Merge branch 'feature/secure_set_efuses_to_prevent_brick_chip' into '…

…master'

security: write-protect DIS_ICAHE and DIS_DCACHE

Closes IDF-5177

See merge request espressif/esp-idf!22640

components/bootloader/Kconfig.projbuild

@@ -841,6 +841,10 @@ menu "Security features"
 
     endchoice
 
+    config SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE
+        bool
+        default y if (SOC_EFUSE_DIS_ICACHE || IDF_TARGET_ESP32) && SECURE_FLASH_ENC_ENABLED
+
     menu "Potentially insecure options"
         visible if SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT || SECURE_BOOT_INSECURE || SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT # NOERROR
 
@@ -867,6 +871,7 @@ menu "Security features"
         config SECURE_BOOT_ALLOW_JTAG
             bool "Allow JTAG Debugging"
             depends on SECURE_BOOT_INSECURE || SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+            select SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE if SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE
             default N
             help
                 If not set (default), the bootloader will permanently disable JTAG (across entire chip) on first boot
@@ -924,6 +929,7 @@ menu "Security features"
         config SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC
             bool "Leave UART bootloader encryption enabled"
             depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+            select SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE if SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE
             default N
             help
                 If not set (default), the bootloader will permanently disable UART bootloader encryption access on
@@ -946,6 +952,7 @@ menu "Security features"
             bool "Leave UART bootloader flash cache enabled"
             depends on SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT && (IDF_TARGET_ESP32 || SOC_EFUSE_DIS_DOWNLOAD_ICACHE || SOC_EFUSE_DIS_DOWNLOAD_DCACHE) # NOERROR
             default N
+            select SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE if SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE
             help
                 If not set (default), the bootloader will permanently disable UART bootloader flash cache access on
                 first boot. If set, the UART bootloader will still be able to access the flash cache.
@@ -966,6 +973,40 @@ menu "Security features"
                 Only use this option in testing environments, to avoid accidentally enabling flash encryption on
                 the wrong device. The device needs to have flash encryption already enabled using espefuse.py.
 
+        config SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE
+            bool "Skip write-protection of DIS_CACHE (DIS_ICACHE, DIS_DCACHE)"
+            default n
+            depends on SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE
+            help
+                If not set (default, recommended), on the first boot the bootloader will burn the write-protection of
+                DIS_CACHE(for ESP32) or DIS_ICACHE/DIS_DCACHE(for other chips) eFuse when Flash Encryption is enabled.
+                Write protection for cache disable efuse prevents the chip from being blocked if it is set by accident.
+                App and bootloader use cache so disabling it makes the chip useless for IDF.
+                Due to other eFuses are linked with the same write protection bit (see the list below) then
+                write-protection will not be done if these SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC,
+                SECURE_BOOT_ALLOW_JTAG or SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE options are selected
+                to give a chance to turn on the chip into the release mode later.
+
+                List of eFuses with the same write protection bit:
+                ESP32: MAC, MAC_CRC, DISABLE_APP_CPU, DISABLE_BT, DIS_CACHE, VOL_LEVEL_HP_INV.
+
+                ESP32-C3: DIS_ICACHE, DIS_USB_JTAG, DIS_DOWNLOAD_ICACHE, DIS_USB_SERIAL_JTAG,
+                DIS_FORCE_DOWNLOAD, DIS_TWAI, JTAG_SEL_ENABLE, DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT.
+
+                ESP32-C6: SWAP_UART_SDIO_EN, DIS_ICACHE, DIS_USB_JTAG, DIS_DOWNLOAD_ICACHE,
+                DIS_USB_SERIAL_JTAG, DIS_FORCE_DOWNLOAD, DIS_TWAI, JTAG_SEL_ENABLE,
+                DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT.
+
+                ESP32-H2: DIS_ICACHE, DIS_USB_JTAG, POWERGLITCH_EN, DIS_FORCE_DOWNLOAD, SPI_DOWNLOAD_MSPI_DIS,
+                DIS_TWAI, JTAG_SEL_ENABLE, DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT.
+
+                ESP32-S2: DIS_ICACHE, DIS_DCACHE, DIS_DOWNLOAD_ICACHE, DIS_DOWNLOAD_DCACHE,
+                DIS_FORCE_DOWNLOAD, DIS_USB, DIS_TWAI, DIS_BOOT_REMAP, SOFT_DIS_JTAG,
+                HARD_DIS_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT.
+
+                ESP32-S3: DIS_ICACHE, DIS_DCACHE, DIS_DOWNLOAD_ICACHE, DIS_DOWNLOAD_DCACHE,
+                DIS_FORCE_DOWNLOAD, DIS_USB_OTG, DIS_TWAI, DIS_APP_CPU, DIS_PAD_JTAG,
+                DIS_DOWNLOAD_MANUAL_ENCRYPT, DIS_USB_JTAG, DIS_USB_SERIAL_JTAG, STRAP_JTAG_SEL, USB_PHY_SEL.
     endmenu  # Potentially Insecure
 
