Merge branch 'espressif:release/v5.5' into release/v5.5

Author: Jason2866

.gitlab/ci/build.yml

@@ -245,17 +245,11 @@ build_docker:
   stage: host_test
   needs: []
   image: espressif/docker-builder:1
-  tags:
-    - build_docker_amd64_brno
+  tags: [shiny, dind]
   variables:
     DOCKER_TMP_IMAGE_NAME: "idf_tmp_image"
   script:
-    - export LOCAL_CI_REPOSITORY_URL=$CI_REPOSITORY_URL
-    - if [ -n "$LOCAL_GITLAB_HTTPS_HOST" ]; then export LOCAL_CI_REPOSITORY_URL="https://gitlab-ci-token:${CI_JOB_TOKEN}@${LOCAL_GITLAB_HTTPS_HOST}/${CI_PROJECT_PATH}"; fi
-    - if [ -n "$LOCAL_GIT_MIRROR" ]; then export LOCAL_CI_REPOSITORY_URL="${LOCAL_GIT_MIRROR}/${CI_PROJECT_PATH}"; fi
-    - echo "Using repository at $LOCAL_CI_REPOSITORY_URL"
-    - export DOCKER_BUILD_ARGS="--build-arg IDF_CLONE_URL=${LOCAL_CI_REPOSITORY_URL} --build-arg IDF_CLONE_BRANCH_OR_TAG=${CI_COMMIT_REF_NAME} --build-arg IDF_CHECKOUT_REF=${CI_COMMIT_TAG:-$PIPELINE_COMMIT_SHA}"
-    # Build
+    - export DOCKER_BUILD_ARGS="--build-arg IDF_CLONE_URL=${CI_REPOSITORY_URL} --build-arg IDF_CLONE_BRANCH_OR_TAG=${CI_COMMIT_REF_NAME} --build-arg IDF_CHECKOUT_REF=${CI_COMMIT_TAG:-$CI_COMMIT_SHA} --build-arg IDF_CLONE_SHALLOW=1 --build-arg IDF_GITHUB_ASSETS=${INTERNAL_GITHUB_ASSETS}"
     - docker build --tag ${DOCKER_TMP_IMAGE_NAME} ${DOCKER_BUILD_ARGS} tools/docker/
     # We can't mount $PWD/examples/get-started/blink into the container, see https://gitlab.com/gitlab-org/gitlab-ce/issues/41227.
     # The workaround mentioned there works, but leaves around directories which need to be cleaned up manually.

.gitlab/ci/test-win.yml

@@ -14,7 +14,12 @@
     - job: upload-submodules-cache
       optional: true
       artifacts: false
-  before_script: []
+  variables:
+    GIT_STRATEGY: fetch  # use brew local mirror first
+  before_script:
+    - if ($env:IDF_DONT_USE_MIRRORS) {
+        $env:IDF_MIRROR_PREFIX_MAP = ""
+      }
   after_script: []
 
 test_cli_installer_win:

components/bootloader/Kconfig.projbuild

@@ -965,6 +965,24 @@ menu "Security features"
                 so that the bootloader would not need to enable secure boot and thus you could avoid its revocation
                 strategy.
 
+        config SECURE_BOOT_SKIP_WRITE_PROTECTION_SCA
+            bool "Skip write-protection of SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH"
+            default y if SECURE_FLASH_PSEUDO_ROUND_FUNC
+            default n
+            depends on SOC_ECDSA_SUPPORT_CURVE_P384 && SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
+            help
+                If not set (default, recommended), on the first boot when Secure Boot is enabled for
+                targets that support Secure Boot using ECDSA-P384, the bootloader will burn the write-protection bit of
+                of SECURE_BOOT_SHA384_EN that could be shared by multiple other efuse bits like
+                SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH / XTS_DPA_PSEUDO_LEVEL.
+
+                Once this efuse bit is write-protected you cannot update the values of the shared efuses, for example,
+                the security strength value of XTS_DPA_PSEUDO_LEVEL or setting ECC_FORCE_CONST_TIME.
+
+                List of eFuses with the same write protection bit:
+
+                ESP32-C5: XTS_DPA_PSEUDO_LEVEL and ECC_FORCE_CONST_TIME
+
         config SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC
             bool "Leave UART bootloader encryption enabled"
             depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
@@ -1048,6 +1066,7 @@ menu "Security features"
                 ESP32-S3: DIS_ICACHE, DIS_DCACHE, DIS_DOWNLOAD_ICACHE, DIS_DOWNLOAD_DCACHE,
                 DIS_FORCE_DOWNLOAD, DIS_USB_OTG, DIS_TWAI, DIS_APP_CPU, DIS_PAD_JTAG,
                 DIS_DOWNLOAD_MANUAL_ENCRYPT, DIS_USB_JTAG, DIS_USB_SERIAL_JTAG, STRAP_JTAG_SEL, USB_PHY_SEL.
+
     endmenu  # Potentially Insecure
 
     config SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART
@@ -1080,8 +1099,9 @@ menu "Security features"
 
     config SECURE_FLASH_PSEUDO_ROUND_FUNC
         bool "Permanently enable XTS-AES's pseudo rounds function"
-        default y
-        depends on SECURE_FLASH_ENCRYPTION_MODE_RELEASE && SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
+        default y if SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+        default n
+        depends on SECURE_FLASH_ENC_ENABLED && SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
         help
             If set (default), the bootloader will permanently enable the XTS-AES peripheral's pseudo rounds function.
             Note: Enabling this config would burn an efuse.
@@ -1094,6 +1114,12 @@ menu "Security features"
             The strength of the pseudo rounds functions can be configured to low, medium and high,
             each denoting the values that would be stored in the efuses field.
             By default the value to set to low.
+
+            It is recommended that the required strength of the pseudo rounds function should be set during the
+            first boot itself. If your workflow needs to update the function's strength after the first boot,
+            you should enable CONFIG_SECURE_BOOT_SKIP_WRITE_PROTECTION_SCA to avoid write protecting this
+            bit during the boot up for targets that support Secure Boot using ECDSA-P384.
+
             You can configure the strength of the pseudo rounds functions according to your use cases,
             for example, increasing the strength would provide higher security but would slow down the
             flash encryption/decryption operations.

components/bootloader/subproject/CMakeLists.txt

@@ -67,9 +67,13 @@ idf_build_set_property(__COMPONENT_REQUIRES_COMMON "${common_req}")
 idf_build_set_property(__OUTPUT_SDKCONFIG 0)
 # Define a property for the default linker script
 set(LD_DEFAULT_PATH "${CMAKE_CURRENT_SOURCE_DIR}/main/ld/${IDF_TARGET}")
-idf_build_set_property(BOOTLOADER_LINKER_SCRIPT "${LD_DEFAULT_PATH}/bootloader.ld" APPEND)
 idf_build_set_property(BOOTLOADER_LINKER_SCRIPT "${LD_DEFAULT_PATH}/bootloader.rom.ld" APPEND)
 project(bootloader)
+if(CONFIG_ESP32P4_REV_MIN_300)
+    target_linker_script("__idf_main" INTERFACE "${LD_DEFAULT_PATH}/bootloader.rev3.ld")
+else()
+    target_linker_script("__idf_main" INTERFACE "${LD_DEFAULT_PATH}/bootloader.ld")
+endif()
 
 idf_build_set_property(COMPILE_DEFINITIONS "BOOTLOADER_BUILD=1" APPEND)
 idf_build_set_property(COMPILE_DEFINITIONS "NON_OS_BUILD=1" APPEND)