feat(security): add api to check flash is encrypted#67

Merged: erhankur merged 1 commit into master from get_flash_encryption on Feb 19, 2026

@erhankur
Collaborator

Add a new API to report whether flash encryption is enabled.

@github-actions

github-actions bot commented Feb 19, 2026

Messages
📖 🎉 Good Job! All checks are passing!

👋 Hello erhankur, we appreciate your contribution to this project!


Click to see more instructions ...


This automated output is generated by the PR linter DangerJS, which checks if your Pull Request meets the project's requirements and helps you fix potential issues.

DangerJS is triggered with each push event to a Pull Request and modifies the contents of this comment.

Please consider the following:
- Danger mainly focuses on the PR structure and formatting and can't understand the meaning behind your code or changes.
- Danger is not a substitute for human code reviews; it's still important to request a code review from your colleagues.
- To manually retry these Danger checks, please navigate to the Actions tab and re-run last Danger workflow.

Review and merge process you can expect ...


We do welcome contributions in the form of bug reports, feature requests and pull requests.

1. An internal issue has been created for the PR, we assign it to the relevant engineer.
2. They review the PR and either approve it or ask you for changes or clarifications.
3. Once the GitHub PR is approved we do the final review, collect approvals from core owners and make sure all the automated tests are passing.
- At this point we may do some adjustments to the proposed change, or extend it by adding tests or documentation.
4. If the change is approved and passes the tests it is merged into the default branch.

Generated by 🚫 dangerJS against 96e788b

Copilot AI left a comment

Pull request overview

Adds a new security-related API to query whether flash encryption is enabled, exposing it through the public esp-stub-lib/security.h interface and wiring it into target/common implementations.

Changes:

  • Add stub_lib_flash_encryption_is_enabled() public API and stub_target_flash_encryption_is_enabled() internal target hook.
  • Implement the check via ROM eFuse helper on most targets, with explicit target overrides for ESP32 and ESP8266.
  • Export the required ROM symbol alias (esp_rom_efuse_flash_encryption_enabled) for multiple targets via *.rom.api.ld.

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| src/target/esp8266/src/security.c | Adds ESP8266 implementation returning false for flash encryption enabled check. |
| src/target/esp32/src/security.c | Adds ESP32-specific eFuse register-based implementation. |
| src/target/common/src/security.c | Adds weak default implementation calling ROM eFuse helper. |
| src/target/base/include/target/security.h | Extends internal target security interface with new boolean API. |
| src/security.c | Adds top-level library API forwarding to target implementation. |
| include/esp-stub-lib/security.h | Exposes new public API declaration. |
| example/stub_main.c | Demonstrates/logs flash encryption enabled status in example security routine. |
| src/target/esp32s3/ld/esp32s3.rom.api.ld | Exports ROM alias for flash encryption enabled helper. |
| src/target/esp32s2/ld/esp32s2.rom.api.ld | Exports ROM alias for flash encryption enabled helper. |
| src/target/esp32p4/ld/esp32p4.rom.api.ld | Exports ROM alias for flash encryption enabled helper. |
| src/target/esp32h4/ld/esp32h4.rom.api.ld | Exports ROM alias for flash encryption enabled helper. |
| src/target/esp32h21/ld/esp32h21.rom.api.ld | Exports ROM alias for flash encryption enabled helper. |
| src/target/esp32h2/ld/esp32h2.rom.api.ld | Exports ROM alias for flash encryption enabled helper. |
| src/target/esp32c61/ld/esp32c61.rom.api.ld | Exports ROM alias for flash encryption enabled helper. |
| src/target/esp32c6/ld/esp32c6.rom.api.ld | Exports ROM alias for flash encryption enabled helper. |
| src/target/esp32c5/ld/esp32c5.rom.api.ld | Exports ROM alias for flash encryption enabled helper. |
| src/target/esp32c3/ld/esp32c3.rom.api.ld | Exports ROM alias for flash encryption enabled helper. |
| src/target/esp32c2/ld/esp32c2.rom.api.ld | Exports ROM alias for flash encryption enabled helper. |

@erhankur
Collaborator Author

@radimkarnis @Dzarda7 I might be missing eFuse-related functionality for all targets. PTAL

@erhankur force-pushed the get_flash_encryption branch from b7f8658 to 541164e (February 19, 2026 07:50)
@Dzarda7
Collaborator

Dzarda7 commented Feb 19, 2026

LGTM, I would just consider renaming the function, as stub_lib_flash is the beginning of all functions in flash.h, so it is a bit confusing; maybe something like stub_lib_security_cache/flash_encryption_enabled, maybe even stub_lib_security_encryption_is_enabled is okay. The first one is quite long, maybe you have a better idea.

Regarding the eFuse, you will need to add support for eFuse reading and writing?

@erhankur force-pushed the get_flash_encryption branch from 541164e to 96e788b (February 19, 2026 15:43)
@erhankur
Collaborator Author

> LGTM, I would just consider renaming the function, as stub_lib_flash is the beginning of all functions in flash.h, so it is a bit confusing; maybe something like stub_lib_security_cache/flash_encryption_enabled, maybe even stub_lib_security_encryption_is_enabled is okay. The first one is quite long, maybe you have a better idea.
>
> Regarding the eFuse, you will need to add support for eFuse reading and writing?

Good point. Renamed as stub_lib_security_flash_is_encrypted.

We have a task to update eFuses from JTAG. So it will be nice to have it in the stub-lib.

Member

@radimkarnis radimkarnis left a comment

LGTM

@erhankur erhankur merged commit 1c7e750 into master Feb 19, 2026
30 checks passed
@erhankur erhankur deleted the get_flash_encryption branch February 19, 2026 21:35