     config SECURE_FLASH_CHECK_ENC_EN_IN_APP

components/bootloader_support/src/esp32/flash_encryption_secure_features.c

@@ -79,5 +79,13 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
     esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE);
 #endif
 
+#ifndef CONFIG_SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE
+    // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally.
+    // esp32 has DIS_ICACHE. Write-protection bit = 3.
+    // List of eFuses with the same write protection bit:
+    // MAC, MAC_CRC, DISABLE_APP_CPU, DISABLE_BT, DIS_CACHE, VOL_LEVEL_HP_INV.
+    esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_CACHE);
+#endif
+
     return ESP_OK;
 }

components/bootloader_support/src/esp32c3/flash_encryption_secure_features.c

@@ -46,5 +46,14 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
     esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
 #endif
 
+#ifndef CONFIG_SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE
+    // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally.
+    // esp32c3 has DIS_ICACHE. Write-protection bit = 2.
+    // List of eFuses with the same write protection bit:
+    // DIS_ICACHE, DIS_USB_JTAG, DIS_DOWNLOAD_ICACHE, DIS_USB_SERIAL_JTAG,
+    // DIS_FORCE_DOWNLOAD, DIS_TWAI, JTAG_SEL_ENABLE, DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT.
+    esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE);
+#endif
+
     return ESP_OK;
 }

components/bootloader_support/src/esp32c6/flash_encryption_secure_features.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -46,5 +46,15 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
     esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
 #endif
 
+#ifndef CONFIG_SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE
+    // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally.
+    // esp32c6 has DIS_ICACHE. Write-protection bit = 2.
+    // List of eFuses with the same write protection bit:
+    // SWAP_UART_SDIO_EN, DIS_ICACHE, DIS_USB_JTAG, DIS_DOWNLOAD_ICACHE,
+    // DIS_USB_SERIAL_JTAG, DIS_FORCE_DOWNLOAD, DIS_TWAI, JTAG_SEL_ENABLE,
+    // DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT.
+    esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE);
+#endif
+
     return ESP_OK;
 }

components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c

@@ -39,5 +39,14 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
     esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
 #endif
 
+#ifndef CONFIG_SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE
+    // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally.
+    // esp32h2 has DIS_ICACHE. Write-protection bit = 2.
+    // List of eFuses with the same write protection bit:
+    // DIS_ICACHE, DIS_USB_JTAG, POWERGLITCH_EN, DIS_FORCE_DOWNLOAD, SPI_DOWNLOAD_MSPI_DIS,
+    // DIS_TWAI, JTAG_SEL_ENABLE, DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT
+    esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE);
+#endif
+
     return ESP_OK;
 }

components/bootloader_support/src/esp32h4/flash_encryption_secure_features.c

@@ -46,5 +46,14 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
     esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
 #endif
 
+#ifndef CONFIG_SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE
+    // Set write-protection for DIS_ICACHE to prevent bricking chip in case it will be set accidentally.
+    // esp32h4 has DIS_ICACHE. Write-protection bit = 2.
+    // List of eFuses with the same write protection bit:
+    // DIS_ICACHE, DIS_USB_JTAG, POWERGLITCH_EN, DIS_FORCE_DOWNLOAD, SPI_DOWNLOAD_MSPI_DIS,
+    // DIS_TWAI, JTAG_SEL_ENABLE, DIS_PAD_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT
+    esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE);
+#endif
+
     return ESP_OK;
 }

components/bootloader_support/src/esp32s2/flash_encryption_secure_features.c

@@ -47,5 +47,15 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
     esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
 #endif
 
