feat(security): add api to check flash is encrypted

example/stub_main.c

@@ -46,6 +46,9 @@ static void example_mem_utils(void)
 
 static void example_security(void)
 {
+    bool encryption_enabled = stub_lib_security_flash_is_encrypted();
+    STUB_LOGI("Flash encryption enabled: %d\n", encryption_enabled);
+
     uint32_t size = stub_lib_security_info_size();
     STUB_LOGI("Security info size: %u bytes\n", size);
 

include/esp-stub-lib/security.h

@@ -1,11 +1,12 @@
 /*
- * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0 OR MIT
  */
 
 #pragma once
 
+#include <stdbool.h>
 #include <stdint.h>
 
 #ifdef __cplusplus
@@ -36,6 +37,13 @@ uint32_t stub_lib_security_info_size(void);
  */
 int stub_lib_get_security_info(uint8_t *buffer, uint32_t buffer_size);
 
+/**
+ * @brief Check whether flash encryption is enabled.
+ *
+ * @return true if flash encryption is enabled, false otherwise.
+ */
+bool stub_lib_security_flash_is_encrypted(void);
+
 #ifdef __cplusplus
 }
 #endif // __cplusplus

src/security.c

@@ -1,10 +1,11 @@
 /*
- * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0 OR MIT
  */
 
 #include <stddef.h>
+#include <stdbool.h>
 #include <esp-stub-lib/security.h>
 #include <esp-stub-lib/err.h>
 #include <target/security.h>
@@ -18,3 +19,8 @@ int stub_lib_get_security_info(uint8_t *buffer, uint32_t buffer_size)
 {
     return stub_target_get_security_info(buffer, buffer_size);
 }
+
+bool stub_lib_security_flash_is_encrypted(void)
+{
+    return stub_target_security_flash_is_encrypted();
+}

src/target/base/include/target/security.h

@@ -1,11 +1,12 @@
 /*
- * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0 OR MIT
  */
 
 #pragma once
 
+#include <stdbool.h>
 #include <stdint.h>
 
 /**
@@ -31,3 +32,10 @@ uint32_t stub_target_security_info_size(void);
  * - STUB_LIB_FAIL if the operation failed
  */
 int stub_target_get_security_info(uint8_t *buffer, uint32_t buffer_size);
+
+/**
+ * @brief Check whether flash encryption is enabled.
+ *
+ * @return true if flash encryption is enabled, false otherwise.
+ */
+bool stub_target_security_flash_is_encrypted(void);

src/target/common/src/security.c

@@ -1,16 +1,18 @@
 /*
- * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0 OR MIT
  */
 
 #include <stddef.h>
+#include <stdbool.h>
 #include <stdint.h>
 #include <target/security.h>
 #include <err.h>
 
 /* GetSecurityInfoProc function from ROM */
 extern uint32_t GetSecurityInfoProc(int *pMsg, int *pnErr, uint8_t *buf);
+extern bool esp_rom_efuse_flash_encryption_enabled(void);
 
 #define SECURITY_INFO_BYTES_DEFAULT 20
 
@@ -37,3 +39,8 @@ int __attribute__((weak)) stub_target_get_security_info(uint8_t *buffer, uint32_
 
     return STUB_LIB_FAIL;
 }
+
+bool __attribute__((weak)) stub_target_security_flash_is_encrypted(void)
+{
+    return esp_rom_efuse_flash_encryption_enabled();
+}

src/target/esp32/src/security.c

@@ -1,13 +1,20 @@
 /*
- * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0 OR MIT
  */
 
 #include <stddef.h>
+#include <stdbool.h>
 #include <stdint.h>
 #include <target/security.h>
 #include <err.h>
+#include <esp-stub-lib/soc_utils.h>
+#include <soc/reg_base.h>
+
+#define EFUSE_BLK0_RDATA0_REG      (DR_REG_EFUSE_BASE + 0x0)
+#define EFUSE_RD_FLASH_CRYPT_CNT_V 0x0000007FU
+#define EFUSE_RD_FLASH_CRYPT_CNT_S 20
 
 /* ESP32 does not support GetSecurityInfoProc */
 uint32_t stub_target_security_info_size(void)
@@ -21,3 +28,19 @@ int stub_target_get_security_info(uint8_t *buffer, uint32_t buffer_size)
     (void)buffer_size;
     return STUB_LIB_ERR_NOT_SUPPORTED;
 }
+
+bool stub_target_security_flash_is_encrypted(void)
+{
+    uint32_t flash_crypt_cnt = REG_READ(EFUSE_BLK0_RDATA0_REG);
+    flash_crypt_cnt = (flash_crypt_cnt >> EFUSE_RD_FLASH_CRYPT_CNT_S) & EFUSE_RD_FLASH_CRYPT_CNT_V;
+
+    bool enabled = false;
+    while (flash_crypt_cnt) {
+        if (flash_crypt_cnt & 1U) {
+            enabled = !enabled;
+        }
+        flash_crypt_cnt >>= 1;
+    }
+
+    return enabled;
+}

src/target/esp32c2/ld/esp32c2.rom.api.ld

@@ -16,6 +16,7 @@ PROVIDE ( esp_rom_gpio_connect_out_signal = gpio_matrix_out );
 
