
+#define EFUSE_RD_FLASH_CRYPT_CNT_S 20
 
 /* ESP32 does not support GetSecurityInfoProc */
 uint32_t stub_target_security_info_size(void)
@@ -21,3 +28,19 @@ int stub_target_get_security_info(uint8_t *buffer, uint32_t buffer_size)
     (void)buffer_size;
     return STUB_LIB_ERR_NOT_SUPPORTED;
 }
+
+bool stub_target_security_flash_is_encrypted(void)
+{
+    uint32_t flash_crypt_cnt = REG_READ(EFUSE_BLK0_RDATA0_REG);
+    flash_crypt_cnt = (flash_crypt_cnt >> EFUSE_RD_FLASH_CRYPT_CNT_S) & EFUSE_RD_FLASH_CRYPT_CNT_V;
+
+    bool enabled = false;
+    while (flash_crypt_cnt) {
+        if (flash_crypt_cnt & 1U) {
+            enabled = !enabled;
+        }
+        flash_crypt_cnt >>= 1;
+    }
+
+    return enabled;
+}
diff --git a/src/target/esp32c2/ld/esp32c2.rom.api.ld b/src/target/esp32c2/ld/esp32c2.rom.api.ld
@@ -16,6 +16,7 @@ PROVIDE ( esp_rom_gpio_connect_out_signal = gpio_matrix_out );
 
 PROVIDE ( esp_rom_efuse_mac_address_crc8       = esp_crc8 );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
 PROVIDE ( esp_rom_uart_tx_one_char    = uart_tx_one_char );
diff --git a/src/target/esp32c3/ld/esp32c3.rom.api.ld b/src/target/esp32c3/ld/esp32c3.rom.api.ld
@@ -18,6 +18,7 @@ PROVIDE ( esp_rom_gpio_connect_out_signal = gpio_matrix_out );
 PROVIDE ( esp_rom_efuse_mac_address_crc8       = esp_crc8 );
 PROVIDE ( esp_rom_efuse_get_flash_gpio_info    = ets_efuse_get_spiconfig );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 PROVIDE ( esp_rom_efuse_get_flash_wp_gpio      = ets_efuse_get_wp_pad );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
diff --git a/src/target/esp32c5/ld/esp32c5.rom.api.ld b/src/target/esp32c5/ld/esp32c5.rom.api.ld
@@ -17,6 +17,7 @@ PROVIDE ( esp_rom_gpio_connect_out_signal = gpio_matrix_out );
 
 PROVIDE ( esp_rom_efuse_mac_address_crc8       = esp_crc8 );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
 PROVIDE ( esp_rom_uart_tx_one_char    = uart_tx_one_char2 );
diff --git a/src/target/esp32c6/ld/esp32c6.rom.api.ld b/src/target/esp32c6/ld/esp32c6.rom.api.ld
@@ -17,6 +17,7 @@ PROVIDE ( esp_rom_gpio_connect_out_signal = gpio_matrix_out );
 
 PROVIDE ( esp_rom_efuse_mac_address_crc8       = esp_crc8 );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
 PROVIDE ( esp_rom_uart_tx_one_char    = uart_tx_one_char2 );
diff --git a/src/target/esp32c61/ld/esp32c61.rom.api.ld b/src/target/esp32c61/ld/esp32c61.rom.api.ld
@@ -14,6 +14,7 @@ PROVIDE ( esp_rom_gpio_connect_out_signal = gpio_matrix_out );
 
 PROVIDE ( esp_rom_efuse_mac_address_crc8       = esp_crc8 );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
 PROVIDE ( esp_rom_uart_tx_one_char    = uart_tx_one_char2 );
diff --git a/src/target/esp32h2/ld/esp32h2.rom.api.ld b/src/target/esp32h2/ld/esp32h2.rom.api.ld
@@ -17,6 +17,7 @@ PROVIDE ( esp_rom_gpio_connect_out_signal = gpio_matrix_out );
 