+#ifndef CONFIG_SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE
+    // Set write-protection for DIS_ICACHE and DIS_DCACHE to prevent bricking chip in case it will be set accidentally.
+    // esp32s2 has DIS_ICACHE and DIS_DCACHE. Write-protection bit = 2 for both.
+    // List of eFuses with the same write protection bit:
+    // DIS_ICACHE, DIS_DCACHE, DIS_DOWNLOAD_ICACHE, DIS_DOWNLOAD_DCACHE,
+    // DIS_FORCE_DOWNLOAD, DIS_USB, DIS_TWAI, DIS_BOOT_REMAP, SOFT_DIS_JTAG,
+    // HARD_DIS_JTAG, DIS_DOWNLOAD_MANUAL_ENCRYPT.
+    esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE);
+#endif
+
     return ESP_OK;
 }

components/bootloader_support/src/esp32s3/flash_encryption_secure_features.c

@@ -47,5 +47,15 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
     esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
 #endif
 
+#ifndef CONFIG_SECURE_FLASH_SKIP_WRITE_PROTECTION_CACHE
+    // Set write-protection for DIS_ICACHE and DIS_DCACHE to prevent bricking chip in case it will be set accidentally.
+    // esp32s3 has DIS_ICACHE and DIS_DCACHE. Write-protection bit = 2 for both.
+    // List of eFuses with the same write protection bit:
+    // DIS_ICACHE, DIS_DCACHE, DIS_DOWNLOAD_ICACHE, DIS_DOWNLOAD_DCACHE,
+    // DIS_FORCE_DOWNLOAD, DIS_USB_OTG, DIS_TWAI, DIS_APP_CPU, DIS_PAD_JTAG,
+    // DIS_DOWNLOAD_MANUAL_ENCRYPT, DIS_USB_JTAG, DIS_USB_SERIAL_JTAG, STRAP_JTAG_SEL, USB_PHY_SEL.
+    esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE);
+#endif
+
     return ESP_OK;
 }

components/bootloader_support/src/flash_encrypt.c

@@ -201,6 +201,14 @@ void esp_flash_encryption_set_release_mode(void)
 #endif // CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED
 #endif // !CONFIG_IDF_TARGET_ESP32
 
+#ifdef CONFIG_IDF_TARGET_ESP32
+    esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_CACHE);
+#else
+#if SOC_EFUSE_DIS_ICACHE
+    esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE);
+#endif
+#endif // !CONFIG_IDF_TARGET_ESP32
+
 #if CONFIG_SOC_SUPPORTS_SECURE_DL_MODE
     esp_efuse_enable_rom_secure_download_mode();
 #else
@@ -273,6 +281,12 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
         ESP_LOGW(TAG, "Not disabled ROM BASIC interpreter fallback (set CONSOLE_DEBUG_DISABLE->1)");
     }
 
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_DIS_CACHE);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not write-protected DIS_CACHE (set WR_DIS_DIS_CACHE->1)");
+    }
+
     secure = esp_efuse_read_field_bit(ESP_EFUSE_RD_DIS_BLK1);
     result &= secure;
     if (!secure) {
@@ -377,6 +391,14 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
     }
 #endif
 
+#if SOC_EFUSE_DIS_ICACHE
+    secure = esp_efuse_read_field_bit(ESP_EFUSE_WR_DIS_DIS_ICACHE);
+    result &= secure;
+    if (!secure) {
+        ESP_LOGW(TAG, "Not write-protected DIS_ICACHE (set WR_DIS_DIS_ICACHE->1)");
+    }
+#endif
+
     esp_efuse_purpose_t purposes[] = {
 #if SOC_FLASH_ENCRYPTION_XTS_AES_256
         ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1,

components/efuse/efuse_table_gen.py

@@ -439,7 +439,7 @@ def to_struct(self, debug):
                          str(self.get_bit_count()) + '}, \t // ' + self.comment])
 
     def get_alt_names(self):
-        result = re.search(r'\[(.*?)\]', self.comment)
+        result = re.search(r'^\[(.*?)\]', self.comment)
         if result:
             return result.group(1).split()
         return []

components/efuse/esp32/esp_efuse_table.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -9,7 +9,7 @@
 #include <assert.h>
 #include "esp_efuse_table.h"
 
-// md5_digest_table 6256f9b7c6783e0b651bf52b5b162aa8
+// md5_digest_table c5ac3aa2d3a97d98ced4f4fccf48c328
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -99,6 +99,10 @@ static const esp_efuse_desc_t UART_DOWNLOAD_DIS[] = {
     {EFUSE_BLK0, 27, 1}, 	 // Disable UART download mode. Valid for ESP32 V3 and newer,
 };
 
