pioarduino
diff --git a/‎espefuse/efuse/esp32c5/fields.py
Lines changed: 13 additions & 1 deletion b/‎espefuse/efuse/esp32c5/fields.py
Lines changed: 13 additions & 1 deletion
diff --git a/‎espefuse/efuse/esp32c5/mem_definition.py
Lines changed: 9 additions & 9 deletions b/‎espefuse/efuse/esp32c5/mem_definition.py
Lines changed: 9 additions & 9 deletions
diff --git a/‎espefuse/efuse/esp32c5/operations.py
Lines changed: 68 additions & 1 deletion b/‎espefuse/efuse/esp32c5/operations.py
Lines changed: 68 additions & 1 deletion
@@ -405,8 +405,12 @@ def print_field(e, new_value):
 class EfuseKeyPurposeField(EfuseField):
     KEY_PURPOSES = [
         ("USER",                         0,  None,       None,      "no_need_rd_protect"),   # User purposes (software-only use)
-        ("ECDSA_KEY",                    1,  None,       "Reverse", "need_rd_protect"),      # ECDSA key
+        ("ECDSA_KEY",                    1,  None,       "Reverse", "need_rd_protect"),      # ECDSA key P256
+        ("ECDSA_KEY_P256",               1,  None,       "Reverse", "need_rd_protect"),      # ECDSA key P256
         ("RESERVED",                     1,  None,       None,      "no_need_rd_protect"),   # Reserved
+        ("XTS_AES_256_KEY_1",            2,  None,       "Reverse", "need_rd_protect"),      # XTS_AES_256_KEY_1 (flash/PSRAM encryption)
+        ("XTS_AES_256_KEY_2",            3,  None,       "Reverse", "need_rd_protect"),      # XTS_AES_256_KEY_2 (flash/PSRAM encryption)
+        ("XTS_AES_256_KEY",             -1, "VIRTUAL",   None,      "no_need_rd_protect"),   # Virtual purpose splits to XTS_AES_256_KEY_1 and XTS_AES_256_KEY_2
         ("XTS_AES_128_KEY",              4,  None,       "Reverse", "need_rd_protect"),      # XTS_AES_128_KEY (flash/PSRAM encryption)
         ("HMAC_DOWN_ALL",                5,  None,       None,      "need_rd_protect"),      # HMAC Downstream mode
         ("HMAC_DOWN_JTAG",               6,  None,       None,      "need_rd_protect"),      # JTAG soft enable key (uses HMAC Downstream mode)
@@ -415,6 +419,14 @@ class EfuseKeyPurposeField(EfuseField):
         ("SECURE_BOOT_DIGEST0",          9,  "DIGEST",   None,      "no_need_rd_protect"),   # SECURE_BOOT_DIGEST0 (Secure Boot key digest)
         ("SECURE_BOOT_DIGEST1",          10, "DIGEST",   None,      "no_need_rd_protect"),   # SECURE_BOOT_DIGEST1 (Secure Boot key digest)
         ("SECURE_BOOT_DIGEST2",          11, "DIGEST",   None,      "no_need_rd_protect"),   # SECURE_BOOT_DIGEST2 (Secure Boot key digest)
+        ("KM_INIT_KEY",                  12, None,       None,      "need_rd_protect"),      # init key that is used for the generation of AES/ECDSA key
+        ("XTS_AES_256_PSRAM_KEY_1",      13, None,       "Reverse", "need_rd_protect"),      # XTS_AES_256_PSRAM_KEY_1 (PSRAM encryption)
+        ("XTS_AES_256_PSRAM_KEY_2",      14, None,       "Reverse", "need_rd_protect"),      # XTS_AES_256_PSRAM_KEY_1 (PSRAM encryption)
+        # ("XTS_AES_256_PSRAM_KEY",        -2, "VIRTUAL",  None,      "no_need_rd_protect"),   # Virtual purpose splits to XTS_AES_256_PSRAM_KEY_1 and XTS_AES_256_PSRAM_KEY_1
+        ("XTS_AES_128_PSRAM_KEY",        15, None,       "Reverse", "need_rd_protect"),      # XTS_AES_128_PSRAM_KEY (PSRAM encryption)
+        ("ECDSA_KEY_P192",               16, None,       "Reverse", "need_rd_protect"),      # ECDSA key P192
+        ("ECDSA_KEY_P384_L",             17, None,       "Reverse", "need_rd_protect"),      # ECDSA key P384 low
+        ("ECDSA_KEY_P384_H",             18, None,       "Reverse", "need_rd_protect"),      # ECDSA key P384 high
     ]
 # fmt: on
     KEY_PURPOSES_NAME = [name[0] for name in KEY_PURPOSES]
 