 PROVIDE ( esp_rom_efuse_mac_address_crc8       = esp_crc8 );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
 PROVIDE ( esp_rom_uart_tx_one_char    = uart_tx_one_char2 );
diff --git a/src/target/esp32h21/ld/esp32h21.rom.api.ld b/src/target/esp32h21/ld/esp32h21.rom.api.ld
@@ -14,6 +14,7 @@ PROVIDE ( esp_rom_gpio_connect_out_signal = gpio_matrix_out );
 
 PROVIDE ( esp_rom_efuse_mac_address_crc8       = esp_crc8 );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
 PROVIDE ( esp_rom_uart_tx_one_char    = uart_tx_one_char2 );
diff --git a/src/target/esp32h4/ld/esp32h4.rom.api.ld b/src/target/esp32h4/ld/esp32h4.rom.api.ld
@@ -16,6 +16,7 @@ PROVIDE ( esp_rom_gpio_connect_out_signal = rom_gpio_matrix_out );
 
 PROVIDE ( esp_rom_efuse_mac_address_crc8       = esp_crc8 );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
 PROVIDE ( esp_rom_uart_tx_one_char    = uart_tx_one_char2 );
diff --git a/src/target/esp32p4/ld/esp32p4.rom.api.ld b/src/target/esp32p4/ld/esp32p4.rom.api.ld
@@ -31,6 +31,7 @@ PROVIDE ( esp_rom_gpio_connect_out_signal = gpio_matrix_out );
 
 PROVIDE ( esp_rom_efuse_mac_address_crc8       = esp_crc8 );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
 PROVIDE ( esp_rom_uart_tx_one_char    = uart_tx_one_char2 );
diff --git a/src/target/esp32s2/ld/esp32s2.rom.api.ld b/src/target/esp32s2/ld/esp32s2.rom.api.ld
@@ -31,6 +31,7 @@ PROVIDE ( esp_rom_efuse_get_flash_gpio_info    = ets_efuse_get_spiconfig );
 PROVIDE ( esp_rom_efuse_get_flash_wp_gpio      = ets_efuse_get_wp_pad );
 PROVIDE ( esp_rom_efuse_get_opiconfig          = ets_efuse_get_opiconfig );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
 PROVIDE ( esp_rom_uart_tx_one_char    = uart_tx_one_char );
diff --git a/src/target/esp32s3/ld/esp32s3.rom.api.ld b/src/target/esp32s3/ld/esp32s3.rom.api.ld
@@ -32,6 +32,7 @@ PROVIDE ( esp_rom_efuse_mac_address_crc8       = esp_crc8 );
 PROVIDE ( esp_rom_efuse_get_flash_gpio_info    = ets_efuse_get_spiconfig );
 PROVIDE ( esp_rom_efuse_get_flash_wp_gpio      = ets_efuse_get_wp_pad );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
 PROVIDE ( esp_rom_uart_tx_one_char    = uart_tx_one_char );
diff --git a/src/target/esp8266/src/security.c b/src/target/esp8266/src/security.c
@@ -1,10 +1,11 @@
 /*
- * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0 OR MIT
  */
 
 #include <stddef.h>
+#include <stdbool.h>
 #include <stdint.h>
 #include <target/security.h>
 #include <err.h>
@@ -21,3 +22,8 @@ int stub_target_get_security_info(uint8_t *buffer, uint32_t buffer_size)
     (void)buffer_size;
     return STUB_LIB_ERR_NOT_SUPPORTED;
 }
+
+bool stub_target_security_flash_is_encrypted(void)
+{
+    return false;
+}

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,9 @@ static void example_mem_utils(void)`
`46`	`46`
`47`	`47`	`static void example_security(void)`
`48`	`48`	`{`
	`49`	`+ bool encryption_enabled = stub_lib_security_flash_is_encrypted();`
	`50`	`+ STUB_LOGI("Flash encryption enabled: %d\n", encryption_enabled);`
	`51`	`+`
`49`	`52`	`uint32_t size = stub_lib_security_info_size();`
`50`	`53`	`STUB_LOGI("Security info size: %u bytes\n", size);`
`51`	`54`