+static const esp_efuse_desc_t WR_DIS[] = {
+    {EFUSE_BLK0, 0, 16}, 	 // [] Efuse write disable mask,
+};
+
 static const esp_efuse_desc_t WR_DIS_EFUSE_RD_DISABLE[] = {
     {EFUSE_BLK0, 0, 1}, 	 // Write protection for EFUSE_RD_DISABLE,
 };
@@ -107,6 +111,10 @@ static const esp_efuse_desc_t WR_DIS_FLASH_CRYPT_CNT[] = {
     {EFUSE_BLK0, 2, 1}, 	 // Flash encrypt. Write protection FLASH_CRYPT_CNT,
 };
 
+static const esp_efuse_desc_t WR_DIS_DIS_CACHE[] = {
+    {EFUSE_BLK0, 3, 1}, 	 // [] wr_dis of DIS_CACHE,
+};
+
 static const esp_efuse_desc_t WR_DIS_BLK1[] = {
     {EFUSE_BLK0, 7, 1}, 	 // Flash encrypt. Write protection encryption key. EFUSE_WR_DIS_BLK1,
 };
@@ -294,6 +302,11 @@ const esp_efuse_desc_t* ESP_EFUSE_UART_DOWNLOAD_DIS[] = {
     NULL
 };
 
+const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[] = {
+    &WR_DIS[0],    		// [] Efuse write disable mask
+    NULL
+};
+
 const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE[] = {
     &WR_DIS_EFUSE_RD_DISABLE[0],    		// Write protection for EFUSE_RD_DISABLE
     NULL
@@ -304,6 +317,11 @@ const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT[] = {
     NULL
 };
 
+const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_DIS_CACHE[] = {
+    &WR_DIS_DIS_CACHE[0],    		// [] wr_dis of DIS_CACHE
+    NULL
+};
+
 const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_BLK1[] = {
     &WR_DIS_BLK1[0],    		// Flash encrypt. Write protection encryption key. EFUSE_WR_DIS_BLK1
     NULL

components/efuse/esp32/esp_efuse_table.csv

@@ -49,11 +49,13 @@ UART_DOWNLOAD_DIS,      EFUSE_BLK0,    27,    1,    Disable UART download mode.
 
 # Write protection #
 ####################
-WR_DIS_EFUSE_RD_DISABLE,EFUSE_BLK0,    0,     1,    Write protection for EFUSE_RD_DISABLE
-WR_DIS_FLASH_CRYPT_CNT, EFUSE_BLK0,    2,     1,    Flash encrypt. Write protection FLASH_CRYPT_CNT, UART_DOWNLOAD_DIS. EFUSE_WR_DIS_FLASH_CRYPT_CNT
-WR_DIS_BLK1,            EFUSE_BLK0,    7,     1,    Flash encrypt. Write protection encryption key. EFUSE_WR_DIS_BLK1
-WR_DIS_BLK2,            EFUSE_BLK0,    8,     1,    Security boot. Write protection security key. EFUSE_WR_DIS_BLK2
-WR_DIS_BLK3,            EFUSE_BLK0,    9,     1,    Write protection for EFUSE_BLK3. EFUSE_WR_DIS_BLK3
+WR_DIS,                 EFUSE_BLK0,    0,    16,   [] Efuse write disable mask
+WR_DIS.EFUSE_RD_DISABLE,EFUSE_BLK0,    0,     1,    Write protection for EFUSE_RD_DISABLE
+WR_DIS.FLASH_CRYPT_CNT, EFUSE_BLK0,    2,     1,    Flash encrypt. Write protection FLASH_CRYPT_CNT, UART_DOWNLOAD_DIS. EFUSE_WR_DIS_FLASH_CRYPT_CNT
+WR_DIS.DIS_CACHE,       EFUSE_BLK0,    3,     1,    [] wr_dis of DIS_CACHE
+WR_DIS.BLK1,            EFUSE_BLK0,    7,     1,    Flash encrypt. Write protection encryption key. EFUSE_WR_DIS_BLK1
+WR_DIS.BLK2,            EFUSE_BLK0,    8,     1,    Security boot. Write protection security key. EFUSE_WR_DIS_BLK2
+WR_DIS.BLK3,            EFUSE_BLK0,    9,     1,    Write protection for EFUSE_BLK3. EFUSE_WR_DIS_BLK3
 
 # Read protection #
 ###################

components/efuse/esp32/include/esp_efuse_table.h

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -10,7 +10,7 @@ extern "C" {
 
 #include "esp_efuse.h"
 