@@ -25,20 +25,20 @@ class EfuseDefineRegisters(EfuseRegistersBase):
     EFUSE_CHECK_VALUE0_REG = DR_REG_EFUSE_BASE + 0x020
     EFUSE_CLK_REG = DR_REG_EFUSE_BASE + 0x1C8
     EFUSE_CONF_REG = DR_REG_EFUSE_BASE + 0x1CC
-    EFUSE_STATUS_REG = DR_REG_EFUSE_BASE + 0x1D0
-    EFUSE_CMD_REG = DR_REG_EFUSE_BASE + 0x1D4
-    EFUSE_RD_RS_ERR0_REG = DR_REG_EFUSE_BASE + 0x1C0
-    EFUSE_RD_RS_ERR1_REG = DR_REG_EFUSE_BASE + 0x1C4
+    EFUSE_STATUS_REG = DR_REG_EFUSE_BASE + 0x1D4
+    EFUSE_CMD_REG = DR_REG_EFUSE_BASE + 0x1D8
+    EFUSE_RD_RS_ERR0_REG = DR_REG_EFUSE_BASE + 0x190
+    EFUSE_RD_RS_ERR1_REG = DR_REG_EFUSE_BASE + 0x194
     EFUSE_RD_REPEAT_ERR0_REG = DR_REG_EFUSE_BASE + 0x17C
     EFUSE_RD_REPEAT_ERR1_REG = DR_REG_EFUSE_BASE + 0x180
     EFUSE_RD_REPEAT_ERR2_REG = DR_REG_EFUSE_BASE + 0x184
     EFUSE_RD_REPEAT_ERR3_REG = DR_REG_EFUSE_BASE + 0x188
     EFUSE_RD_REPEAT_ERR4_REG = DR_REG_EFUSE_BASE + 0x18C
-    EFUSE_DAC_CONF_REG = DR_REG_EFUSE_BASE + 0x1E8
-    EFUSE_RD_TIM_CONF_REG = DR_REG_EFUSE_BASE + 0x1EC
-    EFUSE_WR_TIM_CONF1_REG = DR_REG_EFUSE_BASE + 0x1F0
-    EFUSE_WR_TIM_CONF2_REG = DR_REG_EFUSE_BASE + 0x1F4
-    EFUSE_DATE_REG = DR_REG_EFUSE_BASE + 0x1FC
+    EFUSE_DAC_CONF_REG = DR_REG_EFUSE_BASE + 0x1EC
+    EFUSE_RD_TIM_CONF_REG = DR_REG_EFUSE_BASE + 0x1F0
+    EFUSE_WR_TIM_CONF1_REG = DR_REG_EFUSE_BASE + 0x1F4
+    EFUSE_WR_TIM_CONF2_REG = DR_REG_EFUSE_BASE + 0x1F8
+    EFUSE_DATE_REG = DR_REG_EFUSE_BASE + 0x198
     EFUSE_WRITE_OP_CODE = 0x5A5A
     EFUSE_READ_OP_CODE = 0x5AA5
     EFUSE_PGM_CMD_MASK = 0x3
 