 PROVIDE ( esp_rom_efuse_mac_address_crc8       = esp_crc8 );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
 PROVIDE ( esp_rom_uart_tx_one_char    = uart_tx_one_char );

src/target/esp32c3/ld/esp32c3.rom.api.ld

@@ -18,6 +18,7 @@ PROVIDE ( esp_rom_gpio_connect_out_signal = gpio_matrix_out );
 PROVIDE ( esp_rom_efuse_mac_address_crc8       = esp_crc8 );
 PROVIDE ( esp_rom_efuse_get_flash_gpio_info    = ets_efuse_get_spiconfig );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 PROVIDE ( esp_rom_efuse_get_flash_wp_gpio      = ets_efuse_get_wp_pad );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );

src/target/esp32c5/ld/esp32c5.rom.api.ld

@@ -17,6 +17,7 @@ PROVIDE ( esp_rom_gpio_connect_out_signal = gpio_matrix_out );
 
 PROVIDE ( esp_rom_efuse_mac_address_crc8       = esp_crc8 );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
 PROVIDE ( esp_rom_uart_tx_one_char    = uart_tx_one_char2 );

src/target/esp32c6/ld/esp32c6.rom.api.ld

@@ -17,6 +17,7 @@ PROVIDE ( esp_rom_gpio_connect_out_signal = gpio_matrix_out );
 
 PROVIDE ( esp_rom_efuse_mac_address_crc8       = esp_crc8 );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
 PROVIDE ( esp_rom_uart_tx_one_char    = uart_tx_one_char2 );

src/target/esp32c61/ld/esp32c61.rom.api.ld

@@ -14,6 +14,7 @@ PROVIDE ( esp_rom_gpio_connect_out_signal = gpio_matrix_out );
 
 PROVIDE ( esp_rom_efuse_mac_address_crc8       = esp_crc8 );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
 PROVIDE ( esp_rom_uart_tx_one_char    = uart_tx_one_char2 );

src/target/esp32h2/ld/esp32h2.rom.api.ld

@@ -17,6 +17,7 @@ PROVIDE ( esp_rom_gpio_connect_out_signal = gpio_matrix_out );
 
 PROVIDE ( esp_rom_efuse_mac_address_crc8       = esp_crc8 );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
 PROVIDE ( esp_rom_uart_tx_one_char    = uart_tx_one_char2 );

src/target/esp32h21/ld/esp32h21.rom.api.ld

@@ -14,6 +14,7 @@ PROVIDE ( esp_rom_gpio_connect_out_signal = gpio_matrix_out );
 
 PROVIDE ( esp_rom_efuse_mac_address_crc8       = esp_crc8 );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
 PROVIDE ( esp_rom_uart_tx_one_char    = uart_tx_one_char2 );

src/target/esp32h4/ld/esp32h4.rom.api.ld

@@ -16,6 +16,7 @@ PROVIDE ( esp_rom_gpio_connect_out_signal = rom_gpio_matrix_out );
 
 PROVIDE ( esp_rom_efuse_mac_address_crc8       = esp_crc8 );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
 PROVIDE ( esp_rom_uart_tx_one_char    = uart_tx_one_char2 );

src/target/esp32p4/ld/esp32p4.rom.api.ld

@@ -31,6 +31,7 @@ PROVIDE ( esp_rom_gpio_connect_out_signal = gpio_matrix_out );
 
 PROVIDE ( esp_rom_efuse_mac_address_crc8       = esp_crc8 );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
 PROVIDE ( esp_rom_uart_tx_one_char    = uart_tx_one_char2 );

src/target/esp32s2/ld/esp32s2.rom.api.ld

@@ -31,6 +31,7 @@ PROVIDE ( esp_rom_efuse_get_flash_gpio_info    = ets_efuse_get_spiconfig );
 PROVIDE ( esp_rom_efuse_get_flash_wp_gpio      = ets_efuse_get_wp_pad );
 PROVIDE ( esp_rom_efuse_get_opiconfig          = ets_efuse_get_opiconfig );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
 PROVIDE ( esp_rom_uart_tx_one_char    = uart_tx_one_char );

src/target/esp32s3/ld/esp32s3.rom.api.ld

@@ -32,6 +32,7 @@ PROVIDE ( esp_rom_efuse_mac_address_crc8       = esp_crc8 );
 PROVIDE ( esp_rom_efuse_get_flash_gpio_info    = ets_efuse_get_spiconfig );
 PROVIDE ( esp_rom_efuse_get_flash_wp_gpio      = ets_efuse_get_wp_pad );
 PROVIDE ( esp_rom_efuse_is_secure_boot_enabled = ets_efuse_secure_boot_enabled );
+PROVIDE ( esp_rom_efuse_flash_encryption_enabled = ets_efuse_cache_encryption_enabled );
 
 PROVIDE ( esp_rom_uart_flush_tx       = uart_tx_flush );
 PROVIDE ( esp_rom_uart_tx_one_char    = uart_tx_one_char );

src/target/esp8266/src/security.c

@@ -1,10 +1,11 @@
 /*
- * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0 OR MIT
  */
 
 #include <stddef.h>
+#include <stdbool.h>
 #include <stdint.h>
 #include <target/security.h>
 #include <err.h>
@@ -21,3 +22,8 @@ int stub_target_get_security_info(uint8_t *buffer, uint32_t buffer_size)
     (void)buffer_size;
     return STUB_LIB_ERR_NOT_SUPPORTED;
 }
+
+bool stub_target_security_flash_is_encrypted(void)
+{
+    return false;
+}