-// md5_digest_table 6256f9b7c6783e0b651bf52b5b162aa8
+// md5_digest_table c5ac3aa2d3a97d98ced4f4fccf48c328
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -34,8 +34,10 @@ extern const esp_efuse_desc_t* ESP_EFUSE_FLASH_CRYPT_CNT[];
 extern const esp_efuse_desc_t* ESP_EFUSE_DISABLE_JTAG[];
 extern const esp_efuse_desc_t* ESP_EFUSE_CONSOLE_DEBUG_DISABLE[];
 extern const esp_efuse_desc_t* ESP_EFUSE_UART_DOWNLOAD_DIS[];
+extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_EFUSE_RD_DISABLE[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT[];
+extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_DIS_CACHE[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_BLK1[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_BLK2[];
 extern const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_BLK3[];

components/efuse/esp32c3/esp_efuse_table.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -9,7 +9,7 @@
 #include <assert.h>
 #include "esp_efuse_table.h"
 
-// md5_digest_table d006c80095638b5dbdc8649bf7e04dce
+// md5_digest_table 2bf0cfccdc9e055a493d80400a248794
 // This file was generated from the file esp_efuse_table.csv. DO NOT CHANGE THIS FILE MANUALLY.
 // If you want to change some fields, you need to change esp_efuse_table.csv file
 // then run `efuse_common_table` or `efuse_custom_table` command it will generate this file.
@@ -23,6 +23,10 @@ static const esp_efuse_desc_t WR_DIS_RD_DIS[] = {
     {EFUSE_BLK0, 0, 1}, 	 // Write protection for RD_DIS_KEY0 RD_DIS_KEY1 RD_DIS_KEY2 RD_DIS_KEY3 RD_DIS_KEY4 RD_DIS_KEY5 RD_DIS_SYS_DATA_PART2,
 };
 
+static const esp_efuse_desc_t WR_DIS_DIS_ICACHE[] = {
+    {EFUSE_BLK0, 2, 1}, 	 // [] wr_dis of DIS_ICACHE,
+};
+
 static const esp_efuse_desc_t WR_DIS_GROUP_1[] = {
     {EFUSE_BLK0, 2, 1}, 	 // Write protection for DIS_ICACHE DIS_DOWNLOAD_ICACHE DIS_FORCE_DOWNLOAD DIS_USB DIS_CAN SOFT_DIS_JTAG DIS_DOWNLOAD_MANUAL_ENCRYPT,
 };
@@ -515,6 +519,11 @@ const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_RD_DIS[] = {
     NULL
 };
 
+const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_DIS_ICACHE[] = {
+    &WR_DIS_DIS_ICACHE[0],    		// [] wr_dis of DIS_ICACHE
+    NULL
+};
+
 const esp_efuse_desc_t* ESP_EFUSE_WR_DIS_GROUP_1[] = {
     &WR_DIS_GROUP_1[0],    		// Write protection for DIS_ICACHE DIS_DOWNLOAD_ICACHE DIS_FORCE_DOWNLOAD DIS_USB DIS_CAN SOFT_DIS_JTAG DIS_DOWNLOAD_MANUAL_ENCRYPT
     NULL

components/efuse/esp32c3/esp_efuse_table.csv

@@ -15,6 +15,7 @@
     # EFUSE_RD_WR_DIS_REG #
         WR_DIS,                           EFUSE_BLK0,   0,    32,     Write protection
             WR_DIS.RD_DIS,                EFUSE_BLK0,   0,    1,      Write protection for RD_DIS_KEY0 RD_DIS_KEY1 RD_DIS_KEY2 RD_DIS_KEY3 RD_DIS_KEY4 RD_DIS_KEY5 RD_DIS_SYS_DATA_PART2
+            WR_DIS.DIS_ICACHE,            EFUSE_BLK0,   2,    1,      [] wr_dis of DIS_ICACHE
             WR_DIS.GROUP_1,               EFUSE_BLK0,   2,    1,      Write protection for DIS_ICACHE DIS_DOWNLOAD_ICACHE DIS_FORCE_DOWNLOAD DIS_USB DIS_CAN SOFT_DIS_JTAG DIS_DOWNLOAD_MANUAL_ENCRYPT
             WR_DIS.GROUP_2,               EFUSE_BLK0,   3,    1,      Write protection for WDT_DELAY_SEL
             WR_DIS.SPI_BOOT_CRYPT_CNT,    EFUSE_BLK0,   4,    1,      Write protection for SPI_BOOT_CRYPT_CNT