@@ -5,6 +5,7 @@
 # SPDX-License-Identifier: GPL-2.0-or-later
 
 import argparse
+import io
 import os  # noqa: F401. It is used in IDF scripts
 import traceback
 
@@ -199,6 +200,67 @@ def adc_info(esp, efuses, args):
                 print(f"{efuse.name:<30} = ", efuses[efuse.name].get())
 
 
+def key_block_is_unused(block, key_purpose_block):
+    if not block.is_readable() or not block.is_writeable():
+        return False
+
+    if key_purpose_block.get() != "USER" or not key_purpose_block.is_writeable():
+        return False
+
+    if not block.get_bitstring().all(False):
+        return False
+
+    return True
+
+
+def get_next_key_block(efuses, current_key_block, block_name_list):
+    key_blocks = [b for b in efuses.blocks if b.key_purpose_name]
+    start = key_blocks.index(current_key_block)
+
+    # Sort key blocks so that we pick the next free block (and loop around if necessary)
+    key_blocks = key_blocks[start:] + key_blocks[0:start]
+
+    # Exclude any other blocks that will be be burned
+    key_blocks = [b for b in key_blocks if b.name not in block_name_list]
+
+    for block in key_blocks:
+        key_purpose_block = efuses[block.key_purpose_name]
+        if key_block_is_unused(block, key_purpose_block):
+            return block
+
+    return None
+
+
+def split_512_bit_key(efuses, block_name_list, datafile_list, keypurpose_list):
+    i = keypurpose_list.index("XTS_AES_256_KEY")
+    block_name = block_name_list[i]
+
+    block_num = efuses.get_index_block_by_name(block_name)
+    block = efuses.blocks[block_num]
+
+    data = datafile_list[i].read()
+    if len(data) != 64:
+        raise esptool.FatalError(
+            "Incorrect key file size %d, XTS_AES_256_KEY should be 64 bytes" % len(data)
+        )
+
+    key_block_2 = get_next_key_block(efuses, block, block_name_list)
+    if not key_block_2:
+        raise esptool.FatalError("XTS_AES_256_KEY requires two free keyblocks")
+
+    keypurpose_list.append("XTS_AES_256_KEY_1")
+    datafile_list.append(io.BytesIO(data[:32]))
+    block_name_list.append(block_name)
+
+    keypurpose_list.append("XTS_AES_256_KEY_2")
+    datafile_list.append(io.BytesIO(data[32:]))
+    block_name_list.append(key_block_2.name)
+
+    keypurpose_list.pop(i)
+    datafile_list.pop(i)
+    block_name_list.pop(i)
+
+
 def burn_key(esp, efuses, args, digest=None):
     if digest is None:
         datafile_list = args.keyfile[
@@ -214,6 +276,11 @@ def burn_key(esp, efuses, args, digest=None):
         0 : len([name for name in args.keypurpose if name is not None]) :
     ]
 
+    if "XTS_AES_256_KEY" in keypurpose_list:
+        # XTS_AES_256_KEY is not an actual HW key purpose, needs to be split into
+        # XTS_AES_256_KEY_1 and XTS_AES_256_KEY_2
+        split_512_bit_key(efuses, block_name_list, datafile_list, keypurpose_list)
+
     util.check_duplicate_name_in_list(block_name_list)
     if len(block_name_list) != len(datafile_list) or len(block_name_list) != len(
         keypurpose_list
@@ -240,7 +307,7 @@ def burn_key(esp, efuses, args, digest=None):
         block = efuses.blocks[block_num]
 
         if digest is None:
-            if keypurpose == "ECDSA_KEY":
+            if keypurpose.startswith("ECDSA_KEY"):
                 sk = espsecure.load_ecdsa_signing_key(datafile)
                 data = espsecure.get_ecdsa_signing_key_raw_bytes(sk)
                 if len(data) == 24: